QSECURITY=50

  • QSECURITY=50

    Does anyone have any info or experience on running under security level 50? We're considering moving to 50 to provide a little marketing sizzle within the banking industry and it doesn't appear to be too involved to move to 50. We had heard that there may be a slight performance hit under 50 because there is some extra validation taking place for parameter checking. Any feedback would be appreciated. thanx mike_kissinger

  • #2
    QSECURITY=50

    Mike, You may want to scan the last few posts in the "I can get your password" thread. There was discussion about the various security levels in there.



    • #3
      QSECURITY=50

      Mike, I used to believe that level 40 was "good enough" security. Not any more. With the things that I have seen in this forum and other places, I believe it is time for us to move on up. If IBM gives us the opportunity to have that level of security then we should take it. Oh yea, and it is free!!!! If you are already at level 40, moving to 50 should be a piece of cake. I haven't done the 40 to 50 move yet but the IBM redbook and security references say that the move is painless. Scott



      • #4
        QSECURITY=50

        Thanx Susan. There was a coupla posts that mentioned the performance hit.



        • #5
          QSECURITY=50

          Scott: The mechanics of doing it aren't too big a deal. I was concerned about the performance hit you take based on the extra validation the system does for parameter checking. If you have lots of programs with lots of parms, it may be noticeable, but I don't know. I do agree, that if IBM is providing it, we may as well use it. Ya never know what's out there just thinking of ways to hack into your system.



          • #6
            QSECURITY=50

            Scott, "security references say that the move is painless." It should be painless. One caveat I know you need to consider deals with command VCP's (Validity Checking Programs). In the past, some people have been known to alter the value of parameters in a VCP, and expect the CPP to see the altered value. That was never a documented feature. But it works up through security level 40 since the VCP receives the parameters by reference, then passes the same pointers on to the CPP. This action could break at any time with a PTF or anytime IBM decided to do so, since it is not a documented feature. At security level 50, the VCP receives the parms by value instead of reference. So the VCP can change them to its heart's content, but the CPP will still see the original value just as the VCP originally did. This is done to prevent a rogue VCP from manipulating the requested values. (I.E., beware of geeks bearing gifts.) You may not have any VCP's, or all of your VCP's may be well behaved and not expect to pass changes on to a CPP. But it is one difference I am aware of. There may be others. (I have not made the move myself, so can't provide more caveats.) Doug
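
Added example (not part of the thread and not IBM i code): a simplified C model of the VCP/CPP hand-off described in post #6, showing why a CPP that relies on a VCP's in-place parameter change sees different data at level 50. The function names, the library-name parameter, and the dispatch logic are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PARM_LEN 11  /* 10-character name plus terminator (constructed) */

/* Hypothetical VCP: rejects an empty library name and, as a side effect,
   upper-cases the parameter in place (the undocumented trick). */
static int vcp_check_lib(char *lib) {
    if (lib[0] == '\0') return -1;
    for (char *p = lib; *p; p++) *p = (char)toupper((unsigned char)*p);
    return 0;
}

/* Hypothetical CPP: records the value it was actually handed. */
static void cpp_run(const char *lib, char *seen, size_t n) {
    snprintf(seen, n, "%s", lib);
}

/* Model of command dispatch.
   level < 50:  VCP gets the same pointer the CPP will get (by reference).
   level >= 50: VCP gets a private copy (by value); CPP gets the original. */
static int run_command(int level, const char *input, char *seen, size_t n) {
    char parm[PARM_LEN];
    snprintf(parm, sizeof parm, "%s", input);
    if (level >= 50) {
        char copy[PARM_LEN];
        memcpy(copy, parm, sizeof copy);
        if (vcp_check_lib(copy) != 0) return -1;  /* validation still applies */
    } else {
        if (vcp_check_lib(parm) != 0) return -1;
    }
    cpp_run(parm, seen, n);
    return 0;
}

int main(void) {
    char seen[PARM_LEN];
    run_command(40, "payroll", seen, sizeof seen);
    printf("level 40: CPP sees %s\n", seen);
    run_command(50, "payroll", seen, sizeof seen);
    printf("level 50: CPP sees %s\n", seen);
    return 0;
}
```

In this model the VCP still accepts or rejects the request at both levels; only its ability to rewrite what the CPP receives goes away, so any normalization the CPP depends on has to move into the CPP itself.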
