Prerequisites for Using TCP/IP under z/OS :: Communications Access Methods for SAS/CONNECT(R) 9.4 and SAS/SHARE(R) 9.4, Second Edition

Task List

Verify that the software requirements are met.
Verify that the SAS SVC routine has been installed.
Become familiar with the TCP/IP access method terminology.
If using network security, set the appropriate SAS system options.
Set the appropriate SAS/CONNECT and SAS/SHARE options.

Software Requirements

Ensure that the following requirements are met:

Base SAS software and either SAS/CONNECT or SAS/SHARE are installed on both the client and the server.
SAS/CONNECT and SAS/SHARE also require the IBM z/OS Communications Server or any server that is functionally compatible with the IBM z/OS Communications Server.
SAS/CONNECT or SAS/SHARE require the definition of TCP/IP resources for the z/OS system. For details, see System Configuration for TCP/IP.

Installation of the SAS SVC Routine

The SAS SVC control program routine is an interface between the z/OS operating environment and a specific request, such as "third-party checking." This facility provides verification in the form of calls for authentication of user IDs and passwords and of library authority.

Install the SAS SVC routine, if necessary.

If you have already installed the SAS SVC routine, do not repeat the step here. If you need to perform the installation, see the Configuration Guide for SAS Foundation for z/OS (PDF) on the SAS Install Center web page.

Because SAS SVC in SAS 9.4 is backward compatible, it replaces the SAS SVC routines from previous releases. You can continue using previous releases of Base SAS, SAS/CONNECT, and SAS/SHARE with the SAS 9.4 SAS SVC that is installed on your system.
Verify the SVC routine SAS system options.

Verify that the SAS system options for the SVC routine accurately reflect how the SAS SVC is installed. The SAS system option SVC0SVC should be set to the number at which the SAS SVC is installed (for example, 251 or 109). If the SAS SVC is installed at 109 as an ESR SVC, the SAS system option SVC0R15 should be set to the ESR code (for example, 4).
Verify installation on all systems, as needed.

If you have more than one z/OS system, verify that the SAS SVC is installed on all the systems that will be running SAS/CONNECT or SAS/SHARE at your site.

TCP/IP Access Method Terminology

Familiarity with the following terms will help you when you set SAS options:

name resolution

the process of mapping a server name to an address. The domain name system provides a facility for naming servers in which programs use remote name servers to resolve server names to IP addresses.

name server

the server program that supplies name-to-address translation (that is, mapping from server names to IP addresses). The server program often runs on a dedicated processor, and the operating environment itself is referred to as the name server.

name resolver

the client software that uses one or more name servers when translating a server name.

SAS/CONNECT and SAS/SHARE Network Security

Encryption is the process of transforming plaintext into a less readable form (called ciphertext) by using a mathematical process. The ciphertext is translated back to plaintext for anyone who can supply the appropriate key, which is necessary for decrypting (or unlocking) the ciphertext.

For details about setting up and using encryption services, see Encryption in SAS, located in the Base SAS Help and Documentation. After an encryption service is set up in your environment, you set SAS encryption options that are appropriate to the encryption service and to the requirements of the client or the server session.

SAS/CONNECT Options Only

TCPMSGLEN n

defines the size of the buffer (in bytes) that the TCP/IP access method uses for breaking up a message that it sends to or receives from the SAS/CONNECT application layer during a SAS/CONNECT session. The application layer uses a message size that is stored in the TBUFSIZE option that you can specify in the SIGNON statement or as a SAS option. For details, see TBUFSIZE= System Option in SAS/CONNECT User's Guide.

If TBUFSIZE is larger than TCPMSGLEN, the TCP/IP access method breaks the message into a buffer whose size is defined by TCPMSGLEN, and issues the number of send and receive messages that are necessary to complete the message transaction.

The value for TCPMSGLEN must be set at both the client and the server. If the values that are set for TCPMSGLEN at the client and at the server are different, the smaller value of the two is used during the SAS/CONNECT session. If the TCPMSGLEN environment variable is not set, SAS uses the TCP stack’s default size and allows autotuning if implemented by the stack.

TCPPORTFIRST=port-number (set at the server)

TCPPORTLAST=port-number (set at the server)

restrict the range of TCP/IP ports that clients can use to access servers.

Within the range of 0 through 32767, assign a beginning value to TCPPORTFIRST and an ending value to TCPPORTLAST. To restrict the number of ports to only one port, set the values for both the TCPPORTFIRST and TCPPORTLAST options to the same number. Consult with your network administrator for advice about setting these values.

At the server, you can set TCPPORTFIRST and TCPPORTLAST in the AUTOEXEC file or in the SAS configuration file.

In the following example, the client is restricted to TCP/IP ports 4020 through 4050 when connecting to a server:

options tcpportfirst=4020; 
options tcpportlast=4050;

TCPTN3270 (set at the client)

supports connections to a z/OS server that uses the full-screen 3270 Telnet protocol. The script file TCPTSO32 is provided. See SAS/CONNECT Sign-on Scripts for Using TCP/IP under z/OS for a complete list of sign-on scripts.

You can set the TCPTN3270 variable only in the SAS CLIST.

To set the TCPTN3270 variable:

Set the TCPTN3270 CLIST variable at the client.
Add TCPTN3270(1) to the SAS CLIST.

If you do not set this variable, the TCP/IP access method uses the Telnet line mode protocol by default.

SAS/SHARE Options Only

TCPSEC=_SECURE_ | _NONE_ (set at the server)

specifies whether the TCP/IP access method verifies user access authority before allowing clients to access the server. The TCPSEC option must be set at the server before the server session is started.

_SECURE_

requires the TCP/IP access method to verify the authority of clients that attempt to access the server. Each client must supply a user ID and a password that are valid at the server.

_NONE_

specifies that the TCP/IP access method does not authenticate SAS/SHARE clients that attempt to access the server.

Default

_NONE_

SECPROFILE=name (set at the client and the server)

specifies the name of a RACF (Resource Access Control Facility) secured sign-on function profile. SAS uses the secured sign-on function to permit a SAS/SHARE client to access a SAS/SHARE server without specifying a password. Successful sign-on without a password requires that the following conditions are met:

Both the client and the server run under z/OS operating environments that are secured by RACF or by another security product that supports PassTickets.
The RACF security administrator has activated the PTKTDATA class, and has defined at least one PTKTDATA profile for use by SAS/SHARE.

If the client and server run under different z/OS operating environments, the RACF security administrator must activate the PTKTDATA class and define identical PTKTDATA profiles in both z/OS operating environments.
TCP/IP is the communications access method.
At the server, the SECPROFILE= option is assigned the name of a valid PTKTDATA profile.
At the client, the SECPROFILE= option is assigned the same name that was assigned at the server.
The client's user ID is specified in either of these ways:
- The USER= option in a LIBNAME or a PROC OPERATE statement specifies the client's RACF user ID.
- If the USER= option in a LIBNAME or a PROC OPERATE statement is omitted, the client's user ID is used by default.