NETSRV security considerations
- On the initiating (client/sending) node side, SECURE=YES must be coded on the socket statement that is associated with the listening (server/receiving) node.
- On the listening (server/receiving) node side:
  - A NETSRV or equivalent must exist that can accept secure connections from a remote JES2 node.
  - If the listening (server/receiving) node is a JES2 node, you must use the following settings:
    - SECURE=YES on the local node socket that is associated with the NETSRV statement.
    - SECURE=YES on the remote node socket or sockets that the connections will be initiated from.
![Secure connection from client node](hasa3053.gif)
The previous configuration, Figure 1, can initiate a secure connection only when started from node NEWYORK1. To enable a secure transmission, the PORT name or number must match between the local socket on the listening side (WASHDC2) and the corresponding remote socket on the sending node (NEWYORK1). Using LOCALTLS allows JES2 to automatically use the default port for secure transmission.
- Each node must have a local NETSRV with the associated socket statement specifying SECURE=YES.
- Each node must have a defined socket for the remote node also specifying SECURE=YES.
![Secure connection from either node](hasa3054.gif)
The previous configuration, Figure 2, can initiate a secure connection when started from either side. To enable a secure transmission, the PORT name or number must match between the local socket on the listening side (WASHDC2) and the corresponding remote socket on the sending node (NEWYORK1). Using LOCALTLS allows JES2 to automatically use the default port for secure transmission.
You can also define a NETSRV that can tolerate both secure and non-secure connections, depending on which sockets are utilized in starting the NETSRV connection. See Figure 3 for an example of this configuration.
![Secure and non-secure connections](hasa3055.gif)
In Figure 3, if node NEWYORK1 issues a $SN,SOCKET=WASHDC2A request, a secure connection would be established. However, if node NEWYORK1 issues a $SN,SOCKET=WASHDC2B request, a non-secure connection would be established via conventional secure port 2252.
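The rules above can be checked mechanically before a connection is started. The following Python sketch is an added example, not IBM code and not a transcription of the figures: it reads simplified SOCKET and NETSRV statements for both nodes and reports which rule would keep a given socket from producing a secure connection. The one-statement-per-line layout, the socket name LOCALSEC, the IP addresses and the `check_link` helper are assumptions made for illustration, and port defaulting is not modelled.

```python
import re

STMT = re.compile(r"^\s*(SOCKET|NETSE?RV)\((\w+)\)\s+(.*)$", re.I)

# Constructed, simplified decks (one statement per line); not the page's figures.
SENDER = """
SOCKET(WASHDC2A) NODE=WASHDC2,IPADDR=192.0.2.20,PORT=2252,SECURE=YES
SOCKET(WASHDC2B) NODE=WASHDC2,IPADDR=192.0.2.20,PORT=2252,SECURE=NO
"""
LISTENER = """
NETSRV(1) SOCKET=LOCALSEC
SOCKET(LOCALSEC) NODE=WASHDC2,IPADDR=192.0.2.20,PORT=2252,SECURE=YES
SOCKET(NEWYORK1) NODE=NEWYORK1,IPADDR=192.0.2.10,PORT=2252,SECURE=YES
"""

def parse_deck(text):
    """Return ({socket name: {KEY: VALUE}}, [socket names referenced by NETSRVs])."""
    sockets, netsrv_sockets = {}, []
    for line in text.splitlines():
        m = STMT.match(line)
        if not m:
            continue
        params = {k.upper(): v.upper() for k, v in re.findall(r"(\w+)=([^,\s]+)", m.group(3))}
        if m.group(1).upper() == "SOCKET":
            sockets[m.group(2).upper()] = params
        elif "SOCKET" in params:
            netsrv_sockets.append(params["SOCKET"])
    return sockets, netsrv_sockets

def check_link(sender_deck, listener_deck, start_socket, sender_node):
    """List what stops a secure connection when the sender starts start_socket."""
    s_sockets, _ = parse_deck(sender_deck)
    l_sockets, l_netsrv = parse_deck(listener_deck)
    out = s_sockets.get(start_socket.upper())
    if out is None:
        return [f"sender: SOCKET({start_socket}) is not defined"]
    findings = []
    if out.get("SECURE") != "YES":
        findings.append(f"sender: SOCKET({start_socket}) lacks SECURE=YES")
    # Listening side: a NETSRV local socket on the matching PORT, coded SECURE=YES.
    local = [n for n in l_netsrv if n in l_sockets and l_sockets[n].get("PORT") == out.get("PORT")]
    if not local:
        findings.append(f"listener: no NETSRV local socket on PORT={out.get('PORT')}")
    findings += [f"listener: local SOCKET({n}) lacks SECURE=YES"
                 for n in local if l_sockets[n].get("SECURE") != "YES"]
    # Listening side: the socket for the initiating node must also be SECURE=YES.
    remote = [p for p in l_sockets.values() if p.get("NODE") == sender_node.upper()]
    if not any(p.get("SECURE") == "YES" for p in remote):
        findings.append(f"listener: no SECURE=YES socket for remote node {sender_node}")
    return findings

if __name__ == "__main__":
    for name in ("WASHDC2A", "WASHDC2B"):
        print(name, check_link(SENDER, LISTENER, name, "NEWYORK1") or "secure")
```

An empty result means every condition listed on this page is met for that socket; any finding names the statement to correct before the connection is started.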