SNACFG Displays APPC Session Security Key in Clear Text (193487)

The information in this article applies to:

Microsoft SNA Server 3.0
Microsoft SNA Server 3.0 SP1
Microsoft SNA Server 3.0 SP2
Microsoft SNA Server 3.0 SP3
Microsoft SNA Server 4.0 SP1
Microsoft SNA Server 4.0

This article was previously published under Q193487

SYMPTOMS

SNA Server supports LU6.2 session security, where a hex or character security key is configured as part of the Remote APPC LU definition. When you use the SNACFG command-line tool to display the configuration, this security key is displayed in clear text, which compromises security.

CAUSE

The SNACFG command-line tool was designed to display the full Remote APPC LU definition, including the session security key.

RESOLUTION

SNA Server 3.0

To resolve this problem, obtain the latest service pack for SNA Server version 3.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

184307 How to Obtain the Latest SNA Server Version 3.0 Service Pack

SNA Server 4.0

This problem was corrected in the latest SNA Server version 4.0 U.S. Service Pack. For information on obtaining this Service Pack, query on the following word in the Microsoft Knowledge Base (without the spaces):

   S E R V P A C K

STATUS

Microsoft has confirmed that this is a problem in SNA Server version 3.0(through SP3) and SNA Server version 4.0 (through SP1). This problem was first corrected in SNA Server 3.0 Service Pack 4.

MORE INFORMATION

The updated Snacfg.exe command-line tool behaves as follows:

The encrypted key may now be input and output using the new /SECURITYEX: option.
The unencrypted security key (/SECURITY option) is no longer displayed.
It is still possible to enter an unencrypted key using the /SECURITY option.

Modification Type:	Major	Last Reviewed:	2/23/2004
Keywords:	kbbug kbfix KB193487 kbAudDeveloper