1.7 CA-Top Secret Exit Installation

In addition to installing the CA-Top Secret Exit, you will need to review a checklist of considerations if you already use the PREINIT function.

1.7.1 Installing the CA-Top Secret Exit

These instructions assume that you have already installed the Platform Services Process, configured it, started it successfully, and tested it using ASCTEST.

Follow your normal procedure for applying system-level changes to your z/OS system. We recommend that you

  • Install and test the exits on a test system or partition first.

  • Make a copy of applicable libraries before applying any changes.

  • Plan a back off procedure.

To install the CA-Top Secret exits:

  1. Review the section pertaining to the use of the CA-Top Secret Installation Exit TSSINSTX in the CA-Top Secret User Guide.

  2. Modify TSSINSTX to use the driver PREINIT function.

    1. If you already use the PREINIT function, review Considerations Checklist for Sites with a Pre-existing PREINIT Function.

    2. Change the ##MATRIX byte for PREINIT to a value of #####YES.

    3. Insert the following instructions immediately after the PREINIT label:

      LR    R1,R9            <AM> | Copy parmlist ptr to R1
LR    R11,R13          <AM> | Save TSS’s savearea ptr
LA    R13,WORKAREA     <AM> | Use WORKAREA as savearea
L     R15,=V(ASCTSSPI) <AM> | Get addr of AM preinit exit
BALR  R14,R15          <AM> | Call it
LR    R13,R11          <AM> | Restore TSS’s savearea ptr
B     EXIT             <AM> | Exit with exit’s returncode

  3. Place the modified TSSINSTX exit module in your TSS product library.

    1. Customize and run the JCL provided in SAMPLIB member ASMINSTX.

    2. If your TSS product library is in the linklist, refresh LLA with the following operator command: F LLA,REFRESH

  4. Activate the modified TSSINSTX exit.

    1. If TSSINSTX is already in use, issue the following operator command: F TSS,EXIT(OFF)

    2. Issue the following operator command: F TSS,EXIT(ON)

1.7.2 Considerations Checklist for Sites with a Pre-existing PREINIT Function

  • Evaluate your current PREINIT function for conflicts with the driver PREINIT function ASCTSSPI.

    ASCTSSPI expects the following:

    • Standard linkage, AMODE(31), RMODE(24) or RMODE(ANY).

    • Key zero, supervisor state. TSSINSTX normally runs this way.

    • R13 points to a save area, not necessarily with back links. (The area WORKAREA (CL100) in TSSINSTX is used by default.)

    • R1 points to #INSTXPL.

    ASCTSSPI sets the following return codes:

    • 4 if the user ID does not exist in the Census and AS.USER.NONNDS is set to UNDEFINED

    • 0 in all other cases

    ASCTSSPI calls ASCLIENT if all of the following are true:

    • CA-Top Secret is not dormant

    • A password (and perhaps a new password) is provided on an authentication request

    • ASCLIENT is running

    • The user is not excluded

  • If you already link other modules with TSSINSTX, update your TSSINSTX linkedit job.

  • If your PREINIT function can make a final decision that a user is or is not allowed to enter the system, place the call to your function before the call to ASCTSSPI, and bypass the call to ASCTSSPI if a decision has been made.