Topics in this section include
Platform Services for RACF uses two standard RACF exits: the RACINIT pre-process exit (ICHRIX01) and the RACF new password exit (ICHPWX01). They are provided in the Platform Services Load Library and are named ASCRIX01 and ASCPWX01 respectively.
These two exits are used to intercept all requests in which a user ID and password (and perhaps a new password) are supplied to RACF. Note, however, that these exits can only intercept password check and change requests that are sent through a standard RACF interface. If you have applications that access the RACF database directly using the RACF internal macros (ICHEINTY, etc.), their requests are not intercepted by the driver.
Platform Services provides an exit router that calls multiple exit modules in sequence. You can use this router if your installation already uses either exit.
These instructions assume that you have already installed the Platform Services Process, configured it, started it successfully, and tested it using ASCTEST.
Follow your normal procedure for applying such changes to your z/OS system. We recommend that you
Install and test the exits on a test system or partition first.
Make a copy of your system volumes before applying any changes.
Consider packaging the exits as SMP/E usermods.
To install the RACF exits:
Install ICHRIX01, the RACINIT pre-process exit.
If you do not have an existing ICHRIX01 exit, run the job in SAMPLIB member RACRIX0A. This job uses SMP/E to linkedit ASCRIX01 into SYS1.LPALIB as exit ICHRIX01.
If you have an existing ICHRIX01 exit, update SAMPLIB member RACRIX0B as appropriate. RACRIX0B installs a router that calls the Platform Services RACINIT exit and your existing exit.
Install ICHPWX01, the new password exit.
If you do not have an existing ICHPWX01 exit, run the job in SAMPLIB member RACPWX0A. This job uses SMP/E to linkedit ASCPWX01 into SYS1.LPALIB as exit ICHPWX01.
If you have an existing ICHPWX01 exit, update SAMPLIB member RACPWX0B as appropriate. RACPWX0B installs a router that calls the Platform Services new password exit and your existing exit.
IPL the z/OS system with the CLPA option.
When you have installed the exits into SYS1.LPALIB and IPLed your system, RACF calls the driver exits for every authentication request that provides a password. If ASCLIENT is not running, the message ASC0071I Userid user will be authenticated locally is issued to the z/OS console as a ROUTCDE=11 WTO. This is normal and will probably be a regular occurrence if logons occur early during an IPL before TCP/IP and ASCLIENT are up.
At this point, RACF users that have not been excluded are authenticating using Authentication Services. If you are phasing in the conversion to the driver, ensure that your RACF and eDirectory password rules (minimum length, etc.) are the same. Otherwise, users can find themselves in a situation where one product accepts the new password and the other doesn't. If the two sets of rules cannot be made the same, then make the RACF rules less restrictive than the eDirectory rules. This way, eDirectory rejects incorrect new passwords before RACF has an opportunity to.
After you have migrated most or all of your user base to the driver, turn off all RACF-related password rules, because they are enforced by the corresponding rules in eDirectory. A RACF SPECIAL user can use the RACF administrator panels to set the options listed in the table that follows, or enter the following command:
setropts password( nohistory interval(254) norevoke norules )
This command affects RACF as follows:
Table 1-4 RACF Options
Record the existing values before you change them, and save them in a safe place. You will want to refer to them if you should ever remove the driver.
Make a copy of your running system before applying any changes.
Use SMP/E to RESTORE the usermods for ICHRIX01 and ICHPWX01.
IPL the updated system specifying CLPA.
Using the RACF administrator panels or the SETROPTS command, reestablish the password rules that you disabled when you installed the RACF interface.