1.6 CA-ACF2 Exit Installation

1.6.1 About the CA-ACF2 Exits

Platform Services for CA-ACF2 uses two standard ACF2 exits: the System Entry Validation exit (SEVPRE) and the New-Password exit (NEWPXIT). They are provided in the Platform Services Load Library and are named ASCSVPRE and ASCNPXIT respectively. These two exits intercept every request in which a user ID and password (and perhaps a new password) are supplied to ACF2. Note, however, that the exits can intercept only those password check and change requests that arrive through a standard ACF2 interface. Applications that call internal ACF2 services directly, such as ACFSVC ACALT, bypass the exits, and their requests are not intercepted by the driver.

Platform Services provides an exit router that calls multiple exit modules in sequence. You can use this router if your installation already uses either exit.

1.6.2 Installing the CA-ACF2 Exits

These instructions assume that you have already installed the Platform Services Process, configured it, started it successfully, and tested it using ASCTEST.

Follow your normal procedure for applying system-level changes to your z/OS system. We recommend that you

  • Install and test the exits on a test system or partition first.

  • Make a copy of applicable libraries before applying any changes.

  • Plan an uninstallation procedure. For guidelines, see Uninstalling the CA-ACF2 Exits.

ACF2 allows you to call the SEVPRE and NEWPXIT exits by any name. By default, the jobs in SAMPLIB name the exits ASCSVPRE and ASCNPXIT. If you need to name the exits something different, edit the JCL as appropriate. ACF2 requires that both of these exits reside in SYS1.LPALIB or another library in the LPA list.

If you have an existing ACF2 exit (SEVPRE or NEWPXIT) and don't have storage constraints in PLPA, consider leaving your existing exits in PLPA under a different name from the exit name used by Platform Services. This way, you can reinstall your old exit without an IPL.

To install the CA-ACF2 exits:

  1. Install SEVPRE, the system entry validation exit.

    • If you do not have an existing SEVPRE exit, run the job in SAMPLIB member ACFSVP0A. This job linkedits ASCSVPRE into SYS1.LPALIB as exit ASCSVPRE. If you prefer not to use SYS1.LPALIB, change the SYSLMOD DD statement in ACFSVP0A to a different LPA list library.

    • If you have an existing SEVPRE exit, update SAMPLIB member ACFSVP0B as appropriate. ACFSVP0B linkedits the Platform Services SEVPRE exit and your existing exit with a router that can call multiple SEVPRE exits in succession. ACFSVP0B contains detailed instructions for setting this up.

  2. Install NEWPXIT, the new password exit.

    • If you do not have an existing NEWPXIT exit, run the job in SAMPLIB member ACFNPX0A. This job linkedits ASCNPXIT into SYS1.LPALIB as exit ASCNPXIT. If you prefer not to use SYS1.LPALIB, change the SYSLMOD DD statement in ACFNPX0A to a different LPA list library.

    • If you have an existing NEWPXIT exit, update SAMPLIB member ACFNPX0B as appropriate. ACFNPX0B linkedits the Platform Services NEWPXIT exit and your existing exit with a router that can call multiple NEWPXIT exits in succession. ACFNPX0B contains detailed instructions for setting this up.

  3. IPL the z/OS system with the CLPA option.

NOTE: You can package the ACF2 exits as SMP/E usermods. ACF2 installations customarily do not install ACF2 exits with SMP/E, so the ACF2 exits shipped with Platform Services are not set up for SMP/E. If you want to install the exits as SMP/E usermods, use the SAMPLIB members ASCRIX0A/B and ASCPWX0A/B, which install the RACF version of the exits, as models.
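The link-edit step described in step 1 above, shown as an added example rather than the actual SAMPLIB member ACFSVP0A (whose content this page does not reproduce). The load library name ASC.PLATSVC.LOADLIB and the job card are assumptions; SYS1.LPALIB is the default target named in the text, and SYSLMOD is the single DD you change to use another LPA list library. RENT and REFR are the usual binder attributes for modules that are loaded into LPA; the NEWPXIT job differs only in the module name (ASCNPXIT).

```jcl
//LNKSVPRE JOB (ACCT),'LINK SEVPRE EXIT',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*
//* Added example, not SAMPLIB member ACFSVP0A.
//* Link-edits the Platform Services SEVPRE exit (ASCSVPRE) from the
//* Platform Services Load Library into an LPA list library.
//* ASC.PLATSVC.LOADLIB is an assumed dataset name; substitute yours.
//* To use a library other than SYS1.LPALIB, change only SYSLMOD.
//* The module is not active until the next IPL with CLPA.
//*
//LINK     EXEC PGM=IEWL,PARM='LIST,MAP,XREF,RENT,REFR'
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD UNIT=SYSDA,SPACE=(CYL,(1,1))
//ASCLIB   DD DISP=SHR,DSN=ASC.PLATSVC.LOADLIB
//SYSLMOD  DD DISP=SHR,DSN=SYS1.LPALIB
//SYSLIN   DD *
  INCLUDE ASCLIB(ASCSVPRE)
  NAME    ASCSVPRE(R)
/*
```

Check the binder return code (0) and the MAP output before the IPL: the NAME statement's (R) replaces any existing member of the same name in SYSLMOD, so if you are keeping an earlier exit under a different name, as the text recommends, confirm that name is not the one given here.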

1.6.3 Updating CA-ACF2 Options

You will need to set CA-ACF2 to call the exits and then relax the ACF2 password rules so that the eDirectory rules take effect instead.

Setting CA-ACF2 to Call the Exits

When you have linked the exits into an LPA library and IPLed your system with CLPA, set ACF2 to start calling the exits.

An ACF2 administrator must perform these steps.

  1. If you do not already have a GSO EXITS record, use the ACF2 ISPF panels to add the exits or enter the following TSO commands:

     READY
    acf
     ACF
    set control(gso) sysid(<system>)
     CONTROL
    insert sysid(<system>) exits sevpre(ascsvpre) newpxit(ascnpxit) 
    

    Substitute your system ID for <system>. If you chose to use other names for these exits, substitute your names. If you only have one system using your ACF2 database, or you want to affect all systems at once, you can omit the sysid operand. However, if you have multiple ACF2 systems, we recommend that you convert them one at a time.

  2. If you already have a GSO EXITS record, do the following:

    1. From the main ACF2 panel, select the GSO option.

    2. From the GSO panel, select CHANGE.

    3. From the Change A GSO Record panel, enter a change type of ADD, the system ID you want the change to affect, and a RECID of EXITS.

    4. Specify a value of ASCSVPRE for exit SEVPRE and a value of ASCNPXIT for exit NEWPXIT. If you chose to use other names for these exits, substitute your names here.

  3. Install the new values.

    From a z/OS console, enter MODIFY ACF2,REFRESH

When you do this, ACF2 begins calling the Platform Services SEVPRE and NEWPXIT exits. If ASCLIENT is not running, users attempting to log on are authenticated locally by ACF2. When this happens, ASCSVPRE issues the message ASC0071I Userid user will be authenticated locally to the z/OS console as a ROUTCDE=11 WTO. This is normal and will probably be a regular occurrence if logons occur early during an IPL, before TCP/IP and ASCLIENT are up. Because the local path relies on the ACF2 password controls that you relax in the next procedure, treat ASC0071I messages outside the IPL window as a sign that ASCLIENT is down and should be investigated.

Removing CA-ACF2 Password Rules

At this point, ACF2 users who have not been excluded are authenticated through Authentication Services. Set the ACF2 password-related parameters to disable ACF2 password controls; the eDirectory parameters are enforced instead. For full descriptions of these parameters, see your CA-ACF2 Administrator Guide.

Record the existing values before you change them, and save them in a safe place. You will want to refer to them if you should ever remove the driver.

An ACF2 administrator must perform these steps.

  1. If you do not already have a GSO PSWD record, use the ACF2 ISPF panels to set the values listed in the table that follows this procedure, or enter the following TSO commands:

     READY
    acf
     ACF
    set control(gso) sysid(<system>)
     CONTROL
    insert sysid(<system>) pswd <values>
    

    Substitute the system ID for <system>. If you only have one system using your ACF2 database or you want to affect all systems at once, you can omit the sysid operand. However, if you have multiple ACF2 systems, we recommend that you convert them one at a time.

    Substitute the values shown in the table that follows this procedure for <values>.

  2. If you already have a GSO PSWD record, use the ACF2 ISPF panels to change the PSWD record, or enter the following TSO commands:

     READY
    acf
     ACF
    set control(gso) sysid(<system>)
     CONTROL
    change sysid(<system>) pswd <values>
    

    Substitute the system ID for <system>. If you only have one system using your ACF2 database or you want to affect all systems at once, you can omit the sysid operand. However, if you have multiple ACF2 systems, we recommend that you convert them one at a time.

    Substitute the values shown in the table that follows this procedure for <values>.

  3. Install the new rule values.

    From a z/OS console, enter MODIFY ACF2,REFRESH

The following table describes the ACF2 password-related parameters and the value to set for each:

  Parameter      Description

  MAXTRY(255)    The maximum number of invalid password attempts before
                 ACF2 suspends the user ID. Set to the maximum; the driver
                 uses the eDirectory intruder detection parameters instead.

  MINPSWD(1)     The minimum length of an ACF2 password. Set to 1 so that
                 ACF2 imposes no length rule of its own.

  PASSLMT(255)   The maximum number of invalid password attempts allowed
                 in one day. Set to the maximum for the same reason as
                 MAXTRY.

  PSWDALT        Allow users to change their password at logon time.

  NOPWDHIST      Disable ACF2 password history.

  PSWDNUM        Allow a new password to be all numeric.

  WRNDAYS(0)     The number of days before expiration on which ACF2 warns
                 the user. Set to 0; the warning is controlled instead by
                 the ACF2.EXPIREWARN parameter in the ASCLIENT
                 configuration file.
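The GSO updates in Setting CA-ACF2 to Call the Exits and Removing CA-ACF2 Password Rules, combined into one batch TSO job. This is an added example, not a SAMPLIB member or the product's own procedure: it runs the same ACF subcommands the text gives interactively, but first lists the current EXITS and PSWD records so that the pre-change values land in the job output (the record the text tells you to keep), then applies the table values, then lists PSWD again. SYSA is an assumed system ID; substitute your own, or drop the SYSID operand to affect all systems sharing the database.

```jcl
//ACFGSO   JOB (ACCT),'GSO EXITS+PSWD',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*
//* Added example, not a SAMPLIB member. Must run under an ACF2
//* administrator's authority. SYSA is an assumed SYSID.
//* Step 1 of the text (no existing record) uses INSERT in place of
//* CHANGE; the operands are identical.
//*
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
ACF
 SET CONTROL(GSO) SYSID(SYSA)
 LIST EXITS
 LIST PSWD
 CHANGE SYSID(SYSA) EXITS SEVPRE(ASCSVPRE) NEWPXIT(ASCNPXIT)
 CHANGE SYSID(SYSA) PSWD MAXTRY(255) MINPSWD(1) PASSLMT(255) WRNDAYS(0)
 CHANGE SYSID(SYSA) PSWD PSWDALT NOPWDHIST PSWDNUM
 LIST EXITS
 LIST PSWD
 END
/*
```

The PSWD change is split over two CHANGE subcommands only to keep each SYSTSIN line within 72 columns; each CHANGE alters just the fields it names. Keep the SYSTSPRT output from the first two LIST subcommands with your uninstall notes. The new values are not active until MODIFY ACF2,REFRESH is entered at a z/OS console, as in step 3 of both procedures, and the EXITS change should not be refreshed before the exit modules are in the active LPA.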

1.6.4 Uninstalling the CA-ACF2 Exits

  1. If you linked the Platform Services SEVPRE exit or NEWPXIT exit with exits of your own, reinstall your original exits, then IPL with CLPA to load the relinked exits into the active LPA. If you changed the exits' names as you relinked them, you must also update the GSO EXITS record with the changed exit names.

  2. If you are using ASCSVPRE or ASCNPXIT by themselves, update the GSO EXITS record to remove the exit names.

    1. Enter the following TSO commands:

       READY
      acf
       ACF
      set control(gso) sysid(<system>)
       CONTROL
      insert sysid(<system>) exits sevpre() newpxit() 
      
    2. Install the new values.

      From a z/OS console, enter MODIFY ACF2,REFRESH

  3. Delete the exit modules from the LPA library containing them. Then IPL with CLPA at a convenient time.