11.5 RACF Exit Installation

11.5.1 About the RACF Exits

Platform Services for RACF uses two standard RACF exits: the RACINIT pre-process exit (ICHRIX01) and the RACF new password exit (ICHPWX01). They are provided in the Platform Services Load Library and are named ASCRIX01 and ASCPWX01 respectively.

These two exits intercept every request in which a user ID and password (and possibly a new password) are presented to RACF through one of its standard interfaces, such as RACROUTE REQUEST=VERIFY. Note, however, that only requests that arrive through a standard RACF interface can be intercepted. If you have applications that read or update the RACF database directly using the RACF internal macros (ICHEINTY, etc.), their password checks and changes never reach the driver and bypass Authentication Services entirely.

Platform Services provides an exit router that calls multiple exit modules in sequence. You can use this router if your installation already uses either exit.

11.5.2 Installing the RACF Exits

These instructions assume that you have already installed the Platform Services Process, configured it, started it successfully, and tested it using ASCTEST.

Follow your normal procedure for applying such changes to your z/OS system. We recommend that you

  • Install and test the exits on a test system or partition first.

  • Make a copy of your system volumes before applying any changes.

  • Consider packaging the exits as SMP/E usermods.

To install the RACF exits:

  1. Install ICHRIX01, the RACINIT pre-process exit.

    • If you do not have an existing ICHRIX01 exit, run the job in SAMPLIB member RACRIX0A. This job uses SMP/E to linkedit ASCRIX01 into SYS1.LPALIB as exit ICHRIX01.

    • If you have an existing ICHRIX01 exit, update SAMPLIB member RACRIX0B as appropriate. RACRIX0B installs a router that calls the Platform Services RACINIT exit and your existing exit.

  2. Install ICHPWX01, the new password exit.

    • If you do not have an existing ICHPWX01 exit, run the job in SAMPLIB member RACPWX0A. This job uses SMP/E to linkedit ASCPWX01 into SYS1.LPALIB as exit ICHPWX01.

    • If you have an existing ICHPWX01 exit, update SAMPLIB member RACPWX0B as appropriate. RACPWX0B installs a router that calls the Platform Services new password exit and your existing exit.

  3. IPL the z/OS system with the CLPA option, so that the link pack area is rebuilt and the new ICHRIX01 and ICHPWX01 modules in SYS1.LPALIB are loaded.
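The steps above, shown as an SMP/E usermod. This is an added illustration of the shape such a usermod takes, not the contents of SAMPLIB member RACRIX0A or any other Platform Services job. The usermod name UMRIX01, the CSI name SMPE.GLOBAL.CSI, the Platform Services load library name ASC.LOADLIB, the RACF FMID HRF77D0, the target zone name MVST100 and the distribution library AOSC5 are assumptions; replace them with your installation's values.

```jcl
//RACRIX0A JOB (ACCT),'INSTALL ICHRIX01',CLASS=A,MSGCLASS=X
//*
//* Assumed names, to be replaced with your own:
//*   SMPE.GLOBAL.CSI  SMP/E global CSI
//*   ASC.LOADLIB      Platform Services Load Library (holds ASCRIX01)
//*   HRF77D0          RACF FMID installed in the target zone
//*   MVST100          target zone name
//*   AOSC5            distribution library recorded for the module
//*
//RECEIVE  EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=SHR,DSN=SMPE.GLOBAL.CSI
//ASCLOAD  DD DISP=SHR,DSN=ASC.LOADLIB
//* DLM=$$ lets the // and /* lines of the inline JCLIN pass as data.
//SMPPTFIN DD DATA,DLM=$$
++USERMOD(UMRIX01).
++VER(Z038) FMID(HRF77D0).
++JCLIN.
//LINK     EXEC PGM=IEWL,PARM='RENT,REFR,REUS,LET,LIST,XREF,NCAL'
//SYSLMOD  DD DISP=SHR,DSN=SYS1.LPALIB
//ASCLOAD  DD DISP=SHR,DSN=ASC.LOADLIB
//SYSLIN   DD *
  INCLUDE ASCLOAD(ASCRIX01)
  ENTRY   ASCRIX01
  NAME    ICHRIX01(R)
/*
++MOD(ASCRIX01) DISTLIB(AOSC5) TXLIB(ASCLOAD) LMOD(ICHRIX01).
$$
//SMPCNTL  DD *
  SET     BDY(GLOBAL).
  RECEIVE S(UMRIX01) SYSMODS.
  SET     BDY(MVST100).
  APPLY   S(UMRIX01) CHECK.
/*
```

Run it first with APPLY CHECK as shown, review the SMPOUT report for the link-edit into LPALIB, then rerun the APPLY without CHECK and IPL with CLPA. The same skeleton, with ASCPWX01 and ICHPWX01 substituted for ASCRIX01 and ICHRIX01, installs the new password exit. Because the exit is tracked as a usermod, removing it later is SET BDY(MVST100) followed by RESTORE S(UMRIX01), which is the RESTORE step that 11.5.4 calls for.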

11.5.3 Updating RACF Options

When you have installed the exits into SYS1.LPALIB and IPLed your system, RACF calls the Platform Services exits for every authentication request that supplies a password. If ASCLIENT is not running, the exit authenticates the user locally with RACF and issues the message "ASC0071I Userid user will be authenticated locally" to the z/OS console as a ROUTCDE=11 WTO. This is normal, and you should expect it regularly for logons that occur early in an IPL, before TCP/IP and ASCLIENT are up.

At this point, every RACF user who has not been excluded is authenticated through Authentication Services. If you are phasing in the conversion to the driver, make sure that your RACF and eDirectory password rules (minimum length, etc.) are identical. Otherwise, users can find that one product accepts a new password while the other rejects it. If the two sets of rules cannot be made identical, make the RACF rules less restrictive than the eDirectory rules, so that eDirectory rejects an unacceptable new password before RACF has the opportunity to.

After you have migrated most or all of your user base to the driver, turn off the RACF password rules, because the corresponding rules in eDirectory now enforce them. Keep in mind that while ASCLIENT is down, logons are authenticated locally by RACF with these relaxed settings in effect. A RACF SPECIAL user can set the options listed in the table that follows through the RACF administrator panels, or enter the following command:

setropts password( nohistory interval(254) norevoke norules )

This command affects RACF as follows:

Table 11-4 RACF Options

  NOHISTORY
    RACF does not keep a list of previously used passwords for each user. eDirectory keeps this history if it is configured to do so.

  INTERVAL(254)
    254 is the largest password change interval that SETROPTS accepts (RACF treats a stored interval of 255 as nonexpiring). Password expiration is controlled by eDirectory through the driver.

  NOREVOKE
    RACF does not revoke a user ID after excessive invalid password attempts. If intruder detection is enabled in eDirectory, eDirectory temporarily disables a user who enters too many consecutive invalid passwords.

  NORULES
    RACF does not apply any restrictions to the syntax of new passwords. The password restrictions defined in eDirectory are used instead.

Record the existing values before you change them (SETROPTS LIST displays the current settings) and save them in a safe place. You will need them if you ever remove the driver.
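One way to record the existing options, make the change, and produce a record to verify it against, in a single batch TSO job. This is an added example, not a job shipped with Platform Services. The data set names SYSADM.RACF.OPTS.BEFORE and SYSADM.RACF.OPTS.AFTER are assumptions; the submitting user must hold RACF SPECIAL for the SETROPTS in step CHANGE to succeed.

```jcl
//RACFOPTS JOB (ACCT),'RACF PASSWORD OPTIONS',CLASS=A,MSGCLASS=X
//*
//* Assumed data set names, to be replaced with your own:
//*   SYSADM.RACF.OPTS.BEFORE  settings as they were before the change
//*   SYSADM.RACF.OPTS.AFTER   settings after the change, for comparison
//*
//* Step 1: capture the current SETROPTS settings to a data set.
//BEFORE   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD DSN=SYSADM.RACF.OPTS.BEFORE,DISP=(NEW,CATLG,DELETE),
//            SPACE=(TRK,(5,5)),DCB=(RECFM=VBA,LRECL=137,BLKSIZE=0)
//SYSTSIN  DD *
  SETROPTS LIST
/*
//* Step 2: hand password enforcement to eDirectory. COND bypasses this
//*         step unless step BEFORE ended with RC=0, so no change is made
//*         without a saved record of the previous settings.
//CHANGE   EXEC PGM=IKJEFT01,DYNAMNBR=20,COND=(0,NE,BEFORE)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS PASSWORD(NOHISTORY INTERVAL(254) NOREVOKE NORULES)
/*
//* Step 3: list the settings again so the PASSWORD line can be compared
//*         with the BEFORE data set.
//AFTER    EXEC PGM=IKJEFT01,DYNAMNBR=20,COND=(0,NE,CHANGE)
//SYSTSPRT DD DSN=SYSADM.RACF.OPTS.AFTER,DISP=(NEW,CATLG,DELETE),
//            SPACE=(TRK,(5,5)),DCB=(RECFM=VBA,LRECL=137,BLKSIZE=0)
//SYSTSIN  DD *
  SETROPTS LIST
/*
```

Keep the BEFORE data set with your change records; when the driver is uninstalled (11.5.4), the PASSWORD PROCESSING OPTIONS section of that listing is the source for the SETROPTS command that reinstates the original HISTORY, INTERVAL, REVOKE and RULES values.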

11.5.4 Uninstalling the RACF Exits

  1. Make a copy of your running system before applying any changes.

  2. Use SMP/E to RESTORE the usermods for ICHRIX01 and ICHPWX01.

  3. IPL the updated system specifying CLPA, so that the link pack area is rebuilt without the removed exit modules.

  4. Using the RACF administrator panels or the SETROPTS command, reestablish the password rules that you disabled when you installed the RACF interface.