CA ACF2 for VM uses the CA SAF interface in the CA‑ESM RPIUCMS module. When a system product invokes the RPIUCMS module to request the services of an external security product, CA ACF2 for VM gets control. When a security event occurs, CA ACF2 for VM intercepts the call or processes a SAF call.
When another system product makes a request for security information, it uses the RACROUTE macro. The CA SAF interface intercepts these requests and processes them in terms that CA ACF2 for VM can understand. Some common requests with their CA ACF2 for VM translations are:
| RACROUTE REQUEST | CA ACF2 for VM Translation |
|---|---|
| AUDIT | CA ACF2 for VM journals a Type=V SMF record for the specified audit event. This results in type TRC entries in the ACFRPTRV report. No SVC calls can be issued from this environment. For example, VTAM, APPC, and PSF make use of these types of calls. |
| AUTH, CLASS=DATASET | CA ACF2 for VM performs data set validation for the request. You may need to define a SAFDEF record for the call. |
| AUTH, CLASS=others | CA ACF2 for VM performs a resource validation. The default CLASS is SAF. If another CLASS is specified in the RACROUTE macro, you must create a CLASMAP record to define the three‑character resource type of the resource that you want to validate. |
| DEFINE, CLASS=DATASET | CA ACF2 for VM performs data set validation for the request. |
| EXTRACT | CA ACF2 for VM executes the SAF call to extract the requested information from the CA ACF2 for VM databases, where applicable in CA ACF2 for VM. Standard SAF and SAF product return and reason codes are returned with some exceptions. If a RACROUTE REQUEST=EXTRACT,TYPE=REPLACE SAF request fails, |
| FASTAUTH | CA ACF2 for VM FASTAUTH processing retrieves the rule in storage if one exists and performs a resource validation. The validation takes into consideration both NEXTKEY and XREF processing. If access is allowed, CA ACF2 for VM sets an allow return code. If access is denied or no rule exists, CA ACF2 for VM checks for unscoped SECURITY or NON‑CNCL. If these privileges are on, CA ACF2 for VM sets an “allow but log” return code. The caller is responsible for redriving the validation as a regular AUTH call. CA ACF2 for VM performs a FASTAUTH call only if resident rules exist. If the rules are not resident, the call gets a RC=8. See Part I: Defining VM System Options for information about the RESTYPE record and how to activate an infostorage record. If you have not made the rules resident, the FASTAUTH call creates a violation. |
| LIST | CA ACF2 for VM builds a resource rule directory for the specified resource class. The default CLASS is SAF. This type code must be specified in a RESTYPE record. If the SAF call is for another CLASS, you must specify a CLASMAP record to translate the resource class into a three‑character resource type. CA ACF2 for VM stores the resource type in the resource rule directory. |
| STAT | CA ACF2 for VM verifies that security is active, that the class exists, and that the class is active. CA ACF2 for VM processes all SAF classes as ACTIVE. |
| TOKENBLD | CA ACF2 for VM TOKEN processing routines build, map, or extract TOKENs. |
| VERIFY | CA ACF2 for VM performs all VERIFY requests to build the user control block (ACEE and ACUCB) for the service machine. CA ACF2 for VM performs system entry validation on the logonid associated with the service machine. VERIFY requests are also supported for MUSASS environments. |
| VERIFYX | CA ACF2 for VM performs all VERIFYX requests to validate a user, build a TOKEN, and return it to the caller. |

Copyright © 2009 CA Technologies. All rights reserved.