DIAG 'A0' Subcode '04': CA ACF2 for z/VM Password Validation

DIAG 'A0' subcode '04' is a security subfunction that interfaces between an application (such as DirMaint) and a security product (such as CA ACF2 for z/VM). Subcode '04', in particular, applies to password validation. CA ACF2 for z/VM's support of this diagnose subfunction lets users validate CA ACF2 for z/VM passwords from their own unique applications.

Note: Requirement for VMSAF Logonid Attribute:

The logonid issuing the DIAG 'A0' subcode '04' must have the VMSAF logonid attribute. For details about this logonid field, see the Administrator Guide.

The instruction format for this diagnose and subcode follows:


           LA    Rx,UIDPW      Point Rx to user ID/password plist
           LA    Ry,4          Set Ry to subcode 4
           DC    X'83xy00A0'   Issue password validation DIAG (x=Rx, y=Ry)
           BZ    OK            cc = 0: password valid, go to OK
           C     Ry,=F'32'     Is the security system not available?
           BE    NOACF2        Yes - then go to NOACF2
           B     ERROR         Serious error - contact
*                              CA Technical Support
           ...
UIDPW      DC    CL8'userid'   User ID, blank padded to 8 characters
           DC    CL8'password' Password, blank padded to 8 characters

The completion codes for DIAG 'A0' subcode '04' are:

CC0 --> Successful, Ry = 0
CC1 --> Unsuccessful, Ry = return code
        08 = bad password
        32 = Security system CA ACF2 for z/VM not active.  User application
             must determine whether to allow.  Not applicable if
             NOAUTO=DIRPASS in VMXAOPTS because the password
             is validated against the VM directory.
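The instruction sequence and completion codes above, packaged as a callable subroutine. This is an added example, not code from the CA ACF2 for z/VM documentation; the VALIDPW name, the use of R2/R3 as Rx/Ry, the R15 return convention and the sample plist values are this example's own assumptions.

```assembly
* VALIDPW: validate a user ID/password via DIAG X'A0' subcode 4
* (added example; not CA ACF2 for z/VM's own code)
* Input : R1 -> plist of CL8 user ID, CL8 password (blank padded)
* Output: R15 = 0   password accepted
*         R15 = 8   password rejected
*         R15 = 32  CA ACF2 for z/VM not active, caller must decide
*         R15 = 16  any other return code (treat as a serious error)
* The issuing virtual machine needs the VMSAF logonid attribute.
VALIDPW  CSECT
         STM   R14,R12,12(R13)      Save caller's registers
         LR    R12,R15              Establish addressability
         USING VALIDPW,R12
         LR    R2,R1                R2 (Rx) -> user ID/password plist
         LA    R3,4                 R3 (Ry) = subcode 4, password check
         DC    X'832300A0'          DIAG X'A0' with Rx=R2, Ry=R3
         BZ    ACCEPT               cc=0: password validated, R3=0
         C     R3,=F'8'             cc=1: R3 holds the return code
         BE    REJECT               8  = bad password
         C     R3,=F'32'
         BE    NOACF2               32 = security system not active
         LA    R15,16               Anything else: serious error
         B     RETURN
ACCEPT   SR    R15,R15              Return 0
         B     RETURN
REJECT   LA    R15,8                Return 8
         B     RETURN
NOACF2   LA    R15,32               Return 32; unless NOAUTO=DIRPASS
*                                   is in effect, the caller decides
RETURN   L     R14,12(R13)          Restore return address
         LM    R0,R12,20(R13)       Restore R0-R12, keep R15
         BR    R14
         LTORG
* Caller side (constructed): validate as soon as the request arrives,
* before the requesting user can log off.
*        LA    R1,UIDPW
*        L     R15,=V(VALIDPW)
*        BALR  R14,R15
*        LTR   R15,R15              0 = accepted
UIDPW    DC    CL8'USER1'           Constructed sample user ID
         DC    CL8'PASSWORD'        Constructed sample password
R0       EQU   0
R1       EQU   1
R2       EQU   2
R3       EQU   3
R12      EQU   12
R13      EQU   13
R14      EQU   14
R15      EQU   15
         END   VALIDPW
```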

For any process issuing DIAG 'A0' subcode '04', complete the password validation as soon as possible. If a CA ACF2 for z/VM group virtual machine submits a request with the password of the group user and logs off before CA ACF2 for z/VM validates the password, CA ACF2 for z/VM validates the password against the group virtual machine, not the group user. Consequently, the validation fails.

Any application that issues DIAG 'A0' subcode '04' should issue it immediately after receiving a transaction instead of waiting until the transaction is processed. For example, a server machine can receive a request for nighttime processing; CA ACF2 for z/VM should validate the password when the request is received, not at night.

CA ACF2 for z/VM supplies the ACFSAFA0 module that can be used by user applications to issue DIAG 'A0' subcode '04'. The syntax is as follows:

ACFSAFA0 userid password

DirMaint Consideration with ISF/CSE Complexes

CA ACF2 for z/VM password validation for DirMaint occurs through the DIAG 'A0' subcode '04' interface. The CA ACF2 for z/VM support for this interface incorporates special logic for CA ACF2 for z/VM group logon machines (defined with the GRPLOGON privilege) when you install the IBM Inter-System Facility (ISF) or when you are running in a CSE complex.

For example, assume DirMaint is running on one processor in an ISF/CSE complex. A user running on another processor can issue a DirMaint command that is sent to DirMaint. When DirMaint requires CA ACF2 for z/VM to validate the password, it uses a special check to determine whether the user is defined as a CA ACF2 for z/VM group machine. This check is needed because, if the user is a group machine, CA ACF2 for z/VM must validate the password against the group user of the machine instead of the group machine itself.

The GRP-USER field, defined in the Access section (Group 3) of LID records, contains the logonid of the last group user to log onto a group machine. The password of this logonid undergoes validation whenever a user invokes DIAG 'A0' subcode '04' to validate the password of a group machine in an ISF/CSE complex.