

@SRF-System Request Facility Macro

The @SRF macro defines virtual machines authorized to use the System Request Facility (SRF). The System Request Facility lets site‑written applications request access validation and database maintenance services from the CA ACF2 service machine.

Sites that use CA ACF2 for z/VM with CA Top Secret for z/VSE should be aware that the default @SRF macro definitions include VSEIPO and CICSCVT. The VSEIPO definition names the VSE guest machine (as defined in the VM directory) that operates under CA Top Secret for VSE control. CICSCVT names the CICS/VSE system that operates under CA Top Secret for z/VSE control. Review and modify these two definitions when installing CA ACF2 for z/VM or CA Top Secret for z/VSE. You must define an @SRF macro for each VSE guest machine and each CICS partition that CA Top Secret for z/VSE is to control.

For example, @SRF VM,MLID=VM defines the VM directory name of a multiuser SRF that is authorized to use the SRF. You can only define a multiuser SRF, not a usercall SRF. You can define a maximum of 256 @SRF specifications.

The syntax for the @SRF macro is:


@SRF id,                                             SRF IDENTIFIER
   MLID=name,                                        NAME OF MINI‑LID DEFINITION
   MODE=ABORT|WARN|LOG|QUIET|(RULE,no‑rule,no‑$mode) OPERATIONAL MODE
   OPTNAME=vseoptmod                                 NAME OF THE VSE OPTIONS MODULE

id

Identifies an SRF‑authorized virtual machine. This ID must be the same as the one defined in the VM directory entry for the virtual machine or the CICS partition. Whenever you IPL a virtual machine, CA ACF2 for z/VM compares its VM name to the @SRF IDs. If CA ACF2 for z/VM does not find a match, it assumes no special processing. When it does find a match, the associated options control CA ACF2 for z/VM processing while the guest machine is running. We supply sample @SRF macros for both CA ACF2 for z/VM and CA Top Secret for z/VSE environments. We also provide a sample @SRF for sites that choose the CA Top Secret for z/VSE CICS option.

MLID

Specifies a minilogonid compression algorithm used for this virtual machine. The minilogonid facility (the ID specified in the @MLID macro) omits unnecessary portions of the logonid record from resident storage to conserve space.

MODE

Specifies the mode of the guest machine as it relates to data access. It has an effect on the SRF environment. Set MODE to one of the following:

ABORT

Log attempted violations, issue violation messages, and deny the accesses. This is the default value.

WARN

Log access violations and issue warning messages, but let accesses continue.

LOG

Log data access violations but let access continue.

QUIET

Disable CA ACF2 for z/VM data access rule validations for the guest machine. CA ACF2 for z/VM logonid record and similar user and system access validations still take place.

RULE

Checks the $MODE control statement in the appropriate access rule set to determine what action to take if the access request violates security. The value of the $MODE statement can be QUIET, LOG, WARN or ABORT, as defined above. The $MODE control statement applies only when the (RULE,no‑rule,no‑$mode) option is in effect and CA ACF2 for z/VM determines that a data access request violates security. The two positional parameters, no‑rule and no‑$mode, are defined as:

  • no‑rule

    Specifies the action CA ACF2 for z/VM takes if it does not find an access rule when RULE mode is in effect. The value for this parameter can be QUIET, LOG, WARN, or ABORT, as defined above. Be aware that if you run in rule QUIET mode, CA ACF2 for z/VM might handle read errors the same as not found conditions, resulting in allowed access.

  • no‑$mode

    Specifies the action CA ACF2 for z/VM takes if it does not find a $MODE control statement in the applicable access rule set when RULE mode is in effect. The value for this parameter can be QUIET, LOG, WARN, or ABORT, as defined above.

    For example, if user TLCJJS tries to access user TLCVLL's file named XYZ WORKFILE A for write access, but the TLCVLL rule set does not grant user TLCJJS this access, CA ACF2 for z/VM checks the $MODE control statement in the access rule set and bases the access permission decision on the $MODE value. If you specified $MODE(LOG) in the access rule set, CA ACF2 for z/VM allows user TLCJJS write access to XYZ WORKFILE A and creates a CA ACF2 for z/VM logging record. If you specified $MODE(ABORT), CA ACF2 for z/VM denies user TLCJJS access and creates a CA ACF2 for z/VM logging record detailing the access violation attempt.

OPTNAME

Defines the phase name of the guest machine options module for this system. You must code this operand. The phase named must exist in the system core image library on the VSE system. You must add it to the SVA LOADLIST. This operand is applicable to CA Top Secret for z/VSE environments only. It has no effect in a CA ACF2 for z/VM only environment.
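The resolution order described under the MODE operand, modelled in Python as an added example. It is not CA ACF2 code or output; the function names, and the requirement that both positional parameters be coded, are assumptions. `permissive_paths` is a review aid that lists which settings of a MODE value let a violating access continue.

```python
# Added illustration: models the MODE resolution described above.
# Not CA ACF2 code; all function and parameter names are hypothetical.
MODES = ("QUIET", "LOG", "WARN", "ABORT")

def parse_mode(operand="ABORT"):
    """Return (mode, no_rule, no_mode) for a MODE= value; ABORT is the default."""
    text = operand.strip().upper()
    if text.startswith("(") and text.endswith(")"):
        parts = [p.strip() for p in text[1:-1].split(",")]
        # Assumption: both positional parameters are always coded.
        if len(parts) != 3 or parts[0] != "RULE" or not set(parts[1:]) <= set(MODES):
            raise ValueError(f"invalid MODE operand: {operand!r}")
        return "RULE", parts[1], parts[2]
    if text not in MODES:
        raise ValueError(f"invalid MODE operand: {operand!r}")
    return text, None, None

def effective_mode(operand, rule_found=True, rule_mode=None):
    """Mode applied to a data access request that violates security.
    rule_found: an access rule was found; rule_mode: its $MODE value or None."""
    mode, no_rule, no_mode = parse_mode(operand)
    if mode != "RULE":
        return mode                  # fixed mode: $MODE is not consulted
    if not rule_found:
        return no_rule               # no access rule found
    if rule_mode is None:
        return no_mode               # rule set has no $MODE statement
    if rule_mode.upper() not in MODES:
        raise ValueError(f"invalid $MODE value: {rule_mode!r}")
    return rule_mode.upper()

def is_denied(operand, rule_found=True, rule_mode=None):
    """Only ABORT denies a violating access; WARN, LOG and QUIET let it continue."""
    return effective_mode(operand, rule_found, rule_mode) == "ABORT"

def permissive_paths(operand):
    """Settings in this MODE value under which a violating access continues."""
    mode, no_rule, no_mode = parse_mode(operand)
    if mode != "RULE":
        return [] if mode == "ABORT" else [f"MODE={mode}"]
    pairs = (("no-rule", no_rule), ("no-$mode", no_mode))
    return [f"{name}={value}" for name, value in pairs if value != "ABORT"]
```

With a constructed operand such as `(RULE,QUIET,ABORT)`, `permissive_paths` returns `["no-rule=QUIET"]`, the setting for which the page warns that read errors might be handled as not-found conditions and result in allowed access.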

The following ACF subcommand displays the current @SRF macro definitions and the options selected for each @SRF macro:

SHOW SRF