

How to Customize CAISSF for RACF or RACF Compatible Products

As a system administrator, you may need to customize CAISSF for use with RACF.

CAISSF (Standard Security Facility) is a subservice of the CAIRIM service.

Note: If using CA ACF2™ for z/OS or CA Top Secret® for z/OS, this customization is not necessary.

CAISSF needs a RACF Class table to identify how security calls are processed. A default table is created, but certain CA Technologies products require further entries. These entries are described in the documentation for the related product. If present in the CAS9 procedure, a CAIRACF DD statement contains the control statements for this table.

Note: The security translators for CA ACF2 and CA Top Secret (CAS9ACF2 and CAS9TS42) are provided on the installation media of these CA solutions. Contact CA Support for help with these security translators.

To customize CAISSF for RACF or RACF Compatible Products, follow these steps:

CAIRIM for RACF

  1. Modify CAISSF

    Note: Some CA products provide both a TSO/ISPF user interface and a CICS user interface. If you use only the TSO/ISPF interface, CAISSF does not need to be modified.

  2. Install CAS9RACL for CICS TS
  3. Modify RACF
  4. Modify RACF Class Table Entries If Required

Following the completion of this task, the CAISSF for RACF is installed and ready for use for each CA solution.

The security interface for RACF and CAS9SAFC is in both object and source format. The source for CAS9SAFC resides in the CA Common Source library, YourdeployHLQ.CAW0SAMP.

Important! CAS9SAFC can be modified, but we strongly recommend that you run the code that is distributed with Common Services without any modification. Only modify CAS9SAFC under rare conditions where changes have been made to the actual logic of that program. In such a case, update the RACF class name table in the sample module to match the installation requirements in addition to using the control statements in CAIRIM.

Modify CAISSF

If you are not running any CA products that have a CICS user interface, or you have such products but do not use their CICS user interface, skip this task. If you use a CA product's CICS user interface, modify CAISSF to function properly in a CICS address space when invoked by a CA product.

The CAS9RACL PLT application is required for products using the RESOURCE ACCESS function. The PLT program, CAS9RACL, RACLISTs all classnames that are found in the table that the RACFCLASS initialization parameters create. Even though the CAS9SAFC translator is invoked to issue the RESOURCE ACCESS check (using the RACF macro FRACHECK), it cannot issue a RACLIST to bring the associated classname profiles into storage because CICS runs unauthorized.

To RACLIST the required classnames for RESOURCE ACCESS processing, define the CAS9LRAC, CAS9RACL, and DFHSIP programs to RACF through the RACF authorized caller table.

Note: If you have changes to any classname profiles CAS9RACL has RACLISTed, recycle the CICS region.

Install CAS9RACL for CICS TS

Follow these steps:

  1. Add the programs DFHSIP, CAS9LRAC, and CAS9RACL to the RACF authorized caller table, ICHAUTAB, for the RACLIST right only.
  2. Define the CAS9LRAC program to the current startup and shutdown PLT for CICS using the following entry:
    DFHPLT TYPE=ENTRY,PROGRAM=CAS9LRAC
    
  3. Add the same entry to your PLT shutdown member.

    All classes RACLISTed during CICS startup are now deleted at shutdown.

    Note: Sample PLT members S910PLT and S910PLTS are furnished in YourdeployHLQ.CAW0OPTN for reference.

  4. Define the CAS9LRAC program to the current PPT for CICS using the following entry:
    DFHPPT TYPE=ENTRY,PGMLANG=ASSEMBLER,PROGRAM=CAS9LRAC
    

    Note: A sample PPT member, S910PPT, is furnished in YourdeployHLQ.CAW0OPTN for reference.

  5. Make the CAS9LRAC program accessible through DFHRPL and CAS9RACL accessible through STEPLIB or LNKLSTxx of the CICS job control.

CAS9RACL is installed.
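
The following added example is not part of the product documentation or its sample library. It is a Python check for steps 2 through 4, reading the assembler source of the startup PLT, shutdown PLT, and PPT and reporting where the CAS9LRAC entry is missing or lacks PGMLANG=ASSEMBLER. The sample members, their suffixes, and the function names are constructed for illustration; steps 1 and 5 (ICHAUTAB and library concatenations) are not covered.

```python
def macro_entries(source, macro):
    """Return the keyword operands of every `macro` statement in assembler source."""
    entries, pending = [], ""
    for line in source.splitlines():
        if line.startswith("*") or not line.strip():
            continue                              # comment or blank line
        # Columns 1-71 carry the statement; a non-blank column 72 continues it.
        pending += line[:71].strip() if pending else line[:71].rstrip()
        if len(line) > 71 and line[71] != " ":
            continue
        fields = pending.split()
        if not pending[:1].isspace():
            fields = fields[1:]                   # column 1 non-blank: drop the label
        pending = ""
        if fields[:1] == [macro]:
            operands = fields[1] if len(fields) > 1 else ""
            # Simple KEY=VALUE operands only; parenthesised sublists are not handled.
            entries.append(dict(op.split("=", 1)
                                for op in operands.split(",") if "=" in op))
    return entries

def audit(startup_plt, shutdown_plt, ppt, program="CAS9LRAC"):
    """List the table entries from the procedure that are missing or wrong."""
    def hits(src, macro):
        return [e for e in macro_entries(src, macro)
                if e.get("TYPE") == "ENTRY" and e.get("PROGRAM") == program]
    findings = []
    for name, src in (("startup PLT", startup_plt), ("shutdown PLT", shutdown_plt)):
        if not hits(src, "DFHPLT"):
            findings.append(f"{name}: no DFHPLT TYPE=ENTRY,PROGRAM={program}")
    ppt_hits = hits(ppt, "DFHPPT")
    if not ppt_hits:
        findings.append(f"PPT: no DFHPPT TYPE=ENTRY for {program}")
    elif any(e.get("PGMLANG") != "ASSEMBLER" for e in ppt_hits):
        findings.append(f"PPT: {program} entry lacks PGMLANG=ASSEMBLER")
    return findings

# Constructed sample members; suffixes are placeholders, not the shipped S910* samples.
STARTUP = ("         DFHPLT TYPE=INITIAL,SUFFIX=SI\n"
           "         DFHPLT TYPE=ENTRY,PROGRAM=CAS9LRAC\n"
           "         DFHPLT TYPE=FINAL\n")
SHUTDOWN = ("         DFHPLT TYPE=INITIAL,SUFFIX=SD\n"
            "*        DFHPLT TYPE=ENTRY,PROGRAM=CAS9LRAC\n"   # entry commented out
            "         DFHPLT TYPE=FINAL\n")
PPT = ("         DFHPPT TYPE=ENTRY,PGMLANG=ASSEMBLER,".ljust(71) + "X\n"
       "               PROGRAM=CAS9LRAC\n")               # continued statement

if __name__ == "__main__":
    for finding in audit(STARTUP, SHUTDOWN, PPT):
        print(finding)
```

In the constructed input the shutdown PLT entry is commented out, so the check reports it; with that entry absent, the classes RACLISTed at startup would not be deleted at shutdown.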