The NMSAF security exit reads the SXCTL file during initialization of your region. You can specify any of the following parameters in the SXCTL file.
Controls whether APPC user sessions are validated against security.
Note: Do not set this parameter to NO.
Controls whether an APPC user is eligible for model processing (if not known by this region).
(Default) The logon is rejected.
A model can be used (subject to model processing rules).
Blocks the use of the Password Change facility in your region.
(Default) Blocks attempts to use the UAMS Password Change facility, or any other password change interface (for example, using EASINET), and produces an error message. This setting prevents users from using these region features to change their passwords (whether in UAMS or external security) and can be useful in distributed security environments where passwords must be changed by using a particular mechanism.
Allows the Password Change facility to be used (although the security system can reject or ignore it).
Controls the checking of console user IDs. These are user IDs for system consoles.
(Default) The console user ID is presented to SAF.
The console user ID is not presented to SAF.
Note: If CONCHECK YES is specified, this user ID is presented before the CONUID user ID is presented, if one is set.
Provides a single SAF user ID to use for all console environments for this region. This parameter can prevent the need to define individual console users to the security system. If CONCHECK YES is set, the value of CONUID is presented to SAF only if verification of the specific console user ID failed.
Specifies that the value is to be cleared (blank).
Specifies the user ID.
Limits: One through eight characters, with all characters alphanumeric or national
Note: Regardless of the settings of CONCHECK and CONUID, the logon procedure ignores a failure of a console user logon. The procedure allows the logon and, if the user is also not defined on UAMS, supplies default values.
This parameter controls whether data set services register system users for data set resource checking. This feature requires the NMSECDSS exit to be active.
Controls whether data set services register normal users for data set resource checking. This feature requires the NMSECDSS exit to be active.
This parameter controls whether data set services register system users for HFS file resource checking. This feature requires the NMSECDSS exit to be active.
This parameter controls whether data set services register normal users for HFS file resource checking. This feature requires the NMSECDSS exit to be active.
Controls the use of the MODEL user facility.
(Default) No modeling is to be performed.
The setting of the SYSPARMS MODLUSER is to be used.
If a model name is specified in SXCTL, it is used as the model.
If a resource or model list is defined, then it is used to determine the model name.
Modeling applies only if a user logs on to the region and no UAMS definition exists. You can control which logon types can participate in modeling.
Supplies an entry in a list of SAF resource names and associated model names. The parameter can be repeated up to 20 times in the SXCTL file. The order in which the pairs of resource names and model names are specified is the order in which the resource names are tested. Specifying a resource name of * always matches (no SAF AUTH call is made).
If MODEL LIST is specified and modeling is required (that is, the user is not known to the region), then each defined resource name is tested (using the class as set by the RCLASS parameter) in turn, until a resource is found that the user has at least READ access to (or the * entry is reached). If a match is found, the associated model name is returned. If no match is found (and no * entry is found), then no model name is returned and the logon is rejected.
Must be in valid PDSNAME format. The length must be one through eight characters; the first character must be alphabetic or national (@,#,$) and the rest must be alphanumeric or national.
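The resource-to-model resolution described above, as an added example that is not part of the NMSAF exit: it walks the MODEL LIST pairs in SXCTL order, stops at the first resource the user has READ access to (or at the `*` entry, which is matched without any SAF AUTH call), and rejects the logon when nothing matches. The SAF AUTH check is a constructed stand-in keyed on (user, resource); the list entries, user IDs and the RCLASS value are constructed sample data, and the PDSNAME validator assumes uppercase names as used on z/OS.

```python
import re
from typing import Callable, Optional, Sequence, Tuple

# PDSNAME-format rule from the SXCTL documentation: 1-8 characters, first
# alphabetic or national (@ # $), the rest alphanumeric or national.
_PDSNAME = re.compile(r"[A-Z@#$][A-Z0-9@#$]{0,7}")
# User ID rule: 1-8 characters, all alphanumeric or national.
_USERID = re.compile(r"[A-Z0-9@#$]{1,8}")
MAX_MODEL_LIST_ENTRIES = 20  # MODEL LIST may be repeated up to 20 times


def is_valid_pdsname(name: str) -> bool:
    return _PDSNAME.fullmatch(name) is not None


def is_valid_userid(name: str) -> bool:
    return _USERID.fullmatch(name) is not None


# Constructed stand-in for a RACROUTE AUTH READ check: (user, resource) -> True
# when the user has at least READ access in the configured RCLASS.
_ACCESS = {
    ("USER01", "NM.OPER.NETWORK"): True,
    ("USER02", "NM.OPER.ADMIN"): True,
}


def saf_auth_read(user: str, rclass: str, resource: str) -> bool:
    return _ACCESS.get((user, resource), False)


def resolve_model(user: str, model_list: Sequence[Tuple[str, str]],
                  rclass: str = "FACILITY",
                  auth: Callable[[str, str, str], bool] = saf_auth_read,
                  calls: Optional[list] = None) -> Optional[str]:
    """Return the model name for a user unknown to the region, or None (reject)."""
    if len(model_list) > MAX_MODEL_LIST_ENTRIES:
        raise ValueError("MODEL LIST may have at most 20 entries")
    for resource, model in model_list:
        if not is_valid_pdsname(model):
            raise ValueError(f"model name {model!r} is not a valid PDSNAME")
        if resource == "*":          # always matches, no SAF AUTH call is made
            return model
        if calls is not None:        # record which resources were actually tested
            calls.append(resource)
        if auth(user, rclass, resource):
            return model
    return None                      # no match and no * entry: logon rejected


# Constructed SXCTL-style list; order is the order in which resources are tested.
MODEL_LIST = [("NM.OPER.ADMIN", "ADMINMOD"), ("NM.OPER.NETWORK", "NETMOD"), ("*", "GUESTMOD")]
```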
Supplies the model name to use for modeling if MODEL SINGLE is specified (otherwise it is ignored). If no model name is specified (the default), it is as if MODEL NO is specified.
Specifies that the value is to be cleared (blank). This setting can cause substitution by a default value.
Names the model.
Limits: One through eight characters, with all characters alphanumeric or national
Sets the APPL value to use on RACROUTE calls.
(Default) A dash means none; the primary ACBNAME is then used.
Must be in valid PDSNAME format. The length must be one through eight characters; the first character must be alphabetic or national (@,#,$) and the rest must be alphanumeric or national.
Sets the SAF resource class to use for most RACROUTE AUTH checks (for example, for model determination).
(Default) A dash (-) means none; FACILITY is then used.
Must be in valid PDSNAME format. The length must be one through eight characters; the first character must be alphabetic or national (@,#,$) and the rest must be alphanumeric or national.
Controls the SAF validation of a ROF (Remote Operator Facility) user. ROF users are users who use the SIGNON and ROUTE commands from a remotely connected region to send commands to this one. The user ID is always the user ID that the user originally signed on with.
(Default) Validates the user by a SAF call. If the user is not known (or has been revoked, for example), the signon fails.
Makes no SAF call on this system for a ROF user.
Controls whether a ROF user is eligible for model processing (if not known by this region).
(Default) The logon is rejected.
A model can be used (subject to model processing rules).
Controls whether a password is required when signing on to this region by using the ROF SIGNON command.
(Default) The correct SAF password (for this region's security system) for the current user ID must be supplied on the SIGNON command; otherwise, the signon is rejected.
No password is required (SAF is asked to validate the user with no password if none is supplied).
Note: Specifying ROFPWD YES can cause problems with system user IDs. If NCL processes executing in these environments issue ROF signons to other systems, then, when the requests come in, the user ID is not treated as a system user and normal validation occurs. This scenario can be a problem if a password is required.
Controls the checking of system (or background) user IDs; for example, the BSYS and BLOG users, and the PPOP and AOMP regions.
Note: If SYSCHECK YES is specified, this user ID is presented before the SYSUID user ID is presented, if one is set.
(Default) The user ID is presented to SAF for validation (no password is required). If SAF verifies the user ID, then it is accepted.
The generated user ID is not presented to SAF.
This parameter provides a single SAF user ID to use for all the system (or background) user IDs for this region. This feature prevents the need to define multiple user IDs (such as NM01BSYS and NM01BMON) to the security system. If SYSCHECK YES is set, the value of SYSUID is presented to SAF only if verification of the specific system user ID failed.
Specifies that the value is to be cleared (blank). This setting can cause substitution by a default value.
Specifies the user ID.
Limits: One through eight characters, with all characters alphanumeric or national
Note: Regardless of the settings of SYSCHECK and SYSUID, the initialization procedure ignores a failure of a system user logon. The procedure continues initializing and, if the user is also not defined on UAMS, supplies default values.
Enables tracing to the SXTRACE data set.
Disables all tracing, regardless of other trace options.
Enables tracing (provided the SXTRACE file can be opened during initialization), but other trace options must be set to cause actual tracing to occur.
Enables tracing of the security exit module flow. Typically, this feature is used only if requested by Technical Support to track down errors in the exit.
Note: This option produces a large amount of trace output.
Enables tracing of the security exit call parameter list on entry and exit. The trace includes the fields pointed to by parameters that are not null (except passwords).
Enables tracing of the results of RACROUTE (SAF) macro calls.
Disables all tracing.
Causes tracing of those RACROUTE calls that failed in some way.
Traces all RACROUTE calls. The trace includes the parameter list and return codes.
Controls whether a TSO user is eligible for model processing (if not known by this region).
(Default) Automatic model processing is not used and the user (if not defined to UAMS) is presented with a blank logon panel that uses normal logon processing rules.
Means that a model can be used (subject to model processing rules).
Controls the requirement for a password when using the TSO pass through facility (the NMLOGON TSO command). Values are:
(Default) The user is presented with a normal logon screen and must enter the user ID and password to gain access.
The user can be logged on (using the current TSO user ID) with no password (provided that this is not blocked in the UAMS definition for this user).
These parameters (up to 8) set flags in the global area accessible to other exits. They can be used to control logic in installation-written exits, such as NCLEX01.
These parameters (up to 4) set name values in the global area accessible to other exits. They can be used as input data in installation-written exits, such as NCLEX01.
The value is to be cleared (blank). This setting can cause substitution by a default value.
Must be in valid PDSNAME format. The length must be one through eight characters; the first character must be alphabetic or national (@,#,$) and the rest must be alphanumeric or national.
These parameters (up to 4) set user ID values in the global area accessible to other exits. They can be used as input data in installation-written exits (such as NCLEX01).
The value is to be cleared (blank). This setting can cause substitution by a default value.
Specifies a user ID.
Limits: One through eight characters, with all characters alphanumeric or national
Controls the activation of the APPC link security facility. The facility uses a SAF query to extract a password, with a resource class of APPCLU.
Disables the facility. No passwords are returned.
Causes a SAF resource query using network.locallu.remotelu to be performed. If the query works, the password is returned.
The same as YES.
Causes a SAF resource query using network.remotelu.locallu to be performed. If the query works, the password is returned.
Causes a SAF resource query using network.locallu.remotelu to be performed, and then another SAF resource query using network.remotelu.locallu. If either of these queries works, the password is returned.
Note: Advanced Program-to-Program Communication (APPC) supports the use of link-level passwords. Both the DEFLINK and LINK START commands for APPC allow the specification of a password, or alternatively the use of PASSWORD=EXIT, which means that the security exit can return the password.
Specifies whether a WebCenter user not known by this region is eligible for model processing.
(Default) The logon is rejected.
A model can be used (subject to model processing rules).