The NMSAF and NMSAFF security exits read the SXCTL file during initialization of your region.
You can specify any of these parameters in the SXCTL file.
Controls whether APPC user sessions are validated against security.
Important! Setting this parameter to NO exposes the region to unauthorized APPC sessions.
Controls whether an APPC user is eligible for model processing (if this region does not know the user).
(Default) The logon is rejected.
A model can be used (subject to model processing rules).
Controls the use of the Password Change facility in your region.
(Default) Blocks attempts to use the UAMS Password Change facility, or any other password change interface (for example, using EASINET), and produces an error message. This setting prevents users from using these region features to change their passwords (whether in UAMS or external security). This setting can be useful in distributed security environments where passwords must be changed by using a particular mechanism.
Allows the Password Change facility to be used (although the security system can reject or ignore it).
Controls the checking of console user IDs. These user IDs are for system consoles.
(Default) The console user ID is presented to SAF.
The console user ID is not presented to SAF.
Note: If CONCHECK YES is specified, this user ID is presented before the CONUID user ID is presented.
Provides a single SAF user ID for all console environments for this region. This parameter can prevent the need to define individual console users to the security system. For CONCHECK YES, the value of CONUID is presented to SAF only if verification of the specific console user ID failed.
Clears the value (blank).
Specifies the user ID.
Limits: One through eight characters, with all characters alphanumeric or national
Note: Regardless of the settings of CONCHECK and CONUID, the logon procedure ignores a failure of a console user logon. The procedure permits the logon. If the user is not defined on UAMS, the procedure supplies default values.
Controls whether data set services register system users for data set resource checking. This feature requires the NMSECDSS exit to be active.
Controls whether data set services register normal users for data set resource checking. This feature requires the NMSECDSS exit to be active.
Controls whether data set services register system users for HFS file resource checking. This feature requires the NMSECDSS exit to be active.
Controls whether data set services register normal users for HFS file resource checking. This feature requires the NMSECDSS exit to be active.
Controls the use of the MODEL user facility. If you use NMSAFF, specify MODEL LIST.
(Default) Specifies that no modeling is performed.
Specifies that the setting of SYSPARMS MODLUSER is used.
Specifies that if a model name is specified in SXCTL, it is used as the model.
Specifies that if a resource or model list is defined, then it is used to determine the model name.
You can control which logon types can participate in modeling.
Supplies an entry in a list of SAF resource names and associated model names. The parameter can be repeated up to 20 times in the SXCTL file. The order in which the pairs of resource names and model names are specified is the order in which the resource names are tested. Specifying a resource name of * always matches (no SAF AUTH call is made).
For MODEL LIST, each resource name is tested (using the class that the RCLASS parameter sets), until a resource is found that the user has READ access to (or the * entry is reached). If a match is found, the associated model name is returned. If no match is found (and no * entry is found), then no model name is returned and the logon is rejected.
If you use NMSAFF, a STARTPROF parameter must reference the model name.
Must be in valid PDSNAME format. The length must be one through eight characters. The first character must be alphabetic or national (@,#,$), and the rest must be alphanumeric or national.
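The MODEL LIST resolution order described above, as an added Python sketch (not CA code and not part of the original page). The function names, the sample resource and model names, and the `has_read` callback that stands in for the SAF AUTH check are assumptions made for illustration; model names are assumed to be uppercase.

```python
import re

# Model name: 1-8 chars, first alphabetic or national (@,#,$), rest alphanumeric or national.
MODEL_NAME = re.compile(r"[A-Z@#$][A-Z0-9@#$]{0,7}")
MAX_ENTRIES = 20            # the list entry can be repeated up to 20 times
DEFAULT_CLASS = "FACILITY"  # class used when RCLASS is a dash (none)


def validate_list(pairs):
    """Check an ordered (resource, model) list; return a list of problems."""
    problems = []
    if len(pairs) > MAX_ENTRIES:
        problems.append(f"{len(pairs)} entries exceed the limit of {MAX_ENTRIES}")
    for pos, (resource, model) in enumerate(pairs, start=1):
        if not MODEL_NAME.fullmatch(model):
            problems.append(f"entry {pos}: invalid model name {model!r}")
        if resource == "*" and pos < len(pairs):
            problems.append(f"entry {pos}: '*' makes later entries unreachable")
    return problems


def resolve_model(user, pairs, has_read, rclass="-"):
    """Return (model or None, resources checked through SAF) for MODEL LIST.

    has_read(user, saf_class, resource) is a stand-in for the SAF AUTH call.
    A model of None means nothing matched, so the logon is rejected.
    """
    saf_class = DEFAULT_CLASS if rclass == "-" else rclass
    checked = []
    for resource, model in pairs:          # tested in the order specified
        if resource == "*":                # always matches, no SAF AUTH call
            return model, checked
        checked.append(resource)
        if has_read(user, saf_class, resource):
            return model, checked
    return None, checked


# Constructed sample data: resource names, model names and permits are made up.
PAIRS = [("NM.MODEL.ADMIN", "$ADMIN"), ("NM.MODEL.OPER", "$OPER"), ("*", "$GUEST")]
PERMITS = {("ALICE", "FACILITY", "NM.MODEL.OPER")}


def sample_has_read(user, saf_class, resource):
    """Constructed permission lookup used in place of a real SAF check."""
    return (user, saf_class, resource) in PERMITS
```

Because a `*` entry hands its model to every user who reaches it without any SAF check, the model it names should carry the least privilege of any in the list, and it must be the last entry.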
Supplies the model name for modeling if MODEL SINGLE is specified (otherwise it is ignored). If no model name is specified (the default), it is the same as MODEL NO.
Clears the value (blank). This setting can cause substitution by a default value.
Names the model.
Limits: One through eight characters, with all characters alphanumeric or national
(NMSAFF only) Begins the profile section.
Begins the definition of a list of attributes and their values for modelname. The attribute names are defined in the SXCTL FIELD description of the structured fields. The MODELGROUP parameter defines modelname.
Ends the list of user attributes and values.
Sets the APPL value for RACROUTE calls.
(Default) A dash means none; the primary ACB name is then used.
Must be in valid PDSNAME format. The first character must be alphabetic or national (@,#,$), and the rest must be alphanumeric or national.
Limits: One through eight characters
Sets the SAF resource class for most RACROUTE AUTH checks (for example, for model determination).
(Default) A dash (-) means none; FACILITY is then used.
Must be in valid PDSNAME format. The first character must be alphabetic or national (@,#,$), and the rest must be alphanumeric or national.
Limits: One through eight characters
Controls the SAF validation of a ROF (Remote Operator Facility) user. ROF users are users that use the SIGNON and ROUTE commands from a remotely connected region to send commands to this one. The user ID is always the user ID that the user originally signed on with.
(Default) Validates the user by a SAF call. If the user is not known (or has been revoked, for example), the signon fails.
Makes no SAF call on this system for a ROF user.
Controls whether a ROF user is eligible for model processing (if this region does not know the user).
(Default) Rejects the logon.
Specifies that a model can be used (subject to model processing rules).
Controls whether a password is required when signing on to this region by using the ROF SIGNON command.
(Default) Specifies that the SAF password (for the security system in this region) for the current user ID must be supplied on the SIGNON command. Otherwise, the signon is rejected.
Specifies that no password is required (SAF is asked to validate the user with no password if none is supplied).
Note: Specifying ROFPWD YES can cause problems with system user IDs. If NCL processes executing in these environments issue ROF signons to other systems, then, when the requests come in, the user ID is not treated as a system user. Normal validation occurs. This scenario can be a problem if a password is required.
Controls the checking of system (or background) user IDs; for example, the BSYS and BLOG users, and the PPOP and AOMP regions.
Note: If SYSCHECK YES is specified, this user ID is presented before the SYSUID user ID is presented.
(Default) Specifies that the user ID is presented to SAF for validation (no password is required). If SAF verifies the user ID, then it is accepted.
Specifies that the generated user ID is not presented to SAF.
This parameter provides a single SAF user ID to use for all the system (or background) user IDs for this region. This feature prevents the need to define multiple user IDs (such as NM01BSYS and NM01BMON) to the security system. For SYSCHECK YES, the value of SYSUID is presented to SAF only if verification of the specific system user ID failed.
Clears the value (blank). This setting can cause substitution by a default value.
Specifies the user ID.
Limits: One through eight characters, with all characters alphanumeric or national
Note: Regardless of the settings of SYSCHECK and SYSUID, the initialization procedure ignores a failure of a system user logon. The procedure continues initializing. If the user is not defined on UAMS, the procedure supplies default values.
Enables tracing to the SXTRACE data set.
Disables all tracing, regardless of other trace options.
Enables tracing (provided the SXTRACE file can be opened during initialization), but other trace options must be set to cause actual tracing.
Enables tracing of the security exit module flow. Typically, this feature is used only on CA Support request to track down errors in the exit.
Note: This option produces a large amount of trace output.
Enables tracing of the parameter list for the security exit call on entry and exit. The trace includes the fields pointed to by parameters that are not null (except passwords).
Enables tracing of the results of RACROUTE (SAF) macro calls.
Disables all tracing.
Causes tracing of those RACROUTE calls that failed in some way.
Traces all RACROUTE calls. The trace includes the parameter list and return codes.
Controls whether a TSO user is eligible for model processing (if this region does not know the user).
(Default) Specifies that automatic model processing is not used. The user (if not defined to UAMS) is presented with a blank logon panel that uses normal logon processing rules.
Means that a model can be used (subject to model processing rules).
Controls the requirement for a password when using the TSO pass through facility (the NMLOGON TSO command).
(Default) Specifies that the user is presented with a normal logon screen, and must enter the user ID and password to gain access.
Specifies that the user can log on with no password (if this logon is not blocked in the UAMS definition).
Sets a flag in the global area accessible to other exits. You can specify up to eight of these parameters. They can be used to control logic in installation-written exits, such as NCLEX01.
Sets a name value in the global area accessible to other exits. You can specify up to four of these parameters. They can be used as input data in installation-written exits, such as NCLEX01.
Clears the value (blank). This setting can cause substitution by a default value.
Must be in valid PDSNAME format. The first character must be alphabetic or national (@,#,$), and the rest must be alphanumeric or national.
Limits: One through eight characters
Sets a user ID value in the global area accessible to other exits. You can specify up to four of these parameters. They can be used as input data in installation-written exits (such as NCLEX01).
Clears the value (blank). This setting can cause substitution by a default value.
Specifies a user ID.
Limits: One through eight characters, with all characters alphanumeric or national
Controls the activation of the APPC link security facility. The facility uses a SAF query to extract a password, with a resource class of APPCLU.
Disables the facility. No passwords are returned.
Performs a SAF resource query using network.locallu.remotelu. If the query works, the password is returned.
Is the same as YES.
Performs a SAF resource query using network.remotelu.locallu. If the query works, the password is returned.
Performs a SAF resource query using network.locallu.remotelu and then another SAF resource query using network.remotelu.locallu. If either of these queries works, the password is returned.
Note: Advanced Program-to-Program Communication (APPC) supports the use of link-level passwords. Both the DEFLINK and LINK START commands for APPC allow the specification of a password. Alternatively, the commands can use PASSWORD=EXIT, which means that the security exit can return the password.
Controls whether WebCenter user sessions are validated against security.
Important! Setting this parameter to NO exposes the region to unauthorized user logins.
Specifies whether a WebCenter user not known by this region is eligible for model processing.
(Default) Specifies that the login is rejected.
Specifies that a model can be used (subject to model processing rules).
Copyright © 2012 CA. All rights reserved.