

Terminal Communication

Each of the following lets the user send terminal commands to CA WA CA 7 Edition:

The Batch Terminal Interface (SASSBSTR), the Trailer facility (SASSTRLR), the CA WA CA 7 Edition CAICCI Interface (CAL2X2W0), the CA WA CA 7 Edition TCP/IP Interface (CAL2X2T0), and U7SVC.

Although no online terminal is used with this mode of communication, input from these programs is treated as terminal input by CA WA CA 7 Edition. Command security in these environments is handled as it is for all CA WA CA 7 Edition terminals. IBM-RACF controls access to CA WA CA 7 Edition commands if EXTERNAL=COMMAND is specified on the SECURITY statement in the initialization file. IBM-RACF determines the access of a user to CA WA CA 7 Edition terminal commands based on the USERID supplied on the /LOGON command. Thus, when using an External Communicator, a /LOGON command must precede any command input.

IBM-RACF typically requires a password at logon, but including passwords in command input for the External Communicators would represent a serious security exposure. Several checks can be made to avoid the need to include passwords in command input when using these facilities.

If no /LOGON command is found in the command input, a /LOGON statement is built using the USERID associated with the current user. Under certain conditions, it is not possible to extract the USERID associated with the user of the External Communicator. In that event, a /LOGON statement is built using a default USERID of CA7DUMMY.

If a /LOGON statement is found in the command input, the current user's authority to use the USERID found on the /LOGON statement can be checked. If the USERID found on the /LOGON statement matches the USERID of the current user, it is assumed that the user has the authority to use the USERID. If the USERIDs differ, a check can validate the READ access of the user to an entity whose name is the USERID found on the /LOGON statement. The resource class is SU@MIT. Create security definitions for this resource to reflect the security needs of your installation.

If a /LOGON statement was generated, or if the user's authority to use a USERID was successfully validated, then CA WA CA 7 Edition allows the user to LOGON without a password.
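The decision flow described above can be modelled as follows. This is an added example for reviewing which USERID a given command input would run under; it is not CA WA CA 7 Edition code. It assumes a simplified `/LOGON userid` form, assumes the optional checks are enabled, and treats the cases the text leaves open (a failed check, or a /LOGON from a user whose USERID cannot be extracted) as "no password-less logon". The names `resolve_logon`, `sample_has_read` and `PERMITS` are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

DEFAULT_USERID = "CA7DUMMY"  # default USERID named on the page
RESOURCE_CLASS = "SU@MIT"    # resource class exactly as printed on the page

@dataclass
class Decision:
    userid: str
    passwordless: bool  # True: logon allowed without a password
    reason: str

def find_logon_userid(command_input: str) -> Optional[str]:
    """USERID on the first /LOGON statement, or None if there is none.
    Assumes a simplified '/LOGON userid' form; other operands are ignored."""
    for line in command_input.splitlines():
        parts = line.replace(",", " ").split()
        if len(parts) > 1 and parts[0].upper() == "/LOGON":
            return parts[1].upper()
    return None

def resolve_logon(command_input: str, current_userid: Optional[str],
                  has_read: Callable[[str, str, str], bool]) -> Decision:
    requested = find_logon_userid(command_input)
    if requested is None:
        # No /LOGON supplied: one is built for the submitter, or for the
        # default USERID when the submitter's USERID cannot be extracted.
        if current_userid:
            return Decision(current_userid.upper(), True, "built from current user")
        return Decision(DEFAULT_USERID, True, "built with default USERID")
    if current_userid and requested == current_userid.upper():
        return Decision(requested, True, "matches current user")
    # USERIDs differ: READ access to the entity named after the requested
    # USERID is what authorizes the submitter to use it.
    if current_userid and has_read(current_userid.upper(), RESOURCE_CLASS, requested):
        return Decision(requested, True, "READ access validated")
    return Decision(requested, False, "authority not validated")

# Constructed sample: one permit (user, class, entity) and three input decks.
PERMITS = {("BATCH01", RESOURCE_CLASS, "OPSUSER")}

def sample_has_read(user: str, rclass: str, entity: str) -> bool:
    return (user, rclass, entity) in PERMITS

if __name__ == "__main__":
    for deck in ("LJOB,JOB=PAYROLL", "/LOGON OPSUSER\nLJOB,JOB=PAYROLL",
                 "/LOGON SYSADM\nLJOB,JOB=PAYROLL"):
        print(resolve_logon(deck, "BATCH01", sample_has_read))
```

The model makes one review point visible: every READ permit on an entity in this resource class lets the permitted user act under that entity's USERID without a password, so those permits deserve the same scrutiny as the target USERID's command authority.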

The USERID of the current user is determined using CAS9 CAISSF services.

Note: For more information about CAISSF, see the CA Common Services documentation.

The value of BSUBCHK that CAIRIM sets controls submit checking for External Communicators.

Note: For more information, see the chapter "Execution" in the Systems Programming Guide.