
RACF for the Systems Programmer

Hayim Sokolsky
RSH Consulting, Inc.
* Permission is granted to SHARE Inc. to copy, reproduce or republish this document in whole or in part for SHARE activities only.

Session 1765/1766 RACF for Systems Programmer 1


Having fun with RACF

Crayons not included...



About the presenter

We’re trained professionals… don’t try this at home boys & girls…

About the presenter

• Hayim Sokolsky has been a systems programmer, software designer, and consultant for 21 years, with 19 years of RACF and security related experience.


Where to find me…
RSH Consulting
Security • Support • Solutions
29 Caroline Park, Newton MA 02468-1101
http://www.rshconsulting.com

Hayim Z. Sokolsky
hayim@rshconsulting.com

1 561 393•3666
Fax 1 561 393•7588



The “L” – the RACF-L
• Worldwide Forum - RACF related issues
– Mail to ListServ server
– ListServ forwards mail to all subscribers
– Any subscriber can respond – IBM, Vendors, Folks like you, even me
• To Subscribe
– Send email to: LISTSERV@LISTSERV.UGA.EDU
• Subject: SUBSCRIBE RACF-L


The Agenda

Where do we go from here...



Part Uno
• Review of
– RACF control blocks
– Customizable RACF modules
– RACF macros & stuff



Part Deux
• Examples and ideas for:
– RACF exits
– MVS and JES exits



And then...
• It’s a free-for-all…
– Questions
– Your code
– Your exits
– Suggestions
– Whatever…



Questions along the way…
If anything comes to mind,
feel free to ask at any point.



Review

Background stuff…



RACF Control Blocks

Leggo for the RACF Systems Programmer


Control Blocks Everywhere
• CSA
– RCVT
– SAFV
– Router Table
– CDT
– Started Procedures Table (ICHRIN03)
• Private
– ACEE
– Security Token (covered later…)


RCVT
RACF Communication Vector Table
• Primary RACF vector table
– one per system image
– contains active RACF option settings
• Created by RACF at IPL
– if RACF not installed, does not exist
– Other OEM security products create an RCVT look-alike


Finding the RCVT
• Resides in CSA
• Anchored in CVTRAC
• Mapped by ICHPRCVT
• Locate via
– TSO TEST L 10.%+3E0%
– XDC L 10%+3E0%



Finding the RCVT
• Locate via Assembler
         L     R15,CVTPTR           R15 -> CVT (CVTPTR is location X'10')
         USING CVT,R15
         ICM   R15,B'1111',CVTRAC   R15 -> RCVT (CVTRAC at CVT+X'3E0')
         BZ    NORCVT               Zero: no RACF, so no RCVT
         USING RCVT,R15

– normally replace ICM & BZ with simple L
         L     R15,CVTRAC           R15 -> RCVT


Following the RCVT
• RCVT contains pointers to
– DSDT: RACF Dataset Descriptor Table
– RNG: RACF Database Range Table (splits)
– ICB: Inventory Control Block (first block of RACF database)
– Templates: RACF database templates (database record descriptions)


Following the RCVT
• RCVT contains pointers to
– CDT: Class Descriptor Table
– NCV: Naming Convention Table
– Exits: Most RACF exits (but not all)
– RCVX: RACF OCO extension


And in the RCVT
• RCVT contains active RACF options
– Password options
– Class related options (here, not CDT)
• Active, Generic, RACLISTed
– Processing options
• List of groups, protect-all, JES, etc…



RCVT in monochrome
• Unformatted RCVT
+0 0 D9C3E5E3 00C7E700 *RCVT.GX.*
+8 0 00C7E758 060F5380 00000000 060F4380 *.GX.............*
+18 0 00000000 00000000 00000000 00F41B80 *.............4..*
+28 0 00103C80 00C7E788 00000000 123F000C *.....GXh........*
+38 0 D9C1C3C6 C4E24BD7 D9D6C44B D7D9C9D4 *RACFDS.PROD.PRIM*
+48 0 F0F04040 40404040 40404040 40404040 *00 *
+58 0 40404040 40404040 40404040 E2E8E2F1 * SYS1*
+68 0 4BE4C1C4 E2404040 40404040 40404040 *.UADS *
+78 0 40404040 40404040 40404040 40404040 * *
+88 0 40404040 40404040 E2C3D7D4 E5F5397F * SCPMV5."*
+98 0 00030143 80E3ADF4 00000000 00000000 *.....T.4........*
+A8 0 00D92920 08000000 00000000 00000000 *.R..............*



RCVT in monochrome
• Formatted using XDC
+0 RCVTID D9C3E5E3 -641473053 *RCVT*
+4 RCVTDCB 00C7E700 +13100800 *.GX.*
+8 RCVTDEB 00C7E758 +13100888 *.GX.*
+C RCVTINDX 060F5380 +101667712 *....*
+10 RCVTTEMP 00000000 +0 *....*
+14 RCVTHDR 060F4380 +101663616 *....*
+18 RCVTRIX 00000000 +0 *....*
+1C RCVTRCX 00000000 +0 *....*
+20 RCVTRDX 00000000 +0 *....*
+24 RCVTRUCB 00F41B80 +15997824 *.4..*
+28 RCVTXLEN 00103C80 +1064064 *....*
+2C RCVTBAM 00C7E788 +13100936 *.GXh*
+30 RCVTISTL 00000000 +0 *....*



RCVT vs. ICB
• RCVT contains
– Pointers to other system-wide
• Control blocks
• Modules
– Active RACF options
• RCVT is local
– to LPAR
• ICB contains
– RACF Database internal pointers
– Saved RACF options
• ICB is shared
– all LPARs using same RACF database set


SAFV
SAF Vector Table
• Primary SAF vector table
– one per system image
– anchors SAF modules
– anchors SAF tables
• Always exists
– except early in IPL



Finding the SAFV
• Resides in CSA
• Anchored in CVTSAF
• Mapped by ICHPSAFV
• Locate via
– TSO TEST L 10.%+F8%
– XDC L 10%+F8%



Finding the SAFV
• Locate via Assembler
         L     R15,CVTPTR           R15 -> CVT
         USING CVT,R15
         L     R15,CVTSAF           R15 -> SAFV (CVTSAF at CVT+X'F8')
         USING SAFV,R15


ACEE
Accessor Environment Element
• Primary user session control block
– represents a single signed-on userid
• Non-relocatable
– contains address pointers
• Mapped by IHAACEE
– technically it’s an MVS not a RACF control block


ACEE again
• Created/Deleted by RACINIT
• Exists for life of active session
– Batch Job Execution
– TSO session
– CICS/IMS/etc… session
• Must exist to allow for other security calls


Who’s got my ACEE?
• Anchored via
– ASXBSENV - address space environment
• TSO test… L 224.?+6C?+F8?
– TCBSENV - subtask environment
• TSO test… L 21C.?+154?
– other places - non-system managed environment
• TSO test… varies


Park my ACEE I
ASXBSENV – Address Space level
– Use / Created and deleted by
• TSO user: TSO logon/logoff
• Batch Job: Job init/termination
• Started Task: STC init/termination
– May also be anchored elsewhere
• If you did not create it, do NOT delete it


Park my ACEE II
TCBSENV – Task Level
– Use / Created and deleted by
• JES subtask: JES processing
• FTP: FTP logon/logoff
• Others: Their own processing
– May also be anchored elsewhere
• Once again, if you did not create it, do NOT delete it


Park my ACEE III
Local CB – Application owned
– Use / Created and deleted by
• CICS user: CICS logon/logoff
• Others: Their own processing
– May also be anchored elsewhere
• Play it again Sam - if you did not create it, do NOT delete it


Which ACEE is used?
1. If caller provides ACEE=,
then only ACEE= is used
2. If TCBSENV ¬= 0,
then TCBSENV ACEE is used
3. If ASXBSENV ¬= 0,
then ASXBSENV ACEE is used
4. Otherwise, abend with …
S582, S283, S585, S4C6 …



Caveat ACEE
• TCBSENV is not inherited
– ATTACH does not propagate TCBSENV
• Subtask lives under ASXBSENV ACEE
• TCBSENV can be filled in by ATTACHing code
– DETACH macro does not cause ACEE
deletion



But if I didn’t create it…
• Never delete someone else’s ACEE
– Causes ABENDS
S0C4 Sx82 Sx83 Sx84 Sx85
• However you can…
– De-anchor someone else’s ACEE
– Anchor the one YOU built
– But clean up (re-anchor theirs) when you’re done


Finding the “Active” ACEE
• Locate via Assembler
         L     R15,PSATOLD          R15 -> TCB
         USING TCB,R15
         ICM   R15,B'1111',TCBSENV  R15 -> ACEE?
         BNZ   HAVEACEE             Yes, use it
         L     R15,PSAAOLD          R15 -> ASCB
         USING ASCB,R15
         L     R15,ASCBASXB         R15 -> ASXB
         USING ASXB,R15
         ICM   R15,B'1111',ASXBSENV R15 -> ACEE?
         BNZ   HAVEACEE             Yes, use it
         B     NOACEE               No, c'est la vie


Raw ACEE
• Unformatted
+0 0 C1C3C5C5 FF0000A8 02000000 00000000 *ACEE...y........*
+10 0 00000000 06C8C1E8 C9D4E740 40085BE2 *.....HAYIMX .$S*
+20 0 D6C6E3C4 E5D30101 0000026F 40404040 *OFTDEV.....? *
+30 0 40404040 00C46D48 00000000 00000000 * .D_.........*
+40 0 E2C3F0E3 C3D7F0F1 00000000 00000000 *SC0TCP01........*
+50 0 00000000 00000000 40404040 40404040 *........ *
+60 0 00000000 008FD5B8 00000000 008FD5D0 *......N.......N}*
+70 0 7FFFB858 008FD638 00000000 0100026F *".....O........?*
+80 0 00000000 00200000 00000000 00000000 *................*
+90 0 00000000 00000000 008FD6A0 00000000 *..........O.....*
+A0 0 00000000 008FD720 *......P.*



Formatted ACEE
• Formatted using XDC
+0 ACEE C1C3C5C5 -1044134459 *ACEE*
+4 ACEESP FF 255 *.*
+5 ACEELEN 0000A8 168 *..y*
+8 ACEEVRSN 02 2 *.*
+9 000000 0 *...*
+C ACEEIEP 00000000 +0 *....*
+10 ACEEINST 00000000 +0 *....*
+14 ACEEUSER
+14 ACEEUSRL 06 6 *.*
+15 ACEEUSRI C8C1E8C9 D4E74040 *HAYIMX
+1D ACEEGRP
+1D ACEEGRPL 08 8 *.*
+1E ACEEGRPN 5BE2D6C6 E3C4E5D3 *$SOFTDEV*
+26 ACEEFLG1 01 1 *.*
+27 ACEEFLG2 01 1 *.*
+28 ACEEFLG3 00 0 *.*
+29 ACEEDATE 00026F 623 *..?*



Security Token
• Transportable data area
– represents a user’s session
• Anchored via / Located in
– ACEETOKP - active environment
– other locations - job header (JCT)...
• Mapped by ICHRUTKN
• Used to recreate a security environment



Security Token Contents
• Active User Info
– Userid, Group, Security Label
– Execution node (batch token)
• Submitting user info
– Submitting Userid, Group and Node



Security Token Use
• Used to recreate a security environment
• Can be passed
– Inside Address Space
– Across Address Spaces
– Across LPARs
– Across RACF nodes
• Will normally require adjustment or translation
• JES uses NODES class for token translation



Raw Token
• Unformatted
+0 0 50012000 0001C000 00000000 00000000 *&.....{.........*
+10 0 00000000 00000000 00000000 00000000 *................*
+20 0 00000000 00000000 00000000 00000000 *................*
+30 0 E2C3F0E3 C3D7F0F1 00000000 00000000 *SC0TCP01........*
+40 0 C8C1E8C9 D4E74040 5BE2D6C6 E3C4E5D3 *HAYIMX $SOFTDEV*



ACEE vs. Token
ACEE
• Active environment
• Exists only during active signon
Token
• Transportable
• Exists before, during and after use (BATCH)


Customizable RACF modules

Some ya must, some ya can…


Modules Everywhere
• ICHSECOP
• ICHRDSNT
• ICHRRNG
• ICHRRCDE
• ICHRFR01
• ICHNCV00
• ICHRIN03



ICHSECOP
Security Initialization Options
• Normally not changed by installation
• Used to
– Bypass RACF startup at IPL
– Select number of resident Data Blocks (if Database Name Table not used)
– Disallow duplicate Dataset names


ICHRDSNT
RACF Database Name Table
• Defines name(s) of RACF datasets
• Defines database duplexing options
• Defines Resident Data Blocks
• Defines use of Sysplex



ICHRRNG
Database Range Table
• Used to physically split one RACF database across multiple datasets
• allows distribution of RACF I/O overhead across multiple DASD drives
• must be kept in synch with Database Name Table … or else


ICHRRCDE
Installation-defined Class Table
• Defines installation or OEM vendor RACF classes
– IBM classes provided in ICHRRCDX
– Merged by RACF at IPL
• Changed via IPL


ICHRFR01
“RACF” Router Table
• Used by RACF portion of SAF router
• Defines Installation-defined and OEM classes to RACF router
– Should match entries in ICHRRCDE
– Merged with IBM provided ICHRFR0X
• Also updated for DB2 subsystems


The usual caveats…
• Installation-defined resource classes must contain at least one
– national (@ # $) -or-
– numeric (0-9)
character in positions 2-8
• Always keep your ICHRRCDE and ICHRFR01 in sync


ICHNCV00
RACF “Naming Conventions Table”
• Used to rearrange DATASET names to reference different profiles, based upon any combination of:
– data set name (or parts thereof)
– userid (or parts thereof)
– current group (or parts thereof)
– event


ICHRIN03
Started Procedures Table
• Assigns user/group to started tasks
– Single entry per STC
– One Default entry
– change via IPL only
• Replaced with RACF STARTED class
– generic assignment for one or more STCs
– change by RACF commands at any time



RACF Macros

Reach out & check someone



Macro Interfaces
• SU 32 style
– individual macros, one per service/svc
– only available to 24-bit callers
• RACROUTE style
– one macro
– available to both 24-bit and 31-bit callers
– provides far greater services and enhancements


RACF Macros
SU 32 (them oldies) -> RACROUTE REQUEST=
• RACINIT -> VERIFY (& VERIFYX)
• RACHECK -> AUTH
• FRACHECK -> FASTAUTH
• RACDEF -> DEFINE
• RACLIST -> LIST
• RACXTRT -> EXTRACT
• RACSTAT -> STAT


When I say…
Say: -> Mean: RACROUTE REQUEST=
RACINIT -> VERIFY
RACHECK -> AUTH
RACDEF -> DEFINE
FRACHECK -> FASTAUTH
RACLIST -> LIST
RACXTRT -> EXTRACT

What do they do?
• Authentication (a.k.a. validate an id)
– RACINIT / REQUEST=VERIFY
• Create/delete ACEE
• Validate userid/password/group
• Authorization (a.k.a. allow access)
– RACHECK / REQUEST=AUTH
– FRACHECK / REQUEST=FASTAUTH
– RACDEF / REQUEST=DEFINE



And what else...
• Check RACF status
– RACSTAT / REQUEST=STAT
• Pre-load resource profiles
– RACLIST / REQUEST=LIST
• Extract/Update profiles, Encryption
– RACXTRT / REQUEST=EXTRACT


RACROUTE additions
• Token related
– REQUEST=TOKENBLD - create token
– REQUEST=TOKENMAP - (de)hash token
– REQUEST=TOKENXTR - copy token
• Auditing (without resource check)
– REQUEST=AUDIT


RACROUTE additions
• Mandatory Access Checking
– REQUEST=DIRAUTH
• Signon processing (APPC persistence)
– REQUEST=SIGNON


ICHEINTY & co
• Direct RACF database access
• Not normally recommended
– IBM recommends RACXTRT / RACROUTE REQUEST=EXTRACT
– Requires thorough knowledge of RACF database templates and database
• However
– Sometimes it is the only choice


Coding a RACROUTE

Down to the nitty-gritty



What is RACROUTE
• A single “front door” to security via
– One entry service routine – SAF router
– One macro – RACROUTE
– One common parameter list header – SAFP
– Service routine parameter list
• ACHKL: RACHECK
• RDDFL: RACDEF
• RIPL: RACINIT


RACROUTE MF= flavors
• RACROUTE has 4 MF= versions
MF=S Standard Inline (bad idea)
MF=L List form – static source
MF=M Modify form – update parmlist only
MF=E Execute form – invoke SAF & RACF



SAFP – SAF parmlist
• Normally x’68’ (104) bytes long
• Precedes RACF service parameter list
• Contains offset of RACF service parameter list
– Not the address of that parameter list
– May not be contiguous with parameter list (nasty side effect of inline RACROUTE)


SAFP – Initialization
• Must be initialized
– Via inline RACROUTE
• Yeech! Non-reentrant code. Phooey!
– Via RACROUTE REQUEST=…,MF=L
• Or a copy of the MF=L copied to dynamic area
• Un-initialized SAFP
– Will cause S0C4 or other abends
• Due to lack of offset to RACF service parmlist



Setting up the SAFP
• Sample code
         MVC   WINIT,$INIT          Copy RACINIT list form to work area
         RACROUTE REQUEST=VERIFY,
               MF=(E,WINIT), …      execute

$INIT    RACROUTE REQUEST=VERIFY,
               RELEASE=7703,MF=L    static list form (template)
$INITL   EQU   *-$INIT              RACROUTE length

WORK     DSECT ,
WINIT    DS    XL($INITL)           dynamic copy of $INIT


SAFW – SAF work area
• SAF requires a work area
– x’200’ (512) bytes
– Area does not have to be initialized
• But zeroing it out does help debugging
– Set via WORKA= keyword



Setting up the SAFW
• Sample code
         MVC   WINIT,$INIT          Copy RACINIT list form
         RACROUTE REQUEST=VERIFY,
               WORKA=WRRWORKA,      <== new: 512-byte SAF work area
               MF=(M,WINIT), …      update PL

$INIT    RACROUTE REQUEST=VERIFY,
               RELEASE=7703,MF=L
$INITL   EQU   *-$INIT              RACROUTE length

WORK     DSECT ,
WINIT    DS    XL($INITL)
WRRWORKA DS    XL512                <== new


REQSTOR & SUBSYS History
• REQSTOR= and SUBSYS=
– Originally intended to prevent a back-level RACF from processing calls it can’t handle
– Weeded out via lookup in ICHRFR01 (RACF Router Table)
• Lookup for CLASS + REQSTOR + SUBSYS
• RACINIT events use class “USER”


REQSTOR & SUBSYS Use
• REQSTOR= and SUBSYS=
– Provide good documentation in debugging
your own code
– Can be interrogated by your SAF & RACF
exits
• DECOUPL=YES
– Causes bypass of ICHRFR01 lookups
– Always good to code



Setting up REQSTOR/SUBSYS
• Sample code
$INIT    RACROUTE REQUEST=VERIFY,
               REQSTOR=$REQSTOR,    <== new
               SUBSYS=$SUBSYS,      <== new
               DECOUPL=YES,         <== new: bypass ICHRFR01 lookup
               RELEASE=7703,MF=L
$INITL   EQU   *-$INIT              RACROUTE length

$REQSTOR DC    CL8'MyFunc'
$SUBSYS  DC    CL8'WHATEVER'


Other RACROUTE-isms
• Always match
– REQUEST= value
• RACF parameter lists vary greatly
• RACROUTE does not validate REQUEST=
mismatches
– RELEASE= value
• Ensure that MF=L area creates large enough parmlist to handle MF=M and MF=E parameters


Other RACROUTE-isms II
• Other features
– MSGRTRN=
• Allows direct return of ICH408I messages to program
– MSGSUPP=
• Controls suppression of ICH408I messages as WTO


The ACEE= Debacle
• ACEE= points to
– Anchor of the ACEE for RACINIT only
• RACINIT anchors address value in passed field
– ACEE itself for all other calls
• ACEE directly located via ACEE=
– ACEE= miscoded on RACINIT is a common first-time coding error


Return Codes
• RACROUTE stores RACF return and reason codes in first 2 words of SAFP
• R15 value generalization:
– 0 Success (allowed)
– 4 Undefined / not processed
– 8 Failure (not allowed)


REQUEST=VERIFY

I saw the sign(-on), it opened up my eyes, I saw the sign(-on)


RACINIT Requires
• APF Authorization - any one of
– Key 0
– Supervisor State
– Linked with AC(1)


RACINIT ENVIR= flavors
• ENVIR= keyword determines type
– ENVIR=CREATE – build new ACEE
– ENVIR=DELETE – delete ACEE
– Other values exist, these are the basics
• Used 99.9% of the time



RACINIT ENVIR=CREATE
• Used to (multiple choice)
– Build valid ACEE
– Validate USER=
– Validate USER= and PASSWORD=
• Issuer (YOU) decides if password is being validated


CREATE whom?
• Possible choices
– End user signing on manually
• Pass USER= and PASSWORD=
– Automatic signon of userid
• Pass USER= and PASSCHK=NO
– Recreation of prior environment via token
• Need TOKNIN= and PASSCHK=NO



RACINIT STAT=
• STAT=ASIS
– Last-Used updated
– ICH70001I message issued for success
– ICH408I issued for failure
• STAT=NONE
– No last-used update
– No ICH70001I or ICH408I issued
– Ignores SETROPTS INACTIVE(n) value


ENVIR=CREATE ACEE=
• If ACEE= coded
– Value is filled in by RACINIT create
• If ACEE= is not coded
– TCBSENV is set unconditionally
• Even if NOT zero
– If ASXBSENV = 0 then RACINIT also fills in ASXBSENV


Sample User= & Password=
         RACROUTE REQUEST=VERIFY,
               ENVIR=CREATE,
               USER=$USER,
               PASSWORD=$PASSWD,
               APPL=$APPL,
               STAT=ASIS,LOG=ASIS,
               RELEASE=7703,MF=(E,WINIT)

$USER    DC    AL1(5),CL5'HAYIM'    length-prefixed userid
$PASSWD  DC    AL1(6),CL6'SAMPLE'   length-prefixed password
$APPL    DC    CL8'MYAPPL'          8-byte application name


Sample with PASSCHK=NO
         RACROUTE REQUEST=VERIFY,
               ENVIR=CREATE,
               USER=$USER,
               PASSCHK=NO,          better on MF=L
               APPL=$APPL,
               STAT=NONE,LOG=NONE,
               RELEASE=7703,MF=(E,WINIT)

$USER    DC    AL1(5),CL5'HAYIM'    length-prefixed userid
$APPL    DC    CL8'MYAPPL'          8-byte application name


Sample with token
         RACROUTE REQUEST=VERIFY,
               ENVIR=CREATE,
               TOKNIN=WTOKEN,
               PASSCHK=NO,          better on MF=L
               ACEE=WACEEP,
               STAT=NONE,LOG=NONE,
               RELEASE=7703,MF=(E,WINIT)

WORK     DSECT ,
WTOKEN   DS    XL80                 copy of token
WACEEP   DS    A                    ACEE address, filled by RACINIT


CREATE SESSION=
• SESSION= qualifies the type of logon “session”
– TSO represents all types of online logins: TSO, CICS, IMS …
– INTBATCH, EXTBATCH, NJEBATCH … represent flavors of batch jobs
– STARTED, SYSAS represent STCs


CREATE with TERMINAL=
• TERMINAL= like APPL= used for logon authorization
• BUT …
– TERMINAL= must point to a long-term area (like a long term control block)
- or -
– S0C4 later on when storage freed


POE=
• POE is the session Point of Entry
• POE= is resource in one of 4 classes
– APPCPORT
– CONSOLE
– JESINPUT
– TERMINAL
• POE= class is determined by SESSION= type


POE= vs. TERMINAL=
• TERMINAL= requires long term storage
– Has to live as long as ACEE
• POE= does not require long term storage
– Can be provided like any other operand


Sample with POE=
         RACROUTE REQUEST=VERIFY,
               ENVIR=CREATE,
               ...
               POE=WHERE,
               SESSION=TSO,
               ACEE=WACEEP,
               STAT=NONE,LOG=NONE,
               RELEASE=7703,MF=(E,WINIT)

WHERE    DC    CL8'XYZZY'           POE resource name (class chosen by SESSION=)


What about IP addresses?
• Unfortunately no IP resource class
– No SESSION= value
– No POE class for IPADDR
• However
– 4 byte IP address can be represented as hex dumped value
– 192.168.42.34 -> C0A82A22


RACINIT ENVIR=DELETE

• Used to
– Delete ACEE
• Plain & simple


ENVIR=DELETE ACEE=
• If ACEE= coded and not zero
– That ACEE is deleted
• If ACEE= is not coded
– TCBSENV ACEE is deleted if present
• If it is also anchored in ASXBSENV, then
ASXBSENV is zeroed
– ASXBSENV ACEE is deleted if TCBSENV=0
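As an added example (not from the slides, and not RACF itself), a small Python model of the anchoring rules from the “Which ACEE is used?”, “ENVIR=CREATE ACEE=” and “ENVIR=DELETE ACEE=” slides; the Acee and Task classes and the scenario names are constructed for illustration, and the two scenarios show the orphaned-ACEE and no-ACEE-left outcomes those rules produce.

```python
from dataclasses import dataclass
from typing import List, Optional


class RacfAbend(Exception):
    """Stands in for the Sx82/Sx83/Sx85/S4C6 abends issued when no ACEE is usable."""


@dataclass
class Acee:
    userid: str
    alive: bool = True          # False once ENVIR=DELETE has freed it


@dataclass
class Task:
    """One TCB. TCBSENV is per task; ASXBSENV is the address space's single anchor,
    held as a one-element list so every Task in the space shares it."""
    asxbsenv: List[Optional[Acee]]
    tcbsenv: Optional[Acee] = None


def active_acee(task: Task, acee: Optional[Acee] = None) -> Acee:
    """'Which ACEE is used?': ACEE= operand, then TCBSENV, then ASXBSENV, else abend."""
    if acee is not None:
        return acee
    if task.tcbsenv is not None:
        return task.tcbsenv
    if task.asxbsenv[0] is not None:
        return task.asxbsenv[0]
    raise RacfAbend("no ACEE from ACEE=, TCBSENV or ASXBSENV")


def racinit_create(task: Task, userid: str,
                   anchor: Optional[List[Optional[Acee]]] = None) -> Acee:
    """ENVIR=CREATE. With ACEE= the new address goes only into the caller's field.
    Without it TCBSENV is overwritten even if non-zero, and ASXBSENV only if zero."""
    new = Acee(userid)
    if anchor is not None:
        anchor[0] = new
        return new
    task.tcbsenv = new                  # an ACEE already there is orphaned, not freed
    if task.asxbsenv[0] is None:
        task.asxbsenv[0] = new
    return new


def racinit_delete(task: Task, acee: Optional[Acee] = None) -> Optional[Acee]:
    """ENVIR=DELETE per the slide. Returns the ACEE that was deleted (None if none)."""
    if acee is not None:                # ACEE= coded and non-zero: that one goes
        acee.alive = False
        return acee                     # de-anchoring it is the caller's job
    victim = task.tcbsenv
    if victim is not None:              # TCBSENV ACEE deleted if present
        task.tcbsenv = None
        if task.asxbsenv[0] is victim:  # also anchored in ASXBSENV: zero that too
            task.asxbsenv[0] = None
    else:                               # TCBSENV=0: the ASXBSENV ACEE is deleted
        victim = task.asxbsenv[0]
        task.asxbsenv[0] = None
    if victim is not None:
        victim.alive = False
    return victim


def scenario_subtask_leak() -> dict:
    """Subtask in a job that already has an ACEE; two CREATEs and one DELETE, all
    without ACEE=. The first subtask ACEE is orphaned and never freed."""
    shared = [Acee("JOBUSER")]          # job-step ACEE built at job init
    sub = Task(shared)                  # ATTACH did not propagate TCBSENV
    first = racinit_create(sub, "SVCUSR1")
    racinit_create(sub, "SVCUSR2")      # TCBSENV overwritten although non-zero
    gone = racinit_delete(sub)
    return {
        "deleted": gone.userid,
        "orphan_still_alive": first.alive,
        "job_acee_intact": shared[0].alive,
        "active_after": active_acee(sub).userid,
    }


def scenario_first_and_only() -> bool:
    """First CREATE in an empty address space sets both anchors; the matching
    DELETE zeroes both, so the next security call has no ACEE and abends."""
    t = Task([None])
    a = racinit_create(t, "STCUSER")
    both = t.tcbsenv is a and t.asxbsenv[0] is a
    racinit_delete(t)
    try:
        active_acee(t)
    except RacfAbend:
        return both and t.tcbsenv is None and t.asxbsenv[0] is None and not a.alive
    return False
```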



Sample delete
         RACROUTE REQUEST=VERIFY,
               ENVIR=DELETE,
               ACEE=WACEEP,
               RELEASE=7703,MF=(E,WINIT)

WORK     DSECT ,
WACEEP   DS    A                    ACEE address from prior RACINIT


REQUEST=AUTH

Time to CHECK in



Our friend ACEE=
• Not needed if
– TCBSENV or ASXBSENV already points to ACEE we want
• Needed if
– Overriding TCBSENV & ASXBSENV
• Must point to ACEE
– Not ACEE anchor like RACINIT


CLASS=
• Resource CLASS name must be coded
• Value is length-prefixed
– (FRACHECK uses 8 character, left justified, right blank padded unlike RACHECK)
• Class must be defined to RACF
– Undefined class results in RC=4 – resource not defined


ENTITY/ENTITYX=
• Resource name is provided via ENTITY or ENTITYX keyword (mutually exclusive)
– ENTITY – you must provide blank padded field matching CDT definition of class resource length
– ENTITYX – you provide exact resource name length or buffer size


ENTITY(X) samples
• ENTITY (for DATASET)
$ENTITY  DC    CL44'MY.DATASET'     blank padded to DATASET max length (44)

• ENTITYX (for same DATASET)
$ENTITYX DC    AL2(0)               buffer size (0: use the actual length)
         DC    AL2(10)              actual length
         DC    CL10'MY.DATASET'
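The CLASS=, ENTITY= and ENTITYX= encodings from this and the two preceding slides, the installation-class naming rule from “The usual caveats”, and the IP-as-hex trick from “What about IP addresses?”, as an added Python example (not the slides’ own code) that produces the same bytes the assembler DC statements would; EBCDIC code page 037 and the CDT maximum lengths in CDT_MAXLEN are assumptions.

```python
import ipaddress
import struct

NATIONALS = frozenset("@#$")
# Assumed CDT maximum resource-name lengths (44 for DATASET matches the ENTITY sample).
CDT_MAXLEN = {"DATASET": 44, "FACILITY": 39, "TERMINAL": 8}


def ebcdic(text: str) -> bytes:
    return text.encode("cp037")          # code page 037 assumed


def valid_installation_class(name: str) -> bool:
    """'The usual caveats': 1-8 characters with at least one national (@ # $) or
    numeric (0-9) character somewhere in positions 2-8 (position 1 does not count)."""
    if not 1 <= len(name) <= 8:
        return False
    return any(ch in NATIONALS or ch.isdigit() for ch in name[1:])


def class_racheck(name: str) -> bytes:
    """CLASS= for RACHECK / REQUEST=AUTH: AL1(length) then the name, the shape of
    $FACILIT DC AL1(L'FACILITY) / FACILITY DC C'FACILITY'."""
    if not 1 <= len(name) <= 8:
        raise ValueError("class name must be 1-8 characters")
    return bytes([len(name)]) + ebcdic(name)


def class_fracheck(name: str) -> bytes:
    """CLASS= for FRACHECK / REQUEST=FASTAUTH: 8 bytes, left justified, blank padded."""
    if not 1 <= len(name) <= 8:
        raise ValueError("class name must be 1-8 characters")
    return ebcdic(name.ljust(8))


def entity(name: str, class_name: str) -> bytes:
    """ENTITY=: the name blank padded to the CDT maximum length of its class."""
    maxlen = CDT_MAXLEN[class_name]
    if len(name) > maxlen:
        raise ValueError(f"{name!r} exceeds {class_name} maximum of {maxlen}")
    return ebcdic(name.ljust(maxlen))


def entityx(name: str, bufsize: int = 0) -> bytes:
    """ENTITYX=: AL2(buffer size), AL2(actual length), then the name. Buffer size 0
    with an explicit length is the form shown on the slide; a non-zero buffer size
    pads the name out to that many bytes."""
    if bufsize and bufsize < len(name):
        raise ValueError("buffer size smaller than the name")
    body = ebcdic(name.ljust(bufsize)) if bufsize else ebcdic(name)
    return struct.pack(">HH", bufsize, len(name)) + body


def ip_as_resource_name(ip: str) -> str:
    """No IPADDR class or SESSION= value exists, so a 4-byte address is named by
    its hex dump, e.g. 192.168.42.34 -> C0A82A22."""
    return ipaddress.IPv4Address(ip).packed.hex().upper()


if __name__ == "__main__":
    print(class_racheck("FACILITY").hex(), entityx("MY.DATASET").hex())
    print(ip_as_resource_name("192.168.42.34"))
```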


Sample RACHECK
         L     R2,ASXBSENV          Force ASXBSENV ACEE (USING ASXB assumed)
         RACROUTE REQUEST=AUTH,
               CLASS=$FACILIT,
               ENTITYX=$TESTRES,
               ACEE=(R2),
               RELEASE=7703,MF=(E,WAUTH)

$FACILIT DC    AL1(L'FACILITY)      length-prefixed class name
FACILITY DC    C'FACILITY'

$TESTRES DC    AL2(0),AL2(L'TESTRES) buffer size 0, actual length
TESTRES  DC    C'$MY.TEST.FACILITY.THING'


RACF Exits

Where you can do your thing



ICHRTX00/01
• Invoked for all RACROUTEs
– ICHRTX00 - standard exit
– ICHRTX01 - prior to RACF initialization exit
• Only a pre-processing exit
– there is no post-processing
• Caller key & state



ICHRTX00 – Pre-Processing
• Only a pre-processing exit
– there is no post-processing exit
• If you need post-processing …
1. Duplicate original parameter list
2. Re-drive entire event
3. Prevent self-recursion
4. Post-process redriven event
5. Bypass rest of regular processing


ICHRTX00
• Called in caller key & state
– May be supervisor state
– May be system key
– May be non-authorized
– Your code must be able to deal with any of these situations


ICHRTX00 input
• SAF passes via R1
+0 Address of SAFP (SAF parmlist)
+4 Address of 152 byte work area (inside SAFW actually)


ICHRTX00 - output
• Updated SAFP/RACF parameter list
• Return code in R15
= 0 - perform normal processing
= x'C8' (200) - return RC = 0 to caller
= x'CC' (204) - return RC = 4 to caller
= x'D0' (208) - return RC = 8 to caller
= other - return value as is
• All values other than 0 terminate standard processing


SVC exits
• ICHRIX01/02 - RACINIT pre & post
• ICHRCX01/02 - RACHECK pre & post
• ICHRDX01/02 - RACDEF pre & post
• ICHRLX01/02 - RACLIST post
• ICHRFX01/02/03/04 - FRACHECK pre & post


Pre- Exit Commonalities
For RACHECK, RACDEF, and RACINIT
• Pre-Processing exit can
– Allow normal processing
– Fail processing (may skip post- exit)



Post- exit Commonalities
For RACHECK, RACDEF, and RACINIT
• Post-Processing exit can
– Allow normal processing
– Force retry of event back to pre- exit
• Post-Processing exit can NOT
– Force event to fail



Pre to Post Communication
• All exits passed exit parmlist
– RCXP: RACHECK
– RDXP: RACDEF
– RIXP: RACINIT
• Exit “Work Area Pointer” in parmlist:
– Used any which way you want to
– You set it, you clean it


Work Area Pointer
• Initial value is x’00000000’
• Set by either exit
– Intended as anchor for a work area
– Can be used however you see fit
• Area anchor
• Flag byte(s)
• Not reinitialized by retry



From Post- to Pre-
• To fail event in post processing:
– Post- determines failure required
– Post- sets “work area address”
– Post- causes retry
– Pre- invoked (retry)
– Pre- fails event based upon “work area address” value


SVC exit gotchas
• RACF SVCs can be recursive
– RACINIT internally invokes RACHECK
– RACINIT internally invokes RACINIT (during job validation for RACROUTE REQUEST=VERIFYX)
– Third-party RACHECK invokes RACINIT
• You may need to check which SVC was invoked for your exit’s processing


No 5 need input
• RACF exit is not passed ALL parameters from RACF SVC input parmlist
• You may need more input
• RACF SVC input parmlist can be located via R0/R1 values at time of SVC
– But it may not belong to YOUR event


Finding the parmlist
• If RACF SVC R1=0
– R0 -> “RFRP”
– RACF Router Parameter list is used by SAF
• +0 = RACF parameter list
• +4 = SAF parameter list
• If RACF SVC R1 ¬= 0
– R1 -> RACF Parameter list


Other places
• ICHCNX00/ICHCCX00 - Command
processing
• IRREVX01 - pre-parse command exit
• ICHACX01 - ACEE (de)compression
• ICHPWX01 - new password



Some Common Uses

Homework



So, what can you do?
• Accounting validation
• JCL keyword & operand authorization
– restrict job class, sysout class
• Password-syntax validation
• CPU authorization



“Free-for-all”

What exits/code/info do you need?


The Truth-in-Testing Law

If something could have gone wrong, but didn’t go wrong, then it would have been beneficial for it to have gone wrong.

Questions?

Thanks for coming.
