Table 119 summarizes the security manager domain’s specific
gates. It shows the level-1 trace point IDs of the modules providing the functions
for the gates, the functions provided by the gates, and whether or not the
functions are available through the exit programming interface (XPI).
Table 119. Security manager domain’s specific gates
Gate |
Trace |
Function |
XPI |
XSAD |
XS 0201
XS 0202
|
ADD_USER_WITH_PASSWORD
ADD_USER_WITHOUT_PASSWORD
DELETE_USER_SECURITY
INQUIRE_USER_ATTRIBUTES
VALIDATE_USERID
|
NO
NO
NO
NO
NO
|
XSFL |
XS 0501
XS 0502
|
FLATTEN_USER_SECURITY
UNFLATTEN_USER_SECURITY
UNFLATTEN ESM_UTOKEN
|
NO
NO
NO
|
XSIS |
XS 0301
XS 0302
|
INQUIRE_REGION_USERID
INQ_SECURITY_DOMAIN_PARMS
SET_SECURITY_DOMAIN_PARMS
SET_NETWORK_IDENTIFIER
SET_SPECIAL_TOKENS INQUIRE_REALM_NAME
|
NO
NO
NO
NO
NO
NO
|
XSLU |
XS 0801
XS 0802
|
GENERATE_APPC_BIND
GENERATE_APPC_RESPONSE
VALIDATE_APPC_RESPONSE
|
NO
NO
NO
|
XSPW |
XS 0601
XS 0602
|
CREATE_PASSTICKET
INQUIRE_PASSWORD_DATA
UPDATE_PASSWORD
INQUIRE_CERTIFICATE_USERID
REGISTER_CERTIFICATE_USER
|
NO
NO
NO
NO
NO
|
XSRC |
XS 0701
XS 0702
|
CHECK_CICS_RESOURCE
CHECK_CICS_COMMAND
CHECK_NON_CICS_RESOURCE
CHECK_SURROGATE_USER
REBUILD_RESOURCE_CLASSES
|
NO
NO
NO
NO
NO
|
XSXM |
XS 0401
XS 0402
|
ADD_TRANSACTION_SECURITY
DEL_TRANSACTION_SECURITY
END_TRANSACTION
|
NO
NO
NO
|
The ADD_USER_WITH_PASSWORD function of the XSAD gate is used to add a user
to the security domain and verify the associated password or oidcard.
Input parameters
- USERID
- is the identifier of the user (a userid of 1 through 10 alphanumeric
characters) to be added to the security domain.
- USERID_LENGTH
- is the length of the USERID value.
- PASSWORD_TYPE
- specifies if the password is masked. It can have either of these values:
CLEAR|MASKED
- [PASSWORD]
- is the current password, 1 through 10 alphanumeric characters, for the
userid specified by the USERID value.
- [PASSWORD_LENGTH]
- is the 8-bit length of the PASSWORD value. This parameter is only valid
if PASSWORD is also specified.
- [NEW_PASSWORD]
- is a new password, 1 through 10 alphanumeric characters, to be assigned
to the userid (specified by the USERID value). This parameter is only valid
if PASSWORD is also specified.
- [NEW_PASSWORD_LENGTH]
- is the 8-bit length of the NEW_PASSWORD value. This parameter is only
valid if NEW_PASSWORD is also specified.
- APPLID
- is the application identifier for the CICS® region.
- [OIDCARD]
- is an optional oidcard (operator identification card); a 65-byte field
containing further security data from a magnetic strip reader (MSR) on 32xx
devices.
- [GROUPID]
- is an optional identifier, 1 through 10 alphanumeric characters, of
a RACF® user group to which the userid (specified by the USERID value) is
to be assigned.
- [GROUPID_LENGTH]
- is the 8-bit length of the GROUPID value. This parameter is only valid
if GROUPID is also specified.
- [ENTRY_PORT_NAME]
- is an optional name of an entry port, 1 through 8 alphanumeric characters,
to be assigned to the userid (specified by the USERID value).
- [ENTRY_PORT_TYPE]
- is the type of the optional entry port to be assigned to the userid
(specified by the USERID value). It can have either of these values:
TERMINAL|CONSOLE
This parameter is only valid if ENTRY_PORT_NAME is
also specified.
- SIGNON_TYPE
- is the type of signon for the userid (specified by the USERID value).
It can have any of these values:
ATTACH_SIGN_ON|DEFAULT_SIGN_ON|IRC_SIGN_ON|
LU61_SIGN_ON|LU62_SIGN_ON|NON_TERMINAL_SIGN_ON|
PRESET_SIGN_ON|USER_SIGN_ON|XRF_SIGN_ON
Output parameters
- SECURITY_TOKEN
- is the token identifying the userid.
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE |
Possible REASON values |
EXCEPTION |
APPLICATION_NOTAUTH
ENTRY_PORT_NOTAUTH
ESM_INACTIVE
ESM_TRANQUIL
GETMAIN_FAILURE
GROUP_ACCESS_REVOKED
INVALID_GROUPID
INVALID_NEW_PASSWORD
OIDCARD_NOTAUTH
OIDCARD_REQUIRED
PASSWORD_REQUIRED
PASSWORD_EXPIRED
PASSWORD_NOTAUTH
SECLABEL_FAILURE
SECURITY_INACTIVE
UNKNOWN_ESM_ERROR
USERID_NOT_IN_GROUP
USERID_REVOKED
USERID_NOT_DEFINED
INVALID_USERID
|
DISASTER |
ABEND
LOOP
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The ADD_USER_WITHOUT_PASSWORD function of the XSAD gate is used to add
a user to the security domain without verification
of a associated password or oidcard.
Input parameters
- USERID
- is the identifier of the user (a userid of 1 through 10 alphanumeric
characters) to be added to the security domain.
- USERID_LENGTH
- is the 8-bit length of the USERID value.
- [GROUPID]
- is an optional identifier, 1 through 10 alphanumeric characters, of
a RACF user group to which the userid (specified by the USERID value) is to
be assigned.
- [GROUPID_LENGTH]
- is the 8-bit length of the GROUPID value. This parameter is only valid
if GROUPID is also specified.
- [ENTRY_PORT_NAME]
- is an optional name of an entry port, 1 through 8 alphanumeric characters,
to be assigned to the userid (specified by the USERID value).
- [ENTRY_PORT_TYPE]
- is the type of the optional entry port to be assigned to the userid
(specified by the USERID value). It can have either of these values:
TERMINAL|CONSOLE
This parameter is only valid if ENTRY_PORT_NAME is
also specified.
- SIGNON_TYPE
- is the type of signon for the userid (specified by the USERID value).
It can have any of these values:
ATTACH_SIGN_ON|DEFAULT_SIGN_ON|IRC_SIGN_ON|
LU61_SIGN_ON|LU62_SIGN_ON|NON_TERMINAL_SIGN_ON|
PRESET_SIGN_ON|USER_SIGN_ON|XRF_SIGN_ON
- APPLID
- is the application identifier for the CICS region.
Output parameters
- SECURITY_TOKEN
- is the token identifying the userid.
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE |
Possible REASON values |
EXCEPTION |
APPLICATION_NOTAUTH
ENTRY_PORT_NOTAUTH
ESM_INACTIVE
ESM_TRANQUIL
GETMAIN_FAILURE
GROUP_ACCESS_REVOKED
INVALID_GROUPID
SECLABEL_FAILURE
SECURITY_INACTIVE
UNKNOWN_ESM_ERROR
USERID_NOT_IN_GROUP
USERID_REVOKED
USERID_NOT_DEFINED
INVALID_USERID
|
DISASTER |
ABEND
LOOP
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The DELETE_USER_SECURITY function of the XSAD gate is used to delete the
storage held to store the ACEE and ACEE pointer for the user represented by
the security token.
Input parameters
- SECURITY_TOKEN
- is the token identifying the userid.
- SIGNOFF_TYPE
- is the type of signoff for the userid identified by the SECURITY_TOKEN
value. It can have any of these values:
ABNORMAL_SIGN_OFF|ATTACH_SIGN_OFF|DEFERRED_SIGN_OFF|
DELETE_SIGN_OFF|LINK_SIGN_OFF|NON_TERMINAL_SIGN_OFF|
PRESET_SIGN_OFF|UNFLATTEN_USER_SIGN_OFF|
USER_SIGN_OFF|XRF_SIGN_OFF
Output parameters
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE |
Possible REASON values |
EXCEPTION |
ESM_INACTIVE
ESM_TRANQUIL
INVALID_SECURITY_TOKEN
SECURITY_INACTIVE
SECURITY_TOKEN_IN_USE
UNKNOWN_ESM_ERROR
|
DISASTER |
ABEND
LOOP
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The INQUIRE_USER_ATTRIBUTES function of the XSAD gate is used to inquire
about the attributes of the user represented by the security token.
Input parameters
- SECURITY_TOKEN
- is the token identifying the userid.
Output parameters
- [USERID]
- is the identifier of the user (a userid of 1 through 10 alphanumeric
characters). the userid (specified by the SECURITY_TOKEN value) is assigned.
- USERID_LENGTH
- is the length of the USERID value.
- [CURRENT_GROUPID]
- is the identifier, 1 through 10 alphanumeric characters, of the current
RACF user group to which the userid (specified by the SECURITY_TOKEN value)
is assigned.
- [CURRENT_GROUPID_LENGTH]
- is the 8-bit length of the GROUPID value.
- [USERNAME]
- is an optional buffer into which the attributes of the user are placed.
- [NATIONAL_LANGUAGE]
- is a three-character code identifying the national language for the
userid. It can have any of the values in Table 120.
- [OPCLASS]
- is the operator class, in the range 1 through 24, for the userid.
- [OPIDENT]
- is the operator identification code, 1 through 3 alphanumeric characters,
for the userid.
- [OPPRTY]
- is the operator priority value, in the range 0 through 255 (where 255
is the highest priority), for the userid.
- [TIMEOUT]
- is the number of minutes, in the range 0 through 60, that must elapse
since the user last used the terminal before CICS "times-out" the terminal.
Notes:
- CICS rounds values up to the nearest multiple of 5.
- A TIMEOUT value of 0 means that the terminal is not timed out.
- [XRFSOFF]
- indicates whether or not you want CICS to sign off the userid following
an XRF takeover. It can have either of these values:
FORCE|NOFORCE
- [ACEE_PTR]
- is a pointer to the access control environment element, the control
block that is generated by an external security manager (ESM) when the user
signs on. If the user is not signed on, the address of the CICS DFLTUSER's
ACEEis returned. If an ACEE does not exist, CICS sets the pointer reference
to the null value, X'FF000000'.
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE |
Possible REASON values |
EXCEPTION |
ESTAE_FAILURE
EXTRACT_FAILURE
INVALID_ACEE
INVALID_ESM_PARAMETER
INVALID_SECURITY_TOKEN
NOTAUTH
PROFILE_UNKNOWN
SECURITY_INACTIVE
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
DISASTER |
ABEND
LOOP
|
Table 120. National language codes (three-characters)
Code |
Language Name |
Original Name |
AFR |
Afrikaans |
Afrikaans |
ARA |
Arabic |
Arabi |
BEL |
Byelorussian |
Belaruskaja (mova) |
BGR |
Bulgarian |
Bulgarski |
CAT |
Catalan |
Catala |
CHT |
Traditional Chinese |
Zhongwen |
CHS |
Simplified Chinese |
|
CSY |
Czech |
Cesky |
DAN |
Danish |
Dansk |
DEU |
German |
Deutsch |
DES |
Swiss German |
Schweizer-Deutsch |
ELL |
Greek |
Ellinika |
ENA |
Australian English |
|
ENG |
UK English |
English |
ENU |
US English |
|
ENP |
English Upper Case |
|
ESP |
Spanish |
Espanol |
FAR |
Farsi |
Persian |
FIN |
Finnish |
Suomi |
FRA |
French |
Francais |
FRB |
Belgian French |
|
FRC |
Canadian French |
|
FRS |
Swiss French |
Suisse-francais |
GAE |
Irish Gaelic (Irish) |
Gaeilge |
HEB |
Hebrew |
Ivrith |
HRV |
Croatian |
Hrvatski |
HUN |
Hungarian |
Magyar |
ISL |
Icelandic |
Islenska |
ITA |
Italian |
Italiano |
ITS |
Swiss Italian |
Italiano svizzero |
JPN |
Japanese |
Nihongo |
KOR |
Korean |
Choson-o; Hanguk-o |
MKD |
Macedonian |
Makedonski |
NLD |
Dutch |
Nederlands |
NLB |
Belgian Dutch |
|
NOR |
Norwegian - Bokmal |
Norsk - Bokmal |
NON |
Norwegian - Nynorsk |
Norsk - Nynorsk |
PLK |
Polish |
Polski |
PTG |
Portuguese |
Portugues |
PTB |
Brazilian Portuguese |
|
RMS |
Rhaeto-Romanic |
Romontsch |
ROM |
Romanian |
Romana |
RUS |
Russian |
Russkij |
SHC |
Serbo-Croatian (Cyr) |
Srpsko-hrvatski |
SHL |
Serbo-Croatian (Lat) |
|
SKY |
Slovakian |
Slovensky |
SLO |
Slovenian |
Slovenski |
SRL |
Serbian (Latin) |
Srpski (Latin) |
SRB |
Serbian |
Srpski |
SQI |
Albanian |
Shqip |
SVE |
Swedish |
Svenska |
THA |
Thai |
Thai |
TRK |
Turkish |
Turkce |
UKR |
Ukrainian |
Ukrainska (mova) |
URD |
Urdu |
Urdu |
|
|
|
The VALIDATE_USERID function of the XSAD gate is used to check whether
the specified userid is valid. It is used especially when the userid has to
be validated without the user being added to the system; usually because the
userid was specified in a deferred START command, and the user does not need
to be added to the system until the started task actually begins to execute.
Input parameters
- USERID
- is the identifier of the user (a userid of 1 through 10 alphanumeric
characters) to be added to the security domain.
- USERID_LENGTH
- is the length of the USERID value.
Output parameters
- RESPONSE
- is the domain’s response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible
values are:
RESPONSE |
Possible REASON values |
DISASTER |
ABEND
LOOP
|
EXCEPTION |
SECURITY_INACTIVE
USERID_NOT_DEFINED
USERID_NOT_DETERMINED
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The FLATTEN_USER_SECURITY function of the XSFL gate is used to flatten
the user’s security state and place into the FLATTENED_SECURITY buffer
provided.
Input parameters
- SECURITY_TOKEN
- is the token identifying the userid.
- FLATTENED_SECURITY
- is the buffer into which the flattened security state is placed.
Output parameters
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible
values are:
RESPONSE |
Possible REASON values |
DISASTER |
ESM_ABENDED ABEND
LOOP
|
EXCEPTION |
INVALID_SECURITY_TOKEN
SECURITY_INACTIVE
UNKNOWN_ESM_RESPONSE
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
INVALID_FLATTENED_BUFFER
|
The UNFLATTEN_USER_SECURITY function of the XSFL gate is used to unflatten
the user security state data in the FLATTENED_SECURITY buffer, and add the
userid to the security domain.
Input parameters
- FLATTENED_SECURITY
- is a buffer containing flattened security state data for a userid.
Output parameters
- SECURITY_TOKEN
- is the token identifying the userid.
- ACEE_PTR
- is a pointer to the access control environment element, the control
block that is generated by an external security manager (ESM) when the user
signs on.
- USERID
- is the identifier of the user (a userid of 1 through 10 alphanumeric
characters). the userid (specified by the SECURITY_TOKEN value) is assigned.
- USERID_LENGTH
- is the length of the USERID value.
- CURRENT_GROUPID
- is the identifier, 1 through 10 alphanumeric characters, of the current
RACF user group to which the userid is assigned.
- CURRENT_GROUPID_LENGTH
- is the 8-bit length of the GROUPID value.
- ENTRY_PORT_NAME
- is the name of an entry port, 1 through 8 alphanumeric characters, for
the userid.
- ENTRY_PORT_TYPE
- is the type of the entry port for the userid. It can have either of
these values:
TERMINAL|CONSOLE|NULL
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is DISASTER, EXCEPTION or INVALID. Possible
values are:
RESPONSE |
Possible REASON values |
DISASTER |
ESM_ABENDED
ABEND
LOOP
|
EXCEPTION |
SECURITY_INACTIVE
GETMAIN_FAILED
USERID_NOT_DEFINED
USERID_REVOKED
USERID_NOT_IN_GROUP
GROUP_ACCESS_REVOKED
ENTRY_PORT_NOTAUTH
APPLID_NOTAUTH
SECLABEL_CHECK_FAILED
ESM_INACTIVE
ESM_TRANQUIL
UNKNOWN_ESM_RESPONSE
|
INVALID |
INVALID_FLATTENED_BUFFER
INVALID_FORMAT
INVALID_FUNCTION
|
The UNFLATTEN_ESM_UTOKEN function of the XSFL gate returns userid and groupid
information associated with the external security manager's user token.
Input parameters
- ESM_UTOKEN_PTR
- is a pointer to a security manager user pointer.
Output parameters
- USERID
- is the identifier of the user (a userid of 1 through 10 alphanumeric
characters). the userid (specified by the SECURITY_TOKEN value) is assigned.
- USERID_LENGTH
- is the length of the USERID value.
- CURRENT_GROUPID
- is the identifier, 1 through 10 alphanumeric characters, of the current
RACF user group to which the userid is assigned.
- CURRENT_GROUPID_LENGTH
- is the 8-bit length of the GROUPID value.
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is DISASTER, EXCEPTION or INVALID. Possible
values are:
RESPONSE |
Possible REASON values |
DISASTER |
ESM_ABENDED
ABEND
LOOP
|
EXCEPTION |
SECURITY_INACTIVE
GETMAIN_FAILED
USERID_NOT_DEFINED
USERID_REVOKED
USERID_NOT_IN_GROUP
GROUP_ACCESS_REVOKED
ENTRY_PORT_NOTAUTH
APPLID_NOTAUTH
SECLABEL_CHECK_FAILED
ESM_INACTIVE
ESM_TRANQUIL
UNKNOWN_ESM_RESPONSE
|
INVALID |
INVALID_FLATTENED_BUFFER
INVALID_FORMAT
INVALID_FUNCTION
|
The INQUIRE_REGION_USERID function of the XSIS gate is used to return the
userid and groupid associated with the jobstep that is currently executing
this CICS region.
Input parameters
None.
Output parameters
- REGION_USERID
- is the user identifier of the CICS jobstep (a userid of 1 through 8
alphanumeric characters).
- REGION_USERID_LENGTH
- is the length of the REGION_USERID value.
- [REGION_GROUPID]
- is the identifier, 1 through 8 alphanumeric characters, of the current
RACF user group to which the region userid is assigned.
- [REGION_GROUPID_LENGTH]
- is the 8-bit length of the REGION_GROUPID value.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID
- [REASON]
- is returned when RESPONSE is DISASTER, EXCEPTION or INVALID. Possible
values are:
RESPONSE |
Possible REASON values |
DISASTER |
ABEND
LOOP
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The INQ_SECURITY_DOMAIN_PARMS function of the XSIS gate is used to return
the current values of parameters from the security state data.
Input parameters
None.
Output parameters
- [APPLID]
- is the generic applid of the CICS region
- [CMDSEC]
- indicates whether or the CICS region should obey the CMDSEC option specified
on a transaction’s resource definition. It can have either of these values:
YES|NO
- [ESMEXITS]
- indicates whether or not installation data is to be passed via the RACROUTE
interface to the ESM for use in user exits written for the ESM. It can have
either of these values:
YES|NO
- [PREFIX]
- returns the value of the prefix that is being applied to all resource
names in authorization requests sent to the external security manager. It
can contain 0 through 8 alphanumeric characters.
- [PSBCHK]
- indicates whether or not DL/I security checking is to be performed for
a remote terminal initiating a transaction with transaction routing. It can
have either of these values:
YES|NO
- [RESSEC]
- indicates whether the CICS region should obey the RESSEC option specified
on a transaction’s resource definition.
- [SECURITY]
- indicates whether or not security is active for this CICS region. It
can have either of these values:
YES|NO
- [XAPPC]
- indicates whether or not session security checking is used when establishing
APPC sessions. It can have either of these values:
YES|NO
- [XCMD]
- indicates whether or not EXEC CICS commands are checked by the ESM.
It can have any of these values:
YES|name|NO
where name is your own resource class name for EXEC CICS commands.
- [XDB2]
- indicates whether or not CICS performs DB2ENTRY security checking. It
can have any of these values:
YES|name|NO
where name is
your own resource class name for DB2® entries.
- [XDCT]
- indicates whether or not destination control entries are checked by
the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for destination control entries.
- [XEJB]
- indicates whether CICS support for enterprise bean security roles is
enabled. It can have either of these values:
YES|NO
- [XFCT]
- indicates whether or not file control entries are checked by the ESM.
It can have any of these values:
YES|name|NO
where name is your own resource class name for file control entries.
- [XJCT]
- indicates whether or not journal entries are checked by the ESM. It
can have any of these values:
YES|name|NO
where name is
your own resource class name for journal entries.
- [XPCT]
- indicates whether or not EXEC-started transactions entries are checked
by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for EXEC-started transactions entries.
- [XPPT]
- indicates whether or not program entries are checked by the ESM. It
can have any of these values:
YES|name|NO
where name is
your own resource class name for program entries.
- [XPSB]
- indicates whether or not PSB entries are checked by the ESM. It can
have any of these values:
YES|name|NO
where name is
your own resource class name for PSB entries.
- [XTRAN]
- indicates whether or not attached transaction entries are checked by
the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for attached transaction entries.
- [XTST]
- indicates whether or not temporary storage entries are checked by the
ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for temporary storage entries.
- XUSER
- indicates whether or not user entries are checked by the ESM. It can
have any of these values:
YES|name|NO
where name is
your own resource class name for user entries.
- KEYRING
- is the fully qualified name of the key ring that contains the keys and
X.509 certificates used to support the secure sockets layer (SSL).
- EJBROLE_PREFIX
- is the prefix that is used to qualify the security role defined in an
enterprise bean's deployment descriptor.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|DISASTER|INVALID
- [REASON]
- is returned when RESPONSE is DISASTER or INVALID. Possible values are:
RESPONSE |
Possible REASON values |
DISASTER |
ABEND
LOOP
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
At CICS startup, loads information for the security domain from the system
initialization table (SIT) into the security state data.
Input parameters
- APPLID
- is the generic applid of the CICS region
- [CMDSEC]
- indicates whether or the CICS region should obey the CMDSEC option specified
on a transaction’s resource definition. It can have either of these values:
YES|NO
- ESMEXITS
- indicates whether or not installation data is to be passed via the RACROUTE
interface to the ESM for use in user exits written for the ESM. It can have
either of these values:
YES|NO
- [PREFIX]
- specifies the prefix to be applied to resource name in any authorization
requests send to the external security manager. It can be 1 through 8 alphanumeric
characters, or the single character '*', which indicates that the CICS region
userid is to be used as the prefix.
- PSBCHK
- indicates whether or not DL/I security checking is to be performed for
a remote terminal initiating a transaction with transaction routing. It can
have either of these values:
YES|NO
- [RESSEC]
- indicates whether the CICS region should obey the RESSEC option specified
on a transaction’s resource definition.
- SECURITY
- indicates whether or not security is active for this CICS region. It
can have either of these values:
YES|NO
- XAPPC
- indicates whether or not session security checking is used when establishing
APPC sessions. It can have either of these values:
YES|NO
- [XCMD]
- indicates whether or not EXEC CICS commands are checked by the ESM.
It can have any of these values:
YES|name|NO
where name is your own resource class name for EXEC CICS commands.
- [XDB2]
- indicates whether or not CICS performs DB2ENTRY security checking. It
can have any of these values:
YES|name|NO
where name is
your own resource class name for DB2 entries.
- [XDCT]
- indicates whether or not destination control entries are checked by
the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for destination control entries.
- [XEJB]
- indicates whether CICS support for enterprise bean security roles is
enabled. It can have either of these values:
YES|NO
- [XFCT]
- indicates whether or not file control entries are checked by the ESM.
It can have any of these values:
YES|name|NO
where name is your own resource class name for file control entries.
- [XJCT]
- indicates whether or not journal entries are checked by the ESM. It
can have any of these values:
YES|name|NO
where name is
your own resource class name for journal entries.
- [XPCT]
- indicates whether or not EXEC-started transactions entries are checked
by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for EXEC-started transactions entries.
- [XPPT]
- indicates whether or not program entries are checked by the ESM. It
can have any of these values:
YES|name|NO
where name is
your own resource class name for program entries.
- [XPSB]
- indicates whether or not PSB entries are checked by the ESM. It can
have any of these values:
YES|name|NO
where name is
your own resource class name for PSB entries.
- [XTRAN]
- indicates whether or not attached transaction entries are checked by
the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for attached transaction entries.
- [XTST]
- indicates whether or not temporary storage entries are checked by the
ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for temporary storage entries.
- XUSER
- indicates whether or not user entries are checked by the ESM. It can
have any of these values:
YES|name|NO
where name is
your own resource class name for user entries.
- KEYRING
- is the fully qualified name of the key ring that contains the keys and
X.509 certificates used to support the secure sockets layer (SSL).
- EJBROLE_PREFIX
- is the prefix that is used to qualify the security role defined in an
enterprise bean's deployment descriptor.
Output parameters
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|DISASTER|INVALID
- [REASON]
- is returned when RESPONSE is DISASTER or INVALID. Possible values are:
RESPONSE |
Possible REASON values |
EXCEPTION |
GETMAIN_FAILED
KEYRING_NOT_FOUND
KEYRING_NOT_AUTH
|
DISASTER |
CWA_WAIT_PHASE_FAILURE
INQUIRE_CWA_FAILURE
ABEND
LOOP
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
When CICS issues an OPEN ACB for VTAM®, the CICS SVC is invoked to store the
name (netid) of the local network combined with the local luname, and to RACLIST
the profiles in the External Security Manager (ESM) APPCLU Class. If you have
specified either of the SEC=NO or XAPPC=NO system initialization parameters,
no action is performed, and the return code is set to OK.
If the RACLIST fails, and the CONDITIONAL parameter is NO, then CICS is
terminated.
Input parameters
- LOCAL_LUNAME
- is the VTAM LU name of the local CICS region.
- LOCAL_LUNAME_LENGTH
- is the length of the VTAM LU name specified by LOCAL_LUNAME.
- CONDITIONAL
- indicates whether or not CICS can tolerate errors in XSIS calls due
to the APPCLU profiles not being in storage (LU6.2 connections cannot be validated).
It can have either of these values:
YES|NO
Output parameters
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|DISASTER|INVALID|PURGED
- [REASON]
- is returned when RESPONSE is DISASTER or INVALID. Possible values are:
RESPONSE |
Possible REASON values |
DISASTER |
ABEND
LOOP
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The SET_SPECIAL_TOKENS function of the XSIS gate sets the security tokens
for the default user ID and the region user ID.
Input parameters
- DEFAULT_SECURITY_TOKEN
- The security token for the default user ID.
- REGION_SECURITY_TOKEN
- The security token for the region user ID.
Output parameters
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|DISASTER|INVALID
- [REASON]
- is returned when RESPONSE is INVALID. Possible values are:
RESPONSE |
Possible REASON values |
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
Obtains the realm names under which the CICS system is executing; a realm is an environment
in which a userid and password pairing is valid.
Input parameters
- REALM_TYPE
- Indicates that the request is for the Basic realm name. Possible values
are:
BASIC
Output parameters
- REALM_NAME
- Returns the name of the realsm under which CICS is executing.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|INVALID|PURGED|DISASTER
- [REASON]
- is returned when RESPONSE is INVALID or DISASTER. Possible values are:
RESPONSE |
Possible REASON values |
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
DISASTER |
ABEND
LOOP
|
The GENERATE_APPC_BIND function of the XSLU gate generates a random number
which is sent to the partner LU for partner verification.
Input parameters
None
Output parameters
- RANDOM_STRING
- A random eight-character string.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|INVALID
- [REASON]
- is returned when RESPONSE is INVALID. Possible values are:
RESPONSE |
Possible REASON values |
EXCEPTION |
SECURITY_INACTIVE
BINDSECURITY_INACTIVE
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The GENERATE_APPC_RESPONSE function of the XSLU gate encrypts the string
received from the LU partner, and generates a new random string for the partner
to validate.
Input parameters
- LOCAL_LUNAME
- is the VTAM LU name of the local CICS region (sending the response).
- REMOTE_LUNAME
- is the VTAM LU name of the remote CICS region (that sent the bind).
- TEST_STRING
- is a random eight-character string receive with a bind request (RANDOM_STRING
of the GENERATE_APPC_BIND function).
Output parameters
- ENCRYPTED_TEST_STRING
- is an eight-character string formed by encrypting the test string using
shared DES (Data Encryption Standard/System) encryption keys.
- RANDOM_STRING
- is a random eight-character string.
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible
values are:
RESPONSE |
Possible REASON values |
DISASTER |
ABEND
LOOP
ESM_ABENDED
ESTAE_FAILURE
EXTRACT_FAILURE
|
EXCEPTION |
NOTAUTH
PROFILE_UNKNOWN
PROFILE_LOCKED
PROFILE_EXPIRED
SESSION_KEY_NULL
SECURITY_INACTIVE
UNKNOWN_ESM_RESPONSE
BIND_SECURITY_INACTIVE
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The VALIDATE_APPC_RESPONSE function of the XSLU gate encrypts the string
that was previously sent to the partner, and compares it with the encrypted
string received from the partner.
Input parameters
- LOCAL_LUNAME
- is the VTAM LU name of the local CICS region (validating the response).
- REMOTE_LUNAME
- is the VTAM LU name of the remote CICS region (that sent the response).
- TEST_STRING
- is a random eight-character string receive with a validate request (RANDOM_STRING
of the GENERATE_APPC_RESPONSE function).
- ENCRYPTED_TEST_STRING
- is an eight-character string formed by encrypting the test string using
shared DES (Data Encryption Standard/System) encryption keys.
Output parameters
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible
values are:
RESPONSE |
Possible REASON values |
DISASTER |
ABEND
LOOP
ESM_ABENDED
ESTAE_FAILURE
EXTRACT_FAILURE
|
EXCEPTION |
NOTAUTH
VALIDATION_ERROR
PROFILE_UNKNOWN
PROFILE_LOCKED
PROFILE_EXPIRED
SESSION_KEY_NULL
SECURITY_INACTIVE
UNKNOWN_ESM_RESPONSE
BIND_SECURITY_INACTIVE
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The CREATE_PASSTICKET function of the XSPW gate is used to create a RACF
PassTicket (an alternative to a password). When created, the RACF PassTicket
can be presented for userid verification once only.
Input parameters
- APPLID
- is the application identifier for the CICS region.
- [TRANSACTION_NUMBER]
- is an optional number that identifies a transaction from which the caller’s
security token is located. If not specified, the caller’s security token
is located from the principal security token associated with the current CICS
task.
Output parameters
- PASSTICKET
- is the 10-character passticket to be used for the CICS region specified
by the APPLID value.
- PASSTICKET_LENGTH
- is the 8-bit length of the PASSTICKET value.
- ESM_RESPONSE
- is the optional 32-bit ESM response code to the call.
- ESM_REASON
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible
values are:
RESPONSE |
Possible REASON values |
DISASTER |
ABEND
LOOP
|
EXCEPTION |
FUNCTION_UNAVAILABLE
PASSTICKET_NOT_CREATED
SECURITY_INACTIVE
TRANSACTION_NOT_FOUND
UNKNOWN_ESM_ERROR
|
INVALID |
INVALID_APPLID
INVALID_FORMAT
INVALID_FUNCTION
|
The INQUIRE_PASSWORD_DATA function of the XSPW gate provides information
from the ESM.
Input parameters
- USERID
- is the identifier of the user (a userid of 1 through 10 alphanumeric
characters) requesting the ESM information.
- USERID_LENGTH
- is the length of the USERID value.
- PASSWORD
- is the password, 1 through 10 alphanumeric characters, for the userid
specified by the USERID value.
- PASSWORD_LENGTH
- is the 8-bit length of the PASSWORD value.
- [PASSWORD_TYPE]
- indicates whether the password is masked. It can have either of these
values:
CLEAR|MASKED
- OPTIMIZE
- indicates whether the user's revoke status is ignored. It can have any
of these values:
YES|NO
Output parameters
- [DAYS_LEFT]
- is the number of days left before the password must be changed.
- [PASSWORD_FAILURES]
- is the number of times that the user has unsuccessfully entered tried
to enter the password.
- [EXPIRY_ABSTIME]
- is the date and time of when the password will expire.
- [LASTUSE_ABSTIME]
- is the date and time of when the password was last used.
- [CHANGE_ABSTIME]
- is the date and time of when the password was last changed.
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible
values are:
RESPONSE |
Possible REASON values |
DISASTER |
ABEND
LOOP
ESM_ABENDED
ESTAE_FAILURE
EXTRACT_FAILURE
|
EXCEPTION |
ESM_INACTIVE
PASSWORD_NOTAUTH
SECURITY_INACTIVE
UNKNOWN_ESM_ERROR
NOTAUTH
USERID_UNDEFINED
PASSWORD_EXPIRED
USERID_REVOKED
USERID_FORMAT_ERROR
APPLID_NOT_AUTH
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The UPDATE_PASSWORD_DATA function of the XSPW gate assigns a new password
to the userid, if the current password is input correctly and the new password
meets ESM and installation defined password quality rules.
Input parameters
- USERID
- is the identifier of the user (a userid of 1 through 10 alphanumeric
characters) requesting the ESM information.
- USERID_LENGTH
- is the length of the USERID value.
- PASSWORD
- is the current password, 1 through 10 alphanumeric characters, for the
userid specified by the USERID value.
- PASSWORD_LENGTH
- is the 8-bit length of the PASSWORD value.
- NEW_PASSWORD
- is the new password, 1 through 10 alphanumeric characters, for the userid
specified by the USERID value.
- NEW_PASSWORD_LENGTH
- is the 8-bit length of the NEW_PASSWORD value.
Output parameters
- SAF_RESPONSE
- is the optional 32-bit SAF response code to the call.
- SAF_REASON
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- ESM_RESPONSE
- is the optional 32-bit ESM response code to the call.
- ESM_REASON
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible
values are:
RESPONSE |
Possible REASON values |
DISASTER |
ABEND
LOOP
ESM_ABENDED
ESTAE_FAILURE
EXTRACT_FAILURE
|
EXCEPTION |
USERID_REVOKED
USERID_UNDEFINED
SECLABEL_FAILURE
PASSWORD_NOTAUTH
INVALID_NEW_PASSWORD
ESM_INACTIVE
SECURITY_INACTIVE
UNKNOWN_ESM_ERROR
GROUP_CONNECTION_REVOKED
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The INQUIRE_CERTIFICATE_USERID function of the XSPW gate obtains the userid
associated with an X.509 certificate that has been installed into the External
Security Manager.
Input parameters
- CERTIFICATE
- an X.509 certificate
Output parameters
- USERID
- is the identifier of the user associated with the certificate.
- USERID_LENGTH
- is the length of the USERID value.
- ESM_RESPONSE
- is the optional 32-bit ESM response code to the call.
- ESM_REASON
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domain's response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible
values are:
RESPONSE |
Possible REASON values |
DISASTER |
ABEND
LOOP
ESM_ABENDED
ESTAE_FAILURE
EXTRACT_FAILURE
|
EXCEPTION |
LENGTH_ERROR
GETMAIN_FAILED
FREEMAIN_FAILED
INVALID_CERTIFICATE
UNKNOWN_CERTIFICATE
UNTRUSTED_CERTIFICATE
NOTAUTH
SECURITY_INACTIVE
ESM_INACTIVE
UNKNOWN_ESM_ERROR
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The REGISTER_CERTIFICATE_USER function of the XSPW gate associates a user
with an X.509 certificate that has been installed into the External Security
Manager.
Input parameters
- USERID
- is the identifier of the user to be associated with the certificate.
- USERID_LENGTH
- is the length of the USERID value.
- PASSWORD
- is the current password, 1 through 10 alphanumeric characters, for the
userid specified by the USERID value.
- PASSWORD_LENGTH
- is the 8-bit length of the PASSWORD value.
- CERTIFICATE
- the X.509 certificate that is to be registered to the specified userid.
Output parameters
- ESM_RESPONSE
- is the optional 32-bit ESM response code to the call.
- ESM_REASON
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domain's response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible
values are:
RESPONSE |
Possible REASON values |
DISASTER |
ABEND
LOOP
ESM_ABENDED
ESTAE_FAILURE
EXTRACT_FAILURE
|
EXCEPTION |
GETMAIN_FAILED
FREEMAIN_FAILED
INVALID_CERTIFICATE
UNKNOWN_CERTIFICATE
UNTRUSTED_CERTIFICATE
NOTAUTH
SECURITY_INACTIVE
ESM_INACTIVE
UNKNOWN_ESM_ERROR
|
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The CHECK_CICS_RESOURCE function of the XSRC gate performs CICS resource
access checks.
Input parameters
- RESOURCE
- is the name of the resource, padded with blanks to eight-characters.
- RESOURCE_TYPE
- is the type of the resource. It can have any of these values:
DB2ENTRY|FILE|JOURNALNAME|PROGRAM|PSB|TDQUEUE|
TRANSACTION|TRANSATTACH|TSQUEUE
- ACCESS
- is the type of access to be made on the resource. It can have any of
these values:
EXECUTE|READ|UPDATE|INQUIRE|SET|COLLECT|DEFINE|
PERFORM|CREATE|DISCARD|INSTALL|DELETE
- [LOGMESSAGE]
- indicates (optionally) whether access failures are logged to the CSCS
transient data queue and the MVS™ System Management Facility (SMF). It can
have either of these values:
YES|NO
- [FORCE]
- indicates (optionally) whether or not security checking is forced regardless
of the setting of RESSEC in the Security Domain’s transaction token. It
can have either of these values:
YES|NO
Output parameters
- [FAILING_USERID]
- is the userid that failed to access the resource.
- [FAILING_USERID_LENGTH]
- is the length of the userid (specified by the FAILING_USERID value).
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE |
Possible REASON values |
EXCEPTION |
NOTAUTH |
The CHECK_CICS_COMMAND function of the XSRC gate performs CICS command
access checks.
Input parameters
- RESOURCE_TYPE
- is the type of the resource. It can have any of these values:
AUTINSTMODEL|AUTOINSTALL|CFDTPOOL|CONNECTION|
DB2CONN|DB2ENTRY|DB2TRAN|DELETSHIPPED|
DOCTEMPLATE|DSNAME|DUMP|DUMPDS|ENQMODEL|
EXITPROGRAM|FEPIRESOURCE|FILE|IRBATCH|IRC|
JOURNALNAME|JOURNALMODEL|LINE|LSRPOOL|MAPSET|
MODENAME|MONITOR|NONVTAM|PARTITIONSET|PARTNER|
PROCESSTYPE|PROFILE|PROGRAM|PSB|REQID|
REQUESTMODEL|RESETTIME|RRMS|SECURITY|SESSIONS|
SHUTDOWN|STATISTICS|STORAGE|STREAMNAME|
SYSDUMPCODE|SYSTEM|TASK|TCLASS|TCPIP|TCPIPSERVICE|
TDQUEUE|TERMINAL|TIME|TRACE|TRACEDEST|TRACEFLAG|
TRACETYPE|TRANCLASS|TRANDUMPCODE|TRANSACTION|
TRANSATTACH|TSMODEL|TSPOOL|TSQUEUE|TYPETERM|UOW|
UOWDSNFAIL|UOWENQ|UOWLINK|VOLUME|VTAM|WEB|
CORBASERVER|DJAR|JVMPOOL|EXCI|BEAN|BRFACILITY|
DISPATCHER|CLASSCACHE|JVM|JVMPOOL|JVMPROFILE
- ACCESS
- is the type of access to be made on the resource. It can have any of
these values:
COLLECT|DEFINE|DISCARD|INQUIRE|PERFORM|SET|CREATE|INSTALL|DELETE
- [LOGMESSAGE]
- indicates (optionally) whether access failures are logged to the CSCS
transient data queue and the MVS System Management Facility (SMF). It can
have either of these values:
YES|NO
- [FORCE]
- indicates (optionally) whether or not security checking is forced regardless
of the setting of RESSEC in the Security Domain’s transaction token. It
can have either of these values:
YES|NO
Output parameters
- [FAILING_USERID]
- is the userid that failed to access the resource.
- [FAILING_USERID_LENGTH]
- is the length of the userid (specified by the FAILING_USERID value).
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE |
Possible REASON values |
EXCEPTION |
NOTAUTH |
The CHECK_SURROGATE_USER function of the XSRC gate performs surrogate user
checking.
Input parameters
- USERID
- is the identifier of the surrogate user (a userid of 1 through 10 alphanumeric
characters).
- USERID_LENGTH
- is the length of the USERID value.
- ACCESS
- is the type of access requested. It can have any of these values:
INSTALL|START|CHANGE
Output parameters
- [FAILING_USERID]
- is the userid that failed to access the resource.
- [FAILING_USERID_LENGTH]
- is the length of the userid (specified by the FAILING_USERID value).
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE |
Possible REASON values |
EXCEPTION |
NOTAUTH |
The CHECK_NON_CICS_RESOURCE function of the XSRC gate performs non-CICS
resource access checks.
Input parameters
- RESOURCE_NAME
- is the address and length of the resource name, in the form RESOURCE_NAME(addr,length).
- CLASSNAME
- is the ESM class name in which the resource is defined.
- ACCESS
- is the type of access to be made on the resource. It can have any of
these values:
ALTER|CONTROL|READ|UPDATE
- [LOGMESSAGE]
- indicates (optionally) whether access failures are logged to the CSCS
transient data queue and the MVS System Management Facility (SMF). It can
have either of these values:
YES|NO
Output parameters
- [FAILING_USERID]
- is the userid that failed to access the resource.
- [FAILING_USERID_LENGTH]
- is the length of the userid (specified by the FAILING_USERID value).
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE |
Possible REASON values |
EXCEPTION |
NOTAUTH
ESM_NOT_PRESENT
ESM_INACTIVE
RESOURCE_NOT_FOUND
CLASS_NOT_FOUND
INVALID_RESOURCE_NAME
|
The REBUILD_RESOURCE_CLASSES function of the XSRC gate rebuilds the resource-class
profiles.
Input parameters
None.
Output parameters
- [SAF_RESPONSE]
- is the optional 32-bit SAF response code to the call.
- [SAF_REASON]
- is the optional 32-bit SAF reason returned with SAF_RESPONSE.
- [ESM_RESPONSE]
- is the optional 32-bit ESM response code to the call.
- [ESM_REASON]
- is the optional 32-bit ESM reason returned with ESM_RESPONSE.
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE |
Possible REASON values |
EXCEPTION |
SECURITY_INACTIVE
REBUILD_ERROR
REBUILD_ALREADY_ACTIVE
REBUILD_NOT_NEEDED
ESM_INACTIVE
|
The ADD_TRANSACTION_SECURITY function of the XSXM gate sets the transaction
options input to be stored as extended security tokens maintained by the transaction
manager.
Input parameters
- [PRINCIPAL_SECURITY_TOKEN]
- is the optional principal security token.
- [SESSION_SECURITY_TOKEN]
- is the optional session security token.
- [EDF_SECURITY_TOKEN]
- is the optional EDF security token.
Output parameters
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible
values are:
RESPONSE |
Possible REASON values |
DISASTER |
GETMAIN_FAILED |
EXCEPTION |
NO_SECURITY_TOKEN |
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The DEL_TRANSACTION_SECURITY function of the XSXM gate deletes the security
token of the specified token type for the transaction.
Input parameters
- TOKEN_TYPE
- is the type of security token for the transaction. It can have any of
these values:
PRINCIPAL|SESSION|EDF
Output parameters
- RESPONSE
- is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is INVALID. Possible values are:
RESPONSE |
Possible REASON values |
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
The END_TRANSACTION function of the XSXM gate deletes transaction-related
data.
Input parameters
None
Output parameters
- RESPONSE
- is the domain's response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
- [REASON]
- is returned when RESPONSE is INVALID. Possible values are:
RESPONSE |
Possible REASON values |
INVALID |
INVALID_FORMAT
INVALID_FUNCTION
|
[[ Contents Previous Page | Next Page Index ]]