Security manager domain’s specific gates

Table 119 summarizes the security manager domain’s specific gates. It shows the level-1 trace point IDs of the modules providing the functions for the gates, the functions provided by the gates, and whether or not the functions are available through the exit programming interface (XPI).

Table 119. Security manager domain’s specific gates
Gate Trace Function XPI
XSAD
XS 0201
XS 0202
ADD_USER_WITH_PASSWORD
ADD_USER_WITHOUT_PASSWORD
DELETE_USER_SECURITY
INQUIRE_USER_ATTRIBUTES
VALIDATE_USERID
NO
NO
NO
NO
NO
XSFL
XS 0501
XS 0502
FLATTEN_USER_SECURITY
UNFLATTEN_USER_SECURITY
UNFLATTEN ESM_UTOKEN
NO
NO
NO
XSIS
XS 0301
XS 0302
INQUIRE_REGION_USERID
INQ_SECURITY_DOMAIN_PARMS
SET_SECURITY_DOMAIN_PARMS
SET_NETWORK_IDENTIFIER
SET_SPECIAL_TOKENS INQUIRE_REALM_NAME
NO
NO
NO
NO
NO
NO
XSLU
XS 0801
XS 0802
GENERATE_APPC_BIND
GENERATE_APPC_RESPONSE
VALIDATE_APPC_RESPONSE
NO
NO
NO
XSPW
XS 0601
XS 0602
CREATE_PASSTICKET
INQUIRE_PASSWORD_DATA
UPDATE_PASSWORD
INQUIRE_CERTIFICATE_USERID
REGISTER_CERTIFICATE_USER
NO
NO
NO
NO
NO
XSRC
XS 0701
XS 0702
CHECK_CICS_RESOURCE
CHECK_CICS_COMMAND
CHECK_NON_CICS_RESOURCE
CHECK_SURROGATE_USER
REBUILD_RESOURCE_CLASSES
NO
NO
NO
NO
NO
XSXM
XS 0401
XS 0402
ADD_TRANSACTION_SECURITY
DEL_TRANSACTION_SECURITY
END_TRANSACTION
NO
NO
NO

XSAD gate, ADD_USER_WITH_PASSWORD function

The ADD_USER_WITH_PASSWORD function of the XSAD gate is used to add a user to the security domain and verify the associated password or oidcard.

Input parameters

USERID
is the identifier of the user (a userid of 1 through 10 alphanumeric characters) to be added to the security domain.
USERID_LENGTH
is the length of the USERID value.
PASSWORD_TYPE
specifies if the password is masked. It can have either of these values:
CLEAR|MASKED
[PASSWORD]
is the current password, 1 through 10 alphanumeric characters, for the userid specified by the USERID value.
[PASSWORD_LENGTH]
is the 8-bit length of the PASSWORD value. This parameter is only valid if PASSWORD is also specified.
[NEW_PASSWORD]
is a new password, 1 through 10 alphanumeric characters, to be assigned to the userid (specified by the USERID value). This parameter is only valid if PASSWORD is also specified.
[NEW_PASSWORD_LENGTH]
is the 8-bit length of the NEW_PASSWORD value. This parameter is only valid if NEW_PASSWORD is also specified.
APPLID
is the application identifier for the CICS® region.
[OIDCARD]
is an optional oidcard (operator identification card); a 65-byte field containing further security data from a magnetic strip reader (MSR) on 32xx devices.
[GROUPID]
is an optional identifier, 1 through 10 alphanumeric characters, of a RACF® user group to which the userid (specified by the USERID value) is to be assigned.
[GROUPID_LENGTH]
is the 8-bit length of the GROUPID value. This parameter is only valid if GROUPID is also specified.
[ENTRY_PORT_NAME]
is an optional name of an entry port, 1 through 8 alphanumeric characters, to be assigned to the userid (specified by the USERID value).
[ENTRY_PORT_TYPE]
is the type of the optional entry port to be assigned to the userid (specified by the USERID value). It can have either of these values:
TERMINAL|CONSOLE
This parameter is only valid if ENTRY_PORT_NAME is also specified.
SIGNON_TYPE
is the type of signon for the userid (specified by the USERID value). It can have any of these values:
ATTACH_SIGN_ON|DEFAULT_SIGN_ON|IRC_SIGN_ON|
LU61_SIGN_ON|LU62_SIGN_ON|NON_TERMINAL_SIGN_ON|
PRESET_SIGN_ON|USER_SIGN_ON|XRF_SIGN_ON

Output parameters

SECURITY_TOKEN
is the token identifying the userid.
[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE Possible REASON values
EXCEPTION
APPLICATION_NOTAUTH
ENTRY_PORT_NOTAUTH
ESM_INACTIVE
ESM_TRANQUIL
GETMAIN_FAILURE
GROUP_ACCESS_REVOKED
INVALID_GROUPID
INVALID_NEW_PASSWORD
OIDCARD_NOTAUTH
OIDCARD_REQUIRED
PASSWORD_REQUIRED
PASSWORD_EXPIRED
PASSWORD_NOTAUTH
SECLABEL_FAILURE
SECURITY_INACTIVE
UNKNOWN_ESM_ERROR
USERID_NOT_IN_GROUP
USERID_REVOKED
USERID_NOT_DEFINED
INVALID_USERID
DISASTER
ABEND
LOOP
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSAD gate, ADD_USER_WITHOUT_PASSWORD function

The ADD_USER_WITHOUT_PASSWORD function of the XSAD gate is used to add a user to the security domain without verification of a associated password or oidcard.

Input parameters

USERID
is the identifier of the user (a userid of 1 through 10 alphanumeric characters) to be added to the security domain.
USERID_LENGTH
is the 8-bit length of the USERID value.
[GROUPID]
is an optional identifier, 1 through 10 alphanumeric characters, of a RACF user group to which the userid (specified by the USERID value) is to be assigned.
[GROUPID_LENGTH]
is the 8-bit length of the GROUPID value. This parameter is only valid if GROUPID is also specified.
[ENTRY_PORT_NAME]
is an optional name of an entry port, 1 through 8 alphanumeric characters, to be assigned to the userid (specified by the USERID value).
[ENTRY_PORT_TYPE]
is the type of the optional entry port to be assigned to the userid (specified by the USERID value). It can have either of these values:
TERMINAL|CONSOLE
This parameter is only valid if ENTRY_PORT_NAME is also specified.
SIGNON_TYPE
is the type of signon for the userid (specified by the USERID value). It can have any of these values:
ATTACH_SIGN_ON|DEFAULT_SIGN_ON|IRC_SIGN_ON|
LU61_SIGN_ON|LU62_SIGN_ON|NON_TERMINAL_SIGN_ON|
PRESET_SIGN_ON|USER_SIGN_ON|XRF_SIGN_ON
APPLID
is the application identifier for the CICS region.

Output parameters

SECURITY_TOKEN
is the token identifying the userid.
[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE Possible REASON values
EXCEPTION
APPLICATION_NOTAUTH
ENTRY_PORT_NOTAUTH
ESM_INACTIVE
ESM_TRANQUIL
GETMAIN_FAILURE
GROUP_ACCESS_REVOKED
INVALID_GROUPID
SECLABEL_FAILURE
SECURITY_INACTIVE
UNKNOWN_ESM_ERROR
USERID_NOT_IN_GROUP
USERID_REVOKED
USERID_NOT_DEFINED
INVALID_USERID
DISASTER
ABEND
LOOP
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSAD gate, DELETE_USER_SECURITY function

The DELETE_USER_SECURITY function of the XSAD gate is used to delete the storage held to store the ACEE and ACEE pointer for the user represented by the security token.

Input parameters

SECURITY_TOKEN
is the token identifying the userid.
SIGNOFF_TYPE
is the type of signoff for the userid identified by the SECURITY_TOKEN value. It can have any of these values:
ABNORMAL_SIGN_OFF|ATTACH_SIGN_OFF|DEFERRED_SIGN_OFF|
DELETE_SIGN_OFF|LINK_SIGN_OFF|NON_TERMINAL_SIGN_OFF|
PRESET_SIGN_OFF|UNFLATTEN_USER_SIGN_OFF|
USER_SIGN_OFF|XRF_SIGN_OFF

Output parameters

[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE Possible REASON values
EXCEPTION
ESM_INACTIVE
ESM_TRANQUIL
INVALID_SECURITY_TOKEN
SECURITY_INACTIVE
SECURITY_TOKEN_IN_USE
UNKNOWN_ESM_ERROR
DISASTER
ABEND
LOOP
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSAD gate, INQUIRE_USER_ATTRIBUTES function

The INQUIRE_USER_ATTRIBUTES function of the XSAD gate is used to inquire about the attributes of the user represented by the security token.

Input parameters

SECURITY_TOKEN
is the token identifying the userid.

Output parameters

[USERID]
is the identifier of the user (a userid of 1 through 10 alphanumeric characters). the userid (specified by the SECURITY_TOKEN value) is assigned.
USERID_LENGTH
is the length of the USERID value.
[CURRENT_GROUPID]
is the identifier, 1 through 10 alphanumeric characters, of the current RACF user group to which the userid (specified by the SECURITY_TOKEN value) is assigned.
[CURRENT_GROUPID_LENGTH]
is the 8-bit length of the GROUPID value.
[USERNAME]
is an optional buffer into which the attributes of the user are placed.
[NATIONAL_LANGUAGE]
is a three-character code identifying the national language for the userid. It can have any of the values in Table 120.
[OPCLASS]
is the operator class, in the range 1 through 24, for the userid.
[OPIDENT]
is the operator identification code, 1 through 3 alphanumeric characters, for the userid.
[OPPRTY]
is the operator priority value, in the range 0 through 255 (where 255 is the highest priority), for the userid.
[TIMEOUT]
is the number of minutes, in the range 0 through 60, that must elapse since the user last used the terminal before CICS "times-out" the terminal.
Notes:
  1. CICS rounds values up to the nearest multiple of 5.
  2. A TIMEOUT value of 0 means that the terminal is not timed out.
[XRFSOFF]
indicates whether or not you want CICS to sign off the userid following an XRF takeover. It can have either of these values:
FORCE|NOFORCE
[ACEE_PTR]
is a pointer to the access control environment element, the control block that is generated by an external security manager (ESM) when the user signs on. If the user is not signed on, the address of the CICS DFLTUSER's ACEEis returned. If an ACEE does not exist, CICS sets the pointer reference to the null value, X'FF000000'.
[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE Possible REASON values
EXCEPTION
ESTAE_FAILURE
EXTRACT_FAILURE
INVALID_ACEE
INVALID_ESM_PARAMETER
INVALID_SECURITY_TOKEN
NOTAUTH
PROFILE_UNKNOWN
SECURITY_INACTIVE
INVALID
INVALID_FORMAT
INVALID_FUNCTION
DISASTER
ABEND
LOOP
Table 120. National language codes (three-characters)
Code Language Name Original Name
AFR Afrikaans Afrikaans
ARA Arabic Arabi
BEL Byelorussian Belaruskaja (mova)
BGR Bulgarian Bulgarski
CAT Catalan Catala
CHT Traditional Chinese Zhongwen
CHS Simplified Chinese
CSY Czech Cesky
DAN Danish Dansk
DEU German Deutsch
DES Swiss German Schweizer-Deutsch
ELL Greek Ellinika
ENA Australian English
ENG UK English English
ENU US English
ENP English Upper Case
ESP Spanish Espanol
FAR Farsi Persian
FIN Finnish Suomi
FRA French Francais
FRB Belgian French
FRC Canadian French
FRS Swiss French Suisse-francais
GAE Irish Gaelic (Irish) Gaeilge
HEB Hebrew Ivrith
HRV Croatian Hrvatski
HUN Hungarian Magyar
ISL Icelandic Islenska
ITA Italian Italiano
ITS Swiss Italian Italiano svizzero
JPN Japanese Nihongo
KOR Korean Choson-o; Hanguk-o
MKD Macedonian Makedonski
NLD Dutch Nederlands
NLB Belgian Dutch
NOR Norwegian - Bokmal Norsk - Bokmal
NON Norwegian - Nynorsk Norsk - Nynorsk
PLK Polish Polski
PTG Portuguese Portugues
PTB Brazilian Portuguese
RMS Rhaeto-Romanic Romontsch
ROM Romanian Romana
RUS Russian Russkij
SHC Serbo-Croatian (Cyr) Srpsko-hrvatski
SHL Serbo-Croatian (Lat)
SKY Slovakian Slovensky
SLO Slovenian Slovenski
SRL Serbian (Latin) Srpski (Latin)
SRB Serbian Srpski
SQI Albanian Shqip
SVE Swedish Svenska
THA Thai Thai
TRK Turkish Turkce
UKR Ukrainian Ukrainska (mova)
URD Urdu Urdu
     

XSAD gate, VALIDATE_USERID function

The VALIDATE_USERID function of the XSAD gate is used to check whether the specified userid is valid. It is used especially when the userid has to be validated without the user being added to the system; usually because the userid was specified in a deferred START command, and the user does not need to be added to the system until the started task actually begins to execute.

Input parameters

USERID
is the identifier of the user (a userid of 1 through 10 alphanumeric characters) to be added to the security domain.
USERID_LENGTH
is the length of the USERID value.

Output parameters

RESPONSE
is the domain’s response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER
ABEND
LOOP
EXCEPTION
SECURITY_INACTIVE
USERID_NOT_DEFINED
USERID_NOT_DETERMINED
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSFL gate, FLATTEN_USER_SECURITY function

The FLATTEN_USER_SECURITY function of the XSFL gate is used to flatten the user’s security state and place into the FLATTENED_SECURITY buffer provided.

Input parameters

SECURITY_TOKEN
is the token identifying the userid.
FLATTENED_SECURITY
is the buffer into which the flattened security state is placed.

Output parameters

[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER
ESM_ABENDED ABEND
LOOP
EXCEPTION
INVALID_SECURITY_TOKEN
SECURITY_INACTIVE
UNKNOWN_ESM_RESPONSE
INVALID
INVALID_FORMAT
INVALID_FUNCTION
INVALID_FLATTENED_BUFFER

XSFL gate, UNFLATTEN_USER_SECURITY function

The UNFLATTEN_USER_SECURITY function of the XSFL gate is used to unflatten the user security state data in the FLATTENED_SECURITY buffer, and add the userid to the security domain.

Input parameters

FLATTENED_SECURITY
is a buffer containing flattened security state data for a userid.

Output parameters

SECURITY_TOKEN
is the token identifying the userid.
ACEE_PTR
is a pointer to the access control environment element, the control block that is generated by an external security manager (ESM) when the user signs on.
USERID
is the identifier of the user (a userid of 1 through 10 alphanumeric characters). the userid (specified by the SECURITY_TOKEN value) is assigned.
USERID_LENGTH
is the length of the USERID value.
CURRENT_GROUPID
is the identifier, 1 through 10 alphanumeric characters, of the current RACF user group to which the userid is assigned.
CURRENT_GROUPID_LENGTH
is the 8-bit length of the GROUPID value.
ENTRY_PORT_NAME
is the name of an entry port, 1 through 8 alphanumeric characters, for the userid.
ENTRY_PORT_TYPE
is the type of the entry port for the userid. It can have either of these values:
TERMINAL|CONSOLE|NULL
[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is DISASTER, EXCEPTION or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER
ESM_ABENDED
ABEND
LOOP
EXCEPTION
SECURITY_INACTIVE
GETMAIN_FAILED
USERID_NOT_DEFINED
USERID_REVOKED
USERID_NOT_IN_GROUP
GROUP_ACCESS_REVOKED
ENTRY_PORT_NOTAUTH
APPLID_NOTAUTH
SECLABEL_CHECK_FAILED
ESM_INACTIVE
ESM_TRANQUIL
UNKNOWN_ESM_RESPONSE
INVALID
INVALID_FLATTENED_BUFFER
INVALID_FORMAT
INVALID_FUNCTION

XSFL gate, UNFLATTEN_ESM_UTOKEN function

The UNFLATTEN_ESM_UTOKEN function of the XSFL gate returns userid and groupid information associated with the external security manager's user token.

Input parameters

ESM_UTOKEN_PTR
is a pointer to a security manager user pointer.

Output parameters

USERID
is the identifier of the user (a userid of 1 through 10 alphanumeric characters). the userid (specified by the SECURITY_TOKEN value) is assigned.
USERID_LENGTH
is the length of the USERID value.
CURRENT_GROUPID
is the identifier, 1 through 10 alphanumeric characters, of the current RACF user group to which the userid is assigned.
CURRENT_GROUPID_LENGTH
is the 8-bit length of the GROUPID value.
[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is DISASTER, EXCEPTION or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER
ESM_ABENDED
ABEND
LOOP
EXCEPTION
SECURITY_INACTIVE
GETMAIN_FAILED
USERID_NOT_DEFINED
USERID_REVOKED
USERID_NOT_IN_GROUP
GROUP_ACCESS_REVOKED
ENTRY_PORT_NOTAUTH
APPLID_NOTAUTH
SECLABEL_CHECK_FAILED
ESM_INACTIVE
ESM_TRANQUIL
UNKNOWN_ESM_RESPONSE
INVALID
INVALID_FLATTENED_BUFFER
INVALID_FORMAT
INVALID_FUNCTION

XSIS gate, INQUIRE_REGION_USERID function

The INQUIRE_REGION_USERID function of the XSIS gate is used to return the userid and groupid associated with the jobstep that is currently executing this CICS region.

Input parameters

None.

Output parameters

REGION_USERID
is the user identifier of the CICS jobstep (a userid of 1 through 8 alphanumeric characters).
REGION_USERID_LENGTH
is the length of the REGION_USERID value.
[REGION_GROUPID]
is the identifier, 1 through 8 alphanumeric characters, of the current RACF user group to which the region userid is assigned.
[REGION_GROUPID_LENGTH]
is the 8-bit length of the REGION_GROUPID value.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID
[REASON]
is returned when RESPONSE is DISASTER, EXCEPTION or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER
ABEND
LOOP
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSIS gate, INQ_SECURITY_DOMAIN_PARMS function

The INQ_SECURITY_DOMAIN_PARMS function of the XSIS gate is used to return the current values of parameters from the security state data.

Input parameters

None.

Output parameters

[APPLID]
is the generic applid of the CICS region
[CMDSEC]
indicates whether or the CICS region should obey the CMDSEC option specified on a transaction’s resource definition. It can have either of these values:
YES|NO
[ESMEXITS]
indicates whether or not installation data is to be passed via the RACROUTE interface to the ESM for use in user exits written for the ESM. It can have either of these values:
YES|NO
[PREFIX]
returns the value of the prefix that is being applied to all resource names in authorization requests sent to the external security manager. It can contain 0 through 8 alphanumeric characters.
[PSBCHK]
indicates whether or not DL/I security checking is to be performed for a remote terminal initiating a transaction with transaction routing. It can have either of these values:
YES|NO
[RESSEC]
indicates whether the CICS region should obey the RESSEC option specified on a transaction’s resource definition.
[SECURITY]
indicates whether or not security is active for this CICS region. It can have either of these values:
YES|NO
[XAPPC]
indicates whether or not session security checking is used when establishing APPC sessions. It can have either of these values:
YES|NO
[XCMD]
indicates whether or not EXEC CICS commands are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for EXEC CICS commands.
[XDB2]
indicates whether or not CICS performs DB2ENTRY security checking. It can have any of these values:
YES|name|NO
where name is your own resource class name for DB2® entries.
[XDCT]
indicates whether or not destination control entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for destination control entries.
[XEJB]
indicates whether CICS support for enterprise bean security roles is enabled. It can have either of these values:
YES|NO
[XFCT]
indicates whether or not file control entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for file control entries.
[XJCT]
indicates whether or not journal entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for journal entries.
[XPCT]
indicates whether or not EXEC-started transactions entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for EXEC-started transactions entries.
[XPPT]
indicates whether or not program entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for program entries.
[XPSB]
indicates whether or not PSB entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for PSB entries.
[XTRAN]
indicates whether or not attached transaction entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for attached transaction entries.
[XTST]
indicates whether or not temporary storage entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for temporary storage entries.
XUSER
indicates whether or not user entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for user entries.
KEYRING
is the fully qualified name of the key ring that contains the keys and X.509 certificates used to support the secure sockets layer (SSL).
EJBROLE_PREFIX
is the prefix that is used to qualify the security role defined in an enterprise bean's deployment descriptor.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|DISASTER|INVALID
[REASON]
is returned when RESPONSE is DISASTER or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER
ABEND
LOOP
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSIS gate, SET_SECURITY_DOMAIN_PARMS function

At CICS startup, loads information for the security domain from the system initialization table (SIT) into the security state data.

Input parameters

APPLID
is the generic applid of the CICS region
[CMDSEC]
indicates whether or the CICS region should obey the CMDSEC option specified on a transaction’s resource definition. It can have either of these values:
YES|NO
ESMEXITS
indicates whether or not installation data is to be passed via the RACROUTE interface to the ESM for use in user exits written for the ESM. It can have either of these values:
YES|NO
[PREFIX]
specifies the prefix to be applied to resource name in any authorization requests send to the external security manager. It can be 1 through 8 alphanumeric characters, or the single character '*', which indicates that the CICS region userid is to be used as the prefix.
PSBCHK
indicates whether or not DL/I security checking is to be performed for a remote terminal initiating a transaction with transaction routing. It can have either of these values:
YES|NO
[RESSEC]
indicates whether the CICS region should obey the RESSEC option specified on a transaction’s resource definition.
SECURITY
indicates whether or not security is active for this CICS region. It can have either of these values:
YES|NO
XAPPC
indicates whether or not session security checking is used when establishing APPC sessions. It can have either of these values:
YES|NO
[XCMD]
indicates whether or not EXEC CICS commands are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for EXEC CICS commands.
[XDB2]
indicates whether or not CICS performs DB2ENTRY security checking. It can have any of these values:
YES|name|NO
where name is your own resource class name for DB2 entries.
[XDCT]
indicates whether or not destination control entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for destination control entries.
[XEJB]
indicates whether CICS support for enterprise bean security roles is enabled. It can have either of these values:
YES|NO
[XFCT]
indicates whether or not file control entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for file control entries.
[XJCT]
indicates whether or not journal entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for journal entries.
[XPCT]
indicates whether or not EXEC-started transactions entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for EXEC-started transactions entries.
[XPPT]
indicates whether or not program entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for program entries.
[XPSB]
indicates whether or not PSB entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for PSB entries.
[XTRAN]
indicates whether or not attached transaction entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for attached transaction entries.
[XTST]
indicates whether or not temporary storage entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for temporary storage entries.
XUSER
indicates whether or not user entries are checked by the ESM. It can have any of these values:
YES|name|NO
where name is your own resource class name for user entries.
KEYRING
is the fully qualified name of the key ring that contains the keys and X.509 certificates used to support the secure sockets layer (SSL).
EJBROLE_PREFIX
is the prefix that is used to qualify the security role defined in an enterprise bean's deployment descriptor.

Output parameters

RESPONSE
is the domains response to the call. It can have any of these values:
OK|DISASTER|INVALID
[REASON]
is returned when RESPONSE is DISASTER or INVALID. Possible values are:
RESPONSE Possible REASON values
EXCEPTION
GETMAIN_FAILED
KEYRING_NOT_FOUND
KEYRING_NOT_AUTH
DISASTER
CWA_WAIT_PHASE_FAILURE
INQUIRE_CWA_FAILURE
ABEND
LOOP
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSIS gate, SET_NETWORK_IDENTIFIER function

When CICS issues an OPEN ACB for VTAM®, the CICS SVC is invoked to store the name (netid) of the local network combined with the local luname, and to RACLIST the profiles in the External Security Manager (ESM) APPCLU Class. If you have specified either of the SEC=NO or XAPPC=NO system initialization parameters, no action is performed, and the return code is set to OK.

If the RACLIST fails, and the CONDITIONAL parameter is NO, then CICS is terminated.

Input parameters

LOCAL_LUNAME
is the VTAM LU name of the local CICS region.
LOCAL_LUNAME_LENGTH
is the length of the VTAM LU name specified by LOCAL_LUNAME.
CONDITIONAL
indicates whether or not CICS can tolerate errors in XSIS calls due to the APPCLU profiles not being in storage (LU6.2 connections cannot be validated). It can have either of these values:
YES|NO

Output parameters

RESPONSE
is the domains response to the call. It can have any of these values:
OK|DISASTER|INVALID|PURGED
[REASON]
is returned when RESPONSE is DISASTER or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER
ABEND
LOOP
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSIS gate, SET_SPECIAL_TOKENS function

The SET_SPECIAL_TOKENS function of the XSIS gate sets the security tokens for the default user ID and the region user ID.

Input parameters

DEFAULT_SECURITY_TOKEN
The security token for the default user ID.
REGION_SECURITY_TOKEN
The security token for the region user ID.

Output parameters

RESPONSE
is the domains response to the call. It can have any of these values:
OK|DISASTER|INVALID
[REASON]
is returned when RESPONSE is INVALID. Possible values are:
RESPONSE Possible REASON values
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSIS gate, INQUIRE_REALM_NAME function

Obtains the realm names under which the CICS system is executing; a realm is an environment in which a userid and password pairing is valid.

Input parameters

REALM_TYPE
Indicates that the request is for the Basic realm name. Possible values are:
BASIC

Output parameters

REALM_NAME
Returns the name of the realsm under which CICS is executing.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|INVALID|PURGED|DISASTER
[REASON]
is returned when RESPONSE is INVALID or DISASTER. Possible values are:
RESPONSE Possible REASON values
INVALID
INVALID_FORMAT
INVALID_FUNCTION
DISASTER
ABEND
LOOP

XSLU gate, GENERATE_APPC_BIND function

The GENERATE_APPC_BIND function of the XSLU gate generates a random number which is sent to the partner LU for partner verification.

Input parameters

None

Output parameters

RANDOM_STRING
A random eight-character string.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|INVALID
[REASON]
is returned when RESPONSE is INVALID. Possible values are:
RESPONSE Possible REASON values
EXCEPTION
SECURITY_INACTIVE
BINDSECURITY_INACTIVE
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSLU gate, GENERATE_APPC_RESPONSE function

The GENERATE_APPC_RESPONSE function of the XSLU gate encrypts the string received from the LU partner, and generates a new random string for the partner to validate.

Input parameters

LOCAL_LUNAME
is the VTAM LU name of the local CICS region (sending the response).
REMOTE_LUNAME
is the VTAM LU name of the remote CICS region (that sent the bind).
TEST_STRING
is a random eight-character string receive with a bind request (RANDOM_STRING of the GENERATE_APPC_BIND function).

Output parameters

ENCRYPTED_TEST_STRING
is an eight-character string formed by encrypting the test string using shared DES (Data Encryption Standard/System) encryption keys.
RANDOM_STRING
is a random eight-character string.
[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER
ABEND
LOOP
ESM_ABENDED
ESTAE_FAILURE
EXTRACT_FAILURE
EXCEPTION
NOTAUTH
PROFILE_UNKNOWN
PROFILE_LOCKED
PROFILE_EXPIRED
SESSION_KEY_NULL
SECURITY_INACTIVE
UNKNOWN_ESM_RESPONSE
BIND_SECURITY_INACTIVE
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSLU gate, VALIDATE_APPC_RESPONSE function

The VALIDATE_APPC_RESPONSE function of the XSLU gate encrypts the string that was previously sent to the partner, and compares it with the encrypted string received from the partner.

Input parameters

LOCAL_LUNAME
is the VTAM LU name of the local CICS region (validating the response).
REMOTE_LUNAME
is the VTAM LU name of the remote CICS region (that sent the response).
TEST_STRING
is a random eight-character string receive with a validate request (RANDOM_STRING of the GENERATE_APPC_RESPONSE function).
ENCRYPTED_TEST_STRING
is an eight-character string formed by encrypting the test string using shared DES (Data Encryption Standard/System) encryption keys.

Output parameters

[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER
ABEND
LOOP
ESM_ABENDED
ESTAE_FAILURE
EXTRACT_FAILURE
EXCEPTION
NOTAUTH
VALIDATION_ERROR
PROFILE_UNKNOWN
PROFILE_LOCKED
PROFILE_EXPIRED
SESSION_KEY_NULL
SECURITY_INACTIVE
UNKNOWN_ESM_RESPONSE
BIND_SECURITY_INACTIVE
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSPW gate, CREATE_PASSTICKET function

The CREATE_PASSTICKET function of the XSPW gate is used to create a RACF PassTicket (an alternative to a password). When created, the RACF PassTicket can be presented for userid verification once only.

Input parameters

APPLID
is the application identifier for the CICS region.
[TRANSACTION_NUMBER]
is an optional number that identifies a transaction from which the caller’s security token is located. If not specified, the caller’s security token is located from the principal security token associated with the current CICS task.

Output parameters

PASSTICKET
is the 10-character passticket to be used for the CICS region specified by the APPLID value.
PASSTICKET_LENGTH
is the 8-bit length of the PASSTICKET value.
ESM_RESPONSE
is the optional 32-bit ESM response code to the call.
ESM_REASON
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER
ABEND
LOOP
EXCEPTION
FUNCTION_UNAVAILABLE
PASSTICKET_NOT_CREATED
SECURITY_INACTIVE
TRANSACTION_NOT_FOUND
UNKNOWN_ESM_ERROR
INVALID
INVALID_APPLID
INVALID_FORMAT
INVALID_FUNCTION

XSPW gate, INQUIRE_PASSWORD_DATA function

The INQUIRE_PASSWORD_DATA function of the XSPW gate provides information from the ESM.

Input parameters

USERID
is the identifier of the user (a userid of 1 through 10 alphanumeric characters) requesting the ESM information.
USERID_LENGTH
is the length of the USERID value.
PASSWORD
is the password, 1 through 10 alphanumeric characters, for the userid specified by the USERID value.
PASSWORD_LENGTH
is the 8-bit length of the PASSWORD value.
[PASSWORD_TYPE]
indicates whether the password is masked. It can have either of these values:
CLEAR|MASKED
OPTIMIZE
indicates whether the user's revoke status is ignored. It can have any of these values:
YES|NO

Output parameters

[DAYS_LEFT]
is the number of days left before the password must be changed.
[PASSWORD_FAILURES]
is the number of times that the user has unsuccessfully entered tried to enter the password.
[EXPIRY_ABSTIME]
is the date and time of when the password will expire.
[LASTUSE_ABSTIME]
is the date and time of when the password was last used.
[CHANGE_ABSTIME]
is the date and time of when the password was last changed.
[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER
ABEND
LOOP
ESM_ABENDED
ESTAE_FAILURE
EXTRACT_FAILURE
EXCEPTION
ESM_INACTIVE
PASSWORD_NOTAUTH
SECURITY_INACTIVE
UNKNOWN_ESM_ERROR
NOTAUTH
USERID_UNDEFINED
PASSWORD_EXPIRED
USERID_REVOKED
USERID_FORMAT_ERROR
APPLID_NOT_AUTH
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSPW gate, UPDATE_PASSWORD_DATA function

The UPDATE_PASSWORD_DATA function of the XSPW gate assigns a new password to the userid, if the current password is input correctly and the new password meets ESM and installation defined password quality rules.

Input parameters

USERID
is the identifier of the user (a userid of 1 through 10 alphanumeric characters) requesting the ESM information.
USERID_LENGTH
is the length of the USERID value.
PASSWORD
is the current password, 1 through 10 alphanumeric characters, for the userid specified by the USERID value.
PASSWORD_LENGTH
is the 8-bit length of the PASSWORD value.
NEW_PASSWORD
is the new password, 1 through 10 alphanumeric characters, for the userid specified by the USERID value.
NEW_PASSWORD_LENGTH
is the 8-bit length of the NEW_PASSWORD value.

Output parameters

SAF_RESPONSE
is the optional 32-bit SAF response code to the call.
SAF_REASON
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
ESM_RESPONSE
is the optional 32-bit ESM response code to the call.
ESM_REASON
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER
ABEND
LOOP
ESM_ABENDED
ESTAE_FAILURE
EXTRACT_FAILURE
EXCEPTION
USERID_REVOKED
USERID_UNDEFINED
SECLABEL_FAILURE
PASSWORD_NOTAUTH
INVALID_NEW_PASSWORD
ESM_INACTIVE
SECURITY_INACTIVE
UNKNOWN_ESM_ERROR
GROUP_CONNECTION_REVOKED
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSPW gate, INQUIRE_CERTIFICATE_USERID function

The INQUIRE_CERTIFICATE_USERID function of the XSPW gate obtains the userid associated with an X.509 certificate that has been installed into the External Security Manager.

Input parameters

CERTIFICATE
an X.509 certificate

Output parameters

USERID
is the identifier of the user associated with the certificate.
USERID_LENGTH
is the length of the USERID value.
ESM_RESPONSE
is the optional 32-bit ESM response code to the call.
ESM_REASON
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domain's response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER
ABEND
LOOP
ESM_ABENDED
ESTAE_FAILURE
EXTRACT_FAILURE
EXCEPTION
LENGTH_ERROR
GETMAIN_FAILED
FREEMAIN_FAILED
INVALID_CERTIFICATE
UNKNOWN_CERTIFICATE
UNTRUSTED_CERTIFICATE
NOTAUTH
SECURITY_INACTIVE
ESM_INACTIVE
UNKNOWN_ESM_ERROR
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSPW gate, REGISTER_CERTIFICATE_USER function

The REGISTER_CERTIFICATE_USER function of the XSPW gate associates a user with an X.509 certificate that has been installed into the External Security Manager.

Input parameters

USERID
is the identifier of the user to be associated with the certificate.
USERID_LENGTH
is the length of the USERID value.
PASSWORD
is the current password, 1 through 10 alphanumeric characters, for the userid specified by the USERID value.
PASSWORD_LENGTH
is the 8-bit length of the PASSWORD value.
CERTIFICATE
the X.509 certificate that is to be registered to the specified userid.

Output parameters

ESM_RESPONSE
is the optional 32-bit ESM response code to the call.
ESM_REASON
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domain's response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER
ABEND
LOOP
ESM_ABENDED
ESTAE_FAILURE
EXTRACT_FAILURE
EXCEPTION
GETMAIN_FAILED
FREEMAIN_FAILED
INVALID_CERTIFICATE
UNKNOWN_CERTIFICATE
UNTRUSTED_CERTIFICATE
NOTAUTH
SECURITY_INACTIVE
ESM_INACTIVE
UNKNOWN_ESM_ERROR
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSRC gate, CHECK_CICS_RESOURCE function

The CHECK_CICS_RESOURCE function of the XSRC gate performs CICS resource access checks.

Input parameters

RESOURCE
is the name of the resource, padded with blanks to eight-characters.
RESOURCE_TYPE
is the type of the resource. It can have any of these values:
DB2ENTRY|FILE|JOURNALNAME|PROGRAM|PSB|TDQUEUE|
TRANSACTION|TRANSATTACH|TSQUEUE
ACCESS
is the type of access to be made on the resource. It can have any of these values:
EXECUTE|READ|UPDATE|INQUIRE|SET|COLLECT|DEFINE|
PERFORM|CREATE|DISCARD|INSTALL|DELETE
[LOGMESSAGE]
indicates (optionally) whether access failures are logged to the CSCS transient data queue and the MVS™ System Management Facility (SMF). It can have either of these values:
YES|NO
[FORCE]
indicates (optionally) whether or not security checking is forced regardless of the setting of RESSEC in the Security Domain’s transaction token. It can have either of these values:
YES|NO

Output parameters

[FAILING_USERID]
is the userid that failed to access the resource.
[FAILING_USERID_LENGTH]
is the length of the userid (specified by the FAILING_USERID value).
[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE Possible REASON values
EXCEPTION NOTAUTH

XSRC gate, CHECK_CICS_COMMAND function

The CHECK_CICS_COMMAND function of the XSRC gate performs CICS command access checks.

Input parameters

RESOURCE_TYPE
is the type of the resource. It can have any of these values:
AUTINSTMODEL|AUTOINSTALL|CFDTPOOL|CONNECTION|
DB2CONN|DB2ENTRY|DB2TRAN|DELETSHIPPED|
DOCTEMPLATE|DSNAME|DUMP|DUMPDS|ENQMODEL|
EXITPROGRAM|FEPIRESOURCE|FILE|IRBATCH|IRC|
JOURNALNAME|JOURNALMODEL|LINE|LSRPOOL|MAPSET|
MODENAME|MONITOR|NONVTAM|PARTITIONSET|PARTNER|
PROCESSTYPE|PROFILE|PROGRAM|PSB|REQID|
REQUESTMODEL|RESETTIME|RRMS|SECURITY|SESSIONS|
SHUTDOWN|STATISTICS|STORAGE|STREAMNAME|
SYSDUMPCODE|SYSTEM|TASK|TCLASS|TCPIP|TCPIPSERVICE|
TDQUEUE|TERMINAL|TIME|TRACE|TRACEDEST|TRACEFLAG|
TRACETYPE|TRANCLASS|TRANDUMPCODE|TRANSACTION|
TRANSATTACH|TSMODEL|TSPOOL|TSQUEUE|TYPETERM|UOW|
UOWDSNFAIL|UOWENQ|UOWLINK|VOLUME|VTAM|WEB|
CORBASERVER|DJAR|JVMPOOL|EXCI|BEAN|BRFACILITY|
DISPATCHER|CLASSCACHE|JVM|JVMPOOL|JVMPROFILE 
ACCESS
is the type of access to be made on the resource. It can have any of these values:
COLLECT|DEFINE|DISCARD|INQUIRE|PERFORM|SET|CREATE|INSTALL|DELETE
[LOGMESSAGE]
indicates (optionally) whether access failures are logged to the CSCS transient data queue and the MVS System Management Facility (SMF). It can have either of these values:
YES|NO
[FORCE]
indicates (optionally) whether or not security checking is forced regardless of the setting of RESSEC in the Security Domain’s transaction token. It can have either of these values:
YES|NO

Output parameters

[FAILING_USERID]
is the userid that failed to access the resource.
[FAILING_USERID_LENGTH]
is the length of the userid (specified by the FAILING_USERID value).
[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE Possible REASON values
EXCEPTION NOTAUTH

XSRC gate, CHECK_SURROGATE_USER function

The CHECK_SURROGATE_USER function of the XSRC gate performs surrogate user checking.

Input parameters

USERID
is the identifier of the surrogate user (a userid of 1 through 10 alphanumeric characters).
USERID_LENGTH
is the length of the USERID value.
ACCESS
is the type of access requested. It can have any of these values:
INSTALL|START|CHANGE

Output parameters

[FAILING_USERID]
is the userid that failed to access the resource.
[FAILING_USERID_LENGTH]
is the length of the userid (specified by the FAILING_USERID value).
[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE Possible REASON values
EXCEPTION NOTAUTH

XSRC gate, CHECK_NON_CICS_RESOURCE function

The CHECK_NON_CICS_RESOURCE function of the XSRC gate performs non-CICS resource access checks.

Input parameters

RESOURCE_NAME
is the address and length of the resource name, in the form RESOURCE_NAME(addr,length).
CLASSNAME
is the ESM class name in which the resource is defined.
ACCESS
is the type of access to be made on the resource. It can have any of these values:
ALTER|CONTROL|READ|UPDATE
[LOGMESSAGE]
indicates (optionally) whether access failures are logged to the CSCS transient data queue and the MVS System Management Facility (SMF). It can have either of these values:
YES|NO

Output parameters

[FAILING_USERID]
is the userid that failed to access the resource.
[FAILING_USERID_LENGTH]
is the length of the userid (specified by the FAILING_USERID value).
[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE Possible REASON values
EXCEPTION
NOTAUTH
ESM_NOT_PRESENT
ESM_INACTIVE
RESOURCE_NOT_FOUND
CLASS_NOT_FOUND
INVALID_RESOURCE_NAME

XSRC gate, REBUILD_RESOURCE_CLASSES function

The REBUILD_RESOURCE_CLASSES function of the XSRC gate rebuilds the resource-class profiles.

Input parameters

None.

Output parameters

[SAF_RESPONSE]
is the optional 32-bit SAF response code to the call.
[SAF_REASON]
is the optional 32-bit SAF reason returned with SAF_RESPONSE.
[ESM_RESPONSE]
is the optional 32-bit ESM response code to the call.
[ESM_REASON]
is the optional 32-bit ESM reason returned with ESM_RESPONSE.
RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is EXCEPTION. Possible values are:
RESPONSE Possible REASON values
EXCEPTION
SECURITY_INACTIVE
REBUILD_ERROR
REBUILD_ALREADY_ACTIVE
REBUILD_NOT_NEEDED
ESM_INACTIVE

XSXM gate, ADD_TRANSACTION_SECURITY function

The ADD_TRANSACTION_SECURITY function of the XSXM gate sets the transaction options input to be stored as extended security tokens maintained by the transaction manager.

Input parameters

[PRINCIPAL_SECURITY_TOKEN]
is the optional principal security token.
[SESSION_SECURITY_TOKEN]
is the optional session security token.
[EDF_SECURITY_TOKEN]
is the optional EDF security token.

Output parameters

RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is DISASTER, EXCEPTION, or INVALID. Possible values are:
RESPONSE Possible REASON values
DISASTER GETMAIN_FAILED
EXCEPTION NO_SECURITY_TOKEN
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSXM gate, DEL_TRANSACTION_SECURITY function

The DEL_TRANSACTION_SECURITY function of the XSXM gate deletes the security token of the specified token type for the transaction.

Input parameters

TOKEN_TYPE
is the type of security token for the transaction. It can have any of these values:
PRINCIPAL|SESSION|EDF

Output parameters

RESPONSE
is the domains response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is INVALID. Possible values are:
RESPONSE Possible REASON values
INVALID
INVALID_FORMAT
INVALID_FUNCTION

XSXM gate, END_TRANSACTION function

The END_TRANSACTION function of the XSXM gate deletes transaction-related data.

Input parameters

None

Output parameters

RESPONSE
is the domain's response to the call. It can have any of these values:
OK|EXCEPTION|DISASTER|INVALID|KERNERROR|PURGED
[REASON]
is returned when RESPONSE is INVALID. Possible values are:
RESPONSE Possible REASON values
INVALID
INVALID_FORMAT
INVALID_FUNCTION
[[ Contents Previous Page | Next Page Index ]]