Internal APF Authorization

Internal APF Authorization allows MSO to run with APF authorization without requiring that every load library allocated to the MSO address space also be APF authorized.

Normally, when an address space is running with APF authorization, all load libraries allocated to the address space must be APF-authorized libraries. With Internal APF Authorization, only the libraries allocated to ddname STEPLIB must be APF authorized. Unauthorized libraries may be allocated to ddname USERLIB or to product-specific ddnames, as required. Both Information Builders products and third-party products may take advantage of this feature.

This feature works by turning off the APF-authorization bit after MSO starts up. MSO retains the ability to make authorized requests to the operating system when it needs to (for security validation, writing SMF records, etc.), but prevents users from doing so. The APF bit remains off even when MSO makes these requests, so that integrity is ensured without forcing other tasks to be in a "status stop" state. Thus multi-tasking continues even when this feature is active.

When Internal APF Authorization is active, ddnames USERLIB and FOCLIB may not be allocated with the DYNAM command; if used, they must be allocated in the MSO JCL.

When using Internal APF Authorization, ensure that the data set FOCLIB.LOAD is only allocated to STEPLIB, and not to USERLIB and/or FOCLIB. In general, libraries should only be allocated to either STEPLIB or USERLIB; allocating libraries to both is not supported.
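The two allocation rules above can be checked against the MSO JCL before the server is started. The following Python sketch is an added example, not Information Builders code: the sample JCL, the program name, and the data set names are constructed, and it assumes the product library is any data set named FOCLIB.LOAD or ending in .FOCLIB.LOAD. It does not verify that the STEPLIB libraries are actually APF authorized.

```python
import re

DD_RE = re.compile(r"^//(\S*)\s+DD(?:\s|$)")       # DD statement; name may be blank
DSN_RE = re.compile(r"\b(?:DSN|DSNAME)=([^,\s]+)")

# Constructed sample JCL; program and data set names are placeholders.
SAMPLE_JCL = """\
//MSO      EXEC PGM=EXAMPLE
//* load libraries
//STEPLIB  DD DISP=SHR,DSN=PROD.FOCLIB.LOAD
//         DD DISP=SHR,DSN=PROD.VENDOR.LOAD
//USERLIB  DD DISP=SHR,DSN=PROD.FOCLIB.LOAD
//         DD DISP=SHR,
//            DSN=PROD.SITE.LOAD
//FOCLIB   DD DISP=SHR,DSN=PROD.FOCLIB.LOAD
"""

def parse_allocations(jcl):
    """Return {ddname: [dsn, ...]}, following concatenations and continuations."""
    allocs, current = {}, None
    for line in jcl.splitlines():
        if not line.startswith("//") or line.startswith("//*"):
            continue                          # in-stream data or comment
        m = DD_RE.match(line)
        if m:
            current = m.group(1) or current   # blank name: concatenation
        elif not line.startswith("// "):
            current = None                    # JOB, EXEC or other named statement
        if current:
            dsns = DSN_RE.findall(line[:71])  # columns 72-80 are not operands
            allocs.setdefault(current, []).extend(d.strip("'") for d in dsns)
    return allocs

def check_internal_apf(jcl):
    """Return sorted (rule, ddname, dsn) findings for the two allocation rules."""
    a = parse_allocations(jcl)
    findings = set()
    # Rule: a library belongs to either STEPLIB or USERLIB, never both.
    for dsn in set(a.get("STEPLIB", [])) & set(a.get("USERLIB", [])):
        findings.add(("IN_STEPLIB_AND_USERLIB", "USERLIB", dsn))
    # Rule: FOCLIB.LOAD is allocated only to STEPLIB.
    for dd in ("USERLIB", "FOCLIB"):
        for dsn in a.get(dd, []):
            # Assumption: the product library is named FOCLIB.LOAD or *.FOCLIB.LOAD
            if dsn == "FOCLIB.LOAD" or dsn.endswith(".FOCLIB.LOAD"):
                findings.add(("FOCLIB_LOAD_OUTSIDE_STEPLIB", dd, dsn))
    return sorted(findings)
```

Calling check_internal_apf(SAMPLE_JCL) returns one tuple per violation; an empty list means neither rule is broken in the JCL that was supplied.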

Note: Any third-party software package that issues MODESET and TESTAUTH macros may not be compatible with APFAUTH=INTERNAL. To avoid incompatibility with third-party software, use APFAUTH=EXTERNAL (the default) in conjunction with APF-authorized load libraries allocated to ddnames STEPLIB and USERLIB. MSO then uses MVS standard APF authorization techniques and provides accurate information to third-party software packages.

Internal APF Authorization is activated by use of the APFAUTH keyword in the MSO configuration file, as described in The MSO Configuration File.


Information Builders