Modifying DSN3SATH

The first example shows the changes to make to the IBM sample DSN3SATH exit at RACF and CA-TOP SECRET sites. The example after that is for CA-ACF2 sites.

In this section:

Modifying DSN3SATH for RACF and CA-TOP SECRET

Modifying DSN3SATH for CA-ACF2

Link JCL for DSN3SATH

The arrows in the code mark the lines that contain the modifications Information Builders recommends for DSN3SATH. These lines call FOCDSN3 and, in the RACF and CA-TOP SECRET example, FOCDSN4.

Note: The positioning of these lines is appropriate only if no other changes or additions have previously been made to DSN3SATH. If previous changes were made, decide where the call to FOCDSN3 is most appropriately placed.

Modifying DSN3SATH for RACF and CA-TOP SECRET

SATH001  DS    0H
         USING WORKAREA,R11        ESTABLISH DATA AREA ADDRESSABILITY
         ST    R2,FREMFLAG         SAVE FREEMAIN INDICATOR
         XC    SAVEAREA(72),SAVEAREA CLEAR REGISTER SAVE AREA
         LA    R15,SAVEAREA        GET ADDRESS OF CSECT'S SAVE AREA
         ST    R13,FOUR(,R15)      CHAIN THE SAVE AREA BACK POINTER
         ST    R15,EIGHT(,R13)     CHAIN SAVEAREA FORWARD
         LR    R13,R15             ADDRESS OF CSECT'S SAVE AREA
         SPACE
         XC    EXPLARC,EXPLARC     INIT RETURN CODE TO NORMAL RETURN
         XC    SECCOUNT,SECCOUNT   CLEAR GROUP NAME COUNTER FIELD
         L     R8,PSAAOLD-PSA      GET CURRENT ASCB ADDRESS AND
         USING ASCB,R8             SET MAPPING ADDRESSABILITY
         EJECT
 
**********SECTION 1: DETERMINE THE PRIMARY AUTHORIZATION ID *********
* *
* IF THE INPUT AUTHID IS NULL OR BLANKS, CHANGE IT TO THE AUTHID *
* IN EITHER THE JCT OR THE FIELD POINTED TO BY ASCBJBNS. *
* *
* THE CODE IN THIS SECTION IS AN ASSEMBLER LANGUAGE VERSION OF *
* THE DEFAULT IDENTIFY AUTHORIZATION EXIT. IT IS EXECUTED ONLY *
* IF THE FIELD ASXBUSER IS NULL UPON RETURN FROM THE RACROUTE *
* SERVICE. FOR EXAMPLE, IT DETERMINES THE PRIMARY AUTH ID FOR *
* ENVIRONMENTS WITH NO SECURITY SYSTEM INSTALLED AND ACTIVE. *
* *
***********************************************************************
         SPACE
==>      LA    R1,AIDLPRIM         LOAD PARM REG1
==>      CALL  FOCDSN3             GO GET INFORMATION BUILDERS EXIT
         CLI   AIDLPRIM,BLANK      IS THE INPUT PRIMARY AUTHID NULL
         BH    SATH020             SKIP IF A PRIMARY AUTH ID EXISTS
         L     R7,ASCBCSCB         GET CSCB ADDRESS
         CLI   CHTRKID-CHAIN(R7),CHTSID IS IT TSO FOREGROUND ADDR SPACE
         BNE   SATH010             BRANCH IF NOT
         L     R7,ASCBJBNS         GET ADDRESS OF LOGON ID
         MVC   AIDLPRIM,0(R7)      MAKE IT THE PRIMARY AUTH ID
         B     SATH019             TO END OF THIS ROUTINE
SATH010  DS    0H                  NOT TSO, BUT BATCH OR STC SPACE
         L     R6,PSATOLD-PSA      CURRENT TCB ADDRESS
         L     R7,TCBJSCB-TCB(,R6) CURRENT JSCB ADDRESS
         L     R5,JSCBJCT-IEZJSCB(,R7) CURRENT JCT ADDRESS
         LA    R5,X'10'(,R5)       ADJUST FOR CORRECT DSECT MAPPING
         CLI   JCTUSER-INJMJCT(R5),X'4E' IF JCTUSER PLUS SIGN OR LESS
         BNH   SATH019             THEN LEAVE AIDLPRIM BLANK KEB0026
         MVC   AIDLPRIM(7),JCTUSER-INJMJCT(R5) COPY JOB USER ID
         MVI   AIDLPRIM+7,BLANK    ASSURE BLANK PADDING
SATH019  DS    0H                  END OF ROUTINE
         EJECT
*****SECTION 2: DETERMINE THE LIST OF SECONDARY AUTHORIZATION IDS*****
* *
* THIS SECTION IS WRITTEN SPECIFICALLY FOR THE RACF ENVIRONMENT. *
* IT CAN/SHOULD BE REPLACED FOR OTHER SECURITY PRODUCTS. *
* *
***********************************************************************
* *
* IF RACF IS ACTIVE AND THE LIST OF GROUPS OPTION IS ALSO ACTIVE, *
* USE THE CGRP AREA TO GET THE CONNECTED GROUP NAMES. *
* COPY THEM TO THE SECONDARY ID LIST IN THE AIDL. *
* *
***********************************************************************
         SPACE
         CLI   AIDLPRIM,BLANK      IS THE INPUT PRIMARY AUTHID NULL
         BNH   SATH090             EXIT IF PRIMARY AUTH ID NULL
SATH020  DS    0H                  BRANCH TO HERE IF PRIMARY EXISTS
*****OPTIONAL CHANGE @CHAR7: FALLBACK TO SEVEN CHAR PRIMARY AUTHID****
* *
* IF YOUR INSTALLATION REQUIRES ONLY SEVEN CHARACTER PRIMARY *
* AUTHORIZATION IDS (POSSIBLY TRUNCATED) DUE TO DB2 PRIVILEGES *
* GRANTED TO TRUNCATED AUTHORIZATION IDS, THEN YOU MUST BLANK OUT *
* COLUMN 1 OF THE ASSEMBLER STATEMENT IMMEDIATELY FOLLOWING THIS *
* BLOCK COMMENT. THEN ASSEMBLE THIS PROGRAM AND LINK-EDIT IT INTO *
* THE APPROPRIATE DB2 LOAD LIBRARY AS EXPLAINED IN AN APPENDIX *
* OF "THE DB2 ADMINISTRATION GUIDE". *
* *
* OTHERWISE, YOU NEED DO NOTHING. *
* @KYD0271*
***********************************************************************
*        MVI   AIDLPRIM+7,BLANK    BLANK OUT EIGHTH CHARACTER @CHAR7
         SPACE
         L     R5,CVTPTR           ADDRESS MVS CVT
         L     R7,CVTRAC-CVT(,R5)  RACF CVT ADDRESS
         LTR   R7,R7               IF RACF CVT ADDRESS ZERO,
         BZ    SATH049             RACF IS NOT EVEN INSTALLED
         USING RCVT,R7             SET BASE FOR RACF CVT
         TM    RCVTSTAT,RCVTRNA    IS RACF ACTIVE
         BO    SATH049             SKIP AROUND IF NOT
         SPACE 1
* RACF IS ACTIVE ON THIS MVS
         USING ACEE,R6             ESTABLISH BASE FOR ACEE @KYL0108
         ICM   R6,B'1111',AIDLACEE CALLER PASSED ACEE ADDRESS? @KYL0108
         BZ    SATH024             NO, USE ADDRESS SPACE ACEE @KYL0108
         CLC   ACEEACEE,EYEACEE    IS IT REALLY AN ACEE? @KYL0108
         BE    SATH027             YES, PROCEED NORMALLY @KYL0108
         SPACE 1
SATH024  DS    0H                  USE ADDRESS SPACE ACEE @KYL0108
         L     R6,ASCBASXB         GET ADDRESS SPACE EXTENSION BLOCK
         L     R6,ASXBSENV-ASXB(,R6) GET ACEE ADDRESS
==>      CALL  FOCDSN4             GO GET INFORMATION BUILDERS EXIT
         LTR   R6,R6               DOES AN ACEE EXIST? IF NOT,
         BZ    SATH049             SKIP AROUND CONNECTED GROUP NAME
         CLC   ACEEACEE,EYEACEE    DOES IT LOOK LIKE AN ACEE?
         BNE   SATH049             NO, THEN CAN'T DO GROUPS
         DROP  R8                  DROP ASCB BASE REG @TU25003
         SPACE 1
SATH027  DS    0H                  CHECK LIST OF GROUPS OPTION @KYL0108
         TM    RCVTOPTX,RCVTLGRP   IS LIST OF GROUPS CHECKING ACTIVE
         BZ    SATH040             SKIP TO SINGLE GROUP COPY IF NOT
         DROP  R7                  DROP RCVT BASE REG @TU25003
         SPACE 1
* RACF LIST OF GROUPS OPTION IS ACTIVE
         EJECT

Modifying DSN3SATH for CA-ACF2

****************************************************************
* PRIMARY AUTHORIZATION ID *
****************************************************************
*
--->     LA    R1,AIDLPRIM         POINT TO AUTH FIELD
--->     CALL  FOCDSN3   CALL INFORMATION BUILDERS TASK-LEVEL-EXIT
         CLI   AIDLPRIM,C' '       PRIMARY AUTHID THERE?
         BH    PRIMTSO             YES, EVERYTHING OK HERE
         L     R3,PSAAOLD-PSA(0)   CURRENT ASCB ADDRESS

Link JCL for DSN3SATH

The following sample link JCL for the IBM exit DSN3SATH can be found in FOCSQL.DATA(SATHJCL).

//** Your job card
//**
//LKED EXEC PGM=IEWL,PARM='LIST,XREF,LET,RENT,AMODE=31'
//OBJ DD DSN=DSN610.SDSNSAMP.OBJ,DISP=SHR
//FOCMOD DD DSN=prefix.FOCSQL.LOAD,DISP=SHR
//SYSLMOD DD DSN=DSN610.SDSNEXIT,DISP=SHR
//SYSPRINT DD SYSOUT=A
//SYSUT1 DD UNIT=SYSDA,SPACE=(100,(50,50))
//SYSLIN DD *
 INCLUDE OBJ
 INCLUDE FOCMOD(FOCDSN3)
 INCLUDE FOCMOD(FOCDSN4)          <--- Omit for CA-ACF2
 ENTRY DSN3@ATH
 NAME DSN3@ATH(R)
/*
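
Because the link step runs with LET, an unresolved reference to FOCDSN3 or FOCDSN4 does not prevent DSN3@ATH from being marked executable, so it is worth checking the modified source against the link control statements before the exit is installed. The following pre-install check is an added example, not part of the Information Builders or IBM material. It reads the exit source and the SYSLIN statements as text; its function names, messages and sample inputs are constructed for illustration.

```python
import re

# Constructed inputs: an abridged modified exit and a link deck that omits FOCDSN4.
SOURCE = """\
==>      LA    R1,AIDLPRIM         LOAD PARM REG1
==>      CALL  FOCDSN3             GO GET INFORMATION BUILDERS EXIT
         CLI   AIDLPRIM,BLANK      IS THE INPUT PRIMARY AUTHID NULL
SATH024  DS    0H                  USE ADDRESS SPACE ACEE
==>      CALL  FOCDSN4             GO GET INFORMATION BUILDERS EXIT
"""
LINK = """\
 INCLUDE OBJ
 INCLUDE FOCMOD(FOCDSN3)
 ENTRY DSN3@ATH
 NAME DSN3@ATH(R)
"""

def statements(source):
    """Return (opcode, operand) for every non-comment assembler line."""
    out = []
    for line in source.splitlines():
        # Columns 1-71 hold the statement; blank out the page's margin arrows.
        line = re.sub(r"^[=-]+>", lambda m: " " * len(m.group()), line[:71])
        if not line.strip() or line.startswith("*"):
            continue
        fields = line.split()
        if not line[0].isspace():
            fields = fields[1:]              # drop the label in column 1
        if fields:
            out.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return out

def check(source, link):
    """List placement and link-deck problems; an empty list means consistent."""
    stmts, findings = statements(source), []
    calls = [(i, op.split(",")[0]) for i, (opc, op) in enumerate(stmts)
             if opc == "CALL" and op.startswith("FOCDSN")]
    called = {name for _, name in calls}
    included = set(re.findall(r"^\s*INCLUDE\s+FOCMOD\((\w+)\)", link, re.M))
    for i in (i for i, name in calls if name == "FOCDSN3"):
        if i == 0 or stmts[i - 1] != ("LA", "R1,AIDLPRIM"):
            findings.append("FOCDSN3 called without LA R1,AIDLPRIM before it")
        if any(o == "CLI" and a.startswith("AIDLPRIM,") for o, a in stmts[:i]):
            findings.append("FOCDSN3 called after the AIDLPRIM blank test")
    if "FOCDSN3" not in called:
        findings.append("no CALL FOCDSN3 in source")
    findings += [f"{n} called but not INCLUDEd" for n in sorted(called - included)]
    findings += [f"{n} INCLUDEd but never called" for n in sorted(included - called)]
    return findings
```

For a CA-ACF2 build, the same check reports FOCDSN4 as INCLUDEd but never called when the FOCDSN4 INCLUDE is left in the link statements.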

Information Builders