Callable services

Table 1 lists the new and changed RACF® callable services. See z/OS Security Server RACF Callable Services for more detailed information.

Table 1. Summary of new and changed RACF callable services
Callable service name Release Description Reason for change

IRRSDL00
(R_datalib)

z/OS® V1R13
  • A new private key type, X'00000009', for an Elliptic Curve Cryptography (ECC) key stored in the PKDS is handled by the DataGetFirst and DataGetNext functions of the R_datalib callable service.
  • Extend the ECC support on hardware from RACF and PKI Services to enhance the key security and to enhance the RACDCERT command to handle the growing number of key types.

IRRSCH00
(R_cacheserv)

z/OS V1R13
  • Function code X'0007' provides support for an extended read/write cache containing both RACF and distributed user information. The function is further defined by the Option parameter.
  • Enhance z/OS Identity Propagation support by eliminating the need to go to the RACF database for the retrieval of security relevant information.

IRRSCO00
(R_chown)

z/OS V2R1
  • The R_chown service RACF authorization section has been updated.
  • Clarify the user authority when CHOWN.UNRESTRICTED exists and does not exist.

IRRSDL00 or IRRSDL64
(R_datalib)

z/OS V2R1
  • Function code X'08', DataPut, adds a certificate to the RACF database (if it does not already exist) and connects it to a key ring.
  • Multiple private_key_types have been updated for secure PKCS11 support.
  • If the private key associated with the certificate is specified in a DER-encoded format or as a key label, the certificate will be added with the specified key types accordingly in the RACF database.
  • Prevent the deletion of the private key and the certificate that has been used to generate a request.

IRRSEQ00
(R_admin)

z/OS V2R1
  • The R_admin service, Profile extract parameter list (input and output) table is updated for length X'04000000'.
  • The length X'04000000' description has been enhanced for clarity.

IRRSGI00
(R_getinfo)

z/OS V1R13
  • Update the R_getinfo service to return the value of the APPLDATA fields of the caller-specified profile in the REALM class.
  • The R_getinfo service is updated to support an additional function to retrieve certain information from the RACF database.

IRRSGM00
(getGMAP)

z/OS V2R1
  • Update the getGMAP service usage notes when a new GID is assigned and SETROPTS AUDIT(GROUP) is in effect.
  • Determine if an SMF type 80 record is to be generated.

IRRSIA00
(InitACEE)

z/OS V2R1
  • initACEE register and deregister return codes with reason code 28.
  • The certificate cannot be deregistered because it has been used to generate a request through RACDCERT GENREQ.

IRRSIM00
(R_usermap)

z/OS V1R13
  • Function code X'0008' returns the RACF user ID associated with the supplied user's Distinguished Name and Registry/Realm Name.
  • The R_usermap support of Identity Propagation enables a user's Distinguished Name and a Registry/Realm Name to be used to determine the associated RACF user ID.

IRRSKA00
(ck_access)

z/OS V2R1
  • If the user does not have the RACF Auditor attribute, and a file system name was specified in the CRED, and the FSACCESS class is active and RACLISTed, RACF will check for a profile in the FSACCESS class that covers the file system name. If a matching profile is found and the user does not have at least UPDATE authority, access is denied. Otherwise, authorization is determined by subsequent checks.
  • Check for proper authority.

IRRSKI00
(ck_IPC_access)

z/OS V2R1
  • An audit record is optionally written, depending on the audit options in effect for the system. If the audit function code in the CREDIPC is AFC_WGETIPC, no audit record is written.
  • Check audit function code to determine if an audit record is to be written.

IRRSKP00
(ck_priv)

z/OS V2R1
  • If the caller is not superuser and the audit function code is listed, an authorization check is performed on the corresponding resource name in the UNIXPRIV class. If the authorization check is successful, the caller is treated as a superuser.
  • Check for proper authority.

z/OS V1R13
  • Update the UNIXPRIV class resource names used in the ck_priv table.
  • Check for proper authority.

IRRSPX00
(R_PKIServ)

z/OS V2R1
  • The R_PKIServ SAF callable service Parmlist_version parameter is updated.
  • CertPlist for GENCERT and REQCERT table is updated with new field names.
  • Provide granular authorization on PKI functions.
  • PKI Services supports the creation of Extended Validation certificates.

IRRSQF00
(query_file_security_options)

z/OS V2R1
  • The query_file_security_options service Output_value parameter note is updated with a new condition.
  • If all conditions are true, then _POSIX_CHOWN_RESTRICTED is not in effect.

IRRSUM00
(getUMAP)

z/OS V2R1
  • Update the getUMAP service Flag parameter to search by user ID, return z/OS UNIX user identifier (UID).
  • The getUMAP service flag parameter is updated to not create a new UID even if BPX.UNIQUE.USER is defined.