Stopping the RACF subsystem address space

You can use the RACF® STOP operator command to stop the RACF subsystem address space. Use the RACF STOP command instead of the MVS™ FORCE command, which has some dangerous side effects, such as not cleaning up resources. For the syntax of the RACF STOP command, see z/OS Security Server RACF Command Language Reference. For information on security for the RACF STOP command, see z/OS Security Server RACF Security Administrator's Guide. (Note that there is also an MVS STOP command. The RACF STOP command and the MVS STOP command are not related.)

Like other system address spaces that are needed for basic system operation, the RACF subsystem address space runs non-cancellable. If you are not using the RACF remote sharing facility, there is no need to stop the address space before system shutdown. Subsequent IPL or MVS START command processing rebuilds the address space for proper system usage.

If you are using the RACF remote sharing facility, the RACF STOP command allows you to stop the RACF subsystem address space with a minimal loss of remote requests. Stopping the RACF subsystem address space any other way (for example, using FORCE) is not recommended, and might cause requests to be lost or the VSAM files for workspace data sets to be damaged. If an RRSF node allows directed commands, password synchronization, or automatic direction, it is important that you stop the address space with the RACF STOP command during a system shutdown, after all users have logged off and all batch jobs have completed. It is also important that you not stop (or FORCE) the address space while users and jobs are active. If you do, updates could be lost, resulting in passwords or profiles not being synchronized, and output from directed commands could be lost.

The STOP command does the following things:

Breaks all connections to other nodes.
Prevents RRSF requests waiting in the INMSG workspace data sets from being dispatched. These requests remain in the INMSG files and are executed when the RACF subsystem is started again.
Rejects all requests to send additional work to the subsystem address space.
- Any inbound requests are rejected as node dormant.
- All RACF TSO commands that use the address space (those with the AT or ONLYAT keyword specified) are rejected with an error message indicating that the subsystem is not active.
Allows current outbound messages to complete, but no additional messages are sent. Outbound messages remain in the OUTMSG workspace data sets, and are sent to the remote nodes after the RACF subsystem is started again and the connections are reestablished.
Stops any RRSF requests that remain running after five seconds, and leaves them in the workspace data sets.
Saves the output from RRSF requests that have completed, for transmission after the address space is restarted.
Closes and deallocates the VSAM files for the workspace data sets.
Stops all remaining tasks in the address space.

If you stop the RACF subsystem address space on an RRSF node, password synchronization and automatic direction can no longer send RRSF requests to remote nodes, and updates that should be made on remote nodes are lost. RRSF requests directed to that node from remote nodes are queued in the workspace data sets at the remote nodes, and are not lost.

For example, assume that ADDUSER commands are being automatically directed between NODEA and NODEB, and the STOP command is issued on NODEA. If a user issues an ADDUSER command on NODEA, the command runs on NODEA, but is not directed to NODEB. However, if a user issues an ADDUSER command on NODEB, the command runs on NODEB, and is held on NODEB until communication with NODEA is re-established. The command is then directed to NODEA.

For information on remote sharing and automatic direction, see RACF remote sharing facility (RRSF).