z/OS Security Server RACF Diagnosis Guide


Considerations if writing a command front-end processor

GA32-0886-00

If IRRENV00 processing is bypassed by a front-end processor, RACF® remote sharing functions (RRSF) do not work. When writing a command front-end processor, ensure that IRRENV00 gets control somewhere in the processing before the command processor.

To ensure that all RRSF functions are processed as specified, commands must be invoked by one of the alias names with which they are shipped (for example, AG, ADDGROUP, ADDSD, and so on). When IRRENV00 receives control, the command buffer must have one of the two alias names in the first position. For example, AG or ADDGROUP should be coded, not ICHCAG00. If a front-end processor gets control before IRRENV00, set the command buffer correctly before attaching or linking to IRRENV00. If it gets control after IRRENV00, do not change the content of the command buffer as doing so might result in the information not being processed correctly by automatic command direction.

If the alias is changed to point to a front-end processor, it gets control before IRRENV00 when a command is issued as a TSO command. However, the preprocessor does not get control in all situations. For example, it does not get control for commands resulting from automatic command direction, or for commands issued from the RACF parameter library.

One possible approach to avoid the pitfalls mentioned is to include your front-end processor in RACF's load module:
   INCLUDE mylib(mymod)
   INCLUDE SYSLMOD(ICHCAG00)
   ENTRY mymod
   NAME ICHCAG00(R)

After completing its processing, the front-end processor will need to call the entry point for RACF's command processor. If the front-end processor needs to communicate with the user, be aware that the preprocessor could be running in the RACF subsystem address space and not in the TSO user's address space. The ACEERASP bit (x'40') is set in the ACEEFLG3 flag field of the ACEE for the RACF subsystem address space.

Assigning the entry point to the front-end processor (mymod) causes it to be invoked at the same point in the processing that the specific command processing would be invoked by RACF. Because the alias is not included, the RACF remote sharing functions operate and IRRENV00 is invoked.
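
The ACEERASP test described above can be coded as a small routine that the front-end processor calls before it attempts any terminal I/O. This is an added example, not IBM-supplied code: the routine name INRACFSS and its return codes are hypothetical, and it assumes the ACEE to test is the address-space ACEE anchored in ASXBSENV.

```hlasm
*---------------------------------------------------------------------
* INRACFSS - added example; name and return codes are hypothetical.
* Tests ACEERASP (X'40') in ACEEFLG3 of the address-space ACEE.
* Exit:  R15 = 0  not the RACF subsystem address space (or no ACEE)
*        R15 = 4  running in the RACF subsystem address space,
*                 so do not assume a TSO terminal is available
* Changes only R1 and R15; returns on R14; no save area is needed.
*---------------------------------------------------------------------
INRACFSS CSECT
INRACFSS AMODE 31
INRACFSS RMODE ANY
         USING PSA,0
         L     R1,PSAAOLD          Current address space ASCB
         USING ASCB,R1
         L     R1,ASCBASXB         ASXB for this address space
         DROP  R1
         USING ASXB,R1
         L     R1,ASXBSENV         Address-space ACEE (assumption)
         DROP  R1
         LTR   R1,R1               Is there an ACEE?
         JZ    NOTSS               No, treat as not the subsystem
         USING ACEE,R1
         TM    ACEEFLG3,ACEERASP   RACF subsystem address space?
         DROP  R1
         JNO   NOTSS               Bit off, not the subsystem
         LA    R15,4               RC=4: RACF subsystem
         BR    R14
NOTSS    SLR   R15,R15             RC=0: not the RACF subsystem
         BR    R14
R1       EQU   1
R14      EQU   14
R15      EQU   15
         IHAPSA ,                  PSA mapping
         IHAASCB ,                 ASCB mapping
         IHAASXB ,                 ASXB mapping
         IHAACEE ,                 ACEE mapping (ACEEFLG3, ACEERASP)
         END   INRACFSS
```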





Copyright IBM Corporation 1990, 2014