/SIGN command

The /SIGN command is used to sign on and sign off at terminals attached to IMS.

This command enables IMS to identify who is using the terminal and to determine if you are authorized to enter the transaction or command.

Environment

The following table lists the environments (DB/DC, DBCTL, and DCCTL) from which the command can be issued.

Table 1. Valid environments for the /SIGN command
Command   DB/DC   DBCTL   DCCTL
/SIGN     X               X

Syntax

/SIGN | /SIG   ON | PASSPHRASE | PASSPHRASEQ   userid   A
/SIGN | /SIG   OFF

A:
USERD userdesc
userpw | PassTicket | passphr
APPL applname
GROUP groupname
NEWPW nuserpw | npassphr
VERIFY nuserpw | npassphr
userdata

Keywords

The following keywords are valid for the /SIGN command:

ON
/SIGN ON must be issued for any physical terminal or user ID requiring a signon, or the transaction entered is rejected.

From terminals that require signon, commands other than /SIGN or /RCLSDST are rejected if transaction authorization is requested. Static terminals requiring a signon also have enhanced command authorization with RACF® or an equivalent product if RCF=S or RCF=A is specified at system startup.

At terminals not requiring signon, transactions are passed to RACF, an equivalent security product, or a user exit for authorization checking. If /SIGN ON is entered at a terminal not requiring a signon, the signon is processed as if the terminal required a signon. That is, the terminal is placed in a signed on status with the user ID until a /SIGN OFF or another /SIGN ON command is entered.

After any IMS restart or terminal disconnect, the remote terminal operator is required to sign on again using the /SIGN ON command. A terminal can be disconnected by:
  • A switched line disconnect
  • A VTAM® CLSDST
  • A line shutdown
  • The /IDLE command
  • Auto logoff

Signon status is also reset by the /START LINE, /START LINE PTERM, and /START NODE commands and auto signoff.

The remote terminal operator must wait at a static physical terminal for confidential responses, because responses queued for a given physical terminal are sent even if the physical terminal is signed off. If the remote terminal operator must be absent, the /LOCK command can be used to prevent output from being received. Confidential output sent to a dynamic user is queued to the user instead of to the physical terminal when the user has signed off. A successful signon of an existing user turns off the DEADQ status for the user, if that status exists.

For the user exit routine DFSCSGN0, the user ID and userdata parameter values are defined by the installation.

PASSPHRASE
The /SIGN PASSPHRASE command is equivalent to the /SIGN ON command except that it uses RACF password phrases instead of passwords for a signon. A RACF password phrase can be up to 100 bytes. IMS uses 100 bytes as the password phrase and removes leading and trailing blanks, if any, before passing it to RACF.

RACF password phrases are used for password, NEWPW, and VERIFY. RACF does not allow a mixture of passwords and password phrases. For example, if PASSPHRASE is specified on the /SIGN command, you must specify password phrases for all the other keywords such as NEWPW and VERIFY.

A blank is necessary after PASSPHRASE. There must be a blank between the 100-character password phrase and the next keyword. A period within the 100 characters does not end the /SIGN command. If there is no additional keyword after the password phrase, the password phrase does not need to have trailing blanks. If there are additional keywords after the password phrase, the password phrase needs to include trailing blanks for a total of 100 characters. If a password phrase is less than 9 bytes, IMS will pass the password phrase as a password to RACF. The PASSPHRASE keyword is most likely used on MFS panels, which fill the password phrase with trailing blanks.

RACF password phrases are always mixed case. It is not necessary to turn on mixed-case password for password phrases. The IMS system's default MFS panels do not support password phrases.

PASSPHRASEQ
The /SIGN PASSPHRASEQ command is equivalent to the /SIGN ON command except that it uses RACF password phrases instead of passwords for a signon. A password phrase must start with a single quotation mark (') and end with a single quotation mark. If you want to include a single quotation mark in a password phrase, you must specify two single quotation marks (''). For example,
'This is ''my'' passphrase.'

IMS removes the single quotation mark at the beginning and ending of the password phrase and also removes one single quotation mark if there are two single quotation marks following each other. PASSPHRASEQ must have at least one blank before the beginning single quotation mark. A password phrase can be up to 100 characters. If a password phrase is less than 9 characters, IMS will pass it as a password to RACF. RACF does not allow a mixture of passwords and password phrases. For example, if PASSPHRASEQ is specified on the /SIGN command, you must specify password phrases for all the other keywords such as NEWPW and VERIFY.

RACF password phrases are always mixed case. It is not necessary to turn on mixed-case password for password phrases. The IMS system's default MFS panels do not support password phrases.

OFF
The /SIGN OFF command is used to complete a session on a terminal that required a signon. Static terminals in conversational mode cannot be signed off without first issuing an /EXIT or /HOLD command.

Another method of signing off a terminal is to reenter the /SIGN ON command. This method initiates a new signon at the terminal without having to enter the /SIGN OFF command.

The /SIGN OFF command resets status that is not significant such as preset mode, test mode, lock lterm, pstop lterm, and purge lterm.

/SIGN OFF for ETO users will also take other actions depending on the recovery settings for the user:

RCVYCONV=NO
/SIGN OFF causes any IMS conversations (active and held) for an ETO user to be terminated. Any conversational message that is queued or being processed has its output response message delivered asynchronously.
RCVYFP=NO
/SIGN OFF causes Fast Path status and messages for an ETO user to be discarded.
RCVYRESP=NO
/SIGN OFF resets full-function response mode.

If global resource information is kept in Resource Manager, /SIGN OFF deletes the user ID from Resource Manager (if single user signon enforced) and resets status globally. If the user has no status, /SIGN OFF deletes the user and associated lterms from Resource Manager.

You can specify the following keywords and parameters with the ON, PASSPHRASE, or PASSPHRASEQ keyword:

APPL
A keyword that notifies IMS that the following character string should be the application name used by IMS when IMS makes the SAF call to verify the user. The default application name used by IMS is the IMSID. The IMSID can be overridden by the SAPPLID= parameter in the IMS PROCLIB member DFSDCxxx. If the signon specifies a PassTicket instead of a password, the APPL parameter should specify the application name used when the PassTicket was created. The creator of the PassTicket can specify any value to identify an IMS subsystem.

If RACF is used, APPL= should specify the name of the RACF PTKTDATA profile for IMS as defined to RACF by the creator of the PassTicket. If the name of the PTKTDATA profile is the same as the IMSID, the APPL keyword is not needed.

GROUP
Is an optional keyword indicating a group name of 8 characters or fewer that is associated with the user ID.
NEWPW
Is an optional keyword that indicates a new user password or a new password phrase that replaces the current user password or password phrase specified in userpw. Passwords can be mixed case or uppercase depending on what is specified on the PSWDC keyword in the DFSPBxxx IMS.PROCLIB member. RACF password phrases are always mixed case.
nuserpw
Is a new password of 8 characters or fewer that is associated with the user identification.
npassphr
Is a 9- to 100-character password phrase that is associated with the user identification. If PASSPHRASE is specified, the password phrase must be up to 100 characters. If PASSPHRASEQ is specified, the password phrase must be enclosed in single quotation marks. If a password phrase contains one or more single quotation marks, two single quotation marks must be specified for each single quotation mark.
USERD
Is a user descriptor name. This user descriptor name is used in the signon. The userdesc parameter must be a user ID, node name, or DFSUSER.
userdata
Is user identification information that has been defined to IMS with RACF, an equivalent security product, or the user exit routine DFSCSGN0. For RACF, this information consists of the following:
    userpw  GROUP groupname   NEWPW nuserpw
userid
Is a user identification of 8 characters or fewer.
userpw | PassTicket | passphr
Specifies user identification in one of the following formats:
userpw
Is a password of 8 characters or fewer that is associated with the user identification. Passwords can be mixed case or uppercase depending on what is specified on the PSWDC keyword in the DFSPBxxx IMS.PROCLIB member. If support for special characters is enabled in RACF, IMS supports RACF passwords that contain special characters.
PassTicket
A one-time password that is generated by a requesting product or function. The PassTicket is an alternative to the RACF password. Using a PassTicket removes the need to send RACF passwords across the network in clear text.
passphr
Is a 9- to 100-character password phrase that is associated with the user identification. If PASSPHRASE is specified, the password phrase must be up to 100 characters. If PASSPHRASEQ is specified, the password phrase must be enclosed in single quotation marks. If a password phrase contains one or more single quotation marks, two single quotation marks must be specified for each single quotation mark.
VERIFY
Is an optional keyword that requests IMS to verify the new password entered. IMS verifies the new password before passing it to RACF or to the IMS signon exit routines. This keyword can also be used as an alternative to reentering the password on the DFS3656 panel.

The VERIFY keyword can be used to verify new passwords whether or not password verification is enabled in the Initialization exit routine (DFSINTX0). When password verification is enabled, the user must verify new passwords either by specifying both NEWPW and VERIFY on the /SIGN command, or by reentering the password on the DFS3656 panel. When password verification is disabled, the user can verify new passwords by specifying both NEWPW and VERIFY on the /SIGN command.

Restriction: You can use this keyword only when responding to an IMS DFS3656A message and as an alternative to reentering the password on the DFS3656 panel.
nuserpw
Is a new password of 8 characters or fewer that is associated with the user identification.
npassphr
Is a 9- to 100-character password phrase that is associated with the user identification. If PASSPHRASE is specified, the password phrase must be up to 100 characters. If PASSPHRASEQ is specified, the password phrase must be enclosed in single quotation marks. If a password phrase contains one or more single quotation marks, two single quotation marks must be specified for each single quotation mark.

Usage notes

When SGN=G, Z, or M is specified, the user can sign on multiple times to both STATIC and ETO terminals when the structure name is different from the user ID.

For a static terminal, or a dynamic terminal that has the same SPQBname as the node name, a user will not be allowed to sign on unless all conversations are held, or the user is authorized to use the transaction for the active conversation.

If there is an active conversation for a static terminal, and the user is not authorized to use its transaction, the user can enter a /HOLD command prior to signing on to put all of the conversations in a held state. The user will then be allowed to sign on.

If there is an active conversation for a dynamic terminal that has the SPQBname the same as the node name, only a user that is authorized to use the transaction of the active conversation will be allowed to sign on. The /HOLD command is not allowed prior to signing on for a dynamic terminal.

If there is an active conversation for a dynamic terminal that has the SPQBname the same as the USERID, the conversation will be associated with that user at signoff. That same user can sign on to any dynamic terminal and continue the conversation if they are still authorized to use the conversational transaction. Any new user that signs on to the dynamic terminal will not be in a conversation unless they are continuing a conversation from a previous signon or starting a new conversation by entering an authorized conversational transaction.

The status fields of /DISPLAY NODE and /DISPLAY LINE PTERM indicate whether a terminal is signed on with the word SIGN.

You can use password phrases for user identification.

A period is normally used as the delimiter at the end of IMS commands. When support for special characters is enabled in RACF, a period becomes a valid character in the RACF password. Therefore, when a password is specified at the end of the /SIGN command, you must insert a space before the period that you are using as the end-of-command delimiter. If a space is not added before the period that you are using as the end-of-command delimiter and support for special characters is enabled in RACF, the period is treated as part of the password and not as a delimiter.

One or more equal signs (=) can normally be used as a valid delimiter between a keyword and the keyword value on the /SIGN command. However, when support for special characters is enabled in RACF, an equal sign becomes a valid character in the RACF password. If you use the equal sign as a delimiter when support for special characters is enabled in RACF, you can specify only one delimiter immediately preceding the new password on the NEWPW keyword and the new password on the VERIFY keyword. Any equal sign that follows the delimiter is interpreted as the first character of the password.

Examples

The following are examples of the /SIGN command:

Example 1 for /SIGN command

Entry ET:

 DFS3649A /SIGN COMMAND REQUIRED FOR IMS
 
 DATE: 11/03/92     TIME: 14:39:33
 
 NODE NAME: DT327001
 
 USERID: IMSUS01
 
 PASSWORD: IMSPW01
 
 USER DESCRIPTOR:
 GROUP NAME:
 NEW PASSWORD:
 
    OUTPUT SECURITY AVAILABLE

Response ET:

 DFS3650I SESSION STATUS FOR IMS
 
 DATE: 11/03/92     TIME: 14:41:48
 NODE NAME:           DT327001
 USERID:              IMSUS01
 PRESET DESTINATION:
 
 CURRENT SESSION STATUS:
 
    OUTPUT SECURITY AVAILABLE

Explanation: The user with user ID IMSUS01 and password IMSPW01 has successfully signed on to a dynamic terminal. The signon is done with the panel (DFS3649A).

Example 2 for /SIGN command

Entry ET:

/SIGN IMSUS02 IMSPW02

Response ET:

 DFS3650I SESSION STATUS FOR IMS
 
 DATE: 11/03/92     TIME: 14:41:48
 NODE NAME:           DT327001
 USERID:              IMSUS02
 PRESET DESTINATION:
 
 CURRENT SESSION STATUS:
 
    OUTPUT SECURITY AVAILABLE

Explanation: The user with user ID IMSUS02 and password IMSPW02 has successfully signed on to a dynamic terminal. The signon is done with the /SIGN command.

Example 3 for /SIGN command

Entry ET:

/SIGN IMSUS03 IMSPW03

Response ET:

 DFS3650I SESSION STATUS FOR IMS
 
 DATE: 11/03/92     TIME: 14:45:53
 NODE NAME:           L3270A
 USERID:              IMSUS03
 PRESET DESTINATION:
 
 CURRENT SESSION STATUS:
 
 NO OUTPUT SECURITY AVAILABLE

Explanation: The user with user ID IMSUS03 and password IMSPW03 has successfully signed on to a static terminal.

Example 4 for /SIGN command

Entry ET:

/SIGN PASSPHRASEQ IMSUS03 'this is my ''password'' now'

Response ET:

DFS3650I SESSION STATUS FOR IMS
 
DATE: 06/07/13      TIME: 15:26:42
NODE NAME:            L3270A
USERID:               IMSUS03
PRESET DESTINATION:
 
CURRENT SESSION STATUS:
 
NO OUTPUT SECURITY AVAILABLE

Explanation: The user with user ID IMSUS03 and password phrase this is my 'password' now has successfully signed on to a static terminal.

Example 5 for /SIGN command

Entry ET:

/SIGN PASSPHRASE IMSUS03 this is my 'password' now.

Response ET:

DFS3650I SESSION STATUS FOR IMS
 
DATE: 06/07/13      TIME: 15:36:42
NODE NAME:            L3270A
USERID:               IMSUS03
PRESET DESTINATION:
 
CURRENT SESSION STATUS:
 
NO OUTPUT SECURITY AVAILABLE

Explanation: The user with user ID IMSUS03 and password phrase this is my 'password' now. has successfully signed on to a static terminal. Note that the period is part of the password phrase and that no trailing blanks have been added.
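
The quoting and padding rules given for the PASSPHRASE and PASSPHRASEQ keywords, and shown in Examples 4 and 5, are modeled below in an added Python example. It is not IBM or IMS code; the function names are hypothetical, and it assumes the 100-character limit applies to the phrase before quotation marks are doubled.

```python
# Added example: models the password phrase rules documented on this page.
# It is not IMS code; the function names are hypothetical.
PHRASE_FIELD = 100  # PASSPHRASE operand is a 100-character field
MIN_PHRASE = 9      # anything shorter is passed to RACF as a password


def quote_phrase(phrase):
    """Encode a phrase for PASSPHRASEQ: wrap in ' and double each embedded '."""
    if len(phrase) > PHRASE_FIELD:
        raise ValueError("password phrase is longer than 100 characters")
    return "'" + phrase.replace("'", "''") + "'"


def unquote_phrase(token):
    """Decode a PASSPHRASEQ operand: drop outer quotes, collapse '' to '."""
    if len(token) < 2 or token[0] != "'" or token[-1] != "'":
        raise ValueError("phrase must start and end with a single quotation mark")
    body = token[1:-1]
    if "'" in body.replace("''", ""):
        raise ValueError("embedded single quotation mark is not doubled")
    return body.replace("''", "'")


def passphrase_field(phrase, more_keywords):
    """Lay out a PASSPHRASE operand; pad to 100 only if a keyword follows."""
    phrase = phrase.strip(" ")  # IMS removes leading and trailing blanks
    if len(phrase) > PHRASE_FIELD:
        raise ValueError("password phrase is longer than 100 characters")
    return phrase.ljust(PHRASE_FIELD) if more_keywords else phrase


def credential_kind(phrase):
    """What IMS hands to RACF for this value, per the 9-character rule."""
    return "password" if len(phrase.strip(" ")) < MIN_PHRASE else "password phrase"


def build_sign(userid, phrase, rest="", quoted=False):
    """Build a /SIGN line; rest holds any further keywords, e.g. GROUP."""
    if quoted:
        cmd = f"/SIGN PASSPHRASEQ {userid} {quote_phrase(phrase)}"
    else:
        cmd = f"/SIGN PASSPHRASE {userid} {passphrase_field(phrase, bool(rest))}"
    return f"{cmd} {rest}" if rest else cmd
```

A front end that assembles /SIGN input can use checks like these to catch an unpadded PASSPHRASE operand or an undoubled quotation mark before the line is sent.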