Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Updating the IEFSSNxx member of SYS1.PARMLIB z/OS Security Server RACF System Programmer's Guide SA23-2287-00 |
|
The IEFSSNxx member of SYS1.PARMLIB must be updated to indicate that the RACF® subsystem is a valid subsystem in the installation. This member also identifies the subsystem's command prefix, which is used in issuing RACF operator commands, and an optional command prefix scope. See z/OS Security Server RACF Command Language Reference for information about how to use the subsystem command prefix. Rule: Place the entry for RACF after the entries for SMS and the primary subsystem (JES2 or JES3) in the IEFSSNxx member. For more information about the IEFSSNxx member of SYS1.PARMLIB, see z/OS MVS Initialization and Tuning Reference. You can choose to have RACF register the command prefix with the MVS™ command prefix facility (CPF). CPF ensures that two or more subsystems do not have the same or overlapping command prefixes. CPF also allows an operator or authorized application to enter a RACF command from any system in a sysplex and route that command to run on another system in the sysplex. The command responses come back to the originating system console. For more information about CPF, see z/OS MVS Programming: Authorized Assembler Services Guide. Guideline: Have RACF register command prefixes with CPF. To do this, specify a scope on the IEFSSNxx entry. You can code the IEFSSNxx definition
in a keyword parameter form or a positional parameter form. The keyword
parameter form has the following syntax:
and
the positional parameter form has the following syntax:
where:
Guideline: Use the keyword parameter form. Subsystems defined using the keyword parameter form of the IEFSSNxx parmlib member can use dynamic SSI services, while subsystems defined using the positional form of the IEFSSNxx parmlib member cannot use dynamic SSI services. For information about dynamic SSI services, see z/OS MVS Using the Subsystem Interface. For information about coding the IEFSSNxx parmlib member, see z/OS MVS Initialization and Tuning Reference. If you do not specify a command prefix, the default is the subsystem name plus a blank, and the command prefix is not registered with CPF. Messages from the subsystem display the subsystem name, which is enclosed in parentheses, instead of a command prefix. If you do not specify a scope, the quotation marks around the command prefix are optional. Do not define a command prefix that is the same as an existing command prefix on that system. Do not define a command prefix that is a subset of, or a superset of, an existing command prefix on that system with the same first character. For example, if command prefix $ABC exists, $, $A, and $AB are subsets of $ABC and conflict with it. $ABCD is a superset of $ABC and conflicts with it. You can define command prefix ABC, however, because it does not start with the same letter as $ABC and so does not conflict. You can see which prefixes already exist using the DISPLAY OPDATA command. See z/OS MVS System Commands for information about the DISPLAY OPDATA command. If you do not specify a scope, the command prefix is not registered with CPF. If you specify sysplex scope, the command prefix must be unique within the sysplex, and a command with the prefix can be issued from another system in the sysplex to run on the system identified by the command prefix. If you specify system scope, the command prefix must be unique within the system, and a command with the prefix runs on the system on which it is issued (or to which it is routed by way of the MVS ROUTE command). Guideline: Specify a scope. If the registration with CPF fails (for example, if the command prefix is already registered with CPF), the subsystem is unavailable. Restart the subsystem to make it available (see Restarting the RACF subsystem). The restarted subsystem uses the default command prefix (the subsystem name) and the prefix is not registered with CPF. Messages from the subsystem display the subsystem name, enclosed in parentheses, instead of a command prefix. If you correct the IEFSSNxx member, you must re-IPL for the change to take effect. Example: If the entry in IEFSSNxx is:
or
RACF is
the subsystem name and 'RACF ' (the subsystem name
followed by a blank) is the command prefix by default. Because no
scope is specified, the command prefix is not registered with CPF.Example: If the installation assigns a unique subsystem
identifier and the entry in IEFSSNxx is:
or
RACF is
the subsystem name and # is the command prefix. Because
no scope is specified, the command prefix is not registered with CPF.Example: If the entry in IEFSSNxx is:
or
RACF is
the subsystem name and % is the command prefix. Because
no scope is specified, quotation marks are optional on the command
prefix.Example: If the entry in IEFSSNxx is:
or
RACF is
the subsystem name and #RACF1 is the command prefix.
Because no scope is specified, the command prefix is not registered
with CPF.Example: If the entry in IEFSSNxx is:
or
RACF is
the subsystem name and # is the command prefix. The
prefix has system scope, so a command with this prefix runs on the
system on which it is entered (or to which it is routed by way of
the MVS ROUTE command). Because
a scope is specified, the command prefix is registered with CPF.Example: If the entry in IEFSSNxx is:
or
RAC3 is
the subsystem name and %RACSS1 is the command prefix.
The prefix has sysplex scope, so a command with this prefix runs on
this system no matter where it is issued within the sysplex. Because
a scope is specified, the command prefix is registered with CPF.Note:
|
Copyright IBM Corporation 1990, 2014
|