z/OS Security Server RACF System Programmer's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Updating the IEFSSNxx member of SYS1.PARMLIB

z/OS Security Server RACF System Programmer's Guide
SA23-2287-00

The IEFSSNxx member of SYS1.PARMLIB must be updated to indicate that the RACF® subsystem is a valid subsystem in the installation. This member also identifies the subsystem's command prefix, which is used in issuing RACF operator commands, and an optional command prefix scope. See z/OS Security Server RACF Command Language Reference for information about how to use the subsystem command prefix.

Rule: Place the entry for RACF after the entries for SMS and the primary subsystem (JES2 or JES3) in the IEFSSNxx member. For more information about the IEFSSNxx member of SYS1.PARMLIB, see z/OS MVS Initialization and Tuning Reference.

You can choose to have RACF register the command prefix with the MVS™ command prefix facility (CPF). CPF ensures that two or more subsystems do not have the same or overlapping command prefixes. CPF also allows an operator or authorized application to enter a RACF command from any system in a sysplex and route that command to run on another system in the sysplex. The command responses come back to the originating system console. For more information about CPF, see z/OS MVS Programming: Authorized Assembler Services Guide.

Guideline: Have RACF register command prefixes with CPF. To do this, specify a scope on the IEFSSNxx entry.

You can code the IEFSSNxx definition in a keyword parameter form or a positional parameter form. The keyword parameter form has the following syntax: 
SUBSYS SUBNAME(ssname) INITRTN(IRRSSI00) [INITPARM('cmdpref[,scope]')]
and the positional parameter form has the following syntax: 
ssname,IRRSSI00[,'cmdpref[,scope]']
where: 
  ssname    is the 1-4 character subsystem name (required)
  IRRSSI00  is the RACF subsystem initialization routine (required)
  cmdpref   is the 1-8 character command prefix (optional)
  scope     is the command prefix scope for CPF (optional)
     X                  for sysplex scope
     M                  for system scope

Guideline: Use the keyword parameter form. Subsystems defined using the keyword parameter form of the IEFSSNxx parmlib member can use dynamic SSI services, while subsystems defined using the positional form of the IEFSSNxx parmlib member cannot use dynamic SSI services.

For information about dynamic SSI services, see z/OS MVS Using the Subsystem Interface. For information about coding the IEFSSNxx parmlib member, see z/OS MVS Initialization and Tuning Reference.

If you do not specify a command prefix, the default is the subsystem name plus a blank, and the command prefix is not registered with CPF. Messages from the subsystem display the subsystem name, which is enclosed in parentheses, instead of a command prefix.

If you do not specify a scope, the quotation marks around the command prefix are optional.

Do not define a command prefix that is the same as an existing command prefix on that system. Do not define a command prefix that is a subset of, or a superset of, an existing command prefix on that system with the same first character. For example, if command prefix $ABC exists, $, $A, and $AB are subsets of $ABC and conflict with it. $ABCD is a superset of $ABC and conflicts with it. You can define command prefix ABC, however, because it does not start with the same letter as $ABC and so does not conflict. You can see which prefixes already exist using the DISPLAY OPDATA command. See z/OS MVS System Commands for information about the DISPLAY OPDATA command.

If you do not specify a scope, the command prefix is not registered with CPF. If you specify sysplex scope, the command prefix must be unique within the sysplex, and a command with the prefix can be issued from another system in the sysplex to run on the system identified by the command prefix. If you specify system scope, the command prefix must be unique within the system, and a command with the prefix runs on the system on which it is issued (or to which it is routed by way of the MVS ROUTE command).

Guideline: Specify a scope.

If the registration with CPF fails (for example, if the command prefix is already registered with CPF), the subsystem is unavailable. Restart the subsystem to make it available (see Restarting the RACF subsystem). The restarted subsystem uses the default command prefix (the subsystem name) and the prefix is not registered with CPF. Messages from the subsystem display the subsystem name, enclosed in parentheses, instead of a command prefix. If you correct the IEFSSNxx member, you must re-IPL for the change to take effect.

Example: If the entry in IEFSSNxx is: 
SUBSYS SUBNAME(RACF) INITRTN(IRRSSI00)
or 
RACF,IRRSSI00
RACF is the subsystem name and 'RACF ' (the subsystem name followed by a blank) is the command prefix by default. Because no scope is specified, the command prefix is not registered with CPF.
Example: If the installation assigns a unique subsystem identifier and the entry in IEFSSNxx is: 
SUBSYS SUBNAME(RACF) INITRTN(IRRSSI00) INITPARM('#')
or 
RACF,IRRSSI00,'#'
RACF is the subsystem name and # is the command prefix. Because no scope is specified, the command prefix is not registered with CPF.
Example: If the entry in IEFSSNxx is: 
SUBSYS SUBNAME(RACF) INITRTN(IRRSSI00) INITPARM('%')
or 
RACF,IRRSSI00,%
RACF is the subsystem name and % is the command prefix. Because no scope is specified, quotation marks are optional on the command prefix.
Example: If the entry in IEFSSNxx is: 
SUBSYS SUBNAME(RACF) INITRTN(IRRSSI00) INITPARM('#RACF1')
or 
RACF,IRRSSI00,'#RACF1'
RACF is the subsystem name and #RACF1 is the command prefix. Because no scope is specified, the command prefix is not registered with CPF.
Example: If the entry in IEFSSNxx is: 
SUBSYS SUBNAME(RACF) INITRTN(IRRSSI00) INITPARM('#,M')
or 
RACF,IRRSSI00,'#,M'
RACF is the subsystem name and # is the command prefix. The prefix has system scope, so a command with this prefix runs on the system on which it is entered (or to which it is routed by way of the MVS ROUTE command). Because a scope is specified, the command prefix is registered with CPF.
Example: If the entry in IEFSSNxx is: 
SUBSYS SUBNAME(RAC3) INITRTN(IRRSSI00) INITPARM('%RACSS1,X')
or 
RAC3,IRRSSI00,'%RACSS1,X'
RAC3 is the subsystem name and %RACSS1 is the command prefix. The prefix has sysplex scope, so a command with this prefix runs on this system no matter where it is issued within the sysplex. Because a scope is specified, the command prefix is registered with CPF.
Note:
  1. For JES2 systems, if a command prefix is specified in the IEFSSNxx member, it must differ from any BSPACE= value defined in the CONDEF part of the JES HASPARM definition.
  2. The command prefix precedes the message ID for some subsystem messages. If you choose to use a long prefix, you should consider the appearance of the subsystem messages and the usability of typing a long prefix on an operator command. Consider including a separator character such as a hyphen at the end of a long prefix to separate it from subsystem message IDs.
Parent topic: Activating the RACF subsystem

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014