Logon Inheritance Support
This feature lets you replace the in-storage representation of a password with an inheritance indicator created from three elements:
- user ID
- source (terminal ID)
- resource (application)
Use of the inheritance indicator eliminates integrity exposures.
Logon inheritance is invoked by the LINK dialog language statement, most likely from a logon dialog. The TLVLOAD and STEPLIB libraries must be APF-authorized.
Installation
The source module for logon inheritance is in member KLKA2INH of TLVSPENU. Assemble the routine into the TLVLOAD target library, using the current level of TLVMAC, SYS1.ACFMAC, and SYS1.MACLIB. A sample jobstream is provided in member KLS@ASM. The SYS1.ACFMAC library needs to be concatenated in SYSLIB.
Implementation
The LINK dialog language statement invokes KLKA2INH to obtain the inheritance indicator, which is good for only one logon. Each time an application that has an auto-logon script is selected, the LINK statement can be used to create another inheritance indicator. You can then use this indicator, instead of the password variable, in the auto-logon sequence. Code the LINK statement as follows:
SET RC (LINK(KLKA2INH userid sourcename resourcename))
- userid: The user ID for which the inheritance indicator is obtained.
- sourcename: The source where the logon occurs. Normally, this is the virtual terminal network name.
- resourcename: The name of the resource to which the source connects. This is the network name of the application being accessed.
The outcome of the function appears as a return code in variable &RC, which may contain one of these values:
- 0: Successful completion. Variable &KLKA2INH contains the returned token.
- 4: ACF2 not active.
- 8: Parameter error. One of the required parameters was not supplied.
- 12: ACF2 failed the request. Variable &KLKA2INH contains any error message returned by ACF2.
You may hard-code values for userid, sourcename, and resourcename, or you may use variables. To derive the variables:
- userid: Use the variable &VSSUSER.
- sourcename: Obtain the variable &SRCNM by placing the following statement before the LINK statement in your logon dialog:
  SET SRCNM (VSSNODE(&SYSPARM))
- resourcename: Obtain the variable &RSRCNM by placing the following code before the LINK statement in your logon dialog:
  SET RC (VSSVINFO(&VSPID))
  IF (&RC > 0) DO
    VSSTERM(&VSPID 1)
    RETURN &RC
  END
  SET RSRCNM '&VSSAPPL'
The LINK statement would now look like this:
SET RC (LINK(KLKA2INH '&VSSUSER' &SRCNM &RSRCNM))