RACFSYNC

The RACFSYNC system initialization parameter specifies whether CICS® listens for type 71 ENF events and refreshes user security.

Defining RACFSYNC

You can define the RACFSYNC system initialization parameter in the following ways:
  • On the PARM parameter of the EXEC PGM=DFHSIP statement
  • In the SYSIN data set of the CICS startup job stream
  • Through the system console
  • In the DFHSIT macro

Values for RACFSYNC

Note: Specify the RACFSYNC=NO parameter only under direction from IBM Service.

Valid values for the RACFSYNC system initialization parameter are as follows:

RACF® sends a type 71 ENF signal to listeners when a CONNECT, REMOVE, or REVOKE command changes a user's resource authorization, or when a user ID is revoked automatically as a result of too many failed password attempts.

When CICS receives a type 71 ENF event for a user ID, all cached user tokens for the user ID are invalidated, irrespective of the setting of the USRDELAY parameter. Subsequent requests from that user ID force a full RACF RACROUTE VERIFY request, which results in a refresh of the user's authorization level. User tokens for tasks that are currently running are not affected. User tokens for signed-on users are not affected, but subsequent work in other regions will be.

CICS also makes Db2® threads for the associated user ID issue a full sign-on when they are next reused.

(6.2 and later) CICSPlex® SM can also process type 71 ENF events for a CICSplex. You must specify RACFSYNC=YES, or use the default, for the CMAS region and specify RACFSYNC=CPSM for the MAS regions under control of the CMAS. This configuration enables the CMAS to listen for and process type 71 ENF events and its connected MAS regions to obtain type 71 ENF event data directly from the CMAS. When the CMAS region receives a type 71 ENF event, security information for the affected user ID is rebuilt the next time the user ID is used, irrespective of the setting of the SECTIMEOUT parameter. The MAS regions process type 71 ENF events in the same way as CICS.

RACFSYNC={YES|NO|CPSM}
Valid values are as follows:
YES
YES is the default value for RACFSYNC. CICS listens for type 71 ENF events.
(6.2 and later) A CMAS listens for and processes type 71 ENF events, and makes type 71 ENF event data available in CICSPlex SM storage for its connected MAS regions to consume.
NO
CICS does not listen for type 71 ENF events.
CPSM
(6.2 and later) A MAS does not register as a type 71 ENF event listener but obtains type 71 ENF event data directly from its owning CMAS. The MAS attempts to obtain data from the CMAS every 15 seconds.
RACFSYNC=CPSM is intended only for a MAS region. If RACFSYNC=CPSM is specified for a CMAS, message EYUCI0103E is issued.
Note:
  • In a configuration where type 71 signals are issued for large numbers of users simultaneously, combined with large numbers of connections to Db2, the temporary performance overhead of completing full sign-on processing across all affected Db2 threads might be significant. To reduce the impact of type 71 ENF processing, it is recommended that updates to large numbers of RACF users be made during off-peak periods.
  • Support for issuing a type 71 ENF as a result of too many failed password attempts requires RACF APAR OA58677 and SAF APAR OA58678.
Restriction: You can specify the RACFSYNC parameter only in the system initialization table (SIT), the PARM parameter of the EXEC PGM=DFHSIP statement, or the SYSIN data set.
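
The following is an added example, not IBM code: a Python check that reads SYSIN-style override text for each region and flags RACFSYNC settings that conflict with the rules described above. The region names, the inventory layout, and the simplified SYSIN parsing (comment lines starting with `*`, last occurrence wins) are assumptions made for illustration.

```python
import re

VALID = {"YES", "NO", "CPSM"}

def racfsync_value(sysin_text):
    """Effective RACFSYNC value from SYSIN-style overrides; YES is the default."""
    value = "YES"
    for line in sysin_text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):   # assumed comment convention
            continue
        if line.upper().startswith(".END"):
            break
        for item in line.split(","):
            m = re.fullmatch(r"\s*RACFSYNC\s*=\s*(\w+)\s*", item, re.IGNORECASE)
            if m:
                value = m.group(1).upper()     # simplification: last one wins
    return value

def audit(regions):
    """regions: {name: (role, owning_cmas, sysin_text)}; role is CMAS, MAS or CICS."""
    values = {name: racfsync_value(r[2]) for name, r in regions.items()}
    findings = []
    for name, (role, cmas, _) in regions.items():
        v = values[name]
        if v not in VALID:
            findings.append((name, f"RACFSYNC={v} is not YES, NO or CPSM"))
        elif v == "NO":
            findings.append((name, "not listening for type 71 ENF events; "
                                   "NO is only for use under direction from IBM Service"))
        elif v == "CPSM" and role == "CMAS":
            findings.append((name, "CPSM on a CMAS; expect message EYUCI0103E"))
        elif v == "CPSM" and role != "MAS":
            findings.append((name, "CPSM is intended only for a MAS region"))
        elif v == "CPSM" and values.get(cmas) != "YES":
            findings.append((name, f"CPSM needs owning CMAS {cmas} at RACFSYNC=YES"))
    return findings

# Constructed inventory: region name -> (role, owning CMAS, SYSIN override text)
SAMPLE = {
    "CMAS01": ("CMAS", None, "* CMAS overrides\nSEC=YES,\n.END"),
    "MASA": ("MAS", "CMAS01", "SEC=YES,RACFSYNC=CPSM,\n.END"),
    "MASB": ("MAS", "CMAS01", "RACFSYNC=NO,\n.END"),
    "CMAS02": ("CMAS", None, "RACFSYNC=CPSM\n.END"),
    "MASC": ("MAS", "CMAS02", "RACFSYNC=CPSM\n.END"),
}

if __name__ == "__main__":
    for region, problem in audit(SAMPLE):
        print(f"{region}: {problem}")
```

A MAS that keeps RACFSYNC=YES is not flagged, because it then listens for type 71 ENF events itself in the same way as any CICS region.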