64-bit Arsusec DLL
The Arsusec DLL is invoked to perform authentication (RACROUTE REQUEST=VERIFY) when a user attempts to log on to Content Manager OnDemand, or an attempt is made to add, change, or delete a password, and the security exit is enabled by setting the SRVR_FLAGS_SECURITY_EXIT=1 in the ars.ini configuration file. Similarly, the Arsuperm DLL is invoked to perform permission checks (RACROUTE REQUEST=AUTH) when a user attempts to access a folder, application group, or document, or perform an SQL query, and the security exit is enabled by setting the SRVR_FLAGS_FOLDER_APPLGRP_EXIT=1, SRVR_FLAGS_SQL_QUERY_EXIT=1, SRVR_FLAGS_DOCUMENT_EXIT=1, and/or SRVR_FLAGS_CABINET_EXIT=1 in the ars.ini configuration file.
The ARSUSEC4 described in this section is a 64-bit version of the DLL and only performs an authentication check. It does not perform a permissions check.
The ARSSOCKD server runs as a 64-bit application. Language Environment does not support mixing 31-bit and 64-bit in the same LE enclave, so a software layer is provided to cause a number of exits to be invoked in AMODE 31, thus providing compatibility with older versions of those exits. That compatibility comes at the cost of additional overhead.
To reduce that overhead, a 64-bit assembler Arsusec sample (ARSUSEC4) is provided that incorporates similar functionality to the C and COBOL Arsusec without the necessity of the software layer to invoke the Arsusec DLL in 31-bit mode. One of the differences from the C/COBOL version of Arsusec is that the MVS dynamic exit facility is not used to invoke the ARS.SECURITY dynamic exit (ARSUSECZ). Instead, the RACROUTE REQUEST=VERIFY is performed directly by ARSUSEC4. Note that if you are using Arsuperm, you still need to use the ARS.SECURITY dynamic exit.
JCL to assemble and bind the ARSUSEC4 into the Arsusec DLL is provided in SARSINST(ARSJSEC4). A job card needs to be provided in the sample. The SARSINST JCL SET symbol specifies the name of the PDS/E data set containing the ARSUSEC4 assembler source. The TGTPATH JCL set symbol contains the USS path to the directory used to contain the exits.
mkdir /ars/exits
ln -s /usr/lpp/ars/V10R5M0/bin/exits/arsuperm /ars/exits/arsuperm
If other exits are used, either symlinks need to be created for them, or they need to be placed into the /ars/exits directory.
ARS_USER_EXITS_DIR=/ars/exits
This will cause the /ars/exits directory to be used to locate Arsusec and other DLL-based exits. All of the exits must be located in the ARS_USER_EXITS_DIR. This is not required; you could link the ARSUSEC4 into /installdir/bin/exits/arsusec, where installdir is your installation directory. However, be aware that SMP/E could overwrite the arsusec DLL if you are using that directory as the exits directory.
One difference with the C and COBOL versions of Arsusec is that, by default, ARSUSEC4 will return a message for various error conditions to the user who is logging on to Content Manager OnDemand. The C and COBOL arsusec do not return a message. For ARSUSEC4, an environment variable called ARSUSEC4_NOMSG=1 an be used to cause ARSUSEC4 to not return messages to the user who is logging on.