Stage 1 Signon Security Exit
This control point enables the verification of the format and contents of the SIGNON command. The following requirements and restrictions apply:
- Implement the IBM® Connect:Direct® stage 1 signon exit as an executable load module.
- Name the load module DGACXSIG. To assemble, link-edit the appropriate name with an alias of DMCXSIGN by using DGAJCXSG.
- Do not specify NCAL.
- Link-edit the module with either RENT or NORENT, depending on whether it is reentrant or not.
- Link-edit the module with either REUS or NOREUS, depending on whether it is reusable or not.
- Link-edit the module with an authorization code (AC) of 0 or omit the SETCODE parameter.
- For the TSO IUI, the Stage 1 Signon Security exit module can come from a library in the LINKLIST, STEPLIB, TSOLIB, ISPLLIB, or LIBDEF-ISPLLIB concatenation. However, if there is a LIBDEF-ISPLLIB in effect, all Connect:Direct load modules (including the Stage 1 exits) must come from a library in the LINKLIST or the LIBDEF-ISPLLIB concatenation or a combination of the two.
- IBM Connect:Direct will only use the stage 1 signon security exit module if the module is deemed authorized. To be deemed authorized, the module must come from the LINKLIST or an APF-authorized library (partitioned data set). The entire concatenation does not need to be APF-authorized. Connect:Direct branches via BASSM to the Stage 1 exit, so the exit inherits the APF authorization the caller has. The IUI always executes APF unauthorized, so a Stage 1 exit running under the IUI always executes APF unauthorized.
- If a stage 1 signon security exit exists but is not deemed authorized, the SIGNON command fails.
- For DGADBATC and DGADCHLA, the module search is limited to the LINKLIST, JOBLIB, or STEPLIB. For more information, see IBM Connect:Direct Exits.
- Because the information that is passed to the exit by IBM Connect:Direct is located above the 16-megabyte line, and because IBM Connect:Direct branches via BASSM to the stage 1 exit, you must link-edit the module with AMODE ANY to allow it to access the information that is passed to it.
- The $CD.SDGASAMP library contains a sample source module exit called DGACXSIG. Edit this module and modify the variable &SECTYPE to reflect the security system in use. Assemble and link-edit the exit. For IBM RACF or CA-TOP SECRET, use the character string RACF for &SECTYPE. For CA-ACF2, use the character string ACF2.
All IBM Connect:Direct nodes in cross-domain signon (or multi-session signon) with an IBM Connect:Direct node that uses the stage 1 signon exit must also use the stage 1 signon exit.
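The link-edit requirements listed above, expressed as a binder step. This is an added example, not IBM's DGAJCXSG job: the job card and all data set names are placeholders, and RENT/REUS assume the exit was coded to be reentrant and reusable.

```jcl
//LKEDSIG  JOB (ACCT),'LINK DGACXSIG',CLASS=A,MSGCLASS=X
//*
//* Added example. Data set names below are placeholders.
//* NCAL is deliberately absent from PARM, so the binder resolves
//* external references through SYSLIB.
//* RENT,REUS assume a reentrant, reusable exit; code NORENT,NOREUS
//* if that is not true of your module.
//* AMODE=ANY lets the exit address the parameters passed from
//* above the 16-megabyte line when it is entered via BASSM.
//*
//LKED     EXEC PGM=IEWL,
//             PARM='LIST,MAP,XREF,RENT,REUS,AMODE=ANY'
//SYSPRINT DD  SYSOUT=*
//SYSLIB   DD  DISP=SHR,DSN=YOUR.CD.SDGALINK       placeholder
//OBJLIB   DD  DISP=SHR,DSN=YOUR.EXIT.OBJLIB       placeholder
//SYSLMOD  DD  DISP=SHR,DSN=YOUR.APF.LOADLIB       placeholder
//SYSUT1   DD  UNIT=SYSDA,SPACE=(CYL,(1,1))
//SYSLIN   DD  *
  INCLUDE OBJLIB(DGACXSIG)
  SETCODE AC(0)
  ALIAS   DMCXSIGN
  NAME    DGACXSIG(R)
/*
```

The binder's SYSPRINT output lists the attributes assigned to the module, which is the place to confirm AC=0, the AMODE, and the DMCXSIGN alias before the module is placed in a LINKLIST or APF-authorized library.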
Signon Errors
If you are receiving signon errors about the stage 1 exit, allocate the special DDNAME APISECUR for special diagnostic output using one of the following methods:
If you are using DGADBATC, to route the trace output to SYSOUT, add the following DD statement to the DGADBATC JCL.
|
If you are using the IUI, to route the trace output to the screen, issue the following TSO command.
|
To route the trace output to a data set, issue the following TSO command:
|
You must preallocate the data set with the following DCB attributes.
|
To route the output to spool, issue the following TSO command:
|
Sample SIGNON Panel
Because the TSO user ID has already been authenticated when logging on to TSO, you can bypass the IBM Connect:Direct IUI Signon panel. Both implementing the Stage 1 Signon Security exit and replacing the original Signon panel are required.
The $CD.SDGASAMP library contains a member called DGA@NPAN that you can use to replace the existing signon panel (DGA@GNON) after you implement the Stage 1 Signon Security exit. This sample panel, in conjunction with the Stage 1 Signon Security exit, allows you to bypass the Signon panel when starting the ISPF/IUI interface. Refer to the $CD.SDGASAMP member called DGAUPAN for a sample SMP/E USERMOD, which contains instructions to implement this sample panel.