Stage 1 Signon Security Exit
This control point enables the verification of the format and contents of the SIGNON command. The following requirements and restrictions apply:
- Implement the IBM® Connect:Direct® stage 1 signon exit as an executable load module.
- Name the load module DGACXSIG. To assemble and link-edit the module under the appropriate name with an alias of DMCXSIGN, use DGAJCXSG.
- Do not specify NCAL.
- Link-edit the module with either RENT or NORENT, depending on whether it is reentrant or not.
- Link-edit the module with either REUS or NOREUS, depending on whether it is reusable or not.
- Link-edit the module with an authorization code (AC) of 0 or omit the SETCODE parameter.
- For the TSO IUI, the Stage 1 Signon Security exit module can come from a library in the LINKLIST, STEPLIB, TSOLIB, ISPLLIB, or LIBDEF-ISPLLIB concatenation. However, if there is a LIBDEF-ISPLLIB in effect, all Connect:Direct load modules (including the Stage 1 exits) must come from a library in the LINKLIST or the LIBDEF-ISPLLIB concatenation or a combination of the two.
- IBM Connect:Direct will only use the stage 1 signon security exit module if the module is deemed authorized. To be deemed authorized, the module must come from the LINKLIST or an APF-authorized library (partitioned data set). The entire concatenation does not need to be APF-authorized. Connect:Direct branches via BASSM to the Stage 1 exit, so the exit inherits the APF authorization the caller has. The IUI always executes APF unauthorized, so a Stage 1 exit running under the IUI always executes APF unauthorized.
- If a stage 1 signon security exit exists but is not deemed authorized, the SIGNON command fails.
- For DGADBATC and DGADCHLA, the module search is limited to the LINKLIST, JOBLIB, or STEPLIB. For more information, see IBM Connect:Direct Exits.
- Because the information that is passed to the exit by IBM Connect:Direct is located above the 16-megabyte line, and because IBM Connect:Direct branches via BASSM to the stage 1 exit, you must link-edit the module with AMODE 31 to allow it to access the information that is passed to it.
- The $CD.SDGASAMP library contains a sample source module exit called DGACXSIG. Edit this module and modify the variable &SECTYPE to reflect the security system in use. Assemble and link-edit the exit. For IBM RACF or CA-TOP SECRET, use the character string RACF for &SECTYPE. For CA-ACF2, use the character string ACF2. Member DGAUSEC in $CD.SDGASAMP is a sample SMP/E USERMOD to assist with such changes.
All IBM Connect:Direct nodes in cross-domain signon (or multi-session signon) with an IBM Connect:Direct node that uses the stage 1 signon exit must also use the stage 1 signon exit.
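The link-edit requirements listed above, expressed as a binder step. This is an added example, not IBM's DGAJCXSG job or any code from the product; the job card, step name, and all data set names are placeholders, and it assumes a reentrant, reusable exit whose object deck has already been assembled.

```jcl
//LKEDSIG  JOB (ACCT),'LINK STAGE1 EXIT',CLASS=A,MSGCLASS=X
//*
//* Added example. Job card and data set names are placeholders.
//* RENT and REUS assume the exit is reentrant and reusable; code
//* NORENT or NOREUS instead if it is not.
//* AMODE=31 is required because the parameters passed to the exit
//* are located above the 16-megabyte line.
//* NCAL is deliberately not specified, so external references are
//* resolved from SYSLIB.
//*
//LKED     EXEC PGM=IEWL,
//         PARM='LIST,MAP,XREF,RENT,REUS,AMODE=31'
//SYSPRINT DD SYSOUT=*
//*        Autocall library for external references (placeholder)
//SYSLIB   DD DISP=SHR,DSN=YOUR.AUTOCALL.LIBRARY
//*        Object deck produced by the assembly step (placeholder)
//OBJLIB   DD DISP=SHR,DSN=YOUR.OBJECT.LIBRARY
//*        Target load library (placeholder). For the exit to be
//*        deemed authorized, this library must be in the LINKLIST
//*        or be APF-authorized.
//SYSLMOD  DD DISP=SHR,DSN=YOUR.EXIT.LOADLIB
//SYSUT1   DD UNIT=SYSDA,SPACE=(CYL,(1,1))
//SYSLIN   DD *
  INCLUDE OBJLIB(DGACXSIG)
  SETCODE AC(0)
  ALIAS   DMCXSIGN
  NAME    DGACXSIG(R)
/*
```

Review the binder listing (MAP and XREF output) afterward to confirm the module attributes and that no external references were left unresolved.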
Signon Errors
If you are receiving signon errors about the stage 1 exit, allocate the special DDNAME APISECUR for special diagnostic output using one of the following methods:
If you are using DGADBATC or DGA#CBAT, route the trace output to SYSOUT by adding the following DD statement to the DGADBATC or DGA#CBAT JCL.
|
If you are using the IUI, to route the trace output to the screen, issue the following TSO command.
|
To route the trace output to a data set, issue the following TSO command:
|
You must preallocate the data set with the following DCB attributes.
|
To route the output to spool, issue the following TSO command:
|
Skipping the SIGNON Panel
Since the TSO user ID has already been authenticated when logging on to TSO, you can bypass the IBM Connect:Direct IUI SIGNON panel when using the Stage 1 Security exit. To implement this feature, use the Global Signon Default feature: set the SSOP option to Y and assemble the Global Signon Default module. For more information, see Global Signon Defaults.