Preparing security exit routines
Each of the security exit routines needs to be prepared as part of authorization.
- Signon/off Security exit routine (DFSCSGN0)
The /SIGN ON/OFF Security exit routine must be coded by your installation as module DFSCSGN0. This exit routine should have access to a table of valid user IDs and their associated passwords and RACF® PassTickets (if they are used). For addressability, the table should reside in module DFSCSGN0, the Transaction Authorization exit routine (DFSCTRN0), or in the IMS nucleus. The exit routine should note each successful signon. When the /SIGN OFF command is executed, the exit routine should mark that user ID available for /SIGN ON. The exit routine can place information in the data portion of the user verification string for logging. (An address in a register points to the user verification string.)
- Transaction Authorization exit routine (DFSCTRN0)
The Transaction Authorization exit routine (DFSCTRN0) should have access to a table of valid user IDs, RACF PassTickets, passwords, and transactions associated with each valid user ID. For addressability, this table should reside in module DFSCTRN0, the /SIGN ON/OFF Security exit routine (DFSCSGN0), or in the IMS nucleus. If the table is in the nucleus, it can be shared by the Transaction Authorization exit routine and the Signon Verification exit routine.
If you use message edit routines, security is checked after the message is edited.
- Command Authorization exit routine (DFSCCMD0)
The Command Authorization exit routine (DFSCCMD0) should have access to a table of valid user IDs, passwords, and commands associated with each valid user ID. For addressability, this table should reside in module DFSCCMD0, the /SIGN ON/OFF Security exit routine (DFSCSGN0), or in the IMS nucleus. If the table is in the nucleus, it can be shared by the Command Authorization exit routine, the Transaction Authorization exit routine, and the Signon Verification exit routine.
- If you are using the Resource Access Security exit routine (RASE)
You can use the Resource Access Security exit routine (RASE) to augment or refine the security functions that are provided by RAS. The RASE user exit is called after a call to RACF to directly authorize an IMS dependent region to use IMS resources (transactions, PSBs, and LTERMs) that the dependent region attempts to access. The description of the Resource Access Security user exit in the Exit Reference tells how to define the RASE user exit to IMS.