Parameters
- Work_area
- The name of a 1024-byte work area for SAF and RACF® usage. The work area must be in the primary address space.
- ALET
- The name of a word containing the ALET for the following parameter. Each ALET can be different. The words containing the ALETs must be in the primary address space.
- SAF_return_code
- The name of a fullword in which the SAF router returns the SAF return code.
- RACF_return_code
- The name of a fullword in which the service routine stores the return code.
- RACF_reason_code
- The name of a fullword in which the service routine stores the reason code.
- Function_code
- The name of a 1-byte area containing the function code.
- X'01'
- Create an ACEE.
- X'02'
- Delete an ACEE.
- X'03'
- Purge all managed ACEEs.
- X'04'
- Register a certificate
- X'05'
- Deregister a certificate
- X'06'
- Query a certificate
- X'07'
-
Generate an IDT from an ACEE
- Attributes
- The name of a 4-byte area containing information about the function to be performed. Zero or more attributes can be set. (See Table 2 for the values allowed for the Attributes parameter.)
- RACF_userid
- The name of a 9-byte area that consists of a 1-byte length field followed by up to 8 characters. It must be specified in uppercase. If not specified, the length must equal 0.
- ACEE_ptr
- The name of a 4-byte area that contains the ACEE address. This parameter is not supported for function code X’07’ and ACEE2_PTR should be used instead.
- APPL_id
-
The name of a 9-byte area that consists of a 1-byte length field followed by the name of the application to be used if verifying the user's authority to access the application. This saves the application from having to do a separate authorization check. When using certificate mapping profiles, the application name is also used as part of the additional criteria in determining a user ID when a certificate is passed to initACEE.
When using the Generate an IDT from ACEE function, the application name is used as one of the qualifiers to locate a profile in the IDTDATA class. For the Generate an IDT from ACEE function, the APPL_id parameter must be specified with a length between 1-8.
It must be specified in uppercase. If not specified, the length must equal zero.
- Password
- The name of a 9-byte area that consists of a 1-byte length field followed by the password or PassTicket provided by the user. If not specified, the length must equal zero.
- Logstring
- The name of an area that consists of a 1-byte length field followed by character data to be written to the system-management-facilities (SMF) data set, together with any RACF audit information, if logged. If not specified, the length must equal zero.
- Certificate
- The name of an area that consists of a 4-byte length field followed by a digital certificate. If not specified, the length must equal 0; or the end of the parameter list must be indicated by the setting of the high order bit in the address of the previous parameter. The certificate must be a single DER encoded X.509 certificate. For the registration and deregistration functions, PKCS #7, PEM, or Base64 encoded certificates are also allowed.
- ENVR_in
- The name of the data structure that contains the information necessary to re-create a security
environment. The data structure must have the format shown in Table 3.
See the ENVR_out parameter for additional information about this data structure and the ENVR object
to which it points. The structure must reside on a doubleword boundary.
While the format of the data structure pointed to by ENVR_in is known to the initACEE invokers, the content of the object itself is determined by the external security product.
The input for this parameter can be the output from a previous initACEE with the ENVR_out parameter specified, or from RACROUTE REQUEST=VERIFY or REQUEST=EXTRACT, with the ENVROUT parameter specified.
If ENVR_in is not specified, the ENVR object length must equal 0, or the end of the parameter list must be indicated by the setting of the high order bit in the address of a previous parameter. ENVR_in should not be specified when requesting that an ENVR object be returned (INTA_ENVR_RET).
For more information about the ENVR data structure, see z/OS Security Server RACROUTE Macro Reference.
- ENVR_out
- The name of the data structure to contain the security environment that was just created. The
data structure must have the format shown in Table 3. This data
structure describes the storage location for the ENVR object that is created as part of this
initACEE create request.
While the format of the data structure pointed to by ENVR_out itself is known to the initACEE invokers, the content of the object itself is determined by the external security product.
The ENVR object storage area can be supplied by the caller or obtained by RACF. If supplied by the caller, it must be on a doubleword boundary and be associated with the job step task. If RACF obtains the storage area, it is on a doubleword boundary and is associated with the job step task. The storage is allocated based on the mode of the caller (LOC=ANY for 31-bit callers and LOC=24 for 24-bit callers).
Storage for the ENVR object is obtained and freed in the subpool and key specified by the caller in the ENVR_out data structure. For additional details on specifying the ENVR object storage area length and address, see Table 4.
Since the ENVR object length is returned to the caller, the ENVR object can be moved from one storage area to another. It is intended for use on subsequent initACEEs with the ENVR_in parameter, or on RACROUTE REQUEST=VERIFY with the ENVRIN parameter, as input when rebuilding a user's security environment. It should not be saved for a long period or passed to another system that does not share the same RACF database.
If the Attributes parameter indicates that an ENVR object should be returned (INTA_ENVR_RET), then this parameter must be specified with at a minimum the values for the subpool and key fields.
For more information about the ENVR data structure, see z/OS Security Server RACROUTE Macro Reference.
- Output_area
- The name of a fullword in which the service routine stores the
address of an area containing data about the user. The output area
is obtained in the primary address space, in subpool 229, and must
be freed by the caller of initACEE. The following data is returned;
the area returned is mapped by macro IRRPOUSP (OUSP):
- TSO user ID
- z/OS® UNIX user identifier (UID) of user
- z/OS UNIX group identifier (GID) of current group
- Home directory path name
- Initial program path name
- User limits (when OUSP version is greater than 0)
If the Attributes parameter indicates that an OUSP should be returned (INTA_USP and INTA_OUSP_RET), then this parameter must be specified. If the Attributes do not indicate that an OUSP should be returned, then the fullword must equal 0, or the end of the parameter list must be indicated by the setting of the high order bit in the address of a previous parameter.
- X500name
- If the function code indicates a certificate is being queried and the
attributes indicate that an X500 name pair should be returned (ie. the attributes value must have
INTA_X500_RET set), this parameter stores the address of the X500 name pair data structure to be
returned. The X500 name pair data structure is obtained in the primary address space, in
subpool 229, and must be freed by the caller of initACEE.
If the function code indicates that an ACEE is to be created, and the RACF_userid parameter is specified, X500name can supply the name of a fullword containing the address of the X500 name pair to be associated with the ACEE. The X500 name pair should previously have been obtained, along with the RACF user ID, by querying a certificate using initACEE. Both the issuer's name and subject's name must be supplied, and the length of each must be in the range 1 to 255 to prevent a parameter list error. If a valid X500 name pair is supplied, the ACEE created will point to a copy of the name pair, and it will subsequently be used in auditing.
- Variable_list
- The name of the data structure that contains the additional criteria
to be used to determine the user ID associated with the certificate
supplied to initACEE. The variable list data structure is a 4-byte
number of value entries, followed by that number of entries. Each
value entry consists of an 8-byte value name, a 4-byte value length,
and the value. The value name must be padded on the right with blanks
if it is less than 8-bytes. The value length must be in the range
of 1 to 255. If it is outside of this range, a parameter list error
will result. A maximum of 10 values may be specified. If the number
of values is greater than 10, a parameter list error will result.
Variable names should be meaningful to the caller of initACEE. Making the 3 character prefix associated with the product calling initACEE part of the variable name will ensure that it is unique. For example, assume RACF implemented a server that calls initACEE for its clients. It will pass a variable, IRRSLVL, which has 2 values. The values are LOW and HIGH. LOW is if the user is accessing the server from the internet and HIGH is if the user is accessing the server from the intranet. The variable_list containing the variable name and its value, LOW or HIGH, is passed to initACEE, along with the certificate supplied by the user. The value of the variable will be used as additional criteria in selecting which user ID the certificate maps to. All callers of initACEE should document their variable names, and the values they pass for each name, in their product documentation.
All value names and values should be uppercase. Do not specify the APPLID or SYSID criteria values in the variable_list. These are determined from the APPL_id parameter and MVS control; blocks, respectively. If they are specified in the variable_list, that specification will be ignored.
This parameter is ignored unless the certificate parameter is specified, and the function code indicates that an ACEE is to be created, or that the certificate is to be queried to find a user ID. If the certificate is defined to RACF in the DIGTCERT class, additional criteria will not be used, and the variable_list values will be ignored. If the certificate is not defined in the DIGTCERT class, the values in the variable list will be used along with APPL_id and SYSID to look for an associated user ID using the DIGTNMAP and DIGTCRIT classes if these classes are active and have been RACLISTed with SETROPTS.
- Security_label
- The name of a 9-byte area that consists of a 1-byte length field followed by the name of the security label that defines the security classification of the environment to be created. It must be specified in uppercase. If not specified, the length must be zero.
- SERVAUTH_name
- The name of an area that consists of a 1-byte length field followed by the name of a resource in the SERVAUTH class to be used if verifying the user's authority to access this server. This resource is the network access security zone name that contains the IP address of the user. It must be specified in uppercase, and cannot exceed 64 bytes in length. If not specified, the length must be zero.
- Password_phrase
- The name of an area that consists of a 1-byte length field followed by the password phrase provided by the user. If the length is not specified, it must equal zero. If the length is specified, the length field must be 9-100 characters to prevent a parameter list error.
- IDID_area
- The name of a fullword containing the address of a distributed identity data structure (IDID). If the function code parameter indicates that an ACEE is to be created, no user ID parameter is specified, and the IDIDMAP class is active and RACLISTed, information in the IDID is used to determine a RACF user ID. If the IDIDMAP class is inactive or the information in the IDID does not map to a RACF user ID, the initACEE service will fail. If a RACF_userid parameter is specified on the initACEE call, the IDID_area parameter can supply the name of an IDID to be associated with the ACEE; the IDIDMAP class is not used. When the IDID_area parameter is specified, the distributed identity information in the IDID should have been previously authenticated. If an IDID is supplied and an ACEE is successfully created, the ACEE will point to a copy of the IDID, and it will subsequently be used in auditing.
- ACEE2_ALET
-
The name of a 4-byte area containing the ALET for the ACEE named by the ACEE2_ptr parameter. The 4-byte area must be in the primary address space. This parameter is only supported by function code X’07’.
- ACEE2_PTR
-
The name of a 4-byte area that contains the ACEE address. This parameter may be qualified by the ALET specified in ACEE2_ALET.
This parameter is only supported by function code X’07’.
- IDTA
-
The name of a fullword containing the address of an Identity Token Area for the generation of an Identity Token for the specified ACEE.
The IDT is returned in the buffer pointed to by the IDTA buffer pointer. The IDT length is set in the IDTA IDT length field. More IDTA parameter details are described in z/OS Security Server RACF Callable Services in Appendix G.
The IDTA is mapped by SAF macro IRRPIDTA.
An IDT generated by initACEE will contain an AMR claim value of “saf-acee” which indicates the IDT was generated from an existing security environment. In order to authenticate a user with an IDT with the “saf-acee” AMR claim with RACROUTE REQ=VERIFY the target system must have the required support installed.
| Parameter | Create ACEE | Delete ACEE | Purge ACEE | Reg/Dereg certificate | Query certificate | Generate IDT |
|---|---|---|---|---|---|---|
| SAF_return_code | Output | Output | Output | Output | Output | Output |
| RACF_return_code | Output | Output | Output | Output | Output | Output |
| RACF_reason_code | Output | Output | Output | Output | Output | Output |
| Function_code | Input | Input | Input | Input | Input | Input |
| Attributes | Input | Input | n/a | n/a | Input | n/a |
| RACF_userid | Input | n/a | n/a | n/a | Output | n/a |
| ACEE_ptr | Output | Input | n/a | n/a | n/a | n/a |
| APPL_id | Input | n/a | n/a | n/a | Input | Input |
| Password | Input | n/a | n/a | n/a | n/a | n/a |
| Logstring | Input | n/a | n/a | n/a | n/a | n/a |
| Certificate | Input | n/a | n/a | Input | Input | n/a |
| ENVR_in | Input | n/a | n/a | n/a | n/a | n/a |
| ENVR_out | Input/ Output See Table 3 | n/a | n/a | n/a | n/a | n/a |
| Output_area | Output | n/a | n/a | n/a | n/a | n/a |
| X500name | Input | n/a | n/a | n/a | Output | n/a |
| Variable_list | Input | n/a | n/a | n/a | Input | n/a |
| Security_label | Input | n/a | n/a | n/a | n/a | n/a |
| SERVAUTH_name | Input | n/a | n/a | n/a | n/a | n/a |
| Password_phrase | Input | n/a | n/a | n/a | n/a | n/a |
| IDID_area | Input | n/a | n/a | n/a | n/a | n/a |
| ACEE2_ALET | n/a | n/a | n/a | n/a | n/a | Input |
| ACEE2_ptr | n/a | n/a | n/a | n/a | n/a | Input |
| IDTA | n/a | n/a | n/a | n/a | n/a | Input/Output |
| Parameter | Value | Action to be taken |
|---|---|---|
| INTA_MANAGED | X'80000000' | Create an ACEE for the user ID that is cached by RACF.  This attribute is ignored for MFA users. |
| INTA_USP | X'40000000' | Create a USP for the user ID |
| INTA_TASK_LVL | X'20000000' | For create function code, create an ACEE and attach to the current TCB. For delete function code, delete the ACEE attached to the current TCB. |
| INTA_UNAUTH_CLNT | X'10000000' | Create an ACEE for an unauthenticated client. |
| INTA_AUTH_CLNT | X'08000000' | Create an ACEE for an authenticated client. |
| INTA_MSG_SUPP | X'04000000' | Suppress RACF messages produced as a result of creating a user's security context. |
| INTA_ENVR_RET | X'02000000' | Return an ENVR object for the ACEE created by this request. |
| INTA_NO_TIMEOUT | X'01000000' | Create a managed ACEE that does not time out. When this bit and are set for the creation of a new managed ACEE, the ACEE is cached and does not expire after 5 minutes. |
| INTA_OUSP_RET | X'00800000' | Return an OUSP in the output area |
| INTA_X500_RET | X'00400000' | Return an X500 name pair (Note: When the function code is 6 (query), and the certificate is not installed in RACF, the attributes value must have INTA_X500_RET set) |
| Description | Length (Bytes) | ENVR_out Usage | ENVR_in Usage |
|---|---|---|---|
| ENVR object length | 4 | Output | Input |
| ENVR object storage area length | 4 | Input/Output (see Table 4) | Input |
| ENVR object storage area address | 4 | Input/Output (see Table 4) | Input |
| ENVR object storage area subpool | 1 | Input | n/a |
| ENVR object storage area key | 1 | Input | n/a |
| ENVR object storage area length | ENVR object storage area address | Result |
|---|---|---|
| Zero | Any value | RACF obtains storage size needed to contain ENVR object and sets ENVR object storage area length and address fields. |
| Nonzero | Zero | RACF obtains storage size specified or minimum needed to contain ENVR object and sets ENVR object storage area length and address fields. |
| Nonzero | Nonzero | RACF uses the area provided if large enough to contain ENVR object. If too small, RACF freemains the area, obtains a larger area, and sets ENVR object storage area length and address fields. |
| Offset | Length (Bytes) | Description |
|---|---|---|
| 0 | 4 | Length of name pair data structure |
| 4 | 2 | Length of issuer's name (1 to 255) |
| 6 | 2 | Length of subject's name (1 to 255) |
| 8 | 1 to 255 | Issuer's distinguished name |
| * | 1 to 255 | Subject's distinguished name |
| Offset | Length (Bytes) | Description |
|---|---|---|
| 0 | 4 | Number of value entries |
| 4 | 8 | Value name |
| 12(C) | 4 | Value length (1 to 255) |
| 16(10) | 1 to 255 | Value |