Postprocessing exit (ICHRIX02)
The RACROUTE REQUEST=VERIFY(X) postprocessing exit routine must be named ICHRIX02. It gets control after:
- User identification
- User verification
- Terminal authorization checking
This exit must be reentrant and is invoked in supervisor state, with protection key 0, with no locks held.
The exit can have any RMODE, but AMODE should be AMODE(31) or AMODE(ANY) for the best use of virtual storage.
When the RACROUTE REQUEST=VERIFY(X) postprocessing exit routine receives control, RACF® has already performed the main function (for example, ACEE creation and statistics recording), but has not written any SMF records or issued any ICH408I messages.
Changes that you make to the database in the postprocessing exit are not reflected in the ACEE until the next RACROUTE REQUEST=VERIFY. You should make database updates in the preprocessing exit.
If you must update the RACF database in the postprocessing exit, consider using one of the following approaches to ensure that the ACEE is correct:
- After the exit updates the database, return to the RACROUTE REQUEST=VERIFY with a return code of 4, indicating a retry. This ensures that the ACEE is rebuilt with the updated information.
- Update the ACEE directly with the same update that is made to the database. For example, if the exit updates INSTDATA in the database, it should also update ACEEINST in the ACEE. This ensures that the current ACEE matches the database, and that a refreshed copy of the ACEE is placed in VLF if the IRRACEE VLF class is active.
Note: If user-related custom fields (extracted from the CSDATA segment of the USER profile) are available in the ACEE, the ACEECSDE bit is on. You can retrieve this data from within ICHRIX02 by invoking the R_GetInfo callable service (IRRSGI00) and specifying as input the address of the ACEE that was received by the exit. For more information, see R_GetInfo (IRRSGI00): Get security server fields in z/OS® Security Server RACF Callable Services in the z/OS Internet library.
z/OS Security Server RACF Data Areas in the z/OS Internet library contains a mapping of the RACROUTE REQUEST=VERIFY(X) exit parameter list, RIXP.
Note: If the IDTA keyword is specified and the IDTDATA class is active, the ICHRIX02 return code 4 is not valid. In this case, RACROUTE REQ=VERIFY fails with the 8/70/6 return codes.