You install the security exits by installing the load module that
contains the exit into an APF-authorized library. ICSF uses this
normal search order to locate the exit:
- Job pack area
- Steplib (if one exists)
- Link pack area (LPA)
- Link list (SYS1.LINKLIB concatenation)
Use the EXIT keyword in the installation options data set to define
the ICSF name and load module name. For information about the
installation options data set, see Parameters in the installation
options data set. The EXIT keyword has this syntax:
- EXIT(ICSF name, load module name, FAIL(options))
The ICSF name portion of the keyword refers to the ICSF identifier
for each exit: CSFESECI, CSFESECT, CSFESECS, and CSFESECK. The load
module name is the name of the load module that contains the exit.
The name can be any valid name your installation chooses. The action
that the FAIL portion of the EXIT keyword specifies depends on the
type of security exit.
For the security initialization and termination exits, the FAIL
portion specifies the action ICSF takes if the exit cannot be loaded.
The valid FAIL options mean:
- NONE: Continue initialization even if exits cannot be loaded.
- SERVICE: Continue initialization even if exits cannot be loaded.
- EXIT: Continue initialization even if exits cannot be loaded.
- ICSF: End ICSF if exits cannot be loaded.
You must specify a FAIL option. If you do not, ICSF returns an
error message, ends abnormally, and generates an SVC dump when attempting
to load the exit.
If the security initialization exit ends abnormally, ICSF ends.
If the security termination exit ends abnormally, ICSF continues
to end.
For the security service and key exits, the FAIL portion specifies
the action ICSF takes if the exit cannot be loaded or ends abnormally.
When the service or key exit is loaded, the valid FAIL options mean:
- NONE: Continue initialization even if exits cannot be loaded.
- SERVICE: Continue initialization even if exits cannot be loaded.
- EXIT: Continue initialization even if exits cannot be loaded.
- ICSF: End ICSF if exits cannot be loaded.
You must specify a FAIL option. If you do not, ICSF returns an
error message, ends abnormally, and generates an SVC dump when attempting
to load the exit.
When the security service exit ends abnormally, the valid FAIL
options mean:
- NONE: Process subsequent calls to the service as if no abnormal
  ending occurred. Call the exit for each call of a service.
- SERVICE: Fail on subsequent calls to the particular service.
- EXIT: Do not call the exit again. Bypass the exit on subsequent
  calls to any IBM service.
- ICSF: End ICSF.
If the security service exit ends abnormally, ICSF ends the service
call before performing the service.
When the security key exit ends abnormally, the valid FAIL options
mean:
- NONE: Process subsequent attempts to access the in-storage CKDS as
  if no abnormal ending occurred. Call the exit for each access attempt.
- SERVICE: Fail on subsequent attempts to access the CKDS.
- EXIT: Do not call the exit again. Bypass the exit on subsequent
  accesses of the CKDS.
- ICSF: End ICSF.
If the security key exit ends abnormally, ICSF ends the attempt
to access the CKDS before performing the access.
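
An added example, not IBM's code: a small Python check that reads EXIT keywords in the syntax shown above and reports what each FAIL choice means for the four security exits, so that a missing FAIL option or a setting that bypasses the exit after an abnormal ending is caught during review. The sample options text and the load module names are constructed for illustration.

```python
import re

# Security exit identifiers and FAIL options as listed on this page.
SECURITY_EXITS = {"CSFESECI": "initialization", "CSFESECT": "termination",
                  "CSFESECS": "service", "CSFESECK": "key"}
FAIL_OPTIONS = {"NONE", "SERVICE", "EXIT", "ICSF"}

# EXIT(ICSF name, load module name, FAIL(option)). The FAIL part is optional
# in the pattern so that a missing one is reported rather than skipped.
EXIT_RE = re.compile(
    r"\bEXIT\s*\(\s*(\w+)\s*,\s*([\w$#@]+)\s*"
    r"(?:,\s*FAIL\s*\(\s*(\w*)\s*\)\s*)?\)", re.IGNORECASE)

# Constructed sample; the load module names are hypothetical.
SAMPLE_OPTIONS = """\
EXIT(CSFESECI,SECINIT,FAIL(ICSF))
EXIT(CSFESECT,SECTERM)
EXIT(CSFESECS,SECSERV,FAIL(EXIT))
EXIT(CSFESECK, SECKEY, FAIL(SERVICE))
"""


def audit_exits(options_text):
    """Return (icsf_name, load_module, finding) per security EXIT keyword."""
    findings = []
    for name, module, fail in EXIT_RE.findall(options_text):
        name, fail = name.upper(), fail.upper()
        kind = SECURITY_EXITS.get(name)
        if kind is None:
            continue  # not one of the four security exits
        if not fail:
            finding = "missing FAIL option: error, abnormal end and SVC dump at load"
        elif fail not in FAIL_OPTIONS:
            finding = f"FAIL({fail}) is not a valid option"
        elif fail == "ICSF":
            finding = "ICSF ends if the exit cannot be loaded"
        elif kind in ("initialization", "termination"):
            finding = "ICSF continues without the exit if it cannot be loaded"
        elif fail == "SERVICE":
            finding = "after an abend, subsequent calls or accesses fail"
        elif fail == "EXIT":
            finding = "after an abend, the exit is bypassed from then on"
        else:  # NONE
            finding = "after an abend, processing continues as if none occurred"
        findings.append((name, module.upper(), finding))
    return findings


if __name__ == "__main__":
    for row in audit_exits(SAMPLE_OPTIONS):
        print(*row, sep="  ")
```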