Using early verification processing
The CICS® signon routine invokes the SAF interface, using the RACROUTE REQUEST=VERIFY macro with the ENVIR=VERIFY option in problem-program state. Invoking this version of the macro has no effect if the ESM is RACF®, but other external security manager products can get control through the SAF exit interface, and perform their own early verification routine.
CICS defers the creation of the accessor environment element until the RACROUTE REQUEST=VERIFY macro with the ENVIR=CREATE option is issued to perform the normal verification routine. The ENVIR=CREATE version of the macro is issued by the security manager domain running in supervisor state.
CICS passes the following information on the ENVIR=VERIFY version of the RACROUTE REQUEST=VERIFY macro:
- USERID
- The userid of the user signing on to the CICS region.
- GROUP
- The group name, if specified, of the group into which the user wants to sign on.
- PASSWRD
- The user's password to verify the userid.
- NEWPASS
- A new value, if specified, for the user's password. This changes the existing password and is to be used for subsequent signons.
- OIDCARD
- The contents, if supplied, of an operator identification card.
- APPL
- The APPLID of the CICS region on which the user is signing on. Which APPLID is passed depends on what is specified as the system initialization parameter.
- INSTLN
- A pointer to a vector of CICS-related information, which you can map using the DFHXSUXP mapping macro. This pointer is valid only if ESMEXITS=INSTLN is specified as a system initialization parameter for the CICS region.
The installation data referenced by the INSTLN parameter includes a pointer, UXPCOMM, to a two-word communications area that can be used to pass information between the two phases of the signon verification process—between the early verification routine initiated by ENVIR=VERIFY, and the normal verification routine initiated by ENVIR=CREATE.
CICS maintains a separate communications area for each task, in CICS-key storage.