The RACF user exit parameter list
If you write RACF user exits, you can find the address of the installation data parameter list directly from the RACF user exit parameter list.
The name of the relevant field in the user exit parameter list varies according to the RACROUTE REQUEST type and the RACF user exit that is invoked. The relationships between REQUEST type, exit name, and field name are shown in Table 1.
RACROUTE REQUEST type | RACF exit | Exit list mapping macro | Parameter list field name (see Notes 1 and 2) |
---|---|---|---|
VERIFY | ICHPWX01 | ICHPWXP | PWXINSTL |
ICHPWX11 | ICHPWX2 | PWX2INST | |
ICHRIX01 | ICHRIXP | RIXINSTL | |
ICHRIX02 | ICHRIXP | RIXINSTL | |
AUTH | ICHRCX01 | ICHRCXP | RCXINSTL |
ICHRCX02 | ICHRCXP | RCXINSTL | |
FASTAUTH | ICHRFX01 | ICHRFXP | RFXANSTL |
ICHRFX02 | ICHRFXP | RFXANSTL | |
LIST | ICHRLX01 | ICHRLX1P | RLX1INST |
ICHRLX02 | ICHRLX2P | RLX2PRPA |
- The 'xxxINSTL' field points to the installation parameter list only if you code ESMEXITS=INSTLN in the CICS system initialization parameters. The default value for this parameter is NOINSTLN, which means that no installation data is passed. (Note that ESMEXITS cannot be coded as a SIT override.)
- RLX2PRPA contains the address of the ICHRLX01 user exit parameter list (RLX1P). Field RLX1INST of RLX1P points to the installation data parameter list.
- There is no RACF user exit for REQUEST=EXTRACT, and no installation parameter data is passed. Any customization must be done using the MVS™ router exit, ICHRTX00.
For brief descriptions of RACF exits and their functions, see the z/OS Security Server RACF Security Administrator's Guide. For full descriptions of the RACF exit parameter lists, see the RACF installation exits.
Guidelines on using RACF exits for CICS RACROUTE calls
CICS runs many RACROUTE requests, in particular those that create or delete an RACF access control environment element (ACEE) such as SIGNON, CHANGE PASSWORD, and CHANGE PHRASE commands on the RO TCB. Requests run serially on the RO TCB. Therefore, the exits should not run anything with a large elapse time; otherwise, other security requests or usage of the TCB would be blocked.