Customization and Operation of Connector for RACF on the Managed Node
Use the following procedure to customize a managed node to support the RRSF feature.
- Prepare the RCFRRSTB security table. The RCFRRSTB security table is a data-only module that is link-edited with the IRREVX01 exit (provided on the RRSF managed node). The RCFRRSTB security table provides the following safeguards:
  - Prevents the impersonation of the source of the special RACF command that encapsulates the password change event.
  - Ensures that the special RACF command that encapsulates the password change event is accepted and interpreted by the IRREVX01 only when the command is shipped from an authorized Connector Online Interceptor on a non-managed node.
Note
Prior to preparing the RCFRRSTB table, review Securing Connector RRSF Support. It is recommended that you prepare the RCFRRSTB table in a test environment using the supplied sample source, prior to actual implementation. Initial sample source is supplied in member RCFRRSTB in the INSTALL library. This sample allows the IRREVX01 exit to accept the special RACF command (containing the user-initiated password change event) from any combination of origin node and user. You can assemble and link-edit the RCFRRSTB table as supplied to perform a fast initial end-to-end test of the RRSF feature.
To use the supplied sample source, submit the job whose JCL is in member ASMRRSTB in the Connector INSTALL library.
This job assembles and link-edits the supplied RCFRRSTB table into module CTSEVX01, which is loaded and operated as the IRREVX01 RACF exit.
- Specify the following console command to define module CTSEVX01 in the MVS operating system as RACF exit IRREVX01:
EXIT ADD EXITNAME(IRREVX01) MODNAME(CTSEVX01) STATE(ACTIVE)
DSNAME(ctsa.load.library)
This command can optionally be embedded in the system PARMLIB(PROGnn) member and subsequently issued by specifying the following command:
SET PROG=nn
Specify the following console command if you wish to delete the CTSEVX01 module from the RACF exit:
EXIT DELETE EXITNAME(IRREVX01) MODNAME(CTSEVX01)
Note
When module CTSEVX01 is defined as RACF exit IRREVX01, it handles password change events that are sent over RRSF from authorized Connector Online Interceptors on non-managed nodes (running in RRSF mode). The sole purpose of CTSEVX01 is to handle user-initiated password change events by forwarding them to the managed Connector Online Interceptor. CTSEVX01 ignores other events sent to it by RACF.
As with any exit defined using the MVS dynamic exit facility, CTSEVX01 can be operated alongside other modules that are added to the same RACF IRREVX01 exit.
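Because several modules can share the IRREVX01 exit, it is worth reviewing which ones a PROGnn member leaves attached and from which library each is loaded. The following Python check is an added example, not part of the product documentation; the member text, the OTHEREX1 and OLDEXIT module names, the SYS2 library names and the approved list are constructed for illustration, and only the statement keywords shown in the command above are parsed.

```python
import re

# Constructed PROGnn member text. OTHEREX1, OLDEXIT and the SYS2 libraries are
# hypothetical; ctsa.load.library is the placeholder used in the command above.
SAMPLE_PROG = """\
/* RACF exit for Connector RRSF support */
EXIT ADD EXITNAME(IRREVX01) MODNAME(CTSEVX01) STATE(ACTIVE)
     DSNAME(ctsa.load.library)
EXIT ADD EXITNAME(IRREVX01) MODNAME(OTHEREX1) STATE(ACTIVE)
     DSNAME(SYS2.UNREVIEWED.LOAD)
EXIT ADD EXITNAME(IRREVX01) MODNAME(OLDEXIT) DSNAME(SYS2.OLD.LOAD)
EXIT DELETE EXITNAME(IRREVX01) MODNAME(OLDEXIT)
"""

# One statement runs from "EXIT ADD|DELETE" to the next such statement or the end.
STMT = re.compile(r"\bEXIT\s+(ADD|DELETE)\b(.*?)(?=\bEXIT\s+(?:ADD|DELETE)\b|\Z)",
                  re.S | re.I)
KEYWORD = re.compile(r"(\w+)\(([^)]*)\)")

def exit_modules(prog_text, exit_name="IRREVX01"):
    """Return {module: {"state", "dsname"}} left on exit_name after all statements."""
    text = re.sub(r"/\*.*?\*/", " ", prog_text, flags=re.S)  # drop /* */ comments
    modules = {}
    for action, body in STMT.findall(text):
        kw = {k.upper(): v.strip().upper() for k, v in KEYWORD.findall(body)}
        if kw.get("EXITNAME") != exit_name:
            continue
        mod = kw.get("MODNAME", "")
        if action.upper() == "ADD":
            modules[mod] = {"state": kw.get("STATE", "(not specified)"),
                            "dsname": kw.get("DSNAME", "")}
        else:
            modules.pop(mod, None)  # a later DELETE removes the module again
    return modules

def review(modules, approved):
    """Return findings for modules or load libraries that are not approved."""
    findings = []
    for mod, info in sorted(modules.items()):
        if mod not in approved:
            findings.append(f"{mod}: module not on approved list")
        elif info["dsname"] != approved[mod]:
            findings.append(f"{mod}: library {info['dsname'] or '(none)'} "
                            f"differs from approved {approved[mod]}")
    return findings

if __name__ == "__main__":
    # Assumed approved list: only the Connector module, from its own load library.
    approved = {"CTSEVX01": "CTSA.LOAD.LIBRARY"}
    for line in review(exit_modules(SAMPLE_PROG), approved):
        print(line)
```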