Customization and Operation of Connector for RACF on Non-Managed Nodes

Use the following procedure to customize each non-managed system to be handled via the managed system.

  1. Ensure that the Connector for RACF operation libraries are available on the non-managed node. (Either copy the libraries to the node or place the libraries on a shared DASD.)

  2. Review the RCFRRSF member located in the Connector PROCLIB library. The member contains the JCL used to start the local Online Interceptor in RRSF mode.

    Copy this member to the PROCLIB library of each non-managed system.

    Associate the Connector Online Interceptor started task with a RACF user ID (local user).

    Note
    The Online Interceptor started task allocates a one-record temporary dummy QUEUE dataset that is opened, but never used.

  3. An RRSF MANAGED user ID association must be defined between the RACF user ID associated with the non-managed node's Online Interceptor started task (local_user) and the RACF remote user on the RACF managed system.

    This association is performed using the RACLINK command and is required for command direction of the special RACF ALTUSER command that encapsulates the user-initiated password change event.

    The syntax of the RACLINK command is:

    RACLINK ID(local_user) DEFINE(target_node.remote_user) MANAGED

    where:

    • local_user – RACF local user ID associated with the Connector Online Interceptor started task

    • target_node – Target RRSF managed system

    • remote_user – RACF remote user on the target RRSF managed system

    For example:

    RACLINK ID(STCUSER) DEFINE(RACFM.CTSUSER) MANAGED

    This command defines a MANAGED user ID association between the local user STCUSER and user CTSUSER on the remote RRSF node RACFM. Such a MANAGED association allows one-way RRSF command direction from local user STCUSER to remote user CTSUSER on the remote node RACFM.

  4. Enable RRSF command direction by the RACF user ID associated with the Online Interceptor started task (local_user) to the target managed RACF node.

    This is achieved in RACF by creating a class RRSFDATA resource (for example, DIRECT.RACFM) and granting permission for this resource to the RACF local user.

    Specify the following commands to perform these actions:

    RDEF RRSFDATA resource_name UACC(NONE)
    PERMIT resource_name CLASS(RRSFDATA) ID(local_user) ACCESS(READ)
    SETROPTS RACLIST(RRSFDATA) REFRESH

    where:

    • resource_name – Name of the class RRSFDATA resource.

    • local_user – RACF user ID associated with the Online Interceptor started task in the non-managed node.

    Example (using the DIRECT.RACFM resource name and the STCUSER started-task user from the previous steps):

    RDEF RRSFDATA DIRECT.RACFM UACC(NONE)
    PERMIT DIRECT.RACFM CLASS(RRSFDATA) ID(STCUSER) ACCESS(READ)
    SETROPTS RACLIST(RRSFDATA) REFRESH

  5. Review and edit member RRSFPARM in the PARM library. This member contains a subset of RSSPARM parameters, as well as parameters that are unique to the Connector Online Interceptor in RRSF mode. The following parameters are of particular importance. Parameters are listed with sample values:

    RRSFONLI RSS_TYPE           RACF
    RRSFONLI TARGET_NODE        RACFM
    RRSFONLI TARGET_USER        CTSUSER
    RRSFONLI DUMMY_USER         $#@$$@#$
    RRSFONLI ONLI_DYNAM_PWX01   N
    RRSFONLI ONLI_DYNAM_RIX02   Y

    Each parameter is explained below:

    • RSSNAME (the first column of each line) must be RRSFONLI; the same name is specified in the local node Online Interceptor JCL using PARM=.

    • RSS_TYPE must be RACF.

    • TARGET_NODE is the RRSF ID of the target managed node.

    • TARGET_USER is a RACF user on the target managed node to which the encapsulating RACF command (ALTUSER) is directed. This is the user that was assigned a RACLINK association in step 3.

    • DUMMY_USER is a string expressed using the syntax of a RACF user; however, this user is never defined in any RACF node. The dummy user name is used in the special RACF ALTUSER command that encapsulates the password change event sent from the non-managed node to the managed node.

    • ONLI_DYNAM_PWX01 must be set to N on the non-managed node to prevent the activation of the Connector for RACF exit ICHPWX01, which traps local password change events performed by the RACF administrator via the ALTUSER or PASSWORD command.

      Caution
      Do not perform a static installation of ICHPWX01.

    • ONLI_DYNAM_RIX02 must be set to Y to enable Connector for RACF to dynamically load the ICHRIX02 exit, which traps user-initiated password change events.

      Alternatively, ICHRIX02 can be statically installed and loaded during operating system IPL. For more information, see Method 2–Static Installation in 3 – Install RACF Exits ICHRIX02 and ICHPWX01.

      Note
      The parameters TARGET_USER and DUMMY_USER must exactly correspond to the contents of the RCFRRSTB table, where RCFRRSTB is used by the IRREVX01 exit on the managed node to enforce security for incoming RACF commands that encapsulate password change events. For more information, see Customizing the RCFRRSTB Table.

  6. Start the Connector Online Interceptor in RRSF mode on the non-managed node by specifying the following command:

    START prefixRRSF

    where prefix is the chosen three-character prefix for Connector JCL procedures (for example, START RCFRRSF when the prefix is RCF, matching the RCFRRSF member reviewed in step 2).
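The following Python script is an added pre-flight check for steps 3 through 5 above; it is not part of the Connector for RACF product and does not run on z/OS. It parses an RRSFPARM-style member (a constructed sample matching the values shown in step 5), verifies the parameter settings this procedure requires (RSS_TYPE, ONLI_DYNAM_PWX01, ONLI_DYNAM_RIX02, RACF name syntax, and that DUMMY_USER is distinct from the real user IDs), and renders the RACLINK and RRSFDATA command sequence from steps 3 and 4 so the commands actually issued on the managed node can be compared against the TARGET_NODE and TARGET_USER the non-managed node will direct to. The DIRECT.<node> resource naming and the RACF name regex are assumptions taken from the example on this page, not product rules.

```python
"""Pre-flight consistency check for a non-managed RRSF node's Connector setup.

Added example: parses an RRSFPARM member, validates the settings the procedure
requires, and renders the matching RACLINK / RRSFDATA commands for review.
"""
import re

# Constructed sample RRSFPARM member text (values mirror the page's step 5).
SAMPLE_RRSFPARM = """\
RRSFONLI RSS_TYPE           RACF
RRSFONLI TARGET_NODE        RACFM
RRSFONLI TARGET_USER        CTSUSER
RRSFONLI DUMMY_USER         $#@$$@#$
RRSFONLI ONLI_DYNAM_PWX01   N
RRSFONLI ONLI_DYNAM_RIX02   Y
"""

# Assumption: RACF user IDs and node names are 1-8 characters from A-Z, 0-9, @, #, $.
RACF_NAME = re.compile(r"^[A-Z0-9@#$]{1,8}$")

# Values the procedure fixes for a non-managed node.
REQUIRED = {"RSS_TYPE": "RACF", "ONLI_DYNAM_PWX01": "N", "ONLI_DYNAM_RIX02": "Y"}


def parse_rrsfparm(text):
    """Return {parameter: value} from an RRSFPARM member; RSSNAME must be RRSFONLI."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # blank or comment line
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed RRSFPARM line: {raw!r}")
        rssname, key, value = parts
        if rssname != "RRSFONLI":
            raise ValueError(f"RSSNAME must be RRSFONLI, found {rssname}")
        params[key] = value
    return params


def check_rrsfparm(params, local_user):
    """Return a list of problems; an empty list means the member passes."""
    problems = []
    for key, want in REQUIRED.items():
        got = params.get(key)
        if got != want:
            problems.append(f"{key} must be {want}, found {got}")
    for key in ("TARGET_NODE", "TARGET_USER", "DUMMY_USER"):
        val = params.get(key)
        if val is None or not RACF_NAME.match(val):
            problems.append(f"{key} missing or not in RACF name syntax: {val}")
    # DUMMY_USER is never defined in any RACF node, so it must not collide
    # with the started-task user or the target user.
    dummy = params.get("DUMMY_USER")
    if dummy in (local_user, params.get("TARGET_USER")):
        problems.append("DUMMY_USER must not equal a real RACF user ID")
    if not RACF_NAME.match(local_user):
        problems.append(f"local_user not in RACF name syntax: {local_user}")
    return problems


def render_commands(local_user, params):
    """Render the step 3 and step 4 commands implied by the RRSFPARM values.

    Assumption: the RRSFDATA resource is named DIRECT.<TARGET_NODE>, as in the
    page's DIRECT.RACFM example.
    """
    node, user = params["TARGET_NODE"], params["TARGET_USER"]
    resource = f"DIRECT.{node}"
    return [
        f"RACLINK ID({local_user}) DEFINE({node}.{user}) MANAGED",
        f"RDEF RRSFDATA {resource} UACC(NONE)",
        f"PERMIT {resource} CLASS(RRSFDATA) ID({local_user}) ACCESS(READ)",
        "SETROPTS RACLIST(RRSFDATA) REFRESH",
    ]


if __name__ == "__main__":
    parsed = parse_rrsfparm(SAMPLE_RRSFPARM)
    issues = check_rrsfparm(parsed, "STCUSER")
    print("RRSFPARM check:", "OK" if not issues else issues)
    for cmd in render_commands("STCUSER", parsed):
        print(cmd)
```

Run it against the real RRSFPARM member text (for example, after copying the member off the non-managed node) and diff the rendered commands against what was issued on the managed node: a TARGET_NODE or TARGET_USER that does not match the RACLINK DEFINE target, or a missing PERMIT on the DIRECT.<node> resource, is the usual reason the directed ALTUSER never reaches the managed node.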