Connector for RACF RRSF Support
The following figure depicts a non-managed node (RACFN) connected over RRSF to the managed node RACFM. Both the managed node and non-managed node contain the components of the Connector for RACF RRSF support feature supplied with Connector for RACF.
The following components and events are depicted:
- In the non-managed node (RACFN), the Connector Online Interceptor is operated in a special mode, called RRSF mode. (The Connector Online Interceptor is run with special JCL and parameters.)
- The Connector Online Interceptor running in the non-managed node (RACFN) starts Connector for RACF exit ICHRIX02 for RACF. ICHRIX02 handles user-initiated password changes and forwards them to the Online Interceptor, which is operating in RRSF mode.
- The Online Interceptor in the non-managed node encapsulates the password change event in a special RACF ALTUSER command that is directed only to (ONLYAT) the managed node (RACFM) over the existing RRSF connection between the two nodes.
- The encapsulated RACF command is automatically protected by RRSF using CDMF masking, like all RRSF traffic between nodes. For more information, see Securing Connector RRSF Support.
- On the managed node (RACFM), the Connector for RACF provides a new RACF command exit, IRREVX01. This exit traps the inbound RRSF encapsulating command that contains the password change event.
- The IRREVX01 exit forwards the password change event to the Online Interceptor operating on the managed node (RACFM) using cross-memory transfer.
- The Online Interceptor in the managed node treats the password event as if the event originated locally. Password change event interception proceeds as usual via the QUEUE dataset and the CD component. The event is sent to IdentityIQ and then automatically distributed to other Connector platforms.
In this manner, a user-initiated password change event proceeds:
- from the user on a non-managed RACF node
- via Connector for RACF on a managed node
- to IdentityIQ
- to all other MSCSs that participate in password synchronization