/SIGN command
The /SIGN command is used to sign on and sign off at terminals attached to IMS™.
This command enables IMS to identify who is using the terminal and to determine if you are authorized to enter the transaction or command.
Environment
The following table lists the environments (DB/DC, DBCTL, and DCCTL) from which the command can be issued.
Command | DB/DC | DBCTL | DCCTL |
---|---|---|---|
/SIGN | X | | X |
Syntax
                .-ON----------.
>>-+-/SIGN-+--+-+-------------+--userid--| A |-+---------------><
   '-/SIG--'  | +-PASSPHRASE--+                |
              | '-PASSPHRASEQ-'                |
              '-OFF----------------------------'

A

|--+-----------------+--+------------+--+----------------+------>
   '-USERD--userdesc-'  +-userpw-----+  '-APPL--applname-'
                        +-PassTicket-+
                        '-passphr----'

>--+------------------+----------------------------------------->
   '-GROUP--groupname-'

>--+-----------------------------------------------+------------>
   '-NEWPW--+-nuserpw--+--+----------------------+-'
            '-npassphr-'  '-VERIFY--+-nuserpw--+-'
                                    '-npassphr-'

>--+----------+-------------------------------------------------|
   '-userdata-'
Keywords
The following keywords are valid for the /SIGN command:
- ON
- /SIGN ON must be issued for any physical terminal or user ID requiring a signon, or the transaction entered is rejected.
From terminals that require signon, commands other than /SIGN or /RCLSDST are rejected if transaction authorization is requested. Static terminals requiring a signon also have enhanced command authorization with RACF® or an equivalent product if RCF=S or RCF=A is specified at system startup.
At terminals not requiring signon, transactions are passed to RACF, an equivalent security product, or a user exit for authorization checking. If /SIGN ON is entered at a terminal not requiring a signon, the signon is processed as if the terminal required a signon. That is, the terminal is placed in a signed on status with the user ID until a /SIGN OFF or another /SIGN ON command is entered.
After any IMS restart or terminal disconnect, the remote terminal operator is required to sign on again using the /SIGN ON command. A terminal can be disconnected by:
- A switched line disconnect
- A VTAM® CLSDST
- A line shutdown
- The /IDLE command
- Auto logoff
Signon status is also reset by the /START LINE, /START LINE PTERM, and /START NODE commands and auto signoff.
The remote terminal operator must wait at a static physical terminal for confidential responses, because responses queued for a given physical terminal are sent even if the physical terminal is signed off. If the remote terminal operator must be absent, the /LOCK command can be used to prevent output from being received. Confidential output sent to a dynamic user is queued to the user instead of to the physical terminal when the user has signed off. A successful signon of an existing user turns off the DEADQ status for the user, if that status exists.
For the user exit routine DFSCSGN0, the user ID and userdata parameter values are defined by the installation.
- PASSPHRASE
- The /SIGN PASSPHRASE command is equivalent to the /SIGN ON command except that it uses RACF password phrases instead of passwords for a signon. A RACF password phrase can be up to 100 bytes. IMS uses 100 bytes as the password phrase and removes leading and trailing blanks, if any, before passing it to RACF.
RACF password phrases are used for password, NEWPW, and VERIFY. RACF does not allow a mixture of passwords and password phrases. For example, if PASSPHRASE is specified on the /SIGN command, you must specify password phrases for all the other keywords such as NEWPW and VERIFY.
A blank is necessary after PASSPHRASE. There must be a blank between the 100-character password phrase and the next keyword. A period within the 100 characters does not end the /SIGN command. If there is no additional keyword after the password phrase, the password phrase does not need to have trailing blanks. If there are additional keywords after the password phrase, the password phrase needs to include trailing blanks for a total of 100 characters. If a password phrase is less than 9 bytes, IMS will pass the password phrase as a password to RACF. The PASSPHRASE keyword is most likely used on MFS panels, which fill the password phrase with trailing blanks.
RACF password phrases are always mixed case. It is not necessary to turn on mixed-case password for password phrases. The IMS system's default MFS panels do not support password phrases.
- PASSPHRASEQ
- The /SIGN PASSPHRASEQ command is equivalent to the /SIGN ON command except that it uses RACF password phrases instead of passwords for a signon. A password phrase must start with a single quotation mark (') and end with a single quotation mark. If you want to include a single quotation mark in a password phrase, you must specify two single quotation marks (''). For example,
'This is ''my'' passphrase.'
IMS removes the single quotation mark at the beginning and ending of the password phrase and also removes one single quotation mark if there are two single quotation marks following each other. PASSPHRASEQ must have at least one blank before the beginning single quotation mark. A password phrase can be up to 100 characters. If a password phrase is less than 9 characters, IMS will pass it as a password to RACF. RACF does not allow a mixture of passwords and password phrases. For example, if PASSPHRASEQ is specified on the /SIGN command, you must specify password phrases for all the other keywords such as NEWPW and VERIFY.
RACF password phrases are always mixed case. It is not necessary to turn on mixed-case password for password phrases. The IMS system's default MFS panels do not support password phrases.
- OFF
- The /SIGN OFF command is used to complete a session on a terminal that required a signon. Static terminals in conversational mode cannot be signed off without first issuing an /EXIT or /HOLD command.
Another method of signing off a terminal is to reenter the /SIGN ON command. This method initiates a new signon at the terminal without having to enter the /SIGN OFF command.
The /SIGN OFF command resets status that is not significant such as preset mode, test mode, lock lterm, pstop lterm, and purge lterm.
/SIGN OFF for ETO users will also take other actions depending on the recovery settings for the user:
- RCVYCONV=NO
- /SIGN OFF causes any IMS conversations (active and held) for an ETO user to be terminated. Any conversational message that is queued or being processed has its output response message delivered asynchronously.
- RCVYFP=NO
- /SIGN OFF causes Fast Path status and messages for an ETO user to be discarded.
- RCVYRESP=NO
- /SIGN OFF resets full-function response mode.
If global resource information is kept in Resource Manager, /SIGN OFF deletes the user ID from Resource Manager (if single user signon enforced) and resets status globally. If the user has no status, /SIGN OFF deletes the user and associated lterms from Resource Manager.
You can specify the following keywords and parameters with the ON, PASSPHRASE, or PASSPHRASEQ keyword:
- APPL
- A keyword that notifies IMS that the following character string should be the application name used by IMS when IMS makes the SAF call to verify the user. The default application name used by IMS is the IMSID. The IMSID can be overridden by the SAPPLID= parameter in the IMS PROCLIB member DFSDCxxx. If the signon specifies a PassTicket instead of a password, the APPL parameter should specify the application name used when the PassTicket was created. The creator of the PassTicket can specify any value to identify an IMS subsystem.
If RACF is used, APPL= should specify the name of the RACF PTKTDATA profile for IMS as defined to RACF by the creator of the PassTicket. If the name of the PTKTDATA profile is the same as the IMSID, the APPL keyword is not needed.
- GROUP
- Is an optional keyword indicating a group name of 8 characters or fewer that is associated with the user ID.
- NEWPW
- Is an optional keyword that indicates a new user password or a new password phrase that replaces the current user password or password phrase specified in userpw. Passwords can be mixed case or uppercase depending on what is specified on the PSWDC keyword in the DFSPBxxx IMS.PROCLIB member. RACF password phrases are always mixed case.
- nuserpw
- Is a new password of 8 characters or fewer that is associated with the user identification.
- npassphr
- Is a 9- to 100-character password phrase that is associated with the user identification. If PASSPHRASE is specified, the password phrase must be up to 100 characters. If PASSPHRASEQ is specified, the password phrase must be enclosed in single quotation marks. If a password phrase contains one or more single quotation marks, two single quotation marks must be specified for each single quotation mark.
- USERD
- Is a user descriptor name. This user descriptor name is used in the signon. The userdesc parameter must be a user ID, node name, or DFSUSER.
- userdata
- Is user identification information that has been defined to IMS with RACF, an equivalent security product, or the user exit routine, DFSCSGN0. For RACF, this information consists of the following:
userpw GROUP groupname NEWPW nuserpw
- userid
- Is a user identification of 8 characters or fewer.
- userpw | PassTicket | passphr
- Specifies user identification in one of the following formats:
- userpw
- Is a password of 8 characters or fewer that is associated with the user identification. Passwords can be mixed case or uppercase depending on what is specified on the PSWDC keyword in the DFSPBxxx IMS.PROCLIB member. If support for special characters is enabled in RACF, IMS supports RACF passwords that contain special characters.
- PassTicket
- A one-time password that is generated by a requesting product or function. The PassTicket is an alternative to the RACF password. Using a PassTicket removes the need to send RACF passwords across the network in clear text.
- passphr
- Is a 9- to 100-character password phrase that is associated with the user identification. If PASSPHRASE is specified, the password phrase must be up to 100 characters. If PASSPHRASEQ is specified, the password phrase must be enclosed in single quotation marks. If a password phrase contains one or more quotation marks, two single quotation marks must be specified for each single quotation mark.
- VERIFY
- Is an optional keyword that requests IMS to verify the new password entered. IMS verifies the new password before passing it to RACF or to the IMS signon exit routines. This keyword can also be used as an alternative to reentering the password on the DFS3656 panel.
Restriction: You can use this keyword only when responding to an IMS DFS3656A message and as an alternative to reentering the password on the DFS3656 panel.
- nuserpw
- Is a new password of 8 characters or fewer that is associated with the user identification.
- npassphr
- Is a 9- to 100-character password phrase that is associated with the user identification. If PASSPHRASE is specified, the password phrase must be up to 100 characters. If PASSPHRASEQ is specified, the password phrase must be enclosed in single quotation marks. If a password phrase contains one or more single quotation marks, two single quotation marks must be specified for each single quotation mark.
Usage notes
When SGN=G, Z, or M is specified, the user can sign on multiple times to both STATIC and ETO terminals when the structure name is different from the user ID.
For a static terminal, or a dynamic terminal that has the same SPQBname as the node name, a user will not be allowed to sign on unless all conversations are held, or the user is authorized to use the transaction for the active conversation.
If there is an active conversation for a static terminal, and the user is not authorized to use its transaction, the user can enter a /HOLD command prior to signing on to put all of the conversations in a held state. The user will then be allowed to sign on.
If there is an active conversation for a dynamic terminal that has the SPQBname the same as the node name, only a user that is authorized to use the transaction of the active conversation will be allowed to sign on. The /HOLD command is not allowed prior to signing on for a dynamic terminal.
If there is an active conversation for a dynamic terminal that has the SPQBname the same as the USERID, the conversation will be associated with that user at signoff. That same user can sign on to any dynamic terminal and continue the conversation if they are still authorized to use the conversational transaction. Any new user that signs on to the dynamic terminal will not be in a conversation unless they are continuing a conversation from a previous signon or starting a new conversation by entering an authorized conversational transaction.
The status fields of /DISPLAY NODE and /DISPLAY LINE PTERM indicate whether a terminal is signed on with the word SIGN.
You can use password phrases for user identification.
A period is normally used as the delimiter at the end of IMS commands. When support for special characters is enabled in RACF, a period becomes a valid character in the RACF password. Therefore, when a password is specified at the end of the /SIGN command, you must insert a space before the period that you are using as the end-of-command delimiter. If a space is not added before the period that you are using as the end-of-command delimiter and support for special characters is enabled in RACF, the period is treated as part of the password and not as a delimiter.
Examples
The following are examples of the /SIGN command:
Example 1 for /SIGN command
Entry ET:
DFS3649A /SIGN COMMAND REQUIRED FOR IMS
DATE: 11/03/92 TIME: 14:39:33
NODE NAME: DT327001
USERID: IMSUS01
PASSWORD: IMSPW01
USER DESCRIPTOR:
GROUP NAME:
NEW PASSWORD:
OUTPUT SECURITY AVAILABLE
Response ET:
DFS3650I SESSION STATUS FOR IMS
DATE: 11/03/92 TIME: 14:41:48
NODE NAME: DT327001
USERID: IMSUS01
PRESET DESTINATION:
CURRENT SESSION STATUS:
OUTPUT SECURITY AVAILABLE
Explanation: The user with user ID IMSUS01 and password IMSPW01 has successfully signed on to a dynamic terminal. The signon is done with the panel (DFS3649A).
Example 2 for /SIGN command
Entry ET:
/SIGN IMSUS02 IMSPW02
Response ET:
DFS3650I SESSION STATUS FOR IMS
DATE: 11/03/92 TIME: 14:41:48
NODE NAME: DT327001
USERID: IMSUS02
PRESET DESTINATION:
CURRENT SESSION STATUS:
OUTPUT SECURITY AVAILABLE
Explanation: The user with user ID IMSUS02 and password IMSPW02 has successfully signed on to a dynamic terminal. The signon is done with the /SIGN command.
Example 3 for /SIGN command
Entry ET:
/SIGN IMSUS03 IMSPW03
Response ET:
DFS3650I SESSION STATUS FOR IMS
DATE: 11/03/92 TIME: 14:45:53
NODE NAME: L3270A
USERID: IMSUS03
PRESET DESTINATION:
CURRENT SESSION STATUS:
NO OUTPUT SECURITY AVAILABLE
Explanation: The user with user ID IMSUS03 and password IMSPW03 has successfully signed on to a static terminal.
Example 4 for /SIGN command
Entry ET:
/SIGN PASSPHRASEQ IMSUS03 'this is my ''password'' now'
Response ET:
DFS3650I SESSION STATUS FOR IMS
DATE: 06/07/13 TIME: 15:26:42
NODE NAME: L3270A
USERID: IMSUS03
PRESET DESTINATION:
CURRENT SESSION STATUS:
NO OUTPUT SECURITY AVAILABLE
Explanation: The user with user ID IMSUS03 and password phrase this is my 'password' now has successfully signed on to a static terminal.
Example 5 for /SIGN command
Entry ET:
/SIGN PASSPHRASE IMSUS03 this is my 'password' now.
Response ET:
DFS3650I SESSION STATUS FOR IMS
DATE: 06/07/13 TIME: 15:36:42
NODE NAME: L3270A
USERID: IMSUS03
PRESET DESTINATION:
CURRENT SESSION STATUS:
NO OUTPUT SECURITY AVAILABLE
Explanation: The user with user ID IMSUS03 and password phrase this is my 'password' now. has successfully signed on to a static terminal. Note that the period is part of the password phrase and that no trailing blanks have been added.
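The PASSPHRASE and PASSPHRASEQ handling described under Keywords, and shown in Examples 4 and 5, can be modeled as follows. This is an added illustration, not IMS or RACF code; the function names are hypothetical, the sample values are constructed, and one character per byte is assumed.

```python
# Added illustration: a model of the /SIGN password-phrase rules on this page.
# Function names are hypothetical; this is not IMS or RACF code.
# Assumes one character per byte, as on a single-byte terminal code page.
FIELD_LEN = 100  # PASSPHRASE field width and maximum phrase length
MIN_PHRASE = 9   # anything shorter is passed to RACF as a password


def quote_passphraseq(phrase):
    """PASSPHRASEQ form: enclose in ' and double every embedded '."""
    if len(phrase) > FIELD_LEN:
        raise ValueError("password phrase exceeds 100 characters")
    return "'" + phrase.replace("'", "''") + "'"


def unquote_passphraseq(token):
    """What is passed on: outer quotes removed, each '' collapsed to '."""
    if len(token) < 2 or token[0] != "'" or token[-1] != "'":
        raise ValueError("phrase must start and end with a single quote")
    inner = token[1:-1]
    if "'" in inner.replace("''", ""):  # an undoubled quote ends the phrase early
        raise ValueError("embedded single quote must be doubled")
    return inner.replace("''", "'")


def pad_passphrase_field(phrase, more_keywords):
    """PASSPHRASE form: pad to 100 characters only if keywords follow."""
    if len(phrase) > FIELD_LEN:
        raise ValueError("password phrase exceeds 100 characters")
    return phrase.ljust(FIELD_LEN) if more_keywords else phrase


def read_passphrase_field(rest):
    """Take 100 characters as the phrase, then drop leading/trailing blanks."""
    return rest[:FIELD_LEN].strip(" ")


def racf_credential_kind(value):
    """Short values are checked as a password, not as a password phrase."""
    return "password" if len(value) < MIN_PHRASE else "password phrase"


if __name__ == "__main__":
    phrase = "this is my 'password' now."  # constructed, as in Example 5
    print("/SIGN PASSPHRASEQ IMSUS03 " + quote_passphraseq(phrase))
    field = pad_passphrase_field(phrase, more_keywords=True)
    print(repr(read_passphrase_field(field + " GROUP GRP1")))  # GRP1 is made up
    print(racf_credential_kind("short"), "/", racf_credential_kind(phrase))
```

The last function shows the case worth checking in panel or client code: a value shorter than 9 characters entered with PASSPHRASE or PASSPHRASEQ is verified as a RACF password rather than as a password phrase.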