For RACF users — the RACF user exit parameter list
If you are a RACF® user, you can find the address of the installation data parameter list directly from the RACF user exit parameter list. The name of the relevant field in the user exit parameter list varies according to the RACROUTE REQUEST type and the RACF user exit that is invoked.
The relationships between REQUEST type, exit name, and field name are shown in Table 1.
| RACROUTE REQUEST type | RACF exit | Exit list mapping macro | Parameter list field name |
|---|---|---|---|
| VERIFY | ICHRIX01 | ICHRIXP | RIXINSTL |
| VERIFY | ICHRIX02 | ICHRIXP | RIXINSTL |
| AUTH | ICHRCX01 | ICHRCXP | RCXINSTL |
| AUTH | ICHRCX02 | ICHRCXP | RCXINSTL |
| FASTAUTH | ICHRFX01 | ICHRFXP | RFXANSTL |
| FASTAUTH | ICHRFX02 | ICHRFXP | RFXANSTL |
| LIST | ICHRLX01 | ICHRLX1P | RLX1INST |
| LIST | ICHRLX02 | ICHRLX2P | RLX2PRPA See note 2. |
| EXTRACT | Not available | Not available | None |
Note:
- The xxxINSTL field points to the installation parameter list only if you specify INSTLN on the ESMEXITS system initialization parameter. The default value of this parameter is NOINSTLN, which means that no installation data is passed.
- RLX2PRPA contains the address of the ICHRLX01 user exit parameter list (RLX1P). Field RLX1INST of RLX1P in turn points to the installation data parameter list.
- As a result of RACF APAR OA43999, passwords will no longer be available to the ICHRIX01 user
exit when the passwords are valid. In normal usage, the exit will only have access to the password
if the password was invalid. This is because the verification and changing of passwords is now
performed separately from the sign-on. This has changed the RACF calls made during the sign-on, as
well as the data available to user exits invoked as part of those calls. The following steps are performed:
- RACF service IRRSPW00 is called to verify the supplied password. This service does not drive any user exits. If the password verification fails, or the supplied password is a PassTicket, or the password is valid but there was a previous failure, then a RACROUTE REQUEST=VERIFYX call is made. The ICHRIX01 user exit is invoked and is passed installation data.
- If a password change operation is requested, a RACROUTE REQUEST=VERIFYX call is made to verify the original password and to perform the password change operation. The ICHRIX01 user exit is invoked and is passed installation data.
- The sign-on uses RACROUTE REQUEST=VERIFY. This call invokes the ICHRIX01 user exit and passes installation data. The password and any new password are not available.
- There is no RACF user exit for REQUEST=EXTRACT, and no installation parameter data is passed. Any customization must be done using the MVS router exit, ICHRTX00.
For full descriptions of the RACF exit parameter list, see z/OS Security Server RACF Security Administrator's Guide. For more information about CICS® security processing using RACF, see RACF facilities.