IKJEFLN2 receives control before the address space security environment is fully established.
In the non-OPERCMDS world this did not matter, as IKJEFLN2 is invoked in supervisor state and can issue the operator command using MGCRE without problems.

When OPERCMDS is active, the authority checking requires some sort of identity so that it can verify the caller's ability to issue the command. Without the security environment existing, it cannot do this and the failure message you see is the result of that - I believe the "jobname" in the message is just leftovers from previous calls and has nothing to do with the actual IKJEFLN2 invoker.

So, to get IKJEFLN2 to successfully issue the operator command with OPERCMDS active, it has to "help" SAF understand the identity of the caller. It does this by building a UTOKEN using the RACROUTE REQUEST=TOKENBLD service and then plugging this into the MGCRE macro service parameters.

The UTOKEN formats for each SAF class (e.g. OPERCMDS) are documented in the RACF manuals and the MGCRE macro in the normal "Auth ASM" manuals.

Rob Scott
Developer
Rocket Software
275 Grove Street * Newton, MA 02466-2272 * USA
Tel: +1.617.614.2305
Email: rsc...@rs.com
Web: www.rocketsoftware.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Elardus Engelbrecht
Sent: 23 February 2010 14:27
To: IBM-MAIN@bama.ua.edu
Subject: Re: TSO reconnect (ikjefln2) reject by RACF

Rob Scott wrote:

>Be aware that when the RACF OPERCMDS class is active, the IKJEFLN2 exit has to be modified to construct a security token to pass to the MGCRE service.
>AFAIK there is no way around this pre z/OS 1.11

Please, could you be very kind to provide any useful documentation(s) or links about this interesting tidbit?

Just curious, if you don't mind. Many thanks in advance.
Groete / Greetings
Elardus Engelbrecht

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html