search cancel

Invalid Facility checked using of Compuware's Xpediter/Xchange

book

Article ID: 189926

calendar_today

Updated On:

Products

Top Secret Top Secret - LDAP WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

Issues with software product Xpediter/Xchange.

Xpediter/Xchange is a product of Compuware.

It is able to change the date or the time in an address-space, normally for batch-jobs, to provide proactively a series of test through the time, for example to test year-change processing or complex business transactions which are spread over more than one day.

Xpediter/Xchange contains functional security using SAF / RACROUTE to authorize users to set a specific date or time for a job or a pattern of jobs.

When the job starts, this authorization is checked: If the acid of the batchjob is different to the userid requesting that time-set, xpediter/xchange does an authorized login (without password) of the requesting userid.

The macro for that purpose is as follows: RACROUTE REQUEST=VERIFY,WORKA=RIBRACWK,ACEE=RIBACEE, * ENVIR=CREATE,LOC=BELOW,PASSCHK=NO,RELEASE=1.8, * USERID=RIBUSR,MF=(E,(1))

At this point, the problem arises, if the name of the batch-program corresponds to a program prefix in the facility matrix. Such a prefix is set by the FACILITY control option. E.g.: FACILITY(BBIS=PGM=BBM).

If an application program name starts with characters ‚BBM‘ the user of the RACROUTE VERIFY is checked for facility ‚BBIS‘.

But the user is not authorized to login to that facility.

How can the facility-assignment by program prefix be overruled, so that the RACROUTE VERIFY in the above case checks the login either with the original BATCH-Facility or with a facility somehow to be specified in the login-request or anyway without facility?

Is there a different option to solve that problem?

How could you proceed to change the program prefixes to ‚***‘ but to avoid negative impact for the operation ? in other words:

How could you detect, whether or not the program-prefix is used or not, to safely change it to ‚***‘. 

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

One can modify the RACROUTE VERIFY to override the facility that is chosen via the TSS facility table lookup.

One can assign a few different facilities, by adding parm session=xxxx, to the RACROUTE.

In order to have the user signon under the batch facility one needs to specify SESSION=INTBATCH or for STC one needs SESSION=STARTED.