How To Add Control Over ACCOUNT Field for TSO Sign On?


Article ID: 48698





The main goal here is to control the ACCOUNT field on every TSO logon.

Unfortunately, in the TSSINSTX POST-INIT entry, the field TXAIACCT, which should contain the address of the ACCOUNT field, is always empty.


TSSINSTX is the Top Secret Site Security Installation Exit, which is documented in Chapter 19 of the CA Top Secret User Guide:

Chapter 19: Extending Security With Site Security Exits.

The signon for normal TSO/E processing does NOT provide the ACTINFO= parameter, and thus can't be used to check the ACCT information entered at logon time. That is why TXAIACCT is always zeroed.

However, if an SMS signon is required, that signon will provide the ACTINFO= information. This means that any procedure that contains a DD statement with DISP=NEW or DISP=MOD (including any DD statement without DISP=, as the default is DISP=NEW) will pass the account information to the exit, but any procedure without such DD statement will NOT.

That makes TSSINSTX unreliable for checking account information on TSO logons. It is likely that TSO exits (possibly IKJEFLN2) would work better, although the coding would be substantially different.

That said, TSSINSTX can be used if the two conditions below are met:

First, SMS must be active on the system.

Second, a temporary data set must be allocated in any TSO procedure.

As shown below:
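The difference between a logon procedure that passes the account information to the exit and one that does not, as an added example that is not from the original article. The member names TSOPLAIN and TSOACCT, the DD name ACCTTRIG and the temporary data set name &&ACCTTRG are hypothetical, and the two procedures are separate PROCLIB members shown together.

```jcl
//* Constructed example; member and DD names are hypothetical.
//*
//* Member TSOPLAIN: every DD is DISP=SHR, so per the article no
//* SMS signon occurs and TXAIACCT stays zero in POST-INIT.
//TSOPLAIN PROC
//LOGON    EXEC PGM=IKJEFT01,DYNAMNBR=100
//SYSHELP  DD  DSN=SYS1.HELP,DISP=SHR
//SYSPRINT DD  TERM=TS
//SYSIN    DD  TERM=TS
//*
//* Member TSOACCT: same procedure plus one temporary data set.
//* DISP=NEW (also the default when DISP= is omitted) is what the
//* article says causes the SMS signon that supplies ACTINFO=.
//TSOACCT  PROC
//LOGON    EXEC PGM=IKJEFT01,DYNAMNBR=100
//SYSHELP  DD  DSN=SYS1.HELP,DISP=SHR
//ACCTTRIG DD  DSN=&&ACCTTRG,DISP=(NEW,DELETE),
//             UNIT=SYSALLDA,SPACE=(TRK,(1,1))
//SYSPRINT DD  TERM=TS
//SYSIN    DD  TERM=TS
```

Users who can still select a procedure like TSOPLAIN bypass the ACCOUNT check in the exit, so every logon procedure they are permitted to use needs the temporary data set.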

Then the TSSINSTX POST-INIT entry code could be:

         L     R2,TXAITYPE          TSO?
         CLI   0(R2),X'03'
         BNE   EXIT0                NO, GET OUT
         ICM   R8,15,TXA#PGMS
         BZ    EXIT0                TXA#PGMS ZERO, GET OUT
         LA    R8,10(R8)            SKRUNPG1 (SMS)
         CLC   0(8,R8),=C'IEFNB903'
         BNE   EXIT0                NO SMS CALL
         CLC   TXAIACCT,=F'0'       ACCOUNT POINTER ZERO?
         BNE   ACCTFND              NO, ACCT INFO PRESENT
         WTO   'POSTINIT DID NOT FIND ACCT INFO'
         B     EXIT0
ACCTFND  DS    0H
         WTO   'POSTINIT FOUND ACCT INFO'
         B     EXIT0

This code ensures that the check runs only for the event from which the ACCOUNT data can be retrieved.


Release: TOPSEC00200-15-Top Secret-Security