Steps to implement CA ACF2 as the Enterprise Security Manager with TPX.
1. Specify ACF2 in the Security System field of the System Options Table (SMRT).
2. Put the application in an APF-authorized library, as described in the Installation Guide.
3. If you are running the product as a Multiple User Single Address Space System (MUSASS), you must:
4. If you are not running the product as a MUSASS, you must specify Y in the Bypass MUSASS Processing field of the SMRT.
5. If the CA-ACF2 CVT is pointed to by the CVTUSER field, specify CVTUSER in the CVT Location field of the SMRT.
6. If the CA-ACF2 CVT is offset into the ACTUSER area, specify OFFSET in the CVT Location field of the SMRT.
7. If you are using an attribute byte for the product, examine the CA-ACF2 Logon ID record (LIDREC) and determine the location of the attribute byte.
8. Examine the byte for the location of the CA-TPX bit.
It is recommended to use the Security Action/Message Table (SAMT) to customize the response of the product to messages produced by ACF2.
SAMT uses sense code for RACF or message ID for ACF2, to determine the proper action to return code messages.
The SAMT will contain an entry for the RACF sense code or ACF2 message ID.
The entry will specify what action to take, the cursor position, whether to suppress the message, and what message to display.
For additional information on using this table, see the Administrator Guide - Security Action/Message Tables.
You can use the ACF2 interface to specify how TPX determines profiles for dynamic users. (optional)
Here are two methods for defining profile selection :
NOTE: The TPXUSNSF exit can be used to add profiles to or delete profiles from the list provided by the security system.
Example of PROFILE-LEVEL PROFILE SELECTION:
* Security System: ACF2 * Profile Selection: PROF
* Alias Name: * Resource Class: CA$TPX
VTAM Authorized Path Facility: Y
Large Message Processing Option: Y
Rtasks (Number of servers): 03
Load profiles at startup: Y
Nothing needs to be ADDed to ACF2, but a resource RULE (RSRC) is needed to allow access.
By default, with CLASS=CA$TPX, ACF2 will use resource type of CA$ for resource rule validation.
If a different resource type is to be setup, update the CLASMAP element in the CONTROL(GSO) record.
You may add a CLASMAP if needed:
INSERT CLASMAP.TPX RESOURCE(CA$TPX) RSRCTYPE(nnn) ENTITYLN(39) ; where nnn is the type code
Create or update the ACF2 RESOURCE RULE for the profname and TYPE to allow access:
UID(uid string of user) SERVICE(READ) ALLOW
Depending on your security system, TPX may receive return codes, message IDs, or both from the security system when a user attempts to logon.
If SAF is used as the Security System in place of ACF2, TPX uses the group name(s), received from the security system as the profile names to match in TPX.
When - Return Messages from SAF is turned on (Y) in panel TEN0090.
This specifies whether messages from SAF should be returned to TPX.
The default is N, in which case the return and reason codes will determine a message that is displayed from the TENMSGL member, in the same way that RACF operates.
The limitation when using SAF instead of ACF2 is that the ACF messages will not be received from the security system - return codes.
The SAMT (security action message table) is used to interpret the return codes. The SAMT (table) called 'SAF' is the one to use in this instance.