How To Add Control Over ACCOUNT Field for TSO Sign On?

Article ID: 48698

Products

Cleanup Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services CA ECOMETER SERVER COMPONENT FOC Easytrieve Report Generator for Common Services INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA ON DEMAND PORTAL CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware Top Secret Top Secret - LDAP Top Secret - VSE

Issue/Introduction

Description:

The main goal here is to control the ACCOUNT field on every TSO logon.

Unfortunately, in the TSSINSTX POST-INIT entry, the field TXAIACCT, which should contain an address pointing to the ACCOUNT field, is always empty.

Solution:

TSSINSTX is the Top Secret Site Security Installation Exit, which is documented in the CA Top Secret User Guide, Chapter 19:

Chapter 19: Extending Security With Site Security Exits.

The signon for normal TSO/E processing does NOT provide the ACTINFO= parameter, so the exit cannot be used to check the ACCT information entered at logon time. That is why TXAIACCT is always zero.

However, if an SMS signon is required, that signon will provide the ACTINFO= information. This means that any procedure that contains a DD statement with DISP=NEW or DISP=MOD (including any DD statement without DISP=, as the default is DISP=NEW) will pass the account information to the exit, but any procedure without such a DD statement will NOT.

That makes TSSINSTX unreliable for checking account information on TSO logons. It is likely that TSO exits (possibly IKJEFLN2) would work better, although the coding would be substantially different.

That said, TSSINSTX can be used if the two conditions below are met:

First, SMS must be active on the system.

Second, a temporary dataset must be allocated in every TSO procedure.

As shown below:


//DUMMYDD  DD  UNIT=SYSDA,SPACE=(TRK,(1,1))   
 
Then the TSSINSTX POST-INIT entry code could be:     
 
         L     R2,TXAITYPE          TSO?
         CLI   0(R2),X'03'
         BNE   EXIT0                NO, GET OUT
         ICM   R8,15,TXA#PGMS
         BZ    EXIT0
         LA    R8,10(R8)            SKRUNPG1 (SMS)
         CLC   0(8,R8),=C'IEFNB903'
         BNE   EXIT0                NO SMS CALL
         CLC   TXAIACCT,=F'0'       ACCOUNT ADDRESS ZERO?
         BNE   ACCTFND              NO, ACCOUNT DATA PASSED
         WTO   'POSTINIT DID NOT FIND ACCT INFO'
         B     EXIT0
ACCTFND  DS    0H
         WTO   'POSTINIT FOUND ACCT INFO'
         B     EXIT0

This code is written to make sure the exit checks the correct event, the one from which the ACCOUNT data can be retrieved.
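
To find which TSO logon procedures already meet the second condition, the following added example (not from the original article or from CA Top Secret) parses procedure JCL and lists the DD statements that, by the DISP rule stated above, would drive an SMS signon and so pass ACCOUNT data to TSSINSTX. Assumptions: the function names and sample procedures are constructed here, and DD statements that allocate no dataset (DUMMY, *, DATA, SYSOUT=, TERM=) are not counted.

```python
import re

# Operands that allocate no dataset. Skipping them is an assumption of this example.
NO_DATASET = re.compile(r"^(?:DUMMY|\*|DATA)(?:,|$)|(?:^|,)(?:SYSOUT|TERM)=")
DISP = re.compile(r"(?:^|,)DISP=\(?([A-Z]*)")

def dd_statements(jcl):
    """Return [ddname, operands] for each DD statement, joining continuation lines."""
    stmts, pending, last_name = [], None, ""
    for raw in jcl.splitlines():
        line = raw[:71].rstrip()                 # columns 72-80 hold no operands
        if not line.startswith("//") or line.startswith("//*"):
            continue                             # in-stream data or comment
        body = line[2:]
        if pending is not None and body[:1] == " ":
            pending[1] += (body.split() or [""])[0]   # continued operand field
        else:
            tokens = ([""] if body[:1] == " " else []) + body.split() + ["", "", ""]
            name, op, operands = tokens[:3]
            last_name = name or last_name        # unnamed DD is a concatenation
            pending = [last_name, operands] if op == "DD" else None
            if pending:
                stmts.append(pending)
        if pending is not None and not pending[1].endswith(","):
            pending = None                       # operand field is complete
    return stmts

def triggers_sms_signon(operands):
    """The article's rule: DISP=NEW, DISP=MOD, or no DISP= (default is NEW)."""
    if NO_DATASET.search(operands):
        return False
    m = DISP.search(operands)
    return m is None or m.group(1) in ("", "NEW", "MOD")

def account_info_dds(jcl):
    """DD names in a logon procedure that would pass ACCOUNT data to the exit."""
    return [name for name, ops in dd_statements(jcl) if triggers_sms_signon(ops)]

# Constructed sample logon procedures (not from the article).
PROC_WITHOUT = """\
//TSOPROC  PROC
//LOGON    EXEC PGM=IKJEFT01,DYNAMNBR=50
//SYSPROC  DD  DSN=SYS1.SAMPLE.CLIST,
//             DISP=SHR
//SYSPRINT DD  TERM=TS
"""
PROC_WITH = PROC_WITHOUT + "//DUMMYDD  DD  UNIT=SYSDA,SPACE=(TRK,(1,1))\n"

if __name__ == "__main__":
    for label, proc in (("without", PROC_WITHOUT), ("with", PROC_WITH)):
        print(label, account_info_dds(proc) or "no ACCOUNT data reaches TSSINSTX")
```

A procedure for which the list is empty is one where TXAIACCT stays zero in the POST-INIT entry, so it needs the temporary dataset DD shown earlier before the exit can be relied on.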

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component: