Password Change Notification Exit Conflict
At some sites, the password exit that is invoked for password change events may already be in use for another function. Mainframe Connector provides a collection of macros that can be used to drive the individual exits and package them into a single exit replacement.
These macros can be used in RACF environments for the ICHPWX01 exit and in ACF2 environments for the NEWPXIT exit. TopSecret customers who are already using TSSINSTX in their environment should contact Bravura Security for recommendations on how to incorporate the Mainframe Connector requirements for TSSINSTX with those of the customer.
Three macros are used for this purpose. They are
#SETUP
#XITRTN
#TERM
These macros have been included in the installation sample job library included with the Mainframe Connector installation material.
#SETUP
The #SETUP macro is used to initialize the exit environment. Three parameters can be coded on the macro: BASE, AMODE, and RMODE.
BASE is used to indicate the base register for the exit driver module. The default is BASE=R12. Although no validation checks are made in the #SETUP macro, the value for BASE should be restricted to R2 – R12, inclusive.
AMODE is used to indicate the addressing mode of the exit driver module. The default is AMODE=31. Valid values are AMODE=24 and AMODE=31.
RMODE is used to indicate the residency mode of the exit driver module. The default is RMODE=ANY. Valid values are RMODE=24 and RMODE=ANY.
#SETUP macro usage examples might look like the following:
ICHPWX01 #SETUP BASE=R10,AMODE=31,RMODE=24
ICHPWX01 #SETUP
The label is required for the #SETUP macro.
#XITRTN
The #XITRTN macro is used to include the individual exit routines. Two parameters can be coded on the macro: NAME and COND.
NAME is used to indicate the module name of a particular individual exit. There is no default for NAME and it must be coded if the #XITRTN macro is used.
COND is used to indicate the highest return code from any previous #XITRTN routine that will be tolerated for the current routine to still execute. For example, COND=4 indicates that the current routine should execute only if no previous exit routine has returned a return code greater than 4. A default of COND=0 is assumed if no COND parameter is coded on the #XITRTN macro.
#XITRTN macro usage examples would look as follows:
EXIT1    #XITRTN NAME=PSYNCXIT,COND=0
EXIT2    #XITRTN NAME=OURPWXIT,COND=8
#TERM
The #TERM macro is used to perform cleanup for the #SETUP macro and to return control to the MVS security product caller. The #TERM macro accepts one parameter: RC.
RC is used to indicate the exit return code that will be passed back to the original caller. It should be set to the highest return code value that was returned from any of the #XITRTN exit routines.
#TERM macro usage examples would look as follows:
         #TERM RC=(R5)
         END
         #TERM RC=8
The #TERM macro establishes register equates and a DSECT mapping for the temporary storage obtained in the #SETUP macro. The following labels are used by the temporary storage mapping:
TEMPSTOR
SAVEAREA
R1VAL
LASTRC
HIGHRC
External to the scope of the macro calls, LASTRC can be used to determine the return code value returned by the last successfully executed #XITRTN exit routine. HIGHRC can be used to determine the highest return code that has been returned from any prior execution of a #XITRTN exit routine.
Recommendations
The Bravura Pass server expects that password update requests that it has approved will not be rejected by the z/OS security product. New password values will have been validated against any installation rules prior to the call to the Bravura Pass server. As a result, if the Mainframe Connector password change exit is used in conjunction with other exits, the following recommendations should be considered:
Place the Mainframe Connector exit last in the exit call sequence.
Do not invoke the Mainframe Connector exit if a previous exit routine has set a return code that would cause the password update to be rejected (see the Exit driver example).
When multiple exits are linked together, it may be necessary to alter the CSECT names of existing modules. The linkage editor can be used for that purpose. The following example would link an exit driver with CSECT name ICHPWX01 with PWXIT001, PWXIT002, and the Mainframe Connector password change exit into a single load module with a name of ICHPWX01, and change the name of the Mainframe Connector password exit to PSNCPWX1:
 INCLUDE OBJ(XITDRVR)
 INCLUDE OBJ(PWXIT001)
 INCLUDE OBJ(PWXIT002)
 CHANGE ICHPWX01(PSNCPWX1)
 INCLUDE PSNCOBJ(ICHPWX01)
 ENTRY ICHPWX01
 SETCODE AC(1)
 NAME ICHPWX01(R)
Exit driver example
Following is an example of a simple exit driver:
ICHPWX01 #SETUP                       Perform exit driver setup
         #XITRTN NAME=PWXIT001        Execute the PWXIT001 exit
         #XITRTN NAME=PWXIT002,COND=8 Execute the PWXIT002 exit
*                                     routine if PWXIT001 return code
*                                     was 8 or less
         #XITRTN NAME=PSNCPWX1,COND=0 Execute the PSNCPWX1 exit rtn
*                                     if no previous exit had a return
*                                     code greater than 0
         L     R15,HIGHRC             Load the max return code
         #TERM RC=(R15)               Return to the security product
         END
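To make the COND tolerance rule, the LASTRC/HIGHRC fields and the "place the Mainframe Connector exit last with COND=0" recommendation concrete, the following Python model walks the same chain as the exit driver example above (PWXIT001, PWXIT002 with COND=8, PSNCPWX1 with COND=0) for several constructed return-code scenarios. This is an added illustration, not Bravura Security's macro code: the exit routines are stand-in callables, the return codes they produce are constructed sample values, and the function and class names are assumptions made for the model.

```python
"""
Model of the #SETUP / #XITRTN / #TERM exit-driver chaining semantics.

Added illustration, not the Mainframe Connector macros themselves. It
simulates how a driver built from the macros decides whether each chained
exit routine runs (the COND parameter) and how the LASTRC and HIGHRC
temporary-storage fields evolve. The routine names mirror the exit driver
example on the page; their return codes are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class XitRtn:
    """One #XITRTN entry: NAME= module and COND= highest tolerated prior RC."""
    name: str
    routine: Callable[[], int]   # stand-in for the real exit module
    cond: int = 0                # default COND=0, as documented


@dataclass
class DriverState:
    """Fields the macros keep in TEMPSTOR, plus a trace of what ran."""
    lastrc: int = 0              # RC of the last routine that executed
    highrc: int = 0              # highest RC returned by any routine so far
    executed: List[str] = field(default_factory=list)
    skipped: List[str] = field(default_factory=list)


def run_driver(chain: List[XitRtn]) -> DriverState:
    """Emulate #SETUP, the sequence of #XITRTN calls, and the state #TERM sees.

    A routine executes only if no previous routine returned a code greater
    than its COND value, i.e. HIGHRC <= COND at the point it is reached.
    """
    st = DriverState()
    for entry in chain:
        if st.highrc > entry.cond:
            st.skipped.append(entry.name)      # tolerance exceeded: skip
            continue
        rc = entry.routine()
        st.executed.append(entry.name)
        st.lastrc = rc                          # LASTRC: last routine that ran
        st.highrc = max(st.highrc, rc)          # HIGHRC: running maximum
    return st


def term_rc(state: DriverState) -> int:
    """What '#TERM RC=(R15)' returns after 'L R15,HIGHRC' in the example."""
    return state.highrc


def build_chain(rc1: int, rc2: int, rc_connector: int = 0) -> List[XitRtn]:
    """The chain from the exit driver example, with constructed return codes."""
    return [
        XitRtn("PWXIT001", lambda: rc1),                 # COND=0 (default)
        XitRtn("PWXIT002", lambda: rc2, cond=8),         # runs if HIGHRC <= 8
        XitRtn("PSNCPWX1", lambda: rc_connector, cond=0),  # Mainframe Connector exit, last, COND=0
    ]


if __name__ == "__main__":
    # Constructed scenarios: (PWXIT001 RC, PWXIT002 RC)
    for rc1, rc2 in [(0, 0), (4, 0), (12, 0), (0, 8)]:
        st = run_driver(build_chain(rc1, rc2))
        print(f"PWXIT001={rc1} PWXIT002={rc2}: executed={st.executed} "
              f"skipped={st.skipped} LASTRC={st.lastrc} HIGHRC={st.highrc} "
              f"#TERM RC={term_rc(st)}")
```

The second scenario (PWXIT001 returns 4, PWXIT002 returns 0) shows why LASTRC and HIGHRC are kept separately: LASTRC is 0 from PWXIT002, but HIGHRC stays 4, so the COND=0 Mainframe Connector exit is skipped and the driver returns 4 to the security product, which is exactly the behaviour the recommendations call for when an earlier exit has already decided to reject the change.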