Installing the password change exit

Upon completion of the SMP/E apply for the base FUNCTION, the RACF password change exit ICHPWX01 can be installed. Member UMDPWX1 in the Mainframe Connector installation library has been provided as a sample to perform this task.

The USERMOD should be installed in the same SMP/E environment that contains the RACF base FUNCTION. The sample job in UMDPWX1 will install the USERMOD into the z/OS SMP/E environment and place an updated version of ICHPWX01 into SYS1.LPALIB . The object code for ICHPWX01 is contained in member ICHPWX01 in the Mainframe Connector installation library. It should be moved to a site specific library that is used to maintain USERMOD object code.

If you choose not to install ICHPWX01 into SYS1.LPALIB , it must be installed into a library that is contained in the LPALSTxx concatenation.

You should expect a return code of zero from the UMDPWX1 job. Any other return code should be investigated.

If the ICHPWX01 exit is already being used for other functions, see Password Change Notification Exit Conflict for options for creating a multi-function ICHPWX01 exit.

Restarting the z/OS Image

To enable the Mainframe Connector functionality in the RACF password exit ICHPWX01 , a system IPL (Initial Program Load) must be performed. Make sure that the IPL occurs with a CLPA option. This will cause the system Link Pack Area to be re-initialized and will load a new copy of ICHPWX01 for use by RACF.

Upon completion of the SMP/E apply for the base FUNCTION, the RACF pass phrase change exit ICHPWX11 can be installed. Member UMDPH11 in the Mainframe Connector installation library has been provided as a sample to perform this task.

The USERMOD should be installed in the same SMP/E environment that contains the RACF base FUNCTION. The sample job in UMDPH11 will install the USERMOD into the z/OS SMP/E environment and place an updated version of ICHPWX11 into SYS1.LPALIB . The object code for ICHPWX11 is contained in member ICHPWX11 in the Mainframe Connector installation library. It should be moved to a site specific library that is used to maintain USERMOD object code.

If you choose not to install ICHPWX11 into SYS1.LPALIB , it must be installed into a library that is contained in the LPALSTxx concatenation.

You should expect a return code of zero from the UMDPH11 job. Any other return code should be investigated.

If the ICHPWX11 exit is already being used for other functions, see Password Change Notification Exit Conflict for options for creating a multi-function ICHPWX11 exit.

Restarting the z/OS Image

To enable the Mainframe Connector functionality in the RACF pass phrase exit ICHPWX11 , a system IPL (Initial Program Load) must be performed. Make sure that the IPL occurs with a CLPA option. This will cause the system Link Pack Area to be re-initialized and will load a new copy of ICHPWX11 for use by RACF.

Upon completion of the SMP/E apply for the base FUNCTION, the ACF2 password change exit NEWPXIT can be installed. Member UMDNPX1 in the Mainframe Connector installation library has been provided as a sample to perform this task.

The USERMOD should be installed in the same SMP/E environment that contains the ACF2 base FUNCTION. The sample job in UMDNPX1 will install the USERMOD into the z/OS SMP/E environment and place an updated version of NEWPXIT into SYS1.LPALIB . The object code for NEWPXIT is contained in member NEWPXIT in the Mainframe Connector installation library. It should be moved to a site specific library that is used to maintain USERMOD object code.

If you choose not to install NEWPXIT into SYS1.LPALIB , it must be installed into a library that is contained in the LPALSTxx concatenation.

You should expect a return code of zero from the UMDNPX1 job. Any other return code should be investigated.

If the NEWPXIT exit is already being used for other functions, see Password Change Notification Exit Conflict for options for creating a multi-function NEWPXIT exit.

Restarting the z/OS Image

To enable the Mainframe Connector functionality in the ACF2 password exit NEWPXIT , a system IPL (Initial Program Load) must be performed. Make sure that the IPL occurs with a CLPA option. This will cause the system Link Pack Area to be re-initialized and will load a new copy of NEWPXIT for use by ACF2. The ACF2 EXIT GSO record should also be updated to reflect that NEWPXIT is to be active. Contact the ACF2 administrator to have this entry updated in the ACF2 environment.

Upon completion of the SMP/E apply for the base FUNCTION, the TopSecret password change exit TSSINSTX can be installed. Member UMDTSX1 in the Mainframe Connector installation library has been provided as a sample to perform this task.

The USERMOD should be installed in the same SMP/E environment that contains the TopSecret base FUNCTION. The sample job in UMDTSX1 will install the USERMOD into the z/OS SMP/E environment and place an updated version of TSSINSTX into SYS1.LINKLIB . The object code for TSSINSTX is contained in members TSSEXITN and TSSPWXIT in the Mainframe Connector installation library. They should be moved to a site specific library that is used to maintain USERMOD object code.

If you choose not to install TSSINSTX into SYS1.LINKLIB , it must be installed into a library that is contained in the LNKLSTxx concatenation.

You should expect a return code of zero from the UMDTSX1 job. Any other return code should be investigated.

If the TSSINSTX exit is already being used for other functions, contact Bravura Security technical support to discuss available options.

If TSSINSTX has been dynamically installed into a linklist dataset of an active z/OS system, a refresh of LLA will be necessary to activate the new module. This can be accomplished with the following z/OS operator command:

F LLA,REFRESH

Enabling TSSINSTX

To enable the Mainframe Connector functionality in the TopSecret password exit TSSINSTX , the exit must be enabled to TopSecret. This can occur dynamically with a z/OS operator command. The following command can be used to enable the TopSecret installation exit:

F TSS,EXIT(ON)

The above command will cause TSSINSTX to be enabled within TopSecret. TSSINSTX must reside somewhere within the current active z/OS linklist for the above modify command to be successful.