
Preparing for Mainframe Connector Subsystem Startup

Defining the Subsystem Name

Mainframe Connector uses the unique subsystem name specified on the SUBSYSNAME parameter. The name can be defined to MVS in one of three ways:

  • Pre-defined in member IEFSSNxx of SYS1.PARMLIB and activated at system IPL time.

  • Added dynamically by the Mainframe Connector started task during the initial Mainframe Connector start. When the Mainframe Connector task is started, it will check for the existence of the subsystem name specified on the SUBSYSNAME parameter. If the subsystem name does not exist, an entry will be dynamically created and used for the current and any subsequent Mainframe Connector restarts that may occur during the life of the current IPL.

  • Defined dynamically using an operator command:

    SETSSI ADD,SUBNAME=mfcs

    where mfcs represents the subsystem name to be used for Mainframe Connector.

Defining an Authorized Library

Mainframe Connector load modules need to run in an APF authorized library. You can copy them into an existing authorized library, or you can authorize the current target library by creating an entry for it in member IEAAPFxx or PROGxx of SYS1.PARMLIB.

This can be done dynamically to avoid an IPL by using the following operator command:

SETPROG APF,ADD,DSNAME=your.mfc.loadlib,VOLUME=volser

SYS1.PROCLIB

Before you can start Mainframe Connector, you must provide a startup procedure and include it in a library defined to JES2. There is a sample shown below followed by a description of each statement. The sample is also provided in member PROC of the install dataset.

  //MFC      PROC
  //MFC      EXEC PGM=PSNCDRVR,TIME=1440
  //STEPLIB  DD   DSN=MFC.LOADLIB,DISP=SHR
  //PARMLIB  DD   DSN=MFC.PARMLIB,DISP=SHR
  //PSYNCLIB DD   DSN=MFC.LOADLIB,DISP=SHR
  //SYSTCPD  DD   DSN=TCPIP.DATA,DISP=SHR
  //AUDIT    DD   DSN=MFC.AUDIT,DISP=SHR
  //INLIST   DD   DSN=MFC.INLIST,DISP=SHR
  //ADMINIDS DD   DSN=MFC.ADMINIDS,DISP=SHR
  //SYNCHLOG DD   SYSOUT=*
  //SYSPRINT DD   SYSOUT=*
  //SYSABEND DD   SYSOUT=*

This example is described below:

  • //MFC PROC

    This statement is required. The procedure name does not have to be MFC.

  • //MFC EXEC PGM=PSNCDRVR,TIME=1440

    This statement is required. The TIME=1440 parameter allows MFC an unlimited amount of processor time.

  • //STEPLIB DD DSN=MFC.LOADLIB,DISP=SHR

    This statement is required. Even if the PSNCDRVR program and related Mainframe Connector modules reside in your system linklist, the STEPLIB DD is still required and must contain the Mainframe Connector parallel function load module PSNCTTOC. The sample expects PSNCTTOC to be in MFC.LOADLIB.

  • //PARMLIB DD DSN=MFC.PARMLIB,DISP=SHR

    This statement is required. It identifies the dataset that contains the startup parameters for Mainframe Connector. It can be a sequential dataset or any member of a partitioned dataset (PDS). The ddname must be PARMLIB. The sample uses MFC.PARMLIB to contain Mainframe Connector parameters.

  • //PSYNCLIB DD DSN=MFC.LOADLIB,DISP=SHR

    This statement is required. Even if you place all Mainframe Connector load modules in your system linklist, you must still code this DD statement and reference the library containing the Mainframe Connector modules. Mainframe Connector uses this library for all its directed load module loads. The ddname must be PSYNCLIB. The sample expects Mainframe Connector load modules to be in MFC.LOADLIB.

  • //SYSTCPD DD DSN=TCPIP.DATA,DISP=SHR

    This statement is optional. It is one of the methods available to obtain TCP/IP parameters for DNS name resolution. The dataset referenced is used to contain those parameters. It can be a sequential dataset or any member of a partitioned dataset (PDS). The ddname must be SYSTCPD. The sample expects TCP/IP parameters to be in TCPIP.DATA. In most cases, the dataset referenced by this DD statement will be the same as the dataset referenced by the SYSTCPD DD statement used by the corresponding TCP/IP stack, with one exception as noted below.

    If Mainframe Connector will be making use of a TCPaccess TCP/IP stack, the dataset specified on the SYSTCPD DD statement must be a sequential dataset and it must not be in use for any other application.

    If you specify the server name of the Bravura Security Fabric server in the DNS start parameter, this DD statement will most likely be required.

  • //AUDIT DD DSN=MFC.AUDIT,DISP=SHR

    This statement is optional. The sample uses MFC.AUDIT to write log records containing password change request information. It specifies a disposition of SHR, but a disposition of MOD may be used to preserve audit records across multiple startups. It would also be appropriate to specify a JES SYSOUT dataset to record AUDIT log information.

  • //INLIST DD DSN=MFC.INLIST,DISP=SHR

    This statement is optional. The INLIST DD is mutually exclusive with the EXLIST DD; however, if both are detected in the start JCL, the INLIST DD will be processed and the EXLIST DD will be ignored. If you want to allow only certain userids or certain groups of users to have their passwords reset in a transparent fashion, you can use the INLIST DD statement. The sample uses MFC.INLIST as an input dataset for include list userids or groups.

    If the dynamic reload command (see Mainframe Connector Operator Commands) will be used to refresh the contents of the INLIST list, the number of datasets in the INLIST DD concatenation should be limited to a maximum of 32 to obtain expected results.

  • //EXLIST DD DSN=MFC.EXLIST,DISP=SHR

    This statement is optional. The EXLIST DD is mutually exclusive with the INLIST DD; however, if both are detected in the start JCL, the INLIST DD will be processed and the EXLIST DD will be ignored. If you want to exclude certain userids or certain groups of users from having their passwords reset in a transparent fashion, you can use the EXLIST DD statement. The sample JCL does not show an example EXLIST DD statement.

    If the dynamic reload command (see Mainframe Connector Operator Commands) will be used to refresh the contents of the EXLIST list, the number of datasets in the EXLIST DD concatenation should be limited to a maximum of 32 to obtain expected results.

  • //ADMINIDS DD DSN=MFC.ADMINIDS,DISP=SHR

    This statement is optional. The ADMINIDS DD is used to indicate which administrator IDs have the ability to forward a third party password reset event to the Bravura Pass server for validation and synchronization. The absence of this DD statement indicates that no administrative password resets will be forwarded to the Bravura Pass server.

    If the dynamic reload command (see Mainframe Connector Operator Commands) will be used to refresh the contents of the ADMINIDS list, the number of datasets in the ADMINIDS DD concatenation should be limited to a maximum of 32 to obtain expected results.

  • //SYNCHLOG DD SYSOUT=*

    This statement is optional. It defines a dataset or SYSOUT in which log messages for incoming listener events are written. If this statement is omitted, the Bravura Security Fabric server will be the only source of event information.

  • //SYSPRINT DD SYSOUT=*

    This statement is optional. It defines a dataset or SYSOUT in which messages are written. If you omit this statement, runtime diagnostic messages may be lost. The sample specifies an output class.

  • //SYSABEND DD SYSOUT=*

    This statement is optional. It defines a dataset or SYSOUT in which a dump is written if Mainframe Connector abends. If you omit this statement, no dump will be available to investigate the abend condition. The sample specifies an output class.

  • Other DD statements available for capturing dumps are SYSUDUMP and SYSMDUMP.
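The DD rules described above can be checked mechanically before a procedure is placed in a JES2 procedure library. The following is an added example, not code shipped with Mainframe Connector: a small Python review script whose function names (parse_dds, check_proc) and finding texts are assumptions made for illustration, run against a constructed procedure.

```python
import re

# Rules below come from the DD descriptions on this page.
REQUIRED = ("STEPLIB", "PARMLIB", "PSYNCLIB")
RELOADABLE = ("INLIST", "EXLIST", "ADMINIDS")   # max 32 datasets each
DD_RE = re.compile(r"^//(\S*)\s+DD\s+(\S+)")

def parse_dds(jcl):
    """Map ddname -> operand list; an unnamed DD extends the previous DD."""
    dds, current = {}, None
    for line in (l.strip() for l in jcl.splitlines()):
        m = None if line.startswith("//*") else DD_RE.match(line)
        if not m:
            continue                      # comment, PROC, EXEC or blank line
        name, operands = m.groups()
        if name:
            current = name
        if current:
            dds.setdefault(current, []).append(operands)
    return dds

def check_proc(jcl):
    """Return findings for a Mainframe Connector startup procedure."""
    dds = parse_dds(jcl)
    out = [f"ERROR: required DD {dd} missing" for dd in REQUIRED if dd not in dds]
    if "INLIST" in dds and "EXLIST" in dds:
        out.append("WARN: INLIST and EXLIST both coded; EXLIST is ignored")
    for dd in RELOADABLE:
        if len(dds.get(dd, [])) > 32:
            out.append(f"WARN: {dd} concatenates more than 32 datasets")
    if "AUDIT" not in dds:
        out.append("WARN: no AUDIT DD; no auditing will occur")
    elif any("DISP=SHR" in op for op in dds["AUDIT"]):
        out.append("INFO: AUDIT is DISP=SHR; DISP=MOD keeps records across startups")
    if "ADMINIDS" not in dds:
        out.append("INFO: no ADMINIDS DD; admin resets are not forwarded")
    return out

# Constructed input: page sample minus PSYNCLIB, AUDIT, ADMINIDS; EXLIST added.
SAMPLE = """\
//MFC      EXEC PGM=PSNCDRVR,TIME=1440
//STEPLIB  DD   DSN=MFC.LOADLIB,DISP=SHR
//PARMLIB  DD   DSN=MFC.PARMLIB,DISP=SHR
//INLIST   DD   DSN=MFC.INLIST,DISP=SHR
//EXLIST   DD   DSN=MFC.EXLIST,DISP=SHR
"""

if __name__ == "__main__":
    print("\n".join(check_proc(SAMPLE)))
```

Run against the unmodified sample procedure, the script reports only the informational note about the AUDIT disposition.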

If TCPaccess will provide the TCP/IP stack environment, the Mainframe Connector started task procedure would likely be somewhat different than the example described above. The following is an example procedure that could be used for TCPaccess stack environments.

  //MFC      PROC
  //MFC      EXEC PGM=PSNCDRVR,TIME=1440
  //STEPLIB  DD   DSN=MFC.TCP.ACCESS.LOADLIB,DISP=SHR
  //         DD   DSN=MFC.LOADLIB,DISP=SHR
  //         DD   DSN=tcp.access.LINK,DISP=SHR  <== chng "tcp.access"
  //PARMLIB  DD   DSN=MFC.PARMLIB,DISP=SHR
  //PSYNCLIB DD   DSN=MFC.LOADLIB,DISP=SHR
  //SYSTCPD  DD   DSN=TCPIP.DATA,DISP=SHR
  //AUDIT    DD   DSN=MFC.AUDIT,DISP=SHR
  //INLIST   DD   DSN=MFC.INLIST,DISP=SHR
  //SYSPRINT DD   SYSOUT=*
  //SYNCHLOG DD   SYSOUT=*
  //SYSABEND DD   SYSOUT=*

In the above example, MFC.LOADLIB would contain all the common Mainframe Connector load modules and the Mainframe Connector load modules that are used if the IBM TCP/IP stack is being used. The dataset MFC.TCP.ACCESS.LOADLIB contains the load modules specific to use in TCPaccess stack environments.

If the Mainframe Connector procedure includes an AUDIT DD statement, auditing of Mainframe Connector events will occur. This is an optional DD statement, and if it is not present in the Mainframe Connector procedure, no auditing will occur.

SYS1.LPALIB

Mainframe Connector makes use of password or pass phrase change exits. For RACF (ICHPWX01) or RACF (ICHPWX11) and ACF2 (NEWPXIT), the exit(s) must reside in an LPALIB dataset, and a system IPL is required to enable any changes.

If the "new password" exit for RACF or ACF2 is already in use for another function, or if the "new pass phrase" exit for RACF is already in use for another function, see Password Change Notification Exit Conflict for an alternative method of creating the "new password" exit when more than one subsystem requires the functionality.

SYS1.LINKLIB

TopSecret Installation Exit TSSINSTX

Mainframe Connector makes use of password change exits. For TopSecret (TSSINSTX), the exit must reside in a linklist dataset.

The current active system linklist can be used for TSSINSTX and an LLA REFRESH should be performed before attempting to dynamically enable the exit to the TopSecret subsystem.