Requesting Mainframe Connector validation external to new password exits

Up to this point, any reference to establishing a dialogue between Mainframe Connector and the Bravura Pass server for password strength validation and synchronization has used a security product "new password" exit as the trigger. This section discusses an external application programming interface (API) that can be used to invoke Mainframe Connector outside the scope of the z/OS security product. This external API is PSNCSSC, the Mainframe Connector SubSystem Call.

PSNCSSC is an assembler-based API and is invoked from an assembler program through a macro interface. It can be used from a stand-alone application or program to determine the validity of a potential new password value. This may be appropriate if an application uses its own internal validation method rather than making use of the installed security product.

Member EXAMPL1 in the Mainframe Connector INSTLIB dataset provides an example assembler program for invoking the PSNCSSC service as well as the linkedit information required. Member PSNCSSC in the Mainframe Connector INSTLIB provides the PSNCSSC macro used to generate the call to the PSNCSSC service. The following are some example PSNCSSC macro calls:

*   Determine if PWD1 passes Bravura Pass strength
*   rules for USRID1
         PSNCSSC USERID=USRID1,                                        X
               NPWD=PWD1,                                              X
               RQSTTYPE=TEST,                                          X
               WORKAREA=WORKA
         B     BRTBL1(R15)
BRTBL1   DS    0H
         B     TESTOK            PSNCSSC RC=0
         B     TESTFAIL          PSNCSSC RC=4
         B     TIMEOUT           PSNCSSC RC=8
         B     CONNFAIL          PSNCSSC RC=12
         B     UNKNOWN           PSNCSSC RC=16
         B     STORFAIL          PSNCSSC RC=20
         B     NOPSYNCH          PSNCSSC RC=24
         B     BADPARMS          PSNCSSC RC=28
         B     BADRQSTT          PSNCSSC RC=32
         .
         .
*   Check PWD2 against Bravura Pass strength rules for
*   USRID2 and synchronize if it passes
         PSNCSSC USERID=USRID2,                                        X
               NPWD=PWD2,                                              X
               RQSTTYPE=CHNG,                                          X
               WORKAREA=WORKA
         B     BRTBL2(R15)
BRTBL2   DS    0H
         B     CHNGOK            PSNCSSC RC=0
         B     CHNGFAIL          PSNCSSC RC=4
         B     TIMEOUT           PSNCSSC RC=8
         B     CONNFAIL          PSNCSSC RC=12
         B     UNKNOWN           PSNCSSC RC=16
         B     STORFAIL          PSNCSSC RC=20
         B     NOPSYNCH          PSNCSSC RC=24
         B     BADPARMS          PSNCSSC RC=28
         B     BADRQSTT          PSNCSSC RC=32
         .
         .
USRID1   DC    CL8'TEST01'
PWD1     DC    CL8'GOODPWD'
USRID2   DC    CL8'TEST02'
PWD2     DC    CL8'BADPWD'
WORKA    DS    8F                8-fullword work area

Any program that uses the PSNCSSC services must be linkedited AC(1).

Using RQSTTYPE=TEST on the macro call requires READ access to the FACILITY class PSYNCAPI profile. Using RQSTTYPE=CHNG on the macro call requires UPDATE access to the FACILITY class PSYNCAPI profile. For RACF environments, the following commands would be required to create the PSYNCAPI profile and grant RQSTTYPE=CHNG access to user MTECH01:

  RDEFINE FACILITY (PSYNCAPI) UACC(NONE)
  PERMIT PSYNCAPI ACCESS(UPDATE) CLASS(FACILITY) ID(MTECH01)
  SETROPTS RACLIST(FACILITY) REFRESH

If multiple Mainframe Connector started tasks were being used and the PSNCUIDT table had been created, the following FACILITY class changes would be required:

  RDEFINE FACILITY (PSYNCAPI.ssn) UACC(NONE)
  PERMIT PSYNCAPI.ssn ACCESS(UPDATE) CLASS(FACILITY) ID(MTECH01)
  SETROPTS RACLIST(FACILITY) REFRESH

where ssn is the subsystem name of the Mainframe Connector subsystem that is to be used by this requester.
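The commands above grant only UPDATE. The following TSO/E REXX exec is an added example, not part of the Mainframe Connector documentation or INSTLIB; it gives a validation-only caller READ (enough for RQSTTYPE=TEST), keeps UPDATE for the caller that synchronizes, and lists the resulting access list for review. It assumes the profile has already been defined with RDEFINE as shown, that the exec runs under an ID authorized to issue these RACF commands, and that APPTEST1 is a hypothetical user ID.

```rexx
/* REXX - added example, not vendor code.                          */
/* Grants the minimum PSYNCAPI access each caller needs:           */
/*   READ   -> RQSTTYPE=TEST (strength check only)                 */
/*   UPDATE -> RQSTTYPE=CHNG (check and synchronize)               */
/* APPTEST1 is a hypothetical ID; MTECH01 is the ID from the text. */
/* Set profile to the PSYNCAPI.ssn form when multiple started      */
/* tasks and the PSNCUIDT table are in use.                        */
profile  = 'PSYNCAPI'
grants.0 = 2
grants.1 = 'APPTEST1 READ'
grants.2 = 'MTECH01 UPDATE'

address TSO
do i = 1 to grants.0
  parse var grants.i id level
  "PERMIT" profile "CLASS(FACILITY) ID("id") ACCESS("level")"
  if rc <> 0 then do
    say 'PERMIT failed for' id 'rc='rc
    exit 8
  end
end

/* Refresh the in-storage profiles so the new access list is used  */
"SETROPTS RACLIST(FACILITY) REFRESH"
if rc <> 0 then do
  say 'SETROPTS refresh failed rc='rc
  exit 8
end

/* Display the access list so the grants can be reviewed           */
"RLIST FACILITY" profile "AUTHUSER"
exit rc
```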

Appropriate security definitions for ACF2 or TopSecret environments would also be required if the PSNCSSC service were invoked under those security products' control.