Skip to Content
Information
Space banner This space provides the same content as before, but the organization of the home page has changed. The content is now organized based on logical branches instead of legacy book titles. We hope that the new structure will help you quickly find the content that you need.

RACF Exits

The dynamically activated exits for RACF are ICHRIX01 and ICHRIX02. For more information, see the IBM manual System Programming Library: RACF.

The dynamic RACF exit installation process used by Archive Recording by user ID allows a more simplified installation by removing the following requirements:

  • Access to sensitive MVS system datasets
  • Inserting Session Monitor-supplied code into the ICHRIXnn modules
  • Assembling and linking the ICHRIXnn modules
  • Moving the modules to an MVS LPA library
  • Performing an MVS IPL.
Warning

Important

Dynamic installation does affect the RACF Data Security Monitor (DSMON). The monitor checks the RACF vector table (RCVT) to ensure that the exits addressed in the table are ICHRIX01 and ICHRIX02. When DSMON detects that the table does not address these exits, it interprets this as a security integrity exposure. DSMON detects this exposure only if it is run while the Archive Recording started task is active. Session Monitor installs the exits during initialization and removes them during shutdown.

To alleviate security concerns, we recommend that you limit access to the Archive Recording PROC to the systems personnel responsible for maintenance.

Installing the dynamic exit for RACF involves four modules: SVRACINT, SVRACDEL, SVRACON1, and SVRACON2. These modules are on the product media as separate load modules.

RACF Dynamic Exit Modules

Module

Description

SVRACINT

This module installs the Session Monitor RACF exits for ICHRIX01 and ICHRIX02. The routine works by locating the RACF vector table (RCVT) and replacing or adding exit addresses into the RCVT. The routine also saves the address of any installed exits thatSession Monitor replaces. These exits run after Session Monitor exit routines have finished processing.

SVRACDEL

This routine removes the Session Monitor RACF exits installed by SVRACINT. The de-installation works by locating the RCVT and replacing the exit addresses with the address of any installed exits saved during installation.

SVRACON1

This is the RACF post-processing exit. This routine processes any logon request and puts the information in the Session Monitor user ID tracking table. After processing, Session Monitorinvokes the next exit (the address that was saved during installation).

SVRACON2

This is the RACF preprocessing exit. This routine processes any logoff request and stores the information in the Session Monitor user ID tracking table. After processing Session Monitor invokes the next exit (the address that was saved during installation).

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC AMI Security Session Monitor 17.02