RTCS initialization member
This topic presents the contents of the RTCS initialization member.
RTCS initialization member
+----------------------------------------------------------------------+
| Runtime Component System (RTCS) Initialization Parameters |
| |
| OSZ$PARM Distributed in SMP/E distribution library .DOSZCNTL |
| OSZ$PARM Installed into SMP/E target library .TOSZCNTL |
| OSZINI00 Customized in the z/OS Logical PARMLIB data set |
| |
| OSZ$PARM is customized by the installation and then |
| copied into the z/OS image Logical PARMLIB data set |
| (usually DSN=SYS1.PARMLIB). The RTCS Initiator will |
| attempt to locate and read the RTCS Initialization |
| Parameters member from an MVS Logical PARMLIB data |
| set (or SYS1.PARMLIB if no MVS image-specific data |
| set has been established). |
| |
| The default member name is OSZINI00, which can be |
| changed by specifying the INI=nn parameter in the |
| RTCS Initiator START command parameter field (the |
| 4th positional parameter). For example: |
| |
| START OSZINIT,,,(INI=42),SUB=MSTR |
| |
+----------------------------------------------------------------------+
== Runtime Component System (RTCS) Initialization Parameters ==
*
* MVS Subsystem Name to be used by the RTCS Subsystem.
*
+ SSID=RTCS
|
| The MVS Subsystem Name (SSID, or Subsystem ID) that is to
| be used by the RTCS Subsystem address space (OSZRTCS).
*
* Installation Verification Procedure (IVP) Mode
*
NOIVP /* [NO]IVP */
|
| In IVP mode, the RTCS Initiator performs all
| normal parameter verification and processing
| but does not START the RTCS Subsystem address
| space. IVP mode can also be specified in the
| parameter field (the 4th positional parameter)
| of the RTCS Initiator START command, as follows:
|
| START OSZINIT,,,(IVP=Y,LIST=Y)
|
| If IVP mode is requested on the START command,
| a specification of NOIVP in the Logical PARMLIB
| member will NOT disable IVP mode. Once IVP mode
| is in effect (either from the START command or
| from this member), it cannot then be disabled by
| specifying NOIVP (in this member).
|
*
* RTCS Subsystem address space started task PROC name.
*
+ OSZRTCS-PROC=OSZRTCS
|
| If not specified, then the default is the same PROC
| name that was used to start the RTCS initiator with
| 'RTCS' substituted for 'INIT', provided that 'INIT'
| appears in the RTCS Initiator PROC name. Else the
| default is OSZRTCS.
*
* RTCS Generalized Server started task PROC name.
*
+ OSZEXEC-PROC=OSZEXEC
|
| If not specified, the default is the RTCS Subsystem
| PROC name with 'EXEC' substituted for 'RTCS',
| provided that 'RTCS' appears in the RTCS Subsystem
| PROC name. Else the default is OSZEXEC.
*
* RTCS Product Program Library (.TOSZLINK, or a copy)
*
+ POSZLINK=
|
| If not specified, then this value will default to
| STEPLIB-DSName-prefix.[xosz]LINK, provided that the
| low-level qualifier of //STEPLIB is '.[xosz]RTCS'.
| Else the default is the same DSNAME as //STEPLIB.
*
* RTCS Hypertext Document Library (.TOSZHTML, or a copy)
*
+ POSZHTML=
|
| If not specified, then this value will default to
| STEPLIB-DSName-prefix.[xosz]HTML, provided that the
| low-level qualifier of //STEPLIB is '.[xosz]RTCS'.
*
* BMC Product (License) Authorization Table Library
*
+ POSZPSWD=
|
| If not specified, then this value will default to
| STEPLIB-DSName-prefix.[xosz]PSWD, provided that the
| low-level qualifier of //STEPLIB is '.[xosz]RTCS'.
|
| The Product (License) Authorization Table Library
| is a partitioned data set that contains product
| license table members that are created & updated
| by the BMC Licensing Facility batch password
| processing utility, OSZPATLU, or by the legacy
| ISPF-based BMC product password update facility.
| If no RTCS-based licensed products are being used
| then this DD statement may define any partitioned
| data set.
| MainView CAS-based product-only customers should
| simply allocate an empty, DSORG=PO,RECFM=U PDS[E]
| for this production library. The indicated data
| set will by dynamically allocated by the RTCS
| Initiator to ensure its existence and validity,
| but no MainView product will ever cause it to
| be subsequently dynamically allocated by the RTCS
| Subsystem or Generalized Server address spaces.
*
* DSNAME of RTCS System Registry VSAM Linear Data Set (VLDS)
*
+ SREGVLDS=SYS2.SHARED.RTCS.SYSTEM.REGISTRY
|
| If not specified, then this value will default to
| STEPLIB-DSName-prefix.REGISTRY, provided that the
| low-level qualifier of //STEPLIB is '.[xosz]RTCS'.
| Otherwise, there is no default, and this parameter
| must be specified.
|
| The System Registry contains configuration data for
| RTCS, the MainView CAS, RTCS-based products, and any
| RTCS-dependent product which has elected to use it.
| It must be a VSAM Linear Data Set (VSAM LDS or VLDS).
|
| The Registry data set MUST be cataloged, since it is
| a VSAM cluster. It is allocated using only its DSNAME.
| The System Registry VSAM LDS is read/write and cannot
| physically be shared, although it may be allocated on
| shared DASD. Only one RTCS Subsystem will be able to
| allocate a VSAM LDS for use as a Registry because it
| will be allocated DISP=OLD as required by the MVS DIV
| service.
|
| But the data in the System Registry VLDS can be shared
| among members of a Sysplex using XCF. When the System
| Registry is being shared among RTCS Subsystems running
| in a Sysplex, then only one RTCS Subsystem will have
| dynamically allocated the Registry VLDS. That system
| is called the Local Owner. Other systems can access
| data in the Registry (which is allocated to the Local
| Owner) using XCF to transmit requests and retrieve the
| the requested data in response. An RTCS Subsystem that
| is accessing data in the System Registry on the Local
| Owner via XCF is termed a Remote [Registry instance].
| It is not recommended, but it is possible to have a
| private, dedicated System Registry VLDS for each RTCS
| Subsystem. But the MainView CAS will not be able to
| share data with other CASs in the Sysplex if you do.
||
| The first time an RTCS Subsystem becomes the Local
| Owner of the VLDS and encounters a newly-allocated,
| uninitialized, never-before-used Linear Data Set,
| the RTCS Subsystem will initialize the contents of
| the Registry, populating it with all the structures
| required for RTCS Subsystem components and products.
|
*
* System Registry DIV Services Default Performance Parameters
*
DIV-SAVE-MINIMUM = 1 /* DIV Services interval 1: minimum */
DIV-SAVE-MAXIMUM = 6 /* DIV Services interval 2: maximum */
DIV-SAVE-IDLE = 60 /* DIV Services interval 3: idle */
DIV-SAVE-LIMIT = 4000 /* DIV Services batch update limit */
|
| The above parameters indicate the time that the Registry
| DIV Services subtask will wait prior to requesting that
| changes to the System Registry data space be hardened in
| the backing VSAM LDS. After the VLDS is updated, it will
| wait a minimum amount of time before the next request to
| update the VLDS will again be made, but no longer than
| the indicated maximum (after which a VLDS update will be
| forced). If the Registry is idle (not being changed) but
| potentially only being accessed [existing data retrieved],
| then the DIV Services subtask will idle for the indicated
| interval before waking up to check for pending requests.
| The amount of time that pending Registry VLDS updates are
| delayed is heuristically determined according to request
| frequency and arrival pattern, and will never less than
| the indicated minimum value, nor greater than the maximum.
| Regardless of the enforced minimum and maximum intervals
| that will cause the VLDS to be updated, if the number of
| changes exceeds the specified limit then the backing VLDS
| will be updated, hardening all pending changes on DASD.
|
| A MINIMUM interval of zero (0) indicates that all changes
| to the System Registry are to be immediately hardened in
| the backing VSAM LDS, without waiting or attempting to
| batch multiple changes together into a single update. We
| recommend that you do NOT specify DIV-SAVE-MINIMUM = 0.
*
* RTCS System Registry Sysplex Sharing Parameters
* -----------------------------------------------
*
+ REGISTRY-XCF-GROUP = OSZRTCSR /* System Registry XCF Group Name */
/* This parameter will be used only */
/* if some form of Sysplex Registry */
/* Sharing (see below) is specified.*/
ELIGIBLE-OWNER /* This member is ELIGIBLE to */
/* ALLOCATE (and then EXPOSE) */
/* the System Registry VLDS. */
/* RTCS Subsystem XCF members which */
/* are not eligible to own the RTCS */
/* System Registry VLDS will not be */
/* able to assist in recovery when */
/* the image that does own the */
/* Registry fails for any reason. */
/* */
/* RTCS Subsystems on small or */
/* slow MVS images should only */
/* remotely access an exposed */
/* System Registry and should */
/* not be eligible to allocate */
/* and expose/own the Registry. */
*
* RTCS System Registry Sysplex Sharing Options
* --------------------------------------------
*
| The following five options are mutually exclusive. Only
| one of them should be specified without the 'NO' prefix.
| The other four may be omitted (or specified with the 'NO'
| prefix as illustrated below). If more than one positive
| [not prefixed with 'NO'] option is specified, then the
| most restrictive one will become effective. The Registry
| sharing options are listed below in that precedence order
| (the most restrictive first, the least restrictive last).
| In other words, the first (in the order they are listed
| below) positive (not prefixed with 'NO') option specified
| is the one that will be effective and override any others.
|
NOPRIVATE-REGISTRY /* Exclusively allocate the System */
/* Registry VLDS on this image but */
/* do not establish any capability */
/* to share it with other images. */
/* The Registry cannot subsequently */
/* be exposed to other MVS images. */
/* If the System Registry VLDS can */
/* not be allocated DISP=OLD, then */
/* RTCS initialization will fail. */
NOALLOC-REGISTRY /* ALLOCate the System Registry on */
/* this MVS image, but do not (yet) */
/* EXPOSE it for the REMOTE images */
/* to be able to CONNECT to it. It */
/* can be exposed at a later time */
/* via an RTCS operator command. */
/* If the System Registry VLDS can */
/* not be allocated DISP=OLD, then */
/* RTCS initialization will fail. */
NOEXPOSE-REGISTRY /* ALLOCATE and EXPOSE the System */
/* Registry on this MVS image. */
/* If the System Registry VLDS can */
/* not be allocated DISP=OLD, then */
/* RTCS initialization will fail. */
SHARED-REGISTRY /* Setup a REMOTE Registry on this */
/* MVS image, then CONNECT to the */
/* System Registry if it is already */
/* EXPOSEd on another MVS image. */
/* If the Registry is not already */
/* EXPOSEd, then (if it has not yet */
/* been ALLOCated) ALLOCATE and */
/* EXPOSE the System Registry on */
/* this MVS image (if possible). */
/* If the System Registry VLDS can */
/* not be allocated DISP=OLD or if */
/* this system is unable to CONNECT */
/* to an already-EXPOSEd Registry */
/* on some other MVS image, then */
/* RTCS initialization will fail. */
NOREMOTE-REGISTRY /* CONNECT to a System Registry */
/* that has already been EXPOSEd */
/* on another MVS image. If this */
/* system is unable to CONNECT to */
/* an EXPOSEd System Registry, then */
/* RTCS initialization will fail. */
*
* External Security Manager (ESM) Type
*
+ ESMTYPE=AUTO
|
| External Security Manager (ESM) that is in
| use on this MVS image and which RTCS is to
| interface with. The default, and the value
| which most installations should specify, is
| AUTO. RTCS is usually able to determine the
| ESM that is being used on an MVS image, but
| under certain circumstances, it cannot do so.
| If this situation occurs, you may explicitly
| indicate which ESM is (or will be) used on
| this MVS image using the ESMTYPE= parameter.
|
| ESMTYPE= Description
| -------- -----------
| AUTO RTCS is to automatically determine,
| if possible, which ESM is in use.
| RACF RTCS is to assume RACF will be used.
| ACF2 RTCS is to assume ACF2 will be used.
| TSS RTCS is to assume TSS (Top Secret)
| will be used.
|
*
* Accept or reject attempts to use undefined ESM User IDs
*
+ UNDEFINEDUSERINHERIT=ACCEPT
|
+ UNDEFINEDUSERSIGNON=REJECT
|
| These two parameters specify the behavior
| when an undefined ESM User ID is provided
| (either by an end user or an application)
| as part of original system entry signon,
| or when attempting to inherit credentials
| on this image from an existing environment.
|
| The following values can be specified:
|
| Action Description
| ------ -----------
| ACCEPT RTCS is to allow the INHERIT or the
| SIGNON to proceed. RTCS or the ESM
| will provide a default User ID for
| the security environment that will
| be created as a consequence.
| REJECT RTCS is disallow the INHERIT or the
| SIGNON.
|
| By default, RTCS allows INHERITs to proceed,
| since it would then be assumed that the User
| ID being presented was at least valid in the
| Sysplex or CASplex somewhere, and disallows
| SIGNONs with an undefined User ID, since it
| is usually the case that an invalid User ID
| (that is, one that is not defined) is never
| to be allowed.
*
* Default ESM User ID used in place of an undefined one
*
+ DEFAULTUSERID=' '
|
| This parameter specifies the ESM User ID that
| is to be substituted for an undefined/invalid
| User ID presented for authentication, and the
| UNDEFINEDUSERINHERIT or the UNDEFINEDUSERSIGNON
| option, as appropriate, specifies ACCEPT, which
| indicates that the INHERIT or the SIGNON is to
| be allowed. The value of this parameter should
| usually be set to blanks, which triggers ESM-
| specific behavior to generate its own default
| User ID (USER, LOGONID, or ACID) according to
| well-documented ESM behavior or if allowed by
| ESM-specific security options and parameters.
*
* How to process GROUP IDENT credential during an INHERIT
*
+ GROUPINHERIT=ALWAYS
|
| This parameter specifies how the GROUP IDENT
| credential (GROUP name) is to be processed
| when a security identity is being INHERITed.
|
| The following values can be specified:
|
| Action Description
| ------ -----------
| ALWAYS RTCS is to pass the GROUP IDENT to
| the ESM unchanged. In order to be
| successful, the ESM must allow the
| use of that specific GROUP IDENT.
| In the case of RACF, specifically,
| this means that the User ID being
| INHERITed must be CONNECTed to the
| same, exact GROUP IDENT specified
| in the credentials in the RACF data
| base being used on this system image.
| NEVER RTCS is to ignore any specification
| of a GROUP IDENT (GROUP name) in the
| authentication credentials presented
| when attempting to INHERIT a User ID.
|
*
* ESM Security Interface diagnostic tracing
*
+ SECTRACE=NONE
|
| This parameter specifies the default level of
| diagnostic tracing that is to be performed for
| the RTCS External Security Manager interface.
|
| The following values can be specified:
|
| Action Description
| ------ -----------
| NONE No ESM interface tracing is to be done.
| SIMPLE Issue only simple trace messages.
| EXTENDED Extended tracing is to be performed.
| COMPLETE Complete tracing is to be performed.
|
| Security diagnostic tracing can be activated
| dynamically via an RTCS operator command, so
| NONE should normally be specified. However,
| if there is a need to perform ESM diagnostic
| tracing during RTCS initialization, this can
| be initially activated using this parameter.
|
*
* ESM SAF Subsystem (RACROUTE SUBSYS) to be used by RTCS
*
+ SAFSUBSYS=&SSID
|
| This parameter specifies the RACROUTE SUBSYS
| (SAF Subsystem ID) that is to be used by the
| RTCS Security Manager. This value is normally
| required only when ACF2 is the indigenous ESM.
| If ACF2 has already been customized (for the
| MainView Security Service interface prior to
| release 6.0) to process RACROUTE invocations
| using a different SAF SUBSYS, such as BBI3,
| then that value may still be used, and should
| be specified here.
|
| The following values can be specified:
|
| SAFSUBSYS Description
| --------- -----------
| &SSID The MVS SSID that was specified in
| this initialization member, or was
| provided as a default by RTCS.
| &PRODUCT The internal (security) product
| name in whose product address space
| an ESM security environment is being
| created (via SIGNON or INHERIT).
| '' or ' ' Null, or one or more blanks: No
| SUBSYS= parameter is to be used
| on any SAF RACROUTE invocation.
| 'xxxxxxxx' A specific RACROUTE SUBSYS= value,
| consisting of up to 8 characters.
|
| Under most circumstances, RACF and Top Secret
| will effectively ignore the RACROUTE SUBSYS=
| specification. However, a value may still be
| usefully provided here, since the SUBSYS can
| be used to filter requests to be traced when
| using the Top Secret SECTRACE facility (as
| well as the ACF2 SECTRACE facility), and to
| subset RACROUTE requests to be traced if an
| IBM or OEM vendor facility (using RACF exits)
| has been installed to facilitate such tracing.
| So, a suitable value should be provided, even
| if RACF or TSS is in use, simply in support
| of any existing ESM-level diagnostic tracing
| facility.
|
*
* Default ESM RACROUTE system entry validation APPL ID
*
+ SECURITYAPPLID=&PRODUCT
|
| This parameter specifies the RACROUTE APPL
| (application name) that is to be used as the
| default SAF APPLication by the RTCS Security
| Manager (if none is specified by the product
| or the caller does not have an RTCS product
| definition, or the definition in the product
| or System Registry is null or blanks).
|
| The following values can be specified:
|
| SAFSUBSYS Description
| --------- -----------
| &SSID The MVS SSID that was specified in
| this initialization member, or was
| provided as a default by RTCS.
| &PRODUCT The internal (security) product
| name in whose product address space
| an ESM security environment is being
| created (via SIGNON or INHERIT) or
| a resource being authorized.
| &PRDAPPL The default product security APPL
| name, usually specified in the
| RTCS product definition in the
| package, or via the RTCS System
| Registry product, context, or
| server (instance) definition.
| '' or ' ' Null, or one or more blanks: No
| APPL= parameter is to be used
| on any SAF RACROUTE invocation.
| 'xxxxxxxx' A specific RACROUTE APPL= value,
| consisting of up to 8 characters.
|
== Runtime Component System (RTCS) Initialization Parameters ==
| Runtime Component System (RTCS) Initialization Parameters |
| |
| OSZ$PARM Distributed in SMP/E distribution library .DOSZCNTL |
| OSZ$PARM Installed into SMP/E target library .TOSZCNTL |
| OSZINI00 Customized in the z/OS Logical PARMLIB data set |
| |
| OSZ$PARM is customized by the installation and then |
| copied into the z/OS image Logical PARMLIB data set |
| (usually DSN=SYS1.PARMLIB). The RTCS Initiator will |
| attempt to locate and read the RTCS Initialization |
| Parameters member from an MVS Logical PARMLIB data |
| set (or SYS1.PARMLIB if no MVS image-specific data |
| set has been established). |
| |
| The default member name is OSZINI00, which can be |
| changed by specifying the INI=nn parameter in the |
| RTCS Initiator START command parameter field (the |
| 4th positional parameter). For example: |
| |
| START OSZINIT,,,(INI=42),SUB=MSTR |
| |
+----------------------------------------------------------------------+
== Runtime Component System (RTCS) Initialization Parameters ==
*
* MVS Subsystem Name to be used by the RTCS Subsystem.
*
+ SSID=RTCS
|
| The MVS Subsystem Name (SSID, or Subsystem ID) that is to
| be used by the RTCS Subsystem address space (OSZRTCS).
*
* Installation Verification Procedure (IVP) Mode
*
NOIVP /* [NO]IVP */
|
| In IVP mode, the RTCS Initiator performs all
| normal parameter verification and processing
| but does not START the RTCS Subsystem address
| space. IVP mode can also be specified in the
| parameter field (the 4th positional parameter)
| of the RTCS Initiator START command, as follows:
|
| START OSZINIT,,,(IVP=Y,LIST=Y)
|
| If IVP mode is requested on the START command,
| a specification of NOIVP in the Logical PARMLIB
| member will NOT disable IVP mode. Once IVP mode
| is in effect (either from the START command or
| from this member), it cannot then be disabled by
| specifying NOIVP (in this member).
|
*
* RTCS Subsystem address space started task PROC name.
*
+ OSZRTCS-PROC=OSZRTCS
|
| If not specified, then the default is the same PROC
| name that was used to start the RTCS initiator with
| 'RTCS' substituted for 'INIT', provided that 'INIT'
| appears in the RTCS Initiator PROC name. Else the
| default is OSZRTCS.
*
* RTCS Generalized Server started task PROC name.
*
+ OSZEXEC-PROC=OSZEXEC
|
| If not specified, the default is the RTCS Subsystem
| PROC name with 'EXEC' substituted for 'RTCS',
| provided that 'RTCS' appears in the RTCS Subsystem
| PROC name. Else the default is OSZEXEC.
*
* RTCS Product Program Library (.TOSZLINK, or a copy)
*
+ POSZLINK=
|
| If not specified, then this value will default to
| STEPLIB-DSName-prefix.[xosz]LINK, provided that the
| low-level qualifier of //STEPLIB is '.[xosz]RTCS'.
| Else the default is the same DSNAME as //STEPLIB.
*
* RTCS Hypertext Document Library (.TOSZHTML, or a copy)
*
+ POSZHTML=
|
| If not specified, then this value will default to
| STEPLIB-DSName-prefix.[xosz]HTML, provided that the
| low-level qualifier of //STEPLIB is '.[xosz]RTCS'.
*
* BMC Product (License) Authorization Table Library
*
+ POSZPSWD=
|
| If not specified, then this value will default to
| STEPLIB-DSName-prefix.[xosz]PSWD, provided that the
| low-level qualifier of //STEPLIB is '.[xosz]RTCS'.
|
| The Product (License) Authorization Table Library
| is a partitioned data set that contains product
| license table members that are created & updated
| by the BMC Licensing Facility batch password
| processing utility, OSZPATLU, or by the legacy
| ISPF-based BMC product password update facility.
| If no RTCS-based licensed products are being used
| then this DD statement may define any partitioned
| data set.
| MainView CAS-based product-only customers should
| simply allocate an empty, DSORG=PO,RECFM=U PDS[E]
| for this production library. The indicated data
| set will by dynamically allocated by the RTCS
| Initiator to ensure its existence and validity,
| but no MainView product will ever cause it to
| be subsequently dynamically allocated by the RTCS
| Subsystem or Generalized Server address spaces.
*
* DSNAME of RTCS System Registry VSAM Linear Data Set (VLDS)
*
+ SREGVLDS=SYS2.SHARED.RTCS.SYSTEM.REGISTRY
|
| If not specified, then this value will default to
| STEPLIB-DSName-prefix.REGISTRY, provided that the
| low-level qualifier of //STEPLIB is '.[xosz]RTCS'.
| Otherwise, there is no default, and this parameter
| must be specified.
|
| The System Registry contains configuration data for
| RTCS, the MainView CAS, RTCS-based products, and any
| RTCS-dependent product which has elected to use it.
| It must be a VSAM Linear Data Set (VSAM LDS or VLDS).
|
| The Registry data set MUST be cataloged, since it is
| a VSAM cluster. It is allocated using only its DSNAME.
| The System Registry VSAM LDS is read/write and cannot
| physically be shared, although it may be allocated on
| shared DASD. Only one RTCS Subsystem will be able to
| allocate a VSAM LDS for use as a Registry because it
| will be allocated DISP=OLD as required by the MVS DIV
| service.
|
| But the data in the System Registry VLDS can be shared
| among members of a Sysplex using XCF. When the System
| Registry is being shared among RTCS Subsystems running
| in a Sysplex, then only one RTCS Subsystem will have
| dynamically allocated the Registry VLDS. That system
| is called the Local Owner. Other systems can access
| data in the Registry (which is allocated to the Local
| Owner) using XCF to transmit requests and retrieve the
| the requested data in response. An RTCS Subsystem that
| is accessing data in the System Registry on the Local
| Owner via XCF is termed a Remote [Registry instance].
| It is not recommended, but it is possible to have a
| private, dedicated System Registry VLDS for each RTCS
| Subsystem. But the MainView CAS will not be able to
| share data with other CASs in the Sysplex if you do.
||
| The first time an RTCS Subsystem becomes the Local
| Owner of the VLDS and encounters a newly-allocated,
| uninitialized, never-before-used Linear Data Set,
| the RTCS Subsystem will initialize the contents of
| the Registry, populating it with all the structures
| required for RTCS Subsystem components and products.
|
*
* System Registry DIV Services Default Performance Parameters
*
DIV-SAVE-MINIMUM = 1 /* DIV Services interval 1: minimum */
DIV-SAVE-MAXIMUM = 6 /* DIV Services interval 2: maximum */
DIV-SAVE-IDLE = 60 /* DIV Services interval 3: idle */
DIV-SAVE-LIMIT = 4000 /* DIV Services batch update limit */
|
| The above parameters indicate the time that the Registry
| DIV Services subtask will wait prior to requesting that
| changes to the System Registry data space be hardened in
| the backing VSAM LDS. After the VLDS is updated, it will
| wait a minimum amount of time before the next request to
| update the VLDS will again be made, but no longer than
| the indicated maximum (after which a VLDS update will be
| forced). If the Registry is idle (not being changed) but
| potentially only being accessed [existing data retrieved],
| then the DIV Services subtask will idle for the indicated
| interval before waking up to check for pending requests.
| The amount of time that pending Registry VLDS updates are
| delayed is heuristically determined according to request
| frequency and arrival pattern, and will never less than
| the indicated minimum value, nor greater than the maximum.
| Regardless of the enforced minimum and maximum intervals
| that will cause the VLDS to be updated, if the number of
| changes exceeds the specified limit then the backing VLDS
| will be updated, hardening all pending changes on DASD.
|
| A MINIMUM interval of zero (0) indicates that all changes
| to the System Registry are to be immediately hardened in
| the backing VSAM LDS, without waiting or attempting to
| batch multiple changes together into a single update. We
| recommend that you do NOT specify DIV-SAVE-MINIMUM = 0.
*
* RTCS System Registry Sysplex Sharing Parameters
* -----------------------------------------------
*
+ REGISTRY-XCF-GROUP = OSZRTCSR /* System Registry XCF Group Name */
/* This parameter will be used only */
/* if some form of Sysplex Registry */
/* Sharing (see below) is specified.*/
ELIGIBLE-OWNER /* This member is ELIGIBLE to */
/* ALLOCATE (and then EXPOSE) */
/* the System Registry VLDS. */
/* RTCS Subsystem XCF members which */
/* are not eligible to own the RTCS */
/* System Registry VLDS will not be */
/* able to assist in recovery when */
/* the image that does own the */
/* Registry fails for any reason. */
/* */
/* RTCS Subsystems on small or */
/* slow MVS images should only */
/* remotely access an exposed */
/* System Registry and should */
/* not be eligible to allocate */
/* and expose/own the Registry. */
*
* RTCS System Registry Sysplex Sharing Options
* --------------------------------------------
*
| The following five options are mutually exclusive. Only
| one of them should be specified without the 'NO' prefix.
| The other four may be omitted (or specified with the 'NO'
| prefix as illustrated below). If more than one positive
| [not prefixed with 'NO'] option is specified, then the
| most restrictive one will become effective. The Registry
| sharing options are listed below in that precedence order
| (the most restrictive first, the least restrictive last).
| In other words, the first (in the order they are listed
| below) positive (not prefixed with 'NO') option specified
| is the one that will be effective and override any others.
|
NOPRIVATE-REGISTRY /* Exclusively allocate the System */
/* Registry VLDS on this image but */
/* do not establish any capability */
/* to share it with other images. */
/* The Registry cannot subsequently */
/* be exposed to other MVS images. */
/* If the System Registry VLDS can */
/* not be allocated DISP=OLD, then */
/* RTCS initialization will fail. */
NOALLOC-REGISTRY /* ALLOCate the System Registry on */
/* this MVS image, but do not (yet) */
/* EXPOSE it for the REMOTE images */
/* to be able to CONNECT to it. It */
/* can be exposed at a later time */
/* via an RTCS operator command. */
/* If the System Registry VLDS can */
/* not be allocated DISP=OLD, then */
/* RTCS initialization will fail. */
NOEXPOSE-REGISTRY /* ALLOCATE and EXPOSE the System */
/* Registry on this MVS image. */
/* If the System Registry VLDS can */
/* not be allocated DISP=OLD, then */
/* RTCS initialization will fail. */
SHARED-REGISTRY /* Setup a REMOTE Registry on this */
/* MVS image, then CONNECT to the */
/* System Registry if it is already */
/* EXPOSEd on another MVS image. */
/* If the Registry is not already */
/* EXPOSEd, then (if it has not yet */
/* been ALLOCated) ALLOCATE and */
/* EXPOSE the System Registry on */
/* this MVS image (if possible). */
/* If the System Registry VLDS can */
/* not be allocated DISP=OLD or if */
/* this system is unable to CONNECT */
/* to an already-EXPOSEd Registry */
/* on some other MVS image, then */
/* RTCS initialization will fail. */
NOREMOTE-REGISTRY /* CONNECT to a System Registry */
/* that has already been EXPOSEd */
/* on another MVS image. If this */
/* system is unable to CONNECT to */
/* an EXPOSEd System Registry, then */
/* RTCS initialization will fail. */
*
* External Security Manager (ESM) Type
*
+ ESMTYPE=AUTO
|
| External Security Manager (ESM) that is in
| use on this MVS image and which RTCS is to
| interface with. The default, and the value
| which most installations should specify, is
| AUTO. RTCS is usually able to determine the
| ESM that is being used on an MVS image, but
| under certain circumstances, it cannot do so.
| If this situation occurs, you may explicitly
| indicate which ESM is (or will be) used on
| this MVS image using the ESMTYPE= parameter.
|
| ESMTYPE= Description
| -------- -----------
| AUTO RTCS is to automatically determine,
| if possible, which ESM is in use.
| RACF RTCS is to assume RACF will be used.
| ACF2 RTCS is to assume ACF2 will be used.
| TSS RTCS is to assume TSS (Top Secret)
| will be used.
|
*
* Accept or reject attempts to use undefined ESM User IDs
*
+ UNDEFINEDUSERINHERIT=ACCEPT
|
+ UNDEFINEDUSERSIGNON=REJECT
|
| These two parameters specify the behavior
| when an undefined ESM User ID is provided
| (either by an end user or an application)
| as part of original system entry signon,
| or when attempting to inherit credentials
| on this image from an existing environment.
|
| The following values can be specified:
|
| Action Description
| ------ -----------
| ACCEPT RTCS is to allow the INHERIT or the
| SIGNON to proceed. RTCS or the ESM
| will provide a default User ID for
| the security environment that will
| be created as a consequence.
| REJECT RTCS is disallow the INHERIT or the
| SIGNON.
|
| By default, RTCS allows INHERITs to proceed,
| since it would then be assumed that the User
| ID being presented was at least valid in the
| Sysplex or CASplex somewhere, and disallows
| SIGNONs with an undefined User ID, since it
| is usually the case that an invalid User ID
| (that is, one that is not defined) is never
| to be allowed.
*
* Default ESM User ID used in place of an undefined one
*
+ DEFAULTUSERID=' '
|
| This parameter specifies the ESM User ID that
| is to be substituted for an undefined/invalid
| User ID presented for authentication, and the
| UNDEFINEDUSERINHERIT or the UNDEFINEDUSERSIGNON
| option, as appropriate, specifies ACCEPT, which
| indicates that the INHERIT or the SIGNON is to
| be allowed. The value of this parameter should
| usually be set to blanks, which triggers ESM-
| specific behavior to generate its own default
| User ID (USER, LOGONID, or ACID) according to
| well-documented ESM behavior or if allowed by
| ESM-specific security options and parameters.
*
* How to process GROUP IDENT credential during an INHERIT
*
+ GROUPINHERIT=ALWAYS
|
| This parameter specifies how the GROUP IDENT
| credential (GROUP name) is to be processed
| when a security identity is being INHERITed.
|
| The following values can be specified:
|
| Action Description
| ------ -----------
| ALWAYS RTCS is to pass the GROUP IDENT to
| the ESM unchanged. In order to be
| successful, the ESM must allow the
| use of that specific GROUP IDENT.
| In the case of RACF, specifically,
| this means that the User ID being
| INHERITed must be CONNECTed to the
| same, exact GROUP IDENT specified
| in the credentials in the RACF data
| base being used on this system image.
| NEVER RTCS is to ignore any specification
| of a GROUP IDENT (GROUP name) in the
| authentication credentials presented
| when attempting to INHERIT a User ID.
|
*
* ESM Security Interface diagnostic tracing
*
+ SECTRACE=NONE
|
| This parameter specifies the default level of
| diagnostic tracing that is to be performed for
| the RTCS External Security Manager interface.
|
| The following values can be specified:
|
| Action Description
| ------ -----------
| NONE No ESM interface tracing is to be done.
| SIMPLE Issue only simple trace messages.
| EXTENDED Extended tracing is to be performed.
| COMPLETE Complete tracing is to be performed.
|
| Security diagnostic tracing can be activated
| dynamically via an RTCS operator command, so
| NONE should normally be specified. However,
| if there is a need to perform ESM diagnostic
| tracing during RTCS initialization, this can
| be initially activated using this parameter.
|
*
* ESM SAF Subsystem (RACROUTE SUBSYS) to be used by RTCS
*
+ SAFSUBSYS=&SSID
|
| This parameter specifies the RACROUTE SUBSYS
| (SAF Subsystem ID) that is to be used by the
| RTCS Security Manager. This value is normally
| required only when ACF2 is the indigenous ESM.
| If ACF2 has already been customized (for the
| MainView Security Service interface prior to
| release 6.0) to process RACROUTE invocations
| using a different SAF SUBSYS, such as BBI3,
| then that value may still be used, and should
| be specified here.
|
| The following values can be specified:
|
| SAFSUBSYS Description
| --------- -----------
| &SSID The MVS SSID that was specified in
| this initialization member, or was
| provided as a default by RTCS.
| &PRODUCT The internal (security) product
| name in whose product address space
| an ESM security environment is being
| created (via SIGNON or INHERIT).
| '' or ' ' Null, or one or more blanks: No
| SUBSYS= parameter is to be used
| on any SAF RACROUTE invocation.
| 'xxxxxxxx' A specific RACROUTE SUBSYS= value,
| consisting of up to 8 characters.
|
| Under most circumstances, RACF and Top Secret
| will effectively ignore the RACROUTE SUBSYS=
| specification. However, a value may still be
| usefully provided here, since the SUBSYS can
| be used to filter requests to be traced when
| using the Top Secret SECTRACE facility (as
| well as the ACF2 SECTRACE facility), and to
| subset RACROUTE requests to be traced if an
| IBM or OEM vendor facility (using RACF exits)
| has been installed to facilitate such tracing.
| So, a suitable value should be provided, even
| if RACF or TSS is in use, simply in support
| of any existing ESM-level diagnostic tracing
| facility.
|
*
* Default ESM RACROUTE system entry validation APPL ID
*
+ SECURITYAPPLID=&PRODUCT
|
| This parameter specifies the RACROUTE APPL
| (application name) that is to be used as the
| default SAF APPLication by the RTCS Security
| Manager (if none is specified by the product
| or the caller does not have an RTCS product
| definition, or the definition in the product
| or System Registry is null or blanks).
|
| The following values can be specified:
|
| SAFSUBSYS Description
| --------- -----------
| &SSID The MVS SSID that was specified in
| this initialization member, or was
| provided as a default by RTCS.
| &PRODUCT The internal (security) product
| name in whose product address space
| an ESM security environment is being
| created (via SIGNON or INHERIT) or
| a resource being authorized.
| &PRDAPPL The default product security APPL
| name, usually specified in the
| RTCS product definition in the
| package, or via the RTCS System
| Registry product, context, or
| server (instance) definition.
| '' or ' ' Null, or one or more blanks: No
| APPL= parameter is to be used
| on any SAF RACROUTE invocation.
| 'xxxxxxxx' A specific RACROUTE APPL= value,
| consisting of up to 8 characters.
|
== Runtime Component System (RTCS) Initialization Parameters ==
Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*