CICS Access to RACF

CICS doesn’t supply much  access directly to RACF info via the API. But there is a supported way to obtain a lot of RACF information about the current user. And it can be done in plain ol’ COBOL.

EXEC CICS ADDRESS ACEE will provide access to the RACF ACEE control block. (ACEE stands for Access Control Environment Element. Maybe it will come up in a trivia question some day. Probably not. The important thing to know is that it is a block of storage containing RACF information which can be addressed from application programs.) From there, it is possible to easily obtain the user’s primary RACF group and the user’s name (as it is recorded in RACF).

The layout of the ACEE control block is documented in SYS1.MACLIB(IHAACEE). Unfortunately, there is not a COBOL copybook provided, so to access this information in a COBOL program, we have to code our own storage definitions. The following are based on SYS1.MACLIB(IHAACEE):

01 ACEE.
   05 FILLER PIC    X(021).
   05 ACEEUSRI PIC  X(008).
   05 FILLER PIC    X(001).
   05 ACEEGRPN PIC  X(008).
   05 FILLER PIC    X(062).
   05 ACEEUNAM-POINTER USAGE IS  POINTER.
01  ACEE-USER-NAME.
   05 FILLER PIC    X(001).
   05 ACEEUNAM PIC  X(020).

And we need a piece of miscellaneous working storage to hold a pointer:

77  WS-ACEE-ADDR-POINTER USAGE IS  POINTER.

Now, if we execute the following, we’ll have the address of the ACEE control block in that pointer:

EXEC CICS
ADDRESS ACEE  (WS-ACEE-ADDR-POINTER)
END-EXEC.

And then the following commands will make the RACF information addressable by our storage definitions:

SET ADDRESS OF ACEE TO WS-ACEE-ADDR-POINTER.
SET ADDRESS OF ACEE-USER-NAME TO ACEEUNAM-POINTER.

Now we have the user’s RACF id in ACEEUSRI, the user’s primary RACF group in ACEEGRPN, and the user’s name in ACEEUNAM. Very simple – just a matter of knowing how to address the information.

In a future post, we’ll continue this and see how we can obtain all of the RACF groups to which the user’s RACF id is connected.

Advertisements

16 responses to “CICS Access to RACF

  1. This information was very helpful and I am anxiously awaiting the your posting on how to obtain all of the RACF groups to which the user’s RACF id is connected.

  2. I use the EXEC CICS ADDRESS ACEE to get RACF info about a user. However, what I am attempting to do now is determine if a transid is secured by RACF. We were not using RACF to secure our transids, but we are now. We also have a screen that lists the transids and some other information. What I am wanting to see is if a transid is secured, not necessarily, if I the user has access.

  3. Hello Sir,
    Thanks for the useful info. My shop is migrating from RACF to TOP SECRET and we are looking to change the programs that use ACEE. As per RACF Admin, TOP SECRET will no longer support ACE environment. So, we are looking to convert this to Standard RACF so it gets supported in both RACF and TOP SECRET.

    The CICS code is basically checking the list of RACF groups a user is member of. How do we do this through standard RACF Calls, like CICS QUERY SECURITY ?

    • Thanks for your comments. I’m afraid you’re going to find there aren’t very many API’s for accessing SAF information, like EXEC CICS QUERY SECURITY. That’s why I had to “jump through the hoops” to access the ACEE to find out info like the list of groups to which one belongs. You may need another product or maybe investigate LDAP if you are needing more info than the API’s and ACEE can provide. Best of luck with your project!

      Steve
      theCICSguy

  4. Is possible utilize the callables services Unix system services and the callables services RACF also in the cobol language for abtain the result.

    the callables services for Open Edition (BPX1SEC, BPX1GUG, BPX1ACK, ETC)
    the callebles services RACF (IRRSPK00,IRRSIM00, ETC)

    Mauro
    Italy

    • Hi, Mauro.

      Thanks for checking out the blog. I know that the RACF callable services are not supported under CICS, and the OE ones are likely not supported either – you may want to check to see if the OPENAPI attribute on the PPT definition to see if it may allow for it. Either or both may work, even if not supported; we’ve run a program that issues RACF calls for years, knowing it wasn’t supported. CICS/TS 3.1 caused problems between this program and DB2. We had contacted IBM initially, but when they saw what we were doing they (rightly) told us what we were doing was not supported and that they couldn’t help us. However, knowing that the issue was a conflict between this program and DB2 helped; we got around the issue by moving that program into a region that did not have DB2. We know we’ll eventually have to do something else, but that’s the risk you take when you run unsupported code.

      Good luck with your project!

      Steve

  5. hello Steve
    Callables there are two services types for RACF:
    in supervisor
    in problem state.
    supervisor need to be authorized by SVC.
    those were the problem can be called safely and properly functioning.
    we use these functions with a transactional load of 1000 for second in a CICSPlex and have never taken a DB2 MQSeries abend with Unix.

    the first Callables services utilized is BPX1ACK for verify in environment CICS SOCKET INTERFACE if external User is authorized to run the specific applications.

    Second utility is RACF IRRSPK00 utility for generate PASSTICKET .

    an example is show following.

    move x’0003′ to r-fc.
    move x’00000001′ to ticket-option.
    move zeroes to option-word.

    CALL ‘IRRSPK00’ USING workarea
    alet1 saf-retcode
    alet2 racf-retcode
    alet3 racf-reascode
    alet4 function-code
    option-word
    ticket-area
    ticket-optr
    ticket-princ-user
    ticket-applid.

    move ticket-passtkt to lk-tkt.
    move saf-retcode to lk-safrc.
    move racf-retcode to lk-racfrc.
    move racf-reascode to lk-racfrsn.
    for Unix System Services

    the callables services are all available.

    i will do the cics trace for view the possible swith for OPENAPI

    mauro

  6. yes sir

  7. The RACF Callable Services manual specifies that the services are called in synchronous mode, which means the caller is in a hard WAIT until the RACF address space returns from executing the command (or the RACF extract finished within the caller’s address space).
    Would this not impact multitasking within CICS?

  8. le chiamate alla SAFROUTE sono tutte sincrone per cui o viene eseguita una RACROUTE di tipo verify o una RACROUTE di altro tipo o una callables services RACF IRRSPK00 l’unica accortezza, se veramente è necessario, è considerare le OPENAPI come descritto nella reply del 4 ottobre 2010.

    tale tecnica è stata anche discussa con in centro di supporto IBM.

    mauro

  9. Hello Steve,

    Thank you for the info. I have similar need in Top Secret installation. The only difference is that I need a User profile info [like department, location etc] for a specific User from an MQ triggered transaction. Since the transaction runs under CICS default User, I need to be able to query Top Secret files for a specific User [User ID is in the MQ message]

    Is there a way to invoke the Top secret Interface: TSSCAI for this? If not, is there any other way to get this info from Top Secret?

    Thanks in advance for any help on this

    Regards,
    Shibu

    • Hi, Shibu.

      I have no experience with Top Secret, but I suspect that, like RACF, there is not a supported way for the default CICS user to obtain that information (assuming it is a very limited user).

      Steve

  10. Hi Steve,

    We are facing one issue in our shiop in which users who are logging through web based application are not able to update RACF las login hence they get revoked automatically after 60 days. is there a EXEC command through which I can update the LAST ACCESS in RACF whenever user logs on to web based application.
    Appriciate your help.

    Harish

    • Hi, Harish.

      If the web application is not signing on (which is what it sounds like), you may be out of luck. If you can update the application to perform an EXEC CICS SIGNON, then it will update the LAST ACCESS in RACF. But if you don’t sign on, it’s not going to get updated.

      Good luck!

      Steve

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s