How To Add Control Over ACCOUNT Field for TSO Sign On?

Document ID : KB000048698
Last Modified Date : 14/02/2018

Description:

The main goal here is to control the ACCOUNT field on every TSO logon.

Unfortunately, in the TSSINSTX POST-INIT entry, the field TXAIACCT, which should contain the address of the ACCOUNT field, is always empty.

Solution:

TSSINSTX is the Top Secret Site Security Installation Exit, which is documented in the CA Top Secret User Guide, Chapter 19:

Chapter 19: Extending Security With Site Security Exits.

The signon for normal TSO/E processing does NOT provide the ACTINFO= parameter, so the exit cannot check the ACCT information entered at logon time. That is why TXAIACCT is always zero.

However, if an SMS signon is required, that signon will provide the ACTINFO= information. This means that any procedure that contains a DD statement with DISP=NEW or DISP=MOD (including any DD statement without DISP=, as the default is DISP=NEW) will pass the account information to the exit, but any procedure without such a DD statement will NOT.

That makes TSSINSTX unreliable for checking account information on TSO logons. It is likely that TSO exits (possibly IKJEFLN2) would work better, although the coding would be substantially different.

That said, TSSINSTX can be used if the two conditions below are met:

First, SMS must be active on the system.

Second, a temporary dataset must be allocated in every TSO procedure.

For example:


//DUMMYDD  DD  UNIT=SYSDA,SPACE=(TRK,(1,1))   
 
Then the TSSINSTX POST-INIT entry code could be:     
 
         L     R2,TXAITYPE         TSO?
         CLI   0(R2),X'03'
         BNE   EXIT0               NO GET OUT
         ICM   R8,15,TXA#PGMS
         BZ    EXIT0
         LA    R8,10(R8)           SKRUNPG1 (SMS)
         CLC   0(8,R8),=C'IEFNB903'
         BNE   EXIT0               No SMS call
         CLC   TXAIACCT,=F'0'
         BNE   ACCTFND
         WTO   'POSTINIT DID NOT FIND ACCT INFO'
         B     EXIT0
ACCTFND  DS    0H
         WTO   'POSTINIT FOUND ACCT INFO'
         B     EXIT0

This code ensures that the check is made only on the event from which the ACCOUNT data can be retrieved.
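
To audit which logon procedures meet the second condition, the following added example (not part of the original article or of CA Top Secret) scans JCL text for DD statements with DISP=NEW, DISP=MOD or no DISP=, and lists those that would cause the account information to be passed. It assumes operands contain no quoted blanks and that DUMMY, in-stream, SYSOUT= and TERM= DD statements do not count; the procedures and dataset names are constructed.

```python
import re

# DD forms that allocate no dataset. Skipping them is an assumption of this
# example; the article only mentions DISP=NEW, DISP=MOD, or no DISP= at all.
NON_DATASET = re.compile(r"^(\*|DATA|DUMMY)(,|$)|(^|,)(SYSOUT|TERM)=")
DISP = re.compile(r"(?:^|,)DISP=\(?([A-Z]*)")

def dd_statements(jcl):
    """Return [ddname, operands] per DD statement, joining continuations."""
    stmts, cur = [], None
    for raw in jcl.splitlines():
        line = raw[:71].rstrip()          # columns 72-80 are not operands
        if not line.startswith("//") or line.startswith("//*"):
            continue                      # not a JCL statement, or a comment
        fields = line[2:].split()
        if not fields:
            cur = None                    # null statement
        elif cur and cur[1].endswith(",") and line[2] == " ":
            cur[1] += fields[0]           # continued operand field
        else:
            name = fields.pop(0) if line[2] != " " else ""
            if len(fields) >= 2 and fields[0] == "DD":
                cur = [name, fields[1]]
                stmts.append(cur)
            else:
                cur = None                # EXEC, PROC, PEND, ...
    return stmts

def disposition(operands):
    """Status subparameter of DISP=; NEW when DISP= or the status is omitted."""
    m = DISP.search(operands)
    return (m.group(1) if m else "") or "NEW"

def triggering_dds(jcl):
    """DD names that, per the article, cause ACTINFO= to reach TSSINSTX."""
    return [name for name, ops in dd_statements(jcl)
            if not NON_DATASET.search(ops) and disposition(ops) in ("NEW", "MOD")]

# Constructed logon procedures; the dataset names are made up.
PROC_PLAIN = ("//TSOPROC  EXEC PGM=IKJEFT01,DYNAMNBR=100\n"
              "//SYSPROC  DD  DSN=SITE.CLIST,DISP=SHR\n"
              "//SYSTSPRT DD  TERM=TS\n")
PROC_TEMP = PROC_PLAIN + "//DUMMYDD  DD  UNIT=SYSDA,SPACE=(TRK,(1,1))\n"
PROC_CONT = PROC_PLAIN + ("//LOGDD    DD  DSN=SITE.LOGON.LOG,\n"
                          "//             DISP=(MOD,KEEP)\n")

if __name__ == "__main__":
    for proc in (PROC_PLAIN, PROC_TEMP, PROC_CONT):
        print(triggering_dds(proc) or "no ACTINFO=: TXAIACCT stays zero")
```

A procedure for which the list comes back empty is one where the POST-INIT check above never sees the account data.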