I have specified my security package with EXTSEC and also have ACFEXT=NO. How does this affect my security with CA ROSCOE?

Document ID : KB000024338
Last Modified Date : 14/02/2018

Question: 

What does EXTSEC actually do if it doesn't turn on external security?  How do I turn it on?

Environment:

CA ACF2, IBM RACF, CA Top Secret

Answer: 

With EXTSEC, you are specifying which security package should be used when external security is called. Specifying EXTSEC does NOT set EXTERNAL security on. It tells Roscoe to use your security package IF it makes any external security calls. If you have specified ACFEXT=NO, you are running with Roscoe internal security and relying on your own user-written exits to provide security.

The key to external security is the ACFEXT= parameter. If specified as "YES" and you have specified an external security package with EXTSEC, external security checking is turned on and will be initiated at user sign on. It must be specified as "YES" for any other external security parameters to be valid. In addition, if you are running with IBM RACF, you must define the RO@RES resource class. See TEC475388 ROS453I: Resource Class RO@RES Inactive or not Defined to Security System - RC=08. You may run with a combination of external and internal security.  

  • The other external security parameters are listed below. You may set these to YES only if you have set ACFEXT=YES.
CLLEXT=YES       EXTERNAL SECURITY FOR CALLS W/ETSO
JOBEXT=YES       EXTERNAL SECURITY JESSPOOL CHECKS W/ATTACH JOB
LIBEXT=YES       EXTERNAL SECURITY FOR LIBRARY ADMINISTRATION
MONEXT=YES       EXTERNAL SECURITY FOR MONITOR ROUTINES.
PRVEXT=YES       EXTERNAL SECURITY FOR PRIV COMMANDS.
RPFEXT=YES       EXTERNAL SECURITY FOR RPF EXECUTION
UPSEXT=YES       EXTERNAL SECURITY FOR UPS ADMINISTRATION.
  • You may verify whether you are running with internal security by reviewing your Roscoe joblog. If you have ACFEXT=NO, you will see:
ROS451I: Internal Security set for ROSCMD.ETSO
ROS451I: Internal Security set for ROSCMD.MONITOR
ROS451I: Internal Security set for ROSCMD.RPF
ROS451I: Internal Security set for ROSCMD.PRIV
ROS451I: Internal Security set for EXIT.ACFEXIT
ROS451I: Internal Security set for EXIT.JOBQEXIT
ROS451I: Internal Security set for ROSCMD.ROSLIB
ROS451I: Internal Security set for ROSCMD.ROSUPS
  • If you are running internal security, this is what happens:

This is a list of the security exits which CA ROSCOE calls if internal security is being used. They are called if they are present in the Roscoe load library. No parameters are required to "turn on" the exits. These are all user-written exits, so you will need to examine your source code to determine what security calls are being made.

ACFEXIT Control access to CA Roscoe. (Sign on)
DSAEXIT Verify that a terminal user is authorized to access a requested data set.
BEXEXIT Verify that the batch programs LIBSERVE, ROSCOPY and ROSDATA may execute.
AUTEXIT Control automatic terminal processing facilities (Inactivity and screen lock)
CLLEXIT Called whenever the CALL command is executed to execute an ETSO application
CMDEXIT|CMDEXIT2 Invoked during the interpretation of every CA Roscoe and RPF command.
DSFEXIT Controls certain aspects of processing performed by the Data Set Facility
LIBEXIT Controls certain aspects of the processing performed by the Library Facility
OUTEXIT Used to control the terminal user's ability to attach and view job output.
SIGEXIT Invoked during sign-on.
SMFEXIT Invoked at system initialization and whenever CA Roscoe writes an SMF record.
SUBEXIT Invoked at SUBMIT time.
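
The two checks described above, as an added example that is not part of the CA document: flagging parameters that depend on ACFEXT=YES, and listing the resources the joblog reports with ROS451I. The parameter layout (one KEYWORD=VALUE per line, trailing text as a comment), the joblog line prefix, the treatment of a missing ACFEXT as "not YES", and all sample data are assumptions.

```python
import re

# Parameters the page says may be YES only when ACFEXT=YES.
DEPENDENT = ("CLLEXT", "JOBEXT", "LIBEXT", "MONEXT", "PRVEXT", "RPFEXT", "UPSEXT")
ROS451I = re.compile(r"ROS451I: Internal Security set for (\S+)")
PARAM = re.compile(r"^\s*([A-Z]+)=(\S+)")  # assumed layout: KEYWORD=VALUE comment

def parse_params(text):
    """Return {KEYWORD: VALUE}; text after the value is treated as a comment."""
    params = {}
    for line in text.splitlines():
        m = PARAM.match(line)
        if m:
            params[m.group(1)] = m.group(2).upper()
    return params

def check_params(text):
    """Flag settings that do not turn external security on as the page describes."""
    p = parse_params(text)
    findings = []
    if p.get("ACFEXT") != "YES":  # assumption: a missing ACFEXT counts as not YES
        if "EXTSEC" in p:
            findings.append("EXTSEC is set but ACFEXT is not YES: "
                            "internal security and user-written exits apply")
        findings += [f"{k}=YES is not valid without ACFEXT=YES"
                     for k in DEPENDENT if p.get(k) == "YES"]
    return findings

def internal_resources(joblog):
    """Resources the joblog reports as running with internal security."""
    return [m.group(1) for m in ROS451I.finditer(joblog)]

# Constructed sample input; <package> is a placeholder, not a real EXTSEC value.
SAMPLE_PARAMS = """\
EXTSEC=<package>
ACFEXT=NO
LIBEXT=YES       EXTERNAL SECURITY FOR LIBRARY ADMINISTRATION
PRVEXT=NO
"""
SAMPLE_JOBLOG = """\
09.15.02 JOB01234  ROS451I: Internal Security set for ROSCMD.ETSO
09.15.02 JOB01234  ROS451I: Internal Security set for EXIT.ACFEXIT
09.15.03 JOB01234  CONSTRUCTED UNRELATED MESSAGE
"""

if __name__ == "__main__":
    for finding in check_params(SAMPLE_PARAMS):
        print("PARAM :", finding)
    for resource in internal_resources(SAMPLE_JOBLOG):
        print("JOBLOG: internal security for", resource)
```

Any resource returned by internal_resources is one whose protection depends on the corresponding user-written exit, so that exit's source is what needs review.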

Additional Information:

For additional information, please see the CA ROSCOE Security Administration Guide and also TEC425121 - Implementing External Security for CA Roscoe.