Single System Image complex, the Access Control Interface exit routines

Document ID : KB000012487
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:

Currently running DIRMAINT in a z/VM 6.3 SSI environment and we plan to convert to VMSECURE with Rules.

 

I cloned my sandbox cluster in 2nd level to test out the implementation and built the CP component of Rules into the CP nucleus.

After shutting down one of the members, we tried to IPL which failed with:

HCPPLM1663E SSI function JOIN has failed for service Security.

 

HCPPLM1697I The state of SSI system VMLNX4A has changed from JOINING to ISOLATED

HCPPLM1698I The mode of the SSI cluster is SAFE

 

There is mention in the VM:Secure Installation guide that in a Single System Image complex, the Access Control Interface exit routines

supplied as part of the Rules facility, must be installed in the CP nucleus on every member at the same time.

 

 

 

Answer:

The requirement that the CP components for an External Security Manager product be the same in all members of an SSI complex is specified by IBM. The same characteristic applies to RACF, Top Secret, and ACF/2. All authorizations for access to resources must be the same in every member, so IBM enforces this. A given USER must have the same permission to access a given resource on every member.