SXCTL Parameters

The SXCTL parameter file specifies the parameters that you use for the NMSAF security solution and the NMSAFF security solution.
The NMSAF and NMSAFF security exits read the SXCTL file during initialization of your region:
  • Blank lines and lines with an asterisk (*) as the first non-blank character are ignored.
  • Other lines must contain a valid SXCTL parameter.
You can specify any of these parameters in the SXCTL file.
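A small checker for SXCTL parameter files, added here as an example written from the rules on this page (it is not Broadcom's parser and covers only the parameters described on this page); the spelling of the numbered parameters as USERFLAG1, USERNAME1 and so on, with the digit appended to the name, is an assumption.

```python
import re

NATIONAL = "@#$"   # the "national" characters allowed in user IDs and PDSNAME-format names
YESNO = {"APPCCHECK", "APPCMODEL", "CHANGEPWD", "CONCHECK", "DSSDSSEC", "DSSDUSEC",
         "DSSHSSEC", "DSSHUSEC", "REMODEL", "ROFCHECK", "ROFMODEL", "ROFPWD",
         "SYSCHECK", "TRACE", "TRACEMOD", "TRACEPL", "TSOMODEL", "TSOPWD"}
CHOICES = {"LOGONMSG": {"STD", "PCI"}, "TRACESAF": {"NO", "ERROR", "YES"},
           "MODEL": {"NO", "SYSPARM", "SINGLE", "LIST"},
           "VAPPCLINK": {"NO", "YES", "N12", "N21", "BOTH"}}
USERID = {"CONUID", "MODELNAME", "SYSUID", "USERUID"}   # "-" or a 1-8 character user ID
PDSNAME = {"RAPPL", "RCLASS", "USERNAME"}               # "-" or a PDSNAME-format name
LIMIT = {"MODELGROUP": 20, "USERFLAG": 8, "USERNAME": 4, "USERUID": 4}
WEAK = {("APPCCHECK", "NO"): "APPC sessions are not validated against security",
        ("LOGONMSG", "STD"): "failure message reveals which credential was wrong"}

def is_userid(v):
    return 1 <= len(v) <= 8 and all(c.isalnum() or c in NATIONAL for c in v)

def is_pdsname(v):   # first character alphabetic or national, the rest as for user IDs
    return is_userid(v) and not v[0].isdigit()

def check_sxctl(text):
    """Added checker (not Broadcom code): return (line_no, message) findings; [] means clean."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().upper()
        if not line or line.startswith("*"):   # blank and comment lines are ignored
            continue
        key, *args = line.split()
        base = re.sub(r"\d$", "", key)         # USERFLAG1 -> USERFLAG (assumed spelling)
        seen[base] = seen.get(base, 0) + 1
        if base in LIMIT and seen[base] > LIMIT[base]:
            findings.append((n, f"{base} repeated more than {LIMIT[base]} times"))
        if key in YESNO or base == "USERFLAG":
            ok = args in (["YES"], ["NO"])
        elif key in CHOICES:
            ok = len(args) == 1 and args[0] in CHOICES[key]
        elif base in USERID:
            ok = args == ["-"] or (len(args) == 1 and is_userid(args[0]))
        elif base in PDSNAME:
            ok = args == ["-"] or (len(args) == 1 and is_pdsname(args[0]))
        elif key == "MODELGROUP":              # saf.resource.name | *  modelname
            ok = len(args) == 2 and is_pdsname(args[1])
        else:
            ok = key in {"PROFILES", "STARTPROF", "ENDPROF"}
        if not ok:
            findings.append((n, f"unknown parameter or invalid value: {line}"))
        if (key, *args) in WEAK:
            findings.append((n, f"{line}: {WEAK[(key, *args)]}"))
    return findings
```

The two WEAK entries are the settings this page itself calls out (APPCCHECK NO exposes the region to unauthorized APPC sessions; LOGONMSG STD tells the caller which credential was wrong), so a review of a region's SXCTL can flag them before the region is started.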
  • APPCCHECK { NO | YES }
    Controls whether APPC user sessions are validated against security.
    Setting this parameter to NO exposes the region to unauthorized APPC sessions. This parameter does not apply to NMSAFF.
  • APPCMODEL { NO | YES }
    Controls whether an APPC user is eligible for model processing (if this region does not know the user).
    • NO
      (Default) The logon is rejected.
    • YES
      A model can be used (subject to model processing rules).
  • CHANGEPWD { NO | YES }
    Controls the use of the Password Change facility in your region.
    • NO
      (Default) Blocks attempts to use the UAMS Password Change facility, or any other password change interface (for example, using EASINET), and produces an error message. This setting prevents users from using these features to change their passwords (whether in UAMS or external security). This setting can be useful in distributed security environments where passwords must be changed by using a particular mechanism.
    • YES
      Allows the Password Change facility to be used (although the security system can reject or ignore it).
  • CONCHECK { YES | NO }
    Controls the checking of console user IDs. These user IDs are for system consoles.
    • YES
      (Default) The console user ID is presented to SAF.
    • NO
      The console user ID is not presented to SAF.
    If CONCHECK YES is specified, this user ID is presented before the CONUID user ID is presented.
  • CONUID { - | userid }
    Provides a single SAF user ID for all console environments for this region. This parameter can prevent the need to define individual console users to the security system. For CONCHECK YES, the value of CONUID is presented to SAF only if verification of the specific console user ID failed.
    • -
      Clears the value (blank).
    • userid
      Specifies the user ID.
      Limits:
      One through eight characters, with all characters alphanumeric or national
    Regardless of the settings of CONCHECK and CONUID, the logon procedure ignores a failure of a console user logon. The procedure permits the logon. If the user is not defined on UAMS, the procedure supplies default values.
  • DSSDSSEC { NO | YES }
    Controls whether data set services register system users for data set resource checking. This feature requires the NMSECDSS exit to be active.
  • DSSDUSEC { YES | NO }
    Controls whether data set services register normal users for data set resource checking. This feature requires the NMSECDSS exit to be active.
  • DSSHSSEC { NO | YES }
    Controls whether data set services register system users for the HFS file resource checking. This feature requires the NMSECDSS exit to be active.
  • DSSHUSEC { YES | NO }
    Controls whether data set services register normal users for the HFS file resource checking. This feature requires the NMSECDSS exit to be active.
  • LOGONMSG { STD | PCI }
    Specifies the message text that appears when users attempt to log in to the product with an incorrect user name or password.
    • STD
      (Default) Displays one of the following messages, whichever applies:
      • N20E01 USERID XXXXXXXX IS NOT KNOWN, REENTER OR LOGOFF
      • N20E02 PASSWORD IS INVALID, RE-ENTER
    • PCI
      Displays this message: NSX957 USERID OR PASSWORD DETAILS INCORRECT.
      This message complies with Payment Card Industry Data Security Standards (PCI DSS). These standards specify that users who attempt to log in to a product with an incorrect password or an incorrect user name receive a generic failure message that one of these credentials is incorrect. These standards enhance security by not informing potential hackers of which credential (user name or password) is valid.
  • MODEL { NO | SYSPARM | SINGLE | LIST }
    Controls the use of the MODEL user facility. If you use NMSAFF, specify MODEL LIST.
    • NO
      (Default) Specifies that no modeling is performed.
    • SYSPARM
      Specifies that the setting of SYSPARMS MODLUSER is used.
    • SINGLE
      Specifies that, if a model name is specified in SXCTL, it is used as the model.
    • LIST
      Specifies that, if a resource or model list is defined, it is used to determine the model name.
    You can control which logon types can participate in modeling.
  • MODELGROUP { saf.resource.name | * } modelname
    Supplies an entry in a list of SAF resource names and associated model names. The parameter can be repeated up to 20 times in the SXCTL file. The order in which the pairs of resource names and model names are specified is the order in which the resource names are tested. Specifying a resource name of * always matches (no SAF AUTH call is made).
    For MODEL LIST, each name is tested (using the class that the RCLASS parameter sets). Testing continues until a resource is found that the user has READ access to (or the * entry is reached). If a match is found, the associated model name is returned. If no match is found (and no * entry is found), then no model name is returned and the logon is rejected.
    If you use NMSAFF, a STARTPROF parameter must reference the model name.
    • saf.resource.name modelname
      Must be in valid PDSNAME format. The length must be one through eight characters. The first character must be alphabetic or national (@,#,$), and the rest must be alphanumeric or national.
  • MODELNAME { - | userid }
    Supplies the model name for modeling when MODEL SINGLE is specified (otherwise it is ignored). If no model name is specified (the default), the effect is the same as MODEL NO.
    • -
      Clears the value (blank). This setting can cause substitution by a default value.
    • userid
      Names the model.
      Limits:
      One through eight characters, with all characters alphanumeric or national
  • PROFILES
    (NMSAFF only) Begins the profile section.
    • STARTPROF modelname
      Begins the definition of a list of attributes and their values for modelname. The attribute names are defined in the SXCTL FIELD description of the structured fields. The MODELGROUP parameter defines modelname.
    • ENDPROF
      Ends the list of user attributes and values.
  • RAPPL { - | name }
    Sets the APPL value for RACROUTE calls.
    • -
      (Default) A dash means none; the primary ACB name is then used.
    • name
      Must be in valid PDSNAME format. The first character must be alphabetic or national (@,#,$), and the rest must be alphanumeric or national.
      Limits:
      One through eight characters
  • RCLASS { - | name }
    Sets the SAF resource class for most RACROUTE AUTH checks (for example, for model determination).
    • -
      (Default) A dash (-) means none; FACILITY is then used.
    • name
      Must be in valid PDSNAME format. The first character must be alphabetic or national (@,#,$), and the rest must be alphanumeric or national.
      Limits:
      One through eight characters
  • REMODEL { NO | YES }
    Specifies whether a user's SAF model is checked at every logon.
    • NO
      (Default) Specifies that the model is not checked.
    • YES
      Specifies that the model is checked at every logon. If this parameter is set to YES, and the SAF model changes, the system automatically updates the user's UAMS record.
  • ROFCHECK { YES | NO }
    Controls the SAF validation of a ROF (Remote Operator Facility) user. ROF users use the SIGNON and ROUTE commands from a remotely connected region to send commands to this one. The user ID is always the user ID that the user originally signed on with.
    • YES
      (Default) Validates the user by a SAF call. If the user is not known (or has been revoked, for example), the signon fails.
    • NO
      Makes no SAF call on this system for a ROF user.
  • ROFMODEL { NO | YES }
    Controls whether a ROF user is eligible for model processing (if this region does not know the user).
    • NO
      (Default) Rejects the logon.
    • YES
      Specifies that a model can be used (subject to model processing rules).
  • ROFPWD { YES | NO }
    Controls whether a password is required when signing on to this region by using the ROF SIGNON command.
    • YES
      (Default) Specifies that the SAF password (for the security system for this region) for the current user ID must be supplied on the SIGNON command. Otherwise, the signon is rejected.
    • NO
      Specifies that no password is required (SAF is asked to validate the user with no password if none is supplied).
    Specifying ROFPWD YES can cause problems with system user IDs. For example, an NCL process executing in these environments issues ROF signons to other regions. Then, when the requests come in, the user ID is not treated as a system user. Normal validation occurs. This scenario can be a problem if a password is required.
  • SYSCHECK { YES | NO }
    Controls the checking of system (or background) user IDs; for example, the BSYS and BLOG users, and the PPOP and AOMP regions.
    If SYSCHECK YES is specified, this user ID is presented before the SYSUID user ID is presented.
  • SYSUID { - | userid }
    This parameter provides a single SAF user ID to use for all the system (or background) user IDs for this region. This feature prevents the need to define multiple user IDs (such as NM01BSYS and NM01BMON) to the security system. For SYSCHECK YES, the value of SYSUID is presented to SAF only if verification of the specific system user ID failed.
    • -
      Clears the value (blank). This setting can cause substitution by a default value.
    • userid
      Specifies the user ID.
      Limits:
      One through eight characters, with all characters alphanumeric or national
    Regardless of the settings of SYSCHECK and SYSUID, the initialization procedure ignores a failure of a system user logon. The procedure continues initializing. If the user is not defined on UAMS, the procedure supplies default values.
  • TRACE { NO | YES }
    Enables tracing to the SXTRACE data set.
    • NO
      Disables all tracing, regardless of other trace options.
    • YES
      Enables tracing (provided the SXTRACE file can be opened during initialization), but other trace options must be set to cause actual tracing.
  • TRACEMOD { NO | YES }
    Enables tracing of the security exit module flow. Typically, this feature is used only on Broadcom Support request to track down errors in the exit.
    This option produces a large amount of trace output.
  • TRACEPL { NO | YES }
    Enables tracing of the parameter list for the security exit call on entry and exit. The trace includes the fields pointed to by parameters that are not null (except passwords).
  • TRACESAF { NO | ERROR | YES }
    Enables tracing of the results of RACROUTE (SAF) macro calls.
    • NO
      Disables all tracing.
    • ERROR
      Causes tracing of those RACROUTE calls that failed in some way.
    • YES
      Traces all RACROUTE calls. The trace includes the parameter list and return codes.
  • TSOMODEL { NO | YES }
    Controls whether a TSO user is eligible for model processing (if this region does not know the user).
    • NO
      (Default) Specifies that automatic model processing is not used. The user (if not defined to UAMS) is presented with a blank logon panel that uses normal logon processing rules.
    • YES
      Means that a model can be used (subject to model processing rules).
  • TSOPWD { YES | NO }
    Controls the requirement for a password when using the TSO pass through facility (the NMLOGON TSO command).
    • YES
      (Default) Specifies that the user is presented with a normal logon screen, and must enter the user ID and password to gain access.
    • NO
      Specifies that the user can log on with no password (if this logon is not blocked in the UAMS definition).
  • USERFLAGn { NO | YES }
    Sets a flag in the global area accessible to other exits. You can specify up to eight of these parameters. They can be used to control logic in installation-written exits, such as NCLEX01.
  • USERNAMEn { - | name }
    Sets a name value in the global area accessible to other exits. You can specify up to four of these parameters. They can be used as input data in installation-written exits, such as NCLEX01.
    • -
      Clears the value (blank). This setting can cause substitution by a default value.
    • name
      Must be in valid PDSNAME format. The first character must be alphabetic or national (@,#,$), and the rest must be alphanumeric or national.
      Limits:
      One through eight characters
  • USERUIDn { - | uid }
    Sets a user ID value in the global area accessible to other exits. You can specify up to four of these parameters. They can be used as input data in installation-written exits (such as NCLEX01).
    • -
      Clears the value (blank). This setting can cause substitution by a default value.
    • uid
      Specifies a user ID.
      Limits:
      One through eight characters, with all characters alphanumeric or national
  • VAPPCLINK { NO | YES | N12 | N21 | BOTH }
    Controls the activation of the APPC link security facility. The facility uses a SAF query to extract a password, with a resource class of APPCLU.
    • NO
      Disables the facility. No passwords are returned.
    • YES
      Performs a SAF resource query using network.locallu.remotelu. If the query works, the password is returned.
    • N12
      Is the same as YES.
    • N21
      Performs a SAF resource query using network.remotelu.locallu. If the query works, the password is returned.
    • BOTH
      Performs a SAF resource query using network.locallu.remotelu and then another SAF resource query using network.remotelu.locallu. If either of these queries works, the password is returned.
    Note: Advanced Program-to-Program Communication (APPC) supports the use of link-level passwords. Both the DEFLINK and LINK START commands for APPC allow the specification of a password. Alternatively, the commands can use PASSWORD=EXIT, which means that the security exit can return the password.
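The MODEL LIST lookup over MODELGROUP entries described above, as an added example that is not Broadcom's code: the SAF READ check (a RACROUTE AUTH call in the class named by RCLASS) is replaced by a constructed access table, and the resource/model pairs are read from a constructed SXCTL fragment.

```python
# Added illustration of the MODEL LIST lookup over MODELGROUP entries; this is
# not Broadcom's code, and the SAF READ check is simulated with a constructed table.

# Constructed access table: SAF resource name -> user IDs holding READ access.
# A real exit issues RACROUTE REQUEST=AUTH in the class named by RCLASS instead.
READ_ACCESS = {
    "NM.MODEL.ADMIN": {"ADM01"},
    "NM.MODEL.OPER": {"OPR01", "OPR02", "ADM01"},
}

def saf_read_access(userid, resource, access=READ_ACCESS):
    """Stand-in for the SAF AUTH call: True if userid has READ access to resource."""
    return userid in access.get(resource, set())

def parse_modelgroups(sxctl_text):
    """Collect MODELGROUP (resource, model) pairs in file order, the order they are tested in."""
    pairs = []
    for raw in sxctl_text.splitlines():
        line = raw.strip().upper()
        if not line or line.startswith("*"):      # blank and comment lines are ignored
            continue
        key, *args = line.split()
        if key == "MODELGROUP" and len(args) == 2:
            pairs.append((args[0], args[1]))
    if len(pairs) > 20:
        raise ValueError("MODELGROUP can be repeated at most 20 times")
    return pairs

def select_model(userid, pairs, access=READ_ACCESS):
    """Return the model name for userid under MODEL LIST, or None (logon rejected)."""
    for resource, model in pairs:
        if resource == "*":                        # always matches; no SAF AUTH call is made
            return model
        if saf_read_access(userid, resource, access):
            return model
    return None                                    # no match and no * entry

def catchall_shadows(pairs):
    """True if a * entry precedes other entries, which can then never be reached."""
    stars = [i for i, (resource, _) in enumerate(pairs) if resource == "*"]
    return bool(stars) and stars[0] < len(pairs) - 1

SXCTL = """\
MODEL LIST
MODELGROUP NM.MODEL.ADMIN ADMMODEL
MODELGROUP NM.MODEL.OPER  OPRMODEL
"""
```

Because entries are tested in file order and * always matches, a * entry placed before more specific entries silently hands every unknown user the catch-all model; catchall_shadows flags that ordering.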