SAF interface protected VTS-TSR start up and validation

This section provides an example of how to authorize, start up and access a Read-write SAF interface protected VTS-TSR. Steps are also provided to validate that a user with no access to the VTS is denied access.

Step 1—Create DK1VBASE for SAF protected VTS

To start up a SAF protected VTS Agent, you must set the RACF_VTS parameter to Y and relink DK1VBASE. The TSRACCESS parameter has a default value of RW for a Read-write VTS, so this exercise does not modify it.

For more information on the RACF_VTS parameter, see tableBASE run-time options. The default values for this product are provided under Default VTS parameters and are also defined in:

  • your.prefix.SRC(DK1V1134)

To change the RACF_VTS parameter and relink DK1VBASE for the example test:

  1. Modify the jobstream RCVTSJ1 in your.prefix.CNTL, specifically:
    • jobname statement
    • dataset name in SYSLIB statement of ASM step to point to
      • your.prefix.SRC
    • dataset name in V11LIB statement of LKED step to point to
      • your.prefix.LOAD
    • dataset name in SYSLMOD statement of LKED step to point to an APF authorized load library for the test.
    Note:
    You can use the same APF authorized test load library that was used in Read-only VTS-TSR start up and validation. This will replace the DK1VBASE module with parameter settings for SAF protection.
  2. Execute RCVTSJ1 and confirm a successful return code.

Step 2—Authorize start up and access to SAF protected VTS

An SAF protected VTS requires that a resource profile for the VTS be set up in the Facility class. A minimum of CONTROL access is required to start up an SAF protected VTS.

For more information on access control for SAF protected VTS-TSRs, refer to the tableBASE Administration Guide.

Using the SAF interface tool for your installation, set up and allow a minimum of CONTROL access to the installer’s user-id for the following resource profile in the Facility class:

  • DK1.VTS.lparname.RCVTSDK1

lparname is the name of the LPAR under which this validation is being carried out.

Step 3—Start up SAF protected VTS Agent

This step starts up the SAF protected VTS Agent, first using a user-id with no access, then using a user-id with CONTROL access.

  1. Ensure that the tableBASE PC Server is running.
  2. Modify the jobstream RCVTSJ2 in your.prefix.CNTL, specifically:
    Figure 8. Modify RCVTSJ2
  3. Using any user-id without authorization to access the VTS, execute RCVTSJ2. The following error messages should be displayed in the JES log:
    ICH408I USER(user-id   ) GROUP(groupname  ) NAME(name   )
      DK1.VTS.lparname.RCVTSDK1 CL(FACILITY)
      INSUFFICIENT ACCESS AUTHORITY
      FROM DK1.VTS.lparname.RCVTSDK1 (G)
      ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE    )
    DK100608E Not authorized to start VTS resource: DK1.VTS.lparname.RCVTSDK1
  4. Using the user-id that was granted CONTROL access to the VTS in Step 2—Authorize start up and access to SAF protected VTS, execute RCVTSJ2 and confirm a successful return code.

    Check the JES log for the following messages:

    .
    DK100251I     RACF_VTS         *= Y
    .
    DK100251I     TSRACCESS        *= RW
    .
    DK100600I tableBASE V700 VTS RCVTSDK1 initialized.

Step 4—Load and validate SAF protected VTS

This step executes the validation job to open a table and access the table on the VTS.

  1. Modify the jobstream RCVTSJ3 in your.prefix.CNTL, specifically:
    • jobname statement
    • dataset name in TBEXEC step to point to your.prefix.LOAD
    • dataset name in TBDRIVER step to point to your.prefix.LOAD
  2. Using any user-id without authorization to access the VTS, execute RCVTSJ3. The following errors should appear in the job output:
    1. A series of error messages in the JES log of the form:
      ICH408I USER(user-id   ) GROUP(groupname  ) NAME(name   )
        DK1.VTS.lparname.RCVTSDK1 CL(FACILITY)
        INSUFFICIENT ACCESS AUTHORITY
        FROM DK1.VTS.lparname.RCVTSDK1 (G)
        ACCESS INTENT(UPDATE) ACCESS ALLOWED(NONE )
      ICH408I USER(user-id   ) GROUP(groupname  ) NAME(name   )
        DK1.VTS.lparname.RCVTSDK1 CL(FACILITY)
        INSUFFICIENT ACCESS AUTHORITY
        FROM DK1.VTS.lparname.RCVTSDK1 (G)
        ACCESS INTENT(READ) ACCESS ALLOWED(NONE    )
    2. The SYSOUT of the TBDRIVER step should display a series of 1072-4 and 1072-3 return codes and sub-codes.
  3. Using the user-id that was granted CONTROL access to the VTS in Step 2—Authorize start up and access to SAF protected VTS, execute RCVTSJ3 and confirm a successful return code.

Step 5—Stop the SAF protected VTS

  1. Using any user-id without authorization to access the VTS, stop the VTS Agent using the MVS command:
    P RCVTSJ2

    This should fail with the following error messages:

    ICH408I USER(user-id   ) GROUP(groupname  ) NAME(name   )
      DK1.VTS.lparname.RCVTSDK1 CL(FACILITY)
      INSUFFICIENT ACCESS AUTHORITY
      FROM DK1.VTS.lparname.RCVTSDK1 (G)
      ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE    )
    DK100639E Not authorized to stop VTS resource: DK1.VTS.lparname.RCVTSDK1
  2. Using the user-id that was granted CONTROL access to the VTS in Step 2—Authorize start up and access to SAF protected VTS, stop the VTS Agent using the MVS command:
    P RCVTSJ2

    This should be successful with the following message:

    DK100634I STOP command received, V700 VTS RCVTSDK1 terminating
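
The denials expected in Steps 3 to 5 can be checked from a saved JES log rather than by eye. The following Python is an added example, not part of the tableBASE product or its documentation: it parses ICH408I messages in the layout shown above and reports anything that differs from the documented negative-test result. The user-id, group and LPAR name in the sample log are constructed, and the function names are this example's own.

```python
import re

MSG_ID = re.compile(r"^([A-Z]{2,4}\d{3,6}[A-Z])\b")
DENIAL = re.compile(
    r"USER\((?P<user>\S+)\s*\).*?(?P<resource>\S+)\s+CL\((?P<cls>\w+)\s*\)"
    r".*?ACCESS INTENT\((?P<intent>\w+)\s*\)\s+ACCESS ALLOWED\((?P<allowed>\w+)\s*\)")

# Constructed sample (Step 3, unauthorized start); TESTU01, TESTGRP, LPAR1 are made up.
SAMPLE_LOG = """\
ICH408I USER(TESTU01 ) GROUP(TESTGRP ) NAME(TEST USER           )
  DK1.VTS.LPAR1.RCVTSDK1 CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  FROM DK1.VTS.LPAR1.RCVTSDK1 (G)
  ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE    )
DK100608E Not authorized to start VTS resource: DK1.VTS.LPAR1.RCVTSDK1
"""

def parse_messages(log):
    """Join each message id with its continuation lines: [(id, text), ...]."""
    messages = []
    for raw in log.splitlines():
        line = raw.strip()
        m = MSG_ID.match(line)
        if m:
            messages.append([m.group(1), line])
        elif line and messages:
            messages[-1][1] += " " + line
    return [tuple(msg) for msg in messages]

def denials(log):
    """Return one dict of fields per ICH408I access violation in the log."""
    hits = (DENIAL.search(t) for mid, t in parse_messages(log) if mid == "ICH408I")
    return [h.groupdict() for h in hits if h]

def verify_denied(log, resource, intents, product_msg=None):
    """Return findings; an empty list means the denial matches the documented one."""
    findings = []
    seen = {d["intent"]: d for d in denials(log)
            if d["resource"] == resource and d["cls"] == "FACILITY"}
    for intent in intents:
        hit = seen.get(intent)
        if hit is None:
            findings.append(f"no ICH408I for {intent} on {resource}")
        elif hit["allowed"] != "NONE":
            findings.append(f"{hit['user']} holds {hit['allowed']}, expected NONE")
    ids = [mid for mid, _ in parse_messages(log)]
    if product_msg and product_msg not in ids:
        findings.append(f"{product_msg} not logged")
    return findings
```

For the Step 3 log call `verify_denied(log, resource, ["CONTROL"], "DK100608E")`; for Step 4 pass `["UPDATE", "READ"]` with no product message, and for Step 5 pass `["CONTROL"]` with `DK100639E`.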