On Wed, 25 Jun 2014 16:14:32 -0700, Phil Smith <[email protected]> wrote:

>Walt Farrell wrote:
>>Generally DB2 will either have the client ACEE in its own address space, or 
>>will have a valid cross-memory environment between itself and its client. 
>>Whenever DB2 is calling RACF to perform a security check DB2 will pass the 
>>ACEE to FASTAUTH, and thus the ACEE will either be in DB2 (P=H=S) or in the 
>>client (P<>H=S). I don't remember what ALET DB2 passes to RACF for the latter 
>>case, but it seems likely it would pass the ALET for Home, rather than 
>>acquiring another one.
>
>Just a reminder: this is a DB2 FIELDPROC user exit, not DB2 itself. Which adds 
>yet another layer of indeterminacy.
>

Does that user exit run in a different address space? If not, my comments about 
the ACEE location and cross-memory relationship remain valid, don't they?

If it does run in the DB2 address space, then the problem would seem to be that 
you're not really processing within the exit, but have gone cross-memory from 
it to your own server. But still, I would think that the ALET for Home would 
work for the case where DB2 was in a cross-memory relationship with the client. 
And in the case where DB2 has the ACEE in its own address space, the ALET for 
Home should also work.

By the way, an approach I have generally recommended is, where practical, to do 
the security checking before switching address spaces. This is possible using a 
two-phase approach. Phase 1 involves a non-SS PC routine, invocable by callers 
in any state/key, which analyzes the parameters and makes the security check. 
If the security check passes, phase 1 then invokes phase 2 processing by 
invoking the space-switching PC, which is defined as requiring supervisor state 
so it cannot be bypassed by a problem state caller trying to call it directly. 
I don't know how easily that would work for you, but it would eliminate the 
aspects of space-switching from the question of how you locate the ACEE and 
make the security call.

-- 
Walt

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
