> - ICHALTSP is an interface made available to the owner of the alternate > security product being used on this system, as a means of starting that > alternate security product in the same "window" when RACF is started, > i.e., before started tasks and jobs can start. > > FWIW, "ALTSP" does indeed stand for ALTernate Security Product.
Thanks Peter, you've saved me from searching for the string ICHALTSP in all IBM modules. I figured that this was the mechanism to get CAMASTER up and running, since a true API *requires* to be in control first to call the API. So CA (mis)uses this interface/agreement to get themselves a trusted address space for *all* of their products, not just ACF2 and TSS, which (according to the CA website) were not even the first exploiters of CAMASTER. >On systems that run an unmodified SAF (as supplied by IBM), all address spaces >that start during NIP are initially TRUSTED and none has a user ID, because >there are no security services available to assign anything else that early in >the system's life. They also only have limited services available for their >use. Later, after the security services become available during MSI, some of >those early address spaces may choose to transition into full-service address >spaces, and if so they would acquire proper security identities, and possibly >lose their TRUSTED status. Thanks Walt, for clarifying this. As far as I am concerned, just about *every* address space should have an associated userid, but most definitely a vendor's address space! I had noticed that the IBM docs on what address space *needs* to have a userid assigned are a bit opaque back when I introduced the * profile in class STARTED with a userid without any rights on my ADCD RACF data base, so being cautious I assigned a userid to just about every address space (with the exception of *master*). I also routinely show IRR812I, so I know now that *MASTER*, PCAUTH, RASP, TRACE, GRS, SMSPDSE, CONSOLE, ALLOCAS are the only address spaces that don't get a userid assigned in STARTED. Barbara ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
