A Remote File Access (RFA) listener in a JCL-enabled enterprise server region can optionally provide access to the catalog, cataloged datasets, and spool (JES job) output.
Access to the catalog and spool requires invoking an internal service provided by the enterprise server region. This service performs catalog and spool lookups, checks user authorization, and provides enqueue/dequeue (lock) operations so exclusive and shared access to datasets can interoperate with applications running in the enterprise server region.
In order to maintain data integrity the RFA APIs for enqueuing and dequeuing datasets should be called before (enqueue) and after (dequeue) accessing datasets. Since an enqueue is automatically released after 30 seconds, there is also an API for periodically renewing an enqueue. It is up to your application to correctly manage the enqueues.
For catalog and spool access the RFA listener will perform a service lookup using MFDS to locate the MF ES service of the enterprise server region it is attached to. The MF ES service is normally created automatically for each enterprise server region defined in MFDS. The RFA listener uses the Micro Focus Common Client (MFCC) to resolve the MF ES service and communicate with it.
If MFDS is configured to refuse anonymous binds, which is the default, then MFCC will need credentials to bind to MFDS. Under the default Enterprise Server security configuration, MFCC will look for credentials for the readonly user in the vault and use those to bind to MFDS. If those credentials are not present in the vault, you might need to edit the bin/mf-client.dat file included with the product to provide different credentials for MFCC. For example:
[mldap] username=mf_dep password=mf_dep
See The Default Enterprise Server Security Configuration and Micro Focus Common Client for more information.
In addition to the mechanisms listed in RFA security, the service which provides catalog and spool access will make an authorization check against the DATASET resource class for dataset access, and the JESSPOOL class for spool access. See the descriptions of these resource classes in the product Help for more information.
When RFA contacts the MF ES service of the enterprise server region for catalog and spool access, it does so using an HTTP conversation with the associated listener, which is usually the Web Services and J2EE listener. If this listener is configured to use TLS, MFCC will need a suitable TLS client configuration: a root setting in mf-client.dat which points to a file containing the certificate(s) needed to validate the listener's certificate, and possibly a client certificate and other settings.