To clarify Walt's post, CA's mainframe security solutions do perform appropriate security checking and ensure that the identity issuing the command is authorized to execute that command on the system that it was routed to.
David Hrycewicz
CA Mainframe Security Development
[EMAIL PROTECTED]

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]] On Behalf Of Walt Farrell
Sent: Friday, October 24, 2008 5:19 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: ICH409I 283-054 ABEND DURING FRACINIT PROCESSING

It's not that simple, and it's arguably not a bug.

An ENVR object is intentionally opaque, as it contains an ACEE, and ACEEs contain both architected SAF-compliant areas and non-architected, OCO areas that differ between security products. As it's an opaque area, we did not in fact architect where within an ENVR object one might find an ACEE, or that in fact it does contain an ACEE. It's a block of storage that a security product will return to the caller, that the caller can return to the security product to acquire an ACEE, and for which no I/O will occur (at least when using the same security product).

It is not specified what will happen if one passes an ENVR object to a different security product. And in fact, as I mentioned before, in some cases where we have examined the dumps that result on a RACF system when processing an ENVR object from one of the other security products, we found -no- useful information within their ENVR objects. So I really do not know what they put in there, nor whether they are even doing security properly for routed commands (as I also mentioned in another message in this thread).

That's why I suggested someone with access to a mixed sysplex do an experiment to see if command security is really working for commands routed from a RACF system to an ACF2 or TopSecret system, or simply being ignored. To do that, you need to try a command that should fail for security reasons, not one that should work.
--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
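The experiment Walt proposes, written out as an added example (it is not part of either message above, nor from IBM or CA). It shows the direction that can be set up with RACF commands alone, a routed VARY arriving at a RACF-protected target; for the direction Walt actually asks about, the equivalent deny rule has to be written on the ACF2 or Top Secret target in that product's own syntax, which is not shown here, and the violation message to look for is that product's rather than ICH408I. The system name SYSB, the user ID USER1 and the device number 0A80 are made-up values; the example also assumes an OPERCMDS profile covering MVS.VARY.DEV already exists on the target and that the sender issues the command from SDSF, whose / prefix issues an MVS command under the logged-on user's identity.

```text
*--- Step 1, on the TARGET system (RACF-protected, assumed name SYSB) ---
*    Deny USER1 any access to the VARY device resource in OPERCMDS.
*    (USER1 and SYSB are made-up; MVS.VARY.DEV is the RACF resource name
*     checked for VARY device commands; the covering profile is assumed
*     to exist already.)
PERMIT MVS.VARY.DEV CLASS(OPERCMDS) ID(USER1) ACCESS(NONE)
SETROPTS RACLIST(OPERCMDS) REFRESH

*--- Step 2, on the SENDING system, logged on as USER1 in SDSF ---
*    This is the command that SHOULD FAIL. Device 0A80 is made up.
/ROUTE SYSB,VARY 0A80,OFFLINE

*    Routed-command security working:  SYSB logs an ICH408I insufficient-
*                                      access violation for USER1 and the
*                                      command is rejected; 0A80 stays online.
*    Security check being skipped:     0A80 goes offline on SYSB with no
*                                      violation logged for USER1.

*--- Step 3, control, from an authorized user on the sending system ---
*    Proves the ROUTE path itself works, so a rejection in step 2 is a
*    security decision and not a routing or syntax problem.
/ROUTE SYSB,VARY 0A80,OFFLINE
/ROUTE SYSB,VARY 0A80,ONLINE
```

Run step 3 before step 2 as well as after: if the authorized user's VARY never reaches SYSB either, the test tells you nothing about security checking. Only a command that is rejected for USER1 and accepted for the authorized user demonstrates that the identity carried in the ENVR object is being checked on the target.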