Re: User written checks for IBM health checker
On Sun, 10 Jun 2012 12:04:51 +0300, John s justfor...@gmail.com wrote:

> I am trying to write checks (user) in IBM health checker using SYSREXX. I have gone through the sample HZSSXCHK. This sample just outlines the skeleton for writing the user checks. My question is... let's say, for example, I want to rewrite CHECK(IBMRACF,RACF_IBMUSER_REVOKED); how would I go about it? What code would IBM have put, or should be written, between HZSLSTRT() and HZSLSTOP() to accomplish the above check? Maybe I am thinking stupid:
>
> 1. Issue TSO LU for IBMUSER, capture the output of this command into some variable and decide whether the user ID is really revoked. This is really cumbersome if we think of some complex checks.

The output of LU is not an intended programming interface. If you want to examine a user ID from REXX, you should use the functions provided by IRRXUTIL. See http://publibz.boulder.ibm.com/cgi-bin/bookmgr/BOOKS/ICHZA3C0/14.0?SHELF=ez2zo111&DT=20110620175100 or http://preview.tinyurl.com/6q8ecue for more information.

-- Walt

-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Dumps to vendors with sensitive data
On Fri, 8 Jun 2012 13:58:16 -0400, Andy White awh...@metlife.com wrote:

> Walt and others, I wonder: we are the provider of a product which contains what is the Tricare data. What I am wondering is, since we are not a military installation etc., would we need this type of separation? We called our big vendors and so far they are looking within for answers/solutions. I couldn't imagine us doing this with an SAD or large CICS dump.

Assuming that Tricare data includes information that would fall under HIPAA or other similar medical regulations, it's unlikely that you need to follow such stringent separation as some of us have mentioned for handling classified data. However, if one of your customers sends you a dump that contains such data, you and your systems (and employees) may well be required to implement appropriate data safeguarding procedures as required by those regulations. And you might also be subject to whatever audit requirements the regulations impose.

(I should note, though, that I am not an expert in that area, and do not know exactly what the regulations might require. I recommend that you find an expert and get a more informed answer.)

-- Walt
Re: Dumps to vendors with sensitive data
On Wed, 6 Jun 2012 12:57:19 -0400, Andy White awh...@metlife.com wrote:

> We recently have a DOD (Department of Defense) account on our systems. Question: if you are sending a dump to a vendor, e.g. IBM, and there might be a slight chance it has user data stored in common storage, do you have a DOD-approved person within IBM you send the dump to? Or an assigned group to your account that deals with GSA/DOD type of issues? We haven't sent any dumps to a vendor since taking on this new work but wanted to know how other companies handle this?

It may depend on the sensitivity of the data that could be exposed, but in my limited experience with classified systems two approaches were taken:

(1) The dump never leaves the customer system. The customer would contact the vendor support analysts, who would ask the customer system programmer to read them some data from the dump, and if the data was appropriate he would do so. Then the analyst would transcribe the data, examine it, and ask for the next piece of data he needed. Cumbersome, but safe (from a security perspective).

(2) The vendor provides a separate data facility with security as required by the classified customer, and vendor personnel with appropriate security clearances who will work there. At that point the customer can send the data to the support facility by an appropriate secure mechanism, and the cleared personnel can analyze it in their secure facility. Of course, the cleared personnel could also work at the customer facility if that's appropriate, since they have clearances. And in either case, if the cleared analyst lacks enough education to do the complete problem analysis they can consult with uncleared vendor analysts, ensuring (just as the system programmer would) that no inappropriate information is given to them.

Approach (2) can result in faster problem determination, if the analysts have appropriate training, but it's an expensive undertaking.

I know that approach (1) was used in some cases within IBM, and I know of cases where approach (2) was proposed. But I do not know for sure of cases where approach (2) was actually implemented. But it's important to note that for approach (2) to work you need both the appropriately cleared personnel, and an appropriate facility for them to work in. You can't send classified data to the standard IBM Support Center, in my experience.

For the final analysis I think you really need to ask -your- DoD Security folks how to handle things, because only they will fully understand the requirements that apply in your case.

-- Walt
Re: How to suppress Message in REXX App
On Fri, 1 Jun 2012 16:37:51 -0400, Scott Ford scott_j_f...@yahoo.com wrote:

> TPut will go to sysprint or systsprt

She's concerned about a TSO session, and there it will go to the terminal.

-- Walt
Re: Spool offload
Make sure you have the RACFVARS class active and SETR RACLISTed, and that you have your JES node name defined as a member of RACFVARS profile &RACLNDE. Otherwise you'll lose all the security info associated with the data when you do the reload.

-- Walt
Re: RACF extract
First, I suggest that for RACF-related questions you use RACF-L rather than IBM-MAIN, as there will be more RACF-knowledgeable responders there.

But to answer your question: EXTWOFF in the returned extract work area (RXTW, see RACF Data Areas) gives you the offset within the returned data area to the data you asked for. At that offset within the RXTW you'll get one chunk of data for each field you asked for. You can figure out what each chunk of data should look like using the template information and the information provided with the description of the REQUEST=EXTRACT keyword in the RACROUTE REQUEST=EXTRACT documentation.

-- Walt
Re: IKJTSOEV ISPF services question
On Fri, 25 May 2012 07:44:31 -0500, McKown, John john.mck...@healthmarkets.com wrote:

> I know that I can run the TSO TMP in batch. Using this, I can run a REXX program which sets up all the ISPF required datasets. I can then invoke ISPSTART with the CMD(...) option to run another program/CLIST/REXX. In that program, I can use most of the non-DISPLAY oriented services, such as DIRLIST or DSINFO. The TSO book on IKJTSOEV only talks about ISPF in the negative, but mentions display services. So, can I write a batch program which uses IKJTSOEV to set up a TSO environment? Once I have a TSO environment set, can I directly invoke ISPF services? What I would like to do is to have some simple way in a batch program to invoke ISPF services such as DSINFO without the hokeyness of running the TSO TMP. And also without invoking ISPSTART and telling it to run a separate program/CLIST/REXX routine. But I don't think it's possible. Frustrates me no end.

As others have noted, you have to be under ISPF to use ISPF services. But you should be able to start ISPF from your program once it has set up a TSO environment using IKJTSOEV. So you might consider:

(a) Invoking IKJTSOEV
(b) Using IDENTIFY to create an alias (say, for example, XYZ) for an address within your program
(c) Invoking ISPSTART (with an appropriate CPPL, etc.) and telling it to invoke XYZ. I'd probably ATTACH it, for safety.

At that point, the rest of your code, starting at the XYZ address, is under ISPF.

-- Walt
Re: IKJTSOEV ISPF services question
On Fri, 25 May 2012 13:59:37 -0500, McKown, John john.mck...@healthmarkets.com wrote:

> Very good. Thanks much, Walt. Now to encapsulate that functionality in a subroutine. And, horrible person that I am, my subroutine will be in HLASM and packaged as an LE enabled DLL so I can use it in my UNIX programs.

I don't think it's amenable to coding as a subroutine, John. At least not using ATTACH. And even without using ATTACH I'm not sure I see a good way to run multiple service calls to ISPF.

-- Walt
Re: Unicode Services translation question
Does it work as you expected for other characters in 1047 whose equivalents in 1252 have values above x'7F'? Or is the not sign the only one that's misbehaving?

-- Walt
Re: RES: XPAF replacement
On Wed, 9 May 2012 12:37:18 -0500, Joel C. Ewing jcew...@acm.org wrote:

> Another one of those message formats that appears to Thunderbird as garbage. I can read it fine on the ibm-main online archive, where it shows Ituriel's readable message followed by the ibm-main trailer lines, but it must be arriving in a format that ibm-main doesn't fully understand, as its re-broadcast seems to have Ituriel's message encoded as base64, followed by the ibm-main trailer lines, also encoded as a separate base64 block but with no message heading structure appropriate to the sending of two base64 blocks. I gather some Email clients may tolerate this, but Thunderbird does not and just displays the base64 encoded data. I think we've been down this path before. The original message format must be partly responsible, but this also looks like a bug in the ibm-main list server logic: it should never think it reasonable to append its trailer in a way that sends out two base64 blocks back-to-back, rather than, say, trying to merge the data into a single base64 block, or resend the whole thing un-decoded with 8-bit MIME Email conventions.

In my experience, Joel, it's often a question of -your- (that is, each recipient's) personal settings at the list server. If you query your settings, look at the header options you have. If you have anything other than FULLHDR you may find some messages that don't have enough header info to allow your client (Thunderbird) to process the message properly.

-- Walt
Re: National Vulnerability Database (NVD) Search for Mainframe Vulnerabilities
On Tue, 8 May 2012 18:31:56 -0400, Tony Harminc t...@harminc.net wrote:

> One can learn quite a bit from these published documents, not least lists of fixes that must be applied in order to pass the claimed security specifications, from which one might reasonably infer that the fixes are for software vulnerabilities.

Sometimes the fixes that IBM lists in that document represent vulnerabilities, but sometimes they are merely PTFs that provide late-shipping functional changes. IBM is required for Common Criteria purposes to run the tests with the final version of the system, and if functional changes to a component are made via PTF after the GA ServerPac tape is produced then the customers who want to run the evaluated/certified version of z/OS are also required to install those PTFs if IBM used them during testing.

(Note: in the latter years of my career with IBM I was the technical architect for our z/OS Common Criteria certification efforts and was the person responsible for the Security Target and for input to the Planning Guide.)

> Obviously IBM has much juicier internal versions of these documents. I don't know if there is an official way to get hold of this kind of material, either from IBM or from your national government. In any case, the weaknesses described are almost certainly long since fixed.

As IBMers have mentioned here in the past, and as Mark Jacobs mentioned earlier in this thread, IBM has a web site that provides -some- information about integrity and security fixes for z/OS and z/VM, but the information is not made public. It is made available only to authorized representatives of z/OS and z/VM customers, and even then you do not learn what the actual exposure is; only that a problem exists, the CVSS score for the vulnerability, and the APAR/PTF you should install to close the exposure.

Even the general rank-and-file IBM population does not have access to details about security vulnerabilities for z/OS and z/VM, and even most IBMers developing software for z/OS and z/VM do not have access to it except possibly for the system components they work on. IBM treats information about vulnerabilities in z/OS and z/VM as confidential and highly sensitive, as part of their efforts to protect their customers. And that is done in large part at the request of the IBM customer base.

As Mark mentioned, you can visit http://www-03.ibm.com/systems/z/advantages/security/integrity_sub.html if you are an authorized representative of a z/OS or z/VM site, and learn how to become authorized to view the web site that has the Security/Integrity information for z/OS or z/VM.

-- Walt (who no longer has access to that kind of information)
Re: Programming languages can't have copyright protection, EU court rules
On Wed, 2 May 2012 10:49:18 -0700, Charles Mills charl...@mcn.org wrote:

> Can one replicate the 'look and feel' without copyright issues in the EU now?

I might add that look and feel might be subject to copyright protection. Copyright, again, protects *expression.* If I wrote a z/OS system monitor that cleverly displayed the status of started tasks as bouncing balls of various sizes and colors, that expression might be subject to copyright, but the function of displaying the status of started tasks graphically would not.

And, if I understand the Oracle claims in the US lawsuit, Oracle says that they -can- copyright the library specifications and implementation (API) because (I think) it's a kind of look and feel aspect of their Java implementation, even if they can't copyright the Java language itself. But that seems to go directly against the EU decision we're talking about here, since the SAS case seems to revolve around duplication of library APIs, too, if I understand it correctly.

-- Walt
Re: STCBSST bit of STCBFLG1 of STCB DSECT
On Wed, 2 May 2012 21:47:31 -0500, Justin R. Bendich jbend...@austin.rr.com wrote:

> 9. BSG (BRANCH IN SUBSPACE GROUP)
> 10. Invoke XDC via its SVC HOOK.
>
> I then examine the STCBFLG1 byte and find that it's zero.

I don't know for sure how this all works, but have you considered the possibility that step 10 takes you out of subspace mode until you return from the SVC? Why not try checking the flag from your code, instead? Then you'll know for sure.

-- Walt
Re: Programming languages can't have copyright protection, EU court rules
On Thu, 3 May 2012 06:43:45 -0700, Charles Mills charl...@mcn.org wrote:

> Right, Walt. Their claims fly in the face of precedent as I understand it. They are trying to claim that any implementation of Java is a derivative work (see earlier posts in this thread) of the Java specifications. I predict -- and hope -- they lose.

No, I don't -think- that's what they're claiming. The Java language is rather straightforward. But knowing the -language- doesn't really help you write Java programs. Most programs have to rely on the library of function calls that Sun provided, and Oracle seems to be claiming that the library is separate from the language, and that the library calls (the API) are a look and feel expression that is copyrightable. So anyone is free to make a Java interpreter or compiler, but they can't implement the same library without duplicating Oracle's look-and-feel. They could implement a different library of function calls, but of course at that point none of the Java programs expecting Oracle's library would work.

-- Walt
Re: ServerPac RACF* jobs (rant)
If I read the original note(s) correctly, though, there was at least one actual bug reported (creating something in class X but then doing a SETROPTS REFRESH of the FACILITY class). Something like that deserves to be fixed as a bug, without needing to have a requirement submitted.

-- Walt
Re: ServerPac RACF* jobs (rant)
On Fri, 27 Apr 2012 18:42:32 +, Gibney, Dave gib...@wsu.edu wrote:

> I'll bite. Hi, Walt. What makes you think IBM might listen to this now that you are not there? These jobs have always been a mess. Last time I ranted, I suggested that ServerPac provide an unload (or unload records) of the required profiles that could be used with DBSYNC (a very useful tool, thank you so much) to more closely approximate the updates needed to a customer-specific RACF DB. I think Russ, or someone, took the idea under advisement.

My presence (or absence) should have no effect, Dave. I was part of the RACF team, not the ServerPac team. They have complete responsibility for the configuration jobs they ship. If no one complains to them, they won't know anyone has a problem.

-- Walt
Re: ServerPac RACF* jobs (rant)
On Fri, 27 Apr 2012 17:57:52 +0200, R.S. r.skoru...@bremultibank.com.pl wrote:

> RACFDRV and RACFTGT jobs are part of the ServerPac installation process. I have the following observation: the jobs are longer and longer and MUCH MORE STUPID. Example: ...snipped...
>
> BTW: I corrected (you can call it: edited) RACFDRV. Original size: 1500 lines, size after corrections: 137 lines (including comments), almost no line left untouched. Now I'm editing RACFTGT. 4300+ lines, I edited maybe 50%, 1600 lines left. I think this should be seriously improved. Time for my pills.

Perhaps better, time for you to open a PMR with the IBM Support Center (directed to ServerPac, of course, not RACF) so they can improve things.

-- Walt
Re: ICSF/CSNBOWH (was: load modules copying to other site)
On Tue, 24 Apr 2012 11:15:37 -0500, Paul Gilmartin paulgboul...@aim.com wrote:

> On Tue, 24 Apr 2012 10:00:46 -0500, Greg Boyd wrote:
>
>> Starting with ICSF HCR7750 and the z9, ICSF relies on the CPACF hardware on the host for the full SHA support (SHA-1 as well as SHA-2). The CP Assist (CP Assist for Cryptographic Function) is running compliant implementations of the SHA algorithms. For the z196, see Cert #1497 at http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm.
>
> Gives me 404: Not Found
> The requested URL /groups/STM/cavp/documents/shs/shaval.htm. was not found on this server.

As often happens when people include links in sentences, his sentence-ending punctuation (".") was taken as part of the link. Simply remove it and the link works fine.

-- Walt
Re: A z/OS Redbook Corrected - just about!
On Tue, 24 Apr 2012 12:06:24 -0500, Elardus Engelbrecht elardus.engelbre...@sita.co.za wrote:

> Jim Phoenix wrote:
>
>> http://www-01.ibm.com/software/globalization/terminology/u.html#x2182787
>
> Aw cr*p, hehehe ( :-D ), there are at least two (2) definitions of USS shown there.

There are? I see only one:

"USS: See unformatted system service."

-- Walt
Re: ICSF/CSNBOWH (was: load modules copying to other site)
On Tue, 24 Apr 2012 12:05:28 -0500, Paul Gilmartin paulgboul...@aim.com wrote:

> Hmmm. This could be the basis for the APAR IO11698 fiasco two years ago in which IBM manifestly allowed an integrity exposure to remain unrepaired but provided a means of limiting access to the dangerous tool.

No, it's not related to anything like that.

> I have been granted the RACF authority as I need it for my job; this indicates that I qualify as highly trusted. But it irritates me that I have never been given instructions concerning what behavior I must avoid in order not to compromise system integrity.

Having that authority, there's nothing special you need to do to avoid compromising system integrity, beyond what you would normally do as someone with the authority to update APF libraries. By granting you that authority, the security administrator has merely indicated his trust that you will not actively try to compromise system security or integrity, and that he trusts you as much as he would had he given you UPDATE to the APF libraries and other sensitive system libraries.

-- Walt
Re: USS File Integrity
On Fri, 20 Apr 2012 11:18:45 +0800, David Crayford dcrayf...@gmail.com wrote:

> Of course, fcntl() can be used to implement byte-range locking. So in theory you could use it to implement row-level locking in a dictionary library. ENQ is not that granular.

ENQ is as granular as the application wants to make it, depending on how clever the application programmer is at encoding information into the RNAME the application will use.

The key point about UNIX files, though, is that all the locking is advisory, and controlled by the applications that use the file. If they all implement the same locking mechanism (whatever that may be), the locking will work. If they don't, it won't work.

-- Walt
Re: ACF2 - RACF Conversion Utility
On Fri, 20 Apr 2012 15:54:25 -0400, George Henke gahe...@gmail.com wrote:

> Does anyone know of an ACF2 to RACF conversion utility?

IBM, Vanguard, and others have utilities that will help with that, usually (as far as I know) as part of a priced service offering. And from my experiences watching from the sidelines while I was an IBMer, and talking to the IBMers who did the conversions, I would strongly recommend using a vendor-provided service rather than trying it on your own. There can be a lot of subtleties involved with getting the conversion done right, and it can require a strong knowledge of both security systems to get a successful conversion and make the best use of the new product.

-- Walt
Re: DFSORT, no records for SORTOUT
On Thu, 19 Apr 2012 10:22:56 -0700, Frank Swarbrick frank.swarbr...@yahoo.com wrote:

> I know of the NULLOUT and NULLOFL options to specify return code setting if there are no records to be written to the output file. I'm wondering if there is any option I can specify so that the SORTOUT file will not even be opened if there are no records to be written to it. Basically, I want to leave the old records that were in SORTOUT alone if there is nothing new to go into it for this run.

Is there some reason you couldn't just use DISP=MOD on your SORTOUT DD statement?

-- Walt
Re: Modernizing the BCP code ?
On Sat, 14 Apr 2012 05:20:09 -0700, Lloyd Fuller leful...@sbcglobal.net wrote:

> Some of it would be difficult unless you embed at least some assembler in the Metal C stuff. For example, all date handling is removed from Metal C, even the capability of getting the system date, although that is trivial in assembler. There are other things that are missing from Metal C that probably do not need to be. Another example is that if you want to be able to allocate lasting memory (i.e. malloc) in Metal C, you have to embed some assembler; see the example in the Metal C user's guide. The example works, but there is assembler there (the load of register 12).

Thanks, Lloyd. However, even with some assembler embedded in the Metal C source I would still consider that an exit written in Metal C. IBM even embeds assembler in PL/X on occasion, though they try to avoid it. And they still say the module is written in PL/X.

-- Walt
Re: Modernizing the BCP code ?
On Fri, 13 Apr 2012 15:05:57 -0400, Scott Ford scott_j_f...@yahoo.com wrote:

> Reading through this thread, quickly, it's very obvious that certain exits must be in Assembler. So you're kind of a captive audience. I am speaking of security type products. I have been experimenting in C; not being a C heavy, it would be nice and desirable to do them in C. But not sure if IBM supports ICHPWX01 in C...

Are there really system exits that -must be- in Assembler? Wouldn't Metal C work instead? (Yes, you might need to provide some control block mappings yourself, of course, but that really doesn't mean the language can't be used; just that it may be a bit inconvenient, depending on what you want to look at.)

(And by the way, I'm pretty sure that Metal C would work for ICHPWX01 (RACF new password exit). You can even use System REXX if you want.)

-- Walt
Re: A deep question about VSAM SHR(4) - can you help?
On Thu, 5 Apr 2012 07:16:15 -0700, Mike Kovach mrmach...@yahoo.com wrote:

> My specific question is this: I want to introduce multitasking so that 5 copies of the program can update the file concurrently. If we change STRNO(1) to STRNO(5) on the CICS FCT Definition, will VSAM be smart enough to manage the writes to the file so we don't break it and the BATCH still gets the current information?

I am not a VSAM expert, nor a CICS expert (nor am I sure whether your program is using CICS functions to write to the data set, or using VSAM macros directly), but I would be concerned about serialization.

From DFSMS Using Data Sets at http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/dgt2d4a0/2.7.2.1?SHELF=EZ2ZO213&DT=20110606092005 or http://preview.tinyurl.com/76joxao you can read that for SHAREOPTIONS 4 you have the same serialization requirements as for SHAREOPTIONS 3, and for SHAREOPTIONS 3 the book says:

"This option requires that the user's program use ENQ/DEQ to maintain data integrity while sharing the data set, including the OPEN and CLOSE processing. User programs that ignore the write integrity guidelines can cause VSAM program checks, lost or inaccessible records, uncorrectable data set failures, and other unpredictable results. This option places responsibility on each user sharing the data set."

So unless there's something in CICS issuing appropriate ENQ/DEQ macros, I think you'll need to make some program changes.

-- Walt
Re: Initialize Tape Options
On Sun, 1 Apr 2012 18:25:58 +0530, Jake anderson justmainfra...@gmail.com wrote:

> Could anyone please point me to the manual of DFSMSrmm implementation and customisation guide, especially for the z/OS 1.8 version?

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/Shelves/EZ2ZO10I?filter=dfsmsrmm&SUBMIT=Search+titles or http://preview.tinyurl.com/6psnd83 should get you all the z/OS 1.8 DFSMSrmm books.

By the way, are you aware that z/OS 1.8 has been out of support for quite a while now?

-- Walt
Re: Malicious Software Protection
On Tue, 27 Mar 2012 11:09:23 -0700, Skip Robinson jo.skip.robin...@sce.com wrote:

> The reason I brought up this 'vulnerability' is that we hired a consultant a while back to look for weaknesses. Of course they were able to logon with a vanilla userid that had no special authority. And this is what they did. We all spend a lot of time and mental energy focused on how to protect ourselves from sophisticated attack. We look at APF. We look at SVC screening. We look at access to sensitive libraries. But this particular 'denial of service' can be accomplished by anyone with a valid userid and password. And *only* because we lock up users for invalid password attempts. I'm just sayin'...

It's just another form of disaster you have to plan for, Skip. It's easy, for example, to set up an STC that runs with an ID that has SPECIAL, or that is the OWNER of some IDs that have SPECIAL, and have that STC run IKJEFT01 and issue ALTUSER ... RESUME for one or more other IDs that have SPECIAL. If they all get locked out, you just run the STC and that set of IDs is RESUMED. The STC itself will be able to run, even if its ID has been revoked, and so it provides protection against the issue you're suggesting. But yes, you need to be prepared for this, just as for anything that can compromise your system.

(Other alternatives exist, by the way, including emergency copies of the RACF database that you can make available in such an emergency situation, but the STC approach is the simplest, in my opinion. Nonetheless, I would also recommend having an emergency RACF DB available, too, but that also goes along with having emergency system residence volumes available.)

-- Walt Farrell
IBM STSM, z/OS Security Design (for another half-hour or so)
Re: Certificates and signed programs
On Mon, 26 Mar 2012 05:31:42 -0500, Josef Boeck josef.bo...@opus-it.at wrote:

> It's possible to sign a program with a certificate. If you enable the certification, this program is verified during LOAD for integrity and you can be sure as program author that the program is the one you created and is not modified. If you copy the program from a PDSE to a normal PDS no verification can take place because the information necessary to verify is not kept in the PDS. So far everything works as documented. My question: Am I able to verify if the program runs as a signed program and is verified, or if the program runs without verification? I didn't find any hint in the documentation.

As far as I know, no, the program cannot tell. It is the administrator's responsibility in the current implementation to determine which programs must be signed and which actions the system should take if one of them is not properly signed. It is also the administrator's responsibility to control access to the libraries containing the programs, and enforce which libraries the users will use to run the programs. The programs are not expected to do their own verification.

-- Walt Farrell
IBM STSM, z/OS Security Design
Leaving IBM
I mentioned this over on RACF-L the other day, so for some of you this will be old news.

I've been an IBMer for 28 years and have had a lot of fun with RACF and MVS, and I've had a lot of fun interacting with you folks on RACF-L and IBM-MAIN. But the time has come for me to retire and have fun with other things.

I've enjoyed the discussions here, and working with many of you to plan enhancements or resolve problems. I'm sure I'll still read both lists for a while, and probably even participate from a personal email address. But after Wednesday morning I will no longer be an active IBM employee and I'll speak about z/OS and RACF even less officially than I do now.

It's been a great 28 years, but my family and other activities are calling to me more and more strongly, and it's time to spend more time with them.

Best wishes to you all,
Walt
Re: UNABLE TO DELETE DUPLICATE DSN
On Thu, 22 Mar 2012 06:24:01 -0700, John Dawes jhn_da...@yahoo.com.au wrote:

> I am trying to delete a duplicate dsn via TSO. Since the cataloged version which resides on volume MPR003 is in use, I thought that I could rename the duplicate dsn which resides on MPR027. However when I try to rename the dsn (via TSO) it gave me the message "Duplicate data set name" followed by "Data set is cataloged on a volume other than MPR027". Both volumes are managed by SMS. Is there some other tactic I could employ?

If you have appropriate authority via the RACF resource STGADMIN.DPDSRN.part-of-old-name you can rename the data set, but it must be non-SMS and non-VSAM. Search the z/OS library online for STGADMIN.DPDSRN and you'll find the 2 entries that describe this.

But since you appear to have an SMS-managed data set I'm not sure what you can do. (How do you have an uncataloged SMS-managed data set?)

--
Walt
Re: Backlevel IPCS issue at z/OS 1.13
On Mon, 12 Mar 2012 04:15:59 -0500, Ron MacRae ronmac...@hotmail.co.uk wrote:

> Mark, Your CLIST is almost identical to my REXX exec. Except I have to push the TSOLIB command onto the stack as it won't run under rexx, even with an address TSO in front, and I therefore also push ISPF as well. I tried typing in your commands at the TSO ready prompt. Still no joy. ISPF/IPCS just isn't 'seeing' the TSOLIB. It works fine on LPARS running z/OS 1.11. It just doesn't work at z/OS 1.13 as BLSG gets loaded from ISPLLIB instead of the library set with TSOLIB. Unless I can work out what's wrong I'll have to resort to messing with ISPLLIB etc.

I'm not sure I understand why your approach even works on 1.11, but it's a complex topic.

As previously mentioned, if you have done a LIBDEF for ISPLLIB then in order to get that library concatenation used as a tasklib you have to use SELECT CMD, not SELECT PGM. However, if my understanding is correct, if you had an ISPLLIB DD allocated before you started ISPF, that library concatenation would be a tasklib for anything invoked under ISPF, either via SELECT PGM or SELECT CMD.

So, if your correct IPCS library (proper SYS1.MIGLIB) is allocated as ISPLLIB before you start ISPF, or is allocated via LIBDEF and you use SELECT CMD, then everything should work.

Your TSOLIB should be irrelevant if you have the wrong level of IPCS allocated as ISPLLIB before ISPF starts, and that should be true with either 1.11 or 1.13. The ISPLLIB allocated when ISPF starts is a tasklib for ISPF and its subtasks, and the TSOLIB as a higher level tasklib would only come into play when modules are not found in the pre-allocated ISPLLIB.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: IEFBR14
On Mon, 12 Mar 2012 16:08:39 +, Bill Fairchild bfairch...@rocketsoftware.com wrote:

> Writing an EOF record at the beginning of the data set does indeed help prevent programs from reading old data when a data set is read immediately after being allocated, but the way it does this results in preventing the reading of old data only from the first track. If a program can read beyond this first track (which is not difficult to do even in an unauthorized program), then the program can still read all the rest of the old data in the allocated tracks. The only way truly to prevent a program from reading any of the old data is to erase each allocated track, either when the old data set is deleted or when the new data set is allocated. Erasing is a very expensive process in terms of DASD utilization and elapsed time, which is why it is almost never done. This is perhaps another example of "security through obscurity", which has been discussed lately under thread subjects starting with "Program FLIH backdoor". I call it obscurity since getting beyond the first track deters most programs, but is not difficult if you know the obscure fact that it is quite easy to do if you want to.

It may be security by obscurity, Bill, but it's not something perpetrated by IBM, in my opinion. We document that Erase on Scratch exists, and why it should be used, and that (depending on the DASD you're using) if you don't use that function old data can be exposed.

--
Walt
Re: What is a dataset level NUMBER?
On Sun, 4 Mar 2012 13:40:48 -0500, Shmuel Metz (Seymour J.) shmuel+ibm-m...@patriot.net wrote:

> In 072201ccf892$f7184ba0$e548e2e0$@mcn.org, on 03/02/2012 at 08:38 AM, Charles Mills charl...@mcn.org said:
>
>> What is a dataset level *number*?
>
> Could it be part of the support for mandatory access control?

No; it's much older than that. And it really is for whatever your installation might want to do with it. Note that the value is made available to exits, for example.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: Calling Authorized Assembler from REXX
On Fri, 2 Mar 2012 07:48:53 -0600, Betsy Jeffery betsy_jeff...@mgic.com wrote:

> Gil, That method yields,
>
>      3 *-* arg1 = 'PS0903A'
>        >L>   "PS0903A"
>      5 *-* /* ADDRESS tso */
>      6 *-* /* Call CICSCMDT ARG1 */
>      8 *-* address TSO "call CICSCMDT '"ARG1"'"
>        >L>   "call CICSCMDT '"
>        >V>   "PS0903A"
>        >O>   "call CICSCMDT 'PS0903A"
>        >L>   "'"
>        >O>   "call CICSCMDT 'PS0903A'"
>  IKJ56228I DATA SET CICSCMDT.LOAD NOT IN CATALOG OR CATALOG CAN NOT BE ACCESSED
>  IKJ56701I MISSING DATA SET NAME+
>  IKJ56701I MISSING DSNAME (MEMBER NAME)
>        +++ RC(12) +++
>     10 *-* say 'rc = ' rc
>        >L>   "rc = "
>        >V>   "12"
>        >O>   "rc =  12"
>  rc =  12
>     12 *-* exit
>
> Whereas the statement without the quotes does make the call. Thanks

Yes, it makes the call. But it is NOT using the address TSO and the TSO/E CALL command. It's using the REXX call statement, and invoking your program as a subroutine of the REXX exec. In that case, it will not run authorized.

You need to use address TSO call as gil indicated, but his syntax was a bit wrong. Try:

    address TSO "call *(CICSCMDT) '"ARG1"'"

Note that before ARG1 that's a single-quote followed by a double quote, and after ARG1 it's a double-quote, single-quote, double-quote. The actual command should end up (after interpretation by REXX) as

    call *(CICSCMDT) 'contents of ARG1'

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: What is a dataset level NUMBER?
On Fri, 2 Mar 2012 08:38:57 -0800, Charles Mills charl...@mcn.org wrote:

> From RACF Macros and Interfaces:
>
>     5(5)   1   Binary   Data set level number (00-99).
>
> The only meaning I know for "dataset level" is the ISPF 3.4 meaning of partial name. What is a dataset level *number*?

It's the value the profile creator specified for the LEVEL operand of the ADDSD command.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: Calling Authorized Assembler from REXX
On Fri, 2 Mar 2012 08:34:50 -0600, Betsy Jeffery betsy_jeff...@mgic.com wrote:

> I'm beginning to think it can't. I think Rob Scott is correct - I should write a stub using IKJEFTSR. I found the following from Walt Farrell in a different list:
>
>> Therefore, since Rexx itself is not running authorized, your Rexx exec cannot simply call another program and have that program run authorized.

REXX -cannot- simply call another program and have it run authorized. That's why you need the TSO/E CALL -command- not the REXX call -statement-. The TSO/E CALL command -can- call programs and have them run authorized, if they're properly specified in IKJTSOxx and they exist in a properly authorized library.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: Calling Authorized Assembler from REXX
On Wed, 29 Feb 2012 15:49:01 +, Rob Scott rsc...@rocketsoftware.com wrote:

> Search the archives for IKJEFTSR. Overview of one way of doing it :
>
> (1) Write a separate non-auth stub REXX external function that processes the parameters and sets up addressability to the IRX* control blocks and handles the return data from the auth function.
> (2) Ensure that the auth function module is in linklist (or authorized STEPLIB/JOBLIB if you must)
> (3) Add the auth function module name to AUTHTSF in IKJTSOxx and get your friendly sysprog to update the system.
> (4) In the stub function program, use IKJEFTSR to invoke the auth subroutine
>
> Depending on the capabilities of the auth function stub, you may wish to add some sort of SAF check into its logic.

I think you probably meant "auth function module" in that last sentence, not "auth function stub". Performing security checks in the stub (which runs unauthorized, and can be bypassed) is not really effective. If security checks are needed, they should be in the authorized program that is invoked by IKJEFTSR (your "auth function module").

Also, if the REXX exec merely needs to call an authorized assembler routine (not subroutine) then a simple address TSO "call *(modulename)" may be simpler. It would still need the system programmer to update IKJTSOxx, but the AUTHPGM section rather than AUTHTSF, and it would not need the stub module and other REXX stuff.

--
Walt Farrell
IBM STSM, z/OS Security Design
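A constructed REXX example (mine, not code from any post in this thread) of the address TSO CALL form Walt describes here and in the CICSCMDT reply above, with the REXX call statement shown beside it for contrast; the module name AUTHPGM1, its parameter value and the IKJTSOxx entry are assumptions:

```rexx
/* REXX - constructed example, not from the list posts.                 */
/* Invokes an APF-authorized load module from a REXX exec that is       */
/* itself running under the TSO/E TMP (IKJEFT01, foreground or batch). */
/* The module name AUTHPGM1 and the parameter are assumed values.       */
/*                                                                      */
/* Prerequisite (system programmer action, per the thread): AUTHPGM1    */
/* must reside in an APF-authorized library in the normal search order  */
/* and be named in the AUTHPGM section of SYS1.PARMLIB(IKJTSOxx), e.g.  */
/*                                                                      */
/*     AUTHPGM NAMES(AUTHPGM1)                                          */
/*                                                                      */
/* followed by PARMLIB UPDATE(xx) or an IPL. Without that entry the     */
/* CALL command still works, but the module runs unauthorized.          */

arg parm
if parm = '' then parm = 'ARG1'        /* constructed sample value      */

/* WRONG for authorized work: the REXX CALL *statement* runs the module */
/* as a subroutine of the exec, in the exec's unauthorized environment. */
/* It may appear to succeed, but the module never gets APF authority.   */
/*                                                                      */
/*     call AUTHPGM1 parm                                               */

/* RIGHT: the TSO/E CALL *command*, issued through ADDRESS TSO.         */
/* *(name) tells CALL to locate the module through the normal load      */
/* module search order instead of a named data set. The quoting yields  */
/*     CALL *(AUTHPGM1) 'value-of-parm'                                 */
/* after REXX evaluates the string: a single quote, the variable's      */
/* contents, then a closing single quote.                               */
address TSO "CALL *(AUTHPGM1) '"parm"'"
callrc = rc

select
  when callrc = 0 then
    say 'AUTHPGM1 completed, rc=' callrc
  when callrc = 12 then
    say 'CALL failed (rc=12): is AUTHPGM1 in the search order?'
  otherwise
    say 'AUTHPGM1 ended with rc=' callrc
end
exit callrc
```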
Re: Authorized functions
On Wed, 15 Feb 2012 11:15:55 -0800, Scott Ford scott_j_f...@yahoo.com wrote:

> Walt, First , thanks for responding.. Let me explain: The STC is in LE Cobol..4.2 I want to call IKJEFTSR ...to call a rexx clist that will perform authorized functions , i.e.; alloc, free

Alloc and free are not authorized commands as far as I know. But you mention using RACF commands later, and they of course are.

You cannot invoke IKJEFTSR to run -authorized- commands using an environment that you create using IKJTSOEV. You can run unauthorized commands using an IKJTSOEV environment, but to run authorized commands using IKJEFTSR you actually need to run under the TSO TMP (IKJEFT01 or one of its alternate entry points).

By the way, rather than running RACF commands, you should probably use the SAF IRRSEQ00 callable service to perform the RACF command functions you need, or for information retrieval the REXX-based IRRXUTIL function.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: Authorized functions
On Wed, 15 Feb 2012 14:11:14 -0600, McKown, John john.mck...@healthmarkets.com wrote:

> Is this even possible? here: http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ikj4b780/23.4.3.2
>
> <quote>
> Table 122 shows the reason codes that are found in parameter 5 if IKJEFTSR completes with a return code of 20.
> ...
> 24(18)  IKJEFTSR was invoked from a non-TSO/E environment. This service can only be used in a foreground or background TSO/E environment.
> </quote>

You can invoke IKJEFTSR under the TMP, or from within an environment created by IKJTSOEV (as Scott is doing). However, in order to use IKJEFTSR to invoke an APF-authorized command you need to run under the TMP.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: BPX.UNIQUE.USER APPLDATA model profile
On Wed, 15 Feb 2012 15:29:52 -0600, David Magee david.ma...@dillards.com wrote:

> I was wondering how some of you are handling the HOME field of the model userid profile specified in the APPLDATA field of the BPX.UNIQUE.USER profile. The IBM examples I've seen all show /tmp for HOME. My current OEDFLTU userid in use with the BPX.DEFAULT.USER profile uses /tmp. Is there a way to have the generated OMVS segment have /u/userid show up in HOME maybe via a template similar to /u/sysuid (I know that SYSUID is unique to TSO/E). If possible, what are the pros and cons for one over the other?

First, I would generally recommend using RACF-L for RACF questions, or MVS-OE for z/OS UNIX questions (such as this one). The relevant IBMers for those products generally do not follow IBM-MAIN, in my experience.

But to answer your question, no, there's no way to do what you want. The intention for both BPX.DEFAULT.USER and BPX.UNIQUE.USER is that you're using those profiles to cover users who only incidentally happen to do something that needs access to UNIX functions. If you have users who are really acting as UNIX users (and thus might need to save data in their home directory) then you should manually assign an OMVS segment to them (possibly using the AUTOUID keyword) rather than relying on BPX.DEFAULT.USER or BPX.UNIQUE.USER.

(Feel free to submit a requirement to IBM for z/OS UNIX to support some tag such as sysuid, though. It seems like a good idea that would simplify administration.)

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: Search in the archive
On Thu, 16 Feb 2012 09:20:55 +0100, Miklos Szigetvari miklos.szigetv...@isis-papyrus.com wrote:

> Hi Try to search in the archive/and got server errors for //http://bama.ua.edu//archives///ibm/-/main

The proper address (as far as I know) is http://bama.ua.edu/archives/ibm-main.html

--
Walt
Re: Authorized functions
On Thu, 16 Feb 2012 10:31:50 -0800, Scott Ford scott_j_f...@yahoo.com wrote:

> Walt: Are we saying Cobol can't invoke TMP ?? If so, where do I find an example

No, but nothing stops you from structuring your STC so it invokes the TMP, and the TMP invokes your Cobol program. Then it can use IKJEFTSR to invoke authorized commands.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: Authorized functions
On Thu, 16 Feb 2012 14:42:01 -0700, Steve Comstock st...@trainersfriend.com wrote:

> OK, just being a little crazy, what about EXEC PGM=MYASMPGM which does some stuff and then does XCTL to the TMP? Would that work?

The last time I tried it (28+ years ago before I joined IBM) it was possible to do that, if you were careful to pass all the proper data. I have no idea if it would still work, nor whether IBM would consider it supported.

--
Walt
Re: Authorized functions
On Wed, 15 Feb 2012 13:34:01 -0500, Scott Ford scott_j_f...@yahoo.com wrote:

> All, I understand that authorized programs have been talked about before, but I don't understand and I want to make sure I do before I start a design ..
>
> What I want
> Long running STC ... Invoke a rexx clist performing alloc, calls to a program
> long running STC program is linked ac(1)
> Do I create an entry in ikjtso00 for the STC program
> Do I create an entry in ikjtso00 for the clist name
>
> This is where I am cornfused.

The entries in IKJTSO00 are for programs (not execs or clists) that you invoke under the TSO/E TMP. So, if your STC actually has

    // EXEC PGM=your-program

then there would be no reason to put your-program in IKJTSO00 as you are not running it under the TMP. On the other hand, if your STC has

    // EXEC PGM=IKJEFT01,PARM=CALL dsname(your-program)

and you want your-program to run APF-authorized, then you would need it in IKJTSO00.

IF you are doing as my first example, and the STC directly invokes your program, I'd like to inquire -how- you are having your program invoke the REXX exec, though. The way you do that has critical implications for the functions that the exec can perform.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: Ikjeft01
On Fri, 27 Jan 2012 11:23:51 -0600, Dan mvs-j...@sympatico.ca wrote:

>> Another would be (for simple SEARCH commands) to use either RACROUTE REQUEST=EXTRACT,TYPE=EXTRACTN.
>
> Does anyone know where I might find a sample of this function? I'd like to extract the OTHER groups that are available to the current user.

You don't need any kind of RACROUTE request to do that, if I've understood what you want to do. Simply look in the current user's ACEE, find ACEEFCGP, and look in the static list-of-groups table (CGRP) anchored there.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: change job classes for ones submitted via intrdr
On Tue, 24 Jan 2012 15:55:07 -0600, Tom Marchant m42tom-ibmm...@yahoo.com wrote:

> On Tue, 24 Jan 2012 10:47:37 -0600, Walt Farrell wrote:
>
>> They're jobs, but they enter the system via stcinrdr not intrdr.
>
> Are you saying that a started job is more like a job than like a started task? If so, it surprises me. I would have thought that once it is running it looks about the same as any started task.

No. I'm trying to say that most, but not all, jobs come in via intrdr, and that started jobs are one of the exceptions. If the OP wants to change all jobs that come in via intrdr from CLASS=A to CLASS=R then that is very close to saying that he doesn't want CLASS=A at all. If that's the case, it's probably just easier to treat class A identically to class R, rather than writing an exit to change the job class. If it's not the case, the OP needs to explain more about what he's trying to do, in my opinion.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: Ikjeft01
On Mon, 23 Jan 2012 15:44:39 -0500, Scott Ford scott_j_f...@yahoo.com wrote:

> Thanks to all, there is one thing that forced us as a vendor to use external resources outside our STC it is the 4096 line limitation to IRRSEQ00. I hope IBM will resolve this. We have one customer with 350,000 RACF userids, if you do a SEARCH CLASS(USER) a failure will occur. Hopefully, I can take some time to write the new RACROUTE calls and give these ideas a whirl.

For the USER class you should use IRRSEQ00 with the ADMN_XTR_USER and ADMN_XTR_NEXT_USER functions.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: change job classes for ones submitted via intrdr
On Tue, 24 Jan 2012 07:21:23 -0500, Tim Brown tbr...@cenhud.com wrote:

> Is there a way to control job classes that get submitted via intrdr If a job comes through say CLASS=A , have it changed to different class say CLASS=R

That question seems a bit odd to me. Have you considered that almost all jobs are submitted via intrdr? The exceptions would be jobs coming from a physical card reader (if any) or via RJE or NJE. Or STCs that are really started jobs rather than started tasks because they have a JOB statement in them. But anything else that's running basically came in via an intrdr, even if it's a production job scheduled by your production job scheduling system.

Did you really mean something else?

In any case, as others have indicated, you'd use JES or system exits to accomplish that, but what you'd need to do in them may differ depending on what you really meant.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: change job classes for ones submitted via intrdr
On Tue, 24 Jan 2012 11:13:36 -0500, Shmuel Metz (Seymour J.) shmuel+ibm-m...@patriot.net wrote:

> In 7792164355560880.wa.wfarrellus.ibm@bama.ua.edu, on 01/24/2012 at 07:37 AM, Walt Farrell wfarr...@us.ibm.com said:
>
>> Or STCs that are really started jobs rather than started tasks because they have a JOB statement in them.
>
> AFAIK the processing is the same whether there is a default JOB statement or one from a file. In fact, I believe that you can START a proc with a job statement under MSTR. I'm not sure that's really relevant, though.

They still are not submitted via intrdr. They're jobs, but they enter the system via stcinrdr not intrdr.

I was pointing out that asking about jobs submitted via intrdr is very close to the same as asking about all jobs. His question had more the feel of "how do I stop my TSO users from doing x", but with the possible misunderstanding that only TSO users use intrdr. So I wanted to point out his possible misunderstanding and find out what he's really trying to do.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: Ikjeft01
On Mon, 23 Jan 2012 10:18:41 -0500, Scott Ford scott_j_f...@yahoo.com wrote:

> Does anyone know or have called IKJEFT01 from a LE COBOL program. I have read manuals and googled and found no definitive answer.

I believe that IKJEFT01 must be invoked APF-authorized, and that probably your COBOL program runs unauthorized.

What exactly are you trying to accomplish? If you explain your need, rather than asking about one possible solution, we may have more success suggesting alternatives.

But to start, if you're trying to invoke non-APF-authorized commands, you could invoke IKJEFTSI to setup the TSO/E service facility, and then IKJEFTSR to invoke the TSO commands. You'd perhaps want to use an assembler subroutine to make those calls, though, rather than doing so directly from COBOL. And you'd still have to deal with the issue of how you'd trap the output from the commands.

So, the more details you can provide of what you need to accomplish the more help we can provide.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: Ikjeft01
On Mon, 23 Jan 2012 11:25:30 -0500, Scott Ford scott_j_f...@yahoo.com wrote:

> Sorry guys my fault, I should have explained. My LE COBOL program is APF authorized. I want to be able to call IKJEFT01 to invoke authorized functions. These calls are RACF or one of the other security subsystems. I know certain authorized calls I cannot make , now I am submitting a batch IKJEFT01 job stream to the Intrdr and I want to internalize this process to the COBOL STC. Another solution is where can I find an example of an equivalent of RACF SEARCH CLASS(FACILITY) or DATASET ?

John McKown has provided a couple of alternatives (IRRSEQ00 callable service, see RACF Callable Services) or REXX. Another would be (for simple SEARCH commands) to use either RACROUTE REQUEST=EXTRACT,TYPE=EXTRACTN.

I'd have a preference for either the RACROUTE or callable service, because the command processor output is officially not a programming interface. But it's pretty simple output in this case. And the best form of the IRRSEQ00 callable service, using one of the ADMN_XTR_* functions, won't work for the DATASET class. And I have no idea whether or to what extent the other security products support IRRSEQ00.

Of course, you're getting into an area where each of the security products will be returning very different data, so you might as well have 3 different programs using 3 different mechanisms of extracting data anyway.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: two-way encryption format for password encryption in IBM Tivoli Directory Servers (ldap) - TIM TAM
On Wed, 18 Jan 2012 11:14:57 -0600, Bruce Wheatley bwheat...@cds.ca wrote:

> One of our middleware support staff has brought this possible exposure to our attention: By using the two-way encryption format, a super user in ITDS (e.g cn=root) can run the ldapsearch command or any other ldap client tool to retrieve user passwords in clear text format.
>
> Questions:
> 1) - Is this scenario accurate?
> 2) - What changes can we make to prevent a 'root' user from gaining this access?
>
> TIA for your help.

A few aspects of your question seem unclear to me, Bruce.

(1) Are you talking about the LDAP bind passwords that a user would use when connecting to the ITDS LDAP server, or to the TIM account passwords stored in TIM entries within the LDAP database?

(2) Which platform is your ITDS server running on?

Note that if you're talking about the LDAP bind passwords you have a choice of storing them in a one-way or two-way encryption format, based on the LDAP configuration options you choose.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: REXX Calling SDSF abend 878-10
On Mon, 16 Jan 2012 15:34:48 -0600, Paul Gilmartin paulgboul...@aim.com wrote:

> On Mon, 16 Jan 2012 13:14:04 -0800, Cris Hernandez #9 wrote:
>
>> when I want to know what a job did, I read its output using REXX, whether it's the util/pgm output to a file or the JES output pulled off the output queue or SAR. what is it you get from SDSF?
>
> You get to pull output off the output queue. I know of no native Rexx facility to do that.

For some classes of output, you could have the REXX exec invoke the TSO/E OUTPUT command, and outtrap the results.

--
Walt
Re: Eight-character TSO Userid Support
On Tue, 27 Dec 2011 14:29:12 -0600, McKown, John john.mck...@healthmarkets.com wrote:

> A RACF id can be 8 characters. But, in that case, they cannot have a TSO segment. So they cannot be used to logon to TSO. If you try, you get a message of some sort from the TSO logon process. They can be used for batch jobs, UNIX shell accounts, ftp accounts, CICS logons, and probably others (like DB2 and IMS, but I don't know).

Actually, a user with an 8-character user ID should be able to have a TSO segment, John. I'm not aware of anything that would prevent that, unless possibly it's something related to creation of the segment trying to add the user to SYS1.BRODCAST. If you've configured TSO/E to use user brodcast data sets even that should not be a problem.

But you're right, they would not be able to logon to TSO.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: Eight-character TSO Userid Support
On Tue, 27 Dec 2011 08:18:44 -0600, Paul Gilmartin paulgboul...@aim.com wrote:

> On Tue, 27 Dec 2011 07:49:31 -0500, Peter Relson wrote:
>
>> What PARMLIB member is it that allows 8 characters between periods?
>
> http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/dgt2c190/8.6.5.1
>
> As Paul Gilmartin posted, this is a reference to:
>
>     MODIFY CATALOG,DISABLE(DSNCHECK)
>
> There's precious little further documentation I can find. Is all syntax checking removed? Is even the HLQ allowed to exceed 8 characters?

As far as I can tell from looking at the code, yes, all syntax checking is removed. With the option disabled the routine that is preparing to write the new catalog entry bypasses calling the subroutine that would perform the syntax check (overall length, character content, node length, etc.). Technically that should allow any name to be cataloged. Of course, I can't tell what other checking might precede that routine as I don't know the catalog code very well.

Of course, it's always been possible to have uncataloged names that violated most of the rules, but this seems to make it possible to catalog those names, too.

I have no idea what would happen if the name exceeded 44 characters. Nor what would happen if the first node exceeded 8 characters (though I might guess that it could work, as long as the user had authority to update the master catalog). And, of course, if any security checking occurs you'd find that RACF is one of those components that has no idea about this option, and so would apply its normal rules, but things might work OK if either SETROPTS PROTECTALL(NOFAIL or WARNING) is in effect, or if one has appropriate RACF profiles defined.

(Appropriate profiles: RACF will normally require that each qualifier (node) of the name have a length <= 8, but a * that ends the profile name (non-EGN), or a ** that ends the profile name (EGN), will handle qualifiers longer than 8. Still, in the absence of a naming convention table RACF will expect the first qualifier to be <= 8 characters, and to match a user ID or group name.)

But remember that these considerations would also apply to anyone trying to create uncataloged data sets, so it's not really related to this catalog option.

> Some people suspect that this was an unintended consequence of removing all syntax checking when CVOLs were supplanted. After the product was in the field, some customers complained that programmers were cataloging DSNs that couldn't readily be manipulated with customary utilities. IBM discovered or at least suspected that other customers were actively exploiting the feature and had little choice but to provide an option.

As far as I can see, the option has existed since 2000 or 2002, though I get a bit confused as I look at the source: it appears that the option was created in 2000 but that the code to bypass the syntax checking was added in 2002, though it all seems associated with FMID HDZ11G0.

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: Eight-character TSO Userid Support
On Mon, 26 Dec 2011 09:00:56 -0600, Paul Gilmartin paulgboul...@aim.com wrote:

> There's a PARMLIB option that allows the use of far more than 36 (39?) (40?) and removes the 1-8 character blocking requirement.

What option provides that flexibility?

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: Enable security in ftp client
On Wed, 21 Dec 2011 10:00:51 -0600, Jorge Garcia jgarc...@mapfre.com wrote:

> We want to enable security for the ftp client in our production system. We don't grant access to any user to execute the ftp client against our production system. We've searched for a RACF resource to limit the access to the ftp client in the RACF System Programmer's Guide and RACF Security Administrator's Guide, but we don't find anything. We don't want to use the exit to limit the access (if that's possible). We prefer to use RACF for security administration.

You would find information about securing the FTP client, if there is any to be found, in the Communications Server books that describe FTP.

But I'm curious what you're trying to protect, inbound to the host, or outbound? And I'm curious why you think securing the FTP client will really protect anything?

--
Walt Farrell
IBM STSM, z/OS Security Design
Re: RACF identity when ACEE is above 16MB
Also, if you're asking formal questions related to product development, you might want to consider joining PartnerWorld and asking them formally via the channels that PartnerWorld provides, rather than asking here or in RACF-L.

-- Walt Farrell
IBM STSM, z/OS Security Design
Re: RACF identity when ACEE is above 16MB
On Thu, 8 Dec 2011 13:24:59 +, ESHEL Jonathan j.es...@rsd.com wrote: This is my first posting to the list, so please bear with me if I missed something in the archives or in the IBM documentation, both of which I scrutinized thoroughly. For a product managing a number of users in the same address space, we are trying to release some space below the 16MB line, especially for a client who has a lot of users/groups and therefore a great deal of below-the-line memory is taken by ACEEs. We modified our RACROUTE REQUEST=VERIFY and added an ACEE parameter, and we effectively create it above the line. However, how will RACF now identify the user linked to the task for operations like dataset open and job submission? The obvious thing to do is storing the address of the ACEE created in the TCB, field TCBSENV, but the documentation clearly stipulates not to do it when the ACEE resides above the line. So what RACF is doing right now is reverting to the ACEE pointed to by the ASXB (the user linked to the whole address space), and this is not what we want. Is there a way to point RACF to the above-the-line ACEE so it will correctly identify the task with its user?

First, for RACF-specific questions I would suggest using the RACF-L mailing list, rather than IBM-MAIN. However, since you asked here:

If all the application code running in that address space is code that you own and control, and it's all AMODE(31) code, or you can guarantee that any AMODE(24) code won't try to look at the ACEE itself, then it's probably safe to put a 31-bit address into TCBSENV. The problem with doing that in the more general case is that you can't guarantee that only AMODE(31) application code will run in an address space, and if any AMODE(24) code tried to look at the ACEE it would abend.

Additionally, as far as I can tell the InitACEE callable service will create ACEEs in 31-bit storage, and will anchor them in TCBSENV. That's why I suspect it's safe to do so in other cases, too.

On the other hand, you might just want to switch to using InitACEE to manage all your ACEEs.

-- Walt Farrell
IBM STSM, z/OS Security Design
Re: IKTLOGR ERROR 026
On Thu, 1 Dec 2011 12:33:27 -0500, Richards, Robert B. robert.richa...@opm.gov wrote: IKJ608I TSOLOGON TERMINATED. IKTLOGR ERROR 026,USER xx,PROC x Anyone know what might cause these to show up all of a sudden? We are at z/OS 1.12 and have been for months.

It's explained in the Messages book if you look up that message. See http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/IEA2M9C0/SPTM012768

"When the program is IKTLOGR and the return code is 26, it means reconnect failed because a previous reconnect attempt was already in progress."

-- Walt Farrell
IBM STSM, z/OS Security Design
Re: IKTLOGR ERROR 026
On Thu, 1 Dec 2011 13:05:07 -0500, Richards, Robert B. robert.richa...@opm.gov wrote: Walt, thank you, but I was not asking what it was... I was asking what would cause it to show up all of a sudden (about a dozen times recently for different users on different systems in one sysplex). I am suspecting a bug, but thought I'd canvass the list for their experience with this (or lack thereof).

I would suspect you're having a number of users who are starting to do a LOGON RECONNECT and for some reason are initiating another one before the first one finishes. It's hard to say whether that would represent a change in user behavior, an issue with connectivity such that the first reconnect isn't completing for them and they start another one, an issue with the users' PCs, or what.

-- Walt
Re: SYSOUT DATA SET NOT ALLOCATED, USER NOT AUTHORIZED FOR FUNCTION SPECIFIED
On Wed, 9 Nov 2011 17:01:03 +0100, Dr. Stephen Fedtke max_mainframe_...@fedtke.com wrote: I get the following error within a rexx trying to allocate a file to the internal reader: SYSOUT DATA SET NOT ALLOCATED, USER NOT AUTHORIZED FOR FUNCTION SPECIFIED

rexx: ADDRESS TSO ALLOC FI(JCL) SYSOUT(A) WRITER(INTRDR) REU

The rexx is executed in an EXEC PGM=IKJEFT01 batch environment. Does anybody have an idea?

You're not authorized to submit jobs, therefore you can't allocate an internal reader. Basically, you lack authority to the JCL resource in the TSOAUTH class, or possibly, if you're using UADS rather than TSO segments and don't have the TSOAUTH class active, you don't have the appropriate authority in your UADS entry.

-- Walt Farrell
IBM STSM, z/OS Security Design
Re: SYSOUT DATA SET NOT ALLOCATED, USER NOT AUTHORIZED FOR FUNCTION SPECIFIED
On Wed, 9 Nov 2011 12:50:59 -0500, Shmuel Metz (Seymour J.) shmuel+ibm-m...@patriot.net wrote: In 2009170103.ga10...@mail03d.hostcenter.com, on 11/09/2011 at 05:01 PM, Dr. Stephen Fedtke max_mainframe_...@fedtke.com said: SYSOUT DATA SET NOT ALLOCATED, USER NOT AUTHORIZED FOR FUNCTION SPECIFIED

Try issuing PROFILE MSGID first, then look up the message. Also check for ICH messages.

Generally an excellent approach and recommendation, Shmuel. Wouldn't help in this case, I'm afraid. The relevant TSO/E message gives two dynamic allocation error return codes that are relevant, but both of them just say talk to your RACF administrator. And given the design of the TSO processing for this there are no ICH messages. But it has to be either lack of authority to JCL in the TSOAUTH class or an issue with UADS authorities.

-- Walt Farrell
IBM STSM, z/OS Security Design
Re: Problem with add a RACF certificate
Someone here may be able to help you, but I think you'll find a greater population of experts over on RACF-L, since you're asking a RACF question.

-- Walt Farrell
IBM STSM, z/OS Security Design
Re: redbook site?
On Tue, 25 Oct 2011 08:56:36 -0400, Crabtree, Anne D anne.d.crabt...@wv.gov wrote: Anyone else having trouble downloading pdfs from the ibm redbook site? I tried all day yesterday and this morning and it just stops and then gets stuck. I've tried several different books with the same result... nothing! Don't know if it's us or them...

If you're using Firefox, I have often found (not just with the IBM Redbooks site) that trying to view a PDF in Firefox would hang. However, right-clicking the link and choosing Save Link As always seems to work.

-- Walt
Re: redbook site?
On Tue, 25 Oct 2011 09:34:29 -0500, Elardus Engelbrecht elardus.engelbre...@sita.co.za wrote: What version of Firefox and what PDF viewer (and version) are you using? Adobe or other PDF viewer like Foxit?

All versions of Firefox. I've seen it using the Adobe Reader plug-in, and I've also seen it with at least one other PDF viewer plug-in. Sometimes, for small enough PDFs it works. Often, for larger PDFs, it doesn't unless I choose to save the PDF rather than viewing it in Firefox.

-- Walt
Re: z/OS Control block question
On Sat, 22 Oct 2011 19:29:11 -0500, Wayne Driscoll wdri...@us.ibm.com wrote: Please explain how "all TCB's under a given JSTCB will point to the same TIOT" is incorrect, but "every TCB with the same TCBJSTCB will normally have the same TIOT" is true, when the two statements make the same point?

I -think- he's using a different definition of "under" than you are, Wayne. For example, the Region Control Task (RCT) is a jobstep task, and under it (subtask) is the initiator (also, iirc, a jobstep task), and under the initiator (subtask) is the user's jobstep task.

-- Walt
Re: z/OS Control block question
On Mon, 24 Oct 2011 10:03:58 -0500, Wayne Driscoll wdri...@us.ibm.com wrote: Walt, thanks, I missed an important qualifier; what I should have said was "all non-job step TCB's under a given JSTCB will point to the same TIOT".

No, that still doesn't work, Wayne, as it still has that ambiguous use of "under". I think you really do need to say "with the same TCBJSTCB" rather than "under a given JSTCB". Consider, for example, the case where you have // EXEC PGM=A where A, running authorized, attaches B and C both as jobstep TCBs, and with separate TIOTs. B then attaches non-jobstep TCBs B1 and B2, which share B's TIOT. C attaches non-jobstep TCBs C1 and C2, which share C's TIOT. In the sense of subtasking, all of B1, B2, C1, and C2 are "under" A, but none share A's TIOT.

-- Walt
Re: Certificate JCL error
On Thu, 13 Oct 2011 20:23:31 +0530, Jake anderson justmainfra...@gmail.com wrote: Please suggest.

My suggestion would be that you'd get a more experienced set of eyes looking at your problem if you try RACF-L rather than IBM-MAIN, or if you open a question with the folks at the IBM Support Center if you're eligible for QA support there.

-- Walt Farrell
IBM STSM, z/OS Security Design
Re: BPXWDYN documentation without FTP
The official z/OS Internet library does not require using FTP. Specifically for BPXWDYN, try http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/bpxzb6a0/6.0?SHELF=EZ2ZBK0K.bksDT=20100628090654

-- Walt
Re: SRB code
On Wed, 12 Oct 2011 15:37:28 -0400, Micheal Butz michealb...@optonline.net wrote: Hi. I know you can't issue an SVC from an SRB; however, PC rtns are allowed. My question is, can that PC rtn issue an SVC?

No, because the PC is still running within an SRB.

-- Walt
Re: TSO TEST Debugging with TPUT and input paramters
On Sun, 9 Oct 2011 10:15:55 -0500, Shmuel Metz (Seymour J.) shmuel+ibm-m...@patriot.net wrote: In of6cdc7ddc.e421ca97-on86257922.00663a69-86257922.00666...@us.ibm.com, on 10/07/2011 at 01:38 PM, Wayne Driscoll wdri...@us.ibm.com said: TPUT has supported a USERID= operand, which will route the TPUT to a logged on TSO user, for as long as I can remember.

Doesn't that require authorization? My recollection is that it was in support of SEND, not for unprivileged programs.

Based on the published documentation, no, it doesn't require authorization.

-- Walt Farrell
IBM STSM, z/OS Security Design
Re: whereis command for TSO.
On Fri, 7 Oct 2011 13:52:51 -0700, Donald Russell russell@gmail.com wrote: Thanks so much Dave. That sounds like what I had done before, in a previous life; that will be perfect for my needs.

Don't forget, though, that:

(a) you'll need to use CSVQUERY to see if the module is in LPA, but only if BLDL indicates that the module is in the LINKLIST, rather than in a JOBLIB/STEPLIB/TASKLIB.

(b) If you're running APF-authorized then the rules about which copy of a module the system will actually use are different from the non-APF case, and BLDL won't necessarily show you the module that the system will actually choose.

-- Walt Farrell
IBM STSM, z/OS Security Design
Re: Rename of DDname ?
On Fri, 7 Oct 2011 15:45:50 +0200, Thomas Berg thomas.b...@swedbank.se wrote: Is there any way to rename a ddname? By that I mean leaving the allocation as such untouched, but the name of the allocation/DDname is changed. An example of usage is when you have an allocation for application 1 with DDname 'ABC' for dataset AAA.BBB and want to keep that, and then want to run application 2 which requires the same DDname (for dataset CCC.DDD). This is just *one* example. Is it a matter of editing the TIOT, or?

No, you can't edit the TIOT. How/where are you running these applications?

-- Walt
Re: IDIDMAP
On Thu, 6 Oct 2011 05:44:20 -0500, Barbara Nitz nitz-...@gmx.net wrote: Whoever had the glorious idea to name a new RACF class IDIDMAP when the prefix IDI is IBM-defined as belonging to the IBM product Fault Analyzer... Makes for some rough searching to find out why something with the prefix IDI is defined on one system in the plex sharing the RACF database but not the other, when the Fault Analyzer product is identical and active on both systems!

What, and how, are you trying to search, Barbara? And what difficulty are you having?

-- Walt Farrell
IBM STSM, z/OS Security Design
Re: IDIDMAP
On Thu, 6 Oct 2011 07:10:56 -0500, Barbara Nitz nitz-...@gmx.net wrote: Then we started searching what the heck IDIDMAP is. No hit in the Fault Analyzer books. SIS had two hits, both for zSecure, both ptfs for not showing things correctly. So we assumed that that had something to do with us having the zSecure fix in the 1.12 system, but not in the 1.10 system. No 1.10 system (including the RACF database sharing other system) was even showing this Fault Analyzer class. Eventually both my RACF colleague and I found out that IDIDMAP has nothing whatsoever to do with Fault Analyzer (that has a number of RACF definitions that are *extremely* similar in naming), hence my/our confusion. This has nothing to do with FA at all - hence my question why IBM uses a prefix for an IBM product to name a RACF class that has nothing to do with that product. Don't tell me you're responsible!

No, I'm not responsible, at least not directly, and only indirectly in the sense that if we named things as you think we do then I should have recognized such a problem and fixed it before you saw it. However, IBM component prefixes play no role in assigning class names in RACF. The class names derive from the objects being protected. The only usage of component prefixes in this area is for resource and/or profile names in the FACILITY and XFACILIT classes.

So that's why we used that prefix: we do not consider the prefixes at all in the way that you think we do, and IDI is not a prefix in this usage. Thus, it's not an IDI-DMAP (some kind of DMAP thing related to FA), but an IDID-MAP, a mapping rule for IDIDs, which are distributed identity objects.

But sorry for the confusion, in any case.

-- Walt Farrell
IBM STSM, z/OS Security Design
Re: QUESTION ABOUT WILD CARDS
On Wed, 5 Oct 2011 05:39:14 -0700, John Dawes jhn_da...@yahoo.com.au wrote: Is there a difference between the two: ISP.PROFILE.* ISP.PROFILE.** I ran a few tests and I find that they give the same results. If my understanding is correct about WILD CARDS the * or ** are the same when there are no other HLQs after it. Am I right?

If you were asking in the context of RACF data set profiles, then ** would match any number of qualifiers, including 0, whereas * would match only 1 or more. So, ISP.PROFILE.** would also match the 2-qualifier name ISP.PROFILE which ISP.PROFILE.* would not match.

I do not know if that's true in other contexts, though, nor which context you were asking about.

-- Walt Farrell
IBM STSM, z/OS Security Design
Re: QUESTION ABOUT WILD CARDS
On Wed, 5 Oct 2011 06:23:56 -0700, John Dawes jhn_da...@yahoo.com.au wrote: The reason for my post is because I need to create a new MANAGEMENT class for the ISP.PROFILE.*. At the present, they are using a MC which does not expire the dsns.

Then http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/dgt2s272/1.16.1.3?SHELF=EZ2ZBK0KDT=20090227163444CASE= is relevant to you, I think. It shows (as I interpret it) that * means 1 or more qualifiers when at the end of a name, and ** means 0 or more qualifiers. So, you need to decide whether your MC routine should apply to ISP.PROFILE or not, and that tells you whether to use ISP.PROFILE.* or ISP.PROFILE.** in your ACS routine.

-- Walt
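The trailing-qualifier rule both replies describe, a final * matching one or more further qualifiers and a final ** matching zero or more, applied to candidate data set names, as an added example (constructed here, not code from the posts, from RACF or from DFSMS); it models only the case where the wildcard is the last qualifier, which is the case the thread discusses.

```python
"""Trailing-qualifier wildcard rule described in the thread:
a final '*' qualifier matches one or more further qualifiers,
a final '**' matches zero or more.  Constructed model of that rule only;
it assumes a wildcard appears, if at all, only as the last qualifier."""


def qualifiers(name: str) -> list:
    # Data set names are case-insensitive; compare qualifier by qualifier.
    return name.strip().upper().split(".")


def trailing_wildcard_match(pattern: str, dsname: str) -> bool:
    """True if dsname matches pattern under the trailing '*' / '**' rule."""
    pq = qualifiers(pattern)
    dq = qualifiers(dsname)
    if any("*" in q for q in pq[:-1]):
        raise ValueError("only a trailing wildcard qualifier is modelled")
    if pq[-1] not in ("*", "**"):
        return pq == dq                 # no wildcard: the exact name only
    prefix = pq[:-1]
    if dq[:len(prefix)] != prefix:      # leading qualifiers must match exactly
        return False
    extra = len(dq) - len(prefix)       # qualifiers left over for the wildcard
    if pq[-1] == "**":
        return extra >= 0               # zero or more: ISP.PROFILE itself matches
    return extra >= 1                   # '*' needs at least one more qualifier


def matching_names(pattern: str, names) -> list:
    """Names from the given list that match pattern, in input order."""
    return [n for n in names if trailing_wildcard_match(pattern, n)]


if __name__ == "__main__":
    # Constructed sample names; ISP.PROFILE itself is the name the two
    # patterns disagree on.
    sample = ["ISP.PROFILE", "ISP.PROFILE.ISPPROF", "ISP.PROFILE.A.B", "ISP.PROF.X"]
    for pat in ("ISP.PROFILE.*", "ISP.PROFILE.**"):
        print(pat, "->", matching_names(pat, sample))
```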
Re: WTO Sample Program
On Wed, 5 Oct 2011 09:32:06 -0300, Sérgio Lima Costa sergio.co...@cetip.com.br wrote: We need a sample program that sends a message from the console operator, and then receives a response. We imagine that this is done using the WTO / WTOR macros. Does someone have a sample program for this, or know where we can find documentation on how to use this?

I think part of the confusion in this thread about what you want to do may be language-based. You said you want to send a message -from- the console operator, and receive a response. But WTO and WTOR send a message -to- the console operator, and (for WTOR) get a response -from- the operator. Is that what you meant you wanted (send -to- the operator)? If so, yes, WTO and WTOR are what you want. But if you really did mean that you want the operator to send a message (to someone), and get a response, nothing I've heard of allows that.

-- Walt
Re: RACF server disabled During IPL
On Fri, 23 Sep 2011 09:50:53 +0200, Michael Klaeschen michael.klaesc...@deutscherring.de wrote: You write about ESS battery and power drip. Therefore I would not expect problems with IOCDS or CPC setup. Instead there seems to be a problem with the RACF data base volumes. The description for IRR418I reads two more possible causes next to "RACF product not enabled". You might want to review the ESS configuration from its SE. Maybe there's no path to your RACF data base volumes, more precisely to the Vol Sers holding your data base volumes. Or even more precisely: no *valid* path to the Vol Sers, e.g. due to loss of power the questioned 3390 is in an inconsistent state. I would look for IOS messages in syslog, just around RACF initialization, as a starting point.

If there were a problem with accessing the RACF database volumes you would get messages from RACF to that effect, and a prompt to enter a different database name. Instead the OP got a message about the product not being registered, which is very specific to a problem with IFAPRDxx or to product registration processing. There is an MVS APAR related to issues with overlaid product registration information. I'm a bit surprised that this would have happened so early in the IPL sequence, but I suppose it's possible.

It would be interesting to know if there were any RACF messages preceding the IRR418I, as that particular IRR418I message occurred during initialization of the optional RACF subsystem, which happens much later (in the overall scheme of MVS initialization) than RACF itself initializing.

But I agree with another list member that it's most appropriate to open a PMR with IBM.

-- Walt Farrell
IBM STSM, z/OS Security Design
Re: RACF server disabled During IPL
On Fri, 23 Sep 2011 14:24:56 -0500, Matthew Stitt mathwst...@bellsouth.net wrote: Just a wild guess... You mentioned there is Z/OS 1.6 system which is running without these problems and the system which fails is a Z/OS 1.12 system. Are these two systems sharing the RACF database? Have they run together before the ESS problem? If they are sharing the RACF database and this might be the first IPL of the Z/OS 1.12 system, then I would look at the results of the RACF database template upgrade job. It might be possible the RACF database has not been upgraded to the 1.12 level of the templates and RACF could be complaining about the downlevel database.

Since z/OS V1.5 (around 9 years ago) it has not been necessary to run a RACF template job before IPLing a new release of z/OS and RACF. But if it were a problem with the database RACF would not say it was a problem with product registration.

In any case, I believe the OP has his answer via the PMR he opened.

-- Walt Farrell
IBM STSM, z/OS Security Design
Re: Getting CEE3796I AN ATTEMPT TO DYNAMICALLY TAKE A DUMP WAS NOT SUCCESSFUL.
According to the description for the RC=8, RSN=26, you should also have allocation messages that describe the problem.

-- Walt
Re: Printing Question
On Fri, 16 Sep 2011 14:20:14 -0400, Sumi, Joseph J. (CMS/CTR) (CTR) joseph.s...@cms.hhs.gov wrote: Maybe this is ISPF related and he somehow triggered an ISPF log or something (that contains what I'm seeing in print) to go to the printer. The printout I have has - TSU31307 on the cover with a print date of sept 12; the associated job printout is for job 1106-JOB25279 that ran on Sept 8th. (Xxxx = his userid)

That sounds like he was in SDSF and viewing job 25279 and asked SDSF to print the job. That would create one or more SYSOUT files for his TSO session, containing output from his batch job.

-- Walt
Re: DFSORT JOINKEYS question: Where to put INREC and OUTREC?
On Thu, 15 Sep 2011 16:24:43 -0400, Farley, Peter x23353 peter.far...@broadridge.com wrote: Unfortunately I am using one of your competitors' products (Syncsort) and they don't have IFTRAIL yet, though I suppose they will at some point.

Speaking entirely personally, and not as a representative of IBM, I'd like to suggest that as you're asking a Syncsort question it was rather misleading for you to have put DFSORT in your subject line.

-- Walt
Re: DFSORT JOINKEYS question: Where to put INREC and OUTREC?
On Thu, 15 Sep 2011 17:12:57 -0400, Farley, Peter x23353 peter.far...@broadridge.com wrote: Well, I do also have DFSORT available, but for this application I won't know a priori which product will be used (it may run in different locations on different sysplexes) so I need to keep it compatible. I am testing with both SORT versions. Sorry if I did not make that clear.

No, that wasn't clear. Thanks for the clarification.

-- Walt
Re: SYS1.IMAGELIB
In case you do want more information, searching the complete z/OS V1.12 library for sys1.imagelib finds hits in 27 documents. http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/Shelves/EZ2ZBK0K?searchRequest=sys1.imagelibSEARCH=SearchType=FUZZYSearchTopic=TOPICsearchText=TEXTsearchIndex=INDEXrank=RANK

-- Walt
Re: Trouble with Redbooks Link
On Mon, 12 Sep 2011 10:30:43 -0500, Chip Grantham cgrant...@ameritas.com wrote: I just received the weekly Redbooks email with a couple of interesting Redbooks I'd like to read. My session hangs when I try to download the book. Is anyone else having the same trouble?

I regularly have issues with Firefox hanging if I try to view PDFs in FF. Generally I end up right-clicking the PDF link and choosing Save As, which works just fine.

-- Walt
Re: How to splitting loadmudules
On Fri, 9 Sep 2011 07:36:52 -0700, Edward Jaffe edja...@phoenixsoftware.com wrote: To split a load module 'A' consisting of CSECTs 'A', 'B' and 'C' into modules 'A', 'B' and 'C':

  REPLACE A,B
  INCLUDE SYSLIB(A)
  ENTRY C
  NAME C(R)
  REPLACE A,C
  INCLUDE SYSLIB(A)
  ENTRY B
  NAME B(R)
  REPLACE B,C
  INCLUDE SYSLIB(A)
  ENTRY A
  NAME A(R)

You can do all of the relinking/separating in a single binder step. The approach should work even if SYSLIB and SYSLMOD point to the same library. I know of no other way...

I think it's unsafe to have SYSLIB and SYSLMOD pointing to the same library. Suppose you have load module A with CSECTs A, B, and C but you also have a load module C with CSECTs D, E, and F. If SYSLIB and SYSLMOD are the same library, your de-linking of A will wipe out load module C.

-- Walt
Re: SMF timestamps
On Wed, 7 Sep 2011 18:26:40 -0400, Robert A. Rosenberg hal9...@panix.com wrote: Since each record has a time stamp in its header showing (in local time) when it was written, I would think that if record X+1's time stamp is an hour earlier than record X's time stamp that would be a red flag that the time shift just occurred (so long as the date is the correct day for the switch). All you need to use is a sanity check routine to keep track of whether the switch has occurred. Once you get to 3AM on the switch date you are past the ambiguous hour.

Unfortunately, it's not quite that simple. Yes, you can perhaps detect the change based on that particular time stamp, but often the SMF records contain another time stamp that you can not simply change based on the record creation time/date. I refer to the reader start date/time which represent when a particular job was submitted to the system. Those fields you need to leave alone, or rather, keep the same as the first record for that job. So, if the first record for a job happened during standard time, the reader start date/time for all records for that job should remain as standard time. But if the first record for a job happened during daylight saving time, the reader start date/time for all its records should remain as daylight saving time. Other time stamps should change, but not those.

-- Walt
Re: OT Good/Bad News
On Wed, 7 Sep 2011 17:47:00 -0700, Ed Gould ps2...@yahoo.com wrote: IBM secures deal to supply mainframe in China http://news.techworld.com/storage/3301850/ibm-secures-deal-to-supply-mainframe-in-china/?olo=rss

What part of that do you view as bad news, Ed?

-- Walt
Re: SMF timestamps
On Tue, 6 Sep 2011 08:23:12 -0500, McKown, John john.mck...@healthmarkets.com wrote: ... That is, being in the US Central Timezone, when we go to Daylight Saving time (from TIMEZONE=W.06 to TIMEZONE=W.05) at 02:00, the time range from 02:00-02:59 repeats. Is this correct? If so, I don't know if 02:10, for example, is local time for 08:10 or 07:10 GMT. Do I just give up? Or am I missing something simple?

For reader start date/time you would probably need to keep track of when you first saw that date/time combination, and remember whether you were in daylight saving time at that point or not. And then hope that you didn't have a job start during the first 02:00-02:59 interval, and another one start at the exact same time during the second 02:00-02:59 interval.

There's another timestamp, though, for the date/time the record was provided to SMF. That one is a bit easier, I think. If you're processing the records from that day sequentially, if you're lucky then when you start getting records from the second 02:00-02:59 interval you'll notice the timestamp move backward, and you would then know that you've crossed the boundary. Of course, you might get unlucky and have no records during the first 02:00-02:59 interval, or have some from that interval but have the ones from the second interval occur late enough that you can't observe the timestamp moving backward.

So, there will be some cases you can't determine, I think.

-- Walt
Re: SMF timestamps
On Tue, 6 Sep 2011 11:28:40 -0500, Elardus Engelbrecht elardus.engelbre...@sita.co.za wrote: Damn! While we are not using those daylight saving time thing, I see your problem... What about a table driven solution? Say for hours 1-hours 2 you use W.06, hours 2 - hours 3 you use W.05? I admit this is *ugly* and may not work every year. The problem with the transition from daylight-saving time to standard time, Elardus, is that the hour from 1 a.m. to 2 a.m. (0100 to 0200) happens twice: once while you're on daylight saving time, and once when you've switched back to standard time. (Assuming I got the times, and the direction correct. I think I was wrong about that in my prior note.) So I don't think a table-driven approach can work. You can infer whether you've made the transition if you examine the records carefully, and note the times you see in them, and detect the change by noticing overlapping records (one record that says, e.g., 0159 followed by a record that says 0101). But if you don't see that kind of change you can't be sure whether the first set of 0100-0200 was daylight saving time or not. And that only works for the SMF record date/time, not for the reader start date/time fields. -- Walt
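The detection logic from the two SMF timestamp replies above, written out as an added example (not code from the thread), in Python rather than REXX: it walks SMF record write times in the order they were written, treats a local time that moves backward into the repeated hour as the fall-back transition, and labels repeated-hour records that precede no such observation as ambiguous. It assumes the W.05/W.06 offsets named in the thread and takes the repeated local hour as 01:00-01:59, per the second reply; the sample records are constructed.

```python
"""Resolve SMF local timestamps across the fall-back DST transition.

Added example (not from the thread). Constructed scenario: US Central time
returns from CDT (TIMEZONE=W.05, UTC-5) to CST (TIMEZONE=W.06, UTC-6), so
the local hour 01:00-01:59 happens twice. Records are processed in the
order SMF wrote them.
"""
from datetime import datetime, timedelta, timezone

DST = timezone(timedelta(hours=-5))   # W.05, Central Daylight Time
STD = timezone(timedelta(hours=-6))   # W.06, Central Standard Time
REPEAT_START, REPEAT_END = 1, 2       # the repeated local hour

def classify(local_times):
    """Label each naive local timestamp 'dst', 'std' or 'ambiguous'."""
    labels, prev = [], None
    past_transition = backward_seen = False
    for ts in local_times:
        # A later record with an earlier local time inside the repeated hour
        # means the clock fell back; from here on we are on standard time.
        if prev is not None and ts < prev and REPEAT_START <= ts.hour < REPEAT_END:
            past_transition = backward_seen = True
        if past_transition or ts.hour >= REPEAT_END:
            # The DST clock never reaches 02:00 local: standard time for sure.
            past_transition = True
            labels.append("std")
        elif ts.hour < REPEAT_START:
            labels.append("dst")    # before the repeated hour: still DST
        else:
            labels.append(None)     # repeated hour: first pass or second?
        prev = ts
    # Repeated-hour records seen before an observed backward move were the
    # first pass (DST); without that observation they cannot be resolved.
    fill = "dst" if backward_seen else "ambiguous"
    return [fill if lb is None else lb for lb in labels]

def to_utc(local_times):
    """Pair each local timestamp with its UTC equivalent (None if ambiguous)."""
    out = []
    for ts, label in zip(local_times, classify(local_times)):
        tz = {"dst": DST, "std": STD}.get(label)
        out.append((ts, ts.replace(tzinfo=tz).astimezone(timezone.utc) if tz else None))
    return out

# Constructed samples: with the backward move observed (01:58 then 01:03),
# and without any record from the second pass, leaving 01:20 ambiguous.
SAMPLE_OBSERVED = [datetime(2011, 11, 6, h, m)
                   for h, m in [(0, 45), (1, 20), (1, 58), (1, 3), (1, 40), (2, 15)]]
SAMPLE_UNOBSERVED = [datetime(2011, 11, 6, h, m) for h, m in [(0, 45), (1, 20), (2, 15)]]
```

Records before 01:00 and at or after 02:00 resolve either way; only the repeated hour depends on seeing the backward move, which matches the thread's conclusion that some cases cannot be determined.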
Re: IBM-MAIN INFO
Lizette meant that the proper command is INFO IBM-MAIN not GET IBM-MAIN INFO as the footer of messages from IBM-MAIN indicates. Yes, I think this is something Darren or someone else at bama needs to fix (unless it's something the folks who provide the Listserv software need to fix). -- Walt -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: why did i just need to sign in to gmail, just to view ibm-main? is it proprietary now?
Given that the OP's question did not appear on the mailing list, it was presumably posted via Google Groups. And I believe that Google Groups will periodically have you sign in again; at least Google Reader does that. As regards cookies, they are specific to the browser you're using when the site sets them, and it's possible that you've configured Firefox not to remember them. -- Walt
Re: Get a user password from RACF.
On Thu, 18 Aug 2011 08:20:42 -0400, Chicklon, Thomas thomas.chick...@53.com wrote: I am not aware of this being documented anywhere. Maybe someone else can jump in with that info if they have it. If on the OP's system RACF is for some weird reason configured to use the old, deprecated, obsolete hashing method (different meaning of hash than is typically used today, by the way) for passwords rather than DES, then the password can be recovered by anyone who has access to old enough RACF source code, and is clever enough to figure out how to reverse the method. RACF never provided a retrieval method, but the hashing can be reversed if it's used. Of course, that method has not been the standard (default) method for over 20 years now, and we would hope no one has manually configured their system that way. So it's likely that the OP's system is using the encryption method, rather than the hashing method, and in that case the password cannot be retrieved in the sense that we're discussing here. However, the installation does have the option of configuring password enveloping. The password enveloping process allows capture of the user's password, and secures it cryptographically using a PKCS #7 envelope contained within the user's profile so that it can be retrieved securely via LDAP by appropriately authorized users who have authenticated with the proper digital certificate. This would normally be used by some kind of password synchronization process, where you wanted to send the user's RACF password to some other non-z/OS system to keep the passwords synchronized. And of course before doing that you would want to consider the security implications, both of exposing the user's password on a system that is possibly less secure/protected than your z/OS system, and of having some other process or person who knows the user's password and can thus impersonate the user (giving loss of accountability).
-- Walt Farrell IBM STSM, z/OS Security Design
Re: TCB List - again
On Thu, 18 Aug 2011 14:12:42 +, Rob Scott rsc...@rocketsoftware.com wrote: The freeware MXI does have a limit on the maximum number of TCBs shown for an ASID - the commercial version (MXI G2) does not. I do not believe that there is another free tool that lists TCBs in a foreign address space dynamically - your only other free option is to DUMP the address space and use IPCS. With appropriate authorization via FACILITY class resource BLSACTV.SYSTEM an IPCS user can use IPCS ACTIVE and examine the storage of other address spaces. That should allow running TCB chains and producing an appropriate report, possibly via a REXX exec, though of course as TCBs are created or deleted errors might occur and will need to be handled. -- Walt Farrell IBM STSM, z/OS Security Design
Re: Naive BCPii questions
On Tue, 16 Aug 2011 08:50:38 -0400, Tom Ambros thomas_amb...@keybank.com wrote: - I have the zSeries API documentation and the BCPii specific zOS docs but I am not able to find items related to returned values, for example HWIQUERY of HWI_OPERSTAT. I can probe and knowing the state of what I'm seeing can infer what I am getting but I'd like to find wherever these flags are defined to make sure I'm writing my app correctly. For example, querying a deactivated lpar I get x'0008', an activated lpar that's varied from the sysplex I see x'0002' and a running CF gives me x'0001'. That's great but I am concerned about what I don't know here. Where can I find this stuff? Chapter 4 of the System z API book (SB10-7030-13) seems to have a lot of information, including some C #define statements giving values for various integer and bit flag values. I'm not quite sure how to map the names (such as HWI_OPERSTAT) used with BCPii into the object names shown in that book, but in the book you'll find these value definitions (for example) that seem meaningful for the results you saw:

    /**/
    /* Defines for the Hardware Management Console Status Values. */
    /**/
    #define HWMCA_STATUS_OPERATING            0x0001
    #define HWMCA_STATUS_NOT_OPERATING        0x0002
    #define HWMCA_STATUS_NO_POWER             0x0004
    #define HWMCA_STATUS_NOT_ACTIVATED        0x0008
    #define HWMCA_STATUS_EXCEPTIONS           0x0010
    #define HWMCA_STATUS_STATUS_CHECK         0x0020
    #define HWMCA_STATUS_SERVICE              0x0040
    #define HWMCA_STATUS_LINKNOTACTIVE        0x0080
    #define HWMCA_STATUS_POWERSAVE            0x0100
    #define HWMCA_STATUS_SERIOUSALERT         0x0200
    #define HWMCA_STATUS_ALERT                0x0400
    #define HWMCA_STATUS_ENVALERT             0x0800
    #define HWMCA_STATUS_SERVICE_REQ          0x1000
    #define HWMCA_STATUS_DEGRADED             0x2000
    #define HWMCA_STATUS_STORAGE_EXCEEDED     0x0100
    #define HWMCA_STATUS_LOGOFF_TIMEOUT       0x0200
    #define HWMCA_STATUS_FORCED_SLEEP         0x0400
    #define HWMCA_STATUS_IMAGE_NOT_OPERATING  0x0800
    #define HWMCA_STATUS_IMAGE_NOT_ACTIVATED  0x1000
    #define HWMCA_STATUS_IMAGE_NOT_CAPABLE    0x2000
    #define HWMCA_STATUS_UNKNOWN              0x4000

Note that I'm not claiming any BCPii expertise :) -- Walt Farrell IBM STSM, z/OS Security Design
Re: SAPI and RACF
On Tue, 16 Aug 2011 16:14:12 +0200, Miklos Szigetvari miklos.szigetv...@isis-papyrus.com wrote: Hi. Any RACF privilege necessary to use SAPI (Sysout Programming Interface)? From JES Application Programming: "As part of the SAPI processing, JES makes authorization checks using the JESSPOOL security class." -- Walt Farrell IBM STSM, z/OS Security Design
Re: batch job as non-swappable
On Wed, 10 Aug 2011 19:27:55 +, Rob Scott rsc...@rocketsoftware.com wrote: Mark Only three SYSEVENTs are unauthorized: FREEAUX, QVS and REQFASD. If you are going to use SYSEVENT TRANSWAP or DONTSWAP, then you have to be authorized. But Mark was replying in the context of using the PPT to set the program non-swappable, Rob, not in the context of having the program issue SYSEVENT. Yes, issuing the SYSEVENT requires the program to run authorized. Using the PPT does not; it only requires the program to come from an authorized library. -- Walt Farrell IBM STSM, z/OS Security Design