Walt - you are correct - I meant "auth function program" and, of course, the SAF checks should be done inside that and not the stub pgm

Rob Scott
Lead Developer
Rocket Software
275 Grove Street * Newton, MA 02466-2272 * USA
Tel: +1.781.684.2305
Email: [email protected]
Web: www.rocketsoftware.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Walt Farrell
Sent: 29 February 2012 18:26
To: [email protected]
Subject: Re: Calling Authorized Assembler from REXX

On Wed, 29 Feb 2012 15:49:01 +0000, Rob Scott <[email protected]> wrote:

>Search the archives for IKJEFTSR.
>
>Overview of one way of doing it :
>
>(1) Write a separate non-auth stub REXX external function that processes the
>parameters and sets up addressability to the IRX* control blocks and handles
>the return data from the auth function.
>(2) Ensure that the auth function module is in linklist (or authorized
>STEPLIB/JOBLIB if you must)
>(3) Add the auth function module name to AUTHTSF in IKJTSOxx and get your
>friendly sysprog to update the system.
>(4) In the stub function program, use IKJEFTSR to invoke the auth
>subroutine
>
>Depending on the capabilities of the auth function stub, you may wish to add
>some sort of SAF check into its logic.

I think you probably meant "auth function module" in that last sentence, not "auth function stub". Performing security checks in the stub (which runs unauthorized, and can be bypassed) is not really effective. If security checks are needed, they should be in the authorized program that is invoked by IKJEFTSR (your "auth function module").

Also, if the REXX exec merely needs to call an authorized assembler routine (not subroutine) then a simple "address TSO call *(modulename)" may be simpler. It would still need the system programmer to update IKJTSOxx, but the AUTHPGM section rather than AUTHTSF, but would not need the stub module and other REXX stuff.

--
Walt Farrell
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN

