On Thu, 15 May 2008 15:55:45 -0500, Wayne Driscoll <[EMAIL PROTECTED]>
wrote:

>RACROUTE REQUEST=AUTH cannot be issued with HASN<>PASN.  However,
>REQUEST=AUTH and REQUEST=FASTAUTH do not require APF authorization for the
>general usage.  I would think that you want the request to execute on behalf
>of the ISPF user, not the server address anyway, so putting the requests in
>the application prior to issuing the PC-ss would make sense.  If you are
>trying to avoid having the code in the TSO user address space, you might be
>able to have the server load a routine into CSA, set it up as a PC-cp that
>is on a SYSTEM LX, have the PC-cp routine perform the RACROUTE request, then
>issue the PC-ss if the RACROUTE succeeded.  Now I have never attempted to
>issue a RACROUTE from a PC-cp routine.  The reason that a RACROUTE
>REQUEST=AUTH cannot be issued in space switch PC is because REQUEST=AUTH
>(usually, often, always) results in an SVC instruction (at least with RACF).
>

I usually call this approach a "two stage" PC, where first you use a
non-space-switch PC to gain authorization, perform the security check, and
if the check passes then you can issue the space-switching PC.  Of course,
in this case you should set up the space-switch PC so it requires the issuer
to be in supervisor state or system key, to ensure that the user code
doesn't bypass the security check.

The approach of having the space-switch PC use RACROUTE REQUEST=FASTAUTH
would also work, if using RACLISTed general resource profiles.  And it's
simpler than the approach using two PCs.  The server should issue a RACROUTE
REQUEST=LIST,ENVIR=CREATE,GLOBAL=YES during initialization, and RACROUTE
REQUEST=LIST,ENVIR=DELETE during termination.

Or the approach of scheduling an IRB back to the in-flight TCB could also
work, I think, but feels more complex and fragile.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html