On Thu, 23 Oct 2008 16:48:54 -0400, Robert A. Rosenberg <[EMAIL PROTECTED]> wrote:
>Based on this, I'd guess that Top Secret uses a larger ENVR object >than RACF. Thus its buffer is large enough to support the smaller >RACF object but RACF does not allocate a larger enough buffer to >accept a Top Secret ENVR object. The "fix" is to APAR the issue >(since the bug is 10 years old) by having IBM increase the fixed size >buffer or supply a PARM to alter its size. It's not that simple, and it's arguably not a bug. An ENVR object is intentionally opaque, as it contains an ACEE, and ACEEs contain both architected SAF-compliant areas and non-architected, OCO areas that differ between security products. As it's an opaque area, we did not in fact architect where within an ENVR object one might find an ACEE, or that in fact it does contain an ACEE. It's a block of storage that a security product will return to the caller, that the caller can return to the security product to acquire an ACEE, and for which no I/O will occur (at least when using the same security product). It is not specified what will happen if one passes an ENVR object to a different security product. And in fact, as I mentioned before, in some cases where we have examined the dumps that result on a RACF system when processing an ENVR object from one of the other security products, we found -no- useful information within their ENVR objects. So I really do not know what they put in there, nor whether they are even doing security properly for routed commands (as I also mentioned in another message in this thread). That's why I suggested someone with access to a mixed sysplex do an experiment to see if command security is really working for commands routed from a RACF system to an ACF2 or TopSecret system, or simply being ignored. To do that, you need to try a command that should fail for security reasons, not one that should work. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
