AFAIK, no IBM code runs APF authorized and unauthorized code concurrently in the same address space, but rather makes the unauthorized code nondispatchable while the authorized code is running. Doesn't CICS turn off authorization before executing transactions?
-- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 ________________________________________ From: IBM Mainframe Discussion List <[email protected]> on behalf of Brian Chapman <[email protected]> Sent: Thursday, March 28, 2019 9:06 AM To: [email protected] Subject: Authorized and unauthorized in same address space Searching through the archives, I quickly saw that this has been a repeat heated discussion, but all of the discussions seem to ignore the fact that CICS initializes as an authorized address space, performs authorized work, and then disables authorization to load unathorized programs from the DFHRPL tasklib. It does what so many people deem to be a security integrity violation. I have an unauthorized address space that collects information from the system and uses MQ or CICS EXCI (if MQ is unavailable) to transport the data to another address space which stores the data to DB2. Having the ability to execute authorize services would greatly increase the functionality of this address space. Since neither of these transport mechanisms are authorized, i cannot run authorized in the current setup. The idea is to execute the authorized requests as non-system supervisor PC routines. One of the PC routines would be to simply disable JSCBAUTH (ONLY disable. NEVER enable). Before invoking this PC routine, I perform a MODESET to switch back to problem state and key 8. The only authorized services performed before this switch would be the LXRES, ETDEF, ETCRE, and ETCON services to build the PC routines. After invoking the JSCBAUTH disable PC routine from the job step program, I cannot switch back. Invoking a MODESET after the switch abends address space with a 047. >From this point forward, all of the ATTACH and LOAD services are performed with the supplied tasklib. The unauthorized code is COBOL. Before this program is invoked, it initializes LE and replaces the default CEEZLOD and CEEZDEL with my own version that loads from the tasklib. Thank you, Brian Chapman ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
