*Doesn't CICS turn off authorization before executing transactions?*

I believe that is true. I believe it disables authorization before the PLT (first opportunity for user code).

Thank you,

Brian Chapman

On Thu, Mar 28, 2019 at 12:18 PM Seymour J Metz <[email protected]> wrote:

> AFAIK, no IBM code runs APF authorized and unauthorized code concurrently
> in the same address space, but rather makes the unauthorized code
> nondispatchable while the authorized code is running. Doesn't CICS turn off
> authorization before executing transactions?
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> ________________________________________
> From: IBM Mainframe Discussion List <[email protected]> on behalf
> of Brian Chapman <[email protected]>
> Sent: Thursday, March 28, 2019 9:06 AM
> To: [email protected]
> Subject: Authorized and unauthorized in same address space
>
> Searching through the archives, I quickly saw that this has been a repeat
> heated discussion, but all of the discussions seem to ignore the fact that
> CICS initializes as an authorized address space, performs authorized work,
> and then disables authorization to load unauthorized programs from the
> DFHRPL tasklib. It does what so many people deem to be a security
> integrity violation.
>
> I have an unauthorized address space that collects information from the
> system and uses MQ or CICS EXCI (if MQ is unavailable) to transport the
> data to another address space which stores the data to DB2. Having the
> ability to execute authorized services would greatly increase the
> functionality of this address space. Since neither of these transport
> mechanisms are authorized, I cannot run authorized in the current setup.
>
> The idea is to execute the authorized requests as non-system supervisor PC
> routines. One of the PC routines would be to simply disable JSCBAUTH (ONLY
> disable. NEVER enable). Before invoking this PC routine, I perform a
> MODESET to switch back to problem state and key 8. The only authorized
> services performed before this switch would be the LXRES, ETDEF, ETCRE, and
> ETCON services to build the PC routines. After invoking the JSCBAUTH
> disable PC routine from the job step program, I cannot switch back.
> Invoking a MODESET after the switch abends the address space with a 047.
>
> From this point forward, all of the ATTACH and LOAD services are performed
> with the supplied tasklib. The unauthorized code is COBOL. Before this
> program is invoked, it initializes LE and replaces the default CEEZLOD and
> CEEZDEL with my own version that loads from the tasklib.
>
>
> Thank you,
>
> Brian Chapman
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
