On Wednesday, 12/16/2009 at 09:21 EST, David Boyes <[email protected]>
wrote:
> :grump.
>
> On 12/16/09 5:03 PM, "Alan Altmark" <[email protected]> wrote:
>
>
> > So. You had to push the Do Not Push button? ;-) You are painting
with a
> > too-wide brush. "Better" is in the eye of the beholder. When
choosing an
> > ESM, you need to assess, aside from cost:
>
> *sigh*
>
> While your points are well argued, I spend a lot of time actually using
both
> product suites, and have recently done a point-by-point examination of
both
> the IBM suite and the CA suite in question. I'm not out to bash either
> company -- I have no great love for CA or CA products -- but this is one
> case where the IBM offering is just not yet as well integrated nor as
> complete. CA (as the last in a chain of companies) has had a lot longer
to
> actually get VM:Manager working and polished during the time while IBM
was
> pretty much ignoring CMS management tooling, and it really, really
shows.
>
> It's possible to implement anything with either one, but I would measure
> "better" in this case by how much additional stuff I need to layer on
top of
> a product to make it easy to use and understand. I need to write or
purchase
> a lot more additional stuff to make the IBM suite easy to use and
> understand.
>
> To your specific point about ESMs, for my recent comparison, I needed to
> write about 2200 lines of EXECs to do a set of functions using
VM:Secure.
> Providing the same checklist of functions with DIRM and RACF required
more
> than 27,000 lines of additional code, and two additional program
products,
> both of which required a special bid process to run on IFLs.
Well, sure, if you're trying to write a Grand Unification program for the
IBM toolset, then I would expect a far larger bill than for CA. They have
done an admirable job of creating a *suite* of tools. No arguments there.
> > - Functionality. If you need mandatory access controls, then RACF is,
to
> > the best of my knowledge, the only choice.
>
> Except the IBM backup and tape products don't pay any attention to RACF
> whatsoever. Neither does DIRMAINT for authorization. You're in a maze of
> twisty little config files, none alike.
True, but that's not the functionality I was talking about. I meant the
functionality of the ESM itself.
> Yes, I wrote requirements. IBM even read them. SMOP. Someday. Play the
Alan
> "show us the business case" tape. Curtain. Two encores. Film at 11.
Putting RACROUTE REQUEST=AUTH calls in the IBM subsystems is, in fact, on
the to-do list.
> I'd also question how much effort it takes to implement zSecure in a
usable
> way -- it needs a LOT of extra effort and thought to reach any kind of
> configuration simplicity. Been there, done that, got the glitter jacket
with
> the diamond piano ring. Not for the faint of heart, or for the n00b.
We, having never installed zSecure before, got it running in an afternoon.
I did discover that they failed to document how to start it with ISPF
(not ISPF/PDF!): ISPSTART CMD(%CKV)
In fact, I modified my CKV exec as follows:
:
arg fname . '(' parms ')'
"ISPQRY"
if rc <> 0 then
do
"ISPSTART CMD(%CKV)"
exit rc
end
:
This information will be fed back to the zSecure folks. I'm not sure how
they missed that.
Alan Altmark
z/VM Development
IBM Endicott
