Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Ted MacNEIL 
>Data set protection alone isn't granular enough.

>It's all or nothing for update access and this change allows more granular 
>control.

Yes, you're right it is simple, but (personal attacks aside) why is this needed?

Are we going to be changing the roles of SYSPROGs so that one does a RECEIVE, 
one does an APPLY, etc?

That kind of granularity is required?


-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Arthur T. 
On 2 Apr 2010 21:41:10 -0700, in bit.listserv.ibm-main 
(Message-ID:) 
d10j...@us.ibm.com (Jim Mulder) wrote:


And this whole idea of trying to hide "Integrity" APARs 
has outlived its

usefulness. If it ever had any.
I have no  gripe with fixing the hole then letting the 
cat out of the

bag, but never doing it ?. Don't vendors ever learn ?.


 We have no way of knowing when all customers have 
applied a
System Integrity fix to all systems, so that there are no 
longer any exposed systems anywhere in the 
world.  Discussions right here on IBM-MAIN suggest that 
some customers run releases
which are no longer supported, and a fix will never be 
available for those unsupported releases.  As a courtesy 
to customers with exposed systems, we do not discuss the 
nature
of System Integrity APARs, since understanding an exposure 
is one of the steps towards formulating a method of attack 
on
an exposed system.  Naturally, you may be curious about 
the nature of an exposure, and of course, we would love to 
show off how clever we were in discovering an exposure by
telling you all about it.  However, we feel that your 
curiosity and our desire to show off are overridden by the 
need to avoid unnecessarily assisting potential attackers.


This particular fix, though, requires each company's 
security department to define who can use SMP/E and in what 
way.  Without knowing what the security hole is, how can 
they know how to assign access?


--
I cannot receive mail at the address this was sent from.
To reply directly, send to ar23hur "at" pobox "dot" com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Jim Mulder 
> And this whole idea of trying to hide "Integrity" APARs has outlived its
> usefulness. If it ever had any.
> I have no  gripe with fixing the hole then letting the cat out of the
> bag, but never doing it ?. Don't vendors ever learn ?.
> I also wonder about Brians assertion of: 
> The (fortunately) rare "integrity" flag
> How the hell are we supposed to be able to tell how rare it is. And if
> IBM doesn't have the confidence that they can talk about fixing these
> exposures, what are we to think of the rest of the codebase ?. Is it
> (supposedly) secure only until exposed/compromised ?. Excuse my lack of
> confidence.

  We have no way of knowing when all customers have applied a
System Integrity fix to all systems, so that there are no 
longer any exposed systems anywhere in the world.  Discussions 
right here on IBM-MAIN suggest that some customers run releases
which are no longer supported, and a fix will never be 
available for those unsupported releases.  As a courtesy to 
customers with exposed systems, we do not discuss the nature
of System Integrity APARs, since understanding an exposure 
is one of the steps towards formulating a method of attack on
an exposed system.  Naturally, you may be curious about the 
nature of an exposure, and of course, we would love to 
show off how clever we were in discovering an exposure by
telling you all about it.  However, we feel that your 
curiosity and our desire to show off are overridden by the 
need to avoid unnecessarily assisting potential attackers. 

Jim Mulder   z/OS System Test   IBM Corp.  Poughkeepsie,  NY

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Mark Zelden 
On Fri, 2 Apr 2010 18:03:58 -0700, Ted MacNEIL  wrote:

>>Keep an open mind and use your imagination a little, your point of view
>isn't the only correct one.
>
>Please don't attribute motivations that aren't there.
>I was asking a question and pointing out what may have been a flaw in
reasoning.
>This has nothing to do with a point of view.
>
>I still don't understand the need to protect commands, when the resources
are protected.
>Same question as others have.
>Still no answer.

I'll try one last time.   No one seems to know why for sure, but possible 
explanations have been discussed. Data set protection alone isn't granular
enough. It's all or nothing for update access and this change allows more
granular control.  Pretty simple concept.  We can't force you to understand
if you don't. 

--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS   
mailto:mzel...@flash.net  
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html 
Systems Programming expert at http://expertanswercenter.techtarget.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Wayne Driscoll 
Bob,
You are correct, I had the PPT option incorrect, thanks for jogging my 
memory.

===
Wayne Driscoll
OMEGAMON DB2 L3 Support/Development
wdrisco(AT)us.ibm.com
===



From:
Bob Rutledge 
To:
IBM-MAIN@bama.ua.edu
Date:
04/02/2010 06:04 PM
Subject:
Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required 
for any SMP/E use
Sent by:
IBM Mainframe Discussion List 



Wayne Driscoll wrote:

> Thankfully, APF authorization and system resource access security are 2 
> separate things.  When the OPEN SVC gets invoked, it will perform a 
> RACROUTE REQUEST=AUTH call for the dataset being opened, regardless of 
the 
> value in JSCBAUTH.  The only way that security checks are bypassed is 
via 
> the NODSI option in the PPT.

I think you mean NOPASS.  NODSI bypasses the SYSDSN enqueues.

Bob

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Ted MacNEIL 
>Keep an open mind and use your imagination a little, your point of view 
isn't the only correct one.

Please don't attribute motivations that aren't there.
I was asking a question and pointing out what may have been a flaw in reasoning.
This has nothing to do with a point of view.

I still don't understand the need to protect commands, when the resources are 
protected.
Same question as others have.
Still no answer.


  __
Yahoo! Canada Toolbar: Search from anywhere on the web, and bookmark your 
favourite sites. Download it now
http://ca.toolbar.yahoo.com.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: "Hidden" APARs (Was: Heads Up: APAR IO11698...)

2010-04-02 Thread Shane Ginnane 
On Sat, Apr 3rd, 2010 at 5:18 AM, Tom Marchant wrote:

> >...  we missed the "action" item for the PTF because the 
> >HOLDDATA was marked REASON(EXIT) not REASON(ACTION) and 
> >we had to remove our SMF dump exit routine
> 
> Don't you think you should check _all_ of the HOLDDATA?

What if you don't have the authority to check the RACF profile to see
who's role it falls under ... ?
Sorry - couldn't resist.

Have a good weekend all.

Shane ...

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Starr, Alan 
Mark,

There has been quite a bit if speculation about "why" IBM made this change. 
What was the integrity issue.

Like you, I was mildly curious. A lot of good people have made a lot of good 
points and now I have become very curious.


As you and others have said, RACF DATASET protection can be used to prevent 
users from making updates. Assuming that all SMP/E, target, distribution and 
APF-authorized datasets are properly protected, there shouldn't be an issue.

As many have said, RACF PADS can be used to limit those who may invoke SMP/E.

I believe that there is a general consensus that it probably isn't solely 
related to the fact that GIMSMP runs AC(1). As we all know, if you cannot trust 
staff that has UPDATE access to an APF-authorized library, then all bets are 
off. I am unaware of any special access that GIMSMP would have when executed by 
a user who cannot normally update the datasets / HFS files affected by APPLY.

At first I thought that a clever user could copy the SMP/E datasets and thereby 
get around the UPDATE protection (i.e. execute APPLY or ACCEPT using their copy 
of the SMP/E environment). But, so what? Who cares if they modify their own 
copies of the SMP/E environment? The target and distribution libraries will not 
be updated by any of the utilities that SMP/E invokes because SAF will prevent 
it.



All of this lead me to believe that the issue may not be as critical as getting 
unauthorized access to a dataset or, worse, AC(1) capabilities. It is more 
likely a consideration that is specific to SMP/E commands. I therefore very 
much like your "stretch" hypothesis and would like to offer my own:

Many of us are more cautious with ACCEPT than we are with APPLY. ACCEPT can 
delete things (e.g. SMPPTS members and TLIBs). More importantly, ACCEPT can 
modify an object in a distribution dataset that could conceivably be INCLUDEd 
into some other product that is installed into a different zone. Perhaps, in 
some large shop, an untested MOD was ACCEPTed into a DLIB and subsequently 
pulled into another product's LMOD (via an APPLY in some other zone), which 
then fell over. Just a thought, but I can "stretch" to envision some customers 
wanting to control those who may ACCEPT (i.e. limit it to a subset of those who 
may APPLY).

Happy Easter all!
Alan 

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Mark Zelden
Sent: Friday, April 02, 2010 06:46
To: IBM-MAIN@bama.ua.edu
Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition 
required for any SMP/E use

On Fri, 2 Apr 2010 10:41:36 +, Bob Shannon 
wrote:

>We applied the APAR. We protect the SMP data. I'm sort of baffled why 
>IBM
felt SAF support was necessary for SMPE.
>
>Since we are a development shop in which dozens of people use SMPE, we
simply set the access to UACC(READ) which gives everyone access to all of the 
SMP/E commands.
>

It's not necessary, but I can "stretch" and see the case where a shop might 
want to let an ID or group have RECEIVE authority for example, but not let them 
to do an APPLY or not let them perform admin functions.  Perhaps a production 
userid that does RECEIVE ORDER via a job scheduler on a nightly or weekly 
basis. 

For query only, the CSI can simply be protected from update via RACF data set 
profiles.

I'd be mildly curious to know where the requirement came from.  

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS   
mailto:mzel...@flash.net  
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html
Systems Programming expert at http://expertanswercenter.techtarget.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at 
http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Mark Zelden 
That was my example.  And it is valid.  Production job schedulers are the
biggest security whole in a shop.  The admins can usually make a job 
run under any ID they want.

Regardless, that was just an example.  The same could apply to real
people whose job it could be to receive maintenance, but not apply it.  

As R.S. wrote, if you don't like it, there is a simple answer, define a single
generic resource with UACC(READ).  

Keep an open mind and use your imagination a little, your point of view 
isn't the only correct one. 

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS   
mailto:mzel...@flash.net  
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html 
Systems Programming expert at http://expertanswercenter.techtarget.com/


On Fri, 2 Apr 2010 19:29:10 +, Ted MacNEIL  wrote:

>>Suppose you want a job run via your automated scheduler. This job is only
to do a RECEIVE of maintenance.
>>You want to run this job with an ID which has only enough authority to do
the RECEIVE.
>
>It's a production job, so it's controlled.
>How many controls do we need for the same function?
>
>>So the job runs under that id.
>>That id is only allowed to do the RECEIVE command in SMP/E, and nothing
else. The id must have UPDATE access to the SMP/E datasets, but only WHEN
using SMP/E.
>
>I'm too OCD to be AR!
>
>-
>Too busy driving to stop for gas!
>
>--
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
>Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Bob Rutledge 

Wayne Driscoll wrote:

Thankfully, APF authorization and system resource access security are 2 
separate things.  When the OPEN SVC gets invoked, it will perform a 
RACROUTE REQUEST=AUTH call for the dataset being opened, regardless of the 
value in JSCBAUTH.  The only way that security checks are bypassed is via 
the NODSI option in the PPT.


I think you mean NOPASS.  NODSI bypasses the SYSDSN enqueues.

Bob

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: CBR0095E

2010-04-02 Thread Starr, Alan 
Lucy,

I am sorry but we have now exceeded my expertise. If you are able to allocate a 
dataset unto a new 3390-9 in the storage group, I tend to agree with your 
assessment that all is well with DF/SMS. Unfortunately, I know zilch about DMS.

I hope that others will be able to help you.

Good luck!

Alan 

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Lucy Arnold
Sent: Friday, April 02, 2010 15:28
To: IBM-MAIN@bama.ua.edu
Subject: Re: CBR0095E

Alan,

Here is a screen print of the LDS I am trying to move - it is a VTAPE cache  
LDS:

,, Menu, Options, View, Utilities, Compilers, Help,
,--
,DSLIST - Data Sets Matching SYSP.VTTSOC.VVE.D099B.SAND  Row 1 
of 2,
,Command ===>,,Scroll 
===>,CSR ,
,
,Command - Enter "/" to select action, Message , 
Volume
,---
, SYSP.VTTSOC.VVE.D099B.SAND  ,, 
*VSAM*
, SYSP.VTTSOC.VVE.D099B.SAND.DATA ,, 
VVE001+

I was able to REPRO this LDS to a new one, and the new one went to the correct 
pool:

ALLOC. FOR SYSLLART REPRO
JES2 ALLOCATED TO SYSPRINT
JES2 ALLOCATED TO SYSUDUMP
SMS ALLOCATED TO DDNAME INFILE
SMS ALLOCATED TO DDNAME (OUTFILE )
DSN (SYSP.VTTSOC.VVE.D040210.TEST)
STORCLAS (SCVTAPE) MGMTCLAS (SVTSMAN) DATACLAS (DCVTAPE) VOL SER NOS FOR DATA 
COMPONENT= SBVTP1

I'm beginning to think there is something wrong with my DMS job - not the ACS 
routines.


Thanks!
Lucy Arnold
Storage Manager
U.C. Davis Medical Center
916-734-5498


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Starr, Alan 
Wayne,

I hadn't known that about the DSI keyword on PPT entries.

My understanding until now had been:
1) OPEN always invokes SAF, which then invokes RACHECK processing.
2) RACHECK processing bypasses all checks if the trusted or privileged bit is 
set (logging done for the former but not the latter). These bits are typically 
set in STDATA segments for STCs.

I had always thought that NODSI was applied at ALLOCation time to determine 
whether or not a SYSDSN ENQ is to be issued. 

Ya learn something new every day. Thanks for that clarification.

Alan  

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Wayne Driscoll
Sent: Friday, April 02, 2010 15:12
To: IBM-MAIN@bama.ua.edu
Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition 
required for any SMP/E use

Paul,
Thankfully, APF authorization and system resource access security are 2 
separate things.  When the OPEN SVC gets invoked, it will perform a RACROUTE 
REQUEST=AUTH call for the dataset being opened, regardless of the value in 
JSCBAUTH.  The only way that security checks are bypassed is via the NODSI 
option in the PPT.  Now an APF authorized program could switch to key 0 and 
update various fields so the security system thinks they have more authority 
than they really should, but that isn't an issue when using a utility, 
particularly one that is covered under the z/OS statement of integrity.

===
Wayne Driscoll
OMEGAMON DB2 L3 Support/Development
wdrisco(AT)us.ibm.com
===



From:
Paul Gilmartin 
To:
IBM-MAIN@bama.ua.edu
Date:
04/02/2010 05:04 PM
Subject:
Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any 
SMP/E use Sent by:
IBM Mainframe Discussion List 



On Fri, 2 Apr 2010 16:47:54 -0500, Wayne Driscoll wrote:

>Ed's concern is much more valid and realistic than Gil's.  In Gil's case,
>having SYSPUNCH refer to SYS1.PARMLIB, or some other protected dataset
>really won't cause a problem, because APF authorization doesn't
>automatically bypass the security system.  However, a maliciously coded
>
OK.  Educate me.  I had thought that once a program was APF
authorized, it became the responsibility of that program to
issue the SAF calls and respect the replies; if not, the program
could do anything it wanted.

For example, suppose someone link edited IEBGENER into an APF
authorized library and marked it AC=1.  Now, I do:

//STEP EXEC  PGM=IEBGENER
//STEPLIB   DD   DISP=SHR,DSN=...
//SYSUT2DD   DISP=SHR,DSN=SYS1.PARMLIB(...)
//SYSUT1DD   *
...

Where does it fail?
 
>HLASM user exit could, since it contains customer supplied code.  Of
>course, if the Assembler is invoked via SMP/E authorized, those HLASM
>exits will have to be located in an APF authorized library, or else a 306
>abend will occur, so the writer of the malicious exit will still need a
>way to update an APF library.
>
And that wouldn't happen, except at Bob Shannon's site.

Thanks,
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: CBR0095E

2010-04-02 Thread Lucy Arnold 
Alan,

Here is a screen print of the LDS I am trying to move - it is a VTAPE 
cache  LDS:

,, Menu, Options, View, Utilities, Compilers, Help,
,--
,DSLIST - Data Sets Matching SYSP.VTTSOC.VVE.D099B.SAND  Row 1 
of 2,
,Command ===>,,Scroll 
===>,CSR ,
,
,Command - Enter "/" to select action, Message , 
Volume
,---
, SYSP.VTTSOC.VVE.D099B.SAND  ,, 
*VSAM*
, SYSP.VTTSOC.VVE.D099B.SAND.DATA ,, 
VVE001+

I was able to REPRO this LDS to a new one, and the new one went to the 
correct pool:

ALLOC. FOR SYSLLART REPRO
JES2 ALLOCATED TO SYSPRINT
JES2 ALLOCATED TO SYSUDUMP
SMS ALLOCATED TO DDNAME INFILE
SMS ALLOCATED TO DDNAME (OUTFILE )
DSN (SYSP.VTTSOC.VVE.D040210.TEST)
STORCLAS (SCVTAPE) MGMTCLAS (SVTSMAN) DATACLAS (DCVTAPE)
VOL SER NOS FOR DATA COMPONENT= SBVTP1

I'm beginning to think there is something wrong with my DMS job - not the 
ACS routines.


Thanks!
Lucy Arnold
Storage Manager
U.C. Davis Medical Center
916-734-5498


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Wayne Driscoll 
Paul,
Thankfully, APF authorization and system resource access security are 2 
separate things.  When the OPEN SVC gets invoked, it will perform a 
RACROUTE REQUEST=AUTH call for the dataset being opened, regardless of the 
value in JSCBAUTH.  The only way that security checks are bypassed is via 
the NODSI option in the PPT.  Now an APF authorized program could switch 
to key 0 and update various fields so the security system thinks they have 
more authority than they really should, but that isn't an issue when using 
a utility, particularly one that is covered under the z/OS statement of 
integrity.

===
Wayne Driscoll
OMEGAMON DB2 L3 Support/Development
wdrisco(AT)us.ibm.com
===



From:
Paul Gilmartin 
To:
IBM-MAIN@bama.ua.edu
Date:
04/02/2010 05:04 PM
Subject:
Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required 
for any SMP/E use
Sent by:
IBM Mainframe Discussion List 



On Fri, 2 Apr 2010 16:47:54 -0500, Wayne Driscoll wrote:

>Ed's concern is much more valid and realistic than Gil's.  In Gil's case,
>having SYSPUNCH refer to SYS1.PARMLIB, or some other protected dataset
>really won't cause a problem, because APF authorization doesn't
>automatically bypass the security system.  However, a maliciously coded
>
OK.  Educate me.  I had thought that once a program was APF
authorized, it became the responsibility of that program to
issue the SAF calls and respect the replies; if not, the program
could do anything it wanted.

For example, suppose someone link edited IEBGENER into an APF
authorized library and marked it AC=1.  Now, I do:

//STEP EXEC  PGM=IEBGENER
//STEPLIB   DD   DISP=SHR,DSN=...
//SYSUT2DD   DISP=SHR,DSN=SYS1.PARMLIB(...)
//SYSUT1DD   *
...

Where does it fail?
 
>HLASM user exit could, since it contains customer supplied code.  Of
>course, if the Assembler is invoked via SMP/E authorized, those HLASM
>exits will have to be located in an APF authorized library, or else a 306
>abend will occur, so the writer of the malicious exit will still need a
>way to update an APF library.
>
And that wouldn't happen, except at Bob Shannon's site.

Thanks,
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Paul Gilmartin 
On Fri, 2 Apr 2010 16:47:54 -0500, Wayne Driscoll wrote:

>Ed's concern is much more valid and realistic than Gil's.  In Gil's case,
>having SYSPUNCH refer to SYS1.PARMLIB, or some other protected dataset
>really won't cause a problem, because APF authorization doesn't
>automatically bypass the security system.  However, a maliciously coded
>
OK.  Educate me.  I had thought that once a program was APF
authorized, it became the responsibility of that program to
issue the SAF calls and respect the replies; if not, the program
could do anything it wanted.

For example, suppose someone link edited IEBGENER into an APF
authorized library and marked it AC=1.  Now, I do:

//STEP EXEC  PGM=IEBGENER
//STEPLIB   DD   DISP=SHR,DSN=...
//SYSUT2DD   DISP=SHR,DSN=SYS1.PARMLIB(...)
//SYSUT1DD   *
...

Where does it fail?
 
>HLASM user exit could, since it contains customer supplied code.  Of
>course, if the Assembler is invoked via SMP/E authorized, those HLASM
>exits will have to be located in an APF authorized library, or else a 306
>abend will occur, so the writer of the malicious exit will still need a
>way to update an APF library.
>
And that wouldn't happen, except at Bob Shannon's site.

Thanks,
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: CBR0095E

2010-04-02 Thread Starr, Alan 
Lucy,

I don't see why you would need OAM unless you use it to track removable media 
datasets and/or volumes (e.g. an ATL).

Physical status "CONVERT" says to me that ICKDSF got the STGR keyword. But 
perhaps a colleague who knows more than I can confirm this? 

Could you send a screen print of the dataset that is being MOVED?

What happens when you try to allocate a dataset in this storage group yourself 
(e.g. with JCL)?

Alan

 

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Lucy Arnold
Sent: Friday, April 02, 2010 14:54
To: IBM-MAIN@bama.ua.edu
Subject: Re: CBR0095E

Alan,

Yes if you display the Storage Group you see all volumes in the correct
status:
 LINE ,,VOLUME,PHYSICAL  STORAGE   CF VOLUME  SAND  SAND
 OPERATOR ,,SERIAL,STATUSGRP NAME  STATUSSMS   MVS
---(1),,-(2)--,--(22)--  --(23)--  --(24)--- --(25)--- --(26)---
  ,,SBVTP1,CONVERT   VTPGRPSB  -  ENABLE <== 
mod9
  ,,VVE001,CONVERT   VTPGRPSB  -  DISNEW
  ,,VVE002,CONVERT   VTPGRPSB  -  DISNEW
  ,,VVE003,CONVERT   VTPGRPSB  -  DISNEW
  ,,VVE004,CONVERT   VTPGRPSB  -  DISNEW
  ,,VVE005,CONVERT   VTPGRPSB  -  DISNEW
--,,--,---  BOTTOM  OF  DATA  ---  --

We haven't been running OAM, but we SHOULD have been running it, shouldn't we?

Thanks!

Lucy Arnold
Storage Manager
U.C. Davis Medical Center
916-734-5498


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at 
http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: CBR0095E

2010-04-02 Thread Lucy Arnold 
Alan,

Yes if you display the Storage Group you see all volumes in the correct 
status:
 LINE ,,VOLUME,PHYSICAL  STORAGE   CF VOLUME  SAND  SAND
 OPERATOR ,,SERIAL,STATUSGRP NAME  STATUSSMS   MVS
---(1),,-(2)--,--(22)--  --(23)--  --(24)--- --(25)--- --(26)---
  ,,SBVTP1,CONVERT   VTPGRPSB  -  ENABLE <== 
mod9
  ,,VVE001,CONVERT   VTPGRPSB  -  DISNEW
  ,,VVE002,CONVERT   VTPGRPSB  -  DISNEW
  ,,VVE003,CONVERT   VTPGRPSB  -  DISNEW
  ,,VVE004,CONVERT   VTPGRPSB  -  DISNEW
  ,,VVE005,CONVERT   VTPGRPSB  -  DISNEW
--,,--,---  BOTTOM  OF  DATA  ---  --

We haven't been running OAM, but we SHOULD have been running it, shouldn't 
we?

Thanks!

Lucy Arnold
Storage Manager
U.C. Davis Medical Center
916-734-5498


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Wayne Driscoll 
Ed's concern is much more valid and realistic than Gil's.  In Gil's case, 
having SYSPUNCH refer to SYS1.PARMLIB, or some other protected dataset 
really won't cause a problem, because APF authorization doesn't 
automatically bypass the security system.  However, a maliciously coded 
HLASM user exit could, since it contains customer supplied code.  Of 
course, if the Assembler is invoked via SMP/E authorized, those HLASM 
exits will have to be located in an APF authorized library, or else a 306 
abend will occur, so the writer of the malicious exit will still need a 
way to update an APF library.

===
Wayne Driscoll
OMEGAMON DB2 L3 Support/Development
wdrisco(AT)us.ibm.com
===



From:
Edward Jaffe 
To:
IBM-MAIN@bama.ua.edu
Date:
04/02/2010 04:31 PM
Subject:
Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required 
for any SMP/E use
Sent by:
IBM Mainframe Discussion List 



Paul Gilmartin wrote:
> And I see that GIMSMP is linked with AC=1; ASMA90 with AC=0;
> both in authorized libraries.
>
> So, now sheer conjecture.  ASMA90 may or may not do exhaustive
> SAF checking.  Why should it feel obliged to?  It was designed
> to run unauthorized.  So a maliciously crafty programmer could
> code an SMP/E APPLY step which invokes ASMA90; preallocate
> SYSPUNCH; and supply PUNCH statements which overwrite a member
> in what?  SYS1.PARMLIB?
> 

Or have your HLASM source/library/print user exits now suddenly getting 
control in an authorized environment.

-- 
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
310-338-0400 x318
edja...@phoenixsoftware.com
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: CBR0095E

2010-04-02 Thread Starr, Alan 
Lucy,

As far as I know, OAM is doing what I would expect it to de doing. It is 
complaining that you have nothing defined to it, which sounds right to me 
(since you say that you don't usually use OAM in the sandbox).

If I am understanding you correctly, you:
> Initialized new 3390-9s
> Added these new model 9s to an existing storage group
> Set the existing model 3s to DISNEW
> Activated the modified SCDS

I assume that a dsiplay of the storage group now shows all volumes (i.e. old 
3390-3 and new 3390-9)?

When you initialized the model 9s, did you specify "STGR" to ICKDSF?

I don't know enough about how DMS handles a MOVE, but he must delete the old 
dataset before attempting to allocate the new one or there will be a 
cataloguing issue.

Regards,
Alan  

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Lucy Arnold
Sent: Friday, April 02, 2010 14:19
To: IBM-MAIN@bama.ua.edu
Subject: Re: CBR0095E

We issued :

T SMS=SB
IEE252I MEMBER IGDSMSSB FOUND IN CPAC.SB.PARMLIB IGD031I SMS PARAMETERS 283
ACDS = SYS1.SB.ACDS
COMMDS   = SYS1.SB.COMMDS
INTERVAL = 15   DINTERVAL = 150
CACHETIME = 3600SMF_TIME = YES
CF-TIME = 3600  PDSE_RESTARTABLE_AS = NO
PDSE_BMFTIME = 3600 PDSE1_BMFTIME = 3600
PDSE_LRUTIME = 60   PDSE1_LRUTIME = 60
PDSE_LRUCYCLES = 15PDSE1_LRUCYCLES = 15
LOCAL_DEADLOCK = 15 GLOBAL_DEADLOCK = 4
REVERIFY = NO   ACSDEFAULTS = NO
USE_RESOWNER = YES  DSNTYPE = PDS
GDS_RECLAIM = YES   PDSESHARING = NORMAL
OVRD_EXPDT = NO RLS_MAX_POOL_SIZE = 100MB
SYSTEMS = 8 COMPRESS = GENERIC
PDSE_HSP_SIZE = 0MB   PDSE1_HSP_SIZE = 0MB
RLSINIT = NORLSTMOUT = 0
CICSVR_INIT = NOCICSVR_DSNAME_PREFIX = DWW.
CICSVR_RCDS_PREFIX = DWW
CICSVR_GRPNAME_SUFFIX = PROD
CICSVR_ZZVALUE_PARM =
CICSVR_UNDOLOG_CONTROL =
CICSVR_UNDOLOG_PREFIX = DWW
CICSVR_BACKOUT_CONTROL =
CICSVR_GENERAL_CONTROL =
Rls_MaxCfFeatureLevel = Z
RlsAboveTheBarMaxPoolSize = 0
RlsFixedPoolSize = 0
DSSTIMEOUT =  0 FAST_VOLSEL = OFF
PDSE_MONITOR = (YES,0,0)
PDSE1_MONITOR = (YES,0,0)
PDSE_DIRECTORY_STORAGE = 2000M
PDSE1_DIRECTORY_STORAGE = 2000M
PDSE_BUFFER_BEYOND_CLOSE = NO
PDSE1_BUFFER_BEYOND_CLOSE = NO
BLOCKTOKENSIZE =  NOREQUIRE
IGD031I SMS TRACE PARAMETERS 284
IGD031I SMS TRACE PARAMETERS 284
TRACE= ON SIZE = 128K TYPE = ALL
  JOBNAME = *ASID = *
  TRACING EVENTS:
MODULE = ON   SMSSJF = ON   SMSSSI = ON   ACSINT = ON
OPCMD  = ON   CONFC  = ON   CDSC   = ON   CONFS  = ON
MSG= ON   ERR= ON   CONFR  = ON   CONFA  = ON
ACSPRO = ON   IDAX   = ON   DISP   = ON   CATG   = ON
VOLREF = ON   SCHEDP = ON   SCHEDS = ON   VTOCL  = ON
VTOCD  = ON   VTOCR  = ON   VTOCC  = ON   VTOCA  = ON
RCD= ON   DCF= ON   DPN= ON   TVR= ON
DSTACK = ON   UAFF   = ON   DEBUG  = ON
VOLSELMSG = (OFF,0)TYPE = ALLJOBNAME = *
ASID = *  STEPNAME = *
DSNAME = *
IGW040I Buffer Beyond Close not active for SMSPDSE IGW467I DFSMS RLSINIT 
PARMLIB VALUE ON SYSTEM: SAND 286 CURRENT VALUE: NO IGW451I REQUEST TO UPDATE 
VSAM/RLS PARMLIB 287
KEYWORD: RlsAboveTheBarMaxPoolSize
KEYWORD: RlsAboveTheBarMaxPoolSize
HAS BEEN SAVED IN THE SMS CONTROL STRUCTURES.
THE PARMLIB KEYWORD WILL BE PROCESSED BY VSAM/RLS WHEN THE VSAM/RLS ADDRESS 
SPACE IS STARTED IGW451I REQUEST TO UPDATE VSAM/RLS PARMLIB 288
KEYWORD: RlsFixedPoolSize
HAS BEEN SAVED IN THE SMS CONTROL STRUCTURES.
THE PARMLIB KEYWORD WILL BE PROCESSED BY VSAM/RLS WHEN THE VSAM/RLS ADDRESS 
SPACE IS STARTED IGW451I REQUEST TO UPDATE VSAM/RLS PARMLIB 289
KEYWORD: DssTimeOut
HAS BEEN SAVED IN THE SMS CONTROL STRUCTURES.
THE PARMLIB KEYWORD WILL BE PROCESSED BY VSAM/RLS WHEN THE VSAM/RLS ADDRESS 
SPACE IS STARTED
IEE536I SMS  VALUE SB NOW IN EFFECT
IGD009I ACDS SWITCHED TO SYS1.SB.ACDS

We then started OAM:

S OAM
$HASP100 OAM  ON STCINRDR
IEF695I START OAM  WITH JOBNAME OAM  IS ASSIGNED TO USER OAM
 , GROUP SYS1
$HASP373 OAM  STARTED
IEF403I OAM - STARTED - TIME=14.09.47
CBR0001I OAM initialization starting.
CBR0095E OAM waiting for SMS Control Data Set activation.

Lucy Arnold
Storage Manager
U.C. Davis Medical Center
916-734-5498


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at 
http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: CBR0095E

2010-04-02 Thread McKown, John 
Do you have a valid IGDSMSnn member in PARMLIB, which contains your SMS 
configuration? If so then issue the operator command: T SMS=nn

If not, then create one. Ours looks like:

SMS ACDS(SYS3.SMS.ACDS1)
COMMDS(SYS3.SMS.COMMDS1)
INTERVAL(15)
OAMPROC(OAM)
DB2SSID(NONE)
DINTERVAL(150)
REVERIFY(NO)
ACSDEFAULTS(YES)
TRACE(ON)
SIZE(128K)
PDSE_RESTARTABLE_AS(YES)
OVRD_EXPDT(YES)
VOLSELMSG(OFF)
TYPE(ALL)
JOBNAME(*)
ASID(*)
SELECT(ALL)

Or you could do an operator command something like:

SETSMS ACDS=my.acds.dsn,SCDS=my.scds.dsn,COMMDS=my.commds.dsn

--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Lucy Arnold
> Sent: Friday, April 02, 2010 3:54 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: CBR0095E
> 
> Hello all!
> 
> I am trying to change a DFSMS managed pool from 6 Shark MOD3s 
> to 1 Hitachi 
> MOD9.  Our PROD and SANDBOX LPARs share the ACS routines, but have 
> different SCDS, ACDS & COMMDS. I made the MOD3s DISNEW, and added the 
> MOD9. I did the translate, validate and activate and the new 
> configuration 
> was activated.  Yet, when I tried to move the data with DMS I got:
> 2860 PROCESSING STARTED FOR VOLUME = VVE001
> 3446 SMS ERROR DETECTED, RC=
> 3415 DEFINE FAILED FOR DATASET SYSP.VTTSOC.VVE.D0994.SAND
> 3412 MOVE FAILED FOR DATA SET SYSP.VTTSOC.VVE.D0994.SAND . 
> RETURN CODE IS 
> 8
> 3446 SMS ERROR DETECTED, RC=
> 
> These indicate a sub-system error.  I went to my boss and he 
> said it was 
> because OAM was not running.  We started OAM, but when we try 
> to activate 
> again we get:
> 
> IEF403I OAM - STARTED - TIME=11.07.05
> CBR0001I OAM initialization starting.
> CBR0095E OAM waiting for SMS Control Data Set activation.
> 
> Explanation:   OAM has initialized with a null configuration. 
> No optical
> libraries, tape libraries or object storage groups are defined in the
> active SMS configuration.
> 
> We do have pools and a tape library defined, though the 
> SANDBOX has no 
> access to the library - but then it never has and there has been no 
> problem.  I could find nothing on the Internet so was hoping 
> ya'll had 
> some ideas!
> 
> Thanks in advance!!!
> 
> 
> Lucy Arnold
> Storage Manager
> U.C. Davis Medical Center
> 916-734-5498
> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
> 
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: CBR0095E

2010-04-02 Thread Lucy Arnold 
Thanks!  We'll look and give it a try!


Lucy Arnold
Storage Manager
U.C. Davis Medical Center
916-734-5498


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: WTO Alternative using HLASM

2010-04-02 Thread Rick Fochtman 

-


From: Shmuel Metz (Seymour J.) 
To: IBM-MAIN@bama.ua.edu
Sent: Thu, April 1, 2010 11:51:26 AM
Subject: Re: WTO Alternative using HLASM

In <432460.39432...@web54606.mail.re2.yahoo.com>, on 03/29/2010
  at 09:42 PM, Ed Gould  said:

 


I cannot for the life of me remember the IBM module name that provides
this maybe someone can pipe up here and remind me of the name.
   



IEFYS?
SNIP-
I am pretty sure that is correct. Now for the 10 dollar question where is it 
documented?

Ed
 


---
It's DOC'd in MVS Installation Exits, but the example given is poorly 
written.


Rick

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread McKown, John 
> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Ted MacNEIL
> Sent: Friday, April 02, 2010 2:09 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY class 
> definition required for any SMP/E use
> 
> >I already wrote the idea is perfectly OK and (maybe) it's 
> NOT violated by the profiles. I repeat the possible 
> explanation: separation of rules.
> 
> Juist because you've repeated your statement, it doesn't make 
> it valid.
> Separate files, not commands!
> 
> >Several rules could need same access to SMPE datasets, so if 
> you want to 
> make them separate, you need another check, access to 
> resources is not enough here.
> 
> I disagree.
> Give me an example; a valid one.
> 
> Anything else is just rectal smoke!
> 
> And, repeating what you've said without some evidence is just 
> more smoke.
> 
> Why is command protection better than resource/file protection.
> 
> Separate the SYSPROG roles by files/data rather than command.
> 
> For example, everbody can invoke ISPF browse, but not all can 
> read all files.
> 
> This may sound simplistic, or apples & oranges, but it 
> illustrates my point.
> 
> -
> Too busy driving to stop for gas!

As somebody in this thread said. Suppose you want a job run via your automated 
scheduler. This job is only to do a RECEIVE of maintenance. You want to run 
this job with an ID which has only enough authority to do the RECEIVE. So the 
job runs under that id. That id is only allowed to do the RECEIVE command in 
SMP/E, and nothing else. The id must have UPDATE access to the SMP/E datasets, 
but only WHEN using SMP/E. Grant the id permission to the datasets via PADS 
(Program Access to Data Sets) via the WHEN clause of the PERMIT command. Grant 
the id only SMP/E permission to the RECEIVE command so that nothing else could 
be done using the command.

This is similar logic to "I want user ... to be able to READ a dataset using 
program ..., but not be able to download the data via ftp or look at it in 
ISPF." In this case, the user would need PADS access to the dataset with the 
WHEN clause so that they can READ the data only using that exact program.

--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Ted MacNEIL 
>Suppose you want a job run via your automated scheduler. This job is only to 
>do a RECEIVE of maintenance.
>You want to run this job with an ID which has only enough authority to do the 
>RECEIVE. 

It's a production job, so it's controlled.
How many controls do we need for the same function?

>So the job runs under that id.
>That id is only allowed to do the RECEIVE command in SMP/E, and nothing else. 
>The id must have UPDATE access to the SMP/E datasets, but only WHEN using 
>SMP/E.

I'm too OCD to be AR!

-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Edward Jaffe 

Paul Gilmartin wrote:

And I see that GIMSMP is linked with AC=1; ASMA90 with AC=0;
both in authorized libraries.

So, now sheer conjecture.  ASMA90 may or may not do exhaustive
SAF checking.  Why should it feel obliged to?  It was designed
to run unauthorized.  So a maliciously crafty programmer could
code an SMP/E APPLY step which invokes ASMA90; preallocate
SYSPUNCH; and supply PUNCH statements which overwrite a member
in what?  SYS1.PARMLIB?
  


Or have your HLASM source/library/print user exits now suddenly getting 
control in an authorized environment.


--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
310-338-0400 x318
edja...@phoenixsoftware.com
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Paul Gilmartin 
On Fri, 2 Apr 2010 07:47:23 -0700, Edward Jaffe wrote:
>
>Exactly! The problem is that GIMSMP is APF authorized.
>
>AFAIK, that's true only because IEBCOPY requires APF authorization.
>
What about S99WTDSN?

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IMS log record sequence number first byte 'F1'x - why?

2010-04-02 Thread Mark Hammond 
I don't know the answer to your question, but if you need to find the
IMS List look at im...@imslistserv.bmc.com

 

The instructions I have are:

 

On August 1, 2008, the sponsorship of the IMS List Serv site will be
changing. We would like to thank University of Missouri, especially Len
Rugen for their many years of sponsorship. As Len has stated in the past
the reason for the change is that they are no longer supporting IMS at
their site.

 

The new sponsor will be BMC Software, yet all data and processes will be
managed by LSoft (the owner of ListServ software) on the LSoft servers. 

 

You should find that everything will work the same. The archives have
been transferred to the LSoft server. The only change you might have
would be email rules associated with the old name.

 

Please feel free to logon to the new server at IMSListServ.bmc.com to
update your profile if needed. All help, commands and user information
will be available at that site.

 

The new name to direct messages to all users will be
ims-l-requ...@imslistserv.bmc.com.

 

If you have any questions, feel free to contact us via the ListServ or
nick_grif...@bmc.com

 

 

 

Mark Hammond

-Original Message-
From: Barry Merrill [mailto:ba...@mxg.com] 
Sent: Friday, April 02, 2010 3:18 PM
To: IBM-MAIN@bama.ua.edu
Subject: IMS log record sequence number first byte 'F1'x - why?

 

Hoping to find my answer within this esteemed group,

rather than finding/subscribing/posting to an IMS

equivalent, does anyone know the significance of

the first byte of the 8-byte IMS Log Sequence Number

(the last eight bytes of each record)?

 

I'm seeing log records with 'F1'x (e.g., '1' EBCDIC)

in the first byte in IMS 11, with one-to-several bytes 

with hex-zeros, and then the sequence number in the low bytes.

 

Spent almost an hour searching with no clue before

asking.

 

Barry Merrill

Herbert W. Barry Merrill, PhD

President-Programmer

Merrill Consultants

MXG Software

10717 Cromwell Drive

Dallas TX 75229

214 351 1966 tel

214 350 3695 fax

www.mxg.com

 

--

For IBM-MAIN subscribe / signoff / archive access instructions,

send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO

Search the archives at http://bama.ua.edu/archives/ibm-main.html


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

IMS log record sequence number first byte 'F1'x - why?

2010-04-02 Thread Barry Merrill 
Hoping to find my answer within this esteemed group,
rather than finding/subscribing/posting to an IMS
equivalent, does anyone know the significance of
the first byte of the 8-byte IMS Log Sequence Number
(the last eight bytes of each record)?

I'm seeing log records with 'F1'x (e.g., '1' EBCDIC)
in the first byte in IMS 11, with one-to-several bytes 
with hex-zeros, and then the sequence number in the low bytes.

Spent almost an hour searching with no clue before
asking.

Barry Merrill
Herbert W. Barry Merrill, PhD
President-Programmer
Merrill Consultants
MXG Software
10717 Cromwell Drive
Dallas TX 75229
214 351 1966 tel
214 350 3695 fax
www.mxg.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

CBR0095E

2010-04-02 Thread Lucy Arnold 
Hello all!

I am trying to change a DFSMS managed pool from 6 Shark MOD3s to 1 Hitachi 
MOD9.  Our PROD and SANDBOX LPARs share the ACS routines, but have 
different SCDS, ACDS & COMMDS. I made the MOD3s DISNEW, and added the 
MOD9. I did the translate, validate and activate and the new configuration 
was activated.  Yet, when I tried to move the data with DMS I got:
2860 PROCESSING STARTED FOR VOLUME = VVE001
3446 SMS ERROR DETECTED, RC=
3415 DEFINE FAILED FOR DATASET SYSP.VTTSOC.VVE.D0994.SAND
3412 MOVE FAILED FOR DATA SET SYSP.VTTSOC.VVE.D0994.SAND . RETURN CODE IS 
8
3446 SMS ERROR DETECTED, RC=

These indicate a sub-system error.  I went to my boss and he said it was 
because OAM was not running.  We started OAM, but when we try to activate 
again we get:

IEF403I OAM - STARTED - TIME=11.07.05
CBR0001I OAM initialization starting.
CBR0095E OAM waiting for SMS Control Data Set activation.

Explanation:   OAM has initialized with a null configuration. No optical
libraries, tape libraries or object storage groups are defined in the
active SMS configuration.

We do have pools and a tape library defined, though the SANDBOX has no 
access to the library - but then it never has and there has been no 
problem.  I could find nothing on the Internet so was hoping ya'll had 
some ideas!

Thanks in advance!!!


Lucy Arnold
Storage Manager
U.C. Davis Medical Center
916-734-5498


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: CBR0095E

2010-04-02 Thread Lucy Arnold 
We issued :

T SMS=SB
IEE252I MEMBER IGDSMSSB FOUND IN CPAC.SB.PARMLIB
IGD031I SMS PARAMETERS 283
ACDS = SYS1.SB.ACDS
COMMDS   = SYS1.SB.COMMDS
INTERVAL = 15   DINTERVAL = 150
CACHETIME = 3600SMF_TIME = YES
CF-TIME = 3600  PDSE_RESTARTABLE_AS = NO
PDSE_BMFTIME = 3600 PDSE1_BMFTIME = 3600
PDSE_LRUTIME = 60   PDSE1_LRUTIME = 60
PDSE_LRUCYCLES = 15PDSE1_LRUCYCLES = 15
LOCAL_DEADLOCK = 15 GLOBAL_DEADLOCK = 4
REVERIFY = NO   ACSDEFAULTS = NO
USE_RESOWNER = YES  DSNTYPE = PDS
GDS_RECLAIM = YES   PDSESHARING = NORMAL
OVRD_EXPDT = NO RLS_MAX_POOL_SIZE = 100MB
SYSTEMS = 8 COMPRESS = GENERIC
PDSE_HSP_SIZE = 0MB   PDSE1_HSP_SIZE = 0MB
RLSINIT = NORLSTMOUT = 0
CICSVR_INIT = NOCICSVR_DSNAME_PREFIX = DWW.
CICSVR_RCDS_PREFIX = DWW
CICSVR_GRPNAME_SUFFIX = PROD
CICSVR_ZZVALUE_PARM =
CICSVR_UNDOLOG_CONTROL =
CICSVR_UNDOLOG_PREFIX = DWW
CICSVR_BACKOUT_CONTROL =
CICSVR_GENERAL_CONTROL =
Rls_MaxCfFeatureLevel = Z
RlsAboveTheBarMaxPoolSize = 0
RlsFixedPoolSize = 0
DSSTIMEOUT =  0 FAST_VOLSEL = OFF
PDSE_MONITOR = (YES,0,0)
PDSE1_MONITOR = (YES,0,0)
PDSE_DIRECTORY_STORAGE = 2000M
PDSE1_DIRECTORY_STORAGE = 2000M
PDSE_BUFFER_BEYOND_CLOSE = NO
PDSE1_BUFFER_BEYOND_CLOSE = NO
BLOCKTOKENSIZE =  NOREQUIRE
IGD031I SMS TRACE PARAMETERS 284
IGD031I SMS TRACE PARAMETERS 284
TRACE= ON SIZE = 128K TYPE = ALL
  JOBNAME = *ASID = *
  TRACING EVENTS:
MODULE = ON   SMSSJF = ON   SMSSSI = ON   ACSINT = ON
OPCMD  = ON   CONFC  = ON   CDSC   = ON   CONFS  = ON
MSG= ON   ERR= ON   CONFR  = ON   CONFA  = ON
ACSPRO = ON   IDAX   = ON   DISP   = ON   CATG   = ON
VOLREF = ON   SCHEDP = ON   SCHEDS = ON   VTOCL  = ON
VTOCD  = ON   VTOCR  = ON   VTOCC  = ON   VTOCA  = ON
RCD= ON   DCF= ON   DPN= ON   TVR= ON
DSTACK = ON   UAFF   = ON   DEBUG  = ON
VOLSELMSG = (OFF,0)TYPE = ALLJOBNAME = *
ASID = *  STEPNAME = *
DSNAME = *
IGW040I Buffer Beyond Close not active for SMSPDSE
IGW467I DFSMS RLSINIT PARMLIB VALUE ON SYSTEM: SAND 286
CURRENT VALUE: NO
IGW451I REQUEST TO UPDATE VSAM/RLS PARMLIB 287
KEYWORD: RlsAboveTheBarMaxPoolSize
KEYWORD: RlsAboveTheBarMaxPoolSize
HAS BEEN SAVED IN THE SMS CONTROL STRUCTURES.
THE PARMLIB KEYWORD WILL BE PROCESSED BY VSAM/RLS
WHEN THE VSAM/RLS ADDRESS SPACE IS STARTED
IGW451I REQUEST TO UPDATE VSAM/RLS PARMLIB 288
KEYWORD: RlsFixedPoolSize
HAS BEEN SAVED IN THE SMS CONTROL STRUCTURES.
THE PARMLIB KEYWORD WILL BE PROCESSED BY VSAM/RLS
WHEN THE VSAM/RLS ADDRESS SPACE IS STARTED
IGW451I REQUEST TO UPDATE VSAM/RLS PARMLIB 289
KEYWORD: DssTimeOut
HAS BEEN SAVED IN THE SMS CONTROL STRUCTURES.
THE PARMLIB KEYWORD WILL BE PROCESSED BY VSAM/RLS
WHEN THE VSAM/RLS ADDRESS SPACE IS STARTED
IEE536I SMS  VALUE SB NOW IN EFFECT
IGD009I ACDS SWITCHED TO SYS1.SB.ACDS

We then started OAM:

S OAM
$HASP100 OAM  ON STCINRDR
IEF695I START OAM  WITH JOBNAME OAM  IS ASSIGNED TO USER OAM
 , GROUP SYS1
$HASP373 OAM  STARTED
IEF403I OAM - STARTED - TIME=14.09.47
CBR0001I OAM initialization starting.
CBR0095E OAM waiting for SMS Control Data Set activation.

Lucy Arnold
Storage Manager
U.C. Davis Medical Center
916-734-5498


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Paul Gilmartin 
On Fri, 2 Apr 2010 09:56:28 -0700, Edward Jaffe wrote:
>
>An authorized program abends with 306-C if it tries to load a module
>from an unauthorized library. That's all. There is no requirement that
>the modules it attaches be linked with AC(1).
>
Thanks.  I keep forgetting the rule.

And I see that GIMSMP is linked with AC=1; ASMA90 with AC=0;
both in authorized libraries.

So, now sheer conjecture.  ASMA90 may or may not do exhaustive
SAF checking.  Why should it feel obliged to?  It was designed
to run unauthorized.  So a maliciously crafty programmer could
code an SMP/E APPLY step which invokes ASMA90; preallocate
SYSPUNCH; and supply PUNCH statements which overwrite a member
in what?  SYS1.PARMLIB?

Multiply that by the increasing number of utilities called
by SMP/E which may not do SAF checking and SMP/E is strongly
impelled to shift the security burden to customers' system
administrators.

>>> IMHO, the "right" fix would have been to "enhance" IEBCOPY to use
>>> alternate I/O techniques when not running APF authorized. (BTW, that
>>>
Amen.  I can live without S99WTDSN.  If I specify NOWAIT on
my DDDEFS, SMP/E operations not involving a copy run fine.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Ted MacNEIL 
>I wish life were that simple.  In our shop each of the
6 disciplines you mention has a different maintenance
team.

Yes! So?
That is not necessarily wrong.
Protect the files, and let them use the commands.

> We haven't yet developed roles that specialize,
i.e. receive, apply, accept, but it's certainly thought
provoking.

Why? Who has that many sysprogs?

>Has anyone ever applied something they should not have, due to inexperience?

So, you're saying that these new rules will protect your shop?

Somebody still has to apply, experienced or not.

A protection of function doesn't stop that.

You still need people who know what they ared doing.

-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Ted MacNEIL 
>I already wrote the idea is perfectly OK and (maybe) it's NOT violated by the 
>profiles. I repeat the possible explanation: separation of rules.

Juist because you've repeated your statement, it doesn't make it valid.
Separate files, not commands!

>Several rules could need same access to SMPE datasets, so if you want to 
make them separate, you need another check, access to resources is not enough 
here.

I disagree.
Give me an example; a valid one.

Anything else is just rectal smoke!

And, repeating what you've said without some evidence is just more smoke.

Why is command protection better than resource/file protection.

Separate the SYSPROG roles by files/data rather than command.

For example, everbody can invoke ISPF browse, but not all can read all files.

This may sound simplistic, or apples & oranges, but it illustrates my point.

-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread t babonas 
I wish life were that simple.  In our shop each of the
6 disciplines you mention has a different maintenance
team.  We haven't yet developed roles that specialize,
i.e. receive, apply, accept, but it's certainly thought
provoking.  Has anyone ever applied something they
should not have, due to inexperience?

I've experienced both extremes of the size of shop.
The mind sets are vastly different.  The crew of the
destroyer escort works differently than the crew of an
aircraft carrier.  Rules differ accordingly.





-Original Message-
From: IBM Mainframe Discussion List
[mailto:ibm-m...@bama.ua.edu] On Behalf Of Ted MacNEIL
Sent: Friday, April 02, 2010 1:29 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY
class definition required for any SMP/E use

>large organizations
should think this through in case a role based
methodology would be helpful in the SMPE staff.

Role Based?
You install software & maintain it, or you don't.

CICS, IMS, MQ, DB2, z/OS, and others.

You don't want SYSPROG1 stumbling over SYSPROG2 means
you protect their SMPTS, and other files.

NOT the functions!

-
Too busy driving to stop for gas!

---
---
For IBM-MAIN subscribe / signoff / archive access
instructions, send email to lists...@bama.ua.edu with
the message: GET IBM-MAIN INFO Search the archives at
http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread R.S. 

W dniu 2010-04-02 20:17, Ted MacNEIL pisze:

Last but not least: What's a problem gyus???
Do you want it to work in

the old manner?

You need to issue 2-3 RACF commands: RDEF FACI GIM.** DATA('I dont like 
security for SMPE') UACC(A) SETR RACLIST(FACI) REF
And voila.


Yes! But!

Protect the resource, not the programme.
I already wrote the idea is perfectly OK and (maybe) it's NOT violated 
by the profiles. I repeat the possible explanation: separation of rules. 
Several rules could need same access to SMPE datasets, so if you want to 
make them separate, you need another check, access to resources is not 
enough here.




I don't care if it's only one step.
So what if it's sinple.
There is no reason to grumble, even if you don't need it, don't like it, 
don't understand it.




The point is why?

Explained above.


Can/will IBM explain the so-called need?
I wish it too.  However my guess looks quite 
reasonable 



--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sąd Rejonowy dla m. st. Warszawy 
XII Wydział Gospodarczy Krajowego Rejestru Sądowego, 
nr rejestru przedsiębiorców KRS 025237

NIP: 526-021-50-88
Według stanu na dzień 01.01.2009 r. kapitał zakładowy BRE Banku SA (w całości 
wpłacony) wynosi 118.763.528 złotych. W związku z realizacją warunkowego 
podwyższenia kapitału zakładowego, na podstawie uchwały XXI WZ z dnia 16 marca 
2008r., oraz uchwały XVI NWZ z dnia 27 października 2008r., może ulec 
podwyższeniu do kwoty 123.763.528 zł. Akcje w podwyższonym kapitale zakładowym 
BRE Banku SA będą w całości opłacone.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Ted MacNEIL 
>large organizations
should think this through in case a role based
methodology would be helpful in the SMPE staff.

Role Based?
You install software & maintain it, or you don't.

CICS, IMS, MQ, DB2, z/OS, and others.

You don't want SYSPROG1 stumbling over SYSPROG2 means you protect their SMPTS, 
and other files.

NOT the functions!

-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Tom Marchant 
On Fri, 2 Apr 2010 18:17:34 +, Ted MacNEIL wrote:

>The point is why?
>
>Can/will IBM explain the so-called need?

Not likely, but Ed did give a very plausible explanation.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: "Hidden" APARs (Was: Heads Up: APAR IO11698...)

2010-04-02 Thread Tom Marchant 
On Fri, 2 Apr 2010 12:28:04 -0500, Larre Shiller wrote:

>...  we missed the "action" item for the PTF because the 
>HOLDDATA was marked REASON(EXIT) not REASON(ACTION) and 
>we had to remove our SMF dump exit routine

Don't you think you should check _all_ of the HOLDDATA?

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Ted MacNEIL 
>Last but not least: What's a problem gyus???
>Do you want it to work in 
the old manner?
>You need to issue 2-3 RACF commands: RDEF FACI GIM.** DATA('I dont like 
>security for SMPE') UACC(A) SETR RACLIST(FACI) REF
>And voila.

Yes! But!

Protect the resource, not the programme.

I don't care if it's only one step.
So what if it's sinple.

The point is why?

Can/will IBM explain the so-called need?
-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread t babonas 
Well put, Mr. RS.  I can certainly envision this
scenario in a large company with segregated roles.
Conceptually this looks like various sub-function
controls that CEMT has in the CICS world and the
STGADMIN profiles in storage management world.

As to why IBM developed this, maybe someone asked for
it...  It's easy enough to implement, easy enough
to effectively bypass, though large organizations
should think this through in case a role based
methodology would be helpful in the SMPE staff.




 

-Original Message-
From: IBM Mainframe Discussion List
[mailto:ibm-m...@bama.ua.edu] On Behalf Of R.S.
Sent: Friday, April 02, 2010 12:27 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY
class definition required for any SMP/E use

W dniu 2010-04-02 16:19, Paul Gilmartin pisze:
> On Fri, 2 Apr 2010 10:41:36 +, Bob Shannon wrote:
>
>> We applied the APAR. We protect the SMP data. I'm
sort of baffled why IBM felt SAF support was necessary
for SMPE.
>>
> 
> Me either.  And since it's called "integrity", we'll
never know.
It's a pity. I'd like to know.
[...]

> What is becoming of the philosophy, "Protect
resources; don't restrict 
> access to tools."
> 
I agree with the rule. However I would imagine the
following scenario: 
multiple rules within SMP/E team. I.e. John can receive
the service, but he cannot APPLY, because it's Fred's
responsibility. Both need access to datasets. Think
about granularity. Of course it's my guess only, but
not so wild - see latest SAF changes in ICSF - very
reasonable and a (very) little bit similar to those in
SMP/E.

Last but not least: What's a problem gyus??? Do you
want it to work in the old manner? You need to issue
2-3 RACF commands:
RDEF FACI GIM.** DATA('I dont like security for SMPE')
UACC(A) SETR RACLIST(FACI) REF And voila.


Happy Easter
-- 
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sąd Rejonowy dla m. st. Warszawy 
XII Wydział Gospodarczy Krajowego Rejestru Sądowego, 
nr rejestru przedsiębiorców KRS 025237
NIP: 526-021-50-88
Według stanu na dzień 01.01.2009 r. kapitał zakładowy
BRE Banku SA (w całości wpłacony) wynosi 118.763.528
złotych. W związku z realizacją warunkowego
podwyższenia kapitału zakładowego, na podstawie uchwały
XXI WZ z dnia 16 marca 2008r., oraz uchwały XVI NWZ z
dnia 27 października 2008r., może ulec podwyższeniu do
kwoty 123.763.528 zł. Akcje w podwyższonym kapitale
zakładowym BRE Banku SA będą w całości opłacone.

---
---
For IBM-MAIN subscribe / signoff / archive access
instructions,
send email to lists...@bama.ua.edu with the message:
GET IBM-MAIN INFO
Search the archives at
http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Lou Losee 
On Fri, Apr 2, 2010 at 12:27 PM, R.S. wrote:

> W dniu 2010-04-02 16:19, Paul Gilmartin pisze:
>
>  On Fri, 2 Apr 2010 10:41:36 +, Bob Shannon wrote:
>>
>>  We applied the APAR. We protect the SMP data. I'm sort of baffled why IBM
>>> felt SAF support was necessary for SMPE.
>>>
>>>  
>> Me either.  And since it's called "integrity", we'll never know.
>>
> It's a pity. I'd like to know.
> [...]
>
>
>  What is becoming of the philosophy, "Protect resources; don't
>> restrict access to tools."
>> 
>>
> I agree with the rule. However I would imagine the following scenario:
> multiple rules within SMP/E team. I.e. John can receive the service, but he
> cannot APPLY, because it's Fred's responsibility. Both need access to
> datasets. Think about granularity. Of course it's my guess only, but not so
> wild - see latest SAF changes in ICSF - very reasonable and a (very) little
> bit similar to those in SMP/E.
>
> Last but not least: What's a problem gyus??? Do you want it to work in the
> old manner? You need to issue 2-3 RACF commands:
> RDEF FACI GIM.** DATA('I dont like security for SMPE') UACC(A)
> SETR RACLIST(FACI) REF
> And voila.
>
> Yes, but since it is an integrity apar and you are now making everything
like it was what 'integrity hole' are you re-opening?

>
> Happy Easter
> --
> Radoslaw Skorupka
> Lodz, Poland
>
>
> --
> BRE Bank SA
> ul. Senatorska 18
> 00-950 Warszawa
> www.brebank.pl
>
> Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru
> Sądowego, nr rejestru przedsiębiorców KRS 025237
> NIP: 526-021-50-88
> Według stanu na dzień 01.01.2009 r. kapitał zakładowy BRE Banku SA (w
> całości wpłacony) wynosi 118.763.528 złotych. W związku z realizacją
> warunkowego podwyższenia kapitału zakładowego, na podstawie uchwały XXI WZ z
> dnia 16 marca 2008r., oraz uchwały XVI NWZ z dnia 27 października 2008r.,
> może ulec podwyższeniu do kwoty 123.763.528 zł. Akcje w podwyższonym
> kapitale zakładowym BRE Banku SA będą w całości opłacone.
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Chase, John 
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Edward Jaffe
> 
> Paul Gilmartin wrote:
> > On Fri, 2 Apr 2010 07:47:23 -0700, Edward Jaffe wrote:
> >
> >> Exactly! The problem is that GIMSMP is APF authorized.
> >> [ snip ]
> >> AFAIK, that's true only because IEBCOPY requires APF authorization.
> >> That's required because IEBCOPY uses I/O appendages. But, trust me,
it's
> >> not doing *anything* that can't also be done without I/O
appendages.
> >>
> > Performance?
> 
> Maybe in the old days. The channel programs it uses are extremely
> antiquated. New channel programs, without appendages, would run
circles
> around what they're doing now.

Well, DFSORT gave us ICEGENER to "sub" for IEBGENER.  Perhaps they could
be persuaded to provide an ICECOPY (that doesn't require authorization)
as a "substitute" for IEBCOPY?

-jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: "Hidden" APARs (Was: Heads Up: APAR IO11698...)

2010-04-02 Thread Larre Shiller 
I don't recall ever reporting any integrity-related issues or getting a
hidden APAR, but I did recently stumble over another hidden APAR: OA29894. 
Apparently we missed the "action" item for the PTF because the HOLDDATA was
marked REASON(EXIT) not REASON(ACTION) and we had to remove our SMF dump
exit routine until we could open an ETR and figure out what
changed/happened.  It makes problem determination fun when you cannot even
cross-reference the symptoms of a problem with a hidden APAR in the IBMLink
data base.  Since then, IBM documented the messages, but you still cannot
see the APAR.

Larre Shiller
US Social Security Administration
410.965.2209
www.ssa.gov
 
"The contents of this message are mine personally and do not necessarily
reflect any official position of the US Government or the US Social Security
Administration."

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread R.S. 

W dniu 2010-04-02 16:19, Paul Gilmartin pisze:

On Fri, 2 Apr 2010 10:41:36 +, Bob Shannon wrote:


We applied the APAR. We protect the SMP data. I'm sort of baffled why IBM felt 
SAF support was necessary for SMPE.



Me either.  And since it's called "integrity", we'll never know.

It's a pity. I'd like to know.
[...]


What is becoming of the philosophy, "Protect resources; don't
restrict access to tools."

I agree with the rule. However I would imagine the following scenario: 
multiple rules within SMP/E team. I.e. John can receive the service, but 
he cannot APPLY, because it's Fred's responsibility. Both need access to 
datasets. Think about granularity. Of course it's my guess only, but not 
so wild - see latest SAF changes in ICSF - very reasonable and a (very) 
little bit similar to those in SMP/E.


Last but not least: What's a problem gyus??? Do you want it to work in 
the old manner? You need to issue 2-3 RACF commands:

RDEF FACI GIM.** DATA('I dont like security for SMPE') UACC(A)
SETR RACLIST(FACI) REF
And voila.


Happy Easter
--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sąd Rejonowy dla m. st. Warszawy 
XII Wydział Gospodarczy Krajowego Rejestru Sądowego, 
nr rejestru przedsiębiorców KRS 025237

NIP: 526-021-50-88
Według stanu na dzień 01.01.2009 r. kapitał zakładowy BRE Banku SA (w całości 
wpłacony) wynosi 118.763.528 złotych. W związku z realizacją warunkowego 
podwyższenia kapitału zakładowego, na podstawie uchwały XXI WZ z dnia 16 marca 
2008r., oraz uchwały XVI NWZ z dnia 27 października 2008r., może ulec 
podwyższeniu do kwoty 123.763.528 zł. Akcje w podwyższonym kapitale zakładowym 
BRE Banku SA będą w całości opłacone.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Edward Jaffe 

Paul Gilmartin wrote:

On Fri, 2 Apr 2010 07:47:23 -0700, Edward Jaffe wrote:
  

Exactly! The problem is that GIMSMP is APF authorized.



I've long wondered about this.  Does this mean, in turn, that all
utilities GIMSMP invokes (IEBCOPY, Binder, Assembler, et al.)  must
likewise be authorized?  It is my understanding that an authorized
program ABENDs if it attempts to ATTACH an unauthorized subtask.
  


An authorized program abends with 306-C if it tries to load a module 
from an unauthorized library. That's all. There is no requirement that 
the modules it attaches be linked with AC(1).


  

AFAIK, that's true only because IEBCOPY requires APF authorization.
That's required because IEBCOPY uses I/O appendages. But, trust me, it's
not doing *anything* that can't also be done without I/O appendages.



Performance?
  


Maybe in the old days. The channel programs it uses are extremely 
antiquated. New channel programs, without appendages, would run circles 
around what they're doing now.


  

IMHO, the "right" fix would have been to "enhance" IEBCOPY to use
alternate I/O techniques when not running APF authorized. (BTW, that



They're 1/3 of the way there.  Ever do LOOKAT IEB1099I?  I asked IBM
in an RCF to elaborate this; IBM declined expressing an unwillingness
to document, and thereby commit to maintaining the current behavior.
  


This has been a "thorn" for years. They should do something about it.

--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
310-338-0400 x318
edja...@phoenixsoftware.com
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Ted MacNEIL 
>>not doing *anything* that can't also be done without I/O appendages.

>Performance?

These days, I doubt that's a major issue.
I'll stand by that equivocall response until somebody in the know tells me why 
it's still required.

SPFCOPY works unauthorised.
-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Bob Shannon 
>>Since we are a development shop in which dozens of people use SMPE, we simply 
>>set the access to >>UACC(READ) which gives everyone access to all of the 
>>SMP/E commands.

>Us too.  I've put in the request.

I should add that any user can APF-authorize a library. And the rest of you 
think you have integrity problems :-(

Bob Shannon
Rocket Software

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Paul Gilmartin 
On Fri, 2 Apr 2010 07:47:23 -0700, Edward Jaffe wrote:

>Lou Losee wrote:
>> The thing is integrity APARs do not come from requirements, they come from
>> exposures that violate IBMs integrity statement.  So I would think that the
>> reason behind the APAR has to be deeper than just segregating the use of
>> SMPE.
>>
>
>Exactly! The problem is that GIMSMP is APF authorized.
>
I've long wondered about this.  Does this mean, in turn, that all
utilities GIMSMP invokes (IEBCOPY, Binder, Assembler, et al.)  must
likewise be authorized?  It is my understanding that an authorized
program ABENDs if it attempts to ATTACH an unauthorized subtask.

>AFAIK, that's true only because IEBCOPY requires APF authorization.
>That's required because IEBCOPY uses I/O appendages. But, trust me, it's
>not doing *anything* that can't also be done without I/O appendages.
>
Performance?

>IMHO, the "right" fix would have been to "enhance" IEBCOPY to use
>alternate I/O techniques when not running APF authorized. (BTW, that

They're 1/3 of the way there.  Ever do LOOKAT IEB1099I?  I asked IBM
in an RCF to elaborate this; IBM declined expressing an unwillingness
to document, and thereby commit to maintaining the current behavior.

>would solve numerous other non-SMP/E-related issues at the same time.
>Ever tried to invoke IEBCOPY from a REXX?)
>
Even from "address TSO CALL *(GIMSMP)" (very schematically) from a
Rexx running under z/OS Unix.  I do it regularly.  It works, sort
of.  But when SMP/E recovers from a Sx37 and reports "THE HIGHEST
RETURN CODE WAS 00", TSO reports RC=12 for the CALL.

>Removing APF authorization from GIMSMP would remove the potential for
>integrity exposure. In that case, these ridiculous new SAF resources for
>SMP/E--which really do nothing to protect the system--would never have
>been created in the first place.
>
Yup.  Marna's presentation mentions, but counsels against UACC(READ)
I haven't easy access to the ++HOLD in the APAR.  Does it expand on
the depth of the exposure (unlikely in an integrity APAR), or provide
the administrator any guidance for granting access?  Might it be
as serious as, "any user given access to APPLY can use that privilege
to update any authorized library"?  We'll never know.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Chase, John 
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Brian Peterson
> 
> My use of the phrase "(fortunately) rare" was a qualitative judgment
on my
> part, based upon observation of the z/OS service stream for many
years.
> 
> At SHARE in Washington DC (Summer 2003), I talked about secret APARs
and
> provided a technique that any customer can use to make their own
> quantitative assessment of the state of their system.
> 
> http://www.share.org/Portals/0/BitBuckets/BitBucket26.pdf  (starting
on page 22)

Based on p. 29 of the cited .pdf document, it would seem that all
"Integrity" APARs are HIPER "by definition"; thus failure to
additionally flag them HIPER borders on fraud.

-jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: z/OS V1R11 Library unzip problem

2010-04-02 Thread Rabbe, Luke 
Looks like the culprit was IE6.  Thanks everyone.
Luke

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Brian Peterson
Sent: Wednesday, March 31, 2010 9:30 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: z/OS V1R11 Library unzip problem

According to the following article, IE6 can only download 2 GB files, and
IE7 only 4 GB.

http://support.microsoft.com/kb/298618

-=-=-=-=-
Symptom: When you attempt to download a file from the Internet by using
Hypertext Transfer Protocol (HTTP) in Microsoft Internet Explorer, you may
find that the download does not complete. As a result, you cannot download
the file.

Cause:  This behavior can occur if you try to download a file that is larger
than 2 gigabytes (GB) in Internet Explorer 6 or is larger than 4 GB in
Internet Explorer 7.

Note This download limit has been removed in Internet Explorer 8. Therefore,
you should not experience this behavior in Internet Explorer 8.
-=-=-=-=-

Or, of course, Firefox or other browsers

Brian

On Wed, 31 Mar 2010 08:04:58 -0500, Tim Deller wrote:

>The file was incomplete (corrupt) when I downloaded it with http (several
>times). Then I used their 'download director' and that gave me the complete
>file which could then be opened by Winzip.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: ESS 2105-800 DS6800 comparison

2010-04-02 Thread Clark, Kevin 
Nigel, 

Converted from a Hitachi unit emulating a ESS 2105 to a DS6800 using
FDRPAS and FLASHCOPY in 1 day, (10 TB), It was awhile back but there
were no problems or issues. Except it didn't support Flashcopy 2 at the
time (Dataset level) 

Since the DS6800 was rack mounted, I should have opted for the in rack
LAPTOP, Instead of table to support my monitor and keyboard only. 

 Oh yea. We went from ESCOM to FICON...so great for performance. 

Kevin 

---Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Nigel Salway
Sent: Thursday, April 01, 2010 12:07 PM
To: IBM-MAIN@bama.ua.edu
Subject: ESS 2105-800 DS6800 comparison

I am looking at migrating from an ESS 2105-800 shark to a used DS6800
1750-522.   
 
I am curious to learn if anyone has done a similar conversion and can
comment on the relative performance of the two storage subsystems.  The
IBM redbook SG24-6781-02 says the DS6800 will out-perform the 2105-800
shark in most zOS implementations. 
 
I am also interested in hearing from someone who has installed a used
DS6800 and if they had any issues installing and setting up the DS
Storage Manager software. 
 
TIA   
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


This e-mail message and any attachments transmitted with it are confidential 
and are intended solely for the use of its authorized recipient(s). If you are 
not an intended or authorized recipient, you are hereby notified that any 
disclosure, copying, distribution or taking any action in reliance on the 
information contained in this e-mail is prohibited. If you have received this 
message in error or are not authorized to receive it, please immediately notify 
the sender and delete the original message and all copies of it from your 
computer.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

"Hidden" APARs (Was: Heads Up: APAR IO11698...)

2010-04-02 Thread Edward Jaffe 

Shane Ginnane wrote:
I also wonder about Brians assertion of: 
The (fortunately) rare "integrity" flag

How the hell are we supposed to be able to tell how rare it is. And if
IBM doesn't have the confidence that they can talk about fixing these
exposures, what are we to think of the rest of the codebase ?. Is it
(supposedly) secure only until exposed/compromised ?. Excuse my lack of
confidence.
  


I have no idea how rare they are. I have personally reported two 
"hidden" APARs in the last 10 years. If that's typical for an IBM-MAIN 
contributor, then there are a lot of them. I suspect it's not typical 
though. I would interested to hear from others about their experiences...


--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
310-338-0400 x318
edja...@phoenixsoftware.com
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Brian Peterson 
My use of the phrase "(fortunately) rare" was a qualitative judgment on my
part, based upon observation of the z/OS service stream for many years. 

At SHARE in Washington DC (Summer 2003), I talked about secret APARs and
provided a technique that any customer can use to make their own
quantitative assessment of the state of their system.

http://www.share.org/Portals/0/BitBuckets/BitBucket26.pdf  (starting on page 22)

Check your system, and judge for yourself how "rare" these are.

And while you are at it, check out nearly two decades of Bit Bucket
presentations:

http://www.share.org/Volunteers/ProgramsandProjects/MVSProgram/MVSArchives/tabid/309/Default.aspx

Brian

On Sat, 3 Apr 2010 01:01:26 +1100, Shane Ginnane wrote:

>I also wonder about Brians assertion of:
>The (fortunately) rare "integrity" flag
>How the hell are we supposed to be able to tell how rare it is. 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Chase, John 
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Edward Jaffe
> 
> Lou Losee wrote:
> > The thing is integrity APARs do not come from requirements, they come from
> > exposures that violate IBMs integrity statement.  So I would think that the
> > reason behind the APAR has to be deeper than just segregating the use of
> > SMPE.
> >
> 
> Exactly! The problem is that GIMSMP is APF authorized.
> 
> AFAIK, that's true only because IEBCOPY requires APF authorization.
> That's required because IEBCOPY uses I/O appendages. But, trust me, it's
> not doing *anything* that can't also be done without I/O appendages.
> 
> IMHO, the "right" fix would have been to "enhance" IEBCOPY to use
> alternate I/O techniques when not running APF authorized. (BTW, that
> would solve numerous other non-SMP/E-related issues at the same time.
> Ever tried to invoke IEBCOPY from a REXX?)
> 
> Removing APF authorization from GIMSMP would remove the potential for
> integrity exposure. In that case, these ridiculous new SAF resources for
> SMP/E--which really do nothing to protect the system--would never have
> been created in the first place.

But aspirin is cheaper than angioplasty..

-jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Edward Jaffe 

Lou Losee wrote:

The thing is integrity APARs do not come from requirements, they come from
exposures that violate IBMs integrity statement.  So I would think that the
reason behind the APAR has to be deeper than just segregating the use of
SMPE.
  


Exactly! The problem is that GIMSMP is APF authorized.

AFAIK, that's true only because IEBCOPY requires APF authorization. 
That's required because IEBCOPY uses I/O appendages. But, trust me, it's 
not doing *anything* that can't also be done without I/O appendages.


IMHO, the "right" fix would have been to "enhance" IEBCOPY to use 
alternate I/O techniques when not running APF authorized. (BTW, that 
would solve numerous other non-SMP/E-related issues at the same time. 
Ever tried to invoke IEBCOPY from a REXX?)


Removing APF authorization from GIMSMP would remove the potential for 
integrity exposure. In that case, these ridiculous new SAF resources for 
SMP/E--which really do nothing to protect the system--would never have 
been created in the first place.


--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
310-338-0400 x318
edja...@phoenixsoftware.com
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Paul Gilmartin 
On Fri, 2 Apr 2010 10:41:36 +, Bob Shannon wrote:

>We applied the APAR. We protect the SMP data. I'm sort of baffled why IBM felt 
>SAF support was necessary for SMPE.
>

Me either.  And since it's called "integrity", we'll never know.

Apparently SMP/E took the easy way out: rather than take the admittedly
tedious step of putting suitable SAF checks at all points where SMP/E
accesses resources, SMP/E shifted the burden to systems adminstrators
who can use only the relatively coarse granularity of permitting access
to a certain command to a certain user regardless of which resources
it may access.

GIMZIP?  Gimme a break!  All GIMZIP does is invoke IEBCOPY and pax(1).
Doesn't IEBCOPY have its own SAF checks?  (I surely hope so.)  And
isn't pax constrained by the normal Unix file permissions and ACLs?

Or did the perceptibly capable SMP/E designers simply succumb to
ignorant pressure from administrators who chant, "SMP/E is an
administrative tool (like ADRDSSU).  Use of administrative tools
must be restricted to administrators!"

What is becoming of the philosophy, "Protect resources; don't
restrict access to tools."


>Since we are a development shop in which dozens of people use SMPE, we simply 
>set the access to UACC(READ) which gives everyone access to all of the SMP/E 
>commands.
>
Us too.  I've put in the request.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Shane Ginnane 
On Fri, Apr 2nd, 2010 at 9:41 PM, Bob Shannon wrote:

> We protect the SMP data. I'm sort of baffled why
> IBM felt SAF support was necessary for SMPE. 

Me too.
And this whole idea of trying to hide "Integrity" APARs has outlived its
usefulness. If it ever had any.
I have no  gripe with fixing the hole then letting the cat out of the
bag, but never doing it ?. Don't vendors ever learn ?.
I also wonder about Brians assertion of: 
The (fortunately) rare "integrity" flag
How the hell are we supposed to be able to tell how rare it is. And if
IBM doesn't have the confidence that they can talk about fixing these
exposures, what are we to think of the rest of the codebase ?. Is it
(supposedly) secure only until exposed/compromised ?. Excuse my lack of
confidence.

Bah humbug ...  Shane

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Mark Zelden 
On Fri, 2 Apr 2010 13:50:41 +, Bob Shannon 
wrote:

>> I'd be mildly curious to know where the requirement came from.
>
>I'll bet you a beer at the Boston SHARE that it came from the zBLC.
>

I was thinking government.   I only wish I could go to summer SHARE as
I have the last 6 years, but sadly, my new employer doesn't normally
let people go to SHARE - especially when travel is involved.  When's
the next time it will be in Chicago?  :-)Oh, and now that my former
employer is my client, zBLC is out also.

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS   
mailto:mzel...@flash.net  
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html 
Systems Programming expert at http://expertanswercenter.techtarget.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Veilleux, Jon L 
I think you might owe him that beer. 


Jon L. Veilleux 
veilleu...@aetna.com 
(860) 636-9179 


-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Bob Shannon
Sent: Friday, April 02, 2010 9:51 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition 
required for any SMP/E use

> I'd be mildly curious to know where the requirement came from.  

I'll bet you a beer at the Boston SHARE that it came from the zBLC.

Bob

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at 
http://bama.ua.edu/archives/ibm-main.html
This e-mail may contain confidential or privileged information. If
you think you have received this e-mail in error, please advise the
sender by reply e-mail and then delete this e-mail immediately.
Thank you. Aetna   

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Lou Losee 
On Fri, Apr 2, 2010 at 8:45 AM, Mark Zelden  wrote:

> On Fri, 2 Apr 2010 10:41:36 +, Bob Shannon <
> bshan...@rocketsoftware.com>
> wrote:
>
> >We applied the APAR. We protect the SMP data. I'm sort of baffled why IBM
> felt SAF support was necessary for SMPE.
> >
> >Since we are a development shop in which dozens of people use SMPE, we
> simply set the access to UACC(READ) which gives everyone access to all of
> the SMP/E commands.
> >
>
> It's not necessary, but I can "stretch" and see the case where a shop might
> want to let an ID or group have RECEIVE authority for example, but
> not let them to do an APPLY or not let them perform admin functions.
>  Perhaps
> a production userid that does RECEIVE ORDER via a job scheduler on a
> nightly or weekly basis.
>
> For query only, the CSI can simply be protected from update via
> RACF data set profiles.
>
> I'd be mildly curious to know where the requirement came from.
>

The thing is integrity APARs do not come from requirements, they come from
exposures that violate IBMs integrity statement.  So I would think that the
reason behind the APAR has to be deeper than just segregating the use of
SMPE.

Lou

> --
> Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
> mailto:mzel...@flash.net
> Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html
> Systems Programming expert at http://expertanswercenter.techtarget.com/
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Bob Shannon 
> I'd be mildly curious to know where the requirement came from.  

I'll bet you a beer at the Boston SHARE that it came from the zBLC.

Bob

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Mark Zelden 
On Fri, 2 Apr 2010 10:41:36 +, Bob Shannon 
wrote:

>We applied the APAR. We protect the SMP data. I'm sort of baffled why IBM
felt SAF support was necessary for SMPE.
>
>Since we are a development shop in which dozens of people use SMPE, we
simply set the access to UACC(READ) which gives everyone access to all of
the SMP/E commands.
>

It's not necessary, but I can "stretch" and see the case where a shop might
want to let an ID or group have RECEIVE authority for example, but
not let them to do an APPLY or not let them perform admin functions.  Perhaps
a production userid that does RECEIVE ORDER via a job scheduler on a
nightly or weekly basis. 

For query only, the CSI can simply be protected from update via 
RACF data set profiles.

I'd be mildly curious to know where the requirement came from.  

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS   
mailto:mzel...@flash.net  
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html 
Systems Programming expert at http://expertanswercenter.techtarget.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: The hardest JCL ERROR I have met

2010-04-02 Thread Mark Zelden 
On Thu, 1 Apr 2010 18:37:05 -0500, Larry Stout  wrote:

>A quick way to determine the error is to submit the JCL as a batch
>job.  If the job fails during syntax checking, it will not matter
>whether the data sets are cataloged or whether JES2 is already
>running.
>
>//JES2PROC M=JES2PARM
>//IEFPROC EXEC PGM=HASJES20,TIME=1440,DPRTY=(15,15)
>//HASPLIST  DD DDNAME=IEFRDER
>//HASPPARM  DD DSN=SYS1.CPAC.PARMLIB(&M),DISP=SHR
>//PROC00DD DISP=SHR,DSN=SYS1.CPAC.PROCLIB
>//  DD DISP=SHR,DSN=SYS1.PROCLIB
>//HASPLIST  DD DDNAME=IEFRDER
>//STEPLIB   DD DISP=SHR,DSN=SYS1.SHASLNKE
>//PEND
>//DOITEXEC PROC=JES2
>
>The resulting messages are:
>
>STMT NO. MESSAGE
>
>   3 IEFC001I PROCEDURE JES2 WAS EXPANDED USING INSTREAM PROCEDURE
>  DEFINITION
>  10 IEF631I NUMBER OF DDNAMES EXCEEDS MAXIMUM IN THE DDNAME FIELD
>  11 IEF686I DDNAME REFERRED TO ON DDNAME KEYWORD IN PRIOR STEP
> WAS NOT RESOLVED
>
>The second message, IEF631I, is the error.  This message is not fully
>described in the System Messages manual:
>


And I was wondering why those messages were not seen on the console,
but there is a good chance that IEF196I is suppressed via MPF.   

Mark 
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS   
mailto:mzel...@flash.net  
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html 
Systems Programming expert at http://expertanswercenter.techtarget.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Kurt Quackenbush 
Information can also be found in INFO APAR II14489.  Essentially this 
contains the information supplied by the ACTION and DOC HOLDs within the 
PTF.


Kurt Quackenbush -- IBM, SMP/E Development

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-02 Thread Bob Shannon 
We applied the APAR. We protect the SMP data. I'm sort of baffled why IBM felt 
SAF support was necessary for SMPE. 

Since we are a development shop in which dozens of people use SMPE, we simply 
set the access to UACC(READ) which gives everyone access to all of the SMP/E 
commands.

Bob Shannon
Rocket Software

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use (nomenclature)

2010-04-02 Thread R.S. 

Just to order nomenclature:
The *class* is not new. The class is named FACILITY.
The new thing is called resource name or less correctly profile.

Example
Class: FACILITY
resource name: GIM.PGM.GIMZIP
profile: GIM.PGM.**


So, nobody should "define this FACILITY class".
One should define profile in the FACILITY class. Or: One should create 
FACILITY class profile covering resource GIM.PGM.GIMZIP.


Just €0.02
--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy 
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, 
nr rejestru przedsibiorców KRS 025237

NIP: 526-021-50-88
Wedug stanu na dzie 01.01.2009 r. kapita zakadowy BRE Banku SA (w caoci 
wpacony) wynosi 118.763.528 zotych. W zwizku z realizacj warunkowego 
podwyszenia kapitau zakadowego, na podstawie uchway XXI WZ z dnia 16 marca 
2008r., oraz uchway XVI NWZ z dnia 27 padziernika 2008r., moe ulec 
podwyszeniu do kwoty 123.763.528 z. Akcje w podwyszonym kapitale zakadowym 
BRE Banku SA bd w caoci opacone.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html