Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Rick Fochtman 
Have you done something in that job that will affect the library 
containing the IEBCOPY program?? NOT A GOOD IDEA!!!


Rick
-
Peter Nuttall wrote:


Hi All,

Just wondered if anybody else has come across this phenomenon.   We are 
z/OS 01.09.00. Have a job running a set of IEBCOPY steps and the 8th step 
failed with :


IEB1099E *** IEBCOPY IS NOT APF AUTHORIZED *** 

All the other steps worked ... The rerun of the job from the failing step 
worked successfully  Have checked the log and I don't see any APF type 
messages at the time of the failure (other than the one above ... )


Our sysproggys are currently investigating (apparently they suspect 
PDSMAN, but we weren't running PDSMAN, it was straight EXEC PGM=IEBCOPY)


Anyone got any ideas ?

Cheers,
Peter

This e-mail message, including any attachments transmitted with it, is 
CONFIDENTIAL and may contain legally privileged information. This message is 
intended solely for the use of the individual or entity to whom it is 
addressed. If you have received this message in error, please notify us 
immediately and delete it from your system. Please visit our website to read 
the full disclaimer: http://www.euroclear.com/site/public/disclaimer



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Arithmetic on COBOL usage is pointer

2010-04-16 Thread Clark Morris 
On 16 Apr 2010 08:52:13 -0700, in bit.listserv.ibm-main you wrote:

>On Fri, 2010-04-16 at 11:43 -0400, Walt Farrell wrote:
>> Why would you want to do math on a pointer?
>
>One example: in a COBOL program I wrote awhile ago, I process SMF
>type-30 records.  Those records contain segments whose offsets are
>stored in fullwords - I address those segments by doing pointer
>arithmetic on the address of the SMF30 record.

In response to other postings, TRUNC(OPT) should work as well as
TRUNC(|BIN) without the brain dead code generation if all operands are
either binary or literals.  The more interesting question is why use a
pointer when reference modification works well for playing with the
SMF30 records?  

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

OT chicken or egg first was Re: Heads Up: APAR I O11698 - N ew SAF FAC ILITY clas s definiti on require d for any SMP/E use?

2010-04-16 Thread Clark Morris 
On 15 Apr 2010 12:10:48 -0700, in bit.listserv.ibm-main you wrote:

>Don Williams writes:
>
> 
>| Chicken Little does not know which came first, the
>| chicken or the egg.
>
> 
>
>From the egg's perspective, which is clearly the right one here, a chicken is 
>only an egg's device for reproducing itself, making more eggs. 

The egg came first and was laid by another species.
>
>John Gilmore Ashland, MA 01721-1817 USA
>
> 
>_
>The New Busy is not the old busy. Search, chat and e-mail from your inbox.
>http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_3
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

2010-04-16 Thread Clark Morris 
On 14 Apr 2010 12:13:53 -0700, in bit.listserv.ibm-main you wrote:

>On Wed, 14 Apr 2010 16:01:52 -0300 Clark Morris 
>wrote:
>
>:>Also given the problem found with SMP/E, I would hope that IBM and
>:>other vendors are checking to see if there are similar exposures in
>:>other utilities and services.
>
>Only possible if IBM tells what the exposure is.

Making the drastic assumption that the various groups WITHIN IBM can
communicate on the exposure, then IBM can check to see if there are
similar exposures in other functions.  

In terms of the third party vendor, it gets to be tricky.  I would
assume that at least CA would have to be made aware of the type of
exposure.  Who is responsible if a similar hole in Vendor x system
type software is exploited because of a presumed underlying hole in
IBM software and a SOX, data compromise or other bad event occurs?  If
I understand this thing correctly, the effect of this APAR is to
restrict the exploitation of this hole, intentionally or
inadvertently, to authorized people.  That might mean we should
restrict SMP access so as to exclude people who have a talent for
finding flaws without looking for them.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

WLM Service Class question

2010-04-16 Thread gsg 
We have two production LPARs and two test LPARs.  We have different 
service classes for Production batch and Test batch.  My question is should 
both production LPARs use the same service class or should we have different 
service classes for each production LPAR as well.  Not sure if it would matter 
or not, but each production LPAR is for a different bank we support.

TIA

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Recataloging VSAM Dataset

2010-04-16 Thread Lizette Koehler 
What was used to restore the dataset?  FDR, DFDSS, ???  Some have RENAME
capability that can be used to put it down as a cataloged vsam dataset, then
you could copy (REPRO) to the correct dataset name.

There is also a RECAT option on the DEF VSAM function.  You might want to
review that.

Lastly is the VSAM dataset on the same volser name it was before it was
deleted?  Or did you restore it to a whole new volume?

Lizette



> Behalf Of Klein, Kevin Wrote 
> 
> Is there a way to recatalog a VSAM dataset (non-SMS) that I've restored
> from an old backup tape?  The original volume and catalog for these
> datasets no longer exist.
> 
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Arithmetic on COBOL usage is pointer

2010-04-16 Thread Joe Reichman 

TRUNC(BIN). Worked than

Sent from my iPhone

On Apr 16, 2010, at 11:47 AM, David Andrews  wrote:


On Fri, 2010-04-16 at 11:28 -0400, Joe Reichman wrote:

I redefined a usage pointer to PIC 9(8) comp to do arithmetic


Have you compiled with TRUNC(BIN)?

--
David Andrews
A. Duda and Sons, Inc.
david.andr...@duda.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IEFUSI - RESERVE SPACE

2010-04-16 Thread Chris Craddock 
On Fri, Apr 16, 2010 at 9:00 AM, Arthur Gutowski  wrote:

> On Thu, 15 Apr 2010 13:46:26, Ted MacNEIL  wrote:
>
> >Third, with the restructuring of the way initiators work, where draining
> an init
> actually terminates the offending address space underpinning that init,
> rather
> than a random one, we found most of the reasons for the exit disappeared.
>
> Not that JES flavor was specified, but with JES3, draining the init takes
> more
> effort.  Quiesce the entire class/group (set INIT counts to zero and wait
> for
> jobs to complete), then restart the class/group.
>
> Is this still effective with WLM-managed INITs?  We don't use them, but
> ISTR
> you lose the ability to manually drain/start inidividual initiators, and
> therefore
> would have to quiesce an entire job class.
>
> In these cases, IEFUSI seems like the easier path.  CHECKREGIONLOSS looks
> interesting, too...



regardless of (ahem) kludges like the region loss thing, the important point
to remember is that the system needs some space to be reserved at the high
end of below the line and at the high end of below the bar for LSQA, ELSQA
etc. The down-side if you don't leave enough space for the system areas can
be quite disastrous. So if you're using IEFUSI don't just pin the respective
region-below-16MB and above region-above-16MB sizes up against the top of
their respective address ranges - even if the JCL specifies 0M. For below
the line you should reserve at least a few hundred KiB and above the line
you could reserve several MiB without hurting anyone's feelings.

-- 
This email might be from the
artist formerly known as CC
(or not) You be the judge.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Recataloging VSAM Dataset

2010-04-16 Thread Elliot, David 
Has this dataset been recovered with a full volume restore? Is there a VVDS 
available on the output volume?

David Elliot
 
zSeries Software Support

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Klein, Kevin
Sent: Friday, April 16, 2010 11:39 AM
To: IBM-MAIN@bama.ua.edu
Subject: Recataloging VSAM Dataset

Is there a way to recatalog a VSAM dataset (non-SMS) that I've restored from an 
old backup tape?  The original volume and catalog for these datasets no longer 
exist.


Attention:
The information contained in this message and or attachments is intended only 
for the person or entity to which it is addressed and may contain confidential 
and/or privileged material.  Any review, retransmission, dissemination or other 
use of, or taking of any action in reliance upon, this information by persons 
or entities other than the intended recipient is prohibited. If you received 
this in error, please contact the sender and delete the material from any 
system and destroy any copies.  (GWCC)



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Recataloging VSAM Dataset

2010-04-16 Thread Linda Mooney 
Hi Kevin, 



VSAM doesn't function without being catalogued.  How did you restore it?  Have 
you tried an IDCAMS listcat for the cluster?  Can I see your restore jcl? 



Linda Mooney 


- Original Message - 
From: "Kevin Klein"  
To: IBM-MAIN@bama.ua.edu 
Sent: Friday, April 16, 2010 9:39:02 AM GMT -08:00 US/Canada Pacific 
Subject: Recataloging VSAM Dataset 

Is there a way to recatalog a VSAM dataset (non-SMS) that I've restored from an 
old backup tape?  The original volume and catalog for these datasets no longer 
exist. 


Attention: 
The information contained in this message and or attachments is intended only 
for the person or entity to which it is addressed and may contain confidential 
and/or privileged material.  Any review, retransmission, dissemination or other 
use of, or taking of any action in reliance upon, this information by persons 
or entities other than the intended recipient is prohibited. If you received 
this in error, please contact the sender and delete the material from any 
system and destroy any copies.  (GWCC) 


-- 
For IBM-MAIN subscribe / signoff / archive access instructions, 
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO 
Search the archives at http://bama.ua.edu/archives/ibm-main.html 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Recataloging VSAM Dataset

2010-04-16 Thread Klein, Kevin 
Is there a way to recatalog a VSAM dataset (non-SMS) that I've restored from an 
old backup tape?  The original volume and catalog for these datasets no longer 
exist.


Attention:
The information contained in this message and or attachments is intended only 
for the person or entity to which it is addressed and may contain confidential 
and/or privileged material.  Any review, retransmission, dissemination or other 
use of, or taking of any action in reliance upon, this information by persons 
or entities other than the intended recipient is prohibited. If you received 
this in error, please contact the sender and delete the material from any 
system and destroy any copies.  (GWCC)


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Arithm etic on CO BOL usage is pointer ‏

2010-04-16 Thread john gilmore 
Enterprise COBOL has two sorts of pointers, [vanilla COBOL] pointer, which 
occupies 8 bytes but is NOT an AMODE(64) pointer, and function pointer, which 
occupies only 4 bytes and is a classical C, HLASM. or PL/I pointer.  Its null 
value, for which you must make provision in doing aliased pointer arithmetic in 
COBOL, is x''.

 

I strongly suggest that you use only instances of function pointer to do 
pointer arithmetic in COBOL.  You will sometimes but not always get away with 
using the eight-byte pointer values, which contain some non-address baggage.   
In general, use the same schemata you would use to pass a COBOL pointer to a C 
subroutine.  

John Gilmore Ashland, MA 01721-1817 USA


  
_
Hotmail is redefining busy with tools for the New Busy. Get more from your 
inbox.
http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_2

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Arithmetic on COBOL usage is pointer

2010-04-16 Thread Chase, John 
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Joe Reichman
> 
> I redefined a usage pointer to PIC 9(8) comp to do arithmetic and got
> weird
>   results
> Are there any rules for doing math on
> Usage is pointer

Compiler option TRUNC(BIN) would be "a friend", but specifying COMP-5 on
your REDEFINE would be better.

-jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Arithmetic on COBOL usage is pointer

2010-04-16 Thread Patrick Roehl 
Make sure you redefine without being signed as 9(9) COMP (or BINARY) and use
the TRUNC(BIN) option.  

Using a signed field or not having TRUNC(BIN) can cause odd results.

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf
Of Joe Reichman
Sent: Friday, April 16, 2010 11:29 AM
To: IBM-MAIN@bama.ua.edu
Subject: Arithmetic on COBOL usage is pointer

I redefined a usage pointer to PIC 9(8) comp to do arithmetic and got  
weird
  results
Are there any rules for doing math on
Usage is pointer

Sent from my iPhone

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Internal (program) start of an STC - MGCRE vs. ASCRE

2010-04-16 Thread McKown, John 
> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Walt Farrell
> Sent: Friday, April 16, 2010 9:50 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE
> 
> On Fri, 16 Apr 2010 09:29:30 -0500, McKown, John
>  wrote:

> 
> You would need VERIFY, not VERIFYX.
> 
> And you can ask VERIFY to do the auditing (LOG=ALL).
> 
> I doubt you'd need a RESMGR, though you would need some kind of exit
> (ESTAI?) to handle abnormal termination of the subtasks and 
> delete the ACEE.

OK, I know how to do this.

> 
> If you're going multi-user in a single address space then it 
> really only
> works if you have complete control over the code that's 
> running, of course.
>  If the users can supply any of the code you have nothing 
> that can prevent
> one user from assuming another's identity.   And if they can 
> supply any of
> the code you also have the problem of ATTACH not propagating ACEEs.

To be honest, I don't like multi-user address spaces. That would really 
complicate debugging.

> 
> It really is easier for you to simply go the UNIX route.  By 
> the way, your
> code does not need to be in a UNIX file system.  It could be 
> in a PDS or
> PDSE, though you might need an external link in the file 
> system in order for
> UNIX to find it.

I don't know the "plus" of using an External Link versus just putting the 
program object directly into the UNIX filesystem. It would make sense for 
something in LNKLST or LPA, I guess. But for something in the equivalent of a 
STEPLIB, I doubt it would be useful.

> 
> And don't forget that the users will need UNIX identities 
> (OMVS segments
> with UIDs) if you go with anything UNIX related.

Hopefully, using the BPX.DEFAULT.USER profile in the FACILITY class would be 
"good enough". It seems to be OK for ftp users who don't actually do any I/O to 
UNIX files.

> 
> -- 
> Walt Farrell, CISSP
> IBM STSM, z/OS Security Design

It is really beginning to look like using UNIX services "to the max" is just 
going to be so much easier. Instead of my own "listener", I can use inetd. This 
would save me from coding all the TCP/IP stuff. My code could just read and 
write the socket supplied by inetd. I can use BPX1SEC to validate and set the 
RACF identity to the supplied RACF userid/password. This is far simplier than a 
RACROUTE REQUEST=VERIFY or IRRSIA00 in that it does not require supervisor 
state or APF authorization, but the JrEnvDirty seems to imply the program must 
be "program controlled". I know what that means for PDS resident programs, but 
not HFS resident programs. At least as far as I can tell from the manual.

The only thing that I would like, which I cannot seem to get, is the equivalent 
of the TSO message which says something like: "YOUR PASSWORD WILL EXPIRE IN 5 
DAYS". I can only tell if it is EXPIRED or INVALID. And, perhaps, REVOKEd.
--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Internal (program) start of an STC - MGCRE vs. ASCRE

2010-04-16 Thread Rob Scott 
>>You would need VERIFY, not VERIFYX.

D'oh - that'll teach me to assune that an "X" suffix on the end of an IBM macro 
is the "AR mode" version...:-) 

Apologies 


Rob Scott
Developer
Rocket Software
275 Grove Street * Newton, MA 02466-2272 * USA
Tel: +1.617.614.2305 
Email: rsc...@rs.com
Web: www.rocketsoftware.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Walt Farrell
Sent: 16 April 2010 15:50
To: IBM-MAIN@bama.ua.edu
Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE

On Fri, 16 Apr 2010 09:29:30 -0500, McKown, John 
 wrote:

>> -Original Message-
>> From: IBM Mainframe Discussion List
>> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Rob Scott
>> Sent: Friday, April 16, 2010 8:59 AM
>> To: IBM-MAIN@bama.ua.edu
>> Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE
>>
>> John
>>
>> Yeah RACROUTE VERIFY(X) is the fella - see the RACROUTE manual for 
>> more info - not exactly a "for dummies" book though :-)
>>
>> Obviously with a multi-user address space you would need to wrap 
>> somnething like a task-level RESMGR around each TCB that is created 
>> for the user "signon". If there is no z/OS-supplied cleanup of ACEE, 
>> then your RESMGR could perform the VERIFYX ENVIR=DELETE - in fact 
>> this is probably a good idea anyway.
>> Another job for the RESMGR could be to cut a "sign-off" SMF record 
>> (and you could cut a "sign-on" when you perform the VERIFYX 
>> ENVIR=CREATE).
>
>Really getting complicated!
>

You would need VERIFY, not VERIFYX.

And you can ask VERIFY to do the auditing (LOG=ALL).

I doubt you'd need a RESMGR, though you would need some kind of exit
(ESTAI?) to handle abnormal termination of the subtasks and delete the ACEE.

If you're going multi-user in a single address space then it really only works 
if you have complete control over the code that's running, of course.
 If the users can supply any of the code you have nothing that can prevent
one user from assuming another's identity.   And if they can supply any of
the code you also have the problem of ATTACH not propagating ACEEs.

It really is easier for you to simply go the UNIX route.  By the way, your code 
does not need to be in a UNIX file system.  It could be in a PDS or PDSE, 
though you might need an external link in the file system in order for UNIX to 
find it.

And don't forget that the users will need UNIX identities (OMVS segments with 
UIDs) if you go with anything UNIX related.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at 
http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Arithmetic on COBOL usage is pointer

2010-04-16 Thread McKown, John 
> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Joe Reichman
> Sent: Friday, April 16, 2010 10:29 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Arithmetic on COBOL usage is pointer
> 
> I redefined a usage pointer to PIC 9(8) comp to do arithmetic 
> and got  
> weird
>   results
> Are there any rules for doing math on
> Usage is pointer
> 
> Sent from my iPhone

I use the SET ws-pointer TO ADDRESS OF ... . Something like the following could 
be done:

WORKING-STORAGE SECTION.
77 WS-POINTER POINTER.

...

LINKAGE SECTION.

77 LS-BIG  PIC X OCCURS 1024 TIMES.

...

PROCEDURE DIVISION.

SET WS-POINTER TO ADDRESS OF some-var.
SET ADDRESS OF LS-BIG TO WS-POINTER.
SET ADDRESS OF WS-POINTER TO LS-BIG(5).

The above is equivalent to adding 4 to the current value of WS-POINTER. That's 
because COBOL arrays are 1-origin. 

--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Arithmetic on COBOL usage is pointer

2010-04-16 Thread Farley, Peter x23353 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
> Behalf Of Joe Reichman
> Sent: Friday, April 16, 2010 11:29 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Arithmetic on COBOL usage is pointer
> 
> I redefined a usage pointer to PIC 9(8) comp to do arithmetic and got
> weird results.  Are there any rules for doing math on Usage is pointer

What kind of "weird" results?  I have done this before, but I redefined
using PIC S9(09) BINARY rather than 9(8) COMP.  Are you using the
TRUNC(BIN) compiler option?  Check the manual for impact of the TRUNC
option for more info.

Sometimes it helps to use the LIST compiler option to see exactly what
the compiler is generating for your pointer arithmetic statements,
sometimes you can determine your problem more easily that way.

HTH

Peter

 
This message and any attachments are intended only for the use of the addressee 
and
may contain information that is privileged and confidential. If the reader of 
the 
message is not the intended recipient or an authorized representative of the
intended recipient, you are hereby notified that any dissemination of this
communication is strictly prohibited. If you have received this communication in
error, please notify us immediately by e-mail and delete the message and any
attachments from your system.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Arithmetic on COBOL usage is pointer

2010-04-16 Thread David Andrews 
On Fri, 2010-04-16 at 11:43 -0400, Walt Farrell wrote:
> Why would you want to do math on a pointer?

One example: in a COBOL program I wrote awhile ago, I process SMF
type-30 records.  Those records contain segments whose offsets are
stored in fullwords - I address those segments by doing pointer
arithmetic on the address of the SMF30 record.

-- 
David Andrews
A. Duda and Sons, Inc.
david.andr...@duda.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Arithmetic on COBOL usage is pointer

2010-04-16 Thread David Andrews 
On Fri, 2010-04-16 at 11:28 -0400, Joe Reichman wrote:
> I redefined a usage pointer to PIC 9(8) comp to do arithmetic

Have you compiled with TRUNC(BIN)?

-- 
David Andrews
A. Duda and Sons, Inc.
david.andr...@duda.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Arithmetic on COBOL usage is pointer

2010-04-16 Thread Walt Farrell 
On Fri, 16 Apr 2010 11:28:32 -0400, Joe Reichman 
wrote:

>I redefined a usage pointer to PIC 9(8) comp to do arithmetic and got
>weird
>  results
>Are there any rules for doing math on
>Usage is pointer
>

Why would you want to do math on a pointer?

-- 
Walt

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Arithmetic on COBOL usage is pointer

2010-04-16 Thread Joe Reichman 
I redefined a usage pointer to PIC 9(8) comp to do arithmetic and got  
weird

 results
Are there any rules for doing math on
Usage is pointer

Sent from my iPhone

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Internal (program) start of an STC - MGCRE vs. ASCRE

2010-04-16 Thread Walt Farrell 
On Fri, 16 Apr 2010 09:29:30 -0500, McKown, John
 wrote:

>> -Original Message-
>> From: IBM Mainframe Discussion List
>> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Rob Scott
>> Sent: Friday, April 16, 2010 8:59 AM
>> To: IBM-MAIN@bama.ua.edu
>> Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE
>>
>> John
>>
>> Yeah RACROUTE VERIFY(X) is the fella - see the RACROUTE
>> manual for more info - not exactly a "for dummies" book though :-)
>>
>> Obviously with a multi-user address space you would need to
>> wrap somnething like a task-level RESMGR around each TCB that
>> is created for the user "signon". If there is no
>> z/OS-supplied cleanup of ACEE, then your RESMGR could perform
>> the VERIFYX ENVIR=DELETE - in fact this is probably a good
>> idea anyway.
>> Another job for the RESMGR could be to cut a "sign-off" SMF
>> record (and you could cut a "sign-on" when you perform the
>> VERIFYX ENVIR=CREATE).
>
>Really getting complicated!
>

You would need VERIFY, not VERIFYX.

And you can ask VERIFY to do the auditing (LOG=ALL).

I doubt you'd need a RESMGR, though you would need some kind of exit
(ESTAI?) to handle abnormal termination of the subtasks and delete the ACEE.

If you're going multi-user in a single address space then it really only
works if you have complete control over the code that's running, of course.
 If the users can supply any of the code you have nothing that can prevent
one user from assuming another's identity.   And if they can supply any of
the code you also have the problem of ATTACH not propagating ACEEs.

It really is easier for you to simply go the UNIX route.  By the way, your
code does not need to be in a UNIX file system.  It could be in a PDS or
PDSE, though you might need an external link in the file system in order for
UNIX to find it.

And don't forget that the users will need UNIX identities (OMVS segments
with UIDs) if you go with anything UNIX related.

-- 
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Internal (program) start of an STC - MGCRE vs. ASCRE

2010-04-16 Thread McKown, John 
> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Rob Scott
> Sent: Friday, April 16, 2010 8:59 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE
> 
> John
> 
> Yeah RACROUTE VERIFY(X) is the fella - see the RACROUTE 
> manual for more info - not exactly a "for dummies" book though :-)
> 
> Obviously with a multi-user address space you would need to 
> wrap somnething like a task-level RESMGR around each TCB that 
> is created for the user "signon". If there is no 
> z/OS-supplied cleanup of ACEE, then your RESMGR could perform 
> the VERIFYX ENVIR=DELETE - in fact this is probably a good 
> idea anyway.
> Another job for the RESMGR could be to cut a "sign-off" SMF 
> record (and you could cut a "sign-on" when you perform the 
> VERIFYX ENVIR=CREATE).

Really getting complicated!

> 
> If you go down the "START" command route and your method of 
> assigning ownership to the created address space is a 
> parameter on the START command - what is to stop any bozo who 
> has opercmd authority from spoofing a userid on to one of 
> your address spaces ?

Not a parm on the START command. The "listener" will establish a TCP connection 
to the "client". After it does the START, the "listener" would do a GIVESOCKET. 
The started task would then do a TAKESOCKET. The desktop "client" would then 
send the RACF id / password over the socket. The started task would then use 
BPX1SEC or IRRSIA00 to "logon" using the supplied userid/password. If this 
works (good user/password), the STC sends a message to the "client" that the 
connection is complete. The "client" on the desktop then "daemonizes" itself to 
detach from the shell, retaining the socket to the STC. This "daemon" is then 
used as a "relay" for other commands in order to talk to the z/OS STC. But, now 
that I think about what happens in CICS, if I don't do the equivalent of a 
ENVIR=DELETE before terminating the STC, I won't get the RACF SMF record that I 
would like. 

> 
> There is something that makes me uneasy about an address 
> space that spawns other address spaces in the fashion that 
> you describe - maybe I am concerned about ASVT slot shortages 
> if the spawn process gets into trouble or any x-memory coding 
> errors that could mark these ASIDs as non-reusable.   

The started task(s) involved do not use x-memory coding. They don't talk to 
each other after the START is done at all. They are totally independant. And 
they would be subject to a z/OS CANCEL command.

> 
> Rob Scott


--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Peter Nuttall 
Will do that ... No Problem ... 

Cheers,
Peter
 
 



"Lizette Koehler"  
Sent by: "IBM Mainframe Discussion List" 
16/04/2010 04:13 PM
Please respond to
"IBM Mainframe Discussion List" 


To
IBM-MAIN@bama.ua.edu
cc

Subject
Re: IEBCOPY losing APF authorisation in middle of JOB.








I will be interested to know what the final resolve will be.

Please post when you have that answer.

Lizette

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
> Behalf Of Peter Nuttall
> Sent: Friday, April 16, 2010 10:07 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: IEBCOPY losing APF authorisation in middle of JOB.
> 
> Thanks Lizette,
> 
> Think I'll leave it with the sysprogs for now ...
> 
> I did check the Parms though, and FASTCOPY=N is currently set ...
> 
> Thanks for the help,
> Peter
> 
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



This e-mail message, including any attachments transmitted with it, is 
CONFIDENTIAL and may contain legally privileged information. This message is 
intended solely for the use of the individual or entity to whom it is 
addressed. If you have received this message in error, please notify us 
immediately and delete it from your system. Please visit our website to read 
the full disclaimer: http://www.euroclear.com/site/public/disclaimer

Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Lizette Koehler 
I will be interested to know what the final resolve will be.

Please post when you have that answer.

Lizette

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
> Behalf Of Peter Nuttall
> Sent: Friday, April 16, 2010 10:07 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: IEBCOPY losing APF authorisation in middle of JOB.
> 
> Thanks Lizette,
> 
> Think I'll leave it with the sysprogs for now ...
> 
> I did check the Parms though, and FASTCOPY=N is currently set ...
> 
> Thanks for the help,
> Peter
> 
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Internal (program) start of an STC - MGCRE vs. ASCRE

2010-04-16 Thread Walt Farrell 
On Fri, 16 Apr 2010 08:43:52 -0500, Wayne Driscoll  wrote:

>To use the TCBSENV field, you issue a RACROUTE
>REQUEST=VERIFY,ENVIRN=CREATE and specify ACEE= passing the address of a
>fullword where RACF returns the ACEE.  You then store that address in
>TCBSENV,  You also need to specify that the ACEE is created below the
>line.  You are also responsible for issuing the RACROUTE
>REQUEST=VERIFY,ENVIRN=DELETE when the use logs off.   One thing to beware
>is that the TCBSENV is not propagated to subtasks, so if any services that
>use ATTACH are allowed, then you will need a way to get the subtask
>TCBSENV populated.
>However, I have to say that I agree that the best approach is to use UNIX
>services, since UNIX has been required since OS/390 1.5.  People may not
>"like" it, but they do need it.

I think it's much better, Wayne, to simply issue the VERIFY without ACEE=
and let RACF automatically anchor it in TCBSENV for you.  

Good point about ATTACH, by the way, but there is at least one case where it
will propagate. Taking a request off of a WLM queue will get an
automatic VERIFY request done, for example, and if that subtask does an
ATTACH TCBSENV will propagate.  I'm not sure if there are other cases of this.

By the way, it's also important to do the corresponding VERIFY with
ENVIR=DELETE later.

-- 
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Peter Nuttall 
Thanks Lizette,

Think I'll leave it with the sysprogs for now ... 

I did check the Parms though, and FASTCOPY=N is currently set ... 

Thanks for the help,
Peter
 
 



"Lizette Koehler"  
Sent by: "IBM Mainframe Discussion List" 
16/04/2010 03:16 PM
Please respond to
"IBM Mainframe Discussion List" 


To
IBM-MAIN@bama.ua.edu
cc

Subject
Re: IEBCOPY losing APF authorisation in middle of JOB.








Peter,
If the expectation is that PDSMAN's FASTCOPY replaces IEBCOPY, then yes, a
change to the $IEBCOPY statement in the parms could have an affect.

Determine the following
1)  Is there an LMP Key for FASTCOPY?
2)  What was the change that required NEWRULES?  Can you compare the
previous parm for PDSMAN with what went in with the NEWRULES?
3)  To truly eliminate FASTCOPY or PDSMAN, you would shut down the PDSMAN
STC and rerun the step.  Danger - if anything is using the FASTCOPY
functions, they will fail while PDSMAN is down.

I don't know of any conditions in PDSMAN that would produce an IEB1099E
message.  This may be pure IEBCOPY and not PDSMAN.  However, eliminating
PDSMAN will be good.

If you are getting the IEB1099E message - then is it possible that there 
is
a unique function in this one step.

I see there are 2 flavors or IEB1099.  There is IEB1099I and IEB1099E.

For IEB1099E it states:

IEBCOPY has found that it is not authorized. IEBCOPY must run from an
authorized library to use special I/O appendages.

I would see if that is the case as well.

Lizette


>  Peter wrote:
>
> 
> Lizette,
> 
> PDSMAN stc has not been shutdown since last weekend.  However in the
> joblog of the started task I see the following :
> 
> 10.59.17 STC32844  FRIDAY,16 APR 2010 
> 10.59.17 STC32844  PDSMOPR-00 Input -> NEWRULES
> 10.59.52 STC32844  PDSM00-34  PDSMAN RELEASE 7.60
> 
> The job steps at around this time are :
> 
> 10.59.22 JOB21391  -EOC004   BEBL3025 BASN121  04 85
> 10.59.22 JOB21391  IGD01008I SC : SYS10106.T105922.RA000.BEBL3025.R03
> 10.59.22 JOB21391  IGD01010I SG : SYS10106.T105922.RA000.BEBL3025.R03
> 10.59.23 JOB21391  +IEB1099E *** IEBCOPY IS NOT APF AUTHORIZED ***
> 10.59.23 JOB21391  -EOC004   BEBL3025 BASN121  08105
> 
> Could the NEWRULES be the cause ?
> 
> Peter,
> 
> IEB1099I message only appears in the failing step's sysout ... It's
> interesting that it gets changed to IEB1099E with the same message text
> at
> the end of the sysout, but I guess that makes sense as you do want it
> to
> be an error message :-) 
> 
> Kind regards,

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



This e-mail message, including any attachments transmitted with it, is 
CONFIDENTIAL and may contain legally privileged information. This message is 
intended solely for the use of the individual or entity to whom it is 
addressed. If you have received this message in error, please notify us 
immediately and delete it from your system. Please visit our website to read 
the full disclaimer: http://www.euroclear.com/site/public/disclaimer

Re: IEFUSI - RESERVE SPACE

2010-04-16 Thread Arthur Gutowski 
On Thu, 15 Apr 2010 13:46:26, Ted MacNEIL  wrote:

>Third, with the restructuring of the way initiators work, where draining an 
>init 
actually terminates the offending address space underpinning that init, rather 
than a random one, we found most of the reasons for the exit disappeared.

Not that JES flavor was specified, but with JES3, draining the init takes more 
effort.  Quiesce the entire class/group (set INIT counts to zero and wait for 
jobs to complete), then restart the class/group.

Is this still effective with WLM-managed INITs?  We don't use them, but ISTR 
you lose the ability to manually drain/start inidividual initiators, and 
therefore 
would have to quiesce an entire job class.

In these cases, IEFUSI seems like the easier path.  CHECKREGIONLOSS looks 
interesting, too...

Regards,
Art Gutowski
Ford Motor Company

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Internal (program) start of an STC - MGCRE vs. ASCRE

2010-04-16 Thread Rob Scott 
John

Yeah RACROUTE VERIFY(X) is the fella - see the RACROUTE manual for more info - 
not exactly a "for dummies" book though :-)

Obviously with a multi-user address space you would need to wrap somnething 
like a task-level RESMGR around each TCB that is created for the user "signon". 
If there is no z/OS-supplied cleanup of ACEE, then your RESMGR could perform 
the VERIFYX ENVIR=DELETE - in fact this is probably a good idea anyway.
Another job for the RESMGR could be to cut a "sign-off" SMF record (and you 
could cut a "sign-on" when you perform the VERIFYX ENVIR=CREATE).

If you go down the "START" command route and your method of assigning ownership 
to the created address space is a parameter on the START command - what is to 
stop any bozo who has opercmd authority from spoofing a userid on to one of 
your address spaces ?

There is something that makes me uneasy about an address space that spawns 
other address spaces in the fashion that you describe - maybe I am concerned 
about ASVT slot shortages if the spawn process gets into trouble or any 
x-memory coding errors that could mark these ASIDs as non-reusable.   

  


Rob Scott
Developer
Rocket Software
275 Grove Street * Newton, MA 02466-2272 * USA
Tel: +1.617.614.2305 
Email: rsc...@rs.com
Web: www.rocketsoftware.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
McKown, John
Sent: 16 April 2010 14:25
To: IBM-MAIN@bama.ua.edu
Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE

> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Rob Scott
> Sent: Friday, April 16, 2010 7:51 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE
> 
> >>I don't think I can use a single STC because I want the STC
> to service multiple users, each with their own RACF security 
> environment (different z/OS RACF ids).
> 
> This is possible within z/OS and exactly why the TCBSENV field exists.
> 
> Rob Scott

Now that you mention it, I remember that ROSCOE did this too. Unfortunately, I 
don't know how to do this, and can't find documentation on it that I understand 
(I think this is some RACROUTE function, VERIFYX?). I do seem to understand the 
BPX1SEC service, which is address space oriented. Perhaps I should just "go 
UNIX" and use POSIX threads with the BPX1TLS (pthread_security_np) service. I 
don't know why, but these just seem easier to use, to me. Then again, there's 
the RACF callable service: IRRSIA00. Also, if I use a separate address space, I 
don't need to worry about deleting the ACEE. I don't know what happens when a 
subtask does a VERIFYX to set the TCBSENV terminates. I would like a RACF SMF 
records to be cut like happens with CICS on the CESN and CESF commands. I 
haven't seen a "Programming RACF Interfaces for Dummies" book around. Not that 
I'm likely to actually __do__ this. My company is very tight on CPU and likely 
would not approve me "doing things in order to lea!
 rn" anymore. Another point is the SDSF OWNER field. With different STCs, one 
per user, I think the SDSF OWNER would show who was "logged on" to the service 
via that STC. Of course, I could make the STC respond to a MODIFY command such 
as: F STCNAME,LIST USERS or some such. Also, the resource usage would be 
recorded to a specific STC, and thus user, in the SMF records cut for the STC. 
At least I hope the SMF records would show the "logged on" RACF id for the STC. 
But, if I use the MGCRE to do a START, then I'm going to put the RACF id in the 
start: START STCJCL.racfid or maybe use a started JOB: START 
STCJCL,JOBNAME=racfid.

--
John McKown
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell john.mck...@healthmarkets.com * 
www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at 
http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Internal (program) start of an STC - MGCRE vs. ASCRE

2010-04-16 Thread Wayne Driscoll 
John,
To use the TCBSENV field, you issue a RACROUTE 
REQUEST=VERIFY,ENVIRN=CREATE and specify ACEE= passing the address of a 
fullword where RACF returns the ACEE.  You then store that address in 
TCBSENV,  You also need to specify that the ACEE is created below the 
line.  You are also responsible for issuing the RACROUTE 
REQUEST=VERIFY,ENVIRN=DELETE when the use logs off.   One thing to beware 
is that the TCBSENV is not propagated to subtasks, so if any services that 
use ATTACH are allowed, then you will need a way to get the subtask 
TCBSENV populated. 
However, I have to say that I agree that the best approach is to use UNIX 
services, since UNIX has been required since OS/390 1.5.  People may not 
"like" it, but they do need it.

===
Wayne Driscoll
OMEGAMON DB2 L3 Support/Development
wdrisco(AT)us.ibm.com
===



From:
"McKown, John" 
To:
IBM-MAIN@bama.ua.edu
Date:
04/16/2010 08:25 AM
Subject:
Re: Internal (program) start of an STC - MGCRE vs. ASCRE
Sent by:
IBM Mainframe Discussion List 



> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Rob Scott
> Sent: Friday, April 16, 2010 7:51 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE
> 
> >>I don't think I can use a single STC because I want the STC 
> to service multiple users, each with their own RACF security 
> environment (different z/OS RACF ids).
> 
> This is possible within z/OS and exactly why the TCBSENV 
> field exists. 
> 
> Rob Scott

Now that you mention it, I remember that ROSCOE did this too. 
Unfortunately, I don't know how to do this, and can't find documentation 
on it that I understand (I think this is some RACROUTE function, 
VERIFYX?). I do seem to understand the BPX1SEC service, which is address 
space oriented. Perhaps I should just "go UNIX" and use POSIX threads with 
the BPX1TLS (pthread_security_np) service. I don't know why, but these 
just seem easier to use, to me. Then again, there's the RACF callable 
service: IRRSIA00. Also, if I use a separate address space, I don't need 
to worry about deleting the ACEE. I don't know what happens when a subtask 
does a VERIFYX to set the TCBSENV terminates. I would like a RACF SMF 
records to be cut like happens with CICS on the CESN and CESF commands. I 
haven't seen a "Programming RACF Interfaces for Dummies" book around. Not 
that I'm likely to actually __do__ this. My company is very tight on CPU 
and likely would not approve me "doing things in order to lea!
 rn" anymore. Another point is the SDSF OWNER field. With different STCs, 
one per user, I think the SDSF OWNER would show who was "logged on" to the 
service via that STC. Of course, I could make the STC respond to a MODIFY 
command such as: F STCNAME,LIST USERS or some such. Also, the resource 
usage would be recorded to a specific STC, and thus user, in the SMF 
records cut for the STC. At least I hope the SMF records would show the 
"logged on" RACF id for the STC. But, if I use the MGCRE to do a START, 
then I'm going to put the RACF id in the start: START STCJCL.racfid or 
maybe use a started JOB: START STCJCL,JOBNAME=racfid.

--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please 
contact the sender by reply e-mail and destroy all copies of the original 
message. HealthMarkets(r) is the brand name for products underwritten and 
issued by the insurance subsidiaries of HealthMarkets, Inc. -The 
Chesapeake Life Insurance Company(r), Mid-West National Life Insurance 
Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM

 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: DFS/SMB and authentication

2010-04-16 Thread Mark Jacobs 

On 04/15/10 22:41, Paul Oliver wrote:

Hi, I'm attempting to implement DFS/SMB on z/OS 1.9 to enable a shared HFS
resource to be mapped to a PC drive. I've been able to accomplish this by
using clear password text and the smbidmap file, my PC (SMB) userid is
different than my mainframe userid. However when I try to use passthrough
authentication by pointing to the customer's Active Directory domain
controllers authentication fails. The DFS/SMB manual states that if
passthrough authentication fails local authentication might be attempted. So
far I've been unable to get any authentication to work once I define the
authentication servers. Has anybody been able to get DFS/SMB working using
passthrough autentication ? Also is there any way of enabling more informative
messages to determine what is happening ? Currently all I get are :

IOEW16132I DFSKERN accepted connection from 10.86.1.17 socket 10.
IOEW16135I DFSKERN authentication failed for user steel/wemort on
10.86.1.17 socket 10.
IOEW16136I DFSKERN cancelling socket 13 request 7E812260.
IOEW16136I DFSKERN cancelling socket 10 request 7E812180.

But there is no indication where the authentication is failing. I know by using
the NetStat command that the DFSKERN task is establishing a session with the
domain controller. I have the environment variable set as
_IOE_SMB_CONNECT_MSGS=2

Thanks, Paul...


   


SMB doesn't work with Active Directory authentication services only the 
older NT Domain controllers. IBM has stated that they are aware of the 
limitation and it's on their radar to implement, someday.


--
Mark Jacobs
Time Customer Service
Tampa, FL


It is impossible to make anything foolproof, because fools
are so ingenious.

 -- Robert Heinlein

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Internal (program) start of an STC - MGCRE vs. ASCRE

2010-04-16 Thread McKown, John 
> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Hunkeler Peter (KIUP 4)
> Sent: Friday, April 16, 2010 8:06 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE
> 
> >Because I believe that some reactionary shops don't like z/OS 
> >UNIX System Services and I'm considering pandering to them. 
> 
> It's not a question if you (sorry, I mean they) like it or not.
> If they run z/OS, they have got UNIX. They'd better be prepared
> for the next update of one of their IBM or vendor software
> product. It might become a UNIX application all over a sudden.
> 
> We're about to upgrade a vendor software and this now requires
> to be run under the Java VM (for good reasons; I don't want to
> go into details here).
> 
> >... complain bitterly about "idiot designers" who ...
> Only time will tell who has been an idiot ;-)
> 
> >Fully using UNIX would make this much easier to write.
> 
> Having a long term MVS background myself, I still think you
> would be better off the UNIX way. Even if your server is
> run from a PDS(E), will all your users need to have UNIX 
> credentials (UID/GID), so in fact you can't hide doing UNIX 
> stuff.
> 
> 
> --
> Peter Hunkeler
> Credit Suisse

We use the RACF BPX.DEFAULT.USER profile in the FACILITY class so that ftp 
users don't need a UNIX segment. I don't know if this would work properly for 
my process. And, yes, I would like to "go UNIX" and may anyway. It's not as if 
I'm really going to be allowed to develop this monster. There is no company 
need for such as we are a Windows shop on the desktop. And "I don't do 
Windows". My client code will be developed on Linux/Intel. It __might__ run on 
other UNIX systems (I'll try to not do Linux specific coding). This might allow 
it to run on Windows with Cygwin. And I'll try to get it to work on MacOSX 
(which I have at home).

--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Internal (program) start of an STC - MGCRE vs. ASCRE

2010-04-16 Thread McKown, John 
> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Rob Scott
> Sent: Friday, April 16, 2010 7:51 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE
> 
> >>I don't think I can use a single STC because I want the STC 
> to service multiple users, each with their own RACF security 
> environment (different z/OS RACF ids).
> 
> This is possible within z/OS and exactly why the TCBSENV 
> field exists. 
> 
> Rob Scott

Now that you mention it, I remember that ROSCOE did this too. Unfortunately, I 
don't know how to do this, and can't find documentation on it that I understand 
(I think this is some RACROUTE function, VERIFYX?). I do seem to understand the 
BPX1SEC service, which is address space oriented. Perhaps I should just "go 
UNIX" and use POSIX threads with the BPX1TLS (pthread_security_np) service. I 
don't know why, but these just seem easier to use, to me. Then again, there's 
the RACF callable service: IRRSIA00. Also, if I use a separate address space, I 
don't need to worry about deleting the ACEE. I don't know what happens when a 
subtask does a VERIFYX to set the TCBSENV terminates. I would like a RACF SMF 
records to be cut like happens with CICS on the CESN and CESF commands. I 
haven't seen a "Programming RACF Interfaces for Dummies" book around. Not that 
I'm likely to actually __do__ this. My company is very tight on CPU and likely 
would not approve me "doing things in order to lea!
 rn" anymore. Another point is the SDSF OWNER field. With different STCs, one 
per user, I think the SDSF OWNER would show who was "logged on" to the service 
via that STC. Of course, I could make the STC respond to a MODIFY command such 
as: F STCNAME,LIST USERS or some such. Also, the resource usage would be 
recorded to a specific STC, and thus user, in the SMF records cut for the STC. 
At least I hope the SMF records would show the "logged on" RACF id for the STC. 
But, if I use the MGCRE to do a START, then I'm going to put the RACF id in the 
start: START STCJCL.racfid or maybe use a started JOB: START 
STCJCL,JOBNAME=racfid.

--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Lizette Koehler 
Peter,
If the expectation is that PDSMAN's FASTCOPY replaces IEBCOPY, then yes, a
change to the $IEBCOPY statement in the parms could have an affect.

Determine the following
1)  Is there an LMP Key for FASTCOPY?
2)  What was the change that required NEWRULES?  Can you compare the
previous parm for PDSMAN with what went in with the NEWRULES?
3)  To truly eliminate FASTCOPY or PDSMAN, you would shut down the PDSMAN
STC and rerun the step.  Danger - if anything is using the FASTCOPY
functions, they will fail while PDSMAN is down.

I don't know of any conditions in PDSMAN that would produce an IEB1099E
message.  This may be pure IEBCOPY and not PDSMAN.  However, eliminating
PDSMAN will be good.

If you are getting the IEB1099E message - then is it possible that there is
a unique function in this one step.

I see there are 2 flavors or IEB1099.  There is IEB1099I and IEB1099E.

For IEB1099E it states:

IEBCOPY has found that it is not authorized. IEBCOPY must run from an
authorized library to use special I/O appendages.

I would see if that is the case as well.

Lizette


>  Peter wrote:
>
> 
> Lizette,
> 
> PDSMAN stc has not been shutdown since last weekend.  However in the
> joblog of the started task I see the following :
> 
> 10.59.17 STC32844  FRIDAY,16 APR 2010 
> 10.59.17 STC32844  PDSMOPR-00 Input -> NEWRULES
> 10.59.52 STC32844  PDSM00-34  PDSMAN RELEASE 7.60
> 
> The job steps at around this time are :
> 
> 10.59.22 JOB21391  -EOC004   BEBL3025 BASN121  04 85
> 10.59.22 JOB21391  IGD01008I SC : SYS10106.T105922.RA000.BEBL3025.R03
> 10.59.22 JOB21391  IGD01010I SG : SYS10106.T105922.RA000.BEBL3025.R03
> 10.59.23 JOB21391  +IEB1099E *** IEBCOPY IS NOT APF AUTHORIZED ***
> 10.59.23 JOB21391  -EOC004   BEBL3025 BASN121  08105
> 
> Could the NEWRULES be the cause ?
> 
> Peter,
> 
> IEB1099I message only appears in the failing step's sysout ... It's
> interesting that it gets changed to IEB1099E with the same message text
> at
> the end of the sysout, but I guess that makes sense as you do want it
> to
> be an error message :-) 
> 
> Kind regards,

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Internal (program) start of an STC - MGCRE vs. ASCRE

2010-04-16 Thread Hunkeler Peter (KIUP 4) 
>Because I believe that some reactionary shops don't like z/OS 
>UNIX System Services and I'm considering pandering to them. 

It's not a question if you (sorry, I mean they) like it or not.
If they run z/OS, they have got UNIX. They'd better be prepared
for the next update of one of their IBM or vendor software
product. It might become a UNIX application all over a sudden.

We're about to upgrade a vendor software and this now requires
to be run under the Java VM (for good reasons; I don't want to
go into details here).

>... complain bitterly about "idiot designers" who ...
Only time will tell who has been an idiot ;-)

>Fully using UNIX would make this much easier to write.

Having a long term MVS background myself, I still think you
would be better off the UNIX way. Even if your server is
run from a PDS(E), will all your users need to have UNIX 
credentials (UID/GID), so in fact you can't hide doing UNIX 
stuff.


--
Peter Hunkeler
Credit Suisse

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Internal (program) start of an STC - MGCRE vs. ASCRE

2010-04-16 Thread Rob Scott 
>>I don't think I can use a single STC because I want the STC to service 
>>multiple users, each with their own RACF security environment (different z/OS 
>>RACF ids).

This is possible within z/OS and exactly why the TCBSENV field exists. 

 


Rob Scott
Developer
Rocket Software
275 Grove Street * Newton, MA 02466-2272 * USA
Tel: +1.617.614.2305 
Email: rsc...@rs.com
Web: www.rocketsoftware.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
McKown, John
Sent: 16 April 2010 13:40
To: IBM-MAIN@bama.ua.edu
Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE

> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Hunkeler Peter (KIUP 4)
> Sent: Friday, April 16, 2010 1:32 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE
> 
> I admit I'm haven't completely understood what you want to do, but
> 
> o Why bother writing a listener by yourself if you can 
>   take advantage of inetd. From what I understood, it
>   does what you need: Start a new process for each new
>   "login".

Yes inetd does that. So why bother to "roll my own"? Because I believe that 
some reactionary shops don't like z/OS UNIX System Services and I'm considering 
pandering to them. I know that I'm the only sysprog here who has any knowledge 
of, or liking for, UNIX stuff. The others mutter under their breaths when 
confronted with it. For instance, they hate having a config file in /etc 
instead of SYS1.PARMLIB or some other PDS and complain bitterly about "idiot 
designers" who use UNIX services or files. If I use inetd, then my application 
must be a UNIX application - residing in a UNIX subdirectory and not a "legacy" 
application, residing in a PDS[E]. Again, pandering to the "anti UNIX" forces. 
Fully using UNIX would make this much easier to write.

> 
> o Why do you need another fork() of your "login process"
>   and have it daemonize itself? Do you really need two
>   *independent* processes for each client that has logged
>   in?

This is on the "client" end. The user enters a "logon" command to establish 
communications to the z/OS system. Once validated, I want a non-terminal 
process active to talk to the z/OS process. That is why I "daemonize" on the 
client. In order to free up and be independant of the shell command. I am 
probably using the wrong terminology. And I don't want a single process for all 
users, but a separate process for each user which is initiated by the "logon" 
command.

>   
>   Taking up your "ftp picture":
>   the "ftp client" process started by the ftpd is not a
>   daemon as I understand it. It is simply one end of
>   the ftp connection.

True. My poor choice of description.

> 
> o I thought that AF_UNIX is for connections *within" a
>   single instance of UNIX. Would you need this to 
>   communicate between the two server side processes?

Between two client side (desktop) processes. The client "login" command fork()s 
after validation in order to not tie up the command prompt as well as be 
independant of it (like running something "nohup command &" is "detached" from 
the command line, kinda, sorta). This process becomes a "communications 
channel" to the process, which was started from inetd or my own "listener", 
running on z/OS system. Now, I need a way to talk from another client command 
to this "communications channel" "daemon". I will use AF_UNIX to talk from the 
"command line command" to the "personal daemon", which is simply a relay to the 
z/OS process. I fear that I'm still not making sense, but it's because I can't 
think of the proper terminology. What I'm trying to avoid is starting another 
z/OS address space for each client command. I don't think I can use a single 
STC because I want the STC to service multiple users, each with their own RACF 
security environment (different z/OS RACF ids). 

> 
> --
> Peter Hunkeler
> CREDIT SUISSE AG

If I ever get something really designed, I may be able to better explain what 
I'm trying to do. For now, I was just wanting to know which technique to use: 
ASCRE or MGCRE START if I write my own "listener" instead of using inetd.

--
John McKown
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell john.mck...@healthmarkets.com * 
www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

--

Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Peter Nuttall 
Lizette,

PDSMAN stc has not been shutdown since last weekend.  However in the 
joblog of the started task I see the following :

10.59.17 STC32844  FRIDAY,16 APR 2010  
10.59.17 STC32844  PDSMOPR-00 Input -> NEWRULES 
10.59.52 STC32844  PDSM00-34  PDSMAN RELEASE 7.60 

The job steps at around this time are :

10.59.22 JOB21391  -EOC004   BEBL3025 BASN121  04 85 
10.59.22 JOB21391  IGD01008I SC : SYS10106.T105922.RA000.BEBL3025.R03
10.59.22 JOB21391  IGD01010I SG : SYS10106.T105922.RA000.BEBL3025.R03
10.59.23 JOB21391  +IEB1099E *** IEBCOPY IS NOT APF AUTHORIZED *** 
10.59.23 JOB21391  -EOC004   BEBL3025 BASN121  08105 

Could the NEWRULES be the cause ?

Peter,

IEB1099I message only appears in the failing step's sysout ... It's 
interesting that it gets changed to IEB1099E with the same message text at 
the end of the sysout, but I guess that makes sense as you do want it to 
be an error message :-) 

Kind regards,
Peter
 
 



"Lizette Koehler"  
Sent by: "IBM Mainframe Discussion List" 
16/04/2010 02:22 PM
Please respond to
"IBM Mainframe Discussion List" 


To
IBM-MAIN@bama.ua.edu
cc

Subject
Re: IEBCOPY losing APF authorisation in middle of JOB.








Let me add one more point.

If you have PDSMAN and it is intercepting IEBCOPY.  If the STC for PDSMAN 
is
down you would only see IEB messages and not FCO.  And this could create
some interesting issues.

If you do not use PDSMAN's Fastcopy, then having the PDSMAN STC down would
be less of a problem.

Lizette


> 
> Thanks Lizette,
> 
> I don't see any FCO messages in any of the sysouts for the failing or
> the
> preceding steps  But I guess those messages could be
> changed/overridden ...
> 
> No Steplib and the JOBLIB is obviously the same for all the steps ...
> When
> the job was restarted from the failing step, no change was made to the
> JOBLIB or the Step itself and it ran successfully ...
> 
> peculiar 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



This e-mail message, including any attachments transmitted with it, is 
CONFIDENTIAL and may contain legally privileged information. This message is 
intended solely for the use of the individual or entity to whom it is 
addressed. If you have received this message in error, please notify us 
immediately and delete it from your system. Please visit our website to read 
the full disclaimer: http://www.euroclear.com/site/public/disclaimer

Re: Internal (program) start of an STC - MGCRE vs. ASCRE

2010-04-16 Thread McKown, John 
> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Hunkeler Peter (KIUP 4)
> Sent: Friday, April 16, 2010 1:32 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE
> 
> I admit I'm haven't completely understood what you want
> to do, but
> 
> o Why bother writing a listener by yourself if you can 
>   take advantage of inetd. From what I understood, it
>   does what you need: Start a new process for each new
>   "login".

Yes inetd does that. So why bother to "roll my own"? Because I believe that 
some reactionary shops don't like z/OS UNIX System Services and I'm considering 
pandering to them. I know that I'm the only sysprog here who has any knowledge 
of, or liking for, UNIX stuff. The others mutter under their breaths when 
confronted with it. For instance, they hate having a config file in /etc 
instead of SYS1.PARMLIB or some other PDS and complain bitterly about "idiot 
designers" who use UNIX services or files. If I use inetd, then my application 
must be a UNIX application - residing in a UNIX subdirectory and not a "legacy" 
application, residing in a PDS[E]. Again, pandering to the "anti UNIX" forces. 
Fully using UNIX would make this much easier to write.

> 
> o Why do you need another fork() of your "login process"
>   and have it daemonize itself? Do you really need two
>   *independent* processes for each client that has logged
>   in?

This is on the "client" end. The user enters a "logon" command to establish 
communications to the z/OS system. Once validated, I want a non-terminal 
process active to talk to the z/OS process. That is why I "daemonize" on the 
client. In order to free up and be independant of the shell command. I am 
probably using the wrong terminology. And I don't want a single process for all 
users, but a separate process for each user which is initiated by the "logon" 
command.

>   
>   Taking up your "ftp picture":
>   the "ftp client" process started by the ftpd is not a
>   daemon as I understand it. It is simply one end of
>   the ftp connection.

True. My poor choice of description.

> 
> o I thought that AF_UNIX is for connections *within" a
>   single instance of UNIX. Would you need this to 
>   communicate between the two server side processes?

Between two client side (desktop) processes. The client "login" command fork()s 
after validation in order to not tie up the command prompt as well as be 
independant of it (like running something "nohup command &" is "detached" from 
the command line, kinda, sorta). This process becomes a "communications 
channel" to the process, which was started from inetd or my own "listener", 
running on z/OS system. Now, I need a way to talk from another client command 
to this "communications channel" "daemon". I will use AF_UNIX to talk from the 
"command line command" to the "personal daemon", which is simply a relay to the 
z/OS process. I fear that I'm still not making sense, but it's because I can't 
think of the proper terminology. What I'm trying to avoid is starting another 
z/OS address space for each client command. I don't think I can use a single 
STC because I want the STC to service multiple users, each with their own RACF 
security environment (different z/OS RACF ids). 

> 
> --
> Peter Hunkeler
> CREDIT SUISSE AG

If I ever get something really designed, I may be able to better explain what 
I'm trying to do. For now, I was just wanting to know which technique to use: 
ASCRE or MGCRE START if I write my own "listener" instead of using inetd.

--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or 
proprietary information. If you are not the intended recipient, please contact 
the sender by reply e-mail and destroy all copies of the original message. 
HealthMarkets(r) is the brand name for products underwritten and issued by the 
insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance 
Company(r), Mid-West National Life Insurance Company of TennesseeSM and The 
MEGA Life and Health Insurance Company.SM

 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Lizette Koehler 
Let me add one more point.

If you have PDSMAN and it is intercepting IEBCOPY.  If the STC for PDSMAN is
down you would only see IEB messages and not FCO.  And this could create
some interesting issues.

If you do not use PDSMAN's Fastcopy, then having the PDSMAN STC down would
be less of a problem.

Lizette


> 
> Thanks Lizette,
> 
> I don't see any FCO messages in any of the sysouts for the failing or
> the
> preceding steps  But I guess those messages could be
> changed/overridden ...
> 
> No Steplib and the JOBLIB is obviously the same for all the steps ...
> When
> the job was restarted from the failing step, no change was made to the
> JOBLIB or the Step itself and it ran successfully ...
> 
> peculiar 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Hunkeler Peter (KIUP 4) 
> ... When the job was restarted from the failing step, no change 
>was made to the JOBLIB or the Step itself and it ran successfully

Out of curiosity, and since I just learned that IEBCOPY will
issue message IEB1099I at startup if it finds itself not running APF
authorized: Would you have a look at the steps in your job to see
if msg IEB1099I had been issued form some or all of them?

--
Peter Hunkeler
Credit Suisse

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Peter Nuttall 
Thanks Lizette,

I don't see any FCO messages in any of the sysouts for the failing or the 
preceding steps  But I guess those messages could be 
changed/overridden ... 

No Steplib and the JOBLIB is obviously the same for all the steps ... When 
the job was restarted from the failing step, no change was made to the 
JOBLIB or the Step itself and it ran successfully ... 

peculiar  

Cheers,
Peter 
 
 



"Lizette Koehler"  
Sent by: "IBM Mainframe Discussion List" 
16/04/2010 01:34 PM
Please respond to
"IBM Mainframe Discussion List" 


To
IBM-MAIN@bama.ua.edu
cc

Subject
Re: IEBCOPY losing APF authorisation in middle of JOB.








PDSMAN has a facility called FASTCOPY that will intercept the call to
IEBCOPY (This is in the PDSMAN Parms) and use FASTCOPY instead.  You can
tell when FASTCOPY is used because in the SYSOUT instead of IEBI
messages you will see FCOI messages.  So you might have PGM=IEBCOPY
coded, but FASTCOPY is actually being used.

My thought would be that either you have a STEPLIB/JOBLIB that invalidates
the Authorization  or   that it is run from a TSO environment and IKJTSOxx
does not have IEBCOPY in the authorization list.

Lizette


> -Original Message-
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
> Behalf Of Peter Nuttall
> Sent: Friday, April 16, 2010 7:25 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: IEBCOPY losing APF authorisation in middle of JOB.
> 
> Lol  Not SMP  Just copying members from one library to
> another ...
> This is part of a change management install (using Changeman (Serena)),
> but the batch job is only using IEBCOPY to copy members from and to
> non-APF authorised PDS libraries 
> 
> I have been told that PDSMAN does somehow transparently intercept
> IEBCOPY
> ? ... Though quite how, I'm unsure ...
> 
> 
> 
> 
> 
> "Shane Ginnane" 
> Sent by: "IBM Mainframe Discussion List" 
> 16/04/2010 01:08 PM
> Please respond to
> "IBM Mainframe Discussion List" 
> 
> 
> To
> IBM-MAIN@bama.ua.edu
> cc
> 
> Subject
> Re: IEBCOPY losing APF authorisation in middle of JOB.
> 
> 
> 
> 
> 
> 
> 
> 
> On Fri, Apr 16th, 2010 at 9:04 PM, "Hunkeler Peter" wrote:
> 
> > Is step 8 doing something different from all
> > the other steps? Something that might need APF auth.?
> 
> SMP maybe ?.
> 
> Just joking.
> .
> .
> I hope.
> 
> Shane ...
> 
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



This e-mail message, including any attachments transmitted with it, is 
CONFIDENTIAL and may contain legally privileged information. This message is 
intended solely for the use of the individual or entity to whom it is 
addressed. If you have received this message in error, please notify us 
immediately and delete it from your system. Please visit our website to read 
the full disclaimer: http://www.euroclear.com/site/public/disclaimer

Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Hunkeler Peter (KIUP 4) 
>> IEBCOPY does not need APF authorization for every 
>> operation. Is step 8 doing something different from all
>> the other steps? Something that might need APF auth.?
>
>AFAIK the above is not exact. IEBCOPY does check APF authorization 
>before run. Try the following: copy IEBCOPY member to your private 
>(non-APF) library and try to use it for any regular operation like 
>copying PDS FB80. You'll get RC8.

You made me thinking, but I was sure there is a difference between
the different operations wiht respect to APF authorization 
requirement. So I just tried two examples.

While IEBCOPY happily copied members from PDSE to PDSE even if running
unauthorized, it refused to do an UNLOAD operation on the same 
source dsn. You get the 
   IEB1099I *** IEBCOPY IS NOT APF AUTHORIZED ***
message in both cases, indeed (I didn't know), but obviously, it
is more of an information. The actual operation determines if
APF auth is really required or not.

-- 
Peter Hunkeler
Credit Suisse

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: SNA over TCPIP OS/390 1.3

2010-04-16 Thread Chris Mason 
Michael

So as an interim step in a decades-long migration "off the mainframe", the 
3745 is to be sunset. What we have which can be used to replace it for 
admittedly a very low traffic requirement is an OSA feature.

That being so, what I said last time about how to replace the 3745 with the 
OSA feature looks just fine to me. Is there anything about that with which 
you need clarification?

One minor adjustment is that what I said about TN3270.

>...> We have the IP TN3270 already on the OSA card ...

This implied you were using ICC. Since you would appear to be using the z/OS 
Communications Server TN3270 server function or the "TCP/IP for MVS" 
TN3270 server function already[1], that just eliminates part of the migration I 
assumed might be necessary.

I believe, in effect, you have already configured the OSA feature port for OSE 
channel type. You are currently running only IP but, with the aid of OSA/SF 
customization, you can add SNA capability.

The OSA feature looks like the sort of OSA-2 on which I honed my early OSA 
skills around 2000 such as all the ways to install OSA/SF and how to set it up 
to be shared by SNA and IP. I think that OSA-2 had the possibility to run 
either Ethernet or Token Ring and you had to decide which you wanted.

I found this snippet in the oldest OSA manual, "OSA Planning", "on" the 
OSA/SF shelf - which quixotically is where you are obliged to look for OSA 
manuals - I could find for the oldest z/OS release to which I - easily - have 
access, 1.1.[2]



3. Unique among OSA-2s, an ENTR OSA-2 has two physical ports, each of 
which can be connected to either an Ethernet LAN segment or a token-ring 
LAN segment. The other OSA-2s have only one physical port. 



>...> ... with an OSA card that supports Ethernet and Token Ring only on port 
and the Token Ring connection.

I think what you might have been saying here in your first post is that your 
OSA feature supports Token Ring and[3] Ethernet but has just one port. Also 
that it's the Token Ring plug to which you have a connection. That snippet 
confirms that you use either Ethernet *or* Token Ring.

> The OSA card has a Ethernet port and a Token ring port.

This from your latest post states two *ports* but it may be that you mean 
two *plugs*. You don't actually need a second port in order to share a single 
port for both IP and SNA. You just need to get to grips with OSA/SF - in case 
you have managed to avoid it so far.

Incidentally, I was on a consultancy when I earned my OSA and OSA/SF spurs 
and, being a conscientious consultant, I documented everything and I've held 
onto the documents. Some might argue that the documents belong to the 
customer who was paying me at the time and so might challenge my 
conscience!

Presumably you are retaining the 3174 and its attached devices pending 
the "reengineering" of the application(s) which rely on them for the business.

If the 3174 also through sheer decrepitude for example needs a one-for-one 
replacement, your 3174 and 3270 devices could be replaced by workstations 
running Windows and Personal Communications software.

I can see that when the "migration" started "migration off the mainframe" was 
on every suit's coffee table but I wonder if the suit responsible or his or her 
successors - the ones lined up by the original suit to take the blame - 
has/have taken a recent look at the glossy magazines on the coffee table and 
seen that "migration off the mainframe" is not now so fashionable. The trouble 
with fashion is that it can be so last year - or last decade - and especially 
last century!

Chris Mason

[1] I'm unclear about exactly when "TCP/IP for MVS" and VTAM combined to 
form z/OS Communications Server. It may have followed OS/390 V1R3. It 
actually doesn't change any of what I am proposing.

[2] http://www-03.ibm.com/systems/z/os/zos/bkserv/r1pdf/#osasf

[3] This should be "or" according to the snippet I found but you don't know 
that from just looking at it and "hope springs eternal ..."

On Fri, 16 Apr 2010 01:37:49 -0500, Michael Saraco  wrote:

What follows showed up as total garbage so I'm cutting the lot!!!
 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Lizette Koehler 
PDSMAN has a facility called FASTCOPY that will intercept the call to
IEBCOPY (This is in the PDSMAN Parms) and use FASTCOPY instead.  You can
tell when FASTCOPY is used because in the SYSOUT instead of IEBI
messages you will see FCOI messages.  So you might have PGM=IEBCOPY
coded, but FASTCOPY is actually being used.

My thought would be that either you have a STEPLIB/JOBLIB that invalidates
the Authorization  or   that it is run from a TSO environment and IKJTSOxx
does not have IEBCOPY in the authorization list.

Lizette


> -Original Message-
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
> Behalf Of Peter Nuttall
> Sent: Friday, April 16, 2010 7:25 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: IEBCOPY losing APF authorisation in middle of JOB.
> 
> Lol  Not SMP  Just copying members from one library to
> another ...
> This is part of a change management install (using Changeman (Serena)),
> but the batch job is only using IEBCOPY to copy members from and to
> non-APF authorised PDS libraries 
> 
> I have been told that PDSMAN does somehow transparently intercept
> IEBCOPY
> ? ... Though quite how, I'm unsure ...
> 
> 
> 
> 
> 
> "Shane Ginnane" 
> Sent by: "IBM Mainframe Discussion List" 
> 16/04/2010 01:08 PM
> Please respond to
> "IBM Mainframe Discussion List" 
> 
> 
> To
> IBM-MAIN@bama.ua.edu
> cc
> 
> Subject
> Re: IEBCOPY losing APF authorisation in middle of JOB.
> 
> 
> 
> 
> 
> 
> 
> 
> On Fri, Apr 16th, 2010 at 9:04 PM, "Hunkeler Peter" wrote:
> 
> > Is step 8 doing something different from all
> > the other steps? Something that might need APF auth.?
> 
> SMP maybe ?.
> 
> Just joking.
> .
> .
> I hope.
> 
> Shane ...
> 
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Peter Nuttall 
Lol  Not SMP  Just copying members from one library to another ... 
This is part of a change management install (using Changeman (Serena)), 
but the batch job is only using IEBCOPY to copy members from and to 
non-APF authorised PDS libraries  

I have been told that PDSMAN does somehow transparently intercept IEBCOPY 
? ... Though quite how, I'm unsure ... 
 
 



"Shane Ginnane"  
Sent by: "IBM Mainframe Discussion List" 
16/04/2010 01:08 PM
Please respond to
"IBM Mainframe Discussion List" 


To
IBM-MAIN@bama.ua.edu
cc

Subject
Re: IEBCOPY losing APF authorisation in middle of JOB.








On Fri, Apr 16th, 2010 at 9:04 PM, "Hunkeler Peter" wrote:

> Is step 8 doing something different from all
> the other steps? Something that might need APF auth.?

SMP maybe ?.

Just joking.
.
.
I hope.

Shane ...

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



This e-mail message, including any attachments transmitted with it, is 
CONFIDENTIAL and may contain legally privileged information. This message is 
intended solely for the use of the individual or entity to whom it is 
addressed. If you have received this message in error, please notify us 
immediately and delete it from your system. Please visit our website to read 
the full disclaimer: http://www.euroclear.com/site/public/disclaimer

Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread R.S. 

Hunkeler Peter (KIUP 4) pisze:
IEBCOPY does not need APF authorization for every 
operation. Is step 8 doing something different from all

the other steps? Something that might need APF auth.?


AFAIK the above is not exact. IEBCOPY does check APF authorization 
before run. Try the following: copy IEBCOPY member to your private 
(non-APF) library and try to use it for any regular operation like 
copying PDS FB80. You'll get RC8.



--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy 
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, 
nr rejestru przedsibiorców KRS 025237

NIP: 526-021-50-88
Wedug stanu na dzie 01.01.2009 r. kapita zakadowy BRE Banku SA (w caoci 
wpacony) wynosi 118.763.528 zotych. W zwizku z realizacj warunkowego 
podwyszenia kapitau zakadowego, na podstawie uchway XXI WZ z dnia 16 marca 
2008r., oraz uchway XVI NWZ z dnia 27 padziernika 2008r., moe ulec 
podwyszeniu do kwoty 123.763.528 z. Akcje w podwyszonym kapitale zakadowym 
BRE Banku SA bd w caoci opacone.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Shane Ginnane 
On Fri, Apr 16th, 2010 at 9:04 PM, "Hunkeler Peter" wrote:

> Is step 8 doing something different from all
> the other steps? Something that might need APF auth.?

SMP maybe ?.

Just joking.
.
.
I hope.

Shane ...

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Hunkeler Peter (KIUP 4) 
IEBCOPY does not need APF authorization for every 
operation. Is step 8 doing something different from all
the other steps? Something that might need APF auth.?

--
Peter Hunkeler
CREDIT SUISSE AG

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: SSH connection using PuTTY

2010-04-16 Thread Jan MOEYERSONS 
On Wed, 14 Apr 2010 13:25:59 +0200, Michael Knigge  wrote:

>All,
>
>could anyone tell me correct settings for a SSH connection to a z/OS
>Box? I use PuTTY and encounter some "funny" things, for i. e. I can't
>enter the number "2" Maybe just $TERM is wrong (I use "vt100").
>
Dear Michael,

I am using PuTTY with vanilla settings to get to the OMVS part of zOS. Works 
like a charm.
If you want TN3270, then I recommend Tom Brennans' Vista. (Also with vanilla 
settings, by the way).

Cheers,

Jantje.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: 45 years of Mainframe

2010-04-16 Thread Shmuel Metz (Seymour J.) 
In <60335.130.76.32.16.1271365431.squir...@webmail.iinet.com>, on
04/15/2010
   at 02:03 PM, George Fogg  said:

>I started on the 7094 and finishing on the z/10 this June.

I've got a friend who started on a 704. I, alas, started on a much slower
machine, the 650, about which I feel *no* nostalgia. I do, however, have
fond memories of the 7094.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see  
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

IEBCOPY losing APF authorisation in middle of JOB.

2010-04-16 Thread Peter Nuttall 
Hi All,

Just wondered if anybody else has come across this phenomenon.   We are 
z/OS 01.09.00. Have a job running a set of IEBCOPY steps and the 8th step 
failed with :

IEB1099E *** IEBCOPY IS NOT APF AUTHORIZED *** 

All the other steps worked ... The rerun of the job from the failing step 
worked successfully  Have checked the log and I don't see any APF type 
messages at the time of the failure (other than the one above ... )

Our sysproggys are currently investigating (apparently they suspect 
PDSMAN, but we weren't running PDSMAN, it was straight EXEC PGM=IEBCOPY)

Anyone got any ideas ?

Cheers,
Peter
 
This e-mail message, including any attachments transmitted with it, is 
CONFIDENTIAL and may contain legally privileged information. This message is 
intended solely for the use of the individual or entity to whom it is 
addressed. If you have received this message in error, please notify us 
immediately and delete it from your system. Please visit our website to read 
the full disclaimer: http://www.euroclear.com/site/public/disclaimer

AUTO: James Obrizok is out of the office on vacation (returning 04/19/2010)

2010-04-16 Thread James Obrizok 
I am out of the office until 04/19/2010.

 If you require immediate assistance, please contact my backup Fernando
Vega on 1-404-238-4580 or Jon Regitsky on 1-404-238-3134.  Thank you.


Note: This is an automated response to your message  "IBM-MAIN Digest - 14
Apr 2010 to 15 Apr 2010 (#2010-105)" sent on 4/16/10 0:00:02.

This is the only notification you will receive while this person is away.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

SSH connection using PuTTY

2010-04-16 Thread MONTERO ROMERO, ENRIQUE ELOI 
Hi Michael,

I use Putty, but there are several things to consider.

It cannot be used for 3270 emulation, in such case, use a Telnet3270 client. If 
you use Linux to connect to the z/OS, then download a free 3270 client from the 
cloud. If Windows, look in the cloud too or the WS3270 or IBM Personal 
Communication.

The putty can be used as a traditional telnet or ssh dummy terminal, and you 
must have the OMVS and the IBM Ported Tools enabled in the z/OS. Will never see 
an ISPF/CICS/VTAM screens.

Good Luck
Enrique Montero


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html