Re: FICON channel utilization
Radoslaw

I agree that you wouldn't do this in production, but it is a perfectly valid way to measure the throughput of a host channel. Besides fanning out through an 8Gb switch to multiple FICON blades or storage controllers, I would also suggest that you make sure the other port on the 8S channel card is not being used so that any shared paths and components do not affect your results. I always try to use only one CHPID per host card when I test in the HDS lab to minimize this sort of effect on measurement.

Ron

> BTW: I'm going to connect the chpid to 8gbps switch and SFP and rerun the test. Of course single channel attached CU is not intended to use in production.

-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
issuing console command via CONSOLE+GETMSG without occurring in the syslog
hi all,

is it possible to issue a console command via CONSOLE+GETMSG in a rexx without the resulting messages occurring in the syslog?

thanks for your help
stephen

---
Dr. Stephen Fedtke
Enterprise-IT-Security.com
Seestrasse 3a
CH-6300 Zug
Switzerland
Tel. ++41-(0)41-710-4005
www.enterprise-it-security.com
++NEWS++ SF-NoEvasion lets you avoid all 10 pitfalls when connecting z/OS to your SIEM ++NEWS++
SMPE HOLDDATA question..
Hi,

I am new to System programming and have the following doubt... Below is the extract of latest HOLDDATA from IBM site and what I understand of it.

++ NULL.
/* Enhanced Holddata from 02/07/2012 to 03/08/2012 */
++HOLD(HAAWA10) FMID(HAAWA10) REASON(AM58699) ERROR DATE(12066) COMMENT(SMRTDATA(SYMP(DAL) CHGDT(120306))) CLASS(HIPER).
++HOLD(HAAW910) FMID(HAAW910) REASON(AM58694) ERROR DATE(12060) COMMENT(SMRTDATA(SYMP(DAL) CHGDT(120229))) CLASS(HIPER).
++HOLD(HADLA10) FMID(HADLA10) REASON(AM54484) ERROR DATE(12040) COMMENT(SMRTDATA(FIX(UK75991) SYMP(FUL) CHGDT(120209))) CLASS(HIPER).
++HOLD(HADRA10) FMID(HADRA10) REASON(AM48159) ERROR DATE(12045) COMMENT(SMRTDATA(FIX(UK74162) SYMP(FUL) CHGDT(120214))) CLASS(HIPER).
++HOLD(HADRB10) FMID(HADRB10) REASON(AM54307) ERROR DATE(12061) COMMENT(SMRTDATA(FIX(UK75928) SYMP(FUL) CHGDT(120301))) CLASS(HIPER).

The first HOLD statement says do not apply SYSMOD HAAWA10 because there is an unresolved APAR AM58699 (HIPER).

The second HOLD statement says do not apply SYSMOD HAAW910 because there is an unresolved APAR AM58694 (HIPER).

Third HOLD statement says there is an APAR AM54484 on FMID HADLA10 but a fix PTF UK75991 is available.

Does this mean I skip applying first two SYSMODs HAAWA10 and HAAW910, I will apply the third SYSMOD HADLA10 but follow it up with PTF UK75991 apply.

What does it mean when they say obtain your latest HOLDDATA from IBM site and apply it?! Also, when exactly I choose to BYPASS the HOLD information?!

Thanks
Rgds
Sridhar K Veena
IMS DBA - Mainframe DBA Services Team
Infrastructure Management Senior Analyst
ACS, A Xerox Company
VOIP: 214-584-2788
Cell: +91-9686570979
sridhar.ve...@acs-inc.com
Re: issuing console command via CONSOLE+GETMSG without occurring in the syslog
> hi all, is it possible to issue a console command via CONSOLE+GETMSG in a rexx without the resulting messages occurring in the syslog? thanks for your help stephen
> --- Dr. Stephen Fedtke Enterprise-IT-Security.com

I am not sure about your environment, but in mine we have CA OPS/MVS which can suppress most things from SYSLOG if we set it up. So, yes it is possible from an automation tool.

What command was issued and what was the response that is not in SYSLOG? It helps to have a fuller picture. Or do you want your rexx to not display the command and response in syslog?

Lizette
Re: Interfacing with the MainFrame
In 5664523867703651.wa.dropipopigmail@bama.ua.edu, on 03/07/2012 at 02:47 PM, Ed Mackmahon dropip...@gmail.com said:

> How would you prefer a product running on a server outside the mainframe will interface with the mainframe?

That would depend on what it was interfacing with.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress. (S877: The Shut up and Eat Your spam act of 2003)
Re: LAE instruction
In a40b6ee2-4dce-43be-8253-048a17c74...@optonline.net, on 03/06/2012 at 05:52 PM, Micheal Butz michealb...@optonline.net said:

> But plays no role as far as access register value

Why would you use LAE if all you wanted to do was to set an AR?

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Re: LAE instruction
In 7f75cd8a-0b29-448a-bac8-2738c7c3a...@optonline.net, on 03/06/2012 at 09:29 PM, Micheal Butz michealb...@optonline.net said:

> Or a more practical use of LAE
> Is chaining thru control blocks from another address space
>
> SAC. 512
> LAM R3,R3,ASNALET
> L. R3,ASXBFTCB
> USING TCB,R3
> LAE. R4,TCBRBP
> USING R4,RB

That doesn't do what you think it does.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Re: LAE instruction
In a6b9336cdb62bb46b9f8708e686a7ea00e924b3...@nrhmms8p02.uicnrh.dom, on 03/07/2012 at 08:59 AM, McKown, John john.mck...@healthmarkets.com said:

> The OP has been posting from an iPhone. Perhaps he tried to read the PoPs on that device?

Or perhaps he is using a current version and the PDF is taking forever to load. SA22-7832-08 took 15 seconds.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Re: Tips for continuing DD statement with only one parameter field
All good points.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Paul Gilmartin
Sent: Wednesday, March 07, 2012 11:19 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Tips for continuing DD statement with only one parameter field

On Wed, 7 Mar 2012 19:04:40 -0800, Charles Mills charl...@mcn.org wrote:

> Well, who's counting indeed, but my JCL reference says
>
> The pathname: ...
> - Has a length of 1 through 255 characters. ...

I stand corrected; I misread earlier in the same section:

Each directory or filename:
Is preceded by a slash (/). The system treats any consecutive slashes as a single slash. ...
Has a length of 1 through 254 characters, not including the slash.

But now I've read it more carefully and submitted the RCF:

Hello, MHVRCFS

In:
Title: z/OS V1R13.0 MVS JCL Reference
Document Number: SA22-7597-15

12.48.2 Subparameter Definition pathname

Is incomplete, perhaps misleading. The description appears to prohibit the following which are in fact allowed:

o A pathname need not contain a filename; it may consist solely of directories, in which case it refers to a directory.
o If (and only if) a pathname refers to a directory, it may end with a slash.

The following may be implicit, or perhaps needs clarification:

o The list of directories may be empty; the path may consist of only a filename, in which case it refers to a file in the root directory; or of only a slash, in which case it refers to the root directory itself.

The following appear to be permitted, but are in fact invalid:

o A slash may not appear in a directory or filename; it may be used only as a separator between directories and the filename.
o The forms . and .. may not be used as filenames; these are reserved for directory names.
Re: SMPE HOLDDATA question..
On Thu, 8 Mar 2012 04:39:45 -0600, Veena, Sridhar wrote:

> ++HOLD(HAAWA10) FMID(HAAWA10) REASON(AM58699) ERROR DATE(12066) COMMENT(SMRTDATA(SYMP(DAL) CHGDT(120306))) CLASS(HIPER).
> ++HOLD(HAAW910) FMID(HAAW910) REASON(AM58694) ERROR DATE(12060) COMMENT(SMRTDATA(SYMP(DAL) CHGDT(120229))) CLASS(HIPER).
> ++HOLD(HADLA10) FMID(HADLA10) REASON(AM54484) ERROR DATE(12040) COMMENT(SMRTDATA(FIX(UK75991) SYMP(FUL) CHGDT(120209))) CLASS(HIPER).
> ++HOLD(HADRA10) FMID(HADRA10) REASON(AM48159) ERROR DATE(12045) COMMENT(SMRTDATA(FIX(UK74162) SYMP(FUL) CHGDT(120214))) CLASS(HIPER).
> ++HOLD(HADRB10) FMID(HADRB10) REASON(AM54307) ERROR DATE(12061) COMMENT(SMRTDATA(FIX(UK75928) SYMP(FUL) CHGDT(120301))) CLASS(HIPER).
>
> The first HOLD statement says do not apply SYSMOD HAAWA10 because there is an unresolved APAR AM58699 (HIPER).
> The second HOLD statement says do not apply SYSMOD HAAW910 because there is an unresolved APAR AM58694 (HIPER).

Error HOLDDATA does not tell you what to apply or not apply. It tells SMP/E about known errors. It also provides information used by REPORT ERRORSYSMODS to tell you about error SYSMODs that are on your system and (if available) the PTF that resolves the error. Additionally, REPORT ERRORSYSMODS will tell you if there is a known error in the resolving PTF.

When you are applying a product that has an error hold, you need to examine the APAR information and determine whether you want to take the risk of running with the error. An FMID is a SYSMOD that provided a product or a part of a product. If there is no resolving PTF. If you need the function provided by FMIDs HAAWA10 and/or HAAW910

> Third HOLD statement says there is an APAR AM54484 on FMID HADLA10 but a fix PTF UK75991 is available.

Yes. If UK75991 is applied (or accepted) at the same time as HADLA10, the error hold will be resolved. It is not the FIX(UK75928) in the HOLDDATA that tells SMP/E this at apply time, but the SUP(AM54484) that is in PTF UK75991.

> Does this mean I skip applying first two SYSMODs HAAWA10 and HAAW910, I will apply the third SYSMOD HADLA10 but follow it up with PTF UK75991 apply.

Not quite. You would not apply HADLA10 and follow it up with UK75991. You would apply them both at the same time. One way of doing that is to APPLY HADLA10 specifying GROUPEXTEND.

HOLDDATA is not something for you to read and make decisions about what to do. You should download and RECEIVE it regularly and run REPORT ERRORSYSMODS. The report will list known errors that are already applied to your system and tell you whether there are fixes for those errors.

> What does it mean when they say obtain your latest HOLDDATA from IBM site and apply it?! Also, when exactly I choose to BYPASS the HOLD information?!

You don't APPLY HOLDDATA. You RECEIVE it. RECEIVE brings it into your global zone so that the information may be used by SMP/E during APPLY and ACCEPT processing.

All of the HOLDDATA that you showed is for function SYSMODs. An FMID is a product or part of a product at a particular release level. If you have a need to apply that product, you will try to apply it. If your need for that release of the product exceeds the risk of running without the fix to the problem, you would BYPASS the error.

I don't know what HAAWA10 and HAAW910 are, but per the normal FMID naming conventions, they are for two different releases of the same product. You would not likely have them both on the same system. Again, error HOLDDATA is not meant for you to read. It includes HOLDDATA for products that you do not have and do not intend to install.

If the SYSMOD that was held was a PTF, you would examine the APAR information for the error and for the APAR that the PTF fixes. You have to weigh the risks of running without the PTF against the risk of running with the known error.

--
Tom Marchant
Re: Program FLIH backdoor - This is a criminal breach of security!
On Tue, 6 Mar 2012 15:40:25 -0600, Tom Marchant wrote:

>> By PCFLIH backdoor I mean a routine whose address replaced the address of the IBM supplied PCFLIH.
>
> That would be a hook or an intercept. Backdoor means something else entirely.

You have your definition for 'backdoor', I have mine, Next.

>> The backdoor routine received control every time a PC interrupt
>
> ITYM a program interruption.

Yes.

> That is certainly not what the vendor routine being discussed is alleged to have done. It is alleged to return to the program that was interrupted in supervisor state. It is further alleged that it is relatively easy for any program to exploit this and to get put into supervisor state.

I keep seeing that 'alleged' word. Doesn't anyone actually know what they did/do, and how did they do this magic without being APF authorized, and if they were APF authorized then they could by definition switch anyone or any task in the system to supervisor state so what does it matter at that point anyway; the battle is lost, get out your white flags and start waving.

Now if they did this magic and they were NOT APF authorized, then we have a lot to talk about here.

I have not seen the vendor code and cannot comment on what it does or does not do or how much security checking it does or does not perform before it does what it does.

My defense was of the use of the technique of 'backdooring, hooking, intercepting, or whatever word you choose to use in whatever language you choose to use' when it is the appropriate technique. I would really hate to see IBM use this discussion as a justification for somehow making it impossible for a sharp systems programmer or vendor to use this technique when there are times that it is the only technique that will work. I guess it was that 'criminal' word in the subject line that set me off.

As for what the vendor did, I am not offering any justification and if what you would like to organize with this discussion is a party where we all get together and roast a few vendors I will not only volunteer to bring some firewood I will also invite my CA and IBM marketing reps to come with me to the party!

Gene Pate
CSX Technology
Enterprise Architecture
Re: SMPE HOLDDATA question..
On Thu, 8 Mar 2012 04:39:45 -0600, Veena, Sridhar wrote:

> I am new to System programming and have the following doubt...

I should have added that APPLY CHECK is your friend. It is better to run APPLY CHECK than to try to make sense of error HOLDDATA.

--
Tom Marchant
Re: SMPE HOLDDATA question..
> Does this mean I skip applying first two SYSMODs HAAWA10 and HAAW910

Probably not. See below.

> I will apply the third SYSMOD HADLA10 but follow it up with PTF UK75991 apply.

Yes, or better is to apply UK75991 at the same time as HADLA10.

> What does it mean when they say obtain your latest HOLDDATA from IBM site and apply it?!

It means HOLDDATA changes daily, so you should get the very latest from IBM and RECEIVE it into your global zone (you don't APPLY HOLDDATA) so you have the most up to date information at the time you perform an APPLY operation. The HOLDDATA is then used by APPLY to identify known errors and missing fixes.

> Also, when exactly I choose to BYPASS the HOLD information?!

Well, that is of course a matter of differing opinions. If you are installing an IBM product you should refer to the supplied Program Directory which should provide some guidance in this space.

This may be more than you're asking for, but I'll post here IBM recommendations that should appear in most recent Program Directories in some form. Use these recommendations when you are applying a Function SYSMOD, such as HAAWA10 which you cite above.

*** IBM Program Directory APPLY recommendation template

Ensure that you have the latest HOLDDATA. The latest HOLDDATA is available through several different portals, including http://service.software.ibm.com/holdata/390holddata.html. The latest HOLDDATA may identify HIPER and FIXCAT APARs for the FMIDs you will be installing. An APPLY CHECK will help you determine if any HIPER or FIXCAT APARs are applicable to the FMIDs you are installing. If there are any applicable HIPER or FIXCAT APARs, the APPLY CHECK will also identify fixing PTFs that will resolve the APARs, if a fixing PTF is available.

You should Install the FMIDs regardless of the status of any unresolved HIPER or FIXCAT APARs. However, do not deploy the software until the unresolved HIPER and FIXCAT APARs have been analyzed to determine their applicability. That is, before deploying the software either ensure fixing PTFs are applied to resolve all HIPER or FIXCAT APARs, or ensure the problems reported by all HIPER or FIXCAT APARs are not applicable to your environment.

Here are sample APPLY commands:

1. To ensure that all recommended and critical service is installed with the FMIDs, receive the latest HOLDDATA and use the APPLY CHECK command as follows

   APPLY S(fmid,fmid,...) CHECK
   FORFMID(fmid,fmid,...)
   SOURCEID(RSU*)
   FIXCAT(IBM.ProductInstall-RequiredService)
   GROUPEXTEND .

   Some HIPER APARs might not have fixing PTFs available yet. You should analyze the symptom flags for the unresolved HIPER APARs to determine if the reported problem is applicable to your environment and if you should bypass the specific ERROR HOLDs in order to continue the installation of the FMIDs.

   This method requires more initial research, but can provide resolution for all HIPERs that have fixing PTFs available and are not in a PE chain. Unresolved PEs or HIPERs might still exist and require the use of BYPASS.

2. To install the FMIDs without regard for unresolved HIPER APARs, you can add the BYPASS(HOLDCLASS(HIPER)) operand to the APPLY CHECK command. This will allow you to install the FMIDs even though one or more unresolved HIPER APARs exist. After the FMIDs are installed, use the SMP/E REPORT ERRSYSMODS command to identify unresolved HIPER APARs and any fixing PTFs.

   APPLY S(fmid,fmid,...) CHECK
   FORFMID(fmid,fmid,...)
   SOURCEID(RSU*)
   FIXCAT(IBM.ProductInstall-RequiredService)
   GROUPEXTEND
   BYPASS(HOLDCLASS(HIPER)) .

   This method is quicker, but requires subsequent review of the Exception SYSMOD report produced by the REPORT ERRSYSMODS command to investigate any unresolved HIPERs. If you have received the latest HOLDDATA, you can also choose to use the REPORT MISSINGFIX command and specify Fix Category IBM.ProductInstall-RequiredService to investigate missing recommended service.

Kurt Quackenbush -- IBM, SMP/E Development
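The replies from Tom Marchant and Kurt Quackenbush treat error HOLDDATA as input for tooling rather than something to read by eye. As an added example (not from the thread and not part of SMP/E), this Python sketch parses the ++HOLD statements quoted in the thread and triages them against a system inventory. The inventory, the set of superseded APARs, every function name, and the 20yy reading of DATE(yyddd) are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# HOLDDATA extract as posted in the thread (line breaks are layout only).
HOLDDATA = """\
++ NULL.
/* Enhanced Holddata from 02/07/2012 to 03/08/2012 */
++HOLD(HAAWA10) FMID(HAAWA10) REASON(AM58699) ERROR DATE(12066)
  COMMENT(SMRTDATA(SYMP(DAL) CHGDT(120306))) CLASS(HIPER).
++HOLD(HAAW910) FMID(HAAW910) REASON(AM58694) ERROR DATE(12060)
  COMMENT(SMRTDATA(SYMP(DAL) CHGDT(120229))) CLASS(HIPER).
++HOLD(HADLA10) FMID(HADLA10) REASON(AM54484) ERROR DATE(12040)
  COMMENT(SMRTDATA(FIX(UK75991) SYMP(FUL) CHGDT(120209))) CLASS(HIPER).
++HOLD(HADRA10) FMID(HADRA10) REASON(AM48159) ERROR DATE(12045)
  COMMENT(SMRTDATA(FIX(UK74162) SYMP(FUL) CHGDT(120214))) CLASS(HIPER).
++HOLD(HADRB10) FMID(HADRB10) REASON(AM54307) ERROR DATE(12061)
  COMMENT(SMRTDATA(FIX(UK75928) SYMP(FUL) CHGDT(120301))) CLASS(HIPER).
"""


@dataclass
class ErrorHold:
    sysmod: str       # SYSMOD being held
    fmid: str         # function the hold applies to
    apar: str         # REASON id: the APAR describing the error
    held_on: date     # DATE(yyddd) converted to a calendar date
    hold_class: str   # e.g. HIPER
    symptoms: list    # SYMP flags from SMRTDATA
    fixes: list       # FIX PTFs from SMRTDATA; empty when none is listed


def operand(stmt, key):
    """Return the text inside KEY(...) when it holds no nested parentheses."""
    m = re.search(rf"\b{key}\(([^()]*)\)", stmt)
    return m.group(1).strip() if m else ""


def julian(yyddd):
    """Convert yyddd to a date. Assumption: two-digit years mean 20yy."""
    return date(2000 + int(yyddd[:2]), 1, 1) + timedelta(days=int(yyddd[2:]) - 1)


def parse_holddata(text):
    """Extract every ++HOLD ... ERROR statement; skip ++NULL and comments."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    holds = []
    for stmt in text.split("++"):
        words = stmt.split()
        if not words or not words[0].startswith("HOLD(") or "ERROR" not in words:
            continue
        stmt = " ".join(words)
        holds.append(ErrorHold(
            sysmod=operand(stmt, "HOLD"),
            fmid=operand(stmt, "FMID"),
            apar=operand(stmt, "REASON"),
            held_on=julian(operand(stmt, "DATE")),
            hold_class=operand(stmt, "CLASS"),
            symptoms=re.findall(r"\w+", operand(stmt, "SYMP")),
            fixes=re.findall(r"\w+", operand(stmt, "FIX")),
        ))
    return holds


def triage(holds, installed, superseded_apars):
    """Report only holds that matter here: the held SYSMOD is installed.

    A hold counts as resolved when an applied PTF supersedes its APAR (the
    SUP() relationship described in the thread), not merely because the
    HOLDDATA names a FIX.
    """
    report = []
    for h in holds:
        if h.sysmod not in installed:
            continue  # HOLDDATA covers products this system does not have
        if h.apar in superseded_apars:
            status = "resolved"
        elif h.fixes:
            status = "fix available: " + ",".join(h.fixes)
        else:
            status = "no fix yet: review APAR"
        report.append((h.sysmod, h.apar, h.hold_class, status))
    return report


if __name__ == "__main__":
    # Constructed inventory: three FMIDs installed, one APAR already superseded.
    installed = {"HAAWA10", "HADLA10", "HADRA10"}
    superseded = {"AM48159"}
    for row in triage(parse_holddata(HOLDDATA), installed, superseded):
        print("%-8s %-8s %-6s %s" % row)
```
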
Re: Tips for continuing DD statement with only one parameter field
This thread has very largely straightened itself out. For the record, i.e., for the sake of anyone who reads through it in the archives:

1) parameters and subparameters are of two sorts, positional and keyword

2) many historical keyword subparameters, e.g., those of the DCB= keyword parameter, have been half promoted: they continue to be usable as subparameters, but they may now also be coded as parameters

3) PARM= is a keyword parameter

4) The permissible lengths of the values of parameters vary widely [wildly?]

5) The curious restriction that positional parameters must precede keyword ones has been retained, a long, long time after its relaxation in the HLASM macro language

6) In these and other respects JCL has become a patchwork. It is no longer coherent: a knowledge of some of its facilities does not permit plausible, almost invariably confirmed conjectures about the rest of them to be made.

7) Op. cit. [in the work (already) cited] is a suitable locution for avoiding the repetitive full identification of a document. In standard scholarly usage it must be accompanied by a page number, paragraph reference, or the like; and this requirement is a particularly urgent one when the document in question contains multiple, not entirely consistent discussions of the same topic.

John Gilmore, Ashland, MA 01721 - USA
Re: Program FLIH backdoor - This is a criminal breach of security!
On Thu, 8 Mar 2012 13:49:28 +, Pate, Gene wrote:

> You have your definition for 'backdoor', I have mine, Next.

That is the root of your confusion. This thread is about a vendor creating a backdoor according to my definition. You are amazed at the uproar over this because you applied your definition of what a backdoor is without considering the description of what the backdoor was in the original discussion.

> if they were APF authorized then they could by definition switch anyone or any task in the system to supervisor state

Yes, an APF authorized program can do that. It can also create a backdoor (my definition) that any task in the system can walk through and get into supervisor state. That is the objection that was raised, and it is a very different matter.

Since your definition of a backdoor is simply an intercept of a system routine, what would you call it when an authorized program creates an interface that any program can use to put itself into supervisor state?

> Now if they did this magic and they were NOT APF authorized, then we have a lot to talk about here.

Of course they were authorized to be able to install their intercept.

> I have not seen the vendor code and cannot comment on what it does or does not do or how much security checking it does or does not perform before it does what it does.

That was Ed's point too. Neither have I and it's the reason I said alleged.

--
Tom Marchant
Re: Program FLIH backdoor - This is a criminal breach of security!
> an APF authorized program can do that. It can also create a backdoor (my definition) that any task in the system can walk through and get into supervisor state. That is the objection that was raised, and it is a very different matter.

I should be smarter than to wade into this one but is it not true, unfortunately, that an APF program can do ANYTHING it wants to do? Doing anything it wants to do would include granting privileges implicitly to other programs would it not?

Further, there is no industry agreement -- witness this thread -- on what constitutes acceptable APF authorized program conduct. My "the only technique that will work" is someone else's "criminal breach of security."

It seems to me the problem here is, from a technological point of view, the all or nothing nature of APF authorization. IBM is moving away from that approach, but APF authorization as it is and was is going to be with us for a long time.

From a non-technology point of view, we need some sort of industry agreement on what is good behavior in an authorized program. I am thinking of something like a standardized set of questions that a vendor could answer and have an officer certify: Mr./Ms. Customer, we are asking for APF authorization. I certify under penalty of fraud that our program uses APF authorization to do X, and Y, and Z but does not do A, and B, and C.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Tom Marchant
Sent: Thursday, March 08, 2012 6:19 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Program FLIH backdoor - This is a criminal breach of security!

On Thu, 8 Mar 2012 13:49:28 +, Pate, Gene wrote:

> You have your definition for 'backdoor', I have mine, Next.

That is the root of your confusion. This thread is about a vendor creating a backdoor according to my definition. You are amazed at the uproar over this because you applied your definition of what a backdoor is without considering the description of what the backdoor was in the original discussion.

> if they were APF authorized then they could by definition switch anyone or any task in the system to supervisor state

Yes, an APF authorized program can do that. It can also create a backdoor (my definition) that any task in the system can walk through and get into supervisor state. That is the objection that was raised, and it is a very different matter.
Re: Tips for continuing DD statement with only one parameter field
PATH is not only under-specified in the JCL reference, it is also over-specified.

- Is case-sensitive. Thus, /u/joe and /u/JOE and /u/Joe define three different files.

Is not an aspect of the PATH= parameter, it is an aspect of the HFS. Logically they could change HFS tomorrow to be non-case-sensitive (granted, it ain't gonna happen -- I'm just talking logic here) without touching the PATH= code and the above sentence would no longer be true. Or I could write a product that mounted a remote Windows volume as an HFS volume and the above sentence would not be true.

/u/Joe and /u/Fred are also different files, but that's an aspect of HFS, not of PATH=.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Paul Gilmartin
Sent: Wednesday, March 07, 2012 11:19 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Tips for continuing DD statement with only one parameter field

On Wed, 7 Mar 2012 19:04:40 -0800, Charles Mills charl...@mcn.org wrote:

> Well, who's counting indeed, but my JCL reference says
>
> The pathname: ...
> - Has a length of 1 through 255 characters. ...

I stand corrected; I misread earlier in the same section:

Each directory or filename:
Is preceded by a slash (/). The system treats any consecutive slashes as a single slash. ...
Has a length of 1 through 254 characters, not including the slash.

But now I've read it more carefully and submitted the RCF:

Hello, MHVRCFS

In:
Title: z/OS V1R13.0 MVS JCL Reference
Document Number: SA22-7597-15

12.48.2 Subparameter Definition pathname

Is incomplete, perhaps misleading. The description appears to prohibit the following which are in fact allowed:
Re: Nicht_von_TrustMail - issuing console command via CONSOLE+GETMSG without occurring in the syslog
Stephen,

you wrote syslog, -- I write SYSLOG in majuscule as seen in IBM manuals as abbreviation for system log. You did not ask for OPERLOG, hardcopy log, operator console, master console etc (I am not sure about permutation of minuscule and majuscule).

Then, SYSLOG as described in MVS Planning: Operations is just the data set of your primary job entry system's spool space (I would assume JES2 or JES3). So, I would not expect console output to appear in that data set unless explicitly requested by e.g. requesting the MVS console command LOG.

However, thinking a little bit further: the SYSLOG can be defined as media for the hardcopy log. Then, things are a little bit different. For example, we have set up our CONSOLxx parmlib member to always record command responses to hardcopy log -- from any console, including eMCS consoles. Because of this: yes, all our messages from REXX eMCS consoles are also occurring in SYSLOG.

Cheers
Michael

From: Dr. Stephen Fedtke max_mainframe_...@fedtke.com
To: IBM-MAIN@bama.ua.edu
Date: 2012-03-08 11:02
Subject: Nicht_von_TrustMail - issuing console command via CONSOLE+GETMSG without occurring in the syslog
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

hi all,

is it possible to issue a console command via CONSOLE+GETMSG in a rexx without the resulting messages occurring in the syslog?

thanks for your help
stephen

---
Dr. Stephen Fedtke
Enterprise-IT-Security.com
Seestrasse 3a
CH-6300 Zug
Switzerland
Tel. ++41-(0)41-710-4005
www.enterprise-it-security.com
++NEWS++ SF-NoEvasion lets you avoid all 10 pitfalls when connecting z/OS to your SIEM ++NEWS++
Re: Program FLIH backdoor - This is a criminal breach of security!
On 3/8/2012 6:40 AM, Charles Mills wrote:

> From a non-technology point of view, we need some sort of industry agreement on what is good behavior in an authorized program. I am thinking of something like a standardized set of questions that a vendor could answer and have an officer certify: Mr./Ms. Customer, we are asking for APF authorization. I certify under penalty of fraud that our program uses APF authorization to do X, and Y, and Z but does not do A, and B, and C.

You have no integrity statement?? Wow! You might consider drafting one... Here is IBM's you can use as a template:

http://www.ibm.com/systems/z/os/zos/features/racf/zos_integrity_statement.html

--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
310-338-0400 x318
edja...@phoenixsoftware.com
http://www.phoenixsoftware.com/
Re: Tips for continuing DD statement with only one parameter field
On Thu, 8 Mar 2012 06:48:52 -0800, Charles Mills wrote:

> PATH is not only under-specified in the JCL reference, it is also over-specified.
>
> - Is case-sensitive. Thus, /u/joe and /u/JOE and /u/Joe define three different files.
>
> Is not an aspect of the PATH= parameter, it is an aspect of the HFS. Logically they could change HFS tomorrow to be non-case-sensitive (granted, it ain't gonna happen -- I'm just talking logic here) without touching the PATH= code and the above sentence would no longer be true. Or I could write a product that mounted a remote Windows volume as an HFS volume and the above sentence would not be true.
>
> /u/Joe and /u/Fred are also different files, but that's an aspect of HFS, not of PATH=.

I very much agree. Add, as aspects of the HFS, not of JCL:

o Multiple consecutive slashes are equivalent to a single slash, and even:
o The slash serves as a directory level separator.
o Any discussion that mentions the distinction between directories and filenames doesn't belong to JCL.

The JCL RM should leave the specification of the UNIX filesystem(s) to another document, with citation (including page number), and mention only the limitations peculiar to JCL (and allocation) such as:

o Pathnames must be absolute (start with /)
o 255 character limit
o restriction on permissible characters
o (Others?)

-- gil
Linux VM Session Grid for SHARE Atlanta
Maybe found at: http://vm.marist.edu/~neale/grid.pdf
Re: Tips for continuing DD statement with only one parameter field
On Thu, 8 Mar 2012 09:02:47 -0500, John Gilmore wrote:
> 2) many historical keyword subparameters, e.g., those of the DCB= keyword parameter, have been half promoted: they continue to be usable as subparameters, but they may now also be coded as parameters
All DCB subparameters, or only some? And when used in connection with PATH=..., they may be used only as parameters, not as DCB subparameters. I suspect the need to enforce this restriction embodies the rationale for promotion of those subparameters.
> 5) The curious restriction that positional parameters must precede keyword ones has been retained, a long, long time after its relaxation in the HLASM macro language
But note that despite appearance PGM=... is not a keyword parameter but a positional parameter whose allowable values are required to contain =.
> 6) In these and other respects JCL has become a patchwork. It is no longer coherent: a knowledge of some of its facilities does not permit plausible, almost invariably confirmed conjectures about the rest of them to be made.
In this respect, it's highly consistent with the specification of HLASM.
> 7) Op. cit. [in the work (already) cited] is a suitable locution for avoiding the repetitive full identification of a document. In standard scholarly usage it must be accompanied by a page number, paragraph reference, or the like; and this requirement is a particularly urgent one when the document in question contains multiple, not entirely consistent discussions of the same topic.
not entirely consistent could be material for an RCF. Would loc. cit. have been better? (But I was merely too lazy to verify the reference.) The online IBM manuals are infuriating in this respect: They provide a link to the publication title, but not to the page nor the chapter title, and when I follow the link I am presented with a list of every edition of publications matching the title. I hate JCL!
-- gil
Re: Tips for continuing DD statement with only one parameter field
On 3/8/2012 7:28 AM, Paul Gilmartin wrote:
> o Pathnames must be absolute (start with /)
This is an inconvenience I wish could be rectified. No leading slash should default to one's home directory.
-- Edward E Jaffe Phoenix Software International, Inc 831 Parkview Drive North El Segundo, CA 90245 310-338-0400 x318 edja...@phoenixsoftware.com http://www.phoenixsoftware.com/
Re: Tips for continuing DD statement with only one parameter field
Duh! The whole point of home directories.
Charles
Re: Program FLIH backdoor - This is a criminal breach of security!
Not sure I get your drift. I am talking about the problem in the OP, not about me, and not about preventing programs from doing X and Y but rather about an agreement about what is legitimate and what is not, or as I said, one person's 'the only technique that will work' [a phrase one poster used] is someone else's 'criminal breach of security.' Failing that, a formal affirmation of we do X but we don't do Y.
Charles
Re: Tips for continuing DD statement with only one parameter field
On 8 March 2012 10:46, Edward Jaffe edja...@phoenixsoftware.com wrote:
> On 3/8/2012 7:28 AM, Paul Gilmartin wrote:
> > o Pathnames must be absolute (start with /)
> This is an inconvenience I wish could be rectified. No leading slash should default to one's home directory.
When, and on which system, would this be evaluated?
Tony H.
Bus-Tech MDL 1000
Gentlemen. Does anyone have an old Bus-Tech MDL 1000/2000 laying around that you would like to get rid of?
Jim Wangler jim_wang...@osianainc.com
Re: Tips for continuing DD statement with only one parameter field
And, I guess, give a JCL error if the user does not have an OMVS segment, or no HOME directory specified in their OMVS segment. I agree this would be easier. But can be emulated with: PATH='/u/SYSUID/file.ext' __if__ the HOME directory is in UPPER CASE. Unfortunately, as I have UNIX set up, the HOME directory uses the RACF id after it has been converted to lower-case.
I pity any z/OS UNIX user whose RACF id contains a $ anywhere in it. /u/$racf/some.file will likely fail unless the environment variable racf is export'ed with a value of $racf. I guess that the /etc/profile could be set up to export the environment variable racf set to $racf and mark it READONLY. Which only helps in a shell. And a RACF id like: a$b would be a real terror to fix in /etc/profile.
-- John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) 9151 Boulevard 26 * N. Richland Hills * TX 76010 (817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com
Re: Tips for continuing DD statement with only one parameter field
Personally, I'd say on the executing system. In any case, __something__ would need to expand the simple file.ext to /path/to/home/file.ext. I guess that would be either during: JCL conversion or JCL interpretation or step execution.
Now, UNIX has the concept of current working directory. I think this is generally set when the address space is dubbed, at least for a batch job which is what we're talking about since we're talking JCL (OK, or STC or TSU) and we don't have any inheritance due to fork(). When you UNIX open() a file with a relative path in it, it is relative to the current working directory. So I would consider execution time the proper time to do this. Just make sure that the current working directory for the address space is set to the HOME when it is first dubbed.
Of course, if the program is using UNIX services, it could change the current working directory. That would then become the base for the pathname in the open(). Which could be very confusing to the ignorant user. So that could be yet another argument against using relative path names in PATH=. Reduction in confusion as to exactly which file is really being opened.
-- John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) 9151 Boulevard 26 * N. Richland Hills * TX 76010 (817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com
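The point made in the message above, that a relative name is resolved against whatever the current working directory is at open() time, shown as an added example in plain POSIX C (not code from the thread). The /tmp directories, the name file.ext and the file contents are constructed; the final openat() call, which resolves the name against a directory descriptor obtained up front, goes beyond the thread and is assumed to be available on the target platform.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create dir/name holding text (constructed sample data). 0 on success. */
static int put_file(const char *dir, const char *name, const char *text)
{
    char path[256];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Read the start of an open file into buf, NUL-terminate it, close fd. */
static int slurp(int fd, char *buf, size_t cap)
{
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Remove dir/name and then dir itself. */
static void cleanup(const char *dir, const char *name)
{
    char path[256];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    unlink(path);
    rmdir(dir);
}

/*
 * before: what open("file.ext") returns while cwd is the "home" directory
 * after:  what the same call returns once the program has chdir()ed away
 * pinned: what openat(homefd, "file.ext") returns after that chdir()
 */
int cwd_demo(char *before, char *after, char *pinned, size_t cap)
{
    char home[] = "/tmp/demo_home_XXXXXX";   /* stands in for HOME */
    char work[] = "/tmp/demo_work_XXXXXX";   /* some other directory */
    int rc = -1;

    if (!mkdtemp(home))
        return -1;
    if (!mkdtemp(work)) {
        rmdir(home);
        return -1;
    }

    int saved = open(".", O_RDONLY | O_DIRECTORY);    /* to restore cwd */
    int homefd = open(home, O_RDONLY | O_DIRECTORY);  /* pinned base dir */

    if (saved >= 0 && homefd >= 0 &&
        put_file(home, "file.ext", "home copy") == 0 &&
        put_file(work, "file.ext", "work copy") == 0 &&
        chdir(home) == 0 &&
        slurp(open("file.ext", O_RDONLY), before, cap) == 0 &&
        chdir(work) == 0 &&                 /* the program moves its cwd */
        slurp(open("file.ext", O_RDONLY), after, cap) == 0 &&
        slurp(openat(homefd, "file.ext", O_RDONLY), pinned, cap) == 0)
        rc = 0;

    if (saved >= 0) {
        if (fchdir(saved) != 0)
            rc = -1;
        close(saved);
    }
    if (homefd >= 0)
        close(homefd);
    cleanup(home, "file.ext");
    cleanup(work, "file.ext");
    return rc;
}

int main(void)
{
    char before[64], after[64], pinned[64];
    if (cwd_demo(before, after, pinned, sizeof before) != 0) {
        perror("cwd_demo");
        return 1;
    }
    printf("open(\"file.ext\"), cwd = home      : %s\n", before);
    printf("open(\"file.ext\"), after chdir()   : %s\n", after);
    printf("openat(homefd, \"file.ext\")        : %s\n", pinned);
    return 0;
}
```

The same relative name yields two different files depending on the working directory, while the descriptor-relative open keeps pointing at the original directory.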
Re: Program FLIH backdoor - This is a criminal breach of security!
The IBM statement of Integrity or its equivalent is a standard that all authorized programs should conform with. See IBM statement of Integrity http://www-03.ibm.com/systems/z/os/zos/features/racf/zos_integrity_statement.html.
If you look at z/OS V1R12.0 MVS Authorized Assembler Services Guide: 21.1.2 http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/iea2a8b0/21.1.2?ACTION=MATCHESREQUEST=system+integrityTYPE=FUZZYSHELF=EZ2ZBK0KDT=20100629141054CASE=searchTopic=TOPICsearchText=TEXTsearchIndex=INDEXrank=RANKScrollTOP=FIRSTHIT#FIRSTHIT you will see that IBM puts the responsibility on the installation for ensuring the integrity (i.e. - conforms to the IBM statement of Integrity) for any modifications or extensions to z/OS the installation makes. This would include any authorized code written/installed by the installation as well as any authorized code installed that is from ISVs.
If the backdoor, intercept, or other authorized program violates the IBM statement of integrity then it is a problem that needs to be remediated.
Ray Overby Key Resources, Inc. Ensuring System Integrity for z/Series(TM) www.zassure.com (312)574-0007
On 3/8/2012 08:40 AM, Charles Mills wrote:
> > an APF authorized program can do that. It can also create a backdoor (my definition) that any task in the system can walk through and get into supervisor state. That is the objection that was raised, and it is a very different matter.
> I should be smarter than to wade into this one but is it not true, unfortunately, that an APF program can do ANYTHING it wants to do? Doing anything it wants to do would include granting privileges implicitly to other programs would it not? Further, there is no industry agreement -- witness this thread -- on what constitutes acceptable APF authorized program conduct. My the only technique that will work is someone else's criminal breach of security.
> It seems to me the problem here is, from a technological point of view, the all or nothing nature of APF authorization. IBM is moving away from that approach, but APF authorization as it is and was is going to be with us for a long time. From a non-technology point of view, we need some sort of industry agreement on what is good behavior in an authorized program. I am thinking of something like a standardized set of questions that a vendor could answer and have an officer certify: Mr./Ms. Customer, we are asking for APF authorization. I certify under penalty of fraud that our program uses APF authorization to do X, and Y, and Z but does not do A, and B, and C.
> Charles
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Tom Marchant
> Sent: Thursday, March 08, 2012 6:19 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Program FLIH backdoor - This is a criminal breach of security!
> On Thu, 8 Mar 2012 13:49:28 +, Pate, Gene wrote:
> > You have your definition for 'backdoor', I have mine, Next.
> That is the root of your confusion. This thread is about a vendor creating a backdoor according to my definition. You are amazed at the uproar over this because you applied your definition of what a backdoor is without considering the description of what the backdoor was in the original discussion.
> > if they were APF authorized then they could by definition switch anyone or any task in the system to supervisor state
> Yes, an APF authorized program can do that. It can also create a backdoor (my definition) that any task in the system can walk through and get into supervisor state. That is the objection that was raised, and it is a very different matter.
Re: Tips for continuing DD statement with only one parameter field
Hey John, You saying the working directory on Z/os unix is different than the homes?
Sent from my iPad
Scott Ford Senior Systems Engineer www.identityforge.com
JCL example to relink a CSECT into an existing load module
I sent the following to the CICS LISTSERV, and someone mentioned that the IBM-MAIN would be a better place for this type of inquiry. I did get some good JCL examples from the CICS LISTSERV, but if someone has some past experience of this working with specifically COBOL, that would be great. Some of these existing COBOL modules that will be relinked with the new BA4C1426 CSECT were compiled/linked under COBOL-II. We now use Enterprise COBOL 3.4 and the new BA4C1426 will be generated with Enterprise COBOL 3.4.
Hello,
We have 1000's of CICS COBOL programs that COPY in a COBOL source program called BA4C1426 and then statically call it. I have given some code examples of how this works below. In this example, COBOL program BA4C1976 does a COPY to bring in the COBOL source of BA4C1426 at compile time and then statically calls BA4C1426.
Our application team would like to change just the BA4C1426 code and then relink the change into the existing modules. So for the example below, BA4C1976 would not be recompiled, but the binder step would be run to update the existing BA4C1976 load module with a new CSECT for BA4C1426.
Would anyone have some examples of existing JCL of how to do the relink step of swapping in a new CSECT into an existing load module? I was going to research it, but was thinking someone on this list has already done it and would have an example already available. I didn't find any examples quickly with google searches.
Here is an example of how a module like BA4C1976 references BA4C1426:
    Identification Division.
    * Object-Class PrsnDBPmtInstRef.
    Program-Id. BA4C1976.
    . . .
    Procedure Division using Self Client-Variables Global-Variables Arglist.
    . . .
    Call 'BA4C1426' Using DfhEiBlk DfhCommArea TV-023-PRSNDBPMTINSTRSLT-LS Client-Variables Global-Variables ParmList
    . . .
    COPY BA4C1426.
    End Program BA4C1976.
The BA4C1426 source that is referenced by the COPY BA4C1426 line is a COBOL program:
    Identification Division.
    * Object-Class PARNLIST.
    Program-Id. BA4C1426.
    . . . COBOL source . . .
    End Program BA4C1426.
Thanks,
Tim Zielke Aon Hewitt CICS/MQ Systems Programmer
Re: Program FLIH backdoor - This is a criminal breach of security!
I will give it one more shot at trying to clarify what I mean. Witness this thread, reasonable people can disagree on what violates the statement of integrity means. One person's reasonable or only available technique is another person's violation. We could use some finer granularity. We could use a standard statement of does X but does not do Y.
Charles
Re: Tips for continuing DD statement with only one parameter field
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Scott Ford
Sent: Thursday, March 08, 2012 11:02 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Tips for continuing DD statement with only one parameter field
> Hey John, You saying the working directory on Z/os unix is different than the homes?
> Sent from my iPad
> Scott Ford
Sure current working directory is not always the HOME subdirectory. It is whatever directory was last referenced via the cd command or the C chdir() function or via the callable services: BPX1CHD (24/31 bit) or BPX4CHD (64 bit).
-- John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) 9151 Boulevard 26 * N. Richland Hills * TX 76010 (817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com
Re: JCL example to relink a CSECT into an existing load module
Tim, What wouldn't you want to compile and link the appropriate way? Just curious here and not judging...what's the reasoning? Maybe other methods ...
Sent from my iPad
Scott Ford Senior Systems Engineer www.identityforge.com
Re: JCL example to relink a CSECT into an existing load module
This would require a recompile of pretty much the entire application which is around 11,000 load modules. This COBOL application is written in proprietary object oriented COBOL and each load module represents an object oriented class (for the most part). So a recompile of the entire application would require a testing/migration effort that is too arduous for the application team. However, if we can just change the statically compiled BA4C1426 program and relink it into the existing 11,000 load modules, it significantly reduces the scope of the change to something that is more manageable from a testing and migration effort.
Thanks,
Tim Zielke CICS/MQ Systems Programmer Aon Hewitt
Re: JCL example to relink a CSECT into an existing load module
On 8 March 2012 11:57, Tim Zielke tim.zie...@aonhewitt.com wrote:
> Our application team would like to change just the BA4C1426 code and then relink the change into the existing modules. So for the example below, BA4C1976 would not be recompiled, but the binder step would be run to update the existing BA4C1976 load module with a new CSECT for BA4C1426.
I may well be missing the real question, and I don't know COBOL or its potential intricacies, but it seems to me trivial to replace one CSECT in an existing load module. Essentially you want to INCLUDE the new module, INCLUDE the existing load module, and save the result. Something like
//SYSLMOD DD DSN=main.loadlib
//NEWMOD  DD DSN=load.library.where.you.put.the.new.module
//SYSLIN  DD *
  INCLUDE NEWMOD(BA4C1426)
  INCLUDE SYSLMOD(BA4C1976)
  NAME BA4C1976(R)
And that's it.
Tony H.
Re: JCL example to relink a CSECT into an existing load module
On the basis of the information provided, below, IMO, the only *SAFE* way to make this change is to recompile the entire application. Perhaps if you provided some additional info about BA4C1426, I might have some additional alternatives.
Since you have to go through the pain of a mass compile, I would make BA4C1426 a stand-alone module and dynamically call it. I understand that this might take some additional time to recode for dynamic calls.
As to the original request:
1) Compile BA4C1976 into a stand-alone csect and link into the special loadlib of your choice
2) Execute the following for each LOAD module currently existing
//STEP1    EXEC PGM=HEWL,PARM=...
//SYSPRINT DD SYSOUT=*
//SYSLMOD  DD DSN=(new loadmod library)
//SYSLIB1  DD DSN=(original loadmod library)
//SYSLIB   DD DSN=(special loadmod library)
//* Binder control statements are read from SYSLIN
//SYSLIN   DD *
  INCLUDE SYSLIB(BA4C1426)
  INCLUDE SYSLIB1(original loadmod name)
  NAME original loadmod name(R)
HTH,
snip
> We have 1000's of CICS COBOL programs that COPY in a COBOL source program called BA4C1426 and then statically call it. I have given some code examples of how this works below. In this example, COBOL program BA4C1976 does a COPY to bring in the COBOL source of BA4C1426 at compile time and then statically calls BA4C1426.
> Our application team would like to change just the BA4C1426 code and then relink the change into the existing modules. So for the example below, BA4C1976 would not be recompiled, but the binder step would be run to update the existing BA4C1976 load module with a new CSECT for BA4C1426.
> Would anyone have some examples of existing JCL of how to do the relink step of swapping in a new CSECT into an existing load module? I was going to research it, but was thinking someone on this list has already done it and would have an example already available. I didn't find any examples quickly with google searches.
> Here is an example of how a module like BA4C1976 references BA4C1426:
>     Identification Division.
>     * Object-Class PrsnDBPmtInstRef.
>     Program-Id. BA4C1976.
>     . . .
>     Procedure Division using Self Client-Variables Global-Variables Arglist.
>     . . .
>     Call 'BA4C1426' Using DfhEiBlk DfhCommArea TV-023-PRSNDBPMTINSTRSLT-LS Client-Variables Global-Variables ParmList
>     . . .
>     COPY BA4C1426.
>     End Program BA4C1976.
> The BA4C1426 source that is referenced by the COPY BA4C1426 line is a COBOL program:
>     Identification Division.
>     * Object-Class PARNLIST.
>     Program-Id. BA4C1426.
>     . . . COBOL source . . .
>     End Program BA4C1426.
/snip
Re: JCL example to relink a CSECT into an existing load module
Tony,

Yeah, I also thought. I am assuming, bad word, that the COBOL call will be resolved correctly

Sent from my iPad
Scott Ford
Senior Systems Engineer
www.identityforge.com

On Mar 8, 2012, at 12:56 PM, Tony Harminc t...@harminc.net wrote:

> On 8 March 2012 11:57, Tim Zielke tim.zie...@aonhewitt.com wrote:
>
>> Our application team would like to change just the BA4C1426 code and then relink the change into the existing modules. So for the example below, BA4C1976 would not be recompiled, but the binder step would be run to update the existing BA4C1976 load module with a new CSECT for BA4C1426.
>
> I may well be missing the real question, and I don't know COBOL or its potential intricacies, but it seems to me trivial to replace one CSECT in an existing load module. Essentially you want to INCLUDE the new module, INCLUDE the existing load module, and save the result. Something like
>
>     //SYSLMOD DD DSN=main.loadlib
>     //NEWMOD DD DSN=load.library.where.you.put.the.new.module
>     //SYSLIN DD *
>      INCLUDE NEWMOD(BA4C1426)
>      INCLUDE SYSLMOD(BA4C1976)
>      NAME BA4C1976(R)
>
> And that's it.
>
> Tony H.
Re: Tips for continuing DD statement with only one parameter field
On Thu, 8 Mar 2012 11:29:38 -0600, McKown, John wrote:

> -Original Message-
> [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Scott Ford
> Sent: Thursday, March 08, 2012 11:02 AM
>
> You saying the working directory on Z/os unix is different than the homes?

I really, really hope that was intended as whimsy.

> Sure current working directory is not always the HOME subdirectory. It is whatever directory was last referenced via the cd command or the C chdir() function or via the callable services: BPX1CHD (24/31 bit) or BPX4CHD (64 bit).

Or with Rexx address SYSCALL chdir ... And this works even under TSO, and it stays changed after the EXEC or program exits.

Yes, I'd like to see DYNALLOC respect CWD. But the problem remains: should the binding be performed at time of allocation, or at time of OPEN? Even now, one can DYNALLOC a path; delete the referenced file, then OPEN, which fails. IBM has taken a RCF on this WAD behavior.

Better: tilde substitution in the PATH. Where I work, user homes are not in /u. And some people mount HOME via NFS from a system with YA naming standard.

-- gil
Re: Tips for continuing DD statement with only one parameter field
John, thanks for the clarification. Have used z/os unix some I am not the wizard you are.. Used fedora and rh some ..hopefully more later

Sent from my iPad
Scott Ford
Senior Systems Engineer
www.identityforge.com

On Mar 8, 2012, at 12:29 PM, McKown, John john.mck...@healthmarkets.com wrote:

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Scott Ford
> Sent: Thursday, March 08, 2012 11:02 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Tips for continuing DD statement with only one parameter field
>
> Hey John, You saying the working directory on Z/os unix is different than the homes?
> Sent from my iPad Scott Ford
>
> Sure current working directory is not always the HOME subdirectory. It is whatever directory was last referenced via the cd command or the C chdir() function or via the callable services: BPX1CHD (24/31 bit) or BPX4CHD (64 bit).
>
> --
> John McKown
> Systems Engineer IV
> IT Administrative Services Group
> HealthMarkets(r)
> 9151 Boulevard 26 * N. Richland Hills * TX 76010
> (817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com
Re: Program FLIH backdoor - This is a criminal breach of security!
Charles - yes, it is somewhat ambiguous what violation of the IBM statement of integrity means. Perhaps some Integrity Vulnerability examples will help clarify:

1) If your authorized program while executing in PSW key 0-7 stores into an address provided by an unauthorized caller then this is a violation of the IBM statement of integrity.

2) If your authorized program while executing in PSW Key 0-7 or supervisor state branches to an address provided by an unauthorized requester then this is a violation of the IBM statement of Integrity.

3) If your authorized program while executing in PSW Key 0-7 or supervisor state returns control to an unauthorized requester in an authorized state then this is a violation of the IBM statement of Integrity. By authorized state I mean PSW Key 0-7, Supervisor state, or now has the ability to MODESET.

4) If your authorized program while executing in PSW Key 0-7 copies fetch protected storage to non-fetch protected storage then this is a violation of the IBM statement of integrity.

The unauthorized requester in these cases would be any PSW Key 8 problem state program that is not currently enabled to MODESET prior to issuing a request to an authorized service. After the request completes the program now has new capabilities that were not available prior to the request such as:

- The program could now be in an authorized state (psw key 0-7 or supervisor state)
- The program could now have the ability to MODESET
- The security credentials may have been dynamically elevated (i.e. - I now have RACF privileged attribute which I did not have before)
- Some code provided by my program could have been executed in an authorized state (PSW Key 0-7 or Supervisor state).

If you examine the before and after state around the invoking of the authorized service you generally see some form of elevated capabilities when a violation of the IBM statement of integrity occurs.

Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series(TM)
www.zassure.com
(312)574-0007

On 3/8/2012 11:20 AM, Charles Mills wrote:

> I will give it one more shot at trying to clarify what I mean. Witness this thread, reasonable people can disagree on what violates the statement of integrity means. One person's reasonable or only available technique is another person's violation. We could use some finer granularity. We could use a standard statement of does X but does not do Y.
>
> Charles
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Ray Overby
> Sent: Thursday, March 08, 2012 8:45 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Program FLIH backdoor - This is a criminal breach of security!
>
> The IBM statement of Integrity or its equivalent is a standard that all authorized programs should conform with. See IBM statement of Integrity
> http://www-03.ibm.com/systems/z/os/zos/features/racf/zos_integrity_statement.html.
> If you look at z/OS V1R12.0 MVS Authorized Assembler Services Guide: 21.1.2
> http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/iea2a8b0/21.1.2?ACTION=MATCHESREQUEST=system+integrityTYPE=FUZZYSHELF=EZ2ZBK0KDT=20100629141054CASE=searchTopic=TOPICsearchText=TEXTsearchIndex=INDEXrank=RANKScrollTOP=FIRSTHIT#FIRSTHIT
> /you/ will see that IBM puts the responsibility on the installation for ensuring the integrity (i.e. - conforms to the IBM statement of Integrity) for any modifications or extensions to z/OS the installation makes. This would include any authorized code written/installed by the installation as well as any authorized code installed that is from ISVs.
>
> If the backdoor, intercept, or other authorized program violates the IBM statement of integrity then it is a problem that needs to be remediated.
Re: Program FLIH backdoor - This is a criminal breach of security!
> 1) If your authorized program while executing in PSW key 0-7 stores into an address provided by an unauthorized caller then this is a violation of the IBM statement of integrity.

Sorry - I disagree with this.

It is quite OK for auth routines (eg PC-ss) to store into storage whose address is provided by the caller *AS LONG AS THE CALLER'S KEY IS USED* when moving the data. See the MVCDK instruction.

Likewise any authorized routine should treat caller provided storage with suspicion and use MVCSK to copy any data from the caller and use trusted control block pointers rather than rely on caller contents.

Rob Scott
Lead Developer
Rocket Software
275 Grove Street * Newton, MA 02466-2272 * USA
Tel: +1.781.684.2305
Email: rsc...@rs.com
Web: www.rocketsoftware.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Ray Overby
Sent: 08 March 2012 18:46
To: IBM-MAIN@bama.ua.edu
Subject: Re: Program FLIH backdoor - This is a criminal breach of security!

Charles - yes, it is somewhat ambiguous what violation of the IBM statement of integrity means. Perhaps some Integrity Vulnerability examples will help clarify:

1) If your authorized program while executing in PSW key 0-7 stores into an address provided by an unauthorized caller then this is a violation of the IBM statement of integrity.

2) If your authorized program while executing in PSW Key 0-7 or supervisor state branches to an address provided by an unauthorized requester then this is a violation of the IBM statement of Integrity.

3) If your authorized program while executing in PSW Key 0-7 or supervisor state returns control to an unauthorized requester in an authorized state then this is a violation of the IBM statement of Integrity. By authorized state I mean PSW Key 0-7, Supervisor state, or now has the ability to MODESET.

4) If your authorized program while executing in PSW Key 0-7 copies fetch protected storage to non-fetch protected storage then this is a violation of the IBM statement of integrity.

The unauthorized requester in these cases would be any PSW Key 8 problem state program that is not currently enabled to MODESET prior to issuing a request to an authorized service. After the request completes the program now has new capabilities that were not available prior to the request such as:

- The program could now be in an authorized state (psw key 0-7 or supervisor state)
- The program could now have the ability to MODESET
- The security credentials may have been dynamically elevated (i.e. - I now have RACF privileged attribute which I did not have before)
- Some code provided by my program could have been executed in an authorized state (PSW Key 0-7 or Supervisor state).

If you examine the before and after state around the invoking of the authorized service you generally see some form of elevated capabilities when a violation of the IBM statement of integrity occurs.

Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series(TM)
www.zassure.com
(312)574-0007
JCL example to relink a CSECT into an existing load module
Let me try to begin at the beginning. The scheme you used to produce the around 11,000 executables you want to modify was ill-chosen. There was no need to recompile the source text of program BA4C1426 around 11,000 times. Compiling it just once would have been enough.

The object module produced by that single compilation could then have been link edited or bound into a convenient library specifying NCAL. Then, when your applications were compiled (WITHOUT including BA4C1426 in them) and subsequently linked or bound---with the library into which the NCAL load module for BA4C1426 was linked or bound made available to these other link or bind steps---the linkage editor or binder would have done the necessary automatically.

Now as to your present situation, from circa 1965 forward the various linkage editors and now the binder have supported a REPLACE operation---It is also the delete operation; if you replace something with nothing, something is just deleted---that permits one CSECT to be replaced by another.

Please post the linkage-editor [or binder] output for one of your old load modules. If it shows that BA4C1426 is a separate CSECT, a trivial relink or rebind operation with the same REPLACE statement for each of your around 11,000 applications will solve your problem. If not, not. (The ill-advised COPY operations may perhaps, depending upon when they were done, preclude this operation.)

John Gilmore, Ashland, MA 01721 - USA
Re: JCL example to relink a CSECT into an existing load module
On 8 Mar 2012 09:51:54 -0800, in bit.listserv.ibm-main you wrote:

> This would require a recompile of pretty much the entire application which is around 11,000 load modules. This COBOL application is written in proprietary object oriented COBOL and each load module represents an object oriented class (for the most part). So a recompile of the entire application would require a testing/migration effort that is too arduous for the application team. However, if we can just change the statically compiled BA4C1426 program and relink it into the existing 11,000 load modules, it significantly reduces the scope of the change to something that is more manageable from a testing and migration effort.

Because of the way optimization works, BA4C1426 may not be a separate CSECT and may even be inline code with no actual CALL being issued. If you have a smart change management system that can trigger recompiles based on copybook changes, that is probably the way to go. The other choice is to scan the source library for all instances of COPY BA4C1426 and generate the compile jobs for these programs.

Clark Morris

> Thanks,
> Tim Zielke
> CICS/MQ Systems Programmer
> Aon Hewitt
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Scott Ford
> Sent: Thursday, March 08, 2012 11:33 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: JCL example to relink a CSECT into an existing load module
>
> Tim,
>
> What wouldn't you want to compile and link the appropriate way ? Just curious here and not judging...what's the reasoning ? Maybe other methods ...
>
> Sent from my iPad
> Scott Ford
> Senior Systems Engineer
> www.identityforge.com
>
> On Mar 8, 2012, at 11:57 AM, Tim Zielke tim.zie...@aonhewitt.com wrote:
>
>> I sent the following to the CICS LISTSERV, and someone mentioned that the IBM-MAIN would be a better place for this type of inquiry. I did get some good JCL examples from the CICS LISTSERV, but if someone has some past experience of this working with specifically COBOL, that would be great. Some of these existing COBOL modules that will be relinked with the new BA4C1426 CSECT were compiled/linked under COBOL-II. We now use Enterprise COBOL 3.4 and the new BA4C1426 will be generated with Enterprise COBOL 3.4.
>>
>> Hello,
>>
>> We have 1000's of CICS COBOL programs that COPY in a COBOL source program called BA4C1426 and then statically call it. I have given some code examples of how this works below. In this example, COBOL program BA4C1976 does a COPY to bring in the COBOL source of BA4C1426 at compile time and then statically calls BA4C1426.
>>
>> Our application team would like to change just the BA4C1426 code and then relink the change into the existing modules. So for the example below, BA4C1976 would not be recompiled, but the binder step would be run to update the existing BA4C1976 load module with a new CSECT for BA4C1426.
>>
>> Would anyone have some examples of existing JCL of how to do the relink step of swapping in a new CSECT into an existing load module? I was going to research it, but was thinking someone on this list has already done it and would have an example already available. I didn't find any examples quickly with google searches.
>>
>> Here is an example of how a module like BA4C1976 references BA4C1426:
>>
>>     Identification Division.
>>     * Object-Class PrsnDBPmtInstRef.
>>     Program-Id. BA4C1976.
>>     . . .
>>     Procedure Division using Self Client-Variables Global-Variables Arglist.
>>     . . .
>>         Call 'BA4C1426' Using DfhEiBlk DfhCommArea TV-023-PRSNDBPMTINSTRSLT-LS
>>              Client-Variables Global-Variables ParmList
>>     . . .
>>     COPY BA4C1426.
>>     End Program BA4C1976.
>>
>> The BA4C1426 source that is referenced by the COPY BA4C1426 line is a COBOL program:
>>
>>     Identification Division.
>>     * Object-Class PARNLIST.
>>     Program-Id. BA4C1426.
>>     . . . COBOL source . . .
>>     End Program BA4C1426.
>>
>> Thanks,
>> Tim Zielke
>> Aon Hewit
>> CICS/MQ Systems Programmer
Re: Program FLIH backdoor - This is a criminal breach of security!
Rob -

How about: If your authorized program while executing in PSW Key 0-7 stores into an address provided by an unauthorized caller (as long as the store operation uses the execution PSW KEY) then this is a violation of the IBM statement of integrity.

Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series(TM)
www.zassure.com
(312)574-0007

On 3/8/2012 13:02 PM, Rob Scott wrote:

>> 1) If your authorized program while executing in PSW key 0-7 stores into an address provided by an unauthorized caller then this is a violation of the IBM statement of integrity.
>
> Sorry - I disagree with this.
>
> It is quite OK for auth routines (eg PC-ss) to store into storage whose address is provided by the caller *AS LONG AS THE CALLER'S KEY IS USED* when moving the data. See the MVCDK instruction.
>
> Likewise any authorized routine should treat caller provided storage with suspicion and use MVCSK to copy any data from the caller and use trusted control block pointers rather than rely on caller contents.
>
> Rob Scott
> Lead Developer
> Rocket Software
> 275 Grove Street * Newton, MA 02466-2272 * USA
> Tel: +1.781.684.2305
> Email: rsc...@rs.com
> Web: www.rocketsoftware.com
Re: Program FLIH backdoor - This is a criminal breach of security!
How about:

If your authorized program, while executing in PSW key 0-7 stores into an address provided by an unauthorized caller without using the caller's key then this is a violation of the IBM statement of integrity

I am sure there are other people on IBM-Main who could make this more readable and accurate.

Truth is that there are lots of programs out there (public domain, in-house utilities) that just splat into caller storage using Key0 regardless of caller key.

A good example of how to do it properly in Authorized Assembler Programming Guide would be my preferred start for re-education of the masses.

Rob Scott
Lead Developer
Rocket Software
275 Grove Street * Newton, MA 02466-2272 * USA
Tel: +1.781.684.2305
Email: rsc...@rs.com
Web: www.rocketsoftware.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Ray Overby
Sent: 08 March 2012 19:15
To: IBM-MAIN@bama.ua.edu
Subject: Re: Program FLIH backdoor - This is a criminal breach of security!

Rob -

How about: If your authorized program while executing in PSW Key 0-7 stores into an address provided by an unauthorized caller (as long as the store operation uses the execution PSW KEY) then this is a violation of the IBM statement of integrity.

Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series(TM)
www.zassure.com
(312)574-0007
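The distinction argued in the messages above (a store or copy done with the service's own PSW key versus one done with the caller's key, as MVCDK and MVCSK do) can be shown with a small C model. This is an added illustration, not code from the thread or from IBM; the three-frame layout, the service names and the return codes are assumptions, and key-controlled protection is reduced to one key and one fetch-protection bit per 4 KB frame.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): one storage key and one fetch-protection
   bit per 4 KB frame; overrides and special keys are ignored. */
#define FRAME_SIZE 4096u
#define NFRAMES    3u
#define RC_OK      0
#define RC_PROT    4            /* stands in for a protection exception */

enum { SERVICE_KEY = 0, CALLER_KEY = 8 };
enum { SYS_BASE = 0, CALLER_BASE = FRAME_SIZE, WORK_BASE = 2 * FRAME_SIZE };
#define SYS_FLAG   (SYS_BASE + 0x10)   /* constructed key-0 control byte */
#define SYS_SECRET (SYS_BASE + 0x20)   /* constructed 8-byte secret */

typedef struct { uint8_t key; bool fetch_prot; } frame_attr;
static frame_attr attr[NFRAMES];
static uint8_t    mem[NFRAMES * FRAME_SIZE];

void reset_storage(void)
{
    memset(mem, 0, sizeof mem);
    attr[0] = (frame_attr){ 0, true };   /* system storage */
    attr[1] = (frame_attr){ 8, false };  /* unauthorized caller's storage */
    attr[2] = (frame_attr){ 0, true };   /* service work area */
    memcpy(&mem[SYS_SECRET], "TOPSECRT", 8);
    mem[WORK_BASE] = 0xFF;               /* one-byte result the service returns */
}

uint8_t peek(uint32_t addr) { return mem[addr]; }

/* Key 0 matches every frame; any other key must equal the frame's key.
   A mismatch blocks stores always and fetches only if fetch-protected. */
static bool access_ok(uint8_t access_key, uint32_t addr, size_t len, bool store)
{
    if (len == 0 || addr >= sizeof mem || len > sizeof mem - addr) return false;
    for (size_t f = addr / FRAME_SIZE; f <= (addr + len - 1) / FRAME_SIZE; f++) {
        bool match = access_key == 0 || access_key == attr[f].key;
        if (!match && (store || attr[f].fetch_prot)) return false;
    }
    return true;
}

/* Models MVC, MVCDK and MVCSK: each operand is checked with its own access
   key, and nothing moves unless both checks pass. */
static int move_keyed(uint32_t dst, uint8_t dst_key,
                      uint32_t src, uint8_t src_key, size_t len)
{
    if (!access_ok(src_key, src, len, false)) return RC_PROT;
    if (!access_ok(dst_key, dst, len, true))  return RC_PROT;
    memmove(&mem[dst], &mem[src], len);
    return RC_OK;
}

/* Item 1 as first worded: the key-0 service stores through a caller-supplied
   address with its own PSW key (plain MVC). */
int svc_result_psw_key(uint32_t out)
{
    return move_keyed(out, SERVICE_KEY, WORK_BASE, SERVICE_KEY, 1);
}

/* Same store with the destination checked under the caller's key (MVCDK). */
int svc_result_caller_key(uint32_t out, uint8_t caller_key)
{
    return move_keyed(out, caller_key, WORK_BASE, SERVICE_KEY, 1);
}

/* Item 4: copy from a caller-named source with the service's key. */
int svc_copy_psw_key(uint32_t src, uint32_t out, size_t len)
{
    return move_keyed(out, SERVICE_KEY, src, SERVICE_KEY, len);
}

/* Fetch the source under the caller's key into the work area (MVCSK),
   then store the result under the caller's key (MVCDK). */
int svc_copy_caller_key(uint32_t src, uint32_t out, size_t len, uint8_t caller_key)
{
    uint32_t work = WORK_BASE + 0x100;
    int rc = move_keyed(work, SERVICE_KEY, src, caller_key, len);
    if (rc != RC_OK) return rc;
    return move_keyed(out, caller_key, work, SERVICE_KEY, len);
}

int main(void)
{
    int rc;
    reset_storage();
    rc = svc_result_psw_key(SYS_FLAG);
    printf("store, PSW key:    rc=%d flag=%02X\n", rc, peek(SYS_FLAG));
    reset_storage();
    rc = svc_result_caller_key(SYS_FLAG, CALLER_KEY);
    printf("store, caller key: rc=%d flag=%02X\n", rc, peek(SYS_FLAG));
    rc = svc_copy_psw_key(SYS_SECRET, CALLER_BASE, 8);
    printf("copy, PSW key:     rc=%d buf=%.8s\n", rc, (char *)&mem[CALLER_BASE]);
    reset_storage();
    rc = svc_copy_caller_key(SYS_SECRET, CALLER_BASE, 8, CALLER_KEY);
    printf("copy, caller key:  rc=%d\n", rc);
    return 0;
}
```

In the model the before-and-after check described in the thread is visible directly: with the service's key the key-0 flag changes and the secret lands in key-8 storage, while with the caller's key both requests end in a protection exception and storage is unchanged.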
Re: JCL example to relink a CSECT into an existing load module
On Thu, 8 Mar 2012 12:56:32 -0500, Tony Harminc wrote:

>     //SYSLMOD DD DSN=main.loadlib
>     //NEWMOD DD DSN=load.library.where.you.put.the.new.module
>     //SYSLIN DD *
>      INCLUDE NEWMOD(BA4C1426)
>      INCLUDE SYSLMOD(BA4C1976)
>      NAME BA4C1976(R)

In order for this to work correctly, an ENTRY statement is needed:

    //SYSLMOD DD DSN=main.loadlib
    //NEWMOD DD DSN=load.library.where.you.put.the.new.module
    //SYSLIN DD *
     INCLUDE NEWMOD(BA4C1426)
     INCLUDE SYSLMOD(BA4C1976)
     ENTRY BA4C1976
     NAME BA4C1976(R)

The binder will include the new BA4C1426 first, then the old BA4C1976. The old BA4C1976 contains a BA4C1426 CSECT, but since you have already included a CSECT by that name, the old BA4C1426 CSECT is not retained.

The ENTRY statement is needed or the entry point for the new load module would be BA4C1426.

-- Tom Marchant
Re: JCL example to relink a CSECT into an existing load module
The scheme Tom Marchant proposes is workable, but it is order-dependent in a way that I find disagreeable. I suggest the use of the REPLACE statement instead. Its syntax is

| REPLACE oldsec(newsec)

See pp. 63ff of z/Os MVS Program management: User's guide and reference, SA22-7643-10, which includes some COBOL examples.

John Gilmore, Ashland, MA 01721 - USA
Re: JCL example to relink a CSECT into an existing load module
On Thu, 8 Mar 2012 14:01:03 -0600, Tom Marchant wrote:

> In order for this to work correctly, an ENTRY statement is needed:
>
>     //SYSLMOD DD DSN=main.loadlib
>     //NEWMOD DD DSN=load.library.where.you.put.the.new.module
>     //SYSLIN DD *
>      INCLUDE NEWMOD(BA4C1426)
>      INCLUDE SYSLMOD(BA4C1976)
>      ENTRY BA4C1976
>      NAME BA4C1976(R)

Or not. I've never used it, but an alternative would seem to be:

    //SYSLMOD DD DSN=main.loadlib
    //NEWMOD DD DSN=load.library.where.you.put.the.new.module
    //SYSLIN DD *
     INCLUDE NEWMOD(BA4C1426)
     INCLUDE -ATTR SYSLMOD(BA4C1976)
     NAME BA4C1976(R)

This kills many birds with one stone: AC, AMODE, DC, OL, REUS, RMODE, SSI, TEST, entry point, DYNAM, and MIGRATABLE. I suspect this option was introduced to support invocation of Binder by IEBCOPY. I expect a regular contributor to this forum to bristle at such a lazy shortcut.

-- gil
Re: Interfacing with the MainFrame
Chris,

Dude I am in agreement here ...obviously somebody wants a freebie. Describe what you want Ed. We could design it, just come up with the necessary specs and bucks ..

Sent from my iPad
Scott Ford
Senior Systems Engineer
www.identityforge.com

On Mar 7, 2012, at 5:44 PM, Chris Craddock crashlu...@gmail.com wrote:

> So basically, you're planning to create a product and you want us to describe how to do it?
>
> Sent from my iPad
>
> On Mar 7, 2012, at 3:51 PM, Ed Mackmahon dropip...@gmail.com wrote:
>
>> Many thanks for your answers. Let me provide some more information
>>
>> I intend that the interface will logon to the mainframe and issue some operator commands, read some members etc... gather information and send it to the open systems server for further analysis.
>>
>> The user which will be used for logon to the mainframe will have specific RACF/TSS/CA1 display only authorities and the server is on the organization intranet not an out side server.
>>
>> Having that, I am still looking for the preferred way for interfacing in a way that most organization will have no problem to authorize and using most common services available on most organizations (don't want to impose implementing other services as a preq) - that was the reason I was thinking on FTP and Rexx server...
>>
>> Any other comments / Ideas ?
>>
>> Thanks
>> Ed.
Re: Interfacing with the MainFrame
zMan,

Yep sure do

Sent from my iPad
Scott Ford
Senior Systems Engineer
www.identityforge.com

On Mar 7, 2012, at 5:36 PM, zMan zedgarhoo...@gmail.com wrote:

> On Wed, Mar 7, 2012 at 5:31 PM, Scott Ford scott_j_f...@yahoo.com wrote:
>
>> That would be another way, httpd on z/os , have a cgi do the work, tats. Good one Ed.
>
> Scott, Web services doesn't mean httpd+cgi, it means SOA (WSDL, etc.). Which has already been suggested.
>
> Whatever you do, you want to use SSL or equivalent. FTP is dead in the water.
>
> --
> zMan -- I've got a mainframe and I'm not afraid to use it
Re: Interfacing with the MainFrame
Ed

Just in case there could be something in the MQ concept for you, first try this redpaper (1999):

http://www.redbooks.ibm.com/abstracts/redp0021.html

and then, if appealing, look around the redbook site for current implementations:

http://www.redbooks.ibm.com/

Chris Mason

On Wed, 7 Mar 2012 15:51:21 -0600, Ed Mackmahon dropip...@gmail.com wrote:

> Many thanks for your answers. Let me provide some more information
>
> I intend that the interface will logon to the mainframe and issue some operator commands, read some members etc... gather information and send it to the open systems server for further analysis.
>
> The user which will be used for logon to the mainframe will have specific RACF/TSS/CA1 display only authorities and the server is on the organization intranet not an out side server.
>
> Having that, I am still looking for the preferred way for interfacing in a way that most organization will have no problem to authorize and using most common services available on most organizations (don't want to impose implementing other services as a preq) - that was the reason I was thinking on FTP and Rexx server...
>
> Any other comments / Ideas ?
>
> Thanks
> Ed.
Re: Tips for continuing DD statement with only one parameter field
In 5b3c73e7-6309-4438-b9ac-9e002f989...@yahoo.com, on 03/07/2012 at 05:30 PM, Scott Ford scott_j_f...@yahoo.com said:

> There is a limitation on parms of 100 bytes if memory serves me.

The PARM keyword parameter of EXEC has a limit of 100; the PATH keyword parameter of DD does not.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: Interfacing with the MainFrame
In 4274496589392669.wa.dropipopigmail@bama.ua.edu, on 03/07/2012 at 03:51 PM, Ed Mackmahon dropip...@gmail.com said:

> I intend that the interface will logon to the mainframe and issue some operator commands,

If you really mean *operator* commands, that conflicts with

> The user which will be used for logon to the mainframe will have specific RACF/TSS/CA1 display only authorities

You need more than that to issue operator commands. What commands do you need to issue and why?

> Having that, I am still looking for the preferred way for interfacing in a way that most organization will have no problem to authorize

If you need to run your own code on the mainframe, why bother with FTP at all? Why not let a single address space do all the work, communicating to the other server with TCP, or SCTP if you need to get fancy?

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: SMPE HOLDDATA question..
In 846673179e25e44cbe313a7842d7e65a0580b...@a1dal1swpes20mb.ams.acs-inc.net, on 03/08/2012 at 04:39 AM, Veena, Sridhar sridhar.ve...@acs-inc.com said:

> Does this mean I skip applying first two SYSMODs HAAWA10 and HAAW910, I will apply the third SYSMOD HADLA10 but follow it up with PTF UK75991 apply.

No. It means skip applying all three unless fixes are available and that UK75991 is supposed to fix AM54484; it says nothing about UK75991 fixing any other APAR.

> What does it mean when they say obtain your latest HOLDDATA from IBM site and apply it?!

Download the file and RECEIVE it.

> Also, when exactly I choose to BYPASS the HOLD information?!

When you know what you're doing. That means that you've read the accompanying documentation and you know that it's safe to bypass. I'd advise a thorough reading of the SMP/E manuals before proceeding.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
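Added example, not part of any post in this thread: a small Python reader for the ++HOLD statements quoted in the original question, listing for each ERROR hold the reason APAR and the FIX PTF named in SMRTDATA, if any. The `still_held` helper and its `ptfs_on_hand` argument are hypothetical reading aids; SMP/E itself decides whether a hold is resolved.

```python
import re

# First three ++HOLD statements from the question earlier in this thread.
HOLDDATA = """\
++HOLD(HAAWA10) FMID(HAAWA10) REASON(AM58699) ERROR DATE(12066)
 COMMENT(SMRTDATA(SYMP(DAL) CHGDT(120306))) CLASS(HIPER).
++HOLD(HAAW910) FMID(HAAW910) REASON(AM58694) ERROR DATE(12060)
 COMMENT(SMRTDATA(SYMP(DAL) CHGDT(120229))) CLASS(HIPER).
++HOLD(HADLA10) FMID(HADLA10) REASON(AM54484) ERROR DATE(12040)
 COMMENT(SMRTDATA(FIX(UK75991) SYMP(FUL) CHGDT(120209))) CLASS(HIPER).
"""

# Innermost KEY(value) operands; this also reaches inside COMMENT(SMRTDATA(...)).
OPERAND = re.compile(r"\b(FMID|REASON|DATE|FIX|SYMP|CHGDT|CLASS)\(([^()]*)\)")
HOLD_TYPE = re.compile(r"\)\s+(ERROR|SYSTEM|USER)\b")


def parse_holds(text):
    """Return one dict per ++HOLD statement found in text."""
    holds = []
    for chunk in re.split(r"(?=\+\+HOLD\()", text):
        head = re.match(r"\+\+HOLD\(([^()]+)\)", chunk)
        if not head:
            continue  # preamble such as "++ NULL." or a comment
        hold = {"sysmod": head.group(1), "fix": None}
        for key, value in OPERAND.findall(chunk):
            hold[key.lower()] = value.strip()
        kind = HOLD_TYPE.search(chunk)
        hold["type"] = kind.group(1) if kind else None
        holds.append(hold)
    return holds


def still_held(holds, ptfs_on_hand=()):
    """ERROR holds with no FIX named, or whose FIX is not in ptfs_on_hand.

    ptfs_on_hand is a hypothetical list of PTFs you have received; SMP/E
    makes the real resolution decision at APPLY time.
    """
    return [h for h in holds
            if h["type"] == "ERROR"
            and (h["fix"] is None or h["fix"] not in ptfs_on_hand)]


if __name__ == "__main__":
    for h in still_held(parse_holds(HOLDDATA)):
        print(h["sysmod"], h["reason"], h["class"], "fix:", h["fix"] or "none listed")
```

With no PTFs on hand all three FMIDs are reported as held, which matches the reply above; passing `["UK75991"]` drops only HADLA10 from the list.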
Re: Customer Service, the good and the bad...
In 77142d37c0c3c34da0d7b1da7d7ca3473...@nwt-s-mbx1.rocketsoftware.com, on 03/07/2012 at 11:36 PM, Bill Fairchild bfairch...@rocketsoftware.com said:

> My real main subtle point was that we who try to give an answer need to remember to compose our text so that it comes across as helpful;

There can be significant disagreement as to what is helpful. Spoon feeding is often not helpful in the long run.

Also, there is no requirement to be equally helpful to all posters. I've posted sample code and quotes from manuals for some people, but I'm selective about it. In particular, there are some posters who habitually lie about the positions held by other posters, and I see no reason why I should take the time to help them. Similarly, if someone has already read[1] the manual and it is unclear, or incorrect, then I'm more likely to offer assistance than if he didn't bother.

[1] Or been unable to navigate the SRL to find the correct manual, which is often IBM's fault rather than that of the would-be reader.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)