Re: VTAMLST - missing RACF features
W dniu 2012-03-09 18:00, Juan Mautalen pisze: Hi: We currently have our VTAMLST libraries protected with UACC(READ). IBM suggests UACC(NONE) for them (RACF Security Administrator Guide, apendix D- Security for system datasets) . I want to make the change, but of course i know i must be extremely carefull with this change. I need to detect all users needing read access to VTAMLST. Human users are not my problem, my worry is about non-human ones (users of system tasks, started tasks, etc.). [...] That brought to my mind missing (IMHO) features of RACF. Now one can put the profile in WARNING mode, which effectively mean UACC(ALTER), or one can set AUDIT and wait for the SMF records, which can be ineffective and lengthy. The following solutions could help in such case: 1. ACC-WARN A warning set at given access level. Especially useful for such purposes like change UACC(NONE) - UACC(READ). One simply changes UACC and sets additional field with WARN-READ. Effect: regular checking is performed, only for unauthorized READ requests there is an access with warning message, higher accesses are rejected. To be checked after regular WARNING (which would make the above ineffective). 2. Warning for selected users/groups IMHO less sexy, but still fine. An access list for users/groups - only for them the WARNING is honored. In such case the candidates would be started tasks users. My €0.02 -- Radoslaw Skorupka Lodz, Poland -- Treść tej wiadomości może zawierać informacje prawnie chronione Banku przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie lub inne działanie o podobnym charakterze jest prawnie zabronione i może być karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku. This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive. BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, fax +48 (22) 829 00 33, www.brebank.pl, e-mail: i...@brebank.pl Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców KRS 025237, NIP: 526-021-50-88. Według stanu na dzień 01.01.2012 r. kapitał zakładowy BRE Banku SA (w całości wpłacony) wynosi 168.410.984 złotych. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Backlevel IPCS issue at z/OS 1.13
Mark, Your CLIST is almost identical to my REXX exec. Except I have to push the TSOLIB command onto the stack as it won't run under rexx, even with an address TSO in front, and I therefore also push ISPF as well. I tried typing in your commands at the TSO ready prompt. Still no joy ISPF/IPCS just isn't 'seeing' the TSOLIB. It works fine on LPARS running z/OS 1.11. It just doesn't work at z/OS 1.13 as BLSG gets loaded from ISPLLIB insted of the library set with TSOLIB. Unless I can work out what's wrong I'll have to resort to messing with ISPLLIB etc. Ron. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: CICS Maintenance - LPA change
Peter, If it does not work, because the application loads the module once and uses this version from then on, refreshing the module and restarting the application should work, correct? Kees. Peter Relson rel...@us.ibm.com wrote in message news:of912f7c2d.fb4c9ddb-on852579bd.00769d61-852579bd.0076e...@us.ibm.c om... If the owner of the service item did not tell you using dynamic LPA would work, you should have no expectation that it will, and you should not do it. This applies to every piece of service regardless of product. Peter Relson z/OS Core Technology Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN For information, services and offers, please visit our web site: http://www.klm.com. This e-mail and any attachment may contain confidential and privileged material intended for the addressee only. If you are not the addressee, you are notified that no part of the e-mail or any attachment may be disclosed, copied or distributed, and that any other action related to this e-mail or attachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immediately by return e-mail, and delete this message. Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its employees shall not be liable for the incorrect or incomplete transmission of this e-mail or any attachments, nor responsible for any delay in receipt. Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch Airlines) is registered in Amstelveen, The Netherlands, with registered number 33014286 -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Aprapros of Nothing
Sadly, there are some that are. Use POPFILE or some other Bayesian filter. On Sun, 11 Mar 2012 14:59:18 -0700 Ulrich Krueger u...@pacbell.net wrote: :Just tell Outlook to _not_ mark emails from IBM-MAIN@bama.ua.edu as Spam. : : :Regards, :Ulrich Krueger : : :-Original Message- :From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf :Of Andy Coburn :Sent: Sunday, March 11, 2012 2:48 PM :To: IBM-MAIN@bama.ua.edu :Subject: Aprapros of Nothing : :Not due to anything I've overtly done, Microsoft Outlook 2003 has decided :that any e-mail with the subject Re: Program FLIH backdoor - This is a :criminal breach of security! is to be placed immediately in the Junk E-mail :folder. And does so. : :Does Outlook know something I don't know? : :Andy : :-- :For IBM-MAIN subscribe / signoff / archive access instructions, :send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN : :-- :For IBM-MAIN subscribe / signoff / archive access instructions, :send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- Binyamin Dissen bdis...@dissensoftware.com http://www.dissensoftware.com Director, Dissen Software, Bar Grill - Israel Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain. I very rarely bother responding to challenge/response systems, especially those from irresponsible companies. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Are LPAR names unique or effectively unique?
I've been asked to look into seat based licensing for z/OS and for this I need a unique z/OS image name for the license. I can see that an LPAR has an ID (a number) and a name. The LPAR ID appears to be unique, but is the name unique or effectively unique? By 'effectively' I mean would a duplicate name be problematic. Also, are LPAR names and IDs normally paired/tied, or might they change? Would a license based on the LPAR ID rather than name be acceptable? Thanks -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Are LPAR names unique or effectively unique?
Nowadays machine serial number is in Type 70 in a unique way. So I'd use that, together with LPAR number and name. Not sure how you'll cope if an LPAR has to move to a different machine. Cheers, Martin Martin Packer, Mainframe Performance Consultant, zChampion Worldwide Banking Center of Excellence, IBM +44-7802-245-584 email: martin_pac...@uk.ibm.com Twitter / Facebook IDs: MartinPacker Blog: https://www.ibm.com/developerworks/mydeveloperworks/blogs/MartinPacker From: Mr Austin austinm...@yahoo.com To: IBM-MAIN@bama.ua.edu, Date: 12/03/2012 10:39 Subject: Are LPAR names unique or effectively unique? Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu I've been asked to look into seat based licensing for z/OS and for this I need a unique z/OS image name for the license. I can see that an LPAR has an ID (a number) and a name. The LPAR ID appears to be unique, but is the name unique or effectively unique? By 'effectively' I mean would a duplicate name be problematic. Also, are LPAR names and IDs normally paired/tied, or might they change? Would a license based on the LPAR ID rather than name be acceptable? Thanks -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN Unless stated otherwise above: IBM United Kingdom Limited - Registered in England and Wales with number 741598. Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
MIGRATING A ML0 VOLUME - CLARIFICATION
Good Day To All Readers I issued the following command HSEND MIGRATE VOLUME(SMR101) DAYS(0) thinking that it would migrate the dsns to ML1 or ML2. However I noticed that the dsns were migrated to other ML0 volumes. Was I wrong in thinking that? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: MIGRATING A ML0 VOLUME - CLARIFICATION
A non zero days would migrate to ML1 according to normal rules. Then follow with a zero days command to clear the primary volume. On Mon, Mar 12, 2012 at 7:24 AM, willie bunter williebun...@yahoo.com wrote: Good Day To All Readers I issued the following command HSEND MIGRATE VOLUME(SMR101) DAYS(0) thinking that it would migrate the dsns to ML1 or ML2. However I noticed that the dsns were migrated to other ML0 volumes. Was I wrong in thinking that? -- Mike A Schwab, Springfield IL USA Where do Forest Rangers go to get away from it all? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: MIGRATING A ML0 VOLUME - CLARIFICATION
I noticed that when I tried to migrate ML1 to ML2 - HSEND FREEVOL MVOL(MVS001) TARGETLEVEL(ML2)- it is not migrating the dsns to ML2 but to other ML1 volumes Would anybody know why? From: willie bunter williebun...@yahoo.com To: IBM-MAIN@bama.ua.edu Sent: Monday, March 12, 2012 8:24:43 AM Subject: MIGRATING A ML0 VOLUME - CLARIFICATION Good Day To All Readers I issued the following command HSEND MIGRATE VOLUME(SMR101) DAYS(0) thinking that it would migrate the dsns to ML1 or ML2. However I noticed that the dsns were migrated to other ML0 volumes. Was I wrong in thinking that? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: A stupid idea? Using twitter like service for z/SO, et al., event notification.
On Fri, 9 Mar 2012 11:19:30 -0600, McKown, John john.mck...@healthmarkets.com wrote: Anyway, I was thinking that a twitter like service to which they could connect their home PC or smartphone would make it easier for them to track the activity on the system without the need to bring up a VPN connection and logon to TSO. John, I wrote a few tools like this at a previous job where we basically had no operations support. One would select output files from nightly backups using IGGCSIFX and produce an RSS feed of all the backup jobs including their completion status and links to the output from each one (does anybody really use RSS anymore?). I had another one that would use SDSF REXX to check output status of selected jobs and send an HTTP email with info and links to the output datasets. HTH Dana -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Backlevel IPCS issue at z/OS 1.13
On Mon, 12 Mar 2012 04:15:59 -0500, Ron MacRae ronmac...@hotmail.co.uk wrote: Mark, Your CLIST is almost identical to my REXX exec. Except I have to push the TSOLIB command onto the stack as it won't run under rexx, even with an address TSO in front, and I therefore also push ISPF as well. I tried typing in your commands at the TSO ready prompt. Still no joy ISPF/IPCS just isn't 'seeing' the TSOLIB. It works fine on LPARS running z/OS 1.11. It just doesn't work at z/OS 1.13 as BLSG gets loaded from ISPLLIB insted of the library set with TSOLIB. Unless I can work out what's wrong I'll have to resort to messing with ISPLLIB etc. I'm not sure I understand why your approach even works on 1.11, but it's a complex topic. As previously mentioned, if you have done a LIBDEF for ISPLLIB then in order to get that library concatenation used as a tasklib you have to use SELECT CMD, not SELECT PGM. However, if my understanding is correct, if you had an ISPLLIB DD allocated before you started ISPF, that library concatenation would be a tasklib for anything invoked under ISPF, either via SELECT PGM or SELECT CMD. So, if your correct IPCS library (proper SYS1.MIGLIB) is allocated as ISPLLIB before you start ISPF, or is allocated via LIBDEF and you use SELECT CMD, then everything should work. Your TSOLIB should be irrelevant if you have the wrong level of IPCS allocated as ISPLLIB before ISPF starts, and that should be true with either 1.11 or 1.13. The ISPLLIB allocated when ISPF starts is a tasklib for ISPF and its subtasks, and the TSOLIB as a higher level tasklib would only come into play when modules are not found in the pre-allocated ISPLLIB. -- Walt Farrell IBM STSM, z/OS Security Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Backlevel IPCS issue at z/OS 1.13
On Mon, 12 Mar 2012 04:15:59 -0500, Ron MacRae ronmac...@hotmail.co.uk wrote: Mark, Your CLIST is almost identical to my REXX exec. Except I have to push the TSOLIB command onto the stack as it won't run under rexx, even with an address TSO in front, and I therefore also push ISPF as well. I tried typing in your commands at the TSO ready prompt. Still no joy ISPF/IPCS just isn't 'seeing' the TSOLIB. It works fine on LPARS running z/OS 1.11. It just doesn't work at z/OS 1.13 as BLSG gets loaded from ISPLLIB insted of the library set with TSOLIB. Unless I can work out what's wrong I'll have to resort to messing with ISPLLIB etc. User error. :-) I don't know what you are doing wrong. You can use my CLIST as is and it should work. The key is the TSOLIB prior to invoking ISPF and using a modified BLSCLIBD that has LIBRARY ID instead of DATASET in the libdef. I didn't post that CLIST and left that as an exercise for the reader, but if it helps, I'll post that also. Remember BLSCALTL needs one line changed too (I called my IPCSALTL). I won't post that CLIST, but here is the line: ALTLIB ACTIVATE APPLICATION(CLIST) DDNAME(SBLSCLI0) Here is my IPCSALTD CLIST. You can see the changes marked MSZ. I have one other change that forces the DDIR dsn to be userid.DDIR as the normal BLSCDDIR will make it SYS1.DDIR if you run without a prefix. PROC 0 DSNAME() /* MSZ */ /* /* SPECIAL IPCS CLIST TO BE INVOKED FROM IPCSALT DRIVER CLIST TO /* RUN AN IPCS LEVEL DIFFERENT THAN THAT FROM THE RUNNING OS LEVE /* IT USES LIBRARY/DDNAME IN THE LIBDEFS INSTEAD OF DATASET NAME. /* / /* MODIFIED BLSCLIBD CLIST BELOW - LIBDEFS FOR DATASET CHANGED /* TO LIBDEFS FOR LIBRARY WITH DDNAME INSTEAD / CONTROL NOLIST ASIS /* CONTROL LIST CONLIST SYMLIST MSG /*---*/ /* TABLE, MESSAGE, SKELETON, AND PANEL LIBRARIES */ /*---*/ ALTLIB ACTIVATE APPLICATION(CLIST) DDNAME(SBLSCLI0) /* MSZ */ IF LENGTH(DSNAME)=0 THEN SET DSNAME=SYSUID..DDIR /* MSZ */ LISTDSI IPCSDDIR FILE NORECALL /* DUMP DIRECTORY FILE@05A*/ IF LASTCC4 THEN %BLSCDDIR VOLUME(LIBVSM) + DSNAME(DSNAME) /* MSZ */ ISPEXEC LIBDEF ISPMLIB LIBRARY ID(SBLSMSG0) COND/* MSZ */ ISPEXEC LIBDEF ISPPLIB LIBRARY ID(SBLSPNL0) COND/* MSZ */ ISPEXEC LIBDEF ISPSLIB LIBRARY ID(SBLSKEL0) COND/* MSZ */ /*---*/ /* INVOKE LIBDEF FOR ISPTLIB ONLY IF BLSGCMDS IS NOT */ /* AVAILABLE. 5@02A*/ /*---*/ ISPEXEC TBOPEN BLSGCMDS LIBRARY(ISPTLIB) NOWRITE SHARE IF LASTCC¬=0 THEN DO ISPEXEC LIBDEF ISPTLIB LIBRARY ID(SBLSTBL0) COND /* MSZ */ SET TLIBSET=YES END ELSE ISPEXEC TBCLOSE BLSGCMDS LIBRARY(ISPTLIB) /*---*/ /* START THE IPCS DIALOG AND SETUP THE IPCS CLIST AND REXX */ /* LIBRARY SYS1.SBLSCLI0 AS AN ALTLIB APPLICATION CLIST */ /* LIBRARY. */ /*---*/ /* ISPEXEC SELECT PGM(BLSG) NEWAPPL(BLSG) PASSLIB PARM(+ /* PGM(BLSGSCMD) PARM(EX 'SYS1.SBLSCLI0(BLSCALTL)')) /* @05C*/ ISPEXEC SELECT PGM(BLSG) NEWAPPL(BLSG) PASSLIB PARM(+ PGM(BLSGSCMD) PARM(EX 'ZELDEN.LIB.CNTL(IPCSALTL)')) /* @05C*/ /*---*/ /* LOGIC FOR IPCS SECONDARY TUTORIAL PANELS.8@01A*/ /*---*/ SET MYCC=LASTCC IF MYCC=8 THEN DO ISPEXEC SETMSG MSG(BLSMB002) COND /* @06C*/ IF LASTCC=4 THEN EXIT CODE(MYCC) /* @06C*/ WRITE DIALOG PROGRAM BLSG ENDED WITH RETURN CODE MYCC EXIT CODE(MYCC) /* @04C*/ END /*---*/ /* CANCEL THE DEFINITION AFTER THE IPCS DIALOG IS TERMINATED */
Re: Program FLIH backdoor - This is a criminal breach of security!
On Sun, Mar 11, 2012 at 8:07 AM, John Gilmore johnwgilmore0...@gmail.comwrote: Since this sort of thing is expected of me, I will note that we find ourselves between Scylla and Charybdis here. Chris Craddock's formulation was open to the exception that Peter Relson took: there is fetch-protected storage the contents of which its owner is entirely free to make available to others. Peter's exception is logically impeccable. It did, however, seem to me to be a very special one; and I observed that it was. I still prefer the ROT that the contents of protected storage should not be made available to the unauthorized (in any but very special circumstances, when they are known procedurally to be innocuous.). To repeat myself now, Peter is nonetheless correct in the abstract. There is a long intellectual tradition which has it that the production of just one black swan is an unanswerable refutation of the proposition that all swans are white. I can't quibble with Peter's exception. I was evidently not sufficiently clear. I had assumed it was self-evident to everyone that a privileged program is free to do what ever it wants with the contents of its own storage - including both disclosing and/or modifying that data - regardless of fetch protection. I was merely pointing out to a prior poster that a privileged program is required to honor key controlled protection in general and meeting that requirement is more rigorous than just not mindlessly storing in areas provided by a caller (regardless of the caller's key). -- This email might be from the artist formerly known as CC (or not) You be the judge. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
IEFBR14
All, I just ran across something that didn't make sense or maybe I was under a misconception.. I created a DATASET , Qsam file , with iefbr14 , everything looked fine. A COBOL program goes to open the file and abends with a S001-4 , the resolution was to create the DATASET with a gener...never have seen this situation before ...has anyone else seen this one before? Sent from my iPad Scott Ford Senior Systems Engineer www.identityforge.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
Did you include DSORG=PS on the DD in the IEFBR14? I am fairly sure this is necessary to have the system write an EOF during allocation. -- John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) 9151 Boulevard 26 * N. Richland Hills * TX 76010 (817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets(r) is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Scott Ford Sent: Monday, March 12, 2012 10:00 AM To: IBM-MAIN@bama.ua.edu Subject: IEFBR14 All, I just ran across something that didn't make sense or maybe I was under a misconception.. I created a DATASET , Qsam file , with iefbr14 , everything looked fine. A COBOL program goes to open the file and abends with a S001-4 , the resolution was to create the DATASET with a gener...never have seen this situation before ...has anyone else seen this one before? Sent from my iPad Scott Ford Senior Systems Engineer www.identityforge.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
In article a6b9336cdb62bb46b9f8708e686a7ea00e924b3...@nrhmms8p02.uicnrh.dom you wrote: (not posted to the group) Did you include DSORG=PS on the DD in the IEFBR14? I am fairly sure this is necessary to have the system write an EOF during allocation. But what is on the disk if you don't? In the OS/360 days, you got left-overs from previous data. I am pretty sure for security reasons it doesn't do that anymore. -- glen -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: VTAMLST - Who needs to read it
Chris: Fortunately, we have a good VTAM specialist. Of course i talked with him about this idea even before posting to the list. However, in our shop and in a more general context, when i try to make some security change (like this one), i find that support people do not bother very much about security issues. They want the system running fine. That is, of course, an excellent idea. Reaching this point, where products and components run ok, they are not very interested in properly securing them. Given the fact that there is a separate security department (where i work), they feel that security is not their business. In concrete, if i want to change VTAMLST access from UACC(READ) to UACC(NONE), that is not something they are interested in at all. It is MY problem. And, of course, if something crashes after the change, i will be the culprit. Moreover, if i dont make the change and someone extracts some valuable information from VTAMLST for bad purposes, i will also be the culprit (because of allowing anybody to read it). You get the idea... JUAN MAUTALEN --- El dom 11-mar-12, Chris Mason chrisma...@belgacom.net escribió: So this leads to some advice for Juan: Juan In the thread you initiated last August in the RACF-L list regarding the VTAMAPPL class, you said you didn't know a great deal about VTAM. Well, it would seem that the person to whom you should turn first is the VTAM specialist in your installation for advice on anything to do with VTAM. Then he or she can post - probably the best place being the IBMTCP-L list[1] - for any additional help. I have, of course, always to assume that in any installation where VTAM is used in earnest - not necessarily in conjunction with business-critical activity but close to it - there is such a specialist. Unfortunately I have heard of installations with holes in their feet! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
Scott - I think the EOF marker is handled by SMS. If a file is allocated to a non-sms volume with IEFBR14 it might be that no EOF marker was created. This can result in a wrong length read when trying to read from the dataset instead of going straight to EODAD. Sam On Mon, Mar 12, 2012 at 8:15 AM, glen herrmannsfeldt g...@ugcs.caltech.edu wrote: In article a6b9336cdb62bb46b9f8708e686a7ea00e924b3...@nrhmms8p02.uicnrh.dom you wrote: (not posted to the group) Did you include DSORG=PS on the DD in the IEFBR14? I am fairly sure this is necessary to have the system write an EOF during allocation. But what is on the disk if you don't? In the OS/360 days, you got left-overs from previous data. I am pretty sure for security reasons it doesn't do that anymore. -- glen -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
John: Here is my 'DD' //INDD5 DD DSN=VOYAGER.CACHESAV, // DCB=(DSORG=PS,RECFM=FB,LRECL=112,BLKSIZE=27888), // UNIT=SYSDA,SPACE=(CYL,5),DISP=(NEW,CATLG), // VOL=SER=XX Do you see anything wrong with this ? Scott J Ford Software Engineer http://www.identityforge.com From: McKown, John john.mck...@healthmarkets.com To: IBM-MAIN@bama.ua.edu Sent: Monday, March 12, 2012 11:06 AM Subject: Re: IEFBR14 Did you include DSORG=PS on the DD in the IEFBR14? I am fairly sure this is necessary to have the system write an EOF during allocation. -- John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) 9151 Boulevard 26 * N. Richland Hills * TX 76010 (817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets(r) is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Scott Ford Sent: Monday, March 12, 2012 10:00 AM To: IBM-MAIN@bama.ua.edu Subject: IEFBR14 All, I just ran across something that didn't make sense or maybe I was under a misconception.. I created a DATASET , Qsam file , with iefbr14 , everything looked fine. A COBOL program goes to open the file and abends with a S001-4 , the resolution was to create the DATASET with a gener...never have seen this situation before ...has anyone else seen this one before? Sent from my iPad Scott Ford Senior Systems Engineer www.identityforge.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
Looks OK to me. I wonder if the other person's idea about SMS managed or not has something to do with it. John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets® 9151 Boulevard 26 . N. Richland Hills . TX 76010 (817) 255-3225 phone . john.mck...@healthmarkets.com . www.HealthMarkets.com Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets® is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company®, Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Scott Ford Sent: Monday, March 12, 2012 10:22 AM To: IBM-MAIN@bama.ua.edu Subject: Re: IEFBR14 John: Here is my 'DD' //INDD5 DD DSN=VOYAGER.CACHESAV, // DCB=(DSORG=PS,RECFM=FB,LRECL=112,BLKSIZE=27888), // UNIT=SYSDA,SPACE=(CYL,5),DISP=(NEW,CATLG), // VOL=SER=XX Do you see anything wrong with this ? Scott J Ford Software Engineer http://www.identityforge.com From: McKown, John john.mck...@healthmarkets.com To: IBM-MAIN@bama.ua.edu Sent: Monday, March 12, 2012 11:06 AM Subject: Re: IEFBR14 Did you include DSORG=PS on the DD in the IEFBR14? I am fairly sure this is necessary to have the system write an EOF during allocation. -- John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) 9151 Boulevard 26 * N. Richland Hills * TX 76010 (817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets(r) is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Scott Ford Sent: Monday, March 12, 2012 10:00 AM To: IBM-MAIN@bama.ua.edu Subject: IEFBR14 All, I just ran across something that didn't make sense or maybe I was under a misconception.. I created a DATASET , Qsam file , with iefbr14 , everything looked fine. A COBOL program goes to open the file and abends with a S001-4 , the resolution was to create the DATASET with a gener...never have seen this situation before ...has anyone else seen this one before? Sent from my iPad Scott Ford Senior Systems Engineer www.identityforge.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
Scott and Glenn, Unless you deliberately erase it by over-writing what was on the disk, the data is still out there. The original poster was describing what I call an un-initialized data set. I.E., you allocated it but never opened it. Changes to the system, such as using SMS allocation, has helped, but as you found out, you can still get bit. Chris Blaicher Senior Software Engineer, Software Services Syncsort Incorporated 50 Tice Boulevard, Woodcliff Lake, NJ 07677 P: 201-930-8260 | M: 512-627-3803 E: cblaic...@syncsort.com www.syncsort.com Check out our Knowledge Base at www.syncsort.com/support Syncsort aims for the best product and service experience. We welcome your feedback. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of glen herrmannsfeldt Sent: Monday, March 12, 2012 10:15 AM To: MVS List Server 1 Subject: Re: IEFBR14 In article a6b9336cdb62bb46b9f8708e686a7ea00e924b3...@nrhmms8p02.uicnrh.dom you wrote: (not posted to the group) Did you include DSORG=PS on the DD in the IEFBR14? I am fairly sure this is necessary to have the system write an EOF during allocation. But what is on the disk if you don't? In the OS/360 days, you got left-overs from previous data. I am pretty sure for security reasons it doesn't do that anymore. -- glen -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Are LPAR names unique or effectively unique?
LPAR Names are unique on a single serial number, but I have at least one client that has the same LPAR names on different physical machines. Al Sherkow, I/S Management Strategies, Ltd. Consulting Expertise on Mainframe Software Pricing, WLC, LPARs and LCS Software Seminars on IBM SW Pricing Voice: +1 414 332-3062 Web: www.sherkow.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
On Mon, 12 Mar 2012 08:21:13 -0700, Sam Siegel s...@pscsi.net wrote: Scott - I think the EOF marker is handled by SMS. If a file is allocated to a non-sms volume with IEFBR14 it might be that no EOF marker was created. This can result in a wrong length read when trying to read from the dataset instead of going straight to EODAD. Sam This changed in z/OS 1.11 to include non-SMS also for an . As John M. hinted, it does require a valid DSORG. That can come from a default DATACLAS or from JCL. From the announcement letter: In z/OS V1.11, DFSMSdfp processing is changed to indicate end-of-file (EOF) during the allocation of data sets on DASD that are not SMS-managed and have either sequential or an undefined data set organization. This makes this processing for both SMS-managed and non-SMS-managed data sets consistent, to make it unnecessary to open data sets solely to indicate EOF, and to help prevent programs from reading old data when a data set is read immediately after being allocated. -- Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS mailto:m...@mzelden.com Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html Systems Programming expert at http://expertanswercenter.techtarget.com/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: MIGRATING A ML0 VOLUME - CLARIFICATION
The FREEVOL is ignoring the targetlevel. Once the datasets are on other ML1 volumes, the ML2 - ML2 will migrate the datasets on that volume using its rules. On Mon, Mar 12, 2012 at 7:52 AM, willie bunter williebun...@yahoo.com wrote: I noticed that when I tried to migrate ML1 to ML2 - HSEND FREEVOL MVOL(MVS001) TARGETLEVEL(ML2)- it is not migrating the dsns to ML2 but to other ML1 volumes Would anybody know why? -- Mike A Schwab, Springfield IL USA Where do Forest Rangers go to get away from it all? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: VTAMLST - Who needs to read it
Lizette But thanks for checking further. How about your local specialist in TPX? I have reviewed my JCL for TPX and it has an allocation for the SYS1.VTAMLST in it. Which, of course is quite a good suggestion for Juan for the purposes of seeing which of the products he runs is interested in the VTAMLST partitioned data sets. ... I can say that ... a few other things might need READ access. It is also a good suggestion for you for the purposes of fleshing out this comment and turning it from FUD to something useful. - Well, it was Sunday and so your TPX specialist may have been enjoying a day of rest. On the other hand I who obviously have nothing better to do decided to engage in some research regarding TPX. First I found the web site: http://www.ca.com/ and then a. I tried to access the TPX product documentation b. I tried to register in order to be able to access the documentation c. I discovered they remembered I had already registered some time in the past even if I had forgotten d. I found the little text file where I recorded my password - which would not be accepted today since it violates at least three of the rules now imposed! e. I logged on and downloaded all 12 pdf files f. I searched each for appearances of the token VTAMLST ... I can say that ..., TPX, ... might need READ access. I can now modify your original assertion as follows: I can say that ..., TPX, ... definitely requires READ access and at least one of the supplied utility programs requires UPDATE access. Essentially this is because, like the NetView component STATMON, TPX does indeed require to know the name of a VBUILD TYPE=APPL major node member in one of the VTAMLST partitioned data sets. There is a default name in the documentation, TPXAPPL, but this can be changed. Being a name in the VTAM name spaces defined by the names which can appear in VARY ACT and VARY INACT commands, it had jolly well better be changeable or customers would be entitled to hire a ton of bricks to drop on any developer who imposed a fixed value for such a name! In a rather hasty scan - after all I had spent enough time just getting access to the documentation! - of the places in the documentation where there was a reference to VTAMLST, I discovered that, also just like STATMON, TPX likes to adorn the APPL statements with its own comments which provide TPX with information during execution. Which leads me to the TPX utility which requires UPDATE access. It seems TPX cannot abide VTAM APPL model statements. VTAM APPL model statements give TPX a *real* headache. There is a TPX utility which corrects VTAM APPL model statements so that they are no longer VTAM APPL model statements. If I had been predisposed to humour by the time I had waded through the documentation in order to work this out, I may have done myself an injury! Chris Mason On Sun, 11 Mar 2012 12:23:48 -0400, Lizette Koehler stars...@mindspring.com wrote: Chris, I have reviewed my JCL for TPX and it has an allocation for the SYS1.VTAMLST in it. How or why it is in the STC JCL, I am unclear. But thanks for checking further. Lizette -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: VTAMLST - Who needs to read it
Alan I think you'll find NetView uses ATCCONxx just like VTAM does for deciding what is initially active at startup. You are right in your thinking. Indeed, I did find that the NetView STATMON component uses both ATCCONxx and CNMCONxx. I even recall changing ... providing the same service. to ... providing a similar service. to try to take this into account - but it was obviously insufficient an acknowledgement. My point was that, if a product was interested in a VTAMLST partitioned data set, it would need to be provided with the member names - minimally the suffix of the ATCCONxx member. Incidentally, I clearly must have known this - all of it - in the days I enabled STATMON in the NetView implementation I provided for my hands-on students, 15 to 25 years ago. I have to confess I was never a friend of STATMON and whatever it was called before some bright spark in NetView development incorporated it alongside NCCF, NPDA and NLDM. To my mind - as a teacher trying to drum correct concepts into the minds of students - it tended to reinforce a mistaken picture of the resources so very often confusingly represented by VTAM statements. I provided STATMON in the students' NetView only because they might have withdrawal symptoms if the tool wasn't available.[1] - Back to the original question, most sites I have worked at have the VTAMLST concatenation in NetView so that members can be browsed from it without having to resort to TSO. Good point - in line with Lizette's suggestion that you should look for references to VTAMLST partitioned data sets in product JCL. Casting my mind back, I believe being able to use the NetView BROWSE command for members of VTAMLST partitioned data sets is built into NetView - and I guess NCCF before it - documentation. Very probably you should change your most to all. - [1] I guess that makes sense only when it is appreciated that, in the second week of a two-week hands-on class, the student groups implemented their own small, originally, SNI network which they planned during the first week at the times they weren't following set exercises. - Chris Mason On Mon, 12 Mar 2012 08:39:30 +0300, Alan Watthey a.watt...@gmail.com wrote: Chris, I think you'll find Netview uses ATCCONxx just like VTAM does for deciding what is initially active at startup. However, CNMCONxx is for specifying any additional members that you want Netview to include in STATMON and that are not in ATCCONxx. Perhaps one doesn't activate much at all in ATCCONxx and then one gets automation to activate what one wants depending upon certain criteria. CNMCONxx would then specify all the VTAM major nodes that might get activated. Back to the original question, most sites I have worked at have the VTAMLST concatenation in Netview so that members can be browsed from it without having to resort to TSO. Regards, Alan. This is the NetView STATMON component pre-processor program. Just as VTAM has its ATCCONxx member which provides the names of members as dreamed up by the responsible system programmer so the NetView STATMON component pre-processor program has its CNMCONxx member providing a similar service. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
On Mon, Mar 12, 2012 at 8:40 AM, Mark Zelden m...@mzelden.com wrote: On Mon, 12 Mar 2012 08:21:13 -0700, Sam Siegel s...@pscsi.net wrote: Scott - I think the EOF marker is handled by SMS. If a file is allocated to a non-sms volume with IEFBR14 it might be that no EOF marker was created. This can result in a wrong length read when trying to read from the dataset instead of going straight to EODAD. Sam This changed in z/OS 1.11 to include non-SMS also for an . As John M. hinted, it does require a valid DSORG. That can come from a default DATACLAS or from JCL. From the announcement letter: In z/OS V1.11, DFSMSdfp™ processing is changed to indicate end-of-file (EOF) during the allocation of data sets on DASD that are not SMS-managed and have either sequential or an undefined data set organization. This makes this processing for both SMS-managed and non-SMS-managed data sets consistent, to make it unnecessary to open data sets solely to indicate EOF, and to help prevent programs from reading old data when a data set is read immediately after being allocated. Mark - Thanks ... I did not know that. Sam -- Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS mailto:m...@mzelden.com Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html Systems Programming expert at http://expertanswercenter.techtarget.com/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
Sam, Yeah I follow you. Has this processing changed from 1.10 up thru 1.13 , it sounds like might have. Sent from my iPad Scott Ford Senior Systems Engineer www.identityforge.com On Mar 12, 2012, at 11:21 AM, Sam Siegel s...@pscsi.net wrote: Scott - I think the EOF marker is handled by SMS. If a file is allocated to a non-sms volume with IEFBR14 it might be that no EOF marker was created. This can result in a wrong length read when trying to read from the dataset instead of going straight to EODAD. Sam On Mon, Mar 12, 2012 at 8:15 AM, glen herrmannsfeldt g...@ugcs.caltech.edu wrote: In article a6b9336cdb62bb46b9f8708e686a7ea00e924b3...@nrhmms8p02.uicnrh.dom you wrote: (not posted to the group) Did you include DSORG=PS on the DD in the IEFBR14? I am fairly sure this is necessary to have the system write an EOF during allocation. But what is on the disk if you don't? In the OS/360 days, you got left-overs from previous data. I am pretty sure for security reasons it doesn't do that anymore. -- glen -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
Writing an EOF record at the beginning of the data set does indeed help prevent programs from reading old data when a data set is read immediately after being allocated, but the way it does this results in preventing the reading of old data only from the first track. If a program can read beyond this first track (which is not difficult to do even in an unauthorized program), then the program can still read all the rest of the old data in the allocated tracks. The only way truly to prevent a program from reading any of the old data is to erase each allocated track, either when the old data set is deleted or when the new data set is allocated. Erasing is a very expensive process in terms of DASD utilization and elapsed time, which is why it is almost never done. This is perhaps another example of security through obscurity, which has been discussed lately under thread subjects starting with Program FLIH backdoor . I call it obscurity since getting beyond the first ! track deters most programs, but is not difficult if you know the obscure fact that it is quite easy to do if you want to. Bill Fairchild -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Mark Zelden Sent: Monday, March 12, 2012 10:40 AM To: IBM-MAIN@bama.ua.edu Subject: Re: IEFBR14 On Mon, 12 Mar 2012 08:21:13 -0700, Sam Siegel s...@pscsi.net wrote: Scott - I think the EOF marker is handled by SMS. If a file is allocated to a non-sms volume with IEFBR14 it might be that no EOF marker was created. This can result in a wrong length read when trying to read from the dataset instead of going straight to EODAD. Sam This changed in z/OS 1.11 to include non-SMS also for an . As John M. hinted, it does require a valid DSORG. That can come from a default DATACLAS or from JCL. From the announcement letter: In z/OS V1.11, DFSMSdfp(tm) processing is changed to indicate end-of-file (EOF) during the allocation of data sets on DASD that are not SMS-managed and have either sequential or an undefined data set organization. This makes this processing for both SMS-managed and non-SMS-managed data sets consistent, to make it unnecessary to open data sets solely to indicate EOF, and to help prevent programs from reading old data when a data set is read immediately after being allocated. -- Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS mailto:m...@mzelden.com Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html Systems Programming expert at http://expertanswercenter.techtarget.com/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
On Mon, 12 Mar 2012 10:40:27 -0500, Mark Zelden wrote: As John M. hinted, it does require a valid DSORG. But why not write the EOF unconditionally, regardless of DSORG? The only reason I can imagine not to do so is if the programmer is alocating absolute track addresses to recover a deleted data set. (Of course, some DSORGs are automatically initialized (PO?), and for those, writing an EOF is superfluous.) -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Are LPAR names unique or effectively unique?
And LPAR NUMBER cannot be used; it is assigned based on the alphabetical order of the LPAR NAMES so adding or deleting an LPAR will cause subsequently higher LPARs to have different LPAR Numbers. Barry Merrill Herbert W. Barry Merrill, PhD President-Programmer Merrill Consultants MXG Software 10717 Cromwell Drive Dallas TX 75229 214 351 1966 tel 214 350 3695 fax www.mxg.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
On Mon, 12 Mar 2012 16:08:39 +, Bill Fairchild bfairch...@rocketsoftware.com wrote: Writing an EOF record at the beginning of the data set does indeed help prevent programs from reading old data when a data set is read immediately after being allocated, but the way it does this results in preventing the reading of old data only from the first track. If a program can read beyond this first track (which is not difficult to do even in an unauthorized program), then the program can still read all the rest of the old data in the allocated tracks. The only way truly to prevent a program from reading any of the old data is to erase each allocated track, either when the old data set is deleted or when the new data set is allocated. Erasing is a very expensive process in terms of DASD utilization and elapsed time, which is why it is almost never done. This is perhaps another example of security through obscurity, which has been discussed lately under thread subjects starting with Program FLIH backdoor . I call it obscurity since getting beyond the first! track deters most programs, but is not difficult if you know the obscure fact that it is quite easy to do if you want to. It may be security by obscurity, Bill, but it's not something perpetrated by IBM, in my opinion. We document that Erase on Scratch exists, and why it should be used, and that (depending on the DASD you're using) if you don't use that function old data can be exposed. -- Walt -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
On Mon, 12 Mar 2012 11:14:27 -0500, Paul Gilmartin paulgboul...@aim.com wrote: On Mon, 12 Mar 2012 10:40:27 -0500, Mark Zelden wrote: As John M. hinted, it does require a valid DSORG. But why not write the EOF unconditionally, regardless of DSORG? The only reason I can imagine not to do so is if the programmer is alocating absolute track addresses to recover a deleted data set. I don't know under what thread subject and when, but this has been discussed on IBM-MAIN before. I'm not going to try and find it, but you can. I'm sure there's a good reason. :-) Mark -- Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS mailto:m...@mzelden.com Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html Systems Programming expert at http://expertanswercenter.techtarget.com/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Question for Changeman sites
We are in the process of upgrading our Changeman product to the current release. We are currently on 5.6.2. We are planning our z/OS upgrade to 1.13 and are looking at support. We inquired with the vendor and they said they have had customers ask about compatibility do not know if they have upgraded. They did not see any reported issues in their database. We're hoping someone watching the list has a not-current Changeman and z/OS 1.13 running and can provide a thumbs up or down. Thanks Alan Alan Schwartz ITO Global Service Operations and Engineering Affiliated Computer Services, LLC, A Xerox Company 1500 Towerview Rd. Eagan, MN 55121-1346 p. 612.266.3150 m. 651.274.5819 f. 612.266.3196 www.xerox.com/businessservices -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Program FLIH backdoor - This is a criminal breach of security!
Some of the integrity examples have been tripping a bit over trying to define system integrity in terms of the behavior of authorized programs, when the statement is in terms of what an unauthorized program must not be allowed to do. For the PC FLIH intercept case, the requirement is that a malicious user must not be able to take advantage of this mechanism in order to get their own code running authorized. For the fetch-protection case, the requirement is that a malicious user must not be able to trick a service into copying arbitrary fetch protected system key storage into non-fetch protected storage viewable by the unauthorized caller. The authorized code must be written to prevent such exposures. Peter Relson z/OS Core Technology Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
Bill, You are absolutely correct in that this change doesn't really provide much security. I'm looking at it from a different aspect, that of removing one additional way of shooting oneself in the foot. If not you (you being collective, not just Bill), how many of your colleagues (either in the systems programming area or application developers/operations) have had a dataset deleted, only to have a new one allocated directly on top of the old one with a compatible set of DCB information, and have somebody inadvertently run a program that read the old data. I know it has happened more than once where I've worked over the years. I'm sure this change will result (and has resulted) in fewer holes in feet. :-) Rex -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Bill Fairchild Sent: Monday, March 12, 2012 11:09 AM To: IBM-MAIN@bama.ua.edu Subject: Re: IEFBR14 Writing an EOF record at the beginning of the data set does indeed help prevent programs from reading old data when a data set is read immediately after being allocated, but the way it does this results in preventing the reading of old data only from the first track. If a program can read beyond this first track (which is not difficult to do even in an unauthorized program), then the program can still read all the rest of the old data in the allocated tracks. The only way truly to prevent a program from reading any of the old data is to erase each allocated track, either when the old data set is deleted or when the new data set is allocated. Erasing is a very expensive process in terms of DASD utilization and elapsed time, which is why it is almost never done. This is perhaps another example of security through obscurity, which has been discussed lately under thread subjects starting with Program FLIH backdoor . I call it obscurity since getting beyond the first ! track deters most programs, but is not difficult if you know the obscure fact that it is quite easy to do if you want to. Bill Fairchild The information contained in this e-mail may contain confidential and/or privileged information and is intended for the sole use of the intended recipient. If you are not the intended recipient, you are hereby notified that any unauthorized use, disclosure, distribution or copying of this communication is strictly prohibited and that you will be held responsible for any such unauthorized activity, including liability for any resulting damages. As appropriate, such incident(s) may also be reported to law enforcement. If you received this e-mail in error, please reply to sender and destroy or delete the message and any attachments. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Aprapros of Nothing
In !!AAAYAK31bVwGsNBEjUGJDxIMn0LCgAAAEAMzJfFmEEJOjMYdmFZUt+0BAA==@andycoburn.com, on 03/11/2012 at 05:48 PM, Andy Coburn a...@andycoburn.com said: Does Outlook know something I don't know? No. Have you discussed the issue with your e-mail admins? It's probably something they did rather than outlook per se. -- Shmuel (Seymour J.) Metz, SysProg and JOAT ISO position; see http://patriot.net/~shmuel/resume/brief.html We don't care. We don't have to care, we're Congress. (S877: The Shut up and Eat Your spam act of 2003) -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Backlevel IPCS issue at z/OS 1.13
In 3302630680439302.wa.ronmacraehotmail.co...@bama.ua.edu, on 03/12/2012 at 04:15 AM, Ron MacRae ronmac...@hotmail.co.uk said: Unless I can work out what's wrong I'll have to resort to messing with ISPLLIB etc. What's wrong is that you have then new library in ISPLLIB, which overrides[1] the TASKLIB created by TSOLIB. Either remove the new MIGLIB from the the list or add the old MIGLIB in front of it. [1] For CMD(...) -- Shmuel (Seymour J.) Metz, SysProg and JOAT ISO position; see http://patriot.net/~shmuel/resume/brief.html We don't care. We don't have to care, we're Congress. (S877: The Shut up and Eat Your spam act of 2003) -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Server time Protocol and CICS
This weekend we had our mainframe time automatically adjusted to Day Light Time using S.T.P.. However, CICS did not get the time changed automatically. Is CICS still unable to do this(have the time changed automatically)? John Norgauer Senior Systems Programmer Mainframe Technical Support Services University of California Davis Medical Center 2315 Stockton Blvd ASB 1300 Sacramento, Ca 95817 916-734-0536 SYSTEMS PROGRAMMING.. Guilty, until proven innocent !! JN 2004 Hardware eventually breaks - Software eventually works anon -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Server time Protocol and CICS
F cicsjobn,CEMT PERFORM RESET Dave Gibney Information Technology Services Washington State University -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of John Norgauer Sent: Monday, March 12, 2012 3:50 PM To: IBM-MAIN@bama.ua.edu Subject: Server time Protocol and CICS This weekend we had our mainframe time automatically adjusted to Day Light Time using S.T.P.. However, CICS did not get the time changed automatically. Is CICS still unable to do this(have the time changed automatically)? John Norgauer Senior Systems Programmer Mainframe Technical Support Services University of California Davis Medical Center 2315 Stockton Blvd ASB 1300 Sacramento, Ca 95817 916-734-0536 SYSTEMS PROGRAMMING.. Guilty, until proven innocent !! JN 2004 Hardware eventually breaks - Software eventually works anon -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Server time Protocol and CICS
CICS needs a nudge to pick up the timechange - we issue a F CICSNAME,CEMT-PERFORM RESET To each region following the automatic change (We are on Sysplex Timers) Jerry Whitteridge Lead Systems Programmer Safeway Inc. 925 951 4184 If you feel in control you just aren't going fast enough. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of John Norgauer Sent: Monday, March 12, 2012 3:50 PM To: IBM-MAIN@bama.ua.edu Subject: Server time Protocol and CICS This weekend we had our mainframe time automatically adjusted to Day Light Time using S.T.P.. However, CICS did not get the time changed automatically. Is CICS still unable to do this(have the time changed automatically)? John Norgauer Senior Systems Programmer Mainframe Technical Support Services University of California Davis Medical Center 2315 Stockton Blvd ASB 1300 Sacramento, Ca 95817 916-734-0536 SYSTEMS PROGRAMMING.. Guilty, until proven innocent !! JN 2004 Hardware eventually breaks - Software eventually works anon -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN Email Firewall made the following annotations. -- Warning: All e-mail sent to this address will be received by the corporate e-mail system, and is subject to archival and review by someone other than the recipient. This e-mail may contain proprietary information and is intended only for the use of the intended recipient(s). If the reader of this message is not the intended recipient(s), you are notified that you have received this message in error and that any review, dissemination, distribution or copying of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately. == -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: IEFBR14
Mark: Thank you, does this account for an iefbr14 executing correctly on a 1.11 or above system and a program receiving an Abend s001-4 , assuming everything else was working correctly ? Sent from my iPad Scott Ford Senior Systems Engineer www.identityforge.com On Mar 12, 2012, at 1:18 PM, Mark Zelden m...@mzelden.com wrote: On Mon, 12 Mar 2012 11:14:27 -0500, Paul Gilmartin paulgboul...@aim.com wrote: On Mon, 12 Mar 2012 10:40:27 -0500, Mark Zelden wrote: As John M. hinted, it does require a valid DSORG. But why not write the EOF unconditionally, regardless of DSORG? The only reason I can imagine not to do so is if the programmer is alocating absolute track addresses to recover a deleted data set. I don't know under what thread subject and when, but this has been discussed on IBM-MAIN before. I'm not going to try and find it, but you can. I'm sure there's a good reason. :-) Mark -- Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS mailto:m...@mzelden.com Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html Systems Programming expert at http://expertanswercenter.techtarget.com/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Server time Protocol and CICS
On Mon, 12 Mar 2012 16:58:44 -0600, Jerry Whitteridge wrote: CICS needs a nudge to pick up the timechange - we issue a F CICSNAME,CEMT-PERFORM RESET Why? Couldn't this be automated with a PARM? To each region following the automatic change (We are on Sysplex Timers) -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Backlevel IPCS issue at z/OS 1.13
On 3/12/2012 7:40 AM, Mark Zelden wrote: I don't know what you are doing wrong. You can use my CLIST as is and it should work. The key is the TSOLIB prior to invoking ISPF and using a modified BLSCLIBD that has LIBRARY ID instead of DATASET in the libdef. I didn't post that CLIST and left that as an exercise for the reader, but if it helps, I'll post that also. Remember BLSCALTL needs one line changed too (I called my IPCSALTL). I won't post that CLIST, but here is the line: ALTLIB ACTIVATE APPLICATION(CLIST) DDNAME(SBLSCLI0) Our back-level IPCS execs require manual re-invocation under ISPF. I like you approach much better! -- Edward E Jaffe Phoenix Software International, Inc 831 Parkview Drive North El Segundo, CA 90245 310-338-0400 x318 edja...@phoenixsoftware.com http://www.phoenixsoftware.com/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Check out BBC News - Celebrating Colossus, the codebreaking computer
_BBC News - Celebrating Colossus, the codebreaking computer_ (http://www.bbc.co.uk/news/technology-17237494) Some good links if you're so inclined. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Host on Demand Installation
No, there is no minimum MSU requirement for Host On-Demand installation. Note that running the Host On-Demand Service Manager is technically optional. That's if you use the Deployment Wizard to create an appropriately customized HOD start page, which is my preferred way. The Service Manager is the most demanding part of HOD on the server side, but even that is quite lightweight. If you don't run the Service Manager then the only server side task is HTTP serving, which is extremely lightweight, particularly if you're using the HOD cached client. I see little or no point in using HTTPS to deliver HOD to Web clients, so don't bother with that -- stick with HTTP for your HOD Web server. However, TN3270E with TLS/SSL encryption is highly recommended for security reasons, and that's regardless of client. Obviously do take advantage of hardware crypto support there (CPACF and/or CryptoExpress). Timothy Sipples Resident Enterprise Architect (Based in Singapore) E-Mail: timothy.sipp...@us.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: VTAMLST - Who needs to read it
Chris: This is similar in my estimation to a library sys1.maclib. We were a 100 percent cobol shop so we used the noaccess rule. What we found is that the only people that tried accessing it were people from outside the company that were looking around and had no real need for it as I said we were 100 percent cobol. To give you a fair idea only the senior application people could even remotely look at a dump even then they had no clue. In *OUR* shop it worked. IMO sys1.vtamlst was similar. Every two years we had a consultant who demanded access to it. We were nice and said NO. One consultant came in and asked for access and we said no and he went the politic route and they said sure. Sure enough 3 days later we get an internal memo saying we had to change it and then the memo wars started up. One of my VP's came down and I sat down with him and explained why we didn't want to change it. We were short on man power in the group and could not spare the time I had hours and dates and everything to prove we didn't have the time. He said yes he knew but just this once. I asked which project did he want pushed back and he pointed at one and of course it was a really important one and I asked if he understood the cost and everything and of course he said he did. So somewhere in my 100 hour work week I changed it and of course it did not work. This caused a really nasty backlog to literally break. My 10 minute change caused an outage and we had a outage of one of our customers got their reports 2 hours late and all hell broke loose. The VP was called in and he tried to push it onto us. I got called up to the presidents office and I explained our side and the president actually told the VP to keep his people in line and not to request such items again. The VP eventually moved on and life went back to normal. Ed On Mar 9, 2012, at 12:03 PM, Chris Mason wrote: Juan IBM suggests UACC(NONE) for them (RACF Security Administrator Guide, apendix D- Security for system datasets). Why should the RACF developers be the arbiters of what is the correct access policy for VTAMLST? I would say that they were as likely to get such a proposal correct as any other development shop commenting on the products of another development shop. In other words, they are very, very likely to get it quite wrong - a phenomenon I have observed time and again! Indeed, I have sometimes been very pleasantly surprised when a manual written by one development shop happened to come up with a clear explanation of how to use products from another development shop. Actually the only case I can remember over many years is GDDM talking about the 3270 data stream. (RACF Security Administrator Guide, apendix D- Security for system datasets) Please - and this applies to all posters - provide an URL when referring to something state in a manual. I suggest you post this query on the RACF-L list and challenge the gurus I notice there are not backward in coming forward and see if any of them can provide a reasoned argument why the following recommendation - which I dug out! - is present: quote D.0 Appendix D. Security for system data sets Table 48. UACC values for system data sets Data set/UACC/Comments ... SYS1.VTAMLST/NONE/ ... /quote http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza7c0/ D.0 Note that the people responsible for this table couldn't even imagine any justifying comment to add. I suspect they had wet fingers in the air! If the RACF-L gurus cannot provide a reasoned argument, I suggest you treat this recommendation with the pinch of salt which in my opinion it deserves. Remember There is no substitute for understanding what you are doing., a maxim that isn't necessarily ingrained on the conscience of IBM developers! - Anyhow the users who need to access VTAMLST are obviously the user of the VTAM/NET address space and any system programmer's TSO address space where the system programmer is responsible for maintaining the VTAMLST partitioned data set. I cannot see any reason why a user of the VTAM API would require access to VTAMLST for the reason that he/she was using the VTAM API. - Incidentally, while you are challenging the RACF-L gurus over access to VTAMLST, you might care equally to challenge them over the recommendation to specify universal access of READ for the VTAMLIB partitioned data set where, again, the comment field is completely absent in the now famous table. Again, I suspect a wet finger! - Moreover, take a look at the comments where the authors bothered to add comments and note whether there appear to have been any guidance other than common sense and - it must be said - note the considerable equivocation! - Chris Mason On Fri, 9 Mar 2012 09:00:34 -0800, Juan Mautalen jgmauta...@yahoo.com.ar wrote: Hi: We currently have our VTAMLST libraries
Re: IEFBR14
Hi Rex, A good while ago, on 3390 SLEDs, non-SMS, z/OS 1.4, I used this 'feature' fairly often . We had a big batch process that, on the monthly run would delete a large PS work dataset at eoj. For the quarterly, that same dataset needed to be used in a successor job. The monthly job ran about 12-14 hours. The 'responsible' (or not!) programmer was supposed to take care of the disposition of that big dataset for the quarterly process. A bunch of times (until that programmer left), I'd get in to work to find the monthly still running and a bunch of panicked messages. Sure enough, the disp on the dataset was delete. So, I would mount the vol private and map it. Watch the job and map it again each time it took an extent. No space release coded, so that helped. When the monthly ended, IEFBR14 absolute track allocate the pieces of the dataset, concatenating it all together back into 1 whole with IEBGENER. It was a nice tool to have at the time. :-) Saved a huge rerun to recreate the data set and a day of application outage for the customer. I have also seen the situation you wrote about. One fairly ugly one where bad data was picked up and feed into a database. Linda - Original Message - From: Rex R. Pommier rex.pomm...@cnasurety.com To: IBM-MAIN@bama.ua.edu Sent: Monday, March 12, 2012 11:53:37 AM Subject: Re: IEFBR14 Bill, You are absolutely correct in that this change doesn't really provide much security. I'm looking at it from a different aspect, that of removing one additional way of shooting oneself in the foot. If not you (you being collective, not just Bill), how many of your colleagues (either in the systems programming area or application developers/operations) have had a dataset deleted, only to have a new one allocated directly on top of the old one with a compatible set of DCB information, and have somebody inadvertently run a program that read the old data. I know it has happened more than once where I've worked over the years. I'm sure this change will result (and has resulted) in fewer holes in feet. :-) Rex -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Bill Fairchild Sent: Monday, March 12, 2012 11:09 AM To: IBM-MAIN@bama.ua.edu Subject: Re: IEFBR14 Writing an EOF record at the beginning of the data set does indeed help prevent programs from reading old data when a data set is read immediately after being allocated, but the way it does this results in preventing the reading of old data only from the first track. If a program can read beyond this first track (which is not difficult to do even in an unauthorized program), then the program can still read all the rest of the old data in the allocated tracks. The only way truly to prevent a program from reading any of the old data is to erase each allocated track, either when the old data set is deleted or when the new data set is allocated. Erasing is a very expensive process in terms of DASD utilization and elapsed time, which is why it is almost never done. This is perhaps another example of security through obscurity, which has been discussed lately under thread subjects starting with Program FLIH backdoor . I call it obscurity since getting beyond the first ! track deters most programs, but is not difficult if you know the obscure fact that it is quite easy to do if you want to. Bill Fairchild The information contained in this e-mail may contain confidential and/or privileged information and is intended for the sole use of the intended recipient. If you are not the intended recipient, you are hereby notified that any unauthorized use, disclosure, distribution or copying of this communication is strictly prohibited and that you will be held responsible for any such unauthorized activity, including liability for any resulting damages. As appropriate, such incident(s) may also be reported to law enforcement. If you received this e-mail in error, please reply to sender and destroy or delete the message and any attachments. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
