Re: APPC and VTAMAPPL (was: job started with SUB=MSTR...)
Tommy This thread appears to be concerned with the security options supported by APPC/MVS. It would have been helpful if APPC/MVS had appeared in the Subject. Please let us know what the precise problem is as described in the audit report and then we can all make some progress. This something Walt Farrell requested as long ago as 7th June. Surely the messages you got from the DISPLAY APING command do not constitute the invalid user problem in an audit report! Having looked over the posts in the thread, I see the conclusions so far as the following: - The owner/userid assigned to the APPC/MVS address space may well not be relevant for the problem of determining this invalid user - The RACF resource VTAMAPPL is to control the permission to issue the OPEN macro referring to a VTAM ACB for non-authorised programs. I believe you cannot run APPC/MVS without it being an authorised program. I expect you are running APPC/MVS as an authorised program. This being so, the RACF VTAMAPPL resource is irrelevant. - Surprisingly what you report is that defining the RACF resource VTAMAPPL using universal access (UACC) NONE can cause a failure to start the APPC/MVS address space. The very obvious solution is to remove the RDEFINE statement so that you run APPC/MVS as you did before presumably. Changing UACC(NONE) to UACC(READ) is obviously *not* the solution - or did I misunderstand something here? - Anyhow let's analyse the DISPLAY APING output that Walt bypassed. D NET,APING,ID=MVSLU01 IST097I DISPLAY ACCEPTED ICH408I JOB(APPC) STEP(APPC) 619 LOGON/JOB INITIATION - NOT AUTHORIZED TO APPLICATION MVSLU01 IST1489I APING SESSION INFORMATION 618 IST1490I DLU=NET1.MVSLU01 SID=FCA742C3B31EE097 IST933I LOGMODE=#INTER , COS=*BLANK* IST314I END IST1472I APING TRANSACTION ERROR 620 IST1219I RTNCD = 00, FDB2 = 0B IST1002I RCPRI=0004 RCSEC=0005 IST1473I SENSE = 080F6051 These messages describe a failure of a DISPLAY APING command. The VTAM messages, those starting with IST indicate that the desired partner LU, the server, is NET1.MVSLU01, that the mode name to be used is #CONNECT and that the COS name to be used is not specified. The local LU, the client, for a DISPLAY APING command is the VTAM SSCP behaving as a CP and, exceptionally, behaving as an application LU. The codes in the error messages, all described in the Communications Server IP and SNA Codes manual, are as follows: From the RTNCD and FDB2 information for LU 6.2 section: RTNCD = 00, FDB2 = 0B CONDITIONAL COMPLETION FOR APPCCMD Some type of error might have occurred on an APPCCMD macro. For further problem determination, refer to the primary and secondary return codes in the RPL extension. These fields are RPL6RCPR and RPL6RCSC. From the RCPRI and RCSEC return codes for LU 6.2 section: SECURITY NOT VALID The partner LU rejected the allocation request because the access security information supplied by the local application (in the FMH-5) is not valid. This return code is returned on an APPCCMD subsequent to APPCCMD CONTROL=ALLOC. From the SNA sense codes chapter: Sense code 080F End user not authorized: The requesting end user does not have access to the requested resource. Bytes 2 and 3 following the sense code contain sense-code-specific information. 6051 Access security information not valid: The request specifies an access security information field that is not acceptable to the receiver; for security reasons, no further detail about the error is provided. This sense data is sent in FMH-7 or UNBIND. VTAM hint: A security protocol error has been detected in an RU received from the remote LU or transaction program. For persistent verification, VERIFY and PV must be coded on the conversation security level (CONVSEC) in the RACF® profile. End of the explanation of the codes. So it is quite clear what is going wrong here. However, I don't understand what you are trying to tell us with this command. What is MVSLU01? From the unnecessary RDEFINE statement, I thought your APPC/MVS APPL name was PRDLU01. - The evidence for what your real problem is cannot easily be determined but I suspect that your audit report concerns an LU type 6.2 conversation security problem. When you show the audit report problem about which you are worried, please explain what your design is for conversation security. In order to set you on the right track it will correspond to one of the types referenced by the values of the VTAM APPL statement SECACPT operand. These are one of the following: - none: no userid or password values are used - conversation: a userid and a password are always used - already verified: only a userid is used - persistent verification: a userid and password are used in a transaction marked as sign-on and only a userid is used until a sign-off request is used Note that, if you want to protect access to the APPC/MVS LU resource, you should implement session-level security using the RACF
Re: APPC and VTAMAPPL (was: job started with SUB=MSTR...)
On Mon, 6 Jul 2009 09:36:30 +0800, Tommy Tsui tommyt...@gmail.com wrote: Hi Walt Here is the error message, do youw know what's going on ??? D NET,APING,ID=MVSLU01 IST097I DISPLAY ACCEPTED ICH408I JOB(APPC) STEP(APPC) 619 LOGON/JOB INITIATION - NOT AUTHORIZED TO APPLICATION MVSLU01 IST1489I APING SESSION INFORMATION 618 IST1490I DLU=NET1.MVSLU01 SID=FCA742C3B31EE097 IST933I LOGMODE=#INTER , COS=*BLANK* IST314I END IST1472I APING TRANSACTION ERROR 620 IST1219I RTNCD = 00, FDB2 = 0B IST1002I RCPRI=0004 RCSEC=0005 IST1473I SENSE = 080F6051 I don't know how to interpret the VTAM messages without doing some research, but the ICH408I should indicate that a user sent in an APPC transaction, and the user did not supply a user ID and password, and therefore the user's attempt to access APPL (not VTAMAPPL) MVSLU01 failed. As APPC is a server, this is not a failure of APPC to access something, but a failure of one of APPC's clients. Since it's an unidentified user, you get the JOB/STEP in the message. If you want unauthenticated users sending you APPC transactions, you'll need to change the definition of APPL MVSLU01 to UACC(READ). Once you've done that, it might work, or you might at least get far enough to find the next failure (which I'll guess might be for APPCLU MVSLU01) or the one after that (which I'll guess might be for some APPCPORT or for some APPCTP). Or, you might have some error in your client, where it should be sending in a user ID and password but isn't. Or it might be sending identity information, but you might have an error in the VTAM configuration options for MVSLU01 or in the SESSION segment in the RACF APPCLU profile that protects that session. In any case, VTAMAPPL has nothing to do with this. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: APPC and VTAMAPPL (was: job started with SUB=MSTR...)
yes, when I set the MVSLU01 to UACC(READ), it works ... so what can I do? If I set the MVSLU01 to UACC(READ) it's too risky for our shop On Mon, Jul 6, 2009 at 6:37 PM, Walt Farrellwfarr...@us.ibm.com wrote: On Mon, 6 Jul 2009 09:36:30 +0800, Tommy Tsui tommyt...@gmail.com wrote: Hi Walt Here is the error message, do youw know what's going on ??? D NET,APING,ID=MVSLU01 IST097I DISPLAY ACCEPTED ICH408I JOB(APPC ) STEP(APPC ) 619 LOGON/JOB INITIATION - NOT AUTHORIZED TO APPLICATION MVSLU01 IST1489I APING SESSION INFORMATION 618 IST1490I DLU=NET1.MVSLU01 SID=FCA742C3B31EE097 IST933I LOGMODE=#INTER , COS=*BLANK* IST314I END IST1472I APING TRANSACTION ERROR 620 IST1219I RTNCD = 00, FDB2 = 0B IST1002I RCPRI=0004 RCSEC=0005 IST1473I SENSE = 080F6051 I don't know how to interpret the VTAM messages without doing some research, but the ICH408I should indicate that a user sent in an APPC transaction, and the user did not supply a user ID and password, and therefore the user's attempt to access APPL (not VTAMAPPL) MVSLU01 failed. As APPC is a server, this is not a failure of APPC to access something, but a failure of one of APPC's clients. Since it's an unidentified user, you get the JOB/STEP in the message. If you want unauthenticated users sending you APPC transactions, you'll need to change the definition of APPL MVSLU01 to UACC(READ). Once you've done that, it might work, or you might at least get far enough to find the next failure (which I'll guess might be for APPCLU MVSLU01) or the one after that (which I'll guess might be for some APPCPORT or for some APPCTP). Or, you might have some error in your client, where it should be sending in a user ID and password but isn't. Or it might be sending identity information, but you might have an error in the VTAM configuration options for MVSLU01 or in the SESSION segment in the RACF APPCLU profile that protects that session. In any case, VTAMAPPL has nothing to do with this. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: APPC and VTAMAPPL (was: job started with SUB=MSTR...)
On Mon, 6 Jul 2009 18:44:53 +0800, Tommy Tsui tommyt...@gmail.com wrote: yes, when I set the MVSLU01 to UACC(READ), it works ... so what can I do? If I set the MVSLU01 to UACC(READ) it's too risky for our shop Then you'll have to investigate the rest of the items I mentioned, and see if you have a configuration problem. But as I see you have a PMR open now, I won't comment further via IBM-MAIN. I hope they help figure out your problem. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: APPC and VTAMAPPL (was: job started with SUB=MSTR...)
Hi Walt Here is the error message, do youw know what's going on ??? D NET,APING,ID=MVSLU01 IST097I DISPLAY ACCEPTED ICH408I JOB(APPC) STEP(APPC) 619 LOGON/JOB INITIATION - NOT AUTHORIZED TO APPLICATION MVSLU01 IST1489I APING SESSION INFORMATION 618 IST1490I DLU=NET1.MVSLU01 SID=FCA742C3B31EE097 IST933I LOGMODE=#INTER , COS=*BLANK* IST314I END IST1472I APING TRANSACTION ERROR 620 IST1219I RTNCD = 00, FDB2 = 0B IST1002I RCPRI=0004 RCSEC=0005 IST1473I SENSE = 080F6051 Thanks and regards On Sun, Jul 5, 2009 at 2:22 AM, Walt Farrellwfarr...@us.ibm.com wrote: On Fri, 3 Jul 2009 09:11:50 +0800, Tommy Tsui tommyt...@gmail.com wrote: Hi all, Since we defined following statement to protect our LU on mainframe, APPC cannot access the PRDLU01 becuase without owner information, is there anyone have same problem? RDEFINE VTAMAPPL PRDLU01 UACC(NONE) OWNER(SYS1) PERMIT PRDLU01 CLASS(VTAMAPPL) ID(P428501) Please show us the error messages you're getting, and if possible describe what's happening when you get them. In any case, as far as I know APPC itself runs authorized, and the VTAMAPPL profile would therefore have no effect on it. VTAMAPPL affects only non-authorized programs, and simply determines whether they can OPEN the named VTAM ACB or not. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: APPC and VTAMAPPL (was: job started with SUB=MSTR...)
On Fri, 3 Jul 2009 09:11:50 +0800, Tommy Tsui tommyt...@gmail.com wrote: Hi all, Since we defined following statement to protect our LU on mainframe, APPC cannot access the PRDLU01 becuase without owner information, is there anyone have same problem? RDEFINE VTAMAPPL PRDLU01 UACC(NONE) OWNER(SYS1) PERMIT PRDLU01 CLASS(VTAMAPPL) ID(P428501) Please show us the error messages you're getting, and if possible describe what's happening when you get them. In any case, as far as I know APPC itself runs authorized, and the VTAMAPPL profile would therefore have no effect on it. VTAMAPPL affects only non-authorized programs, and simply determines whether they can OPEN the named VTAM ACB or not. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html