Re: Got DSN3107I FROM REXX CONSOLE SYSCMD command
On Sun, 13 Jan 2008 20:56:13 -0600, Yan Ying [EMAIL PROTECTED] wrote: Thanks for you reply.What confused me is I can send MVS/JES2 cmd in my rexx program and get the return msg.The pgm look like that : CMD = '$D SPL' CONSPROF SOLDISP(NO) SOLNUM(800) CONSOLE ACTIVATE NAME(DALCMD) CONSOLE SYSCMD(||CMD||) CART('DAL001') GETCODE = GETMSG('DAL1.',,'DAL001','',10) CONSOLE DEACTIVATE The program is sub in JCL by IKJEFT01. Why DB2 cmd need special auth and how to get the auth. Apparently (as Scott indicated), DB2 wants its commands to come from a console with system (SYS) authority. On the other hand, $D should need only INFO authority. Check the OPERPARM segment of the USER profile that matches the console name you use (by default, the system uses the running user ID as the console name). The AUTH field should say SYS or a higher value. Additionally, make sure that you have the OPERCMDS class active, and SETR RACLISTED (if using RACF), and that you have access to OPERCMDS resource MVS.MCSOPER.console-name because without that access you'll only have INFO authority regardless of what the OPERPARM segment specifies. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: [DB2-L] Got DSN3107I FROM REXX CONSOLE SYSCMD command
YY - You need to understand that there are two security checks going on. For MVS commands there is one set of checks. For DB2 Commands there is a different setup. I would contact my security administrator and ask them how the DB2 command you are trying to issue is handled. You also need to check on the internal DB2 Security. It is possible that there is also a security check going on there as well. Each shop is unique on how they setup security. And that depends on the security product you are using. The message DSN3107I - DSN3EC0X -COMMAND REJECT.REQUESTOR NOT AUTHORIZED. Indicates that you are not authorized to the DB2 command. However, since you can issue D IPLINFO, you do have the authority to MVS commands. Look at the SYSTEM PROGRAMMER RESPONSE: System Programmer Response: Verify that this console should be used for entering DB2 commands. If so, authorize it for 'system' commands by using MVS services. Lizette Hi all, I use REXX to inquire DB2 BUFFERPOOL detail status.I use CONSPROF / CONSOLES / CONSOLE SYSCMD command to get the info.But I can only get msg DSN3107I. DSN3107I - DSN3EC0X -COMMAND REJECT.REQUESTOR NOT AUTHORIZED. I have another REXX work like that to gather system info (like'D IPLINFO') can work good. IBMBOOK said:the CSECT DSN3EC0X has discovered that the source of the command was a console that does not have 'system' authority. How can i have the system authorize?Did anyone do job like that? Thanks a lot for help. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Got DSN3107I FROM REXX CONSOLE SYSCMD command
I suspect DB2 needs SYSOPER or SYSADM DB2 authorization. This is DB2 security and it is maintained by DB2. Talk to the DB2 install sysprog's. My memory was console commands came in with userid SYSOPR but there are other circumstances that the userid is passed. Mike On Jan 13, 2008 8:56 PM, Yan Ying [EMAIL PROTECTED] wrote: Hi all, Thanks for you reply.What confused me is I can send MVS/JES2 cmd in my rexx program and get the return msg.The pgm look like that : CMD = '$D SPL' CONSPROF SOLDISP(NO) SOLNUM(800) CONSOLE ACTIVATE NAME(DALCMD) CONSOLE SYSCMD(||CMD||) CART('DAL001') GETCODE = GETMSG('DAL1.',,'DAL001','',10) CONSOLE DEACTIVATE The program is sub in JCL by IKJEFT01. Why DB2 cmd need special auth and how to get the auth. Yan Ying -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- Mike -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Got DSN3107I FROM REXX CONSOLE SYSCMD command
In [EMAIL PROTECTED], on 01/10/2008 at 01:56 AM, Yan Ying [EMAIL PROTECTED] said: I use a REXX to inquire DB2 BUFFERPOOL detail status.I use CONSPROF / CONSOLES / CONSOLE SYSCMD command to get the info.But I can only get msg DSN3107I. DSN3107I - DSN3EC0X -COMMAND REJECT.REQUESTOR NOT AUTHORIZED. You need to explain to your security and DB2 people why you need to do this, then ask them to grant the necessary privileges. -- Shmuel (Seymour J.) Metz, SysProg and JOAT ISO position; see http://patriot.net/~shmuel/resume/brief.html We don't care. We don't have to care, we're Congress. (S877: The Shut up and Eat Your spam act of 2003) -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Got DSN3107I FROM REXX CONSOLE SYSCMD command
Hi all, Thanks for you reply.What confused me is I can send MVS/JES2 cmd in my rexx program and get the return msg.The pgm look like that : CMD = '$D SPL' CONSPROF SOLDISP(NO) SOLNUM(800) CONSOLE ACTIVATE NAME(DALCMD) CONSOLE SYSCMD(||CMD||) CART('DAL001') GETCODE = GETMSG('DAL1.',,'DAL001','',10) CONSOLE DEACTIVATE The program is sub in JCL by IKJEFT01. Why DB2 cmd need special auth and how to get the auth. Yan Ying -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Got DSN3107I FROM REXX CONSOLE SYSCMD command
In a message dated 1/11/2008 8:02:30 A.M. Central Standard Time, [EMAIL PROTECTED] writes: To set the base MVS console authority for your user, you need to update the OPERPARM segment associated with your userid. Don't think it has anything to do with MVS, only DB2 authorities. Install adm, sysadm, DBADM. It's a hierarchy in DSNZPARM customization. To grant lower you have to have higher **Start the year off right. Easy ways to stay in shape. http://body.aol.com/fitness/winter-exercise?NCID=aolcmp0030002489 -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Got DSN3107I FROM REXX CONSOLE SYSCMD command
On Thu, 10 Jan 2008 01:56:57 -0600, Yan Ying wrote: I use a REXX to inquire DB2 BUFFERPOOL detail status.I use CONSPROF / CONSOLES / CONSOLE SYSCMD command to get the info.But I can only get msg DSN3107I. DSN3107I - DSN3EC0X -COMMAND REJECT.REQUESTOR NOT AUTHORIZED. I have another REXX work like that to gather system info (like'D IPLINFO') can work good. IBMBOOK said:the CSECT DSN3EC0X has discovered that the source of the command was a console that does not have 'system' authority. How can i have the system authorize?Did anyone do job like that? The answer is: it depends... 1) Is the OPERCMDS class active in your security product? If so, then you need to give your console authority to the appropriate operator command profile. 2) I am not sure what 'system' authority means. Base MVS console authority comes in a few flavors: o INFO (authorized to issue a smattering of display-only commands) o SYS (authorized to issue smattering of 'system related' commands) o I/O(authorized to issue smattering of 'I/O device related' commands) o CONS (authorized to issue smattering of 'console configuration related' commands) o MASTER (can issue all system commands) To set the base MVS console authority for your user, you need to update the OPERPARM segment associated with your userid. Scott Fagen Enterprise Systems Management -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Got DSN3107I FROM REXX CONSOLE SYSCMD command
Hi all, I use a REXX to inquire DB2 BUFFERPOOL detail status.I use CONSPROF / CONSOLES / CONSOLE SYSCMD command to get the info.But I can only get msg DSN3107I. DSN3107I - DSN3EC0X -COMMAND REJECT.REQUESTOR NOT AUTHORIZED. I have another REXX work like that to gather system info (like'D IPLINFO') can work good. IBMBOOK said:the CSECT DSN3EC0X has discovered that the source of the command was a console that does not have 'system' authority. How can i have the system authorize?Did anyone do job like that? Thanks a lot for help. YY -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html