Re: MVS Command Authorization

[Hunkeler Peter (KIUK 3)]

>Peter, I can only speak for the products I've developed and how we
>implemented command security.  Also, I might add that years ago I 
>found a spreadsheet someone had at SHARE that listed each OPERCMDS 
>entities.That could be used as a foundation to know which commands 
>are verified.

Gary, I'm not so much interested in the "which" than in the "how".

What you said about your "own" subsystem commands somehow confirms
my undestanding. But I still do not see how MGCEFAST can be useful
to anything than pure "MVS commands", provided my understanding
as posted is still correct. 

If MGCEFAST is set by sysplex command routing, and if the bit says
"don't broadcast on the SSI", then how could a subsystem catch
its command on the remote system? And, how can it suppress
command authorization checking, when the mechanism is subsystem
specific?

Ok, I think I'll have to include sysplex processing and see if
I got this right (this is pure curiosity):

A command entered into the system through SVC 34 can be:

a) a native MVS command (this includes the ROUTE command)
b) a command beginning with a registered command prefix
c) a command beginning with a *non*-registered command prefix

SVC 34 sends the command to the commiunications task which in turn
tries to get the command processed by whomever as follows

1) Each command is presented to command exits, if any are installed.

   - If any exit indicates the command was processed, that's it, no 
 further processing is done.

2) If the command starts with a registered prefix, then it is routed
   to the target system (if not already here). On the target system,
   the command is issued again (SVC 34) and begins its journey again
   at 1) above.

3) If the command passes the exit(s) without being processed, it is
   presented to the subsystem command routines listening on the SSI.

   - If the command begins with *non-registered* prefix *and* ...
 ... the target subsystem is active, its routine will catch the 
 command, process it and indicate this upon return. Processing 
 ends here, i.e. not further broadcasting occurs.
 ... the target subsystem is not active, the command remains 
 unprocessed, next SSI routine will see it.

   - If the command begins with a *registered* prefix *and* ...
 ... the target subsystem is active, its routine will catch and 
 process the command. Processing then ends here.
 ... the target subsystem is not active, the CPF should have been
 deleted (in which case we don't end up here) or has been
 directed to another system (in which case we again won't end
 up here).

   - If the command has not been processed by a subsystem it "falls 
 through" SSI broadcast processing and is send to "MVS" (see 4).

4) If it is a ROUTE command, the ROUTE command processor strips off
   the ROUTE and sends the command to the target system(s) where it
   is reissued by SVC 34 and starts its journey at 1) above on each
   target system.

5) If it is not a ROUTE command, the MVS command processor analyzes
   the command and, if valid, processes it. These are the commands
   described in the "MVS System Commands" manual plus some additional
   non-MVS commands like "Z NET...", "D NET..." which VTAM managed
   to incorporate into the "MVS Command Processor".

6) Message IEE305I  COMMAND INVALID is issued if the MVS 
   command processor did not recognize it.


Where does MGCEFAST fit into the picture?


Anyone dare to say I'm wrong ;-) I *hope* you do, and tell me where
I'm wrong. Better yet, tell me the truth.


-- 
Peter Hunkeler
Credit Suisse

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Hunkeler Peter (KIUK 3)]

>The only place I've seen MGCEFAST documented is at:
>http://tinyurl.com/2bn87q

Yeah... I've seen this, too,  but I don't consider that to "be
documented".

-- 
Peter Hunkeler
Credit Suisse

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[George Fogg]

Scott. I hope you don't lose any sleep over this and I'm somewhat sorry that
I stirred up the mud on this "out-of_the_closet" bit even though it's
documented enough to describe what it does. But overall, I'm glad I know
about it.
Owe you a beer at SHARE if I ever attend again... :-)
George Fogg

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of Scott Fagen
Sent: Tuesday, December 11, 2007 5:56 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: MVS Command Authorization

On Tue, 11 Dec 2007 12:29:46 -0800, George Fogg <[EMAIL PROTECTED]> wrote:
--snip--
 I also don't want vendor
>products and in-house EMCS code setting this bit to bypass security
checking.
>I don't have a problem with its intended purpose as Scott Fagen indicated.
>George Fogg
--snip--

In retrospect, it was probably a _bad_ idea to make such a function
available on the external.  At the time (ca 1988/9), I was still pretty wet
behind the ears and was just doing what the team leader asked.  In
retrospect, the _right_ answer probably should have been a non-externalized
service/entry into command processing that the sysplex code just dropped the
command into, rather than setting a wacky bit on in the parameter list and
re-issuing SVC34.  Probably looks weird in system trace, too.

Scott Fagen
Enterprise Systems Management

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the
archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Scott Fagen]

On Tue, 11 Dec 2007 12:29:46 -0800, George Fogg <[EMAIL PROTECTED]> wrote:
--snip--
 I also don't want vendor
>products and in-house EMCS code setting this bit to bypass security checking.
>I don't have a problem with its intended purpose as Scott Fagen indicated.
>George Fogg
--snip--

In retrospect, it was probably a _bad_ idea to make such a function
available on the external.  At the time (ca 1988/9), I was still pretty wet
behind the ears and was just doing what the team leader asked.  In
retrospect, the _right_ answer probably should have been a non-externalized
service/entry into command processing that the sysplex code just dropped the
command into, rather than setting a wacky bit on in the parameter list and
re-issuing SVC34.  Probably looks weird in system trace, too.

Scott Fagen
Enterprise Systems Management

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Gregory, Gary G]

Peter, I can only speak for the products I've developed and how we
implemented command security.  Also, I might add that years ago I found
a spreadsheet someone had at SHARE that listed each OPERCMDS entities.
That could be used as a foundation to know which commands are verified.

If an OEM product uses the SSI (as we do with CA Tape Encryption) our
subsystem is responsible for picking off the command and performing what
action is required (we don't leave a WTOR for communications).  Once the
command has been found in the SSI, we perform a RACROUTE to see if the
user (using that term in the most general sense) has access to the
command.  If a customer defined an OPERCMDS entity BES.DISPLAY
UACC(NONE) and does not have the supporting code in place (in this case
the CA Tape Encryption SAF Interface) then the entity is never verified.

Again, I didn't mean to go start such a debate over my response
yesterday.  I just wanted to make sure the original poster reviewed
their product's documentation.

Regards,

Gary 


You see me confused. Either I'm missing some recent change
or, I have never understood how comand processing really works 
and am just about to discover this...

This is my understanding (leaving out sysplex routing to
drop that level of complexity):

- SVC 34 (MGCR, MGCRE) is the programming interface to issue 
  commands. It verifies the arguments and sends the command
  onto its journey through the system. No command authorization
  processing done yet.
- The commands are presented to the SSI command listener routines
  (SSI function 10) in subsystem sequence, on after the other.
- Finally the command is queued to the MVS command handler.

SSI processing:
- Each subsytem interested in commands sees each and every
  command (unless MGCEFAST has been set).
- When a subsystem detects on if its commands, it marks it as 
  "processed" (and of course, does whatever needs to be done
  to process the command).
- When a subsystem sees a command marked "processed" it ignores
  the command.

MVS command handler:
- When the MVS command handler sees a command marked "processed"
  it ignores it. Otherwise it tries to interpret it as an MVS
  command (one of those commands described in the "MVS System
  Commands" manual).

If this is correct, then neither SVC34 nor the MVS command handler
can do authorization checking for subsystem commands. Each subsystem
is responsible to do its own authorization checking (if at all).

Again if this is correct, MGCEFAST can never be set for a "non-MVS" 
command, i.e. a command recognized by a SSI command listener, since
it is "suppressing SSI" (BTW, I haven't found where MGCEFAST is
documented.)

Happy to learn where I'm wrong and how it really works.

-- 
Peter Hunkeler
CREDIT SUISSE

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Binyamin Dissen]

On Tue, 11 Dec 2007 12:29:46 -0800 George Fogg <[EMAIL PROTECTED]> wrote:

:>> On Mon, 10 Dec 2007 15:38:58 -0800 George Fogg <[EMAIL PROTECTED]> wrote:

:>> :>OK, MGCEFAST has a purpose in certain conditions but I could set this bit 
on
:>> :>in a simple MGCRE call to issue a command without using CPF and CMDSYS
:>> :>processing and it will bypass the command exits and CMDAUTH (OPERCMDS
:>> :>checking)processing?
:>> :>I agree this not apporiate but I'm just curious if it would work.
:>> :>Just another goodie to add to my "gosh, that's interesting" list.

:>> As the MGCR(E) issuer is supervisor state, it is perfectly legitimate for it
:>> to indicate that security be bypassed.

:>Not in our shop.
:>We have 25+ site written commands processed in the command exit if if MGCEFAST
:>bypasses the command exit then they won't work. I also don't want vendor
:>products and in-house EMCS code setting this bit to bypass security checking.

Then you should audit your supervisor state programs.

I am not stating that it is a good idea to set the bit, just that allowing the
MGCR(E) to bypass security is NOT an exposure as it is in supervisor state and
thus can directly do what the issued command would do.

:>I don't have a problem with its intended purpose as Scott Fagen indicated.

--
Binyamin Dissen <[EMAIL PROTECTED]>
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[George Fogg]

> On Mon, 10 Dec 2007 15:38:58 -0800 George Fogg <[EMAIL PROTECTED]> wrote:
>
> :>OK, MGCEFAST has a purpose in certain conditions but I could set this bit on
> :>in a simple MGCRE call to issue a command without using CPF and CMDSYS
> :>processing and it will bypass the command exits and CMDAUTH (OPERCMDS
> :>checking)processing?
> :>I agree this not apporiate but I'm just curious if it would work.
> :>Just another goodie to add to my "gosh, that's interesting" list.
>
> As the MGCR(E) issuer is supervisor state, it is perfectly legitimate for it
> to indicate that security be bypassed.

Not in our shop.
We have 25+ site written commands processed in the command exit if if MGCEFAST
bypasses the command exit then they won't work. I also don't want vendor
products and in-house EMCS code setting this bit to bypass security checking.
I don't have a problem with its intended purpose as Scott Fagen indicated.
George Fogg

>
> --
> Binyamin Dissen <[EMAIL PROTECTED]>
> http://www.dissensoftware.com
>
> Director, Dissen Software, Bar & Grill - Israel
>
>
> Should you use the mailblocks package and expect a response from me,
> you should preauthorize the dissensoftware.com domain.
>
> I very rarely bother responding to challenge/response systems,
> especially those from irresponsible companies.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Binyamin Dissen]

On Mon, 10 Dec 2007 15:38:58 -0800 George Fogg <[EMAIL PROTECTED]> wrote:

:>OK, MGCEFAST has a purpose in certain conditions but I could set this bit on
:>in a simple MGCRE call to issue a command without using CPF and CMDSYS
:>processing and it will bypass the command exits and CMDAUTH (OPERCMDS
:>checking)processing?
:>I agree this not apporiate but I'm just curious if it would work.
:>Just another goodie to add to my "gosh, that's interesting" list.

As the MGCR(E) issuer is supervisor state, it is perfectly legitimate for it
to indicate that security be bypassed.

--
Binyamin Dissen <[EMAIL PROTECTED]>
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[George Fogg]

>Peter said:
snip
> Again if this is correct, MGCEFAST can never be set for a "non-MVS"
> command, i.e. a command recognized by a SSI command listener, since
> it is "suppressing SSI" (BTW, I haven't found where MGCEFAST is
> documented.)
>
> Happy to learn where I'm wrong and how it really works.
>
The only place I've seen MGCEFAST documented is at:
http://tinyurl.com/2bn87q
George Fogg

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Hunkeler Peter (KIUK 3)]

You see me confused. Either I'm missing some recent change
or, I have never understood how comand processing really works 
and am just about to discover this...

This is my understanding (leaving out sysplex routing to
drop that level of complexity):

- SVC 34 (MGCR, MGCRE) is the programming interface to issue 
  commands. It verifies the arguments and sends the command
  onto its journey through the system. No command authorization
  processing done yet.
- The commands are presented to the SSI command listener routines
  (SSI function 10) in subsystem sequence, on after the other.
- Finally the command is queued to the MVS command handler.

SSI processing:
- Each subsytem interested in commands sees each and every
  command (unless MGCEFAST has been set).
- When a subsystem detects on if its commands, it marks it as 
  "processed" (and of course, does whatever needs to be done
  to process the command).
- When a subsystem sees a command marked "processed" it ignores
  the command.

MVS command handler:
- When the MVS command handler sees a command marked "processed"
  it ignores it. Otherwise it tries to interpret it as an MVS
  command (one of those commands described in the "MVS System
  Commands" manual).

If this is correct, then neither SVC34 nor the MVS command handler
can do authorization checking for subsystem commands. Each subsystem
is responsible to do its own authorization checking (if at all).

Again if this is correct, MGCEFAST can never be set for a "non-MVS" 
command, i.e. a command recognized by a SSI command listener, since
it is "suppressing SSI" (BTW, I haven't found where MGCEFAST is
documented.)

Happy to learn where I'm wrong and how it really works.

-- 
Peter Hunkeler
CREDIT SUISSE

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Edward Jaffe]

George Fogg wrote:

OK, MGCEFAST has a purpose in certain conditions but I could set this bit on
in a simple MGCRE call to issue a command without using CPF and CMDSYS
processing and it will bypass the command exits and CMDAUTH (OPERCMDS
checking)processing?
  


Yes.

--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[George Fogg]

> Edward Jaffe wrote:
>
>>George Fogg wrote:
>>> Seems like MGCEFAST is kind of like RACF truested where authority exits are
>>> bypassed and 99% of authority checks are passed just for issuing commands
> from
>>> MGCRE.
>>>
>>> MGCEFAST = Bypass SSI, command exits, and CMDAUTH.
>>>
>>
>>MGCEFAST should be used only when that processing has already been done.
>
> Precisely, Ed.  MGCEFAST was created for things like cross system CPF and
> CMDSYS processing to prevent such 'extra' processing.  Checking and auditing
> twice wouldn't be too useful (and might be confusing!).  Even worse would be
> the possibility of a command being infinitely routed about the sysplex as a
> command exit continually changed and caused the command to be forwarded
> elsewhere...

OK, MGCEFAST has a purpose in certain conditions but I could set this bit on
in a simple MGCRE call to issue a command without using CPF and CMDSYS
processing and it will bypass the command exits and CMDAUTH (OPERCMDS
checking)processing?
I agree this not apporiate but I'm just curious if it would work.
Just another goodie to add to my "gosh, that's interesting" list.
George Fogg

>
> Since MGCRE is an authorized service, enabling users to decide whether or
> not such things are done is appropriate, since an authorized task could
> likely do anything it wanted in determining its own security environment
> (both for SAF and default MCS checking).
>
> Scott Fagen
> Enterprise Systems Mangement
> (and one-time coder of MGCEFAST)
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Edward Jaffe]

Pinnacle wrote:
Referee Scott Fagen halts the contest at 2:30 of the 3rd round, for 
the winner by TKO and STILL champen, Ki 
Jaee!


Tom, maybe it's time to cut back a bit on the caffeine. ;-)

--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[R.S.]

Maybe I shouldn't say anything after Scott, however I'll dare to. 
I don't know "guts" of subsytems and commands, but I know more or less 
how RACF (or ACF) protection works for them:
If we're talking about MVS commands, I mean START, STOP, CANCEL, FORCE, 
MODIFY - all those commands *are* protected, despite of application design.
If we're talking about "CMDPRFX command" , then it is up to the 
application whether SAF is called or not. Subsystems like SDSF, RACF, 
MQ, JES2, STK HSC use their own command prefix and do call SAF for 
authorization. It can be, but need not to be OPERCMDS class resource. 
Others, like DB2 (older versions) do not call SAF.


Many subsystems/applications, like CICS, BMC ControlM, VTAM, RMM, HSM do 
not use its own command prefix - all the control is provided through 
MODIFY/other commands. In such case relevant OPERCMDS profile will 
always be called.


My $0.02
--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy 
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, 
nr rejestru przedsibiorców KRS 025237

NIP: 526-021-50-88
Wedug stanu na dzie 01.01.2007 r. kapita zakadowy BRE Banku SA (w caoci 
opacony) wynosi 118.064.140 z. W zwizku z realizacj warunkowego 
podwyszenia kapitau zakadowego, na podstawie uchwa XVI WZ z dnia 21.05.2003 
r., kapita zakadowy BRE Banku SA moe ulec podwyszeniu do kwoty 118.760.528 
z. Akcje w podwyszonym kapitale zakadowym bd w caoci opacone.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Pinnacle]

Referee Scott Fagen halts the contest at 2:30 of the 3rd round, for the 
winner by TKO and STILL champen, Ki 
Jaee!


- Original Message - 
From: "Scott Fagen" <[EMAIL PROTECTED]>

Newsgroups: bit.listserv.ibm-main
Sent: Monday, December 10, 2007 4:43 PM
Subject: Re: MVS Command Authorization



Edward Jaffe wrote:


George Fogg wrote:
Seems like MGCEFAST is kind of like RACF truested where authority exits 
are
bypassed and 99% of authority checks are passed just for issuing 
commands

from

MGCRE.

MGCEFAST = Bypass SSI, command exits, and CMDAUTH.



MGCEFAST should be used only when that processing has already been done.


Precisely, Ed.  MGCEFAST was created for things like cross system CPF and
CMDSYS processing to prevent such 'extra' processing.  Checking and 
auditing
twice wouldn't be too useful (and might be confusing!).  Even worse would 
be
the possibility of a command being infinitely routed about the sysplex as 
a

command exit continually changed and caused the command to be forwarded
elsewhere...

Since MGCRE is an authorized service, enabling users to decide whether or
not such things are done is appropriate, since an authorized task could
likely do anything it wanted in determining its own security environment
(both for SAF and default MCS checking).

Scott Fagen
Enterprise Systems Mangement
(and one-time coder of MGCEFAST)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Scott Fagen]

Edward Jaffe wrote:

>George Fogg wrote:
>> Seems like MGCEFAST is kind of like RACF truested where authority exits are
>> bypassed and 99% of authority checks are passed just for issuing commands
from
>> MGCRE.
>>
>> MGCEFAST = Bypass SSI, command exits, and CMDAUTH.
>>
>
>MGCEFAST should be used only when that processing has already been done.

Precisely, Ed.  MGCEFAST was created for things like cross system CPF and
CMDSYS processing to prevent such 'extra' processing.  Checking and auditing
twice wouldn't be too useful (and might be confusing!).  Even worse would be
the possibility of a command being infinitely routed about the sysplex as a
command exit continually changed and caused the command to be forwarded
elsewhere...

Since MGCRE is an authorized service, enabling users to decide whether or
not such things are done is appropriate, since an authorized task could
likely do anything it wanted in determining its own security environment
(both for SAF and default MCS checking).

Scott Fagen
Enterprise Systems Mangement
(and one-time coder of MGCEFAST)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Edward Jaffe]

George Fogg wrote:

Seems like MGCEFAST is kind of like RACF truested where authority exits are
bypassed and 99% of authority checks are passed just for issuing commands from
MGCRE.

MGCEFAST = Bypass SSI, command exits, and CMDAUTH.
  


MGCEFAST should be used only when that processing has already been done.

--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[George Fogg]

> Gregory, Gary G wrote:
>> That is true but if the application is NOT passing the UTOKEN or using
>> the macro that requires the commands be defined in OPERCMDS then that
>> won't work.
>
> I'm not sure I follow you here...
>
> Most of the time, passing UTOKEN is unnecessary. For example, MGCRE
> issued from a TSO session does not need to pass UTOKEN. It's only in
> more exotic situations, e.g., multiuser address spaces, where the
> differentiation is required. Some products, like (E)JES, always pass a
> UTOKEN because they want to differentiate between commands explicitly
> entered by the user and those generated by the product to affect a
> resource protected by other means. This is an above-and-beyond feature
> of mature, robust products and is by no means a requirement to make
> OPERCMDS work.
>
> OTOH, "using the macro that requires the commands be defined in
> OPERCMDS" is not optional. That macro, called MGCRE, is the mechanism by
> which programs enter commands into the system. And, the program doesn't
> do anything special to cause its commands to be validated against
> OPERCMDS resources. CMDAUTH is issued by the system automatically
> unless, as I stated earlier, MGCEFAST is set by the MGCRE issuer.
>

Ed.
Looks like MGCEFAST will bypass command authority checking in the OPERCMDS
class and also bypass the CONSOLE AUTH(xx) settings in the CONSOLxx
parmlib member and the AUTH() setting in the user's OPERPARM segment plus
bypass command exits and SSI--whatever that means.
Seems like MGCEFAST is kind of like RACF truested where authority exits are
bypassed and 99% of authority checks are passed just for issuing commands from
MGCRE.

MGCEFAST = Bypass SSI, command exits, and CMDAUTH.
George Fogg

>> I was only suggesting they refer to the documentation to
>> see if commands are defined in other resource classes.  The CMDAUTH
>> macro requires that all entities be defined in OPERCMDS.
>>
>
> This might be the root source of confusion for this discussion. When
> someone says "MVS commands", I think of commands documented in the "MVS
> System Commands" book, i.e. those that can be issued from an MCS
> console. Such commands are subject to checking against resources in the
> OPERCMDS class.
>
> Obviously, other commands, not defined in "MVS System Commands", would
> be subject to whatever security checking is appropriate for the command
> and the product that defines it. I think this may be the point you're
> trying to make. If so, I agree with that aspect of your statement.
>
> --
> Edward E Jaffe
> Phoenix Software International, Inc
> 5200 W Century Blvd, Suite 800
> Los Angeles, CA 90045
> 310-338-0400 x318
> [EMAIL PROTECTED]
> http://www.phoenixsoftware.com/
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Gregory, Gary G]

Ed, 

Your paragraph " Obviously, other commands, not defined in "MVS System
Commands", would be subject to whatever security checking is appropriate
for the command and the product that defines it."  Is exactly what I was
trying to point out.  

Not all OEM (once again I state OEM) products use CMDAUTH/OPERCMDS
combination some have their entities residing within another resource
class or don't even support or attempt to support command protection.

I was trying to indicate that for OEM products customers should refer to
the product's documentation to see (1) if command protection is
supported and (2) what steps are necessary to define/invoke command
protection.

Gary Garland Gregory, MS
CA 
Senior Software Engineer/Developer - CA Tape Encryption
Tel: +1-214-473-1863
Fax: +1-214-473-1050




-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Edward Jaffe
Sent: Monday, December 10, 2007 11:24 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: MVS Command Authorization

Gregory, Gary G wrote:
> That is true but if the application is NOT passing the UTOKEN or using
> the macro that requires the commands be defined in OPERCMDS then that
> won't work.

I'm not sure I follow you here...

Most of the time, passing UTOKEN is unnecessary. For example, MGCRE 
issued from a TSO session does not need to pass UTOKEN. It's only in 
more exotic situations, e.g., multiuser address spaces, where the 
differentiation is required. Some products, like (E)JES, always pass a 
UTOKEN because they want to differentiate between commands explicitly 
entered by the user and those generated by the product to affect a 
resource protected by other means. This is an above-and-beyond feature 
of mature, robust products and is by no means a requirement to make 
OPERCMDS work.

OTOH, "using the macro that requires the commands be defined in 
OPERCMDS" is not optional. That macro, called MGCRE, is the mechanism by

which programs enter commands into the system. And, the program doesn't 
do anything special to cause its commands to be validated against 
OPERCMDS resources. CMDAUTH is issued by the system automatically 
unless, as I stated earlier, MGCEFAST is set by the MGCRE issuer.

> I was only suggesting they refer to the documentation to
> see if commands are defined in other resource classes.  The CMDAUTH
> macro requires that all entities be defined in OPERCMDS.
>   

This might be the root source of confusion for this discussion. When 
someone says "MVS commands", I think of commands documented in the "MVS 
System Commands" book, i.e. those that can be issued from an MCS 
console. Such commands are subject to checking against resources in the 
OPERCMDS class.

Obviously, other commands, not defined in "MVS System Commands", would 
be subject to whatever security checking is appropriate for the command 
and the product that defines it. I think this may be the point you're 
trying to make. If so, I agree with that aspect of your statement.

-- 
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Edward Jaffe]

Gregory, Gary G wrote:

That is true but if the application is NOT passing the UTOKEN or using
the macro that requires the commands be defined in OPERCMDS then that
won't work.


I'm not sure I follow you here...

Most of the time, passing UTOKEN is unnecessary. For example, MGCRE 
issued from a TSO session does not need to pass UTOKEN. It's only in 
more exotic situations, e.g., multiuser address spaces, where the 
differentiation is required. Some products, like (E)JES, always pass a 
UTOKEN because they want to differentiate between commands explicitly 
entered by the user and those generated by the product to affect a 
resource protected by other means. This is an above-and-beyond feature 
of mature, robust products and is by no means a requirement to make 
OPERCMDS work.


OTOH, "using the macro that requires the commands be defined in 
OPERCMDS" is not optional. That macro, called MGCRE, is the mechanism by 
which programs enter commands into the system. And, the program doesn't 
do anything special to cause its commands to be validated against 
OPERCMDS resources. CMDAUTH is issued by the system automatically 
unless, as I stated earlier, MGCEFAST is set by the MGCRE issuer.



I was only suggesting they refer to the documentation to
see if commands are defined in other resource classes.  The CMDAUTH
macro requires that all entities be defined in OPERCMDS.
  


This might be the root source of confusion for this discussion. When 
someone says "MVS commands", I think of commands documented in the "MVS 
System Commands" book, i.e. those that can be issued from an MCS 
console. Such commands are subject to checking against resources in the 
OPERCMDS class.


Obviously, other commands, not defined in "MVS System Commands", would 
be subject to whatever security checking is appropriate for the command 
and the product that defines it. I think this may be the point you're 
trying to make. If so, I agree with that aspect of your statement.


--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Gregory, Gary G]

That is true but if the application is NOT passing the UTOKEN or using
the macro that requires the commands be defined in OPERCMDS then that
won't work.  I was only suggesting they refer to the documentation to
see if commands are defined in other resource classes.  The CMDAUTH
macro requires that all entities be defined in OPERCMDS.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Edward Jaffe
Sent: Monday, December 10, 2007 10:11 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: MVS Command Authorization

Gregory, Gary G wrote:
> That's assuming the OEM product issues the RACROUTE call to verify the
> user has access to the command.
>   

No. The system issues the CMDAUTH call when processing the command 
unless MGCEFAST is set in the MGCRE parameter list.

The only responsibility of any product issuing MGCRE is to pass the 
correct UTOKEN in the event that the implicit mechanism used by the 
system will choose the "wrong" one.

-- 
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Edward Jaffe]

Gregory, Gary G wrote:

That's assuming the OEM product issues the RACROUTE call to verify the
user has access to the command.
  


No. The system issues the CMDAUTH call when processing the command 
unless MGCEFAST is set in the MGCRE parameter list.


The only responsibility of any product issuing MGCRE is to pass the 
correct UTOKEN in the event that the implicit mechanism used by the 
system will choose the "wrong" one.


--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Gregory, Gary G]

That's assuming the OEM product issues the RACROUTE call to verify the
user has access to the command.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Edward Jaffe
Sent: Sunday, December 09, 2007 9:12 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: MVS Command Authorization

Phillips, Peter wrote:
> We are looking at tightening control over MVS command authorization.
We
> are a JES3 shop running Flasher, Omegamon, Solve etc. with ACF2. Of
> course we have batch production jobs streams, operators, MVS sysprogs
> all issuing MVS commands at different times and in different
situations.
>
> Our management would like two keys areas addressed, firstly how to
best
> control who can issue commands MVS commands and secondly once the
> command is issued how to best track and note that the command has been
> issued.
>
> I assume control of MVS command issuing is a fairly common requirement
> so I was hoping people could pass on the benefit their wisdom and
> knowledge and how they have seen this done.
>   

Take a look at activating the OPERCMDS class in your security product.

-- 
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: MVS Command Authorization

[Edward Jaffe]

Phillips, Peter wrote:

We are looking at tightening control over MVS command authorization. We
are a JES3 shop running Flasher, Omegamon, Solve etc. with ACF2. Of
course we have batch production jobs streams, operators, MVS sysprogs
all issuing MVS commands at different times and in different situations.

Our management would like two keys areas addressed, firstly how to best
control who can issue commands MVS commands and secondly once the
command is issued how to best track and note that the command has been
issued.

I assume control of MVS command issuing is a fairly common requirement
so I was hoping people could pass on the benefit their wisdom and
knowledge and how they have seen this done.
  


Take a look at activating the OPERCMDS class in your security product.

--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

MVS Command Authorization

[Phillips, Peter]

Hi,

We are looking at tightening control over MVS command authorization. We
are a JES3 shop running Flasher, Omegamon, Solve etc. with ACF2. Of
course we have batch production jobs streams, operators, MVS sysprogs
all issuing MVS commands at different times and in different situations.


Our management would like two keys areas addressed, firstly how to best
control who can issue commands MVS commands and secondly once the
command is issued how to best track and note that the command has been
issued.

I assume control of MVS command issuing is a fairly common requirement
so I was hoping people could pass on the benefit their wisdom and
knowledge and how they have seen this done.

Thanks for your help.

Regards
Peter Phillips
ANZ
Melbourne
Australia 




"This e-mail and any attachments to it (the "Communication") is, unless 
otherwise stated, confidential,  may contain copyright material and is for the 
use only of the intended recipient. If you receive the Communication in error, 
please notify the sender immediately by return e-mail, delete the Communication 
and the return e-mail, and do not read, copy, retransmit or otherwise deal with 
it. Any views expressed in the Communication are those of the individual sender 
only, unless expressly stated to be those of Australia and New Zealand Banking 
Group Limited ABN 11 005 357 522, or any of its related entities including ANZ 
National Bank Limited (together "ANZ"). ANZ does not accept liability in 
connection with the integrity of or errors in the Communication, computer 
virus, data corruption, interference or delay arising from or in respect of the 
Communication."

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html