Re: When to start security product?
Thanks for the response. I will move the start of Top Secret to somewhere after the beginning of the IPL Procedure to satisfy the recommendation.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: When to start security product?
On Thu, 12 Apr 2007 16:25:46 -0500 Rick Fochtman [EMAIL PROTECTED] wrote:

:---snip-
:If I were running any of the other 3 security products (RACF, ACF2,
:DEADBOLT) .. I would try to run it the same.
:--unsnip
:IIRC, RACF doesn't need to be brought up as such. Just run the task
:that establishes the in-storage parsing tables before issuing any RACF
:commands.

Well, that is because the guy three cubicles to the left takes care of providing an internal API.

--
Binyamin Dissen [EMAIL PROTECTED]
http://www.dissensoftware.com

Director, Dissen Software, Bar Grill - Israel

Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain. I very rarely bother responding to challenge/response systems, especially those from irresponsible companies.
Re: When to start security product?
At 04:00 PM 4/11/2007, you wrote:

> We use Top Secret. A consultant made a recommendation late last year that Top Secret should be the first task started during the IPL procedure. The Security Administrator has requested this change. Currently, we start Top Secret after JES2 completes its start procedure. I really don't see the merit in moving the start of Top Secret earlier in the IPL procedure.

We have ACF2 and start it before JES2. My fuzzy memory recalls it being moved from a post JES2 startup via the COMMND member to the pre JES2 startup due to an outside auditor finding. It *may* have been that the finding had something to do with the USS environment (at that time maybe still called OE) and the fact that ACF2 was not up yet for it. I looked at when I created the new members in parmlib to accomplish this and they were done in 2000. Fuzzy may be strong enough for my memory. :-)

> Can anyone explain why starting Top Secret/security product is more advantageous?

Brian W. France
Systems Administrator (Mainframe)
Pennsylvania State University
Administrative Information Services - Infrastructure/SYSARC
Rm 25 Shields Bldg., University Park, Pa. 16802
814-863-4739
[EMAIL PROTECTED]
Re: When to start security product?
I know very little of how TSS works, but until there is an active security system present, OMVS will not initiate, because it relies on the security system to provide it with UID's and GID's for all (including the root) OMVS processes. Waiting until after JES2 is active to start TSS probably means that you have an outstanding message

BPXP006E WAITING FOR SECURITY PRODUCT INITIALIZATION

Also, I would strongly suggest that you should ensure that NO jobs or STC's that run without APF authorization are allowed to start before you start the security product.

Wayne Driscoll
Product Developer
JME Software LLC
NOTE: All opinions are strictly my own.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Rick Fochtman
Sent: Wednesday, April 11, 2007 6:37 PM
To: [EMAIL PROTECTED]
Subject: Re: When to start security product?

---snip--
We use Top Secret. A consultant made a recommendation late last year that Top Secret should be the first task started during the IPL procedure. The Security Administrator has requested this change. Currently, we start Top Secret after JES2 completes its start procedure. I really don't see the merit in moving the start of Top Secret earlier in the IPL procedure. Can anyone explain why starting Top Secret/security product is more advantageous?
---unsnip---
IMHO, as long as it's up and initialized before any users can get access, the detailed timing doesn't matter. Before or after JES2 shouldn't matter a whit. Consider this: if there's a JCL error in the proc, starting it AFTER JES2 will allow you to capture the error without too much trouble.
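The check suggested in the post above (nothing unexpected starts before the security product, and no BPXP006E wait is outstanding), as an added example that is not part of any post in this thread. It assumes a simplified `HH:MM:SS message` line layout with constructed sample lines, uses the start of the TSS task as a stand-in for the product's own initialization-complete message, and treats CAS9 as the only task expected earlier.

```python
import re

# IEF403I is the z/OS "jobname - STARTED" message; BPXP006E is the message
# quoted in the post. The "HH:MM:SS text" line layout is a simplification.
START_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+IEF403I\s+(\S+)\s+-\s+STARTED\b")
WAIT_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+BPXP006E\b")

# Constructed sample: security product started after JES2.
LATE_TSS = """\
06:00:01 IEF403I CAS9 - STARTED - TIME=06.00.01
06:00:04 IEF403I JES2 - STARTED - TIME=06.00.04
06:00:06 BPXP006E WAITING FOR SECURITY PRODUCT INITIALIZATION
06:00:09 IEF403I NETVIEW - STARTED - TIME=06.00.09
06:00:15 IEF403I TSS - STARTED - TIME=06.00.15
06:00:20 IEF403I SA390 - STARTED - TIME=06.00.20
"""

# Constructed sample: CAS9 starts TSS, TSS starts everything else.
EARLY_TSS = """\
06:00:01 IEF403I CAS9 - STARTED - TIME=06.00.01
06:00:03 IEF403I TSS - STARTED - TIME=06.00.03
06:00:08 IEF403I JES2 - STARTED - TIME=06.00.08
06:00:12 IEF403I NETVIEW - STARTED - TIME=06.00.12
"""


def audit_ipl(lines, security_task="TSS", trusted_early=("CAS9",)):
    """Report work that began before the security product was started.

    trusted_early is a hypothetical allow-list of tasks the installation
    expects to run first. If the security task never appears, every other
    task in the log is reported.
    """
    early, waits, security_time = [], [], None
    for line in lines:
        m = START_RE.match(line)
        if m:
            when, task = m.groups()
            if task == security_task:
                if security_time is None:
                    security_time = when
            elif security_time is None and task not in trusted_early:
                early.append((when, task))
            continue
        m = WAIT_RE.match(line)
        if m and security_time is None:
            waits.append(m.group(1))
    return {
        "security_started_at": security_time,
        "started_unprotected": early,
        "omvs_waits": waits,
    }


if __name__ == "__main__":
    for name, log in (("late TSS", LATE_TSS), ("early TSS", EARLY_TSS)):
        print(name, audit_ipl(log.splitlines()))
```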
Re: When to start security product?
Typically a security product should be started before any AS that needs Unix attributes. The Unix attributes are provided by RACF/ACF2/TSS. I do not know TSS, but ACF2 starts via SYS1.PARMLIB(CAISEC00). I'd guess TSS can be brought up the same way.

Hth...
Re: When to start security product?
----- Original Message -----
From: Rick Fochtman [EMAIL PROTECTED]
Newsgroups: bit.listserv.ibm-main
Sent: Wednesday, April 11, 2007 7:37 PM
Subject: Re: When to start security product?

> ---snip--
> We use Top Secret. A consultant made a recommendation late last year that Top Secret should be the first task started during the IPL procedure. The Security Administrator has requested this change. Currently, we start Top Secret after JES2 completes its start procedure. I really don't see the merit in moving the start of Top Secret earlier in the IPL procedure. Can anyone explain why starting Top Secret/security product is more advantageous?
> ---unsnip---
> IMHO, as long as it's up and initialized before any users can get access, the detailed timing doesn't matter. Before or after JES2 shouldn't matter a whit. Consider this: if there's a JCL error in the proc, starting it AFTER JES2 will allow you to capture the error without too much trouble.

When converting from ACF2 to RACF, it turns out that ACF2 starts WAY later than RACF. We found that out the hard way when IXGLOGR yakked on our first RACF IPL (can't leave home without IXGLOGR). We had to add a bunch of RACF profiles just to get the system to IPL, because there was no need for those rules in ACF2.

Regards,
Tom Conley
Re: When to start security product?
At 09:57 AM 4/12/2007, you wrote:

> ----- Original Message -----
> From: Rick Fochtman [EMAIL PROTECTED]
> Newsgroups: bit.listserv.ibm-main
> Sent: Wednesday, April 11, 2007 7:37 PM
> Subject: Re: When to start security product?
>
>> ---snip--
>> We use Top Secret. A consultant made a recommendation late last year that Top Secret should be the first task started during the IPL procedure. The Security Administrator has requested this change. Currently, we start Top Secret after JES2 completes its start procedure. I really don't see the merit in moving the start of Top Secret earlier in the IPL procedure. Can anyone explain why starting Top Secret/security product is more advantageous?
>> ---unsnip---
>> IMHO, as long as it's up and initialized before any users can get access, the detailed timing doesn't matter. Before or after JES2 shouldn't matter a whit. Consider this: if there's a JCL error in the proc, starting it AFTER JES2 will allow you to capture the error without too much trouble.
>
> When converting from ACF2 to RACF, it turns out that ACF2 starts WAY later than RACF. We found that out the hard way when IXGLOGR yakked on our first RACF IPL (can't leave home without IXGLOGR). We had to add a bunch of RACF profiles just to get the system to IPL, because there was no need for those rules in ACF2.

Really? I had to write 2 or 3 Fac resource rules, possibly a SAF in there as well. BUT then I start ACF2 before JES2.

> Regards,
> Tom Conley

Brian W. France
Systems Administrator (Mainframe)
Pennsylvania State University
Administrative Information Services - Infrastructure/SYSARC
Rm 25 Shields Bldg., University Park, Pa. 16802
814-863-4739
[EMAIL PROTECTED]
Re: When to start security product?
---snip-
If I were running any of the other 3 security products (RACF, ACF2, DEADBOLT) .. I would try to run it the same.
--unsnip
IIRC, RACF doesn't need to be brought up as such. Just run the task that establishes the in-storage parsing tables before issuing any RACF commands.
Re: When to start security product?
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Mark Yuhas
Sent: Wednesday, April 11, 2007 3:01 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: When to start security product?

We use Top Secret. A consultant made a recommendation late last year that Top Secret should be the first task started during the IPL procedure. The Security Administrator has requested this change. Currently, we start Top Secret after JES2 completes its start procedure. I really don't see the merit in moving the start of Top Secret earlier in the IPL procedure. Can anyone explain why starting Top Secret/security product is more advantageous?
snip

Because until it starts, you have no security?

I would assume by this question that you have the system set up to startup with the default of EVERYONE is authorized to everything. Otherwise, you would come up to about the point of the master scheduler getting control, and then your operator(s) would be busy for the next several hours replying U to every OPEN of every data set.

So if the first scenario is the case, all STCs that start before JES2, whether they should or not, have access to everything.

Regards,
Steve Thompson

-- all opinions here are my own and not necessarily those of my employer. --
Re: When to start security product?
> We use Top Secret. A consultant made a recommendation late last year that Top Secret should be the first task started during the IPL procedure. The Security Administrator has requested this change. Currently, we start Top Secret after JES2 completes its start procedure. I really don't see the merit in moving the start of Top Secret earlier in the IPL procedure. Can anyone explain why starting Top Secret/security product is more advantageous?

Well the security product can't protect anything when the security product itself isn't present in the system right? That would take a certain amount of voodoo that (as far as I know) TSS doesn't have.

Everything that gets started early in the IPL, i.e. started tasks started with SUB=MSTR before the JES is started, presumably are tightly controlled by the installation. They can be trusted to do whatever they need to, or you would not start them that way. But once the JES is up, the flood gates can open and all of the normal work can run. Your security system must be up for that work to run.

The security system is intended to be able to run under the master subsystem before the JES is up and after the JES has gone. There's certainly no harm in starting it first in the IPL and there may be some benefit in not delaying later work. I certainly would not wait until after the JES was up, even though nothing much may be going on that early. And if it makes your security auditors feel happy...

CC
Re: When to start security product?
I normally start CAS9 first through the subsystem name table member. Then have CAS9 start TSS, then have TSS start everything else, including JES2.

On Wed, 11 Apr 2007 16:28:46 -0400, Craddock, Chris [EMAIL PROTECTED] wrote:

>> We use Top Secret. A consultant made a recommendation late last year that Top Secret should be the first task started during the IPL procedure. The Security Administrator has requested this change. Currently, we start Top Secret after JES2 completes its start procedure. I really don't see the merit in moving the start of Top Secret earlier in the IPL procedure. Can anyone explain why starting Top Secret/security product is more advantageous?
>
> Well the security product can't protect anything when the security product itself isn't present in the system right? That would take a certain amount of voodoo that (as far as I know) TSS doesn't have.
>
> Everything that gets started early in the IPL, i.e. started tasks started with SUB=MSTR before the JES is started, presumably are tightly controlled by the installation. They can be trusted to do whatever they need to, or you would not start them that way. But once the JES is up, the flood gates can open and all of the normal work can run. Your security system must be up for that work to run.
>
> The security system is intended to be able to run under the master subsystem before the JES is up and after the JES has gone. There's certainly no harm in starting it first in the IPL and there may be some benefit in not delaying later work. I certainly would not wait until after the JES was up, even though nothing much may be going on that early. And if it makes your security auditors feel happy...
>
> CC
Re: When to start security product?
Nah, the early start of TSS doesn't buy anything useful. Also, if you wait till JES is up you can see TSS output in SDSF, which often contains useful information, and diagnostics. Potayto, Potahto.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Thompson, Steve
Sent: Wednesday, April 11, 2007 3:05 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: When to start security product?

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Mark Yuhas
Sent: Wednesday, April 11, 2007 3:01 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: When to start security product?

We use Top Secret. A consultant made a recommendation late last year that Top Secret should be the first task started during the IPL procedure. The Security Administrator has requested this change. Currently, we start Top Secret after JES2 completes its start procedure. I really don't see the merit in moving the start of Top Secret earlier in the IPL procedure. Can anyone explain why starting Top Secret/security product is more advantageous?
snip

Because until it starts, you have no security?

I would assume by this question that you have the system set up to startup with the default of EVERYONE is authorized to everything. Otherwise, you would come up to about the point of the master scheduler getting control, and then your operator(s) would be busy for the next several hours replying U to every OPEN of every data set.

So if the first scenario is the case, all STCs that start before JES2, whether they should or not, have access to everything.

Regards,
Steve Thompson

-- all opinions here are my own and not necessarily those of my employer. --
Re: When to start security product?
---snip--
We use Top Secret. A consultant made a recommendation late last year that Top Secret should be the first task started during the IPL procedure. The Security Administrator has requested this change. Currently, we start Top Secret after JES2 completes its start procedure. I really don't see the merit in moving the start of Top Secret earlier in the IPL procedure. Can anyone explain why starting Top Secret/security product is more advantageous?
---unsnip---
IMHO, as long as it's up and initialized before any users can get access, the detailed timing doesn't matter. Before or after JES2 shouldn't matter a whit. Consider this: if there's a JCL error in the proc, starting it AFTER JES2 will allow you to capture the error without too much trouble.
Re: When to start security product?
I disagree Rick. If it starts too late, then you will never know if you have certain started tasks defined correctly, until you have to recycle one of them without an IPL, and it fails for security.

Dave Jousma
Principal Systems Programmer
[EMAIL PROTECTED]
616.653.8429

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Rick Fochtman
Sent: Wednesday, April 11, 2007 7:37 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: When to start security product?

Can anyone explain why starting Top Secret/security product is more advantageous?
---unsnip---
IMHO, as long as it's up and initialized before any users can get access, the detailed timing doesn't matter. Before or after JES2 shouldn't matter a whit. Consider this: if there's a JCL error in the proc, starting it AFTER JES2 will allow you to capture the error without too much trouble.

This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.
Re: When to start security product?
We are starting CAS9,SUB=MSTR which starts TSS,SUB=MSTR .. TSS starts JES2/NETVIEW/SA390.. then SA/390 takes over everything else being started. Works pretty well. For CPF logs.. just issue the F TSS,CPF(REFRESH) after JES2 is fully up.

We made the move primarily for System Automation... plus all the address spaces are controlled/tracked via Top Secret... and for most everything that requires JES2.. it makes a lot of sense.

Seems pretty reasonable to bring up the security product early in the process. If I were running any of the other 3 security products (RACF, ACF2, DEADBOLT) .. I would try to run it the same.

Just my 2cents,
Rob Schramm