Re: How is CAMASTER started?
> That leaves me with my original question: How is CAMASTER started? ... How? That CNZ exit?

That is up to CA. In general, we have no control over what happens in exit routines. And there might be other possibilities.

Peter Relson
z/OS Core Technology Design

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How is CAMASTER started?
To be fair, it is my understanding that there is no misuse. CAMASTER is not started out of ICHALTSP in the case where RACF is the security product.

Peter Relson
z/OS Core Technology Design
Re: How is CAMASTER started?
> CAMASTER is not started out of ICHALTSP in the case where RACF is the security product.

That leaves me with my original question: How is CAMASTER started?

As I said before, while ICHALTSP is certainly in LNKLST (since we will run that LPAR with either RACF, ACF2 or TSS, depending on the testcase - we are still converting our RACF data bases to something usable under ACF2 or TSS), right now we still run with RACF and CAMASTER still starts. How? That CNZ exit?

Barbara
Re: How is CAMASTER started?
> - ICHALTSP is an interface made available to the owner of the alternate security product being used on this system, as a means of starting that alternate security product in the same window when RACF is started, i.e., before started tasks and jobs can start. FWIW, ALTSP does indeed stand for ALTernate Security Product.

Thanks Peter, you've saved me from searching for the string ICHALTSP in all IBM modules. I figured that this was the mechanism to get CAMASTER up and running, since a true API *requires* to be in control first to call the API. So CA (mis)uses this interface/agreement to get themselves a trusted address space for *all* of their products, not just ACF2 and TSS, which (according to the CA website) were not even the first exploiters of CAMASTER.

> On systems that run an unmodified SAF (as supplied by IBM), all address spaces that start during NIP are initially TRUSTED and none has a user ID, because there are no security services available to assign anything else that early in the system's life. They also only have limited services available for their use. Later, after the security services become available during MSI, some of those early address spaces may choose to transition into full-service address spaces, and if so they would acquire proper security identities, and possibly lose their TRUSTED status.

Thanks Walt, for clarifying this. As far as I am concerned, just about *every* address space should have an associated userid, but most definitely a vendor's address space! I had noticed that the IBM docs on what address space *needs* to have a userid assigned are a bit opaque back when I introduced the * profile in class STARTED with a userid without any rights on my ADCD RACF data base, so being cautious I assigned a userid to just about every address space (with the exception of *master*).

I also routinely show IRR812I, so I know now that *MASTER*, PCAUTH, RASP, TRACE, GRS, SMSPDSE, CONSOLE, ALLOCAS are the only address spaces that don't get a userid assigned in STARTED.

Barbara
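The STARTED-class audit Barbara describes (watching IRR812I to see which address spaces got a user ID, which fell through to the catch-all profile, and which never went through STARTED at all) can be scripted over a SYSLOG extract. The following is an added example, not code from the thread or from any vendor; the IRR812I/IRR813I message layouts it matches are an assumption to be checked against the RACF Messages manual for your release, and the log lines and job list are constructed samples.

```python
"""Summarise how RACF assigned identities to started address spaces.

Added example (not from the IBM-MAIN thread). Message layouts are assumed:
  IRR812I PROFILE prof (G) IN THE STARTED CLASS WAS USED TO START proc WITH JOBNAME job.
  IRR813I NO PROFILE WAS FOUND IN THE STARTED CLASS FOR proc WITH JOBNAME job. USED ICHRIN03.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

RE_812 = re.compile(
    r"IRR812I PROFILE (?P<prof>\S+)(?P<gen> \(G\))? IN THE STARTED CLASS "
    r"WAS USED TO START (?P<proc>\S+) WITH JOBNAME (?P<job>\S+)\.")
RE_813 = re.compile(
    r"IRR813I NO PROFILE WAS FOUND IN THE STARTED CLASS FOR (?P<proc>\S+) "
    r"WITH JOBNAME (?P<job>\S+)\. USED ICHRIN03\.")


@dataclass
class StartedAssignment:
    proc: str
    job: str
    profile: Optional[str]   # None when RACF fell back to the ICHRIN03 table
    generic: bool            # True when the profile was a generic (G) match


def parse_started_messages(lines: Iterable[str]) -> Dict[str, StartedAssignment]:
    """Map job name -> the STARTED-class decision RACF logged for it."""
    seen: Dict[str, StartedAssignment] = {}
    for line in lines:
        m = RE_812.search(line)
        if m:
            seen[m["job"]] = StartedAssignment(m["proc"], m["job"], m["prof"], m["gen"] is not None)
            continue
        m = RE_813.search(line)
        if m:
            seen[m["job"]] = StartedAssignment(m["proc"], m["job"], None, False)
    return seen


def classify(active_jobs: Iterable[str], seen: Dict[str, StartedAssignment],
             catch_all: str = "*") -> Dict[str, List[str]]:
    """Bucket each active address space by how it got (or did not get) a user ID."""
    report: Dict[str, List[str]] = {"explicit": [], "catch_all": [], "ichrin03": [], "no_message": []}
    for job in active_jobs:
        a = seen.get(job)
        if a is None:
            report["no_message"].append(job)   # no STARTED decision logged: review (e.g. NIP-time start)
        elif a.profile is None:
            report["ichrin03"].append(job)     # identity came from the old ICHRIN03 table
        elif a.profile == catch_all:
            report["catch_all"].append(job)    # running under the default, no-rights STC user
        else:
            report["explicit"].append(job)
    return report


# Constructed sample SYSLOG lines and a constructed list of active address spaces.
SAMPLE_LOG = [
    "IRR812I PROFILE JES2.* (G) IN THE STARTED CLASS WAS USED TO START JES2 WITH JOBNAME JES2.",
    "IRR812I PROFILE VTAM IN THE STARTED CLASS WAS USED TO START VTAM WITH JOBNAME VTAM.",
    "IRR812I PROFILE * (G) IN THE STARTED CLASS WAS USED TO START ZFS WITH JOBNAME ZFS.",
    "IRR813I NO PROFILE WAS FOUND IN THE STARTED CLASS FOR OLDPROC WITH JOBNAME OLDPROC. USED ICHRIN03.",
]
ACTIVE = ["*MASTER*", "PCAUTH", "CAMASTER", "JES2", "VTAM", "ZFS", "OLDPROC"]

if __name__ == "__main__":
    for bucket, jobs in classify(ACTIVE, parse_started_messages(SAMPLE_LOG)).items():
        print(f"{bucket:10s} {', '.join(jobs) or '-'}")
```

Anything in the no_message or catch_all buckets is what to review against the list of address spaces you deliberately leave without a STARTED user ID.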
Re: How is CAMASTER started?
> am I correct in assuming that the API provides IBM with a way to start an address space (via one of the IBM IRIMs used for initializing the system) by using a CA module in the ASCRE?

I'd say no, not correct. IBM code does not do an ASCRE such as this.

> So essentially the first CA module kicking everything else off gets called by IBM code?

I'd say sort of. But only when you are running ACF2 or Top Secret. That interface provides a call to a routine owned by the alternate security product in effect for this IPL. If there's a security product other than owned by IBM or CA, the interface would be for them in that case. It can be important that a security product start before anything normal can start.

Another early opportunity to start an address space is by an exit routine associated with the CNZ_MSIEXIT exit. z/OS does not have any control over what happens in this exit.

Peter Relson
z/OS Core Technology Design
Re: How is CAMASTER started?
On 6/22/2015 3:13 AM, nitz-...@gmx.net wrote:
>> - ICHALTSP is an interface made available to the owner of the alternate security product being used on this system, as a means of starting that alternate security product in the same window when RACF is started, i.e., before started tasks and jobs can start. FWIW, ALTSP does indeed stand for ALTernate Security Product.
>
> Thanks Peter, you've saved me from searching for the string ICHALTSP in all IBM modules. I figured that this was the mechanism to get CAMASTER up and running, since a true API *requires* to be in control first to call the API. So CA (mis)uses this interface/agreement to get themselves a trusted address space for *all* of their products, not just ACF2 and TSS, which (according to the CA website) were not even the first exploiters of CAMASTER.

I like banging on CA as much as the next guy, but there is no misuse here. I first presented about the IKJEFXSR exploitation, in August of 2012, at the Bit Bucket for SHARE in Anaheim. At that time, there was no supported interface for CA to start CAMASTER early at IPL time. Now there is, and they're using it as intended.

Regards,
Tom Conley
Re: How is CAMASTER started?
> I'd say sort of. But only when you are running ACF2 or Top Secret.

We plan to run with either TSS or ACF2 in that lpar. Currently we still use RACF there. So we already have the (ACF2) library in linklist, but don't actually run an alternate security product yet. Which makes me think that the IBM code just searches for an agreed-upon module name (ICHALTSP) and if found, gives control to that module. That routine in turn will start CAMASTER, is my guess.

> Another early opportunity to start an address space is by an exit routine associated with the CNZ_MSIEXIT exit. z/OS does not have any control over what happens in this exit.

Thanks again, Peter!

Barbara
Re: How is CAMASTER started?
On Sun, 21 Jun 2015 11:05:34 +0200, nitz-...@gmx.net wrote:
> Why does CAMASTER make itself a TRUSTED address space, not using any assigned userid in STARTED?

On systems that run an unmodified SAF (as supplied by IBM), all address spaces that start during NIP are initially TRUSTED and none has a user ID, because there are no security services available to assign anything else that early in the system's life. They also only have limited services available for their use. Later, after the security services become available during MSI, some of those early address spaces may choose to transition into full-service address spaces, and if so they would acquire proper security identities, and possibly lose their TRUSTED status.

--
Walt
Re: How is CAMASTER started?
On Sun, 21 Jun 2015 11:05:34 +0200, Barbara wrote:
> Scott, ... am I correct in assuming

Barbara, do you still get to the European z conferences? Scott was at Boston. I'm sure he'd be in Europe as well. Take him out to get (at least) one of those excellent German beers, and find out in person. Much better way to get a definitive answer ... :0)

Just my opinion of course, not related to reality in any way.

Shane ...
Re: How is CAMASTER started?
> According to the ibmmain post ICHALTSP is an (IBM) IRIM that receives control in master scheduler (but you're right, I cannot find it in my SMPE environment either).

I'm not sure which ibmmain post is being referred to but:

- ICHALTSP is not an IRIM. IRIM has a specific meaning to z/OS.
- ICHALTSP is not a RIM either.
- ICHALTSP is not provided by z/OS itself.
- ICHALTSP is an interface made available to the owner of the alternate security product being used on this system, as a means of starting that alternate security product in the same window when RACF is started, i.e., before started tasks and jobs can start. FWIW, ALTSP does indeed stand for ALTernate Security Product.

Peter Relson
z/OS Core Technology Design
Re: How is CAMASTER started?
Scott,

> We made our case to IBM, they agreed and provided a licensed API.

am I correct in assuming that the API provides IBM with a way to start an address space (via one of the IBM IRIMs used for initializing the system) by using a CA module in the ASCRE? So essentially the first CA module kicking everything else off gets called by IBM code?

Why does CAMASTER make itself a TRUSTED address space, not using any assigned userid in STARTED?

Barbara
Re: How is CAMASTER started?
In 20150618144101.75ef6133e1b938e944115...@gmx.net, on 06/18/2015 at 02:41 PM, nitz-...@gmx.net said:

> According to the ibmmain post ICHALTSP is an (IBM) IRIM that receives control in master scheduler (but you're right, I cannot find it in my SMPE environment either).

Could it be a NUCLEUS csect?

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress. (S877: The Shut up and Eat Your spam act of 2003)
Re: How is CAMASTER started?
At what level of CCS and/or z/OS? I'm pretty sure my system still uses the TSO module in CAILPA.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Scott Fagen
Sent: Friday, June 19, 2015 3:00 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How is CAMASTER started?

On Thu, 18 Jun 2015 11:12:27 +0200, nitz-...@gmx.net wrote:
> Does anyone know?

Yes. We made our case to IBM, they agreed and provided a licensed API.

Scott Fagen
Chief Architect - Mainframe
CA Technologies
Re: How is CAMASTER started?
Probably SVCs, my guess

On Friday, June 19, 2015, Gibney, David Allen, Jr gib...@wsu.edu wrote:
> At what level of CCS and/or z/OS? I'm pretty sure my system still uses the TSO module in CAILPA.
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Scott Fagen
> Sent: Friday, June 19, 2015 3:00 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: How is CAMASTER started?
>
> On Thu, 18 Jun 2015 11:12:27 +0200, nitz-...@gmx.net wrote:
> > Does anyone know?
>
> Yes. We made our case to IBM, they agreed and provided a licensed API.
>
> Scott Fagen
> Chief Architect - Mainframe
> CA Technologies
Re: How is CAMASTER started?
So, how is it done?

-teD

- Original Message
From: Scott Fagen
Sent: Friday, June 19, 2015 17:59
To: IBM-MAIN@LISTSERV.UA.EDU
Reply To: IBM Mainframe Discussion List
Subject: Re: How is CAMASTER started?

On Thu, 18 Jun 2015 11:12:27 +0200, nitz-...@gmx.net wrote:
> Does anyone know?

Yes. We made our case to IBM, they agreed and provided a licensed API.

Scott Fagen
Chief Architect - Mainframe
CA Technologies
Re: How is CAMASTER started?
On Thu, 18 Jun 2015 11:12:27 +0200, nitz-...@gmx.net wrote:
> Does anyone know?

Yes. We made our case to IBM, they agreed and provided a licensed API.

Scott Fagen
Chief Architect - Mainframe
CA Technologies
Re: How is CAMASTER started?
On Fri, 19 Jun 2015 16:59:48 -0500, Scott Fagen wrote:
>> Does anyone know?
>
> Yes.

oooh yeah, I bet he knows ;-)

No-brainer decision really given the emphasis on known attack vectors. IBM just had to provide an API.

Shane ...
Re: How is CAMASTER started?
> Search IBM-MAIN archive (or google) for TEC570878 or IKJEFXSR

Thanks Norbert. I can see that CAMASTER started on this system, but I still don't know how this is actually done since no libraries containing this frontend are loaded in LPA via lpalst or command. Right now neither IKJEFXSR nor ICHALTSP can be found in active LPA:

D PROG,LPA,MOD=IKJEFXSR
CSV550I 06.26.56 LPA DISPLAY 748
IKJEFXSR WAS NOT FOUND IN THE LPA
D PROG,LPA,MOD=CCSEFXSR
CSV550I 06.27.19 LPA DISPLAY 750
CCSEFXSR WAS NOT FOUND IN THE LPA
D PROG,LPA,MOD=ICHALTSP
CSV550I 06.29.45 LPA DISPLAY 752
ICHALTSP WAS NOT FOUND IN THE LPA

All CA libraries are concatenated behind the IBM ones in linklist, so this does not really explain it.

Barbara
Re: How is CAMASTER started?
On Thu, 18 Jun 2015 13:38:19 +0200, nitz-...@gmx.net wrote:
>> Search IBM-MAIN archive (or google) for TEC570878 or IKJEFXSR
>
> Thanks Norbert. I can see that CAMASTER started on this system, but I still don't know how this is actually done since no libraries containing this frontend are loaded in LPA via lpalst or command. Right now neither IKJEFXSR nor ICHALTSP can be found in active LPA:
>
> D PROG,LPA,MOD=IKJEFXSR
> CSV550I 06.26.56 LPA DISPLAY 748
> IKJEFXSR WAS NOT FOUND IN THE LPA
> D PROG,LPA,MOD=CCSEFXSR
> CSV550I 06.27.19 LPA DISPLAY 750
> CCSEFXSR WAS NOT FOUND IN THE LPA
> D PROG,LPA,MOD=ICHALTSP
> CSV550I 06.29.45 LPA DISPLAY 752
> ICHALTSP WAS NOT FOUND IN THE LPA
>
> All CA libraries are concatenated behind the IBM ones in linklist, so this does not really explain it.

There's no module named ICHALTSP in IBM libraries (LINKLIB, CSSLIB, MIGLIB,...). It's only in CAW0LINK. (ISPF - DDLIST - LINKLIST - MEM ICHALTSP).

Norbert Friemel
(just guessing: ICH ALTSP: special module for an ALTernate Security Product?)
Re: How is CAMASTER started?
> There's no module named ICHALTSP in IBM libraries (LINKLIB, CSSLIB, MIGLIB,...). It's only in CAW0LINK. (ISPF - DDLIST - LINKLIST - MEM ICHALTSP).

According to the ibmmain post ICHALTSP is an (IBM) IRIM that receives control in master scheduler (but you're right, I cannot find it in my SMPE environment either). I have found ICHALTSP in different CA libraries (common services and ACF2, haven't checked TSS yet). IKJEFXSR is not in LPA, but it is in (IBM) linklib and would be found there before any CA module could be found, so I still don't understand how and what CA intercepts to start CAMASTER. (Not having installed either CA common services nor ACF2 nor TSS, I still don't think that there was a job to relink anything into the IBM target libraries with an alias.)

Barbara
Re: How is CAMASTER started?
On 6/18/2015 5:11 AM, nitz-...@gmx.net wrote:
> Now that CAMASTER has become a mandatory address space, I am asking myself how that address is actually started. The CA documentation makes it sound as if it were magic that starts it, but I don't believe in magic. There are knowledge base articles out there that say that starting CAMASTER at the SSI is too late (which makes sense, especially if a customer uses TSS or ACF2 for security). I would still like to know *how* it is started. Is IBM checking for the presence of certain modules in lpa and then start it during MSI? Does anyone know?
>
> What I dislike is also the fact that CA states that absolutely no security definitions are required, since the address space is TRUSTED. Sounds like they give themselves the TRUSTED attribute, since no entry in STARTED is required and my default userid without any rights for non-defined STCs was not taken. The address space has all kinds of privileges via SCHEDxx and is obviously APF authorized.
>
> Barbara

Hi Barbara,

I did a Bit Bucket presentation at SHARE on this a few years back. CAMASTER at the time used IKJEFXSR as a front-end. CA is supposed to have changed it to use a supported z/OS interface. Open a case with them and ask. That's how I found out about IKJEFXSR.

Regards,
Tom Conley
Re: How is CAMASTER started?
On Thu, 18 Jun 2015 11:12:27 +0200, nitz-...@gmx.net wrote:
> Now that CAMASTER has become a mandatory address space, I am asking myself how that address is actually started. The CA documentation makes it sound as if it were magic that starts it, but I don't believe in magic. There are knowledge base articles out there that say that starting CAMASTER at the SSI is too late (which makes sense, especially if a customer uses TSS or ACF2 for security). I would still like to know *how* it is started. Is IBM checking for the presence of certain modules in lpa and then start it during MSI? Does anyone know?

Search IBM-MAIN archive (or google) for TEC570878 or IKJEFXSR

Norbert Friemel
How is CAMASTER started?
Now that CAMASTER has become a mandatory address space, I am asking myself how that address is actually started. The CA documentation makes it sound as if it were magic that starts it, but I don't believe in magic. There are knowledge base articles out there that say that starting CAMASTER at the SSI is too late (which makes sense, especially if a customer uses TSS or ACF2 for security). I would still like to know *how* it is started. Is IBM checking for the presence of certain modules in lpa and then start it during MSI? Does anyone know?

What I dislike is also the fact that CA states that absolutely no security definitions are required, since the address space is TRUSTED. Sounds like they give themselves the TRUSTED attribute, since no entry in STARTED is required and my default userid without any rights for non-defined STCs was not taken. The address space has all kinds of privileges via SCHEDxx and is obviously APF authorized.

Barbara