Re: CA-Roscoe shops around?
We do. Roscoe is so deeply embedded here, but as a shop we are also functionally stabilizing it, in that we are not adding anything new to that environment, and in fact, as we migrate to new products (change management, etc.), they don’t get put back into Roscoe. The handwriting is on the wall, but for now I still have to support that environment for some time to come.

This is all coming about because we are abandoning a long-held test batch job naming standard here that is comprised of T+roscoe prefix to using userid. We have so much highly customized infrastructure to support it. All Roscoe job security is based on the roscoe prefix in the jobname vs securing by job owner. Test jobs in TSO/ISPF are based on userid, and some userids actually conflict with the roscoe standards, causing confusion with Roscoe users.

We have more and more non-Roscoe developers working in TSO/ISPF and one day we will retire Roscoe. All of our development tools (debug, fault analyzer, file manager, etc.) are all ISPF based that most of the long timers here are straddling the fence using both.

I guess I will be adding the SAF calls to the Roscoe Console exit, assuming we can get that to work. Otherwise it will probably be another nail in the coffin of Roscoe.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Zelden
Sent: Tuesday, March 11, 2014 4:31 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: CA-Roscoe shops around?

Do you have TSO/ISPF and SDSF? Or CA Sysview? Or any other tool to use for sysprogs / operations so you can just leave Roscoe as is with read only console access to those you chose to let use the command at all?

Or you could just use CONSOLE under TSO, that isn't much worse than the Roscoe console command. If you are looking for something a bit more friendly, I have used this rexx exec from a redbook:

Extended MCS Console via ISPF

doc:
This is from Appendix G. of the following Red Book:
OS/390 MVS Multisystem Consoles Implementing MVS Sysplex Operations.
SG24-4626-00

download from the internet. either:
http://www.redbooks.ibm.com/redbooks
OR
ftp ftp.almaden.ibm.com
user: anonymous
password: your email address
cd redbooks/SG244646
get emcs.code

--
This is my personal setup, I don't recall if these are the names used or recommended in the Redbook

CLIST: CONS (invoking clist)
REXX: CNDS
ISPF COMMAND TABLE: CNDSCMDS
PANELS: USRCN USRCNS

--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
ITIL v3 Foundation Certified
mailto:m...@mzelden.com
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
Systems Programming expert at http://search390.techtarget.com/ateExperts/

This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: CA-Roscoe shops around?
Roscoe is no longer in use here but I do have an exit.

It depends on two facility classes being defined in RACF.

ROSCMD to allow access to issuing commands
ROSCON to allow access to viewing the console

This is similar to having tables of users defined in the exit but this way the RACF admin controls access.

CHKCMD   DS    0H
         MVC   RACNAME,=CL8'ROSCON'     SET FOR CON CHK
         L     R3,UXCONCMD              ADDRESS COMMAND CODE
         CLI   0(R3),UXCO@OPE           OPERATOR COMMAND
         BNE   RACHK                    NO...SKIP NEXT
         MVC   RACNAME,=CL8'ROSCMD'     SET FOR CMD CHK
RACHK    MVC   RACEXEC,BGNRAC           MOVE IN THE RACHECK LIST
         L     R7,SCBACFB               GET THE ACEE
         LA    R7,0(0,R7)
         LTR   R7,R7                    ACEE PRESENT?
         BZ    RC4                      NO
         MODESET MF=(E,SUPSVSL)         INTO KEY ZERO
         RACHECK ENTITY=RACNAME,ACEE=(R7),MF=(E,RACEXEC)
         ST    R15,RCODE                SAVE RETURN CODE
         MODESET MF=(E,PROBSVSL)        RETURN TO PROBLEM PROGRAM
         CLC   RCODE,=X''               TEST RETURN CODE
         BNE   RC4                      FAILED

Let me know offline if you would like to have the complete exit.

Thanks,
Tim Deller
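
The RACF side of the exit described above, as an added example that is not part of the original post: a CLIST that defines the two resources with no default access and grants them separately. It assumes ROSCON and ROSCMD are profiles in the FACILITY class and that the exit's RACHECK asks for READ (the list form BGNRAC is not shown in the post); the group names ROSVIEW and ROSOPER are hypothetical.

```clist
/* Added example, not from the original post.                        */
/* Assumptions: ROSCON/ROSCMD are FACILITY class profiles and the    */
/* exit checks for READ. ROSVIEW and ROSOPER are hypothetical groups.*/

/* No default access: only explicitly permitted IDs pass the check.  */
/* Log failed console-view attempts; log every command-issue check.  */
RDEFINE FACILITY ROSCON UACC(NONE) AUDIT(FAILURES(READ))
RDEFINE FACILITY ROSCMD UACC(NONE) AUDIT(ALL(READ))

/* Viewing the console: both groups.                                 */
PERMIT ROSCON CLASS(FACILITY) ID(ROSVIEW ROSOPER) ACCESS(READ)

/* Issuing commands: the operator group only.                        */
PERMIT ROSCMD CLASS(FACILITY) ID(ROSOPER) ACCESS(READ)

/* FACILITY is normally RACLISTed, so refresh the in-storage copy.   */
SETROPTS RACLIST(FACILITY) REFRESH

/* Review the resulting access lists.                                */
RLIST FACILITY ROSCON AUTHUSER
RLIST FACILITY ROSCMD AUTHUSER
```

Keeping ROSCMD on a shorter access list than ROSCON matters here because, as noted elsewhere in this thread, commands that pass the exit are issued under the Roscoe started task ID rather than the user's own.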
Re: CA-Roscoe shops around?
Jousma, David wrote:

> CA does provide a very simple exit to allow for authority checks, but is very rudimentary, and uses a hardcoded ID table.

Hardcoded table Horrible! That's so ancient... ;-)

> What I am looking for is if someone has already written code to do appropriate SAF checks on OPERCMDS. I hate to re-invent the wheel, but will if necessary.

I can provide you a sample source code of RACROUTE REQUEST=AUTH macro if you wish. Just say whether you want first or third party checks. Also do you want to pass the entity name or the profile?

Is that exit RENT or not? REUS or not?

Groete / Greetings
Elardus Engelbrecht
Re: CA-Roscoe shops around?
Elardus,

Thanks. I have plenty of examples of that. Not a problem. I appreciate that offer though. These will all be 3rd party calls.

To really complete a job that CA has not done, I am going to have to do a couple of SAF calls. Will need a call for OPERCMDS to validate authority to issue the command they want, and then for JES commands that affect JOB/STC/TSU do they also have authority through JESSPOOL facility to modify these jobs.

All this would be much simpler, if the operator commands were being issued under the ACEE of the user, not the Roscoe region. Then there would be nothing to do in any exits.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Elardus Engelbrecht
Sent: Tuesday, March 11, 2014 9:28 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: CA-Roscoe shops around?

Jousma, David wrote:

> CA does provide a very simple exit to allow for authority checks, but is very rudimentary, and uses a hardcoded ID table.

Hardcoded table Horrible! That's so ancient... ;-)

> What I am looking for is if someone has already written code to do appropriate SAF checks on OPERCMDS. I hate to re-invent the wheel, but will if necessary.

I can provide you a sample source code of RACROUTE REQUEST=AUTH macro if you wish. Just say whether you want first or third party checks. Also do you want to pass the entity name or the profile?

Is that exit RENT or not? REUS or not?

Groete / Greetings
Elardus Engelbrecht
Re: CA-Roscoe shops around?
Jousma, David wrote:

> Thanks. I have plenty of examples of that. Not a problem. I appreciate that offer though. These will all be 3rd party calls.

Ok. That is Ok.

> To really complete a job that CA has not done, I am going to have to do a couple of SAF calls. Will need a call for OPERCMDS to validate authority to issue the command they want, and then for JES commands that affect JOB/STC/TSU do they also have authority through JESSPOOL facility to modify these jobs.

From what you explain, you need to set the ACEE of the exit to the user and then issue the JES command via say SVC34?

I don't think you need to check the JESSPOOL because JES2 will check the JESSPOOL anyways when receiving a command as long it gets the command with its correct id as issuer. The same goes for OPERCMDS, the system will call RACF too.

> All this would be much simpler, if the operator commands were being issued under the ACEE of the user, not the Roscoe region. Then there would be nothing to do in any exits

I believe there are samples on CBTTAPE where you can set your address space ACEE to something else with these: RACROUTE ENVIR=CREATE and RACROUTE ENVIR=DELETE. Of course the exit needs AC(1).

Groete / Greetings
Elardus Engelbrecht
Re: CA-Roscoe shops around?
It's been a few years, but we tried to do this and could never get it to work properly. We finally just disabled the console command completely from within Roscoe - and we eventually got rid of Roscoe as well.

Todd Burrell, PMP, ITIL Expert, CISSP | Project Manager | ITSO AHB | Centers for Disease Control and Prevention (CDC)
Contractor - HP Enterprise Services | 1600 Clifton Rd, Building 21, MS D24, RM 1300 | Atlanta, GA 30338 | 404-971-7275 (Blackberry) 404-723-2017 (Mobile) | z...@cdc.gov

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is for use only by the intended recipient. If you received this in error, please notify the sender and delete the communication from all computers.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jousma, David
Sent: Tuesday, March 11, 2014 8:59 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: CA-Roscoe shops around?

All,

Wondering if there is anyone on the list that runs CA-Roscoe that might be able to help. We have for years. Looking to see if anyone has, and might be willing to share any exit code for the CONSOLE monitor command (CONEXIT).

Already verified that operator commands issued by users from within a Roscoe region are presented to the operating system under the authority of the Roscoe Started task ID, not under the ACEE of the user. CA does provide a very simple exit to allow for authority checks, but is very rudimentary, and uses a hardcoded ID table.

What I am looking for is if someone has already written code to do appropriate SAF checks on OPERCMDS. I hate to re-invent the wheel, but will if necessary.

Dave Jousma
Assistant Vice President, Mainframe Engineering
david.jou...@53.com
1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H
p 616.653.8429 f 616.653.2717
Re: CA-Roscoe shops around?
Thanks. The exit is for the built-in Roscoe console interface, and the intention of the exit point is to allow or deny the command before Roscoe actually issues the command. So it really wouldn’t be a good idea to issue the command from the exit itself.

If the CONSOLE interface in Roscoe was (in my words) written correctly, it would issue the commands under the ACEE of the user to begin with and have no need to write such an exit. Unfortunately, Roscoe is a product of a bygone era, and pretty much functionally stabilized by the vendor.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Elardus Engelbrecht
Sent: Tuesday, March 11, 2014 10:26 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: CA-Roscoe shops around?

Jousma, David wrote:

> Thanks. I have plenty of examples of that. Not a problem. I appreciate that offer though. These will all be 3rd party calls.

Ok. That is Ok.

> To really complete a job that CA has not done, I am going to have to do a couple of SAF calls. Will need a call for OPERCMDS to validate authority to issue the command they want, and then for JES commands that affect JOB/STC/TSU do they also have authority through JESSPOOL facility to modify these jobs.

From what you explain, you need to set the ACEE of the exit to the user and then issue the JES command via say SVC34?

I don't think you need to check the JESSPOOL because JES2 will check the JESSPOOL anyways when receiving a command as long it gets the command with its correct id as issuer. The same goes for OPERCMDS, the system will call RACF too.

> All this would be much simpler, if the operator commands were being issued under the ACEE of the user, not the Roscoe region. Then there would be nothing to do in any exits

I believe there are samples on CBTTAPE where you can set your address space ACEE to something else with these: RACROUTE ENVIR=CREATE and RACROUTE ENVIR=DELETE. Of course the exit needs AC(1).

Groete / Greetings
Elardus Engelbrecht
Re: CA-Roscoe shops around?
Do you have TSO/ISPF and SDSF? Or CA Sysview? Or any other tool to use for sysprogs / operations so you can just leave Roscoe as is with read only console access to those you chose to let use the command at all?

Or you could just use CONSOLE under TSO, that isn't much worse than the Roscoe console command. If you are looking for something a bit more friendly, I have used this rexx exec from a redbook:

Extended MCS Console via ISPF

doc:
This is from Appendix G. of the following Red Book:
OS/390 MVS Multisystem Consoles Implementing MVS Sysplex Operations.
SG24-4626-00

download from the internet. either:
http://www.redbooks.ibm.com/redbooks
OR
ftp ftp.almaden.ibm.com
user: anonymous
password: your email address
cd redbooks/SG244646
get emcs.code

--
This is my personal setup, I don't recall if these are the names used or recommended in the Redbook

CLIST: CONS (invoking clist)
REXX: CNDS
ISPF COMMAND TABLE: CNDSCMDS
PANELS: USRCN USRCNS

--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
ITIL v3 Foundation Certified
mailto:m...@mzelden.com
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
Systems Programming expert at http://search390.techtarget.com/ateExperts/