Re: Which STEPLIB concatenation is not authorized?

[John Gateley]

Hi

I know it's a while since this discussion, but file 953 on the cbttape latest 
updates page has two possible solutions for this.

Assembler program LISTAPF uses the code from Mark Zelden's IPLINFO to get a 
list of APF authorised datasets
it then gets all datasets concatenated to STEPLIB and reports any which are not 
in the APF list. Then it
does the same for JOBLIB.

Alternatively, assembler program GETDSNAM acts as a rexx function and populates 
a stem variable containing all
datasets concatenated to a DDNAME so the checking could be done in a batch rexx 
program.

Regards
John

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Charles Mills]

You know what I am thinking of doing? Yes, it would be great to loop through 
all of the concatenations of STEPLIB and display the APF status of each. More 
time than I can justify at this moment. But what about the following? Wouldn't 
this solve the problem? A very simple program that would open a vanilla input 
DCB for SYSUT1, chain to the DEB and check the APF bit (DEBAPFIN?), and then 
issue a yay/nay WTO? A customer would have to copy the STEPLIB concatenations 
DD's one at a time into the SYSUT1 DD in a simple little jobstep, but that 
should be do-able. Advantage over a display command and IEHIBALL? If they 
copied it exactly as it was specified in STEPLIB then it would avoid all 
eyeball checks on the exact dataset name, multiple instances of a name on 
different VOLSERs, etc.

The source should be small enough to paste here, and I would do so if there is 
interest.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Ed Jaffe
Sent: Tuesday, November 22, 2016 6:23 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

On 11/22/2016 5:06 AM, Peter Relson wrote:
>
> What the system has, and could return (indeed does provide to the 
> CSVFETCH exit as of z/OS 2.2) is the UCB address and CCHH of the data 
> set. I don't claim to know exactly how, but you can get from that to the data 
> set name.
> An enhancement could be made to CSVQUERY/CSVINFO to provide that data.

I assume one would use the UCB address to get the volser, then process the VTOC 
using CVAFSEQ or similar to find which data set is located at that CCHH.

Hopefully, CVAFSEQ et al has no APF requirement. It would be an unfortunate 
catch-22 if only an authorized program could determine with certainty why it's 
not running authorized...

--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[John McKown]

On Tue, Nov 22, 2016 at 11:35 AM, Charles Mills  wrote:

> > And those for whom this too complicated: don't touch a z/OS system until
> you have covered the dummies course.
>
> I'll tell the support staff to start telling that to the POCs. I'm sure the
> sales team will be pleased.
>

​INSTALLATION INSTRUCTIONS:

1) Hire someone who can read and is not a complete idiot.
...​



>
> Charles
>
>

-- 
Heisenberg may have been here.

Unicode: http://xkcd.com/1726/

Maranatha! <><
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Charles Mills]

> And those for whom this too complicated: don't touch a z/OS system until
you have covered the dummies course.

I'll tell the support staff to start telling that to the POCs. I'm sure the
sales team will be pleased.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Vernooij, Kees (ITOPT1) - KLM
Sent: Tuesday, November 22, 2016 2:28 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

Altogether, to me this all seems a tremendous overkill for a problem that
occurs a few time per year somewhere in the world.
How many system programmers does it take to switch a lightbulb? How many to
check a steplib concatenation on 047 abends? 

Take your libraries and check them against D PROG,APF and you know what
you're looking for. 
And those for whom this too complicated: don't touch a z/OS system until you
have covered the dummies course.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Ed Jaffe]

On 11/22/2016 5:06 AM, Peter Relson wrote:


What the system has, and could return (indeed does provide to the CSVFETCH
exit as of z/OS 2.2) is the UCB address and CCHH of the data set. I don't
claim to know exactly how, but you can get from that to the data set name.
An enhancement could be made to CSVQUERY/CSVINFO to provide that data.


I assume one would use the UCB address to get the volser, then process 
the VTOC using CVAFSEQ or similar to find which data set is located at 
that CCHH.


Hopefully, CVAFSEQ et al has no APF requirement. It would be an 
unfortunate catch-22 if only an authorized program could determine with 
certainty why it's not running authorized...


--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Lizette Koehler]

Actually this can be in z/OS V2.1 with a PTF

APAR Identifier .. PI60831  Last Changed  16/07/04
  NEW FUNCTION
 
 
  Symptom .. NF NEW FUNCTION  Status ... CLOSED  UR1
  Severity ... 4  Date Closed . 16/06/13
  Component .. 566548802  Duplicate of 
  Reported Release . 790  Fixed Release  999
  Component Name SDSF PLUGIN  Special Notice
  Current Target Date ..16/06/30  Flags
  SCP ...
  Platform 
 
  Status Detail: SHIPMENT - Packaged solution is available for
shipment.
 
  PE PTF List:
 
  PTF List:
  Release 7A0   : UI38655 available 16/06/29 (F606 )
  Release 790   : UI38656 available 16/06/30 (F606 )

  * PROBLEM DESCRIPTION: New function to implement the APF, LNK, *
  *  LPA, PAG, PARM, and  SYS commands using *
  *  the z/OSMF SDSF plug-in.

Lizette



> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Vernooij, Kees (ITOPT1) - KLM
> Sent: Tuesday, November 22, 2016 6:58 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Which STEPLIB concatenation is not authorized?
> 
> I didn't know that one, but now I see I also have it in 2.1
> 
> Kees.
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Tom Marchant
> Sent: 22 November, 2016 14:53
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Which STEPLIB concatenation is not authorized?
> 
> On Tue, 22 Nov 2016 13:28:14 +, Vernooij, Kees wrote:
> 
> >Take your libraries and check them against D PROG,APF and you know what
> >you're looking for.
> 
> And if you are at z/OS 2.2, the APF command in SDSF is even easier, because
> the list is sorted by DSNAME.
> 
> --
> Tom Marchant
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Vernooij, Kees (ITOPT1) - KLM]

I didn't know that one, but now I see I also have it in 2.1

Kees.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tom Marchant
Sent: 22 November, 2016 14:53
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

On Tue, 22 Nov 2016 13:28:14 +, Vernooij, Kees wrote:

>Take your libraries and check them against D PROG,APF and you 
>know what you're looking for.

And if you are at z/OS 2.2, the APF command in SDSF is even 
easier, because the list is sorted by DSNAME.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

For information, services and offers, please visit our web site: 
http://www.klm.com. This e-mail and any attachment may contain confidential and 
privileged material intended for the addressee only. If you are not the 
addressee, you are notified that no part of the e-mail or any attachment may be 
disclosed, copied or distributed, and that any other action related to this 
e-mail or attachment is strictly prohibited, and may be unlawful. If you have 
received this e-mail by error, please notify the sender immediately by return 
e-mail, and delete this message. 

Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its 
employees shall not be liable for the incorrect or incomplete transmission of 
this e-mail or any attachments, nor responsible for any delay in receipt. 
Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch 
Airlines) is registered in Amstelveen, The Netherlands, with registered number 
33014286




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Tom Marchant]

On Tue, 22 Nov 2016 13:28:14 +, Vernooij, Kees wrote:

>Take your libraries and check them against D PROG,APF and you 
>know what you're looking for.

And if you are at z/OS 2.2, the APF command in SDSF is even 
easier, because the list is sorted by DSNAME.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Vernooij, Kees (ITOPT1) - KLM]

Altogether, to me this all seems a tremendous overkill for a problem that 
occurs a few time per year somewhere in the world.
How many system programmers does it take to switch a lightbulb? How many to 
check a steplib concatenation on 047 abends? 

Take your libraries and check them against D PROG,APF and you know what you're 
looking for. 
And those for whom this too complicated: don't touch a z/OS system until you 
have covered the dummies course.

Kees.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Peter Relson
Sent: 22 November, 2016 14:07
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?


IMHO, we need an enhancement to CSVQUERY/CSVINFO (as appropriate) to 
return the fully-qualified data set name and volume and/or HFS path from 
which a module was actually fetched. (If it came from VLF, that 
information would need to be preserved at the time the module is cached 
so it can be provided to CSV.)


I don't see this ever happening. The system does not keep that 
information. The extra cycles to determine that information cannot be 
justified at this time. The system also does not keep information about 
whether the fetch was satisfied from LPA, LNKLST, joblib, steplib, some 
tasklib or some user-specified DCB.

By the way, CSV never actually knows the full file system path name. It 
knows only when USS provides it (which is not necessarily the full name). 
CSVQUERY and CSVINFO *do* provide the file system path name to the 
invoker.


>However, it's not trivial to determine from where you were loaded. It
>could be STEPLIB/JOBLIB, it could be LPA, it could be LNKLST. 

It shouldn't be that hard if you know the member name. Create a DCB 
for STEPLIB and open it. If that works, do a BLDL on the member name 
and if that works, you've found the module. If the BLDL fails, it's not in 

STEPLIB and JOBLIB isn't used. If the open fails, try the same with 
JOBLIB.


It's not "hard" but it's not trivial either.

If you're running under the job, there's no reason to create a DCB for 
STEPLIB and open it, as the DCB already exists and is open. You could just 
do a BLDL yourself using the DCB pointed to by TCBJLB.

Ignoring the user-specified DCB case, the system search is, approximately:
Do for every task from this task repeating using TCBOTC up through the 
jobstep program task
  look for the member in the TCBJLB task if there is one
End Do
Look for the member in LPA
Look for the member in LNKLST

What the system has, and could return (indeed does provide to the CSVFETCH 
exit as of z/OS 2.2) is the UCB address and CCHH of the data set. I don't 
claim to know exactly how, but you can get from that to the data set name. 
An enhancement could be made to CSVQUERY/CSVINFO to provide that data.

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

For information, services and offers, please visit our web site: 
http://www.klm.com. This e-mail and any attachment may contain confidential and 
privileged material intended for the addressee only. If you are not the 
addressee, you are notified that no part of the e-mail or any attachment may be 
disclosed, copied or distributed, and that any other action related to this 
e-mail or attachment is strictly prohibited, and may be unlawful. If you have 
received this e-mail by error, please notify the sender immediately by return 
e-mail, and delete this message. 

Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its 
employees shall not be liable for the incorrect or incomplete transmission of 
this e-mail or any attachments, nor responsible for any delay in receipt. 
Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch 
Airlines) is registered in Amstelveen, The Netherlands, with registered number 
33014286



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Peter Relson]

IMHO, we need an enhancement to CSVQUERY/CSVINFO (as appropriate) to 
return the fully-qualified data set name and volume and/or HFS path from 
which a module was actually fetched. (If it came from VLF, that 
information would need to be preserved at the time the module is cached 
so it can be provided to CSV.)


I don't see this ever happening. The system does not keep that 
information. The extra cycles to determine that information cannot be 
justified at this time. The system also does not keep information about 
whether the fetch was satisfied from LPA, LNKLST, joblib, steplib, some 
tasklib or some user-specified DCB.

By the way, CSV never actually knows the full file system path name. It 
knows only when USS provides it (which is not necessarily the full name). 
CSVQUERY and CSVINFO *do* provide the file system path name to the 
invoker.


>However, it's not trivial to determine from where you were loaded. It
>could be STEPLIB/JOBLIB, it could be LPA, it could be LNKLST. 

It shouldn't be that hard if you know the member name. Create a DCB 
for STEPLIB and open it. If that works, do a BLDL on the member name 
and if that works, you've found the module. If the BLDL fails, it's not in 

STEPLIB and JOBLIB isn't used. If the open fails, try the same with 
JOBLIB.


It's not "hard" but it's not trivial either.

If you're running under the job, there's no reason to create a DCB for 
STEPLIB and open it, as the DCB already exists and is open. You could just 
do a BLDL yourself using the DCB pointed to by TCBJLB.

Ignoring the user-specified DCB case, the system search is, approximately:
Do for every task from this task repeating using TCBOTC up through the 
jobstep program task
  look for the member in the TCBJLB task if there is one
End Do
Look for the member in LPA
Look for the member in LNKLST

What the system has, and could return (indeed does provide to the CSVFETCH 
exit as of z/OS 2.2) is the UCB address and CCHH of the data set. I don't 
claim to know exactly how, but you can get from that to the data set name. 
An enhancement could be made to CSVQUERY/CSVINFO to provide that data.

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Tom Marchant]

On Mon, 21 Nov 2016 09:33:20 -0800, Ed Jaffe wrote:

>However, it's not trivial to determine from where you were loaded. It
>could be STEPLIB/JOBLIB, it could be LPA, it could be LNKLST. 

It shouldn't be that hard if you know the member name. Create a DCB 
for STEPLIB and open it. If that works, do a BLDL on the member name 
and if that works, you've found the module. If the BLDL fails, it's not in 
STEPLIB and JOBLIB isn't used. If the open fails, try the same with 
JOBLIB.

But for this purpose, I don't think it matters where the module came 
from. If there is a STEPLIB with a non-authorized data set, the step 
is not authorized. If there is no STEPLIB and there is a JOBLIB, all 
data sets in it must be authorized.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Ed Jaffe]

On 11/21/2016 8:27 AM, Charles Mills wrote:

Exactly. That is what I intend to do.

Charles

John McKown wrote:

THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME 
volser BEING ON THE STEPLIB/JOBLIB​. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT 
APF AUTHORIZED.
... or migrated or is not SMS, not cataloged, etc.


I love this idea!!!

However, it's not trivial to determine from where you were loaded. It 
could be STEPLIB/JOBLIB, it could be LPA, it could be LNKLST. CSVQUERY 
does have an ability to return a token that can, through some complex 
and circuitous logic, actually map back to a data set name or HFS path, 
but it's not easy and I have a nagging suspicion that at least part of 
that processing requires authorization.


IMHO, we need an enhancement to CSVQUERY/CSVINFO (as appropriate) to 
return the fully-qualified data set name and volume and/or HFS path from 
which a module was actually fetched. (If it came from VLF, that 
information would need to be preserved at the time the module is cached 
so it can be provided to CSV.)


Of course, there is an implied assumption here that you're invoking 
TESTAUTH from inside the program referenced by EXEC PGM=. If not, you 
would first need to determine which program name that is. (It's not 
difficult, but it is an extra step...)


--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Jesse 1 Robinson]

I believe that's the right approach. For now anyway. You have control. You can 
build a common routine that any APF product can call during initialization. If 
IBM ever comes up with a more general solution, you can revisit your solution. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Monday, November 21, 2016 8:27 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Which STEPLIB concatenation is not authorized?

Exactly. That is what I intend to do.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Elardus Engelbrecht
Sent: Monday, November 21, 2016 2:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

John McKown wrote:

>​But I can see where it would be _very_ nice if an application to do a 
>TESTAUTH to make sure that it is APF authorized. And, if not, then put out a 
>message similar to:

>THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME 
>volser BEING ON THE STEPLIB/JOBLIB​. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT 
>APF AUTHORIZED.

... or migrated or is not SMS, not cataloged, etc.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Jesse 1 Robinson]

One caveat. APF can be modified dynamically without updating PARMLIB. Not 
necessarily an error if it's the first try with a new application, although in 
practice it's a red flag.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Mike Schwab
Sent: Sunday, November 20, 2016 10:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Which STEPLIB concatenation is not authorized?

OK.  How about 2 REXX commands.
The first REXX command reads SYS*.PARMLIB members, parses out the DSN and 
Vol/SMS ignoring syntax errors, and checks each DSN for APF authorization.
The second REXX command read any JCL member, parses out the steplib DSNs and 
Volumes ignoring syntax errors, and checks each DSN for APR authorization.
This would be useful for any site or product that has z/OS APF libraries.

On Sun, Nov 20, 2016 at 11:25 AM, Clark Morris <cfmpub...@ns.sympatico.ca> 
wrote:
> [Default] On 20 Nov 2016 08:47:04 -0800, in bit.listserv.ibm-main 
> charl...@mcn.org (Charles Mills) wrote:
>
>>Thanks @Gil, I think you get where I am trying to go with this.
>>
>>It's not that I don't know how to use TESTAUTH or think TESTAUTH is 
>>giving me the wrong answer. But now what? We say "one or more of your 
>>datasets is apparently not authorized" and the customer says "WE TOLD 
>>YOU THEY ARE ALL AUTHORIZED!" Now what does the poor support tech do? 
>>Say "Issue a 'D PROG,APF' and check all the libraries -- it's not rocket 
>>surgery!"
>
> It seems like a generic module that chases the chains would be useful 
> to a number of vendors and even for Roll your own code.  I know that I 
> was enraged on earlier versions with the JCL message symbol not 
> defined in procedure mess and justified the effort to go to MVS SP
> 1.3.2 or 1.3.3 because that was the version.release.modification level 
> that had the change telling you which symbol wasn't defined in the 
> procedure.  In this case chasing down errant libraries when the 
> installing groups isn't responsible for setting up APF authorization 
> can be interesting.
>
> Clark Morris
>>
>>Would YOU buy a product from a vendor that talked to you like that?
>>
>>Charles
>>
>>-Original Message-
>>From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
>>On Behalf Of Paul Gilmartin
>>Sent: Sunday, November 20, 2016 1:21 AM
>>To: IBM-MAIN@LISTSERV.UA.EDU
>>Subject: Re: Which STEPLIB concatenation is not authorized?
>>
>>On 2016-11-19, at 15:32, Jesse 1 Robinson wrote:
>>>
>>> As complicated this may sound, APF can be determined/diagnosed by
>>inspection with relative ease. It's not rocket surgery.
>>>
>>Perhaps.  But it would be poor business practice for the OP to address 
>>his customer so tactlessly.  IBM ought to help its customers to help 
>>their customers.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Charles Mills]

Exactly. That is what I intend to do.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Elardus Engelbrecht
Sent: Monday, November 21, 2016 2:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

John McKown wrote:

>​But I can see where it would be _very_ nice if an application to do a 
>TESTAUTH to make sure that it is APF authorized. And, if not, then put out a 
>message similar to:

>THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME 
>volser BEING ON THE STEPLIB/JOBLIB​. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT 
>APF AUTHORIZED.

... or migrated or is not SMS, not cataloged, etc.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Vernooij, Kees (ITOPT1) - KLM]

Not only STEPLIB (and JOBLIB) but also any tasklib, which in fact can be any 
ddname.

And then the problem arises: when should the 'non-apf warming' be issued? You 
could have a ddname with a concatenation of loadlibraries, that are never going 
to be used to LOAD modules from, so the warning is useless and confusing.

Kees.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Elardus Engelbrecht
Sent: 21 November, 2016 14:58
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

John McKown wrote:

>​But I can see where it would be _very_ nice if an application to do a 
>TESTAUTH to make sure that it is APF authorized. And, if not, then put out a 
>message similar to:

>THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME 
>volser BEING ON THE STEPLIB/JOBLIB​. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT 
>APF AUTHORIZED.

... or migrated or is not SMS, not cataloged, etc.

It would be very nice if the issuer of IGD103I SMS ALLOCATED TO DDNAME STEPLIB 
can show above message.


Or yet better - take that list of datasets in that STEPLIB, feed it to 'APF 
Dataset Report' in 'RACF_SENSITIVE_RESOURCES' in Health Checker ...

... with this one little variation - the FULL lists (all entries in that 
STEPLIB) must be APFed. That is ALL or nothing!

H, ..ok, now drifting somewhat, but what about libraries in Linklist, 
but NOT APFed?

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

For information, services and offers, please visit our web site: 
http://www.klm.com. This e-mail and any attachment may contain confidential and 
privileged material intended for the addressee only. If you are not the 
addressee, you are notified that no part of the e-mail or any attachment may be 
disclosed, copied or distributed, and that any other action related to this 
e-mail or attachment is strictly prohibited, and may be unlawful. If you have 
received this e-mail by error, please notify the sender immediately by return 
e-mail, and delete this message. 

Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its 
employees shall not be liable for the incorrect or incomplete transmission of 
this e-mail or any attachments, nor responsible for any delay in receipt. 
Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch 
Airlines) is registered in Amstelveen, The Netherlands, with registered number 
33014286




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Elardus Engelbrecht]

John McKown wrote:

>​But I can see where it would be _very_ nice if an application to do a 
>TESTAUTH to make sure that it is APF authorized. And, if not, then put out a 
>message similar to:

>THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME 
>volser BEING ON THE STEPLIB/JOBLIB​. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT 
>APF AUTHORIZED.

... or migrated or is not SMS, not cataloged, etc.

It would be very nice if the issuer of IGD103I SMS ALLOCATED TO DDNAME STEPLIB 
can show above message.


Or yet better - take that list of datasets in that STEPLIB, feed it to 'APF 
Dataset Report' in 'RACF_SENSITIVE_RESOURCES' in Health Checker ...

... with this one little variation - the FULL lists (all entries in that 
STEPLIB) must be APFed. That is ALL or nothing!

H, ..ok, now drifting somewhat, but what about libraries in Linklist, 
but NOT APFed?

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[John McKown]

On Mon, Nov 21, 2016 at 7:21 AM, Charles Mills  wrote:

>
>
> YOU say it's all authorized. z/OS says it's not. Let's think who's
> probably right here.
>

​I agree, but I have a couple of friends who are / were in level 1​
support. You'd be amazed by stories of ignorance and mental denseness. I've
read comparable stories on "The Register" (http://www.theregister.co.uk). I
loved the one where the end-user apparently didn't know that the "on"
button for a PC was the same one as the "off" button. The one I remember
was from a certain frozen state which shall remain nameless where the
system's programmer reported that the product would immediately abend. He
had not linked the supplied object decks into a load library, but put the
data set containing the object decks in the STEPLIB. I guess he didn't read
the installation documentation (Top Secret was the product).

​But I can see where it would be _very_ nice if an application to do a
TESTAUTH to make sure that it is APF authorized. And, if not, then put out
a message similar to:

THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON
VOLUME volser BEING ON THE STEPLIB/JOBLIB​.
DSN=SOME.NONAPF.LIBRARY ON volser IS NOT APF AUTHORIZED.


-- 
Heisenberg may have been here.

Unicode: http://xkcd.com/1726/

Maranatha! <><
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Charles Mills]

YOU say it's all authorized. z/OS says it's not. Let's think who's probably 
right here.


CharlesSent from a mobile; please excuse the brevity

 Original message 
From: Peter Relson <rel...@us.ibm.com> 
Date: 11/21/16  2:12 PM  (GMT+01:00) 
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: Which STEPLIB concatenation is not authorized? 

>Would YOU buy a product from a vendor that talked to 
>you like that?

Maybe not. But why wouldn't helpful technical support say
"please issue DISPLAY PROG,APF and let me see the output so that I can 
help you figure out what is wrong?"
How do you think conversations go for just about anyone when customers 
report problems?  An early step is for the customer to make available the 
data that can help to diagnose the problem. (unless you're talking to a 
helpless desk that tells you to power off and power on, or uninstall and 
re-install).

And in the case at hand, what did the customer say if they had asserted 
that all the libraries were APF authorized and you found that there were 3 
in the concatenation that weren't? Maybe your technical support should 
offer to make a friendly wager with the customer about the state of things 
(because "apparently not authorized" is a wimpy -- but possibly necessary 
-- way of stating the fact "is not considered by the system to be 
APF-authorized").

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Peter Relson]

>Would YOU buy a product from a vendor that talked to 
>you like that?

Maybe not. But why wouldn't helpful technical support say
"please issue DISPLAY PROG,APF and let me see the output so that I can 
help you figure out what is wrong?"
How do you think conversations go for just about anyone when customers 
report problems?  An early step is for the customer to make available the 
data that can help to diagnose the problem. (unless you're talking to a 
helpless desk that tells you to power off and power on, or uninstall and 
re-install).

And in the case at hand, what did the customer say if they had asserted 
that all the libraries were APF authorized and you found that there were 3 
in the concatenation that weren't? Maybe your technical support should 
offer to make a friendly wager with the customer about the state of things 
(because "apparently not authorized" is a wimpy -- but possibly necessary 
-- way of stating the fact "is not considered by the system to be 
APF-authorized").

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Tom Marchant]

On Sun, 20 Nov 2016 13:41:20 -0600, Paul Gilmartin wrote:

>On Sun, 20 Nov 2016 17:01:43 +, Jesse 1 Robinson wrote:
>
>>the requirements for APF concatenation were invented to protect the customer
>> 
>The particular implementation protects the customer from nothing.

Of course it does. Your contention that it could be better is not evidence that 
the 
requirements for APF concatenation does not protect the customer is not 
accurate.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Paul Gilmartin]

On Sun, 20 Nov 2016 17:01:43 +, Jesse 1 Robinson wrote:

>I don't want to sound warlike--especially in today's political climate--but 
>vendors have always expected customers to diagnose their own APF problems. 
>'Tact' is often a matter of delivering uncomfortable news gently and 
>empathetically. As others have said, the requirements for APF concatenation 
>were invented to protect the customer, not to annoy or vex.
> 
The particular implementation protects the customer from nothing.
The convention of LINKLIST which determines APF status from the
individual data set rather than the ensemble as STEPLIB does
provides sufficient integrity protection and greater flexibility.
(But no better diagnostic information for Charles.)

Startool?  ISVs are understandably reluctant to require their customers
to purchase a fourth-party product.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Mike Schwab]

OK.  How about 2 REXX commands.
The first REXX command reads SYS*.PARMLIB members, parses out the DSN
and Vol/SMS ignoring syntax errors, and checks each DSN for APF
authorization.
The second REXX command read any JCL member, parses out the steplib
DSNs and Volumes ignoring syntax errors, and checks each DSN for APR
authorization.
This would be useful for any site or product that has z/OS APF libraries.

On Sun, Nov 20, 2016 at 11:25 AM, Clark Morris
<cfmpub...@ns.sympatico.ca> wrote:
> [Default] On 20 Nov 2016 08:47:04 -0800, in bit.listserv.ibm-main
> charl...@mcn.org (Charles Mills) wrote:
>
>>Thanks @Gil, I think you get where I am trying to go with this.
>>
>>It's not that I don't know how to use TESTAUTH or think TESTAUTH is giving
>>me the wrong answer. But now what? We say "one or more of your datasets is
>>apparently not authorized" and the customer says "WE TOLD YOU THEY ARE ALL
>>AUTHORIZED!" Now what does the poor support tech do? Say "Issue a 'D
>>PROG,APF' and check all the libraries -- it's not rocket surgery!"
>
> It seems like a generic module that chases the chains would be useful
> to a number of vendors and even for Roll your own code.  I know that I
> was enraged on earlier versions with the JCL message symbol not
> defined in procedure mess and justified the effort to go to MVS SP
> 1.3.2 or 1.3.3 because that was the version.release.modification level
> that had the change telling you which symbol wasn't defined in the
> procedure.  In this case chasing down errant libraries when the
> installing groups isn't responsible for setting up APF authorization
> can be interesting.
>
> Clark Morris
>>
>>Would YOU buy a product from a vendor that talked to you like that?
>>
>>Charles
>>
>>-Original Message-
>>From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
>>Behalf Of Paul Gilmartin
>>Sent: Sunday, November 20, 2016 1:21 AM
>>To: IBM-MAIN@LISTSERV.UA.EDU
>>Subject: Re: Which STEPLIB concatenation is not authorized?
>>
>>On 2016-11-19, at 15:32, Jesse 1 Robinson wrote:
>>>
>>> As complicated this may sound, APF can be determined/diagnosed by
>>inspection with relative ease. It's not rocket surgery.
>>>
>>Perhaps.  But it would be poor business practice for the OP to address his
>>customer so tactlessly.  IBM ought to help its customers to help their
>>customers.
>>
>>--
>>For IBM-MAIN subscribe / signoff / archive access instructions,
>>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Clark Morris]

[Default] On 20 Nov 2016 08:47:04 -0800, in bit.listserv.ibm-main
charl...@mcn.org (Charles Mills) wrote:

>Thanks @Gil, I think you get where I am trying to go with this.
>
>It's not that I don't know how to use TESTAUTH or think TESTAUTH is giving
>me the wrong answer. But now what? We say "one or more of your datasets is
>apparently not authorized" and the customer says "WE TOLD YOU THEY ARE ALL
>AUTHORIZED!" Now what does the poor support tech do? Say "Issue a 'D
>PROG,APF' and check all the libraries -- it's not rocket surgery!"

It seems like a generic module that chases the chains would be useful
to a number of vendors and even for Roll your own code.  I know that I
was enraged on earlier versions with the JCL message symbol not
defined in procedure mess and justified the effort to go to MVS SP
1.3.2 or 1.3.3 because that was the version.release.modification level
that had the change telling you which symbol wasn't defined in the
procedure.  In this case chasing down errant libraries when the
installing groups isn't responsible for setting up APF authorization
can be interesting.  

Clark Morris
>
>Would YOU buy a product from a vendor that talked to you like that?
>
>Charles
>
>-Original Message-
>From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
>Behalf Of Paul Gilmartin
>Sent: Sunday, November 20, 2016 1:21 AM
>To: IBM-MAIN@LISTSERV.UA.EDU
>Subject: Re: Which STEPLIB concatenation is not authorized?
>
>On 2016-11-19, at 15:32, Jesse 1 Robinson wrote:
>> 
>> As complicated this may sound, APF can be determined/diagnosed by
>inspection with relative ease. It's not rocket surgery.
>>  
>Perhaps.  But it would be poor business practice for the OP to address his
>customer so tactlessly.  IBM ought to help its customers to help their
>customers.
>
>--
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Jesse 1 Robinson]

I don't want to sound warlike--especially in today's political climate--but 
vendors have always expected customers to diagnose their own APF problems. 
'Tact' is often a matter of delivering uncomfortable news gently and 
empathetically. As others have said, the requirements for APF concatenation 
were invented to protect the customer, not to annoy or vex.

In short, all products we buy for mainframe come with the same caveat.  

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Sunday, November 20, 2016 8:47 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Which STEPLIB concatenation is not authorized?

Thanks @Gil, I think you get where I am trying to go with this.

It's not that I don't know how to use TESTAUTH or think TESTAUTH is giving me 
the wrong answer. But now what? We say "one or more of your datasets is 
apparently not authorized" and the customer says "WE TOLD YOU THEY ARE ALL 
AUTHORIZED!" Now what does the poor support tech do? Say "Issue a 'D PROG,APF' 
and check all the libraries -- it's not rocket surgery!"

Would YOU buy a product from a vendor that talked to you like that?

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Paul Gilmartin
Sent: Sunday, November 20, 2016 1:21 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

On 2016-11-19, at 15:32, Jesse 1 Robinson wrote:
> 
> As complicated this may sound, APF can be determined/diagnosed by
inspection with relative ease. It's not rocket surgery.
>  
Perhaps.  But it would be poor business practice for the OP to address his 
customer so tactlessly.  IBM ought to help its customers to help their 
customers.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Jesse 1 Robinson]

I can't speak for the CBT PDS Command, but StarTool shows APF directly and 
automatically without any need for OS commands. SYS1.LPALIB, for example, gives 
this message right at the top:

PDS224I This data set is APF authorized

This means of course that it's programmatically possible for an app to 
determine APF status given a specific library. The leap from there to 
displaying APF status at the OS level is greater than this customer cares to 
pay for. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Sunday, November 20, 2016 8:24 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Which STEPLIB concatenation is not authorized?

In the situation that triggered this discussion it was three datasets. Various 
vendor products and DB2 IIRC.

Charles
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tony Harminc
Sent: Sunday, November 20, 2016 1:46 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

On 18 November 2016 at 06:26, Charles Mills <charl...@mcn.org> wrote:
> As a software vendor, on new installs we often get customers saying 
> "your product puts out a message saying it is not authorized but we're 
> sure we authorized the library" and it is often a painful process 
> taking them through checking each concatenation.
[...]
It's been an interesting discussion. But may I ask why you are in the position 
of having your customers with a big pile of datasets in their STEPLIB 
concatenation for your product? Well, you didn't say it's a big pile, but if 
were one or two you surely wouldn't be asking...


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Charles Mills]

Thanks @Gil, I think you get where I am trying to go with this.

It's not that I don't know how to use TESTAUTH or think TESTAUTH is giving
me the wrong answer. But now what? We say "one or more of your datasets is
apparently not authorized" and the customer says "WE TOLD YOU THEY ARE ALL
AUTHORIZED!" Now what does the poor support tech do? Say "Issue a 'D
PROG,APF' and check all the libraries -- it's not rocket surgery!"

Would YOU buy a product from a vendor that talked to you like that?

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Paul Gilmartin
Sent: Sunday, November 20, 2016 1:21 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

On 2016-11-19, at 15:32, Jesse 1 Robinson wrote:
> 
> As complicated this may sound, APF can be determined/diagnosed by
inspection with relative ease. It's not rocket surgery.
>  
Perhaps.  But it would be poor business practice for the OP to address his
customer so tactlessly.  IBM ought to help its customers to help their
customers.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Charles Mills]

In the situation that triggered this discussion it was three datasets. Various 
vendor products and DB2 IIRC.

Charles
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tony Harminc
Sent: Sunday, November 20, 2016 1:46 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

On 18 November 2016 at 06:26, Charles Mills <charl...@mcn.org> wrote:
> As a software vendor, on new installs we often get customers saying 
> "your product puts out a message saying it is not authorized but we're 
> sure we authorized the library" and it is often a painful process 
> taking them through checking each concatenation.
[...]
It's been an interesting discussion. But may I ask why you are in the position 
of having your customers with a big pile of datasets in their STEPLIB 
concatenation for your product? Well, you didn't say it's a big pile, but if 
were one or two you surely wouldn't be asking...

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Peter Relson]

I'll accept that as almost true.  But BLDL (I assume LOAD uses 
that or something similar) needs to find the directories to
search.  I'm trying to RTRM and understand.  I guess it can
examine DEBAMLNG bytes in DEBEXTNM to find the first extent
of each catenand which must contain the directory.


BLDL uses the information in the DEB to determine which data sets' 
directories are to be checked.


But that's not enough to really identify the data set; only
unit and address.  Bummer.  The pain customers endure
because storage was so expensive a half-century ago that
32 bytes couldn't be spared for flags indicating which
extents belong to authorized data sets.


I believe that most would use RDJFCB to find the data set name(s) 
comprising a concatenation. The DEB can be traversed (not trivially, but 
not overly hard) to correlate.

I'm sure many on this list could write the sort of program/exec that would 
solve Charles' quandry, taking as input the JCL and using things like 
CSVAPF and IsItMgd.

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Paul Gilmartin]

On Sat, 19 Nov 2016 16:05:08 -0600, Paul Gilmartin wrote:
>
>Hmmm.  If I were to ALLOCATE a UNIX directory with DSORG=PS,
>RECFM-F,LRECL=256; could I read it as a PDS directory?
>
No.  And well documented; a limitation for strong technical reasons,
unlike some arbitrary limitations z/OS imposes.  But it has dismaying
consequences: it's probably a contributing factor to ISPF LM's inability
to process UNIX directories.

Researching this, I found instructions in Using Data Sets that cause
a JCL error.  RCF submitted.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Tony Harminc]

On 18 November 2016 at 06:26, Charles Mills  wrote:
> As a software vendor, on new installs we often get customers saying "your
> product puts out a message saying it is not authorized but we're sure we
> authorized the library" and it is often a painful process taking them
> through checking each concatenation.
[...]
It's been an interesting discussion. But may I ask why you are in the
position of having your customers with a big pile of datasets in their
STEPLIB concatenation for your product? Well, you didn't say it's a
big pile, but if were one or two you surely wouldn't be asking...

Tony H.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Paul Gilmartin]

On 2016-11-19, at 15:32, Jesse 1 Robinson wrote:
> 
> As complicated this may sound, APF can be determined/diagnosed by inspection 
> with relative ease. It's not rocket surgery.
>  
Perhaps.  But it would be poor business practice for the OP
to address his customer so tactlessly.  IBM ought to help
its customers to help their customers.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Jesse 1 Robinson]

APF is defined in SYS1.PARMLIB(PROGxx) according to the installation defined 
concatenation in IEASYSxx. The result of that concatenation determines the set 
of APF libraries unless modified after IPL by SETPROG APF. Entries in PROGxx 
are of two types:

APF ADD DSN(dsn-1)   SMS
APF ADD DSN(dsn-2)   VOL(volser)

If 'SMS' is coded, then the library can be located anywhere, but it must be SMS 
defined. There can only be one dsn-1 because SMS does not allow duplicates in a 
system. If VOL(volser) is coded, then the library must be located on that 
specific volume. There can be multiple entries for dsn-2; as long as one entry 
matches dsn-2 in STEPLIB, then it is APF; otherwise not. 

APF is not indicated anywhere in the intrinsic definition of a library. No bit 
in catalog nor in VTOC nor anywhere else outside of the list of APF libraries 
built and managed by z/OS. At any moment a library may or may not be APF 
according to the current list, which may have additions or deletions or 
(effectively) updates since that last time it was checked.

As complicated this may sound, APF can be determined/diagnosed by inspection 
with relative ease. It's not rocket surgery.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Paul Gilmartin
Sent: Saturday, November 19, 2016 2:05 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Which STEPLIB concatenation is not authorized?

On Sat, 19 Nov 2016 08:30:39 -0500, Peter Relson wrote:
>
>I assume that the subject of this thread should have been "Which data 
>set in the STEPLIB concatenation is not APF-authorized".
>
Me, too.  And if that information were available the adress space could remain 
authorized as long as modules were loaded only from authorized catenands, and 
the failure of authorization could report "which data set", at least by 
catenand ordinal.

>The DEB is build during OPEN. That processing examines the APF status 
>of every individual data set forming the concatenation. If any data set 
>is found that is not APF-authorized, then the DEB is marked as not APF 
>authorized (bit DEBAPFIN). (I think the bit is initialized "on" and 
>then simply turned off when a non-APF-authorized data set is found). By 
>the time "load" is being done, the information about an individual data 
>set is long gone.
>
I'll accept that as almost true.  But BLDL (I assume LOAD uses that or 
something similar) needs to find the directories to search.  I'm trying to RTRM 
and understand.  I guess it can examine DEBAMLNG bytes in DEBEXTNM to find the 
first extent of each catenand which must contain the directory.

But that's not enough to really identify the data set; only unit and address.  
Bummer.  The pain customers endure because storage was so expensive a 
half-century ago that
32 bytes couldn't be spared for flags indicating which extents belong to 
authorized data sets.

>CSVAPF is the programming interface for querying if an individual data 
>set is APF-authorized. To do it completely correctly,  you have to know 
>if the data set is SMS-managed.
>
I've seen the SMS dependency mentioned earlier in this thread.
Why?  is it that APF is indicated in the DSCB for non-SMS and elsewhere for SMS?

And I found nothing in the DEB about PDSE or UNIX files although BPAM now 
supports UNIX directories in mixed concatenations.  How are those represented?  
Major and minor device numbers?  It must be documented somewhere, even if only 
"The following N bytes are not GUPI."

Hmmm.  If I were to ALLOCATE a UNIX directory with DSORG=PS, RECFM-F,LRECL=256; 
could I read it as a PDS directory?

-- gil


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Paul Gilmartin]

On Sat, 19 Nov 2016 08:30:39 -0500, Peter Relson wrote:
>
>I assume that the subject of this thread should have been "Which data set 
>in the STEPLIB concatenation is not APF-authorized".
>
Me, too.  And if that information were available the adress space could
remain authorized as long as modules were loaded only from authorized
catenands, and the failure of authorization could report "which data set",
at least by catenand ordinal.

>The DEB is build during OPEN. That processing examines the APF status of 
>every individual data set forming the concatenation. If any data set is 
>found that is not APF-authorized, then the DEB is marked as not APF 
>authorized (bit DEBAPFIN). (I think the bit is initialized "on" and then 
>simply turned off when a non-APF-authorized data set is found). By the 
>time "load" is being done, the information about an individual data set is 
>long gone.
>
I'll accept that as almost true.  But BLDL (I assume LOAD uses 
that or something similar) needs to find the directories to
search.  I'm trying to RTRM and understand.  I guess it can
examine DEBAMLNG bytes in DEBEXTNM to find the first extent
of each catenand which must contain the directory.

But that's not enough to really identify the data set; only
unit and address.  Bummer.  The pain customers endure
because storage was so expensive a half-century ago that
32 bytes couldn't be spared for flags indicating which
extents belong to authorized data sets.

>CSVAPF is the programming interface for querying if an individual data set 
>is APF-authorized. To do it completely correctly,  you have to know if the 
>data set is SMS-managed.
>
I've seen the SMS dependency mentioned earlier in this thread.
Why?  is it that APF is indicated in the DSCB for non-SMS and
elsewhere for SMS?

And I found nothing in the DEB about PDSE or UNIX files although BPAM
now supports UNIX directories in mixed concatenations.  How are those
represented?  Major and minor device numbers?  It must be documented
somewhere, even if only "The following N bytes are not GUPI."

Hmmm.  If I were to ALLOCATE a UNIX directory with DSORG=PS,
RECFM-F,LRECL=256; could I read it as a PDS directory?

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Peter Relson]

>Thanks, but you might want to read my OP
>>There are various ways to check whether the current environment is APF 
authorized. 
>>For example, the TESTAUTH macro will give a return code to indicate 
>>APF or not. 

Charles, that response *was* an attempt to respond to a question of yours 
in your OP: "Even simpler question: is it possible for a program to check 
(only) its own
AC(1) bit?"

Checking a program's "AC(1)" bit is not usually overly relevant. Checking 
the resulting authorization of the jobstep is what is relevant, and 
TESTAUTH is the way to do that.

I assume that the subject of this thread should have been "Which data set 
in the STEPLIB concatenation is not APF-authorized".

The DEB is build during OPEN. That processing examines the APF status of 
every individual data set forming the concatenation. If any data set is 
found that is not APF-authorized, then the DEB is marked as not APF 
authorized (bit DEBAPFIN). (I think the bit is initialized "on" and then 
simply turned off when a non-APF-authorized data set is found). By the 
time "load" is being done, the information about an individual data set is 
long gone.

CSVAPF is the programming interface for querying if an individual data set 
is APF-authorized. To do it completely correctly,  you have to know if the 
data set is SMS-managed.

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Jesse 1 Robinson]

OK, I stand enlightened. A particular extent can be identified by unit address 
and from there back to volser. I abide by my previous post. I would rather see 
IBM work on more productive enhancements. Seriously, how long does it take to 
debug a broken APF environment? It happens rarely, and with any experience at 
all the cause is clear. An application can test for APF and put out a message 
telling the user to investigate. (Abending is shameful.) That should be good 
enough. 

Also note that if APF is broken, the app might be hard put to issue commands or 
chase control blocks. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Ed Jaffe
Sent: Friday, November 18, 2016 12:00 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Which STEPLIB concatenation is not authorized?

On 11/18/2016 9:43 AM, Jesse 1 Robinson wrote:
> The fundamental difficulty of displaying/presenting the concatenation 
> sequence goes to the heart of program fetch and DEB management in general. 
> The mapping for a concatenation consists of a series of track extents for 
> input I/O; VOLSER identity is not part of the map.

Not sure I agree with this. The DEB extent entry doesn't list the volser per se 
as a 6-byte character field, but it does have the 4-byte UCB address which is 
even better because with that you can find out not only volser but every else 
about the unit...

--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Ed Jaffe]

On 11/18/2016 9:43 AM, Jesse 1 Robinson wrote:

The fundamental difficulty of displaying/presenting the concatenation sequence 
goes to the heart of program fetch and DEB management in general. The mapping 
for a concatenation consists of a series of track extents for input I/O; VOLSER 
identity is not part of the map.


Not sure I agree with this. The DEB extent entry doesn't list the volser 
per se as a 6-byte character field, but it does have the 4-byte UCB 
address which is even better because with that you can find out not only 
volser but every else about the unit...


--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Paul Gilmartin]

On Fri, 18 Nov 2016 13:40:36 -0500, Jim Mulder  wrote:

>> So ... if our messages could readily say "not authorized -- check
>> STEPLIB(+2)"
>
>  So you would like OPEN, when it builds a DEB in which the 
>DEBAPFIN is off, to provide in some DEB extension the 
>concatenation number of some data set which it found to be not 
>APF Authorized.
>
>  That may be a reasonable thing to submit to DFSMS as a requirement 
>or request or whatever we call those things now. 
> 
Absolutely.  And more usefully, if such an indication existed, when a
module was loaded from a catenand not marked unauthorized it could
proceed with the address space authorized.

(I think it's called an RFE.)

"extension"?  Is there today no uncommitted bit in the DEB that could
be exploited for the purpose?

What does the DEB entry for a Program Object library catenand look
like?

Jesse Robinson cited insufficient information in the DEB as reason for
the limitation.  Such a clear understanding of tie cause is a large
initial step toward designing a solution.

Another ply (which I can't find) questioned the usefulness of mixing
APF/non-APF in STEPLIB.  By analogy, I understand that in bygone
days LINKLIST was all-or-nothing; no mixture.  Some customers
must have reported sufficient need for a mixed LINKLIST that IBM
relieved the restriction many releases ago.  Similar arguments apply
to STEPLIB.  More so with JCLLIB.  A user may choose not to undertake
the effort of maintaining authorized and unauthorized but otherwise
similar STEPLIB members for the respective purposes.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Jim Mulder]

> So ... if our messages could readily say "not authorized -- check
> STEPLIB(+2)"

  So you would like OPEN, when it builds a DEB in which the 
DEBAPFIN is off, to provide in some DEB extension the 
concatenation number of some data set which it found to be not 
APF Authorized.

  That may be a reasonable thing to submit to DFSMS as a requirement 
or request or whatever we call those things now. 

Jim Mulder z/OS Diagnosis, Design, Development, Test  IBM Corp. 
Poughkeepsie NY



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Charles Mills]

Thanks, but you might want to read my OP.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jesse 1 Robinson
Sent: Friday, November 18, 2016 6:44 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

There are various ways to check whether the current environment is APF 
authorized. For example, the TESTAUTH macro will give a return code to indicate 
APF or not. No abend, just yay or nay. Given how simple it is to issue D 
PROG,APF, I for one would object to an IBM project for returning detail info 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Walt Farrell]

On Fri, 18 Nov 2016 10:17:31 -0600, Paul Gilmartin  wrote:

>On Fri, 18 Nov 2016 07:21:20 -0600, Walt Farrell wrote:
>>
>>AC(1) is a setting in the directory entry for the load module, so all you 
>>would have to do is a BLDL and then look at the bit setting. However, unless 
>>the bit is off I'm not sure it helps you figure anything out.
>> 
>Naive question: What member name do you use as argument for the BLDL?
>In a different universe, I know it's argv(0).

What you might use depends in part on the environment you run in, how you're 
invoked, how accurate you want to be, and what scenarios you want to handle. 

-- 
Walt

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Leonardo Vaz]

Sorry to ask, but what do you mean by volume boundaries are no longer 
available? We have a process that goes from DEB to DSSB and then it copies both 
the dataset name at offset 24 and the volser at offset 256 of the DSSB.

Regards,
Leo

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jesse 1 Robinson
Sent: Friday, November 18, 2016 12:44 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

There are various ways to check whether the current environment is APF 
authorized. For example, the TESTAUTH macro will give a return code to indicate 
APF or not. No abend, just yay or nay. Given how simple it is to issue D 
PROG,APF, I for one would object to an IBM project for returning detail info to 
a running program. 

APF authorization does not come or go willy-nilly. Once a process is 
established in production, nothing should change. If something does change, it 
should not take long to figure out what. (Who and why is a whole nother can of 
worms.) 

Also note at AC(1) is not required for every APF program. Only the first 
program--PGM=xx--in a chain needs to be marked AC(1). IBM has always 
recommended that *only* the first program in a call chain be marked AC(1). The 
others should be AC(0). 

The fundamental difficulty of displaying/presenting the concatenation sequence 
goes to the heart of program fetch and DEB management in general. The mapping 
for a concatenation consists of a series of track extents for input I/O; VOLSER 
identity is not part of the map. The APF indication is set--or unset--as each 
library is opened. Once the DEB is built, volume boundaries are no longer 
available.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Friday, November 18, 2016 9:11 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Which STEPLIB concatenation is not authorized?

Thanks all ...

Various responses:

- I know AC(1) is not sufficient for authorization, but AC(0) is sufficient for 
a lack of authorization, so given my problem of "tell the customer everything 
that is wrong" it would be one thing you would want to tell the customer. (The 
least likely cause in my experience because they just install, they don't 
compose linkedit control cards.)

- Yes, authorized on some other volume or SMS/not is a real likely possibility 
but if I can just tell them STEPLIB(+2) is not authorized it would be a huge 
step forward.

- No, "check the libraries against the output from 'D PROG,APF'" is not the 
easiest way from within a program, and outside of a program is subject to 
eyeball faults.

- argv[0] is available in my universe

- Bin's answer is kind of what I feared. Possibly more complexity than I want 
to take on for what is not really a software problem.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tom Marchant
Sent: Friday, November 18, 2016 5:38 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

On Fri, 18 Nov 2016 14:26:38 +0200, Binyamin Dissen wrote:

>Use the normal services (SWAREQ, RDJFCB, etc.) to get the 
>DSNAMES/VOLSERs of the STEPLIB libraries, and then
>
>  CSVAPF REQUEST=QUERY


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Jesse 1 Robinson]

There are various ways to check whether the current environment is APF 
authorized. For example, the TESTAUTH macro will give a return code to indicate 
APF or not. No abend, just yay or nay. Given how simple it is to issue D 
PROG,APF, I for one would object to an IBM project for returning detail info to 
a running program. 

APF authorization does not come or go willy-nilly. Once a process is 
established in production, nothing should change. If something does change, it 
should not take long to figure out what. (Who and why is a whole nother can of 
worms.) 

Also note at AC(1) is not required for every APF program. Only the first 
program--PGM=xx--in a chain needs to be marked AC(1). IBM has always 
recommended that *only* the first program in a call chain be marked AC(1). The 
others should be AC(0). 

The fundamental difficulty of displaying/presenting the concatenation sequence 
goes to the heart of program fetch and DEB management in general. The mapping 
for a concatenation consists of a series of track extents for input I/O; VOLSER 
identity is not part of the map. The APF indication is set--or unset--as each 
library is opened. Once the DEB is built, volume boundaries are no longer 
available.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Friday, November 18, 2016 9:11 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Which STEPLIB concatenation is not authorized?

Thanks all ...

Various responses:

- I know AC(1) is not sufficient for authorization, but AC(0) is sufficient for 
a lack of authorization, so given my problem of "tell the customer everything 
that is wrong" it would be one thing you would want to tell the customer. (The 
least likely cause in my experience because they just install, they don't 
compose linkedit control cards.)

- Yes, authorized on some other volume or SMS/not is a real likely possibility 
but if I can just tell them STEPLIB(+2) is not authorized it would be a huge 
step forward.

- No, "check the libraries against the output from 'D PROG,APF'" is not the 
easiest way from within a program, and outside of a program is subject to 
eyeball faults.

- argv[0] is available in my universe

- Bin's answer is kind of what I feared. Possibly more complexity than I want 
to take on for what is not really a software problem.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tom Marchant
Sent: Friday, November 18, 2016 5:38 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

On Fri, 18 Nov 2016 14:26:38 +0200, Binyamin Dissen wrote:

>Use the normal services (SWAREQ, RDJFCB, etc.) to get the 
>DSNAMES/VOLSERs of the STEPLIB libraries, and then
>
>  CSVAPF REQUEST=QUERY


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Charles Mills]

Thanks all ...

Various responses:

- I know AC(1) is not sufficient for authorization, but AC(0) is sufficient for 
a lack of authorization, so given my problem of "tell the customer everything 
that is wrong" it would be one thing you would want to tell the customer. (The 
least likely cause in my experience because they just install, they don't 
compose linkedit control cards.)

- Yes, authorized on some other volume or SMS/not is a real likely possibility 
but if I can just tell them STEPLIB(+2) is not authorized it would be a huge 
step forward.

- No, "check the libraries against the output from 'D PROG,APF'" is not the 
easiest way from within a program, and outside of a program is subject to 
eyeball faults.

- argv[0] is available in my universe

- Bin's answer is kind of what I feared. Possibly more complexity than I want 
to take on for what is not really a software problem.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tom Marchant
Sent: Friday, November 18, 2016 5:38 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

On Fri, 18 Nov 2016 14:26:38 +0200, Binyamin Dissen wrote:

>Use the normal services (SWAREQ, RDJFCB, etc.) to get the 
>DSNAMES/VOLSERs of the STEPLIB libraries, and then
>
>  CSVAPF REQUEST=QUERY

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Tom Marchant]

On Fri, 18 Nov 2016 14:26:38 +0200, Binyamin Dissen wrote:

>Use the normal services (SWAREQ, RDJFCB, etc.) to get the DSNAMES/VOLSERs of
>the STEPLIB libraries, and then
>
>  CSVAPF REQUEST=QUERY
>
>on each one.

And if you find that the data set name is not APF authorized, you 
will want to report that  on  is not APF authorized. 
The same DSNAME may be authorized on a different volume. And 
don't forget the distinction for SMS managed volumes. Don't know how 
you'll determine that the volume is SMS managed.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Paul Gilmartin]

On Fri, 18 Nov 2016 07:21:20 -0600, Walt Farrell wrote:
>
>AC(1) is a setting in the directory entry for the load module, so all you 
>would have to do is a BLDL and then look at the bit setting. However, unless 
>the bit is off I'm not sure it helps you figure anything out.
> 
Naive question: What member name do you use as argument for the BLDL?
In a different universe, I know it's argv(0).

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Walt Farrell]

On Fri, 18 Nov 2016 13:24:01 +, Vernooij, Kees (ITOPT1) - KLM 
 wrote:

>Even so: the fact that AC(1) is on still does not mean that the library is APF 
>authorized and that the module will run authorized. 

Right. That's why I said I didn't think he could draw any conclusions unless 
the bit in the directory is _off_ :)

-- 
Walt

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Vernooij, Kees (ITOPT1) - KLM]

Even so: the fact that AC(1) is on still does not mean that the library is APF 
authorized and that the module will run authorized.

Kees.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Walt Farrell
Sent: 18 November, 2016 14:21
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

On Fri, 18 Nov 2016 12:26:41 +0100, Charles Mills <charl...@mcn.org> wrote:

>Even simpler question: is it possible for a program to check (only) its own
>AC(1) bit?"

I'm not sure I understand what you mean by "its own AC(1) bit". 

AC(1) is a setting in the directory entry for the load module, so all you would 
have to do is a BLDL and then look at the bit setting. However, unless the bit 
is off I'm not sure it helps you figure anything out.

-- 
Walt

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

For information, services and offers, please visit our web site: 
http://www.klm.com. This e-mail and any attachment may contain confidential and 
privileged material intended for the addressee only. If you are not the 
addressee, you are notified that no part of the e-mail or any attachment may be 
disclosed, copied or distributed, and that any other action related to this 
e-mail or attachment is strictly prohibited, and may be unlawful. If you have 
received this e-mail by error, please notify the sender immediately by return 
e-mail, and delete this message. 

Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its 
employees shall not be liable for the incorrect or incomplete transmission of 
this e-mail or any attachments, nor responsible for any delay in receipt. 
Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch 
Airlines) is registered in Amstelveen, The Netherlands, with registered number 
33014286




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Walt Farrell]

On Fri, 18 Nov 2016 12:26:41 +0100, Charles Mills  wrote:

>Even simpler question: is it possible for a program to check (only) its own
>AC(1) bit?"

I'm not sure I understand what you mean by "its own AC(1) bit". 

AC(1) is a setting in the directory entry for the load module, so all you would 
have to do is a BLDL and then look at the bit setting. However, unless the bit 
is off I'm not sure it helps you figure anything out.

-- 
Walt

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Vernooij, Kees (ITOPT1) - KLM]

Well, the 'easiest' way still seems to me: check the libraries against the 
output from 'D PROG,APF'.

Kees.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: 18 November, 2016 12:27
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Which STEPLIB concatenation is not authorized?

While we're discussing STEPLIB concatenations and APF authorization, is
there any fairly straightforward way for a running program to determine
"which STEPLIB concatenation[s] made me not APF-authorized?" (I suspect I
know the answer and it is No ...)

I totally get the reason APF-authorization and STEPLIB concatenation is the
way it is, and I am not arguing with that at all. Here's the problem.

As a software vendor, on new installs we often get customers saying "your
product puts out a message saying it is not authorized but we're sure we
authorized the library" and it is often a painful process taking them
through checking each concatenation. The dialog often turns argumentative
with the customer saying "WE TOLD YOU ALL THE LIBRARIES ARE AUTHORIZED" and
our support techs trying to explain that TESTAUTH says differently. Of
course it always turns out to be a typo or a bad volser or SMS versus not or
something like that. So far TESTAUTH has not been wrong once! 

So ... if our messages could readily say "not authorized -- check
STEPLIB(+2)" or "not authorized -- check SYS1.FOO.LOAD" it would be a big
help.

Even simpler question: is it possible for a program to check (only) its own
AC(1) bit?"

Again, I am looking for straightforward solutions. I'm not looking to
implement some huge library search process. I'm looking for something like a
bit in the DEB or something like that.

Charles 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

For information, services and offers, please visit our web site: 
http://www.klm.com. This e-mail and any attachment may contain confidential and 
privileged material intended for the addressee only. If you are not the 
addressee, you are notified that no part of the e-mail or any attachment may be 
disclosed, copied or distributed, and that any other action related to this 
e-mail or attachment is strictly prohibited, and may be unlawful. If you have 
received this e-mail by error, please notify the sender immediately by return 
e-mail, and delete this message. 

Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its 
employees shall not be liable for the incorrect or incomplete transmission of 
this e-mail or any attachments, nor responsible for any delay in receipt. 
Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch 
Airlines) is registered in Amstelveen, The Netherlands, with registered number 
33014286



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

[Binyamin Dissen]

Use the normal services (SWAREQ, RDJFCB, etc.) to get the DSNAMES/VOLSERs of
the STEPLIB libraries, and then

  CSVAPF REQUEST=QUERY

on each one.


The DEB applies to the entire DD statement.


On Fri, 18 Nov 2016 12:26:41 +0100 Charles Mills  wrote:

:>While we're discussing STEPLIB concatenations and APF authorization, is
:>there any fairly straightforward way for a running program to determine
:>"which STEPLIB concatenation[s] made me not APF-authorized?" (I suspect I
:>know the answer and it is No ...)
:>
:>I totally get the reason APF-authorization and STEPLIB concatenation is the
:>way it is, and I am not arguing with that at all. Here's the problem.
:>
:>As a software vendor, on new installs we often get customers saying "your
:>product puts out a message saying it is not authorized but we're sure we
:>authorized the library" and it is often a painful process taking them
:>through checking each concatenation. The dialog often turns argumentative
:>with the customer saying "WE TOLD YOU ALL THE LIBRARIES ARE AUTHORIZED" and
:>our support techs trying to explain that TESTAUTH says differently. Of
:>course it always turns out to be a typo or a bad volser or SMS versus not or
:>something like that. So far TESTAUTH has not been wrong once! 

:>So ... if our messages could readily say "not authorized -- check
:>STEPLIB(+2)" or "not authorized -- check SYS1.FOO.LOAD" it would be a big
:>help.

:>Even simpler question: is it possible for a program to check (only) its own
:>AC(1) bit?"

:>Again, I am looking for straightforward solutions. I'm not looking to
:>implement some huge library search process. I'm looking for something like a
:>bit in the DEB or something like that.

--
Binyamin Dissen 
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN