Re: Recataloging Linklist Datasets

2008-11-13 Thread Walt Farrell
allocated/OPENed the DB originally. And then things start failing when you get to step (c) because the wrong database (on the old volume) is used. I think that processing is what the documentation was trying to describe, for the non-reIPL case. --

Re: PDS Lock

2008-11-10 Thread Walt Farrell
-managed data set and catalog protection through the SAF interface. For more SAF information, see "System Authorization Facility" in z/OS MVS Programming: Assembler Services Guide and z/OS MVS Programming: Assembler Services Reference ABE-HSP. -- Walt Farrell, CISSP IBM STSM, z/OS Sec

Re: how to write sysrexx

2008-11-07 Thread Walt Farrell
On Fri, 7 Nov 2008 17:34:03 +0800, Tommy Tsui <[EMAIL PROTECTED]> wrote: >I checked the result, it only can show up the first 4 lines statement, >INIT(1), even the AXRCMD run successfully. I also try "/DI(1-2)", the >result is also 4. > >CMDRESULT=AXRCMD('/DI(1-2)','OUTPUTVAR.',100); > SAY OUTPUTV

Re: Best way to force jobs to a specific LPAR

2008-10-31 Thread Walt Farrell
ID(*) ACCESS(READ) WHEN(SYSID(smf-id)) If the program runs on a system you have not specified then it will abend with an S306 abend. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design -- For IBM-MAIN subscribe / sign

Re: Authentication (was: TN3270 for iPhone)

2008-10-27 Thread Walt Farrell
int out, though, that for TN3270 access (e.g., to CICS, IMS, TSO, etc.) you don't need to use passwords. You could use digital certificates instead. And if you really want to use Secure ID cards I think you'll find other vendors who provide that support on z/OS, so it's available,

Re: ICH409I 283-054 ABEND DURING FRACINIT PROCESSING

2008-10-26 Thread Walt Farrell
On Fri, 24 Oct 2008 17:43:08 -0400, Hrycewicz, David <[EMAIL PROTECTED]> wrote: >To clarify Walt's post, CA's mainframe security solutions do perform >appropriate security checking and ensure that the identity issuing the >command is authorized to execute that command on the system that it was >ro

Re: ICH409I 283-054 ABEND DURING FRACINIT PROCESSING

2008-10-24 Thread Walt Farrell
g for commands routed from a RACF system to an ACF2 or TopSecret system, or simply being ignored. To do that, you need to try a command that should fail for security reasons, not one that should work. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design ---

Re: ICH409I 283-054 ABEND DURING FRACINIT PROCESSING

2008-10-24 Thread Walt Farrell
ysplex hangs during error recovery command processing, at least when routing between systems with compatible security products, but at the cost of some command routing issues as we've discussed in this thread. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design ---

Re: ICH409I 283-054 ABEND DURING FRACINIT PROCESSING

2008-10-24 Thread Walt Farrell
I/O, then the request should fail. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO S

Re: ICH409I 283-054 ABEND DURING FRACINIT PROCESSING

2008-10-23 Thread Walt Farrell
On Thu, 23 Oct 2008 13:51:38 -0400, Scott Rowe <[EMAIL PROTECTED]> wrote: >http://preview.tinyurl.com/6g6dqa > >Looks pretty clear to me, right there in the Admin Guide. Thanks for finding that, Scott. -- Walt Farrell, CISSP IBM STSM, z/OS

Re: ICH409I 283-054 ABEND DURING FRACINIT PROCESSING

2008-10-23 Thread Walt Farrell
; are as compatible with RACF's as Top Secret's are. And for some customers, with highly centralized security administration, (2) may not be much of a problem. But with less centralized administration it may be more of a problem. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design --

Re: ICH409I 283-054 ABEND DURING FRACINIT PROCESSING

2008-10-23 Thread Walt Farrell
ands work" but I've never known if anyone has confirmed that there's any security processing happening at all on the receiving system when the security product isn't RACF. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design -

Re: ICH409I 283-054 ABEND DURING FRACINIT PROCESSING

2008-10-23 Thread Walt Farrell
happening. Is this z/OS or security related? Routing operator commands within a sysplex from a system running a different security product, to a system running RACF, when you're using the OPERCMDS class, is not supported. See APAR OW34880 for a bit more info.

Re: OUTPUT JESDS= statement

2008-10-20 Thread Walt Farrell
On Mon, 20 Oct 2008 09:17:19 -0500, Chase, John <[EMAIL PROTECTED]> wrote: >Like presumably most shops, we've configured JOBCLASS STC to send the >joblog, et al to the bit bucket. Now wanting to retain the joblog for >CICS regions, I've added an //OUT1 OUTPUT JESDS=ALL statement to the >started j

Re: How to insert records using EXECIO

2008-10-16 Thread Walt Farrell
he variables after that new data. However, if an error occurs before you finish the writing then you will have lost the data in your file. -- Walt Farrell

Re: PDS Lock

2008-10-07 Thread Walt Farrell
data sets; and (b) data sets protected by (really, known to) RACF. Actually both (a) and (b) apply regardless of security product, as far as I know. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: getting the mainframe id in a cobol program

2008-09-23 Thread Walt Farrell
ogram" is too imprecise as a description. Where the program runs is perhaps more important to the original question. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: getting the mainframe id in a cobol program

2008-09-23 Thread Walt Farrell
of information required for a complete answer. Where does that COBOL program run? Batch? CICS? IMS? Elsewhere? In particular, for CICS or IMS the required techniques differ from those for batch. -- Walt Farrell, CISSP IBM STSM, z/OS

Re: OT: Stretch article

2008-09-17 Thread Walt Farrell
On Wed, 17 Sep 2008 09:30:08 EDT, IBM Mainframe Discussion List <[EMAIL PROTECTED]> wrote: > > >From the article on Stretch: >"[Stretch] ... could perform 100 billion computations a day and handle half >a million instructions per second." > >There are 86400 seconds in one day. Half a million inst

Re: Looping through SPQA/DQE's

2008-09-16 Thread Walt Farrell
On Tue, 16 Sep 2008 21:01:44 +0200, Lindy Mayfield <[EMAIL PROTECTED]> wrote: >Wayne suggested to get DQENEXT and then compare that to the first one on >the queue (ie SPQAFADQ). This works sometimes, but sometimes after >making a round, in between the first DQE and the last DQE there is the >SPQA

Re: z/OS 1.7 FTP RDW option for VB files (fwd)

2008-09-12 Thread Walt Farrell
On Fri, 12 Sep 2008 11:04:12 -0500, Paul Ip <[EMAIL PROTECTED]> wrote: >So I think it is different from what FTP does with RDW: (where = length >of Data + 4) >x''+Data It's not merely different from "what FTP does with RDW" but from what z/OS does with RDW. I doubt that FTP is putti

Re: ISFP default intrdr assignments

2008-09-12 Thread Walt Farrell
On Thu, 11 Sep 2008 14:18:47 -0500, Anton Britz <[EMAIL PROTECTED]> wrote: > >How can I change the default INTRDR assignments for ISPF to > >//? DD sysout=(A,INTRDR),DEST=DUMMY > >Summary: I want to change the default print location of all jobs to DUMMY >without inserting a route print c

Re: Name/tokens

2008-09-09 Thread Walt Farrell
eneral snipe at IBM (which, after all, does happen on this list with some regularity when the topic of interface vs non-interface comes up) rather than something related to the OP's question about scanning defined name/token pairs. My apologies. -- Walt Farre

Re: KEY 8 CSA Usage

2008-09-09 Thread Walt Farrell
On Tue, 9 Sep 2008 12:51:51 -0400, Petersen, Jim <[EMAIL PROTECTED]> wrote: >My point is that if I accidently mention it to the auditors that it is a >security exposure, we might get written up and it might be found that we >can't run the shop without the CSMAGENT. Normally, you don't tell the >a

Re: Name/tokens

2008-09-09 Thread Walt Farrell
On Tue, 9 Sep 2008 09:57:41 -0700, Edward Jaffe <[EMAIL PROTECTED]> wrote: >Walt Farrell wrote: >> But note that ECVTNTTP is not an intended programming interface, and you use >> it at your own risk. >> > >IBM never provided an "intended" interface. :-

Re: Name/tokens

2008-09-09 Thread Walt Farrell
On Tue, 9 Sep 2008 09:04:03 -0500, Rolf Ernst <[EMAIL PROTECTED]> wrote: >Ooops, > > >just answered my own question. It's a pointer off the ECVT. Sorry. > But note that ECVTNTTP is not an intended programming interface, and you use it at your own risk. -- Walt Fa

Re: zOS R10

2008-09-09 Thread Walt Farrell
On Mon, 8 Sep 2008 21:40:41 -0400, Knutson, Sam <[EMAIL PROTECTED]> wrote: >There is an explanation in the 1.10 Information Roadmap that holds out >hope. We will have to wait and see what the new web format looks like. >I do hope you can download the whole lot as a set of PDFs or zipped web >pages

Re: BPXWDYN relative GDG reference error

2008-09-09 Thread Walt Farrell
On Mon, 8 Sep 2008 15:54:33 -0500, Kirk Wolf <[EMAIL PROTECTED]> wrote: >It's weird. Some GDGs work fine and others fail with this error. > Are you sure that, in the failing cases, that the (0) generation actually exists? In other words, perhaps no GDS entries exist for that particular GDG, and

Re: XML install questions.

2008-08-28 Thread Walt Farrell
On Wed, 27 Aug 2008 16:52:30 -0400, Howard Rifkind <[EMAIL PROTECTED]> wrote: >Anyone out there familiar with the installation of the XML 1.9 >product might be able to help me out with this. > >My manager wants this product installed in its own CSI. As far as I know it's not a separate pro

Re: CICS Issue

2008-08-28 Thread Walt Farrell
On Thu, 28 Aug 2008 16:05:19 +0100, Jacky Bright <[EMAIL PROTECTED]> wrote: >Yes actually we are facing performance issue. There was suggestion to >configure CICS in such a way that CICS transactions will be utilising the >both processor capacity instead of just one. You can't simply "configure C

Re: Find out allocations of current MSTJCL

2008-08-25 Thread Walt Farrell
runs IEEMB860, and IEEMB860 gets the property ND or NODSI from the PPT. With NODSI, allocation drops the SYSDSN ENQ after allocating the DD, so it won't affect subsequent allocation processing. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: Why don't I see my CSA storage in the dump?

2008-08-25 Thread Walt Farrell
On Sun, 24 Aug 2008 20:08:26 +0200, Lindy Mayfield <[EMAIL PROTECTED]> wrote: >That's exactly what I want to do. Problem is that there are some basic >concepts that aren't covered so even though I've read those chapters a >few times over, I don't get out of them what I should. I think the basics

Re: Trying to figure out IEAMSCHD

2008-08-23 Thread Walt Farrell
On Sat, 23 Aug 2008 19:02:21 +0200, Lindy Mayfield <[EMAIL PROTECTED]> wrote: >It appears, unfortunately, that WTO isn't allowed. Strange. The standard form of WTO uses an SVC, and SVCs (except for ABEND) do not work in SRB mode. If you want a WTO you'll need to use the branch-entry form (LINKAG

Re: Fwd: DB2 V8 stop command security

2008-08-21 Thread Walt Farrell
S commands such as MODIFY when directed against an address space that does not exist. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: z/OS Features of interest

2008-08-19 Thread Walt Farrell
y. Note that in z/OS R10 a number of z/OS UNIX functions and some other z/OS components also support the use of password phrases. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: DASD Space Allocation

2008-08-15 Thread Walt Farrell
On Fri, 15 Aug 2008 09:07:52 -0400, William F Besnier <[EMAIL PROTECTED]> wrote: >I'm not explaining my concerns correctly. My concern is not the number of >extents used; it is the space allocated, the JCL space parameter is asking >for 2500,100 cylinders of space for a total 4000 cylinders. What

Re: APF authorization question

2008-08-13 Thread Walt Farrell
t for the DSNUTILB step. He could: (a) remove the JOBLIB, possibly replacing it for other steps in the job with STEPLIB DD statements. Or (b) override the JOBLIB for the DSNUTILB step by providing that step with an APF-authorized STEPLIB. -- Walt Farrell, CISSP IB

Re: APF authorization question

2008-08-13 Thread Walt Farrell
messages as we've suggested, such as IEF188I PROBLEM PROGRAM ATTRIBUTES ASSIGNED See http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/iea2m881/2.101?SHELF=EZ2MZ900.bks&DT=20080124114103 or http://preview.tinyurl.com/5bzgpr -- Walt Farrell, CISSP IBM

Re: APF authorization question

2008-08-13 Thread Walt Farrell
ification in the PPT when you have a non-APF-authorized JOBLIB or STEPLIB. So, DSNUTILB probably ran APF-authorized, but as it was in key 8 not key 7 DB2 complained. This kind of error (using a non-authorized JOBLIB/STEPLIB) could happen for any program with selected PPT properties. You should f

Re: APF authorization question

2008-08-13 Thread Walt Farrell
PF authorization when you pull a module from the linklist. But authorization is a complex topic. Showing us your JCL and the invocation of DSNUTILB may shed some light on the issue. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design -

Re: Accessing the IBM-MAIN Archives

2008-08-11 Thread Walt Farrell
On Mon, 11 Aug 2008 09:40:05 -0700, Howard Rifkind <[EMAIL PROTECTED]> wrote: >I'm trying to access the lists archives and it states that my user email address isn't the same as were it states it is. > >All messages to the list are sent from and received from this email address. > >I've even chang

Re: Urgent reply needed

2008-08-08 Thread Walt Farrell
e). If it had relevance for security the book would say so (as it does for NOPASS). By the way, for future reference: it will help everyone (you, included) if you provide a meaningful subject line that actually relates to the content of the question. -- Walt Farrel

Re: Compiled Rexx portabilty

2008-08-08 Thread Walt Farrell
On Fri, 8 Aug 2008 08:22:20 -0500, Paul Gilmartin <[EMAIL PROTECTED]> wrote: >On Fri, 8 Aug 2008 07:22:00 -0500, Walt Farrell wrote: >> >> http://www-03.ibm.com/systems/z/os/zos/bkserv/v1r10books.html >> >Thanks. By habit, I had tried z/OS 1.7. The manual doe

Re: Compiled Rexx portabilty

2008-08-08 Thread Walt Farrell
On Thu, 7 Aug 2008 19:08:12 -0500, Paul Gilmartin <[EMAIL PROTECTED]> wrote: >> http://publibz.boulder.ibm.com/cgi-bin/bookmgr/BOOKS/h1981605/1.3.1.5?DT=20030825101721 >> >Thanks; How'd you find this link? I can follow it easily enough, >but it doesn't turn up in any shelf indexes on publibz that

Re: Compiled Rexx portabilty

2008-08-07 Thread Walt Farrell
On Thu, 7 Aug 2008 12:34:46 -0400, Dave Salt <[EMAIL PROTECTED]> wrote: >If you want compiled REXX to be portable (in other words, you want the REXX to be executable at sites that don't have the REXX 'library' installed), then you *must* use the SLINE option (as well as the ALT option). This means

Re: Compiled Rexx portabilty

2008-08-07 Thread Walt Farrell
On Thu, 7 Aug 2008 12:47:35 +0200, Itschak Mugzach <[EMAIL PROTECTED]> wrote: >Does compiled Rexx need a run-time library to operate? Yes. > If so, will static bind solve this requirement? No, however you could (as another member noted) ship the free alternate library with your compiled REXX e

Re: NOMAIL Option in TSO/E

2008-08-05 Thread Walt Farrell
t TSOE does not externalize it via ACCOUNT and RACF does not externalize it via LISTUSER. In the TSO segment, the flags exist in the TOPTION field, but I don't know what bit settings TSO/E uses for them; RACF merely holds the data for TSO/E to use. -- Walt Farrell,

Re: z/OS BIND9 DNS Vulnerable to Cache Poisoning Attack Problem?

2008-08-05 Thread Walt Farrell
ecord submission or the 1-800-IBM-SERV (1-800-426-7378) support line, for information pertaining to any z/OS Communications Server security concerns or issues. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: secure ftp on the mainframe

2008-07-29 Thread Walt Farrell
On Tue, 29 Jul 2008 11:22:16 -0500, Hal Merritt <[EMAIL PROTECTED]> wrote: >I was referring to the sftp that Walt mentioned. My take was that it was >neither TLS nor SSH. > >"SFTP is not FTP at all. It is a secure, FTP-like communication >protocol." Perhaps you didn't see the next sentence of th

Re: secure ftp on the mainframe

2008-07-24 Thread Walt Farrell
ally stated that in this thread, so I thought I'd mention it. Others have discussed additional details that I don't need to repeat. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: secure ftp on the mainframe

2008-07-24 Thread Walt Farrell
in some other type of "secure ftp", but I can't remember >any details. The IBM Ported Tools for z/OS provides a free, and as far as I know supported, implementation of OpenSSH for z/OS. That will give sftp support, and other ssh functionality. -- Walt Farrell, CI

Re: MQ security

2008-07-15 Thread Walt Farrell
showing "GLOBAL=YES RACLISTED" classes. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: LOOKAT ICH408I

2008-07-11 Thread Walt Farrell
On Wed, 9 Jul 2008 07:41:05 -0500, Paul [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: >Just for instructional purposes, I wrote a job step using an undefined >HLQ that failed with: > > ICH408I ... > INSUFFICIENT ACCESS AUTHORITY > FROM CATALOG.**.MASTER (G) > >... and tried LOOKAT ICH408I. >...

Re: want to read a dataset in use

2008-07-03 Thread Walt Farrell
On Thu, 3 Jul 2008 09:23:31 -0400, Jack Kelly <[EMAIL PROTECTED]> wrote: >I don't understand, if you can rename the dataset in a second step, why >you can't browse it after the first step. I just ran a test and created a >dsn, with catalog as the disposition, and a second 'wait' step. I could >rea

Re: Off-the-wall Auditor Requests ... divergent to Security DB controls

2008-05-22 Thread Walt Farrell
an easy prevention step.. oh and things like >keep APF authorization down to a controlled level. > >We do exist on a platform with good controls.. however it does require >that we use them. Precisely the main point Ray

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-22 Thread Walt Farrell
On Thu, 22 May 2008 11:46:18 -0500, Walt Farrell <[EMAIL PROTECTED]> wrote: >On Thu, 22 May 2008 09:17:34 -0500, Dave Cartwright ><[EMAIL PROTECTED]> wrote: >>...snipped... >>I'm now wondering if this is an urban myth. At the GSE LSWG meeting last >>

Re: Off-the-wall Auditor Requests (was RE: Hardware Alerts)

2008-05-22 Thread Walt Farrell
urse: (a) machines are getting faster, and the work can perhaps be split across many machines. (b) overly restrictive password rules can reduce the amount of work. Note, though, that this kind of attack requires either the ability to run an APF-authorized program on the system, or physical access to a

Re: Another Generalized Resource question

2008-05-21 Thread Walt Farrell
this with the >RACF-List folks? One comment: Enhanced Generics are irrelevant here. That option applies only to DATASET profiles, and has no effect on the characters you can use in general resource profiles. For general resource you can always use either * or **, depending on what you wan

Re: Racroute and cross memory question

2008-05-16 Thread Walt Farrell
the approach of scheduling an IRB back to the in-flight TCB could also work, I think, but feels more complex and fragile. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: SMS PUZZLE

2008-05-01 Thread Walt Farrell
tor can delegate all the DFP segment authority to the storage administrators. Then you have the flexibility of using the DFP segments for the simple cases, but using ACS routines for more complex cases. Of course, then the storage administrators need to learn a little about RACF. -- Walt Farre

Re: Using IKJCT441 with CALL *(module) from Rexx

2008-05-01 Thread Walt Farrell
On Thu, 1 May 2008 20:25:06 +0300, Binyamin Dissen <[EMAIL PROTECTED]> wrote: >This would be poor design. > >Allow the user to specify a parm as to how he wants this done. Perhaps he >wishes to use files under TSO. > I agree this is better done via some kind of parameter, Binyamin. In addition,

Re: Supported Documentation

2008-04-29 Thread Walt Farrell
On Tue, 29 Apr 2008 11:58:24 -0500, Paul Gilmartin <[EMAIL PROTECTED]> wrote: >On Tue, 29 Apr 2008 11:14:18 -0500, Walt Farrell wrote: > >>On Tue, 29 Apr 2008 09:12:53 -0500, Martin Kline wrote: >> >>> They tell me they will put in an untrackable request to update

Re: Supported Documentation

2008-04-29 Thread Walt Farrell
in reader's comments) and then you have something track. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: Authorized Rexx Assembler Function

2008-04-28 Thread Walt Farrell
des a more external way of using IKJEFTSR, by the way, as it will get control under the covers to invoke the program. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: Catalog Search Interface (IGGCSI00) & ALTER Access

2008-04-21 Thread Walt Farrell
tion may be returned. Catalog processing has always worked that way, as far as I know, and it's the main reason that using WARNING on a RACF profile protecting a catalog gives results that most customers do not like. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: how to audit the usage of IND$FILE

2008-04-17 Thread Walt Farrell
re exists because you gave the user READ access to the data. Having that, there's little you can do to prevent him from copying it somewhere. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: IRREVX01 strangeness

2008-04-16 Thread Walt Farrell
last, as the operand (e.g., "*)" ) will follow it. Assuming your earlier versions looked for FILTER(*) at the end, that would have worked. Or looking for FILTER(SI1*) at the end would have worked. But not looking for FILTER( at the end. -- Walt Farrell, CISSP IBM STSM, z/OS Se

Re: Authorized Rexx Assembler Function

2008-04-15 Thread Walt Farrell
On Mon, 14 Apr 2008 10:44:31 -0400, Gerhard Postpischil <[EMAIL PROTECTED]> wrote: >Walt Farrell wrote: >> That would allow an authorized program to load a module from an otherwise >> unauthorized STEPLIB. It won't let you actually start running something as >> A

Re: Authorized Rexx Assembler Function

2008-04-14 Thread Walt Farrell
as APF authorized, though. Getting something to start running authorized requires use of a function like IKJEFTSR, or TESTAUTH. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: Encrypted Tapes and DR <[EMAIL PROTECTED]>

2008-04-11 Thread Walt Farrell
too, Russell. And yes, you can activate a new RACF DB without an IPL, but only if it has the same dsname as the one you're already running. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: Installers (Was: IBM announcements)

2008-04-11 Thread Walt Farrell
On Thu, 10 Apr 2008 22:28:12 -0300, Clark Morris <[EMAIL PROTECTED]> wrote: >On 10 Apr 2008 16:26:17 -0700, in bit.listserv.ibm-main you wrote: > > >>In October 2000, a man I greatly admire and respect kindly wrote: >>http://bama.ua.edu/cgi-bin/wa?A2=ind0010&L=ibm-main-archives&P=R3449&I=1. >> >>O

Re: IBM announcements

2008-04-08 Thread Walt Farrell
? > That's what the announcement says. And that's how I understand it to work. -- Walt Farrell

Re: IBM announcements

2008-04-08 Thread Walt Farrell
lect system-level, no-charge applications, and helps reduce the cost and skills needed to install and run those applications. -- Walt Farrell

Re: Sort order for Generic processing

2008-04-08 Thread Walt Farrell
On Tue, 8 Apr 2008 13:04:04 -0500, Rick Fochtman <[EMAIL PROTECTED]> wrote: >Apologies for my inaccuracies. The last time I even LOOKED at this was >RACF 1.4, so it's been a while. Forgive me for my confusion in the >details. But I think the general idea will be helpful to the OP. I certainly agr

Re: Sort order for Generic processing

2008-04-08 Thread Walt Farrell
' and for * we often use x'FC'. There are some subtle fine points that can change those values a little, but he probably doesn't need to worry about them. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: Import Connect:Direct self-signed certificate into RACF?

2008-03-25 Thread Walt Farrell
s I know It's more likely a personal or server certificate. A CA certificate is one you use to generate other certificates, not one that you use to connect to a server. You're probably better off asking on RACF-L rather than IBM-MAIN, where you'll find more of IBM's experts

Re: Can forked/spawned address spaces be identified as such?

2008-03-21 Thread Walt Farrell
king decisions. While running it can make a temporary change to a different UID. That UID becomes its new effective UID, and is used for UNIX purposes until the process switches back to its real UID. By the way, I suggest using the MVS-OE mailing list rather than IBM-MAIN if you have deta

Re: Can I know programmatically if a load module has been zapped?

2008-03-18 Thread Walt Farrell
On Wed, 19 Mar 2008 07:08:21 +1000, Shane <[EMAIL PROTECTED]> wrote: >And I have had (at least) one product team from a large ISV advise just >that. Seems they thought they shipped so many fixes as zaps that the IDR >count was an issue. >M - my thoughts were unfit for publication. >No prizes f

Re: Cloning a RACF user profile

2008-03-18 Thread Walt Farrell
d, but have never taken the time to implement it. I'll put it on the list, though. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: Cloning a RACF user profile

2008-03-18 Thread Walt Farrell
erate commands to recreate the database. From those commands, you could select all the commands that reference the existing user ID, and then change the ID to a new one, and run the commands. Then you'd have a user just like the original one, except for the password that you'd

Re: z/OS 1.7 to z/OS 1.9 Migration - Increase in CPU/MSU Consumption

2008-03-14 Thread Walt Farrell
On Fri, 14 Mar 2008 15:40:36 -0500, Walt Farrell <[EMAIL PROTECTED]> wrote: >On Fri, 14 Mar 2008 11:46:35 -0700, Edward Jaffe ><[EMAIL PROTECTED]> wrote: > >>...snipped... >>This has nothing to do with anything said in the 1990s. It is a much >>more rece

Re: z/OS 1.7 to z/OS 1.9 Migration - Increase in CPU/MSU Consumption

2008-03-14 Thread Walt Farrell
On Fri, 14 Mar 2008 11:46:35 -0700, Edward Jaffe <[EMAIL PROTECTED]> wrote: >...snipped... >This has nothing to do with anything said in the 1990s. It is a much >more recent initiative that has been articulated verbally to ISVs, >customers at at SHARE, and in other places. It is not a formal promi

Re: Execution job class restriction

2008-03-13 Thread Walt Farrell
On Thu, 13 Mar 2008 04:08:55 -0700, Edward Jaffe <[EMAIL PROTECTED]> wrote: >Robert S. Hansel (RSH) wrote: >> If you can find a copy of the IBM publication GG66-3218-01 "RACF Security >> Administrator's Quick Reference", March 1992, there is a sample JES Exit 6 >> in Appendix G for controlling the

Re: Easy way to covert IEFBR14 and IDCAMS deletes to HDELETE

2008-03-13 Thread Walt Farrell
On Wed, 12 Mar 2008 22:21:34 -0500, Chase, John <[EMAIL PROTECTED]> wrote: >Indeed, how should Allocation know whether the program about to execute >wants to "do something" with the dataset(s) before deleting it/them? >Perhaps Allocation could be "educated" to issue HDELETE iff the dataset >is mig

Re: Easy way to covert IEFBR14 and IDCAMS deletes to HDELETE

2008-03-12 Thread Walt Farrell
On Wed, 12 Mar 2008 11:03:41 -0700, Edward Jaffe <[EMAIL PROTECTED]> wrote: >William Bishop wrote: >> The problem is that if you perform an IDCAMS DELETE and specify nonvsam, >> HSM does a recall. Without the nonvsam, he does an HDELETE if the dataset >> is migrated. >> > >This sounds APARable to

Re: RACF Tool PWDCOPY (ichwpin/ichpwout)

2008-03-10 Thread Walt Farrell
them somewhere. This may be simpler than using password enveloping, but is almost certainly less secure. For any further discussion on these approaches I suggest using RACF-L. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design --

Re: Secure FTP

2008-03-08 Thread Walt Farrell
you an OpenSSH implementation on z/OS, and that will give you the ability to use sftp. http://www-03.ibm.com/servers/eserver/zseries/zos/unix/port_tools.html For discussion of OpenSSH on z/OS I suggest using the MVS-OE mailing list rather than IBM-MAIN. -- Walt Farrell, CISSP IBM STSM, z/OS S

Re: IEE342I MODIFY REJECTED-TASK BUSY

2008-03-07 Thread Walt Farrell
On Fri, 7 Mar 2008 12:02:25 -0600, McKown, John <[EMAIL PROTECTED]> wrote: >Well, in the case of CICS, I was wrong. The manual states: > > >If the task is to be attached, DFHZCNA obtains a TIOA and moves the data >from the CIB to the TIOA. DFHZATT is then called to attach the task. If >the attach

Re: SDSF User Manual

2008-03-05 Thread Walt Farrell
On Tue, 4 Mar 2008 12:03:11 -0800, Schwarz, Barry A <[EMAIL PROTECTED]> wrote: >I've never seen any SDSF data in ISPF Help. SDSF does have help panels. >They are not bad as reference but it is difficult to find anything if >you don't already know the exact command. For example, is FINDLIM a >com

Re: SDSF User Manual

2008-03-05 Thread Walt Farrell
curity to RACF. The system programmer does that, and he does not do it by reading a user manual, but rather by reading the book intended for system programmers, SDSF Operations and Customization. If that book is not sufficient for doing the conversion that's a different topic, in my opinion

Re: SDSF User Manual

2008-03-04 Thread Walt Farrell
On Tue, 4 Mar 2008 07:36:48 -0800, Schwarz, Barry A <[EMAIL PROTECTED]> wrote: >Does anyone know of an SDSF user manual newer than the OS/390 2.10 >version dated June 2000? The z/OS manuals are titled Operation and >Customization. The 1.8 version contains chapters for batch and REXX but >nothing

Re: Abend S013 using ICHDSM00 procedure

2008-03-03 Thread Walt Farrell
o ICHDSM00, so I have to wonder what you really intended to do. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design

Re: FTP question

2008-02-28 Thread Walt Farrell
On Thu, 28 Feb 2008 07:05:05 -0500, Mike Liberatore <[EMAIL PROTECTED]> wrote: >I have several Open systems servers each running windows 2003. having >unique IP addresses and each running their own scripts to capture data. >This data is then being sent via ftp and stored on mainframe lpar as >GDG

Re: z/OS 1.10 announcement -DASD size

2008-02-28 Thread Walt Farrell
On Thu, 28 Feb 2008 06:48:14 -0600, Chase, John <[EMAIL PROTECTED]> wrote: >> -Original Message- >> From: IBM Mainframe Discussion List On Behalf Of Farley, Peter x23353 >> >> > -Original Message- >> > From: IBM Mainframe Discussion List O

Re: z/OS 1.10 announcement -DASD size

2008-02-27 Thread Walt Farrell
On Wed, 27 Feb 2008 17:51:57 -0500, Farley, Peter x23353 <[EMAIL PROTECTED]> wrote: >So you are saying that "everything else" includes PDSE? Yes, as PDSE is -not- VSAM. -- Walt Farrell, CISSP IBM STSM, z

Re: z/OS 1.10 announcement -DASD size

2008-02-27 Thread Walt Farrell
attribute are restricted to the first 65,520 cylinders. So, as it says, the support planned in z/OS V1.10 is for VSAM data in the extended area (except for the kinds of VSAM exempted in the next sentence), and everything else in the non extended area. -- Walt Farrell, CISSP IB

Re: Newbie RACROUTE question: how to *test* authorization?

2008-02-27 Thread Walt Farrell
rogram is a different one, it might indicate a failure when the actual job would work properly. That's a case that none of the JCL checking products can handle, as far as I know, because the results can not be checked except during actual execution. Any outside attempt to check them may give ei

Re: Newbie RACROUTE question: how to *test* authorization?

2008-02-27 Thread Walt Farrell
essage but go ahead and cut a record if you want to. > >Of course, that doesn't address the SMF noise issue for those who really >need to track attempted accesses to truly important resources to detect >actual hacking attempts. That's MSGSUPP=YES, which does not require APF

Re: Newbie RACROUTE question: how to *test* authorization?

2008-02-27 Thread Walt Farrell
>UACC=NONE. A Panvalet security exit constructs the pseudo-profile name, and >invokes RACROUTE to see if read access to the member is permitted or not. I would agree that's a reasonable case for using LOG=NONE. It will, however, require you to run APF-authorized, and I think it's a

Re: Newbie RACROUTE question: how to *test* authorization?

2008-02-26 Thread Walt Farrell
On Mon, 25 Feb 2008 13:08:53 -0600, Dave Kopischke <[EMAIL PROTECTED]> wrote: >On Sat, 23 Feb 2008 10:07:24 -0600, Walt Farrell wrote: > >>One could argue that letting you determine your access to resources without >>actually trying to use them (and thus without causing au
