Re: RACF passphrase support

W dniu 14.06.2023 o 15:24, rpinion865 pisze: If I want to move away from passwords and use passphrases, how do I force users to use passphrases, i.e. RACF exit(s)? Quite simple. You have to set initial passphrase for every user you want to migrate. And give them the passphrases (I assume uniq

Re: RACF passphrase support

I recommend posting to the RACF-L list. You'll get a lot of help there. Lennie Dymoke-Bradshaw https://rsclweb.com ‘Dance like no one is watching. Encrypt like everyone is.’ -Original Message- From: IBM Mainframe Discussion List On Behalf Of rpinion865 Sent: 14 June 2023 14:25 To: IBM-

Re: RACF passphrase support

Probably the easiest would be to remove a user’s password and set a phrase for them. ALU userid NOPASSWORD PHRASE(‘This user must use a phrase now’) EXPIRED Tom Chicklon From: IBM Mainframe Discussion List On Behalf Of rpinion865 Sent: Wednesday, June 14, 2023 9:25 AM To: IBM-MAIN@LISTSERV.UA

Re: RACF and Subject Alternate Name

Thanks all! The gskkyman utility seems to do what I want. On Fri, Jun 9, 2023 at 9:27 AM Matt Hogstrom wrote: > At Broadcom we’ve have customers that have experienced similar issues and > we’ve suggested the same workaround that Charles describes with no issues. > The CSR generation functional

Re: RACF and Subject Alternate Name

At Broadcom we’ve have customers that have experienced similar issues and we’ve suggested the same workaround that Charles describes with no issues. The CSR generation functionality is platform dependent (ie RACF’s restriction) but the process is the same for all certs regardless of where they

Re: RACF and Subject Alternate Name

On Thu, 8 Jun 2023 05:29:41 -0500, Michael Babcock wrote: > >And I simply don't see why RACF could not be made to generate more than >one SAN.   Will that change with z/OS 3.1? The RACF-L mailing list would be a better place for that part of your question, and (perhaps) for the complete questio

Re: RACF and Subject Alternate Name

Let me do my best here. Yes, you can generate a CSR, typically including multiple SANs, with OpenSSL (any platform), gskkyman, or even on a CA Web site (or in the case of an in-house CA, using their certificate management tools). Yes, you should be able to import that certificate when signed an

Re: RACF MFA

MFA is a separately charged product from IBM, and is licensed in blocks of 500 users. So there will be a software purchase and install on top of the racf changes Dave Jousma Vice President | Director, Technology Engineering Fifth Third Bank | 1830 East Paris Ave, SE | MD RSCB2H | Grand

Re: RACF - SDSF question

On 2/8/2023 3:10 PM, Lennie Dymoke-Bradshaw wrote: Ed, We have NO discrete profiles, but we do have generic profiles with no wildcard characters in them. You can do that with profiles in the DATASET class but I don't think you can do it with general classes. Good point. I should have said

Re: RACF - SDSF question

some local code to achieve this? Lennie -Original Message- From: IBM Mainframe Discussion List On Behalf Of Ed Jaffe Sent: 08 February 2023 02:32 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF - SDSF question On 2/7/2023 5:14 PM, Seymour J Metz wrote: > Generic is usually more usefu

Re: RACF - SDSF question

z/OS Support: ACIWorldwide - Telecommuter H(412-766-2697) C(412-519-2592) terri.shaf...@aciworldwide.com -Original Message- From: IBM Mainframe Discussion List On Behalf Of Robert S. Hansel (RSH) Sent: Wednesday, February 8, 2023 8:00 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF -

Re: RACF - SDSF question

: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF - SDSF question EXTERNAL EMAIL Hi Terri, Here are a couple of thoughts to add to what others have mentioned. Since SDSF is issuing a JES2 cancel job $CJ command, the name of the OPERCMDS resource being checked is JES2.CANCEL.BAT. Profile JES2.CANCEL.

Re: RACF - SDSF question

Hi Terri, Here are a couple of thoughts to add to what others have mentioned. Since SDSF is issuing a JES2 cancel job $CJ command, the name of the OPERCMDS resource being checked is JES2.CANCEL.BAT. Profile JES2.CANCEL.BAT.C30TCI* is superfluous since the resource name never includes the jobnam

Re: RACF - SDSF question

. *** Celebrating our 30th Anniversary *** 617-969-8211 www.linkedin.com/in/roberthansel www.rshconsulting.com -Original Message- Date:Tue, 7 Feb 2023 18:31:46 -0800 From:Ed Jaffe Subject: Re: RACF - SDSF question On 2/7/2023 5:14 PM, Seymour J Metz wrote: > Generic is usually m

Re: RACF - SDSF question

On 2/7/2023 5:14 PM, Seymour J Metz wrote: Generic is usually more useful, but you can certainly use specific profiles. Even discrete profiles can be made generic by specifying GENERIC when created. That's what we do here. We have NO discrete profiles, but we do have generic profiles with n

Re: RACF - SDSF question

M-MAIN@LISTSERV.UA.EDU Subject: Re: RACF - SDSF question I guess this bring up another question, which is probably why I am confused. This is for MVS cancel CANCEL jobname MVS.CANCEL.JOB.jobname MVS.CANCEL.** Update Medium And Table 1. RACF profiles and JES2 commands JES2 CommandResourc

Re: RACF - SDSF question

ERV.UA.EDU Subject: Re: RACF - SDSF question EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe. Note that there is no jobname qualifier on the JES2.CANCEL.BAT profile. This is why SDSF has the extra JESSPOOL profile check that goes beyond vanilla JES2 canc

Re: RACF - SDSF question

7, 2023 3:52 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF - SDSF question EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe. Note that there is no jobname qualifier on the JES2.CANCEL.BAT profile. This is why SDSF has the extra JESSPOOL profile

Re: RACF - SDSF question

_ > From: IBM Mainframe Discussion List on behalf > of Shaffer, Terri <017d5f778222-dmarc-requ...@listserv.ua.edu> > Sent: Tuesday, February 7, 2023 6:10:11 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: RACF - SDSF question > > EXTERNAL EMAIL > > > > &g

Re: RACF - SDSF question

om Outlook for Android<https://aka.ms/AAb9ysg> From: IBM Mainframe Discussion List on behalf of Shaffer, Terri <017d5f778222-dmarc-requ...@listserv.ua.edu> Sent: Tuesday, February 7, 2023 6:10:11 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF - S

Re: RACF - SDSF question

- Telecommuter H(412-766-2697) C(412-519-2592) terri.shaf...@aciworldwide.com -Original Message- From: IBM Mainframe Discussion List On Behalf Of Rob Scott Sent: Tuesday, February 7, 2023 9:54 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF - SDSF question EXTERNAL EMAIL: Do not click

Re: RACF - SDSF question

Terri said their CICSs are run as jobs, so it would need to be: MVS.CANCEL.JOB.C30TCI* (G) MVS.CANCEL.JOB.** (G) Dana On Tue, 7 Feb 2023 09:22:19 -0500, Roger W Suhr wrote: >Hi Ms. Terri, > >The OPERCMDS JES2.CANCEL.** profiles protect the JES2 ($C...) cancel command. >I believe you also nee

Re: RACF - SDSF question

action character. Rob Scott Rocket Software From: IBM Mainframe Discussion List On Behalf Of Roger W Suhr Sent: 07 February 2023 14:22 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF - SDSF question EXTERNAL EMAIL Hi Ms. Terri, The OPERCMDS JES2.CANCEL.** profiles protect the JES2 ($C

Re: RACF - SDSF question

Hi Ms. Terri, The OPERCMDS JES2.CANCEL.** profiles protect the JES2 ($C...) cancel command. I believe you also need to use the OPERCMDS MVS.CANCEL.STC.mbrname.id profile to protect the MVS CANCEL command. So in your case, that would be something like this: (if your running CICS as an ST

Re: Racf user detail

Vanguard Racf was a tool I used long ago when Racf was not able to provide easy reporting. Carmen On 1/19/2023 5:26 AM, saurabh khandelwal wrote: Hello Group, Hope you doing well. We have requirement to find any activity detail related to racf user from last 6 month. For example, any additi

Re: Racf user detail

That would be in the SMF data. There are a number of jobs to do various RACF reporting in SYS1.SAMPLIB(IRRICE). Of course, there are likely things is products such a zSecure. About which I know nothing. On Thu, Jan 19, 2023, 05:27 saurabh khandelwal < sourabhkhandelwal...@gmail.com> wrote: > Hel

Re: Racf userid - CICS started as a job

ntosh Oracle/Cerner -Original Message- From: IBM Mainframe Discussion List On Behalf Of Shaffer, Terri Sent: Tuesday, September 20, 2022 6:53 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Racf userid - CICS started as a job Thanks, that's probably the simplest way.. Awesome Ms Terri

Re: Racf userid - CICS started as a job

ymoke-Bradshaw Sent: Tuesday, September 20, 2022 7:42 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Racf userid - CICS started as a job EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe. Why not code the userid on the Jobcard and then give the users who submi

Re: Racf userid - CICS started as a job

Why not code the userid on the Jobcard and then give the users who submit the job READ access to the SURROGAT profile for the userid? https://www.ibm.com/docs/en/zos/2.5.0?topic=submitted-allowing-surrogate-job-submission Lennie Dymoke-Bradshaw https://rsclweb.com ‘Dance like no one is watching

Re: Racf userid - CICS started as a job

Maybe surrogate job submission? I do like the USER= on this sample: https://www.ibm.com/docs/en/zos/2.3.0?topic=submitted-allowing-surrogate-job-submission On 9/20/2022 4:26 PM, Shaffer, Terri wrote: Hi, I am asking this in the main forum hopefully it will be a simple answer, that I just don’t

Re: RACF violations - MQ and WAS, IMS

For IMS it is both; RACF SMF80 records and also IMS x'10' log records in the IMS log. IMS uses the RACROUTE option LOG=ASIS so the AUDIT and WARN options are in effect as well. On Mon, Apr 12, 2021 at 11:59 PM Pierre Fichaud wrote: > I was told on this forum that RACF violations for DB2 are in

Re: RACF violations - MQ and WAS, IMS

Or refresh security ... ITschak בתאריך יום ב׳, 12 באפר׳ 2021 ב-19:19 מאת Colin Paice : > I dont think MQ provides any as such - I think it was left to RACF to > report any violations. > Once MQ had done a security check it cached the data in its memory, until > it timed out. > Colin > > On Mon,

Re: RACF violations - MQ and WAS, IMS

I dont think MQ provides any as such - I think it was left to RACF to report any violations. Once MQ had done a security check it cached the data in its memory, until it timed out. Colin On Mon, 12 Apr 2021 at 14:59, Pierre Fichaud wrote: > I was told on this forum that RACF violations for DB2 a

Re: RACF violations - MQ and WAS, IMS

] On Behalf Of Tom Conley Sent: Monday, April 12, 2021 8:29 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF violations - MQ and WAS, IMS On 4/12/2021 10:33 AM, Itschak Mugzach wrote: > All racf violations are reported by SMF80, regardless of the environment of > execution. > > ITschak

Re: RACF violations - MQ and WAS, IMS

On 4/12/2021 10:33 AM, Itschak Mugzach wrote: All racf violations are reported by SMF80, regardless of the environment of execution. ITschak What he said. Regards, Tom Conley -- For IBM-MAIN subscribe / signoff / archive ac

Re: RACF violations - MQ and WAS, IMS

All racf violations are reported by SMF80, regardless of the environment of execution. ITschak *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: i_mugz...@securiteam.co.

Re: RACF certificate usage

A close-enough idea is probably to check if they're connected to any keyrings. Alternatively, depending on whether TLS inspection is setup in your site, the device doing the proxying might keep signatures/fingerprint of certs it has seen so far. I may not be explaining this right, but it is like

Re: RACF certificate usage

You could check the expiration. If they are expired they are pretty much defunct. Of course, that is mostly for endpoint certificates. CA certificates tend to be good for 20-30 years. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Beha

Re: RACF certificate usage

If you have not done so, you may also want to post this on the RACF List RACFhttp://www.listserv.uga.edu/archives/racf-l.html Lizette -Original Message- From: IBM Mainframe Discussion List On Behalf Of Frank Swarbrick Sent: Thursday, February 18, 2021 12:16 PM To: IBM-MAIN@LISTSER

Re: RACF CERT LABEL0000001

Use openssl and separate the certs. That way you can assign a label for each. Rob On Sat, Aug 15, 2020, 06:28 Lizette Koehler wrote: > If you were not aware there is a RACF List that might be helpful with this > question > > To join, if you have not done so, > > RACFhttp://www.listserv.uga

Re: RACF CERT LABEL0000001

If you were not aware there is a RACF List that might be helpful with this question To join, if you have not done so, RACFhttp://www.listserv.uga.edu/archives/racf-l.html Lizette -Original Message- From: IBM Mainframe Discussion List On Behalf Of Matt Martin Sent: Friday, August

Re: RACF ICHDEX01 Exit

Why? It fits in 12 bits, so LA will work. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List on behalf of Charles Mills Sent: Monday, August 10, 2020 11:22 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF

Re: RACF and ICHDEX01 Exit

Hi Andy, (cross-posted to IBM-MAIN and RACF-L) I would strongly advise against implementing ICHDEX01 and retaining the masked passwords. If at some point you want to implement KDFAES encryption, which I recommend be your goal, having masked passwords will prevent you fr

Re: RACF ICHDEX01 Exit

W dniu 10.08.2020 o 17:05, Pesce, Andy pisze: Good morning everyone ! I am going to post this over in the RACF Listserv as well. So, I am trying to go to z/OS 2.2 and I found this APAR OA49109. I have a ton of accounts that were created many years ago that are not able to login to z/OS 2.2.

Re: RACF ICHDEX01 Exit

AIN@LISTSERV.UA.EDU] On > Behalf Of Mark Jacobs > Sent: Monday, August 10, 2020 8:19 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: RACF ICHDEX01 Exit > > Maybe try this. > > ICHDEX01 AMODE 31 > LA R15,8 SET RC 16 > > - RACF IS TO ATTEMPT TO COMPARE THE DAT

Re: RACF ICHDEX01 Exit

Of Mark Jacobs Sent: Monday, August 10, 2020 8:19 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF ICHDEX01 Exit Maybe try this. ICHDEX01 AMODE 31 LA R15,8 SET RC 16 * RACF IS TO ATTEMPT TO COMPARE THE DATA BY USING THE RACF * DES ALGORITHM * IF DES PROCESSING FAILS, RACF U

Re: RACF ICHDEX01 Exit

Maybe try this. ICHDEX01 AMODE 31 LA R15,8 SET RC 16 * RACF IS TO ATTEMPT TO COMPARE THE DATA BY USING THE RACF * DES ALGORITHM * IF DES PROCESSING FAILS, RACF USES MASKING. BR R14RETURN TO SYSTEM END ICHDEX01 Sent from ProtonMail, Swiss-base

Re: RACF-SailPoint

Tks for the info--anything else will be helpful .. Smartphones not that smart.. -Original Message- From: IBM Mainframe Discussion List On Behalf Of Steve Beaver Sent: Thursday, July 02, 2020 10:48 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF-SailPoint ** EXTERNAL EMAIL - USE

Re: RACF-SailPoint

ces/problems you have had on MF > > -Original Message- > From: IBM Mainframe Discussion List On Behalf Of > Jackson, Rob > Sent: Thursday, July 02, 2020 8:14 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: RACF-SailPoint > > ** EXTERNAL EMAIL - USE CAUTION ** &g

Re: RACF-SailPoint

ing to get pros/cons and what others have experienced.. -Original Message- From: IBM Mainframe Discussion List On Behalf Of Pommier, Rex Sent: Thursday, July 02, 2020 8:16 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF-SailPoint ** EXTERNAL EMAIL - USE CAUTION ** Unfortunately, yes

Re: RACF-SailPoint

I got free rein and made the 'executive decision' to only use the offline interceptor. Rex -Original Message- From: IBM Mainframe Discussion List On Behalf Of Jackson, Rob Sent: Thursday, July 2, 2020 8:47 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: [External] Re: RACF-SailPoint

Re: RACF-SailPoint

Bank Mainframe Technical Support -Original Message- From: IBM Mainframe Discussion List On Behalf Of Ron Wells Sent: Thursday, July 2, 2020 9:19 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF-SailPoint [External Email. Exercise caution when clicking links or opening attachments.] That is

Re: RACF-SailPoint

y, I'll post again. First Horizon Bank Mainframe Technical Support -Original Message- From: IBM Mainframe Discussion List On Behalf Of Ron Wells Sent: Thursday, July 2, 2020 9:16 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF-SailPoint [External Email. Exercise caution wh

Re: RACF-SailPoint

nframe Discussion List On Behalf Of Pommier, Rex Sent: Thursday, July 02, 2020 8:16 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF-SailPoint ** EXTERNAL EMAIL - USE CAUTION ** Unfortunately, yes, a bit. I only have to deal with the mainframe connector and at this point it's only used fo

Re: RACF-SailPoint

Unfortunately, yes, a bit. I only have to deal with the mainframe connector and at this point it's only used for reporting but they're looking at making it do a bunch more. -Original Message- From: IBM Mainframe Discussion List On Behalf Of Ron Wells Sent: Thursday, July 2, 2020 7:29

Re: RACF-SailPoint

Unfortunately --- lol What experiences/problems you have had on MF -Original Message- From: IBM Mainframe Discussion List On Behalf Of Jackson, Rob Sent: Thursday, July 02, 2020 8:14 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF-SailPoint ** EXTERNAL EMAIL - USE CAUTION

Re: RACF-SailPoint

Unfortunately, yes. We run it. First Horizon Bank Mainframe Technical Support -Original Message- From: IBM Mainframe Discussion List On Behalf Of Ron Wells Sent: Thursday, July 2, 2020 8:29 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: RACF-SailPoint [External Email. Exercise caution when

Re: RACF Administration the Easy Way using an Open Source ISPF Dialog

This is really cool Lionel. Could do with a install script for the github stuff. Ping me offline if you want a hand with that. On 2020-06-07 12:31 AM, Lionel B Dyck wrote: A group of us have been working on an open source project to simplify RACF Administration - it is called RACFADM and is ava

Re: RACF: Limiting update-authorization of a file to a particular application

On Thu, 7 Mar 2019 19:33:31 +, Seymour J Metz wrote: >My understanding is that he needs ISPF services in his application. Then he is probably not going to be able to get it to run, safely and with integrity, under TSO/E. It will need a multi-address space implementation unless he's very lu

Re: RACF: Limiting update-authorization of a file to a particular application

On Thu, 7 Mar 2019 15:45:14 +0200, Steff Gladstone wrote: >But if I TSOEXEC CALL the Cobol I/O routine, will it retain the context >between calls? Won't the DCBs and ACBs and working storage be reinitialized >on every call? You need to TSOEXEC CALL the main COBOL program. It must run isolated,

Re: RACF: Limiting update-authorization of a file to a particular application

@LISTSERV.UA.EDU Subject: Re: RACF: Limiting update-authorization of a file to a particular application On Wed, 6 Mar 2019 19:29:05 +0200, Steff Gladstone wrote: >One further question: > >Would use of IKJEFTSI/IKJEFTSR/IKJEFTST work here? I.e., provide an >isolated eenvironment for RACF while

Re: RACF: Limiting update-authorization of a file to a particular application

But if I TSOEXEC CALL the Cobol I/O routine, will it retain the context between calls? Won't the DCBs and ACBs and working storage be reinitialized on every call? בתאריך יום ה׳, 7 במרץ 2019, 02:34, מאת Walt Farrell ‏: > On Wed, 6 Mar 2019 19:29:05 +0200, Steff Gladstone < > steff.gladst...@gmail.

Re: RACF: Limiting update-authorization of a file to a particular application

On Wed, 6 Mar 2019 17:26:56 +, Seymour J Metz wrote: >ATTACH by an unprivileged application cannot change the authority and >privileges of the address space. TSOEXEC passes the request to the Terminal >Monitor >Program (TMP), which sets the unauthorized tasks nondispatchable before >attac

Re: RACF: Limiting update-authorization of a file to a particular application

On Wed, 6 Mar 2019 19:29:05 +0200, Steff Gladstone wrote: >One further question: > >Would use of IKJEFTSI/IKJEFTSR/IKJEFTST work here? I.e., provide an >isolated eenvironment for RACF while maintaining continuity within the I/O >routine without re-initializing its working storage on each call?

Re: RACF: Limiting update-authorization of a file to a particular application

On Wed, 6 Mar 2019 19:01:25 +0200, Steff Gladstone wrote: > >This works ok for privileged users (i.e., the subtasking and I/O logic >works fine, the COBOL I/O routine is not reintiaiized on each call, and of >course there are no RACF issues). But for non-privileged users RACF issues >the follo

Re: RACF: Limiting update-authorization of a file to a particular application

On Wed, 6 Mar 2019 19:01:25 +0200, Steff Gladstone wrote: > >The COBOL I/O routine is called by a fairly complex TSO/ISPF application. >So we decided to communicate to the I/O routine via a subtask in order to >simplify the environment (as per Walt Farrell's claim that a new TCB >creates a paral

Re: RACF: Limiting update-authorization of a file to a particular application

From: IBM Mainframe Discussion List on behalf of Steff Gladstone Sent: Wednesday, March 6, 2019 12:29 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF: Limiting update-authorization of a file to a particular application One further question: Would use of IKJEFTSI/IKJEFTSR/IKJEFTST

Re: RACF: Limiting update-authorization of a file to a particular application

, 2019 12:01 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF: Limiting update-authorization of a file to a particular application Although we have progressed with creating an program-controlled environment, we are still experiencing problems in this area. We have a COBOL routine whose purpose is

Re: RACF: Limiting update-authorization of a file to a particular application

One further question: Would use of IKJEFTSI/IKJEFTSR/IKJEFTST work here? I.e., provide an isolated eenvironment for RACF while maintaining continuity within the I/O routine without re-initializing its working storage on each call? On Wed, 6 Mar 2019 at 19:01, Steff Gladstone wrote: > Although

Re: RACF: Limiting update-authorization of a file to a particular application

Although we have progressed with creating an program-controlled environment, we are still experiencing problems in this area. We have a COBOL routine whose purpose is to open a VSAM data set on the first call, perform I/O (read and write) on subsequent calls, and finally close the dataset on the f

Re: RACF: Limiting update-authorization of a file to a particular application

On Thu, 21 Feb 2019 15:22:33 +, Seymour J Metz wrote: >AFAIK it won't reset the dirty bit. It does isolate AC(0) from AC(1). Yes, it will, for that isolated parallel environment. -- Walt -- For IBM-MAIN subscribe / signof

Re: RACF: Limiting update-authorization of a file to a particular application

On Wed, 20 Feb 2019 15:51:23 +0200, Steff Gladstone wrote: >Do I understand correctly that TSOEXEC CALL creates a new subtask >environment which is "insulated" from the goings-on in the mother task? Yes. The parallel environment established by TSO/E via TSOEXEC would be clean, even if the orig

Re: RACF: Limiting update-authorization of a file to a particular application

-MAIN@LISTSERV.UA.EDU Subject: Re: RACF: Limiting update-authorization of a file to a particular application Do I understand correctly that TSOEXEC CALL creates a new subtask environment which is "insulated" from the goings-on in the mother task? Would specifying TASKLIB further ensure

Re: RACF: Limiting update-authorization of a file to a particular application

Using the term "RACF-authorized" is incorrect in this context.   All modules loaded in the address space must be program-controlled (not authorized), which means they must be covered by a PROGRAM profile that includes a group member for the dataset from which they were loaded.    The fact that a mo

Re: RACF: Limiting update-authorization of a file to a particular application

Do I understand correctly that TSOEXEC CALL creates a new subtask environment which is "insulated" from the goings-on in the mother task? Would specifying TASKLIB further ensure that only those modules loaded/linked/attached from the TASKLIB library need be RACF-authorized? Or is there something I

Re: RACF: Limiting update-authorization of a file to a particular application

://mason.gmu.edu/~smetz3 > > > From: IBM Mainframe Discussion List on behalf of > Joel C. Ewing > Sent: Sunday, February 17, 2019 5:43 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: [SPAM] Re: RACF: Limiting update-authorization of a file to a > particular application &

Re: RACF: Limiting update-authorization of a file to a particular application

st on behalf of > Joel C. Ewing > Sent: Sunday, February 17, 2019 5:43 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: [SPAM] Re: RACF: Limiting update-authorization of a file to a > particular application > > Unless things have changed, in order for RACF program-controlled

Re: [SPAM] Re: RACF: Limiting update-authorization of a file to a particular application

From: IBM Mainframe Discussion List on behalf of Joel C. Ewing Sent: Sunday, February 17, 2019 5:43 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: [SPAM] Re: RACF: Limiting update-authorization of a file to a particular application Unless things have changed, in order for RACF program

[SPAM] Re: RACF: Limiting update-authorization of a file to a particular application

Unless things have changed, in order for RACF program-controlled dataset access to work, all programs loaded into the address space must be covered by a RACF PROGRAM profile. Typically one sets up a profile that will cover all modules in all system datasets that might be loaded in the TSO environme

Re: RACF: Limiting update-authorization of a file to a particular application

On Sun, 17 Feb 2019 18:05:59 +0200, Steff Gladstone wrote: >Ok. We have been playing around with program control.If PROG1 (a COBOL >program incidentally) is to be allowed exclusively to update file MY.FILE, >then we: > >1. introduced PROG1 into the list of programs in AUTHPGM in member IKJEF

Re: RACF: Limiting update-authorization of a file to a particular application

Discussion List on behalf of Steff Gladstone Sent: Sunday, February 17, 2019 11:05 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF: Limiting update-authorization of a file to a particular application Ok. We have been playing around with program control.If PROG1 (a COBOL program incidentally) is

Re: RACF: Limiting update-authorization of a file to a particular application

Ok. We have been playing around with program control.If PROG1 (a COBOL program incidentally) is to be allowed exclusively to update file MY.FILE, then we: 1. introduced PROG1 into the list of programs in AUTHPGM in member IKJEFT00 2. Executed command RDEFINE for the file (and additionally for

Re: RACF: Limiting update-authorization of a file to a particular application

-0595 Mobile 626-543-6132 Office ⇐=== NEW robin...@sce.com -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Joel C. Ewing Sent: Thursday, February 07, 2019 3:53 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: (External):Re: RACF: Limiting update

Re: RACF: Limiting update-authorization of a file to a particular application

On 2/7/19 5:57 AM, Elardus Engelbrecht wrote: > Steff Gladstone wrote: > > Please consider subscribing to RACF-L at > http://listserv.uga.edu/archives/racf-l.html > > >> We have an TSO application for end-users that allows them to update certain >> VSAM and PDS files. In order for them to update

Re: RACF: Limiting update-authorization of a file to a particular application

Program control, but pay close attention to the restrictions. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List on behalf of Steff Gladstone Sent: Thursday, February 7, 2019 6:37 AM To: IBM-MAIN@LISTSERV.UA.ED

Re: RACF: Limiting update-authorization of a file to a particular application

Steff Gladstone wrote: Please consider subscribing to RACF-L at http://listserv.uga.edu/archives/racf-l.html >We have an TSO application for end-users that allows them to update certain >VSAM and PDS files. In order for them to update these files we of course have >to give their users update

Re: RACF SERVER Class Activation

W dniu 2019-01-09 o 20:21, Juan Mautalen pisze: Hi: Wecurrently have the RACF SERVER class INACTIVE (I am completely unfamiliar withit, by the way). I was askedto set up security for CICS LIBERTY, and according to the documentation I mustdefine some profiles in the SERVER class. However,

Re: RACF SERVER Class Activation

You may wish to post to the CICS or RACF lists. They may have more specific information. To join, if you have not done so, CICShttp://www.listserv.uga.edu/archives/cics-l.html RACFhttp://www.listserv.uga.edu/archives/racf-l.html Lizette > -Original Message- > From: IBM Mainf

Re: RACF Special User Revoked System

ssage- From: RACF Discussion List [mailto:rac...@listserv.uga.edu] On Behalf Of Bogdan Belciu Sent: Wednesday, August 8, 2018 2:20 AM To: rac...@listserv.uga.edu Subject: Re: RACF Special User Revoked System So in this case like any other case Google and RTFM works fine. For me, at least.

Re: RACF Special User Revoked System

On Sat, 4 Aug 2018 19:41:03 +0300, saurabh khandelwal wrote: >Thanks for reply. > >Special user is getting below message > >IKJ5644I TSOLOGON RECONNECT REJECT - USER ACCESS REVOKED BY RACF > >and any other TSO user getting > >IKJ56425I LOGON REJECTED, RACF TEMPORARILY REVOKING USER access >IK

Re: RACF Special User Revoked System

You may need to respond to 30-40 WTORs to get into TSO after RVARY INACT. Once you have access to TSO, you'll have to issue RVARY ACT command and reply to any WTOR. After that : ALU userid RESUME PASSWORD(XXX) NOEXPIRE On Sun, Aug 5, 2018 at 2:41 AM, saurabh khandelwal < venkatkulkarn..

Re: RACF Special User Revoked System

Thanks for reply. Special user is getting below message IKJ5644I TSOLOGON RECONNECT REJECT - USER ACCESS REVOKED BY RACF and any other TSO user getting IKJ56425I LOGON REJECTED, RACF TEMPORARILY REVOKING USER access IKJ56418I CONTACT YOUR TSO ADMINISTRATOR I dont see any WTOR message for re

Re: RACF Special User Revoked System

When an incorrect password is entered the requisite number of times for a user with SYSTEM SPECIAL, a WTOR is presented to the operator. The user is not revoked unless the operator responds to that WTOR specifying the user should be revoked. If that is indeed what happened, the operator needs

Re: RACF Special User Revoked System

nal Message- > From: IBM Mainframe Discussion List On Behalf Of > Joe Monk > Sent: Saturday, August 04, 2018 6:40 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: RACF Special User Revoked System > > RVARY INACTIVE turns off RACF. Then you can fix your problem and be on your

Re: RACF Special User Revoked System

RVARY INACTIVE turns off RACF. Then you can fix your problem and be on your way. Joe On Sat, Aug 4, 2018 at 8:27 AM, saurabh khandelwal < sourabhkhandelwal...@gmail.com> wrote: > Joe, > So, using rvary inactive, will I be able to use same racf password to login > all users. > > Also, once we log

Re: RACF Special User Revoked System

I am not a RACF expert but IMHO you have a problem that is bigger than a post on a mailing list. You should get IBM involved, or someone like Vanguard, or a serious RACF expert like RSM, Stu Henderson, Tom Conley or Bob Hansel (and apologies to anyone I failed to mention). Charles -Origi

Re: RACF Special User Revoked System

For future reference, there is a RACF related mailing list, RACF-L. List name: RACF-L Host name: LISTSERV.UGA.EDU (UGA) Subscribers: 1,794 Features: - Virus protection (F-Secure Anti-Virus 10.20)

Re: RACF Special User Revoked System

Joe, So, using rvary inactive, will I be able to use same racf password to login all users. Also, once we login how can we solve that special user racf password issue and let system to again use racf for security On Sat, Aug 4, 2018, 2:56 PM Joe Monk wrote: > > https://www.ibm.com/support/knowl

Re: RACF Special User Revoked System

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha200/nut.htm#nut Joe On Sat, Aug 4, 2018 at 7:46 AM, saurabh khandelwal < venkatkulkarn...@gmail.com> wrote: > Hello Joe, > > How RVARY INACTIVE command will solve this issue. Can you please explain > > > On Sat, Au

Re: RACF Special User Revoked System

Is there any way to resume that special user from console or get the WTOR message on console for this user and let this user be in revoked status and other users should be able to login to system On Sat, Aug 4, 2018 at 2:46 PM, saurabh khandelwal < venkatkulkarn...@gmail.com> wrote: > Hello Joe,

<    1   2   3   4   5   >