Re: Submitting batch if you don't have TSO

2019-09-15 Thread Bill Soper
Apologies if I'm repeating ... With CICS 5.5... you can submit as the CICS 
logged on userid...
https://www.ibm.com/support/knowledgecenter/en/SSGMCP_5.5.0/upgrading/process/upgrade_security.html#upgrade_security__jcl-submission

Short version:
Define surrogate checks to allow the region user ID to submit jobs on behalf of 
these users.
Configure the following feature toggles:
com.ibm.cics.spool.surrogate.check=true
com.ibm.cics.spool.defaultjobuser=TASK

Cheers,
Bill

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Blank fanout z114 CPC adapter

2019-09-15 Thread Christian Svensson
Hi,

I'm in the process of removing the old I/O cage and just using my PCIe cage.
I can see from some pictures in SHARE slides (slide 8) that there is a
fanout dummy adapter, i.e. what I assume is just a metal shell that
protects the CPC adapter connector during operation.

Anyone out there on the mailing list who happens to know the part number?

Thanks,



Re: Submitting batch if you don't have TSO

2019-09-15 Thread Walt Farrell
On Wed, 11 Sep 2019 12:15:11 -0500, Paul Gilmartin wrote:

>As I follow this thread, I wonder why CICS doesn't submit batch jobs
>with the credentials of the requesting individual rather than the CICS
>region.

Some of the IBM CICS designers over the years have wanted to allow that. The 
IBM z/OS Security and Integrity teams (in my time) strongly resisted that 
because with the design of CICS it's not safe.

Yes, CICS verifies the user's identity with RACF (or other security product) 
but after that there are storage isolation issues in a multi-user environment 
such as a CICS region that make it impossible for the system to trust the 
user's identity sufficiently to allow it to propagate to another environment 
such as a batch job.

Note that this is a fundamental issue with multi-user address spaces that run 
customer- or user-provided code, not just with CICS.

It can be mitigated by vigilant and vigorous inspection of all the customer- 
and/or user-provided code that will run in the region. However, it can only be 
truly resolved by appropriate protection and isolation of both the control 
blocks that prove a user's identity and the transaction code. And, 
unfortunately, providing that isolation has performance implications and might 
require hardware changes.

Those performance implications were considered unacceptable for a CICS 
environment. We had some interesting discussions over the years investigating 
potential CICS or z/OS software changes, possibly coupled with z hardware 
changes, that could allow protection and propagation of the user's identity 
safely, but none of them resulted in satisfactory solutions that would also 
maintain the required level of performance.

-- 
Walt (former SAF and RACF Designer/Developer, for those who may not know)