Re: MGCR in a non typical asid

2015-03-11 Thread Itschak Mugzach
Hi Scott,

I tried the ROUTE command (ROUTE xxx,REPLY nn,Y). It failed by RACF as
all other commands come from non typical address spaces.

I think I don't have fingers to count the (new) z/os versions not
supported since the one I am running on... I compared the macros between
1.7 and 1.13 and found that in v1.13 the gap between MGCR & MGCRE is
closed. This is not true in V1.7, but ... dsect IEZMGCR does have room for
utoken! I'll change the program to generate a utoken.

Regards,

ITschak Mugzach
Z/OS, ISV Products and Application Security & Risk Assessments Professional

On Tue, Mar 10, 2015 at 10:34 PM, Scott Fagen 
004e4c25b017-dmarc-requ...@listserv.ua.edu wrote:

 On Thu, 5 Mar 2015 17:29:54 +0200, Itschak Mugzach imugz...@gmail.com
 wrote:

 I am running a MPF exit that works fine from user address spaces. In response
 to RACF msg ICH302D, the userid assigned is +CONSOLE. The OPERCMDS profile
 is having uacc read, but racf refuses the REPLYxx,Y
 Another command issued under the same conditions (no acce) is MVS SEND
 command, this time from mstjcl00. I am trying to avoid converting to MGCRE.

 - snip -

 If you're wedded to the idea of staying with MGCR, what *might* work is to
 get the command out of the user space and into a system address space.
 This could be accomplished by pre-pending RO cvtsname, to your REPLY
 command.  Remember to compress out any blanks for a system name that is
 less than eight characters.

 No guarantees...if you try it and it works, I'd love to know (having been
 one of the original developers of the ROUTE command...).

 Also, it looks like MGCR has been beefed up a bit to allow the
 specification of security information on the macro call:


 http://www-01.ibm.com/support/knowledgecenter/SSLTBW_1.13.0/com.ibm.zos.r13.ieaa800/mgcr.htm

 Scott Fagen
 Chief Architect - z Systems and Workload Automation
 CA Technologies
 Plano, TX

 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN




Re: MGCR in a non typical asid

2015-03-10 Thread Scott Fagen
On Thu, 5 Mar 2015 17:29:54 +0200, Itschak Mugzach imugz...@gmail.com wrote:

I am running a MPF exit that works fine from user address spaces. In response
to RACF msg ICH302D, the userid assigned is +CONSOLE. The OPERCMDS profile
is having uacc read, but racf refuses the REPLYxx,Y
Another command issued under the same conditions (no acce) is MVS SEND
command, this time from mstjcl00. I am trying to avoid converting to MGCRE.

- snip -

If you're wedded to the idea of staying with MGCR, what *might* work is to get 
the command out of the user space and into a system address space.  This could 
be accomplished by pre-pending RO cvtsname, to your REPLY command.  
Remember to compress out any blanks for a system name that is less than eight 
characters.

No guarantees...if you try it and it works, I'd love to know (having been one 
of the original developers of the ROUTE command...).

Also, it looks like MGCR has been beefed up a bit to allow the specification of 
security information on the macro call:

http://www-01.ibm.com/support/knowledgecenter/SSLTBW_1.13.0/com.ibm.zos.r13.ieaa800/mgcr.htm

Scott Fagen
Chief Architect - z Systems and Workload Automation
CA Technologies
Plano, TX



Re: MGCR in a non typical asid

2015-03-05 Thread Itschak Mugzach
Hi Biyamin,

That's what I was trying to avoid as I am short on free regs and my workarea
overflows (I already modified the program to use MGCRE)... But, in case of
no alternative, a man should do what a man should do and I'll use the
mortified version.

ITschak


ITschak Mugzach
Z/OS, ISV Products and Application Security & Risk Assessments Professional

On Thu, Mar 5, 2015 at 8:20 PM, Binyamin Dissen bdis...@dissensoftware.com
wrote:

 Use MGCRE to specify the user attributes.

 On Thu, 5 Mar 2015 17:29:54 +0200 Itschak Mugzach imugz...@gmail.com
 wrote:

 :I am running a MPF exit that works fine from user address spaces. In response
 :to RACF msg ICH302D, the userid assigned is +CONSOLE. The OPERCMDS profile
 :is having uacc read, but racf refuses the REPLYxx,Y
 :Another command issued under the same conditions (no acce) is MVS SEND
 :command, this time from mstjcl00. I am trying to avoid converting to MGCRE.
 :
 :Any Idea how to assign an active id to the exit, or CONSOLEID?
 :
 :
 :ICH408I USER(+CONSOLE) GROUP(*   ) NAME(??? ) 931
 :
 :  MVS.REPLY CL(OPERCMDS)
 :
 :  INSUFFICIENT ACCESS AUTHORITY
 :
 :  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
 :
 :IEE345I REPLYAUTHORITY INVALID, FAILED BY SECURITY PRODUCT

 --
 Binyamin Dissen bdis...@dissensoftware.com
 http://www.dissensoftware.com

 Director, Dissen Software, Bar & Grill - Israel


 Should you use the mailblocks package and expect a response from me,
 you should preauthorize the dissensoftware.com domain.

 I very rarely bother responding to challenge/response systems,
 especially those from irresponsible companies.





MGCR in a non typical asid

2015-03-05 Thread Itschak Mugzach
I am running a MPF exit that works fine from user address spaces. In response
to RACF msg ICH302D, the userid assigned is +CONSOLE. The OPERCMDS profile
is having uacc read, but racf refuses the REPLYxx,Y
Another command issued under the same conditions (no acce) is MVS SEND
command, this time from mstjcl00. I am trying to avoid converting to MGCRE.

Any Idea how to assign an active id to the exit, or CONSOLEID?


ICH408I USER(+CONSOLE) GROUP(*   ) NAME(??? ) 931

  MVS.REPLY CL(OPERCMDS)

  INSUFFICIENT ACCESS AUTHORITY

  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

IEE345I REPLYAUTHORITY INVALID, FAILED BY SECURITY PRODUCT

ITschak Mugzach
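
An added example, not part of the original post or of any IBM code: a Python sketch that reassembles multi-line ICH408I messages in the layout shown above and flags OPERCMDS denials where the issuer was reported as +CONSOLE. The function names and the second sample message (OPER1 / MVS.SEND) are constructed for illustration.

```python
import re

# Console log sample: the first message is the one quoted in the post above;
# the second (OPER1 / MVS.SEND) is constructed for contrast.
SAMPLE_LOG = """\
ICH408I USER(+CONSOLE) GROUP(*   ) NAME(??? ) 931

  MVS.REPLY CL(OPERCMDS)

  INSUFFICIENT ACCESS AUTHORITY

  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

IEE345I REPLYAUTHORITY INVALID, FAILED BY SECURITY PRODUCT
ICH408I USER(OPER1   ) GROUP(SYS1    ) NAME(CONSTRUCTED USER    ) 932
  MVS.SEND CL(OPERCMDS)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

HEADER = re.compile(r"^ICH408I\s+USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)")
RESOURCE = re.compile(r"^\s+(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\)")
ACCESS = re.compile(r"ACCESS INTENT\((?P<intent>[^)]*)\)\s+ACCESS ALLOWED\((?P<allowed>[^)]*)\)")


def parse_ich408i(log_text):
    """Reassemble each multi-line ICH408I message into one dict."""
    records, current = [], None
    for line in log_text.splitlines():
        if not line.strip():
            continue  # the post shows blank lines between continuation lines
        header = HEADER.match(line)
        if header:
            current = {k: v.strip() for k, v in header.groupdict().items()}
            records.append(current)
        elif not line[0].isspace():
            current = None  # any other unindented message ends the block
        elif current is not None:
            for pattern in (RESOURCE, ACCESS):
                found = pattern.search(line)
                if found:
                    current.update({k: v.strip() for k, v in found.groupdict().items()})
                    break
    return records


def console_identity_denials(records):
    """OPERCMDS denials where the command ran under +CONSOLE, not a real userid."""
    return [r for r in records
            if r["user"] == "+CONSOLE" and r.get("cls") == "OPERCMDS"]
```
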



Re: MGCR in a non typical asid

2015-03-05 Thread Lizette Koehler
You might try running the sectrace to see what is occurring.
Is the exit apf authorized?  Is the exit rent or not?  Is the exit in an apf 
authorized library or lpa?

Lizette


-Original Message-
From: Itschak Mugzach imugz...@gmail.com
Sent: Mar 5, 2015 7:29 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: MGCR in a non typical asid

I am running a MPF exit that works fine from user address spaces. In response
to RACF msg ICH302D, the userid assigned is +CONSOLE. The OPERCMDS profile
is having uacc read, but racf refuses the REPLYxx,Y
Another command issued under the same conditions (no acce) is MVS SEND
command, this time from mstjcl00. I am trying to avoid converting to MGCRE.

Any Idea how to assign an active id to the exit, or CONSOLEID?


ICH408I USER(+CONSOLE) GROUP(*   ) NAME(??? ) 931

  MVS.REPLY CL(OPERCMDS)

  INSUFFICIENT ACCESS AUTHORITY

  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

IEE345I REPLYAUTHORITY INVALID, FAILED BY SECURITY PRODUCT

ITschak Mugzach




Re: MGCR in a non typical asid

2015-03-05 Thread Itschak Mugzach
Yes. It runs in Key zero, apf authorized. I googled for the +console issue,
and I think MGCRE with consoleid will solve the problem, but I want to
avoid this change.

ITschak

ITschak Mugzach
Z/OS, ISV Products and Application Security & Risk Assessments Professional

On Thu, Mar 5, 2015 at 5:41 PM, Lizette Koehler stars...@mindspring.com
wrote:

 You might try running the sectrace to see what is occurring.
 Is the exit apf authorized?  Is the exit rent or not?  Is the exit in an
 apf authorized library or lpa?

 Lizette


 -Original Message-
 From: Itschak Mugzach imugz...@gmail.com
 Sent: Mar 5, 2015 7:29 AM
 To: IBM-MAIN@LISTSERV.UA.EDU
 Subject: MGCR in a non typical asid
 
 I am running a MPF exit that works fine from user address spaces. In response
 to RACF msg ICH302D, the userid assigned is +CONSOLE. The OPERCMDS profile
 is having uacc read, but racf refuses the REPLYxx,Y
 Another command issued under the same conditions (no acce) is MVS SEND
 command, this time from mstjcl00. I am trying to avoid converting to MGCRE.
 
 Any Idea how to assign an active id to the exit, or CONSOLEID?
 
 
 ICH408I USER(+CONSOLE) GROUP(*   ) NAME(??? ) 931
 
   MVS.REPLY CL(OPERCMDS)
 
   INSUFFICIENT ACCESS AUTHORITY
 
   ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
 
 IEE345I REPLYAUTHORITY INVALID, FAILED BY SECURITY PRODUCT
 
 ITschak Mugzach
 





Re: MGCR in a non typical asid

2015-03-05 Thread Binyamin Dissen
Use MGCRE to specify the user attributes.

On Thu, 5 Mar 2015 17:29:54 +0200 Itschak Mugzach imugz...@gmail.com wrote:

:I am running a MPF exit that works fine from user address spaces. In response
:to RACF msg ICH302D, the userid assigned is +CONSOLE. The OPERCMDS profile
:is having uacc read, but racf refuses the REPLYxx,Y
:Another command issued under the same conditions (no acce) is MVS SEND
:command, this time from mstjcl00. I am trying to avoid converting to MGCRE.
:
:Any Idea how to assign an active id to the exit, or CONSOLEID?
:
:
:ICH408I USER(+CONSOLE) GROUP(*   ) NAME(??? ) 931
:
:  MVS.REPLY CL(OPERCMDS)
:
:  INSUFFICIENT ACCESS AUTHORITY
:
:  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
:
:IEE345I REPLYAUTHORITY INVALID, FAILED BY SECURITY PRODUCT

--
Binyamin Dissen bdis...@dissensoftware.com
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.
