Re: Console Logon timeout?

2009-08-19 Thread Binyamin Dissen
On Tue, 18 Aug 2009 10:39:28 -0700 Edward Jaffe edja...@phoenixsoftware.com
wrote:

:R.S. wrote:
: Edward Jaffe wrote:

: Peter, this might not be in the same area of code but...

: It would be nice to be able to associate a default SAF userid with 
: consoles that have not yet logged on. That way, OPERCMDS resources 
: can be used to protect commands issued from those consoles.

: LOGON(AUTO) in CONSOLxx. It is available for many years.

:No. I was asking for a default SAF UTOKEN to be supplied when a console 
:is not logged on. The LOGON(AUTO) solution tries to ensure that consoles 
:are always logged on--a different concept altogether, and one that is an 
:incomplete solution.


:LOGON(AUTO) requires you to define userids for all of your 
:consoles--potentially hundreds of them. When I was playing around with 
:this, I noticed that commands issued from LOGON(AUTO) consoles without 
:an associated userid would get security failures for a user called 
:'+CONSOLE'. I thought if I could define that user to RACF, that would 
:provide the default capability I was looking for. Alas, the define of 
:userids starting with '+' is prohibited.

Not that hard to make a SAF/RACF exit to change +CONSOLE to something else.

:Also, I have been unable to make LOGON(AUTO) work with SYSCONS aka the 
:Operating System Messages on the HMC/SE. As shown in my Console Me 
:SHARE presentation, no matter how you try to log on, you get:

:IEE847I LOGON NOT VALID FOR EXTENDED MCS CONSOLE

--
Binyamin Dissen bdis...@dissensoftware.com
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: Console Logon timeout?

2009-08-19 Thread Mark Zelden
On Wed, 19 Aug 2009 00:34:28 -0500, Barbara Nitz nitz-...@gmx.net wrote:

> Besides, when a sysprog monitors the IPL, it is usually because changes were
> made and we need to check if there are problems. It is really hard to sit in
> front of the console and wait for the messages to scrawl by. (Hence my wish
> to be able to use K to change rtme and del to *my* preferred values.)

I'm sure this isn't in the area being looked at, but it made me think... 

It might be nice if there was an IPL parm / option to have the NIP messages
stop and prompt you to continue when a screen fills up similar to SAD.  
With emulated consoles, the messages scroll by so fast it can be nearly
impossible to look for something you want to see except after the fact
by examining the syslog / operlog. The only other option is to
disconnect the consoles and use the HMC, which you can scroll. 

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:mark.zel...@zurichna.com
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html



Re: Console Logon timeout?

2009-08-19 Thread Jerry Whitteridge
Force logon after x number of hours. 

(so they don't just keep using the id that logged on at IPL time despite
many shift changes !)

Jerry Whitteridge
Mainframe Engineering
Safeway Inc
925 951 4184
jerry.whitteri...@safeway.com
If everything seems under control, you're just not going fast enough. 
 

 -----Original Message-----
 From: IBM Mainframe Discussion List
 [mailto:ibm-m...@bama.ua.edu] On Behalf Of Peter Fatzinger
 Sent: Monday, August 17, 2009 8:34 AM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: Console Logon timeout?

 We may have a future opportunity to make some changes in this area of the
 code.  While we're in there, what would you like to see changed?
 
 - Logoff users after period of inactivity.
 - Concurrent user logon to multiple consoles.
 - Anything else??
 
 Peter Fatzinger
 z/OS Core Components Development and Service
 


Re: Console Logon timeout?

2009-08-19 Thread Barbara Nitz
> It might be nice if there was an IPL parm / option to have the NIP messages
> stop and prompt you to continue when a screen fills up similar to SAD.
> With emulated consoles, the messages scroll by so fast it can be nearly
> impossible to look for something you want to see except after the fact
> by examining the syslog / operlog. The only other option is to
> disconnect the consoles and use the HMC, which you can scroll.

SAD does that? (Stop and prompt, I mean) I guess only on a 'real' console, not 
on the HMC, right? The last sadumps I have taken were all taken using the 
HMC, so I haven't noticed that prompt.

musings on
Before MCS consoles become available (iea549i), there are about 670 NIP 
message lines on the system I just looked at, and the usual bits for 
suppression don't work before console address space is fully functional.
Assuming 25 lines per screen (for easier division) that means about 27 or 28 
prompts, depending on the amount of XCF signalling messages you get. 
Also, *before* MCS consoles, we are talking synchdest WTORs (IIRC), which 
means the system doesn't go on with the IPL until the prompt has been 
answered. Considering what havoc a half-XCF-init'd system can cause 
because it cannot answer to signalling anymore while waiting for the operator 
to reply, I would agree, that yes, it would be nice to be able to 'see' these 
messages, but I think it is unlikely that IBM would implement something like 
this.

In those 670 lines there isn't the message that says the bpxprmxx was found 
and read. And I know for a fact that a syntax error in that member will cause 
a synchdest wtor prompting for a correct member. (Guess how the syntax 
checker for bpxprm was 'invented' - after outage of a productive sysplex 
because the test system was IPL'd and had a syntax error in bpxprm. 
Operating did not notice the WTOR, the system did not update its heartbeat 
anymore, XCF message buffers rapidly built up, things got disrupted.) So 
the 'NIP' messages may not even be finished after those 670 lines in my 
example.
musings off

But thanks for pointing me to check the consolxx messages during NIP - 
cleanup is necessary there! :-(

Regards, Barbara



Re: Console Logon timeout?

2009-08-18 Thread R.S.

Edward Jaffe wrote:
> Peter Fatzinger wrote:
>> We may have a future opportunity to make some changes in this area of
>> the code.  While we're in there, what would you like to see changed?
>>
>> - Logoff users after period of inactivity.
>> - Concurrent user logon to multiple consoles.
>> - Anything else??
>
> Peter, this might not be in the same area of code but...
>
> It would be nice to be able to associate a default SAF userid with
> consoles that have not yet logged on. That way, OPERCMDS resources can
> be used to protect commands issued from those consoles.

LOGON(AUTO) in CONSOLxx. It is available for many years.

--
Radoslaw Skorupka
Lodz, Poland




Re: Console Logon timeout?

2009-08-18 Thread Staller, Allan
Barbara Nitz wrote:

> ...Unfortunately, they all come up with del=rd and rtme=1, which isn't
> really nice during IPL and usually leads to WTO buffer shortages. At
> which point automation issues the commands.

I just ran into the same issue. Check out the INIT LOGLIM(  ) statement
in CONSOLExx

HTH,

Barbara Nitz



Re: Console Logon timeout?

2009-08-18 Thread Field, Alan C.
Barbara,

You can specify RTME=1/4 in CONSOL00 - that helps a lot. 

Alan 

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Barbara Nitz

What I would really like to have is the ability to issue a K E,1 command
*without* logging on. Or better yet, being able to set the console into
roll mode *without* logon. On those pesky weekend IPLs I get to do I
tend to forget that I can use my own id to logon to the console and
never remember the supposed name of the console, much more the password
for that console name. Unfortunately, they all come up with del=rd and
rtme=1, which isn't really nice during IPL and usually leads to WTO
buffer shortages. At which point automation issues the commands.

Without the need for commands, I would also go for a new parm in
consolxx per console that allows to reset the console to del=rd and the
specified rtme *after* IPL is through. (I know, how does one define the
point where an IPL is done? Especially, as IPL are the few architected
hardware instructions...)

Also, I would not allow even display commands without logon. If someone
knows enough to be able to issue a valid display command, they can spy
on things.

Best regards, Barbara Nitz



Re: Console Logon timeout?

2009-08-18 Thread Chris Nelson
First - I would request that the period of inactivity be configurable
and that may already be planned.

Second - I have not played with the way console autologon works (so it
may already be working this way) I would like to be able to set up the
console to be a specific user so I can give it specific commands
(display type usually), then if a more intrusive command is needed, the
user would have to logon with their own identity and do the command.
When the user either logs off or times out, the console would drop back
to the autologon identity.


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Peter Fatzinger
Sent: Monday, August 17, 2009 10:34 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Console Logon timeout?

We may have a future opportunity to make some changes in this area of
the code.  While we're in there, what would you like to see changed?

- Logoff users after period of inactivity.
- Concurrent user logon to multiple consoles.
- Anything else??

Peter Fatzinger
z/OS Core Components Development and Service



Re: Console Logon timeout?

2009-08-18 Thread Ken Porowski
Barbara,

We have LOGON(AUTO) set and OPERCMDS protection on the console name as
userid.  We allow control (K) and display (D) commands from the
default userid.  Anything else needs a LOGON.  Consoles are set RD
with roll time 1/4.  What I've noticed is that at IPL time any command
can be issued without a logon until a certain point (I assume once our
security package is fully operational).  After the IPL we manually set K
S,DEL=R although we could probably put in some sort of automation for
after IPL to do the same.  So far no issues.

Peter,
- Logoff users after period of inactivity.
- Concurrent user logon to multiple consoles.
Would be the 2 I would like to see and maybe ignore K E,1 and K when
there is nothing to delete. 

Ken Porowski
AVP Systems Software
CIT Group
E: ken.porow...@cit.com



-----Original Message-----
Barbara Nitz

Hi Peter,

nice to see you're still working in this area! :-)

We may have a future opportunity to make some changes in this area of 
the code.  While we're in there, what would you like to see changed?

- Logoff users after period of inactivity.
This should be configurable. autologoff would cause a lot of complaints
here.

- Concurrent user logon to multiple consoles.
- Anything else??

What I would really like to have is the ability to issue a K E,1 command
*without* logging on. Or better yet, being able to set the console into
roll mode *without* logon. On those pesky weekend IPLs I get to do I
tend to forget that I can use my own id to logon to the console and
never remember the supposed name of the console, much more the password
for that console name. Unfortunately, they all come up with del=rd and
rtme=1, which isn't really nice during IPL and usually leads to WTO
buffer shortages. At which point automation issues the commands. 

Without the need for commands, I would also go for a new parm in
consolxx per console that allows to reset the console to del=rd and the
specified rtme
*after* IPL is through. (I know, how does one define the point where an
IPL is done? Especially, as IPL are the few architected hardware
instructions...)

Also, I would not allow even display commands without logon. If someone
knows enough to be able to issue a valid display command, they can spy
on things. 

Best regards, Barbara Nitz



Re: Console Logon timeout?

2009-08-18 Thread Hayim Sokolsky
Chris,

It already works that way. When you have LOGON(AUTO) specified for 
consoles, when the console becomes active, it is signed on under a UserID 
that matches the console name. (If that ID does not exist, or is revoked, 
the signon will of course fail.) 

You can permit the Console UserID directly, or via group, to whatever 
OPERCMDS resources you deem appropriate. You can also choose to permit any 
ID logged on to that console as well.


Hayim
_
Hayim Sokolsky, CISSP
Mainframe Security Architect
DTCC Corporate Information Security
18301 Bermuda Green Dr, MS 1-CIS
Tampa FL 33647-1760

Tel. (813) 470-2177



From: Chris Nelson chris.nelson.b...@statefarm.com
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
Date: 2009.08.18 09:57
Please respond to: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
To: IBM-MAIN@bama.ua.edu
Subject: Re: Console Logon timeout?

First - I would request that the period of inactivity be configurable
and that may already be planned.

Second - I have not played with the way console autologon works (so it
may already be working this way) I would like to be able to set up the
console to be a specific user so I can give it specific commands
(display type usually), then if a more intrusive command is needed, the
user would have to logon with their own identity and do the command.
When the user either logs off or times out, the console would drop back
to the autologon identity.


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Peter Fatzinger
Sent: Monday, August 17, 2009 10:34 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Console Logon timeout?

We may have a future opportunity to make some changes in this area of
the code.  While we're in there, what would you like to see changed?

- Logoff users after period of inactivity.
- Concurrent user logon to multiple consoles.
- Anything else??

Peter Fatzinger
z/OS Core Components Development and Service
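
The LOGON(AUTO) arrangement that Ken Porowski and Hayim Sokolsky describe in this thread, sketched as an added configuration example; it is not taken from any poster's system. The console name CONS01, device number 0700 and the groups CONSGRP and OPERGRP are constructed, and the access levels shown are assumptions to check against the command/resource table in MVS Planning: Operations.

```text
/* --- CONSOLxx (parmlib) ------------------------------------------- */
/* LOGON(AUTO): each MCS console is signed on at activation under a   */
/* userid equal to its console name (CONS01 here, constructed).       */
/* AUTH(INFO) keeps the fallback authority minimal for commands that  */
/* no OPERCMDS profile covers.                                        */
DEFAULT LOGON(AUTO)
CONSOLE DEVNUM(0700) NAME(CONS01) AUTH(INFO) DEL(RD) RTME(1/4)

/* --- RACF commands (TSO) ------------------------------------------ */
/* Assumes userid CONS01 is already defined and not revoked;          */
/* otherwise the automatic signon fails. CONSGRP and OPERGRP are      */
/* hypothetical group names; OPERGRP is assumed to exist.             */
ADDGROUP CONSGRP
CONNECT  CONS01 GROUP(CONSGRP)

SETROPTS CLASSACT(OPERCMDS) GENERIC(OPERCMDS) RACLIST(OPERCMDS)

/* Default (autologon) identity: display (D) and control (K) only.    */
/* READ is assumed to be the level these commands require.            */
RDEFINE OPERCMDS MVS.DISPLAY.* UACC(NONE)
RDEFINE OPERCMDS MVS.CONTROL.* UACC(NONE)
PERMIT  MVS.DISPLAY.* CLASS(OPERCMDS) ID(CONSGRP) ACCESS(READ)
PERMIT  MVS.CONTROL.* CLASS(OPERCMDS) ID(CONSGRP) ACCESS(READ)

/* A more intrusive command family: CONSGRP is not on the access      */
/* list, so the console identity is refused and the operator has to   */
/* LOGON with a personal userid. The conditional entry honors that    */
/* userid only while it is logged on at CONS01 (conditional entries   */
/* need the CONSOLE class to be active). UPDATE is an assumed level;  */
/* some VARY forms need CONTROL.                                      */
RDEFINE OPERCMDS MVS.VARY.* UACC(NONE)
PERMIT  MVS.VARY.* CLASS(OPERCMDS) ID(OPERGRP) ACCESS(UPDATE) +
        WHEN(CONSOLE(CONS01))

SETROPTS RACLIST(OPERCMDS) REFRESH
```

Only the three command families shown are covered here; "anything else needs a LOGON" holds only once the remaining MVS.* command resources have profiles of their own.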



Re: Console Logon timeout?

2009-08-18 Thread Clifford McNeill
I think the ability to refresh console definitions without an ipl would be 
useful.

Clifford McNeill
 
 Date: Tue, 18 Aug 2009 10:02:16 -0400
 From: ken.porow...@cit.com
 Subject: Re: Console Logon timeout?
 To: IBM-MAIN@bama.ua.edu
 
 Barbara,
 
 We have LOGON(AUTO) set and OPERCMDS protection on the console name as
 userid. We allow control (K) and display (D) commands from the
 default userid. Anything else needs a LOGON. Consoles are set RD
 with roll time 1/4. What I've noticed is that at IPL time any command
 can be issued without a logon until a certain point (I assume once our
 security package is fully operational). After the IPL we manually set K
 S,DEL=R although we could probably put in some sort of automation for
 after IPL to do the same. So far no issues.
 
 Peter,
 - Logoff users after period of inactivity.
 - Concurrent user logon to multiple consoles.
 Would be the 2 I would like to see and maybe ignore K E,1 and K when
 there is nothing to delete. 
 
 Ken Porowski
 AVP Systems Software
 CIT Group
 E: ken.porow...@cit.com
 
 
 
 -----Original Message-----
 Barbara Nitz
 
 Hi Peter,
 
 nice to see you're still working in this area! :-)
 
 We may have a future opportunity to make some changes in this area of 
 the code. While we're in there, what would you like to see changed?
 
 - Logoff users after period of inactivity.
 This should be configurable. autologoff would cause a lot of complaints
 here.
 
 - Concurrent user logon to multiple consoles.
 - Anything else??
 
 What I would really like to have is the ability to issue a K E,1 command
 *without* logging on. Or better yet, being able to set the console into
 roll mode *without* logon. On those pesky weekend IPLs I get to do I
 tend to forget that I can use my own id to logon to the console and
 never remember the supposed name of the console, much more the password
 for that console name. Unfortunately, they all come up with del=rd and
 rtme=1, which isn't really nice during IPL and usually leads to WTO
 buffer shortages. At which point automation issues the commands. 
 
 Without the need for commands, I would also go for a new parm in
 consolxx per console that allows to reset the console to del=rd and the
 specified rtme
 *after* IPL is through. (I know, how does one define the point where an
 IPL is done? Especially, as IPL are the few architected hardware
 instructions...)
 
 Also, I would not allow even display commands without logon. If someone
 knows enough to be able to issue a valid display command, they can spy
 on things. 
 
 Best regards, Barbara Nitz
 


Re: Console Logon timeout?

2009-08-18 Thread Hal Merritt
I'll second that!

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Clifford McNeill
Sent: Tuesday, August 18, 2009 11:08 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Console Logon timeout?

I think the ability to refresh console definitions without an ipl would be 
useful.

Clifford McNeill
 
 


Re: Console Logon timeout?

2009-08-18 Thread Edward Jaffe

R.S. wrote:
> Edward Jaffe wrote:
>> Peter, this might not be in the same area of code but...
>>
>> It would be nice to be able to associate a default SAF userid with
>> consoles that have not yet logged on. That way, OPERCMDS resources
>> can be used to protect commands issued from those consoles.
>
> LOGON(AUTO) in CONSOLxx. It is available for many years.


No. I was asking for a default SAF UTOKEN to be supplied when a console 
is not logged on. The LOGON(AUTO) solution tries to ensure that consoles 
are always logged on--a different concept altogether, and one that is an 
incomplete solution.


LOGON(AUTO) requires you to define userids for all of your 
consoles--potentially hundreds of them. When I was playing around with 
this, I noticed that commands issued from LOGON(AUTO) consoles without 
an associated userid would get security failures for a user called 
'+CONSOLE'. I thought if I could define that user to RACF, that would 
provide the default capability I was looking for. Alas, the define of 
userids starting with '+' is prohibited.


Also, I have been unable to make LOGON(AUTO) work with SYSCONS aka the 
Operating System Messages on the HMC/SE. As shown in my Console Me 
SHARE presentation, no matter how you try to log on, you get:


IEE847I LOGON NOT VALID FOR EXTENDED MCS CONSOLE

--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
edja...@phoenixsoftware.com
http://www.phoenixsoftware.com/



Re: Console Logon timeout?

2009-08-18 Thread David Andrews
On Tue, 2009-08-18 at 12:07 -0400, Clifford McNeill wrote:
 I think the ability to refresh console definitions without an ipl
 would be useful.

Oh very yes, that's the first thing I thought of.  But I'm not sure
that's in the area that Peter was talking about.

-- 
David Andrews
A. Duda and Sons, Inc.
david.andr...@duda.com



Re: Console Logon timeout?

2009-08-18 Thread Ken Porowski
Maybe not but if he wants a wish list 
I appreciate that he is asking the group rather than wait for a SHARE
requirement or some such.
Of course such requests may never be implemented but at least he's
asking. 

-----Original Message-----
David Andrews

On Tue, 2009-08-18 at 12:07 -0400, Clifford McNeill wrote:
 I think the ability to refresh console definitions without an ipl 
 would be useful.

Oh very yes, that's the first thing I thought of.  But I'm not sure
that's in the area that Peter was talking about.

--
David Andrews
A. Duda and Sons, Inc.
david.andr...@duda.com


We may have a future opportunity to make some changes in this area of
the code.  While we're in there, what would you like to see changed?

- Logoff users after period of inactivity.
- Concurrent user logon to multiple consoles.
- Anything else??

Peter Fatzinger
z/OS Core Components Development and Service



Re: Console Logon timeout?

2009-08-18 Thread R.S.

Edward Jaffe wrote:
> R.S. wrote:
>> Edward Jaffe wrote:
>>> Peter, this might not be in the same area of code but...
>>>
>>> It would be nice to be able to associate a default SAF userid with
>>> consoles that have not yet logged on. That way, OPERCMDS resources
>>> can be used to protect commands issued from those consoles.
>>
>> LOGON(AUTO) in CONSOLxx. It is available for many years.
>
> No. I was asking for a default SAF UTOKEN to be supplied when a console
> is not logged on. The LOGON(AUTO) solution tries to ensure that consoles
> are always logged on--a different concept altogether, and one that is an
> incomplete solution.
>
> LOGON(AUTO) requires you to define userids for all of your
> consoles--potentially hundreds of them. When I was playing around with
> this, I noticed that commands issued from LOGON(AUTO) consoles without
> an associated userid would get security failures for a user called
> '+CONSOLE'. I thought if I could define that user to RACF, that would
> provide the default capability I was looking for. Alas, the define of
> userids starting with '+' is prohibited.
>
> Also, I have been unable to make LOGON(AUTO) work with SYSCONS aka the
> Operating System Messages on the HMC/SE. As shown in my Console Me
> SHARE presentation, no matter how you try to log on, you get:
>
> IEE847I LOGON NOT VALID FOR EXTENDED MCS CONSOLE


OK, now I understand your requirement. And I fully support it.
I would like to define a generic console userid for this purpose.
Specified as parameter in CONSOLxx.


BTW: I also miss full console capabilities of SYSCONS.
--
Radoslaw Skorupka
Lodz, Poland




Re: Console Logon timeout?

2009-08-18 Thread W. Kevin Kelley
On Tue, 18 Aug 2009 15:20:15 -0400, Ken Porowski 
ken.porow...@cit.com wrote:

> Maybe not but if he wants a wish list
> I appreciate that he is asking the group rather than wait for a SHARE
> requirement or some such.
> Of course such requests may never be implemented but at least he's
> asking.


I would encourage you to submit SHARE requirements as well since they carry 
a lot more weight with the business folks than requests on a forum.

W. Kevin Kelley  IBM POK Lab -- z/OS Core System Development
 



Re: Console Logon timeout?

2009-08-18 Thread W. Kevin Kelley
On Tue, 18 Aug 2009 14:49:07 -0400, David Andrews 
d...@lists.duda.com wrote:

> On Tue, 2009-08-18 at 12:07 -0400, Clifford McNeill wrote:
>> I think the ability to refresh console definitions without an ipl
>> would be useful.
>
> Oh very yes, that's the first thing I thought of.  But I'm not sure
> that's in the area that Peter was talking about.

It's not, but don't let that stop you from submitting it as a requirement.

W. Kevin Kelley -- IBM POK Lab -- z/OS Core Technical Development



Re: Console Logon timeout?

2009-08-18 Thread W. Kevin Kelley
On Mon, 17 Aug 2009 11:54:07 -0500, Elardus Engelbrecht 
elardus.engelbre...@sita.co.za wrote:


> Another possibility is to reroute console messages to another alternate
> console upon logoff?

Console Switch never worked well and we were very glad that we were finally
able to get rid of it as part of the Console Restructure. I don't think you
will be able to convince us to bring anything like it back.

W. Kevin Kelley -- IBM POK Lab -- z/OS Core Technical Development



Re: Console Logon timeout?

2009-08-18 Thread Bruce Hewson
Hello Peter,

A Reconnect function, or a logon here, function, when you accidentally lose 
the connection.

A simple remote LOGOFF function, so that any active console user can be 
logged off the system, from any other console. (of course RACF protectable!)

- Logoff users after period of inactivity.  <== Yes Please
- Concurrent user logon to multiple consoles.   <== not so much, but OK.

On Mon, 17 Aug 2009 10:34:14 -0500, Peter Fatzinger f...@us.ibm.com 
wrote:

> We may have a future opportunity to make some changes in this area of the
> code.  While we're in there, what would you like to see changed?
>
> - Logoff users after period of inactivity.
> - Concurrent user logon to multiple consoles.
> - Anything else??
>
> Peter Fatzinger
> z/OS Core Components Development and Service



Regards
Bruce Hewson



Re: Console Logon timeout?

2009-08-18 Thread Barbara Nitz
> Check out the INIT LOGLIM(  ) statement in CONSOLxx

Set to 1. The WTO buffer shortage I am talking about is not caused by
JES2 not being up yet (and hence not taking the syslog buffer from IPL), it is
caused by consoles defined with rtme=1 and del=rd (and yes, I know I can
change those values to something else, doesn't help - operating opposes this
quite loudly! They don't want to set the consoles to their preferred
operational values later.)

The display area is further diminished by some of the set prog=xx commands 
that add things to LPA. The response messages to that always come out like 
the response to a command just typed in (and not flowing away in hardcopy), 
which makes the area to roll lines even smaller. 

Besides, when a sysprog monitors the IPL, it is usually because changes were
made and we need to check if there are problems. It is really hard to sit in
front of the console and wait for the messages to scrawl by. (Hence my wish
to be able to use K to change rtme and del to *my* preferred values.) So I at
least usually use my TSO/SDSF session to check the log, and hence forget
that the console might not have an area to display anything anymore,
resulting in first the buffer buildup and then the wto buffer shortage. At
which point automation resets the console. In my opinion, the buildup isn't
necessary and should be prevented, if possible. The convoluted situation I
find myself in notwithstanding.

LOGON(AUTO) is a definite no-no, Audit insists on LOGON(REQUIRED). 

>> I think the ability to refresh console definitions without an ipl
>> would be useful.
>
> Oh very yes, that's the first thing I thought of.

Can you elaborate what you mean by 'refresh console definitions without an
IPL'? Do you mean addition and deletion of consoles? Or do you mean console
attributes?

Best regards, Barbara



Re: Console Logon timeout?

2009-08-17 Thread Peter Fatzinger
We may have a future opportunity to make some changes in this area of the 
code.  While we're in there, what would you like to see changed?

- Logoff users after period of inactivity.
- Concurrent user logon to multiple consoles.
- Anything else??

Peter Fatzinger
z/OS Core Components Development and Service



Re: Console Logon timeout?

2009-08-17 Thread Elardus Engelbrecht
Peter Fatzinger wrote:

> We may have a future opportunity to make some changes in this area of the
> code.  While we're in there, what would you like to see changed?
>
> - Logoff users after period of inactivity.
> - Concurrent user logon to multiple consoles.
> - Anything else??

What about this: after the id has been logged off, then only allow 'display'
commands without logons? If someone does need for example a 'SET SMF='
command, a logon is required. I'm thinking of selective acceptance of
commands based on logon/logoff status.

Another possibility is to reroute console messages to another alternate 
console upon logoff?

Am I asking too much? :-D

Thanks for soliciting requests via IBM-MAIN.

Groete / Greetings
Elardus Engelbrecht



Re: Console Logon timeout?

2009-08-17 Thread R.S.

Elardus Engelbrecht wrote:

> Peter Fatzinger wrote:
>
>> We may have a future opportunity to make some changes in this area of the
>> code.  While we're in there, what would you like to see changed?
>>
>> - Logoff users after period of inactivity.
>> - Concurrent user logon to multiple consoles.
>> - Anything else??
>
> What about this: after the id has been logged off, then only allow 'display'
> commands without logons? If someone does need for example a 'SET SMF='
> command, a logon is required. I'm thinking of selective acceptance of
> commands based on logon/logoff status.
>
> Another possibility is to reroute console messages to another alternate
> console upon logoff?
>
> Am I asking too much? :-D


You ask for something which is available FOR YEARS.
It is enough to define console with LOGON(AUTO) or LOGON(REQUIRED).
In case of REQUIRED your console does not support ANY commands 
(including DISPLAYs) until you log on.
In case of AUTO the console has a userid assigned (similar mechanism to 
STARTED class profile), but you can re-logon to your own userid. Default 
userid can be allowed to do DISPLAY or any other actions of your choice 
(OPERCMDS).


my $0.02
We lack auto-logoff function and possibility to logon on multiple 
consoles concurrently. The last function could be enabled by some 
software switch (possibly SETR) to keep compatibility


--
Radoslaw Skorupka
Lodz, Poland




Re: Console Logon timeout?

2009-08-17 Thread Edward Jaffe

Peter Fatzinger wrote:

> We may have a future opportunity to make some changes in this area of the
> code.  While we're in there, what would you like to see changed?
>
> - Logoff users after period of inactivity.
> - Concurrent user logon to multiple consoles.
> - Anything else??

Peter, this might not be in the same area of code but...

It would be nice to be able to associate a default SAF userid with 
consoles that have not yet logged on. That way, OPERCMDS resources can 
be used to protect commands issued from those consoles.


--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
edja...@phoenixsoftware.com
http://www.phoenixsoftware.com/



Re: Console Logon timeout?

2009-08-17 Thread Barbara Nitz
Hi Peter,

nice to see you're still working in this area! :-)

> We may have a future opportunity to make some changes in this area of the
> code.  While we're in there, what would you like to see changed?
>
> - Logoff users after period of inactivity.

This should be configurable. autologoff would cause a lot of complaints here.

> - Concurrent user logon to multiple consoles.
> - Anything else??

What I would really like to have is the ability to issue a K E,1 command
*without* logging on. Or better yet, being able to set the console into roll
mode *without* logon. On those pesky weekend IPLs I get to do I tend to
forget that I can use my own id to logon to the console and never remember
the supposed name of the console, much more the password for that console
name. Unfortunately, they all come up with del=rd and rtme=1, which isn't
really nice during IPL and usually leads to WTO buffer shortages. At which
point automation issues the commands.

Without the need for commands, I would also go for a new parm in consolxx 
per console that allows to reset the console to del=rd and the specified rtme 
*after* IPL is through. (I know, how does one define the point where an IPL is 
done? Especially, as IPL are the few architected hardware instructions...)

Also, I would not allow even display commands without logon. If someone 
knows enough to be able to issue a valid display command, they can spy on 
things. 

Best regards, Barbara Nitz



Re: Console Logon timeout?

2009-08-16 Thread Edward Jaffe

Vernooij, CP - SPLXM wrote:

> We are considering moving the opposite way: eliminate console logon.
> The consoles are in a highly controlled area, where only operators come.
> Passwords must be carried over from shift to shift, so they are easy to
> remember, shouted through the room, widely known and hardly add any
> security. Because of further minor inconveniences caused by these
> passwords, we consider eliminating them.


Keep in mind that allowing not-logged-on consoles exposes you to, what 
some might call, a gaping hole in z/OS security. I discussed this in the 
short subject entitled Console Me in Bit Bucket x'23' from SHARE in 
Orlando.


--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
edja...@phoenixsoftware.com
http://www.phoenixsoftware.com/



Re: Console Logon timeout?

2009-08-13 Thread Vernooij, CP - SPLXM


Wissink, Brad [ITSYS] bjwi...@iastate.edu wrote in message
news:d827850abe9b7143b0a8d00087200b8c02d58...@exchs018.its.iastate.edu
...
> We are moving our operations staff to another building from where our
> processor is.  Due to this change we are looking at making operations
> logon to the consoles.  One thing I don't see is a timeout that would
> logoff an operator after some time period.  Is there such a thing?  Do
> most shops auto logon the console or make their staff logon?  Any
> concerns, experience or gotcha's would be appreciated.
>
> Brad Wissink

We are considering moving the opposite way: eliminate console logon.
The consoles are in a highly controlled area, where only operators come.
Passwords must be carried over from shift to shift, so they are easy to
remember, shouted through the room, widely known and hardly add any
security. Because of further minor inconveniences caused by these
passwords, we consider eliminating them.
Your situation might differ of course, but generally you would
protect/control physical access to those and other devices in the same
room, hence to the room.

Gotchas: we use TSS and had some chicken-and-egg situation where the
operator had to logon to the console, but TSS was waiting for an
operator action but not yet accepting (logon) commands from the console.

Kees.


Re: Console Logon timeout?

2009-08-13 Thread Ken Porowski
AFAIK there is no built in timeout function.

We put one together with our auto ops package (Control/O from BMC) that
notices a logon then issues a logoff after 30 minutes.  Timer is
cancelled if the operator performs their own logoff.

We do run with LOGON=AUTO but commands are protected (Top Secret from
CA) and only display commands are allowed from the default userid.

Only issue we found was that within a plex you could only be logged on
to one console at a time and that it was possible to strand yourself
when shutting down one system if you didn't logoff and had to wait for
the IPL to free your userid.

Ken Porowski
AVP Systems Software
CIT Group
E: ken.porow...@cit.com


-Original Message-
Wissink, Brad [ITSYS]

We are moving our operations staff to another building from where our
processor is.  Due to this change we are looking at making operations
logon to the consoles.  One thing I don't see is a timeout that would
logoff an operator after some time period.  Is there such a thing?   Do
most shops auto logon the console or make their staff logon?  Any
concerns, experience or gotcha's would be appreciated.

Brad Wissink
Information Technology Services
Iowa State University
515-294-3088

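The timed logoff described in Ken Porowski's message above (a 30-minute timer started at logon and cancelled by the operator's own logoff, with a userid held by only one console at a time in the plex) can be modeled as follows. This is an added example, not code from the thread or from any automation product; the console names, userids, event tuples and the `ConsoleSessions`/`replay` names are constructed for illustration, and all consoles are assumed to sit in one sysplex.

```python
from dataclasses import dataclass, field

LOGOFF_AFTER_MIN = 30  # timer length quoted in the post


@dataclass
class ConsoleSessions:
    """Hypothetical model of the automation rule; all names are illustrative."""
    active: dict = field(default_factory=dict)   # console -> (userid, logon minute)
    actions: list = field(default_factory=list)  # what the automation did, and when

    def _fire_due_timers(self, now):
        due = sorted((t + LOGOFF_AFTER_MIN, c, u)
                     for c, (u, t) in self.active.items()
                     if t + LOGOFF_AFTER_MIN <= now)
        for when, console, user in due:
            del self.active[console]
            self.actions.append((when, "AUTO-LOGOFF", console, user))

    def event(self, now, kind, console, user=None):
        self._fire_due_timers(now)
        if kind == "LOGON":
            # One console per userid within the plex, as the post reports.
            elsewhere = [c for c, (u, _) in self.active.items()
                         if u == user and c != console]
            if elsewhere:
                self.actions.append((now, "LOGON-REJECTED", console, user))
            else:
                self.active[console] = (user, now)  # starts (or restarts) the timer
        elif kind == "LOGOFF":
            self.active.pop(console, None)  # operator's own logoff cancels the timer


def replay(events, end_minute):
    """Feed (minute, kind, console, userid) events; return (actions, still_active)."""
    sessions = ConsoleSessions()
    for ev in events:
        sessions.event(*ev)
    sessions._fire_due_timers(end_minute)
    return sessions.actions, sessions.active


# Constructed sample events, not taken from any real SYSLOG.
SAMPLE = [
    (0, "LOGON", "SYSA01", "OPER1"),
    (10, "LOGON", "SYSB01", "OPER1"),   # rejected: OPER1 still holds SYSA01
    (12, "LOGON", "SYSB01", "OPER2"),
    (20, "LOGOFF", "SYSB01", "OPER2"),  # timer for OPER2 cancelled
    (45, "LOGON", "SYSB01", "OPER1"),   # accepted: SYSA01 was logged off at minute 30
]
```

The rejected logon at minute 10 is the stranding case from the message: until the timer or an IPL frees the userid, the operator cannot log on at a second console.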