Re: Console Logon timeout?
On Tue, 18 Aug 2009 10:39:28 -0700 Edward Jaffe edja...@phoenixsoftware.com wrote: :R.S. wrote: : Edward Jaffe pisze: : Peter, this might not be in the same area of code but... : It would be nice to be able to associate a default SAF userid with : consoles that have not yet logged on. That way, OPERCMDS resources : can be used to protect commands issued from those consoles. : LOGON(AUTO) in CONSOLxx. It is available for many years. :No. I was asking for a default SAF UTOKEN to be supplied when a console :is not logged on. The LOGON(AUTO) solution tries to ensure that consoles :are always logged on--a different concept altogether, and one that is an :incomplete solution. :LOGON(AUTO) requires you to define userids for all of your :consoles--potentially hundreds of them. When I was playing around with :this, I noticed that commands issued from LOGON(AUTO) consoles without :an associated userid would get security failures for a user called :'+CONSOLE'. I thought if I could define that user to RACF, that would :provide the default capability I was looking for. Alas, the define of :userids starting with '+' is prohibited. Not that hard to make a SAF/RACF exit to change +CONSOLE to something else. :Also, I have been unable to make LOGON(AUTO) work with SYSCONS aka the :Operating System Messages on the HMC/SE. As shown in my Console Me :SHARE presentation, no matter how you try to log on, you get: :IEE847I LOGON NOT VALID FOR EXTENDED MCS CONSOLE -- Binyamin Dissen bdis...@dissensoftware.com http://www.dissensoftware.com Director, Dissen Software, Bar Grill - Israel Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain. I very rarely bother responding to challenge/response systems, especially those from irresponsible companies. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
On Wed, 19 Aug 2009 00:34:28 -0500, Barbara Nitz nitz-...@gmx.net wrote: Besides, when a sysprog monitors the IPL, it is usually because changes were made and we need to check if there are problems, It is really hard to sit in front of the console and wait for the messages to scrawl by. (Hence my wish to be able to use K to change rtme and del to *my* preferred values.) I'm sure this isn't in the area being looked at, but it made me think... It might be nice if there was an IPL parm / option to have the NIP messages stop and prompt you to continue when a screen fills up similar to SAD. With emulated consoles, the messages scroll by so fast it can be nearly impossible to look for something you want to see except after the fact by examining the syslog / operlog.The only other option is to disconnect the consoles and use the HMC, which you can scroll. Mark -- Mark Zelden Sr. Software and Systems Architect - z/OS Team Lead Zurich North America / Farmers Insurance Group - ZFUS G-ITO mailto:mark.zel...@zurichna.com z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/ Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Force logon after x number of hours. (so they don't just keep using the id that logged on at IPL time despite many shift changes !) Jerry Whitteridge Mainframe Engineering Safeway Inc 925 951 4184 jerry.whitteri...@safeway.com If everything seems under control, you're just not going fast enough. -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Peter Fatzinger Sent: Monday, August 17, 2009 8:34 AM To: IBM-MAIN@bama.ua.edu Subject: Re: Console Logon timeout? We may have a future opportunity to make some changes in this area of the code. While we're in there, what would you like to see changed? - Logoff users after period of inactivity. - Concurrent user logon to multiple consoles. - Anything else?? Peter Fatzinger z/OS Core Components Development and Service -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html Email Firewall made the following annotations. -- Warning: All e-mail sent to this address will be received by the corporate e-mail system, and is subject to archival and review by someone other than the recipient. This e-mail may contain proprietary information and is intended only for the use of the intended recipient(s). If the reader of this message is not the intended recipient(s), you are notified that you have received this message in error and that any review, dissemination, distribution or copying of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately. == -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
It might be nice if there was an IPL parm / option to have the NIP messages stop and prompt you to continue when a screen fills up similar to SAD. With emulated consoles, the messages scroll by so fast it can be nearly impossible to look for something you want to see except after the fact by examining the syslog / operlog.The only other option is to disconnect the consoles and use the HMC, which you can scroll. SAD does that? (Stop and prompt, I mean) I guess only on a 'real' console, not on the HMC, right? The last sadumps I have taken were all taken using the HMC, so I haven't noticed that prompt. musings on Before MCS consoles become available (iea549i), there are about 670 NIP message lines on the system I just looked at, and the usual bits for suppression don't work before console address space id full yfunctional. Assuming 25 lines per screen (for easier division) that means about 27 or 28 prompts, depending on the amount of XCF signalling messages you get. Also, *before* MCS consoles, we are talking synchdest WTORs (IIRC), which means the system doesn't go on with the IPL until the prompt has been answered. Considering what havoc a half-XCF-init'd system can cause because it cannot answer to signalling anymore while waiting for the operator to reply, I would agree, that yes, it would be nice to be able to 'see' these messages, but I think it is unlikely that IBM would implement something like this. In those 670 lines there isn't the message that says the bpxprmxx was found and read. And I know for a fact that a syntax error in that member will cause a synchdest wtor prompting for a correct member. (Guess how the syntax checker for bpxprm was 'invented' - after outage of a productive sysplex because the test system was IPL'd and had a syntax error in bpxprm. Operating did not notice the WTOR, the system did not update its heartbeat anymore, XCF message buffers rapidly built up, things got disrupted.) So the 'NIP' messages may not even be finished after those 670 lines in my example. musings off But thanks for pointing me to check the consolxx messages during NIP - cleanup is necessary there! :-( Regards, Barbara -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Edward Jaffe pisze: Peter Fatzinger wrote: We may have a future opportunity to make some changes in this area of the code. While we're in there, what would you like to see changed? - Logoff users after period of inactivity. - Concurrent user logon to multiple consoles. - Anything else?? Peter, this might not be in the same area of code but... It would be nice to be able to associate a default SAF userid with consoles that have not yet logged on. That way, OPERCMDS resources can be used to protect commands issued from those consoles. LOGON(AUTO) in CONSOLxx. It is available for many years. -- Radoslaw Skorupka Lodz, Poland -- BRE Bank SA ul. Senatorska 18 00-950 Warszawa www.brebank.pl Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 025237 NIP: 526-021-50-88 Wedug stanu na dzie 01.01.2009 r. kapita zakadowy BRE Banku SA (w caoci wpacony) wynosi 118.763.528 zotych. W zwizku z realizacj warunkowego podwyszenia kapitau zakadowego, na podstawie uchway XXI WZ z dnia 16 marca 2008r., oraz uchway XVI NWZ z dnia 27 padziernika 2008r., moe ulec podwyszeniu do kwoty 123.763.528 z. Akcje w podwyszonym kapitale zakadowym BRE Banku SA bd w caoci opacone. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Barbara Nitz wrote: ...Unfortunately, they all come up with del=rd and rtme=1, which isn't really nice during IPL and usually leads to WTO buffer shortages. At which point automation issues the commands. I just ran into the same issue. Check out the INIT LOGLIM( ) statement in CONSOLExx HTH, Barbara Nitz -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Barbara, You can specify RTME=1/4 in CONSOL00 - that helps a lot. Alan -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Barbara Nitz What I would really like to have is the ability to issue a K E,1 command *without* logging on. Or better yet, being able to set the console into roll mode *without* logon. On those pesky weekends IPLs I get to do I tend to forget that I can use my own id to logon to the console and never remember the supposed name of the console, much more the passowrd for that console name. Unfortunately, they all come up with del=rd and rtme=1, which isn't really nice during IPL and usually leads to WTO buffer shortages. At which point automation issues the commands. Without the need for commands, I would also go for a new parm in consolxx per console that allows to reset the console to del=rd and the specified rtme *after* IPL is through. (I know, how does one define the point where an IPL is done? Especially, as IPL are the few architected hardware instructions...) Also, I would not allow even display commands without logon. If someone knows enough to be able to issue a valid display command, they can spy on things. Best regards, Barbara Nitz -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
First - I would request that the period of inactivity be configurable and that may already be planned. Second - I have not played with the way console autologon works (so it may already be working this way) I would like to be able to set up the console to be a specific user so I can give it specific commands (display type usually), then if a more intrusive command is needed, the user would have to logon with their own identity and do the command. When the user either logs off or times out, the console would drop back to the autologon identity. -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Peter Fatzinger Sent: Monday, August 17, 2009 10:34 AM To: IBM-MAIN@bama.ua.edu Subject: Re: Console Logon timeout? We may have a future opportunity to make some changes in this area of the code. While we're in there, what would you like to see changed? - Logoff users after period of inactivity. - Concurrent user logon to multiple consoles. - Anything else?? Peter Fatzinger z/OS Core Components Development and Service -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Barbara, We have LOGON(AUTO) set and OPERCMDS protection on the console name as userid. We allow control (K) and display (D) commands from the default userid. Anything else needs a LOGON. Consoles are set RD with roll time 1/4. What I've noticed is that at IPL time any command can be issued without a logon until a certain point (I assume once our security package is fully operational). After the IPL we manually set K S,DEL=R although we could probably put in some sort of automation for after IPL to do the same. So far no issues. Peter, - Logoff users after period of inactivity. - Concurrent user logon to multiple consoles. Would be the 2 I would like to see and maybe ignore K E,1 and K when there is nothing to delete. Ken Porowski AVP Systems Software CIT Group E: ken.porow...@cit.com -Original Message- Barbara Nitz Hi Peter, nice to see you're still working in this area! :-) We may have a future opportunity to make some changes in this area of the code. While we're in there, what would you like to see changed? - Logoff users after period of inactivity. This should be configurable. autologoff would cause a lot of complaints here. - Concurrent user logon to multiple consoles. - Anything else?? What I would really like to have is the ability to issue a K E,1 command *without* logging on. Or better yet, being able to set the console into roll mode *without* logon. On those pesky weekends IPLs I get to do I tend to forget that I can use my own id to logon to the console and never remember the supposed name of the console, much more the passowrd for that console name. Unfortunately, they all come up with del=rd and rtme=1, which isn't really nice during IPL and usually leads to WTO buffer shortages. At which point automation issues the commands. Without the need for commands, I would also go for a new parm in consolxx per console that allows to reset the console to del=rd and the specified rtme *after* IPL is through. (I know, how does one define the point where an IPL is done? Especially, as IPL are the few architected hardware instructions...) Also, I would not allow even display commands without logon. If someone knows enough to be able to issue a valid display command, they can spy on things. Best regards, Barbara Nitz -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Chris, It already works that way. When you have LOGON(AUTO) specified for consoles, when the console becomes active, it is signed on under a UserID that matches the console name. (If that ID does not exist, or is revoked, the signon will of course fail.) You can permit the Console UserID directly, or via group, to whatever OPERCMDS resources you deem appropriate. You can also choose to permit any ID logged on to that console as well. Hayim _ Hayim Sokolsky, CISSP Mainframe Security Architect DTCC Corporate Information Security 18301 Bermuda Green Dr, MS 1-CIS Tampa FL 33647-1760 Tel. (813) 470-2177 Chris Nelson chris.nelson.b...@statefarm.com Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu 2009.08.18 09:57 Please respond to IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu To IBM-MAIN@bama.ua.edu cc Subject Re: Console Logon timeout? First - I would request that the period of inactivity be configurable and that may already be planned. Second - I have not played with the way console autologon works (so it may already be working this way) I would like to be able to set up the console to be a specific user so I can give it specific commands (display type usually), then if a more intrusive command is needed, the user would have to logon with their own identity and do the command. When the user either logs off or times out, the console would drop back to the autologon identity. -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Peter Fatzinger Sent: Monday, August 17, 2009 10:34 AM To: IBM-MAIN@bama.ua.edu Subject: Re: Console Logon timeout? We may have a future opportunity to make some changes in this area of the code. While we're in there, what would you like to see changed? - Logoff users after period of inactivity. - Concurrent user logon to multiple consoles. - Anything else?? Peter Fatzinger z/OS Core Components Development and Service -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html BR_ FONT size=2BR DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email./FONT -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
I think the ability to refresh console definitions without an ipl would be useful. Clifford McNeill Date: Tue, 18 Aug 2009 10:02:16 -0400 From: ken.porow...@cit.com Subject: Re: Console Logon timeout? To: IBM-MAIN@bama.ua.edu Barbara, We have LOGON(AUTO) set and OPERCMDS protection on the console name as userid. We allow control (K) and display (D) commands from the default userid. Anything else needs a LOGON. Consoles are set RD with roll time 1/4. What I've noticed is that at IPL time any command can be issued without a logon until a certain point (I assume once our security package is fully operational). After the IPL we manually set K S,DEL=R although we could probably put in some sort of automation for after IPL to do the same. So far no issues. Peter, - Logoff users after period of inactivity. - Concurrent user logon to multiple consoles. Would be the 2 I would like to see and maybe ignore K E,1 and K when there is nothing to delete. Ken Porowski AVP Systems Software CIT Group E: ken.porow...@cit.com -Original Message- Barbara Nitz Hi Peter, nice to see you're still working in this area! :-) We may have a future opportunity to make some changes in this area of the code. While we're in there, what would you like to see changed? - Logoff users after period of inactivity. This should be configurable. autologoff would cause a lot of complaints here. - Concurrent user logon to multiple consoles. - Anything else?? What I would really like to have is the ability to issue a K E,1 command *without* logging on. Or better yet, being able to set the console into roll mode *without* logon. On those pesky weekends IPLs I get to do I tend to forget that I can use my own id to logon to the console and never remember the supposed name of the console, much more the passowrd for that console name. Unfortunately, they all come up with del=rd and rtme=1, which isn't really nice during IPL and usually leads to WTO buffer shortages. At which point automation issues the commands. Without the need for commands, I would also go for a new parm in consolxx per console that allows to reset the console to del=rd and the specified rtme *after* IPL is through. (I know, how does one define the point where an IPL is done? Especially, as IPL are the few architected hardware instructions...) Also, I would not allow even display commands without logon. If someone knows enough to be able to issue a valid display command, they can spy on things. Best regards, Barbara Nitz -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html _ Hotmail® is up to 70% faster. Now good news travels really fast. http://windowslive.com/online/hotmail?ocid=PID23391::T:WLMTAGL:ON:WL:en-US:WM_HYGN_faster:082009 -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
I'll second that! -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Clifford McNeill Sent: Tuesday, August 18, 2009 11:08 AM To: IBM-MAIN@bama.ua.edu Subject: Re: Console Logon timeout? I think the ability to refresh console definitions without an ipl would be useful. Clifford McNeill NOTICE: This electronic mail message and any files transmitted with it are intended exclusively for the individual or entity to which it is addressed. The message, together with any attachment, may contain confidential and/or privileged information. Any unauthorized review, use, printing, saving, copying, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email and delete all copies. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
R.S. wrote: Edward Jaffe pisze: Peter, this might not be in the same area of code but... It would be nice to be able to associate a default SAF userid with consoles that have not yet logged on. That way, OPERCMDS resources can be used to protect commands issued from those consoles. LOGON(AUTO) in CONSOLxx. It is available for many years. No. I was asking for a default SAF UTOKEN to be supplied when a console is not logged on. The LOGON(AUTO) solution tries to ensure that consoles are always logged on--a different concept altogether, and one that is an incomplete solution. LOGON(AUTO) requires you to define userids for all of your consoles--potentially hundreds of them. When I was playing around with this, I noticed that commands issued from LOGON(AUTO) consoles without an associated userid would get security failures for a user called '+CONSOLE'. I thought if I could define that user to RACF, that would provide the default capability I was looking for. Alas, the define of userids starting with '+' is prohibited. Also, I have been unable to make LOGON(AUTO) work with SYSCONS aka the Operating System Messages on the HMC/SE. As shown in my Console Me SHARE presentation, no matter how you try to log on, you get: IEE847I LOGON NOT VALID FOR EXTENDED MCS CONSOLE -- Edward E Jaffe Phoenix Software International, Inc 5200 W Century Blvd, Suite 800 Los Angeles, CA 90045 310-338-0400 x318 edja...@phoenixsoftware.com http://www.phoenixsoftware.com/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
On Tue, 2009-08-18 at 12:07 -0400, Clifford McNeill wrote: I think the ability to refresh console definitions without an ipl would be useful. Oh very yes, that's the first thing I thought of. But I'm not sure that's in the area that Peter was talking about. -- David Andrews A. Duda and Sons, Inc. david.andr...@duda.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Maybe not but if he wants a wish list I appreciate that he is asking the group rather than wait for a SHARE requirement or some such. Of course such requests may never be implemented but at least he's asking. -Original Message- David Andrews On Tue, 2009-08-18 at 12:07 -0400, Clifford McNeill wrote: I think the ability to refresh console definitions without an ipl would be useful. Oh very yes, that's the first thing I thought of. But I'm not sure that's in the area that Peter was talking about. -- David Andrews A. Duda and Sons, Inc. david.andr...@duda.com We may have a future opportunity to make some changes in this area of the code. While we're in there, what would you like to see changed? - Logoff users after period of inactivity. - Concurrent user logon to multiple consoles. - Anything else?? Peter Fatzinger z/OS Core Components Development and Service -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Edward Jaffe pisze: R.S. wrote: Edward Jaffe pisze: Peter, this might not be in the same area of code but... It would be nice to be able to associate a default SAF userid with consoles that have not yet logged on. That way, OPERCMDS resources can be used to protect commands issued from those consoles. LOGON(AUTO) in CONSOLxx. It is available for many years. No. I was asking for a default SAF UTOKEN to be supplied when a console is not logged on. The LOGON(AUTO) solution tries to ensure that consoles are always logged on--a different concept altogether, and one that is an incomplete solution. LOGON(AUTO) requires you to define userids for all of your consoles--potentially hundreds of them. When I was playing around with this, I noticed that commands issued from LOGON(AUTO) consoles without an associated userid would get security failures for a user called '+CONSOLE'. I thought if I could define that user to RACF, that would provide the default capability I was looking for. Alas, the define of userids starting with '+' is prohibited. Also, I have been unable to make LOGON(AUTO) work with SYSCONS aka the Operating System Messages on the HMC/SE. As shown in my Console Me SHARE presentation, no matter how you try to log on, you get: IEE847I LOGON NOT VALID FOR EXTENDED MCS CONSOLE OK, now I understand your requirement. And I fully support it. I would like to define generic console userid for this purpose. Specified as parameter in CONSOLxx. BTW: I also miss full console capabilities of SYSCONS. -- Radoslaw Skorupka Lodz, Poland -- BRE Bank SA ul. Senatorska 18 00-950 Warszawa www.brebank.pl Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 025237 NIP: 526-021-50-88 Wedug stanu na dzie 01.01.2009 r. kapita zakadowy BRE Banku SA (w caoci wpacony) wynosi 118.763.528 zotych. W zwizku z realizacj warunkowego podwyszenia kapitau zakadowego, na podstawie uchway XXI WZ z dnia 16 marca 2008r., oraz uchway XVI NWZ z dnia 27 padziernika 2008r., moe ulec podwyszeniu do kwoty 123.763.528 z. Akcje w podwyszonym kapitale zakadowym BRE Banku SA bd w caoci opacone. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
On Tue, 18 Aug 2009 15:20:15 -0400, Ken Porowski ken.porow...@cit.com wrote: Maybe not but if he wants a wish list I appreciate that he is asking the group rather than wait for a SHARE requirement or some such. Of course such requests may never be implemented but at least he's asking. I would encourage you to submit SHARE requirements as well since they carry a lot more weight with the business folks than requests on a forum. W. Kevin Kelley IBM POK Lab -- z/OS Core System Development -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
On Tue, 18 Aug 2009 14:49:07 -0400, David Andrews d...@lists.duda.com wrote: On Tue, 2009-08-18 at 12:07 -0400, Clifford McNeill wrote: I think the ability to refresh console definitions without an ipl would be useful. Oh very yes, that's the first thing I thought of. But I'm not sure that's in the area that Peter was talking about. Its not, but don't let that stop you from submitting it as a requirement. W. Kevin Kelley -- IBM POK Lab -- z/OS Core Technical Development -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
On Mon, 17 Aug 2009 11:54:07 -0500, Elardus Engelbrecht elardus.engelbre...@sita.co.za wrote: Another possibility is to reroute console messages to another alternate console upon logoff? Console Switch never worked well and we were very glad that we were finally able to get rid of it as part of the Console Restructure. I don't think you will be able to convince us to bring anything like it back. W. Kevin Kelley -- IBM POK Lab -- z/OS Core Technical Development -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Hello Peter, A Reconnect function, or a logon here, function, when you accidentally lose the connection. A simple remote LOGOFF function, so that any active console user can be logged off the system, from any other console. (of course RACF protectable!) - Logoff users after period of inactivity. == Yes Please - Concurrent user logon to multiple consoles. == not so much, but OK. On Mon, 17 Aug 2009 10:34:14 -0500, Peter Fatzinger f...@us.ibm.com wrote: We may have a future opportunity to make some changes in this area of the code. While we're in there, what would you like to see changed? - Logoff users after period of inactivity. - Concurrent user logon to multiple consoles. - Anything else?? Peter Fatzinger z/OS Core Components Development and Service Regards Bruce Hewson -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Check out the INIT LOGLIM( ) statement in CONSOLExx Set to 1. The WTO buffer shortage I am talking about is not caused by JES2 not being up yet (and hence not taking the syslog buffer from IPL), it is caused by consoles defined with rtme=1 and del=rd (and yes, I know I can change those values to something else, doesn't help - operating opposes this quite loudly! They don't want to set the consoles to their preferred operational values later.) The display area is further diminished by some of the set prog=xx commands that add things to LPA. The response messages to that always come out like the response to a command just typed in (and not flowing away in hardcopy), which makes the area to roll lines even smaller. Besides, when a sysprog monitors the IPL, it is usually because changes were made and we need to check if there are problems, It is really hard to sit in front of the console and wait for the messages to scrawl by. (Hence my wish to be able to use K to change rtme and del to *my* preferred values.) So I at least usually use my TSO/SDSF session to check the log, and hence forget that the console might not have an area to display anything anymore, resulting in first the buffer buildup and then the wto buffer shortage. At which point automation resets the console. In my opinion, the buildup isn't necessary and should be prevented, if possible. The convoluted situation I find myself in not withstanding. LOGON(AUTO) is a definite no-no, Audit insists on LOGON(REQUIRED). I think the ability to refresh console definitions without an ipl would be useful. Oh very yes, that's the first thing I thought of. Can you elaborate what you mean by 'refresh console defnitions without an IPL'? Do you mean addition and deletion of consoles? Or do you mean console attributes? Best regards, Barbara -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
We may have a future opportunity to make some changes in this area of the code. While we're in there, what would you like to see changed? - Logoff users after period of inactivity. - Concurrent user logon to multiple consoles. - Anything else?? Peter Fatzinger z/OS Core Components Development and Service -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Peter Fatzinger wrote: We may have a future opportunity to make some changes in this area of the code. While we're in there, what would you like to see changed? - Logoff users after period of inactivity. - Concurrent user logon to multiple consoles. - Anything else?? What about this: after the id has been logoff, then only allow 'display' commands without logons? If someone does need for example a 'SET SMF=' command, a logon is required. I'm thinking of selective acceptance of commands based on logon/logoff status. Another possibility is to reroute console messages to another alternate console upon logoff? Am I asking too much? :-D Thanks for soliciting requests via IBM-MAIN. Groete / Greetings Elardus Engelbrecht -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Elardus Engelbrecht pisze: Peter Fatzinger wrote: We may have a future opportunity to make some changes in this area of the code. While we're in there, what would you like to see changed? - Logoff users after period of inactivity. - Concurrent user logon to multiple consoles. - Anything else?? What about this: after the id has been logoff, then only allow 'display' commands without logons? If someone does need for example a 'SET SMF=' command, a logon is required. I'm thinking of selective acceptance of commands based on logon/logoff status. Another possibility is to reroute console messages to another alternate console upon logoff? Am I asking too much? :-D You ask for something which is available FOR YEARS. It is enough to define console with LOGON(AUTO) or LOGON(REQUIRED). In case of REQUIRED your console does not support ANY commands (including DISPLAYs) until you log on. In case of AUTO the console has a userid assigned (similar mechanism to STARTED class profile), but you can re-logon to your own userid. Default userid can be allowed to do DISPLAY or any other actions of your choice (OPERCMDS). my $0.02 We lack auto-logoff function and possibility to logon on multiple consoles concurrently. The last function could be enabled by some software switch (possibly SETR) to keep compatibility -- Radoslaw Skorupka Lodz, Poland -- BRE Bank SA ul. Senatorska 18 00-950 Warszawa www.brebank.pl Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 025237 NIP: 526-021-50-88 Wedug stanu na dzie 01.01.2009 r. kapita zakadowy BRE Banku SA (w caoci wpacony) wynosi 118.763.528 zotych. W zwizku z realizacj warunkowego podwyszenia kapitau zakadowego, na podstawie uchway XXI WZ z dnia 16 marca 2008r., oraz uchway XVI NWZ z dnia 27 padziernika 2008r., moe ulec podwyszeniu do kwoty 123.763.528 z. Akcje w podwyszonym kapitale zakadowym BRE Banku SA bd w caoci opacone. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Peter Fatzinger wrote: We may have a future opportunity to make some changes in this area of the code. While we're in there, what would you like to see changed? - Logoff users after period of inactivity. - Concurrent user logon to multiple consoles. - Anything else?? Peter, this might not be in the same area of code but... It would be nice to be able to associate a default SAF userid with consoles that have not yet logged on. That way, OPERCMDS resources can be used to protect commands issued from those consoles. -- Edward E Jaffe Phoenix Software International, Inc 5200 W Century Blvd, Suite 800 Los Angeles, CA 90045 310-338-0400 x318 edja...@phoenixsoftware.com http://www.phoenixsoftware.com/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Hi Peter, nice to see you're still working in this area! :-) We may have a future opportunity to make some changes in this area of the code. While we're in there, what would you like to see changed? - Logoff users after period of inactivity. This should be configurable. autologoff would cause a lot of complaints here. - Concurrent user logon to multiple consoles. - Anything else?? What I would really like to have is the ability to issue a K E,1 command *without* logging on. Or better yet, being able to set the console into roll mode *without* logon. On those pesky weekends IPLs I get to do I tend to forget that I can use my own id to logon to the console and never remember the supposed name of the console, much more the passowrd for that console name. Unfortunately, they all come up with del=rd and rtme=1, which isn't really nice during IPL and usually leads to WTO buffer shortages. At which point automation issues the commands. Without the need for commands, I would also go for a new parm in consolxx per console that allows to reset the console to del=rd and the specified rtme *after* IPL is through. (I know, how does one define the point where an IPL is done? Especially, as IPL are the few architected hardware instructions...) Also, I would not allow even display commands without logon. If someone knows enough to be able to issue a valid display command, they can spy on things. Best regards, Barbara Nitz -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Vernooij, CP - SPLXM wrote: We are considering moving the oposite way: eliminate console logon. The consoles are in a highly controlled area, where only operators come. Passwords must be carried over from shif to shift, so they are easy to remember, shouted through the room, widely known and hardly add any security. Because of further minor inconviniences caused by these passwords, we consider eliminating them. Keep in mind that allowing not-logged-on consoles exposes you to, what some might call, a gaping hole in z/OS security. I discussed this in the short subject entitled Console Me in Bit Bucket x'23' from SHARE in Orlando. -- Edward E Jaffe Phoenix Software International, Inc 5200 W Century Blvd, Suite 800 Los Angeles, CA 90045 310-338-0400 x318 edja...@phoenixsoftware.com http://www.phoenixsoftware.com/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
Wissink, Brad [ITSYS] bjwi...@iastate.edu wrote in message news:d827850abe9b7143b0a8d00087200b8c02d58...@exchs018.its.iastate.edu ... We are moving our operations staff to another building from where our processor is. Due to this change we are looking at making operations logon to the consoles. One thing I don't see is a timeout that would logoff an operator after some time period. Is there such a thing? Do most shops auto logon the console or make their staff logon? Any concerns, experience or gotcha's would be appreciated. Brad Wissink We are considering moving the oposite way: eliminate console logon. The consoles are in a highly controlled area, where only operators come. Passwords must be carried over from shif to shift, so they are easy to remember, shouted through the room, widely known and hardly add any security. Because of further minor inconviniences caused by these passwords, we consider eliminating them. Your situation might differ of course, but generally you would protect/control physical access to those and other devices in the same room, hence to the room. Gotchas: we use TSS and had some chicken-and-egg situation where the operator had to logon to the console, but TSS was waiting for an operator action but not yet accepting (logon) commands from the console. Kees. ** For information, services and offers, please visit our web site: http://www.klm.com. This e-mail and any attachment may contain confidential and privileged material intended for the addressee only. If you are not the addressee, you are notified that no part of the e-mail or any attachment may be disclosed, copied or distributed, and that any other action related to this e-mail or attachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immediately by return e-mail, and delete this message. Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its employees shall not be liable for the incorrect or incomplete transmission of this e-mail or any attachments, nor responsible for any delay in receipt. Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch Airlines) is registered in Amstelveen, The Netherlands, with registered number 33014286 ** -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Console Logon timeout?
AFAIK there is no built in timeout function. We put one together with our auto ops package (Control/O from BMC) that notices a logon then issues a logoff after 30 minutes. Timer is cancelled if the operator performs their own logoff. We do run with LOGON=AUTO but commands are protected (Top Secret from CA) and only display commands are allowed from the default userid. Only issue we found was that within a plex you could only be logged on to one console at a time and that it was possible to strand yourself when shutting down one system if you didn't logoff and had to wait for the IPL to free your userid. Ken Porowski AVP Systems Software CIT Group E: ken.porow...@cit.com -Original Message- Wissink, Brad [ITSYS] We are moving our operations staff to another building from where our processor is. Due to this change we are looking at making operations logon to the consoles. One thing I don't see is a timeout that would logoff an operator after some time period. Is there such a thing? Do most shops auto logon the console or make their staff logon? Any concerns, experience or gotcha's would be appreciated. Brad Wissink Information Technology Services Iowa State University 515-294-3088 -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html