Thank you, Hayim. That makes sense. I guess the even shorter version is that if it isn't in IKJTSOxx it won't run authorized.
It doesn't, at least to me yet, explain why a Rexx assembler function, even if it meets all the criteria of a TSO command, APF, in IKJTSOxx, that it won't run authorized.

Lindy

________________________________________
From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf Of Hayim Sokolsky [hsokol...@dtcc.com]
Sent: 28 December 2010 22:18
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function

The short version goes like this, at least it used to work this way. It probably still does.

IKJEFT01 (the "READY" prompt) is authorized. For every command that is run, it attaches IKJEFT02 to process the command. IKJEFT02 in turn checks to see if the command being run is in the authorized command list in IKJTSOxx. If it is, it directly attaches the command, which is still authorized. If it is not in the table, it attaches IKJEFT09 to attach the command. IKJEFT09 is unauthorized, and therefore the command cannot be authorized.

IKJEFT01 (authorized) --attach--> IKJEFT02 (authorized) --attach--> command (authorized)

IKJEFT01 (authorized) --attach--> IKJEFT02 (authorized) --attach--> IKJEFT09 (non-authorized) --attach--> command (non-authorized)

Hayim
_____________________________________
Hayim Sokolsky, CISSP
Mainframe Security Architect
DTCC Corporate Information Security
18301 Bermuda Green Dr, MS 1-CIS
Tampa FL 33647-1760
Tel. (813) 470-2177

IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu> wrote on 2010.12.28 14:51:07:

> By asking these questions, I'm only curious, learning, and want to
> know as much about z/OS as I can. Having said that...
>
> What exactly happens to cause an authorized Rexx assembler function
> to be un-authorized, even if AC(1) and run from an authorized
> library? Do you manipulate the JSCBAUTH? Do you somehow mark the
> library as unauthorized? (or is that the same thing?) Or is this
> simply a part of TSO? Then why not let me simply add it to the IKJTSOxx?
>
> (I realize that some or all of the above shows a lack of knowledge
> about TSO and authorized "stuff".)
>
> And if you know, why was it designed this way?
>
> Thank you!
> Lindy
>
> ________________________________________
> From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf
> Of Peter Relson [rel...@us.ibm.com]
> Sent: 23 December 2010 16:00
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Authorized Rexx Assembler Function
>
> >Call an SVC that flips the JSCBAUTH bit back on.
>
> DO NOT DO THIS. In the general case there is no way to do this without
> introducing system integrity problems.
>
> And also do not use an SVC to return control to an unauthorized caller in
> an authorized state.
>
> Peter Relson
> z/OS Core Technology Design
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
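
Added example, not part of the thread and not IBM code: a small off-host audit sketch that reads the authorized command list from a copy of an IKJTSOxx member, models the attach chain Hayim describes, and lists entries missing from a reviewed baseline. The sample member and the baseline are constructed, the function names are hypothetical, and the model covers only the table lookup, not the AC(1)/APF library requirements.

```python
import re

# Constructed sample of an IKJTSOxx member (not taken from the thread).
SAMPLE_IKJTSO = """\
AUTHCMD NAMES(            /* authorized commands */  +
   RECEIVE TRANSMIT XMIT  /* data transfer       */  +
   LISTB LISTD            /* list commands       */  +
   MYTOOL)                /* site-added entry    */
AUTHPGM NAMES(            /* authorized programs */  +
   IEBCOPY)
"""

# Hypothetical baseline: the entries a site has already reviewed and approved.
REVIEWED_BASELINE = {"RECEIVE", "TRANSMIT", "XMIT", "LISTB", "LISTD"}


def parse_names(member_text, statement="AUTHCMD"):
    """Return the set of names listed in `<statement> NAMES(...)`."""
    text = re.sub(r"/\*.*?\*/", " ", member_text, flags=re.S)  # drop comments
    text = re.sub(r"[+-][ \t]*$", " ", text, flags=re.M)        # drop continuation marks
    m = re.search(rf"\b{statement}\s+NAMES\s*\(([^)]*)\)", text, flags=re.I)
    if not m:
        return set()
    return {n.upper() for n in re.split(r"[\s,]+", m.group(1)) if n}


def attach_chain(command, authcmd):
    """Model of the chain in Hayim's message: (modules attached, runs authorized)."""
    name = command.upper()
    chain = ["IKJEFT01", "IKJEFT02"]
    if name in authcmd:
        return chain + [name], True          # attached directly, stays authorized
    return chain + ["IKJEFT09", name], False  # attached via unauthorized IKJEFT09


def unreviewed(authcmd, baseline):
    """Entries that would run authorized but are not in the reviewed baseline."""
    return sorted(authcmd - baseline)


if __name__ == "__main__":
    authcmd = parse_names(SAMPLE_IKJTSO)
    for cmd in ("RECEIVE", "MYREXXFN"):
        print(cmd, attach_chain(cmd, authcmd))
    print("needs review:", unreviewed(authcmd, REVIEWED_BASELINE))
```
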