Let's put some order. zAAP runs Java and XML parsing. zIIP can run Java (if no zAAP is installed, using zAAP on zIIP, started at z/OS v11). Enclave SRB is just a requirement IBM put to use its interface into zIIP to run regular code, but you must invoke the interface. This is to say this is a requirement, but not the only one. You have to write your code in this mode (not in TCB mode). It ain't easy and I don't see many programmers that are able to write & debug this code (although it is running in the same ASID that scheduled the SRB).

As for the risk involved, if your program is already running in SRB mode (Enclave is just a WLM issue), why are SPs the issue? What about running this code on regular CPs? By the way, using the interface to run on a zIIP processor does not promise that your code runs on it. It depends on the availability of your zIIP SP, and it might run as is on a regular CP.

ITschak

On Mon, Mar 28, 2011 at 5:35 PM, McKown, John <[email protected]> wrote:

> > -----Original Message-----
> > From: IBM Mainframe Discussion List
> > [mailto:[email protected]] On Behalf Of Paul Gilmartin
> > Sent: Monday, March 28, 2011 10:22 AM
> > To: [email protected]
> > Subject: Re: zIIPs and zAAPs
> >
> > On Mon, 28 Mar 2011 16:42:49 +0200, Binyamin Dissen wrote:
> > >
> > >The security issue is allowing application programmers to write SRB code
> > >(which implies the ability to update APF datasets).
> > >
> > I thought that zAAPs are for Java. Does this mean that applications
> > programmers shouldn't write Java? Or that application Java is to be
> > kept separate from system Java? Must the jars reside in APF data sets?
> > Or is the JVM trustworthy enough that it is relied on to police the
> > behavior of Java byte code?
> >
> > -- gil
>
> zIIPs require special SRB enclave coding, as I understand it. zAAPs run
> java byte code. There is an option to run zAAP java byte code on zIIP
> engines in some cases that I forget all the details of.
>
> Java is no more dangerous than COBOL. And no less dangerous. It can't do
> anything that COBOL can't in terms of security. Java code does not require
> APF authorization and likely shouldn't have it. Any more than COBOL code
> should. There is nothing "special" about the java byte code as far as
> security is concerned. Java byte code is just another, rather high level,
> set of assembler instructions. But there are no Java byte code instructions
> which are like unto "privileged" or "semi-privileged" instructions on the z.
> They are more like normal "general instructions". Just like the COBOL
> compiler does not generate any privileged instructions.
>
> --
> John McKown
> Systems Engineer IV
> IT
> Administrative Services Group
> HealthMarkets(r)
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html

