Granted, but were the correct texts included in the last gen of the CPLOAD MODULE? He said he recently changed to CPACTION * REJECT. VMSECURE QCPCFG will show what is currently in the active nucleus. There are more than a few ways to have the rules running with parameters that aren't what you expect.
Bob Bates
Enterprise Hosting Services
w. (469)892-6660
c. (214) 907-5071

"This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation."

________________________________
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Schuh, Richard
Sent: Monday, November 23, 2009 11:25 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Z/VM 5.4 and VM:Secure running a CLOSED security system

If the HCPRPx modules are included in the nucleus, your operators will be very aware of it if the Rules Facility is not running; they will get frequent messages to that effect.

Regards,
Richard Schuh

________________________________
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Bob Bates
Sent: Sunday, November 22, 2009 6:43 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Z/VM 5.4 and VM:Secure running a CLOSED security system

This may have already been checked, but be sure the correct texts were included in the last gen. VMSECURE QCPCFG will tell you all the settings that are currently in use from the VMXRPI CONFIG.

Bob Bates
Enterprise Hosting Services
w. (469)892-6660
c. (214) 907-5071
________________________________
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Ivica Brodaric
Sent: Saturday, November 21, 2009 4:44 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Z/VM 5.4 and VM:Secure running a CLOSED security system

That's correct, and should be investigated, but if there are any other rules that allow this link, then VMSECURE QRULES JHUG LINK MAINT 123 should not tell you that the LINK would be rejected via NORULE DEFAULT.

I agree, but if it says that the link would be rejected, then it should be rejected. Something is very wrong somewhere. I see one possible scenario:

1. 'CPACTION * ACCEPT' record in VMXRPI CONFIG (used to generate HCPRPx modules) telling CP to allow everything if the rules facility is not running and
2. Rules facility is not running.

If rules are not running, would QRULES command tell you that? Or would it just check the rules database?

I would:

1. Run VMSECURE QCPCFG from authorised user (VMRMAINT should be) to verify all CPACTION settings in the currently running CP.
2. Check that VMSECURE userid's directory entry has IUCV *RPI MSGLIMIT 65535
3. Check the VMSECURE console messages and make sure that rules facility initialises correctly.
4. Run VMSECURE RULEMAP USER <userid> to display all rules that apply to that userid. Run other RULEMAP commands
5. Check all system, group, and user rule files to know what should be happening.
6. Call CA support.

Ivica