On Wednesday, 12/16/2009 at 09:21 EST, David Boyes <dbo...@sinenomine.net> wrote: > :grump. > > On 12/16/09 5:03 PM, "Alan Altmark" <alan_altm...@us.ibm.com> wrote: > > > > So. You had to push the Do Not Push button? ;-) You are painting with a > > too-wide brush. "Better" is in the eye of the beholder. When choosing an > > ESM, you need to assess, aside from cost: > > *sigh* > > While your points are well argued, I spend a lot of time actually using both > product suites, and have recently done a point-by-point examination of both > the IBM suite and the CA suite in question. I'm not out to bash either > company -- I have no great love for CA or CA products -- but this is one > case where the IBM offering is just not yet as well integrated nor as > complete. CA (as the last in a chain of companies) has had a lot longer to > actually get VM:Manager working and polished during the time while IBM was > pretty much ignoring CMS management tooling, and it really, really shows. > > It's possible to implement anything with either one, but I would measure > "better" in this case by how much additional stuff I need to layer on top of > a product to make it easy to use and understand. I need to write or purchase > a lot more additional stuff to make the IBM suite easy to use and > understand. > > To your specific point about ESMs, for my recent comparison, I needed to > write about 2200 lines of EXECs to do a set of functions using VM:Secure. > Providing the same checklist of functions with DIRM and RACF required more > than 27,000 lines of additional code, and two additional program products, > both of which required a special bid process to run on IFLs.
Well, sure, if you're trying to write a Grand Unification program for the IBM toolset, then I would expect a far larger bill than for CA. They have done an admirable job of creating a *suite* of tools. No arguments there. > > - Functionality. If you need mandatory access controls, then RACF is, to > > the best of my knowledge, the only choice. > > Except the IBM backup and tape products don't pay any attention to RACF > whatsoever. Neither does DIRMAINT for authorization. You're in a maze of > twisty little config files, none alike. True, but that's not the functionality I was talking about. I meant the functionality of the ESM itself. > Yes, I wrote requirements. IBM even read them. SMOP. Someday. Play the Alan > "show us the business case" tape. Curtain. Two encores. Film at 11. Putting RACROUTE REQUEST=AUTH calls in the IBM subsystems is, in fact, on the to-do list. > I'd also question how much effort it takes to implement zSecure in a usable > way -- it needs a LOT of extra effort and thought to reach any kind of > configuration simplicity. Been there, done that, got the glitter jacket with > the diamond piano ring. Not for the faint of heart, or for the n00b. We, having never installed zSecure before, got it running in an afternoon. I did discover that they failed to document how to start it with ISPF (not ISPF/PDF!): ISPSTART CMD(%CKV) In fact, I modified my CKV exec as follows: : arg fname . '(' parms ')' "ISPQRY" if rc <> 0 then do "ISPSTART CMD(%CKV)" exit rc end : This information will be fed back to the zSecure folks. I'm not sure how they missed that. Alan Altmark z/VM Development IBM Endicott