Basic CICS Question
Hey friends, this isn't necessarily a z/OS question but I'm hoping someone knows.

Do you have to STEPLIB all libraries for CICS, even if they're in the LINKLIST? We're running 5.2 of CICS and z/OS 2.20. For instance, do SCEERUN, SCEERUN2, RACF (or ACF2) have to be in the STEPLIB? I'm being told this is because they all have to be APF authorized and you lose that with the linklist. All the appropriate libraries are APF authorized. I suppose I could create a little vanilla system and be certain, but I was sort of hoping someone would know.

... and if the answer is yes, shame on IBM for making me do that.

Anne R. Adams, CISSP
DTI, Systems Engineering
Sr. Mainframe Services Analyst

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Basic CICS Question
On Thu, Jun 16, 2016 at 2:15 PM, Adams, Anne (DTI) wrote:

> Hey friends, this isn't necessarily a z/OS question but I'm hoping someone
> knows.
>
> Do you have to STEPLIB all libraries for CICS, even if they're in the
> LINKLIST? We're running 5.2 of CICS and z/OS 2.20. For instance, do
> SCEERUN, SCEERUN2, RACF (or ACF2) have to be in the STEPLIB? I'm being told
> this is because they all have to be APF authorized and you lose that with
> the linklist. All the appropriate libraries are APF authorized. I suppose
> I could create a little vanilla system and be certain, but I was sort of
> hoping someone would know.
>
> ... and if the answer is yes, shame on IBM for making me do that.
>

No, you don't, in general, need those libraries to be in a STEPLIB for CICS. You do _not_ lose APF authorization just because a data set is in the linklist. I don't know who told you that.

There is a parameter called LNKAUTH in the IEASYSnn member of PARMLIB. If it is set to LNKLIST, then _every_ library on the link list is APF authorized when used via the link list even if it is not in the APF table (STEPLIB remains dependent on APF table). Most shops any more use the APFTAB value which indicates that a data set's APF authorization is based on the APF table when a module is accessed via the link list or a STEPLIB.

ref: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.ieae200/ieae200306.htm

*LNKAUTH={LNKLST}|{APFTAB}*

This parameter specifies whether all libraries in the LNKLST concatenation are to be treated as APF-authorized when accessed as part of the concatenation, or whether only those libraries that are named in the APF table are to be treated as APF-authorized.

*Value Range*: Not applicable

*Default Value*: LNKLST, meaning that all libraries in the LNKLST concatenation are to be treated as APF-authorized when accessed as part of the concatenation.

If the default for the LNKAUTH system parameter is taken, or is specified in IEASYSxx or by the operator, libraries in the LNKLST concatenation are APF-authorized when accessed as part of the LNKLST concatenation. If a LNKLST library is not listed in the APF table, referencing the library through a JOBLIB or STEPLIB DD statement causes the library to be considered unauthorized for the duration of the job or step.

>
> Anne R. Adams, CISSP
> DTI, Systems Engineering
> Sr. Mainframe Services Analyst
>

--
"Pessimism is an admirable quality in an engineer. Pessimistic people check their work three times, because they're sure that something won't be right. Optimistic people check once, trust in Solis-de to keep the ship safe, then blow everyone up."
"I think you're mistaking the word optimistic for inept."
"They've got a similar ring to my ear."

From "Star Nomad" by Lindsay Buroker:

Maranatha! <><
John McKown

Re: Basic CICS Question
Actually, I believe someone has it a little reversed. If the Data Set is listed in APF list, it is authorized and will be so in the LINKLST, BUT if you add that same data set to //STEPLIB, then ALL the data sets listed in //STEPLIB must be APF authorized, if even 1 is not authorized, then ALL are not.

Remember for APF, both the Data Set Name and the Volume or SMS if it is SMS managed, MUST MATCH!

Al Nims
Systems Admin/Programmer 3
UFIT
University of Florida
(352) 273-1298

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Adams, Anne (DTI)
Sent: Thursday, June 16, 2016 3:15 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Basic CICS Question

Hey friends, this isn't necessarily a z/OS question but I'm hoping someone knows.

Do you have to STEPLIB all libraries for CICS, even if they're in the LINKLIST? We're running 5.2 of CICS and z/OS 2.20. For instance, do SCEERUN, SCEERUN2, RACF (or ACF2) have to be in the STEPLIB? I'm being told this is because they all have to be APF authorized and you lose that with the linklist. All the appropriate libraries are APF authorized. I suppose I could create a little vanilla system and be certain, but I was sort of hoping someone would know.

... and if the answer is yes, shame on IBM for making me do that.

Anne R. Adams, CISSP
DTI, Systems Engineering
Sr. Mainframe Services Analyst

Re: Basic CICS Question
And there is no error message if you do an ADD and the volser is wrong -- MVS happily accepts it and will authorize the dataset ... if one with that name ever shows up on that volume.

SMS makes things more foolproof. FWIW -- not recommending this -- I think a correct volser works even if the dataset is SMS managed.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Nims,Alva John (Al)
Sent: Thursday, June 16, 2016 12:29 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Basic CICS Question

Actually, I believe someone has it a little reversed. If the Data Set is listed in APF list, it is authorized and will be so in the LINKLST, BUT if you add that same data set to //STEPLIB, then ALL the data sets listed in //STEPLIB must be APF authorized, if even 1 is not authorized, then ALL are not.

Remember for APF, both the Data Set Name and the Volume or SMS if it is SMS managed, MUST MATCH!

Re: Basic CICS Question
On Thu, 16 Jun 2016 14:27:28 -0500, John McKown wrote:
>
>... Most shops any more use the APFTAB value which indicates that a
>data set's APF authorization is based on the APF table when a module is
>accessed via the link list or a STEPLIB.
>

Does this mean that STEPLIB may nowadays contain a mixture of unauthorized and APFTAB-authorized catenands, and that loading a program marked AC=1 from one of the authorized catenands will retain authorization notwithstanding the presence of unauthorized catenands? I know a more recent ply has said "No", but you seem to be implying "Yes".

And why can't Content Supervision be as intelligent about a mixed authorized/unauthorized STEPLIB as it is about a mixed link list? (I know that if CS were changed to operate that way, programmers would lose the ability to force an otherwise authorized program to execute unauthorized by including it in STEPLIB. This ought to be a tolerable behavioral change.)

-- gil

Re: Basic CICS Question
From z/OS 1.13 version of "MVS Programming: Authorized Assembler Services Guide" "Chapter 21: Protecting the System" about page 433, there is a "Note" in "APF-authorized libraries":

"Notes:
1. If a JCL DD statement concatenates an authorized library in any order with an unauthorized library, the entire set of concatenated libraries is treated as unauthorized."

And guess what, in "z/OS V2R2.0 MVS Authorized Assembler Services Guide" same chapter, same section, but page 455, it has the same note.

So "No" in STEPLIB, you CANNOT mix APF Authorized and Unauthorized libraries, LINKLST, on the other hand, you can mix it up.

Al Nims
Systems Admin/Programmer 3
UFIT
University of Florida
(352) 273-1298

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
Sent: Thursday, June 16, 2016 5:08 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Basic CICS Question

On Thu, 16 Jun 2016 14:27:28 -0500, John McKown wrote:
>
>... Most shops any more use the APFTAB value which indicates that a
>data set's APF authorization is based on the APF table when a module is
>accessed via the link list or a STEPLIB.
>

Does this mean that STEPLIB may nowadays contain a mixture of unauthorized and APFTAB-authorized catenands, and that loading a program marked AC=1 from one of the authorized catenands will retain authorization notwithstanding the presence of unauthorized catenands? I know a more recent ply has said "No", but you seem to be implying "Yes".

And why can't Content Supervision be as intelligent about a mixed authorized/unauthorized STEPLIB as it is about a mixed link list? (I know that if CS were changed to operate that way, programmers would lose the ability to force an otherwise authorized program to execute unauthorized by including it in STEPLIB. This ought to be a tolerable behavioral change.)

-- gil

Re: Basic CICS Question
If you were not aware, there is a CICS List. If you have not joined, and wish to do so, go to this URL: http://www.listserv.uga.edu/archives/cics-l.html

Next, CICS may handle the DFHRPL or STEPLIB a little differently than normal. There are many internet entries for CICS APF STEPLIB.

Basically, if SCEERUN and SCEERUN2 are in the Linklst, then you do not need them (AFAIK) in the CICS STEPLIB.

Second, I think this trick still works: if you code SYS1.LINKLIB at the top of the STEPLIB it will keep APF alive. I am not sure if you would get an S047 if a library farther down has an issue with being APF Authorized, but SYS1.LINKLIB will not lose APF Authorization if it is in a STEPLIB.

You might ask the CICS List about what really needs to be in the STEPLIB if it is in the LINKLST.

Lizette

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Adams, Anne (DTI)
> Sent: Thursday, June 16, 2016 12:15 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Basic CICS Question
>
> Hey friends, this isn't necessarily a z/OS question but I'm hoping someone
> knows.
>
> Do you have to STEPLIB all libraries for CICS, even if they're in the
> LINKLIST? We're running 5.2 of CICS and z/OS 2.20. For instance, do SCEERUN,
> SCEERUN2, RACF (or ACF2) have to be in the STEPLIB? I'm being told this is
> because they all have to be APF authorized and you lose that with the
> linklist. All the appropriate libraries are APF authorized. I suppose I could
> create a little vanilla system and be certain, but I was sort of hoping
> someone would know.
>
> ... and if the answer is yes, shame on IBM for making me do that.
>
>
> Anne R. Adams, CISSP
> DTI, Systems Engineering
> Sr. Mainframe Services Analyst

Re: Basic CICS Question
Jim Mulder
z/OS System Test
IBM Corp.
Poughkeepsie, NY

> >... Most shops any more use the APFTAB value which indicates that a
> >data set's APF authorization is based on the APF table when a module is
> >accessed via the link list or a STEPLIB.
> >
> Does this mean that STEPLIB may nowadays contain a mixture of
> unauthorized and APFTAB-authorized catenands, and that loading
> a program marked AC=1 from one of the authorized catenands
> will retain authorization notwithstanding the presence of
> unauthorized catenands? I know a more recent ply has said "No",
> but you seem to be implying "Yes".

No. LNKAUTH=APFTAB applies only to LNKLST.

> And why can't Content Supervision be as intelligent about a mixed
> authorized/unauthorized STEPLIB as it is about a mixed link list?
> (I know that if CS were changed to operate that way, programmers
> would lose the ability to force an otherwise authorized program to
> execute unauthorized by including it in STEPLIB. This ought to
> be a tolerable behavioral change.)

For a Joblib/Steplib/Tasklib, all CSV knows about is the DCB/DEB. The DEB is flagged as authorized by OPEN if all of the data sets are authorized. CSV does not know anything about the authorization of the individual data sets in the concatenation.

The LNKLST is built by CSV, so CSV does know about the individual data sets in the concatenation.

Jim Mulder

Re: Basic CICS Question
> And why can't Content Supervision be as intelligent about a mixed
> authorized/unauthorized STEPLIB as it is about a mixed link list?
> (I know that if CS were changed to operate that way, programmers
> would lose the ability to force an otherwise authorized program to
> execute unauthorized by including it in STEPLIB. This ought to
> be a tolerable behavioral change.)

How useful would that be? If the jobstep is running APF authorized, it cannot load anything from unauthorized libraries.

Jim Mulder
z/OS System Test
IBM Corp.
Poughkeepsie, NY
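
Added example, not part of any poster's message and not z/OS code: a small Python model of the rules stated in this thread (LNKAUTH=LNKLST versus APFTAB for the link list, the all-or-nothing STEPLIB concatenation, and the name-plus-volume match), usable as a checklist when reviewing a CICS STEPLIB. The data set names, volsers, the `*SMS*` marker and all function names are constructed for illustration, and the treatment of a volser entry against an SMS-managed data set is a modelling assumption.

```python
from dataclasses import dataclass

SMS = "*SMS*"  # this model's marker for an SMS-managed APF entry (assumption)

@dataclass(frozen=True)
class Lib:
    dsn: str
    volser: str        # volume the data set really resides on
    sms: bool = False  # True if the data set is SMS-managed

def in_apf_table(lib, apf_table):
    """Name AND volume (or SMS status) must both match an entry.
    Assumption: a volser entry is only compared for non-SMS data sets."""
    return any(
        dsn == lib.dsn and (lib.sms if vol == SMS else (not lib.sms and vol == lib.volser))
        for dsn, vol in apf_table
    )

def lnklst_authorized(lib, apf_table, lnkauth):
    """One library fetched through the LNKLST concatenation."""
    if lnkauth not in ("LNKLST", "APFTAB"):
        raise ValueError("LNKAUTH must be LNKLST or APFTAB")
    return lnkauth == "LNKLST" or in_apf_table(lib, apf_table)

def steplib_offenders(concat, apf_table):
    """Data sets that make a JOBLIB/STEPLIB concatenation unauthorized."""
    return [lib.dsn for lib in concat if not in_apf_table(lib, apf_table)]

def steplib_authorized(concat, apf_table):
    """All-or-nothing: one unauthorized data set taints the whole DD.
    LNKAUTH plays no part in this decision."""
    return not steplib_offenders(concat, apf_table)

# Constructed sample data: names and volsers are illustrative only.
APF_TABLE = [
    ("CEE.SCEERUN", "ZOSRES"),
    ("CEE.SCEERUN2", "ZOSRS9"),  # mistyped volser: accepted, never matches
    ("CICSTS52.CICS.SDFHAUTH", SMS),
]
SCEERUN = Lib("CEE.SCEERUN", "ZOSRES")
SCEERUN2 = Lib("CEE.SCEERUN2", "ZOSRES")
SDFHAUTH = Lib("CICSTS52.CICS.SDFHAUTH", "SMS001", sms=True)
SITELIB = Lib("SITE.LINKLIB", "ZOSRES")  # on the link list, not in the APF table

if __name__ == "__main__":
    for dd in ([SDFHAUTH, SCEERUN], [SDFHAUTH, SCEERUN, SCEERUN2], [SITELIB]):
        print([l.dsn for l in dd], steplib_authorized(dd, APF_TABLE),
              steplib_offenders(dd, APF_TABLE))
    for mode in ("LNKLST", "APFTAB"):
        print("SITE.LINKLIB via link list, LNKAUTH=" + mode,
              lnklst_authorized(SITELIB, APF_TABLE, mode))
```
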