Re: allowuserkeycsa
As I understand it, IDMS specifically has a problem with NO.

Patrick Loftus wrote:
We've been using the default of YES up to z/OS 1.8, but will now take the default of NO for z/OS 1.9. Shouldn't be any problem, as we will discover any issues when rolling out through various systems. So far we've discovered a bug in our Sysprog sysplex with a BMC DB2 utility, but they've released a fix for that now. You can dynamically switch from NO to YES anyway, should it cause issues.

-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Time Zone and Change Management Implementation Start Times
We have over 30 LPARs in the same physical location. Some are running EST, 4 are running CST and 1 is running JST (Japan time). Our management made the decision that all times in the change records will be EST. So, if a change is scheduled for 3:00 am EST and is supposed to happen on a CST LPAR, the change happens at 2:00 CST, 3:00 EST.

Mark T. Regan, K8MTR wrote:
I'm thinking that too, but I was wondering if anyone else had encountered this issue too? I'm sure people have, due to all the data center consolidations that have taken place.
JES2 and $VS RACF protection
What is the process for checking commands entered when using $VS? I can protect the use of $VS using the JES2.$VS profile but there doesn't appear to be any granularity for which commands can be entered. Let's say the following is found in JCL.

/*$VS,ROUTE node1,someCommand

JES2 checks the $VS profile and if allowed will let the command proceed. But, does MVS/RACF also check to see if you have authority to MVS.ROUTE.CMD? Or is the check bypassed since you had auth to $VS?

Also, to protect the /*ROUTE XEQ node1 command, I need the WRITER class active with a profile of JES2.NJE.node1, correct?
sftp help
I have a client who is trying to execute sftp on z/OS. We have SSH installed and running. Can someone decipher the debug output? I can't tell if the problem is on the remote end or with the mainframe. The job originates with the mainframe.

Connecting to xxx.xxx.xxx.xxx
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: Seeding PRNG from /usr/lib/ssh/ssh-rand-helper
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.xxx port 22.
debug1: Connection established.
debug1: identity file /.ssh/id_rsa type 1
debug1: identity file /.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1
debug1: no match: Sun_SSH_1.1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-cbc,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: en-CA,en-US,es,es-MX,fr,fr-CA,i-default
debug2: kex_parse_kexinit: en-CA,en-US,es,es-MX,fr,fr-CA,i-default
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 140/256
debug2: bits set: 509/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'xxx.xxx.xxx.com' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:1
debug2: bits set: 481/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /.ssh/id_rsa (15d1c080)
debug2: key: /.ssh/id_dsa (15d1c0e0)
debug3: input_userauth_banner
|-|
| This system is for the use of authorized users only. |
| Individuals using this computer system without authority, or in |
| excess of their authority, are subject to having all of their |
| activities on this system monitored and recorded by system |
| personnel. |
| |
| In the course of monitoring individuals improperly using this |
| system, or in the course of system maintenance, the activities |
| of authorized users may also be monitored. |
| |
| Anyone using this system expressly consents to such monitoring |
| and is advised that if such monitoring reveals possible |
| evidence of criminal activity, system personnel may provide the |
| evidence of such monitoring to law enforcement officials. |
|-|
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled
Re: sftp help
Mark Jacobs wrote:
Michael Babcock wrote:
I have a client who is trying to execute sftp on z/OS. We have SSH installed and running. Can someone decipher the debug output? I can't tell if the problem is on the remote end or with the mainframe. The job originates with the mainframe.

This problem is usually (99+%) caused by a problem on the target server. This error message is being issued because the associated public key of the batch job is either not in the target .ssh/authorized_keys file or there are permission/ownership errors in the .ssh directory structure.

So you are saying that the authorized_keys file or the permissions on the .ssh dir on the target server is not set up correctly. I'll tell the client to fix their end, then. Thanks!
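Added example, not part of the original thread: a check to run on the target server for the two causes named in the reply above (the batch job's public key missing from authorized_keys, or permission/ownership problems under .ssh). The function name check_pubkey_auth, its output labels and its arguments are assumptions; the mode test assumes OpenSSH-style StrictModes, which rejects a home directory, .ssh directory or authorized_keys file that is group- or world-writable or not owned by the user or root.

```shell
#!/bin/sh
# Added example: target-side checks for a failing publickey login.
# Usage: check_pubkey_auth HOME_DIR PUBKEY_FILE [OWNER_UID]
# Prints one finding per line; returns 0 when nothing is wrong, 1 otherwise.

# True when the path is writable by group or others.
is_loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Numeric owner of the path (third column of ls -ldn).
owner_of() {
    ls -ldn "$1" | awk '{print $3}'
}

check_pubkey_auth() {
    home=$1 pub=$2 owner=${3:-$(id -u)}
    ak="$home/.ssh/authorized_keys"
    rc=0

    # Every component sshd walks must exist, be tight, and be owned
    # by the login user or by root (uid 0).
    for p in "$home" "$home/.ssh" "$ak"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1; continue
        fi
        if is_loose "$p"; then
            echo "LOOSE_MODE $p"; rc=1
        fi
        o=$(owner_of "$p")
        if [ "$o" != "$owner" ] && [ "$o" != "0" ]; then
            echo "BAD_OWNER $p ($o)"; rc=1
        fi
    done

    # Match on key type + base64 blob only: the trailing comment may differ,
    # and an authorized_keys line may carry options in front of the key type.
    if [ -f "$ak" ]; then
        want=$(awk 'NF >= 2 {print $1, $2; exit}' "$pub")
        if ! awk -v want="$want" '
            /^[ \t]*#/ { next }
            { for (i = 1; i < NF; i++) if (($i " " $(i+1)) == want) found = 1 }
            END { exit !found }' "$ak"; then
            echo "KEY_NOT_AUTHORIZED $pub"; rc=1
        fi
    fi
    return $rc
}
```

Run it as the target account, passing that account's home directory and a copy of the public half of the key the batch job presents (here /.ssh/id_rsa or /.ssh/id_dsa on the z/OS side).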
Re: JES2 Exit Help
Bob Rutledge wrote:
I believe the JCT you really want to be looking at is that of the submitter. In http://publibz.boulder.ibm.com/zoslib/pdf/J2migration_guide.pdf there's a section that describes how to do it in the new exits.
Bob

Yes, I was lost. Anyway, I modified the code to this and have it mostly working.

         USING XPL,R7
         USING JCT,R8
         USING JRW,R6
         USING RIDCWKAR,JRW
         USING SJB,R3
         LR    R12,R15
         LR    R7,R0                    COPY XPL
         L     R6,X054AREA              LOAD JRW
         TM    X054IND,X054JECL         THIS A JECL STATEMENT?
         JNO   NOTJECL                  NO, NO PROCESSING TO BE DONE
         WTO   '$USRX54I - FOUND JECL STMT'
         L     R2,X054STMT
         CLI   X054STMV,C'$'            THIS A JES2 COMMAND?
         JNE   X54RET00                 NO, LEAVE EXIT
         WTO   '$USRX54I - FOUND $ JES STMT'
         ICM   R3,B'',RIDSJB            ENSURE SJB IS NOT ZERO
         BZ    X54RET00                 NOT A BATCH SUBMIT, EXIT
         WTO   '$USRX54I - RIDSJB WAS NOT ZERO'
         L     R8,SJBJCT                GET SUBMITTERS JCT ADDRESS
         TM    JRWDEVTP,DCTINR          INTERNAL READER?
         BZ    X54RET00                 NOT INTRDR, EXIT
         WTO   '$USRX54I - JRWDEVTP WAS INTERNAL READER'
         CLC   =C'S',JCTJOBID           IS RDR OWNED BY STC?
         BE    X54RET00                 ... YES,ALLOW
         WTO   '$USRX54I - JCTJOBID WAS NOT STC'
         MVC   3(L'DMR0MSG,R2),DMR0MSG
         WTO   '$USRX54I - CREATED ATTEMPTED MSG'
         MVC   9(8,R2),JCTJNAME         SHOW JOBNAME OF USER
         WTO   '$USRX54I - LOADED JCTJNAME IN MSG'
         B     X54RET00
NOTJECL  DS    0H
X54RET00 $RETURN RC=0
         SPACE 2
DMR0MSG  DC    CL68'DMR0,'' ATTEMPTED JES2($) COMMAND'''

I get this output:

$USRX54I - FOUND JECL STMT
$USRX54I - FOUND $ JES STMT
$USRX54I - RIDSJB WAS NOT ZERO
$USRX54I - JRWDEVTP WAS INTERNAL READER
$USRX54I - JCTJOBID WAS NOT STC
$USRX54I - CREATED ATTEMPTED MSG
$USRX54I - LOADED JCTJNAME IN MSG
$HASP120 INTRDR $VSDMR0,'SMMYBATTEMPTED JES2($) COMMAND' FROM TSU03427 SMMYB
$HASP650 DMR0,'SMMY INVALID OPERAND OR MISPLACED OPERAND

The above two lines are what I'm concerned about. What is the code doing in the two MVC instructions and how can I fix them to issue the proper message? I really wish I knew assembler better.
Re: JES2 Exit Help
Bob Rutledge wrote:
Michael Babcock wrote:

         MVC   3(L'DMR0MSG,R2),DMR0MSG
         WTO   '$USRX54I - CREATED ATTEMPTED MSG'
         MVC   9(8,R2),JCTJNAME         SHOW JOBNAME OF USER
         WTO   '$USRX54I - LOADED JCTJNAME IN MSG'
         B     X54RET00
NOTJECL  DS    0H
X54RET00 $RETURN RC=0
         SPACE 2
DMR0MSG  DC    CL68'DMR0,'' ATTEMPTED JES2($) COMMAND'''

I get this output:

I would issue a WTO showing the 8-byte X054STMV field and another showing the first 20 or so bytes at X054STMT. You should find that X054STMV is the JES2 command name, $VS and X054STMT has the rest of the command. If this turns out to be correct, try putting $DM into the verb field and everything following into the buffer at X054STMT. Also, you need to point X054STME to the byte after the end of the stuff you put into X054STMT.
Bob

I broke out the POP and looked at the MVC instruction. I was able to get a basic understanding of the code. R2 pointed to /*$VS in the old code but X054STMT parsed out the /*. I see they were replacing the VS with the DMR0 command. So I changed the instructions to

         MVC   0(L'DMR0MSG,R2),DMR0MSG
         MVC   7(8,R2),JCTJNAME         SHOW JOBNAME OF USER
DMR0MSG  DC    CL68'$DMR0,'' ATTEMPTED JES2($) COMMAND'''

I just replaced the entire command with the message and added the $ to the DC CL68. It works now. Thanks for all of the assistance!
JES2 Exit Help
All,

We had a very simple JES2 exit 4 under z/OS 1.4 that simply did this:

*  PREVENT USE OF JES2 COMMANDS SUBMITTED THROUGH
*  INTERNAL READER UNLESS INTERNAL READER IS OWNED
*  BY A STARTED TASK.
HASPE004 $ENTRY BASE=(R12)
         $SAVE
         USING HCT,R11
         USING PCE,R13
         LR    R12,R15
         L     R2,0(R1)                 POINT TO STATEMENT IMAGE.
         LTR   R0,R0                    IS THIS A JES2 JECL STATEMENT?
         BNZ   NOTJECL                  ... NO, IGNORE IT
         CLI   2(R2),C'$'               JES2 COMMAND ?
         BNE   EX4RET00                 ... NO
         TM    PCEID,PCEINRID           INTERNAL READER ?
         BNO   EX4RET00                 ... NO
         L     R15,PCEDCT               DCT ADDRESS
         CLC   =C'STC',RIDJBID-DCT(R15) STC OWNER OF INRDR ?
         BE    EX4RET00                 ... YES,ALLOW
         MVC   3(L'DMR0MSG,R2),DMR0MSG
         MVC   9(8,R2),RIDJNAM-DCT(R15) SHOW JOBNAME OF USER
         B     EX4RET00
NOTJECL  DS    0H

A colleague modified the exit for z/OS 1.7 and used exit 54 instead. Here's what it looks like.

         USING XPL,R7
         USING JCT,R8
         USING JRW,R6
         LR    R12,R15
         LR    R7,R0                    COPY XPL
         L     R6,X054AREA              LOAD JRW
         TM    X054IND,X054JECL         THIS A JECL STATEMENT?
         JNO   NOTJECL                  NO, NO PROCESSING TO BE DONE
         L     R2,X054STMT
         CLC   X054STMV,=CL8'$'         THIS A JES2 COMMAND?
         JNE   X54RET00                 NO, LEAVE EXIT
         CLC   X054JCT,CCTZEROS         IS THERE A JCT?
         BE    X54RET00                 ... NO, GET OUT
         CLI   JRWDEVTP,DCTINR          SUBMITTED VIA INTERNAL RDR?
         JNE   X54RET00                 NO
         CLC   =C'S',JCTJOBID           IS RDR OWNER JOB SUBMITTED? ZOS 1.7
         BE    X54RET00                 ... YES,ALLOW
         MVC   3(L'DMR0MSG,R2),DMR0MSG
         MVC   9(8,R2),JCTJNAME         SHOW JOBNAME OF USER
         B     X54RET00
NOTJECL  DS    0H
X54RET00 $RETURN RC=0

It's not working though and I was wondering if someone could spot the error. The person who modified the code is no longer with the company and I'm not an assembly language programmer. The code doesn't crash and burn, but simply allows everything through. Can anyone help?
Re: JES2 Exit Help
Mark Zelden wrote:
Michael, I agree with the others. Of course I assume you are actually calling the exit in JES2 also - $DEXIT(54). Also, I hope you realize that even though most of the processing that used to happen in EXIT4 now happens in EXIT54, you still need EXIT4 unless you don't care about the following as sources:
LOCAL CARD READER
REMOTE (RJE) CARD READER
NJE JOB RECEIVERS (SNA AND BSC)
SPOOL OFFLOAD JOB RECEIVERS
EXECUTION BATCH MONITOR (XBM) JOBLET

I don't think they care about those, but I'll check. The problem with the code doesn't seem to be these statements.

         CLC   X054STMV,=CL8'$'         THIS A JES2 COMMAND?
         JNE   X54RET00                 NO, LEAVE EXIT

I put in some WTO's and the code does match on the $ character. It's this bit of code that is always zero.

         CLC   X054JCT,CCTZEROS         IS THERE A JCT?
         BE    X54RET00                 ... NO, GET OUT

In the old exit, I could go to my JCL library, put in this,

/*$VS,'D D,T'

and type submit. The exit would fail it. Now, the exit lets it go.
JES2 Exit 53
I'm not an assembly programmer but am trying to help modify our JES2 exit 3 to move it to exit 53. What I need is an example of an exit 53 that checks to see if a job came from an internal reader and if it did, was the job that owned the reader a CICS region (our CICS regions are started as batch jobs). As I say, I'm not very familiar with assembly code (I know enough to be dangerous!). We have someone else looking at the code, but he doesn't know a lot about JES2 exits. Anyone have such a beast?

Here's the first part of the old exit 3:

HASPE053 $ENTRY BASE=(R12)
         $SAVE
         USING HCT,R11
         USING PCE,R13
         USING JCT,R10
         LR    R12,R15                  USING REGISTER
         LR    R8,R1                    SAVE R1
         L     R15,PCEDCT               ADDRESS OF DCT
         USING DCT,R15
EX5302   DS    0H
         TM    PCEID,PCEINRID           INTERNAL READER SUBMITTING JOB ?
         BNO   EX53RETN                 ... NO
         L     R15,PCEDCT               DCT ADDR
         CLI   DCTDEVN,C'I'             BATCH JOB INT RDR ??
         BNE   EX53RETN                 NO, HANDLE ONLY BATCH INT RDR.
         DROP  R15
         CLI   JCTJUSID,C' '            USER NAME THERE ?
         BH    INSTUSID                 NO, INSERT USER ID.
         CLI   JCTPASS,C' '             PASS WORD THERE ??
         BH    EX53RETN                 DONE.

What do I need to change to make this an exit 53? I understand R11 now points to the HCCT. So I think the first part of the code needs to look like this:

HASPE053 $ENTRY BASE=(R12)
         $SAVE
         USING HCCT,R11
         L     R10,R0
         USING XPL,R10
         L     R10,X053JCT
         USING JCT,R10

We have already set the ENVIRON=USER. I also assume we need to test whether the JCT is not zero, but what else needs to change?
Re: Catalog Question
Mark Jacobs wrote:
Thanks for the pointer. I looked at the manual and it seems like it says I can do a repro nomergecat. Change the master catalog option in iplparm, ipl and go. We can manage any updates in the master catalog(s) until all systems are reipled. Do you read it the same way I do?
Mark Jacobs

Be very careful. According to the manual, I see this:

After a REPRO of one catalog to another, the VVRs are changed to point to the target catalog, and all subsequent processing must be done under the target catalog. Attention: Performing REPRO on a catalog while data sets are open in the source catalog might result in a loss of information if any of those data sets extend, or other catalog updates are made. The changes might not be copied to the target catalog, resulting in a mismatch between the information contained in the VVDS and the new target BCS. This might cause the data sets to be inaccessible or receive errors.

We did a REPRO mergecat for a new MASTER in prep for a z/OS 1.7 upgrade. The client instituted a freeze for several months, so we didn't get to IPL with the new MASTER. HSM's CDS data sets were in the master catalog. When a quarterly REORG was run for HSM, the job failed after the deletion of the CDS indicating wrong catalog in the VVR (or whatever it was). We had to define new CDSs to recover. Not pretty. Any VSAM in the master will have this problem.
Re: Unicode Code Dynamic Table Loading
If I remember correctly, you must have SYS1.SCUNIMG in the linklist for the dynamic to work.
Re: SDSF and External Security
Robert S. Hansel (RSH) wrote:
Michael, Your assumption is essentially correct. Depending on what you are attempting to do within SDSF, RACF will make authorization calls to the SDSF, JESSPOOL, WRITER, and/or OPERCMDS classes. It only makes these calls if the corresponding class is active, and in the case of OPERCMDS also RACLISTed. (The other classes can be optionally RACLISTed.) If RACF sends back a return code of 0 (authorized) or 8 (not authorized), SDSF grants or denies the access based on this. If RACF sends back a 4 (not protected), SDSF reverts to ISFPARMs.

That's what I thought. Thanks!
SDSF and External Security
Sorry for the bad formatting. Hope this is better.

What's the best way to tell if SDSF is using external security? We have some LPARs that have the SDSF class active, but few profiles. SDSF's ISFPARMS don't appear to be using external security. Is there a way to tell definitively? Or will SDSF use a combination? I would assume it would use external security for those profiles that are defined, but revert to ISFPARMs if no profile was defined. Am I correct?

For example, one LPAR has the SDSF class active (but not RACLISTed). These are the profiles defined in the SDSF class (and there is no catchall).

ISFCMD.DSP
ISFOPER.ANYDEST
ISFOPER.SYSTEM
ISFATTR.** (G)
ISFCMD.DSP.SCHENV.** (G)
ISFCMD.DSP.** (G)
ISFCMD.ODSP.INITIATOR.** (G)
ISFCMD.ODSP.** (G)
ISFCMD.** (G)
ISFE.** (G)
ISFFRDR.** (G)
ISFINIT.** (G)
ISFJOBCL.** (G)
ISFLINE.** (G)
ISFMEMB.** (G)
ISFNODE.** (G)
ISFO.** (G)
ISFRES.** (G)

The SDSF parms for SYSPROGs contain these statements.

GROUP NAME(ISFSPROG),               /* GROUP NAME */
  TSOAUTH(JCL,OPER,ACCT),           /* USER MUST HAVE JCL, OPER, ACCT */
  ACTION(ALL),                      /* ALL ROUTE CODES DISPLAYED */
  ACTIONBAR(YES),                   /* DISPLAY THE ACTION BAR ON PANELS */
  APPC(ON),                         /* INCLUDE APPC SYSOUT */
  AUPDT(2),                         /* MINIMUM AUTO UPDATE INTERVAL */
  AUTH(LOG,I,O,H,DA,DEST,PREF,      /* AUTHORIZED FUNCTIONS */
       SYSID,ABEND,ACTION,INPUT,
       FINDLIM,ST,INIT,PR,TRACE,
       ULOG,MAS,SYSNAME,LI,SO,NO,PUN,RDR,JC,SE,RES),
  CMDAUTH(ALL),                     /* COMMANDS ALLOWED FOR ALL JOBS */
  CMDLEV(7),                        /* AUTHORIZED COMMAND LEVEL */
  CONFIRM(ON),                      /* ENABLE CANCEL CONFIRMATION */
  CURSOR(ON),                       /* LEAVE CURSOR ON LAST ROW PROCESSED */
  DADFLT(IN,OUT,TRANS,STC,TSU,JOB), /* DEFAULT ROWS SHOWN ON DA */
  DATE(MMDD),                       /* DEFAULT DATE FORMAT */
  DATESEP('/'),                     /* DEFAULT DATESEP FORMAT */
  DFIELD2(DAFLD2),                  /* SAMPLE ALTERNATE FIELD LIST FOR DA */
  DISPLAY(ON),                      /* DO NOT DISPLAY CURRENT VALUES */
  DSPAUTH(ALL),                     /* BROWSE ALLOWED FOR ALL JOBS */
  GPLEN(2),                         /* GROUP PREFIX LENGTH */
  ILOGCOL(1),                       /* INITIAL DISPLAY COLUMN IN LOG */
  ISYS(LOCAL),                      /* INITIAL SYSTEM DEFAULT FOR DA */
  LANG(ENGLISH),                    /* DEFAULT LANGUAGE */
  LOGOPT(OPERACT),                  /* DEFAULT LOG OPTION */
  OWNER(NONE),                      /* DEFAULT OWNER */
  UPCTAB(TRTAB2),                   /* UPPER CASE TRANSLATE TABLE NAME */
  VALTAB(TRTAB),                    /* VALID CHARACTER TRANSLATE TABLE */
  VIO(SYSALLDA)                     /* UNIT NAME FOR PAGE MODE OUTPUT */
Re: SMF Record Types 63, 67, 68 and 69
Beware, many FDA regulated companies must keep SMF records for many, many years.
Re: Changing the SMF SID Parameter
Eric Bielefeld wrote:
My question is, will this affect anything? Are there any program products that could be affected by changing the SID? I read the whole chapter in the Init Tuning Reference, and I didn't see anything that would matter to us.

A lot of sites set SYSNAME=SID so just be aware. Also, some people identify data sets (LNKLST, JES2PARM, etc) using symbolics. So, if you have data sets allocated with the SID then you will need to reallocate them with the correct name.
Re: Need ideas - IRADU00 output very large.
We had a situation last year with excessive records. Someone turned on AUDIT on an ID. That logged everything that ID did and he was a very active user.

McKown, John wrote:
On the off chance that anybody is interested, I have finally created a SAS dataset containing the input from all 21 tapes. It contains 35,122,765 observations. It is 903,000 tracks in 346 extents on 27 volumes. Now to try to run some statistics burr on those observations.
Sharing VTS Drives Under VM at Hotsite
Anyone been able to share VTS drives at a hotsite for MVS running as a guest under VM? I'm told it can be done, but how? Special software under VM?
Re: TCP/IP and CMC?
Ted MacNEIL wrote:
... Communication Management Configuration (or something very similar). ... Now, I need to know where to find doc on it with TCP/IP. And, is it supported (needed) with TCP/IP.
-teD

We run a CMC config. We have 5 LPARs (including the CMC) each running its own TCPIP stack (no VIPA, etc). We are eliminating the CMC in the next few weeks. We simply moved the SNA network ownership from the CMC LPAR to the PROD LPAR. We have two CISCO 7500 CIP routers attached to the mainframe. A lot of our SNA traffic flows through these two routers. Consequently, the CIP router csna config (it was pointing to the CMC) needed to change since the LPAR number was changing. TCPIP itself was unaffected.