Re: Def alias error in RACF
-Original Message- From: IBM Mainframe Discussion List On Behalf Of Rick Fochtman ---snip- Colleagues, follow up this problem Yes, the user for both purpose is the same (so as to execute the DEF through IDCAMS and run in the command line the DEF command) Separate, review the IKJTSOnn members on every Host and LPAR where the trouble exists (actually on the installation where we work, there are 10 mainframes between production and development environments; 4 of tall the mainframes are who have this problem; and the AUTHCMD section already contains the DEF and DEFINE (Rdef and Rdefine) commands. According a documentation of IBM, the last code after execute in the command line the RDEF means this next: RETURN CODE 56 Explanation: A security verification failed. Reason Code 36 Explanation: The caller is not authorized. When no profile exists for functions that require RACF authorization, the caller must be at least APF authorized. The question is, what kind of resource must be missing that protects this resources into APF definitions or which must be the root of this trouble? Thanks for your help. -unsnip--- - If I remember correctly, you also need ALTER access to the DSNAMES involved. But it would seem that, if that were the problem, he'd get the same or similar violation running IDCAMS in batch with the same user ID. At this point, the only other thing I can think of that hasn't been explicitly mentioned is to verify that IDCAMS is listed in the AUTHPGM section of IKJTSOnn. -jc- -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Def alias error in RACF
On Thu, 22 Jan 2009 17:34:04 -0600, Carlos Cordero jccorde...@hotmail.com wrote: Separate, review the IKJTSOnn members on every Host and LPAR where the trouble exists (actually on the installation where we work, there are 10 mainframes between production and development environments; 4 of tall the mainframes are who have this problem; and the AUTHCMD section already contains the DEF and DEFINE (Rdef and Rdefine) commands. Your user did not do an RDEFINE or an RDEF. He did a DEFINE or a DEF. Entirely different commands. You need to check IKJTSOxx to make sure that the AUTHCMD section has DEFINE and DEF in it, since those are the commands that failed. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Def alias error in RACF
On Thu, 22 Jan 2009 18:08:40 -0600, Rick Fochtman rfocht...@ync.net wrote: If I remember correctly, you also need ALTER access to the DSNAMES involved. That's a good thought, Rick, but not relevant in this case, I believe. The OP has stated that the same user can perform the DEFINE ALIAS via IDCAMS but can not do it via the DEFINE command under TSO. So, whatever security he needs, he apparently has it or it would not work under IDCAMS. That leaves lack of APF authority as the prime suspect, I think, and the OP still needs to verify (as previously suggested) that he has DEFINE in IKJTSOxx under AUTHCMD. Unfortunately, he seems to have looked for RDEFINE, not DEFINE. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Def alias error in RACF
Colleagues, follow up this problem
Yes, the user for both purpose is the same (so as to execute the DEF through
IDCAMS and run in the command line the DEF command)
Separate, review the IKJTSOnn members on every Host and LPAR where the trouble
exists (actually on the installation where we work, there are 10 mainframes
between production and development environments; 4 of tall the mainframes are
who have this problem; and the AUTHCMD section already contains the DEF and
DEFINE (Rdef and Rdefine) commands.
According a documentation of IBM, the last code after execute in the command
line the RDEF means this next:
RETURN CODE 56 Explanation: A security verification failed.
Reason Code 36
Explanation: The caller is not authorized. When no profile exists for functions
that require RACF authorization, the caller must be at least APF authorized.
The question is, what kind of resource must be missing that protects this
resources into APF definitions or which must be the root of this trouble?
Thanks for your help.
Date: Thu, 15 Jan 2009 07:40:06 -0600 From: jch...@ussco.com Subject: Re:
Def alias error in RACF To: IBM-MAIN@bama.ua.edu -Original
Message- From: IBM Mainframe Discussion List On Behalf Of Carlos
CorderoColleagues, Somebody can help me to know what
causes the next error at the moment to define an Alias in a RACF
environment with z/OS V1.7 release?At the moment to send the request
in command line (through the RACF command 'define alias'); not with the
idcams utility; appears the next error: Menu List Mode
Functions Utilities Help
sss
sss ISPF Command Shell Enter TSO or Workstation commands below:
=== def alias (name ('xm0007') relate ('UCATCOBD.USER')) [ snip ]
IDC3018I SECURITY VERIFICATION FAILED+ IDC0014I LASTCC=12 IDC3009I **
VSAM CATALOG RETURN CODE IS 56 - REASON CODE IS IGG0CLFT-36 ***
And of course, when we run the Define Alias through the idcams utility,
its ok. Actually, that's a TSO command, not a RACF command. Is the same
user ID issuing the TSO command as is running the batch IDCAMS job? My first
guess is that the TSO user issuing the DEFINE ALIAS command does not have
UPDATE authority to the master catalog, while the batch user ID does. AFAIK,
IDCAMS makes the same RACF checks in either environment (TSO or batch).
If the same user ID is used in both cases, you might inspect PARMLIB member
IKJTSOnn to ensure that DEFINE (and DEF) are listed in the AUTHCMD section.
-jc- Thanks for your Help Date: Wed, 14 Jan
2009 15:35:02 -0600 From: k...@dovetail.com Subject: Re: Eclipse
articles To: IBM-MAIN@bama.ua.edu Also of interest may be the IBM JZOS
Cookbook, which is a book and an Eclipse project containing lots of
sample code. It only requires that you have z/OS and the (free) z/OS
Java SDK along with free open source software such as Eclipse, Spring,
Ant, Apache java tools, etc. It is focused on using the JZOS batch
launcher and toolkit (part of the z/OS Java SDK). The examples in the
cookbook can also be used in conjunction with the RDz IDE. The JZOS
Cookbook is one of the downloads available from the JZOS alphaworks
site: http://www.alphaworks.ibm.com/tech/zosjavabatchtk Questions on
the cookbook or sample project can be posted to the JZOS alphaworks
forum Kirk Wolf Dovetailed Technologies On Wed, Jan 14, 2009 at
8:21 AM, John McKown joa...@swbell.net wrote: I know this is not
directly applicable. However, there may be mainframe shops which are
using the RDz (or whatever IBM is calling it this week) IDE in addition
to ISPF. RDz is based on Eclipse. I've never gotten the hang of
Eclipse. These articles may help.
http://www.ibm.com/developerworks/views/opensource/libraryview.jsp?sear
ch_by=mastering+eclipse+v3.4 Tiny URL:
http://preview.tinyurl.com/9u5phz -- John --
For IBM- MAIN
subscribe / signoff / archive access instructions, send email to
lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the
archives at http://bama.ua.edu/archives/ibm-main.html ---
--- For
IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the
archives at http://bama.ua.edu/archives/ibm-main.html
_ Chatea
en Messenger desde Hotmail. http://download.live.com
-- For
IBM-MAIN subscribe / signoff / archive access instructions, send email to
lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the
archives at http
Re: Def alias error in RACF
---snip- Colleagues, follow up this problem Yes, the user for both purpose is the same (so as to execute the DEF through IDCAMS and run in the command line the DEF command) Separate, review the IKJTSOnn members on every Host and LPAR where the trouble exists (actually on the installation where we work, there are 10 mainframes between production and development environments; 4 of tall the mainframes are who have this problem; and the AUTHCMD section already contains the DEF and DEFINE (Rdef and Rdefine) commands. According a documentation of IBM, the last code after execute in the command line the RDEF means this next: RETURN CODE 56 Explanation: A security verification failed. Reason Code 36 Explanation: The caller is not authorized. When no profile exists for functions that require RACF authorization, the caller must be at least APF authorized. The question is, what kind of resource must be missing that protects this resources into APF definitions or which must be the root of this trouble? Thanks for your help. -unsnip If I remember correctly, you also need ALTER access to the DSNAMES involved. -- Rick -- Remember that if you’re not the lead dog, the view never changes. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Def alias error in RACF
Hi Carlos, Rick is correct, you need to have ALTER for the dataset to run the define. If you are trying to define the high level qualifier, you must have RACF access to the master catalogue. Additionally, in most shops these days, RACF is setup not to allow 'unprotected resources' to be defined. A RACF dataset profile must exist first before the definecan run. A quick and easy way to check - without needing to know or run any RACF commands - is to attempt to rename a test dataset to the dataset name you are trying to work with. TSO 3.4 panel is what I use. If you have a RACF issue, the rename will fail and you should give some helpful messages. Linda Mooney -- Original message -- From: Rick Fochtman rfocht...@ync.net Colleagues, follow up this problem Yes, the user for both purpose is the same (so as to execute the DEF through IDCAMS and run in the command line the DEF command) Separate, review the IKJTSOnn members on every Host and LPAR where the trouble exists (actually on the installation where we work, there are 10 mainframes between production and development environments; 4 of tall the mainframes are who have this problem; and the AUTHCMD section already contains the DEF and DEFINE (Rdef and Rdefine) commands. According a documentation of IBM, the last code after execute in the command line the RDEF means this next: RETURN CODE 56 Explanation: A security verification failed. Reason Code 36 Explanation: The caller is not authorized. When no profile exists for functions that require RACF authorization, the caller must be at least APF authorized. The question is, what kind of resource must be missing that protects this resources into APF definitions or which must be the root of this trouble? Thanks for your help. - If I remember correctly, you also need ALTER access to the DSNAMES involved. -- Rick -- Remember that if youre not the lead dog, the view never changes. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Def alias error in RACF
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Carlos Cordero
Colleagues,
Somebody can help me to know what causes the next error at the moment
to define an Alias in a RACF environment with z/OS V1.7 release?
At the moment to send the request in command line (through the RACF
command 'define alias'); not with the idcams utility; appears the next
error:
Menu List Mode Functions Utilities Help
sss
sssISPF Command Shell
Enter TSO or Workstation commands below:
=== def alias (name ('xm0007') relate ('UCATCOBD.USER'))
[ snip ]
IDC3018I SECURITY VERIFICATION FAILED+
IDC0014I LASTCC=12
IDC3009I ** VSAM CATALOG RETURN CODE IS 56 - REASON CODE IS
IGG0CLFT-36
***
And of course, when we run the Define Alias through the idcams
utility,
its ok.
Actually, that's a TSO command, not a RACF command.
Is the same user ID issuing the TSO command as is running the batch
IDCAMS job? My first guess is that the TSO user issuing the DEFINE
ALIAS command does not have UPDATE authority to the master catalog,
while the batch user ID does. AFAIK, IDCAMS makes the same RACF checks
in either environment (TSO or batch).
If the same user ID is used in both cases, you might inspect PARMLIB
member IKJTSOnn to ensure that DEFINE (and DEF) are listed in the
AUTHCMD section.
-jc-
Thanks for your Help
Date: Wed, 14 Jan 2009 15:35:02 -0600 From: k...@dovetail.com
Subject: Re: Eclipse articles To: IBM-MAIN@bama.ua.edu Also of
interest may be the IBM JZOS Cookbook, which is a book and an Eclipse
project containing lots of sample code. It only requires that you
have
z/OS and the (free) z/OS Java SDK along with free open source
software
such as Eclipse, Spring, Ant, Apache java tools, etc. It is focused
on
using the JZOS batch launcher and toolkit (part of the z/OS Java
SDK).
The examples in the cookbook can also be used in conjunction with the
RDz IDE. The JZOS Cookbook is one of the downloads available from
the JZOS alphaworks site:
http://www.alphaworks.ibm.com/tech/zosjavabatchtk Questions on the
cookbook or sample project can be posted to the JZOS alphaworks
forum Kirk Wolf Dovetailed Technologies On Wed, Jan 14, 2009
at 8:21 AM, John McKown joa...@swbell.net wrote: I know this is
not directly applicable. However, there may be mainframe shops
which
are using the RDz (or whatever IBM is calling it this week) IDE in
addition to ISPF. RDz is based on Eclipse. I've never gotten the hang
of Eclipse. These articles may help.
http://www.ibm.com/developerworks/views/opensource/libraryview.jsp?sear
ch_by=mastering+eclipse+v3.4 Tiny URL:
http://preview.tinyurl.com/9u5phz -- John
--
For IBM-
MAIN subscribe / signoff / archive access instructions, send email
to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search
the archives at http://bama.ua.edu/archives/ibm-main.html
---
--- For
IBM-MAIN subscribe / signoff / archive access instructions, send
email
to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search
the
archives at http://bama.ua.edu/archives/ibm-main.html
_
Chatea en Messenger desde Hotmail.
http://download.live.com
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Def alias error in RACF
Sorry, the subject has been changed, must be like that...
Date: Wed, 14 Jan 2009 17:19:41 -0600 From: jccorde...@hotmail.com Subject:
Re: Eclipse articles To: IBM-MAIN@bama.ua.edu Colleagues,
Somebody can help me to know what causes the next error at the moment to
define an Alias in a RACF environment with z/OS V1.7 release? At the
moment to send the request in command line (through the RACF command 'define
alias'); not with the idcams utility; appears the next error: Menu List
Mode Functions Utilities Help
ss
ISPF Command Shell Enter TSO or Workstation commands below: === def alias
(name ('xm0007') relate ('UCATCOBD.USER')) Place cursor on choice and press
enter to Retrieve command = re xm02028 group(admprore = lu xm02028 = = =
= = = = IDC3018I SECURITY VERIFICATION FAILED+ IDC0014I LASTCC=12
IDC3009I ** VSAM CATALOG RETURN CODE IS 56 - REASON CODE IS IGG0CLFT-36 ***
And of course, when we run the Define Alias through the idcams utility, its
ok.Thanks for your HelpDate: Wed, 14 Jan 2009 15:35:02 -0600
From: k...@dovetail.com Subject: Re: Eclipse articles To:
IBM-MAIN@bama.ua.edu Also of interest may be the IBM JZOS Cookbook, which
is a book and an Eclipse project containing lots of sample code. It only
requires that you have z/OS and the (free) z/OS Java SDK along with free
open source software such as Eclipse, Spring, Ant, Apache java tools, etc.
It is focused on using the JZOS batch launcher and toolkit (part of the z/OS
Java SDK). The examples in the cookbook can also be used in conjunction with
the RDz IDE. The JZOS Cookbook is one of the downloads available from the
JZOS alphaworks site: http://www.alphaworks.ibm.com/tech/zosjavabatchtk
Questions on the cookbook or sample project can be posted to the JZOS
alphaworks forum Kirk Wolf Dovetailed Technologies On Wed, Jan 14,
2009 at 8:21 AM, John McKown joa...@swbell.net wrote: I know this is
not directly applicable. However, there may be mainframe shops which are
using the RDz (or whatever IBM is calling it this week) IDE in addition to
ISPF. RDz is based on Eclipse. I've never gotten the hang of Eclipse.
These articles may help.
http://www.ibm.com/developerworks/views/opensource/libraryview.jsp?search_by=mastering+eclipse+v3.4
Tiny URL: http://preview.tinyurl.com/9u5phz -- John
-- For
IBM-MAIN subscribe / signoff / archive access instructions, send email to
lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the
archives at http://bama.ua.edu/archives/ibm-main.html
-- For
IBM-MAIN subscribe / signoff / archive access instructions, send email to
lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives
at http://bama.ua.edu/archives/ibm-main.html
_ Chatea en
Messenger desde Hotmail. http://download.live.com
-- For
IBM-MAIN subscribe / signoff / archive access instructions, send email to
lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives
at http://bama.ua.edu/archives/ibm-main.html
_
Comunícate rápido y fácil al compartir tu lista de contactos en Windows Live
http://download.live.com
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Def alias error in RACF
Carlos Cordero wrote:
Sorry, the subject has been changed, must be like that...
Date: Wed, 14 Jan 2009 17:19:41 -0600 From: jccorde...@hotmail.com Subject: Re: Eclipse articles To: IBM-MAIN@bama.ua.edu
Colleagues,Somebody can help me to know what causes the next error at the moment to define an Alias in a RACF environment with z/OS V1.7
release? At the moment to send the request in command line (through the RACF command 'define alias'); not with the idcams utility; appears the next
error: Menu List Mode Functions Utilities Help ss ISPF Command
Shell Enter TSO or Workstation commands below: === def alias (name ('xm0007') relate ('UCATCOBD.USER')) Place cursor on choice and press enter to
Retrieve command = re xm02028 group(admprore = lu xm02028 = = = = = = = IDC3018I SECURITY VERIFICATION FAILED+ IDC0014I
LASTCC=12 IDC3009I ** VSAM CATALOG RETURN CODE IS 56 - REASON CODE IS IGG0CLFT-36 *** And of course, when we run the Define Alias throug
h the idcams utility, its ok.Thanks for your HelpDate: Wed, 14 Jan 2009 15:35:02 -0600 From: k...@dovetail.com Subject: Re: Eclipse articles To:
IBM-MAIN@bama.ua.edu Also of interest may be the IBM JZOS Cookbook, which is a book and an Eclipse project containing lots of sample code. It only requires that you have z/OS and
the (free) z/OS Java SDK along with free open source software such as Eclipse, Spring, Ant, Apache java tools, etc. It is focused on using the JZOS batch launcher and toolkit (part of
the z/OS Java SDK). The examples in the cookbook can also be used in conjunction with the RDz IDE. The JZOS Cookbook is one of the downloads available from the JZOS alphaworks
site: http://www.alphaworks.ibm.com/tech/zosjavabatchtk Questions on the cookbook or sample project can be posted to the JZOS alphaworks forum Kirk Wolf
Dovetailed Technologies On Wed, Jan 14, 2009 at 8:21 AM, John McKown joa...@swbell.net wrote: I know
this is not directly applicable. However, there may be mainframe shops which are using the RDz (or whatever IBM is calling it this week) IDE in addition to ISPF. RDz is based on
Eclipse. I've never gotten the hang of Eclipse. These articles may help.
http://www.ibm.com/developerworks/views/opensource/libraryview.jsp?search_by=mastering+eclipse+v3.4 Tiny URL: http://preview.tinyurl.com/9u5phz --
John -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to
lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message:
GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/i
bm-main.html _ Chatea en
Messenger desde Hotmail. http://download.live.com
-- For IBM-MAIN subscribe /
signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET
IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
What are you using to make your email so unreadable? I
see it as one long line.
Kind regards,
-Steve Comstock
The Trainer's Friend, Inc.
303-393-8716
http://www.trainersfriend.com
z/OS Application development made easier
* Our classes include
+ How things work
+ Programming examples with realistic applications
+ Starter / skeleton code
+ Complete working programs
+ Useful utilities and subroutines
+ Tips and techniques
== Check out the Trainer's Friend Store to purchase z/OS ==
== application developer toolkits. Sample code in four==
== programming languages, JCL to Assemble or compile, ==
== bind and test. ==
== http://www.trainersfriend.com/TTFStore/index.html==
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
