TSS

2005-05-24 Thread Ted MacNEIL
...
In the vein of Juan's much missed queries, how did TSS come about???
...

There was a discussion a couple of months ago on this.

DataCrown, then CrownTech, then DataCrown, then ISM, then IGS, all in Canada.

A few SYSPROGs wrote a security system called ACCESS.
It, in general, used RACF interfaces,
prior to SAF.
It was cumbersome, but they managed to improve it.

It was eventually acquired by CA.
Need I say more?
(8-{]}

[EMAIL PROTECTED]

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: TSS

2005-05-25 Thread Shmuel Metz (Seymour J.)
In <[EMAIL PROTECTED]>, on 05/24/2005 at 12:00 AM, Ted MacNEIL <[EMAIL PROTECTED]> said:

>Subject: TSS

To some of us, TSS refers to software a good deal older than CA.
Google for "360/67".
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see <http://patriot.net/~shmuel/resume/brief.html> 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



TSS PRIVPGM in RACF

2005-12-12 Thread Josan Cardenosa
Hello all,

We're a TSS shop with option 14 configured. That means that our PRIVPGM
programs can be executed from linklist or any other library if no LIB()
parameter is specified.

We're considering switching off option 14. Then, all PRIVPGM programs
without LIB() will only be able to be executed from a library in
linklist. Do you know if RACF works in this way? We don't want to make a
change that moves us away from the "RACF working way".

Regards and thanks in advance.
Josan Cardenosa
z/OS system engineer.



TSS (Transaction Security System)

2010-07-13 Thread Miklos Szigetvari

Hi

Could someone help me find something about TSS?
(I find only some very old descriptions)



Re: TSS PRIVPGM in RACF

2005-12-12 Thread Barry Schwarz
I don't know what TSS option 14 and PRIVPGM are but the following may help.  
RACF enforces program control via two mechanisms:
   
One mechanism is data set access.  In order to execute a program, 
the user must have at least execute access to the library that the program 
resides in.  It does not matter how the user is granted this access (UACC, 
ID(*), GAT, group or user ID in access list, operations authority, etc).  This 
restriction does not apply to programs loaded via the LNKLST.
   
The second mechanism is the PROGRAM resource class.  If you look in 
the archives of the RACF list, Walt Farrell has provided expanded descriptions 
of what this class does.  However, unless the security administrator creates 
profiles for programs, the default is to allow execution.



Re: TSS (Transaction Security System)

2010-07-13 Thread Kelman, Tom
The TSS I know about is also known as TopSecret.  It is a Computer
Associates product.  You should be able to get the information on the
latest release here - http://www.ca.com/us/products/product.aspx?id=141.
CA also has the product ACF2.  Both TopSecret and ACF2 are products that
replace RACF.

Tom Kelman
Capacity Planning
Commerce Bank, Kansas City



Re: TSS (Transaction Security System)

2010-07-13 Thread John McKown
On Tue, 2010-07-13 at 14:01 +0200, Miklos Szigetvari wrote:
> Hi
> 
> Could someone help me find something about TSS?
> (I find only some very old descriptions)
> 

TSS could be Top Secret Security - a replacement for RACF from CA. It is
still an active product. CA could likely tell you more.

Could you possibly mean TSS/360? It was an IBM operating system for the
S/360. There was also a TSS/370. Time Sharing System is what it stood
for. Some information here:
http://en.wikipedia.org/wiki/TSS/360

-- 
John McKown
Maranatha! <><



Re: TSS (Transaction Security System)

2010-07-13 Thread Anne & Lynn Wheeler
joa...@swbell.net (John McKown) writes:
> TSS could be Top Secret Security - a replacement for RACF from CA. It is
> still an active product. CA could likely tell you more.
>
> Could you possibly mean TSS/360? It was an IBM operating system for the
> S/360. There was also a TSS/370. Time Sharing System is what it stood
> for. Some information here:
> http://en.wikipedia.org/wiki/TSS/360

aka, official product for the 360/67 virtual memory (i.e. pretty much
360/65 with hardware address translation added).

science center had been hoping to win project mac ... with virtual
memory system. project mac (aka something of followon to ctss) went to
GE & multics.

the science center decided to do a virtual memory system anyway ... they
tried to get 360/50 to modify with hardware address translation ... but
all the spare 360/50s were going to air traffic control system ... so
they had to settle for 360/40 that they modified ... and built (virtual
memory, virtual machine) cp/40. when a 360/67 machine was finally
available, cp/40 morphed into cp/67. folklore is that at some point,
there were a 100 people working on tss/360 for every person working on
cp67/cms (& something about large number of people contributing to
extremely bloated software).

some amount of gory details are available in melinda's virtual machine
history found here:
http://www.princeton.edu/~melinda/

in various formats:
http://www.princeton.edu/~melinda/25paper.listing
http://www.princeton.edu/~melinda/25paper.ps
http://www.princeton.edu/~melinda/25paper.pdf

bitsaver has some number of old tss/360 documents
http://www.bitsavers.org/pdf/ibm/360/tss/

as well as 360/67 functional characteristics
http://www.bitsavers.org/pdf/ibm/360/funcChar/

a couple recent posts mentioning CTSS:
http://www.garlic.com/~lynn/2010k.html#48 GML
http://www.garlic.com/~lynn/2010k.html#55 GML
http://www.garlic.com/~lynn/2010k.html#61 GML
http://www.garlic.com/~lynn/2010k.html#69 GML

other past posts mentioning science center
http://www.garlic.com/~lynn/subtopic.html#545tech

later tss/370 effort got a special deal with at&t to do a stripped down
low-level tss/370 kernel (SSUP) that would have unix layered on top.

-- 
virtualization experience starting Jan1968, online at home since Mar1970



CA-TSS R8 and CICS 4.1

2006-01-11 Thread Kreiter, Chuck
Anyone successfully using CA's TSS release 8 with the old, unsupported
CICS 4.1?  We are trying to upgrade to z/OS 1.7 and found that TSS
release 8 is required for z/OS 1.7.  However, we have been told that TSS
release 8 will not work with CICS 4.1. 

Thanks, 

Chuck Kreiter
Lead Systems Programmer
State Auto Insurance





Sec:Tool for TSS for z/OS Announcement

2010-03-12 Thread John P. Baker
HFD Technologies is pleased to announce the availability of Sec:Tool for TSS
for z/OS.

Sec:Tool is a CICS-based challenge-response system providing end-users the
capability to reset their passwords and to remove threshold suspensions
without any intervention on the part of your corporate help desk.

Administrative suspensions cannot be removed by end-users.

Sec:Tool provides an immediate ROI.

Sec:Tool reduces costs through self-service administration of selected user
functions.

Sec:Tool has no tier pricing!

Sec:Tool has no per/user charge!

Sec:Tool is competitively priced!

Substantial discounts are available for multiple CPUs.

John P. Baker
Chief Software Architect
HFD Technologies
(856) 740-5038




RACF and TSS in the Parallel Sysplex

2011-06-16 Thread Perry Mayes
Good day:
 
We are running a 3 system parallel sysplex secured with TSS.  We want to 
introduce a 4th machine into the plex which will essentially be a DB2 server.  
In order to keep costs manageable we will be running our IBM software using the 
zNALC license model including RACF.
 
Has anyone done this with success?   
 
Thanks



Re: RACF and TSS in the Parallel Sysplex

2011-06-16 Thread Scott Rowe
I know there is an issue with console security in a sysplex with mixed
security products.  I think it can be manageable, but you have to understand
it fully to be sure you avoid exposures.

On Thu, Jun 16, 2011 at 10:33 AM, Perry Mayes wrote:

> Good day:
>
> We are running a 3 system parallel sysplex secured with TSS.  We want to
> introduce a 4th machine into the plex which will essentially be a DB2
> server.  In order to keep costs manageable we will be running our IBM
> software using the zNALC license model including RACF.
>
> Has anyone done this with success?
>
> Thanks
>


Re: RACF and TSS in the Parallel Sysplex

2011-06-16 Thread Hal Merritt
Define 'success' :-)

I'd be very concerned about the administration of such a multi headed beast.  
If there is shared DASD, then all would have to be kept in  sync, a near 
impossibility. And, oh my, the passwords. You'd want some sort of common 
password management scheme or your users may form lynch mobs. 

I have two separate RACF environments (no shared DASD) to manage and it is a 
royal PITA. 

I'd ask CA to either play ball or strike out. To management I'd suggest that 
the TCO of such a beast might outweigh any difference in just software costs. 

But perhaps the real issue is that a knowledgeable auditor will burn you but 
good. They'd argue that shared dasd needs to be protected by a shared security 
database.   

The good news is that the two are close enough that conversion from TSS to RACF 
is not that bad. 

IMNSHO: pick one. 

 



Re: RACF and TSS in the Parallel Sysplex

2011-06-16 Thread Dana Mitchell
On Thu, 16 Jun 2011 10:33:48 -0400, Perry Mayes  wrote:

> 
>Has anyone done this with success?   
> 
>Thanks
>
I worked with a previous installation that had a mixture of RACF and TSS 
systems in a sysplex with no problems.   Granted, this was a 'Bronzeplex' by 
IBM's definition,   so there was a minimum of  datasharing going on (Logger 
and GRS star). As far as I know this is still operating this way today.

Dana



Re: RACF and TSS in the Parallel Sysplex

2011-06-16 Thread Rob Schramm
Hal,

I think I would both respectfully disagree and agree.  Dang there I go
hanging out on both sides of the fence.

As a general matter of keeping things simple, sure going with just one
security product would be a good idea.

But in this case, the zNALC is going to have a very limited user base
and the data set security layout should be able to be duplicated with
some basic work (unless it is a mess ... in which case it represents
an opportunity to clean things up and standardize).

In the light of opportunity, it is a clear opportunity to beat CA over
the head to fix licensing costs.  It is always better to hold up the
proverbial loaded gun when negotiating.  Having RACF in-house gives the
opportunity to generally explore, compare, and gain some experience
with RACF.

Also, with all the conversion experts out there.. there are some tools
to generally convert Top Secret into RACF without completing the rest
of the conversion for the other LPARs.

If there is a user provisioning product, it may be able to handle the
added product as well.

Rob Schramm
Senior Systems Consultant
Imperium Group LLC
w: 513.305.6224



On Thu, Jun 16, 2011 at 11:53 AM, Dana Mitchell  wrote:
> On Thu, 16 Jun 2011 10:33:48 -0400, Perry Mayes wrote:
>
>>
>>Has anyone done this with success?
>>
>>Thanks
>>
> I worked with a previous installation that had a mixture of RACF and TSS
> systems in a sysplex with no problems.   Granted, this was a 'Bronzeplex' by
> IBM's definition,   so there was a minimum of  datasharing going on (Logger
> and GRS star).     As far as I know this is still operating this way today.
>
> Dana
>


Re: RACF and TSS in the Parallel Sysplex

2011-06-16 Thread Schumacher, Otto
We used the Vanguard Corporation to help with a project to convert one site's 
CA-TSS security to RACF.  We also used the same corporation to convert another 
site from CA-ACF2 to RACF.  We also use the Vanguard Security Administration 
and Reporting products to enhance the RACF security administration 
capabilities. We do not use the RACF SDSF panels for administration. These 
projects were initiated by the Ahold Corporation to support the security 
support for the companies it was providing computer support. These projects 
eliminated the need to have expertise in all three mainframe security products. 
 These projects were not initiated by HP.

Regards
Otto Schumacher
 
HP Enterprise Services
Infrastructure Specialist
Ahold Account
CICS & Capacity Technical Support
P.O. Box 6462
2000 Wade Hampton Blvd.
LC1-302
Greenville,  South Carolina, 29606
Cell: 864 569--5338
Tel: 864 987-1417
Fax: 864 987-4500
E-mail: otto.schumac...@hp.com



z/OS 1.8, TSS 9.0 and ALLOWUSERKEY(NO)

2007-02-26 Thread Jousma, David
Does anyone have the above combination working?  We are just kicking the
tires of z/OS 1.8 in one of our sandboxes, and it seems as though TSS 9
has problems if ALLOWUSERKEY(NO) is set in DIAG00.  I find it somewhat
hard to believe, but I guess I am not surprised.  I did a quick search
on ca's support website and didn't see anything that caught my eye.

Dave


Dave Jousma
Principal Systems Programmer
[EMAIL PROTECTED]
616.653.8429




RACF/TSS reporting (was RE: Security Packages Percentages)

2007-04-10 Thread Anthony Saul Babonas
Bah humbug redux!  Same mediocre programmer needed (me again).  Slight twist
in that the security system outsources the data store to SMF.  Trivial for
Top Secret, merely easy in RACF.  

Did it last night, in the dark hours.  Fortunately our auditors only work
in the daylight, but other interested parties do join us for late night
hijinks.

 

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of Rick Fochtman
Sent: Tuesday, April 10, 2007 1:13 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Security Packages Percentages


Bah humbug, any mediocre programmer (me for instance) can write every RACF
report ever wanted. Freeware (Nigel's collection and others) abounds.

These require some knowledge of the IRRDBU00 file and some basic DF/SORT
skills. I wrote a bunch of SAS stuff years ago but I'll be changing most over
to DFSORT, exploiting SPLICE and other goodies Mr. Yeager provides.

OBTW, same comment applies for Top Secret, the extract files from that
product and RACF are remarkably similar.

I respectfully disagree. The contents of the database can be reported, as
you say, by re-formatting the IRRDBU00 output. That doesn't help much when
senior management calls you at o-dark-thirty in the morning and wants to
know who's been updating a particular control PDS since 3:00 PM yesterday.
Or who invoked a particularly destructive CICS transaction and clobbered
several hundred customer-related account records. 
Reporting database contents is wonderful, especially when auditors show up,
but those audit trails in SMF are also important, especially to a fiduciary
and the inability to generate reports from those audit trails might be a
career-limiting condition.



Re: z/OS 1.8, TSS 9.0 and ALLOWUSERKEYCSA(NO)

2007-02-26 Thread Jousma, David
Oops, that should have been ALLOWUSERKEYCSA(NO)

Fixing subject for accuracy.


Does anyone have the above combination working?  We are just kicking the
tires of z/OS 1.8 in one of our sandboxes, and it seems as though TSS 9
has problems if ALLOWUSERKEYCSA(NO) is set in DIAG00.  I find it
somewhat hard to believe, but I guess I am not surprised.  I did a quick
search on ca's support website and didn't see anything that caught my
eye.

Dave


Dave Jousma
Principal Systems Programmer
[EMAIL PROTECTED]
616.653.8429




Re: z/OS 1.8, TSS 9.0 and ALLOWUSERKEYCSA(NO)

2007-02-26 Thread Russell Witt
David,

I will check with the Top Secret support people and get back to you on the
list. I know that they are attempting to run all of CA's R&D LPAR's with
ALLOWUSERKEYCSA(NO), but can't until all products support it (weakest link
situation). But still, I know that Top Secret has access to mini-systems
where this should have been tested and corrected by now.

Russell Witt
CA-1 Level-2 Support Manager



R_Admin/IRRSEQ00 and non-IBM External Security Products (ACF2, TSS)

2006-02-24 Thread Jim Keohane
Has anyone heard of R_Admin/IRRSEQ00 invoking ACF2 or TSS at least for just 
a TSO admin command via function code ADMN_RUN_COMD?

R_Admin/IRRSEQ00 is a SAF Callable Service. The SAF implies some standard 
usage across different ESM's (external security managers) like RACF, ACF2 & Top 
Secret.

I think IRRSEQ00 invokes IRRREQ00 under the covers to invoke RACF. Is there 
an ACF2 or TSS version of IRRREQ00? Does ACF2 or TSS use the pre-RACF exit to 
massage RACF parameters?

I assume TSOLINK (IKJEFTxx?) can be used to issue ACF2/TSS TSO commands but 
prefer to use IRRSEQ00/R_Admin in some instances.

Thanks!

Jim Keohane 



Re: R_Admin/IRRSEQ00 and non-IBM External Security Products (ACF2, TSS)

2006-02-24 Thread Walt Farrell

On 2/24/2006 12:46 PM, Jim Keohane wrote:

> Has anyone heard of R_Admin/IRRSEQ00 invoking ACF2 or TSS at least for just
> a TSO admin command via function code ADMN_RUN_COMD?
>
> R_Admin/IRRSEQ00 is a SAF Callable Service. The SAF implies some standard usage
> across different ESM's (external security managers) like RACF, ACF2 & Top
> Secret.

No, SAF does not imply that.  It implies that the other security 
products -should- support the function, but whether they -do- or not is 
entirely up to them.

R_admin is a bit of an oddity, since with the exception of the "run 
command" option it is quite RACF-specific in format.  However, the other 
security products could support that one, if they wish to, and they 
could (again if they wish) do some kind of mapping of the more 
structured formats into their own terms.

> I think IRRSEQ00 invokes IRRREQ00 under the covers to invoke RACF. Is there
> an ACF2 or TSS version of IRRREQ00? Does ACF2 or TSS use the pre-RACF exit to
> massage RACF parameters?

RACF provides IRRREQ00.  But that's too a level to look at.  IRRSFR10 
(the SAF2 callable service router) invokes whatever the SAF vector table 
points to.  The security product initialization routines fill in the 
address in the SAF vector table.  RACF provides the address of IRRRFR10 
in the vector table in order to support the callable services.  ACF2 and 
Top Secret would supply their own addresses.

RACF's IRRFRF10 happens to invoke IRRREQ00 (a module also supplied by 
RACF).  ACF2 or Top Secret would invoke whatever module they want, or no 
module at all if they do not want to support a particular function.

> I assume TSOLINK (IKJEFTxx?) can be used to issue ACF2/TSS TSO commands but
> prefer to use IRRSEQ00/R_Admin in some instances.

I have no idea whether either approach would work.

Walt Farrell, CISSP
z/OS Security Design, IBM
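
The dispatch Walt Farrell describes above (a common router that calls whatever address the active security product placed in a vector table, with each product free to decline a function) modelled in portable C. This is an added example, not code from the thread, IBM or CA; the return codes, the numeric function codes, `FN_STRUCTURED_REQUEST`, the command strings and both product routers are constructed for the model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes for this model only (constructed, not the real SAF values). */
enum { RC_OK = 0, RC_NOT_SUPPORTED = 4, RC_NO_PRODUCT = 8, RC_BAD_PARM = 12 };

/* ADMN_RUN_COMD is the function named in the thread; its numeric value here
 * and FN_STRUCTURED_REQUEST are placeholders invented for the model. */
enum { ADMN_RUN_COMD = 1, FN_STRUCTURED_REQUEST = 2 };

typedef int (*router_fn)(int fn, const char *req, char *reply, size_t len);

/* Stand-in for the vector table slot that product initialization fills in. */
struct vector_table { router_fn callable_service_router; };
static struct vector_table vt;   /* zeroed: no security product active yet */

/* Product A: its router hands every function to one worker module. */
static int product_a_worker(int fn, const char *req, char *reply, size_t len)
{
    snprintf(reply, len, "A handled fn %d: %s", fn, req);
    return RC_OK;
}
static int product_a_router(int fn, const char *req, char *reply, size_t len)
{
    return product_a_worker(fn, req, reply, len);
}

/* Product B: supports only the run-command function and declines the rest. */
static int product_b_router(int fn, const char *req, char *reply, size_t len)
{
    if (fn != ADMN_RUN_COMD) {
        reply[0] = '\0';
        return RC_NOT_SUPPORTED;
    }
    snprintf(reply, len, "B ran command: %s", req);
    return RC_OK;
}

/* Each product's initialization stores its own router address in the table. */
void product_a_init(void) { vt.callable_service_router = product_a_router; }
void product_b_init(void) { vt.callable_service_router = product_b_router; }
void no_product(void)     { vt.callable_service_router = NULL; }

/* The common router knows only the table, never the product behind it. */
int service_router(int fn, const char *req, char *reply, size_t len)
{
    if (req == NULL || reply == NULL || len == 0)
        return RC_BAD_PARM;
    if (vt.callable_service_router == NULL) {
        reply[0] = '\0';
        return RC_NO_PRODUCT;
    }
    return vt.callable_service_router(fn, req, reply, len);
}

/* Caller-side check: 1 if the callable service did the work, 0 if the caller
 * must use another route. The interface existing does not mean the installed
 * product implements the function, so the return code decides. */
int admin_request(int fn, const char *req, char *reply, size_t len)
{
    return service_router(fn, req, reply, len) == RC_OK;
}

int main(void)
{
    char reply[64];
    int rc;

    no_product();
    rc = service_router(ADMN_RUN_COMD, "SAMPLE COMMAND", reply, sizeof reply);
    printf("no product:            rc=%d reply='%s'\n", rc, reply);

    product_a_init();
    rc = service_router(FN_STRUCTURED_REQUEST, "USER1", reply, sizeof reply);
    printf("product A, structured: rc=%d reply='%s'\n", rc, reply);

    product_b_init();
    rc = service_router(ADMN_RUN_COMD, "SAMPLE COMMAND", reply, sizeof reply);
    printf("product B, run cmd:    rc=%d reply='%s'\n", rc, reply);
    rc = service_router(FN_STRUCTURED_REQUEST, "USER1", reply, sizeof reply);
    printf("product B, structured: rc=%d reply='%s'\n", rc, reply);
    return 0;
}
```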



What facilities or conventions for ACF2 and TSS like RACF exit daisy-chaining?

2006-06-05 Thread Jim Keohane (MPI)
Hi Folks,

   Does TSS or ACF2 have facilities to allow multiple modules to be 
daisy-chained when an exit is invoked?

   If no facilities, are there any popular conventions for doing same?

   This would be for the case where a vendor and the customer (or multiple 
vendors) supply the same exit (OCO).

   One roll-your-own approach would be to have one module have a weak extern to 
a name to which the other module is renamed. The first module gets control and, 
if weak extern resolved then invokes the second module (both linked together) 
before or after its own processing.

Thanks!  - Jim

Jim Keohane
Multi-Platforms, Inc.



Re: What facilities or conventions for ACF2 and TSS like RACF exit daisy-chaining?

2006-06-12 Thread Tony Harminc
Last week Jim Keohane of Multi-Platforms, Inc. wrote:

>Does TSS or ACF2 have facilities to allow multiple 
> modules to be daisy-chained when an exit is invoked?
> 
>If no facilities, are there any popular conventions for doing same?
> 
>This would be for the case where a vendor and the customer 
> (or multiple vendors) supply the same exit (OCO).
> 
>One roll-your-own approach would be to have one module 
> have a weak extern to a name to which the other module is 
> renamed. The first module gets control and, if weak extern 
> resolved then invokes the second module (both linked 
> together) before or after its own processing.

I don't believe either product has any built-in facility for this. We have
provided exits for RACF as well as TSS and ACF/2 for a long time, and
generally have provided a small front-end module in source, that contains a
vcon for our OCO exit code, and detailed instructions to allow the customer
to link it in with either their own code or another vendor's, or both.
Depending on the exit's function, it may be a requirement to have exits
driven in a particular order, and to have subsequent exits honour (or not)
the return codes from earlier ones. And there are exits from which a
non-zero RC does not mean anything is wrong. Things can get ugly.

In the case of RACF and ACF/2, it is feasible to install the exits
dynamically, even though this is unsupported by IBM and CA respectively.
This is extremely well received by customers who might otherwise face an IPL
or at least a security system restart just to install (and remove...) a
product. We load a tiny gateway module into CSA, and never delete it. Then
if another product installs its own exit after ours or otherwise de- or
re-chains itself with respect to our code, or we need to reload our exit(s),
we avoid the risk of branching to code that isn't there anymore, and various
other unpleasant results. 

We don't know how to do a dynamic exit in TSS. Although there are some
pointers to the exit at various places in storage, we have chosen not to try
to reverse engineer TSS's scheme. The nature of the one-and-only TSS exit
also makes things a bit more complicated, as there is a matrix of supported
functions, which must of course include those required for all exits that
are linked together.

We'd be happy to discuss details of what we do in this area with other
vendors or customers, to the end of making life less complex and more
reliable for all concerned.

Tony Harminc
Proginet Corporation
[EMAIL PROTECTED]
http://www.proginet.com
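
The front-end and gateway arrangement Tony Harminc describes above, modelled in portable C rather than assembler: one permanent entry point drives the chained exits in a fixed order, applies a per-exit rule for whether a non-zero return code ends the chain, and skips an exit that has been removed instead of branching to it. This is an added example, not Proginet's, IBM's or CA's code; the parameter block, the three exits, their return codes and every function name are constructed for the model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_EXITS 4

/* Parameter block handed to every exit (constructed for this example). */
struct exit_parms {
    size_t new_password_len;
    char trace[MAX_EXITS + 1];      /* one letter per exit actually driven */
};

typedef int (*exit_fn)(struct exit_parms *p);

/* Does a non-zero RC from this exit end the chain, or is it informational? */
enum rc_policy { RC_INFORMATIONAL, RC_STOPS_CHAIN };

struct chained_exit {
    const char *owner;
    exit_fn fn;                     /* NULL: slot vacated, gateway skips it */
    enum rc_policy policy;
};

/* The gateway is the one address the caller branches to; it is never freed. */
struct gateway {
    struct chained_exit slot[MAX_EXITS];
    int used;
};

static void note(struct exit_parms *p, char c)
{
    size_t n = strlen(p->trace);
    if (n < MAX_EXITS) { p->trace[n] = c; p->trace[n + 1] = '\0'; }
}

/* Three constructed exits whose return codes mean different things. */
static int vendor_exit(struct exit_parms *p)     /* RC 8 = reject request */
{ note(p, 'V'); return p->new_password_len < 8 ? 8 : 0; }
static int customer_exit(struct exit_parms *p)   /* RC 4 = "logged", no error */
{ note(p, 'C'); return 4; }
static int audit_exit(struct exit_parms *p)      /* has to be driven last */
{ note(p, 'A'); return 0; }

/* Exits are driven in installation order. Returns the slot index or -1. */
int gateway_install(struct gateway *g, const char *owner, exit_fn fn,
                    enum rc_policy policy)
{
    if (fn == NULL || g->used >= MAX_EXITS) return -1;
    g->slot[g->used] = (struct chained_exit){ owner, fn, policy };
    return g->used++;
}

/* Removal vacates the slot; the gateway and the order of the rest survive. */
int gateway_remove(struct gateway *g, const char *owner)
{
    for (int i = 0; i < g->used; i++)
        if (g->slot[i].fn != NULL && strcmp(g->slot[i].owner, owner) == 0) {
            g->slot[i].fn = NULL;
            return 0;
        }
    return -1;
}

int gateway_entry(struct gateway *g, struct exit_parms *p)
{
    for (int i = 0; i < g->used; i++) {
        if (g->slot[i].fn == NULL) continue;      /* exit was removed */
        int rc = g->slot[i].fn(p);
        if (rc != 0 && g->slot[i].policy == RC_STOPS_CHAIN) return rc;
    }
    return 0;
}

/* Build the chain, optionally remove the vendor exit, then drive it once. */
int demo_chain(size_t password_len, int remove_vendor, char *trace_out)
{
    struct gateway g;
    struct exit_parms p = { password_len, "" };
    memset(&g, 0, sizeof g);
    gateway_install(&g, "vendor", vendor_exit, RC_STOPS_CHAIN);
    gateway_install(&g, "customer", customer_exit, RC_INFORMATIONAL);
    gateway_install(&g, "audit", audit_exit, RC_STOPS_CHAIN);
    if (remove_vendor) gateway_remove(&g, "vendor");
    int rc = gateway_entry(&g, &p);
    strcpy(trace_out, p.trace);
    return rc;
}

int main(void)
{
    char t[MAX_EXITS + 1];
    int rc = demo_chain(5, 0, t);
    printf("short password:           rc=%d driven=%s\n", rc, t);
    rc = demo_chain(12, 0, t);
    printf("long password:            rc=%d driven=%s\n", rc, t);
    rc = demo_chain(5, 1, t);
    printf("short, vendor exit gone:  rc=%d driven=%s\n", rc, t);
    return 0;
}
```

The third case shows the cost of removing an exit from a chain: the call still completes safely, but the check that exit enforced is silently gone, which is worth alerting on in a real installation.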
