Re: REXX determine library that is executed from

2016-11-19 Thread Mike Shorkend
Like Walt suggested, use the PARSE SOURCE function:

 /*rexx*/
 /* PARSE SOURCE tokens 4 and 5 are the DD name and the data set name */
 parse source . . . dd dataset .
 say "DD name is " dd
 say "dataset name is " dataset



On 20 November 2016 at 03:44, Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Sat, 19 Nov 2016 19:36:41 -0600, Walt Farrell wrote:
>
> >On Sat, 19 Nov 2016 19:30:28 -0600, Donald Likens wrote:
> >
> >>Has anyone come up with a way for a REXX program to determine the
> >>library it resides in?
> >
> >Have you looked at the REXX parse source instruction?
> >
> To cite a recent statement by an expert:
>
> The DEB is buil[t] during OPEN. ... By the time ..., the information
> about an individual data set is long gone.
>
> I suppose the Rexx interpreter could find something in the TIOT.
>
> -- gil
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
Mike Shorkend
m...@shorkend.com
www.shorkend.com
Tel: +972524208743
Fax: +97239772196

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: LDAP on z/os

2016-11-19 Thread venkat kulkarni
Hello Paul,

Yes, I think my requirement was not clear to all. Basically, the LDAP server is
running on some Windows or Linux box, and we want to integrate the mainframe
with it as an LDAP client for any sort of login to the mainframe, which can be TSO,
CICS, DB2, etc.

Please suggest.

On Nov 20, 2016 05:24, "Paul Gilmartin" <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Sun, 20 Nov 2016 10:00:53 +0800, Timothy Sipples wrote:
>
> >Venkat, the base z/OS operating system includes a terrific Lightweight
> >Directory Access Protocol (LDAP) server at no additional charge. It
> >supports industry standard LDAP v3 protocols. You can configure it in a
> >variety of ways, but if you want a simple, straightforward implementation
> >that allows TSO, CICS Transaction Server, DB2 for z/OS, and lots of other
> >applications and middleware to share the same IDs and passwords then (in
> >basic outline):
> >
> I believe the OP was thinking of a client.
>
> I suspect that the mainframe LOB is less than 1% of my employer's
> enterprise.  The LDAP server is probably on Windows or Linux.
> Realistically, Single Signon will not extend to those mainframes
> until "the base z/OS operating system includes a terrific Lightweight
> Directory Access Protocol (LDAP)" client "at no additional charge."
>
> I'll provide your sales personnel the name of our CEO if they
> promise anonymity.
>
> Our mainframes are probably considered laboratory equipment,
> below the company policy radar.
>
> -- gil
>


Re: LDAP on z/os

2016-11-19 Thread Paul Gilmartin
On Sun, 20 Nov 2016 10:00:53 +0800, Timothy Sipples wrote:

>Venkat, the base z/OS operating system includes a terrific Lightweight
>Directory Access Protocol (LDAP) server at no additional charge. It
>supports industry standard LDAP v3 protocols. You can configure it in a
>variety of ways, but if you want a simple, straightforward implementation
>that allows TSO, CICS Transaction Server, DB2 for z/OS, and lots of other
>applications and middleware to share the same IDs and passwords then (in
>basic outline):
> 
I believe the OP was thinking of a client.

I suspect that the mainframe LOB is less than 1% of my employer's
enterprise.  The LDAP server is probably on Windows or Linux.
Realistically, Single Signon will not extend to those mainframes 
until "the base z/OS operating system includes a terrific Lightweight
Directory Access Protocol (LDAP)" client "at no additional charge."

I'll provide your sales personnel the name of our CEO if they
promise anonymity.

Our mainframes are probably considered laboratory equipment,
below the company policy radar.

-- gil



Re: LDAP on z/os

2016-11-19 Thread Timothy Sipples
Venkat, the base z/OS operating system includes a terrific Lightweight
Directory Access Protocol (LDAP) server at no additional charge. It
supports industry standard LDAP v3 protocols. You can configure it in a
variety of ways, but if you want a simple, straightforward implementation
that allows TSO, CICS Transaction Server, DB2 for z/OS, and lots of other
applications and middleware to share the same IDs and passwords then (in
basic outline):

(a) Configure the z/OS LDAP Server so that it's able to access RACF;

(b) Ideally, preferably, configure RACF (and TSO, etc.) to use passphrases
(and with newer AES encryption of the database);

(c) Point everything you'd like to integrate to the z/OS LDAP Server,
including applications and middleware running on other platforms, and
manage your IDs, permissions, and other LDAP fields there. (TLS encrypted
connections are recommended and supported.)

This approach is quite appealing in many ways. For more information on the
z/OS LDAP Server, please visit:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.tds/tds.htm

Here is the direct link to information on the technical capabilities of the
z/OS 2.2 LDAP Server:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.glpa200/tivlcap.htm#tivlcap


Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com



Re: Which STEPLIB concatenation is not authorized?

2016-11-19 Thread Paul Gilmartin
On Sat, 19 Nov 2016 16:05:08 -0600, Paul Gilmartin wrote:
>
>Hmmm.  If I were to ALLOCATE a UNIX directory with DSORG=PS,
>RECFM=F,LRECL=256; could I read it as a PDS directory?
>
No.  And well documented; a limitation for strong technical reasons,
unlike some arbitrary limitations z/OS imposes.  But it has dismaying
consequences: it's probably a contributing factor to ISPF LM's inability
to process UNIX directories.

Researching this, I found instructions in Using Data Sets that cause
a JCL error.  RCF submitted.

-- gil



Re: REXX determine library that is executed from

2016-11-19 Thread Paul Gilmartin
On Sat, 19 Nov 2016 19:36:41 -0600, Walt Farrell wrote:

>On Sat, 19 Nov 2016 19:30:28 -0600, Donald Likens wrote:
>
>>Has anyone come up with a way for a REXX program to determine the library it 
>>resides in?
>
>Have you looked at the REXX parse source instruction?
> 
To cite a recent statement by an expert:

The DEB is buil[t] during OPEN. ... By the time ..., the information
about an individual data set is long gone.

I suppose the Rexx interpreter could find something in the TIOT.

-- gil



Re: REXX determine library that is executed from

2016-11-19 Thread Lizette Koehler
What problem are you trying to solve?

Also, if you were not aware, there is a TSO-REXX list that also might be helpful.

To join, if you have not done so, go to this webpage and scroll to the bottom:
TSO REXX http://www2.marist.edu/htbin/wlvindex?TSO-REXX

Lizette

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Donald Likens
> Sent: Saturday, November 19, 2016 6:30 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: REXX determine library that is executed from
> 
> Has anyone come up with a way for a REXX program to determine the library it
> resides in?



Re: Invalid characters in JCL symbols passed to SYSIN within a PROC

2016-11-19 Thread Paul Gilmartin
On Sat, 19 Nov 2016 18:47:55 -0600, Mike Schwab wrote:

>If you use quotes, you can put in any character you want into a data
>set name.  If it is uncataloged on a non-SMS volume, it will be created.
>You don't even have to limit yourself to 8 characters between dots.
> 
When I said "name", I didn't intend to imply "data set name".
Alas, the incorporeal first ply in this thread does little to
clarify the context.

But, have you ever tried a data set name beginning with a dot?

-- gil



Re: REXX determine library that is executed from

2016-11-19 Thread Walt Farrell
On Sat, 19 Nov 2016 19:30:28 -0600, Donald Likens wrote:

>Has anyone come up with a way for a REXX program to determine the library it 
>resides in?

Have you looked at the REXX parse source instruction?

-- 
Walt



REXX determine library that is executed from

2016-11-19 Thread Donald Likens
Has anyone come up with a way for a REXX program to determine the library it 
resides in?



Re: Invalid characters in JCL symbols passed to SYSIN within a PROC

2016-11-19 Thread Mike Schwab
If you use quotes, you can put in any character you want into a data
set name.  If it is uncataloged on a non-SMS volume, it will be created.
You don't even have to limit yourself to 8 characters between dots.

On Fri, Nov 18, 2016 at 9:47 PM, Paul Gilmartin
<000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
> On Fri, 18 Nov 2016 18:52:34 -0600, Wendell Lovewell wrote:
>>
> Yeah, what Lizette said.
>
> But if you believe there's an invalid character in the name of a
> symbol, that name is only the characters prior to the invalid
> character, and that truncated symbol is probably undefined,
> so its name is treated as its value.
>
> If there's an invalid character in its value, that value is substituted,
> properly.
>
> Have you a concise example?
>
> -- gil
>



-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?



Re: Which STEPLIB concatenation is not authorized?

2016-11-19 Thread Tony Harminc
On 18 November 2016 at 06:26, Charles Mills  wrote:
> As a software vendor, on new installs we often get customers saying "your
> product puts out a message saying it is not authorized but we're sure we
> authorized the library" and it is often a painful process taking them
> through checking each concatenation.
[...]
It's been an interesting discussion. But may I ask why you are in the
position of having your customers with a big pile of datasets in their
STEPLIB concatenation for your product? Well, you didn't say it's a
big pile, but if it were one or two you surely wouldn't be asking...

Tony H.



Re: Which STEPLIB concatenation is not authorized?

2016-11-19 Thread Paul Gilmartin
On 2016-11-19, at 15:32, Jesse 1 Robinson wrote:
> 
> As complicated as this may sound, APF can be determined/diagnosed by inspection 
> with relative ease. It's not rocket surgery.
>  
Perhaps.  But it would be poor business practice for the OP
to address his customer so tactlessly.  IBM ought to help
its customers to help their customers.

-- gil



Re: Which STEPLIB concatenation is not authorized?

2016-11-19 Thread Jesse 1 Robinson
APF is defined in SYS1.PARMLIB(PROGxx) according to the installation defined 
concatenation in IEASYSxx. The result of that concatenation determines the set 
of APF libraries unless modified after IPL by SETPROG APF. Entries in PROGxx 
are of two types:

APF ADD DSN(dsn-1)   SMS
APF ADD DSN(dsn-2)   VOL(volser)

If 'SMS' is coded, then the library can be located anywhere, but it must be SMS 
defined. There can only be one dsn-1 because SMS does not allow duplicates in a 
system. If VOL(volser) is coded, then the library must be located on that 
specific volume. There can be multiple entries for dsn-2; as long as one entry 
matches dsn-2 in STEPLIB, then it is APF; otherwise not. 

APF is not indicated anywhere in the intrinsic definition of a library. No bit 
in catalog nor in VTOC nor anywhere else outside of the list of APF libraries 
built and managed by z/OS. At any moment a library may or may not be APF 
according to the current list, which may have additions or deletions or 
(effectively) updates since that last time it was checked.

As complicated as this may sound, APF can be determined/diagnosed by inspection 
with relative ease. It's not rocket surgery.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Paul Gilmartin
Sent: Saturday, November 19, 2016 2:05 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Which STEPLIB concatenation is not authorized?

On Sat, 19 Nov 2016 08:30:39 -0500, Peter Relson wrote:
>
>I assume that the subject of this thread should have been "Which data 
>set in the STEPLIB concatenation is not APF-authorized".
>
Me, too.  And if that information were available the address space could remain 
authorized as long as modules were loaded only from authorized catenands, and 
the failure of authorization could report "which data set", at least by 
catenand ordinal.

>The DEB is build during OPEN. That processing examines the APF status 
>of every individual data set forming the concatenation. If any data set 
>is found that is not APF-authorized, then the DEB is marked as not APF 
>authorized (bit DEBAPFIN). (I think the bit is initialized "on" and 
>then simply turned off when a non-APF-authorized data set is found). By 
>the time "load" is being done, the information about an individual data 
>set is long gone.
>
I'll accept that as almost true.  But BLDL (I assume LOAD uses that or 
something similar) needs to find the directories to search.  I'm trying to RTRM 
and understand.  I guess it can examine DEBAMLNG bytes in DEBEXTNM to find the 
first extent of each catenand which must contain the directory.

But that's not enough to really identify the data set; only unit and address.  
Bummer.  The pain customers endure because storage was so expensive a 
half-century ago that
32 bytes couldn't be spared for flags indicating which extents belong to 
authorized data sets.

>CSVAPF is the programming interface for querying if an individual data 
>set is APF-authorized. To do it completely correctly,  you have to know 
>if the data set is SMS-managed.
>
I've seen the SMS dependency mentioned earlier in this thread.
Why?  Is it that APF is indicated in the DSCB for non-SMS and elsewhere for SMS?

And I found nothing in the DEB about PDSE or UNIX files although BPAM now 
supports UNIX directories in mixed concatenations.  How are those represented?  
Major and minor device numbers?  It must be documented somewhere, even if only 
"The following N bytes are not GUPI."

Hmmm.  If I were to ALLOCATE a UNIX directory with DSORG=PS, RECFM=F,LRECL=256; 
could I read it as a PDS directory?

-- gil




Re: Which STEPLIB concatenation is not authorized?

2016-11-19 Thread Paul Gilmartin
On Sat, 19 Nov 2016 08:30:39 -0500, Peter Relson wrote:
>
>I assume that the subject of this thread should have been "Which data set 
>in the STEPLIB concatenation is not APF-authorized".
>
Me, too.  And if that information were available the address space could
remain authorized as long as modules were loaded only from authorized
catenands, and the failure of authorization could report "which data set",
at least by catenand ordinal.

>The DEB is build during OPEN. That processing examines the APF status of 
>every individual data set forming the concatenation. If any data set is 
>found that is not APF-authorized, then the DEB is marked as not APF 
>authorized (bit DEBAPFIN). (I think the bit is initialized "on" and then 
>simply turned off when a non-APF-authorized data set is found). By the 
>time "load" is being done, the information about an individual data set is 
>long gone.
>
I'll accept that as almost true.  But BLDL (I assume LOAD uses 
that or something similar) needs to find the directories to
search.  I'm trying to RTRM and understand.  I guess it can
examine DEBAMLNG bytes in DEBEXTNM to find the first extent
of each catenand which must contain the directory.

But that's not enough to really identify the data set; only
unit and address.  Bummer.  The pain customers endure
because storage was so expensive a half-century ago that
32 bytes couldn't be spared for flags indicating which
extents belong to authorized data sets.

>CSVAPF is the programming interface for querying if an individual data set 
>is APF-authorized. To do it completely correctly,  you have to know if the 
>data set is SMS-managed.
>
I've seen the SMS dependency mentioned earlier in this thread.
Why?  Is it that APF is indicated in the DSCB for non-SMS and
elsewhere for SMS?

And I found nothing in the DEB about PDSE or UNIX files although BPAM
now supports UNIX directories in mixed concatenations.  How are those
represented?  Major and minor device numbers?  It must be documented
somewhere, even if only "The following N bytes are not GUPI."

Hmmm.  If I were to ALLOCATE a UNIX directory with DSORG=PS,
RECFM=F,LRECL=256; could I read it as a PDS directory?

-- gil



Re: Sftp implementation

2016-11-19 Thread Kirk Wolf
FWIW, Microsoft is working on a port of OpenSSH for PowerShell.

https://blogs.msdn.microsoft.com/powershell/2015/10/19/openssh-for-windows-update/

The latest work-in-progress seems to be available here:
https://github.com/PowerShell/Win32-OpenSSH

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Sat, Nov 19, 2016 at 12:09 AM, Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Sat, 19 Nov 2016 10:15:57 +0530, venkat kulkarni  wrote:
> >
> >In our shop, we are not allowed to install Ubuntu or any other except
> >windows7, which is currently installed on our work station. Can you help
> me
> >with any other option to test this sftp with mainframe from my work
> station.
> >
> I've seen mentioned in this thread WinSCP and PuTTY, and I'll add Cygwin,
> all of which run on top of Windows 7.  And VirtualBox might qualify since
> it doesn't displace Windows 7; it's an addition.  Obviously, if Windows 7
> doesn't have the function you need you must install something in addition,
> not necessarily instead.
>
> -- gil
>


Re: Which STEPLIB concatenation is not authorized?

2016-11-19 Thread Peter Relson
>Thanks, but you might want to read my OP
>>There are various ways to check whether the current environment is APF authorized. 
>>For example, the TESTAUTH macro will give a return code to indicate 
>>APF or not. 

Charles, that response *was* an attempt to respond to a question of yours 
in your OP: "Even simpler question: is it possible for a program to check 
(only) its own
AC(1) bit?"

Checking a program's "AC(1)" bit is not usually overly relevant. Checking 
the resulting authorization of the jobstep is what is relevant, and 
TESTAUTH is the way to do that.

I assume that the subject of this thread should have been "Which data set 
in the STEPLIB concatenation is not APF-authorized".

The DEB is build during OPEN. That processing examines the APF status of 
every individual data set forming the concatenation. If any data set is 
found that is not APF-authorized, then the DEB is marked as not APF 
authorized (bit DEBAPFIN). (I think the bit is initialized "on" and then 
simply turned off when a non-APF-authorized data set is found). By the 
time "load" is being done, the information about an individual data set is 
long gone.

CSVAPF is the programming interface for querying if an individual data set 
is APF-authorized. To do it completely correctly,  you have to know if the 
data set is SMS-managed.

Peter Relson
z/OS Core Technology Design

