Re: REXX determine library that is executed from
Like Walt suggested, use the PARSE SOURCE function: /*rexx*/ parse source . . . dd dataset . say "DD name is " dd say "dataset name is " dataset On 20 November 2016 at 03:44, Paul Gilmartin < 000433f07816-dmarc-requ...@listserv.ua.edu> wrote: > On Sat, 19 Nov 2016 19:36:41 -0600, Walt Farrell wrote: > > >On Sat, 19 Nov 2016 19:30:28 -0600, Donald Likens wrote: > > > >>Has anyone come up with a way for a REXX program to determine the > library it resides in? > > > >Have you looked at the REXX parse source instruction? > > > To cite a recent statement by an expert: > > The DEB is buil[t] during OPEN. ... By the time ..., the information > about an individual data set is long gone. > > I suppose the Rexx interpreter could find something in the TIOT. > > -- gil > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- Mike Shorkend m...@shorkend.com www.shorkend.com Tel: +972524208743 Fax: +97239772196 -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: LDAP on z/os
Hello Paul, Yes, I think my requirement was not clear to all. Basically LDAP server is running on some Windows or Linux box and we want to integrate mainframe with that as LDAP client for any sort of login to mainframe can be tso, cics,db2 etc. Please suggest On Nov 20, 2016 05:24, "Paul Gilmartin" < 000433f07816-dmarc-requ...@listserv.ua.edu> wrote: > On Sun, 20 Nov 2016 10:00:53 +0800, Timothy Sipples wrote: > > >Venkat, the base z/OS operating systems includes a terrific Lightweight > >Directory Access Protocol (LDAP) server at no additional charge. It > >supports industry standard LDAP v3 protocols. You can configure it in a > >variety of ways, but if you want a simple, straightforward implementation > >that allows TSO, CICS Transaction Server, DB2 for z/OS, and lots of other > >applications and middleware to share the same IDs and passwords then (in > >basic outline): > > > I believe the OP was thinking of a client. > > I suspect that the mainframe LOB is less than 1% of my employer's > enterprise. The LDAP server is probably on Windows or Linux. > Realistically, Single Signon will not extend to those mainframes > until "the base z/OS operating systems includes a terrific Lightweight > Directory Access Protocol (LDAP)" client "at no additional charge. > > I'll provide your sales personnel the name of our CEO if they > promise anonymity. > > Our mainframes are probably considered laboratory equipment, > below the company policy radar. > > -- gil > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: LDAP on z/os
On Sun, 20 Nov 2016 10:00:53 +0800, Timothy Sipples wrote: >Venkat, the base z/OS operating systems includes a terrific Lightweight >Directory Access Protocol (LDAP) server at no additional charge. It >supports industry standard LDAP v3 protocols. You can configure it in a >variety of ways, but if you want a simple, straightforward implementation >that allows TSO, CICS Transaction Server, DB2 for z/OS, and lots of other >applications and middleware to share the same IDs and passwords then (in >basic outline): > I believe the OP was thinking of a client. I suspect that the mainframe LOB is less than 1% of my employer's enterprise. The LDAP server is probably on Windows or Linux. Realistically, Single Signon will not extend to those mainframes until "the base z/OS operating systems includes a terrific Lightweight Directory Access Protocol (LDAP)" client "at no additional charge. I'll provide your sales personnel the name of our CEO if they promise anonymity. Our mainframes are probably considered laboratory equipment, below the company policy radar. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: LDAP on z/os
Venkat, the base z/OS operating systems includes a terrific Lightweight Directory Access Protocol (LDAP) server at no additional charge. It supports industry standard LDAP v3 protocols. You can configure it in a variety of ways, but if you want a simple, straightforward implementation that allows TSO, CICS Transaction Server, DB2 for z/OS, and lots of other applications and middleware to share the same IDs and passwords then (in basic outline): (a) Configure the z/OS LDAP Server so that it's able to access RACF; (b) Ideally, preferably, configure RACF (and TSO, etc.) to use passphrases (and with newer AES encryption of the database); (c) Point everything you'd like to integrate to the z/OS LDAP Server, including applications and middleware running on other platforms, and manage your IDs, permissions, and other LDAP fields there. (TLS encrypted connections are recommended and supported.) This approach is quite appealing in many ways. For more information on the z/OS LDAP Server, please visit: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.tds/tds.htm Here is the direct link to information on the technical capabilities of the z/OS 2.2 LDAP Server: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.glpa200/tivlcap.htm#tivlcap Timothy Sipples IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
On Sat, 19 Nov 2016 16:05:08 -0600, Paul Gilmartin wrote: > >Hmmm. If I were to ALLOCATE a UNIX directory with DSORG=PS, >RECFM-F,LRECL=256; could I read it as a PDS directory? > No. And well documented; a limitation for strong technical reasons, unlike some arbitrary limitations z/OS imposes. But it has dismaying consequences: it's probably a contributing factor to ISPF LM's inability to process UNIX directories. Researching this, I found instructions in Using Data Sets that cause a JCL error. RCF submitted. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: REXX determine library that is executed from
On Sat, 19 Nov 2016 19:36:41 -0600, Walt Farrell wrote: >On Sat, 19 Nov 2016 19:30:28 -0600, Donald Likens wrote: > >>Has anyone come up with a way for a REXX program to determine the library it >>resides in? > >Have you looked at the REXX parse source instruction? > To cite a recent statement by an expert: The DEB is buil[t] during OPEN. ... By the time ..., the information about an individual data set is long gone. I suppose the Rexx interpreter could find something in the TIOT. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: REXX determine library that is executed from
What problem are you trying to solve? Also, if you were not aware, there is a TSO-REXX list that also might be helpful To join, if you have not done so Go to this Webpage and scroll to the bottom TSO REXXhttp://www2.marist.edu/htbin/wlvindex?TSO-REXX Lizette > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Donald Likens > Sent: Saturday, November 19, 2016 6:30 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: REXX determine library that is executed from > > Has anyone come up with a way for a REXX program to determine the library it > resides in? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Invalid characters in JCL symbols passed to SYSIN within a PROC
On Sat, 19 Nov 2016 18:47:55 -0600, Mike Schwab wrote: >If you use quotes, you can put in any character you want into a data >set name. If it uncataloged on a non-SMS volume, it will be created. >You don't even have to limit yourself to 8 characters between dots. > When I said "name", I didn't intend to imply "data set name". Alas, the incorporeal first ply in this thread does little to clarify the context. But, have you ever tried a data set name beginning with a dot? -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: REXX determine library that is executed from
On Sat, 19 Nov 2016 19:30:28 -0600, Donald Likenswrote: >Has anyone come up with a way for a REXX program to determine the library it >resides in? Have you looked at the REXX parse source instruction? -- Walt -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
REXX determine library that is executed from
Has anyone come up with a way for a REXX program to determine the library it resides in? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Invalid characters in JCL symbols passed to SYSIN within a PROC
If you use quotes, you can put in any character you want into a data set name. If it uncataloged on a non-SMS volume, it will be created. You don't even have to limit yourself to 8 characters between dots. On Fri, Nov 18, 2016 at 9:47 PM, Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu> wrote: > On Fri, 18 Nov 2016 18:52:34 -0600, Wendell Lovewell wrote: >> > Yeah, what Lizette said. > > But if you believe there's an invalid character in the name of a > symbol, that name is only the characters prior to the invalid > character, and that truncated symbol is probably undefined, > so its name is treated as its value. > > If there's an invalid character in its value, that value is substituted, > properly. > > Have you a concise example? > > -- gil > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- Mike A Schwab, Springfield IL USA Where do Forest Rangers go to get away from it all? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
On 18 November 2016 at 06:26, Charles Millswrote: > As a software vendor, on new installs we often get customers saying "your > product puts out a message saying it is not authorized but we're sure we > authorized the library" and it is often a painful process taking them > through checking each concatenation. [...] It's been an interesting discussion. But may I ask why you are in the position of having your customers with a big pile of datasets in their STEPLIB concatenation for your product? Well, you didn't say it's a big pile, but if were one or two you surely wouldn't be asking... Tony H. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
On 2016-11-19, at 15:32, Jesse 1 Robinson wrote: > > As complicated this may sound, APF can be determined/diagnosed by inspection > with relative ease. It's not rocket surgery. > Perhaps. But it would be poor business practice for the OP to address his customer so tactlessly. IBM ought to help its customers to help their customers. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
APF is defined in SYS1.PARMLIB(PROGxx) according to the installation defined concatenation in IEASYSxx. The result of that concatenation determines the set of APF libraries unless modified after IPL by SETPROG APF. Entries in PROGxx are of two types: APF ADD DSN(dsn-1) SMS APF ADD DSN(dsn-2) VOL(volser) If 'SMS' is coded, then the library can be located anywhere, but it must be SMS defined. There can only be one dsn-1 because SMS does not allow duplicates in a system. If VOL(volser) is coded, then the library must be located on that specific volume. There can be multiple entries for dsn-2; as long as one entry matches dsn-2 in STEPLIB, then it is APF; otherwise not. APF is not indicated anywhere in the intrinsic definition of a library. No bit in catalog nor in VTOC nor anywhere else outside of the list of APF libraries built and managed by z/OS. At any moment a library may or may not be APF according to the current list, which may have additions or deletions or (effectively) updates since that last time it was checked. As complicated this may sound, APF can be determined/diagnosed by inspection with relative ease. It's not rocket surgery. . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-302-7535 Office robin...@sce.com -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin Sent: Saturday, November 19, 2016 2:05 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: (External):Re: Which STEPLIB concatenation is not authorized? On Sat, 19 Nov 2016 08:30:39 -0500, Peter Relson wrote: > >I assume that the subject of this thread should have been "Which data >set in the STEPLIB concatenation is not APF-authorized". > Me, too. And if that information were available the adress space could remain authorized as long as modules were loaded only from authorized catenands, and the failure of authorization could report "which data set", at least by catenand ordinal. >The DEB is build during OPEN. That processing examines the APF status >of every individual data set forming the concatenation. If any data set >is found that is not APF-authorized, then the DEB is marked as not APF >authorized (bit DEBAPFIN). (I think the bit is initialized "on" and >then simply turned off when a non-APF-authorized data set is found). By >the time "load" is being done, the information about an individual data >set is long gone. > I'll accept that as almost true. But BLDL (I assume LOAD uses that or something similar) needs to find the directories to search. I'm trying to RTRM and understand. I guess it can examine DEBAMLNG bytes in DEBEXTNM to find the first extent of each catenand which must contain the directory. But that's not enough to really identify the data set; only unit and address. Bummer. The pain customers endure because storage was so expensive a half-century ago that 32 bytes couldn't be spared for flags indicating which extents belong to authorized data sets. >CSVAPF is the programming interface for querying if an individual data >set is APF-authorized. To do it completely correctly, you have to know >if the data set is SMS-managed. > I've seen the SMS dependency mentioned earlier in this thread. Why? is it that APF is indicated in the DSCB for non-SMS and elsewhere for SMS? And I found nothing in the DEB about PDSE or UNIX files although BPAM now supports UNIX directories in mixed concatenations. How are those represented? Major and minor device numbers? It must be documented somewhere, even if only "The following N bytes are not GUPI." Hmmm. If I were to ALLOCATE a UNIX directory with DSORG=PS, RECFM-F,LRECL=256; could I read it as a PDS directory? -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
On Sat, 19 Nov 2016 08:30:39 -0500, Peter Relson wrote: > >I assume that the subject of this thread should have been "Which data set >in the STEPLIB concatenation is not APF-authorized". > Me, too. And if that information were available the adress space could remain authorized as long as modules were loaded only from authorized catenands, and the failure of authorization could report "which data set", at least by catenand ordinal. >The DEB is build during OPEN. That processing examines the APF status of >every individual data set forming the concatenation. If any data set is >found that is not APF-authorized, then the DEB is marked as not APF >authorized (bit DEBAPFIN). (I think the bit is initialized "on" and then >simply turned off when a non-APF-authorized data set is found). By the >time "load" is being done, the information about an individual data set is >long gone. > I'll accept that as almost true. But BLDL (I assume LOAD uses that or something similar) needs to find the directories to search. I'm trying to RTRM and understand. I guess it can examine DEBAMLNG bytes in DEBEXTNM to find the first extent of each catenand which must contain the directory. But that's not enough to really identify the data set; only unit and address. Bummer. The pain customers endure because storage was so expensive a half-century ago that 32 bytes couldn't be spared for flags indicating which extents belong to authorized data sets. >CSVAPF is the programming interface for querying if an individual data set >is APF-authorized. To do it completely correctly, you have to know if the >data set is SMS-managed. > I've seen the SMS dependency mentioned earlier in this thread. Why? is it that APF is indicated in the DSCB for non-SMS and elsewhere for SMS? And I found nothing in the DEB about PDSE or UNIX files although BPAM now supports UNIX directories in mixed concatenations. How are those represented? Major and minor device numbers? It must be documented somewhere, even if only "The following N bytes are not GUPI." Hmmm. If I were to ALLOCATE a UNIX directory with DSORG=PS, RECFM-F,LRECL=256; could I read it as a PDS directory? -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Sftp implementation
FWIW, Microsoft is working on a port of OpenSSH for Powershell. https://blogs.msdn.microsoft.com/powershell/2015/10/19/openssh-for-windows-update/ The lastest work-in-progress seems to be available here: https://github.com/PowerShell/Win32-OpenSSH Kirk Wolf Dovetailed Technologies http://dovetail.com On Sat, Nov 19, 2016 at 12:09 AM, Paul Gilmartin < 000433f07816-dmarc-requ...@listserv.ua.edu> wrote: > On Sat, 19 Nov 2016 10:15:57 +0530, venkat kulkarni wrote: > > > >In our shop, we are not allowed to install Ubuntu or any other except > >windows7, which is currently installed on our work station. Can you help > me > >with any other option to test this sftp with mainframe from my work > station. > > > I've seen mentioned in this thread WinSCP and PuTTY, and I'll add Cygwin, > all of which run on top of Windows 7. And VirtualBox might qualify since > it doesn't displace Windows 7, It's an addition. Obviously, if Windows 7 > doesn't have the function you need you must install something in addition, > not necessarily instead. > > -- gil > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
>Thanks, but you might want to read my OP >>There are various ways to check whether the current environment is APF authorized. >>For example, the TESTAUTH macro will give a return code to indicate >>APF or not. Charles, that response *was* an attempt to respond to a question of yours in your OP: "Even simpler question: is it possible for a program to check (only) its own AC(1) bit?" Checking a program's "AC(1)" bit is not usually overly relevant. Checking the resulting authorization of the jobstep is what is relevant, and TESTAUTH is the way to do that. I assume that the subject of this thread should have been "Which data set in the STEPLIB concatenation is not APF-authorized". The DEB is build during OPEN. That processing examines the APF status of every individual data set forming the concatenation. If any data set is found that is not APF-authorized, then the DEB is marked as not APF authorized (bit DEBAPFIN). (I think the bit is initialized "on" and then simply turned off when a non-APF-authorized data set is found). By the time "load" is being done, the information about an individual data set is long gone. CSVAPF is the programming interface for querying if an individual data set is APF-authorized. To do it completely correctly, you have to know if the data set is SMS-managed. Peter Relson z/OS Core Technology Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN