Re: Anyone exploiting ZEDC?

2024-04-17 Thread Timothy Sipples
rpinion865 wrote:
> At a prior life, we got the zEDC cards on a z15, and turned that on
>for PS datasets.

Just to clarify, every IBM z15, LinuxONE III, and higher model machine has 
on-chip zEDC (compression). It’s formally called the “Integrated Accelerator 
for zEDC,” and you can expand the zEDC part if you want to be more verbose. 
On-chip zEDC is included at no additional charge in these more recent machines. 
No zEDC cards required, no machine feature code required. Moreover, it’s not 
possible to carry forward the zEDC cards to the newer machine models even if 
you wanted to.

I realize it’s not the major point of this thread, but here’s a quick comment 
about VSAM performance. I think it’s important to “sanity check” performance 
assumptions periodically because past assumptions often no longer reflect 
reality and time and technology progress. When I participate in such 
assessments (and write reports) I typically include an “expiration date.” I 
include a statement such as, “We recommend reassessing these performance 
metrics no later than April 30, 2028.” That sort of statement might be based on 
some educated guesswork, but I try to set a reasonable boundary in the 
circumstances. There’ve been lots of VSAM-related performance improvements over 
the years and decades, and they continue. zHyperWrite and the IBM Z Digital 
Integration Hub (zDIH) are only two examples.

In terms of zEDC applicability to VSAM, just in case anybody needs the official 
documentation here it is (z/OS 3.1 link):

https://www.ibm.com/docs/en/zos/3.1.0?topic=sets-characteristics-compressed-format-data

The “Requirements for Compression” subsection is also relevant.

There’s a lot of meaning packed into those two pages, more than usual I’d say. 
For example, these words are quite important: “A compressed format data set 
cannot be opened for update.” Those few words are doing some heavy lifting. I’d 
add that a non-compressed format data set (that can be opened for update) CAN 
contain data compressed with zEDC. As one example, a Java program can compress 
data with zEDC then store the compressed data in a data set (via JZOS for 
example).

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: How do one return a fullword binary to a C program from an assembler subroutine?

2024-04-17 Thread Bernd Oppolzer

The reason behind this is:

C passes arguments "by value", which means that int arguments like 
textlen are passed directly as values,
not as addresses. You get the value 120 in the address list, pointed to 
by reg 1, not the address of textlen,
which is different from COBOL or FORTRAN etc (COBOL and FORTRAN use 
"call by reference", by default).


That's why you have to pass the address explicitly, if you want to get 
values back from your C subroutine.


You can write like this:

 retcode = rxhlicpl (hlicmd, name, namelen, text, &textlen);

no need to define (and use) an explicit pointer.

Take care about namelen, by the way. This will behave the same way.

Different with char arrays; the name of a char array without an index is
equivalent with the address of its first element, so it works with char arrays 
(a.k.a. strings)
WITHOUT the & operand.

HTH, kind regards

Bernd


On 16.04.2024 at 22:14, Willy Jensen wrote:

Found it, it was down to C pointers as expected / feared.
This works, note the use of 'textlenp' in the call:

#pragma linkage (rxhlicpl, OS)
main () {
  extern int rxhlicpl();
  int retcode;
  char hlicmd[8];
  char name[61];   /* text + eod  */
  int  *namelenp, namelen;
  char text[121];  /* text + eod  */
  int  *textlenp, textlen;
  int  retval;
-  -  -
  retcode = 0;
  strcpy (hlicmd, "VGET");
  strcpy (name, "TESTVAR");
  namelen = 7 ;
  textlen = 120;
  textlenp=&textlen;
  retcode = rxhlicpl (hlicmd, name, namelen, text, textlenp);
  printf("rc is %d, text is %d '%s'\n\n", retcode, textlen, text);



Re: How do one return a fullword binary to a C program from an assembler subroutine?

2024-04-17 Thread Bernd Oppolzer

The program has one more problem:

buffer overrun in this statement:

  char hlicmd[8];

  ...
  strcpy (hlicmd, "VGET    ");

the variable hlicmd has 8 bytes, but the strcpy copies 9 bytes,
the string VGET, 4 blanks and the terminating hex zero :-(

take care !!!

HTH, kind regards

Bernd



On 16.04.2024 at 22:14, Willy Jensen wrote:

Found it, it was down to C pointers as expected / feared.
This works, note the use of 'textlenp' in the call:

#pragma linkage (rxhlicpl, OS)
main () {
  extern int rxhlicpl();
  int retcode;
  char hlicmd[8];
  char name[61];   /* text + eod  */
  int  *namelenp, namelen;
  char text[121];  /* text + eod  */
  int  *textlenp, textlen;
  int  retval;
-  -  -
  retcode = 0;
  strcpy (hlicmd, "VGET    ");
  strcpy (name, "TESTVAR");
  namelen = 7 ;
  textlen = 120;
  textlenp=&textlen;
  retcode = rxhlicpl (hlicmd, name, namelen, text, textlenp);
  printf("rc is %d, text is %d '%s'\n\n", retcode, textlen, text);

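The two points made in this thread (pass the address of `textlen` so the routine can return the length, and do not `strcpy` a 9-byte string into `char hlicmd[8]`), as an added example that is not code from any poster. `stub_by_value` and `stub_by_ref` are hypothetical portable stand-ins for the assembler routine (no `#pragma linkage`), the value `HELLO` is constructed, and the 8-byte blank-padded command field without a terminating NUL is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define CMD_WIDTH 8     /* assumed: command field is 8 bytes, blank padded, no NUL */
#define TEXT_MAX  120   /* text[] holds TEXT_MAX bytes plus the terminating NUL */

/* Fill a fixed-width field: exactly `width` bytes, blank padded, no NUL.
   Returns 0 on success, -1 if src does not fit (nothing is written). */
int set_fixed_field(char *dst, size_t width, const char *src)
{
    size_t n = strlen(src);
    if (n > width)
        return -1;
    memset(dst, ' ', width);
    memcpy(dst, src, n);
    return 0;
}

/* Hypothetical stand-in, length passed by value: the callee only has a copy. */
int stub_by_value(const char *cmd, char *text, int textlen)
{
    (void)cmd;
    if (textlen < 5)
        return 8;
    memcpy(text, "HELLO", 6);   /* constructed value, includes the NUL */
    textlen = 5;                /* lost on return: caller's variable is untouched */
    (void)textlen;
    return 0;
}

/* Hypothetical stand-in, length passed by address: on entry *textlen is the
   caller's capacity, on return it is the number of bytes stored in text. */
int stub_by_ref(const char *cmd, char *text, int *textlen)
{
    static const char value[] = "HELLO";    /* constructed variable content */
    int n = (int)(sizeof value - 1);

    if (memcmp(cmd, "VGET    ", CMD_WIDTH) != 0)
        return 8;                           /* unknown command */
    if (*textlen < 0)
        return 12;
    if (n > *textlen)
        n = *textlen;                       /* truncate to the caller's capacity */
    memcpy(text, value, (size_t)n);
    text[n] = '\0';
    *textlen = n;
    return 0;
}

struct call_area {
    char hlicmd[CMD_WIDTH];
    char guard;                 /* canary directly behind the 8-byte field */
    char text[TEXT_MAX + 1];
};

/* Returns the caller's textlen after a by-value call. */
int demo_by_value(void)
{
    struct call_area a;
    int textlen = TEXT_MAX;
    set_fixed_field(a.hlicmd, CMD_WIDTH, "VGET");
    stub_by_value(a.hlicmd, a.text, textlen);
    return textlen;
}

/* Returns the caller's textlen after a by-address call, or -1 on error. */
int demo_by_ref(void)
{
    struct call_area a;
    int textlen = TEXT_MAX;
    set_fixed_field(a.hlicmd, CMD_WIDTH, "VGET");
    if (stub_by_ref(a.hlicmd, a.text, &textlen) != 0)
        return -1;
    return textlen;
}

/* Returns 1 if filling the 8-byte field left the byte behind it untouched. */
int guard_intact_after_fill(void)
{
    struct call_area a;
    a.guard = 0x5A;
    if (set_fixed_field(a.hlicmd, CMD_WIDTH, "VGET") != 0)
        return 0;
    return a.guard == 0x5A && memcmp(a.hlicmd, "VGET    ", CMD_WIDTH) == 0;
}

int main(void)
{
    printf("by value:   textlen = %d\n", demo_by_value());
    printf("by address: textlen = %d\n", demo_by_ref());
    printf("guard intact: %d\n", guard_intact_after_fill());
    return 0;
}
```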


Re: How do one return a fullword binary to a C program from an assembler subroutine?

2024-04-17 Thread Willy Jensen
Thanks Peter,
worked like a charm and makes the program much simpler.
Now I just wonder why it is necessary to use a specific pointer specification 
for int fields and not for char fields. Anyway, it works.

Willy



Re: How do one return a fullword binary to a C program from an assembler subroutine?

2024-04-17 Thread Willy Jensen
Thanks Bernd, 
yes I did wonder about that, I will fix it.

Willy



Re: list Unix domain sockets

2024-04-17 Thread David Crayford
zlsof 
https://www.ibm.com/docs/en/zos/2.4.0?topic=scd-zlsof-display-information-about-open-files-sockets-pipes

> On 17 Apr 2024, at 06:42, Frank Swarbrick  wrote:
> 
> Is it possible to list Unix domain sockets?  I don't see any netstat option 
> to do so.
> 
> 


Re: Anyone exploiting ZEDC?

2024-04-17 Thread rpinion865
Is it not true that even though you get the zEDC engines on the z15 and z16, 
you still have to pay for the exploitation by enabling Featurename('ZEDC') in 
parmlib's IFAPRDxx?






Re: Anyone exploiting ZEDC?

2024-04-17 Thread Scott Chapman
My recommendation has always been to leave Db2/CICS's RLE compression of SMF 
data enabled even with zEDC compression of the data.

1) Less data will be sent to the zEDC compression engine, which will then 
process faster. I believe at one point I had an IBM chart that showed this. 
2) The data might (likely) compress better because intervening repeated values 
are removed before it goes through the zEDC compression. (As Andrew shows 
below.) It might be dependent on the data, but it makes some sense when you 
realize that LZ77 relies on compressing in 32K blocks and by removing the 
duplicate zeros you potentially get more interesting repeated data into that 
32K block.  
3) When the data is read back from the zEDC-compressed store to be sent 
someplace for processing it will be smaller if the RLE compression was enabled. 
Depending on what you're doing with the data, that might be significant. 
4) The RLE compression is extremely lightweight in terms of CPU. I do not 
expect it to be noticeable: it's going to disappear in the normal variation in 
CPU time seen for running the same work on any shared system. The only 
CICS/Db2s that I would expect could have a measurable increase in CPU would be 
those that are completely idle and doing nothing but writing interval SMF 
records to say they haven't processed any data. 

Scott Chapman

On Wed, 17 Apr 2024 16:36:34 +1000, Andrew Rowley 
 wrote:

>On 17/04/2024 12:09 pm, Michael Oujesky wrote:
>> Yes and zEDC poorly compresses internally RLE compressed records.
>
>I was surprised how well zEDC compressed the already compressed records.
>Using my data:
>
>zEDC alone : 52000 tracks
>
>CICS compression + zEDC : 22000 tracks
>
>zEDC seems to be biased towards speed rather than compression ratio, so
>maybe the RLE compression helps by packing more repeated bytes into
>whatever compression window zEDC uses?
>
>> Plus CSRCESRV uses GP engine cycles
>
>That's true - CPU is probably more expensive than storage, so this could
>be just an interesting side-track. On the other hand, I think zEDC has
>to decompress and recompress the data for SMF dump etc. so CICS
>compression might save some overhead for SMF housekeeping type
>operations, reducing the amount of data going through zEDC?
>
>--
>Andrew Rowley
>Black Hill Software
>


Re: Anyone exploiting ZEDC?

2024-04-17 Thread Jousma, David
Thank-you very much for this!   I suspect this is the route we will have to 
take.   To answer your other question, yes, ZEDC is a chargeable feature 
(although very inexpensive) and is turned on in IFAPRD00.

Dave Jousma
Vice President | Director, Technology Engineering



From: IBM Mainframe Discussion List  on behalf of 
rpinion865 <042a019916dd-dmarc-requ...@listserv.ua.edu>
Date: Tuesday, April 16, 2024 at 3:41 PM
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: Anyone exploiting ZEDC?
FWIW, here is a snippet of the SMS ACS DC code that we were using for zEDC.

/* DEFINE extra data sets to receive zEDC compression */
/**/
FILTLIST COMP_DSN INCLUDE(CCM.CCM.FDR.**,
                          RMS.PROD.MSA.BKUP.**,
                          LOGR.IFASMF.**,
                          DB2%.ARCHLOG%.**)
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -   46 Line(s) not Displ
/* RULES FOR DISK zEDC HW data compression*/
/**/
   WHEN (&DSN = &COMP_DSN) SET &DATACLAS='COMP'
   WHEN (&DSTYPE = 'GDS' && &SIZE > 270MB)
     SET &DATACLAS='COMP'
   WHEN (&PGM = 'ADRDSSU' && &SIZE > 55MB)
     SET &DATACLAS='COMP'











Re: list Unix domain sockets

2024-04-17 Thread roscoe5
Wow! I learn so much just following this service. Thanks everyone!



Re: Anyone exploiting ZEDC?

2024-04-17 Thread rpinion865
Also, you will need this for SMF compression.

ISRBROBA  PINIONR.BAS.PARMLIB(SMFPRM00) - 01.12Line 00 Col 00
Command ===>  Scroll ===>
 Top of Data 
INTVAL(30)  /* SMF GLOBAL RECORDING INTERVAL*/  
ACTIVE  /* ACTIVE SMF RECORDING */  
RECORDING(LOGSTREAM)
LSNAME(IFASMF.&SYSNAME..CICS,TYPE(110),COMPRESS)
LSNAME(IFASMF.&SYSNAME..DB2,TYPE(100:102),COMPRESS) 
LSNAME(IFASMF.&SYSNAME..SCRT,TYPE(70,89),COMPRESS)  
LSNAME(IFASMF.&SYSNAME..DEFAULT,TYPE(0:99,103:109,111:2047), 
   COMPRESS) 






Re: RACF - SDSF question

2024-04-17 Thread Shaffer, Terri
Hi,
  I would like to resurrect this question again, because my issue is back but 
not sure if by design or my RACF setup...

Because we are a development shop, we allow our developers to start/stop and 
issue modify commands to shutdown their CICS regions that run as batch Jobs.

They are the owners/notify of said regions. However, what I would like to 
prevent is them cancelling the regions, due to possible file corruption, etc.

They put a C beside a jobname which then issues a $CJ, which then translates 
into a CANCEL ,A=xx  command.

$CJ(5138)
CANCEL   C30TCIE2,A=0051
IEE301I C30TCIE2  CANCEL COMMAND ACCEPTED
$HASP890 JOB(C30TCIE2) 288
$HASP890 JOB(C30TCIE2)  STATUS=(EXECUTING/SPS1),CLASS=Y,
$HASP890PRIORITY=9,SYSAFF=(ANY),HOLD=(NONE
$HASP890CANCEL=YES

So my question becomes is it even possible to stop this because technically 
they are the owners?

In RACF.
My JESSPOOL class has.
*.*.C30TCI*.** (G)

My OPERCMDS class has
JES2.CANCEL.BAT with them having UPDATE access

MVS.CANCEL.JOB.C30TCI* (G)  NO access

So not sure this is possible or not?

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Shaffer, Terri
Sent: Wednesday, February 8, 2023 9:09 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question



Thank you, with your input and Rob's, I now know the order of the checks, which 
was the piece I didn't fully understand.

I have now cleaned up my extra rules and added rules under jesspool and they 
are now stopped.

Rob, thanks for the slides!

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Robert S. Hansel (RSH)
Sent: Wednesday, February 8, 2023 8:00 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question



Hi Terri,

Here are a couple of thoughts to add to what others have mentioned.

Since SDSF is issuing a JES2 cancel job $CJ command, the name of the OPERCMDS 
resource being checked is JES2.CANCEL.BAT. Profile JES2.CANCEL.BAT.C30TCI* is 
superfluous since the resource name never includes the jobname, so you can 
delete it. Profile JES2.CANCEL.BAT.** is guarding JES2.CANCEL.BAT because the 
.** generic suffix applies to zero or more qualifiers, and in this case it is 
zero qualifiers. The suggestions to lock down MVS cancel job commands won't 
help in this situation because SDSF is issuing JES2 commands instead of MVS 
commands, so the OPERCMDS MVS.CANCEL.JOB.jobname resources won't be checked.

As was mentioned, to cancel a job typically also requires ALTER access to the 
JESSPOOL resource guarding the job. Look into setting up appropriate JESSPOOL 
profiles to isolate and restrict ALTER access to these jobs. Also consider 
whether users have been (inadvertently) set up as Destination Operators. If 
they have READ access to SDSF resource ISFOPER.DEST.JES2 and ALTER access to 
SDSF resources prefixed ISFAUTH.DEST., they can cancel jobs while bypassing 
JESSPOOL profile checks.

If the CONSOLE class is active, you can permit ID(*) UPDATE access to 
JES2.CANCEL.BAT.** conditionally by adding operand WHEN(CONSOLE(SDSF)) to the 
PERMIT command so that users can only issue JES2 cancel job commands from 
within SDSF panels. This would prevent them from cancelling jobs outside of 
SDSF, to include when using the SDSF / command. You would need to remove 
UACC(UPDATE) or ID(*) UPDATE permission, whichever applies, for the conditional 
permission to take effect. Operations and Tech Support staff will need 
'regular' UPDATE access permission. (CONSOLE is a Default Return Code 8 class, 
so don't activate it without first creating a ** profile with UACC(READ).)

To see exactly what resource names are being checked that are allowing the 
unwanted job cancellations, issue the SDSF command SET SECTRACE ON, cancel the 
job, and then issue the SDSF command ULOG. ULOG will show you all the access 
checks SDSF is making along with the results of each of these checks. SECTRACE 
is a phenomenal diagnostic tool that we use often.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.  *** Celebrating our 30th Anniversary ***
617-969-8211
http://www.linkedin.com/in/roberthansel
http://www.rshconsulting.com/

-Original Message-
Date:Tue, 7 Feb 2023 13:31:41 +
From:"Shaffer, Terri" 
Subject: RACF - SDSF question

Hi,
 I know there is a RACF group, but hopefully this is simple and I am just 
missing something I have done 100 times over with no issues.

We run our CI

Re: RACF - SDSF question

2024-04-17 Thread Norbert Gál
Hello Terri,


What does your JESJOBS class look like?

https://www.ibm.com/docs/en/zos/2.5.0?topic=cujn-controlling-who-can-cancel-jobs-by-job-name






Re: Anyone exploiting ZEDC?

2024-04-17 Thread Timothy Sipples
rpinion865 wrote:
>Is it not true that even though you get the zEDC engines on the z15 and z16,
>you still have to pay for the exploitation by enabling Featurename('ZEDC') in
>parmlib's IFAPRDxx?

David Jousma wrote:
>To answer your other question, yes, ZEDC is a chargeable feature
>(although very inexpensive) and is turned on in IFAPRD00.

OK, I’ll try to clarify.

On z15/LinuxONE III models and higher the zEDC hardware is on-chip, standard, 
no additional charge, no feature code needed. “It’s just there.”

In z/OS there’s an optional, chargeable software feature called “z/OS zEDC.” 
This licensed, chargeable feature (like other optional z/OS elements) is 
enabled in an IFAPRDxx parmlib member. However, if you don’t enable this 
chargeable element it’s still possible to exploit zEDC on z/OS to some degree. 
As one example, Java applications using java.util.zip’s zlib library (available 
in the IBM Semeru Runtimes) can exploit zEDC even without enabling the z/OS 
zEDC feature. Here’s how the z/OS 3.1 documentation explains it:

“...With IBM Integrated Accelerator for zEDC compression on the z15 [and 
higher], you use IFAPRDxx only for enabling asynchronous processing (by using 
the FPZ4 authorized services). Entitlement of the zEDC priced feature of z/OS 
is not required for using zlib-based functions.”

Anticipating the next question, I haven’t found a good, current list of zEDC 
exploiters and whether they require the z/OS zEDC feature or not. It’d be a 
fairly long list, and the list keeps growing. But if the product’s or 
component’s documentation lists the z/OS zEDC feature as a prerequisite (or a 
recommendation) then that’s an indicator it uses (or can use) the FPZ4 
authorized services.

IBM offers some tools that can help determine whether the z/OS zEDC feature 
would be of benefit, and how much. This whitepaper illustrates such an analysis:

https://www.ibm.com/support/pages/system/files/inline-files/zEDC_White_Paper.pdf

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Anyone exploiting ZEDC?

2024-04-17 Thread Michael Oujesky

Just a thought, but 30's compress quite well also.

Michael

At 07:18 AM 4/17/2024, rpinion865 wrote:


Also, you will need this for SMF compression.

ISRBROBA  PINIONR.BAS.PARMLIB(SMFPRM00) - 01.12Line 00 Col 00
Command ===>  Scroll ===>
 Top of Data 
INTVAL(30)  /* SMF GLOBAL RECORDING INTERVAL*/
ACTIVE  /* ACTIVE SMF RECORDING */
RECORDING(LOGSTREAM)
LSNAME(IFASMF.&SYSNAME..CICS,TYPE(110),COMPRESS)
LSNAME(IFASMF.&SYSNAME..DB2,TYPE(100:102),COMPRESS)
LSNAME(IFASMF.&SYSNAME..SCRT,TYPE(70,89),COMPRESS)
LSNAME(IFASMF.&SYSNAME..DEFAULT,TYPE(0:99,103:109,111:2047),
   COMPRESS)





On Wednesday, April 17th, 2024 at 8:08 AM, 
Jousma, David <01a0403c5dc1-dmarc-requ...@listserv.ua.edu> wrote:


> Thank-you very much for this! I suspect this is the route we will have to
> take. To answer your other question, yes, ZEDC is a chargeable feature
> (although very inexpensive) and is turned on in IFAPRD00.
>
> Dave Jousma
> Vice President | Director, Technology Engineering
>
> From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU on behalf of
> rpinion865 042a019916dd-dmarc-requ...@listserv.ua.edu

>
> Date: Tuesday, April 16, 2024 at 3:41 PM
> To: IBM-MAIN@LISTSERV.UA.EDU IBM-MAIN@LISTSERV.UA.EDU
>
> Subject: Re: Anyone exploiting ZEDC?
>
> FWIW, here is a snippet of the SMS ACS DC code that we were using for zEDC.
>
> /* DEFINE extra data sets to receive zEDC compression */
> //
> FILTLIST COMP_DSN INCLUDE(CCM.CCM.FDR.,
>                           RMS.PROD.MSA.BKUP.,
>                           LOGR.IFASMF.,
>                           DB2%.ARCHLOG%.)
> - - - - - - - - - - - - - - - - - - 46 Line(s) not Displ
> /* RULES FOR DISK zEDC HW data compression */
> /*/
> WHEN (&DSN = &COMP_DSN) SET &DATACLAS='COMP'
> WHEN (&DSTYPE = 'GDS' && &SIZE > 270MB)
>      SET &DATACLAS='COMP'
> WHEN (&PGM = 'ADRDSSU' && &SIZE > 55MB)
>      SET &DATACLAS='COMP'
>


Re: Anyone exploiting ZEDC?

2024-04-17 Thread Michael Oujesky
Just a thought, but anyone processing internally compressed CICS or 
DB2 data on a non-z/OS platform (Windows/Unix) might see substantial 
CPU usage from RLE decompression.


Michael
At 07:02 AM 4/17/2024, Scott Chapman wrote:

My recommendation has always been to leave Db2/CICS's RLE 
compression of SMF data enabled even with zEDC compression of the data.


1) Less data will be sent to the zEDC compression engine, which will 
then process faster. I believe at one point I had an IBM chart that 
showed this.
2) The data might (likely) compress better because intervening 
repeated values are removed before it goes through the zEDC 
compression. (As Andrew shows below.) It might be dependent on the 
data, but it makes some sense when you realize that LZ77 relies on 
compressing in 32K blocks and by removing the duplicate zeros you 
potentially get more interesting repeated data into that 32K block.
3) When the data is read back from the zEDC-compressed store to be 
sent someplace for processing it will be smaller if the RLE 
compression was enabled. Depending on what you're doing with the 
data, that might be significant.
4) The RLE compression is extremely lightweight in terms of CPU. I 
do not expect it to be noticeable: it's going to disappear in the 
normal variation in CPU time seen for running the same work on any 
shared system. The only CICS/Db2s that I would expect could have a 
measurable increase in CPU would be those that are completely idle 
and doing nothing but writing interval SMF records to say they 
haven't processed any data.


Scott Chapman

On Wed, 17 Apr 2024 16:36:34 +1000, Andrew Rowley wrote:


>On 17/04/2024 12:09 pm, Michael Oujesky wrote:
>> Yes and zEDC poorly compresses internally RLE compressed records.
>
>I was surprised how well zEDC compressed the already compressed records.
>Using my data:
>
>zEDC alone : 52000 tracks
>
>CICS compression + zEDC : 22000 tracks
>
>zEDC seems to be biased towards speed rather than compression ratio, so
>maybe the RLE compression helps by packing more repeated bytes into
>whatever compression window zEDC uses?
>
>> Plus CSRCESRV uses GP engine cycles
>
>That's true - CPU is probably more expensive than storage, so this could
>be just an interesting side-track. On the other hand, I think zEDC has
>to decompress and recompress the data for SMF dump etc. so CICS
>compression might save some overhead for SMF housekeeping type
>operations, reducing the amount of data going through zEDC?
>
>--
>Andrew Rowley
>Black Hill Software
>
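Scott Chapman's second point (long zero runs push repeated data out of the 32K window, so removing them first lets the later compression find it) can be reproduced with a small experiment. This is an added example, not code from the thread: zlib stands in for zEDC as a DEFLATE implementation with a 32 KiB window, the zero-run RLE is a simplified stand-in for the CICS/Db2 compression, and the records are constructed.

```python
"""Zero-run RLE ahead of DEFLATE versus DEFLATE alone (constructed data)."""
import random
import zlib

WINDOW = 32 * 1024      # DEFLATE can only reference the previous 32 KiB
MAX_RUN = 0xFFFF        # longest zero run a single RLE token can carry
TEMPLATES, RECORDS, PAD = 8, 80, 3000   # constructed workload shape
RECORD_LEN = 256 + 2 * PAD


def rle_encode(data: bytes) -> bytes:
    """Replace each run of zero bytes with 0x00 plus a 16-bit run length."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i]:
            out.append(data[i])
            i += 1
            continue
        run = 1
        while i + run < n and data[i + run] == 0 and run < MAX_RUN:
            run += 1
        out += b"\x00" + run.to_bytes(2, "big")
        i += run
    return bytes(out)


def rle_decode(data: bytes) -> bytes:
    """Inverse of rle_encode; rejects a token cut off at the end of input."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i]:
            out.append(data[i])
            i += 1
            continue
        if i + 3 > n:
            raise ValueError("truncated zero-run token")
        out += bytes(int.from_bytes(data[i + 1:i + 3], "big"))
        i += 3
    return bytes(out)


def build_records(seed: int = 2024) -> bytes:
    """Constructed SMF-like stream: TEMPLATES recurring 256-byte field
    patterns, each record padded with two long zero-filled areas."""
    rng = random.Random(seed)
    patterns = [bytes(rng.getrandbits(8) for _ in range(256))
                for _ in range(TEMPLATES)]
    zeros = bytes(PAD)
    stream = bytearray()
    for r in range(RECORDS):
        p = patterns[r % TEMPLATES]
        stream += p[:128] + zeros + p[128:] + zeros
    return bytes(stream)


def compare(stream: bytes) -> dict:
    """Sizes with and without the RLE pass, plus how far back the previous
    copy of each pattern sits in the bytes DEFLATE actually sees."""
    period = TEMPLATES * RECORD_LEN
    rle = rle_encode(stream)
    if rle_decode(rle) != stream:
        raise AssertionError("RLE pass is not lossless")
    return {
        "raw": len(stream),
        "deflate_only": len(zlib.compress(stream, 6)),
        "rle": len(rle),
        "rle_then_deflate": len(zlib.compress(rle, 6)),
        "repeat_distance_raw": period,
        "repeat_distance_rle": len(rle_encode(stream[:period])),
    }


if __name__ == "__main__":
    for name, value in compare(build_records()).items():
        print(f"{name:>20}: {value}")
```

In the raw stream each pattern recurs beyond the 32 KiB window, so DEFLATE has to emit it as literals every time; after the RLE pass the previous copy is close enough to be referenced.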


Re: Anyone exploiting ZEDC?

2024-04-17 Thread Michael Oujesky
SORTWKxx are typically temporary and not SMS 
compression eligible (requires catalog entry to 
hold the SMS compression attributes).


Michael

At 02:31 PM 4/16/2024, Jousma, David wrote:


Michael,

Yes, thanks.  It is just the sortwk datasets that are the issue.

Dave Jousma
Vice President | Director, Technology Engineering




From: IBM Mainframe Discussion List on behalf of Michael Oujesky

Date: Tuesday, April 16, 2024 at 3:24 PM
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: Anyone exploiting ZEDC?

Food for thought.  zEDC is block oriented rather than record oriented
(i.e. reads/writes full track blocks on DASD and BLKSIZE become
logical (i.e. the size of the buffer used to exchange data with the
application)), so any processing that expects to make use of BLKSIZE
to perform physical I/O (random, update, etc) will fail.

Thus DFSORT will have issues for SORTWK datasets, but not
SORTIN/SORTOUT datasets.



Michael





Re: RACF - SDSF question

2024-04-17 Thread Rob Scott
You can check what security activity is going on behind the scenes in SDSF by 
doing the following:


  1.  Invoke SDSF and get to the point just before the user issues the action
  2.  Issue "SET SECTRACE ON"
  3.  Issue the "C" action
  4.  Issue "SET SECTRACE OFF"
  5.  Go into SDSF ULOG and there will be numerous new security trace messages 
showing the resources checked by SDSF and the SAF result from each.

They look something like:

ISF051I SAF Access allowed SAFRC=0 ACCESS=ALTER CLASS=JESSPOOL 
RESOURCE=node.owner.jobnameetc

In your specific case, SDSF will do a JESSPOOL profile check and require UPDATE 
or UPDATE access for CANCEL style actions.

Note that this is a "value add" thing that SDSF does and might not be reflected 
in the behaviour of other products/methods that can issue MVS and JES2 commands.

Rob Scott
Rocket Software

From: IBM Mainframe Discussion List On Behalf Of Shaffer, Terri
Sent: Wednesday, April 17, 2024 1:28 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question


Hi,
I would like to resurrect this question again, because my issue is back but not 
sure if by design or my RACF setup...

Because we are a development shop, we allow our developers to start/stop and 
issue modify commands to shutdown their CICS regions that run as batch Jobs.

They are the owners/notify of said regions. However, what I would like to 
prevent is them cancelling the regions, due to possible file corruption, etc.

They put a C beside a jobname which then issues a $CJ, which then translates 
into a CANCEL ,A=xx command.

$CJ(5138)
CANCEL C30TCIE2,A=0051
IEE301I C30TCIE2 CANCEL COMMAND ACCEPTED
$HASP890 JOB(C30TCIE2) 288
$HASP890 JOB(C30TCIE2) STATUS=(EXECUTING/SPS1),CLASS=Y,
$HASP890 PRIORITY=9,SYSAFF=(ANY),HOLD=(NONE
$HASP890 CANCEL=YES

So my question becomes is it even possible to stop this because technically 
they are the owners?

In RACF.
My JESSPOOL class has.
*.*.C30TCI*.** (G)

My OPERCMDS class has
JES2.CANCEL.BAT with them having UPDATE access

MVS.CANCEL.JOB.C30TCI* (G) NO access

So not sure this is possible or not?

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-Original Message-
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Shaffer, Terri
Sent: Wednesday, February 8, 2023 9:09 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question


Thank you, with your input and Rob's, I now know the order of the checks, which 
was the piece I didn't fully understand.

I have now cleaned up my extra rules and added rules under jesspool and they 
are now stopped.

Rob, thanks for the slides!

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-Original Message-
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Robert S. Hansel (RSH)
Sent: Wednesday, February 8, 2023 8:00 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question


Hi Terri,

Here are a couple of thoughts to add to what others have mentioned.

Since SDSF is issuing a JES2 cancel job $CJ command, the name of the OPERCMDS 
resource being checked is JES2.CANCEL.BAT. Profile JES2.CANCEL.BAT.C30TCI* is 
superfluous since the resource name never includes the jobname, so you can 
delete it. Profile JES2.CANCEL.BAT.** is guarding JES2.CANCEL.BAT because the 
.** generic suffix applies to zero or more qualifiers, and in this case it is 
zero qualifiers. The suggestions to lock down MVS cancel job commands won't 
help in this situation because SDSF is issuing JES2 commands instead of MVS 
commands, so the OPERCMDS MVS.CANCEL.JOB.jobname resources won't be checked.

As was mentioned, to cancel a job typically also requires ALTER access to the 
JESSPOOL resource guarding the job. Look into setting up appropriate JESSPOOL 
profiles to isolate and restrict ALTER access to these jobs. Also consider 
whether users have been (inadvertently) set up as Destination Operators. If 
they have READ access to SDSF resource ISFOPER.DEST.JES2 and ALTER access to 
SDSF resources prefixed ISFAUTH.DEST., they can cancel jobs while bypassing 
JESSPOOL profile checks.

If the CONSOLE class is active, you can permit ID(*) UPDATE access to 
JES2.CANCEL.BAT.** conditionally by adding operand WHEN(CONSOLE(SDSF)) to the 
PERMIT command so that users can only issue JES2 cancel job commands from 
within SDSF panels. This would prevent them from cancelling jobs outside of 
SDSF, to include when usin

Re: RACF - SDSF question

2024-04-17 Thread Rob Scott
Of course, that should read "UPDATE or ALTER access"

Rob
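The SECTRACE procedure Rob Scott describes in this thread can be turned into a repeatable check of whether the JESSPOOL profiles really stop the "C" action. This is an added example, not code from the thread or from SDSF. It assumes the ULOG text has been saved to a string, that every ISF051I message carries SAFRC=, ACCESS=, CLASS= and RESOURCE= as in the one sample quoted, and that the verdict is read from SAFRC (0 allowed, 4 no decision, 8 denied); all trace lines are constructed.

```python
"""Summarise SDSF SECTRACE messages copied from ULOG (constructed input)."""
import re
from collections import namedtuple

SafCheck = namedtuple("SafCheck", "safrc access saf_class resource")

MSG_ID = "ISF051I"
KEYS = r"(SAFRC|ACCESS|CLASS|RESOURCE)"
FIELD = re.compile(r"\b" + KEYS + r"=(\S+)")
CONTINUATION = re.compile(KEYS + "=")        # wrapped part of a message
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


def parse_sectrace(ulog_text):
    """Return one SafCheck per complete ISF051I message, joining the
    continuation line that carries RESOURCE= when the message wraps."""
    texts, open_msg = [], False
    for raw in ulog_text.splitlines():
        line = raw.strip()
        start = line.find(MSG_ID)
        if start >= 0:
            texts.append(line[start:])
            open_msg = True
        elif open_msg and CONTINUATION.match(line):
            texts[-1] += " " + line
        else:
            open_msg = False          # any other line ends the message
    checks = []
    for text in texts:
        fields = dict(FIELD.findall(text))
        if len(fields) < 4 or not fields["SAFRC"].isdigit():
            continue                  # incomplete message: skip, do not guess
        checks.append(SafCheck(int(fields["SAFRC"]), fields["ACCESS"],
                               fields["CLASS"], fields["RESOURCE"]))
    return checks


def gating_checks(checks):
    """JESSPOOL checks at UPDATE or higher, the level the thread says SDSF
    requires for CANCEL-style actions (assumes ACCESS= is the level asked)."""
    return [c for c in checks
            if c.saf_class == "JESSPOOL"
            and LEVELS.get(c.access, 0) >= LEVELS["UPDATE"]]


def cancel_verdict(checks):
    """'allowed', 'denied', 'no decision' or 'not traced' for the action."""
    gating = gating_checks(checks)
    if not gating:
        return "not traced"
    if any(c.safrc == 8 for c in gating):
        return "denied"
    if all(c.safrc == 0 for c in gating):
        return "allowed"
    return "no decision"


# Constructed ULOG excerpts. Job name and number come from the thread; node,
# user ID and the "denied" wording are made up for the example.
TRACE_BEFORE = """\
ISF051I SAF Access allowed SAFRC=0 ACCESS=UPDATE CLASS=OPERCMDS
RESOURCE=JES2.CANCEL.BAT
ISF051I SAF Access allowed SAFRC=0 ACCESS=ALTER CLASS=JESSPOOL
RESOURCE=NODE1.DEVUSR1.C30TCIE2.JOB05138
$CJ(5138)
CANCEL C30TCIE2,A=0051
"""
TRACE_AFTER = """\
ISF051I SAF Access allowed SAFRC=0 ACCESS=UPDATE CLASS=OPERCMDS
RESOURCE=JES2.CANCEL.BAT
ISF051I SAF Access denied SAFRC=8 ACCESS=ALTER CLASS=JESSPOOL
RESOURCE=NODE1.DEVUSR1.C30TCIE2.JOB05138
"""

if __name__ == "__main__":
    for label, trace in (("before", TRACE_BEFORE), ("after", TRACE_AFTER)):
        checks = parse_sectrace(trace)
        for c in checks:
            print(label, c.saf_class, c.resource, c.access, "SAFRC", c.safrc)
        print(label, "cancel:", cancel_verdict(checks))
```

Running the same trace before and after a profile change shows whether the JESSPOOL check, rather than the OPERCMDS one, is what decides the outcome.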


zVSE 6.2 on z16-A02

2024-04-17 Thread Grant Carson
Has anyone tried IPLing a zVSE 6.2 system (under VM) on a z16-A02? It's not 
officially supported for this model of z16 (the A01 is) so we will need to move 
to 6.3 (from 21st Century).


Thanks,
Grant




Re: REXX vs other languages WAS: Rexx numeric digits and scientific notation question

2024-04-17 Thread Rony G. Flatscher

On 15.04.2024 19:08, Jon Perryman wrote:

Java's not perfect, but it is powerful and it is pretty much universally
available on z/OS.

People don't understand the ingenuity behind REXX and don't understand the real 
problems it solves. From a language standpoint, REXX is just another language 
but its real strength is its environment integration. Instead of the caller 
maintaining libraries, the environment automatically integrates with REXX. For 
instance, REXX in the TSO environment, gives you access to TSO commands 
(address TSO) and z/OS programs (address linkmvs). Start ISPF and address 
ISPEXEC is available. ISPF option 2 gives you address ISREDIT. SYSCALLS ON 
gives you address syscalls.

For product developers, REXX is simple to integrate environments as witnessed 
by the plethora of integrated environments on z/VM, z/OS and probably z/VSE 
(e.g. some addressable environments: automation, CICS, CMS, CP, TSO, UNIX, 
SYSCALLS and more)

OOREXX is not REXX because it does not have the automatic environment 
integration and as you say, using JAVA instead of OOREXX would be preferable. 
REXX on the other hand is preferable over JAVA in many IBM environments. For 
instance, why would you use JAVA as your system automation environment language?

The complication of using OOP REXX is rarely beneficial for most environments. 
Generally, you are not building complicated applications. For instance, system 
automation will be the most complex but managing events under objects would be 
complicated and unmanageable given the current automation environment design.


There is no "complication of using OOP REXX": ooRexx runs Rexx programs just like Rexx. It therefore 
needs to support addressable command environments; it also supports the REXXSAA APIs including exits.


ooRexx adds the message expression to Rexx to simplify interactions with any kind of values. E.g. 
instead of coding


   say reverse("abc") /* yields a string "cba" */

you can optionally code:

   say "abc"~reverse  /* yields a string "cba" */

The message expression consists of a receiver value (synonyms: object, instance) on the left-hand 
side of the tilde (~), which is the message operator, followed by the name of a message on the right 
hand side. If the message has arguments you would supply them in parentheses.


The receiver is then responsible to search for a method (function) by the name of the received 
message, invokes it and returns the result, if any.


This is a quite simple concept.

Whether you take advantage of the message paradigm in ooRexx or not is up to you if working with 
strings as for strings there are the REXX built-in functions (BIFs).


In the context of message expressions please note that Alan Kay, one of the most influential and 
seminal computer scientists, who was working on Xerox PARC's Smalltalk, gets cited on Wikipedia 
(https://en.wikipedia.org/wiki/Alan_Kay):


   Along with some colleagues at PARC, Kay is one of the fathers of the idea of object-oriented
   programming (OOP), which he named. Some original object-oriented concepts, including the use
   of the words 'object' and 'class', had been developed for Simula 67 at the Norwegian Computing
   Center. Kay said:

      I'm sorry that I long ago coined the term "objects" for this topic because it gets many
      people to focus on the lesser idea. The big idea is "messaging".

The idea of messaging is what the IBM research team in Hursley added to REXX to come up with Object 
REXX, making it astonishingly simple to interact with any kind of value (object, instance) in any 
programming environment.


The message paradigm not only works with string values, but with any kind of values (objects, 
instances).


This is the reason why it is simple for novices who learn programming with ooRexx to interact with 
Windows and Windows programs like MS Office or OpenOffice or LibreOffice via OLE: the ooRexx 
programmer only needs to send messages to those Windows objects, how the receiver (an OLE object) 
carries them out is not necessary to be known by the ooRexx programmer.


The same is true for Java: the ooRexx programmer only needs to send messages to Java objects, how 
the receiver (a Java object) carries them out is not necessary to be known by the ooRexx programmer.


The same is true for DBus on Linux systems: the ooRexx programmer only needs to send messages to 
Java objects, how the receiver (a DBus object) carries them out is not necessary to be known by the 
ooRexx programmer.


And so on ...

---

The other addition of ooRexx to REXX are directive instructions. If present, they are put at the end 
of a program and direct the ooRexx interpreter to carry out services on behalf of the ooRexx 
programmer in the setup phase. E.g. the requires

Re: REXX vs other languages WAS: Rexx numeric digits and scientific notation question

2024-04-17 Thread Rony G. Flatscher

On 17.04.2024 02:12, Andrew Rowley wrote:

On 16/04/2024 3:08 am, Jon Perryman wrote:
From a language standpoint, REXX is just another language but its real strength is its 
environment integration. Instead of the caller maintaining libraries, the environment 
automatically integrates with REXX. For instance, REXX in the TSO environment, gives you access 
to TSO commands (address TSO) and z/OS programs (address linkmvs). Start ISPF and address ISPEXEC 
is available. ISPF option 2 gives you address ISREDIT. SYSCALLS ON gives you address syscalls.


Rexx has better integration with z/OS, but Java has better integration with the 
rest of the world.

I just wrote a piece about sending SMS text messages from z/OS:

https://www.blackhillsoftware.com/news/2024/04/15/text-message-alerts-from-the-z-os-smf-real-time-interface/ 



Spoiler: it's 2 Java statements using the Twilio API.

   Twilio.init(ACCOUNT_SID, AUTH_TOKEN);
   Message message = Message.creator(
           new com.twilio.type.PhoneNumber("+14159352345"), // to
           new com.twilio.type.PhoneNumber("+14158141829"), // from
           args[0])
       .create();


Twilio provide a library that can be used to send text messages from z/OS. Amazon provide a 
library that can be used to work with AWS services from z/OS. It's very common for cloud providers 
to provide Java libraries for working with their services. Most of them will work on z/OS and open 
up those features to the mainframe.


Java is also a much more powerful language. I used to write a lot of Rexx, but I hate to go back 
because it is so much easier to get things done in Java.


Rexx is good for small tasks where the overhead of starting the JVM is significant, or where there 
isn't functionality in Java. Otherwise, Java is my choice.


As you know already Rexx it would be easy for you to learn about what ooRexx adds to Rexx. Take half 
an hour and read "Proposing ooRexx and BSF4ooRexx for Teaching Programming and Fundamental 
Programming Concepts" at 
.


Using the ooRexx-Java bridge BSF4ooRexx (which I have been authoring for over twenty years and 
available for all major operating systems like Windows, Linux, macOS, also a s390x version is 
available) you can easily write ooRexx programs that use any of the Java class libraries on any of 
the supported operating systems.


Notabene: you write one ooRexx program that will be runnable without any changes on Windows, Linux 
and macOS. This means you develop it e.g. on Windows at home and execute it in a Linux s390x 
subsystem at work and vice versa. ;)


To give you an idea I transcribed your interesting example given in Java using the depicted code 
supplied by your link above which looks like:


   /* Java version, cf. */
   import com.twilio.Twilio;
   import com.twilio.rest.api.v2010.account.Message;
   import com.twilio.type.PhoneNumber;

   public class TwilioTest {
       // Find your Account SID and Auth Token at twilio.com/console
       // and set the environment variables. See http://twil.io/secure
       public static final String ACCOUNT_SID = System.getenv("TWILIO_ACCOUNT_SID");
       public static final String AUTH_TOKEN = System.getenv("TWILIO_AUTH_TOKEN");

       public static void main(String[] args) {
           Twilio.init(ACCOUNT_SID, AUTH_TOKEN);
           Message message = Message.creator(
                   new com.twilio.type.PhoneNumber("+14159352345"), // to
                   new com.twilio.type.PhoneNumber("+14158141829"), // from
                   args[0])
               .create();

           System.out.println(message.getSid());
       }
   }

As practically all Java classes get documented as interlinked HTML files and usually are published 
on the Internet one can get at these JavaDocs using Internet search engines. One of the possible 
hits is e.g.: .


So anyone could take a look at what JavaDocs look like and use Internet search engines to get 
additional information.


Using the above Java program as an example here the (untested) ooRexx code:

   /* ooRexx version (using BSF4ooRexx) */
   parse arg argument  /* get argument */

   /* get values from process environment */
   account_sid=value("TWILIO_ACCOUNT_SID", ,"ENVIRONMENT")
   auth_token =value("TWILIO_AUTH_TOKEN" , ,"ENVIRONMENT")

   /* initialize Twilio environment */
   bsf.loadClass("com.twilio.Twilio")~init(account_sid, auth_token)

   /* create phone numbers */
   phoneTo  =.bsf~new("com.twilio.type.PhoneNumber", "+14159352345")
   phoneFrom=.bsf~new("com.twilio.type.PhoneNumber", "+14158141829")

   /* load Message class and use its static method creator */
   clzMsg=bsf.importClass("com.twilio.rest.api.v2010.account.Message")

   /* create message */
   message=c

Re: REXX vs other languages WAS: Rexx numeric digits and scientific notation question

2024-04-17 Thread Bob Bridges
This whole post was fascinating to me, partly because I'm still a novice at 
ooRexx, still wrapping my head around certain concepts (messaging being one 
example).  I may as well say, though, that when I finally broke down and got 
myself a copy, I then took not one hour but two or three days off to read the 
documentation before I started writing the program I had in mind.  There was so 
much more to it than I expected, having believed that it would be simply 
TSO-REXX with object support.

Messaging...As I said, I'm still wrapping my head around that.  I'm used to 
creating classes and then invoking their methods; to use the term "message" in 
this connection causes my brain to pause temporarily.  So far the only thing 
I've worked out is that messaging ~is~ invoking a class' method, that is, it's 
just another way of saying the same thing.  But the way you describe it, I 
suspect I'm missing something.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Taxation ~with~ representation isn't all that great, either. */


-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Rony G. Flatscher
Sent: Wednesday, April 17, 2024 14:24

ooRexx adds the message expression to Rexx to simplify interactions with any 
kind of values. E.g. 
instead of coding

say reverse("abc")  /* yields a string "cba" */

you can optionally code:

say "abc"~reverse   /* yields a string "cba" */

The message expression consists of a receiver value (synonyms: object, 
instance) on the left-hand side of the tilde (~), which is the message 
operator, followed by the name of a message on the right hand side. If the 
message has arguments you would supply them in parentheses.

The receiver is then responsible to search for a method (function) by the name 
of the received message, invokes it and returns the result, if any.

This is a quite simple concept.

You may want to take a look at the article which introduces Rexx and ooRexx to 
engineering educators. Reading that article, any interested REXX programmer 
from this mailing list should be able to learn ooRexx in about half an hour!



Is there a free format only Abend-Aid program?

2024-04-17 Thread Binyamin Dissen
I have received what appears to be an abend-aid dump.

Is there a free formatter for it (not the full product, just the ability to
format the dump into a readable format)?

--
Binyamin Dissen 
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel



Re: Is there a free format only Abend-Aid program?

2024-04-17 Thread Schmitt, Michael
I'm wondering what you mean. When we used Abend-AID, it did produce a readable 
format. It was like a SYSUDUMP but better.

Do you mean some kind of internal abend capture file? Like an IBM Fault 
Analyzer fault history entry?

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Binyamin Dissen
Sent: Wednesday, April 17, 2024 2:37 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Is there a free format only Abend-Aid program?

I have received what appears to be an abend-aid dump.

Is there a free formatter for it (not the full product, just the ability to
format the dump into a readable format)?

--
Binyamin Dissen 
http://www.dissensoftware.com/

Director, Dissen Software, Bar & Grill - Israel

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: list Unix domain sockets

2024-04-17 Thread Frank Swarbrick
Interesting.  Never would have thought of that.
Not very efficient, however!

From: IBM Mainframe Discussion List  on behalf of 
Alexander Huemer 
Sent: Tuesday, April 16, 2024 11:42 PM
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: list Unix domain sockets

On Tue, Apr 16, 2024 at 10:42:01PM +, Frank Swarbrick wrote:
> Is it possible to list Unix domain sockets?  I don't see any netstat
> option to do so.

$ find / -type s

-Alex

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: list Unix domain sockets

2024-04-17 Thread Frank Swarbrick
There doesn't appear to be an option to display the names of the sockets.

From: IBM Mainframe Discussion List  on behalf of 
David Crayford <0595a051454b-dmarc-requ...@listserv.ua.edu>
Sent: Wednesday, April 17, 2024 5:55 AM
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: list Unix domain sockets

zlsof 
https://www.ibm.com/docs/en/zos/2.4.0?topic=scd-zlsof-display-information-about-open-files-sockets-pipes

> On 17 Apr 2024, at 06:42, Frank Swarbrick  wrote:
>
> Is it possible to list Unix domain sockets?  I don't see any netstat option 
> to do so.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
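
An added example, not part of either post: the same search as `find / -type s`, narrowed to one starting directory and one file system so it need not walk everything, and reporting each socket's permission bits and owner so sockets writable by any user stand out. It assumes Python 3 is available on the system; the function names are this example's own.

```python
import os
import stat
import sys


def list_unix_sockets(root):
    """Return sorted (path, mode, uid) tuples for socket files under root.

    Equivalent in scope to `find root -xdev -type s`: symbolic links are not
    followed and directories on other file systems are not entered.
    """
    root_dev = os.lstat(root).st_dev
    found, pending = [], [root]
    while pending:
        directory = pending.pop()
        try:
            with os.scandir(directory) as it:
                entries = list(it)
        except OSError:
            continue  # unreadable or vanished directory: skip it
        for entry in entries:
            try:
                st = entry.stat(follow_symlinks=False)
            except OSError:
                continue
            if stat.S_ISSOCK(st.st_mode):
                found.append((entry.path, stat.S_IMODE(st.st_mode), st.st_uid))
            elif stat.S_ISDIR(st.st_mode) and st.st_dev == root_dev:
                pending.append(entry.path)
    return sorted(found)


def world_writable(sockets):
    """Paths of sockets whose permission bits allow write by 'other'."""
    return [path for path, mode, _uid in sockets if mode & stat.S_IWOTH]


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    sockets = list_unix_sockets(start)
    exposed = set(world_writable(sockets))
    for path, mode, uid in sockets:
        flag = "  <-- writable by any user" if path in exposed else ""
        print(f"{mode:04o} uid={uid} {path}{flag}")
```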


Re: RACF - SDSF question

2024-04-17 Thread Hayim Sokolsky
Terri,

This is somewhat of an all or nothing equation, with a twist or two.

In OPERCMDS, the permits should always be "WHEN(CONSOLE(SDSF))" instead of 
permitting their groups. This filters the ability to issue the OPERATOR 
commands - both MVS commands and JES2 commands to be limited to situations 
where SDSF has generated the command for the user. At this point the 
JES2.CANCEL.BAT can only be issued when the user is authorized to the job.

So:
PERMIT JES2.CANCEL.BAT CLASS(OPERCMDS) ID(GROUP1) ACCESS(UPDATE)
 /* not recommended */
PERMIT JES2.CANCEL.BAT CLASS(OPERCMDS) ID(*) ACCESS(UPDATE) WHEN(CONSOLE(SDSF)) 
 /* recommended */

The second part of this equation is the profiles in the JESSPOOL class. If they 
have ALTER to a given job's profiles, they can have SDSF generate the commands 
to cancel or purge the job. If they do not have ALTER, then they cannot.

The interesting twist is how specific or not specific you go in JESSPOOL. SDSF 
gets kind of creative when it comes to issuing checks against JESSPOOL. There 
are separate checks performed on rerouting and purging output files which are 
separate from the normal JESSPOOL profile names.

  *   If the user owns the job, that is the job runs under their UserID, they 
automatically have ALTER. So don't let them run CICS regions under their own 
personal UserIDs.
  *   Assuming you have non-human (surrogate) UserIDs, the JESSPOOL profile 
should always contain the UserID or non-human UserID prefix explicitly, such as 
*.UserID.*.** instead of *.*.jobname.**.

JESSPOOL Profile                            Scope
nodeid.userid.jobname.jobid                 The job itself. Not used for releasing output or viewing the job output.
nodeid.userid.jobname.jobid.Ddsid.dsname    View individual SYSIN or SYSOUT data sets.
nodeid.userid.jobname.jobid.GROUP.ogroupid  Releasing or purging output groups.

It's all in how well you structure the UserIDs, OPERCMDS, and JESSPOOL profiles.



Hayim Sokolsky (he/him/his)

Director, Software Engineering

Rocket Software, USA



E: hsokol...@rocketsoftware.com

W:RocketSoftware.com


From: IBM Mainframe Discussion List  On Behalf Of 
Shaffer, Terri
Sent: Wednesday, April 17, 2024 08:28
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question

Hi,
I would like to resurrect this question again, because my issue is back but not 
sure if by design or my RACF setup...

Because we are a development shop, we allow our developers to start/stop and 
issue modify commands to shutdown their CICS regions that run as batch Jobs.

They are the owners/notify of said regions. However, what I would like to 
prevent is them Cancelling the regions, due to possible file corruption, etc.

They put a C beside a jobname which then issues a $CJ, which then translates 
into a CANCEL ,A=xx command.

$CJ(5138)
CANCEL C30TCIE2,A=0051
IEE301I C30TCIE2 CANCEL COMMAND ACCEPTED
$HASP890 JOB(C30TCIE2) 288
$HASP890 JOB(C30TCIE2) STATUS=(EXECUTING/SPS1),CLASS=Y,
$HASP890 PRIORITY=9,SYSAFF=(ANY),HOLD=(NONE
$HASP890 CANCEL=YES

So my question becomes is it even possible to stop this because technically 
they are the owners?

In RACF.
My JESSPOOL class has.
*.*.C30TCI*.** (G)

My OPERCMDS class has
JES2.CANCEL.BAT with them having UPDATE access

MVS.CANCEL.JOB.C30TCI* (G) NO access

So not sure this is possible or not?

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-Original Message-
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Shaffer, Terri
Sent: Wednesday, February 8, 2023 9:09 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question

Thank you, with your input and Robs, I now know the order of the checks, which 
was the piece I didn't fully understand.

I have now cleaned up my extra rules and added rules under jesspool and they 
are now stopped.

Rob, thanks for the slides!

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-Original Message-
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Robert S. Hansel (RSH)
Sent: Wednesday, February 8, 2023 8:00 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question

Hi Terri,

Here are a couple of thoughts to add to what others have mentioned.

Since SDSF is issuing a JES2 cancel job $CJ command, the name of the OPERCMDS 
resource being checked is JES2.CANCEL.BAT. Profile JES2.CANCEL.BAT.C30TCI* is 
superfluous since the resource name never

Re: RACF - SDSF question

2024-04-17 Thread Shaffer, Terri
Thanks Rob.  That showed what rules I was hitting.

I think I might have fixed it, but will have to see.  What I found was there 
was an *.* rule and an actual JESNODE.**, which was more specific and allowed 
all users ALTER access

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Rob 
Scott
Sent: Wednesday, April 17, 2024 11:02 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question

You can check what security activity is going on behind the scenes in SDSF, by 
doing the following :


  1.  Invoke SDSF and get to the point just before the user issues the action
  2.  Issue "SET SECTRACE ON"
  3.  Issue the "C" action
  4.  Issue "SET SECTRACE OFF"
  5.  Go into SDSF ULOG and there will now be numerous security trace messages 
showing the resources checked by SDSF and the SAF result from each.

They look something like :

ISF051I SAF Access allowed SAFRC=0 ACCESS=ALTER CLASS=JESSPOOL 
RESOURCE=node.owner.jobnameetc

In your specific case, SDSF will do a JESSPOOL profile check and require UPDATE 
or UPDATE access for CANCEL style actions.

Note that this is a "value add" thing that SDSF does and might not be reflected 
in the behaviour of other products/methods that can issue MVS and JES2 commands.

Rob Scott
Rocket Software

From: IBM Mainframe Discussion List  On Behalf Of 
Shaffer, Terri
Sent: Wednesday, April 17, 2024 1:28 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question

Hi,
I would like to resurrect this question again, because my issue is back but not 
sure if by design or my RACF setup...

Because we are a development shop, we allow our developers to start/stop and 
issue modify commands to shutdown their CICS regions that run as batch Jobs.

They are the owners/notify of said regions. However, what I would like to 
prevent is them Cancelling the regions, due to possible file corruption, etc.

They put a C beside a jobname which then issues a $CJ, which then translates 
into a CANCEL ,A=xx command.

$CJ(5138)
CANCEL C30TCIE2,A=0051
IEE301I C30TCIE2 CANCEL COMMAND ACCEPTED
$HASP890 JOB(C30TCIE2) 288
$HASP890 JOB(C30TCIE2) STATUS=(EXECUTING/SPS1),CLASS=Y,
$HASP890 PRIORITY=9,SYSAFF=(ANY),HOLD=(NONE
$HASP890 CANCEL=YES

So my question becomes is it even possible to stop this because technically 
they are the owners?

In RACF.
My JESSPOOL class has.
*.*.C30TCI*.** (G)

My OPERCMDS class has
JES2.CANCEL.BAT with them having UPDATE access

MVS.CANCEL.JOB.C30TCI* (G) NO access

So not sure this is possible or not?

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-Original Message-
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Shaffer, Terri
Sent: Wednesday, February 8, 2023 9:09 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question

Thank you, with your input and Robs, I now know the order of the checks, which 
was the piece I didn't fully understand.

I have now cleaned up my extra rules and added rules under jesspool and they 
are now stopped.

Rob, thanks for the slides!

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-Original Message-
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Robert S. Hansel (RSH)
Sent: Wednesday, February 8, 2023 8:00 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question

Hi Terri,

Here are a couple of thoughts to add to what others have mentioned.

Since SDSF is issuing a JES2 cancel job $CJ command, the name of the OPERCMDS 
resource being checked is JES2.CANCEL.BAT. Profile JES2.CANCEL.BAT.C30TCI* is 
superfluous since the resource name never includes the jobname, so you can 
delete it. Profile JES2.CANCEL.BAT.** is guarding JES2.CANCEL.BAT because the 
.** generic suffix applies to zero or more qualifiers, and in this case it is 
zero qualifiers. The suggestions to lock down MVS cancel job commands won't 
help in this situation because SDSF is issuing JES2 commands instead of MVS 
commands, so the OPERCMDS MVS.CANCEL.JOB.jobname resources won't 
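
The generic-profile behaviour discussed in this thread (a .** suffix covering zero qualifiers, and a broad JESSPOOL profile such as JESNODE.** covering every job on the node) can be checked offline with a small matcher. This is an added example, not part of any post and not RACF or SDSF code. It implements the documented meaning of %, * and ** for general resource classes, ignores RACFVARS, and lists every covering profile instead of reproducing RACF's choice of the single most specific one; the user ID, job ID and most access levels below are constructed.

```python
import re


def _qualifier_matches(pattern, qualifier):
    """Match one qualifier: % is any one character, a trailing * is any run."""
    regex = ""
    for i, ch in enumerate(pattern):
        if ch == "%":
            regex += "."
        elif ch == "*" and i == len(pattern) - 1:
            regex += ".*"
        else:
            regex += re.escape(ch)
    return re.fullmatch(regex, qualifier) is not None


def _match(prof, res):
    """Match lists of profile qualifiers against lists of resource qualifiers."""
    if not prof:
        return not res
    head, is_last = prof[0], len(prof) == 1
    if head == "**":                    # zero or more qualifiers
        return any(_match(prof[1:], res[k:]) for k in range(len(res) + 1))
    if not res:
        return False
    if is_last and head == "*":         # ending qualifier *: one or more qualifiers
        return True
    if is_last and head.endswith("*"):  # ABC.DEF*: rest of qualifier plus any that follow
        return _qualifier_matches(head, res[0])
    return _qualifier_matches(head, res[0]) and _match(prof[1:], res[1:])


def covers(profile, resource):
    """True if the generic profile name covers the resource name."""
    return _match(profile.split("."), resource.split("."))


def covering_profiles(profiles, resource):
    """Return the (profile, access) pairs whose name covers the resource."""
    return [(name, acc) for name, acc in profiles if covers(name, resource)]


# Constructed sample data. Profile names are the ones quoted in the thread;
# the access levels (apart from ALTER on JESNODE.** and the OPERCMDS values
# Terri lists), the user ID DEVUSR1 and the job ID are made up.
JESSPOOL = [("*.*.C30TCI*.**", "READ"), ("*.*", "NONE"), ("JESNODE.**", "ALTER")]
OPERCMDS = [("JES2.CANCEL.BAT.**", "UPDATE"),
            ("JES2.CANCEL.BAT.C30TCI*", "NONE"),
            ("MVS.CANCEL.JOB.C30TCI*", "NONE")]
JOB = "JESNODE.DEVUSR1.C30TCIE2.JOB05138"

if __name__ == "__main__":
    for name, acc in covering_profiles(JESSPOOL, JOB):
        note = "  <-- broad profile granting ALTER" if acc == "ALTER" else ""
        print(f"JESSPOOL {name:<24} {acc}{note}")
    for name, acc in covering_profiles(OPERCMDS, "JES2.CANCEL.BAT"):
        print(f"OPERCMDS {name:<24} {acc}")
```

Running the profile list from a RACF search through covering_profiles for one concrete job name shows every profile that could answer the JESSPOOL check; the SECTRACE output then confirms which one actually did.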

Re: Anyone exploiting ZEDC?

2024-04-17 Thread Glenn Wilcock
DFSMShsm is an excellent use case for zEDC and is our number one best practice 
for HSM.  When enabled, DSS zEDC compresses all blocks of data passed to HSM 
during Migration and Backup.  Because HSM is processing fewer data blocks, both 
cpu and elapsed time are reduced.  When going to ML1, the amount of storage is 
also significantly reduced.

Glenn Wilcock, DFSMS Chief Product Owner

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Anyone exploiting ZEDC?

2024-04-17 Thread Michael Oujesky
Unless the file is already compressed.  For those they just get 
passed to ML2 or BACKUP as-is.


Michael

At 04:04 PM 4/17/2024, Glenn Wilcock wrote:

> DFSMShsm is an excellent use case for zEDC and is our number one 
> best practice for HSM.  When enabled, DSS zEDC compresses all blocks 
> of data passed to HSM during Migration and Backup.  Because HSM is 
> processing fewer data blocks, both cpu and elapsed time are 
> reduced.  When going to ML1, the amount of storage is also 
> significantly reduced.
>
> Glenn Wilcock, DFSMS Chief Product Owner

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Fwd: Converting TCPIP DEVICE and LINK statements in preparation for z/OS 3.1

2024-04-17 Thread Albertus de Wet
We are on z/OS 2.4 and need to go to 3.1. We never did the z/OS 2.5 upgrade
and as I understood, this was an action item for zOS 2.5. So, how do we
convert the "DEVICE", "LINK" and "HOME" statements for TCPIP V3.1?
This is what we currently use in TCPIP:
; VIPA definition (EE)
DEVICE VIPA00 VIRTUAL 0
LINK   VIPAL00VIRTUAL 0 VIPA00
;

; Enterprise Extender Definitions (EE)
DEVICE IUTSAMEH MPCPTP
LINK   IUTSAMEHL MPCPTP IUTSAMEH
;

; OSA8100 is a OSA Express feature (CHPID=01)
DEVICE OSA8000 MPCIPA NONROUTER AUTORESTART
LINK   OSAL8000 IPAQENET OSA8000
;

According to:
https://www.ibm.com/docs/en/zos/2.5.0?topic=cnha-steps-converting-from-ipv4-ipaqenet-device-link-home-definitions-ipv4-ipaqenet-interface-statement
I come up with this, but obviously miss something:
; VIPA definition (EE)
;DEVICE VIPA00 VIRTUAL 0
;LINK   VIPAL00VIRTUAL 0 VIPA00
INTERFACE VIPAL00
  DEFINE VIRTUAL
  IPADDR 10.64.14.106
  PORTNAME VIPA00
  VIRTUAL 0
;
; Enterprise Extender Definitions (EE)
;DEVICE IUTSAMEH MPCPTP
;LINK   IUTSAMEHL MPCPTP IUTSAMEH
INTERFACE IUTSAMEHL
  DEFINE MPCPTP
  IPADDR 10.64.14.107
  PORTNAME IUTSAMEH
;
;DEVICE OSA8100 MPCIPA NONROUTER AUTORESTART
;LINK   OSAL8100 IPAQENET OSA8100
INTERFACE OSAL8100
  DEFINE IPAQENET
  IPADDR 10.64.14.105
  PORTNAME OSA8100
  NONROUTER AUTORESTART
and I commented out the HOME statements.

I cannot seem to get this to work. What is confusing to me is the VIRTUAL 0
part and we also do not have any "additional parameters" as per the
documentation.
I created another TCPIPX proc, pointing to the new PROFX member.
When I stopped the original TCPIP and start TCPIPX, it comes up, but not
happy with these messages:

EZZ0162I HOST NAME FOR TCPIPX IS LP2
EZZ0300I OPENED PROFILE FILE DD:PROFILE
EZZ0309I PROFILE PROCESSING BEGINNING FOR DD:PROFILE
EZZ0401I SYNTAX ERROR IN FILE: DD:PROFILE ON LINE: 180 AT: 'PORTNAME'
EZZ0324I UNRECOGNIZED STATEMENT PORTNAME FOUND ON LINE 180
EZZ0318I MPCPTP WAS FOUND ON LINE 187 AND INTERFACE TYPE WAS EXPECTED
EZZ0324I UNRECOGNIZED STATEMENT AUTORESTART FOUND ON LINE 197
EZZ0328I DEVICE OSA8100 ON LINE 385 HAS NOT BEEN DEFINED OR HAS BEEN DELETED
EZZ0328I DEVICE IUTSAMEH ON LINE 386 HAS NOT BEEN DEFINED OR HAS BEEN DELETED
EZZ0316I PROFILE PROCESSING COMPLETE FOR FILE DD:PROFILE
EZZ0303I INITIAL PROFILE FILE CONTAINS ERRORS
EZZ0641I IP FORWARDING NOFWDMULTIPATH SUPPORT IS ENABLED
EZZ0351I SOURCEVIPA SUPPORT IS ENABLED
EZZ0338I TCP PORTS 1 THRU 1023 ARE RESERVED
EZZ0338I UDP PORTS 1 THRU 1023 ARE RESERVED
EZZ4248E TCPIPX WAITING FOR PAGENT TTLS POLICY
EZZ4202I Z/OS UNIX - TCP/IP CONNECTION ESTABLISHED FOR TCPIPX
EZB6473I TCP/IP STACK FUNCTIONS INITIALIZATION COMPLETE.
EZAIN11I ALL TCPIP SERVICES FOR PROC TCPIPX ARE AVAILABLE.
EZD1313I REQUIRED SAF SERVAUTH PROFILE NOT FOUND EZB.INITSTACK.MANZANA.TCPIPX
EZD1176I TCPIPX HAS SUCCESSFULLY JOINED THE TCP/IP SYSPLEX GROUP EZBTCPCS

And it also did not start TN3270 as the original TCPIP did.

Any ideas, as I am obviously missing something?
Also, how can I test these new parms without stopping and starting TCPIP
address space each time? I knew my predecessor used something like
"OBEYFILE", but I am not sure if this would be the best way to change these
definitions - after I figured out what needs to change to what.

Thank you.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: What is IEANTRTR in Authorized Assembler Services Reference?

2024-04-17 Thread Peter Relson
IEANTRTR, exactly like IEANTRT, has authorization-related "limitations" and 
authorization-related opportunities.
If you look closely, the non-authorized IEANTRT shows that the level parameter 
has 4 choices. The authorized IEANTRT shows that the level parameter has 7 
choices. The same is true for IEANTRTR (or would be if both authorized and 
non-authorized were documented). But neither is really true. It's just that an 
unauthorized IEANTRT would (in practice, not theory) not use one of the other 3 
choices. Those other three options are all "match only if the name/token was 
created by a supervisor state or system key creator". Could an unauthorized 
user go down that route? I suppose. They wouldn't be retrieving information 
that they set.

The authorized IEANTRT allows SRB-mode and allows locks to be held; the 
unauthorized does not allow SRB-mode. It incorrectly talks about locks that 
could be held. It should not.  But realize that these are not enforced 
requirements/restrictions. Unauthorized code cannot be in SRB mode and cannot 
have system locks; authorized code is expected to follow the rules, whether 
they are enforced or not.

Unlike IEANTRT for reasons that I do not recall (but should because I wrote it 
and it was only 10 years ago) but for which I'd hope you'd consider submitting 
"negative feedback" (such as via thumbs down within "was this topic helpful?" 
after which you get to enter your comment), IEANTRTR is documented only in the 
authorized assembler services reference. It should be documented in both, 
appropriately. It's hard to submit feedback for "this book doesn't have this 
chapter", with the current scheme available, so I'd suggest doing it from the 
authorized book's chapter.
Peter Relson
z/OS Core Technology Design

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: REXX vs other languages WAS: Rexx numeric digits and scientific notation question

2024-04-17 Thread Andrew Rowley

On 18/04/2024 4:39 am, Rony G. Flatscher wrote:
> As you know already Rexx it would be easy for you to learn about what 
> ooRexx adds to Rexx.
>
> ...
>
> Notabene: you write one ooRexx program that will be runnable without 
> any changes on Windows, Linux and macOS. This means you develop it 
> e.g. on Windows at home and execute it in a Linux s390x subsystem at 
> work and vice versa. ;)
>
> ...
> A dynamic and dynamically typed language as ooRexx allows to forgo 
> many of the declarations a static and statically typed language 
> mandates, thereby simplifying coding quite considerably.



I find Rexx difficult because explicit declarations and static typing 
(as well as tightly controlled scopes) actually make programming easier, 
in general. They show up bugs in the code and make it easier to write 
correct programs. The IDE is also an important factor.


I already write programs on my Windows laptop and run them on z/OS using 
Java :-)


--
Andrew Rowley
Black Hill Software

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Anyone exploiting ZEDC?

2024-04-17 Thread Andrew Rowley

On 18/04/2024 12:04 am, Michael Oujesky wrote:
> Just a thought, but anyone processing internally compressed CICS or 
> DB2 data on a non-z/OS platform (Windows/Unix) might see substantial 
> CPU usage from RLE decompression.


If the compression is lightweight, decompression should be too. I can't 
speak for any other product, but I did an experiment with the EasySMF 
Java API.


Running a CICS report on my laptop I got:

Processing CICS compressed data: 1.2 GB/s (size after decompression)

Processing uncompressed data: 800 MB/s

So processing the compressed data was actually about 50% faster.

--
Andrew Rowley
Black Hill Software

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Anyone exploiting ZEDC?

2024-04-17 Thread Prashant Joshi
I did a zBNA study for a few environments and every time I see an increase (or 
very small decrease) in CPU seconds usage. I see a big difference in IO delta 
and considerable saving in DASD storage but not much difference in CPU time? Or 
does zBNA include only batch jobs and no other beneficiary started tasks like 
HSM, CICS, DB2 etc.?

Thank you,
Prashant

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Glenn Wilcock
Sent: Thursday, April 18, 2024 2:34 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: Anyone exploiting ZEDC?

DFSMShsm is an excellent use case for zEDC and is our number one best practice 
for HSM.  When enabled, DSS zEDC compresses all blocks of data passed to HSM 
during Migration and Backup.  Because HSM is processing fewer data blocks, both 
cpu and elapsed time are reduced.  When going to ML1, the amount of storage is 
also significantly reduced.

Glenn Wilcock, DFSMS Chief Product Owner

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN