Re: Is There A List Of Who Plays The IFAPRDxx Game?
On Mon, 1 Jul 2013 07:11:46 -0500, Andrew Metcalfe andrew.metca...@barclays.com wrote:

> The product I'm looking at (OGL 5688-191) pre-dates IFAPRDxx so I suspect that I am wasting my time looking. I tried putting a generic entry in IFAPRDxx only specifying:
>
> PRODUCT ID(5688-191) VERSION(*) RELEASE(*) MOD(*) STATE(DISABLED)
>
> but it still executes.

If an IBM product supports IFAPRDxx you should find clear documentation of that fact.

--
Walt

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: REXX Socket Calls
On Mon, 24 Jun 2013 10:22:34 -0500, Doug Henry doug_he...@usbank.com wrote:

> On Mon, 24 Jun 2013 09:29:57 -0500, John McKown john.archie.mck...@gmail.com wrote:
>
>> I am not very knowledgeable on this sort of thing. Is AT-TLS something different from SSL? I don't really know. In the z/OS 1.12 Comm Server manuals, I found:
>
> Hi John, AT-TLS (Application Transparent Transport Layer Security) is ssl provided for TCP/IP connections. My comserver guys tell me that this is the IBM recommended way of providing ssl. It is then transparent to the application running on z/OS.
>
> http://publib.boulder.ibm.com/infocenter/ieduasst/stgv1r0/topic/com.ibm.iea.commserv_v1/commserv/1.7z/security/AT_TLS.pdf

Some uses of SSL via AT-TLS can be transparent to the application, but some are not, as I understand it.

For example, a server application or a client application can make use of AT-TLS transparently if they merely want an encrypted pipe between them. However, if the server wants to authenticate the client by accepting a client certificate and mapping it to a RACF user ID then that will require specific AT-TLS coding in the server application.

--
Walt
Re: System abend 800 reason code 4
On Thu, 30 May 2013 15:56:39 -0400, Micheal Butz michealb...@optonline.net wrote:

> For reason code 4 the explanation says A program issued a SVC 114 the EXCPVR macro

That may be a possible clue to your problem. It says you're using EXCPVR, and from z/OS V1R13.0 DFSMSdfp Advanced Services we can see that

    In order to issue EXCPVR, your program must be executing in protection key zero to seven, executing in supervisor state, or be APF authorized.

From your earlier note, you're trying to do this under TSO TEST, but TEST won't invoke programs in an authorized state. You would probably need to use the TESTAUTH command instead.

--
Walt
Re: To Backup or Not to Backup Data - That is the question
On Thu, 30 May 2013 16:15:42 -0500, Tom Marchant m42tom-ibmm...@yahoo.com wrote:

> On Thu, 30 May 2013 11:44:32 -0700, Lizette Koehler wrote:
>
>> So do I have overkill?
>
> Software disasters can be the hardest ones to plan for. What do you do if one of your critical applications has a program change that causes it to start corrupting data? How long will it take before it is noticed? This can be a lot harder than a hardware failure.

Or human disasters, Tom. Someone deletes a data set, and because the DASD is mirrored everywhere, all your online copies are gone instantly. Oh, and if you didn't have any real backup copies of the DASD, then all copies of that data set are gone.

That's one reason that IBM recommends using RACF's duplexing of its database, rather than depending on hardware mirror copies, and also recommends taking nightly backups of the database. When an administrator makes a mistake it can save a lot of hassle. And, if RACF itself makes a mistake, there's a good chance that only the primary (or the duplex) copy will be damaged. But if you were depending on the hardware mirroring they're all broken.

--
Walt (former RACF Designer)
Re: Getting DD DISP
On Wed, 29 May 2013 16:54:49 -0500, Kirk Wolf k...@dovetail.com wrote:

> Is there an easy way for a program to get the DISP (NEW/MOD/SHR/OLD) of a DD from the TIOT, or do you have to do a RDJFCB?

I'm somewhat curious why you'd want to know, from a program, Kirk. But however you get it, I'll mention that NEW and MOD are not necessarily distinct. That is, they are certainly separate keyword values, but if the data set does not already exist then MOD can act like NEW.

That's a large part of my wondering why it's significant to the program, since I can't think of a way to make a meaningful distinction between those two values of DISP.

--
Walt
Re: Rather interesting article on hacking the mainframe using ftp
On Sat, 18 May 2013 15:17:22 -0500, John McKown john.archie.mck...@gmail.com wrote:

> http://mainframed767.tumblr.com/post/50574743147/big-iron-back-door-maintp-part-two
>
> basically the person must be able to ftp into a UNIX subdirectory and to submit a job. They upload a program called netcat into a data set starting with their RACF id. They then submit a job which copies the data set into the /tmp subdirectory with a random name, chmod the name to be executable, then executes does starts the netcat in the background (asynchronous to the batch job) and piping to/from the z/OS UNIX shell. The hacker simply connects to the port that netcat is listening on, and presto, they have a shell on their desktop.

True, but anything they can do using that shell they could have done directly within the batch job that they submitted. If the administrators did not want them running batch jobs, they could have prevented that quite easily.

--
Walt
Re: Duplicate Batch Job
On Tue, 7 May 2013 12:49:32 -0500, Paul Gilmartin paulgboul...@aim.com wrote:

> On Tue, 7 May 2013 13:34:07 -0400, Gerhard Postpischil wrote:
>
>> On 5/7/2013 5:02 AM, Lizette Koehler wrote:
>>> The only way I can think of restricting is an exit in JES2. Or if this is a TSO User you may wish to look at IKJEFT10 exit.
>>
>> You'd be surprised how many secure installations permit a TSO user to allocate an internal reader and write a job to it.
>
> Why is that a problem?

I'm not sure why Gerhard thinks that is a security problem, gil. But certainly if users push jobs through the INTRDR directly (as opposed to via TSO/E SUBMIT or ISPF SUB) then you can't depend on any restrictions imposed by IKJEFF10; you would have to use JES or SMF exits.

Actually, I'm not sure you can stop users from allocating an INTRDR and still allow them to submit jobs from TSO, since even SUBMIT goes through the INTRDR. So I've never believed in using IKJEFF10 to enforce installation restrictions on job content.

> Control resources, not tools.

Definitely!

--
Walt
Re: NDM RACF002 Error But No Password Used
On Wed, 17 Apr 2013 10:54:12 -0400, Biller, Charles A (CHUCK) chuck.bil...@verizon.com wrote:

> Release 5. User reports he's not aware of a password change attempt. The credentials are in a sysin and even though the racf id is protected (no password) the ndm statements in the sysin has included a password for years but has run ok until last week. Other batch jobs using that Id are still running OK. Sounds like I'll need to contact IBM.

Are you sure the ID wasn't just made PROTECTED last week? Or that the password wasn't just added to the SYSIN?

NDM almost certainly has no idea that the ID is PROTECTED, and simply passes along the password. And a PROTECTED ID is never usable if someone provides a password. That leaves 2 choices that I can see:

(1) The ID was not PROTECTED previously; or
(2) The SYSIN did not have a PASSWORD specified previously.

I do not know if NDM even allows possibility 2 (it's very rare to allow use of an ID without specifying the password), so I suspect that (1) applies.

--
Walt
Re: 32760? (was: PARMDD?)
On Tue, 9 Apr 2013 09:21:59 -0500, Paul Gilmartin paulgboul...@aim.com wrote:

> I have an outlying case to test my understanding:
>
> // SET FOO='WOM'
> // SET BAR=BAT
> // SET WOMBAT='SDB=YES'
> //*
> //STEP     EXEC PGM=IEBGENER,PARMDD=SYSUT1
> //SYSUT2   DD SYSOUT=(,)
> //SYSUT1   DD *,SYMBOLS=JCL
> FOOBAR
> //SYSIN    DD DUMMY
> //SYSPRINT DD SYSOUT=(,)
>
> Since symbols are substituted when SYSUT1 is created and GET performs no further transformation, the line written to SYSUT2 is WOMBAT. I'm pretty confident of that.
>
> But when SYSUT1 is processed as PARMDD, are symbols also resolved by the initiator, since the JCL symbol values are known and it's not too late, so the PARM passed to IEBGENER is SDB=YES?

I think your understanding has a flaw, gil. As I understand the discussion, it is not the initiator doing the substitution. If it were, then symbols in non-instream PARMDD data sets would work.

Rather, it is JES doing the substitution. The initiator merely passes along whatever GET provided, and GET in turn merely passes along exactly what was in the non-instream data set, or whatever JES provided for an instream data set.

--
Walt
Re: 32760? (was: PARMDD?)
On Tue, 9 Apr 2013 13:28:57 +0100, Martin Packer martin_pac...@uk.ibm.com wrote:

> I'm running a residency in the Autumn on 2.1 code (and you'll see an announcement as this one is expected to welcome customer etc nominations shortly). I mention this because Symbol Substitution via PARMDD is quite likely to feature. What I'll want to figure out then is whether the only in instream restriction is going to be significant. We're likely to parameterise things that look like clone jobstream number as well as some character strings related thereto. But for now thanks Peter for pointing out this restriction. It might affect what we do.

I think you're looking at it wrong, Martin. (And I'm serious in that statement.)

There is no restriction. Rather, if you choose to use in-stream data, then as an added enhancement you get to use symbols. That applies any place you choose to use in-stream data, for any program reading the data.

But no program that is reading data from a disk or tape data set, or from a UNIX file, gets symbol substitution unless it chooses to implement the substitution itself, and few (if any, as far as I know) do so.

--
Walt
Re: 32760? (was: PARMDD?)
On Wed, 3 Apr 2013 07:29:11 -0500, Paul Gilmartin paulgboul...@aim.com wrote:

> On Wed, 3 Apr 2013 06:47:01 -0500, John Gilmore wrote:
>
>> Peter's most recent response:
>>
>> begin extract
>> The 100 character restriction is applied to the following case, only: environment is APF; and jobstep program is AC(1); and the program is not bound with LONGPARM.
>> /end extract
>>
>> is admirable, unambiguous, and, I think, definitive.
>
> It leaves a couple holes. One question in the thread concerned:
>
> o Jobstep program is AC(1), from an authorized library, so the environment was authorized.
> o Jobstep program ATTACHEs a subprogram AC(0), from an authorized library, bound with NOLONGPARM, passing an argument longer than 100 bytes.
> o Is the 100 character restriction applied?
>
> My conjecture is, No,:
>
> - There's no such restriction under z/OS 1.13 and I doubt that IBM intends to impose a new restriction in 2.1.
> - The passed argument may not be structured with a halfword count field, so ATTACH has no way of knowing its length.
>
> I surmise the restriction is applied only by the initiator when ATTACHing the jobstep program. Is this right?

Correct. It is the initiator that applies the restriction, just as it is the initiator that reads the PARMDD DD statement containing the parameter and passes it to the jobstep program.

If an authorized program (running APF-authorized, supervisor state, or system key) were to invoke another program (to also run authorized) and pass a longer parm, without knowing (somehow) that the called program can accept the longer parm, that would be a System Integrity issue with the authorized program, since it cannot predict how the called program will react.

--
Walt
Re: Long Passwords
On Fri, 22 Mar 2013 15:18:48 -0400, Tony Harminc t...@harminc.net wrote:

> In the long term, of course, RACF will surely change to allow phrases to be as short as anyone likes, subject only to installation control, and passwords to be optional, and then we'll have by a very long and roundabout route what everyone wanted in the first place: z/OS support for long passwords.

I sincerely doubt RACF will ever allow passwords shorter than 9. They are too weak, unless the site has a new password phrase exit to apply some rules regarding allowable character content.

It probably will someday allow a z/OS user to have a password phrase but no password. RACF on z/VM already allows that, and did from the beginning of its password phrase support if I remember correctly.

--
Walt
Re: Long Passwords
On 22 March 2013 14:50, EXT-Schwarz, Barry barry.schw...@boeing.com wrote:

> My mistake about after. How about during? On the TSO logon panel, if you enter the correct passphrase, do you also need to enter the current password when you enter a new password? I would test it but we don't have phrases active.

No. RACF only allows you to specify a new password if you specify the current password, or a new phrase if you specify the current phrase. You can't mix them.

--
Walt
Re: Long Passwords
On Wed, 20 Mar 2013 10:44:41 -0400, Keith Smith keith.sm...@shawinc.com wrote:

> I stand corrected. The password is, in fact, the default group. There are way too many gotchas popping up... What happens if the password is expired? Will the password phrase still work? I guess I should test this too.

As the RACF manuals clearly document, expiration of the password has no effect on using the password phrase, and vice versa. While they have the same expiration interval, they have separate expiration dates.

--
Walt
Re: Long Passwords
Barry Schwarz wrote:

> Elardus Engelbrecht wrote:
>
>> To avoid this exposure always enter a password value and never tell your users what the password is.
>
> Except the user can usually change his password after he has logged on with the phrase.

Really? How would he do that, if he doesn't know his current password? Certainly not via the PASSWORD command, so what have I forgotten?

--
Walt
Re: Weird ISPF scrolling problem
On Sat, 9 Mar 2013 18:31:15 +, Robert Prins robert.ah.pr...@gmail.com wrote:

> DOWN works without problems. If the penultimate line of the logical screen has an underlined sequence number, indicating that it's followed by hidden excluded lines, and the cursor is on the very last line of the logical screen, and the cursor is put on this last line, scrolling UP via PF7 (defined as UP) does not work. Putting the UP command on the command line, and the cursor back on the same last line of the logical screen has the same effect, the screen stays put!

What is the scroll amount? Are there more lines hidden than that? For example, perhaps your scroll amount is 32, and there are 64 lines hidden, and so scrolling up would put you in the middle of the hidden area. So you stay where you are.

--
Walt
Re: Retrieving output submitted by surrogates
On Wed, 6 Mar 2013 21:14:13 +0800, Robin Atwod abend...@gmail.com wrote:

> This is a rather arcane topic but hopefully one of you out there might have some insight. I am working on a problem where a customer uses our application to submit jobs to JES2, and then, when the output is available, the application reads it from the spool and sends it back to the customer. This uses the SAPI (function 79) JES2 call and has worked well for years. Now a customer wants to use a surrogate userid to submit the jobs which run under various different userids. Submission works fine, as long as the RACF rules are defined, but when I try to pick up the output, I get RC=4, nothing found.

First, just to make sure we're using the same terminology, there are two important user IDs to consider here: (a) the execution user, specified in your case via USER= on the JOB statement, and (b) the user who submits the job (which is the surrogate user).

JESSPOOL security processing will allow the execution user to view/retrieve output without any profiles defined. However, the submitter (surrogate user) does not have authority to the job output unless a JESSPOOL profile allows it. That will also affect the SAPI processing, but I really don't know what kind of return codes you'd get.

You might be able to see some JES2 error messages if you first issue

    $T DEBUG,SECURITY=YES

if the SAPI function works like normal spool access/selection does, but I'm not sure.

--
Walt
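An added illustration of the two separate authorizations discussed in the message above (not part of the original thread): the SURROGAT profile that lets one user submit jobs for another, and the JESSPOOL profile that lets the submitter read the resulting output. The node name NODE1, the user IDs EXECUSR and SURRUSR, and the READ access level on JESSPOOL are assumptions; check the JES2 documentation for the access level your SAPI request needs.

```tso
/* Constructed names: NODE1 = local JES2 node,                  */
/* EXECUSR = execution user (USER= on the JOB statement),       */
/* SURRUSR = submitting (surrogate) user.                       */

/* 1. Submission: SURRUSR may submit jobs that run as EXECUSR.  */
RDEFINE SURROGAT EXECUSR.SUBMIT UACC(NONE)
PERMIT EXECUSR.SUBMIT CLASS(SURROGAT) ID(SURRUSR) ACCESS(READ)
SETROPTS RACLIST(SURROGAT) REFRESH   /* if SURROGAT is RACLISTed */

/* 2. Retrieval: the SURROGAT profile grants nothing on spool.  */
/* JESSPOOL names are node.userid.jobname.jobid.dsnumber.name,  */
/* where userid is the execution user that owns the output.     */
SETROPTS CLASSACT(JESSPOOL) GENERIC(JESSPOOL)
RDEFINE JESSPOOL NODE1.EXECUSR.** UACC(NONE)
PERMIT NODE1.EXECUSR.** CLASS(JESSPOOL) ID(SURRUSR) ACCESS(READ)
SETROPTS GENERIC(JESSPOOL) REFRESH

/* 3. Verify who is on the access list.                         */
RLIST JESSPOOL NODE1.EXECUSR.** AUTHUSER
```

Narrowing the profile to a job name, for example NODE1.EXECUSR.jobname.**, keeps the submitter from reading other output owned by the same execution user.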
Re: Paul Gilmartin paulgboul...@aim.com
On Sun, 3 Mar 2013 08:51:34 -0500, John Gilmore jwgli...@gmail.com wrote:

> I come now to Tony Harminc's example:
>
> begin extract
> But SETRP generates a NOPR with an expression (related to the SDWA, I think) obviously intended (and I think commented) to fail if the length is not 0. However HLASM doesn't think the expression is a likely register value - a legal one, certainly - but still worth a warning if you have registers EQUated with the GR or GR32 or GR64 option.
> /end extract
>
> It is very different. Register equates are ubiquitous. What we thus have in this example is no or inadequate testing, and that is not defensible. None of us expects IBM code to be error-free. None of us writes such code. We do expect that IBM code will have been tested, in effect that such errors as we find in it will be subtle and not crudely obvious ones; and in this expectation we are now often disappointed.

I'll have to disagree with you, John. What we have there is (I believe) an old macro, using techniques that work perfectly well, unless someone uses an HLASM option that did not exist when the macro was written.

If IBM has not needed to change the macro since HLASM created that option, then there has been no need to test the macro. Even if IBM has had to change the macro, there is nothing that would require IBM's testers to try it with all possible HLASM options and combinations of options.

Note that I'm not saying the macro is as good as it could be. And I'm not saying that IBM shouldn't improve it. But claiming inadequate testing, or claiming that the macro definitively has an error, seems inappropriate to me.

--
Walt (who is, of course, no longer an IBMer but once was)
Re: SDSF Rexx Issue - to copy SYSOUT into PDS
On Fri, 1 Mar 2013 08:59:58 +0530, saurabh khandelwal sourabhkhandelwal...@gmail.com wrote:

> Hello Walt, I am running this program under z/OS 1.13 system only.

My concern doesn't affect you; the reply was specific to Steve, who is testing with IEBCOPY. Your problem should simply be that you don't have the parm or the alternate-ddname list variable setup correctly, but you've never shown us what they contain, as far as I know.

--
Walt
Re: Secure Service Delivery
On Fri, 22 Feb 2013 12:14:52 -0500, John Gilmore jwgli...@gmail.com wrote:

> I have experimented with this number---Note that it includes professional development, e.g., journal reading, web browsing, meeting attendance and the like, things that are not immediately relevant to the task at hand ---and I do not think 5% is enough. It is low by the standards of other professions. Medical doctors, for example, devote as much as 25% of their time to this sort of thing.

But do they do it during the day (taking time away from patients), or do they do it nights and weekends? Knowing how many hours my previous primary care provider worked in the office, and how much administrative work he did beyond that, I was never sure how he found the time even to read the journals let alone do any formal training.

--
Walt
Re: USPTO does another goodie.
On Wed, 20 Feb 2013 07:26:41 -0600, John McKown john.archie.mck...@gmail.com wrote:

> So, just put an expiration time as part of a file name and you can patent it? These people have their head where the sun don't shine. OK, maybe nobody else has done this _exact_ thing. But, really? Of course, in today's society, defensive patents are a requirement. So this may be along those lines.

No, that's not what it said. It said that the single data file is split into chunks, the chunks are distributed among various file servers, and the application might modify one or more (but not necessarily all) of the chunks, meaning that each chunk might have a different modification date/time. The system will then base its decision on deleting the complete file by figuring out the most recent modification date/time among all the chunks of the file, across all the relevant servers, and comparing that with the time-to-live value.

It's not a simple expiration date on one file located in one location, but a more complex network-oriented operation.

--
Walt
Re: SMS QUESTION - DATACLAS NOT DEFINED IN SMS ACS
On Mon, 18 Feb 2013 11:32:46 -0800, retired mainframer retired-mainfra...@q.com wrote:

> It is also possible for the RACF resource owner of a dataset (specified in the RESOWNER field of the DFP operand on the ADDSD command) to have a default data class (specified in the DATACLASS field of the DFP operand of the ADDUSER/ADDGROUP command). SMS will use this value if ACSDEFAULTS is set to YES in the PARMLIB member IGDSMSxx.

There's one aspect of the processing you missed, as specified in the RESOWNER field of the DFP operand on the ADDSD command neglects the default processing. If there's no DFP segment in the relevant DATASET profile, or it doesn't specify a RESOWNER, then RACF will assign the HLQ of the DATASET profile (if it's a user ID or group name) as the RESOWNER.

--
Walt
Re: How do people lock down the compilers inside CA Endevor?
On Tue, 12 Feb 2013 09:11:03 -0600, Paul Gilmartin paulgboul...@aim.com wrote:

> On Tue, 12 Feb 2013 07:49:27 -0600, John McKown wrote:
>
>> Another possible solution, which I did with different IBM module, is to write a small HLASM program. This program would verify how it was called by looking at the RB chain, to be sure it was not the first RB on the TCB is what I'm thinking. ...
>
> I invoke a lot of programs with Rexx address LINKMVS. How does that affect the RB chain?

Just as you might expect. The program will be a new RB under whatever RB was running your REXX program. It certainly won't be the same as EXEC PGM=(the program) and so this would be a trivial bypass to that proposed security mechanism.

--
Walt
Re: How do people lock down the compilers inside CA Endevor?
On Mon, 11 Feb 2013 14:32:36 -0800, Charles Mills charl...@mcn.org wrote:

> This is a theoretical question. I am *not* an Endevor user. I am trying to solve a *similar* problem and this is the best way to explain it.
>
> Here's the question: at shops that use Endevor for all compiles, how do you lock down the compilers so that programmers can only run the compilers under Endevor, not with plain old JCL? What about programmers who might have private copies of the compiler load libraries?
>
> (More generically, if X is a load module, is it possible to set things up such that program Y can run X, but PGM=X will never work? How? I have thought about engineering a rename to a name that JCL will not accept (but LINK will) but I would just as soon not get that weird; rather do things in a more supported way.)

I'm curious why you would want to do that. Wouldn't it be better to protect the relevant load libraries such that your users cannot compile into them except under Endevor's control?

Perhaps you should explain your actual problem, not have us try to guess at an answer by analogy.

--
Walt
Re: JSON format in ISPF Services Guide?
On Thu, 7 Feb 2013 08:04:20 -0600, Kevin Minerley k60ek...@us.ibm.com wrote:

> I think you should be able to get to unresolved reference at:
>
> z/OS V1R13.0 ISPF Services Guide
> IBM Library Server - http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ispzsg90/CCONTENTS?SHELF=all13be9DN=SC34-4819-10DT=20110601015450
>
> The writer has been notified of the problem.

But the more basic problem is that the ISPF Services Guide does not contain any mention of JSON. So it's not simply an unresolved reference in the other book, but missing documentation (or a pointer to the wrong book).

--
Walt
Re: z/OS v2.1 preview
On Wed, 6 Feb 2013 08:16:52 -0600, Paul Gilmartin paulgboul...@aim.com wrote:

> On Tue, 5 Feb 2013 10:16:38 +0200, גדי בן אבי wrote:
>
>> o IBM plans to remove support for unsecured FTP connections used for z/OS software and service delivery October 1, 2013. At that time, it is planned that new System z software (products and service) downloads will require the use of FTPS (FTP using Secure Sockets Layer) or of Download Director with encryption.
>
> FTPS, but not SFTP?

Remember, SFTP is not FTP; it's SSH, a totally different protocol and set of programs.

--
Walt
Re: SFTP vs. FTPS (was: z/OS v2.1 preview)
On Wed, 6 Feb 2013 09:27:18 -0600, Paul Gilmartin paulgboul...@aim.com wrote:

> On Wed, 6 Feb 2013 08:57:41 -0600, Walt Farrell wrote:
>
>>>> ... new System z software (products and service) downloads will require the use of FTPS (FTP using Secure Sockets Layer) or of Download Director with encryption.
>>>
>>> FTPS, but not SFTP?
>>
>> Remember, SFTP is not FTP; it's SSH, a totally different protocol and set of programs.
>
> Exactly, notwithstanding some superficial similarity in line commands. But I'm set up for SSH on various hosts -- authorized_keys, etc. SFTP comes naturally, then. FTPS isn't in my skill set. What's the relative prevalence of SFTP and FTPS in the outside world?

I have no idea of the prevalence. On the other hand, FTPS _is_ FTP, and it's likely that more z/OS sites have FTP servers than have SSH servers. And if you have FTP then setting up FTPS is (I think) largely a matter of putting the right certificate in the right key ring, which is all native to z/OS and doesn't require installing and configuring SSH (from Ported Tools) if you haven't done so already.

--
Walt
Re: Check out Apple Q1 2013 hardware sales: By the numbers | ZDNet
On Wed, 30 Jan 2013 16:51:49 -0500, Ed Finnell efinnel...@aol.com wrote:

> _Apple Q1 2013 hardware sales: By the numbers | ZDNet_ (http://www.zdnet.com/apple-q1-2013-hardware-sales-by-the-numbers-710258/)
>
> So grasshopper, how's your mobile app on Z?

This grasshopper is tempted to wonder why that article is at all relevant here. I mean, we're definitely comparing Apples and something else :)

Might as well ask how many different users your iPad or iPhone will support at the same time, and how many apps it can run simultaneously, and how many petabytes of local storage it can have, and how long it runs without needing a reboot, and

--
Walt
Re: FTP z/OS to z/OS 501 Invalid data set name - codepage issue?
On Fri, 18 Jan 2013 14:47:13 +0100, Boris Lenz boris.l...@ims.sells.ch wrote:

> I can't get an FTP PUT to work with dataset names that contain a dollar sign (x'5B', which is the pound sign on the target system).
>
> Source system is z/OS, codepage IBM-500
> Target system is z/OS, codepage IBM-285
>
> FTP commands:
>
> TYPE E
> SITE ISPFSTATS
> PUT 'USERA.TSO.EXEC($TEST)'
> QUIT
>
> The output is:
>
> EZA1701I STOR 'USERA.TSO.EXEC($TEST)'
> 501 Invalid data set name ''USERA.TSO.EXEC($TEST)'. Use MVS Dsname conventions.
> EZA1735I Std Return Code = 27501, Error Code = 2

You could, of course, specify a second name on your PUT command to rename the data set or member to something different that will work on the remote site (i.e., that does not use the problematic national characters).

    PUT local-name remote-name

--
Walt
Re: ICSF Symmetric Key being sent to a non-zOS system
On Thu, 17 Jan 2013 12:39:11 -0800, Phil Smith p...@voltage.com wrote:

> Mark Jacobs wrote:
>
>> I've been reading the ICSF Applications Programmers guide and I understand the process on how to transport ICSF keys to another zOS system using importer/exporter keys, but I have no idea on how it would work on a non-zOS platform. Can anyone point me to some doc, or share their process if they've already done it?
>
> FYI, there's no such thing as an ICSF key. There are keys of various sorts that ICSF manages, but they aren't ICSF-ized per se. I guess if they're wrapped (encrypted) in a Crypto Express, they could be sort of thought of as being bound to ICSF, but they still are really just 56 or 64 or 128 or 192 or 256 or however many bits of key material.
>
> So...having said that, what do you mean by how it would work on a non-z/OS platform? How WHAT would work? An AES key is an AES key: if you have an AES algorithm and a key, you can encrypt data, and you'll get the same result on any platform (assuming you're using the same AES mode, etc.).
>
> I feel like I'm taking you to task here, and I don't mean to be - just trying to understand what your real question is!

I read it as, how would I extract a key from ICSF and send it to a non-z/OS system?

--
Walt
Re: Break a dataset into new record boundaries?
On Tue, 15 Jan 2013 09:04:30 -0800, Charles Mills charl...@mcn.org wrote:

I've got a dataset that has been mangled through some misguided efforts such that original record boundaries have been lost. It used to be RECFM=V and now it is RECFM=F

You did not say how it was mangled, and that can be important. In the simplest case, if the data is good but someone mangled the DCB characteristics, then if you know the proper DCB characteristics you can do something like this and largely or completely recover things:

//         EXEC PGM=IEBGENER
//SYSIN    DD DUMMY
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD DUMMY,DCB=(RECFM=VB,LRECL=proper-lrecl)
//SYSUT2   DD DSN=broken-data-set-name,DISP=MOD,
//            DCB=(RECFM=VB,LRECL=proper-lrecl,BLKSIZE=proper-blksize)

This will copy nothing to the end of the data set, and in the process reset the DCB characteristics. Of course, you should try that with a copy of the data set, not the original, so you don't accidentally make things worse.

-- Walt

Re: Security vulnerability in IBM HTTP Server for z/OS Version 5.3 (PM79239)
On Sat, 5 Jan 2013 16:24:34 +0100, R.S. r.skoru...@bremultibank.com.pl wrote:

BTW: I'm signed to both portals. Redalert is better, because it notifies me by email about news (no details in the mail AFAIR), but security portal does not send notifications. Maybe this is matter of some personalization?

My understanding when we set up the security portal was that it would send email to notify you of changes, Radoslaw. If that's not happening for you I suggest checking your settings there.

-- Walt

Re: Security vulnerability in IBM HTTP Server for z/OS Version 5.3 (PM79239)
On Thu, 3 Jan 2013 13:38:14 -0600, Robert Carballo robert.carba...@officedepot.com wrote:

Does anyone have any thoughts on this? Here is the link explaining the issue: https://www-304.ibm.com/support/docview.wss?uid=swg21620945 I did some searching but can't seem to really find details about the exploit. How serious is this?

IBM does not provide details about exploits. From its CVSS score given on the link you provided (base: 10) and from the ISS X-Force site linked from there (current temporal score: 7.4) it is a fairly severe (high risk) exposure if you run IBM HTTP Server for z/OS Version 5.3.

-- Walt (former IBMer)

Re: BPXP024I BPXAS INITIATOR STARTED ON BEHALF OF... ( was: JVMDUMP032I message)
On Sat, 29 Dec 2012 07:42:34 +0100, ibmmain nitz-...@gmx.net wrote:

I have also seen this happen with IBMUSER, and the colleague doing the ftp swears that he didn't use IBMUSER for his ftp.

If this was for an inbound FTP session, do you have the FTP server configured to run as IBMUSER?

-- Walt

Re: BCPII and activation profile
On Sun, 16 Dec 2012 11:30:24 -0800, Skip Robinson jo.skip.robin...@sce.com wrote:

I never saw a reply to Lizette's post. We also have an interest in the same topic. We want to encourage members of the technical staff to manage our sandbox LPARs rather than pester--er, request--Operations to shut down/IPL systems that 'we' own. The problem is how to allow these folks to manage sandbox LPARs only. Using our fine automation product together with the V XCF...REIPL command, they can reIPL a system on their own. Or we can write our own IPL command that does a SAF check before calling BCPII to do the deed. The difficulty occurs when a system is not currently running and/or when the sysres volume needs to be switched from its last used value to a different one. We have not found a way for BCPII to even query the current IPL profile, let alone switch to an alternate profile. Without this capability, we cannot insist that our folks do their own laundry.

I'm not an expert in this, Skip, having never actually used BCPii, and upon leaving IBM I lost access to much of the info that would help me to provide a more definitive answer. But I had to do some research into it for purposes of the Common Criteria certification for z/OS, so I'll attempt an answer based on fading memories and the public doc that I have found. I'm not sure this is information you know already, but if not it might help.

First, I'm curious why your IPL command would need to do a SAF check. There should be adequate SAF checking already built into the BCPii APIs, from what I remember. And the descriptions in MVS Callable Services for HLL indicate the SAF checks that are done.

Next, it's critical to understand what books you need to be looking at. MVS Callable Services for HLL,
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/IEA2C170/CCONTENTS?DT=20110614133049
or http://preview.tinyurl.com/bu8epwb
describes how to invoke the functions, but as far as I know it does not describe the data objects and their formats that you need to use. The data objects and their contents are really the critical pieces of information, as I understand it. For that, you'll need to read and understand System z Application Programming Interfaces, SB10-7030 (currently, I think, -15),
http://www-01.ibm.com/support/docview.wss?uid=isg2b09e422f170ffc9c85257075004bde92aid=1
or http://preview.tinyurl.com/cf4a93e
which describes all the details.

For example, from that latter manual I can see that there is a way to see what the last-used activation profile for an image was (as it is a field returned by -some- query), and there is a way to retrieve the contents of an activation profile, and (I think) to change the contents of an activation profile, and to specify which activation profile should be used for the image. I have not taken the time to try to understand all the relationships between the services and the data objects, but I -think- that everything you need is in those two manuals. It won't necessarily be easy to put all the info together to understand it, though. Searching SB10-7030 for the string activation profile should prove helpful.

-- Walt

Re: BCPII and activation profile
On Mon, 17 Dec 2012 10:16:06 -0800, Skip Robinson jo.skip.robin...@sce.com wrote:

As for the need to check SAF: if HMC provided full granularity of access control, we wouldn't even need BCPii. We could just let all Tech Support folks get to HMC and let him enforce the rules: allow Tech Support staff (nearly!) full control over sandbox LPARs by name and pretty much no control over other LPARs. We can write our own BCPii code to achieve that goal provided that activation profiles are visible and settable. As an aside, we don't need to modify profiles, only to select the appropriate profile at IPL.

It's my impression, Skip, that BCPii has greater security granularity than HMC has. But I have not made a detailed study of it.

-- Walt

Re: BPXWDYN missing dynalloc key.
On Mon, 10 Dec 2012 12:04:00 -0600, McKown, John john.mck...@healthmarkets.com wrote:

I double checked and SVC 99 has two keys, DALEXPDT DALEXPDL, to assign expiration dates. It would be very helpful to me if BPXWDYN could use these as well because I want the equivalent of EXPDT=99000 for CA-1 to do catalog control on tapes which I create using BPXWDYN. Well, I'm actually using Dovetailed Technologies' Co:Z Data Set Pipes' todsn command to create tapes from UNIX files in interactive shell scripts (not JCL). fromdsn must use BPXWDYN because it accepts its parameters via a -x switch. Have I missed something in the documentation?

Given that it's BPX... wouldn't the MVS-OE mailing list be likely to get you closer to the developer at IBM?

-- Walt

Re: Storage Obtained By an SRB
On Mon, 10 Dec 2012 01:33:00 -0500, micheal butz michealb...@optonline.net wrote:

SRB's are documented in Chapter 9 of The Authorized Assembler Guide I did a search using keyword subpool and came up with no hits for chapter 9 search on keyword storage yielded 3 hits for chapter 9 none of which were relevant

But as your question was about STORAGE OBTAIN, the place you should have looked was in the Authorized Assembler Reference, at the macro description itself. Part of being a good z/OS programmer (especially in authorized code) is learning which manual to look at.

-- Walt

Re: Common Data Space Basics
On Mon, 10 Dec 2012 10:30:11 -0600, Donald Likens dlik...@infosecinc.com wrote:

My memory objects are much smaller than 1M and I do not want to do my own storage management (breaking up the megabyte of storage).

How were you planning on handling storage management within the data space you propose creating?

-- Walt

Re: RACF Class PROGRAM
On Fri, 7 Dec 2012 16:05:10 +0100, R.S. r.skoru...@bremultibank.com.pl wrote:

In general you are 100% right. However many people use PROGRAM class only to fulfill requirements of TCPIP setup and other stuff. In this case they define CL(PROGRAM) ** profile and several IBM-z/OS-provided libraries in ADDMEM. In such case BASIC-ENHANCED security has no special meaning, has it? (And for clarity I omitted IRRDPI and few other programs which should be excluded from UACC(R))

There's a reason those TCP/IP programs (or the UNIX functions they invoke) require a program-controlled environment, Radoslaw. If any of those programs or functions can be invoked by a normal user, and will work if they're invoked in a clean program-controlled environment, then you should be running in enhanced program-control mode to ensure that the user can't attack them and cause them to do things that are unintended.

In some ways, a clean program-controlled environment is like running APF-authorized. And in some ways, running with enhanced program-control mode rather than basic is like providing proper access control to control who can update your APF-authorized libraries.

I honestly do not know whether, in the situation you hypothesized, you are exposed to attacks if you run in basic rather than enhanced mode. But why take the chance? Enhanced protects you from some attacks that basic allows. It's simpler to implement enhanced mode than to try to figure out what the attacks are, and whether they'll work in your situation if you remain in basic mode.

-- Walt

Re: RACF Class PROGRAM
On Fri, 7 Dec 2012 13:46:22 +0100, ibmmain nitz-...@gmx.net wrote:

thanks for the confirmation. But: I have no clue how to run an experiment on this. I guess I'll be keeping what's left in the program class. (The * profile with certain data sets that I have shown).

The experiment is simple, and harmless, Barbara.

(1) Create a new program, perhaps simply copy IEFBR14 into SYS1.LINKLIB (or a library of your choice that you have listed in PROGRAM *) under a new name, say BARBTST
(2) Define a PROGRAM profile for BARBTST, specifying that library in the ADDMEM, and UACC(NONE).
(3) RLIST that profile and make sure there's no one in the access list.
(4) SETR WHEN(PROGRAM) REFRESH
(5) See if a random user can run that program. If the specific profile wins, the user can't. If the * profile wins, the user can.

Delete the program, and the PROGRAM profile you created when you're done. SETR WHEN(PROGRAM) REFRESH again.

It's actually a pity that IBM is incapable of implementing the 'good stuff' (in this case enhanced program mode) in the things IBM delivers themselves.

I agree. Perhaps you should open a problem ticket with the group that supplies ADCD, or submit an enhancement request. It's possible they're not aware of the issue.

-- Walt

Re: RACF Class PROGRAM
On Fri, 7 Dec 2012 08:20:28 +0100, R.S. r.skoru...@bremultibank.com.pl wrote:

BTW: IMHO BASIC mode is quite good mode, you don't have to move to ENHANCED mode just because such mode exists.

Sorry, Radoslaw, but even though I'm not an IBMer any more, I have to disagree with you. As the designer of the enhanced program security mode (and one of the developers/designers of the older basic mode), I'll agree that basic mode is good, but it has flaws that make it subject to attacks that can subvert the security of your system. Enhanced mode is not subject to those attacks. Every RACF shop that has program security enabled should be using enhanced mode, and we wouldn't have invested all the time and money in developing it (and in developing a smooth migration path to it) if we hadn't thought it was important. (Though, I suppose if you have 100% trust in all your users who can logon to TSO or run batch jobs it might not be as important.)

-- Walt

Re: RACF Class PROGRAM
On Fri, 7 Dec 2012 12:08:32 +0100, ibmmain nitz-...@gmx.net wrote:

RACF uses the best match principle. If it can't find a matching profile/member, it will move on to profiles with wildcards: So, for example, it will move from profile XYZ to XY* to X* to *. If no match is found, a default return code for PROGRAM is used.

Well, the RACF admin guide (chapter 9.2.1 Simple program protection in BASIC or ENHANCED mode) states: If you have two PROGRAM profiles named ABC* and ABC, and both profiles specify the name of the library where the ABC program resides, RACF uses the ABC* profile for authorization checking of program ABC, not the ABC profile. From this I inferred that * would be used instead of the specific name. (By the way, all those specific names are long gone from sys1.linklib, so they could have been cleaned up ages ago.)

I believe that is an incorrect inference, Barbara. As I remember, that documentation is specific to the case it describes, having an exactly matching name (ABC) and that same exactly matching name but extended by the * (ABC*). For the case of ABC and * RACF should still use ABC if the library specification is appropriate. Of course, you can easily confirm that by using some unimportant program and running the experiment to see.

-- Walt

Re: IKJ56500I COMMAND BURN NOT FOUND/ Which loadlib should command processor be located in
On Sun, 21 Oct 2012 09:19:48 -0400, micheal butz michealb...@optonline.net wrote:

TSOLIB activate myloadlb I remember once debugging ISPF programs the way I showed you in the example TESTAUTH 'LOADLIB(ISPF)' CP then Load myloadlib(commandprocessor) set breakpoints on commandprocessor type GO get into ispf however the TSOLIB doesn't seem to work when running ISPF under TESTAUTH

Have you made sure that the library containing your command processor is an APF-authorized library?

-- Walt

Re: 047 in TSO command processor
On Sun, 30 Sep 2012 00:43:21 -0400, micheal butz michealb...@optonline.net wrote:

Hi, I am running a TSO command processor which needs to be APF authorized The load library is in PROG00 marked as APF authorized The command name is both in AUTHPGM and AUTHNAMES in IKJTSO00 I know that both PROG00 and IKJTSO00 are the active members however I still get a 047

If you invoke it as a command you need it in the AUTHCMD stanza in IKJTSOxx, not AUTHPGM. I have never heard of AUTHNAMES. Perhaps you need to issue the TSO command PARMLIB LIST(AUTHCMD) to make sure you have it specified properly. And if you're still having problems, you might show us the AUTHCMD section of your parmlib member.

-- Walt

Re: ADDRESS LINKMVS - +IRX0250E System abend code 047, reason code 00000000
On Wed, 5 Sep 2012 01:05:26 -0500, Paul Gilmartin paulgboul...@aim.com wrote:

On Wed, 5 Sep 2012 00:25:32 -0500, Kenneth J. Kripke wrote:

DATA AT PSW 0001CE48 - 58101000 0A6B5023

Data shows a MODESET SVC which does require authorization. Check the AUTHPGM specifications in IKJTSOxx in SYS1.PARMLIB Probably need an entry there for IEHPROGM.

Is LINKMVS (see Subject:) affected by AUTHPGM specifications in IKJTSOxx in SYS1.PARMLIB?

No, it's not.

-- Walt

Re: zFS auditfid support
On Mon, 20 Aug 2012 13:53:01 -0700, retired mainframer retired-mainfra...@q.com wrote:

Both MXG (which requires SAS) and RACFICE (from SAMPLIB) provide the capability to adjust the selection criteria to anything you wish. But this assumes the data of interest is actually recorded. I found references to auditid in the BPXYATTR and BPXYSTAT macros. I could not find any reference in the SMF type 80 record description.

I -think- it would be extended relocate section #264 (x'108'), listed in the RACF documentation for the type 80 record as File Identifier (16 bytes, binary), and in the IRRADU00 output as the File ID (e.g., FACC_FILE_ID, 32 bytes character in the check file access record extension). I have no way to check that, but a question on RACF-L might get a response from a developer or Level 2. Or someone with access to SMF records and especially an ICH408I containing the audit ID should be able to confirm it.

-- Walt

Re: Authorized Rexx Assembler Function
On Tue, 24 Jul 2012 10:51:33 -0500, McKown, John john.mck...@healthmarkets.com wrote:

Also, remember that we are talking about TSO. An archaic piece of software, which IBM has just seemingly lost interest in. Imagine what could be done if the non-APF user code ran in a subspace, like CICS uses.

Subspaces (as currently architected by the hardware) would not help if your goal is system integrity, John. Even in CICS subspace mode only helps protect against -accidental- storage overlays. While you can start some code running in a subspace, nothing stops it from switching out of subspace mode, at which time it has full access to the entire address space.

-- Walt

Re: IGGCSI to retrieve tape volume serial
On Mon, 23 Jul 2012 08:41:57 -0500, Victor Zhang victor_wor...@yahoo.com.cn wrote:

Can I interpret this to get non-vsam used or allocated size?

DSCBTTR TTR of format-1 DSCB for non-VSAM data set

No. IGGCSI00 simply returns information from the catalog. DSCBs are in the VTOC, not the catalog.

-- Walt

Re: RACF question
On Sat, 7 Jul 2012 16:49:13 -0400, Scott Ford scott_j_f...@yahoo.com wrote:

Joel, Here's the exact error:

11.51.03 STC00472 CSV025I PROGRAM CONTROLLED MODULE ADDUSER NOT ACCESSED, USE
11.51.03 STC00472 IEF196I CSV025I PROGRAM CONTROLLED MODULE ADDUSER NOT ACCES
11.51.03 STC00472 IEF196I UNAUTHORIZED
11.51.03 STC00472 CSV028I ABEND306-30 JOBNAME=RACF STEPNAME=RACF
11.51.03 STC00472 IEF196I CSV028I ABEND306-30 JOBNAME=RACF STEPNAME=RACF

That should indicate that they have not given the RACF subsystem address space access to whatever PROGRAM profile they have defined to control use of ADDUSER. And that they are not running the subsystem TRUSTED, which is always a good idea for recovery and availability purposes.

Note that they should not use program control for ADDUSER, as there are adequate other controls in place, so they may have an overly broad PROGRAM generic, such as PROGRAM *, with an overly restrictive access list. It should have UACC(READ) or at a minimum ID(*) ACCESS(READ). That should be true, imho, even if they have hardened their system. And anyone who decides to harden a system certainly should have kept documentation about what they did, and why, with a good rationale for all the protections they've applied.

-- Walt

Re: Searching for a cross=reference list of manuals ...
On Thu, 5 Jul 2012 08:18:11 -0700, Mark Yuhas mark.yu...@paccar.com wrote:

Prior to Windows 7, the VIEW tab had a detail setting that would display the title. Windows 7 doesn't work that way for me.

Have you made sure that in Windows Explorer, View-Show Details, that you have selected the Title detail? It was not selected by default on my system.

-- Walt

Re: SMF Type 80 relocation section detail mapping macro
On Thu, 28 Jun 2012 05:44:37 -0500, Donald Likens dlik...@infosecinc.com wrote:

I've been looking through the books but have not found a detail mapping macro for the RACF SMF type 80 relocation sections. I'll keep looking but in the mean time, does anyone know what and where they are? Note: I have the standard mapping macro no problem.

The best place to ask is probably on the RACF-L mailing list, not IBM-MAIN, Donald.

-- Walt

Re: Calling idcams
On Wed, 20 Jun 2012 10:46:43 -0400, Scott Ford scott_j_f...@yahoo.com wrote:

I am in the process of wanting to call idcams, principally, a define and delete alias function in Assembler. I have looked at IGGCSI00 and various examples, it doesn't appear I can use IGGCSI00 for this purpose. Can someone point the correct direction?

Just FYI, I'm pretty sure that to call IDCAMS to delete an alias your program will need to run authorized.

-- Walt

Re: Calling idcams
On Wed, 20 Jun 2012 09:58:58 -0500, McKown, John john.mck...@healthmarkets.com wrote:

Another possibility (not sure) is to set up a TSO environment in your code using IKJTSOEV and then invoking a REXX program to issue the TSO commands. I don't know if this will work. And, IMO, it is inelegant.

I don't think that will work, John, because he wants to delete aliases, and in my experience DELETE needs to run APF-authorized to do that. And address TSO from REXX can not run APF-authorized commands in an environment setup by IKJTSOEV.

Besides, it's inelegant :)

-- Walt