Re: APF authorization and JOBLIB DD card
>Would integrity be compromised somehow more by (from >my simplistic thinking) if I have a non-APF member in >JOBLIB/STEPLIB and the system fails the job with a S306 >than it would be compromised by bypassing the non-APF module >and loading and executing the same-named module from APF/LNKLST? You are correct that that that implementation would not compromise the integrity (specifically the "integrity" that relates to security) but would compromise the integrity (the "integrity" that is used in a more general term as to correct operation). It would mean that, in general, the system when authorized could not reliably use link or load or attach in a user-submitted job - it might abend. Peter Relson z/OS Core Technology Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
> You mention below that the way MVS loads APF modules (bypassing an > unauthorized JOBLIB/STEPLIB module to load the same-named module > from an APF library in the LNKLST) is needed for system integrity. > Would integrity be compromised somehow more by (from my simplistic > thinking) if I have a non-APF member in JOBLIB/STEPLIB and the > system fails the job with a S306 than it would be compromised by > bypassing the non-APF module and loading and executing the same- > named module from APF/LNKLST? Integrity would be compromised if the system loaded an untrusted module which could be executed while running in an authorized state (in your case with EXEC PGM=IDCAMS, an APF-authorized job step). To prevent this situation, for requests made while running in an authorized state, the system loads modules only from trusted sources (APF authorized sources). The system bypasses modules from untrusted (unauthorized) sources. If the system finds a copy of the module in a trusted source, then it uses it, and there is no S306 abend. In your case, I am guessing that the search was limited to a single source (your STEPLIB DCB) because the requestor specified LSEARCH=YES with DCB=the steplib DCB. So LNKLST was not searched. If LSEARCH=YES had not been specified, the system would have continued on to search the LNKLST, found the requested module, and used it, with no S306 abend. This could be verified, and the requestor could be determined, from a dump of the S306 abend. Jim Mulder z/OS System Test IBM Corp. Poughkeepsie, NY -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
On Mon, 23 Dec 2013 16:22:56 -0500, Robert A. Rosenberg wrote: > >If you REALLY want to fall back to JOBLIB if you do not find the >module in STEPLIB, you can just add the libraries that are in JOBLIB >but not in STEPLIB to the end of the STEPLIB concatenation. Changing >the search order to not fall-back from STEPLIB to JOBLIB at this time >is not IMO viable (even if this was made optional via a PARMLIB >setting). > Viable or not, if it were done it should be done as a JOBPARM setting, not PARMLIB. Let the programmer, not the sysadmin, make the choice. Too often IBM chooses "one size fits all" with scope of system rather than job. Celebrate diversity, gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
At 20:05 + on 12/23/2013, DASDBILL2 wrote about Re: APF authorization and JOBLIB DD card: I suspect that using the STEPLIB or JOBLIB mutually exclusively within one step was influenced heavily by the cost of "core" way back when the TCB and the initiator were being designed, maximum machine memory sizes were MUCH smaller than today, CPU cycle time was much longer, etc. Many other design decisions were forced by those constraints, also. Bill Fairchild Franklin, TN If you REALLY want to fall back to JOBLIB if you do not find the module in STEPLIB, you can just add the libraries that are in JOBLIB but not in STEPLIB to the end of the STEPLIB concatenation. Changing the search order to not fall-back from STEPLIB to JOBLIB at this time is not IMO viable (even if this was made optional via a PARMLIB setting). -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
I suspect that using the STEPLIB or JOBLIB mutually exclusively within one step was influenced heavily by the cost of "core" way back when the TCB and the initiator were being designed, maximum machine memory sizes were MUCH smaller than today, CPU cycle time was much longer, etc. Many other design decisions were forced by those constraints, also. Bill Fairchild Franklin, TN - Original Message - From: "Rex Pommier" To: IBM-MAIN@LISTSERV.UA.EDU Sent: Monday, December 23, 2013 1:50:52 PM Subject: Re: APF authorization and JOBLIB DD card Peter, I'm asking this follow-up question, not to be confrontational, but because I would really like to know... You mention below that the way MVS loads APF modules (bypassing an unauthorized JOBLIB/STEPLIB module to load the same-named module from an APF library in the LNKLST) is needed for system integrity. Would integrity be compromised somehow more by (from my simplistic thinking) if I have a non-APF member in JOBLIB/STEPLIB and the system fails the job with a S306 than it would be compromised by bypassing the non-APF module and loading and executing the same-named module from APF/LNKLST? And to answer (from my own perspective) your question repeated here: "Just curious: how many people are not aware that the STEPLIB/JOBLIB (and TASKLIB) is represented solely by the TCBJLB address?" I knew it is either/or, not both/and, but hadn't had the reason behind the either/or explained to me before, so I thank you for that info. Rex -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Peter Relson Sent: Saturday, December 21, 2013 10:28 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card With respect to the statement with respect to ignoring unauthorized steplib aside from the 306 abend: >That behavior, as you discovered, is more confusing than useful. That erroneous statement has been debunked before. It might be confusing. But it is more than useful. It is necessary for system integrity. Peter Relson z/OS Core Technology Design The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
Jim, Obviously I don't have access to their source code, so I can't answer your question. I do appreciate the patient responses you gave to my questions and the help you (and others) gave me while I was trying to figure this one out. Rex -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jim Mulder Sent: Friday, December 20, 2013 2:43 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card > I stand 'slightly' corrected. Module SS14RC02 isn't in a LNKLST > library, it is in the LPA. Module SS14A32 is in the LNKLST and > that's the module my job abended on in my second attempt. > > I just got off the phone with SyncSort support and worked through > the issue. While it doesn't explain why I would sometimes get the > 306 and sometimes get a good run, I now know that I need to have my > SyncSort library APF authorized to run in my environment. Since you have an "authorized library" copy of SS14RC02 in LPA, and an "authorized library" (via LNKAUTH=LNKLST) copy of SS14A32 in the LNKLST, the only we can see that a 306-C could occur is if LSEARCH=YES is specified on the macro (LOAD, LINK, etc). I don't know why the issuer of the macro (presumably Syncsort) would be wanting to do that. Jim Mulder z/OS System Test IBM Corp. Poughkeepsie, NY -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
Peter, I'm asking this follow-up question, not to be confrontational, but because I would really like to know... You mention below that the way MVS loads APF modules (bypassing an unauthorized JOBLIB/STEPLIB module to load the same-named module from an APF library in the LNKLST) is needed for system integrity. Would integrity be compromised somehow more by (from my simplistic thinking) if I have a non-APF member in JOBLIB/STEPLIB and the system fails the job with a S306 than it would be compromised by bypassing the non-APF module and loading and executing the same-named module from APF/LNKLST? And to answer (from my own perspective) your question repeated here: "Just curious: how many people are not aware that the STEPLIB/JOBLIB (and TASKLIB) is represented solely by the TCBJLB address?" I knew it is either/or, not both/and, but hadn't had the reason behind the either/or explained to me before, so I thank you for that info. Rex -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Peter Relson Sent: Saturday, December 21, 2013 10:28 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card With respect to the statement with respect to ignoring unauthorized steplib aside from the 306 abend: >That behavior, as you discovered, is more confusing than useful. That erroneous statement has been debunked before. It might be confusing. But it is more than useful. It is necessary for system integrity. Peter Relson z/OS Core Technology Design The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
On Fri, 20 Dec 2013 12:29:52 -0500, Jim Mulder wrote: >> ... > That is correct, and that's why I suggested that a dump may be >useful. We would also like to see the results from the >following commands: > >SETPROG LNKLST,TEST,NAME=CURRENT,MOD=SS14RC02 > >D PROG,LNK > Most useful here would be an enhancement to the text of the CSV019I message to show not only the module name but also the DDNAME, catenation ordinal, and DSNAME, often sparing the customer and IBM support reading of dumps and display output. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
Does RMODE=ANY really provide useful information about where to find a copy of a load module or program object that has been brought into storage? I think not. I do of course concede, if that is the right word, that RMODE=24 is more helpful. John Gilmore, Ashland, MA 01721 - USA -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
> >The directory is located on DASD with the data set, and is updated >whenever the module is changed. The directory entry contains >information about the module and where it is located in storage. > >which is at best misleading. The data-set directory contains no >information about where in virtual or real storage any copy of a >member may have been loaded and no indicator that it is currently >resident. The phrase 'in storage' should replaced by 'in the data >set'. I disagree. The "where" refers to "allowed to be above 16M", "must be below 16M" >And RMODE is a rough suggestion about where the module *should* >be located in main storage. But is that in the directory entry? I disagree. RMODE is a firm definition of where the module is allowed to be located. Yes, it is in the directory entry. >So perhaps the intent is not that the JOBLIB is ignored. But that searching >stops if the module is found in the STEPLIB Just curious: how many people are not aware that the STEPLIB/JOBLIB (and TASKLIB) is represented solely by the TCBJLB address? A given task can have only one. Thus, due to the implementation (which for all I know goes back to the dawn of time, as it were), it is not possible to search both steplib and joblib for a given jobstep. And the jobstep program task can have no other tasklib (which is fine because the system does the attach of the jobstep program task specifying the proper thing via the TASKLIB parameter which results in setting TCBJLB appropriately). Thus it is effectively true that if steplib and joblib exist for a given step, joblib is ignored. With respect to the statement with respect to ignoring unauthorized steplib aside from the 306 abend: >That behavior, as you discovered, is more confusing than useful. That erroneous statement has been debunked before. It might be confusing. But it is more than useful. It is necessary for system integrity. >The way I'm reading your explanation below, if I have >program ABCDE that needs to run APF authorized, and it >is sitting both in the LNKLST and in an unauthorized JOBLIB/STEPLIB, >the system will skip loading the unauthorized module from >STEPLIB and load the authorized version from LNKLST? Very close. Fully correct would be "if the program needs to be fetched from an authorized concatenation because the requestor is authorized". Then "yes". Only the program, not the system, needs to know if the program does need to run APF authorized. >If I have a STEPLIB and a JOBLIB and the module I need is only in the >JOBLIB, would not the step with the STEPLIB looking for that module fail? Correct. Peter Relson z/OS Core Technology Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
I started as a JCL-Jockey in 1981. This APF stuff seemed straight-forward back then. Why is it difficult for seasoned types 32 years later? - Ted MacNEIL eamacn...@yahoo.ca Twitter: @TedMacNEIL -Original Message- From: Jim Mulder Sender: IBM Mainframe Discussion List Date: Fri, 20 Dec 2013 15:43:07 To: Reply-To: IBM Mainframe Discussion List Subject: Re: APF authorization and JOBLIB DD card > I stand 'slightly' corrected. Module SS14RC02 isn't in a LNKLST > library, it is in the LPA. Module SS14A32 is in the LNKLST and > that's the module my job abended on in my second attempt. > > I just got off the phone with SyncSort support and worked through > the issue. While it doesn't explain why I would sometimes get the > 306 and sometimes get a good run, I now know that I need to have my > SyncSort library APF authorized to run in my environment. Since you have an "authorized library" copy of SS14RC02 in LPA, and an "authorized library" (via LNKAUTH=LNKLST) copy of SS14A32 in the LNKLST, the only we can see that a 306-C could occur is if LSEARCH=YES is specified on the macro (LOAD, LINK, etc). I don't know why the issuer of the macro (presumably Syncsort) would be wanting to do that. Jim Mulder z/OS System Test IBM Corp. Poughkeepsie, NY -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
> I stand 'slightly' corrected. Module SS14RC02 isn't in a LNKLST > library, it is in the LPA. Module SS14A32 is in the LNKLST and > that's the module my job abended on in my second attempt. > > I just got off the phone with SyncSort support and worked through > the issue. While it doesn't explain why I would sometimes get the > 306 and sometimes get a good run, I now know that I need to have my > SyncSort library APF authorized to run in my environment. Since you have an "authorized library" copy of SS14RC02 in LPA, and an "authorized library" (via LNKAUTH=LNKLST) copy of SS14A32 in the LNKLST, the only we can see that a 306-C could occur is if LSEARCH=YES is specified on the macro (LOAD, LINK, etc). I don't know why the issuer of the macro (presumably Syncsort) would be wanting to do that. Jim Mulder z/OS System Test IBM Corp. Poughkeepsie, NY -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
Jim, I stand 'slightly' corrected. Module SS14RC02 isn't in a LNKLST library, it is in the LPA. Module SS14A32 is in the LNKLST and that's the module my job abended on in my second attempt. I just got off the phone with SyncSort support and worked through the issue. While it doesn't explain why I would sometimes get the 306 and sometimes get a good run, I now know that I need to have my SyncSort library APF authorized to run in my environment. Rex -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jim Mulder Sent: Friday, December 20, 2013 11:30 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card > The way I'm reading your explanation below, if I have program ABCDE > that needs to run APF authorized, and it is sitting both in the > LNKLST and in an unauthorized JOBLIB/STEPLIB, the system will skip > loading the unauthorized module from STEPLIB and load the authorized > version from LNKLST? That is correct, and that's why I suggested that a dump may be useful. We would also like to see the results from the following commands: SETPROG LNKLST,TEST,NAME=CURRENT,MOD=SS14RC02 SETPROG LNKLST,TEST,NAME=CURRENT,MOD=SS14RC02 CSV503I MODULE SS14RC02 COULD NOT BE LOCATED USING LNKLST SET CURRENT SETPROG LNKLST,TEST,NAME=CURRENT,MOD=SS14A32 CSV502I MODULE SS14A32 WAS LOCATED 673 IN DATA SET SYS1.SFG1B.SYNCSORT.R14.SYNCLINK USING LNKLST SET CURRENT D PROG,LNK D PROG,LNK CSV470I 11.58.29 LNKLST DISPLAY 724 LNKLST SET LNKLST00 LNKAUTH=LNKLST ENTRY APF VOLUME DSNAME 1A Z1BR9A SYS1.LINKLIB 2A Z1BR9A SYS1.MIGLIB 3A Z1BR9A SYS1.CSSLIB 4A Z1BR9A SYS1.SIEALNKE 5A Z1BR9A SYS1.SIEAMIGE 6Z1BMSI SYS1.SFG1B.SYNCSORT.R14.SYNCLINK 7A Z1BR9A CEE.SCEERUN2 8A Z1BR9A CEE.SCEERUN 9A Z1BCAT CPAC.LINKLIB 10A Z1BCAT CPAC.VTAMLIB 11Z1BR9A SYS1.SICELINK 12A Z1BR9A TCPIP.SEZALOAD 13A Z1BR9A CSF.SCSFMOD0 14A Z1BR9A SCRIPT.R40.DCFLOAD 15A Z1BR9A SYS1.SHASLNKE 16Z1BR9A GIM.SGIMLMD0 17A Z1BR9A SYS1.CMDLIB 18A Z1BR9A SYS1.SIOALMOD 19A Z1BR9A SYS1.SHASMIG 20A Z1BR9A CBC.SCLBDLL 21A Z1BR9A SYS1.SBDTLIB 22A Z1BR9A ASM.SASMMOD1 23Z1BR9A EOX.SEPHLOD1 24A Z1BR9A CBC.SCLBDLL2 25A Z1BR9A SYS1.DFQLLIB 26A Z1BR9B IGY.SIGYCOMP 27A Z1BR9A FFST.V120ESA.SEPWMOD2 28A Z1BR9A SYS1.SBDTLINK 29A Z1BR9A REXX.SEAGALT 30A Z1BR9A SYS1.SBDTCMD 31Z1BR9B IXM.SIXMLOD1 32A Z1BR9A IOE.SIOELMOD 33A Z1BR9A SYS1.SCUNIMG 34Z1BR9A EUV.SEUVLINK 35A Z1BR9A SYS1.NFSLIBE 36Z1BR9A SYS1.SCBDHENU 37Z1BR9A GDDM.SADMMOD 38A Z1BR9A SYS1.DGTLLIB 39Z1BR9A FFST.V120ESA.SEPWMOD4 40A Z1BR9A ISP.SISPLOAD 41Z1BR9A EOY.SEOYLOAD Jim Mulder z/OS System Test IBM Corp. Poughkeepsie, NY -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
> The way I'm reading your explanation below, if I have program ABCDE > that needs to run APF authorized, and it is sitting both in the > LNKLST and in an unauthorized JOBLIB/STEPLIB, the system will skip > loading the unauthorized module from STEPLIB and load the authorized > version from LNKLST? That is correct, and that's why I suggested that a dump may be useful. We would also like to see the results from the following commands: SETPROG LNKLST,TEST,NAME=CURRENT,MOD=SS14RC02 D PROG,LNK Jim Mulder z/OS System Test IBM Corp. Poughkeepsie, NY -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
Peter, The way I'm reading your explanation below, if I have program ABCDE that needs to run APF authorized, and it is sitting both in the LNKLST and in an unauthorized JOBLIB/STEPLIB, the system will skip loading the unauthorized module from STEPLIB and load the authorized version from LNKLST? Rex -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Peter Relson Sent: Friday, December 20, 2013 9:23 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card >Job 5: RC=0 It is extremely unlikely that syncsort does anything funky. The odds are really good that this job, for whatever reason, results in no fetches that are satisfied only from joblib/steplib. Does it matter, for the purpose of this discussion, that if the module exists both in (unauthorized) joblib/steplib and the lnklst, the fetch will succeed? For LNKAUTH=LNKLST, the only time you get the 306 is when the module exists only in an unauthorized concatenation. Peter Relson z/OS Core Technology Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
Your RCF? Yes. To the contention that RMODE is something of an indicator of [loaded] location in virtual storage my response would be that it is a quondam indicator, but that providing support for the the value RMODE=ANY emptied it of any such indicative content. About JOBLIB and STEPLIB usage EJ's point is of course the conclusive one. A single pointer may be nul or point to one of two libraries. It cannot point to both. This implicit EXOR scheme is what we have; the question whether it is a good one is more complicated. I would not have painted myself into a corner in this way. A pair of pointers, even if one of them were currently always null, would have been a better choice. John Gilmore, Ashland, MA 01721 - USA -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
On 12/20/2013 8:00 AM, Paul Gilmartin wrote: On Fri, 20 Dec 2013 07:51:12 -0800, Ed Jaffe wrote: I used to erroneously believe CSV would abend306 immediately when it found an unauthorized (spoofed?) copy, and years later discovered (the "hard" way - surely my fault for not reading the book carefully enough) that it simply ignores them until the module search is complete. If an unauthorized copy was found: 306; otherwise: 806. I remember trying to use a temporary STEPLIB to fix a problem and the problem was not fixed. Agonized over it for quite some with dumps, debug sessions, etc. until I finally understood what was going on. The STEPLIB was not authorized. Duh! That behavior, as you discovered, is more confusing than useful. It's useful from the system's perspective. Otherwise, "pranksters" could deliberately introduce unexpected S306 abends at highly inopportune moments simply by copying IEFBR14, with various strategically-chosen module names, into their own, someone else's, or a shared load library. IMHO, the current processing maintains better system integrity by not introducing "surprise" (aka "untested") abends into existing authorized module flow. -- Edward E Jaffe Phoenix Software International, Inc 831 Parkview Drive North El Segundo, CA 90245 http://www.phoenixsoftware.com/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
On Fri, 20 Dec 2013 07:51:12 -0800, Ed Jaffe wrote: > >I used to erroneously believe CSV would abend306 immediately when it >found an unauthorized (spoofed?) copy, and years later discovered (the >"hard" way - surely my fault for not reading the book carefully enough) >that it simply ignores them until the module search is complete. If an >unauthorized copy was found: 306; otherwise: 806. > >I remember trying to use a temporary STEPLIB to fix a problem and the >problem was not fixed. Agonized over it for quite some with dumps, debug >sessions, etc. until I finally understood what was going on. The STEPLIB >was not authorized. Duh! > That behavior, as you discovered, is more confusing than useful. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
On 12/20/2013 7:22 AM, Peter Relson wrote: Does it matter, for the purpose of this discussion, that if the module exists both in (unauthorized) joblib/steplib and the lnklst, the fetch will succeed? For LNKAUTH=LNKLST, the only time you get the 306 is when the module exists only in an unauthorized concatenation. I used to erroneously believe CSV would abend306 immediately when it found an unauthorized (spoofed?) copy, and years later discovered (the "hard" way - surely my fault for not reading the book carefully enough) that it simply ignores them until the module search is complete. If an unauthorized copy was found: 306; otherwise: 806. I remember trying to use a temporary STEPLIB to fix a problem and the problem was not fixed. Agonized over it for quite some with dumps, debug sessions, etc. until I finally understood what was going on. The STEPLIB was not authorized. Duh! -- Edward E Jaffe Phoenix Software International, Inc 831 Parkview Drive North El Segundo, CA 90245 http://www.phoenixsoftware.com/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
>OIDEBFLGS1,DEBAPFIN TURN ON APF LIBRARY BIT If you have enough control over your system not to have to worry about this blatant system integrity exposure, then why would you not just make the data set APF authorized? >ADRNAPF Regarding ADNAPF(64), yes they exist. And if you don't know exactly what you are doing you will almost certainly be introducing a system integrity exposure. To a large extent, they are intended for loading (non-executable) data. >Job 5: RC=0 It is extremely unlikely that syncsort does anything funky. The odds are really good that this job, for whatever reason, results in no fetches that are satisfied only from joblib/steplib. Does it matter, for the purpose of this discussion, that if the module exists both in (unauthorized) joblib/steplib and the lnklst, the fetch will succeed? For LNKAUTH=LNKLST, the only time you get the 306 is when the module exists only in an unauthorized concatenation. Peter Relson z/OS Core Technology Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
On 12/20/2013 6:28 AM, Lizette Koehler wrote: I was always told STEPLIB then JOBLIB without any qualifications. This was discussed in another thread just last month. TCBJLB contains zero or points to an open DCB for either JOBLIB or STEPLIB -- not both. -- Edward E Jaffe Phoenix Software International, Inc 831 Parkview Drive North El Segundo, CA 90245 http://www.phoenixsoftware.com/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
I just ran a test, and if a STEPLIB is present JOBLIB is definitely ignored. This works: //XYZ002 JOB 'BILL SKELDUM',MSGCLASS=H,CLASS=A,NOTIFY=&SYSUID //JOBLIB DDDISP=SHR,DSN=XYZ.LOADLIB //STEP1 EXEC PGM=HELLO This gets an 806 abend: //wyz002 JOB 'BILL SKELDUM',MSGCLASS=H,CLASS=A,NOTIFY=&SYSUID //JOBLIB DDDISP=SHR,DSN=XYZ.LOADLIB //STEP1 EXEC PGM=HELLO //STEPLIB DDDISP=SHR,DSN=SYSX.LPAR.LOADLIB The HELLO module resides in XYZ.LOADLIB. Bill Skeldum -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Lizette Koehler Sent: Friday, December 20, 2013 7:51 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card And the other question is If I have a STEPLIB and a JOBLIB and the module I need is only in the JOBLIB, would not the step with the STEPLIB looking for that module fail? //JOBLIB DD DSN=MYLOAD.LIB,DISP=SHR Module XYZ resides here //S1 EXEC PGM=XYZ //STEPLIB DD DISP=SHR,DSN=APPL.LIB Module XYZ does not exist in this library Would not S1 then abend with a S806 due to the JOBLIB being ignored? My understanding has been that if you code a JOBLIB any module not found in the STEPLIB would then search the JOBLIB and hopefully not fail. This would also allow for testing a new version without having to alter JCL by swapping load libraries on JOBLIB and STEPLIB. I could have the production version of the module in JOBLIB and a testing version in the STEPLIB. If it is bad, I delete the version in STEPLIB and the job will find it in the JOBLIB. That as soon as the module was found, then no more searching no matter where it was found. So if it is in the STEPLIB, then searching stops If it is found in the JOBLIB then searching stops If it is found in the JPA, then searching stops. So perhaps the intent is not that the JOBLIB is ignored. But that searching stops if the module is found in the STEPLIB Lizette > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] > On Behalf Of John Gilmore > Sent: Friday, December 20, 2013 7:34 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: APF authorization and JOBLIB DD card > > The last time I looked at the text Lizette quotes was a long time ago, > and its current > version contains the subtext > > > The directory is located on DASD with the data set, and is updated whenever the > module is changed. The directory entry contains information about the module and > where it is located in storage. > > > which is at best misleading. The data-set directory contains no information about > where in virtual or real storage any copy of a member may have been > loaded and > no indicator that it is currently resident. The phrase 'in storage' should replaced by > 'in the data set'. > > John Gilmore, Ashland, MA 01721 - USA -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN The information contained in this electronic communication and any document attached hereto or transmitted herewith is confidential and intended for the exclusive use of the individual or entity named above. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that any examination, use, dissemination, distribution or copying of this communication or any part thereof is strictly prohibited. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy this communication. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
On Fri, 20 Dec 2013 00:38:57 -0600, Elardus Engelbrecht wrote: >Pommier, Rex wrote: > >>Since I'm the OP, here is the detail of what has me so confused. [ ... >>snipped ... ] > >I'm also confused, but before you follow Jim Mulder's recommendation, could >you perhaps reread in 'MVS Initialization and Tuning Guide' these two parts: > >'Placing Modules in the System's Search Order for Programs' and 'The Search >Order the System uses for Programs ' > >I know above is about Linklist, not APF, but I suspect that you have a wrong >set (or combination) of modules. > DDLIST can be your friend here. ALLOCATE (to some other DDNAME) the data sets in your STEPLB and JOBLIB concatenation, and on the DDLIST command line type "MEMBER SS14RC02", where SS14RC02 is as named in the CSV019I message. Note what is reported. (DDLIST is sometimes not your friend. If a library is a mixed concatenation of legacy data sets and UNIX directories, DDLIST will report only a member in a legacy data set, even though BLDL may find a like named member in an earlier UNIX directory catenand. PMR, years ago. WAD. This misbehavior is irrelevant to CSV, I suspect. What would DESERV report for such a mixed concatenation?) -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
On 12/20/2013 7:50 AM, Lizette Koehler wrote: And the other question is If I have a STEPLIB and a JOBLIB and the module I need is only in the JOBLIB, would not the step with the STEPLIB looking for that module fail? //JOBLIB DD DSN=MYLOAD.LIB,DISP=SHR Module XYZ resides here //S1 EXEC PGM=XYZ //STEPLIB DD DISP=SHR,DSN=APPL.LIB Module XYZ does not exist in this library Would not S1 then abend with a S806 due to the JOBLIB being ignored? My understanding has been that if you code a JOBLIB any module not found in the STEPLIB would then search the JOBLIB and hopefully not fail. This would also allow for testing a new version without having to alter JCL by swapping load libraries on JOBLIB and STEPLIB. I could have the production version of the module in JOBLIB and a testing version in the STEPLIB. If it is bad, I delete the version in STEPLIB and the job will find it in the JOBLIB. That as soon as the module was found, then no more searching no matter where it was found. So if it is in the STEPLIB, then searching stops If it is found in the JOBLIB then searching stops If it is found in the JPA, then searching stops. So perhaps the intent is not that the JOBLIB is ignored. But that searching stops if the module is found in the STEPLIB Lizette Well, carry on with your experiment. But my understanding is if a step contains a STEPLIB then JOBLIB is ignored, and it's been that way for decades. -- Kind regards, -Steve Comstock The Trainer's Friend, Inc. 303-355-2752 http://www.trainersfriend.com * We are going out of business effective 30 December, 2013 * To purchase a set of our training materials at terrific prices, check out our Going Out Of Business Sale: http://www.trainersfriend.com/SpecialSale -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John Gilmore Sent: Friday, December 20, 2013 7:34 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card The last time I looked at the text Lizette quotes was a long time ago, and its current version contains the subtext The directory is located on DASD with the data set, and is updated whenever the module is changed. The directory entry contains information about the module and where it is located in storage. which is at best misleading. The data-set directory contains no information about where in virtual or real storage any copy of a member may have been loaded and no indicator that it is currently resident. The phrase 'in storage' should replaced by 'in the data set'. John Gilmore, Ashland, MA 01721 - USA -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
And the other question is If I have a STEPLIB and a JOBLIB and the module I need is only in the JOBLIB, would not the step with the STEPLIB looking for that module fail? //JOBLIB DD DSN=MYLOAD.LIB,DISP=SHR Module XYZ resides here //S1 EXEC PGM=XYZ //STEPLIB DD DISP=SHR,DSN=APPL.LIB Module XYZ does not exist in this library Would not S1 then abend with a S806 due to the JOBLIB being ignored? My understanding has been that if you code a JOBLIB any module not found in the STEPLIB would then search the JOBLIB and hopefully not fail. This would also allow for testing a new version without having to alter JCL by swapping load libraries on JOBLIB and STEPLIB. I could have the production version of the module in JOBLIB and a testing version in the STEPLIB. If it is bad, I delete the version in STEPLIB and the job will find it in the JOBLIB. That as soon as the module was found, then no more searching no matter where it was found. So if it is in the STEPLIB, then searching stops If it is found in the JOBLIB then searching stops If it is found in the JPA, then searching stops. So perhaps the intent is not that the JOBLIB is ignored. But that searching stops if the module is found in the STEPLIB Lizette > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of John Gilmore > Sent: Friday, December 20, 2013 7:34 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: APF authorization and JOBLIB DD card > > The last time I looked at the text Lizette quotes was a long time ago, and its current > version contains the subtext > > > The directory is located on DASD with the data set, and is updated whenever the > module is changed. The directory entry contains information about the module and > where it is located in storage. > > > which is at best misleading. The data-set directory contains no information about > where in virtual or real storage any copy of a member may have been loaded and > no indicator that it is currently resident. The phrase 'in storage' should replaced by > 'in the data set'. > > John Gilmore, Ashland, MA 01721 - USA -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
On Fri, 20 Dec 2013 09:34:15 -0500, John Gilmore wrote: >The last time I looked at the text Lizette quotes was a long time ago, >and its current version contains the subtext > > >The directory is located on DASD with the data set, and is updated >whenever the module is changed. The directory entry contains >information about the module and where it is located in storage. > > >which is at best misleading. The data-set directory contains no >information about where in virtual or real storage any copy of a >member may have been loaded and no indicator that it is currently >resident. The phrase 'in storage' should replaced by 'in the data >set'. > "storage" can refer to DASD in some contexts, such as "3990 storage subsystem". But, yes, it should be clarified. Your RCF? And RMODE is a rough suggestion about where the module *should* be located in main storage. But is that in the directory entry? -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
On Fri, 20 Dec 2013 07:28:49 -0700, Lizette Koehler wrote: > >Thanks. That explains the confusion. In the JCL manual it says ignore, >however in the INIT and TUNING, it does not clearly state it is ignored. > >I will do some testing. > >I was always told STEPLIB then JOBLIB without any qualifications. > >> >> On 12/20/13 09:22, Lizette Koehler wrote: >> > >> > LLA and Module Search Order >> > >> > z/OS V1R12.0 MVS Initialization and Tuning Guide SA22-7591-08 >> > >> > When a program requests a module, the system searches for the requested >> module in various system areas and libraries, in the following order: >> > >> > Modules that were loaded under the current task (LLEs) >> > The job pack area (JPA) >> > Tasklib, steplib, joblib, or any libraries that were indicated by a >> > DCB ... >> > ... >> > When searching TASKLIBs, STEPLIBs, JOBLIBs, a specified DCB, or the >> LNKLST concatenation for a module, the system searches *each* data set >> directory >> for the first directory entry that matches the name of the module. ... >> > [emphasis added -- gil] The word "each" is pretty unequivocal. Given that there's an unresolved contradiction, RCFs against both publications are in order -- let IBM resolve it rather than relying on user empiricism. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
The last time I looked at the text Lizette quotes was a long time ago, and its current version contains the subtext The directory is located on DASD with the data set, and is updated whenever the module is changed. The directory entry contains information about the module and where it is located in storage. which is at best misleading. The data-set directory contains no information about where in virtual or real storage any copy of a member may have been loaded and no indicator that it is currently resident. The phrase 'in storage' should replaced by 'in the data set'. John Gilmore, Ashland, MA 01721 - USA -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
Mark, Thanks. That explains the confusion. In the JCL manual it says ignore, however in the INIT and TUNING, it does not clearly state it is ignored. I will do some testing. I was always told STEPLIB then JOBLIB without any qualifications. Lizette > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Mark Jacobs > Sent: Friday, December 20, 2013 7:25 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: APF authorization and JOBLIB DD card > > From the JCL Reference manual; > > 13.3.5 Relationship of a STEPLIB to a JOBLIB > > > Use a JOBLIB DD statement to define a private library that the system is > to use for an entire job. If you include a JOBLIB DD statement for the job > and a STEPLIB DD statement for an individual job step, the system first > searches the step library and then the system library for the program > requested in the EXEC statement. The system ignores the JOBLIB library for > that step. > > Mark Jacobs > > On 12/20/13 09:22, Lizette Koehler wrote: > > Could someone point out the manual that states if a Steplib is present the Joblib is > ignored? > > > > I found this in the following manual and it does not lead me to the > > conclusion you have stated > > > > LLA and Module Search Order > > > > z/OS V1R12.0 MVS Initialization and Tuning Guide SA22-7591-08 > > > > When a program requests a module, the system searches for the requested > module in various system areas and libraries, in the following order: > > > > Modules that were loaded under the current task (LLEs) > > The job pack area (JPA) > > Tasklib, steplib, joblib, or any libraries that were indicated by a DCB specified > as an input parameter to the macro used to request the module (LINK, LINKX, > LOAD, ATTACH, ATTACHX, XCTL or XCTLX). > > Active link pack area (LPA), which contains the FLPA and MLPA > > Pageable link pack area (PLPA) > > SYS1.LINKLIB and libraries concatenated to it through the > > LNKLSTxx member of parmlib. (Placing Modules in the System's Search > > Order for Programs explains the performance improvements that can be > > achieved by moving modules from the LNKLST concatenation to LPA.) > > > > When searching TASKLIBs, STEPLIBs, JOBLIBs, a specified DCB, or the > LNKLST concatenation for a module, the system searches each data set directory > for the first directory entry that matches the name of the module. The directory is > located on DASD with the data set, and is updated whenever the module is > changed. The directory entry contains information about the module and where it is > located in storage. > > > > > > Thanks > > > > Lizette > > > > > >> -Original Message- > >> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] > >> On Behalf Of Blaicher, Christopher Y. > >> Sent: Friday, December 20, 2013 7:12 AM > >> To: IBM-MAIN@LISTSERV.UA.EDU > >> Subject: Re: APF authorization and JOBLIB DD card > >> > >> You are correct. > >> > >> Chris Blaicher > >> Principal Software Engineer, Software Development Syncsort > >> Incorporated > >> 50 Tice Boulevard, Woodcliff Lake, NJ 07677 > >> P: 201-930-8260 | M: 512-627-3803 > >> E: cblaic...@syncsort.com > >> > >> > >> -Original Message- > >> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] > >> On Behalf Of Tom Marchant > >> Sent: Friday, December 20, 2013 8:49 AM > >> To: IBM-MAIN@LISTSERV.UA.EDU > >> Subject: Re: APF authorization and JOBLIB DD card > >> > >> On Thu, 19 Dec 2013 00:58:00 +, Blaicher, Christopher Y. wrote: > >> > >>> Because the search is STEPLIB first, JOBLIB second (or first if no STEPLIB) > ... > >> Really? I thought that JOBLIB was ignored if there is a STEPLIB. > >> > >> -- > >> Tom Marchant > > -- > > For IBM-MAIN subscribe / signoff / archive access instructions, send > > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > > > > > -- > Mark Jacobs > Time Customer Service > Tampa, FL > > > The quiet ones are the ones that change the universe... > The loud ones only take the credit. > > Londo Mollari - Babylon 5 -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
From the JCL Reference manual; 13.3.5 Relationship of a STEPLIB to a JOBLIB Use a JOBLIB DD statement to define a private library that the system is to use for an entire job. If you include a JOBLIB DD statement for the job and a STEPLIB DD statement for an individual job step, the system first searches the step library and then the system library for the program requested in the EXEC statement. The system ignores the JOBLIB library for that step. Mark Jacobs On 12/20/13 09:22, Lizette Koehler wrote: Could someone point out the manual that states if a Steplib is present the Joblib is ignored? I found this in the following manual and it does not lead me to the conclusion you have stated LLA and Module Search Order z/OS V1R12.0 MVS Initialization and Tuning Guide SA22-7591-08 When a program requests a module, the system searches for the requested module in various system areas and libraries, in the following order: Modules that were loaded under the current task (LLEs) The job pack area (JPA) Tasklib, steplib, joblib, or any libraries that were indicated by a DCB specified as an input parameter to the macro used to request the module (LINK, LINKX, LOAD, ATTACH, ATTACHX, XCTL or XCTLX). Active link pack area (LPA), which contains the FLPA and MLPA Pageable link pack area (PLPA) SYS1.LINKLIB and libraries concatenated to it through the LNKLSTxx member of parmlib. (Placing Modules in the System's Search Order for Programs explains the performance improvements that can be achieved by moving modules from the LNKLST concatenation to LPA.) When searching TASKLIBs, STEPLIBs, JOBLIBs, a specified DCB, or the LNKLST concatenation for a module, the system searches each data set directory for the first directory entry that matches the name of the module. The directory is located on DASD with the data set, and is updated whenever the module is changed. The directory entry contains information about the module and where it is located in storage. Thanks Lizette -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Blaicher, Christopher Y. Sent: Friday, December 20, 2013 7:12 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card You are correct. Chris Blaicher Principal Software Engineer, Software Development Syncsort Incorporated 50 Tice Boulevard, Woodcliff Lake, NJ 07677 P: 201-930-8260 | M: 512-627-3803 E: cblaic...@syncsort.com -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Marchant Sent: Friday, December 20, 2013 8:49 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card On Thu, 19 Dec 2013 00:58:00 +, Blaicher, Christopher Y. wrote: Because the search is STEPLIB first, JOBLIB second (or first if no STEPLIB) ... Really? I thought that JOBLIB was ignored if there is a STEPLIB. -- Tom Marchant -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- Mark Jacobs Time Customer Service Tampa, FL The quiet ones are the ones that change the universe... The loud ones only take the credit. Londo Mollari - Babylon 5 -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
Could someone point out the manual that states if a Steplib is present the Joblib is ignored? I found this in the following manual and it does not lead me to the conclusion you have stated LLA and Module Search Order z/OS V1R12.0 MVS Initialization and Tuning Guide SA22-7591-08 When a program requests a module, the system searches for the requested module in various system areas and libraries, in the following order: Modules that were loaded under the current task (LLEs) The job pack area (JPA) Tasklib, steplib, joblib, or any libraries that were indicated by a DCB specified as an input parameter to the macro used to request the module (LINK, LINKX, LOAD, ATTACH, ATTACHX, XCTL or XCTLX). Active link pack area (LPA), which contains the FLPA and MLPA Pageable link pack area (PLPA) SYS1.LINKLIB and libraries concatenated to it through the LNKLSTxx member of parmlib. (Placing Modules in the System's Search Order for Programs explains the performance improvements that can be achieved by moving modules from the LNKLST concatenation to LPA.) When searching TASKLIBs, STEPLIBs, JOBLIBs, a specified DCB, or the LNKLST concatenation for a module, the system searches each data set directory for the first directory entry that matches the name of the module. The directory is located on DASD with the data set, and is updated whenever the module is changed. The directory entry contains information about the module and where it is located in storage. Thanks Lizette > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Blaicher, Christopher Y. > Sent: Friday, December 20, 2013 7:12 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: APF authorization and JOBLIB DD card > > You are correct. > > Chris Blaicher > Principal Software Engineer, Software Development Syncsort Incorporated > 50 Tice Boulevard, Woodcliff Lake, NJ 07677 > P: 201-930-8260 | M: 512-627-3803 > E: cblaic...@syncsort.com > > > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Tom Marchant > Sent: Friday, December 20, 2013 8:49 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: APF authorization and JOBLIB DD card > > On Thu, 19 Dec 2013 00:58:00 +, Blaicher, Christopher Y. wrote: > > >Because the search is STEPLIB first, JOBLIB second (or first if no STEPLIB) > >... > > Really? I thought that JOBLIB was ignored if there is a STEPLIB. > > -- > Tom Marchant -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
You are correct. Chris Blaicher Principal Software Engineer, Software Development Syncsort Incorporated 50 Tice Boulevard, Woodcliff Lake, NJ 07677 P: 201-930-8260 | M: 512-627-3803 E: cblaic...@syncsort.com -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Marchant Sent: Friday, December 20, 2013 8:49 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card On Thu, 19 Dec 2013 00:58:00 +, Blaicher, Christopher Y. wrote: >Because the search is STEPLIB first, JOBLIB second (or first if no STEPLIB) ... Really? I thought that JOBLIB was ignored if there is a STEPLIB. -- Tom Marchant -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
Tom, You are correct, if the STEPLIB exists, the JOBLIB is ignored. Rex -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Marchant Sent: Friday, December 20, 2013 7:49 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card On Thu, 19 Dec 2013 00:58:00 +, Blaicher, Christopher Y. wrote: >Because the search is STEPLIB first, JOBLIB second (or first if no STEPLIB) ... Really? I thought that JOBLIB was ignored if there is a STEPLIB. -- Tom Marchant -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
On Thu, 19 Dec 2013 00:58:00 +, Blaicher, Christopher Y. wrote: >Because the search is STEPLIB first, JOBLIB second (or first if no STEPLIB) ... Really? I thought that JOBLIB was ignored if there is a STEPLIB. -- Tom Marchant -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
Pommier, Rex wrote: >Since I'm the OP, here is the detail of what has me so confused. [ ... snipped >... ] I'm also confused, but before you follow Jim Mulder's recommendation, could you perhaps reread in 'MVS Initialization and Tuning Guide' these two parts: 'Placing Modules in the System's Search Order for Programs' and 'The Search Order the System uses for Programs ' I know above is about Linklist, not APF, but I suspect that you have a wrong set (or combination) of modules. HTH! Groete / Greetings Elardus Engelbrecht -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
> Since I'm the OP, here is the detail of what has me so confused. > Sorry for the length of the post, but it's the only way to show why > I'm befuddled. I read your first post talking about the APF versus > LINKLIST versus JOBLIB and I agree with you - that was/is how I > understood APF to work. However, the chain of events below don't > bear this understanding out. My guess is that SyncSort might be > doing some funky things under the covers but that is a WAG. You are pretty much at the point now where I would want to look at a dump taken via SLIP SET,A=SVCD,C=306,RE=C,ML=1,ID=S306,SDATA=(ALLNUC,SQA,RGN,SUM,TRT),END Jim Mulder z/OS System Test IBM Corp. Poughkeepsie, NY -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
Chris et al, Since I'm the OP, here is the detail of what has me so confused. Sorry for the length of the post, but it's the only way to show why I'm befuddled. I read your first post talking about the APF versus LINKLIST versus JOBLIB and I agree with you - that was/is how I understood APF to work. However, the chain of events below don't bear this understanding out. My guess is that SyncSort might be doing some funky things under the covers but that is a WAG. Here's the RD condensed version: Job 1: abend 306, 2 non-APF syncsort libs in JOBLIB, abend on module in SYNCRENT. Job 2: abend 306, 1 non-APF lib in JOBLIB (I removed SYNCRENT so it would pull from LNKLST), abend on module in SYNCLINK. Job 3: RC=0, no JOBLIB, all SS modules coming from LNKLST. Job 4: RC=0, APF authorized 2 SS libraries, only libraries in JOBLIB Job 5: RC=0, 6 libs in JOBLIB including 2 APF SS libs, 1 lib not LNKLST, not APF, 3 LNKLST, not specified APF (LNKAUTH=LNKLST) Job 6: RC=0, added 7th lib to JOBLIB, new library definitely not either LNKLST or APF Job 7: abend 306, production job containing same concatenation as job 5. Abend due to trying to load module from SYNCRENT - same as job 1. Job 8: not shown here, I APF authorized the libraries in the JOBLIB and reran job 7. First job (with some allocation type snippage for brevity' sake - I also am running something called VSAMTUNE but that doesn't seem to be having any bearing here) Module SS14RC02 is in the SYNCRENT library in the JOBLIB concatenation. 14.48.44 JOB01781 WEDNESDAY, 18 DEC 2013 14.48.44 JOB01781 IRR010I USERID RRP4912 IS ASSIGNED TO THIS JOB. 14.48.44 JOB01781 ICH70001I RRP4912 LAST ACCESS AT 14:48:09 ON WEDNESDAY, DECEMBER 18, 2013 14.48.44 JOB01781 $HASP373 RRPIDCM STARTED - INIT 29 - CLASS T - SYS ZOS1 14.48.44 JOB01781 IEF403I RRPIDCM - STARTED - TIME=14.48.44 14.48.45 JOB01781 CSV019I REQUESTED MODULE SS14RC02 NOT ACCESSED, IS IN NON-APF LIBRARY/CONCATENATION 14.48.45 JOB01781 CSV028I ABEND306-0C JOBNAME=RRPIDCM STEPNAME=STEP1 14.48.45 JOB01781 WER999A RRPIDCM ,STEP1 ,- UNSUCCESSFUL SORT 306 S REASON=000C 14.48.45 JOB01781 IEC130I SPYSET DD STATEMENT MISSING 14.48.45 JOB01781 IEA995I SYMPTOM DUMP OUTPUT 586 . . //RRPIDCM JOB (040423,495),RRP,CLASS=T,MSGCLASS=X,MSGLEVEL=(1,1), // NOTIFY=&SYSUID IEFC653I SUBSTITUTION JCL - (040423,495),RRP,CLASS=T,MSGCLASS=X,MSG //JOBLIB DD DSN=SYS1.SFG1B.SYNCSORT.R14.SYNCLINK.NEW,DISP=SHR <<<<<mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Blaicher, Christopher Y. Sent: Thursday, December 19, 2013 11:57 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card I think I covered that, but obviously not well enough. If no called/loaded modules exist in the JOBLIB/STEPLIB, and all are in the LINKLIST, then that meets the requirement that all LOADs occur from authorized libraries. It doesn't matter if JOBLIB/STEPLIB are authorized or not. I think he got away with it because one of the tests was run where all the sort modules were in the LINKLIST. He then ran it with the sort libraries also in the JOBLIB/STEPLIB concatenations that included an unauthorized library and that failed with a 306. It's all a question of where modules get loaded from. To be certain of things, I would need to see the concatenations and the APF library list at each run time. Chris Blaicher Principal Software Engineer, Software Development Syncsort Incorporated 50 Tice Boulevard, Woodcliff Lake, NJ 07677 P: 201-930-8260 | M: 512-627-3803 E: cblaic...@syncsort.com -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Robert Hahne Sent: Thursday, December 19, 2013 10:51 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card Hello Chris , This is a very good explanation . But that still leaves OP's last question "If IDCAMS requires APF authorization for called modules, why does IDCAMS work when the JOBLIB is supposedly not authorized by introducing a non-authorized library to the JOBLIB? " I assume OP ran the job by APF authorizing the JOBLIBS first , and then tried another run by adding an unauthorized library to the JOBLIB concatenation . TIA , Bob > Date: Thu, 19 Dec 2013 00:58:00 +0000 > From: cblaic...@syncsort.com > Subject: Re: APF authorization and JOBLIB DD card > To: IBM-MAIN@LISTSERV.UA.EDU > > I will answer the APF questions, but I strongly suggest that you call > SyncSort Support in the morni
Re: APF authorization and JOBLIB DD card
Gil, Like Jim, we call IDCAMs from a STC and we had to be APF authorized we process define/deletes for aliases... Scott ford www.identityforge.com from my IPAD 'Infinite wisdom through infinite means' On Dec 19, 2013, at 1:02 PM, Jim Mulder wrote: >> It's possible that IDCAMS loaded no modules from JOBLIB (or even that > IDCAMS >> was loaded unauthorized. Will IDCAMS run that way?) > > I believe I already answered that with a reference to the IDCAMS > documentation. > To quote the documentation: > > D.1 Authorized Program Facility (APF) > > An address space that calls IDCAMS to issue any of these commands must be > APF authorized, or the command will terminate: > > ALLOCATE command to allocate an SMS-managed data set. > > DCOLLECT command. > > DEFINE command, when the RECATALOG parameter is specified or when the > define is for an alias of a catalog. > > DELETE command, when the RECOVERY parameter is specified. > > EXPORT command, when the object to be exported is a BCS. > > IMPORT command, when the object to be imported is a BCS or the calling > program supplied an auxiliary list (aux list) and the list includes a > pointer to an ACERO. This would cause SMS to bypass ACS processing. This > will result in the message IDC31658I INVALID AUTHORIZATION TO BYPASS ACS > PROCESSING. > > PRINT command, when the object to be printed is a catalog. > > REPRO command, when a BCS is copied or merged. SHCDS command. > > VERIFY command, when a BCS is to be verified. > > Jim Mulder z/OS System Test IBM Corp. Poughkeepsie, NY > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
> It's possible that IDCAMS loaded no modules from JOBLIB (or even that IDCAMS > was loaded unauthorized. Will IDCAMS run that way?) I believe I already answered that with a reference to the IDCAMS documentation. To quote the documentation: D.1 Authorized Program Facility (APF) An address space that calls IDCAMS to issue any of these commands must be APF authorized, or the command will terminate: ALLOCATE command to allocate an SMS-managed data set. DCOLLECT command. DEFINE command, when the RECATALOG parameter is specified or when the define is for an alias of a catalog. DELETE command, when the RECOVERY parameter is specified. EXPORT command, when the object to be exported is a BCS. IMPORT command, when the object to be imported is a BCS or the calling program supplied an auxiliary list (aux list) and the list includes a pointer to an ACERO. This would cause SMS to bypass ACS processing. This will result in the message IDC31658I INVALID AUTHORIZATION TO BYPASS ACS PROCESSING. PRINT command, when the object to be printed is a catalog. REPRO command, when a BCS is copied or merged. SHCDS command. VERIFY command, when a BCS is to be verified. Jim Mulder z/OS System Test IBM Corp. Poughkeepsie, NY -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
I think I covered that, but obviously not well enough. If no called/loaded modules exist in the JOBLIB/STEPLIB, and all are in the LINKLIST, then that meets the requirement that all LOADs occur from authorized libraries. It doesn't matter if JOBLIB/STEPLIB are authorized or not. I think he got away with it because one of the tests was run where all the sort modules were in the LINKLIST. He then ran it with the sort libraries also in the JOBLIB/STEPLIB concatenations that included an unauthorized library and that failed with a 306. It's all a question of where modules get loaded from. To be certain of things, I would need to see the concatenations and the APF library list at each run time. Chris Blaicher Principal Software Engineer, Software Development Syncsort Incorporated 50 Tice Boulevard, Woodcliff Lake, NJ 07677 P: 201-930-8260 | M: 512-627-3803 E: cblaic...@syncsort.com -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Robert Hahne Sent: Thursday, December 19, 2013 10:51 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card Hello Chris , This is a very good explanation . But that still leaves OP's last question "If IDCAMS requires APF authorization for called modules, why does IDCAMS work when the JOBLIB is supposedly not authorized by introducing a non-authorized library to the JOBLIB? " I assume OP ran the job by APF authorizing the JOBLIBS first , and then tried another run by adding an unauthorized library to the JOBLIB concatenation . TIA , Bob > Date: Thu, 19 Dec 2013 00:58:00 + > From: cblaic...@syncsort.com > Subject: Re: APF authorization and JOBLIB DD card > To: IBM-MAIN@LISTSERV.UA.EDU > > I will answer the APF questions, but I strongly suggest that you call > SyncSort Support in the morning if you continue to have ABEND 306 problems. > > The short answer is that any module loaded by an authorized program must come > from an authorized library. Loaded modules don't have to be authorized > (AC=1), they just have to come from an authorized library. Now it gets more > complicated. > > Most people think that all LINKLIST libraries are authorized, but that isn't > always true. If your site has LNKAUTH=APFTAB as a parm in IEASYSxx rather > than taking the default or specifying LNKAUTH=LNKLST, then only those > libraries that are in the APF table are considered authorized. > > JOBLIB and STEPLIB libraries are handled a little differently. They are > either all authorized or all not authorized. So, if you have a three library > concatenation and they are all authorized, life is good. If you add a > non-authorized library to then, then they are all considered un-authorized. > > When you ran an IDCAMS job with all modules used in the linklist, it was OK > because it didn't get any modules from JOBLIB. Your site must be taking the > default or specifying LNKAUTH=LNKLST. When you put the same libraries in the > JOBLIB concatenation, and any one of them isn't in the APF table, then all of > the JOBLIB libraries become un-authorized, even if the libraries are still in > the LINKLIST. Because the search is STEPLIB first, JOBLIB second (or first > if no STEPLIB) and then the LINKLIST and it found the module it wanted in the > JOBLIB and the JOBLIB concatenation was not authorized because one or more > libraries weren't, then you get the ABEND 306. > > Confused enough? > > Chris Blaicher > Principal Software Engineer, Software Development Syncsort > Incorporated > 50 Tice Boulevard, Woodcliff Lake, NJ 07677 > P: 201-930-8260 | M: 512-627-3803 > E: cblaic...@syncsort.com > > > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] > On Behalf Of Pommier, Rex > Sent: Wednesday, December 18, 2013 6:07 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: APF authorization and JOBLIB DD card > > Hi list, > > I'm confused - again. I thought I knew how APF authorization works with > JOBLIB statements but apparently I don't. Here's the background. I'm > installing a new maintenance level of SyncSort. According to the SyncSort > manual, the only library that needs APF authorization is the SYNCAUTH library > which contains the Dynamic Storage Management modules. > > In addition, IDCAMS internally calls a SORT module by default when performing > a BuildIndeX function. > > Here's my scenario. I have batch jobs with JOBLIB statements in them. In > order to test my SyncSort upgrade, I have added the SYNCLINK and SYNCRENT > libraries to the JOBLIB concatenation. > > Where I'm hitting the problem is IDCAMS BIX funct
Re: APF authorization and JOBLIB DD card
On Thu, 19 Dec 2013 21:21:01 +0530, Robert Hahne wrote: >Hello Chris , > >This is a very good explanation . But that still leaves OP's last question > >"If IDCAMS requires APF authorization for called modules, why does IDCAMS work >when the JOBLIB is supposedly not authorized by introducing a non-authorized >library to the JOBLIB? " > It's possible that IDCAMS loaded no modules from JOBLIB (or even that IDCAMS was loaded unauthorized. Will IDCAMS run that way?) -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
Hello Chris , This is a very good explanation . But that still leaves OP's last question "If IDCAMS requires APF authorization for called modules, why does IDCAMS work when the JOBLIB is supposedly not authorized by introducing a non-authorized library to the JOBLIB? " I assume OP ran the job by APF authorizing the JOBLIBS first , and then tried another run by adding an unauthorized library to the JOBLIB concatenation . TIA , Bob > Date: Thu, 19 Dec 2013 00:58:00 + > From: cblaic...@syncsort.com > Subject: Re: APF authorization and JOBLIB DD card > To: IBM-MAIN@LISTSERV.UA.EDU > > I will answer the APF questions, but I strongly suggest that you call > SyncSort Support in the morning if you continue to have ABEND 306 problems. > > The short answer is that any module loaded by an authorized program must come > from an authorized library. Loaded modules don't have to be authorized > (AC=1), they just have to come from an authorized library. Now it gets more > complicated. > > Most people think that all LINKLIST libraries are authorized, but that isn't > always true. If your site has LNKAUTH=APFTAB as a parm in IEASYSxx rather > than taking the default or specifying LNKAUTH=LNKLST, then only those > libraries that are in the APF table are considered authorized. > > JOBLIB and STEPLIB libraries are handled a little differently. They are > either all authorized or all not authorized. So, if you have a three library > concatenation and they are all authorized, life is good. If you add a > non-authorized library to then, then they are all considered un-authorized. > > When you ran an IDCAMS job with all modules used in the linklist, it was OK > because it didn't get any modules from JOBLIB. Your site must be taking the > default or specifying LNKAUTH=LNKLST. When you put the same libraries in the > JOBLIB concatenation, and any one of them isn't in the APF table, then all of > the JOBLIB libraries become un-authorized, even if the libraries are still in > the LINKLIST. Because the search is STEPLIB first, JOBLIB second (or first > if no STEPLIB) and then the LINKLIST and it found the module it wanted in the > JOBLIB and the JOBLIB concatenation was not authorized because one or more > libraries weren't, then you get the ABEND 306. > > Confused enough? > > Chris Blaicher > Principal Software Engineer, Software Development > Syncsort Incorporated > 50 Tice Boulevard, Woodcliff Lake, NJ 07677 > P: 201-930-8260 | M: 512-627-3803 > E: cblaic...@syncsort.com > > > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Pommier, Rex > Sent: Wednesday, December 18, 2013 6:07 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: APF authorization and JOBLIB DD card > > Hi list, > > I'm confused - again. I thought I knew how APF authorization works with > JOBLIB statements but apparently I don't. Here's the background. I'm > installing a new maintenance level of SyncSort. According to the SyncSort > manual, the only library that needs APF authorization is the SYNCAUTH library > which contains the Dynamic Storage Management modules. > > In addition, IDCAMS internally calls a SORT module by default when performing > a BuildIndeX function. > > Here's my scenario. I have batch jobs with JOBLIB statements in them. In > order to test my SyncSort upgrade, I have added the SYNCLINK and SYNCRENT > libraries to the JOBLIB concatenation. > > Where I'm hitting the problem is IDCAMS BIX function. When I run the IDCAMS > job with just the normal JOBLIB without the SyncSort libraries in it, the job > runs fine - presumably using the SyncSort currently in the LinkList. The > JOBLIB is not APF authorized because it has a mixture of authorized and not > authorized libraries in it. I add the new SyncSort libraries to the JOBLIB > and the IDCAMS fails with a S306-0C abend and message "CSV019I REQUESTED > MODULE SS14RC02 NOT ACCESSED, IS IN NON-APF LIBRARY/CONCATENATION". Module > SS14RC02 is linked AC=0 and is in the SYNCRENT library. I added all the > JOBLIB libraries to the APF list and the IDCAMS step runs fine. I then add a > non-APF authorized library to the JOBLIB and the IDCAMS step STILL runs fine! > > > Why is IDCAMS demanding that non-APF module SS14RC02 be loaded from an APF > authorized library? > > If IDCAMS requires APF authorization for called modules, why does IDCAMS work > when the JOBLIB is supposedly not authorized by introducing a non-authorized > library to the JOBLIB? > > TIA > > Rex > > The information contained in t
Re: APF authorization and JOBLIB DD card
> The short answer is that any module loaded by an authorized program > must come from an authorized library. I've been reading this post with interest since I've had to do a lot to deal with authorized services loading programs from unauthorized libraries. I have a utility that copies the joblib/steplib information and the load module information including its APF authorization from one address space and transmits the information via SRB to another which can load a copy of an unauthorized program (via IRB) from an unauthorized library into another address space for special testing. It uses the LOAD ADRNAPF which now also has an ADRNAPF64 parameter. Of course, this requires that the utility dynalloc the joblib/steplib in the IRB, open it, load, close it and unalloc it. It's a lot of code just to make a copy of a common program in another address space. The point being that an authorized program can load from an unauthorized library provided it has the code to manage it. It doesn't need to modify the APF setting for a library. Of course, the unauthorized program is still setup to be called unauthorized. This is done for special debugging functions used to isolate a common piece of code from other callers in other address spaces. Kenneth -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Gerhard Postpischil Sent: Thursday, December 19, 2013 12:57 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card On 12/18/2013 7:58 PM, Blaicher, Christopher Y. wrote: > The short answer is that any module loaded by an authorized program > must come from an authorized library. Loaded modules don't have to be > authorized (AC=1), they just have to come from an authorized library. > Now it gets more complicated. I solved this problem a long time ago. First on OS/360 by having a special step account code, and on later (test) systems by having a utility program that authorizes the tasklib, then loads the needed program(s). RACF can keep it out of unwanted hands. It saves time and effort testing programs that need authorization, and it also has a ZAP function for testing. It's heavily modified code from Don Higgins that I found on the cbt tape, but I don't remember what he called it; his version only has the ZAP capability. The added code is: SPACE 1 APFSET ICM R7,15,TCBJLB TEST STEPLIB PRESENCE BZAPFQUIT NO STEPLIB USING IHADCB,R7 DECLARE IT L R7,DCBDEBAD LOAD DEB FOR STEPLIB N R7,=X'00FF' FIX HIGH BYTE USING DEBBASIC,R7 OIDEBFLGS1,DEBAPFIN TURN ON APF LIBRARY BIT Gerhard Postpischil Bradford, Vermont -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
On 12/18/2013 7:58 PM, Blaicher, Christopher Y. wrote: The short answer is that any module loaded by an authorized program must come from an authorized library. Loaded modules don't have to be authorized (AC=1), they just have to come from an authorized library. Now it gets more complicated. I solved this problem a long time ago. First on OS/360 by having a special step account code, and on later (test) systems by having a utility program that authorizes the tasklib, then loads the needed program(s). RACF can keep it out of unwanted hands. It saves time and effort testing programs that need authorization, and it also has a ZAP function for testing. It's heavily modified code from Don Higgins that I found on the cbt tape, but I don't remember what he called it; his version only has the ZAP capability. The added code is: SPACE 1 APFSET ICM R7,15,TCBJLB TEST STEPLIB PRESENCE BZAPFQUIT NO STEPLIB USING IHADCB,R7 DECLARE IT L R7,DCBDEBAD LOAD DEB FOR STEPLIB N R7,=X'00FF' FIX HIGH BYTE USING DEBBASIC,R7 OIDEBFLGS1,DEBAPFIN TURN ON APF LIBRARY BIT Gerhard Postpischil Bradford, Vermont -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
> I'm confused - again. I thought I knew how APF authorization works > with JOBLIB statements but apparently I don't. Here's the > background. I'm installing a new maintenance level of SyncSort. > According to the SyncSort manual, the only library that needs APF > authorization is the SYNCAUTH library which contains the Dynamic > Storage Management modules. > > In addition, IDCAMS internally calls a SORT module by default when > performing a BuildIndeX function. > > Here's my scenario. I have batch jobs with JOBLIB statements in > them. In order to test my SyncSort upgrade, I have added the > SYNCLINK and SYNCRENT libraries to the JOBLIB concatenation. > > Where I'm hitting the problem is IDCAMS BIX function. When I run > the IDCAMS job with just the normal JOBLIB without the SyncSort > libraries in it, the job runs fine - presumably using the SyncSort > currently in the LinkList. The JOBLIB is not APF authorized because > it has a mixture of authorized and not authorized libraries in it. > I add the new SyncSort libraries to the JOBLIB and the IDCAMS fails > with a S306-0C abend and message "CSV019I REQUESTED MODULE SS14RC02 > NOT ACCESSED, IS IN NON-APF LIBRARY/CONCATENATION". Module SS14RC02 > is linked AC=0 and is in the SYNCRENT library. I added all the > JOBLIB libraries to the APF list and the IDCAMS step runs fine. I > then add a non-APF authorized library to the JOBLIB and the IDCAMS > step STILL runs fine! Did you do D PROG,APF to verify that your "non-APF authorized library" is really unauthorized? Or, does the "non-APF authorized library" contain a program named IDCAMS? > Why is IDCAMS demanding that non-APF module SS14RC02 be loaded from > an APF authorized library? IDCAMS is not demanding any such thing. Since the job step is authorized, Contents Supervisor requires that things can only be loaded from APF authorized libraries. > If IDCAMS requires APF authorization for called modules, why does > IDCAMS work when the JOBLIB is supposedly not authorized by > introducing a non-authorized library to the JOBLIB? IDCAMS requires APF Authorization only for certain functions, as documented in "DFSMS AMS for Catalogs". BIX does not require APF authorization. So one possible solution to your issue would be to make a copy of IDCAMS into an unauthorized library, and include that library in your JOBLIB concatenation, so that your EXEC PGM=IDCAMS job step would run unauthorized. Or course, that would create a maintenance issue of keeping the copy of IDCAMS up-do-date. You could consider submitting a requirement to IBM to provide an AC=0 alias for IDCAMS (named, for example, IDCAMSA0). Then you could EXEC PGM=IDCASMA0 when you want an IDCAMS job step to run unauthorized. Jim Mulder z/OS System Test IBM Corp. Poughkeepsie, NY -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
I will answer the APF questions, but I strongly suggest that you call SyncSort Support in the morning if you continue to have ABEND 306 problems. The short answer is that any module loaded by an authorized program must come from an authorized library. Loaded modules don't have to be authorized (AC=1), they just have to come from an authorized library. Now it gets more complicated. Most people think that all LINKLIST libraries are authorized, but that isn't always true. If your site has LNKAUTH=APFTAB as a parm in IEASYSxx rather than taking the default or specifying LNKAUTH=LNKLST, then only those libraries that are in the APF table are considered authorized. JOBLIB and STEPLIB libraries are handled a little differently. They are either all authorized or all not authorized. So, if you have a three library concatenation and they are all authorized, life is good. If you add a non-authorized library to then, then they are all considered un-authorized. When you ran an IDCAMS job with all modules used in the linklist, it was OK because it didn't get any modules from JOBLIB. Your site must be taking the default or specifying LNKAUTH=LNKLST. When you put the same libraries in the JOBLIB concatenation, and any one of them isn't in the APF table, then all of the JOBLIB libraries become un-authorized, even if the libraries are still in the LINKLIST. Because the search is STEPLIB first, JOBLIB second (or first if no STEPLIB) and then the LINKLIST and it found the module it wanted in the JOBLIB and the JOBLIB concatenation was not authorized because one or more libraries weren't, then you get the ABEND 306. Confused enough? Chris Blaicher Principal Software Engineer, Software Development Syncsort Incorporated 50 Tice Boulevard, Woodcliff Lake, NJ 07677 P: 201-930-8260 | M: 512-627-3803 E: cblaic...@syncsort.com -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Pommier, Rex Sent: Wednesday, December 18, 2013 6:07 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: APF authorization and JOBLIB DD card Hi list, I'm confused - again. I thought I knew how APF authorization works with JOBLIB statements but apparently I don't. Here's the background. I'm installing a new maintenance level of SyncSort. According to the SyncSort manual, the only library that needs APF authorization is the SYNCAUTH library which contains the Dynamic Storage Management modules. In addition, IDCAMS internally calls a SORT module by default when performing a BuildIndeX function. Here's my scenario. I have batch jobs with JOBLIB statements in them. In order to test my SyncSort upgrade, I have added the SYNCLINK and SYNCRENT libraries to the JOBLIB concatenation. Where I'm hitting the problem is IDCAMS BIX function. When I run the IDCAMS job with just the normal JOBLIB without the SyncSort libraries in it, the job runs fine - presumably using the SyncSort currently in the LinkList. The JOBLIB is not APF authorized because it has a mixture of authorized and not authorized libraries in it. I add the new SyncSort libraries to the JOBLIB and the IDCAMS fails with a S306-0C abend and message "CSV019I REQUESTED MODULE SS14RC02 NOT ACCESSED, IS IN NON-APF LIBRARY/CONCATENATION". Module SS14RC02 is linked AC=0 and is in the SYNCRENT library. I added all the JOBLIB libraries to the APF list and the IDCAMS step runs fine. I then add a non-APF authorized library to the JOBLIB and the IDCAMS step STILL runs fine! Why is IDCAMS demanding that non-APF module SS14RC02 be loaded from an APF authorized library? If IDCAMS requires APF authorization for called modules, why does IDCAMS work when the JOBLIB is supposedly not authorized by introducing a non-authorized library to the JOBLIB? TIA Rex The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF authorization and JOBLIB DD card
On Wed, 18 Dec 2013 23:06:40 +, Pommier, Rex wrote: > >Why is IDCAMS demanding that non-APF module SS14RC02 be loaded from an APF >authorized library? > I know this one! From M&C: 17.21 CSV019I CSV019I REQUESTED MODULE mod NOT ACCESSED, IS IN NON-APF LIBRARY/CONCATENATION Explanation: An authorized program issued a LINK, LOAD, XCTL or ATTACH macro to access a module that is not in an authorized program facility (APF) authorized library or concatenation of libraries. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
APF authorization and JOBLIB DD card
Hi list, I'm confused - again. I thought I knew how APF authorization works with JOBLIB statements but apparently I don't. Here's the background. I'm installing a new maintenance level of SyncSort. According to the SyncSort manual, the only library that needs APF authorization is the SYNCAUTH library which contains the Dynamic Storage Management modules. In addition, IDCAMS internally calls a SORT module by default when performing a BuildIndeX function. Here's my scenario. I have batch jobs with JOBLIB statements in them. In order to test my SyncSort upgrade, I have added the SYNCLINK and SYNCRENT libraries to the JOBLIB concatenation. Where I'm hitting the problem is IDCAMS BIX function. When I run the IDCAMS job with just the normal JOBLIB without the SyncSort libraries in it, the job runs fine - presumably using the SyncSort currently in the LinkList. The JOBLIB is not APF authorized because it has a mixture of authorized and not authorized libraries in it. I add the new SyncSort libraries to the JOBLIB and the IDCAMS fails with a S306-0C abend and message "CSV019I REQUESTED MODULE SS14RC02 NOT ACCESSED, IS IN NON-APF LIBRARY/CONCATENATION". Module SS14RC02 is linked AC=0 and is in the SYNCRENT library. I added all the JOBLIB libraries to the APF list and the IDCAMS step runs fine. I then add a non-APF authorized library to the JOBLIB and the IDCAMS step STILL runs fine! Why is IDCAMS demanding that non-APF module SS14RC02 be loaded from an APF authorized library? If IDCAMS requires APF authorization for called modules, why does IDCAMS work when the JOBLIB is supposedly not authorized by introducing a non-authorized library to the JOBLIB? TIA Rex The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
