Re: Basic CICS Question

2016-06-16 Thread Jim Mulder
> And why can't Content Supervision be as intelligent about a mixed
> authorized/unauthorized STEPLIB as it is about a mixed link list?
> (I know that if CS were changed to operate that way, programmers
> would lose the ability to force an otherwise authorized program to
> execute unauthorized by including it in STEPLIB.  This ought to
> be a tolerable behavioral change.)

  How useful would that be?  If the jobstep is running APF 
authorized, it cannot load anything from unauthorized libraries.

Jim Mulder   z/OS System Test   IBM Corp.  Poughkeepsie,  NY


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Basic CICS Question

2016-06-16 Thread Jim Mulder
Jim Mulder   z/OS System Test   IBM Corp.  Poughkeepsie,  NY

> >... Most shops any more use the APFTAB value which indicates that a
> >data set's APF authorization is based on the APF table when a module is
> >accessed via the link list or a STEPLIB.
> >
> Does this mean that STEPLIB may nowadays contain a mixture of
> unauthorized and APFTAB-authorized catenands, and that loading
> a program marked AC=1 from one of the authorized catenands
> will retain authorization notwithstanding the presence of
> unauthorized catenands?  I know a more recent ply has said "No",
> but you seem to be implying "Yes".
 
   No.  LNKAUTH=APFTAB applies only to LNKLST.

> And why can't Content Supervision be as intelligent about a mixed
> authorized/unauthorized STEPLIB as it is about a mixed link list?
> (I know that if CS were changed to operate that way, programmers
> would lose the ability to force an otherwise authorized program to
> execute unauthorized by including it in STEPLIB.  This ought to
> be a tolerable behavioral change.)

  For a Joblib/Steplib/Tasklib, all CSV knows about is the DCB/DEB.
The DEB is flagged as authorized by OPEN if all of the data sets 
are authorized.  CSV does not know anything about the authorization 
of the individual data sets in the concatenation. 

  The LNKLST is built by CSV, so CSV does know about the individual
data sets in the concatenation.

   Jim Mulder 






Re: Basic CICS Question

2016-06-16 Thread Lizette Koehler
If you were not aware, there is a CICS List. If you have not joined, and wish to
do so, go to this URL
http://www.listserv.uga.edu/archives/cics-l.html

Next, CICS may handle the DFHRPL or STEPLIB a little differently than normal.

There are many internet entries for CICS APF STEPLIB

Basically, if SCEERUN and SCEERUN2 are in the Linklst, then you do not need them
(AFAIK) in the CICS STEPLIB.

Second, I think this trick still works,
If you code SYS1.LINKLIB at the top of the STEPLIB it will keep APF alive.  I am
not sure if you would get an S047 if a library farther down has an issue with
being APF Authorized, but SYS1.LINKLIB will not lose APF Authorization if it is
in a STEPLIB.

You might ask the CICS List about what really needs to be in the STEPLIB if it
is in the LINKLST.

Lizette




> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Adams, Anne (DTI)
> Sent: Thursday, June 16, 2016 12:15 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Basic CICS Question
> 
> Hey friends, this isn't necessarily a z/OS question but I'm hoping someone
> knows.
> 
> Do you have to STEPLIB all libraries for CICS, even if they're in the
> LINKLIST? We're running 5.2 of CICS and z/OS 2.20. For instance, do SCEERUN,
> SCEERUN2, RACF (or ACF2) have to be in the STEPLIB? I'm being told this is
> because they all have to be APF authorized and you lose that with the
> linklist. All the appropriate libraries are APF authorized. I supposed I could
> create a little vanilla system and be certain, but I was sort of hoping
> someone would know.
> 
> ... and if the answer is yes, shame on IBM for making me do that.
> 
> 
> Anne R. Adams, CISSP
> DTI, Systems Engineering
> Sr. Mainframe Services Analyst



Re: Basic CICS Question

2016-06-16 Thread Nims,Alva John (Al)
From the z/OS 1.13 version of "MVS Programming: Authorized Assembler Services 
Guide", Chapter 21: "Protecting the System", about page 433, there is a "Note" in 
"APF-authorized libraries":
"Notes: 1. If a JCL DD statement concatenates an authorized library in any 
order with an unauthorized library, the entire set of concatenated libraries is 
treated as unauthorized."

And guess what, in "z/OS V2R2.0 MVS Authorized Assembler Services Guide" same 
chapter, same section, but page 455, it has the same note.

So "No": in STEPLIB, you CANNOT mix APF Authorized and Unauthorized libraries. 
In LINKLST, on the other hand, you can mix it up.

Al Nims
Systems Admin/Programmer 3
UFIT
University of Florida
(352) 273-1298

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Paul Gilmartin
Sent: Thursday, June 16, 2016 5:08 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Basic CICS Question

On Thu, 16 Jun 2016 14:27:28 -0500, John McKown wrote:
>
>... Most shops any more use the APFTAB value which indicates that a 
>data set's APF authorization is based on the APF table when a module is 
>accessed via the link list or a STEPLIB.
>
Does this mean that STEPLIB may nowadays contain a mixture of unauthorized and 
APFTAB-authorized catenands, and that loading a program marked AC=1 from one of 
the authorized catenands will retain authorization notwithstanding the presence 
of unauthorized catenands?  I know a more recent ply has said "No", but you 
seem to be implying "Yes".

And why can't Content Supervision be as intelligent about a mixed 
authorized/unauthorized STEPLIB as it is about a mixed link list?
(I know that if CS were changed to operate that way, programmers would lose the 
ability to force an otherwise authorized program to execute unauthorized by 
including it in STEPLIB.  This ought to be a tolerable behavioral change.)

-- gil



Re: Basic CICS Question

2016-06-16 Thread Paul Gilmartin
On Thu, 16 Jun 2016 14:27:28 -0500, John McKown wrote:
>
>... Most shops any more use the APFTAB value which indicates that a
>data set's APF authorization is based on the APF table when a module is
>accessed via the link list or a STEPLIB.
>
Does this mean that STEPLIB may nowadays contain a mixture of
unauthorized and APFTAB-authorized catenands, and that loading
a program marked AC=1 from one of the authorized catenands
will retain authorization notwithstanding the presence of
unauthorized catenands?  I know a more recent ply has said "No",
but you seem to be implying "Yes".

And why can't Content Supervision be as intelligent about a mixed
authorized/unauthorized STEPLIB as it is about a mixed link list?
(I know that if CS were changed to operate that way, programmers
would lose the ability to force an otherwise authorized program to
execute unauthorized by including it in STEPLIB.  This ought to
be a tolerable behavioral change.)

-- gil



Re: Basic CICS Question

2016-06-16 Thread Charles Mills
And there is no error message if you do an ADD and the volser is wrong --
MVS happily accepts it and will authorize the dataset ... if one with that
name ever shows up on that volume.

SMS makes things more foolproof.

FWIW -- not recommending this -- I think a correct volser works even if the
dataset is SMS managed.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Nims,Alva John (Al)
Sent: Thursday, June 16, 2016 12:29 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Basic CICS Question

Actually, I believe someone has it a little reversed.

If the Data Set is listed in APF list, it is authorized and will be so in
the LINKLST, BUT if you add that same data set to //STEPLIB, then ALL the
data sets listed in //STEPLIB must be APF authorized, if even 1 is not
authorized, then ALL are not.  Remember for APF, both the Data Set Name and
the Volume or SMS if it is SMS managed, MUST MATCH!



Re: Basic CICS Question

2016-06-16 Thread Nims,Alva John (Al)
Actually, I believe someone has it a little reversed.

If the Data Set is listed in APF list, it is authorized and will be so in the 
LINKLST, BUT if you add that same data set to //STEPLIB, then ALL the data sets 
listed in //STEPLIB must be APF authorized, if even 1 is not authorized, then 
ALL are not.  Remember for APF, both the Data Set Name and the Volume or SMS if 
it is SMS managed, MUST MATCH!


Al Nims
Systems Admin/Programmer 3
UFIT
University of Florida
(352) 273-1298

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Adams, Anne (DTI)
Sent: Thursday, June 16, 2016 3:15 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Basic CICS Question

Hey friends, this isn't necessarily a z/OS question but I'm hoping someone 
knows. 

Do you have to STEPLIB all libraries for CICS, even if they're in the LINKLIST? 
We're running 5.2 of CICS and z/OS 2.20. For instance, do SCEERUN, SCEERUN2, 
RACF (or ACF2) have to be in the STEPLIB? I'm being told this is because they 
all have to be APF authorized and you lose that with the linklist. All the 
appropriate libraries are APF authorized. I supposed I could create a little 
vanilla system and be certain, but I was sort of hoping someone would know. 

... and if the answer is yes, shame on IBM for making me do that.


Anne R. Adams, CISSP
DTI, Systems Engineering
Sr. Mainframe Services Analyst 



Re: Basic CICS Question

2016-06-16 Thread John McKown
On Thu, Jun 16, 2016 at 2:15 PM, Adams, Anne (DTI) 
wrote:

> Hey friends, this isn't necessarily a z/OS question but I'm hoping someone
> knows.
>
> Do you have to STEPLIB all libraries for CICS, even if they're in the
> LINKLIST? We're running 5.2 of CICS and z/OS 2.20. For instance, do
> SCEERUN, SCEERUN2, RACF (or ACF2) have to be in the STEPLIB? I'm being told
> this is because they all have to be APF authorized and you lose that with
> the linklist. All the appropriate libraries are APF authorized. I supposed
> I could create a little vanilla system and be certain, but I was sort of
> hoping someone would know.
>
> ... and if the answer is yes, shame on IBM for making me do that.
>

No, you don't, in general, need those libraries to be in a STEPLIB for
CICS. You do _not_ lose APF authorization just because a data set is in the
linklist. I don't know who told you that. There is a parameter called
LNKAUTH in the IEASYSnn member of PARMLIB. If it is set to LNKLIST, then
_every_ library on the link list is APF authorized when used via the link
list even if it is not in the APF table (STEPLIB remains dependent on APF
table). Most shops any more use the APFTAB value which indicates that a
data set's APF authorization is based on the APF table when a module is
accessed via the link list or a STEPLIB.

ref:
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.ieae200/ieae200306.htm


*LNKAUTH={LNKLST}|{APFTAB}*

This parameter specifies whether all libraries in the LNKLST concatenation
are to be treated as APF-authorized when accessed as part of the
concatenation, or whether only those libraries that are named in the APF
table are to be treated as APF-authorized.

*Value Range*: Not applicable

*Default Value*: LNKLST, meaning that all libraries in the LNKLST
concatenation are to be treated as APF-authorized when accessed as part of
the concatenation. If the default for the LNKAUTH system parameter is
taken, or is specified in IEASYSxx or by the operator, libraries in the
LNKLST concatenation are APF-authorized when accessed as part of the LNKLST
concatenation.

If a LNKLST library is not listed in the APF table, referencing the library
through a JOBLIB or STEPLIB DD statement causes the library to be
considered unauthorized for the duration of the job or step.




>
> Anne R. Adams, CISSP
> DTI, Systems Engineering
> Sr. Mainframe Services Analyst
>
>

-- 
"Pessimism is a admirable quality in an engineer. Pessimistic people check
their work three times, because they're sure that something won't be right.
Optimistic people check once, trust in Solis-de to keep the ship safe, then
blow everyone up."
"I think you're mistaking the word optimistic for inept."
"They've got a similar ring to my ear."

From "Star Nomad" by Lindsay Buroker:

Maranatha! <><
John McKown



Basic CICS Question

2016-06-16 Thread Adams, Anne (DTI)
Hey friends, this isn't necessarily a z/OS question but I'm hoping someone 
knows. 

Do you have to STEPLIB all libraries for CICS, even if they're in the LINKLIST? 
We're running 5.2 of CICS and z/OS 2.20. For instance, do SCEERUN, SCEERUN2, 
RACF (or ACF2) have to be in the STEPLIB? I'm being told this is because they 
all have to be APF authorized and you lose that with the linklist. All the 
appropriate libraries are APF authorized. I supposed I could create a little 
vanilla system and be certain, but I was sort of hoping someone would know. 

... and if the answer is yes, shame on IBM for making me do that.


Anne R. Adams, CISSP
DTI, Systems Engineering
Sr. Mainframe Services Analyst 
