RACF and protecting against the unknown
Hi, it's the RACF newbie again.

RACF has been running fine for us and went in without a hitch thanks to all of y'all. But, because we have nothing better to do, we've been sitting around trying to think of scenarios that we may come up against in the future and we want to be able to recover from them. Here's one of 'em:

We have removed the password from MAINT and the 2 of us sysprog wannabes have set up RACF to allow us to LOGONBY to MAINT. Works beautifully. But, what would happen if some malicious individual decided to attempt sufficient invalid logons to cause our IDs to be revoked? How would we ever get back to MAINT? Now, add the security admin's ID to the mix. Then what?

Also, any war stories about getting into a situation where no one could log on due to RACF being unavailable? Should we be concerned about a case like this? What recovery is possible?

Okay, okay... so we're a couple of paranoid sysprog wannabes... I knew I shouldn't have smoked those alternative cigarettes when I was younger. :-)

Thanks much,
Leland
Re: Performance Tool Kit
Hi, Terry.

The short answer is that you have enabled the PERFSVM's web interface but the VM TCPIP virtual machine is not configured to accept PERFSVM's request to listen on the port specified.

Hope that helps, and good luck.

Martin, Terry R. (CMS/CTR) (CTR) wrote:
> Hi
>
> I take that back. I seem to be getting my MONITOR information. It will still be interesting to know what it really meant. The error message does not offer a whole lot of information.
>
> Thank You,
> Terry Martin
> Lockheed Martin - Information Technology
> z/OS z/VM Systems - Performance and Tuning
> Cell - 443 632-4191
> Work - 410 786-0386
> [EMAIL PROTECTED]
>
> From: Martin, Terry R. (CMS/CTR) (CTR)
> Sent: Friday, July 11, 2008 5:08 PM
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: Performance Tool Kit
>
> Hi
>
> I am starting up the PERFSVM machine and I am receiving the following error:
>
> FCXTCP576E Error number 13 for BIND call
>
> Does anyone know what this means? It is obviously causing me not to see most of the DATA fields in the MONITOR!
>
> Thank You,
> Terry Martin
> Lockheed Martin - Information Technology
> z/OS z/VM Systems - Performance and Tuning
> Cell - 443 632-4191
> Work - 410 786-0386
> [EMAIL PROTECTED]

--
DJ
V/Soft
z/VM and mainframe Linux expertise, training, consulting, and software development
www.vsoft-software.com
Re: code maint [was: Re: REXX coding question.]
Rick Troth [EMAIL PROTECTED] shared an anecdote about code maint. I have my own:

Back in about 1982, at UofW, I wrote a tiny assembler routine to test a local DIAGNOSE. This unprivileged DIAG would return a userid's logon status and message flags, so you could tell if (s)he had MSG ON before writing a long msg (or sending an AYT?). Since it was just to test it, and was only a few lines, I didn't comment it, did no REGEQU, etc.

Over the next few months, I kept tinkering, adding the ability to read a list of userids, output to the stack, etc., etc. Then someone put it on the Y-disk.

Every summer when the Evil Students were gone, we'd run a local mod for a few weeks that monitored files read from the S- and Y-disks, so we could look at improving performance by putting stuff in the CMS nucleus (like COPYFILE, which we did long before IBM did). Summer of 1985, my MODULE was the most heavily used program on the Y-disk. At that point, it was over 2,000 lines of uncommented, un-REGEQU-ed assembler.

I decided I'd better move to another country before something broke and I had to fix it...

...and since then, I've been more or less religious about commenting!

...phsiii
Re: Performance Tool Kit
Yes, and like I say, it does tell me a whole lot!

Terry

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Kris Buelens
Sent: Saturday, July 12, 2008 1:26 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Performance Tool Kit

> Have you issued HELP FCX576E?
>
> 2008/7/11 Martin, Terry R. (CMS/CTR) (CTR) [EMAIL PROTECTED]:
> [Terry's original message, quoted above in full]
>
> --
> Kris Buelens,
> IBM Belgium, VM customer support
Re: Performance Tool Kit
Oh OK. Yes, I remember now. I did not complete this piece of the install. I was going to get back to it and never did.

Thanks,
Terry

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Dave Jones
Sent: Saturday, July 12, 2008 9:12 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Performance Tool Kit

> [Dave Jones's reply, quoted above in full]
RSU 0801 and the HELPSEG
Thought I'd throw this out there for the record since folks will be installing RSU 0801 and it threw us for a bit this morning.

Put2prod may fail on building the helpseg if the segment is too small. It was C00-CFF on 3 of our systems, and C00-DFF on the other 4. The message doesn't give you a clue about what it is:

DMSGEN1279E Error(s) occurred during SEGGEN processing.
VMFBDS1965E The command, SEGGEN HELPSEG PSEG A SYSTEM SEGID D2 ( NOTYPE, failed with return code 32
VMFBLD1851E (1 of 1) VMFBDSEG completed with return code 100. Some objects were not built

If it happens, go into VMFSGMAP SEGBLD ESASEGS SEGBLIST, change the HELPSEG object, and file that. (The VM/SES intro and reference has the doc on VMFSGMAP.) Then just rerun put2prod.

Marcy
Re: RACF and protecting against the unknown
On Sat, Jul 12, 2008 at 8:03 AM, Leland Lucius [EMAIL PROTECTED] wrote:

> We have removed the password from MAINT and the 2 of us sysprog wannabes have set up RACF to allow us to LOGONBY to MAINT. Works beautifully. But, what would happen if some malicious individual decided to attempt sufficient invalid logons to cause our IDs to be revoked? How would we ever get back to MAINT? Now, add the security admin's ID to the mix. Then what?

Yep. First, the idea is that the userids of the individuals who have LOGONBY are not disclosed, so the chance of hitting (all) of them is smaller (except that we found Q BYUSER practical, which does reveal this kind of info).

As a next safety net, you could set up a group special who could resume you if you get revoked, or have OPERATOR be group special of IBMUSER (assuming OPERATOR will be logged on already while the system is running). This stuff is audited, so it's not that someone could sneak in like this without showing.

> Also, any war stories about getting into a situation where no one could log on due to RACF being unavailable? Should we be concerned about a case like this? What recovery is possible?

Yes... our security officer started to look at Consul/RACF listings and started to remove profiles that his software did not understand, and then activated classes that he felt were good to enable, and then remembered his appointment with the dentist that afternoon, so he left for the weekend. I was paged in the weekend when the system would not come up after the IPL. I believe I was there several hours to get the system going again.

Rob
Re: RACF and protecting against the unknown
Leland,

I haven't verified it, but if what you posit occurs, and you could access OPERATOR's console, how about:

CP SET SECUSER RACFVM *                              * Make OPERATOR secuser of RACFVM
CP SEND RACFVM blah blah command to unrevoke yourid  * I don't know the command

or

CP XAUTOLOG racf_admin_id
CP SET SECUSER racf_admin_id *
CP SEND racf_admin_id blah blah command to unrevoke yourid

If all else fails, disable RACF and use the CP directory passwords for MAINT and others (you know what they are, right?) and restore a backup of the RACF database in which yourid's not revoked (and you remember your logon password restored by the old backup):

CP SEND RACFVM SET RACF INACTIVE

and then reply YES to its prompt to OPERATOR.

-----Original Message-----
From: The IBM z/VM Operating System on behalf of Rob van der Heij
Sent: Sat 7/12/2008 4:54 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: RACF and protecting against the unknown

> [Rob's reply, quoted above in full]
Re: RACF and protecting against the unknown
Thanks Rob and John. I'll set me up a 2nd-level VM and give y'all's ideas a try.

Leland