Re: Building NonRACF CP Module
Since z/VM 5.2, CP uses DAT itself, so it can map 64 bit real addresses in its 32 bit address space (that's how I understand it). CP's view of the storage is called LOGICAL storage, hence the L in ST HL.

2007/3/23, Rich Greenberg <[EMAIL PROTECTED]>:

On: Fri, Mar 23, 2007 at 05:45:46PM +0100,Colin Allinson Wrote:

} I guess this is how I really should do it but, as we are talking about a
} system with no RACF installed, I quite like the little workaround supplied
} by Rich Greenberg. Incidentally, I have tested this and it works very well
} although, on our 5.x systems, we need to use STORE HL.

Thanks Colin. I assume that the change to STORE is an artifact of 64 bits? I retired just before my employer went to 64 bit VM.

--
Rich Greenberg  N Ft Myers, FL, USA  richgr atsign panix.com  + 1 239 543 1353
Eastern time.  N6LRT  I speak for myself & my dogs only.  VM'er since CP-67
Canines:Val, Red, Shasta & Casey (RIP), Red & Zero, Siberians  Owner:Chinook-L
Retired at the beach  Asst Owner:Sibernet-L

--
Kris Buelens,
IBM Belgium, VM customer support
Re: Building NonRACF CP Module
On: Fri, Mar 23, 2007 at 05:45:46PM +0100,Colin Allinson Wrote:

} I guess this is how I really should do it but, as we are talking about a
} system with no RACF installed, I quite like the little workaround supplied
} by Rich Greenberg. Incidentally, I have tested this and it works very well
} although, on our 5.x systems, we need to use STORE HL.

Thanks Colin. I assume that the change to STORE is an artifact of 64 bits? I retired just before my employer went to 64 bit VM.

--
Rich Greenberg  N Ft Myers, FL, USA  richgr atsign panix.com  + 1 239 543 1353
Eastern time.  N6LRT  I speak for myself & my dogs only.  VM'er since CP-67
Canines:Val, Red, Shasta & Casey (RIP), Red & Zero, Siberians  Owner:Chinook-L
Retired at the beach  Asst Owner:Sibernet-L
Re: Building NonRACF CP Module
I'll check it out if and when I get a system back.

Regards,
Richard Schuh

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Bob Bolch
Sent: Friday, March 23, 2007 11:23 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Building NonRACF CP Module

I mis-remembered. My files show it's on the VMSECURE 192.

Bob Bolch

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Schuh, Richard
Sent: Friday, March 23, 2007 1:44 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Building NonRACF CP Module

We do not seem to have that command, at least not on the 176 disk. I cannot check further as our VM systems are all down due to a h/w failure that occurred at 1:00 am this morning.

Regards,
Richard Schuh
Re: Building NonRACF CP Module
I mis-remembered. My files show it's on the VMSECURE 192.

Bob Bolch

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Schuh, Richard
Sent: Friday, March 23, 2007 1:44 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Building NonRACF CP Module

We do not seem to have that command, at least not on the 176 disk. I cannot check further as our VM systems are all down due to a h/w failure that occurred at 1:00 am this morning.

Regards,
Richard Schuh
Re: Building NonRACF CP Module
Look on VMSECURE 192.

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Schuh, Richard
Sent: March 23, 2007 13:44
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Building NonRACF CP Module

We do not seem to have that command, at least not on the 176 disk. I cannot check further as our VM systems are all down due to a h/w failure that occurred at 1:00 am this morning.

Regards,
Richard Schuh

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Bob Bolch
Sent: Friday, March 23, 2007 8:42 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Building NonRACF CP Module

If something doesn't meet your requirements, our support folks would be happy to create an enhancement request for you. As Dennis pointed out, using this command isn't really much different than just taking down the VM:Secure server. Taking down the server seems preferable to me, in that the special users defined in VMXRPI CONFIG are allowed to do things to aid in recovering your system.

If this debug command helps you, that's fine. If something else would satisfy your business needs, please elaborate on your needs through our requirements process.

Bob Bolch

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Stracka, James (GTI)
Sent: Friday, March 23, 2007 9:30 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Building NonRACF CP Module

No wonder it is not documented. It is a nasty command as it does not display on the VM:SECURE console nor the audit disk that anyone has executed that VMXYZZY command.
Re: Building NonRACF CP Module
We do not seem to have that command, at least not on the 176 disk. I cannot check further as our VM systems are all down due to a h/w failure that occurred at 1:00 am this morning.

Regards,
Richard Schuh

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Bob Bolch
Sent: Friday, March 23, 2007 8:42 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Building NonRACF CP Module

If something doesn't meet your requirements, our support folks would be happy to create an enhancement request for you. As Dennis pointed out, using this command isn't really much different than just taking down the VM:Secure server. Taking down the server seems preferable to me, in that the special users defined in VMXRPI CONFIG are allowed to do things to aid in recovering your system.

If this debug command helps you, that's fine. If something else would satisfy your business needs, please elaborate on your needs through our requirements process.

Bob Bolch

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Stracka, James (GTI)
Sent: Friday, March 23, 2007 9:30 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Building NonRACF CP Module

No wonder it is not documented. It is a nasty command as it does not display on the VM:SECURE console nor the audit disk that anyone has executed that VMXYZZY command.
Re: Building NonRACF CP Module
Thank you to everyone who has responded to this - particularly for the examples of how to do the PPFs for this.

I guess this is how I really should do it but, as we are talking about a system with no RACF installed, I quite like the little workaround supplied by Rich Greenberg. Incidentally, I have tested this and it works very well although, on our 5.x systems, we need to use STORE HL.

Colin G Allinson
Technical Manager VM
Amadeus Data Processing GmbH
T +49 (0) 8122-43 49 75
F +49 (0) 8122-43 32 60
[EMAIL PROTECTED]
http://www.amadeus.com
Re: Building NonRACF CP Module
If something doesn't meet your requirements, our support folks would be happy to create an enhancement request for you. As Dennis pointed out, using this command isn't really much different than just taking down the VM:Secure server. Taking down the server seems preferable to me, in that the special users defined in VMXRPI CONFIG are allowed to do things to aid in recovering your system. If this debug command helps you, that's fine. If something else would satisfy your business needs, please elaborate on your needs through our requirements process. Bob Bolch -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Stracka, James (GTI) Sent: Friday, March 23, 2007 9:30 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Building NonRACF CP Module No wonder it is not documented. It is a nasty command as it does not display on the VM:SECURE console nor the audit disk that anyone has executed that VMXYZZY command.
Re: Building NonRACF CP Module
No wonder it is not documented. It is a nasty command as it does not display on the VM:SECURE console nor the audit disk that anyone has executed that VMXYZZY command.

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of O'Brien, Dennis L
Sent: Thursday, March 22, 2007 4:10 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Building NonRACF CP Module

Richard,
I saw Bob Bolch's note about the undocumented command. We've never needed to use it, because VM:Secure has a list of userids and ACI groups in VMXRPI CONFIG that have special powers when VM:Secure is down. That, and the fact that passwords are stored in the directory, have given us all the capability that we've needed when VM:Secure is down.

Dennis O'Brien

I miss the old Star [Jones], who said "talk to the hand", and the hand was covered with powdered sugar. -- Bill Maher

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Schuh, Richard
Sent: Thursday, March 22, 2007 09:19
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] Building NonRACF CP Module

I heartily concur. It would be nice if VM:Secure had the same capability.

Regards,
Richard Schuh

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Bill Munson
Sent: Thursday, March 22, 2007 7:41 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Building NonRACF CP Module

COOL - what a great feature!

munson

Alan Altmark wrote:
> On Thursday, 03/22/2007 at 08:54 EST, Sebastian Welton <[EMAIL PROTECTED]>
> wrote:
>> I've had to do this where RACF was shared with MVS systems. If the MVS
>> systems went down then VM was pretty much stuffed so we then just needed to
>> IPL with the alternate CPLOAD module. Naturally no RACF was available but
>> the way VM is built it's pretty much secure for the average user. In fact
>> googling showed a posting from me about this:
>>
>> http://listserv.uark.edu/scripts/wa.exe?A2=ind9711&L=ibmvm&T=0&P=34282
>
> If anyone cares, you can CP SEND RACFVM SETRACF INACTIVE. This will cause
> the CP-resident RACF code to begin to defer all requests back to CP, as
> though RACF is not present, including LOGON. You don't have to deactivate
> any classes or change any permissions. No auditing is performed.
>
> RACF will, however, prompt the OPERATOR for confirmation. A SETRACF
> ACTIVE will start the wheels turning again and the OPERATOR will be
> informed (but not prompted).
>
> Alan Altmark
> z/VM Development
> IBM Endicott
Re: Building NonRACF CP Module
Richard,
I saw Bob Bolch's note about the undocumented command. We've never needed to use it, because VM:Secure has a list of userids and ACI groups in VMXRPI CONFIG that have special powers when VM:Secure is down. That, and the fact that passwords are stored in the directory, have given us all the capability that we've needed when VM:Secure is down.

Dennis O'Brien

I miss the old Star [Jones], who said "talk to the hand", and the hand was covered with powdered sugar. -- Bill Maher

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Schuh, Richard
Sent: Thursday, March 22, 2007 09:19
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] Building NonRACF CP Module

I heartily concur. It would be nice if VM:Secure had the same capability.

Regards,
Richard Schuh

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Bill Munson
Sent: Thursday, March 22, 2007 7:41 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Building NonRACF CP Module

COOL - what a great feature!

munson

Alan Altmark wrote:
> On Thursday, 03/22/2007 at 08:54 EST, Sebastian Welton <[EMAIL PROTECTED]>
> wrote:
>> I've had to do this where RACF was shared with MVS systems. If the MVS
>> systems went down then VM was pretty much stuffed so we then just needed to
>> IPL with the alternate CPLOAD module. Naturally no RACF was available but
>> the way VM is built it's pretty much secure for the average user. In fact
>> googling showed a posting from me about this:
>>
>> http://listserv.uark.edu/scripts/wa.exe?A2=ind9711&L=ibmvm&T=0&P=34282
>
> If anyone cares, you can CP SEND RACFVM SETRACF INACTIVE. This will cause
> the CP-resident RACF code to begin to defer all requests back to CP, as
> though RACF is not present, including LOGON. You don't have to deactivate
> any classes or change any permissions. No auditing is performed.
>
> RACF will, however, prompt the OPERATOR for confirmation. A SETRACF
> ACTIVE will start the wheels turning again and the OPERATOR will be
> informed (but not prompted).
>
> Alan Altmark
> z/VM Development
> IBM Endicott
Re: Building NonRACF CP Module
Now the cat is out of the bag. I have asked if there was a way to do this several times over the years; however, not in this forum. Nobody ever offered this command. Thanks.

Regards,
Richard Schuh

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Bob Bolch
Sent: Thursday, March 22, 2007 11:02 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Building NonRACF CP Module

VM:Secure has an undocumented command for this purpose. It requires that the issuer ID be authorized by having an IUCV *RPI record in its directory entry. The command is (believe it or not):

    VMXYZZY [ENABLE|DISABLE]

to DISABLE or ENABLE VM:Secure rules processing. ACI calls are deferred to CP when processing is disabled. However, LINK and LOGON commands are still processed by the VM:Secure CP code, so that encrypted passwords in the object directory are resolved properly.

The module is on the VMRMAINT 176, I believe.

Bob Bolch

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Schuh, Richard
Sent: Thursday, March 22, 2007 12:19 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Building NonRACF CP Module

I heartily concur. It would be nice if VM:Secure had the same capability.

Regards,
Richard Schuh
Re: Building NonRACF CP Module
On Mar 22, 2007, at 1:07 PM, Neale Ferguson wrote: Too many games of adventur [sic] for those developers me thinks... ITYM ADVENT [sic] Adam
Re: Building NonRACF CP Module
Too many games of adventur [sic] for those developers me thinks... On Thu, 2007-03-22 at 14:02 -0400, Bob Bolch wrote: > VMXYZZY [ENABLE|DISABLE]
Re: Building NonRACF CP Module
VM:Secure has an undocumented command for this purpose. It requires that the issuer ID be authorized by having an IUCV *RPI record in its directory entry. The command is (believe it or not):

    VMXYZZY [ENABLE|DISABLE]

to DISABLE or ENABLE VM:Secure rules processing. ACI calls are deferred to CP when processing is disabled. However, LINK and LOGON commands are still processed by the VM:Secure CP code, so that encrypted passwords in the object directory are resolved properly.

The module is on the VMRMAINT 176, I believe.

Bob Bolch

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Schuh, Richard
Sent: Thursday, March 22, 2007 12:19 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Building NonRACF CP Module

I heartily concur. It would be nice if VM:Secure had the same capability.

Regards,
Richard Schuh
Re: Building NonRACF CP Module
My override makes I run

    VMFBLD ZVM CPNORACF CPLOAD * NUCTARG MODULE MODNAME CPNORACF (ALL

(which is buried in an exec of a few lines)

--
Kris Buelens,
IBM Belgium, VM customer support
Re: Building NonRACF CP Module
While I do use a different name for my PPF file (POL PPF), I think the important thing to change is the *component* name. IBM has CP in ZVM (do you really use those long complicated base PPF names?), so I could have CPTYPE1 CPTYPE2 etc. Or, as I really do have: CPTEST CPPROD. (Since I am using a different PPF name I also allowed myself a component named CP).

Shimon

On 22 Mar 2007 at 13:15, Alan Altmark wrote:

> On Thursday, 03/22/2007 at 12:40 AST, David Kreuter
> <[EMAIL PROTECTED]> wrote:
> > Why do you endorse circumventing ppf override?
>
> If the override can be a different name than the base, that's ok. You
> don't want to end up with a modified (via overrides) 5VMCPRxx PPF, as
> that would mess up the "real" CP builds. You want something like
> "NORACF PPF".
>
> I last created a PPF override some 10 years ago and I'm too lazy to
> look it up in the book. :-)
>
> Alan Altmark
> z/VM Development
> IBM Endicott

--
Shimon Lebowitz  mailto:[EMAIL PROTECTED]
VM System Programmer . Israel Police National HQ.
http://www.poboxes.com/shimonpgp
Jerusalem, Israel  phone: +972 2 542-9877  fax: 542-9308
Re: Building NonRACF CP Module
On: Thu, Mar 22, 2007 at 01:11:33PM -0400,David Kreuter Wrote:

} Storing into CP? What does this gain that SEND RACFVM SETRACF INACTIVE doesn't?

You can't do the SEND if RACFVM is dead and can't/won't come up.

} Issuer will need class C or E.

Which OPERATOR normally has. See the notes I added in another post.

--
Rich Greenberg  N Ft Myers, FL, USA  richgr atsign panix.com  + 1 239 543 1353
Eastern time.  N6LRT  I speak for myself & my dogs only.  VM'er since CP-67
Canines:Val, Red, Shasta & Casey (RIP), Red & Zero, Siberians  Owner:Chinook-L
Retired at the beach  Asst Owner:Sibernet-L
Re: Building NonRACF CP Module
On: Thu, Mar 22, 2007 at 01:10:57PM -0400,Rich Greenberg Wrote:

} Here is an exec that can disable RACF:

I should have clarified why and when you would use this exec.

Why: The RACF server can't be brought up or its database is missing or . and you need to get some functionally up and running. Once the bits in HCPRWA are cleared, it's as if there is no RACF and the usual CP controls take over.

When: As soon as OPERATOR is up and running after an IPL. Run it on OPERATOR of course, no other users can log on.

} /* Disable RACF.
}
}    Use with CAUTION!
} */
}
} false = (1=0)
} true = (1=1)
} Address COMMAND
} Trace O
}
} /*
}    See if RACFVM is logged on.
}    Proceed ONLY if it's not.
} */
} 'CP QUERY USER RACFVM'
} if rc = 0
}    then do
}       say 'RACFVM is logged on.'
}       say 'Enter "YES" to continue, anything else to abort.'
}       parse upper external qq
}       if qq ^= 'YES'
}          then exit 8
}    end
}
} 'PIPE CP LOCATE HCPRWA',
}    '| Specs w3 1',
}    '| Specs /STORE H/ 1 w1 n /0/ nw',
}    '| CP'
}
} if rc = 0
}    then say 'RACF disabled.'
}    else say 'Disable of RACF failed.'
}
} exit rc
}
}
} --
} Rich Greenberg  N Ft Myers, FL, USA  richgr atsign panix.com  + 1 239 543 1353
} Eastern time.  N6LRT  I speak for myself & my dogs only.  VM'er since CP-67
} Canines:Val, Red, Shasta & Casey (RIP), Red & Zero, Siberians  Owner:Chinook-L
} Retired at the beach  Asst Owner:Sibernet-L

--
Rich Greenberg  N Ft Myers, FL, USA  richgr atsign panix.com  + 1 239 543 1353
Eastern time.  N6LRT  I speak for myself & my dogs only.  VM'er since CP-67
Canines:Val, Red, Shasta & Casey (RIP), Red & Zero, Siberians  Owner:Chinook-L
Retired at the beach  Asst Owner:Sibernet-L
Re: Building NonRACF CP Module
On Thursday, 03/22/2007 at 01:10 AST, Rich Greenberg <[EMAIL PROTECTED]> wrote: > Here is an exec that can disable RACF: Poking into CP? What's that all about? On your system please make sure no one has access to the STORE.C profile and that STORE.C is controlled. Your sysprogs are dangerous! :-) Alan Altmark z/VM Development IBM Endicott
Re: Building NonRACF CP Module
I'm lazy too, and confess to doing something similar. But the official way would be to create an override, do your work, and regress back to the original.

-----Original Message-----
From: The IBM z/VM Operating System on behalf of Alan Altmark
Sent: Thu 3/22/2007 1:15 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] Building NonRACF CP Module

On Thursday, 03/22/2007 at 12:40 AST, David Kreuter <[EMAIL PROTECTED]> wrote:
> Why do you endorse circumventing ppf override?

If the override can be a different name than the base, that's ok. You don't want to end up with a modified (via overrides) 5VMCPRxx PPF, as that would mess up the "real" CP builds. You want something like "NORACF PPF".

I last created a PPF override some 10 years ago and I'm too lazy to look it up in the book. :-)

Alan Altmark
z/VM Development
IBM Endicott
Re: Building NonRACF CP Module
On Thursday, 03/22/2007 at 12:40 AST, David Kreuter <[EMAIL PROTECTED]> wrote:
> Why do you endorse circumventing ppf override?

If the override can be a different name than the base, that's ok. You don't want to end up with a modified (via overrides) 5VMCPRxx PPF, as that would mess up the "real" CP builds. You want something like "NORACF PPF".

I last created a PPF override some 10 years ago and I'm too lazy to look it up in the book. :-)

Alan Altmark
z/VM Development
IBM Endicott
Re: Building NonRACF CP Module
Storing into CP? What does this gain that SEND RACFVM SETRACF INACTIVE doesn't? Issuer will need class C or E.

David

-----Original Message-----
From: The IBM z/VM Operating System on behalf of Rich Greenberg
Sent: Thu 3/22/2007 1:10 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] Building NonRACF CP Module

Here is an exec that can disable RACF:

/* Disable RACF.

   Use with CAUTION!
*/

false = (1=0)
true = (1=1)
Address COMMAND
Trace O

/*
   See if RACFVM is logged on.
   Proceed ONLY if it's not.
*/
'CP QUERY USER RACFVM'
if rc = 0
   then do
      say 'RACFVM is logged on.'
      say 'Enter "YES" to continue, anything else to abort.'
      parse upper external qq
      if qq ^= 'YES'
         then exit 8
   end

'PIPE CP LOCATE HCPRWA',
   '| Specs w3 1',
   '| Specs /STORE H/ 1 w1 n /0/ nw',
   '| CP'

if rc = 0
   then say 'RACF disabled.'
   else say 'Disable of RACF failed.'

exit rc

--
Rich Greenberg  N Ft Myers, FL, USA  richgr atsign panix.com  + 1 239 543 1353
Eastern time.  N6LRT  I speak for myself & my dogs only.  VM'er since CP-67
Canines:Val, Red, Shasta & Casey (RIP), Red & Zero, Siberians  Owner:Chinook-L
Retired at the beach  Asst Owner:Sibernet-L
Re: Building NonRACF CP Module
Here is an exec that can disable RACF:

/* Disable RACF.

   Use with CAUTION!
*/

false = (1=0)
true = (1=1)
Address COMMAND
Trace O

/*
   See if RACFVM is logged on.
   Proceed ONLY if it's not.
*/
'CP QUERY USER RACFVM'
if rc = 0
   then do
      say 'RACFVM is logged on.'
      say 'Enter "YES" to continue, anything else to abort.'
      parse upper external qq
      if qq ^= 'YES'
         then exit 8
   end

'PIPE CP LOCATE HCPRWA',
   '| Specs w3 1',
   '| Specs /STORE H/ 1 w1 n /0/ nw',
   '| CP'

if rc = 0
   then say 'RACF disabled.'
   else say 'Disable of RACF failed.'

exit rc

--
Rich Greenberg  N Ft Myers, FL, USA  richgr atsign panix.com  + 1 239 543 1353
Eastern time.  N6LRT  I speak for myself & my dogs only.  VM'er since CP-67
Canines:Val, Red, Shasta & Casey (RIP), Red & Zero, Siberians  Owner:Chinook-L
Retired at the beach  Asst Owner:Sibernet-L
Re: Building NonRACF CP Module
I wondered the same thing. It appears to be at odds with everything Alan and Chuckie have taught us.

Jim

David Kreuter wrote:

Why do you endorse circumventing ppf override?
David

Alan said:
The general idea is:
1. Copy your 5vmcp... PPF file to something else. Don't do an override.
Re: Building NonRACF CP Module
Why do you endorse circumventing ppf override?

David

Alan said:
The general idea is:
>1. Copy your 5vmcp... PPF file to something else. Don't do an override.
Re: Building NonRACF CP Module
On Thursday, 03/22/2007 at 03:52 CET, Colin Allinson <[EMAIL PROTECTED]> wrote:
> The circumstance I am thinking about is where we have one (limited use) system
> that has no RACF database and no RACFVM server. RACF would not be enabled in
> the SYSTEM CONFIG (RACF will not be licensed on this processor so the code will
> not be installed).

In this case, building the system without the RACF modules is the right choice, IMO.

The general idea is:
1. Copy your 5vmcp... PPF file to something else. Don't do an override.
2. Add a new disk to the :DCL section that is where you want the CP nuc to be written.
3. Remove the LOCALMOD reference from the :MDA section
4. Add your new disk to the :MDA section (before the BASE)
5. Change the CPLOAD entry in the :BLD section to use the new disk instead of the current value

You should then be able to VMFBUILD with the new PPF and get a current copy of CP. After applying CP service, you will have to build the nuc manually as nothing in SES will know about it or automatically build it.

If you use the $NUC file on MAINT's A-disk after you build a RACF nuc, you'll want to stash it somewhere or rename it before you VMFBUILD since it will be replaced.

I haven't tested the above procedure, but I did have the advice of the VM installation & service folks. :-) Any mistakes are mine..er... Chuckie's...yeah, Chuckie's

Alan Altmark
z/VM Development
IBM Endicott
Re: Building NonRACF CP Module
I heartily concur. It would be nice if VM:Secure had the same capability. Regards, Richard Schuh -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Bill Munson Sent: Thursday, March 22, 2007 7:41 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Building NonRACF CP Module COOL - what a great feature! munson Alan Altmark wrote: > On Thursday, 03/22/2007 at 08:54 EST, Sebastian Welton <[EMAIL PROTECTED]> > wrote: >> I've had to do this where RACF was shared with MVS systems. If the MVS >> systems went down then VM was pretty much stuffed so we then just needed > to >> IPL with the alternate CPLOAD module. Naturally no RACF was available > but >> the way VM is built its pretty much secure for the average user. In fact >> googling showed a posting from me about this: >> >> http://listserv.uark.edu/scripts/wa.exe?A2=ind9711&L=ibmvm&T=0&P=34282 > > If anyone cares, you can CP SEND RACFVM SETRACF INACTIVE. This will cause > the CP-resident RACF code to begin to defer all requests back to CP, as > though RACF is not present, including LOGON. You don't have to deactivate > any classes or change any permissions. No auditing is performed. > > RACF will, however, prompt the OPERATOR for confirmation. A SETRACF > ACTIVE will start the wheels turning again and the OPERATOR will be > informed (but not prompted). > > Alan Altmark > z/VM Development > IBM Endicott >
Re: Building NonRACF CP Module
I create a non-RACF CP nuc for cases where we would not be able to start-up RACFVM, nor RACMAINT, so SETRACF INACTIVE would not be possible. (e.g. RACF DB on 200 & 300 damaged). We never needed it since we started with VM about 18 years ago. *Alan Altmark <[EMAIL PROTECTED]>* wrote: If anyone cares, you can CP SEND RACFVM SETRACF INACTIVE. This will cause the CP-resident RACF code to begin to defer all requests back to CP, as though RACF is not present, including LOGON. You don't have to deactivate any classes or change any permissions. No auditing is performed. RACF will, however, prompt the OPERATOR for confirmation. A SETRACF ACTIVE will start the wheels turning again and the OPERATOR will be informed (but not prompted). -- Kris Buelens, IBM Belgium, VM customer support
Re: Building NonRACF CP Module
Alan Altmark <[EMAIL PROTECTED]> wrote: > If anyone cares, you can CP SEND RACFVM SETRACF INACTIVE. This will cause > the CP-resident RACF code to begin to defer all requests back to CP, as > though RACF is not present, including LOGON. You don't have to deactivate > any classes or change any permissions. No auditing is performed. > RACF will, however, prompt the OPERATOR for confirmation. A SETRACF > ACTIVE will start the wheels turning again and the OPERATOR will be > informed (but not prompted). I did know about this but it had not occurred to me that we might be able to use it. The circumstance I am thinking about is where we have one (limited use) system that has no RACF database and no RACFVM server. RACF would not be enabled in the SYSTEM CONFIG (RACF will not be licensed on this processor so the code will not be installed). It would be nice, if possible, to use the same CPLOAD MODULE (including the RACF calls) that we generate for our other systems but the only way that seems possible would be to use the RACF 'cuckoo code fake RACF server' suggested by Rob - if we can find a way to get it to defer back to CP for normal directory password checking. The other situation is in my 2nd level build system where I also have no RACF database available. I have seen all the suggestions for selectable PPF files and will probably go with something based on that. Because I want the normal build (including RACFVM) to be completely standard (SERVICE ALL & PUT2PROD), I will probably build a PPF override file for NONRACF only that will do a Non - RACF build after all the normal service and build has been done. Colin G Allinson Technical Manager VM Amadeus Data Processing GmbH T +49 (0) 8122-43 49 75 F +49 (0) 8122-43 32 60 [EMAIL PROTECTED] http://www.amadeus.com
Re: Building NonRACF CP Module
Alan: Will this command also work with "other" products - like Top Secret? David Wakser InfoCrossing > > If anyone cares, you can CP SEND RACFVM SETRACF INACTIVE. This will > cause the CP-resident RACF code to begin to defer all requests back to > CP, as though RACF is not present, including LOGON. You don't have to > deactivate any classes or change any permissions. No auditing is performed. > > RACF will, however, prompt the OPERATOR for confirmation. A SETRACF > ACTIVE will start the wheels turning again and the OPERATOR will be > informed (but not prompted). > > Alan Altmark > z/VM Development > IBM Endicott >
Re: Building NonRACF CP Module
COOL - what a great feature! munson Alan Altmark wrote: On Thursday, 03/22/2007 at 08:54 EST, Sebastian Welton <[EMAIL PROTECTED]> wrote: I've had to do this where RACF was shared with MVS systems. If the MVS systems went down then VM was pretty much stuffed so we then just needed to IPL with the alternate CPLOAD module. Naturally no RACF was available but the way VM is built its pretty much secure for the average user. In fact googling showed a posting from me about this: http://listserv.uark.edu/scripts/wa.exe?A2=ind9711&L=ibmvm&T=0&P=34282 If anyone cares, you can CP SEND RACFVM SETRACF INACTIVE. This will cause the CP-resident RACF code to begin to defer all requests back to CP, as though RACF is not present, including LOGON. You don't have to deactivate any classes or change any permissions. No auditing is performed. RACF will, however, prompt the OPERATOR for confirmation. A SETRACF ACTIVE will start the wheels turning again and the OPERATOR will be informed (but not prompted). Alan Altmark z/VM Development IBM Endicott
Re: Building NonRACF CP Module
On Thursday, 03/22/2007 at 08:54 EST, Sebastian Welton <[EMAIL PROTECTED]> wrote:
> I've had to do this where RACF was shared with MVS systems. If the MVS
> systems went down then VM was pretty much stuffed so we then just needed to
> IPL with the alternate CPLOAD module. Naturally no RACF was available but
> the way VM is built it's pretty much secure for the average user. In fact
> googling showed a posting from me about this:
>
> http://listserv.uark.edu/scripts/wa.exe?A2=ind9711&L=ibmvm&T=0&P=34282

If anyone cares, you can CP SEND RACFVM SETRACF INACTIVE. This will cause the CP-resident RACF code to begin to defer all requests back to CP, as though RACF is not present, including LOGON. You don't have to deactivate any classes or change any permissions. No auditing is performed.

RACF will, however, prompt the OPERATOR for confirmation. A SETRACF ACTIVE will start the wheels turning again and the OPERATOR will be informed (but not prompted).

Alan Altmark
z/VM Development
IBM Endicott
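
Added example, not part of the original posts and not IBM code: because no auditing is performed while SETRACF INACTIVE is in effect, a reviewer may want to list those windows from a saved console log. The log layout, the sample lines and the function name `unaudited_windows` are assumptions constructed for this illustration.

```python
import re
from datetime import datetime

# Constructed sample console log. The "timestamp userid: text" layout is an
# assumption made for this example, not real z/VM console output.
SAMPLE_LOG = """\
2007-03-22 00:58:10 OPERATOR: CP QUERY NAMES
2007-03-22 01:00:05 OPERATOR: CP SEND RACFVM SETRACF INACTIVE
2007-03-22 01:20:00 MAINT: CP SEND RACFVM SETRACF INACTIVE
2007-03-22 03:15:40 OPERATOR: CP SEND RACFVM SETRACF ACTIVE
2007-03-22 09:30:00 MAINT: cp send racfvm setracf inactive
2007-03-22 09:45:00 OPERATOR: CP QUERY NAMES
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+): (.*)$")
SETRACF = re.compile(r"\bSETRACF\s+(INACTIVE|ACTIVE)\b", re.IGNORECASE)

def unaudited_windows(log_text):
    """Return (start, end, issuer, closed) for each span with RACF inactive.

    A window opens at the first SETRACF INACTIVE (command time, the earliest
    point at which auditing could have stopped) and closes at the next
    SETRACF ACTIVE. A window still open when the log ends is returned with
    closed=False and end set to the last timestamp seen.
    """
    windows, start, issuer, last_ts = [], None, None, None
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # continuation or unparseable line
        last_ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        cmd = SETRACF.search(m.group(3))
        if not cmd:
            continue
        state = cmd.group(1).upper()
        if state == "INACTIVE" and start is None:
            start, issuer = last_ts, m.group(2)  # ignore repeats while inactive
        elif state == "ACTIVE" and start is not None:
            windows.append((start, last_ts, issuer, True))
            start = None
    if start is not None:  # never reactivated within this log
        windows.append((start, last_ts, issuer, False))
    return windows

if __name__ == "__main__":
    for start, end, issuer, closed in unaudited_windows(SAMPLE_LOG):
        print(start, end, end - start, issuer, "closed" if closed else "STILL OPEN")
```

A window reported as still open means the log ends without a matching SETRACF ACTIVE, so activity after that point also needs review from other records.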
Re: Building NonRACF CP Module
I've had to do this where RACF was shared with MVS systems. If the MVS systems went down then VM was pretty much stuffed so we then just needed to IPL with the alternate CPLOAD module. Naturally no RACF was available but the way VM is built it's pretty much secure for the average user. In fact googling showed a posting from me about this:

http://listserv.uark.edu/scripts/wa.exe?A2=ind9711&L=ibmvm&T=0&P=34282

Seb
Re: Building NonRACF CP Module
I too use some PPF overrides to make one CP nucleus with and one without RACF. A piece of cake if you master PPFs. I don't have the details here.

--
Kris Buelens, IBM Belgium, VM customer support
Re: Building NonRACF CP Module
A long time ago (1992) I had an EXEC I wrote that, after running setup, looked for a cntrl file set up for RACF. RACF was installed as a LOCAL MOD back then.

'State HCPVM CNTRLIBM * '

If it was there then RACF was on the system; if not, then RACF was not on the system (in the nucleus). There was an option to remove or add RACF to the system so that the CP Nucleus could be generated with RACF or not. (Technically RACF was always on the system.) The remove or add was a long list of renaming CNTRL, AUX, TXT, and LCL files. When the CP nucleus was generated it either found RACF or not.

ADP at this time had over 50+ VM systems running with all kinds of work loads so some had RACF some did not. And this was the easiest way to do it. Should still work today.

Bill Munson
IT Specialist
Office of Information Technology
State of New Jersey
(609) 984-4065
President MVMUA
http://www.marist.edu/~mvmua

Colin Allinson wrote:
> We have RACF as our ESM and the RACF hooks are integrated into the CP
> build as per the RACF program directory.
>
> Occasionally I would like to build an updated Non-RACF CPLOAD MODULE for
> our build/maintenance system and one other small server that don't have an
> ESM.
>
> Up to now we have built just one Non-RACF system at the start and just
> stayed with that - not ideal without any service applied.
>
> Is there an easy way to switch between a RACF and a Non-RACF CP build.
>
> Colin G Allinson
> Technical Manager VM
> Amadeus Data Processing GmbH
> T +49 (0) 8122-43 49 75
> F +49 (0) 8122-43 32 60
> [EMAIL PROTECTED]
> http://www.amadeus.com
Re: Building NonRACF CP Module
I have one system with VMSECURE as the ESM, and one with my own "esm" (haha). I use two PPF files, but I won't be in the office till Thursday, and I don't remember exactly what the differences are. I seem to remember that I have 'conditional overrides' in a CNTL file too.

I hope to send a better answer on Thursday. :-)

Shimon

> We have RACF as our ESM and the RACF hooks are integrated into the CP
> build as per the RACF program directory.
>
> Occasionally I would like to build an updated Non-RACF CPLOAD MODULE for
> our build/maintenance system and one other small server that don't have an
> ESM.
>
> Up to now we have built just one Non-RACF system at the start and just
> stayed with that - not ideal without any service applied.
>
> Is there an easy way to switch between a RACF and a Non-RACF CP build.
>
> Colin G Allinson
> Technical Manager VM
> Amadeus Data Processing GmbH
> T +49 (0) 8122-43 49 75
> F +49 (0) 8122-43 32 60
> [EMAIL PROTECTED]
> http://www.amadeus.com

--
Shimon Lebowitz              mailto:[EMAIL PROTECTED]
VM System Programmer         mailto:[EMAIL PROTECTED]
Israel Police National HQ.   http://www.poboxes.com/shimonpgp
Jerusalem, Israel            phone: +972 2 530-9877  fax: 530-9308
Re: Building NonRACF CP Module
Colin,

I don't have experience with RACF, so I'm not sure if it is installed as "a LOCALMOD" to the LOCALMOD disk/directory. If it is, we do this type of thing all the time. Each test system has its own PPF that points to a unique LOCALMOD disk/directory for CP and CMS corresponding to how we want that server configured (VM:Secure, ACF2, TSS, V/Seg, no V/Seg, etc.). The rest of the IBM code is all maintained and serviced on the primary test system. Then, as needed, we do a VMFBUILD on the other systems that share the system code to incorporate the IBM maintenance ...

JR (Steven) Imler
CA
Senior Software Engineer
Tel: +1 703 708 3479
Fax: +1 703 708 3267
[EMAIL PROTECTED]

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Colin Allinson
Sent: Tuesday, March 20, 2007 10:17 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Building NonRACF CP Module

We have RACF as our ESM and the RACF hooks are integrated into the CP build as per the RACF program directory.

Occasionally I would like to build an updated Non-RACF CPLOAD MODULE for our build/maintenance system and one other small server that don't have an ESM.

Up to now we have built just one Non-RACF system at the start and just stayed with that - not ideal without any service applied.

Is there an easy way to switch between a RACF and a Non-RACF CP build.

Colin G Allinson
Technical Manager VM
Amadeus Data Processing GmbH
T +49 (0) 8122-43 49 75
F +49 (0) 8122-43 32 60
[EMAIL PROTECTED]
http://www.amadeus.com