Hi
I have an APF authorized module running of out of the LNKLIST I try to load
a module from an non apf dsn concatenation and get CSV019I abend
I am in problem state key 8 when I do this
It seems than once I am in a APF concatenation library even though I am in
problem state key 8 I can'
Utterly and complete TRUE. Being APF authorized can bypass some security
checks. Therefore attempting to access a module from a non-APF library is a
security hole. Just ask a Windows programmer, if they're willing to talk
about it.
On May 25, 2014 5:44 PM, "MichealButz" wrote:
> Hi
>
>
>
> I hav
.
Charles
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of MichealButz
Sent: Sunday, May 25, 2014 3:44 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: CSV019I Clarification
Hi
I have an APF authorized module running of out of the LNKLIST I
On Sun, 25 May 2014 18:43:48 -0400 MichealButz
wrote:
:>I have an APF authorized module running of out of the LNKLIST I try to load
:>a module from an non apf dsn concatenation and get CSV019I abend
:>I am in problem state key 8 when I do this
:>It seems than once I am in a APF concatenation l
Doesn't this come under the rule (at least in CICS) where in a multilib
concatenation, if one lib is APF all the libs must be APF authorized,
period.
John Clifford
On Sun, May 25, 2014 at 5:43 PM, MichealButz wrote:
> Hi
>
>
>
> I have an APF authorized module running of out of the LNKLIST I tr
In
,
on 05/25/2014
at 06:43 PM, MichealButz said:
>I have an APF authorized module
Keep that in mind.
>It seems than once I am in a APF concatenation library even
>though I am in problem state key 8 I can't load anything from a
>NON apf dsn concatenation
Then you forgot that you were in a
On 26 May 2014 01:47, Binyamin Dissen wrote:
> On Sun, 25 May 2014 18:43:48 -0400 MichealButz
> wrote:
>
> :>I have an APF authorized module running of out of the LNKLIST I try to load
> :>a module from an non apf dsn concatenation and get CSV019I abend
>
> :>I am in problem state key 8 when I d
>...the rule (at least in CICS) where in a multilib
>concatenation, if one lib is APF all the libs must be
>APF authorized, period.
I would say that the general rule would replace "period" with "if you want
the concatenation to be considered APF-authorized".
There is no intrinsic problem with ha
When we did add a non-apf authorized lib to our CICS concatenation, the
CICS startup abends immediately. Once we authorized it, CICS comes up OK. I
realize this is just one application but it is where you tend to get a lot
of libs concatenated (DB2 procs also). We did not try to execute anything
fr
Peter Relson wrote:
There is no intrinsic problem with having a concatenation that mixes
APF- and non-APF-authorized libraries.
By this he, I believe, means that such a concatenation is not illicit
per se, does not, for example, trigger a JCL error.
There is, however, a notorious extrinsic sid
If you're curious, what I've been told happens (Objection! That is hearsay,
your honor!) is that when a program does an BPAM OPEN of a DD, OPEN checks
every DSN allocated to the DD and if every single of of them is APF
authorized, then OPEN sets a bit in the DEB which basically says "this DEB
descr
John Gilmore
Sent: Tuesday, May 27, 2014 15:41
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: CSV019I Clarification
Peter Relson wrote:
There is no intrinsic problem with having a concatenation that mixes
APF- and non-APF-authorized libraries.
By this he, I believe, means that such a concatenation is
Kees,
Tastes and judgments differ. I think the non-problem you mention is
created by what, in my view, is the very bad practice of putting a
"non-authorized" routine in an an authorized library.
John Gilmore, Ashland, MA 01721 - USA
--
] On Behalf
Of John Gilmore
Sent: Tuesday, May 27, 2014 10:35 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: CSV019I Clarification
Kees,
Tastes and judgments differ. I think the non-problem you mention is created by
what, in my view, is the very bad practice of putting a "non-authorized"
Hum, I'm a bit confused by this John. What I am hearing is "In my opinion,
all modules in an APF library should be there only if they themselves do
APF authorized work." Maybe even "And should be marked as AC=1". I am sure
you can see where this would be very difficult. Take libraries such as
SYS1.
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Tony Harminc
>
> On 26 May 2014 01:47, Binyamin Dissen wrote:
> > On Sun, 25 May 2014 18:43:48 -0400 MichealButz wrote:
> >
> > :>I have an APF authorized module running of out of the LNKLIST I try
> > to load :>a modu
On Tue, 27 May 2014 10:34:32 -0400, John Gilmore wrote:
>
>Tastes and judgments differ. I think the non-problem you mention is
>created by what, in my view, is the very bad practice of putting a
>"non-authorized" routine in an an authorized library.
>
It allows an authorized program, with proper p
John [McKown]:
SYS1.LINKLIB is the obvious example of a mixed PDS library, but it is
not a good example of much of anything. It is very old, very much in
need of being "rearchitected"; but it is also essentially untouchable
because changing it would break too much old code.
My own practice is to
On 5/27/2014 7:51 AM, John McKown wrote:
Hum, I'm a bit confused by this John. What I am hearing is "In my opinion,
all modules in an APF library should be there only if they themselves do
APF authorized work." Maybe even "And should be marked as AC=1".
Modules in an APF-authorized library shou
Paul Gilmartin wrote:
>"Very bad practice", indeed. And IBM appears to have been unable to repair
>the flaw, and settled on building a RACF fence around it.
Indeed. But the RACF fence (FACILITY Class, profile GIM.) caused some
confusion as observed from past discussions in IBM-MAIN and RACF-L.
>It is suspected by many that the SMP/E integrity crisis discussed here at
>length four years ago
This is AFH. Why dredge it up again?
Bob Shannon
Rocket Software
--
For IBM-MAIN subscribe / signoff / archive access instruction
Bob Shannon wrote:
>This is AFH.
Ok, Bob, I'm not a rocket scientist, but after searching and finding
definitions of AFH, I still don't get it.
Could you please be kind to tell us old braincell-challenged guys and gals what
is 'AFH'?
Thanks in advance.
Groete / Greetings
Elardus Engelbrecht
/27/2014 02:03 PM
Subject:Re: CSV019I Clarification
Sent by:IBM Mainframe Discussion List
Bob Shannon wrote:
>This is AFH.
Ok, Bob, I'm not a rocket scientist, but after searching and finding
definitions of AFH, I still don't get it.
Could you please be kind t
: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: CSV019I Clarification
Bob Shannon wrote:
>This is AFH.
Ok, Bob, I'm not a rocket scientist, but after searching and finding
definitions of AFH, I still don't get it.
Could you please be kind to tell us old braincell-challenged guys and gals
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf
Of John Gilmore
Sent: Tuesday, May 27, 2014 16:35
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: CSV019I Clarification
Kees,
Tastes and judgments differ. I think the non-problem you mention is
Kees,
Apples and oranges. I agree that, as EJ emphasized yesterday, only
executables like GUBBINS below that get immediate control via
// EXEC PGM=GUBBINS, . . .
should be AC=1; but that is a different issue.
John Gilmore, Ashland, MA 01721 - USA
--
Ed Jaffe is fully correct about AC=1. Never mark something AC=1 unless you
need it to be the target of EXEC PGM= (or its z/OS Unix analog).
Since SYS1.LINKLIB is considered APF-authorized, all modules in it are
available to an authorized requestor (there is no "mixing'). What
SYS1.LINKLIB "mixes
On Wed, 28 May 2014 08:19:28 -0400, Peter Relson wrote:
>Ed Jaffe is fully correct about AC=1. Never mark something AC=1 unless you
>need it to be the target of EXEC PGM= (or its z/OS Unix analog).
>Since SYS1.LINKLIB is considered APF-authorized, all modules in it are
>available to an authorized
On 2014-05-27, at 11:47, Bob Shannon wrote:
>> It is suspected by many that the SMP/E integrity crisis discussed here at
>> length four years ago
>
> This is AFH. Why dredge it up again?
>
Hardly AFH; the problem remains whitewashed, not repaired.
The matter remains current until IBM makes a p
29 matches
Mail list logo
