> On Sunday, September 15, 2019, 10:40:53 PM PDT, Bill Soper
> wrote:
> With CICS 5.5... you can submit as the CICS logged on userid...
This could still become a headache for the security admin and others if not
managed correctly. Assigning surogat and maintaining dataset profiles for CICS
Apologies if I'm repeating ... With CICS 5.5... you can submit as the CICS
logged on userid...
https://www.ibm.com/support/knowledgecenter/en/SSGMCP_5.5.0/upgrading/process/upgrade_security.html#upgrade_security__jcl-submission
Short version:
Define surrogate checks to allow the region user ID to
On Wed, 11 Sep 2019 12:15:11 -0500, Paul Gilmartin wrote:
>As I follow this thread, I wonder why CICS doesn't submit batch jobs
>with the credentials of the requesting individual rather than the CICS
>region.
Some of the IBM CICS designers over the years have wanted to allow that. The
IBM z/OS
Back to the original question...
This is almost more comparable to asking the question "Who can submit JCL
using the ID(s) used by Control-M/CA-7/other scheduler"? I would dare say
that usually there are pretty tight controls... production
control/schedulers.?
If there are tight controls on subm
ason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of
Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu>
Sent: Thursday, September 12, 2019 8:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don&#
> On 2019-09-12, at 14:26:36, Seymour J Metz wrote:
>
>> This implies that submitter must have an OMVS segment.
>
> No. If he can run in a Unix shell than he can use the Unix functions for
> REXX.
>
> I looked at Chapter 2. OMVS, a 3270 terminal interface to the z/OS shell in
> z/OS: UNIX
son.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of Don
Poitras
Sent: Thursday, September 12, 2019 4:15 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO
You mean like a BPX function? Not that I see. T
behalf of
Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu>
Sent: Thursday, September 12, 2019 3:22 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO
On Thu, 12 Sep 2019 18:50:00 +, Seymour J Metz wrote:
>ObNit submit() is a Unix System
_
> From: IBM Mainframe Discussion List on behalf of
> Don Poitras
> Sent: Wednesday, September 11, 2019 3:56 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Submitting batch if you don't have TSO
> In article <9767139758844518.wa.paulgboul
On Thu, 12 Sep 2019 18:50:00 +, Seymour J Metz wrote:
>ObNit submit() is a Unix System Services function that is written to be called
>from REXX. There are a bunch of them.
>
This implies that submitter must have an OMVS segment. Is Default User
or Unique User supported nowadays?
>ObRaised
/~smetz3
From: IBM Mainframe Discussion List on behalf of Don
Poitras
Sent: Wednesday, September 11, 2019 3:56 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO
In article <9767139758844518.wa.paulgbo
As far as I can remember from the late 80's early 90's, I set up
submitting jobs through the CICS transient data queue to the internal
reader. These were print jobs to a local printer, issued from within a
transaction and under the CICS region's ID.
CP
On 11/09/2019 22:24, Joel C. Ewing wrote
On 9/11/19 12:15 PM, Paul Gilmartin wrote:
> On Wed, 11 Sep 2019 10:58:58 -0400, Bob Bridges wrote:
>
>> LOL. What gave me that idea is sheer, unadulterated ignorance. I came into
>> the mainframe world through applications development. I was given a solid
>> grounding in JCL back in the beginni
In article <9767139758844518.wa.paulgboulderaim@listserv.ua.edu> you wrote:
> On Wed, 11 Sep 2019 13:40:42 -0500, Len DiCristofano wrote:
> >IBM Explorer for z/OS using the z/OS perspective is also an alternative to
> >TSO in submitting batch jobs.
> >
> Could do likewise with UNIX System Se
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of
PINION, RICHARD W.
Sent: Wednesday, September 11, 2019 2:06 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't hav
: Wednesday, September 11, 2019 2:06 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO
Been there, done that. Fortunately, the company still had a card reader and a
card punch, lat 1980's.
-Original Message-
From: IBM Mainframe Discussion List On Behalf
On Wed, 11 Sep 2019 13:40:42 -0500, Len DiCristofano wrote:
>IBM Explorer for z/OS using the z/OS perspective is also an alternative to TSO
>in submitting batch jobs.
>
Could do likewise with UNIX System Services:
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2.
IBM Explorer for z/OS using the z/OS perspective is also an alternative to TSO
in submitting batch jobs.
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message:
tting batch if you don't have TSO
[External Email]
This reminds me of the tale I related recently about having to revive a data
center 400 miles away after VTAM got broken in a sysres switch. It seems so
simple to 'run a job to rename a data set'. But if you cannot logon to a
syste
ers. But try
to get anything useful done without it.
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Paul Gilmartin
Sent: Wednesday, September 11, 2019 10:15 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Submitting batch if you don't have TSO
On Wed, 1
On Wed, 11 Sep 2019 10:58:58 -0400, Bob Bridges wrote:
>LOL. What gave me that idea is sheer, unadulterated ignorance. I came into
>the mainframe world through applications development. I was given a solid
>grounding in JCL back in the beginning of my training, decades ago; to me
>"INTRDR" is a
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of Bob
Bridges
Sent: Wednesday, September 11, 2019 10:58 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO
LO
readily seen. -Leonardo
Da Vinci */
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Seymour J Metz
Sent: Tuesday, September 10, 2019 13:21
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO
> Ok, b
lf of
Lennie Dymoke-Bradshaw
Sent: Tuesday, September 10, 2019 6:15 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO
If users are able to specify userid and password in the JCL built by a CICS
transaction you can still use JESJOBS profiles to selectively allow o
List On Behalf Of
Seymour J Metz
Sent: 10 September 2019 22:05
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] Submitting batch if you don't have TSO
That's the same as any other address space. If you don't have a userid on the
job, or specify *, then the job inherits from
submit jobs, put in appropriate
controls.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of
ITschak Mugzach
Sent: Tuesday, September 10, 2019 3:34 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Sub
nable
> the submissions.
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
>
>
> From: IBM Mainframe Discussion List on behalf
> of Jantje.
> Sent: Tuesday, September 10, 2019 7:04 AM
> To: IBM-MAIN@LISTSER
smetz3
From: IBM Mainframe Discussion List on behalf of Bob
Bridges
Sent: Monday, September 9, 2019 9:14 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO
Ok, but the only way to submit a job via SYSOUT=(A,INTRDR) is to have
J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of Dr.
Rick Williams
Sent: Monday, September 9, 2019 9:43 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO
Many ways to do this,,
batch if you don't have TSO
On Wed, 4 Sep 2019 14:06:21 -0400, Bob Bridges wrote:
>Not sure where to ask this,
Here is fine...
So, I've read the whole thread and unless I am missing something, I don't think
you run any more risk than what you would have if none of you
On Wed, 4 Sep 2019 14:06:21 -0400, Bob Bridges wrote:
>Not sure where to ask this,
Here is fine...
So, I've read the whole thread and unless I am missing something, I don't think
you run any more risk than what you would have if none of your users have a TSO
segment.
As others have pointed o
On Mon, 9 Sep 2019 at 21:15, Bob Bridges wrote:
>
> Ok, but the only way to submit a job via SYSOUT=(A,INTRDR) is to have TSO in
> the first place, right? What I'm asking is how users might submit batch who
> ~don't~ have TSO.
TSO isn't magic. Any running z/OS process (loosely speaking - not
n
Many ways to do this,, many use CICS, however there are security issues
doing this.. the easiest way would be to use the network...
This is quite simple.. if you have sockets experience, it’s easy enough to
submit from about anywhere,, z/os network socket, a pc, Mac, iPad, anything
that can access
Ok, but the only way to submit a job via SYSOUT=(A,INTRDR) is to have TSO in
the first place, right? What I'm asking is how users might submit batch who
~don't~ have TSO.
---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
/* In an emergency, a drawstring from a parka hood can be used to
Lots of folks replied to this to tell me how to do the same thing more
securely, and I'll save those up and read them if and when my management
provides any encouragement for any rewriting at all to those transactions.
What I was really looking for, though, was ammunition to hand to management:
On Thu, Sep 5, 2019 at 8:27 PM Jon Perryman wrote:
>
>
> On Thursday, September 5, 2019, 06:06:41 AM PDT, John McKown <
> john.archie.mck...@gmail.com> wrote:
> > I completely agree. Unfortunately, we have a number of batch jobs which
> are
>
> > submitted by CICS transactions run by users.
On Thursday, September 5, 2019, 06:06:41 AM PDT, John McKown
wrote:
> I completely agree. Unfortunately, we have a number of batch jobs which are
> submitted by CICS transactions run by users. The JCL is contained in an
> ASSEMBLER non-CICS program in the DFHRPL. These modules do go t
___
> From: IBM Mainframe Discussion List on behalf
> of John McKown
> Sent: Thursday, September 5, 2019 1:49 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Submitting batch if you don't have TSO
>
> On Thu, Sep 5, 2019 at 12:38 PM Seymour J Metz wrote:
st on behalf of
John McKown
Sent: Thursday, September 5, 2019 1:49 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO
On Thu, Sep 5, 2019 at 12:38 PM Seymour J Metz wrote:
> There's no way that adding a RACF segment would reduce the exposure. They
On Thu, Sep 5, 2019 at 12:38 PM Seymour J Metz wrote:
> There's no way that adding a RACF segment would reduce the exposure. They
> need to close the loophole. I'm cheering for the auditor, assuming that
> he's not brain dead.
>
Most auditors that I've had to work with are absymally ignorant of
: IBM Mainframe Discussion List on behalf of
Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu>
Sent: Thursday, September 5, 2019 1:34 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO
On Thu, 5 Sep 2019 12:05:30 +, Lennie Dymoke-Bradshaw
On Thu, 5 Sep 2019 12:05:30 +, Lennie Dymoke-Bradshaw wrote:
>
>"The problem, of course, is that if I'm authorized to submit jobs with
>USER= on the JOB card then I can submit ~any~ such job, to do anything
>I want that the region can do."
>
>The CICS transaction runs under the security conte
On Thu, Sep 5, 2019 at 7:59 AM ITschak Mugzach wrote:
> I wouldn't allow a cics to submit jobs on behalf of the user. not as a copy
> to internal reader, nor by exec interface. I expect the jcl pass a change
> management process and be stored in a production jcl dataset. the formal
> and recommen
gt; Thomas Ambros
> zEnterprise Operating Systems
>
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf
> Of Lennie Dymoke-Bradshaw
> Sent: Thursday, September 05, 2019 08:06
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Submitting batch if you don'
gs together to do it.
Thomas Ambros
zEnterprise Operating Systems
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Lennie Dymoke-Bradshaw
Sent: Thursday, September 05, 2019 08:06
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO
Bob,
On Thu, Sep 5, 2019 at 7:05 AM Lennie Dymoke-Bradshaw <
lenni...@rsmpartners.com> wrote:
> Bob,
>
> I think ITschak's words are good advice.
>
> However, I am concerned at your statement,
>
> "The problem, of course, is that if I'm authorized to submit jobs with
> USER= on the JOB card then I can
M Partners Ltd
Web: www.rsmpartners.com
‘Dance like no one is watching. Encrypt like everyone is.’
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
ITschak Mugzach
Sent: 04 September 2019 19:33
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] Submitting batch if you
> One argument management offers in mitigation is that most of these CICS
> users don't have TSO, so they
> haven't the ability to submit batch jobs.
Job's can easily be submitted from CICS or IMS thru your job scheduler (I think
IBM OPC or CA7). I can't remember the specifics for requesting
On Wed, 4 Sep 2019 22:46:24 +0300, ITschak Mugzach wrote:
>Not at all. Removing the user parameter from job card will limit use to
>cics. Surrohat will work on all environments.
True. But you can create one or more user IDs with less authority than
the CICS region's user ID has and give the CIC
Not at all. Removing the user parameter from job card will limit use to
cics. Surrohat will work on all environments.
ITschak
בתאריך יום ד׳, 4 בספט׳ 2019, 22:24, מאת Tom Marchant <
000a2a8c2020-dmarc-requ...@listserv.ua.edu>:
> Does surrogate authority help?
>
> https://www.ibm.com/support/
to submit batch jobs. It's a disaster
waiting to happen.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of Bob
Bridges
Sent: Wednesday, September 4, 2019 2:06 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subj
Does surrogate authority help?
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/surru.htm
--
Tom Marchant
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists
Bob,
few comments:
1. You don't need to specify user= in the job card. any job submitted
under CICS without propagation control, will be assigned the CICS userid.
2. can cics end users manipulate the jcl they are submitting or it is
just submitted by the transaction? I hope they can't
On Wed, 4 Sep 2019 14:06:21 -0400, Bob Bridges wrote:
>
>One argument management offers in mitigation is that most of these CICS users
>don't have TSO, so they haven't the ability to submit batch jobs. Off-hand I
>can't contradict them, but I'm skeptical. I'm thinking there's probably a way
>a
If they have 'job' authority, they can submit a JOB via SYSOUT(A,INTRDR)
On Wed, Sep 4, 2019 at 2:06 PM Bob Bridges wrote:
> Not sure where to ask this, but I've wondered about it off and on for a
> while and it's past time I asked. I'm responsible for security at a
> mainframe shop where they
PM
Subject: Re: [External] Submitting batch if you don't have TSO
SDSF has the capability of submitting jobs, FTP can copy JCL to an internal
reader for a couple ways just off the top of my head.
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Bob
Bridges
Sent:
On Wed, Sep 4, 2019 at 1:06 PM Bob Bridges wrote:
> Not sure where to ask this, but I've wondered about it off and on for a
> while and it's past time I asked. I'm responsible for security at a
> mainframe shop where they use a lot of CICS. There are CICS transactions
> that fire off batch jobs
Subject: [External] Submitting batch if you don't have TSO
Not sure where to ask this, but I've wondered about it off and on for a while
and it's past time I asked. I'm responsible for security at a mainframe shop
where they use a lot of CICS. There are CICS transactions that
Not sure where to ask this, but I've wondered about it off and on for a while
and it's past time I asked. I'm responsible for security at a mainframe shop
where they use a lot of CICS. There are CICS transactions that fire off batch
jobs; the way this place handles it is to submit the job unde
59 matches
Mail list logo
