Discussion:
AC(1)
Ernest Nachtigall
2018-04-30 12:43:49 UTC
Can a program (ASM) determine at run time if it has been linked AC(1)?
itzmainframe
2018-04-30 13:18:27 UTC
Post by Ernest Nachtigall
Can a program (ASM) determine at run time if it has been linked AC(1)?
Not likely - especially if you did not LKED it properly.
Don
2018-04-30 13:56:11 UTC
Post by Ernest Nachtigall
Can a program (ASM) determine at run time if it has been linked AC(1)?
Ernie,

There used to be (from old OS/VS2 debugging handbook) a flag in the CDE
(CDATTR2/CDAUTH) that indicated if the module was authorized, but I don't
know if that is only set via AC(1) linkage or is some combination of other
possible ways it could become authorized.

be seeing you ...Don
hobbitt
2018-04-30 23:20:47 UTC
Post by Ernest Nachtigall
Can a program (ASM) determine at run time if it has been linked AC(1)?
Looks like CSVQUERY OUTATTR2= will give you that.
Daniel S. Dalby
2018-04-30 23:26:01 UTC
Post by hobbitt
Post by Ernest Nachtigall
Can a program (ASM) determine at run time if it has been linked AC(1)?
Looks like CSVQUERY OUTATTR2= will give you that.
How about TESTAUTH FCTN=1 ?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Charles Mills
2018-04-30 23:53:05 UTC
Do you want to query AC(1) specifically or whether you are running
authorized, which requires AC(1) plus an all-APF-authorized STEPLIB
concatenation?

TESTAUTH FCTN=1 (as @Daniel writes) will give you whether or not you meet
*all* of the requirements and are actually running authorized. That is the
common test.

I've never used CSVQUERY but it looks like OUTATTR2 will split out each of
the details, including AC(1) specifically.

Charles


Ernest Nachtigall
2018-05-01 13:36:59 UTC
Post by Daniel S. Dalby
Post by hobbitt
Post by Ernest Nachtigall
Can a program (ASM) determine at run time if it has been linked AC(1)?
Looks like CSVQUERY OUTATTR2= will give you that.
How about TESTAUTH FCTN=1 ?
TESTAUTH seems to be what I needed. Thanks.
My program (depending on environment) may need to be running authorized or not.
For example, environment in one location requires that ALL calls to ICSF crypto API's be done ONLY by code running in MODESET=SUP. I can now dynamically determine if I need to, or can, get into authorized state just before an ICSF call then back to problem state after.
Yes, I know RACF protecting each API rather than running authorized is the best mode, but one cannot always buck a ponderous bureaucracy.
Walt Farrell
2018-05-01 01:04:51 UTC
Post by Charles Mills
Do you want to query AC(1) specifically or whether you are running
authorized, which requires AC(1) plus an all-APF-authorized STEPLIB
concatenation?
No, running authorized does not (necessarily) require AC(1).

Assuming we consider only APF-authorization, and not forms like system key or supervisor state, and ignoring situations like TSO and perhaps some aspects of z/OS UNIX, it requires that the first program executed in the jobstep had AC(1). But subsequent programs run by that program don't need (and shouldn't have, in general) AC(1). They just need to come from an APF-authorized library or concatenation. So AC(1) is required only if you're the first program that was executed in the jobstep.

But it's a good question, as merely wanting to know if you were linked AC(1) seems not terribly useful to a running program.
--
Walt

Ed Jaffe
2018-05-01 03:40:49 UTC
Post by Walt Farrell
But it's a good question, as merely wanting to know if you were linked AC(1) seems not terribly useful to a running program.
Hardly useful at all since -- for the purposes of APF authorization --
even when loaded from an APF authorized library, AC(1) applies only to
the program listed on the EXEC PGM=program JCL statement.

Suppose EXEC PGM=program is AC(0) and then XCTLs to you and you are
AC(1) and residing in an APF authorized library. Now you're AC(1),
you're the job step program, and yet you're not APF authorized. Fab...
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/
Charles Mills
2018-05-01 14:03:11 UTC
I can think of one use: I have dealt with support calls from a customer or prospect of the form "your program reports it is running non-authorized but we are SURE we did everything you told us to do." It might be useful if a program could not only report it was non-authorized but also the possible reasons why.

Granted what @Ed says below, it would not always be possible of course, but usually the problem is simpler than that. Usually it turns out that "every library in the STEPLIB concatenation" means "EVERY library in the STEPLIB concatenation."

Charles


Seymour J Metz
2018-05-01 14:54:19 UTC
If that's a common problem, do an RDJFCB for the STEPLIB and check each entry in the ARL to see if the dataset is authorized, reporting any that are not.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

Charles Mills
2018-05-01 14:58:33 UTC
Yep. I have considered it. 



Charles
Sent from a mobile; please excuse the brevity.
Ed Jaffe
2018-05-01 15:02:05 UTC
Post by Charles Mills
Usually it turns out that "every library in the STEPLIB concatenation" means "EVERY library in the STEPLIB concatenation."
Agreed. That is the problem 99% of the time.

I usually tell customers to resolve such problems by comparing the
suspect //STEPLIB against the list of data sets shown by the "APF"
subcommand of the free-and-included ISPF "DDLIST" command, paying
careful attention to volsers as well as data set names.
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/
Charles Mills
2018-05-01 15:29:40 UTC
If I have nothing better to do one of these days (ha!) I will write a program for the CBT that given a concatenated DD of load libraries will tell you the APF status of each. (Yes, the information is available via other routes, such as what @Ed suggests below.)

Charles


Paul Gilmartin
2018-05-01 15:20:22 UTC
Post by Ed Jaffe
Post by Charles Mills
Usually it turns out that "every library in the STEPLIB concatenation" means "EVERY library in the STEPLIB concatenation."
Agreed. That is the problem 99% of the time.
I usually tell customers to resolve such problems by comparing the
suspect //STEPLIB against the list of data sets shown by the "APF"
subcommand of the free-and-included ISPF "DDLIST" command, paying
careful attention to volsers as well as data set names.
It's a shame that DDLIST MEMBER doesn't supply that information directly,
simply when a given member of a given concatenation is selected. (The
user could ALLOCATE it ad-hoc if needed.) RFE?

Even better, answer "Which catenand causes this concatenation to be
unauthorized?"

-- gil
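
Added example, not part of the original posts and not the CBT LISTAPF program: a Python sketch of the comparison described above, checking each STEPLIB catenand by data set name and volser against text laid out like a D PROG,APF response and listing every reason the step would not be authorized. The display text, data set names and volsers are constructed; `Library`, `check_library` and `diagnose` are hypothetical names; and treating an SMS-managed library as matching only a `*SMS*` entry is an assumption of this model.

```python
import re
from typing import NamedTuple

# Constructed D PROG,APF response; data set names and volsers are invented.
APF_DISPLAY = """\
CSV450I 10.15.42 PROG,APF DISPLAY 123
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
   1  ZOSRES SYS1.LINKLIB
   2  PROD01 VENDOR.PROD.LOADLIB
   3  PROD01 VENDOR.FIX.LOADLIB
   4  *SMS*  SITE.AUTH.LOADLIB
"""


class Library(NamedTuple):
    dsname: str
    volser: str        # volume the allocation actually resolved to
    sms: bool = False  # True if the data set is SMS-managed


# Constructed STEPLIB concatenation, in concatenation order.
STEPLIB = [
    Library("VENDOR.PROD.LOADLIB", "PROD01"),
    Library("SITE.AUTH.LOADLIB", "SMS001", sms=True),
    Library("VENDOR.FIX.LOADLIB", "PROD02"),  # right name, wrong volume
    Library("USER.TEST.LOADLIB", "WORK03"),   # never added to the APF list
]

# One data row: entry number, volume (or *SMS*), data set name.
ENTRY_RE = re.compile(r"^\s*\d+\s+(\S{1,6})\s+([A-Z0-9$#@.\-]{1,44})\s*$")


def parse_apf_display(text):
    """Return {dsname: {volumes}} from the ENTRY/VOLUME/DSNAME rows."""
    apf = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.upper())
        if m:  # the message header and column heading lines do not match
            apf.setdefault(m.group(2), set()).add(m.group(1))
    return apf


def check_library(lib, apf):
    """Return None if lib matches an APF entry, else the reason it does not."""
    volumes = apf.get(lib.dsname.upper())
    if not volumes:
        return "data set name is not in the APF list"
    # Assumption of this model: SMS-managed libraries match only a *SMS*
    # entry, everything else must match on the exact volser.
    wanted = "*SMS*" if lib.sms else lib.volser.upper()
    if wanted in volumes:
        return None
    listed = ", ".join(sorted(volumes))
    where = "SMS-managed" if lib.sms else f"on volume {wanted}"
    return f"APF entry is for {listed}, but this allocation is {where}"


def diagnose(jobstep_ac, steplib, apf):
    """List every reason found why the job step would not be authorized.

    Covers only the two conditions named in the thread: AC(1) on the job
    step program and an APF match for every library in the concatenation.
    """
    reasons = []
    if jobstep_ac != 1:
        reasons.append(f"job step program is linked AC({jobstep_ac}), not AC(1)")
    for pos, lib in enumerate(steplib, start=1):
        why = check_library(lib, apf)
        if why:
            reasons.append(f"STEPLIB catenand {pos} {lib.dsname}: {why}")
    return reasons


if __name__ == "__main__":
    for reason in diagnose(1, STEPLIB, parse_apf_display(APF_DISPLAY)):
        print(reason)
```
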

Ed Jaffe
2018-05-01 18:32:07 UTC
Post by Paul Gilmartin
Post by Ed Jaffe
I usually tell customers to resolve such problems by comparing the
suspect //STEPLIB against the list of data sets shown by the "APF"
subcommand of the free-and-included ISPF "DDLIST" command, paying
careful attention to volsers as well as data set names.
It's a shame that DDLIST MEMBER doesn't supply that information directly,
simply when a given member of a given concatenation is selected. (The
user could ALLOCATE it ad-hoc if needed.) RFE?
It might be nice if DDLIST had an A[PF] column, with a checkbox to
indicate APF authorized, on the data set list you see at entry -- which
includes STEPLIB data sets. Or maybe just have APF authorized rows
displayed in a different color.

But that solves the problem only for your current TSO session. In this
case, we're discussing a general solution for any address space
including batch jobs, started tasks, etc.
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/
John Gateley
2018-05-01 17:19:50 UTC
Hi Charles

File 953 on the CBT contains a program LISTAPF which checks every load library in the STEPLIB or JOBLIB against the APF list.

Regards
John

Charles Mills
2018-05-01 18:00:43 UTC
Ha!

Charles


Steve Beaver
2018-05-01 18:26:18 UTC
D PROG, APF

Is a lot less work

Farley, Peter x23353
2018-05-01 19:04:42 UTC
But that assumes you have authority to perform a console display command. Most large shops where I have been employed forbid application programmers any console authority at all, however innocuous Display may seem to be.

Peter

Charles Mills
2018-05-01 19:33:00 UTC
You overestimate some customers. If a customer says "yes, we're sure all the libraries are authorized" and you say "do a D PROG,APF and see if all the libraries are in there" the customer will quite possibly respond "WE TOLD YOU ALL OF THE LIBRARIES ARE AUTHORIZED."

Charles


Steve Beaver
2018-05-01 21:59:08 UTC
"WE TOLD YOU ALL OF THE LIBRARIES ARE AUTHORIZED."

The reply of a novice or manager LOL

Seymour J Metz
2018-05-02 16:28:29 UTC
I suppose that "No, you told me that YOU BELIEVED all libraries are authorized!" is not politically correct.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

Ed Jaffe
2018-05-02 16:51:23 UTC
Post by Seymour J Metz
I suppose that "No, you told me that YOU BELIEVED all libraries are authorized!" is not politically correct.
I would simply state that abend047 proves the job step is not
authorized. Therefore, we must investigate every avenue to find out why...
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/
Paul Gilmartin
2018-05-01 18:50:47 UTC
Post by Ed Jaffe
It might be nice if DDLIST had an A[PF] column, with a checkbox to
indicate APF authorized, on the data set list you see at entry -- which
includes STEPLIB data sets. Or maybe just have APF authorized rows
displayed in a different color.
But that solves the problem only for your current TSO session. In this
case, we're discussing a general solution for any address space
including batch jobs, started tasks, etc.
I had envisioned using TSO ALLOCATE ad hoc to make such concatenations
available in TSO. Of course it would be nicer if TSO understood JCL DD
statements with no need to translate them to ALLOCATE, or if DDLIST could
run in batch. (Can DDLIST run headless, under batch ISPF?)

History and risque wordplay aside, I take the first three characters of "UNIX"
to mean UNIform. I admire that single-language philosophy.

-- gil

Peter Relson
2018-05-02 11:32:11 UTC
Does the CBT Tape program mentioned take into account all of
- Data set name (surely it does)
- Volume (very likely)
- whether the data set is SMS-managed or not
?

Peter Relson
z/OS Core Technology Design


John Gateley
2018-05-02 19:18:18 UTC
Peter,

The CBT program uses code from Mark Zelden's IPLINFO to get a list of APF libraries (he is credited).
In assembler this is:

         L     R1,16              point to CVT
         L     R1,140(,R1)        point to CVTECVT
         L     R1,228(,R1)        point to CSV table
         L     R1,12(,R1)         point to APFA
         L     R4,8(,R1)          point to first name
         L     R5,12(,R1)         point to last name

It outputs all dataset names and volumes in this list to SYSOUT.

Then it does RDJFCB on STEPLIB and uses ARAJFCB to get dataset name and volume for all concatenated datasets. It outputs the dataset name and volume and flags any that are not in the APF list.

This is repeated for JOBLIB.

Would the dataset being SMS-managed, or not, affect this?

Peter Relson
2018-05-03 11:46:34 UTC
Whether a dataset is SMS-managed or not has no relevance to the
information displayed by the program, but has relevance to whether or not
there is a "match". That match is done as part of "Open" processing, for
example.

An APF list entry created by a specification such as DSN(MY.DSN) SMS will
match a dataset named MY.DSN that is SMS-managed. It will not match a data
set named MY.DSN that is not SMS-managed. The other side of that is that
an APF list entry created by DSN(MY.DSN) VOLUME(V) will match a dataset
named MY.DSN that is on VOLUME V whether or not the data set is
SMS-managed (but if the data set is SMS-managed and moves to a different
volume, there would no longer be a match from that APF list entry).

The DEBAPFIN bit is used to determine if the concatenation is considered
to be APF-authorized or not. It works approximately like this: initially,
the DEBAPFIN bit is turned on. If any data set is found in the
concatenation that is not APF-authorized, the DEBAPFIN bit is turned off.

Since the code you show does not use an intended programming interface, I
will not comment on its correctness. IPLINFO itself must have been changed
when dynamic APF was introduced but chose not to use the provided
programming interface (CSVAPF REQUEST=LIST) to gain access to the data.

Peter Relson
z/OS Core Technology Design


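The matching rule and the DEBAPFIN behaviour described in the message above, modelled in Python as an added example (not part of the thread, and not IBM's or the CBT program's code). ApfEntry, DataSet, entry_matches, check_concatenation and every data set name and volume below are hypothetical; the model follows the "approximately like this" description only and queries no z/OS service.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ApfEntry:
    dsn: str
    volume: Optional[str] = None  # None models DSN(x) SMS; a value models DSN(x) VOLUME(v)

@dataclass(frozen=True)
class DataSet:
    dsn: str
    volume: str
    sms_managed: bool

def entry_matches(entry: ApfEntry, ds: DataSet) -> bool:
    """Apply the matching rule from the post to one entry and one data set."""
    if entry.dsn != ds.dsn:
        return False
    if entry.volume is None:
        return ds.sms_managed            # SMS entry: only an SMS-managed data set matches
    return entry.volume == ds.volume     # VOLUME entry: volume decides, SMS-managed or not

def check_concatenation(concat: List[DataSet],
                        apf_list: List[ApfEntry]) -> Tuple[bool, List[DataSet]]:
    """Model of the DEBAPFIN description: starts on, turned off by any miss."""
    apfin = True
    offenders = []
    for ds in concat:
        if not any(entry_matches(e, ds) for e in apf_list):
            apfin = False
            offenders.append(ds)         # keep going so every offender is reported
    return apfin, offenders

# Constructed sample data (not taken from any real system).
APF_LIST = [ApfEntry("MY.DSN"), ApfEntry("VENDOR.LOADLIB", "VOL001")]
STEPLIB = [
    DataSet("MY.DSN", "SMS123", sms_managed=True),          # matches the SMS entry
    DataSet("VENDOR.LOADLIB", "VOL001", sms_managed=True),  # matches by volume
    DataSet("VENDOR.LOADLIB", "VOL002", sms_managed=True),  # moved volume: no match
    DataSet("MY.DSN", "WORK01", sms_managed=False),         # same name, not SMS: no match
]

if __name__ == "__main__":
    authorized, offenders = check_concatenation(STEPLIB, APF_LIST)
    print("concatenation APF-authorized:", authorized)
    for ds in offenders:
        print("  no APF match:", ds.dsn, ds.volume, "SMS" if ds.sms_managed else "non-SMS")
```
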
John McKown
2018-05-03 13:10:04 UTC
Post by Peter Relson
Whether a dataset is SMS-managed or not has no relevance to the
information displayed by the program, but has relevance to whether or not
there is a "match". That match is done as part of "Open" processing, for
example.
An APF list entry created by a specification such as DSN(MY.DSN) SMS will
match a dataset named MY.DSN that is SMS-managed. It will not match a data
set named MY.DSN that is not SMS-managed. The other side of that is that
an APF list entry created by DSN(MY.DSN) VOLUME(V) will match a dataset
named MY.DSN that is on VOLUME V whether or not the data set is
SMS-managed (but if the data set is SMS-managed and moves to a different
volume, there would no longer be a match from that APF list entry).
The DEBAPFIN bit is used to determine if the concatenation is considered
to be APF-authorized or not. It works approximately like this: initially,
the DEBAPFIN bit is turned on. If any data set is found in the
concatenation that is not APF-authorized, the DEBAPFIN bit is turned off.
Since the code you show does not use an intended programming interface, I
will not comment on its correctness. IPLINFO itself must have been changed
when dynamic APF was introduced but chose not to use the provided
programming interface (CSVAPF REQUEST=LIST) to gain access to the data.
Peter Relson
z/OS Core Technology Design
That was very interesting. Thanks for the explanation. Just to be sure
that I understand, the logic above is done on _every_ OPEN for _every_ DD
name. Or is it only if the OPEN is for a DCB which is BPAM (i.e. the DD
concatenation is for libraries)? It doesn't really matter, I'm just
curious. One of the reasons that I really did (and do) dislike OCO is that
my understanding is "artificially" reduced (as opposed to "inherent" due to
my own lack of capability). That's why I'm an FSF member. And a Linux (vice
Windows / MacOS) partisan. And, yes, I do sometimes "use the Source, Luke!".
--
We all have skeletons in our closet.
Mine are so old, they have osteoporosis.

Maranatha! <><
John McKown

Ed Jaffe
2018-05-03 18:01:39 UTC
... IPLINFO itself must have been changed
when dynamic APF was introduced but chose not to use the provided
programming interface (CSVAPF REQUEST=LIST) to gain access to the data.
Umm... IPLINFO is a REXX exec.

As such, it cannot invoke z/OS system services unless they support a
standard externally-callable interface.
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/