MVS auth for CONSOLE Commands in TSO/BATCH
Alessandro Brezzi
I experienced some problem when a REXX submit console commands under,
while running under TSO/BATCH: the user, authorized with all the
privileges, cannot use the MODIFY or START / STOP commands.
Any suggestion?
Thanks in advance
Alessandro
----------------------------------------------------------------------
For TSO-REXX subscribe / signoff / archive access instructions,
send email to LIST...@VM.MARIST.EDU with the message: INFO TSO-REXX
Keith Bower
question is unanswerable.
I think it would help if you gave more information. When you go to an auto
mechanic, you have to take your car along too. So...
Questions in my mind are:
1. What do you mean by "cannot use". Did you get any error messages? Or
did nothing happen when you expected something?
2. How are you issuing the commands?
It would be very helpful if you could post the REXX and JCL used, and any
error messages or output you are getting. Any examples of other,
successful, commands might help too.
Alessandro
Brezzi To: TSO-...@VM.MARIST.EDU
<alessandro.brez cc:
z...@TIN.IT> Subject: MVS auth for CONSOLE Commands in TSO/BATCH
Sent by: TSO
REXX Discussion
List
<TSO-...@VM.MAR
IST.EDU>
09/04/01 02:42
PM
Please respond
to TSO REXX
Discussion List
Mark Zelden
>
> Hi all,
> I experienced some problem when a REXX submit console commands under,
> while running under TSO/BATCH: the user, authorized with all the
> privileges, cannot use the MODIFY or START / STOP commands.
>
> Any suggestion?
>
> Thanks in advance
>
> Alessandro
>
You are probably missing the OPERPARM RACF segment (or equivilent).
You can probably search the archives at IBM-MAIN and find lots of
hits and info on similar problems.
http://bama.ua.edu/archives/ibm-main.html
--
+------------------------------------------------------------------+
| Mark Zelden - OS/390 Consultant: 3D Business Solutions, Chicago |
| mailto:mze...@flash.net mailto:mze...@3dsolutions.com |
| Mark's MVS Utilites: http://home.flash.net/~mzelden/mvsutil.html |
+------------------------------------------------------------------+
Alessandro Brezzi
>I didn't see any replies to this question. Maybe because as posed, the
>question is unanswerable.
>I think it would help if you gave more information. When you go to an auto
>mechanic, you have to take your car along too. So...
>
>Questions in my mind are:
>
>1. What do you mean by "cannot use". Did you get any error messages? Or
>did nothing happen when you expected something?
Yes, see the output later; I receive the message
IEE345I MODIFY AUTHORITY INVALID, FAILED BY MVS
I dont see any ICH408 message ...
But CONSOLE session is up and running, the D A command produce the
expected results ... I use the same EXEC to issue JES2 command like
$A ... or $D and this work fine.
>2. How are you issuing the commands?
The user submitting the JOB have SPECIAL and OPERATION, READ access
to the CONSOLE profile in TSOAUTH class, and UPDATE access to some
JES2.... profile in the OPERCMDS class.
>It would be very helpful if you could post the REXX and JCL used, and any
>error messages or output you are getting. Any examples of other,
>successful, commands might help too.
>
This is the EXEC:
-----------------------------------------------------
/*---------------- REXX --- (TSO only) ------------------*/
/* CGI Utility di Sistema */
/* */
/* Programma per leggere dalla DD CMDINP un insieme */
/* di comandi da sottomettere a CONSOLE, creando un */
/* file di LOG (DD CMDLOG) dei risultati */
/* */
/* Funzionamento: */
/* - inizializza l'ambiente */
/* - apre file CMDINP, ne carica il contenuto */
/* - se Ok stabilisce sessione Console */
/* (user deve essere abilitato in TSOAUTH */
/* profilo CONSOLE e deve avere il segmento */
/* TSO) */
/* - se Ko manda messaggio di errore e termina */
/* - passa i comandi alla sessione CONSOLE e */
/* legge i risultati. Gli stessi sono scritti */
/* nel file di LOG. */
/* */
/*-------------------------------------------------------*/
/* Inizializza, ambiente di lavoro TSO */
Trace 'e'
Address TSO
/* Legge il file di comandi da eseguire */
"EXECIO * DISKR CMDINP (FINIS STEM CMDI."
"FREE FILE(CMDINP)"
/* Salva setting correnti della console */
SolD = SysVar("SOLDISP")
UnSolD = SysVar("UNSDISP")
/* Non fa uscire a terminale i messaggi di risposta */
"CONSPROF SOLDISP(NO) UNSOLDISP(NO)"
UserId = UserId();
Call Logger UserId 'Ha iniziato l''elaborazione'
/* Esegue richieste */
Drop ConResp. /* pulisce lo stem per le risposte */
/* Attiva la console */
"CONSOLE ACTIVATE"
Address Console
/* Richiede il prefisso del JobId */
pJobId = SysVar('MFJOB')
If pJobId \= 'YES' Then "CONTROL S,MFORM=(J)"
Do i=1 to CMDi.0
If left(CMDi.i,1) = '*' Then Iterate /* Commento, lo scarta */
If Words(CMDi.i) = 0 Then Iterate /* Riga nulla, la scarta */
If translate(word(CMDi.i,1)) = 'WAKE' Then Do
Call wake word(CMDi.i,2) CMDi.i
iterate
End
Comm = Cmdi.i
Cart = "AB01Q"||Right("000"||strip(i),3)
"CART "Cart
Call Logger Cart Comm
Comm
RcMess = getmsg('ConResp.','sol',Cart,,5)
If RcMess \= 0 Then Exit RcMess
/* Legge e memorizza le risposte da JES2 */
Do While RcMess = 0 /* Do Over all CART messages */
Do j=1 to ConResp.0 /* Do Over ConResp. */
Call Logger Cart ConResp.j
End
RcMess = getmsg('ConResp.','sol',Cart,,5)
End
End
/* ripristina default per i messaggi di risposta */
Address TSO
"CONSOLE DEACTIVATE"
"CONSPROF SOLDISP("SolD") UNSOLDISP("UnSolD")"
"EXECIO 0 DISKW CMDLOG (FINIS"
"FREE FILE(CMDLOG)"
Exit 0;
/* Routine di logging dei comandi passati a console */
Logger: Procedure
Parse Arg Messaggio
Queue Date('S') Time() Messaggio
Queue ''
Address TSO "EXECIO * DISKW CMDLOG"
Return;
/* Wake: attende per il tempo specificato */
Wake: Procedure
Arg secWaitTime Comando
time = secWaitTime
hDelay = secWaitTime % 3600
time = time - hDelay * 3600
mDelay = time % 60
time = time - mDelay * 60
sDelay = time
rxwVal = right('00'||strip(hDelay),2)
rxwVal = rxwVal || right('00'||strip(mDelay),2)
rxwVal = rxwVal || right('00'||strip(sDelay),2)
rxwVal = rxwVal || '00'
Call Logger Copies('-',8) Comando
Call Logger Copies(' ',8) 'Attesa di 'secWaitTime' secondi'
/* Reset dell'elapsed */
x=rexxwait(rxwVal)
return 0
-----------------------------------------------------
This is the JCL invoking the EXEC
-----------------------------------------------------
//* --------------------------------------------------------------
//*
//* Esegue comandi forniti in input
//*
//* --------------------------------------------------------------
//EXCMND EXEC PGM=IKJEFT01,DYNAMNBR=10,TIME=100,REGION=6M,COND=(4,LT)
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTERM DD DUMMY
//CMDLOG DD SYSOUT=*
//CMDINP DD *
* il file dei comandi puË contenere commenti con * alla col 1
* puË anche contenere righe totalmente vuote come la precedente
*
* i comandi JES / MVS DEVONO iniziare a col 1, come da loro sintassi
*
* ¤ implementato anche il comando WAKE, di tipo free form, con la
* seguente sintassi:
*
* WAKE secs tutto ciË che segue ¤ commento
*
D A,L
* Ferma i CICS di produzione; arresto normale
* Aspetta 8 minuti; se non hanno chiuso, provvede con chiusura forzata
F CICSNORD,CEMT P SHUT
wake 5
F CICSEUVI,CEMT P SHUT
wake 480
* Se non hanno chiuso imposta chiusura forzata
F CICSNORD,CEMT P SHUT IMMED
wake 5
F CICSEUVI,CEMT P SHUT IMMED
/*
-----------------------------------------------------
And this is the result
-----------------------------------------------------
18.03.36 JOB01230 D A,L
18.03.41 JOB01230 F CICSNORD,CEMT P SHUT
18.03.41 JOB01230 IEE345I MODIFY AUTHORITY INVALID, FAILED BY MVS
18.03.51 JOB01230 F CICSEUVI,CEMT P SHUT
18.03.51 JOB01230 IEE345I MODIFY AUTHORITY INVALID, FAILED BY MVS
18.11.56 JOB01230 F CICSNORD,CEMT P SHUT IMMED
18.11.56 JOB01230 IEE341I CICSNORD NOT ACTIVE
18.12.06 JOB01230 F CICSEUVI,CEMT P SHUT IMMED
18.12.06 JOB01230 IEE341I CICSEUVI NOT ACTIVE
18.12.11 JOB01230 IEA631I OPERATOR YEXE01 NOW INACTIVE,
SYSTEM=DAVI , LU=
--
--
\\\|///
\\\ ~ ~ ///
( @ @ )
==================oOOo=(_)=oOOo===================
Alessandro Brezzi ISAC Srl Pavia
alessand...@tin.it Phone: +39-382-532029
Fax: +39-382-538367
Mobile: +39-335-8210727
===========================Oooo===================
oooO ( )
( ) ) /
\ ( (_/
\_)
Roach, Dennis
on the MODIFY command
+------------------------------+---------------+----------------------------
--------Ś
Ś MODIFY jobname Ś UPDATE Ś MVS.MODIFY.JOB.jobname
Ś
+---------------------------------------------------------------------------
--------Ś
Ś The previous command is for a job that is not a started task.
Ś
+---------------------------------------------------------------------------
--------Ś
Ś MODIFY userid Ś UPDATE Ś MVS.MODIFY.JOB.userid
Ś
+------------------------------+---------------+----------------------------
--------Ś
Ś MODIFY jobname Ś UPDATE Ś MVS.MODIFY.STC.mbrname.id
Ś
Ś MODIFY jobname.id Ś Ś
Ś
Ś MODIFY id Ś Ś
Ś
+---------------------------------------------------------------------------
--------Ś
Ś The previous command is for a started task for which an identifier was
provided. Ś
+---------------------------------------------------------------------------
--------Ś
Ś MODIFY jobname Ś UPDATE Ś
MVS.MODIFY.STC.mbrname.jobname Ś
+---------------------------------------------------------------------------
--------Ś
Ś The previous command is for a started task for which an identifier was not
Ś
Ś provided. mbrname is the name of the member containing the JCL source.
Ś
Ś
Ś
Ś Note: MODIFY might actually affect more than one job. For example:
Ś
Ś
Ś
Ś If START ABC.DEF and START ABC.GHI are issued, MODIFY ABC.* affects
both Ś
Ś jobs, and one authorization request is issued for each.
Ś
Ś If the START ABC command is issued twice, two started tasks named ABC
start Ś
Ś running on the system. MODIFY ABC affects both jobs, and one
authorization Ś
Ś request is issued for each.
Ś
+---------------------------------------------------------------------------
--------Ś
Dennis Roach
United Space Alliance
600 Gemini Avenue
Mail Code USH-4A3L
Houston, Texas 77058
Voice: (281) 282-2975
Page: (713) 736-8275
Fax: (281) 282-3583
E-Mail: Dennis...@USAHQ.UnitedSpaceAlliance.com
All opinions expressed by me are mine and may not agree with my employer or
any person, company, or thing, living or dead, on or near this or any other
planet, moon, asteroid, or other spatial object, natural or manufactured.
Keith Bower
As an example, we use profiles in the form:
MVS.MODIFY.STC.CICS*.**
See Dennis' message for more info on the profiles.
-Keith
Keith Bower
Someone will correct me if I'm wrong (please), but MVS.MODIFY.** with
Access of UPDATE should be sufficient to cover all MODIFY commands.
The profiles used for MVS commands can be found in the book "MVS Planning:
Operations", our document number is GC28-1760-07.
-Keith Bower
Alessandro
Brezzi To: TSO-...@VM.MARIST.EDU
<alessandro.brez cc:
z...@TIN.IT> Subject: Re: MVS auth for CONSOLE Commands in TSO/BATCH
Sent by: TSO
REXX Discussion
List
<TSO-...@VM.MAR
IST.EDU>
09/05/01 04:31
PM
Please respond
to TSO REXX
Discussion List
Keith, Roach
thanks for yours suggestions.
I have only MVS.MODIFY.** profile in my OPERCMDS class, and the user
have UPDATE access to this via TSOSY group.
Tomorrow I will try also the MVS.MODIFY.STC.CICS*.** and I take a
look to the OPERPARM (thank Mark).
I read the RACF Security Admin guide for guidance in OPERCMDS use,
and find link to the MVS System Commands manual, but I've no found
any reference to this class and how to define the profiles :(
I missing something?
Thanks
Alessandro
--
--
\\\|///
\\\ ~ ~ ///
( @ @ )
==================oOOo=(_)=oOOo===================
Alessandro Brezzi ISAC Srl Pavia
alessand...@tin.it Phone: +39-382-532029
Fax: +39-382-538367
Mobile: +39-335-8210727
===========================Oooo===================
oooO ( )
( ) ) /
\ ( (_/
\_)
----------------------------------------------------------------------
Alessandro Brezzi
thanks for yours suggestions.
I have only MVS.MODIFY.** profile in my OPERCMDS class, and the user
have UPDATE access to this via TSOSY group.
Tomorrow I will try also the MVS.MODIFY.STC.CICS*.** and I take a
look to the OPERPARM (thank Mark).
I read the RACF Security Admin guide for guidance in OPERCMDS use,
and find link to the MVS System Commands manual, but I've no found
any reference to this class and how to define the profiles :(
I missing something?
Thanks
Alessandro
>Have you checked your MVS.MODIFY profiles in your OPERCMDS class in RACF?
--
--
\\\|///
\\\ ~ ~ ///
( @ @ )
==================oOOo=(_)=oOOo===================
Alessandro Brezzi ISAC Srl Pavia
alessand...@tin.it Phone: +39-382-532029
Fax: +39-382-538367
Mobile: +39-335-8210727
===========================Oooo===================
oooO ( )
( ) ) /
\ ( (_/
\_)
----------------------------------------------------------------------
Jeremy C B Nicoll
> Yes, see the output later; I receive the message
> IEE345I MODIFY AUTHORITY INVALID, FAILED BY MVS
I don't think this is a problem with modify itself - if you were to try
issuing a modify command to something other than cics it would (perhaps)
work.
Unfortunately CICS systems need the consoles from which they will take
commands - especially CEMT - defined to that CICS system. This wasn't a
problem when a small number of hardware consoles were candidates but now
that there can be subsystem consoles it is a problem.
It's so long since I read anything about this that I can't be sure that
I'm remembering the terminology correctly. I think systems used to use
MCS consoles of which there could be up to 100 in each sysplex, and now
there can be many more (EMCS?) ones, each of which has a name assigned by
the system. One of the D C commands (D C,SUBSYS perhaps?) will show you
all the consoles defined in the sysplex at any one moment. The extended
consoles (software ones) might not be EMCS - perhaps the acronym is
something else.
Anyway, if you have the ordinary (MCS?) ones you are limited to 100 of
them, numbered 00-99 in the sysplex and your CICS sysprogs would need to
define all of those as candidates for MODIFY & CEMT.
If you have the software consoles too then your site should have a naming
convention for these so that foreground TSO users' consoles are named in
one way, and virtual consoles in other software are named another way -
it is important that no two pieces of software will try to set up and use
the same software console because there can only be one of each name
active at a time in the sysplex.
I assume from the fact that you have a command-issuing program that you
do not have NetView or any other operator automation product - if there
*is* one you will need to talk to whoever runs that as well as your
sysprogs to find out how to ensure that your program gets either a
standard console name, or one that is predictable (eg based on the SMFid
or SYSCLONE id values of whatever systen it is running on). Then you
will need to get that console name defined to each CICS system to which
you want to issue commands.
Hope that helps.
If you only have MCS consoles
--
Jeremy C B Nicoll - my opinions are my own.
Alessandro Brezzi
you are right: the MVS.MODIFY.** profile *IS* sufficient, but if present:
as usually I write small EXEC in a separate PDS RACF protected; I
copy/append and edit the profile and then EX the EXEC. This time I
made a big mistake, I write twice the permit for the .CANCEL.**
profile and forgotted the .MODIFY.** permit statement. :(
Also I forgot to verify the SYSLOG for ICH408 message, this time present.
Sorry, mybee to tired ...
Thanks
Alessandro