JES2 EXIT 6 QUESTION
Randy Horowitz (New User; joined 06 Feb 2018; 18 posts; United States)
Posted: Tue Feb 06, 2018 5:47 pm    Post subject: JES2 EXIT 6 QUESTION

Need to fail jobs that use non-approved dataset names in STEPLIB/JOBLIB for specific users as specified in the JOB card. Therefore, once one of the specific users is found, the criterion of only approved DSNs is to be applied so that an unapproved one will result in the job being terminated.
Question is this: Since this exit is called once per complete JCL card (JOB, EXEC or DD card), what generalized technique can be used to set a switch when a specific job is found in JES2 exits? When the DD card causes a call to the exit, the JOB card is no longer available. I see fields in the JCT that are reserved for the user, but does the JCT survive across calls to the exit? This is similar to the use of COMMAREA in CICS. Take pity on me, I am a CICS sysprog struggling with a JES2 EXIT assignment.

steve-myers (Active Member; joined 30 Nov 2013; 615 posts; The Universe)
Posted: Tue Feb 06, 2018 8:16 pm    Post subject: Re: JES2 EXIT 6 QUESTION

Randy Horowitz wrote:
    Need to fail jobs that use non-approved dataset names in STEPLIB/JOBLIB for specific users as specified in the JOB card. Therefore, once one of the specific users is found, the criterion of only approved DSNs is to be applied so that an unapproved one will result in the job being terminated.
    Question is this: Since this exit is called once per complete JCL card (JOB, EXEC or DD card), what generalized technique can be used to set a switch when a specific job is found in JES2 exits? When the DD card causes a call to the exit, the JOB card is no longer available. I see fields in the JCT that are reserved for the user, but does the JCT survive across calls to the exit? This is similar to the use of COMMAREA in CICS. Take pity on me, I am a CICS sysprog struggling with a JES2 EXIT assignment.

  1. What do you think RACF/ACF2/Top Secret are for? After all, data sets can be dynamically allocated.
  2. The JES2 JCT is more or less constant for the life of the job.
  3. There are methods to extend the JCT beyond JCTUSERn. The Network Job Header, for example, is easily extendable, though I'm not sure if exit 6 can access or modify it.
  4. Look at the return codes as discussed in JES2 User Exits for your release. I think you will find one tailor-made for you.
Randy Horowitz
Posted: Tue Feb 06, 2018 8:31 pm

1. These are jobs that come out of a scheduler, no one is going to dynamically allocate anything, they are COBOL batch jobs. We want to prevent a user from executing a load module from an "unapproved" loadlib.
2. Good to know.
3. Interesting fact.
4. I have studied Chapter 19 in detail. I need an area after processing the job card that I can use when processing a ddname, no mention of this anywhere.
enrico-sorichetti (Global Moderator; joined 14 Mar 2007; 10456 posts; Italy)
Posted: Tue Feb 06, 2018 9:35 pm    Post subject: Reply to: JES2 EXIT 6 QUESTION

Why not look at the samples provided by IBM?
Randy Horowitz
Posted: Tue Feb 06, 2018 9:41 pm

Have done this. The exit name is HASPX06 and it is located in SYS1.SHASSAMP. However, it does NOT show the technique to which I am alluding. I was using RTFM over 45 years ago and believe me I have RTFM!!
edited to remove an unpleasant remark
steve-myers
Posted: Tue Feb 06, 2018 9:52 pm

1. I repeat. What do you think RACF et al are for? This "fact" that the jobs are coming from a scheduler is BS. If you want the jobs to have a unique userid you use surrogate controls, not what you seem to be proposing. "Surrogate" controls allow USER=userid but no password on the JOB statement to be submitted by a job (the scheduler job) with a different userid. Look into that.

4. You need 1 bit saved across exit calls that indicates you are processing a JOBLIB or STEPLIB to handle concatenation.

In any event, I'm sure you realize JES2 exits are intended to be fairly static. How are you going to update your black list?

In the 1990s I worked for a shop that did security stuff in JES2. Aside from locking the complex 3 or 4 times a year because the idiots who did this before I got there did RACF calls in the JES2 main task while holding the checkpoint, a no-no even then (I was able to fix this), this code was essentially unreadable, with black-list type stuff (much of it surrogate-type stuff) that required an IPL to change. Prodded by auditors, all that c*** was offloaded to RACF. It took a year where I did little else.

Someone has not thought out this "requirement." A useful rule whenever there is a thought to do security stuff in JES2 is to figure out a way to process the requirement some other way. Yeah, it's great fun to write exits, but better not to write any sort of code.
Randy Horowitz
Posted: Tue Feb 06, 2018 10:13 pm

I am no RACF expert; mostly it just annoys me. We are already using USER= in the job card. For certain users they want the JOBLIB/STEPLIB to be limited to a few loadlibs. Can you write a RACF rule such that, for certain jobs run with a USER=, the STEPLIB or JOBLIB DD card can only use a few datasets? I thought RACF protects datasets. This is a rule to enforce that only certain datasets in certain DD cards for certain jobs run with certain users are allowed. Can RACF do this? Or is it set up to prevent certain users from accessing some datasets, which is entirely different.
To update the black list, which is static, a recompile of the exit would be needed.
I am not proposing RACF in JES2 exits - I merely need a technique for saving information from the JOB card call to exit 6 for when it is called for DD names. Any ideas?
No, it is not needed for concatenation, since the concatenated DD card is in the buffer for the call to the exit. I need it from the JOB card to the DD name call.
Every DD card in total is presented to the exit. A JCL statement is converted to C/I text strings in an 8192-byte buffer and the key of the dataset name is X'4A'. All of this from RTFMing. And the macro for scanning the buffer for the keys is $CALL XINTKEY,ERRRET= from the sample code.
Now any ideas?
enrico-sorichetti
Posted: Wed Feb 07, 2018 1:36 am    Post subject: Reply to: JES2 EXIT 6 QUESTION

Did you ever consider using IEFUJV, where in a much simpler context you can do exactly the same things?
And you could find quite a few useful samples at cbttape.org.
Randy Horowitz
Posted: Wed Feb 07, 2018 3:03 am

O.K., read the doc on IEFUJV; not sure what makes this a much simpler context, since the JCL is still presented to the exit in serial calls. But it seems to me I would have the same issue. Only saw 2 samples in the CBTTAPE. I will continue my research, thanks.
steve-myers
Posted: Wed Feb 07, 2018 9:08 am

You still haven't told us the high-level rationale for this code. Nor, other than what appear to me to be BS reasons, have you told us why this requirement cannot be met by RACF. It seems to me you're saying these jobs can access these data sets, but can't run code in these data sets. Huh!? Believe me, your code can easily be evaded.

I recall years ago I looked at using UJV to examine JCL, and rejected the idea because symbol substitution was not visible. Plus, the mechanics were more difficult than exit 6.
enrico-sorichetti
Posted: Wed Feb 07, 2018 1:01 pm    Post subject: Reply to: JES2 EXIT 6 QUESTION

Quote:
    Plus, the mechanics were more difficult than exit 6.

Odd how different experiences lead to different conclusions.
I was more comfortable with the UJV stuff!
Randy Horowitz
Posted: Wed Feb 07, 2018 5:22 pm

Sure, you want the reason, no problem.
Auditors want to prevent production jobs (batch) from executing programs from their private loadlibs. So you might think that this is a simple RACF job: protect the sched lib and only allow jobs (JCL) that meet the criteria in.
However, the application people demand access to the sched lib since they have always had it. And since nowadays the application people are embedded with the business people who pay the bills - guess who wins that argument. In my "early" days IT ruled the roost and imposed the "rules".
O.K., so now how can we please the auditors - hence EXIT 6.
After consulting with the only people who maintain and know RACF, they are kind of clueless how to write a rule that allows certain users coded in the JOB card with the USER parameter to only allow execution of programs from a subset of libraries. But I am no RACF expert.
So I am ready to write the exit, but I do not know how, on subsequent calls after the JOB card, the program will know that this job needs to examine the STEPLIB/JOBLIB for "rogue" loadlibs stuck in by the app people who have access to the schedule library in our scheduling system.
Looking at the IBM example for the SMF exit recommended here, they accomplish that task by using a field passed in; however, USER is not passed in, they are using CLASS, which is passed in via the REG1 parameter area. So this does not solve my problem.
Thanks for your help
daveporcelan (Active Member; joined 01 Dec 2006; 710 posts; Pennsylvania)
Posted: Wed Feb 07, 2018 6:21 pm

Randy,

To me this appears the proper solution is RACF. This is not very difficult at all.

The names I give are just for an example, yours will vary of course.

You should have production ids (hopefully surrogate) that are used to run production jobs. Lets call them PRODID1, PRODID2, etc... You can have a RACF group PRODGRP that contains all your PRODIDs.

You have production load libraries, which contain production code:
PROD.LOADLIB1, PROD.LOADLIB2, etc...

You can have a RACF dataset profile for PROD.LOADLIB* which PRODGRP has read access to. Test users can have read access as well. Only your Deployment ids should have update access here.

The TEST.LOADLIBs are the ones the application folks use for development and testing.

You can have a RACF dataset profile for TEST.LOADLIB* which PRODGRP has NONE access to.

This is a simple design that I am surprised you do not have in place.

If I was an auditor (god forbid), I would insist on a RACF approach. I would not allow excuses for why this won't work, only solutions to make it work.
steve-myers
Posted: Wed Feb 07, 2018 6:49 pm

I agree with Mr. Porcelan. If I were an auditor and caught wind of this idea I'd reject the idea, too. It's far too easy to evade the TS's control.

Mr. Sorichetti.
  • Remember, in UJV you don't see symbol substitution.
  • You have to scan for DSN=xxxx, DSNAME=xxx over multiple possible JCL statements. In internal text you scan for the DSNAME key in one string of parameters, plus symbol substitution has already occurred. You can't persuade me that UJV is "easier!" I'll concede exit 6 is harder to test and debug. Plus, since symbol substitution has not occurred, you add another path to evade the control.
Randy Horowitz
Posted: Wed Feb 07, 2018 6:50 pm

RACF is already set up as you suggest for the production libraries.
What your solution does not account for is this:
A rogue application person who desires to do some nefarious activity creates a program that he/she puts in a library which does not adhere to any known standard. There is no rule for such a library as you suggest with TEST.LOADLIB. Such as HACK.TAKE.CORP.ASSETS. They then stick this library in a production job's JCL and place it into the schedule library which they have access to. The rule you suggest, where the production ids have no access to TEST.LOADLIB.*, will still allow access to HACK.TAKE.CORP.ASSETS, will it not?
Randy Horowitz
Posted: Wed Feb 07, 2018 6:57 pm

Steve
When searching through the internal text, how does a concatenated DD name work? Are there multiple keys for DSNAME, one for each of the concatenated datasets?
What is "TS's control"?
How can this be evaded? A list of production libraries will be hard-coded in the exit, and if a dataset found in STEPLIB/JOBLIB is not in this list the job will be terminated.
Thanks
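An added example, not part of the thread and not IBM's or the poster's code: a Python model of the check being discussed, applied one JCL statement per call the way Exit 6 sees converter text. It shows the piece the first post asks for, a small per-job context that is set on the JOB-card call and read on the later DD-card calls (standing in for the JCTUSERn words; the real exit would be HLASM), and it walks through the two cases raised afterwards: a rogue library slipped into a JOBLIB/STEPLIB concatenation behind a blank-name DD, and the symbol-substitution path steve-myers describes, where a scan of raw JCL such as IEFUJV sees only `&LIB` while the post-substitution text shows the real name. The user IDs, library names, the allowlist and the `HACK.TAKE.CORP.ASSETS` jobs are constructed for the illustration; `substitute=False` is a stand-in for a pre-substitution scan and `fail_open` is a hypothetical policy switch, not a JES2 option.

```python
"""Model of a JOBLIB/STEPLIB allowlist applied one JCL statement at a time, the
way a JES2 Exit 6 sees converter text.  A small per-job context (standing in for
the JCTUSERn words) carries the JOB-card decision to the later DD-card calls.
Added illustration in Python; the real exit is HLASM and none of this is IBM code."""
import re
from dataclasses import dataclass, field

# Constructed sample policy (hypothetical user IDs and library names).
RESTRICTED_USERS = {"PRODID1", "PRODID2"}
APPROVED_LOADLIBS = {"PROD.LOADLIB1", "PROD.LOADLIB2"}

DSN_RE = re.compile(r"\bDSN(?:AME)?=([A-Z0-9$#@&.-]+)")   # DSN= or DSNAME=
USER_RE = re.compile(r"\bUSER=([A-Z0-9$#@]{1,8})")
SYMBOL_RE = re.compile(r"&([A-Z0-9$#@]{1,8})\.?")          # &SYM or &SYM.


@dataclass
class JobContext:
    """What must survive between exit calls for one job."""
    restricted: bool = False                     # JOB card named a restricted USER=
    in_loadlib: bool = False                     # last named DD was JOBLIB/STEPLIB
    symbols: dict = field(default_factory=dict)  # values from // SET statements


def split_statement(stmt):
    """Return (name, operation, parameters) for a single-line JCL statement."""
    body = stmt[2:]
    if body[:1].isspace():                       # blank name field: concatenated DD or // SET
        name, rest = "", body.strip()
    else:
        name, _, rest = body.partition(" ")
        rest = rest.strip()
    operation, _, params = rest.partition(" ")
    return name, operation, params.strip()


def resolve(ctx, text):
    """Apply // SET values to &SYMBOL references, as the converter does before Exit 6 runs."""
    return SYMBOL_RE.sub(lambda m: ctx.symbols.get(m.group(1), m.group(0)), text)


def scan_statement(ctx, stmt, substitute=True, fail_open=False):
    """One call per statement.  Returns None to accept or a reason string to fail the job."""
    name, op, params = split_statement(stmt)
    if op == "JOB":
        m = USER_RE.search(params)
        ctx.restricted = bool(m) and m.group(1) in RESTRICTED_USERS
    elif op == "SET":
        for kv in params.split(","):
            sym, _, val = kv.partition("=")
            ctx.symbols[sym.strip()] = val.strip("' ")
    elif op == "EXEC":
        ctx.in_loadlib = False                   # new step; its STEPLIB must be a named DD
    elif op == "DD":
        if name:                                 # a named DD starts or ends a library concatenation
            ctx.in_loadlib = name in ("JOBLIB", "STEPLIB")
        if ctx.restricted and ctx.in_loadlib:
            text = resolve(ctx, params) if substitute else params
            for dsn in DSN_RE.findall(text):
                if "&" in dsn:                   # raw-text scan: the real name is not visible yet
                    if fail_open:
                        continue                 # skipping here is the evasion path
                    return f"unresolved symbol in {name or 'concatenated'} DD: {dsn}"
                if dsn not in APPROVED_LOADLIBS:
                    return f"unapproved load library {dsn}"
    return None


def scan_job(jcl, substitute=True, fail_open=False):
    """Drive the per-statement scan over a whole job; returns (accepted, reason)."""
    ctx = JobContext()
    for stmt in jcl:
        reason = scan_statement(ctx, stmt, substitute, fail_open)
        if reason:
            return False, reason
    return True, None


# Constructed sample jobs.
LEGIT = ["//PAYROLL  JOB (ACCT),'NIGHTLY',CLASS=A,USER=PRODID1",
         "//STEP1    EXEC PGM=PAYCALC",
         "//STEPLIB  DD DSN=PROD.LOADLIB1,DISP=SHR",
         "//         DD DSN=PROD.LOADLIB2,DISP=SHR",
         "//SYSOUT   DD SYSOUT=*"]
ROGUE_CONCAT = ["//PAYROLL  JOB (ACCT),'NIGHTLY',CLASS=A,USER=PRODID1",
                "//JOBLIB   DD DSN=PROD.LOADLIB1,DISP=SHR",
                "//         DD DSN=HACK.TAKE.CORP.ASSETS,DISP=SHR",
                "//STEP1    EXEC PGM=PAYCALC"]
ROGUE_SYMBOL = ["//PAYROLL  JOB (ACCT),'NIGHTLY',CLASS=A,USER=PRODID1",
                "// SET LIB=HACK.TAKE.CORP.ASSETS",
                "//STEP1    EXEC PGM=PAYCALC",
                "//STEPLIB  DD DSN=&LIB,DISP=SHR"]
UNRESTRICTED = ["//DEVTEST  JOB (ACCT),'DEV',CLASS=A,USER=DEVUSR1",
                "//STEP1    EXEC PGM=PAYCALC",
                "//STEPLIB  DD DSN=HACK.TAKE.CORP.ASSETS,DISP=SHR"]

if __name__ == "__main__":
    print("legit job                        ", scan_job(LEGIT))
    print("rogue concatenation              ", scan_job(ROGUE_CONCAT))
    print("rogue symbol, post-substitution  ", scan_job(ROGUE_SYMBOL))
    print("rogue symbol, raw text, fail-open", scan_job(ROGUE_SYMBOL, substitute=False, fail_open=True))
    print("unrestricted user                ", scan_job(UNRESTRICTED))
```

Run as a script it prints the five verdicts. The raw-text path exposes the trade-off behind the UJV-versus-exit-6 argument: failing closed on an unresolved `&SYMBOL` rejects legitimate jobs that use symbols in their STEPLIB, failing open lets the rogue library through, and only the post-substitution view gives the right answer in both cases. The same per-job flag that remembers the restricted user also covers the concatenation, since a blank-name DD simply inherits `in_loadlib` from the preceding JOBLIB/STEPLIB statement.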
daveporcelan
Posted: Wed Feb 07, 2018 6:58 pm

Quote:
    They then stick this library in a production job's JCL and place it into the schedule library which they have access to. The rule you suggest, where the production ids have no access to TEST.LOADLIB.*, will still allow access to HACK.TAKE.CORP.ASSETS, will it not?

Your JCL deployment process should validate all JCL going to production.
This should be a combination of products like JCLCHECK, in-house utilities, and Prodco support staff. There should be no way this JCL will make it to production.

Additionally, any high-level qualifier that application staff has ALTER access to, PRODGRP should have NONE to.
Randy Horowitz
Posted: Wed Feb 07, 2018 7:02 pm

daveporcelan,
That is the entire point which I made previously. There is NO control over the production schedule libraries. Of course there should be, but there never was, and the application people will not stand for it. And the business people, who know nothing, agree with them and IT loses the battle... but the auditors demand a solution. Please...
Randy Horowitz
Posted: Wed Feb 07, 2018 7:05 pm

I started by asking how, in exit 6, after a job card is passed and this job is flagged, I could "remember" this when a DD card to which the rule should apply is passed. Any ideas about that? Thanks
daveporcelan
Posted: Wed Feb 07, 2018 7:08 pm

Quote:
    but the auditors demand a solution

This is a management problem that cannot be solved here.

Your attempt of using an EXIT is an admirable approach. One I am unable to help with.

The auditors need to go to UPPER management and DEMAND a RACF solution.

Getting your Production JCL under proper controls is vital to a safe environment.

Good luck with your EXIT 6 effort.

Dave out.
Page 1 of 2

 
