JES2 EXIT 6 QUESTION


IBM Mainframe Forums -> All Other Mainframe Topics
Randy Horowitz

New User


Joined: 06 Feb 2018
Posts: 18
Location: United States

PostPosted: Tue Feb 06, 2018 5:47 pm

Need to fail jobs that use non approved dataset names in steplib/joblib for specific users as specified in the JOB card. Therefore, once one of the specific users are found then the criteria for only approved dsns is to be applied so that an unapproved one will result in the job being terminated.
Question is this: Since this exit is called once per complete JCL card (job, exec or ddcard) what generalized technique can be used to set a switch when
a specific job is found in JES2 exits ? Since when the ddcard causes a call to the exit the job card is no longer available. I see fields in the JCT that are reserved for the user but does the JCT survive across calls to the exit ? This is similar to the use of COMMAREA in CICS. Take pity on me I am a CICS sys prog struggling with a JES2 EXIT assignment.
steve-myers

Active Member


Joined: 30 Nov 2013
Posts: 917
Location: The Universe

PostPosted: Tue Feb 06, 2018 8:16 pm

Randy Horowitz wrote:
Need to fail jobs that use non approved dataset names in steplib/joblib for specific users as specified in the JOB card. Therefore, once one of the specific users are found then the criteria for only approved dsns is to be applied so that an unapproved one will result in the job being terminated.
Question is this: Since this exit is called once per complete JCL card (job, exec or ddcard) what generalized technique can be used to set a switch when
a specific job is found in JES2 exits ? Since when the ddcard causes a call to the exit the job card is no longer available. I see fields in the JCT that are reserved for the user but does the JCT survive across calls to the exit ? This is similar to the use of COMMAREA in CICS. Take pity on me I am a CICS sys prog struggling with a JES2 EXIT assignment.
  1. What do you think RACF/ACF2/Top Secret are for? After all, data sets can be dynamically allocated.
  2. The JES2 JCT is more or less constant for the life of the job.
  3. There are methods to extend the JCT beyond JCTUSERn. The Network Job Header, for example is easily extendable, though I'm not sure if exit 6 can access or modify it.
  4. Look at the return codes as discussed in JES2 User Exits for your release. I think you will find one tailor made for you.
Randy Horowitz

New User


Joined: 06 Feb 2018
Posts: 18
Location: United States

PostPosted: Tue Feb 06, 2018 8:31 pm

1. These are jobs that come out of a scheduler, no one is going to dynamically allocate anything, they are COBOL batch jobs. We want to prevent a user from executing a load module from an "unapproved" loadlib.
2. Good to know.
3. Interesting fact.
4. I have studied Chapter 19 in detail. I need an area after processing the job card that I can use when processing a ddname, no mention of this anywhere.
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10872
Location: italy

PostPosted: Tue Feb 06, 2018 9:35 pm

why not look at the samples provided by IBM ???
Randy Horowitz

New User


Joined: 06 Feb 2018
Posts: 18
Location: United States

PostPosted: Tue Feb 06, 2018 9:41 pm

Have done this. The exit name is HASPX06 and it is located in SYS1.SHASSAMP. However, it does NOT show the technique to which I am alluding. I was using RTFM over 45 years ago and believe me I have RTFM !!
edited to remove an unpleasant remark
steve-myers

Active Member


Joined: 30 Nov 2013
Posts: 917
Location: The Universe

PostPosted: Tue Feb 06, 2018 9:52 pm

1. I repeat. What do you think RACF et al are for? This "fact" that the jobs are coming from a scheduler is BS. If you want the jobs to have a unique userid you use surrogate controls, not what you seem to be proposing. "Surrogate" controls allow USER=userid but no password on the JOB statement to be submitted by a job (the scheduler job) with a different userid. Look into that.

4. You need 1 bit saved across exit calls that indicates you are processing a JOBLIB or STEPLIB to handle concatenation.

In any event, I'm sure you realize JES2 exits are intended to be fairly static. How are you going to update your black list?

In the 1990s I worked for a shop that did security stuff in JES2. Aside from locking the complex 3 or 4 times a year because the idiots that did this before I got there did RACF calls in JES2 main task while holding the checkpoint, a no no even then. I was able to fix this, but this code was essentially unreadable with black list type stuff (much of it surrogate type stuff) that required an IPL to change. Prodded by auditors all that c*** was offloaded to RACF. It took a year where I did little else.

Someone has not thought out this "requirement." A useful rule whenever there is a thought to do security stuff in JES2 is to figure out a way to process the requirement some other way. Yeah, it's great fun to write exits, but better not to write any sort of code.
Randy Horowitz

New User


Joined: 06 Feb 2018
Posts: 18
Location: United States

PostPosted: Tue Feb 06, 2018 10:13 pm

I am no RACF expert, mostly it just annoys me. We are already using USER= in the job card. For certain users they want the JOBLIB/STEPLIB to be limited to a few loadlibs. Can you write a RACF rule that for certain jobs run with a USER= that the steplib or joblib ddcard can only use a few datasets ? I thought RACF protects datasets. This is a rule to enforce that only certain datasets in certain ddcards for certain jobs run with certain users is allowed. Can RACF do this ?? Or is it setup to protect certain users from not being able to access some datasets which is entirely different.
To update the black list which is static a recompile of the exit would be needed.
I am not proposing RACF in JES2 exits - I merely need a technique for saving information from the JOB card call to exit 6 when it is called from ddnames. Any ideas ??
No it is not needed for concatenation since the concatenated ddcard is in the buffer for the call to the exit. I need it from the JOB card to the ddname call.
Every ddcard in total is presented to the exit. A JCL statement is converted to CI text strings in an 8192 byte buffer and the key of the dataset name is X'4A'. All of this from RTFMing. And the macro for scanning the buffer for the keys is $CALL XINTKEY,ERRRET= from the sample code.
Now any ideas ?
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10872
Location: italy

PostPosted: Wed Feb 07, 2018 1:36 am

Did You ever consider using IEFUJV, where in a much simpler context You can do exactly the same things?
And You could find quite a few useful samples at cbttape.org.
Randy Horowitz

New User


Joined: 06 Feb 2018
Posts: 18
Location: United States

PostPosted: Wed Feb 07, 2018 3:03 am

O.K. read the doc on IEFUJV, not sure what makes this a much simpler context since the JCL is still presented to the exit in serial calls. But it seems to me I would have the same issue. Only saw 2 samples in the CBTTAPE. I will continue my research, thanks
steve-myers

Active Member


Joined: 30 Nov 2013
Posts: 917
Location: The Universe

PostPosted: Wed Feb 07, 2018 9:08 am

You still haven't told us the high level rationale for this code. Nor, other than what appear to me to be BS reasons, have you told us why this requirement cannot be met by RACF. It seems to me you're saying these jobs can access these data sets, but can't run code in these data sets. Huh!? Believe me, your code can easily be evaded.

I recall years ago I looked at using UJV to examine JCL, and rejected the idea because symbol substitution was not visible. Plus, the mechanics were more difficult than exit 6.
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10872
Location: italy

PostPosted: Wed Feb 07, 2018 1:01 pm

Quote:
Plus, the mechanics were more difficult than exit 6.


odd how different experiences lead to different conclusions
I was more comfortable with the UJV stuff!
Randy Horowitz

New User


Joined: 06 Feb 2018
Posts: 18
Location: United States

PostPosted: Wed Feb 07, 2018 5:22 pm

Sure, you want the reason, no problem.
Auditors want to prevent production jobs (batch) from executing programs from their private loadlibs. So you might think that this is a simple RACF protect the sched lib and only allow jobs (JCL) that meet the criteria in.
However, the application people demand access to the sched lib since they have always had it. And since nowadays the application people are embedded with the business people who pay the bills - guess who wins that argument. In my "early" days IT ruled the roost and imposed the "rules".
O.K. so now how can we please the auditors - hence EXIT 6.
After consulting with the only people who maintain and know RACF they are kind of clueless how to write a rule that allows certain users coded in the JOB card with the USER parameter to only allow execution of programs from a subset of libraries. But I am no RACF expert.
So I am ready to write the exit but I do not know where on subsequent calls after the JOB card the program will know that this job needs to examine the steplib/joblib for "rogue" loadlibs stuck in by the app people who have access to the schedule library in our scheduling system.
Looking at the IBM example for the SMF exit recommended here they accomplish that task by using a field passed in; however, USER is not passed in, they are using CLASS which is passed in via the REG1 parameter area. So this does not solve my problem.
Thanks for your help
daveporcelan

Active Member


Joined: 01 Dec 2006
Posts: 792
Location: Pennsylvania

PostPosted: Wed Feb 07, 2018 6:21 pm

Randy,

To me this appears the proper solution is RACF. This is not very difficult at all.

The names I give are just for an example, yours will vary of course.

You should have production ids (hopefully surrogate) that are used to run production jobs. Let's call them PRODID1, PRODID2, etc... You can have a RACF group PRODGRP that contains all your PRODIDs.

You have production load libraries, which contain production code:
PROD.LOADLIB1, PROD.LOADLIB2, etc...

You can have a RACF dataset profile for PROD.LOADLIB* which PRODGRP has read access to. Test users can have read access as well. Only your Deployment ids should have update access here.

The TEST.LOADLIBs are the ones the application folks use for development and testing.

You can have a RACF dataset profile for TEST.LOADLIB* which PRODGRP has NONE access to.

This is a simple design, that I am surprised you do not have in place.

If I was an auditor (god forbid), I would insist on a RACF approach. I would not allow excuses for why this won't work, only solutions to make it work.
steve-myers

Active Member


Joined: 30 Nov 2013
Posts: 917
Location: The Universe

PostPosted: Wed Feb 07, 2018 6:49 pm

I agree with Mr. Porcelan. If I were an auditor and caught wind of this idea I'd reject the idea, too. It's far too easy to evade the TS's control.

Mr. Sorichetti.
  • Remember, in UJV you don't see symbol substitution.
  • You have to scan for DSN=xxxx, DSNAME=xxx over multiple possible JCL statements. In internal text you scan for the DSNAME key in one string of parameters, plus symbol substitution has already occurred. You can't persuade me that UJV is "easier!" I'll concede exit 6 is harder to test and debug. Plus, since symbol substitution has not occurred, you add another path to evade the control.
Randy Horowitz

New User


Joined: 06 Feb 2018
Posts: 18
Location: United States

PostPosted: Wed Feb 07, 2018 6:50 pm

RACF is already set up as you suggest for the production libraries.
What your solution does not account for is this:
A rogue application person who desires to do some nefarious activity creates a program that he/she puts in a library which does not adhere to any known standard. There is no rule for such a library as you suggest with TEST.LOADLIB. Such as HACK.TAKE.CORP.ASSETS. They then stick this library in a production job's JCL and place it into the schedule library which they have access to. The rule you suggest where the production ids have no access to TEST.LOADLIB.* will have access to HACK.TAKE.CORP.ASSETS, will it not?
Randy Horowitz

New User


Joined: 06 Feb 2018
Posts: 18
Location: United States

PostPosted: Wed Feb 07, 2018 6:57 pm

Steve
When searching through the internal text how does a concatenated ddname work? Are there multiple keys for dsname for each of the concatenated datasets?
What is "TS's control"?
How can this be evaded ? A list of production libraries will be hard coded in the exit and if a dataset found in steplib/joblib is not in this list the job will be terminated.
Thanks
daveporcelan

Active Member


Joined: 01 Dec 2006
Posts: 792
Location: Pennsylvania

PostPosted: Wed Feb 07, 2018 6:58 pm

Quote:
They then stick this library in a production job's JCL and place into the schedule library which they have access to. The rule you suggest where the production ids has no access to TEST.LOADLIB.* will have access to HACK.TAKE.CORP.ASSETS will it not ?


Your JCL Deployment process should validate all JCL going to Production.
This should be a combination of products like JCLCHECK, in house utilities, and Prodco support staff. There should be no way this JCL will make it to production.

Additionally, any high level qualifier that application staff has alter access to, PRDGRP should have NONE to.
Randy Horowitz

New User


Joined: 06 Feb 2018
Posts: 18
Location: United States

PostPosted: Wed Feb 07, 2018 7:02 pm

daveporcelan,
That is the entire point which I made previously. There is NO control over the production schedule libraries. Of course there should be, but there never was, and the application people will not stand for it. And the business people who know nothing agree with them and IT loses the battle... but the auditors demand a solution. Please...
Randy Horowitz

New User


Joined: 06 Feb 2018
Posts: 18
Location: United States

PostPosted: Wed Feb 07, 2018 7:05 pm

I started by asking how, in exit 6, after a job card is passed and this job is flagged, I could "remember" this when a ddcard is passed which the rule should apply to. Any ideas about that? Thanks
daveporcelan

Active Member


Joined: 01 Dec 2006
Posts: 792
Location: Pennsylvania

PostPosted: Wed Feb 07, 2018 7:08 pm

Quote:
but the auditor's demand a solution

This is a management problem that cannot be solved here.

Your attempt of using an EXIT is an admirable approach. One I am unable to help with.

The auditors need to go to UPPER management and DEMAND a RACF solution.

Getting your Production JCL under proper controls is vital to a safe environment.

Good luck with your EXIT 6 effort.

Dave out.
Randy Horowitz

New User


Joined: 06 Feb 2018
Posts: 18
Location: United States

PostPosted: Wed Feb 07, 2018 7:12 pm

daveporcelan,
I never asked for a solution to the control of the JCL library, you turned it into that. I asked for a way for EXIT 6 to "remember" something about a previous call to it so that it may take action subsequently. This is very common to all transaction type processing such as CICS.
Thanks for your comments.
daveporcelan

Active Member


Joined: 01 Dec 2006
Posts: 792
Location: Pennsylvania

PostPosted: Wed Feb 07, 2018 7:35 pm

This is an expert forum, in which people who participate use their experience to provide assistance.

As you noticed, several of the experts asked for additional information to better understand the scope of the problem.

Providing a specific answer to a narrow question is not what we do here.

While that is done often, when the approach to the problem does not appear to be appropriate, alternate solutions are discussed.

Even if you do not come away with a specific answer to your original question, please take away from the effort given by the experts here any value it may provide.

I would be remiss not to give my seasoned opinion on your issue.
Randy Horowitz

New User


Joined: 06 Feb 2018
Posts: 18
Location: United States

PostPosted: Wed Feb 07, 2018 7:47 pm

daveporcelan
Thank you very much !
steve-myers

Active Member


Joined: 30 Nov 2013
Posts: 917
Location: The Universe

PostPosted: Wed Feb 07, 2018 8:42 pm

Randy Horowitz wrote:
Steve
When searching through the internal text how does a concatenated ddname work ? Is there multiple keys for dsname for each of the concatenated datasets ?
What is "TS's control".
How can this be evaded ? A list of production libraries will be hard coded in the exit and if a dataset found in steplib/joblib is not in this list the job will be terminated.
Thanks
  1. To be honest, I'm not 100% sure, but I think you continue to see two DD statements. It is not combined. When it goes to execution there are still two DD statements. It is "combined" only in the sense it is combined after they have opened.
  2. TS generally means "topic starter," that is the first or initial query in the thread.
  3. Here is one way to evade your proposed control.
    Code:
    //EVADE   EXEC PGM=IKJEFT01,
    // PARM='CALL ''TEST.LIBRARY(EVADEPGM)'' ''PARAMETER TEXT'''
    //SYSTSPRT DD  SYSOUT=*
    //SYSTSIN  DD  DUMMY
    // Other DD statements
    There are other variations, but that is one example. TEST.LIBRARY becomes the equivalent of a STEPLIB in addition to any other STEPLIB established for the step until EVADEPGM terminates. The TSO CALL command has worked that way for almost 50 years.

    Another example -
    Code:
    //EVADE   EXEC PGM=IKJEFT01
    //SYSTSPRT DD  SYSOUT=*
    //SYSTSIN  DD  *
    CALL 'TEST.LIBRARY(EVADEPGM)' 'PARAMETER TEXT'
    // Other DD statements
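An added example (not from the thread and not IBM's HASPX06 sample): a Python model of the exit-6 decision flow discussed in this thread, covering the cross-call flag Randy asked about (the JCTUSERn area steve-myers pointed to, modelled here as a dict that lives for the whole job), the per-statement DSNAME check Randy described for internal text (where the DSNAME key is X'4A'), and the IKJEFT01 CALL gap shown in the post above. The real exit is HLASM scanning the converter's internal text; here each statement is a pre-parsed dict, and the USER value and library names are constructed samples.

```python
# Added example, not IBM's HASPX06 sample: a Python model of the exit-6 logic
# from the thread. The real exit is HLASM scanning 8192-byte internal text
# (DSNAME key X'4A'); here each statement is a pre-parsed dict (constructed).
WATCHED_USERS = {"PRODID1"}                              # constructed USER= values
APPROVED_LOADLIBS = {"PROD.LOADLIB1", "PROD.LOADLIB2"}   # constructed allow list

def exit6_call(stmt, jct_user):
    """One exit-6 call for one JCL statement. jct_user stands in for the
    JCTUSERn area: it lives for the whole job, so the decision taken on the
    JOB statement is still there when the DD statements arrive on later
    calls. Returns None to accept, or a reason string to fail the job."""
    kind = stmt["type"]
    if kind == "JOB":
        # The JOB statement is seen exactly once; record the decision now.
        jct_user["check_libs"] = stmt.get("USER") in WATCHED_USERS
        jct_user["in_lib_concat"] = False
        return None
    if not jct_user.get("check_libs"):
        return None                                     # rule not in force
    if kind == "EXEC":
        jct_user["in_lib_concat"] = False
        # Gap from the thread: TSO CALL loads from whatever library PARM
        # names, so a STEPLIB/JOBLIB allow list alone does not cover it.
        # The SYSTSIN variant is in-stream data, not a JCL statement, so
        # exit 6 never sees it at all.
        if stmt.get("PGM") == "IKJEFT01" and "CALL" in stmt.get("PARM", "").upper():
            return "IKJEFT01 with CALL in PARM bypasses the library check"
        return None
    if kind == "DD":
        ddname = stmt.get("DDNAME", "")
        if ddname in ("JOBLIB", "STEPLIB"):
            jct_user["in_lib_concat"] = True            # start of a library DD
        elif ddname:
            jct_user["in_lib_concat"] = False           # some other DD
        # A DD with no ddname continues the concatenation; each member is
        # still its own statement and its own exit call.
        if jct_user["in_lib_concat"]:
            dsn = stmt.get("DSN")                       # value of the X'4A' key
            if dsn and dsn not in APPROVED_LOADLIBS:
                return "unapproved library " + dsn + " in JOBLIB/STEPLIB"
    return None

def run_job(statements):
    """Feed one job through exit6_call; return the first failure reason."""
    jct_user = {}                                       # fresh JCT per job
    for stmt in statements:
        reason = exit6_call(stmt, jct_user)
        if reason:
            return reason
    return None

# Constructed sample job: an unapproved library concatenated under JOBLIB.
SAMPLE_JOB = [
    {"type": "JOB", "USER": "PRODID1"},
    {"type": "DD", "DDNAME": "JOBLIB", "DSN": "PROD.LOADLIB1"},
    {"type": "DD", "DDNAME": "", "DSN": "HACK.TAKE.CORP.ASSETS"},
    {"type": "EXEC", "PGM": "PAYROLL"},
]
```

The same flag that lets the DD calls find the JOB-card decision is also what the model cannot extend to the CALL path, which is the evasion point made above.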
Randy Horowitz

New User


Joined: 06 Feb 2018
Posts: 18
Location: United States

PostPosted: Wed Feb 07, 2018 11:32 pm

Steve,
O.K. so never got an answer to my question but it was an interesting conversation. Thanks for the work arounds. Funny, my thought was that a concatenation is still one ddname, and the Conversion/Interpreter leads me to think that more than one dsname concatenated in one ddname would mean that there would be multiple dsname keys.