Discussion:
JCL Convertor
(too old to reply)
ITschak Mugzach
2017-07-26 19:48:12 UTC
Permalink
Raw Message
I am sure this question was asked here before... Can a user program Call
the converter, supplying input file and get the output? Don't want to
reinvent the wheel, but was requested to had extra checks that are not
offered by available products in the market.
--
ITschak Mugzach
*|** IronSphere Platform* *|** Automatic ISCM** (Information Security
Contiguous Monitoring) **| *

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Mitch Mccluhan
2017-07-26 20:23:02 UTC
Permalink
Raw Message
ITschak:

What are you trying to do? When you say "available products", which ones are you referring to?

Regards,



Mitch McCluhan
***@aol.com





-----Original Message-----
From: ITschak Mugzach <***@GMAIL.COM>
To: IBM-MAIN <IBM-***@LISTSERV.UA.EDU>
Sent: Wed, Jul 26, 2017 2:49 pm
Subject: JCL Convertor

I am sure this question was asked here before... Can a user program Call
the converter, supplying input file and get the output? Don't want to
reinvent the wheel, but was requested to had extra checks that are not
offered by available products in the market.
--
ITschak Mugzach
*|** IronSphere Platform* *|** Automatic ISCM** (Information Security
Contiguous Monitoring) **| *

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Paul Gilmartin
2017-07-26 20:43:53 UTC
Permalink
Raw Message
Post by ITschak Mugzach
I am sure this question was asked here before... Can a user program Call
the converter, supplying input file and get the output? Don't want to
reinvent the wheel, but was requested to had extra checks that are not
offered by available products in the market.
Use a COND or an IF to make the job do nothing. (TYPRUN gives incomplete
conversion.) Scrape the JESJCLIN with SDSF. Even so, you will not see
substitutions in PARMDD, done by the access method(?) during execution.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
ITschak Mugzach
2017-07-26 20:57:59 UTC
Permalink
Raw Message
Is submit the only way of doing this?
Extra functions needed, for example, is ensuring the user has sufficient
racf authority to resources used by the job.

ITschak

בתאריך 26 ביול 2017 23:45,‏ "Paul Gilmartin" <
Post by Paul Gilmartin
Post by ITschak Mugzach
I am sure this question was asked here before... Can a user program Call
the converter, supplying input file and get the output? Don't want to
reinvent the wheel, but was requested to had extra checks that are not
offered by available products in the market.
Use a COND or an IF to make the job do nothing. (TYPRUN gives incomplete
conversion.) Scrape the JESJCLIN with SDSF. Even so, you will not see
substitutions in PARMDD, done by the access method(?) during execution.
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Vernooij, Kees - KLM , ITOPT1
2017-07-27 06:52:32 UTC
Permalink
Raw Message
RACF checks are not a task of the convertor.

Kees.
Post by Mitch Mccluhan
-----Original Message-----
Behalf Of ITschak Mugzach
Sent: 26 July, 2017 22:59
Subject: Re: JCL Convertor
Is submit the only way of doing this?
Extra functions needed, for example, is ensuring the user has sufficient
racf authority to resources used by the job.
ITschak
בתאריך 26 ביול 2017 23:45,‏ "Paul Gilmartin" <
Post by Paul Gilmartin
Post by ITschak Mugzach
I am sure this question was asked here before... Can a user program
Call
Post by Paul Gilmartin
Post by ITschak Mugzach
the converter, supplying input file and get the output? Don't want to
reinvent the wheel, but was requested to had extra checks that are
not
Post by Paul Gilmartin
Post by ITschak Mugzach
offered by available products in the market.
Use a COND or an IF to make the job do nothing. (TYPRUN gives
incomplete
Post by Paul Gilmartin
conversion.) Scrape the JESJCLIN with SDSF. Even so, you will not
see
Post by Paul Gilmartin
substitutions in PARMDD, done by the access method(?) during
execution.
Post by Paul Gilmartin
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
********************************************************
For information, services and offers, please visit our web site: http://www.klm.com. This e-mail and any attachment may contain confidential and privileged material intended for the addressee only. If you are not the addressee, you are notified that no part of the e-mail or any attachment may be disclosed, copied or distributed, and that any other action related to this e-mail or attachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immediately by return e-mail, and delete this message.

Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its employees shall not be liable for the incorrect or incomplete transmission of this e-mail or any attachments, nor responsible for any delay in receipt.
Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch Airlines) is registered in Amstelveen, The Netherlands, with registered number 33014286
********************************************************


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
ITschak Mugzach
2017-07-27 07:55:00 UTC
Permalink
Raw Message
I know. This is a function i'll add if no product that doea that.

ITschak

בתאריך 27 ביול 2017 09:54,‏ "Vernooij, Kees (ITOPT1) - KLM" <
Post by Vernooij, Kees - KLM , ITOPT1
RACF checks are not a task of the convertor.
Kees.
Post by Mitch Mccluhan
-----Original Message-----
Behalf Of ITschak Mugzach
Sent: 26 July, 2017 22:59
Subject: Re: JCL Convertor
Is submit the only way of doing this?
Extra functions needed, for example, is ensuring the user has sufficient
racf authority to resources used by the job.
ITschak
בתאריך 26 ביול 2017 23:45,‏ "Paul Gilmartin" <
Post by Paul Gilmartin
Post by ITschak Mugzach
I am sure this question was asked here before... Can a user program
Call
Post by Paul Gilmartin
Post by ITschak Mugzach
the converter, supplying input file and get the output? Don't want to
reinvent the wheel, but was requested to had extra checks that are
not
Post by Paul Gilmartin
Post by ITschak Mugzach
offered by available products in the market.
Use a COND or an IF to make the job do nothing. (TYPRUN gives
incomplete
Post by Paul Gilmartin
conversion.) Scrape the JESJCLIN with SDSF. Even so, you will not
see
Post by Paul Gilmartin
substitutions in PARMDD, done by the access method(?) during
execution.
Post by Paul Gilmartin
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
********************************************************
http://www.klm.com. This e-mail and any attachment may contain
confidential and privileged material intended for the addressee only. If
you are not the addressee, you are notified that no part of the e-mail or
any attachment may be disclosed, copied or distributed, and that any other
action related to this e-mail or attachment is strictly prohibited, and may
be unlawful. If you have received this e-mail by error, please notify the
sender immediately by return e-mail, and delete this message.
Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its
employees shall not be liable for the incorrect or incomplete transmission
of this e-mail or any attachments, nor responsible for any delay in receipt.
Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch
Airlines) is registered in Amstelveen, The Netherlands, with registered
number 33014286
********************************************************
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Paul Gilmartin
2017-07-26 21:01:19 UTC
Permalink
Raw Message
Post by ITschak Mugzach
Is submit the only way of doing this?
Extra functions needed, for example, is ensuring the user has sufficient
racf authority to resources used by the job.
DYNALLOC makes all this effort futile.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Lizette Koehler
2017-07-26 21:06:57 UTC
Permalink
Raw Message
Sounds like you are validating access and a few other things. Trying to prevent JOB failures during production by preprocessing.

I know JCL+ by SEA and PROJCL by ASG will do that.

Lizette



-----Original Message-----
Sent: Jul 26, 2017 1:59 PM
Subject: Re: JCL Convertor
Is submit the only way of doing this?
Extra functions needed, for example, is ensuring the user has sufficient
racf authority to resources used by the job.
ITschak
בתאריך 26 ביול 2017 23:45,‏ "Paul Gilmartin" <
Post by Paul Gilmartin
Post by ITschak Mugzach
I am sure this question was asked here before... Can a user program Call
the converter, supplying input file and get the output? Don't want to
reinvent the wheel, but was requested to had extra checks that are not
offered by available products in the market.
Use a COND or an IF to make the job do nothing. (TYPRUN gives incomplete
conversion.) Scrape the JESJCLIN with SDSF. Even so, you will not see
substitutions in PARMDD, done by the access method(?) during execution.
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Mitch Mccluhan
2017-07-26 21:14:57 UTC
Permalink
Raw Message
....and J-MAN from RES does even more.

Mitch Mccluhan
***@aol.com

On Wednesday, July 26, 2017 Lizette Koehler <***@MINDSPRING.COM> wrote:
Sounds like you are validating access and a few other things. Trying to prevent JOB failures during production by preprocessing.

I know JCL+ by SEA and PROJCL by ASG will do that.

Lizette



-----Original Message-----
Sent: Jul 26, 2017 1:59 PM
Subject: Re: JCL Convertor
Is submit the only way of doing this?
Extra functions needed, for example, is ensuring the user has sufficient
racf authority to resources used by the job.
ITschak
בתאריך 26 ביול 2017 23:45,‏ "Paul Gilmartin" <
Post by ITschak Mugzach
I am sure this question was asked here before... Can a user program Call
the converter, supplying input file and get the output? Don't want to
reinvent the wheel, but was requested to had extra checks that are not
offered by available products in the market.
Use a COND or an IF to make the job do nothing. (TYPRUN gives incomplete
conversion.) Scrape the JESJCLIN with SDSF. Even so, you will not see
substitutions in PARMDD, done by the access method(?) during execution.
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Steve Beaver
2017-07-26 22:16:41 UTC
Permalink
Raw Message
You are talking a ton of work. You would have to get access to the CI AFTER all the substitutions have been made.

I know of one (1) guy that was able to get that to work and it took him weeks upon weeks

Steve

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of ITschak Mugzach
Sent: Wednesday, July 26, 2017 2:49 PM
To: IBM-***@LISTSERV.UA.EDU
Subject: JCL Convertor

I am sure this question was asked here before... Can a user program Call the converter, supplying input file and get the output? Don't want to reinvent the wheel, but was requested to had extra checks that are not offered by available products in the market.

--
ITschak Mugzach
*|** IronSphere Platform* *|** Automatic ISCM** (Information Security Contiguous Monitoring) **| *

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Paul Gilmartin
2017-07-26 22:25:45 UTC
Permalink
Raw Message
Post by Steve Beaver
You are talking a ton of work. You would have to get access to the CI AFTER all the substitutions have been made.
I know of one (1) guy that was able to get that to work and it took him weeks upon weeks
Why is that so hard? Scrape the JESJCL with SDSF. (Not JESJCLIN I mentioned earlier;
that's before substitution.)

But DYNALLOC remains a problem. It would be useful to have a JOB statement
option that disables DYNALLOC for the rest of the job. And for any fork()ed
address spaces. And for any offspring submitted via INTRDR.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Steve Beaver
2017-07-26 22:34:09 UTC
Permalink
Raw Message
He did it HLASM and called CI services

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
Sent: Wednesday, July 26, 2017 5:27 PM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: JCL Convertor
Post by Steve Beaver
You are talking a ton of work. You would have to get access to the CI AFTER all the substitutions have been made.
I know of one (1) guy that was able to get that to work and it took him weeks upon weeks
Why is that so hard? Scrape the JESJCL with SDSF. (Not JESJCLIN I mentioned earlier; that's before substitution.)

But DYNALLOC remains a problem. It would be useful to have a JOB statement option that disables DYNALLOC for the rest of the job. And for any fork()ed address spaces. And for any offspring submitted via INTRDR.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Sri h Kolusu
2017-07-26 22:26:28 UTC
Permalink
Raw Message
If you are only interested in JCL convertor, then you can use TYPRUN=SCAN

TYPRUN=SCAN checks the JCL only through the converter, not the interpreter
. The difference is that the converter basically checks all expressions to
the LEFT of an equal sign plus SOME expressions to the right of an equal
sign (and issues messages that start with IEFC), while the interpreter
checks all expressions to the RIGHT of an equal sign (and issues messages
that start with IEF). For example, a data set name containing a qualifier
that exceeds eight characters, such as

DSN=L9755TB.JCL.TEST19970103

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2.ieab600/iea3b6_Subparameter_definition99.htm

Thanks,
Kolusu




From: ITschak Mugzach <***@GMAIL.COM>
To: IBM-***@LISTSERV.UA.EDU
Date: 07/26/2017 12:49 PM
Subject: JCL Convertor
Sent by: IBM Mainframe Discussion List <IBM-***@LISTSERV.UA.EDU>



I am sure this question was asked here before... Can a user program Call
the converter, supplying input file and get the output? Don't want to
reinvent the wheel, but was requested to had extra checks that are not
offered by available products in the market.
--
ITschak Mugzach
*|** IronSphere Platform* *|** Automatic ISCM** (Information Security
Contiguous Monitoring) **| *

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN






----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Paul Gilmartin
2017-07-26 23:03:17 UTC
Permalink
Raw Message
Post by Sri h Kolusu
If you are only interested in JCL convertor, then you can use TYPRUN=SCAN
TYPRUN=SCAN checks the JCL only through the converter, not the interpreter
. The difference is that the converter basically checks all expressions to
the LEFT of an equal sign plus SOME expressions to the right of an equal
sign (and issues messages that start with IEFC), while the interpreter
checks all expressions to the RIGHT of an equal sign (and issues messages
that start with IEF). For example, a data set name containing a qualifier
that exceeds eight characters, such as
DSN=L9755TB.JCL.TEST19970103
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2.ieab600/iea3b6_Subparameter_definition99.htm
The rationale for TYPRUN=SCAN eludes me. Why would a programmer want
to be told of some, but not all, syntax errors? TYPRUN=HOLD reports more but,
I am told, still not all.

Most effective is bypassing all steps (except the first, which may be IEFBR14)
with IF. Or forcing a "JCL error" with such as a nonexistent DSN.

And there's still no passive SAF check. (But that would invite malicious browsing.)

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
ITschak Mugzach
2017-07-27 04:03:56 UTC
Permalink
Raw Message
If to summerise this issue, submit is the only way to do jcl check. As for
the security check, dynalloc is not helpfull. Security checks should be at
the level required by the application (according to open attributes). This
is not a problem once jcl was fully converted.

ITschak

בתאריך 27 ביול 2017 02:04,‏ "Paul Gilmartin" <
Post by Sri h Kolusu
Post by Sri h Kolusu
If you are only interested in JCL convertor, then you can use TYPRUN=SCAN
TYPRUN=SCAN checks the JCL only through the converter, not the interpreter
. The difference is that the converter basically checks all expressions to
the LEFT of an equal sign plus SOME expressions to the right of an equal
sign (and issues messages that start with IEFC), while the interpreter
checks all expressions to the RIGHT of an equal sign (and issues messages
that start with IEF). For example, a data set name containing a qualifier
that exceeds eight characters, such as
DSN=L9755TB.JCL.TEST19970103
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.
0/com.ibm.zos.v2r2.ieab600/iea3b6_Subparameter_definition99.htm
The rationale for TYPRUN=SCAN eludes me. Why would a programmer want
to be told of some, but not all, syntax errors? TYPRUN=HOLD reports more but,
I am told, still not all.
Most effective is bypassing all steps (except the first, which may be IEFBR14)
with IF. Or forcing a "JCL error" with such as a nonexistent DSN.
And there's still no passive SAF check. (But that would invite malicious browsing.)
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Paul Gilmartin
2017-07-27 13:51:55 UTC
Permalink
Raw Message
Post by ITschak Mugzach
I know. This is a function i'll add if no product that doea that.
This leaves a TOCTTOU exposure.
Post by ITschak Mugzach
Post by Vernooij, Kees - KLM , ITOPT1
RACF checks are not a task of the convertor.
-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
ITschak Mugzach
2017-07-27 14:56:52 UTC
Permalink
Raw Message
Not realy. At end of the day, racf requirements will be directed for manual
execution and bw corrlated with other people.
It just make it easier to identify the gap.
ITschak

בתאריך 27 ביול 2017 16:53,‏ "Paul Gilmartin" <
Post by Paul Gilmartin
Post by ITschak Mugzach
I know. This is a function i'll add if no product that doea that.
This leaves a TOCTTOU exposure.
Post by ITschak Mugzach
Post by Vernooij, Kees - KLM , ITOPT1
RACF checks are not a task of the convertor.
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Peter Hunkeler
2017-07-28 12:44:51 UTC
Permalink
Raw Message
Post by ITschak Mugzach
It just make it easier to identify the gap.
So far, it seems to me, the talk was only about checking access to data sets. But there are many more RACF classes & profiles which can make the job fail when if finally runs. BPX.something in class FACILITY, all the profiles in class UNIXPRIV, etc., etc.


I doubt any tool will be able to detect any missing rights before the program runs and trues to do the access or call the function protected by any such profile.
--
Peter Hunkeler

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Walt Farrell
2017-07-28 12:48:28 UTC
Permalink
Raw Message
Post by ITschak Mugzach
I know. This is a function i'll add if no product that doea that.
It is not possible to completely duplicate the checking that RACF will perform except by actually submitting the job and seeing what happens. For one, as others have mentioned, you have no way of accounting for dynamic allocations that may occur, as they are embedded in the program logic and not visible externally before the program runs.

For another, some accesses are granted conditionally. One example of that is accesses that are allowed only when the user is running a particular program. As your program is not the one allowed access, if you try to check whether the user has access the answer will be no, but when the job runs the answer will be yes. There are other flavors that you can't easily check, such as access granted but only when the user/job is running on a particular system.
--
Walt

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Paul Gilmartin
2017-07-28 13:45:32 UTC
Permalink
Raw Message
Post by ITschak Mugzach
I know. This is a function i'll add if no product that doea that.
It is not possible to completely duplicate the checking that RACF will perform except by actually submitting the job and seeing what happens. ...
Even for data sets allocated with DD statements, JCL gives no indication
whether the data set will be written or only read.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Mitch Mccluhan
2017-07-28 13:48:02 UTC
Permalink
Raw Message
One of the JCL automation products (J-MAN from RES) does that. It can read the source program and determine how the file is accessed.



Mitch McCluhan
***@aol.com





-----Original Message-----
From: Paul Gilmartin <0000000433f07816-dmarc-***@LISTSERV.UA.EDU>
To: IBM-MAIN <IBM-***@LISTSERV.UA.EDU>
Sent: Fri, Jul 28, 2017 8:46 am
Subject: Re: JCL Convertor
Post by ITschak Mugzach
I know. This is a function i'll add if no product that doea that.
It is not possible to completely duplicate the checking that RACF will perform except by actually submitting the job and seeing what happens. ...
Even for data sets allocated with DD statements, JCL gives no indication
whether the data set will be written or only read.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Charles Mills
2017-07-28 14:03:09 UTC
Permalink
Raw Message
JCL gives no indication whether the data set will be written or only read
Well, there's an *indication*. It is certainly not definitive, but it might be good enough for some purposes. DISP=SHR is an *indication* of only read.

Charles


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
Sent: Friday, July 28, 2017 6:47 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: JCL Convertor
Post by ITschak Mugzach
I know. This is a function i'll add if no product that doea that.
It is not possible to completely duplicate the checking that RACF will perform except by actually submitting the job and seeing what happens. ...
Even for data sets allocated with DD statements, JCL gives no indication whether the data set will be written or only read.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
ITschak Mugzach
2017-07-28 15:05:55 UTC
Permalink
Raw Message
The requirement is for application jcl only and the source code is
available.
The idea is ti perform 3rd party check based on the how the program opens
the datasets.
For utilities it is much more complex, Dfdss functions for example
At list a warning message can be generated in such cases.

Itschak
Post by Charles Mills
JCL gives no indication whether the data set will be written or only read
Well, there's an *indication*. It is certainly not definitive, but it
might be good enough for some purposes. DISP=SHR is an *indication* of only
read.
Charles
-----Original Message-----
Behalf Of Paul Gilmartin
Sent: Friday, July 28, 2017 6:47 AM
Subject: Re: JCL Convertor
Post by ITschak Mugzach
I know. This is a function i'll add if no product that doea that.
It is not possible to completely duplicate the checking that RACF will
perform except by actually submitting the job and seeing what happens. ...
Even for data sets allocated with DD statements, JCL gives no indication
whether the data set will be written or only read.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Paul Gilmartin
2017-07-28 16:02:18 UTC
Permalink
Raw Message
Post by Mitch Mccluhan
One of the JCL automation products (J-MAN from RES) does that. It can read the source program and determine how the file is accessed.
Oh.
Post by Mitch Mccluhan
JCL gives no indication whether the data set will be written or only read
Well, there's an *indication*. It is certainly not definitive, but it might be good enough for some purposes. DISP=SHR is an *indication* of only read.
Barely. an ISPF guide recommends allocating SHR and relying on serialization
options in LMINIT/LMOPEN to preserve integrity on member updates. Does
that "automation product" grok ISPF commands in the "source program"?

https://en.wikipedia.org/wiki/Undecidable_problem

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Charles Mills
2017-07-28 17:11:40 UTC
Permalink
Raw Message
That would be the not definitive part.

Charles


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
Sent: Friday, July 28, 2017 9:03 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: JCL Convertor
Post by Mitch Mccluhan
One of the JCL automation products (J-MAN from RES) does that. It can read the source program and determine how the file is accessed.
Oh.
Post by Mitch Mccluhan
JCL gives no indication whether the data set will be written or only read
Well, there's an *indication*. It is certainly not definitive, but it might be good enough for some purposes. DISP=SHR is an *indication* of only read.
Barely. an ISPF guide recommends allocating SHR and relying on serialization options in LMINIT/LMOPEN to preserve integrity on member updates. Does that "automation product" grok ISPF commands in the "source program"?

https://en.wikipedia.org/wiki/Undecidable_problem

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
ITschak Mugzach
2017-07-28 20:17:19 UTC
Permalink
Raw Message
Just to make sure... It is my understanding that JCL converter &
interpreter are only available by job submit and no direct call to these
services. My intent is to get the source code from the change management
product and look how files are opened. programs not found there, and none
common utilities will cause a warning message. A racf third party check
will be performed with the dsname & actual volser.
this function is intended to serve security administrators and product
developers that are not familiar with RACF and required to define the
security requirements of their applications. different users can be
specified as a parameter to the checker.

ITschak
Post by Charles Mills
That would be the not definitive part.
Charles
-----Original Message-----
Behalf Of Paul Gilmartin
Sent: Friday, July 28, 2017 9:03 AM
Subject: Re: JCL Convertor
Post by Mitch Mccluhan
One of the JCL automation products (J-MAN from RES) does that. It can
read the source program and determine how the file is accessed.
Oh.
Post by Mitch Mccluhan
JCL gives no indication whether the data set will be written or only read
Well, there's an *indication*. It is certainly not definitive, but it
might be good enough for some purposes. DISP=SHR is an *indication* of only
read.
Barely. an ISPF guide recommends allocating SHR and relying on
serialization options in LMINIT/LMOPEN to preserve integrity on member
updates. Does that "automation product" grok ISPF commands in the "source
program"?
https://en.wikipedia.org/wiki/Undecidable_problem
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
ITschak Mugzach
*|** IronSphere Platform* *|** Automatic ISCM** (Information Security
Contiguous Monitoring) **| *

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Jeremy Nicoll
2017-07-28 20:41:08 UTC
Permalink
Raw Message
Post by ITschak Mugzach
Just to make sure... It is my understanding that JCL converter &
interpreter are only available by job submit and no direct call to these
services. My intent is to get the source code from the change management
product and look how files are opened.
But you won't be able to tell how files are opened, without looking at
the
program logic... which will require you to read all the program parms
and
files, and replicate what the program does. You can't do that... the
only
way to tell what a non-trivial program will do is to run it.
--
Jeremy Nicoll - my opinions are my own.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Farley, Peter x23353
2017-07-28 20:59:50 UTC
Permalink
Raw Message
I would have to somewhat disagree with that position. If a COBOL program issues OPEN INPUT for a file, that file *can* be READ by that program. If it issues OPEN OUTPUT or OPEN IO then that file *can* written to, and possibly also read for the IO case.

You are right about the most general case, but for ITschak's case whether a program DOES do read and/or write of a file isn't necessary to know, only that it is *possible*.

Other languages have similar syntax markers. It isn't always necessary to know everything about a program's logic, only that it has the possibility to read or write or both.

Various vendor "software inventory" products do this already. It isn't perfect, but it is "good enough" for most purposes. In ITschak's case, I also think it will be "good enough" to let his tool at least flag the possibility of access / SAF issues. It's still up to the application owner to decide if there is an issue or not.

Peter

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Jeremy Nicoll
Sent: Friday, July 28, 2017 4:42 PM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: JCL Convertor
Post by ITschak Mugzach
Just to make sure... It is my understanding that JCL converter &
interpreter are only available by job submit and no direct call to
these services. My intent is to get the source code from the change
management product and look how files are opened.
But you won't be able to tell how files are opened, without looking at the program logic... which will require you to read all the program parms and
files, and replicate what the program does. You can't do that... the
only way to tell what a non-trivial program will do is to run it.

--


This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Jeremy Nicoll
2017-07-28 21:53:08 UTC
Permalink
Raw Message
Post by Farley, Peter x23353
I would have to somewhat disagree with that position. If a COBOL program
issues OPEN INPUT for a file, that file *can* be READ by that program.
If it issues OPEN OUTPUT or OPEN IO then that file *can* written to, and
possibly also read for the IO case.
The trouble is, you're saying what might happen to the file associated
with
a particular DD. But in any specific piece of JCL you won't know which
of
those actions will take place on the specific files mentioned in that
instance
of the JCL.

I see no point in somehow auto-generating a list of datasets that might
need
to be written to, if in practice few or none of them will be.


Also... why is anyone, so-to-speak testing what a production program
will do?
Doesn't the site have any testbeds... where a corresponding set of test
datasets
are tested in the same overall relationship as the live ones?
--
Jeremy Nicoll - my opinions are my own.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Vernooij, Kees - KLM , ITOPT1
2017-07-31 06:54:56 UTC
Permalink
Raw Message
RACF (and others) are called when the file is opened, so it will check *then* whether the file is opened for INPUT or for OUTPUT/UPDATE and if that is allowed. That is why you get a 9*13* abend, from the OPEN SVC. What the program does after that, is not relevant.

Kees.
Post by Mitch Mccluhan
-----Original Message-----
Behalf Of Farley, Peter x23353
Sent: 28 July, 2017 23:01
Subject: Re: JCL Convertor
I would have to somewhat disagree with that position. If a COBOL
program issues OPEN INPUT for a file, that file *can* be READ by that
program. If it issues OPEN OUTPUT or OPEN IO then that file *can*
written to, and possibly also read for the IO case.
You are right about the most general case, but for ITschak's case
whether a program DOES do read and/or write of a file isn't necessary to
know, only that it is *possible*.
Other languages have similar syntax markers. It isn't always necessary
to know everything about a program's logic, only that it has the
possibility to read or write or both.
Various vendor "software inventory" products do this already. It isn't
perfect, but it is "good enough" for most purposes. In ITschak's case,
I also think it will be "good enough" to let his tool at least flag the
possibility of access / SAF issues. It's still up to the application
owner to decide if there is an issue or not.
Peter
-----Original Message-----
Behalf Of Jeremy Nicoll
Sent: Friday, July 28, 2017 4:42 PM
Subject: Re: JCL Convertor
Post by ITschak Mugzach
Just to make sure... It is my understanding that JCL converter &
interpreter are only available by job submit and no direct call to
these services. My intent is to get the source code from the change
management product and look how files are opened.
But you won't be able to tell how files are opened, without looking at
the program logic... which will require you to read all the program
parms and
files, and replicate what the program does. You can't do that... the
only way to tell what a non-trivial program will do is to run it.
--
This message and any attachments are intended only for the use of the
addressee and may contain information that is privileged and
confidential. If the reader of the message is not the intended recipient
or an authorized representative of the intended recipient, you are
hereby notified that any dissemination of this communication is strictly
prohibited. If you have received this communication in error, please
notify us immediately by e-mail and delete the message and any
attachments from your system.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
********************************************************
For information, services and offers, please visit our web site: http://www.klm.com. This e-mail and any attachment may contain confidential and privileged material intended for the addressee only. If you are not the addressee, you are notified that no part of the e-mail or any attachment may be disclosed, copied or distributed, and that any other action related to this e-mail or attachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immediately by return e-mail, and delete this message.

Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its employees shall not be liable for the incorrect or incomplete transmission of this e-mail or any attachments, nor responsible for any delay in receipt.
Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch Airlines) is registered in Amstelveen, The Netherlands, with registered number 33014286
********************************************************


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
ITschak Mugzach
2017-07-31 07:05:19 UTC
Permalink
Raw Message
I know that for 35 years ir so ;-)
But the jcl checker program that suubmits the job for interpretation can
read the sysout and perform racf 3rd party checks (under many limitations
described by Walt and others).
Technically, it is easy to sevelop a program that aubmits a job for
interpetation, read the output and call racf to do the checks for the
specified user. If combined with irrxutil, a better understanding of how
the dataset is protected and a listcat may return the device.

ITschak

בתאריך 31 ביול 2017 09:56,‏ "Vernooij, Kees (ITOPT1) - KLM" <
Post by Vernooij, Kees - KLM , ITOPT1
RACF (and others) are called when the file is opened, so it will check
*then* whether the file is opened for INPUT or for OUTPUT/UPDATE and if
that is allowed. That is why you get a 9*13* abend, from the OPEN SVC. What
the program does after that, is not relevant.
Kees.
Post by Mitch Mccluhan
-----Original Message-----
Behalf Of Farley, Peter x23353
Sent: 28 July, 2017 23:01
Subject: Re: JCL Convertor
I would have to somewhat disagree with that position. If a COBOL
program issues OPEN INPUT for a file, that file *can* be READ by that
program. If it issues OPEN OUTPUT or OPEN IO then that file *can*
written to, and possibly also read for the IO case.
You are right about the most general case, but for ITschak's case
whether a program DOES do read and/or write of a file isn't necessary to
know, only that it is *possible*.
Other languages have similar syntax markers. It isn't always necessary
to know everything about a program's logic, only that it has the
possibility to read or write or both.
Various vendor "software inventory" products do this already. It isn't
perfect, but it is "good enough" for most purposes. In ITschak's case,
I also think it will be "good enough" to let his tool at least flag the
possibility of access / SAF issues. It's still up to the application
owner to decide if there is an issue or not.
Peter
-----Original Message-----
Behalf Of Jeremy Nicoll
Sent: Friday, July 28, 2017 4:42 PM
Subject: Re: JCL Convertor
Post by ITschak Mugzach
Just to make sure... It is my understanding that JCL converter &
interpreter are only available by job submit and no direct call to
these services. My intent is to get the source code from the change
management product and look how files are opened.
But you won't be able to tell how files are opened, without looking at
the program logic... which will require you to read all the program
parms and
files, and replicate what the program does. You can't do that... the
only way to tell what a non-trivial program will do is to run it.
--
This message and any attachments are intended only for the use of the
addressee and may contain information that is privileged and
confidential. If the reader of the message is not the intended recipient
or an authorized representative of the intended recipient, you are
hereby notified that any dissemination of this communication is strictly
prohibited. If you have received this communication in error, please
notify us immediately by e-mail and delete the message and any
attachments from your system.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
********************************************************
http://www.klm.com. This e-mail and any attachment may contain
confidential and privileged material intended for the addressee only. If
you are not the addressee, you are notified that no part of the e-mail or
any attachment may be disclosed, copied or distributed, and that any other
action related to this e-mail or attachment is strictly prohibited, and may
be unlawful. If you have received this e-mail by error, please notify the
sender immediately by return e-mail, and delete this message.
Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its
employees shall not be liable for the incorrect or incomplete transmission
of this e-mail or any attachments, nor responsible for any delay in receipt.
Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch
Airlines) is registered in Amstelveen, The Netherlands, with registered
number 33014286
********************************************************
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Walt Farrell
2017-07-29 17:30:18 UTC
Permalink
Raw Message
On Fri, 28 Jul 2017 23:18:27 +0300, ITschak Mugzach <***@GMAIL.COM> wrote:

A racf third party check
Post by ITschak Mugzach
will be performed with the dsname & actual volser.
this function is intended to serve security administrators and product
developers that are not familiar with RACF and required to define the
security requirements of their applications. different users can be
specified as a parameter to the checker.
In the fully general case (that is, to handle everything that could occur) you also need to consider:
(a) Conditional access: Your 3rd-party check can fail when you do the check, but succeed when the real program does the check, because access is granted only to program X from library Y.

(b) Different users can have different security characteristics at different times. For example, a user's connection to the group that grants access to a data set might be set to expire tomorrow. The check you run today will succeed, but the job will fail when run.

(c) You say you're going to do a RACROUTE REQUEST=AUTH specifying the dsname, volser, and user. In addition:
(c1) For data sets being created, you need to do a RACROUTE REQUEST=VERIFY with ENVIR=VERIFY, not a REQUEST=AUTH. You will also need to know the storage group (I think) that the data set will be allocated to, and you may need to know information from the DFP segment of the covering profile or the user. You will also (again, for the general case) need to know whether a discrete profile will be created, and there are several aspects that control that. I won't get into further details now (as I would have to remember them, and do some research).

(c2) You'll need to know if the data set is VSAM or non-VSAM. For non-VSAM you need to pass the volume serial of the data set itself. For VSAM, you need to pass the volume serial of the catalog where it's cataloged, and you need to find and pass the cluster name, not the name in the JCL. For either VSAM or non-VSAM you also need to pass the RACF indicator (from the DSCB (non-VSAM) or the cluster's sphere record (VSAM), to handle the general case where discrete profiles may be in use.

(d) For the general case you need to handle security levels and/or security labels. Simply passing a user ID will not handle this if security labels are in use.

(e) The calls are different for data sets on TAPE, and how they are different depends on the settings in PARMLIB(DEVSUPxx) and/or the tape management system that may be in use.

I'm sure I've forgotten several other points I intended to make. The net, though, is that if you're writing this for a specific site then there may be some things that you can assume are true today (e.g., maybe they don't use conditional access, or maybe they don't use discrete profiles, or seclabels). But if you're writing a product you probably shouldn't make those assumptions. Also, even for a local program, the assumptions can easily become wrong, and then you'll be giving incorrect answers.
--
Walt

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Elardus Engelbrecht
2017-07-30 12:31:32 UTC
Permalink
Raw Message
As a late comer to this thread... ;-)

First thing first:

Walter, I really appreciate that you are still willing to share your wisdom here on RACF-L and IBM-MAIN during your well deserved retirement!

Thanks Walter for your kind postings. Much appreciated!


To Itschak Mugzach, my replies below are also for YOU!
Post by Walt Farrell
(c2) You'll need to know if the data set is VSAM or non-VSAM.
If VSAM, you had to be careful what profile is [eventually] used for what component of that cluster. Ask me, I got burned there...
Post by Walt Farrell
(e) The calls are different for data sets on TAPE, and how they are different depends on the settings in PARMLIB(DEVSUPxx) and/or the tape management system that may be in use.
Absolutely. Add SETROPTS TAPEDSN and TAPEVOL class too to enlarge the possible confusion.

As per zSecure - 'RACF is not able to guarantee the integrity of tapevolumes.'

Also remember that little old trap of 17 chars versus 44 chars for a datasetname on a tape.

What about ICHBLP, ICHNL? Despite your best guess, RACF may eventually have another answer for checking accesses.

JES2 may have another say about ICHBLP [ for a specific job class as per HASPARM setup], but RACF ICHBLP certainly overrides JES2 setting ...
Post by Walt Farrell
I'm sure I've forgotten several other points I intended to make.
What about SETROPTS PREFIX, SETROPTS ADSP, SETROPTS NOCATDSNS/CATDSNS(???) and SETROPTS EGN?

All of these may or may not screw up your own checking and guessing the actual access.
Post by Walt Farrell
Also, even for a local program, the assumptions can easily become wrong, and then you'll be giving incorrect answers.
Why not let RACF do its homework? Even "access check" by zSecure may or may not be 100% correct, but I have to admit zSecure is 100% correct with those "access check" tests I have conducted many many many times.

Thanks to all for this interesting thread.

Groete / Greetings
Elardus Engelbrecht

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Itschak Mugzach
2017-07-30 15:59:07 UTC
Permalink
Raw Message
For most setropts values, ractoute is sufficient. But I think that I can use irrxutil once I know the protecting profile for existing dataset. It is now more theoretical question as I am busy with IronSphere, but I may work on a free version next quarter.

ITschak

נשלח מה-iPad שלי
Post by Elardus Engelbrecht
As a late comer to this thread... ;-)
Walter, I really appreciate that you are still willing to share your wisdom here on RACF-L and IBM-MAIN during your well deserved retirement!
Thanks Walter for your kind postings. Much appreciated!
To Itschak Mugzach, my replies below are also for YOU!
Post by Walt Farrell
(c2) You'll need to know if the data set is VSAM or non-VSAM.
If VSAM, you had to be careful what profile is [eventually] used for what component of that cluster. Ask me, I got burned there...
Post by Walt Farrell
(e) The calls are different for data sets on TAPE, and how they are different depends on the settings in PARMLIB(DEVSUPxx) and/or the tape management system that may be in use.
Absolutely. Add SETROPTS TAPEDSN and TAPEVOL class too to enlarge the possible confusion.
As per zSecure - 'RACF is not able to guarantee the integrity of tapevolumes.'
Also remember that little old trap of 17 chars versus 44 chars for a datasetname on a tape.
What about ICHBLP, ICHNL? Despite your best guess, RACF may eventually have another answer for checking accesses.
JES2 may have another say about ICHBLP [ for a specific job class as per HASPARM setup], but RACF ICHBLP certainly overrides JES2 setting ...
Post by Walt Farrell
I'm sure I've forgotten several other points I intended to make.
What about SETROPTS PREFIX, SETROPTS ADSP, SETROPTS NOCATDSNS/CATDSNS(???) and SETROPTS EGN?
All of these may or may not screw up your own checking and guessing the actual access.
Post by Walt Farrell
Also, even for a local program, the assumptions can easily become wrong, and then you'll be giving incorrect answers.
Why not let RACF do its homework? Even "access check" by zSecure may or may not be 100% correct, but I have to admit zSecure is 100% correct with those "access check" tests I have conducted many many many times.
Thanks to all for this interesting thread.
Groete / Greetings
Elardus Engelbrecht
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Paul Gilmartin
2017-08-01 00:45:48 UTC
Permalink
Raw Message
​I had some time to play with the JCL converter & interpeter. I wrote a
small rexx program that submits a job (with IF as suggested by Gil). I had
BTW, note that IF can never skip the first step of a job. I believe the JCL
Ref. requires that IF appear after a job step. Violating this rule is not
diagnosed as a syntax error. Indolent implementors.
to cause a JCL error (at the end of the job), in order to be able to read
That puzzles me. What happens if no JCL error?
the sysout files. For some reason, SDSF Rex API only shows the original JCL
if the job not in output queue... I also needed to pause few seconds until
the job get into output queue!
RECFM=V rather than RECFM=VB may circumvent buffering.

Again, not my experience. I have a job in which a Rexx EXEC scrapes its
own ID (ISPF service) and extracts its spool files. The Rexx has TRACE R,
and the extracted SYSTSPRT is complete up to the statement that issues
the SDSF call to copy itself.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
ITschak Mugzach
2017-08-01 05:21:29 UTC
Permalink
Raw Message
Paul.

I took your advice so i placed the IF after a iefbr14 stwp with a fack
label i can recognize.
If no jcl error, the job is placed in the input queue and only JESJCLIN is
listed in the dataset. Stem variable. So the purpose of the jcl error is to
move thee job to outout queue.
I created different stem variables for each of the stem variables and using
isfbrowse service so no datasets are involved.

ITschak

בתאריך 1 באוג 2017 03:47,‏ "Paul Gilmartin" <
​I had some time to play with the JCL converter & interpeter. I wrote a
small rexx program that submits a job (with IF as suggested by Gil). I had
BTW, note that IF can never skip the first step of a job. I believe the JCL
Ref. requires that IF appear after a job step. Violating this rule is not
diagnosed as a syntax error. Indolent implementors.
to cause a JCL error (at the end of the job), in order to be able to read
That puzzles me. What happens if no JCL error?
the sysout files. For some reason, SDSF Rex API only shows the original JCL
if the job not in output queue... I also needed to pause few seconds until
the job get into output queue!
RECFM=V rather than RECFM=VB may circumvent buffering.

Again, not my experience. I have a job in which a Rexx EXEC scrapes its
own ID (ISPF service) and extracts its spool files. The Rexx has TRACE R,
and the extracted SYSTSPRT is complete up to the statement that issues
the SDSF call to copy itself.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Paul Gilmartin
2017-08-01 14:05:01 UTC
Permalink
Raw Message
Post by ITschak Mugzach
I took your advice so i placed the IF after a iefbr14 stwp with a fack
label i can recognize.
If no jcl error, the job is placed in the input queue and only JESJCLIN is
listed in the dataset. Stem variable. So the purpose of the jcl error is to
move thee job to outout queue.
I remain curious. At least the IEFBR14 step should cause the job to be
executed and moved to the output queue. What does the sequence,
in interactive SDSF show:
ST /* show all jobs in all queues, held and not held data sets. */
INPUT ON /* Show SYSINs */
? /* Show all spool files. */
Post by ITschak Mugzach
I created different stem variables for each of the stem variables and using
isfbrowse service so no datasets are involved.
-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
ITschak Mugzach
2017-08-01 14:41:44 UTC
Permalink
Raw Message
You are right, but i then the chwcker will depend on initiator
availability, something i can't asure and the end user can't afford. So i
forced the converter to fail.
I do understand that thia is not yet a complete job interpetation, but this
ia something i can change and think of later. I went directly to parsing
because i needed dataset names, dispositions, program names, steplibs and
task libs for program access checks.

I almost finished that phase. I hope to have some time soon to do the racf
work.

ITschak

בתאריך 1 באוג 2017 17:06,‏ "Paul Gilmartin" <
Post by Paul Gilmartin
Post by ITschak Mugzach
I took your advice so i placed the IF after a iefbr14 stwp with a fack
label i can recognize.
If no jcl error, the job is placed in the input queue and only JESJCLIN is
listed in the dataset. Stem variable. So the purpose of the jcl error is
to
Post by ITschak Mugzach
move thee job to outout queue.
I remain curious. At least the IEFBR14 step should cause the job to be
executed and moved to the output queue. What does the sequence,
ST /* show all jobs in all queues, held and not held data sets. */
INPUT ON /* Show SYSINs */
? /* Show all spool files. */
Post by ITschak Mugzach
I created different stem variables for each of the stem variables and
using
Post by ITschak Mugzach
isfbrowse service so no datasets are involved.
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Loading...