Need Help in resolving SEC Error in JCL



JES, JES2, JCL utilities, IDCAMS, Compile & Run JCLs, PROCs etc...

Need Help in resolving SEC Error in JCL

Postby anks » Wed Nov 27, 2013 12:42 am

There is a series of JCLs which I need to submit daily; to reduce the manual effort I tried to connect/automate the entire flow so that if I submit one JCL it will automatically submit the next one in the series; however I have been stuck up in the resolution of SEC error in JCL. I am getting SEC error in some of the JCLs, when I searched on IBM Manuals the resolution of SEC error, I have applied the same but that is not feasible in this case.

The resolution of SEC Error mentioned in IBM Manuals is to give USER and PASSWORD parameters in the jobcard.

However in this case, the solution is not feasible as the project is very critical/confidential that we can't use PASSWORD parameter in the jobcard.

Is there any other way to get SEC error resolved apart from these? If so please share your views on this?
anks
 
Posts: 3
Joined: Tue Nov 26, 2013 11:50 pm
Has thanked: 0 time
Been thanked: 0 time

Re: Need Help in resolving SEC Error in JCL

 

Re: Need Help in resolving SEC Error in JCL

Postby Akatsukami » Wed Nov 27, 2013 12:47 am

One presumes that "SEC error" is your personal jargon for a S913 abend?
"You have sat too long for any good you have been doing lately ... Depart, I say; and let us have done with you. In the name of God, go!" -- what I say to a junior programmer at least once a day
User avatar
Akatsukami
Global moderator
 
Posts: 1053
Joined: Sat Oct 16, 2010 2:31 am
Location: Bloomington, IL
Has thanked: 6 times
Been thanked: 51 times

Re: Need Help in resolving SEC Error in JCL

Postby anks » Wed Nov 27, 2013 1:02 am

Yes, I guess so as both the errors are due to Authorization failure but I am not sure as the SEC error is occurring because of the submitter of job is different to the executer of the job.

For example: If I am submitting the job manually, then it has been submitted using my ID and password will be automatically validated by RACF and job successfully executed; however if the job is being submitted by previous Job (using INTRDR), then submitter will not be my ID and it will be default ID which is not having access to that particular job and job fails with SEC error.
anks
 
Posts: 3
Joined: Tue Nov 26, 2013 11:50 pm
Has thanked: 0 time
Been thanked: 0 time

Re: Need Help in resolving SEC Error in JCL

Postby dick scherrer » Wed Nov 27, 2013 2:12 am

Hello and welcome to the forum,

Suggest you Stop using your own terminology. As far as i know you are the Only one who calls an s9xx error a SEC error.

One way to fix your problem is to have the job submitted via the scheduler using an appropriate id.
Hope this helps,
d.sch.
User avatar
dick scherrer
Global moderator
 
Posts: 6304
Joined: Sat Jun 09, 2007 8:58 am
Has thanked: 3 times
Been thanked: 91 times

Re: Need Help in resolving SEC Error in JCL

Postby Akatsukami » Wed Nov 27, 2013 2:34 am

anks wrote:For example: If I am submitting the job manually, then it has been submitted using my ID and password will be automatically validated by RACF and job successfully executed; however if the job is being submitted by previous Job (using INTRDR), then submitter will not be my ID and it will be default ID which is not having access to that particular job and job fails with SEC error.

This appears not to be the case; a job on my machine submitted (via the internal reader or the TSO SUBMIT command) by another job inherits the userid (and therefore the RACF privileges) of the submitter. Look at the IRR010I message in the JES message log (if your shop displays it; not all do) and see what ID the job is assigned by RACF.
"You have sat too long for any good you have been doing lately ... Depart, I say; and let us have done with you. In the name of God, go!" -- what I say to a junior programmer at least once a day
User avatar
Akatsukami
Global moderator
 
Posts: 1053
Joined: Sat Oct 16, 2010 2:31 am
Location: Bloomington, IL
Has thanked: 6 times
Been thanked: 51 times

Re: Need Help in resolving SEC Error in JCL

Postby steve-myers » Wed Nov 27, 2013 3:22 am

anks wrote:... For example: If I am submitting the job manually, then it has been submitted using my ID and password will be automatically validated by RACF and job successfully executed; however if the job is being submitted by previous Job (using INTRDR), then submitter will not be my ID and it will be default ID which is not having access to that particular job and job fails with SEC error.
  • Ordinary job submission via an internal reader. In this case the submitted job automatically gets the userid of the job that submitted the new job.
  • Surrogate job submission via the internal reader. In this case the JOB statement specifies USER=xxx, but no password. The user change is authorized by a RACF profile that basically says the user submitting the new job is authorized to submit a job for the user specified on the new job's JOB statement. Surrogate job submission is designed for use with job scheduling packages, but it can be used for any situation where user A is submitting jobs to run using user B's userid.
  • Specify USER=xxx,PASSWORD=zzz, where zzz is plain text. Obviously not what you want.
This link discusses the RACF profiles used for surrogate job submission.
steve-myers
Global moderator
 
Posts: 1886
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 197 times

Re: Need Help in resolving SEC Error in JCL

Postby anks » Wed Nov 27, 2013 11:34 am

Thanks Steve for the reply; however I am still bit confused after going through the note mentioned in the link provided that says:

A user should not allow another user to act as surrogate user unless |
| the surrogate user can be trusted as highly as the execution user is |
| trusted. This is because the surrogate user can do anything the |
| execution user can do (unless the surrogate user lacks access to a |
| security label that protects a resource). For example, the surrogate |
| user can submit a job to copy, alter, or delete the execution user's |
| data. |

In my case, the surrogate user is a default user like USER=TESTJOB (which comes due to automation);anybody can use i.e everybody is having access to USER=TESTJOB and if TESTJOB will get access rights to my ID then anybody can submit a job to copy, alter or delete my data.
anks
 
Posts: 3
Joined: Tue Nov 26, 2013 11:50 pm
Has thanked: 0 time
Been thanked: 0 time

Re: Need Help in resolving SEC Error in JCL

Postby steve-myers » Wed Nov 27, 2013 9:05 pm

I do not understand this "default" userid TESTJOB. There is no concept of a "default" userid in any of the big 3 security systems, e.g., RACF, CA-ACF2 and CA-Top Secret. All users must identify themselves, either by
  • By specifying a USER=xxx,PASSWORD=yyy on a JOB statement submitted on a "real" card reader.
  • By specifying a userid and password to logon to TSO or other interactive system that can submit a job such as CA-Roscoe.
  • By inheriting a userid by submitting a job through the internal reader from an user identified by the first 2 bullets.
The only exception is a job submitted through a surrogate arrangement; the import of your quote is security administrators must be very careful about authorizing this capability.

Actually this is not quite true. RACF assigns a default userid to jobs being flushed out of the system because there is no valid userid for the job, but these jobs do not execute and cannot access system resources. Which reminds me of an incident from 40+ years ago. This system was operated by a large university that assigned some sort of allowed resource units to everything; jobs hat were flushed from the system because they did not have any resource units remaining were assigned a system ID that supposedly had an infinite amount of resource units. Well, that wasn't true. One day this system ID ran out of resource units. Oops!
steve-myers
Global moderator
 
Posts: 1886
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 197 times


Return to JCL

 


  • Related topics
    Replies
    Views
    Last post