Locking a JCL or PDS but still executing



TSO Programming, ISPF, SDF, SDSF and PDF, FTP, TCP/IP Concepts, SNA & SNA/IP etc...

Re: Locking a JCL or PDS but still executing

Postby dick scherrer » Wed Jan 04, 2012 1:44 am

Hello,

To first lock this jcl so that no users other than me can see it.
Who in your management gave permission to do this?

Why do you believe this is so special that others should not even be able to read the code?

I suspect this was built/installed on your organization's computer(s) and as such probably belongs to the organization not one person. . .
Hope this helps,
d.sch.
User avatar
dick scherrer
Global moderator
 
Posts: 6304
Joined: Sat Jun 09, 2007 8:58 am
Has thanked: 3 times
Been thanked: 91 times

Re: Re: Locking a JCL or PDS but still executing

 

Re: Locking a JCL or PDS but still executing

Postby zhinghur » Thu Jan 05, 2012 1:10 am

Well. Thank you everyone for your precious time. :)
zhinghur
 
Posts: 48
Joined: Sun Nov 20, 2011 12:25 pm
Has thanked: 0 time
Been thanked: 0 time

Re: Locking a JCL or PDS but still executing

Postby Ed Goodman » Thu Jan 05, 2012 3:10 am

May I ask why you need to hide the REXX code? Does it contain sensitive information, like maybe a list of passwords or something? Maybe a pending layoff list? Or are you just trying to hide working code so that no one steals it and uses it in their project?

As you can see from the responses here, this type of activity is distasteful to most people.
Ed Goodman
 
Posts: 342
Joined: Thu Feb 24, 2011 12:05 am
Has thanked: 3 times
Been thanked: 17 times

Re: Locking a JCL or PDS but still executing

Postby zhinghur » Fri Jan 06, 2012 12:19 am

Ed Goodman wrote:May I ask why you need to hide the REXX code? Does it contain sensitive information, like maybe a list of passwords or something? Maybe a pending layoff list? Or are you just trying to hide working code so that no one steals it and uses it in their project?

As you can see from the responses here, this type of activity is distasteful to most people.



Hello Goodman,

You got it right. Actually I don't want to hide Rex, I want to hide JCL. But I thought if I hide the REX itself, even that can be good.

The JCL has got around 15 steps using SORT, IBPTCH, IBUPDATE,TELON, COBOL etc. It will reduce quite a manual effort for all users in a group. But the JCL has got some credential ID's(self) and pass to access data that is other wise not possible for all. So, I cannot let anyone access one.

My organization doesn't approved the idea of password protected, as it doesn't make sense to Business.

So, I was looking for an alternative soln. if possible.
zhinghur
 
Posts: 48
Joined: Sun Nov 20, 2011 12:25 pm
Has thanked: 0 time
Been thanked: 0 time

Re: Locking a JCL or PDS but still executing

Postby dick scherrer » Fri Jan 06, 2012 12:33 am

Hello,

My organization doesn't approved the idea of password protected, as it doesn't make sense to Business.
Yup - most organizations will not permit passwords on mainframe datasets. . .

But the JCL has got some credential ID's(self) and pass to access data that is other wise not possible for all
One common way to do this is to remove the classified info from the process and insert it at run-time (using a front-end screen to enter the data that needs to be secured).
Hope this helps,
d.sch.
User avatar
dick scherrer
Global moderator
 
Posts: 6304
Joined: Sat Jun 09, 2007 8:58 am
Has thanked: 3 times
Been thanked: 91 times

Re: Locking a JCL or PDS but still executing

Postby Ed Goodman » Fri Jan 06, 2012 1:45 am

If i was backed into that particular corner, I'd take advantage of our scheduler. It has a feature to submit jobs when datasets are created.

I would put the JCL in a directory that only the scheduler and I could read, and make the job name something private so no one else could see it in the spool. Then have the REXX create the flat file with the information in it, which would trigger the job to run.

In a similar process, I asked the user to provide THEIR userid/password and submitted the job with those credentials. That has the huge advantage of showing who actually requested the process.
Ed Goodman
 
Posts: 342
Joined: Thu Feb 24, 2011 12:05 am
Has thanked: 3 times
Been thanked: 17 times

Re: Locking a JCL or PDS but still executing

Postby steve-myers » Fri Jan 06, 2012 5:57 am

zhinghur wrote:... My organization doesn't approved the idea of password protected, as it doesn't make sense to Business. ...
The old OS/360 password protection business didn't make very much sense to anyone, so I guess it won't make sense to anyone these days.

The critical data would seem to be the password in the JCL, but there are two possible methods to eliminate that -
  • If the job is executing in the JES2 node where it is submitted, enable "surrogate" support for the user specified in the JCL. "Surrogate" support permits users as specified in RACF profiles to submit jobs with a user id that is different than the user submitting the job. "Surrogate" profiles are the common method for scheduling systems to submit job with userids different than the userid used to run the scheduling system.
  • If the job is being sent to another JESx node or you can't persuade your security folks to create surrogate profiles, use standard Rexx methods to prompt the user for the password and insert the password into the JCL as it is being submitted.
I still think you are trying to write a half-a**** scheduling system here; you really should be using a real scheduling system like I mentioned before.
steve-myers
Global moderator
 
Posts: 1885
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 197 times

Re: Locking a JCL or PDS but still executing

Postby zhinghur » Sun Jan 08, 2012 2:08 pm

Thank You Ed and Steve for your valuable inputs.

I have come across a way to trick the system. Not pretty sure if its gonna work but looks like it should. If the solution works, I will post how I achieved.


Thanks once again, everyone.
zhinghur
 
Posts: 48
Joined: Sun Nov 20, 2011 12:25 pm
Has thanked: 0 time
Been thanked: 0 time

Re: Locking a JCL or PDS but still executing

Postby NicC » Sun Jan 08, 2012 6:55 pm

Why does your JCL have your password coded - TSO submit will supply that - no need to code it.
The problem I have is that people can explain things quickly but I can only comprehend slowly.
Regards
Nic
NicC
Global moderator
 
Posts: 2690
Joined: Sun Jul 04, 2010 12:13 am
Location: Pushing up the daisys (almost)
Has thanked: 4 times
Been thanked: 105 times

Previous

Return to TSO & ISPF

 


  • Related topics
    Replies
    Views
    Last post