On Wed, 29 Feb 2012 15:49:01 +0000, Rob Scott <[email protected]> wrote:
>Search the archives for IKJEFTSR.
>
>Overview of one way of doing it:
>
>(1) Write a separate non-auth stub REXX external function that processes the
>parameters and sets up addressability to the IRX* control blocks and handles
>the return data from the auth function.
>(2) Ensure that the auth function module is in linklist (or authorized
>STEPLIB/JOBLIB if you must)
>(3) Add the auth function module name to AUTHTSF in IKJTSOxx and get your
>friendly sysprog to update the system.
>(4) In the stub function program, use IKJEFTSR to invoke the auth subroutine
>
>Depending on the capabilities of the auth function stub, you may wish to add
>some sort of SAF check into its logic.

I think you probably meant "auth function module" in that last sentence, not "auth function stub". Performing security checks in the stub (which runs unauthorized, and can be bypassed) is not really effective. If security checks are needed, they should be in the authorized program that is invoked by IKJEFTSR (your "auth function module").

Also, if the REXX exec merely needs to call an authorized assembler routine (not subroutine) then a simple "address TSO call *(modulename)" may be simpler. It would still need the system programmer to update IKJTSOxx, but the AUTHPGM section rather than AUTHTSF, but would not need the stub module and other REXX stuff.

-- 
Walt Farrell
IBM STSM, z/OS Security Design
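
The simpler AUTHPGM route mentioned in the reply, as an added example that is not part of the original message. The module name MYAUTHPG, the parameter value and the IKJTSOxx entry shown in the comments are hypothetical.

```rexx
/* REXX - added example; MYAUTHPG and its parameter are hypothetical  */
/*                                                                    */
/* Assumed IKJTSOxx entry, added by the system programmer:            */
/*   AUTHPGM NAMES(      +                                            */
/*      MYAUTHPG)                                                     */
/* (a real member lists other program names inside NAMES as well)     */
/*                                                                    */
/* MYAUTHPG must be link-edited with AC(1) and be loaded from an      */
/* APF-authorized library (linklist or an authorized STEPLIB).        */
/*                                                                    */
/* This exec runs unauthorized. Any TSO user can issue the same CALL  */
/* with any parameter string, so a SAF check or input validation      */
/* placed here protects nothing. Both belong inside MYAUTHPG.         */

parm = 'LISTQ'                        /* constructed sample parameter */

/* "*" tells CALL to use the standard search order, not a data set    */
address TSO "CALL *(MYAUTHPG) '"parm"'"
callrc = rc                           /* save RC before it is reset   */

if callrc <> 0 then do
  say 'MYAUTHPG ended with return code' callrc
  exit callrc
end

exit 0
```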

