I suspect that in many shops, getting the security changes pushed through the channels is much more labor intensive than just uninstalling the parts you do not want.
Don’t get me wrong, I'm coming around on z/OSMF, but the considerable amount(understatement) of security work needed to implement is a daunting task. I don’t know that we are still where things need to be. We are also dealing with some of these same issues. I've opened tickets with IBM asking questions, the stock answer was "we recommend one ZOSMF instance per sysplex". While we do happen to have TECH, DEV and PROD in the same sysplex(pre-dates my employment), they are different JES MAS, so I have to run one instance per MAS. So, for SYSPROG's, ZOSMF use is more of a toolbox thing, for non-sysprogs, it’s a "cloud" thing. I want to make sysprog tools available in all instances, but the Workflows, etc that the general population might use, should be running the in "prod" instance, in my opinion. The other "itch" I have is that there is no mechanism to "administer" the zosmf instances in one place, and push the changes around. Today, we have to separately administer each instance (6) and is a repetitive exercise that I shouldn’t have to do. I do participate in this workgroup at zBLC, and a lot of this is talked about there, so I know there could be future plans for a lot of this stuff. _________________________________________________________________ Dave Jousma Manager Mainframe Engineering, Assistant Vice President [email protected] 1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H p 616.653.8429 f 616.653.2717 -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of John Eells Sent: Thursday, February 01, 2018 10:27 AM To: [email protected] Subject: Re: zOSMF - remove plug-in **CAUTION EXTERNAL EMAIL** **DO NOT open attachments or click on links from unknown senders or unexpected emails** Jousma, David wrote: > John, > > That would seem logical, but that’s not how it works. Once added to the > list, removal does not remove it, sadly. As someone else mentioned, the > only way to "remove" it, is to secure it in SAF. The ability to uninstall a > plug-in has been discussed, I just don’t know where or if there are any > development efforts under way to provide it. > <snip> > > Remove it from the list of enabled plug-ins in IZUPRMxx. See PDF p. 48 in > the Configuration Guide, here: > http://publibz.boulder.ibm.com/epubs/pdf/izu23215.pdf > > -- > John Eells > IBM Poughkeepsie > [email protected] <snip> First, my apologies for the misinformation. I just tried this and, as you say, it does not work. Second, I will get this information added to the configuration guide, which appears silent on this particular issue. Just out of curiosity, why would you want to remove one, as long as unauthorized people could not use it? -- John Eells IBM Poughkeepsie [email protected] ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN **CAUTION EXTERNAL EMAIL** **DO NOT open attachments or click on links from unknown senders or unexpected emails** This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
