IBM Security Z Security

Security for Z

Join this online user group to communicate across Z Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  Multiple allocation of datasets

    Posted 25 days ago
    Hello everyone,
     
    I'm looking for a way to read PDS or PDSE datasets with CARLA and JCL script.
     
    Currently I have allocated CKFREEZE and UNLOAD
     
    alloc type=CKFREEZE DD=FREEZE1 complex=COMPLEX1  
    alloc type=CKFREEZE DD=FREEZE2 complex=COMPLEX2   
     
    alloc type=UNLOAD DD=UNLOAD1   complex=COMPLEX1  
    alloc type=UNLOAD DD=UNLOAD2   complex=COMPLEX2 
     
    Also I need to add my custom datasets with it's member:
     
    alloc type=CUSTOM_ALLOC DSN=MYDATA.SET1(MEMBER) complex=COMPLEX1  
    alloc type=CUSTOM_ALLOC DSN=MYDATA.SET2(MEMBER) complex=COMPLEX2   
     
    I face issues when I run JCL with newlist type compliance and/or compliance_rule_set
     
    Are there any way to add a multiple custom datasets? Member name is always the same, only the dataset would vary


    ------------------------------
    Viktorija Kulbaciauskiene
    ------------------------------


  • 2.  RE: Multiple allocation of datasets

    Posted 24 days ago

    Hi Viktorija,

     just tested with zSecure 3.1 and I was pleasantly surprised how well the DEFTYPE capabilities support specification of COMPLEX on the ALLOC statement.  Look below, I have JCL with 2 separate CUST files, I have 2 RACF input sources, and I attempt a lookup from the PROFILE field to a value from the CUST dd, hoping that it uses the right CUST file:

    // JCLLIB ORDER=(SYS3.ZSEC.CKRPARM,SYS1.SCKRPROC)     
    // EXEC C2RC                                          
    //CUST1 DD *                                          
    IBMUSER aaaa                                          
    //CUST2 DD *                                          
    IBMUSER bbbb                                          
    //SYSIN DD *                                          
    alloc type=unload dsn=sys3.zsec.unload(0) complex=in1
    alloc type=racf backup complex=in2                    
                                                           
    deftype type=@cust                                    
    alloc type=@cust dd=cust1 complex=in1                 
    alloc type=@cust dd=cust2 complex=in2                 
    define  type=@cust key as word(record,1)              
    define  type=@cust val as word(record,2)              
                                                           
    newlist type=@cust                                    
      list complex record                                 
                                                           
    newlist type=racf                                     
      s key=ibmuser                                       
      sortlist complex profile(8) profile:@cust.key.val   
    //

    Guess, what, the value COMPLEX in the DEFTYPE newlist actually matches the value from the ALLOC command, and the lookup also takes into account the COMPLEX:

    I B M   S e c u r i t y   z S e

    IN1      IBMUSER aaaa          
    IN2      IBMUSER bbbb          

    P R O F I L E   L I S T I N G  

    Complex  Profile  VAL          
    IN1      IBMUSER  aaaa         
    IN2      IBMUSER  bbbb         
    ********************************

    Note, I only tested this with newlist type=racf, but it should work for all newlists that have a COMPLEX value defined.  Can you be more specific about the issues you're faced with when you run JCL?  Does my sample work for you, with the zSecure version you have installed?



    ------------------------------
    Rob van Hoboken
    ------------------------------

    Original Message


  • 3.  RE: Multiple allocation of datasets

    Posted 23 days ago

    Hello Rob,

    When I go with program CKRCARLA, and allocate 2 ckfreezes, 2 unloads and 2 custom datasets, like below:

    I receive 0 test total for the first complex, and the results are fine for the second complex. It doesn't matter, whether I use PDSE or PDS

    alloc type=CKFREEZE DD=FREEZE1 complex=COMPLEX1  
alloc type=CKFREEZE DD=FREEZE2 complex=COMPLEX2   
 
alloc type=UNLOAD DD=UNLOAD1   complex=COMPLEX1  
alloc type=UNLOAD DD=UNLOAD2   complex=COMPLEX2 
 
DEFTYPE TYPE=CUSTOM_ALLOC NOWARN
alloc type=CUSTOM_ALLOC DSN=MYDATA.SET1(MEMBER) complex=COMPLEX1  
alloc type=CUSTOM_ALLOC DSN=MYDATA.SET2(MEMBER) complex=COMPLEX2 
DEFINE TYPE=CUSTOM_ALLOC var1 as substr(record,1,10)

STANDARD X1

some carla code

ENDSTANDARD X1

N TYPE=COMPLIANCE_RULE_SET NOPAGE
 SORTLIST RULE_SET, COMPLEX(0), TEST_TOTALÆ


    ------------------------------
    Viktorija Kulbaciauskiene
    ------------------------------

    Original Message


  • 4.  RE: Multiple allocation of datasets

    Posted 22 days ago

    I understand you cannot share the code of your STANDARD X1, but can you show at least how you use the value of VAR1 in your TEST commands?

    Also, test if your release of zSecure assigns the correct value of COMPLEX to the DEFTYPE newlist.  Please add right below the DEFINE for VAR1:

    newlist type=custom_alloc
      list ddname recno complex var1



    ------------------------------
    Rob van Hoboken
    ------------------------------

    Original Message


  • 5.  RE: Multiple allocation of datasets

    Posted 22 days ago

    I have tested your carla and looks like my zSecure release assigns correct value of complex. Didn't see the issue. Worth to mention that ddname is the same for all records.

    In my rule sets I just select my custom deftype and var1 for verification. But I do not assign complex value or select it



    ------------------------------
    Viktorija Kulbaciauskiene
    ------------------------------

    Original Message


  • 6.  RE: Multiple allocation of datasets

    Posted 21 days ago
    Edited by Rob van Hoboken 21 days ago

    Ok... I added a rudimentary standard and verified that the results are shown for both complexes.  So far I don't see a defect in zSecure, so please test this code on your system.

    // JCLLIB ORDER=(SYS3.ZSEC.CKRPARM,SYS1.SCKRPROC)
    // EXEC C2RC
    //CUST1 DD *
    IBMUSER aaaa
    IBMUSER bbbb
    IBMUSER bbbb
    //CUST2 DD *
    IBMUSER aaaa
    IBMUSER aaaa
    IBMUSER cccc
    //SYSIN DD *
    alloc type=unload dsn=SYS3.ckr.unload(0) complex=in1
    alloc type=racf backup complex=in2
     
    deftype type=@cust  
    alloc type=@cust dd=cust1 complex=in1
    alloc type=@cust dd=cust2 complex=in2
    define  type=@cust key as word(record,1)
    define  type=@cust val as word(record,2)
     
    standard Y version(0)   
    domain cust select(@cust)
    rule custrule domain(cust)
      test custtest @cust(val=aaaa)
    endrule
    endstandard
     
    i m=ckalstds
    i m=ckalstd
    //

    It works just as well with a DD= allocation as with a DSN=.  The result shows compliant and non-compliant counts in both complexes (1 compliant, 2 non-compliant, and the other way around):

    S T A N D A R D   C O M P L I A N C E   S U M M A R Y                                                                      page    2
    Complex IN1
    Standard                 Pr Controls NonComp (Hi Med Low) Unknown N/A Sup Version  
    Y                        20        1       1   0   1    0       0   0   0 0

    S T A N D A R D   C O M P L I A N C E   S U M M A R Y                                                                      page    3
    Complex IN2
     Standard                 Pr Controls NonComp (Hi Med Low) Unknown N/A Sup Version  
    Y                        20        1       1   0   1    0       0   0   0 0

    C O M P L I A N C E   C O N T R O L   S U M M A R Y                                                                        page    4
    Complex IN1      Standard Y                        0   

    Control          Pr Cm% N/A Sup ObjGoals Complian NonCompl Unknown  Override RefrAssert Description

    custrule         20  33                3        1        2        0        0   

    C O M P L I A N C E   C O N T R O L   S U M M A R Y                                                                        page    5
    Complex IN2      Standard Y                        0   

    control          Pr Cm% N/A Sup ObjGoals Complian NonCompl Unknown  Override RefrAssert Description

    custrule         20  66                3        2        1        0        0                                                        

    By the way, you can debug the assignment of the value to COMPLEX by adding a dummy TEST command in your rule, like

      test complextest @cust(complex=in*)

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 7.  RE: Multiple allocation of datasets

    Posted 15 days ago
    Edited by Rob van Hoboken 15 days ago

    Problem solved, it turns out Viktorija had found out how to get the field from the external file into the reports, using DOMAIN ... SUMMARY:

    standard Y version(0)   
    domain cust select(@cust) summary(@cust(val))
    rule custrule domain(cust)
      test custtest @cust(val=aaaa)
    endrule
    endstandard

    However,  the manual also mentions that you should include the summary keys like COMPLEX and VER in the SUMMARY( ) parameter, and with COMPLEX omitted, well, COMPLEX was not initialized from the DEFTYPE file, which was the original problem.  See mumblings about COMPLEX SUMMARY.  All that was needed, was adding COMPLEX to the SUMMARY parameter, like so: 

    standard Y version(0)   
    domain cust select(@cust) summary(@cust(val complex))
    rule custrule domain(cust)
      test custtest @cust(val=aaaa)
    endrule
    endstandard

    Only took (me) a week to remember this side effect of DOMAIN SUMMARY.

    ------------------------------
    Rob van Hoboken
    ------------------------------



Related Content