OnDemand User Group
Support Forums => z/OS Server => Topic started by: Eli on April 12, 2021, 05:55:42 AM
-
Hello CMOD team,
I was defining the ARS.PTGN exit to exploit the RACF PassTicket feature for the CMOD environment.
The configuration was done and it is working with no problem when I submit a JOB directly calling the ARSLOAD application.
For example, using the sample ARSIVPJ1, excluding the User and Password:
//STEP1 EXEC PGM=ARSLOAD,REGION=0M,
// PARM=('/-h ARCHIVE -n -v -s OBJINPT
// -Z ivp -g "ARSIVPR1" tempname')
The profile defined in the RACF PTKTDATA is:
RDEFINE PTKTDATA ARSSOCKD SSIGNON(KEYMASKED(415253534f434b44)) UACC(NONE)
However, when I try to exploit the PassTicket from ARSYSPIN (which should call ARSLOAD to complete this job), excluding the values of the parms ODUSER= and ODUSERPW= in the //ARSPARM card, the PassTicket does not work as expected and I receive the message "ARS1105E Userid or password is invalid".
Following is how ODUSER= and ODUSERPW= are defined in the //ARSPARM:
ARSY0103I <*NOSPINDELAY=
ARSY0103I < ODHOST=ARCHIVE
ARSY0103I < ODINSTANCE=ARCHIVE
ARSY0103I < ODUSER=
ARSY0103I < ODUSERPW=
ARSY0103I <*OUTCC=
The question is: How can ARSYSPIN exploit the ARS.PTGN exit?
Thanks,
Eli
eli@ibm.com
-
This is just a guess:
> Following is how ODUSER= and ODUSERPW= are defined in the //ARSPARM:
> ARSY0103I <*NOSPINDELAY=
> ARSY0103I < ODHOST=ARCHIVE
> ARSY0103I < ODINSTANCE=ARCHIVE
> ARSY0103I < ODUSER=
> ARSY0103I < ODUSERPW=
> ARSY0103I <*OUTCC=
If in ARSIVPR1 you completely omit the -u and -p, perhaps in ARSPARM you should completely omit the ODUSER and ODUSERPW parms?
Ed
-
Hello Ed,
Thanks for the reply...
I've tried without the parameters too; however, the same problem occurred. That was my first try, and afterwards I left the parameters in, without the values. All resulted in the same message indicating an incorrect user/pw.
Regards, Eli.
-
When you submit the job what userid is it running under?
IRR010I USERID ODLOADER IS ASSIGNED TO THIS JOB.
What userid is ARSYSPIN running under?
IEF695I START ARSYP1QA WITH JOBNAME ARSYP1BL IS ASSIGNED TO USER ARSSV100, GROUP ODCMARS
Ed
-
Hello Ed,
Here is the answer:
IEF695I START ARSYSPIN WITH JOBNAME ARSYSPIN IS ASSIGNED TO USER ARSUSER , GROUP CMODGRP
=====
ARSUSER is the same user as the ARSSOCKD started task.
-
Okay,
ARSYSPIN: ARSUSER
ARSSOCKD: ARSUSER
> The configuration was done and it is working with no problem when I submit a JOB directly calling the ARSLOAD application.
What userid is associated with that JOB?
Ed
-
Ed,
It sounds like some problem with the CMOD security exit, after some changes in z/OS. I am just checking this. Here is why I suspect that something is wrong with the z/OS definitions:
D PROG,EXIT,EXITNAME=ARS.SECURITY,DIAG
CSV463I NO MODULES ARE ASSOCIATED WITH EXIT ARS.SECURITY
I will also check PTGN and try to see if something is affecting the Passticket process. I'll let you know.
-
Yes, it sounds like something is wrong with the ARS.PTGN exit too:
D PROG,EXIT,EXITNAME=ARS.PTGN,DIAG
CSV463I NO MODULES ARE ASSOCIATED WITH EXIT ARS.PTGN
I will check this first and see whether that was causing our problem.
I will let you know. Thanks.
-
Reminder that ARSYSPIN calls ARSLOAD under the covers.
I knew there was a doc out there somewhere on this which includes a checklist:
ARS.PTGN not active for ARSLOAD - Question and Answer
https://www.ibm.com/support/pages/node/81145
Ed
-
Hi Ed,
After a z/OS maintenance, the exit was incorrectly defined. The problem was fixed and the ARS.PTGN exit is working as designed.
Many thanks,
Eli