Date post: 18-Apr-2020
Page 1: BIM-ALERT™ 5.1 Installation and Operations Guide · Installation and Operations Guide Release 5.1 • BIM-ALERT/VSE™ allows you to control user access to datasets, programs, libraries,

BIM-ALERT/VSE™ VSE External Resource Security Manager

Installation and Operations Guide

Release 5.1

• BIM-ALERT/VSE™ allows you to control user access to datasets, programs, libraries, sublibraries, JCL keywords, ICCF pseudo partitions, and other resources without changes to JCL.

• Advantages of using BIM-ALERT/VSE™ include low overhead with no penalties for operation, comprehensive z/VSE resource security, security system auditability, and ease of use.

• BIM-ALERT/VSE™ is unsurpassed in operating efficiency and ease of use for non-technical auditors, security administrators, and other personnel.

BIM-ALERT/VSE™ provides comprehensive security for your z/VSE batch environment

BIM-ALERT/CICS™ CICS Security Manager

• BIM-ALERT/CICS™ facilities are easy to use, even for non-technical personnel—no need to write programs, change JCL, or learn a “rules” language.

• BIM-ALERT/CICS™ requires a minimum of memory and DASD, and was written with attention to minimizing the number of security-checking cycles. Your system does not bog down with BIM-ALERT/CICS, so your users won’t be slowed down, either.

• BIM-ALERT/CICS™ provides online, menu-driven screens for defining security at all levels—for each user, department, and section.

BIM-ALERT/CICS™ provides comprehensive security for CICS transactions, programs, files, and maps

This documentation applies to Release 5.1 of the program product BIM-ALERT.

Original Printing: 03/14/2000
Last Revised: 01/25/2002

Contents

Trademark Information
Related Publications

Chapter 1 Preparing to Install BIM-ALERT
  If You Are Running a Version of BIM-ALERT Prior to 4.9
  If You Are Installing BIM-ALERT/CICS and BIM-ALERT/VSE
  Overview of Installing BIM-ALERT
  Checklist for Preinstallation Steps
  Deciding Which Components to Install
  System Requirements
    BIM-ALERT/CICS Requirements
    BIM-ALERT/VSE Requirements
  Identifying the BIM-ALERT Residence Sublibrary
    Introduction
    Sublibrary Size Requirements
    Sublibrary Member Names

Chapter 2 Restoring the BIM-ALERT Installation Tape
  Introduction
  Step 1: Remove Existing BIM-ALERT MSHP Entries
  Step 2: Create the Installation Procedure
    Introduction
    Tailoring the Installation Procedure
  Step 3: Restoring the Installation Tape
  Deferred Execution of the Generated Installation Procedure

Chapter 3 Installing BIM-ALERT
  Introduction
    About This Chapter
    Using the Sample JCL
    Sharing BIM-ALERT Files in a Multiple CPU Setting
  Installation Procedure for Current Users
    Step 1: Deactivate BIM-ALERT/VSE
    Step 2: Catalog a New AXPPROC Procedure
    Step 3: Prepare Online Files for Conversion to 5.1 Format
    Step 4: Create the Version 5.1 Online Security Files
    Step 5: Create the Version 5.1 Messages File
    Step 6: Create the Version 5.1 Administrator Audit File
    Step 7: Create the Version 5.1 Log Files
    Step 8: Update IPL, BG, and F1 ASI Procedures
    Step 9: Update CICS Table Entries
    Step 10: Update Optional CICS Table Entries
    Step 11: Adjust the Size of the CSA Common Work Area
    Step 12: Add SET SDL Entries for MRO Control Modules
    Step 13: Shut Down CICS
    Step 14: Reassemble User Exits
    Step 15: Reassemble Post Sign-On Programs
    Step 16: Reassemble Parameter-Driven Sign-On Programs
    Step 17: Reassemble Custom Versions of S1S611 and S1S601
    Step 18: Remove BIM-ALERT/CICS from the PLT Startup
    Step 19: Update Your JCLLUSEX List
    Step 20: Verify IJSYSRS.SYSLIB Standard Label
    Step 21: Activate Submittal Monitors and Security Exits
    Step 22: Verify IJSYSRS Phases
    Step 23: Convert Rules Tables to 5.1 Format
    Step 24: Assemble the Network Submittal Table
    Step 25: Perform an IPL to Activate BIM-ALERT 5.1
  Installation Procedure for a New Installation
    Step 1: Verify BIM-ALERT VSAM Cluster Names
    Step 2: Define an Extent for Rules Assembly Work File
    Step 3: Catalog the AXPPROC Procedure
    Step 4: Define and Initialize the Log Files
    Step 5: Define and Initialize the Control File
    Step 6: Define and Initialize the Online Security Files
    Step 7: Define and Initialize the Message File
    Step 8: Define and Initialize the Audit File
    Step 9: Add LIBDEF and DLBLs to CICS Partition Startup
    Step 10: Catalog New IPL, BG, and F1 ASI Procedures
    Step 11: Add CICS Table Entries
    Step 12: Add Optional CICS Table Entries
    Step 13: Adjust the Size of the CSA Common Work Area
    Step 14: Add SET SDL Entries for MRO Control Modules
    Step 15: BIM-ALERT/CICS PLT Entries
    Step 16: Update Your JCLLUSEX List
    Step 17: Verify the Standard Label for IJSYSRS.SYSLIB
    Step 18: Trial IPL With SEC IPL Procedures
    Step 19: Catalog a New $ASIPROC Master Procedure
    Step 20: Activate Submittal Monitors and Security Exits
    Step 21: Verify IJSYSRS Phases
    Step 22: Perform an IPL to Activate BIM-ALERT
  Supporting the IUI Under CICS/TS 1.1

Chapter 4 Security Migration Aids
  About This Chapter
  IBM Security Migration Aids
    Using ALRTCRD1
    The Migration Process
    Using ALRTCUP1
    The Migration Process
  CA-TopSecret Security Migration Aids
    Using S1TSCNV
    Resources Eligible for Conversion
    The Conversion Process
    Using AXPTSCV
    Product Differences
    Assigning SECIDs
    The Conversion Process

Chapter 5 Submittal Monitors and Security Exits
  About This Chapter
  About the Submittal Monitor Facility
    Introduction
    Omitting ID Cards From Remote Jobs
  Installing Submittal Monitors
    BIM-EDIT Submittal Monitor
    BIM-FAQS/PCS Submittal Monitor
    CA-SCHEDULER Submittal Monitor
    CA-VOLLIE Submittal Monitor
    CMS Submittal Monitor
    CONDOR Submittal Monitor
    CSAR Submittal Monitor
    EZ/KEY Submittal Monitor
    GSERV Submittal Monitor
    ICCF Submittal Monitor
    I.E. Submittal Monitor
    ZEKE Submittal Monitor
  Installing Security Exits
    Introduction
    Installing a Security Exit for BIM-EPIC
    Installing a Security Exit for CA-EXPLORE for CICS-VSE
    Installing a Security Exit for CA-EXPLORE for VSE
    Installing a Member-Level Security Exit for BIM-FAQS/PCS
    Installing a Job-Submittal Security Exit for BIM-FAQS/PCS
    Installing a Security Exit for CA-FAVER for VSE
    Installing a Security Exit for CA-MASTERCAT for VSE
    Installing a Security Exit for CA-XCOM
    Installing a Security Exit for DITTO for VSE and DITTO/ESA

Chapter 6 BIM-ALERT Operation
  About This Chapter
  BIM-ALERT Logging
    Managing the Log Data
    Log File Merge Utility ALRTL10
    Log File Purge Enqueue Mechanism
    Redefining the Log File
    When the Log File Is Full
    Logger Shutdown
    Controlling the Logger From a Batch Partition
  Log File Report Program
    About The Log File Report Program
    Report Program Control Statements
    JCL and Control Statement Examples
  SECID Summary Report Program
  Audit File Report Program
  About the VSE Data Security Environment
    Introduction
    Running Without BIM-ALERT/VSE Active
  Performing VSE Maintenance with BIM-ALERT Active
    When Applying Maintenance
    Verifying Security Phases in IJSYSRS.SYSLIB
  Managing $JOBEXIT Phases
    Introduction
    Guidelines
    Determining the Status of $JOBEXIT Phases
    Reloading a Local POWER JOBEXIT Program
  Implementation Notes for BIM-ALERT/CICS
    Introduction
    Activating BIM-ALERT/CICS
  Implementing BIM-ALERT/CICS in an MRO Environment
  Running BIM-ALERT/CICS with the VSE/ESA Interactive User Interface

Chapter 7 BIM-ALERT/VSE Utility Programs
  AXPI9X Utility
  AXPU1 Utility
  AXPU2 and AXPU5 Utilities
    Introduction
    AXPU2 Utility
    AXPU5 Utility
  AXPU4 Utility
    Introduction
    Control Statements
    Syntax for Control Statements
    Format for Control Statements
    Special Character Sequences in Library Records
    Running AXPU4 During IPL/ASI

Index

Trademark Information

This manual refers to the following brand or product names, registered trademarks, and trademarks which are listed according to their respective owners.

Platinum Software: ZEKE

Computer Associates International, Inc.: CA-SCHEDULER, CA-VOLLIE, CA-ALERT for VM, CA-EXPLORE for CICS-VSE, CA-EXPLORE for VSE, CA-FAVER, CA-FLEE, CA-MASTERCAT, CA-TopSecret, CA-XCOM

Dun & Bradstreet Software Services, Inc.: I.E.

International Business Machines: CICS, CICS/ESA, CICS/VSE, IBM, IDCAMS, MVS/ESA, VM, VSE/ESA, VSE/POWER, VSE/SP, VTAM

Phoenix Software Company: CONDOR

Software Engineering of America: CSAR

Related Publications

Overview

This section lists the documentation that deals with BIM-ALERT/VSE and BIM-ALERT/CICS. Your BIM Account Manager can order any of these documents for you.

BIM-ALERT/VSE Manuals

Subject: Manual

Installation: The BIM-ALERT Installation and Operations Guide explains how to install and maintain BIM-ALERT/VSE.

Using BIM-ALERT: The BIM-ALERT/VSE Security Administrator's Guide explains how to use BIM-ALERT/VSE to set up and maintain security.

Reports: The BIM-ALERT Auditing and Report Writing Guide explains how to use the BIM-ALERT batch report writer.

Messages: The BIM-ALERT Messages Guide contains explanations of all messages issued by BIM-ALERT/VSE.

BIM-ALERT/CICS Manuals

Subject: Manual

Installation: The BIM-ALERT Installation and Operations Guide explains how to install BIM-ALERT/CICS.

Using BIM-ALERT: The BIM-ALERT/CICS Security Administrator's Guide explains how to use BIM-ALERT/CICS to set up and maintain security.

Reports: The BIM-ALERT Auditing and Report Writing Guide explains how to use the BIM-ALERT batch report writer.

Messages: The BIM-ALERT Messages Guide contains explanations of all messages issued by BIM-ALERT/CICS.

Chapter 1 Preparing to Install BIM-ALERT

This chapter lists system requirements and tasks you should perform prior to installing BIM-ALERT/VSE and BIM-ALERT/CICS.

  If You Are Running a Version of BIM-ALERT Prior to 4.9
  If You Are Installing BIM-ALERT/CICS and BIM-ALERT/VSE
  Overview of Installing BIM-ALERT
  Checklist for Preinstallation Steps
  Deciding Which Components to Install
  System Requirements
    BIM-ALERT/CICS Requirements
    BIM-ALERT/VSE Requirements
  Identifying the BIM-ALERT Residence Sublibrary
    Introduction
    Sublibrary Size Requirements
    Sublibrary Member Names

If You Are Running a Version of BIM-ALERT Prior to 4.9

If you are currently running a version of BIM-ALERT prior to 4.9, contact BIM Technical Support.

Do not attempt to use the procedures in this document to upgrade from a version of BIM-ALERT prior to 4.9.

If You Are Installing BIM-ALERT/CICS and BIM-ALERT/VSE

If you are installing or converting existing releases of both BIM-ALERT/CICS and BIM-ALERT/VSE, you must convert them at the same time and in the manner described in this manual.

Overview of Installing BIM-ALERT

When you install BIM-ALERT/VSE and BIM-ALERT/CICS, you will perform the following activities. In general, installation requires that these activities be completed in the sequence shown here.

Step 1: Prepare for installation.

  If you are a current user of BIM-ALERT/VSE or BIM-ALERT/CICS, back up your online security files and, in some cases, your messages file before proceeding with the rest of the installation. Refer to the Checklist for Preinstallation Steps on page 1-5 for lists of the files you should back up.

  Described in: Chapter 1, "Preparing to Install BIM-ALERT"

Step 2: Obtain jobstreams from the installation tape.

  Jobstreams from the installation tape are read into the VSE/POWER reader queue.

  Described in: Chapter 2, "Restoring the BIM-ALERT Installation Tape"

Step 3: Tailor the installation procedure.

  This process executes one of the jobstreams read into the POWER reader queue from the tape. When you run this jobstream, you answer questions on the VSE system console to tailor the installation procedure. You choose if you want to install both BIM-ALERT/VSE and BIM-ALERT/CICS, and the name of the VSE sublibrary you want to use.

  Described in: Chapter 2, "Restoring the BIM-ALERT Installation Tape"

Step 4: Execute the installation procedure.

  This process restores the contents of one or more of the sublibraries from the installation tape into the sublibrary (or sublibraries) you chose in Step 3.

  Described in: Chapter 2, "Restoring the BIM-ALERT Installation Tape"

Step 5: Tailor BIM-ALERT files and tables, and modify your VSE procedures, jobstreams, and tables.

  If you are currently using BIM-ALERT/VSE or BIM-ALERT/CICS, you must convert several files and tables to the 5.1 format by executing jobstreams and programs that were restored into your installation sublibrary.

  All users must modify certain cataloged VSE procedures, jobstreams, and tables to include information required to use BIM-ALERT/VSE or BIM-ALERT/CICS.

  Described in: Chapter 3, “Installing BIM-ALERT”; Chapter 5, “BIM-ALERT/VSE Submittal Monitors and Security Exits”; Chapter 6, “BIM-ALERT Operation”

Checklist for Preinstallation Steps

Use the following checklist to keep track of the preinstallation steps you've completed.

( ) If you are currently running BIM-ALERT/VSE or BIM-ALERT/CICS, make backup copies of your online rules, user profile, and messages files as follows:

    If you are currently using BIM-ALERT/VSE, back up the following files:
      ( ) ALERTXP.
      ( ) AXPCTL.
      ( ) S1SCTY.

    If you are currently using BIM-ALERT/CICS, back up the following files:
      ( ) S1SCTY.
      ( ) S1SMS##. It is necessary to back up S1SMS## only if you have created customized messages.

( ) Review compatibility issues.

    If you are currently running any version of BIM-ALERT/VSE prior to 5.1, review the compatibility issues discussed in the BIM-ALERT/VSE Security Administrator's Guide. Consult with the security administrator and decide whether any of these issues require additional preparation before installing version 5.1.

( ) Decide which of the following components of the BIM-ALERT installation tape you want to install:

      ( ) BIM-ALERT/VSE - Batch security for the VSE environment
      ( ) BIM-ALERT/CICS - Online security for the CICS environment

( ) Check system requirements.

( ) Identify the main residence sublibrary in which to install BIM-ALERT/VSE and BIM-ALERT/CICS.

    Main residence sublibrary for both components: _____________________________

( ) If you require both versions of BIM-ALERT/CICS — the one for CICS/VSE version 2.3 and the one for CICS/TS version 1.1 — identify a second sublibrary for the second version of BIM-ALERT/CICS.

    Second residence sublibrary for BIM-ALERT/CICS: ___________________________

    If you require only one version of BIM-ALERT/CICS — either the one for CICS/VSE version 2.3 or the one for CICS/TS version 1.1 — you do not need the second residence sublibrary. Your BIM-ALERT/CICS will be restored to the main residence sublibrary along with BIM-ALERT/VSE.


Deciding Which Components to Install

The BIM-ALERT installation tape contains two main components:

• BIM-ALERT/VSE - Batch security for the VSE/ESA environment
• BIM-ALERT/CICS - Online security for the CICS environment

You can install either or both of these components. Installing both allows you to enable either of them at your convenience. The extra overhead involved in installing both components at once is minimal.


System Requirements

BIM-ALERT/CICS Requirements

Software Requirements

In order to properly install BIM-ALERT/CICS, your software must possess the following characteristics:

• CICS/VSE release 2.3 or higher
• VSAM release 1.2 or higher
• SORT

Hardware Requirements

In order to properly install BIM-ALERT/CICS, your hardware must possess the following characteristics:

• 3270-2 CRT or compatible devices
• 3287 printer (only if you use real-time audit to print)
• Disk space for five VSAM files

GETVIS Requirements

The BIM-ALERT/CICS GETVIS requirements vary greatly depending on the following:

• Size of your network
• Number of resources to be protected
• Amount of security activated at CICS initialization

In order to help you determine your system requirements, BIM-ALERT/CICS displays messages during initialization showing the amount of storage allocated for BIM-ALERT/CICS use.

The storage that is allocated can come from either the partition GETVIS or the system GETVIS areas. You determine which GETVIS area will be used by specifying an appropriate value for the CONTROL SUFFIX field of the UPAR screen, as follows:

• If you specify a zero, the storage comes from the partition area.

• If you specify a number between one and nine, the storage comes from system GETVIS and is shared by all MRO partitions using the same BIM-ALERT/CICS security file. BIM-ALERT will use storage above the 16M line where possible.


The following two tables show how to estimate how much GETVIS you need. Use the following table to estimate table space.

GETVIS Required for Internal Tables                                  BYTES

SYSTEM OPTIONS ..................................................      512

TERMINAL TABLE            196 bytes fixed
                          + variable number
                            (tran/8)+1
                            (prog/8)+1
                            (file/4)+1
                            (maps/8)+1
                            (flds/8)+1
(optional)                + user area 53 bytes ..................    _____

OPERATOR TABLE            177 bytes fixed
                          + variable number
(one entry for each         (tran/8)+1
secured terminal)           (prog/8)+1
                            (file/4)+1
                            (maps/8)+1
                            (flds/8)+1 ..........................    _____

TRANSACTION TABLE         18 X (# secured trans + 10) + 20 ......    _____

PROGRAM TABLE             22 X (# secured progs + 10) + 20 ......    _____

FILE TABLE                23 X (# secured files + 10) + 20 ......    _____

MAP TABLE                 116 X (# secured maps + 10) + 20 ......    _____

FIELD TABLE (1)           70 X (# secured flds + 10) + 20 .......    _____

TASK WORKAREA TABLE (2)   1184 X (value of MAXTASKS parm) .......    _____

(1) Field table entries are variable in length. 70 is a good estimate.
(2) The size of the TASK WORKAREA TABLE is calculated by multiplying the value of your MAXTASKS startup parameter by 1184. Issue the transaction CEMT INQ SYS to determine the current MAXTASKS value.


GETVIS Required for Modules Loaded by BIM-ALERT/CICS (in bytes)

SYSTEM MONITORS:                              CICS/VSE 2.3   CICS/TS 1.1
ALRT100    Security Router                    N/A            12288
S1S110     Program Monitor                    4096           N/A
S1S120     File Monitor                       6144           N/A
S1S130     Map Monitor                        4096           N/A
S1S131     HLPI Fast Path Map Monitor         2048           N/A
S1S180     Field Security (files)             4476           N/A
S1S181     Field Security (maps)              3008           N/A
S1SFCMON   Field Security                     3724           3724

SYSTEM SUPPLIED EXITS (optional)              6668           6668
(This figure may change if user-written exits are used.)


Example

The following table illustrates the calculation of the GETVIS requirements for a CICS/VSE 2.3 network consisting of 150 operators using 100 secured terminals, 100 secured transactions, 100 secured programs, 100 secured files, and 0 secured maps. No user exits are specified. MAXTASKS is defined as 30.

                                                                 BYTES
SYSTEM OPTIONS ..............................................      512
TERMINAL TABLE        (196+14+14+14+0+0) x 100 ..............    23800
OPERATOR TABLE        (177+14+14+14+0+0) x 100 ..............    21900
TRANSACTION TABLE     18 X (100 + 10) + 20 ..................     2000
PROGRAM TABLE         22 X (100 + 10) + 20 ..................     2440
FILE TABLE            23 X (100 + 10) + 20 ..................     2550
MAP TABLE             116 X 0 ...............................        0
FIELD TABLE           100 X 0 ...............................        0
TASK WORKAREA TABLE   1184 X 30 .............................    35520

* NOTE: The number of entries in the operator table is determined by the
  number of secured terminals that require operator sign-on, not the
  number of operators defined to BIM-ALERT/CICS on the S1SCTY file.
  This is true since you can have only one operator on a terminal at
  a time.

PROGRAM MONITOR .............................................     4096
FILE MONITOR ................................................     6144
MAP MONITOR .................................................        0
FLD MONITORS ................................................        0
======================================================================
TOTAL .......................................................    98962


CICS Running in the SVA

Many CICS modules can be executed from the SVA. This is important if you run more than one CICS partition because you can avoid a double allocation of space for modules that can be shared. BIM-ALERT/CICS references some modules that are SVA eligible during activation in order to protect your resources. Since any change to a shared module affects all the partitions sharing the module, you must ensure that all of the following modules execute in the CICS partition and do not get loaded in the SVA. This applies to CICS/VSE 2.3 only.

Module to Not Reside in SVA    Description
DFHZCP                         Terminal control
DFHPCP                         Program control
DFHFCP                         File control
DFHM32                         3270 map program
DFHMCX                         HLPI map fast path

All other modules can reside in the SVA as usual.


BIM-ALERT/VSE Requirements

Introduction

Before beginning the installation steps for BIM-ALERT/VSE, you must carry out the following required steps to make sure your operating system and SVA meet the specified requirements.

Operating System Requirements

The following operating system requirements apply to BIM-ALERT/VSE:

• BIM-ALERT/VSE version 5.1 runs in the VSE/ESA 2.3, 2.4, 2.5 or 2.6 operating system environments.

• The logging facility requires VSAM.

• The install jobstream catalogs three members into IJSYSRS.SYSLIB. These members are also copied into PRD2.SAVE and require a total of 47 blocks in each sublibrary.

• You must have enough free space in IJSYSRS.SYSLIB to catalog new versions of your ASI IPL procedure and your ASI JCL procedures. Use the LIBR LD command to determine the sizes of these members.

• The SORT program is required for the BIM-ALERT/VSE report programs.

WARNING!

If you have altered or re-cataloged your $SYSOPEN program, be aware that during installation, BIM-ALERT/VSE replaces the existing $SYSOPEN phase in IJSYSRS.SYSLIB with a BIM-ALERT/VSE program. The previous $SYSOPEN phase is retained under the name AXP$OPEN.PHASE. BIM-ALERT/VSE passes control to this phase after executing the BIM-ALERT/VSE program. See page 1-14 for a complete description of this process.

Additionally, be aware that if you are installing version 5.1 of BIM-ALERT/VSE on a system that shares IJSYSRS with other systems that will continue to run earlier versions of BIM-ALERT/VSE, you must take additional steps at the time you copy and rename $SYSOPEN to ensure that all versions of BIM-ALERT/VSE run correctly. Refer to page 2-16 for more information.

Partition GETVIS for the Logger

The logger requires approximately 80K of partition GETVIS in the partition where it executes (usually the VSE/POWER partition).


SVA Requirements

SVA requirements are shown in the following table.

SDL Entries            30
SVA Resident Phases    105K
System GETVIS Area     40K (25K fixed and 15K variable)

The logger uses system GETVIS space for temporary buffers. During periods of very high logging activity, the amount used may be significant. Under normal circumstances, the amount does not exceed 4K. If you are running VSE/ESA version 1.3 or above, this amount is obtained from above the 16M line.

You can determine the amount of SVA free space you currently have by running a job step similar to the following:

    // EXEC LIBR,SIZE=200K
    LD SDL
    /*

Before you IPL with BIM-ALERT/VSE, be sure you have the required

• Number of free entries
• SVA space
• System GETVIS space

Remember that you must always have adequate free space for reloading SVA resident phases as part of your day-to-day operations. And remember that many of the system components acquire and release system GETVIS space dynamically. This requirement may not be reflected in the USED statistics shown by a single LIBR display. Run the LIBR display several times while various other types of job are running to get an estimate of how much free space you have.

The amount shown for system GETVIS includes a small amount (2K) for a rules table. If you are running VSE/ESA version 1.3 or above, this amount is obtained from the 31-bit area. As larger tables are generated, this system GETVIS requirement will increase. Consult with the security administrator to determine anticipated rules table requirements. The size of a specific rules table may be determined from the final page of the rules assembly listing.

The total amount of system GETVIS required to start BIM-ALERT/VSE with a specific rules table (not including any amounts for SVA resident phases) is displayed by the start-up utility AXPI1.


Phases Automatically Loaded into the SVA

For VSE/ESA 2.3

If you are running VSE/ESA version 2.3, AXPI1 automatically adds required SDL entries and loads any required phases into the SVA, except for the $JOBEXIT phases, which you must load into the SVA using the $SVA0000 load list phase before activating BIM-ALERT/VSE.

For VSE/ESA 2.4 and Above

If you are running VSE/ESA version 2.4 or above, AXPI001 automatically adds required SDL entries and loads any required phases into the SVA, except for the $JOBEXIT phases, which you must load into the SVA using the $SVA0000 load list phase before activating BIM-ALERT/VSE.

BIM-ALERT Replaces $SYSOPEN During Installation

The VSE operating system provides a standard IPL exit facility. During IPL, the operating system passes control to whatever program is resident in IJSYSRS.SYSLIB under the name $SYSOPEN. The operating system supplies a skeleton $SYSOPEN program that does nothing but immediately return to the operating system. If an installation wants to perform IPL exit processing, they put their program in IJSYSRS.SYSLIB under the name $SYSOPEN, replacing the skeleton program supplied by the operating system.

BIM-ALERT/VSE's installation procedure renames the existing $SYSOPEN program AXP$OPEN and copies a BIM-ALERT/VSE program into IJSYSRS.SYSLIB under the name $SYSOPEN. After BIM-ALERT/VSE is installed, the operating system passes control to BIM-ALERT/VSE's $SYSOPEN program during IPL, and BIM-ALERT/VSE's program passes control to AXP$OPEN.

WARNING!

The BIM-ALERT/VSE installation process makes copies of $SYSOPEN and AXP$OPEN in sublibrary PRD2.SAVE. It is critical that you retain these programs in PRD2.SAVE so that they will be restored later when you apply VSE system maintenance. If the BIM-ALERT/VSE $SYSOPEN program is removed from IJSYSRS, BIM-ALERT/VSE will not activate.

If You Have Your Own $SYSOPEN

If you replaced the skeleton $SYSOPEN program with your own program, change your procedures for modifying and re-cataloging your program as follows:

• Change your procedure to use the name AXP$OPEN.PHASE instead of $SYSOPEN.PHASE. This will avoid eliminating the BIM-ALERT program when you re-catalog yours.

• Change your procedure so that it catalogs your program into PRD2.SAVE first and then copies it into IJSYSRS.SYSLIB.


Identifying the BIM-ALERT Residence Sublibrary

Introduction

Definition

Before you can install BIM-ALERT, you must either create a sublibrary or select an existing sublibrary to serve as the residence sublibrary. The residence sublibrary is the sublibrary in which BIM-ALERT phases will reside.

About the Residence Sublibrary

The residence sublibrary can be any sublibrary except IJSYSRS.SYSLIB. The label information for the residence sublibrary should be in system standard labels.

Install All BIM-ALERT Products in the Same Sublibrary

Since all BIM-ALERT products share certain important features, they must be installed in the same sublibrary. These components must also be of the same version. Installing components in different sublibraries or installing components of different versions causes initialization problems. If you install both the CICS/VSE 2.3 and the CICS/TS 1.1 versions of BIM-ALERT/CICS, the residence sublibrary for the CICS/VSE 2.3 version must be different from the CICS/TS 1.1 version.

If You Are Currently Running BIM-ALERT

If you are currently running BIM-ALERT, you should install the new version of BIM-ALERT into a sublibrary other than your current BIM-ALERT residence sublibrary.

If you elect to install the new version of BIM-ALERT into your current BIM-ALERT residence sublibrary, you should back it up first.


Sublibrary Size Requirements

The approximate number of library blocks required for installing the BIM-ALERT component modules is as follows:

BIM-ALERT/VSE 2400 library blocks

BIM-ALERT/CICS 1400 library blocks

Common utilities 1800 library blocks

Sublibrary Member Names

BIM-ALERT Member Names

The following member names are restored during the installation process. You must ensure that none of these names duplicates any member names already existing in the residence sublibrary.

• Members of type PHASE whose names start with the characters S1S, S1A, S1B, S1M, S1U, or ALRT
• Members of type A whose names start with the characters ALRT, ALERT, COMM or S1
• Members of type C whose names start with the characters S1
• Members of type PHASE whose names start with the characters AXP
• Members of type PHASE whose names start with the characters A1M
• Members of type A whose names are AXPFCT, AXPPCT, and AXPPPT
• Members of type J whose names start with the characters AXP, ALRT, and COM
• Member AXPPROC.MODEL
• Members of type Z
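The member-name rule above can be checked before the restore runs. The following sketch is an added example, not part of the BIM-ALERT product or its documentation: it assumes the directory of the intended residence sublibrary has already been reduced to one NAME.TYPE entry per line (the raw LIBR listing layout is not parsed), and the function names and the sample listing are constructed for illustration.

```python
"""Flag members of a residence sublibrary whose names fall in the ranges the
BIM-ALERT 5.1 restore writes (rules copied from "Sublibrary Member Names")."""

# Member type -> name prefixes that the installation restores.
PREFIX_RULES = {
    "PHASE": ("S1S", "S1A", "S1B", "S1M", "S1U", "ALRT", "AXP", "A1M"),
    "A": ("ALRT", "ALERT", "COMM", "S1"),
    "C": ("S1",),
    "J": ("AXP", "ALRT", "COM"),
}
# Members restored under one exact name.
EXACT_MEMBERS = {
    ("AXPFCT", "A"), ("AXPPCT", "A"), ("AXPPPT", "A"), ("AXPPROC", "MODEL"),
}
# Types for which every member is restored.
WHOLE_TYPES = {"Z"}

# Constructed sample: one NAME.TYPE entry per line (assumed input format),
# lines starting with "*" are comments.
SAMPLE_LISTING = """\
* hypothetical contents of a sublibrary chosen as the residence sublibrary
PAYROLL.PHASE
S1SMENU.PHASE
AXPFCT.A
AXPLOCAL.A
COMPILE.J
S1COPY.C
NOTES.Z
ALRTX.PROC
"""


def parse_member(line):
    """Return (name, type) for a 'NAME.TYPE' line, None for blanks/comments."""
    text = line.strip().upper()
    if not text or text.startswith("*"):
        return None
    name, dot, mtype = text.rpartition(".")
    if not dot or not name or not mtype:
        raise ValueError(f"not a NAME.TYPE entry: {line!r}")
    return name, mtype


def collision_reason(name, mtype):
    """Explain why NAME.TYPE would be replaced by the restore, or return None."""
    if mtype in WHOLE_TYPES:
        return f"all members of type {mtype} are restored"
    if (name, mtype) in EXACT_MEMBERS:
        return "restored under this exact name"
    for prefix in PREFIX_RULES.get(mtype, ()):
        if name.startswith(prefix):
            return f"type {mtype} names starting with {prefix} are restored"
    return None


def find_collisions(lines):
    """Return [(member, reason)] for every entry the restore would replace."""
    hits = []
    for line in lines:
        member = parse_member(line)
        if member is None:
            continue
        reason = collision_reason(*member)
        if reason:
            hits.append((".".join(member), reason))
    return hits


if __name__ == "__main__":
    for member, reason in find_collisions(SAMPLE_LISTING.splitlines()):
        print(f"{member:<16} {reason}")
```

A flagged entry is either a member left by an earlier BIM-ALERT release or an unrelated member that happens to share a prefix (COMPILE.J in the sample); the second kind is the one to rename or move before installing.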


Chapter 2. Restoring the BIM-ALERT Installation Tape

This chapter explains how to restore the BIM-ALERT installation tape.

Introduction ... 2-2
Step 1: Remove Existing BIM-ALERT MSHP Entries ... 2-3
Step 2: Create the Installation Procedure ... 2-5
    Introduction ... 2-5
    Tailoring the Installation Procedure ... 2-6
Step 3: Restoring the Installation Tape ... 2-15
Deferred Execution of the Generated Installation Procedure ... 2-17


Introduction

About This Chapter

This chapter explains how to restore the BIM-ALERT installation tape. Restoring the installation tape consists of the following steps:

Step   Action
1      If you have installed previous versions of BIM-ALERT, remove their entries from the MSHP history file.
2      Create the installation procedure.
3      Run the installation procedure to restore the installation tape.

Each of these steps is discussed in detail in the following sections.

Contents of the BIM-ALERT Installation Tape

The BIM-ALERT installation tape contains the following files:

File #   Contents
1        The following VSE/POWER jobs:
           IALERT1   Generates the installation procedure
           IALERT3   Used if you defer executing the generated procedure
2-4      MSHP/LIBR backups of the BIM-ALERT common programs for CICS/TS 1.1
5-7      MSHP/LIBR backups of the BIM-ALERT common programs for CICS/VSE 2.3
8-10     MSHP/LIBR backups of BIM-ALERT/CICS for CICS/VSE 2.3
11-13    MSHP/LIBR backups of BIM-ALERT/CICS for CICS/TS 1.1
14-16    MSHP/LIBR backups of BIM-ALERT/VSE


Step 1: Remove Existing BIM-ALERT MSHP Entries

Do You Need to Take This Step?

You should remove BIM-ALERT products from your MSHP history file prior to restoring version 5.1 from the tape if either of the following applies:

• If you are installing BIM-ALERT into the same sublibrary as a previous release.

• If you previously installed any of the following versions of BIM-ALERT/VSE or BIM-ALERT/CICS:

    BIM-ALERT/VSE version 4.0x
    BIM-ALERT/CICS version 3.5x
    BIM-ALERT/CICS version 4.5x

Removing the prior version enables you to apply MSHP CORRECTs to version 5.1x.

If neither of the above applies, you can proceed to step 2 on page 2-5.

Sample REMOVE Jobstream

Use JCL similar to the following to remove BIM-ALERT entries from the MSHP history file. Substitute an appropriate BIM-ALERT product number and component number for prodnumber and compnumber, as listed in the next section.

    // EXEC MSHP,SIZE=700K
    REMOVE prodnumber
    REMOVE compnumber
    /*


MSHP Product and Component Names for BIM-ALERT Versions

The following table shows the MSHP product names and component names for the various versions of BIM-ALERT:

BIM-ALERT/VSE

ALERT Version   MSHP Product Number   MSHP Component Number
4.92 - 4.93     ALT490                7965-ALT-00-490
5.0A            ALT50A                2885-ALT-00-50A
5.0B            ALT50B                2885-ALT-00-50B

BIM-ALERT/CICS

ALERT Version   CICS Version   MSHP Product Number   MSHP Component Number
4.92 - 4.93     1.7 or 2.1     ALC901                7965-ALC-00-901
                2.2 or 2.3     ALC903                7965-ALC-00-903
5.0A            1.7 or 2.1     ALC501                2885-ALC-00-501
                2.2 or 2.3     ALC50A                2885-ALC-00-50A
5.0B            1.7 or 2.1     ALC502                2885-ALC-00-502
                2.2 or 2.3     ALC50B                2885-ALC-00-50B

Common Component

ALERT Version   CICS Version   MSHP Product Number   MSHP Component Number
4.92 - 4.93     1.7 or 2.1     ACV901                7965-ACV-00-901
                2.2 or 2.3     ACV903                7965-ACV-00-903
5.0A            1.7 or 2.1     ACV501                2885-ACV-00-501
                2.2 or 2.3     ACV50A                2885-ACV-00-50A
5.0B            1.7 or 2.1     ACV502                2885-ACV-00-502
                2.2 or 2.3     ACV50B                2885-ACV-00-50B


Step 2: Create the Installation Procedure

Introduction

In this step, you run the IALERT1 jobstream. IALERT1 creates an installation procedure, DCMINST, which you execute to restore the contents of the installation tape.

When you run IALERT1, you answer questions on the VSE system console that tailor the installation procedure to your needs.

Procedure

To run the IALERT1 job, take the following steps:

Step   Action
2a     Mount the BIM-ALERT installation tape.
2b     Issue the following VSE/POWER command to read the IALERT1 jobstream from the tape into the VSE/POWER reader queue. Replace cuu with the address of the tape drive on which the installation tape is mounted:

           S RDR,cuu

       After you issue this command, the jobstreams from the tape (IALERT1 and IALERT3) will be in the VSE/POWER reader with a disposition of L.
2c     Issue the following command to run the IALERT1 job:

           R RDR,IALERT1

2d     As the questions appear on your VSE system console, answer them as explained in the following sections.


Tailoring the Installation Procedure

Introduction

This section explains how to tailor the installation procedure for your site by answering the questions posed by the IALERT1 job.

If You Are Running CICS Version 2.2

If you are running CICS version 2.2, follow the directions for CICS version 2.3.

Question 1: What Is the Name of the BIM-ALERT Residence Sublibrary?

Question: You are first asked to name the sublibrary that will serve as the BIM-ALERT residence sublibrary. Refer to Chapter 1, "Preparing to Install BIM-ALERT", for information on residence sublibrary requirements.

    BIM-ALERT/VSE AND BIM-ALERT/CICS
    BIM-ALERT/VSE - BATCH SECURITY FOR THE VSE ENVIRONMENT
    BIM-ALERT/CICS - ONLINE SECURITY FOR THE CICS ENVIRONMENT
    SPECIFYING THE BIM-ALERT RESIDENCE SUBLIBRARY
    0 SETPARM LIB='LIB.SUBLIB'
    AT THE PAUSE, YOU WILL BE REQUIRED TO ENTER A SETPARM
    FOR THE RESIDENCE SUBLIBRARY. ALL BIM-ALERT COMPONENTS
    INSTALLED AS PART OF THIS PROCEDURE WILL BE CATALOGED
    INTO THIS RESIDENCE SUBLIBRARY UNLESS YOU INSTALL BOTH
    THE CICS/TS 1.1 AND CICS/VSE 2.3 VERSIONS OF BIM-ALERT/CICS
    (SEE BELOW). IN THAT CASE, THE BIM-ALERT/CICS FOR
    CICS/TS 1.1 WILL BE CATALOGED INTO THE RESIDENCE SUBLIBRARY
    SPECIFIED AT THE PAUSE, AND THE CICS/VSE 2.3 VERSION OF
    BIM-ALERT/CICS WILL BE CATALOGED INTO THE SUBLIBRARY YOU
    WILL BE ASKED TO SPECIFY LATER.
    A SINGLE VERSION OF BIM-ALERT/VSE IS INCLUDED ON THIS TAPE.
    THE CICS PORTIONS OF THE BIM-ALERT/VSE COMPONENT ARE
    COMPATIBLE WITH CICS/TS 1.1 AND CICS/VSE 2.3. THE
    BIM-ALERT/VSE MATERIAL WILL BE CATALOGED INTO THE RESIDENCE
    SUBLIBRARY THAT YOU SPECIFY AT THE FOLLOWING PAUSE,
    REGARDLESS OF WHETHER YOU INSTALL BOTH VERSIONS OF
    BIM-ALERT/CICS.


Your Response: For example, if SAALRT.PROD is to be your residence sublibrary, enter

    // SETPARM LIB='SAALRT.PROD'

Message Displayed: When you enter the name of your residence sublibrary and press ENTER, the following message is displayed:

    YOU ARE NOW IN THE BIM-ALERT INSTALL GENERATION PROGRAM.
    THIS PROGRAM WILL PROMPT YOU FOR INFORMATION ABOUT
    WHAT YOU WANT TO INSTALL AND HOW. THIS PROGRAM BUILDS
    AN INSTALL PROC BASED UPON THE ANSWERS YOU SUPPLY TO
    THESE PROMPTS. AFTER THE PROC HAS BEEN BUILT, YOU CAN
    EXECUTE IT WHEN YOU ARE READY TO PERFORM THE INSTALL.

Question 2: What Is the Tape Drive's Address?

Question: You are next asked to enter the CUU of the tape drive on which the BIM-ALERT installation tape is mounted, as follows:

    ENTER TAPE DRIVE CUU FOR INSTALL. (E.G. 280)

Your Response: Enter the same address you used in step 2b on page 2-5.

Question 3: Are the Residence Sublibrary Name and Tape Drive Address Correct?

Question: Next, you are asked to confirm that the residence sublibrary name and tape drive address are correct, as follows:

    DO YOU WISH TO INSTALL INTO SUBLIBRARY xxxx.xxxx FROM cuu?
    ENTER YES OR CANCEL.

Your Response: Enter YES if the residence sublibrary and tape drive indicated are correct. If either is incorrect, enter CANCEL. If you enter CANCEL, the job terminates, and you must begin again by releasing IALERT1 (step 2c on page 2-5).


Question 4: Do You Want to Use MSHP or LIBR to Restore the Tape?

Question: You are next asked if you want to use the MSHP or the LIBR IBM utility program to restore the tape:

    DO YOU WISH TO INSTALL USING MSHP OR LIBR?
    ENTER MSHP OR LIBR.

Your Response: Enter either MSHP or LIBR. It is recommended that you use MSHP.

If you enter MSHP in response to the preceding prompt, proceed to question 6. If you enter LIBR in response to the preceding prompt, proceed to question 5.

Question 5: Do You Want to Archive the BIM-ALERT Components with MSHP?

Question: Next, you are asked if you want to archive the BIM-ALERT components with MSHP:

    DO YOU WISH TO ARCHIVE THE BIM-ALERT COMPONENTS WITH
    MSHP AFTER THE LIBR INSTALL?
    ENTER YES OR NO.

Your Response: If you want to have the BIM-ALERT products archived with MSHP after the LIBR install, enter YES. It is recommended that you archive the BIM-ALERT components so that fixes can be applied using MSHP CORRECT.

Otherwise, enter NO.

Question 6: Do You Want to Install Both BIM-ALERT/VSE and BIM-ALERT/CICS?

Question: You are next asked whether you want to install both BIM-ALERT/VSE and BIM-ALERT/CICS:

    DO YOU WISH TO INSTALL FULL BIM-ALERT SYSTEM
    --- BIM-ALERT/VSE AND BIM-ALERT/CICS?
    ENTER YES OR NO.


Your Response: If you want to install both BIM-ALERT/VSE and BIM-ALERT/CICS, enter YES and proceed to question 9.

Otherwise, enter NO and proceed to question 7.

Question 7: Do You Want to Install BIM-ALERT/CICS?

Question: Next, you are asked if you want to install BIM-ALERT/CICS:

    DO YOU WISH TO INSTALL BIM-ALERT/CICS?
    ENTER YES OR NO.

Your Response: If you want to install BIM-ALERT/CICS, enter YES and proceed to question 9.

Otherwise, enter NO and proceed to question 8.

Question 8: Do You Want to Install BIM-ALERT/VSE?

Question: Next, you are asked if you want to install BIM-ALERT/VSE:

    DO YOU WISH TO INSTALL BIM-ALERT/VSE?
    ENTER YES OR CANCEL.

Your Response: If you want to install BIM-ALERT/VSE, enter YES. This completes the information necessary to generate the installation procedure. Proceed to step 3 on page 2-15.

Otherwise, enter CANCEL. The installation procedure is not generated because your answers indicate that you do not want to install any of the BIM-ALERT components. You can restart generation of the installation procedure by again releasing job IALERT1 from the VSE/POWER reader queue (step 2c on page 2-5).


Question 9: Do You Need to Install Both the CICS/TS 1.1 and the CICS/VSE 2.3 Versions of BIM-ALERT/CICS?

Question: Next you are asked whether you need to install both the CICS/TS 1.1 and the CICS/VSE 2.3 versions of BIM-ALERT/CICS:

    DO YOU NEED TO INSTALL BOTH BIM-ALERT/CICS VERSIONS:
    --- BIM-ALERT/CICS FOR CICS/TS 1.1 AND CICS/VSE 2.3?
    ENTER YES OR NO

Your Response: If you need to install both versions of BIM-ALERT/CICS (the one for CICS/TS 1.1 and the one for CICS/VSE 2.3), enter YES and then proceed to question 11.

Otherwise, enter NO and proceed to question 10.

Question 10: Which Version of BIM-ALERT/CICS Do You Want?

Question: Next you are asked which version of BIM-ALERT/CICS you want to install, the version for CICS/TS 1.1 or the version for CICS/VSE 2.3:

    CHOOSE EITHER THE BIM-ALERT/CICS VERSION FOR
    CICS/TS 1.1 OR CICS/VSE 2.3.
    ENTER 11 OR 23

Your Response: If you want to install the version of BIM-ALERT/CICS for CICS/TS 1.1, enter 11 in response to the prompt. Enter the number as 11 (without the period).

If you want to install the version of BIM-ALERT/CICS for CICS/VSE 2.3, enter 23. Enter the number as 23 (without the period).

After you enter your response to the preceding prompt, proceed to step 3 on page 2-15 to execute the generated installation procedure.


Question 11: What Is the Name of the Sublibrary for the CICS/VSE 2.3 Version of BIM-ALERT/CICS?

Question: The next prompt asks for the name of the sublibrary where you want to install the CICS/VSE 2.3 version of BIM-ALERT/CICS:

    PLEASE SPECIFY SUBLIBRARY FOR CICS/VSE 2.3 VERSION.
    **** WARNING WARNING WARNING ****
    YOU HAVE CHOSEN TO INSTALL BOTH VERSIONS OF
    BIM-ALERT/CICS. THE BIM-ALERT/CICS THAT EXECUTES IN
    THE CICS/TS 1.1 ENVIRONMENT WILL BE INSTALLED INTO THE
    BIM-ALERT RESIDENCE SUBLIBRARY YOU CHOSE VIA THE
    SETPARM AT THE BEGINNING OF THIS PROCEDURE. YOU MUST
    CHOOSE A DIFFERENT SUBLIBRARY IN WHICH TO
    INSTALL THE BIM-ALERT/CICS THAT EXECUTES IN THE
    CICS/VSE 2.3 ENVIRONMENT. IF YOU CHOOSE THE SAME
    SUBLIBRARY, UNPREDICTABLE RESULTS WILL OCCUR WHEN YOU
    INITIALIZE BIM-ALERT/CICS.
    **** WARNING WARNING WARNING ****
    ENTER LIBRARY.SUBLIBRARY

Your Response: Enter the name of the sublibrary for the CICS/VSE 2.3 version of BIM-ALERT/CICS. This sublibrary must be different from the one you specified for the BIM-ALERT residence sublibrary. (The version of BIM-ALERT/CICS for CICS/TS 1.1 will be installed in the BIM-ALERT residence sublibrary along with BIM-ALERT/VSE.)

Question 12: Are the Sublibraries for BIM-ALERT/CICS Correct?

Question: The next prompt asks whether the sublibraries for BIM-ALERT/CICS are correct:

    YOU HAVE ELECTED TO INSTALL BOTH VERSIONS OF
    BIM-ALERT/CICS FROM THE TAPE.
    THE CICS/TS 1.1 VERSION OF BIM-ALERT/CICS WILL BE
    INSTALLED IN xxxxxxx.yyyyyyyy.
    THE CICS/VSE 2.3 VERSION OF BIM-ALERT/CICS WILL BE
    INSTALLED IN xxxxxxx.yyyyyyyy.
    IS THIS CORRECT?
    ENTER YES OR NO


Your Response: If the sublibraries shown are correct, enter YES. Remember that the sublibrary for CICS/TS 1.1 must not be the same as the one for CICS/VSE 2.3. Then proceed to step 3 on page 2-15 to execute the generated installation procedure.

If the name of the CICS/VSE 2.3 sublibrary shown is not correct, enter NO. If you enter NO, you are asked to re-specify and then verify the sublibrary for the CICS/VSE 2.3 version of BIM-ALERT/CICS.

Question 13: What Is the Name of the Sublibrary for the CICS/VSE 2.3 Version of BIM-ALERT/CICS?

Question: The following prompt asks for the name of the sublibrary where you want to install the CICS/VSE 2.3 version of BIM-ALERT/CICS:

    PLEASE RESPECIFY THE NAME OF THE SUBLIBRARY
    IN WHICH THE VERSION OF BIM-ALERT/CICS THAT SUPPORTS
    CICS/VSE 2.3 IS TO BE INSTALLED.
    ENTER LIBRARY.SUBLIBRARY

Your Response: Enter the name of the sublibrary where you want to install the CICS/VSE 2.3 version of BIM-ALERT/CICS.

Question 14: Is the Name of the Sublibrary for the CICS/VSE 2.3 Version of BIM-ALERT/CICS Correct?

Question: The following prompt asks you to verify that the name of the sublibrary for the CICS/VSE 2.3 version of BIM-ALERT/CICS is correct:

    THE CICS/VSE 2.3 VERSION OF BIM-ALERT/CICS WILL BE
    INSTALLED IN xxxxxxx.yyyyyyyy.
    IS THIS CORRECT?
    ENTER YES OR CANCEL


Your Response: If the correct sublibrary is shown, enter YES. Otherwise, enter CANCEL.

If the Same Sublibrary Is Specified for Both Versions of BIM-ALERT/CICS

During the execution of the generated installation procedure, the names of the sublibraries for the two versions of BIM-ALERT/CICS will be compared. If they are the same, the warning shown in the following figure is displayed, and the installation procedure is canceled. If that happens, restart generation of the installation procedure by releasing job IALERT1 from the VSE/POWER reader queue (step 2c on page 2-5).

    **** WARNING WARNING WARNING ****
    YOU HAVE SELECTED THE SAME SUBLIBRARY
    FOR BOTH THE CICS/TS 1.1 AND CICS/VSE 2.3 VERSIONS OF
    BIM-ALERT/CICS. YOU MUST RERUN IALERT1 AND SPECIFY
    A DIFFERENT SUBLIBRARY FOR THE CICS/VSE 2.3 VERSION
    OF BIM-ALERT/CICS.
    **** WARNING WARNING WARNING ****


Confirmation that the Installation Procedure Has Been Generated

When your answers to the IALERT1 questions provide enough information to customize the installation procedure for your requirements, you receive the following message:

    INSTALL PROCEDURE GENERATED...

After you receive this message, proceed to step 3 on page 2-15.

Cancellation of the Installation Generation Process

Why Generation of the Installation Process Is Cancelled: Generation of the installation procedure is canceled when you request it by responding CANCEL to one of the questions.

Message Displayed: If the installation procedure was not generated, the following message is displayed:

    INSTALL CANCELLED

To Restart Generation of the Installation Process: You can restart generation of the installation process by releasing job IALERT1 from the VSE/POWER reader queue (step 2c on page 2-5).


Step 3: Restoring the Installation Tape

Sample Prompt

After IALERT1 creates the installation procedure DCMINST, the following prompt is displayed:

    DO YOU WISH TO RUN THE GENERATED INSTALL
    PROCEDURE? IF SO REPLY AN EOB ELSE
    REPLY // GOTO EOJ.

Your Response

To execute the generated installation procedure, enter EOB. The tape should be mounted on the tape drive you specified in response to question 2 of step 2 on page 2-7.

If you want to defer execution of the generated procedure, enter // GOTO EOJ. For more information about deferred execution of the generated installation procedure, refer to page 2-17.

If You Install Version 5.1 into the Same Sublibrary as a Previous Version

It is recommended that you not install version 5.1 into the same sublibrary as a previous version of BIM-ALERT. However, if you decided to do so and you did not remove the previous version from the MSHP history file, MSHP issues the following message during the restore operation:

    M222D DOWNLEVEL CHECK FAILED. CONTINUATION WILL RESULT IN A LOSS OF
    SERVICE. ENTER "GO" TO CONTINUE OR "CANCEL" TO TERMINATE.

This message is merely a reminder that you are installing the new version into the same sublibrary as the old version. If your intention is to install the new version into the same sublibrary as the old version, you can respond GO to the message.

Jobsteps Executed After the Sublibraries Are Restored


After the selected sublibraries are restored from the tape, several jobsteps may be executed depending upon which BIM-ALERT components you installed, and whether you chose MSHP or LIBR to perform the installation.

If you installed with LIBR and chose to archive the BIM-ALERT products with MSHP (Step 2, Questions 4 and 5), the next jobstep archives the BIM-ALERT products with MSHP. This lets you apply fixes to BIM-ALERT with the MSHP CORRECT command.

If BIM-ALERT/VSE was installed, the next jobsteps rename and replace several phases in IJSYSRS.SYSLIB with phases from the BIM-ALERT residence sublibrary. These phases are also copied into PRD2.SAVE.

The following prompt is displayed before the jobsteps execute:

    TYPE GOTO SKIPRES TO SKIP THE IJSYSRS.SYSLIB COPY/RENAME
    PORTION OF THE INSTALL. IF YOU SKIP THIS THESE STEPS MUST
    BE PERFORMED AT A LATER TIME, OR YOU WILL NOT BE ABLE TO
    ACTIVATE BIM-ALERT.
    TYPE GOTO SKIPRES TO SKIP THESE STEPS.
    -OR-
    ENTER EOB TO CONTINUE.

If you are installing version 5.1 on a system that shares IJSYSRS with other systems that will continue to run earlier versions of BIM-ALERT/VSE, type GOTO SKIPRES to skip these job steps. Then build a $SYSOPEN CPU ID table as described in JCL member AXPJCL82.J.

When the Job Is Complete

When the job is complete, you receive the following message:

    BIM-ALERT VERSION 5.1
    END OF INSTALL PROCESS

Review the printout of the installation listings. In particular, check the JCL completion code for each of the jobs. A completion code of 8 or 12 indicates a serious problem that must be resolved before you attempt to activate BIM-ALERT and before you attempt to IPL with SEC=YES.

The jobsteps that copy BIM-ALERT/VSE members into IJSYSRS.SYSLIB and PRD2.SAVE may produce a completion code of 4. This should not be considered an error.

After reviewing the printout of the installation listings, if you have any problems or questions, contact BIM Technical Support.


Deferred Execution of the Generated Installation Procedure

Perform the following steps to execute the generated installation procedure after you responded // GOTO EOJ at the prompt shown in step 3 on page 2-15.

Step  Action

1     Mount the installation tape on the drive specified in question 2 of step 2 on page 2-7.

2     Release job IALERT3 from the VSE/POWER reader queue.

3     You will receive the following prompt:

          ENTER A LIBDEF FOR THE BIM-ALERT
          RESIDENCE SUBLIBRARY

      Enter LIBDEF PROC,SEARCH=library.sublibrary, replacing library.sublibrary with the name of your residence sublibrary.

4     Proceed as described in step 3 on page 2-15.


Chapter 3. Installing BIM-ALERT

This chapter explains how to install BIM-ALERT/VSE and BIM-ALERT/CICS.

Introduction
    About This Chapter
    Using the Sample JCL
    Sharing BIM-ALERT Files in a Multiple CPU Setting

Installation Procedure for Current Users
    Introduction
    Step 1: Deactivate BIM-ALERT/VSE
    Step 2: Catalog a New AXPPROC Procedure
    Step 3: Prepare Online Files for Conversion to 5.1 Format
    Step 4: Create the Version 5.1 Online Security Files
    Step 5: Create the Version 5.1 Messages File
    Step 6: Create the Version 5.1 Administrator Audit File
    Step 7: Create the Version 5.1 Log Files
    Step 8: Update IPL, BG, and F1 ASI Procedures
    Step 9: Update CICS Table Entries
    Step 10: Update Optional CICS Table Entries
    Step 11: Adjust the Size of the CSA Common Work Area
    Step 12: Add SET SDL Entries for MRO Modules
    Step 13: Shut Down CICS
    Step 14: Reassemble User Exits
    Step 15: Reassemble Post Sign-On Programs
    Step 16: Reassemble Parameter-Driven Sign-On Programs
    Step 17: Reassemble Custom Versions of S1S611 and S1S601
    Step 18: Remove BIM-ALERT/CICS from the PLT Startup
    Step 19: Update Your JCLLUSEX List
    Step 20: Verify IJSYSRS.SYSLIB Standard Label
    Step 21: Activate Submittal Monitors and Security Exits
    Step 22: Verify IJSYSRS Phases
    Step 23: Convert Rules Tables to 5.1 Format
    Step 24: Assemble the Network Submittal Table
    Step 25: Perform an IPL to Activate BIM-ALERT

Installation Procedure for a New Installation
    Introduction
    Step 1: Verify BIM-ALERT VSAM Cluster Names
    Step 2: Define an Extent for Rules Assembly Work File
    Step 3: Catalog the AXPPROC Procedure
    Step 4: Define and Initialize the Log Files
    Step 5: Define and Initialize the Control File
    Step 6: Define and Initialize the Online Security Files
    Step 7: Define and Initialize the Message File
    Step 8: Define and Initialize the Audit File
    Step 9: Add LIBDEF and DLBLs to CICS Partition Startup
    Step 10: Catalog New IPL, BG, and F1 ASI Procedures
    Step 11: Add CICS Table Entries
    Step 12: Add Optional CICS Table Entries
    Step 13: Adjust the Size of the CSA Common Work Area
    Step 14: Add SET SDL Entries for MRO Control Modules
    Step 15: BIM-ALERT/CICS PLT Entries
    Step 16: Update Your JCLLUSEX List
    Step 17: Verify the Standard Label for IJSYSRS.SYSLIB
    Step 18: Trial IPL With SEC IPL Procedures
    Step 19: Catalog a New $ASIPROC Master Procedure
    Step 20: Activate Submittal Monitors and Security Exits
    Step 21: Verify IJSYSRS Phases
    Step 22: Perform an IPL to Activate BIM-ALERT

Supporting the IUI Under CICS/TS 1.1
    Introduction


Introduction

About This Chapter

This chapter explains the steps you take to install BIM-ALERT/VSE after you have restored the installation tape. It includes the following topics:

• The next section, "Using the Sample JCL," describes the contents of the jobstreams restored from the tape and how to tailor them for your needs.

• The section "Sharing BIM-ALERT/VSE Files in a Multiple CPU Setting" on page 3-10 explains restrictions on sharing BIM-ALERT/VSE files across CPUs.

The remainder of this chapter contains separate installation procedures for current and new users, as follows:

If You Are                                          Then Use This Section                             Page
Currently running version 4.9 or 5.0 of BIM-ALERT   "Installation Procedure for Current Users"        3-12
Installing BIM-ALERT for the first time             "Installation Procedure for a New Installation"   3-53

Do not attempt to use the procedures documented in this chapter to convert from a release of BIM-ALERT/VSE prior to 4.9. If you want to convert from a release of BIM-ALERT/VSE prior to 4.9, contact BIM Technical Support.


Using the Sample JCL

Introduction

There are a number of members in the BIM-ALERT residence sublibrary that contain sample JCL for performing the following types of tasks:

• Initializing and converting files
• Installing submittal monitors
• Creating VSE library members and tables used for activating BIM-ALERT/VSE and BIM-ALERT/CICS
• Activating and running BIM-ALERT/VSE

General guidelines for customizing sample JCL members begin on page 3-8. Specific instructions for customizing individual members are provided throughout the rest of this chapter and in the members themselves.

JCL Members Contained in the Residence Sublibrary

The following table lists the sample JCL members contained in the BIM-ALERT residence sublibrary.

Member          Description
ALERTFCT.A      DFHFCT entries for BIM-ALERT/CICS and BIM-ALERT/VSE combined
ALERTPCT.A      DFHPCT entries for BIM-ALERT/CICS and BIM-ALERT/VSE combined
ALERTPPT.A      DFHPPT entries for BIM-ALERT/CICS and BIM-ALERT/VSE combined
AXPAUTH.J       AXPB001 execution
AXPD.J          Assemble the program that illustrates AXP macro
AXPFCT.A        DFHFCT entries for BIM-ALERT/VSE files
AXPHD3A.J       Assemble AXPHD3A table using HD3TAB macro
AXPHD4A.J       Assemble network submittal table
AXPHI4A.J       Assemble AXPHI4A table
AXPH16X.A       ZEKE exit to insert //JOB statement
AXPHJ21.A       Sample BIM-EDIT submittal exit program
AXPHJ22X.A      Example of a program to assign a user ID for CSAR submittal


AXPHJ5F.J       Example of CICS command level submittal interface program
AXPHJ6.A        CICS table entries for CA-VOLLIE submittal monitor
AXPHJ6.J        Copy and rename commands for installing CA-VOLLIE submittal monitor
AXPHJ6B.J       Catalog example local CA-VOLLIE exit
AXPHJ7A.J       Assemble BIM-FAQS/PCS AXPX7A table to override user ID
AXPJCL00.J      BIM-ALERT/VSE startup/shutdown (AXPI1)
AXPJCL10.J      Define and initialize control file
AXPJCL20.J      Make copies of ASI and IPL procedures and JCL for AXPHP6B
AXPJCL60.J      Skeleton rules tables
AXPJCL70.J      MSHP REMOVE for BIM-ALERT/VSE
AXPJCL80.J      Sample JCL for installing the BIM-ALERT/VSE $JOBEXIT program under VSE/ESA/1.2 and higher
AXPJCL82.J      Sample JCL for copying phases between the BIM-ALERT sublibrary, IJSYSRS.SYSLIB, and PRD2.SAVE
AXPJCL84.J      Execute program AXPI16 to check level of VSE
AXPJCL90.J      Sample JCL for installing the CONDOR submittal monitor
AXPJCL92.J      Sample JCL for installing the ZEKE submittal monitor
AXPJCLB0.J      File conversion JCL for versions prior to 4.7
AXPJCLB1.J      Convert rules table phases for 5.1
AXPJCLB4.J      Make backup copy of AXPPROC.PROC in IJSYSRS.SYSLIB
AXPJCLC0.J      Generate a formatted listing of all the rules contained in one logical rules table of the ALERTXP file
AXPJCLC2.J      Assemble and catalog a rules table from the ALERTXP file (normally performed by using the CALR online transaction)
AXPPCT.A        DFHPCT entry for ALXP transaction
AXPPPT.A        DFHPPT entries for BIM-ALERT/VSE programs
AXPPROC.MODEL   Skeleton BIM-ALERT JCL procedure
AXPU004.J       Batch maintenance and modeling of security file
COMMAUD2.J      Print sample reports and archive audit file
COMMFCT.A       DFHFCT entries for common BIM-ALERT file
COMMPPT.A       DFHPPT entries for common BIM-ALERT programs
AXPPUNCH.Z      Punch members of type Z to CMS reader file


COMJCA00.J      Convert ALERTXP file from 4.7 to 4.8 format
COMJCA02.J      Convert ALERTXP file from 4.8 to 4.9 format
COMJCA04.J      Convert ALERTXP file from 4.9 to 5.0 format
COMJCA0R.J      Restore ALERTXP file
COMJCA10.J      Convert ALERTXP file and S1SCTY file from 4.7 to 4.8 format
COMJCA12.J      Convert ALERTXP file and S1SCTY file from 4.8 to 4.9 format
COMJCA14.J      Convert ALERTXP file and S1SCTY file from 4.9 to 5.0 format
COMJCA20.J      Create ALERTXP and S1SCTY files in 5.1 format
COMJCA30.J      Convert S1SCTY file from 4.7 to 4.8 format
COMJCA32.J      Create ALERTXP file in 4.9 format and convert S1SCTY file from 4.8 to 4.9 format
COMJCA34.J      Create ALERTXP file in 5.0 format and convert S1SCTY file from 4.9 to 5.0 format
COMJCA40.J      Convert S1SCTY file from 4.8 to 4.9 format
COMJCA44.J      Convert S1SCTY file from 4.9 to 5.0 format
COMJCA50.J      Create S1SCTY file in 5.1 format
COMJCB00.J      Create S1SMS## file in 5.1 format
COMJCB10.J      Convert S1SMS## file from 4.7 to 4.8 format
COMJCB12.J      Convert S1SMS## file from 4.8 to 4.9 format
COMJCB14.J      Convert S1SMS## file from 4.9 to 5.0 format
COMJCC00.J      Define and initialize audit file
COMJCC04.J      Convert S1SAUDT file to 5.0 format
COMJCD00.J      Rename VSAM files
COMJCD02.J      Rename VSAM files from 4.9 to 5.0 standards
DTSECTAB.J      Assemble DTSECTAB phase for IJSYSRS
COMJCE00.J      Migrate BIM-ALERT PPT and PCT table entries
COMJCE02.J      Define BIM-ALERT resources for CICS/VSE 2.3
COMJCE04.J      Define BIM-ALERT resources for CICS/TS 1.1
COMJCF30.J      Define log files
COMJCF40.J      Logger startup/shutdown/restart
COMJCF50.J      Print/purge/archive log file


ALRTCRD1.J      IBM resource migration utility
ALRTCUP1.J      IBM user profile migration utility
ALRTVCAU.J      Sample ALRTVCAU report writer control statements
ALRTVCSC.J      Sample ALRTVCSC report writer control statements
ALRTVVAU.J      Sample ALRTVVAU report writer control statements
ALRTVVSC.J      Sample ALRTVVSC report writer control statements
ALRTVCVI.J      Sample ALRTVCVI report writer control statements
ALRTVVVI.J      Sample ALRTVVVI report writer control statements
ALRTJCLD.J      S1SCTY file reorganization using disk backup
ALRTJCLT.J      S1SCTY file reorganization using tape backup
ALRTRPTS.J      Sample report jobstreams for supplied report programs
ALRTFLCD.J      ALTFLDCK and ALTSCNCK conversion
ALRTCNV.J       S1SCTY file conversion jobstreams for versions of BIM-ALERT/CICS prior to 4.7
ALRTSDL.J       Sample SET SDL jobstream for BIM-ALERT/CICS MRO control modules.


Variables in Sample JCL

Variable items are shown in the examples as question marks. When you customize the JCL examples, replace these question marks with data appropriate to your specific environment. For example, in the following line, the ?? represents the table ID, which you would replace with an actual table ID that is defined in your BIM-ALERT/VSE security file:

    TABLE=??

LIBDEF Statements in Sample JCL

Many of the examples contain a LIBDEF statement that refers to the BIM-ALERT residence sublibrary, which is shown as ?ALT.SUBLIB?. When you customize the sample JCL, replace ?ALT.SUBLIB? with the actual library and sublibrary name of your BIM-ALERT sublibrary. The following LIBDEF statement is an example of where you need to insert the name of the BIM-ALERT residence sublibrary:

    // LIBDEF PHASE,SEARCH=?ALT.SUBLIB?

In a few cases, the BIM-ALERT sublibrary is referred to in a parameter of a VSE/Librarian (LIBR) command, where it is also shown as ?ALT.SUBLIB?.

VSAM Catalogs in Sample JCL

Many of the examples refer to a VSAM catalog where the BIM-ALERT files are defined. In all the examples, this catalog is referred to as DD name ALTCAT and cluster name ?ALT.VSAM.CAT?. Replace ALTCAT and ?ALT.VSAM.CAT? with the DD name and cluster name of the VSAM catalog where your BIM-ALERT files are defined. The following DLBL is an example of this convention:

    // DLBL ALTCAT,'?ALT.VSAM.CAT?',,VSAM

Continuation Characters in IDCAMS Statements

When you modify IDCAMS statements in the examples, take care to retain the continuation indicators (-) shown in the examples.


Comments in IDCAMS Statements

In IDCAMS examples, comments are placed so that they can be either removed or retained without causing an IDCAMS syntax error. In most cases, the comment is placed in a self-contained, continued IDCAMS comment line following the parameter that the comment refers to. For example, in the following, the "Insert volume serial" comment refers to the IDCAMS VOL parameter that precedes it:

    VOL(??????)-
    /* <- Insert volume serial */ -

When the comment refers to the final parameter of an IDCAMS command and the line is not continued, the comment is placed on the same line as the parameter that it refers to. The comment "BIM-ALERT catalog name" in the following example illustrates this type of comment:

    INDEX(NAME(ALERT.XP.ONLINE.SECURITY.INDEX)-
    CISZ(2048))-
    CATALOG(?ALT.VSAM.CAT?) /* <- BIM-ALERT catalog name */

VSE/POWER JECL

Some sample JCL members (such as AXPJCLA2.J and AXPJCLB0.J) contain POWER JECL. POWER JECL in sample JCL members contains equal signs (==) in columns 1 and 2. Remove these equal signs when you customize the JECL.
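A pre-submission check for a customized sample member, added here as an example and not taken from the BIM-ALERT tape or documentation: it fills in the question-mark variables, unmasks the POWER JECL, and flags leftover variables or altered IDCAMS continuation indicators. The member text, the site values (PRD2.ALERT, ALERT.USER.CATALOG, SYSWK1) and the function names are constructed, and the code assumes that removing the equal signs means deleting columns 1 and 2.

```python
import re

# Constructed sample member written to the conventions in this guide: "==" in
# columns 1-2 of POWER JECL, ?ALT.SUBLIB? / ?ALT.VSAM.CAT? names, bare
# question-mark variables, IDCAMS continuation hyphens and comments. It is not
# a member from the tape; the cluster name and JECL operands are made up.
SAMPLE = """\
==* $$ JOB JNM=ALTDEF,CLASS=0
// JOB ALTDEF
// DLBL ALTCAT,'?ALT.VSAM.CAT?',,VSAM
// LIBDEF PHASE,SEARCH=?ALT.SUBLIB?
// EXEC IDCAMS,SIZE=AUTO
 DEFINE CLUSTER(NAME(ALERT.XP.ONLINE.SECURITY)-
   VOL(??????)-
   /* <- Insert volume serial */ -
   INDEXED)-
   INDEX(NAME(ALERT.XP.ONLINE.SECURITY.INDEX)-
   CISZ(2048))-
   CATALOG(?ALT.VSAM.CAT?) /* <- BIM-ALERT catalog name */
/*
/&
==* $$ EOJ
"""

NAMED = re.compile(r"\?([A-Z][A-Z0-9.]*)\?")          # ?ALT.SUBLIB?
BARE = re.compile(r"\b([A-Z]+)([=(])\?+(?![A-Z])")    # TABLE=??  VOL(??????)
COMMENT_LINE = re.compile(r"^\s*/\*.*\*/\s*-?\s*$")   # self-contained comment


def customize(text, named, bare):
    """Fill in the variables and unmask the JECL of one sample member.

    named maps the text between the question marks (e.g. "ALT.SUBLIB") to a
    value; bare maps the keyword in front of a run of question marks (e.g.
    "VOL") to a value. Anything without a mapping is left for check() to find.
    """
    out = []
    for line in text.splitlines():
        if line.startswith("=="):
            # Assumption: "remove these equal signs" means deleting columns
            # 1-2 so that the JECL statement shifts left to column 1.
            line = line[2:]
        line = NAMED.sub(lambda m: named.get(m.group(1), m.group(0)), line)
        line = BARE.sub(
            lambda m: m.group(1) + m.group(2) + bare[m.group(1)]
            if m.group(1) in bare else m.group(0),
            line,
        )
        out.append(line)
    return "\n".join(out) + "\n"


def check(original, edited):
    """Return (problem, line text) pairs for an edited member."""
    findings = []
    for line in edited.splitlines():
        if "?" in line:
            findings.append(("unreplaced variable", line.strip()))
        if line.startswith("=="):
            findings.append(("JECL still masked", line.strip()))

    # Self-contained comment lines may be removed or kept, so drop them from
    # both versions before comparing the continuation indicators line by line.
    def statements(text):
        return [l for l in text.splitlines() if not COMMENT_LINE.match(l)]

    before, after = statements(original), statements(edited)
    if len(before) != len(after):
        findings.append(("statement lines added or removed", ""))
        return findings
    for old, new in zip(before, after):
        if old.rstrip().endswith("-") != new.rstrip().endswith("-"):
            findings.append(("continuation indicator changed", new.strip()))
    return findings


if __name__ == "__main__":
    # Constructed site values.
    member = customize(
        SAMPLE,
        {"ALT.SUBLIB": "PRD2.ALERT", "ALT.VSAM.CAT": "ALERT.USER.CATALOG"},
        {"VOL": "SYSWK1"},
    )
    print(member)
    print(check(SAMPLE, member) or "no problems found")
```

Running check() against the unmodified member as the baseline also catches hand edits made after customize(), such as a continuation hyphen deleted together with its comment line.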


Sharing BIM-ALERT Files in a Multiple CPU Setting

Restrictions When Using Multiple CPUs

If you are using BIM-ALERT in a multiple CPU setting, the following files cannot be shared:

• The AXPLOG1 log file
• The AXPLOG3 log file

You must define a separate AXPLOG1 and AXPLOG3 log file for each CPU. The following sections explain alternative methods for setting up your security and audit files.

Defining the ALERTXP, S1SCTY, and S1SAUDT Files

CICS transactions ALXP and SCTY maintain security information in the VSAM files ALERTXP and S1SCTY. They also keep an audit trail of changes to ALERTXP and S1SCTY in another VSAM file called S1SAUDT. If you use BIM-ALERT in a multiple CPU setting, we do not recommend sharing the ALERTXP, S1SCTY, or S1SAUDT files among the CPUs. Choose one of the following methods for using the ALXP and SCTY transactions and allocating the ALERTXP, S1SCTY, and S1SAUDT files in a multiple CPU setting. The second method is the recommended one.

Method 1: Define ALERTXP, S1SCTY, and S1SAUDT files on each CPU. The files contain information only for the specific CPU where they are defined. Execute ALXP on each CPU.

Method 2 (recommended method): Define a single ALERTXP, S1SCTY, and S1SAUDT file on one of the CPUs. The files contain information for each of the CPUs. Execute ALXP only on the CPU where the files are defined.

Method 3: Define a single ALERTXP, S1SCTY, and S1SAUDT file using VSAM Share Option (4,4). The files contain security information for all CPUs, and the ALXP and SCTY transactions are available in any CICS partition where they are defined.


The following are some guidelines for using the second method (single ALERTXP file, single S1SCTY file, and single S1SAUDT file).

The jobstreams generated by the SCFL and CALR subfunctions of the ALXP transaction execute the AXPPROC procedure. In your AXPPROC, include conditional JCL statements for CPU-specific information, such as DLBLs for non-shared files. Use program AXPI9X to execute CPU-specific JCL statements inside your AXPPROC, as described on page 7-2. If you have a separate AXPPROC for each CPU, and you have a permanent LIBDEF PROC pointing to the sublibrary where AXPPROC resides on each CPU, you do not need to use program AXPI9X.

Perform all rules table conversion and assembly jobs on the CPU where the ALERTXP file is defined, and catalog the assembled rules table into a sublibrary that is shared among all the CPUs. This enables you to load the rules table on each of the CPUs.

When you use the CALR subfunction of ALXP to submit a job to load a rules table, be certain to submit the job to each CPU where you want the rules table loaded. Use the CALR SYSID parameter or the XDEST parameter to specify where you want CALR to submit the job for execution.

When you use the SCFL subfunction of ALXP to submit a job to reload the control file or to modify the BIM-ALERT/VSE current parameter settings, be certain to submit the job to each CPU where you want the change to take place. Use the SYSID parameter or the XDEST parameter of the SCFL JCL/JECL PARAMETERS screen to specify where you want SCFL to submit the job for execution.


Installation Procedure for Current Users

This section describes the steps necessary to install BIM-ALERT/VSE and BIM-ALERT/CICS. You should follow these steps if you are currently running version 4.9 or 5.0 of BIM-ALERT/VSE and/or BIM-ALERT/CICS.

You must complete the procedures described in chapters 1 and 2 before performing the steps listed below.

If you are installing both BIM-ALERT/VSE and BIM-ALERT/CICS, you must install both products at the same time.


The following table shows the steps you take if you are currently running versions 4.9 or 5.0 of BIM-ALERT, and whether each step is required for converting from either release or both:

| Step | Action | Required if converting from |
|---|---|---|
| 1 | Deactivate BIM-ALERT/VSE. | 4.9 or 5.0 |
| 2 | Catalog a new AXPPROC. | 4.9 or 5.0 |
| 3 | Prepare the online security files for conversion to 5.1. | 4.9 |
| 4 | Create the version 5.1 online security files. | 4.9 or 5.0 |
| 5 | Create the version 5.1 online message file. | 4.9 |
| 6 | Create the version 5.1 administrator audit file. | 4.9 |
| 7 | Create the version 5.1 log files | 4.9 or 5.0 |
| 8 | Update IPL and BG ASI Procedures | 4.9 or 5.0 |
| 9 | Update CICS Table Entries | 4.9 or 5.0 |
| 10 | Update Optional CICS Table Entries | 4.9 or 5.0 |
| 11 | Adjust the Size of the CSA Common Work Area | 4.9 or 5.0 |
| 12 | Add SET SDL Entries for MRO Control Modules | 4.9 or 5.0 |
| 13 | Shut Down CICS | 4.9 or 5.0 |
| 14 | Reassemble User Exits | 4.9 or 5.0 |
| 15 | Reassemble Post Sign-On Programs | 4.9 or 5.0 |
| 16 | Reassemble Parameter-Driven Sign-On Programs | 4.9 or 5.0 |
| 17 | Reassemble Custom Versions of S1S611 and S1S601 | 4.9 or 5.0 |
| 18 | Remove BIM-ALERT/CICS from PLT Startup | 4.9 or 5.9 |
| 19 | Add BIM-ALERT's $JOBEXIT phase to your JCLLUSEX list. | 4.9 or 5.0 |
| 20 | Verify the standard label for your system residence library. | 4.9 or 5.0 |
| 21 | Activate submittal monitors and security exits. | 4.9 or 5.0 |
| 22 | Verify IJSYSRS phases. | 4.9 or 5.0 |
| 23 | Convert the rules tables to 5.1 format. | 4.9 or 5.0 |
| 24 | Assemble the network submittal table. | 4.9 or 5.0 |
| 25 | Perform an IPL to activate BIM-ALERT version 5.1. | 4.9 or 5.0 |


Step 1: Deactivate BIM-ALERT/VSE

You need to take this step if you are running version 4.9 or 5.0 of BIM-ALERT/VSE.

You must deactivate BIM-ALERT/VSE before you begin the installation procedure for version 5.1. To deactivate BIM-ALERT/VSE, execute a job similar to the following:

// JOB DEACT BIM-ALERT/VSE
// EXEC PROC=AXPPROC
// EXEC AXPI1
MODE=DEACT
/*
/&


Step 2: Catalog a New AXPPROC Procedure

You need to take this step if you are running version 4.9 or 5.0 of BIM-ALERT/VSE.

To catalog a new AXPPROC, take the following steps:

Step Action

2a Make a backup copy of your AXPPROC. Member AXPJCLB4.J in the BIM-ALERT residence sublibrary contains sample JCL to back up AXPPROC by renaming it.

2b Modify the LIBDEF SEARCH to point to the 5.1 BIM-ALERT sublibrary.

2c After you make these modifications, re-catalog AXPPROC into IJSYSRS.SYSLIB.


Step 3: Prepare Online Files for Conversion to 5.1 Format

You need to take this step if you are running version 4.9 of BIM-ALERT/VSE or BIM-ALERT/CICS.

In order to create the version 5.1 online security files in step 4, you must have the following to use as input to the conversion program:

• An ALERTXP file in version 5.0 format
• An S1SCTY file in version 5.0 format

In this step, you perform a conversion of the online security files to version 5.0 format. The converted files are used as input to the 5.1 conversion programs in Step 4.

The conversion programs executed in this step require input files in version 4.9 format. If you are converting from BIM-ALERT/VSE or BIM-ALERT/CICS version 4.7 or 4.8, please contact BIM Technical Support for conversion assistance.


Use the following table to select the appropriate JCL for converting version 4.9 online security files to version 5.0 format:

| If you are converting from | And you are | Use the JCL in |
|---|---|---|
| Version 4.9 of BIM-ALERT/VSE | Not using or installing BIM-ALERT/CICS | COMJCA04.J |
| Version 4.9 of BIM-ALERT/VSE | Upgrading from version 4.9 of BIM-ALERT/CICS | COMJCA14.J |
| Version 4.9 of BIM-ALERT/VSE | Installing BIM-ALERT/CICS for the first time | COMJCA04.J |
| Version 4.9 of BIM-ALERT/CICS | Installing BIM-ALERT/VSE for the first time | COMJCA34.J |
| Version 4.9 of BIM-ALERT/CICS | Not using or installing BIM-ALERT/VSE | COMJCA44.J |


Take the following steps to convert the online security files to version 5.0 format:

Step Action

3a Retrieve the sample JCL from the member you selected.

3b Tailor the sample JCL as described in the comments in the JCL.

3c Close the online security and control files by issuing the following CICS transaction: CEMT S DAT(ALERTXP AXPCTL) CLO

3d Submit the file conversion jobstream, which does the following:

• The first step in the conversion jobstream backs up the existing ALERTXP and AXPCTL files. The jobstream then pauses to give you an opportunity to cancel if the backup step failed. Do not proceed if the backup step failed.

It is imperative that the existing file be backed up before conversion. The conversion program modifies the existing file in place, and if for any reason the program does not complete, the file will not be usable. In that event, you must be prepared to recover the file by performing a restore.

• The next step in the conversion jobstream creates a new S1SCTY file and then executes program S1C050, which converts information from your old 4.9 S1SCTY file into the new 5.0 S1SCTY file.

• The last step in the conversion jobstream executes program AXPU050, which converts your ALERTXP file from 4.9 format to 5.0 format in place.

3e Verify that the jobstream ran to completion. If an IDCAMS step terminated with a non-zero JCL return code, return to step 3a.

3f Check the return code from the S1C050 conversion program. Refer to page 3-20 for a list of return codes.

If necessary, review the report produced by the S1C050 conversion program. This report will contain error messages that indicate why the S1SCTY file did not convert completely. Contact BIM Technical Support for assistance.

3g Check the return code from the AXPU050 conversion program. Refer to page 3-20 for a list of return codes. If the conversion failed, restore your previous ALERTXP and AXPCTL files using the JCL in member COMJCA0R.J. Contact BIM Technical Support for assistance.


Step 4: Create the Version 5.1 Online Security Files

You need to take this step if you are converting from version 4.9 or 5.0 of BIM-ALERT/VSE or BIM-ALERT/CICS.

In this step, you convert the online security files ALERTXP and S1SCTY from version 5.0 format to version 5.1 format.

The conversion programs executed in this step require input files in version 5.0 format. If you are converting from BIM-ALERT/VSE or BIM-ALERT/CICS version 4.9, you must have successfully completed Step 3 prior to taking this step.

Use the following table to select the appropriate JCL for creating the version 5.1 online security files:

| If you are upgrading from | And you are | Use the JCL in |
|---|---|---|
| Version 4.9 or 5.0 of BIM-ALERT/VSE | Not using or installing BIM-ALERT/CICS | COMJCA06.J |
| Version 4.9 or 5.0 of BIM-ALERT/VSE | Upgrading from a prior version of BIM-ALERT/CICS | COMJCA06.J |
| Version 4.9 or 5.0 of BIM-ALERT/VSE | Installing BIM-ALERT/CICS for the first time | COMJCA06.J |
| Version 4.9 or 5.0 of BIM-ALERT/CICS | Installing BIM-ALERT/VSE for the first time | COMJCA36.J |
| Version 4.9 or 5.0 of BIM-ALERT/CICS | Not using or installing BIM-ALERT/VSE | COMJCA46.J |


Take the following steps to convert the online security files to version 5.1 format:

Step Action

4a Retrieve the sample JCL from the member you selected.

4b Tailor the sample JCL as described in the comments in the JCL.

4c Close the online security and control files by issuing the following CICS transaction: CEMT S DAT(ALERTXP S1SCTY) CLO

4d Submit the file conversion jobstream, which does the following:

• The first step in the conversion jobstream creates a new S1SCTY file and then executes program S1C051, which converts information from your old 5.0 S1SCTY file into the new 5.1 S1SCTY file.

• The last step in the conversion jobstream creates a new ALERTXP file and then executes program AXPU051, which converts information from your old 5.0 ALERTXP file into the new 5.1 ALERTXP file.

4e Verify that the jobstream ran to completion.

4f Check the return code from the S1C051 conversion program. Refer to page 3-20 for a list of return codes.

If necessary, review the report produced by the S1C051 conversion program. This report will contain error messages that indicate why the S1SCTY file did not convert completely. Contact BIM Technical Support for assistance.

4g Check the return code from the AXPU051 conversion program. Refer to page 3-20 for a list of return codes. If the conversion failed, contact BIM Technical Support for assistance.

4h Warning!

If you are installing BIM-ALERT into a VSE/ESA 2.4 or later system, and plan to run the Interactive User Interface (IUI) under CICS/TS 1.1, you will need to perform additional steps to convert the S1SCTY security file.

Please refer to the ‘Supporting the IUI Under CICS/TS 1.1’ section on page 3-89 for a complete discussion of the requirements to support the IUI under CICS/TS 1.1.


Return Codes for AXPU051

Program AXPU051 produces the following return code values. The maximum return code value returned determines whether it is safe to continue with the rest of the installation procedure.

| Return Code | Meaning | Action |
|---|---|---|
| 0 | The file conversion was successful. | Proceed with the rest of the installation procedure. |
| 8 | The file conversion was not successful. | Resolve the problem and repeat the conversion before proceeding with the installation. |

Return Codes for S1C051

Program S1C051 produces the following return code values. The maximum return code value returned determines whether it is safe to continue with the rest of the installation procedure.

| Return Code | Meaning | Action |
|---|---|---|
| 0 | The file conversion was successful. No invalid records were found. | Proceed with the rest of the installation procedure. |
| 8 | The file conversion was not successful. | Resolve the problem and repeat the conversion before proceeding with the installation. |


Step 5: Create the Version 5.1 Messages File

You need to take this step if you are converting from version 4.9 of BIM-ALERT/VSE or BIM-ALERT/CICS.

The BIM-ALERT message file S1SMS## contains all of the messages that are generated by BIM-ALERT/CICS and the BIM-ALERT common components. The text of the messages contained in this file can be viewed and modified by the BIM-ALERT/CICS function MMSG.

If you are converting from version 4.9 of BIM-ALERT/CICS but have NOT used the MMSG function to modify any message texts, then you can skip upgrading your current message file. You may initialize a new 5.1 message file as if you were installing BIM-ALERT for the first time. (See COMJCB00.J)

Use the following table to select the appropriate JCL for creating the version 5.1 online message file:

| If you are upgrading from | And you are | Use the JCL in |
|---|---|---|
| Version 4.9 of BIM-ALERT/VSE | Not using or installing BIM-ALERT/CICS | COMJCB00.J |
| Version 4.9 of BIM-ALERT/VSE | Installing BIM-ALERT/CICS for the first time | COMJCB00.J |
| Version 4.9 of BIM-ALERT/VSE | Upgrading from version 4.9 of BIM-ALERT/CICS | COMJCB14.J |

Take the following steps to define and initialize the new online message file:

Step Action

5a Retrieve the sample JCL from member(s) you selected.

5b Tailor the sample JCL as described in the comments in the JCL.

5c Execute the jobstream(s).


Step 6: Create the Version 5.1 Administrator Audit File

You need to take this step if you are converting from version 4.9 of BIM-ALERT/VSE or BIM-ALERT/CICS.

The BIM-ALERT administrator audit file S1SAUDT contains records that track any changes made to the security environment.

If you are converting from version 4.9 of BIM-ALERT you can use the JCL in member COMJCC04.J in the BIM-ALERT residence sublibrary to upgrade this file. If you wish to start with an empty S1SAUDT file, you may initialize a new 5.1 audit file as if you were installing BIM-ALERT for the first time. (See COMJCC00.J)

Take the following steps to upgrade the administrator audit file:

Step Action

6a Retrieve the sample JCL from member COMJCC04.J.

6b Tailor the sample JCL as described in the comments in the JCL.

6c Execute the jobstream.


Step 7: Create the Version 5.1 Log Files

You need to take this step if you are converting from version 4.9 or 5.0 of BIM-ALERT/CICS and do not currently run BIM-ALERT/VSE.

BIM-ALERT uses a VSAM KSDS file for logging and a VSAM ESDS for log file reporting and auditing. These files must be defined before you start up the BIM-ALERT logger.

Because the log file resides in VSAM space, it is not critical to make a precise estimate of logging volume. The sample JCL specifies a primary allocation of 2 cylinders and a secondary allocation of 1 cylinder. This allocation for AXPLOG1 will handle very high levels of logging activity, and should be adequate if you empty the file daily. We recommend that you start with these allocations.

Remember that the volume of log data can vary dramatically with changes to the rules table or the monitor mode startup parameters.

If you use BIM-ALERT in a multiple CPU setting with shared DASD, you cannot share the log files. Define a separate set of log files for each CPU where you use BIM-ALERT.

BIM-ALERT/CICS no longer uses the S1SECLG security log file. Log records generated by BIM-ALERT/CICS will now be handled by the BIM-ALERT logger facility. The logger facility is shared with BIM-ALERT/VSE.

If you do not currently run BIM-ALERT/VSE, or do not have the BIM-ALERT/VSE logger facility active, you will need to start up the logger before any of the BIM-ALERT/CICS log records will be recorded.

Please refer to Chapter 6, BIM-ALERT Operation, for information about activating and using the BIM-ALERT logger facility.

Take the following steps to define the log files:

Step Action

7a Retrieve the sample JCL from member COMJCF30.J.

7b Tailor the sample JCL as described in the comments in the JCL.

7c Execute the jobstream.


Step 8: Update IPL, BG, and F1 ASI Procedures

You need to take this step if you are converting from version 4.9 or 5.0 of BIM-ALERT/VSE or BIM-ALERT/CICS.

In this step, you will make the necessary changes to your IPL, BG, and F1 ASI procedures to support the BIM-ALERT 5.1 security environment.

Take the following steps to update your IPL, BG, and F1 ASI procedures if you are installing into a VSE/ESA 2.3 environment:

Step Action

1 If installing BIM-ALERT/VSE, you must activate VSE Access Control. Add a SYS SEC=YES command to your IPL procedure:

SYS SEC=YES

If you are not planning to activate BIM-ALERT/VSE, you should set the SYS SEC= IPL parameter to NO:

SYS SEC=NO

2 If installing BIM-ALERT/VSE for the first time or installing only BIM-ALERT/CICS, skip this step. This step only applies to users upgrading from an earlier release of BIM-ALERT/VSE.

In the BG ASI procedure, locate the step where BIM-ALERT/VSE is activated. The activation program has changed to ALRT001. Change the BIM-ALERT/VSE activation program name from AXPI1 to ALRT001.

ALRT001 requires a control card that defines which components of BIM-ALERT to initialize and activate. If you currently have a MODE=ACTIV control card after the execute of AXPI1, remove this card and replace it with the MODE=(INIT,cccccccc) card as described in the next step. If any other AXPI1 control file override cards are present after the MODE=ACTIV control card, these cards should now follow the MODE=(INIT,cccccccc) card.


3 This step applies to both BIM-ALERT/VSE and BIM-ALERT/CICS installations.

Add the BIM-ALERT initialization and startup JCL to the $0JCL procedure.

Place the startup JCL ahead of the START command for the POWER partition so that BIM-ALERT is active before each partition is PSTARTed.

It is also recommended that you start up BIM-ALERT prior to other products normally started in your BG ASI procedure.

ALRT001 accepts a single control card. The card is in the format:

MODE=(INIT,cccccccc)

Where ‘cccccccc’ will contain one of the following values:

| Value | Meaning |
|---|---|
| BIMALERT | Initialize the security environment for both BIM-ALERT/VSE and BIM-ALERT/CICS, and initiate the BIM-ALERT/VSE product activation process. |
| ALTVONLY | Initialize and activate only the BIM-ALERT/VSE security environment. |
| ALTCONLY | Initialize only the BIM-ALERT/CICS security environment. BIM-ALERT/CICS will be fully activated when the CICS partition(s) are brought up. |

Example:

// EXEC PROC=AXPPROC,LIBDEF=NO
// EXEC ALRT001
MODE=(INIT,ALTCONLY) INITIALIZE BIM-ALERT/CICS ONLY
/*

This will cause only the BIM-ALERT/CICS environment to be initialized.

Be sure the /* JCL statement is in the job to signal the end of the SYSIPT statements. The /* JCL statement is required even if there are no SYSIPT statements. Program ALRT001 will attempt to read control statements until it finds the /* JCL statement. If the /* JCL statement is not present, none of the commands after EXEC ALRT001 will execute.

Make sure that you add the BIM-ALERT sublibrary to the LIBDEF statement in $0JCLSEC.

The JCL you add to the $0JCL procedure and to the logger partition's procedure executes AXPPROC. Be sure that the DATA= parameter of AXPPROC and that of any procedure where it is executed are the same. AXPPROC is normally cataloged with DATA=YES.


4 This step applies to both BIM-ALERT/VSE and BIM-ALERT/CICS installations.

BIM-ALERT/CICS now uses the logger facility that is provided with BIM-ALERT/VSE. If you currently run the BIM-ALERT/VSE logger, you will need to update the logger startup to use the new logger program names.

If you want the BIM-ALERT logger to run in the POWER partition, continue with this step. If you want it to run in a separate partition, go to Step 5.

Add the logger startup JCL to the POWER partition's $xJCL procedure. A sample of this JCL is cataloged in the BIM-ALERT residence sublibrary in member COMJCF40.J, and is shown below. Replace your // EXEC power phase with the // EXEC ALRTL9 statement.

// EXEC PROC=AXPPROC,LIBDEF=NO
// EXEC ALRTL9,SIZE=nnK,PARM='xxxxxxxx'
(Insert POWER startup commands after EXEC ALRTL9)

Make sure that you add the BIM-ALERT sublibrary to the LIBDEF statement in the POWER partition's $xJCL procedure.

If you currently use a SIZE parameter on the POWER startup EXEC statement, use the same value in the // EXEC ALRTL9 statement. If you do not currently use a SIZE parameter on the POWER startup // EXEC statement, you don't need one for ALRTL9 either. Finally, insert the name of your POWER phase (the one currently being executed in your POWER partition ASI) in the PARM= operand of the // EXEC ALRTL9 statement.

Do not comment out your EXEC card. POWER does not allow comment cards before the FORMAT= card.

The logger requires less than 2K of partition area and about 80K of partition GETVIS area. Unless your POWER partition currently has a lot of extra GETVIS area, you will probably need to increase the size of the POWER partition's GETVIS area by modifying the ALLOC command for the POWER partition. The ALLOC commands are all contained in the $0JCL procedure. Leave the POWER partition's SIZE command the same. With the increased amount on the ALLOC command, this results in a larger GETVIS area. Notice that increasing the POWER partition's ALLOC may require decreasing some other partition's ALLOC.

The logger must be active for BIM-ALERT to record violation data in the log file and on the system operator console.

5 If you decide to run the logger in a dedicated partition instead of the POWER partition, add the logger startup JCL to that partition's procedure. Or you may simply submit a jobstream with the logger startup JCL into the desired partition with the DISP=L, and add a PRELEASE statement to the $0JCL procedure to release this job as soon as Power has initialized. A sample of this JCL is shown in member COMJCF40.J, which is cataloged in the BIM-ALERT residence sublibrary.

6 Catalog the updated IPL, BG, and F1 ASI procedures to IJSYSRS.


Take the following steps to update your IPL and BG ASI procedures if you are installing into a VSE/ESA 2.4 or later environment:

Step Action

1 If installing BIM-ALERT/VSE, you must activate VSE Access Control. Add a SYS SEC=YES command to your IPL procedure:

SYS SEC=YES

If you are not planning to activate BIM-ALERT/VSE, you should set the SYS SEC= IPL parameter to NO:

SYS SEC=NO

2 Under VSE/ESA 2.4 and later, there is a new IPL parameter to specify the External Security Manager (ESM) initialization program. The BIM-ALERT 5.1 ESM initialization program ALRT001 is used by both BIM-ALERT/VSE and BIM-ALERT/CICS. Add a SYS ESM= command to your IPL procedure:

SYS ESM=ALRT001

3 In the BG ASI procedure provided by IBM, locate the execution of the Basic Security Manager (BSM) initialization program BSSINIT.

During the BG ASI process, the BSSINIT program will pass control to the ESM initialization program that was specified in the SYS ESM= IPL parameter. After BIM-ALERT’s ESM initialization program ALRT001 gets control, it will read a control card from SYSIPT to determine which components of BIM-ALERT need to be initialized and/or activated.

ALRT001 accepts only a single control card. The card is in the format:

MODE=(INIT,cccccccc)

Where ‘cccccccc’ will contain one of the following values:

| Value | Meaning |
|---|---|
| BIMALERT | Initialize the ESM environment for both BIM-ALERT/VSE and BIM-ALERT/CICS, and initiate the BIM-ALERT/VSE product activation process. |
| ALTVONLY | Initialize and activate only the BIM-ALERT/VSE security environment. |
| ALTCONLY | Initialize only the BIM-ALERT/CICS security environment. BIM-ALERT/CICS will be fully activated when the CICS partition(s) are brought up. |

Example:

// EXEC BSSINIT INITIALIZE BSM/ESM ENVIRONMENT
MODE=(INIT,ALTCONLY)
/*

This will cause only the BIM-ALERT/CICS environment to be initialized.


4 Several of the IBM-supplied JCL procedures ($1JCLxx, $2JCLxx, etc.) include an execute card for the BSSINIT program in each partition start-up. BIM-ALERT does not require BSSINIT to be run in any partition except BG.

Review the JCL procedures you are using, and verify that the BSSINIT program is being executed only in the $0JCL procedure.

5 This step applies to both BIM-ALERT/VSE and BIM-ALERT/CICS installations.

BIM-ALERT/CICS now uses the logger facility that is provided with BIM-ALERT/VSE. If you currently run the BIM-ALERT/VSE logger, you will need to update the logger startup to use the new logger program names.

If you want the BIM-ALERT logger to run in the POWER partition, continue with this step. If you want it to run in a separate partition, go to Step 5.

Add the logger startup JCL to the POWER partition's $xJCL procedure. A sample of this JCL is cataloged in the BIM-ALERT residence sublibrary in member COMJCF40.J, and is shown below. Replace your // EXEC power phase with the // EXEC ALRTL9 statement.

// EXEC PROC=AXPPROC,LIBDEF=NO
// EXEC ALRTL9,SIZE=nnK,PARM='xxxxxxxx'
(Insert POWER startup commands after EXEC ALRTL9)

Make sure that you add the BIM-ALERT sublibrary to the LIBDEF statement in the POWER partition's $xJCL procedure.

If you currently use a SIZE parameter on the POWER startup EXEC statement, use the same value in the // EXEC ALRTL9 statement. If you do not currently use a SIZE parameter on the POWER startup // EXEC statement, you don't need one for ALRTL9 either. Finally, insert the name of your POWER phase (the one currently being executed in your POWER partition ASI) in the PARM= operand of the // EXEC ALRTL9 statement.

Do not comment out your EXEC card. POWER does not allow comment cards before the FORMAT= card.

The logger requires less than 2K of partition area and about 80K of partition GETVIS area. Unless your POWER partition currently has a lot of extra GETVIS area, you will probably need to increase the size of the POWER partition's GETVIS area by modifying the ALLOC command for the POWER partition. The ALLOC commands are all contained in the $0JCL procedure. Leave the POWER partition's SIZE command the same. With the increased amount on the ALLOC command, this results in a larger GETVIS area. Notice that increasing the POWER partition's ALLOC may require decreasing some other partition's ALLOC.

The logger must be active for BIM-ALERT to record violation data in the log file and on the system operator console.


6 If you decide to run the logger in a dedicated partition instead of the POWER partition, add the logger startup JCL to that partition's procedure. Alternatively, you may simply submit a jobstream with the logger startup JCL into the desired partition with DISP=L, and add a PRELEASE statement to the $0JCLSEC procedure to release this job as soon as POWER has initialized. A sample of this JCL is shown in member COMJCF40.J, which is cataloged in the BIM-ALERT residence sublibrary.

7 Catalog the updated IPL, BG, and F1 ASI procedures to IJSYSRS.

Step 9: Update CICS Table Entries

Do You Need to Take This Step?

You need to take this step if you are converting from version 4.9 or 5.0 of BIM-ALERT/VSE or BIM-ALERT/CICS.

About This Step

In this step, you add entries for BIM-ALERT/VSE and BIM-ALERT/CICS to various CICS tables. You must add entries for BIM-ALERT/VSE's ICCF submittal monitor and for BIM-ALERT's ALXP and SCTY transactions.

WARNING!

There have been many changes to the required PCT, PPT, and FCT entries for version 5.1 of BIM-ALERT/VSE and BIM-ALERT/CICS. To ensure that the security menu panels will work correctly, you must update your CICS tables with the new copybooks or RDO entries that are discussed below.

Current Users

If you added the PLTPI entry during a previous installation of BIM-ALERT/VSE or BIM-ALERT/CICS, you do not need to add it again.

Step 9a: Add Entries for the ICCF Submittal Monitor

BIM-ALERT/VSE's ICCF submittal monitor is activated by executing program AXPHI7D in the CICS PLTPI. Program AXPHI7D starts transaction AX7C, which waits for ICCF and BIM-ALERT/VSE to become active, and then initializes the BIM-ALERT/VSE submittal monitor for ICCF.

Program AXPHI7D, transaction AX7C, and several related programs and transactions are required in the CICS partition where you run ICCF. If you added the entries for these items during a previous installation of BIM-ALERT/VSE, you do not need to add them again. Otherwise, take the following steps for the CICS partition where you run ICCF:

Step Action

1 Add the following entry to the PLTPI assembly for the CICS where you run ICCF:

DFHPLT TYPE=ENTRY,PROGRAM=AXPHI7D

2 Assemble and catalog the PLTPI phase.

3 If you run ICCF in a different partition from the one where you run the BIM-ALERT transaction ALXP, add the following entries to the ICCF partition's PCT and PPT and then re-assemble those tables. You can skip to step 3 if you run ICCF and ALXP in the same CICS partition, because these entries will be added in Step 8b, below.

PPT Entries         PCT Entries

PROGRAM=AXPHI7A     TRANSID=AX7A
PROGRAM=AXPHI7B     TRANSID=AX7B
PROGRAM=AXPHI7C     TRANSID=AX7C
PROGRAM=AXPHI7D
PROGRAM=A1MHI7A

Refer to JCL members AXPPPT.A and AXPPCT.A for the complete contents of these PPT and PCT entries.

4 If you took Step 3 above, assemble and catalog the PCT and PPT tables for the ICCF partition.

Step 9b: Add Entries for the ALXP and SCTY Transactions

BIM-ALERT requires entries in the CICS PPT, PCT, and FCT tables. You can incorporate these entries into your existing CICS tables in one of the following ways:

• Add the BIM-ALERT entries to your existing assembly jobstreams for these tables.

• Use RDO to update your CICS entries.

Requirement: Under CICS/VSE 2.3, you must add the FCT entries to your existing assembly job. In the CICS/TS 1.1 environment, you will need to use RDO.

Adding Entries to Your Existing Assembly Jobstreams

The BIM-ALERT residence sublibrary includes members that contain macro definition entries for BIM-ALERT's PPT, PCT, and FCT entries. The members you should add to your assembly jobstreams depend on whether you are also running BIM-ALERT/VSE, BIM-ALERT/CICS, or both.

If you are running                      Add these COPY statements to your jobstreams

BIM-ALERT/VSE and BIM-ALERT/CICS        COPY ALERTPCT
                                        COPY ALERTPPT
                                        COPY ALERTFCT

BIM-ALERT/VSE but not BIM-ALERT/CICS    COPY AXPPCT
                                        COPY AXPPPT
                                        COPY AXPFCT
                                        COPY COMMFCT
                                        COPY COMMPCT
                                        COPY COMMPPT

BIM-ALERT/CICS but not BIM-ALERT/VSE    COPY ALRTPCT
                                        COPY ALRTPPT
                                        COPY ALRTFCT
                                        COPY COMMFCT
                                        COPY COMMPCT
                                        COPY COMMPPT

Be certain to reference the 5.1 BIM-ALERT sublibrary in the LIBDEF SEARCH statement, so that the proper version of these members will be included.

If You Are Installing BIM-ALERT/CICS

If you are installing BIM-ALERT/CICS, you should do one of the following before you reassemble and re-catalog the CICS tables:

• Change the name of the program specified for both the CSSN and CSSF entries in the PCT to be PROGRAM = S1S610 before the PCT is reassembled.

• Ensure that the copy book ALRTPCT is copied into the PCT assembly jobstream before the group FN=SIGNON. Do not remove FN=SIGNON from your PCT or PPT tables.

After You Add the Entries

After you add the entries, reassemble and re-catalog the CICS tables.

Using RDO to Update Your CICS Entries

The BIM-ALERT residence sublibrary contains sample jobstreams that include the DFHCSDUP control statements to define the PCT and PPT entries required by BIM-ALERT/VSE and BIM-ALERT/CICS. The control statements to define the required FCT entries are also included for the CICS/TS 1.1 environment.

Procedure

Take the following steps to define the BIM-ALERT PPT and PCT table entries in the CICS Resource Definition file DFHCSD:

Step Action

1 Retrieve the proper sample job stream for your environment:

For CICS/VSE 2.3, use COMJCE02.J
For CICS/TS 1.1, use COMJCE04.J

2 Tailor the sample JCL as described in the comments in the JCL.

3 Execute the job stream.

For More Information About DFHCSDUP

For more information about using DFHCSDUP, refer to the IBM manual CICS Resource Definition (ONLINE).
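For the macro-assembly route described above, the COPY members required per product combination and the ALRTPCT / FN=SIGNON rule can be checked on a copy of the table sources before they are reassembled. The following is an added example, not code from the guide or from BIM-ALERT: the function names and the sample sources are constructed for illustration, and it assumes all three tables are macro-assembled (the CICS/VSE 2.3 route) with standard assembler columns (comment mark in column 1, continuation mark in column 72).

```python
import re

# COPY members the guide lists per product combination (macro-assembled tables).
REQUIRED = {
    frozenset({"VSE", "CICS"}): {"ALERTPCT", "ALERTPPT", "ALERTFCT"},
    frozenset({"VSE"}): {"AXPPCT", "AXPPPT", "AXPFCT",
                         "COMMFCT", "COMMPCT", "COMMPPT"},
    frozenset({"CICS"}): {"ALRTPCT", "ALRTPPT", "ALRTFCT",
                          "COMMFCT", "COMMPCT", "COMMPPT"},
}
COPY_RE = re.compile(r"^\S*\s+COPY\s+([A-Z0-9$#@]+)", re.I)
FN_RE = re.compile(r"\bFN=\(?([A-Z0-9,]+)", re.I)
KEYWORD_RE = re.compile(r"\b(TYPE|TRANSID|PROGRAM)=([A-Z0-9$#@]+)", re.I)


def statements(source):
    """Yield (first_line_no, text) for each assembler statement.

    Lines with * or / in column 1 (comments, JCL) are skipped; a non-blank
    column 72 continues the statement on the next line.
    """
    buf, start = "", 0
    for no, raw in enumerate(source.splitlines(), 1):
        if not buf and raw.startswith(("*", "/")):
            continue
        if not buf:
            start = no
        body = raw[:71].rstrip()
        buf += body.lstrip() if buf else body
        if len(raw) > 71 and raw[71] != " ":
            continue  # continuation mark: keep accumulating
        yield start, buf
        buf = ""


def scan(source):
    """Return (copies, groups, entries) for one table assembly source.

    copies/groups map a name to the line where it first appears; entries maps
    a TRANSID to the PROGRAM coded on its explicit TYPE=ENTRY statement.
    """
    copies, groups, entries = {}, {}, {}
    for no, text in statements(source):
        m = COPY_RE.match(text)
        if m:
            copies.setdefault(m.group(1).upper(), no)
            continue
        kw = {k.upper(): v.upper() for k, v in KEYWORD_RE.findall(text)}
        if kw.get("TYPE") == "GROUP":
            m = FN_RE.search(text)
            for fn in (m.group(1).upper().split(",") if m else []):
                if fn:
                    groups.setdefault(fn, no)
        elif kw.get("TYPE") == "ENTRY" and "TRANSID" in kw:
            entries[kw["TRANSID"]] = kw.get("PROGRAM")
    return copies, groups, entries


def check_tables(sources, products):
    """Check {"PCT"|"PPT"|"FCT": source} against the guide; return findings."""
    required = REQUIRED[frozenset(products)]
    scanned = {table: scan(text) for table, text in sources.items()}
    present = set().union(*(s[0] for s in scanned.values()))
    findings = [f"missing COPY {m}" for m in sorted(required - present)]
    # The guide states the sign-on rules in terms of ALRTPCT, so they are
    # applied only when that member is the one required.
    if "ALRTPCT" in required:
        for table in ("PCT", "PPT"):
            if table in scanned and "SIGNON" not in scanned[table][1]:
                findings.append(f"{table}: group FN=SIGNON has been removed")
        copies, groups, entries = scanned.get("PCT", ({}, {}, {}))
        if "SIGNON" in groups:
            by_order = copies.get("ALRTPCT", groups["SIGNON"]) < groups["SIGNON"]
            by_program = all(entries.get(t) == "S1S610" for t in ("CSSN", "CSSF"))
            if not (by_order or by_program):
                findings.append("PCT: COPY ALRTPCT must precede FN=SIGNON, or "
                                "CSSN and CSSF must specify PROGRAM=S1S610")
    return findings


# Constructed sample sources (not from the guide): ALRTPCT is copied after
# FN=SIGNON, COMMPPT is missing, and no FCT assembly is supplied.
SAMPLE_PCT = """\
* PCT ASSEMBLY (CONSTRUCTED SAMPLE)
         DFHPCT TYPE=INITIAL,SUFFIX=A1
         DFHPCT TYPE=GROUP,FN=(STANDARD,SIGNON)
         COPY  ALRTPCT
         COPY  COMMPCT
         DFHPCT TYPE=FINAL
         END
"""
SAMPLE_PPT = """\
         DFHPPT TYPE=INITIAL,SUFFIX=A1
         DFHPPT TYPE=GROUP,FN=SIGNON
         COPY  ALRTPPT
         DFHPPT TYPE=FINAL
         END
"""

if __name__ == "__main__":
    for finding in check_tables({"PCT": SAMPLE_PCT, "PPT": SAMPLE_PPT}, {"CICS"}):
        print(finding)
```

Under CICS/TS 1.1 the FCT entries are defined through RDO, so a missing FCT member reported by this check is expected there.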

Step 10: Update Optional CICS Table Entries

Do You Need to Take This Step?

If you are not running BIM-ALERT/CICS, you may skip to Step 19. If you are running BIM-ALERT/CICS, this step is optional.

Special Supplied Copy Book Members

Special copybook members have been provided to help you customize BIM-ALERT/CICS to your installation. The following are three of those members:

• ALRTPCTL contains BIM-ALERT/CICS transactions in lower case.

• ALRTPCTO contains optional transactions available in BIM-ALERT/CICS.

• ALRTFCTM contains entries used in remote CICS partitions in an MRO environment. In an MRO environment the audit, message, and security files (S1SAUDT, S1SMS##, and S1SCTY) must be defined as local in one FCT and remote in the other FCTs in the complex to allow the files to be updated from all CICSs in the MRO complex. Copy ALRTFCT.A and COMMFCT.A into the local partition's FCT assembly. Edit ALRTFCTM to include the SYSIDNT of the local region, and then copy ALRTFCTM.A into the remote partition's FCT assemblies.

All normal BIM-ALERT/CICS functions can be performed if you copy the un-suffixed table of the proper type. For example, ALRTPCT, ALRTPPT, ALRTFCT, COMMPPT, and COMMFCT are for the normal system.

The various members contain additional information that should help you decide if you need to include them in the table or not.

Step 11: Adjust the Size of the CSA Common Work Area

Do You Need to Take This Step?

If you are not running BIM-ALERT/CICS, you may skip this step.

About This Step

BIM-ALERT/CICS reserves the last 64 bytes of the common work area (CWA) portion of the CSA for security processing. In this step you make sure that the size of the CWA meets the requirements of BIM-ALERT/CICS.

Procedure

Check the size specified in the WRKAREA= parameter of the system initialization table (SIT) to ensure that the last 64 bytes are available for use by BIM-ALERT/CICS only. If the WRKAREA= parameter has not been specified or if it does not allow for the extra 64 bytes, change the WRKAREA= size and reassemble the SIT. (This parameter can also be specified as a system override during CICS initialization.)

WARNING!

If the CWA is also to be used by other systems, always ensure that the last 64 bytes are reserved for use by BIM-ALERT/CICS only. If this area is not available or is overlaid by other processing, CICS may cancel.

Step 12: Add SET SDL Entries for MRO Control Modules

Do You Need to Take This Step?

You can skip this step if one or more of the following is true:

• You are not installing BIM-ALERT/CICS in an MRO environment.

• You already have entries for the BIM-ALERT/CICS control modules S1SCNTR1-S1SCNTR9 in the SET SDL entries in the ASI procedure.

• You do not want to build MRO security tables in the SVA.

About This Step

To support the MRO environment, BIM-ALERT/CICS uses nine special control modules. These modules are cataloged as SVA eligible and are named S1SCNTR1 through S1SCNTR9. You must add these nine entries to the SET SDL entries in the ASI procedure.

Procedure

Use the following format to add entries for MRO control modules to the SET SDL entries in the ASI procedure:

S1SCNTR1,SVA BIM-ALERT/CICS MRO CONTROL MODULE

S1SCNTR2,SVA BIM-ALERT/CICS MRO CONTROL MODULE

S1SCNTR3,SVA BIM-ALERT/CICS MRO CONTROL MODULE

. .

. .

. .

S1SCNTR8,SVA BIM-ALERT/CICS MRO CONTROL MODULE

S1SCNTR9,SVA BIM-ALERT/CICS MRO CONTROL MODULE

Temporarily Loading MRO Control Modules Without an IPL

You can take the following steps to immediately load the BIM-ALERT/CICS MRO control modules into the SVA without an IPL. A sample SET SDL jobstream can be found in the BIM-ALERT residence library in member ALRTSDL.J.

Step Action

12a Run a job that contains a // PAUSE statement in the BG partition.

12b Do the following from the console: Enter the SET SDL command. Enter the list of modules to be loaded into the SVA.

The modules must be in a sublibrary in the search chain for BG for this to be successful.

Additional Information

For additional information about running BIM-ALERT/CICS in an MRO environment, please refer to the “Implementation Notes for BIM-ALERT/CICS” section in Chapter 6.

Step 13: Shut Down CICS

Do You Need to Take This Step?

If you are not running BIM-ALERT/CICS, you may skip this step.

About This Step

It is necessary to restart CICS after installation of BIM-ALERT/CICS, so it is better to shut CICS down normally prior to performing the following updates to avoid any problems with the files being open and so on.

Step 14: Reassemble User Exits

Do You Need to Take This Step?

If you do not use BIM-ALERT/CICS user exits, you can skip this step.

Verify LIBDEFs Are Correct

Some of the copy books used by BIM-ALERT/CICS have changed due to the changes outlined in this document. Make sure the new install library is first in the search chain to ensure that the new copy books are located and brought into the programs.

Step 15: Reassemble Post Sign-On Programs

Do You Need to Take This Step?

If you do not use any BIM-ALERT/CICS operator or terminal post-sign-on programs that extract information from the BIM-ALERT/CICS operator or terminal tables, then you can skip this step.

Procedure

If you use any operator or terminal post-sign-on programs that extract information from the BIM-ALERT/CICS operator or terminal tables, you must reassemble these before initializing BIM-ALERT.

The source for program U1S610 (which is provided) can be used as an example for gaining addressability to the BIM-ALERT tables.

Step 16: Reassemble Parameter-Driven Sign-On Programs

Do You Need to Take This Step?

If you do not use any BIM-ALERT/CICS parameter-driven sign-on or sign-off programs, you can skip this step.

Procedure

If you use parameter-driven sign-on or sign-off programs, reassemble them as explained in the section on parameter-driven sign-on and sign-off processing in the BIM-ALERT/CICS Security Administrator's Guide.

Step 17: Reassemble Custom Versions of S1S611 and S1S601

Do You Need to Take This Step?

If you do not have your own versions of S1S611 or S1S601, you can skip this step.

Procedure

Reassemble the sign-on programs S1S611 and S1S601 so that they obtain updated versions of the BIM-ALERT/CICS copybooks.

Step 18: Remove BIM-ALERT/CICS from the PLT Startup

Do You Need to Take This Step?

If you are not running BIM-ALERT/CICS, you may skip this step.

About This Step

You should always try starting up BIM-ALERT/CICS manually the first time a new release is installed. After the system has been successfully initialized via the UCOP transaction, you can put it back in the PLT for the next startup.

Step 19: Update Your JCLLUSEX List

Do You Need to Take This Step?

If you are not running BIM-ALERT/VSE, please skip to Step 25.

For Further Information

For an explanation of $JOBEXIT processing under version 1.2 or higher of VSE/ESA and guidelines for managing $JOBEXIT, refer to page 6-41.

Sample JCL

Refer to the JCL examples in AXPJCL80.J in the BIM-ALERT sublibrary for sample jobstreams for updating your JCLLUSEX list.

Procedures If You're Converting from Version 4.9 or Above

If Multiple Versions of BIM-ALERT Do Not Share IJSYSRS

If you're converting from version 4.9 or above, but not installing version 5.1 into a shared IJSYSRS setting where some of the shared systems will continue to run an older version of BIM-ALERT, take the following steps to add BIM-ALERT's $JOBEXIT phase to your JCLLUSEX list. The member AXPJCL80.J in the BIM-ALERT sublibrary contains JCL for use in this procedure.

Step Action

19a Examine the assembly listing for your JCLLUSEX list to determine the name that you previously assigned to BIM-ALERT's $JOBEXIT phase. In the remainder of this procedure, this is referred to as $JOBEX0n.

19b Copy AXPHJ3.PHASE from the BIM-ALERT sublibrary to PRD2.SAVE.

19c Rename AXPHJ3.PHASE to $JOBEX0n.PHASE in PRD2.SAVE.

19d Copy $JOBEX0n.PHASE from PRD2.SAVE into IJSYSRS.SYSLIB.

If Multiple Versions of BIM-ALERT Share IJSYSRS

If you're converting from an older version of BIM-ALERT and installing version 5.1 into a shared IJSYSRS setting where some of the shared systems will continue to run an older version of BIM-ALERT, take the following steps to add the BIM-ALERT 5.1 $JOBEXIT phase to your JCLLUSEX list. The member AXPJCL80.J in the BIM-ALERT sublibrary contains JCL for use in this procedure.

Step Action

19a Examine the assembly listing for your JCLLUSEX list to determine the name that you previously assigned to BIM-ALERT's $JOBEXIT phase. In the remainder of this procedure, this phase is referred to as $JOBEX0a.

Determine an entry number (1 - 9) that you have not previously assigned to a $JOBEXIT phase or a dummy phase. Assign this number to the BIM-ALERT/VSE version 5.1 $JOBEXIT phase. In the remainder of this procedure, this phase is referred to as $JOBEX0b.

19b Copy AXPHJ3.PHASE from the BIM-ALERT 5.1 sublibrary into PRD2.SAVE.

19c Rename AXPHJ3.PHASE to $JOBEX0b.PHASE in PRD2.SAVE, where b is a number from 1 to 9 not currently used in your JCLLUSEX list.

It is recommended that you do not replace b with 0 because certain other programs dynamically use $JOBEX00 without explicitly placing it in the JCLLUSEX list.

19d Apply patch AO49003 to $JOBEX0b.PHASE in PRD2.SAVE. You can find patch AO49003 in job step AXP8070 in member AXPJCL80.J in the BIM-ALERT sublibrary.

19e Copy $JOBEX0b.PHASE from PRD2.SAVE into IJSYSRS.SYSLIB.

19f Assemble and catalog the JCLLUSEX list into PRD2.SAVE as $JOBEXIT.PHASE.

19g Copy the new $JOBEXIT.PHASE into IJSYSRS.SYSLIB.

19h Update your $SVA0000 load list to include an entry for JOBEX0b.

19i Add JCL for executing program AXPU3 to the BIM-ALERT startup JCL on those systems where you will run version 5.1.

This step disables $JOBEX0a (the older BIM-ALERT exit) and enables $JOBEX0b (the new exit) on 5.1 systems.

If You Receive Message ALV031E

If you are certain that you have performed these steps properly, and you receive the following message when you activate BIM-ALERT, check to see if Job Control has disabled your exit list.

ALV031E AXPHJ3 Not Active In JCLLUSEX.

Refer to page 6-38 for information about why Job Control might disable your exit list.

Step 20: Verify IJSYSRS.SYSLIB Standard Label

Do You Need to Take This Step?

If you are not running BIM-ALERT/VSE, you may skip this step.

About This Step

If no label for the System Residence Library (IJSYSRS) is present in the standard label area, the VSE/Librarian skips certain sublibrary level authorization checks for IJSYSRS. In this step, you ensure that these are made for IJSYSRS by verifying that you have a label for IJSYSRS in the standard label area.

Procedure

Execute the following JCL to determine whether your standard label area contains a label for IJSYSRS:

// JOB LSERV

// EXEC LSERV,PARM='STDLABEL'

/&

Examine the printout from this job. If you do not find an entry for IJSYSRS, add a DLBL for IJSYSRS to your standard label load procedure. Execute the following JCL:

// JOB LVTOC

// ASSGN SYS005,PRINTER

// ASSGN SYS004,SYSRES

// EXEC LVTOC

/&

Examine the printout from this job and locate the information for the IJSYSRS file. For CKD devices this file starts on track 1. For FBA devices this file starts on block 20 (pre-ESA) or 130 (ESA). Add a DLBL for IJSYSRS to your standard label area, specifying the file name from the LVTOC printout.

For More Information

For more information about the LSERV program and the LVTOC program, refer to IBM manual VSE/ESA System Utilities.

Step 21: Activate Submittal Monitors and Security Exits

Do You Need to Take This Step?

If you are not running BIM-ALERT/VSE, you may skip this step.

Procedure

Perform the following tasks before you activate BIM-ALERT/VSE version 5.1:

Task                                             Page Explained

Activate BIM-ALERT/VSE's submittal monitors.     5-4
Install required security exits.                 5-40

Step 22: Verify IJSYSRS Phases

Do You Need to Take This Step?

If you are not running BIM-ALERT/VSE, you may skip this step.

Procedure

Follow the procedure described on page 6-32 to verify the BIM-ALERT/VSE phases in IJSYSRS.SYSLIB.

Step 23: Convert Rules Tables to 5.1 Format

Do You Need to Take This Step?

If you are not running BIM-ALERT/VSE, you may skip this step.

If There Were Invalid Records in Your Rules Table

If you received messages indicating that some records were not completely converted to 5.1 format during Step 3 or Step 4, you must make any necessary corrections to those records using the online component of BIM-ALERT/VSE, which runs under CICS as the transaction ALXP. You must terminate and restart the CICS where you run ALXP in order to access the 5.1 online component of BIM-ALERT/VSE.

At this point, you can do one of the following:

• Make corrections to records that were not completely converted now by taking the following steps:

Step Action

1 Terminate the CICS where you run the ALXP transaction and restart with version 5.1 of the ALXP transaction.

2 Make necessary corrections to the invalid records listed by the conversion program.

• Defer making corrections to records that were not completely converted until you have performed an IPL and activated version 5.1. If you choose this option, be aware that until you make the necessary corrections some operations that depend on user profile information may be disrupted to the extent that your user profile information remains incomplete. You can start BIM-ALERT in monitor mode to ensure that your system initializes without disruption.

Procedure

Take the following steps to convert your rules table phases for version 5.1. Although you must convert the rules table that you plan to use when you first activate version 5.1, it is not necessary to convert all your rules tables at this time.

Step Action

23a Retrieve the sample JCL from member AXPJCLB1.J in the BIM-ALERT residence sublibrary.

23b If you installed version 5.1 into the same sublibrary where you had installed the previous version of BIM-ALERT/VSE, execute the sublibrary backup step that is included in AXPJCLB1.J. This safeguard will simplify retrieval of the pre-5.1 versions of your rules tables if you decide to revert to the previous version of BIM-ALERT/VSE.

23c Tailor the sample JCL as described in comments in the JCL. This JCL is similar to the JCL that you submit using the ALXP CALR screen to assemble and catalog a rules table.

The JCL executes AXPPROC. Be certain that you have modified AXPPROC to reference the 5.1 sublibrary and the 5.1 security files.

23d Execute the AXPB120 job from AXPJCLB1 once for each rules table that you want to convert, each time specifying a different table number and table phase name in the JCL.

Step 24: Assemble the Network Submittal Table

Do You Need to Take This Step?

If you are not running BIM-ALERT/VSE, you may skip this step.

About This Step

In order to fully activate version 5.1, you must assemble the network submittal table using the online component of BIM-ALERT/VSE, which runs under CICS as the transaction ALXP.

The data for the network submittal table is stored in the ALERTXP file. In this step, you create the assembled table (AXPHI4A) that BIM-ALERT/VSE loads into the SVA to monitor network job submittals.

At this point, you can do one of the following:

• Assemble the network submittal table now. If you terminated and restarted the CICS where you run ALXP in Step 22, you should assemble the network submittal table now. Take the following steps to immediately assemble the network submittal table:

Step Action

1 Access the Network Submittal Control panel in the online component of version 5.1.

2 Select ASSEMBLE and CATALOG.

3 Press ENTER.

• Defer assembling the network submittal table until you have performed an IPL and activated version 5.1.

Step 25: Perform an IPL to Activate BIM-ALERT 5.1

Do You Need to Take This Step?

You need to take this step if you are converting from version 4.9 or 5.0 of BIM-ALERT/VSE or BIM-ALERT/CICS.

About This Step

An IPL is necessary to activate version 5.1. Do not attempt to deactivate and reactivate without an IPL.

Installation Procedure for a New Installation

Introduction

This section describes the steps necessary to install BIM-ALERT/VSE and BIM-ALERT/CICS. You should follow these steps if you are not currently running BIM-ALERT/VSE or BIM-ALERT/CICS.

Prerequisite

You must complete the procedures outlined in Chapters 1 and 2 before performing the steps listed below.

Procedure

If you are not currently running any version of BIM-ALERT/VSE or BIM-ALERT/CICS, perform the following steps:

Step Action

1 Verify that BIM-ALERT VSAM cluster names do not conflict.

2 Define an extent for BIM-ALERT's rules assembly work file.

3 Catalog the AXPPROC procedure.

4 Define and initialize the log files.

5 Define and initialize the control file.

6 Define and initialize the online security files.

7 Define and initialize the message file.

8 Define and initialize the audit file.

9 Add LIBDEF and DLBLs to CICS partition startup.

10 Catalog New IPL, BG, and F1 ASI Procedures

11 Add BIM-ALERT entries to your CICS tables.

12 Add optional BIM-ALERT/CICS entries.

13 Adjust the size of the CSA common work area.

14 Add SET SDL entries for BIM-ALERT/CICS MRO control modules.

15 BIM-ALERT/CICS PLT Entries.

16 Add BIM-ALERT's $JOBEXIT phase to your JCLLUSEX list.

17 Verify the standard label for your system residence library (IJSYSRS.SYSLIB).

18 Trial IPL with the SEC IPL procedure.

19 Catalog a new $ASIPROC master procedure.

20 Activate submittal monitors and security exits.

21 Verify phases in IJSYSRS.

22 IPL to activate BIM-ALERT/VSE.

Step 1: Verify BIM-ALERT VSAM Cluster Names

Do You Need to Take This Step?

You need to take this step if you are installing version 5.1 of BIM-ALERT/VSE or BIM-ALERT/CICS.

Verify Cluster Names

Verify that none of the following BIM-ALERT VSAM cluster names duplicate any existing VSAM cluster names:

ALERT.S1SCTY.V51
ALERT.ALERTXP.V51
ALERT.AXPCTL.V51
ALERT.AXPLOG1.V51
ALERT.AXPLOG3.V51
ALERT.S1SAUDT.V51
ALERT.S1SMS##.V51

Page 98: BIM-ALERT™ 5.1 Installation and Operations Guide · Installation and Operations Guide Release 5.1 • BIM-ALERT/VSE™ allows you to control user access to datasets, programs, libraries,

Step 2: Define an Extent for Rules Assembly Work File Installation Procedure for a New Installation

3-56 Installation and Operations Guide

Step 2: Define an Extent for Rules Assembly Work File

You need to take this step if you are installing version 5.1 of BIM-ALERT/VSE. If you are installing only BIM-ALERT/CICS, you may skip this step.

In this step, you define an extent for the AXPORTA work file, which BIM-ALERT/VSE uses for assembling security rules tables.

AXPPROC.MODEL contains a DLBL and EXTENT for AXPORTA. An allocation of one cylinder is typically more than enough. AXPORTA may be an implicitly defined SAM-managed VSAM work file. The record size is 140 bytes.


Step 3: Catalog the AXPPROC Procedure

You need to take this step if you are installing version 5.1 of BIM-ALERT/VSE or BIM-ALERT/CICS.

The AXPPROC.PROC member in the BIM-ALERT residence sublibrary includes several DLBLs and a LIBDEF for the BIM-ALERT residence sublibrary, which are required by many of the JCL examples cataloged during the installation. A skeleton AXPPROC.PROC (the member AXPPROC.MODEL) is cataloged into the residence sublibrary by the installation jobstream.

In this step, you catalog AXPPROC.PROC in IJSYSRS.SYSLIB.

WARNING! The AXPPROC.PROC member must reside in IJSYSRS.SYSLIB. Jobstreams generated by the online definition transaction of BIM-ALERT/VSE contain an EXEC PROC=AXPPROC, but they do not contain a LIBDEF SEARCH for a PROC library. Keeping the AXPPROC procedure in IJSYSRS ensures that those jobstreams will find AXPPROC.


It is recommended that you refrain from placing DLBLs for BIM-ALERT in both AXPPROC and system standard labels. The preferred method is to place them in AXPPROC. If you place DLBLs for BIM-ALERT in system standard labels, you still must catalog the AXPPROC procedure. AXPPROC is used in jobs submitted by the online component of BIM-ALERT/VSE.

Step Action

3a Access the member AXPPROC.MODEL in the BIM-ALERT residence sublibrary.

3b Fill in the variable items in AXPPROC.MODEL.

3c Catalog AXPPROC.MODEL as AXPPROC.PROC into IJSYSRS.SYSLIB.

AXPPROC is executed by the BIM-ALERT/VSE startup and by the BIM-ALERT logger startup. Normally these steps will occur during ASI, and so AXPPROC will probably be executed inside the ASI procedure. If this is the case, remember that the DATA= parameter of AXPPROC must be consistent with that of the procedure that executes it.

Typically the ASI procedures are cataloged with DATA=YES specified. If that is the case, you should catalog AXPPROC with DATA=YES also.

3d Copy AXPPROC.PROC from IJSYSRS.SYSLIB into PRD2.SAVE, using JCL similar to that in member AXPJCL70.J job AXP7030. Keeping a copy of AXPPROC.PROC in PRD2.SAVE ensures that it automatically gets restored into IJSYSRS.SYSLIB when you perform VSE operating system maintenance that rebuilds IJSYSRS.SYSLIB.

3e After you catalog the AXPPROC, and before you add it to any jobstream in the ASI procedures, run a job such as the following to verify that the procedure has been cataloged correctly:

// JOB AXPPROC
// OPTION LOG
// EXEC PROC=AXPPROC
/&


Using Program AXPI9X for CPU-Specific JCL

Introduction

If you share IJSYSRS between several systems that use BIM-ALERT, your AXPPROC needs to contain CPU-specific information for files that cannot be shared. BIM-ALERT provides a program, AXPI9X, that sets a CPU ID value for a JCL symbolic parameter. You can test the value of this parameter in your AXPPROC in order to control execution of CPU-specific JCL. For information about using AXPI9X, refer to page 7-2.

Copying AXPI9X into IJSYSRS

If you decide to use program AXPI9X, you should copy it into IJSYSRS.SYSLIB and into PRD2.SAVE using JCL similar to the JCL in job AXP7040 in example member AXPJCL70.J.

WARNING! If you copy the program into IJSYSRS, it is essential that you also copy the program into PRD2.SAVE. This ensures that VSE system maintenance will restore the program after rebuilding IJSYSRS.SYSLIB.


Step 4: Define and Initialize the Log Files

You need to take this step if you are installing version 5.1 of BIM-ALERT/VSE or BIM-ALERT/CICS.

BIM-ALERT uses a VSAM KSDS file for logging and a VSAM ESDS for log file reporting and auditing. These files must be defined before you start up the BIM-ALERT logger.

Because the log file resides in VSAM space, it is not critical to make a precise estimate of logging volume. The sample JCL specifies a primary allocation of 2 cylinders and a secondary allocation of 1 cylinder. This allocation for AXPLOG1 will handle very high levels of logging activity, and should be adequate if you empty the file daily. We recommend that you start with these allocations.

Remember that the volume of log data can vary dramatically with changes to the rules table or the monitor mode startup parameters.

If you use BIM-ALERT in a multiple CPU setting with shared DASD, you cannot share the log files. Define a separate set of log files for each CPU where you use BIM-ALERT.

Take the following steps to define the log files:

Step Action

4a Retrieve the sample JCL from member COMJCF30.J.

4b Tailor the sample JCL as described in the comments in the JCL.

4c Execute the jobstream.


Step 5: Define and Initialize the Control File

You need to take this step if you are installing version 5.1 of BIM-ALERT/VSE. If you are installing only BIM-ALERT/CICS, you may skip this step.

BIM-ALERT/VSE uses a control file at startup time. This file is a VSAM KSDS file that must be defined and loaded before you start up BIM-ALERT/VSE.

If you use BIM-ALERT/VSE in a multiple CPU setting with shared DASD, and all the CPUs require the same BIM-ALERT/VSE system parameters, you can share the control file among the CPUs. Only one of the CPUs should have update access to the file. For information about using the SCFL subfunction of ALXP to update this file in a multiple CPU setting, refer to page 3-10.

The sample JCL includes three system parameter specifications that you should not alter during your initial implementation of BIM-ALERT/VSE. These are as follows:

Parameter Setting Function

MONITOR=(ALL) Sets up BIM-ALERT/VSE in monitor mode for static partitions. In monitor mode, BIM-ALERT records security violations in the log file and on the system operator console, but it does not cancel jobs. Run BIM-ALERT in this mode until the security administrator is ready for full security enforcement.

DMONITOR=(ALL) Same as MONITOR parameter above, except for dynamic partitions.

OBJ=AXPRULE Specifies a skeleton rules table that enforces no security at all and that does no logging. When you start using BIM-ALERT/VSE, leave this parameter in the control file, so that BIM-ALERT starts up with no security in force, minimizing any chance of disrupting the IPL/ASI process. During initial implementation, the security administrator can load another rules table, which enforces the security he has defined, after the IPL/ASI process is complete.

Take the following steps to define and initialize the control file:

Step Action

5a Retrieve the sample JCL from member AXPJCL10.J

5b Tailor the sample JCL as described in the comments in the JCL.

5c Execute the jobstream.


Step 6: Define and Initialize the Online Security Files

You need to take this step if you are installing version 5.1 of BIM-ALERT/VSE or BIM-ALERT/CICS.

In this step, you create the online security files S1SCTY and ALERTXP, which are VSAM files used by the online facility to store user profile information and resource access rules.

Use the following table to select the appropriate JCL for creating the version 5.1 online security files:

If you are                                      And you are                                     Use the JCL in

Installing BIM-ALERT/VSE for the first time     Not using or installing BIM-ALERT/CICS          COMJCA20.J

Installing BIM-ALERT/VSE for the first time     Installing BIM-ALERT/CICS for the first time    COMJCA20.J

Installing BIM-ALERT/CICS for the first time    Not using or installing BIM-ALERT/VSE           COMJCA50.J

Take the following steps to create the version 5.1 online security files:

Step Action

6a Retrieve the sample JCL from the member you selected.

6b Tailor the sample JCL as described in the comments in the JCL.

6c Execute the jobstream.


Step 7: Define and Initialize the Message File

You need to take this step if you are installing version 5.1 of BIM-ALERT/VSE or BIM-ALERT/CICS.

The BIM-ALERT message file contains all of the messages that are generated by BIM-ALERT/CICS and the BIM-ALERT common components. The text of the messages contained in this file can be viewed and modified by the BIM-ALERT/CICS function MMSG.

Take the following steps to define and initialize the 5.1 message file:

Step Action

7a Retrieve the sample JCL from member COMJCB00.J.

7b Tailor the sample JCL as described in the comments in the JCL.

7c Execute the jobstream.


Step 8: Define and Initialize the Audit File

You need to take this step if you are installing version 5.1 of BIM-ALERT/VSE or BIM-ALERT/CICS.

The online security definition facilities (ALXP and SCTY) keep track of changes to the online security files in an audit file (S1SAUDT). S1SAUDT must be defined and initialized before you can use ALXP or SCTY.

If you use BIM-ALERT in a multiple CPU setting with shared DASD, you cannot share the audit file. Define a separate audit file for each CPU where you execute the ALXP or SCTY transaction. For more information about using ALXP or SCTY in a multiple CPU setting, refer to page 3-10.

Take the following steps to define and initialize the 5.1 audit file:

Step Action

8a Retrieve the sample JCL from member COMJCC00.J.

8b Tailor the sample JCL as described in the comments in the JCL.

8c Execute the jobstream.


Step 9: Add LIBDEF and DLBLs to CICS Partition Startup

You need to take this step if you are installing version 5.1 of BIM-ALERT/VSE or BIM-ALERT/CICS.

Perform the following steps to add LIBDEF and DLBLs to the CICS partition startup:

Step Action

9a Add a LIBDEF PHASE,SEARCH=... for the BIM-ALERT residence sublibrary to the JCL that starts the CICS partitions where you want to use the ALXP or SCTY transaction.

9b AXPPROC by default contains a LIBDEF for the BIM-ALERT residence sublibrary. Bypass the LIBDEF in AXPPROC by using the following JCL to execute AXPPROC:

// EXEC PROC=AXPPROC,LIBDEF=NO


Step 10: Catalog New IPL, BG, and F1 ASI Procedures

You need to take this step if you are installing version 5.1 of BIM-ALERT/VSE or BIM-ALERT/CICS.

In this step, you modify your IPL procedure, your BG ASI, and your F1 ASI procedures so that BIM-ALERT/VSE and BIM-ALERT/CICS can be initialized and activated during ASI.

WARNING! It is very important that you make backup copies of your ASI procedures.

In order to minimize the chance of any adverse effect on your production environment, the procedure described here uses a separate "trial-only" IPL with the new procedures.

The following checklist summarizes the modifications to cataloged IPL and ASI procedures that you make in this step:

IPL Procedure
( ) Add SEC=YES IPL command.
( ) Add ESM=ALRT001 command.

BG ASI Procedure
( ) Add JCL to activate BIM-ALERT.
( ) Add JCL to activate BIM-ALERT's POWER reader exit (VSE/ESA version 1.3 or above only).

F1 (POWER) ASI Procedure
( ) Add JCL to activate the BIM-ALERT logger.
( ) Add command to execute POWER JOBEXIT.

Master Procedure $ASIPROC
( ) Change to use SEC procedure names.


Relationship of ASI Procedures

The following table describes the three types of ASI procedure members:

Master ASI procedure: This procedure is always named $ASIPROC.PROC. The IPL routines access $ASIPROC to determine the name of the IPL procedure to invoke and the names of the JCL procedures to invoke to start up each partition.

A Master ASI procedure is not required. If $ASIPROC is not present at IPL time, the IPL routines use default IPL and JCL procedure names. If neither $ASIPROC nor the procedure members with the default ASI names are present, the IPL routines prompt the operator for the name of the IPL procedure member and the prototype name of the JCL procedures.

ASI IPL procedure: This procedure contains the IPL statements required to bring up the system. For example, the IPL procedure specifies the name of the supervisor. The default name of this procedure is $IPL370, $IPLE, or $IPLESA (VSE/ESA 1.3 or above).

ASI JCL procedures: An ASI JCL procedure is invoked for each partition started during ASI. As each partition is started, its ASI JCL procedure is executed. The default names for these procedures are $0JCL370, $0JCLE, or $0JCLESA (BG partition), $1JCL370, $1JCLE, or $1JCLESA (F1 partition), etc.

The BG ASI JCL procedure is different from the others. It includes commands to initialize the overall system (such as ALLOC commands), as well as those to initialize the BG partition itself. Every other partition's JCL procedure affects only initialization of that partition itself.

Avoiding LIBDEF Conflicts

Under certain circumstances, executing AXPPROC in your ASI procedures can cause a problem. AXPPROC performs a temporary LIBDEF. If a temporary LIBDEF appears ahead of AXPPROC in your ASI procedure, the one in AXPPROC negates it.

You can avoid such problems by taking the following steps:

Step Action

1 Add the BIM-ALERT sublibrary to the LIBDEF statement in your ASI procedure.

2 Use the following statement to execute AXPPROC:

EXEC PROC=AXPPROC,LIBDEF=NO


Modifying the ASI IPL and JCL Procedures

Step Action

10a Run a jobstream similar to the one in AXPJCL20.J in the BIM-ALERT sublibrary, which uses LIBR to do the following:

• Make copies of your current ASI procedures in the BIM-ALERT residence sublibrary.
• Rename the ASI procedures.
• Copy the procedures back into IJSYSRS.SYSLIB.

The jobstream in AXPJCL20.J assumes default names for the procedures (ESA) and shows ?ALT.SUBLIB? as the BIM-ALERT sublibrary. Customize the procedure and sublibrary names before running the job.

After you have executed this job, you can make changes to the BIM-ALERT SEC procedures without affecting your current ones.

10b If you are installing only BIM-ALERT/CICS, skip this step. This step only applies to BIM-ALERT/VSE.

BIM-ALERT/VSE requires that you enable VSE/ESA’s Access Control Facility.

Add the following command to $IPLSEC. This command may appear anywhere after the supervisor parameters command (which is always the first command), and before the SVA command (which is always the last command).

SYS SEC=YES

10c If you are installing in the VSE/ESA 2.3 environment, skip this step. This step only applies to VSE/ESA 2.4 or later.

Under VSE/ESA 2.4 and later, there is a new IPL parameter to specify the External Security Manager (ESM) initialization program. The BIM-ALERT 5.1 ESM initialization program ALRT001 is used by both BIM-ALERT/VSE and BIM-ALERT/CICS.

Add the following command to $IPLSEC. This command may appear anywhere after the supervisor parameters command (which is always the first command), and before the SVA command (which is always the last command).

SYS ESM=ALRT001


10d If you want the logger to run in the POWER partition, continue with this step. If you want it to run in a separate partition, go to Step 10e.

Add the logger startup JCL to the POWER partition's $xJCLSEC procedure. A sample of this JCL is cataloged in the BIM-ALERT residence sublibrary in member COMJCF40.J, and is shown below. Replace your // EXEC power phase with the // EXEC ALRTL9 statement.

// EXEC PROC=AXPPROC,LIBDEF=NO
// EXEC ALRTL9,SIZE=nnK,PARM='xxxxxxxx'
(Insert POWER startup commands after EXEC ALRTL9)

Make sure that you add the BIM-ALERT sublibrary to the LIBDEF statement in the POWER partition's $xJCLSEC procedure.

If you currently use a SIZE parameter on the POWER startup EXEC statement, use the same value in the // EXEC ALRTL9 statement. If you do not currently use a SIZE parameter on the POWER startup // EXEC statement, you don't need one for ALRTL9 either. Finally, insert the name of your POWER phase (the one currently being executed in your POWER partition ASI) in the PARM= operand of the // EXEC ALRTL9 statement.

Do not comment out your EXEC card. POWER does not allow comment cards before the FORMAT= card.

The logger requires less than 2K of partition area and about 80K of partition GETVIS area. Unless your POWER partition currently has a lot of extra GETVIS area, you will probably need to increase the size of the POWER partition's GETVIS area by modifying the ALLOC command for the POWER partition. The ALLOC commands are all contained in the $0JCLSEC procedure. Leave the POWER partition's SIZE command the same. With the increased amount on the ALLOC command, this results in a larger GETVIS area. Notice that increasing the POWER partition's ALLOC may require decreasing some other partition's ALLOC.

The logger must be active for BIM-ALERT to record violation data in the log file and on the system operator console.

10e If you decide to run the logger in a dedicated partition instead of the POWER partition, add the logger startup JCL to that partition's procedure. Alternatively, you may submit a jobstream with the logger startup JCL into the desired partition with DISP=L, and add a PRELEASE statement to the $0JCLSEC procedure to release this job as soon as POWER has initialized. A sample of this JCL is shown in member COMJCF40.J, which is cataloged in the BIM-ALERT residence sublibrary.


10f If you are installing in a VSE/ESA 2.4 or later environment, skip this step. This step only applies to VSE/ESA 2.3.

Add the BIM-ALERT startup JCL to $0JCLSEC.

Place the startup JCL ahead of the START command for the POWER partition so that BIM-ALERT is active before each partition is PSTARTed.

It is also recommended that you start up BIM-ALERT prior to other products normally started in your BG ASI procedure.

Program ALRT001 accepts a single control card. The card is in the format:

MODE=(INIT,cccccccc)

Where ‘cccccccc’ will contain one of the following values:

Value Meaning

BIMALERT Initialize the security environment for both BIM-ALERT/VSE and BIM-ALERT/CICS, and initiate the BIM-ALERT/VSE product activation process.

ALTVONLY Initialize and activate only the BIM-ALERT/VSE security environment.

ALTCONLY Initialize only the BIM-ALERT/CICS security environment. BIM-ALERT/CICS will be fully activated when the CICS partition(s) are brought up.

// EXEC PROC=AXPPROC,LIBDEF=NO
// EXEC ALRT001
MODE=(INIT,ALTCONLY) INITIALIZE BIM-ALERT/CICS ONLY
/*

This will cause only the BIM-ALERT/CICS environment to be initialized.

Be sure the /* JCL statement is in the job to signal the end of the SYSIPT statements. The /* JCL statement is required even if there are no SYSIPT statements. Program ALRT001 will attempt to read control statements until it finds the /* JCL statement. If the /* JCL statement is not present, none of the commands after EXEC ALRT001 will execute.

Make sure that you add the BIM-ALERT sublibrary to the LIBDEF statement in $0JCLSEC.

The JCL you add to $0JCLSEC and to the logger partition's procedure executes AXPPROC. Be sure that the DATA= parameter of AXPPROC and that of any procedure where it is executed are the same. AXPPROC is normally cataloged with DATA=YES.


10g If you are installing in the VSE/ESA 2.3 environment, skip this step. This step only applies to VSE/ESA 2.4 and later.

Add the BIM-ALERT startup JCL to $0JCLSEC. In the procedure, as provided by IBM, locate the execution of the Basic Security Manager (BSM) initialization program BSSINIT.

During the BG ASI process, the BSSINIT program will pass control to the ESM initialization program that was specified in the SYS ESM= IPL parameter. After BIM-ALERT’s ESM initialization program ALRT001 gets control, it will read a control card from SYSIPT to determine which components of BIM-ALERT need to be initialized and/or activated.

A sample of the startup of BIM-ALERT is shown below. ALRT001 accepts a single control card. The card is in the format:

MODE=(INIT,cccccccc)

Where ‘cccccccc’ will contain one of the following values.

Value Meaning

BIMALERT Initialize the security environment for both BIM-ALERT/VSE and BIM-ALERT/CICS, and initiate the BIM-ALERT/VSE product activation process.

ALTVONLY Initialize and activate only the BIM-ALERT/VSE security environment.

ALTCONLY Initialize only the BIM-ALERT/CICS security environment. BIM-ALERT/CICS will be fully activated when the CICS partition(s) are brought up.

// EXEC PROC=AXPPROC,LIBDEF=NO
// EXEC BSSINIT INITIALIZE BSM/ESM ENVIRONMENT
MODE=(INIT,ALTCONLY) INITIALIZE BIM-ALERT/CICS ONLY
/*

This will cause only the BIM-ALERT/CICS environment to be initialized.

Be sure the /* JCL statement is in the job to signal the end of the SYSIPT statements. The /* JCL statement is required even if there are no SYSIPT statements. Program ALRT001 will attempt to read control statements until it finds the /* JCL statement. If the /* JCL statement is not present, none of the commands after EXEC ALRT001 will execute.

Make sure that you add the BIM-ALERT sublibrary to the LIBDEF statement in $0JCLSEC.

The JCL you add to $0JCLSEC and to the logger partition's procedure executes AXPPROC. Be sure that the DATA= parameter of AXPPROC and that of any procedure where it is executed are the same. AXPPROC is normally cataloged with DATA=YES.


10h If you are installing in the VSE/ESA 2.3 environment, skip this step. This step only applies to VSE/ESA 2.4 or later.

Several of the IBM-supplied JCL procedures ($1JCLxx, $2JCLxx, etc.) include an execute card for the BSSINIT program in each partition start-up. BIM-ALERT does not require BSSINIT to be run in any partition except BG.

Review the JCL procedures you are using, and verify that the BSSINIT program is being executed only in the $0JCL procedure.

10i If you are installing only BIM-ALERT/CICS, skip this step. This step only applies to BIM-ALERT/VSE.

If You Do Not Have Your Own POWER JOBEXIT Program

Take the following steps to update your POWER startup JCL if you do not have your own POWER JOBEXIT program:

Step Action

1 Add the following command to your POWER startup JCL:

PLOAD JOBEXIT,AXPHP6,256

Place this command immediately after the FORMAT command. If the FORMAT command is not present, place the PLOAD command immediately after the EXEC POWER statement.

If You Have Your Own POWER JOBEXIT Program

Take the following steps to update your POWER startup JCL if you have your own POWER JOBEXIT program:

Step Action

1 Add the following command to your POWER startup JCL:

PLOAD JOBEXIT,AXPHP6,nnnnn

Replace nnnnn with the size of the work area required by your exit program + 256. Place this command immediately after the FORMAT command. If the FORMAT command is not present, place the PLOAD command immediately after the EXEC POWER statement.

2 Add the following command to your BG ASI procedure. This statement must precede the statement that starts the POWER partition (usually START F1).

EXEC AXPHP6B,PARM='PLOAD JOBEXIT,xxxxxxxx,nnnnn'

Replace xxxxxxxx with the name of your exit program. Replace nnnnn with the size of the work area required by your exit program.

10j Catalog the new IPL procedures into IJSYSRS.
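A check you can run on a copy of the BG ASI procedure text before cataloging it, as an added example that is not part of the guide or of BIM-ALERT. It applies the rules stated in Steps 10f and 10g and under "Avoiding LIBDEF Conflicts": a single MODE=(INIT,cccccccc) card with a listed value, the /* terminator, ALRT001 startup ahead of the POWER START, and LIBDEF=NO on AXPPROC. The helper names, the sample procedures, and the sublibrary name ALERT.LIB51 are constructed for illustration.

```python
import re

# Values the guide lists for the ALRT001 control card (Steps 10f and 10g).
VALID_MODES = {"BIMALERT", "ALTVONLY", "ALTCONLY"}
# ALRT001 runs directly (VSE/ESA 2.3) or is reached through BSSINIT (2.4 or later).
INIT_PROGRAMS = {"ALRT001", "BSSINIT"}

EXEC_RE = re.compile(r"^(?://\s+)?EXEC\s+(PROC=)?([A-Z0-9$#@]+)(\S*)")
LIBDEF_RE = re.compile(r"^(?://\s+)?LIBDEF\s")
START_RE = re.compile(r"^(?://\s+)?START\s+([A-Z0-9]+)")
MODE_RE = re.compile(r"^MODE=\(INIT,([^)]*)\)(?:\s|$)")


def read_cards(lines, i):
    """Collect SYSIPT cards from index i up to /*; return (cards, terminated, next_i)."""
    cards = []
    while i < len(lines):
        line = lines[i]
        if line == "/*":
            return cards, True, i + 1
        if line.startswith(("//", "/&")):   # next JCL statement: terminator is missing
            break
        if line:
            cards.append((i + 1, line))
        i += 1
    return cards, False, i


def lint_asi_procedure(text, power_partition="F1"):
    """Return sorted (line_number, message) findings for a BG ASI procedure."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings = []
    seen_libdef = False
    init_at = None           # (line number, program) of the first initialization step
    power_start_at = None
    i = 0
    while i < len(lines):
        line, lineno = lines[i], i + 1
        i += 1
        if not line or line.startswith("* "):   # blank line or JCL comment
            continue
        if LIBDEF_RE.match(line):
            seen_libdef = True
            continue
        start = START_RE.match(line)
        if start:
            if start.group(1) == power_partition and power_start_at is None:
                power_start_at = lineno
            continue
        ex = EXEC_RE.match(line)
        if not ex:
            continue
        is_proc, name, operands = ex.groups()
        if is_proc:
            if name == "AXPPROC" and seen_libdef and "LIBDEF=NO" not in operands.split(","):
                findings.append((lineno, "AXPPROC executed without LIBDEF=NO after a "
                                         "LIBDEF; its temporary LIBDEF negates the earlier one"))
            continue
        if name not in INIT_PROGRAMS:
            continue
        if init_at is None:
            init_at = (lineno, name)
        cards, terminated, i = read_cards(lines, i)
        if not terminated:
            findings.append((lineno, f"no /* after EXEC {name}; commands after it will not execute"))
        if len(cards) != 1:
            findings.append((lineno, f"expected a single control card, found {len(cards)}"))
        for card_no, card in cards:
            mode = MODE_RE.match(card)
            if not mode:
                findings.append((card_no, "control card is not MODE=(INIT,cccccccc)"))
            elif mode.group(1) not in VALID_MODES:
                findings.append((card_no, f"unknown MODE value {mode.group(1)!r}"))
    if init_at is None:
        findings.append((0, "no EXEC ALRT001 or EXEC BSSINIT step found"))
    elif init_at[1] == "ALRT001" and power_start_at is not None and power_start_at < init_at[0]:
        findings.append((init_at[0], f"BIM-ALERT startup follows START {power_partition} "
                                     f"on line {power_start_at}; place it ahead"))
    return sorted(findings)


# Constructed samples (not taken from any real system).
GOOD_23 = """// LIBDEF PHASE,SEARCH=(ALERT.LIB51),TEMP
// EXEC PROC=AXPPROC,LIBDEF=NO
// EXEC ALRT001
MODE=(INIT,BIMALERT)
/*
START F1
"""
GOOD_24 = """// EXEC PROC=AXPPROC,LIBDEF=NO
// EXEC BSSINIT INITIALIZE BSM/ESM ENVIRONMENT
MODE=(INIT,ALTCONLY) INITIALIZE BIM-ALERT/CICS ONLY
/*
"""
BAD = """// LIBDEF PHASE,SEARCH=(ALERT.LIB51),TEMP
START F1
// EXEC PROC=AXPPROC
// EXEC ALRT001
MODE=(INIT,ALTXONLY)
// EXEC PROC=OTHERPRC
"""

if __name__ == "__main__":
    for lineno, message in lint_asi_procedure(BAD):
        print(f"line {lineno}: {message}")
```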


Step 11: Add CICS Table Entries

You need to take this step if you are installing version 5.1 of BIM-ALERT/VSE or BIM-ALERT/CICS.

In this step, you add entries for BIM-ALERT/VSE and BIM-ALERT/CICS to various CICS tables. You must add entries for BIM-ALERT/VSE's ICCF submittal monitor and for BIM-ALERT's ALXP and SCTY transactions.


Step 11a: Add Entries for the ICCF Submittal Monitor

BIM-ALERT/VSE's ICCF submittal monitor is activated by executing program AXPHI7D in the CICS PLTPI. Program AXPHI7D starts transaction AX7C, which waits for ICCF and BIM-ALERT/VSE to become active, and then initializes the BIM-ALERT/VSE submittal monitor for ICCF.

Program AXPHI7D, transaction AX7C, and several related programs and transactions are required in the CICS partition where you run ICCF. If you added the entries for these items during a previous installation of BIM-ALERT/VSE, you do not need to add them again. Otherwise, take the following steps for the CICS partition where you run ICCF:

Step Action

1 Add the following entry to the PLTPI assembly for the CICS where you run ICCF:

DFHPLT TYPE=ENTRY,PROGRAM=AXPHI7D

2 Assemble and catalog the PLTPI phase.

3 If you run ICCF in a different partition from the one where you run the BIM-ALERT transaction ALXP, add the following entries to the ICCF partition's PCT and PPT and then re-assemble those tables. You can skip to step 3 if you run ICCF and ALXP in the same CICS partition, because these entries will be added in Step 10b, below.

PPT Entries PCT Entries

PROGRAM=AXPHI7A TRANSID=AX7A

PROGRAM=AXPHI7B TRANSID=AX7B

PROGRAM=AXPHI7C TRANSID=AX7C

PROGRAM=AXPHI7D

PROGRAM=A1MHI7A

Refer to JCL members AXPPPT.A and AXPPCT.A for the complete contents of these PPT and PCT entries.

4 If you took Step 3 above, assemble and catalog the PCT and PPT tables for the ICCF partition.


Step 11b: Add Entries for the ALXP and SCTY Transactions

BIM-ALERT requires entries in the CICS PPT, PCT, and FCT tables. You can incorporate these entries into your existing CICS tables in one of the following ways:

• Add the BIM-ALERT entries to your existing assembly jobstreams for these tables.

• Use RDO to update your CICS entries.

Requirement: Under CICS/VSE 2.3, you must add the FCT entries to your existing assembly job. In the CICS/TS 1.1 environment, you will need to use RDO.

Adding Entries to Your Existing Assembly Jobstreams

The BIM-ALERT residence sublibrary includes members that contain macro definition entries for BIM-ALERT's PPT, PCT, and FCT entries. The members you should add to your assembly jobstreams depend on whether you are also running BIM-ALERT/VSE, BIM-ALERT/CICS, or both.

If you are running                        Add these COPY statements to your jobstreams:

BIM-ALERT/VSE and BIM-ALERT/CICS          COPY ALERTPCT
                                          COPY ALERTPPT
                                          COPY ALERTFCT

BIM-ALERT/VSE but not BIM-ALERT/CICS      COPY AXPPCT
                                          COPY AXPPPT
                                          COPY AXPFCT
                                          COPY COMMFCT
                                          COPY COMMPCT
                                          COPY COMMPPT

BIM-ALERT/CICS but not BIM-ALERT/VSE      COPY ALRTPCT
                                          COPY ALRTPPT
                                          COPY ALRTFCT
                                          COPY COMMFCT
                                          COPY COMMPCT
                                          COPY COMMPPT

Be certain to reference the 5.1 BIM-ALERT sublibrary in the LIBDEF SEARCH statement, so that the proper version of these members will be included.


If You Are Installing BIM-ALERT/CICS

If you are installing BIM-ALERT/CICS, you should do one of the following before you reassemble and re-catalog the CICS tables:

• Change the name of the program specified for both the CSSN and CSSF entries in the PCT to be PROGRAM = S1S610 before the PCT is reassembled.

• Ensure that the copy book ALRTPCT is copied into the PCT assembly jobstream before the group FN=SIGNON. Do not remove FN=SIGNON from your PCT or PPT tables.

After You Add the Entries

After you add the entries, reassemble and re-catalog the CICS tables.

Using RDO to Update Your CICS Entries

The BIM-ALERT residence sublibrary contains sample jobstreams that include the DFHCSDUP control statements to define the PCT and PPT entries required by BIM-ALERT/VSE and BIM-ALERT/CICS. The control statements to define the required FCT entries are also included for the CICS/TS 1.1 environment.

Procedure

Take the following steps to define the BIM-ALERT PPT and PCT table entries in the CICS Resource Definition file DFHCSD:

Step  Action

1     Retrieve the proper sample job stream for your environment:

      • For CICS/VSE 2.3, use COMJCE02.J
      • For CICS/TS 1.1, use COMJCE04.J

2     Tailor the sample JCL as described in the comments in the JCL.

3     Execute the job stream.

For More Information About DFHCSDUP

For more information about using DFHCSDUP, refer to the IBM manual CICS Resource Definition (ONLINE).
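For sites that take the assembly-jobstream route, the following added example (not BIM-ALERT code and not from the guide) checks a table source against the Step 11b COPY table and against the two sign-on alternatives listed for BIM-ALERT/CICS. The card images are constructed samples, and treating ALERTPCT like ALRTPCT for the ordering check is an assumption.

```python
import re

# COPY members per product combination and table, from the Step 11b table.
REQUIRED = {
    frozenset({"VSE", "CICS"}): {
        "PCT": {"ALERTPCT"}, "PPT": {"ALERTPPT"}, "FCT": {"ALERTFCT"}},
    frozenset({"VSE"}): {
        "PCT": {"AXPPCT", "COMMPCT"}, "PPT": {"AXPPPT", "COMMPPT"},
        "FCT": {"AXPFCT", "COMMFCT"}},
    frozenset({"CICS"}): {
        "PCT": {"ALRTPCT", "COMMPCT"}, "PPT": {"ALRTPPT", "COMMPPT"},
        "FCT": {"ALRTFCT", "COMMFCT"}},
}
KNOWN = {m for tables in REQUIRED.values() for ms in tables.values() for m in ms}


def statements(source):
    """Join continuation cards (non-blank column 72) into upper-case statements."""
    out, pending = [], None
    for line in source.splitlines():
        if pending is None and line.startswith("*"):
            continue                           # full-line comment card
        text = line[:71].strip()               # columns 73-80: sequence numbers
        pending = text if pending is None else pending + text
        if len(line) > 71 and line[71] != " ":
            continue                           # continued on the next card
        if pending:
            out.append(pending.upper())
        pending = None
    return out


def signon_findings(stmts, copies):
    """Check the two alternatives the guide gives for BIM-ALERT/CICS sign-on."""
    signon = [i for i, s in enumerate(stmts)
              if "TYPE=GROUP" in s and re.search(r"FN=\(?[\w,]*\bSIGNON\b", s)]
    if not signon:
        return ["group FN=SIGNON not found; the guide says not to remove it"]
    programs = {}
    for s in stmts:
        tran = re.search(r"TRANSID=(\w+)", s)
        prog = re.search(r"PROGRAM=(\w+)", s)
        if "TYPE=ENTRY" in s and tran and prog:
            programs[tran.group(1)] = prog.group(1)
    # Alternative 1: CSSN and CSSF both specify PROGRAM=S1S610.
    if programs.get("CSSN") == programs.get("CSSF") == "S1S610":
        return []
    # Alternative 2: the copy book precedes the SIGNON group. Treating ALERTPCT
    # like ALRTPCT is an assumption; the guide names only ALRTPCT.
    book = copies.get("ALRTPCT", copies.get("ALERTPCT"))
    if book is not None and book < signon[0]:
        return []
    return ["CSSN/CSSF do not use S1S610 and COPY ALRTPCT does not precede FN=SIGNON"]


def audit_table(source, table, products):
    """Return findings for one PCT, PPT or FCT assembly source."""
    stmts = statements(source)
    required = REQUIRED[frozenset(products)][table]
    copies = {}                                # member -> index of first COPY
    for i, s in enumerate(stmts):
        m = re.search(r"(?:^|\s)COPY\s+(\w+)", s)
        if m:
            copies.setdefault(m.group(1), i)
    found = set(copies)
    findings = [f"missing COPY {m}" for m in sorted(required - found)]
    findings += [f"COPY {m} is not listed for this table and product combination"
                 for m in sorted((found & KNOWN) - required)]
    if table == "PCT" and "CICS" in products:
        findings += signon_findings(stmts, copies)
    return findings


def card(text, continued=False):
    """Build a 72-column card image for the constructed samples below."""
    return text.ljust(71) + ("X" if continued else " ")


# Constructed PCT source for a BIM-ALERT/CICS-only site: COMMPCT is missing
# and ALRTPCT is copied after the SIGNON group.
SAMPLE_BAD = "\n".join([
    "* CONSTRUCTED SAMPLE, NOT A SUPPLIED JOBSTREAM",
    card("         DFHPCT TYPE=GROUP,FN=SIGNON"),
    card("         COPY  ALRTPCT"),
])

# Constructed source using alternative 1, with entries on continued cards.
SAMPLE_ALT1 = "\n".join([
    card("         DFHPCT TYPE=ENTRY,TRANSID=CSSN,", continued=True),
    card("               PROGRAM=S1S610"),
    card("         DFHPCT TYPE=ENTRY,TRANSID=CSSF,", continued=True),
    card("               PROGRAM=S1S610"),
    card("         DFHPCT TYPE=GROUP,FN=SIGNON"),
    card("         COPY  ALRTPCT"),
    card("         COPY  COMMPCT"),
])

if __name__ == "__main__":
    print(audit_table(SAMPLE_BAD, "PCT", {"CICS"}))
```

Run it against the source of each table before reassembly; an empty list means the COPY set matches the product combination and, for the PCT, one of the two sign-on alternatives is satisfied.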


Step 12: Add Optional CICS Table Entries

Do You Need to Take This Step?

If you are installing only BIM-ALERT/VSE, you may skip to Step 15. This step is optional if you are installing version 5.1 of BIM-ALERT/CICS.

Special Supplied Copy Book Members

Special copy book members have been provided to help you customize BIM-ALERT/CICS to your installation. The following are three of those members:

• ALRTPCTL contains BIM-ALERT/CICS transactions in lower case.

• ALRTPCTO contains optional transactions available in BIM-ALERT/CICS.

• ALRTFCTM contains entries used in remote CICS partitions in an MRO environment. In an MRO environment the audit, message, and security files (S1SAUDT, S1SMS##, and S1SCTY) must be defined as local in one FCT and remote in the other FCTs in the complex to allow the files to be updated from all CICSs in the MRO complex. Copy ALRTFCT.A and COMMFCT.A into the local partition's FCT assembly. Edit ALRTFCTM to include the SYSIDNT of the local region, and then copy ALRTFCTM.A into the remote partition's FCT assemblies.

All normal BIM-ALERT/CICS functions can be performed if you copy the unsuffixed table of the proper type. For example, ALRTPCT, ALRTPPT, ALRTFCT, COMMPPT, and COMMFCT are for the normal system.

The various members contain additional information that should help you decide if you need to include them in the table or not.


Step 13: Adjust the Size of the CSA Common Work Area

Do You Need to Take This Step?

If you are installing only BIM-ALERT/VSE, you may skip this step. You need to take this step if you are installing version 5.1 of BIM-ALERT/CICS.

About This Step

BIM-ALERT/CICS reserves the last 64 bytes of the common work area (CWA) portion of the CSA for security processing. In this step you make sure that the size of the CWA meets the requirements of BIM-ALERT/CICS.

Procedure

Check the size specified in the WRKAREA= parameter of the system initialization table (SIT) to ensure that the last 64 bytes are available for use by BIM-ALERT/CICS only. If the WRKAREA= parameter has not been specified or if it does not allow for the extra 64 bytes, change the WRKAREA= size and reassemble the SIT. (This parameter can also be specified as a system override during CICS initialization.)

WARNING!

If the CWA is also to be used by other systems, always ensure that the last 64 bytes are reserved for use by BIM-ALERT/CICS only. If this area is not available or is overlaid by other processing, CICS may cancel.


Step 14: Add SET SDL Entries for MRO Control Modules

Do You Need to Take This Step?

If you are installing only BIM-ALERT/VSE, you may skip this step. You need to take this step if you are installing version 5.1 of BIM-ALERT/CICS in an MRO environment.

About This Step

To support the MRO environment, BIM-ALERT/CICS uses nine special control modules. These modules are cataloged as SVA eligible and are named S1SCNTR1 through S1SCNTR9. You must add these nine entries to the SET SDL entries in the ASI procedure.

Procedure

Use the following format to add entries for MRO control modules to the SET SDL entries in the ASI procedure:

S1SCNTR1,SVA   BIM-ALERT/CICS MRO CONTROL MODULE
S1SCNTR2,SVA   BIM-ALERT/CICS MRO CONTROL MODULE
S1SCNTR3,SVA   BIM-ALERT/CICS MRO CONTROL MODULE
    .              .
    .              .
    .              .
S1SCNTR8,SVA   BIM-ALERT/CICS MRO CONTROL MODULE
S1SCNTR9,SVA   BIM-ALERT/CICS MRO CONTROL MODULE

Temporarily Loading MRO Control Modules Without an IPL

You can take the following steps to immediately load the BIM-ALERT/CICS MRO control modules into the SVA without an IPL. A sample SET SDL jobstream can be found in the BIM-ALERT residence library in member ALRTSDL.J.

Step  Action

1     Run a job that contains a //PAUSE statement in the BG partition.

2     Do the following from the console:

      • Enter the SET SDL command.
      • Enter the list of modules to be loaded into the SVA.

The modules must be in a sublibrary in the search chain for BG for this to be successful.


Step 15: BIM-ALERT/CICS PLT Entries

Do you need to take this step?

If you are installing only BIM-ALERT/VSE, you may skip this step.

Procedure

When you are prepared to initialize BIM-ALERT/CICS during CICS startup, you will need two programs specified in your PLTPI phase and one program in your PLTSD phase. The BIM-ALERT copybooks ALRTPLT.A and ALRTPLTS.A contain these programs for your PLT assemblies.

WARNING!

We recommend that you re-cycle CICS and perform some BIM-ALERT/CICS system administrator maintenance before you use the PLT startup method. You should define a main administrator and two secured terminals that require operator sign-on. You should also view the SCTY UPAR panel to decide upon some BIM-ALERT System Parameters. Finally, you will need to use the SCTY UPOP panel to specify the level of security that you want started during PLT startup processing. These functions are discussed in the BIM-ALERT/CICS Security Administrator’s Guide.


Step 16: Update Your JCLLUSEX List

Do You Need to Take This Step?

You need to take this step if you are installing version 5.1 of BIM-ALERT/VSE. If you are installing only BIM-ALERT/CICS, you may skip this step.

For Further Information

For an explanation of $JOBEXIT processing under version 1.2 or higher of VSE/ESA and guidelines for managing $JOBEXIT, refer to page 6-41.

Procedure

Take the following steps to add BIM-ALERT's $JOBEXIT phase to your JCLLUSEX list. The member AXPJCL80.J in the BIM-ALERT sublibrary contains sample jobstreams you can use in these steps.

Step  Action

16a   Execute the JCLEXIT JCL command in a jobstream to display a list of phases currently in your JCLLUSEX list. Phases in this list are named $JOBEX0n, where n is a number between 0 and 9. If there are any phases in your JCLLUSEX list, note the numbers used in their names.

16b   Copy AXPHJ3.PHASE from the BIM-ALERT sublibrary to PRD2.SAVE.

16c   Rename AXPHJ3.PHASE to $JOBEX0n.PHASE in PRD2.SAVE, where n is a number from 1 to 9 not currently used in your JCLLUSEX list.

      It is recommended that you do not replace n with 0 because certain other programs dynamically use $JOBEX00 without explicitly placing it in the JCLLUSEX list.

16d   Modify your JCLLUSEX source code to specify the $JOBEX0n program.

16e   Reassemble and re-catalog your JCLLUSEX.PHASE into PRD2.SAVE. The phase is cataloged as $JOBEXIT.PHASE.

16f   Copy the newly cataloged $JOBEXIT.PHASE and the $JOBEX0n.PHASE from PRD2.SAVE into IJSYSRS.SYSLIB.

16g   Update your $SVA0000 load list to include an entry for $JOBEX0n.

If You Receive Message ALV031E

If you are certain that you have performed these steps properly, and you receive the following message when you activate BIM-ALERT, check to see if Job Control has disabled your exit list.

ALV031E AXPHJ3 Not Active In JCLLUSEX.

Refer to page 6-38 for information about why Job Control might disable your exit list.


Step 17: Verify the Standard Label for IJSYSRS.SYSLIB

About This Step

If no label for the System Residence Library (IJSYSRS) is present in the standard label area, the VSE/Librarian skips certain sublibrary level authorization checks for IJSYSRS. In this step, you ensure that these checks are made for IJSYSRS by verifying that you have a label for IJSYSRS in the standard label area.

Procedure

Execute the following JCL to determine whether your standard label area contains a label for IJSYSRS:

// JOB LSERV
// EXEC LSERV,PARM='STDLABEL'
/&

Examine the printout from this job. If you do not find an entry for IJSYSRS, add a DLBL for IJSYSRS to your standard label load procedure. Execute the following JCL:

// JOB LVTOC
// ASSGN SYS005,PRINTER
// ASSGN SYS004,SYSRES
// EXEC LVTOC
/&

Examine the printout from this job and locate the information for the IJSYSRS file. For CKD devices this file starts on track 1. For FBA devices this file starts on block 20 (pre-ESA) or 130 (ESA). Add a DLBL for IJSYSRS to your standard label area, specifying the file name from the LVTOC printout.

For More Information

For more information about the LSERV program and the LVTOC program, refer to IBM manual VSE/ESA System Utilities.


Step 18: Trial IPL With SEC IPL Procedures

After the preceding steps have been completed, you are ready to IPL with security enabled. Before you modify your $ASIPROC, which will cause the SEC IPL procedures to be invoked automatically, you should IPL with the new SEC procedures by interrupting the normal ASI IPL procedure. This process is described next. (This description has been paraphrased from the IBM VSE Operating Procedures Manual.)

Step Action

18a Shortly after you have performed power-on and IMPL procedures, a message like the following is issued:

0J01I IPL=iplproc,JCL=jclproc,SUPVR=supname

18b Immediately after message 0J01I, and before message 0J10I IPL RESTART POINT BYPASSED, do one of the following:

If you are running VSE/ESA version 1.3 or above, press the ENTER key.

18c When the WAIT state is entered, press REQUEST/ENTER from SYSLOG. (If you are running under VM, it may not be obvious that the VSE machine has entered the WAIT state. Normally, it enters the WAIT state almost immediately after you enter EXT.)

18d Wait for message 0I03A ENTER SUPERVISOR PARAMETERS OR ASI PARAMETERS.

18e Enter the names of the SEC ASI procedures as shown in the following example. Message 0J01I will be re-issued, showing the name of your BIM-ALERT procedures ($IPLSEC and $$JCLSEC), and the IPL will continue by invoking those procedures.

IPL=$IPLSEC,JCL=$$JCLSEC

Let the ASI proceed at least to the point where BIM-ALERT starts up and the logger starts up. If possible, let the ASI proceed until all partitions have been started.


Step 19: Catalog a New $ASIPROC Master Procedure

Procedure

After you have successfully started up BIM-ALERT at IPL using the preceding trial IPL procedure, you can modify the $ASIPROC IPL= and JCL= parameters as follows:

CPU=cpuid,IPL=$IPLSEC,JCL=$$JCLSEC

After you modify $ASIPROC, every IPL will automatically activate BIM-ALERT. After that, if you need to IPL without BIM-ALERT, you can do so by performing the preceding procedure (interrupting the ASI procedure) and specifying the old procedure names instead of the SEC procedure names.

If you don't currently use a $ASIPROC, and IPL is using default names for the IPL and JCL procedures, you need to rename the SEC procedures to the default names so that each IPL automatically activates BIM-ALERT. Run a job similar to the following:

// EXEC LIBR,SIZE=200K
AC S=IJSYSRS.SYSLIB
RENAME $IPL370.PROC:$IPLOLD.PROC
RENAME $0JCL370.PROC:$0JCLOLD.PROC
RENAME $1JCL370.PROC:$1JCLOLD.PROC /* etc */
RENAME $IPLSEC.PROC:$IPL370.PROC
RENAME $0JCLSEC.PROC:$0JCL370.PROC
RENAME $1JCLSEC.PROC:$1JCL370.PROC /* etc */
/*
/&

After you have run this job, every IPL will automatically activate BIM-ALERT.

If you don't currently use a $ASIPROC, and IPL is prompting the operator for the procedure names, then either rename the SEC procedures to the names you are currently using or instruct the operator to respond with the new SEC procedure names instead of the current ones.


Starting BIM-ALERT/VSE After Partitions Have Started

We strongly recommend starting up BIM-ALERT/VSE as previously described; that is, in the ASI before POWER has PSTARTed any partition.

If you choose instead to start BIM-ALERT/VSE after partitions have been PSTARTed, BIM-ALERT/VSE's $JOBEXIT routine will not get control until after the first job that executes in each partition. Therefore, if you are using // ID information to develop a job's SECID, the first job's SECID will not be valid, since BIM-ALERT/VSE's $JOBEXIT is not present at that point. In this case you must ensure that the first job that runs in each partition after activating BIM-ALERT is a "do nothing" job, whose purpose is simply to initiate BIM-ALERT/VSE's $JOBEXIT. A job similar to the following will accomplish this. This JCL is also contained in member AXPJCL00.J.

// JOB BIM-ALERT AXPBR14
// LIBDEF PHASE,SEARCH=???????.???
// EXEC AXPBR14
/&

A job such as this must be run in each partition.

Remember, this procedure is required only if you start BIM-ALERT/VSE after partitions have been PSTARTed.

Also note that jobs that are already active when BIM-ALERT starts will get UNKNOWN SECID for resources that are accessed after BIM-ALERT starts.


Step 20: Activate Submittal Monitors and Security Exits

Do You Need to Take This Step?

If you are not running BIM-ALERT/VSE, you may skip this step.

Procedure

Perform the following tasks before you activate BIM-ALERT/VSE version 5.1:

Task                                            Page Explained
Activate BIM-ALERT/VSE's submittal monitors.    5-4
Install required security exits.                5-40


Step 21: Verify IJSYSRS Phases

Do You Need to Take This Step?

If you are not running BIM-ALERT/VSE, you may skip this step.

Procedure

Follow the procedure described on page 6-32 to verify the BIM-ALERT/VSE phases in IJSYSRS.SYSLIB.


Step 22: Perform an IPL to Activate BIM-ALERT

Do You Need to Take This Step?

You need to take this step if you are installing version 5.1 of BIM-ALERT/VSE or BIM-ALERT/CICS.

Procedure

To activate BIM-ALERT/VSE or BIM-ALERT/CICS version 5.1, you must perform an IPL.


Supporting the IUI Under CICS/TS 1.1

Introduction

This section discusses the differences in the BIM-ALERT security environment that are required to support the Interactive User Interface (IUI) under the CICS/TS 1.1 transaction server.

Overview

Under VSE/ESA 2.4 or later, BIM-ALERT is defined to the system as the External Security Manager (ESM). Because BIM-ALERT is the ESM, all user sign-on requests, including requests for the IUI, are passed to it for validation. To properly handle these IUI sign-on requests, BIM-ALERT now stores the IUI profile information within the S1SCTY security file.

If you are a current user of BIM-ALERT, and you ran the S1C051 conversion utility program as part of the BIM-ALERT 5.1 install, then all of the user profiles currently defined in the S1SCTY security file now contain default entries for all of the IUI profile data fields. You can use the ALRTCUP1 migration utility program to load these data fields with the IUI profile data currently contained in the IESCNTL file.

ALRTCUP1 IBM Profile Migration Utility

The ALRTCUP1 profile migration utility can be used to load the BIM-ALERT security file with the IUI profile data fields from the IESCNTL file.

The utility will read each profile defined in the BIM-ALERT security file, and then attempt to find the matching record in the IBM IESCNTL control file. If a match is found, the IUI profile data fields are copied to the corresponding fields on the BIM-ALERT security file.

You will need to execute the ALRTCUP1 utility with an input control card that specifies ‘INPUT=S1SCTY’. Please refer to Chapter 4, “Security Migration Aids”, for information on how to use this migration utility.


BIM-ALERT System Parameter Updates

The interface between BIM-ALERT and the IUI is different under CICS/TS 1.1 than it was under CICS/VSE 2.3. Under CICS/VSE 2.3, the BIM-ALERT sign-on process was placed in front of the IUI sign-on process, and BIM-ALERT would automatically drive the IUI sign-on by passing control to the S1S613 post-sign-on program.

Under CICS/TS 1.1, the IUI sign-on panel will now be used during the sign-on process, and BIM-ALERT will get control via a RACROUTE call made during the sign-on process.

If you used the BIM-ALERT sign-on interface with the IUI under CICS/VSE 2.3, you will need to update the System Parameters for Operators to allow the interface to work under CICS/TS 1.1.

You will need to update the Operator Post Sign-On program field on the UTOP screen to no longer call S1S613. The post signoff program of S1SIGNOF will be left unchanged. Please refer to the BIM-ALERT/CICS Security Administrator’s Guide for complete information on how to implement this interface under CICS/TS 1.1.

WARNING!

In the CICS/TS environment, with an External Security Manager active, the Interactive User Interface requires the ESM to maintain user profile information. Thus, when a user enters his user-id and password to sign on to the IUI, the user-id and password must match the actual BIM-ALERT user-id and password. The previously supported fields of IUI-userid and IUI-password on the BIM-ALERT user profile panel are no longer meaningful in the CICS/TS environment.


Chapter 4. Security Migration Aids

This chapter explains how to use the security system migration aids that are provided with BIM-ALERT.

About This Chapter
IBM Security Migration Aids
   Overview
   Using ALRTCRD1
      Introduction
      System Requirements
      The Migration Process
         DFHCSDUP Control Card Format
         Migration Procedure
   Using ALRTCUP1
      Introduction
      The Migration Process
         ALRTCUP1 Control Card Format
         Migration Procedure
CA-TopSecret Security Migration Aids
   Overview
   Using S1TSCNV
      Introduction
      Resources Eligible for Conversion
         Terminals
         Transactions
         Programs
         Files
         Groups
         Operators
      The Conversion Process
         Part One – Creating the TopSecret Reports
         Part Two – Converting the File
      Warning
   Using AXPTSCV
      Introduction
      Product Differences
         LIBRxxxx Resources
         User vs. Resource Orientation
      Assigning SECIDs
      The Conversion Process
         Part One – Creating the TopSecret Reports
         Part Two – Converting the File
         Generated Reports


About This Chapter

This chapter contains information on the following topics:

• Using the IBM security migration aids

• Using the CA-TopSecret security migration aids


IBM Security Migration Aids

Overview

BIM-ALERT provides several utility programs to aid in the migration of security information from the native security environment provided by IBM.

The first utility, ALRTCRD1, is designed to migrate the transaction definitions found in the DFHCSD and assign them to BIM-ALERT security resource groups based on the transaction security key found in the transaction definition.

The second utility, ALRTCUP1, creates BIM-ALERT user profile definitions. Input to this utility is either the DFHSNT security table, or the IESCNTL control file provided by IBM.


Using ALRTCRD1

Introduction

The BIM-ALERT ALRTCRD1 migration utility will scan resource groups contained in the DFHCSD resource definition file, and add a transaction resource record to the BIM-ALERT security file for each transaction definition that it finds. The transactions are then added to BIM-ALERT resource groups based on the security key that was contained in the transaction definition.

System Requirements

The ALRTCRD1 migration utility runs as an exit program to the DFHCSDUP utility program provided by IBM. If you currently use the DFHPCT table in the CICS/VSE system that you wish to convert, you will first need to load the DFHPCT table into the DFHCSD file.

Also, the DFHCSDUP utility program and DFHCSD file must be at the CICS/VSE 2.3 release level. The DFHCSD file provided with CICS/TS 1.1 no longer maintains the TRANSEC keyword, and it is this security key value that the ALRTCRD1 migration utility uses to determine which BIM-ALERT/CICS resource group the transaction should belong to.

Installation

The BIM-ALERT installation tape contains the ALRTCRD1 migration utility program and a sample job stream (ALRTCRD1.J). During the BIM-ALERT installation process, both of these members are automatically loaded into your install library.


The Migration Process

Introduction

The ALRTCRD1 migration utility runs as the user exit program to the IBM DFHCSDUP utility program.

DFHCSDUP Control Card Format

The ALRTCRD1 migration utility program is requested on the DFHCSDUP utility EXTRACT control card. You can extract a single DFHCSD resource group, or an entire DFHCSD resource group list.

In the following example, the DFHCSDUP utility program extracts information about all resources contained in the BIMEDIT resource group and passes the information to the ALRTCRD1 user exit program.

// EXEC DFHCSDUP
EXTRACT GROUP(BIMEDIT) USERPROGRAM(ALRTCRD1) OBJECTS
/*

In this second example, the DFHCSDUP utility program extracts the resource information for all resources in all resource groups contained in the BIMLIST group list.

// EXEC DFHCSDUP
EXTRACT LIST(BIMLIST) USERPROGRAM(ALRTCRD1) OBJECTS
/*

For additional information about the DFHCSDUP utility and the format of the EXTRACT control card, please refer to the IBM CICS/VSE 2.3 Resource Definition (Online) manual.


Migration Procedure

Perform the steps outlined below to migrate your transaction resources to BIM-ALERT/CICS:

Step  Action

1  Retrieve sample job stream ALRTCRD1.J from the BIM-ALERT installation library. Edit the job stream and review the outlined job steps:

   • Define CNVWRKR conversion work VSAM file.
   • Back up currently defined S1SCTY security file.
   • Execute DFHCSDUP utility’s EXTRACT function specifying ALRTCRD1 as the User Exit program.
   • Run BIM-ALERT report writer job to list the created transaction resource groups.

   You will need to modify the LIBDEF and VSAM catalog information in the supplied job stream so that it can successfully run in your environment.

2  Modify the EXTRACT input card to include the name of the DFHCSD resource group or group list that you wish to migrate. Refer to the previous section for information about the format of the EXTRACT input card.

3  Submit the ALRTCRD1 job stream.

   The DFHCSDUP utility is CPU intensive. If you are extracting and processing a resource group list, the utility may appear to be in a processing loop as it retrieves all of the details for all the resources defined in the group list.

4  Review the console log messages for any warnings or errors that were generated during the migration process.

5  Review the resource report and check the list of migrated transaction definitions and the resource groups that were created. There should be a resource group for each security key value that was found in the transaction definitions that were migrated from the DFHCSD file.


Using ALRTCUP1

Introduction

The BIM-ALERT ALRTCUP1 migration utility is designed to assist in the migration of user profile information from both the IESCNTL control file and the DFHSNT security table. In either case, the IBM profile information is read and placed in corresponding fields in the profile records being created in the BIM-ALERT/CICS security file.

Installation

The BIM-ALERT installation tape contains the ALRTCUP1 migration utility program and a sample job stream (ALRTCUP1.J). During the BIM-ALERT installation process, both of these members are automatically loaded into your install library.


The Migration Process

Introduction

The ALRTCUP1 migration utility has two primary purposes, depending on whether you are a new user of BIM-ALERT or an existing user migrating up to CICS/TS 1.1.

New users of BIM-ALERT would use the ALRTCUP1 migration utility to define new user profiles based on profile information that is currently stored in either the DFHSNT or IESCNTL control file.

Current BIM-ALERT users would use the ALRTCUP1 migration utility to bring over IUI profile information stored in the IESCNTL file, and load this information into the expanded BIM-ALERT user profile record. This is only necessary when running BIM-ALERT with the IUI under CICS/TS 1.1.

ALRTCUP1 Control Card Format

The input to the ALRTCUP1 migration utility is controlled with an input control card.

Keyword  Definition

INPUT=IESCNTL
   Read the user profile records contained in the IESCNTL control file and create a user profile entry in the S1SCTY security file for each user. This option is primarily for new users of BIM-ALERT/CICS.

INPUT=DFHSNT
   Load the DFHSNT table phase and create a user profile entry in the S1SCTY security file for each user. This option is primarily for new users of BIM-ALERT/CICS.

INPUT=S1SCTY
   Read profile entries already contained in the S1SCTY security file, and try to find the corresponding record in the IESCNTL control file. If a match is found, the IUI profile information is updated on the S1SCTY user profile record. This option is primarily for users who already run BIM-ALERT/CICS.

INPUT=BATCH50
   Read profile entries already contained in a 5.0 S1SCTY security file, and update the batch security fields on profile records already loaded in a 5.1 S1SCTY security file. These fields include TABLE NUMBER, SECID, and the BATCH=Y fields. This option is primarily for users who already run BIM-ALERT/VSE in the VSE/ESA 2.3 environment, but did not use BIM-ALERT/CICS.


Migration Procedure

Perform the steps outlined below to migrate your user profile information to BIM-ALERT/CICS:

Step  Action

1  Retrieve sample job stream ALRTCUP1.J from the BIM-ALERT installation library. Edit the job stream and review the outlined job steps:

   • Define CNVWRKR conversion work VSAM file.
   • Back up currently defined S1SCTY security file.
   • Execute ALRTCUP1 migration utility.
   • Run BIM-ALERT report writer job to list the created user profile records.

   You will need to modify the LIBDEF and VSAM catalog information in the supplied job stream so that it can successfully run in your environment.

2  Modify the INPUT= control card to reflect your choice of where to find the input profiles. Refer to the previous section for information about the various settings for the INPUT= variable.

3  Submit the ALRTCUP1 job stream.

4  Review the console log messages for any warnings or errors that were generated during the migration process.

5  Review the generated reports listing the profiles that were added, and their attributes.


CA-TopSecret Security Migration Aids

Overview

BIM-ALERT provides several utility programs to aid in the migration of security information from the Top/Secret 2.3 security environment provided by Computer Associates.

Migration program S1TSCNV is available to convert elements from the TopSecret control file into the BIM-ALERT/CICS security file format. Program AXPTSCV is used to convert elements into the BIM-ALERT/VSE security file format.

Program AXPTSCV deals only with BIM-ALERT/VSE batch security (the VSE/ESA component of BIM-ALERT). S1TSCNV deals with BIM-ALERT/CICS security (the CICS/VSE component of BIM-ALERT). If you want to use BIM-ALERT for both batch and CICS security, both programs must be executed to convert the TopSecret data.


Using S1TSCNV

Introduction

A special conversion program, S1TSCNV, is available to convert applicable elements from the TopSecret control file into the BIM-ALERT/CICS security file format. A number of elements contained in the TopSecret control file have no relevance to BIM-ALERT/CICS. These elements are ignored by the conversion process. Likewise, there are elements contained in the BIM-ALERT/CICS security file which have no counterparts in the TopSecret control file. These elements are added to the BIM-ALERT/CICS security file with the default values.

Installation

The BIM-ALERT installation tape contains the S1TSCNV conversion program and 2 sample job streams (ALTTSCV1.J and S1TSCNV.J). During the BIM-ALERT installation process, all of these members are automatically loaded into your install library.

Sample job streams:

Member      Purpose

ALTTSCV1.J  Sample job stream to create TopSecret reports that are used as input to the conversion program.

S1TSCNV.J   Sample job stream to execute the S1TSCNV conversion program. It should be modified to use the proper files/libraries before being used.


Resources Eligible for Conversion

There are a number of resources (terminals, transactions, etc.) defined on the TopSecret control file that will be automatically added to the BIM-ALERT/CICS security file as part of the conversion process. All transactions, programs, and files contained in either the TopSecret group or resource report will be added to the BIM-ALERT/CICS security file. All terminals included in the TopSecret facility report will be added. All operators included in the TopSecret user profile report will also be added to the BIM-ALERT/CICS security file.

Terminals

All terminal records defined on the TopSecret control file will be converted and added to the BIM-ALERT/CICS security file automatically. The terminal record on the BIM-ALERT/CICS security file contains considerably more information (logo suffix, message suffix, sign-on exemption information, etc.) than its counterpart on the TopSecret control file. Any information required for a terminal definition which is not available from the terminal record defined on the TopSecret control file will default to the same values which would be used if the terminal were added using the online panels and that information were not supplied.

TopSecret supported generic terminal ids, and BIM-ALERT/CICS does not. If you were using generic terminal definitions as a means of grouping many terminals into one terminal resource, this will not convert correctly to the BIM-ALERT/CICS format, and you will have to add these terminals manually. The conversion program will add the generic terminal definition, but it will not function as expected. BIM-ALERT/CICS does support dynamic terminal security (see the BIM-ALERT/CICS Security Administrator’s Guide for more information on this), so you may not need to rely on generic terminal naming conventions after converting.

Also, TopSecret allowed a terminal to be defined in multiple groups. BIM-ALERT/CICS has no facility to do this. A terminal can only be a part of one terminal group. As the terminals are added by the conversion program, a report is produced showing which BIM-ALERT/CICS terminal group each terminal was included in when it was added.


Transactions

All transaction records defined on the TopSecret control file will be converted and added to the BIM-ALERT/CICS security file automatically. All information contained in the transaction record on the BIM-ALERT/CICS security file (other than the transid) will default. Time-of-day access will default to all time and status will default to 'P'. Status 'P' (preloaded or pseudo) is a special status used by BIM-ALERT/CICS to define resources which may or may not actually be defined to CICS. Whether the resource is actually a CICS resource or a user-defined resource makes no difference to BIM-ALERT/CICS; it will be treated the same if access to it is requested.

Programs

All program records defined on the TopSecret control file will be converted and added to the BIM-ALERT/CICS security file automatically. All information contained in the program record on the BIM-ALERT/CICS security file (other than the program name) will default as follows: time-of-day access will default to all time, status will default to 'P', and the description will default to a message stating that the program was added by the conversion process.

Since the programs contained in the TopSecret reports may be either batch or online programs, an input card can be used to direct the conversion program to validate that the program really is a CICS resource before adding it. If your CICS program resources are defined using RDO, then the input parameter CSD=YES instructs the conversion to validate the program against the CSD file prior to adding it. If the program is not found in the CSD, it will not be added. If your programs are defined to CICS via a PPT, then the input parameter PPT=xx can be used to specify the suffix of the PPT to use to validate the programs. If you use a combination of a PPT and CSD, then you can use both input parameters.

Files


All file records defined on the TopSecret control file will be converted and added to the BIM-ALERT/CICS security file automatically. All information contained in the file record on the BIM-ALERT/CICS security file (other than the file name) will default as follows: time-of-day access will default to all time, status will default to 'P', and the description will default to a message stating that the file was added by the conversion process. The access authorization for files at this level (the system level) will default to 'U' (update). When the model operator records are added, inquiry/update access authorization will be determined on an individual file level and set accordingly in the model records.

Since the files contained in the TopSecret reports may be either batch or online files, an input card can be used to direct the conversion program to validate that the file really is a CICS resource before adding it. The input parameter FCT=xx can be used to specify the suffix of the FCT to use to validate the files.

Groups

Resource groups on TopSecret will be read from the group report and added to the BIM-ALERT/CICS security file. It is possible that not all groups will be added. Because of the flexibility provided by BIM-ALERT/CICS for maintaining operator resource profiles which include a mixture of groups and individual resources, any TopSecret group which only contains a single resource will not be added to BIM-ALERT/CICS as a group. Likewise, any groups which contain multiple resources that are identical except for one resource will not both be added. In these instances, BIM-ALERT/CICS will use its group include/exclude capabilities to ensure that the operators will have the same resources with far fewer groups. For a complete explanation of grouping in BIM-ALERT/CICS, please refer to the BIM-ALERT/CICS Security Administrator’s Guide.

Operators

All operators defined in the TopSecret user profile report will be added to the BIM-ALERT/CICS security file automatically. All relevant information (whether the operator is an administrator, last logon date/time, etc.) will be carried forward. All other data will default.


The Conversion Process

Introduction

The conversion tool provided is a two-part process.

Part One – Creating the TopSecret Reports

Part one of the conversion process involves creating the TopSecret batch reports. These reports must be left in the POWER LST queue. The conversion program will access them via the standard GETSPOOL macro. The jobstream ALTTSCV1.J in the BIM-ALERT install library must be used to create the reports. Do not change the POWER job name (JNM=) in the job stream.

Part Two – Converting the File

Part two of the conversion process is the real workhorse of the whole process. It accomplishes all of the processing necessary to read and decipher the pertinent information from the TopSecret control file, reformat it into a format understandable to BIM-ALERT/CICS, and load the information into the BIM-ALERT/CICS security file. As well as converting the data and loading the file, it produces a report which shows pertinent information as it is added to the file.

The conversion process uses the reports created in step one as input, and creates two VSAM files. The first VSAM file is a conversion work file. The raw data read from the input tape is reformatted into an intermediate flat file format, and written to a flat VSAM file. The data is then read from this file and formatted into the final BIM-ALERT/CICS format.

A sample jobstream to perform the conversion was cataloged during the installation as member S1TSCNV.J. This member can be extracted from the VSE library, and must be edited prior to submittal to provide information regarding libraries and VSAM catalog information. The items which need to be updated are marked in the sample jobstream.


Input Parameters

The S1TSCNV conversion program accepts three input parameters. They must be specified on the first card, and, if multiple parameters are provided, they must be separated with commas. The acceptable input parameters are as follows:

Keyword  Definition

CSD=YES/NO
   This parameter tells the conversion program whether to attempt to validate programs against the CSD file. If you do not use RDO to define your resources to CICS, then CSD=NO should be specified.

   If you specify CSD=YES, you must include a DLBL for the RDO file in the jobstream.

PPT=xx
   Where xx is the two-character suffix of the PPT from your CICS startup. This parameter acts in a similar manner to the CSD parameter, in that it can provide a method to validate that the program being acted upon is really a CICS resource. If the program is not located in the PPT, it will not be added to BIM-ALERT/CICS as a secured program.

   If this parameter is specified, the VSE sublibrary in which the member is cataloged must be included in the LIBDEF search chain.

FCT=xx
   Where xx is the two-character suffix of the FCT from your CICS startup. Files are validated against the FCT, and if not found, they will be ignored by the conversion.

   If this parameter is specified, the VSE sublibrary in which the member is cataloged must be included in the LIBDEF search chain.

WARNING!

As mentioned earlier in this chapter, there is not a perfect one-to-one correlation between TopSecret and BIM-ALERT/CICS. After the conversion is complete, it may be necessary to go into the BIM-ALERT/CICS security file and change some things manually, especially in the area of terminals.


Using AXPTSCV

Introduction

The AXPTSCV conversion program reads the TopSecret control file reports from the POWER LST queue and creates a BIM-ALERT/VSE security file. TopSecret user profiles are converted to BIM-ALERT user profiles, and TopSecret resource profiles are converted to equivalent BIM-ALERT/VSE resource rulesets.

Installation

The BIM-ALERT installation tape contains the AXPTSCV conversion program and 2 sample job streams (ALTTSCV1.J and ALTTSCV2.J). During the BIM-ALERT installation process, all of these members are automatically loaded into your install library.

Sample job streams:

Member      Purpose

ALTTSCV1.J  Sample job stream to create TopSecret reports that are used as input to the conversion program.

ALTTSCV2.J  Sample job stream to execute the AXPTSCV conversion program. It should be modified to use the proper files/libraries before being used.

The ALTTSCV2.J job stream executes the AXPPROC JCL procedure, so this member must already have been cataloged. If you have not already cataloged AXPPROC, refer to Step 3 on page 3-57.


Product Differences

The AXPTSCV conversion program converts all TopSecret resource types except terminals and transactions to equivalent BIM-ALERT/VSE rulesets. All TopSecret program, file, library, sublibrary, member, and partition resources are converted. User resource types, except for LIBRxxxx resources (see below), are also converted.

There is no BIM-ALERT/VSE counterpart to TopSecret authorization groups, so there is no one-for-one conversion of these. However, the AXPTSCV program examines each user’s authorization groups and determines which resources the user is authorized to access. The converted data reflects exactly the same authorization for the same resources and users as the original TopSecret data.

TopSecret LIBRxxxx Resources

BIM-ALERT/VSE does not provide for securing VSE/Librarian commands at the command level. Therefore, TopSecret LIBRxxxx resources are not converted. Adequate control over the various types of LIBR commands can be maintained with BIM-ALERT by using access level controls at the library, sublibrary, and member levels.

User vs. Resource Orientation

The BIM-ALERT/VSE and TopSecret views of the security data are fundamentally different. TopSecret views the data primarily from a user perspective: a user’s profile specifies which resources the user is allowed to access. BIM-ALERT/VSE views the data primarily from a resource perspective: a resource ruleset specifies which users are permitted to access the resource.

This difference does not prevent the AXPTSCV conversion program from creating BIM-ALERT/VSE resource rulesets that provide exactly the same security as the TopSecret control file. However, the security administrator(s) need to be aware of this difference when maintaining and understanding the BIM-ALERT/VSE security file.


Assigning SECIDs

BIM-ALERT/VSE associates an 8-character SECID (security ID) with each user. Users with access to the same resources (or most of the same resources) can be given SECIDs that are similar.

For example, suppose that five programmers have access to nearly all of the same resources. These users might be given SECIDs of PROGR001, PROGR002, PROGR003, PROGR004, and PROGR005. When defining resource rulesets to which these users share common access, the SECID on the ruleset could then be specified as PROGR= (meaning “all users whose SECIDs start with the characters PROGR”). When defining a resource ruleset to which only some of these users have access, the unique SECIDs of the individual authorized users could be used.

Assigning similar SECIDs to users who have access to most of the same resources can produce two benefits:

1. The resource rulesets are easier to understand because the SECIDs tend to identify functionally related groups of users.

2. The size of the security file and the storage required for the rules table are smaller.

Two Methods Provided for Assigning SECIDs


The AXPTSCV conversion program builds a unique SECID for each user. The SECID consists of two parts: a 5-character “generic” part and a 3-character unique part. The 3-character part is always the first 3 characters of the UserID.

Two methods are provided for defining the generic part of the SECID:

1. SECID based on department name

   When this method is chosen, the generic part of the SECID is formed from each individual user’s department name. The main advantage to this method is that a user’s SECID is relatively easy to recognize. When reviewing existing rulesets, or defining new ones, the administrator can readily deduce the UserID associated with a given SECID. And because the department name is part of the SECID, the SECID probably suggests the type of resources to which the user has access.

   If the TopSecret user profiles tend to have consistent department names, and if users’ authorized resources tend to be determined by what department they are in, this method will produce excellent results.

2. SECID based on access to the resources

   When this method is chosen, users are combined based upon having access to exactly the same resources. Users who have access to the same resources are given SECIDs with the same generic part. The generic part of the SECID is formed from the department name (as in the other method of assigning SECIDs), but the department name chosen by the program is simply the first one encountered in the group of users who have the same access. Other users in the group may, or may not, have the same department name. When a user does not have the same department name as the one used for the generic part of the SECID, the user’s SECID does not reflect the user’s actual department. This can prove to be troublesome for the administrator when reviewing existing rulesets, or when defining new ones.

   The main advantage to this method is that it can result in fewer individual resource rules, because it does a more precise job of assigning similar SECIDs to users who have access to exactly the same resources.

Avoiding Duplicate SECIDs

Although BIM-ALERT/VSE permits several users to be assigned the same SECID, the conversion process relies on each user having a unique SECID. Since there is no certainty that the first 3 characters of each UserID are unique, the conversion program must provide for the possibility that duplicate SECIDs may be developed by either of the above methods. When the conversion program develops a duplicate SECID, it substitutes a unique, 3-digit number for the 3 characters from the UserID. This retains the generic part of the SECID while ensuring that the full SECID is unique.
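The SECID scheme above, together with the user-to-resource inversion described under "User vs. Resource Orientation", modeled in Python as an added example (this is not BIM-ALERT or AXPTSCV code). The department abbreviation rule, the '#' padding, the numbering of duplicate SECIDs, the rule that a generic entry is emitted only when every SECID sharing the prefix is authorized, and all sample users and resources are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (TopSecret-style user view):
# UserID -> (department name, resources the user may access)
USERS = {
    "JSMITH":  ("PROGRAMMING", {"PAYROLL.FILE", "PROD.LIB", "TEST.LIB"}),
    "JSMYTHE": ("PROGRAMMING", {"PAYROLL.FILE", "PROD.LIB", "TEST.LIB"}),
    "ADAVIS":  ("PROGRAMMING", {"PROD.LIB", "TEST.LIB"}),
    "BLEE":    ("OPERATIONS",  {"PROD.LIB", "TEST.LIB"}),
    "CKIM":    ("OPERATIONS",  {"PROD.LIB"}),
}


def generic_part(department):
    """5-character generic part (assumption: first 5 characters, '#'-padded)."""
    return department.upper().replace(" ", "")[:5].ljust(5, "#")


def assign_secids(users, by_access=False):
    """Return {UserID: unique 8-character SECID}.

    by_access=False: generic part comes from each user's own department.
    by_access=True:  users with identical resource sets share the generic
                     part of the first user encountered with that set.
    """
    first_dept = {}                      # resource set -> first department seen
    secids, used, counters = {}, set(), defaultdict(int)
    for userid, (dept, resources) in users.items():
        if by_access:
            dept = first_dept.setdefault(frozenset(resources), dept)
        prefix = generic_part(dept)
        secid = prefix + userid.upper()[:3].ljust(3, "#")
        while secid in used:
            # Duplicate: replace the UserID characters with a 3-digit number
            # (assumption: per-prefix counter starting at 001).
            counters[prefix] += 1
            if counters[prefix] > 999:
                raise ValueError(f"no unique SECID left for prefix {prefix}")
            secid = f"{prefix}{counters[prefix]:03d}"
        used.add(secid)
        secids[userid] = secid
    return secids


def build_rulesets(users, secids):
    """Invert the user view into {resource: sorted SECID entries}."""
    members = defaultdict(set)           # generic prefix -> SECIDs carrying it
    for secid in secids.values():
        members[secid[:5]].add(secid)
    allowed = defaultdict(set)           # resource -> authorized SECIDs
    for userid, (_dept, resources) in users.items():
        for resource in resources:
            allowed[resource].add(secids[userid])
    rulesets = {}
    for resource, authorized in allowed.items():
        entries = []
        for prefix, group in members.items():
            if group <= authorized:
                entries.append(prefix + "=")     # every SECID with this prefix is authorized
            else:
                entries.extend(group & authorized)
        rulesets[resource] = sorted(entries)
    return rulesets


def expand(rulesets, secids):
    """Resolve rulesets back to {UserID: resources} to compare with the source."""
    access = {userid: set() for userid in secids}
    for resource, entries in rulesets.items():
        for userid, secid in secids.items():
            if any(secid == e or (e.endswith("=") and secid.startswith(e[:-1]))
                   for e in entries):
                access[userid].add(resource)
    return access


def rule_count(rulesets):
    """Total number of SECID entries across all rulesets."""
    return sum(len(entries) for entries in rulesets.values())


if __name__ == "__main__":
    source = {u: r for u, (_d, r) in USERS.items()}
    for label, by_access in (("department", False), ("access", True)):
        ids = assign_secids(USERS, by_access)
        rules = build_rulesets(USERS, ids)
        assert expand(rules, ids) == source      # authorizations unchanged
        print(label, ids, rules, rule_count(rules))
```

Comparing `expand()` of the converted rulesets with the source profiles is the check that the inversion preserved every authorization. A generic entry such as PROGR= also covers any SECID later assigned that prefix, so generic rulesets deserve review whenever new SECIDs are handed out.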


The Conversion Process

Introduction

The conversion tool provided is a two-part process.

Part One – Creating the TopSecret Reports

Part one executes TopSecret program CASECMND to create four reports. An example of the JCL to create the reports is cataloged in the BIM-ALERT install library as member ALTTSCV1.J. Retrieve this member from the library, insert a LIBDEF statement, and provide information about the sort work file.

The conversion program, AXPTSCV, expects to find the report data in the POWER LST queue under the specific names used in the example JCL. Create the four reports using four separate POWER job streams, as shown in the examples. Do not change the POWER job names (JNM=) used to create the reports.

Program AXPTSCV checks whether exactly one entry is present in the LST queue for each of the four reports. If no entry is present, or if multiple entries are present for the expected entry name, the program issues an error message and terminates. If you have previously executed the example job streams to create these reports, delete them from the POWER LST queue before executing the job streams again.

The expected LST queue entry names are:

Entry Name  Report Contents
ALTTSCAP    TopSecret Authorization Profiles
ALTTSCRP    TopSecret Resource Profiles
ALTTSCFP    TopSecret Facility Profiles
ALTTSCUP    TopSecret User Profiles

Part Two – Converting the File


Part two of the conversion process executes program AXPTSCV. This program reads the POWER LST queue members created in part one, places the data in storage, sorts, searches, combines, and formats the data into BIM-ALERT/VSE records, and finally adds the records to the BIM-ALERT/VSE security file. While the program is executing, it issues console messages to track the progress of the conversion.

During the course of the conversion, program AXPTSCV produces reports on SYSLST. These reports serve two purposes:

1. They provide a modest audit trail of the conversion process and can be used to verify that all the data was converted.

2. They provide exception information about TopSecret data that was not in the format expected, and that therefore was not converted, or was only partially converted.

Partition GETVIS Requirements

The AXPTSCV conversion program requires a rather large amount of partition GETVIS storage. The actual amount required depends upon several factors, including the number of TopSecret user profiles to be converted, the total number of batch resources, and the number of resources each user has access to. A 1 megabyte partition should be adequate for moderately large TopSecret control files, while a 2 megabyte partition should be adequate for a very large control file. It is recommended that you first try a 1 megabyte partition and, if that is inadequate, try again in a 2 megabyte partition.

Input Parameters


The AXPTSCV conversion program accepts several input parameters. These are entered in the EXEC PARM in any order and in any combination. They are separated from one another with one or more blank columns. All of these parameters are optional.

Most of these parameters have a default setting and one other setting. The “other” setting can be selected by specifying the parameter in the EXEC PARM, but the default setting cannot be explicitly selected. For example, PDUMPs for debugging can be selected by specifying DUMP=YES. The default, do not produce dumps, cannot be explicitly selected, but can only be implied by omitting the DUMP=YES. DUMP=NO is invalid and cannot be specified.

The following EXEC PARM parameters are supported:

Keyword Definition

DUMP=YES Requests PDUMPs of various tables during the course of the conversion. This is primarily used for debugging. If DUMP=YES is omitted, no PDUMPs are produced.

NBUSERS=YES If this parameter is specified, the program adds a User Profile for each NO-BATCH user. If this parameter is omitted, these User Profiles are omitted from the BIM-ALERT security file. Omitting these user profiles can save about 60 bytes per profile in the BIM-ALERT/VSE rules table. (How a user is determined to be a “NO-BATCH” user is discussed elsewhere in this document.)

SECID=GROUPS If this parameter is specified, the program assigns SECIDs based on the user’s TopSecret authorization groups. Users with exactly the same TopSecret authorization groups are assigned a similar SECID, using the department abbreviation of one (random) user from the group. In some cases, this can result in considerably fewer BIM-ALERT/VSE resource records, because the conversion will then be able to employ generic SECIDs more effectively.

If this parameter is omitted, the program assigns SECIDs based on the user’s department name. In some cases, this can produce more descriptive SECIDs than the other method, but it may also result in a larger rules table.

Generated Reports


The AXPTSCV program produces several reports. These reports document the conversion process, and, in some cases, provide exception information that may indicate data that the program was unable to convert.

1. BUILDING BATCH GROUPS TABLE

During this step, the AXPTSCV program produces a listing of the TopSecret authorization groups that the program determined to be “batch groups”. This listing shows the name of each group and the number of resources in the group.

2. ASSIGNING SECIDS

During this step, the AXPTSCV program produces a listing of the user information, including the department abbreviation and the SECID developed by the conversion program. The listing also shows the TopSecret batch authorization groups that were found for the user.

A user may be flagged as *DUPLICATE*. This means that two profiles were found that had exactly the same user name. Since BIM-ALERT requires that each user profile name be unique, the conversion program has changed the name by overlaying the last 8 bytes with the UserID.

A user may be flagged as *DEPT*. This means that the department name field is blank. Since BIM-ALERT requires a department name, the conversion program has substituted the user name for the blank department name.

3. BUILDING RESOURCE DIRECTORY

During this step, the AXPTSCV program produces a listing of resource-ID, resource type, and resource name for any TopSecret resource that was found to have an invalid resource name. For example, a sublibrary with a period in the sublibrary portion of the name is invalid. These are shown with **INVALID RESOURCE NAME**. These resources are not converted.

TopSecret permits a given resource to be defined more than once. The conversion program’s processing logic requires that each combination of resource type and resource name be unique. The program resolves duplicates by treating them as “alias” names and referring the duplicate back to the original resource. No loss of security occurs. Duplicate resources are flagged with **DUPLICATE RESOURCE**.

4. BUILDING WORK RESOURCE TABLE

During this step, the AXPTSCV program checks for references to non-existent resources. This list shows the name of the authorization group that lists the resource, the resource-ID, the resource type, and **UNDEFINED RESOURCE**.

These entries may be repeated several times, because:


An undefined resource can be included in any number of different authorization groups.

Each group can be referenced by any number of users.

5. BUILDING FINAL RESOURCE TABLE

During this step, the AXPTSCV program lists resources that were not referred to in any batch authorization group. These resources are converted, but no user is given access to them. The listing shows resource-ID, resource type, resource name, and **UNREFERENCED RESOURCE**.

Chapter 5. Submittal Monitors and Security Exits

This chapter explains how to install submittal monitors and security exits used by BIM-ALERT/VSE.

About This Chapter 5-3
About the Submittal Monitor Facility 5-4
    Introduction 5-4
    Omitting ID Cards From Remote Jobs 5-6
Installing Submittal Monitors 5-7
    BIM-EDIT Submittal Monitor 5-7
    BIM-FAQS/PCS Submittal Monitor 5-8
    CA-SCHEDULER Submittal Monitor 5-9
    CA-VOLLIE Submittal Monitor 5-10
    CMS Submittal Monitor 5-14
    CONDOR Submittal Monitor 5-27
    CSAR Submittal Monitor 5-30
    EZ/KEY Submittal Monitor 5-33
    GSERV Submittal Monitor 5-34
    ICCF Submittal Monitor 5-35
    I.E. Submittal Monitor 5-37
    ZEKE Submittal Monitor 5-38
Installing Security Exits 5-40
    Introduction 5-40
    Installing a Security Exit for BIM-EPIC 5-41
    Installing a Security Exit for CA-EXPLORE for CICS-VSE 5-42
    Installing a Security Exit for CA-EXPLORE for VSE 5-43
    Installing a Member-Level Security Exit for BIM-FAQS/PCS 5-44
    Installing a Job-Submittal Security Exit for BIM-FAQS/PCS 5-45
    Installing a Security Exit for CA-FAVER for VSE 5-46
    Installing a Security Exit for CA-MASTERCAT for VSE 5-47
    Installing a Security Exit for CA-XCOM 5-48
    Installing a Security Exit for DITTO for VSE and DITTO/ESA 5-49


About This Chapter

This chapter contains information on the following topics:

Activating submittal monitor facilities

Installing security exits


About the Submittal Monitor Facility

Introduction

A job's security authorization is usually based on the identity of the job's submittor. The VSE ID statement and, in VSE/ESA version 1.3 or above, the VSE/POWER SEC= parameter of the $$ JOB statement can be used to identify the submittor. BIM-ALERT's submittal monitors determine the identity of the submittor at the time the job is submitted and insert an ID statement or a SEC= parameter into the jobstream, so that the submittor is not required to do so.

BIM-ALERT/VSE provides job submittal monitor programs for the following environments:

Environment Page

BIM-EDIT 5-7

BIM-FAQS/PCS 5-8

CA-SCHEDULER 5-9

CA-VOLLIE 5-10

CMS 5-14

CONDOR 5-27

CSAR 5-30

EZ/KEY 5-33

GSERV 5-34

ICCF 5-35

I.E. (formerly MSA I.E.) 5-37

ZEKE 5-38

About BIM-ALERT's Submittal Monitors

Submittal Monitors Provided


If you reinstall a product listed in the preceding table, you generally must reinstall BIM-ALERT's submittal monitor for that product.

In releases of VSE prior to VSE/ESA 1.3, BIM-ALERT inserts the user ID information in a // ID statement. In VSE/ESA 1.3 or above, BIM-ALERT inserts user ID information as follows:

For These Submittal Monitors / ALERT Inserts the Following

BIM-EDIT, CA-SCHEDULER, CONDOR, CSAR, EZ/KEY, BIM-FAQS/PCS, GSERV, I.E., ZEKE: An encrypted // ID JCL statement

AXPSERV (CMS), ICCF, CA-VOLLIE: An encrypted SEC= parameter in the * $$ JOB statement

If the system is IPL'd with SEC=NO, BIM-ALERT's submittal monitors do not insert ID information. The CMS submittal monitor, AXPSERV, is the exception. Because AXPSERV does not have access to the target VSE machine's IPL settings, it is not possible to determine whether the VSE machine is IPL'd with SEC=NO.

To omit ID information from AXPSERV submittals, remove the target machine's DEST statement from the AXPSERV configuration file.

If You Reinstall a Product for Which You Use a Submittal Monitor

How BIM-ALERT Inserts Information


Omitting ID Cards From Remote Jobs

A jobstream submitted from one system can be routed to another system by using certain JECL parameters. If BIM-ALERT's submittal monitor should insert ID information in a job that is destined for a system that is not running security, the ID information would be regarded as invalid at the destination site and might force an operator intervention.

To avoid this kind of problem, BIM-ALERT provides a way to define systems that do not run security. The security administrator can use the NETWORK SUBMITTAL CONTROL panel of the SCFL submenu of ALXP to define destinations where ID information should be omitted. This panel also provides for submitting a job to assemble these definitions into the table AXPHI4A that is loaded into the SVA. The various submittal monitors access this table and omit ID information for destinations that are not running security.

Because the CMS submittal monitor (AXPSERV) does not have access to the VSE SVA where AXPHI4A is resident, it cannot omit ID cards based on what you have defined in AXPHI4A. You can perform a similar function with the AXPSERV output exit. Refer to page 5-14 for more information about this exit. A sample EXEC to perform this type of function is provided on the CMS portion of the BIM-ALERT install tape.

The BIM-FAQS/PCS submittal monitor does not access AXPHI4. To omit ID statements using the XDEST parameter, use the BIM-FAQS/PCS PCSEX1 exit program.

Avoiding Invalid ID Statements for Routed Jobs

Submittal Monitors That Do Not Use the Network Submittal Control Table


Installing Submittal Monitors

BIM-EDIT Submittal Monitor

BIM-ALERT's submittal monitor for BIM-EDIT inserts an ID statement into jobstreams submitted from any BIM-EDIT session. The ID statement contains the submittor's BIM-EDIT user ID.

The submittal monitor runs as the BIM-EDIT SUBMITF exit program. Version 4.1 or higher of BIM-EDIT is required. The BIM-ALERT exit does not provide support for passing control to an installation's existing SUBMITF exit.

If you already have a local SUBMITF exit (BIXPWSB), you will need to put your local updates to BIXPWSB into the sample source provided in the BIM-ALERT residence sublibrary. BIM-ALERT's sample source member (AXPHJ21.A) contains the BIXPWSB skeleton normally provided on the BIM-EDIT install tape with the necessary updates to insert ID cards for use by BIM-ALERT security. Please see member AXPHJ21.A in the BIM-ALERT residence library for further instructions.

Perform the following steps to install the BIM-ALERT/VSE submittal monitor for BIM-EDIT. Once these steps have been completed, the BIM-ALERT/VSE submittal monitor is activated automatically each time BIM-EDIT is started:

Step Action

1 Copy member AXPHJ21.PHASE from the BIM-ALERT residence sublibrary into the library where the BIM-EDIT programs reside.

2 Rename the current BIM-EDIT phase BIXPWSB in the BIM-EDIT library to a save name.

3 Rename member AXPHJ21.PHASE to BIXPWSB.PHASE in the BIM-EDIT library.

Introduction

Already Using SUBMITF Exit

Installation Procedure


BIM-FAQS/PCS Submittal Monitor

After you complete the following steps, the submittal monitor for BIM-FAQS/PCS is automatically in place whenever BIM-FAQS/PCS is started.

Step Action

1 Add the following statement to your JCLJAUTO.CTL, JCLRERUN.CTL, and JCLRSTRT.CTL procedures:

PARM &ALTU='NONE',&ALTP='JCLM@OP'

IF &ALTU EQ 'NONE' SET &ALTU=&&PARAMB

// ID USER=&ALTU,PWD=&ALTP

2 Do one of the following:

Add the BIM-ALERT/VSE residence sublibrary to the LIBDEF PHASE,SEARCH chain for the partition where BIM-FAQS/PCS runs.

Put AXPHJ4 in the SVA.

Procedure


CA-SCHEDULER Submittal Monitor

BIM-ALERT/VSE provides a job submittal monitor for jobstreams that are placed in the VSE/POWER reader queue by CA-SCHEDULER. This submittal monitor differs from most of the others in that it does not attempt to associate a specific user's identity with these jobstreams. Instead, it inserts an ID statement with a pseudo-user ID of CA-SCHED into the jobstream.

The submittal monitor runs as the CA-SCHEDULER JCL Modification Exit program. Version 7.1 or higher of CA-SCHEDULER is required. The BIM-ALERT/VSE exit does not provide support for passing control to an installation's existing exit. If an installation already has its own JCL Modification Exit in place, BIM-ALERT/VSE's submittal monitor cannot be employed.

Perform the following steps to install the BIM-ALERT/VSE submittal monitor for CA-SCHEDULER. Once these steps have been completed, the BIM-ALERT/VSE submittal monitor is activated automatically each time CA-SCHEDULER is started.

Step Action

1 Copy AXPHJ20.PHASE from the BIM-ALERT/VSE residence sublibrary into the library where the CA-SCHEDULER programs reside.

2 Rename AXPHJ20.PHASE to CAJEJCLX.PHASE in the CA-SCHEDULER library.

If it is necessary to deactivate the submittal monitor, perform the following steps:

Step Action

1 Rename CAJEJCLX.PHASE to AXPHJ20.PHASE in the CA-SCHEDULER library.

2 Terminate CA-SCHEDULER.

3 Restart CA-SCHEDULER.

Introduction

Installation Procedure


CA-VOLLIE Submittal Monitor

CA-VOLLIE provides an exit facility for its submit process. BIM-ALERT/VSE supplies a program (AXPHJ6) that runs as the CA-VOLLIE submittal exit and performs BIM-ALERT's submittal monitor functions.

Introduction

Installation Procedure


Perform the following steps to enable BIM-ALERT's submittal monitor for CA-VOLLIE. After you complete these steps, BIM-ALERT's submittal monitor will activate automatically each time you activate CA-VOLLIE.

Step Action

1 If the BIM-ALERT residence sublibrary is listed in the LIBDEF SEARCH chain for the partition where you run CA-VOLLIE, you can omit this step.

Otherwise, copy the BIM-ALERT submittal monitor programs into your CA-VOLLIE sublibrary. Refer to AXPHJ6.J in the BIM-ALERT residence sublibrary for an example of JCL and LIBR commands for copying these programs.

2 Add program AXPHJ6 to the CICS PPT. Refer to AXPHJ6.A in the BIM-ALERT residence sublibrary for an example of this PPT entry.

3 Depending on the version of CA-VOLLIE you are running, do one of the following:

For early versions of CA-VOLLIE, modify your CA-VOLLIE installation parameters to specify EXSUB=AXPHJ6. CA-VOLLIE's EXSUB parameter names the program you want to run as the submittal exit.

For later versions of CA-VOLLIE, an online panel is provided for you to specify the name of an exit program for submits. Specify AXPHJ6 in this field. Refer to your CA-VOLLIE documentation for further information.

4 Set up to have BIM-ALERT call your submittal exit program.

If you use a CA-VOLLIE submittal exit of your own (you already have a value specified for EXSUB), BIM-ALERT's program (AXPHJ6) will displace yours. However, because AXPHJ6 is designed to pass control to a local exit program, your program can still gain control as before. You tell AXPHJ6 to pass control to your program by renaming your program to AXPHJ6B.

Do the following if you want BIM-ALERT to pass control to your submittal exit program. Omit these steps if you do not use a submittal exit of your own.

Step Action

4a Rename your submittal exit program to AXPHJ6B.PHASE.

4b Add transaction AX6C to your CICS PCT.

4c Add programs AXPHJ6G and A1MHJ6G to the CICS PPT.

Refer to AXPHJ6.J for an example of JCL and LIBR commands to rename your program.

Refer to AXPHJ6.A in the BIM-ALERT residence sublibrary for examples of the PCT entry and the PPT entries.

5 Reinstall CA-VOLLIE. Refer to the CA-VOLLIE installation documentation for further information.


This section describes how BIM-ALERT's CA-VOLLIE submittal exit program (AXPHJ6) interacts with your CA-VOLLIE submittal exit program (renamed to AXPHJ6B). If you do not have a CA-VOLLIE submittal exit program of your own, you can skip this section.

The first time AXPHJ6 is invoked by CA-VOLLIE, it attempts to load phase AXPHJ6B. If this phase is present, it displays the following message on the system operator console:

AX419 AXPHJ6B LOADED

If this phase is not present, AXPHJ6 displays the following message on the system operator console:

AX802 PHASE=AXPHJ6B NOT FOUND BY CDLOAD

After this, AXPHJ6 does not try to load AXPHJ6B again, so it will not continue to issue messages.

During the course of each submit operation, if phase AXPHJ6B is present, AXPHJ6 passes control to it for each line of the file. Each time AXPHJ6B returns to AXPHJ6, AXPHJ6 analyzes the return code and the other CA-VOLLIE parameters, and processes these in the same way that CA-VOLLIE would. As a result, your program can operate as it did when it was being called directly by CA-VOLLIE. You don't need to modify it; you simply need to rename it to AXPHJ6B (see above) so that AXPHJ6 will pass control to it.

When your program runs as the CA-VOLLIE submittal exit, you can load a new copy of it with CEMT NEWCOPY. After you set up BIM-ALERT as the CA-VOLLIE submittal exit and your program is invoked by AXPHJ6, you can no longer use CEMT NEWCOPY to load a new copy of your program. Instead, you execute BIM-ALERT CICS transaction AX6C.

To execute AX6C, enter AX6C at any terminal that is accessible in the CICS partition where you run CA-VOLLIE. AX6C reloads AXPHJ6B and modifies a control record in storage to point to the new copy of the program. If AX6C succeeds in loading AXPHJ6B, it displays the following message:

AX419 AXPHJ6B LOADED

If this phase is not present, AXPHJ6 displays this message:

AX802 PHASE=AXPHJ6B NOT FOUND BY CDLOAD

AX6C displays these messages on both the system operator console and on the CICS user's terminal.

How BIM-ALERT Interacts with Your Exit Program

How to Reload Your Exit Program


When AX6C reloads program AXPHJ6B, it releases the storage occupied by the old copy of the program. To avoid disrupting a submit operation when this storage is released, programs AX6C and AXPHJ6 use an enqueuing procedure, which enforces the following rules:

Any number of concurrent submit operations are permitted.

While AX6C is executing, a submit request is denied. The terminal operator must reissue the request after AX6C completes.

While any submit is in progress, a request to execute AX6C is temporarily suspended. The request is reissued (by AX6C itself) repeatedly for about 30 seconds. If, after 30 seconds, a submit is still in progress, AX6C terminates. The terminal operator must reissue the request after the submit operation completes.

An abend of AXPHJ6 or AX6C could leave the enqueuing record in a state that would prevent all subsequent submit operations and executions of AX6C. In this event, the record can be repaired by executing AX6C in a special mode that bypasses the enqueuing procedure. To execute in this mode, enter AX6C FORCE at your terminal (instead of just AX6C).

Use AX6C FORCE only as a last resort in dire circumstances, and then only after you take steps to keep CA-VOLLIE users from issuing submit requests while AX6C executes. If possible, take the CA-VOLLIE transaction temporarily out of service with CEMT before you execute AX6C FORCE.
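The enqueuing rules and the FORCE bypass described above can be modelled as a small state machine. This is an added example, not BIM-ALERT code: the record fields, class and function names, the one-second retry interval, and the way FORCE resets the record are assumptions made for illustration.

```python
RETRY_WINDOW = 30  # seconds AX6C keeps reissuing its request, per the guide


class EnqueueRecord:
    """Hypothetical layout of the shared enqueuing record."""

    def __init__(self):
        self.submits = 0        # submit operations currently in progress
        self.reloading = False  # True while AX6C is executing
        self.generation = 1     # which copy of AXPHJ6B is loaded


class ExitGate:
    def __init__(self, wait=lambda seconds: None):
        self.rec = EnqueueRecord()
        self._wait = wait  # injected so the model runs without sleeping

    def begin_submit(self):
        """Return the exit copy in use, or None if the submit is denied."""
        if self.rec.reloading:
            return None  # operator must reissue after AX6C completes
        self.rec.submits += 1  # any number of concurrent submits is allowed
        return self.rec.generation

    def end_submit(self):
        self.rec.submits -= 1

    def reload(self, force=False, retry_interval=1):
        """Model of AX6C; force=True models AX6C FORCE."""
        if force:
            # Assumed repair action: the record is reset without checking
            # whether a submit is really still running.
            self.rec.submits = 0
            self.rec.reloading = False
        waited = 0
        while self.rec.submits > 0 or self.rec.reloading:
            if waited >= RETRY_WINDOW:
                return "TERMINATED"  # operator must reissue AX6C later
            self._wait(retry_interval)
            waited += retry_interval
        self.rec.reloading = True
        self.rec.generation += 1  # storage of the old copy is released here
        self.rec.reloading = False
        return "LOADED"


def scenario_submit_finishes():
    """A submit ends after five retries, so the reload then succeeds."""
    ticks = []

    def wait(seconds):
        ticks.append(seconds)
        if len(ticks) == 5:
            gate.end_submit()

    gate = ExitGate(wait)
    gate.begin_submit()
    return gate.reload(), len(ticks)


def scenario_abend_then_force():
    """A submit abends without releasing the record; only FORCE clears it."""
    gate = ExitGate()
    in_use = gate.begin_submit()       # abends: end_submit() is never called
    normal = gate.reload()             # retries for 30 seconds, then gives up
    forced = gate.reload(force=True)   # record repaired, new copy loaded
    # Had that submit still been running, it would now hold a released copy,
    # which is why submits should be quiesced before AX6C FORCE.
    stale = in_use != gate.rec.generation
    return normal, forced, stale, gate.begin_submit()


if __name__ == "__main__":
    print(scenario_submit_finishes())
    print(scenario_abend_then_force())
```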

AXPHJ6 and transaction AX6C display the following message when the local exit phase, AXPHJ6B, is not present in the library search chain. If your installation does not have a local CA-VOLLIE submittal exit, this message can be ignored.

AX802 PHASE=AXPHJ6B NOT FOUND BY CDLOAD

AX6C/AXPHJ6 Enqueuing

Bypassing AX6C/AXPHJ6 Enqueuing

WARNING!

AXPHJ6 and AX6C Console Message


CMS Submittal Monitor

If you use CMS to submit jobs to VSE machines, you should activate this part of the submittal monitor facility. The CMS submittal monitor uses a disconnected server machine named AXPSERV. After you define AXPSERV and modify users' SUBMIT EXECs, AXPSERV processes all their SUBMIT requests.

Define a CMS machine named AXPSERV. The following is an example of the directory for AXPSERV. The amount of disk space allocated is adequate to contain the data from the installation tape and to enlarge the configuration file.

*

USER AXPSERV xxxxxxx 1M 2M BDEG

ACCOUNT aaaaaaa bbbbbb

IPL CMS PARM AUTOCR

CONSOLE 009 3215

SPOOL 00C 2540 READER A

SPOOL 00D 2540 PUNCH A

SPOOL 00E 1403 A

MDISK 191 3380 291 001 VM3382 MR

LINK MAINT 190 190 RR

LINK MAINT 19D 19D RR

LINK MAINT 19E 19E RR

*

Introduction

Step 1


Load data from the installation library to AXPSERV's A-disk. The AXPSERV data comprises the following CMS files:

AXPJCLXX.EXEC.A
AXPSEND.EXEC.A
AXPSERV.CONFIG.A
AXPSERV.MODULE.A
AXPSERV2.MODULE.A
AXPSERV3.MODULE.A
AXPUSERX.EXEC.A
PROFILE.EXEC.A
SLI.EXEC.A
XINC.EXEC.A

SLI.EXEC, AXPJCLXX.EXEC, and XINC.EXEC illustrate the AXPSERV output exit facility.

Take the following steps to load the data to the AXPSERV A-disk using the VSE LIBR utility:

Step Action

2a Retrieve the member AXPPUNCH.Z from the BIM-ALERT sublibrary.

2b Change the JCL in AXPPUNCH.Z as follows:

Specify the name of the CMS machine where you want the AXPSERV material to be sent in the * $$ PUN statement. Normally this is the AXPSERV machine.

Change the references to ?ALT.SUBLIB? to the name of the BIM-ALERT install sublibrary.

2c Submit the JCL to the VSE machine.

2d LOGON to the AXPSERV guest machine.

2e Verify that output from step 2b is in AXPSERV's CMS RDR.

2f Use the following CMS command to load the BIM-ALERT members to the CMS 191 A-disk:

DISK LOAD * * A

Step 2


Define the AXPSERV configuration file. The configuration file is called AXPSERV CONFIG. The following types of statements may be present in the file. (A statement that starts with an asterisk (*) in position 1 is treated as a comment.)

Statement Type Description

DEST Each DEST statement defines a VSE machine's CMS user ID, any remote RSCS node, and the kind of User ID information to insert. For information about processing of the DEST statement, refer to page 5-19.

To send a jobstream to another system that runs AXPSERV, use the AT node operand.

To send a jobstream to a remote machine running native VSE, specify the VIA RSCS parameter on the DEST statement. For further information and an example, refer to page 5-22.

The syntax of the DEST statement is as follows:

DEST targetid {VIA RSCS} {AT node} {CLASS class} {IDTYPE code}

Operand Description

targetid Specify the CMS ID of the target VSE machine.

VIA RSCS Indicates that the jobstream should be routed through RSCS, instead of being transferred directly to the target VSE machine or a remote AXPSERV. If you specify VIA RSCS, do not specify AT or CLASS.

AT node Specify the RSCS node ID where the target VSE machine is located. Do not include this operand if the target VSE machine is local or if you specify the VIA RSCS operand.

CLASS Specify the VM class you want AXPSERV to assign to the output punch file. If no CLASS is specified, the default is CLASS X.

IDTYPE code Indicates the type of user ID information to insert. Specify one of the following:

IDCARD For pre-VSE/ESA 1.3. Inserts an ID statement.

$$JOB For VSE/ESA 1.3 or above. Inserts the $$ JOB information.


Step 3


ENCRONLY This statement defines a CMS user ID whose SUBMIT requests are processed in a special way. AXPSERV encrypts ID statements it finds in jobstreams from any user ID named by an ENCRONLY statement. It does not insert an ID statement containing the user ID of the actual SUBMIT requestor. You might use ENCRONLY processing for a machine that schedules and SUBMITs production jobs to VSE machines, where the jobstreams contain // ID information other than that of the service machine.

The ENCRONLY process creates a security exposure if the associated CMS user ID is not itself totally secure. Any user who can LOGON to a machine covered by an ENCRONLY statement may then submit jobstreams that will appear to have been submitted from any user ID the user chooses.

In most environments ENCRONLY processing is not required. As a general rule, we recommend that it only be used in special circumstances, and where additional VM and CMS security measures (outside BIM-ALERT/VSE) are in place. As a minimum precaution, any machine covered by an ENCRONLY statement should have the following features:

• A secure LOGON password (not the same as the LOGON user ID)

• Its minidisks should be defined without passwords (other users may not LINK to them)

If you employ extended VM security measures (local modifications or third-party software such as CA-ALERT for VM), you should apply these to any ENCRONLY machine to make it as secure as possible.

The format of the ENCRONLY statement is identical to that of the DEST statement. (The CLASS parameter is treated as a comment in the ENCRONLY statement.) The format of the DEST statement is illustrated in the example on page 5-19.

Note that the ENCRONLY statement will not be accepted by the normal AXPSERV module distributed on the installation tape. In order to use ENCRONLY, you must erase AXPSERV.MODULE.A and rename AXPSERV2.MODULE.A to AXPSERV.MODULE.A, as described in step 4 on page 5-19.

INVDEST The INVDEST statement specifies what you want AXPSERV to do with a request to SUBMIT to a machine not defined by a DEST statement. Valid options are PURGE and PASS, as follows:

PURGE Indicates not to perform the SUBMIT at all.

PASS Indicates to perform the SUBMIT, but not to insert any VSE ID statement in the jobstream.

The INVDEST statement is not required. If none is present, AXPSERV defaults to INVDEST PASS.


LOCNODE Defines the RSCS local node name. This allows AXPSERV to determine whether a submittal is targeted for a local VSE machine or for a remote VSE machine. The following rules determine whether you must specify a LOCNODE statement:

• If your installation did not define a local RSCS node when VM was generated, a LOCNODE statement is required. Specify only one LOCNODE statement. It must precede the first DEST statement.

• If your installation defined a local RSCS node to VM, the LOCNODE statement is not required and is not allowed.

If you are uncertain whether your installation has a local RSCS node defined, issue the IDENTIFY CMS command from any local CMS machine. If the command displays AT * for the node ID, then no local RSCS node is defined. If the command displays AT nodeid, then a local RSCS node is defined.

SECOPR Use the SECOPR statement to specify the CMS user ID of the security administrator. AXPSERV routes certain error messages to the console of the security administrator. These same messages are also routed to the main operator console and to the AXPSERV machine's console.

This statement is not required. If no SECOPR statement is present, AXPSERV considers the user ID of the security operator to be AXPSERV.


DEST Statement Processing

Each DEST statement in the AXPSERV configuration file defines the CMS user ID of a VSE machine and its remote RSCS node (if any). When AXPSERV receives a request to submit a jobstream, it compares the target CMS user ID and RSCS node, as designated by the TAG DEV PUN information, against the DEST statements in the configuration file, as follows:

• If AXPSERV finds a match on both CMS user ID and RSCS node, it inserts user ID information in the jobstream.

• If AXPSERV does not find a DEST statement that matches the requested target CMS user ID and RSCS node, its action depends on the INVDEST statement, as follows:

  • If INVDEST PURGE is specified, AXPSERV rejects the submittal request and issues the following message on the AXPSERV console:

    AXPSRV71E ... DEST NOT DEF ... - DISCARDED

  • If INVDEST PASS is specified, AXPSERV carries out the submittal request, but does not insert user ID information in the jobstream. It issues the following message on the AXPSERV console:

    AXPSRV73I ... DEST NOT DEF ... - SENT

Supplied Configuration File

The configuration file that is shipped on the installation tape is as follows:

* EXAMPLE AXPSERV.CONFIG FILE

* LOCNODE MYSITE

SECOPR MYSECOP

INVDEST PASS

DEST VSECAN AT TORONTO CLASS Q

DEST VSEX CLASS A

DEST VSEY CLASS Z

WARNING!

The AXPSERV configuration file must be fixed format. It is shipped in that format on the tape. When you XEDIT the file, be sure to specify RECFM F.

Step 4

If you do not need the ENCRONLY option (see the preceding table), erase AXPSERV2.MODULE.A. If you need the ENCRONLY option, erase AXPSERV.MODULE.A and rename AXPSERV2.MODULE.A to AXPSERV.MODULE.A.


Step 5

Change SUBMIT procedures (EXECs) to direct their output to AXPSERV instead of the target VSE machine. You can do this in either of the following two ways:

Method 1: Replace CP SP PUN, PUNCH, and CP CLOSE commands with an invocation of the AXPSEND EXEC, which is provided on the AXPSERV A disk on the installation tape. See the example on page 5-21.

Method 2: Modify CP SP PUN commands to specify AXPSERV as the target machine, and add a CP TAG DEV command that designates the target VSE machine. See the example on page 5-21.

AXPSERV uses the TAG DEV PUN information to determine the destination for each input file. AXPSERV recognizes two positional parameters for this TAG information. The first parameter is the destination node ID. The second parameter is the destination user ID. Other tag information after the second parameter (if any) is not used by AXPSERV. If only a single parameter is present, AXPSERV treats it as the destination user ID. When the destination node ID is omitted, AXPSERV assumes that the destination user ID is local.

For example, the following commands illustrate sending a file to AXPSERV for submittal to the user ID VSE at the remote RSCS node TORONTO:

SP PUN AXPSERV
TAG DEV PUN TORONTO VSE
PUNCH EXAMPLE JCL A

The following commands illustrate sending a file to AXPSERV for submittal to the local user ID VSE2:

SP PUN AXPSERV
TAG DEV PUN VSE2
PUNCH EXAMPLE JCL A
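The DEST/INVDEST matching rules and the TAG DEV PUN operand rules described above can be checked offline against a copy of the configuration file. The following is an added example, not code from BIM-ALERT or its installation tape: the class and function names, the result labels INSERT_ID/PASS/PURGE, the treatment of `*` lines as comments, and the rule that a TAG node equal to the LOCNODE name counts as local are assumptions, and the ENCRONLY PRODSCHD line in the sample is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Dest:
    targetid: str
    node: Optional[str] = None      # AT node; None means a local target
    via_rscs: bool = False
    vm_class: str = "X"             # page: CLASS defaults to X
    idtype: Optional[str] = None    # IDCARD or $$JOB

@dataclass
class Config:
    locnode: Optional[str] = None
    secopr: str = "AXPSERV"         # page: default when SECOPR is absent
    invdest: str = "PASS"           # page: default when INVDEST is absent
    invdest_explicit: bool = False
    dests: List[Dest] = field(default_factory=list)
    encronly: List[Dest] = field(default_factory=list)
    exits: Dict[str, str] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)

def parse_operands(tokens: List[str], lineno: int, errors: List[str]) -> Dest:
    """Parse 'targetid {VIA RSCS} {AT node} {CLASS class} {IDTYPE code}'."""
    d, seen, i = Dest(targetid=tokens[0]), set(), 1
    while i < len(tokens):
        kw = tokens[i]
        val = tokens[i + 1] if i + 1 < len(tokens) else None
        if kw == "VIA" and val == "RSCS":
            d.via_rscs = True
        elif kw == "AT" and val:
            d.node = val
        elif kw == "CLASS" and val:
            d.vm_class = val
        elif kw == "IDTYPE" and val in ("IDCARD", "$$JOB"):
            d.idtype = val
        else:
            errors.append(f"line {lineno}: bad operand {kw}")
            break
        seen.add(kw)
        i += 2
    if d.via_rscs and seen & {"AT", "CLASS"}:
        errors.append(f"line {lineno}: VIA RSCS excludes AT and CLASS")
    return d

def parse_config(text: str) -> Config:
    cfg = Config()
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.upper().split()
        if not tokens or tokens[0].startswith("*"):   # assumption: '*' starts a comment
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("DEST", "ENCRONLY") and args:
            target = cfg.dests if kw == "DEST" else cfg.encronly
            target.append(parse_operands(args, lineno, cfg.errors))
        elif kw == "LOCNODE" and args:
            if cfg.locnode or cfg.dests:
                cfg.errors.append(f"line {lineno}: one LOCNODE only, before the first DEST")
            cfg.locnode = args[0]
        elif kw == "INVDEST" and args and args[0] in ("PURGE", "PASS"):
            cfg.invdest, cfg.invdest_explicit = args[0], True
        elif kw == "SECOPR" and args:
            cfg.secopr = args[0]
        elif kw in ("OUTEXIT", "USEREXIT") and args:
            cfg.exits[kw] = args[0]
        else:
            cfg.errors.append(f"line {lineno}: unrecognized statement {kw}")
    return cfg

def parse_tag(tag: str) -> Tuple[Optional[str], str]:
    """TAG DEV PUN operands: 'node userid' or 'userid'; later tokens are ignored."""
    parts = tag.upper().split()
    if not parts:
        raise ValueError("TAG carries no destination")
    return (None, parts[0]) if len(parts) == 1 else (parts[0], parts[1])

def decide(cfg: Config, tag: str) -> str:
    """Return what AXPSERV would do with a submittal carrying this TAG."""
    node, user = parse_tag(tag)
    if node is not None and node == cfg.locnode:      # assumption: LOCNODE name means local
        node = None
    if any(d.targetid == user and d.node == node for d in cfg.dests):
        return "INSERT_ID"
    return "PURGE" if cfg.invdest == "PURGE" else "PASS"   # AXPSRV71E / AXPSRV73I

def audit(cfg: Config) -> List[str]:
    """List syntax errors plus the settings the guide singles out for review."""
    notes = list(cfg.errors)
    for e in cfg.encronly:
        notes.append(f"ENCRONLY {e.targetid}: requestor ID is not inserted; secure this machine")
    if cfg.invdest == "PASS":
        how = "explicit" if cfg.invdest_explicit else "default"
        notes.append(f"INVDEST PASS ({how}): undefined destinations are sent without ID")
    for kw, name in cfg.exits.items():
        notes.append(f"{kw} {name}: exit EXEC runs inside AXPSERV; review {name} EXEC")
    return notes

# Supplied file from the guide, plus the NATIVVSE DEST shown later in the guide
# and one constructed ENCRONLY line (PRODSCHD is a made-up user ID).
SAMPLE = """\
* EXAMPLE AXPSERV.CONFIG FILE
* LOCNODE MYSITE
SECOPR MYSECOP
INVDEST PASS
DEST VSECAN AT TORONTO CLASS Q
DEST VSEX CLASS A
DEST VSEY CLASS Z
DEST NATIVVSE VIA RSCS
ENCRONLY PRODSCHD
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE)
    for tag in ("TORONTO VSECAN", "VSEX", "VSECAN", "VSE2"):
        print(f"TAG DEV PUN {tag:16} -> {decide(cfg, tag)}")
    print("\n".join(audit(cfg)))
```

A TAG of VSECAN without a node resolves to PASS here because the only VSECAN DEST statement is AT TORONTO; the match requires both user ID and node.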


Example of Converting a SUBMIT EXEC

Suppose you want to convert the following SUBMIT EXEC for AXPSERV:

/* Simple SUBMIT EXEC */
Parse Upper Arg Name_of_VSE_Machine Filename .
"CP SPOOL PUN" Name_of_VSE_Machine "CLASS A NOHOLD CONT"
"PUNCH" Filename "JCL A (NOH"
"CP SPOOL D CLOSE"

Method 1: After changing this EXEC for AXPSERV using method 1, the EXEC looks like this:

/* Simple SUBMIT EXEC, modified for AXPSERV */
Parse Upper Arg Name_of_VSE_Machine Filename .
"EXEC AXPSEND" Filename "JCL A" Name_of_VSE_Machine

Method 2: After changing the EXEC for AXPSERV using method 2, the EXEC looks like this:

/* Simple SUBMIT EXEC modified for AXPSERV */
Parse Upper Arg Name_of_VSE_Machine Filename .
"CP SPOOL PUN AXPSERV CLASS A NOHOLD CONT"
"CP TAG DEV 00D" Name_of_VSE_Machine
"PUNCH" Filename "JCL A (NOH"
"CP SPOOL D CLOSE"

Note that you do not control the CLASS of the spooled punch file to the target VSE machine in AXPSEND or in your SUBMIT procedure. Instead, use the CLASS parameter of the AXPSERV DEST configuration statement to designate the CLASS for each target VSE machine.

Step 6

Add the AXPSERV machine to your list of machines that are AUTOLOGed.


Guidelines for Using AXPSERV

Remember that BIM-ALERT/VSE must be active on any VSE machine defined to AXPSERV in a DEST statement. If BIM-ALERT/VSE is not active, the user ID information generated by AXPSERV will not be acceptable to VSE's job control processor.

Sending Jobstreams to Native VSE Machines

You can send a jobstream to a remote VSE machine by routing the jobstream through RSCS to another AXPSERV machine at the remote location. To submit jobstreams to that machine using AXPSERV, you would define the following DEST statement:

DEST VSEMACH AT REMOTE

You can send a jobstream to a remote machine running native VSE but not running AXPSERV by specifying the VIA RSCS parameter on the DEST statement. For example, suppose the remote machine running native VSE is defined to the local RSCS (on the originating machine where AXPSERV is running) as link ID NATIVVSE. To submit jobstreams to that machine using AXPSERV, you would define the following DEST statement:

DEST NATIVVSE VIA RSCS

With this DEST statement, AXPSERV spools jobstreams for NATIVVSE to the local RSCS and sets up TAG information directing RSCS to route the jobstreams to the NATIVVSE machine's POWER reader queue. AXPSERV issues the following commands to transfer a jobstream to the NATIVVSE machine:

SP PUN RSCS
TAG DEV PUN NATIVVSE JOB
PUNCH fn ft fm

Recommendation for Testing Period

During initial testing, you should specify INVDEST PASS in the AXPSERV CONFIG file. This will make it easier for you to direct AXPSERV not to insert // ID statements for a VSE machine where BIM-ALERT/VSE is not active, simply by removing its DEST statement from the configuration file.

To Make AXPSERV Ready to Accept SUBMIT Requests

AXPSERV is designed to be AUTOLOGed. When AXPSERV is AUTOLOGed, it executes the AXPSERV program at the end of its PROFILE EXEC. This makes AXPSERV ready to accept SUBMIT requests (RDR input), without requiring any manual intervention.

If AXPSERV is logged on manually (not AUTOLOGed), it does not execute the AXPSERV program in its PROFILE EXEC. You can make it ready to accept SUBMIT requests by entering AXPSERV at the console.


Alias Logons Through CA-ALERT for VM

Normally, AXPSERV picks up the user ID of the originating CMS machine and puts that user ID into the VSE jobstream. If you run CA-ALERT for VM, and users can log on to CMS machines via BIM-ALERT's alias logon facility, you can configure CA-ALERT for VM to pass the alias user ID to AXPSERV instead of passing the name of the CMS machine. AXPSERV then puts the alias user ID, rather than the user ID of the CMS machine, into the VSE jobstream.

For example, suppose user FRED is logged on to a CMS machine whose user ID is ALRTCICS. If the CA-ALERT for VM interface to AXPSERV is not in place, jobs that FRED submits from the ALRTCICS machine contain ALRTCICS for the user ID. But if the CA-ALERT for VM interface to AXPSERV is in place, jobs that FRED submits from the ALRTCICS machine contain FRED for the user ID.

BIM-ALERT/VSE version 5.0 supports this interface, which is available starting at version 5.1 of CA-ALERT for VM. For information about how to configure CA-ALERT for VM for this feature, refer to the CA-ALERT for VM Security Administrator's Guide.

Terminating AXPSERV

Whenever the machine is waiting on a SUBMIT request (that is, when it is executing AXPSERV or AXPSERV2), you can terminate the AXPSERV or AXPSERV2 program by typing any of the following commands on the AXPSERV console and pressing ENTER: TERM, QUIT, EOJ, STOP, HALT, or KILL.


Securing AXPSERV

It is essential that the AXPSERV machine itself be secure. The following steps are recommended as the minimum for securing AXPSERV:

Step Action

1 The AXPSERV machine should have a secure password, that is, one that is not easy for someone to guess. Choose a password that has no meaningful connection to the name AXPSERV or to the function that AXPSERV performs. For example, both AXPSERV and SECURE are very poor choices for passwords for AXPSERV. If you employ extended VM security measures (local modifications or third-party software such as CA-ALERT for VM) that permit or require you to change passwords regularly, these measures should be applied to AXPSERV.

2 The AXPSERV machine should be AUTOLOGed at VM IPL time. If you employ extended VM security measures (local modifications or third-party software such as CA-ALERT for VM) that enable you to prohibit a machine from being logged on manually, this feature should be applied to AXPSERV.

3 AXPSERV's A-disk should be defined without a password so that other users may not LINK to it.

4 If you are not using the ENCRONLY option in the CONFIG file, erase AXPSERV2.MODULE.A from AXPSERV so there is no possibility of someone using that option.

AXPSERV Console Messages

AXPSERV issues a number of console messages to permit tracking of SUBMIT activity. For example, each jobstream submitted by AXPSERV is identified with message AXPSRV04I. Other informational messages and error messages may also be issued.

We recommend that the AXPSERV console be spooled back to the AXPSERV RDR (the supplied AXPSERV PROFILE EXEC does this), or to a console file service machine if such a facility has been implemented. This ensures that the AXPSERV console data is available as an audit tool for the security administrator.


AXPSERV Exits

AXPSERV provides several exit points where locally developed programs can execute during AXPSERV's processing. These exits are optional. If you are interested in using these exits, contact BIM Technical Support.

A program can gain control at the following points:

• As AXPSERV begins to initialize (initialization exit).

• Immediately before AXPSERV terminates (termination exit).

• Before AXPSERV writes each record of a jobstream (output exit). An output exit program can modify records, add records to the output jobstream, and delete records from the output jobstream.

• Before AXPSERV inserts user ID information (user ID exit). The user ID exit is primarily intended to provide support for trapping alias user IDs for versions of CA-ALERT for VM prior to 5.1. Refer to page 5-23 for more information about BIM-ALERT/VSE support for the CA-ALERT for VM alias logon facility. The member AXPUSERX.EXEC on the BIM-ALERT installation tape contains a sample user ID exit.

Typical applications performed by an output exit program include the following:

• Enforcement of local JCL standards

• Expansion of file-include statements

• Insertion of password information

Performing operations such as these in an exit routine is generally more efficient than performing the same operations as a separate front-end process to AXPSERV.

Examples of the output exit are supplied on AXPSERV's 191 disk as SLI.EXEC, AXPJCLXX.EXEC, and XINC.EXEC.


Enabling AXPSERV Exits

The following table shows the method used for initializing each type of AXPSERV exit:

Exit Type Initialization Method

Initialization exit The initialization exit uses a predefined name, AXPINITX. If a file named AXPINITX.EXEC is present when AXPSERV starts, control is passed to that program during initialization.

Termination exit The termination exit uses a predefined name, AXPTERMX. If a file named AXPTERMX.EXEC is present when AXPSERV terminates, control is passed to that program immediately before terminating.

Output exit The output exit name is specified in a configuration parameter:

OUTEXIT xxxxxxxx

Replace xxxxxxxx with the name of the output exit, whose file type must be EXEC.

User ID exit The user ID exit name is specified in a configuration parameter:

USEREXIT xxxxxxxx

Replace xxxxxxxx with the name of the user ID exit, whose file type must be EXEC.


CONDOR Submittal Monitor

Introduction

A job submittal monitor is available for BIM-ALERT/VSE installations that use CONDOR to submit batch jobstreams. You can select this option by performing the installation procedure on page 5-29. After installation, the BIM-ALERT/VSE monitor is activated automatically each time CONDOR starts.

The BIM-ALERT/VSE submittal monitor performs the following activities:

• Examines each jobstream submitted to VSE with the CONDOR submit command.

• Discards any ID statement already present in the jobstream.

• Inserts an ID statement containing the CONDOR user ID of the submittor. The ID statement is inserted after the first // JOB statement in each POWER job.

Impact on Existing Submittal Exit

BIM-ALERT/VSE's monitor program gets control through the standard CONDOR submittal exit facility before each statement is placed in the POWER reader queue. BIM-ALERT/VSE must be specified to CONDOR as the submittal exit program, and thus displaces an installation's own submittal exit program if there is one. However, because BIM-ALERT/VSE's exit program is designed to give control to a second program, it is able to coexist with an installation's own CONDOR submittal exit program. If you are already using the CONDOR submittal exit facility, activating BIM-ALERT/VSE's submittal monitor does not interfere with the operation of that program.

No source code changes are required to your existing exit program; however, it must be recataloged under a new name. When you install BIM-ALERT/VSE's exit program, the following restrictions are placed on your exit program:

• It may not add an ID statement to the jobstream.

• It must not depend upon information from an ID statement already present in the jobstream, since any ID statement is discarded by BIM-ALERT/VSE before it is examined by the installation's program.

• Its processing must not depend on adding the first statement after the // JOB statement. BIM-ALERT/VSE may insert an ID statement as the first one after the // JOB statement. If the installation's exit program attempts to add statements immediately following the // JOB statement, the statements will immediately follow BIM-ALERT/VSE's ID statement, not the // JOB statement.


Module Names

BIM-ALERT/VSE's job submittal modules are initially cataloged into the BIM-ALERT residence sublibrary. Modules AXPHJ13A and AXPHJ13B are eventually required during the execution of CONDOR submit commands. Therefore, they must be copied into the CONDOR execution library. (The installation procedure described below takes this requirement into account.)

BIM-ALERT/VSE's modules for CONDOR job submittal are as follows:

Name      Type   Description
AXPHJ13   OBJ    BIM-ALERT's PWRUEXIT module
AXPHJ13A  PHASE  BIM-ALERT's ID card processing program
AXPHJ13B  PHASE  Dummy phase for installation's program

Plan for Backing Out BIM-ALERT/VSE Monitor

Before you begin installation, develop a procedure to use if the BIM-ALERT/VSE monitor has to be backed out. Installing BIM-ALERT/VSE's monitor requires you to catalog a new version of the CONDOR phase OLPSRJE. Before you start the BIM-ALERT/VSE installation, make a copy of OLPSRJE using a backup, copy, or rename operation. Then your BIM-ALERT/VSE back-out procedure can just execute a restore or rename to reinstate the old, pre-BIM-ALERT/VSE version of that phase.

Make sure that your back-out jobstream is in a form that can be submitted without CONDOR. For example, you might want to place the jobstream in a VSE procedure library or in a held state in the POWER reader queue, so that it can be executed from the system operator's console, or simply released from the POWER reader queue.


Installation Procedure

After you create a back-out jobstream, perform the following steps to install the BIM-ALERT/VSE CONDOR submittal monitor:

Step Action

1 Copy phases AXPHJ13A, AXPHJ13B, and AXPHJ13D from the BIM-ALERT residence sublibrary into the sublibrary where the CONDOR phases reside (that is, into the sublibrary from which CONDOR is executed). To do this, execute a job similar to AXP9010.

The phases AXPHJ13A and AXPHJ13B must be accessible to the partition where CONDOR is executed because they are loaded during the execution of the CONDOR submit command. If either program is not present, a console message is issued. Although the submit process itself is not terminated on this condition, the resulting jobstream is probably incorrect or incomplete. Depending on other variables (such as security definitions in effect, and job naming standards implemented through the submittal exit program), the job may not be permitted to execute. To avoid this, place phases AXPHJ13A and AXPHJ13B into the same sublibrary where the CONDOR phases reside.

2 If you are not currently using a submittal exit, you can skip this step.

Rename PWRUEXIT.OBJ to AXPHJ13E.OBJ by executing a job similar to AXP9020. PWRUEXIT is the module name CONDOR expects for the submittal exit program.

3 If you are not currently using a submittal exit, you can skip this step.

Recatalog your submittal exit program to make it the one to be invoked by BIM-ALERT/VSE by executing a job similar to the one in AXP9030, which catalogs your exit program as AXPHJ13B. A dummy phase AXPHJ13B is distributed. The dummy phase is invoked by BIM-ALERT/VSE if you do not catalog your program under that name.

4 This step is required, even if you are not currently using the CONDOR submittal exit facility.

Establish BIM-ALERT/VSE as the CONDOR submittal exit program. First, rename BIM-ALERT/VSE module AXPHJ13.OBJ to PWRUEXIT.OBJ (see AXP9040). Then execute CONDOR's submittal exit program installation procedure. Refer to the CONDOR installation documentation for a complete description of that procedure. Briefly, it requires recataloging the CONDOR phase OLPSRJE with RDREXIT=YES specified for the CONDOR RJE macro. OLPSRJE must always be recataloged, even if you are not currently using the CONDOR submittal exit facility.

JCL examples for the jobs mentioned (AXP9010, AXP9020, AXP9030, and AXP9040) can be found in the BIM-ALERT residence sublibrary member AXPJCL90.J.


CSAR Submittal Monitor

Introduction

BIM-ALERT/VSE provides a job submittal monitor for jobstreams that are placed in the VSE/POWER reader queue by CSAR. The submittal monitor, AXPHJ22, runs as the CSAR job submission user exit (SCZUSR01) program. AXPHJ22 does not provide support for passing control to an installation's existing CSAR exit.

Restriction

If your installation already has a CSAR job submission user exit in place, BIM-ALERT/VSE's submittal monitor cannot be used.

AXPHJ22 Processing

Unlike most of the other job submittal monitors, AXPHJ22 does not associate a specific user's identity with each jobstream. Instead, the ID statement contains a pseudo-user ID of CSAR. To control these jobs, the security administrator defines a User Profile for the user ID CSAR and assigns an appropriate SECID.

In some installations, it may not be practical for all CSAR jobs to have the same user ID and SECID. AXPHJ22 provides a way for an installation to assign the user ID to each CSAR job. Before generating the ID statement, AXPHJ22 invokes an installation-supplied program, passing it the parameter area provided by CSAR. This program can develop a user ID based on the information in the CSAR parameter area (and any other pertinent information that is available to it) and pass back the user ID to AXPHJ22. AXPHJ22 then puts the user ID into the ID statement. Use of this installation-supplied program is optional. If the program is not present, AXPHJ22 assigns all CSAR jobs the user ID CSAR.

For more detailed information about the linkage conventions between AXPHJ22 and the installation-supplied program, refer to member AXPHJ22X.A from the install tape. This member contains an example of an installation-supplied program.


Installation Procedure

Perform the following steps to install the BIM-ALERT/VSE submittal monitor for CSAR:

Step Action

1 Copy AXPHJ22.OBJ from the BIM-ALERT sublibrary into the sublibrary where the CSAR programs reside.

2 Rename SCZUSR01.OBJ to SCZUSR01.SAVE in the CSAR sublibrary.

3 Rename AXPHJ22.OBJ to SCZUSR01.OBJ in the CSAR sublibrary.

4 If you need to assign different pseudo-user IDs to CSAR jobstreams, perform the following steps to install your program.

  4a Retrieve member AXPHJ22X.A from the install sublibrary, and make a copy of it using any convenient text editor. It is recommended that you retain the original version of AXPHJ22X.A for reference purposes.

  4b Modify the code in AXPHJ22X.A to assign the desired user IDs.

  4c Assemble and catalog your program into the sublibrary where the CSAR programs reside. This program must be cataloged as AXPHJ22X.PHASE.

5 Relink CSAR programs SCZONMON, SCZMON1, and SCZVEOJ. Refer to the CSAR installation documentation for information about relinking the CSAR programs.

6 Terminate CSAR.

7 Restart CSAR.

Once these steps have been completed, the BIM-ALERT/VSE submittal monitor is activated automatically each time CSAR is started.


To Deactivate the Submittal Monitor

To deactivate the submittal monitor, perform the following steps:

Step Action

1 Delete AXPHJ22.OBJ from the CSAR sublibrary.

2 Rename SCZUSR01.SAVE to SCZUSR01.OBJ.

3 Relink CSAR programs SCZONMON, SCZMON1, and SCZVEOJ.

4 Terminate CSAR.

5 Restart CSAR.

Defining Security for Jobs From CSAR

The BIM-ALERT user profile does not provide a separate category of user ID specifically for CSAR. AXPHJ22 identifies the pseudo-user ID CSAR as a "CMS" user ID. To define a SECID for these jobs, define a user profile with a CMS user ID of CSAR and assign the desired SECID.

If you write a program that assigns different user IDs to different CSAR jobstreams, AXPHJ22 identifies these as "CMS" user IDs as well. Define a user profile with a CMS user ID for each pseudo-user ID and assign the desired SECIDs.


EZ/KEY Submittal Monitor

Introduction

BIM-ALERT/VSE's EZ/KEY submittal monitor executes as the EZ/KEY installation submit user exit. The monitor examines each jobstream submitted to VSE from an EZ/KEY session and inserts an ID statement containing the EZ/KEY user ID of the submittor and a logon source code of K. The monitor discards any ID statement already present in the jobstream.

The EZ/KEY submittal monitor consists of the following two parts:

• An object module (AXPHJ17.OBJ)

• A loadable module (AXPHJ17.PHASE)

Installation Procedure

Perform the following steps to install and activate the submittal monitor. After you complete these steps, BIM-ALERT's submittal monitor will activate automatically each time you start EZ/KEY.

Step Action

1 Copy AXPHJ17.PHASE from the BIM-ALERT residence sublibrary into the sublibrary from which you execute EZ/KEY.

2 Rename AXPHJ17.OBJ to PIEXIT01.OBJ, which is the module name expected by the EZ/KEY installation process.

3 Execute the procedure "Installation of the Submit User Exit Under CICS/DOS/VSE" as described in the EZ/KEY installation guide. This procedure linkedits EZ/KEY to include the BIM-ALERT PIEXIT01.OBJ module. Be certain to include the BIM-ALERT sublibrary in the object module search chain (LIBDEF OBJ,SEARCH=...). Or, copy PIEXIT01.OBJ from the BIM-ALERT sublibrary into one which is accessible to the EZ/KEY installation process.


GSERV Submittal Monitor

Procedure

After you complete the following steps, the GSERV submittal monitor is automatically in place whenever GSERV is started.

Step Action

1 Use the CA-FLEE/ONLINE FLIMREP Configuration Panel to add the following parameter:

POWEXIT=AXPHJ7

2 Use the CA-FLEE/ONLINE FLIMREP Configuration Panel to activate the new FLIMREP.

3 Add the BIM-ALERT residence sublibrary to the LIBDEF PHASE, SEARCH chain in all GSERV jobstreams. (Or, copy AXPHJ7.PHASE from the BIM-ALERT/VSE sublibrary into the CA-FLEE residence library.)


ICCF Submittal Monitor

How the ICCF Submittal Monitor Is Activated

BIM-ALERT's ICCF submittal monitor is activated by executing a program called AXPHI7D in the CICS PLTPI. Program AXPHI7D starts transaction AX7C, which waits for ICCF and BIM-ALERT to become active and then activates BIM-ALERT's submittal monitor for ICCF.

Required CICS Table Entries

Entries are required in the CICS PPT, PCT, and PLT for the ICCF submittal monitor. Refer to page 3-74 for instructions on how to add these entries.

Activation Process

When AXPHI7D executes, it issues the following message on the system operator console:

AX256A AXPHI7D STARTING TRANSACTION AX7C

When transaction AX7C starts, it issues the following message on the system operator console:

AX256B AX7C IS ACTIVE

AX7C then awakens every 10 seconds to determine whether ICCF and BIM-ALERT are active. When both are active, AX7C activates the ICCF submittal monitor, displays the following message on the system operator console, and then terminates.

AX256 ICCF SUBMIT HOOK ENABLE RC=00

If AX7C is still unable to activate the ICCF submittal monitor after both ICCF and BIM-ALERT are active, it displays the AX256 message with a return code other than 00. These return codes are described in the BIM-ALERT Messages Guide under message AX256.

Take care not to purge AX7C simply because it appears not to be doing anything. You should let AX7C run until both ICCF and BIM-ALERT are active, at which time AX7C will terminate on its own. If you inadvertently start AX7C in a partition where ICCF does not run, it is okay to purge it.

Deactivating the ICCF Submittal Monitor

BIM-ALERT's ICCF submittal monitor deactivates automatically when ICCF is shut down. If you need to deactivate the submittal monitor without deactivating ICCF, execute transaction AX7B from a terminal attached to the CICS where ICCF is active. AX7B issues the following message:

AX256 ICCF SUBMIT HOOK DISABLE RC=xx

A return code of 00 indicates the operation was successful. Refer to the BIM-ALERT Messages Guide for an explanation of other return codes.

Manually Activating the ICCF Submittal Monitor

If BIM-ALERT's submittal monitor is not active, you can activate it by executing transaction AX7A from a terminal attached to the CICS where ICCF is active. AX7A issues the following message:

AX256 ICCF SUBMIT HOOK ENABLE RC=00

A return code of 00 indicates the operation was successful. Refer to the BIM-ALERT Messages Guide for an explanation of other return codes.

Do not execute transaction AX7C (the one normally started during PLT) from a terminal. Use AX7A instead, or start AX7C with CECI:

CECI START TRANSID(AX7C)
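The AX256 console messages described above can be checked mechanically to confirm that the ICCF submit hook is actually in place. The following Python sketch is an added example, not part of BIM-ALERT or of this guide; the timestamp prefixes, the sample lines, and the RC=08 value are constructed for illustration, and real return codes must be looked up in the BIM-ALERT Messages Guide.

```python
"""Review operator-console output for the ICCF submittal monitor messages."""
import re

# Message texts as printed in the guide. Anything in front of the message ID
# (timestamps, partition prefixes) is ignored by using search().
STARTING = re.compile(r"\bAX256A AXPHI7D STARTING TRANSACTION AX7C\b")
WAITING = re.compile(r"\bAX256B AX7C IS ACTIVE\b")
HOOK = re.compile(r"\bAX256 ICCF SUBMIT HOOK (ENABLE|DISABLE) RC=(\w{2})\b")

# Constructed sample: the time prefix and the RC=08 value are assumptions.
SAMPLE_CONSOLE = [
    "08:00:05 AX256A AXPHI7D STARTING TRANSACTION AX7C",
    "08:00:06 AX256B AX7C IS ACTIVE",
    "08:02:16 AX256 ICCF SUBMIT HOOK ENABLE RC=00",
    "13:40:51 AX256 ICCF SUBMIT HOOK DISABLE RC=00",
    "13:55:02 AX256 ICCF SUBMIT HOOK ENABLE RC=08",
]


def review_console(lines):
    """Return (state, findings) for the ICCF submit hook.

    state is 'unknown', 'starting', 'waiting', 'enabled', 'disabled'
    or 'enable_failed'. findings is a list of (line_number, text) tuples
    that an operator or auditor should look at.
    """
    state = "unknown"
    findings = []
    for number, line in enumerate(lines, start=1):
        if STARTING.search(line):
            state = "starting"
            continue
        if WAITING.search(line):
            state = "waiting"
            continue
        hook = HOOK.search(line)
        if hook is None:
            continue
        action, rc = hook.groups()
        if rc != "00":
            # Any return code other than 00 means the request did not succeed.
            findings.append((number, f"{action} returned RC={rc}; look up "
                             "message AX256 in the BIM-ALERT Messages Guide"))
            if action == "ENABLE":
                state = "enable_failed"
        elif action == "ENABLE":
            state = "enabled"
        else:
            state = "disabled"
            findings.append((number, "submit hook disabled; run AX7A to "
                             "re-enable it if ICCF is still active"))
    if state in ("starting", "waiting"):
        # AX7C polls every 10 seconds; silence here means it is still
        # waiting for ICCF and BIM-ALERT, or it was purged.
        findings.append((len(lines), "no ENABLE message yet; AX7C is still "
                         "polling or was purged"))
    return state, findings


if __name__ == "__main__":
    final_state, notes = review_console(SAMPLE_CONSOLE)
    print("final state:", final_state)
    for line_number, text in notes:
        print(f"  line {line_number}: {text}")
```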

I.E. Submittal Monitor

Introduction

A job submittal monitor is available for BIM-ALERT/VSE installations that use I.E. (formerly MSA I.E.) to submit batch jobs. After installation, the BIM-ALERT monitor is activated automatically each time I.E. starts.

The BIM-ALERT job submittal monitor runs as the I.E. Job Submission User Exit. Its purpose is to place the User ID of the person who submitted the job into the jobstream.

The BIM-ALERT/VSE exit does not provide support for passing control to an installation's existing exit. If an installation already has its own Job Submission Exit, BIM-ALERT/VSE's submittal monitor cannot be employed.

Installation Procedure

Use the following procedure to install the BIM-ALERT job submittal monitor:

Step Action

1 Copy member AXPHJ19A.PHASE from the BIM-ALERT residence sublibrary to the library where I.E. resides.

-OR-

Include the BIM-ALERT residence sublibrary in the SEARCH chain for the partition where I.E. executes.

2 Add a PPT entry to the CICS region where I.E. executes for program AXPHJ19A. Be sure to define the program with the language setting of ASSEMBLER.

3 Update the I.E. Job Submission User Exit Table (JTJUSX) to include an entry for the Job Submission User Exit. The table entry will need to have the EXITFLAG set on, and should include the EXITNAME of AXPHJ19A. Follow the instructions for exit programs that were created using the DBSUSRXA skeleton. Please refer to the Information Expert System Administrator's Guide for complete details on defining the User Exit Table.

4 Cycle the I.E. CICS partition to activate the BIM-ALERT / I.E. submittal monitor.

ZEKE Submittal Monitor

Introduction

BIM-ALERT/VSE provides a submittal monitor for installations that use ZEKE-THE-CONTROLLER/VSE to submit batch jobstreams. After installation, the BIM-ALERT/VSE monitor activates automatically each time ZEKE is started.

The BIM-ALERT/VSE submittal monitor does the following:

• Examines each jobstream submitted to VSE through ZEKE.

• Discards any ID statement already present in the jobstream.

• Inserts an ID statement containing ZEKE as the user ID. The ID statement is inserted after the first // JOB statement in each POWER job.

Impact on Existing JCL User Exit

BIM-ALERT/VSE's monitor program gets control through the standard ZEKE JCL user exit facility. ZEKE passes control to the exit before each statement is placed in the POWER reader queue. BIM-ALERT/VSE must be specified to ZEKE as the JCL user exit program, and thus displaces an installation's own exit program (if there is one). However, because BIM-ALERT/VSE's exit program is designed to give control to a second program, it can coexist with an installation's own ZEKE JCL user exit program. Activating BIM-ALERT/VSE's submittal monitor does not interfere with the operation of your ZEKE JCL user exit.

No source code changes are required to your existing exit program; however, it must be renamed. When you install BIM-ALERT/VSE's submittal exit program, the following restrictions are placed on your exit program:

• It cannot add an ID statement to the jobstream.

• It must not depend upon information from an ID statement already present in the jobstream because any ID statement is discarded by BIM-ALERT/VSE before it is examined by your program.

• Its processing must not depend on adding the first statement after the // JOB statement. BIM-ALERT/VSE may insert an ID statement as the first one after the // JOB statement. If your exit program attempts to add statements immediately following the // JOB statement, the statements will immediately follow BIM-ALERT/VSE's ID statement, not the // JOB statement.

Module Names

BIM-ALERT/VSE modules related to the ZEKE submittal monitor process are initially cataloged into the BIM-ALERT residence sublibrary. These modules are as follows:

Name      Type   Description
AXPHJ16   PHASE  BIM-ALERT's JCL user exit program
AXPHJ16B  PHASE  Dummy phase for installation's program

Installation Procedure

Perform the following steps to install the BIM-ALERT/VSE ZEKE submittal monitor. The JCL examples referred to (AXP9210, AXP9220, and AXP9230) are contained in member AXPJCL92.J in the BIM-ALERT residence sublibrary.

Step Action

1 Copy phases AXPHJ16, AXPHJ16B, and AXPHJ16D from the BIM-ALERT residence sublibrary into the sublibrary where the ZEKE phases reside (that is, into the sublibrary from which ZEKE is executed). To do this, execute a job similar to AXP9210.

The phases AXPHJ16 and AXPHJ16B must be accessible to the partition where ZEKE is executed because they will be loaded by ZEKE during the job submittal process. Absence of either phase results in improper jobstreams. To avoid this, place phases AXPHJ16 and AXPHJ16B into the sublibrary where the ZEKE phases reside.

2 Do one of the following, depending on whether you are a new or current user of the ZEKE JCL exit facility:

• If you are currently using the ZEKE JCL exit facility, rename your exit program to AXPHJ16B so that BIM-ALERT's program can pass control to yours. Use JCL similar to that in sample job AXP9220 in the BIM-ALERT install library. After you rename your program, BIM-ALERT's program will CDLOAD it and pass control to it for each JCL statement.

If you are currently using the ZEKE JCL exit facility, you must complete this step. Otherwise, your exit program will never be invoked once you establish BIM-ALERT's program as the submittal exit program.

• If you are not currently using the ZEKE JCL exit facility, check the library where your ZEKE phases reside for a phase called ZEKE14B. (Some releases of ZEKE include a dummy ZEKE14B.) If you have this phase, rename it to AXPHJ16B using JCL similar to that in sample job AXP9220 in the BIM-ALERT install library. If you do not have this phase, proceed to step 3.

3 Establish BIM-ALERT/VSE as the ZEKE submittal exit program by renaming the BIM-ALERT/VSE program AXPHJ16 to ZEKE14B. To do this, execute a job similar to AXP9230.
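The statement-by-statement behaviour described for the ZEKE submittal monitor, and the restrictions it places on a chained site exit, can be seen in a small model. This Python sketch is an added example and is not BIM-ALERT or ZEKE code; it assumes the inserted statement reads `// ID USER=ZEKE` (the guide does not show its text), and the jobstream and the site exit that adds `// OPTION LOG` are constructed for illustration.

```python
"""Model of the ZEKE JCL-exit processing described in this section."""
import re

ID_STMT = re.compile(r"^//\s+ID\b")             # VSE // ID statement
JOB_STMT = re.compile(r"^//\s+JOB\b")           # VSE // JOB statement
POWER_JOB = re.compile(r"^\*\s+\$\$\s+JOB\b")   # POWER * $$ JOB statement

# Assumption: exact text of the statement the monitor inserts.
INSERTED_ID = "// ID USER=ZEKE"

# Constructed jobstream: one POWER job carrying its own ID statement,
# and one POWER job that contains two VSE jobs.
SAMPLE_JOBSTREAM = [
    "* $$ JOB JNM=PAYROLL,CLASS=A",
    "// JOB PAYROLL",
    "// ID USER=SYSA,PWD=XXXXXXXX",
    "// EXEC PAYCALC",
    "/&",
    "* $$ EOJ",
    "* $$ JOB JNM=REPORTS,CLASS=A",
    "// JOB REPORT1",
    "// EXEC RPTGEN",
    "/&",
    "// JOB REPORT2",
    "// EXEC RPTGEN",
    "/&",
    "* $$ EOJ",
]


def no_site_exit(statement):
    """Stand-in for the dummy AXPHJ16B phase: adds nothing."""
    return []


def sample_site_exit(statement):
    """Hypothetical site exit: adds // OPTION LOG after every // JOB."""
    return ["// OPTION LOG"] if JOB_STMT.match(statement) else []


def submit_through_monitor(jobstream, site_exit=no_site_exit):
    """Return (output_statements, discarded_statements).

    site_exit(statement) models the installation's renamed exit. It is
    called once per surviving statement and returns the statements it
    wants added after the one it was given.
    """
    output, discarded = [], []
    id_inserted = False                      # tracked per POWER job
    for statement in jobstream:
        if POWER_JOB.match(statement):
            id_inserted = False              # a new POWER job begins
        if ID_STMT.match(statement):
            discarded.append(statement)      # site exit never sees it
            continue
        output.append(statement)
        if JOB_STMT.match(statement) and not id_inserted:
            output.append(INSERTED_ID)       # first // JOB of this POWER job
            id_inserted = True
        # Site additions land after the inserted ID, not after // JOB.
        output.extend(site_exit(statement))
    return output, discarded


if __name__ == "__main__":
    result, dropped = submit_through_monitor(SAMPLE_JOBSTREAM, sample_site_exit)
    print("\n".join(result))
    print("discarded:", dropped)
```

In the output, the submitted `// ID USER=SYSA` statement is gone, each POWER job carries exactly one inserted ID statement, and the site exit's `// OPTION LOG` follows that ID statement rather than the `// JOB` statement.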

Installing Security Exits

Introduction

With this version of BIM-ALERT/VSE, you can install security exits for the following products:

• BIM-EPIC

• CA-EXPLORE for CICS-VSE

• CA-EXPLORE for VSE

• BIM-FAQS/PCS

• CA-FAVER for VSE

• CA-MASTERCAT for VSE

• CA-XCOM

• IBM DITTO

A security exit for CA-FLEE is automatically installed with BIM-ALERT/VSE.


Installing a Security Exit for BIM-EPIC

Introduction

At activation, BIM-EPIC looks for module TSIDSEC in the SVA. If this module is found, BIM-EPIC transfers control to TSIDSEC before opening disk dataset extents or tape dataset volumes.

With the BIM-ALERT/VSE module AXPX15 active as TSIDSEC, a security call is made to BIM-ALERT/VSE for the dataset that is being opened before the BIM-EPIC catalog is updated. If the submitter of the job does not have authority to open the dataset at the requested access level, the job is cancelled before any BIM-EPIC catalog updates have occurred, ensuring that the BIM-EPIC catalog and the disk VTOC remain in synchronization.

If the BIM-ALERT/VSE module AXPX15 is not active as TSIDSEC, an open request causes the BIM-EPIC catalog to be updated prior to the file open security call. If the job is then cancelled due to a security violation, the BIM-EPIC catalog updates remain, but the disk VTOC remains unchanged.

Installation Procedure

Take the following steps to install the BIM-ALERT/VSE security exit for BIM-EPIC:

Step Action

1 Copy AXPX15.PHASE to the BIM-EPIC residence library.

2 Rename AXPX15.PHASE to TSIDSEC.PHASE.

3 Add the following entry to your SDL load procedure:

TSIDSEC,SVA

Installing a Security Exit for CA-EXPLORE for CICS-VSE

Installation Procedure

Take the following steps to install the BIM-ALERT/VSE security exit for CA-EXPLORE for CICS-VSE:

Step Action

1 Copy AXPX12.PHASE to the CA-EXPLORE for CICS-VSE residence library.

2 Rename AXPX12.PHASE to ECDIALRT.PHASE.

3 Set the value of the SECURITY-MODULE configuration option to ECDIALRT.PHASE in the CA-EXPLORE for CICS configuration member or on the configuration panel.

Installing a Security Exit for CA-EXPLORE for VSE

Installation Procedure

Take the following steps to install the BIM-ALERT/VSE security exit for CA-EXPLORE for VSE:

Step Action

1 Copy AXPX2.PHASE to the CA-EXPLORE for VSE residence library.

2 Rename or delete the existing EVSESCTY.PHASE.

3 Rename the copy of AXPX2.PHASE in the CA-EXPLORE for VSE residence library to EVSESCTY.PHASE. (See the RO for VSE/ESA Installation Guide for more detail.)

4 Specify YES for the SECURITY configuration option in CA-EXPLORE for VSE.

Installing a Member-Level Security Exit for BIM-FAQS/PCS

Introduction

BIM-FAQS/PCS provides an exit that can be used to secure library members and events.

Valid Releases of FAQS/PCS

The BIM-ALERT/VSE security exit for BIM-FAQS/PCS is valid only for the following releases of BIM-FAQS/PCS:

Operating System  Required Release of BIM-FAQS/PCS
VSE/SP            3.7.1 or higher
VSE/ESA           4.0.1 or higher
z/VSE             5.3A or higher

Installation Procedure

Take the following steps to install the BIM-ALERT/VSE security exit for BIM-FAQS/PCS:

Step Action

1 Copy AXPX10.PHASE from the BIM-ALERT/VSE sublibrary into the BIM-FAQS/PCS sublibrary.

2 Rename the existing PCSSECX.PHASE in the BIM-FAQS/PCS sublibrary if you want to retain a copy of PCSSECX.PHASE.

3 Rename the copy of AXPX10.PHASE in the BIM-FAQS/PCS sublibrary to PCSSECX.PHASE.

Installing a Job-Submittal Security Exit for BIM-FAQS/PCS

Introduction

The job-submittal security exit provided by BIM-ALERT/VSE for BIM-FAQS/PCS allows you to assign a different user ID than &BATUSER to jobs submitted by the BIM-FAQS/PCS scheduler.

Valid Releases of BIM-FAQS/PCS

The job submittal security exit for BIM-FAQS/PCS is valid only for the following releases of BIM-FAQS/PCS:

Operating System  Required Release of BIM-FAQS/PCS
VSE/SP            3.7.1 or higher
VSE/ESA           4.0.1 or higher
z/VSE             5.3A or higher

Installation Procedure

Take the following steps to install the BIM-ALERT/VSE security exit for BIM-FAQS/PCS:

Step Action

1 Copy AXPX7.PHASE from the BIM-ALERT/VSE sublibrary into the BIM-FAQS/PCS sublibrary.

2 Rename the existing PCSEX2.PHASE in the BIM-FAQS/PCS sublibrary if you want to retain a copy of PCSEX2.PHASE.

3 Rename the copy of AXPX7.PHASE in the BIM-FAQS/PCS sublibrary to PCSEX2.PHASE.

Installing a Security Exit for CA-FAVER for VSE

Introduction

The CA-FAVER for VSE product backs up and restores VSAM clusters. CA-FAVER's method of accessing clusters for a backup operation bypasses the normal VSAM open process. Because this creates a security exposure, CA-FAVER provides a security exit for backup operations. (The CA-FAVER restore operation uses the normal VSAM open process, so it creates no security exposure.)

Valid Releases of CA-FAVER for VSE

The BIM-ALERT/VSE security exit for CA-FAVER is valid only for release 2.25 or higher of CA-FAVER for VSE.

Installation Procedure

Perform the following steps to install the BIM-ALERT/VSE security exit for CA-FAVER for VSE. Once these steps have been completed, the BIM-ALERT/VSE security exit is activated automatically each time CA-FAVER for VSE runs.

Step Action

1 Copy AXPX3.PHASE from the BIM-ALERT/VSE sublibrary into the CA-FAVER for VSE sublibrary.

2 Rename the copy of AXPX3.PHASE in the CA-FAVER for VSE sublibrary to GVSECURE.PHASE.

Installing a Security Exit for CA-MASTERCAT for VSE

Introduction

BIM-ALERT/VSE provides a security exit for CA-MASTERCAT for VSE’s online browse and edit functions.

Valid Releases of CA-MASTERCAT for VSE

The BIM-ALERT/VSE security exit for CA-MASTERCAT is valid only for release 2.9 or higher of CA-MASTERCAT for VSE.

Installation Procedure

Take the following steps to install the BIM-ALERT/VSE security exit for CA-MASTERCAT for VSE:

Step Action

1 Copy AXPX9.PHASE from the BIM-ALERT/VSE sublibrary into the CA-MASTERCAT for VSE sublibrary.

2 Rename the existing MCSECXIT.PHASE in the CA-MASTERCAT for VSE sublibrary if you want to retain a copy of MCSECXIT.PHASE.

3 Rename the copy of AXPX9.PHASE in the CA-MASTERCAT for VSE sublibrary to MCSECXIT.PHASE.

4 Add a SET SDL statement for MCSECXIT.PHASE to your BIM-ALERT/VSE startup JCL.

5 Add a SET SDL statement for AXPI21A.PHASE to your BIM-ALERT/VSE startup JCL.

6 Add a SET SDL statement for AXPI21B.PHASE to your BIM-ALERT/VSE startup JCL.

Installing a Security Exit for CA-XCOM

Introduction

BIM-ALERT/VSE provides an exit for securing CA-XCOM file transfers. Without this exit, BIM-ALERT can secure access to files by CA-XCOM, but has no way to prevent a user ID that has authority to open a file via CA-XCOM from transferring that file.

Installation Procedure

Take the following steps to install the BIM-ALERT/VSE security exit for CA-XCOM:

Step Action

1 Copy AXPX8.PHASE from the BIM-ALERT/VSE sublibrary into the CA-XCOM VSE sublibrary.

2 Rename the copy of AXPX8.PHASE in the CA-XCOM VSE sublibrary to CA-XCOMEX05.PHASE.

3 Add a SET SDL statement for AXPHV5.PHASE to the BIM-ALERT/VSE startup JCL.

3 Add a SET SDL statement for AXP121B.PHASE to the BIM-ALERT/VSE startup JCL.

4 Add JCL for executing program AXP121A to the BIM-ALERT/VSE startup JCL.

Installing a Security Exit for DITTO for VSE and DITTO/ESA

Introduction

BIM-ALERT/VSE provides the ability to secure commands of IBM’s Data Interfile Transfer, Testing, and Operations Utility for VSE (VSE/DITTO) and IBM’s Data Interfile Transfer, Testing, and Operations Utility/ESA (DITTO/ESA) products. When ALERT’s command level security for DITTO is active (DITTO= startup parameter is set to YES), BIM-ALERT phases AXPHDT8 and AXPHDT1 must be accessible to any job that executes DITTO.

DITSECUR User Exit with DITTO/ESA

DITTO/ESA provides an exit for securing commands that are executed within a DITTO/ESA session. This security exit, DITSECUR, is called when DITTO/ESA is executed in a batch partition, invoked by the Interactive User Interface (IUI), or the CICS/ESA 2.3 DITT transaction. BIM-ALERT/VSE provides an exit phase for the DITSECUR exit point to make authorization calls to BIM-ALERT when DITTO commands are being executed.

Installing DITTO Security

Take the following steps to install BIM-ALERT’s DITTO command level security:

Step Action

1 Make DITTO front-end phases accessible to all jobs that execute DITTO. Do one of the following:

• Include the BIM-ALERT sublibrary in each partition’s permanent LIBDEF SEARCH chain.

-OR-

• Copy phases AXPHDT8 and AXPHDT1 to the sublibrary where the DITTO phases reside.

2 If you run DITTO for VSE (pre-VSE/ESA 2.1), skip to Step 3a. Perform this step only if you run DITTO/ESA, which is provided with the 2.1 and later levels of VSE/ESA.

BIM-ALERT/VSE’s DITSECUR replacement module AXPX14 needs to be accessible to all jobs that execute DITTO. Perform either Step 2a, 2b, or 2c.

2a Method 1: Include ALERT sublibrary in permanent LIBDEF

1. Rename AXPX14.PHASE member in the BIM-ALERT/VSE sublibrary to DITSECUR.PHASE.

2. Include the BIM-ALERT sublibrary in each partition’s permanent LIBDEF SEARCH chain in front of the sublibrary where the DITTO phases reside.

2b Method 2: Move AXPX14 to DITTO sublibrary.

1. Copy AXPX14.PHASE member from the BIM-ALERT/VSE sublibrary to the sublibrary where the DITTO phases reside.

2. Rename IBM provided DITSECUR.PHASE member to any selected save name.

3. Rename AXPX14.PHASE to DITSECUR.PHASE.

2c Method 3: Put DITSECUR in SVA

1. Rename AXPX14.PHASE member in the BIM-ALERT/VSE sublibrary to DITSECUR.PHASE.

2. Add a SET SDL statement for DITSECUR.PHASE to the BIM-ALERT/VSE startup JCL.

3a Update ICCF procedures.

If you run DITTO for VSE (pre-VSE/ESA 2.1), proceed with this step. If you run DITTO/ESA, which is provided with the 2.1 and later levels of VSE/ESA, skip this step and go to Step 3b.

After you activate BIM-ALERT’s DITTO security, users can no longer initiate DITTO in an ICCF interactive session by directly executing the DITTO program. This restriction applies to the following types of ICCF commands, whether executed from the ICCF command line or inside an ICCF procedure or macro:

/LOAD DITTO

/RUN DITTO

$DITTO

These commands result in a BIM-ALERT security violation with reason code 1A. To avoid this security violation, users should substitute program AXPHDT8 for program DITTO in these commands. For example, you may need to update the DITTO procedure supplied by IBM in ICCF library 2 to include the statement /LOAD AXPHDT8 instead of /LOAD DITTO.

3b Perform this step only if you run DITTO/ESA, which is provided with the 2.1 and later levels of VSE/ESA.

The ICCF procedures that currently invoke DITTO will NOT need to be updated. However, the security administrator will need to authorize the CICS nucleus program DFHSIP to be able to load the DITTO phase. This requires a DITTO:EXECUTE resource rule. Refer to the BIM-ALERT/VSE Security Administrator's Guide for further information about setting up this resource rule.

Chapter 6. BIM-ALERT Operation

This chapter explains how to use BIM-ALERT’s logging and reporting programs, how to run VSE when BIM-ALERT/VSE is inactive, how to perform VSE maintenance while running BIM-ALERT/VSE, and how to manage $JOBEXIT phases. The last section deals with implementation issues for BIM-ALERT/CICS.

About This Chapter
BIM-ALERT Logging
    Managing the Log Data
    Log File Merge Utility ALRTL10
    Log File Purge Enqueue Mechanism
    Redefining the Log File
    When the Log File Is Full
    Logger Shutdown
    Controlling the Logger From a Batch Partition
Log File Report Program
    About The Log File Report Program
    Report Program Control Statements
    JCL and Control Statement Examples
SECID Summary Report Program
Audit File Report Program
About the VSE Data Security Environment
    Introduction
    Running Without BIM-ALERT/VSE Active
Performing VSE Maintenance with BIM-ALERT Active
    When Applying Maintenance
    Verifying Security Phases in IJSYSRS.SYSLIB
Managing $JOBEXIT Phases
    Introduction
    Guidelines
    Determining the Status of $JOBEXIT Phases
    Reloading a Local POWER JOBEXIT Program
Implementation Notes for BIM-ALERT/CICS
    Introduction
    Activating BIM-ALERT/CICS
    Implementing BIM-ALERT/CICS in an MRO Environment
    Running BIM-ALERT/CICS with the VSE/ESA Interactive User Interface

About This Chapter

This chapter contains information on the following topics:

• Maintaining BIM-ALERT log files and producing reports from them

• Running VSE when BIM-ALERT/VSE is inactive

• Maintaining the operating system while running BIM-ALERT/VSE

• Managing the $JOBEXIT phases

• Implementation notes for BIM-ALERT/CICS

BIM-ALERT Logging

Managing the Log Data

Introduction

BIM-ALERT's logger runs separately from the authorization checking routines. It can run as a subtask in any long-running partition (such as the POWER partition) or it can occupy a dedicated partition. The logger does not start automatically when you activate BIM-ALERT. You must take separate steps to activate the logger.

The logger writes data to a VSAM KSDS file named AXPLOG1. BIM-ALERT provides utility programs to help you move data from the AXPLOG1 VSAM file to a cumulative file, either on disk or on tape. It is recommended that you define relatively small allocations for the log file and frequently move the most current log data to a cumulative file using these utility programs.

Logging Activity Before the Logger Is Started

The logger runs either in a dedicated partition or in the POWER partition. Because batch security checking starts during the BG ASI procedure, before the POWER partition has been started, BIM-ALERT may need to generate log data before the logger is ready to record the data. When BIM-ALERT is in this state, it queues log data in the system GETVIS area, and this data remains there until the logger becomes active and is able to record it.

Conceivably, it could be a very long time before the logger is started, and a great deal of log data might accumulate in the system GETVIS area. To limit the amount of storage used in this manner, BIM-ALERT sets a threshold value of 32K for this data. Once this threshold is reached, BIM-ALERT stops queuing log data. When the logger becomes active, the data queued before BIM-ALERT reached the threshold is written to the log file, but data destined for the log file after that point is lost.

If BIM-ALERT has accumulated log data in the system GETVIS area and you do not plan to start the logger, the storage for this data can be freed using the FREEQ command of program ALRTL3. Refer to page 6-11 for an explanation of how to use this command.

Collecting Log File Data

The following chart outlines one approach to collecting the log file data. The sample jobstreams can be found in member COMJCF50.J in the BIM-ALERT residence library.

Job Step Name   Description
ALRT5010        Daily, merge the most current log data into a cumulative VSAM file. Then reset (empty) the current log file.
ALRT5020        Once each week, dump the cumulative file to tape and produce the reports specified by the security administrator. Then reset (empty) the cumulative log file.
ALRT5070        Once each month, combine the four or five weekly tapes into a monthly archive tape. Reports can also be produced if desired.

Other Log File Concerns

The BIM-ALERT logger is designed to be very flexible and easy to use and manage.

• Reports can be printed from the cumulative VSAM file (AXPLOG3) or the active VSAM file (AXPLOG1) at any time.
• Reports can be produced from a combination of the tape files and the cumulative VSAM file.
• If the log file fills up, it may be merged into the cumulative VSAM file at any time.

Other examples in residence library member COMJCF50.J illustrate reporting and archiving the log file data without use of the cumulative file.


Log File Merge Utility ALRTL10

Program ALRTL10 performs the following three functions:

• Resets (logically empties) the cumulative log file (AXPLOG3)
• Copies records from the active log file (AXPLOG1) into AXPLOG3
• Resets (logically empties) the current log file (AXPLOG1)

The value of the JCL EXEC PARM determines which function, or combination of functions, ALRTL10 performs. ALRTL10 recognizes the following values for EXEC PARM:

Field   Meaning
PARM='RESET'   Directs ALRTL10 to perform all three functions. First, the program resets AXPLOG3 (empties it). Then the program copies from AXPLOG1. Finally, the program resets AXPLOG1 (empties it).
PARM='NORESET' or PARM='' or PARM omitted   Directs ALRTL10 to copy records from AXPLOG1 and then reset AXPLOG1, but to skip resetting AXPLOG3. The records in AXPLOG1 are merged with those already present in AXPLOG3.
PARM='ONLYRESET'   Directs ALRTL10 to reset AXPLOG3, but to omit copying and resetting of AXPLOG1.

Impact of ALRTL10 on Logging Activity

Before ALRTL10 resets AXPLOG1, the logger temporarily suspends logging activity. While the logger is in this state, log requests are queued in the System GETVIS area. After ALRTL10 closes AXPLOG1 and reopens it with reset (logically empties it), the logger writes to AXPLOG1 any records that have been queued in the System GETVIS area. These records are not copied to AXPLOG3 during the current execution of ALRTL10. They remain in AXPLOG1 pending a subsequent execution of ALRTL10.

Example

The following example shows a JCL EXEC statement that resets AXPLOG3, copies records from AXPLOG1 to AXPLOG3, and then resets AXPLOG1. Member COMJCF50.J in the BIM-ALERT residence sublibrary shows a complete jobstream for executing the various functions of ALRTL10.

// EXEC ALRTL10,SIZE=ALRTL10,PARM='RESET'


Log File Purge Enqueue Mechanism

Introduction

ALRTL10 and other programs that access the log file use the VSE LOCK mechanism to control ownership of a resource named AXPLOGPURGE. This provides a systematic method of testing for and resolving conflicting access requests to the log file.

Read-Only Tasks Use a Shared Lock

Read-only tasks, such as the online log file display (DLOG) and the BIM-ALERT batch report writer program, request a shared lock before opening the log file. This shared lock prevents ALRTL10 from running while any of those read-only tasks are running, but it enables multiple read-only tasks to run concurrently. The logger can also run concurrently with read-only tasks, adding records to the log file while read-only tasks are reading the file.

ALRTL10 Uses an Exclusive Lock

At the beginning of the log file purge process, ALRTL10 opens the log file (AXPLOG1) for read access and copies it to the cumulative log file (AXPLOG3). While this copy operation is in progress, the logger still has the log file open for output, and it may add records to the log file. At the end of the copy operation, ALRTL10 signals the logger to temporarily close the log file and to suspend logging operations, so that ALRTL10 can copy any records that have been added, close the log file, and then open it with RESET to empty it. In order to do this open with RESET, ALRTL10 must have exclusive control of the log file -- no other task is permitted to have the log file open for any level of access.

Before beginning the copy operation, ALRTL10 issues an exclusive lock request for the AXPLOGPURGE resource. This ensures that it will be able to gain exclusive control of the log file, once it completes the copy operation. If DLOG or the report writer has the file open for read access when ALRTL10 requests the exclusive lock, ALRTL10's lock request is denied; ALRTL10 does not proceed until action is taken to release the locked resource. Similarly, once ALRTL10 owns the resource exclusively, if DLOG or the report writer requests the shared lock, that request is denied, and the DLOG or report writer task does not proceed.

If You Use Other Programs to Open the Log File

Only BIM-ALERT programs implement this AXPLOGPURGE locking mechanism. If you use any other programs, such as CEMT, to open and manipulate the log file, you may encounter problems if the file is left open while ALRTL10 is executing; see the description of message ALT177I in the BIM-ALERT Messages Guide.


Redefining the Log File

Introduction

It is possible to redefine the active log file (AXPLOG1) while BIM-ALERT is active. This may be necessary if you need to move the file or consolidate secondary extents. If this situation occurs, first run an ALRTL10 job to merge the current log data (AXPLOG1) into the cumulative log file (AXPLOG3) to ensure that no log records are lost.

Logger in a Dedicated Partition

The following chart outlines the steps needed to redefine the AXPLOG1 file if you run the logger in a dedicated partition. The sample jobstreams can be found in member COMJCF40.J in the BIM-ALERT residence library.

Job Step Name   Description
ALRT4030        ‘FORCE’ the logger partition to close the active log file AXPLOG1 and come to end-of-job using the ALRTL3 utility.
IDCAMS          Delete and redefine the AXPLOG1 cluster.
ALRT4010        Re-release the logger startup job stream.

Logger in the POWER Partition

The following chart outlines the steps needed to redefine the AXPLOG1 file if you run the logger in the POWER partition. The sample jobstreams can be found in member COMJCF40.J in the BIM-ALERT residence library.

Job Step Name   Description
ALRT4040        ‘IDLE’ the logger subtask in the POWER partition to close the active log file (AXPLOG1) using the ALRTL3 utility.
IDCAMS          Delete and redefine the AXPLOG1 cluster.
ALRT4045        ‘START’ the logger subtask in the POWER partition to resume normal BIM-ALERT logging activity using the ALRTL3 utility.


When the Log File Is Full

BIM-ALERT's Action

When the active log file (AXPLOG1) is full, the logger issues the following message:

ALT067I Log File Full Or Unusable.

After the ALT067I message occurs, BIM-ALERT is still active and security rules are still enforced. However, the logger does not attempt to write anything to the log file. Run a job similar to the Emergency Merge After Log File Fills job (ALRT4060) in member COMJCF40.J in the BIM-ALERT residence sublibrary. This empties the current log file and restarts the logger. After this job completes, the logger begins writing log records again.

WARNING!

During the period when the log file is full, the logger may write log information to the operator console on each logging request. Whether this action is taken depends upon the LOGFULL option selected at the time BIM-ALERT/VSE is started. Consult with the security administrator to determine whether this option is desirable.


Logger Shutdown

It is important to include BIM-ALERT logger shutdown JCL in your system shutdown process. Sample JCL to perform the BIM-ALERT logger shutdown can be found in member COMJCF40.J in the BIM-ALERT residence library. Orderly shutdown of the logger is important for the following reasons:

• The logger may have log data in its VSAM buffers. If the logger is shut down in an orderly fashion, then these buffers will be written out as part of the VSAM CLOSE process. If it is not shut down, this data will be lost.
• Each log record contains a serial number. At shutdown time, the logger records the next log serial number in the BIM-ALERT log file control record. If the logger is not shut down, the file may not contain the correct serial number.

Not shutting down the logger may result in a loss of log data.

The logger will also shut down when the POWER partition goes to end of job as a result of a PEND command. Be aware, however, that POWER requires that a number of conditions be met before it actually goes to end of job. For example, all PSTARTed partitions must be inactive and not waiting for any console reply. So just entering the PEND command does not itself shut down the logger. The POWER partition must complete its PEND processing and go to end of job before the logger will shut down automatically.


Chapter 6. BIM-ALERT Operation 6-11

Controlling the Logger From a Batch Partition

Using ALRTL3

Use program ALRTL3 to control the logger from a batch partition. The program may be executed from either SYSLOG or SYSRDR, and accepts commands from either device, depending upon where it is executed. The following commands are accepted by ALRTL3. They are entered one command per statement.

Command   Function
CLOSE     Use to direct the logger to close the log file (AXPLOG1) so that you can redefine it.
FORCE     Use to direct the logger to go to the end of the job. If the logger is running in the POWER partition, after a FORCE it is not possible to restart the logger without an IPL.
FREEQ     Use to free log data that has queued while BIM-ALERT was active and the logger was not active. Use this only when the logger is not yet active. After ALRTL3 processes this command, BIM-ALERT stops queuing log data even though the logger is not active. Data that was queued is discarded.
IDLE      Use to direct the logger to go into an inactive state, but not go to end of job.
INQUIRE   Use to determine the status of the logger and, if it is active, whether the log file is open.
RESET     This command is useful after the log file fills. At that point the logger is still active, but is not logging anything to the log file. After the log files have been emptied, RESET causes the logger to start logging again.
START     Use to direct the logger to start logging again when it is in the IDLE state.


INQUIRE Command Console Messages

In response to the INQUIRE command, program ALRTL3 displays message ALT102I on the system operator console. This message shows the status of the logger as ACTIVE, INACTIVE, or IDLE. Each is explained below.

Status     Meaning
ACTIVE     The logger has been activated. As log requests are received, the logger will write records to the log file, the operator console, or both.
INACTIVE   The logger is not receiving log requests because it was either never activated, or activated and subsequently shut down with an ALRTL3 FORCE.
IDLE       The logger was activated, but it was subsequently placed in an idle state by an ALRTL3 IDLE command. Log requests are ignored when the logger is IDLE.

Examples

Examples of JCL for executing ALRTL3 are included in member COMJCF50.J in the BIM-ALERT residence library.

When the Logger Has ACTIVE Status

If the logger is active, the logger program displays several messages on the system operator console when you execute an ALRTL3 INQUIRE command. The following messages can be displayed by the logger:

Message   Meaning
ALT062I Log File Is Open.   The log file is open.
ALT105I Log File Is Not Open.   The logger has closed the log file. The logger closes the file in response to a CLOSE or IDLE command from ALRTL3, and when the log file fills or becomes unusable for some other reason.
ALT067I Log File Is Full Or Unusable.   The logger has closed the log file because it filled or otherwise became unusable.

In addition to these messages, the logger displays messages that report current and historical statistics related to the logger's usage of storage. Use the statistical information to determine whether you need to make adjustments to the amount of storage available for the logger. For assistance in analyzing this information, contact BIM Technical Support.

For descriptions of all BIM-ALERT messages, refer to the BIM-ALERT Messages Guide.


Log File Report Program

About The Log File Report Program

Introduction

Program ALRTL7 writes reports from the log file data. It also performs an archiving function for log file data by merging together multiple input files of log data, as specified by the user.

This section describes operational aspects of the report program, including JCL requirements and control statement definition. The reports themselves are not illustrated here. For a complete description of the reports, refer to the BIM-ALERT Auditing and Report Writing Guide.

Excluding Archival Data from the Reports

Program ALRTL7 can perform both archiving and reporting in a single execution. In this type of operation, you can use the INCLUDE TAPEIN or EXCLUDE TAPEIN parameter to control whether the input archival data is included in the reports. If neither INCLUDE TAPEIN nor EXCLUDE TAPEIN is present, the default setting excludes the input archival data from the reports.

Partition Storage Requirements

The ALRTL7 program requires a minimum of 90K of partition storage (not GETVIS). To optimize performance of the SORT, at least 128K is recommended. Additional performance improvement may be obtained by increasing this above 128K, especially when a very large volume of log data is being processed.

The ALRTL7 program also uses partition GETVIS storage for input and output tape file buffers. Two buffers are used. The size of each is indicated by the BLKSIZE parameter. If VSAM YES is specified, the program will perform a VSAM OPEN, which requires substantial amounts of partition GETVIS. In general, a GETVIS area of about 128K is usually sufficient.


Device Assignments

The following table shows device assignments for program ALRTL7. Some of the assignments are used only if the related file is requested. For example, the TLBL LOG is required only if a TAPEIN parameter indicates that there is an input log tape file.

TLBL/DLBL    Description                Unit       Required?
LOG          Input tapes                SYS010     Optional
LOGOUT       Output tape                SYS013     Optional
AXPLOG3      Cumulative VSAM log file   n/a        Optional
AXPLOG1      Current VSAM log file      n/a        Optional
SORTWK1-n    Sort work files            SYS001-n   Required
n/a          Control statements         SYSRDR     Required
n/a          Printer                    SYSLST     Required

The program reads in all the input tape files before it opens the output tape file. So when both input and output tape files are specified, both may be assigned to the same device if desired.


Report Program Control Statements

General Syntax Rules

The first field of each control statement, the operation code, defines the type of statement. The operation code may start in any column, and is followed by one or more blank columns. The rest of the fields, or operands, in the control statement must be consistent with the type of statement indicated by the operation code. Multiple operands separated by commas are permitted. Continuation is not supported.

The following types of statements (operation codes) are recognized:

Statement        Description
TAPEIN           Describes input tapes
TAPEOUT          Describes output tapes
VSAM             Describes input VSAM log file
INCLUDE TAPEIN   Includes archival data in the reports
EXCLUDE TAPEIN   Omits archival data from reports
SELECT           Describes selection criteria for reports
REPORTS          Describes which reports to produce
DETAIL           Defines whether detail lines are printed
LINE             Defines number of print lines per page
BLKSIZE          Defines size of input and output tape blocks
WORK             Defines number of sort work files

Each type of control statement is explained in the following sections.

TAPEIN NO/nnn

The TAPEIN control statement specifies whether you want to read in any tape files of log data. NO indicates that you do not want to read in any tape file. nnn is a one- to three-digit number that indicates the number of tape files to be read in. If no TAPEIN control statement is supplied, the program defaults to TAPEIN NO.

When a tape file is to be read, the program requires a TLBL for a file named LOG, and an assignment for SYS010.


TAPEOUT NO/YES

The TAPEOUT control statement indicates whether an output tape is to be produced. If an output tape is produced, it will contain all of the input log data. If no TAPEOUT control statement is supplied, the program defaults to TAPEOUT NO.

When a tape file is to be produced, the program requires a TLBL for a file named LOGOUT and an assignment for SYS013.

VSAM YES/NO/AXPLOG1/AXPLOG3

This control statement indicates whether to include the following in the reports and the output archive file:

• Data from the current log file (AXPLOG1)
• Data from the cumulative log file (AXPLOG3)

Parameter        Meaning
YES or AXPLOG3   Indicates to include data from the cumulative log file.
NO               Indicates not to include data from either AXPLOG1 or AXPLOG3.
AXPLOG1          Indicates to include data from the current log file.

When you include data from AXPLOG1 or AXPLOG3, and you have also specified an input archive tape, you can choose whether to have the archival data included in the reports. If you do not specify the INCLUDE TAPEIN parameter, only data from AXPLOG1 or AXPLOG3 is included in the reports. Data from the input archive tapes is omitted from the reports.

Note that this exception applies only to the inclusion of data in the reports. Both the archival data and the AXPLOG1 or AXPLOG3 data are always included in the output archive tape file.


EXCLUDE TAPEIN or INCLUDE TAPEIN

This parameter indicates whether reports include data from the input archive tape files when there is also data from AXPLOG1 or AXPLOG3.

Command          Description
EXCLUDE TAPEIN   Indicates to omit the archival data from the reports. This is the default.
INCLUDE TAPEIN   Indicates to include data from the input archive tape files when there is also data from AXPLOG1 or AXPLOG3.

Note that this option applies only to the inclusion of data in the reports. Both the archival data and the AXPLOG1 or AXPLOG3 data are always included in the output archive tape file.

If there is no AXPLOG1 or AXPLOG3 data present (VSAM NO is specified), INCLUDE TAPEIN and EXCLUDE TAPEIN are still accepted but have no effect on the content of the reports.
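Because EXCLUDE TAPEIN is the default, a deck that reads archive tapes together with a VSAM log file produces reports that leave the tape data out. The following Python is an added example, not part of the guide or of BIM-ALERT, that applies the TAPEIN, TAPEOUT, VSAM and INCLUDE/EXCLUDE TAPEIN rules described above to a control-statement deck; the function names, result keys and sample decks are assumptions, and it assumes at most one VSAM statement per deck.

```python
"""Model of which ALRTL7 inputs reach the reports and the output archive tape."""

# VSAM operand -> log file that is read (None means no VSAM input).
VSAM_OPERANDS = {"YES": "AXPLOG3", "AXPLOG3": "AXPLOG3", "AXPLOG1": "AXPLOG1", "NO": None}

# Constructed sample deck (not taken from COMJCF50.J).
MONTHLY_ARCHIVE_DECK = """\
TAPEIN 4
TAPEOUT YES
VSAM YES
REPORTS ALL
/*
"""


def parse_deck(deck):
    """Split a deck into (operation code, operands) pairs."""
    pairs = []
    for line in deck.splitlines():
        text = line.strip()              # the operation code may start in any column
        if not text or text == "/*":     # blank line or end-of-data delimiter
            continue
        parts = text.split(None, 1)      # opcode, then one or more blanks, then operands
        operands = parts[1].strip().upper() if len(parts) > 1 else ""
        pairs.append((parts[0].upper(), operands))
    return pairs


def resolve_inputs(deck):
    """Return which inputs are eligible for reports and which are archived.

    "TAPEIN" is this example's label for the input archive tapes. Reports are
    printed only if a REPORTS statement is present; that is not modelled here.
    """
    tape_files, tapeout, vsam, include_tape = 0, False, None, False  # documented defaults
    for opcode, operands in parse_deck(deck):
        if opcode == "TAPEIN":
            if operands == "NO":
                tape_files = 0
            elif operands.isdigit() and len(operands) <= 3:
                tape_files = int(operands)
            else:
                raise ValueError(f"TAPEIN expects NO or nnn, got {operands!r}")
        elif opcode == "TAPEOUT":
            if operands not in ("YES", "NO"):
                raise ValueError(f"TAPEOUT expects YES or NO, got {operands!r}")
            tapeout = operands == "YES"
        elif opcode == "VSAM":
            if operands not in VSAM_OPERANDS:
                raise ValueError(f"unknown VSAM operand {operands!r}")
            vsam = VSAM_OPERANDS[operands]
        elif opcode in ("INCLUDE", "EXCLUDE"):
            if operands != "TAPEIN":
                raise ValueError(f"{opcode} expects TAPEIN, got {operands!r}")
            include_tape = opcode == "INCLUDE"
        # SELECT, REPORTS, DETAIL, LINE, BLKSIZE, WORK do not change the input set.

    inputs = (["TAPEIN"] if tape_files else []) + ([vsam] if vsam else [])
    if vsam and tape_files and not include_tape:
        reported = [vsam]                # archival data is left out of the reports
    else:
        reported = list(inputs)          # with VSAM NO, INCLUDE/EXCLUDE has no effect
    return {
        "reported": reported,
        "archived": list(inputs) if tapeout else [],   # output tape gets all input data
        "read_but_not_reported": [s for s in inputs if s not in reported],
    }


if __name__ == "__main__":
    print(resolve_inputs(MONTHLY_ARCHIVE_DECK))
```

A non-empty `read_but_not_reported` list is the case to review before relying on a report: the tape data was read and archived but did not appear in the printed output.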

SELECT

This type of control statement lets you limit the reports to certain classes of log records. If you omit the SELECT statement, all records will be selected. The following types of selection are defined:

Command         Description
SELECT DATE     Selection based on the date of the log event
SELECT ACTION   Selection based on the type of action that caused the log event
SELECT REASON   Selection based upon the type of rule that caused the log event
SELECT SECID    Selection based on the SECID in force when the log event occurred
SELECT USER     Selection based on the USER who submitted the job

Multiple control statements of each type may be present. For example, if you define several SELECT DATE type control statements, records matching any one of the date selection operands would be considered to satisfy the date selection criteria.

Any combination of the five types of SELECT statements may be present. In order for a record to be selected, it has to satisfy the selection criteria of at least one of the control statements of each type that is present.

Example: Suppose you define two SELECT DATE statements and one SELECT REASON statement. A record is selected only if it satisfies the SELECT REASON statement and also satisfies either one of the SELECT DATE statements.


SELECT DATE(aa/aa/aaaa-bb/bb/bbbb)

This form of the SELECT DATE parameter defines a range of dates. aa/aa/aaaa and bb/bb/bbbb are dates in the format mm/dd/yyyy. For a given record to be selected, its date must be less than or equal to bb/bb/bbbb and greater than or equal to aa/aa/aaaa.

SELECT DATE(LT/GT/EQ/LE/GE-mm/dd/yyyy)

This form of the SELECT DATE parameter selects records by applying a comparison operator between the date of the log event in each log record and the specified date. Valid comparison operators are as follows:

LT   Less than
GT   Greater than
EQ   Equal to
LE   Less than or equal to
GE   Greater than or equal to

Example: To select log records whose event date is equal to September 25, 1999, specify the following command:

SELECT DATE(EQ-09/25/1999)

SELECT ACTION(VIOLATION/MONITOR/LOG REQ/OVERRIDE)

The SELECT ACTION parameter selects records based upon the type of event that caused the log record to be written. The types of actions parallel those that can be specified on the Online Log File Selection Criteria screen (DLOG). They also reflect the EXC codes (V, M, and O) printed on the ALRTL7 reports, as follows:

Parameter   Description
VIOLATION   An access request was denied.
MONITOR     An access request would have been denied but was allowed because monitor mode was in effect.
OVERRIDE    Access was allowed. Emergency override was in effect.
LOG REQ     Access was allowed, but a log record was written for some other reason. For example, an access request matched a rule whose action code is L, or the global LOG ALL parameter was in effect.

For compatibility with previous releases of BIM-ALERT/VSE, ACTION(LOG) is considered valid and is equivalent to ACTION(LOG REQ). ACTION(CANCEL) is likewise considered valid, and is equivalent to ACTION(VIOLATION).


SELECT REASON(cc/ddd...ddd)

The SELECT REASON parameter selects records based upon either the reason code or the reason description, as follows:

• To select records based on the reason code, specify SELECT REASON(cc), where cc is the desired reason code.
• To select records based on the reason description, specify SELECT REASON(ddd...ddd), where ddd...ddd is the 16-character reason description, including any blank columns. (For compatibility with previous releases, which required entering underscores in place of blanks, the program continues to accept underscores and treats them as blanks.)

For a list of valid reason codes, the corresponding 16-character descriptions, and an explanation of each code, refer to the BIM-ALERT/VSE Security Administrator's Guide.

Example: The following control statement selects records for user profiles that are about to expire:

SELECT REASON(UPR EXPIRE WARN)

SELECT SECID(xxxxxxxx)

The SELECT SECID parameter selects records that are associated with the specified SECID. Enter a one- to eight-character SECID to be selected.

SELECT USER(xxxxxxxx)

The SELECT USER parameter selects records that are associated with the specified USER. Enter a one- to eight-character USER to be selected.
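The SELECT rules combine in a way that is easy to misread: statements of the same type are alternatives, while the different types present must all be satisfied. The following Python is an added example, not part of the guide or of BIM-ALERT, that parses SELECT statements in the forms described above and applies them to constructed log records; the record field names, the reason codes R1 to R3, the sample SECIDs and users, and the comparison of descriptions with trailing blanks ignored are assumptions.

```python
import re
from datetime import date, datetime

ACTIONS = {"VIOLATION", "MONITOR", "OVERRIDE", "LOG REQ"}
ACTION_ALIASES = {"LOG": "LOG REQ", "CANCEL": "VIOLATION"}  # older spellings still accepted
DATE_OPS = {
    "LT": lambda d, ref: d < ref,
    "GT": lambda d, ref: d > ref,
    "EQ": lambda d, ref: d == ref,
    "LE": lambda d, ref: d <= ref,
    "GE": lambda d, ref: d >= ref,
}
# The operation code may start in any column and is followed by one or more blanks.
SELECT_RE = re.compile(r"\s*SELECT\s+(DATE|ACTION|REASON|SECID|USER)\((.*)\)\s*")

# Constructed sample records. Field names and reason codes R1-R3 are placeholders,
# not the AXPLOG1 record layout or real BIM-ALERT reason codes.
RECORDS = [
    {"id": 1, "date": date(1999, 9, 25), "action": "LOG REQ", "reason_code": "R1",
     "reason_desc": "UPR EXPIRE WARN ", "secid": "PAYROLL", "user": "JSMITH"},
    {"id": 2, "date": date(1999, 10, 5), "action": "VIOLATION", "reason_code": "R2",
     "reason_desc": "SAMPLE REASON A ", "secid": "PAYROLL", "user": "JSMITH"},
    {"id": 3, "date": date(1999, 10, 20), "action": "MONITOR", "reason_code": "R1",
     "reason_desc": "UPR EXPIRE WARN ", "secid": "OPERATNS", "user": "MJONES"},
    {"id": 4, "date": date(1999, 10, 31), "action": "VIOLATION", "reason_code": "R3",
     "reason_desc": "SAMPLE REASON B ", "secid": "OPERATNS", "user": "MJONES"},
    {"id": 5, "date": date(1999, 11, 1), "action": "LOG REQ", "reason_code": "R1",
     "reason_desc": "UPR EXPIRE WARN ", "secid": "PAYROLL", "user": "JSMITH"},
]


def mdy(text):
    """Parse the mm/dd/yyyy date format used by SELECT DATE."""
    return datetime.strptime(text.strip(), "%m/%d/%Y").date()


def parse_select(stmt):
    """Turn one SELECT statement into (type, predicate over a record)."""
    m = SELECT_RE.fullmatch(stmt)
    if not m:
        raise ValueError(f"not a recognised SELECT statement: {stmt!r}")
    kind, arg = m.group(1), m.group(2).strip()
    if kind == "DATE":
        left, sep, right = arg.partition("-")
        if not sep:
            raise ValueError(f"SELECT DATE needs a '-' separator: {stmt!r}")
        if left in DATE_OPS:                       # DATE(EQ-mm/dd/yyyy) form
            op, ref = DATE_OPS[left], mdy(right)
            return kind, lambda rec: op(rec["date"], ref)
        low, high = mdy(left), mdy(right)          # DATE(from-to) form, inclusive
        return kind, lambda rec: low <= rec["date"] <= high
    if kind == "ACTION":
        wanted = ACTION_ALIASES.get(arg, arg)
        if wanted not in ACTIONS:
            raise ValueError(f"unknown action {arg!r}")
        return kind, lambda rec: rec["action"] == wanted
    if kind == "REASON":
        text = arg.replace("_", " ").rstrip()      # underscores are treated as blanks
        if len(text) <= 2:                         # REASON(cc): reason code
            return kind, lambda rec: rec["reason_code"] == text
        return kind, lambda rec: rec["reason_desc"].rstrip() == text
    if not 1 <= len(arg) <= 8:                     # SECID / USER: 1 to 8 characters
        raise ValueError(f"{kind} must be one to eight characters: {arg!r}")
    field = kind.lower()
    return kind, lambda rec: rec[field] == arg


def select(records, statements):
    """OR within each SELECT type, AND across the types that are present."""
    by_kind = {}
    for stmt in statements:
        kind, predicate = parse_select(stmt)
        by_kind.setdefault(kind, []).append(predicate)
    return [rec for rec in records
            if all(any(p(rec) for p in preds) for preds in by_kind.values())]


def selected_ids(statements):
    """Ids of the constructed RECORDS that the given statements select."""
    return [rec["id"] for rec in select(RECORDS, statements)]


if __name__ == "__main__":
    print(selected_ids(["SELECT DATE(10/01/1999-10/31/1999)", "SELECT ACTION(VIOLATION)"]))
```

Adding a second SELECT of the same type widens the selection, while adding a SELECT of a new type narrows it; an empty statement list selects every record.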


REPORTS

The REPORTS control statement specifies which reports are to be printed. Any combination of the valid operands, separated by a comma, may be specified on a single REPORTS control statement. The valid operands are as follows:

Parameter   Meaning
USER        Refers to the User Entry Report
DASDDS      Refers to the DASD Dataset Name Report
TAPEDS      Refers to the TAPE Dataset Name Report
RESOURCE    Refers to the Resource Class Report
STATUS      Refers to the Status Change Report
INTEGRITY   Refers to the Logfile Integrity Report
SIGNON      Refers to the CICS Signon/Signoff Report
CICSVIOL    Refers to the CICS Violation Report
ALL         Refers to all the reports

If no REPORTS statement is present, then no reports are printed.

LINE nn

Use the LINE parameter to specify the number of print lines per page. If no LINE parameter is present, the program defaults to the system line count value for the partition, which is established with the JCL SET LINECT=nn command.

BLKSIZE nnnnn

Use the BLKSIZE parameter to specify the blocksize of the input and output tape files. When no BLKSIZE parameter is present, the program defaults to BLKSIZE 4096.

WORK n

Use the WORK parameter to specify the number of sort work files. Remember that DLBL/EXTENT for SORTWK1/SYS001 through SORTWKn/SYS00n must be available.

DETAIL YES/NO

Use the DETAIL parameter to suppress detail lines on the DATASET NAME and RESOURCE CLASS reports. Specifying DETAIL NO directs the program to print only the dataset names (resource names). Individual SECIDs that accessed the dataset (resource) are not printed. In most cases this dramatically reduces the volume of printing. This type of report can be useful during the initial implementation of BIM-ALERT/VSE in order to determine what dataset names and what program names are being accessed.


JCL and Control Statement Examples

Several examples of JCL for ALRTL7 are cataloged in the BIM-ALERT residence library in member COMJCF50.J. The following example illustrates use of some of the control statements:

// EXEC ALRTL7,SIZE=128K
TAPEIN 1                              (1)
TAPEOUT NO                            (2)
SELECT DATE(10/01/1999-10/31/1999)    (3)
SELECT ACTION(VIOLATION)              (3)
REPORTS INTEGRITY,USER,DATASET        (4)
/*

The control statements in the preceding example indicate the following:

1. TAPEIN 1 directs the program to read a single tape file. Since no VSAM parameter is present, the program defaults to VSAM NO, which means that neither the AXPLOG1 VSAM file nor the AXPLOG3 VSAM file is read.

2. TAPEOUT NO directs the program not to produce an output tape.

3. Access violations that occurred between 10/01/1999 and 10/31/1999 are printed. No other records are printed.

4. Only the Logfile Integrity Report, the User Entry Report, and the Dataset Name Report are to be printed.


SECID Summary Report Program

Program ALRTL11 produces the SECID/USER Job Summary Report. Control statements for ALRTL11 are similar to those of ALRTL7, except that ALRTL11 does not accept:

• TAPEOUT statements
• REPORTS statements
• DETAIL statements


Audit File Report Program

Use program S1B100 to produce reports from the BIM-ALERT/VSE Audit File (S1SAUDT). Refer to the BIM-ALERT Auditing and Report Writing Guide for information about how to execute this program.


About the VSE Data Security Environment

Introduction

Definition

The term VSE Data Security refers to security facilities provided by the VSE operating system. VSE Data Security is included as part of the VSE operating system, but is activated only if requested during IPL (SEC=YES). BIM-ALERT/VSE relies on VSE Data Security being active in order to perform some of its functions. The SEC=YES environment causes some of the operating system components to behave differently. These differences may have an impact upon operations if BIM-ALERT/VSE has not been activated.

Tape Message Differences

VSE Data Security causes certain messages that may occur at tape-open time to be handled differently. Because of the method it uses to check tape labels, VSE Data Security forces the IGNORE response to several messages to be rejected.

BIM-ALERT/VSE employs a different method of checking tape labels. As a result, BIM-ALERT/VSE can permit the IGNORE responses without risking any security exposure. IGNORE is a valid response for the following messages when BIM-ALERT/VSE is active, even though in the normal VSE Data Security environment IGNORE would not be permitted:

4111D NO VOL1 LBL FOUND
4112D VOL SERIAL NO. ERROR
4113D NO HDR1 LBL FOUND
4115D FILE SER. NO. ERROR
4118D FILE ID ERROR, READBK
4119D FILE UNEXPIRED
4123D WRONG POSITN, READBK
4125D VOL1 LBL FOUND
4128I ACCESS TO FILE NOT ALLOWED
4132D ERROR IN FILE ID
4133D ERROR IN HDR LBL

Even though BIM-ALERT/VSE permits an IGNORE response to these messages, the security administrator may define a rule that restricts this type of processing. In such a case, the job may be canceled after you enter the IGNORE response.


Multi-File Tape Volumes

Permitting an unlabeled tape file to be opened with no rewind presents a security exposure. It permits someone to access a protected labeled dataset simply by forward spacing past the tape label, defining it as an unlabeled file, and then opening it with no rewind.

To cover this security exposure, VSE Data Security prohibits opening any unlabeled tape file with no rewind. Only certain programs (predetermined by VSE) are permitted to process such volumes. Unfortunately, this also restricts legitimate processing by any other program of multiple unlabeled tape files contained on a single volume, since these files can only be processed by opening them with no rewind.

BIM-ALERT/VSE handles this potential security exposure differently. The security administrator can define under what circumstances this type of tape processing is permitted. This approach provides greater operational flexibility.

Logical Transients

Logical transient programs are those fetched using SVC 2. These programs automatically run in storage protect key zero. For this reason, VSE Data Security restricts access to this facility. This is implemented by restricting the right to catalog any program whose name starts with $$B, and then by canceling any program that uses SVC 2 to fetch a program whose name does not start with $$B.

BIM-ALERT/VSE lifts this restriction. A BIM-ALERT/VSE startup parameter is available to cause this restriction to be enforced if that mode of operation is preferred.


ID Statements

For VSE Prior to Version 1.3

In VSE releases prior to 1.3, VSE regards the ID statement as invalid unless the system is IPLed with SEC=YES. If an ID statement is found in a jobstream, Job Control displays an error message and requires the operator to intervene before permitting the job to continue. If you keep jobstreams that contain ID cards in the POWER reader, these jobs will require operator intervention if you run them without SEC=YES.

Also in VSE prior to version 1.3, Job Control requires the user ID on the ID statement to be exactly 4 characters and the password to be 3 to 6 characters. BIM-ALERT supports 8-character user IDs and passwords from 1 to 8 characters. If you run without BIM-ALERT active, jobstreams that contain ID statements from BIM-ALERT's submittal monitors may be regarded by VSE as invalid and will either require operator intervention or be canceled by Job Control.

For VSE Version 1.3 and Above

In version 1.3 and above, VSE ignores ID statements when the system is IPLed with SEC=NO, and no operator intervention is required. VSE/ESA version 1.3 supports the 8-character user ID, but supports passwords of only 3 to 6 characters. If you IPL with SEC=YES and BIM-ALERT is not active, some jobs may be canceled by Job Control.


Running Without BIM-ALERT/VSE Active

If you IPL with SEC=YES but do not activate BIM-ALERT/VSE, the restrictions discussed above will not be lifted, and the following will apply:

You will not be able to respond IGNORE to certain tape messages.

You will not be able to process multi-file unlabeled tapes.

Programs using SVC 2 for non-$$B phases will be canceled.

Jobs may cancel or require operator intervention because they contain ID statements.

If you need to run without BIM-ALERT/VSE active, but with SEC=YES specified, you should temporarily activate BIM-ALERT/VSE and then immediately deactivate it. BIM-ALERT/VSE's lifting of these restrictions will remain intact, even though BIM-ALERT/VSE itself has been deactivated.

In VSE/ESA version 1.3, the IPL parameter SEC=NOTAPE changes the way tape-open processing deals with tape message differences and with multi-file unlabeled tapes. In general, the tape restrictions described above for SEC=YES do not apply when SEC=(YES,NOTAPE) is specified.


Performing VSE Maintenance with BIM-ALERT Active

When Applying Maintenance

Recommendations

Applying maintenance can conflict with BIM-ALERT's operation. It is recommended that

You run BIM-ALERT in monitor mode while you apply maintenance to your VSE operating system.

You IPL after applying maintenance.

You execute AXPN4 before and after applying maintenance to verify phases in IJSYSRS.

The following sections explain these recommendations in more detail.

Why Run BIM-ALERT in Monitor Mode?

In general, BIM-ALERT does not interfere with the application of VSE operating system maintenance, such as PTF tapes and Fast Service Upgrades. Nevertheless, this type of activity may deviate from some of the standards that are prescribed for your operation and that you have incorporated into your security rules. For example, Maintain System History Program (MSHP) jobstreams may create temporary libraries, sublibraries, and library members, or datasets that deviate from your standards, and your BIM-ALERT security rules may cause these jobs to cancel.

Because of the difficulty in determining beforehand just what libraries and so on MSHP is going to create, you should turn on BIM-ALERT monitor mode during this type of activity.

JCL for Monitor Mode with Full Logging

To turn on monitor mode with full logging, use JCL similar to the following:

// EXEC PROC=AXPPROC
// EXEC AXPI1
MONITOR=(ALL,LOGALL)
/*


JCL for Monitor Mode with Violation Logging

To turn on monitor mode with logging of only requests that are violations, use JCL similar to the following:

// EXEC AXPI1
MONITOR=(ALL)
/*

Why IPL After Applying Maintenance?

BIM-ALERT front-ends the following modules that are resident in the SVA:

IKQVCAT
IKQVOPEN
$IJJGMSG
$IJJTTOP
$IJJHCVH

If the system maintenance activity reloads any of these phases, BIM-ALERT's front-end becomes ineffective, and BIM-ALERT stops making the security checks associated with the reloaded module. For this reason, we recommend that you IPL after applying any maintenance that might reload any VSE modules into the SVA.


Verifying Security Phases in IJSYSRS.SYSLIB

VSE Security Phases and BIM-ALERT Replacement Phases


BIM-ALERT/VSE supplies replacement phases for certain programs that are usually present in IJSYSRS.SYSLIB. BIM-ALERT's replacement phases are needed when you activate BIM-ALERT (by executing AXPI1); they must be present in IJSYSRS.SYSLIB at IPL time or you will not be able to activate BIM-ALERT. These phases also ease the impact of IPLing with SEC=YES before activating BIM-ALERT.

Whenever VSE system maintenance is performed and the System Residence library is rebuilt, provision is made to restore to the rebuilt library any installation-specific phases that need to be resident there. VSE's method of restoring such phases is to copy phases from a library called PRD2.SAVE into IJSYSRS.SYSLIB. All members present in PRD2.SAVE will automatically be restored to the rebuilt IJSYSRS.SYSLIB.

When you install BIM-ALERT/VSE, the phases that BIM-ALERT puts into IJSYSRS.SYSLIB, as well as the ones that BIM-ALERT replaces, are copied into PRD2.SAVE. Later, when you perform VSE system maintenance, these phases will automatically be restored into IJSYSRS.SYSLIB.

Because of the importance of retaining BIM-ALERT's replacement phases in IJSYSRS.SYSLIB and PRD2.SAVE, we provide a program (AXPN4) to access these phases from each of these libraries and analyze whether the BIM-ALERT replacements and the renamed phases are as expected. We recommend that you execute this program both before and after performing VSE system maintenance.

Program AXPN4 displays a report showing the status of each phase, and it sets a return code to indicate the overall result of the analysis. Following is a list of the phases and what their content should be in each of the libraries after installing BIM-ALERT/VSE.

Phase Contents

The following table shows each phase name and describes what each member should contain in IJSYSRS.SYSLIB and PRD2.SAVE after BIM-ALERT/VSE is installed:

Phase Name    Expected Contents
$SYSOPEN      The BIM-ALERT phase.
AXP$OPEN      The VSE phase.
DTSECJCL      The VSE phase. This phase is critical only for VSE/ESA version 1.3, and is not present in PRD2.SAVE.
DTSECTAB      The BIM-ALERT phase.
XTSECTAB      The VSE phase. This phase is not required and may not be present at all.

Executing AXPN4


Use JCL similar to the following to execute AXPN4:

// EXEC PROC=AXPPROC
// EXEC AXPN4
/&

This will produce a one-page report on SYSLST and set the JCL return code to one of the values described in the next section.

AXPN4 can also dump the contents of the phases on SYSLST. To obtain both the one-page report and a dump of the phases, execute AXPN4 as follows:

// EXEC AXPN4,PARM='DUMP'

Return Codes from AXPN4

Return Code: 0
Meaning: All of the phases expected in IJSYSRS.SYSLIB and in PRD2.SAVE were found, and their contents were as expected.
Recommended Action: None.

Return Code: 2
Meaning: A non-critical phase was not found or a phase's contents were not as expected. Usually this return code indicates that the XTSECTAB phase is not present.
Recommended Action: None.

Return Code: 8
Meaning: The phases in PRD2.SAVE were not as expected. The phases in IJSYSRS.SYSLIB are intact, but they may be replaced by incorrect phases from PRD2.SAVE the next time you perform VSE system maintenance.
Recommended Action: Take steps to copy the correct phases into PRD2.SAVE as soon as possible.

Return Code: 12
Meaning: At least one of the phases required to be in IJSYSRS was not found, or its contents were not as expected. The phases in IJSYSRS.SYSLIB are not as expected, and will probably cause problems when you IPL.
Recommended Action: Take steps to copy the correct phases into IJSYSRS.SYSLIB immediately.


Sample Report

The following example was run on VSE/ESA version 1.2. Note that the phase DTSECJCL is not present.

B I MOYLE ASSOCIATES, INC. BIM-ALERT/VSE 5.0A AXPN4 - SCAN IJSYSRS PHASES - 04/21/1998 10.35.48 ESA/05.11
DTSECTAB IN IJSYSRS.SYSLIB IS FOUND
XTSECTAB IN IJSYSRS.SYSLIB IS FOUND
$SYSOPEN IN IJSYSRS.SYSLIB IS BIM-ALERT PHASE
AXP$OPEN IN IJSYSRS.SYSLIB IS VSE PHASE
DTSECTAB IN PRD2.SAVE NOT FOUND EXPECTED TO FIND
XTSECTAB IN PRD2.SAVE NOT FOUND EXPECTED TO FIND
$SYSOPEN IN PRD2.SAVE NOT FOUND EXPECTED BIM-ALERT PHASE
AXP$OPEN IN PRD2.SAVE NOT FOUND EXPECTED VSE PHASE
*END OF REPORT* RC=0008
* EXPLANATION OF RETURN CODE *
ONE OF THE PHASES IN PRD2.SAVE WAS NOT FOUND, OR WAS FOUND TO NOT BE THE CORRECT VERSION.
IF VSE MAINTENANCE REBUILDS IJSYSRS, THE PHASE MAY BE LOST,
AND PROBLEMS MAY OCCUR WHEN YOU IPL WITH SEC=YES.
** CONTACT B I MOYLE ASSOCIATES **

The following example was run on VSE/ESA version 1.3. Note that the phase DTSECJCL is present.

B I MOYLE ASSOCIATES, INC. BIM-ALERT/VSE 5.0A AXPN4 - SCAN IJSYSRS PHASES - 04/21/1998 10.46.13 ESA/05
DTSECTAB IN IJSYSRS.SYSLIB IS FOUND
XTSECTAB IN IJSYSRS.SYSLIB IS FOUND
DTSECJCL IN IJSYSRS.SYSLIB IS VSE PHASE
$SYSOPEN IN IJSYSRS.SYSLIB IS BIM-ALERT PHASE
AXP$OPEN IN IJSYSRS.SYSLIB IS VSE PHASE
DTSECTAB IN PRD2.SAVE IS FOUND
XTSECTAB IN PRD2.SAVE IS FOUND
DTSECJCL IN PRD2.SAVE NOT FOUND
$SYSOPEN IN PRD2.SAVE IS BIM-ALERT PHASE
AXP$OPEN IN PRD2.SAVE IS VSE PHASE
*END OF REPORT* RC=0000
* EXPLANATION OF RETURN CODE *
ALL PHASES EXPECTED IN IJSYSRS AND PRD2 WERE FOUND,
AND ALL WERE THE EXPECTED VERSION.
THIS IS THE NORMAL RETURN CODE. NO CORRECTIVE ACTION IS REQUIRED.
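The before-and-after AXPN4 check recommended in this section can be automated off-host from saved SYSLST output. The following Python is an added example, not part of BIM-ALERT or of this guide: it parses the phase lines, recomputes the severity from them, compares it with the RC line, and lists phases whose status changed between two runs. The severity mapping is a reading of the return-code table above rather than AXPN4's own logic, and all function names are hypothetical.

```python
import re

# Status text AXPN4 prints when a phase is as expected (taken from the phase
# table and the sample reports on this page).
EXPECTED = {
    "$SYSOPEN": "IS BIM-ALERT PHASE",
    "AXP$OPEN": "IS VSE PHASE",
    "DTSECJCL": "IS VSE PHASE",
    "DTSECTAB": "IS FOUND",
    "XTSECTAB": "IS FOUND",
}
NON_CRITICAL = {"XTSECTAB"}  # "not required and may not be present at all"
PHASE_LINE = re.compile(r"^(\S+) IN (IJSYSRS\.SYSLIB|PRD2\.SAVE) (.+)$")
RC_LINE = re.compile(r"\*END OF REPORT\* RC=(\d{4})")

# Phase lines and RC line copied from the two sample reports on this page.
REPORT_VSE12 = """\
DTSECTAB IN IJSYSRS.SYSLIB IS FOUND
XTSECTAB IN IJSYSRS.SYSLIB IS FOUND
$SYSOPEN IN IJSYSRS.SYSLIB IS BIM-ALERT PHASE
AXP$OPEN IN IJSYSRS.SYSLIB IS VSE PHASE
DTSECTAB IN PRD2.SAVE NOT FOUND EXPECTED TO FIND
XTSECTAB IN PRD2.SAVE NOT FOUND EXPECTED TO FIND
$SYSOPEN IN PRD2.SAVE NOT FOUND EXPECTED BIM-ALERT PHASE
AXP$OPEN IN PRD2.SAVE NOT FOUND EXPECTED VSE PHASE
*END OF REPORT* RC=0008
"""
REPORT_VSE13 = """\
DTSECTAB IN IJSYSRS.SYSLIB IS FOUND
XTSECTAB IN IJSYSRS.SYSLIB IS FOUND
DTSECJCL IN IJSYSRS.SYSLIB IS VSE PHASE
$SYSOPEN IN IJSYSRS.SYSLIB IS BIM-ALERT PHASE
AXP$OPEN IN IJSYSRS.SYSLIB IS VSE PHASE
DTSECTAB IN PRD2.SAVE IS FOUND
XTSECTAB IN PRD2.SAVE IS FOUND
DTSECJCL IN PRD2.SAVE NOT FOUND
$SYSOPEN IN PRD2.SAVE IS BIM-ALERT PHASE
AXP$OPEN IN PRD2.SAVE IS VSE PHASE
*END OF REPORT* RC=0000
"""


def parse_axpn4(report):
    """Return ({(library, phase): status}, reported_rc) from AXPN4 SYSLST text."""
    statuses, reported_rc = {}, None
    for raw in report.splitlines():
        line = " ".join(raw.split())  # collapse print-column spacing
        m = PHASE_LINE.match(line)
        if m and m.group(1) in EXPECTED:
            statuses[(m.group(2), m.group(1))] = m.group(3)
            continue
        m = RC_LINE.search(line)
        if m:
            reported_rc = int(m.group(1))
    return statuses, reported_rc


def assess(statuses, vse_1_3):
    """Recompute the severity (0, 2, 8 or 12) and list the deviating phases."""
    rc, problems = 0, []
    for library, weight in (("IJSYSRS.SYSLIB", 12), ("PRD2.SAVE", 8)):
        for phase, want in EXPECTED.items():
            if phase == "DTSECJCL" and (library == "PRD2.SAVE" or not vse_1_3):
                continue  # critical only on VSE/ESA 1.3; never kept in PRD2.SAVE
            got = statuses.get((library, phase), "NO REPORT LINE")
            if got == want:
                continue
            problems.append(f"{phase} in {library}: {got}")
            rc = max(rc, 2 if phase in NON_CRITICAL else weight)
    return rc, problems


def changed(before, after):
    """(library, phase) pairs whose status differs between two parsed runs."""
    return sorted(k for k in set(before) | set(after)
                  if before.get(k) != after.get(k))


if __name__ == "__main__":
    for name, text, is_13 in (("1.2", REPORT_VSE12, False),
                              ("1.3", REPORT_VSE13, True)):
        statuses, reported = parse_axpn4(text)
        rc, problems = assess(statuses, is_13)
        print(f"VSE/ESA {name}: reported RC={reported}, recomputed RC={rc}")
        for p in problems:
            print("   ", p)
```

A recomputed value that disagrees with the RC line means the saved listing is incomplete or the mapping assumption does not hold for that release, so treat the listing itself as suspect before acting on it.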


Managing $JOBEXIT Phases

Introduction

Should You Read This Section?

The information in this section applies only to version 1.2 and higher of VSE/ESA. If you are running a version of VSE prior to VSE/ESA version 1.2, you can ignore this section.

Background

BIM-ALERT/VSE (as well as many other products) relies on $JOBEXIT processing to perform certain JCL-related functions. In the past, because VSE did not support multiple $JOBEXIT phases, these products employed other methods for installing their $JOBEXIT phases. The most common methods were SDL renames (sometimes called soft renames), hooking or front-ending FETCH, and (rarely) hard renaming of the $JOBEXIT phase. While these methods required dynamic hooks or other undesirable modifications to the operating system, most possessed the redeeming quality of being transparent to the user, and for the most part they relieved the user of maintaining and managing this process.

Starting with version 1.2 of ESA, VSE provides built-in support for multiple $JOBEXIT programs. VSE's method of implementing this support renders BIM-ALERT's technique for installing its $JOBEXIT phase ineffective. Unfortunately, the new VSE method also places the burden of managing and maintaining this process entirely on the systems programmer or other administrator of the operating system.

VSE's built-in support provides for a list of exit phase names to be given control at $JOBEXIT time. This list is called the JCLLUSEX list, and it is cataloged into IJSYSRS.SYSLIB under the name $JOBEXIT.PHASE. To specify an exit phase, you add its name to the JCLLUSEX source code, re-assemble it, and re-catalog it into IJSYSRS.SYSLIB as $JOBEXIT.PHASE. The exit phase names are fixed. Each name must be of the form $JOBEX0n.PHASE, where n is a number from 0 to 9. These phases must also reside in IJSYSRS.SYSLIB.


Compatibility with Other Products' $JOBEXIT Programs

BIM-ALERT's method of installing its $JOBEXIT program complies fully with IBM's documented standard for this process, which permits up to 10 separate exit programs. Thus, BIM-ALERT's exit program can be expected to coexist with other vendor products that also employ the standard procedure. Products that deviate from the standard procedure may cause BIM-ALERT's exit program to be bypassed or to be invoked in a way that is not expected by the BIM-ALERT program, and this may cause problems with the correct operation of the BIM-ALERT product.


Guidelines

Introduction

The following are some guidelines for maintaining and managing your $JOBEXIT phases under VSE/ESA 1.2 and above.

Phases Must be Cataloged into IJSYSRS

The $JOBEXIT.PHASE and each of the $JOBEX0n.PHASEs must be cataloged into IJSYSRS.SYSLIB. They will not work if you catalog them into a private sublibrary, if they are not present in any sublibrary, or if they are present in both IJSYSRS.SYSLIB and a private sublibrary that is LIBDEFed at the time you do the SET SDL. Furthermore, each $JOBEX0n.PHASE must be loaded into the SVA at IPL time with a SET SDL command.

If these requirements are not fulfilled, the Job Control processor disables all $JOBEXIT processing, and none of the exit phases are given control.

Keep Copies of All Your $JOBEXIT Phases in PRD2.SAVE

Keep current copies of $JOBEXIT and each of the $JOBEX0n phases in PRD2.SAVE. A good way to ensure this practice is to set up your JCLLUSEX assembly jobstream such that its output is cataloged into PRD2.SAVE and then copied into IJSYSRS.SYSLIB, along with the associated $JOBEX0n phases.

Verify $JOBEXIT Phases after System Maintenance

Any VSE system maintenance that completely rebuilds IJSYSRS is supposed to automatically restore phases from PRD2.SAVE as part of the maintenance process. If you have copied your $JOBEXIT phase and all $JOBEX0n phases to PRD2.SAVE, these should be restored automatically by this process. Nevertheless, after this or any other type of system maintenance, you should verify that your $JOBEXIT and $JOBEX0n phases are intact, before using the new system in a production environment.

Almost Any $JOBEX0n Phasename is OK for BIM-ALERT

The sample JCL uses $JOBEX01.PHASE for the name of the BIM-ALERT $JOBEXIT phase. Although you can use any name that conforms to the $JOBEX0n.PHASE format expected by VSE, it is recommended that you do not use $JOBEX00 because certain other programs dynamically use $JOBEX00 without explicitly placing it in the JCLLUSEX list.


Specify Your Local Exit Phase in the JCLLUSEX Phase

In addition to supporting the JCLLUSEX.PHASE list of $JOBEXIT phases as described briefly above, VSE supports specifying a single phase under the name $JOBEXIT.PHASE. When the Job Control processor loads $JOBEXIT.PHASE, it examines the first 8 bytes of the phase to determine whether it is a list of $JOBEX0n phase names. If the first 8 bytes do not contain the characters JCLLUSEX, the Job Control processor simply passes control to that single $JOBEXIT.PHASE, and does not attempt to locate or pass control to any other exit phases.

If you currently have only a single exit phase (either a local exit or one from some other third-party product), and it is cataloged as $JOBEXIT.PHASE, you must rename it to a $JOBEX0n.PHASE name and specify that name in your JCLLUSEX list along with the BIM-ALERT phase. Then assemble and catalog the JCLLUSEX.PHASE as $JOBEXIT.PHASE as illustrated in the JCL examples in the BIM-ALERT sublibrary.

Avoid Disabling the $JOBEXIT Phases

If you catalog an invalid $JOBEXIT list and do a SET SDL for it, the VSE Job Control processor disables all $JOBEXIT processing. None of the exit phases named in the list will gain control at $JOBEXIT time. The following are some of the errors that will produce an invalid $JOBEXIT list:

Specifying an exit name in JCLLUSEX that is not resident in IJSYSRS.SYSLIB

Specifying an exit name in JCLLUSEX that is not resident in the SVA

Failing to start the JCLLUSEX assembly with the DC for JCLLUSEX

Failing to end the JCLLUSEX assembly with the DC for X'FFFFFFFF'

Any of these errors will cause Job Control to disable $JOBEXIT list processing at the time you do the SET SDL for the invalid $JOBEXIT phase.

VSE also provides a command to disable all $JOBEXIT processing. If you must use this command, you should first deactivate BIM-ALERT, or put the system in BIM-ALERT MONITOR mode.

Jobs Will Cancel If BIM-ALERT's $JOBEXIT Is Not Present

If $JOBEXIT processing has been disabled, or if you do not add BIM-ALERT's $JOBEXIT to the JCLLUSEX list, BIM-ALERT is unable to obtain the user ID for each job. Instead, BIM-ALERT assigns each job a fictitious user ID of NO-AXP, which it then uses to develop the SECID. Most likely, that SECID will not be permitted to access any protected resource, and most jobs will be canceled.


Determining the Status of $JOBEXIT Phases

Listing $JOBEXIT Phases

You can determine the status of the $JOBEXIT phases by executing the JCLEXIT job control command, as follows:

// JOB JCLEXIT
JCLEXIT
/&

The preceding JCL produces a display like the following on the VSE system console:

BG 000 1U76I PHASE NAME IDENTIFIER STATE
BG 000 1U76I $JOBEXIT TABLE
BG 000 1U76I $JOBEX00 AXPHJ3 ENABLED
BG 000 1U76I $JOBEX01 DUMMY-1 ENABLED
BG 000 1U76I $JOBEX02 TSIDJCL ENABLED

WARNING!

The IDENTIFIER column in the report shows the constant you specified for each phase name in your $JOBEXIT list assembly. However, if another product employs a non-standard procedure for installing its $JOBEXIT program, the JCLEXIT report may not show the true status of each program in your assembly.

Determining If BIM-ALERT's $JOBEXIT Program Is Active

To determine whether BIM-ALERT's $JOBEXIT program is active, execute a jobstream like the following:

// JOB AXPBR14
// OPTION LOG
// EXEC PROC=AXPPROC
// EXEC AXPBR14
/*
/&

This JCL produces printed output on SYSLST similar to the following:

// EXEC PROC=AXPPROC
[ Statements from AXPPROC ]
EOP AXPPROC
// EXEC AXPBR14,PARM='AXPHJ3 nnnnnnnn'
1S55I LAST RETURN CODE WAS 0000

nnnnnnnn is the load address of BIM-ALERT's $JOBEXIT program in the SVA. If BIM-ALERT's $JOBEXIT program is not active, the EXEC AXPBR14 statement does not show the PARM. Note that you need the OPTION LOG to cause this information to be logged on SYSLST.
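Because the JCLEXIT display may not show the true status, it is worth cross-checking it against the AXPBR14 listing after every IPL or maintenance run. The following Python is an added example, not part of BIM-ALERT or of this guide: it parses both outputs and reports the conditions this section warns about. It assumes that AXPHJ3 is the identifier of BIM-ALERT's exit (as in the samples above) and that the load address prints as 8 hexadecimal digits; the address in the sample listing is constructed, and the function names and finding codes are hypothetical.

```python
import re

BIM_ALERT_ID = "AXPHJ3"  # assumption: identifier of BIM-ALERT's exit, as in the samples
ENTRY = re.compile(r"1U76I\s+(\$JOBEX\S*)\s+(\S+)\s+(\S+)\s*$")
SLOT = re.compile(r"^\$JOBEX0[0-9]$")
AXPBR14 = re.compile(
    r"//\s+EXEC\s+AXPBR14(?:,PARM='(\S+)\s+([0-9A-Fa-f]{8})')?\s*$")

# Console display copied from this page.
CONSOLE = """\
BG 000 1U76I PHASE NAME IDENTIFIER STATE
BG 000 1U76I $JOBEXIT TABLE
BG 000 1U76I $JOBEX00 AXPHJ3 ENABLED
BG 000 1U76I $JOBEX01 DUMMY-1 ENABLED
BG 000 1U76I $JOBEX02 TSIDJCL ENABLED
"""
# SYSLST listings in the page's format; the load address is a constructed value.
SYSLST_ACTIVE = """\
// EXEC PROC=AXPPROC
EOP AXPPROC
// EXEC AXPBR14,PARM='AXPHJ3 0041A2C8'
1S55I LAST RETURN CODE WAS 0000
"""
SYSLST_INACTIVE = """\
// EXEC PROC=AXPPROC
EOP AXPPROC
// EXEC AXPBR14
1S55I LAST RETURN CODE WAS 0000
"""


def parse_jclexit(console):
    """Return [(phase, identifier, state)] from the 1U76I lines of a JCLEXIT display."""
    entries = []
    for line in console.splitlines():
        m = ENTRY.search(line)  # header and "$JOBEXIT TABLE" lines do not match
        if m:
            entries.append(m.groups())
    return entries


def exit_load_address(syslst):
    """SVA load address shown in the logged EXEC AXPBR14 PARM, or None if absent."""
    for line in syslst.splitlines():
        m = AXPBR14.search(line.strip())
        if m and m.group(1) == BIM_ALERT_ID:
            return m.group(2)
    return None


def check_jobexit(console, syslst):
    """Return [(code, message)] for the conditions this section warns about."""
    findings = []
    entries = parse_jclexit(console)
    if not entries:
        findings.append(("NO_LIST", "no $JOBEX0n entries listed; if $JOBEXIT "
                         "processing is disabled, jobs get user ID NO-AXP"))
    for phase, _, _ in entries:
        if not SLOT.match(phase):
            findings.append(("BAD_NAME", f"{phase} is not of the form $JOBEX0n"))
    ours = [e for e in entries if e[1] == BIM_ALERT_ID]
    if entries and not ours:
        findings.append(("NOT_LISTED", f"{BIM_ALERT_ID} is not in the list"))
    for phase, _, state in ours:
        if state != "ENABLED":
            findings.append(("NOT_ENABLED", f"{phase} state is {state}"))
        if phase == "$JOBEX00":
            findings.append(("SLOT_00", "BIM-ALERT exit is in $JOBEX00, which "
                             "other programs may use dynamically"))
    if exit_load_address(syslst) is None:
        findings.append(("NOT_ACTIVE", "EXEC AXPBR14 shows no PARM, so the "
                         "BIM-ALERT exit is not active, whatever JCLEXIT lists"))
    return findings


if __name__ == "__main__":
    for code, message in check_jobexit(CONSOLE, SYSLST_INACTIVE):
        print(f"{code}: {message}")
```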


Reloading a Local POWER JOBEXIT Program

Introduction

Once you have activated BIM-ALERT's POWER JOBEXIT program, it is generally unnecessary to reload it. However, if you employ a JOBEXIT of your own, you may occasionally want to reload your program (to perform maintenance to it, for example).

Procedure

If you have your own POWER JOBEXIT program, you must use the following procedure to reload it:

1. Execute the program AXPHP6B using the following JCL:

EXEC AXPHP6B,PARM='PLOAD JOBEXIT,xxxxxxxx,nnnnn'

Replace xxxxxxxx with the name of your exit program. Replace nnnnn with the size of the work area required by your exit program.

2. If you are enlarging the size of your exit program’s work area, stop all RDR tasks by issuing the following AR command for each RDR device:

PSTOP,cuu

3. Issue the following AR command:

PLOAD JOBEXIT,AXPHP6,nnnnn

Replace nnnnn with the size of the work area required by your exit program plus 256.

4. If you are enlarging the size of your exit program’s work area, start all RDR tasks by issuing the following AR command for each RDR device:

PSTART RDR,cuu


Implementation Notes for BIM-ALERT/CICS

Introduction

Should You Read This Section?

This section contains information about how to initially implement BIM-ALERT/CICS, and more detailed discussions about using BIM-ALERT/CICS in an MRO environment or with the VSE/ESA Interactive User Interface (IUI).


Activating BIM-ALERT/CICS

Introduction

This section outlines the steps you should take to initially activate BIM-ALERT/CICS.

Step 1

To activate BIM-ALERT/CICS, the CICS system must be restarted in order to include the new PCT, PPT, and FCT table entries.

Before You Use the PLT Start Up Method

Do not use the PLT startup method until you have had a chance to define the main administrator and two secured terminals that require operator sign-ons. The SIT parameter PLTPI=NO can be specified to prevent automatic startup of BIM-ALERT/CICS. If your installation must run a PLTPI module, be sure to exclude the BIM-ALERT/CICS entry for your initial startup to allow you to add the necessary resources.

Step 2

After CICS has been reinitialized, specify the BIM-ALERT/CICS system parameters by using the SCTY subtransaction UPAR, which can be selected from the SCTY System Functions Menu.

Step 3

Specify the permanent security options that are to be used when BIM-ALERT/CICS is activated by the PLTPI entry. The permanent options are read only by the PLTPI startup process. Once BIM-ALERT/CICS has been activated, the main administrator can change the current options as necessary.

Changing the permanent options affects only automatic startups caused by the PLTPI option; it has no effect on the current CICS session. For information on using the SCTY subtransaction UPOP, refer to the BIM-ALERT/CICS Security Administrator's Guide.

Step 4

You are ready to begin loading the security profiles for your installation. Once you complete this process, you can activate BIM-ALERT/CICS with the SCTY sub-transaction UCOP, as described in the BIM-ALERT/CICS Security Administrator's Guide.


Implementing BIM-ALERT/CICS in an MRO Environment

Introduction

BIM-ALERT/CICS is designed to secure an MRO complex with a single set of security tables. These tables must be built in the SVA in order to allow all partitions in the MRO complex to access them. Handling MRO in this way allows BIM-ALERT/CICS to

Use less storage because one set of security tables secures several CICS partitions

Provide security with low overhead because the tables are accessible in memory from all partitions and no I/O or cross-partition services are necessary to perform security

Provide a single sign-on to all CICS partitions in the MRO complex because all partitions are looking at the same table to determine sign-on information.


Procedure

Several steps, which have been mentioned throughout this manual and elsewhere in the BIM-ALERT/CICS Security Administrator's Guide, are necessary to implement BIM-ALERT/CICS so that it executes correctly in the MRO environment. The following table shows all of the steps necessary to implement BIM-ALERT/CICS so that it will function correctly in the MRO environment. We cannot guarantee that BIM-ALERT/CICS will function correctly in this environment if you do not set it up following these guidelines.

Step 1
Action: Update SYSIDNT information in the ALRTFCTM copybook and reassemble your FCTs.
Reference: New users refer to page 3-34. Current users refer to page 3-77.

Step 2
Action: Put S1SCNTRx modules in the SVA.
Reference: New users refer to page 3-79. Current users refer to page 3-36.

Step 3
Action: Update the CONTROL SUFFIX to a non-zero number.
Reference: Refer to the section on system parameters in the BIM-ALERT/CICS Security Administrator's Guide.

Step 4
Action: Ensure the PLT startup phase contains the correct startup program. The TOR must use program S1S001T as the startup program, and the AORs must use S1S001P. Ensure the PLT shutdown phase contains the shutdown program S1S998.
Reference: Refer to members ALRTPLT.A, ALRTPLTM.A and ALRTPLTS.A in the BIM-ALERT residence library.

Step 5
Action: Check your DLBL statements in the different startups to ensure the correct files are defined.
Reference: Refer to page 3-65.

Step 6
Action: Set up a S1U010 job to clear the shared tables.
Reference: Refer to the section on S1U010 in the BIM-ALERT/CICS Security Administrator's Guide.

Step 7
Action: Shut down and restart all CICSs in the MRO complex to implement the security throughout the MRO complex.
Reference: None.


Running BIM-ALERT/CICS with the VSE/ESA Interactive User Interface

BIM-ALERT/CICS provides a method of interfacing with the Interactive User Interface (IUI) of VSE/ESA at sign-on time that preserves all the features of both systems, fully secures the IUI functions with standard BIM-ALERT/CICS security facilities, and requires only a single user sign-on. For information about this interface, refer to the BIM-ALERT/CICS Security Administrator's Guide.


Chapter 7. BIM-ALERT/VSE Utility Programs

This chapter explains how to use BIM-ALERT/VSE’s utility programs.

AXPI9X Utility
AXPU1 Utility
AXPU2 and AXPU5 Utilities
    Introduction
    AXPU2 Utility
    AXPU5 Utility
AXPU4 Utility
    Introduction
    Control Statements
    Syntax for Control Statements
    Format for Control Statements
    Special Character Sequences in Library Records
    Running AXPU4 During IPL/ASI


AXPI9X Utility

Purpose

AXPI9X sets a JCL parameter called AXPSYS to one of two values, depending upon the JCL EXEC PARM that is specified when AXPI9X is executed.

• If AXPI9X is executed with no EXEC PARM specified, it sets AXPSYS to the value of the serial number of the CPUID where it is executed.

• If AXPI9X is executed with an EXEC PARM, it sets AXPSYS to the value specified in the EXEC PARM that corresponds to the serial number of the CPUID where it is executed. If the CPUID where it is executed is not defined in the EXEC PARM, AXPSYS is set to UNKNOWN.

You can use AXPI9X in any jobstream where you need to execute JCL conditionally, based upon the CPUID where the job executes. A typical use of AXPI9X is in BIM-ALERT's AXPPROC, when you share IJSYSRS between several systems that run BIM-ALERT.

Format

The AXPI9X EXEC PARM has the following format:

    cpu1:value1 cpu2:value2 cpun:valuen ...

Operand | Description
cpu1, cpu2, ... cpun | The serial number portion of a 12-character CPUID, which occupies positions 3 through 8 of the CPUID. For example, the serial number portion of the CPUID FF98765490210000 is 987654. In the AXPI9X EXEC PARM, you can specify the serial number as either a five-digit number or a six-digit number. If you specify a five-digit number, AXPI9X assumes that the serial number has a leading zero.
value1, value2, ... valuen | One- to eight-character string to be set when AXPI9X executes on the corresponding CPUID.

Each cpun:valuen combination is separated from the next by either a comma or a blank.


Examples

The following example illustrates executing AXPI9X with an EXEC PARM value. If AXPI9X is executed on the CPU with serial number 500094, AXPSYS is set to TEST. If AXPI9X is executed on the CPU with serial number 400689, AXPSYS is set to PROD. If AXPI9X is executed on any other CPU, AXPSYS is set to UNKNOWN.

    // EXEC AXPI9X,PARM='500094:TEST 400689:PROD'
    // IF AXPSYS = 'TEST' THEN
    // GOTO TEST
    // IF AXPSYS = 'PROD' THEN
    // GOTO PROD
    // IF AXPSYS = 'UNKNOWN' THEN
    // GOTO UNKNOWN
    * INCONSISTENT VALUE RETURNED BY AXPI9X
    // GOTO $EOJ
    /. TEST
    * EXECUTING ON CPU "TEST"
    // EXEC PROC=AXPPROCT      <- execute proc for test cpu 500094
    // GOTO $EOJ
    /. PROD
    * EXECUTING ON CPU "PROD"
    // EXEC PROC=AXPPROCP      <- execute proc for prod cpu 400689
    // GOTO $EOJ
    /. UNKNOWN
    * EXECUTING ON UNKNOWN CPU
    // GOTO $EOJ
    /&

The following example illustrates executing AXPI9X without an EXEC PARM value. In this case, AXPSYS is set to the serial number of the CPU where AXPI9X is executed.

    // EXEC AXPI9X
    // IF AXPSYS = '500094' THEN
    // GOTO TEST
    // IF AXPSYS = '400689' THEN
    // GOTO PROD
    // GOTO UNKNOWN            <- neither 500094 nor 400689
    /. TEST
    * EXECUTING ON CPU "TEST"
    // EXEC PROC=AXPPROCT      <- execute proc for test cpu 500094
    // GOTO $EOJ
    /. PROD
    * EXECUTING ON CPU "PROD"
    // EXEC PROC=AXPPROCP      <- execute proc for prod cpu 400689
    // GOTO $EOJ
    /. UNKNOWN
    * EXECUTING ON UNKNOWN CPU
    // GOTO $EOJ
    /&


Return Code Values Set by AXPI9X

AXPI9X sets a non-zero return code for unusual or unexpected conditions. The following return code values can be set by AXPI9X:

Code | Meaning
0 | One of the following: a CPUID corresponding to the execution CPUID was found in the EXEC PARM, and AXPSYS has been set to the specified value; or no EXEC PARM was specified, and the AXPSYS parameter has been set to the execution CPUID itself.
4 | An EXEC PARM was specified, but no CPUID was found that corresponds to the execution CPUID. AXPSYS has been set to UNKNOWN.
8 | The EXEC PARM is invalid. AXPSYS has been set to INVALID.
12 | Module $IJBPROC was not found in the SVA. AXPSYS has not been set.
16 | Module $IJBPROC failed. Value of AXPSYS is unpredictable.
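The PARM lookup and return codes 0, 4 and 8 described above can be checked off-line before a PARM string goes into a shared AXPPROC. The following Python model is an added example, not BIM-ALERT code: the function names are hypothetical, and because the guide does not say what AXPI9X treats as an invalid PARM, the validity rules (a colon in every pair, five or six digits, a one- to eight-character value, no duplicate serial numbers) are assumptions.

```python
"""Off-line model of the AXPI9X EXEC PARM lookup (added example)."""
import re

RC_OK, RC_UNKNOWN, RC_INVALID = 0, 4, 8      # codes from the guide's table
RESERVED = {"UNKNOWN", "INVALID"}            # values AXPI9X sets by itself


def serial_from_cpuid(cpuid):
    """Serial number = positions 3 through 8 (1-based) of the CPUID."""
    if len(cpuid) < 8:
        raise ValueError("CPUID too short to contain a serial number")
    return cpuid[2:8]


def parse_parm(parm):
    """Parse 'cpu1:value1 cpu2:value2 ...' into {six-digit serial: value}.

    Pairs are separated by a comma or a blank. The rejection rules are
    assumptions; the guide only says an invalid PARM yields return code 8.
    """
    mapping = {}
    for pair in re.split(r"[ ,]+", parm.strip()):
        cpu, colon, value = pair.partition(":")
        if not colon or not re.fullmatch(r"\d{5,6}", cpu):
            raise ValueError(f"bad cpu:value pair {pair!r}")
        if not 1 <= len(value) <= 8 or ":" in value:
            raise ValueError(f"value must be 1-8 characters in {pair!r}")
        serial = cpu.zfill(6)                # five digits: leading zero assumed
        if serial in mapping:
            raise ValueError(f"serial {serial} listed twice")
        mapping[serial] = value
    return mapping


def resolve_axpsys(cpuid, parm=None):
    """Return (AXPSYS, return code) as the guide describes for codes 0, 4, 8."""
    serial = serial_from_cpuid(cpuid)
    if parm is None or not parm.strip():
        return serial, RC_OK                 # no PARM: AXPSYS is the serial
    try:
        mapping = parse_parm(parm)
    except ValueError:
        return "INVALID", RC_INVALID
    if serial in mapping:
        return mapping[serial], RC_OK
    return "UNKNOWN", RC_UNKNOWN


def audit_parm(parm):
    """Flag values that a // IF test could not tell apart from a failure."""
    return [f"{serial}: value {value!r} collides with a status AXPI9X sets"
            for serial, value in parse_parm(parm).items() if value in RESERVED]


if __name__ == "__main__":
    # Constructed CPUIDs built around the serial numbers used in the guide.
    for cpuid in ("FF50009490210000", "FF40068990210000", "FF98765490210000"):
        print(cpuid, resolve_axpsys(cpuid, "500094:TEST 400689:PROD"))
```

A branch for every value the model can return, plus a fall-through that ends the job, mirrors the structure of the first JCL example in this section.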


AXPU1 Utility

Purpose

From time to time, it is useful to look at phases that are resident in the SVA. The AXPU1 utility accepts a phase name, finds the phase in the SVA, and dumps it to SYSLST using the PDUMP macro. For example, you can use AXPU1 to do the following:

• Dump the currently active rules table or program AXPS1. AXPU1 is especially useful in this case, because these phases are not listed in the SDL even though they are resident in the system GETVIS area.

• Obtain a machine-readable dump of a phase in the SVA by assigning SYSLST to a tape.

AXPU1 is especially useful for installations that do not have BIM-FAQS or some other storage display utility.

To Execute AXPU1

To use AXPU1, execute the following JCL:

    // EXEC PROC=AXPPROC      (or, LIBDEF SEARCH for BIM-ALERT sublibrary)
    // EXEC AXPU1

AXPU1 prompts for the name of the phase from the system operator console. Enter either the name of the phase, or +RULES to dump the currently active rules table.

To Terminate AXPU1

Enter END to terminate AXPU1.


AXPU2 and AXPU5 Utilities

Introduction

Purpose

Programs AXPU2 and AXPU5 both are designed to insert an ID card into a jobstream that is generated using PUN DISP=I, such as a two-stage CICS command-level compile jobstream. The ID statement contains the user ID of the user who submitted the AXPU2 execution.

AXPU2, AXPU5, and IESINSRT

At the time AXPU2 was conceived, the IESINSRT program was not known to exist, so AXPU2 does not use the IESINSRT convention for translating escape characters in input cards. Instead, AXPU2 employs a convention similar to that of the CA-FLEE GSERV component.

To use an existing IESINSRT jobstream with AXPU2, it is necessary to convert the JCL to make use of the AXPU2 conventions for input card escape characters. While this may not be a huge undertaking, it can be annoying and, furthermore, if the content of the IESINSRT jobstream is not under the direct control of the user (such as a jobstream generated by the Interactive Interface), converting the JCL may not even be possible.

Program AXPU5 has been developed as a replacement for AXPU2. The only difference between the two programs is that AXPU5 recognizes the escape characters of IESINSRT.


AXPU2 Utility

Purpose

AXPU2 inserts an ID statement into a jobstream that is generated with PUN DISP=I. The ID statement contains the USERID of the user who submitted the AXPU2 execution.

The program reads input cards from IJSYSIN and punches them back out to SYSPCH. In order to avoid putting an ID statement after a // JOB card that will be cataloged into a library, AXPU2 inserts its ID statement only after the first // JOB in each POWER jobstream that it processes. This feature lets the program communicate across multiple executions of the program within a single VSE job. Interstep communication is accomplished through a partition-based work area in the SVA.

The most common use of DISP=I is to wrap JCL around data that is produced on SYSPCH by some other process, such as the CICS command level preprocessor. Such jobstreams typically look something like this:

    * PUN DISP=I
    EXEC AXPU2
    (Opening JECL/JCL)
    EXEC DFHECPxx
    (Input data for the pre-processor)
    EXEC AXPU2
    (Closing JECL/JCL)
    /*
    /&

Note that the second execution of AXPU2 just reproduces the input JECL/JCL and does not insert an ID statement because normally it would not find another $$ JOB statement at that point.

Input to AXPU2

Input to AXPU2 may be prefixed with two equal signs to keep Job Control from getting confused about * $$ JOB statements, // JOB statements, and the like. If AXPU2 encounters an input card that has == in columns 1-2, it shifts the entire 78 columns (3-80) left 2 columns, leaving columns 79 and 80 blank. Input is delimited by either /* or /&.


Handling of PDEST/DEST Parameters

If a PDEST or PUN DEST parameter is specified, the jobstream does not execute on the processor where the DISP=I job is executed. It instead is routed to the VSE machine specified by the DEST/PDEST parameter. When DEST/PDEST is specified, AXPU2 searches phase AXPU2B for the target NODE.USERID. If the target is not listed in AXPU2B, the program does not insert the ID statement.

Use MSHP to add entries to phase AXPU2B. The first 4 bytes of phase AXPU2B are reserved to define the size of the list. Start entries at location +C and then at every 16 bytes thereafter. You can add up to 20 entries.

NODE and USERID are both defined as eight characters each. Each entry is a NODE.USERID pair. Use an asterisk to force a match on NODE or USERID. Node LOCAL is reserved, so that you can code an entry that will match when DEST=(, userid) is specified.

Example

The following MSHP statements add BIM.VSE and BIM.VSE2 to AXPU2B:

    CORRECT 2885-ALT-00-50A : AO40398
    RESOLVES 'NODE.USERIDs for AXPU2B'
    AFFECTS PHASE=AXPU2B
    ALTER C 00000000000000000000000000000000 : 'BIM     VSE     '
    ALTER 1C 00000000000000000000000000000000 : 'BIM     VSE2    '

Integrity Checks Performed by AXPU2

In order to discourage use of this module as a tool for determining the ID encryption algorithm, or as a means of generating a jobstream containing someone else's already-encrypted ID statement, the program uses the following armor:

• If the SYSPCH device is not spooled with DISP=I, an ID statement is not inserted.

• If security is not active, an ID statement is not inserted.

• If the jobstream contains a DEST or PDEST parameter that routes the output jobstream to a VSE machine not listed in phase AXPU2B, an ID statement is not inserted.

If the program determines not to insert the ID statement, it does not cancel, but simply reproduces the input cards.
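Because the AXPU2B list decides which remote destinations still receive an ID statement, it is worth generating and reviewing its entries mechanically instead of counting columns by hand. The following Python model is an added example, not BIM-ALERT code: the function names are hypothetical, the entry layout (blank-padded eight-character NODE followed by eight-character USERID) follows the description above, and the all-zero verify field assumes the slot is unused, as in the guide's example.

```python
"""Model of the AXPU2B NODE.USERID list (added example)."""

FIRST_ENTRY = 0xC      # entries start at location +C
ENTRY_SIZE = 16        # eight-byte NODE followed by eight-byte USERID
MAX_ENTRIES = 20       # the guide allows up to 20 entries


def _field(name):
    """Upper-case a NODE or USERID and blank-pad it to eight characters."""
    name = name.strip().upper()
    if not 1 <= len(name) <= 8 or "'" in name or " " in name:
        raise ValueError(f"not a one- to eight-character name: {name!r}")
    return name.ljust(8)


def entry_offset(index):
    """Offset of entry number `index` (0-based) inside phase AXPU2B."""
    if not 0 <= index < MAX_ENTRIES:
        raise ValueError("AXPU2B holds at most 20 entries")
    return FIRST_ENTRY + ENTRY_SIZE * index


def mshp_alter_lines(entries, first_free=0):
    """Build ALTER statements in the layout of the guide's example.

    `first_free` is the first unused slot; the verify field of zeros is
    only correct for a slot that has never been filled (assumption).
    """
    lines = []
    for index, (node, userid) in enumerate(entries, first_free):
        lines.append(f"ALTER {entry_offset(index):X} {'0' * 32} : "
                     f"'{_field(node)}{_field(userid)}'")
    return lines


def destination_allowed(entries, node, userid):
    """True when DEST/PDEST (node, userid) matches an entry.

    An asterisk in an entry field matches anything; a missing node, as in
    DEST=(,userid), is looked up under the reserved node name LOCAL.
    """
    target = (_field(node or "LOCAL"), _field(userid))
    for entry in entries:
        wanted = (_field(entry[0]), _field(entry[1]))
        if all(w.strip() == "*" or w == t for w, t in zip(wanted, target)):
            return True
    return False


def wildcard_entries(entries):
    """Entries with an asterisk in either field, for reviewer attention."""
    return [(n, u) for n, u in entries if "*" in (n.strip(), u.strip())]


if __name__ == "__main__":
    guide_entries = [("BIM", "VSE"), ("BIM", "VSE2")]   # from the guide
    print("\n".join(mshp_alter_lines(guide_entries)))
    print(destination_allowed(guide_entries, "BIM", "VSE2"))
```

Any entry that `wildcard_entries` returns widens the set of machines that receive an ID statement, so it deserves an explicit justification during review.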


AXPU5 Utility

Purpose

Program AXPU5 performs the same functions as AXPU2. The only difference between the two programs is that AXPU5 recognizes the escape characters of IESINSRT.

To Use AXPU5 Instead of IESINSRT

To use AXPU5 in place of IESINSRT, do one of the following:

• Change existing jobstreams to execute AXPU5 in place of IESINSRT.

• Rename AXPU5.PHASE to IESINSRT.PHASE so that AXPU5 is automatically executed in place of IESINSRT.

In either case, program AXPU5 must be moved to a sublibrary that is available to any jobstream that needs to execute IESINSRT.


AXPU4 Utility

Introduction

Purpose

Program AXPU4 is a replacement for VSE/SP utility DTRIINIT. It performs the following activities:

• Reads a VSE library member
• Inserts a BIM-ALERT ID statement
• Puts the jobstream into the POWER RDR queue

If the program finds an ID statement already present in the library member, it omits that statement from the job. The library member can contain multiple POWER jobs, and each POWER job can contain multiple VSE jobs (// JOB). AXPU4 inserts an ID statement after the first VSE // JOB in each POWER job.

No validation is performed on the JCL and JECL statements in the library member, and no JCL or JECL (except the ID statement) is added. If no JECL JOB statement is present, the jobstream will assume default JECL characteristics, such as JNM=AUTONAME.

Under VSE/ESA 1.3 or above, program AXPU4 does not insert an ID statement to identify the submittor. Instead, the program authorizes itself as a trusted submittal process to the operating system and identifies the submittor using an operating system control block.


Control Statements

The program reads control statements from SYSIPT or SYSLOG and logs them on SYSLST. The following table shows the types of statements allowed:

Statement | Description
ACTION | Selects the LOG, TEST, and CONTINUE options
USER | Specifies a user ID for the inserted ID statement
ACCESS | Specifies the name of the VSE sublibrary where the members to be submitted reside
LOAD | Specifies the name of a library member to be submitted


Syntax for Control Statements

The following rules apply to control statements:

• The control statement type (ACTION, USER, ACCESS, or LOAD) can begin in any column.

• The control statement type must be separated from the first operand by one or more blank columns.

• Multiple operands are separated from one another by one or more blank columns.

• After the last (or only) operand, a comment can be indicated with a slash followed by an asterisk (/*). The program ignores any characters that follow /*. For example, in the following statements the program would ignore the string this is a comment, but would flag as invalid the characters this is invalid.

    ACTION LOG /*this is a comment
    ACTION LOG this is invalid


Format for Control Statements

ACTION Statement (Optional)

Description

The ACTION statement is optional, and follows these rules:

• Only one ACTION statement is permitted.
• The ACTION statement must precede the first ACCESS statement.

Syntax

    ACTION {CONTINUE} {LOG} {TEST}

Operands

Operand | Meaning
CONTINUE | If the member specified by the LOAD statement is not found, the program is to continue with the rest of the control statements. The LOAD statement is described on page 7-15.
LOG | Directs the program to print a listing of the jobstreams on SYSLST (in addition to placing the jobstream in the POWER reader queue). The listing shows an 80-character image of each statement in the jobstream, plus a code to indicate the source and disposition of each statement.
TEST | Suppresses the output jobstream; the jobstream is not placed in the POWER reader queue. LOG and TEST can be used together to produce a listing of the jobstream without placing it into the reader queue.


USER Statement (Optional)

Description

The USER statement is optional, and follows these rules:

• Only one USER statement is permitted.
• The USER statement must precede the first ACCESS statement.

Syntax

    USER userid logonsource

Operands

Operand | Meaning
userid | Replace with a one- to eight-character user ID.
logonsource | Replace with a one-character logon source code for the specified user ID. Any one-character value is accepted. The following codes are predefined: C = CMS logon; A = BIM-ALERT/CICS logon; O = CICS operator ID (BIM-ALERT/CICS not present); I = ICCF logon; J = JCLMAN logon.

For ESA 1.3 and higher, no logon source code is required. If one is specified, it is ignored.

Default

If no USER statement is present, the program uses the user ID and the logon source code of the AXPU4 user (the user who submitted the job to execute AXPU4).

If BIM-ALERT Is Not Active

If you execute AXPU4 when BIM-ALERT is not active, AXPU4 is unable to validate the submittor's authorization level, so it will submit the job with the user ID NO-SEC instead of the one specified in the USER statement.


ACCESS Statement (At Least One Required)

Syntax

    ACCESS lib.sublib

Operand

Operand | Meaning
lib.sublib | Replace with a one- to seven-character library name, followed by a period, followed by a one- to eight-character sublibrary name. This operand designates the sublibrary that you want AXPU4 to retrieve members from.

Placement

Multiple ACCESS and LOAD statements are permitted. An ACCESS statement defines the sublibrary for all LOAD statements that follow it, up to the next ACCESS statement.

LOAD Statement (At Least One Required)

Syntax

    LOAD membername.membertype

Operand

Operand | Meaning
membername.membertype | Replace with a one- to eight-character membername, followed by a period, followed by a one- to eight-character membertype. This operand specifies the name of the library member to be placed in the reader queue. A LOAD statement can include only one membername.membertype operand.

Placement

Multiple ACCESS and LOAD statements are permitted. An ACCESS statement defines the sublibrary for all LOAD statements that follow it, up to the next ACCESS statement.
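An AXPU4 control deck decides which library members are queued and under which user ID, so it is a natural thing to lint before it runs. The following Python checker is an added example, not BIM-ALERT code: it applies the syntax, ordering and length rules given above for ACTION, USER, ACCESS and LOAD, all names in it are hypothetical, and treating a LOAD with no preceding ACCESS as an error is an inference from the placement rule.

```python
"""Linter for AXPU4 control statements (added example)."""
import re

ACTION_OPTIONS = {"CONTINUE", "LOG", "TEST"}
LIB_RE = re.compile(r"[^.\s]{1,7}\.[^.\s]{1,8}")       # lib.sublib
MEMBER_RE = re.compile(r"[^.\s]{1,8}\.[^.\s]{1,8}")    # membername.membertype

# Control statements copied from the guide's own AXPU4 example job.
GUIDE_DECK = ["ACTION LOG", "USER FRED C", "ACCESS PRODLIB.JCL",
              "LOAD TESTU4.JCL1", "LOAD TESTU4.JCL2", "/*"]


def lint_deck(records):
    """Return (plan, errors); errors are (record number, message) pairs."""
    plan = {"options": set(), "user": None, "loads": []}
    errors = []
    count = {"ACTION": 0, "USER": 0, "ACCESS": 0, "LOAD": 0}
    sublib = None                      # set by the most recent valid ACCESS

    for number, record in enumerate(records, 1):
        # Text after /* is a comment; a record holding only /* is skipped.
        words = record.split("/*", 1)[0].split()
        if not words:
            continue
        kind, operands = words[0], words[1:]
        if kind not in count:
            errors.append((number, f"unknown statement type {kind!r}"))
            continue
        count[kind] += 1

        if kind in ("ACTION", "USER"):
            if count[kind] > 1:
                errors.append((number, f"only one {kind} statement is permitted"))
            if count["ACCESS"]:
                errors.append((number, f"{kind} must precede the first ACCESS"))

        if kind == "ACTION":
            bad = [op for op in operands if op not in ACTION_OPTIONS]
            if bad:
                errors.append((number, "invalid ACTION operand(s): " + " ".join(bad)))
            plan["options"].update(op for op in operands if op in ACTION_OPTIONS)
        elif kind == "USER":
            valid = (1 <= len(operands) <= 2 and 1 <= len(operands[0]) <= 8
                     and (len(operands) == 1 or len(operands[1]) == 1))
            if valid:
                plan["user"] = tuple(operands)
            else:
                errors.append((number, "USER needs userid (1-8) and a "
                                       "one-character logon source"))
        elif kind == "ACCESS":
            if len(operands) == 1 and LIB_RE.fullmatch(operands[0]):
                sublib = operands[0]
            else:
                sublib = None          # do not attribute LOADs to a bad ACCESS
                errors.append((number, "ACCESS needs one lib.sublib operand"))
        else:                          # LOAD
            if len(operands) != 1 or not MEMBER_RE.fullmatch(operands[0]):
                errors.append((number, "LOAD needs one membername.membertype"))
            elif sublib is None:
                errors.append((number, "LOAD has no preceding valid ACCESS"))
            else:
                plan["loads"].append((sublib, operands[0]))

    for kind in ("ACCESS", "LOAD"):
        if not count[kind]:
            errors.append((0, f"at least one {kind} statement is required"))
    plan["queued"] = "TEST" not in plan["options"]   # TEST suppresses output
    return plan, errors


if __name__ == "__main__":
    plan, errors = lint_deck(GUIDE_DECK)
    print(plan, errors)
```

The returned plan lists every (sublibrary, member) pair that would reach the reader queue and the user ID it would carry, which is the part of a deck a reviewer needs to see.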


Special Character Sequences in Library Records

Introduction

DTRIINIT translates several special character sequences in order to allow the inclusion of certain JCL/JECL statements (for example, * $$ JOB) without confusing VSE Job Control during the catalog process. For compatibility, AXPU4 translates these sequences in the same manner as DTRIINIT. The following table shows the special character sequences and the character sequence to which they are translated. All sequences start in column 1 of the library member record.

This Sequence | Translates to
$$$$ | * $$
$$/* | /*
$$/& | /&

CA-FLEE's GSERV Convention

AXPU4 also supports CA-FLEE's GSERV convention, where:

• A record with equal signs (==) in columns 1-2 is shifted to the left by two columns.

• Columns 3-73 are shifted into columns 1-71.

• Columns 72-73 are set to blanks.

This technique will not support continuation statements. If a statement needs continuation, do not use the equal signs. (The VSE Librarian now supports cataloging any VSE/JCL statement, including // JOB and /&, so it is not necessary to use the equal signs at all.)

Example

The following job places members TESTU4.JCL1 and TESTU4.JCL2 from sublibrary PRODLIB.JCL into the reader queue, and produces a listing of the jobstreams on SYSLST. The jobstreams contain the CMS user ID FRED.

    // JOB AXPU4
    // LIBDEF PHASE,SEARCH=ALERT.SUBLIB
    // EXEC AXPU4,SIZE=AXPU4
    ACTION LOG
    USER FRED C
    ACCESS PRODLIB.JCL
    LOAD TESTU4.JCL1
    LOAD TESTU4.JCL2
    /*
    /&


Running AXPU4 During IPL/ASI

Requirements

A typical use for AXPU4 is to reload the POWER reader queue during a cold start of POWER. The following requirements must be considered before you decide where to position the // EXEC AXPU4 inside your ASI (automated system initialization) procedure:

• BIM-ALERT must be active when you execute AXPU4. If you execute AXPU4 while BIM-ALERT is inactive, or if AXPU4 receives an error indication when it calls BIM-ALERT, the program issues message AX801 and terminates.

• The POWER XPCCB task that receives jobstreams must be active. If this task is not active, AXPU4 issues message AX801 and terminates.

Placement of AXPU4 Execution

The following rules describe where to place the AXPU4 execution in relation to other JCL statements inside your BG ASI procedure.

• The AXPU4 execution must not precede the execution of AXPI1 that activates BIM-ALERT. If you do not activate BIM-ALERT during ASI, you cannot execute AXPU4 during ASI either.

• The AXPU4 execution must not precede the START command for the POWER partition.

• The AXPU4 execution must not precede the STOP command for the BG partition.

Some installations include JCL between the START command for the POWER partition and the STOP command for the BG partition. Do not execute AXPU4 there, because POWER might not be completely initialized at that point.

The best place to execute AXPU4 for a cold start is at the very end of the BG ASI procedure.


Example

The following job places members TESTU4.JCL1 and TESTU4.JCL2 from sublibrary PRODLIB.JCL into the reader queue, and produces a listing of the jobstreams on SYSLST. The jobstreams contain the CMS user ID FRED.

    // JOB AXPU4
    // LIBDEF PHASE,SEARCH=ALERT.SUBLIB
    // EXEC AXPU4,SIZE=AXPU4
    ACTION LOG
    USER FRED C
    ACCESS PRODLIB.JCL
    LOAD TESTU4.JCL1
    LOAD TESTU4.JCL2
    /*
    /&

Page 277: BIM-ALERT™ 5.1 Installation and Operations Guide · Installation and Operations Guide Release 5.1 • BIM-ALERT/VSE™ allows you to control user access to datasets, programs, libraries,

Index-1

Index

$ $0JCL370 3-67 $0JCLE 3-67 $ASIPROC 3-67, 3-84 $IPL370 3-67 $IPLE 3-67 $JOBEXIT phases

adding 3-44, 3-81 adding for shared IJSYSRS with

mixed releases 3-45 disabled 6-36 guidelines for maintaining 6-35 introduction to 6-33 procedure for reloading 6-38 status of 6-37

$SYSOPEN replacement by BIM-ALERT/VSE

1-14

A Activating

BIM-ALERT/CICS 6-40 BIM-ALERT/VSE 3-52 ICCF submittal monitor 3-31, 3-

74, 5-34 Administrator Audit file 3-22 ALERTXP (rules file)

closing 3-17, 3-19 converting from 4.9 to 5.0 3-17 converting to 5.1 3-19 creating 3-62 defining 3-62 initializing 3-62

ALLOC command 3-26, 3-28, 3-69 ALRT001 3-24 ALRTCRD1 4-4

Installation 4-5 Introduction 4-5 System Requirements 4-5

ALRTCUP1 4-4 Installation 4-8 Introduction 4-8

ALRTFCTM 3-34, 3-77 ALRTL7

device assignments 6-14 partition storage requirements 6-13 SIZE parameter 6-13 storage requirements 6-13 tape input 6-15 tape output 6-16

ALV031E 3-45, 3-81 ALXP 3-64 Archival data, excluding from reports

6-13 ASI procedure 3-67 ASI procedure 3-66 Audit file

defining 3-64 initializing 3-64 Report program 6-23 sharing in multiple CPU setting 3-

64 Avoiding LIBDEF conflicts 3-67 AX6C (reload exit program) 5-11 AX6C FORCE 5-12 AXPHJ6 5-11 AXPI1 3-24, 3-70

Page 278: BIM-ALERT™ 5.1 Installation and Operations Guide · Installation and Operations Guide Release 5.1 • BIM-ALERT/VSE™ allows you to control user access to datasets, programs, libraries,

Index-2

AXPL10 6-6 AXPL3 6-11 AXPPROC, cataloging 3-15, 3-57 AXPS, dumping 7-5 AXPSERV 5-13 AXPTSCV 4-11

Input Parameters 4-23 Installation 4-18 Introduction 4-18

AXPU050 3-17 AXPU051 3-19, 3-20 AXPU1 7-5 AXPU2 7-6, 7-7 AXPU2B phase 7-8 AXPU4 7-10 AXPU5 7-6, 7-9

B BIM-ALERT/CICS manuals viii BIM-ALERT/VSE

manuals viii BIM-EDIT submittal monitor 5-7 BIM-FAQS/PCS submittal monitor

5-8 BLKSIZE statement 6-20

C CA-SCHEDULER submittal monitor

5-9 CA-TopSecret to BIM-ALERT

Migration 4-11 CA-VOLLIE submittal monitor 5-10 CICS running in more than one

partition 1-11 CMS submittal monitor 5-13 CONDOR submittal monitor 5-26 Control statement syntax 6-15 Copy books

BIM-ALERT 3-32, 3-75 BIM-ALERT/CICS, special 3-34,

3-77 CPUs, multiple

sharing files 3-10 sharing the audit file 3-64 sharing the log file 3-60 using ALXP in 3-10

CSAR submittal monitor 5-29 CWA 3-35, 3-78

D Data security 6-24 Deactivating

BIM-ALERT/VSE 3-14 DETAIL statement 6-20 Documentation

list of BIM-ALERT manuals viii

E ERROR IN FILE ID message 6-24 ESM

External Security Manager 3-27, 3-68

EXCLUDE TAPEIN statement 6-17 External Security Manager 3-27, 3-

68 EZ/KEY submittal monitor 5-32

F FCT 3-32, 3-75

G GETVIS requirements

BIM-ALERT/CICS 1-7 BIM-ALERT/VSE

logger 1-12 SVA 1-13

GSERV submittal monitor 5-33

H Hardware requirements, BIM-

ALERT/CICS 1-7

I I.E. submittal monitor 5-36 IALERT1 2-5 IBM Security to BIM-ALERT

Migration 4-4 ICCF submittal monitor 3-31, 3-74,

5-34 IGNORE response 6-24

Page 279: BIM-ALERT™ 5.1 Installation and Operations Guide · Installation and Operations Guide Release 5.1 • BIM-ALERT/VSE™ allows you to control user access to datasets, programs, libraries,

Index-3

IJSYSRS.SYSLIB 1-12 INCLUDE TAPEIN statement 6-17 Installation

BIM-ALERT/CICS GETVIS requirements 1-7 hardware requirements 1-7 libary space required 1-16 operating system requirements

1-7 software requirements 1-7 table space requirements 1-8

BIM-ALERT/VSE libary space required 1-16 operating system requirements

1-12 software requirements 1-12 SVA requirements 1-13

cancellation 2-14 checklist for preinstallation 1-5 components of 1-6 confirmation 2-14 deferred execution 2-17 members restored during 1-16 new users 3-53 overview of 1-4

Installation procedure, creating 2-5 Installation tape, restoring 2-15 INVALID FILE ID message 6-24 IPL

SYS ESM 3-27, 3-68 SYS SEC 3-27, 3-68 to activate BIM-ALERT 3-52 with SEC IPL procedures 3-83 without BIM-ALERT/VSE 6-27 without BIM-ALERT/VSE 3-84

IUI (interactive user interface) 6-43

J JCL members

ALRTCRD1.J 4-5 ALRTCUP1.J 4-8 ALTTSCV1.J 4-12, 4-18 ALTTSCV2.J 4-18 AXPHJ21.A 5-7 AXPHJ22X.A 5-29 AXPHJ6.A 5-10

AXPHJ6.J 5-10 AXPJCL00.J 3-70 AXPJCL20.J 3-68 AXPJCL40.J 3-69 AXPJCL80.J 3-44, 3-45 AXPJCL80.J 3-81 AXPJCL90.J 5-28 AXPJCLB1.J 3-50 AXPJCLB4.J 3-15 AXPPUNCH.Z 5-14 COMJCA04.J 3-16 COMJCA06.J 3-18 COMJCA0R.J 3-17, 3-19 COMJCA14.J 3-16 COMJCA20.J 3-62 COMJCA34.J 3-16 COMJCA36.J 3-18 COMJCA44.J 3-16 COMJCA46.J 3-18 COMJCA50.J 3-62 COMJCB00.J 3-63 COMJCB00.J 3-21 COMJCB14.J 3-21 COMJCC00.J 3-64 COMJCC04.J 3-22 COMJCE02.J 3-33, 3-76 COMJCE04.J 3-33, 3-76 COMJCF30.J 3-23 LIBDEFs in 3-8 list of BIM-ALERT supplied 3-4 S1TSCNV.J 4-12 variables in 3-8 VSAM catalogs in 3-8 VSE?POWER JECL in 3-9

JCLLUSEX list, updating 3-44, 3-81 JCLLUSEX list, updating for shared

IJSYSRS with mixed releases 3-45

L LIBDEF 3-65 LIBDEF=NO option, for AXPPROC

3-67 LIBR 2-16 LIBR 2-8 Library requirements 1-12 Log file

Page 280: BIM-ALERT™ 5.1 Installation and Operations Guide · Installation and Operations Guide Release 5.1 • BIM-ALERT/VSE™ allows you to control user access to datasets, programs, libraries,

Index-4

defining 3-23, 3-60 inquiry 6-11 lost data 6-10 reports from (ALRTL7) 6-13 serial number 6-10 when full 6-9

Logger GETVIS requirements 1-12 inquiry 6-11 shutdown 6-10, 6-11

Logging 3-23, 3-60

M Member names 1-16 Members restored during installation

1-16 Messages

0I03A ENTER SUPERVISOR PARAMETERS OR ASI PARAMETERS 3-83

0J01I 3-83 4111D 6-24 4112D 6-24 4113D 6-24 4115D 6-24 4118D 6-24 4119D 6-24 4123D 6-24 4125D 6-24 4132D 6-24 4133D 6-24 ALT062I Log File Is Open 6-12 ALT067I Log File Full or Unusable

6-9 ALT067I Log File Is Full Or

Unusable 6-12 ALT105I Log File Is Not Open 6-12 ALV031E AXPHJ3 Not Active In

JCLLUSEX 3-45, 3-81 AX419 AXPHJ6B LOADED 5-11 AX802 PHASE=AXPHJ6B NOT

FOUND BY CDLOAD 5-11 AXPSRV041 5-23 ERROR IN FILE ID message 6-24 INQUIRE command 6-12

INVALID FILE ID message 6-24 NO VOL1 LABEL message 6-24

Messages file 3-21, 3-63, 3-64 Monitor mode, starting BIM-ALERT

in 3-49 MRO 3-34, 3-36, 3-77, 3-79 MRO control modules used by BIM-ALERT/CICS 3-36, 3-79 MSA I.E. See I.E. MSHP 2-16 MSHP 2-8 Multiple CPU setting

sharing files 3-10 sharing the audit file 3-64 sharing the log file 3-60 using ALXP in 3-10

N NO VOL1 LABEL message 6-24

O Operating system requirements, BIM-ALERT/CICS 1-7 Operating system requirements, BIM-ALERT/VSE 1-12

P Partition GETVIS requirements

logger 1-12 PCT 3-32, 3-75 PDEST/DEST parameters of AXPU2

7-8 Phase names 1-16 Phases in SVA, dumping 7-5 PLTPI entry for ICCF submittal

monitors 3-30 PPT 3-32, 3-75 Preinstallation checklist 1-5 Program names 1-16 PTFs

IBM 6-28 VSE 6-28

PWRUEXIT 5-28


R RDO groups

BIM-ALERT 3-33, 3-76 Reloading POWER $JOBEXIT

programs 6-38 Report program

audit file 6-23 detail lines 6-20 device assignments 6-14 excluding archive data 6-17 including archive data 6-17 partition storage requirements 6-13 record selection 6-16, 6-17, 6-20 report selection 6-20 SIZE parameter 6-13 storage requirements 6-13 tape input 6-15 tape output 6-16 violations 6-18 VSAM file 6-16

REPORT statement 6-20 Residence sublibrary

creating 1-15 entering the name 2-6 member names 1-16 size requirements 1-16

Restoring the installation tape 2-15 Restrictions

SVA 1-11 Return codes

from AXPU051 3-20 from S1C051 3-20

Rules table assembling 3-50 converting from 4.9 or 5.0 3-49 dumping 7-5

S S1B100 6-23 S1C050 3-17 S1C051 3-19, 3-20 S1S601 3-42 S1S611 3-42 S1SAUDT 3-34, 3-64, 3-77 S1SCTY

converting 3-62 converting from 4.9 to 5.0 3-17 converting to 5.1 3-19 defining 3-62 in an MRO environment 3-34, 3-77 initializing 3-62

S1SECLG (violation log file) 3-34, 3-77

S1SMS## 3-21, 3-34, 3-63, 3-64, 3-77

S1TSCNV 4-11 Conversion Warning 4-17 Input Parameters 4-17 Installation 4-12 Introduction 4-12

SEC VSE Access Control 3-27, 3-68

Security exits BIM-EPIC 5-40 BIM-FAQS/PCS job-submittal 5-44 BIM-FAQS/PCS member-level 5-43 CA-EXPLORE for VSE 5-41, 5-42 CA-FAVER for VSE 5-45 CA-FLEE 5-39 CA-MASTERCAT for VSE 5-46 CA-XCOM 5-47 installing 5-39

SELECT statement 6-17 Shutdown

logger 6-10 Software requirements

BIM-ALERT/CICS 1-7 BIM-ALERT/VSE 1-12

Submittal monitors BIM-EDIT 5-7 BIM-FAQS/PCS 5-8 CA-SCHEDULER 5-9 CA-VOLLIE 5-10 CMS 5-13 CONDOR 5-26 CSAR 5-29 EZ/KEY 5-32 for ICCF 3-31, 3-74, 5-34


GSERV 5-33 I.E. 5-36 overview 5-4 ZEKE 5-37

SVA CICS running in 1-11 modules 1-11 phases in, dumping 7-5 requirements, BIM-ALERT/VSE

1-13 restrictions 1-11

Syntax control statements 6-15

SYS ESM 3-27, 3-68 SEC 3-27, 3-68

System GETVIS requirements 1-13 System parameters

specifying for BIM-ALERT/CICS 6-40

T Table space requirements

BIM-ALERT/CICS 1-8 Tape drive address, entering 2-7

Tape OPEN No-rewind 6-25 TAPEIN statement 6-15

U Utilities

AXPU1 7-5 AXPU2 7-6, 7-7 AXPU4 7-10 AXPU5 7-6, 7-9

V Violations

report program 6-18 VSAM cluster names 3-55 VSAM statement 6-16 VSE Access Control 3-27, 3-68 VSE data security 6-24

W WRKAREA 3-35, 3-78

Z ZEKE submittal monitor 5-37

