Miscellaneous experiences with COOL:GEN 5.1

September 2000
Carsten Olsen
Mærsk Data
COL@Maerskdata.dk
35872158

This is a collection of notes hastily scraped together immediately before the meeting of the Danish COOL user group in September 2000.

Read with the reservation that

Contents:

5.1 Workstation:

5.1 MVS

LE370

According to the book, you cannot mix LE- and non-LE-compiled programs in CICS. But it works just fine.

TIRCFIGS
Compile cobol-exits with new compiler
COOL LE370 runtime-loadlib
RTM5102->RTM5101
RTM5105->RTM5104
RTM5108->RTM5107
RTM5110->RTM5109
RTM5112->RTM5111

MVS PTFs that we have applied:

Several replace one another in the transition to LE370.

GEM5101 GEM5102 GEM5103 GEM5104
HEM5101 HEM5102 HEM5103 HEM5104 HEM5106
RTM5101 RTM5102 RTM5104 RTM5105 RTM5107 RTM5108 RTM5109 RTM5110
RTM5111 RTM5112 RTM5113 RTM5119

PTFs for Thai, Arabic, IMS & enhanced screen generator:
Irrelevant => Skipped.

Partitioned tablespaces have given us some extra indexes:

DASC
Make the current clustering index (DASCI1) a non-clustering index.
Define a new, non-unique clustering and partitioning index on columns
ASSOC_FROM_OBJ_ID, ASSOC_TYPE_CODE.

DOBJ
Partition using the current clustering index (DOBJI1).

DPRP
Partition using the current clustering index (DPRPI1).

DSUBEX
Make the current clustering index (DSUBEXI1) a non-clustering index.
Define a new, unique clustering and partitioning index on columns
SE_SUBSET_ID, SE_OBJ_ID.

DTXT
Partition using the current clustering index (DTXTI1).

Access path problems

(some possibly arise because of our new indexes, which were created for partitioning).

Upload generate new model.

Rebind DBRM TIEAPLY with catalog fix:

UPDATE SYSIBM.SYSCOLUMNS SET COLCARD = 0000001000
WHERE NAME = 'OBJ_MODEL_ID' AND TBNAME = 'DOBJ' AND TBCREATOR = ..

UPDATE SYSIBM.SYSINDEXES SET FIRSTKEYCARD = 0000001000
WHERE NAME = 'IIEF2IA1' AND CREATOR = '.....';

IIEF2IA1: OBJ_MODEL_ID OBJ_TYPE_CODE OBJ_ID

Adoptions:

Rebind DBRMs TIVAMTX & TIVAVWS with catalog fix:

UPDATE SYSIBM.SYSCOLUMNS SET COLCARD = 30000
WHERE TBNAME= 'DOBJ' AND NAME = 'OBJ_ORG_ID' AND TBCREATOR=..

UPDATE SYSIBM.SYSINDEXES SET FIRSTKEYCARD = 0000030000
WHERE NAME = 'IIEF2IA2' AND CREATOR = ...

UPDATE SYSIBM.SYSCOLUMNS SET COLCARD = 30000
WHERE TBNAME = 'DASC' AND NAME = 'ASSOC_TO_OBJ_ID' AND TBCREATOR=.

UPDATE SYSIBM.SYSINDEXES SET FIRSTKEYCARD = 0000030000
WHERE NAME = 'IIEF2I11' AND CREATOR = ...

IIEF2IA2: OBJ_ORG_ID OBJ_MODEL_ID
IIEF2I11: ASSOC_TO_OBJ_ID ASSOC_TYPE_CODE ASSOC_FROM_OBJ_ID

TIUEVAL:

Rebind DBRM TIUEVLU with catalog fix:

UPDATE SYSIBM.SYSTABLES SET CARD=99000000
WHERE NAME='SASC' AND CREATOR='....';

UPDATE SYSIBM.SYSTABLES SET CARD=1
WHERE NAME='DASC' AND CREATOR='....';

UPDATE SYSIBM.SYSTABLES SET CARD=1
WHERE NAME='DOBJ' AND CREATOR='----';

NB: New release of DB2: also update COLCARDF & FIRSTKEYCARDF

TCP/IP:

- The worst security flaw is fixed with RTM5119

- Invalid codepage. Should have given an IEFT abend, but just hung.
Issue 10146673.
New codepage introduced with exit (SAMPLIB(EUROPEAN)).

- Incredibly poor documentation.

        NT           TCP/IP       MVS/CICS
     +--------+                   +------+
     !        !                   !      !
     ! Client +<- First request-->! TILL !
     !        !                   !      !
     +---+----+                   +--+---+
         !                           !
         !                           V
         !                        +------+
         !                        !      ! TIRTSEC: Reject unless
         +<-Subsequent requests-->! TICM ! enhanced security
            and replies           !      ! is requested
                                  +--+---+ (rtm5119)
                                     !
                                     ! START TRANSACTION <trk>
                                     ! USER <client_userid>
                                     V
                                  +------+
                                  !      !
                                  !<trk> +
                                  !      !
                                  +------+
                                   !
                                   !at entry to <trk>
                                   !
                                   !
                                   V
                                  +------+ TIRSECV:
                                  !      ! Verify Client_userid
                                  !exit  ! & -password
                                  !      ! Clear Client-password
                                  +------+


The "Listener" (TILL) is started on CICS startup.

When a request is received on the given PORT, TILL invokes the Connection-manager (TICM).

From that point, the communication goes between the Connection-manager (TICM) and the client.

Both TILL and TICM run under CICS's own user.

TICM rejects the request unless enhanced security is requested (WREXITN.C/WRE510n.DLL - RTM5119/TIRTSEC).

TICM invokes <trk> with the command:

EXEC CICS START TRAN(<trk>) USER(<client_userid>).

=> Reject unless <client_userid> is a valid user with auth to run <trk>.

The CICS user must have access to the RACF surrogate class *.DFHSTART

<trk> calls exit TIRSECV to RACF-verify client-userid & -password.
TIRSECV clears the client-password, so it isn't accessible from the server PAD.

Exits:

NT:  WREXITN.C / WRE510N.DLL: Request enhanced security
MVS: TIRSDTN: Termid => CEDF trace in CICS
     TIRSECV: Exec CICS verify client_userid & -password
              Clear client_password !
     TIRTSEC: (With RTM5119): Reject unless WREXITN requests enhanced security.

How to implement TCP/IP connection from COOL:Gen clients to CICS

Fix WR510N.DLL in your NT COOL:Gen software directory as follows:

For a possible fallback: rename the existing WR510N.DLL to WR510N.SAV
Edit 'WREXITN.C' in the directory that holds your COOL:Gen software.
Change the first and last of the 3 lines shown below
(it is the only place in the program where bClntMgrSecurity is set)

*bClntMgrSecurity = TRUE;
*tokenLen = 0;
return SecurityUsed;

Compile the exit using command: MKEXITSN.BAT.
This creates a new 'WR510N.DLL'

The result of this is that the client will request the server
to use the special attributes CLIENT_USERID & CLIENT_PASSWORD
to log on to CICS.

Make the "line" known to Client manager:

Click 'SERVER-CONFIG' and enter in the pop-up:
SERVER NAME : <-identification of your choice->
Description : <-identification of your choice->
Test trans : ECHO
Transport API : Select from dropdown: Sockets.
API DLL : IOTCP51N
Security level: Select radio button NONE (*)
USERID : Leave blank
PASSWORD : Leave blank

(*) Security level NONE tells the Client manager not to request the user to enter userid and password - we want the application and not Client Manager to handle this.

Click on the button "DETAILS" and you get a new pop-up.

For __-cics enter:

HOST NAME or IP-address: __.___._._
Destination port-number: ____

Click on OK - and OK again.

Fix your COOL:Gen application to fill CLIENT_USERID and CLIENT_PASSWORD with the end user's MVS userid and password.

One way to do this: When the application starts, show a pop-up that requests userid and password. Set CLIENT_USERID and CLIENT_PASSWORD to the values entered.

Trace:

- DTF trace works as usual.
- CEDF trace is possible, but requires a fix in exit TIRSDTN.

Error-messages:

TIRM904E: Security: User ID Not Authorized for this function
=> WRE510N.DLL did not request enhanced security.

TIRM902E: Security: Invalid userid
=> Result of TICM invoking TRK with invalid userid.
That is: Client_userid is invalid. (lowercase userid is also rejected this way).

Maersk D: RACF accepted userid, but not password
=> From exit linked to TRK verifying userid/password.
You don't get there unless client_userid is valid and has access to TRK, so the client_userid is valid, but client_password is not.
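
The three server-side checks and the message each one produces, modelled in C as an added example (not part of the original notes, and not COOL:Gen, CICS or RACF code). The struct, the function names, the SITE_BAD_PASSWORD code and the one-user table are hypothetical, and the sample data is constructed.

```c
/* Added model, not COOL:Gen/CICS/RACF code. struct request, gate() and the
   user table are hypothetical names; the sample data is constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum gate_rc { GATE_OK, TIRM904E, TIRM902E, SITE_BAD_PASSWORD };
struct request {
    int  enhanced_security;      /* requested by the client exit (WREXITN.C) */
    char client_userid[9];
    char client_password[9];
    const char *trk;             /* transaction code the client asks for */
};

/* Constructed stand-in for the RACF user and transaction profiles. */
static const struct { const char *user, *pw, *trk; } users[] =
    { { "USER01", "SECRET1", "TRK1" } };

/* Clear through a volatile pointer so the compiler keeps the stores. */
static void wipe(char *p, size_t n) {
    for (volatile char *v = p; n--; v++) *v = 0;
}

enum gate_rc gate(struct request *r) {
    enum gate_rc rc = TIRM902E;
    size_t i, n = sizeof users / sizeof users[0], hit = n;
    /* 1. TICM/TIRTSEC: reject unless enhanced security was requested. */
    if (!r->enhanced_security) { rc = TIRM904E; goto out; }
    /* 2. START TRAN(<trk>) USER(<client_userid>): the userid must exist and
          be authorised for <trk>; a lowercase userid is rejected here too. */
    for (i = 0; r->client_userid[i]; i++)
        if (islower((unsigned char)r->client_userid[i])) goto out;
    for (i = 0; i < n; i++)
        if (!strcmp(users[i].user, r->client_userid) &&
            !strcmp(users[i].trk, r->trk)) hit = i;
    if (hit == n) goto out;
    /* 3. TIRSECV at entry to <trk>: verify the password. */
    rc = strcmp(users[hit].pw, r->client_password) ? SITE_BAD_PASSWORD : GATE_OK;
out:
    /* The notes have TIRSECV clear it; clearing on rejects is this model's choice. */
    wipe(r->client_password, sizeof r->client_password);
    return rc;
}

int main(void) {
    struct request r = { 1, "USER01", "SECRET1", "TRK1" };
    printf("rc=%d (0 = GATE_OK)\n", gate(&r));
    return 0;
}
```

Reading a failure against this order tells you which component to look at: TIRM904E points at the client DLL, TIRM902E at the userid or its authority to run <trk>, and the site message at the password alone.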

Test:

Support has put a small, simple test model on their web site.
It has been useful for testing
* Request CLIENT_USERID & CLIENT_PASSWORD.
* USE or flow to server

Performance / Concurrency:

* To be investigated...