topic Re: SNA RJE in Operating System - OpenVMS

SNA RJE

David Kramer_2 — Fri, 11 Nov 2005 14:42:24 GMT

Setting up RJE on a new machine (alpha, openvms 7.3-2, rje v.7) Trying to do an RJE transaction and getting the following error:
-RMS-E-ACC, ACP file access failed
-SYSTEM-F-LINKEXIT, network partner exited

I'm missing a permissions thing somewhere (I can give the default FAL account SYSPRV and the thing works fine, but I figure this is a bad thing)

Directory that the JCL is in is W:RWED (as is it's parent directory) and I've gone so far as changing owner to the default FAL account. It's been about 15 years since I've had to mess with this (and have problems remembering anything past last week)

Thoughts as to what I'm missing? Thanks in advance for your help.

Re: SNA RJE

Mike Reznak — Fri, 11 Nov 2005 14:57:56 GMT

Hi,

check, if you have W:E for root 000000.dir. And all subdirs. W:RWED isn't necessary and wanted.
You can check netserver.log or net$server.log in FAL sys$login directory.

You can also set auditing for
FILE access:
Failure: read,write,execute,delete,control

Or set auditing for only specified dir
$ set security jcl.dir /acl= (AUDIT=SECURITY,ACCESS=WRITE+DELETE+CONTROL+SUCCESS+FAILURE)

and check audit log.

Mike

Re: SNA RJE

Michael Yu_3 — Sun, 13 Nov 2005 03:58:49 GMT

Hi David,

Which RJE server are you using? Host based or Gateway based? How are the streams set up? Which directory is each stream (RD,PR, PU) assigned to? The default account for FAL normally does not have enough privileges to access files for the above streams. You need to have either proxy access set up for the RJE server or set up proper access control for the directories (where the streams are assigned to).

Thanks and regards.

Michael

Re: SNA RJE

David Kramer_2 — Mon, 14 Nov 2005 09:13:37 GMT

>Which RJE server are you using? Host based or >Gateway based?
Host based

>How are the streams set up?
>Which directory is each stream (RD,PR, PU) >assigned to?
$MC SNARJE
USE MAIL
CLEAR WORK
SET WORKSTATION/GATEWAY=DIANE-
/ACCESS=MAILBOX/DATA=MR00022/SERVER=EAGLE
ASSIGN sys$sysdevice:[MAILBOX] PR1
ASSIGN MAIL$RD1 RD1
SET WORKSTATION/STATE=ON
SET MONI/PERM
EXIT
$SUBMIT/SNA/QUE=MAIL$RD1 DIR.JCL
$EXIT

>The default account for FAL normally does >not have enough privileges to access files >for the above streams. You need to have >either proxy access set up for the RJE >server or set up proper access control for >the directories (where the streams are >assigned to).
sys$sysdevice:[mailbox] is set (w:rwed). Did have a thought - the RJE work files are in the users directory - it would cause an issue if there was an attempt to access those with the default FAL account - migh this be the problem? Any way to specify where rje places the work files?

Re: SNA RJE

Michael Yu_3 — Mon, 14 Nov 2005 20:59:47 GMT

Hi David,

According to the user guide, only files with the following attributes can be transmitted to an IBM system on a workstation reader stream:

File organisation Sequential
Record format Fixed, stream CR, or variable
File protection World:R

The following is the reasoning.

When we submit a job using SNASUBMIT, the actual data handling is done by the RJE server. It reads the submited JCL file via DECnet or TCP/IP and then transmit the file to the IBM host.

When RJE server reads the submited JCL using DECnet, the FAL object (or session control application in Phase V terms) will be used. As you know, the default user for FAL only has NETMBX and TMPMBX privileges, it can only read files that has protection set to World:R.

So make sure that you have all your JCL files set to world readable.

Understanding the above, you can actually by-pass the setting of JCL files to world readable. The RJE server should be running under the system account, so you can add the following proxy in order to solve the file protection problem.

UAF> add/proxy 0::system system/default

Hope the above helps.

Thanks and regards.

Michael

Re: SNA RJE

Jan van den Ende — Tue, 15 Nov 2005 05:29:39 GMT

David, Michael:

Understanding the above, you can actually by-pass the setting of JCL files to world readable. The RJE server should be running under the system account, so you can add the following proxy in order to solve the file protection problem.

UAF> add/proxy 0::system system/default

I most strongly must advise against that!!

After this, ANYbody can do ANYthing to your system! And without an identifiable trave WHO did it.

If there are any objections to setting World:Read access (which I understood does not apply to you, but for completeness:) you may also make an ACL for the directory, which gives read access to only your FAL account.

hth

Proost.

Have one on me.

jpe

Re: SNA RJE

Michael Yu_3 — Tue, 15 Nov 2005 05:37:52 GMT

Hi Jan,

Please note the proxy is for 0::system which is the system account on the local node. I cannot see anyone else can use that proxy except the local system account.

Thanks and regards.

Michael