HPE Community
Operating System - OpenVMS
1822895 Members
4042 Online
109645 Solutions
New Discussion юеВ

Re: SNA RJE

 
David Kramer_2
Occasional Contributor

тАО11-11-2005 06:42 AM

тАО11-11-2005 06:42 AM

SNA RJE

Setting up RJE on a new machine (alpha, openvms 7.3-2, rje v.7) Trying to do an RJE transaction and getting the following error:
-RMS-E-ACC, ACP file access failed
-SYSTEM-F-LINKEXIT, network partner exited

I'm missing a permissions thing somewhere (I can give the default FAL account SYSPRV and the thing works fine, but I figure this is a bad thing)

Directory that the JCL is in is W:RWED (as is it's parent directory) and I've gone so far as changing owner to the default FAL account. It's been about 15 years since I've had to mess with this (and have problems remembering anything past last week)

Thoughts as to what I'm missing? Thanks in advance for your help.
0 Kudos
Reply
6 REPLIES 6
Mike Reznak
Trusted Contributor

тАО11-11-2005 06:57 AM

тАО11-11-2005 06:57 AM

Re: SNA RJE

Hi,

check, if you have W:E for root 000000.dir. And all subdirs. W:RWED isn't necessary and wanted.
You can check netserver.log or net$server.log in FAL sys$login directory.

You can also set auditing for
FILE access:
Failure: read,write,execute,delete,control

Or set auditing for only specified dir
$ set security jcl.dir /acl= (AUDIT=SECURITY,ACCESS=WRITE+DELETE+CONTROL+SUCCESS+FAILURE)

and check audit log.

Mike
...and I think to myself, what a wonderful world ;o)
0 Kudos
Reply
Michael Yu_3
Valued Contributor

тАО11-12-2005 07:58 PM

тАО11-12-2005 07:58 PM

Re: SNA RJE

Hi David,

Which RJE server are you using? Host based or Gateway based? How are the streams set up? Which directory is each stream (RD,PR, PU) assigned to? The default account for FAL normally does not have enough privileges to access files for the above streams. You need to have either proxy access set up for the RJE server or set up proper access control for the directories (where the streams are assigned to).

Thanks and regards.

Michael
0 Kudos
Reply
David Kramer_2
Occasional Contributor

тАО11-14-2005 01:13 AM

тАО11-14-2005 01:13 AM

Re: SNA RJE

>Which RJE server are you using? Host based or >Gateway based?
Host based

>How are the streams set up?
>Which directory is each stream (RD,PR, PU) >assigned to?
$MC SNARJE
USE MAIL
CLEAR WORK
SET WORKSTATION/GATEWAY=DIANE-
/ACCESS=MAILBOX/DATA=MR00022/SERVER=EAGLE
ASSIGN sys$sysdevice:[MAILBOX] PR1
ASSIGN MAIL$RD1 RD1
SET WORKSTATION/STATE=ON
SET MONI/PERM
EXIT
$SUBMIT/SNA/QUE=MAIL$RD1 DIR.JCL
$EXIT

>The default account for FAL normally does >not have enough privileges to access files >for the above streams. You need to have >either proxy access set up for the RJE >server or set up proper access control for >the directories (where the streams are >assigned to).
sys$sysdevice:[mailbox] is set (w:rwed). Did have a thought - the RJE work files are in the users directory - it would cause an issue if there was an attempt to access those with the default FAL account - migh this be the problem? Any way to specify where rje places the work files?
0 Kudos
Reply
Michael Yu_3
Valued Contributor

тАО11-14-2005 12:59 PM

тАО11-14-2005 12:59 PM

Re: SNA RJE

Hi David,

According to the user guide, only files with the following attributes can be transmitted to an IBM system on a workstation reader stream:

File organisation Sequential
Record format Fixed, stream CR, or variable
File protection World:R

The following is the reasoning.

When we submit a job using SNASUBMIT, the actual data handling is done by the RJE server. It reads the submited JCL file via DECnet or TCP/IP and then transmit the file to the IBM host.

When RJE server reads the submited JCL using DECnet, the FAL object (or session control application in Phase V terms) will be used. As you know, the default user for FAL only has NETMBX and TMPMBX privileges, it can only read files that has protection set to World:R.

So make sure that you have all your JCL files set to world readable.

Understanding the above, you can actually by-pass the setting of JCL files to world readable. The RJE server should be running under the system account, so you can add the following proxy in order to solve the file protection problem.

UAF> add/proxy 0::system system/default

Hope the above helps.

Thanks and regards.

Michael
0 Kudos
Reply
Jan van den Ende
Honored Contributor

тАО11-14-2005 09:29 PM

тАО11-14-2005 09:29 PM

Re: SNA RJE

David, Michael:


Understanding the above, you can actually by-pass the setting of JCL files to world readable. The RJE server should be running under the system account, so you can add the following proxy in order to solve the file protection problem.

UAF> add/proxy 0::system system/default


I most strongly must advise against that!!

After this, ANYbody can do ANYthing to your system! And without an identifiable trave WHO did it.

If there are any objections to setting World:Read access (which I understood does not apply to you, but for completeness:) you may also make an ACL for the directory, which gives read access to only your FAL account.

hth

Proost.

Have one on me.

jpe

Don't rust yours pelled jacker to fine doll missed aches.
0 Kudos
Reply
Michael Yu_3
Valued Contributor

тАО11-14-2005 09:37 PM

тАО11-14-2005 09:37 PM

Re: SNA RJE

Hi Jan,

Please note the proxy is for 0::system which is the system account on the local node. I cannot see anyone else can use that proxy except the local system account.

Thanks and regards.

Michael


0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.