Some data centers have 100 or more APF libraries that contain as many as 4000 or 5000 programs. Good maintenance procedures are vital to system security and integrity in these environments.
When you review the contents of APF libraries, pay particular attention to the programs that the linkage editor marks APF‑authorized. Any program in an APF library is APF‑authorized, but only those that the linkage editor marks APF‑authorized can acquire that authorization when directly named in a JCL EXEC statement. Programs named in JCL are called job‑step programs. APF requires only that the job‑step program is marked as authorized. From that point on, other programs can be called, regardless of whether they are marked as authorized. The only requirement is that they come from an APF‑authorized library.
An authorized program can attach an unauthorized program as another task and protect itself through storage keys. Normally, however, when an authorized program runs an unauthorized program, both become unauthorized or abend. If the authorized program is already in key 0 or supervisor state, the system cannot protect itself and abends the program. If the authorized program was in problem state and user key when it attempted to execute the unauthorized program, it loses authorization and abends only if it then attempts to issue MODESET, execute privileged instructions, or run authorized programs.
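The rules above can be applied offline to a library inventory to pick out the programs that deserve the closest review. The following Python sketch is an added example, not part of the original documentation or of any CA product; the library names, member names, and inventory layout are constructed, and `step_authorized` is a simplified model that reports only whether a step is still authorized, not whether it abends.

```python
from collections import namedtuple

# Constructed sample data: hypothetical library and member names.
APF_LIBRARIES = {"SYS1.LINKLIB", "PROD.AUTHLIB"}

# ac is 1 when the linkage editor marked the program APF-authorized, else 0.
Module = namedtuple("Module", "library member ac")

INVENTORY = [
    Module("SYS1.LINKLIB", "UTILA", 1),
    Module("SYS1.LINKLIB", "SUBRTN1", 0),
    Module("PROD.AUTHLIB", "BATCHX", 1),
    Module("PROD.AUTHLIB", "HELPER", 0),
    Module("USER.LOADLIB", "MYTOOL", 1),
    Module("USER.LOADLIB", "REPORT", 0),
]

def classify(module, apf_libraries):
    """Apply the two conditions from the text: library is APF, program is marked."""
    in_apf = module.library in apf_libraries
    if in_apf and module.ac == 1:
        return "JOBSTEP_AUTHORIZED"        # can acquire authorization from JCL EXEC
    if in_apf:
        return "CALLABLE_WHEN_AUTHORIZED"  # usable only after an authorized job step starts
    if module.ac == 1:
        return "MARKED_BUT_NOT_APF"        # inert now; active if the library joins the APF list
    return "UNAUTHORIZED"

def review(inventory, apf_libraries):
    """Group members by class so reviewers can start with JOBSTEP_AUTHORIZED."""
    report = {}
    for m in inventory:
        name = f"{m.library}({m.member})"
        report.setdefault(classify(m, apf_libraries), []).append(name)
    return report

def step_authorized(jobstep, called, apf_libraries):
    """Simplified model: the step starts authorized only if the job-step program
    is marked and in an APF library, and stays authorized only while every
    called program comes from an APF library."""
    if classify(jobstep, apf_libraries) != "JOBSTEP_AUTHORIZED":
        return False
    return all(c.library in apf_libraries for c in called)

if __name__ == "__main__":
    for category, members in review(INVENTORY, APF_LIBRARIES).items():
        print(category, members)
```

The `MARKED_BUT_NOT_APF` group is worth tracking alongside the authorized job-step programs, because those modules gain job-step authorization as soon as their library is added to the APF list.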
Copyright © 2009 CA. All rights reserved.