Re: V3R2: Configuring SLIP dialout

Le 19/07/2022 à 12:08, Patrik Schindler a écrit :

Hello Marc,

Hello Patrick

thanks for providing some help!

Welcome, happy to help you.

Am 18.07.2022 um 23:16 schrieb Marc Rauzier <marc.rauzier@xxxxxxxxx>:

If I remember fine, PPP session is running in a batch job with QTCP user profile. Maybe this is the same with SLIP.

Yap. Thanks for this nudge in the right direction.

Is there a batch job starting at the same time which could be related to the SLIP session?

It was, indeed!

Maybe with the name of the dial profile? Maybe the authority issue happens within this job and is reported in your joblog?

Assuming there isn't a huge chain of programs calling each other, this sounds reasonable.

Adding QSECOFR with *ALL authority to QSYS/QTOCPPSM did not change the behavior.

Normally, no need to do so as QSECOFR has *ALLOBJ special authority. And the same applies with owner authority adoption. It is not used with an *ALLOBJ user profile.

You're right. My apology is: It was already late in the evening. ;-)

apologies accepted :-)

Any ideas?

What is the authority for other user profiles on that object? If needed, could it be possible to change it so that *PUBLIC can use the object?

I did and the behavior changed fundamentally. But the most interesting question is: Why did IBM ship the *PGM with *PUBLIC *EXCLUDE? Am I supposed to change this? Is there another, "correct" way?

This is a good question and I do not have the answer. However, thanks to google, I have found an IBM book for V5R3 named "Configure Your System For Common Criteria Security" where they say in "Chapter 22. Restrict the use of application program interfaces (APIs) and callable programs" that "Many APIs and callable programs are shipped with public authority of *EXCLUDE. In addition, the public authority for other programs and APIs is set to *EXCLUDE by the Common Criteria customization programs." They also say in the same chapter that "The QSYCCCPA program sets the public authority to *EXCLUDE for these APIs". And QSYS/QTOCPPSM program is in this list. However, still according to this book, in "Appendix A. Customization programs", they provide the actions of QSYCCCPA program, and QSYS/QTOCPPSM does not seem to be updated, so I conclude that it is indeed provided with *PUBLIC *EXCLUDE authority. My assumption is that your installation of QSYS/QTOCPPSM program was the one you have on your installation media. And QTCP user profile should have *USE authority on this program. You can try to set back *EXCLUDE for *PUBLIC and add *USE for QTCP for your SLIP setup to work. I do not find any information about an APAR or a fix for that issue, but I can only guess that a PTF was provided in the past.

You can find this book here ftp://ftp.www.ibm.com/systems/power/docs/systemi/v5r3/en_US/sc415336.pdf.

Not related to V3R2 but it might apply the same way.

Looking at the old BOOK format documentation about TCP/IP for V3R6 explains how to set up point to point links via OpNav. Wasn't OpNav relying on communication over TCP ports? Sounds recursive to me.

Not sure to understand what you mean with "recursive". On those versions, it was possible to use both TCP/IP and SNA communications for OpNav. But in any case, there is still a login with a valid user profile which will run all the actions driven by the OpNav interface, with related authority. Whatever the way you use to configure SLIP (OpNav or 5250 commands), the batch job handling the SLIP session will run with QTCP user profile.

However, thank you *very* much for your help. In the end, I got it to work!

Welcome again

koax-gw-buero#ping 10.59.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.59.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/145/152 ms

I'll document the necessary steps (as usual) on try-as400.pocnet.net, if any fellow hobbyist also wants to use TCP/IP on V3, over a serial connection (because no LAN).

:wq! PoC