VESOFT FREQUENTLY ASKED QUESTIONS FILE 09:00am 96/07/29 ===================================================================== As for the many examples we offer our customers, some may not work in the same manner as in our testing. We cannot create examples with every possible variation that any given software or hardware environment may have. So, please read and test our examples thoroughly. Our examples are solely a guideline to aid in solving the particular problems you may be encountering. We don't take responsibility for updating our examples but welcome their testing and enhancements. We also welcome suggestions. ===================================================================== FAQ 001: Integrating STREAMX with native mode BRW 95/11/21 --------------------------------------------------------------------- The traditional method of integrating STREAMX with native mode applications is to run them through a VESOFT-supplied XL, for example: :RUN NMPROG; XL='STREAMNL.PUB.VESOFT' This won't work for BRW, because BRW programs call XL.PUB.SYS routines that actually STREAM jobs, and the above technique doesn't allow the VESOFT routines inside STREAMNL to intercept such STREAM attempts. We need to extract the BRW routines from XL.PUB.SYS, store them inside another file (for example BRWXL.PUB.SYS), and run the application this way: :RUN BRWPROG; XL='BRWXL.PUB.SYS,STREAMNL.PUB.VESOFT' Note that STREAMNL appears *AFTER* the XL containing the BRW routines. BRW procedures may be extracted from XL.PUB.SYS using these commands: :HELLO MANAGER.SYS,PUB :COPY XL.PUB.SYS, XLCOPY.PUB.SYS :LINKEDIT BUILDXL BRWXL.PUB.SYS COPYXL MODULE=HP35360; FROM=XLCOPY.PUB.SYS; TO=BRWXL.PUB.SYS CLEANXL BRWXL.PUB.SYS; COMPACT EXIT :PURGE XLCOPY Note that the BRWXL containing copies of all BRW routines should be re-built (using the same procedure) after every operating system update or patch. ===================================================================== FAQ 002: Integrating STREAMX with native mode TRANSACT 95/11/21 --------------------------------------------------------------------- The traditional method of integrating STREAMX with native mode applications is to run them through a VESOFT-supplied XL, for example: :RUN NMPROG; XL='STREAMNL.PUB.VESOFT' This won't work for Transact, because Transact calls XL.PUB.SYS routines that actually STREAM jobs, and the above technique doesn't allow the VESOFT routines inside STREAMNL to intercept such STREAM attempts. We need to extract the Transact routines from XL.PUB.SYS, store them inside another file (for example TRANXL.PUB.SYS), and run the applicatio this way: :RUN TRANPROG; XL='TRANXL.PUB.SYS,STREAMNL.PUB.VESOFT' Note that STREAMNL appears *AFTER* the XL containing the Transact routines. Transact procedures may be extracted from XL.PUB.SYS using these commands: :HELLO MANAGER.SYS,PUB :COPY XL.PUB.SYS, XLCOPY.PUB.SYS :LINKEDIT BUILDXL TRANXL.PUB.SYS COPYXL MODULE=HP30138; FROM=XLCOPY.PUB.SYS; TO=TRANXL.PUB.SYS CLEANXL TRANXL.PUB.SYS; COMPACT EXIT :PURGE XLCOPY Note that the TRANXL containing copies of all Transact routines should be re-built (using the same procedure) after every operating system or patch. ===================================================================== FAQ 003: Integrating VEOPEN with native mode BRW 95/11/21 --------------------------------------------------------------------- Use the same procedure described in FAQ 001, substituting VEOPENNL.PUB.VESOFT for STREAMNL.PUB.VESOFT. ===================================================================== FAQ 004: Integrating VEOPEN with native mode TRANSACT 95/11/21 --------------------------------------------------------------------- Use the same procedure described in FAQ 002, substituting VEOPENNL.PUB.VESOFT for STREAMNL.PUB.VESOFT. ===================================================================== FAQ 005: Multiple CPU security profile maintenance 95/11/30 --------------------------------------------------------------------- MULTI-CPU SECURITY MAINTENANCE INFORMATION One way example -- Pulling +--------------------------------------+ | "One Way Example--Pulling" | | (transmit changes from SYSA to SYSB) | +--------------------------------------+ | SYSA | SYSB ==== | ==== | | SECURCON.DATA | ------------- SECURCON.DATA | $SYS-NAME "SYSB" -------------- | $SYS-NAME "SYSA" | $NET-SEND SYSB | NETRECV.DATA | ------------ | $FROM-SYS DSDEVA SYSA | | | SYSA.NETRECV | ------------ | $RECEIVE @ | !HPJOBNAME,!HPUSER.!HPACCOUNT @.@ | | BACKG START, NETRECV ===================================================================== One way example -- Push Immediate +--------------------------------------+ | "One Way --- Pushing Immediately" | | (transmit changes from SYSA to SYSB) | +--------------------------------------+ | SYSA | SYSB ==== | ==== | | SECURCON.DATA | ------------- SECURCON.DATA | $SYS-NAME "SYSB" -------------- | $SYS-NAME "SYSA" | $NET-SEND SYSB | NETRECV.DATA | ------------ | $FROM-SYS-PUSHED DSDEVA SYSA NETRECV.DATA | ------------ | $PUSH-IMMEDIATE SYSB | SYSA.NETRECV | ------------ | $RECEIVE @ | !HPJOBNAME,!HPUSER.!HPACCOUNT | BACKG START, NETRECV | BACKG START, NETRECV | ==================================================================== One way example -- Push Intermittent +--------------------------------------+ | "One Way -- Pushing Intermittently" | | (transmit changes from SYSA to SYSB) | +--------------------------------------+ | SYSA | SYSB ==== | ==== | | SECURCON.DATA | ------------- SECURCON.DATA | $SYS-NAME "SYSB" -------------- | $SYS-NAME "SYSA" | $NET-SEND SYSB | NETRECV.DATA | ------------ | $FROM-SYS-PUSHED DSDEVA SYSA NETRECV.DATA | ------------ | $PUSH-INTERMITTENT SYSB | SYSA.NETRECV | ------------ | $RECEIVE @ | !HPJOBNAME,!HPUSER.!HPACCOUNT | BACKG START, NETPUSH or | BACKG START, NETRECV %SEC NETPUSH | | | ===================================================================== Two way example -- Pulling +----------------------------------------------------------+ | "Two Way Example - PULLING" | | (transmit changes from either SYSA or SYSB to the other) | +----------------------------------------------------------+ | | SYSA | SYSB ==== | ==== | SECURCON.DATA | SECURCON.DATA -------------- | ------------- $SYS-NAME "SYSA" | $SYS-NAME "SYSB" $NET-SEND SYSB | $NET-SEND SYSA | NETRECV.DATA | NETRECV.DATA ------------ | ------------ $FROM-SYS DSDEVB SYSB | $FROM-SYS DSDEVA SYSA | SYSB.NETRECV | SYSA.NETRECV ------------ | ------------ $RECEIVE @ !HPJOBNAME,& | $RECEIVE @ !HPJOBNAME,& !HPUSER.!HPACCOUNT @.@ | !HPUSER.!HPACCOUNT @.@ | | %BACKG START, NETRECV | %BACKG START, NETRECV ===================================================================== Two way example -- Push Immediate +----------------------------------------------------------+ | "Two Way Example - PUSH IMMEDIATE" | | (transmit changes from either SYSA or SYSB to the other) | +----------------------------------------------------------+ | | SYSA | SYSB ==== | ==== | SECURCON.DATA | SECURCON.DATA -------------- | ------------- $SYS-NAME "SYSA" | $SYS-NAME "SYSB" $NET-SEND SYSB | $NET-SEND SYSA | NETRECV.DATA | NETRECV.DATA ------------ | ------------ $FROM-SYS-PUSHED DSDEVB SYSB | $FROM-SYS-PUSHED DSDEVA SYSA $PUSH-INTERMITTENT SYSB | $PUSH-INTERMITTENT SYSA | SYSB.NETRECV | SYSA.NETRECV ------------ | ------------ $RECEIVE @ !HPJOBNAME,& | $RECEIVE @ !HPJOBNAME,& !HPUSER.!HPACCOUNT @.@ | !HPUSER.!HPACCOUNT @.@ | | %BACKG START, NETRECV | %BACKG START, NETRECV ===================================================================== Two way example -- Push Intermittent +----------------------------------------------------------+ | "Two Way Example - PUSH INTERMITTENT" | | (transmit changes from either SYSA or SYSB to the other) | +----------------------------------------------------------+ | SYSA | SYSB ==== | ==== | SECURCON.DATA | SECURCON.DATA -------------- | ------------- $SYS-NAME "SYSA" | $SYS-NAME "SYSB" $NET-SEND SYSB | $NET-SEND SYSA | NETRECV.DATA | NETRECV.DATA ------------ | ------------ $FROM-SYS-PUSHED DSDEVB SYSB | $FROM-SYS-PUSHED DSDEVA SYSA $PUSH-INTERMITTENT SYSB | $PUSH-INTERMITTENT SYSA | SYSB.NETRECV | SYSA.NETRECV ------------ | ------------ $RECEIVE @ !HPJOBNAME,& | $RECEIVE @ !HPJOBNAME,& !HPUSER.!HPACCOUNT @.@ | !HPUSER.!HPACCOUNT @.@ | | %BACKG START, NETRECV | %BACKG START, NETRECV %BACKG START, NETPUSH or | %BACKG START, NETPUSH or %SEC NETPUSH | %SEC NETPUSH ===================================================================== "Hub and Spoke" example +----------------------------------------------------------+ | "HUB and SPOKE EXAMPLE" | | (transmit changes from either SYSA or SYSB to the other) | | (hub does push intermittent and spokes do push immediate)| +----------------------------------------------------------+ | HUB | SPOKES === | ====== | SECURCON.DATA | SECURCON.DATA -------------- | ------------- $SYS-NAME "HUB" | $SYS-NAME "SPOKE01" $NET-SEND ^SPOKELIST | $NET-SEND HUB | NETRECV.DATA | NETRECV.DATA ------------ | ------------ $FROM-SYS-PUSHED ^SPOKELIST | $FROM-SYS-PUSHED DSHUB HUB SPOKECON | $PUSH-INTERMITTENT SPOKE01 | $PUSH-IMMEDIATE HUB $PUSH-INTERMITTENT SPOKE02 | ....... | or | $PUSH-INTERMITTENT ^SPOKELIST| | SPOKECON.NETRECV | HUB.NETRECV ---------------- | ----------- $RECEIVE @ !HPJOBNAME,& | $RECEIVE @ !HPJOBNAME,& !HPUSER.!HPACCOUNT @,@.@ | !HPUSER.!HPACCOUNT @,@.@ | SPOKELIST.NETRECV | ----------------- | SPOKE01 | SPOKE02 | ....... | | %BACKG START, NETRECV | %BACKG START, NETRECV %BACKG START, NETPUSH or | %SEC NETPUSH | ===================================================================== Files used by REMOTE SECURITY MAINTENANCE ------------------------------------------ A. SECURCON.DATA 1. $SYS-NAME "sysname" Required on all systems "sysname" is the name assigned to this system. 2. $NET-SEND remote-sysname Required on hosts transmitting changes. One for each node to which changes are broadcast or an indirect file with a list of hostnames. B. NETRECV.DATA ------------ 1a. $FROM-SYS remote-node-name filenameA Required on all systems which are pulling changes. Remote-node-name is the name of the NS node. FilenameA is the name of the file in the NETRECV group in which the updating permissions reside (may be the same as the remote-sysname in simple models. 1b. $FROM-SYS-PUSHED remote-node-name filenameA Required on all systems which have changes pushed to them Remote-node-name is the name of the NS node. FilenameA is the name of the file in the NETRECV group in which the updating permissions reside (may be the same as the remote-sysname in simple models. 2a. $PUSH-INTERMITTENT remote-sysname Required on systems doing push intermittent ( %SEC NETPUSH or BACKG START, NETPUSH) Remote-sysname is the name of the system being pushed to. 2b. $PUSH-IMMEDIATE remote-sysname Required on systems doing push immediate (%BACK START,NETRCV) Remote-sysname is the name of the system being pushed to. C. FILENAMEA.NETRCV (remote-sysname for simple models) ---------------- 1. $RECEIVE allowed-operations profiles-to-change remote-userset Required on systems which are being updated. Allowed-operations are the ways the allowed profiles may be alter i.e. ADD, DELETE, CHANGE. Profiles-to-change are the ones which may be altered by the data received from the sending system. Remote-userset designates which profiles from the remote system may be altered on the local system. D. SECURITY CHANGES 1. SECURCON.DATA ------------- $FORBID "TRUE" "This Logon is RESERVED" @,NETSEND.VESOFT-BACKG,MANAGER.VESOFT;HOST=@ This protects against logons as netsend.vesoft 2. STREAMX.DATA ------------ $NOPASS BACKG,MANAGER.VESOFT @.@.@ NETSEND.VESOFT;DSLINE=?@ 3. Remote-node-name.PASSFILE ------------------------- $USER NETSEND.VESOFT $EQUAL $ACCOUNT VESOFT $EQUAL If there are MPE passwords on the account or user. 4. LOGOFF.DATA ----------- $USERS-EXCLUDE @,NETSEND.VESOFT Exclude NETSEND.VESOFT from being logged off by LOGOFF. E. OTHER FILES INVOLVED 1. Remote-node-name.NETSEND ------------------------ Message file of data to be transmitted to REMOTE NODE. 2. Remote-node-name.NETPUSHD ------------------------- Message file of data pushed by remote system. Posted to SECURG by the local NETRECV process. 3. SNETRECV.DATA ------------- Standard list file for NETRECV process in BACKG. 4. SNETPUSH.DATA ------------- Standard list file for NETPUSH process in BACKG. F. REASONS FOR PROFILES NOT BEING POSTED ON SYSTEM B MODEL #1 ERROR MESSAGE POSSIBLE CAUSE ------------- -------------- NONE NETRECV NOT STARTED ON sysb (EOF of SYSB.NETSEND > 0*) POSTING (EOF of SYSB.NETSEND = 0*) NONEXISTENT PERMANENT FILE (FSERR 52) in SNETRECV.DATA.VESOFT Error: Doing Fopen of SYSA.NETRECV.$OWNACCT. Error handling pick-up from node SYSA, pick-up aborted SYSA.NETRECV DOES NOT EXIST MODEL #2 ERROR MESSAGE POSSIBLE CAUSE ------------- -------------- NONE NETRECV NOT STARTED ON sysa or NETRECV NOT STARTED ON sysb (EOF of SYSB.NETSEND > 0*) NONE $RECEIVE IN SYSA.NETRECV DOES NOT PERMIT POSTING (EOF of SYSB.NETSEND = 0*) MODEL #3 ERROR MESSAGE POSSIBLE CAUSE ------------- -------------- NONE NETRECV NOT STARTED ON sysb (EOF of SYSB.NETSEND > 0*) NONE $RECEIVE IN SYSA.NETRECV DOES NOT PERMIT POSTING (EOF of SYSB.NETSEND = 0*) NONE NETPUSH NOT EXECUTED in BACKG and NO %SEC NETPUSH (EOF of SYSB.NETSEND > 0*) G. ERROR MESSAGES AND POSSIBLE CAUSES 1. In SNETRECV.DATA.VESOFT a. NONEXISTENT PERMANENT FILE (FSERR 52) Error: Doing Fopen of SYSA.NETRECV.$OWNACCT. Error handling pick-up from node SYSA, pick-up aborted REASON: SYSA.NETRECV.VESOFT file missing on target system. FIX: Add File. ===================================================================== FAQ 006: How to modify your MESSAGE catalog. 95/11/30 --------------------------------------------------------------------- In order to improve the speed of SECURITY, virtually all messages printed are now contained within the MAIN program rather than in an external file. You can also customize messages in SECURCON.DATA.VESOFT. Use our %SEC HELP PROMPT to find the keywords. If you need to translate the most commonly used messages to another language, or if you simply want to customize certain messages, you need to create a MAKECAT-format message catalog. We provide a file (named MESSAGES.DATA.VESOFT) that contains all of the messages that can currently be replaced in this manner. Since this file will be overwritten each time you install or update our software, you should keep your copy of this file under a different name. As you translate the messages, be aware of the following restrictions and special character strings recognized by MAKECAT: * Message numbers must start in column 1 of the source file (leading zeros are ok) and must be in ascending order. They do not need to be consecutive. * "!"s are replaced, in order, with any parameters that need to be inserted into the message. Therefore, when changing existing messages, be sure to put in as many "!" characters in appropriate places as there were in our version of the message. * Long messages may be continued with an "&". They will be formatted into lines the width of your output device. * To format a message over several lines, use "%(CR)&" at the end of each line. The lines will be broken on output the same way they are in the source file. * A carriage return may be embedded in the middle of a line by using "%(CR)". (note, "CR" must be in upper case as shown) After you create your translated catalog source file, you convert it to a message catalog by doing the following: :HELLO MANAGER.VESOFT,PUB :FILE INPUT=yourfilename.group.account :FILE CATALOG=LOCALCAT.HELP.VESOFT :RUN MAKECAT.PUB.SYS VALID MESSAGE CATALOG :SAVE LOCALCAT.HELP Next, place the following SETJCW command in your option-logon UDC that runs our logon program: SETJCW VESOFTCHECKLOCALCAT 1 ===================================================================== FAQ 007: What if SL.PUB.SYS is full 96/02/19 --------------------------------------------------------------------- Problem : Cannot install VEPROC routines on MPE/iX systems. Symptoms : Job reports "in use", but nobody is actually using any of our routines. Cause : SL.PUB.SYS may be "full", so new routines cannot be added. The above symptom or problem has been reported recently -- apparently, some of the HP 4.0 installation tapes are being sent with the system SL completely filled up. Ordinarily, a "full" SL is not a problem, you simply use the SEGMENTER's COPYSL command to expand the SL and create more space. In the case of the SYSTEM SL, this is impossible. (The COPYSL command actually re-writes the file. Since the file SL.PUB.SYS is ALWAYS open when the system is running, it cannot be purged and re-written.) What to do then? Actually, it is not very difficult to expand the SYSTEM SL, but the process may seem a bit intimidating. Here are some detailed instructions on how to do this: COPY the SL to a new and bigger file. Log on as the system manager (MANAGER.SYS) and enter the following commands: :SEGMENTER -SL SL.PUB.SYS -COPYSL 100,NEWSL.PUB.SYS -EXIT According to the SEGMENTER's own HELP on COPYSL, this will create a new file with "100% more free space than the minimum needed to hold the segments." (be patient, this command is likely to take quite some time and a LOT of disk space...) Add, Remove, and Update segments in the copy of the SL. Since the VEPROC job already takes care of adding and updating segments in SL.PUB.SYS, you could stream the job after the system is up and running. You may find it a little more convenient to stream this job NOW (because you will be creating an SLT tape), rather than later (because you should create a SECOND SLT tape after making any changes to the system SL.) If you do this, you will have to modify our VEPROC job to refer to NEWSL.PUB.SYS everywhere the job refers to SL.PUB.SYS. Run SYSGEN to create a new SLT tape. Enter the following commands :SYSGEN sysgen>sy sysfile>cm sl=NEWSL.PUB.SYS sysfile>hold sysfile>exit sysgen>keep sysgen>tape sysgen>exit When you enter the TAPE command, SYSGEN will create a new SLT tape. Mount a tape large enough to hold the SLT files and reply to the tape request on the system console. Run SYSDUMP to create a new COLDLOAD tape. (CLASSIC systems) :SYSDUMP Reboot the system with the new SLT tape. Pretty standard stuff. put the tape back online, =SHUTDOWN the system, "TC" or "RS" the system, select ALTERNATE boot path (if the alternate correctly specifies the tape device) or enter a SPECIFIC boot path (i.e., the tape device), then sit back and relax as the system is loaded. After the tape is loaded, you will be left at the ISL> prompt Put the tape back ONLINE =SHUTDOWN the system (press CONTROL-A to get the "=" prompt) Enter "TC" or "RS" to restart the computer Select ALTERNATE boot path (if it refers to the correct tape drive) or enter a specific boot path that refers to the tape drive ISL> UPDATE This loads the system files including SL.PUB.SYS. Once this is finished the system will automatically reboot. Select the PRIMARY boot path and type the following: ISL> START NORECOVERY ===================================================================== FAQ 008: Menu Lockup Logoff 96/03/05 --------------------------------------------------------------------- To use LOCKUP with V24 and later versions of SECURITY/3000, please make the following changes. %COPY MAIN.PUB.VESOFT,LOCKUP.PUB.VESOFT Add the following $keyword to the LOGOFF.DATA file. $PROGRAMS EXCLUDE LOCKUP.PUB.VESOFT Add the following *ENTERSELECTION to your menus. *ENTERSELECTION SETVAR VEMENUSELECTION READSTRING & ("Enter Selection (E to EXIT, R to REDISPLAY, or L for LOCKUP): ",& "UPSHIFT") IF VEMENUSELECTION="L" THEN SETVAR VEMENUSELECTION "R" ECHO You've selected Lockup. RUN LOCKUP.PUB.VESOFT,LOCKUP ENDIF Or remove "L" as a selection and add LOCKUP as a *CAPTION. Modify the LOCKUP entry, in LOGONUDC.PUB.VESOFT, to read as follows. change RUN MAIN.PUB.VESOFT,LOCKUP to RUN LOCKUP.PUB.VESOFT,LOCKUP *CAPTION LOCKUP LOCKUP Below are examples of custom SEC MENUs, MENU USE files and custom *ENTERSELECTIONs. *CAPTIONL {TERMPOS(19,00)}!MENUOPTION.USE MUSELOCK (CAPTIONL(19,00)) SHOWME USE MUSELOCK.!MENU_GROUP *CAPTIONL {TERMPOS(19,40)}!MENUOPTION.LOCKUP (CAPTIONL(19,40)) SHOWME RUN LOCKUP.PUB.VESOFT,LOCKUP *CAPTIONL {TERMPOS(21,05)}{HPTIMEF} {HPDATEF} *CAPTIONL {TERMPOS(21,45)} {HPJOBNAME},{HPUSER}.{HPACCOUNT},{HPGROUP} *ENTERSELECTION USE MENTLOCK.!MENU_GROUP The contents of the MUSELOCK file: ECHO You've selected LOCKUP. RUN LOCKUP.PUB.VESOFT,LOCKUP The contents of the MENTLOCK file: SETVAR VEMENUSELECTION READSTRING & ("Enter Selection (or E to EXIT, R to REDISPLAY), L: ","UPSHIFT") IF VEMENUSELECTION="L" THEN SETVAR VEMENUSELECTION "R" ECHO You've selected LOCKUP as a selection. RUN LOCKUP.PUB.VESOFT,LOCKUP ENDIF ===================================================================== FAQ 009: NRJE Information 96/03/20 --------------------------------------------------------------------- Symptoms: when running Native Mode NRJE with XL=STREAMNL (version 2.3 of SECURITY/3000 or later), NRJE aborts with UNRESOLVED EXTERNALS, but does NOT list our VESOFT external routines. Although this primarily appears for NRJE, this problem may appear for other programs as well. Cause: Native Mode NRJE calls CREATEPROCESS for programs that were originally :LINKed with XL=NRJEXL.NRJE.SYS. when we intercept the CREATEPROCESS call, we are replacing the "XL=" list with XL=STREAMNL.PUB.SECURITY (2.3) or XL=STREAMNL.PUB.VESOFT (2.4). Solution: version 23.10314 (and later) allows you to set a variable to tell STREAMNL what libraries to include in the XL= list. This is a temporary workaround, in a future version we intend to automatically detect what "XL=" list the program was originally :LINKed with and append our STREAMNL file as appropriate. #To use this workaround, install version 23.10314 (or later), then simply issue the following :SETVAR command: :SETVAR VESOFTXLprogname_groupnam_acctname "liblist" before running the main program. NOTE: "progname_groupnam_acctname" is the fully qualified name of the program being created by CREATEPROCESS, and "liblist" is the "XL=" list that the program was :LINKed with originally. (NO embedded spaces are allowed!). Example: In ANY job that runs NRJE, replace !NRJECONTROL START;WSID=RMT3 with !SETVAR VESOFTXLNRJE_NRJE_SYS "NRJEXL.NRJE.SYS" !SETVAR VESOFTXLNRJELU_NRJE_SYS "NRJEXL.NRJE.SYS" !SETVAR VESOFTXLNRJEMON_NRJE_SYS "NRJEXL.NRJE.SYS" !RUN NRJEMON.NRJE.SYS;INFO="RMT3 "; & ! XL="NRJEXL.NRJE.SYS,STREAMNL.PUB.VESOFT" If the job already contains RUN NRJEMON.NRJE.SYS... then simply add the SETVAR lines shown above. NOTE: the spaces in the ;INFO= parameter are important for NRJE only, please make sure that the ;INFO= parameter is exactly eight characters long, including spaces as needed. ************************************************* #Problem: The :NRJECONTROL START command streams a JOB that controls NRJE access. This job is rejected by SECURITY/3000 at logon time with the message: Error: This job stream must be submitted using STREAMX. The question is how to use the NRJECONTROL START command to stream a job that will be authorized by SECURITY/3000. In addition, this job logs on as MANAGER.SYS, so without STREAMX, the MANAGER.SYS password must be embedded in the NRJE JCL file. #Solution: Since the NRJECONTROL START command streams a particular job without the benefit of STREAMX, we must change the job to log on as a low capability user and !RUN STREAMX to submit the actual job. By logging on without any special capabilities, this user does not need any passwords. Also, an entry must be made in the STREAMX.DATA.VESOFT file that allows this "low capability" user to submit a MANAGER.SYS job without knowing any passwords. The steps shown below will guide you in setting up this solution: NOTE: "RMTxx" is used as an example WSID, your WSID will most likely be different. 1. Create an account for the low-capability "startup" users (This only needs to be done once): :HELLO MANAGER.SYS :NEWACCT NRJESTRT,MANAGER 2. Stop NRJE for RMTxx. (This should be repeated for each WSID that you have) :NRJECONTROL STOP;WSID=RMTxx 3. Create a startup user for each WSID: :NEWUSER RMTxx.NRJESTRT;CAP=BA,ND;HOME=PUB Create an OPTION LOGON UDC for each RMTxx.NRJESTRT user. Name the file RMTxx.PUB.NRJESTRT, for example, and place the following commands in each file: STARTRMTxx OPTION LOGON,NOBREAK,NOHELP FILE STRMFILE=RMTxxZZ.NRJE.SYS RUN MAIN.PUB.VESOFT,STREAMX;PARM=1 CONTINUE SET STDLIST=DELETE CONTINUE BYE EOJ Don't forget to issue a SETCATALOG command for each user: :SETCATALOG RMTxx.PUB.NRJESTRT;USER=RMTxx.NRJESTRT 4. RENAME the current NRJE RMTxx.NRJE file to RMTxxZZ.NRJE and create a new RMTxx.NRJE JCL file. :RENAME RMTxx.NRJE,RMTxxZZ.NRJE The new RMTxx JCL file should look like this: !JOB START,RMTxx.NRJESTRT;OUTCLASS=,1 !EOJ 5. Add or update your STREAMX.DATA file to allow this user to submit the actual NRJE job as a MANAGER.SYS user: $NOPASS START,RMTxx.NRJESTRT RMTxxZZ.NRJE.SYS RMTxx,MANAGER.SYS And add a restricted SEC profile for that RMTxx,MANAGER.SYS NRJE job. %SEC ADD RMTxx,MANAGER.SYS;TERMINALS=10;VEPASS=![RANDOMNAME()] 6. Start NRJE for RMTxx. :NRJECONTROL START;WSID=RMTxx ************************************************* Problem: Reverse NRJE doesn't submit jobs using STREAMX. To have Reverse NRJE work with STREAMX you must modify your NRJE JCL files. When you issue a :NRJECONTROL START command, the operating system streams a file that monitors the NRJE data lines and submits jobs from a remote system. This jobstream runs a program called NRJEMON.NRJE.SYS, which in turn submits jobs from remote systems using the COMMAND intrinsic. Ordinarilly, for classic systems and older XL systems, this program is simply PATCHED for STREAMX the same as for any other CM program. However, on the latest MPE/iX systems, this is now a NATIVE MODE (NM) program, so we use a different method to force the use of STREAMX. When you issue a :NRJECONTROL START;WSID=RMTxx command, the file RMTxx.NRJE.SYS is streamed. Since the NRJEMON program actually creates several son processes, and it is these son processes that actually submit jobstreams, the following lines must be added to the RMTxx.NRJE.SYS jobstream: !SETVAR VESOFTXLNRJE_NRJE_SYS "NRJEXL.NRJE.SYS" !SETVAR VESOFTXLNRJELU_NRJE_SYS "NRJEXL.NRJE.SYS" !SETVAR VESOFTXLNRJEMON_NRJE_SYS "NRJEXL.NRJE.SYS" And the !RUN command should be changed from: !RUN NRJEMON.NRJE.SYS to !RUN NRJEMON.NRJE.SYS;INFO="RMTxx"; & ! XL="NRJEXL.NRJE.SYS,STREAMNL.PUB.VESOFT" Since it is not possible for the NRJE batch job to provide MPE passwords for the jobs being STREAMXed by Reverse NRJE you need to add a $NOPASS line to your STREAMX.DATA file: $NOPASS RMTxx,MANAGER.SYS @.@.@ @,@.@ This $NOPASS statement will not prompt the NRJE batch job RMTxx.NRJE.SYS (logon as RMTxx,MANAGER.SYS) for the MPE passwords for the job being submitted by Reverse NRJE. If all your reverse NRJE jobs logon as USER.SYSTEM, then your $NOPASS would be $NOPASS RMTxx,MANAGER.SYS @.@.@ @,USER.SYSTEM Since the Reverse NRJE jobs will be STREAMXed by a MANAGER.SYS user, they will be automatically authorized by STREAMX for security purposes. (Remember, MANAGER.SYS can stream ANYTHING, even jobs that do not have PROFILES) Also, you should make sure the job doesn't contain any special characters, such as the curly-braces ({}) and the question mark (?), since STREAMX will attempt to process these as expressions and prompts. You may want to review the ::SETBRACES and ::SETQUESTION commands in our STREAMX manual. ===================================================================== FAQ 010: NETBASE run together with VESOFT products. 96/05/06 --------------------------------------------------------------------- NETBASE is a data shadowing tool from QUEST software. Most access errors can be traced back to the use of NETBASE, when running in conjunction with VESOFT. One of these errors we ran across manifested itself as a SORTWRIT error. This error occurred when trying to I/O redirect the security listlog command. file seclist=secrept;dev=lp run main.pub.vesoft,sec;info='listlog';lp When attempting to activate the HELLO task it would abort with an error of PEARM AIFERR 12001. If a remote hello were attempted it would fail to NON-EXISTENT GROUP. Once you have encountered an error or wish to prevent an error caused by NETBASE you will need to follow the following steps. 1. Edit your MPEXMGR.PUB.VESOFT file. Add a line with the syntax SETJCW NBDISABLE=FATAL This JCW may be set at any level be it prior to running of any VESOFT product. The use of a $LOGON-EXECUTE in the SECURCON file is an option or include syntax in your own logon UDC. 2. Run NBDIR.PUB.NETBASE >PROGRAM @.@.VESOFT;NONB 3. Edit the ALLOCATE.data.netbase and remove any reference to VESOFT programs. 4. Our ALIAS command can be a great alternative towards the use of UDCs. If you are a user of NETBASE this command becomes even more effective in preventing errors caused by their COPY and PURGE UDCs. When you execute %ALIAS COPY XEQ COPY.CMD22.VESOFT & %ALIAS PURGE XEQ PURGE.CMD22.VESOFT it guarantees that MPEX will only do our commands bypassing their corresponding UDC commands. ===================================================================== FAQ 011: System Logging 96/05/17 --------------------------------------------------------------------- Problem: How to start System Logging without restarting your system? Solution: Create a command file that contains the following. # Re-enables system logging w/o system restart, # on MPE/iX 4.0, 5.0, and 5.5. # debug var log_addr [a.c0000000+(#248*8)+4];& mv log_addr+5c,,,bitd(1,0,8,u32([log_addr+5c]));c ===================================================================== FAQ 012: Ten point system (HP3000) detoxification program. 96/05/17 --------------------------------------------------------------------- Question: How to clean HP3000 from unnecessary objects? Answer: We offer a ten step algorithm (using MPEX, SECURITY & VEAUDIT). 1. Determine -- and remove -- all files unused for a long time. %file unused;save;cir;disc=15 %$listf @.@.@-@.pub.sys(accdateEXTENTONE THEN EXTENTONE := -1; IF INTCODE=-409 THEN WRITELN (' '+FILE[POS('.',FILE)-3:6], '':18, 'C', (IF EXTENTONE=-1 THEN '' ELSE STRWRITE(EXTENTONE)):4:'RIGHT ELSE WRITELN (FILE:8, ' ', SETNAME[0:16]:16, DBSETTYPE:1, (IF EXTENTONE=-1 THEN '' ELSE STRWRITE(EXTENTONE)):4:'RIGHT SETENTRIES:8, SETCAPACITY:8, DYNAMIC:1, (* If less than .1% full, output would be in E fmt *) (IF SETENTRIES//SETCAPACITY<=.0005 THEN 0 ELSE SETENTRIES//SETCAPACITY)*100:6:1, '%', DBSETBLOCKFACTOR:4, SECTORS:8, (IF WASTE<.0005 THEN 0 ELSE WASTE)*100:6:1, '%', INTEGER(WASTE*SECTORS):7); END; END; PREVGROUPACCT:=''; PREVROOT:=''; MPEXHEADER1:="FILENAME SET NAME TYPE LDEV ENTRY CAPA- %FULL"+ " BLK SECTORS %BLOCK SECTRS"; MPEXHEADER2:=" COUNT CITY "+ " FCT WASTED WASTED"; MPEXHEADER3:=""; FOR RFILE IN MPEXFILESETGENERAL (1, TRUE) SELECT INTCODE=-401 OR INTCODE=-408 OR INTCODE=-409 DO BEGIN IF GROUP+'.'+ACCOUNT=PREVGROUPACCT AND STRRDROP(TOKEN(FILE,'.'),2)<>PREVROOT THEN WRITELN; LINEITEM; PREVGROUPACCT:=GROUP+'.'+ACCOUNT; PREVROOT:=STRRDROP(TOKEN(FILE,'.'),2); END; ===================================================================== FAQ 014: How VESOFT products deal with the year 2000 96/11/18 ---------------------------------------------------------------------- MPEX, SECURITY, and VEAUDIT version 26. will work just fine in the year 2000 and beyond. All internal date manipulations use a special format that fully accomodates dates in the 21st century. You may enter dates with 4-digit years, and output dates in YYYY/MM/DD or MM/DD/YYYY or DD/MM/YYYY format. The one possible area of ambiguity happens when you enter a date with a two-digit year. In what century should VESOFT products assume this date goes? We thought that different people would have different views on this, so we decided to give you four different options: 1) BY DEFAULT, throughout the 1900s, all two-digit years will be assumed to be in the 1900s. The date 01/01/01 will be seen as January 1, 1901; the date 02/02/99 will be seen as February 2, 1999. This is compatible with the way things are in 25., and will thus give you plenty of time to change your STREAMX jobs, your MPEX comand files, and your SECURITY menus to use unambiguous 4-digit years. Once you run any of our products in the year 2000, though, we'll switch to the "50-50" principle. Every year that's less than 50 will be assumed to be in the 2000s; 01/01/01 will thus be January 1, 2001. Every year that's 50 or more will be assumed to be in the 1900s; 02/02/99 will be February 2, 1999. We think this will best fit with people's intuitions. 2) If you want ALL TWO-DIGIT YEARS TO REFER TO THE 1900'S, just do a :SETJCW VESOFTYEARBASE=1900 In this mode, 01/01/01 will be January 1, 1901, and 02/02/99 will be February 2, 1999, regardless of what the actual calendar date is. 3) If you want ALL TWO-DIGIT YEARS TO REFER TO THE 2000'S, just do a :SETJCW VESOFTYEARBASE=2000 In this mode, 01/01/01 will be January 1, 2001, and 02/02/99 will be February 2, 2099, regardless of what the actual calendar date is. 4) Finally, if you want ALL TWO-DIGIT YEARS LESS THAN 50 TO REFER TO THE 2000'S, and ALL TWO-DIGIT YEARS 50 OR MORE TO REFER TO THE 1900'S, just do a :SETJCW VESOFTYEARBASE=1950 In this mode, 01/01/01 will be January 1, 2001, and 02/02/99 will be February 2, 1999. This will probably be most intuitive for you and all your users; it's the setting we recommend. Why didn't we just make this the default right away? Well, we care a lot about compatibility, and we didn't want the new version to break any existing jobs, command files, or menus. We thought some of our users might, for instance, use 1/1/1 to refer to a date that's earlier than any other date (1/1/1901), and use this for sorting or comparison or subtraction purposes. We decided to, by default, give them a few years to fix their files to make sure that all their early 1900's dates use an explicit 4-digit yr. If you're sure, however, that you never use a 2-digit year less than 50 to refer to the 1900s -- and most people don't -- then we suggest you do the :SETJCW VESOFTYEARBASE=1950. This will let you use 2-digit years both for the 1900s and the 2000's safely, conveniently, and intuitively. ===================================================================== FAQ 015: What to do after an OS upgrade. 96/11/19 ---------------------------------------------------------------------- When you upgrade your operating system or get a patch from HP there are some things to remember. The FOS tape contains the generic environment HP needs to function correctly. Installing your FOS tape replaces the SL.PUB.SYS file with a new one which does not contain any 3rd party segments. Many customers have 3rd party software that may require you to use their segments (VESOFT is one of those packages). Instead of you being concerned with which segments need to be added or how to run the segmenter program we give you a job stream that contains all these commands. So just after your upgrade stream VEPROC.JOB.VESOFT. In just a few minutes when the job completes check the $STDLIST for any errors. The job documents what you should do if an error occurs. Next it's a good idea to clean up some of our compiled files that were executed on the older version of your operating software. You should logon as MANAGER.SYS. Run MAIN.PUB.VESOFT. If you are currently licensed to use MPEX or have a demo version execute the MPEX %PURGE command on files in the VESOFT account with the code of '176'. To do this the syntax of the command looks like: %PURGE @.@.VESOFT(INTCODE=176). The purge of the 176 coded files is not required. It would not hurt though to run MPEX and purge these files anyway. Finally, when you are done with your upgrade and have followed our suggestions it would be best now to create yourself a new coldload tape and store it away in a safe place. ===================================================================== FAQ 016: How you can convert CMKSAMs to NMKSAMs. 96/11/20 ---------------------------------------------------------------------- The following commands when put into a command file will aid you in converting CMKSAM file into NMKSAM files. ANYPARM FSET REPEAT FILE X=ZKSAMXL;TEMP FCOPY !MPEXCURRENTFILE,(*X);NEW RUNCREATE KSAMUTIL.PUB.SYS RUNINPUT VERIFY !MPEXCURRENTFILE RUNINPUT 4 RUNINPUT RUNINPUT PURGE !MPEXCURRENTFILE RUNINPUT EXIT RUNACTIVATE SAVE ZKSAMXL RESET X RENAME ZKSAMXL,!MPEXCURRENTFILE MPE LISTFILE !MPEXCURRENTFILE,5 FORFILES !FSET(CODE='KSAM') ===================================================================== FAQ 017: VECHECKLOGON Intrinsic use. 96/12/10 ---------------------------------------------------------------------- If you should ever want to create a program of your own which uses the SECURITY/3000 Logon intrinsics, heres an example that may help. It is written in COBOL and compiled to be a native mode program. To run the new native mode program you will need to do something like :RUN BUGGER;XL='PE.HELLO.VESOFT' $CONTROL MAP,VERBS IDENTIFICATION DIVISION. PROGRAM-ID. BUGGER. ENVIRONMENT DIVISION. DATA DIVISION. WORKING-STORAGE SECTION. 01 VMODE PIC S9(4) COMP. 01 WORKBUFF. 05 BINARY-ZERO-FIELD OCCURS 128 TIMES PIC S9(4) COMP. 01 RESPONSE. 05 RESPONSE-PREFIX PIC X(01) VALUE SPACE. 05 FILLER PIC X(07) VALUE SPACES. 01 USERID PIC X(08) VALUE SPACES. 01 ACCTID PIC X(08) VALUE SPACES. 01 GRPID PIC X(08) VALUE SPACES. 01 INBUFF. 05 SESSION-NAME PIC X(016). 05 USER-ID. 10 MPE-USER-NAME PIC X(016). 10 MPE-ACCOUNT PIC X(016). 10 MPE-GROUP PIC X(016). 05 FILLER PIC X(014). 05 TERMINAL-PASSWORD PIC X(008). 05 SECURITY-PASSWORD-NUMBER PIC S9(04) COMP. 05 SECURITY-PASSWORD PIC X(080). 05 FILLER PIC X(088). *** === *** 256 BYTES 01 OUTBUFF. 05 SECURITY-RESULT PIC X(30). 05 FILLER PIC X(50). 05 MPE-USER-OBS-DAYS PIC S9(4) COMP. 05 MPE-ACCT-OBS-DAYS PIC S9(4) COMP. 05 MPE-GROUP-OBS-DAYS PIC S9(4) COMP. 05 SEC-3000-OBS-DAYS PIC S9(4) COMP. 05 USERS-REAL-NAME PIC X(30). 05 FILLER PIC X(650). 01 OUTBUFF-ZERO-ARRAY REDEFINES OUTBUFF. 05 OUTBUFF-BINARY-ZERO-ELEMENT OCCURS 384 TIMES PIC S9(4) COMP. 01 IDX PIC S9(4) COMP. 01 PASSNUM PIC 9(4) DISPLAY. PROCEDURE DIVISION. BEGIN. PERFORM SELECT-DATA. PERFORM TERMINATE-PROGRAM. TERMINATE-PROGRAM. STOP RUN. SELECT-DATA. MOVE SPACES TO RESPONSE. DISPLAY "Enter Session Name or '/' to Stop " ACCEPT RESPONSE. IF RESPONSE-PREFIX = "/" THEN GO TO TERMINATE-PROGRAM ELSE PERFORM DISPLAY-ROW. DISPLAY-ROW. MOVE 1 TO VMODE. PERFORM CLEAR-ARRAYS. MOVE RESPONSE TO SESSION-NAME. DISPLAY "USER NAME: ". ACCEPT USERID FREE. MOVE USERID TO MPE-USER-NAME. DISPLAY "ACCOUNT NAME: ". ACCEPT ACCTID FREE. MOVE ACCTID TO MPE-ACCOUNT. DISPLAY "GROUP NAME: ". ACCEPT GRPID FREE. MOVE GRPID TO MPE-GROUP. DISPLAY "Which password (0=first)" ACCEPT PASSNUM FREE. MOVE PASSNUM TO SECURITY-PASSWORD-NUMBER. MOVE SPACES TO SECURITY-PASSWORD. DISPLAY "Enter your password: ". ACCEPT SECURITY-PASSWORD FREE. DISPLAY "Enter any related terminal password: ". ACCEPT TERMINAL-PASSWORD FREE. CALL "VECHECKLOGON" USING \VMODE\, WORKBUFF, INBUFF, OUTBUFF. DISPLAY "RESULTS:". DISPLAY " ", SECURITY-RESULT. DISPLAY " User: ", SESSION-NAME, ",", MPE-USER-NAME, ".", MPE-ACCOUNT. DISPLAY " real name: ", USERS-REAL-NAME. PERFORM SELECT-DATA. CLEAR-ARRAYS. MOVE 1 TO IDX. PERFORM ZERO-THIS-ELEMENT UNTIL IDX > 128. MOVE WORKBUFF TO INBUFF. MOVE 1 TO IDX. PERFORM ZERO-OUTBUFF-ELEMENT UNTIL IDX > 384. ZERO-THIS-ELEMENT. MOVE ZERO TO BINARY-ZERO-FIELD(IDX). ADD 1 TO IDX. ZERO-OUTBUFF-ELEMENT. MOVE ZERO TO OUTBUFF-BINARY-ZERO-ELEMENT(IDX). ADD 1 TO IDX. ===================================================================== FAQ 018: How to find a procedure in your SL. 97/01/15 --------------------------------------------------------------------- If you have ever wanted to know if a particular procedure is included in your system SL, then the following syntax will work for you. parm mysearch='' slset='' echo & ---Executing Segfinder searching for & for ![UPS('!mysearch')] in ![UPS('!slset.')] FILTER "RUN SEGDVR.PUB.SYS;INPUT='SL ![UPS("!slset")]';& INPUT='LISTSL'","![UPS('!mysearch')]";PREV="SEGMENT" ===================================================================== FAQ 019: How to execute commands in menu header. 97/01/15 --------------------------------------------------------------------- If you want to execute some special commands when the menu starts up use the following example. The syntax is fairly simple. *HEADER {BEGIN MPE('[command syntax]'); END} *HEADER {BEGIN MPE('%ECHO ***** GLOBAL HEADER ***** > GLOBLHED'); END} *HEADER {begin MPE('%PRINT GLOBLHED'); end} *START *CAPTION Do a SHOWME command. SHOWME ===================================================================== FAQ 020: How to hide a menu option. 97/01/15 --------------------------------------------------------------------- If you ever want to hide a menu option from your users the following example will help. You will need to add *ENTERSELECTION. In addition you will need an IF VEMENUSELECTION='value' THEN statement. What would follow after the IF can be just about any set of commands. I have a run of a program. It is better to also include ;NEW;KILL onto run statements so when you end the program it does not suspend. Once in place at the prompt you could then enter ABCD and it would run my program. However this option ABCD will not appear on your screen. *CAPTION Your current menu options. This one is a SHOWME command. SHOWME *ENTERSELECTION SETVAR VEMENUSELECTION READSTRING("ENTER OPTION: ","UPSHIFT",10) IF VEMENUSELECTION="ABCD" THEN RUN MAIN.PUB.VESOFT;NEW;KILL SETVAR VEMENUSELECTION "R" ENDIF IF VEMENUSELECTION="E" THEN SETVAR VEMENUSELECTION "E" ENDIF ===================================================================== FAQ 021: Highlighting output from %PRINT;SEARCH 97/01/22 --------------------------------------------------------------------- Wish to clearly see your search string in %PRINT - try the following: PARM cs$FSET, SRCH # If the line found does not have SRCH string highlighted, # it's there in different case ... PRINT !FSET;SEARCH=cl"!SRCH";keepAMdates;highlight;& FORMAT=STRCHANGE(R,"!SRCH",chr(27)+"&dB"+"!SRCH"+chr(27)+"&d@")