STREAMX: It's Not Just For Passwords Anymore!

by Stephen S. Hammond, AAMC

Presented at 1992 INTEREX Conference, New Orleans, LA, USA
Published by INTERACT Magazine, Nov. 1992.
Published by VENEWS, #11, 1992.

One of the features ballyhooed with the arrival of MPE/XL 3.0 was the ability to stream jobs which do not have embedded passwords. The job is streamed and the user streaming the job is prompted for the password of the user in the job card. Gee, we've been fending off DP auditors about this for years and now we have it!!

I teach tutorials on VESOFT software and had a student tell me he had a DP auditor give him 'demerits' for having embedded passwords in his job streams on his HP3000, but not penalize him for having embedded passwords on the IBM mainframe. The reason was because the auditor knew "how hard it is to change passwords on the IBM". Somewhere someone is missing the point! If an embedded password is a security risk on one computer, it must be a security risk on all computers.

But that's another issue. I'm here to talk about how you can use STREAMX to do a lot more than just prompt you for passwords. If you use none of the features of STREAMX other than replacing passwords, it will be better than the MPE/iX method of eliminating embedded passwords, but why use only part of what you have? Do you buy a television and only watch one channel? Do you only use Windows to play solitaire?

I'm going to tell you how to use STREAMX to do more than just get rid of the passwords. I like to call them my 'Top Ten Reasons for Using STREAMX':

10 - You won't get those pesky password prompts

STREAMX is intelligent. It checks the capabilities of the streaming user and if that user can determine the password through normal security procedures, then why prompt for the password? MPE/iX will prompt you for passwords no matter who is streaming the job, which brings us to...

9 - Do you really want your operator to know the MANAGER.SYS password?

The answer is almost always no.
MPE/iX's new streaming utility prompts for passwords whenever none is present in the job card. STREAMX has a very handy control file called STREAMX.DATA.VESOFT. (Author's Note: From this point on, I will refer to this control file as STREAMX.DATA.) In this file you can declare users who can stream a group or groups of jobs without being prompted for passwords, and the most likely choice in this category is OPERATOR.SYS. The keyword $NOPASS in this control file sets up the user, the fileset he can stream and the logon ID of the jobs he can stream (see listing 1).

These basically say that OPERATOR.SYS can stream any job in JOBS.PROD, no matter how those jobs log on. The user SOURCE.DEV can stream any file in JOBS.DEV which has a logon ID of COMPILE.DEV, and any session with the session ID of DAVID can stream any file in the DEV account which has DEV as the logon account in the job card.

8 - Unlock the lockwords

STREAMX lets you eliminate lockwords in jobs by either prompting the streaming user for the lockword at stream time, or with the use of the $NOPASS keyword followed by a $NOLOCK keyword in an entry in STREAMX.DATA to eliminate those prompts. The example in listing 2 will eliminate any lockword prompts on all lockworded files in PUB.SYS for OPERATOR.SYS streaming jobs in any JOBS group on the system.

7 - Nested jobs won't fly the coop

In MPE/iX, any job which is streamed by an earlier job must have embedded passwords. The operating system only looks at the first job and prompts for the password. Any subsequent jobs in the sequence must have embedded passwords to run. STREAMX checks all the jobs in a sequence at the time the first job is streamed. The user will be prompted for any and all required passwords at that time.
It is even possible to force STREAMX to ignore errors in subsequent jobs in a nest if necessary, such as when the first job creates an account which is the logon account of the second job, or better yet, when the first job builds the file which is the second job. To do this, use

    :SETJCW STREAMXPERMNONESTERROR=1

to set the JCW permanently, or

    :SETJCW STREAMXTEMPNONESTERROR=1

for only one job. These JCWs tell STREAMX to ignore any errors in the subsequent jobs, such as non-existent account, non-existent file, etc. You can also use the JCWs STREAMXPERMNONEST and STREAMXTEMPNONEST, which inhibit STREAMX from looking at any job in the sequence after the first. This is helpful when the first job modifies the file which is the second job. In both circumstances, STREAMX will stream the second job, so you need to ensure that either the logon user in the first job has the capability to stream the second job without a password prompt (log on with SM capability) or explicitly name the files in a $NOPASS entry in STREAMX.DATA.

6 - Avoid the 'big truck' syndrome

Does your shop have one of those people who knows how every job is supposed to run but has never taken the time to write any of it down? What happens if that person gets run over by a big truck? You're in the middle of end-of-year closing and none of those jobs will run (can you say 'Chapter 11'?). Have 'Mr. Everything' modify all those jobs to use STREAMX to make the jobs 'smart'.

STREAMX has a powerful expression environment which makes jobs 'smarter'. Do you have several jobs which run the same program with different input options? Use STREAMX expressions in the job and have it prompt the user for the proper options. Statements preceded by a '::' or variables within '{}' are resolved prior to submission of the job (see listing 3). In this job, a program processes data for a particular state or all the states.
In the MPE/iX environment, the standard way to handle this would be by changing the line after the '!RUN' statement in the job stream every time the job needs to be run. As shown here using STREAMX, you can prompt the user for the state at the time of submission and if the user just gives a carriage return, the parameter 'ALL' is used.

At my association, we often print membership directories using a COBOL program to produce the file and LPS to do the actual printing. Directories have a habit of having introductory pages which vary in number from year to year, so the user would tell us what page to start the directory on and then someone (usually me) would change the job stream. Instead, I let the user stream the job using STREAMX and prompted the user for the page number and the number of copies. And since the user usually runs this job several times to produce 'proof' copies of the directory before the final run, I put a default starting page number of 1. Presto! The user is now responsible for all the input parameters.

The job in listing 4 prompts for a starting page number (PAGE) and a number of copies (NUM). The line after the '!run' command writes the numeric variable PAGE as a string, making it three places long and filling it with leading zeroes. It then prompts for the number of copies to be printed by LPS and places that number in the file equation.

5 - Nothing is foolproof because fools are so damn clever!

So you've made this nice 'smart' job and then you turn it over to some stupid user to run. You need to be able to check the input and re-prompt or even exit without streaming the job. Again STREAMX gives you that power.

In the job in listing 5, the monthly sales report uses a variable percentage which changes every month. This job prompts the user for that percent, but still establishes an upper and lower limit (inclusive). That way some wahoo in sales can't run the monthly report to impress some bar buddy with inflated figures.
If that range changes, a modification to the job stream is simple.

In listing 6, the user is prompted one time for the name of the data file and then the VESOFT file function FEXISTS is used to determine if the file exists. If the file is not there, the job will tell the user the file doesn't exist and terminate before it is ever streamed. If the file is there, the file name is inserted into the file equation in the job.

4 - Loop the loop!

I just showed you an example of the IF...ELSE...ENDIF processing, but you can even do WHILE...DO...ENDWHILE processing to loop through a prompt any number of times. In listing 7, the QUIZ 'use' file has a CHOOSE statement which will keep prompting as long as there is any input other than ' '. The reason there are two "::prompt" commands is this is just like a programmatic primary and secondary read. There must be something in the variable which the 'WHILE' tests when it starts. Then the STREAMX ASSIGN command is used to force a blank line to terminate CHOOSE in the QUIZ code. This way the job can handle one school number or twenty-one.

3 - MPEX is lurking in the background!

With the release of version 23. of the VESOFT software, you are able to do MPEX commands from a STREAMX job without running MPEX. In listing 8, I used the VESOFT file function VEFINFO("filename").OPENED to determine if a very large and very important file is open. If the file is open, the job tells the user, via ECHO commands, that the file is open, then does an MPEX LISTF,ACCESS command to show who is using the file, and then finally terminates the job before it is streamed.

2 - Looks can be deceiving

My first career was as a sports writer. I spent about five years watching coaches and managers do their darndest to deceive the opposition. (I spent one summer covering George Allen, the master of deception.) If you view system security from the perspective of 'us against them', maybe a little deception can make a difference.
If you just got STREAMX and you want to implement it right away, just change your passwords and start using it. STREAMX considers a bad password the same as no password. Leave those old passwords in the job streams. If someone is snooping for passwords, all they'll find are bogus passwords.

On top of that you can use some keyword commands in STREAMX.DATA to restrict job submissions for certain accounts.

    $LOGON-FORBID @.GL-MGR.GL @.JOBS.GL MONTHLY.GL

This prohibits anyone except MGR from streaming jobs in the JOBS.GL group which logon as MONTHLY.GL. Again we're just trying to prevent some of those untrustworthy employees from playing with the general ledger files.

1 - Avoid the OOPS

STREAMX helps you avoid some of those embarrassing mistakes that crop up in our jobs. On more than one occasion, I've spent many hours testing a process in online mode. When I'm happy with the test, I set up the job stream and fire it off. But it doesn't work. I spend about the next five minutes to three hours looking at the STDLIST, having other people look at the STDLIST, trying to think who to call and then the bulb blinks on - file equations!! The STREAMX command ::SAVEFILEEQ will pick up the file equations from your session and carry them over to the job.

Another nice feature keeps those sneaky programmers from running their compiles in the 'C' queue.

    $JOBPARMS-ALWAYS @.DEV @.@.DEV @.DEV "PRI=ES"

This says that any streaming user in DEV, streaming any job in DEV, which logs on as any user in DEV will always have the job run in the ES queue, regardless of what the job card says.

    $JOBPARMS-DEFAULT @.@ @.@.@ @.@ "OUTCLASS=LJ,9,1"

This says that any job which does not have an OUTCLASS parameter will be printed on the laserjet, with a priority of nine and one copy.

You can use PARMs when you run STREAMX to debug the job if it gets complicated (or you try to get too fancy). PARM=%40 saves the stream to a file designated as STRMSAVE.
Add %100 to the value (PARM=%140) and the file will be saved without embedded passwords; add %200 and the file will be saved without lockwords. Thus "RUN STREAMX.PUB.VESOFT;PARM=%340" will save the file without embedded passwords or lockwords. Of course, on top of this, you can add %1 and make it a situation where STREAMX runs immediately and looks for the file designated as STRMFILE. But let's not get too fancy!!

1' - And 11th in a list of 10

You bought it, use it! STREAMX comes when you purchase SECURITY/3000. You didn't have to pay extra, so it's a bonus. Use its power and make your job streams smarter and your job a little easier.

ACKNOWLEDGEMENTS:

Several individuals helped with the preparation of this paper and I would like to thank them: from the tech support staff of VESOFT, Gil Milbauer and Paul Taffel and, of course, Eugene Volokh and Vladimir Volokh; and from SMP Associates, Sam Patsy. I am also grateful to my supervisors, Brendan Cassidy, Sandra Lehman and Maryn Goodson, who have allowed me to learn and teach what I've learned. I also wish to acknowledge, again, and thank Vladimir Volokh, who has given me an opportunity to work with the people at VESOFT and to help others learn about their products.

LISTINGS:

Listing 1

    $NOPASS OPERATOR.SYS @.JOBS.PROD @.@
    $NOPASS SOURCE.DEV @.JOBS.DEV COMPILE.DEV
    $NOPASS DAVID,@.@ @.@.DEV @.DEV

Listing 2

    !JOB QSRUN,....
    !RUN ?$LOCKWORD=QUERY.PUB.SYS$?

will prompt the user:

    What is the lockword of the file 'QUERY.PUB.SYS'?

or

    $NOPASS OPERATOR.SYS @.JOBS.@ @.@
    $NOLOCK @.PUB.SYS

Listing 3

    !job STATERPT,MANAGER.ACCTREC
    ::prompt string STATE="What state is this run for"; &
    ::  default="ALL"
    !file....
    !RUN STATPROG
    {STATE}
    !eoj

Listing 4

    !job CASDIRCT,casuser.diracct
    !comment...
    !file...
    ::prompt integer PAGE = "What page do you want to begin on";&
    ::  default=001
    ::prompt integer NUM = "Number of copies of the directory";&
    ::  default=1
    !run CASDIRCT.OBJECT
    {strwrite(PAGE:3:'zerofill')}
    !file LPSOUT=CASDRCT;dev=laser,8,{NUM}
    !run LPS.PUB.SYS
    2680A
    CASENV.OBJECT
    N
    CASDRCT
    !eoj

Listing 5

    ::prompt integer PCT="What sales percentage are we using";&
    ::  check=BETWEEN(PCT,4,9);&
    ::  checkerror="Sales percentage must be between 4% and 9%";&
    ::  default=5
    !job monthly,....
    !run ...
    {PCT}
    !eoj

Listing 6

    ::prompt string INP = "What data file do you want to use"
    ::if not FEXISTS(INP) then
    ::  echo The input file {INP} does not exist!!
    ::  echo The job has not been submitted!!
    ::  exit
    ::endif
    !job...
    !file input={INP}
    !run...

Listing 7

    !job...
    !run QUIZ.CURRENT.COGNOS
    use SCHOOLUSE
    ::prompt string SCHLNUM="Enter school code or // to exit"
    ::while SCHLNUM <> "//" do
    {SCHLNUM}
    ::prompt string SCHLNUM="Enter school code or // to exit"
    ::endwhile
    ::assign FILL=' '
    {FILL}
    !eoj

Listing 8

    ::if vefinfo("MCATDATA.PUB.SSSAMCAS").opened then
    ::  echo The MCATDATA file is in use!!
    ::  echo The job cannot be run!!
    ::  echo The following jobs/sessions have it open.
    ::  %listf MCATDATA.PUB.SSSAMCAS,access
    ::  echo Contact them and then re-submit the job!
    ::  exit
    ::endif
    !job MCATLOAD,...
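
ADDED EXAMPLE (not part of the original paper, and not VESOFT code): a small Python model of the $NOPASS entries in Listing 1, useful for auditing which stream requests skip the password prompt. It assumes the matching rules as the text under reason 9 describes them, treats '@' as the only wildcard, and ignores the capability check from reason 10; the function names are hypothetical.

```python
import re

# Listing 1 from the paper, used as sample input.
# Model of the behaviour the paper describes, not VESOFT's implementation.
STREAMX_DATA = """\
$NOPASS OPERATOR.SYS @.JOBS.PROD @.@
$NOPASS SOURCE.DEV @.JOBS.DEV COMPILE.DEV
$NOPASS DAVID,@.@ @.@.DEV @.DEV
"""

def _match(pattern, value):
    """MPE-style wildcard match: '@' stands for any run of characters."""
    rx = ".*".join(re.escape(p) for p in pattern.upper().split("@"))
    return re.fullmatch(rx, value.upper()) is not None

def _match_dotted(pattern, value):
    """Match part by part (user.account or file.group.account)."""
    pp, vv = pattern.split("."), value.split(".")
    return len(pp) == len(vv) and all(_match(p, v) for p, v in zip(pp, vv))

def parse_nopass(text):
    """Return (session, streamer, fileset, logon) tuples for $NOPASS lines."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].upper() == "$NOPASS":
            who, fileset, logon = fields[1:]
            # "DAVID,@.@" names a session ID before the user; default is any.
            session, _, user = who.rpartition(",")
            rules.append((session or "@", user, fileset, logon))
    return rules

def prompt_needed(rules, streamer, jobfile, logon, session=""):
    """True if no $NOPASS entry covers this stream request."""
    for r_sess, r_user, r_files, r_logon in rules:
        if (_match(r_sess, session) and _match_dotted(r_user, streamer)
                and _match_dotted(r_files, jobfile)
                and _match_dotted(r_logon, logon)):
            return False
    return True

def broad_grants(rules):
    """Audit helper: entries that allow logging on as any user ('@.@')."""
    return [r for r in rules if r[3] == "@.@"]
```

Job files are given fully qualified (file.group.account). broad_grants picks out the entries whose logon pattern is @.@, the ones to review first when checking who can stream without a prompt.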