| Data Access Services | SourceConnect for Windows Explorer and Workbench | |
The MFA E/Option provides for seamless access to elements stored inside of CA-Endevor. It allows Endevor elements to be displayed, retrieved, and added without requiring the laborious tasks of having the programmer sign on to TSO/ISPF, start up Endevor, going through the many Endevor panels required to access Endevor elements, and finally execute the required action to be performed.
For retrieving elements from the host, there is no longer a need to first retrieve the element into a partitioned dataset and subsequently perform a file transfer to the workstation. With the MFA E/Option, adding elements into Endevor is equally easy to use. Displaying an element is as simple as double-clicking on the mouse button.
For the PC Developer: No more signing onto TSO/ISPF to access source stored inside Endevor. The simple drag and drop capabilities allow direct access to Endevor without performing the task of signing into TSO/ISPF and subsequently invoking Endevor. The benefits of Endevor are now made available without the hassle.
For the Endevor Administrator: The easy of use provided via MERANT Drag and Drop in conjunction with the MFA E/Option make access to Endevor painless for the programmer. Application developers no longer needs to logon onto the mainframe to access elements stored in Endevor. As such, no more excuses for bypassing Endevor! Further, source code developed for distributed applications can now be stored under the control of Endevor.
For the Security Administrator: The MFA E/Option uses standard Endevor security. Whether native Endevor security is used or Endevor-ESI (Extended Security Interface), access to source stored inside in Endevor is controlled in the same manner as when the programmer would access elements via TSO/ISPF or in batch mode. In addition, the MFA E/Option is delivered with two security access modules (MFENDLOG and MFENDOPN) which can be customized, if desired, to provide even tighter security than is provided with security available through Endevor.
For the System Programmer: The application programmer no longer needs to sign onto TSO/ISPF in order to display, retrieve, or add Endevor elements. Resource savings in terms of reducing the concurrent number of TSO/ISPF users as well as the TSO/ISPF logon activity helps reduce the load on the mainframe.
For the Internal Auditor: Application developers can now follow standard procedure via use of the MFA E/Option. Since the MFA E/Option uses standard Endevor facilities, all controls and processes associated with Endevor can now be used during workstation application development.
For the Development Manager: Efforts can now be focused on problem solving and meeting development deadlines rather than sitting in meetings with auditors and Endevor administrators. Programmers will no longer need to logon to Endevor to perform add and retrieve actions. Mainframe training time can be reduced or eliminated allowing programmers to spend more time on application development and meeting deadlines rather than waiting on a TSO Logon to complete.
Mainframe Access Product Suite Integration: The MFA E/Option is an integrated component of the Mainframe Access Product Suite. Standard capabilities such as SAF (RACF) compliant security, APPC, and TCP/IP communication protocol support, data integrity, and data translation are provided. Refer to the Mainframe Access Product Suite documentation for a discussion of such capabilities.
The MFA E/Option executes inside the MFA server. More specifically, the MFA E/Option runs under Endevor as an element being generated.
The following sequence describes this process:
The processor support facility in Endevor must be turned on prior to running these jobs. A processor called MFCNTL to invoke the MFA E/Option must be defined to Endevor. An example jobstream named $ENDGEN3 in INSTLIB has been generated for this purpose. This processor, allows Endevor to start the MFA E/Option server under its control. You will need to alter some of the statements in this example, with the installation requirements for dataset names.
Many Endevor installations keep all processors in a common area. If this is the case at your installation, then you should add the MFA E/Option processor JCL to that common area. Otherwise, you will need to add the processor to an alternate system and subsystem. In the example jobstream, the Endevor Administrator had already established an Endevor system and subsystem to hold Endevor processors.
The MFCNTL processor must be associated with an Endevor type through a processor group. You must create a new processor group specifically for the MFCNTL processor. This processor group will be associated to the MFA E/Option control element. The processor group name should be MFCNTL. The MFCNTL processor must be generated by Endevor into executable form which includes translate, assemble and linkedit steps. The return code from this job must be 0.
CREATE --------- PROCESSOR GROUP DEFINITION ----------- COMMAND ===> CURRENT ENV: SPAIN STAGE ID: 1 SYSTEM: FASTLIST TYPE: MFCNTL NEXT ENV: SPAIN STAGE ID: 2 SYSTEM: FASTLIST TYPE: MFCNTL PROCESSOR GROUP: MFCNTL DESCRIPTION ===> MFA E/OPTION PROCESSOR GROUP NEXT PRCS GROUP ===> MFCNTL ---------------- OUTPUT MANAGEMENT INFORMATION ------------- PROCESSOR TO USE FOR MOVE ACTION ===> M (M/G) PROCESSOR TO USE FOR TRANSFER ACTION ===> G (M/G) S - Browse Symbolics L - List Processor U - Update Symbolics FOREGROUND EXECUTION GENERATE PROCESSOR ===> MFCNTL ===> Y (Y/N) DELETE PROCESSOR ===> ===> Y (Y/N) MOVE PROCESSOR ===> ===> Y (Y/N)
You may wish to define a new Endevor type to establish a relationship between the element, type, MFCNTL processor group, and MFCNTL processor. An alternative to defining a new type would be to add the MFA E/Option control element to an existing type and use the processor group override option when adding the element into Endevor. If a new type is defined then the type should be called MFCNTL.
Your installation may have already established a type specifically to manage common utilities. In this situation you would add the element (see the next step, below) to Endevor and assign the element to the processor group MFCNTL.
The MFCNTL processor is invoked via a GENERATE ELEMENT statement included in the MFA server start-up JCL via the ddname called BSTIPT01. The element being generated is known as the MFA E/Option control element. The example MFA E/Option control element jobstream is called $ENDGEN4 and can be found in the INSTLIB dataset.
Once the Endevor environmental work has been completed, you will need to add MFGENSCL into Endevor. A GENERATE ELEMENT SCL statement defined to the MFA server start-up JCL will cause MFGENSCL to be generated. Element generation will cause the MFA server to start the MFA E/Option.
Note: Ensure that the BYPASS GENERATE PROCESSOR option is specified the first time you add MFGENSCL to Endevor.
You may need to modify your C1DEFLTS table to support the MFA E/Option. It is recommended that if you do modify the C1DEFLTS table, that the resulting C1DEFLTS load module be stored in the STEPLIB of the MFA server start-up JCL to allow for a custom usage. Contact your Endevor administrator for the current C1DEFLTS source and JCL.
The following C1DEFLTS table changes are required:
The following illustrates changes made to the C1DEFLTS table to support the MFA E/Option:
C1DEFLTS TYPE=MAIN,
ACCSTBL=, ACCESS SECURITY TABLE X
APRVFLG=N, APPROVAL PROCESSING (Y/N) X
ASCM=0, ASCM CONTROL PASSWORD X
BATCHID=2, BATCH UID FROM JOBNAME/USER= X
CIPODSN=, CCID VALIDATION DSNAME X
RACFGRP=, ALTERNATE RACF SWITCHING X
RACFUID=, ALTERNATE RACF SWITCHING X
RACFPWD=, ALTERNATE RACF SWITCHING X
.
SMFREC#=0, SMF RECORD NUMBER X
.
.
.
C1DEFLTS TYPE=ENVRNMNT,
CFPDSN=, CSP FOOTPRINT DATASET NAME X
.
.
SMFACT=N, SMF ACT X
SMFSEC=N, SMF SEC X
.
.
USERTBL= USER SECURITY TABLE NAME
C1DEFLTS TYPE=END
END
Ensure all USERTBL references contained in the C1DEFLTS table are removed.
The MFA E/Option provides for full Endevor security support. Native Endevor security is fully supported. Endevor-ESI is supported through the MFA E/Option emulation feature. In addition, source code is provided in the INSTLIB for the security programs that will issue the SAF (RACF, ACF/2, and Top Secret) calls. You can review the code or customize the source to add even tighter security than the standard Endevor security. The MFA server security programs, MFENDLOG and MFENDOPN, are located in the INSTLIB and have been assembled as part of the installation process through the $MVSSEC jobstream.
The MFA E/Option runs under Endevor as a batch utility within an Endevor processor. The MFA E/Option must execute as an APF-authorized program within the processor. APF-authorization is required by the MFA E/Option to ensure SAF security checking is performed for each user attempting to access Endevor elements from the workstation.
Whenever a user accesses an Endevor element, RACF, ACF/2, or Top Security, security checking will be performed via the IBM Security Access Facility (SAF) in the same fashion that the Endevor-ESI option interfaces with SAF.
The MFA E/Option (MFLSCSV) must run as an APF-authorized program. The following considerations must be made to run the MFA E/Option as APF-authorized.
The MFA E/Option (MFLSCSV) will not properly execute if the above authorization requirements are not met.
The MFA E/Option fully supports native Endevor security. No modifications or special processing will occur if native Endevor security is used.
The MFA E/Option supports the Endevor-ESI (External Security Interface) through the MFA E/Option ESI Emulation feature. ESI Emulation performs the same level of functionality as provided by Endevor-ESI. In addition, the dataset name and file access rights generated by the ESI Emulation feature are passed the programs MFENDLOG and MFENDOPN. The source code for both programs is located in the INSTLIB. You can modify those programs if additional security is desired.
The ESI Emulation feature will access the Endevor-ESI Security Table (BC1TNEQU) and construct a dataset name based on the rules defined in the security table.
The MFA E/Option will invoke two programs to perform security: MFENDLOG and MFENDOPN. The source code for both programs can be found in the MFA E/Option installation library.
| MFENDLOG - This is the logon security program invoked when the user request an Endevor action. The program cause an SAF logon to occur thereby registering the user to RACF, ACF/2, or Top Secret. |
| MFENDOPN - This is the open file security program invoked whenever an Endevor action is attempted. |
The programs MFENDLOG and MFENDOPN are nearly identical to the programs FSSECLOG and FSSECOPN, respectively. (FSSECLOG and FSSECOPN are the security programs supplied with the Mainframe Access Product Suite.)
Unless the Bypass Generate Processor option is requested, the generate processor is invoked when an add action is performed immediately after Endevor complete the task of source management. To avoid running a foreground generate, the MFA E/Option will submit an Endevor JCL to generate the element in batch. A JCL library has been created and populated during the MFA E/Option installation. This JCL library contains two required members, @@JCRD@@, which is the default job card to use, and @@NDVR@@, which tells how to call the NDVRC1 Endevor module in the batch generate job. You may add additional JCL members to allow for unique job card information to be used. To indicate to the MFA E/Option on which job card member to use, see the JCARD parameter in the Endevor qualification line in the section of Data Access Services. Additionally, you may override the @@NDVR@@ member, with the JMBR parameter, and likewise, the actual JCL library to use, with the JLIB parameter.
This discusses the creation of JCL required to perform a batch generate action.
There are three components which make up a batch generate job:
The above three components are combined into a single job stream and submitted for batch processing through the internal reader (CIGJCLO) defined to the MFA server start-up JCL.
There are three alternatives in specifying a jobcard to be used when batch Endevor JCL is created.
The default installation jobcard information used by the MFA E/Option to create batch Endevor JCL is located in the JCL library defined to the DD name CIGJCLI as specified in the MFA server start-up JCL. MFA E/Option symbolics can be used to change the jobname on the jobcard. Symbolics are discussed later in this section. The default jobcard information member is called @@JCRD@@ and is located in JCLLIB.
The following shows the default jobcard member located in the product installation JCL library. In the @@JCRD@@ member, the &C1USERID symbolic was used.
//&C1USERID.0 JOB (000000),'MFA E/OPTION',REGION=4096K, // MSGCLASS=Q,MSGLEVEL=(1,1),NOTIFY=&C1USERID.,CLASS=X //* //********************************************************* //* //* MEMBER: @@JCRD@@ //* //* THE JOBCARD INFORMATION SHOWN ABOVE MUST BE //* MODIFIED TO REFLECT YOUR INSTALLATION STANDARDS. //* THE JOBCARD ABOVE IS THE DEFAULT USED BY ALL //* MFA E/OPTION USERS WHO PERFORM //* AN ADD ACTION WHERE "BYPASS GENERATE PROCESSOR" //* WAS NOT SPECIFIED. //* //*********************************************************
You can establish a default job card per user rather than having the MFA server use the @@JCRD@@ member. A user-specific jobcard member allows the accounting information as well other jobcard options to be tailored for each workstation user.
The user-specific jobcard member located in the JCL library defined to the DD name CIGJCLI is specified in the MFA server start-up JCL. The user-specific jobcard member must be the same name as the name of the workstation user signed onto the MFA server. This JCL library member will be searched for before the default member is used. For example, if the user CIG03 has signed onto the MFA server then the MFA E/Option will look for a jobcard member called CIG03 in the JCL library associated with the DD name CIGJCLI as specified in the MFA server start-up JCL.
The following shows an example of a user-specific job card member for user CIG03:
//CIG03MFA JOB (,,7975,BN07,1,10),'MFA E/OPTION USER', // MSGCLASS=Q,MSGLEVEL=(1,1),NOTIFY=CIG03,CLASS=N //* //***************************************************** //* //* MEMBER: CIG03 //* //* THIS MEMBER REFLECTS A USER-SPECIFIED JOBCARD FOR //* USER CIG03. //* //*****************************************************
The workstation user can request an alternate jobcard member to be used when the MFA E/Option creates the batch Endevor JCL. Using an alternate jobcard member provides the ability for the workstation user to override either the installation specific jobcard member or the default user-specific jobcard member as discussed in alternatives 2 and 3 above. This member name can be overridden by the JCARD parameter, and the library name can be overridden by the JLIB parameter in the Endevor qualification line in the section of Data Access Services. The workstation user will identify an alternative jobcard member by specifying the value JCARD 'member-name' in the Endevor qualification area. The Endevor qualification area can be accessed via the Configure pull-down from the Data Access Services dialog box.
The MFA E/Option will merge the jobcard information with Endevor JCL statements stored in the JCL (CIGJCLI) library specified in the MFA server start-up JCL. The Endevor JCL statements will execute Endevor (NDVRC1) in batch.
The default Endevor JCL member used by the MFA E/Option to create batch Endevor JCL is located in the JCL library defined to the DD name CIGJCLI as specified in the MFA E/Option start-up JCL. The Endevor JCL member name is @@NDVR@@ and can be found in the JCLLIB.
The member @@NDVR@@ is shown below.
//*********************************************************** //* //* MEMBER: @@NDVR@@ //* //*********************************************************** //SCL EXEC PGM=NDVRC1,PARM='C1BM3000' //CONLIB DD DSN=HLQ1.ENDEVOR.CONLIB,DISP=SHR //C1MSGS1 DD SYSOUT=* //* NOTE: BSTIPT01 MUST BE THE LAST JCL STATEMENT IN THIS FILE //BSTIPT01 DD *,DCB=LRECL=80
A few note about the JCL above:
The workstation user can request an alternate Endevor JCL member be used when the MFA E/Option creates the batch Endevor JCL. Using an alternate Endevor JCL member provides the workstation user the ability to override the default Endevor JCL member as discussed in alternative 1 above. This member name can be overridden by the JMBR parameter, and the library name can be overridden by the JLIB parameter in the Endevor qualification line in the section of Data Access Services. The workstation user will specify an alternative jobcard member by specifying the value JMBR 'member-name' in the Endevor qualification area. The Endevor qualification area can be accessed via the Configure pull-down from the Data Access Services dialog box.
The MFA E/Option will write a GENERATE ELEMENT statement at the end of the merged jobcard and Endevor JCL member. The GENERATE ELEMENT will contain the Endevor location information and Endevor options specified by the workstation user when an add to host is requested. Since the MFA E/Option appends the SCL statements to the end of the Endevor JCL member, it is critical that the last statement in the Endevor JCL member be the BSTIPT01 ddname.
The workstation user can request an alternate JCL library be used when accessing the jobcard member and Endevor JCL. The default JCL is defined to the MFA server start-up JCL via the ddname CIGJCLI. You would want to utilize a JCL library if jobcard members or Endevor JCL members are to be maintained in a decentralized manner. An alternative JCL library can be specified via the JLIB 'jcl-library' in the Endevor qualification area. The Endevor qualification area can be accessed via the Configure pull-down from the Data Access Services dialog box. Overriding the JCL library will cause the MFA E/Option to first look in the JLIB (override JCL library) for both the jobcard member and Endevor JCL member. If either the jobcard member or Endevor JCL member is not in the JLIB specification then the MFA E/Option will look in the CIGJCLI library for the members. CIGJCLI is a ddname specified in the MFA server start-up JCL.
The following illustrates specifying an alternate JLIB value in the Endevor qualification area:
| ENV 'DEVLOP' SYS 'FINANCE' JLIB 'CIGT.TEST.MYLIB' |
In the example above, the MFA E/Option will first search the dataset CIGT.TEST.MYLIB for the jobcard member and Endevor JCL member. If either the jobcard member nor the Endevor JCL member is located in the dataset CIGT.TEST.MYLIB then the DD name CIGJCLI specified in the MFA server start-up JCL will be searched for the jobcard member or Endevor JCL member.
The following summaries the logic of Endevor JCL creation performed by the MFA E/Option:
You can use symbolics to create a generic jobcard member and a generic Endevor JCL member used during Endevor batch element generation. MFA Endevor option Symbolics are very similar to symbolics used in Endevor processors.
| Symbolic | Length | Replacement value |
| &C1CCID | 12 | CCID associated with the action. |
| &C1DATE | 6 | Date of workstation request in the format YYMMDD. |
| &C1ELEMENT | 8 | Element name. |
| &C1ELTYPE | 8 | Element type |
| &C1EN | 8 | Environment name. |
| &C1ENVMNT | 8 | Same as &C1EN. |
| &C1PSWD | 8 | The user's password. |
| &C1RANDOM | 8 | A random 8-byte name.
The name will be formatted as cdhhmmss where: cd is the day of the month. c=A if day is between 1-9. c=B if day is between 10-19 c=C if day is between 20-29 c=D if day is 30 or 31. d is the second character of the day of month |
| &C1SI | 1 | Stage ID |
| &C1STGID | 1 | Same as &C1SI. |
| &C1SU | 8 | Subsystem name. |
| &C1SUBSYS | 8 | Same as &C1SI. |
| &C1SY | 8 | System name |
| &C1SYSTEM | 8 | Same as &C1SY |
| &C1TIME | 6 | Time of the workstation request in the format HHMMSS. |
| &C1TY | 8 | Same as &C1ELTYP. |
| &C1USERID | 8 | Workstation user ID. |
Symbolics can begin with either one or two ampersands - & or &&. The following action will be taken when a symbolic with an ampersand is encountered:
If the symbolic begins with a single ampersand (&) then the period will not be included in the final JCL statement.
| DSN=CIGT.&C1EN.LIB,DISP=SHR will become |
| DSN=CIGT.TESTLIB,DISP=SHR |
| DSN=CIGT.&C1ENV..LIB,DISP=SHR will become |
| DSN=CIGT.TEST.LIB,DISP=SHR |
If the symbolic begins with a double ampersand (&&) then the period will be kept in the resolved JCL statement.
| DSN=CIGT.&&C1ENLIB,DISP=SHR will become |
| DSN=CIGT.TESTLIB,DISP=SHR |
| DSN=CIGT.&&C1EN.LIB,DISP=SHR will become |
| DSN=CIGT.TEST.LIB,DISP=SHR |
Substring support is provided in a similar fashion to substring support included with Endevor processors. Substring support allows for part of the symbolic to be included in the final JCL. The substring expression is defined as follows:
&symbolic(start,length)
| &symbolic is the one of the symbolic listed in the symbolic table. |
| &start is the beginning position within the symbolic value. |
| &length is the length of the text beginning from the &start specification. |
Example:
| DSN=CIGT.Y&C1DATE(2,4),DISP=SHR will become |
| DSN=CIGT.Y0301,DISP=SHR if the current date is March 1. |
You can make the output that is created after the generate action available to the workstation through the use of the &C1RANDOM symbolic. The Endevor JCL member illustrates the use of the &C1RANDOM to create a member which contains listing output created from the batch generate action.
//********************************************************** //* //* MEMBER: @@NDVR@@ //* //* THIS MEMBER WILL BE MERGED WITH THE JOBCARD INFORMATION //* AND SCL GENERATED BY THE MFA E/OPTION. THE LAST //* STATEMENT IN THE JCL MUST BE BSTIPT01. //* //********************************************************** //SCL EXEC PGM=NDVRC1,PARM='C1BM3000' //CONLIB DD DSN=SYS2.ENDEVOR.CONLIB,DISP=SHR //C1MSGS1 DD DSN=&C1USERID..ENDEVOR.MESSAGES(&C1RANDOM.), // DISP=SHR //BSTIPT01 DD *
User XG6PNX3 signs onto the workstation and initiates an Endevor Add action at 10:00.30 am on January 5. The dataset name associated with C1MSGS1 will be
| DSN=XG6PNX3.ENDEVOR.MESSAGES(A5100030) |
To have Endevor successfully write the messages to the member A5100030 the user must first have allocated a dataset called XG6PNX3.ENDEVOR.MESSAGES with LRECL 132, and BLKSIZE a multiple of 132, RECFM FB, and DSORG PO.
Once Endevor completes the batch generate, the messages will be written to the A5100030 and the user can browse the created members from the workstation.
To assist in problem resolution, a trace facility was built into the MFA E/Option. This facility allows the amount of trace information to be controlled. The trace facility is specified via the CIGMFTR DD statement in the MFA server start-up JCL.
An overview of the MFA E/Option architecture is necessary to explain tracing. The MFA E/Option which executes inside the MFA server consists of two processing components: MFA E/Option Client tasks and MFA E/Option server task. There is one Client task for each workstation user concurrently issuing Endevor requests. Each client task represents a workstation user. The server task schedules activity to be performed by Endevor. There is only one MFA E/Option server task per MFA server region.
Tracing is controlled through trace syntax specified in the CIGMFTR file defined in the MFA server start-up JCL. The following shows the trace syntax.
| SERVER TRACE ON | causes MFA E/Option server summary level tracing messages to be written to the CIGSMSG DD name in the MFA server start-up JCL. |
| SHOW DETAIL MESSAGES | causes the server to write detail level tracing messages to the CIGSMSG DD name. |
| CLIENT TRACE ON | causes MFA E/Option Client to write summary level messages to the CIGCMSG DD name in the MFA server start-up JCL. |
| SHOW DETAIL MESSAGES | causes detailed client tracing messages to be written to the CIGCMSG DD name for each internal function within the MFA E/Option Client component. |
| SHOW ACTION DETAILS | causes Endevor messages to be written to the CIGCMSG DD name. |
| SHOW DATA BUFFERS | causes the Client application to write each text line associated with an element to the CIGCMSG DD name. |
| SHOW GENERATED SCL | causes the Client application to write a copy of the generated Endevor action SCL to the CIGCMSG DD name. |
| FOR USER userid | causes MFA E/Option Client to only write trace messages for a specific user. If this clause is omitted then client trace messages for all users will be written to the CIGCMSG DD name. |
| RACFUID = userid | specifies the user id if you are using RACF alternate id switching. This parameter was previously described. RACFUID= is not used for tracing. |
| RACFPWD = password | specifies the password if you are using RACF alternate id switching. This must be specified if RACFUID= is specified. |
To turn off tracing, do not specify any syntax in the CIGMFTR input file.
Copyright © 1999 MERANT International Limited. All rights reserved.
This document and the proprietary marks and names
used herein are protected by international law.
| Data Access Services | SourceConnect for Windows Explorer and Workbench | |