The Protect Library tool helps prevent specified critical libraries
from an accidental use of CLRLIB or DLTLIB. The tool uses the system
provided command exit program technique. In addition to CLRLIB and
DLTLIB, the TAA Tools CLRLIB2 and DLTLIB2 are also protected. Not
even an *ALLOBJ user will be able to accidentally clear or delete a
protected library.
The 'Command Analyzer Retrieve Exit Program' function provided by the
system is designed to allow an exit program to occur before the
command is executed. The Protect Library (PROLIB) tool allows you to
identify the libraries that should be protected.
A different API that allows command changes is the 'Command Analyzer
Change Program'. This API has several restrictions such as not being
used when a command is library qualified. See the discussion with
the CMDEXIT TAA Tool. The 'Command Analyzer Retrieve Exit Program'
function does not have the same restrictions. The PROLIB tool will
protect a library regardless of how it is specified such as:
CLRLIB LIB(ABC)
CLRLIB ABC
QSYS/CLRLIB ABC
CALL QCMDEXC PARM('CLRLIB ABC' 10)
The protection also occurs for commands in CL programs. Note that a
RST command is not checked.
PROLIB tool demonstration
-------------------------
You should perform this simple demonstration to get acquainted with
the tool and how it works. You must have *ALLOBJ special authority
to run the demonstration.
** The PROLIB files must be created with the command:
CRTPROLIBD
This creates the files PROLIBP and PROLIBL in the QGPL
library. The files are created to allow *PUBLIC *USE
authority, but only the owner or an *ALLOBJ user can change
the data in the file. Other users may be specifically
authorized to *CHANGE authority.
** For this demonstration, create a new library (ABC is used in
the examples).
CRTLIB LIB(ABC) TEST('PROLIB test')
** Use WRKPROLIB to access the work display.
WRKPROLIB
** Use F6 to add the new library ABC. The default is for the
protect value to be *YES. A text discussion may be entered of
why the protection value is set one way or the other. Enter a
minimal amount of text. Press Enter to add the record and
then F3 to return to the work display.
** The work display describes the library and protection value.
** Option 2 will let you change the protection value and the text
discussion. Both Options 2 and 5 also provide information
about the user who made the last change to the record.
Option 9 is a toggle switch to simplify making a change for
the protection value for *YES to *NO or *NO to *YES. The text
discussion is not changed. Give it a try on the ABC library.
Be sure the value is reset to *YES before ending the display.
Return to a command entry display.
** Test the function with the command CHKPROLIB:
CHKPROLIB LIB(ABC)
** You should see an escape message that describes that the
library is protected.
** If you specify a library that is not described to the PROLIBP
file or the protection value is *NO, the command completes
normally. Try it on a library such as QTEMP.
CHKPROLIB LIB(QTEMP)
** You should see the command complete normally. A completion
message is sent when using CHKPROLIB to describe the results
if no checking occurred.
** Both the TAA Tools CLRLIB2 and DLTLIB2 use the CHKPROLIB
command internally. Try CLRLIB2:
CLRLIB2 LIB(ABC)
You should see the same failure message as previous.
** If you do not want to implement the PROLIB function, you
should delete the PROLIB files and stop reading. To delete
the files, enter:
DLTPROLIBD
** To fully implement the PROLIB function, you need to protect
the system commands CLRLIB and DLTLIB with the use of an exit
program. This is done by using the system command ADDEXITPGM
and identifying the TAA exit program. Because these are
complex commands to enter, a TAA program exists which can be
called which runs the required ADDEXITPGM commands for both
CLRLIB and DLTLIB. You may either call the program:
CALL TAALIDLC12
or enter the following commands:
ADDEXITPGM EXITPNT(QIBM_QCA_RTV_COMMAND) +
FORMAT(RTVC0100) PGMNBR(50) +
PGM(TAATOOL/TAALIDLC11) THDSAFE(*NO) +
TEXT('CLRLIB exit') CRTEXITPNT(*YES) +
PGMDTA(*JOB 20 'CLRLIB QSYS ')
ADDEXITPGM EXITPNT(QIBM_QCA_RTV_COMMAND) +
FORMAT(RTVC0100) PGMNBR(51) +
PGM(TAATOOL/TAALIDLC11) THDSAFE(*NO) +
TEXT('DLTLIB exit') CRTEXITPNT(*YES) +
PGMDTA(*JOB 20 'DLTLIB QSYS ')
** You can see the exit points by entering:
WRKREGINF
** There should be an entry for:
QIBM_QCA_RTV_COMMAND
** Use Option 8 (Work with exit programs) on that entry and roll
until you see exit program numbers 50 and 51. These are the
entries that were added by the program TAALIDLC12.
** You can check the results by trying to clear and/or delete the
test library:
CLRLIB ABC
DLTLIB ABC
** Both commands should fail with the same message seen earlier.
** Use WRKPROLIB:
WRKPROLIB
** Use Option 9 for library ABC which changes the protection
value to *NO. Use F3 to end WRKPROLIB.
** Now try to delete the library:
DLTLIB ABC
** Because the library is no longer protected, the library can be
cleared or deleted. If you need to clear or delete a
protected library, just change the protected value.
** Use WRKPROLIB again:
WRKPROLIB
You should see the highlighted text describing that the ABC
library does not exist. You can use Option 4 to delete the
record. No harm exists to leave the record in the file in
case the library is created again.
** To simplify adding libraries to PROLIBP, the ADDPROLIB command
may be used. It will add one library, a generic set of
libraries, or all libraries on the system. The text
discussion value applies to all libraries added. Leaving the
value blank should be considered when adding all libraries.
For example, you can add the TAA libraries as:
ADDPROLIB LIB(TAA*) OPTION(*YES)
** All library records added will have the same option. The
completion message describes how many library records were
added. If a library already exists in the file, it is not
changed and the protection value remains the same.
** If you add all libraries, you can check what new libraries
were added by using:
WRKPROLIB CHGDAT(*TODAY)
This provides a convenient method of reviewing what was added
on a specific date. If a library no longer exists, it is
highlighted in the Text description using WRKPROLIB. If the
library is created again, the protection will apply.
WRKPROLIB also supports the ability to select on the
protection value. *ALL is the default.
** If you add *ALL libraries or the generic name Q*, you should
change the QTEMP library to specify *NO as there is often a
need to clear QTEMP. The QRCL library (used by RCLSTG) may
need to be cleared periodically, but you may prefer to leave
the protection as *YES and make a change when needed.
The system prevents the use of CLRLIB against a few system
libraries such as QSYS and QRECOVERY.
The internal code for CLRLIB2 and DLTLIB2 prevents the use of
these commands on a library that is owned by a system profile
other than QPGMR.
With the exception of QTEMP, it is normally best to have the
system libraries protected unless you have a specific reason
not to.
Using Option 9 (Change protection) simplifies making several
changes, but does not allow the entry of a text discussion as
to why the protection was chosen.
** You could also scan your source for CLRLIB and DLTLIB to
determine other libraries that should not be protected. The
SCNALLSRC2 command allows this to be done by library or for
all libraries on the system:
SCNALLSRC2 ARGUMENT((CLRLIB)(DLTLIB))
LIB(*ALL) TYPE(*ALL)
This submits a batch job to do the scan of all source files in
all libraries. A spooled file will exist for each source file
where an argument was found. It is obviously a long running
function, but may assist you in determining what libraries
should not be protected.
** A CHGPROLIB command exists to change the protection type for a
library. A RTVPROLIB command exists to retrieve the
protection value as well as a DLTPROLIB command to delete a
library record. These commands may be used instead of the
WRKPROLIB interactive function.
** If the TAA Productivity Tools are installed and the TAATOOL
library is protected, special code changes the value before
clearing the library and then changes it back after the
library is cleared. You may use a similar technique for some
libraries.
** You have completed the test of PROLIB. You can now use
ADDPROLIB/WRKPROLIB to build the list of libraries and what
should be protected.
Other comments
--------------
** The CHKPROLIB command supports a constant parameter for the
usage type which is passed as *CMD to the TAALIDLC5 program
(the CPP for CHKPROLIB). The Exit program calls TAALIDLC5
directly and passes *PGM for the constant parameter. This
allows the TAALIDLC5 program to distinguish between the two
types so that error messages may be sent correctly. Sending
escape messages from the exit program requires special
handling because the system ignores any typical escape
messages and the message must be sent up the stack and not to
the calling program. The TAA9891 message ID is the escape
message that is sent.
** The CHKPROLIB command will send a completion message if the
library does not exist or is not protected.
** A user attribute of TAAPROLIB is used when the PROLIBP file is
created to ensure correct operations against what could be a
user file name.
Commands supported
------------------
CRTPROLIBD Create Protected Library Description
DLTPROLIBD Delete Protected Library Description
WRKPROLIB Work Protected Library
ADDPROLIB Add Protected Library
CHKPROLIB Check Protected Library
RTVPROLIB Retrieve Protected Library
CHGPROLIB Change Protected Library
DLTPROLIB Delete Protected Library
CHKPROLIB escape messages you can monitor for
---------------------------------------------
TAA9891 The library is protected
Escape messages from based on functions will be re-sent.
ADDPROLIB escape messages you can monitor for
---------------------------------------------
TAA9892 All libraries already exist in PROLIBP
Escape messages from based on functions will be re-sent.
RTVPROLIB escape messages you can monitor for
---------------------------------------------
TAA9893 The library record does not exist
Escape messages from based on functions will be re-sent.
CHGPROLIB escape messages you can monitor for
---------------------------------------------
TAA9893 The library record does not exist
Escape messages from based on functions will be re-sent.
DLTPROLIB escape messages you can monitor for
---------------------------------------------
TAA9893 The library record does not exist
Escape messages from based on functions will be re-sent.
CRTPROLIBD Command parameters *CMD
-----------------------------
SRCLIB The source library to use for the QATTDDS file
source. The default is *TAAARC.
A specific user library may be named, but the source
file name must be QATTDDS.
DLTPROLIBD Command parameters *CMD
-----------------------------
No parameters exist.
WRKPROLIB Command parameters *CMD
----------------------------
PROVAL The protection value to select. *ALL is the default
to select all records.
*YES may be specified to select only those library records
that are protected.
*NO may be specified to select only those library records that
are not protected.
CHGDAT The change date of the library records to be
displayed. This allows a review of what was changed
on a specific date particularly if you use ADDPROLIB
with LIB(*ALL) or a generic name.
*ALL is the default to display all records
regardless of the change date.
A specific date may be entered in job format or the
special value *TODAY meaning the current date.
ADDPROLIB Command parameters *CMD
----------------------------
LIB The library to be added as a library record in the
PROLIBP file. A generic name or the special value
*ALL for all libraries may be entered. If a library
already exists, the protection value is not changed
from its existing value.
PROVAL The protection value to be set for the library or
libraries.
*YES is the default to prevent the library from
being cleared by CLRLIB or CLRLIB2 and to prevent
the library from being deleted by DLTLIB or DLTLIB2.
*NO may be specified to allow the library to be
cleared or deleted.
DISCUSSION The text discussion to be added for all libraries
added. Up to 200 characters may be specified.
The text discussion value applies to all libraries
added. Leaving the value blank should be considered
when adding all libraries.
CHKPROLIB Command parameters *CMD
----------------------------
LIB The library to be checked to see if it can be
cleared or deleted.
RTVPROLIB Command parameters *CMD
----------------------------
LIB The library to retrieve information for from the
PROLIBP file.
PROVAL The library protection value to be returned. This
is an optional return variable that if used must be
specified as *CHAR LEN(4).
DISC The return value of the text discussion that was
entered when adding or changing a record with
WRKPROLIB. This is an optional return variable that
if used must be specified as *CHAR LEN(200).
CHGPROLIB Command parameters *CMD
----------------------------
LIB The library name to change the protection value for.
PROVAL The library protection value to be assigned.
*YES is the default to prevent the library from
being cleared by CLRLIB or CLRLIB2 and to prevent
the library from being deleted by DLTLIB or DLTLIB2.
*NO may be specified to allow the library to be
cleared or deleted.
DLTPROLIB Command parameters *CMD
----------------------------
LIB The library name to delete the corresponding record
for in the PROLIBP file.
Restrictions
------------
Only a user with *ALLOBJ authority may use CRTPROLIBD.
Prerequisites
-------------
The following TAA Tools must be on your system:
CHGOBJD2 Change object description 2
CHKDBFMBR Check data base file member
CPYTAADDS Copy TAA DDS source
EDTVAR Edit variable
RSNLSTMSG Resend last message
RTVDAT Retrieve date
SNDCOMPMSG Send completion message
SNDESCINF Send escape information
SNDESCMSG Send escape message
SNDESCMSG5 Send escape message 5
SNDSTSMSG Send status message
UPDPFILE Update PFILE keyword
Implementation
--------------
See the section on 'PROLIB tool demonstration'.
Objects used by the tool
------------------------
Object Type Attribute Src member Src file
------ ---- --------- ---------- ----------
CRTPROLIBD *CMD TAALIDL QATTCMD
DLTPROLIBD *CMD TAALIDL2 QATTCMD
ADDPROLIB *CMD TAALIDL3 QATTCMD
WRKPROLIB *CMD TAALIDL4 QATTCMD
CHKPROLIB *CMD TAALIDL5 QATTCMD
RTVPROLIB *CMD TAALIDL6 QATTCMD
CHGPROLIB *CMD TAALIDL7 QATTCMD
DLTPROLIB *CMD TAALIDL8 QATTCMD
TAALIDLC *PGM CLP TAALIDLC QATTCL
TAALIDLC2 *PGM CLP TAALIDLC2 QATTCL
TAALIDLC3 *PGM CLP TAALIDLC3 QATTCL
TAALIDLC4 *PGM CLP TAALIDLC4 QATTCL
TAALIDLC5 *PGM CLP TAALIDLC5 QATTCL
TAALIDLC6 *PGM CLP TAALIDLC6 QATTCL
TAALIDLC7 *PGM CLP TAALIDLC7 QATTCL
TAALIDLC8 *PGM CLP TAALIDLC8 QATTCL
TAALIDLC11 *PGM CLP TAALIDLC11 QATTCL
TAALIDLC12 *PGM CLP TAALIDLC12 QATTCL
TAALIDLR3 *PGM RPG TAALIDLR3 QATTRPG
TAALIDLR4 *PGM RPG TAALIDLR4 QATTRPG
TAALIDLR6 *PGM RPG TAALIDLR6 QATTRPG
TAALIDLP *FILE PF TAALIDLP QATTDDS
TAALIDLL *FILE LF TAALIDLL QATTDDS
TAALIDLD *FILE DSPF TAALIDLD QATTDDS
Structure
---------
CRTPROLIBD Cmd
TAALIDLC CL pgm
DLTPROLIBD Cmd
TAALIDLC2 CL pgm
ADDPROLIB Cmd
TAALIDLC3 CL pgm
TAALIDLR3 RPG pgm
WRKPROLIB Cmd
TAALIDLC4 CL pgm
TAALIDLR4 RPG pgm
TAALIDLD Dsp file
CHKPROLIB Cmd
TAALIDLC5 CL pgm (also used via the Exit program)
RTVPROLIB Cmd
TAALIDLC6 CL pgm
TAALIDLR6 RPG pgm
CHGPROLIB Cmd
TAALIDLC7 CL pgm
TAALIDLR6 RPG pgm (same program used by RTVPROLIB)
DLTPROLIB Cmd
TAALIDLC8 CL pgm
TAALIDLR6 RPG pgm (same program used by RTVPROLIB)
TAALIDLC11 CL Pgm specified as the command exit which calls TAALIDLC5
TAALIDLC12 CL Pgm used for ADDEXITPGM
|
