ca.portal.admin

Re:question about numbered user exits

Discussion created by ca.portal.admin on Oct 18, 2010
I am reading Chris Hoelscher's article on z/IIP exploitation in the
September 2010 ""IUA Connections"" with great interest as our site
experienced the problem that he describes. Chris indicates that the
numbered user exits can contribute to TCB/SRB swapping. We use exit 28
(security pre-processing) and I am wondering if this could account for
some of the high swapping rate that we saw.

Here is my question: Is there any way to determine how many times a
numbered user exit is actually being executed?

Kay Rozeboom
State of Iowa
Information Technology Enterprise
Department of Administrative Services
Telephone: 515.281.6139 Fax: 515.281.6137
Email: Kay.Rozeboom@Iowa.Gov

*****JuliusBaer Disclaimer***** This e-mail is for the intended
recipient only and may contain confidential or privileged information.
If you have received this e-mail by mistake, please contact us
immediately and completely delete it (and any attachments) and do not
forward it or inform any other person of its contents. If you send us
messages by e-mail, we take this as your authorization to correspond
with you by e-mail, however, we will not accept the electronic
transmission of orders/instructions without a specific agreement being
in place to govern the same. If you do not wish to receive any further
e-mail correspondence please let us know. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, amended, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses. Neither the Julius Baer Group nor the
sender accept liability for any errors or omissions in the content of
this message which arise as a result of its e-mail transmission. Please
note that all e-mail communications to and from the Julius Baer Group
may be monitored. This communication is for informational purposes only.
It is not intended as an offer or solicitation for the purchase or sale
of any financial instrument or as an official confirmation of any
transaction.
"
IDMS Public Discussion Forum
IDMS-L@LISTSERV.IUASSN.COM
SMTP
IDMS-L@LISTSERV.IUASSN.COM
IDMS-L@LISTSERV.IUASSN.COM
SMTP








Normal

Normal
Re: question about numbered user exits
"The code path is a lot shorter using an exit linked with rhdcuxit=2E The B=
ALR is one instruction, the address of the exit already resolved, so it's o=
ne instruction and you're there=2E A #call, uses the stackchecker to get t=
o rhdcpctl and if you make a program resident, there's prolly less then a h=
undred instructions to get to the same place a BALR will with one instructi=
on=2E However, weighing the usabiliyt/visability of a signon/security exit=
as a program, I think outweighs the very small number of additional instru=
ctions=2E Especially when there are other exits invoked through rhdcuxit=
=2E From a beancounting perspective, the linked exit has fewer instructio=
ns, but from experience I think a signon/security exit that doesn't get cal=
led that frequently anyway, is far easier to manage=2E The cost is minimal=
=2E However, if this exit gets in the act for every program that's loaded=
, then of course the additional code path would mandate the use of a linked=
exit=2E =0D=0A=0D=0ALutz Petzold=0D=0ADBSS DB2 LUW/IDMS Support=0D=0A401-7=
82-2265=0D=0APage 860 366 0865 or Telalert=0D=0A=0D=0A=0D=0A=0D=0A =0D=0A=
=0D=0A-----Original Message-----=0D=0AFrom: IDMS Public Discussion Forum =
=0D=0A[mailTo:IDMS-L@LISTSERV=2EIUASSN=2ECOM] On Behalf Of Siraco, John A=
=0D=0ASent: Monday, October 18, 2010 11:16 AM=0D=0ATo: IDMS-L@LISTSERV=2EIU=
ASSN=2ECOM=0D=0ASubject: Re: question about numbered user exits=0D=0A=0D=0A=
Hi Chris,=0D=0A=0D=0AYou are correct=2E IDMSCOMP and IDMSCOM are allowed to=
run in SRB mode=2E=0D=0AAll others require TCB mode=2E (It has nothing to =
do with the =0D=0Aname=2E In other words, you couldn't name a DB proc IDMSC=
OMP and =0D=0Ahave it run in SRB mode)=2E The majority of ""overhead"" when u=
sing =0D=0Athe zIIP option comes from swapping back and forth so the less =
=0D=0Aswapping the better=2E=0D=0A=0D=0AIn my opinion, with respect to the =
question related to =0D=0Aperformance=2E I would suggest you hard link RHDC=
UXIT exits with =0D=0ARHDCUXIT as opposed to defining them as programs and =
having =0D=0Athem called using Standard DC services=2E A simple BALR is a l=
ot =0D=0Afaster than having the RHDCCXIT module issue a #CALL to a =0D=0Apr=
ogram=2E The call and the code path is a lot longer than the =0D=0ABALR=2E =
In a sense this is a lot like linking ""BIFS"" with ADS=2E=0D=0AI've heard of=
and seen some fairly impressive numbers on this subject=2E=0D=0AAs far as =
SRB/TCB/SRB swapping, we will always swap to TCB mode =0D=0Awhen calling an=
RHDCUXIT exit=2E=0D=0A=0D=0AIf you want to see where swaps are occurring y=
ou could specify =0D=0A""CSATST49"" in your SYSIDMS file=2E I would only do t=
his on a non =0D=0Aproduction system simply because in addition to counting=
the =0D=0Aswaps there are some WTORs produced which might not amuse the =
=0D=0Aoperators=2E Don't get me wrong, we can use this in production =0D=0A=
systems if the situation warrants but as a simple matter of =0D=0Agathering=
information over a period of time it might be a bit =0D=0Amuch=2E It is fi=
ne for TEST, QA, Pre-Production, development =0D=0Asystems or whatever your=
site refers to them as=2E=0D=0A=0D=0A""DCMT D SUBT"" will report on the swap=
s=2E Here's a sample:=0D=0A=0D=0A D SUBT=0D=0A=0D=0A *** Displ=
ay all subtasks ***=0D=0A=0D=0A Work Task dispatc=
h=0D=0A=0D=0A Name Nr type Status count Wakeup count=
Total=0D=0ACPU time =0D=0A ---- -- ---- ------ -----=
-------- ------------=0D=0A-------------- =0D=0A MAINTASK 01=
IDMS BUSY 1,327 1,228=0D=0A00:00:01=2E4315 =0D=0A=
=0D=0A=0D=0A CHGEMODE table display=0D=0A=0D=0A Address Program Offset=
Call cnt TCB->SRB SRB->TCB=0D=0A=0D=0A -------- -------- ----=
---- ---------- ---------- ----------=0D=0A=0D=0A 3D4B28EA RHDCWAIT =
000032EA 1 1 0=0D=0A=0D=0A 3D554058 RHDCTS=
KI 00000458 22 0 22=0D=0A=0D=0A 3D54C514 RH=
DCMSTR 00000114 1 1 0=0D=0A=0D=0A 3D52B8F2=
RHDCWTL 00001AF2 84 0 84=0D=0A=0D=0A=0D=
=0A=0D=0A=0D=0A=0D=0A=0D=0A=0D=0A-----Original Message-----=0D=0AFrom: IDMS=
Public Discussion Forum [mailTo:IDMS-L@LISTSERV=2EIUASSN=2ECOM]=0D=0AOn Be=
half Of Trayler, Christopher=0D=0ASent: Monday, October 18, 2010 10:46 AM=
=0D=0ATo: IDMS-L@LISTSERV=2EIUASSN=2ECOM=0D=0ASubject: Re: question about n=
umbered user exits=0D=0A=0D=0AI'm losing my memory now but I seem to recall=
that when I was =0D=0Aworking with John Siraco on this he said that User D=
B =0D=0AProcedures would swap but that CA had managed to get COMP/DCOM =0D=
=0Aand Presspack to z/IIP=2E But I can't find the old mails now=2E =0D=0APe=
rhaps John is reading the IDMS List? I mght be able to dig =0D=0Aout the ol=
d issue if I look hard enough=2E=0D=0A=0D=0AChris Trayler =0D=0A=0D=0A----=
-Original Message-----=0D=0AFrom: IDMS Public Discussion Forum [mailTo:IDMS=
-L@LISTSERV=2EIUASSN=2ECOM]=0D=0AOn Behalf Of peter=2Eg=2Echarles@BT=2ECOM=
=0D=0ASent: Montag, 18=2E Oktober 2010 16:32=0D=0ATo: IDMS-L@LISTSERV=2EIUA=
SSN=2ECOM=0D=0ASubject: Re: question about numbered user exits=0D=0A=0D=0AK=
ay,=0D=0A=0D=0AYes DB procedure are considered user code and they are calle=
d =0D=0Ain TCB mode so a swap is required whenever they are called=2E=0D=0A=
=0D=0APete =0D=0A=0D=0A-----Original Message-----=0D=0AFrom: IDMS Public =
Discussion Forum [mailTo:IDMS-L@LISTSERV=2EIUASSN=2ECOM]=0D=0AOn Behalf Of =
Rozeboom, Kay [DAS]=0D=0ASent: 18 October 2010 15:22=0D=0ATo: IDMS-L@LISTSE=
RV=2EIUASSN=2ECOM=0D=0ASubject: Re: question about numbered user exits=0D=
=0A=0D=0AOuch, I forgot about database procedures=2E We use those to =0D=
=0Adeath=2E Does anyone know whether they are considered ""user =0D=0Acode""=
and thus require a swap?=0D=0A=0D=0A=0D=0A-----Original Message-----=0D=0A=
From: IDMS Public Discussion Forum [mailTo:IDMS-L@LISTSERV=2EIUASSN=2ECOM]=
=0D=0AOn Behalf Of David E Matthews (DHL CZ)=0D=0ASent: Monday, October 18,=
2010 8:49 AM=0D=0ATo: IDMS-L@LISTSERV=2EIUASSN=2ECOM=0D=0ASubject: Re: que=
stion about numbered user exits=0D=0A=0D=0AIn a wholly uninformed and specu=
lative way, I wonder about this =2E =2E =2E=0D=0AThat is, I have no idea ho=
w to count user-exit calls, but =2E=2E=2E=0D=0AIf a user-exit is in SYSTEM =
mode, would it swap from TCB to PRB mode?=0D=0AAnd anyway, wouldn't the ADS=
O volume of swaps swamp a user-exit?=0D=0AWe use Exits 2, 21, 20, 22, but a=
ll of them only in specialized =0D=0Asituations, not-for-every-task, but fa=
irly often =2E=2E=2E and what =0D=0Aabout the Exit 17 & 18 stubs? Would tho=
se cause a swap =0D=0Aeverytime? What about Database Procedures, too?=0D=0A=
=0D=0AIt's a poser, alright=2E=0D=0A=0D=0A-----Original Message-----=0D=0AF=
From: IDMS Public Discussion Forum [mailTo:IDMS-L@LISTSERV=2EIUASSN=2ECOM]=
=0D=0AOn Behalf Of Rozeboom, Kay [DAS]=0D=0ASent: Monday, October 18, 2010 =
3:36 PM=0D=0ATo: IDMS-L@LISTSERV=2EIUASSN=2ECOM=0D=0ASubject: question abou=
t numbered user exits=0D=0A=0D=0AI am reading Chris Hoelscher's article on =
z/IIP exploitation in =0D=0Athe September 2010 ""IUA Connections"" with great=
interest as our =0D=0Asite experienced the problem that he describes=2E C=
hris =0D=0Aindicates that the numbered user exits can contribute to =0D=0AT=
CB/SRB swapping=2E We use exit 28 (security pre-processing) and =0D=0AI am=
wondering if this could account for some of the high =0D=0Aswapping rate t=
hat we saw=2E=0D=0A=0D=0AHere is my question: Is there any way to determin=
e how many =0D=0Atimes a numbered user exit is actually being executed?=0D=
=0A=0D=0AKay Rozeboom=0D=0AState of Iowa=0D=0AInformation Technology Enterp=
rise=0D=0ADepartment of Administrative Services=0D=0ATelephone: 515=2E281=
=2E6139 Fax: 515=2E281=2E6137=0D=0AEmail: Kay=2ERozeboom@Iowa=2EGov=0D=
=0A =0D=0A*****JuliusBaer Disclaimer***** This e-mail is for the intended =
=0D=0Arecipient only and may contain confidential or privileged information=
=2E=0D=0AIf you have received this e-mail by mistake, please contact us =0D=
=0Aimmediately and completely delete it (and any attachments) and =0D=0Ado =
not forward it or inform any other person of its contents=2E =0D=0AIf you s=
end us messages by e-mail, we take this as your =0D=0Aauthorization to corr=
espond with you by e-mail, however, we =0D=0Awill not accept the electronic=
transmission of =0D=0Aorders/instructions without a specific agreement bei=
ng in place =0D=0Ato govern the same=2E If you do not wish to receive any f=
urther =0D=0Ae-mail correspondence please let us know=2E E-mail transmissio=
n =0D=0Acannot be guaranteed to be secure or error-free as information =0D=
=0Acould be intercepted, amended, corrupted, lost, destroyed, =0D=0Aarrive =
late or incomplete, or contain viruses=2E Neither the =0D=0AJulius Baer Gro=
up nor the sender accept liability for any =0D=0Aerrors or omissions in the=
content of this message which arise =0D=0Aas a result of its e-mail transm=
ission=2E Please note that all =0D=0Ae-mail communications to and from the =
Julius Baer Group may be =0D=0Amonitored=2E This communication is for infor=
mational purposes only=2E=0D=0AIt is not intended as an offer or solicitati=
on for the purchase =0D=0Aor sale of any financial instrument or as an offi=
cial =0D=0Aconfirmation of any transaction=2E=0D=0AThis e-mail may contain =
confidential or privileged information=2E If=0Ayou think you have received =
this e-mail in error, please advise the=0Asender by reply e-mail and then d=
elete this e-mail immediately=2E=0AThank you=2E Aetna
"
IDMS 3rd-party providers forum
IDMSVENDOR-L@LISTSERV.IUASSN.COM
SMTP
IDMSVENDOR-L@LISTSERV.IUASSN.COM
IDMSVENDOR-L@LISTSERV.IUASSN.COM
SMTP








Normal

Normal
Re: question about numbered user exits
"The code path is a lot shorter using an exit linked with rhdcuxit. The BALR is one instruction, the address of the exit already resolved, so it's one instruction and you're there. A #call, uses the stackchecker to get to rhdcpctl and if you make a program resident, there's prolly less then a hundred instructions to get to the same place a BALR will with one instruction. However, weighing the usabiliyt/visability of a signon/security exit as a program, I think outweighs the very small number of additional instructions. Especially when there are other exits invoked through rhdcuxit. From a beancounting perspective, the linked exit has fewer instructions, but from experience I think a signon/security exit that doesn't get called that frequently anyway, is far easier to manage. The cost is minimal. However, if this exit gets in the act for every program that's loaded, then of course the additional code path would mandate the use of a linked exit.

Lutz Petzold
DBSS DB2 LUW/IDMS Support
401-782-2265
Page 860 366 0865 or Telalert

Outcomes