Before you begin: You must know the file name of
your sanction list. This file might or might not exist, or it might
not be complete, or both. If this file exists, it must be properly
constructed as described in Formatting rules for sanction lists even
though it might not be complete.
Perform the following steps to activate the sanction list.
- Activate the sanction list processing by specifying a value for
AUTHPGMLIST. If you do not specify a value, the sanction list will
not be processed. Base your choice on your particular situation.
Table 1. Methods for activating the sanction list.
| If you choose this method... | Then... |
|---|---|
| Use the AUTHPGMLIST statement in BPXPRMxx. The sanction list might or might not have already been set up. | Customize BPXPRMxx to include the AUTHPGMLIST parameter. For example: AUTHPGMLIST('/etc/authfile') |
| Use SETOMVS. Guideline: You should already have set up the sanction list. Otherwise, you will get an error message warning you that the file does not exist. The path name, however, will be set. If you issue the same command with the same file name, you will not get an error message. The DISPLAY OMVS command will show the AUTHPGMLIST parameter being set. This file name is used by the background task to check whether a sanction list has been created or updated. | Issue the SETOMVS command. For example: SETOMVS AUTHPGMLIST='/etc/authfile' Tip: To turn off sanction list checking, issue: SETOMVS AUTHPGMLIST=NONE |
| A nonexistent sanction list. Guideline: Use this feature only if the sanction list must not exist before it is activated. It is possible to set the sanction list value and forget that the sanction list has not been completely set up. The system might appear to be operating with sanction list processing, but in fact it is not. The background task will routinely check for the nonexistent file, but sanctioning will not occur for spawns, execs, and so on. This sanction list file must be set up for sanctioning to occur. The background task will not warn that the sanction list does not exist. | Use either method described in this table (customize the BPXPRMxx member of SYS1.PARMLIB or use SETOMVS). |
_______________________________________________________________
- If the sanction list has not already been created (see Steps for creating a sanction list), create one now.
_______________________________________________________________
When you are done, you have activated the sanction list. A background
task checks for updates every 15 minutes. Its
only job is to check for the sanction list and, if it is there, to
process it. Alternatively, if a change needs to be activated sooner,
you can use SETOMVS or SET OMVS=(xx), where xx specifies
which BPXPRMxx file is to be used to reset the various z/OS® UNIX parameters.
Tip: You can turn off sanction list checking with the SETOMVS
command:
SETOMVS AUTHPGMLIST=NONE
Note:
- If the sanction list was not created when the system was IPLed,
you can create it later and then use the SETOMVS command to dynamically
add it. Be careful because you will not get a message saying that
the sanction list file does not exist, although z/OS UNIX will continue
to check every 15 minutes.
- If the sanction list was created before the system was IPLed, and
there are errors, the sanction list processing is disabled.
- If the AUTHPGMLIST statement in the BPXPRMxx member contains
a nonexistent value, you will not get an error message.
- If the sanction list is running on the system, you will get error
messages when you try to run program-controlled or APF-authorized
programs that are not in the sanction list. You will have to add them
to the sanction list.
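Because a path that names a nonexistent file produces no warning, it is worth checking for that case directly. The following shell sketch is an added example, not code from this page or from IBM: it reads a text copy of the BPXPRMxx member, extracts the AUTHPGMLIST value and reports whether the named file exists. The function names, the status words, the ROOT prefix and the sample member lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Input is a text copy of a BPXPRMxx member.

# Print the value of the first AUTHPGMLIST(...) statement read from stdin.
authpgmlist_value() {
    # Drop single-line /* ... */ comments so a commented-out statement is ignored.
    sed -e 's:/\*[^*]*\*/::g' |
    sed -n "s/^.*AUTHPGMLIST[ ]*([ ]*'\{0,1\}\([^')]*\)'\{0,1\}[ ]*).*\$/\1/p" |
    head -n 1
}

# sanction_status MEMBER_COPY [ROOT]
# ROOT (hypothetical) is prepended to the path so a copied file tree can be checked.
sanction_status() {
    member=$1
    root=${2:-}
    value=$(authpgmlist_value < "$member")
    if [ -z "$value" ]; then
        echo "NOT_SET"            # no value specified: the list is not processed
    elif [ "$value" = "NONE" ]; then
        echo "OFF"                # assumption: NONE means off, as in SETOMVS AUTHPGMLIST=NONE
    elif [ ! -f "$root$value" ]; then
        echo "MISSING $value"     # path is set but nothing is sanctioned, and no warning is issued
    else
        echo "PRESENT $value"     # existence only; the formatting rules are not checked here
    fi
}

# Constructed demo input: a two-line member copy and an empty scratch tree.
demo="${TMPDIR:-/tmp}/sanction_demo.$$"
mkdir -p "$demo/root/etc"
printf "%s\n" "MAXPROCSYS(900) /* constructed */" \
    "AUTHPGMLIST('/etc/authfile')" > "$demo/member.txt"
sanction_status "$demo/member.txt" "$demo/root"    # file not created yet
: > "$demo/root/etc/authfile"
sanction_status "$demo/member.txt" "$demo/root"    # file now exists
rm -rf "$demo"
```

A MISSING result corresponds to the state described above in which the system appears to be running with sanction list processing but nothing is being sanctioned.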