Background: The system service for recording an SMF record requires APF authorization. We chose to use the BPX1SMF (__smf_record()) library call, which doesn't require APF authorization but does require READ access to BPX.SMF.
We believe that most customers will prefer to grant READ to BPX.SMF rather than to run Co:Z sftp-server as APF authorized. It is apparently one thing for IBM to ship code APF authorized, but for us to do it is something else.
We would appreciate any feedback from users on this point; please post your opinion as a response to this thread.
We would consider an enhancement so that IF a customer wanted to run APF authorized, THEN READ access to BPX.SMF would not be required. But if we did this, any security exposures would be the customer's responsibility. If this is something that you are interested in, please send me an email offline to info@dovetail.com.
BTW: we do ship a sample script that can be used to relink sftp-server with AC=1 and to mark it APF authorized. This was done for a customer that had exits that needed to run APF authorized.
There is another possibility - Co:Z sftp and sftp-server support a network management interface whereby SMF records can be received in real-time by another job/program. This NMI uses a Unix-domain datagram socket to receive SMF records from any sftp or sftp-server job. One option would be to grant this job BPX.SMF access and delegate SMF recording to it. This would require, however, that a job be running all of the time to run this program.