APF-authorized libraries
APF-authorized programs must reside in the link pack area (pageable
LPA, modified LPA, fixed LPA, dynamic LPA) or in an authorized library:
- SYS1.LINKLIB
- SYS1.SVCLIB
- Another library in the linklist (depending on the LNKAUTH= parameter in your PARMLIB members)
- Another authorized library specified by your installation.
The LNKLSTxx parmlib member indicates the libraries that are to be concatenated to SYS1.LINKLIB. The libraries in the LNKLST concatenation are considered authorized unless the system programmer specifies LNKAUTH=APFTAB in the IEASYSxx parameter list. If the system accesses the libraries in the LNKLST concatenation through JOBLIB or STEPLIB DD statements, the system does not consider those libraries authorized unless you enter the library names in the APF list using one of the methods described in APF-authorized library list. For more information about the LNKLSTxx parmlib member, see z/OS MVS Initialization and Tuning Reference.
If a load module resides in the link pack area or in an authorized
library, an authorized program can load the module. To help avoid
integrity exposures, do not duplicate module names across the link
pack area or the authorized libraries.
Note:
- If a JCL DD statement concatenates an authorized library in any order with an unauthorized library, the entire set of concatenated libraries is treated as unauthorized.
- SYS1.LPALIB and other libraries that contribute to the link pack area (pageable LPA, modified LPA, fixed LPA, dynamic LPA) are treated as authorized when the system places modules into the link pack area. You should protect those libraries as you would protect any APF-authorized library. When accessed via a tasklib DCB, or via a STEPLIB or JOBLIB DD statement, these libraries are considered authorized only if you have specified them in the APF list.