Follow-up and resolution.

We found it.  “stupid sysprog trick”.  I was missing a line in my TCPIP PROFILE 
member telling it to reserve port 443 for z/OSMF on our test LPAR.  I looked at 
that member in production, even running compares against the one being used for 
test, about a half dozen times and missed it every time.  One of my colleagues 
finally spotted the missing line.  

Thanks,

Rex
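The missing reservation was overlooked in about half a dozen manual compares of the two PROFILE members, so the following is an added example (not part of the original thread) of a script that extracts PORT reservations from two profile texts and lists the ones absent from the second. The sample profiles are constructed; only the job name IZUSVR1 and port 443 come from the thread, and the parser assumes the usual `port protocol jobname` entry layout with `;` comments.

```python
def port_reservations(profile_text):
    """Return {(port, protocol): jobname} from PORT statements in a TCPIP PROFILE."""
    reserved, in_port = {}, False
    for raw in profile_text.splitlines():
        tokens = raw.split(";", 1)[0].split()      # ';' starts a comment
        if not tokens:
            continue
        if tokens[0].upper() == "PORT":            # entries may follow on this line
            in_port, tokens = True, tokens[1:]
            if not tokens:
                continue
        if (in_port and len(tokens) >= 3 and tokens[0].isdigit()
                and tokens[1].upper() in ("TCP", "UDP")):
            reserved[(int(tokens[0]), tokens[1].upper())] = tokens[2].upper()
        else:
            in_port = False                        # another statement ends the PORT block
    return reserved


def missing_reservations(reference, candidate):
    """Reservations present in `reference` but absent or different in `candidate`."""
    ref, cand = port_reservations(reference), port_reservations(candidate)
    return sorted((port, proto, job) for (port, proto), job in ref.items()
                  if cand.get((port, proto)) != job)


# Constructed sample profiles (not the poster's real members).
PROD_PROFILE = """\
PORT
     23 TCP TN3270
    443 TCP IZUSVR1     ; z/OSMF
TCPCONFIG RESTRICTLOWPORTS
"""

TEST_PROFILE = """\
PORT
     23 TCP TN3270
TCPCONFIG RESTRICTLOWPORTS
"""

if __name__ == "__main__":
    for port, proto, job in missing_reservations(PROD_PROFILE, TEST_PROFILE):
        print(f"missing in test profile: {port} {proto} {job}")
```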

-----Original Message-----
From: Pommier, Rex 
Sent: Wednesday, March 27, 2024 10:02 AM
To: 'IBM Mainframe Discussion List' <IBM-MAIN@LISTSERV.UA.EDU>
Subject: RE: [EXTERNAL] Re: security fun with z/OSMF install - can't get there

Hi Michael,

I'm not following you on this one.  SANs?  In my vocabulary SAN is storage and 
we don't run a SAN for our mainframe disk.  Direct attach, 2 LPARs on the same 
physical CEC, 1 DS8910F storage direct attached, and shared chpids for both the 
disk and OSA.  

I did find this - which I didn't see yesterday that is probably my problem but 
I can't see what I need to change to fix it:

CWWKO0221E: TCP Channel defaultHttpEndpoint-ssl initialization did not succeed. 
 
   The socket bind did not succeed for host * and port 443.  The port might 
already be in use.
   Exception Message: EDC5111I Permission denied. (errno2=0x744C7246)  

I do a netstat on port 443 and get this:

D TCPIP,TCPIP,NETSTAT,ALLCON,PORT=443                                    
EZZ2500I NETSTAT CS V2R4 TCPIP 496                                       
USER ID  CONN     LOCAL SOCKET           FOREIGN SOCKET         STATE    
0 OF 0 RECORDS DISPLAYED                                                 
END OF THE REPORT                                                        

Over on the production LPAR I see that IZUSVR1 is bound to port 443.  

Within the z/OSMF active config file I see this on the non-working one:
IZU_APPSERVER_HOSTNAME=TSTJES2.MNLIFE.COM       
IZU_JWKS_HOSTNAME=TSTJES2.MNLIFE.COM            
IZU_HTTP_SSL_PORT=443                           
IZU_HTTP_PORT=-1                                

TCPIP.DATA has my HOSTNAME TSTJES2 and both TSTJES2 and TSTJES2.MNLIFE.COM 
correctly resolve to the test LPAR IP address.

Over on the working one I do the same netstat and see the bind:

D TCPIP,TCPIP,NETSTAT,ALLCON,PORT=443                                     
EZZ2500I NETSTAT CS V2R4 TCPIP 600                                        
USER ID  CONN     LOCAL SOCKET           FOREIGN SOCKET         STATE     
IZUSVR1  0004A344 172.16.128.14..443     10.53.240.151..34554   ESTBLSH   
IZUSVR1  000492CB 0.0.0.0..443           0.0.0.0..0             LISTEN    
2 OF 2 RECORDS DISPLAYED                                                  
END OF THE REPORT                                                         

In active config:
IZU_APPSERVER_HOSTNAME=MVSJES2.MNLIFE.COM   
IZU_JWKS_HOSTNAME=MVSJES2.MNLIFE.COM        
IZU_HTTP_SSL_PORT=443                       
IZU_HTTP_PORT=-1                            

TCPIP.DATA on working one has HOSTNAME MVSJES2 and everything resolves 
correctly.  

Thoughts/ideas?  

I'm chasing a couple other links people sent me.

Rex

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Michael Babcock
Sent: Tuesday, March 26, 2024 9:23 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: security fun with z/OSMF install - can't get there

Also, if you cloned prod and changed the IP address and/or domain name, I would 
check the certs.  Do the certs match the SANs?

On Tue, Mar 26, 2024 at 9:16 PM Michael Babcock <bigironp...@gmail.com>
wrote:

> Does this help?
>
>
> https://urldefense.com/v3/__https://kinsta.com/knowledgebase/pr-end-of-file-error/*what-causes-the-pr_end_of_file_error__;Iw!!KjMRP1Ixj6eLE0Fj!oaOvtuzKsu_CrFeLcgyUKF_gNSfdjsYOIW2qhL0UuZh7RZ70fpwMbhZmzveK6QkZRvMnI2nXVMundFuGm1tmuiOd81fQsKoWqjD1$
>
>
> On Tue, Mar 26, 2024 at 6:28 PM Pommier, Rex <rpomm...@sfgmembers.com>
> wrote:
>
>> Hi List,
>>
>> We are attempting our first foray into getting z/OSMF up and running.
>> Scenario is we're backleveled maintenance-wise on our 2.4 system.  We 
>> ran the security configuration setup etc and got z/OSMF up and 
>> running on the production LPAR we are planning on running it from.
>> However when we started to load z/OS 3.1 we ran into a problem with 
>> missing PTFs.  Got one set of PTFs installed and after adding a 
>> local_override.cfg file into the configuration directory we got 
>> z/OSMF up and running again and past that hurdle.  We hit the next 
>> one requiring a dozen more PTFs to bypass it.  We decided to move the 
>> install to our sandbox just to get z/OSMF working to the point we can 
>> use it to get our 3.1 software install back on track.  I ran 
>> disk-level flashcopy copies of my entire production LPAR to the 
>> sandbox, made the required changes (IP addresses etc) to get the 
>> sandbox up and running.  Started z/OSMF and it comes up with no 
>> errors or warnings (except the one telling me I'm using the local override 
>> file).  However, when I try to get to the web server I get a "secure 
>> connection failure" with "PR_END_OF_FILE_ERROR" trying to connect 
>> with Firefox and "172.16.128.108 unexpectedly closed the connection" 
>> using Chrome.  Security (RACF) is identical to what it is on the 
>> production LPAR.  z/OSMF config is identical as well.  Does anybody 
>> have any idea what I'm missing?
>>
>> TIA,
>>
>> Rex
>>
>> ---------------------------------------------------------------------
>> - The information contained in this message is confidential, 
>> protected from disclosure and may be legally privileged. If the 
>> reader of this message is not the intended recipient or an employee 
>> or agent responsible for delivering this message to the intended 
>> recipient, you are hereby notified that any disclosure, distribution, 
>> copying, or any action taken or action omitted in reliance on it, is 
>> strictly prohibited and may be unlawful. If you have received this 
>> communication in error, please notify us immediately by replying to 
>> this message and destroy the material in its entirety, whether in 
>> electronic or hard copy format. Thank you.
>>
>>
>> ---------------------------------------------------------------------
>> - For IBM-MAIN subscribe / signoff / archive access instructions, 
>> send email to lists...@listserv.ua.edu with the message: INFO 
>> IBM-MAIN
>>
>
