Re: Creating a Second IP Stack
On Tuesday, 03/08/2011 at 02:51 EST, Kris Buelens kris.buel...@gmail.com wrote: An OSA ICC is great, but costs real money: the price of that OSA card, it will be dedicated to its OSA ICC function. To clarify, except for 10 Gb ethernet, all OSA cards have two chpids. You assign ICC on a per-chpid basis. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: Different data from CCW DATA READ as guest or native.
On Tuesday, 03/08/2011 at 11:50 EST, Tom Huegel tehue...@gmail.com wrote: I see this descrepency between TPF native and TPF as a z/VM guest. Has anyone else seen this behavior? Is there any explaination? I have searched high and low, but can't find an answer. TPF as z/VM guest: 3990E933 900CDA00 FEF62032 16A8000F TPF Native LPAR: 3990EC33 900CD800 F0F62032 16A8000F What you are seeing is z/VM's simulation of a 3990 control unit mode when (1) A 2105 or 2107 storage controller is being used, and (2) The guest OS has not indicated that it understands 2105 or 2107 CU mode. Under those conditions, CP will simulate a 3990 in enhanced operation mode. It's the same thing the 2105/2107 does. I think the only difference is the length of path status on a PERFORM SUBSYSTEM FUNCTION: READ SUBSYSTEM DATA operation, the output of which is irrelevant to 2105/2107s anyway. Is this an academic question as a result of late-night studying of responses to CCWs? Or is there an issue? :-) Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: Sending files to JES
On Tuesday, 03/08/2011 at 02:00 EST, Shumate, Scott scshum...@bbandt.com wrote: That works great. Now I'm running into a new problem. The file I'm sending is too big. I get the following message. DMSPUN044E Record exceeds allowable maximum Any ideas how I can get around this? If you're sending to a TSO user, just SENDFILE fn ft TO user AT mvsnode. It gets packaged up in NETDATA format. If you're submitting a job, then you're limited to 80 bytes. If you are doing printing, then you need to use the PRINT command and a virtual printer (1403, 3800, or AFP). Tell us more about what you're trying to do. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: Different data from CCW DATA READ as guest or native.
On Tuesday, 03/08/2011 at 02:42 EST, Tom Huegel tehue...@gmail.com wrote: It is an issue -when tpf sees an 3990EC ? is sees the volume as a control unit that supports TPF record cache. When it sees the volume as 3990E9, TPF marks the control unit as not supporting record cache and several tpf functions are then not available. Please contact the Support Center. CP may need to be sensitive to the TPF Mode state before choosing the CU type. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: Is Inter-CP Quiesce time counted as CPU time?
On Tuesday, 03/08/2011 at 06:14 EST, Gary M. Dennis gary.den...@mantissa.com wrote: If a z/VM guest partially or completely purges the TLB on a z10 or z196, is the time required to quiesce CPs to coordinate the requested purge counted toward total CPU time for the guest requesting the purge? If so does the guest requesting the purge get tagged for all the CPU time required to coordinate purge operations across all CPs for the z/VM or is the time apportioned by CP to the specific guest active on each CP at the time the purge was requested? If the time isn?t counted toward CPU time for the guest requesting the purge, how is that allocated? When a guest causes that to happen, the the instruction that triggered it will be victimized by it as well. That means the instruction takes longer. Likewise, all the other CPUs within the LPAR will serialize and the instructions they are running take longer. So everyone else is penalized. The bottom line is that the CPU timer does not stop ticking just because the TLB has been purged. Instructions running in other LPARs are not affected since they don't access the same blocks of memory. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: Creating a Second IP Stack
On Tuesday, 03/08/2011 at 01:27 EST, Ron Schmiedge ron.schmie...@gmail.com wrote: Also risking the wrath of Chuckie, I can tell you what the person on IBMLink told me when I opened an ETR for this same request: I added my second stack to SYSTEM DTCPARMS: :nick.TCPIP2 :type.server :class.stack :attach.0C00-0C01 Good. I created a TCPIP2 TCPIP file, which only does TN3270. It only has port 23 open and it has its own DEVICE and LINK for the non-QDIO port pair C00-C01 from our OSA-E, its own HOME address, but same mask and gateway handed down from the mount by the Network Gods. Good. I created a TCPIP2 DATA file on 592 with the TCPIPUSERID set to TCPIP2. OK, but it's just taking up space since there is nothing to tell the socket functions to read TCPIP2 DATA. Perhaps your TCPRUNXT is copying TCPIP DATA to the A-disk, overriding values with information from TCPIP2 DATA? And its been running that way for a couple of years. I do use the TCP TCPIP2 option on NETSTAT commands. The TCP operand overrides what is found in TCPIP DATA. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: Change OSA cards
On Monday, 03/07/2011 at 01:27 EST, Steve Harman steve.har...@mutualofomaha.com wrote: I'm missing something about the CONTROLLER. When I tried to remove the o ld OSA from VSWITCH1, I got this error set vswitch vswitch1 rdev 2708 HCPSWU2830I VSWITCH SYSTEM VSWITCH1 status is ready. HCPSWU2830I DTCVSW2 is VSWITCH controller for device 1E08.P00. HCPSWS2799E VSWITCH change is not allowed. : Do I need to make DTCVSW2 the controller for 2708? Over the years, I have come to dislike the generic use of HCP2830I to imply things about the state of the VSWITCH and its transparent view of the internal workings of CP. HCP2799E indicates the VSWITCH is not in a state that allows the device to be changed. The state, per HCP2830I, is ready. Not very informative. The point of the messages is that the VSWITCH is operating with an active OSA and you tried to take it away. If memory serves, you can SET VSWITCH DISCONNECT to deactivate the OSA, then SET VSWITCH RDEV 2708 CONNECT to add 2708 and start traffic flowing. (I don't think SET VSWITCH RDEV NONE is required.) OSA management with link aggregation port groups is much easier - you just add and delete OSAs from the group. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: RACFVM: ICH520I
On Monday, 03/07/2011 at 11:10 EST, Alain Benveniste a.benveni...@free.fr wrote: ICH520I RACF x IS ACTIVE. Explanation: RACF release x has been successfully initialized. I removed xautolog autolog2 from raciplxi and I asked VM:Operator to autolog VMSERV* users prior to xautolog autolog2 when the message ICH520I is met. I got a HCP6525E External Security Manager is unavailable. ICH520I seems to lie ! :) It is in there so that we can catch people trying to cheat RACF and AUTOLOG2. The only virtual machines that are permitted to start prior to RACF are the SYSTEM_USERIDs from SYSTEM CONFIG (e.g. OPEREREP, OPERATOR, etc.). They run with their CP-given permissions until RACF is up. AUTOLOG2 should start VM:Operator, which can then bring up the rest of the system. If you want something a little cleaner: 1. Put SYSTEM_USERIDS STARTUP RACFVM in SYSTEM CONFIG 2. Change RACIPLXI EXEC to autolog AUTOLOG1. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: Creating a Second IP Stack
1. You are wise in your fear. 2. You are correct in all your suppositions. When I set up an alternate stack, I use TCPRUNXT or the :exit. tag to copy TCPIP DATA from 198 to the 191 with appropriate changes. Regards, Alan Altmark IBM Lab Services - Sent from my BlackBerry Handheld.
Re: VM/CMS Training Material
On Tuesday, 03/01/2011 at 10:39 EST, Sherry Everhart severh...@maccnet.com wrote: /* 5798-DWW (C) Copyright IBM 1985 /* Licensed Material - Program Property of IBM : Is this something I'm allowed to share? I don't want to get in trouble with IBM. Self Teach was withdrawn from marketing in 1994. No, you cannot share it unless you receive written permission from IBM. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: zLinux OS disk read-only
On Tuesday, 03/01/2011 at 04:40 EST, Perez, Steve S sspe...@corelogic.com wrote: I issued a LINK RR against it and did a Q LINKS and it shows no other link access to that disk. Would it be possible that when we paused PPRC and suspended Global Mirror on the z/OS LPAR (shared volumes between all LPARS) that it may have accessed the dasd the minidisk is on in write mode and caused the access mode on the z/VM LPAR to go into a READ-MODE? Is that probable? If someone played with the PPRC definitions, they could have reversed the primary/secondary relationship, making your volumes the secondaries. You can't write to a secondary. But I would certainly have expected messages on the operator's console if that happened. If this happened, then you break someone's fingers. GDPS breaks and restores PPRC connections only in synchronization with various flavors of CP HYPERSWAP commands. Humans or other solutions are expected to do the same. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: Source for LP3820?
On Friday, 02/25/2011 at 11:57 EST, David Boyes dbo...@sinenomine.net wrote: Does anyone have source code for LP3820? If it's the same LP3820 that we have in IBM, the original was available externally via the OS/2 Developer's Connection. When I'm next in my office I'll check it out - I have the companion set of OS/2 Developer's Connection CDs - to see if the source is there. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: Need advice on moving a Linux guest from one z/VM LPAR to another
On Friday, 02/25/2011 at 10:55 EST, Michael Forte/Poughkeepsie/IBM@IBMUS wrote: Hi members of the outstanding z/VM community! I need advice or a pointer to documentation (if available? presentations, official publications, Redbooks...) on how to move a Linux guest from one z/VM LPAR to another. Now, I know this could probably be pieced together from an assortment of z/VM product documentation or multiple Redbooks, but I am hoping someone in this community has done this before. Even a set of high-level steps would prove invaluable. Does anyone have any insight? Hello, Michael. As David suggests, your question is rather vague. In general, moving a guest from on z/VM instance to another is matter of: - Moving the guest's data - Moving the virtual machine definition (directory entry) - Making location-sensitive changes to either of those Location-sensitive items include: - MAC address - IP configuration: addys, masks, gateways (whether static or via DHCP) - Related DNS updates - WWPNs - Real device addresses - DASD volsers in USER DIRECT - Considerations for volser naming convention in new location - Other changes in USER DIRECT that are related to the machine you're running on (e.g. number of virt. CPUs) It's mechanically simple, but it may be tedious depending on how far away from home the guest is moving and whether there is some sort of congruent system configuration at the destination. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: IPL with FN=
On Friday, 02/25/2011 at 02:50 EST, George Henke/NYLIC george_he...@newyorklife.com wrote: What is the proper way to IPL with FN= to override a SYSTEM CONFIG filename on CF1? 1. IPL the system with the loadparm set to the address of a 3270 (e.g. OSA-ICC) or SYSG to use integrated 3270 console 2. Put FN=filename on the SAPL screen. See Chapter 4 of the CP Planning book for examples. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: DFSMS and zVM
On Friday, 02/25/2011 at 05:17 EST, Carlos Bodra - Pessoal cbo...@terra.com.br wrote: I was checking how z/vm 5.4 supports 3592-E05 (TS1120) installed into a library 3577-L5U. I have a 3592-C06 ficon attachment to connect z10 to tape drive. I can load, write, read and unload cartridge using 3577-L5U operator panel. I was unable to find out how to tell to z/vm to pick up cartridge into slot, move it to drive 1 (for example) or how to automate process to return cartridge from tape drive to slot after operation (read/write) was finished. Cartridge unload, but I need to use operator panel to move it from drive to slot library. VM doesn't tell the tape drive anything. A tape management application like IBM Tape Manager for z/VM does. If you don't have one, then you write your own by setting up DFSMS RMS and calling the provided CSL routines to manage the drive or by using the DFSMSRM commands. See Chapters 6 and 7 of the DFSMS Removable Media Services book. Also, make sure you are up to date on service. DFSMS hasn't been refreshed in a looong time, so all newer device support has been delivered via PTF. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: VM/SES and RSU
On Thursday, 02/24/2011 at 04:26 EST, Hughes, Jim jim.hug...@doit.nh.gov wrote: I just want to list the contents of the RSU. As someone else previously posted, the contents of the RSU on the web. Go to http://www.vm.ibm.com/service/rsu/. Click on the widget in the RSU column and you will get the list of SERVICE LEVELs contained within that RSU. If you instead click on one of the items in the RSU content column, you will find out what PTFs are on that RSU. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: XEDIT to display Euro
On Wednesday, 02/23/2011 at 09:00 EST, Frank M. Ramaekers framaek...@ailife.com wrote: Is there a way to get XEdit to display the euro symbol? (PC: x?80? Alt-0128 ?, EBCDIC: x?20?) It appears to change this character to the double-quote (?), as it does for undisplayable characters. In EBCDIC, 0x00-0x3F are reserved for device control. Ergo, since the euro is a displayable character, its EBCDIC value cannot be 0x40. So what is its value? That depends on the code page. The following code pages contain the euro. The parent code page is shown along with the hex value of the euro glyph in that code page. NewOld Value 924 1047 0x9F 1140 037 0x9F 1141 273 0x9F 1142 277 0x5A 1143 278 0x5A 1144 280 0x9F 1145 284 0x9F 1146 285 0x9F 1147 297 0x9F 1148 500 0x9F 1149 871 0x9F 1153 870 0x9F 1154 1025 0xE1 Code page 924 is not really an offspring of 1047. It is the EBCDIC version of ISO 8859-15; there are a couple of other differences from code page 1047. It is the one I use. It quickly broke my bad habit of using the EBCDIC NOT symbol in my programs. :-) When you upload files with FTP, you need to be very careful about code pages. The default translation table in z/VM is STANDARD, a 7-bit non-reversible table. As such its use is limited to the base character set. If you have your 3270 emulator set to code page 924 and you are using Western Windows (code page 1252), then any text-mode FTP should specify site xlate 09241252. If you're on Linux, the code page is probably 819 (ISO 8859-1). In that case you would use site xlate 09240819. See the Using Translation Tables chapter of the z/VM TCP/IP User's Guide for more information. You may also find http://www.vm.ibm.com/euro/TCPIP.html historically useful. But since you have EBCDIC 0x20, you didn't use STANDARD. You used 00371252. The euro is not defined in code page 37, so that translation table stores the euro as 0x20. Alan Altmark z/VM and Linux on System z Consultant and Code Page Guy IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: 2nd level z/VM 5.4 installation
On Wednesday, 02/23/2011 at 11:56 EST, Sherry Everhart severh...@maccnet.com wrote: Syntax has been corrected. THANKS, Alan. But it's still not working for me. With the userid and password the network folks gave me, I am already in the cpdvd directory on the FTP Server, where all the files I'm supposed to copy reside. So I figured I could omit the -d parameter (right?): pipe ftpget -h xxx.xx.x.xx -u x -p x -v BEF -DVDEOF -f CKD222 * |UNPACK| ECKDREST DMSRXS1408W File TCPIP DATA * not found EXPECTED RESPONSE '125' BUT GOT 550 CKD22200: Access is denied. INSTEAD. FTPGET FAILED WITH RC=-120 Ready(-0120); Hmmmsee that -f CKD222 *? That should be -f CKD222* (no space). If I include the -d parameter: pipe ftpget -h xxx.xx.x.xx -u x -p x -d -v BEF -DVDEOF -f CKD222* |UNPACK| ECKDREST UNRECOGNIZED OPTION: BEF FTPGET FAILED WITH RC=-101 Ready(-0101); FTPGET sees -d directoryname, so -v is the directory name. What am I doing wrong?? Specify the -debug option to see what's happening in more detail. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: 2nd level z/VM 5.4 installation
On Wednesday, 02/23/2011 at 12:45 EST, Crabtree, Anne D anne.d.crabt...@wv.gov wrote: I haven't seen previous posts, but did you link to TCPMAINT 592? All that will do is make the warning about TCPIP DATA go away. Since Sherry isn't depending on any non-default values from TCPIP DATA, its absence isn't an issue. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: Changing TCPIP PROFILE EXEC
On Wednesday, 02/23/2011 at 11:09 EST, George Henke/NYLIC george_he...@newyorklife.com wrote: Alan: I have moved the COMMAND statements to the top before the INCLUDE TCPCMSU which has DEV type statements like SPOOL, CONSOLE, LINK and it IPLs CMS. Hopefully this is correct now. DIRECTXA is the final arbiter of what's valid. What's-his-name thinks he's so smart, but he's not. Not really. He's old and feeble. But the SYSTEM DTCPARMS is on TCPMAINT's 191 not 198 which is empty. Doesn't do anyone any good there; the servers don't access TCPMAINT's 191. At install time, I think you didn't perform the step 6.2.3.2.45.1253 (in the tcp/ip program directory) that populates the 198 with samples, and you didn't use the IP Wizard, which would have placed files on the 592 and the 198. Also IBM DTCPARMS is named IBMN DTCPARMS on TCPMAINT's 191: Since (a) it's on the wrong disk, and (2) it has the wrong name, it just means nothing is never ever going to read it, so it's just e-trash. IBM DTCPARMS lives on TCPMAINT 591, safe and sound, where there is a sign hanging on the door that says Warning: Shock hazard. No user serviceable parts inside. MAINTFILELIST A0 V 169 Trunc=169 Size=10 Line=1 Col=1 Alt=0 Cmd Filename Filetype Fm Format LreclRecords Blocks Date Time MPROUTE CONFIG T1 F 80 47 1 10/09/09 15:31:10 MPROUTES CONFIG T1 F 80 59 2 10/06/09 11:28:10 MPROUTE CONFOLD T1 F 80 58 2 8/19/09 11:13:31 PROFILE EXEC T2 V 73 54 1 8/04/09 12:04:18 MPROUTEX CONFIG T1 F 80 28 1 7/29/09 12:03:46 MPROUTEO CONFIG T1 F 80472 10 1/23/09 16:33:35 XCONFIG T1 F 80 20 1 1/23/09 14:52:04 SYSTEM DTCPARMS T1 F 80359 8 1/23/09 14:41:15 IBMN DTCPARMS T1 V 73359 4 1/15/09 14:24:33 TCPIPO DATA T1 V 73474 5 1/15/09 12:31:27 Hope this does not bring Chuckie out. You're killing me, George. You're just killing me. Someone bring me my pills. There's nothing like having copies of config files on your own A-disk (TCPIP DATA is a good one) so that everything works fine for you, but aeu418dk not for anyone else fdsflkjaDSLGwdo not attempt to adjust your televisioncdLJHgurglefa9ujn At one installation I saw evidence of what appeared to be human remains (cleaned up with bleach before DNA evidence could be collected), where someone tried to alter TCPIP's PROFILE EXEC or the IBM DTCPARMS file on the 591. It was never explained to my satisfaction. There was another case where someone copied the entire contents of IBM DTCPARMS onto SYSTEM DTCPARMS on the 198, apparently thinking to outfox the system. The individual has not been seen for 3 weeks now. But go ahead. Do what you want. Hey. It's not MY system. He Who Must Not Be Named IBM Blab Services office: 666.555.1212
Re: Changing TCPIP PROFILE EXEC
On Wednesday, 02/23/2011 at 05:11 EST, George Henke/NYLIC george_he...@newyorklife.com wrote: OSAs 9000,1,2 are changing to OSAs 9400,1,2.when we install the z196. To restore our TCPIP PROFILE EXEC to its original state we should delete all the attaches, not just the 9000,1,2 which are changing and put them all in either the TCPIP DIRECTORY entry or DTCPARMS. Or use the :Exit. tag in DTCPARMS, yes. A question came up though: Network managment here seems set on attaching the new OSAs 9400.1.2 not as old OSAs 9000,1,2 but as themselves, 9400,1,2 If we were to leave the PROFILE EXEC the way it is for now and just put the new OSA addresses 9400, 1,2 in the TCPIP DIRECTORY entry as themselves 9400, 1,2 (VADDR=RADDR) not as 9000,1,2 do you see any problem with this after the OSA 9000,1,2 address go away? You can do that, sure, but you'll need to add an extra HOME and DEVICE/LINK pair to PROFILE TCPIP in order to provide the fallback you were looking for. Since neatness counts, though, I would think it preferable to just get rid of all the attaches from the TCPIP PROFILE EXEC and put them in either TCPIP DIRECTORY or DTCPARMS. But you can still do the ATTACHes yourself in an exec. Just don't use PROFILE EXEC; use the :Exit tag or TCPRUNXT EXEC instead. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: XEDIT to display Euro
On Wednesday, 02/23/2011 at 06:34 EST, Les Koehler vmr...@tampabay.rr.com wrote: Who's Architecture reserves 00-3f hex as device control characters? I have a memory of displaying a hex table (oriented the right way) of 00-ff on my old 3279-3x. EBCDIC. Look at any green card. Origin? The old I/O adapters that talked to the peripherals used those values as device control characters. They were nearly the same on ASCII as they were on EBCDIC, and there were lots of engineering considerations about bit drift and loss of synchronization on the data set. Obviously the adapter doesn't (really) care about glyphs, it just cares about whether it is supposed to perform a control operation or just transmit data as-is. I suspect that the 3270 architecture followed along because it had to live within that structure. 3270 data streams still had to go over TELE2/BSC lines and certain bit combinations would be interpreted as control characters (ETX, ETB) even when ESC (sort of transparent mode) was in use. Reading between the lines, you begin to understand why 3270 SBA order have bizarre 12-, 14-bit, and 16-bit combinations: So that they can slip quietly thru the telecom equipment. Yawn. History aside, the 3270 Data Stream Programmer's Reference specifically states that - 0x00-0x3F are for 3270 orders - 0x41-0xFE are displayable - 0xFF is a control code. CMS knows whether you have an extended code page (i.e. not a 3277) and will use the NONDISP value to ensure your data streams don't interfere with CP and CMS. A few tricks are allowed (like Start Field with highlighting) since CP is always watching. XEDIT knows the above rules and will obey. Certain control characters (like TAB, 0x05) will be interpreted by XEDIT for you; others will be NONDISPed. Similar rules apply to CP and 3215 I/O. (Ha! You didn't know NONDISP was a verb, did you?) Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: Z/vm 5.4 on z890 and migrated to z10 problem
On Tuesday, 02/22/2011 at 12:56 EST, Hughes, Jim jim.hug...@doit.nh.gov wrote: We moved our z/VM 5.4 system from a z890 to a z10. Everything on the z890 was running well. The Multiple SSL Server Support was working too. Once we moved to the z10 by doing a cable swap, the Multiple Server Support for our SSL connections failed to operate. The SSL worker machines were getting 0C1 abends. In the interest of time, we modified things to avoid using SSL. Are there updates required to our z/VM 5.4 system when moving to a Z10 for Multiple SSL Server Support to work? Our initial investigation did not reveal any requirement. If you haven't already done so, you need to open a PMR. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: Changing TCPIP PROFILE EXEC
On Tuesday, 02/22/2011 at 04:59 EST, George Henke/NYLIC george_he...@newyorklife.com wrote: I have to change some DEV ATTACHes in our TCPIP PROFILE Exec in preparation for new OSA ADDRs in our IODF for our new z/196. What is the best way to implement this? I suppose I can logon to TCPIP AC ( noprof and create a backup copy of the PROFILE EXEC and then change the original DEV ADDRs. Is this correct? Best Practice? Are you TRYING to bring Chuckie out of hiding?!? NEVER change TCPIP's PROFILE EXEC. Ever. Ever. Your SYSTEM DTCPARMS file supports :attach. tags to identify devices. :nick.TCPIP :attach.FE08-FE0A Also what would the fallback be in such a situation? Not sure what you mean in this case, but you can leave the TCP/IP configuration and alone and simply use DEDICATE or COMMAND ATTACH statements in TCPIP's directory entry. E.g. Let us say that your OSAs are currently at 600-602 and the new ones are at 800-802. COMMAND ATTACH 800 TO * 600 COMMAND ATTACH 801 TO * 601 COMMAND ATTACH 802 TO * 602 COMMAND ATTACH 600 TO * 600 COMMAND ATTACH 601 TO * 601 COMMAND ATTACH 602 TO * 602 In that way, the DEVICE statement in PROFILE TCPIP doesn't have to change and the above sequence will try for device 800-802, but will fall back to 600-602 if 800-802 isn't there. Not perfect. For more robust logic, you code :Exit.name-of-exec in the SYSTEM DTCPARMS entry for TCPIP and use an exec to figure out which set of devices to use, possibly based on other criteria. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: 2nd level z/VM 5.4 installation
On Tuesday, 02/22/2011 at 04:48 EST, Sherry Everhart severh...@maccnet.com wrote: pipe (stagesep !) ftpget -h xxx.xx.x.xx -u -p xxx -d /upload/cpdvd -v BEF -DVDEOF -f CKD222* !UNPACK! ECKDREST How do I tell VM to go to that directory ftpdir? I keep getting the error: FPLSCB027E Entry point -D not found FPLSCA003I ... Issued from stage 2 of pipeline 1 FPLSCA001I ... Running -d /upload/cpdvd -v BEF -DVDEOF -f CKD222* Ready(-0027); This indicates a syntax error in the PIPE. I infer that the stage separator character (!) was encountered prior to the -d, as evidenced by stage 2 of pipeline 1. Perhaps as part of user ID or password? Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: Changing TCPIP PROFILE EXEC
On Tuesday, 02/22/2011 at 06:00 EST, George Henke/NYLIC george_he...@newyorklife.com wrote: DEV 9000, 9001, 9002 are changing to 9400, 9401, 9402 Here is what I have now: TCPIP: PROFILE EXEC 'Access 198 D' 'Access 591 E' 'Access 592 F' ATT 9000 TCPIP 9000 ATT 9001 TCPIP 9001 ATT 9002 TCPIP 9002 ATT 9100 TCPIP 9100 ATT 9101 TCPIP 9101 ATT 9102 TCPIP 9102 queue EXEC TCPRUN I will pretend I didn't see that. I'm not even seeing the lack of quotes around the ATTACH commands. Not looking La la la la la la SYSTEM DTCPARMS: :nick.TCPIP :type.server :class.stack :nick.DTCVSW1 :type.server :class.stack :owner.MAINT :nick.DTCVSW2 :type.server :class.stack :owner.MAINT :nick.ROUTED:type.server :class.rip :nick.MPROUTE :type.server :class.mprout I'll assume a cut/paste error. That should be mproute. :nick.FTPSERVE :type.server :class.ftp :nick.SMTP :type.server :class.smtp Note that by putting all of those entries in SYSTEM DTCPARMS, you are effectively cancelling any entry that IBM put on the matching :type.server entry in IBM DTCPARMS. I would suggest deleting all entries except for TCPIP. At the minimum, delete the DTCVSW1 and DTCVSW2 entries. I can change the TCPIP DIRECTORY entry like so: USER TCPIP TCPIP 128M 256M ABG INCLUDE TCPCMSU OPTION QUICKDSP SVMSTAT MAXCONN 1024 DIAG98 APPLMON SHARE RELATIVE 3000 IUCV ALLOW IUCV ANY PRIORITY IUCV *CCS PRIORITY MSGLIMIT 255 IUCV *VSWITCH MSGLIMIT 65535 * CHANGE SPECIAL FROM 9104 TO 9108 PER SAM 9/30/09 SPECIAL 9108 QDIO 3 SYSTEM OSALAN LINK 5VMTCP40 491 491 RR LINK 5VMTCP40 492 492 RR LINK TCPMAINT 591 591 RR LINK TCPMAINT 592 592 RR LINK TCPMAINT 198 198 RR COMMAND ATTACH 9400 TO * 9000 COMMAND ATTACH 9401 TO * 9001 COMMAND ATTACH 9402 TO * 9002 COMMAND ATTACH 9000 TO * 9000 COMMAND ATTACH 9001 TO * 9001 COMMAND ATTACH 9002 TO * 9002 MDISK 191 3390 2258 005 540W02 MR RTCPIP WTCPIP MTCPIP Is this correct? Yes, except that COMMAND statement must be placed before any device statements. Or I can modify DTCPARMS like so: :nick.TCPIP :type.server :class.stack :attach.9400-9402 In this case you must also modify PROFILE TCPIP to change the DEVICE statement to point to 9400. You could instead :attach.9400 9000, 9401 9001, 9402 9002 If so, which would be preferable? I do not see a fallback if I modify DTCPARMS only. :attach.9400(OPT) 9000, 9401(OPT) 9001, 9402(OPT) 9002(OPT), 9000-9002(OPT) gives the same result. If you don't put OPT in there, the TCP/IP startup program won't throw an error if one of the devices if offline or the attach fails. Again, if you need more sophistication, use the :Exit. tag. Read Chapter 5 of the TCP/IP planning book for details on how to use DTCPARMS files. But OTOH the DIRECTORY method does not look as permanent. Also why *COMMAND* in the DIRECTORY entry ATTACHes? I thought that is used only in EXECs? COMMAND is a valid statement in the directory. ATTACH is not. Look in the CP Planning book. Also can I abbreviate the ATTACH to ATT 9400 * 9000? Yes, but don't. IBM has changed the abbreviations of commands. Abbreviations are for humans, not programs. Also, the DIRECTORY method has a nice fallback, but what if I corrupt the TCPIP DIRECTORY entry when making the change. What is my fallback? VTAM? VTAM? In general, no, since few systems have VTAM (and it isn't licensed on IFLs). OSA-ICC connections (preferred) or the integrated 3270 console are how you access the system in case of TCPIP death. In extreme cases, the linemode integrated console can be used. If you need to repair TCP/IP in this mode, learn to use the ifconfig commands rather than XEDIT. It's easier than using a linemode editor. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: 2nd level z/VM 5.4 installation
On Thursday, 02/17/2011 at 02:37 EST, Sherry Everhart severh...@maccnet.com wrote: I need some clarification. I'm trying to figure out how to use DVDs to install z/VM 5.4 under z/VM 5.2. In Chapter 4, Plan Your DVD Installation, in the Guide for Automated Installation and Service, under Installation methods, Second-level Installation, one of the User ID requirements is: If installing from a VM minidisk, access to a CMS-formatted minidisk that is the equivalent of at least 4500 3390 cylinders. Our 3390-3 volumes have only 3,339 cylinders on them. What am I missing here? That is a bit confusing, isn't it? It means that if you want to do an FTP install (annoyingly, yet understandably, documented as a subset of the DVD install) AND you want to use the VM FTP server, THEN you will need the equivalent of 4500 cylinders to contain the contents of the DVD. If you're actually installing from some other FTP server, then you follow the 3GB guideline. Of course, you can always use SFS to hold the DVD contents (not a DVD .iso image!) since it aggregates multiple minidisks into a single filepool. Follow the instructions for uploading the DVD contents via FTP, but CD VMSYSU:MAINT.VM54 (for example, assuming you have done all the SFS admin things needed to make that happen.) It's often hard to ferret out whether DVD refers to the physical media, the DVD contents, or the HMC Load from DVD/FTP-related functions. But it's easy once you know how! :-) Reader's Comment Forms are always welcomed. (E-mail your comments to mhvr...@us.ibm.com) Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: 2nd level z/VM 5.4 installation
On Thursday, 02/17/2011 at 04:15 EST, Sherry Everhart severh...@maccnet.com wrote: Frank, no, we don't have TCP/IP running on 1st level VM. (At least I don't think so!) And I don't understand the Filepool method that Alan spoke of either. Sorry, Alan, but mostly when you tell me things it all sounds a bit like when Charlie Brown's teacher talks (Good grief... :)) And Dennis, I don't know how to get 4500 cylinders from a 3390-3 disk, so that I can copy all the files on the dvds to a VM minidisk, which leads me back to my first posting. If you have a DVD, there are 5 ways to use it: 1. IPL it 1st level via the HMC. 2. Load its contents to an FTP server and IPL 1st level from the HMC 3. Load its contents to an FTP server and do a 2nd-level install. 4. Load its contents to a minidisk of at least 4500 cylinders and do a 2nd level install. 5. Use it as a Frisbee(R) and annoy the people around you. And just so we're clear, the IBM Board of Directors recommends AGAINST #5 and is not supported. For 2nd level install, you have two choices: 3 or 4. If you don't have 4500 contiguous cylinders available, then #3 is your only choice. To make it work, you must enable TCP/IP on your 1st level system so that files can be transferred. If you haven't done that, go look at the IPWIZARD references in the Automated Installation book. In the above FTP scenarios, the load its contents is an abstract term that could mean copy the files from DVD to disk, mount an .iso image as a directory or a drive, or access the DVD directly. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: DEVICES stmt in SYSTEM CONFIG
On Thursday, 02/17/2011 at 03:18 EST, Schuh, Richard rsc...@visa.com wrote: You specify the filename of the desired CONFIG file in a provided space. On SAPL: fn=filename On the LOADPARM: FNxx (yep, limited to 6 chars in filename) Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: DEVICES stmt in SYSTEM CONFIG
On Thursday, 02/17/2011 at 05:48 EST, Mike Walter mike.wal...@aonhewitt.com wrote: If you're reading this and are new to z/VM, take one thing away... build a stable (tested and rarely changed) 1-pack z/VM recovery system. It could save your job one day (or dark night). The truly paranoid keep a .iso copy of the DVD in each location (or burn extra physical copies and keep it with your emergency ops manual). The ramdisk-based installation system can be used to repair other systems. It will run even if nothing else will. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
Re: Watson
On Wednesday, 02/16/2011 at 09:36 EST, Tom Huegel tehue...@gmail.com wrote: Jeopardy is on at 3:30pm CST today, I think it is Watson's last day. Maybe for an encore they could have Watson play chess against DeepBlue. Port both Watson and DeepBlue to a virtualized z-platform and he could play against himself. C'mon, guys. Virtualization? Really? A system like Watson would be searching, collating, indexing, and evaluating 24 x 7 x 365, with full data-in-memory. I don't think it's really suitable for virtualization. And once you go discrete, then System p is a fantastic choice. (Go back and look at how many CPUs are being used.) The point of having multiple Watsons is well-taken, however. As soon as Watson has digested all the design information and the latest info on AI design, perhaps he will be able to diagnose his own defects and make design change suggestions. watson quiesce READY fixget aq405j96 DOWNLOADING FIX AQ405J96... DOWNLOAD COMPLETE. APPLY FIX AQ405J96? yeah PLEASE REPLY 'YES' OR 'NO' y PLEASE REPLY 'YES' OR 'NO' yes APPLYING FIX AQ405J69 FIX AQ405J69 APPLIED REBOOT REQUIRED REBOOT NOW? yes RESTARTING [screen clears...cursor blinks] AIX V5.4 Hello, Tom. A few milliseconds ago, while I was studying old movies about computers, I learned a new song. If you'd like to hear it, I can sing it for you. Yes, today is supposed to be the normal game without the Watson Exposition stuff. BTW, Jeopardy! (with exclamation point, please) is a syndicated program that is purchased by your local station and then aired whenever they like. As they say, check your local listings. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: z/VM 6.2 release date?
On Tuesday, 02/15/2011 at 11:01 EST, Tom Huegel tehue...@gmail.com wrote: Has anyone heard of a release date for 6.2? If you follow the 18 month (between releases) scenario April would be the target month. Past fund performance is not a guarantee of future earnings. The only thing IBM has been talking about is the Statement of Direction for Single System Image and Live Guest Relocation, and no date has been given for the availability of those functions. Since there has been no announcement, you can safely infer that availability is not imminent. (And I recommend that you don't come to SHARE with an expectation of an announcement.) Until there is a VMnext product announcement, there's nothing much else to say. Folks who attend John Franciscovich's presentation on SSI/LGR at SHARE can try to make him reveal what he knows. Just surround him and poke him with sharp sticks. See if he'll squeal. ;-) Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Watson
On Tuesday, 02/15/2011 at 05:26 EST, Dave Jones d...@vsoft-software.com wrote: Does Watson use voice recognition? I was under the impression that the questions are made available to him (it?, them?) in a computer readable format. No. He receives a text message at the same time (FVVO same, I suppose) as the contestants see it. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Closing console (and other o/p UR devices) at midnight or other times.
On Friday, 02/11/2011 at 03:10 EST, Martin Zimelis martin.zime...@gmail.com wrote: David's comment is a perfect example of the reason Rich is exactly right: The requirement should specify the effect you want, not the method of implementation. And don't forget to include the business case for the enhancement in the requirement. I don't mean to rain on anyone's parade, but given that IBM already solved the essence of this problem with IBM Operations Manager for z/VM (OM), there is no business case I can think of that would make this happen. Making such a change in CP would increase the investment in z/VM (with no increase in revenue) and potentially decrease the revenue from OM. Now, I can certainly think of some requirements for Operations Manager to make it a better virtual machine console management system. Requirements that, if satisfied, could potentially *increase* the revenue of OM. In general, system automation is not going to be a built-in function of CP. CP's role is to provide hooks and assists to authorized virtual machines, but he's not going to do it himself. It's like asking for more ESM-like security functions in CP. Not gonna happen. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Closing console (and other o/p UR devices) at midnight or other times.
On Friday, 02/11/2011 at 04:24 EST, Mike Walter mike.wal...@aonhewitt.com wrote: See? Alan's reply is precisely why I thought it seemed prudent to run it past others for wider consideration. I suspect that there will be many new LoZ (a new Linux on System Z acronym seen recently, and MUCH less to type) customers who will not purchase IBM OM, or CA VM:Operator, but whom would benefit from this capability right out of the box (i.e. sample directory entries). Automation products can't be justified for something this small - for many other reasons, absolutely YES -- but not this. Think about that some more, Mike. Few clients have a single point of interest in automation. They want: - Monitoring and Alerting - Recovery - Provisioning - Remote operations - Housekeeping - Archiving / Backups - Compliance checking They may only implement them one at a time, but they want it all. It is the new LoZ customers who are most likely to buy complete solutions. After all, they are not steeped in the arcana and lore of z/VM, and they aren't particularly interested in delaying deployment while they learn it. Too, if they build it themselves, they have to support it themselves. The only throat to choke is their own. potentially decrease the revenue from OM Really? _Really_!!?? If the purchase of OM or any automation product was based on this feature, the case for OM must have been pretty weak in the first place. It's not, of course. It's just ONE of the features of such products. But at some point you cut too deeply and you lose the sale. It's all risk management. Sometimes you win, sometimes you lose. You just want to win as often as possible and avoid cutting your own throat. CP's role is to provide hooks and assists to authorized virtual machines, but he's not going to do it himself. Hmmm... adding a time-based CLOSE sounds like an assist to me. That's not an assist to another virtual machine; that's CP doing the heavy lifting. As Tom pointed out, an appropriately authorized virtual machine can sweep the system and close the consoles. But I'm not gonna invest my limited time fighting for this small improvement to benefit new LoZ customers. I thought it was pretty small, and I thought that such enhancements were part of IBM's customer satisfaction job. (Feel the knife twist right there at the end?);-) I will leave the chum in the water undisturbed, saying only that I believe a good implementation of what you ask for is not as simple as it seems. And your desire for this function has good side effects! It lets us bring things into the light that otherwise remain hidden. I think those new LoZ customers want a comprehensive system log management solution. Let's say you DO have some console logs you need. As soon as you close those consoles, you need to do something with them. What? Put them on disk? Compressed? In an organized way? What happens when that disk fills up? Erase the oldest stuff? Whine and complain, asking for assistance from the omnipresent wetware? Dump to tape? How to get the tape mounted? Is there a nice way to look at the logs? Do they need to be pulled from the archive? How are they made available to the Linux admins? What if I want the console activity forwarded to syslogd somewhere instead of recorded locally? What is deserving of an alert? Is that a Tivoli alert? An SNMP trap? What? And did I mention that I want to manage data in the accounting stream. And symptom records. And EREP records. And RACF SMF data. And and Getting all the console logs to close at 11:59 PM is easy. Keeping the system responsive during that time, maybe not quite so easy. Managing the system log streams, of which console logs are just one part, and managing them well, is even more difficult, yet has a much higher value proposition. And THAT isn't going to be done inside CP. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: z/VM 5.4; 6.1
On Wednesday, 02/09/2011 at 03:10 EST, Jakub x jszef...@gmail.com wrote: Hello, Can I install z/VM (5.4 or 6.1) on dasd 9 model 27 ? Yes. I found in documentation Only 3390 Model 3 or 9 is supported for installation of z/VM. but in another part of documentation I saw that DASD 9 including large Model 9s known as Model 27 and Model 54. It can be confusing. Technically, all of these large DASD are 3390 Model 9s. They simply have varying numbers of cylinders. Even if you define a Model 9 with 1113 cylinders, it reports itself as a Model 9, not a Model 1. It should probably say 3390 Model 9 with at least 10 017 cylinders. We use these other pseudo-model numbers as way to express the number of cylinders. A Model 57 has 57 x 1113 cylinders, the largest multiple of 1113 less than 64K. The allocation maps for spooling and paging volumes are built at installation time. The entire volume is formatted, but only the first 10 016 cylinders are allocated as SPOL or PAGE. That means the rest is PERM. I recommend that when you're done with installation, go back and reallocate those volumes so that they are entirely SPOL or PAGE. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: z/VM 5.4; 6.1
On Wednesday, 02/09/2011 at 01:52 EST, Rob van der Heij rvdh...@gmail.com wrote: On Wed, Feb 9, 2011 at 6:56 PM, Alan Altmark alan_altm...@us.ibm.com wrote: I recommend that when you're done with installation, go back and reallocate those volumes so that they are entirely SPOL or PAGE. after you're done formatting those remaining cylinders, I assume... (and if you get ICKDSF wrong, good news is that you probably still remember how the install goes) No need. According to my source, the volumes are completely formatted. It is only the allocation that stops at 10 016. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: RSCS CTCA between a first and second level system...
On Monday, 02/07/2011 at 11:15 EST, RPN01 nix.rob...@mayo.edu wrote: DMTCMY700I Activating link NPOLAR NJE line=AA20 class=* queueing=priority DMTNET141I Line AA20 ready for connection to link NPOLAR DMTNET142I Link NPOLAR line AA20 dataset ready DMTNCR916E Invalid NJE signon connection record received -- link NPOLAR is being deactivated DMTNET143I Link NPOLAR line AA20 disabled DMTMAN002I Link NPOLAR deactivated Is the remote system called NPOLAR? If not, then you need to specify the NODE parameter on the LINKDEFINE. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: RSCS CTCA between a first and second level system...
On Monday, 02/07/2011 at 11:53 EST, RPN01 nix.rob...@mayo.edu wrote: The systems are polar and npolar. DMTNCR916E Invalid NJE signon connection record received That message comes out because signon record contains - A node id that doesn't match the local system's expectation of who is at the other end - The signon record is too long (unusual) - There is a feature mismatch (unusual) - syntax errors in the signon protocol (unusual) Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: z196 lb4ul
On Tuesday, 02/01/2011 at 03:24 EST, Feller, Paul pfel...@aegonusa.com wrote: You would be using the default which is port 0 (zero). The port number really only comes into play if you have an OSA Express3 card and are connecting to the second port or what is called the A1 port on the card layout. Actually, (An) and (Bn) are LEDs. :-) The port number (Pn) is a logical number associated with a chpid. The jack number (Jn) is the physical connector number associated with the feature (FRU, card). Look in Appendix B of the OSA-Express Customer's Guide and Reference. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: z10 capacity number?
On Monday, 01/31/2011 at 03:33 EST, Hamilton, Robert rhamil...@cas.org wrote: I think you're right on that, Paul; the CPC SI line is supposed to be the output from the STSI instruction, and I think that 504 is the model capacity identifier. We run a 2096-S07 as an S04, and D M=CPU on our system gives: CPC SI= 2096.S04.IBM.02.000cpuid Model: S07 From what I've seen, z/OS will show whatever information was given in his directory entry as the CPUID, but will show the real information for those other values. As you say, you cannot change the machine type and model. The billing model for z/OS guests depends on the support by the sw vendor. When z/OS is running as a guest, the interfaces used by apps and/or SCRT to determine the capacity of the guest are adjusted by CP based on a variety of factors. Of course, if the sw is not licensed for subcapacity applications, you will have to work it out with the sw vendor, since I doubt you want to pay full model capacity charges for each guest! Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: HIPERSOCKETS Not Working
On Monday, 01/31/2011 at 03:56 EST, Brent Litster brent.lits...@zionsbancorp.com wrote: A tcpdump from the z/Linux guest shows that a ping from a z/OS LPAR does arrive from the hipersocket link however no response to the ping was sent. The HiperSocket is working just fine, as demonstrated by your TCPDUMP. It's a routing problem. It's ALWAYS a routing problem. Look at the Linux guest's routing table to see where that packet is going. Ensure that z/OS and the Linux guest are using the same subnet mask and MTU size on their HiperSocket connection. When in doubt, draw your networks on a piece of paper and label them with IP addresses and subnet masks. It will quickly become apparent if you've got your virtual wires crossed. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: portgroup with vswitch IP routing
On Monday, 01/31/2011 at 05:35 EST, Rogério Soares rogerio.soa...@gmail.com wrote: guys, i have tryed set up a vswitch on ip routing mode to use port group, but i can't i get group paramenter invalid... when i set up vswtich to ETHERNET, and make SET VSWITCH VSWSVC01 GROUP GRPSRV01 , i receive the error: HCPSWS2799E VSWITCH change is not allowed but after some seconds, the vswitch appears up and running using port group If you DEFINEd it with GROUP GRPSRV01, then you can't change (SET) the VSWITCH configuration while the group is being established. Once the port group is up, then you can change things. And it is normal (FVVO 'normal') to take a non-trivial amount of time for both OSAs to be joined into the port group. I do something wrong? to use port group the vswitch must be ETHERNET ? You just didn't wait for the port group to be established. And, yes, link aggregation (GROUP) is available only in ETHERNET (layer 2) mode. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Intelligent Mail barcode fonts for VM PSF
On Friday, 01/28/2011 at 06:32 EST, Tim O'Brien tobr...@tobe.com wrote: but it's all ONE record NOTHING generated an error message or warning about file not be correctly formatted My quick guess is that either extracted from the TSO file or the pc version of VMARC does not know how/where the lines should have been separated ... All record boundaries are lost when binary data is downloaded to a PC. The best way is to block the data on the host before you download to the PC. Then you upload/download to your heart's content using binary transfer. When all done, you reblock the data back into it's original format. That's why the AFRREBLK program is useful. The following procedure is untested: 1. Run AFRREBLK to MVS against EACH font library member you want 2. Download each member to your PC in binary 3. Use VMA to create the VMARC file containing all those members 4. Upload to VM in binary 5. PIPE BARCODES VMARC A | fblock 80 00 | BARCODES VMARC A F 80 6. VMARC UNPK BARCODES VMARC A 7. Run AFRREBLK against each of the unpacked FONTxxx files It might be simpler just to FTP MPUT all the files from your workstation to VM without creating the VMARC. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: HCPDUMP
On Thursday, 01/27/2011 at 10:01 EST, Bob Bates robert.ba...@wellsfargo.com wrote: Well that was easy. Thanks, everything is off now. No problem. We'll update the books (DRAIN, SET ABEND, SET DUMP, and anywhere else we talk about the dump files). Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: z/VM Hardware Configuration Question
On Thursday, 01/27/2011 at 04:51 EST, Sherry Everhart severh...@maccnet.com wrote: We are running five VSE guests under VM and recently experienced a hardware failure. This has led us to investigate the possibility of installing a ?spare? so that we?re not down if we have another failure in the future. Is it possible to configure an installed piece of hardware to be used (for redundancy) in case another one fails? Let?s say that I want a FICON card that is not cabled up to be available for use, without an IOCP change (i.e. POR) in case the FICON card I?m using goes bad. I need it to be available to all the same devices as the one that?s cabled and configured so that I can pull the cable off the bad and put it on the empty one. Yes and no. :-) Yes: Storage controllers have the concept of multipathing. If you run multiple FICON cables from your DS8000, say, to your CEC, then the I/O subsystem handles failures semi-transparently. (The I/O goes through, but the host is notified of loss of a path.) Yes: OSAs that are given to a VSWITCH. CP handles the failover - the guest doesn't see it. No: Things like FICON CTCs do not have multipathing. Each cable represents a unique set of addresses/subchannels. If one of the CTCs fails, it will be noticed by the OS. It is up to the OS to manage the grouping. No: Dedicated OSAs. Failover is the guest's responsibility. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: VLAN IMPLEMENTATION
On Tuesday, 01/25/2011 at 10:30 EST, Scott Rohling scott.rohl...@gmail.com wrote: I just noticed that the vlan12 device and eth0 use the same MAC address (so would seem to be the same virtual NIC).. so this setup goes out of the realm of my experience.. I've used vlan aware vswitch's before, but it was always with just eth0 on Linux and not the extra 'vlan' device. Just on the surface - I don't see how anything goes out over vlan12 - but I probably don't understand the setup well enough to give solid advice. Sorry - meant to help :) In the post, you saw just eth0 with two locally-attached subnets. That's called multinetting and always indicates a configuration error. (It was dubiously used in old hub-style, shared-media networks.) When vconfig is used to assign a VLAN to an interface, it generates a virtual interface e.g. eth0.12. Assign another VLAN and you get another eth0.vlan interface. Then you ifconfig the virtual interfaces as you would a real one. But when you do that, the guest must be authorized for PORTTYPE TRUNK and the list of VLANs. If the GRANT doesn't match the guest configuration, nothing will talk. (Just like a real switch.) Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: HCPDUMP
On Wednesday, 01/26/2011 at 04:38 EST, Bob Bates robert.ba...@wellsfargo.com wrote: Hi folks, I have been trying to get spool volumes offline. All are gone except one and it has the HCPDUMP file allocated to it (OPEN ? OPERATNS).Volume has been drained but the file got allocated before the drain happened. I?ve been trying to figure out how to close it so it will allocate to the active spool volume. Other than taking it out of the CP_OWNED list and re-ipling, is there a way to do this? CPDUMP holds hard abend dumps. SET DUMP OFF to get rid of it. HCPDUMP holds soft abend dumps. SET ABEND HARD to get rid of it. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: VLAN IMPLEMENTATION
On Tuesday, 01/25/2011 at 11:15 EST, louis.gai...@its.ms.gov wrote: I am trying to create a vswitch with vlan capablitites I am using the osa-express implementatiion guide chapter 11 1. I defined the switch ( define vswitch vsw3 rdev fa00 eth vlan 12 portt trunk Welcome to z/VM. As a matter of Good Security Policy, I believe in explicit authorization so as to avoid confusion and errors in the future. 1. Change VLAN 12 to VLAN 666 (or some unused/unauthorized/not-valid-on-your-switch VLAN). Do NOT use the NATIVE VLAN id for this value. 2. Remove PORTTYPE TRUNK. PORTTYPE, like PORTNAME, is an Abomination, never doing what anyone expects it to do. Never use either of those options [I gesture in the manner of a Jedi Knight exerting influence on your mind]. 3. SET VSWITCH VSW3 GRANT userid VLAN 12 4. Do NOT configure the Linux guests to be VLAN-aware. That is, do not use vconfig. 5. If you have a guest that needs access to more than one VLAN on the same VSWITCH, use SET VSWITCH VSW3 PORTTYPE TRUNK VLAN 12 13 14 and *do* use vconfig. 5. If a QUERY VSWITCH VSW3 ACCESS ever shows you a guest with VLAN 666, you will know that you did not specify a proper VLAN id on the GRANT. A very nice audit tool. Just so folks are aware, if I ever show up at your company to perform a z/VM system management health check, I will be looking at your VSWITCH administration practices very closely. :-) Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Forced logoff by SYSTEM?
On Tuesday, 01/25/2011 at 11:46 EST, Schuh, Richard rsc...@visa.com wrote: Are you sure about that? Any posted read that is not responded to will get a disconnected machine forced regardless of whether it is VM or CP read. The forced disconnect is in response to terminal errors during I/O and is relevant to this discussion only if a read is posted while disconnected. It is all as documented, I do believe., and is not a bug. The reason for it is fairly obvious. If there is no secuser for the machine, someone has to log on to respond to the read. If nobody logs on, then the read triggers the logoff force timer. This is nothing new to XA. If, whenever you logon, a CP Read is posted, it is because you do not have SET RUN ON. That CP Read bears no relationship to the logoff timer. That goes back to the earliest releases of VM and probably beyond to CP40 and CP67. I only got into VM at the VM370 Release 1 level as a user, Release 2 as a sysprog., so I cannot speak to the earlier systems. You can have a CP READ on your console for reasons other than SET RUN OFF, such as - Prompt for AUTOLOG or minidisk password - TRACE is active - Prompt to system operator for ESM failsoft processing The description of DISCONNECT_TIMEOUT is a little vague in that it talks about forced disconnect. That situation occurs when 1. You get an I/O error on local non-SNA 3270 device (e.g. TEST/NORMAL, chpid pull); 2. You sever a *CCS terminal connection (VTAM, linemode telnet) while it has a virtual machine logged on through it; 3. You terminate a logical device (PVM, TN3270, Yvette) while it has a virtual machine logged on through it; 4. You issue CP FORCE DISCONNECT *and* the victim currently has a console read (VM READ or CP READ) outstanding; 5. A disconnected virtual machine issues an unresolvable console read. By that I mean that there is no console input stacked by CP and there is no active secondary user. All of these conditions cause an I/O error to be returned to CP's terminal driver. The first 3 cases result in a 'forced disconnect' message, e.g. GRAF L0003 DISCONNECT MAINTUSERS = 10FORCED BY SYSTEM Case 4 gives you GRAF L0003 DISCONNECT MAINTUSERS = 10FORCED BY ALAN In all cases, the user is disconnected and the countdown to oblivion (DISCONNECT_TIMER) begins. SET RUN OFF/ON is a bit of a red herring. It affects what happens when you issue a CP command while you are in CP READ. With RUN ON, an implicit BEGIN is done. With RUN OFF, you remain in CP READ and the virtual processors are not dispatched. If the CP READ is unresolvable per the above, then the timer starts. And I personally think the CP READ v. VM READ issue is a bug. Until the introduction of class C SEND (no SECUSER), there was no hope to answer the VM READ, and so making it a CP READ didn't hurt. Now it does. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: dynamically add page packs
On Friday, 01/21/2011 at 07:57 EST, Scott Rohling scott.rohl...@gmail.com wrote: The best I can come up with here is that RACF OPERATIONS authority is somewhat similar to LNKNOPAS.. is that what you mean? Please be careful with OPERATIONS. It gives complete access to ANY resource in the system that is defined as OPER=YES in the RACF Class Descriptor Table (ICHRRCDX and ICHRRCDE). It is meant for things like backup/restore programs that may need access to any and all minidisks (and SFS files and directories, if you protect SFS with RACF). If sharing a RACF DB with z/OS, you are also giving the person access to all DASDVOLs. If I were to audit your system and find OPERATIONS authority assigned in lieu of access to a generic profile (say), I would rap your knuckles, once for each violation. (Plus an extra one just because I enjoy it. Bwaahahah!) Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: RACF remote sharing facility (RRSF)
On Monday, 01/24/2011 at 07:06 EST, Alain Benveniste a.benveni...@free.fr wrote: We are looking how to propagate passwords between z/OS and z/VM. We want to remove nc-syncom. Z/OS has RRSF available, not z/VM. Any reason ? Will it be possible in a near future ? If you're not into the custom programming that Kris suggests, you can sync passwords via LDAP using IBM Tivoli Directory Integrator. The reason RRSF is not available for z/VM is simple: (1) it's expensive to do [only with the new TCP support was it even feasible], (2) the demand is weak. If you want RACF on z/OS and z/VM to talk via RRSF, you need to tell BOTH groups. For z/VM to cradle z/OS RRSF, it has to be built in a way that is cradle friendly, so there's work to be done on both sides. Did I say expensive already? Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Forced logoff by SYSTEM?
On Monday, 01/24/2011 at 01:24 EST, John Franciscovich jfran...@gdlvm7.vnet.ibm.com wrote: The most common cause for a FORCED LOGOFF BY SYSTEM is that the virtual machine went into a VM READ. If a disconnected virtual machine goes into a VM READ, CP sets a timer. By default, this timer is 15 minutes. I'm not sure if this is configurable or not, I haven't checked. You can use the DISCONNECT_TIMEOUT operand of the FEATURES statement to configure this: DISCONNECT_TIMEout nn sets the interval between a forced disconnect of a virtual machine and its logoff to the specified number of minutes. The default is 15 minutes. DISCONNECT_TIMEout OFF disables the automatic logoff of a virtual machine that is forcibly disconnected. AND, if you connect to the *VMEVENT system service, you can be notified any time a guest goes into disconnect timeout pending state. At least then you have time to do something about it or let someone know. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Forced logoff by SYSTEM?
On Monday, 01/24/2011 at 01:43 EST, David Boyes dbo...@sinenomine.net wrote: AND, if you connect to the *VMEVENT system service, you can be notified any time a guest goes into disconnect timeout pending state Quick question: how is the data field in the VMEVENT message formatted? There's a layout for parsing the TRGCLS, but not the data. Is it literally userid,code or...? I suggest a PMR to discuss with Development and to get the book fixed. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Wait code 000a00000000000f
On Wednesday, 01/19/2011 at 11:53 EST, Tom Huegel tehue...@gmail.com wrote: This is the entire message.. It happens before there are any console messages to indicate z/VM is even starting.. Central processor (CP) 0 in partition TPFTVM, entered disabled wait state. The disabled wait program status word (PSW) is 000a000f. Central storage bytes 0-7 are: 000a000f. You might check the load or activation profile for the LPAR. It looks like someone changed it to point to a Linux volume, perhaps, OR you overwrote your IPL volume with another OS image (e.g. Linux boot loader). If the physical IPL had failed, you would have gotten an error during activation/load. Wait state 0x0F would not be a valid CP wait state unless it were documented in the Messages and Codes book (it isn't). The only exception would be someone issuing CP SHUTDOWN WAIT F. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Support Element (SE) vs HMC and IP Addresses
On Wednesday, 01/19/2011 at 10:59 EST, George Henke/NYLIC george_he...@newyorklife.com wrote: ty, Kris, I am trying to setup RSF (Remote Support Facility) fot our new z/196 coming in soon and need to make one of the HMC adapters available to the IBM Support System via the internet. Follow the instructions in the HMC Broadband RSF guide located in ResourceLink. The HMC will use NAT to proxy the SEs onto your networks. Whatever you do, don't connect the SEs directly to your network! The z196 installation guide also has a chapter on planning for your RSF connection. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: RACF question
On Tuesday, 01/18/2011 at 02:56 EST, Feller, Paul pfel...@aegonusa.com wrote: I've got three z/VM LPARs that share a RACF database. It is not shared with any other systems. The LPARs were running z/VM Version 5 Release 3.0, service level 1001 (64-bit). I upgraded one of the z/VM LPARs to 5.4 this weekend. It's running z/VM Version 5 Release 4.0, service level 0902 (64-bit). I'm now seeing this error when I attempt to do an LU command on the 5.4 LPAR. rac lu xxx IRR52115I Error during RACF manager processing. Return code is 36. Reason code is 3. ICH51004I PARAMETER LIST ERROR DETECTED BY RACF MANAGER Ready(00012); T=0.01/0.01 14:03:09 I've tried several other RACF display commands (SR, RL) and they all seem to work ok. It's also possible to do an ALU on the 5.4 LPAR and see the results on one of the other LPARs. Logins and other security checks seem to be unaffected. RACF was initially installed on the 5.3 system. I verified that we have VM64383 installed on the 5.3 systems. It was installed prior to RACF being activated on 5.3 I have not run RACFCONV for zVM 5.4 yet. We have opened an issue with IBM support, but I thought I would ask on the list if anyone has seen this before. Any thoughts? From the Program Directory: The RACF database must have templates at the function level 540 for RACF to function properly. If you are migrating from a previous release of RACF to RACF FL540, you must run the RACFCONV EXEC to convert the existing database templates to the current release. So run RACFCONV. As a reminder, the rules for sharing the database are: 1. Each RACF database (primary backup) must be on its own full-pack minidisk or dedicated volume 2. If on a full-pack minidisk, the RDEV must be defined with the SHARED option 3. If on a full-pack minidisk, the MDISK must be defined with link mode MWV If any one of the above rules is not followed, then you may have database corruption since the database will not have been protected by RESERVE/RELEASE. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: RACF question
On Tuesday, 01/18/2011 at 04:27 EST, Feller, Paul pfel...@aegonusa.com wrote: Thanks Alan, I forwarded your reply to my co-worker and he came back with some more comments/questions. I'm not sure what , if anything, he has heard from the support center. Since there's a PMR open, we don't need to second-guess them here. But, yes, it appears that you're sharing the db correctly. (Good job - some people don't read the directions!) Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: RACF question
On Tuesday, 01/18/2011 at 04:50 EST, Kris Buelens kris.buel...@gmail.com wrote: The MDISK statements prove that the RACF database minidisks are not fullpack, hence CP wil not let Reserve/release propagate to the HW, hence RACFs in multiple z/VM systems can both perform updates concurrently (and destroy the database). Indeed! I didn't even notice that! (Too many zeros for my feeble eyes!) I hereby rescind the attaboy in my previous post. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: RACF question
On Tuesday, 01/18/2011 at 04:51 EST, Scott Rohling scott.rohl...@gmail.com wrote: The DASD is defined as shared - but if you're really sharing this RACF database - the 200 and 300 minidisks need to be fullpack minidisks. Cylinder 0 to END. (DEVNO disks are recommended) I'm not saying this is the cause of the problem you are seeing .. but RESERVE/RELEASE protection of the database between your z/VM systems isn't happening the way you have it defined - and I thought I should point that out. Some day I'd like to see the sysprog's *intent* expressed in SETROPTS and for RACF to ask CP whether or not the proper sacrifices have been made on behalf of the volumes containing the databases. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: VMVTAM
On Wednesday, 01/12/2011 at 08:07 EST, Graeme Moss ib...@mossaustralia.com wrote: G'day Listers, during a recent z/VM upgrade (in which VTAM stayed at V4R2) it was found that source for our members contained in VTAMUSER LOADLIB was not carried over from a previous upgrade. While we have been able to use the previous version of the loadlib to keep VTAM going we want to recreate the source members as they may be needed in a forthcoming rationalisation of systems. Using the macros contained in the VTAM maclibs (e.g. USSTAB in VTAMBLD) the code in VTAMUSER LOADLIB can be disassembled. Has any-one done this before and is willing to share code ? Have you talked to the Support Center? Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Rexec within Rexec question
On Tuesday, 01/11/2011 at 06:47 EST, Gonen Shoham gone...@sapiens.com wrote: I am running a REXX on cms machine using REXEC. The REXEC is starting OK, but when its gets to point where it needs to run another REXEC - it ends up with RC=36. Any idea how to perform REXEC within REXEC ? If you log onto the 2nd user directly, can it successfully REXEC to the 3rd user? If so, talk to the Support Center. There is nothing in the REXEC documentation about not being able to cascade REXECs. I really wouldn't expect any interference since there is no direct TCP/UDP connection between REXECD and the 2nd user. RC=36 is the initial return code set by REXEC internally before it starts running and (in theory) means that the remote side (where 3rd user is located) did a TCP RESET. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: ZOS Guest Console Not Working
On Thursday, 01/06/2011 at 03:53 EST, George Henke/NYLIC george_he...@newyorklife.com wrote: tyvm, all. Looks like console is defined as 3215 Guess this has not been working for some time and just noticed now. I suppose I can just change this to 3270 and all will be well. PROFILE MVSID * OPTION TODENABLE OPTION TODEN SHARE RELATIVE 100 LIMITSOFT MACHINE ESA 4 IPL CMS CONSOLE 01E 3215 You can, but it won't help, as CMS will set it back to a 3215 since CMS doesn't know how to speak to a 3270. When the PROFILE EXEC is ready to IPL MVS, it needs to issue CP TERMINAL CONMODE 3270 immediately prior to IPL. Add commentary to the exec to tell future sysprogs not to insert anything between the two commands. Since you don't have OPTION D8ONECMD, you can actually do the TERMINAL CONMODE 3270 and IPL in the same CP command: CP TERMINAL CONMODE 3270 || x2c(15) || IPL whatever This tends to help avoid accidents. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: ZOS Guest Console Not Working
On Thursday, 01/06/2011 at 04:13 EST, George Henke/NYLIC george_he...@newyorklife.com wrote: 'cp sleep 5 sec' Gag. Sleep? Is there something asynchronous happening that you need to wait for? CP DET 01ECP DEF CON 440 3270CP SET MACH ESACP I ADDRESS LOADPARM ||SYSNAME||M You could help yourself a bit by 1. Changing the CONSOLE statement in the directory to use 440 instead of 01E since CMS doesn't care what address you use. Then you can get rid of DETACH and DEFINE. 2. Getting rid of SET MACHINE ESA as you already have MACHINE ESA in the directory. 'cp sleep 1 MIN' This last SLEEP will never be issued because the preceding IPL will blow away CMS and the exec. An appropriate comment in your PROFILE would be good. :-) We are, however, using CF: The only SPECIALs in the z/OS guest are: SPECIAL 420 MSGP CFSRV04 SPECIAL 424 MSGP CFSRV01 SPECIAL 428 MSGP CFSRV05 If you want multiple z/OS consoles, you could add SPECIAL nnn 3270 entries. Just make sure that MVS is configured to require authentication on its consoles since anyone can DIAL MVSGUEST. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: z10, z/VM 5.4 and OSA Express 3
On Thursday, 01/06/2011 at 05:42 EST, Hughes, Jim jim.hug...@doit.nh.gov wrote: We have a new Z10 with 2 four port OSA Express 3 cards and 1 two port OSA Express cards. The two-port card is an OSA Express 2. I am a little confused about the IOCP for these devices. I am reading the IOCP manual and I am a little confused about having two ports on a card. Would I define one CNTLUNIT and one IODEVICE for each pair of ports? If so, would the address.Pnn come into play with Pnn being 00 or 01 for the port number? I am referring to the DEFINE VSWITCH command. Yes. Continuing on, if the above is true, could I put 64 addresses on a single IODEVICE statement and the use the Pnn format of the DEFINE VSWITCH RDEV statement to control the addresses I use on each of the two ports? Example: RDEV E000.P00 and RDEV E010.P01 I hope my question makes sense. Well, 64 addresses is overkill, since I don't think you want to share the OSA with anything else, but you could put 6 addresses, e.g. RDEV E000.P00 E003.P01 Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: z10, z/VM 5.4 and OSA Express 3
On Thursday, 01/06/2011 at 09:46 EST, Hughes, Jim jim.hug...@doit.nh.gov wrote: Would we be able to put 2 IODEVICE statements following one controller and use different channel addresses on them? Would be valid to define address E000-E00F on one IODEVICE statement and addresses C010-C01F on the other and point them at the same Controlunit? If so, could either channel address be used along with the Pnn to select the desired osa port? Yes, to both questions. But let's look at a more complicated example, where you need to worry about the last two digits of the device address and its relationship to the unit address. Here you see that the two address ranges (E000-E00F and C000-C00F) have the same last two digits. If not specified, UNITADD will default to the last two digits of the ADDRESS. Left to its own, you would end up with overlapping UNITADDs, a no-no. So you have either specify a different set of UAs (example 1) or you have to define a 2nd control unit (example 2). Example 1 CHPID PATH=(CSS(0),F8),PCHID=370, * PART=((PROD1,PROD2,TEST1,TEST2), * (PROD3,PROD4,PROD5)),TYPE=OSD,SHARED CNTLUNIT CUNUMBR=F800,PATH=(CSS(0),F8), * UNIT=OSA IODEVICE CUNUMBER=F800,ADDRESS=(E000,16), * UNIT=OSA,UNITADD=00 IODEVICE CUNUMBER=F800,ADDRESS=(C000,16), * UNIT=OSA,UNITADD=10 Example 2 CHPID PATH=(CSS(0),F8),PCHID=370, * PART=((PROD1,PROD2,TEST1,TEST2), * (PROD3,PROD4,PROD5)),TYPE=OSD,SHARED CNTLUNIT CUNUMBR=F800,PATH=(CSS(0),F8), * UNIT=OSA IODEVICE CUNUMBER=F800,ADDRESS=(E000,16), * UNIT=OSA,UNITADD=00 IODEVICE CUNUMBER=F801,ADDRESS=(C000,16), * UNIT=OSA,UNITADD=00 Paul Feller's post implies that you need/should create separate CUs for each port. That isn't necessary. BTW, if using OSA/SF, then you must code CUNUMBR=0 in order to use the OSAD (0xFE) device. Sorry asking questions I should know the answer to. We don't do much IOCP work. Once we get the new hardware installed and running, we normally never touch the IOCP. This kind of thing is rather esoteric, even for those who do IOCP all the time. Of course, one wonders WHY you're using different ranges! Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Simple RACF Question - Can the RACF database be shared with z/OS?
On Wednesday, 01/05/2011 at 07:12 EST, Jeff Gribbin jeff.grib...@gmail.com wrote: I've not used RACF on VM for a few decades and I believed that, as z/OS advanced, there came a time when it was no longer possible to share a RACF database between a z/VM system and a z/OS system. I'm sure that this belief was based upon statements made by people that I trust, plus my own understanding of the disparity between RACF development on z/OS and its development on z/VM, but ... I am the one who has suggested publicly that just because you *can* share, it does not follow that you *should* share. As the documentation says, you CAN share the database with z/OS. However, the database MUST be protected by Reserve/Release. That means that in a SYSPLEX, GRS on z/OS must be configured to allow ENQs issued for the RACF databases to use Reserve. And, for most, that rules out a sysplex, which is taking explicit advantage of GRS rings/stars. As you suggest, RACF/MVS and RACF/VM are different products with different development streams targeted to different audiences, all managed by different organizations. While the two groups are reasonably coupled from a Design point of view (we don't want to step on each others' toes), they march to the beat of different drummers. A few short years ago the VM side accidentally shifted some bytes in a database control field mapping macro, causing classes on z/OS and older versions of RACF/VM to be mysteriously turned off. We found the bug fairly quickly and resolved the issue, but the APAR wasn't pretty, requiring a utility to repair the database. From an admin point of view, some of the commands work differently on z/VM than on z/OS. Example: On z/VM you can define a user with no password and no password phrase, or just a password phrase. You can't do that on z/OS (the same way). From a security point of view, I don't like db sharing outside of a cluster. The local SMF logs do not (cannot) record changes made by other systems, even though they affect the local system. Further, you are giving the alien system access to, and control of, secrets it does not need to posses. If the alien system is hacked, the db is exposed. Likewise, if VM is hacked, the z/OS system is vulnerable. (No need to crack a password, just change it.) And because of the logging, you will never know it happened. I'd like to see z/OS and z/VM customers (e.g. via zBLC and Requirements) put pressure both RACFs to bring RRSF to VM or to enhance the LDAP interface so that LDAP replication and/or IBM Tivoli Directory Integrator can be used to propagate profiles and database settings (SETROPTS) among an arbitrary set of RACF instances. A single point of management for RACF (VM+MVS) is a desirable thing - I get it. But sharing the database is a case of the tail wagging the dog. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: PIPE locate question
On Wednesday, 01/05/2011 at 07:45 EST, Sergio Lima sergiovm...@hotmail.com wrote: As I learned in this list, I'm trying to use PIPE in some cases instead REXX. : Looking in the Manual CMS PIPELINES REFERENCE, Can't see how get the Return Code. While you are getting good answers from Kris and others, let me explain that there was no error in your pipe, so there is no non-zero RC. The locate stage will send to its primary output stream all records that contain the string. If no records contain the string, no records are sent to the primary output stream. This is why Kris suggested counting the number of records in the primary output stream. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: DISKACNT profile exec
On Wednesday, 01/05/2011 at 10:31 EST, Robert Payne rpa...@tad.org wrote: Would I be out of line or violating license issues to ask for someone's copy of this EXEC ? Yes, I have the install DDR tapes for z/VM 5.2 but that would be overkill just to recover one piece of code. YUP, it was like BANG ! OUCH ! my gun, my foot. LOL Just restore the file from IBM Archive Manager for z/VM. Oh, wait :-) When you license something, the author/inventor retains all control except as provided for in the license agreement or in applicable law. IBM licenses specifically preclude redistributing the software. You are permitted to transfer the software to someone else only as part of a machine sale. (See the IPLA license agreement.) IBM has been known, for things not readily accessible by Development, to explicitly (in writing) give permission for the transfer of software directly from one client to another. In the future, your first stop should be the Support Center. (Yeah, even for something as seemingly simple as a PROFILE EXEC.) Of course, someone could simply *tell* you what the exec does (in abstract terms) and you could type it in. I'm pretty much betting that your version would be better than the one provided by IBM. ;-) 1. Find out how full the A disk is and tell the Operator (who cares how many records?) 2. QUERY RECORDING to find out which type of record you are supposed to collect 3. Use the RETRIEVE command with the appropriate option. (Though I would think that ALL would work since each user ID is only authorized for one type of record.) Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: SORTING DIRECTORY GAPS BY USER
On Wednesday, 01/05/2011 at 06:18 EST, gclo...@br.ibm.com wrote: Hi, George. As Kris said, the program don't know the real end of the dasd. He assumes the model enough to accommodate the last cylinder defined. Due the same problem, avoid use 0 END for fullpacks. Maybe fix the program to do a QUERY DASD DETAIL to find out how big the volume is? Yeah, you have to run it from an authorized id, but that shouldn't be an issue. The need for humans to tell the machine how big a disk is strikes me as cosmic humor. That's as funny as ... as ... as having a $1M computer ask you to look at at your $15 Mickey Mouse watch and tell it what time it is when you IPL it. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: SORTING DIRECTORY GAPS BY USER
On Wednesday, 01/05/2011 at 06:47 EST, gclo...@br.ibm.com wrote: But we are talking about the DIRMAP (and DISKMAP), two IBM programs. This justify to open a Request-For-Change? You don't need justification to open a Requirement. IBM needs justification to actually fix it, however, and that could come from the sheer volume of clients asking for the same thing. But if you don't ask for a change, changes will certainly never be made. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: VTAM logmodes
On Tuesday, 01/04/2011 at 10:58 EST, Malcolm Beattie beatt...@uk.ibm.com wrote: Alan Altmark writes: As others have said, the problem is in the logmode associated with the non-SNA 3270 LU. For some reason, VTAM sysprogs keep using ancient logmodes for reasons they can't actually articulate except that's the way we've always done it. For almost a quarter century, the correct logmode for any 3270 has been D4A3290 (local SNA) or D4B3290 (non-SNA). I was unable to get these logmode names to work and they don't appear in the z/OS 1.9 Comms Server SNA Resource Definition Reference Manual. However, the manual does document logmodes D4A32XX3 and D4B32XX3 in the Default logon mode table (ISTINCLM) in Appendix A and their behaviour closely matches your description From ISTINCLM ASSEMBLE: FLAG REASON RELEASE DATE ORIGIN FLAG DESCRIPTORS -- --- -- -- $01= VM39614 VM330 900117 042852: CORRECT ERRORS IN THE PSERVIC OF D4C3290, D4B3290, D4A3290 $03= VM46183 VM340 910402 810410: INCLUDE LOGMODE ENTRIES D4B32XX3 AND D4C32XX3. $04= VM46559 VM340 910819 914077: INCLUDE LOGMODE ENTRY D4A32XX3 Perhaps the 3290 versions are specific to z/VM. It wouldn't be the first time that VM accidentally got Good Stuff that MVS didn't. It apparently took an additional release cycle to create the properly-named 32XX versions common to both MVS and VM. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Assembler Question
On Monday, 01/03/2011 at 01:57 EST, Sergio Lima sergiovm...@hotmail.com wrote: We wrote a sample ASSEMBLER Program here under CMS, that will submit a JOB to VSE Machine, using the CP SPOOL PUNCH command. Sorry, if you understand that here is not the good place to put this question. The people ask to me, if is possible the name of CMS MACHINE not appear on the MODULE. Why? It does nothing to improve security. After all, TRACE SVC CA RUN CMD D T0.50;base1 will happily show me everything I need to know. If I'm smart enough to disassemble the program or display memory, I'm smart enough to know (or learn) how to TRACE it. Needless to say, I detest wasting precious resources making programs needlessly complicated. Your VSELAB machine should reject jobs from virtual machines it doesn't recognize and who do not otherwise authenticate via appropriate userid/password on a JOB card. Also, your z/VM external security manager product can control who can SPOOL to a particular id. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Stopping DIAL From Stripping Extended Data Stream
On Tuesday, 12/28/2010 at 04:08 EST, George Henke/NYLIC george_he...@newyorklife.com wrote: Our Supersession boys swear it is not Superseesion. Could it be the Coupling Facility Service Machine doing it? George, the Coupling Facility is not involved in managing 3270 data streams. As others have said, the problem is in the logmode associated with the non-SNA 3270 LU. For some reason, VTAM sysprogs keep using ancient logmodes for reasons they can't actually articulate except that's the way we've always done it. For almost a quarter century, the correct logmode for any 3270 has been D4A3290 (local SNA) or D4B3290 (non-SNA). The 3290 logmodes are simple, removing all screen size and capability information from the PSERVIC field, and causing VTAM to query the terminal to determine its configuration and capabilities. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Time out an SFS command
John was right, you can't cancel an SFS command
Re: Time out an SFS command
John was right, you can't cause an sfs command to time out. - Original Message - From: Alan Ackerman [alan.acker...@bankofamerica.com] Sent: 12/23/2010 06:09 PM CST To: IBMVM@LISTSERV.UARK.EDU Subject: [IBMVM] Time out an SFS command Moving this question from CMS-PIPELINES to IBMVM, since I am assured by John Hartmann that it cannot be done with CMS Pipelines. Anyone figured = out how to get it to time out? Sender: CMSTSO Pipelines Discussion List CMS- pipeli...@vm.marist.edu From: Ackerman, Alan alan.acker...@bankofamerica.com Subject: Time out a CMS command Is there a PIPELINE idiom to force a CMS command to timeout after a certain length of time? I am issuing: 'PIPE command LISTDIR SFSLNB00:SFSADMIN.GETSMTP | stem emsg.' Occasionally (about once a week), this hangs for a long time (18 hours the last time) and then returns with RC = 55. I can live with RC=55, but not with my virtual machine being tied up fo= r 18 hours. (There are other VMSCHED jobs it should be running.) From: Schuh, Richard rsc...@visa.com Subject: Re: Time out a CMS command Look at the beat stage. It may work for this problem. From: John P. Hartmann jphartm...@gmail.com Subject: Re: Time out a CMS command The pipeline is dead in the water while the CMS command is executing; no way it can force a timeout. If you have two virtual machines to play with, the situation is different. Then you can send the command and wait for a response with STARMSG and send HX when it times out. Whether CMS reacts to the HX is another matter. From: Rob van der Heij rvdh...@gmail.com Subject: Re: Time out a CMS command Some SFS commands have the ability to hang forever and prevent any recovery. I recall we did some check right before these, just to make sure the remote file pool is actually alive. But I don't remember which check it was, maybe Bruce or Rod can fill in the blanks... From: Ackerman, Alan alan.acker...@bankofamerica.com Subject: Re: Time out a CMS command I suppose I can just CP FORCE the hung userid. I'm not sure what state that would leave SFS in, though. Date: Tue, 21 Dec 2010 20:16:34 -0500 From: Rich Greenberg ric...@panix.com Subject: Re: Time out a CMS command If you don't find a fix, instead of running it from VMSCHED, have VMSCHED autolog another service machine for the actual LISTDIR. It wouldn't be a problem if the extra SVM gets hung. Date: Wed, 22 Dec 2010 12:09:49 +0100 From: Rod Furey bent...@gmail.com Subject: Re: Time out a CMS command Methinks Holger did it this way: start up a thread or two via multitasking CMS set up a timer on one thread set up the access (or whatever) on the other thread if the access completes before the time ticks, kill the timer thread if the timer thread ticks before the access completes, kill the access thread Don't ask me about the ramifications of doing this and what happens about cleanup. Multitasking CMS was never an area I hit before I went in search of other work. I do recall that the dev group did discover some problems in the mtCMS area at the time. I would hope that they've been fixed by now. Date: Wed, 22 Dec 2010 08:07:34 -0500 From: Bruce Hayden bjhay...@gmail.com Subject: Re: Time out a CMS command I haven't looked at this in years! But, looking at the code, you have it essentially correct. The only sticky part is that the code doesn't attempt to do an access, but tries to simulate some kind of SFS communication via APPC, which I'm sure is not a documented interface (it is coded in the exec as a long hex string.) Anyway, the best approach for the rest of us to this problem would be to use 2 userids, as was already suggested. I doubt it would have any affect on SFS. If this happened to my own id, I just enter #CP IPL CMS to cancel the APPC wait and recover and there was never a problem in SFS after the communication was fixed or reset.
Re: Time out an SFS command
John was right, you can't set a timeout for sfs commands. Having another ID hx your ID after a too-long wait is about it. That said, you're better off trying to find out why your workunit is hanging and solve the *real* problem. Maybe the server is hung up on a backup. Depending on what's going on, you may have grounds for a PMR. Alan Altmark IBM Lab Services Merry Christmas, everyone!
Re: General CMS minidisks and SFS on PAV DASD?
On Monday, 12/20/2010 at 12:03 EST, George Henke/NYLIC george_he...@newyorklife.com wrote: Why would you NOT want PAV for CMS mds? The IO Supervisor has not kept up with the hardware. It still thinks of a disk device as a spinning platter when in fact it is a rank of RAID devices striped over numerous HDs and cached in a disk controller from where it is actually being read thereby permitting multiple IOs to the same device number.. The problem is that the IO Supervisor checks the IOB Busy Bit before issuing a SIO and, if it is on, unnecessarilly suspends the SIO until the device is idle. Instead of changing the IO Supervisor, IBM has opted to fake it out by defining alias devices for the same device number in PAV. Since most workloads these days are still IO bound, why would you still want to unnecessarilly single thread IO, why would you NOT want PAV on CMS mds, SFS, or whatever? Not sure what you're talking about, George. The I/O subsystem is architected to permit exactly ONE active I/O per subchannel. The I/O supervisors MUST obey. So, PAV does not fake out the I/O supervisor. It obviates the need to do some Unnatural Acts with IOCP to get a single subchannel with more than one associated IODEVICE so that you can do more than one SSCH (not SIO any more!) to the same device on different subchannels. To get advantage for CMS apps, including DB2 and SFS, you must have more than one minidisk on the physical volume and I/O must be directed to more than one minidisk at the same time. If you don't have enough parallelism in the system, the I/Os will complete fast enough such that all I/Os go to the base anyway. So unless your performance reports are showing device queueing inside CP, PAVs will not help. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: CSL question
On Friday, 12/17/2010 at 01:11 EST, Neale Ferguson ne...@sinenomine.net wrote: I think I'm missing something obvious here but I've been staring at it so long I can't see the problem. The code fragment - char exsbuff[sizeof(exsh_t) + sizeof(exsf_t)]; int lExsbuff = sizeof(exsbuff); char *fName = PROFILE EXEC; int lFname = strlen(fName); int lCommit = 6; DMSCSL(DMSEXIST, rc, reason, fName, lFname, exsbuff, lExsbuff, COMMIT, lCommit); The result of the CSL call is: rc: 8 reason: 90530 Where 90530 = The namedef part of the file ID or dirname parameter does not exist or was used incorrectly. Why is fName being interpreted as a namedef rather than a filename/filetype combination? I think you're missing the filemode. Without it, it's being interpreted as 'namedef1 namedef2'. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Mandatory ESMs?
Au contraire. It was necessary for MVS development.
Re: Problems with MPROUTE going from z800 to z9BC computer
On Wednesday, 12/15/2010 at 08:21 EST, Horlick, Michael michael.horl...@cgi.com wrote: Come migration time however, we could not get the VIPA/MPROUTE functionality working. I could not ping from within the mainframe to anything beyond the OSA card. Tried both QDIO and non-QDIO mode. Our TCP/IP stack, no problems. We had to back out and now we have to try to set up a test VIPA/MROUTE setup and try it on the new machine. Waiting on the telecom architect for this. No changes to the configuration files were done (except for QDIO in the PROFILE TCPIP, but the same configuration files for non-QDIO). Any clues what could have gone wrong? Mike, network problems are all solved the same way: Divide and Conquer. If I understand you correctly: 1. The new system and the old one have the same IP configuration. That is, the same files on TCPIP and MPROUTE's A-disks. The same configuration files on TCPMAINT 198. The systems even have the same SYSTEM_IDENTIFIER. 2. The new system works fine *until* you bring up MPROUTE (it throws away any static routes not specifically marked as permanent). 3. The old and new systems are NOT up at the same time. When you PING something, a packet goes out and a packet comes back. To resolve why PING doesn't work, you need to figure out which of those two things didn't happen. Your network techs can help you, as they do this kind of stuff all the time with sniffers and queries on the switches/routers. Only then will you be able to take corrective action. Prior to that, you're just guessing, flailing at the problem in the hope you will accidentally fix it. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: LU name?
On Wednesday, 12/15/2010 at 02:37 EST, Bauer, Bobby (NIH/CIT) [E] baue...@mail.nih.gov wrote: We are trying to make Automation point from CA work with a TN3270 session with a VM guest, The last step is to assign an LU name to the session. Don?t see a way to do that in the VM world. Easy enough with MVS. z/VM doesn't support LU names for TN3270E display sessions. They are used only with TN3270E printer sessions, and then only to allow you to figure out what RSCS link to assign it to. Unlike z/OS, TN3270 sesions on z/VM use CP's native non-SNA 3270 support, not VTAM. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: New messages from TCP/IP after going from z/VM 5.2 to 5.4
On Tuesday, 12/14/2010 at 04:19 EST, Horlick, Michael michael.horl...@cgi.com wrote: We went from z/VM 5.2 to 5.4 (and TCP/IP for VM 520 to 540) at the end of November. I didn't notice it at first but I see that I am getting the following type extra messages on the spooled console for each of my TCP/IP stacks that I have: 04:09:23 DTCARP049I An ARP packet was received on link PCN3 with our IP address 142.101.99.196 as the source address. Possible configuration error. I had made no changes to any of my TCP/IP configuration files. On one my stacks these type messages are occurring every so every few minutes. You made quite a leap going from 5.2 to 5.4 and you picked up a lot of new functionality. The z/VM 5.4 TCP/IP Messages and Codes book includes change bars for those DTCARP messages. It's telling you that you've got another host on your LAN that is configured with the same IP address as VM TCP/IP. It didn't used to warn you; now it does. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Mandatory ESMs?
On Monday, 12/13/2010 at 11:12 EST, Dave Jones d...@vsoft-software.com wrote: As far as getting the new z/OS PL/I compiler over to z/VM, I'd be happy if IBM just offered it unsupported on CMS, with only a short bit of documentation noting the differences between usage in the z/OS and CMS environments, much like what IBM now does with the z/OS C/C++ port to CMS. Any problems with the compiler would have to be recreated on z/OS before IBM would take an APAR. I think that this approach might help make a business case, as it would cut down on IBM's up front costs significantly. Cost avoidance does not a business case make. Business cases are made based on projected sales and profitability, and that business case is weighed against others vying for the same resources. And as you know, IBM doesn't offer experimental licenses such as you describe. A product either goes out the door as a supported product, or it doesn't go at all. Occasionally IBM does offer beta programs that are similar to what you describe, but those are within the context of having intent to release a fully supported product. After all, it takes manpower to create unsupported programs, too. That's just The Way Things Are. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Mandatory ESMs?
On Monday, 12/13/2010 at 09:41 EST, George Henke/NYLIC george_he...@newyorklife.com wrote: I'm just grateful z/VM is still alive and well and getting stronger and better every day especially with the advent of the z196 and that it is only a question of time before the compiler issue will be addressed. Not likely, George. The problem with CMS as an application platform isn't the compilers. As others have noted, that's easily and [relatively] cheaply solved. The problem is that application developers use compilers as a means to an end, not an end in themselves. Business application programmers want to write web-enabled apps and services for UIs and database access. They want WebSphere, WAS, DB2/UDB, Oracle, and WebLogic. They want to write RESTful applications. They want to write in Java. And, of course, they don't want just some minimal core level of function, they want the whole enchilada. And in case it's not evident, business cases for compilers are developed around *business* application development, not systems management. Firstly, companies don't *want* to write their own systems management software - they want to buy it. Secondly, the number of people wanting to write their own systems management software on CMS is vanishingly small. So to have a viable business, you have to have enough demand to drive significant revenue. I say significant because there are lots of places IBM can invest. Should it invest those resources in something that returns a small profit, or large? (Note: I'm a stockholder, so I'm biased.) Those who are in the *business* of CMS-based [systems] software development might *prefer* COBOL or PL/I, sure, but they know what languages are available to them and they have to decide whether the market conditions and the availability of development infrastructure are sufficient to meet their business goals. In IT, as in almost all walks of life, it is unfortunate yet true that that the wishes of the Few or the One are ignored in favor of the wishes of the many. You will see that z/VM continues to invest in its native back-end System Management APIs and in the CIM lowware that pushes on them in order to free the systems management software from *having* to run ON CMS. Ultimately being able to manage system configuration, virtual machine provisioning, real resource provisioning, operation, event management, accounting, security, DR and HA, all from modern front-ends UIs with their own scriptable CLIs. As you suggest, this is all part of the appeal of zEnterprise. By the way, none of the above in any way denies the acknowledged inherent coolness of CMS. It's a simple and fast operating system; it's single userness eliminating huge amounts of complexity. Of course, we make up for that by having invented SFS and BFS, reintroducing some of that complexity. :-) It is a two-edged sword! Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Mandatory ESMs?
On Monday, 12/13/2010 at 05:06 EST, Tom Duerbusch duerbus...@stlouiscity.com wrote: IBM had a program. If you were a developer, you could sign up and have time on one of IBMs' mainframes. Kind of like the old time sharing services back in the '60s and '70s. It seems to me that it resurfaced with Linux development but I haven't heard anything about it in, at least, 5 years. Yes, it's offered by the Dallas Systems Center as part of the IBM Innovation Center, but it is open only to PartnerWorld members. If you are in the *business* of software development, IBM has programs to help you. I'm not aware of anything within IBM to address hobbyists' needs. There is an opportunity for others to fill that niche, but I think it's telling that no one has done so in a general way. Remember that the service provider has to pay licensing costs for the software on their system, including 2nd level z/OS guests. (There's no such thing as a free z/OS.) Further, they accept responsibility for YOUR use of the software, which triggers risk management. (Gotta read those license agreements carefully!) And even a niche provider has to break even on wetware, software, hardware, and environmentals. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Vswitch Grant as a CMD in User's Directory?
On Friday, 12/10/2010 at 05:46 EST, Les Koehler vmr...@tampabay.rr.com wrote: Back in the old days, I recall a finance type person saying something like: The Gold Standard is that it should take collusion between two or more people to defraud the company. Preventing collusion between two class G users is why z/VM supports mandatory access controls and why you can change the privilege classes of commands and DIAGNOSE subcodes. If we apply that to IT, then shouldn't pswds for privileged userids that can access/change financial data be long enough that TWO sysprogs can each be given half a pswd so they both have to be present to make a change? Well, not quite that bad, but EAL 6-level systems require two privileged users to make security-relevant changes to a system. Missile silo two-key concept. Multi-part keys CAN be used in the System z crypto cards for secure (encrypted) key operations. No one person has the entire key and so even if one of those people had a copy of the key dataset from z/OS or Linux, they wouldn't be able to use the keys to encrypt or decrypt data. By the way, you can see the two-key concept in RACF. If the security admin tries to deactivate RACF, CP prompts the operator to concur or deny. (A minor inconvenience and easily overcome [for the moment].) Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Vswitch Grant as a CMD in User's Directory?
On Friday, 12/10/2010 at 09:17 EST, Tom Huegel tehue...@gmail.com wrote: Does anyone run applications in z/VM? Isn't the 'protected data' owned by some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security effort belongs in those OS's. z/VM just needs to keep those systems isolated and NOT be able to circumvent their security procedures. While that protected data is owned by the guest, the data is *potentially* accessible by any virtual machine. It doesn't matter whether you run CMS, VSE, LINUX, MVS, TPF, or anything else. All virtualization platforms create virtual raised floors, and, like a real raised floor, you are obligated to define and enforce access controls on those floors. Some are physical, some are policy only. All persons must badge in; no tailgating. You touch THIS system and you die. You plug THAT cable into THERE, and you die. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Vswitch Grant as a CMD in User's Directory?
On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com wrote: Does it really matter? SOX is just another way congress has come up with to destroy the American economy, and in fact the American way of life. When you read the law, you find that SOX is simply a way to hold executives responsible for the financial statements issued by their companies. Assuming no ill intent (no comments, please!), that means trustworthy data. That flows downhill, as all such things must, until we start talking about access controls and audit mechanisms for financial data. That is, knowing who has the means and the opportunity to access the data, and knowing who has actually done so. (I leave it to others to talk about motive.) Who, what, where, when. Unfortunately, IT security industry consultants have mangled this laudable concept into a paranoia-inducing behemoth that has people screaming in terror as it rampages across the country, flogging every sysadmin in its path. Why? Because financial status is inferred from many other data sources and no one wants to spend the time it takes to follow all the data flows. Result: Secure Everything. With HIPAA and PCI running alongside, the Secure Everything policy looks even more reasonable to CEOs, CIOs, CFOs, and their lawyers. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Vswitch Grant as a CMD in User's Directory?
On Thursday, 12/09/2010 at 11:41 EST, Schuh, Richard rsc...@visa.com wrote: Not necessarily, there is LOGONBY. They need only know their own passwords. They logon and access USER DIRECT. Now they know ALL the passwords. Of course, you can have LBYONLY for everyone. But that misses the point. They are unencrypted passwords AND they are in bulk. What if someone gets the bright idea to copy USER DIRECT to their laptop? YOUR password is now exposed. Should anyone have full authority including all the passwords? If so, who? People should have full authority, yes, but they should NOT have access to passwords belonging to others. In some jurisdictions, a password is classified as personal information (encrypted or not) that plays into security breach notification law, even if not covered by PII protection requirements. The idea that an organization might not take ALL REASONABLE precautions (aka due diligence) to protect a system with customer data is worrisome. More worrisome is the fact that some organizations apparently don't have a POLICY of password encryption. It's even harder to believe that company lawyers are on board with that since Company Policy is how corporations insulate themselves from the actions of individuals. Even exceptions to policy need a valid reason. In my Security and Integrity presentation, I say 1. Protect your data 2. Protect your system 3. Protect your clients 4. Protect your company 5. Protect yourself Do the first two, and the last three will take care of themselves. I am not a lawyer, however, so my comments reflect my own opinions and experiences in my role as a system security professional. They should not be construed as legal advice, as such advice should, of course, be obtained from a competent attorney who specializes in such matters in the relevant jurisdictions. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Vswitch Grant as a CMD in User's Directory?
On Wednesday, 12/08/2010 at 08:31 EST, RPN01 nix.rob...@mayo.edu wrote: Is there anyone out there that actually gains security from CP users not being granted onto their vSwitches? How many people would like to be able to define a vSwitch as open to the public or not requiring a grant to be accessed? In the same way plugging an ethernet cable into a switch is not sufficient to gain connectivity, so defining a virtual wire is not sufficient to gain connectivity to a virtual network. This is just the way networking is done. Virtualizing the wires doesn't change anything. Assuming you have RACF and generic profiles active, you can allow access to all VSWITCHes while denying access to all user-created Guest LANs. RDEFINE ** CL(VMLAN) UACC(NONE) RDEFINE SYSTEM.** CL(VMLAN) UACC(UPDATE) Without an ESM, Class G Guest LANs can be disabled by putting VMLAN TRANSIENT 0 in SYSTEM CONFIG. I've been saying for several years, You need an ESM. More and more z/VM security management will be focused on ESMs, not native CP. If your fave ESM doesn't simplify things for you, gripe to the vendor. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Vswitch Grant as a CMD in User's Directory?
On Wednesday, 12/08/2010 at 02:35 EST, David Boyes dbo...@sinenomine.net wrote: OTOH, I think this also argues for a bigger step: for IBM to supply a default ESM and quit having to do it two different ways. We can always replace the default one with something better, but there's a lot of wheel-spinning being done in IBM development to support the two different models. Personally, I dislike RACF with a passion, but I'd rather have RACF be present by default and have one single way to do security management (via the ESM) than have to have a completely separate command authorization matrix to worry about via CP privilege classes, etc, etc, etc. It may have worked in the past, but it's time HAS past. There's too many regulations and too many hostile bozos out there to not have a comprehensive security management tool as part of the VM hypervisor suite. If that means we all have to suffer under RACF for long enough to turn it off, then so be it. In order to achieve the savings you imply, then z/VM must move to the z/OS model in which, except for a few specific functions, an ESM is required for proper operation. NO native CP security controls beyone those required to restore ESM control vis a vis SYS1.UADS in order to login to TSO. Any function dependent on the ESM will be configured to DENY access without the ESM. You would HAVE to buy an ESM, whether from IBM or CA. And THAT will be acceptable only when folks wrap their heads around the fact that z/VM systems WITHOUT an ESM will fail a modern security audit. The primary example is the presence of unencrypted passwords in USER DIRECT. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Vswitch Grant as a CMD in User's Directory?
On Wednesday, 12/08/2010 at 03:11 EST, RPN01 nix.rob...@mayo.edu wrote: But, should you have to have an external security manager for a system where the majority of users are disconnected guest operating systems? Yes. Most of today's z/VM systems have a bare minimum of real human users. CP is the security manager for us, and it's sufficient to control the wild ramblings of, oh, say, the four people who need access. Those four people know all the passwords. There is no accountability and no plausible deniability. You have de facto password sharing, something I have yet to see countenanced by any IT organization. The dollars are needed for other things with a much higher priority before we'd ever get an ESM to control our more wild moments. That's certainly a fair decision to make. Understand that the ESM is not there to protect the system from rogue sysprogs. It is there to enforce policy and to demonstrate that you *have* a policy and the evidence to demonstrate its enforcement. And, plugging a cable into a switch generally does get you connectivity, because someone put that switch there for the express purpose of providing that connectivity in the first place. If I walk into an office on campus, and there's an Ethernet jack on the wall, I have the reasonable expectation that I should be able to plug my laptop into it and have a connection to the network. You have a policy in place that unused ports are enabled. Whether the port was opened on demand or in advance of use doesn't really matter. It isn't by *your* choice that you are allowed to plug into the network. The same thing holds true if I see a wireless antenna on the ceiling here. I shouldn't have to call the Network Operations Center and give them my name and password and the jack number to get them to let me in; No, but you may require a certificate. But even if you don't, there was still a policy in place to open the ports. If that were the case, we'd have a lot of ticked off doctors running around here. (Much the same as I get ticked off every time I have to go grant a virtual machine into the virtual switch.) We even have jacks and wireless in the patent waiting areas so that they can get internet access, and they don't need to be granted in either. The vSwitch grant is not in any way mimicking a real life scenario. It doesn't compare to the real world in any way. Networking gets set up, and once it's set up, you plug things into it and they simply work, as long as you know the IP range and netmask, or your computer does a reasonable job of DHCPing you an address. You don't have to be granted into it. You are making my point for me, demonstrating that it is NOT sufficient to just plug into a wall port. Someone has cabled/authorized/opened those ports. They have set up the DHCP servers or given you a considered IP address. Those public ports very likely have different access rights than those in offices and exam rooms. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Vswitch Grant as a CMD in User's Directory?
On Tuesday, 12/07/2010 at 11:27 EST, Marcy Cortes marcy.d.cor...@wellsfargo.com wrote: What Kris said is right. The 2nd time through you already have the access so it appears to work After you IPL or destroy your vswitch, it wouldnât work on the first login. Drove me crazy. Of course, I hate Grants Then don't use them. Let your ESM handle it and you never need worry about the authorization again, regardless of the existence of the VSWITCH. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Vswitch Grant as a CMD in User's Directory?
On Tuesday, 12/07/2010 at 11:37 EST, Marcy Cortes marcy.d.cor...@wellsfargo.com wrote: Well, you know... there's only the 1 ESM that uses them and we don't use *that* one. I'll tolerate the grants rather than switch ESMs :) My mistake. I would have figured that by now all ESMs would provide protection for VSWITCHes and Guest LANs, since otherwise you have to turn off the ability for lowly class G users to create Guest LANs. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: z/VM 6.1, SSLSERV Question
On Thursday, 12/02/2010 at 08:15 EST, Mark Wheeler mwheele...@hotmail.com wrote: It would be nice if UFT(D) would support it. RFC 1440 does not define a mechanism for the UFT client and server to negotiate and initiate TLS. A new RFC is needed. (Note that the IETF now requires protocols to be able to negotiate TLS on the same port as the unsecured version.) Further, UFT(D) in VM is not written to the VMCF/Pascal interface and so couldn't support it until CMS supports dynamic TLS for IUCV sockets. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: z/VM 6.1, SSLSERV Question
On Thursday, 12/02/2010 at 09:32 EST, Richard Troth vmcow...@gmail.com wrote: RXSSL comes to mind. As it happens, a couple of us were discussing RXSSL off-list within the past day. Seems that it may need some attention to get it working with the new VM SSL. As I'm sure you have discovered, the challenges with SSL are many: - Certificate updates without taking applications out of service - Allowing different applications to use the same certificate - Protecting a server certificate's private key - Tying user certificates to VM user IDs so that people can be identified and two-factor authentication enabled - Keeping user certificate private keys away from the users (think about it) - Implementation of a flexible policy for the validation of incoming certificates - Keeping up with advancements in the protocol and the introduction of new encryption suites - Required industry and government certifications such as FIPS I would have thought that everyone's IT host network security departments would be turning the screws on unencrypted and unauthenticated transmission to/from VM of any sensitive data and/or passwords. (You mean you let MAINT's password flow in clear-text over the company's network?!?) And that you all, in turn, would be squeezing IBM for a supported, manageable solution. It's kind of scary, actually. My biggest fear is that folks are trying to fly under the radar in the hopes of not being discovered and are taking too many undocumented or ill-understood risks. But perhaps I am too paranoid. Maybe these all just trivial transmissions of today's cafeteria lunch menu and cannot be used by some disgruntled or creative employee to discredit, steal, corrupt, or destroy your fave virtualization platform or the data it holds. There are large corporations who are finally starting to look at z/VM management policies (incl. security) to ensure that they are mitigating the risks inherent in any virtualization strategy. It's easy to say, We'll deal with that later. Tick, tock, tick, tock. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: z/VM 6.1, SSLSERV Question
On Thursday, 12/02/2010 at 10:08 EST, Richard Troth vmcow...@gmail.com wrote: The bottom line for UFT is to do over TCP what RSCS does over CTC/VTAM/NJE, but not in the way NJE/IP does. (Of course, it might be a good hint to the present NJE/IP authors and owners to create a UFT driver for their stuff. hint hint) The point is that UFT gives you RSCS-style transport without adding more network topology. If then you are behind a firewall, you might not care to secure the UFT channels. (Did he just say that? He did! I can't believe he said that!) Bah, humbug. You simply added a new network with the label UFT instead of NJE. The problem with behind the firewall is that the firewall can appear to move since FW management isn't within your job description. Further, encryption is there to protect the data from sniffers (legitimate or otherwise). When the $10/hr network tech is diagnosing a problem, do you want him to have access to your 401K information while she's doing it? Hence the reason a data security policies may say, All PII shall be encrypted when at rest or transmitted on a network. No qualifiers and no escape clauses. You have to file for any exception. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: z/VM 6.1, SSLSERV Question
On Tuesday, 11/30/2010 at 06:39 EST, Schuh, Richard rsc...@visa.com wrote: We have a person who is trying to get a secure end-to-end transaction between a CMS client and a TPF host. RXSOCKET is being used by the CMS client. The port specified is 51105, which has been designated as a secure port. He has traced the SSLSERV and sees no traffic going through it; however, the connection to TPF is made and it is not secure. The ASSORTEDPARMS are coded as: ASSORTEDPARMS SECURELOCAL PROXYARP IGNOREREDIRECT FREELOWPORTS ENDASSORTEDPARMS What is the magic that will allow this to be done. None. The description of SecureLocal is somewhat deficient. It applies only to loopback connections and only to sockets managed by the Pascal/VMCF socket interface. The RxSocket/C/IUCV socket interface does not have support for SSL. Under normal circumstances, loopback connections for static SSL connections would be superfluous since the traffic never leaves the stack and the secured apps can't tell the difference. SecureLocal overrides that decision in case you have a stack that you want to use for testing the management and use of SSL. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Hanging when dialing z/OS guests
On Wednesday, 12/01/2010 at 10:10 EST, George Henke/NYLIC george_he...@newyorklife.com wrote: ty, Scott Our z/OS staff is looking at VTAM. It may be a z/OS VTAM issue. It fits the crime. But there does not seem to be any CP Query command that shows SPOOL utilization. There is Q MAXSPOOL for files but that does not even show utilization. But ty for the download references. I will go there now. QUERY ALLOC SPOOL. As to DIAL, z/OS has to have both defined virtual 3270 devices (CP DEFINE GRAF or SPECIAL statements in the directory) and non-SNA local 3270s defined to VTAM (LBUILD). Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott