Re: /tmp space is full

2011-01-21 Thread Rob Schramm
Tracy,

If that is the display for /tmp, then it is ZFS. I would go with one of the
prior posters' suggestions about zfsadm grow.

Rob Schramm

On Fri, Jan 21, 2011 at 12:11 PM, Adams, Tracy  wrote:

> I do not have a mount of /tmp in my active BPXPRMxx member.  Actually there
> are no mounts at all in the member.  I do have OMVS. Datasets for all the old
> reliables... var, etc/ tmp
>
> # df -v /tmp
> Mounted on     Filesystem                Avail/Total    Files      Status
> /SYSTEM/tmp    (OMVS.SYSA.TMP)           28518/57600    4294967265 Available
> ZFS, Read/Write, Device:3, ACLS=Y
> Filetag : T=off   codeset=0
> Aggregate Name : OMVS.SYSA.TMP
>
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
> Behalf Of Craig Pace
> Sent: Friday, January 21, 2011 11:07 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: /tmp space is full
>
> Tracy,
>
> If you do not have a mount point for /tmp in your BPXPRMxx parmlib
> member(s), then that means you have it under the root which is not a good
> idea at all.  You can issue the MVS command D OMVS to validate what active
> BPXPRMxx member(s) you are running off of.  Then from there you can see if
> you have a mount point "MOUNTPOINT('/tmp')" for your /tmp directory and
> determine what type it is, if there.  If not there, I would create a mount
> point for /tmp and I would recommend a TFS since it does clean itself up
> automatically.
>
>
> Thanks,
>
> Craig Pace
>
>
> "Adams, Tracy"
> Sent by: IBM Mainframe Discussion List
> 01/21/2011 09:57 AM
> Please respond to: IBM Mainframe Discussion List
> To: IBM-MAIN@bama.ua.edu
> cc:
> Subject: Re: /tmp space is full
>
> Thanks all.  The ISHELL process allowed me to extend the directory to
> resolve the problem.  When the day is quiet I will try the unmounting and
> mounting trick to see if the space gets cleaned up.  The confighfs command
> returns that it is not mounted as HFS and there are no entries in the
> parmlib so I would conclude that it probably is a TFS filesystem.
>
> Thanks again for your quick responses!
>
> PS For additional reading on the topic I recommend the ABCs volume 9
> manual :-)
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
> Behalf Of Erik Janssen
> Sent: Friday, January 21, 2011 9:24 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: /tmp space is full
>
> Tracy,
>
> Did you do a 'ls -la /tmp' to make sure also hidden files (ie. starting
> with a '.') are shown?
> We use TFS for /tmp and doing umount / remount normally works perfectly to
> clean it up...
>
> Regards,
>
> Erik.
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of
> Adams, Tracy
> Sent: Friday, January 21, 2011 14:34
> To: IBM-MAIN@bama.ua.edu
> Subject: /tmp space is full
>
>
>
> First off, let me apologize for my OMVS ignorance.  Other than using the
> basic set it and forget it parameters of OMVS we have never had to touch
> it.  Now we are developing an app that may keep the mainframe around a
> long time that provides and consumes Web Services.
>
> Long story short, my /tmp file is full and I can't figure out what is
> taking the space.  Using the LS command there are only about 5 files in
> there and they are small 30-50 blocks(?) apiece of the 28000 that are
> allocated.  The syslog file is there also but when I cat that there only
> is a handful of records in there.  Other than that I see nothing.  A.
> How do I tell what has allocated that space and/or 2 how can I make /tmp
> larger on the fly?
>
> TIA,
>
> Tracy
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the
> archives at http://bama.ua.edu/archives/ibm-main.html

Re: IOS050I

2011-01-28 Thread Rob Schramm
Is it only when certain data is sent?

I seem to remember a series of errors that was data dependent.  The
equipment was not supposed to look at the data, but it was and was producing
errors... but only for one particular data set.

Rob

On Fri, Jan 28, 2011 at 8:25 AM, Ibm Main  wrote:

> Hi,
> at our installation we are having some connectivity problems.
> We have two sites (S1 and S2), with two z10 EC (z/OS 1.11) each, connected
> via FICON cascading.
> When some system in S1 writes in tape or disc at S2 we get a lot of IOS
> messages:
> IOS050I CHANNEL DETECTED ERROR ON 8AB9,98,E7,**02,PCHID=0400
>
> At the beginning everything worked well, but in the last weeks some JOBs
> are failing.
>
> We have checked all fibers involved in the communication, changed FICON
> SFPs, and no way to get rid of the message.
>
> Any ideas what can be issuing the message?
>
> Thanks!
>
> Regards, Chrstian.
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: IOS050I

2011-01-28 Thread Rob Schramm
This is a short description of a weird issue with two sites.

There was a bug in the ASIC programming in the DWDM that calculated the CRC
for a block of data. We had a very odd block in an image - a long run of
zero-bits, I think - that caused an invalid CRC to be generated. It was a
solid error. Every time the block tried to cross the river it got an I/O
error.

The fix was a patch to the ASIC code.

Hopefully this helps,

Rob Schramm 



Re: Does ROUND dataset allocation mean cylinder boundary?

2011-02-02 Thread Rob Schramm
I thought I heard that Greg was going to work on multi-tasking for DB2.

I agree.  Greg was a wonderful contributor for IBM-Main. 


Rob



Re: Common Event Adapter

2011-02-03 Thread Rob Schramm
Alan,

Have you reviewed the RACF/ACF2/TSS security and permission for
/var/CEAServer?

http://www-01.ibm.com/support/docview.wss?uid=isg1OA23747

Rob 



Re: LINKLIB in use

2011-02-03 Thread Rob Schramm
You forgot the unallocate to remove the enque.

SETPROG LNKLST,UNALLOCATE 
SETPROG LNKLST,ALLOCATE

And set it back to being safe...

Rob

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Mark Pace
Sent: Thursday, February 03, 2011 1:32 PM
To: IBM-MAIN@bama.ua.edu
Subject: LINKLIB in use

I want to change the size of a LINKLIB.  So how I was going to tackle this
was, define the new one, copy the contents from the old library to the new
library.
Remove the LINKLIB from the APF list and the LNKLST.  Delete the old
dataset, rename the new one, and then add it back to the APF and LNKLSTs.

setprog apf,delete,dsname=sys3.prod.linklib,volume=tusr01

SETPROG LNKLST,DEFINE,NAME=lnklst01,COPYFROM=lnklst00
SETPROG LNKLST,delete,NAME=lnklst01,dsname=sys3.prod.linklib
SETPROG LNKLST,ACTIVATE,NAME=lnklst01

I then went to delete the old dataset, but it still says Dataset In Use.
What did I miss?

--
Mark D Pace
Senior Systems Engineer
Mainline Information Systems



Re: Common Event Adapter

2011-02-03 Thread Rob Schramm
Mary,

If you follow the link I posted, there is a description of the OMVS segment
and authority that is required.  According to the doc, there was some
debate/confusion about what was required.

Rob

On Thu, Feb 3, 2011 at 2:26 PM, Mary Anne Matyaz wrote:

> Allan, does the started task userid that CEA is running under have an OMVS
> segment? I think it used to need UID(0), but not sure about that now.
>
> MA
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Associate user with started task

2011-02-07 Thread Rob Schramm
Which security product do you have: ACF2, RACF, or Top Secret?

Rob 



Re: /tmp space is full

2011-02-08 Thread Rob Schramm
What does a LISTCAT of the ZFS data set say?

Our /tmp is a zfs file with secondary extents assigned and not sms managed,
the volume contains over 1800 free cyls. I got a msg that the file was full,
since this is a sand box system I just unmounted and remounted to clear this
up.

Why wouldn't this zfs file automatically grow? Tks Matt 

MOUNT FILESYSTEM('SYS1.OMVS.MVSTECH.PCH.TMP')
      MOUNTPOINT('/tmp')
      TYPE(TFS)
      MODE(RDWR)

SYS1.PARMLIB(IOEPRM00) contains aggrgrow=on



Re: Data Masking - 3270 Sceens

2011-02-08 Thread Rob Schramm
I would have to agree with HTH.  Unless the actual SSN is required.. why
serve it?   There are a variety of strategies for how to deal with sensitive
data, but (IMHO) masking at the client is among the last I would consider.
If there is masking to be done it should be done before it is sent to the
client to simply avoid the issue.   Sometimes avoidance is a valuable tool.
Send what is "required" (slippery slope if there ever was one) and no more.

As for 3270, SSL/TLS should take care of encrypting the conversation.

Rob Schramm 
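
The design point in this post, as an added example that is not part of the original message: the host builds the outbound screen fields from a per-role policy, so the full SSN never enters the data stream and the client has nothing to mask. The record layout, role names and the functions `render_ssn`, `build_screen_fields` and `leaks_full_ssn` are assumptions made for illustration.

```python
"""Server-side minimisation of a sensitive field before it reaches a terminal.

Constructed illustration: the record layout, roles and policy are hypothetical.
"""
import re

# Per-role policy for the SSN field (hypothetical roles).
#   "full"  - the role genuinely needs the whole value
#   "last4" - the role only needs to confirm identity with a caller
#   "omit"  - the role has no need for the field at all
SSN_POLICY = {
    "benefits_admin": "full",
    "call_center": "last4",
    "report_viewer": "omit",
}

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def render_ssn(ssn, mode):
    """Return the value allowed to leave the host, or None to drop the field."""
    m = SSN_RE.match(ssn)
    if m is None:
        # Malformed data: fail closed rather than echo an unknown value.
        return None
    if mode == "full":
        return "-".join(m.groups())
    if mode == "last4":
        return "***-**-" + m.group(3)
    return None  # "omit" and any unrecognised mode


def build_screen_fields(record, role):
    """Build the outbound field map for one screen.

    Roles missing from the policy get the most restrictive treatment.
    """
    out = {k: v for k, v in record.items() if k != "ssn"}
    mode = SSN_POLICY.get(role, "omit")
    value = render_ssn(str(record.get("ssn") or ""), mode)
    if value is not None:
        out["ssn"] = value
    return out


def leaks_full_ssn(fields, ssn):
    """Audit helper: does any single outbound field carry all nine digits?"""
    digits = re.sub(r"\D", "", ssn)
    return any(digits in re.sub(r"\D", "", str(v)) for v in fields.values())


if __name__ == "__main__":
    # Constructed sample record, not real data.
    sample = {"name": "J. DOE", "account": "A-1042", "ssn": "123-45-6789"}
    for role in ("benefits_admin", "call_center", "report_viewer", "intern"):
        fields = build_screen_fields(sample, role)
        print(role, fields, "full SSN sent:", leaks_full_ssn(fields, sample["ssn"]))
```

Running the audit helper over outbound field maps in a test suite catches a screen that starts serving the full value to a role that was only meant to see the last four digits.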



Re: Errno=86x The function is not implemented; Reason=05520044

2011-02-08 Thread Rob Schramm
For starters check the security bits?

Can you issue a

D OMVS,F

I'd try it under omvs just to make sure it isn't some ISHELL weirdity.

The return code should be able to be pulled apart... usually it is
accompanied by the function that is failing.

Cheers,
Rob



Re: Errno=86x The function is not implemented; Reason=05520044

2011-02-08 Thread Rob Schramm
Dominic,

Is your root filesystem mounted read-only?

Are you able to
1)  unmount /omvsapps/moh_genesis_prod
2) perform the mkdir /omvsapps/moh_genesis_test
3)  mount /omvsapps/moh_genesis_prod
4) mount whatever filesystem on /omvsapps/moh_genesis_prod


Rob



Re: HFS file questions

2011-02-08 Thread Rob Schramm
Linda,

In order to make sure you get a clean copy using FDRCOPY, you'll have to either
quiesce or unmount the filesystem before doing the copy to a new/backup data
set.  HFS is very intolerant of fuzzy copies.

As for the expansion, this is way easier with zfs vs. hfs.  It has been a
while since I have dealt with HFS... so maybe one of the other members knows 
the answer.

If there isn't an easy way.. then:
1) make a new hfs/zfs file
2) mount it somewhere like /u/temp
3) there are various methods .. I have seen various documents indicating use of 
pax.  I have just run a cp command with recursive and preserve  cp -Rp. 

Rob 



Re: Default REGION Size

2011-02-09 Thread Rob Schramm
I worked at a place that had a similar setup with 8M.  It was set
artificially low because there were a bunch of assembler programs in the
shop that did a variable getmains to give them everything below the line.
By setting it to 8M, it meant that they couldn't get "everything below the
line" and thus the jobs would tend not to abend for exhausted storage below
the line.  Not a brilliant way to do things.. but it worked.

Cheers,
Rob



Re: Default REGION Size

2011-02-09 Thread Rob Schramm
I think there is a product to do this kind of stuff. OESM or something along
those lines.  I did a quick web search and obviously I don't have the right
name.

Rob

On Wed, Feb 9, 2011 at 1:02 PM, Veilleux, Jon L wrote:

> It would be great if IEFUSI limits could be externalized into PARMLIB. It
> is a pain to have to recode an assembler exit whenever we need to change how
> we handle these limits. Not to mention that there are not a lot of us left
> who know how to code in assembler.
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
> Behalf Of Mark Zelden
> Sent: Wednesday, February 09, 2011 12:57 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Default REGION Size
>
> On Wed, 9 Feb 2011 12:28:36 -0500, Haynes, Stan wrote:
>
>
> >The issue with how much *low* private to allow is ensuring RTM can
> >successfully GETMAIN, so I'm wondering: if we change the default to 128M,
> >or 192M, etc, do we need to subtract some vstor for the low private ?
> >
>
> That is why you need an IEFUSI (or IEALIMIT) exit.
>
> I really wish MVS would externalize LSQA reservation, above and below the
> line region size defaults etc..  in a parmlib member.  But of course an exit
> is much more flexible since you may need more than a "one size fits all"
> specification.  (not that jobnames etc. couldn't be added to some parmlib
> member to override the defaults)
>
> Mark
> --
> Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
> mailto:mzel...@flash.net
> Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html
> Systems Programming expert at http://expertanswercenter.techtarget.com/
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: HFS file questions

2011-02-12 Thread Rob Schramm
Chris,

I have to admit that when I first saw this post, I assumed it was a
tongue-in-cheek post and promptly deleted it.  After reading it again... I
can only apologize to the originator of this thread for the mean-spirited
and completely unhelpful nature of your response.  It is well documented
that you have an unbelievable pet-peeve regarding the USS acronym.  I think
you have made your position abundantly clear.  Perhaps you feel it has been
too long since your last reasoned rant regarding the USS subject.  In which
case, please feel free to start a thread restating your opinion.   BUT... It
is just not ok to hijack a post and effectively belittle a poster.  I
shouldn't even have to post anything about etiquette to long time members.
At the very least you should apologize.

Rob Schramm

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Chris Mason
Sent: Friday, February 11, 2011 12:00 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: HFS file questions

Dick

> "USS" - meaning Unix System Services, not the VTAM term Unformatted
> Session Services  :-))[1]

Well, I thought I knew just about all that really mattered about VTAM but I
was puzzled by "Unformatted Session Services" about which I could not recall
previously having heard.

Checking the manuals - z/OS V1R12 just to make sure they were the latest - I
found - to my relief - that "USS" still meant "Unformatted *System* Services"
as I remembered it and had not been transformed to "Unformatted *Session*
Services" however plausible a sequence of words that might conceivably be in
the context of VTAM and SNA.

Perhaps there is a consideration that can be taken into account before
sentencing in that there *are* two flavours of USS table, a "*session*-level
USS table" and an "operation-level USS table". I suppose it's easy to get
confused in this complex world of VTAM and so a caution can be handed down.

Incidentally, earlier in the thread Stephen Mednick quoted a manual 
where "USS" in this unofficial context was introduced as "UNIX System 
Services (USS)" so I guess, because it is part of the same thread, "her" 
thread, of course, that Linda Mooney has an albeit tenuous excuse for the 
misappropriation!

Chris Mason

[1] I caught this travesty only because I have a digest from Google Groups 
every day as a way of making sure I don't miss the one in 10 or 20 or so 
threads within which I may have something to say. The reference to USS just 
happened to appear in the sample text offered with this digest system. 
Otherwise I would have passed all of this by in blissful ignorance of the 
malapropism.

The Google Groups digest can also pick up threads from poor deluded 
individuals who imagine that they have posted a query or provided an answer 
only to be totally ignored because the post appears neither in subscribers' 
inboxes nor the archives.

On Thu, 10 Feb 2011 17:44:47 +, Bond, Dick (DIS) wrote:

>Hi Linda,
>
>"USS" - meaning Unix System Services, not the VTAM term Unformatted
>Session Services  :-))
> ...
>
>> -Original Message-
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
>> Behalf Of Linda Mooney
>> Sent: Wednesday, February 09, 2011 3:40 PM
>> To: IBM-MAIN@bama.ua.edu
>> Subject: Re: HFS file questions
>>
>> Hi Dick,
>>
>> Nobody here, me included, has ever used copytree.  None of us know
>> much about USS at all, although I am determined to learn - if it kills
>> me!
>> ...



Re: HFS file questions

2011-02-12 Thread Rob Schramm
I can safely say that I haven't seen any such nonsense on the USS list.

On Sat, Feb 12, 2011 at 6:02 PM, Steve Comstock wrote:

> On 2/12/2011 2:30 PM, Linda Mooney wrote:
>
>> Hi Peter,
>>
>>
>>
>> No, I was not aware of that list, just this one and the Marist VM
>> list - through Share and zNextGen.  Are you suggesting that I leave
>> this list and go there?
>>
>
> I'm sure he's suggesting you _add_ that list to your
> list of lists! You'll find many of us ibm-main'ers
> there, also, but the focus is strictly on what is now
> called z/OS UNIX.
>
> mvs...@vm.marist.edu
>
>
>
>
>>
>>
>> Linda
>>
>>
>> - Original Message -
>> From: "Peter Hunkeler"
>> To: IBM-MAIN@bama.ua.edu
>> Sent: Saturday, February 12, 2011 11:28:03 AM
>> Subject: Re: HFS file questions
>>
>> Linda,
>> are you aware of the MVS-OE list? It is dedicated to z/OS UNIX.
>>
>>
>
> --
>
> Kind regards,
>
> -Steve Comstock
> The Trainer's Friend, Inc.
>
> 303-393-8716
> http://www.trainersfriend.com
>
> * To get a good Return on your Investment, first make an investment!
>  + Training your people is an excellent investment
>
> * Try our new tool for calculating your Return On Investment
>for training dollars at
>  http://www.trainersfriend.com/ROI/roi.html
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Doubtful list etiquette (Should have been: USS misuse again, Was: HFS file questions)

2011-02-12 Thread Rob Schramm
Chris,

I would only recommend to the others on the list that non-engagement is
probably the only successful strategy.  And to leave you to your opinion of
USS.  I would additionally ask that when you experience any outrage about
USS uses, that you would channel the outrage into a new post.

I do appreciate you finally starting your own thread.  I have gone out to
read some of your posts regarding a variety of subjects.  While being a bit
brittle at times, your posts did seem to indicate that you do possess a good
handle on Communication Server issues. I can only say that you have not
dissuaded me one bit from my current use of USS.

I have the following "take aways":

1) Information regarding a "dirty look" from a person deeply ensconced in
VTAM-speak when I use USS for Unix System Services.

2) You have inspired me to act rather than just disagree with you ad nauseam
and to take a page from Dilbert.  I encourage everyone that considers USS to
be Unix System Services to write te...@ca.ibm.com requesting the
modification of the USS acronym definition.  I have sent my first e-mail
requesting the change, and I plan to encourage all System Programmers that
USS should be changed in the official IBM Terminology page.

Cheers,
Rob Schramm



Re: Doubtful list etiquette (Should have been: USS misuse again, Was: HFS file questions)

2011-02-13 Thread Rob Schramm
Jim,

I really should have caught that reference.  I love "Big Bang Theory".  I
wonder what Dr. Sheldon Cooper would say?
;-)

Probably that he should decide any such weighty matters.  And that mere
systems programmers are below engineers.  ;-)

Rob

On Sun, Feb 13, 2011 at 3:15 PM, Jim Mulder  wrote:

> IBM Mainframe Discussion List  wrote on 02/13/2011
> 08:48:13 AM:
>
> > I'd really love to understand why on earth people like you are defending
> > that term in the name of VTAM. You won't change this anymore, like nobody
> > else will. "USS" has become the defacto standard name for z/OS UNIX System
> > Services.
>
>   I am reminded once again of the pitfalls of attempting
> written humor with an international audience.  My entire
> post was intended to be humorous, and my suggested acronym
> was simply to set up the implied joke in the next paragraph,
> with respect to what a similar acronym might be on a widely
> used x86 operating system.  However, recognition of the
> intended humor does require familiarity with American
> slang terminology.
>
>  Instead of an industry standard icon such as :-) to
> indicate humor, I used a quote from a fictional character
> on a recent episode of a popular situation comedy show on
> American television.  That also is likely ill advised
> with an international audience.  Suitably chastened,
> I will attempt to control my obsession with obscure
> referential humor.  For a while, at least.
>
> Jim Mulder   z/OS System Test   IBM Corp.  Poughkeepsie,  NY
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



VTAM acronym consistancy

2011-02-14 Thread Rob Schramm
I have been trading e-mails with the Terminology folks and reading the
Terminology page and noticed the formatted system service which made me
wonder:

If unformatted system service is represented by the acronym USS.  Why is
there no FSS for formatted system service?  Or is the FSS acronym already in
use but neglected by the Terminology folks?

Rob Schramm



Re: USS and FSS (Was: VTAM acronym consistency)

2011-02-15 Thread Rob Schramm
on which can be presented in the USS
> messages can include IP-related information.
>
> There are no "hits" for FSS since, in effect, the TN3270 solicitor panel is
> the approximate equivalent of "Formatted System Services".
>
> If the designer behind the TN3270E RFCs had been on his toes, he might have
> allowed an even more enhanced function but he regrettably removed one of
> the most useful aspects of the USS function in not permitting USS messages
> to appear while a session was in place.[1] What a lost opportunity - all
> down to ignorance of SNA's capabilities, an ignorance of which in those who
> should have known better I am perpetually reminded ...
>
> Chris Mason
>
> [1] Why? - the curious are asking. Because all those variables so helpful
> for problem determination while calling the "help desk" can be presented in
> an USS 5 message in a pure SNA environment but not with the unnecessarily
> restrictive design of RFC 2355.
>
> P.S. You may have noticed that my spelling checker has been at work again.
>
> On Mon, 14 Feb 2011 20:59:20 -0500, Rob Schramm
>  wrote:
>
> >I have been trading e-mails with the Terminology folks and reading the
> >Terminology page and noticed the formatted system service which made me
> >wonder:
> >
> >If unformatted system service is represented by the acronym USS.  Why is
> >there no FSS for formatted system service?  Or is the FSS acronym already
> >in use but neglected by the Terminology folks?
> >
> >Rob Schramm
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: VTAM acronym consistancy

2011-02-15 Thread Rob Schramm
I feel like an idiot.  Got too focused on CS stuff.  

On Tue, Feb 15, 2011 at 8:27 AM, McKown, John  wrote:

> > -Original Message-
> > From: IBM Mainframe Discussion List
> > [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Rob Schramm
> > Sent: Monday, February 14, 2011 7:59 PM
> > To: IBM-MAIN@bama.ua.edu
> > Subject: VTAM acronym consistancy
> >
> > I have been trading e-mails with the Terminology folks and reading the
> > Terminology page and noticed the formatted system service
> > which made me
> > wonder:
> >
> > If unformatted system service is represented by the acronym
> > USS.  Why is
> > there no FSS for formatted system service?  Or is the FSS
> > acronym already in
> > use but neglected by the Terminology folks?
> >
> > Rob Schramm
>
> FSS is Functional SubSystem (which is so much nicer than the NSS -
> Nonfunctional SubSystem delivered by some vendors - and yes I know that NSS
> is z/VM's Named Saved Segment). It refers to printers which are usually AFP
> printers. They are driven in an address space (STC) separate from the JES
> address space.
>
> Ref:
> http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/IEA2E510/CCONTENTS
>
> --
> John McKown
> Systems Engineer IV
> IT
>
> Administrative Services Group
>
> HealthMarkets(r)
>
> 9151 Boulevard 26 * N. Richland Hills * TX 76010
> (817) 255-3225 phone *
> john.mck...@healthmarkets.com * www.HealthMarkets.com
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: z/OS 1.13

2011-02-15 Thread Rob Schramm
John,

I am curious about your use of "repay attention".  It attracted my
attention.  Is the intent to indicate that any attention to the announcement
will be repaid to the reader?  Or to refocus attention on z/OS?

Regards,
Rob Schramm

On Tue, Feb 15, 2011 at 7:48 AM, john gilmore wrote:

> This morning's IBM Announcement Letters contain a preview of 1.13 that will
> repay attention.
>
> John Gilmore Ashland, MA 01721-1817 USA
>


Re: VTAM acronym consistency

2011-02-15 Thread Rob Schramm
Chris,

You are correct.

I did mean Cursor Stability, I actually confused my posts.  I meant to send
my post to the DB2 listserv.  Thank you so much for the expansive
explanation of my error.

My appreciation for you grows by the hour.

Rob Schramm


On Tue, Feb 15, 2011 at 9:17 AM, Chris Mason wrote:

> Rob
>
> > Got too focused on CS stuff.
>
> I don't expect you mean the following:
>
> 
>
> cursor stability (CS)
>
> An isolation level that for cursors, after fetching and while positioned on a
> row, prevents the row from being changed by other applications until the
> cursor position is moved from the row. CS also prevents any row that is
> changed by other applications from being read until the change is committed.
> See also read stability, repeatable read, uncommitted read, isolation level.
>
> 
>
> http://www-01.ibm.com/software/globalization/terminology/c.html
>
> So you should do what I always do and which I'm content for anyone to do -
> unless it's an "official" abbreviation inside an "official" IBM manual -
> which is to introduce your abbreviations as follows:
>
> Communications Server (CS)
>
> Until informed that the official IBM standard was as above, I used to use
> the following form in my presentations:
>
> Communications Server, CS,
>
> so I changed since I'm all for uniformity!
>
> > I feel like an idiot.
>
> Don't take it so to heart! I'm sure none of the rest of us feel that.
>
> Chris Mason
>
> On Tue, 15 Feb 2011 08:31:54 -0500, Rob Schramm
>  wrote:
>
> >I feel like an idiot.  Got too focused on CS stuff.  
> >
> >On Tue, Feb 15, 2011 at 8:27 AM, McKown, John wrote:
> >
> >> > -Original Message-
> >> > From: IBM Mainframe Discussion List
> >> > [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Rob Schramm
> >> > Sent: Monday, February 14, 2011 7:59 PM
> >> > To: IBM-MAIN@bama.ua.edu
> >> > Subject: VTAM acronym consistency
> >> >
> >> > I have been trading e-mails with the Terminology folks and reading the
> >> > Terminology page and noticed the formatted system service
> >> > which made me
> >> > wonder:
> >> >
> >> > If unformatted system service is represented by the acronym
> >> > USS.  Why is
> >> > there no FSS for formatted system service?  Or is the FSS
> >> > acronym already in
> >> > use but neglected by the Terminology folks?
> >> >
> >> > Rob Schramm
> >>
> >> FSS is Functional SubSystem (which is so much nicer than the NSS -
> >> Nonfunctional SubSystem delivered by some vendors - and yes I know that NSS
> >> is z/VM's Named Saved Segment). It refers to printers which are usually AFP
> >> printers. They are driven in an address space (STC) separate from the JES
> >> address space.
> >>
> >> Ref:
> >> http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/IEA2E510/CCONTENTS
> >>
> >> --
> >> John McKown
> >
> >--
> >Rob Schramm
>


Re: z/OS 1.13 preview

2011-02-15 Thread Rob Schramm
Does anyone else think that working with z/OS is completely the coolest
thing since the invention of "sliced bread"?

I am reading thru the 1.13 announcement and there is a lot of really cool
stuff. It is hard to just select a few things to talk about.

Rob Schramm

On Tue, Feb 15, 2011 at 10:07 AM, Steve Comstock
wrote:

> Today the IBM announcements newsletter included the
> preview for z/OS 1.13.
>
> One point that caught my eye immediately:
>
>  * Support is planned for in-stream data sets
>    to be used within JCL procedures and for
>    include statements.
>
> Well! That's been a long time coming. But I'm sure
> more than a few on this list will appreciate it.
> (Note: announced for JES2 only)
>
>
> Another interesting change:
>
>  * Support is planned for job return codes.
>    This support will be designed to allow you
>    to specify that the job return code be set
>    to the highest return code encountered by
>    any step, the last step, or a specified
>    step in the job. This will help make it
>    simpler to interpret the results of job
>    execution.
>
>
> For ISPF:
>
>  * Line command level Edit macros
>
>
> There are _tons_ of other enhancements listed:
> this looks to be one of the most complex new
> releases in quite a while. I'll report on the
> ones that seem significant to the application
> development community in my annual post after
> the docs are available and I've had a chance
> to go through them more carefully. But the
> above seemed significant and easy to grasp
> right away.
>
>
>
> --
>
> Kind regards,
>
> -Steve Comstock
> The Trainer's Friend, Inc.
>
> 303-393-8716
> http://www.trainersfriend.com
>


Re: z/OS 1.13 preview

2011-02-15 Thread Rob Schramm
I think VM is cool too.  I don't really have an opinion about VSE.
Although, it has been my experience that each of the Operating Systems out
there has its "cool points".  I just am really excited about the 1.13
things... and I am not finished reading the whole thing.

Rob

On Tue, Feb 15, 2011 at 11:02 AM, August Carideo wrote:

> I like VM/VSE better
> Ok now don't beat me up here
> LOL


Re: z/OS 1.13 preview

2011-02-15 Thread Rob Schramm
John,

Not that I am a firm advocate of vi ... (I used to complain endlessly about
it when I was working on AIX and grew to more of a grudging acceptance
because it was one of the few things I could count on when moving in between
the various UNIX flavors) but it is nice to know the basics.  I am
encouraged that even vi made the list for 1.13.  I have to agree that
additional movement in Unix System Services shell would be a good thing.
Although, I think I see the writing clearly when it comes to zOSMF.  I
think that zOSMF will become the de facto delivery for all new interactions
with z/OS.  It is just way too much of a no-brainer.  Not that I see them
dropping TSO/ISPF because having a fairly simple way to interact with z/OS
is always going to be a requirement.

Rob

On Tue, Feb 15, 2011 at 11:07 AM, McKown, John <
john.mck...@healthmarkets.com> wrote:

> > -Original Message-
> > From: IBM Mainframe Discussion List
> > [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Rob Schramm
> > Sent: Tuesday, February 15, 2011 9:59 AM
> > To: IBM-MAIN@bama.ua.edu
> > Subject: Re: z/OS 1.13 preview
> >
> > Does anyone else think that working with z/OS is completely
> > the coolest
> > thing since the invention of "sliced bread"?
> >
> > I am reading thru the 1.13 announcement and there is a lot of
> > really cool
> > stuff. It is hard to just select a few things to talk about.
> >
> > Rob Schramm
>
> For a general purpose, all around, reliable operating system, z/OS is
> excellent. It may fall behind others in specific areas. Eg: TSO on z/OS
> stinks (IMO) compared to a CMS on z/VM. With some enhancements, a z/OS UNIX
> shell could easily become my interactive environment of choice. The main
> enhancement would be an ISPF for UNIX which would allow me to do SDSF,
> edit/view/browse, DSLIST, and HCD in a X window on my desktop. And if IBM
> were to embrace the GNU versions of the UNIX utilities instead of their own
> versions, I'd be in nerd-vana.
>
> Too bad most managers truly believe that "Windows is faster, better,
> cheaper!" than z/OS. That was a mantra around here about 3 years ago.
>
> --
> John McKown


Re: z/OS 1.13 preview

2011-02-15 Thread Rob Schramm
Is anyone using BIND DNS to provide DNS resolution?

On Tue, Feb 15, 2011 at 1:22 PM, Ward, Mike S  wrote:

> John, I'm not trying to be funny, but have you tried obrowse or oedit.
> Or maybe the environment that you connect with doesn't support it?
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
> Behalf Of McKown, John
> Sent: Tuesday, February 15, 2011 11:10 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: z/OS 1.13 preview
>
> > -Original Message-
> > From: IBM Mainframe Discussion List
> > [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Rob Schramm
> > Sent: Tuesday, February 15, 2011 10:20 AM
> > To: IBM-MAIN@bama.ua.edu
> > Subject: Re: z/OS 1.13 preview
> >
> > John,
> >
> > Not that I am a firm advocate of vi ... (I used to complain endlessly about
> > it when I was working on AIX and grew to more of a grudging acceptance
> > because it was one of the few things I could count on when moving in between
> > the various UNIX flavors) but it is nice to know the basics.  I am
> > encouraged that even vi made the list for 1.13.  I have to agree that
> > additional movement in Unix System Services shell would be a good thing.
> > Although, I think I see the writing clearly when it comes to zOSMF.  I
> > think that zOSMF will become the de facto delivery for all new interactions
> > with z/OS.  It is just way too much of a no-brainer.  Not that I see them
> > dropping TSO/ISPF because having a fairly simple way to interact with z/OS
> > is always going to be a requirement.
> >
> > Rob
>
> I'd prefer that they replace their "vi" clone with the FOSS "vim". All
> that I see in the announcement about "vi" is enhanced support of ASCII,
> not functionality.
>
> --
> John McKown


Re: z/OS 1.13 preview

2011-02-15 Thread Rob Schramm
I was curious about plans to replace the functionality.

Statement of Direction
"z/OS V1.13 is planned to be the last release in which the BIND 9.2.0
function will be available. Customers who currently use or plan to use the
z/OS BIND 9.2.0 function as a caching-only name server should use the
resolver function, which became generally available in z/OS V1.11, to cache
Domain Name Server (DNS) responses. Customers who currently use or plan to
use the z/OS BIND 9.2.0 function as a primary or secondary authoritative
name server should investigate using BIND on Linux for System z or BIND on
an IBM blade in an IBM zEnterprise BladeCenter® Extension (zBX)."


On Tue, Feb 15, 2011 at 1:26 PM, Ward, Mike S  wrote:

> Yes

Re: z/OS 1.13 preview

2011-02-17 Thread Rob Schramm
Chris,

Consider the topic of "z/OS 1.13 Preview".  Seems a fairly open invitation
to discuss anything that has to do with "z/OS 1.13 Preview".

I am not sure how someone would misinterpret a subject that is clearly
bounded within "z/OS 1.13 Preview" to be a general discussion of BIND for
PC's.  But I guess history lessons are always valuable.  As you stated, "I
see the others responding to the initial question - ...- referring to
the z/OS CS BIND server as you intended"; everyone seemed to follow along
based upon the initial framework.  There are a lot of smart people on
IBM-Main.

I am not sure that I understand the ambiguity.  IBM is getting rid of the
BIND DNS 9.2 on z/OS.  From the 1st part of the statement, it is a
no-brainer to use RESOLVER for DNS caching/lookups.  I agree that using
RESOLVER has generally been a good thing.  I would only add that changing
to "LOOKUP LOCAL DNS" (see z/OS Communication Server IP Configuration
Reference, chapter "TCPIP.DATA Configuration Statements") can sometimes
help with some applications.

The 2nd part of the BIND DNS removal statement is pretty clear; I would
interpret it as "If you are using BIND DNS 9.2 on z/OS as a primary DNS
server... you'd better make plans to use something else."  The 2nd part of
the removal statement seems to be of greater impact to those that "drank the
kool-aid", ran BIND DNS on z/OS and now have to find another platform
to deliver the service.  I certainly had considered advocating running BIND
DNS x.x on z/OS in the past.  I am somewhat glad that I was not successful.

I had remembered seeing at least one post on running BIND DNS on z/OS in the
past.  I thought I would ask to see if the announcement/"statement of
direction" adversely affects anyone.

Cheers,
Rob Schramm





Re: AT-TLS security for SSL sockets

2011-02-17 Thread Rob Schramm
Jim,

Did you find the "TCPIP Implementation Vol 4 Policy Based Network Security"
Redbook?  There are quite a few versions.  Here is a link to the 1.11 one:
http://www.redbooks.ibm.com/abstracts/sg247801.html?Open

It will help you get some of the predecessor parts going with the policy
agent and there is a whole chapter on AT-TLS.  If you print it.. it can be
used to weight the bed of a truck to help in snowy conditions.   ;-)

Rob Schramm

On Thu, Feb 17, 2011 at 4:08 AM, Jim McAlpine wrote:

> Anyone got experience of setting this up.  I'm particularly interested in
> CICS Sockets, but any help would be appreciated.
>
> Jim McAlpine
>


Re: ISPF : Some Characters are displayed in edit mode but not in browse ...

2011-02-17 Thread Rob Schramm
My first guess would be emulator problem.  What TN3270 emulator are you
using?

Rob Schramm

On Thu, Feb 17, 2011 at 8:23 AM, CUNY Yann
wrote:

> Hi all,
>
> We got '\' characters (X'48') that are not displayed when we browse
> a dataset. But when we edit it, we can see it.
>
> For example:
>
> In browse mode :
>
> E: StoneBranch UCmdHome SVC_Scheduling.SIEGE>call E: prod CFCR scripts
>
>
> In edit mode :
>
> E:\StoneBranch\UCmdHome\SVC_Scheduling.SIEGE>call E:\prod\CFCR\scripts\
>
> (we are just submitting scripts on Windows with our Mainframe TWS).
>
> Any explanation?
>
>
> Regards,
>
> ___
> YANN CUNY
> AXA TECH
> IDST OUTILS
>
> ( + 33 1 55 67 22 49
> ___
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
> Behalf Of Hunkeler Peter (KIUP 4)
> Sent: Monday, February 14, 2011 08:43
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: /tmp space is full
>
> >(I seem to vaguely remember that some PFS types have got
> >some dependency on that name in newer releases. I know the
> >above worked in earlier OS/390 releases; I tried)
>
> For the records: I've been searching my old notes and found
> that
>
> - ZFS must be ZFS. You'll get a message from ZFS when
>  you try to start it with some other name.
>
> - Automount needs to be called AUTOMNT. You'll get a
>  message when running /usr/sbin/automount if the name
>  is not correct.
>
> - HFS, TFS and INET can be started with different names.
>  (I don't mean to say anyone should do this. It was just
>  part of "prove myself I understand how this works" :-)
>
>
> --
> Peter Hunkeler
> CREDIT SUISSE AG
>


Re: ISPF : Some Characters are displayed in edit mode but not in browse ...(USS?)

2011-02-17 Thread Rob Schramm
My initial reaction was codepage problem. But then emulator seemed a better
guess.

Maybe we can entice some additional help.  I notice anytime I use an acronym
incorrectly Chris will chime in. USS?

Do you have a monitor to trace sessions?  My next step would be to verify
whether there is really a x'48' there in browse mode.

On Thu, Feb 17, 2011 at 8:51 AM, CUNY Yann
wrote:

> I use VIVA Station. But, I got the same with PCOM or XTRA.
> Any difference between View or Browse ? You don't have the same ?
>
> Maybe a codepage problem (France 1147) ?
>
> Regards,
>
> ___
> YANN CUNY
> AXA TECH
> IDST OUTILS
>
> ( + 33 1 55 67 22 49
> ___
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
> Behalf Of Rob Schramm
> Sent: Thursday, February 17, 2011 14:45
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: ISPF : Some Characters are displayed in edit mode but not in
> browse ...
>
> My first guess would be emulator problem.  What TN3270 emulator are you
> using?
>
> Rob Schramm

Re: ISPF : Some Characters are displayed in edit mode but not in browse ...

2011-02-18 Thread Rob Schramm
Thanks Chris!


On Thu, Feb 17, 2011 at 10:31 PM, Chris Mason wrote:

> Yann
>
> I've been inveigled into participating in this thread on no sound grounds
> whatsoever!
>


>
> However, since I've taken a look I would say that, if having used the
> hexadecimal option which I believe you can use in both BROWSE and EDIT,
> you see precisely the same encoding, you have a problem which is purely a
> matter for ISPF and you should ask on the ISPF list:
>
> https://listserv.nd.edu/cgi-bin/wa?A0=ISPF-L
>
> Actually, I think that's what Rob Schramm was suggesting anyhow.
>
> Chris Mason
>
> On Thu, 17 Feb 2011 14:23:22 +0100, CUNY Yann wrote:
>
> >Hi all,
> >
> >   We got '\' characters (X'48') that are not displayed when we browse
> a dataset. But when we edit it, we can see it.
> >
> >For example:
> >
> >In browse mode :
> >
> >E: StoneBranch UCmdHome SVC_Scheduling.SIEGE>call E: prod CFCR scripts
> >
> >
> >In edit mode :
> >
> >E:\StoneBranch\UCmdHome\SVC_Scheduling.SIEGE>call E:\prod\CFCR\scripts\
> >
> >(we are just submitting scripts on Windows with our Mainframe TWS).
> >
> >Any explanation?
> >
> >
> >Regards,
> >
> >___
> >YANN CUNY
> >AXA TECH
> >IDST OUTILS
> >
> >( + 33 1 55 67 22 49
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Help with ADJSSCP

2011-02-18 Thread Rob Schramm
Chris,

I think I can help.  I ran across a similar issue a while ago.  CICS is
configured to reestablish a connection when it "sees" an abnormally
terminated session such as the user closing a TN3270 window.  The behavior
is governed by CICS settings.  I used to work with a certain awesome
CommServ/CICS guy that indicated that the trouble is most likely the
CREATESESS(YES) on the TYPETERM definition.  When the terminal is
autoinstalled, CICS will issue a message indicating what TYPETERM was used.
Check the MSGUSR message DFHZC6935I for the details.  If the TYPETERM has
CREATESESS(YES) specified, then CICS will attempt to reestablish the
connection after the initial auto-install of the terminal has been done.
Normally, CREATESESS(YES) is used for things like printers to allow CICS to
initiate the session.  Of course  VTAM is just doing what is normal and
trying to be helpful but to no avail.. since no one is on the other side
anymore.  

There is also the possibility of a customized Node Error Program.  I am
supplying a link for why a Node Error Program might be used.
http://publib.boulder.ibm.com/infocenter/cicsts/v3r1/index.jsp?topic=/com.ibm.cics.ts31.doc/dfha3/dfha357.htm

Rob Schramm
And special thanks to a Mr. Eades

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Chris Mason
Sent: Friday, February 18, 2011 10:29 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Help with ADJSSCP

George

I know I have a response outstanding regarding your "keep-alive" problem,
but I just spotted this. I seem to be the only list contributor dealing with
VTAM matters so I don't expect I'm taking the pleasure away from anyone else
by trying to deal with it immediately - although I'd be delighted to know
that I was - and all are invited to try to work out what I may be meaning
with that!

-

Actually the first point that comes to mind is why are you asking this
question because anyone who has been through usual VTAM subarea networking
education and worked with it should know all about the famous 087D sense
code, its various modifiers and IST663I messages and what they imply.

This reeks to me of a "let go" where the "suits" have decided that their
VTAM systems programmer was "superfluous to requirements" and has been
allowed to spend all his time on the golf course or supporting the football
team at away matches - or equivalent pursuits for a lady.

-

Now looking at the names of the LUs in this failed session setup, I see that
the origin LU (OLU) is 

FLANWR41.CICSPRDT

which looks like a CICS system and the destination LU (DLU) is one of your
TN3270 APPL statements (for external users),

FLANWR41.TELNE21E

This implies that CICS is trying to initiate a session with the TN3270 APPL
statement which is *not* usual. Usually, it is the TN3270 APPL statement
which is trying to initiate a session with CICS.

Note the message 

IST264I  REQUIRED ADJSSCP TABLE  UNDEFINED

which, in conjunction with the IST663I message with sense code 087D0002, is
saying that, the SSCP (VTAM) has a session setup request from an OLU
destined for a DLU which can't be satisfied in the "home" domain - because
the required DLU is not defined - or is inactive. Thus it needs to send the
session setup request to other, "away", SSCPs (also known in this context as
CDRMs) (VTAMs) and, to do this, it sends the request sequentially following
the order defined by the "adjacent SSCP" table defined for the DLU, which,
if it doesn't already exist, can be a default list for the "home" network,
as defined by the "network identifier" (NETID) - assuming we don't have an
SNI configuration, which in this case we don't since the NETIDs are the
same.

However, you don't have a suitable "home" network adjacent SSCP table
available maybe because you haven't actually got any other, "away", systems
running VTAM connected with subarea links to your "home" system which can be
used to build a dynamic adjacent SSCP list under control of the DYNASSCP
start option specified as DYNASSCP=YES, the default.

All of which is consistent with the messages you see - assuming two things:

1. TELNE21E is not active
2. You have specified, perhaps by default, the DUPDEFS start option as
DUPDEFS=APPL or DUPDEFS=ALL, the default.

I had a look at the explanation of the DUPDEFS start option and there is a
bit of a confusing comment under DUPDEFS=APPL. I think this means that what
I have described is likely to be valid only because you have defined your
TN3270 APPL statements as a *model* APPL statement - which, because of your
other thread, still ongoing, I know is as follows:

TN3270A  VBUILD TYPE=APPL
TN3270G  GROUP EAS=1
TELNI??? APPL
TELNE??? APPL

Well, as it should be now after my previous comments!

I think this means that the DUPDEFS start optio

Re: Help with ADJSSCP

2011-02-18 Thread Rob Schramm
George,

I had one more thought.  Can you post the CICS error message associated with
the terminal?

Thanks,
Rob

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of George Rodriguez
Sent: Friday, February 18, 2011 2:52 PM
To: IBM-MAIN@bama.ua.edu
Subject: Fwd: Help with ADJSSCP

Hi Chris,

Rob could not help.
*
*
*George Rodriguez*
*Specialist II - IT Solutions*
*Application Support / Quality Assurance* *PX - 47652*
*(561) 357-7652 (office)*
*(561) 707-3496 (mobile)*
*School District of Palm Beach County*
*3348 Forest Hill Blvd.*
*Room B-332*
*West Palm Beach, FL. 33406-5869*
*Florida's Only A-Rated Urban District For Six Consecutive Years*



-- Forwarded message --
From: George Rodriguez 
Date: Fri, Feb 18, 2011 at 1:45 PM
Subject: Re: Help with ADJSSCP
To: Rob Schramm 


Here you go:

DFHZC6935 I 02/18/2011 08:24:06 CICSPRDT Autoinstall for terminal E0AD with
netname TELNE0AD  using model or template DFHLU2E2
successful.

and when I looked at the TYPETERM(DFHLU2E2), this is that parm it has:

CReatesess : No

Thanks. . .
*
*
*George Rodriguez*
*Specialist II - IT Solutions*
*Application Support / Quality Assurance* *PX - 47652*
*(561) 357-7652 (office)*
*(561) 707-3496 (mobile)*
*School District of Palm Beach County*
*3348 Forest Hill Blvd.*
*Room B-332*
*West Palm Beach, FL. 33406-5869*
*Florida's Only A-Rated Urban District For Six Consecutive Years*



On Fri, Feb 18, 2011 at 1:36 PM, Rob Schramm  wrote:

> George,
>
> Did you find the DFHZC6935I  that indicates what TYPETERM was used 
> during the install of the terminal TELNE0AD?  I would not necessarily 
> trust the GROUP definitions.  The message is a better indicator of what is
> happening.
>
> Rob
>
> From: George Rodriguez [mailto:george.rodrig...@palmbeachschools.org]
> Sent: Friday, February 18, 2011 1:27 PM
> To: Rob Schramm
> Subject: Re: Help with ADJSSCP
>
> From what I see in the CICS group definition, DFHTERM and DFHTYPE, 
> CREATESESS is set to NO. When I look at terminals in the TOR, this is 
> how it
> looks:
>
> Ter(E0AD)   Pri( 000 ) Pag Ins Ati Tti Loc
>Net(TELNE0AD) AcqNqn(FLANWR41.TELNE0AD)
>
> and in the CICS that's designated as the AOR, this is how it looks:
>
> Ter(E0AD)   Pri( 000 ) Pag Ins Ati Tti Rte
>Net(TELNE0AD)Rem(CITR)
>
> Thanks for the help...
>
> George Rodriguez
> Specialist II - IT Solutions
> Application Support / Quality Assurance PX - 47652
> (561) 357-7652 (office)
> (561) 707-3496 (mobile)
> School District of Palm Beach County
> 3348 Forest Hill Blvd.
> Room B-332
> West Palm Beach, FL. 33406-5869
> Florida's Only A-Rated Urban District For Six Consecutive Years
>
>
> On Fri, Feb 18, 2011 at 12:19 PM, Rob Schramm 
> wrote:
> Did you confirm that you have CREATESESS(YES) on the TYPETERM definition
> that was used to install the terminal?
>
> From: George Rodriguez [mailto:george.rodrig...@palmbeachschools.org]
> Sent: Friday, February 18, 2011 11:55 AM
> To: IBM Mainframe Discussion List
> Cc: Rob Schramm
> Subject: Re: Help with ADJSSCP
>
> Rob,
>
> So if I remove the option CREATESESS(YES) from the TYPETERM definition,
> would that resolve my problem?
>
>
> George Rodriguez
> Specialist II - IT Solutions
> Application Support / Quality Assurance
> PX - 47652
> (561) 357-7652 (office)
> (561) 707-3496 (mobile)
> School District of Palm Beach County
> 3348 Forest Hill Blvd.
> Room B-332
> West Palm Beach, FL. 33406-5869
> Florida's Only A-Rated Urban District For Six Consecutive Years
>
> On Fri, Feb 18, 2011 at 11:40 AM, Rob Schramm 
> wrote:
> Chris,
>
> I think I can help.  I ran across a similar issue a while ago.  CICS is
> configured to reestablish a connection when it "sees" a abnormally
> terminated session such as the user closing a TN3270 window.  The behavior
> is governed by CICS settings.  I used to work with a certain awesome
> CommServ/CICS guy that indicated that the trouble is most likely the
> CREATESESS(YES) on the TYPETERM definition.  When the terminal is
> autoinstalled, CICS will issue a message indicating what TYPETERM was
> used.
> Check the MSGUSR message DFHZC6935I for the details.  If the TYPETERM has
> CREATESESS(YES) specified, then CICS will attempt to reestablish the
> connection after the initial auto-install of the terminal has been done.
> Normally, CREATESESS(YES) is used for things like printers to allow CICS
> to
> initiate the session.  Of course  VTAM is just doing what is normal and
> trying to be helpful but to no avail.. since no one is on the other side
> anymore.
>
> There is also the possibility of a customize

Re: Help with ADJSSCP

2011-02-18 Thread Rob Schramm
Chris,

There should be a message associated with the disconnect or termination.
The last one was for the session start.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of George Rodriguez
Sent: Friday, February 18, 2011 2:52 PM
To: IBM-MAIN@bama.ua.edu
Subject: Fwd: Help with ADJSSCP

Hi Chris,

Rob could not help.
*
*
*George Rodriguez*
*Specialist II - IT Solutions*
*Application Support / Quality Assurance* *PX - 47652*
*(561) 357-7652 (office)*
*(561) 707-3496 (mobile)*
*School District of Palm Beach County*
*3348 Forest Hill Blvd.*
*Room B-332*
*West Palm Beach, FL. 33406-5869*
*Florida's Only A-Rated Urban District For Six Consecutive Years*



-- Forwarded message --
From: George Rodriguez 
Date: Fri, Feb 18, 2011 at 1:45 PM
Subject: Re: Help with ADJSSCP
To: Rob Schramm 


Here you go:

DFHZC6935 I 02/18/2011 08:24:06 CICSPRDT Autoinstall for terminal E0AD with
netname TELNE0AD  using model or template DFHLU2E2
successful.

and when I looked at the TYPETERM(DFHLU2E2), this is that parm it has:

CReatesess : No

Thanks. . .
*
*
*George Rodriguez*
*Specialist II - IT Solutions*
*Application Support / Quality Assurance* *PX - 47652*
*(561) 357-7652 (office)*
*(561) 707-3496 (mobile)*
*School District of Palm Beach County*
*3348 Forest Hill Blvd.*
*Room B-332*
*West Palm Beach, FL. 33406-5869*
*Florida's Only A-Rated Urban District For Six Consecutive Years*



On Fri, Feb 18, 2011 at 1:36 PM, Rob Schramm  wrote:

> George,
>
> Did you find the DFHZC6935I  that indicates what TYPETERM was used 
> during the install of the terminal TELNE0AD?  I would not necessarily 
> trust the GROUP definitions.  The message is a better indicator of what is
> happening.
>
> Rob
>
> From: George Rodriguez [mailto:george.rodrig...@palmbeachschools.org]
> Sent: Friday, February 18, 2011 1:27 PM
> To: Rob Schramm
> Subject: Re: Help with ADJSSCP
>
> From what I see in the CICS group definition, DFHTERM and DFHTYPE, 
> CREATESESS is set to NO. When I look at terminals in the TOR, this is 
> how it
> looks:
>
> Ter(E0AD)   Pri( 000 ) Pag Ins Ati Tti Loc
>Net(TELNE0AD) AcqNqn(FLANWR41.TELNE0AD)
>
> and in the CICS that's designated as the AOR, this is how it looks:
>
> Ter(E0AD)   Pri( 000 ) Pag Ins Ati Tti Rte
>Net(TELNE0AD)Rem(CITR)
>
> Thanks for the help...
>
> George Rodriguez
> Specialist II - IT Solutions
> Application Support / Quality Assurance PX - 47652
> (561) 357-7652 (office)
> (561) 707-3496 (mobile)
> School District of Palm Beach County
> 3348 Forest Hill Blvd.
> Room B-332
> West Palm Beach, FL. 33406-5869
> Florida's Only A-Rated Urban District For Six Consecutive Years
>
>
> On Fri, Feb 18, 2011 at 12:19 PM, Rob Schramm 
> wrote:
> Did you confirm that you have CREATESESS(YES) on the TYPETERM definition
> that was used to install the terminal?
>
> From: George Rodriguez [mailto:george.rodrig...@palmbeachschools.org]
> Sent: Friday, February 18, 2011 11:55 AM
> To: IBM Mainframe Discussion List
> Cc: Rob Schramm
> Subject: Re: Help with ADJSSCP
>
> Rob,
>
> So if I remove the option CREATESESS(YES) from the TYPETERM definition,
> would that resolve my problem?
>
>
> George Rodriguez
> Specialist II - IT Solutions
> Application Support / Quality Assurance
> PX - 47652
> (561) 357-7652 (office)
> (561) 707-3496 (mobile)
> School District of Palm Beach County
> 3348 Forest Hill Blvd.
> Room B-332
> West Palm Beach, FL. 33406-5869
> Florida's Only A-Rated Urban District For Six Consecutive Years
>
> On Fri, Feb 18, 2011 at 11:40 AM, Rob Schramm 
> wrote:
> Chris,
>
> I think I can help.  I ran across a similar issue a while ago.  CICS is
> configured to reestablish a connection when it "sees" a abnormally
> terminated session such as the user closing a TN3270 window.  The behavior
> is governed by CICS settings.  I used to work with a certain awesome
> CommServ/CICS guy that indicated that the trouble is most likely the
> CREATESESS(YES) on the TYPETERM definition.  When the terminal is
> autoinstalled, CICS will issue a message indicating what TYPETERM was
> used.
> Check the MSGUSR message DFHZC6935I for the details.  If the TYPETERM has
> CREATESESS(YES) specified, then CICS will attempt to reestablish the
> connection after the initial auto-install of the terminal has been done.
> Normally, CREATESESS(YES) is used for things like printers to allow CICS
> to
> initiate the session.  Of course  VTAM is just doing what is normal and
> trying to be helpful but to no avail.. since no one is on the other side
> anymore.
>
> There is also the possibili

Re: Help with ADJSSCP

2011-02-18 Thread Rob Schramm
George,

Is there another message prior to the DFHZC3424 regarding TELNE0AD?

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of George Rodriguez
Sent: Friday, February 18, 2011 3:20 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Help with ADJSSCP

Rob,

After I sent you the reply, I realized that there's more. Here's the rest:

DFHZC3424 E 02/18/2011 14:40:06 CICSPRDT E0AD CSNE Session failure. Session
terminated immediately.  ((1) Module name: DFHZNSP)
NQNAME   E0AD,CSNE,14:40:06,FLANWR41 TELNE0AD

DFHZC3437 I 02/18/2011 14:40:06 CICSPRDT E0AD CSNE Node TELNE0AD action
taken:  CLSDST ABTASK ABSEND ABRECV SIMLOGON ((1) Module name: DFHZNAC)

DFHSN1200 02/18/2011 14:40:06 CICSPRDT Signoff at netname TELNE0AD by user
POLETIC is complete. 265 transactions entered with 2 errors.

DFHZC3462 I 02/18/2011 14:40:06 CICSPRDT E0AD CSNE Node TELNE0AD session
terminated.  ((2) Module name: DFHZCLS) NQNAME   E0AD,CSNE,14:40:06,FLANWR41
TELNE0AD
DFHZC2405 E 02/18/2011 14:40:06 CICSPRDT E0AD CSNE Node TELNE0AD not
activated.  VTAM RETURN CODE 1000 ((6) Module name: DFHZSYX)

DFHZC3437 I 02/18/2011 14:40:06 CICSPRDT E0AD CSNE Node TELNE0AD action
taken: NOCREATE CLSDST ABTASK ABSEND ABRECV ((1) Module name: DFHZNAC)

DFHZC3462 I 02/18/2011 14:40:06 CICSPRDT E0AD CSNE Node TELNE0AD session
terminated.  ((2) Module name: DFHZCLS) NQNAME   E0AD,CSNE,14:40:06,FLANWR41
TELNE0AD
DFHZC5966 I 02/18/2011 14:40:06 CICSPRDT DELETE started for TERMINAL (
 E0AD) (Module name: DFHBSTZ).
DFHZC6966 I 02/18/2011 14:40:06 CICSPRDT Autoinstall delete for terminal
E0AD with netname TELNE0AD was successful.

Sorry for missing those the first time...
*
*
*George Rodriguez*
*Specialist II - IT Solutions*
*Application Support / Quality Assurance* *PX - 47652*
*(561) 357-7652 (office)*
*(561) 707-3496 (mobile)*
*School District of Palm Beach County*
*3348 Forest Hill Blvd.*
*Room B-332*
*West Palm Beach, FL. 33406-5869*
*Florida's Only A-Rated Urban District For Six Consecutive Years*



On Fri, Feb 18, 2011 at 3:01 PM, Rob Schramm  wrote:

> George,
>
> I had one more thought.  Can you post the CICS error message 
> associated with the terminal?
>
> Thanks,
> Rob
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On 
> Behalf Of George Rodriguez
> Sent: Friday, February 18, 2011 2:52 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Fwd: Help with ADJSSCP
>
> Hi Chris,
>
> Rob could not help.
> *
> *
> *George Rodriguez*
> *Specialist II - IT Solutions*
> *Application Support / Quality Assurance* *PX - 47652*
> *(561) 357-7652 (office)*
> *(561) 707-3496 (mobile)*
> *School District of Palm Beach County*
> *3348 Forest Hill Blvd.*
> *Room B-332*
> *West Palm Beach, FL. 33406-5869*
> *Florida's Only A-Rated Urban District For Six Consecutive Years*
>
>
>
> -- Forwarded message --
> From: George Rodriguez 
> Date: Fri, Feb 18, 2011 at 1:45 PM
> Subject: Re: Help with ADJSSCP
> To: Rob Schramm 
>
>
> Here you go:
>
> DFHZC6935 I 02/18/2011 08:24:06 CICSPRDT Autoinstall for terminal E0AD with
> netname TELNE0AD  using model or template DFHLU2E2
> successful.
>
> and when I looked at the TYPETERM(DFHLU2E2), this is that parm it has:
>
> CReatesess : No
>
> Thanks. . .
> *
> *
> *George Rodriguez*
> *Specialist II - IT Solutions*
> *Application Support / Quality Assurance* *PX - 47652*
> *(561) 357-7652 (office)*
> *(561) 707-3496 (mobile)*
> *School District of Palm Beach County*
> *3348 Forest Hill Blvd.*
> *Room B-332*
> *West Palm Beach, FL. 33406-5869*
> *Florida's Only A-Rated Urban District For Six Consecutive Years*
>
>
>
> On Fri, Feb 18, 2011 at 1:36 PM, Rob Schramm 
> wrote:
>
> > George,
> >
> > Did you find the DFHZC6935I  that indicates what TYPETERM was used 
> > during the install of the terminal TELNE0AD?  I would not 
> > necessarily trust the GROUP definitions.  The message is a better 
> > indicator of what is happening.
> >
> > Rob
> >
> > From: George Rodriguez 
> > [mailto:george.rodrig...@palmbeachschools.org]
> > Sent: Friday, February 18, 2011 1:27 PM
> > To: Rob Schramm
> > Subject: Re: Help with ADJSSCP
> >
> > From what I see in the CICS group definition, DFHTERM and DFHTYPE, 
> > CREATESESS is set to NO. When I look at terminals in the TOR, this 
> > is how it
> > looks:
> >
> > Ter(E0AD)   Pri( 000 ) Pag Ins Ati Tti Loc
> >Net(TELNE0AD) AcqNqn(FLANWR41.TELNE0AD)
> >
> > and in the CICS that's designated as the AOR, this is how it looks:
> >
> > Ter(E0AD)  

Re: CICS Session Failure and Model APPL Statements for SLUs (Was: Help with ADJSSCP)

2011-02-21 Thread Rob Schramm
Chris,

That is pretty dang cool.  I guess I was on the right track.. but in the
wrong lane.  I agree with you...  I do not think CICS is playing fair.  I am
wondering if this is a bug and that the behavior for CICS should be fully
honoring the CREATESESS option of CREATESESS(NO).  While trying to be
helpful is usually a good thing, I think giving control to the CICS system
programmer that set up the TYPETERM would be more advantageous.

Rob Schramm

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Chris Mason
Sent: Sunday, February 20, 2011 11:28 PM
To: IBM-MAIN@bama.ua.edu
Subject: CICS Session Failure and Model APPL Statements for SLUs (Was: Help
with ADJSSCP)

George

What you need to state in your initial post is the degree to which something
matters. In the case of these IST663I message groups, it appears not really
to matter since no end-user is noticing anything. Thus the problem is that
there are potentially inconsequential messages which you do not understand,
not that your end-users are unable to get their jobs done.

You'll note I've changed the Subject since the problem has nothing to do
with ADJSSCPs.

-

>...> Rob could not help.

Quite on the contrary, Rob has helped a great deal!

What Rob is suggesting is that, as a consequence of the way the CICS reacts
to session failures, following a failure of the session between the CICS
primary LU and the TN3270 secondary LU, CICS is attempting to, as it were,
repair the damage, by re-establishing the session.

Now that I have seen a full sequence of CICS messages at the time of the
session failure and the attempt to restart the session, I can see that Rob's
suggestion that the session setup originating in CICS is the result of a
reaction to a session failure is correct. The key token in amongst the CICS
messages is SIMLOGON.

Here is an analysis of the sequence of events based on the messages you have
posted. Note that I have adjusted the messages for better comprehension.

Naturally I turned to the CICS "Messages" manual for one hopes complete
clarification of the messages and it is the manual for "CICS Transaction
Server for z/OS V3R1" in order to be using the latest I could find:

CICS Transaction Server for z/OS, CICS Messages and Codes, Version 3 Release
1, GC34-6442-03

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/DFHG4B03/

You first posted a "session started" message, 3461:

> DFHZC3461 I 02/18/2011 08:24:06
> CICSPRDT E0AD CSNE Node TELNE0AD session started.
> ((2) Module name: DFHZOPX) NQNAME   E0AD,CSNE, 8:24:06,FLANWR41 TELNE0AD
> TNADDR   E0AD,CSNE, 8:24:06, 10.50.14.22:1327

This tells us that a session has started between primary LU CICSPRDT and
secondary LU TELNE0AD and not too much else[1] - except that, being a
session supported by a TELNET server which concatenates a TCP connection to
an SNA session, the TELNET server has the option to pass the TELNET client
IP address and port number to the primary LU application - including the
possibility for the session to pass through a session manager from z/OS
V1R12 but only because the API was finally "exposed" and assuming that the
developers of the session manager logic wear their socks/stockings with
suspenders.

You then posted a sequence of error messages associated with the ending of
the session:

-

> DFHZC3424 E 02/18/2011 14:40:06
> CICSPRDT E0AD CSNE Session failure. Session terminated immediately.
> ((1) Module name: DFHZNSP)
> NQNAME   E0AD,CSNE,14:40:06,FLANWR41 TELNE0AD

From the message text we learn two interesting points:

1. The session may be recovered later by VTAM.

2. ..., use the sense data and any associated messages to investigate the
reason for the failure. 

Actually there was no sense data which hints to me that it was an UNBIND
with one of the "unplanned" codes that caused the session to be terminated
rather than any other sort of disaster - although the UNBIND is entitled to
carry sense codes with the X'FE' "type" code - which, if I was the TN3270E
server program developer, I think I would have used for a session ended
because of a "timeout" but, without a trace of some sort, such as NLDM, we
won't know for sure what was used.

-

> DFHZC3437 I 02/18/2011 14:40:06
> CICSPRDT E0AD CSNE Node TELNE0AD action taken:  CLSDST ABTASK ABSEND ABRECV SIMLOGON
> ((1) Module name: DFHZNAC)

This is the key message from the "ZNAC" module. CICS tries not to reinvent
the wheel, so it puts together a collection of potential "actions" as
subroutines and, using a table, invokes a selection of those "actions" based
on the situation which needs to be handled. Those "actions" are identified
in those codes, some of them corresponding to macro calls over the VTAM API.

In this case the "actions" are as follows, CICS

- 
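The correlation described in the analysis above, as an added example that is not part of the original posts: a Python sketch that reassembles the wrapped MSGUSR messages posted in this thread, reports which autoinstall model DFHZC6935 named, and flags a DFHZC3437 action list containing SIMLOGON after a session failure. Treating a following DFHZC2405 as the rejected re-acquire is this example's assumption, and the function names are hypothetical.

```python
import re

# MSGUSR lines as posted in the thread, wrapped the way the e-mail wrapped them.
MSGUSR = """\
DFHZC6935 I 02/18/2011 08:24:06 CICSPRDT Autoinstall for terminal E0AD with
netname TELNE0AD  using model or template DFHLU2E2
successful.
DFHZC3424 E 02/18/2011 14:40:06 CICSPRDT E0AD CSNE Session failure. Session
terminated immediately.  ((1) Module name: DFHZNSP)
NQNAME   E0AD,CSNE,14:40:06,FLANWR41 TELNE0AD
DFHZC3437 I 02/18/2011 14:40:06 CICSPRDT E0AD CSNE Node TELNE0AD action
taken:  CLSDST ABTASK ABSEND ABRECV SIMLOGON ((1) Module name: DFHZNAC)
DFHZC2405 E 02/18/2011 14:40:06 CICSPRDT E0AD CSNE Node TELNE0AD not
activated.  VTAM RETURN CODE 1000 ((6) Module name: DFHZSYX)
DFHZC3437 I 02/18/2011 14:40:06 CICSPRDT E0AD CSNE Node TELNE0AD action
taken: NOCREATE CLSDST ABTASK ABSEND ABRECV ((1) Module name: DFHZNAC)
DFHZC6966 I 02/18/2011 14:40:06 CICSPRDT Autoinstall delete for terminal
E0AD with netname TELNE0AD was successful.
"""

# Start of a CICS message: id, optional severity, date, time, applid, text.
START = re.compile(
    r"^(DFH[A-Z]{2}\d{4})\s+(?:([A-Z])\s+)?"
    r"(\d\d/\d\d/\d{4})\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$"
)


def split_messages(text):
    """Rejoin wrapped lines so that each list item is one whole message."""
    messages = []
    for line in text.splitlines():
        if START.match(line):
            messages.append([line])
        elif messages and line.strip():
            messages[-1].append(line)  # continuation of the previous message
    return [" ".join(" ".join(parts).split()) for parts in messages]


def termid_of(msgid, body):
    """Autoinstall messages say 'terminal XXXX'; DFHZC node messages lead with the termid."""
    m = re.search(r"\bterminal (\S+)", body)
    if m:
        return m.group(1)
    if msgid.startswith("DFHZC"):
        m = re.match(r"(\S{1,4}) \S{1,4} ", body)  # "E0AD CSNE ..." = termid, tranid
        if m:
            return m.group(1)
    return None


def triage(text):
    """Build one summary per terminal from the message stream, in log order."""
    terminals, pending = {}, set()
    for message in split_messages(text):
        msgid, _sev, _date, time, _applid, body = START.match(message).groups()
        termid = termid_of(msgid, body)
        if termid is None:
            continue
        t = terminals.setdefault(termid, {
            "model": None, "netname": None, "failed_at": None,
            "action_sets": [], "simlogon_after_failure": False,
            "reacquire_rejected": None, "deleted": False,
        })
        if msgid == "DFHZC6935":  # which model/TYPETERM the autoinstall really used
            t["model"] = re.search(r"model or template (\S+)", body).group(1)
            t["netname"] = re.search(r"netname (\S+)", body).group(1)
        elif msgid == "DFHZC3424":  # session failure
            t["failed_at"] = time
        elif msgid == "DFHZC3437":  # node error actions chosen by DFHZNAC
            actions = re.search(r"action taken:\s*(.*?)\s*\(\(", body).group(1).split()
            t["action_sets"].append(actions)
            if "SIMLOGON" in actions and t["failed_at"]:
                t["simlogon_after_failure"] = True
                pending.add(termid)
        elif msgid == "DFHZC2405" and termid in pending:
            # Assumption of this example: "not activated" right after SIMLOGON
            # is the re-acquire attempt being turned down by VTAM.
            t["reacquire_rejected"] = re.search(r"VTAM RETURN CODE (\w+)", body).group(1)
            pending.discard(termid)
        elif msgid == "DFHZC6966":
            t["deleted"] = True
    return terminals


if __name__ == "__main__":
    for termid, summary in triage(MSGUSR).items():
        print(termid, summary)
```
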

Re: AT-TLS security for SSL sockets

2011-02-22 Thread Rob Schramm
Jim,
Looks like the important part is that the SSL environment never fully
initialized.  There should be some additional messages in syslog that
should be more indicative of the reason for the environmental failure.

I am including the text from the 5006 AT-TLS return code.

 The connection is using a  TTLSEnvironmentAction statement
 that failed to initialize a System  SSL environment.

 °   Use the syslog to determine why the System SSL environment
 failed to initialize.

 °   If the TTLSEnvironmentAction statement is in error, make
 the necessary corrections. A System SSL environment is
 initialized for the corrected TTLSEnvironmentAction
 statement and new connections  use that environment.

 °   If a SAF configuration change is needed (such as changing a
 certificate in the key ring), make that change and then
 update the EnvironmentUserInstance
 parameter in the TTLSEnvironmentAction
 statement to reflect a changed action.  A System SSL
 environment is initialized using the modified RACF
 configuration and new connections uses that
 environment.

 If configuring using the z/OS Network Configuration Assistant to
 pick up changes made to a key ring, go to the AT-TLS Image Level
 Settings panel and click the Reaccess Key Rings button and
 update the Instance ID for the changed key ring.

Thanks,
Rob

On Tue, Feb 22, 2011 at 11:08 AM, Jim McAlpine  wrote:
>
> On Thu, Feb 17, 2011 at 1:38 PM, Rob Schramm  wrote:
>
> > Jim,
> >
> > Did you find the "TCPIP Implementation Vol 4 Policy Based Network Security"
> > Redbook?  There are quite a few versions.  Here is a link to the 1.11 one
> > http://www.redbooks.ibm.com/abstracts/sg247801.html?Open
> >
> > It will help you
> > get some of the predecessor parts going with the policy agent and there is
> > a
> > whole chapter on AT-TLS.  If you print it.. it can be used to weight the
> > bed
> > of a truck to help in snowy conditions.   ;-)
> >
> > Rob Schramm
> >
> OK, I've used the above redbook to configure what I think is required for
> the certificates and the policy agent and have added TTLS to the TCPCONFIG
> statement.  I'm trying to use a site certificate and have used the jobs in
> chapter 3 of the above to create the necessary certificates.  However when
> I try and connect, I get the following message in the TCPIP address space -
>
> BPXF024I (TCPIP) Feb 22 15:24:49 TTLSÝ65578¨: 16:24:49 TCPIP  543
> EZD1286I TTLS Error GRPID: 0001 ENVID: 0005 CONNID: 247E
> LOCAL: 192.168.126.161..3026 REMOTE: 10.2.1.6..2904 JOBNAME: Z30DCICS
> USERID: Z30DUSR RULE: CSKLrule  RC: 5006 Initial Handshake 
> 
> and the following in the CICS TCPIP output -
>
> EZY1300E 02/22/11 16:22:02 RECV FAILURE TRANSID= CSKL TASKID= 036L
> ERRNO=     54 INET ADDR= 10.2.1.6 PORT=   2879
>
> Any ideas where the problem might be?
>
> Jim McAlpine
>



--
Rob Schramm
Senior Systems Engineer
w: 513.305.6224



Re: AT-TLS security for SSL sockets

2011-02-22 Thread Rob Schramm
Jim,

Have you checked syslogd?

Rob

On Tue, Feb 22, 2011 at 12:42 PM, Jousma, David  wrote:
> "System SSL: ICSF services are not available"
>
> We had this problem in the past when TCPIP initialized before ICSF did.  
> Things may have changed since then, but for us a recycle of TCPIP was 
> required.
>
> _
> Dave Jousma
> Assistant Vice President, Mainframe Services
> david.jou...@53.com
> 1830 East Paris, Grand Rapids, MI  49546 MD RSCB1G
> p 616.653.8429
> f 616.653.8497
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf 
> Of Jim McAlpine
> Sent: Tuesday, February 22, 2011 11:56 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: AT-TLS security for SSL sockets
>
> On Tue, Feb 22, 2011 at 4:43 PM, Rob Schramm  wrote:
>
>> Jim,
>> Looks like the important part is that the SSL environment never fully
>> initialized.  There should be some additional messages in syslog that
>> should be more indicative of the reason for the environmental failure.
>>
>> I am including the text from the 5006 AT-TLS return code.
>>
>>  The connection is using a  TTLSEnvironmentAction statement
>>  that failed to initialize a System  SSL environment.
>>
>>  °   Use the syslog to determine why the System SSL environment
>>      failed to initialize.
>>
>>  °   If the TTLSEnvironmentAction statement is in error, make
>>      the necessary corrections. A System SSL environment is
>>      initialized for the corrected TTLSEnvironmentAction
>>      statement and new connections  use that environment.
>>
>>  °   If a SAF configuration change is needed (such as changing a
>>      certificate in the key ring), make that change and then
>>      update the EnvironmentUserInstance
>>      parameter in the TTLSEnvironmentAction
>>      statement to reflect a changed action.  A System SSL
>>      environment is initialized using the modified RACF
>>      configuration and new connections uses that
>>      environment.
>>
>>  If configuring using the z/OS Network Configuration Assistant to
>>  pick up changes made to a key ring, go to the AT-TLS Image Level
>>  Settings panel and click the Reaccess Key Rings button and
>>  update the Instance ID for the changed key ring.
>>
>> Thanks,
>> Rob
>>
>>
>>
> Rob, the only other messages I can see are the following in the TCPIP
> address space -
>
> System SSL: SHA-1 crypto assist is available
> System SSL: SHA-224 crypto assist is available
> System SSL: SHA-256 crypto assist is available
> System SSL: SHA-384 crypto assist is not available
> System SSL: SHA-512 crypto assist is not available
> System SSL: DES crypto assist is available
> System SSL: DES3 crypto assist is available
> System SSL: AES 128-bit crypto assist is available
> System SSL: AES 256-bit crypto assist is not available
> System SSL: ICSF services are not available
> Do I need to do some further config for ICSF.  I can't see it mentioned in
> the redbook.
>
> Jim McAlpine
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>
>



-- 
Rob Schramm
Senior Systems Engineer
w: 513.305.6224



Re: cascading catalog dataset aliases.

2011-02-22 Thread Rob Schramm
John,

I think that the aliases can work.  Not so sure about the dynamic portion.
Seems like it would be easier to create a short procedure for each product
that would fix up the aliases by environment that would be used when you are
doing maintenance to a product.

SYS1.V1R0.LINKLIB might have an alias of SYS1.PROD.LINKLIB
SYS1.V1R1.LINKLIB might have an alias of SYS1.DEV.LINKLIB.  Ultimately, the
migration would have SYS1.V1R1.LINKLIB have 2 aliases .. one for dev .. one
for prod.  And if you wanted to keep things consistent.. then one for your
tech services system(s).

I would have the JCL point to some DEV or PROD version as well.  1 JCL
change.. lots of alias changes.  Although.. is it a "pick your poison" that
works best for you and your environment.  If you have strong control of your
JCL... maybe JCL change is a better choice.  If you need to "slide" things
in... and avoid JCL .. then aliases may be the trick.

I like catalog tricks in general .. they are tons of fun.  Of course there
are those that are driven crazy by them.  I used to be a "stupid catalog
tricks" (Dave Letterman anyone?) were "always the way" kind of person.  But
I think now that it is  better to step back and think about your environment
and what will work best for the environment.  

Cheers,
Rob



-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Don Imbriale
Sent: Tuesday, February 22, 2011 1:11 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: cascading catalog dataset aliases.

If management requires the dsnames to include the version number, then
doesn't the JCL have to be changed anyway to avoid confusion?  For example,
if you're running V1R1 and want to upgrade to V1R2, if you use aliases then
the JCL would say V1R1 but would resolve to V1R2.  And you know who gets the
blame when there's a problem.

- Don Imbriale

On Tue, Feb 22, 2011 at 9:52 AM, McKown, John  wrote:

> But then the job must run on that system. I would like the option to 
> run on any system using the identical JCL, but using the proper 
> system-specific version of the DSN.
>
> OK, I'm being extreme for my needs. But imagine a parallel sysplex 
> running
> 6 systems. I guess those shops properly design things so that system 
> specific datasets are not needed. Or they exist with the same DSN, but 
> in different catalogs.
>
> I'll likely go with the system-specific ALIAS. If someone runs the job 
> on the wrong system, then that's their worry.
>
> --
> John McKown
> Systems Engineer IV
> IT
>
> Administrative Services Group
>
> HealthMarkets(r)
>
> 9151 Boulevard 26 * N. Richland Hills * TX 76010
> (817) 255-3225 phone *
> john.mck...@healthmarkets.com * www.HealthMarkets.com
>
>



Re: System symbols in dynamic allocation

2011-02-23 Thread Rob Schramm
Looks like there are a few examples on the CBTTAPE.

File 573:  IEFUJV exit for System Symbolic substitution in JCL
FILE 785:  Substitute system symbols into JCL - K-H Doppelfeld

Rob

On Wed, Feb 23, 2011 at 11:00 AM, Charles Mills  wrote:
> Thanks. Your reply crossed in the mail with my follow-up.
>
> FWIW in the case in question I am not using SVC 99 directly but rather using
> C fopen();
>
> Yeah, the fact that you can't code &SYSNAME in JCL seems pretty lame.
>
> Charles
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
> Of Shmuel Metz (Seymour J.)
> Sent: Wednesday, February 23, 2011 6:55 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: System symbols in dynamic allocation
>
> In <031b01cbd2c6$62366280$26a32780$@org>, on 02/22/2011
>   at 11:26 AM, Charles Mills  said:
>
>>Do the same restrictions on static system symbols exist for dynamic
>>allocation as exist for JCL in the same environment
>
> I've seen no documentation for such a restriction, and the excuses IBM
> gave for not allowing arbitrary system symbols in batch JCL do not
> apply to execution time.
>
>>That seems to be what I am seeing but I don't see that restriction
>
> I would create a PMR.
>
>



-- 
Rob Schramm
Senior Systems Engineer
w: 513.305.6224



Re: AT-TLS security for SSL sockets

2011-02-23 Thread Rob Schramm
They also need the resource that allows for listing of keyrings.

Important: Any z/OS-based client or server that uses an RACF key ring
issues internal
RACDCERT LIST and RACDCERT LISTRING commands. The RACF user ID associated
with the server must therefore be granted READ access to the RACF
profiles controlling
these commands, which are IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING.

PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(TCPIP) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(TCPIP) ACCESS(READ)
SETR RACLIST(FACILITY) REFRESH

Rob

On Wed, Feb 23, 2011 at 11:08 AM, Jim McAlpine  wrote:
> On Wed, Feb 23, 2011 at 9:04 AM, Jim McAlpine wrote:
>
>>   On Wed, Feb 23, 2011 at 7:42 AM, Andrew Armstrong <
>> androidarmstr...@gmail.com> wrote:
>>
>>> Jim,
>>>
>>> The EZY1300E message reports that errno 54 (Connection Reset by Peer) was
>>> returned on a RECV socket call by the CICS listener (CSKL). I'd conclude
>>> that the remote client has, for one reason or another, decided to drop the
>>> connection - probably after the SSL handshake has completed since the
>>> listener wouldn't see any action until after that (this would be the
>>> "Application Transparent" part of AT-TLS).
>>>
>>> I've found in the past that using Wireshark (www.wireshark.org) really
>>> helps
>>> in situations like this. I either use Wireshark to capture the trace on
>>> the
>>> client side, or take a CTRACE on z/OS (SYSTCPDA) and use IPCS to format
>>> the
>>> trace into SNIFFER format which I download (in binary) to my PC and let
>>> Wireshark decode it.
>>>
>>> At least you will see how far the SSL handshake progressed. Unfortunately,
>>> after you have an encrypted connection decoding the payload is
>>> difficult...but not impossible - if you can feed Wireshark your
>>> certificate
>>> info then it can decrypt the payload too! Although I have to admit to
>>> never
>>> getting that to work.
>>>
>>> Another thing you can try is to temporarily turn off encryption by
>>> allowing
>>> CipherSpec NULL to be negotiated during the SSL handshake.
>>>
>>> BTW what version of z/OS do you have? I remember trying to set up AT-TLS
>>> on
>>> a 1.7 system only to find that certificates with keys longer than 1024
>>> bits
>>> were not supported by RACF at that level.
>>>
>>> Cheers,
>>> Andrew.
>>>
>>>
>>
>>
>> Andrew, thanks for that good info.  We are on z/OS 1.11.  Also, I've found
>> another message which I missed previously which is this -
>>
>> EZD1286I TTLS Error GRPID: 0001 ENVID: 0006 CONNID: 
>> LOCAL: **N/A** REMOTE: **N/A** JOBNAME: **N/A** USERID: Z30DUSR RULE:
>> **N/A**  RC:  202 Environment Master Init 
>> The 202 RC is a permission error on the keyring which is much better.  I'll
>> check out that this afternoon.
>>
>> Thanks again.
>>
>> Jim McAlpine
>>
>
>
> This is doing my head in.  I'm using the redbook to set up the certificates
> and keyring.  I'm using section 3.4.2 Shared site certificate and shared
> keyring so I've run the 6 jobs specified.  So I've then ftp'd the self
> signed CA certificate to the client but when I try and connect I get the 202
> error which says -
>  "The key ring cannot be opened because the user does not have permission. "
>
>
> However the error message says -
>
> BPXF024I (TCPIP) Feb 21 10:03:11 TTLS[65578]: 11:03:11 TCPIP  158
> EZD1286I TTLS Error GRPID: 0001 ENVID: 0002 CONNID: 
> LOCAL: **N/A** REMOTE: **N/A** JOBNAME: **N/A** USERID: Z30DUSR RULE:
> **N/A**  RC:  202 Environment Master Init 
>
> which includes the userid of Z30DUSR, and if I  do RACDCERT LISTRING, I get
> the following -
>
>  RACDCERT LISTRING(*) ID(Z30DUSR)
>
> Digital ring information for user Z30DUSR:
>
>  Ring:
>       >SHAREDRING1<
>  Certificate Label Name             Cert Owner     USAGE      DEFAULT
>           ---
>  S0W1 CA1                           CERTAUTH       CERTAUTH     NO
>
>  S0W1 SHAREDSITE1                   SITE           PERSONAL  
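
[Added example, not part of the original posts or of IBM's tooling: a Python sketch that rejoins the wrapped EZD1286I lines quoted above, pulls out USERID and RC, and lists the RACF displays to review for RC 202. The sample log is constructed from the messages in this thread; the RLIST commands and all function names are additions of this example.]

```python
import re
from collections import defaultdict

# Constructed sample: the two wrapped EZD1286I messages quoted in the thread
# (CONNID is empty there as well), with an unrelated System SSL line in front.
SAMPLE_SYSLOG = """\
System SSL: ICSF services are not available
EZD1286I TTLS Error GRPID: 0001 ENVID: 0006 CONNID:
LOCAL: **N/A** REMOTE: **N/A** JOBNAME: **N/A** USERID: Z30DUSR RULE:
**N/A**  RC:  202 Environment Master Init
BPXF024I (TCPIP) Feb 21 10:03:11 TTLS[65578]: 11:03:11 TCPIP  158
EZD1286I TTLS Error GRPID: 0001 ENVID: 0002 CONNID:
LOCAL: **N/A** REMOTE: **N/A** JOBNAME: **N/A** USERID: Z30DUSR RULE:
**N/A**  RC:  202 Environment Master Init
"""

LABELS = ("GRPID", "ENVID", "CONNID", "LOCAL", "REMOTE",
          "JOBNAME", "USERID", "RULE", "RC")
LABEL_RE = re.compile(r"\b(" + "|".join(LABELS) + r"):")
# Rough shape of a z/OS message ID (EZD1286I, BPXF024I, ...): ends a record.
MSGID_RE = re.compile(r"^[A-Z]{3,8}\d{3,5}[A-Z]\b")

# Return-code meanings exactly as quoted in this thread; nothing else is assumed.
RC_MEANING = {
    "202": "The key ring cannot be opened because the user does not have permission.",
    "5006": "A TTLSEnvironmentAction statement failed to initialize a System SSL environment.",
}


def join_records(lines, msgid="EZD1286I"):
    """Rejoin a message that syslog wrapped over several lines."""
    records, current = [], None
    for raw in lines:
        line = raw.strip()
        if line.startswith(msgid):
            if current is not None:
                records.append(current)
            current = line
        elif MSGID_RE.match(line):          # some other message: close the record
            if current is not None:
                records.append(current)
            current = None
        elif current is not None and line:  # continuation of the wrapped message
            current += " " + line
    if current is not None:
        records.append(current)
    return records


def parse_ezd1286i(record):
    """Split 'LABEL: value' pairs; a value may be empty (CONNID above)."""
    hits = list(LABEL_RE.finditer(record))
    fields = {name: "" for name in LABELS}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(record)
        fields[hit.group(1)] = record[hit.end():end].strip()
    code, _, event = fields["RC"].partition(" ")
    fields["RC"], fields["EVENT"] = code, event.strip()
    return fields


def triage(record):
    """Attach the thread's explanation and the displays worth reviewing."""
    f = parse_ezd1286i(record)
    checks = []
    if f["RC"] == "202":
        # Compare the access lists with the USERID from the message; the
        # PERMIT example in the post used ID(TCPIP).
        checks = [
            f"RACDCERT LISTRING(*) ID({f['USERID']})",
            "RLIST FACILITY IRR.DIGTCERT.LIST AUTHUSER",
            "RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER",
        ]
    return {
        "userid": f["USERID"],
        "rc": f["RC"],
        "event": f["EVENT"],
        "meaning": RC_MEANING.get(f["RC"], "not covered in this thread"),
        "checks": checks,
    }


def summarize(lines):
    """Group failing environment IDs by (USERID, RC)."""
    seen = defaultdict(list)
    for rec in join_records(lines):
        f = parse_ezd1286i(rec)
        seen[(f["USERID"], f["RC"])].append(f["ENVID"])
    return dict(seen)


if __name__ == "__main__":
    for rec in join_records(SAMPLE_SYSLOG.splitlines()):
        result = triage(rec)
        print(result["userid"], result["rc"], result["event"], "-", result["meaning"])
        for cmd in result["checks"]:
            print("   review:", cmd)
```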

Re: System symbols in dynamic allocation

2011-02-23 Thread Rob Schramm
Charles,

Are you looking for something like...

S CICS,JOBNAME=CICS&SYSNAME.

Or am I just completely not understanding what you are looking for...

There is a section in the JCL Reference on System Symbols which after
a few rules refers the reader to the JCL Symbols section and the Init
and Tuning Reference.

Rob

On Wed, Feb 23, 2011 at 3:00 PM, Tom Marchant  wrote:
> On Wed, 23 Feb 2011 08:43:31 -0800, Charles Mills wrote:
>
>>I want to be able to use a
>>single common control file to specify the name of a file for an STC that
>>could be unique across systems:
>
> You can use system symbols in started task JCL.
>
>>Yes, I could just write an STC to try it with but gee, isn't the point of
>>documentation so that you can know how things work WITHOUT having to run
>>experiments?
>
> Sure, but it only works if you read it.  It is in the JCL reference.
>
> --
> Tom Marchant
>
>



-- 
Rob Schramm
Senior Systems Engineer
w: 513.305.6224



Re: ICSF Troubles

2011-03-03 Thread Rob Schramm
Hal,

Care to post your csfparm (minus the ckds data set name plz) ... or look for
any SYSPLEX keywords and post them?

Thanks,
Rob Schramm

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Hal Merritt
Sent: Thursday, March 03, 2011 12:36 PM
To: IBM-MAIN@bama.ua.edu
Subject: ICSF Troubles

We are z/os 1.11. We almost never IPL. The last time we IPL'd, we received
the following:

11.47.55 STC00014  CSFM450E UNEXPECTED ERROR PROCESSING PKDS, RETURN CODE =
000C, REASON CODE = 1780.
11.47.55 STC00014  CSFM401I CRYPTOGRAPHY - SERVICES ARE NO LONGER AVAILABLE.
11.47.55 STC00014  IEF352I ADDRESS SPACE UNAVAILABLE
11.47.55 STC00014  $HASP395 CSF  ENDED

We don't use PKI and have no current plans to do so. However, the CSF is
critical. With a little experimentation in the testplex, I am currently of
the opinion that it is some sort of file sharing issue.

When I allocate a fresh PKDS, CSF on LparA comes up just fine. However, CSF
on LparB sometimes fails with the above message. The FM seems to say that
the PKDS is not completely initialized until the first key is stowed. Not
sure how to do that.

I'm thinking a PMR. But a user error is usually more likely. Right now my
workaround is to point each LPAR to its own PKDS. Of course, I'm a bit
nervous as I don't want to accidentally break CSF. That would be equivalent to
a full outage.

What I'd really like to do is to completely shut off PKDS. I've tried
starting with no PKDS specified, but CSF refuses to start.

Thoughts?




Re: ADMIN failure using DUMP command in pgm ADRDSSU

2011-03-07 Thread Rob Schramm
Geez.. why bother having security at all.. just put yourself in MODE(WARN)
... you are almost there anyway.

But.. I will say that when it comes to the IBM products, if you don't have a
resource defined the resource check is returned with a RC(4) aka "No
Decision"  ... it is up to the individual product to decide what to do ...
sometimes it lets you do whatever you are trying to do.. other times it will
fail the request and not give you a lot of help as to the missing resource
name.

According to the ADR707E (which gives you all the info you need)

TSS PER() IBMFAC(ADMINSTRATOR)

Of course it is over 8 characters.. so you can probably get by with

TSS ADD(dept) IBMFAC(ADMINIST)
TSS PER() IBMFAC(ADMINIST) 

HTH

Rob Schramm



-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Greg Caserta
Sent: Monday, March 07, 2011 3:59 PM
To: IBM-MAIN@bama.ua.edu
Subject: ADMIN failure using DUMP command in pgm ADRDSSU

RUNNING CA'S TOP SECRET 5.0
I'm trying to dump all my disk to tape for a DR test and I believe I need to
use the ADMIN keyword.

Error when using the ADMIN keyword on the Dump command of pgm ADRDSSU.

PAGE 0001 5695-DF175  DFSMSDSS V1R3.0  DATA SET SERVICES 2011.066
 DUMP FULL INDD(INVOL) OUTDD(OUTVOL) ADMIN ALLDATA(*) TOL(IOER) ALLEXCP
ADR101I (R/I)-RI01 (01), TASKID 001 HAS BEEN ASSIGNED TO COMMAND 'DUMP '
ADR109I (R/I)-RI01 (01), 2011.066 15:43:57 INITIAL SCAN OF USER CONTROL S
ADR707E (R/I)-RI03 (06), NOT AUTHORIZED TO USE ADMINISTRATOR KEYWORD ADR017E
(001)-CLTSK(01), 2011.066 15:43:57 TASK NOT SCHEDULED DUE TO ERRO ADR012I
(SCH)-DSSU (01), 2011.066 15:43:57 DFSMSDSS PROCESSING COMPLETE.

Below is my Top Secret accesses but I can't figure out what else I need to
use the ADMIN keyword.
READY
 TSS LIST(GLC) DATA(ALL,PASSWORD)
ACCESSORID = GLC   NAME   = CASERTA, GREG
TYPE   = CENTRAL   SIZE   =  512  BYTES
FACILITY   = *ALL*
CREATED= 01/29/07  LAST MOD   = 03/07/11  14:21
PROFILES   = SYSTECP   SYSPRGP   SALARYP   SMCTECH
ATTRIBUTES = CONSOLE
BYPASSING  = NODSNCHK,NOVOLCHK,NORESCHK,NOLCFCHK,NOSUBCHK,NOVMDCHK
LAST USED  = 03/07/11 15:51 CPU(INCO) FAC(BATCH   ) COUNT(25965)
XA OTRAN   = CEMT  OWNER(SYSCOMP
   ACCESS  = ALL
INSTDATA   = TECHNICAL SUPPORT
---  SEGMENT CICS
OPIDENT= GLC
---  ADMINISTRATION AUTHORITIES
RESOURCE   = *ALL*
   ACCESS  = ALL
ACID   = *ALL*
FACILITIES = *ALL*
LIST DATA  = *ALL*,PROFILES,PASSWORD,SESSKEY
MISC1  = *ALL*
MISC2  = *ALL*
MISC8  = *ALL*
MISC9  = *ALL*
PASSWORD   =

TSS0300I  LIST FUNCTION SUCCESSFUL
READY
END




Re: ICSF Troubles

2011-03-08 Thread Rob Schramm
Hal,

Ok.  Let's look at a couple of things

DISPLAY GRS,RES=(SYSZPKT.*)
DISPLAY GRS,RES=(SYSDSN.*) <<= look for anyone using My.PKDS

I can tell you that weird things start to happen if you have something
accessing the PKDS that is not the ICSF task.  The ENQ scheme does not take
non-participants into account.  

The safe thing would be to code SYSPLEXPKDS(YES,FAIL(YES)) and let the
system do the heavy lifting.  

You might try the PKDSLIST program to make sure that your PKDS is indeed
empty.  

http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS1903

How many PKDS data sets are in your sysplex now?

Rob Schramm



-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Hal Merritt
Sent: Tuesday, March 08, 2011 5:59 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: ICSF Troubles

 Thanks for the replies so far! 

Rob: Here are my parms:
CKDSN(My.CKDS) 
PKDSN(My.PKDS)
COMPAT(NO)
SSM(YES)  
DOMAIN(2) 
KEYAUTH(NO)   
CHECKAUTH(NO) 
TRACEENTRY(1000)  
USERPARM(USERPARM)
COMPENC(DES)  
REASONCODES(ICSF) 
PKDSCACHE(64) 

Allen: The LRECL of the PKDS does not seem to be an issue. It occurs (or
works) with either. 

John: No VM. There is nothing to suggest a real hardware issue. 

We use GRS for sharing. The member in SAMPLIB was used to define the
clusters. The share options are 2,3. 

This was working just fine until we upgraded from z/os 1.9 to z/os 1.11.


Again, thanks all!!






-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of zSeries Systems Programmer
Sent: Thursday, March 03, 2011 10:35 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: ICSF Troubles

Just a few items

How are you sharing?  GRS?  CA-MIM?  Etc.

Were the files defined with the correct share options?

Was this working before or new configuration?

On Thursday, March 3, 2011, Ward, Mike S  wrote:
> We have one PKDS and one CKDS for all lpars.
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On 
> Behalf Of Hal Merritt
> Sent: Thursday, March 03, 2011 11:36 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: ICSF Troubles
>
> We are z/os 1.11. We almost never IPL. The last time we IPL'd, we 
> received the following:
>
> 11.47.55 STC00014  CSFM450E UNEXPECTED ERROR PROCESSING PKDS, RETURN 
> CODE = 000C, REASON CODE = 1780.
> 11.47.55 STC00014  CSFM401I CRYPTOGRAPHY - SERVICES ARE NO LONGER 
> AVAILABLE.
> 11.47.55 STC00014  IEF352I ADDRESS SPACE UNAVAILABLE
> 11.47.55 STC00014  $HASP395 CSF      ENDED
>
> We don't use PKI and have no current plans to do so. However, the CSF 
> is critical. With a little experimentation in the testplex, I am 
> currently of the opinion that it is some sort of file sharing issue.
>
> When I allocate a fresh PKDS, CSF on LparA comes up just fine. 
> However, CSF on LparB sometimes fails with the above message. The FM 
> seems to say that the PKDS is not completely initialized until the 
> first key is stowed. Not sure how to do that.
>
> I'm thinking a PMR. But a user error is usually more likely. Right now 
> my workaround is to point each LPAR to its own PKDS. Of course, I'm a 
> bit nervous as I don't want to accidentally break CSF. That would be
> equivalent to a full outage.
>
> What I'd really like to do is to completely shut off PKDS. I've tried 
> starting with no PKDS specified, but CSF refuses to start.
>
> Thoughts?
>
>

Re: Dummy LPAR to store excess MIPS

2011-03-11 Thread Rob Schramm
I am assuming that you are on a z9.  It is my understanding that under z10
such machinations are not needed.  

Rob

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Walter Medenbach
Sent: Friday, March 11, 2011 5:27 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Dummy LPAR to store excess MIPS

Defined capacity  capping uses a rolling 4 hour average. Usage before the
cap kicks in can therefore exceed some license agreements. We have
successfully used a dummy coupling facility soaker LPAR. The ICF must have
dynamic dispatch set to OFF to ensure that it goes into a cpu loop. The
amount of soak is controlled by capping the ICF LPAR and adjusting the
weight as required.

Walter Medenbach



Re: Auditing PDSE Libraries

2011-03-11 Thread Rob Schramm
I suppose you could just audit the data sets... but that probably won't give
you what you need.  There was a product.. Change Action (now there is a new
name for it..) by Action Software that would keep track of all PDS/PDSE
changes.  I haven't used it.. just did some looking at it.

There is some sort of PDS member level security from CA-Top Secret.. I don't
know about RACF or ACF2.  I haven't ever used it but I know it is there.  

I am hoping there are others.. I just thought I would respond with the
things I could think of...

HTH

Rob Schramm


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Gary Snider
Sent: Friday, March 11, 2011 2:21 PM
To: IBM-MAIN@bama.ua.edu
Subject: FW: Auditing PDSE Libraries

We are trying to satisfy our auditors by providing reports that detail the
activity in our PDSEs by using SMF Type42 records.  This works fine unless
IEBCOPY was used to add or replace a member in the PDSE.  Then no SMF Type42
record is created.  IBM pointed to APAR OA30503 which states: "SMF Type42
records are not created for PDS when application does not issue STOW.  Only
those applications which issue STOW and DESERV calls for PDS or PDSE
directory processing will generate SMF TYPE42 SubType21 SubType24 or
SubType25 records. Some applications do not issue STOW at times, such as
IEBCOPY."  
We tried using ISPF LMCOPY with some success, however, in the case of load
libraries, ISPF LMCOPY calls IEBCOPY so no SMF TYPE42 records are created.
IBM simply states it is not supported and provides no solution.  Has anyone
else found a utility that will generate the SMF records?  



Re: This is a TCP/IP USS Issue

2011-03-14 Thread Rob Schramm
Donald,

Was there any additional message(s)?  Opening multiple ports is not
specifically restricted .. mostly because there are many examples of address
spaces that bind to multiple ports... DB2 is a perfect example.  Although
514 falls in the "below 1024" category which means for additional security
requirements.

Rob Schramm

On Mon, Mar 14, 2011 at 9:31 AM, Donald Likens wrote:

> I have created a TCP/IP Socket Server that runs in Unix System Services. In
> the TCP/IP Socket server I attempt to open a UDP port (specifically 514)
> and
> get a "Cannot Bind" message. I am guessing that I cannot bind to another
> port since I already have a port open. Does this seem correct?
>
>
>
> Sincerely,
>
>
>
> Donald Likens
>
> InfoSec Inc.
>
> Home: 215-493-0852
>
> Mobile: 267-981-0073
>
> Email: dlik...@infosecinc.com
>
> Visit our new website at  <http://www.infosecinc.com/> www.infosecinc.com
>
> Click here for the
> <
> http://www.facebook.com/pages/Centreville-VA/InfoSec-Inc/43693760902?ref=s
> >
> InfoSec, Inc. Face book page
>
>
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: AT-TLS and CICS Sockets performance

2011-03-17 Thread Rob Schramm
Jim,

I seem to remember a paper that talks about the relative performance for
CICS Sockets with encryption.  From what I remember there was a big hit for
not caching credentials.  I will see if I can find it.  Maybe someone else
in the list can comment?

Rob

On Thu, Mar 17, 2011 at 12:09 PM, Jim McAlpine wrote:

> Cross posted to the CICS list.
>
> I've set up the AT-TLS for CICS Sockets but the performance is very poor
> (+10 secs per transaction) when running in pseudo conversational mode.  If
> I
> run the same application in conversational mode the performance is fine
> and
> on par with running without SSL.  Does anyone have any idea what is
> happening for every pseudo transaction that could be causing this.
>
> Jim McAlpine
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: AT-TLS and CICS Sockets performance

2011-03-17 Thread Rob Schramm
Jim,

IBM is continuing to enhance the performance... the 1.11 indicates that the
short-lived AT-TLS may have been worse prior to 1.11.  I suspect that
the pseudo-conversational is falling into the short-lived camp... and
conversational is keeping the "conversation going" so to speak.

You might ask for clarification on the CICS-L about pseudo vs.
conversational.  I am guessing that you are prior to 1.11 of z/OS.

http://publib.boulder.ibm.com/infocenter/ieduasst/stgv1r0/index.jsp?topic=/com.ibm.iea.commserv_v1/commserv/1.12z/perf/PerformanceOther/player.html
http://publib.boulder.ibm.com/infocenter/ieduasst/stgv1r0/index.jsp?topic=/com.ibm.iea.commserv_v1/commserv/1.11z/security/security/player.html

Cheers,
Rob

On Thu, Mar 17, 2011 at 12:55 PM, Rob Schramm  wrote:

> Jim,
>
> I seem to remember a paper that talks about the relative performance for
> CICS Sockets with encryption.  From what I remember there was a big hit for
> not caching credentials.  I will see if I can find it.  Maybe someone else
> in the list can comment?
>
> Rob
>
> On Thu, Mar 17, 2011 at 12:09 PM, Jim McAlpine wrote:
>
>> Cross posted to the CICS list.
>>
>> I've set up the AT-TLS for CICS Sockets but the performance is very poor
>> (+10 secs per transaction) when running in pseudo conversational mode.  If
>> I
>> run the same application in conversational mode the performance is fine
>> and
>> on par with running without SSL.  Does anyone have any idea what is
>> happening for every pseudo transaction that could be causing this.
>>
>> Jim McAlpine
>>
>>
>
>
>
> --
> Rob Schramm
> Senior Systems Engineer
>
> w: 513.305.6224
>
>


-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: AT-TLS and CICS Sockets performance

2011-03-18 Thread Rob Schramm
Jim,

According to the document.. I can only infer it.

Did you get any help from the CICS-List? Regarding the connection behavior
for pseudo v.s. conversational and how it will affect the AT-TLS connection?

There are additional performance gains in 1.12.

Rob


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Jim McAlpine
Sent: Friday, March 18, 2011 6:10 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: AT-TLS and CICS Sockets performance

On Thu, Mar 17, 2011 at 6:06 PM, Rob Schramm  wrote:

> Jim,
>
> IBM is continuing to enhance the performance... the 1.11 indicates that
> the short-lived AT-TLS may have been worse prior to 1.11.  I suspect that
> the pseudo-conversational is falling into the short-lived camp... and
> conversational is keeping the "conversation going" so to speak.
>
> You might ask for clarification on the CICS-L about pseudo vs.
> conversational.  I am guessing that you are prior to 1.11 of z/OS.
>
> http://publib.boulder.ibm.com/infocenter/ieduasst/stgv1r0/index.jsp?topic=/com.ibm.iea.commserv_v1/commserv/1.12z/perf/PerformanceOther/player.html
>
> http://publib.boulder.ibm.com/infocenter/ieduasst/stgv1r0/index.jsp?topic=/com.ibm.iea.commserv_v1/commserv/1.11z/security/security/player.html
>
> Cheers,
> Rob
>
>
>
Rob, we are at z/OS 1.11.  Are you saying the performance was worse prior to
that. Heaven forbid  :-(

Jim



Re: JZOS Java Job Launcher - z/OS Security questions

2011-03-20 Thread Rob Schramm
Just think JZOS just like any other batch job or STC.

Bare minimum, it needs to be like any basic user of Unix System Services.
Give it a UID/GID and a home.. it needs access to run java aka
/usr/lpp/java.  Anything else past there is dependent on what you are
running.  If it is just reading and writing data sets.. then give it data
set auth... console commands ... it needs OPERCMDS or however else you are
securing them.

Do you have something specific that is running in JZOS that you are trying
to secure?

Rob Schramm

On Sun, Mar 20, 2011 at 10:51 AM, Patrick Kappeler wrote:

> Hello
> I'm looking for answers to specific questions I have reading the JZOS
> literature I could find on the net (developer works, redbooks, ...)...and
> no real answers in these documents. Questions like:
> - Does the RACF user starting the procedure or submitting need a UID with
> specific privileges (or just an "others" from the JRE permission bits
> standpoint) ?
> - Can it be a RACF protected user ?
> - This one probably more on the z/OS side: If JZOS is enabled to transmit
> operator commands I'm assuming that they can be protected via profiles in
> the OPERCMDS class (or do I miss something) ?
>
> Would anybody know of a security oriented document for JZOS ?
> Thanks a lot
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Downloading PoOps?

2011-03-24 Thread Rob Schramm
Seymour,

I was able to do it by typing

Z196 PRINCIPALS OF OPERATION

into google.com

which got me to
http://www.vm.ibm.com/devpages/jelliott/cmosproc.html

which had a link to

http://publibfi.boulder.ibm.com/epubs/pdf/dz9zr008.pdf

Probably not the proper way.. but got the job done.

Rob Schramm

On Thu, Mar 24, 2011 at 10:34 AM, Shmuel Metz (Seymour J.) <
shmuel+ibm-m...@patriot.net> wrote:

> I wanted to download the new Principles of Operations manual. Piece of
> cake - just go to the web site[1] and select it. Surprise!
>
> It turns out that I have to have an IBM user id, and the page includes
> a link for registering. So all I have to do is to register and use the
> new userid and password to sign in. Surprise!
>
> It turns out that when I sign in and attempt to download PoOps, they
> give me a different prompt for userid and password.
>
> Has anybody succeeded in downloading the current PoOps, and what is
> the secret? Thanks.
>
> [1]
>
> http://www-01.ibm.com/support/docview.wss?uid=isg2b9de5f05a9d57819852571c500428f9a
>
> --
> Shmuel (Seymour J.) Metz, SysProg and JOAT
> ISO position; see <http://patriot.net/~shmuel/resume/brief.html>
> We don't care. We don't have to care, we're Congress.
> (S877: The Shut up and Eat Your spam act of 2003)
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Region size

2011-03-24 Thread Rob Schramm
There are plenty of ways to get SORT to do the SORTWK allocations for you.
If you've gone thru the work to set it up ... I dislike coding SORTWK DDs
if I don't have to.  Of course there are also times that they are
invaluable.  I prefer to only code what is really needed... otherwise you
end up with the silly JCL and pet peeves like on
http://planetmvs.com/peeves/index.html under IEBCOPY Overdrive.  *grin*

Rob Schramm


On Thu, Mar 24, 2011 at 4:24 PM, Rick Fochtman  wrote:

> 
> The DB2 people wanting 150GB in paging packs refused to code SORTWK DD
> statements to force in-core sorts. I have always coded SORTWKs even if they
> were never needed.
> --
> Sounds like a terminal case of "Tunnel Vision" to me. How much do they know
> about z/OS outside DB2? My guess: not much, if anything.
>
> The word you seek is "DUMB".  :-)
>
> Rick
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Downloading PoOps?

2011-03-25 Thread Rob Schramm
I use Chrome for general use as part of the developer channel.

Rob Schramm

On Thu, Mar 24, 2011 at 11:47 AM, Shmuel Metz (Seymour J.) <
shmuel+ibm-m...@patriot.net> wrote:

> In
> <90ec2e798a22854ebf67a14ec3fe093f74f9d7f...@scmbxc01.bcbad.state.sc.us>,
> on 03/24/2011
>   at 10:58 AM, "Bonno, Tuco"  said:
>
> >what browser are/were you using?
>
> FireFox/2. Rob Schramm provided what seems to be a working URL.
>
> --
> Shmuel (Seymour J.) Metz, SysProg and JOAT
> ISO position; see <http://patriot.net/~shmuel/resume/brief.html>
> We don't care. We don't have to care, we're Congress.
> (S877: The Shut up and Eat Your spam act of 2003)
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: EDC5111I Permission denied

2011-03-26 Thread Rob Schramm
The error says it all ...it is a bind problem.
It is for a sub-1024 port so you need additional sign.. I would check the
port statements as well... in either case it isn't a permission bit issue.

Rob Schramm
On Mar 26, 2011 9:09 AM, "Lizette Koehler"  wrote:
>> I have a very nagging problem where I cannot run a java program on
>> z/OS-USS that is attempting to use the network interface (UDP PORT 514)
>> to write to the SYSLOG daemon. The following is the message I am getting:
>>
>> java.net.BindException: EDC5111I Permission denied.
>>
>> Talking to IBM they say this is a security problem. Talking to my security
>> person I have the security required. I am able to edit the
>> /var/log/2011/03/26/syslogd using ISPF.
>>
>> Any ideas would be appreciated.
>
> What is the error code (8digit Unix errno)? Is it possible that this is a
> port issue? I found this by googling EDC5111I
>
> job that attempts to open the port will have a jobname with a numeric suffix
> allocated by UNIX System Services and will not match the TCPIP.PROFILE
> jobname. To solve this problem:
>
> Do not reserve the port
> Use an eight character jobname
> Add 'OMVS' to the list of IDs allocated the port in the TCPIP.PROFILE.
> It is not advisable to anticipate the numeric character added by UNIX System
> Services as an ID.
>
> Lizette
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
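
The port-reservation mismatch raised in this exchange can be modelled in a few lines. The following Python sketch is an added example, not code from the thread: it parses the PORT block of a TCP/IP profile and shows why a job shorter than eight characters fails the jobname match after z/OS UNIX appends its numeric suffix, then applies the three fixes listed in the quoted note. The profile text and jobnames are constructed, and treating OMVS as matching any z/OS UNIX job and an unreserved port as bindable are assumptions of this simplified model.

```python
# Simplified model of the PORT-reservation jobname match described in the quoted
# note. All profile text and jobnames below are constructed sample values.

AS_FOUND = """\
PORT
    23 TCP TN3270
   514 UDP JAVALOG     ; reserved under the submitting jobname (7 characters)
"""
FIX_UNRESERVED = "PORT\n    23 TCP TN3270\n"      # fix 1: do not reserve the port
FIX_EIGHT_CHAR = "PORT\n   514 UDP JAVALOGR\n"    # fix 2: eight-character jobname
FIX_OMVS = "PORT\n   514 UDP OMVS\n"              # fix 3: add OMVS as an owner


def parse_port_reservations(profile_text):
    """Return {(port, protocol): [jobname, ...]} from a profile's PORT block."""
    reservations, in_port = {}, False
    for raw in profile_text.splitlines():
        tokens = raw.split(";", 1)[0].split()     # ';' starts a comment
        if not tokens:
            continue
        if tokens[0].upper() == "PORT":
            in_port, tokens = True, tokens[1:]
        elif not tokens[0].isdigit():
            in_port = False                       # another statement ends the block
            continue
        if in_port and len(tokens) >= 3 and tokens[0].isdigit():
            key = (int(tokens[0]), tokens[1].upper())
            reservations.setdefault(key, []).append(tokens[2].upper())
    return reservations


def effective_jobname(jobname, forked=True, suffix=1):
    """Jobname the stack sees. A forked/spawned z/OS UNIX address space gets a
    digit appended when the original name is shorter than eight characters."""
    jobname = jobname.upper()
    if forked and len(jobname) < 8:
        return f"{jobname}{suffix}"
    return jobname


def bind_check(reservations, port, proto, jobname, forked=True):
    """Return (allowed, reason) for a bind() by `jobname` under this model."""
    name = effective_jobname(jobname, forked)
    owners = reservations.get((port, proto.upper()))
    if owners is None:
        return True, f"{name}: {port}/{proto} is not reserved"
    if name in owners:
        return True, f"{name}: matches reservation"
    if "OMVS" in owners:                          # assumption: any z/OS UNIX job
        return True, f"{name}: covered by OMVS reservation"
    return False, f"{name}: reserved for {owners} -> EDC5111I Permission denied"


def run_scenarios():
    """Evaluate the failing profile and the three fixes for UDP port 514."""
    cases = {
        "as found": (AS_FOUND, "JAVALOG"),
        "port not reserved": (FIX_UNRESERVED, "JAVALOG"),
        "eight-character jobname": (FIX_EIGHT_CHAR, "JAVALOGR"),
        "OMVS added": (FIX_OMVS, "JAVALOG"),
    }
    return {label: bind_check(parse_port_reservations(text), 514, "UDP", job)
            for label, (text, job) in cases.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in run_scenarios().items():
        print(f"{label:26} {'OK  ' if allowed else 'FAIL'} {reason}")
```
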


Re: Processing CICS SMF type 110 records

2011-03-26 Thread Rob Schramm
Plus if you use something like co:z ... you could run sas on the pc using
datasets on  zos

Rob
On Mar 26, 2011 9:40 PM, "Bruce Hewson"  wrote:
> Hi John,
>
> Did you price SAS for your PC... not so expensive... and then MXG runs
> there as well.
>
> Ron H. has done this forever...at least since 1998.
>
>>> -Original Message-
>>> From: IBM Mainframe Discussion List On Behalf Of McKown, John
>>>
>>> I know that MXG can do this. We can't run MXG. We don't have SAS or
>>WPS and cannot get the money to
>>> license them. We had them in the past.
>
> 
>
> Regards
> Bruce Hewson
>


Re: JMS and Z/os

2011-03-29 Thread Rob Schramm
Mike,

Usually, JMS is associated with a container.  Of course WebSphere
Application Server has it.  It looks like Tomcat can support it.   Most of
the java containers have some sort of support for JMS.

Perhaps you could answer if you already have some sort of messaging product?
Like MQ or one of the others?

Rob Schramm

On Tue, Mar 29, 2011 at 5:13 PM, Ward, Mike S  wrote:

> Hello all, we are z/os v1.11. I was asked today if z/os could talk JMS
> and I wasn't sure how to answer that. I know we can use Java and that
> JMS means Java messaging service. Can anyone help me answer that
> question?
>
> Thanks
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: JMS and Z/os

2011-03-29 Thread Rob Schramm
Websphere, tomcat, weblogic, glassfish, geronimo, jboss .. J2EE type
containers... which usually have a bunch of built-in services.  The initial
support for MQ in websphere JMS (going back a ways 4.x) was kinda tacked on

Of course it really depends on how you are thinking to use it?

For example.. a WAS sitting out on Unix could have JMS using MQ which sends
it to z/OS MQ where CICS is picking off and processing messages.

Rob Schramm

On Tue, Mar 29, 2011 at 5:59 PM, Ward, Mike S  wrote:

> We have MQ V7 on the mainframe along with the brokers V7. What do you
> mean by containers?
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
> Behalf Of Rob Schramm
> Sent: Tuesday, March 29, 2011 4:48 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: JMS and Z/os
>
> Mike,
>
> Usually, JMS is associated with a container.  Of course WebSphere
> Application Server has it.  It looks like Tomcat can support it.   Most
> of the java containers have some sort of support for JMS.
>
> Perhaps you could answer if you already have some sort of messaging
> product? Like MQ or one of the others?
>
> Rob Schramm
>
> On Tue, Mar 29, 2011 at 5:13 PM, Ward, Mike S  wrote:
>
> > Hello all, we are z/os v1.11. I was asked today if z/os could talk JMS
> > and I wasn't sure how to answer that. I know we can use Java and that
> > JMS means Java messaging service. Can anyone help me answer that
> > question?
> >
> > Thanks
> >
> >
>
>
>
> --
> Rob Schramm
> Senior Systems Engineer
>
> w: 513.305.6224
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: JMS and Z/os

2011-03-29 Thread Rob Schramm
I stand altered.  

I brought up the container .. because that is where I have seen it used
most.

but I thought I would add...

http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=/com.ibm.mq.mqovervw.doc/mq50032_.htm

Rob Schramm



On Mar 29, 2011 7:10 PM, "Kirk Wolf"  wrote:
> JMS is not a container-related API per se.
>
> It is a standard Java API (http://www.jcp.org/en/jsr/detail?id=914) that
> deals with asynchronous messaging.
>
> WebSphere MQ (which is completely distinct from WebSphere AS - the
> container) has a JMS interface, as do other commercial and free JMS
> compliant products.
>
> With WebSphere MQ, you can either use the JMS API or you can use
> WebSphere's proprietary Java API which gives you more functionality and
> control (at the cost of portability).
>
> If you have WebSphere MQ on z/OS, you can use either JMS or the WMQ Java
> API from your Java applications and can be accessed from any Java
> application on z/OS - including Java running under WebSphere AS, batch,
> CICS, IMS, etc.
>
> Even if you don't have a WMQ Server running on z/OS, I believe that you
> can use a Java JMS client to connect to a WMQ server (aka "queue manager")
> on another box. But I'm not a WMQ expert - it could be that you need to
> license a "client" product/feature on z/OS to enable this, so check with
> your friendly IBM rep for details.
>
> Decent references:
> http://en.wikipedia.org/wiki/IBM_WebSphere_MQ
> http://en.wikipedia.org/wiki/Java_Message_Service
>
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com
>


Re: Indirect Cataloging

2011-04-01 Thread Rob Schramm
You can generate the entries manually

DEL SYS1.LINKLIB NOSCRATCH CAT(MASTER.CATALOG)
DEFINE NONVSAM(NAME(SYS1.LINKLIB) DEVT(X'') VOLUME(**))
CATALOG(NEW.MASTER.CATALOG)

You could use the MCNVTCAT utility on the CBT that will help you
generate the commands.

www.cbttape.org
File # 542 Alastair Gray-replacement for MCNVTCAT, other tools

You can do as Mark indicated just go to
http://www.mzelden.com/mvsutil.html and do a find on INDIRECR.TXT
(which looks simpler than using MCNVTCAT)

Of course if both these suggestions aren't clear, you may want to
retain someone to help guide you through the process.  I am sure there
are any number of folks (myself included) on IBM-MAIN open to contract
work.

Rob Schramm


On Fri, Apr 1, 2011 at 11:19 AM, Mark Zelden  wrote:
>
> On Fri, 1 Apr 2011 20:31:26 +0530, SAURABH KHANDELWAL
>  wrote:
>
> >Hello,
> >            Thanks Mark. Can you please help me to setup this indirect
> >cataloging into my system. What are all steps has to be followed and
> >what are all dataset are required to be indirect cataloged.
> >
>
> If you take a list from the SYSRES vtoc (and take out data sets
> like VTOCIX) you can create the delete/define statements for IDCAMS
> with the help of the INDIRECR exec from my web site / CBT file 434.
>
> URL of my web site below ...
>
> --
> Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
> mailto:m...@mzelden.com
> Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
> Systems Programming expert at http://expertanswercenter.techtarget.com/
>
> *** Please note the new URL for Mark's MVS Utilities ***
>



--
Rob Schramm
Senior Systems Engineer
w: 513.305.6224



Re: Indirect Cataloging

2011-04-01 Thread Rob Schramm
CBTTAPE.ORG is a great site for all sorts of useful stuff.

1) http://www.cbttape.org/njw/index.html and download & install the XMIT
Manager V3.  It is a handy little utility for viewing *.XMI files.
2) go to www.cbttape.org
3) do a "find" on MCNVTCAT
4) click on the link and download the file, unzip it then provided you
installed XMIT Manager.. you can open the FILE542.XMI and look at the README
For Mark's just upload the REXX utility and read the instructions.

As far as the NOSCRATCH, you can always test the process on a data set
before trying it for real.

Rob Schramm

On Fri, Apr 1, 2011 at 12:07 PM, Stan Weyman  wrote:

>   heavy emphasis on the NOSCRATCH 
>
> It is wise to keep in mind that neither
> success nor failure is ever final...
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
> Behalf Of Rob Schramm
> Sent: Friday, April 01, 2011 12:01 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Indirect Cataloging
>
> You can generate the entries manually
>
> DEL SYS1.LINKLIB NOSCRATCH CAT(MASTER.CATALOG)
> DEFINE NONVSAM(NAME(SYS1.LINKLIB) DEVT(X'') VOLUME(**))
> CATALOG(NEW.MASTER.CATALOG)
>
> You could use the MCNVTCAT utility on the CBT that will help you
> generate the commands.
>
> www.cbttape.org
> File # 542 Alastair Gray-replacement for MCNVTCAT, other tools
>
> You can do as Mark indicated just go to
> http://www.mzelden.com/mvsutil.html and do a find on INDIRECR.TXT
> (which looks simpler than using MCNVTCAT)
>
> Of course if both these suggestions aren't clear, you may want to
> retain someone to help guide you through the process.  I am sure there
> are any number of folks (myself included) on IBM-MAIN open to contract
> work.
>
> Rob Schramm
>
>
> On Fri, Apr 1, 2011 at 11:19 AM, Mark Zelden  wrote:
> >
> > On Fri, 1 Apr 2011 20:31:26 +0530, SAURABH KHANDELWAL
> >  wrote:
> >
> > >Hello,
> > >Thanks Mark. Can you please help me to setup this indirect
> > >cataloging into my system. What are all steps has to be followed and
> > >what are all dataset are required to be indirect cataloged.
> > >
> >
> > If you take a list from the SYSRES vtoc (and take out data sets
> > like VTOCIX) you can create the delete/define statements for IDCAMS
> > with the help of the INDIRECR exec from my web site / CBT file 434.
> >
> > URL of my web site below ...
> >
> > --
> > Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
> > mailto:m...@mzelden.com
> > Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
> > Systems Programming expert at http://expertanswercenter.techtarget.com/
> >
> > *** Please note the new URL for Mark's MVS Utilities ***
> >
>
>
>
> --
> Rob Schramm
> Senior Systems Engineer
> w: 513.305.6224
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Cool Things You Can Do in z/OS

2011-04-05 Thread Rob Schramm
Of course the usage of the Linux instance will have to be of a certain
"type" in order to support such a high ratio.  But given the right workload,
you could support a very high number of virtual servers.

I think like most things that we end up involved in.. "it depends" can
certainly lead you in a direction that having Linux running on a zBX would
be attractive... in addition to running it within z/VM.

Rob Schramm



Re: How to start RMF Monitor III automatically after IPL the system.

2011-04-08 Thread Rob Schramm
You can always jam it into the end of the JES2 parms.

$VS,'any old mvs command here'

The problem with COMMNDxx is there is absolutely no order to the
execution... which is documented in the manual.

Getting some sort of automation working is probably a good idea in general
and should return the amount of effort to get something in place over time.

Rob Schramm


On Fri, Apr 8, 2011 at 10:09 AM, Mark Zelden  wrote:

> On Fri, 8 Apr 2011 16:46:11 +0800, ibmnew  wrote:
>
>
> > do  I prepare a proc and   put  COM='S RMFIII' statement in the COMMND00
> >after COM='S RMF.RMF,,,MEMBER(00)' statement
> >
> >  //RMFIIIPROC
> >  //COMMAND  EXEC PGM=COMMAND
> >  //IEFRDER  DD  *
> >D R,R
> >DELAY 10
> >F RMF,START II
>
>
> In my sandbox LPARs I have 2 STCs - STARTSYS and SHUTSYS.  These
> are procs that execute the COMMAND program and get their input from
> parmlib members.
>
> You could continue to put   COM='S RMF.RMF,,,MEMBER(00)  in your
> COMMNDxx member and do the F RMF,START III from a COMMAND STC,
> but I put just about everything in my "STARTSYS" process.  The only
> things in COMMNDxx are things started SUB=MSTR and "STARTSYS" itself.
> Although there is no reason a COMMAND STC can't run SUB=MSTR and
> as a matter of fact, I run it that way at shutdown so it can shutdown
> JES2 before it does a VARY XCF OFFLINE and shuts itself down.
>
> Example COMMNDxx:
>
> COM='TRACE ST,128K'
> COM='START JES2,PARM='WARM,NOREQ''
> COM='START VLF,SUB=MSTR'
> COM='START RRS,SUB=MSTR'
> COM='START STARTSYS.STARTSYS'
>
> Example STARTSYS proc:
>
> //STARTSYS PROC
> //**
> //* COMMAND IS FROM CBT FILE 019 - HTTP://WWW.CBTTAPE.ORG
> //**
> //STARTSYS EXEC PGM=COMMAND,TIME=1439
> //STEPLIB  DD  DISP=SHR,DSN=authorized.loadlib
> //IEFRDER  DD  DISP=SHR,DSN=sandbox.parmlib(STRT&SYSNAME.)
>
> Example input from "sandbox.parmlib"
>
> * CHANGE VVDSSPACE FROM DEFAULT OF (10,10)  - Z/OS 1.7 & ABOVE
> F CATALOG,VVDSSPACE(30,15)
> *  DYNAMIC LPA ADDS FROM PDSE LIBRARIES
> SETPROG LPA,ADD,MASK=GSK*,DSN=SYS1.SIEALNKE
> * START TASKS
> S CSF
> S NET
> DELAY=15
> S TCPIP
> DELAY=10
> S OMPROUTE
> S TN3270
> S RMF,,,MEMBER(M0)
> S SDSF
> S HCHECKER
> DELAY=10
> S TSO
> F RMF,START III
>
>
> Hope this explains it all more clearly.
>
> Regards,
>
> Mark
> --
> Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
> mailto:m...@mzelden.com
> Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
> Systems Programming expert at http://expertanswercenter.techtarget.com/
>
> *** Please note the new URL for Mark's MVS Utilities ***
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: COBOL abend debug question with AbendAid/CICS dump

2011-04-08 Thread Rob Schramm
Can't you get the offsets from a compile and use them to help debug?

Rob Schramm
On Apr 8, 2011 3:36 PM, "McKown, John" 
wrote:
>> -Original Message-
>> From: IBM Mainframe Discussion List
>> [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Dan Skomsky, PSTI
>> Sent: Friday, April 08, 2011 2:30 PM
>> To: IBM-MAIN@bama.ua.edu
>> Subject: Re: COBOL abend debug question with AbendAid/CICS dump
>>
>> Just change the source to place some literal into
>> working-storage prior to
>> performing paragraph DO-READ.
>
> Can't change source in production without a lot of political pull that I
> don't have.
>
> --
> John McKown
> Systems Engineer IV
> IT
>
> Administrative Services Group
>
> HealthMarkets(r)
>
> 9151 Boulevard 26 * N. Richland Hills * TX 76010
> (817) 255-3225 phone *
> john.mck...@healthmarkets.com * www.HealthMarkets.com
>


Re: AC(authorization code) value change.

2011-04-11 Thread Rob Schramm
These are the most common APF issues I have seen over the years.

1) losing APF
Probably getting "knocked out" of authorization.  If any library in a JOBLIB
or STEPLIB is not APF, then the whole list is marked as "not apf" so it
then doesn't matter whether you think you have an authorized library or not.


2) someone moved it or volser is wrong
Even if the library is in the APF list.. check the volsers to be sure.

3) if TSO was involved, then not having the command authorized IKJTSOxx

Usually # 1 or combination of # 1 and # 2.

Rob Schramm

On Mon, Apr 11, 2011 at 4:20 PM, Paul Peplinski wrote:

> On Mon, 11 Apr 2011 12:25:20 +0530, jagadishan perumal
>  wrote:
>
> >Hi,
> >
> >For running a stored procedure from the DB2CONNECT, we were getting an
> >error as "
> >
> >DSNU003I DSNUTILS - NOT INVOKED APF AUTHORIZED " For getting removing
> >this error. The IBM manual has suggested few things like
> >
> >
> >The DSNUTILS or DSNUTILU load module is link edited with AC(1)
> >The DSNUTILS or DSNUTILU load module is in an APF authorized library .
> > All the libraries in STEPLIB JOBLIB are APF authorized
> >
> >The last two Points has been done from our end, but we are unable to
> >perform the first point i.e ...
> >The DSNUTILS or DSNUTILU load module is link edited with AC(1)
> >
> The only DSNUT* module that I have linked AC=1 is DSNUTILB - and we run
> utilities in a WLM address space (a different one than the one that
> typically includes RUNLIB.LOAD).
>
> Paul
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224
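
Checks 1 and 2 from the list at the top of this message (one non-APF library de-authorizes the whole JOBLIB/STEPLIB concatenation, and an APF entry only counts when its volser matches where the library really is), written out as an added Python example that is not part of the original post. The data set names and volsers are constructed, and treating a `volser` of `None` as an SMS-managed entry with no volume comparison is an assumption of this sketch.

```python
"""Audit a JOBLIB/STEPLIB concatenation against an APF list (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ApfEntry:
    dsname: str
    volser: Optional[str]  # None = SMS-managed entry, no volume check (assumption)


@dataclass(frozen=True)
class Library:
    dsname: str
    volser: str            # volume the catalog says the data set is on
    sms_managed: bool = False


def explain(lib: Library, apf: List[ApfEntry]) -> Optional[str]:
    """Return None if lib is covered by the APF list, else the reason it is not."""
    same_name = [e for e in apf if e.dsname.upper() == lib.dsname.upper()]
    if not same_name:
        return "not in the APF list"
    for entry in same_name:
        if entry.volser is None:
            if lib.sms_managed:
                return None
        elif entry.volser.upper() == lib.volser.upper():
            return None
    # Name is listed, but no entry matches where the library actually is.
    listed = ", ".join(e.volser or "SMS" for e in same_name)
    return f"APF entry is for {listed}, library is on {lib.volser}"


def audit(concat: List[Library],
          apf: List[ApfEntry]) -> Tuple[bool, List[Tuple[str, str]]]:
    """A concatenation is authorized only if every library in it is covered."""
    findings = []
    for lib in concat:
        reason = explain(lib, apf)
        if reason:
            findings.append((lib.dsname, reason))
    return (not findings, findings)


# Constructed sample data: not taken from any real system.
APF_LIST = [
    ApfEntry("EXAMPLE.DB2.LOADLIB", "VOL001"),
    ApfEntry("EXAMPLE.WLM.LOADLIB", "VOL002"),
    ApfEntry("EXAMPLE.SMS.LOADLIB", None),
]

GOOD = [
    Library("EXAMPLE.DB2.LOADLIB", "VOL001"),
    Library("EXAMPLE.SMS.LOADLIB", "SMS123", sms_managed=True),
]
# Issue 1: one unlisted library knocks the whole concatenation out.
KNOCKED_OUT = GOOD + [Library("EXAMPLE.USER.LOADLIB", "VOL009")]
# Issue 2: the library was moved, so the APF entry's volser no longer matches.
MOVED = [
    Library("EXAMPLE.DB2.LOADLIB", "VOL001"),
    Library("EXAMPLE.WLM.LOADLIB", "VOL007"),
]

if __name__ == "__main__":
    for label, concat in (("GOOD", GOOD), ("KNOCKED_OUT", KNOCKED_OUT),
                          ("MOVED", MOVED)):
        ok, findings = audit(concat, APF_LIST)
        print(label, "authorized" if ok else "NOT authorized")
        for dsname, reason in findings:
            print("   ", dsname, "-", reason)
```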



Re: moving extends for allocated VSAM linear data set

2011-04-12 Thread Rob Schramm
Depending on the filesystem .. you should be able to at least minimize the
downtime... and not require an IPL.  OMVS is restartable.
Just create a new filesystem/dataset, copy everything into it, stop the
application and swap the new one for the old one, restart app, copy any
missing files from old to new one... then delete the old data set.  Downtime
should mostly be just the time to shutdown and startup the app.

Rob Schramm



On Tue, Apr 12, 2011 at 6:56 AM, John McKown  wrote:

> On Tue, 2011-04-12 at 07:26 +0200, Michael Klaeschen wrote:
> > Ravi, thanks for your reply. I was told a "Softek" product may provide
> > this function as part of data migration support. But no, we just have
> z/OS
> > and a couple of Redbooks, Whitepapers and the ringing sound of IBM sales
> > representatives that "z means zero downtime". Now we have to move the
> > underlying volser of the TCPIP unix file system portion and face a
> sysplex
> > shutdown!
> > How can be that we have vast problem moving content of some physical
> > storage volume?!?! With AIX no problem, with Linux no problem, with
> > Windows no problem -- comes out of the box, I was doing myself a couple
> of
> > times, really easy. And the best of breed OS ever in history suffers? We
> > have to buy additional products for a simple task like that? I cannot
> > believe!
> > So, c'mon IBM, which spell do I have to type into my SYSIN card for
> > IDCAMS?
> > Thank you, cheers
> > Michael
>
> The IBM rep should have said: "The z means zero __unplanned__
> downtime.". I am not aware of any OS on any platform which does not
> require an occasional re-initialization (reboot, IPL, whatever you call
> it.) The closest that I'm personally aware of is Linux. With the new
> ksplice, it is even possible to patch a running kernel.
>
> --
> John McKown
> Maranatha! <><
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Copy OMVS file system after service to production system

2011-04-12 Thread Rob Schramm
Sounds like you are not setting up your test system like your production
system to me.  Until you tackle the differences between the systems and
either keep track of the differences and create a procedure to deal with
them or resolve them to allow for smooth maintenance, there are always going
to be unknowns and surprises.

Of course you can just mount your root READ-ONLY and any truly goofy stuff
will disappear ... forcing you to plan your changes and mount points well in
advance.

Rob Schramm

On Tue, Apr 12, 2011 at 2:49 PM, SAURABH KHANDELWAL <
saurabh.khandel...@oracle.com> wrote:

> Hello,
>   I have followed the suggested way to make copy root file system
> before applying service.
>
>   But we have couple of z/OS running with same version of OS level
> (example z/OS 1.8). In this we have test system, where we apply RSU and test
> it. We also have couple of production system with same OS level. In
> production system there might be changes in sub directories and Symbolic
> link.
>
> So the problem is, If I just copy the root file system from test system to
> production system after applying service on test root file system, there
> might be a chance to lose some symbolic links and sub directories.
>
> The solution which I can think of is, manually checking each of the
> production system and note all the sub directories and symbolic detail.
>
> Is there any other way, which can reduce my lots of manual effort and make
> process easy.
>
>
> Regards
> Saurabh Khandelwal
>
> On 4/12/2011 10:57 PM, Shmuel Metz (Seymour J.) wrote:
>
>> In<4da33ed7.9090...@oracle.com>, on 04/11/2011
>>at 11:18 PM, SAURABH KHANDELWAL
>> said:
>>
>>Can you please suggest me , what approach I should follow
>>> before applying RSU to make sure, everything will work in root file
>>> system after that.
>>>
>> How was your system originally installed? How was the last service
>> done? In particular, is your root the original target or a copy?
>>
>> As others have pointed out, you should never install service on the
>> running system. You should have a deployment plan for either rotating
>> among a set of target libraries or for cloning target libraries,
>> including Unix file systems.
>>
>>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Regarding IEASYS member

2011-04-14 Thread Rob Schramm
The system will always use IEASYS00.  If you specify another IEASYSxx
member, the two will be merged.  The only way to not use IEASYS00 is to
eliminate it from parmlib concatenation.

Rob Schramm

On Thu, Apr 14, 2011 at 9:27 AM, sunil mirchandani <
sunilmirchandani1...@gmail.com> wrote:

> Hello John,
>
> The first time when we ipled, OPI=YES system prompts for the IEASYS member.
> But in second time we changed OPI=NO again got the same response and system
> prompted for the same.
>
> OPI=Yes means operator can override any of the parameter specified in
> IEASYS. But here system is not picking IEASYS what we define in LOADXX
> member. All the time it's prompting for operator to reply.
>
>
> Thanks
> Sunil
>
> On Thu, Apr 14, 2011 at 6:51 PM, McKown, John <
> john.mck...@healthmarkets.com
> > wrote:
>
> > > -Original Message-
> > > From: IBM Mainframe Discussion List
> > > [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of sunil mirchandani
> > > Sent: Thursday, April 14, 2011 8:03 AM
> > > To: IBM-MAIN@bama.ua.edu
> > > Subject: Regarding IEASYS member
> > >
> > > Hello Team,
> > >
> > > Today we Ipled one of our test system, and while doing it
> > > system prompts for
> > > operator to specify IEASYS member and then operator replied
> > > by R 00,SYSP=XX.
> > >
> > > Can anybody help me here to know why system prompts for ieasys member
> > > however i defined this specifically in LOADxx member while using
> > > SYSPARM   (XX,L)(with correct syntax).
> > >
> > > In the same time the default one IEASYS00 is *not* available
> > > any of the
> > > parmlib( Is this the reason?)
> > >
> > > IMSI character used is 'M' in LOADPARM
> > >
> > > Please suggest.
> > >
> > > --
> > > Thanks & regards:
> > > Sunil
> >
> > Does your IEASYSXX contain OPI=NO in it? If not, OPI defaults to YES,
> which
> > results in the prompt which you see.
> >
> > --
> > John McKown
> > Systems Engineer IV
> > IT
> >
> > Administrative Services Group
> >
> > HealthMarkets(r)
> >
> > 9151 Boulevard 26 * N. Richland Hills * TX 76010
> > (817) 255-3225 phone *
> > john.mck...@healthmarkets.com * www.HealthMarkets.com
> >
> >
>
>
>
> --
> Thanks & Regards:
> Sunil Mirchandani
> 9243116830
>
> "Yesterday I dared to struggle. Today I dare to win"
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Regarding IEASYS member

2011-04-14 Thread Rob Schramm
Been a while since I played with the elimination (may have been one of the
things I tried that failed.. which is why it stuck in my memory).  I usually
ended up using IEASYS00 as a common for all systems, then used system
specific members for system specific setups.

But as you indicated, IEASYS00 could effectively be (sans the comments) an
empty member.

Rob Schramm

On Thu, Apr 14, 2011 at 9:55 AM, Mark Zelden  wrote:

> On Thu, 14 Apr 2011 09:31:57 -0400, Rob Schramm 
> wrote:
>
> >The system will always use IEASYS00.  If you specify another IEASYSxx
> >member, the two will be merged.  The only way to not use IEASYS00 is to
> >eliminate it from parmlib concatenation.
> >
>
> Last time I checked, the system always looks for  IEASYS00 and
> eliminating it completely from the parmlib concatenation resulted in a
> failed IPL.  This is what mine looks like (one blank line and comments):
>
>
> ** * Top of Data **
> 000100
> 000200  /* LIB: SYS1.PARMLIB(IEASYS00)   */
> 000300  /* DOC: DO NOT DELETE THIS MEMBER! IEASYS00 MUST BE PRESENT  */
> 000400  /*  SOMEWHERE IN THE LOGICAL PARMLIB CONCATENATION.  */
> 000500  /*  NOTE: DO NOT DELETE THE BLANK LINE AT THE TOP OF THIS MBR!   */
> **  Bottom of Data 
>
> --
> Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
> mailto:m...@mzelden.com
> Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
> Systems Programming expert at http://expertanswercenter.techtarget.com/
>
> *** Please note the new URL for Mark's MVS Utilities ***
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: TCP/IP Available on MVS When?

2011-04-14 Thread Rob Schramm
IBM or ISV version?

Rob

On Thu, Apr 14, 2011 at 11:10 AM, Steve Conway  wrote:

> OK, let's invoke Jaffe's Law (Any ibm-main discussion will eventually
> become a history lesson) immediately.
>
> In this case, I need a history lesson, preferably with citable references.
>
> When (year and OS release, if available) did TCP/IP become available for
> VM?  For MVS?
>
> No forum is more perfectly suited for my question.  :-)
>
>
> Cheers,,,Steve
>
> Steven F. Conway, CISSP
> LA Systems
> z/OS Systems Support
> Phone: 703.295.1926
> steve_con...@ao.uscourts.gov
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: posting commands across systems in a plex

2011-04-14 Thread Rob Schramm
As long as it is the same plex..

Use the MVS command ROUTE to execute a command on a specific system and
return the results.  Just RTFM for any details.

Cheers,
Rob Schramm

On Fri, Apr 15, 2011 at 12:17 AM, Munif Sadek  wrote:

> Thanks Chris
>
>
> Problem with Netview solution is,
> first we do not have it and
> with our automation tool - BMC solution, we have to authorize console ((S)
> MCS) for these commands and it's not interactive  (from TSO).
>
>
> regards Munif
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Mixing Auth and Non-Auth Modules

2011-04-21 Thread Rob Schramm
Maybe some others are willing to comment...

I thought that there was a short-cut to take for auth checking these days..
if you didn't really need to keep the ACEE around and you just want to do a
quick check to see if someone is auth'd for something.  Perhaps it was a
dream or a wish.  Anyone?

Rob Schramm

On Thu, Apr 21, 2011 at 4:40 PM, McKown, John  wrote:

> > -Original Message-
> > From: IBM Mainframe Discussion List
> > [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Patrick Roehl
> > Sent: Thursday, April 21, 2011 2:57 PM
> > To: IBM-MAIN@bama.ua.edu
> > Subject: Mixing Auth and Non-Auth Modules
> >
> > I have a situation where APF-authorization is needed by a new
> > subprogram
> > that performs RACF functions.  This was working fine until it
> > came time to call
> > the new subprogram from the main program, which does not need to be
> > authorized.  Making the whole process authorized seems silly
> > (or worse), in
> > addition to being inconvenient as there are many STEPLIB
> > entries involved.
> >
> > I tried running the main program from an authorized LNKLST
> > library, but quickly
> > ran into S306-12 when trying to load a program from the STEPLIB.
> >
> > Is the best option to handle this setting up a separate
> > region to handle the
> > authorized calls and communicating via a PC?  It looks like a
> > PC client would
> > have to be authorized, which defeats the purpose.
> >
> > How has this been solved in the past?
> >
> > Thanks for any suggestions and/or examples.
>
> APF is generally an "all or nothing" affair. z/OS, and MVS before it, was
> not designed to swap between APF and non-APF authorized states. You can do
> the APF to non-APF switch relatively easily. But it is generally a one way
> street. TSO does it by having two TCB trees. TSO starts up APF authorized,
> but resets the APF when the TMP does an ATTACH. But before that it creates
> an APF authorized subtree. When you run an APF authorized TSO program, it is
> run on the APF subtree and not the normal subtree. The normal subtree is
> "frozen" via the STATUS STOP operation during APF authorized function to
> decrease the likelihood of "cracking" the APF code. CICS switched back and
> forth using its SVC somehow (I don't know the internals).
>
> Now, being the weirdo that I am, I'd likely do my APF authorized work by
> using the UNIX fork() and exec(), where I exec() a module which is in the
> UNIX filesystem marked as APF authorized. Depending on what I need to do, I
> would either use shared memory (shmat) or set up a UNIX bidirectional
> unnamed PIPE if the APF task worked more like a "server" and would be
> invoked multiple times. It's just seems easier to me. Or use UNIX message
> queues for communications. I have a better understanding of using pipes.
>
> The plus of the UNIX solution is that the invoker does not need to be APF
> authorized at all. It just needs to be able to do the UNIX fork() and exec()
> of the APF authorized "service" program. I'd likely secure the service
> program by having the appropriate UNIX security on the executable file in
> the UNIX filesystem (using ACLs if necessary). An alternative / enhancement
> would be to have the UNIX program do a RACF security call of some sort to
> see if the invoker is authorized. This latter would be better if the routine
> is multifunction where the sub functions need to be individually authorized,
> perhaps with differing access lists. Like what ISMF does.
>
> --
> John McKown
> Systems Engineer IV
> IT
>
> Administrative Services Group
>
> HealthMarkets(r)
>
> 9151 Boulevard 26 * N. Richland Hills * TX 76010
> (817) 255-3225 phone *
> john.mck...@healthmarkets.com * www.HealthMarkets.com
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Rob Schramm
Super Secret (aka Security Through Obscurity) is always a bad idea.
 Security and integrity are difficult enough when balanced against allowing
progress to occur.  Adding in ridiculously risky back doors into your system
is a recipe for disaster.

An auditor that doesn't know enough to ask the right questions is not much
of an auditor.  If the goal is to achieve rubber stamps that grant some
sort of empty approval... then by all means hire the auditors that are
ignorant and are just following scripts without regard to how your system
works.

Rob Schramm



On Fri, Apr 22, 2011 at 3:11 PM, Rick Fochtman  wrote:

> ---
>
>
>  I hope that this SVC has been removed.  These "super-secret" SVC's are
>> nothing more than MASSIVE integrity exposures, that can be relatively easily
>> spoofed, and should be banned from any and all z/OS sites.
>>
>
> 
> I disagree. Checking a RACF FACILITY profile isn't that hard, nor is it all
> that difficult to define another resource class that can be checked by
> today's equivalent of FRACHECK.
>
> Rick
>
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Rob Schramm
Dang.. did I use Always again and left out the 1 or 2 use cases?  

Then lock them up in data sets only the trusted can use and certainly
putting them in linklst would be something to be avoided.  Or on sandbox
systems that if co-opted would not adversely affect your business.

Rob Schramm


On Fri, Apr 22, 2011 at 5:45 PM, Gerhard Postpischil wrote:

> On 4/22/2011 4:17 PM, Rob Schramm wrote:
>
>> Super Secret (aka Security Through Obscurity) is always a bad idea.
>>  Security and integrity are difficult enough when balanced against
>> allowing
>> progress to occur.  Adding in ridiculously risky back doors into your
>> system
>> is a recipe for disaster.
>>
>
> I take issue with "always", as a special SVC on a sandbox system may save
> significant time debugging and writing new software, while presenting
> minimal exposure.
>
> Gerhard Postpischil
> Bradford, VT
>
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Mixing Auth and Non-Auth Modules

2011-04-24 Thread Rob Schramm
I made the original comment about the auditor and SVC.  At the time the
discussion sparked a memory of a SVC that was specifically used to gain
authorization and circumvent security (quite a while ago) that I had
encountered.  It was a great trick and pretty useful and very dangerous at
the same time (it had absolutely no controls on it).

I am very aware that there are all sorts of cool things that can be done and
that SVCs are a bit "yesterday's news".

I think that Auditors should be working with the Systems Programmers and
Security folks to achieve better controls and review what utilities are
available on the system and "scope" the usage.  However, usually the
relationship with the Auditors is combative and full of suspicion.  Instead
the combative/suspicious relationship leads to trying to give only the
minimum and thus forcing the Auditor to have to either "know the right
questions" or just rubber stamp it out of ignorance.  Of course the System
Programmer should be just as concerned if not more so about such things.
 After all they are the ones that will be "holding the bag of
responsibility" when a known hole or utility is used to the detriment of the
system.

There are a lot of very smart people out there and security is always a
problem.  The only truly secure system is one that sits in a corner
unplugged... not very useful.. but at least secure until someone shows up
with a truck.

It seems putting people to work together and achieving more layered (as in
an Onion and not a Parfait .. yes.. I know a Shrek reference)  and resilient
security/integrity would be a more desirable goal.  More of a consistent
model of incremental improvement being driven from multiple areas.

Even after an auditor comes and goes.. it is those responsible for the
various areas that have to live with which is usually trying to strike some
balance between control and productivity.

-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: zOSMF: Site customizable user roles

2011-04-25 Thread Rob Schramm
Tom,

This is more of a brute force method... to possibly discover how things are
setup.

Did you already run a grep for one of the existing user role names to find
all the places that it occurs?  The search might reveal whether they already
have setup some of the separation without implementing it yet.

If the files are ascii you may have to tag them, then run the grep...

chtag -tc ISO8859-1 ./filename <<== you may need the -R if you
are doing a whole files within multiple directories
export _BPXK_AUTOCVT=ON

Of course if it is in a jar you might need to unpack it somewhere and then
run the search.

I guess another way would be to pull the ear file apart with Eclipse and
search through it.

Maybe one of the other java heavy folks would care to comment?

Rob Schramm

On Mon, Apr 25, 2011 at 10:26 AM, Tom Ambros wrote:

> No joy.  Talks about modifying predefined roles. no content on adding new
> ones.
>
> Thomas Ambros
> Operating Systems and Connectivity Engineering
> 518-436-6433
>
>
>
>
>
> Gary DiPillo 
> Sent by: IBM Mainframe Discussion List 
> 04/25/2011 10:21
> Please respond to
> IBM Mainframe Discussion List 
>
>
> To
> IBM-MAIN@bama.ua.edu
> cc
>
> Subject
> Re: zOSMF: Site customizable user roles
>
>
>
>
>
>
> Tom,
>
> A draft Redbook was just announced.  It may provide more details for you.
>
> *z/OS Management Facility*
> Revised: April 19, 2011
> More details are available at
> http://www.redbooks.ibm.com/redpieces/abstracts/sg247851.html?Open
> <
>
> http://www.ibm.com/vrm/newsletter_10300_8855_192978_email_DYN_1IN/GDiPillo126694429
> >
>
> Regards,
> Gary DiPillo
> Axios Products
>
> On 04/25/2011 8:52 AM, Tom Ambros wrote:
> > As zOSMF includes more functions, it is more likely that an installation
> > will want to add user roles beyond the few available today.  For
> instance,
> > I'd like to set it up so my Capacity Planning group can see Links and
> WLM
> > admin, but not Comm Server Configuration.   Certainly I can protect all
> > those functions at the back end but I'd like to hide the doors, so to
> > speak.  After a while I know I'm going to run into some group that gets
> > their feelings hurt if they see a choice but get SAF'ed out of it, and
> > then their boss gets the violation report from Info Security so I end up
> > getting a 'how can we stop this' requirement.
> >
> > I tried hacking around but clearly missed a piece.  Results were
> > unsatisfactory.  Has anybody been successful in adding user roles beyond
> > Admin/User/Unauth User/Guest?  If not, are there plans in future
> releases
> > for this sort of thing that anybody knows about?
> >
> > Thomas Ambros
> > Operating Systems and Connectivity Engineering
> > 518-436-6433
> >
> >
> >
> >
> >
>
> --
> Axios Products, Inc. supp...@axiosproducts.com 631-864-3666 x133
>

Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread Rob Schramm
How about an auditors guide written by us and some of the other listservs?

Rob Schramm
On Apr 25, 2011 2:13 PM, "Ted MacNEIL"  wrote:
>>This preoccupation lends support to the theory that all auditors are
> working from a z/OS playbook written somewhere around 1978.
>
> IIRC, it was called "MVS for Auditors".
> It had a lot of inaccuracies, but the auditors treated it as a 'bible'.
> It was a bane for many years.
> -
> Ted MacNEIL
> eamacn...@yahoo.ca
> Twitter: @TedMacNEIL
>



Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread Rob Schramm
I will take a look around to see if there is anything more recent.  But I
think the point would be to also help SysProgs and Security folks and to
illuminate pet peeves and cautionary practices.

Maybe something like a wiki.  Make it something living then maybe use the
original guide as a starting point and fix it to actually assist people.  I
don't think anyone need worry that it will take business away.  There is
always plenty to do.

Certainly having some of the collective brain power demonstrated in IBM-Main
on a regular basis could serve to help refine the rough edges.

Rob Schramm

On Mon, Apr 25, 2011 at 2:42 PM, Ted MacNEIL  wrote:

> >How about an auditors guide written by us and some of the other listservs?
>
> Does one exist?
> -
> Ted MacNEIL
> eamacn...@yahoo.ca
> Twitter: @TedMacNEIL
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: SVC Screening (was Mixing Auth and Non-Auth Modules)

2011-04-26 Thread Rob Schramm
Peter,

Since it appears that the majority of the usage of SVC screening is other
than intended... has anyone ever submitted requirements to formalize the way
it really gets used?  Thereby securing against future changes that might
break the unsupported feature?

Rob Schramm

On Tue, Apr 26, 2011 at 8:21 AM, Binyamin Dissen  wrote:

> On Tue, 26 Apr 2011 07:59:27 -0400 Peter Relson  wrote:
>
> :>>Curious: Does anyone use SVC screening for its documented intended
> :>>purpose: to define those SVCs that a particular task is allowed to issue
> :>>(and conversely those that it is not allowed to issue)?
>
> :>I intentionally phrased the question the way I did, although no one
> :>answered it in that spirit. The answer, based solely on the posts
> :>so far, appears to be "no".
>
> SVC screening allows one to specify which SVCs will go to the coded routine
> instead of the standard SVC.
>
> :>There are a lot of other entertaining, interesting, probably useful,
> :>but nevertheless wholly unsupported, uses that have been found for
> :>SVC screening.
>
> Is it your statement that the only "supported" use of this routine is to
> fail
> the SVC call, not to do alternate processing?
>
> :>I do mean to provoke thought; I do not mean to cause alarm. As long as
> :>the SVC screening routine does everything right, so that the user
> :>gets what the user should get in all cases, I don't have overly much
> :>problem with this misuse. But very often that is not the case, including
> :>functional problems or even system integrity problems, related to
> :>examining the user parameters or due to making the SVC appear that it
> :>had not come from the user who actually issued it.
>
> :>Note that users who use SVCUPDTE to front-end SVCs often inject
> :>similar problems.
>
> Or supervisor state PC routines. Etc. Supervisor state routines callable by
> problem state have to validate everything.
>
> --
> Binyamin Dissen 
> http://www.dissensoftware.com
>
> Director, Dissen Software, Bar & Grill - Israel
>
>
> Should you use the mailblocks package and expect a response from me,
> you should preauthorize the dissensoftware.com domain.
>
> I very rarely bother responding to challenge/response systems,
> especially those from irresponsible companies.
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: IT Auditors was Re: Mixing Auth and Non-Auth Modules

2011-04-28 Thread Rob Schramm
Well... maybe there is a way for the auditors to stay less than savvy. I sat
in on a presentation for http://www.vatsecurity.com/ which, other than
scaring the %^&* out of me, gave an excellent way to look at the system from
an integrity standpoint.  I end up spending a lot of time on just working
thru the controls that are in the security products, making sure that there
are trails to follow about who did what when... looking out for inadvisable
utilities, looking at the system when it first comes up to see what new
"stuff" is there.  But this is a different approach... one that just got
added to my "list of things" I need to look at.

Rob Schramm

On Wed, Apr 27, 2011 at 9:51 PM, Clark Morris wrote:

> On 26 Apr 2011 06:43:16 -0700, in bit.listserv.ibm-main you wrote:
>
> While at a company which no longer is in the business it was when I
> was there, headquarters IT auditors came to audit one of our systems.
> They were informed that it was virtually non-existent and that we
> would be very happy with any documentation they could add.  They in
> fact found the documentation situation as stated and were allowed by
> their management to really check out the system and leave behind
> documentation of what they found.  Working with them was a pleasure
> because they knew what they were doing and we got some useful
> documentation out of it.  Since we didn't try to hide the
> documentation situation, we apparently didn't get anything nasty from
> headquarters.
>
> Later the division was sold to another company.  Things had progressed
> in the field so now we had TSO and other online access.  This was
> before RACF or equivalent was mandatory.  The internal auditor came
> through and I expressed my concern about the lack of security.  My
> boss was standing near me and rephrased the concerns in management
> speak with the same message.  In his report the major concern of the
> auditor was that we were running JES3 on a single CPU (global only)
> rather than JES2.  In our conversation with him before the report, he
> seemed to think lack of security was rather common.
>
> Clark Morris
> >Perhaps this is a bit off topic, but I have yet to encounter an IT auditor
> >I could trust.
> >
> >At my very first job I was in a small shop running DOS on a 360/40. The
> >company was scheduled for its annual outside audit. The IT auditors
> >typically wanted to completely take over the machine for the days of the
> >IT audit. It happened that our payroll process occurred during the period
> >of the audit. Our operations manager informed the auditors that payroll
> >processing would take priority over the audit if they came on those days,
> >on any other days they could have the machine. Guess which days they came.
> >We were written up because we did not give them dedicated use of the
> >machine. It was noted in the audit report that the "uncooperative" data
> >center manager had since been demoted. Not true. He had decided to return
> >to graduate school and was now only able to work third shift, so he became
> >an operator. This was his decision, and certainly not a demotion in the
> >sense that the auditors implied.
> >
> >I think that when I was later in an MVS shop, our auditors used that same
> >playbook, but I also think that they read slowly, as they seemed to find
> >one new thing in the book each year.
> >
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: HTTP Server for z/OS

2011-04-28 Thread Rob Schramm
Chris,

Unless you have specifically done the research for the HTTP server, there is
an assumption you are making that a Communication Server configuration is
the only way to perform any of the setup.  While CS can certainly be set up
to do it and would be involved regardless, there are more than a few
products that can perform binds and have specific configuration options to
govern them.

Rob Schramm

On Thu, Apr 28, 2011 at 9:50 AM, Chris Mason wrote:

> Maria
>
> This is a question for your local specialists supporting the IP component
> of Communications Server (CS).
>
> An application running on an IP node and relying on IP-based communications
> will generally place no limitations on the IP addresses assigned to that IP
> node.
>
> Thus any of the IP addresses which appear in what is called the "home"
> list, that is, the IP addresses corresponding to real or virtual interfaces
> to the IP node, can be used as the destination IP address for the
> application.
>
> Perhaps you should post again and describe more clearly what your
> requirements are.
>
> Note that, since this is a question probably relating more to the IP
> component of CS, you should be posting for the widest audience on the
> IBMTCP-L list:
>
> For IBMTCP-L subscribe / signoff / archive access instructions, send email
> to lists...@vm.marist.edu with the message: INFO IBMTCP-L
>
> Chris Mason
>
> On Thu, 28 Apr 2011 08:12:36 -0500, Maria Mora
>  wrote:
>
> >Can you use Virtual Host or multiple IP addresses in HTTP Server for z/OS
> >ver 5.3?
> >
> >Thanks,
> >Maria
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: HTTP Server for z/OS

2011-04-28 Thread Rob Schramm
Chris,

... it was not my intent to waste time.  Although, answering your
posts may be up for debate about whether it is time wasting or a
multi-faceted learning opportunity. My intent was simply to temper
your typically "bull in a china shop" responses.  And to indicate to
the poster that while the TCP-L may offer answers to TCP/IP questions,
the answer to the specific question of whether HTTP Server supports
xx will not necessarily be answered.  Surely a trip to the z/OS
related HTTP Server manuals (of which there are 2 available) would be
a better start.  Meanwhile in the spirit of being somewhat pedantic...

HTTP Server for z/OS V5R3 - See Basic Directives section
http://publibz.boulder.ibm.com/epubs/pdf/imwziu18.pdf

IBM Ported Tools for z/OS: IBM HTTP Server V7.0 - no specific references
http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.ihs.doc/info/welcome_ihs.html

Cheers from the cheap seats,
Rob Schramm


On Thu, Apr 28, 2011 at 12:04 PM, Chris Mason  wrote:
>
> Rob
>
> I really believe you are set on simply wasting time and effort here.
>
> There was a judiciously placed "generally" which shades to "almost always"
> and I would hazard the suggestion "always" for any general purpose
> application as I, well, just assume something called "HTTP Server for z/OS"
> would be.
>
> In order for a product to limit the destination address it would accept, it
> would need to issue a bind() call which, rather than specifying 0.0.0.0,
> a.k.a. INADDR_ANY, would need to be an IP address which had been set up for
> a specific IP node implementation - massively unlikely, wouldn't you say? I
> really can't see a product mandating a particular IP address!
>
> Now it is possible for an installation to configure a particular IP address
> either through product customisation - although this in my experience is
> unusual - or by means of the BIND parameter of the PORT statement list entry
> for the relevant port number.
>
> These days there are "tricks" which can be introduced with the SRCIP
> statement with the SERVER parameter, just about the most counterintuitive
> naming of a statement in relation to its purpose that could have been devised!
>
> Now all of these options involve performing some sort of customisation
> somewhere and it is to be hoped that any such customisation would be done
> with the full knowledge of whomever was performing the customisation. I
> already indicated that the "local specialists supporting the IP component of
> Communications Server" should be involved. I would hope that anyone actually
> responsible for "HTTP Server for z/OS" would have known what he or she was
> doing in the generally unlikely case that the specification of an IP address
> through product customisation was possible.
>
> Note that the "sockaddr" or "name" structure used by the bind() call has room
> for only one IP address.
>
> Do you have any other suggestions?
>
> Chris Mason
>
> On Thu, 28 Apr 2011 10:08:23 -0400, Rob Schramm
>  wrote:
>
> >Chris,
> >
> >Unless you have specifically done the research for the HTTP server, there is
> >an assumption you are making that a Communication Server configuration is
> >the only way to perform any of the setup.  While CS can certainly be set up
> >to do it and would be involved regardless, there are more than a few
> >products that can perform binds and have specific configuration options to
> >govern them.
> >
> >Rob Schramm
> >
> >On Thu, Apr 28, 2011 at 9:50 AM, Chris Mason wrote:
> >
> >> Maria
> >>
> >> This is a question for your local specialists supporting the IP component
> >> of Communications Server (CS).
> >>
> >> An application running on an IP node and relying on IP-based
> >> communications will generally place no limitations on the IP addresses
> >> assigned to that IP node.
> >>
> >> Thus any of the IP addresses which appear in what is called the "home"
> >> list, that is, the IP addresses corresponding to real or virtual
> >> interfaces to the IP node, can be used as the destination IP address for
> >> the application.
> >>
> >> Perhaps you should post again and describe more clearly what your
> >> requirements are.
> >>
> >> Note that, since this is a question probably relating more to the IP
> >> component of CS, you should be posting for the widest audience on the
> >> IBMTCP-L list:
> >>
> >> For IBMTCP-L subscribe / signoff / archiv
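
The bind() behaviour discussed in this exchange, as an added example that is not part of the original posts: a listener bound to 0.0.0.0 (INADDR_ANY) accepts on every home address, one bound to a specific address accepts only there, and because a sockaddr carries a single address, each specific address needs its own socket. The function names are hypothetical, and the code uses generic BSD sockets with 127.0.0.1 as a sample address; nothing here is taken from HTTP Server for z/OS or Communications Server.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a TCP listener bound to `ip` ("0.0.0.0" is INADDR_ANY) on an
 * ephemeral port. On success returns the socket and stores in *bound the
 * address the stack actually recorded (read back with getsockname).
 * Returns -1 on any error. */
int open_listener(const char *ip, struct sockaddr_in *bound)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(*bound);
    int fd;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(0);                 /* let the stack pick a port */
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return -1;                          /* not a dotted-quad address */

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    /* The sockaddr passed to bind() has room for exactly one address. */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) != 0 ||
        listen(fd, 8) != 0 ||
        getsockname(fd, (struct sockaddr *)bound, &len) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 when the listener accepts connections sent to any home address,
 * 0 when it is pinned to one address. Useful when auditing exposure. */
int is_wildcard(const struct sockaddr_in *bound)
{
    return bound->sin_addr.s_addr == htonl(INADDR_ANY);
}

/* Serving several specific addresses takes one socket per address.
 * Fills fds[] and bound[]; returns n on success, or -1 after closing
 * whatever had been opened. */
int open_listeners(const char *const ips[], int n, int fds[],
                   struct sockaddr_in bound[])
{
    int i;

    for (i = 0; i < n; i++) {
        fds[i] = open_listener(ips[i], &bound[i]);
        if (fds[i] < 0) {
            while (i-- > 0)
                close(fds[i]);
            return -1;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample: the wildcard plus one specific home address. */
    const char *const ips[] = { "0.0.0.0", "127.0.0.1" };
    struct sockaddr_in bound[2];
    char text[INET_ADDRSTRLEN];
    int fds[2];
    int i;

    if (open_listeners(ips, 2, fds, bound) != 2) {
        perror("open_listeners");
        return 1;
    }
    for (i = 0; i < 2; i++) {
        inet_ntop(AF_INET, &bound[i].sin_addr, text, sizeof(text));
        printf("%s:%u %s\n", text, (unsigned)ntohs(bound[i].sin_port),
               is_wildcard(&bound[i]) ? "(every home address)"
                                      : "(this address only)");
        close(fds[i]);
    }
    return 0;
}
```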

Re: FTPed Load module Blank

2011-04-28 Thread Rob Schramm
I have used FTP to move load modules regularly between lpars.

1. make sure the destination data set is allocated with the same attributes
2. instead of bin, I always used directives  "ebcdic" and "mode b"

HTH,

Rob Schramm

On Thu, Apr 28, 2011 at 9:01 PM, Rick Fochtman  wrote:
> ---
>
>>> I have downloaded few internally developed Loadmodules. When I tried
>>> uploading the FTP'd file to another LPAR I can see it was blank and
>>> there no content inside (It's specifically happening for load modules).
>>> Here in our shop we are having Monoplex so XMIT is not working. Is
>>> there a way to download the Load modules and transfer them to other
>>> Lpar with same Content.
>>>
>>> Any help on this would be much appreciated.
>>>
>
> --
> I suggest that you simply XMIT the PDS to a shared volume and do a RECEIVE
> on the other LPAR.
>
> Rick
>
>



-- 
Rob Schramm
Senior Systems Engineer
w: 513.305.6224



Re: An unnecessary controversy (Was: Ported tools for z/OS on ADCD)

2011-05-02 Thread Rob Schramm
Chris,

I find it comforting that some things are to be relied upon.  Most of us do
not have the time to continue the fairly impressive amount of writing that
you are able to produce on a subject that is well documented.  I am sure
that the outcome will also be the same as usual.  I wait for the inevitable
end.  It cannot come anytime too soon.  USS (unformatted system services)
 will continue to be defended vocally by you and some others.  The rest that
have been using USS for Unix System Services will continue to use it as such
but will appear to give way to the onslaught of emails and apparently
corrective prose.  I do not believe that this tirade is of any value other
than to watch the predictable marionette perform once again.

Cheers to all this fine Monday morning!

Rob Schramm

On Mon, May 2, 2011 at 4:54 AM, Chris Mason  wrote:

> Mike
>
> > USS - Unformatted Screen Services.
>
> That's a new one!
>
> As it happens, I have just in the last few days in conjunction with sorting
> out another matter noticed that there is even a VTAM manual which gets USS
> wrong!!!
>
> In the z/OS Communications Server SNA Messages manual, we find the
> following:
> 
>
> 17.0 Chapter 17. USS messages
>
> This chapter provides information on unformatted session services(USS)
> messages that are sent to the VTAM operator or a program operator, and USS
> messages that are sent to terminal users. For information on translating
> USS messages, see "User-selected message changes" in topic 1.7.
>
> 
>
> Amazing!
>
> Returning to your imaginative interpretation, it is indeed true today that
> it is more than likely that Unformatted System Services commands are keyed
> at a display device and both the commands and any associated messages appear
> on a "screen". However, those of us with beards that have turned grey can
> still dimly recall the 3767 typewriter which also required the use of USS
> functions.
>
> Chris Mason
>
> On Sun, 1 May 2011 12:36:49 -0500, Mike Schwab
>  wrote:
>
> >USS - Unformatted Screen Services.
>
> >--
> >Mike A Schwab, Springfield IL USA
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: ISKLM as a replacement for EKM

2011-05-02 Thread Rob Schramm
I will preface my next comment by saying .. I haven't looked at the
licensing ..

Not that I am advocating anything illegal... but can EKM be treated like
BTAM and just pull forward the jar?

I suppose it will break at some point, but you could always use cavaj to
pull it apart and put it back together with whatever needed to be fixed.

Just a thought.

TKLM does bring some things to the table that EKM does not have (other than
a DB2 requirement).  I am sure that I know of at least 2 people that will
not be sorry to see EKM go (since the support for EKM was rolled into the
JAVA support instead of a separate product).  But once people did go thru
the work to get EKM running.. there seemed little reason to change what was
working.

Rob Schramm



On Mon, May 2, 2011 at 9:35 AM, Knutson, Sam  wrote:

> It has a cost which I understand is comprised of value units for the
> processors on which it operates and the amount of tape and DASD which are
> encrypted.
> Pricing encryption enablement by storage footprint is even worse than
> processor capacity given the explosive data growth we see.
> The one good thing that can be said is that ISKLM appears to be much less
> complex than TKLM and may be easier to implement.
>
> IBM Security Key Lifecycle Manager for z/OS V1.1 manages encryption keys
> for storage, simplifying deployment and maintaining availability to
> data at rest
>
> http://www.ibm.com/common/ssi/rep_ca/4/897/ENUS211-104/ENUS211-104.PDF
>
>
> EKM is free.  The slow withdrawal of EKM has been somewhat stealthy.
>
> IBM seems to be pushing customers to migrate to ISKLM/TKLM even though I
> have yet to see a
> Statement Of Direction only this recent announcement that EKM was to be
> removed from Java.
>
> "IBM 31-bit SDK for z/OS, Java Technology Edition Version 6 Release 0
> Modification 1 does not contain the Encryption Key Manager application
> (EKM JAR, the jzosekm.jar and sample JCL) in this z/OS Java SDK. Note that
> the EKM JAR and related material remain included in IBM 31-bit SDK for
> z/OS, Java
> Technology Edition Version 6 Release 0 Modification 0."
>
> from IBM United States Software Announcement
> 211-003, dated March 15, 2011. IBM 31-bit SDK for z/OS, Java Technology
> Edition  Version 6 Release 0 Modification 1 lets application
> developers use Java on IBM z/OS.
>
> ISKLM/TKLM has more function than EKM but it seems unreasonable to remove
> the EKM jar files from Java while it is still supported and no SOD or EOS
> has been announced.
>
> I don't think IBM has done enough to communicate to customers that EKM
> would be removed from the current best performing Java distribution.
> Replacing what has been a base feature on the platform included with z/OS
> Java at no charge with a charged product is not well received here.
>
> I am a little frustrated with the lack of clear communication and the way
> this continues to be handled.
>
> There are competitive options which if forced to purchase a product may be
> worth consideration.
>
>  http://www.ca.com/us/products/detail/CA-Encryption-Key-Manager.aspx
>
> If you don't need full disk encryption on DS8800 you can continue to use
> EKM and provided with Java 6.0.0 which is what we are doing with our z/OS
> 1.12 order.
>
> I cannot just make an unbudgeted purchase of ISKLM because they quietly
> removed the .jar files from Java 6.0.1, so we won't use Java 6.0.1.
>
>
> Best Regards,
>
> Sam Knutson, GEICO
> System z Team Leader
> mailto:sknut...@geico.com
> (office)  301.986.3574
> (cell) 301.996.1318
>
> "Think big, act bold, start simple, grow fast..."
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
> Behalf Of Mark Jacobs
> Sent: Friday, April 29, 2011 7:02 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: ISKLM as a replacement for EKM
>
> Our IBM sales reps told us that ISKLM is priced per tape drive that has
> the encryption feature enabled. It would make more sense to me to just
> bundle the license to utilize any encryption key manager product into the
> price of the optional encryption feature and be done with it.
>
> Mark Jacobs
>
> On 04/29/11 05:55, Jousma, David wrote:
> > I think it is free.   This is the -lite version of TKLM that does not
> > require WAS or a DB2 backend.
> >
> > And JAVA V6 (not 6.0.1) is still orderable in ShopZ, but I don't know
> > for how long.   V6 still has EKM code in it.
> >
> > _
> > Dave Jousma
> > Assistant Vice President, Mainfr

Re: Ported tools for z/OS on ADCD

2011-05-03 Thread Rob Schramm
Are we ready to let this thread die?  We go round and round with this
without any meaningful movement from our relatively entrenched positions.
 Apart from some fairly humorous quips and some long winded prose
there is little progress made.

I did have an idea for helping the context (and google searches) that forces
all to suffer (all suffering is the core of compromise? )  VTAM USS or
zOS USS  context is clear and google searches return the correct
information.  viva la evolution! 

Where is Amy Farrah Fowler when we need her?  I am sure Sheldon would agree
that USS would only have one use determined by him.

I expect that this argument will go on for the next 20 or 30 years.  After
which USS will be ceded to Unix System Services as a "no-prize" (marvel
reference) due to lack of opposition and the fact that no one will care
anymore.

Rob Schramm

On Tue, May 3, 2011 at 8:52 AM, Shmuel Metz (Seymour J.) <
shmuel+ibm-m...@patriot.net> wrote:

> In , on 05/02/2011
>at 07:49 PM, Itschak Mugzach  said:
>
> >Everybody uses USS for Unix System Services,
>
> No.
>
> >including IBM.
>
> John Eels is from IBM.
>
> --
>  Shmuel (Seymour J.) Metz, SysProg and JOAT
> ISO position; see <http://patriot.net/~shmuel/resume/brief.html>
> We don't care. We don't have to care, we're Congress.
> (S877: The Shut up and Eat Your spam act of 2003)
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: IKJEFT01

2011-05-03 Thread Rob Schramm
AFAIK.. you can't issue Top Secret commands to an inactive data base.  If
there was a utility.. it would basically be running TSS under the covers to
do the work.  You can restart TSS with another DB and then issue commands
and restart again to get it back to the original DB.  The address spaces
that are already active should continue to remain active with their
associated ACEEs.  The only thing (mostly true) you have to concern yourself
with is creating new ACEEs during the time in which the "old" data base is
active.

And modifying a dead DB directly is a really bad idea... but you might be
able to make small changes... but it would be a better idea to follow the
restart TSS path.

Rob Schramm

On Tue, May 3, 2011 at 9:51 AM, Elardus Engelbrecht <
elardus.engelbre...@sita.co.za> wrote:

> Bill Johnson wrote:
>
> >Our security guy normally issues Top Secret commands using IKJEFT01. He
> >wants to be able to point to an old Top Secret database not the active one.
>
> Ok, now we are getting hot. The question is now about issuing a Top Secret
> command using some keywords pointing to something else. Not about IKJEFT.
>
> Perhaps you could show here the command and all its keywords tried out?
>
> And give some output received too...
>
> Perhaps some Top Secret guru could help?
>
> Groete / Greetings
> Elardus Engelbrecht
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Editing Unicode Files in z/OS?

2011-05-03 Thread Rob Schramm
I had been using Putty connecting via openssh, tagging the file, setting the
_BPXK_AUTOCVT=ON and editing with vi for quick edits.  For longer ones I
would SFTP it in binary to Ultraedit, fix it up and SFTP it back.

Rob Schramm

On Tue, May 3, 2011 at 9:52 AM, Steve Comstock wrote:

> On 5/2/2011 11:30 PM, Timothy Sipples wrote:
>
>> This question isn't any sort of official IBM survey or anything like that
>> -- just a question arising out of personal curiosity.
>>
>> I'm wondering what IBM-MAINers like to use for editing Unicode (UTF-8,
>> UTF-16, and/or UTF-32) "files" on z/OS. There are of course graphical
>> options (notably Rational Developer for System z) which work great, but
>> for this question I'm more focused on text editors that meet the following
>> attributes:
>>
>> 1. Accessible via TN3270E (i.e. "3270 editors") and/or Telnet (to z/OS
>> UNIX System Services) -- i.e. "old school" terminal mode editors;
>> 2. Support editing UTF-8, UTF-16, and/or UTF-32;
>> 3. Support sequential (QSAM), VSAM, PDS/PDSE, HFS/zFS, DB2, and/or IMS
>> data (i.e. "whatever you can imagine").
>>
>> If you'd like to reply to me offline, that's perfectly fine -- either way.
>> Thanks in advance.
>>
>> - - - - -
>> Timothy Sipples
>> Resident Enterprise Architect
>> Value Creation & Complex Deals Team
>> IBM Growth Markets (Based in Singapore)
>> E-Mail: timothy.sipp...@us.ibm.com
>>
>
> I think editing Unicode files from ISPF would be great.
> It would allow you to build HTML pages in native mode
> and avoid translation. Most emulators could handle
> the extra characters (heck, even Notepad can handle
> Unicode). One problem might be keyboard entry. I've
> always thought this Russian keyboard could be modified
> to provide keys for all characters since each key is
> actually a small led screen:
>
>  http://www.artlebedev.com/everything/optimus/
>
>
>
> --
>
> Kind regards,
>
> -Steve Comstock
> The Trainer's Friend, Inc.
>
> 303-393-8716
> http://www.trainersfriend.com
>
> * To get a good Return on your Investment, first make an investment!
>  + Training your people is an excellent investment
>
> * Try our new tool for calculating your Return On Investment
>   for training dollars at
>   http://www.trainersfriend.com/ROI/roi.html
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Editing Unicode Files in z/OS?

2011-05-03 Thread Rob Schramm
As long as you tag the file.

On May 3, 2011 10:43 AM, "Paul Gilmartin"  wrote:
> On Tue, 3 May 2011 10:25:29 -0400, Rob Schramm wrote:
>
>>I had been using Putty connecting via openssh, tagging the file, setting
>>the _BPXK_AUTOCVT=ON and editing with vi for quick edits. For longer ones I
>>would SFTP it in binary to Ultraedit, fix it up and SFTP it back.
>>
>>On Tue, May 3, 2011 at 9:52 AM, Steve Comstock wrote:
>>>
>>> I think editing Unicode files from ISPF would be great.
>>> It would allow you to build HTML pages in native mode
>>> and avoid translation. Most emulators could handle
>>> the extra characters (heck, even Notepad can handle
>>> Unicode). One problem might be keyboard entry. I've
>>> always thought this Russian keyboard could be modified
>>> to provide keys for all characters since each key is
>>> actually a small led screen:
>>>
>>> http://www.artlebedev.com/everything/optimus/
>>>
> The de facto standard for HTML is UTF-8. Can _BPXK_AUTOCVT=ON
> deal with this? The Pigeonhole Principle comes to mind.
>
> -- gil
>



Re: Problem with LPA=xx on IEASYSxx

2011-05-04 Thread Rob Schramm
If you specify the ",L" at the end most of the parms have a list option.  At
least it will give you a record in syslog of what you chose.

Rob Schramm

On Wed, May 4, 2011 at 9:44 AM, Casey Rhodes  wrote:

> The D IPLINFO,LPA and others is great but it would be even better if
> that was something you could use to display all settings at once with
> an ALL option or *.
>
> This will keep me from chasing the chain from LOADXX to parmlib to
> IEASYSXX all the time. Thanks for the information.
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: Problem with LPA=xx on IEASYSxx

2011-05-04 Thread Rob Schramm
It can be a bit much to go thru.. but it also is a powerful record of what
has been setup and what JCL is run... which is helpful when dealing with
goofy problems that seem to be doing their best to hide.

Rob Schramm

On Wed, May 4, 2011 at 11:22 AM, Richard L Peurifoy  wrote:

> On 5/4/2011 8:52 AM, Rob Schramm wrote:
>
>> If you specify the ",L" at the end most of the parms have a list option.
>> At least it will give you a record in syslog of what you chose.
>>
>
> You might not want to do this on the MSTRJCL parm, IIRC it will cause
> the JCL and messages for all started tasks to be written to the log,
> not just the MSTR JCL. Otherwise, I specify this on most parms that
> support it.
>
> --
> Richard
>
>
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: USS vs USS

2011-05-04 Thread Rob Schramm
Chris,

I would successfully argue that the "universally understood, accepted and
mandated expressions" is a bit wide and not at all in synch with reality.
 If it were universal, we would never be having these discussions.

Wednesday and still Cheery,
Rob Schramm

On Wed, May 4, 2011 at 2:16 PM, Chris Mason  wrote:

> Don
>
> We are not dealing with a language - that would be another campaign such as
> getting rid of the stupid misuse of "issue" or "issues" for "problem". We
> are dealing with explaining technical matters where there is an opportunity
> for ambiguity if we don't stick to universally understood, accepted and
> mandated expressions.
>
> Chris Mason
>
> On Mon, 2 May 2011 17:53:54 -0400, Don Leahy 
> wrote:
>
> >Usage gives meaning.  That's how languages evolve.  Acronyms too,
> >apparently.  ;-)
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: "Under z/OS Unix"

2011-05-05 Thread Rob Schramm
Peter,

I am curious about your last statement.  While I can understand not allowing
telnet/rlogin, what would be the reasoning for denying SSH access?

Rob Schramm

On Thu, May 5, 2011 at 3:06 AM, Hunkeler Peter (KIUP 4) <
peter.hunke...@credit-suisse.com> wrote:

> >The OMVS TSO command is still a convenience for people primarily using
> >foreground TSO. A separate telnet session is not always convenient,
> >and in some cases[1] not even possible.
>
> You're right. But, using a unix shell through a 3270 data stream
> interface the way TSO provides it, is a PITA, IMHO.
>
> "People primarily using TSO foreground" will not gain much from their
> 3270 experience, because UNIX shell command line is so much different
> from TSO/ISPF that you better start to learn it and then feel
> comfortable working in that other environment. This is the background
> for my statement "I consider it TSO/OMVS obsolete".
>
> It doesn't help, as you mentioned, when SSH/telnet/rlogin is not
> available or not allowed.
>
> --
> Peter Hunkeler
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: "Under z/OS Unix"

2011-05-05 Thread Rob Schramm
I might understand (due to "I don't want to set it up") not setting up SSH.
But are there any installations not running TCP/IP these days?

Rob Schramm

On Thu, May 5, 2011 at 8:12 AM, Hunkeler Peter (KIUP 4) <
peter.hunke...@credit-suisse.com> wrote:

> >I am curious about your last statement.  While I can understand not
> >allowing telnet/rlogin, what would be the reasoning for denying SSH
> >access?
>
> Can't tell you (I think it was Shmuel that brought up this argument).
> I can think of:
> - Installation doesn't want to install SSH daemon software.
> - Installation doesn't want to enable TCP/IP access to z/OS.
>
> Reasons? I don't have them handy :-)
>
> --
> Peter Hunkeler
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224



Re: A Pagent/zfs possible timing issue to be aware of

2011-05-05 Thread Rob Schramm
Mary Anne,

What is your chosen solution to deal with the issue?
1) bring up PAGENT late in IPL
2) let PAGENT come up with default and install proper policy after IPL
3) remove shared file system


-- 
Rob Schramm
Senior Systems Engineer



Re: "Under z/OS Unix"

2011-05-05 Thread Rob Schramm
Helpful and a bit weird all at the same time.  Wouldn't it have been easier
to just fix the PRNG issue in the first place by creating a ssh_rand_helper
that used an assembler module to gather entropy.. than creating an option to
deal with the slow PRNG with OpenSSH?

Rob Schramm

On Thu, May 5, 2011 at 10:23 AM, Mullen, Patrick wrote:

> Using the hardware is optional, there's a software implementation too.
> Some smaller lpars may not have enough cpu share to drive the software
> process though in Ported Tools 1.1, I know that this was the case with
> some of our sandbox lpars that experienced chronic timeouts. IBM
> remedied this in Ported Tools 1.2 with the new variable
> _ZOS_SSH_PRNG_CMDS_TIMEOUT.
>
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
> Behalf Of Paul Gilmartin
> Sent: May 5, 2011 8:55 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: "Under z/OS Unix"
>
>
> On Thu, 5 May 2011 08:55:15 -0400, Rob Schramm wrote:
>
> >I might understand (due to "I don't want to set it up") not setting up
> >SSH.  But are there any installations not running TCP/IP these days?
> >
> I should add we have SSH installed but not successfully configured on
> some of our systems because we lack the (separately priced?  Am I
> correct?) hardware feature required for /dev/random.  The mind boggles;
> z/OS /dev/random uses a PRNG, and for that specialized hardware is
> necessary?
>
> -- gil
>



-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224


