Re: SR
I'm not feeling the hate, except for the one item just mentioned. The second sign on amounts to 9 keystrokes, one click and one enter - first character of userid, accept Chrome's prompt, enter password and hit enter. Once a day? No big deal. Leave the browser window open. Being able to attach files is convenient. The long outage was a head scratcher but with one exception I think SR is no worse than and in some ways better than ETR.

The component choice, however, is utterly baffling. How that got into production is a complete mystery. No matter how I try I can not find a valid choice for Comm Server, for example. There's always a delay while they go out and figure out that, yes, we are entitled for the product when I force the choice. I really don't think it is a user issue, either. Something just isn't hooking up right.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433

From: mvs1sp mvs...@yahoo.com
To: IBM-MAIN@bama.ua.edu
Date: 06/08/2012 11:11
Subject: Re: SR
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

I have found it to be very unfriendly. I wish IBM would have incorporated the good features of ETR. I have not gotten emails when the record is updated (my profile requests such), so I have to logon (twice) just to check - this is a time waster to me. I opened a SR to the SR Help Desk, but I do not think they understood the problem.

I have found it incredibly difficult to choose a component. For example, using z/OS as a keyword and selecting the show only entitled check box results in 475 choices. Browsing through that list, I see far more products for which I am NOT licensed. Response time is slower than ETR. In short, ETR much better.

--- On Thu, 6/7/12, Dick Bond dickbond...@gmail.com wrote:

From: Dick Bond dickbond...@gmail.com
Subject: SR
To: IBM-MAIN@bama.ua.edu
Date: Thursday, June 7, 2012, 5:12 PM

Anyone else as disgusted with the SR replacement as I am? Half time, it doesn't update the record correctly and you have to sign-on twice just to get into the thing. On a positive note, you can download files which is nice but does not make up for the generally poor design. Makes me wonder if anyone at IBM bothered to look at the ETR function and how easy that was to use before designing SR. I can't help but feel IBM is shooting itself in the foot by deploying stuff like SR while making it worse than the prior product. Sorry for rant but I see SR just one component of The Rise and Fall of IBM.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN

This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. This communication may contain nonpublic personal information about consumers subject to the restrictions of the Gramm-Leach-Bliley Act. You may not directly or indirectly reuse or redisclose such information for any purpose other than to provide the services for which you are receiving the information. 127 Public Square, Cleveland, OH 44114 If you prefer not to receive future e-mail offers for products or services from Key send an e-mail to mailto:dnereque...@key.com with 'No Promotional E-mails' in the SUBJECT line.
Re: IBM(r) z/OS(r) Management Facility (z/OSMF)
Do it. If you do any policy based networking you'll be happy you did. Incident packaging is nice, we don't use it a ton because we haven't seemed to have had too many incidents for a while but it does make it simpler to get all the diagnostics wrapped up with a bow.

It looks like there's a fair amount of development going on with it, it is not like the old wizard setup that disappeared a while back and I already forgot the name of. Even the first iteration of zOSMF was far more useful than that interface, whatever it was called.

Take good notes on your sandbox install and the rest is child's play. Upgrades at maintenance time are no big deal if you... took good notes in your sandbox install.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433

From: Dazzo, Matt mda...@pch.com
To: IBM-MAIN@bama.ua.edu
Date: 05/24/2012 10:58
Subject: IBM(r) z/OS(r) Management Facility (z/OSMF)
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

So what do you folks have to say about IBM(r) z/OS(r) Management Facility (z/OSMF)? We have zos1.13 up and running and considering configuring IBM(r) z/OS(r) Management Facility (z/OSMF). Looking to find out how hard it is to configure and how useful it is? Or any other info you might find useful.

Thanks
Matthew Dazzo
Sr MVS Systems Programmer
Publishers Clearing House
Port Washington NY
516-944-4816
Re: Servicelink, ETR and SR
Did I miss this in the discussion? I got this from srdonotreply this morning:

'We would like to inform you of an important change in opening and managing service requests with IBM for Passport Advantage and Passport Advantage Express products. Details of the change can be found at ...

HTTP 404. I'll send it to my home email and see if it is something local but I doubt it.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433

From: Mary Anne Matyaz maryanne4...@gmail.com
To: IBM-MAIN@bama.ua.edu
Date: 05/17/2012 10:39
Subject: Re: Servicelink, ETR and SR
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

There might be another ramification. It seems that all of the docview's that come on a google now, the links are broken. For example, if you google IBM DOCVIEW, the hits that show up, similar to this: http://www-01.ibm.com/support/docview.wss?uid=swg21433581 get 404's. Another example, google PM60958. Even if you search for PM60958 from the IBM website, it brings up the broken link. :( I'm assuming the crawlers will update this stuff at some point, hopefully. I don't know if it's related to the SR change, I would think it would have had more to do with SIS than ETR, but it is pretty coincidental.

Mary Anne

On 5/16/2012 3:46 AM, Barbara Nitz wrote:

Given that IBM took away ETR yesterday and has by now forced SR upon the mainframe world - do Americans coming from servicelink also have to login again to get to their ETRs??? Or is this 'privilege' reserved for EMEA? Until ETR was taken away (yesterday morning our time) no extra login from Servicelink was required, SR was reachable using the normal servicelink login. I consider this an error and have opened a ticket.

I complained about this behavior during a closed meeting with Christian Gilmore and other IBMers at SHARE in Orlando back in February. Christian acknowledged the problem and made a note of it at the time, but nothing has been done to change it (yet).
Re: It's feeding time in Jurassic Park . . .
It depends on your definition of 'share'. The HMC is the seat of zManager, which has domain over all the nodes in the ensemble. There are the two network types - INMN, the intra-node management network and the IEDN intra-ensemble data network. The IEDN has the whole ensemble as its scope so here's where the idea of 'sharing' the zBX comes in, to my thinking. The zBX may sit in another node from a given CEC but the units of work are classified through the whole ensemble.

As I say, all I know about it is from an Expo session or two, some reading and the Wildfire session. No real hands-on.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433

From: George Henke gahe...@gmail.com
To: IBM-MAIN@bama.ua.edu
Date: 05/04/2012 21:11
Subject: Re: It's feeding time in Jurassic Park . . .
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

Thomas, This is very helpful. When you say You can couple up to eight nodes, do you mean 8 CECs to a zBx, that 8 CECs can share a zBx? If so, does zManager serialize the I/O?

On Fri, May 4, 2012 at 4:18 PM, Tom Ambros thomas_amb...@keybank.com wrote:

To be pedantic You have a zEnterprise node, which is a z196/z114 with zero or one attached zBX. A zBX may have one to four frames. You can couple up to eight nodes. This comprises the domain of a single zManager.

I suppose you could get clever and set up some sort of recovery and failover system for your blades within the scope of this zManager, but with little to no hands on experience with one of these things I am not totally sure how. I am very confident that it can be done, however, I do believe that there are APIs at the customer's disposal.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433

From: Ken Porowski ken.porow...@cit.com
To: IBM-MAIN@bama.ua.edu
Date: 05/04/2012 16:11
Subject: Re: It's feeding time in Jurassic Park . . .
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

I think the way it works is that you have a 'zEnterprise CEC' which is composed of a z114/z196 and optionally a zBX . The zBX is not standalone

--
This email message and any accompanying materials may contain proprietary, privileged and confidential information of CIT Group Inc. or its subsidiaries or affiliates (collectively, CIT), and are intended solely for the recipient(s) named above. If you are not the intended recipient of this communication, any use, disclosure, printing, copying or distribution, or reliance on the contents, of this communication is strictly prohibited. CIT disclaims any liability for the review, retransmission, dissemination or other use of, or the taking of any action in reliance upon, this communication by persons other than the intended recipient(s). If you have received this communication in error, please reply to the sender advising of the error in transmission, and immediately delete and destroy the communication and any accompanying materials. To the extent permitted by applicable law, CIT and others may inspect, review, monitor, analyze, copy, record and retain any communications sent from or received at this email address.
--

From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of George Henke
Sent: Friday, May 04, 2012 3:46 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: [IBM-MAIN] It's feeding time in Jurassic Park . . .

I do not suppose there is any way of sharing a zBx between 2 CECs.

On Fri, May 4, 2012 at 3:14 PM, Mark Post mp...@suse.com wrote:

On 5/4/2012 at 02:55 PM, George Henke gahe...@gmail.com wrote:

Do I need an Enterprise Class z114 box or will a Business Class one suffice?

There are no such things. IBM marketing confusing things again. A z114 could be considered the equivalent of a BC model and the z196 an EC model.

Mark Post

--
George Henke
(C) 845 401 5614
Re: It's feeding time in Jurassic Park . . .
To be pedantic You have a zEnterprise node, which is a z196/z114 with zero or one attached zBX. A zBX may have one to four frames. You can couple up to eight nodes. This comprises the domain of a single zManager.

I suppose you could get clever and set up some sort of recovery and failover system for your blades within the scope of this zManager, but with little to no hands on experience with one of these things I am not totally sure how. I am very confident that it can be done, however, I do believe that there are APIs at the customer's disposal.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433

From: Ken Porowski ken.porow...@cit.com
To: IBM-MAIN@bama.ua.edu
Date: 05/04/2012 16:11
Subject: Re: It's feeding time in Jurassic Park . . .
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

I think the way it works is that you have a 'zEnterprise CEC' which is composed of a z114/z196 and optionally a zBX . The zBX is not standalone

From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of George Henke
Sent: Friday, May 04, 2012 3:46 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: [IBM-MAIN] It's feeding time in Jurassic Park . . .

I do not suppose there is any way of sharing a zBx between 2 CECs.

On Fri, May 4, 2012 at 3:14 PM, Mark Post mp...@suse.com wrote:

On 5/4/2012 at 02:55 PM, George Henke gahe...@gmail.com wrote:

Do I need an Enterprise Class z114 box or will a Business Class one suffice?

There are no such things. IBM marketing confusing things again. A z114 could be considered the equivalent of a BC model and the z196 an EC model.

Mark Post

--
George Henke
(C) 845 401 5614
DMD and FILESYSTYPE(INET) stack name resolution question
I noticed that the ipsec -F add commands were appearing to work correctly, retcode 0 and the files in /var/dm/filters updated appropriately, but oddly no packet filtering took place. An ipsec -F display command showed no filters in the stack and defensive mode inactive. Specifying the stack name on the ipsec command makes no difference to either the add or the display results.

This only occurs on FILESYSTYPE(INET) stacks on our zOS 1.12 systems, zOS 1.11 INET or CINET stacks sharing the same dmd.conf file with the 1.12 systems work just fine. A 1.12 FILESYSTYPE(CINET) stack worked just fine in my systems sandbox sysplex until I changed it to FILESYSTYPE(INET).

A trace reveals that DMD is not resolving the non-CINET stack name but no other errors (and frustratingly enough I can't seem to get details on the cause of the rc 121 from the trace...) DMStackConfig identifies the stack, mode active - according to DMD. The trace shows this getting parsed and dispatched just fine. The DMD log indicates everything is initializing correctly with the TCPIP stack. An analysis of the TCPIP ipsec info from a dump of the TCPIP address space makes it look like the filters simply aren't there.

I've looked over my TCPIP and resolver setups but I can't find anything different from one system to the next that should cause issue like this, and in fact we define the stack name all over the place even though we are using what would be the default anyway.

Anybody happen to know where DMD gets the stack name from, or how to display what search order it's using, or have a technique for tracing the ipsec command?

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433
Re: What are these facility classes
Compuware Xpediter, according to my pals at Google.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433

From: Lizette Koehler stars...@mindspring.com
To: IBM-MAIN@bama.ua.edu
Date: 02/23/2012 15:37
Subject: What are these facility classes
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

I have two facility classes defined for dynamic LPA.

CSVDYLPA.ADD.XPMDRVR
CSVDYLPA.ADD.XPMMAIN

I cannot find the program names or product associated with XPMDRVR or XPMMAIN. Any clues where I should go for them?

Thanks
Lizette Koehler
Re: TLS, AT-TLS, Encryption Requirements
Make sure you understand the SERVAUTH EZB.INITSTACK.** requirements for things like OMPROUTE and use DELAYSTART if you're autologging things. We're considering whether it is worth changing up parent-child relationships in SA because it can be disconcerting to see lots of ICH408I messages before Policy Agent installs the TLS policy. Once you see some of those you are obliged to inspect to make sure that whatever issued it was intelligent enough to recover, the smart thing is to stamp them all out in your sandbox first.

That's pretty much where we sit right now, we have questions about certain requirements with IKE and NSS which hold up our rollout so production experience is not to be had here yet.

I believe your emulator needs to be capable, my old Attachmate was not.

Encryption will run anywhere, but it's like what they ask you if you want to play baccarat. Do you have a lot of money? Crypto hardware not necessary but preferred.

In our case, we're playing around with automatic VPN tunneling because relying on products on a desktop to be capable is not always possible.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433

From: Henke, George george.he...@hp.com
To: IBM-MAIN@bama.ua.edu
Date: 02/07/2012 14:32
Subject: TLS, AT-TLS, Encryption Requirements
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

Has anyone done this? Besides coding TTLS in the TCPCONFIG statement in the TCPIP PROFILE does anything else, like enabling encryption cards, need to be done? Also, is TLS downward compatible with older TN3270 emulators, like PROCOMM?
RACF Passticket: password required on userid?
Forgive me for posting this here, it belongs on the RACF list I am sure but I do not have that address handy to register. It may be a simple enough question that it can be answered here.

I am attempting to use the passticket authentication method for the IKE client to NSS. If I define a password on the client, no problem. IKE establishes a connection to the NSS task, I verify I use the Passticket: RACFQUAL 132:SUCC INIT USING PASSTICKET from an MXG SAS interpretation of SMF 80.

If I remove the password from the client, ICH408I Invalid Password. I find no documentation that indicates it is input to the algorithm nor any documentation that a user employing passtickets requires a password.

Why is a password necessary?

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433
Re: RACF Passticket: password required on userid?
I submitted an SR and the word I get from RACF L2 is that RACF simply won't evaluate a protected userid, logon is rejected unconditionally. I understand that this is documented as a basic principle. I am going to have to puzzle over the implications of allowing a protected userid to use passtickets, I am not immediately seeing what exposure would be introduced. At any rate, I have what it takes to proceed. Thanks...

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433

From: Charles Mills charl...@mcn.org
To: IBM-MAIN@bama.ua.edu
Date: 02/07/2012 17:27
Subject: Re: RACF Passticket: password required on userid?
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

I am not familiar with IKE or NSS but I am something of a PassTicket expert IMHO. PassTickets are essentially an alternative to passwords. They are password-like; they do not depend on passwords. No password is input to the algorithm. The closest thing is the stored secure application key (name from memory) which is 16 hex digits. There are three inputs:

- stored secure application key
- current time of day
- application name

In my experience the second is a small gotcha and the third is a big gotcha. Are there two systems in your picture? Are both of their clocks set to Zulu time, and fairly accurately? Are you *sure* you have the application name correct. It is a HUGE gotcha.

A wild guess is the reason it works with a password is because the password itself is being used for successful authentication, not the PassTicket. Well, you say that's not so. I don't know.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Tom Ambros
Sent: Tuesday, February 07, 2012 1:50 PM
To: IBM-MAIN@bama.ua.edu
Subject: RACF Passticket: password required on userid?

Forgive me for posting this here, it belongs on the RACF list I am sure but I do not have that address handy to register. It may be a simple enough question that it can be answered here.

I am attempting to use the passticket authentication method for the IKE client to NSS. If I define a password on the client, no problem. IKE establishes a connection to the NSS task, I verify I use the Passticket: RACFQUAL 132:SUCC INIT USING PASSTICKET from an MXG SAS interpretation of SMF 80.

If I remove the password from the client, ICH408I Invalid Password. I find no documentation that indicates it is input to the algorithm nor any documentation that a user employing passtickets requires a password.

Why is a password necessary?
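The two gotchas named in Charles Mills's reply above (clock agreement between the two systems and the exact application name) can be shown with a small time-windowed ticket check. This is an added example, not code from the thread and not the RACF PassTicket algorithm: it substitutes HMAC-SHA256 for the real derivation, and the key, userid, application names, 600-second tolerance and the binding of the ticket to the userid are all assumptions made for the sketch.

```python
"""Time-windowed ticket sketch. NOT the RACF PassTicket algorithm:
HMAC-SHA256 stands in for the real derivation so the failure modes
(clock skew, wrong application name) can be reproduced offline."""
import hashlib
import hmac
import struct

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
SKEW_SECONDS = 600                       # assumed tolerance, constructed
KEY = bytes.fromhex("0123456789ABCDEF")  # constructed 16-hex-digit key


def make_ticket(key, userid, applname, when):
    """Derive an 8-character ticket from key, userid, application, time."""
    msg = (userid.upper().ljust(8).encode()
           + applname.upper().ljust(8).encode()
           + struct.pack(">Q", when))
    n = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:8], "big")
    chars = []
    for _ in range(8):
        n, r = divmod(n, 36)
        chars.append(ALPHABET[r])
    return "".join(chars)


def find_offset(key, userid, applname, ticket, server_now, skew):
    """Return (ticket time - server time) if a match exists within
    +/- skew seconds of the server clock, else None."""
    for delta in range(skew + 1):
        for d in ((0,) if delta == 0 else (delta, -delta)):
            candidate = make_ticket(key, userid, applname, server_now + d)
            if hmac.compare_digest(candidate, ticket):
                return d
    return None


def validate(key, userid, applname, ticket, server_now):
    """Accept the ticket only inside the normal tolerance window."""
    return find_offset(key, userid, applname, ticket,
                       server_now, SKEW_SECONDS) is not None


def diagnose(key, userid, applname, ticket, server_now,
             other_applnames, wide_skew=7200):
    """Explain a rejected ticket: clock drift or wrong application name.

    First widens the time window with the configured application name,
    then retries the normal window with each alternative name."""
    off = find_offset(key, userid, applname, ticket, server_now, SKEW_SECONDS)
    if off is not None:
        return ("ok", off)
    off = find_offset(key, userid, applname, ticket, server_now, wide_skew)
    if off is not None:
        return ("clock", off)
    for name in other_applnames:
        if validate(key, userid, name, ticket, server_now):
            return ("applname", name)
    return ("unknown", None)


if __name__ == "__main__":
    t0 = 1_328_650_000  # constructed timestamp
    ticket = make_ticket(KEY, "USER1", "APPL1", t0)
    # Same name, clocks two minutes apart: accepted.
    print(diagnose(KEY, "USER1", "APPL1", ticket, t0 + 120, []))
    # Same name, validator clock an hour ahead: rejected, drift reported.
    print(diagnose(KEY, "USER1", "APPL1", ticket, t0 + 3600, []))
    # Validator configured with a different application name.
    print(diagnose(KEY, "USER1", "APPL2", ticket, t0, ["APPL1", "APPL3"]))
```

Note that a rejected ticket looks identical to the validator in both failure cases; only a side-by-side check of the clocks and the configured names tells them apart.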
Re: TCPIP question - on the subject of more than one stack per zOS image
There's no compelling reason, as far as I know, to run more than one stack with the progress that has been made. IBM recommends that you do not. There's a set of four very good redbooks on TCP/IP Implementation, SG24-7798-00 through SG24-7801-00. I have leaned on them heavily recently, especially the fourth volume on security and policy based networking.

Recently we collapsed a couple of dual stack systems down to one because of the improved flexibility possible in the IP filtering. We were able to restrict access to certain endpoints while letting general traffic flow and that was not something we figured out how to do with the stack based filters.

I am crabbing about having to set up NSS to get IKEv2 and trust chains when I only have one sysplex involved (passtickets, AT-TLS etc etc) but that's another issue.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433
Re: SMF 119 report
Do you have MXG? If you do I may have something already coded.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433

From: Andy White awh...@metlife.com
To: IBM-MAIN@bama.ua.edu
Date: 11/10/2011 08:21
Subject: SMF 119 report
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

Does anyone out there have a basic report (can be in SAS) which produces a report based on SMF 119 records? I wanted to see where FTPs are going and DSNS being sent. Thanks in advance.

Andy S. White
Naive BCPii questions
- I have the zSeries API documentation and the BCPii specific zOS docs but I am not able to find items related to returned values, for example HWIQUERY of HWI_OPERSTAT. I can probe and knowing the state of what I'm seeing can infer what I am getting but I'd like to find wherever these flags are defined to make sure I'm writing my app correctly. For example, querying a deactivated lpar I get x'0008', an activated lpar that's varied from the sysplex I see x'0002' and a running CF gives me x'0001'. That's great but I am concerned about what I don't know here. Where can I find this stuff?

- Event notifications... I'd like to automate the responses when I start my sysplex on the DR machines. Activating and IPLing is pretty easy. Receiving events, I find not so easy. I do not have a C compiler at my disposal, so at least that part is easier... but the scheme I am not sure how to approach. I believe I'll call the event notification exit by virtue of the HWIEVENT registration, and I'm guessing that I let the exit do whatever processing I want. Two thoughts come to mind there. I can wait for the activation to complete by looping a bunch of queries until I get my x'0001' (or hit what loop limit I set) or I can register for the state change. How to return to my HWIEVENT registering program the state change so it can proceed to do the rest of its business? This is where my program management skills are showing their weakness. I'm guessing something like feeding Reg15 a return code would work but that has its limitations when I start dealing with things not so straightforward. I'd really like to register for operating system messages and process the various WTORs as they appear (IEA347A, IXC this and that for CFs, couple datasets, etc., subduing automation and so on... remember I don't have ProcOps on the first system in). When I call the exit, is it setting up connections of its own and processing the ENF info itself? The examples in the manuals are pretty amusing, responding with WTOs to the events, but that'd be a bit useless in this case.

Probably the best answer I'm looking for is which docs I should be looking at so I can figure this stuff out... mostly I'm looking to shorten the research path as much as I can. Thanks...

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433
Email Classification: KeyCorp Internal
Re: Naive BCPii questions
Thanks. I knew they were there somewhere, I am embarrassed to admit I saw those earlier but lost track of where they were found.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433

Walt Farrell wfarr...@us.ibm.com
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
08/16/2011 10:07
Please respond to IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
To: IBM-MAIN@bama.ua.edu
cc:
Subject: Re: Naive BCPii questions

On Tue, 16 Aug 2011 08:50:38 -0400, Tom Ambros thomas_amb...@keybank.com wrote:

> - I have the zSeries API documentation and the BCPii specific zOS docs but I am not able to find items related to returned values, for example HWIQUERY of HWI_OPERSTAT. I can probe and knowing the state of what I'm seeing can infer what I am getting but I'd like to find wherever these flags are defined to make sure I'm writing my app correctly. For example, querying a deactivated lpar I get x'0008', an activated lpar that's varied from the sysplex I see x'0002' and a running CF gives me x'0001'. That's great but I am concerned about what I don't know here. Where can I find this stuff?

Chapter 4 of the System z API book (SB10-7030-13) seems to have a lot of information, including some C #define statements giving values for various integer and bit flag values.

I'm not quite sure how to map the names (such as HWI_OPERSTAT) used with BCPii into the object names shown in that book, but in the book you'll find these value definitions (for example) that seem meaningful for the results you saw:

<quote>
/**/
/* Defines for the Hardware Management Console Status Values. */
/**/
#define HWMCA_STATUS_OPERATING 0x0001
#define HWMCA_STATUS_NOT_OPERATING 0x0002
#define HWMCA_STATUS_NO_POWER 0x0004
#define HWMCA_STATUS_NOT_ACTIVATED 0x0008
#define HWMCA_STATUS_EXCEPTIONS 0x0010
#define HWMCA_STATUS_STATUS_CHECK 0x0020
#define HWMCA_STATUS_SERVICE 0x0040
#define HWMCA_STATUS_LINKNOTACTIVE 0x0080
#define HWMCA_STATUS_POWERSAVE 0x0100
#define HWMCA_STATUS_SERIOUSALERT 0x0200
#define HWMCA_STATUS_ALERT 0x0400
#define HWMCA_STATUS_ENVALERT 0x0800
#define HWMCA_STATUS_SERVICE_REQ 0x1000
#define HWMCA_STATUS_DEGRADED 0x2000
#define HWMCA_STATUS_STORAGE_EXCEEDED 0x0100
#define HWMCA_STATUS_LOGOFF_TIMEOUT 0x0200
#define HWMCA_STATUS_FORCED_SLEEP 0x0400
#define HWMCA_STATUS_IMAGE_NOT_OPERATING 0x0800
#define HWMCA_STATUS_IMAGE_NOT_ACTIVATED 0x1000
#define HWMCA_STATUS_IMAGE_NOT_CAPABLE 0x2000
#define HWMCA_STATUS_UNKNOWN 0x4000
</quote>

Note that I'm not claiming any BCPii expertise :)

--
Walt Farrell
IBM STSM, z/OS Security Design
Anyone running cascaded Metro/Global Mirror?
We're being told that we are not going to see consistency groups formed on the GM side while we run MM until we suspend MM at which point we get one consistency group formed and can flash to our recovery volumes at the remote site. This is inconsistent with the DS8000 Copy Services documentation section 30.2 if I read that correctly.

Can anyone confirm or deny the 'no consistency group while Metro Mirror running', how shall we phrase this delicately, hypothesis? Thanks...

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433
Email Classification: KeyCorp Internal
ITEM NAME(MSGBASED) - any considerations?
For various reasons I'm going back through and reading some stuff I haven't looked at in a long time... like before zOS 1.8, in this case. I see the CFRM couple dataset format parm MSGBASED. Is this a no-brainer or are there considerations sites have experienced that are not necessarily mentioned in the Setting up a Sysplex doc? Thanks...

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433
Email Classification: KeyCorp Internal
zOSMF: Site customizable user roles
As zOSMF includes more functions, it is more likely that an installation will want to add user roles beyond the few available today. For instance, I'd like to set it up so my Capacity Planning group can see Links and WLM admin, but not Comm Server Configuration. Certainly I can protect all those functions at the back end but I'd like to hide the doors, so to speak. After a while I know I'm going to run into some group that gets their feelings hurt if they see a choice but get SAF'ed out of it, and then their boss gets the violation report from Info Security so I end up getting a 'how can we stop this' requirement.

I tried hacking around but clearly missed a piece. Results were unsatisfactory. Has anybody been successful in adding user roles beyond Admin/User/Unauth User/Guest? If not, are there plans in future releases for this sort of thing that anybody knows about?

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433
Email Classification: KeyCorp Internal
zOS Media Manager and encryption - practical?
Would it be practical to implement encryption at the Media Manager layer, key label and access rule definitions maintained in the SMS dataclass, similar to the way it's done in the distributed environment by the IBM Encryption Expert product? Basically, that product installs a shim in the kernel just above the I/O driver level and transparent to the application does the encrypt/decrypt operations. An appliance serves the keys and access rules to the affected servers, and from the sounds of things the product supports common OS and file systems in the distributed world.

Storage based encryption is regarded as a secondary control, locally, which is a whole different conversation. The attraction to a MM level encryption scheme is that however we built our indices we can encrypt anything we need to without app changes. Layered on top of hardware encryption and with rules around what is encrypted or decrypted and whether utilities can perform it (think IDCAMS can't decrypt a cluster if some programmer repros it...) we have a solid case to convince just about any regulator we're secure.

Enlighten me as to my naivete on the technical aspects of such a scheme.

Operating Systems and Connectivity Engineering
518-436-6433
Email Classification: KeyCorp Public
Re: zOSMF: Site customizable user roles
No joy. Talks about modifying predefined roles. No content on adding new ones.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433

Gary DiPillo gdipi...@axiosproducts.com
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
04/25/2011 10:21
Please respond to IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
To: IBM-MAIN@bama.ua.edu
cc:
Subject: Re: zOSMF: Site customizable user roles

Tom,

A draft Redbook was just announced. It may provide more details for you.

*z/OS Management Facility*
Revised: April 19, 2011
More details are available at http://www.redbooks.ibm.com/redpieces/abstracts/sg247851.html?Open
http://www.ibm.com/vrm/newsletter_10300_8855_192978_email_DYN_1IN/GDiPillo126694429

Regards,
Gary DiPillo
Axios Products

On 04/25/2011 8:52 AM, Tom Ambros wrote:

> As zOSMF includes more functions, it is more likely that an installation will want to add user roles beyond the few available today. For instance, I'd like to set it up so my Capacity Planning group can see Links and WLM admin, but not Comm Server Configuration. Certainly I can protect all those functions at the back end but I'd like to hide the doors, so to speak. After a while I know I'm going to run into some group that gets their feelings hurt if they see a choice but get SAF'ed out of it, and then their boss gets the violation report from Info Security so I end up getting a 'how can we stop this' requirement.
>
> I tried hacking around but clearly missed a piece. Results were unsatisfactory. Has anybody been successful in adding user roles beyond Admin/User/Unauth User/Guest? If not, are there plans in future releases for this sort of thing that anybody knows about?
>
> Thomas Ambros
> Operating Systems and Connectivity Engineering
> 518-436-6433
> Email Classification: KeyCorp Internal

--
Axios Products, Inc.
supp...@axiosproducts.com
631-864-3666 x133
z/OS Management Facility - Drift. Batch method to clean up Incident Log?
How do we clean up unreasonably large numbers of duplicate Incident Log entries? Is there a good programmatic way to do it? Aside from assigning the virtual equivalent of making somebody write on the chalkboard I will not leave MATCHLIM undefined 65535 times, telling them to clean up each Incident Log entry one by one.

I'd also like to be able to easily locate all the Incident Log entries that don't have SVC dumps any more because somebody simply deleted them.

I suppose one could hack into the /var directory and figure it out but I already tried similar things and broke my sandbox repeatedly. If nobody has such a thing, I'll take another run at it.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433
Email Classification: KeyCorp Public