Re: Shell Scripts in EKM
We are going to try that next. I was hesitant since I was not sure if that would prevent us from using MODIFY commands against the STC. The other thing is I was always taught to ensure there were MESSAGE IDs on any messages I produced. It did mot matter if mainframe or other. I am not sure why JAVA seems to think it is s special it relies on something else on the mainframe to do it for them. Seems like an inconsistant coding technique in my opinion. Lizette Happy New Year to everybody! Lizette, I just read about BPX.CONSOLE and I must say that the description is rather fuzzy. However, my guess is that you have BPX.CONSOLE defined and that your EKM server's userid is permitted to BPX.CONSOLE. If so, as per description of the BPX1CCS, it has to provide it's own message prefix. Note that this requirement is *not clearly* documented in the XL C/C++ runtime reference for __console(), so how should someone coding in C/C++ know about that??. I'd try to take the permission to BPX.CONSOLE away from EKM's userid and see if that helps. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Shell Scripts in EKM
Happy New Year to everybody! Lizette, I just read about BPX.CONSOLE and I must say that the description is rather fuzzy. However, my guess is that you have BPX.CONSOLE defined and that your EKM server's userid is permitted to BPX.CONSOLE. If so, as per description of the BPX1CCS, it has to provide it's own message prefix. Note that this requirement is *not clearly* documented in the XL C/C++ runtime reference for __console(), so how should someone coding in C/C++ know about that??. I'd try to take the permission to BPX.CONSOLE away from EKM's userid and see if that helps. -- Peter Hunkeler CREDIT SUISSE -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Shell Scripts in EKM
Java (JZOS) console api uses the C-language _console2() function, which uses the BPX1CCS api (USS). Don't confuse villain with victim :-) But I agree with you re: BPX1CCS documentation. BPX.CONSOLE authority is what removes the BPX msgid prefix from messages written using BPX1CCS. If you want your own message ids, just write your message that begins with the ID and ensure that the user has this permission. Kirk Wolf Dovetailed Technologies On Mon, Jan 5, 2009 at 11:31 AM, Lizette Koehler stars...@mindspring.com wrote: We are going to try that next. I was hesitant since I was not sure if that would prevent us from using MODIFY commands against the STC. The other thing is I was always taught to ensure there were MESSAGE IDs on any messages I produced. It did mot matter if mainframe or other. I am not sure why JAVA seems to think it is s special it relies on something else on the mainframe to do it for them. Seems like an inconsistant coding technique in my opinion. Lizette Happy New Year to everybody! Lizette, I just read about BPX.CONSOLE and I must say that the description is rather fuzzy. However, my guess is that you have BPX.CONSOLE defined and that your EKM server's userid is permitted to BPX.CONSOLE. If so, as per description of the BPX1CCS, it has to provide it's own message prefix. Note that this requirement is *not clearly* documented in the XL C/C++ runtime reference for __console(), so how should someone coding in C/C++ know about that??. I'd try to take the permission to BPX.CONSOLE away from EKM's userid and see if that helps. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Shell Scripts in EKM
Are you running the EKM Server under MVS with JZOS batch loader? While I agree with you both concerning the lousy messaging, running the EKM Server as a started task with the batch loader modifies the message enough for automation (we use BMC) to pickup on the fact that EKM is up and available. When we start EKM we get the following: 08363 02:52:24.47 STC09716 000A0294 BPXM023I (EKMSERV) Processing 08363 02:52:24.47 STC09716 0090 BPXM023I (EKMSERV) Server is started 08363 02:52:24.47 STC09716 000A0294 BPXM023I (EKMSERV) Server is running. TCP port: 3801, SSL port: 5443 08363 02:52:24.47 STC09716 000A0294 BPXM023I (EKMSERV) Server is running. TCP port: 3801, SSL port: 5443 We key off the BPXM023I message looking for EKMSERV Jim Holloway - MetLife Hunkeler Peter (KIUK 3) wrote on 12/31/2008 10:41:13 +0100 Date:Wed, 31 Dec 2008 10:41:13 +0100 From:Hunkeler Peter (KIUK 3) peter.hunke...@credit-suisse.com Subject: Re: Shell Scripts in EKM The reason is our EMK server on z/OS V1.9 does not have any message IDs, so all we get is the following text: Server is running. TCP port: 3801, SSL port: 1443 Seems like inacceptable behaviour for a software to be run on z/OS. I'd try to open a PMR requesting identifiable messages. -- Peter Hunkeler Credit Suisse Date:Wed, 31 Dec 2008 05:40:33 -0500 From:Lizette Koehler stars...@mindspring.com Subject: Re: Shell Scripts in EKM I have already done that. A requirements hasw been accepted. But with ported applications I am not sure how long it will take for IBM to action this. Not enough z/OS Users or tape encryption to put pressure on sooner than later. So in the meantime, I am hoping a shell script could be created that will give us the message we need for automation. Lizette The information contained in this message may be CONFIDENTIAL and is for the intended addressee only. Any unauthorized use, dissemination of the information, or copying of this message is prohibited. If you are not the intended addressee, please notify the sender immediately and delete this message. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Shell Scripts in EKM
Yes we are running JZOS batch loader and EKM as an STC. However, we have no BPXM023I messages. Only the text of the messages. I have asked IBM about this and they indicated it has to do with the BPX.CONSOLE profile. How is yours set for EKM STC? Is EKM STC in the access list? Lizette -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Jim Holloway Sent: Thursday, January 01, 2009 9:23 AM To: IBM-MAIN@bama.ua.edu Subject: Re: Shell Scripts in EKM Are you running the EKM Server under MVS with JZOS batch loader? While I agree with you both concerning the lousy messaging, running the EKM Server as a started task with the batch loader modifies the message enough for automation (we use BMC) to pickup on the fact that EKM is up and available. When we start EKM we get the following: 08363 02:52:24.47 STC09716 000A0294 BPXM023I (EKMSERV) Processing 08363 02:52:24.47 STC09716 0090 BPXM023I (EKMSERV) Server is started 08363 02:52:24.47 STC09716 000A0294 BPXM023I (EKMSERV) Server is running. TCP port: 3801, SSL port: 5443 08363 02:52:24.47 STC09716 000A0294 BPXM023I (EKMSERV) Server is running. TCP port: 3801, SSL port: 5443 We key off the BPXM023I message looking for EKMSERV Jim Holloway - MetLife Hunkeler Peter (KIUK 3) wrote on 12/31/2008 10:41:13 +0100 Date:Wed, 31 Dec 2008 10:41:13 +0100 From:Hunkeler Peter (KIUK 3) peter.hunke...@credit-suisse.com Subject: Re: Shell Scripts in EKM The reason is our EMK server on z/OS V1.9 does not have any message IDs, so all we get is the following text: Server is running. TCP port: 3801, SSL port: 1443 Seems like inacceptable behaviour for a software to be run on z/OS. I'd try to open a PMR requesting identifiable messages. -- Peter Hunkeler Credit Suisse Date:Wed, 31 Dec 2008 05:40:33 -0500 From:Lizette Koehler stars...@mindspring.com Subject: Re: Shell Scripts in EKM I have already done that. A requirements hasw been accepted. But with ported applications I am not sure how long it will take for IBM to action this. Not enough z/OS Users or tape encryption to put pressure on sooner than later. So in the meantime, I am hoping a shell script could be created that will give us the message we need for automation. Lizette The information contained in this message may be CONFIDENTIAL and is for the intended addressee only. Any unauthorized use, dissemination of the information, or copying of this message is prohibited. If you are not the intended addressee, please notify the sender immediately and delete this message. - - For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Shell Scripts in EKM
The reason is our EMK server on z/OS V1.9 does not have any message IDs, so all we get is the following text: Server is running. TCP port: 3801, SSL port: 1443 Seems like inacceptable behaviour for a software to be run on z/OS. I'd try to open a PMR requesting identifiable messages. -- Peter Hunkeler Credit Suisse -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Shell Scripts in EKM
I have already done that. A requirements hasw been accepted. But with ported applications I am not sure how long it will take for IBM to action this. Not enough z/OS Users or tape encryption to put pressure on sooner than later. So in the meantime, I am hoping a shell script could be created that will give us the message we need for automation. Lizette The reason is our EMK server on z/OS V1.9 does not have any message IDs, so all we get is the following text: Server is running. TCP port: 3801, SSL port: 1443 Seems like inacceptable behaviour for a software to be run on z/OS. I'd try to open a PMR requesting identifiable messages. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Shell Scripts in EKM
Yes, it is in the manual. _ Dave Jousma Assistant Vice President, Mainframe Services david.jou...@53.com 1830 East Paris, Grand Rapids, MI 49546 MD RSCB1G p 616.653.8429 f 616.653.8497 -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Lizette Koehler Sent: Tuesday, December 30, 2008 8:17 PM To: IBM-MAIN@bama.ua.edu Subject: Re: Shell Scripts in EKM Dave, Where is that documented? Is it in a manual? Lizette -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Jousma, David Sent: Tuesday, December 30, 2008 2:33 PM To: IBM-MAIN@bama.ua.edu Subject: Re: Shell Scripts in EKM Lizette, You didn’t ask for it, but you might also want something like the following job. It is really the only way to prove that a tape is encrypted. It runs a supplied java program that lists all the tapes that have been encrypted. //STEP3 EXEC PGM=IKJEFT1B //SYSEXEC DD DSN=SYS1.SBPXEXEC,DISP=SHR //SYSTSPRT DD SYSOUT=* //SYSTSIN DD *,DLM=$$ OSHELL java com.ibm.keymanager.tools.EKMDataParser -filename+ This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Shell Scripts in EKM
Lizette, You didn’t ask for it, but you might also want something like the following job. It is really the only way to prove that a tape is encrypted. It runs a supplied java program that lists all the tapes that have been encrypted. //STEP3 EXEC PGM=IKJEFT1B //SYSEXEC DD DSN=SYS1.SBPXEXEC,DISP=SHR //SYSTSPRT DD SYSOUT=* //SYSTSIN DD *,DLM=$$ OSHELL java com.ibm.keymanager.tools.EKMDataParser -filename+ /opt/ekm/metafile.xml -keyalias yourcertaliasname $$ I have yet to make this a production job, because my job scheduling guys have not figured out how to know what system to run the job on. Long story, but we don’t do shared filesystems, and EKM is setup to flip-flop between two systems automagically for IPL's or other failures. _ Dave Jousma Assistant Vice President, Mainframe Services david.jou...@53.com 1830 East Paris, Grand Rapids, MI 49546 MD RSCB1G p 616.653.8429 f 616.653.8497 -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Lizette Koehler Sent: Tuesday, December 30, 2008 1:48 PM To: IBM-MAIN@bama.ua.edu Subject: Shell Scripts in EKM Is it possible to create a shell script to execute at startup time in EKM to produce a startup message? Ad if I could do this at shutdown time as well - awesome. Have it say someting like EKM0001I EKMESRVER on SYSNAME is Up on date / time If so, since I am not shel oriented how could I do this? The reason is our EMK server on z/OS V1.9 does not have any message IDs, so all we get is the following text: Server is running. TCP port: 3801, SSL port: 1443 This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Shell Scripts in EKM
Dave, Where is that documented? Is it in a manual? Lizette -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Jousma, David Sent: Tuesday, December 30, 2008 2:33 PM To: IBM-MAIN@bama.ua.edu Subject: Re: Shell Scripts in EKM Lizette, You didn’t ask for it, but you might also want something like the following job. It is really the only way to prove that a tape is encrypted. It runs a supplied java program that lists all the tapes that have been encrypted. //STEP3 EXEC PGM=IKJEFT1B //SYSEXEC DD DSN=SYS1.SBPXEXEC,DISP=SHR //SYSTSPRT DD SYSOUT=* //SYSTSIN DD *,DLM=$$ OSHELL java com.ibm.keymanager.tools.EKMDataParser -filename+ /opt/ekm/metafile.xml -keyalias yourcertaliasname $$ I have yet to make this a production job, because my job scheduling guys have not figured out how to know what system to run the job on. Long story, but we don’t do shared filesystems, and EKM is setup to flip-flop between two systems automagically for IPL's or other failures. _ Dave Jousma Assistant Vice President, Mainframe Services david.jou...@53.com 1830 East Paris, Grand Rapids, MI 49546 MD RSCB1G p 616.653.8429 f 616.653.8497 -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Lizette Koehler Sent: Tuesday, December 30, 2008 1:48 PM To: IBM-MAIN@bama.ua.edu Subject: Shell Scripts in EKM Is it possible to create a shell script to execute at startup time in EKM to produce a startup message? Ad if I could do this at shutdown time as well - awesome. Have it say someting like EKM0001I EKMESRVER on SYSNAME is Up on date / time If so, since I am not shel oriented how could I do this? The reason is our EMK server on z/OS V1.9 does not have any message IDs, so all we get is the following text: Server is running. TCP port: 3801, SSL port: 1443 This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. - - For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html