Re: TSO Setup on SSH
Hello Paul, Thanks. So, in pcom session I should use o 992 instead of telnet port 23 which we are currently using it. If yes, then also suggest what more changes we need to make to have 992 tso connection work to access tso On Nov 22, 2016 10:27, "Paul Gilmartin" < 000433f07816-dmarc-requ...@listserv.ua.edu> wrote: > On Tue, 22 Nov 2016 11:22:54 +0530, venkat kulkarni wrote: > > >Thanks. As I am in process of setting up open ssh on our zos system and > now > >I am able to log in to system on once using my tso I'd with ssh port 22. > >But was not able to connect to tso with port 22 by making changes in pcom > >session connection. > > > BTW, if you want a secure tn3270 connection, the conventional port is > 992. Lots of IBM documentation mentions this. > > -- gil > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
On Tue, 22 Nov 2016 11:22:54 +0530, venkat kulkarni wrote: >Thanks. As I am in process of setting up open ssh on our zos system and now >I am able to log in to system on once using my tso I'd with ssh port 22. >But was not able to connect to tso with port 22 by making changes in pcom >session connection. > BTW, if you want a secure tn3270 connection, the conventional port is 992. Lots of IBM documentation mentions this. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
On Tue, 22 Nov 2016 14:20:34 +0800, Timothy Sipples wrote: > >In contrast, TN3270E tunneling over SSH is not that common. The >SSH Tectia Server for z/OS, a commercial product, officially supports 3270 >tunneling over SSH. As far as I know the OpenSSH server included with z/OS >2.2, and its predecessors provided with the IBM Ported Tools for z/OS, do >not. > It may work better than you expect. On my MacBook where I'm emperor of the universe can set up local forwarding of port 12345 to z/OS 23. Then I TELNET to localhost 12345 and get a linemode connection to z/OS TSO with old-fashioned LOGON prompt. Then it fails because allocation fails for ISPF350.LPALIB. I'm almost there. Can't set up remote forwarding at all which would be secure. But that may be due to security cofiguration. And I can't do some tests because there's no telnet client on z/OS. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
That's not how TN3270E protocols typically work. If you want encrypted TN3270E sessions (you should!), I recommend you enable TLS/SSL-encrypted TN3270E. That capability has been available for two decades now at no additional charge, starting way back in the OS/390 days, and progressively improved ever since. (DES and 3DES encrypted SNA has been around even longer than that.) There are a lot of references describing how to configure TLS/SSL-encrypted TN3270E, but try this one first: http://www.redbooks.ibm.com/abstracts/sg248099.html Chapter 16 is where you'll want to spend most of your time, and specifically with the AT-TLS configuration. Note that you'll most likely want to deploy a TLS/SSL server certificate signed by a well known CA as part of your setup. IBM Personal Communications, IBM Host On-Demand, and virtually all other 3270 emulation software products support TLS/SSL-encrypted TN3270E sessions and have for many years (also for a couple decades really) -- with nothing particularly exotic or strange for the end users to do when configuring sessions. In contrast, TN3270E tunneling over SSH is not that common. The SSH Tectia Server for z/OS, a commercial product, officially supports 3270 tunneling over SSH. As far as I know the OpenSSH server included with z/OS 2.2, and its predecessors provided with the IBM Ported Tools for z/OS, do not. Timothy Sipples IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
On Mon, 21 Nov 2016 23:03:17 -0700, Jack J. Woehr wrote: > >However, on the PCOMM workstation, *if* you have ssh, you can do an ssh port >redirect first, and then you can get >through to the Telnet3270E port on your z/OS machine. > I believe that requires an ssh *server* on the workstation. Until recently, I was able to run sshd under Cygwin on my employer's PC. Not lately; I suspect someone tightened security rules. > From a command line on the workstation you would do: > >ssh -Llocalhost:12345:myzosbox:23 myid@myzosbox > Even so, isn't forwarding being done on localhost which makes an unsecured connection to myzosbox:23, which may not meet the requirement? > >and after you have logged in via ssh a redirection is established from your >local port 12345 to z/OS's port 23. > >After establishing the redirect, use PCOMM to connect to localhost:12345 ... >Thus, you will be going into the z/OS port >23 via the redirect via SSH port 22 on the z/OS box. > When I try remote forwarding with the -R option, which should make a secured connection, I get: Warning: remote port forwarding failed for listen port 12345 >But really, using secure Telnet3270E is easier! > I assume there's some unstated requirement to get to the TSO READY prompt. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
venkat kulkarni wrote: So, I wanted to take help of expert to make this tso connection work with port 22. Please correct me if my understanding is wrong Well, I'm hardly an "expert". SSH and secure Telnet3270E essentially use the same security technology, that is, OpenSSL. Secure Telnet3270E works out of the box with z/OS. OpenSSH sshd running in Unix System Services will not, as far as I know, pass you directly through to TSO. Changing the settings in PCOMM won't affect that. However, on the PCOMM workstation, *if* you have ssh, you can do an ssh port redirect first, and then you can get through to the Telnet3270E port on your z/OS machine. From a command line on the workstation you would do: ssh -Llocalhost:12345:myzosbox:23 myid@myzosbox and after you have logged in via ssh a redirection is established from your local port 12345 to z/OS's port 23. After establishing the redirect, use PCOMM to connect to localhost:12345 ... Thus, you will be going into the z/OS port 23 via the redirect via SSH port 22 on the z/OS box. Does this help? But really, using secure Telnet3270E is easier! -- Jack J. Woehr # Science is more than a body of knowledge. It's a way of www.well.com/~jax # thinking, a way of skeptically interrogating the universe www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
On Tue, 22 Nov 2016 11:12:51 +0530, venkat kulkarni wrote: >It's on live system not on zpdt. But as I mentioned before I would like to >use secure port 22 to connect with tso instead of telnet port 23. > >Please suggest me the way to make this connection work. > Can you get a secure connection with a 3278? But does that put you directly in ISPF rather than at the TSO READY prompt? Would a READY prompt on a 3278 satisfy your needs? If so, you need to have an alternative logon PROCEDURE defined that doesn't automatically start ISPF. (I assume since you say you can use sftp that you have a well-featured client such as PuTTY, Hummingbird, Cygwin, Linux, OS X, whatever.) -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
Thanks. As I am in process of setting up open ssh on our zos system and now I am able to log in to system on once using my tso I'd with ssh port 22. But was not able to connect to tso with port 22 by making changes in pcom session connection. So, I wanted to take help of expert to make this tso connection work with port 22. Please correct me if my understanding is wrong On Nov 22, 2016 08:46, "Jack J. Woehr"wrote: > venkat kulkarni wrote: > >> It's on live system not on zpdt. But as I mentioned before I would like to >> use secure port 22 to connect with tso instead of telnet port 23. >> >> Please suggest me the way to make this connection work. >> > Don't you just want secure TN3270e? You don't need SSH itself. > > http://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com. > ibm.zos.v2r1.halz002/security_tn3270e.htm > > -- > Jack J. Woehr # Science is more than a body of knowledge. It's a way of > www.well.com/~jax # thinking, a way of skeptically interrogating the > universe > www.softwoehr.com # with a fine understanding of human fallibility. - > Carl Sagan > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
venkat kulkarni wrote: It's on live system not on zpdt. But as I mentioned before I would like to use secure port 22 to connect with tso instead of telnet port 23. Please suggest me the way to make this connection work. Don't you just want secure TN3270e? You don't need SSH itself. http://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.halz002/security_tn3270e.htm -- Jack J. Woehr # Science is more than a body of knowledge. It's a way of www.well.com/~jax # thinking, a way of skeptically interrogating the universe www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
On 22/11/2016 1:42 PM, venkat kulkarni wrote: It's on live system not on zpdt. But as I mentioned before I would like to use secure port 22 to connect with tso instead of telnet port 23. Please suggest me the way to make this connection work. There is no way that I know of. Are you sure you don't really want to use telnet over an SSL connection? On Nov 22, 2016 08:17, "Amrith" < 00ae6d97fc6e-dmarc-requ...@listserv.ua.edu> wrote: I think thats the way it's supposed to be used, you can try using putty if you want to. Are you on real iron or zPDT ? On Tuesday, November 22, 2016 10:22 AM, venkat kulkarni < venkatkulkarn...@gmail.com> wrote: Hello, Thanks for reply. Sorry for not being clear. Basically I want to use SSH with port 22 duribg accessing tso using pcom session. Currently we use telnet with port 22. On Nov 22, 2016 06:11, "Paul Gilmartin" < 000433f07816-dmarc-requ...@listserv.ua.edu> wrote: On 2016-11-21 19:34, venkat kulkarni wrote: Hello Group, We are setting up open SSH with our z/OS system and we are done with making connection to omvs using SFTP and transfer file to the system and vice versa. But, I still not able to find way to setup secure connection to TSO using port 22 ( SSH). Can you please help me to define this setup on TSO level access. Ummm... you want to run TSO in linemode? Have you a specific objective? You might try ssh server-side port mapping (-R option) of some other port to 23. I suspect the protocols are dreadfully mismatched. Why? -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
It's on live system not on zpdt. But as I mentioned before I would like to use secure port 22 to connect with tso instead of telnet port 23. Please suggest me the way to make this connection work. On Nov 22, 2016 08:17, "Amrith" < 00ae6d97fc6e-dmarc-requ...@listserv.ua.edu> wrote: > I think thats the way it's supposed to be used, you can try using putty if > you want to. Are you on real iron or zPDT ? > > > On Tuesday, November 22, 2016 10:22 AM, venkat kulkarni < > venkatkulkarn...@gmail.com> wrote: > > > Hello, > Thanks for reply. Sorry for not being clear. Basically I want to use SSH > with port 22 duribg accessing tso using pcom session. Currently we use > telnet with port 22. > > On Nov 22, 2016 06:11, "Paul Gilmartin" < > 000433f07816-dmarc-requ...@listserv.ua.edu> wrote: > > > On 2016-11-21 19:34, venkat kulkarni wrote: > > > Hello Group, > > > > > > We are setting up open SSH with our z/OS system and we are done with > > making > > > connection to omvs using SFTP and transfer file to the system and vice > > > versa. > > > > > > But, I still not able to find way to setup secure connection to TSO > using > > > port 22 ( SSH). Can you please help me to define this setup on TSO > level > > > access. > > > > > Ummm... you want to run TSO in linemode? Have you a specific objective? > > > > You might try ssh server-side port mapping (-R option) of some other > > port to 23. I suspect the protocols are dreadfully mismatched. > > > > Why? > > > > -- gil > > > > -- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
I think thats the way it's supposed to be used, you can try using putty if you want to. Are you on real iron or zPDT ? On Tuesday, November 22, 2016 10:22 AM, venkat kulkarniwrote: Hello, Thanks for reply. Sorry for not being clear. Basically I want to use SSH with port 22 duribg accessing tso using pcom session. Currently we use telnet with port 22. On Nov 22, 2016 06:11, "Paul Gilmartin" < 000433f07816-dmarc-requ...@listserv.ua.edu> wrote: > On 2016-11-21 19:34, venkat kulkarni wrote: > > Hello Group, > > > > We are setting up open SSH with our z/OS system and we are done with > making > > connection to omvs using SFTP and transfer file to the system and vice > > versa. > > > > But, I still not able to find way to setup secure connection to TSO using > > port 22 ( SSH). Can you please help me to define this setup on TSO level > > access. > > > Ummm... you want to run TSO in linemode? Have you a specific objective? > > You might try ssh server-side port mapping (-R option) of some other > port to 23. I suspect the protocols are dreadfully mismatched. > > Why? > > -- gil > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
On Tue, 22 Nov 2016 10:22:09 +0530, venkat kulkarni wrote: > >Thanks for reply. Sorry for not being clear. Basically I want to use SSH >with port 22 duribg accessing tso using pcom session. Currently we use >telnet with port 22. > Looking at an arbitrarily selected /etc/services I see: ssh 22/tcp # SSH Remote Login Protocol ssh 22/udp telnet 23/tcp ... but then your configuration may be idiosyncratic. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
On Tue, 22 Nov 2016 08:04:06 +0530, venkat kulkarni wrote: > >We are setting up open SSH with our z/OS system and we are done with making >connection to omvs using SFTP and transfer file to the system and vice >versa. > >But, I still not able to find way to setup secure connection to TSO using >port 22 ( SSH). Can you please help me to define this setup on TSO level >access. > Let me guess. From the questions you've asked lately, you're confronting a new security regime which insists: o All logons be validated by LDAP and Timothy has been unable to sell them the Right Solution. o All network connections be secured by SSL. but you have some residue of users who depend on a linemode TELNET connection to TSO. The last time I remember something similar, the users needed to punch paper tapes. It was a while ago. Kermit with 7171 emulation and IND$FILE? More plausibly, they want to do scripting over the TELNET connection. Gasp. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
Hello, Thanks for reply. Sorry for not being clear. Basically I want to use SSH with port 22 duribg accessing tso using pcom session. Currently we use telnet with port 22. On Nov 22, 2016 06:11, "Paul Gilmartin" < 000433f07816-dmarc-requ...@listserv.ua.edu> wrote: > On 2016-11-21 19:34, venkat kulkarni wrote: > > Hello Group, > > > > We are setting up open SSH with our z/OS system and we are done with > making > > connection to omvs using SFTP and transfer file to the system and vice > > versa. > > > > But, I still not able to find way to setup secure connection to TSO using > > port 22 ( SSH). Can you please help me to define this setup on TSO level > > access. > > > Ummm... you want to run TSO in linemode? Have you a specific objective? > > You might try ssh server-side port mapping (-R option) of some other > port to 23. I suspect the protocols are dreadfully mismatched. > > Why? > > -- gil > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: TSO Setup on SSH
On 2016-11-21 19:34, venkat kulkarni wrote: > Hello Group, > > We are setting up open SSH with our z/OS system and we are done with making > connection to omvs using SFTP and transfer file to the system and vice > versa. > > But, I still not able to find way to setup secure connection to TSO using > port 22 ( SSH). Can you please help me to define this setup on TSO level > access. > Ummm... you want to run TSO in linemode? Have you a specific objective? You might try ssh server-side port mapping (-R option) of some other port to 23. I suspect the protocols are dreadfully mismatched. Why? -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
TSO Setup on SSH
Hello Group, We are setting up open SSH with our z/OS system and we are done with making connection to omvs using SFTP and transfer file to the system and vice versa. But, I still not able to find way to setup secure connection to TSO using port 22 ( SSH). Can you please help me to define this setup on TSO level access. Regards Venkat -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: EXTERNAL: Re: Catalogs in a SYSPLEX
All of my Sysplexes each have a shared single MCAT per plex. Setting up a Sysplex is probably where the recommendation to a single MCAT is located. In an emergency the LOADxx can be edited to point to any other MCAT and they will all serve to get a system up and running. Additionally in each physical Data Center we have a 3 pack Rescue system (built from Mark Zeldens sources - Thanks Mark !) that normally lives somewhat back level to ensure new maintenance etc. doesn't also render the system unusable. I wouldn't try to run a complex Sysplex with multiple Master Cats. Jerry Whitteridge Manager Mainframe Systems & Storage Albertsons - Safeway Inc. 925 738 9443 Corporate Tieline - 89443 If you feel in control you just aren't going fast enough. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Travis Sent: Monday, November 21, 2016 2:56 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: EXTERNAL: Re: Catalogs in a SYSPLEX I was doing some research and I cannot seem to find any specific mention of using a single shared master catalog in the manuals. It doesn't mean I was looking in the correct manuals it just means that what I had been told may not be 100% accurate. The manuls do seem to IMPLY that a shared master catalog is the way to go but there is nothing recommending one over the other that I can see. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN Warning: All e-mail sent to this address will be received by the corporate e-mail system, and is subject to archival and review by someone other than the recipient. This e-mail may contain proprietary information and is intended only for the use of the intended recipient(s). If the reader of this message is not the intended recipient(s), you are notified that you have received this message in error and that any review, dissemination, distribution or copying of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Catalogs in a SYSPLEX
So what is the intent of your configuration? To take advantage of all the wonderfulness that is SYSPLEX :) Separate but equal? Or are they running from a common SYSRES Set? Other??? We will have 2 systems that are identical. They are going to have a common SYSRES with a secondary SYSRES to swap to for maintenance and upgrades. They also will share DASD so whatever data sets are on those DASD are accessible by both systems. Hence the catalog question. Right now we have 3 LPAR's (Production, Test and Maintenance). We have DASD accessible to all three with data sets on them. In order for those data sets to be viewed on other LPAR's than the LPAR we create them on we must catalog them on each system. I would imagine that this is analogous to the processes involved with multiple master catalogs or shared master catalogs in a sysplex. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Catalogs in a SYSPLEX
You can do either and will some associated issues. Here are some: If you have a MCAT for each LPAR you will have so many MCAT's + its backup to maintain and garbage in it piles up with time. If you have a shared MCAT, you need to maintain one MCAT/SYSPLEX and one backup.At the time of z/OS upgrade create a new SYSPLEX MCAT (you may have one character in MCAT specific to z/OS versrion/release in MCAT name) ( gives you opportunity to cleanup / gives you opportunity to test z/OS upgrade in DR ahead of time). One will need to keep two MCAT SYNCed up during the upgrade. Regards, Rajesh -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Travis Sent: Monday, November 21, 2016 4:56 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Catalogs in a SYSPLEX I was doing some research and I cannot seem to find any specific mention of using a single shared master catalog in the manuals. It doesn't mean I was looking in the correct manuals it just means that what I had been told may not be 100% accurate. The manuls do seem to IMPLY that a shared master catalog is the way to go but there is nothing recommending one over the other that I can see. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN The information contained in this e-mail, and any attachment, is confidential and is intended solely for the use of the intended recipient. Access, copying or re-use of the e-mail or any attachment, or any information contained therein, by any other person is not authorized. If you are not the intended recipient please return the e-mail to the sender and delete it from your computer. Although we attempt to sweep e-mail and attachments for viruses, we do not guarantee that either are virus-free and accept no liability for any damage sustained as a result of viruses. Please refer to http://disclaimer.bnymellon.com/eu.htm for certain disclosures relating to European legal entities. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Catalogs in a SYSPLEX
By using INDIRECT CATALOG you can use different SYSRES Sets, but the same SYS1.** names. Lizette -Original Message- >From: Lizette Koehler>Sent: Nov 21, 2016 3:10 PM >To: IBM-MAIN@LISTSERV.UA.EDU >Subject: Re: Catalogs in a SYSPLEX > >So the answers are > > It depends on what you want to do > Your milage May Vary (YMMV) > >If you want to access the datasets from either Plex easily, a Shared Master is >okay. Remember the master cat should only have Aliases to usercats, and SYS1 >datasets for that environment. If you want SYS1.LINKLIB that is different >from both Plexes, then you probably want separate MCats. > >If both plexes can "share" the common datasets, then you can get by with one >MCAT. > >Or the Mcat on PLEX has the Mcat on Plex b as a user cat and vise versa. > > >So what is the intent of your configuration? > >Separate but equal? Or are they running from a common SYSRES Set? Other??? > > >Lizette > > >-Original Message- >>From: Travis >>Sent: Nov 21, 2016 1:53 PM >>To: IBM-MAIN@LISTSERV.UA.EDU >>Subject: Catalogs in a SYSPLEX >> >>We are creating a SYSPLEX of two systems and there seems to be some debate >>about using a single shared master catalog or multiple master catalogs on >>each system. The IBM manuals recommend a single shared master catalog but our >>CE has been advocating multiple catalogs. What are the pros and cons of >>running each? We have two identical systems in the PLEX and for right now >>there is no plan to add more, however that could change at any time in the >>near future. >> > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Catalogs in a SYSPLEX
Biggest problem I see with multiple master catalogs is that you have to keep entries in synch. First time you debug a weird problem resulting from out-of-synch catalogs, I think you'll want a single one. As for installing software maintenance, you should alternate between (at least) two sysres volumes. Swap from one to the other to migrate software upgrade. In case of problems, fall back to the older level. Sysres data sets are cataloged like this: VOLSER** DEVTYPE--X'' This will resolve to the volume you IPLed from on each system. . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-302-7535 Office robin...@sce.com -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Travis Sent: Monday, November 21, 2016 1:56 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: (External):Re: Catalogs in a SYSPLEX I was doing some research and I cannot seem to find any specific mention of using a single shared master catalog in the manuals. It doesn't mean I was looking in the correct manuals it just means that what I had been told may not be 100% accurate. The manuls do seem to IMPLY that a shared master catalog is the way to go but there is nothing recommending one over the other that I can see. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Catalogs in a SYSPLEX
So the answers are It depends on what you want to do Your milage May Vary (YMMV) If you want to access the datasets from either Plex easily, a Shared Master is okay. Remember the master cat should only have Aliases to usercats, and SYS1 datasets for that environment. If you want SYS1.LINKLIB that is different from both Plexes, then you probably want separate MCats. If both plexes can "share" the common datasets, then you can get by with one MCAT. Or the Mcat on PLEX has the Mcat on Plex b as a user cat and vise versa. So what is the intent of your configuration? Separate but equal? Or are they running from a common SYSRES Set? Other??? Lizette -Original Message- >From: Travis>Sent: Nov 21, 2016 1:53 PM >To: IBM-MAIN@LISTSERV.UA.EDU >Subject: Catalogs in a SYSPLEX > >We are creating a SYSPLEX of two systems and there seems to be some debate >about using a single shared master catalog or multiple master catalogs on each >system. The IBM manuals recommend a single shared master catalog but our CE >has been advocating multiple catalogs. What are the pros and cons of running >each? We have two identical systems in the PLEX and for right now there is no >plan to add more, however that could change at any time in the near future. > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Catalogs in a SYSPLEX
I was doing some research and I cannot seem to find any specific mention of using a single shared master catalog in the manuals. It doesn't mean I was looking in the correct manuals it just means that what I had been told may not be 100% accurate. The manuls do seem to IMPLY that a shared master catalog is the way to go but there is nothing recommending one over the other that I can see. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Catalogs in a SYSPLEX
We currently have a 2 LPAR sysplex and the master catalog in not shared. Prior to this job I worked at a shop where we supported sysplexes from a single system to up to 10 LPARs in a single sysplex. The master catalogs were not shared , I think I would put forth one big reason for not sharing the master catalog, would be system upgrades, when we went through the z/OS upgrades, there were times where SYS1. Level data sets location changed from one release to the next and the catalog needed to point to the new location for the new release. We would upgrade one LPAR at a time in a sysplex, which was once a week, so it would be several weeks to complete a sysplex. I think there are a lot of questions you have to ask yourself about how you are going to handle the sysplex and what you are going to keep in the master catalog, besides SYS1. Note: I believe System Symbols are your friend when setting up the catalog, for both data set names and VOLSER. Al Nims Systems Admin/Programmer 3 UFIT University of Florida (352) 273-1298 -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Travis Sent: Monday, November 21, 2016 3:54 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Catalogs in a SYSPLEX We are creating a SYSPLEX of two systems and there seems to be some debate about using a single shared master catalog or multiple master catalogs on each system. The IBM manuals recommend a single shared master catalog but our CE has been advocating multiple catalogs. What are the pros and cons of running each? We have two identical systems in the PLEX and for right now there is no plan to add more, however that could change at any time in the near future. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Catalogs in a SYSPLEX
A lot depends on whether you're creating a net new member or combining two existing systems into a single plex. As I said in a previous thread, combining systems is very tough unless you're willing to put up with the vagaries of a 'bronze-plex'. If you're creating a new system, you can clone the existing one. You should aim to share everything that can be shared. I don't know why anyone would stop short of total sharing: one master catalog; one RACF (or other security product) data base; one JES spool. If someone can give you a compelling reason for separate anything--like page data sets--then you could consider it. I would be very dubious about proposed subdivisions. . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-302-7535 Office robin...@sce.com -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Travis Sent: Monday, November 21, 2016 12:54 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: (External):Catalogs in a SYSPLEX We are creating a SYSPLEX of two systems and there seems to be some debate about using a single shared master catalog or multiple master catalogs on each system. The IBM manuals recommend a single shared master catalog but our CE has been advocating multiple catalogs. What are the pros and cons of running each? We have two identical systems in the PLEX and for right now there is no plan to add more, however that could change at any time in the near future. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Catalogs in a SYSPLEX
At our shop we have three master catalogs in the same sysplex. We run three "levels" of lpars and the master catalogs are by level. Our three tech lpars share a master catalog. Our three application test lpars share a different master catalog. Our 6 production lpars share a different master catalog. So yes you can have more than one master catalog, it just depends on how things are laid out. We run with shared DASD across all the lpars. So depending on what we are doing we have to remember to update all three master catalogs or just update one master catalog. You have to be careful about any VSAM dataset that might be in your master catalog(s). You don't want a VSAM dataset in two master catalogs. We have the master catalogs on their own (different) volumes. You don't want more than one master catalog on a volume. Thanks.. Paul Feller AGT Mainframe Technical Support -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Travis Sent: Monday, November 21, 2016 14:54 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Catalogs in a SYSPLEX We are creating a SYSPLEX of two systems and there seems to be some debate about using a single shared master catalog or multiple master catalogs on each system. The IBM manuals recommend a single shared master catalog but our CE has been advocating multiple catalogs. What are the pros and cons of running each? We have two identical systems in the PLEX and for right now there is no plan to add more, however that could change at any time in the near future. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Catalogs in a SYSPLEX
We are creating a SYSPLEX of two systems and there seems to be some debate about using a single shared master catalog or multiple master catalogs on each system. The IBM manuals recommend a single shared master catalog but our CE has been advocating multiple catalogs. What are the pros and cons of running each? We have two identical systems in the PLEX and for right now there is no plan to add more, however that could change at any time in the near future. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: ASMA033I Storage alignment for unfavorable for dependent DSECT?
On Sun, 20 Nov 2016 22:42:16 +0200, Binyamin Dissenwrote: >I am receiving > >ASMA033I Storage alignment for @DDNTXTU.S99TUPAR unfavorable > >where the value of S99TUPAR is 6, but it is a dependent using and the actual >offset is at a doubleword boundary. > >Working as designed?? Seems like a question perhaps better asked on assembler-list than on ibm-main :) -- Walt -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
On Mon, 21 Nov 2016 09:33:20 -0800, Ed Jaffe wrote: >However, it's not trivial to determine from where you were loaded. It >could be STEPLIB/JOBLIB, it could be LPA, it could be LNKLST. It shouldn't be that hard if you know the member name. Create a DCB for STEPLIB and open it. If that works, do a BLDL on the member name and if that works, you've found the module. If the BLDL fails, it's not in STEPLIB and JOBLIB isn't used. If the open fails, try the same with JOBLIB. But for this purpose, I don't think it matters where the module came from. If there is a STEPLIB with a non-authorized data set, the step is not authorized. If there is no STEPLIB and there is a JOBLIB, all data sets in it must be authorized. -- Tom Marchant -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
On 11/21/2016 8:27 AM, Charles Mills wrote: Exactly. That is what I intend to do. Charles John McKown wrote: THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME volser BEING ON THE STEPLIB/JOBLIB. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT APF AUTHORIZED. ... or migrated or is not SMS, not cataloged, etc. I love this idea!!! However, it's not trivial to determine from where you were loaded. It could be STEPLIB/JOBLIB, it could be LPA, it could be LNKLST. CSVQUERY does have an ability to return a token that can, through some complex and circuitous logic, actually map back to a data set name or HFS path, but it's not easy and I have a nagging suspicion that at least part of that processing requires authorization. IMHO, we need an enhancement to CSVQUERY/CSVINFO (as appropriate) to return the fully-qualified data set name and volume and/or HFS path from which a module was actually fetched. (If it came from VLF, that information would need to be preserved at the time the module is cached so it can be provided to CSV.) Of course, there is an implied assumption here that you're invoking TESTAUTH from inside the program referenced by EXEC PGM=. If not, you would first need to determine which program name that is. (It's not difficult, but it is an extra step...) -- Edward E Jaffe Phoenix Software International, Inc 831 Parkview Drive North El Segundo, CA 90245 http://www.phoenixsoftware.com/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
I believe that's the right approach. For now anyway. You have control. You can build a common routine that any APF product can call during initialization. If IBM ever comes up with a more general solution, you can revisit your solution. . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-302-7535 Office robin...@sce.com -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills Sent: Monday, November 21, 2016 8:27 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: (External):Re: Which STEPLIB concatenation is not authorized? Exactly. That is what I intend to do. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Elardus Engelbrecht Sent: Monday, November 21, 2016 2:58 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Which STEPLIB concatenation is not authorized? John McKown wrote: >But I can see where it would be _very_ nice if an application to do a >TESTAUTH to make sure that it is APF authorized. And, if not, then put out a >message similar to: >THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME >volser BEING ON THE STEPLIB/JOBLIB. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT >APF AUTHORIZED. ... or migrated or is not SMS, not cataloged, etc. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
One caveat. APF can be modified dynamically without updating PARMLIB. Not necessarily an error if it's the first try with a new application, although in practice it's a red flag. . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-302-7535 Office robin...@sce.com -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mike Schwab Sent: Sunday, November 20, 2016 10:16 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: (External):Re: Which STEPLIB concatenation is not authorized? OK. How about 2 REXX commands. The first REXX command reads SYS*.PARMLIB members, parses out the DSN and Vol/SMS ignoring syntax errors, and checks each DSN for APF authorization. The second REXX command read any JCL member, parses out the steplib DSNs and Volumes ignoring syntax errors, and checks each DSN for APR authorization. This would be useful for any site or product that has z/OS APF libraries. On Sun, Nov 20, 2016 at 11:25 AM, Clark Morriswrote: > [Default] On 20 Nov 2016 08:47:04 -0800, in bit.listserv.ibm-main > charl...@mcn.org (Charles Mills) wrote: > >>Thanks @Gil, I think you get where I am trying to go with this. >> >>It's not that I don't know how to use TESTAUTH or think TESTAUTH is >>giving me the wrong answer. But now what? We say "one or more of your >>datasets is apparently not authorized" and the customer says "WE TOLD >>YOU THEY ARE ALL AUTHORIZED!" Now what does the poor support tech do? >>Say "Issue a 'D PROG,APF' and check all the libraries -- it's not rocket >>surgery!" > > It seems like a generic module that chases the chains would be useful > to a number of vendors and even for Roll your own code. I know that I > was enraged on earlier versions with the JCL message symbol not > defined in procedure mess and justified the effort to go to MVS SP > 1.3.2 or 1.3.3 because that was the version.release.modification level > that had the change telling you which symbol wasn't defined in the > procedure. In this case chasing down errant libraries when the > installing groups isn't responsible for setting up APF authorization > can be interesting. > > Clark Morris >> >>Would YOU buy a product from a vendor that talked to you like that? >> >>Charles >> >>-Original Message- >>From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] >>On Behalf Of Paul Gilmartin >>Sent: Sunday, November 20, 2016 1:21 AM >>To: IBM-MAIN@LISTSERV.UA.EDU >>Subject: Re: Which STEPLIB concatenation is not authorized? >> >>On 2016-11-19, at 15:32, Jesse 1 Robinson wrote: >>> >>> As complicated this may sound, APF can be determined/diagnosed by >>inspection with relative ease. It's not rocket surgery. >>> >>Perhaps. But it would be poor business practice for the OP to address >>his customer so tactlessly. IBM ought to help its customers to help >>their customers. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
Exactly. That is what I intend to do. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Elardus Engelbrecht Sent: Monday, November 21, 2016 2:58 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Which STEPLIB concatenation is not authorized? John McKown wrote: >But I can see where it would be _very_ nice if an application to do a >TESTAUTH to make sure that it is APF authorized. And, if not, then put out a >message similar to: >THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME >volser BEING ON THE STEPLIB/JOBLIB. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT >APF AUTHORIZED. ... or migrated or is not SMS, not cataloged, etc. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: ASMA033I Storage alignment for unfavorable for dependent DSECT?
I don't do 64Bit stuff at this point. But, as soon as I can today, I'll go look at the DSECTs... Sent from my iPhone > On Nov 21, 2016, at 12:03 AM, Binyamin Dissen> wrote: > > It is properly aligned in the main dsect. > > ZZZ DSECT >CNOP 2,8 > DDNTXTU DS 3H,CL8 > > > > @DDNTXTU USING S99TUNIT,DDNTXTU > >STG R1,@DDNTXTU.S99TUPAR > > The assembler knows that the resolved address is at a doubleword offset in ZZZ > > On Sun, 20 Nov 2016 15:01:04 -0800 "ste...@copper.net" > wrote: > > :>I don't have access to listings right now, but having just done a few > routines that were doing SVC99 and making use of all the DSECTs provided by > IBM, I found that I had to get alignment set up correctly. > :> > :>So, I would start Text Units on a fullword, so that you have (off the top > of my head): > :> DS 0A > :>verb DS H > :>count DS H > :>len DS H > :>parm DS X > :> > :>And then the parm value would be as long as needed. But, I made sure that > the next text unit started on a full world. I think that will solve your > problems. > :> > :>Sorry, I can't remember the correct names of the IBM DSECTs (and their > related variables) so I could answer you by their names. > :> > :>Regards, > :>Steve Thompson > :> > :>--- bdis...@dissensoftware.com wrote: > :> > :>From: Binyamin Dissen > :>To: IBM-MAIN@LISTSERV.UA.EDU > :>Subject: [IBM-MAIN] ASMA033I Storage alignment for unfavorable for > dependent DSECT? > :>Date: Sun, 20 Nov 2016 22:42:16 +0200 > :> > :>I am receiving > :> > :>ASMA033I Storage alignment for @DDNTXTU.S99TUPAR unfavorable > :> > :>where the value of S99TUPAR is 6, but it is a dependent using and the actual > :>offset is at a doubleword boundary. > :> > :>Working as designed?? > > -- > Binyamin Dissen > http://www.dissensoftware.com > > Director, Dissen Software, Bar & Grill - Israel > > > Should you use the mailblocks package and expect a response from me, > you should preauthorize the dissensoftware.com domain. > > I very rarely bother responding to challenge/response systems, > especially those from irresponsible companies. > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: DFSMSdss DUMP and extended format
http://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.idad400/coefsds.htm It uses the LBI (Large Block Interface). On Mon, Nov 21, 2016 at 9:25 AM, R.S.wrote: > Since (FAIK) z/OS 1.12 times DSS DUMP output dataset can be extended format > PS. > > It's strange: When you omit blocksize (use SDB), the blocksize of the dump > dataset will be 27998, for PS, PS-LARGE, and for extended format PS. > However for ext-fmt PS there is *one block per track*. Yes, when you dump > to regular PS you get i.e. 1500 blocks and 750 tracks, but when you dump to > extended format PS you get 1500 blocks and 1500 tracks occupied. > > Note, when you provide smaller (BLKSIZE=27900) you get 2 blocks per track. > > Is it documented? > Is it bug or feaure? > > -- > Radoslaw Skorupka > Lodz, Poland > > > > > > > --- > Treść tej wiadomości może zawierać informacje prawnie chronione Banku > przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być > jedynie jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś > adresatem niniejszej wiadomości lub pracownikiem upoważnionym do jej > przekazania adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, > rozprowadzanie lub inne działanie o podobnym charakterze jest prawnie > zabronione i może być karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, > prosimy niezwłocznie zawiadomić nadawcę wysyłając odpowiedź oraz trwale > usunąć tę wiadomość włączając w to wszelkie jej kopie wydrukowane lub > zapisane na dysku. > > This e-mail may contain legally privileged information of the Bank and is > intended solely for business use of the addressee. This e-mail may only be > received by the addressee and may not be disclosed to any third parties. If > you are not the intended addressee of this e-mail or the employee authorized > to forward it to the addressee, be advised that any dissemination, copying, > distribution or any other similar activity is legally prohibited and may be > punishable. If you received this e-mail by mistake please advise the sender > immediately by using the reply facility in your e-mail software and delete > permanently this e-mail including any copies of it either printed or saved > to hard drive. > > mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa, > www.mBank.pl, e-mail: kont...@mbank.pl > Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru > Sądowego, nr rejestru przedsiębiorców KRS 025237, NIP: 526-021-50-88. > Według stanu na dzień 01.01.2016 r. kapitał zakładowy mBanku S.A. (w całości > wpłacony) wynosi 168.955.696 złotych. > > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- Mike A Schwab, Springfield IL USA Where do Forest Rangers go to get away from it all? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
DFSMSdss DUMP and extended format
Since (FAIK) z/OS 1.12 times DSS DUMP output dataset can be extended format PS. It's strange: When you omit blocksize (use SDB), the blocksize of the dump dataset will be 27998, for PS, PS-LARGE, and for extended format PS. However for ext-fmt PS there is *one block per track*. Yes, when you dump to regular PS you get i.e. 1500 blocks and 750 tracks, but when you dump to extended format PS you get 1500 blocks and 1500 tracks occupied. Note, when you provide smaller (BLKSIZE=27900) you get 2 blocks per track. Is it documented? Is it bug or feaure? -- Radoslaw Skorupka Lodz, Poland --- Treść tej wiadomości może zawierać informacje prawnie chronione Banku przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie lub inne działanie o podobnym charakterze jest prawnie zabronione i może być karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku. This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorized to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive. mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa, www.mBank.pl, e-mail: kont...@mbank.pl Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców KRS 025237, NIP: 526-021-50-88. Według stanu na dzień 01.01.2016 r. kapitał zakładowy mBanku S.A. (w całości wpłacony) wynosi 168.955.696 złotych. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
Not only STEPLIB (and JOBLIB) but also any tasklib, which in fact can be any ddname. And then the problem arises: when should the 'non-apf warming' be issued? You could have a ddname with a concatenation of loadlibraries, that are never going to be used to LOAD modules from, so the warning is useless and confusing. Kees. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Elardus Engelbrecht Sent: 21 November, 2016 14:58 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Which STEPLIB concatenation is not authorized? John McKown wrote: >But I can see where it would be _very_ nice if an application to do a >TESTAUTH to make sure that it is APF authorized. And, if not, then put out a >message similar to: >THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME >volser BEING ON THE STEPLIB/JOBLIB. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT >APF AUTHORIZED. ... or migrated or is not SMS, not cataloged, etc. It would be very nice if the issuer of IGD103I SMS ALLOCATED TO DDNAME STEPLIB can show above message. Or yet better - take that list of datasets in that STEPLIB, feed it to 'APF Dataset Report' in 'RACF_SENSITIVE_RESOURCES' in Health Checker ... ... with this one little variation - the FULL lists (all entries in that STEPLIB) must be APFed. That is ALL or nothing! H, ..ok, now drifting somewhat, but what about libraries in Linklist, but NOT APFed? Groete / Greetings Elardus Engelbrecht -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN For information, services and offers, please visit our web site: http://www.klm.com. This e-mail and any attachment may contain confidential and privileged material intended for the addressee only. If you are not the addressee, you are notified that no part of the e-mail or any attachment may be disclosed, copied or distributed, and that any other action related to this e-mail or attachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immediately by return e-mail, and delete this message. Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its employees shall not be liable for the incorrect or incomplete transmission of this e-mail or any attachments, nor responsible for any delay in receipt. Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch Airlines) is registered in Amstelveen, The Netherlands, with registered number 33014286 -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
John McKown wrote: >But I can see where it would be _very_ nice if an application to do a >TESTAUTH to make sure that it is APF authorized. And, if not, then put out a >message similar to: >THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME >volser BEING ON THE STEPLIB/JOBLIB. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT >APF AUTHORIZED. ... or migrated or is not SMS, not cataloged, etc. It would be very nice if the issuer of IGD103I SMS ALLOCATED TO DDNAME STEPLIB can show above message. Or yet better - take that list of datasets in that STEPLIB, feed it to 'APF Dataset Report' in 'RACF_SENSITIVE_RESOURCES' in Health Checker ... ... with this one little variation - the FULL lists (all entries in that STEPLIB) must be APFed. That is ALL or nothing! H, ..ok, now drifting somewhat, but what about libraries in Linklist, but NOT APFed? Groete / Greetings Elardus Engelbrecht -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: LDAP on z/os
On Mon, Nov 21, 2016 at 7:27 AM, Tom Marchant < 000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote: > On Sun, 20 Nov 2016 09:28:40 -0600, Walt Farrell wrote: > > >... and may seriously hurt the performance, reliability, and availability > of your z/OS > >system and the applications running on it. > > Not to mention relying on a platform that is more subject to hacking than > a properly > configured z/OS system. And one that does not include the assurance > provided by > the z/OS System Integrity Statement. > > http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype= > WH=SA=ZSL03361USEN=ZSL03361USEN.PDF > > -- > Tom Marchant > > Although I agree with all that has been said in this thread, I am certain, at least if other Windows people are like the Windows people here, that the Windows people would excrete a masonry product (s--t a brick) if anyone said that their systems had to validate against a z/OS based repository. Not to mention that, although z/OS does support LDAP and Kerberos, it does not support Windows Active Directory protocols. The mere fact that said protocol is both unsupported, proprietary, and "fluid" (as most MS protocols are) is not germane to the discussion (to them). The only solution that I can think of for this is a product which in the data base world would be called "bidirectional replication". -- Heisenberg may have been here. Unicode: http://xkcd.com/1726/ Maranatha! <>< John McKown -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
On Mon, Nov 21, 2016 at 7:21 AM, Charles Millswrote: > > > YOU say it's all authorized. z/OS says it's not. Let's think who's > probably right here. > I agree, but I have a couple of friends who are / were in level 1 support. You'd be amazed by stories of ignorance and mental denseness. I've read comparable stories on "The Register" (http://www.theregister.co.uk). I loved the one where the end-user apparently didn't know that the "on" button for a PC was the same one as the "off" button. The one I remember was from a certain frozen state which shall remain nameless where the system's programmer reported that the product would immediately abend. He had not linked the supplied object decks into a load library, but put the data set containing the object decks in the STEPLIB. I guess he didn't read the installation documentation (Top Secret was the product). But I can see where it would be _very_ nice if an application to do a TESTAUTH to make sure that it is APF authorized. And, if not, then put out a message similar to: THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME volser BEING ON THE STEPLIB/JOBLIB. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT APF AUTHORIZED. -- Heisenberg may have been here. Unicode: http://xkcd.com/1726/ Maranatha! <>< John McKown -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: LDAP on z/os
On Sun, 20 Nov 2016 09:28:40 -0600, Walt Farrell wrote: >... and may seriously hurt the performance, reliability, and availability of >your z/OS >system and the applications running on it. Not to mention relying on a platform that is more subject to hacking than a properly configured z/OS system. And one that does not include the assurance provided by the z/OS System Integrity Statement. http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH=SA=ZSL03361USEN=ZSL03361USEN.PDF -- Tom Marchant -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
YOU say it's all authorized. z/OS says it's not. Let's think who's probably right here. CharlesSent from a mobile; please excuse the brevity Original message From: Peter RelsonDate: 11/21/16 2:12 PM (GMT+01:00) To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Which STEPLIB concatenation is not authorized? >Would YOU buy a product from a vendor that talked to >you like that? Maybe not. But why wouldn't helpful technical support say "please issue DISPLAY PROG,APF and let me see the output so that I can help you figure out what is wrong?" How do you think conversations go for just about anyone when customers report problems? An early step is for the customer to make available the data that can help to diagnose the problem. (unless you're talking to a helpless desk that tells you to power off and power on, or uninstall and re-install). And in the case at hand, what did the customer say if they had asserted that all the libraries were APF authorized and you found that there were 3 in the concatenation that weren't? Maybe your technical support should offer to make a friendly wager with the customer about the state of things (because "apparently not authorized" is a wimpy -- but possibly necessary -- way of stating the fact "is not considered by the system to be APF-authorized"). Peter Relson z/OS Core Technology Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
>Would YOU buy a product from a vendor that talked to >you like that? Maybe not. But why wouldn't helpful technical support say "please issue DISPLAY PROG,APF and let me see the output so that I can help you figure out what is wrong?" How do you think conversations go for just about anyone when customers report problems? An early step is for the customer to make available the data that can help to diagnose the problem. (unless you're talking to a helpless desk that tells you to power off and power on, or uninstall and re-install). And in the case at hand, what did the customer say if they had asserted that all the libraries were APF authorized and you found that there were 3 in the concatenation that weren't? Maybe your technical support should offer to make a friendly wager with the customer about the state of things (because "apparently not authorized" is a wimpy -- but possibly necessary -- way of stating the fact "is not considered by the system to be APF-authorized"). Peter Relson z/OS Core Technology Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Which STEPLIB concatenation is not authorized?
On Sun, 20 Nov 2016 13:41:20 -0600, Paul Gilmartin wrote: >On Sun, 20 Nov 2016 17:01:43 +, Jesse 1 Robinson wrote: > >>the requirements for APF concatenation were invented to protect the customer >> >The particular implementation protects the customer from nothing. Of course it does. Your contention that it could be better is not evidence that the requirements for APF concatenation does not protect the customer is not accurate. -- Tom Marchant -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Verifying callers Parameter Address upon entry to a PC Service Routine
It is frankly a bit scary to have this question being asked like this, since this is being asked by the owner of authorized code. Karl Schmitz of IBM has given many presentations to many customers and vendors on system integrity. This is a very basis system integrity question, the answer to which should be well understood before writing authorized code. You really don't "verify". It is in general impossible to "verify". You can "sanity check" but all that does is let you find some cases that are not valid. You still need to access data in the caller's key. Either use the MVCSK instruction (or use MVCDK if writing to it) or switch to the caller's key for the reference (SPKA instruction or MODESET macro) and then use that key to load into registers and switch back to your key for saving the data. It doesn't typically matter where you do the access as long as is done by authorized code and you copy (using the key) the data to protected storage that the unauthorized caller cannot modify and subsequently reference from that copy (unless you make sure that every reference is done in the unauthorized caller's key). I'm not sure what you mean by the "caller's interface routine". If it is something that runs in user state and key it cannot do any true validation. Only sanity checking (which you would typically have to re-do after you get to the target routine where you are authorized and where you can avoid a time of check to time of use exposure). Peter Relson z/OS Core Technology Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Verifying callers Parameter Address upon entry to a PC Service Routine
Although performing validation in your interface routine is never a bad thing, the real validation must *always* be done in the PC routine itself as someone might attempt to invoke your PC by crafting the parameter list manually outside of your interface. Always access caller data in the key of the caller - you can extract the key of the caller from the PSW on the stack (ESTA instruction and then some bit shifting) MVCDK and MVCSK instructions are your friends when moving data between PC routine and caller. Once you have the caller key, immediately copy (MVCSK) the parameter list to your PC working storage *before* you inspect it so that it cannot be altered during the validation process. Never trust passed parameters and addresses - always use trusted sources for control block access including your own server control blocks. Length checking is always good - do not be the buffer-overflow root cause. If possible, do NOT run your server and PC routines in key0 - get a PPT entry for your server jobstep program in another key (for example, key2 or key4) and then specify this key on the ETDEF for the PC routine. Rather than repeatedly coding MVCDK/SK instructions, consider wrapping them up in a macro so that it can do 256-byte loops for larger amounts of data. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of esst...@juno.com Sent: Sunday, November 20, 2016 10:17 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Verifying callers Parameter Address upon entry to a PC Service Routine . Im looking for some guidelines when validating any address passed to a PC Service Routine. . Should the Validation be done in The PC Service Routine *or* in the callers interface routine provided by the Service Address Space. . What would be the recommended method to validate all Address Passed to the PC Service Routine ? What Instructions ? what Macros - Callable Services ? . Paul D'Angelo . -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN Rocket Software, Inc. and subsidiaries ■ 77 Fourth Avenue, Waltham MA 02451 ■ +1 877.328.2932 ■ +1 781.577.4321 Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - http://www.rocketsoftware.com/manage-your-email-preferences Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy This communication and any attachments may contain confidential information of Rocket Software, Inc. All unauthorized use, disclosure or distribution is prohibited. If you are not the intended recipient, please notify Rocket Software immediately and destroy all copies of this communication. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
InfoSphere Classic CDC for z/OS
Does anyone have any experience with the above software, as a tool to capture updates to a "classic" VSAM file on the mainframe and propagate them to a open-systems data base? Thanks, Steff Gladstone -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN