Re: TSO Setup on SSH

2016-11-21 Thread venkat kulkarni 
Hello Paul,

Thanks. So, in pcom session I should use o
992 instead of telnet port 23 which we are currently using it.

If yes, then also suggest what more changes we need to make to have 992 tso
connection work to access tso

On Nov 22, 2016 10:27, "Paul Gilmartin" <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Tue, 22 Nov 2016 11:22:54 +0530, venkat kulkarni wrote:
>
> >Thanks. As I am in process of setting up open ssh on our zos system and
> now
> >I am able to log in to system on once using my tso I'd with ssh port 22.
> >But was not able to connect to tso with port 22 by making changes in pcom
> >session connection.
> >
> BTW, if you want a secure tn3270 connection, the conventional port is
> 992.  Lots of IBM documentation mentions this.
>
> -- gil
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread Paul Gilmartin 
On Tue, 22 Nov 2016 11:22:54 +0530, venkat kulkarni wrote:

>Thanks. As I am in process of setting up open ssh on our zos system and now
>I am able to log in to system on once using my tso I'd with ssh port 22.
>But was not able to connect to tso with port 22 by making changes in pcom
>session connection.
> 
BTW, if you want a secure tn3270 connection, the conventional port is
992.  Lots of IBM documentation mentions this.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread Paul Gilmartin 
On Tue, 22 Nov 2016 14:20:34 +0800, Timothy Sipples wrote:
>
>In contrast, TN3270E tunneling over SSH is not that common. The
>SSH Tectia Server for z/OS, a commercial product, officially supports 3270
>tunneling over SSH. As far as I know the OpenSSH server included with z/OS
>2.2, and its predecessors provided with the IBM Ported Tools for z/OS, do
>not.
>
It may work better than you expect.  On my MacBook where I'm emperor of
the universe  can set up local forwarding of port 12345 to z/OS 23.  Then
I TELNET to localhost 12345 and get a linemode connection to z/OS TSO
with old-fashioned LOGON prompt. Then it fails because allocation fails
for ISPF350.LPALIB.  I'm almost there.

Can't set up remote forwarding at all which would be secure.  But that may
be due to security cofiguration.

And I can't do some tests because there's no telnet client on z/OS.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread Timothy Sipples 
That's not how TN3270E protocols typically work. If you want encrypted
TN3270E sessions (you should!), I recommend you enable TLS/SSL-encrypted
TN3270E. That capability has been available for two decades now at no
additional charge, starting way back in the OS/390 days, and progressively
improved ever since. (DES and 3DES encrypted SNA has been around even
longer than that.) There are a lot of references describing how to
configure TLS/SSL-encrypted TN3270E, but try this one first:

http://www.redbooks.ibm.com/abstracts/sg248099.html

Chapter 16 is where you'll want to spend most of your time, and
specifically with the AT-TLS configuration. Note that you'll most likely
want to deploy a TLS/SSL server certificate signed by a well known CA as
part of your setup.

IBM Personal Communications, IBM Host On-Demand, and virtually all other
3270 emulation software products support TLS/SSL-encrypted TN3270E sessions
and have for many years (also for a couple decades really) -- with nothing
particularly exotic or strange for the end users to do when configuring
sessions. In contrast, TN3270E tunneling over SSH is not that common. The
SSH Tectia Server for z/OS, a commercial product, officially supports 3270
tunneling over SSH. As far as I know the OpenSSH server included with z/OS
2.2, and its predecessors provided with the IBM Ported Tools for z/OS, do
not.


Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread Paul Gilmartin 
On Mon, 21 Nov 2016 23:03:17 -0700, Jack J. Woehr wrote:
>
>However, on the PCOMM workstation, *if* you have ssh, you can do an ssh port 
>redirect first, and then you can get
>through to the Telnet3270E port on your z/OS machine.
>
I believe that requires an ssh *server* on the workstation.  Until recently,
I was able to run sshd under Cygwin on my employer's PC.  Not lately;
I suspect someone tightened security rules.

> From a command line on the workstation you would do:
>
>ssh -Llocalhost:12345:myzosbox:23 myid@myzosbox
>
Even so, isn't forwarding being done on localhost which makes an unsecured
connection to myzosbox:23, which may not meet the requirement?
>
>and after you have logged in via ssh a redirection is established from your 
>local port 12345 to z/OS's port 23.
>
>After establishing the redirect, use PCOMM to connect to localhost:12345 ... 
>Thus, you will be going into the z/OS port
>23 via the redirect via SSH port 22 on the z/OS box.
>
When I try remote forwarding with the -R option, which should make
a secured connection, I get:
Warning: remote port forwarding failed for listen port 12345

>But really, using secure Telnet3270E is easier!
>
I assume there's some unstated requirement to get to the TSO READY
prompt.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread Jack J. Woehr 

venkat kulkarni wrote:

So, I wanted to take help of expert to make this tso connection work with
port 22. Please correct me if my understanding is wrong

Well, I'm hardly an "expert".

SSH and secure Telnet3270E essentially use the same security technology, that 
is, OpenSSL.

Secure Telnet3270E works out of the box with z/OS.

OpenSSH sshd running in Unix System Services will not, as far as I know, pass 
you directly through to TSO.

Changing the settings in PCOMM won't affect that.

However, on the PCOMM workstation, *if* you have ssh, you can do an ssh port redirect first, and then you can get 
through to the Telnet3270E port on your z/OS machine.


From a command line on the workstation you would do:

   ssh -Llocalhost:12345:myzosbox:23 myid@myzosbox


and after you have logged in via ssh a redirection is established from your 
local port 12345 to z/OS's port 23.

After establishing the redirect, use PCOMM to connect to localhost:12345 ... Thus, you will be going into the z/OS port 
23 via the redirect via SSH port 22 on the z/OS box.


Does this help?

But really, using secure Telnet3270E is easier!

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread Paul Gilmartin 
On Tue, 22 Nov 2016 11:12:51 +0530, venkat kulkarni wrote:

>It's on live system not on zpdt. But as I mentioned before I would like to
>use secure port 22 to connect with tso instead of telnet port 23.
>
>Please suggest me the way to make this connection work.
>
Can you get a secure connection with a 3278?

But does that put you directly in ISPF rather than at the TSO READY prompt?

Would a READY prompt on a 3278 satisfy your needs?

If so, you need to have an alternative logon PROCEDURE defined that
doesn't automatically start ISPF.

(I assume since you say you can use sftp that you have a well-featured
client such as PuTTY, Hummingbird, Cygwin, Linux, OS X, whatever.)

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread venkat kulkarni 
Thanks. As I am in process of setting up open ssh on our zos system and now
I am able to log in to system on once using my tso I'd with ssh port 22.
But was not able to connect to tso with port 22 by making changes in pcom
session connection.

So, I wanted to take help of expert to make this tso connection work with
port 22. Please correct me if my understanding is wrong

On Nov 22, 2016 08:46, "Jack J. Woehr"  wrote:

> venkat kulkarni wrote:
>
>> It's on live system not on zpdt. But as I mentioned before I would like to
>> use secure port 22 to connect with tso instead of telnet port 23.
>>
>> Please suggest me the way to make this connection work.
>>
> Don't you just want secure TN3270e? You don't need SSH itself.
>
> http://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.
> ibm.zos.v2r1.halz002/security_tn3270e.htm
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. -
> Carl Sagan
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread Jack J. Woehr 

venkat kulkarni wrote:

It's on live system not on zpdt. But as I mentioned before I would like to
use secure port 22 to connect with tso instead of telnet port 23.

Please suggest me the way to make this connection work.

Don't you just want secure TN3270e? You don't need SSH itself.

http://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.halz002/security_tn3270e.htm

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread David Crayford 

On 22/11/2016 1:42 PM, venkat kulkarni wrote:

It's on live system not on zpdt. But as I mentioned before I would like to
use secure port 22 to connect with tso instead of telnet port 23.

Please suggest me the way to make this connection work.


There is no way that I know of. Are you sure you don't really want to 
use telnet over an SSL connection?




On Nov 22, 2016 08:17, "Amrith" <
00ae6d97fc6e-dmarc-requ...@listserv.ua.edu> wrote:


I think thats the way it's supposed to be used, you can try using putty if
you want to. Are you on real iron or zPDT ?


 On Tuesday, November 22, 2016 10:22 AM, venkat kulkarni <
venkatkulkarn...@gmail.com> wrote:


  Hello,
Thanks for reply. Sorry for not being clear. Basically I want to use SSH
with port 22 duribg accessing tso using pcom session. Currently we use
telnet with port 22.

On Nov 22, 2016 06:11, "Paul Gilmartin" <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:


On 2016-11-21 19:34, venkat kulkarni wrote:

Hello Group,

We are setting up open SSH with our z/OS system and we are done with

making

connection to omvs using SFTP and transfer file to the system and vice
versa.

But, I still not able to find way to setup secure connection to TSO

using

port 22 ( SSH). Can you please help me to define this setup on TSO

level

access.


Ummm... you want to run TSO in linemode?  Have you a specific objective?

You might try ssh server-side port mapping (-R option) of some other
port to 23.  I suspect the protocols are dreadfully mismatched.

Why?

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread venkat kulkarni 
It's on live system not on zpdt. But as I mentioned before I would like to
use secure port 22 to connect with tso instead of telnet port 23.

Please suggest me the way to make this connection work.

On Nov 22, 2016 08:17, "Amrith" <
00ae6d97fc6e-dmarc-requ...@listserv.ua.edu> wrote:

> I think thats the way it's supposed to be used, you can try using putty if
> you want to. Are you on real iron or zPDT ?
>
>
> On Tuesday, November 22, 2016 10:22 AM, venkat kulkarni <
> venkatkulkarn...@gmail.com> wrote:
>
>
>  Hello,
> Thanks for reply. Sorry for not being clear. Basically I want to use SSH
> with port 22 duribg accessing tso using pcom session. Currently we use
> telnet with port 22.
>
> On Nov 22, 2016 06:11, "Paul Gilmartin" <
> 000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
>
> > On 2016-11-21 19:34, venkat kulkarni wrote:
> > > Hello Group,
> > >
> > > We are setting up open SSH with our z/OS system and we are done with
> > making
> > > connection to omvs using SFTP and transfer file to the system and vice
> > > versa.
> > >
> > > But, I still not able to find way to setup secure connection to TSO
> using
> > > port 22 ( SSH). Can you please help me to define this setup on TSO
> level
> > > access.
> > >
> > Ummm... you want to run TSO in linemode?  Have you a specific objective?
> >
> > You might try ssh server-side port mapping (-R option) of some other
> > port to 23.  I suspect the protocols are dreadfully mismatched.
> >
> > Why?
> >
> > -- gil
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
>
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread Amrith 
I think thats the way it's supposed to be used, you can try using putty if you 
want to. Are you on real iron or zPDT ?
 

On Tuesday, November 22, 2016 10:22 AM, venkat kulkarni 
 wrote:
 

 Hello,
Thanks for reply. Sorry for not being clear. Basically I want to use SSH
with port 22 duribg accessing tso using pcom session. Currently we use
telnet with port 22.

On Nov 22, 2016 06:11, "Paul Gilmartin" <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On 2016-11-21 19:34, venkat kulkarni wrote:
> > Hello Group,
> >
> > We are setting up open SSH with our z/OS system and we are done with
> making
> > connection to omvs using SFTP and transfer file to the system and vice
> > versa.
> >
> > But, I still not able to find way to setup secure connection to TSO using
> > port 22 ( SSH). Can you please help me to define this setup on TSO level
> > access.
> >
> Ummm... you want to run TSO in linemode?  Have you a specific objective?
>
> You might try ssh server-side port mapping (-R option) of some other
> port to 23.  I suspect the protocols are dreadfully mismatched.
>
> Why?
>
> -- gil
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


   

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread Paul Gilmartin 
On Tue, 22 Nov 2016 10:22:09 +0530, venkat kulkarni wrote:
>
>Thanks for reply. Sorry for not being clear. Basically I want to use SSH
>with port 22 duribg accessing tso using pcom session. Currently we use
>telnet with port 22.
>
Looking at an arbitrarily selected /etc/services I see:

ssh 22/tcp  # SSH Remote Login Protocol
ssh 22/udp
telnet  23/tcp

... but then your configuration may be idiosyncratic.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread Paul Gilmartin 
On Tue, 22 Nov 2016 08:04:06 +0530, venkat kulkarni wrote:
>
>We are setting up open SSH with our z/OS system and we are done with making
>connection to omvs using SFTP and transfer file to the system and vice
>versa.
>
>But, I still not able to find way to setup secure connection to TSO using
>port 22 ( SSH). Can you please help me to define this setup on TSO level
>access.
> 
Let me guess.  From the questions you've asked lately, you're confronting
a new security regime which insists:

o All logons be validated by LDAP

and Timothy has been unable to sell them the Right Solution.

o All network connections be secured by SSL.

but you have some residue of users who depend on a linemode TELNET
connection to TSO.  The last time I remember something similar, the users
needed to punch paper tapes.  It was a while ago.  Kermit with 7171
emulation and IND$FILE?  More plausibly, they want to do scripting
over the TELNET connection.

Gasp.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread venkat kulkarni 
Hello,
Thanks for reply. Sorry for not being clear. Basically I want to use SSH
with port 22 duribg accessing tso using pcom session. Currently we use
telnet with port 22.

On Nov 22, 2016 06:11, "Paul Gilmartin" <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On 2016-11-21 19:34, venkat kulkarni wrote:
> > Hello Group,
> >
> > We are setting up open SSH with our z/OS system and we are done with
> making
> > connection to omvs using SFTP and transfer file to the system and vice
> > versa.
> >
> > But, I still not able to find way to setup secure connection to TSO using
> > port 22 ( SSH). Can you please help me to define this setup on TSO level
> > access.
> >
> Ummm... you want to run TSO in linemode?  Have you a specific objective?
>
> You might try ssh server-side port mapping (-R option) of some other
> port to 23.  I suspect the protocols are dreadfully mismatched.
>
> Why?
>
> -- gil
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TSO Setup on SSH

2016-11-21 Thread Paul Gilmartin 
On 2016-11-21 19:34, venkat kulkarni wrote:
> Hello Group,
> 
> We are setting up open SSH with our z/OS system and we are done with making
> connection to omvs using SFTP and transfer file to the system and vice
> versa.
> 
> But, I still not able to find way to setup secure connection to TSO using
> port 22 ( SSH). Can you please help me to define this setup on TSO level
> access.
>  
Ummm... you want to run TSO in linemode?  Have you a specific objective?

You might try ssh server-side port mapping (-R option) of some other
port to 23.  I suspect the protocols are dreadfully mismatched.

Why?

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

TSO Setup on SSH

2016-11-21 Thread venkat kulkarni 
Hello Group,

We are setting up open SSH with our z/OS system and we are done with making
connection to omvs using SFTP and transfer file to the system and vice
versa.

But, I still not able to find way to setup secure connection to TSO using
port 22 ( SSH). Can you please help me to define this setup on TSO level
access.

Regards
Venkat

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: EXTERNAL: Re: Catalogs in a SYSPLEX

2016-11-21 Thread Jerry Whitteridge 
All of my Sysplexes each have a shared single MCAT per plex. Setting up a 
Sysplex is probably where the recommendation to a single MCAT is located. In an 
emergency the LOADxx can be edited to point to any other MCAT and they will all 
serve to get a system up and running. Additionally in each physical Data Center 
we have a 3 pack Rescue system (built from Mark Zeldens sources - Thanks Mark 
!) that normally lives somewhat back level to ensure new maintenance etc. 
doesn't also render the system unusable.

I wouldn't try to run a complex Sysplex with multiple Master Cats.

Jerry Whitteridge
Manager Mainframe Systems & Storage
Albertsons - Safeway Inc.
925 738 9443
Corporate Tieline - 89443

If you feel in control
you just aren't going fast enough.




-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Travis
Sent: Monday, November 21, 2016 2:56 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: EXTERNAL: Re: Catalogs in a SYSPLEX

I was doing some research and I cannot seem to find any specific mention of 
using a single shared master catalog in the manuals. It doesn't mean I was 
looking in the correct manuals it just means that what I had been told may not 
be 100% accurate. The manuls do seem to IMPLY that a shared master catalog is 
the way to go but there is nothing recommending one over the other that I can 
see.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

 Warning: All e-mail sent to this address will be received by the corporate 
e-mail system, and is subject to archival and review by someone other than the 
recipient. This e-mail may contain proprietary information and is intended only 
for the use of the intended recipient(s). If the reader of this message is not 
the intended recipient(s), you are notified that you have received this message 
in error and that any review, dissemination, distribution or copying of this 
message is strictly prohibited. If you have received this message in error, 
please notify the sender immediately.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Catalogs in a SYSPLEX

2016-11-21 Thread Travis Bream 
So what is the intent of your configuration?
To take advantage of all the wonderfulness that is SYSPLEX :)

Separate but equal?  Or are they running from a common SYSRES Set?  Other???
We will have 2 systems that are identical. They are going to have a common 
SYSRES with a secondary SYSRES to swap to for maintenance and upgrades. They 
also will share DASD so whatever data sets are on those DASD are accessible by 
both systems. Hence the catalog question.

Right now we have 3 LPAR's (Production, Test and Maintenance). We have DASD 
accessible to all three with data sets on them. In order for those data sets to 
be viewed on other LPAR's than the LPAR we create them on we must catalog them 
on each system. I would imagine that this is analogous to the processes 
involved with multiple master catalogs or shared master catalogs in a sysplex.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Catalogs in a SYSPLEX

2016-11-21 Thread Srivastava, Rajesh K 
You can do either  and will some associated issues. Here are some:

If you have a MCAT for each LPAR you will have so many MCAT's + its backup to 
maintain and garbage in it piles up with time.

If you have a shared MCAT, you need to maintain one MCAT/SYSPLEX and one 
backup.At the time of z/OS upgrade create a new SYSPLEX MCAT (you may have one 
character in MCAT specific to z/OS versrion/release in MCAT name)  ( gives you 
opportunity to cleanup / gives you opportunity to test z/OS upgrade in DR ahead 
of time). One will need to keep two MCAT SYNCed up during the upgrade.

Regards,

Rajesh

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Travis
Sent: Monday, November 21, 2016 4:56 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Catalogs in a SYSPLEX

I was doing some research and I cannot seem to find any specific mention of 
using a single shared master catalog in the manuals. It doesn't mean I was 
looking in the correct manuals it just means that what I had been told may not 
be 100% accurate. The manuls do seem to IMPLY that a shared master catalog is 
the way to go but there is nothing recommending one over the other that I can 
see.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

The information contained in this e-mail, and any attachment, is confidential 
and is intended solely for the use of the intended recipient. Access, copying 
or re-use of the e-mail or any attachment, or any information contained 
therein, by any other person is not authorized. If you are not the intended 
recipient please return the e-mail to the sender and delete it from your 
computer. Although we attempt to sweep e-mail and attachments for viruses, we 
do not guarantee that either are virus-free and accept no liability for any 
damage sustained as a result of viruses. 

Please refer to http://disclaimer.bnymellon.com/eu.htm for certain disclosures 
relating to European legal entities.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Catalogs in a SYSPLEX

2016-11-21 Thread Lizette Koehler 
By using INDIRECT CATALOG you can use different SYSRES Sets, but the same 
SYS1.** names.

Lizette


-Original Message-
>From: Lizette Koehler 
>Sent: Nov 21, 2016 3:10 PM
>To: IBM-MAIN@LISTSERV.UA.EDU
>Subject: Re: Catalogs in a SYSPLEX
>
>So the answers are
>
>  It depends on what you want to do
>   Your milage May Vary (YMMV)
>
>If you want to access the datasets from either Plex easily, a Shared Master is 
>okay.  Remember the master cat should only have Aliases to usercats, and SYS1 
>datasets for that environment.  If you want SYS1.LINKLIB that is different 
>from both Plexes, then you probably want separate MCats.
>
>If both plexes can "share" the common datasets, then you can get by with one 
>MCAT.
>
>Or the Mcat on PLEX has the Mcat on Plex b as a user cat and vise versa.
>
>
>So what is the intent of your configuration?
>
>Separate but equal?  Or are they running from a common SYSRES Set?  Other???
>
>
>Lizette
>
>
>-Original Message-
>>From: Travis 
>>Sent: Nov 21, 2016 1:53 PM
>>To: IBM-MAIN@LISTSERV.UA.EDU
>>Subject: Catalogs in a SYSPLEX
>>
>>We are creating a SYSPLEX of two systems and there seems to be some debate 
>>about using a single shared master catalog or multiple master catalogs on 
>>each system. The IBM manuals recommend a single shared master catalog but our 
>>CE has been advocating multiple catalogs. What are the pros and cons of 
>>running each? We have two identical systems in the PLEX and for right now 
>>there is no plan to add more, however that could change at any time in the 
>>near future.
>>
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Catalogs in a SYSPLEX

2016-11-21 Thread Jesse 1 Robinson 
Biggest problem I see with multiple master catalogs is that you have to keep 
entries in synch. First time you debug a weird problem resulting from 
out-of-synch catalogs, I think you'll want a single one. 

As for installing software maintenance, you should alternate between (at least) 
two sysres volumes. Swap from one to the other to migrate software upgrade. In 
case of problems, fall back to the older level. Sysres data sets are cataloged 
like this:

VOLSER** DEVTYPE--X''

This will resolve to the volume you IPLed from on each system. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Travis
Sent: Monday, November 21, 2016 1:56 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Catalogs in a SYSPLEX

I was doing some research and I cannot seem to find any specific mention of 
using a single shared master catalog in the manuals. It doesn't mean I was 
looking in the correct manuals it just means that what I had been told may not 
be 100% accurate. The manuls do seem to IMPLY that a shared master catalog is 
the way to go but there is nothing recommending one over the other that I can 
see.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Catalogs in a SYSPLEX

2016-11-21 Thread Lizette Koehler 
So the answers are

  It depends on what you want to do
   Your milage May Vary (YMMV)

If you want to access the datasets from either Plex easily, a Shared Master is 
okay.  Remember the master cat should only have Aliases to usercats, and SYS1 
datasets for that environment.  If you want SYS1.LINKLIB that is different from 
both Plexes, then you probably want separate MCats.

If both plexes can "share" the common datasets, then you can get by with one 
MCAT.

Or the Mcat on PLEX has the Mcat on Plex b as a user cat and vise versa.


So what is the intent of your configuration?

Separate but equal?  Or are they running from a common SYSRES Set?  Other???


Lizette


-Original Message-
>From: Travis 
>Sent: Nov 21, 2016 1:53 PM
>To: IBM-MAIN@LISTSERV.UA.EDU
>Subject: Catalogs in a SYSPLEX
>
>We are creating a SYSPLEX of two systems and there seems to be some debate 
>about using a single shared master catalog or multiple master catalogs on each 
>system. The IBM manuals recommend a single shared master catalog but our CE 
>has been advocating multiple catalogs. What are the pros and cons of running 
>each? We have two identical systems in the PLEX and for right now there is no 
>plan to add more, however that could change at any time in the near future.
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Catalogs in a SYSPLEX

2016-11-21 Thread Travis 
I was doing some research and I cannot seem to find any specific mention of 
using a single shared master catalog in the manuals. It doesn't mean I was 
looking in the correct manuals it just means that what I had been told may not 
be 100% accurate. The manuls do seem to IMPLY that a shared master catalog is 
the way to go but there is nothing recommending one over the other that I can 
see.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Catalogs in a SYSPLEX

2016-11-21 Thread Nims,Alva John (Al) 
We currently have a 2 LPAR sysplex and the master catalog in not shared.  Prior 
to this job I worked at a shop where we supported sysplexes from a single 
system to up to 10 LPARs in a single sysplex.  The master catalogs were not 
shared , I think I would put forth one big reason for not sharing the master 
catalog, would be system upgrades, when we went through the z/OS upgrades, 
there were times where SYS1. Level data sets location changed from one release 
to the next and the catalog needed to point to the new location for the new 
release.  We would upgrade one LPAR at a time in a sysplex, which was once a 
week, so it would be several weeks to complete a sysplex.

I think there are a lot of questions you have to ask yourself about how you are 
going to handle the sysplex and what you are going to keep in the master 
catalog, besides SYS1.  Note: I believe System Symbols are your friend when 
setting up the catalog, for both data set names and VOLSER.


Al Nims
Systems Admin/Programmer 3
UFIT
University of Florida
(352) 273-1298

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Travis
Sent: Monday, November 21, 2016 3:54 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Catalogs in a SYSPLEX

We are creating a SYSPLEX of two systems and there seems to be some debate 
about using a single shared master catalog or multiple master catalogs on each 
system. The IBM manuals recommend a single shared master catalog but our CE has 
been advocating multiple catalogs. What are the pros and cons of running each? 
We have two identical systems in the PLEX and for right now there is no plan to 
add more, however that could change at any time in the near future.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Catalogs in a SYSPLEX

2016-11-21 Thread Jesse 1 Robinson 
A lot depends on whether you're creating a net new member or combining two 
existing systems into a single plex. As I said in a previous thread, combining 
systems is very tough unless you're willing to put up with the vagaries of a 
'bronze-plex'. 

If you're creating a new system, you can clone the existing one. You should aim 
to share everything that can be shared. I don't know why anyone would stop 
short of total sharing: one master catalog; one RACF (or other security 
product) data base; one JES spool. If someone can give you a compelling reason 
for separate anything--like page data sets--then you could consider it. I would 
be very dubious about proposed subdivisions.  

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Travis
Sent: Monday, November 21, 2016 12:54 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Catalogs in a SYSPLEX

We are creating a SYSPLEX of two systems and there seems to be some debate 
about using a single shared master catalog or multiple master catalogs on each 
system. The IBM manuals recommend a single shared master catalog but our CE has 
been advocating multiple catalogs. What are the pros and cons of running each? 
We have two identical systems in the PLEX and for right now there is no plan to 
add more, however that could change at any time in the near future.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Catalogs in a SYSPLEX

2016-11-21 Thread Feller, Paul 
At our shop we have three master catalogs in the same sysplex.  We run three 
"levels" of lpars and the master catalogs are by level.  Our three tech lpars 
share a master catalog.  Our three application test lpars share a different 
master catalog.  Our 6 production lpars share a different master catalog.  So 
yes you can have more than one master catalog, it just depends on how things 
are laid out.

We run with shared DASD across all the lpars.  So depending on what we are 
doing we have to remember to update all three master catalogs or just update 
one master catalog.

You have to be careful about any VSAM dataset that might be in your master 
catalog(s).  You don't want a VSAM dataset in two master catalogs.

We have the master catalogs on their own (different) volumes.  You don't want 
more than one master catalog on a volume.


Thanks..

Paul Feller
AGT Mainframe Technical Support


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Travis
Sent: Monday, November 21, 2016 14:54
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Catalogs in a SYSPLEX

We are creating a SYSPLEX of two systems and there seems to be some debate 
about using a single shared master catalog or multiple master catalogs on each 
system. The IBM manuals recommend a single shared master catalog but our CE has 
been advocating multiple catalogs. What are the pros and cons of running each? 
We have two identical systems in the PLEX and for right now there is no plan to 
add more, however that could change at any time in the near future.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Catalogs in a SYSPLEX

2016-11-21 Thread Travis 
We are creating a SYSPLEX of two systems and there seems to be some debate 
about using a single shared master catalog or multiple master catalogs on each 
system. The IBM manuals recommend a single shared master catalog but our CE has 
been advocating multiple catalogs. What are the pros and cons of running each? 
We have two identical systems in the PLEX and for right now there is no plan to 
add more, however that could change at any time in the near future.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: ASMA033I Storage alignment for unfavorable for dependent DSECT?

2016-11-21 Thread Walt Farrell 
On Sun, 20 Nov 2016 22:42:16 +0200, Binyamin Dissen 
 wrote:

>I am receiving
>
>ASMA033I Storage alignment for @DDNTXTU.S99TUPAR unfavorable
>
>where the value of S99TUPAR is 6, but it is a dependent using and the actual
>offset is at a doubleword boundary.
>
>Working as designed??

Seems like a question perhaps better asked on assembler-list than on ibm-main :)

-- 
Walt

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

2016-11-21 Thread Tom Marchant 
On Mon, 21 Nov 2016 09:33:20 -0800, Ed Jaffe wrote:

>However, it's not trivial to determine from where you were loaded. It
>could be STEPLIB/JOBLIB, it could be LPA, it could be LNKLST. 

It shouldn't be that hard if you know the member name. Create a DCB 
for STEPLIB and open it. If that works, do a BLDL on the member name 
and if that works, you've found the module. If the BLDL fails, it's not in 
STEPLIB and JOBLIB isn't used. If the open fails, try the same with 
JOBLIB.

But for this purpose, I don't think it matters where the module came 
from. If there is a STEPLIB with a non-authorized data set, the step 
is not authorized. If there is no STEPLIB and there is a JOBLIB, all 
data sets in it must be authorized.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

2016-11-21 Thread Ed Jaffe 

On 11/21/2016 8:27 AM, Charles Mills wrote:

Exactly. That is what I intend to do.

Charles

John McKown wrote:

THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME 
volser BEING ON THE STEPLIB/JOBLIB​. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT 
APF AUTHORIZED.
... or migrated or is not SMS, not cataloged, etc.


I love this idea!!!

However, it's not trivial to determine from where you were loaded. It 
could be STEPLIB/JOBLIB, it could be LPA, it could be LNKLST. CSVQUERY 
does have an ability to return a token that can, through some complex 
and circuitous logic, actually map back to a data set name or HFS path, 
but it's not easy and I have a nagging suspicion that at least part of 
that processing requires authorization.


IMHO, we need an enhancement to CSVQUERY/CSVINFO (as appropriate) to 
return the fully-qualified data set name and volume and/or HFS path from 
which a module was actually fetched. (If it came from VLF, that 
information would need to be preserved at the time the module is cached 
so it can be provided to CSV.)


Of course, there is an implied assumption here that you're invoking 
TESTAUTH from inside the program referenced by EXEC PGM=. If not, you 
would first need to determine which program name that is. (It's not 
difficult, but it is an extra step...)


--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

2016-11-21 Thread Jesse 1 Robinson 
I believe that's the right approach. For now anyway. You have control. You can 
build a common routine that any APF product can call during initialization. If 
IBM ever comes up with a more general solution, you can revisit your solution. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Monday, November 21, 2016 8:27 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Which STEPLIB concatenation is not authorized?

Exactly. That is what I intend to do.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Elardus Engelbrecht
Sent: Monday, November 21, 2016 2:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

John McKown wrote:

>​But I can see where it would be _very_ nice if an application to do a 
>TESTAUTH to make sure that it is APF authorized. And, if not, then put out a 
>message similar to:

>THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME 
>volser BEING ON THE STEPLIB/JOBLIB​. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT 
>APF AUTHORIZED.

... or migrated or is not SMS, not cataloged, etc.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

2016-11-21 Thread Jesse 1 Robinson 
One caveat. APF can be modified dynamically without updating PARMLIB. Not 
necessarily an error if it's the first try with a new application, although in 
practice it's a red flag.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Mike Schwab
Sent: Sunday, November 20, 2016 10:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Which STEPLIB concatenation is not authorized?

OK.  How about 2 REXX commands.
The first REXX command reads SYS*.PARMLIB members, parses out the DSN and 
Vol/SMS ignoring syntax errors, and checks each DSN for APF authorization.
The second REXX command read any JCL member, parses out the steplib DSNs and 
Volumes ignoring syntax errors, and checks each DSN for APR authorization.
This would be useful for any site or product that has z/OS APF libraries.

On Sun, Nov 20, 2016 at 11:25 AM, Clark Morris  
wrote:
> [Default] On 20 Nov 2016 08:47:04 -0800, in bit.listserv.ibm-main 
> charl...@mcn.org (Charles Mills) wrote:
>
>>Thanks @Gil, I think you get where I am trying to go with this.
>>
>>It's not that I don't know how to use TESTAUTH or think TESTAUTH is 
>>giving me the wrong answer. But now what? We say "one or more of your 
>>datasets is apparently not authorized" and the customer says "WE TOLD 
>>YOU THEY ARE ALL AUTHORIZED!" Now what does the poor support tech do? 
>>Say "Issue a 'D PROG,APF' and check all the libraries -- it's not rocket 
>>surgery!"
>
> It seems like a generic module that chases the chains would be useful 
> to a number of vendors and even for Roll your own code.  I know that I 
> was enraged on earlier versions with the JCL message symbol not 
> defined in procedure mess and justified the effort to go to MVS SP
> 1.3.2 or 1.3.3 because that was the version.release.modification level 
> that had the change telling you which symbol wasn't defined in the 
> procedure.  In this case chasing down errant libraries when the 
> installing groups isn't responsible for setting up APF authorization 
> can be interesting.
>
> Clark Morris
>>
>>Would YOU buy a product from a vendor that talked to you like that?
>>
>>Charles
>>
>>-Original Message-
>>From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
>>On Behalf Of Paul Gilmartin
>>Sent: Sunday, November 20, 2016 1:21 AM
>>To: IBM-MAIN@LISTSERV.UA.EDU
>>Subject: Re: Which STEPLIB concatenation is not authorized?
>>
>>On 2016-11-19, at 15:32, Jesse 1 Robinson wrote:
>>>
>>> As complicated this may sound, APF can be determined/diagnosed by
>>inspection with relative ease. It's not rocket surgery.
>>>
>>Perhaps.  But it would be poor business practice for the OP to address 
>>his customer so tactlessly.  IBM ought to help its customers to help 
>>their customers.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

2016-11-21 Thread Charles Mills 
Exactly. That is what I intend to do.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Elardus Engelbrecht
Sent: Monday, November 21, 2016 2:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

John McKown wrote:

>​But I can see where it would be _very_ nice if an application to do a 
>TESTAUTH to make sure that it is APF authorized. And, if not, then put out a 
>message similar to:

>THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME 
>volser BEING ON THE STEPLIB/JOBLIB​. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT 
>APF AUTHORIZED.

... or migrated or is not SMS, not cataloged, etc.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: ASMA033I Storage alignment for unfavorable for dependent DSECT?

2016-11-21 Thread Steve Thompson 
I don't do 64Bit stuff at this point. But, as soon as I can today, I'll go look 
at the DSECTs...


Sent from my iPhone

> On Nov 21, 2016, at 12:03 AM, Binyamin Dissen  
> wrote:
> 
> It is properly aligned in the main dsect.
> 
> ZZZ  DSECT
>CNOP   2,8
> DDNTXTU DS 3H,CL8
> 
> 
> 
> @DDNTXTU  USING S99TUNIT,DDNTXTU
> 
>STG   R1,@DDNTXTU.S99TUPAR
> 
> The assembler knows that the resolved address is at a doubleword offset in ZZZ
> 
> On Sun, 20 Nov 2016 15:01:04 -0800 "ste...@copper.net" 
> wrote:
> 
> :>I don't have access to listings right now, but having just done a few 
> routines that were doing SVC99 and making use of all the DSECTs provided by 
> IBM, I found that I had to get alignment set up correctly.
> :>
> :>So, I would start Text Units on a fullword, so that you have (off the top 
> of my head):
> :>  DS 0A
> :>verb  DS H
> :>count DS H
> :>len   DS H
> :>parm  DS X 
> :>
> :>And then the parm value would be as long as needed. But, I made sure that 
> the next text unit started on a full world. I think that will solve your 
> problems.
> :>
> :>Sorry, I can't remember the correct names of the IBM DSECTs (and their 
> related variables) so I could answer you by their names.
> :>
> :>Regards,
> :>Steve Thompson
> :>
> :>--- bdis...@dissensoftware.com wrote:
> :>
> :>From: Binyamin Dissen 
> :>To:   IBM-MAIN@LISTSERV.UA.EDU
> :>Subject: [IBM-MAIN] ASMA033I Storage alignment for unfavorable for 
> dependent DSECT?
> :>Date: Sun, 20 Nov 2016 22:42:16 +0200
> :>
> :>I am receiving
> :>
> :>ASMA033I Storage alignment for @DDNTXTU.S99TUPAR unfavorable 
> :>
> :>where the value of S99TUPAR is 6, but it is a dependent using and the actual
> :>offset is at a doubleword boundary.
> :>
> :>Working as designed??
> 
> --
> Binyamin Dissen 
> http://www.dissensoftware.com
> 
> Director, Dissen Software, Bar & Grill - Israel
> 
> 
> Should you use the mailblocks package and expect a response from me,
> you should preauthorize the dissensoftware.com domain.
> 
> I very rarely bother responding to challenge/response systems,
> especially those from irresponsible companies.
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: DFSMSdss DUMP and extended format

2016-11-21 Thread Mike Schwab 
http://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.idad400/coefsds.htm
It uses the LBI (Large Block Interface).

On Mon, Nov 21, 2016 at 9:25 AM, R.S.  wrote:
> Since (FAIK) z/OS 1.12 times DSS DUMP output dataset can be extended format
> PS.
>
> It's strange: When you omit blocksize (use SDB), the blocksize of the dump
> dataset will be 27998, for PS, PS-LARGE, and for extended format PS.
> However for ext-fmt  PS there is *one block per track*. Yes, when you dump
> to regular PS you get i.e. 1500 blocks and 750 tracks, but when you dump to
> extended format PS you get 1500 blocks and 1500 tracks occupied.
>
> Note, when you provide smaller (BLKSIZE=27900) you get 2 blocks per track.
>
> Is it documented?
> Is it bug or feaure?
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>
>
>
>
>
>
> ---
> Treść tej wiadomości może zawierać informacje prawnie chronione Banku
> przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być
> jedynie jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś
> adresatem niniejszej wiadomości lub pracownikiem upoważnionym do jej
> przekazania adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie,
> rozprowadzanie lub inne działanie o podobnym charakterze jest prawnie
> zabronione i może być karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo,
> prosimy niezwłocznie zawiadomić nadawcę wysyłając odpowiedź oraz trwale
> usunąć tę wiadomość włączając w to wszelkie jej kopie wydrukowane lub
> zapisane na dysku.
>
> This e-mail may contain legally privileged information of the Bank and is
> intended solely for business use of the addressee. This e-mail may only be
> received by the addressee and may not be disclosed to any third parties. If
> you are not the intended addressee of this e-mail or the employee authorized
> to forward it to the addressee, be advised that any dissemination, copying,
> distribution or any other similar activity is legally prohibited and may be
> punishable. If you received this e-mail by mistake please advise the sender
> immediately by using the reply facility in your e-mail software and delete
> permanently this e-mail including any copies of it either printed or saved
> to hard drive.
>
> mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa,
> www.mBank.pl, e-mail: kont...@mbank.pl
> Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru
> Sądowego, nr rejestru przedsiębiorców KRS 025237, NIP: 526-021-50-88.
> Według stanu na dzień 01.01.2016 r. kapitał zakładowy mBanku S.A. (w całości
> wpłacony) wynosi 168.955.696 złotych.
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

DFSMSdss DUMP and extended format

2016-11-21 Thread R.S. 
Since (FAIK) z/OS 1.12 times DSS DUMP output dataset can be extended 
format PS.


It's strange: When you omit blocksize (use SDB), the blocksize of the 
dump dataset will be 27998, for PS, PS-LARGE, and for extended format PS.
However for ext-fmt  PS there is *one block per track*. Yes, when you 
dump to regular PS you get i.e. 1500 blocks and 750 tracks, but when you 
dump to extended format PS you get 1500 blocks and 1500 tracks occupied.


Note, when you provide smaller (BLKSIZE=27900) you get 2 blocks per track.

Is it documented?
Is it bug or feaure?

--
Radoslaw Skorupka
Lodz, Poland






---
Treść tej wiadomości może zawierać informacje prawnie chronione Banku 
przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie 
jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem 
niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania 
adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne działanie o podobnym charakterze jest prawnie zabronione i może być 
karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie 
zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość 
włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku.

This e-mail may contain legally privileged information of the Bank and is 
intended solely for business use of the addressee. This e-mail may only be 
received by the addressee and may not be disclosed to any third parties. If you 
are not the intended addressee of this e-mail or the employee authorized to 
forward it to the addressee, be advised that any dissemination, copying, 
distribution or any other similar activity is legally prohibited and may be 
punishable. If you received this e-mail by mistake please advise the sender 
immediately by using the reply facility in your e-mail software and delete 
permanently this e-mail including any copies of it either printed or saved to 
hard drive.

mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa, 
www.mBank.pl, e-mail: kont...@mbank.pl
Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru 
Sądowego, nr rejestru przedsiębiorców KRS 025237, NIP: 526-021-50-88. 
Według stanu na dzień 01.01.2016 r. kapitał zakładowy mBanku S.A. (w całości 
wpłacony) wynosi 168.955.696 złotych.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

2016-11-21 Thread Vernooij, Kees (ITOPT1) - KLM 
Not only STEPLIB (and JOBLIB) but also any tasklib, which in fact can be any 
ddname.

And then the problem arises: when should the 'non-apf warming' be issued? You 
could have a ddname with a concatenation of loadlibraries, that are never going 
to be used to LOAD modules from, so the warning is useless and confusing.

Kees.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Elardus Engelbrecht
Sent: 21 November, 2016 14:58
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Which STEPLIB concatenation is not authorized?

John McKown wrote:

>​But I can see where it would be _very_ nice if an application to do a 
>TESTAUTH to make sure that it is APF authorized. And, if not, then put out a 
>message similar to:

>THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME 
>volser BEING ON THE STEPLIB/JOBLIB​. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT 
>APF AUTHORIZED.

... or migrated or is not SMS, not cataloged, etc.

It would be very nice if the issuer of IGD103I SMS ALLOCATED TO DDNAME STEPLIB 
can show above message.


Or yet better - take that list of datasets in that STEPLIB, feed it to 'APF 
Dataset Report' in 'RACF_SENSITIVE_RESOURCES' in Health Checker ...

... with this one little variation - the FULL lists (all entries in that 
STEPLIB) must be APFed. That is ALL or nothing!

H, ..ok, now drifting somewhat, but what about libraries in Linklist, 
but NOT APFed?

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

For information, services and offers, please visit our web site: 
http://www.klm.com. This e-mail and any attachment may contain confidential and 
privileged material intended for the addressee only. If you are not the 
addressee, you are notified that no part of the e-mail or any attachment may be 
disclosed, copied or distributed, and that any other action related to this 
e-mail or attachment is strictly prohibited, and may be unlawful. If you have 
received this e-mail by error, please notify the sender immediately by return 
e-mail, and delete this message. 

Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its 
employees shall not be liable for the incorrect or incomplete transmission of 
this e-mail or any attachments, nor responsible for any delay in receipt. 
Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch 
Airlines) is registered in Amstelveen, The Netherlands, with registered number 
33014286




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

2016-11-21 Thread Elardus Engelbrecht 
John McKown wrote:

>​But I can see where it would be _very_ nice if an application to do a 
>TESTAUTH to make sure that it is APF authorized. And, if not, then put out a 
>message similar to:

>THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON VOLUME 
>volser BEING ON THE STEPLIB/JOBLIB​. DSN=SOME.NONAPF.LIBRARY ON volser IS NOT 
>APF AUTHORIZED.

... or migrated or is not SMS, not cataloged, etc.

It would be very nice if the issuer of IGD103I SMS ALLOCATED TO DDNAME STEPLIB 
can show above message.


Or yet better - take that list of datasets in that STEPLIB, feed it to 'APF 
Dataset Report' in 'RACF_SENSITIVE_RESOURCES' in Health Checker ...

... with this one little variation - the FULL lists (all entries in that 
STEPLIB) must be APFed. That is ALL or nothing!

H, ..ok, now drifting somewhat, but what about libraries in Linklist, 
but NOT APFed?

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: LDAP on z/os

2016-11-21 Thread John McKown 
On Mon, Nov 21, 2016 at 7:27 AM, Tom Marchant <
000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote:

> On Sun, 20 Nov 2016 09:28:40 -0600, Walt Farrell wrote:
>
> >... and may seriously hurt the performance, reliability, and availability
> of your z/OS
> >system and the applications running on it.
>
> Not to mention relying on a platform that is more subject to hacking than
> a properly
> configured z/OS system. And one that does not include the assurance
> provided by
> the z/OS System Integrity Statement.
>
> http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=
> WH=SA=ZSL03361USEN=ZSL03361USEN.PDF
>
> --
> Tom Marchant
>
>
​Although I agree with all that has been said in this thread, I am certain,
at least if other Windows people are like the Windows people here, that the
Windows people would excrete a masonry product (s--t a brick) if anyone
said that their systems had to validate against a z/OS based repository.
Not to mention that, although z/OS does support LDAP and Kerberos, it does
not support Windows Active Directory protocols. The mere fact that said
protocol is both unsupported, proprietary, and "fluid" (as most MS
protocols are) is not germane to the discussion (to them).

The only solution that I can think of for this is a product which in the
data base world would be called "bidirectional replication".


-- 
Heisenberg may have been here.

Unicode: http://xkcd.com/1726/

Maranatha! <><
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

2016-11-21 Thread John McKown 
On Mon, Nov 21, 2016 at 7:21 AM, Charles Mills  wrote:

>
>
> YOU say it's all authorized. z/OS says it's not. Let's think who's
> probably right here.
>

​I agree, but I have a couple of friends who are / were in level 1​
support. You'd be amazed by stories of ignorance and mental denseness. I've
read comparable stories on "The Register" (http://www.theregister.co.uk). I
loved the one where the end-user apparently didn't know that the "on"
button for a PC was the same one as the "off" button. The one I remember
was from a certain frozen state which shall remain nameless where the
system's programmer reported that the product would immediately abend. He
had not linked the supplied object decks into a load library, but put the
data set containing the object decks in the STEPLIB. I guess he didn't read
the installation documentation (Top Secret was the product).

​But I can see where it would be _very_ nice if an application to do a
TESTAUTH to make sure that it is APF authorized. And, if not, then put out
a message similar to:

THE PRODUCT IS NOT APF AUTHORIZED DUE TO THE DSN=SOME.NONAPF.LIBRARY ON
VOLUME volser BEING ON THE STEPLIB/JOBLIB​.
DSN=SOME.NONAPF.LIBRARY ON volser IS NOT APF AUTHORIZED.


-- 
Heisenberg may have been here.

Unicode: http://xkcd.com/1726/

Maranatha! <><
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: LDAP on z/os

2016-11-21 Thread Tom Marchant 
On Sun, 20 Nov 2016 09:28:40 -0600, Walt Farrell wrote:

>... and may seriously hurt the performance, reliability, and availability of 
>your z/OS 
>system and the applications running on it.

Not to mention relying on a platform that is more subject to hacking than a 
properly 
configured z/OS system. And one that does not include the assurance provided by 
the z/OS System Integrity Statement.

http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH=SA=ZSL03361USEN=ZSL03361USEN.PDF

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

2016-11-21 Thread Charles Mills 


YOU say it's all authorized. z/OS says it's not. Let's think who's probably 
right here.


CharlesSent from a mobile; please excuse the brevity

 Original message 
From: Peter Relson  
Date: 11/21/16  2:12 PM  (GMT+01:00) 
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: Which STEPLIB concatenation is not authorized? 

>Would YOU buy a product from a vendor that talked to 
>you like that?

Maybe not. But why wouldn't helpful technical support say
"please issue DISPLAY PROG,APF and let me see the output so that I can 
help you figure out what is wrong?"
How do you think conversations go for just about anyone when customers 
report problems?  An early step is for the customer to make available the 
data that can help to diagnose the problem. (unless you're talking to a 
helpless desk that tells you to power off and power on, or uninstall and 
re-install).

And in the case at hand, what did the customer say if they had asserted 
that all the libraries were APF authorized and you found that there were 3 
in the concatenation that weren't? Maybe your technical support should 
offer to make a friendly wager with the customer about the state of things 
(because "apparently not authorized" is a wimpy -- but possibly necessary 
-- way of stating the fact "is not considered by the system to be 
APF-authorized").

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

2016-11-21 Thread Peter Relson 
>Would YOU buy a product from a vendor that talked to 
>you like that?

Maybe not. But why wouldn't helpful technical support say
"please issue DISPLAY PROG,APF and let me see the output so that I can 
help you figure out what is wrong?"
How do you think conversations go for just about anyone when customers 
report problems?  An early step is for the customer to make available the 
data that can help to diagnose the problem. (unless you're talking to a 
helpless desk that tells you to power off and power on, or uninstall and 
re-install).

And in the case at hand, what did the customer say if they had asserted 
that all the libraries were APF authorized and you found that there were 3 
in the concatenation that weren't? Maybe your technical support should 
offer to make a friendly wager with the customer about the state of things 
(because "apparently not authorized" is a wimpy -- but possibly necessary 
-- way of stating the fact "is not considered by the system to be 
APF-authorized").

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Which STEPLIB concatenation is not authorized?

2016-11-21 Thread Tom Marchant 
On Sun, 20 Nov 2016 13:41:20 -0600, Paul Gilmartin wrote:

>On Sun, 20 Nov 2016 17:01:43 +, Jesse 1 Robinson wrote:
>
>>the requirements for APF concatenation were invented to protect the customer
>> 
>The particular implementation protects the customer from nothing.

Of course it does. Your contention that it could be better is not evidence that 
the 
requirements for APF concatenation does not protect the customer is not 
accurate.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Verifying callers Parameter Address upon entry to a PC Service Routine

2016-11-21 Thread Peter Relson 
It is frankly a bit scary to have this question being asked like this, 
since this is being asked by the owner of authorized code. Karl Schmitz of 
IBM has given many presentations to many customers and vendors on system 
integrity. This is a very basis system integrity question, the answer to 
which should be well understood before writing authorized code.

You really don't "verify". It is in general impossible to "verify". You 
can "sanity check" but all that does is let you find some cases that are 
not valid.
You still need to access data in the caller's key.  Either use the MVCSK 
instruction (or use MVCDK if writing to it) or switch to the caller's key 
for the reference (SPKA instruction or MODESET macro) and then use that 
key to load into registers and switch back to your key for saving the 
data.

It doesn't typically matter where you do the access as long as is done by 
authorized code and you copy (using the key) the data to protected storage 
that the unauthorized caller cannot modify and subsequently reference from 
that copy (unless you make sure that every reference is done in the 
unauthorized caller's key).

I'm not sure what you mean by the "caller's interface routine".  If it is 
something that runs in user state and key it cannot do any true 
validation. Only sanity checking (which you would typically have to re-do 
after you get to the target routine where you are authorized and where you 
can avoid a time of check to time of use exposure).

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Verifying callers Parameter Address upon entry to a PC Service Routine

2016-11-21 Thread Rob Scott 
Although performing validation in your interface routine is never a bad thing, 
the real validation must *always* be done in the PC routine itself as someone 
might attempt to invoke your PC by crafting the parameter list manually outside 
of your interface.

Always access caller data in the key of the caller - you can extract the key of 
the caller from the PSW on the stack (ESTA instruction and then some bit 
shifting)

MVCDK and MVCSK instructions are your friends when moving data between PC 
routine and caller.

Once you have the caller key, immediately copy (MVCSK) the parameter list to 
your PC working storage *before* you inspect it so that it cannot be altered 
during the validation process.

Never trust passed parameters and addresses - always use trusted sources for 
control block access including your own server control blocks.

Length checking is always good - do not be the buffer-overflow root cause.

If possible, do NOT run your server and PC routines in key0 - get a PPT entry 
for your server jobstep program in another key (for example, key2 or key4) and 
then specify this key on the ETDEF for the PC routine.

Rather than repeatedly coding MVCDK/SK instructions, consider wrapping them up 
in a macro so that it can do 256-byte loops for larger amounts of data.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of esst...@juno.com
Sent: Sunday, November 20, 2016 10:17 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Verifying callers Parameter Address upon entry to a PC Service Routine

.
Im looking for some guidelines when validating any address passed to a PC 
Service Routine.
.
Should the Validation be done in The PC Service Routine *or* in the callers 
interface routine provided  by the Service Address Space.
.
What would be the recommended method to validate all Address Passed to the PC 
Service Routine ?
What Instructions ? what Macros - Callable Services ?
.
Paul D'Angelo
.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Rocket Software, Inc. and subsidiaries ■ 77 Fourth Avenue, Waltham MA 02451 ■ 
+1 877.328.2932 ■ +1 781.577.4321
Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - 
http://www.rocketsoftware.com/manage-your-email-preferences
Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy


This communication and any attachments may contain confidential information of 
Rocket Software, Inc. All unauthorized use, disclosure or distribution is 
prohibited. If you are not the intended recipient, please notify Rocket 
Software immediately and destroy all copies of this communication. Thank you.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

InfoSphere Classic CDC for z/OS

2016-11-21 Thread Steff Gladstone 
Does anyone have any experience with the above software, as a tool to
capture updates to a "classic" VSAM file on the mainframe and propagate
them to a open-systems data base?

Thanks,
Steff Gladstone

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN