Re: changing batch job to use SSL

2017-06-12 Thread Timothy Sipples
IPsec is another option I should have also mentioned, also a Communications
Server for z/OS feature.


Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: APF authorization and AC(00)

2017-06-12 Thread CM Poncelet
A REFR program's page can be stolen (without having to save it first) by
the RSM if it has a higher UIC than other pages. If it then hits a page
fault, the ASM reloads the missing page from the paging dataset so the
program can continue executing. AFAIK it reloads only stolen pages, not
the whole module, while it is in the middle of being executed.

Chris Poncelet (retired sysprog)



On 12/06/2017 07:44, Binyamin Dissen wrote:
> On Mon, 12 Jun 2017 00:31:28 -0400 Randy Hudson  wrote:
> 
> :>In article <2376347398828975.wa.paulgboulderaim@listserv.ua.edu> you write:
> :>
> :>> Point taken.  But it's not clear why the designers chose to allow a program
> :>> to be both modifiable and reloadable.  This leads to dreadful unpredictability:
> :>> Behavior may differ depending on whether the program has been reloaded.
> :>> OK.  Initialization code may set a flag (in each page?) that will be cleared by
> :>> a reload.  Critical code paths may check (before and after) that the flag remains
> :>> set and re-initialize if it's found cleared.  And the documentation should
> :>> conscientiously mention the need to do this.  Ugh!
> 
> :>The REFR attribute has existed since MVT version 19 or so.  Core storage
> :>then was really core storage... toroidal ferrite cores threaded on wires, at
> :>a cost of a dollar a bit, or more.
> 
> :>Saving a few bytes is sneered at as false economy, now.  It wasn't, then.
> 
> :>A refreshable load module might have initialization code that needs to be
> :>run only once per time it's loaded, with that init code overwritten for
> :>scratch storage afterward.  If the module's space is needed, the whole thing
> :>gets overwritten.  Later it can be refreshed, and the initialization re-run.
> 
> :>Or, a module might contain a dynamically reorganized search table, such as a
> :>move-to-front table.  That's storage modification, and it's hard to make it
> :>re-entrant on a 360/65 with only TS as a locking mechanism.  But it can be
> :>refreshable, reloading the initial configuration each time.
> 
> That would only allow the refreshable module to be reloaded if it is started
> at the entry point. It cannot be refreshed while it is in the middle of being
> executed. 
> 
> --
> Binyamin Dissen 
> http://www.dissensoftware.com
> 
> Director, Dissen Software, Bar & Grill - Israel
> 
> 
> Should you use the mailblocks package and expect a response from me,
> you should preauthorize the dissensoftware.com domain.
> 
> I very rarely bother responding to challenge/response systems,
> especially those from irresponsible companies.
> 


Re: Estae and the Linkage Stack

2017-06-12 Thread Joseph Reichman
Thanks for getting back to me. I see it now.

I had a recovery routine and abended in a subroutine which had a BAKR; it
apparently deactivated it. The documentation below is very unclear.

Thanks 

 
 Deactivating an ESTAE-Type Recovery Routine: A program may deactivate an
ESTAE-type recovery routine only under the same linkage stack level as the
level that existed when the program activated the recovery routine. This
rule affects programs that add entries to the linkage stack either through
the BAKR or PC instruction. Failure to follow this rule results in an error
return code of 36 from the ESTAE or ESTAEX macro. 
 When you issue a PR, the system automatically deactivates all ESTAE-type
recovery routines that were previously activated under that current linkage
stack entry.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Blaicher, Christopher Y.
Sent: Monday, June 12, 2017 6:52 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Estae and the Linkage Stack

It is a little tricky.  In the Assembler Services Guide there is a section
called Linkage Stack Considerations in chapter 8, the last paragraph of
which says:

When you issue a PR, the system automatically deactivates all ESTAE-type
recovery routines that were previously activated under that current linkage
stack entry.

What I was writing about was, being lazy and not wanting to allocate a save
area, I used BAKR/PR to save and restore the registers when I called a
subroutine to do some initialization including a setup of the ESTAE, and the
ESTAE was not there when the program later abended. (I thought I knew
everything and hadn't read the previous paragraph.)

So, what happened was the system very nicely set up my ESTAE in the
subroutine, and very nicely deactivated it when I exited the subroutine.
Now, if I hadn't used BAKR/PR and done a real subroutine call, all would have
been fine.

Chris Blaicher
Technical Architect
Mainframe Development
P: 201-930-8234  |  M: 512-627-3803
E: cblaic...@syncsort.com  

Syncsort Incorporated
2 Blue Hill Plaza #1563
Pearl River, NY 10965
www.syncsort.com  

Data quality leader Trillium Software is now a part of Syncsort.


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Joseph Reichman
Sent: Monday, June 12, 2017 6:24 PM
To: IBM-MAIN@LISTSERV.UA.EDU  
Subject: Estae and the Linkage Stack

Hi



I thought for the longest time that an ESTAE was associated with a Task.
Then I saw a thread with Chris Blaicher where the upshot was that a BAKR
would deactivate it



I did a search on the archives but didn't come up with anything




Re: Sorting a REXX STEM variable

2017-06-12 Thread Paul Gilmartin
On 2017-06-12, at 14:20, Jesse 1 Robinson wrote:

> I have a number of applications that sort a REXX array. My solution is to 
> load it into an ISPF table. Not only is a table easily sorted, but you can do 
> an instant search with single ISPF command. And so much more. 
>  
Rexx compound symbols do search, but only for match, not lower/upper bound.

> Yes, you need to run in a TSO environment, but I've never found much use for 
> a REXX that does not otherwise need some TSO service anyway.
>  
Which?  What I've missed, beyond ISPF itself, are TRANSMIT and RECEIVE.
And TSO provides shortcuts to many IDCAMS functions.

But I have a Rexx that extracts all the spool files for a job.
Runs fine under OMVS, TSO, or IRXJCL.

And it's irritating that a job can't extract its own ID without
either an ISPF function or chasing control blocks.


> -Original Message-
> From: Tony Harminc
> Sent: Monday, June 12, 2017 1:12 PM
> 
>> What I mean to ask is, how can I invoke an arbitrary utility or load 
>> module (not just SORT) associating all its files with Rexx stems, not 
>> just data sets.  SORT allows this because of the I/O exits; many 
>> utilities (other than HLASM) have no similar facility.
> 
> I'm thinking Howard Gilbert's GPSAM is the approach for this.
>  
Google tells me CBTTAPE 290, with high praise for the author.

-- gil



Re: Estae and the Linkage Stack

2017-06-12 Thread Blaicher, Christopher Y.
It is a little tricky.  In the Assembler Services Guide there is a section 
called Linkage Stack Considerations in chapter 8, the last paragraph of which 
says:

When you issue a PR, the system automatically deactivates all ESTAE-type
recovery routines that were previously activated under that current linkage
stack entry.

What I was writing about was, being lazy and not wanting to allocate a save 
area, I used BAKR/PR to save and restore the registers when I called a 
subroutine to do some initialization including a setup of the ESTAE, and the 
ESTAE was not there when the program later abended. (I thought I knew 
everything and hadn't read the previous paragraph.)

So, what happened was the system very nicely set up my ESTAE in the subroutine, 
and very nicely deactivated it when I exited the subroutine.  Now, if I hadn't 
used BAKR/PR and done a real subroutine call, all would have been fine.

Chris Blaicher
Technical Architect
Mainframe Development
P: 201-930-8234  |  M: 512-627-3803
E: cblaic...@syncsort.com

Syncsort Incorporated
2 Blue Hill Plaza #1563
Pearl River, NY 10965
www.syncsort.com

Data quality leader Trillium Software is now a part of Syncsort.


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Joseph Reichman
Sent: Monday, June 12, 2017 6:24 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Estae and the Linkage Stack

Hi



I thought for the longest time that an ESTAE was associated with a Task.
Then I saw a thread with Chris Blaicher where the upshot was that a BAKR would 
deactivate it



I did a search on the archives but didn't come up with anything




Estae and the Linkage Stack

2017-06-12 Thread Joseph Reichman
Hi

 

I thought for the longest time that an ESTAE was associated with a Task.
Then I saw a thread with Chris Blaicher where the upshot was that a BAKR
would deactivate it

 

I did a search on the archives but didn't come up with anything  




Re: Sorting a REXX STEM variable

2017-06-12 Thread Jesse 1 Robinson
I have a number of applications that sort a REXX array. My solution is to load 
it into an ISPF table. Not only is a table easily sorted, but you can do an 
instant search with single ISPF command. And so much more. 

Yes, you need to run in a TSO environment, but I've never found much use for a 
REXX that does not otherwise need some TSO service anyway.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tony Harminc
Sent: Monday, June 12, 2017 1:12 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Sorting a REXX STEM variable

On 12 June 2017 at 15:17, Paul Gilmartin < 
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> What I mean to ask is, how can I invoke an arbitrary utility or load 
> module (not just SORT) associating all its files with Rexx stems, not 
> just data sets.  SORT allows this because of the I/O exits; many 
> utilities (other than HLASM) have no similar facility.
>

I'm thinking Howard Gilbert's GPSAM is the approach for this.

Tony H.




Re: Sorting a REXX STEM variable

2017-06-12 Thread Tony Harminc
On 12 June 2017 at 15:17, Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> What I mean to ask is, how can I invoke an arbitrary
> utility or load module (not just SORT) associating all its files with Rexx
> stems, not just data sets.  SORT allows this because of the I/O exits; many
> utilities (other than HLASM) have no similar facility.
>

I'm thinking Howard Gilbert's GPSAM is the approach for this.

Tony H.



Re: Sorting a REXX STEM variable

2017-06-12 Thread Paul Gilmartin
On Mon, 12 Jun 2017 20:58:24 +, Robert Prins wrote:

>On 2017-06-12 14:29, John Gateley wrote:
>>...   
>>   r_c = SORTSTEM(my_stem_name,'A')
>>...
>> It will be on File#953 of the CBT Tape soon, but if anyone wants a preview 
>> then the code is in IEBUPDTE format here
>> http://www.spurtle.biz/STEMASM.txt
>> and supporting macros here
>> http://www.spurtle.biz/STEMMAC.txt
> 
... where I see a lot of assembler code and little Rexx.

>Will your code handle non-numerical "indices"?
>
The key definition, not merely 'A', ought to be an argument to SORTSTEM.

But I fell into this discussion using SORT as an example, and replies took
that as the goal.  What I mean to ask is, how can I invoke an arbitrary
utility or load module (not just SORT) associating all its files with Rexx
stems, not just data sets.  SORT allows this because of the I/O exits; many
utilities (other than HLASM) have no similar facility.

BPXWUNIX supports this, but only for UNIX utilities and three customary
files.

-- gil



Re: APF authorization and AC(00)

2017-06-12 Thread Paul Gilmartin
On Mon, 12 Jun 2017 13:53:23 -0400, Tony Harminc wrote:
>
>> Name-token services does something related.  I understand it performs
>> no costly locking during searches, but tests a flag after a search to
>> detect that the data structure has been modified in-progress, and
>> re-drive the search, with less expected cost than locking for every search.
>>
>I've been waiting for IBM to convert this to use Transactional Execution.
>Well for all I know perhaps they have.
>
What performance cost does TE incur (there must be some)?  It's possible
that the existing cleverly recherché design, optimized for searches rather
than updates is better.  If it ain't broke ...

Of course, the update process is so designed that an unserialized search
never risks following an invalid pointer nor falling into an endless loop.

-- gil



Reddit AMA on CICS TS V5.4

2017-06-12 Thread Anthony Giorgio

Hello everyone!

IBM will be hosting a Reddit "Ask Me Anything" session to discuss the 
new release of CICS TS V5.4.  We're going to run a 1-hour session on 
r/mainframe, to informally chat about it.  The hosts will be Fraser Bohm 
(CICS Chief Architect, DE) and Andy Bates (CICS Principal Offering 
Manager).


The session will be this Wednesday, June 14th, at 11AM EDT (4PM London).

http://ibm.biz/cicsama


--
Anthony Giorgio
Advisory Software Engineer
IBM z Systems Platform Performance Manager
Twitter: @a_giorgio



Re: Sorting a REXX STEM variable

2017-06-12 Thread Robert Prins

On 2017-06-12 14:29, John Gateley wrote:

> Hi
>
> Last week's discussion on sorting a REXX stem inspired me to write a program to
> do it.
>
> example call to sort ascending
>   "ISPEXEC LIBDEF ISPLLIB DATASET ID ('my_loadlib') STACK"
>   "ALLOC FI(SORTPRT)  DUMMY"
>   r_c = SORTSTEM(my_stem_name,'A')
>   "FREE FILE(SORTPRT)"
>   "ISPEXEC LIBDEF ISPLLIB "
>
> SORTSTEM gets the variable count from my_stem_name.0 and then looks at every
> variable in the stem to get the maximum length.
>
> Then it getmains some storage big enough for the maximum record plus 4 bytes
> for the length of the variable
>
> It then calls the system SORT passing E15 and E35 exits
>
>   SORT FIELDS=(1,max_len,BI,A),FILSZ=stem_count
>   OPTION MSGDDN=SORTPRT
>   RECORD TYPE=F,LENGTH=(max_len+4)
>
> On each call to the E15 exit the next stem variable is read, padded with spaces
> and the length put on the end
>
> On each call to the E35 exit the variable is put back into the stem, starting
> at 1, using the original length
>
>
> It will be on File#953 of the CBT Tape soon, but if anyone wants a preview then
> the code is in IEBUPDTE format here
> http://www.spurtle.biz/STEMASM.txt
> and supporting macros here
> http://www.spurtle.biz/STEMMAC.txt
> You will need to assemble the six modules then link
>  INCLUDE SYSLIB(STEMSORT)
>  ENTRY STEMSORT

Will your code handle non-numerical "indices"?

tom = 'dick'
my_stem.tom = 'Harry'

Robert
--
Robert AH Prins
robert.ah.prins(a)gmail.com



Re: APF authorization and AC(00)

2017-06-12 Thread Tony Harminc
On 12 June 2017 at 12:35, Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> Name-token services does something related.  I understand it performs
> no costly locking during searches, but tests a flag after a search to
> detect that the data structure has been modified in-progress, and
> re-drive the search, with less expected cost than locking for every search.
>

I've been waiting for IBM to convert this to use Transactional Execution.
Well for all I know perhaps they have.

Tony H.



REFR protection (was: APF authorization and AC(00)

2017-06-12 Thread David W Noon
On Mon, 12 Jun 2017 11:35:33 -0500, Paul Gilmartin
(000433f07816-dmarc-requ...@listserv.ua.edu) wrote about "Re: APF
authorization and AC(00)" (in
<3613995808381310.wa.paulgboulderaim@listserv.ua.edu>):

[snip]
> Earlier, I said that REFRPROT could be made the default because load
> modules erroneously marked REFR could be re-linked.  OK. Not in
> every case.  So make REFRPROT the default except for load modules
> marked non-editable, because they can't be repaired.

The PDS utility and/or File-Aid can remove the REFR attribute, so there
is no need to re-link. The attribute is in the directory entry.

> REFRPROT should be made a JOB statement option rather than a system
> parm option, for flexibility in testing.

More granular than that, it should also be available on the EXEC
statement so that it can be selected on a step-by-step basis.
-- 
Regards,

Dave  [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
david.w.n...@googlemail.com (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

 



Re: APF authorization and AC(00)

2017-06-12 Thread Paul Gilmartin
On Mon, 12 Jun 2017 09:44:02 +0300, Binyamin Dissen wrote:

>On Mon, 12 Jun 2017 00:31:28 -0400 Randy Hudson wrote:
>
>:>Saving a few bytes is sneered at as false economy, now.  It wasn't, then.
>
Alas, code designed according to that criterion remains in use today (if it
weren't, REFRPROT could be made the default), with resulting lack of
robustness.  Programs that might then be used thousands of times during
their lifetimes now run millions of times in an hour, magnifying the exposure
of flaws.

>:>A refreshable load module might have initialization code that needs to be
>:>run only once per time it's loaded, with that init code overwritten for
>:>scratch storage afterward.  If the module's space is needed, the whole thing
>:>gets overwritten.  Later it can be refreshed, and the initialization re-run.
>
The coding requirements are onerous.  The program must be able to:
o detect that it's been refreshed and re-run the initialization.
o tolerate a refresh at any point within a critical code section with
  no misbehavior such as a wild STore.
o be tested to verify the above are true.

>:>Or, a module might contain a dynamically reorganized search table, such as a
>:>move-to-front table.  That's storage modification, and it's hard to make it
>:>re-entrant on a 360/65 with only TS as a locking mechanism.  But it can be
>:>refreshable, reloading the initial configuration each time.
>
And such a move-to-front table ought not span a page boundary, lest a
refresh of one page but not both during the move operation cause an
entry to be lost or duplicated, and that a refresh during a search result
in an entry's being bypassed.  And while the original design may have
the table in a single page it may grow with a design revision.

>That would only allow the refreshable module to be reloaded if it is started
>at the entry point. It cannot be refreshed while it is in the middle of being
>executed.
>
Name-token services does something related.  I understand it performs
no costly locking during searches, but tests a flag after a search to
detect that the data structure has been modified in-progress, and
re-drive the search, with less expected cost than locking for every search.

Earlier, I said that REFRPROT could be made the default because load
modules erroneously marked REFR could be re-linked.  OK. Not in
every case.  So make REFRPROT the default except for load modules
marked non-editable, because they can't be repaired.

REFRPROT should be made a JOB statement option rather than a system
parm option, for flexibility in testing.

-- gil



Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-12 Thread Phil Smith
There are several things intertwined here.


*   CPACF is the "crypto on the chip" - z Systems instructions that do AES et al.

*   CEX is the z HSM.

*   ICSF is, of course, the z/OS service that talks to both (though you can
    do CPACF operations directly as well).

With just CPACF, you're forced to use what's called Clear Key operation: keys 
are stored (somewhere, somehow - perhaps in CKDS), are fetched, and are passed to 
CPACF to do operations.

With CEX in the mix, you add two more options: Secure Key and Protected Key.

Secure Key means that keys are generated by the CEX, wrapped (encrypted) using 
keys known only to the CEX, and then passed to z/OS, which stores them (usually 
in CKDS). When an operation is performed, that wrapped key and the data are 
passed to the CEX, which unwraps the key, does the operation, and returns the 
result. Very secure, if relatively slow.

Protected Key means that keys are generated by the CEX, wrapped, and stored in 
CKDS, like Secure Key. BUT when an operation is needed, an ICSF call takes that 
wrapped key and passes it to the CEX, where it is unwrapped, rewrapped using an 
ephemeral key generated just for the current IPL, and that key is returned. 
That ephemeral key is also passed to the firmware, so it's available to CPACF. 
Then the actual operation is performed by passing the rewrapped key: CPACF 
unwraps it using that ephemeral key, does the operation, returns the result. 
And ICSF remembers that it's done this, so the next operation using that key 
doesn't talk to the HSM at all. This gets you almost all of the performance and 
pretty well all of the security of Secure Key (arguably the firmware is 
slightly less secure than the tamper-resistant HSM, but the memory used in the 
firmware to hold that key is protected - it's apparently not even visible in HMC 
dumps).

So your customer can switch to using Protected Key, at least in theory. How 
hard this is will depend on how keys are generated and managed now, as well as 
whether they're using ICSF or 'raw' CPACF now, as well as whether they're up 
for reprotecting all of their existing data with the new key.

Does this help?
--
...phsiii

Phil Smith III
Senior Architect & Product Manager, Mainframe & Enterprise
Distinguished Technologist
HPE Data Security

phs...@hpe.com
T 703-476-4511
M 703-568-6662
Hewlett Packard Enterprise
Herndon, VA
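
The key flows described in the message above, as an added model that is not part of the original post and is not ICSF, CEX or CPACF code. All class and method names are hypothetical, the HMAC-based wrap stands in for the hardware's real key wrapping, and `operate` stands in for the cipher operation; the point is which component ever holds the clear key and how often the HSM is called.

```python
import hashlib
import hmac
import secrets

# Added model, not IBM code: every class and method name here is hypothetical.

def _stream(key, nonce, n):
    """Keystream from HMAC-SHA256 in counter mode (stand-in for real key wrap)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def wrap(kek, key):
    """Encrypt `key` under `kek` and append an integrity tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _stream(kek, nonce, len(key))))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek, blob):
    """Reverse wrap(); reject blobs wrapped under any other key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrapped key rejected")
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce, len(ct))))

def operate(clear_key, data):
    """Stand-in for the real cipher operation (the message's 'AES et al.')."""
    return hmac.new(clear_key, data, hashlib.sha256).digest()

class Cpacf:
    """On-chip crypto; the firmware holds the per-IPL ephemeral key."""
    def __init__(self, ipl_key):
        self._ipl_key = ipl_key
    def clear_key_op(self, clear_key, data):
        return operate(clear_key, data)  # Clear Key: host storage holds the key
    def protected_key_op(self, protected, data):
        return operate(unwrap(self._ipl_key, protected), data)

class Cex:
    """HSM; the master wrapping key never leaves this object."""
    def __init__(self):
        self._master = secrets.token_bytes(32)
        self._ipl_key = None
        self.calls = 0  # how often the host had to talk to the HSM
    def ipl(self):
        """New IPL: fresh ephemeral key, shared only with the firmware."""
        self._ipl_key = secrets.token_bytes(32)
        return Cpacf(self._ipl_key)
    def generate(self):
        self.calls += 1
        return wrap(self._master, secrets.token_bytes(32))
    def secure_key_op(self, wrapped, data):
        self.calls += 1
        return operate(unwrap(self._master, wrapped), data)
    def to_protected(self, wrapped):
        self.calls += 1
        return wrap(self._ipl_key, unwrap(self._master, wrapped))

class Icsf:
    """Host service: stores wrapped keys only and caches protected keys."""
    def __init__(self, cex):
        self.cex, self.cpacf = cex, cex.ipl()
        self.ckds, self.protected_cache = {}, {}
    def generate(self, label):
        self.ckds[label] = self.cex.generate()
    def secure_key_op(self, label, data):
        return self.cex.secure_key_op(self.ckds[label], data)
    def protected_key_op(self, label, data):
        if label not in self.protected_cache:  # first use only: one HSM trip
            self.protected_cache[label] = self.cex.to_protected(self.ckds[label])
        return self.cpacf.protected_key_op(self.protected_cache[label], data)
    def re_ipl(self):
        self.cpacf = self.cex.ipl()
        self.protected_cache.clear()  # old protected keys are now useless

def demo():
    """Same key, same data: Secure Key once, Protected Key twice."""
    cex = Cex()
    icsf = Icsf(cex)
    icsf.generate("K1")
    secure = icsf.secure_key_op("K1", b"record")
    first = icsf.protected_key_op("K1", b"record")
    calls_after_first = cex.calls
    second = icsf.protected_key_op("K1", b"record")
    return secure == first == second, calls_after_first, cex.calls

if __name__ == "__main__":
    print(demo())
```

In this model a protected key cached before `re_ipl()` is rejected afterwards, while the wrapped key in the `ckds` dictionary stays usable because it is wrapped under the HSM's own key.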




CSFSERV recommendations

2017-06-12 Thread Roach, Dennis
Does anyone know of a paper of recommendations or best practices for CSFSERV?
I can see two cases:

1.   Allow all users to use but not administer the feature.

2.   Restrict access to only those products/users we want to use the 
feature.

Questions:

1.   What profiles control the admin functions?

2.   What are the risks of allowing all users to use it?



Dennis Roach, CISSP, PMP
AIG

IAM Platform Administration | Identity & Access Management

2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019
Phone:  713-831-8799

dennis.ro...@aig.com | 
www.aig.com




Sorting a REXX STEM variable

2017-06-12 Thread John Gateley
Hi

Last week's discussion on sorting a REXX stem inspired me to write a program to 
do it.

example call to sort ascending
 "ISPEXEC LIBDEF ISPLLIB DATASET ID ('my_loadlib') STACK"
 "ALLOC FI(SORTPRT)  DUMMY" 
 r_c = SORTSTEM(my_stem_name,'A')
 "FREE FILE(SORTPRT)" 
 "ISPEXEC LIBDEF ISPLLIB "

SORTSTEM gets the variable count from my_stem_name.0 and then looks at every 
variable in the stem to get the maximum length.

Then it getmains some storage big enough for the maximum record plus 4 bytes 
for the length of the variable

It then calls the system SORT passing E15 and E35 exits

 SORT FIELDS=(1,max_len,BI,A),FILSZ=stem_count
 OPTION MSGDDN=SORTPRT 
 RECORD TYPE=F,LENGTH=(max_len+4)

On each call to the E15 exit the next stem variable is read, padded with spaces 
and the length put on the end

On each call to the E35 exit the variable is put back into the stem, starting 
at 1, using the original length


It will be on File#953 of the CBT Tape soon, but if anyone wants a preview then 
the code is in IEBUPDTE format here
http://www.spurtle.biz/STEMASM.txt
and supporting macros here
http://www.spurtle.biz/STEMMAC.txt
You will need to assemble the six modules then link
INCLUDE SYSLIB(STEMSORT)   
ENTRY STEMSORT 

Regards
John
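
The record layout described in the message above, as an added Python model that is not the SORTSTEM assembler code. It assumes code page 037 for the EBCDIC bytes and a 4-byte big-endian binary length field; the function names are hypothetical. It shows why the length travels outside the sort key and how a binary (BI) sort on EBCDIC bytes orders values.

```python
import struct

EBCDIC = "cp037"      # assumption: code page 037
EBCDIC_SPACE = b"\x40"

def e15_record(value, max_len):
    """What the E15 exit hands to SORT: value padded with spaces, then length."""
    data = value.encode(EBCDIC)
    return data.ljust(max_len, EBCDIC_SPACE) + struct.pack(">I", len(data))

def e35_value(record, max_len):
    """What the E35 exit puts back: the first `length` bytes of the record."""
    (length,) = struct.unpack(">I", record[max_len:max_len + 4])
    return record[:length].decode(EBCDIC)

def sort_stem(stem):
    """Model of an ascending sort; `stem` maps 0 -> count and 1..count -> values."""
    count = int(stem[0])
    values = [stem[i] for i in range(1, count + 1)]
    max_len = max((len(v.encode(EBCDIC)) for v in values), default=0)
    records = [e15_record(v, max_len) for v in values]
    # SORT FIELDS=(1,max_len,BI,A): compare only the padded value bytes,
    # so the trailing length field never influences the order.
    records.sort(key=lambda rec: rec[:max_len])
    result = {0: count}
    for i, rec in enumerate(records, start=1):
        result[i] = e35_value(rec, max_len)
    return result

if __name__ == "__main__":
    # Constructed sample stem; "apple  " carries two trailing blanks.
    sample = {0: 4, 1: "Zebra", 2: "apple", 3: "42", 4: "apple  "}
    print(sort_stem(sample))
```

"apple" and "apple  " produce identical sort keys once padded, and only the stored length lets the second one come back with its trailing blanks. Their relative order here relies on Python's stable sort.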



Re: changing batch job to use SSL

2017-06-12 Thread Grinsell, Don
You have laid the ground work to be able to use SSL in your program, however, 
the next step is the difficult part.  You will have to reengineer your 
application to create the SSL environment and make secure calls.  As others 
have suggested, AT-TLS is the route to follow here.  You will be able to use a 
secure connection without rewriting your code.

Regards.

--
 
Donald Grinsell, Systems Programmer
Enterprise Technology Services Bureau
SITSD/Montana Department of Administration
406.444.2983 (D)

"If you think training is expensive, try ignorance."
~ Peter Drucker

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Munif Sadek
> Sent: Friday, June 09, 2017 8:22 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: changing batch job to use SSL
> 
> Dear Listers
> I have a pure COBOL batch job that uses socket programming (EZASOCKET) to
> fetch some sensitive data from an external server. I would like to change
> this IP connection between Mainframe (Client)  and External server
> (Specialized Application Server that does support SSL/TLS) to be secure.
> 
> 
> I have installed Server Public Certificate ( with CA certificate /TRUST) to a
> key ring and made this batch user the owner of the ring. Still the batch job
> is not trying to communicate  SSL.
> 
> We are z/OS 2.1 and z/OS HTTP / HTTPS enabler is not available to us. Can
> Cobol program support SSL?
> 
> If I must implement TLS, can someone please give me some pointers.
> 
> regards Munif.
> 


Re: APF authorization and AC(00)

2017-06-12 Thread Gary Weinhold

It could be practical when writing high-performance code to modify a RENT 
module if it is not in key 0 (or use a PC to make the modification if in key 
0).  An example would be if an extensive chain of indirect pointers (or  the 
NAME/TOKEN service), is used to locate life of IPL memory allocated for an 
application.  If a location in the RENT module is zero, it locates the memory 
and stores the address (using CS) in the RENT module; if it's non-zero, it uses 
the value as the address.  If CS fails, check for zero again.  Since all 
executions would  store the same value, no other serialization is needed.  I'm 
not sure CS is needed if it's a fullword on a word boundary.

Gary Weinhold
Senior Application Architect

DATAKINETICS | Data Performance & Optimization

Phone:  +1.613.523.5500 x216
Email:  weinh...@dkl.com

Visit us online at www.DKL.com



Re: Does the JES2 ESTBYTE parm limit STC or just batch output?

2017-06-12 Thread Allan Staller
Cool. I learned something today. Maybe JOBCLASS(xxx) is a better place than 
ESTBYTE?

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jesse 1 Robinson
Sent: Friday, June 9, 2017 8:13 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Does the JES2 ESTBYTE parm limit STC or just batch output?

I reran the job I used earlier, this time with TIME=NOLIMIT. Still got S722. 
This is with system wide ESTLINE parm, not a jobclass value.  

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Allan Staller
Sent: Friday, June 09, 2017 6:37 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Does the JES2 ESTBYTE parm limit STC or just batch 
output?

Aside from the ESTBYTE change, ensure the applicable JES2  JOBCLASS definitions 
specifications do not specify TIME=1440.
If TIME=1440 is specified at any point, I believe the whole thing will fail.


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jesse 1 Robinson
Sent: Thursday, June 8, 2017 11:04 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Does the JES2 ESTBYTE parm limit STC or just batch output?

We have experienced a number of spool-full conditions in the recent past, 
always caused by runaway batch jobs that produce tens of millions of lines of 
garbage until the entire MAS grinds to a halt. So we're experimenting with 
JES2-defined limits. In researching the options, we came across the doc below. 
We're focused on batch, but this passage may be telling. If only we could 
understand it. May you be granted more insight than us. 

"Considerations for started tasks and TSO LOGONs

"Output limits for TSO/E transmits can be set by TSO/E using the  TSO/E OUTLIM= 
parameter. JES2 also sets a limit internally. When  SYSOUT is transmitted in 
the foreground for started tasks and TSO/E  LOGONs, the member uses the lower 
of these two limits. JES2 sets the  following output limits for started tasks 
and TSO LOGONs:

"999,999 for lines, cards, and pages
2,147,483 (in 1000s of bytes) for spool utilization.
An installation can change the limits for started tasks or TSO  LOGONs by using 
JES2 Exit 20 to change the limit for each particular  started task or TSO 
LOGONs The limit for TSO/E transmits which are  specified thorough the OUTLIM 
parameter, should not be greater than  the limit JES2 sets for punches or a 
X'722' abend will occur.
 See z/OS TSO/E Customization for information about limiting the  TSO/E 
TRANSMIT  command."

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Lizette Koehler
Sent: Thursday, June 08, 2017 4:09 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Does the JES2 ESTBYTE parm limit STC or just batch 
output?

The EST Byte, Line, Page can be dynamically changed. 

The simplest way to avoid an IPL (and JES2 just stops when spool is full - but 
will respond to commands like PURGE)

Is to cycle the STC, add another spool volume, or see what is really going on.

If the STC is filling up spool, it needs to be determined why.  We have 
automated the HASP050 / HASP375 message to send emails and alerts when some of 
the JES2 functions are impacted (BERT, SPOOL, JNUM, etc.)

My understanding is the IEFUSO exit can cancel an STC if it exceeds its limits. 
 You can code the STCCLASS statement in JES2 and allow the IEFUSO to do its job.

You can also use automation tools to monitor for HASP375, HASP050 or other

You can use products like z/OSEM or EASYEXIT (DTS Software) to control your 
jobs names (STC, TSU, or JOB) for determining final action.

Lizette



> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
> On Behalf Of George Henke
> Sent: Thursday, June 08, 2017 1:59 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Does the JES2 ESTBYTE parm limit STC or just batch output?
> 
> Just averted a near disaster, a mid-day IPL of 4 LPARs, with a STC 
> filling up the spool with 10B bytes of data because the ESTBYTE limit 
> was not turned on for termination, OPT=1.
> 
> But would it have done anything anyway for a STC or does it just apply 
> to batch and APPC.
> 
> The manual is silently ambiguous on this.
> 
> If anyone has had success limiting STC output so, please let me know, 
> else it will probably be JES2 Exit 20.
> 
> --
> George Henke
> (C) 845 401 5614


Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-12 Thread R.S.

On 2017-06-12 at 14:12, Tony Thigpen wrote:
> We are talking about encrypting "Data at Rest". There is *no* key 
> exchange involved. The only purpose for encrypting keys is so you can 
> send them to someone else.


No. The purpose of encrypting keys is something called "secure key 
cryptography", as opposed to "clear key cryptography" and it is NOT 
related to key exchange.

In short words:
Secure key cryptography (SKC) means the key is not available even for 
people with administration authorities, cannot be dumped with memory, 
etc. The key resides in clear form only inside secure (tamper-proof) 
crypto device.
Clear key cryptography (CKC) means a person with authorities and 
knowledge can obtain the key value.


Crypto cards are required for SKC, but it is slower than CPACF.
CPACF supports CKC and something called "Protected Key Cryptography" - in 
such mode the key is masked, so even an authorized insider is not able to 
obtain the key value, but it is not certified as SKC (but runs at the 
speed of CPACF).



Now key exchange. In any mode it is possible to exchange keys securely or 
not securely.



--
Radoslaw Skorupka
Lodz, Poland






Re: APF authorization and AC(00)

2017-06-12 Thread Walt Farrell
On Sun, 11 Jun 2017 20:52:10 -0400, Steve Thompson  wrote:

>Question: Wasn't REFR for a program where, say a double-bit
>parity error could occur, and it would then get loaded to a new page?

I can't comment on the double-bit parity error, but I think that someone 
(Peter, Jim?) mentioned earlier in this thread that REFR was intended to help 
recover from storage-related machine checks.

-- 
Walt



Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-12 Thread Mark Jacobs - Listserv
Has nothing to do with key exchange. The DEK used to encrypt the data 
will be in clear text rather than the DEK being encrypted by the KEK. ( 
ICSF Master Key ).


Mark Jacobs


Tony Thigpen 
June 12, 2017 at 8:12 AM
We are talking about encrypting "Data at Rest". There is *no* key 
exchange involved. The only purpose for encrypting keys is so you can 
send them to someone else.


Tony Thigpen



Mark Jacobs - Listserv 
June 12, 2017 at 8:01 AM
Encryption/decryption without a CryptoExpress only supports clear 
keys, not protected or secured encryption keys. Might be enough for 
the OP, but wouldn't fly in my environment.




Tony Thigpen 
June 12, 2017 at 7:22 AM
For encrypting "data at rest", the CPACF is really all he needs. The
Crypto Express is intended to speed up key negotiations between sites,
something not needed for his intended plans.

Tony Thigpen







--

Mark Jacobs
Time Customer Service
Global Technology Services

The standard you walk past is the standard you accept.
Lt. Gen. David Morrison




Re: APF authorization and AC(00)

2017-06-12 Thread Walt Farrell
On Mon, 12 Jun 2017 02:24:30 +, Jesse 1 Robinson  
wrote:

>I got tired of guessing. I wrote a little program that saves registers into 
>itself via STM. I linked it with AC(1) and RENT. Did not specify either REUS 
>or REFR. The result according to StarTool is 

>--  ATTRIBUTES   - APF  
>RENT REUS   AC

>As suggested in the KC doc, REUS is set automatically as a subordinate of 
>RENT, but REFR is not set. Result at execution:

>If the module is executed from my personal non-APF library, it runs fine.

>If the module is executed from an APF library, it get S0C4. 

>I was dubious about 'RENT OK if execution is serialized'. This is a single 
>execution in batch. No competition. It abends. I don't see how it could be 
>otherwise. 

No one has said that a RENT program could modify itself, with serialization, if 
it's loaded from an authorized library. However, it can do that if it's loaded 
from a non-authorized library (assuming it is not also REFR, or that REFRPROT 
is off).

-- 
Walt



Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-12 Thread Tony Thigpen
We are talking about encrypting "Data at Rest". There is *no* key 
exchange involved. The only purpose for encrypting keys is so you can 
send them to someone else.


Tony Thigpen

Mark Jacobs - Listserv wrote on 06/12/2017 08:01 AM:

Encryption/decryption without a CryptoExpress only supports clear keys,
not protected or secured encryption keys. Might be enough for the OP,
but wouldn't fly in my environment.



Tony Thigpen 
June 12, 2017 at 7:22 AM
For encrypting "data at rest", the CPACF is really all he needs. The
Crypto Express is intended to speed up key negotiations between sites,
something not needed for his intended plans.

Tony Thigpen





Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-12 Thread Mark Jacobs - Listserv
Encryption/decryption without a CryptoExpress only supports clear keys, 
not protected or secured encryption keys. Might be enough for the OP, 
but wouldn't fly in my environment.




Tony Thigpen 
June 12, 2017 at 7:22 AM
For encrypting "data at rest", the CPACF is really all he needs. The
Crypto Express is intended to speed up key negotiations between sites,
something not needed for his intended plans.

Tony Thigpen







--

Mark Jacobs
Time Customer Service
Global Technology Services

The standard you walk past is the standard you accept.
Lt. Gen. David Morrison




Re: Customer is Using CPACF (Crypto) purchased Crypto Express

2017-06-12 Thread Tony Thigpen
For encrypting "data at rest", the CPACF is really all he needs. The 
Crypto Express is intended to speed up key negotiations between sites, 
something not needed for his intended plans.


Tony Thigpen

Arye Shemer wrote on 06/12/2017 02:00 AM:

Hello,

Customer is currently using CPACF to encrypt his data before writing to
disks.

Customer intends to purchase Crypto Express and wants to use it to continue
to encrypt the data before writing to the disks,

Are there any compatibility issues ?

Are there any known documents which deal with/explain the issues involved ?

Thanks,

Arye Shemer.



Re: APF authorization and AC(00)

2017-06-12 Thread John Eells

Paul Gilmartin wrote:

On Sat, 10 Jun 2017 07:27:15 -0400, Peter Relson wrote:


REFRPROT extends this to programs that are not loaded from an
APF authorized library.


Actually, REFRPROT extends this to programs that are bound with the REFR
option regardless of module authorization or library authorization.
And it goes further because it page-protects, which would cause the
program to blow up even if were running key 0 if it attempted to store
into itself.


I remain mystified,  Why was not the REFRPROT behavior the default
(or only) behavior ever since the inception of the REFR attribute?
o Is there a performance penalty for REFRPROT that developers
   wanted to circumvent for problem programs?  Contrariwise, it seems
   that coding a test for the authorized status of the load library was
   needless effort.
o Did the developers assume, very incorrectly IMO, that they were
   extending a courtesy to application programmers by permitting
   programs that modified themselves to be marked REFR?


z/OS was not created out of whole cloth in a single release, nor was the 
hardware architecture on which it runs.  In particular, page protection 
was not there when REFR was first implemented.  A quick search indicates 
the latter was new in the 3090 announcement.


REFR was implemented quite some time before that.

--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com



Re: APF authorization and AC(00)

2017-06-12 Thread Elardus Engelbrecht
Binyamin Dissen wrote:

>But if you lie to zOS and assert that a non-reentrant program is reentrant, 
>zOS will not stop you from walking off the roof.

Indeed. You will get burned badly. I once coded a SMF exit which modified 
itself in a macro's MF=L instead of modifying that macro's copy in a GETMAINed 
area...  ps 

Result ... after one execution of that exit, the z/OS system automatically 
removed that exit from SMF. Re-enable it via T SMF=xx resulted in the same 
removal until I fixed it.

Groete / Greetings
Elardus Engelbrecht
