RENT binder option

[Frank Swarbrick]

For our COBOL program binder step we've never specified the RENT (or REUS=RENT) 
option, even though we always use the RENT compiler option.  This has never 
seemed to cause us any problems.  I now see in the Enterprise COBOL manual, 
section "Compiling programs to create 
DLLs"(https://www.ibm.com/docs/en/cobol-zos/6.3?topic=application-compiling-programs-create-dlls),
 where it states "Applications that use DLL support must be reentrant. 
Therefore, you must compile them with the RENT compiler option and link them 
with the RENT binder option."  However, I've been doing testing with DLLs 
recently and have never had any (noticeable?) issues even though we are not 
specifying RENT or REUS=RENT.

So what's up with this?  And what about for non-DLL dynamic calls?  I've had no 
issues there, either.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: NVAS 2.1 zOS

[John S. Giltner, Jr.]

My initial look is that you need to modify and implement the  exit EMSELGNX.   
You may need to use EMSEADEX. 

--
John G.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: ICSF Hash with a certain seed (Key)

[Isabel]

Hello!

Yes we are out of date...

On Tuesday (Monday is a holiday in my country) I let you know if we have
more troubles. :)

Thanks.

On Fri, Aug 13, 2021 at 5:28 PM Eric D Rossman  wrote:

> I've got questions. :)
>
> > Our scenario:
> > We are running z/OS 2.2, Crypto Express 5 and FMID=HCR77B0
>
> This is a little out of service but I think we can make this work.
>
> > We want to calculate a hash using sha-256 with a certain secret key (or
> > seed) that is provided by someone external (and given to us). We are not
> > sure how to store that key in the CKDS Dataset. The length of the key is
> 32
> > bits and has the form of n(1)n(2)n(32) where each n(i) is an
> > hexadecimal character (I don't know why...)
>
> I assume you mean 32 nibbles long (128 bits) because ICSF won't allow an
> HMAC key of less than 80 bits.
>
> Since you are on HCR77B0, you would convert it to binary and then use
> CSNBSKI2 to import clear key material as a secure key token. Doing this
> will require enabling SSM (special secure mode) in ICSF options dataset.
>
> Then, you can use CSNBKRC2 to put the token into the CKDS.
>
> > We already created and stored an AES master key in the cryptographic
> > hardware and we also changed the format of our CKDS in order to use
> HMAC.
>
> Perfect.
>
> > We tried different ways of putting this key in the CKDS using different
> > verbs, like using a REXX example from the web (HMAC Generation from a
> Clear
> > Key )
>
> Do you have a link to that example? CSNBHMG doesn't allow clear key tokens
> until "Cryptographic Support for z/OS V2R2 - z/OS V2R4 (HCR77D1)" (five
> releases after the release you have).
>
> > In our mainframe we want to use the callable service (verb) CSNBHMG in a
> > Cobol program to calculate the hash using the key stored in the CKDS.
> This
> > output should be the same as the output using
> > (with the same key).
>
> To be clear, that page is treating the data as ASCII, so you will need to
> account for that in your COBOL (ensure that the data is kept as binary
> until it is HMACed.
>
> > Our biggest issue is how to put this secret key (or seed) in the CKDS
> > dataset.
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Digital Certificates (was:: ICSF Hash with a certain seed (Key))

[Charles Mills]

Really? I click on the link below and for me the audio/video for the 
presentation takes off and runs. (Chrome on Windows)

You want to send me the details privately? Anyone else, also? I will get with 
NewEra and get it straightened out.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Paul Gilmartin
Sent: Friday, August 13, 2021 1:59 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Digital Certificates (was:: ICSF Hash with a certain seed (Key))

On Fri, 13 Aug 2021 13:15:20 -0700, Charles Mills wrote:

>An excellent presentation indeed! Highly recommended! 
>
>I do recommend the audio/video rather than just browsing the slides. I tend to 
>use slides as illustrations and for emphasis, not as the entire content.
>
>  https://www.newera.com/INFO/Certificates_2021.mp4 
> 
I tried to find it, but there's too many Charles Millses.  (Imposters?)

>I don't spend a whole lot of time on digital hashes but I do cover.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: NVAS 2.1 zOS

[John S. Giltner, Jr.]

I have to try and remember the details, but I think it has something to do with 
External Groups and one of the user exits.

--
John G.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Digital Certificates (was:: ICSF Hash with a certain seed (Key))

[Paul Gilmartin]

On Fri, 13 Aug 2021 13:15:20 -0700, Charles Mills wrote:

>An excellent presentation indeed! Highly recommended! 
>
>I do recommend the audio/video rather than just browsing the slides. I tend to 
>use slides as illustrations and for emphasis, not as the entire content.
>
>  https://www.newera.com/INFO/Certificates_2021.mp4 
> 
I tried to find it, but there's too many Charles Millses.  (Imposters?)

>I don't spend a whole lot of time on digital hashes but I do cover.


>-Original Message-
>From: Paul Gilmartin
>Sent: Friday, August 13, 2021 1:11 PM
>> 
>Are you trying to generate a digital signature?  Or transmit a message
>securely?  It's a well-traveled winding trail:
>https://www.newera.com/INFO/Digital_Certificates_6-30-21.pdf
>
>There's also a video.  I don't find a URL readily.  Is "someone external"
>reinventing the wheel?

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: ICSF Hash with a certain seed (Key)

[Eric D Rossman]

The CKDS holds both clear or secure keys (same with both the PKDS and 
TKDS).

Eric Rossman, CISSP®
ICSF Cryptographic Security Development
z/OS Enabling Technologies
edros...@us.ibm.com

Allan Staller wrote on 08/13/2021 04:24:53 PM:

> AFAIK, you do not want to use the CKDS. IIRC,  the CKDS is "Clear Key" .
> You most likely would use the PKDS or TKDS;
> 
> Check the fine manuals. I may be all wet here.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: ICSF Hash with a certain seed (Key)

[Eric D Rossman]

I've got questions. :)

> Our scenario:
> We are running z/OS 2.2, Crypto Express 5 and FMID=HCR77B0

This is a little out of service but I think we can make this work.

> We want to calculate a hash using sha-256 with a certain secret key (or
> seed) that is provided by someone external (and given to us). We are not
> sure how to store that key in the CKDS Dataset. The length of the key is 
32
> bits and has the form of n(1)n(2)n(32) where each n(i) is an
> hexadecimal character (I don't know why...)

I assume you mean 32 nibbles long (128 bits) because ICSF won't allow an 
HMAC key of less than 80 bits.

Since you are on HCR77B0, you would convert it to binary and then use 
CSNBSKI2 to import clear key material as a secure key token. Doing this 
will require enabling SSM (special secure mode) in ICSF options dataset.

Then, you can use CSNBKRC2 to put the token into the CKDS.

> We already created and stored an AES master key in the cryptographic
> hardware and we also changed the format of our CKDS in order to use 
HMAC.

Perfect.

> We tried different ways of putting this key in the CKDS using different
> verbs, like using a REXX example from the web (HMAC Generation from a 
Clear
> Key )

Do you have a link to that example? CSNBHMG doesn't allow clear key tokens 
until "Cryptographic Support for z/OS V2R2 - z/OS V2R4 (HCR77D1)" (five 
releases after the release you have).

> In our mainframe we want to use the callable service (verb) CSNBHMG in a
> Cobol program to calculate the hash using the key stored in the CKDS. 
This
> output should be the same as the output using
> (with the same key).

To be clear, that page is treating the data as ASCII, so you will need to 
account for that in your COBOL (ensure that the data is kept as binary 
until it is HMACed.

> Our biggest issue is how to put this secret key (or seed) in the CKDS
> dataset.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: ICSF Hash with a certain seed (Key)

[Allan Staller]

Classification: Confidential

AFAIK, you do not want to use the CKDS. IIRC,  the CKDS is "Clear Key" .
You most likely would use the PKDS or TKDS;

Check the fine manuals. I may be all wet here.

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Isabel
Sent: Friday, August 13, 2021 2:17 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: ICSF Hash with a certain seed (Key)

[CAUTION: This Email is from outside the Organization. Unless you trust the 
sender, Don't click links or open attachments as it may be a Phishing email, 
which can steal your Information and compromise your Computer.]

Hello!

Our scenario:
We are running z/OS 2.2, Crypto Express 5 and FMID=HCR77B0

We want to calculate a hash using sha-256 with a certain secret key (or
seed) that is provided by someone external (and given to us). We are not sure 
how to store that key in the CKDS Dataset. The length of the key is 32 bits and 
has the form of n(1)n(2)n(32) where each n(i) is an hexadecimal character 
(I don't know why...)

We already created and stored an AES master key in the cryptographic hardware 
and we also changed the format of our CKDS in order to use HMAC.

We tried different ways of putting this key in the CKDS using different verbs, 
like using a REXX example from the web (HMAC Generation from a Clear Key )

 In our mainframe we want to use the callable service (verb) CSNBHMG in a Cobol 
program to calculate the hash using the key stored in the CKDS. This output 
should be the same as the output using
https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.freeformatter.com%2Fhmac-generator.html%23ad-outputdata=04%7C01%7Callan.staller%40HCL.COM%7C26b5cd1d2a284a35608e08d95e8ef12e%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C637644790303663384%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=sasJyU4SUgXiJGNCZuMx6ferZERdTxgMvDs7kgYWJos%3Dreserved=0
 (with the same key).

Our biggest issue is how to put this secret key (or seed) in the CKDS dataset.

Any help will be appreciated,
Thanks in advance,
Andrea!

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
::DISCLAIMER::

The contents of this e-mail and any attachment(s) are confidential and intended 
for the named recipient(s) only. E-mail transmission is not guaranteed to be 
secure or error-free as information could be intercepted, corrupted, lost, 
destroyed, arrive late or incomplete, or may contain viruses in transmission. 
The e mail and its contents (with or without referred errors) shall therefore 
not attach any liability on the originator or HCL or its affiliates. Views or 
opinions, if any, presented in this email are solely those of the author and 
may not necessarily reflect the views or opinions of HCL or its affiliates. Any 
form of reproduction, dissemination, copying, disclosure, modification, 
distribution and / or publication of this message without the prior written 
consent of authorized representative of HCL is strictly prohibited. If you have 
received this email in error please delete it and notify the sender 
immediately. Before opening any email and/or attachments, please check them for 
viruses and other defects.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: ICSF Hash with a certain seed (Key)

[Charles Mills]

An excellent presentation indeed! Highly recommended! 

I do recommend the audio/video rather than just browsing the slides. I tend to 
use slides as illustrations and for emphasis, not as the entire content.

https://www.newera.com/INFO/Certificates_2021.mp4 

I don't spend a whole lot of time on digital hashes but I do cover.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Paul Gilmartin
Sent: Friday, August 13, 2021 1:11 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ICSF Hash with a certain seed (Key)

On Fri, 13 Aug 2021 16:16:37 -0300, Isabel wrote:
>
>Our scenario:
>We are running z/OS 2.2, Crypto Express 5 and FMID=HCR77B0
>
>We want to calculate a hash using sha-256 with a certain secret key (or
>seed) that is provided by someone external (and given to us). We are not
>sure how to store that key in the CKDS Dataset. The length of the key is 32
>bits and has the form of n(1)n(2)n(32) where each n(i) is an
>hexadecimal character (I don't know why...)
> 
Are you trying to generate a digital signature?  Or transmit a message
securely?  It's a well-traveled winding trail:
https://www.newera.com/INFO/Digital_Certificates_6-30-21.pdf

There's also a video.  I don't find a URL readily.  Is "someone external"
reinventing the wheel?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: ICSF Hash with a certain seed (Key)

[Paul Gilmartin]

On Fri, 13 Aug 2021 16:16:37 -0300, Isabel wrote:
>
>Our scenario:
>We are running z/OS 2.2, Crypto Express 5 and FMID=HCR77B0
>
>We want to calculate a hash using sha-256 with a certain secret key (or
>seed) that is provided by someone external (and given to us). We are not
>sure how to store that key in the CKDS Dataset. The length of the key is 32
>bits and has the form of n(1)n(2)n(32) where each n(i) is an
>hexadecimal character (I don't know why...)
> 
Are you trying to generate a digital signature?  Or transmit a message
securely?  It's a well-traveled winding trail:
https://www.newera.com/INFO/Digital_Certificates_6-30-21.pdf

There's also a video.  I don't find a URL readily.  Is "someone external"
reinventing the wheel?

>We already created and stored an AES master key in the cryptographic
>hardware and we also changed the format of our CKDS in order to use HMAC.
>
>We tried different ways of putting this key in the CKDS using different
>verbs, like using a REXX example from the web (HMAC Generation from a Clear
>Key )
>
> In our mainframe we want to use the callable service (verb) CSNBHMG in a
>Cobol program to calculate the hash using the key stored in the CKDS. This
>output should be the same as the output using
>https://www.freeformatter.com/hmac-generator.html#ad-output (with the same
>key).
>
>Our biggest issue is how to put this secret key (or seed) in the CKDS
>dataset.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: ICSF Hash with a certain seed (Key)

[Carmen Vitullo]

Are you trying to store a transport key, one that is used to encrypt and 
decrypt data from another site?


I've always used the ICSF interface via ISPF to create and store these keys


Carmen

On 8/13/2021 2:16 PM, Isabel wrote:

Hello!

Our scenario:
We are running z/OS 2.2, Crypto Express 5 and FMID=HCR77B0

We want to calculate a hash using sha-256 with a certain secret key (or
seed) that is provided by someone external (and given to us). We are not
sure how to store that key in the CKDS Dataset. The length of the key is 32
bits and has the form of n(1)n(2)n(32) where each n(i) is an
hexadecimal character (I don't know why...)

We already created and stored an AES master key in the cryptographic
hardware and we also changed the format of our CKDS in order to use HMAC.

We tried different ways of putting this key in the CKDS using different
verbs, like using a REXX example from the web (HMAC Generation from a Clear
Key )

  In our mainframe we want to use the callable service (verb) CSNBHMG in a
Cobol program to calculate the hash using the key stored in the CKDS. This
output should be the same as the output using
https://www.freeformatter.com/hmac-generator.html#ad-output (with the same
key).

Our biggest issue is how to put this secret key (or seed) in the CKDS
dataset.

Any help will be appreciated,
Thanks in advance,
Andrea!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
/I am not bound to win, but I am bound to be true. I am not bound to 
succeed, but I am bound to live by the light that I have. I must stand 
with anybody that stands right, and stand with him while he is right, 
and part with him when he goes wrong. *Abraham Lincoln*/


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

ICSF Hash with a certain seed (Key)

[Isabel]

Hello!

Our scenario:
We are running z/OS 2.2, Crypto Express 5 and FMID=HCR77B0

We want to calculate a hash using sha-256 with a certain secret key (or
seed) that is provided by someone external (and given to us). We are not
sure how to store that key in the CKDS Dataset. The length of the key is 32
bits and has the form of n(1)n(2)n(32) where each n(i) is an
hexadecimal character (I don't know why...)

We already created and stored an AES master key in the cryptographic
hardware and we also changed the format of our CKDS in order to use HMAC.

We tried different ways of putting this key in the CKDS using different
verbs, like using a REXX example from the web (HMAC Generation from a Clear
Key )

 In our mainframe we want to use the callable service (verb) CSNBHMG in a
Cobol program to calculate the hash using the key stored in the CKDS. This
output should be the same as the output using
https://www.freeformatter.com/hmac-generator.html#ad-output (with the same
key).

Our biggest issue is how to put this secret key (or seed) in the CKDS
dataset.

Any help will be appreciated,
Thanks in advance,
Andrea!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Secondary sources for DFP and DFSMS

[Charles Mills]

If you don't quote at least a tiny bit of what you are saying no to it is 
difficult to tell what the question was, and as a result difficult to gain much 
insight from your answer.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Glenn Wilcock
Sent: Friday, August 13, 2021 11:08 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Secondary sources for DFP and DFSMS

Unfortunately, no.  As the product owner of DFSMShsm, I was passed down the 
original announce for the product, but it's the internal IBM Confidential 
version.  You think that we would have all of this stuff Migrated off to a reel 
tape somewhere :)  

Friday fun fact... In an informal survey that I recently did of the clients 
that I regularly work with, the oldest migrated data set still managed by HSM 
was migrated 11 Dec 1980!!  Before many of today's other platforms even existed!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

NVAS 2.1 zOS

[Peter]

Hello

Cross posted

Is anyone still using NVAS 2.1 in your shop ?

I have inherited a support where NVAS in the sandbox environment is not
enabled via RACF and it asks for password.

Is there a way to enable ? I don't find the steps in NVAS guide

Peter

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Communication between two computer systems (LPARS or physical)

[Bob Bridges]

A few ideas (and perfectly willing to be slapped down by others more 
knowledgeable than I):

1) Isn't MQS designed to do just this sort of thing?  I gather it works across 
platforms of many types.

2) If you're in a roll-your-own mood, you could easily enough write a socket 
client/server in REXX.  (I did this once and it was great fun; I can't resist 
looking for opportunities to do it again.)

3) I once worked on a team for an ACF2 client that had recently acquired a TSS 
shop; we put together some code that sent every change in either security 
database to the other.  New ID created in TSS: create an equivalent in ACF2 on 
the other system, and so on.  That was just around the turn of the century, but 
as I recall we used NDM for the transmission, nowadays called Connect:Direct.  
Figuring out what constitutes the "equivalent" action in two unalike security 
systems required the combined thought of the whole team; the transmission 
itself turned out to be pretty simple.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Instead of shooting clays on Thanksgiving, you can play great games with 
your family, like Monopoly: Nothing brings a family together like Monopoly!  
-from _Top 10 Reasons You Should Just Turn Your Guns Over to the Government 
TODAY_ (the Babylon Bee) */

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Steff Gladstone
Sent: Tuesday, August 10, 2021 08:06

We have global data pointed to by a name-token that is available to all the 
address spaces in each computer system.  We want to make sure that any updates 
to the data in one system are broadcast to the other computer systems in the 
installation (LPARs or physical computers).  Or at the very least notify the 
other systems that their data is not up-to-date. What would be the simplest and 
cheapest way to send some kind of signal from one system to the other without 
requiring I/O to shared DASD?

We thought of issuing a console command starting a started task in each of the 
other computer systems (the JES2 spool is shared by all the systems).  But this 
is problematic since the required SVC (34) requires that the
program be authorized.   Any other ideas?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Secondary sources for DFP and DFSMS

[Glenn Wilcock]

Unfortunately, no.  As the product owner of DFSMShsm, I was passed down the 
original announce for the product, but it's the internal IBM Confidential 
version.  You think that we would have all of this stuff Migrated off to a reel 
tape somewhere :)  

Friday fun fact... In an informal survey that I recently did of the clients 
that I regularly work with, the oldest migrated data set still managed by HSM 
was migrated 11 Dec 1980!!  Before many of today's other platforms even existed!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Filemanger abend and dynamic allocation

[Joseph Reichman]

Will do 



> On Aug 13, 2021, at 11:43 AM, Seymour J Metz  wrote:
> 
> Then it's time to report the problem, but I'd advise including complete 
> descriptions of the two allocations.
> 
> 
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> 
> 
> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
> Joseph Reichman [reichman...@gmail.com]
> Sent: Friday, August 13, 2021 10:29 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Filemanger abend and dynamic allocation
> 
> The s0c9 is in file manager trying to bring up the initial panel
> 
> 
> 
>> On Aug 13, 2021, at 9:42 AM, Gilson Cesar de Oliveira  
>> wrote:
>> 
>> Em sex., 13 de ago. de 2021 às 10:31, Seymour J Metz 
>> escreveu:
>> 
>>> Where is the S0C9? Has the batch job completed? What is in the ALLOC and
>>> what are the TUs of the DYNALLOC?
>>> 
>>> 
>>> --
>>> Shmuel (Seymour J.) Metz
>>> http://mason.gmu.edu/~smetz3
>>> 
>>> 
>>> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf
>>> of Joseph Reichman [reichman...@gmail.com]
>>> Sent: Thursday, August 12, 2021 5:23 PM
>>> To: IBM-MAIN@LISTSERV.UA.EDU
>>> Subject: Re: Filemanger abend and dynamic allocation
>>> 
>>> I got a soc9 divide exception
>>> This abend is from my job joseph.reich...@irs.gov except I cannt post
>>> from that email
>>> You mentioned sysprint however I don’t remember allocating it in either
>>> case
>>> It seems that the file I want to browse just has to be pointed to my Rexx
>>> variable filein
>>> It also seems that file manager dynamically allocates filein that’s just
>>> by doing tso isrddn and seeing a sys…… DD allocated to the dsname as in the
>>> case where SVC 99 returns the ddname I think that’s key 1
>>> 
>>> Also when the abend happens I do actually get into the file manager panel
>>> as it trying to read the input the all of the sudden abends pgm=filemngr
>>> it’s from memory but I do believe that’s it with a s0c9
>>> 
>>> 
>>> 
 On Aug 12, 2021, at 4:45 PM, Jeremy Nicoll <
>>> jn.ls.mfrm...@letterboxes.org> wrote:
 
 On Thu, 12 Aug 2021, at 20:28, Joseph Reichman wrote:
 
> If the input is multiple files then I allocate the output via ADDRESS
>>> TSO “ALLOC
 
 Why?  I mean, by all means decide the name of the output file(s) before
>>> you
 build the JCL, but let the JCL allocate it/them.
 
 
> File manger abends trying to display the output
 
 What abend code?
 
 Are the batch jobs finished at that point?
 
 
 --
 Jeremy Nicoll - my opinions are my own.
 
 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>> 
>>> --
>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>> 
>>> --
>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>> 
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Filemanger abend and dynamic allocation

[Seymour J Metz]

Then it's time to report the problem, but I'd advise including complete 
descriptions of the two allocations.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Joseph Reichman [reichman...@gmail.com]
Sent: Friday, August 13, 2021 10:29 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Filemanger abend and dynamic allocation

The s0c9 is in file manager trying to bring up the initial panel



> On Aug 13, 2021, at 9:42 AM, Gilson Cesar de Oliveira  
> wrote:
>
> Em sex., 13 de ago. de 2021 às 10:31, Seymour J Metz 
> escreveu:
>
>> Where is the S0C9? Has the batch job completed? What is in the ALLOC and
>> what are the TUs of the DYNALLOC?
>>
>>
>> --
>> Shmuel (Seymour J.) Metz
>> http://mason.gmu.edu/~smetz3
>>
>> 
>> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf
>> of Joseph Reichman [reichman...@gmail.com]
>> Sent: Thursday, August 12, 2021 5:23 PM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: Filemanger abend and dynamic allocation
>>
>> I got a soc9 divide exception
>> This abend is from my job joseph.reich...@irs.gov except I cannt post
>> from that email
>> You mentioned sysprint however I don’t remember allocating it in either
>> case
>> It seems that the file I want to browse just has to be pointed to my Rexx
>> variable filein
>> It also seems that file manager dynamically allocates filein that’s just
>> by doing tso isrddn and seeing a sys…… DD allocated to the dsname as in the
>> case where SVC 99 returns the ddname I think that’s key 1
>>
>> Also when the abend happens I do actually get into the file manager panel
>> as it trying to read the input the all of the sudden abends pgm=filemngr
>> it’s from memory but I do believe that’s it with a s0c9
>>
>>
>>
>>> On Aug 12, 2021, at 4:45 PM, Jeremy Nicoll <
>> jn.ls.mfrm...@letterboxes.org> wrote:
>>>
>>> On Thu, 12 Aug 2021, at 20:28, Joseph Reichman wrote:
>>>
 If the input is multiple files then I allocate the output via ADDRESS
>> TSO “ALLOC
>>>
>>> Why?  I mean, by all means decide the name of the output file(s) before
>> you
>>> build the JCL, but let the JCL allocate it/them.
>>>
>>>
 File manger abends trying to display the output
>>>
>>> What abend code?
>>>
>>> Are the batch jobs finished at that point?
>>>
>>>
>>> --
>>> Jeremy Nicoll - my opinions are my own.
>>>
>>> --
>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Secondary sources for DFP and DFSMS

[Seymour J Metz]

No: I don't trust GM. However, what is their incentive to lie in an owners' 
manual?

Reliability is a matter of statistics, not of logic.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Charles Mills [charl...@mcn.org]
Sent: Friday, August 13, 2021 11:06 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Secondary sources for DFP and DFSMS

Of course. The problem is however circular. You trust the article on the
Volt because you trust GM. Why do you trust GM?

Logically -- never mind external factors like "everybody knows who GM is --
logically the Volt owner's manual is no different than the Mills Computer
Company's manual for its perpetual motion machine.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Seymour J Metz
Sent: Friday, August 13, 2021 7:00 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Secondary sources for DFP and DFSMS

Sure, a primary source can be bogus, but if you were writing an article on,
e.g., the Chevrolet Volt, would you put more credence on an article in the
National Enquirer than in the Volt Owners' manual?


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of
Charles Mills [charl...@mcn.org]
Sent: Thursday, August 12, 2021 4:52 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Secondary sources for DFP and DFSMS

I understand the issue with primary sources. Mills Computer Company could
announce a perpetual motion machine and publish documentation for it. That
would be a primary source, yet for an obviously fictitious thing. You would
have trouble, however, finding a press article or a SHARE presentation that
confirmed our product's existence.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Seymour J Metz
Sent: Thursday, August 12, 2021 12:02 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Secondary sources for DFP and DFSMS

CW and Datamation articles on IBM announcements should satisfy wiki's Mickey
Mouse requirements.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Filemanger abend and dynamic allocation

[Joseph Reichman]

The sysprog is in Monday 

Thanks 



> On Aug 13, 2021, at 11:22 AM, Rob Scott  wrote:
> 
> My advice is to get the module name and offset and report the problem to IBM.
> 
> Rob Scott
> Rocket Software
> 
> From: IBM Mainframe Discussion List  On Behalf Of 
> Joseph Reichman
> Sent: 13 August 2021 16:04
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Filemanger abend and dynamic allocation
> 
> EXTERNAL EMAIL
> 
> 
> 
> Mike don’t think it’s the number of records
> Even with a very small file I get the s0c9
> 
> I m trying to change the logic to use dynamic allocation and see if that 
> works as that’s the only difference in logic between a batch submit and 
> executing the program under TSO
> 
> Thanks
> 
> 
> 
>> On Aug 13, 2021, at 10:55 AM, mike.lamartina 
>> mailto:mike.lamart...@mcleansoft.com>> wrote:
>> 
>> Related: 
>> https://ibmmainframes.com/about59624.html
>> 
>> On 8/13/2021 7:29:33 AM, Joseph Reichman 
>> mailto:reichman...@gmail.com>> wrote:
>> The s0c9 is in file manager trying to bring up the initial panel
>> 
>> 
>> 
 On Aug 13, 2021, at 9:42 AM, Gilson Cesar de Oliveira wrote:
>>> 
>>> Em sex., 13 de ago. de 2021 às 10:31, Seymour J Metz
>>> escreveu:
>>> 
 Where is the S0C9? Has the batch job completed? What is in the ALLOC and
 what are the TUs of the DYNALLOC?
 
 
 --
 Shmuel (Seymour J.) Metz
 http://mason.gmu.edu/~smetz3
 
 
 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf
 of Joseph Reichman [reichman...@gmail.com]
 Sent: Thursday, August 12, 2021 5:23 PM
 To: IBM-MAIN@LISTSERV.UA.EDU
 Subject: Re: Filemanger abend and dynamic allocation
 
 I got a soc9 divide exception
 This abend is from my job 
 joseph.reich...@irs.gov except I cannt post
 from that email
 You mentioned sysprint however I don’t remember allocating it in either
 case
 It seems that the file I want to browse just has to be pointed to my Rexx
 variable filein
 It also seems that file manager dynamically allocates filein that’s just
 by doing tso isrddn and seeing a sys…… DD allocated to the dsname as in the
 case where SVC 99 returns the ddname I think that’s key 1
 
 Also when the abend happens I do actually get into the file manager panel
 as it trying to read the input the all of the sudden abends pgm=filemngr
 it’s from memory but I do believe that’s it with a s0c9
 
 
 
> On Aug 12, 2021, at 4:45 PM, Jeremy Nicoll <
 jn.ls.mfrm...@letterboxes.org> wrote:
> 
> On Thu, 12 Aug 2021, at 20:28, Joseph Reichman wrote:
> 
>> If the input is multiple files then I allocate the output via ADDRESS
 TSO “ALLOC
> 
> Why? I mean, by all means decide the name of the output file(s) before
 you
> build the JCL, but let the JCL allocate it/them.
> 
> 
>> File manger abends trying to display the output
> 
> What abend code?
> 
> Are the batch jobs finished at that point?
> 
> 
> --
> Jeremy Nicoll - my opinions are my own.
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu 
> with the message: INFO IBM-MAIN
 
 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@listserv.ua.edu 
 with the message: INFO IBM-MAIN
 
 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@listserv.ua.edu 
 with the message: INFO IBM-MAIN
 
>>> 
>>> --
>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>> send email to lists...@listserv.ua.edu 
>>> with the message: INFO IBM-MAIN
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with 
>> the message: INFO IBM-MAIN
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with 
>> the message: INFO IBM-MAIN
> 
> --
> For IBM-MAIN 

Re: Filemanger abend and dynamic allocation

[Rob Scott]

My advice is to get the module name and offset and report the problem to IBM.

Rob Scott
Rocket Software

From: IBM Mainframe Discussion List  On Behalf Of 
Joseph Reichman
Sent: 13 August 2021 16:04
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Filemanger abend and dynamic allocation

EXTERNAL EMAIL



Mike don’t think it’s the number of records
Even with a very small file I get the s0c9

I m trying to change the logic to use dynamic allocation and see if that works 
as that’s the only difference in logic between a batch submit and executing the 
program under TSO

Thanks



> On Aug 13, 2021, at 10:55 AM, mike.lamartina 
> mailto:mike.lamart...@mcleansoft.com>> wrote:
>
> Related: 
> https://ibmmainframes.com/about59624.html
>
> On 8/13/2021 7:29:33 AM, Joseph Reichman 
> mailto:reichman...@gmail.com>> wrote:
> The s0c9 is in file manager trying to bring up the initial panel
>
>
>
>> On Aug 13, 2021, at 9:42 AM, Gilson Cesar de Oliveira wrote:
>>
>> Em sex., 13 de ago. de 2021 às 10:31, Seymour J Metz
>> escreveu:
>>
>>> Where is the S0C9? Has the batch job completed? What is in the ALLOC and
>>> what are the TUs of the DYNALLOC?
>>>
>>>
>>> --
>>> Shmuel (Seymour J.) Metz
>>> http://mason.gmu.edu/~smetz3
>>>
>>> 
>>> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf
>>> of Joseph Reichman [reichman...@gmail.com]
>>> Sent: Thursday, August 12, 2021 5:23 PM
>>> To: IBM-MAIN@LISTSERV.UA.EDU
>>> Subject: Re: Filemanger abend and dynamic allocation
>>>
>>> I got a soc9 divide exception
>>> This abend is from my job 
>>> joseph.reich...@irs.gov except I cannt post
>>> from that email
>>> You mentioned sysprint however I don’t remember allocating it in either
>>> case
>>> It seems that the file I want to browse just has to be pointed to my Rexx
>>> variable filein
>>> It also seems that file manager dynamically allocates filein that’s just
>>> by doing tso isrddn and seeing a sys…… DD allocated to the dsname as in the
>>> case where SVC 99 returns the ddname I think that’s key 1
>>>
>>> Also when the abend happens I do actually get into the file manager panel
>>> as it trying to read the input the all of the sudden abends pgm=filemngr
>>> it’s from memory but I do believe that’s it with a s0c9
>>>
>>>
>>>
 On Aug 12, 2021, at 4:45 PM, Jeremy Nicoll <
>>> jn.ls.mfrm...@letterboxes.org> wrote:

 On Thu, 12 Aug 2021, at 20:28, Joseph Reichman wrote:

> If the input is multiple files then I allocate the output via ADDRESS
>>> TSO “ALLOC

 Why? I mean, by all means decide the name of the output file(s) before
>>> you
 build the JCL, but let the JCL allocate it/them.


> File manger abends trying to display the output

 What abend code?

 Are the batch jobs finished at that point?


 --
 Jeremy Nicoll - my opinions are my own.

 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@listserv.ua.edu 
 with the message: INFO IBM-MAIN
>>>
>>> --
>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>> send email to lists...@listserv.ua.edu 
>>> with the message: INFO IBM-MAIN
>>>
>>> --
>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>> send email to lists...@listserv.ua.edu 
>>> with the message: INFO IBM-MAIN
>>>
>>
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with 
>> the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with 
> the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with 
> the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with 
the message: INFO IBM-MAIN


Rocket Software, Inc. and subsidiaries ■ 77 Fourth Avenue, Waltham MA 02451 ■ 
Main Office Toll 

Re: Secondary sources for DFP and DFSMS

[Charles Mills]

Of course. The problem is however circular. You trust the article on the
Volt because you trust GM. Why do you trust GM?

Logically -- never mind external factors like "everybody knows who GM is --
logically the Volt owner's manual is no different than the Mills Computer
Company's manual for its perpetual motion machine.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Seymour J Metz
Sent: Friday, August 13, 2021 7:00 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Secondary sources for DFP and DFSMS

Sure, a primary source can be bogus, but if you were writing an article on,
e.g., the Chevrolet Volt, would you put more credence on an article in the
National Enquirer than in the Volt Owners' manual?


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of
Charles Mills [charl...@mcn.org]
Sent: Thursday, August 12, 2021 4:52 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Secondary sources for DFP and DFSMS

I understand the issue with primary sources. Mills Computer Company could
announce a perpetual motion machine and publish documentation for it. That
would be a primary source, yet for an obviously fictitious thing. You would
have trouble, however, finding a press article or a SHARE presentation that
confirmed our product's existence.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Seymour J Metz
Sent: Thursday, August 12, 2021 12:02 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Secondary sources for DFP and DFSMS

CW and Datamation articles on IBM announcements should satisfy wiki's Mickey
Mouse requirements.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Filemanger abend and dynamic allocation

[Joseph Reichman]

Mike don’t think it’s the number of records 
Even with a very small file I get the s0c9

I m trying to change the logic to use dynamic allocation and see if that works 
as that’s the only difference in logic between a batch submit and executing the 
program under TSO

Thanks 



> On Aug 13, 2021, at 10:55 AM, mike.lamartina  
> wrote:
> 
> Related: https://ibmmainframes.com/about59624.html
> 
> On 8/13/2021 7:29:33 AM, Joseph Reichman  wrote:
> The s0c9 is in file manager trying to bring up the initial panel
> 
> 
> 
>> On Aug 13, 2021, at 9:42 AM, Gilson Cesar de Oliveira wrote:
>> 
>> Em sex., 13 de ago. de 2021 às 10:31, Seymour J Metz
>> escreveu:
>> 
>>> Where is the S0C9? Has the batch job completed? What is in the ALLOC and
>>> what are the TUs of the DYNALLOC?
>>> 
>>> 
>>> --
>>> Shmuel (Seymour J.) Metz
>>> http://mason.gmu.edu/~smetz3
>>> 
>>> 
>>> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf
>>> of Joseph Reichman [reichman...@gmail.com]
>>> Sent: Thursday, August 12, 2021 5:23 PM
>>> To: IBM-MAIN@LISTSERV.UA.EDU
>>> Subject: Re: Filemanger abend and dynamic allocation
>>> 
>>> I got a soc9 divide exception
>>> This abend is from my job joseph.reich...@irs.gov except I cannt post
>>> from that email
>>> You mentioned sysprint however I don’t remember allocating it in either
>>> case
>>> It seems that the file I want to browse just has to be pointed to my Rexx
>>> variable filein
>>> It also seems that file manager dynamically allocates filein that’s just
>>> by doing tso isrddn and seeing a sys…… DD allocated to the dsname as in the
>>> case where SVC 99 returns the ddname I think that’s key 1
>>> 
>>> Also when the abend happens I do actually get into the file manager panel
>>> as it trying to read the input the all of the sudden abends pgm=filemngr
>>> it’s from memory but I do believe that’s it with a s0c9
>>> 
>>> 
>>> 
 On Aug 12, 2021, at 4:45 PM, Jeremy Nicoll <
>>> jn.ls.mfrm...@letterboxes.org> wrote:
 
 On Thu, 12 Aug 2021, at 20:28, Joseph Reichman wrote:
 
> If the input is multiple files then I allocate the output via ADDRESS
>>> TSO “ALLOC
 
 Why? I mean, by all means decide the name of the output file(s) before
>>> you
 build the JCL, but let the JCL allocate it/them.
 
 
> File manger abends trying to display the output
 
 What abend code?
 
 Are the batch jobs finished at that point?
 
 
 --
 Jeremy Nicoll - my opinions are my own.
 
 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>> 
>>> --
>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>> 
>>> --
>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>> 
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Filemanger abend and dynamic allocation

[mike.lamartina]

Related: https://ibmmainframes.com/about59624.html

On 8/13/2021 7:29:33 AM, Joseph Reichman  wrote:
The s0c9 is in file manager trying to bring up the initial panel



> On Aug 13, 2021, at 9:42 AM, Gilson Cesar de Oliveira wrote:
>
> Em sex., 13 de ago. de 2021 às 10:31, Seymour J Metz
> escreveu:
>
>> Where is the S0C9? Has the batch job completed? What is in the ALLOC and
>> what are the TUs of the DYNALLOC?
>>
>>
>> --
>> Shmuel (Seymour J.) Metz
>> http://mason.gmu.edu/~smetz3
>>
>> 
>> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf
>> of Joseph Reichman [reichman...@gmail.com]
>> Sent: Thursday, August 12, 2021 5:23 PM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: Filemanger abend and dynamic allocation
>>
>> I got a soc9 divide exception
>> This abend is from my job joseph.reich...@irs.gov except I cannt post
>> from that email
>> You mentioned sysprint however I don’t remember allocating it in either
>> case
>> It seems that the file I want to browse just has to be pointed to my Rexx
>> variable filein
>> It also seems that file manager dynamically allocates filein that’s just
>> by doing tso isrddn and seeing a sys…… DD allocated to the dsname as in the
>> case where SVC 99 returns the ddname I think that’s key 1
>>
>> Also when the abend happens I do actually get into the file manager panel
>> as it trying to read the input the all of the sudden abends pgm=filemngr
>> it’s from memory but I do believe that’s it with a s0c9
>>
>>
>>
>>> On Aug 12, 2021, at 4:45 PM, Jeremy Nicoll <
>> jn.ls.mfrm...@letterboxes.org> wrote:
>>>
>>> On Thu, 12 Aug 2021, at 20:28, Joseph Reichman wrote:
>>>
 If the input is multiple files then I allocate the output via ADDRESS
>> TSO “ALLOC
>>>
>>> Why? I mean, by all means decide the name of the output file(s) before
>> you
>>> build the JCL, but let the JCL allocate it/them.
>>>
>>>
 File manger abends trying to display the output
>>>
>>> What abend code?
>>>
>>> Are the batch jobs finished at that point?
>>>
>>>
>>> --
>>> Jeremy Nicoll - my opinions are my own.
>>>
>>> --
>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Filemanger abend and dynamic allocation

[Joseph Reichman]

The s0c9 is in file manager trying to bring up the initial panel 



> On Aug 13, 2021, at 9:42 AM, Gilson Cesar de Oliveira  
> wrote:
> 
> Em sex., 13 de ago. de 2021 às 10:31, Seymour J Metz 
> escreveu:
> 
>> Where is the S0C9? Has the batch job completed? What is in the ALLOC and
>> what are the TUs of the DYNALLOC?
>> 
>> 
>> --
>> Shmuel (Seymour J.) Metz
>> http://mason.gmu.edu/~smetz3
>> 
>> 
>> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf
>> of Joseph Reichman [reichman...@gmail.com]
>> Sent: Thursday, August 12, 2021 5:23 PM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: Filemanger abend and dynamic allocation
>> 
>> I got a soc9 divide exception
>> This abend is from my job joseph.reich...@irs.gov except I cannt post
>> from that email
>> You mentioned sysprint however I don’t remember allocating it in either
>> case
>> It seems that the file I want to browse just has to be pointed to my Rexx
>> variable filein
>> It also seems that file manager dynamically allocates filein that’s just
>> by doing tso isrddn and seeing a sys…… DD allocated to the dsname as in the
>> case where SVC 99 returns the ddname I think that’s key 1
>> 
>> Also when the abend happens I do actually get into the file manager panel
>> as it trying to read the input the all of the sudden abends pgm=filemngr
>> it’s from memory but I do believe that’s it with a s0c9
>> 
>> 
>> 
>>> On Aug 12, 2021, at 4:45 PM, Jeremy Nicoll <
>> jn.ls.mfrm...@letterboxes.org> wrote:
>>> 
>>> On Thu, 12 Aug 2021, at 20:28, Joseph Reichman wrote:
>>> 
 If the input is multiple files then I allocate the output via ADDRESS
>> TSO “ALLOC
>>> 
>>> Why?  I mean, by all means decide the name of the output file(s) before
>> you
>>> build the JCL, but let the JCL allocate it/them.
>>> 
>>> 
 File manger abends trying to display the output
>>> 
>>> What abend code?
>>> 
>>> Are the batch jobs finished at that point?
>>> 
>>> 
>>> --
>>> Jeremy Nicoll - my opinions are my own.
>>> 
>>> --
>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OSMF Certificates

[Colin Paice]

Terri,
Ive sent you a program to do a better list ring command - it gives details
of the certificates instead of just the owner and labels.

Your racf keystore looks OK.  It has the CA certificates that it needs.

(In https://colinpaice.blog/2020/01/ are other examples I had of
CWPKI0022E.  As a last resort you might try them.   For example some
browsers require  a certificate  with “extendedKeyUsage = clientAuth”
during signing, they do not look relevant)

*The PKIX path building failed:* looks like a certificate cannot be seen on
the server side.  Ive seen this when it was expired, or was non trusted, so
try checking
RACDCERT LISTRING('ACWA Client Cert' ) ID(TSSTESA)
and making sure it is trusted.

regards

Colin

On Fri, 13 Aug 2021 at 14:23, Shaffer, Terri <
017d5f778222-dmarc-requ...@listserv.ua.edu> wrote:

> Hi Colin,
>   Yes I read your info and it was super helpful, but I could get past not
> having the ability for all PC's to do an HTTPS  TLS 1.2 connection from a
> browser.
>
> For example.
>
> Label:Corporate Root CA
> Certificate ID:2QiJmZmDhZmjgcOWmZeWmYGjhUDZlpajQMPB
> Status:TRUST
> Start Date:2015/08/14 13:27:47
> End Date:  2114/08/14 13:37:46
> Serial Number:xxx
>
> Issuer's Name:CN=COV1CERT01VM
> Subject's Name:CN=COV1CERT01VM
>
> Label:Corporate IMMED CA
> Certificate ID:2QiJmZmDhZmjgcOWmZeWmYGjhUDJ1NTFxEDDwUBA
> Status:TRUST
> Start Date:2016/04/25 13:00:14
> End Date:  2114/08/14 13:37:46
> Serial Number:xxx
>
> Issuer's Name:CN=COV1CERT01VM
> Subject's Name:CN=NRC1CERT03VM.am.tsacorp.com
>
> Label:ACWA Client Cert
> Certificate ID:2Qfj4uLjxeLBwcPmwUDDk4mFlaNAw4WZo0BA
> Status:TRUST
> Start Date:2021/08/11 08:34:50
> End Date:  2023/08/11 08:34:50
> Serial Number:
>
> Issuer's Name:CN=NRC1CERT03VM.am.tsacorp.com
> Subject's Name:CN=MFZ900ACWA.AM.TSACORP.COM
>
> Subject's AltNames:
>   ,IP:10.x.xx.xxx
>   ,Domain: MFZ900ACWA.AM.TSACORP.COM
>
> And lastly my keyring owned by IZUSVR
>
> Ring:
>  ,IZUKeyring.IZUDFLT
>
>  Certificate Label NameCert Owner   USAGE   DEFAULT
> -  ---  
>  ,Corporate Root CA,CERTAUTH,CERTAUTH   ,NO
>  ,Corporate IMMED CA   ,CERTAUTH,CERTAUTH   ,NO
>  ,ACWA Client Cert ,ID(TSSTESA) ,PERSONAL   ,YES
>
>
>
> Ms Terri E Shaffer
> Senior Systems Engineer,
> z/OS Support:
> ACIWorldwide – Telecommuter
> H(412-766-2697) C(412-519-2592)
> terri.shaf...@aciworldwide.com
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of Colin Paice
> Sent: Friday, August 13, 2021 9:13 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: z/OSMF Certificates
>
> External Email
>
>
> Terri,
>
> I too had problems and wrote A practical guide to getting z/OSMF working <
> https://colinpaice.blog/2020/12/21/a-practical-guide-to-getting-z-osmf-working/
> >
> it mentions certificates.
>
> It sounds like someone is trying to connect to your server.   The CAs for
> this user are not in the server's keyring.
>
> Can you list your client's certificate and see the CA's for the client
> cert?
>
> on z try
> RACDCERT LISTRING(IZUKeyring.IZUDFLT ID(IZUSVR) to see what is in RACF.
>
> What are you using on your client  - browser or python etc?
>
> regards
>
> Colin
>
> On Fri, 13 Aug 2021 at 13:59, Shaffer, Terri <
> 017d5f778222-dmarc-requ...@listserv.ua.edu> wrote:
>
> > So I am no expert when it comes to certificates,  So maybe someone can
> > shed some light for me.
> >
> > By default z/OSMF is configured with a CA   or ZOSMFCA label.   That
> > doesn't work or maybe seem to work for me. I can generate a client
> > certificate from it and download to me PC but will never establish an
> > SSL TLS 1.2 connection.  I also done have admin rights, so even if I
> > could it would only be for me, at least I think.
> >
> > So my corporate network team, gave me a root and immediate CA and then
> > generated a client certificate for me.
> >
> > I imported them to RACF as trusted and built my z/OSMF key ring off
> > those, which seemed to work...
> >
> > However now I am getting
> >
> > [ERROR   ] CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN
> > CN=xxx.xxx.xxx.xxx my IP
> > The signer might need to be added to local trust store
> > safkeyringhybrid://IZUSVR/IZUKeyring.IZUDFLT, located in SSL
> > configuration alias izuSSLConfig.
> > The extended error message from the SSL handshake exception is: PKIX
> > path building failed:
> > com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid
> certification path to requested target.
> >
> > Which I guess makes sense because my network team gave me all the Certs.
> > But is there a way to resolve this so all users get a TLS 1.2 htps
> > connection?
> >
> > Ms Terri E Shaffer
> > Senior Systems Engineer,
> > z/OS Support:
> > 

Re: Secondary sources for DFP and DFSMS

[Seymour J Metz]

Sure, a primary source can be bogus, but if you were writing an article on, 
e.g., the Chevrolet Volt, would you put more credence on an article in the 
National Enquirer than in the Volt Owners' manual?


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Charles Mills [charl...@mcn.org]
Sent: Thursday, August 12, 2021 4:52 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Secondary sources for DFP and DFSMS

I understand the issue with primary sources. Mills Computer Company could
announce a perpetual motion machine and publish documentation for it. That
would be a primary source, yet for an obviously fictitious thing. You would
have trouble, however, finding a press article or a SHARE presentation that
confirmed our product's existence.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Seymour J Metz
Sent: Thursday, August 12, 2021 12:02 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Secondary sources for DFP and DFSMS

CW and Datamation articles on IBM announcements should satisfy wiki's Mickey
Mouse requirements.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Filemanger abend and dynamic allocation

[Gilson Cesar de Oliveira]

Em sex., 13 de ago. de 2021 às 10:31, Seymour J Metz 
escreveu:

> Where is the S0C9? Has the batch job completed? What is in the ALLOC and
> what are the TUs of the DYNALLOC?
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> 
> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf
> of Joseph Reichman [reichman...@gmail.com]
> Sent: Thursday, August 12, 2021 5:23 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Filemanger abend and dynamic allocation
>
> I got a soc9 divide exception
> This abend is from my job joseph.reich...@irs.gov except I cannt post
> from that email
> You mentioned sysprint however I don’t remember allocating it in either
> case
> It seems that the file I want to browse just has to be pointed to my Rexx
> variable filein
> It also seems that file manager dynamically allocates filein that’s just
> by doing tso isrddn and seeing a sys…… DD allocated to the dsname as in the
> case where SVC 99 returns the ddname I think that’s key 1
>
> Also when the abend happens I do actually get into the file manager panel
> as it trying to read the input the all of the sudden abends pgm=filemngr
> it’s from memory but I do believe that’s it with a s0c9
>
>
>
> > On Aug 12, 2021, at 4:45 PM, Jeremy Nicoll <
> jn.ls.mfrm...@letterboxes.org> wrote:
> >
> > On Thu, 12 Aug 2021, at 20:28, Joseph Reichman wrote:
> >
> >> If the input is multiple files then I allocate the output via ADDRESS
> TSO “ALLOC
> >
> > Why?  I mean, by all means decide the name of the output file(s) before
> you
> > build the JCL, but let the JCL allocate it/them.
> >
> >
> >> File manger abends trying to display the output
> >
> > What abend code?
> >
> > Are the batch jobs finished at that point?
> >
> >
> > --
> > Jeremy Nicoll - my opinions are my own.
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Secondary sources for DFP and DFSMS

[Seymour J Metz]

Wikipedia policy does not consider wiki articles to be reliable sources. Still, 
the lack of SME moderation does lead to a lot of nonsense.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Radoslaw Skorupka [r.skoru...@hotmail.com]
Sent: Friday, August 13, 2021 5:01 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Secondary sources for DFP and DFSMS

https://secure-web.cisco.com/11SwSRBbK7gK2KytxDOSfLUVBpA42gjBMmpX1drhsJEEPTpCBhJKameawr_JKk7Iqb1Q8CykK_47DDVNxivG4-6cskVX5yMq2yhLeylG39h-r7cJAFS1RHkSYEvekUWd2nNZLxwMILEJHnmx-Cs-nWKTafa3rJ-LgABfkUINfyzkNs9cDvlNafdEaGiQmFxnP60EW3hNRhIlv8zG1WpAZ9YrXaF0vGrNTM_BclahZDOyeGcvYuIQb4lrKzA1J6VtZ8yiPKhulfzlKwORQmOqg18Gj7-v7-ml9UzmH2ziWB3TAkYI9XpmEUdxRw5gloeT-DAP3O8Yt70rHNsSrkJD2N_jvY-lKe8nKcn2IslkbKNeP1noTMqtEFgug396zaywwSqdZqQKbvusvuwkuPGtPSx2AAi5YdOG5rD8OrE392pUM0hWY45epxGVN-A-n5lUJ/https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FHenryk_Batuta_hoax

BTW: I'm aware of (non-IT) sources which are personal blogs or webpages
and quite inaccurate.

In fact it is quite possible to create such page under real name or fake
one and then use it as a source.

--
Radoslaw Skorupka
Lodz, Poland




W dniu 12.08.2021 o 22:52, Charles Mills pisze:
> I understand the issue with primary sources. Mills Computer Company could
> announce a perpetual motion machine and publish documentation for it. That
> would be a primary source, yet for an obviously fictitious thing. You would
> have trouble, however, finding a press article or a SHARE presentation that
> confirmed our product's existence.
>
> Charles
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Seymour J Metz
> Sent: Thursday, August 12, 2021 12:02 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Secondary sources for DFP and DFSMS
>
> CW and Datamation articles on IBM announcements should satisfy wiki's Mickey
> Mouse requirements.
>
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Filemanger abend and dynamic allocation

[Seymour J Metz]

Where is the S0C9? Has the batch job completed? What is in the ALLOC and what 
are the TUs of the DYNALLOC?


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Joseph Reichman [reichman...@gmail.com]
Sent: Thursday, August 12, 2021 5:23 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Filemanger abend and dynamic allocation

I got a soc9 divide exception
This abend is from my job joseph.reich...@irs.gov except I cannt post from that 
email
You mentioned sysprint however I don’t remember allocating it in either case
It seems that the file I want to browse just has to be pointed to my Rexx 
variable filein
It also seems that file manager dynamically allocates filein that’s just by 
doing tso isrddn and seeing a sys…… DD allocated to the dsname as in the case 
where SVC 99 returns the ddname I think that’s key 1

Also when the abend happens I do actually get into the file manager panel as it 
trying to read the input the all of the sudden abends pgm=filemngr it’s from 
memory but I do believe that’s it with a s0c9



> On Aug 12, 2021, at 4:45 PM, Jeremy Nicoll  
> wrote:
>
> On Thu, 12 Aug 2021, at 20:28, Joseph Reichman wrote:
>
>> If the input is multiple files then I allocate the output via ADDRESS TSO 
>> “ALLOC
>
> Why?  I mean, by all means decide the name of the output file(s) before you
> build the JCL, but let the JCL allocate it/them.
>
>
>> File manger abends trying to display the output
>
> What abend code?
>
> Are the batch jobs finished at that point?
>
>
> --
> Jeremy Nicoll - my opinions are my own.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OSMF Certificates

[Shaffer, Terri]

I did that, I have 2 CA's and a client certificate when I view, but z/OSMF 
states its not in a local trust store.

CWPKI0022E: SSL HANDSHAKE FAILURE

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide – Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Colin Paice
Sent: Friday, August 13, 2021 9:22 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OSMF Certificates

External Email


Display the certificate in the browser for example with chrome use 
chrome://settings/certificates with firefox use view certificates in settings

On Fri, 13 Aug 2021 at 14:13, Shaffer, Terri < 
017d5f778222-dmarc-requ...@listserv.ua.edu> wrote:

> I thought that also,  but I am using the DNS name in my web browser.
>
> But they also my certificate with alias's.
>
> Subject Alt Names
> DNS Name   MFZ900ACWA.AM.TSACORP.COM
> DNS Name   MFZ900ACWA
> IP Address10.5.23.232
>
> Ms Terri E Shaffer
> Senior Systems Engineer,
> z/OS Support:
> ACIWorldwide – Telecommuter
> H(412-766-2697) C(412-519-2592)
> terri.shaf...@aciworldwide.com
>
> -Original Message-
> From: IBM Mainframe Discussion List  On
> Behalf Of Joe Monk
> Sent: Friday, August 13, 2021 9:04 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: z/OSMF Certificates
>
> External Email
>
>
> This is being caused because you are trying to access something by IP,
> but the certificate was issued to your DNS name.
>
> Try using the DNS name, and the problem will go away.
>
> Joe
>
> On Fri, Aug 13, 2021 at 7:59 AM Shaffer, Terri <
> 017d5f778222-dmarc-requ...@listserv.ua.edu> wrote:
>
> > So I am no expert when it comes to certificates,  So maybe someone
> > can shed some light for me.
> >
> > By default z/OSMF is configured with a CA   or ZOSMFCA label.   That
> > doesn't work or maybe seem to work for me. I can generate a client
> > certificate from it and download to me PC but will never establish
> > an SSL TLS 1.2 connection.  I also done have admin rights, so even
> > if I could it would only be for me, at least I think.
> >
> > So my corporate network team, gave me a root and immediate CA and
> > then generated a client certificate for me.
> >
> > I imported them to RACF as trusted and built my z/OSMF key ring off
> > those, which seemed to work...
> >
> > However now I am getting
> >
> > [ERROR   ] CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN
> > CN=xxx.xxx.xxx.xxx my IP
> > The signer might need to be added to local trust store
> > safkeyringhybrid://IZUSVR/IZUKeyring.IZUDFLT, located in SSL
> > configuration alias izuSSLConfig.
> > The extended error message from the SSL handshake exception is: PKIX
> > path building failed:
> > com.ibm.security.cert.IBMCertPathBuilderException: unable to find
> > valid
> certification path to requested target.
> >
> > Which I guess makes sense because my network team gave me all the Certs.
> > But is there a way to resolve this so all users get a TLS 1.2 htps
> > connection?
> >
> > Ms Terri E Shaffer
> > Senior Systems Engineer,
> > z/OS Support:
> > ACIWorldwide - Telecommuter
> > H(412-766-2697) C(412-519-2592)
> > terri.shaf...@aciworldwide.com
> >
> > 
> >  [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg]
> > < http://www.aciworldwide.com> This email message and any
> > attachments may contain confidential, proprietary or non-public
> > information. The information is intended solely for the designated
> > recipient(s). If an addressing or transmission error has misdirected
> > this email, please notify the sender immediately and destroy this
> > email. Any review, dissemination, use or reliance upon this
> > information by unintended recipients is prohibited. Any opinions
> > expressed in this email are those of the author personally.
> >
> > 
> > -- For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO
> > IBM-MAIN
> >
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
> [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] <
> http://www.aciworldwide.com> This email message and any attachments
> may contain confidential, proprietary or non-public information. The
> information is intended solely for the designated recipient(s). If an
> addressing or transmission error has misdirected this email, please
> notify the sender immediately and destroy this email. Any review,
> dissemination, use or reliance upon this information by unintended
> recipients is prohibited. Any opinions expressed in this email are
> those of the author personally.
>
> 

Re: z/OSMF Certificates

[Colin Paice]

Display the certificate in the browser for example
with chrome use chrome://settings/certificates
with firefox use view certificates in settings

On Fri, 13 Aug 2021 at 14:13, Shaffer, Terri <
017d5f778222-dmarc-requ...@listserv.ua.edu> wrote:

> I thought that also,  but I am using the DNS name in my web browser.
>
> But they also my certificate with alias's.
>
> Subject Alt Names
> DNS Name   MFZ900ACWA.AM.TSACORP.COM
> DNS Name   MFZ900ACWA
> IP Address10.5.23.232
>
> Ms Terri E Shaffer
> Senior Systems Engineer,
> z/OS Support:
> ACIWorldwide – Telecommuter
> H(412-766-2697) C(412-519-2592)
> terri.shaf...@aciworldwide.com
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of Joe Monk
> Sent: Friday, August 13, 2021 9:04 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: z/OSMF Certificates
>
> External Email
>
>
> This is being caused because you are trying to access something by IP, but
> the certificate was issued to your DNS name.
>
> Try using the DNS name, and the problem will go away.
>
> Joe
>
> On Fri, Aug 13, 2021 at 7:59 AM Shaffer, Terri <
> 017d5f778222-dmarc-requ...@listserv.ua.edu> wrote:
>
> > So I am no expert when it comes to certificates,  So maybe someone can
> > shed some light for me.
> >
> > By default z/OSMF is configured with a CA   or ZOSMFCA label.   That
> > doesn't work or maybe seem to work for me. I can generate a client
> > certificate from it and download to me PC but will never establish an
> > SSL TLS 1.2 connection.  I also done have admin rights, so even if I
> > could it would only be for me, at least I think.
> >
> > So my corporate network team, gave me a root and immediate CA and then
> > generated a client certificate for me.
> >
> > I imported them to RACF as trusted and built my z/OSMF key ring off
> > those, which seemed to work...
> >
> > However now I am getting
> >
> > [ERROR   ] CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN
> > CN=xxx.xxx.xxx.xxx my IP
> > The signer might need to be added to local trust store
> > safkeyringhybrid://IZUSVR/IZUKeyring.IZUDFLT, located in SSL
> > configuration alias izuSSLConfig.
> > The extended error message from the SSL handshake exception is: PKIX
> > path building failed:
> > com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid
> certification path to requested target.
> >
> > Which I guess makes sense because my network team gave me all the Certs.
> > But is there a way to resolve this so all users get a TLS 1.2 htps
> > connection?
> >
> > Ms Terri E Shaffer
> > Senior Systems Engineer,
> > z/OS Support:
> > ACIWorldwide - Telecommuter
> > H(412-766-2697) C(412-519-2592)
> > terri.shaf...@aciworldwide.com
> >
> > 
> >  [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] <
> > http://www.aciworldwide.com> This email message and any attachments
> > may contain confidential, proprietary or non-public information. The
> > information is intended solely for the designated recipient(s). If an
> > addressing or transmission error has misdirected this email, please
> > notify the sender immediately and destroy this email. Any review,
> > dissemination, use or reliance upon this information by unintended
> > recipients is prohibited. Any opinions expressed in this email are
> > those of the author personally.
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
>  [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] <
> http://www.aciworldwide.com>
> This email message and any attachments may contain confidential,
> proprietary or non-public information. The information is intended solely
> for the designated recipient(s). If an addressing or transmission error has
> misdirected this email, please notify the sender immediately and destroy
> this email. Any review, dissemination, use or reliance upon this
> information by unintended recipients is prohibited. Any opinions expressed
> in this email are those of the author personally.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OSMF Certificates

[Shaffer, Terri]

Hi Colin,
  Yes I read your info and it was super helpful, but I could get past not 
having the ability for all PC's to do an HTTPS  TLS 1.2 connection from a 
browser.

For example.

Label:Corporate Root CA
Certificate ID:2QiJmZmDhZmjgcOWmZeWmYGjhUDZlpajQMPB
Status:TRUST
Start Date:2015/08/14 13:27:47
End Date:  2114/08/14 13:37:46
Serial Number:xxx

Issuer's Name:CN=COV1CERT01VM
Subject's Name:CN=COV1CERT01VM

Label:Corporate IMMED CA
Certificate ID:2QiJmZmDhZmjgcOWmZeWmYGjhUDJ1NTFxEDDwUBA
Status:TRUST
Start Date:2016/04/25 13:00:14
End Date:  2114/08/14 13:37:46
Serial Number:xxx

Issuer's Name:CN=COV1CERT01VM
Subject's Name:CN=NRC1CERT03VM.am.tsacorp.com

Label:ACWA Client Cert
Certificate ID:2Qfj4uLjxeLBwcPmwUDDk4mFlaNAw4WZo0BA
Status:TRUST
Start Date:2021/08/11 08:34:50
End Date:  2023/08/11 08:34:50
Serial Number:

Issuer's Name:CN=NRC1CERT03VM.am.tsacorp.com
Subject's Name:CN=MFZ900ACWA.AM.TSACORP.COM

Subject's AltNames:
  ,IP:10.x.xx.xxx
  ,Domain: MFZ900ACWA.AM.TSACORP.COM

And lastly my keyring owned by IZUSVR

Ring:
 ,IZUKeyring.IZUDFLT

 Certificate Label NameCert Owner   USAGE   DEFAULT
-  ---  
 ,Corporate Root CA,CERTAUTH,CERTAUTH   ,NO
 ,Corporate IMMED CA   ,CERTAUTH,CERTAUTH   ,NO
 ,ACWA Client Cert ,ID(TSSTESA) ,PERSONAL   ,YES



Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide – Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Colin Paice
Sent: Friday, August 13, 2021 9:13 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OSMF Certificates

External Email


Terri,

I too had problems and wrote A practical guide to getting z/OSMF working 

it mentions certificates.

It sounds like someone is trying to connect to your server.   The CAs for
this user are not in the server's keyring.

Can you list your client's certificate and see the CA's for the client cert?

on z try
RACDCERT LISTRING(IZUKeyring.IZUDFLT ID(IZUSVR) to see what is in RACF.

What are you using on your client  - browser or python etc?

regards

Colin

On Fri, 13 Aug 2021 at 13:59, Shaffer, Terri < 
017d5f778222-dmarc-requ...@listserv.ua.edu> wrote:

> So I am no expert when it comes to certificates,  So maybe someone can
> shed some light for me.
>
> By default z/OSMF is configured with a CA   or ZOSMFCA label.   That
> doesn't work or maybe seem to work for me. I can generate a client
> certificate from it and download to me PC but will never establish an
> SSL TLS 1.2 connection.  I also done have admin rights, so even if I
> could it would only be for me, at least I think.
>
> So my corporate network team, gave me a root and immediate CA and then
> generated a client certificate for me.
>
> I imported them to RACF as trusted and built my z/OSMF key ring off
> those, which seemed to work...
>
> However now I am getting
>
> [ERROR   ] CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN
> CN=xxx.xxx.xxx.xxx my IP
> The signer might need to be added to local trust store
> safkeyringhybrid://IZUSVR/IZUKeyring.IZUDFLT, located in SSL
> configuration alias izuSSLConfig.
> The extended error message from the SSL handshake exception is: PKIX
> path building failed:
> com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid 
> certification path to requested target.
>
> Which I guess makes sense because my network team gave me all the Certs.
> But is there a way to resolve this so all users get a TLS 1.2 htps
> connection?
>
> Ms Terri E Shaffer
> Senior Systems Engineer,
> z/OS Support:
> ACIWorldwide - Telecommuter
> H(412-766-2697) C(412-519-2592)
> terri.shaf...@aciworldwide.com
>
> 
>  [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] <
> http://www.aciworldwide.com> This email message and any attachments
> may contain confidential, proprietary or non-public information. The
> information is intended solely for the designated recipient(s). If an
> addressing or transmission error has misdirected this email, please
> notify the sender immediately and destroy this email. Any review,
> dissemination, use or reliance upon this information by unintended
> recipients is prohibited. Any opinions expressed in this email are
> those of the author personally.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive 

Re: z/OSMF Certificates

[Shaffer, Terri]

I thought that also,  but I am using the DNS name in my web browser.

But they also my certificate with alias's.

Subject Alt Names
DNS Name   MFZ900ACWA.AM.TSACORP.COM
DNS Name   MFZ900ACWA
IP Address10.5.23.232

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide – Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Joe 
Monk
Sent: Friday, August 13, 2021 9:04 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OSMF Certificates

External Email


This is being caused because you are trying to access something by IP, but the 
certificate was issued to your DNS name.

Try using the DNS name, and the problem will go away.

Joe

On Fri, Aug 13, 2021 at 7:59 AM Shaffer, Terri < 
017d5f778222-dmarc-requ...@listserv.ua.edu> wrote:

> So I am no expert when it comes to certificates,  So maybe someone can
> shed some light for me.
>
> By default z/OSMF is configured with a CA   or ZOSMFCA label.   That
> doesn't work or maybe seem to work for me. I can generate a client
> certificate from it and download to me PC but will never establish an
> SSL TLS 1.2 connection.  I also done have admin rights, so even if I
> could it would only be for me, at least I think.
>
> So my corporate network team, gave me a root and immediate CA and then
> generated a client certificate for me.
>
> I imported them to RACF as trusted and built my z/OSMF key ring off
> those, which seemed to work...
>
> However now I am getting
>
> [ERROR   ] CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN
> CN=xxx.xxx.xxx.xxx my IP
> The signer might need to be added to local trust store
> safkeyringhybrid://IZUSVR/IZUKeyring.IZUDFLT, located in SSL
> configuration alias izuSSLConfig.
> The extended error message from the SSL handshake exception is: PKIX
> path building failed:
> com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid 
> certification path to requested target.
>
> Which I guess makes sense because my network team gave me all the Certs.
> But is there a way to resolve this so all users get a TLS 1.2 htps
> connection?
>
> Ms Terri E Shaffer
> Senior Systems Engineer,
> z/OS Support:
> ACIWorldwide - Telecommuter
> H(412-766-2697) C(412-519-2592)
> terri.shaf...@aciworldwide.com
>
> 
>  [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] <
> http://www.aciworldwide.com> This email message and any attachments
> may contain confidential, proprietary or non-public information. The
> information is intended solely for the designated recipient(s). If an
> addressing or transmission error has misdirected this email, please
> notify the sender immediately and destroy this email. Any review,
> dissemination, use or reliance upon this information by unintended
> recipients is prohibited. Any opinions expressed in this email are
> those of the author personally.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

 [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] 

This email message and any attachments may contain confidential, proprietary or 
non-public information. The information is intended solely for the designated 
recipient(s). If an addressing or transmission error has misdirected this 
email, please notify the sender immediately and destroy this email. Any review, 
dissemination, use or reliance upon this information by unintended recipients 
is prohibited. Any opinions expressed in this email are those of the author 
personally.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OSMF Certificates

[Colin Paice]

Terri,

I too had problems and wrote A practical guide to getting z/OSMF working

it mentions certificates.

It sounds like someone is trying to connect to your server.   The CAs for
this user are not in the server's keyring.

Can you list your client's certificate and see the CA's for the client cert?

on z try
RACDCERT LISTRING(IZUKeyring.IZUDFLT ID(IZUSVR)
to see what is in RACF.

What are you using on your client  - browser or python etc?

regards

Colin

On Fri, 13 Aug 2021 at 13:59, Shaffer, Terri <
017d5f778222-dmarc-requ...@listserv.ua.edu> wrote:

> So I am no expert when it comes to certificates,  So maybe someone can
> shed some light for me.
>
> By default z/OSMF is configured with a CA   or ZOSMFCA label.   That
> doesn't work or maybe seem to work for me. I can generate a client
> certificate from it and download to me PC but will never establish an SSL
> TLS 1.2 connection.  I also done have admin rights, so even if I could it
> would only be for me, at least I think.
>
> So my corporate network team, gave me a root and immediate CA and then
> generated a client certificate for me.
>
> I imported them to RACF as trusted and built my z/OSMF key ring off those,
> which seemed to work...
>
> However now I am getting
>
> [ERROR   ] CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN
> CN=xxx.xxx.xxx.xxx my IP
> The signer might need to be added to local trust store
> safkeyringhybrid://IZUSVR/IZUKeyring.IZUDFLT, located in SSL configuration
> alias izuSSLConfig.
> The extended error message from the SSL handshake exception is: PKIX path
> building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable
> to find valid certification path to requested target.
>
> Which I guess makes sense because my network team gave me all the Certs.
> But is there a way to resolve this so all users get a TLS 1.2 htps
> connection?
>
> Ms Terri E Shaffer
> Senior Systems Engineer,
> z/OS Support:
> ACIWorldwide - Telecommuter
> H(412-766-2697) C(412-519-2592)
> terri.shaf...@aciworldwide.com
>
> 
>  [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] <
> http://www.aciworldwide.com>
> This email message and any attachments may contain confidential,
> proprietary or non-public information. The information is intended solely
> for the designated recipient(s). If an addressing or transmission error has
> misdirected this email, please notify the sender immediately and destroy
> this email. Any review, dissemination, use or reliance upon this
> information by unintended recipients is prohibited. Any opinions expressed
> in this email are those of the author personally.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OSMF Certificates

[Carmen Vitullo]

I am working with out security folks also, they are requiring TLS 1.2 
only connections, there's a local override file you can add to force all 
connections to TSL1.2, but be careful, if you use the JES2EDS (email 
delivery system) you also need to force TLS 1.2 via a SSH daemon or 
adding the TLS 1.2 parm in CEEPRMxx


for z/OS 2.3 and beyond

/global/zosmf/configuration - add

local_override.cfg

IZU_SSL_PROTOCOL=TSL1.2

if you need to force TLS 1.2 via LE

add

ENVAR=("GSK_PROTOCOL_TLSV1_2=ON")

I've tested with only the z/osmf local override file and this caused 
JES2EDS connections to fail.


there may be some other options, this is the only option that seemed to 
satisfy my security folks and still allow everything to work / connect


Carmen



On 8/13/2021 7:59 AM, Shaffer, Terri w
rote:

So I am no expert when it comes to certificates,  So maybe someone can shed 
some light for me.

By default z/OSMF is configured with a CA   or ZOSMFCA label.   That doesn't 
work or maybe seem to work for me. I can generate a client certificate from it 
and download to me PC but will never establish an SSL TLS 1.2 connection.  I 
also done have admin rights, so even if I could it would only be for me, at 
least I think.

So my corporate network team, gave me a root and immediate CA and then 
generated a client certificate for me.

I imported them to RACF as trusted and built my z/OSMF key ring off those, 
which seemed to work...

However now I am getting

[ERROR   ] CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN 
CN=xxx.xxx.xxx.xxx my IP
The signer might need to be added to local trust store 
safkeyringhybrid://IZUSVR/IZUKeyring.IZUDFLT, located in SSL configuration 
alias izuSSLConfig.
The extended error message from the SSL handshake exception is: PKIX path 
building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to 
find valid certification path to requested target.

Which I guess makes sense because my network team gave me all the Certs.  But 
is there a way to resolve this so all users get a TLS 1.2 htps connection?

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com


  [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] 

This email message and any attachments may contain confidential, proprietary or 
non-public information. The information is intended solely for the designated 
recipient(s). If an addressing or transmission error has misdirected this 
email, please notify the sender immediately and destroy this email. Any review, 
dissemination, use or reliance upon this information by unintended recipients 
is prohibited. Any opinions expressed in this email are those of the author 
personally.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
/I am not bound to win, but I am bound to be true. I am not bound to 
succeed, but I am bound to live by the light that I have. I must stand 
with anybody that stands right, and stand with him while he is right, 
and part with him when he goes wrong. *Abraham Lincoln*/


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OSMF Certificates

[Joe Monk]

This is being caused because you are trying to access something by IP, but
the certificate was issued to your DNS name.

Try using the DNS name, and the problem will go away.

Joe

On Fri, Aug 13, 2021 at 7:59 AM Shaffer, Terri <
017d5f778222-dmarc-requ...@listserv.ua.edu> wrote:

> So I am no expert when it comes to certificates,  So maybe someone can
> shed some light for me.
>
> By default z/OSMF is configured with a CA   or ZOSMFCA label.   That
> doesn't work or maybe seem to work for me. I can generate a client
> certificate from it and download to me PC but will never establish an SSL
> TLS 1.2 connection.  I also done have admin rights, so even if I could it
> would only be for me, at least I think.
>
> So my corporate network team, gave me a root and immediate CA and then
> generated a client certificate for me.
>
> I imported them to RACF as trusted and built my z/OSMF key ring off those,
> which seemed to work...
>
> However now I am getting
>
> [ERROR   ] CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN
> CN=xxx.xxx.xxx.xxx my IP
> The signer might need to be added to local trust store
> safkeyringhybrid://IZUSVR/IZUKeyring.IZUDFLT, located in SSL configuration
> alias izuSSLConfig.
> The extended error message from the SSL handshake exception is: PKIX path
> building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable
> to find valid certification path to requested target.
>
> Which I guess makes sense because my network team gave me all the Certs.
> But is there a way to resolve this so all users get a TLS 1.2 htps
> connection?
>
> Ms Terri E Shaffer
> Senior Systems Engineer,
> z/OS Support:
> ACIWorldwide - Telecommuter
> H(412-766-2697) C(412-519-2592)
> terri.shaf...@aciworldwide.com
>
> 
>  [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] <
> http://www.aciworldwide.com>
> This email message and any attachments may contain confidential,
> proprietary or non-public information. The information is intended solely
> for the designated recipient(s). If an addressing or transmission error has
> misdirected this email, please notify the sender immediately and destroy
> this email. Any review, dissemination, use or reliance upon this
> information by unintended recipients is prohibited. Any opinions expressed
> in this email are those of the author personally.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

z/OSMF Certificates

[Shaffer, Terri]

So I am no expert when it comes to certificates,  So maybe someone can shed 
some light for me.

By default z/OSMF is configured with a CA   or ZOSMFCA label.   That doesn't 
work or maybe seem to work for me. I can generate a client certificate from it 
and download to me PC but will never establish an SSL TLS 1.2 connection.  I 
also done have admin rights, so even if I could it would only be for me, at 
least I think.

So my corporate network team, gave me a root and immediate CA and then 
generated a client certificate for me.

I imported them to RACF as trusted and built my z/OSMF key ring off those, 
which seemed to work...

However now I am getting

[ERROR   ] CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN 
CN=xxx.xxx.xxx.xxx my IP
The signer might need to be added to local trust store 
safkeyringhybrid://IZUSVR/IZUKeyring.IZUDFLT, located in SSL configuration 
alias izuSSLConfig.
The extended error message from the SSL handshake exception is: PKIX path 
building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to 
find valid certification path to requested target.

Which I guess makes sense because my network team gave me all the Certs.  But 
is there a way to resolve this so all users get a TLS 1.2 htps connection?

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com


 [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] 

This email message and any attachments may contain confidential, proprietary or 
non-public information. The information is intended solely for the designated 
recipient(s). If an addressing or transmission error has misdirected this 
email, please notify the sender immediately and destroy this email. Any review, 
dissemination, use or reliance upon this information by unintended recipients 
is prohibited. Any opinions expressed in this email are those of the author 
personally.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [External] Unix time zone

[Paul Gilmartin]

On Wed, 11 Aug 2021 13:06:59 -0500, Carmen Vitullo wrote:

>found it,
>
>in /etc/profile there is a execution of a script from CA
>
>agentsworks.profile
>
>  /cai/agent/agentworks.profile that sets many options, one.
>
>TZ=EST5EDT
>
>Thanks all for all your input
>
IBM blundered in not providing a more useful default behavior when TZ is unset
Most UNIX-like systems allow an administrator to supply a default in that case,
more useful than z/OS's inflexible default of GMT.  IBM has justified that 
choice
as providing compatibility with AIX.

z/OS then compounded the offense by providing multiple inconsistent ways in
which developers set TZ (Conway's Law).

There should be a single point of control for time offset interactive shells, 
servers,
and, yes, TSO and batch.  Anything less invites inconsistency.  And,for best 
results:
https://www.iana.org/time-zones

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Filemanger abend and dynamic allocation

[Greg Price]

On 8/13/2021 8:26 AM, Sri h Kolusu wrote:

I got a soc9 divide exception

S0C9 abend is usually due to divide by zero.


Can also get it from a CVB where the decimal number is too big for 
32-bit binary, as I recently found out in one of my efforts...

:)

Cheers,
Greg

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Secondary sources for DFP and DFSMS

[Radoslaw Skorupka]

https://en.wikipedia.org/wiki/Henryk_Batuta_hoax

BTW: I'm aware of (non-IT) sources which are personal blogs or webpages 
and quite inaccurate.


In fact it is quite possible to create such page under real name or fake 
one and then use it as a source.


--
Radoslaw Skorupka
Lodz, Poland




W dniu 12.08.2021 o 22:52, Charles Mills pisze:

I understand the issue with primary sources. Mills Computer Company could
announce a perpetual motion machine and publish documentation for it. That
would be a primary source, yet for an obviously fictitious thing. You would
have trouble, however, finding a press article or a SHARE presentation that
confirmed our product's existence.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Seymour J Metz
Sent: Thursday, August 12, 2021 12:02 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Secondary sources for DFP and DFSMS

CW and Datamation articles on IBM announcements should satisfy wiki's Mickey
Mouse requirements.




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Filemanger abend and dynamic allocation

[Jeremy Nicoll]

On Thu, 12 Aug 2021, at 23:51, Joseph Reichman wrote:

> The only difference using SVC 99 to allocate the file I am able to get 
> into file manager 
> With tso ALLOC I blow up

That suggests your ALLOC is not coded properly; it might work, but is 
not creating the same sort of file.

This information: 

> The rexx variables I assign 
> Are tclib for the template 
> TCIN for the template member 
> And filein for the dataset to browse 
> Then I invoke the following  command 
> Address ispexec
> “Select cmd(filemgr $dsv dsnin=‘“ || ‏filein || “ ‘ TCIN=‘“ || tclib || 
> “(“ || TCIN || “)”

is nearly useless (to us) and we cannot see what any of the variables
you defined actually contain.

Have you tried tracing the exec to make sure that 
the contents of the "select cmd" are actually what you expect?

Is there anything odd about the file names involved?

As other people have asked, are the file's characteristics (recfm lrecl
etc) identical in the working and failing instances?


-- 
Jeremy Nicoll - my opinions are my own.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN