Re: How do you Prove that you no longer need a working SKLM server or started task.

2022-05-09 Thread Timothy Sipples
Echoing some other comments, there’s security merit in having redundant 
external key managers with your IBM DS8000 systems (external to the storage 
device). As IBM explains, the Local Key Manager won’t protect the drives if 
someone manages to grab the whole IBM DS8000 unit — a law enforcement agency, 
co-location data center owner, invading army, etc. — regardless of whether your 
servers are up or down. Anything on the storage device that can be read will be 
readable in that event. And “grab” doesn’t really mean “cart away.”

An external key manager allows for some separation of duties. For example, 
storage administrators can be responsible for the IBM DS8000 systems while your 
security organization is responsible for the EKMs. If the security team shuts 
down the EKMs then the DS8000 systems cannot (re)start up and come online. In 
other words, at least two people in this equation have to be involved in 
providing (or at least maintaining) access to storage.

EKMs can also provide services to other devices and environments. For example, 
IBM Security Guardium Key Lifecycle Manager not only provides key management 
services for IBM DS8000 and other IBM/non-IBM storage devices, it also provides 
KMS to VMware environments (as a notable example).

I’m not arguing the LKM is “bad.” It’s convenient, and that counts. It provides 
some security, really for addressing the risks of individual drive thefts and 
storage retirement. (Remove the keys and the encrypted drives are safe to 
transfer/repurpose/sell.) But having EKMs is more secure by design because they 
address those risks and a few more. However, if you’ve implemented 
comprehensive z/OS Data Set Encryption (and Linux dm-crypt/LUKS2 and/or 
Spectrum Scale encryption) then I think the LKM could be reasonable even with 
demanding security requirements.

Yes, IBM recommends having a redundant pair of EKMs. But they don’t necessarily 
have to be your “on premises” EKMs. In fact, one fairly popular pattern now is 
to have one “primary” EKM on your premises and an alternate running in IBM 
Cloud Hyper Protect.

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cyber Security
IBM zSystems and LinuxONE
sipp...@sg.ibm.com


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: $HASP052 JES2 RESOURCE SHORTAGE OF BERT XX% UTILIZATION REACHED [EXTERNAL]

2022-05-09 Thread Feller, Paul
Kenneth, I would agree that when the jobs hit JES2 the damage is done.  To 
handle things in the future you could look at increasing the size of your 
checkpoint datasets.  Maybe double or triple the current size so that if needed 
you can dynamically adjust things.  Naturally if you are using a coupling 
facility structure as one of your checkpoints that would also have to increase.  
To refresh my memory I took a quick look in the JES2 Initialization and Tuning 
Guide for z/OS 2.4 and the max size a checkpoint dataset can be is 17,000 
tracks.

From the manual:
If you don't want to calculate the size, you can use a trial-and-error approach
by over-allocating the space (two or three times your current allocation) and
let JES2 tell you with the $HASP296 or $HASP542 message if you need more. The
largest checkpoint that JES2 will currently use is approximately 17,000 tracks
on a 3390 device (Approximately 200,000 4K records). Allocating a new data set
of this size will ensure that it can accommodate increasing any section to the
maximum size.



Paul Feller
GTS Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Kenneth J. Kripke
Sent: Monday, May 9, 2022 8:00 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: $HASP052 JES2 RESOURCE SHORTAGE OF BERT XX% UTILIZATION REACHED 
[EXTERNAL]

Hello;

We had an incident where about 8,000 jobs were submitted via a distributed
process.  All the jobs were of the same name.

It is my understanding that the BERT contains the CAT and JQE as well as the
WSCQ as indicated in a bit indicator.  If the jobs were placed on hold via the
$H GRP,JM=,  I am guessing the control blocks will still be built, hence, no
benefit.  Is my assumption correct?  I would like to pose the question on how
others have resolved the problem.

Sincerely;

Kenneth J. Kripke
k.kri...@comcast.net



--
Please note:  This message originated outside your organization. Please use 
caution when opening links or attachments.



Re: UCBIOQF and UCBIOQL

2022-05-09 Thread Seymour J Metz
That's fine; I just need them for the wiki hoops on reliable sources. Thanks.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Peter Relson [rel...@us.ibm.com]
Sent: Monday, May 9, 2022 10:42 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: UCBIOQF and UCBIOQL

UCBIOQF and UCBIOQL are pointers. If you search, you will find them under 
IOSDUPFX. They are not part of the programming interface.

FWIW, there are a lot of things mentioned in data areas commentary, for 
diagnostic reasons, that might have no further discussion.

Peter Relson
z/OS Core Technology Design




Re: directory backup

2022-05-09 Thread Paul Gilmartin
On Mon, 9 May 2022 17:44:34 -0500, Glenn Wilcock wrote:

>DFSMShsm supports wildcards and has exclude capabilities.  It will even do a 
>DELETE if you want to delete all of the files after the backup.
> 
Can it preserve the access, modification, and change times of the
originals, the OP's requirement?

-- 
gil



Re: directory backup

2022-05-09 Thread Glenn Wilcock
DFSMShsm supports wildcards and has exclude capabilities.  It will even do a 
DELETE if you want to delete all of the files after the backup.



Re: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM server or started task.

2022-05-09 Thread Michael Babcock

Here's what our DS8K storage expert (from Mainline) said:

The DS8k’s need to be at code level 9.2 and have internal encryption 
licensed. Any of your DS8886’s would still need SKLM, the new DS8900’s 
can have internal encryption (no ISKLM needed).




On 5/9/2022 12:18 PM, Pommier, Rex wrote:

Mike,

Does the 8950 HMC based encryption require an ISKLM license?  We are currently 
replicating from an 8910 to an 8884 and the 8884 is falling off support at the 
end of the year so we'll be replacing it with another 8910 most likely.  I'm 
wondering if I'll still need ISKLM for disk if we move our encryption key 
serving to the HMCs.

Thanks,

Rex

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Michael Babcock
Sent: Monday, May 9, 2022 12:10 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM 
server or started task.

We had DS8886 boxes and used an AP1 appliance with SKLM installed.  These are 
no longer offered by IBM.  We just upgraded to DS8950s and it has the option to 
do key management within the HMCs on the DS8950s.  We went this route.

On Mon, May 9, 2022 at 11:37 AM Tom Longfellow 
<03e29b607131-dmarc-requ...@listserv.ua.edu> wrote:


We have been doing hardware based tape and disk encryption for a very
long time.  So long in fact that I think we have 'upgraded' ourselves
out of the SKLM (or EKM) business.

The standalone servers were installed way back in our early years of
DS8000 technology (before they started offering the standalone feature code
for a dedicated box to handle keys).   In the meantime we have gone through
a few upgrades and we are currently at the DS8884 technology. I cannot
find any config info in the DS8884 on 'how to access' an external SKLM
server.   I think we have gone internal somehow.

The SKLM address spaces under z/OS were setup in our days of 3592
tapes with encryption labels on the tapes themselves.  3592 is another
technology no longer present in our current data center.  A TS7760 grid with
encrypted virtual tape disk cache handled the encryption requirement. Our SKLM
setup had two lpars, each backing the other in a primary/secondary
relationship across an internal hipersockets link.

My gut reaction is to just turn them off and let the chips fall where
they may, but that is not the 'professional' way to handle it.

Does anyone know how to prove the negative:  That I do not need these
servers.



--
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead


--
The information contained in this message is confidential, protected from 
disclosure and may be legally privileged. If the reader of this message is not 
the intended recipient or an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that any disclosure, 
distribution, copying, or any action taken or action omitted in reliance on it, 
is strictly prohibited and may be unlawful. If you have received this 
communication in error, please notify us immediately by replying to this 
message and destroy the material in its entirety, whether in electronic or hard 
copy format. Thank you.




Re: Producing throwaway SMF?

2022-05-09 Thread Ituriel do Neto
If you're looking for a product that intercepts SMF records, writes them to 
databases and, optionally, discards them before writing to SMF datasets or 
Logstreams, there is one named ZETALY Streaming Agent, from ZETALY.


Best Regards

Ituriel do Nascimento Neto
z/OS System Programmer

On Monday, May 9, 2022 15:34:17 BRT, Larre Shiller 
<0102cb4997b0-dmarc-requ...@listserv.ua.edu> wrote: 

Hi Mike -

I know it's not a "Product", but we use a simple SMF exit for this very purpose.

Larre Shiller
US Social Security Administration 
“The opinions expressed in this e-mail are mine personally and do not 
necessarily reflect the opinion of the US Social Security Administration or the 
US Government.”



Re: Producing throwaway SMF?

2022-05-09 Thread Larre Shiller
Hi Mike -

I know it's not a "Product", but we use a simple SMF exit for this very purpose.

Larre Shiller
US Social Security Administration 
“The opinions expressed in this e-mail are mine personally and do not 
necessarily reflect the opinion of the US Social Security Administration or the 
US Government.”



Re: Producing throwaway SMF?

2022-05-09 Thread Pew, Curtis G
On May 9, 2022, at 10:57 AM, MARTIN, MIKE  wrote:
> 
> Well, not exactly throwaway, but is there a way to produce SMF/RMF record 
> types (say CICS 110-2's) for sending to a product like Splunk, but not write 
> them to our SMF datasets (non-streams).
> 
> (I realize products like Splunk probably have a way to intercept/send the 
> data) but we may not want to save the data to our SMF datasets with the 110-2 
> records if we turn them on.

Have you considered converting your SMF setup to use logstreams instead of 
SYS1.MANx? You can have multiple logstreams and dedicate one of them to these 
records.


-- 
Pew, Curtis G
curtis@austin.utexas.edu



Re: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM server or started task.

2022-05-09 Thread Michael Babcock
I’m not sure but I can try to find out from our storage guys.

On Mon, May 9, 2022 at 12:18 PM Pommier, Rex 
wrote:

> Mike,
>
> Does the 8950 HMC based encryption require an ISKLM license?  We are
> currently replicating from an 8910 to an 8884 and the 8884 is falling off
> support at the end of the year so we'll be replacing it with another 8910
> most likely.  I'm wondering if I'll still need ISKLM for disk if we move
> our encryption key serving to the HMCs.
>
> Thanks,
>
> Rex
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of Michael Babcock
> Sent: Monday, May 9, 2022 12:10 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: [EXTERNAL] Re: How do you Prove that you no longer need a working
> SKLM server or started task.
>
> We had DS8886 boxes and used an AP1 appliance with SKLM installed.  These
> are no longer offered by IBM.  We just upgraded to DS8950s and it has the
> option to do key management within the HMCs on the DS8950s.  We went this
> route.
>
> On Mon, May 9, 2022 at 11:37 AM Tom Longfellow <
> 03e29b607131-dmarc-requ...@listserv.ua.edu> wrote:
>
> > We have been doing hardware based tape and disk encryption for a very
> > long time.  So long in fact that I think we have 'upgraded' ourselves
> > out of the SKLM (or EKM) business.
> >
> > The standalone servers were installed way back in our early years of
> > DS8000 technology (before they started offering the standalone feature
> > code for a dedicated box to handle keys).   In the meantime we have gone
> > through a few upgrades and we are currently at the DS8884 technology. I
> > cannot find any config info in the DS8884 on 'how to access' an external
> > SKLM server.   I think we have gone internal somehow.
> >
> > The SKLM address spaces under z/OS were setup in our days of 3592
> > tapes with encryption labels on the tapes themselves.  3592 is another
> > technology no longer present in our current data center.  A TS7760 grid
> > with encrypted virtual tape disk cache handled the encryption
> > requirement. Our SKLM setup had two lpars, each backing the other in a
> > primary/secondary relationship across an internal hipersockets link.
> >
> > My gut reaction is to just turn them off and let the chips fall where
> > they may, but that is not the 'professional' way to handle it.
> >
> > Does anyone know how to prove the negative:  That I do not need these
> > servers.
> >
> --
> Michael Babcock
> OneMain Financial
> z/OS Systems Programmer, Lead
>
-- 
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead



Re: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM server or started task.

2022-05-09 Thread Pommier, Rex
Mike,

Does the 8950 HMC based encryption require an ISKLM license?  We are currently 
replicating from an 8910 to an 8884 and the 8884 is falling off support at the 
end of the year so we'll be replacing it with another 8910 most likely.  I'm 
wondering if I'll still need ISKLM for disk if we move our encryption key 
serving to the HMCs.

Thanks,

Rex

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Michael Babcock
Sent: Monday, May 9, 2022 12:10 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: How do you Prove that you no longer need a working SKLM 
server or started task.

We had DS8886 boxes and used an AP1 appliance with SKLM installed.  These are 
no longer offered by IBM.  We just upgraded to DS8950s and it has the option to 
do key management within the HMCs on the DS8950s.  We went this route.

On Mon, May 9, 2022 at 11:37 AM Tom Longfellow < 
03e29b607131-dmarc-requ...@listserv.ua.edu> wrote:

> We have been doing hardware based tape and disk encryption for a very 
> long time.  So long in fact that I think we have 'upgraded' ourselves 
> out of the SKLM (or EKM) business.
>
> The standalone servers were installed way back in our early years of
> DS8000 technology (before they started offering the standalone feature code
> for a dedicated box to handle keys).   In the meantime we have gone through
> a few upgrades and we are currently at the DS8884 technology. I cannot
> find any config info in the DS8884 on 'how to access' an external SKLM
> server.   I think we have gone internal somehow.
>
> The SKLM address spaces under z/OS were setup in our days of 3592
> tapes with encryption labels on the tapes themselves.  3592 is another
> technology no longer present in our current data center.  A TS7760 grid with
> encrypted virtual tape disk cache handled the encryption requirement. Our SKLM
> setup had two lpars, each backing the other in a primary/secondary
> relationship across an internal hipersockets link.
>
> My gut reaction is to just turn them off and let the chips fall where
> they may, but that is not the 'professional' way to handle it.
>
> Does anyone know how to prove the negative:  That I do not need these 
> servers.
>
--
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead



Re: Producing throwaway SMF?

2022-05-09 Thread Charles Mills
You will need to configure this in the product that is sending the SMF
records to Splunk, presumably Syncsort (whatever they call themselves now)
Ironstream.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of MARTIN, MIKE
Sent: Monday, May 9, 2022 8:57 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Producing throwaway SMF?

Well, not exactly throwaway, but is there a way to produce SMF/RMF record
types (say CICS 110-2's) for sending to a product like Splunk, but not write
them to our SMF datasets (non-streams).

(I realize products like Splunk probably have a way to intercept/send the
data) but we may not want to save the data to our SMF datasets with the
110-2 records if we turn them on.

Mike Martin

This email may contain confidential and privileged material for the sole use
of the intended recipient. If you are not the intended recipient, please
contact the sender and delete all copies. Any review or distribution by
others is strictly prohibited. Personal emails are restricted by policy of
the State Employees' Credit Union (SECU).  Therefore SECU specifically
disclaims any responsibility or liability for any personal information or
opinions of the author expressed in this email.



Re: How do you Prove that you no longer need a working SKLM server or started task.

2022-05-09 Thread Michael Babcock
We had DS8886 boxes and used an AP1 appliance with SKLM installed.  These
are no longer offered by IBM.  We just upgraded to DS8950s and it has the
option to do key management within the HMCs on the DS8950s.  We went this
route.

On Mon, May 9, 2022 at 11:37 AM Tom Longfellow <
03e29b607131-dmarc-requ...@listserv.ua.edu> wrote:

> We have been doing hardware based tape and disk encryption for a very long
> time.  So long in fact that I think we have 'upgraded' ourselves out of the
> SKLM (or EKM) business.
>
> The standalone servers were installed way back in our early years of
> DS8000 technology (before they started offering the standalone feature code
> for a dedicated box to handle keys).   In the meantime we have gone through
> a few upgrades and we are currently at the DS8884 technology. I cannot
> find any config info in the DS8884 on 'how to access' an external SKLM
> server.   I think we have gone internal somehow.
>
> The SKLM address spaces under z/OS were setup in our days of 3592 tapes
> with encryption labels on the tapes themselves.  3592 is another technology
> no longer present in our current data center.  A TS7760 grid with encrypted
> virtual tape disk cache handled the encryption requirement. Our SKLM
> setup had two lpars, each backing the other in  a primary/secondary
> relationship across an internal hipersockets link.
>
> My gut reaction is to just turn them off and let the chips fall where
> they may, but that is not the 'professional' way to handle it.
>
> Does anyone know how to prove the negative:  That I do not need these
> servers.
>
-- 
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead



Re: [EXTERNAL] How do you Prove that you no longer need a working SKLM server or started task.

2022-05-09 Thread Pommier, Rex
Hi Tom,

I'm not so sure you can eliminate your ISKLM servers.  You may want to log onto 
the DS8884 and check your security settings.   I have both an 8884 and an 8910F 
array and both of them have ISKLM servers assigned to them.  I believe the box 
needs the ISKLM server when it starts up.

On the 8884 go to settings then security then data at rest encryption.  Does 
the resulting window show data at rest encryption is enabled and does it show 
any key servers?  If not, you may want to revisit whether you actually have 
your disk encrypted.

We have our ISKLM servers running off the mainframe because we were concerned 
about if for some reason the disk array lost power and had to reboot, it would 
need the master key to start up which I believe is provided by the ISKLM 
server.  If the ISKLM server was running on z/OS and z/OS was down because the 
disk lost power, how do you bring z/OS up to get the key to bring the disk up 
which is needed to bring z/OS up.  Catch-22 situation so we made the decision 
to put the ISKLM servers on separate boxes.  I don't like it but didn't see we 
really had a choice.

Rex


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Longfellow
Sent: Monday, May 9, 2022 11:38 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] How do you Prove that you no longer need a working SKLM 
server or started task.

We have been doing hardware based tape and disk encryption for a very long 
time.  So long in fact that I think we have 'upgraded' ourselves out of the 
SKLM (or EKM) business.

The standalone servers were installed way back in our early years of DS8000 
technology (before they started offering the standalone feature code for a 
dedicated box to handle keys).   In the meantime we have gone through a few 
upgrades and we are currently at the DS8884 technology. I cannot find any 
config info in the DS8884 on 'how to access' an external SKLM server.   I think 
we have gone internal somehow.

The SKLM address spaces under z/OS were setup in our days of 3592 tapes with 
encryption labels on the tapes themselves.  3592 is another technology no 
longer present in our current data center.  A TS7760 grid with encrypted 
virtual tape disk cache handled the encryption requirement. Our SKLM setup 
had two lpars, each backing the other in  a primary/secondary relationship 
across an internal hipersockets link.

My gut reaction is to just turn them off and let the chips fall where they 
may, but that is not the 'professional' way to handle it.

Does anyone know how to prove the negative:  That I do not need these servers.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
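
The circular start-up dependency described in the message above, together with the redundant external key manager arrangement from Timothy Sipples's reply in the same thread, modelled as an added example (not code from any poster or from IBM). Component names and both topologies are constructed; the only rule assumed is the one stated in the thread, that the array needs a reachable key manager before it can come online.

```python
"""Cold-start check for a storage array that depends on key managers.

Added example: component names and topologies are constructed for illustration.
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# A component maps to a list of requirement groups. Every group must be
# satisfied, and a group is satisfied once any one of its members is running.
Topology = Dict[str, List[FrozenSet[str]]]


def any_of(*names: str) -> FrozenSet[str]:
    """One requirement group: at least one of `names` must be running."""
    return frozenset(names)


def cold_start(topology: Topology,
               down: Iterable[str] = ()) -> Tuple[List[str], Set[str]]:
    """Simulate power-on from a fully dark site.

    `down` lists components that have failed or were deliberately shut off.
    Returns (start order, components that can never start).
    """
    running: List[str] = []
    pending = set(topology) - set(down)
    progressed = True
    while progressed:  # repeat until a full pass starts nothing new
        progressed = False
        for name in sorted(pending):
            if all(group & set(running) for group in topology[name]):
                running.append(name)
                pending.discard(name)
                progressed = True
    return running, pending


def blockers(topology: Topology, stuck: Set[str],
             running: Iterable[str]) -> Dict[str, List[List[str]]]:
    """For each stuck component, the requirement groups nothing satisfies."""
    up = set(running)
    return {name: [sorted(g) for g in topology[name] if not g & up]
            for name in sorted(stuck)}


# Constructed topology 1: key managers run as started tasks on the same
# z/OS LPARs that need the encrypted array in order to IPL.
KEYS_ON_ZOS: Topology = {
    "ds8000": [any_of("sklm_lpar1", "sklm_lpar2")],
    "zos_lpar1": [any_of("ds8000")],
    "zos_lpar2": [any_of("ds8000")],
    "sklm_lpar1": [any_of("zos_lpar1")],
    "sklm_lpar2": [any_of("zos_lpar2")],
}

# Constructed topology 2: a redundant pair of key managers on separate
# boxes (for example one on premises and one alternate elsewhere).
KEYS_OFF_BOX: Topology = {
    "ds8000": [any_of("ekm_onprem", "ekm_alternate")],
    "zos_lpar1": [any_of("ds8000")],
    "zos_lpar2": [any_of("ds8000")],
    "ekm_onprem": [],
    "ekm_alternate": [],
}


def report(label: str, topology: Topology, down: Iterable[str] = ()) -> str:
    """Human-readable summary of one cold-start scenario."""
    order, stuck = cold_start(topology, down)
    lines = [f"{label}: start order = {order or 'nothing starts'}"]
    for name, groups in blockers(topology, stuck, order).items():
        waits = " and ".join("any of " + "/".join(g) for g in groups)
        lines.append(f"  {name} waits for {waits}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("key managers on z/OS", KEYS_ON_ZOS))
    print(report("key managers off box", KEYS_OFF_BOX))
    print(report("off box, on-prem EKM failed", KEYS_OFF_BOX,
                 down=["ekm_onprem"]))
    print(report("off box, both EKMs shut down", KEYS_OFF_BOX,
                 down=["ekm_onprem", "ekm_alternate"]))
```

The last scenario is the separation-of-duties case from the thread: with both key managers shut down, the array and everything behind it stay offline.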


Re: Producing throwaway SMF?

2022-05-09 Thread Colin Paice
There is SMF real-time interface

(SMF provides an application programming interface (API) that offers
real-time access to SMF in-memory resources. You can use the callable
services that comprise the SMF real-time interface from an application
program to access SMF records from an in-memory resource *as they are
written*.)  ... so doesn't actually cover throwaway

SMF provides an application programming interface (API) that offers
real-time access to SMF in-memory resources.
The following callable services support real-time access to SMF records:

   - IFAMCON — Connect to an SMF in-memory resource
   - IFAMGET — Obtain data from an SMF in-memory resource
   - IFAMDSC — Disconnect from an SMF in-memory resource
   - IFAMQRY — Query SMF in-memory resources

The following steps describe the expected calling sequence:

   1. Optional: Call the IFAMQRY service to determine which SMF in-memory
   resources are available to the application.
   2. Call the IFAMCON service to connect to an in-memory resource.
   3. Call the IFAMGET service in a loop to collect SMF records that are
   already in the in-memory resource or that are being recorded in real time.
   4. Call the IFAMDSC service to disconnect from the in-memory resource
   and clean up resources.

For more information, see the topic on using the SMF real-time
interface in z/OS MVS System Management Facilities (SMF).

On Mon, 9 May 2022 at 16:57, MARTIN, MIKE  wrote:

> Well, not exactly throwaway, but is there a way to produce SMF/RMF record
> types (say CICS 110-2's) for sending to a product like Splunk, but not
> write them to our SMF datasets (non-streams).
>
> (I realize products like Splunk probably have a way to intercept/send the
> data) but we may not want to save the data to our SMF datasets with the
> 110-2 records if we turn them on.
>
> Mike Martin
>


Re: Producing throwaway SMF? [EXTERNAL]

2022-05-09 Thread Feller, Paul
What about setting up the SMF parms to tell SMF to ignore the 110-2 records?  
CICS will still create them but I would think SMF would just "throw them away" 
when it sees them.  Before that happens would not an exit see the 110-2 records 
and then send them off to say Splunk?


Paul Feller
GTS Mainframe Technical Support



Re: Producing throwaway SMF?

2022-05-09 Thread Pommier, Rex
Hi Mike,

I believe that depends on what you mean by "not write them to the SMF 
datasets".  If you mean that you don't want them to go to the MANx datasets 
where SMF actually writes records, I believe the answer is no.  However, if you 
want them to not go to where your SMF DUMP process goes, absolutely.  You can 
do an SMF dump w/o clear to just pull the 110-2 records into a separate dataset 
then do a dump/clear of the MAN dataset to the SMF offload dataset excluding 
the 110-2 records.  But I don't think there's a way to tell CICS to send the 
110-2 records to someplace other than straight to the SMF MAN datasets.  

Rex
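
The two-pass offload described in the message above, as an added example that is not part of the original post. It uses IFASMFDP, the dump program for SMF MAN data sets; the job name, the HLQ.* output data set names, and the space values are placeholders, and SYS1.MAN1 stands for a MAN data set that is ready to be dumped.

```jcl
//SMFSPLIT JOB (ACCT),'SPLIT 110-2',CLASS=A,MSGCLASS=X
//*
//* STEP 1: COPY ONLY THE CICS 110 SUBTYPE 2 RECORDS TO THEIR OWN
//*         DATA SET.  OPTIONS(DUMP) READS THE MAN DATA SET AND
//*         DOES NOT CLEAR IT.
//*
//PULL1102 EXEC PGM=IFASMFDP
//SYSPRINT DD SYSOUT=*
//DUMPIN   DD DISP=SHR,DSN=SYS1.MAN1
//OUT1102  DD DSN=HLQ.SMF.CICS1102.D220509,
//            DISP=(NEW,CATLG,DELETE),UNIT=SYSDA,
//            SPACE=(CYL,(50,50),RLSE),
//            DCB=(RECFM=VBS,LRECL=32760,BLKSIZE=0)
//SYSIN    DD *
  INDD(DUMPIN,OPTIONS(DUMP))
  OUTDD(OUT1102,TYPE(110(2)))
/*
//*
//* STEP 2: OFFLOAD EVERYTHING EXCEPT 110 SUBTYPE 2 TO THE NORMAL
//*         SMF OFFLOAD DATA SET, THEN CLEAR THE MAN DATA SET.
//*         OPTIONS(ALL) MEANS DUMP AND CLEAR.  THE STEP RUNS ONLY
//*         IF STEP 1 ENDED WITH RETURN CODE 0, SO THE 110-2
//*         RECORDS ARE NEVER CLEARED BEFORE THEY HAVE BEEN COPIED.
//*
//OFFLOAD  EXEC PGM=IFASMFDP,COND=(0,NE,PULL1102)
//SYSPRINT DD SYSOUT=*
//DUMPIN   DD DISP=SHR,DSN=SYS1.MAN1
//OUTREST  DD DSN=HLQ.SMF.OFFLOAD.D220509,
//            DISP=(NEW,CATLG,DELETE),UNIT=SYSDA,
//            SPACE=(CYL,(200,100),RLSE),
//            DCB=(RECFM=VBS,LRECL=32760,BLKSIZE=0)
//SYSIN    DD *
  INDD(DUMPIN,OPTIONS(ALL))
  OUTDD(OUTREST,NOTYPE(110(2)))
/*
```

The 110-2 records still pass through the MAN data set; they are only kept out of the regular offload, and the separate data set can be fed to the log forwarder and deleted on its own retention schedule.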



How do you Prove that you no longer need a working SKLM server or started task.

2022-05-09 Thread Tom Longfellow
We have been doing hardware-based tape and disk encryption for a very long 
time.  So long in fact that I think we have 'upgraded' ourselves out of the 
SKLM (or EKM) business.

The standalone servers were installed way back in our early years of DS8000 
technology (before they started offering the standalone feature code for a 
dedicated box to handle keys).  In the meantime we have gone through a few 
upgrades and we are currently at the DS8884 technology. I cannot find any 
config info in the DS8884 on 'how to access' an external SKLM server.  I think 
we have gone internal somehow.

The SKLM address spaces under z/OS were set up in our days of 3592 tapes with 
encryption labels on the tapes themselves.  3592 is another technology no 
longer present in our current data center.  A TS7760 grid with encrypted 
virtual tape disk cache handled the encryption requirement. Our SKLM setup 
had two LPARs, each backing the other in a primary/secondary relationship 
across an internal HiperSockets link.

My gut reaction is to just turn them off and let the chips fall where they 
may, but that is not the 'professional' way to handle it.

Does anyone know how to prove the negative: that I do not need these servers?



Producing throwaway SMF?

2022-05-09 Thread MARTIN, MIKE
Well, not exactly throwaway, but is there a way to produce SMF/RMF record types 
(say CICS 110-2's) for sending to a product like Splunk, but not write them to 
our SMF datasets (non-streams)?

(I realize products like Splunk probably have a way to intercept/send the data) 
but we may not want to save the data to our SMF datasets with the 110-2 records 
if we turn them on.

Mike Martin



Re: UCBIOQF and UCBIOQL

2022-05-09 Thread Peter Relson
UCBIOQF and UCBIOQL are pointers. If you search, you will find them under 
IOSDUPFX. They are not part of the programming interface.

FWIW, there are a lot of things mentioned in data areas commentary, for 
diagnostic reasons, that might have no further discussion.

Peter Relson
z/OS Core Technology Design




$HASP052 JES2 RESOURCE SHORTAGE OF BERT XX% UTILIZATION REACHED

2022-05-09 Thread Kenneth J. Kripke
Hello;

We had an incident where about 8,000 jobs were submitted via a
distributed process.  All the jobs were of the same name.

It is my understanding that the BERT contains the CAT and JQE as well as the
WSCQ as indicated in a bit indicator.  If the jobs were placed on hold via
the $H GRP,JM=,  I am guessing the control blocks will still be built, hence,
no benefit.  Is my assumption correct?  I would like to pose the question on
how others have resolved the problem.

Sincerely;

Kenneth J. Kripke

k.kri...@comcast.net




Re: UCBIOQF and UCBIOQL

2022-05-09 Thread Steve Kocik
Look at IOSDUPFX in z/OS MVS Data Areas Volume 2 (IAX - ISG)
