Re: Certificate problem

2022-09-08 Thread Phil Smith III 
Charles Mills wrote:
>Where did this self-signed certificate come from? What tool generated it?

 

It was internally generated. That's all I know. It's a test system.

 

>Case should not be a problem in a self-signed certificate. Technically I
guess it is possible but you would almost have to do it on purpose.

>I think the trace is pretty clear. I don't fully understand the big
picture, but I think the trace is pretty clear as to what it is objecting
to. Perhaps this is a tightened requirement in 1.3?

 

Well, I think you're right-it's perfectly clear *once you understand the
terms it uses*. This is sort of a classic software problem, eh? The
"obvious" message that means nothing to you when you receive it!

 

It's saying:

*   X509v3 Basic Constraints is/are set in this certificate, per RFC
3280*
*   But the Basic Constraints is NOT defined as Critical
*   This is a requirement per that RFC (odd IMHO: if it's only
meaningful if you set that, then why bother?)
*   And yes, I think this is new as of TLS 1.3

 

We regenerated a new cert with Critical and it works. Hopefully this thread
will help the next person who gets
ERROR check_cert_extensions_3280_and_later(): Basic Constraints extension
must be critical for CA Certificate

!

 

Thanks to all for your help. This wound up sorta being a rubber duck
debugging exercise, but ya got me there!

 

...phsiii

 

*Not the coder's fault that "3280" makes me think of a terminal


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: SMF type 76 records - RMF trace activity

2022-09-08 Thread Carmen Vitullo 

looks like TRACE need to be before VSTOR(S) ?

TRACE being a major parm, with VSTOR(S) and other options being minor 
parms under TRACE?


 I'm a CMF shop so I cannot test, but looking at my old RMF parms

NOTRACE

    VSTOR(S)

    WKLS

Carmen

On 9/8/2022 12:53 PM, Pierre Fichaud wrote:

Where do I find doc for the ERBFRMxx member in PARMLIB ?

I change NOTRACE to TRACE and I get a syntax error.

  .  33   IOQ(NOCOMM)/* NO 
COMMUNICATION I/O QUEUEING*/  .
  .  34   IOQ(NOGRAPH)   /* NO GRAPHICS 
DEVICE I/O QUEUEING  */  .
  .  35   IOQ(NONMBR)/* NO SELECTIVITY 
BY LCU NUMBERS*/  .
  .  36 NOFCD/* NO FICON 
DIRECTORS MEASURED  */  .
  .  37   PAGESP /* PAGE DATASET 
STATISTICS  */  .
  .  38   PAGING /* PAGING DATA 
 */  .
  .  39   TRACE  /* NO TRACE REPORT 
PRF-2022/09/08   */  .
  .  40   VSTOR(S)   /* VIRTUAL STORAGE 
SUMMARY DATA */  .
  .  41   WKLD   /* WORKLOAD 
MANAGER DATA*/  .

ERB100I RMF: ACTIVE
ERB300I ZZ : SYNTAX ERROR IN OR FOLLOWING TEXT BEGINNING '   */
ERB300I ZZ : VSTOR(S) ' IN LIBRARY 00 INPUT
ERB103I ZZ : OPTIONS IN EFFECT
ERB103I ZZ :   NOEXITS  -- MEMBER
ERB103I ZZ :   SYSOUT(A)  -- MEMBER
ERB103I ZZ :   NOREPORT  -- MEMBER
ERB103I ZZ :   RECORD  -- MEMBER
ERB103I ZZ :   NOOPTIONS  -- MEMBER
ERB103I ZZ :   SYNC(SMF)  -- MEMBER
ERB103I ZZ :   NOSTOP  -- MEMBER
ERB103I ZZ :   CYCLE(1000)  -- MEMBER
ERB103I ZZ :   NOVMGUEST  -- MEMBER
ERB103I ZZ :   WKLD  -- MEMBER
ERB103I ZZ :   VSTOR(S)  -- MEMBER
ERB103I ZZ :   NOTRACE  -- CHANGED
ERB103I ZZ :   PAGING  -- MEMBER

I don't see what I've done wrong.

Also, I can /S RMF but I can't /P RMF. It says that it is not active.
So I need to IPL to get rid of RMF.

Thanks in advance, Pierre.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: SMF type 76 records - RMF trace activity

2022-09-08 Thread Michael Oujesky 
Depends on what level of zOS you are at,  RMF has been recently been 
split into the Data Gatherer and RMF components.

https://www.ibm.com/docs/en/zos/2.5.0?topic=zos-rmf
https://www.ibm.com/docs/en/zos/2.5.0?topic=zos-data-gatherer
Michael

At 12:53 PM 9/8/2022, Pierre Fichaud wrote:


Where do I find doc for the ERBFRMxx member in PARMLIB ?

I change NOTRACE to TRACE and I get a syntax error.

 .  33   IOQ(NOCOMM)/* NO 
COMMUNICATION I/O QUEUEING*/  .
 .  34   IOQ(NOGRAPH)   /* NO 
GRAPHICS DEVICE I/O QUEUEING  */  .
 .  35   IOQ(NONMBR)/* NO 
SELECTIVITY BY LCU NUMBERS*/  .
 .  36 NOFCD/* NO 
FICON DIRECTORS MEASURED  */  .
 .  37   PAGESP /* PAGE 
DATASET STATISTICS  */  .
 .  38   PAGING /* 
PAGING DATA  */  .
 .  39   TRACE  /* NO 
TRACE REPORT PRF-2022/09/08   */  .
 .  40   VSTOR(S)   /* 
VIRTUAL STORAGE SUMMARY DATA */  .
 .  41   WKLD   /* 
WORKLOAD MANAGER DATA*/  .


ERB100I RMF: ACTIVE
ERB300I ZZ : SYNTAX ERROR IN OR FOLLOWING TEXT BEGINNING '   */
ERB300I ZZ : VSTOR(S) ' IN LIBRARY 00 INPUT
ERB103I ZZ : OPTIONS IN EFFECT
ERB103I ZZ :   NOEXITS  -- MEMBER
ERB103I ZZ :   SYSOUT(A)  -- MEMBER
ERB103I ZZ :   NOREPORT  -- MEMBER
ERB103I ZZ :   RECORD  -- MEMBER
ERB103I ZZ :   NOOPTIONS  -- MEMBER
ERB103I ZZ :   SYNC(SMF)  -- MEMBER
ERB103I ZZ :   NOSTOP  -- MEMBER
ERB103I ZZ :   CYCLE(1000)  -- MEMBER
ERB103I ZZ :   NOVMGUEST  -- MEMBER
ERB103I ZZ :   WKLD  -- MEMBER
ERB103I ZZ :   VSTOR(S)  -- MEMBER
ERB103I ZZ :   NOTRACE  -- CHANGED
ERB103I ZZ :   PAGING  -- MEMBER

I don't see what I've done wrong.

Also, I can /S RMF but I can't /P RMF. It says that it is not active.
So I need to IPL to get rid of RMF.

Thanks in advance, Pierre.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Online application delay

2022-09-08 Thread Matt Hogstrom 
Is there another synthetic transaction like a PING / CESN / something else they 
can run during the slowdown?  This might quickly assess if its a network versus 
CICS resource issue.

Matt Hogstrom

“It may be cognitive, but, it ain’t intuitive."
— Hogstrom

> On Sep 8, 2022, at 3:01 AM, Brian Westerman  
> wrote:
> 
> It sounds like either you are not both doing "exactly" the same transaction, 
> or there could be a network issue between the two locations, although 
> networks tend to slow things down for a handful of seconds, not minutes.  Are 
> you sure that the transaction isn't waiting for something?  Is it always slow 
> at the remote site, and always fast at the local site or is it one of those 
> things where sometimes it's okay at the remote site, but just occasionally it 
> slows down.  If that is the case, then it's likely one of the CICS queues 
> that it's waiting for.
> 
> Brian
> 
> On Wed, 7 Sep 2022 12:12:05 +0400, Peter  wrote:

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: SMF type 76 records - RMF trace activity

2022-09-08 Thread Pierre Fichaud 
Where do I find doc for the ERBFRMxx member in PARMLIB ?

I change NOTRACE to TRACE and I get a syntax error.

 .  33   IOQ(NOCOMM)/* NO COMMUNICATION 
I/O QUEUEING*/  .
 .  34   IOQ(NOGRAPH)   /* NO GRAPHICS 
DEVICE I/O QUEUEING  */  .
 .  35   IOQ(NONMBR)/* NO SELECTIVITY 
BY LCU NUMBERS*/  .
 .  36 NOFCD/* NO FICON 
DIRECTORS MEASURED  */  .
 .  37   PAGESP /* PAGE DATASET 
STATISTICS  */  .
 .  38   PAGING /* PAGING DATA  
*/  .
 .  39   TRACE  /* NO TRACE REPORT 
PRF-2022/09/08   */  .
 .  40   VSTOR(S)   /* VIRTUAL STORAGE 
SUMMARY DATA */  .
 .  41   WKLD   /* WORKLOAD MANAGER 
DATA*/  .

ERB100I RMF: ACTIVE
ERB300I ZZ : SYNTAX ERROR IN OR FOLLOWING TEXT BEGINNING '   */
ERB300I ZZ : VSTOR(S) ' IN LIBRARY 00 INPUT
ERB103I ZZ : OPTIONS IN EFFECT
ERB103I ZZ :   NOEXITS  -- MEMBER
ERB103I ZZ :   SYSOUT(A)  -- MEMBER
ERB103I ZZ :   NOREPORT  -- MEMBER
ERB103I ZZ :   RECORD  -- MEMBER
ERB103I ZZ :   NOOPTIONS  -- MEMBER
ERB103I ZZ :   SYNC(SMF)  -- MEMBER
ERB103I ZZ :   NOSTOP  -- MEMBER
ERB103I ZZ :   CYCLE(1000)  -- MEMBER
ERB103I ZZ :   NOVMGUEST  -- MEMBER
ERB103I ZZ :   WKLD  -- MEMBER
ERB103I ZZ :   VSTOR(S)  -- MEMBER
ERB103I ZZ :   NOTRACE  -- CHANGED
ERB103I ZZ :   PAGING  -- MEMBER

I don't see what I've done wrong.

Also, I can /S RMF but I can't /P RMF. It says that it is not active.
So I need to IPL to get rid of RMF.

Thanks in advance, Pierre.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Redbook SG24-8205-06 - zPDT Guide

2022-09-08 Thread Dean Kent 
So those who currently are licensed will be unable to renew next year?   
I guess there are enough System Z professionals out in the workforce now...


On 9/7/2022 4:10 AM, Jay Maynard wrote:

I got mine in May. I've been told that IBM has quietly discontinued the
program, though.

On Tue, Sep 6, 2022, 23:37 Brian Westerman 
wrote:


Has anyone successfully received the zD learners edition setup yet?  I
realize this is about zpdt, but it reminded me that I was told that I was
approved last November, but nothing seems to have happened after that time.

Brian



On Tue, 6 Sep 2022 10:54:26 -0500, Parwez Hamid 
wrote:


Wanted to make the List aware of the following which some might find

useful - especially those new to zPDT


IBM Redbook SG24-8205-06

IBM ISV zPDT Guide and Reference

https://www.redbooks.ibm.com/redpieces/abstracts/sg248205.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Certificate problem

2022-09-08 Thread Charles Mills 
Where did this self-signed certificate come from? What tool generated it?

Case should not be a problem in a self-signed certificate. Technically I guess 
it is possible but you would almost have to do it on purpose.

I think the trace is pretty clear. I don't fully understand the big picture, 
but I think the trace is pretty clear as to what it is objecting to. Perhaps 
this is a tightened requirement in 1.3?

CM

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: VSMLIST question

2022-09-08 Thread Joseph Reichman 
Peter

You are right while doing my analysis 

I found some erroneous data returned not really erroneous 

But I did screen print so it’s not made up 

The allocated block address is FF7A5000

Looking at the doc mapping macro 
IGVVSMD for the block descriptor it’s 

VSMDBLKDSA
Now I know that address is really 7F7A5000

In the mapping macro there is no EQU for the high order bit what significance 
it is 

But I know you know  the answer hoping you can share 

In addition would be nice nice if IARV64 REQUEST=LIST 

Would return this type of info 

But you said I could open an RFE


Thank you 

> On Sep 8, 2022, at 11:30 AM, Peter Relson  wrote:
> 
> Joe R wrote:
> 
> Let me use an example 0001 7000 01000 0001 7000 0800
> 
> So the allocated address is 7800 for 200
> 
> 
> Close.
> 
> The freed storage starts at 7000 and runs for 800.
> That means that allocated storage starts at 7800 and runs for 800.
> 
> If you showed more data that preceded this, you'd have the owning TCB address.
> Keep in mind that subpool 0 can be shared across tasks.
> The owning task might not be "yours" or a subtask of "yours".
> 
> 
> So for example I could get a block descriptor 0001  7F88 1000 
> 0001 7FF88 0500now it my understanding the
> first 12 bytes is the allocated block descriptor
> 
> However when I do a VSMLOC on that address I get nothing return in the TCB= 
> field
> 
> 
> This clearly is not real data from the VSMLIST that has been shown. Why did 
> you have to make up data? There cannot possibly be a x'1000' byte block 
> starting at 7F88 even if the 7000 page wasn't ineligible.
> 
> Peter Relson
> z/OS Core Technology Design
> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: SMF type 76 records - RMF trace activity

2022-09-08 Thread Michael Oujesky 

And in Parmlib as:
BROWSESYS1.PARMLIB(ERBRMF02)   Line 42 Col 001 080
Command ===>  Scroll ===> CSR
 TRACE(RCVUICA,END) /* TRACE 'UIC AVERAGE'  */
 TRACE(RCVCPUA,END) /* TRACE 'CPU USAGE*16' */
 TRACE(RCVPTR,END)  /* TRACE 'PAGING RATE'  */
Michael

At 10:36 AM 9/8/2022, Michael Oujesky wrote:

 https://www.ibm.com/docs/en/zos/2.1.0?topic=rmf-zos-programmers-guide

See the sections on tracing.

Michael

ee the section on
At 09:23 AM 9/8/2022, Pierre Fichaud wrote:


In the RMF manuals, there is no mention of this SMF type.
How can I get these generated?

Thanks in advance, Pierre.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Certificate problem

2022-09-08 Thread Carmen Vitullo 

Phil,

Yes, it's TLSv1.3:

sorry I missed this.

You mean the label in the gskkyman entry?

I was thinking the entry, Cert that was added to RACF, that's where I had 
similar issues.
sorry I could not be more help
Carmen

On 9/8/2022 10:31 AM, Phil Smith III wrote:

Yes, it's TLSv1.3:


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: SMF type 76 records - RMF trace activity

2022-09-08 Thread Michael Oujesky 

 https://www.ibm.com/docs/en/zos/2.1.0?topic=rmf-zos-programmers-guide

See the sections on tracing.

Michael

ee the section on
At 09:23 AM 9/8/2022, Pierre Fichaud wrote:


In the RMF manuals, there is no mention of this SMF type.
How can I get these generated?

Thanks in advance, Pierre.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Certificate problem

2022-09-08 Thread Phil Smith III 
Carmen Vitullo asked:

>Phil, was this output from an SSL trace?

 

Yes.

 

>IIRC there's usually more data related to a cert error,  it's been 7, or

>8 years since I ran the trace but usually the trace data

>shows the TLS version also, it's a stretch but are you running TSL 1.1

>or higher?

 

Yes, it's TLSv1.3:
09/07/2022-17:30:14 Thd-1 INFO read_v3_server_hello(): Using TLSV1.3
protocol

 

>I'd agree with Attila also, I've had my security team load a cert for me

>that required mixed case, and they defined the LABEL with all caps

 

You mean the label in the gskkyman entry? I did that, no change. I also
tried it in RACF, via the *AUTH*/* virtual key ring; also same error:
09/08/2022-09:53:50 Thd-1 ERROR check_cert_extensions_3280_and_later():
Basic Constraints extension must be critical for CA Certificate

09/08/2022-09:53:50 Thd-1 EXIT check_cert_extensions_3280_and_later(): <---
Exit status 0x03353071 (53817457)

09/08/2022-09:53:50 Thd-1 ERROR validate_certificate_basics(): Unable to
verify certificate extensions: Error 0x03353071

09/08/2022-09:53:50 Thd-1 ERROR get_issuer_certificate(): Unable to validate
CA certificate: Error 0x03353071

09/08/2022-09:53:50 Thd-1 ERROR validate_certificate(): Unable to get issuer
certificate: Error 0x0335302f

09/08/2022-09:53:50 Thd-1 ERROR validate_certificate_mode(): Unable to
validate certificate: Error 0x0335302f

09/08/2022-09:53:50 Thd-1 ERROR cms_validate_certificate_mode_int(): Unable
to validate certificate: Error 0x0335302f

09/08/2022-09:53:50 Thd-1 EXIT cms_validate_certificate_mode_int(): <---
Exit status 0x0335302f (53817391)

09/08/2022-09:53:50 Thd-1 ERROR read_tls13_certificate(): Unable to validate
peer certificate: Error 0x0335302f

09/08/2022-09:53:50 Thd-1 ERROR send_tls13_alert(): Sent TLS 1.3 alert 42 to
140.236.144.55[443]

 

I'm 100% not trying to be one of those "No, your helpful advice can't be
right" people here! I just don't know how to apply it.

 

Thanks,
...phsiii 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: VSMLIST question

2022-09-08 Thread Peter Relson 
Joe R wrote:

Let me use an example 0001 7000 01000 0001 7000 0800

So the allocated address is 7800 for 200


Close.

The freed storage starts at 7000 and runs for 800.
That means that allocated storage starts at 7800 and runs for 800.

If you showed more data that preceded this, you'd have the owning TCB address.
Keep in mind that subpool 0 can be shared across tasks.
The owning task might not be "yours" or a subtask of "yours".


So for example I could get a block descriptor 0001  7F88 1000 
0001 7FF88 0500now it my understanding the
first 12 bytes is the allocated block descriptor

However when I do a VSMLOC on that address I get nothing return in the TCB= 
field


This clearly is not real data from the VSMLIST that has been shown. Why did you 
have to make up data? There cannot possibly be a x'1000' byte block starting at 
7F88 even if the 7000 page wasn't ineligible.

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Redbook SG24-8205-06 - zPDT Guide

2022-09-08 Thread Bill Ogden 

>Has anyone successfully received the zD learners edition setup yet?  I 
>realize this is about zpdt, but it reminded me that I was told that I was 
>approved last November, but nothing seems to have happened after that time.

The SG24-8205-06 book covers basic zPDT functions in the ISV zPDT version. It 
also covers a few aspects of the z/OS configuration that is available with the 
ISV zPDT package. The book was not intended to cover other zPDT usage, such as 
the multiple IBM ZD offerings, the ZD Learners Edition, other prepared z/OS 
packages, or future IBM products. Nevertheless, the book might be useful for 
dealing with basic zPDT operation in these other areas. Specific documentation 
for these "other" areas might come from the groups providing the specific 
areas. 

The basic usage details about zPDT are likely to be the same in these other 
areas, but the ordering, installation, licensing, networking, integration with 
other operating systems, higher-level control interfaces, maintenance, and so 
forth, are probably different in these other areas and useful documentation 
would require the necessary skills and experience in the specific areas.

However, the questions are good ones!

Bill Ogden



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: SMF type 76 records - RMF trace activity

2022-09-08 Thread Carmen Vitullo 
unless I'm missing it, I don't see where you're telling SMF to write 
these records

snip from my SMFPRM
STATUS(SMF,SYNC) /* WRITE SMF STATS AT INTERVAL */

SYS(TYPE(0:3,6:19,21:33,36:39,41:98,99(1,6,12),100:255),

EXITS(IEFACTRT,IEFUTL,IEFU29,IEFU29L,IEFU83,IEFU84,IEFU85,IEFU86,

  IEFUJV,IEFUJI,IEFUSI),
INTERVAL(01),DETAIL)

On 9/8/2022 9:31 AM, Pierre Fichaud wrote:

My SMF parms include all SMF types.
  .  01 INTVAL(01) /* SET SMF INTERVAL A 01 
MIN MEASAP*/ .
  .  02 SYNCVAL(01)/* SYNC SMF AT 01 MIN  
MEASAP*/   .
  .  03 DDCONS(NO) /* SAVE CPU TIME */  
 .
  .  04 ACTIVE /*ACTIVE SMF RECORDING*/ 
 .
  .  05 DSNAME(SYS1.,SYS1.) 
 .
  .  06 NOPROMPT   /*DO NOT PROMPT OPERATOR 
FOR OPTIONS*/.
  .  07 REC(PERM)  /*TYPE 17 PERM RECORDS 
ONLY*/ .
  .  08 MEMLIMIT(01024M)
 .
  .  09 MAXDORM(3000)  /* WRITE AN IDLE BUFFER 
AFTER 30 MIN*/.
  .  10 STATUS(SMF,SYNC)   /* CREATE SMF STATUS 
TYPE 23 IN SYNC */   .
  .  11 JWT(2400)  /* 522 AFTER 24 HOURS  
*/ .
  .  12 SID((1:4)) /* SYSTEM ID 
  */ .
  .  13 LISTDSN/* LIST DATA SET STATUS 
AT IPL*/  .
  .  14 LASTDS(MSG)/* SEND A MESSAGE WHEN 
OUT OF BUFFERS */  .
  .  15 NOBUFFS(MSG)/*DEFAULT TO 
MESSAGE  */ .
  .  16 SYS(EXITS(IEFU83,IEFU84,IEFU85,IEFACTRT,
 .
  .  17  
IEFUJV,IEFUSI,IEFUJP,IEFUSO,IEFUJI,IEFUTL,IEFU29,IEFUAV),   .

Regards, Pierre.  .  18  INTERVAL(SMF,SYNC),DETAIL)  .


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email tolists...@listserv.ua.edu  with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: SMF type 76 records - RMF trace activity

2022-09-08 Thread Pierre Fichaud 
My SMF parms include all SMF types.
 .  01 INTVAL(01) /* SET SMF INTERVAL A 01 
MIN MEASAP*/ .
 .  02 SYNCVAL(01)/* SYNC SMF AT 01 MIN  
MEASAP*/   .
 .  03 DDCONS(NO) /* SAVE CPU TIME */   
.
 .  04 ACTIVE /*ACTIVE SMF RECORDING*/  
.
 .  05 DSNAME(SYS1.,SYS1.)  
.
 .  06 NOPROMPT   /*DO NOT PROMPT OPERATOR 
FOR OPTIONS*/.
 .  07 REC(PERM)  /*TYPE 17 PERM RECORDS 
ONLY*/ .
 .  08 MEMLIMIT(01024M) 
.
 .  09 MAXDORM(3000)  /* WRITE AN IDLE BUFFER 
AFTER 30 MIN*/.
 .  10 STATUS(SMF,SYNC)   /* CREATE SMF STATUS TYPE 
23 IN SYNC */   .
 .  11 JWT(2400)  /* 522 AFTER 24 HOURS  */ 
.
 .  12 SID((1:4)) /* SYSTEM ID  
 */ .
 .  13 LISTDSN/* LIST DATA SET STATUS 
AT IPL*/  .
 .  14 LASTDS(MSG)/* SEND A MESSAGE WHEN 
OUT OF BUFFERS */  .
 .  15 NOBUFFS(MSG)/*DEFAULT TO MESSAGE 
 */ .
 .  16 SYS(EXITS(IEFU83,IEFU84,IEFU85,IEFACTRT, 
.
 .  17  
IEFUJV,IEFUSI,IEFUJP,IEFUSO,IEFUJI,IEFUTL,IEFU29,IEFUAV),   .
   
Regards, Pierre.  .  18  INTERVAL(SMF,SYNC),DETAIL) 
 .

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: SMF type 76 records - RMF trace activity

2022-09-08 Thread Colin Paice 
I  think your SMF PARMS needs to specify the records are to be collected -
and where to put them.
Colin

On Thu, 8 Sept 2022 at 15:23, Pierre Fichaud  wrote:

> In the RMF manuals, there is no mention of this SMF type.
> How can I get these generated?
>
> Thanks in advance, Pierre.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

SMF type 76 records - RMF trace activity

2022-09-08 Thread Pierre Fichaud 
In the RMF manuals, there is no mention of this SMF type.
How can I get these generated?

Thanks in advance, Pierre.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Certificate problem

2022-09-08 Thread Carmen Vitullo 

Phil, was this output from an SSL trace?

IIRC there's usually more data related to a cert error,  it's been 7, or 
8 years since I ran the trace but usually the trace data


shows the TLS version also, it's a stretch but are you running TSL 1.1 
or higher?


I'd agree with Attila also, I've had my security team load a cert for me 
that required mixed case, and they defined the LABEL with all caps


Carmen


On 9/7/2022 5:51 PM, Phil Smith III wrote:

I'm getting this trying to use a self-signed certificate. I put it into
gskkyman and when I try to connect (outbound from z/OS) I get

Certificate validation error

from GSK_SECURE_SOCKET_INIT. Running a gsktrace shows:
09/07/2022-17:30:14 Thd-1 ERROR check_cert_extensions_3280_and_later():
Basic Constraints extension must be critical for CA Certificate

09/07/2022-17:30:14 Thd-1 EXIT check_cert_extensions_3280_and_later(): <---
Exit status 0x03353071 (53817457)

09/07/2022-17:30:14 Thd-1 ERROR validate_certificate_basics(): Unable to
verify certificate extensions: Error 0x03353071

09/07/2022-17:30:14 Thd-1 ERROR get_issuer_certificate(): Unable to validate
CA certificate: Error 0x03353071

  


I find nothing for that error in the doc (either the text or the error
number). https://colinpaice.blog/2021/11/03/using-z-os-ldap-with-tls-1-3/
discusses the error, but I don't know how to check it! Other clients work
but that doesn't prove much-we know z/OS is more stringent about following
the rules than many.

  


Ideas?


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Certificate problem

2022-09-08 Thread Phil Smith III 
Attila Fogarasi kindly replied suggesting a case problem, which I'm
perfectly willing to believe but don't have any idea how to verify. Nothing
LOOKS off.

 

Meanwhile, some more digging suggests that it may be that the error message
is actually correct and clear, FSVO clear!

 

If I run
openssl x509 -in voltage-ca.crt -text -noout

against that cert I see:

X509v3 extensions:

X509v3 Basic Constraints:

CA:TRUE

But other reading suggests this should be:
X509v3 extensions:

X509v3 Basic Constraints: critical

CA:TRUE

and that this is therefore an omission in creating the cert. This is an RFC
3280 
requirement, but I strongly suspect that it gets ignored by many stacks. I
find other discussions that support this conclusion indirectly. It certainly
fits with the typical IBM strict interpretation of RFCs, which is hard to
argue with. I have a handful of random certs from past tinkering, and
running that command against them finds most do NOT have the Basic
Constraints set and/or have critical.

 

I'm asking if we can regenerate the cert either without the Basic
Constraints or with critical.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Online application delay

2022-09-08 Thread Brian Westerman 
It sounds like either you are not both doing "exactly" the same transaction, or 
there could be a network issue between the two locations, although networks 
tend to slow things down for a handful of seconds, not minutes.  Are you sure 
that the transaction isn't waiting for something?  Is it always slow at the 
remote site, and always fast at the local site or is it one of those things 
where sometimes it's okay at the remote site, but just occasionally it slows 
down.  If that is the case, then it's likely one of the CICS queues that it's 
waiting for.

Brian

On Wed, 7 Sep 2022 12:12:05 +0400, Peter  wrote:

>Graham,
>
>It's random. It's only a specific location is complaining not all
>
>When they run a specific transaction it clocks for a minute and when we run
>the same from our location it's quite quick
>
>
>On Wed, Sep 7, 2022, 2:01 AM Graham Harris  wrote:
>
>> is the delay at regular intervals, or random?
>> If regular intervals, then that may give some clues.
>>
>> On Sat, 27 Aug 2022 at 18:30, Peter  wrote:
>>
>> > Steve
>> >
>> > It's a non CICS application
>> >
>> > On Sat, Aug 27, 2022, 9:18 PM Steve Beaver 
>> wrote:
>> >
>> > > You are going to hate this but you need to look at your CICS SMF
>> records
>> > > and you may have to turn on the 99 records for a very very short time
>> > > probably 3 minutes or less
>> > >
>> > > Sent from my iPhone
>> > >
>> > > No one said I could type with one thumb
>> > >
>> > > > On Aug 27, 2022, at 12:00, Peter  wrote:
>> > > >
>> > > > Hello
>> > > >
>> > > > Good morning to all
>> > > >
>> > > > I am just trying to understand a strange online application(non-CICS)
>> > > delay
>> > > > which is happening only for a specific location but not on all
>> region.
>> > > >
>> > > >
>> > > > During the delay, I don't see any delay from the zOS perspective
>> > whereas
>> > > > the clocking symbol or a few min of freeze is happening only within
>> the
>> > > > online application.
>> > > >
>> > > > From the SMF perspective, which record can tell me the reason for
>> > delay ?
>> > > > As I don't get any clue in RMF or SYSLOGS
>> > > >
>> > > > Any pointers are much appreciated
>> > > >
>> > > > We are at z/OS 2.4 and are just monoplex environment.
>> > > >
>> > > > Peter
>> > > >
>> > > >
>> --
>> > > > For IBM-MAIN subscribe / signoff / archive access instructions,
>> > > > send email to lists...@listserv.ua.edu with the message: INFO
>> IBM-MAIN
>> > >
>> > > --
>> > > For IBM-MAIN subscribe / signoff / archive access instructions,
>> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> > >
>> >
>> > --
>> > For IBM-MAIN subscribe / signoff / archive access instructions,
>> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> >
>>
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>
>
>--
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Redbook SG24-8205-06 - zPDT Guide

2022-09-08 Thread Timothy Sipples 
Jay Maynard wrote:
>My understanding is that a Wazi user gets no access to the OS system level
>at all. A Wazi user cannot do any systems modifications, period: no access
>to system parameters, no ability to alter any specifications, no console
>access beyond what an application programmer might need.
>This is all what I have been told, so if I'm incorrect, I'll be happy to be
>corrected.

I don't think your understanding is accurate. The documentation describing 
current limitations and caveats is available here:

https://www.ibm.com/docs/en/wazi-aas/1.0.0?topic=known-limitations

Elsewhere in the documentation IBM refers to z/OS operator consoles (in the 
z/OSMF section describing default ports in the stock image). IBM describes 
installing PTFs (if you have access to them) in the stock image, adding users 
to RACF (including highly privileged ones), taking a stand-alone dump of your 
z/OS instance, installing additional software products, and some other 
interesting tasks.

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN