Re: Interpreting SEND/RECV CIPHERs
COG, Can you get a wireshark trace from the client end? (If so I can help you look at the output) What are you using on z/OS? AT-TLS, CICS, Liberty etc? Colin On Sun, 11 Dec 2022 at 12:12, Keith Gooding < 034af3894af4-dmarc-requ...@listserv.ua.edu> wrote: > TCPIP invokes z/os System SSL so if there is any documentation provided by > IBM it will be in System SSL documentation but I could not find the record > formats. System SSL provides the gsk trace command and it is possible that > this will format the records for you. You will find the definitive > explanation if SSL/TLS handshake records in RFC 8446 for TLS 1.3 which has > references to earlier versions . These can be difficult to read but when I > needed to understand SSL messages some time ago Googling for terms such as > ‘SSL message format’ found several explanations of SSL message structure > with examples. BTW I remember reading that z/os 2.5 includes improved > diagnostics for handshake failures but I have not investigated further. > > Keith > > > On 9 Dec 2022, at 16:47, Crusty Old Guy > wrote: > > > > > >> > >>> 0090 EZD1285I TTLS Data CONNID: 0014 SEND CIPHER 1503020002020A > >> The 1503020002020A is an SSL alert packet with a fatal error: > Unexpected message > > > > This brief interchange comes from the archives. I need to find the > meaning of a different cipher. > > > > I've gone through "IP Diagnosis" and didn't find any clues. > > > > Can anyone help? > > > > Thank you, > > COG > > > > -- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Why email from z/OS SMTP rejected by Gmail?
That's a SHOULD, not a MUST. I don't recall whether the SMTP external writer (z"l) generated message-id or whether the application needed to include it in its sysout. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Paul Gilmartin [042bfe9c879d-dmarc-requ...@listserv.ua.edu] Sent: Sunday, December 11, 2022 9:42 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Why email from z/OS SMTP rejected by Gmail? On Dec 11, 2022, at 17:06:52, Seymour J Metz wrote: > > What happens if you generate a message-id : header field? > Isn't the Mail Agent supposed to do that for you? Where's sendmail when you need it? Did IBM end it because it was too useful? Ironically, the z/OS UNIX Command Ref. contains several vestigial references to sendmail which IBM no longer supplies. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
AT-TLS change prevents shopz download
We had AT-TLS modified to use a secured port for DB2 connection. But now my SMPe receive via HTTPS is failing with the following: EDC8121I Connection reset. (connect failed) What needs to be changed in order to allow HTTPS download from IBM? thanks Bill -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Interpreting SEND/RECV CIPHERs
A gsktrace is pretty easy to get and format. If it's an LE application, then in your LE options you can put: ENVAR(GSK_TRACE=0X,GSK_TRACE_FILE=/u/fred/myssltrace.file) Otherwise I assume just setting those environment variables should work. Then after you run the thing (and it fails) you'll see a file in that location. Issue: gsktrace /u/fred/myssltrace.file > /some/location/ssltrace.txt And you should wind up with a nice, moderately readable trace file. I've been learning a lot about various TLS errors from tracing our stuff, would be interested in seeing yours since I might learn something. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Interpreting SEND/RECV CIPHERs
I have had great results, clear to understand even for me, using an SSL TRACE I have documented the process I used if needed Carmen On 12/12/2022 12:10 PM, Phil Smith III wrote: A gsktrace is pretty easy to get and format. If it's an LE application, then in your LE options you can put: ENVAR(GSK_TRACE=0X,GSK_TRACE_FILE=/u/fred/myssltrace.file) Otherwise I assume just setting those environment variables should work. Then after you run the thing (and it fails) you'll see a file in that location. Issue: gsktrace /u/fred/myssltrace.file > /some/location/ssltrace.txt And you should wind up with a nice, moderately readable trace file. I've been learning a lot about various TLS errors from tracing our stuff, would be interested in seeing yours since I might learn something. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- Carmen -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Interpreting SEND/RECV CIPHERs
Carmen Vitullo wrote: >I have had great results, clear to understand even for me, using an SSL TRACE >I have documented the process I used if needed Is that gsktrace or the component trace? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Interpreting SEND/RECV CIPHERs
gsktrace - Carmen On 12/12/2022 12:20 PM, Phil Smith III wrote: Carmen Vitullo wrote: I have had great results, clear to understand even for me, using an SSL TRACE I have documented the process I used if needed Is that gsktrace or the component trace? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- Carmen -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Interpreting SEND/RECV CIPHERs
Carmen Vitullo wrote: >gsktrace - Darn. Was hoping for something else to use! Component trace looks tricky. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Interpreting SEND/RECV CIPHERs
Sorry Phil, the trace I used, gsktrace was suggested by IBM support to resolve and issue we had with db2 connections from internal and external sources . Carmen On 12/12/2022 12:36 PM, Phil Smith III wrote: Carmen Vitullo wrote: gsktrace - Darn. Was hoping for something else to use! Component trace looks tricky. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- Carmen -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
How to SORT Variable records with OVERLAY
Hi all, I am taking a file and using PUSH and OVERLAY to condense multiple input lines into a single line. That all works fine and I even get the correct format output when I use OPTION COPY or SORT FIELDS=COPY. However, I want to sort on my OVERLAY area fields, but I get an error message ICE218A 3 117 BYTE VARIABLE RECORD IS SHORTER THAN 138 BYTE MINIMUM FOR FIELDS Because my input is a VBA file (out of my control), some of the records are much shorter than my SORT FIELDS location. What do I need to do to use SORT FIELDS=(...) here? Do I need to just overlay the unneeded columns at the beginning of the record? All my sort keys will be shorter than the shortest record in the file, but I expected that by using INCLUDE statements to only keep the long records I needed, I would not run into this. My control cards say OPTION VLSCMP SORT FIELDS=(set1,set2, set3) INCLUDE COND=...,OR, ... INREC with multiple IFTHEN and PUSH and OVERLAYs OUTFIL VTOF, INCLUDE,BUILD There must be something simple I am missing (and there will be another question tomorrow if I get this fixed). Thank you and best regards, Billy Ashton -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to SORT Variable records with OVERLAY
>> Because my input is a VBA file (out of my control), some of the records are >> much shorter than my SORT FIELDS location. Billy, Ideally you can use VLSHRT for padding short records for SORTING. However, if you use INREC/OUTREC , it will not work. So, if you want to use INREC editing you need to PUSH the contents right after RDW to retain the variable length records. If you don't care about variable lengths of the output file then use IFOUTLEN= nnn ( where nnn= max length of the overlay/push record). Alternatively, if you show me the control cards I can show you the optimal way of achieving the results. Thanks, Kolusu DFSORT Development IBM Corporation -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Why email from z/OS SMTP rejected by Gmail?
On 12/11/22 1:52 PM, Bob Bridges wrote: I wonder whether any old string will do as a Message-ID? There is some rough formatting to it. It's fairly well documented in multiple internet email RFCs. I'd suggest glancing at RFC 5322. The Message-ID looks like an email address, but it is not. Nor do the parts on either side actually matter beyond uniqueness. It's by convention that the entity that adds the Message-ID header use (one of) their domain name(s). The idea is that their domain name is somewhat of a stand-in as the identity of a "naming authority". As long as you follow the patterns of what's on either side of the at sign, it could be purely random data. -- I personally set mine to what looks like an email address that feeds a spam trap (which I manually go through). I'm guessing the first part of that string is assigned by your email provider and is unique either to AOL or to your email address; It /may/ be assigned by your email provider. But you can easily assign it yourself. if so, it'd be easy enough to include a header with some string using that format, and maybe that's all Google wants to see? Yep. You're *EXACTLY* correct on /both/ accounts; creating and what Google wants. Although why Gmail fails text emails and not HTML I don't know. Wait, did you try sending an HTML email to a Gmail address? I'm guessing that was luck of the random(draw). -- Grant. . . . unix || die -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Why email from z/OS SMTP rejected by Gmail?
On 12/11/22 2:30 PM, Farley, Peter wrote: At this Google support url there are eight different reasons that could apply to the error "550 5.7.1". https://support.google.com/a/answer/3726730?hl=en My bet is: 550, "5.7.1", Our system has detected that this message is likely unsolicited mail. To reduce the amount of spam sent to Gmail, this message has been blocked. For more information, visit Why has Gmail blocked my messages? Google / Gmail is been ratcheting up the anti-spam measures as of the last 3+ months, including /requiring/ headers that RFCs may not actually require; e.g. SHOULD vs MUST. There has been a lot of noise about this moving target of a change on Google / Gmail's part, at least in many circles that I travel. -- Grant. . . . unix || die -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Why email from z/OS SMTP rejected by Gmail?
On 12/12/22 4:49 AM, Seymour J Metz wrote: That's a SHOULD, not a MUST. I don't recall whether the SMTP external writer (z"l) generated message-id or whether the application needed to include it in its sysout. You're using RFC language. Remember, each and every email operator is free to do what they want to. Google / Gmail has recently (~3 months?) been requiring headers to exist that almost all legitimate email has that spam is more likely to not have. Requiring a header to exist that all contemporary mail clients (MUAs) have added for more than 20 years, is a fairly safe thing. It's only atypical email sending systems, which aren't MUAs, that have been running into this problem. Or really old / unmaintained MUAs, likely from 20+ years ago. -- Grant. . . . unix || die -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Why email from z/OS SMTP rejected by Gmail?
The RFC language determines what the software must do in order to be RFC compliant. Violate a MAY or SHOULD and you're still compliant. Violate a MUST and you're not compliant. But nothing forces you to be compliant, although peer pressure might encourage it. Sending response codes 450 and 550, including 550 5.7.1, for policy reasons is RFC compliant. As you noted, it's the rare MUA and MSA that doesn't add them, so, yes, rheir servers, their rules. Similarly for checking DKIM or SPF; it is perfectly RFC compliant to reject mail that doesn't contain them or doesn't pass validation. One more potential issue is that it is RFC compliant to reject mail from domains or IP addresses that you consider problematical. The better the reutation of your provider, the more likely that your mail will get through. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Grant Taylor [023065957af1-dmarc-requ...@listserv.ua.edu] Sent: Monday, December 12, 2022 7:19 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Why email from z/OS SMTP rejected by Gmail? On 12/12/22 4:49 AM, Seymour J Metz wrote: > That's a SHOULD, not a MUST. I don't recall whether the SMTP external > writer (z"l) generated message-id or whether the application needed > to include it in its sysout. You're using RFC language. Remember, each and every email operator is free to do what they want to. Google / Gmail has recently (~3 months?) been requiring headers to exist that almost all legitimate email has that spam is more likely to not have. Requiring a header to exist that all contemporary mail clients (MUAs) have added for more than 20 years, is a fairly safe thing. It's only atypical email sending systems, which aren't MUAs, that have been running into this problem. Or really old / unmaintained MUAs, likely from 20+ years ago. -- Grant. . . . unix || die -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Sysplex environment perform DEFRAG
Hi all, Anyone can share how to perform disk DEFRAG at the parallel sysplex environment? Anything need to aware ? Thanks for sharing -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Sysplex environment perform DEFRAG
Run defrag. Files open will not be touched. On Mon, Dec 12, 2022 at 9:44 PM Tommy Tsui wrote: > > Hi all, > > Anyone can share how to perform disk DEFRAG at the parallel sysplex > environment? Anything need to aware ? > Thanks for sharing > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- Mike A Schwab, Springfield IL USA Where do Forest Rangers go to get away from it all? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN