Re: SSH tunneling for unattended process.

2023-12-29 Thread kekronbekron
Thank you.
You know how we sometimes only have vague understanding that somehow stays 
vague..
Your explanation below popped things into place and cleared the fog I had.
Thanks again!


On Saturday, December 30th, 2023 at 12:26, Jon Perryman  
wrote:


> On Sat, 30 Dec 2023 04:02:22 +, kekronbekron kekronbek...@protonmail.com 
> wrote:
> 
> > So SSH is used for auth and encryption,
> 
> 
> SSH has multiple features. Understand that SSH's primary feature is "Secure 
> SHell" where you can issue UNIX commands on a remote UNIX system thru an 
> encrypted connection. You must login to that remote system thru SSH using one 
> of the implemented methods (e.g. userid / password). SSH is delivered on most 
> UNIX systems although it may require some configuration.
> 
> > and mainly just as a tunnel (as the first mail mentioned).
> 
> 
> Port tunneling is a second feature which I believe disables shell commands 
> (never bothered to try it). There's plenty of documentation on the internet 
> (e.g. https://linuxize.com/post/how-to-setup-ssh-tunneling/).
> 
> An unencrypted 3270 connection:
> tn3270 -host MVSsystem.com -port 3270
> 
> Encrypted 3270 connection
> ssh -L localhost:100:MVSsystem.com:3270 unix_use...@mvssystem.com
> TN3270 -host localhost -port 100
> 
> Specifying localhost is important because it limits access to this specific 
> machine. 0.0.0.0 would allow other machines to access MVSsystem.com thru this 
> machine.
> 
> The server and client can be on either side but I always used the client app 
> on the machine issuing the SSH with the server on the other machine.
> 
> > The traffic that's tunnelled may be any protocol or a TCP socket.
> 
> 
> In theory, yes but I've only used it with TCP.
> 
> > and the goal is to just use SSH's ubiquity (say port 22) to make life 
> > easier w.r.t firewalls and all that.
> 
> 
> The goal is encryption which is provided by SSH instead of building it into 
> the application. As for firewalls, I don't see how it changes anything. 
> Firewall implements NAT, filtering, proxy servers and ???. I would think that 
> implementing SSL into the client / server would be more secure.
> 
> > I wonder if spiped fits the bill - https://www.tarsnap.com/spiped.html
> 
> 
> I'm not familiar with SPIPED but from that documentation, it appears it could 
> be used for this purpose. The drawback is that you must install the client.
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



Re: SSH tunneling for unattended process.

2023-12-29 Thread Jon Perryman
On Sat, 30 Dec 2023 04:02:22 +, kekronbekron  
wrote:

>So SSH is used for auth and encryption, 

SSH has multiple features. Understand that SSH's primary feature is "Secure 
SHell" where you can issue UNIX commands on a remote UNIX system thru an 
encrypted connection. You must login to that remote system thru SSH using one 
of the implemented methods (e.g. userid / password). SSH is delivered on most 
UNIX systems although it may require some configuration.

> and mainly just as a tunnel (as the first mail mentioned).

Port tunneling is a second feature which I believe disables shell commands 
(never bothered to try it). There's plenty of documentation on the internet 
(e.g. https://linuxize.com/post/how-to-setup-ssh-tunneling/).

An unencrypted 3270 connection:
tn3270 -host MVSsystem.com -port 3270 

Encrypted 3270 connection
ssh -L localhost:100:MVSsystem.com:3270 unix_use...@mvssystem.com
TN3270 -host localhost -port 100

Specifying localhost is important because it limits access to this specific 
machine. 0.0.0.0 would allow other machines to access MVSsystem.com thru this 
machine.

The server and client can be on either side but I always used the client app on 
the machine issuing the SSH with the server on the other machine. 

>The traffic that's tunnelled may be any protocol or a TCP socket.

In theory, yes but I've only used it with TCP.

> and the goal is to just use SSH's ubiquity (say port 22) to make life easier 
> w.r.t firewalls and all that.

The goal is encryption which is provided by SSH instead of building it into the 
application. As for firewalls, I don't see how it changes anything. Firewall 
implements NAT, filtering, proxy servers and ???. I would think that 
implementing SSL into the client / server would be more secure.

>I wonder if spiped fits the bill - https://www.tarsnap.com/spiped.html

 I'm not familiar with SPIPED but from that documentation, it appears it could 
be used for this purpose. The drawback is that you must install the client.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
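
The points made in this thread for an unattended tunnel (keep the listener on localhost, never prompt, fail if the host key is unknown or changed), as a wrapper script. This is an added example, not code from any poster; the host zos.example.com, the login tunnelsvc, local port 10023 and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: unattended SSH local port forward that refuses any listener
# other machines could reach. Hosts, login and ports below are constructed.

# is_loopback BIND: succeed only for addresses reachable from this machine alone.
# An empty BIND or "*" makes ssh listen on all interfaces, so both are refused.
is_loopback() {
    case "$1" in
        localhost|127.0.0.1|'[::1]') return 0 ;;
        *) return 1 ;;
    esac
}

# valid_port N: succeed for a decimal integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# safe_word W: refuse empty values, embedded spaces, and a leading "-" that
# ssh would parse as an option instead of a host or login.
safe_word() {
    case "$1" in
        ''|-*|*' '*) return 1 ;;
        *) return 0 ;;
    esac
}

# run_tunnel BIND LPORT RHOST RPORT LOGIN
# Returns 2 for a non-loopback bind, 3 for a bad port, 4 for a bad host or
# login; otherwise the exit status of ssh. With DRY_RUN set it only prints
# the command it would run.
run_tunnel() {
    [ "$#" -eq 5 ] || { echo "usage: run_tunnel BIND LPORT RHOST RPORT LOGIN" >&2; return 64; }
    bind=$1 lport=$2 rhost=$3 rport=$4 login=$5
    if ! is_loopback "$bind"; then
        echo "refusing bind address '$bind': listener must stay on loopback" >&2
        return 2
    fi
    if ! valid_port "$lport" || ! valid_port "$rport"; then
        echo "ports must be integers in 1..65535" >&2
        return 3
    fi
    if ! safe_word "$rhost" || ! safe_word "$login"; then
        echo "remote host and login must be plain words" >&2
        return 4
    fi
    # -N: no remote command, forwarding only.  -T: no terminal.
    # BatchMode: never prompt; fail if the key cannot be used unattended.
    # StrictHostKeyChecking=yes: fail if the host key is unknown or changed.
    # ExitOnForwardFailure: exit if the local listener cannot be created.
    # ServerAlive*: notice a dead session so a supervisor can restart it.
    set -- -N -T \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -L "$bind:$lport:$rhost:$rport" "$login"
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ssh %s\n' "$*"
        return 0
    fi
    ssh "$@"
}

# Five arguments: open the tunnel. No arguments: print the command for a
# constructed sample and return.
if [ "$#" -eq 5 ]; then
    run_tunnel "$@"
elif [ "$#" -eq 0 ]; then
    ( DRY_RUN=1; run_tunnel localhost 10023 zos.example.com 3270 tunnelsvc@zos.example.com )
fi
```

Run it under a supervisor that restarts it when ssh exits, as the /etc/inittab setup described in the thread did.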


Re: SMF Interval

2023-12-29 Thread Mike Schwab
Our site used 6 minutes.

On Fri, Dec 29, 2023 at 7:36 PM Ed Jaffe 
wrote:

> On 12/29/2023 3:20 PM, Mark Zelden wrote:
> > This paper from Scott Chapman of EPS talks about the subject and he
> agrees with
> > me that it should be no longer than 15 minutes and that RMF/SMF should
> be synced.
> >
> >
> https://www.pivotor.com/library/content/Chapman_SMFRecommendations_2022.pdf
>
> Super helpful. Thanks, Mark!
>
> --
> Phoenix Software International
> Edward E. Jaffe
> 831 Parkview Drive North
> El Segundo, CA 90245
> https://www.phoenixsoftware.com/
>
>
>
> 
> This e-mail message, including any attachments, appended messages and the
> information contained therein, is for the sole use of the intended
> recipient(s). If you are not an intended recipient or have otherwise
> received this email message in error, any use, dissemination, distribution,
> review, storage or copying of this e-mail message and the information
> contained therein is strictly prohibited. If you are not an intended
> recipient, please contact the sender by reply e-mail and destroy all copies
> of this email message and do not otherwise utilize or retain this email
> message or any or all of the information contained therein. Although this
> email message and any attachments or appended messages are believed to be
> free of any virus or other defect that might affect any computer system
> into
> which it is received and opened, it is the responsibility of the recipient
> to ensure that it is virus free and no responsibility is accepted by the
> sender for any loss or damage arising in any way from its opening or use.
>


-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?



Re: SSH tunneling for unattended process.

2023-12-29 Thread kekronbekron
Ah... ok.
So SSH is used for auth and encryption, and mainly just as a tunnel (as the 
first mail mentioned).
The traffic that's tunnelled may be any protocol or a TCP socket... and the 
goal is to just use SSH's ubiquity (say port 22) to make life easier w.r.t 
firewalls and all that.

Is this right?

I wonder if spiped fits the bill - https://www.tarsnap.com/spiped.html


On Saturday, December 30th, 2023 at 09:17, Paul Gilmartin 
<042bfe9c879d-dmarc-requ...@listserv.ua.edu> wrote:


> On Sat, 30 Dec 2023 02:47:28 +, kekronbekron wrote:
> 
> > Correct me if I'm wrong but I think "ssh -L ..." is just to get to SSH on a 
> > target machine via a non-standard port?
> 
> I believe that's "ssh -oPort=" which I use regularly to get to a 
> nonstandard
> (portmapped) port.
> 
> I once knew how to use ssh to set up an encrypted connection for a 
> non-encrypted
> service, such as ftp. I no longer remember how. Perhaps see "-L" in
> https://linux.die.net/man/1/ssh
> 
> > On Friday, December 29th, 2023 at 20:35, Rick Troth wrote:
> > 
> > > I can't speak for Frank, but he started his inquiry with this:
> > > 
> > > > We're looking at using an SSH tunnel (or reverse tunnel) to encrypt a
> > > > connection where the application on the other end does not support TLS.
> > > 
> > > SSH is an excellent choice for this kind of job.
> > > You can use SSH directly (with client invoking SSH to launch a service
> > > program on the target)
> > > or you can establish one or more TCP listeners (either direction) over
> > > an SSH session, or any combination.
> > > ALL of the traffic handled by way of the SSH session would be encrypted.
> > > 
> > > So I might not have understood exactly what Frank needs, but I'm a firm
> > > believer in SSH.
> > > 
> > > Authentication of the remote SSH host is done using the SSH host key(s)
> > > on the target system. That's standard.
> > > 
> > > Authentication of the client can be done using an SSH client key (as is
> > > my practice) or using PKI certificates (as Colin describes in his blog).
> > > Frank indicated that what he needs is unattended/automatic, easily
> > > supported using either method.
> > > 
> > > Does that help?
> > > 
> > > -- R; <><
> > > 
> > > On 12/29/23 09:20, kekronbekron wrote:
> > > 
> > > > Hi Rick/Frank,
> > > > 
> > > > If you have time, could you explain more about this setup.
> > > > I don't get what's desired..
> > > > 
> > > > On Friday, December 29th, 2023 at 19:04, Rick Troth tro...@gmail.com 
> > > > wrote:
> > > > 
> > > > > Hi Frank --
> > > > > 
> > > > > BT/DT and it works great.
> > > > > 
> > > > > I took the usual means of capturing the host key of the target: signed
> > > > > on as the service account and ran 'ssh' interactively. Ever after, the
> > > > > client would not be prompted, but it would fail if the key changed. 
> > > > > (And
> > > > > that's the point.)
> > > > > 
> > > > > The client signed on using an SSH client key. Of course, I had to 
> > > > > break
> > > > > a rule here and magically obviate the need for a pass phrase. (Dark
> > > > > magic. Not something we speak about in public.)
> > > > > 
> > > > > In this particular case, I ran it from /etc/inittab on a traditional 
> > > > > Unix
> > > > > (Linux) system. That way when the session would die it would be 
> > > > > restarted.
> > > > > 
> > > > > This hack used either -L or -R, I forget which, but established a TCP
> > > > > listener. All traffic was limited to local (which is the default), so 
> > > > > no
> > > > > risk of someone off-box sending or seeing cleartext.
> > > > > 
> > > > > -- R; <><
> > > > > 
> > > > > On 12/29/23 04:53, Colin Paice wrote:
> > > > > 
> > > > > > Frank,
> > > > > > What do you have on the z/OS end? If the back end supports it, it 
> > > > > > can map
> > > > > > from a certificate to a userid.
> > > > > > See Using certificates to logon to z/OS
> > > > > > https://colinpaice.blog/2023/03/28/using-certificates-to-logon-to-z-os/
> > > > > > and What’s the difference between RACDCERT MAP and RACMAP?
> > > > > > https://colinpaice.blog/2020/07/28/whats-the-difference-between-racdcert-map-and-racmap/
> > > > > > Colin
> > > > > > 
> > > > > > On Fri, 29 Dec 2023 at 06:27, Frank swarbrick frank.swarbr...@outlook.com
> > > > > > wrote:
> > > > > > 
> > > > > > > We're looking at using an SSH tunnel (or reverse tunnel) to 
> > > > > > > encrypt a
> > > > > > > connection where the application on the other end does not 
> > > > > > > support TLS.
> > > > > > > The POC looks to be working. I am now pondering on the steps 
> > > > > > > required to
> > > > > > > make setting up the tunnel an automated process. It seems to me 
> > > > > > > that we'd
> > > > > > > want the z/OS user to be a "protected" user
> > > > > > > (NOPASSWORD/NOPHRASE/NOOIDCARD). Would this require that we use 
> > > > > > > SSH host
> > > > > > > based authentication? I imagine that the user would require an 
> > > > > > > OMVS
> > > > 

Re: SSH tunneling for unattended process.

2023-12-29 Thread Paul Gilmartin
On Sat, 30 Dec 2023 02:47:28 +, kekronbekron wrote:
>
>Correct me if I'm wrong but I think "ssh -L ..." is just to get to SSH on a 
>target machine via a non-standard port?
> 
I believe that's "ssh -oPort=" which I use regularly to get to a nonstandard
(portmapped) port.

I once knew how to use ssh to set up an encrypted connection for a non-encrypted
service, such as ftp.  I no longer remember how.  Perhaps see "-L" in
https://linux.die.net/man/1/ssh
>
>
>On Friday, December 29th, 2023 at 20:35, Rick Troth wrote:
>
>
>> I can't speak for Frank, but he started his inquiry with this:
>> 
>> > We're looking at using an SSH tunnel (or reverse tunnel) to encrypt a
>> > connection where the application on the other end does not support TLS.
>> 
>> 
>> SSH is an excellent choice for this kind of job.
>> You can use SSH directly (with client invoking SSH to launch a service
>> program on the target)
>> or you can establish one or more TCP listeners (either direction) over
>> an SSH session, or any combination.
>> ALL of the traffic handled by way of the SSH session would be encrypted.
>> 
>> So I might not have understood exactly what Frank needs, but I'm a firm
>> believer in SSH.
>> 
>> Authentication of the remote SSH host is done using the SSH host key(s)
>> on the target system. That's standard.
>> 
>> Authentication of the client can be done using an SSH client key (as is
>> my practice) or using PKI certificates (as Colin describes in his blog).
>> Frank indicated that what he needs is unattended/automatic, easily
>> supported using either method.
>> 
>> Does that help?
>> 
>> -- R; <><
>> 
>> 
>> 
>> On 12/29/23 09:20, kekronbekron wrote:
>> 
>> > Hi Rick/Frank,
>> > 
>> > If you have time, could you explain more about this setup.
>> > I don't get what's desired..
>> > 
>> > On Friday, December 29th, 2023 at 19:04, Rick Troth tro...@gmail.com wrote:
>> > 
>> > > Hi Frank --
>> > > 
>> > > BT/DT and it works great.
>> > > 
>> > > I took the usual means of capturing the host key of the target: signed
>> > > on as the service account and ran 'ssh' interactively. Ever after, the
>> > > client would not be prompted, but it would fail if the key changed. (And
>> > > that's the point.)
>> > > 
>> > > The client signed on using an SSH client key. Of course, I had to break
>> > > a rule here and magically obviate the need for a pass phrase. (Dark
>> > > magic. Not something we speak about in public.)
>> > > 
>> > > In this particular case, I ran it from /etc/inittab on a traditional Unix
>> > > (Linux) system. That way when the session would die it would be 
>> > > restarted.
>> > > 
>> > > This hack used either -L or -R, I forget which, but established a TCP
>> > > listener. All traffic was limited to local (which is the default), so no
>> > > risk of someone off-box sending or seeing cleartext.
>> > > 
>> > > -- R; <><
>> > > 
>> > > On 12/29/23 04:53, Colin Paice wrote:
>> > > 
>> > > > Frank,
>> > > > What do you have on the z/OS end? If the back end supports it, it can 
>> > > > map
>> > > > from a certificate to a userid.
>> > > > See Using certificates to logon to z/OS
>> > > > https://colinpaice.blog/2023/03/28/using-certificates-to-logon-to-z-os/
>> > > > and What’s the difference between RACDCERT MAP and RACMAP?
>> > > > https://colinpaice.blog/2020/07/28/whats-the-difference-between-racdcert-map-and-racmap/
>> > > > Colin
>> > > > 
>> > > > On Fri, 29 Dec 2023 at 06:27, Frank swarbrick frank.swarbr...@outlook.com
>> > > > wrote:
>> > > > 
>> > > > > We're looking at using an SSH tunnel (or reverse tunnel) to encrypt a
>> > > > > connection where the application on the other end does not support 
>> > > > > TLS.
>> > > > > The POC looks to be working. I am now pondering on the steps 
>> > > > > required to
>> > > > > make setting up the tunnel an automated process. It seems to me that 
>> > > > > we'd
>> > > > > want the z/OS user to be a "protected" user
>> > > > > (NOPASSWORD/NOPHRASE/NOOIDCARD). Would this require that we use SSH 
>> > > > > host
>> > > > > based authentication? I imagine that the user would require an OMVS
>> > > > > segment. I wonder if it would need a shell or home directory. Any 
>> > > > > other
>> > > > > thoughts?

-- 
gil



Re: SMF Interval

2023-12-29 Thread Michael Oujesky
Perhaps using RMF III VSAM data stores with a 60 second sampling 
interval would be a better approach.


Michael

At 03:46 AM 12/29/2023, Colin Paice wrote:


With MQ some customers would set the interval to one minute for a period to
get granular statistics and accounting to help with problem determination.
The MQ accounting would report maximum response time for the interval.  If
you have a "spiky" problem,  being able to identify the minute it occurred
in, was very useful, and being able to correlate to other events.
Note:   This can produce a lot of data!

On Fri, 29 Dec 2023 at 05:23, Ed Jaffe  wrote:

> What SMF interval do most folks use?
>
> --
> Phoenix Software International
> Edward E. Jaffe
> 831 Parkview Drive North
> El Segundo, CA 90245
> https://www.phoenixsoftware.com/
>
>
>
> 




Re: SSH tunneling for unattended process.

2023-12-29 Thread kekronbekron
Thanks Rick.
This is the part I don't follow... "You can use SSH directly (with client 
invoking SSH to launch a service program on the target)".

Is it possible to make a simple example?
User A at Machine A wants to connect via port 4321 to machine B port 22, and 
it's just good old SSH connectivity.

I don't understand the "encrypt a connection" part.
Meaning, SSH-ing into machines is well known and there's encryption etc.

Correct me if I'm wrong but I think "ssh -L ..." is just to get to SSH on a 
target machine via a non-standard port?



On Friday, December 29th, 2023 at 20:35, Rick Troth  wrote:


> I can't speak for Frank, but he started his inquiry with this:
> 
> > We're looking at using an SSH tunnel (or reverse tunnel) to encrypt a
> > connection where the application on the other end does not support TLS.
> 
> 
> SSH is an excellent choice for this kind of job.
> You can use SSH directly (with client invoking SSH to launch a service
> program on the target)
> or you can establish one or more TCP listeners (either direction) over
> an SSH session, or any combination.
> ALL of the traffic handled by way of the SSH session would be encrypted.
> 
> So I might not have understood exactly what Frank needs, but I'm a firm
> believer in SSH.
> 
> Authentication of the remote SSH host is done using the SSH host key(s)
> on the target system. That's standard.
> 
> Authentication of the client can be done using an SSH client key (as is
> my practice) or using PKI certificates (as Colin describes in his blog).
> Frank indicated that what he needs is unattended/automatic, easily
> supported using either method.
> 
> Does that help?
> 
> -- R; <><
> 
> 
> 
> On 12/29/23 09:20, kekronbekron wrote:
> 
> > Hi Rick/Frank,
> > 
> > If you have time, could you explain more about this setup.
> > I don't get what's desired..
> > 
> > On Friday, December 29th, 2023 at 19:04, Rick Troth tro...@gmail.com wrote:
> > 
> > > Hi Frank --
> > > 
> > > BT/DT and it works great.
> > > 
> > > I took the usual means of capturing the host key of the target: signed
> > > on as the service account and ran 'ssh' interactively. Ever after, the
> > > client would not be prompted, but it would fail if the key changed. (And
> > > that's the point.)
> > > 
> > > The client signed on using an SSH client key. Of course, I had to break
> > > a rule here and magically obviate the need for a pass phrase. (Dark
> > > magic. Not something we speak about in public.)
> > > 
> > > In this particular case, I ran it from /etc/inittab on a traditional Unix
> > > (Linux) system. That way when the session would die it would be restarted.
> > > 
> > > This hack used either -L or -R, I forget which, but established a TCP
> > > listener. All traffic was limited to local (which is the default), so no
> > > risk of someone off-box sending or seeing cleartext.
> > > 
> > > -- R; <><
> > > 
> > > On 12/29/23 04:53, Colin Paice wrote:
> > > 
> > > > Frank,
> > > > What do you have on the z/OS end? If the back end supports it, it can 
> > > > map
> > > > from a certificate to a userid.
> > > > See Using certificates to logon to z/OS
> > > > https://colinpaice.blog/2023/03/28/using-certificates-to-logon-to-z-os/
> > > > and What’s the difference between RACDCERT MAP and RACMAP?
> > > > https://colinpaice.blog/2020/07/28/whats-the-difference-between-racdcert-map-and-racmap/
> > > > Colin
> > > > 
> > > > On Fri, 29 Dec 2023 at 06:27, Frank swarbrick frank.swarbr...@outlook.com
> > > > wrote:
> > > > 
> > > > > We're looking at using an SSH tunnel (or reverse tunnel) to encrypt a
> > > > > connection where the application on the other end does not support 
> > > > > TLS.
> > > > > The POC looks to be working. I am now pondering on the steps required 
> > > > > to
> > > > > make setting up the tunnel an automated process. It seems to me that 
> > > > > we'd
> > > > > want the z/OS user to be a "protected" user
> > > > > (NOPASSWORD/NOPHRASE/NOOIDCARD). Would this require that we use SSH 
> > > > > host
> > > > > based authentication? I imagine that the user would require an OMVS
> > > > > segment. I wonder if it would need a shell or home directory. Any 
> > > > > other
> > > > > thoughts?
> > > > > 
> > > > > Thanks,
> > > > > Frank
> > > > > 
> > > > > --
> > > > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > > > send email tolists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > > > > --
> > > > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > > > send email tolists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > > 
> > > --
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > > 

Re: SMF Interval

2023-12-29 Thread Ed Jaffe

On 12/29/2023 3:20 PM, Mark Zelden wrote:

This paper from Scott Chapman of EPS talks about the subject and he agrees with
me that it should be no longer than 15 minutes and that RMF/SMF should be 
synced.

https://www.pivotor.com/library/content/Chapman_SMFRecommendations_2022.pdf


Super helpful. Thanks, Mark!

--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/





Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Paul Gilmartin
On Fri, 29 Dec 2023 22:15:31 +, Seymour J Metz wrote:

>BPXWDYN may support concatenating FB and VB, but ISPF and TSO don't.
>
I don't see that would be very useful.  It might be more useful to concatenate
a mixture of DISPs.

But not concatenating DSN with PATH is a sore lack.

(Again, PATHOPTS, PATHMODE and PATHDISP can't have a mixture of values.)

>
>From:  Paul Gilmartin
>Sent: Friday, December 29, 2023 5:10 PM
>>
>TSO can CALL BPXWDYN, subject to an onerous 100-byte PARM limit.
>
>In one case, for a mixed concatenation, I used a sequence of ALLOCATE
>followed by a single CALL BPXWDYN 'CONCAT ...'
>
>CONCAT requires at least two operands; fails with just one.

-- 
gil



Re: SMF Interval

2023-12-29 Thread Mark Zelden
On Fri, 29 Dec 2023 13:57:35 -0600, Mark Zelden  wrote:

>On Thu, 28 Dec 2023 21:23:18 -0800, Ed Jaffe  
>wrote:
>
>>What SMF interval do most folks use?
>>
>
>In my experience (from many shops / clients over the years), it matches the 
>RMF interval
>and the most common is 15 minutes.  Second most common is probably 30 (along 
>with
>RMF) but I think most shops moved away from that to go to at least 15 years 
>ago. I have
>seen some use 5 minutes and sometimes IBM will request that for a period of 
>time - perhaps
>for a week to get a more accurate picture for a CP3000 study.   
>
>This is typically what I use in SMFPRMxx:
>
>INTVAL(15) 
>SYNCVAL(59)
>

You didn't say why you wanted to know.  But thinking about this more... I
thought I remembered Cheryl Watson doing a poll on this once.  I searched her
website and saw in 2008 there was a 3 part series on SMF / parms and she asked
people to send in their parms, but I didn't see a follow up on the results.
She did recommend setting INTVAL(30) and said using SYNCVAL(59) was no longer
required and to use SYNCVAL(0). I won't go into the history for why people
started coding SYNCVAL(59) to begin with (she does).  Maybe someone on team
Cheryl does have poll results from back then or more recently.

However she also recommended changing RMF interval from 15 to 30 to match SMF
INTVAL (she previously suggested using RMF interval of 15, SMF INTVAL(30).
Partially due to the number of SMF/RMF Type 74 records from DASD activity from
the size of systems at the time.  That to me makes no sense because even
though there is more RMF data to store and process, the CPUs are much faster,
the disk & I/O is much faster and storage is "cheaper", so it's all relative.
I know I'm talking RMF interval now as opposed to your question on SMF INTVAL,
but 30 minutes is just not granular enough in the large installations I have
worked in.  Be it for typical performance report & capacity planning or
looking at WLM reports (although I use RMF III or Mainview CMF more for WLM
tuning than post processing).  Even in small environments I have always used
15 for both SMF and RMF/CMF.

Back to your question: While I have mostly seen 15 minutes to match RMF / CMF
15 minutes, in my personal experiences, 30 minutes is the default and a lot of
people listen to Cheryl's advice (because it is good), so without any
scientific polling, I'm sure that it is still very common to see INTVAL(30).
I just don't agree and have never used anything higher than 15.

This paper from Scott Chapman of EPS talks about the subject and he agrees with
me that it should be no longer than 15 minutes and that RMF/SMF should be 
synced.  

https://www.pivotor.com/library/content/Chapman_SMFRecommendations_2022.pdf


Best Regards,

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
ITIL v3 Foundation Certified
mailto:m...@mzelden.com
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Seymour J Metz
BPXWDYN may support concatenating FB and VB, but ISPF and TSO don't.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Paul Gilmartin <042bfe9c879d-dmarc-requ...@listserv.ua.edu>
Sent: Friday, December 29, 2023 5:10 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Checking status of multiple datasets in CLIST and REXX

On Fri, 29 Dec 2023 21:13:17 +, Seymour J Metz wrote:

>In my case there is a CLIST effectively called from the READY prompt, so the 
>TSO environment should be fully initialized.
>
>The reason that it's CLIST is so I can use TSOLIB inline.
>
TSO can CALL BPXWDYN, subject to an onerous 100-byte PARM limit.

In one case, for a mixed concatenation, I used a sequence of ALLOCATE
followed by a single CALL BPXWDYN 'CONCAT ...'

CONCAT requires at least two operands; fails with just one.

--
gil



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Paul Gilmartin
On Fri, 29 Dec 2023 21:13:17 +, Seymour J Metz wrote:

>In my case there is a CLIST effectively called from the READY prompt, so the 
>TSO environment should be fully initialized.
>
>The reason that it's CLIST is so I can use TSOLIB inline.
>
TSO can CALL BPXWDYN, subject to an onerous 100-byte PARM limit.

In one case, for a mixed concatenation, I used a sequence of ALLOCATE
followed by a single CALL BPXWDYN 'CONCAT ...'

CONCAT requires at least two operands; fails with just one.

-- 
gil



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Seymour J Metz
No, but neither does LISTDSI; either way I need separate tests for ddn and dsn.

I may throw in the towel, make everything FB and reallocate.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Paul Gilmartin <042bfe9c879d-dmarc-requ...@listserv.ua.edu>
Sent: Friday, December 29, 2023 12:36 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Checking status of multiple datasets in CLIST and REXX

On Fri, 29 Dec 2023 11:13:18 -0600, Jon Perryman  wrote:

>On Fri, 29 Dec 2023 09:40:33 -0600, Paul Gilmartin wrote:
>>>
>>How useful would BPXWDYN(INFO ,,,) be?
>>
>
>REXX function SYSDSN( ) will determine if a dataset exists without the 
>overhead of LISTDSI.
>
Does it report allocated status as the OP requested?

in 
 i 
see:
PROTECTED DATASET
UNAVAILABLE DATASET

What do those mean?  Write protected?  Read protected? ENQ SHR?  ENQ EXC?  ...?

--
gil



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Seymour J Metz
As a contractor on the applications side, I have to live with whatever policies 
they set, and have no leverage. It's not comfortable, but it is what it is.

IAC, I would be more upset if resources that actually were critical were not 
adequately protected. The cases that you described were horrifying.

Copying from another installation would be legal if it did not violate local 
security policy. Further, I agree with a paranoid approach to outside code, 
absent official scrutiny and clearance, although it remains inconvenient.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Radoslaw Skorupka <0471ebeac275-dmarc-requ...@listserv.ua.edu>
Sent: Friday, December 29, 2023 4:32 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Checking status of multiple datasets in CLIST and REXX

On 29.12.2023 at 19:29, Paul Gilmartin wrote:
> On Fri, 29 Dec 2023 18:10:08 +, Seymour J Metz wrote:
>
>> I'm in an applications role and installing external software, e.g., PDS86, 
>> is not allowed.
>>
>> I just discovered that I don't even have access to SYS1.SAMPLIB.
>>
> !?!?!?  What terrifies them?  "Need to know" gone berserk?  Fear of copyright 
> infringement?

Well, obviously I don't know the answer, however I saw cases where the
answer was a mess. Or sometimes "AI is no match for natural stupidity".
Example: STGADMIN IMPORT strictly prohibited, but ...ALTER to RACF db.
Some DISPLAY commands prohibited (and no chance to change it), but $JES2
commands not protected at all.
UACC(ALTER) to APF library, fully qualified generic profile.
etc.

BTW: SYS1.SAMPLIB is a big PDS with text members. It is copyrighted, but
it is included in z/OS license. So, it is possible and legal to copy
such PDS from other system, i.e. sandbox. Assumption: a user is allowed
to put/get datasets...

--
Radoslaw Skorupka
Lodz, Poland



Re: SMF Interval

2023-12-29 Thread Steve Beaver
Sorry, my bad. I was thinking about JWT

Sent from my iPhone

No one said I could type with one thumb 

> On Dec 29, 2023, at 15:49, Steve Beaver  wrote:
> 
> Be careful setting it low. If TSO is
> on that system you will have a lot
> of S322’s
> 
> Sent from my iPhone
> 
> No one said I could type with one thumb
> 
>>> On Dec 29, 2023, at 15:05, Ed Jaffe  wrote:
>>> 
>>> On 12/29/2023 1:46 AM, Colin Paice wrote:
>>> With MQ some customers would set the interval to one minute for a period to
>>> get granular statistics and accounting to help with problem determination.
>>> The MQ accounting would report maximum response time for the interval.  If
>>> you have a "spiky" problem,  being able to identify the minute it occurred
>>> in, was very useful, and being able to correlate to other events.
>>> Note:   This can produce a lot of data!
>> 
>> This sounds like something that would be done temporarily. No?
>> 
>> After that, they go back to "normal" and set it to: __ ?
>> 
>> --
>> Phoenix Software International
>> Edward E. Jaffe
>> 831 Parkview Drive North
>> El Segundo, CA 90245
>> https://www.phoenixsoftware.com/
>> 
>> 
>> 
>> This e-mail message, including any attachments, appended messages and the
>> information contained therein, is for the sole use of the intended
>> recipient(s). If you are not an intended recipient or have otherwise
>> received this email message in error, any use, dissemination, distribution,
>> review, storage or copying of this e-mail message and the information
>> contained therein is strictly prohibited. If you are not an intended
>> recipient, please contact the sender by reply e-mail and destroy all copies
>> of this email message and do not otherwise utilize or retain this email
>> message or any or all of the information contained therein. Although this
>> email message and any attachments or appended messages are believed to be
>> free of any virus or other defect that might affect any computer system into
>> which it is received and opened, it is the responsibility of the recipient
>> to ensure that it is virus free and no responsibility is accepted by the
>> sender for any loss or damage arising in any way from its opening or use.
>> 


Re: SMF Interval

2023-12-29 Thread Steve Beaver
Be careful setting it low. If TSO is
on that system you will have a lot
of S322’s

Sent from my iPhone

No one said I could type with one thumb 

> On Dec 29, 2023, at 15:05, Ed Jaffe  wrote:
> 
> On 12/29/2023 1:46 AM, Colin Paice wrote:
>> With MQ some customers would set the interval to one minute for a period to
>> get granular statistics and accounting to help with problem determination.
>> The MQ accounting would report maximum response time for the interval.  If
>> you have a "spiky" problem,  being able to identify the minute it occurred
>> in, was very useful, and being able to correlate to other events.
>> Note:   This can produce a lot of data!
> 
> This sounds like something that would be done temporarily. No?
> 
> After that, they go back to "normal" and set it to: __ ?
> 
> --
> Phoenix Software International
> Edward E. Jaffe
> 831 Parkview Drive North
> El Segundo, CA 90245
> https://www.phoenixsoftware.com/
> 
> 
> 


Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Radoslaw Skorupka

On 29.12.2023 at 19:29, Paul Gilmartin wrote:
> On Fri, 29 Dec 2023 18:10:08 +, Seymour J Metz wrote:
>
>> I'm in an applications role and installing external software, e.g., PDS86, is
>> not allowed.
>>
>> I just discovered that I don't even have access to SYS1.SAMPLIB.
>>
> !?!?!?  What terrifies them?  "Need to know" gone berserk?  Fear of copyright
> infringement?


Well, obviously I don't know the answer, however I saw cases where the 
answer was a mess. Or sometimes "AI is no match for natural stupidity".

Example: STGADMIN IMPORT strictly prohibited, but ...ALTER to RACF db.
Some DISPLAY commands prohibited (and no chance to change it), but $JES2 
commands not protected at all.

UACC(ALTER) to APF library, fully qualified generic profile.
etc.

BTW: SYS1.SAMPLIB is a big PDS with text members. It is copyrighted, but 
it is included in z/OS license. So, it is possible and legal to copy 
such PDS from other system, i.e. sandbox. Assumption: a user is allowed 
to put/get datasets...


--
Radoslaw Skorupka
Lodz, Poland



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Seymour J Metz
In my case there is a CLIST effectively called from the READY prompt, so the 
TSO environment should be fully initialized.

The reason that it's CLIST is so I can use TSOLIB inline.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Paul Gilmartin <042bfe9c879d-dmarc-requ...@listserv.ua.edu>
Sent: Friday, December 29, 2023 1:29 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Checking status of multiple datasets in CLIST and REXX

On Fri, 29 Dec 2023 18:10:08 +, Seymour J Metz wrote:

>I'm in an applications role and installing external software, e.g., PDS86, is 
>not allowed.
>
>I just discovered that I don't even have access to SYS1.SAMPLIB.
>
!?!?!?  What terrifies them?  "Need to know" gone berserk?  Fear of copyright 
infringement?

>I should be able to use any BPXW... service that doesn't require dubbing.
>
Long ago it was reported here that BPXWDYN failed early in startup, before a
descriptor not necessarily needed for messages could be created.  That
may have been fixed by APAR.

--
gil



Re: SMF Interval

2023-12-29 Thread Ed Jaffe

On 12/29/2023 1:46 AM, Colin Paice wrote:

> With MQ some customers would set the interval to one minute for a period to
> get granular statistics and accounting to help with problem determination.
> The MQ accounting would report maximum response time for the interval.  If
> you have a "spiky" problem,  being able to identify the minute it occurred
> in, was very useful, and being able to correlate to other events.
> Note:   This can produce a lot of data!


This sounds like something that would be done temporarily. No?

After that, they go back to "normal" and set it to: __ ?

--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/





Re: SMF Interval

2023-12-29 Thread Mark Zelden
On Thu, 28 Dec 2023 21:23:18 -0800, Ed Jaffe  
wrote:

>What SMF interval do most folks use?
>

In my experience (from many shops / clients over the years), it matches the RMF
interval and the most common is 15 minutes.  Second most common is probably 30
(along with RMF) but I think most shops moved away from that to go to at least
15 years ago. I have seen some use 5 minutes and sometimes IBM will request
that for a period of time - perhaps for a week to get a more accurate picture
for a CP3000 study.

This is typically what I use in SMFPRMxx:

INTVAL(15) 
SYNCVAL(59)

Best Regards and Happy New Year! 

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
ITIL v3 Foundation Certified
mailto:m...@mzelden.com
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html





Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Willy Jensen
SDSF has an ENQD command, which might be available via the API.



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Jon Perryman
On Fri, 29 Dec 2023 12:15:31 -0600, Paul Gilmartin  wrote:

>Does that show DSNs that are ENQed but not allocated?

What ENQ are you referring to? QNAME SYSVSAM as opposed to SYSDSN? You would need 
to include those QNAMEs in your query.



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Jon Perryman
On Fri, 29 Dec 2023 12:35:58 -0600, Jon Perryman  wrote:

>QUERYENQ documents that it is "SYSTEM" enq level but datasets are "SYSTEMS". 

Sorry, my bad. I just saw a ZENSCOPE variable which implies both SYSTEM and 
SYSTEMS are returned. STEP does not appear as a possible value.



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Jon Perryman
On Fri, 29 Dec 2023 18:10:08 +, Seymour J Metz  wrote:

>I should be able to use any BPXW... service that doesn't require dubbing.

I doubt that BPXWDYN requires dubbing but some minimal dubbing should be 
available because of TCP requirements.



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Jon Perryman
On Fri, 29 Dec 2023 18:01:19 +, Sri h Kolusu  wrote:

>>> Does CLIST or REXX provide an interface to ENQ?
>
>Via ISPF service named QUERYENQ
>
>https://www.ibm.com/docs/en/zos/2.5.0?topic=services-queryenqquery-system-enq-data

QUERYENQ documents that it is "SYSTEM" enq level but datasets are "SYSTEMS". 
They are very different things. The XSYS=YES option is unclear about whether it 
switches to "SYSTEMS" enq but mentions high overhead. Since SYSTEMS enqueues 
are propagated throughout the SYSPLEX, I'm guessing that it queries each GRS in 
the SYSPLEX for SYSTEM enqueues because of this overhead.



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Paul Gilmartin
On Fri, 29 Dec 2023 18:10:08 +, Seymour J Metz wrote:

>I'm in an applications role and installing external software, e.g., PDS86, is 
>not allowed. 
>
>I just discovered that I don't even have access to SYS1.SAMPLIB. 
>
!?!?!?  What terrifies them?  "Need to know" gone berserk?  Fear of copyright 
infringement?

>I should be able to use any BPXW... service that doesn't require dubbing.
>
Long ago it was reported here that BPXWDYN failed early in startup, before a
descriptor not necessarily needed for messages could be created.  That
may have been fixed by APAR.

-- 
gil



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Paul Gilmartin
On Fri, 29 Dec 2023 18:01:19 +, Sri h Kolusu wrote:

>>> Does CLIST or REXX provide an interface to ENQ?
>
>Via ISPF service named QUERYENQ
>
>https://www.ibm.com/docs/en/zos/2.5.0?topic=services-queryenqquery-system-enq-data
>
Does that show DSNs that are ENQed but not allocated?
Is the OP concerned with such cases?

>Examples :
>
>https://www.mainframesupport.dk/tips/tip1903.html
>
>http://www.naspa.net/magazine/2005/0305/T0503011.pdf

-- 
gil



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Jon Perryman
On Fri, 29 Dec 2023 11:36:38 -0600, Paul Gilmartin  wrote:

>On Fri, 29 Dec 2023 11:13:18 -0600, Jon Perryman  wrote:

>>REXX function SYSDSN( ) will determine if a dataset exists without the 
>>overhead of LISTDSI.
>> 
>Does it report allocated status as the OP requested?

The OP had 2 requests. I believe BPXWDYN INFO only tells you about allocated 
datasets. It does not tell you if a dataset exists which is solved by using 
SYSDSN( ). You could BPXWDYN ALLOC to determine if it exists but SYSDSN( ) 
would be a better solution.

>in 
> 
>i see:
>PROTECTED DATASET
>UNAVAILABLE DATASET

These are documented at https://www.ibm.com/docs/sr/zos/2.1.0?topic=tef-sysdsn

Protected dataset requires member name be specified and means you don't have 
SAF access to the dataset.

Unavailable dataset means someone has exclusive enq for the dataset.



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Seymour J Metz
I'm in an applications role and installing external software, e.g., PDS86, is 
not allowed. 

I just discovered that I don't even have access to SYS1.SAMPLIB. 

I should be able to use any BPXW... service that doesn't require dubbing.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of Jon 
Perryman 
Sent: Friday, December 29, 2023 12:48 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Checking status of multiple datasets in CLIST and REXX

On Fri, 29 Dec 2023 17:00:37 +, Sri h Kolusu  wrote:

>How about issuing ENQ in loop for all the datasets in the list?
>Once you hit a dataset that is already allocated you can quit the search.

ENQ is not appropriate for this type of problem. Dataset allocations are 
SYSTEMS ENQ which means the dataset is allocated somewhere in the SYSPLEX. 
While you could query the jobs enqueues, why not query the allocations.

My gut tells me that this question stemmed from the ISPF allocations question. 
The solution in that case would be to use BPXWDYN CONCAT if it exists or use 
the CONCAT command from the CBT tapes.



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Sri h Kolusu
>> Does CLIST or REXX provide an interface to ENQ?

Gil,

Via ISPF service named QUERYENQ

https://www.ibm.com/docs/en/zos/2.5.0?topic=services-queryenqquery-system-enq-data

Examples :

https://www.mainframesupport.dk/tips/tip1903.html

http://www.naspa.net/magazine/2005/0305/T0503011.pdf

Thanks,
Kolusu




Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Jon Perryman
On Fri, 29 Dec 2023 17:00:37 +, Sri h Kolusu  wrote:

>How about issuing ENQ in loop for all the datasets in the list?  
>Once you hit a dataset that is already allocated you can quit the search.

ENQ is not appropriate for this type of problem. Dataset allocations are 
SYSTEMS ENQ which means the dataset is allocated somewhere in the SYSPLEX. 
While you could query the jobs enqueues, why not query the allocations.

My gut tells me that this question stemmed from the ISPF allocations question. 
The solution in that case would be to use BPXWDYN CONCAT if it exists or use 
the CONCAT command from the CBT tapes.



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Paul Gilmartin
On Fri, 29 Dec 2023 11:13:18 -0600, Jon Perryman  wrote:

>On Fri, 29 Dec 2023 09:40:33 -0600, Paul Gilmartin wrote:
>>> 
>>How useful would BPXWDYN(INFO ,,,) be?
>>
>
>REXX function SYSDSN( ) will determine if a dataset exists without the 
>overhead of LISTDSI.
> 
Does it report allocated status as the OP requested?

in 
 i 
see:
PROTECTED DATASET
UNAVAILABLE DATASET

What do those mean?  Write protected?  Read protected? ENQ SHR?  ENQ EXC?  ...?

-- 
gil



Re: ISPF setup macro

2023-12-29 Thread Jon Perryman
On Fri, 29 Dec 2023 13:10:27 +, Seymour J Metz  wrote:

>I'm not trying to set up an ISPF application environment; I'm trying to set 
>up a TSO user environment. 

TSO user environment limits your options. LIBDEF is not suitable because it is 
lost or replaced at various times. ISPxUSR is not suitable because it is 
searched first and requires LIBDEF.

>At other shops I've done it by reallocating the standard concatenations when 
>the user libraries existed; I want an alternative to that.

I believe BPXWDYN has a CONCAT function. I believe it's a reallocation under 
the covers but won't swear to that.



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Paul Gilmartin
On Fri, 29 Dec 2023 17:00:37 +, Sri h Kolusu wrote:

>>>> I need to check whether any of a list of datasets exists and whether any 
>>>> of a list of ddnames is allocated.
>
>Shmuel,
>
>How about issuing ENQ in loop for all the datasets in the list?  Once you hit 
>a dataset that is already allocated you can quit the search.
>  
Does CLIST or REXX provide an interface to ENQ?

-- 
gil



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Jon Perryman
On Fri, 29 Dec 2023 09:40:33 -0600, Paul Gilmartin  wrote:

>On Fri, 29 Dec 2023 14:47:29 +, Seymour J Metz wrote:
>>I need to check whether any of a list of datasets exists and whether any of a 
>>list of ddnames is allocated.
>> 
>How useful would BPXWDYN(INFO ,,,) be?
>

REXX function SYSDSN( ) will determine if a dataset exists without the overhead 
of LISTDSI.



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Sri h Kolusu
>>> I need to check whether any of a list of datasets exists and whether any of 
>>> a list of ddnames is allocated.

Shmuel,

How about issuing ENQ in loop for all the datasets in the list?  Once you hit a 
dataset that is already allocated you can quit the search.

Thanks,
Kolusu



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Lionel B. Dyck
Paul is spot on - and you can use BPXWDYN to concatenate as well.

See examples here 
https://www.ibm.com/docs/en/zos/3.1.0?topic=output-examples-calling-bpxwdyn-from-rexx-program


Lionel B. Dyck <><
Github: https://github.com/lbdyck

“Worry more about your character than your reputation. Character is what you 
are, reputation merely what others think you are.”   - - - John Wooden

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Paul Gilmartin
Sent: Friday, December 29, 2023 9:41 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Checking status of multiple datasets in CLIST and REXX

On Fri, 29 Dec 2023 14:47:29 +, Seymour J Metz wrote:

>I need to check whether any of a list of datasets exists and whether any of a 
>list of ddnames is allocated. I'd rather not trap and parse the output of 
>LISTALC and LISTCAT, and I'd rather not call LISTDSI for each one. Is there a 
>simple way to do that in REXX, or would it be better to write a small service 
>routine in assembler?
> 
How useful would BPXWDYN(INFO ,,,) be?


--
gil



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Paul Gilmartin
On Fri, 29 Dec 2023 14:47:29 +, Seymour J Metz wrote:

>I need to check whether any of a list of datasets exists and whether any of a 
>list of ddnames is allocated. I'd rather not trap and parse the output of 
>LISTALC and LISTCAT, and I'd rather not call LISTDSI for each one. Is there a 
>simple way to do that in REXX, or would it be better to write a small service 
>routine in assembler?
> 
How useful would BPXWDYN(INFO ,,,) be?


-- 
gil



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Steve Beaver
If you write HLASM use a LOCATE with a CAMLIST


Sent from my iPhone

No one said I could type with one thumb 

> On Dec 29, 2023, at 09:08, kekronbekron 
> <02dee3fcae33-dmarc-requ...@listserv.ua.edu> wrote:
> 
> Yup, I originally wanted to add a note saying it won't work for the second 
> part.
> Left it out as I then thought that'll be known already.
> 
> 
> 
>> On Friday, December 29th, 2023 at 20:35, David Spiegel 
>> <0468385049d1-dmarc-requ...@listserv.ua.edu> wrote:
>> 
>> 
>> Hi KB,
>> CSI won't tell you anything about ALLOCATEd DDNAMES.
>> 
>> Regards,
>> David
>> 
>>> On 2023-12-29 09:55, kekronbekron wrote:
>>> 
>>> There's a catalog search interface (CSI), and I think there's a sample REXX 
>>> for using it in SAMPLIB.
>>> 
>>>> On Friday, December 29th, 2023 at 20:17, Seymour J Metz sme...@gmu.edu 
>>>> wrote:
>>> 
>>>> I need to check whether any of a list of datasets exists and whether any 
>>>> of a list of ddnames is allocated. I'd rather not trap and parse the 
>>>> output of LISTALC and LISTCAT, and I'd rather not call LISTDSI for each 
>>>> one. Is there a simple way to do that in REXX, or would it be better to 
>>>> write a small service routine in assembler?
>>>> 
>>>> I don't have a requirement to handle XTIOT.
>>>> 
>>>> --
>>>> Shmuel (Seymour J.) Metz
>>>> http://mason.gmu.edu/~smetz3
>>>> עַם יִשְׂרָאֵל חַי
>>>> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
 
>> 
>> 


Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread kekronbekron
Yup, I originally wanted to add a note saying it won't work for the second part.
Left it out as I then thought that'll be known already.



On Friday, December 29th, 2023 at 20:35, David Spiegel 
<0468385049d1-dmarc-requ...@listserv.ua.edu> wrote:


> Hi KB,
> CSI won't tell you anything about ALLOCATEd DDNAMES.
> 
> Regards,
> David
> 
> On 2023-12-29 09:55, kekronbekron wrote:
> 
> > There's a catalog search interface (CSI), and I think there's a sample REXX 
> > for using it in SAMPLIB.
> > 
> > On Friday, December 29th, 2023 at 20:17, Seymour J Metz sme...@gmu.edu 
> > wrote:
> > 
> > > I need to check whether any of a list of datasets exists and whether any 
> > > of a list of ddnames is allocated. I'd rather not trap and parse the 
> > > output of LISTALC and LISTCAT, and I'd rather not call LISTDSI for each 
> > > one. Is there a simple way to do that in REXX, or would it be better to 
> > > write a small service routine in assembler?
> > > 
> > > I don't have a requirement to handle XTIOT.
> > > 
> > > --
> > > Shmuel (Seymour J.) Metz
> > > http://mason.gmu.edu/~smetz3
> > > עַם יִשְׂרָאֵל חַי
> > > נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
> > > 
> 
> 


Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread David Spiegel

Hi KB,
CSI won't tell you anything about ALLOCATEd DDNAMES.

Regards,
David

On 2023-12-29 09:55, kekronbekron wrote:

> There's a catalog search interface (CSI), and I think there's a sample REXX for 
> using it in SAMPLIB.
>
> On Friday, December 29th, 2023 at 20:17, Seymour J Metz  wrote:
>
>> I need to check whether any of a list of datasets exists and whether any of a 
>> list of ddnames is allocated. I'd rather not trap and parse the output of 
>> LISTALC and LISTCAT, and I'd rather not call LISTDSI for each one. Is there a 
>> simple way to do that in REXX, or would it be better to write a small service 
>> routine in assembler?
>>
>> I don't have a requirement to handle XTIOT.
>>
>> --
>> Shmuel (Seymour J.) Metz
>> http://mason.gmu.edu/~smetz3
>> עַם יִשְׂרָאֵל חַי
>> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר



Re: SSH tunneling for unattended process.

2023-12-29 Thread Rick Troth

I can't speak for Frank, but he started his inquiry with this:

> We're looking at using an SSH tunnel (or reverse tunnel) to encrypt a
> connection where the application on the other end does not support TLS.

SSH is an excellent choice for this kind of job.
You can use SSH directly (with client invoking SSH to launch a service 
program on the target)
*or* you can establish one or more TCP listeners (either direction) over 
an SSH session, or any combination.

ALL of the traffic handled by way of the SSH session would be encrypted.

So I might not have understood exactly what Frank needs, but I'm a firm 
believer in SSH.


Authentication of the remote SSH host is done using the SSH host key(s) 
on the target system. That's standard.


Authentication of the client can be done using an SSH client key (as is 
my practice) or using PKI certificates (as Colin describes in his blog).
Frank indicated that what he needs is unattended/automatic, easily 
supported using either method.


Does that help?

-- R; <><


On 12/29/23 09:20, kekronbekron wrote:

Hi Rick/Frank,

If you have time, could you explain more about this setup.
I don't get what's desired..


On Friday, December 29th, 2023 at 19:04, Rick Troth  wrote:



Hi Frank --

BT/DT and it works great.

I took the usual means of capturing the host key of the target: signed
on as the service account and ran 'ssh' interactively. Ever after, the
client would not be prompted, but it would fail if the key changed. (And
that's the point.)

The client signed on using an SSH client key. Of course, I had to break
a rule here and magically obviate the need for a pass phrase. (Dark
magic. Not something we speak about in public.)

In this particular case, I ran it from /etc/inittab on a traditional Unix
(Linux) system. That way when the session would die it would be restarted.

This hack used either -L or -R, I forget which, but established a TCP
listener. All traffic was limited to local (which is the default), so no
risk of someone off-box sending or seeing cleartext.

-- R; <><





On 12/29/23 04:53, Colin Paice wrote:


Frank,
What do you have on the z/OS end? If the back end supports it, it can map
from a certificate to a userid.
See Using certificates to logon to z/OS
https://colinpaice.blog/2023/03/28/using-certificates-to-logon-to-z-os/
and What’s the difference between RACDCERT MAP and RACMAP?
https://colinpaice.blog/2020/07/28/whats-the-difference-between-racdcert-map-and-racmap/
Colin

On Fri, 29 Dec 2023 at 06:27, Frank Swarbrick frank.swarbr...@outlook.com
wrote:


We're looking at using an SSH tunnel (or reverse tunnel) to encrypt a
connection where the application on the other end does not support TLS.
The POC looks to be working. I am now pondering on the steps required to
make setting up the tunnel an automated process. It seems to me that we'd
want the z/OS user to be a "protected" user
(NOPASSWORD/NOPHRASE/NOOIDCARD). Would this require that we use SSH host
based authentication? I imagine that the user would require an OMVS
segment. I wonder if it would need a shell or home directory. Any other
thoughts?

Thanks,
Frank



Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Lionel B. Dyck
That works well for checking the catalog status *but* not the allocation 
status. For that you'll need to trap LISTALC or write your own.


Lionel B. Dyck <><
Github: https://github.com/lbdyck

“Worry more about your character than your reputation. Character is what you 
are, reputation merely what others think you are.”   - - - John Wooden

-----Original Message-----
From: IBM Mainframe Discussion List  On Behalf Of 
Seymour J Metz
Sent: Friday, December 29, 2023 8:59 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Checking status of multiple datasets in CLIST and REXX

Of course; how did I forget that :-(

Thanks.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
kekronbekron <02dee3fcae33-dmarc-requ...@listserv.ua.edu>
Sent: Friday, December 29, 2023 9:55 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Checking status of multiple datasets in CLIST and REXX

There's a catalog search interface (CSI), and I think there's a sample REXX for 
using it in SAMPLIB.



On Friday, December 29th, 2023 at 20:17, Seymour J Metz  wrote:


> I need to check whether any of a list of datasets exists and whether any of a 
> list of ddnames is allocated. I'd rather not trap and parse the output of 
> LISTALC and LISTCAT, and I'd rather not call LISTDSI for each one. Is there a 
> simple way to do that in REXX, or would it be better to write a small service 
> routine in assembler?
>
> I don't have a requirement to handle XTIOT.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>


Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Seymour J Metz
Of course; how did I forget that :-(

Thanks.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
kekronbekron <02dee3fcae33-dmarc-requ...@listserv.ua.edu>
Sent: Friday, December 29, 2023 9:55 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Checking status of multiple datasets in CLIST and REXX

There's a catalog search interface (CSI), and I think there's a sample REXX for 
using it in SAMPLIB.



On Friday, December 29th, 2023 at 20:17, Seymour J Metz  wrote:


> I need to check whether any of a list of datasets exists and whether any of a 
> list of ddnames is allocated. I'd rather not trap and parse the output of 
> LISTALC and LISTCAT, and I'd rather not call LISTDSI for each one. Is there a 
> simple way to do that in REXX, or would it be better to write a small service 
> routine in assembler?
>
> I don't have a requirement to handle XTIOT.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>


Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread kekronbekron
https://www.ibm.com/support/pages/apar/II14316
https://public.dhe.ibm.com/servers/storage/support/software/dfsms/cattools/




On Friday, December 29th, 2023 at 20:25, kekronbekron 
<02dee3fcae33-dmarc-requ...@listserv.ua.edu> wrote:


> There's a catalog search interface (CSI), and I think there's a sample REXX 
> for using it in SAMPLIB.
> 
> 
> 
> On Friday, December 29th, 2023 at 20:17, Seymour J Metz sme...@gmu.edu wrote:
> 
> 
> 
> > I need to check whether any of a list of datasets exists and whether any of 
> > a list of ddnames is allocated. I'd rather not trap and parse the output of 
> > LISTALC and LISTCAT, and I'd rather not call LISTDSI for each one. Is there 
> > a simple way to do that in REXX, or would it be better to write a small 
> > service routine in assembler?
> > 
> > I don't have a requirement to handle XTIOT.
> > 
> > --
> > Shmuel (Seymour J.) Metz
> > http://mason.gmu.edu/~smetz3
> > עַם יִשְׂרָאֵל חַי
> > נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
> > 


Re: Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread kekronbekron
There's a catalog search interface (CSI), and I think there's a sample REXX for 
using it in SAMPLIB.



On Friday, December 29th, 2023 at 20:17, Seymour J Metz  wrote:


> I need to check whether any of a list of datasets exists and whether any of a 
> list of ddnames is allocated. I'd rather not trap and parse the output of 
> LISTALC and LISTCAT, and I'd rather not call LISTDSI for each one. Is there a 
> simple way to do that in REXX, or would it be better to write a small service 
> routine in assembler?
> 
> I don't have a requirement to handle XTIOT.
> 
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
> 


Checking status of multiple datasets in CLIST and REXX

2023-12-29 Thread Seymour J Metz
I need to check whether any of a list of datasets exists and whether any of a 
list of ddnames is allocated. I'd rather not trap and parse the output of 
LISTALC and LISTCAT, and I'd rather not call LISTDSI for each one. Is there a 
simple way to do that in REXX, or would it be better to write a small service 
routine in assembler?

I don't have a requirement to handle XTIOT.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר



Re: SSH tunneling for unattended process.

2023-12-29 Thread kekronbekron
Hi Rick/Frank,

If you have time, could you explain more about this setup.
I don't get what's desired..


On Friday, December 29th, 2023 at 19:04, Rick Troth  wrote:


> Hi Frank --
> 
> BT/DT and it works great.
> 
> I took the usual means of capturing the host key of the target: signed
> on as the service account and ran 'ssh' interactively. Ever after, the
> client would not be prompted, but it would fail if the key changed. (And
> that's the point.)
> 
> The client signed on using an SSH client key. Of course, I had to break
> a rule here and magically obviate the need for a pass phrase. (Dark
> magic. Not something we speak about in public.)
> 
> In this particular case, I ran it from /etc/inittab on a traditional Unix
> (Linux) system. That way when the session would die it would be restarted.
> 
> This hack used either -L or -R, I forget which, but established a TCP
> listener. All traffic was limited to local (which is the default), so no
> risk of someone off-box sending or seeing cleartext.
> 
> -- R; <><
> 
> 
> 
> 
> 
> On 12/29/23 04:53, Colin Paice wrote:
> 
> > Frank,
> > What do you have on the z/OS end? If the back end supports it, it can map
> > from a certificate to a userid.
> > See Using certificates to logon to z/OS
> > https://colinpaice.blog/2023/03/28/using-certificates-to-logon-to-z-os/
> > and What’s the difference between RACDCERT MAP and RACMAP?
> > https://colinpaice.blog/2020/07/28/whats-the-difference-between-racdcert-map-and-racmap/
> > Colin
> > 
> > On Fri, 29 Dec 2023 at 06:27, Frank Swarbrick frank.swarbr...@outlook.com
> > wrote:
> > 
> > > We're looking at using an SSH tunnel (or reverse tunnel) to encrypt a
> > > connection where the application on the other end does not support TLS.
> > > The POC looks to be working. I am now pondering on the steps required to
> > > make setting up the tunnel an automated process. It seems to me that we'd
> > > want the z/OS user to be a "protected" user
> > > (NOPASSWORD/NOPHRASE/NOOIDCARD). Would this require that we use SSH host
> > > based authentication? I imagine that the user would require an OMVS
> > > segment. I wonder if it would need a shell or home directory. Any other
> > > thoughts?
> > > 
> > > Thanks,
> > > Frank
> > > 


Re: SSH tunneling for unattended process.

2023-12-29 Thread Rick Troth

Hi Frank --

BT/DT and it works great.

I took the usual means of capturing the host key of the target: signed 
on as the service account and ran 'ssh' interactively. Ever after, the 
client would not be prompted, but it would fail if the key changed. (And 
that's the point.)


The client signed on using an SSH client key. Of course, I had to break 
a rule here and magically obviate the need for a pass phrase. (Dark 
magic. Not something we speak about in public.)


In this particular case, I ran it from /etc/inittab on a traditional Unix
(Linux) system. That way when the session would die it would be restarted.


This hack used either -L or -R, I forget which, but established a TCP 
listener. All traffic was limited to local (which is the default), so no 
risk of someone off-box sending or seeing cleartext.


-- R; <><




On 12/29/23 04:53, Colin Paice wrote:

Frank,
What do you have on the z/OS end?   If the back end supports it, it can map
from a certificate to a userid.
See Using certificates to logon to z/OS

and What’s the difference between RACDCERT MAP and RACMAP?

Colin

On Fri, 29 Dec 2023 at 06:27, Frank Swarbrick
wrote:


We're looking at using an SSH tunnel (or reverse tunnel) to encrypt a
connection where the application on the other end does not support TLS.
The POC looks to be working.  I am now pondering on the steps required to
make setting up the tunnel an automated process.  It seems to me that we'd
want the z/OS user to be a "protected" user
(NOPASSWORD/NOPHRASE/NOOIDCARD).  Would this require that we use SSH host
based authentication?  I imagine that the user would require an OMVS
segment.  I wonder if it would need a shell or home directory.  Any other
thoughts?

Thanks,
Frank
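
The unattended setup Rick describes in this thread (pinned host key, client key with no prompting, restart from /etc/inittab, loopback-only listener), sketched as a wrapper script. This is an added example, not code from any poster; it assumes an OpenSSH client, and the function names, host name, account and file paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Names, hosts and paths are constructed.

# is_loopback_bind SPEC
# SPEC is the argument of ssh -L/-R: [bind_address:]port:host:hostport
# Returns 0 if the listener is loopback-only, 1 if it is reachable off-box,
# 2 if SPEC is not a TCP forward this check understands.
is_loopback_bind() {
    _spec=$1
    case $_spec in
        \[*\]:*)                        # bracketed bind address: [::1]:100:host:3270
            _bind=${_spec%%\]*}
            _bind=${_bind#\[} ;;
        *)
            _rest=$_spec _n=1           # count colon-separated fields
            while [ "$_rest" != "${_rest#*:}" ]; do
                _rest=${_rest#*:}
                _n=$((_n + 1))
            done
            case $_n in
                3) return 0 ;;          # no bind address: loopback while GatewayPorts is off
                4) _bind=${_spec%%:*} ;;
                *) return 2 ;;
            esac ;;
    esac
    case $_bind in
        localhost|::1)   return 0 ;;
        127.*[!0-9.]*)   return 1 ;;    # a host name that merely starts with "127."
        127.*.*.*)       return 0 ;;
        *)               return 1 ;;    # empty, '*', 0.0.0.0 or a routable address
    esac
}

# tunnel_args MODE FWD DEST KEYFILE KNOWN_HOSTS
# Prints the ssh arguments, one per line, for an unattended tunnel.
#   -N -T                       forward only: no remote command, no terminal
#   BatchMode=yes               never prompt; fail instead of waiting for input
#   StrictHostKeyChecking=yes   fail if the host key is unknown or has changed
#   IdentitiesOnly=yes, -i      offer only the service account's client key
#   GatewayPorts=no             keep -L listeners on loopback
#   ExitOnForwardFailure=yes    exit if the listener cannot be set up
#   ServerAlive*                exit on a dead session so init can restart it
tunnel_args() {
    _mode=$1 _fwd=$2 _dest=$3 _key=$4 _known=$5
    case $_mode in
        -L|-R) ;;
        *) echo "mode must be -L or -R" >&2; return 64 ;;
    esac
    is_loopback_bind "$_fwd" || {
        echo "refusing forward that is not loopback-only: $_fwd" >&2
        return 65
    }
    printf '%s\n' \
        -N -T \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o "UserKnownHostsFile=$_known" \
        -o IdentitiesOnly=yes -i "$_key" \
        -o GatewayPorts=no \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        "$_mode" "$_fwd" "$_dest"
}

run_tunnel() {
    _args=$(tunnel_args "$@") || return
    _ifs=$IFS
    IFS='
'
    set -f
    set -- $_args                       # split on newlines only: one line, one argument
    set +f
    IFS=$_ifs
    exec ssh "$@"
}

# /etc/inittab entry (sysvinit) so init restarts the tunnel when the session dies:
#   tn:2345:respawn:/usr/local/sbin/tunnel.sh run -L localhost:100:zos.example.com:3270 tunnel@zos.example.com /etc/tunnel/id_ed25519 /etc/tunnel/known_hosts
case ${1:-} in
    run) shift; run_tunnel "$@" ;;
esac
```

For -R the listener is created on the server side, so whether it stays on loopback is also governed by the GatewayPorts setting of the remote sshd.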




Re: ISPF setup macro

2023-12-29 Thread Seymour J Metz
> ISPF application environment.

I'm not trying to set up an ISPF application environment; I'm trying to set up 
a TSO user environment. I want to automatically activate user extensions to the 
standard conventions whenever the user has allocated libraries with appropriate 
names, e.g., userid.USER.EXEC, userid.USER.ISPP.

At other shops I've done it by reallocating the standard concatenations when 
the user libraries existed; I want an alternative to that.

> ISPF works as designed

NOVALUE is a REXX *style* issue and has nothing to do with ISPF.

> everyone must follow these rules

There is no rule in REXX requiring the use of SIGNAL ON NOVALUE.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of Jon 
Perryman 
Sent: Thursday, December 28, 2023 9:55 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ISPF setup macro

On Thu, 28 Dec 2023 02:01:54 +, Seymour J Metz  wrote:

>I'm trying to use LIBDEF as an alternative to freeing and reallocating the 
>standard ISPF concatenations.

LIBDEF is commonly used to eliminate the need for reallocating standard ISPF 
DDs. There are situations where ISPxUSR is useful but I suspect most don't use 
it. I'm sure CBTTAPE.ORG has multiple examples of setting up the ISPF 
application environment.

>Yes, typo for ISPxUSR. The allocation is before starting ISPF. The 
>documentation shows
> those ddnames as being picked up automatically only for the DATASET keyword.

If you are developing an application, then I suggest avoiding ISPxUSR unless 
your requirements need it. Using LIBDEF for products means the datasets are 
freed when not in use.

>I'm aware of the contingent that advocates NOVALUE, but I don't agree with 
>that perspective.

ISPF works as designed and everyone must follow these rules or request they be 
changed.

>To clarify, my logon panel calls userid.AD.CLIST, which does allocations, 
>ALTLIB and TSOLIB before calling ISPF.

A requirement for products that I've worked on is that everything is contained 
within the REXX and nothing needs to be modified in TSO other than making the 
REXX available to the users who need it.

> I want to add, e.g., user panels, in a form that will persist across START 
> (ISPSTRT).

Persistence is typically achieved through REXX using the appropriate LIBDEFs. 
You would still need a REXX with permanent DD's because you should have a 
different ISPF ZAPPLID for your application.



Re: SMF Interval

2023-12-29 Thread Massimo Biancucci
Ed,

in my experience 15 minutes for the most.
I've seen 10 minutes too.
IMHO big SMF DATA producers are DB2, CICS, IMS, MQ etc. with their
accounting records that are not SMF Interval related.
Choosing a maximum of 15 minutes may be better to correlate issues.

Best regards.
Max

On Fri, 29 Dec 2023 at 06:23, Ed Jaffe <edja...@phoenixsoftware.com> wrote:

> What SMF interval do most folks use?
>
> --
> Phoenix Software International
> Edward E. Jaffe
> 831 Parkview Drive North
> El Segundo, CA 90245
> https://www.phoenixsoftware.com/
>
>
>
> 
> This e-mail message, including any attachments, appended messages and the
> information contained therein, is for the sole use of the intended
> recipient(s). If you are not an intended recipient or have otherwise
> received this email message in error, any use, dissemination, distribution,
> review, storage or copying of this e-mail message and the information
> contained therein is strictly prohibited. If you are not an intended
> recipient, please contact the sender by reply e-mail and destroy all copies
> of this email message and do not otherwise utilize or retain this email
> message or any or all of the information contained therein. Although this
> email message and any attachments or appended messages are believed to be
> free of any virus or other defect that might affect any computer system
> into
> which it is received and opened, it is the responsibility of the recipient
> to ensure that it is virus free and no responsibility is accepted by the
> sender for any loss or damage arising in any way from its opening or use.
>


Re: SSH tunneling for unattended process.

2023-12-29 Thread Colin Paice
Frank,
What do you have on the z/OS end?   If the back end supports it, it can map
from a certificate to a userid.
See Using certificates to logon to z/OS

and What’s the difference between RACDCERT MAP and RACMAP?

Colin

On Fri, 29 Dec 2023 at 06:27, Frank Swarbrick 
wrote:

> We're looking at using an SSH tunnel (or reverse tunnel) to encrypt a
> connection where the application on the other end does not support TLS.
> The POC looks to be working.  I am now pondering on the steps required to
> make setting up the tunnel an automated process.  It seems to me that we'd
> want the z/OS user to be a "protected" user
> (NOPASSWORD/NOPHRASE/NOOIDCARD).  Would this require that we use SSH host
> based authentication?  I imagine that the user would require an OMVS
> segment.  I wonder if it would need a shell or home directory.  Any other
> thoughts?
>
> Thanks,
> Frank
>
>


Re: SMF Interval

2023-12-29 Thread Colin Paice
With MQ some customers would set the interval to one minute for a period to
get granular statistics and accounting to help with problem determination.
The MQ accounting would report maximum response time for the interval.  If
you have a "spiky" problem,  being able to identify the minute it occurred
in, was very useful, and being able to correlate to other events.
Note:   This can produce a lot of data!

On Fri, 29 Dec 2023 at 05:23, Ed Jaffe  wrote:

> What SMF interval do most folks use?
>
> --
> Phoenix Software International
> Edward E. Jaffe
> 831 Parkview Drive North
> El Segundo, CA 90245
> https://www.phoenixsoftware.com/
>
>
>
> 


Re: SMF Interval

2023-12-29 Thread Mike Shorkend
Ed,
The most common I have seen is 30 minutes. 15 minutes is also not rare.

Mike

On Fri, 29 Dec 2023 at 07:23, Ed Jaffe  wrote:

> What SMF interval do most folks use?
>
> --
> Phoenix Software International
> Edward E. Jaffe
> 831 Parkview Drive North
> El Segundo, CA 90245
> https://www.phoenixsoftware.com/
>
>
>
> 


-- 
Mike Shorkend
m...@shorkend.com
Tel: +972524208743




