Re: HEALTH CHECKER (USS_FILESYS_CONFIG)

[Mark Zelden]

On Fri, 12 Jan 2024 14:56:18 -0600, Peter Ten Eyck 
 wrote:

>I have check with status (USS NOT AVAIL). I believe that needs to be cleared 
>up before I can enable and run it...
>
>
>NAMECheckOwner   State 
>   Status   
>USS_HFS_DETECTEDIBMUSS   ACTIVE(DISABLED)   USS NOT AVAIL
>--


1) D OMVS  (is it active)?Pretty hard not to be active these days, except 
perhaps a rescue system

2) Did you complete security setup for Health Checker.  Specifically, does it 
have a valid OMVS segment
in RACF or whatever security product you have active?  I believe it also 
needs UID(0). 

I provided the wrong link earlier from a search.  Here is the correct one:
https://www.ibm.com/docs/en/zos/2.4.0?topic=level-health-checker-zos-users-guide

Security setup:
https://www.ibm.com/docs/en/zos/2.4.0?topic=zos-create-security-definitions

Regards,

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
ITIL v3 Foundation Certified
mailto:m...@mzelden.com
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
Systems Programming expert at http://search390.techtarget.com/ateExperts/
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: HEALTH CHECKER (USS_FILESYS_CONFIG)

[Peter Ten Eyck]

I have check with status (USS NOT AVAIL). I believe that needs to be cleared up 
before I can enable and run it...


NAMECheckOwner   State  
  Status   
USS_HFS_DETECTEDIBMUSS   ACTIVE(DISABLED)   USS NOT AVAIL
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: HEALTH CHECKER (USS_FILESYS_CONFIG)

[ITschak Mugzach]

>From sdsf ck panel enter E line command on the check line  to enable the
check

*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux
and IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il  **|*





בתאריך יום ו׳, 12 בינו׳ 2024 ב-22:08 מאת Peter Ten Eyck <
04d3761a18a7-dmarc-requ...@listserv.ua.edu>:

> Not sure I follow?
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: HEALTH CHECKER (USS_FILESYS_CONFIG)

[Mark Zelden]

On Fri, 12 Jan 2024 13:25:50 -0600, Peter Ten Eyck 
 wrote:

>Struggling to get HEALTH CHECKER check USS_FILESYS_CONFIG to a state of 
>ACTIVE(ENABLED) on z/OS 2.4. Currently ACTIVE(DISABLED).
>
>Trying commands like: F 
>HZSPROC,ADDREPLACE,CHECK=(IBMUSS,USS_HFS_DETECTED),USS=YES
>
>Is there a command to do this?
>

What are you trying to do?  Did you delete the check?  If so, you can use use 
"F hzsproc,ADDNEW"
or just stop/restart HZSPROC.

If you you are just trying to modify the check, you create a parmlib member 
like HZSPRMxx 
with the "ADDREPLACE" and the policy and do:

 F HZSPROC,REPLACE,PARMLIB=xx 

https://www.ibm.com/docs/en/zos/2.4.0?topic=guide-health-checker-zos

Regards,

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
ITIL v3 Foundation Certified
mailto:m...@mzelden.com
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: HEALTH CHECKER (USS_FILESYS_CONFIG)

[Peter Ten Eyck]

Not sure I follow?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Direct branch entry to ICSF routines

[Eric D Rossman]

Tony Harminc wrote:

> IBM has been quite mixed in its documentation for the various
> "new" callable services that ship with stub routines.

Perhaps IBM as a whole but ICSF has documented our interfaces
in the same way for at least 20 years.

> there is no requirement ... to re-bind with new stubs upon
> every z/OS release.

Correct. ICSF's stubs (and LE interfaces) are forward
compatible, so once you BIND (or link), you don't need to do
it again, in general.

> I find the whole "bind it with a stub" scheme causes all
> kinds of packaging issues

For non-LE, I agree with you.

> and IMHO IBM should just document
> all the calls (as UNIX and RACF do) and perhaps even provide
> their own CSRCALL-type macro.

As much as I think it's a good idea, it's not very high on our
list because there's not been much demand and, as far I know,
there has never been a formal requirement for this.

Eric Rossman

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Direct branch entry to ICSF routines

[Tony Harminc]

On Fri, 12 Jan 2024 at 09:24, Eric D Rossman  wrote:

> There is no documentation because this is not a supported interface. It
> has been suggested in passing but has never been put forward as an official
> requirement.
>
> All LE-capable applications have access to the CSFDLLxx (where xx is
> 31,3X,64) libraries and the csfbext.h C/C++ header to call directly
>
> All non-LE applications have the CSN* and CSN*6 (plus CSF*/CSF*6)
> assembler stubs.
>
> Eric Rossman
> ICSF Architect
>

IBM has been quite mixed in its documentation for the various "new"
callable services that ship with stub routines. UNIX and RACF document the
offsets and calling procedures, and some others (Unicode services) sort of
mention it but don't have a table of routines:offsets. IBM explicitly or
implicitly supports using these offsets in that there is no requirement
(and it would be unreasonable to have one) to re-bind with new stubs upon
every z/OS release.

Many years ago I wrote a macro I called BPXCALL that knew how to invoke any
of the UNIX CSRs by name. Later I extended it to support RACF and then
Unicode services and a few other handy things, and renamed it to CSRCALL.
It's my former employer's, so I can't post it here, but it's certainly not
difficult to write one. For the UNIX version I was able to cut from
the book into the macro. I used some of the HLASM features to make the
generated call code look nice, e.g. it generates (once) and then uses a
symbol for every routine it calls so you don't see a bunch of undocumented
numeric offsets starting from the CVT amd ending in a BASR.

I find the whole "bind it with a stub" scheme causes all kinds of packaging
issues, and IMHO IBM should just document all the calls (as UNIX and RACF
do) and perhaps even provide their own CSRCALL-type macro.

Tony H.

-Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of Binyamin Dissen
> Sent: Friday, January 12, 2024 3:26 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: [EXTERNAL] Direct branch entry to ICSF routines
>
> I have been looking but I have not yet found the explicit doc that shows
> how to call ICSF routines via the CSFCCVT.
>
> Looking at a few of the stub routines I see that they create a linkage
> stack entry and then call the real routine via CSFCCVT but the labels in
> the CSFCCVT are not obviously related to the name of the stub routine.
>
> I am expecting to find something like for the name/token routines, where
> the stub can be used but the direct entry is also documented.
>
> Further research shows that the several routine that I am interested all
> branch to the same EP, but the stub loads a different value into R0. Don't
> ask me why there aren't a list of equated  values for the various functions
> and a parameter with the function code. At any rate, high level language
> routines cannot set R0 but assembler routines certainly can.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: HEALTH CHECKER (USS_FILESYS_CONFIG)

[ITschak Mugzach]

Try E.

*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux
and IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il  **|*





בתאריך יום ו׳, 12 בינו׳ 2024 ב-21:26 מאת Peter Ten Eyck <
04d3761a18a7-dmarc-requ...@listserv.ua.edu>:

> Struggling to get HEALTH CHECKER check USS_FILESYS_CONFIG to a state of
> ACTIVE(ENABLED) on z/OS 2.4. Currently ACTIVE(DISABLED).
>
> Trying commands like: F
> HZSPROC,ADDREPLACE,CHECK=(IBMUSS,USS_HFS_DETECTED),USS=YES
>
> Is there a command to do this?
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: netcat for z/OS?

[Kirk Wolf]

I can neither confirm nor deny that IBM's ssh-proxyc is based on BSD netcat.

Kirk Wolf
Dovetailed Technologies
http:// coztoolkit.com

On Fri, Jan 12, 2024, at 10:42 AM, Grant Taylor wrote:
> On 1/12/24 10:02 AM, Kirk Wolf wrote:
> > IBM ships a command with z/OS:  "ssh-proxyc  - HTTP SOCKS-5 Proxy 
> > command for ssh client"
> 
> Based on the name, that seems to support SOCKS(5) proxy servers.
> 
> The (BSD) netcat (nc) `-X` means to use the HTTP(S) CONNECT protocol proxy.
> 
> > See the IBM z/OS OpenSSH User's Guide for more information.
> 
> I don't have convenient access to that document.  Though I should find a 
> copy as I hope it's as interesting as it could be.
> 
> 
> 
> -- 
> Grant. . . .
> unix || die
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: HEALTH CHECKER (USS_FILESYS_CONFIG)

[Peter Ten Eyck]

Sorry, did not included the error message:

F HZSPROC,ADDREPLACE,CHECK=(IBMUSS,USS_HFS_DETECTED),USS=YES  
ASA101I SYNTAX ERROR:  WAS SEEN, WHERE ONE OF 826
(CHECKROUTINE DATE EXEC INTERVAL  
REASON SEVERITY)  
WOULD BE CORRECT. 
DETECTING MODULE IS HZSIPMX

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

HEALTH CHECKER (USS_FILESYS_CONFIG)

[Peter Ten Eyck]

Struggling to get HEALTH CHECKER check USS_FILESYS_CONFIG to a state of 
ACTIVE(ENABLED) on z/OS 2.4. Currently ACTIVE(DISABLED).

Trying commands like: F 
HZSPROC,ADDREPLACE,CHECK=(IBMUSS,USS_HFS_DETECTED),USS=YES

Is there a command to do this?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: netcat for z/OS?

[Frank Swarbrick]

Yeah, I need a ssh-proxyh, I think!

From: IBM Mainframe Discussion List  on behalf of 
Grant Taylor <023065957af1-dmarc-requ...@listserv.ua.edu>
Sent: Friday, January 12, 2024 9:42 AM
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: netcat for z/OS?

On 1/12/24 10:02 AM, Kirk Wolf wrote:
> IBM ships a command with z/OS:  "ssh-proxyc  - HTTP SOCKS-5 Proxy
> command for ssh client"

Based on the name, that seems to support SOCKS(5) proxy servers.

The (BSD) netcat (nc) `-X` means to use the HTTP(S) CONNECT protocol proxy.

> See the IBM z/OS OpenSSH User's Guide for more information.

I don't have convenient access to that document.  Though I should find a
copy as I hope it's as interesting as it could be.



--
Grant. . . .
unix || die

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: netcat for z/OS?

[Grant Taylor]

On 1/12/24 10:02 AM, Kirk Wolf wrote:
IBM ships a command with z/OS:  "ssh-proxyc  - HTTP SOCKS-5 Proxy 
command for ssh client"


Based on the name, that seems to support SOCKS(5) proxy servers.

The (BSD) netcat (nc) `-X` means to use the HTTP(S) CONNECT protocol proxy.


See the IBM z/OS OpenSSH User's Guide for more information.


I don't have convenient access to that document.  Though I should find a 
copy as I hope it's as interesting as it could be.




--
Grant. . . .
unix || die

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: netcat for z/OS?

[Kirk Wolf]

IBM ships a command with z/OS:  "ssh-proxyc  - HTTP SOCKS-5 Proxy command for 
ssh client"
See the IBM z/OS OpenSSH User's Guide for more information.

Kirk Wolf
Dovetailed Technologies
http:// coztoolkit.com

On Thu, Jan 11, 2024, at 10:16 PM, Frank Swarbrick wrote:
> Is there a netcat or netcat-like tool for z/OS?  Something that can connect 
> to an HTTP proxy?
> The goal is to tunnel an SSH session through an HTTPS proxy.  For example, 
> this works on Linux:
> 
> ssh -o "ProxyCommand nc -X connect -x myproxy:3128 %h %p" g...@ssh.github.com 
> -p 443
> I need nc or something similar on z/OS.  I did find something called 
> NC110-OMVS on github, but I would need to have a license for the C compiler 
> to build it; which I do not have.  There is a "binaries" directory with just 
> 'nc' in it, but it doesn't appear to be in z/OS executable format...
> 
> There's also one written in Go, so maybe that's a possibility, but if there's 
> something already built that would be great.
> 
> Thanks,
> Frank
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: APPN networking - How can you confirm that you are the man in the middle.

[Tom Longfellow]

Yes John, this is APPN over IP Enterprise Extender Pipes.

You have summarized my initial  posting nicely.   My detective and logic skills 
have led me to the same conclusion.My system is being used to connect the 
NODEB and NODEC systems.
While we all know this is true based on inference, I have no proof, report, or 
other smoking gun that I can take to an outside agency as proof this is how it 
is happening.   (Think, really clueless auditors)

I need some sort of verifyable proof in the form of VTAM displays and the like 
that shows how this routing is being performed in the active systems,   How did 
NodeB select NodeA to find NodeC.  What hosts are involved from end to end. 
You can get some of this if you are one of the end nodes (nodeb or nodec) via 
analysis of the RTP links.   With all of the host hop counts and intermediate 
hosts. I need to find something that can be done on the intermediate host 
(nodea)   that shows "SEE, this is how I am being used"

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Direct branch entry to ICSF routines

[Eric D Rossman]

There is no documentation because this is not a supported interface. It has 
been suggested in passing but has never been put forward as an official 
requirement.

All LE-capable applications have access to the CSFDLLxx (where xx is 31,3X,64) 
libraries and the csfbext.h C/C++ header to call directly

All non-LE applications have the CSN* and CSN*6 (plus CSF*/CSF*6) assembler 
stubs.

Eric Rossman
ICSF Architect

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Binyamin Dissen
Sent: Friday, January 12, 2024 3:26 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Direct branch entry to ICSF routines

I have been looking but I have not yet found the explicit doc that shows how to 
call ICSF routines via the CSFCCVT. 

Looking at a few of the stub routines I see that they create a linkage stack 
entry and then call the real routine via CSFCCVT but the labels in the CSFCCVT 
are not obviously related to the name of the stub routine.

I am expecting to find something like for the name/token routines, where the 
stub can be used but the direct entry is also documented.

Further research shows that the several routine that I am interested all branch 
to the same EP, but the stub loads a different value into R0. Don't ask me why 
there aren't a list of equated  values for the various functions and a 
parameter with the function code. At any rate, high level language routines 
cannot set R0 but assembler routines certainly can.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Direct branch entry to ICSF routines

[Binyamin Dissen]

I have been looking but I have not yet found the explicit doc that shows how
to call ICSF routines via the CSFCCVT. 

Looking at a few of the stub routines I see that they create a linkage stack
entry and then call the real routine via CSFCCVT but the labels in the CSFCCVT
are not obviously related to the name of the stub routine.

I am expecting to find something like for the name/token routines, where the
stub can be used but the direct entry is also documented.

Further research shows that the several routine that I am interested all
branch to the same EP, but the stub loads a different value into R0. Don't ask
me why there aren't a list of equated  values for the various functions and a
parameter with the function code. At any rate, high level language routines
cannot set R0 but assembler routines certainly can.

--
Binyamin Dissen 
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN