Re: Standalone DFDSS

2019-10-21 Thread Donald J
The Visara is a CCA-3074. 3074 is FICON point-to-point connected. 
Visara terminals are connected by TCPIP through a switch on a 
private network, and defined as "hot" consoles.  I don't think 
the SSL option was used since it is a simple private network.
The HMC 3270 option was attempted and also got no response.
We are preparing to build a new DR system environment.

> Sent: Monday, October 21, 2019 at 7:02 AM
> From: "Mazer Ken G" <01e8b07bfbbe-dmarc-requ...@listserv.ua.edu>
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Standalone DFDSS
>
> Don,
> 
> Is your Visara connected via OSA-ICC?  Does the console in question receive 
> the OSA-ICC three line display?
> You didn't indicate the reason for running Standalone DFDSS, did you get a 
> new processor or are you setting up a new DR environment.
> 
> The reason I ask these questions is that we just replaced z13's with z14's 
> and the OSA Express6s cards are a little different as they now have TLS 1.0 
> enabled.
> It could be that you need to update your certs on the Visara for the sessions 
> to connect.
> 
> Ken Mazer
> This Cranky Systems Programmer says “Share your knowledge, others may find it 
> useful”
> 
> 
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf Of 
> Donald J
> Sent: Saturday, October 19, 2019 9:26 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Standalone DFDSS
> 
> Thanks Jim & Brian
> We have Visara which seems to not be working.
> Ticket is open on it.
> 
> > Sent: Saturday, October 19, 2019 at 1:08 AM
> > From: "Brian Westerman" 
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: Standalone DFDSS
> >
> > Jim is correct, all it takes is for one of the consoles that is attached to 
> > the ICC, or which you have limited your DFDSS SA build to to press enter.  
> > I have found that almost any key that generates "something" seems to work 
> > though, the function keys, pageup etc.  The ones that just move the cursor 
> > around (i.e. home) don't generate what it's looking for.
> >
> > In short, enter works fine.
> >
> > Brian
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions, send 
> > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> 


Re: Standalone DFDSS

2019-10-19 Thread Donald J
Thanks Jim & Brian
We have Visara which seems to not be working.
Ticket is open on it.

> Sent: Saturday, October 19, 2019 at 1:08 AM
> From: "Brian Westerman" 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Standalone DFDSS
>
> Jim is correct, all it takes is for one of the consoles that is attached to 
> the ICC, or which you have limited your DFDSS SA build to to press enter.  I 
> have found that almost any key that generates "something" seems to work 
> though, the function keys, pageup etc.  The ones that just move the cursor 
> around (i.e. home) don't generate what it's looking for.
>
> In short, enter works fine.
>
> Brian
>


Standalone DFDSS

2019-10-18 Thread Donald J
Question is about generating an interrupt on a console for a standalone restore.
I read this previous post:
https://groups.google.com/forum/#!topic/bit.listserv.ibm-main/lX4ZGaoUH_s

So for a z13 would the interrupt needed be the one described in 
zEnterprise System
Support Element Operations Guide
Version 2.11.1
SC28-6906-01
Chapter 11. CP Toolbox

Interrupt
An interrupt is a processor operation you can use to present an external 
interruption to a processor. If you
have experience using other systems, you may have used an IRPT command or an 
Irpt key to interrupt a
processor.
Follow your local procedures for determining when to interrupt a processor. You 
can use the Support
Element workplace to interrupt any eligible processor. Eligible processors 
include:
v Physical processors that support the image of a central processor complex 
(CPC).
v Logical processors that support the images of logical partitions activated in 
operating modes other than
coupling facility mode.
To interrupt a processor:
1. Log onto the Support Element on the Hardware Management Console through 
Single Object
Operations in operator, advanced operator, system programmer or service 
representative role (see
“Establishing a Support Element console session from a Hardware Management 
Console” on page 3).
2. Locate the CPs you want to work with.
3. Locate and start the Interrupt task.
This immediately performs the operation; an interrupt request is generated for 
the processor.



Re: problem with FTP from Windows 10 to z/OS

2018-06-06 Thread Donald J
> How does the V_PW (variable?) get set?
I have another VBscript that reads the password using
a masked input window.  I use it for ServiceNow queries.
A cookie is then created for ServiceNow which I can use
after that.

> Sent: Wednesday, June 06, 2018 at 8:00 AM
> From: "Paul Gilmartin" <000433f07816-dmarc-requ...@listserv.ua.edu>
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: problem with FTP from Windows 10 to z/OS
>
> On Wed, 6 Jun 2018 13:50:22 +0200, Donald J wrote:
> 
> >You could write a VBscript that creates your FTP script.
> >Store the password in a Win10 user or volatile environment variable.
> >The VBscript could run the FTP script, then delete the script file,
> >so there is no password kept on disk for more than the duration of
> >the ftp.
> > 
> Why not pipe the script output to the FTP command and never have the
> password on disk?
> 
> I suggested bash, which is available on a greater variety of desktop
> systems than VBscript.
> 
> >I would also recommend using FTPS with Curl.
> > 
> I suggested something similar, but the OP is in an ISV position and can't 
> count
> on customers' having optional products.
> 
> >Set the password:
> >set objShell = CreateObject( "WScript.Shell" )
> >Set objSystemEnv = objShell.Environment( "VOLATILE" )
> >objSystemEnv( "ZZPASS" )=V_PW
> >
> How does the V_PW (variable?) get set?
> 
> >Retrieve the password:
> >set objShell = CreateObject( "WScript.Shell" )
> >Set objSystemEnv = objShell.Environment( "VOLATILE" )
> >V_PW = objSystemEnv( "ZZPASS" )
> 
> 
> >> Sent: Monday, June 04, 2018 at 9:47 AM
> >> From: "Kevin Merkley"
> >>
> >> This is something we send out to customers so we have to expect they may 
> >> not have anything available except their Windows FTP client to upload from 
> >> Windows to z/OS.
> 
> -- gil
> 


Re: problem with FTP from Windows 10 to z/OS

2018-06-06 Thread Donald J
You could write a VBscript that creates your FTP script.
Store the password in a Win10 user or volatile environment variable.
The VBscript could run the FTP script, then delete the script file,
so there is no password kept on disk for more than the duration of
the ftp.

I would also recommend using FTPS with Curl.

Set the password:
set objShell = CreateObject( "WScript.Shell" ) 
Set objSystemEnv = objShell.Environment( "VOLATILE" ) 
objSystemEnv( "ZZPASS" )=V_PW

Retrieve the password:
set objShell = CreateObject( "WScript.Shell" )  
Set objSystemEnv = objShell.Environment( "VOLATILE" ) 
V_PW = objSystemEnv( "ZZPASS" ) 


> Sent: Monday, June 04, 2018 at 9:47 AM
> From: "Kevin Merkley" 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: problem with FTP from Windows 10 to z/OS
>
> Thanks for the responses.
> I did receive an explanation that OPTS UTF8 ON is not the problem. The 
> Windows 10 FTP client uses a different function to read the password and 
> always reads it from stdin.
> This is something we send out to customers so we have to expect they may not 
> have anything available except their Windows FTP client to upload from 
> Windows to z/OS.
> We will have to take a different approach.
> Thanks again!
> 


Re: The IRS Really Needs Some New Computers

2018-04-18 Thread Donald J
>Though the IRS has periodically upgraded its computing system, 
>today’s system is still running the same code, which was written 
>nearly 60 years ago.

Six years ago, they had job openings listed for 200 assembler
programmers spread across a dozen cities.  Guess maybe those 
people haven't installed a line of their code yet.

> Sent: Tuesday, April 17, 2018 at 9:57 PM
> From: "Joel C. Ewing" 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: The IRS Really Needs Some New Computers
>
> I read the referenced article.   The title was obviously written by
> someone who isn't sufficiently computer-literate to understand that a
> computer is hardware and that application code is NOT a computer.
> 
> The text of the article flat out says the IRS has repeatedly updated
> hardware over the years.  The reported problem is that it's still
> dependent on some code, written in assembler, that may be 60 years old
> and difficult to maintain.  That's an entirely different problem than
> the title implies.
>     Joel C Ewing
> 
> On 04/17/2018 01:14 PM, Gerhard Adam wrote:
> > Nonsense, the IRS is running Z/13's , etc.  
> >
> > Sent from my iPhone
> >
> >> On Apr 17, 2018, at 11:09 AM, Allan Staller  wrote:
> >>
> >> The IRS has been trying to upgrade both hardware and software for at least 
> >> 30 years I am aware of.
> >> It keeps getting shot down by Congress in the appropriations process.
> >>
> >> The opposite of PROGRESS is CON..
> >>
> >> -Original Message-
> >> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> >> Behalf Of Paul Gilmartin
> >> Sent: Tuesday, April 17, 2018 12:34 PM
> >> To: IBM-MAIN@LISTSERV.UA.EDU
> >> Subject: The IRS Really Needs Some New Computers
> >>
> >> Mostly historical:
> >>
> >> https://apac01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bloomberg.com%2Fview%2Farticles%2F2018-04-17%2Fthe-irs-computer-system-is-the-oldest-in-the-government=02%7C01%7Callan.staller%40HCL.COM%7C792c5b7241dd415a210308d5a48970ff%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C636595832636753536=P6KLIEcmkgNFa4lZeymrTbaQ4XCmyBNo13loxSL1%2F9k%3D=0
> >>
> >> -- gil
> >>
> >> ...
> 
> 
> -- 
> Joel C. Ewing,Bentonville, AR   jcew...@acm.org   
> 


Re: Sungard question - floor z/OS supports UNIX environment?

2018-04-10 Thread Donald J
When the disaster hits, you may not be one of the survivors.
So the plan needs to be prepared and ready in advance such that
any admin could execute it.

For us, Sungard labels the floor volumes as SG.
A VM guest definition should be provided to you in advance with
dasd definitions such as:
*
* 3390-27
*
 LINK DASD 5800 5800 MW
 LINK DASD 5801 5801 MW
 LINK DASD 5802 5802 MW

You should be able to use that as input to a script to generate
the JCL.  A preliminary step for us is to always issue vary online 
commands on the floor system to verify that they really gave us 
all the devices they were supposed to.   Sometimes they miss a 
few which fouls up the DBS restore job.

. I have a
> UNIX program which would make selecting the DASD volsers onto which to
> restore easier to find. And I could then use "awk", or maybe REXX, to
> generate the ADRDSSU job JCL from this list.
> 
> -- 
> We all have skeletons in our closet.
> Mine are so old, they have osteoporosis.
> 
> Maranatha! <><
> John McKown
> 


Re: What cryptographic algorithm is not supported?

2017-11-08 Thread Donald J
I notice your cert display did not list a "Key Usage" section.  

X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment

Digital Signature and Data Encipherment are defaults, but
Key Encipherment does not default and needs to be specified
in Key Usage.

X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Netscape Comment:
OpenSSL Generated Certificate
82:7D:1F:EF:53:DB:3D:E1:14:62:03:49:34:16:A2:92:D9:46:51:1E

> Sent: Tuesday, November 07, 2017 at 10:40 AM
> From: "Charles Mills" 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: What cryptographic algorithm is not supported?
>
> That could be another thread "most useless diagnostic ever."
> 
> Right, that is the API call (apparently) that failed, but I don't think one 
> knows that just from the error message. As I said, I got the same error 
> message for presenting a certificate with a SHA-1 digest (I think). 
> Presumably a different CMS API call but the same external message. Different 
> action for the user.
> 
> I display certificates all the time. My script that issues OpenSSL 
> certificates displays them at the end.
> 
> Charles
> 
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Kirk Wolf
> Sent: Tuesday, November 7, 2017 8:07 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: What cryptographic algorithm is not supported?
> 
> It's not the worst diagnostic situation that I have seen on z/OS (that award 
> would go to the C-library OS I/O stuff IMO).
> 
> In this case, the external API that failed is gsk_decode_import_key(), and if 
> you look it up the error that you are getting is documented:
> https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.gska100/msg34.htm
> 
> The algorithm codes can be found in /usr/include gskcms.h
> x509_alg_pbeWithSha1And40BitRc2Cbc  = 36,  /* 1.2.840.113549.1.12.1.6   */
> 
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com
> 
> PS>  If you want some "fun", take your X.509 cert and load it into an ASN.1
> tool that displays the whole ugly thing
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: zAware?

2017-09-08 Thread Donald J
We are continuing to use the zAware LPAR and its data, but not much with the 
zAware app.
I download the zAware data to my laptop, manipulate and filter it with scripts, 
and output
it to an updated web page every 10 minutes.
 

Sent: Friday, September 08, 2017 at 2:44 AM
From: "Styles, Andy (ITS zPlatform Services)" 
<00d68f765d25-dmarc-requ...@listserv.ua.edu>
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: zAware?
Classification: Public

Morning folks,

We've got a zAware partition running, but we've done almost nothing with since 
it was set up a couple of years back, so we're thinking of dropping it.

Does anyone actively use zAware?

Thanks,

Andy Styles
z/Series Systems Programmer





Re: Looking for mainframe shops Lexington/Cincinnati

2017-08-31 Thread Donald J
>I have also heard that there is an old system at University of Kentucky 
>Medical Center
I had a phone interview with them about 6 years ago.
They were making all their IT employees "re-apply" for their current positions 
and compete
with outsiders for their positions.   I have never heard of that type of 
process being done anywhere else.
 

Sent: Thursday, August 31, 2017 at 7:57 AM
From: "Bill Bishop (TMNA)" 
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Looking for mainframe shops Lexington/Cincinnati
Joel;

Lexington is going to be very tough.

The only zOS shops in the area are the State of Kentucky in Frankfort, Toyota 
in Georgetown, Ashland Oil and Lexmark, both in Lexington itself.

I have also heard that there is an old system at University of Kentucky Medical 
Center.

Toyota is supported out of Plano, Texas now. Lexmark is all outsourced to IBM.

There are several sites in Louisville. Besides those mentioned already, there 
is Kentucky Farm Bureau and Yum Brands that I know of. There may be more.

Pickings are slim in Lexington. That is why I took the move from Georgetown to 
Plano. I was not ready to retire yet.

Thanks

Bill Bishop
Consultant, Mainframe Engineer
Mainframe and Scheduling | Infrastructure Technology Services
Toyota Motor North America
bill.bis...@toyota.com
Office: (469) 292-5149
Cell: (502) 316-4386

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Joel M Ivey
Sent: Wednesday, August 30, 2017 10:09 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Looking for mainframe shops Lexington/Cincinnati

Thank you to all. Several good leads for me. I appreciate it. I'm looking hard 
at the Fort Knox opp, but also hoping to find something there in the Lexington 
area.



Re: Looking for mainframe shops Lexington/Cincinnati

2017-08-28 Thread Donald J
Toyota used to be in Georgetown KY.
WPAFB used to hire a lot of mainframe contractors.
There are also a couple of insurance companies in Cincinnati. 
Cincinnati Bell possibly.
State of KY might have a mainframe in Frankfort.
There is a federal site in Fort Knox with mainframes, might be Army.
 
 

Sent: Saturday, August 26, 2017 at 9:59 PM
From: "Joel M Ivey" 
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Looking for mainframe shops Lexington/Cincinnati
Would appreciate info on zos shops in Lexington KY and Cincinnati OH, for 
possible relo.
What mainframe shops are there???

Thanks,
Joel
Columbia SC



Re: SYSLOG/OPERLOG Keyword Search

2017-02-10 Thread Donald J.
Splunk looks very interesting.
Too bad they don't support z/Linux.

-- 
  Donald J.
  dona...@4email.net

On Fri, Feb 10, 2017, at 06:44 AM, Pew, Curtis G wrote:
> On Feb 10, 2017, at 8:30 AM, Donald J. <dona...@4email.net> wrote:
> > 
> > What programs (free or IBM or other) are available for doing historical 
> > keyword
> > searches against the SYSLOG or OPERLOG archives?  ISPF or otherwise.
> 
> I don’t think this is exactly what you’re asking for, but we forward our 
> OPERLOG to Splunk and then we can do all kinds of searches and reports.
> 
> -- 
> Pew, Curtis G
> curtis@austin.utexas.edu
> ITS Systems/Core/Administrative Services
> 
> 


Re: SYSLOG/OPERLOG Keyword Search

2017-02-10 Thread Donald J.
Another team member  installed an ISPF product written at one of his
former places of employment.  We were investigating other products.
The ISPF panel allows entering starting/end date and time, along
with up to 3 keyword strings with AND or OR operatives.
The console log lines with those keywords are then returned.

-- 
  Donald J.
  dona...@4email.net

On Fri, Feb 10, 2017, at 06:36 AM, Lizette Koehler wrote:
>   So you can use (depending on level of z/OS) the SDSF REXX function.
>   REXX
>   DFSORT
>   SAS
>   CA EASYTRIEVE
>   CA EARL
>   SYNSORT
> 
> And so on.  If you have the SYSLOG copied off to a physical file, it is 
> easily read
> 
> If you are asking about REAL TIME Processing, then you would need to look at 
> extracting data (ISFBATCH, or OPERLOG Function) then using one or more of the 
> above tools.  You will be scanning a line for a string.
> 
> 
> It will really depend on your requirements.  REAL TIME or after the fact.
> 
> What problem are you trying to solve?
> 
> Lizette
> 
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> > Behalf Of Donald J.
> > Sent: Friday, February 10, 2017 7:31 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: SYSLOG/OPERLOG Keyword Search
> > 
> > What programs (free or IBM or other) are available for doing historical
> > keyword searches against the SYSLOG or OPERLOG archives?  ISPF or otherwise.
> > 
> > --
> >   Donald J.
> >   dona...@4email.net
> > 
> 


SYSLOG/OPERLOG Keyword Search

2017-02-10 Thread Donald J.
What programs (free or IBM or other) are available for doing historical keyword
searches against the SYSLOG or OPERLOG archives?  ISPF or otherwise.

-- 
  Donald J.
  dona...@4email.net



Re: Mainframe printer connectivity

2017-01-19 Thread Donald J.
http://www.support.xerox.com/support/xpaf/support/enus.html

-- 
  Donald J.
  dona...@4email.net

On Wed, Jan 18, 2017, at 09:51 PM, venkat kulkarni wrote:
> Hello Group,
> 
> Currently we are using mainframe printer with bus and tag connectivity with
> Xerox printer via prism hardware, which helps us to convert FICON to bus and
> tag.
> 
> But now, we would like to use tcpip connectivity for mainframe connectivity
> with Xerox printer.
> 
> Can you please guide that how this new connectivity can be establish and do
> we need to buy any additional piece of hardware or software . I was reading
> about info print but didn't get much detail .
> 
> Please suggest.
> 
> Regards
> Venkat
> 


Re: IBM Lays Out Plans to Hire 25,000 in U.S. Ahead of Trump Meeting

2016-12-14 Thread Donald J.
I tried to re-apply for an opening.
Got to page 9 of the 10 page online form.
It said something about if former employee, fill out item X.
Unfortunately item X was not on that page, and hitting
NEXT button asked again to complete item X.

-- 
  Donald J.
  dona...@4email.net

On Tue, Dec 13, 2016, at 05:43 PM, Roger W Suhr wrote:
> Yeah, but what kinds of jobs?  It doesn't matter, I won't go back to work for 
> IBM,  because ...



Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?

2016-11-30 Thread Donald J.
If you are connecting to the z/OS HTTP server, why not use the curl client with the https 
option?

# Curl Configuration File c:\u\curl\curl.https.conf
--tlsv1
--user user142
--url "https://mvs11.xyz.us/html/Index.html"
--output sy11.index.html
--cacert /u/data/cacerts.pem
-X POST
-H "content-type: text/html"
#--trace /u/curl/curlhttp.trace.log

-- 
  Donald J.
  dona...@4email.net

On Wed, Nov 30, 2016, at 08:16 AM, Dyck, Lionel B. (TRA) wrote:
> Thank you - I'll pass that along as an option - was told ftp/sftp was not an 
> option but we'll see
> 
> --
> Lionel B. Dyck (TRA Contractor)
> Mainframe Systems Programmer 
> Enterprise Infrastructure Support (Station 200) (005OP6.3.10)
> VA OI Service Delivery & Engineering
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Vitullo, Carmen P
> Sent: Wednesday, November 30, 2016 10:12 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?
> 
> I believe you can configure the Apache HTTP server on Z to allow a secure FTP 
> protocol https://httpd.apache.org/mod_ftp/ftp/ftp_tls.html
> 
> 
> 
> Carmen Vitullo
> Lead Systems Programmer
> 
> Arkansas Blue Cross and Blue Shield
> IT Infrastructure Services
> 515 West Pershing Blvd.
> North Little Rock, Arkansas 72114
> Office: 501.210.4705
> Cell: 501.514.4266
> cpvitu...@arkbluecross.com
> arkansasbluecross.com 
> 
> 
> 
> 
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Dyck, Lionel B. (TRA)
> Sent: Wednesday, November 30, 2016 10:02 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?
> 
> Needs to be web based
> 
> 
> --
> Lionel B. Dyck (TRA Contractor)
> Mainframe Systems Programmer  Enterprise 
> Infrastructure Support (Station 200) (005OP6.3.10) VA OI Service Delivery & 
> Engineering
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Lizette Koehler
> Sent: Wednesday, November 30, 2016 9:59 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?
> 
> So FileZilla is perhaps an option?
> 
> Lizette
> 
> 
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
> > On Behalf Of Dyck, Lionel B. (TRA)
> > Sent: Wednesday, November 30, 2016 8:48 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?
> > 
> > I don't want to emulate DROPBOX - I want a place to upload and 
> > download files
> > - bad choice of terms apparently.
> > 
> > 
> > --
> > 
> > Lionel B. Dyck (TRA Contractor)
> > Mainframe Systems Programmer  Enterprise 
> > Infrastructure Support (Station 200) (005OP6.3.10) VA OI Service 
> > Delivery & Engineering
> > 
> > 
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
> > On Behalf Of Steve
> > Sent: Wednesday, November 30, 2016 9:40 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?
> > 
> > 
> > One way would be to use ADRDSSU to dump the files. Then TERSE the 
> > output then FTP in BINARY to your PC then put it into DROPBOX
> > 
> > 
> > Steve Beaver
> > st...@stevebeaver.com
> > 
> > 
> > 
> > 
> > -Original Message-
> > From: "Dyck, Lionel B. (TRA)" <lionel.d...@va.gov>
> > Sent: Wednesday, November 30, 2016 10:18am
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?
> > 
> > 
> > 
> > Looking for a simple way a user can upload a file to z/OS in a secure 
> > way and also download a file securely. A web interface would be fine 
> > where the user has to logon. Would expect it to use https for security.
> > 
> > thx
> > 
> > --
> > 
> > Lionel B. Dyck (TRA Contractor)
> > Mainframe Systems Programmer  Enterprise 
> > Infrastructure Support (Station 200) (005OP6.3.10) VA OI Service 
> > Delivery & Engineering
> > 
> > 
> > -Original Message-
> > From: IBM Mainframe Dis
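
Added example (not Donald J's code and not part of the thread): a Python audit of a curl config file like the one posted above, flagging options that weaken the transfer, with the posted settings next to a tightened variant. `PAGE_CONFIG` reuses the options from the message with the URL's closing quote in place; `HARDENED_CONFIG`, `WEAK_CONFIG` and the finding codes are constructed for illustration.

```python
"""Audit a curl config file (curl -K / --config syntax) for weak settings."""
import re
from urllib.parse import urlsplit

SECURE_SCHEMES = {"https", "ftps", "sftp", "scp"}
# Options that let curl negotiate below TLS 1.2 (--tlsv1 means TLS 1.0 or later).
WEAK_TLS_FLOOR = {"-1", "--tlsv1", "--tlsv1.0", "--tlsv1.1",
                  "-2", "--sslv2", "-3", "--sslv3"}


def parse_curl_config(text):
    """Return [(option, value)]; comments and blank lines are skipped."""
    options = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Option and value are separated by whitespace, '=' or ':'.
        match = re.match(r"([^\s=:]+)\s*[=:]?\s*(.*)$", line)
        if not match:
            continue
        name, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if not name.startswith("-"):  # long options may omit the dashes
            name = "--" + name
        options.append((name, value))
    return options


def audit_curl_config(text):
    """Return [(code, detail)] for settings that weaken the transfer."""
    findings = []
    for name, value in parse_curl_config(text):
        if name in ("--insecure", "-k"):
            findings.append(("no-verify", "server certificate is not verified"))
        elif name == "--url":
            scheme = urlsplit(value).scheme.lower()
            if scheme not in SECURE_SCHEMES:
                findings.append(("cleartext-url", "URL is not TLS/SSH: " + value))
        elif name in ("--user", "-u"):
            _, sep, password = value.partition(":")
            if sep and password:
                findings.append(("inline-password", "password stored in the file"))
        elif name in WEAK_TLS_FLOOR:
            findings.append(("tls-floor", name + " permits versions below TLS 1.2"))
    return findings


# Options as posted in the message above.
PAGE_CONFIG = '''
--tlsv1
--user user142
--url "https://mvs11.xyz.us/html/Index.html"
--output sy11.index.html
--cacert /u/data/cacerts.pem
-X POST
-H "content-type: text/html"
'''

# Constructed: same transfer with a TLS 1.2 floor.
HARDENED_CONFIG = PAGE_CONFIG.replace("--tlsv1\n", "--tlsv1.2\n")

# Constructed: what the audit is meant to catch (placeholder password).
WEAK_CONFIG = '''
url = "http://mvs11.xyz.us/html/Index.html"
user = "user142:EXAMPLE-ONLY"
insecure
tlsv1.2
'''

if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG),
                       ("weak", WEAK_CONFIG)):
        print(label, audit_curl_config(cfg))
```

With `--user user142` and no password in the file, curl prompts for the password at run time, so the only finding for the posted config is the TLS floor.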

Re: Sftp implementation

2016-11-18 Thread Donald J.
psftp is an sftp client available with the putty download.

-- 
  Donald J.
  dona...@4email.net

On Fri, Nov 18, 2016, at 02:09 AM, venkat kulkarni wrote:
> Hello,
> 
> We are doing sftp implementation but I am not able to find way to test this
> scenarios. For ftp, i can test using window cmd prompt and try transferring
> files from mainframe to local system.
> 
> But how do I test this new sftp. Also wanted to check that if we have any
> constraint on sftp that only once files can be used for sftp not the z/os
> files.
> 
> Please help
> 


Re: LDAP on z/os

2016-11-17 Thread Donald J.
You have two issues to consider.  

a) what ldap strings the client is "programmed" to be able to send.
check your ITDS log file (or trace) on z/os to see what is being sent
and make adjustments if needed

b) what ldap strings the Tivoli Directory Server will accept.
Only a few filters are allowed for the RACF backend.  The RACF
backend schemas cannot be modified

But also read up on native authentication.  That allows a 
non-RACF userid to utilize the RACF password for some other
(or same) userid using a separate ITDS backend.

Then you can also define non-RACF userids with non-RACF passwords
in a separate ITDS backend.  And configure it as you please.

-- 
  Donald J.
  dona...@4email.net

On Thu, Nov 17, 2016, at 01:44 AM, venkat kulkarni wrote:
> We need LDAP for two user id authentication purpose. Do we have any way to
> implement this change
> 
> On Nov 17, 2016 12:32, "Elardus Engelbrecht" <elardus.engelbre...@sita.co.za>
> wrote:
> 
> > venkat kulkarni wrote:
> >
> > >Thanks for reply. We want to implement LDAP for initial login
> > authentication purpose.
> >
> > That is somewhat another story. Here we use the LDAP to reset the ids
> > after verification. Then thereafter the user logon to the application with
> > the id.
> >
> > Please tell us for what application(s) do you want the authentication
> > process?
> >
> > Groete / Greetings
> > Elardus Engelbrecht
> >


Re: TCP/IP SSL trace help please xposted to IBMMAIN

2016-11-16 Thread Donald J.
Try tracing the batch job name.
Your job is a client which does not use your ftp server;
it uses the ibm smp ftp server.

-- 
  Donald J.
  dona...@4email.net

On Wed, Nov 16, 2016, at 11:19 AM, Ward, Mike S wrote:
> Hello all, we are having a little FTPS problem. As you can see below we are 
> getting: EZA1735I Std Return Code = 10234, Error Code = 00017
> We are using the smpe secure procedure. We did this last month and it worked 
> fine now we are getting the above error.
> We are trying to get an SSL trace of the problem, but we can't seem to get it 
> to work. Below are the commands that we are using to start the SSL trace.
> After we run the job and stop the trace the dataset we use on GSKWTR is 
> empty. Can someone help us with the GSK trace? Oh the jobname of the FTP 
> started task is FTPD1. We have also tried tracing the TCPIP task same results.
> 
> Thanks
> 
> S GSKSRVR
> TRACE CT,WTRSTART=GSKWTR
> TRACE CT,ON,COMP=GSKSRVR
> R n,JOBNAME=(yyy),OPTIONS=(LEVEL=255),WTR=GSKWTR,END where yyy is the
> name of STC.
> 
> SMPE FTP JOB
> 
> TRACE CT,OFF,COMP=GSKSRVR
> TRACE CT,WTRSTOP=GSKWTR
> get into IPCS
> update 0 DEFAULTS - Specify default dump and options with GSKWTR produced
> 
> 
> 
> 
> > /bin/ftp -e -v -f "//'SSF1.SMPE.JCL(FTPDATA)'" deliverycb-bld.dhe.ibm.com
> 
> EZY2640I Using 'SSF1.SMPE.JCL(FTPDATA)' for local site configuration parameters.
> 
> EZYFT25I Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the control connection.
> EZYFT31I Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the data connection.
> EZA1450I IBM FTP CS V1R13
> EZA1772I FTP: EXIT has been set.
> EZYFT18I Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages.
> EZA1554I Connecting to: dispby-117.boulder.ibm.com 170.225.15.117 port: 21.
> 220-IBM's internal systems must only be used for conducting IBM's
> 220-business or for purposes authorized by IBM management.
> 220-
> 220-dhebpcb01 secure FTP server
> 220  ready.
> EZA1701I >>> AUTH TLS
> 234 TLSv1
> EZA2897I Authentication negotiation failed
> EZA2898I Unable to successfully negotiate required authentication
> EZA1735I Std Return Code = 10234, Error Code = 00017
> 
> EZA2897I Authentication negotiation failed
> EZA2898I Unable to successfully negotiate required authentication
> 
> 
> SSF1.SMPE.JCL(FTPDATA) contains the below.
> 
> SECURE_MECHANISM TLS
> TLSRFCLEVEL CCCNONOTIFY
> TLSMECHANISM FTP
> SECURE_FTP REQUIRED
> SECURE_CTRLCONN CLEAR ; COMMANDS MAY BE CLEAR (UNENCRYPTED).
> SECURE_DATACONN PRIVATE ; PAYLOAD MUST BE ENCRYPTED.
> KEYRING S250SAC/IBMSHOPZ
> EPSV4 TRUE
> 


Re: IBM FTPS connect

2016-09-15 Thread Donald J.
What is the output of :

RACDCERT ID(MP81136) LISTRING(bexarftp)

-- 
  Donald J.
  dona...@4email.net

On Wed, Sep 14, 2016, at 08:05 AM, Mark Pace wrote:
> I'm having them look at the firewall.  I tried HTTPS, but I believe at 1.13
> it required a PTF to support https.  They must not have it applied as I get
> a syntax error on the downloadmethod and the downloadkeyring parameters.
> 
> On Wed, Sep 14, 2016 at 8:44 AM, Kurt Quackenbush <ku...@us.ibm.com> wrote:
> 
> > On 9/12/2016 12:27 PM, Mark Pace wrote:
> >
> >> I'm setting up FTPS on a 1.13 system and am a little confused by this
> >> sequence.  It logs on okay showing a secure connect.  But then it won't do
> >> the actual download. So I'm confused if it's the certificate or not.
> >>
> >
> > Not the certificate.
> >
> > 150 Opening BINARY mode SSL data connection for
> >> /GIMPAF.XML.
> >> EZA2870I TLS security mechanism negotiation failed - data connection
> >> closed
> >> 425 ftpd: (data conn) SSL_accept unspecified
> >> error
> >>
> >
> > I haven't seen this one before.  Your FTP.DATA seems proper.  Could be a
> > firewall issue as someone suggested.  Sorry, but I think you'll need to
> > open a problem with IBM Comm Server support and ask for their help to debug
> > further.  Perhaps an IP trace is in order.
> >
> > As Skip suggested, HTTPS is usually way easier to use, especially with
> > respect to firewalls.  Check it out:
> > http://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.
> > ibm.zos.v2r2.gim3000/dsetups.htm
> >
> > Kurt Quackenbush -- IBM, SMP/E Development
> >
> >
> >
> 
> 
> 
> -- 
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
> 
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
> 


Re: Secure FTP to IBM ?

2016-09-08 Thread Donald J.
The testcase.boulder.ibm.com ftp server  uses this certificate chain:

Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=testcase.boulder.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

The ftp.ap.ecurep.ibm.com & ftp.ecurep.ibm.com ftp servers use these certificate chains:

Certificate chain
 0 s:/C=DE/ST=Rheinland-Pfalz/L=Mainz/O=IBM Deutschland GmbH/CN=ftp.ap.ecurep.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SHA256 SSL CA
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SHA256 SSL CA
   i:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
 2 s:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
   i:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3

Certificate chain
 0 s:/C=DE/ST=Rheinland-Pfalz/L=Mainz/O=IBM Deutschland GmbH/CN=ftp.ecurep.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SHA256 SSL CA
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SHA256 SSL CA
   i:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
 2 s:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
   i:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3

So, the instructions will work for the last 2 ecurep ftp servers:

>GeoTrust certificate installation instructions
>MVS (OS/390, z/OS) FTP Clients only
>Please follow the directives below to establish the necessary RACF definition.
>Obtain the Equifax CA certificate.
>Below you will find the contents of the CURRENT Equifax CA certificate.
>Current Contents of the GeoTrust Trusted Root Certificate: Equifax Secure 
>Certificate Authority

The last 3 comments above are incorrect.  The contents listed are not for the 
"Equifax Secure Certificate Authority"  CA certificate. The contents are for
 the "GeoTrust Primary Certification Authority - G3" CA certificate.

The "Equifax Secure Certificate Authority"  CA certificate contents would be:

-- 
  Donald J.
  dona...@4email.net

On Wed, Sep 7, 2016, at 02:02 PM, John Eells wrote:
> Dyck, Lionel B. , TRA wrote:
> > Is there a way to use FTP TLS from z/OS to testcase.boulder.ibm.com to 
> > upload dumps/etc. ?
> 
> Both testcase and ecurep are supposed to support FTPS and SFTP.  See 
> this page for instructions:
> 
> http://www-05.ibm.com/de/support/ecurep/send_ftp.html#ftps
> 
> 
> -- 
> John Eells
> IBM Poughkeepsie
> ee...@us.ibm.com
> 

Re: SHARE Atlanta proceedings

2016-08-15 Thread Donald J.
Share 117 thru 125 were loaded at orderly locations:
https://share.confex.com/share/117/webprogram/uploadlistall.html
...
https://share.confex.com/share/125/webprogram/uploadlistall.html

They seem to have migrated off that trail with 126.

-- 
  Donald J.
  dona...@4email.net

On Mon, Aug 15, 2016, at 10:39 AM, Mark Post wrote:
> >>> On 8/15/2016 at 11:48 AM, Norman Hollander on Desertwiz
> <norman.hollan...@desertwiz.biz> wrote: 
> > Too bad they didn't ask for our preference.  I like being able to download
> > individual sessions, rather than the
> > entire thing.
> 
> You still can, it's just a PITA unless you know how to write scripts to 
> download and parse the HTML in use.  I do this for the LVM program.
> 
> > Don't know if an ISO image is that much smaller than all of
> > the individual files.
> 
> Almost certainly not, since there are some HTML files and images for the web 
> interface the DVD presents.  It's not about reducing the amount of downloads, 
> it's about saving the costs of manufacturing and distribution.
> 
> 
> Mark Post
> 

Re: SMPE receive order broken this morning?

2016-08-15 Thread Donald J.
It appears their ftp server is only accepting TLS1.0 at the moment.
All other options fail.

== Info: TLSv1.1, TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
== Info: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
== Info: Closing connection 0

The http server port 443 accepts 1.0/1.1/1.2.   


-- 
  Donald J.
  dona...@4email.net

On Mon, Aug 15, 2016, at 07:01 AM, Richards, Robert B. wrote:
> Dave,
> 
> It is not just you. I sent a note at 6:48am entitled " PTF order fulfillment 
> issues and getting HOLDDATA". 
> 
> I have not opened a SR yet, so if you get a quick reply, please post what 
> they say. 
> 
> In my case, a FTP GET for full HOLDDATA also failed.
> 
> Bob
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Jousma, David
> Sent: Monday, August 15, 2016 9:40 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: SMPE receive order broken this morning?
> 
> All,
> 
> I apologize if this has been asked, but I've been on vacation for the last 
> week or two.  Last time it worked for me was prior to this.   Seems like 
> something changed?  Seems to be refused at IBM end.   I do have ticket open 
> with them, but thought maybe I might have missed something.
> 
> > /bin/ftp -e -v -f "//'SYS1.TCPPARMS(FTPSECUR)'" 
> > deliverycb-bld.dhe.ibm.com
> 
> EZY2640I Using 'SYS1.TCPPARMS(FTPSECUR)' for local site configuration parameters.
> EZYFT25I Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the control connection.
> EZYFT31I Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the data connection.
> EZA1450I IBM FTP CS V2R2
> EZA1772I FTP: EXIT has been set.
> EZYFT18I Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages.
> EZA1554I Connecting to: dispby-117.boulder.ibm.com 170.225.15.117 port: 21.
> 220-IBM's internal systems must only be used for conducting IBM's 
> 220-business or for purposes authorized by IBM management.
> 220-
> 220-Use is subject to audit at any time by IBM management.
> 220-
> 220 dhebpcb01 secure FTP server ready.
> EZA1701I >>> AUTH TLS
> 234 SSLv23/TLSv1
> EZA2897I Authentication negotiation failed
> EZA2898I Unable to successfully negotiate required authentication
> EZA1735I Std Return Code = 10234, Error Code = 00017
> 
> _
> Dave Jousma
> Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
> 1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 
> 616.653.2717
> 

Re: Secure FTP process for IBM Download

2016-07-20 Thread Donald J.
Based on a brief amount of testing I did, running FTP with 
TLSMECHANISM ATTLS (Pagent) did not work for me, but
running outside of Pagent (TLSMECHANISM FTP) did work.

But using the HTTPS port 443 works fine and doesn't require
you to setup and maintain yet another customized FTP.DATA 
for this one connection.

-- 
  Donald J.
  dona...@4email.net

On Wed, Jul 20, 2016, at 07:51 AM, Walser, Susan L wrote:
> Greetings All,
> 
> Has anyone set this up using RACF and the GEO.Trust.Cert who would be 
> available to answer a few questions for me?  I have the key ring added and 
> the Cert connected.
> 
> Thanks,
> Susan Walser
> Lead RACF Engineer, Mainframe Engineering | IT Production Services
> TIAA Financial Services
> Tel:  404 374-3858
> susan.wal...@tiaa-cref.org
> 


Re: z/OS OpenSSL, SelfSigned Certs, etc

2016-06-22 Thread Donald J.
There is no confusion.   When someone mentions a self-signed certificate, 
they are almost always not referring to root certificates, but to simpleton 
user certificates where Issuer=Subject.  The topic of my post was obviously 
user-generated self-signed certificate vs user-generated non-self-signed
certs.   The ranting about purchased vendor certificates is "off topic".

-- 
  Donald J.
  dona...@4email.net

On Wed, Jun 22, 2016, at 08:17 AM, Charles Mills wrote:
> Right.
> 
> This is the confusion on what self-signed means. 



z/OS OpenSSL, SelfSigned Certs, etc

2016-06-22 Thread Donald J.
I notice Rocket is including a copy of OpenSSL 1.0.2c 
in their ported tools Curl download.   With the recent 
talk about negative aspects of using self signed certs, 
I attempted to see if that OpenSSL could be used to
generate a root certificate and a user cert chained to 
that root cert.  Looks like it only takes 5 or 6 commands:

#!/bin/sh
export CA_NAME=acme.domain.ca
export SSL_HOME=/home/user123/openssl
export OPENSSL_CONF=/home/user123/openssl/conf/openssl.cfg
export SSL_USER=USER123
export SSL_SER=1234
#
# v3_ca, v3_csr and v3_req below are section names in openssl.cfg
#
# Generate CA Root Cert
openssl genrsa -out $SSL_HOME/certs/$CA_NAME.key 2048
openssl req -new -x509 -days 5000 -extensions v3_ca \
  -key $SSL_HOME/certs/$CA_NAME.key -out $SSL_HOME/certs/$CA_NAME.pem
#
# Generate User Cert in pem and pkcs12 formats
openssl genrsa -out $SSL_HOME/certs/$SSL_USER.key 2048
openssl req -new -sha256 -reqexts v3_csr -key $SSL_HOME/certs/$SSL_USER.key \
  -out $SSL_HOME/certs/$SSL_USER.csr
# Sign the request with the CA key
openssl x509 -req -sha256 -extfile $OPENSSL_CONF -extensions v3_req -days 730 \
  -in $SSL_HOME/certs/$SSL_USER.csr -CA $SSL_HOME/certs/$CA_NAME.pem \
  -CAkey $SSL_HOME/certs/$CA_NAME.key -set_serial $SSL_SER \
  -out $SSL_HOME/certs/$SSL_USER.pem
# Bundle user cert and key as PKCS12
openssl pkcs12 -export -in $SSL_HOME/certs/$SSL_USER.pem \
  -inkey $SSL_HOME/certs/$SSL_USER.key -out $SSL_HOME/certs/$SSL_USER.p12 \
  -password file:$SSL_HOME/password.txt
# End

The PKCS12 certificate created was successfully tested using Curl FTPS.
Note that the password.txt file must be in ASCII, not EBCDIC.
Only other task is to prepare an openssl.cfg file [ and for IBM to include
a working example in their manual(s)  ].

I did have a problem trying to define crlDistributionPoints and 
authorityInfoAccess due to probable ASCII/EBCDIC issues.  But
those items aren't needed for basic testing.

-- 
  Donald J.
  dona...@4email.net



Re: Mounting NFS Directory on zOS as Binary

2016-06-22 Thread Donald J.
The difficult part can be establishing security.  What do you
have in your export file for security?  For initial testing, 
easiest to just allow access to the z/OS NFS from the
IP address of your zLinux with a command like:
/sandbox1   -rw=192.168.231.10 
 Then add better security after you get it working.
 Also do you have the host names defined in a 
host table or DNS server?
-- 
  Donald J.
  dona...@4email.net

On Tue, Jun 21, 2016, at 01:47 PM, Jasi Grewal wrote:
> Greetings, I am trying to mount this zLinux Filesystem on zOS using NFS with 
> the following command and it seems that either is not supported as Binary or 
> I am missing something.
> 
> mount filesystem('lozlnx00:/sandbox') type(nfs) 
> mountpoint('/nfsmnts/lozlnx00/sandbox') 
> parm('lozlnx00:"/sandbox,binary",xlat(y),vers(3)') 
> 
> I get the following error:
> BPXF162E ASYNCHRONOUS MOUNT FAILED FOR FILE SYSTEM LOZLNX00:/SANDBOX. 
>
> BPXF135E RETURN CODE 046A, REASON CODE 6E2A1003.  THE MOUNT FAILED FOR 
> FILE SYSTEM LOZLNX00:/SANDBOX.
> 
> Any information would be grateful.
> Thank You in advance,
> Regards,
> 
> Jasi Grewal.
> 


z/OS XL C/C++ Requirement

2016-06-02 Thread Donald J.
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.e0zb100/pgmreqs.htm
IBM document above states IP Services has following requirements:
 
- For user-written programs in C that interface to an X Window System client, 
Remote Procedure Call, TCP or UDP protocol boundary, DPI, IP, or z/OS UNIX 
feature (Rcommands, RPC, or X Window System), you require the z/OS XL C/C++ 
feature.

- For TCP/IP functions written in C (C sample programs, Network Database System 
client and server, Network Computing System, Remote Procedure Call, non-z/OS 
UNIX X Window System) or z/OS UNIX features (ONC/RPC, X Window System), you 
require the z/OS XL C/C++ feature.

First statement is about user written programs.  So I assume 2nd statement is 
about non-user written programs.  Why is  the C/C++ compiler required by me for 
vendor written programs/features/functions?

Only thing I have used the compiler on previous versions is to compile the 
XAUTH program, and it should be upward compatible for new releases.

-- 
  Donald J.
  dona...@4email.net



Re: [EXTERNAL] Re: smp/e sha-2 support?

2016-05-17 Thread Donald J.
Yes.  When I go to port 443 I also see the correct chain:
openssl s_client -debug -connect dispby-117.boulder.ibm.com:443 -state

SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=deliverycb-bld.dhe.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

When I go to port 21, I see:
openssl s_client -debug -connect dispby-117.boulder.ibm.com:21 -state -starttls ftp

SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=deliverycb-bld.dhe.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-- 
  Donald J.
  dona...@4email.net

On Tue, May 17, 2016, at 05:08 PM, Andrew Rowley wrote:
> On 18/05/2016 0:53, John Eells wrote:
> > - Added support for both SHA-2 (SHA-256) and 2048-bit RSA certificates.**
> > - Put the package signing verification certificate where "anyone could 
> > get it"
> > - Made the signing (certificate-based) check optional.
> > - Continued to keep the integrity checking optional, whether based on 
> > SHA-2 or SHA-1.
> >
> > Would that meet the set of needs we've been talking about?
> >
> > * As usual, no promises.
> > ** I think we have to keep the SHA-1 support because we create an 
> > incompatibility if we don't.
> 
>  From Donald's post it sounds like the original problem might be the 
> FTPS/HTTPS certificates, not the SHA1 verification of data already 
> transmitted over a secure channel. This makes more sense from an audit 
> point of view, and I think someone suggested a firewall was complaining 
> -  it would have no awareness of what was done with the data after 
> transmission. In that case fixing the certificate is the simple solution.
> 
> I just checked deliverycb-bld.dhe.ibm.com and I see a different 
> certificate chain to Donald - I see the 023456 GeoTrust Global CA. Is it 
> possible that it resolves to multiple hosts with different certificates 
> e.g. in different countries, or that it has just been fixed?
> 
> On the question of package signing, I would suggest that it should be 
> done using the usual methods which means that you don't need to put a 
> certificate where anyone can get it.
> 
> z/OS should have the common root CAs installed with the operating system 
> (if it doesn't already). Then (as I understand it) the signed 
> certificate is included with the signature. To verify it you then follow 
> the chain of signed certificates until you get to one signed by the root 
> CA that you already have.
> 
> This means that you can verify the origin of something without knowing 
> the correct place to get that particular public key.
> 
> Andrew Rowley
> 
> 
> -- 
> Andrew Rowley
> Black Hill Software
> +61 413 302 386
> 
> 
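The two listings in the post above differ only in where the chain, as sent by the server, ends. As an added example (not part of the original post; function and variable names are illustrative), this Python sketch parses `openssl s_client` "Certificate chain" text, re-joins lines wrapped by e-mail, checks that each issuer matches the next subject, and reports the depth at which two chains diverge.

```python
import re

# Chain listings taken from the post (openssl s_client output). The port-21
# copy keeps the e-mail line wrap after "MACHINES " to exercise the re-join.
CHAIN_PORT_443 = (
    "Certificate chain\n"
    " 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES "
    "CORPORATION/CN=deliverycb-bld.dhe.ibm.com\n"
    "   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3\n"
    " 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3\n"
    "   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA\n"
    " 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA\n"
    "   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA\n"
)
CHAIN_PORT_21 = (
    "Certificate chain\n"
    " 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES \n"
    "CORPORATION/CN=deliverycb-bld.dhe.ibm.com\n"
    "   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3\n"
    " 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3\n"
    "   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA\n"
    " 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA\n"
    "   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority\n"
    " 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority\n"
    "   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority\n"
    "---\n"
)

# "N s:<subject>" starts a certificate, "i:<issuer>" completes it.
ENTRY = re.compile(r"^\s*(?:(\d+)\s+s:|i:)(.*)$")


def parse_chain(text):
    """Return [{'depth', 'subject', 'issuer'}, ...] from s_client chain text."""
    certs, field = [], None
    for line in text.splitlines():
        if line.strip() == "---" and certs:
            break                               # end of the chain section
        m = ENTRY.match(line)
        if m and m.group(1) is not None:
            certs.append({"depth": int(m.group(1)),
                          "subject": m.group(2), "issuer": ""})
            field = "subject"
        elif m and certs:
            certs[-1]["issuer"] = m.group(2)
            field = "issuer"
        elif certs and line.strip():
            certs[-1][field] += line            # wrapped continuation line
    for cert in certs:
        cert["subject"] = cert["subject"].strip()
        cert["issuer"] = cert["issuer"].strip()
    return certs


def analyze(certs):
    """Check issuer/subject linkage and report where the sent chain ends."""
    links_ok = all(certs[n]["issuer"] == certs[n + 1]["subject"]
                   for n in range(len(certs) - 1))
    top = certs[-1]
    return {"length": len(certs), "links_ok": links_ok,
            "top_self_signed": top["subject"] == top["issuer"],
            "ends_at": top["issuer"]}


def first_difference(chain_a, chain_b):
    """Return (depth, field) of the first mismatch between two chains."""
    for a, b in zip(chain_a, chain_b):
        for field in ("subject", "issuer"):
            if a[field] != b[field]:
                return a["depth"], field
    if len(chain_a) != len(chain_b):
        return min(len(chain_a), len(chain_b)), "length"
    return None


def short_name(dn):
    """Last CN= or OU= component of a one-line DN, for display."""
    parts = re.findall(r"/(?:CN|OU)=([^/]+)", dn)
    return parts[-1] if parts else dn


if __name__ == "__main__":
    for label, text in (("443", CHAIN_PORT_443), ("21", CHAIN_PORT_21)):
        info = analyze(parse_chain(text))
        print("port %s: %d certs, links ok=%s, ends at %s" % (
            label, info["length"], info["links_ok"],
            short_name(info["ends_at"])))
    print("first difference:", first_difference(
        parse_chain(CHAIN_PORT_443), parse_chain(CHAIN_PORT_21)))
```

The DN reported as `ends_at` is the one a client keyring has to cover for the chain as sent to validate.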


Re: [EXTERNAL] Re: smp/e sha-2 support?

2016-05-17 Thread Donald J.
The new GeoTrust Global CA is serial# 023456, expiration 5/20/2022.
The old GeoTrust Global CA is serial# 12bbe6, expiration 8/20/2018.

At +5eF in the server cert chain being sent out, there is "12 bb e6".
05d0 - 25 b0 68 f9 de 08 5a f3-29 cc d4 92 00 03 81 30   %.h...Z.)......0
05e0 - 82 03 7d 30 82 02 e6 a0-03 02 01 02 02 03 12 bb   ..}0............
05f0 - e6 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00   .0...*.H........

-- 
  Donald J.
  dona...@4email.net

On Tue, May 17, 2016, at 03:24 PM, Donald J. wrote:
> John, 
> 
> I don't think you have the right GeoTrust certificate on your server.
> 
> The server is sending out this cert chain:
> Certificate chain
>  0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=deliverycb-bld.dhe.ibm.com
>    i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
>  1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
>    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>  3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> 
> It should be sending out this cert chain:
>  0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=deliverycb-bld.dhe.ibm.com
>    i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
>  1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
>    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> 
> GeoTrust issued a new "GeoTrust Global CA" cert several years ago
> which does not chain to Equifax Secure Certificate Authority.
> 
> Once you correct that, your IBM cert and the GeoTrust SSL CA - G3 cert
> will both be sha2.   It is not significant that the GeoTrust Global CA root
> certificate is sha1.
>  
> -- 
>   Donald J.
>   dona...@4email.net
> 
> On Tue, May 17, 2016, at 07:53 AM, John Eells wrote:
> > So...suppose we were to do something like this*:
> > 
> > - Added support for both SHA-2 (SHA-256) and 2048-bit RSA certificates.**
> > - Put the package signing verification certificate where "anyone could 
> > get it"
> > - Made the signing (certificate-based) check optional.
> > - Continued to keep the integrity checking optional, whether based on 
> > SHA-2 or SHA-1.
> > 
> > Would that meet the set of needs we've been talking about?
> > 
> > * As usual, no promises.
> > ** I think we have to keep the SHA-1 support because we create an 
> > incompatibility if we don't.
> > 
> > Andrew Rowley wrote:
> > > My further thoughts:
> > >
> > >> - Would a certificate-based signature do?
> > >> - What requirements would you have for certificates?
> > > The signature should use the same type of code signing certificates used
> > > for other platforms. Any company delivering Windows software almost
> > > certainly has a certificate already. There are various implementations,
> > > e.g. Windows exe signing and Java jar signing. I'm pretty sure z/OS can
> > > verify signatures on jars at least. Some thought would have to go into
> > > how you attach a signature to a package and what you attach it to.
> > >
> > >> - Would you want signature verification to be optional?
> > > Yes. For SMP/E it should be the default, probably at RECEIVE time but
> > > able to be bypassed e.g. RECEIVE... BYPASS(SIGCHECK) .
> > > Non-SMP/E is handicapped by the absence of a standard delivery format.
> > > If you had a tool to deliver a set of non SMP/E datasets, the packaging
> > > format should have an option to include a signature - perhaps with a
> > > warning when extracting if unsigned and/or an option to force signature
> > > checking. It depends on how useful the product would be inside a site -
> > > you don't want to force customers to get their own certificate if they
> > > decide a tool would be useful internally.
> > >
> > >> - If signature verification were to be optional, would it be
> > >> acceptable to use the SHA-1 hash for integrity checking if the
> > >> recipient chose not to verify the signature?  Or, would it still be
> > >> necessary to use a different algorithm?
> > >
> > > I'm not sure how useful it is. How likely is it that something be
> > > corrupted in a situation where you can get a hash to verify but can't
> > > verify a signature?
> > >
> > >> - Anything else to t
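The three dump lines in the post above are the start of a DER-encoded X.509 certificate inside the TLS Certificate message. As an added example (not part of the original post; function names are illustrative), this Python sketch rebuilds the bytes from the dump, locates the certificate by its 3-byte length prefix, and decodes the version, serial number and signature algorithm.

```python
import re

# Dump lines as quoted in the post (hex columns only).
DUMP = """\
05d0 - 25 b0 68 f9 de 08 5a f3-29 cc d4 92 00 03 81 30
05e0 - 82 03 7d 30 82 02 e6 a0-03 02 01 02 02 03 12 bb
05f0 - e6 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00
"""

SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def load_dump(text):
    """Return (offset of first byte, bytes) from 'OFFS - hh hh ...' lines."""
    base, data = None, bytearray()
    for line in text.splitlines():
        if " - " not in line:
            continue
        offset, rest = line.split(" - ", 1)
        if base is None:
            base = int(offset, 16)
        # 16 bytes occupy 47 columns; anything after that is the ASCII column.
        data += bytes(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", rest[:47]))
    return base, bytes(data)


def read_tlv(buf, pos):
    """Return (tag, length, offset of value) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("dump too short")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                            # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                            # long form: n length bytes
    if pos + 2 + n > len(buf):
        raise ValueError("dump too short")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def decode_oid(data):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [], 0
    for byte in data:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def find_cert_start(buf):
    """Find a SEQUENCE whose size matches the 3-byte TLS length before it."""
    for i in range(3, len(buf) - 3):
        if buf[i] == 0x30 and buf[i + 1] == 0x82:
            total = 4 + int.from_bytes(buf[i + 2:i + 4], "big")
            if int.from_bytes(buf[i - 3:i], "big") == total:
                return i
    return None


def parse_cert_prefix(buf, start, base=0):
    """Decode version, serial and signature algorithm from a cert prefix."""
    tag, cert_len, pos = read_tlv(buf, start)   # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, _, pos = read_tlv(buf, pos)            # tbsCertificate ::= SEQUENCE
    version = 1
    tag, length, val = read_tlv(buf, pos)
    if tag == 0xA0:                             # [0] EXPLICIT version
        _, vlen, vval = read_tlv(buf, val)
        version = int.from_bytes(buf[vval:vval + vlen], "big") + 1
        tag, length, val = read_tlv(buf, val + length)
    if tag != 0x02 or val + length > len(buf):
        raise ValueError("serial number not found")
    serial, serial_at = buf[val:val + length], val
    tag, _, pos = read_tlv(buf, val + length)   # AlgorithmIdentifier
    tag, length, val = read_tlv(buf, pos)       # algorithm OID
    if tag != 0x06 or val + length > len(buf):
        raise ValueError("signature algorithm not found")
    oid = decode_oid(buf[val:val + length])
    return {"cert_offset": base + start, "cert_len": cert_len,
            "version": version, "serial": serial.hex(),
            "serial_offset": base + serial_at,
            "sig_alg": SIG_ALGS.get(oid, oid)}


if __name__ == "__main__":
    base, buf = load_dump(DUMP)
    print(parse_cert_prefix(buf, find_cert_start(buf), base))
```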

Re: [EXTERNAL] Re: smp/e sha-2 support?

2016-05-17 Thread Donald J.
John, 

I don't think you have the right GeoTrust certificate on your server.

The server is sending out this cert chain:
Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=deliverycb-bld.dhe.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

It should be sending out this cert chain:
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=deliverycb-bld.dhe.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

GeoTrust issued a new "GeoTrust Global CA" cert several years ago
which does not chain to Equifax Secure Certificate Authority.

Once you correct that, your IBM cert and the GeoTrust SSL CA - G3 cert
will both be sha2.   It is not significant that the GeoTrust Global CA root
certificate is sha1.
 
-- 
  Donald J.
  dona...@4email.net

On Tue, May 17, 2016, at 07:53 AM, John Eells wrote:
> So...suppose we were to do something like this*:
> 
> - Added support for both SHA-2 (SHA-256) and 2048-bit RSA certificates.**
> - Put the package signing verification certificate where "anyone could 
> get it"
> - Made the signing (certificate-based) check optional.
> - Continued to keep the integrity checking optional, whether based on 
> SHA-2 or SHA-1.
> 
> Would that meet the set of needs we've been talking about?
> 
> * As usual, no promises.
> ** I think we have to keep the SHA-1 support because we create an 
> incompatibility if we don't.
> 
> Andrew Rowley wrote:
> > My further thoughts:
> >
> >> - Would a certificate-based signature do?
> >> - What requirements would you have for certificates?
> > The signature should use the same type of code signing certificates used
> > for other platforms. Any company delivering Windows software almost
> > certainly has a certificate already. There are various implementations,
> > e.g. Windows exe signing and Java jar signing. I'm pretty sure z/OS can
> > verify signatures on jars at least. Some thought would have to go into
> > how you attach a signature to a package and what you attach it to.
> >
> >> - Would you want signature verification to be optional?
> > Yes. For SMP/E it should be the default, probably at RECEIVE time but
> > able to be bypassed e.g. RECEIVE... BYPASS(SIGCHECK) .
> > Non-SMP/E is handicapped by the absence of a standard delivery format.
> > If you had a tool to deliver a set of non SMP/E datasets, the packaging
> > format should have an option to include a signature - perhaps with a
> > warning when extracting if unsigned and/or an option to force signature
> > checking. It depends on how useful the product would be inside a site -
> > you don't want to force customers to get their own certificate if they
> > decide a tool would be useful internally.
> >
> >> - If signature verification were to be optional, would it be
> >> acceptable to use the SHA-1 hash for integrity checking if the
> >> recipient chose not to verify the signature?  Or, would it still be
> >> necessary to use a different algorithm?
> >
> > I'm not sure how useful it is. How likely is it that something be
> > corrupted in a situation where you can get a hash to verify but can't
> > verify a signature?
> >
> >> - Anything else to think about?
> > Lots, I'm sure! It's probably worth also looking at the implementation
> > of signed SMF data to see how they do it.
> >
> > Andrew Rowley
> >
> >
> 
> 
> -- 
> John Eells
> IBM Poughkeepsie
> ee...@us.ibm.com
> 
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
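
Added example (not code from the message above or from IBM): a parser for the two `openssl s_client` chain listings in that message. It compares DN strings only (no signature checks) and reports which root a client that follows the presented chain to its end needs on its keyring. The keyring contents and all function names are assumptions.

```python
import re

# The two listings from the message, wrapped the way the mail client wrapped
# them. The "O=O=" typo in the second listing is normalised to "O=".
SENT_CHAIN = """\
Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES
CORPORATION/CN=deliverycb-bld.dhe.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
"""

EXPECTED_CHAIN = """\
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES
CORPORATION/CN=deliverycb-bld.dhe.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
"""

# Assumption: the client keyring holds only the self-signed GeoTrust root.
KEYRING_ROOTS = {"/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA"}

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")
EXTRA_RE = re.compile(r"^\s*[av]:")  # key/validity lines printed by newer OpenSSL


def parse_chain(text):
    """Parse the 'Certificate chain' section, re-joining mail-wrapped DNs."""
    certs, field = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("---") and certs:
            break  # end of the chain section in full s_client output
        if not line or line == "Certificate chain" or EXTRA_RE.match(raw):
            continue
        subject = SUBJECT_RE.match(raw)
        issuer = ISSUER_RE.match(raw)
        if subject:
            certs.append({"depth": int(subject.group(1)),
                          "subject": subject.group(2).strip(), "issuer": ""})
            field = "subject"
        elif issuer and certs:
            certs[-1]["issuer"] = issuer.group(1).strip()
            field = "issuer"
        elif certs and field:
            # Continuation of a DN that was wrapped at a space.
            certs[-1][field] += " " + line
    return certs


def analyze(certs, trusted_roots):
    """Summarise chain linkage and the trust anchor the chain leads to."""
    if not certs:
        raise ValueError("no certificates parsed")
    # Each certificate's issuer should be the next certificate's subject.
    breaks = [c["depth"] for c, nxt in zip(certs, certs[1:])
              if c["issuer"] != nxt["subject"]]
    # A CA the client already trusts as a root, presented here as issued by
    # someone else: a cross-certificate that extends the path to an older root.
    cross = [c["depth"] for c in certs
             if c["subject"] in trusted_roots and c["subject"] != c["issuer"]]
    last = certs[-1]
    return {
        "breaks": breaks,
        "cross_certs": cross,
        "sends_self_signed_root": last["subject"] == last["issuer"],
        "anchor": last["issuer"],
        "anchor_trusted": last["issuer"] in trusted_roots,
    }


if __name__ == "__main__":
    for label, text in (("sent", SENT_CHAIN), ("expected", EXPECTED_CHAIN)):
        report = analyze(parse_chain(text), KEYRING_ROOTS)
        print(label, report)
```

Against the chain the server sends, the report shows the GeoTrust Global CA entry at depth 2 as a cross-certificate and an Equifax anchor that is not on the assumed keyring; against the expected chain, the anchor is the GeoTrust root itself.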


Re: Java problem

2016-05-08 Thread Donald J.
Try doing your javac like below from your home directory.  
Then see if any useful info is in your file javac.log

javac -J-Xverbosegclog:javac.log -J-XX:+PrintGCDetails -J-XX:+PrintGCTimeStamps -help

-- 
  Donald J.
  dona...@4email.net

On Sat, May 7, 2016, at 08:25 AM, Phil Smith III wrote:
> P.S. Scott, the same command still failed after -help was working. Do you
> know what's wrong with it? Would love to grok this in fullness (well, "more
> completely" -- I know I'll never grok in fullness!)
> 
> -Original Message-
> From: Phil Smith III [mailto:li...@akphs.com] 
> Sent: Saturday, May 07, 2016 11:23 AM
> To: ibm-m...@bama.ua.edu
> Subject: RE: Java problem
> 
> Scott:
> >/u/Java6_64/J6.0_64/bin/javac -J-Xmx64m help
> error: Class names, 'help', are only accepted if annotation processing is
> explicitly requested
> 1 error
> 
> VICTORY:
> Lucas Rosalen wrote:
> >H maybe MemLimit and SHMemMax on OMVS segment are also good parms to
> check/increase
> 
> Both of mine were 0; I set them to 512 with a multiplier of M and now javac
> -help works! Have done the same for the user who was actually trying to use
> this and sent him a note. At least we now have a model that works--we'll see
> if that was the only parameter that mattered, or if we have to go back and
> change the other things that I'd changed on the way.
> 
> THANK YOU!!! Owe ya a beer or three at SCIDS.
> 
> ...phsiii
> 


Re: SMTP question.

2016-04-28 Thread Donald J.
Does adding "NOSOURCEROUTE ENABLED" to your SMTP task config
change anything?

-- 
  Donald J.
  dona...@4email.net

On Wed, Apr 27, 2016, at 05:05 PM, Field, Alan wrote:
> We run SMTP on one lpar (z/OS 2.1).
> 
> Recently we switched our mail server from Notes to Exchange.
> 
> Mostly transparent except for one lpar, and only some jobs even then.
> 
> The failing jobs use SAS email. They run fine on 5 lpars, fail on one.
> 
> One thing we see from the failing lpar (in the SMTP log) is
> 
>MAIL FROM:<userid%noden...@xxx.yyy.com>
> 
> My exchange guy says it is the % that is causing the problem.
> 
> What I cannot find is where/how this is being generated and why it only 
> affects
> SAS emails on the one lpar. XMITIP from the same lpar works correctly.
> 
> I have compared the TCPDATA and PROFILE members for each lpar and apart from
> the expected differences (like node names) they appear to be identical.
> 
> Any SMTP wizards care to offer suggestions, please.
> 
> Alan Field
> Systems Engineer Principal
> Blue Cross Blue Shield of MN
> 
> 651.662.3546
> 
> 
> 


Re: New to Z/OSMF - SOLVED

2016-04-05 Thread Donald J.
Great.  Now the difficult part begins - figuring out how to use it.

I think the recommended procedure for the old method was to create a base config
with no plugins, then add the plugins by running izusetup again with the -add
parameter, and A values in your override file.

-- 
  Donald J.
  dona...@4email.net

On Mon, Apr 4, 2016, at 11:31 AM, Tracy Adams wrote:
> So what I found is that the UI90034 ptf was applied back in January during 
> the monthly compliance maintenance round and the ptf actions must have been 
> bypassed as the steps to complete the migration from V2r1 to V2r1 with the 
> ptf  were not completed.  The bottom line is this ptf requires you to create 
> a parmlib member if you want to use the plugins.   Once I did that the 
> plugins are visible on the webpage.
> 
> Thanks for your help!
 



Re: Apache Web Server running on z/OS unable to detect TLS 1.2

2016-03-30 Thread Donald J
>...and I tried with Donald's suggestion and unfortunately it did not work.
Post the output from the openssl s_client command.



Re: Apache Web Server running on z/OS unable to detect TLS 1.2

2016-03-29 Thread Donald J.
Try SSLProtocolEnable TLSv12 instead of TLSv1.2
You can test with an openssl command similar to:
openssl s_client -connect 12.34.56.78:443 -tls1_2

-- 
  Donald J.
  dona...@4email.net

On Tue, Mar 29, 2016, at 02:26 PM, Jasi Grewal wrote:
> Greetings, We are using Apache Web Server on z/OS system and are seeing the 
> Nessus reports on Port 443 as it cannot detect TLS being enabled, though we 
> do have the statements.
> 
> Our intention is to serve some non-secured pages but mainly provide our users 
> with controlled access to some more sensitive pages.   When Listen 443  is 
> uncommented in the config file, the server fails the NESSUS scan.  I can only 
> pass the scan by commenting out Listen 443. 
> 
> httpd.conf:
> 
> #Listen 12.34.56.78:443
> Listen 443
> Listen 80
> 
>   
>ServerName xxx..x.xxx   
>SSLProtocolEnable TLSv1.2 
>SSLProtocolDisable TLSv1.1
>SSLProtocolDisable SSLv2  
>SSLProtocolDisable SSLv3  
>SSLEnable 
>KeyFile /saf IHSASRV_KEYRING  
> 
> We are seeing the following Nessus scan results:
> 
> High Severity Vulnerability   
> TLS Version 1.2 Protocol Detection
> Synopsis :
> The remote service encrypts communications but does not support TLS1.2.
> Description :
> This script detects whether TLS version 1.2 is supported by the remote 
> service for encrypting communications.
> Solution :
> Consult the application's documentation to enable TLS 1.2 or if not supported 
> ask vendor to add support for TLS 1.2 (with approved cipher suites)
> Plugin Output :
> TLS v1.2 is not enabled on this port.
> Nessus Plugin ID : 951001
> 
> Any advice would be gratefully received.
> Thank you in advance,
> Regards,
> 
> Jasi.
> 


Re: PLEASE HELP TLS 1.2

2016-03-24 Thread Donald J.
He is on CICS 5.2, not 5.3.

-- 
  Donald J.
  dona...@4email.net

On Thu, Mar 24, 2016, at 09:16 AM, McCabe, Ron wrote:
> IBM would prefer that you use MINTLSLEVEL...
> 
> The ENCRYPTION system initialization parameter has been deprecated. Use the 
> MINTLSLEVEL system initialization parameter instead. For more information 
> about the MINTLSLEVEL system initialization parameter, see MINTLSLEVEL. If 
> you specify the ENCRYPTION parameter, it will be treated as MINTLSLEVEL:
> ENCRYPTION=STRONG is equivalent to MINTLSLEVEL=TLS10. This is the default.
> ENCRYPTION=ALL is equivalent to MINTLSLEVEL=TLS11
> ENCRYPTION=TLS12 is equivalent to MINTLSLEVEL=TLS12
> End of change
> 
> Thanks,
> Ron McCabe
> Mutual of Enumclaw
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Donald J.
> Sent: Thursday, March 24, 2016 9:05 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: PLEASE HELP TLS 1.2
> 
> ENCRYPTION=ALL         Allows the use of TLS v1.1 and v1.2 in addition to the
>                        protocols allowed by STRONG (TLS v1.0).
> ENCRYPTION=TLS12FIPS   Allows the use only TLS v1.2 with FIPS 140-2 standards
> ENCRYPTION=STRONG      Allows the use of TLS v1.0 (this is the default).
> ENCRYPTION=SSLV3       Allows the use of TLS v1.0 and SSL V3.0.
> 
> --
>   Donald J.
>   dona...@4email.net
> 
> On Thu, Mar 24, 2016, at 08:37 AM, Lopez, Sharon wrote:
> > A federal agency changed to TLS v1.2 over the weekend and now we are not 
> > able to connect to them via CICS 5.2.  We have on the TLS V1.2 ptf for z/OS 
> > 1.13 and we are starting with the correct SIT within CICS.  We are missing 
> > something but cannot figure this out.  Anyone else experiencing this?  Are 
> > there parameters somewhere else that we need to specify TLS 1.2.  We 
> > appreciate any help that you can give us.
> > Thank you.
> >
> >
> >
> > 
> >


Re: PLEASE HELP TLS 1.2

2016-03-24 Thread Donald J.
ENCRYPTION=ALL         Allows the use of TLS v1.1 and v1.2 in addition to the
                       protocols allowed by STRONG (TLS v1.0).
ENCRYPTION=TLS12FIPS   Allows the use only TLS v1.2 with FIPS 140-2 standards
ENCRYPTION=STRONG      Allows the use of TLS v1.0 (this is the default).
ENCRYPTION=SSLV3       Allows the use of TLS v1.0 and SSL V3.0.

-- 
  Donald J.
  dona...@4email.net

On Thu, Mar 24, 2016, at 08:37 AM, Lopez, Sharon wrote:
> A federal agency changed to TLS v1.2 over the weekend and now we are not able 
> to connect to them via CICS 5.2.  We have on the TLS V1.2 ptf for z/OS 1.13 
> and we are starting with the correct SIT within CICS.  We are missing 
> something but cannot figure this out.  Anyone else experiencing this?  Are 
> there parameters somewhere else that we need to specify TLS 1.2.  We 
> appreciate any help that you can give us.
> Thank you.
> 
> 
> 
> 
> 


Re: (External):Re: IBM secure z/OS software delivery: Don't get locked out!

2016-03-11 Thread Donald J.
>>I wonder if any errors you see with its use might be related to your firewall.

I wonder if this process was tested with Pagent/ATTLS? Can you confirm IBM
tested that mode?  

>> I'm curious what problems you get when doing so.
The GET then fails with Error Code 10.
I'm curious if IBM has tested that mode? Can you confirm?

-- 
  Donald J.
  dona...@4email.net

On Fri, Mar 11, 2016, at 01:56 PM, Kurt Quackenbush wrote:
> > Their server also seems to require use of the CCC subcommand to clear the 
> > command channel.
> 
> To be clear, IBM's server does not require the FTP client to use the CCC 
> subcommand.  SMP/E's default behavior is to use CCC, with the idea that 
> some local firewalls will be more accepting of FTPS if they can sniff 
> the clear text commands to intercept the exchanged port values.  Perhaps 
> we're being naive, but that was the thought.
> 
> > ... There is a client parameter setting ftpccc="no" to make the server
> > quit using CCC, but that seems to cause a problem also.
> 
> SMP/E does allow you to turn off using the CCC subcommand, but I'm 
> curious what problems you get when doing so.  Since the server does not 
> require use of CCC, I wonder if any errors you see with its use might be 
> related to your firewall.  We've seen examples of a firewall forbidding 
> CCC, hence the need for the option to turn it off.
> 
> Kurt Quackenbush -- IBM, SMP/E Development
> 


Re: (External):Re: IBM secure z/OS software delivery: Don't get locked out!

2016-03-11 Thread Donald J.
You need RemotePortRangeRef  for port 21.
Port 21 is remote.

-- 
  Donald J.
  dona...@4email.net

On Fri, Mar 11, 2016, at 12:21 PM, Gibney, David Allen wrote:
> Actually, I do:
> TTLSRule ftp_client1
> {
>   LocalPortRange 21
>   Direction Outbound
>   TTLSGroupActionRef ftp_grp_act
>   TTLSEnvironmentActionRef ftp_client_env_act
> }
> TTLSGroupAction ftp_grp_act
> {
>   TTLSEnabled On
>   Trace 7
>   GroupUserInstance 1
> }
> TTLSEnvironmentAction ftp_client_env_act
> {
>   HandshakeRole Client
>   TTLSKeyringParms
>   {
>     Keyring FTPClientRing
>   }
>   TTLSEnvironmentAdvancedParms
>   {
>     ApplicationControlled On
>     SecondaryMap On
>   }
>   EnvironmentUserInstance 1
> }
> 
> I'll have debug all in my next run.
> 
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of Donald J.
> > Sent: Friday, March 11, 2016 10:13 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: (External):Re: IBM secure z/OS software delivery: Don't get 
> > locked
> > out!
> > 
> > He is using TLSMECHANISM  ATTLS.  Yours uses TLSMECHANISM FTP (non-
> > Pagent).
> > He is getting the error because he has no PAGENT TTLSRule for Outbound  Port
> > 21.
> > Suggest you turn on DEBUG ALL in your FTP.DATA file while debugging.
> > 
> > It is working ok for me with TLSMECHANISM FTP.
> > I tried with ATTLS, but am getting a server error on the BINARY FTP
> > SUBCOMMAND.
> > Still looking in to that, but it is questionable if their FTPS server works 
> > with
> > PAGENT ATTLS.
> > Can't imagine why they would install a server incompatible with PAGENT
> > though.
> > 
> > >>> TYPE I
> > SC3261 getReply: entered
> > SC4327 getNextReply: entered with waitForData = TRUE
> > Connection with dispby-117.boulder.ibm.com terminated
> > SC4445 SETCEC code = 10
> > CZ1434 ftpClose: entered
> > SC4067 inSession: entered
> > SC4145 setLoggedIn: entered
> > CT0282 binary: getReply failed.
> > PC1047 logClientErrMsg: entered
> > PC0945 setClientRC: entered
> > SC4019 getLastReply: entered
> > PC1015 setClientRC: std_rc=06000, rc_type=CEE, rc=1006
> > SRECTIV3 FTP failed - Cmd = 6(binary) Reply = n/a EX CEE RC = 1006
> > SC4019 getLastReply: entered
> > CX0389 main: RC=-0001 cmd_in_progress=06
> > CX0392 main: last_reply= err=10
> > PC0945 setClientRC: entered
> > SC4019 getLastReply: entered
> > Std Return Code = 06000, Error Code = 00010
> > CZ1354 ftpQuit: entered
> > CZ1434 ftpClose: entered
> > 
> > Their server also seems to require use of the CCC subcommand to clear the
> > command channel.
> > So if you are using SECURE_CTRLCONN PRIVATE instead of SECURE_CTRLCONN
> > CLEAR,
> > it might cause a problem also.   There is a client parameter setting 
> > ftpccc="no"
> > to make the server
> > quit using CCC, but that seems to cause a problem also.
> > 
> > Use of KEYRING  *AUTH*/*  should be sufficient for the FTPS portion of the 
> > job.
> > 
> > The server web site also uses root certificate "GeoTrust Global CA" which 
> > has
> > its share of
> > issues also.   See:
> > https://urldefense.proofpoint.com/v2/url?u=http-
> > 3A__security.stackexchange.com_questions_53231_google-2Dcertificates-
> > 2Dcorrect-2Dca_53271-
> > 2353271=CwIFaQ=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-
> > Je7sw=u9g8rUevBoyCPAdo5sWE9w=aamFb_mypnk4GycjqtSii-YrY-c2-
> > IzeE0M17VgSPbY=Txk6MDp8o81j54Ojmpo1aZbHaoJxUawo1NHCS1JgDO0
> > =
> > Openssl s_client reports the server cert chain to be:
> > Certificate chain
> >  0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES
> > CORPORATION/CN=deliveryc
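
Added example (not code from the thread, IBM, or Policy Agent itself): a small linter for the AT-TLS policy quoted in the message above. It flags an Outbound TTLSRule that matches only on a local port, the mistake the reply points out. Going slightly beyond the thread, it also flags the mirrored mistake on Inbound rules and action references that do not resolve. Function names, finding codes and the inline `RemotePortRange 21` fix are assumptions.

```python
import re

# Policy as quoted in the thread (spacing normalised).
POSTED_POLICY = """\
TTLSRule ftp_client1
{
  LocalPortRange 21
  Direction Outbound
  TTLSGroupActionRef ftp_grp_act
  TTLSEnvironmentActionRef ftp_client_env_act
}
TTLSGroupAction ftp_grp_act
{
  TTLSEnabled On
  Trace 7
  GroupUserInstance 1
}
TTLSEnvironmentAction ftp_client_env_act
{
  HandshakeRole Client
  TTLSKeyringParms
  {
    Keyring FTPClientRing
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled On
    SecondaryMap On
  }
  EnvironmentUserInstance 1
}
"""

# Constructed variant applying the reply's advice. The port is given inline
# with RemotePortRange rather than through a RemotePortRangeRef, for brevity.
FIXED_POLICY = POSTED_POLICY.replace("LocalPortRange 21", "RemotePortRange 21")

LOCAL_KEYS = ("LocalPortRange", "LocalPortRangeRef")
REMOTE_KEYS = ("RemotePortRange", "RemotePortRangeRef")
ACTION_REFS = (("TTLSGroupActionRef", "TTLSGroupAction"),
               ("TTLSEnvironmentActionRef", "TTLSEnvironmentAction"))


def parse_policy(text):
    """Parse brace-delimited policy statements into nested dictionaries."""
    lines = [ln.split("#", 1)[0] for ln in text.splitlines()]  # drop comments
    split = re.sub(r"([{}])", r"\n\1\n", "\n".join(lines))     # isolate braces
    tokens = [t.strip() for t in split.splitlines() if t.strip()]
    pos = 0

    def block(header):
        nonlocal pos
        parts = header.split(None, 1)
        node = {"type": parts[0], "name": parts[1] if len(parts) > 1 else "",
                "attrs": {}, "children": []}
        pos += 1  # skip "{"
        while pos < len(tokens) and tokens[pos] != "}":
            line = tokens[pos]
            pos += 1
            if pos < len(tokens) and tokens[pos] == "{":
                node["children"].append(block(line))
            else:
                key_val = line.split(None, 1)
                value = key_val[1] if len(key_val) > 1 else ""
                node["attrs"].setdefault(key_val[0], []).append(value)
        pos += 1  # skip "}"
        return node

    blocks = []
    while pos < len(tokens):
        header = tokens[pos]
        pos += 1
        if pos < len(tokens) and tokens[pos] == "{":
            blocks.append(block(header))
    return blocks


def lint(blocks):
    """Return (rule name, finding code, explanation) tuples."""
    defined = {(b["type"], b["name"]) for b in blocks}
    findings = []
    for rule in (b for b in blocks if b["type"] == "TTLSRule"):
        attrs = rule["attrs"]
        direction = attrs.get("Direction", [""])[0].lower()
        has_local = any(k in attrs for k in LOCAL_KEYS)
        has_remote = any(k in attrs for k in REMOTE_KEYS)
        if direction == "outbound" and has_local and not has_remote:
            findings.append((rule["name"], "outbound-matches-local-port",
                             "client connections use an ephemeral local port; "
                             "the service port is the remote one"))
        if direction == "inbound" and has_remote and not has_local:
            findings.append((rule["name"], "inbound-matches-remote-port",
                             "for a listening server the service port is local"))
        for ref_key, target_type in ACTION_REFS:
            for name in attrs.get(ref_key, []):
                if (target_type, name) not in defined:
                    findings.append((rule["name"], "dangling-ref",
                                     f"{ref_key} {name} has no {target_type}"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_POLICY), ("fixed", FIXED_POLICY)):
        print(label, lint(parse_policy(text)))
```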

Re: (External):Re: IBM secure z/OS software delivery: Don't get locked out!

2016-03-11 Thread Donald J.
He is using TLSMECHANISM  ATTLS.  Yours uses TLSMECHANISM FTP (non-Pagent).
He is getting the error because he has no PAGENT TTLSRule for Outbound Port 21.
Suggest you turn on DEBUG ALL in your FTP.DATA file while debugging.

It is working ok for me with TLSMECHANISM FTP.
I tried with ATTLS, but am getting a server error on the BINARY FTP SUBCOMMAND.
Still looking into that, but it is questionable if their FTPS server works
with PAGENT ATTLS.
Can't imagine why they would install a server incompatible with PAGENT though.

>>> TYPE I  
SC3261 getReply: entered
SC4327 getNextReply: entered with waitForData = TRUE
Connection with dispby-117.boulder.ibm.com terminated   
SC4445 SETCEC code = 10 
CZ1434 ftpClose: entered
SC4067 inSession: entered   
SC4145 setLoggedIn: entered 
CT0282 binary: getReply failed. 
PC1047 logClientErrMsg: entered 
PC0945 setClientRC: entered 
SC4019 getLastReply: entered
PC1015 setClientRC: std_rc=06000, rc_type=CEE, rc=1006  
SRECTIV3 FTP failed - Cmd = 6(binary) Reply = n/a EX CEE RC = 1006  
SC4019 getLastReply: entered
CX0389 main: RC=-0001 cmd_in_progress=06
CX0392 main: last_reply= err=10 
PC0945 setClientRC: entered 
SC4019 getLastReply: entered
Std Return Code = 06000, Error Code = 00010  
CZ1354 ftpQuit: entered  
CZ1434 ftpClose: entered

Their server also seems to require use of the CCC subcommand to clear the 
command channel.
So if you are using SECURE_CTRLCONN PRIVATE instead of SECURE_CTRLCONN CLEAR,
it might cause a problem also.   There is a client parameter setting 
ftpccc="no" to make the server
quit using CCC, but that seems to cause a problem also.

Use of KEYRING  *AUTH*/*  should be sufficient for the FTPS portion of the job.

The server web site also uses root certificate "GeoTrust Global CA" which has 
its share of 
issues also.   See:
http://security.stackexchange.com/questions/53231/google-certificates-correct-ca/53271#53271
Openssl s_client reports the server cert chain to be:
Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=deliverycb-bld.dhe.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

-- 
  Donald J.
  dona...@4email.net

On Thu, Mar 10, 2016, at 06:45 AM, Jousma, David wrote:
> I had to come up with some alternate FTP client parms to make it work.  
> Possibly the one you are getting stuck on is this.Change FtpSecur to your 
> keyring name.   this member happens to live in our SYS1.TCPPARMS dataset, but 
> the member can be anywhere, just gotta point to wherever it lives in your 
> RECEIVE ORDER job.
> //CLIENT  DD  *
>javahome="/opt/fitb/java/Jre" classpath="/usr/lpp/smp/classes">
>
>-v -f "//'SYS1.TCPPARMS(FTPSECUR)'" 
>   
>   
> /* 
> 
> EDIT   SYS1.TCPPARMS(FTPSECUR) - 01.01 Columns 
> 1 00080  .
> Command ===>  Scroll 
> ===> CSR   .
> 000642 ;CIPHERSUITE   SSL_AES_256_SHA   ; 35  
>   .
> 000643
>   .
> 000644  KEYRING   FtpSecur  ; Name of the keyring for TLS 
>   .
> 000645  ; It can be the name of an HFS
>   .
> 000646  ; file (name starts with /) or
>   .
> 000647  

Re: XML: Optimized Schema Representation (OSR) file generation

2016-02-03 Thread Donald J.
/u/appl/xsd is simply a user folder for user xsd files.
xsdosrg binary is in /bin 
The OUTFILE and INFILE were obviously not needed either.
They were used for additional STDIN input commands for
co:z hybrid batch processing which I did not list.

-- 
  Donald J.
  dona...@4email.net

>>... 
>>cd /u/appl/xsd 
>>xsdosrg -v -o IRS.osr IRS-EXT-ACA-AIR-7.0.xsd 
>> 
>Where does "/u/appl/xsd" come from?  Is it bundled with COBOL?  We don't 
>have one.  (It looks hauntingly like the z/OS convention for a user's HOME 
>directory.)  I'd more expect it in /usr/lpp/. 
>
>Does this presume that "." is in your $PATH?  That's considered unsafe 
>practice, particularly if the "." appears first.  (Only Windows is so reckless 
>as to do that.) 
>
>-- gil 


Re: XML: Optimized Schema Representation (OSR) file generation

2016-01-29 Thread Donald J.
I used COZBATCH from Dovetail, but I assume BPXBATCH could be used.

//COZBTCH  EXEC PGM=COZBATCH,REGION=0M
//STEPLIB  DD DISP=SHR,DSN=UTIL.TCP.COZ.LOADLIB
//COZLOG   DD SYSOUT=*
//COZOUT   DD SYSOUT=*,DCB=(RECFM=VB,LRECL=255,BLKSIZE=1)
//STDOUT   DD SYSOUT=*,DCB=(RECFM=VB,LRECL=255,BLKSIZE=1)
//STDERR   DD SYSOUT=*,DCB=(RECFM=VB,LRECL=255,BLKSIZE=1)
//OUTFILE  DD DISP=OLD,DSN=USERID.TEST.VB
//INFILE   DD DISP=SHR,DSN=USERID.IRS.XSD
//STDIN    DD *
cd /u/appl/xsd
xsdosrg -v -o IRS.osr IRS-EXT-ACA-AIR-7.0.xsd

-- 
  Donald J.
  dona...@4email.net

On Fri, Jan 29, 2016, at 12:23 PM, Zierdt, Richard A (IS) wrote:
> IBM-Main is not the likely forum for this - and a more appropriate forum 
> would be appreciated - but is there a z/OS batch utility that creates an XML 
> "Optimized Schema Representation" (OSR) file from a text-based XML schema 
> file?  
> 



Re: System check stopped state - what is it?

2016-01-22 Thread Donald J.
Is your IODF volume address correct?

Maybe try following these instructions to display the
IPL Vector Table control block which is mapped by
SYS1.MODGEN(IHAIVT)

Using the hardware Alter/Display facility, read the real address in central 
storage at X'14'. 
This address points to the IPL diagnostic area.
Add X'28' to the address in X'14', and also read this as a real address in 
central storage. 
The result is the 31-bit virtual address of the IPL vector table (IVT).

-- 
  Donald J.
  dona...@4email.net

On Fri, Jan 22, 2016, at 06:35 AM, R.S. wrote:
> I tried to perform LOAD on some LPAR.
> I've got the following message:
> 
> Logical partition LPAR01 is in the system check stopped state. Reason 
> code = 0C.
> 
> Where to find the meaning of the code?
> 
> 
> It is z13 machine.
> 
> -- 
> Radoslaw Skorupka
> Lodz, Poland
> 
> 
> 
> 
> 
> 


Re: Where's Java!? (SMP/E needs to know.)

2016-01-21 Thread Donald J.
> Why? I'm interested why you would choose a symlink as opposed to a 
> config which sets an environment variable

Installation of some java based programs causes various configuration files for
that application which are based on the java environment variables.

For example, when installing istrobe, various .sh scripts such as /CleanConfig.sh
are built by the install process which also need Java environment variables defined.
It would be desirable for those scripts to be built containing statements such as:
JAVA_HOME=/usr/lpp/java/sdk6
so that when a new Java 6 is installed that script will still run ok.

Unfortunately with most installs, even though I use both a symlink and set an
environment variable during the install.sh process, the resultant script generated
will end up having something like this in the CleanConfig.sh script:
JAVA_HOME=/usr/lpp/java/IBM/J6.0.1_64
which is less desirable than the above.

-- 
  Donald J.
  dona...@4email.net

On Thu, Jan 21, 2016, at 05:06 AM, David Crayford wrote:
> > I also manage manually with generic symlinks.   I do this for Apache 
> > webserver as well.
> 
> Why? I'm interested why you would choose a symlink as opposed to a 
> config which sets an environment variable.
> 
> >
> > _
> > Dave Jousma
> > Assistant Vice President, Mainframe Engineering
> > david.jou...@53.com
> > 1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
> > p 616.653.8429
> > f 616.653.2717
> >
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> > Behalf Of Paul Gilmartin
> > Sent: Wednesday, January 20, 2016 4:35 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Where's Java!? (SMP/E needs to know.)
> >
> > Dammit!  The path to Java changes with any z/OS release and/or any Java 
> > release.  I need continually to add to my PATH variable to keep up.  And 
> > there's nothing an ISV can supply in JCL samples for SMP/E's SMPJHOME; the 
> > example in the SMP/E Reference is woefully outdated.
> >
> > This makes as little sense as if programmers were required to code 
> > "//SYSLIB  DD  DSN=SYS1.ZOSV2R2.MACLIB".
> >
> > I'm inclined to submit an RFE for either a utility to find Java or for 
> > IBM's supplying a usable symbolic  link to a preferred Java.
> > Retroactive; I can't wait for everyone to be on z/OS 2.3
> >
> > Any suggestions on form or rationale for such an RFE?
> >
> > Thanks,
> > gil
> >


Re: Strange HMC issue

2015-11-23 Thread Donald J.
There is also the same option for the SE TCP menu item.

BMC is probably the Baseboard Management Controller.  You could
check the BIOS and see if there is an option to turn DHCP on/off on
the BMC.

-- 
  Donald J.
  dona...@4email.net

On Mon, Nov 23, 2015, at 06:27 AM, Tony Thigpen wrote:
> Attached is a .txt file with the info.
> 
> Tony Thigpen
> 
> Donald J. wrote on 11/23/2015 08:04 AM:
> > Select the Network Diagnostics icon from both your HMC and SE and then click
> > on the menu bar TCP option to display all socket connections.
> >
> 
> Email had 1 attachment:
> + listens.txt
>   17k (text/plain)



Re: Strange HMC issue

2015-11-23 Thread Donald J.
Select the Network Diagnostics icon from both your HMC and SE and then click
on the menu bar TCP option to display all socket connections.

-- 
  Donald J.
  dona...@4email.net

On Fri, Nov 20, 2015, at 09:00 PM, Tony Thigpen wrote:
> Background: HMC software version 2.11.1 connected to a z10.
> 
 
> Thoughts on what is happening?
> Anybody else seeing the same thing?
> 
> -- 
> Tony Thigpen
> 


Re: OSMF server startup error

2015-10-02 Thread Donald J.
The return code 12 / 11060 is because your Java provider list includes
com.ibm.crypto.hdwrCCA.provider.IBMJCECCA  

zOSMF uses Java SSL, not System SSL.
Java 7 SR3 is minimum requirement for zOSMF.

You probably need some Java overrides to eliminate attempt
to use hardware crypto.

-- 
  Donald J.
  dona...@4email.net

On Wed, Sep 30, 2015, at 12:54 PM, Mark Pace wrote:
> Trying to start OSMF for the first time.  It appeared that all the setup
> ran cleanly.

> file:/SYSTEM/etc/zosmf/servers/zosmfServer/server.xml, Hardware error from
> call CSNDDSV returnCode 12 reasonCode 11060.
> 



Re: OSMF server startup error

2015-10-02 Thread Donald J.
For the Java override, you probably will need to contact IBM.
I would guess you need to add a "PROVIDER=" override
in the   # /usr/lpp/java/J7.0_64/bin/java -version
> java version "1.7.0"
> Java(TM) SE Runtime Environment (build pmz6470-20110827_01)
> IBM J9 VM (build 2.6, JRE 1.7.0 z/OS s390x-64 20110810_88604 (JIT enabled,
> AOT enabled)
> J9VM - R26_Java726_GA_20110810_1208_B88592
> JIT  - r11_20110810_20466
> GC   - R26_Java726_GA_20110810_1208_B88592
> J9CL - 20110810_88604)
> JCL - 20110809_01 based on Oracle 7b147
> 
> I can't tell which SR level I have from this.  I'm Java ignorant, so I'll
> have to try to figure what these Java overrides you speak of.
> 
> On Fri, Oct 2, 2015 at 9:50 AM, Donald J. <dona...@4email.net> wrote:
> 
> > The return code 12 / 11060 is because your Java provider list includes
> > com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
> >
> > zOSMF uses Java SSL, not System SSL.
> > Java 7 SR3 is minimum requirement for zOSMF.
> >
> > You probably need some Java overrides to eliminate attempt
> > to use hardware crypto.
> >
> > --
> >   Donald J.
> >   dona...@4email.net
> >
> > On Wed, Sep 30, 2015, at 12:54 PM, Mark Pace wrote:
> > > Trying to start OSMF for the first time.  It appeared that all the setup
> > > ran cleanly.
> >
> > > file:/SYSTEM/etc/zosmf/servers/zosmfServer/server.xml, Hardware error
> > from
> > > call CSNDDSV returnCode 12 reasonCode 11060.
> > >
> >
> >
> 
> 
> 
> -- 
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
> 
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
> 


Re: OSMF server startup error

2015-10-01 Thread Donald J.
What does this command list:
RACDCERT ID(IZUSERV) LISTRING(IZUKeyring.IZUDFLT) 
Add your LPAR Site certificate and its root certs to that ring.

Check Chapter 10:

z/OSMF creates digital certificates that are used for secure communications
between the user's web browser and the z/OSMF server, and between instances
of z/OSMF servers.
The z/OSMF keyring name is generated during the configuration phase. The
keyring name format is IZUKeyring.. By default, the keyring name is
IZUKeyring.IZUDFLT.
In most cases, the default z/OSMF keyring name should be sufficient for your
installation.

-- 
  Donald J.
  dona...@4email.net

On Wed, Sep 30, 2015, at 01:06 PM, Mark Pace wrote:
> One last piece of information - this system runs as a guest of z/VM.
> 
> On Wed, Sep 30, 2015 at 3:59 PM, Mark Pace <pacemainl...@gmail.com> wrote:
> 
> > One other piece of information - the reasonCode
> > 2B34 (11060) The service could not be performed because the required
> > PCICC, PCIXCC, CEX2C, or CEX3C was not active, or did not have a master key
> > set.
> >
> > *User action*: If the service required a specific PCICC, PCIXCC, CEX2C,
> > or CEX3C, verify that the value specified is correct. Reissue the request
> > when the required PCICC, PCIXCC, CEX2C, or CEX3C is available, and has the
> > master key set.
> > No idea what any of this means.
> >
> > On Wed, Sep 30, 2015 at 3:54 PM, Mark Pace <pacemainl...@gmail.com> wrote:
> >
> >> Trying to start OSMF for the first time.  It appeared that all the setup
> >> ran cleanly.
> >>
> >> The first task starts up.
> >> CWWKB0056I INITIALIZATION COMPLETE FOR ANGEL
> >>
> >> But the IZUSVR1 dies
> >>
> >> Launching zosmfServer
> >> (wlp-1.0.2.cl0220130714-1602/websphere-kernel_1.0.2) on IBM J9 VM, version
> >> pmz6470-20110827_01 (en_US)
> >> AUDIT   ¨ CWWKE0001I: The server zosmfServer has been
> >> launched.
> >>
> >> AUDIT   ¨ CWWKG0010I: The server zosmfServer is shutting down because of
> >> a previous initialization error.
> >> AUDIT   ¨ CWWKE0036I: The server zosmfServer stopped after 2.443
> >> seconds.
> >> ERROR   ¨ CWWKG0047E: An error occurred while attempting to verify a
> >> configuration document:
> >> file:/SYSTEM/etc/zosmf/servers/zosmfServer/server.xml, Hardware error from
> >> call CSNDDSV returnCode 12 reasonCode 11060.
> >>
> >> FATAL   ¨ CWWKG0044E: Server shutdown because a configuration document
> >> does not contain a valid signature:
> >> file:/SYSTEM/etc/zosmf/servers/zosmfServer/server.xml
> >>
> >> The documentation basically says something did work, fix it.  During the
> >> configuration I replied that I wanted a CA to be created. Has anyone seen
> >> this error and point in the right direction?
> >> I also don't get this Hardware error.
> >> CWWKG0044E: Server shutdown because a configuration document does not
> >> contain a valid signature: {0}. *Explanation* The designated
> >> configuration document does not contain a valid signature, or a portion of
> >> the document that is protected by the signature has been modified. This
> >> message is preceded by an error message that provides more information on
> >> the specific error in the document. *Action* Correct the error in the
> >> configuration document that was identified in the preceding error message.
> >> CWWKG0047E: An error occurred while attempting to verify a configuration
> >> document: {0}, {1}. *Explanation* An exception was thrown while
> >> attempting to verify that the designated configuration document contains a
> >> valid signature. *Action* Correct the error in the configuration
> >> document that is causing the exception to be thrown and then retry starting
> >> the server.
> >>
> >> --
> >> The postings on this site are my own and don’t necessarily represent
> >> Mainline’s positions or opinions
> >>
> >> Mark D Pace
> >> Senior Systems Engineer
> >> Mainline Information Systems
> >>
> >>
> >>
> >>
> >
> >
> > --
> > The postings on this site are my own and don’t necessarily represent
> > Mainline’s positions or opinions
> >
> > Mark D Pace
> > Senior Systems Engineer
> > Mainline Information Systems
> >
> >
> >
> >
> 
> 
> -- 
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
> 
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
> 


Re: Mainframe Network Protection

2015-07-22 Thread Donald J.
> Or am I naive in thinking that this is a for real and not a scam?

No.  Marco has posted a number of RACF questions previously.

-- 
  Donald J.
  dona...@4email.net

On Wed, Jul 22, 2015, at 03:04 AM, Aled Hughes wrote:
 Marco, I have to ask in John McEnroe's famous words - you cannot be 
 serious. I admit no one has commented so far, but that is to be expected. 
 Are you really that naive? Or am I naive in thinking that this is a for real 
 and not a scam? 
 Security Consultant should be a clue. 
 Duh.
 
 Is it Friday, yet?
 
  
 
  
 
  
 
 -Original Message-
 From: Marco Antonio Ferreira marcoafsi...@gmail.com
 To: IBM-MAIN IBM-MAIN@LISTSERV.UA.EDU
 Sent: Mon, 20 Jul 2015 16:55
 Subject: Mainframe Network Protection
 
 
 Dear Friends,
 
 I'm doing a survey to find out how you are doing to protect the attacks
 mainframe environment if they can help me. I appreciate it.
 
 You protect your network TCPIP in attacks mainframe ?
 
 How do you do?
 
 A) Firewall before the Mainframe or inside
 B) Uses the SERVAUTH Class and defines all their access networks
 C) Use other technique? Describe?
 D) Use of TERMINAL class protection?
 E) Uses Digital Certificate to access the TN3270 emulator or Citrix.
 
 -- 
 *Marco Ferreira*
 *Security Consultant*
 


Re: AT-TLS config help

2015-06-10 Thread Donald J.
after the Trace 15, add something like this:
{   
   SyslogFacility   auth
}   

-- 
  Donald J.
  dona...@4email.net

On Wed, Jun 10, 2015, at 12:16 PM, Scott Ford wrote:
 Guys/Gals:
 
 We have a Cobol CICS Sockets STC Server with a Java client.
 The Java client will send in requests and receive output from the Socket
 Server.
 We are on z/OS 1.13 ,,below is my ‘pagent.ttls.conf’
 
 TTLSRule PioneerServer
 {
   LocalPortRange 5799
   JobName PIONEER
   Direction Inbound
   Priority 1
   TTLSGroupActionRef PionGrpAct
   TTLSEnvironmentActionRef PionEnvAct
   TTLSConnectionActionRef PionConn
 }
 TTLSGroupAction PionGrpAct
 {
   TTLSEnabled On
   FIPS140 Off
   Trace 15  # Log Errors to syslogd * IP joblog
 }
 TTLSEnvironmentAction PionEnvAct
 {
   HandShakeRole Client
   TTLSKeyRingParmsRef PionRing
 }
 TTLSKeyRingParms PionRing
 {
   Keyring pionring
 }
 TTLSConnectionAction PionConn
 {
   TTLSConnectionAdvancedParms
   {
     SSLv2 Off
     SSLv3 On
     TLSv1 On
   }
 }
 
 I have SYSLOGD configured ..but I am not seeing trace output ..
 Can someone offer some help.
 
 



Re: ATTLS

2015-06-05 Thread Donald J.
 0090  EZD1285I TTLS Data  CONNID: 0014 SEND CIPHER 1503020002020A

The 1503020002020A is an SSL alert packet with a fatal error:
Unexpected message

You should run GSK traces to see why the packet is unexpected.

-- 
  Donald J.
  dona...@4email.net

On Fri, Jun 5, 2015, at 08:45 AM, Scott Ford wrote:
 All:
 
 I have setup a Server, Cobol - CICS-Sockets ( working no changes ) and a
 Java client.  When we establish the connection we see this:
 
 0090  BPXF024I (TCPIP) Jun  5 19:28:45 TTLS 50397225 : 20:28:45 TCPIP 361
 0090  EZD1285I TTLS Data  CONNID: 0014 SEND CIPHER 1503020002020A
 0090  BPXF024I (TCPIP) Jun  5 19:28:45 TTLS 50397225 : 20:28:45 TCPIP 362
 0090  EZD1284I TTLS Flow  GRPID: 0001 ENVID: 0001 CONNID: 0014
 0090  RC:  415 Call GSK_SECURE_SOCKET_INIT - 7EC65118
 0090  BPXF024I (TCPIP) Jun  5 19:28:45 TTLS 50397225 : 20:28:45 TCPIP 363
 0090  EZD1283I TTLS Event GRPID: 0001 ENVID: 0001 CONNID: 0014
 0090  RC:  415 Initial Handshake  7ECCF118
 0090  BPXF024I (TCPIP) Jun  5 19:28:45 TTLS 50397225 : 20:28:45 TCPIP 364
 0090  EZD1286I TTLS Error GRPID: 0001 ENVID: 0001 CONNID: 0014
 0090  LOCAL: 192.168.1.51..5799 REMOTE: 186.37.122.138..50443 JOBNAME:
 0090  PIONEER USERID: PIONEER RULE: PioneerServer  RC:  415 Initial
 0090  Handshake  7ECCF118
 
 The rc 415 says protocol invalid ..ok i am lost here ...I understand that
 the initial handshake is in the clear, then TCPIP talks to System SSL.
 This is a z/OS 1.13 system without the V3 ciphers.
 
 I need a suggestion.
 
 We setup a simple Server..and client and can send  20 byte messages with
 the default cipher.
 
 We also have AES128 encryption inside our application.  The above test
 program works without it.
 When we test the actual application , we see the above messages.
 
 Regards,
 Scott
 
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
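
The decoding described in the reply above, as an added example that is not part of the original thread: a Python sketch that splits the hex after `SEND CIPHER` / `RECV CIPHER` in EZD1285I trace lines into the 5-byte TLS record header and, for a plaintext alert, its level and description. Only the `SEND CIPHER 1503020002020A` line is from the post; the other sample lines are constructed, and treating a header logged alone as being followed by its body on the next line for the same connection is an assumption of this example.

```python
import re

# Registry values from the TLS specifications (RFC 5246 and its predecessors).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation",
}

# Matches the EZD1285I data-trace message format quoted in the post.
TRACE_RE = re.compile(
    r"EZD1285I TTLS Data\s+CONNID:\s*(\S+)\s+(SEND|RECV) CIPHER\s+([0-9A-Fa-f]+)")

SAMPLE_TRACE = [
    # Constructed: a record header logged alone, then a truncated record body.
    "0090  EZD1285I TTLS Data  CONNID: 0014 RECV CIPHER 160301005F",
    "0090  EZD1285I TTLS Data  CONNID: 0014 RECV CIPHER 0100005B0301",
    # Constructed: a non-data trace message that must be ignored.
    "0090  EZD1284I TTLS Flow  GRPID: 0001 ENVID: 0001 CONNID: 0014",
    # Quoted in the post: header and 2-byte alert body on one line.
    "0090  EZD1285I TTLS Data  CONNID: 0014 SEND CIPHER 1503020002020A",
]


def decode_record(hex_text):
    """Decode a TLS record header and, if present, a plaintext alert body."""
    data = bytes.fromhex(hex_text)      # ValueError on odd length or non-hex
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype = data[0]
    version = int.from_bytes(data[1:3], "big")
    length = int.from_bytes(data[3:5], "big")
    body = data[5:]
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"0x{ctype:02X} is not a TLS record content type")
    record = {
        "type": CONTENT_TYPES[ctype],
        "version": VERSIONS.get(version, f"unknown(0x{version:04X})"),
        "length": length,
        "alert": None,
    }
    # A plaintext alert is exactly two bytes: level, then description.
    # Alerts sent after the handshake are encrypted and longer, so they
    # are reported with alert=None rather than misread.
    if ctype == 21 and length == 2 and len(body) == 2:
        record["alert"] = (
            ALERT_LEVELS.get(body[0], f"unknown({body[0]})"),
            ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})"),
        )
    return record


def scan_trace(lines):
    """Return (connid, direction, record) for each record header found."""
    found = []
    awaiting_body = set()   # (connid, direction) whose next line is body bytes
    for line in lines:
        match = TRACE_RE.search(line)
        if not match:
            continue
        connid, direction, hex_text = match.groups()
        key = (connid, direction)
        if key in awaiting_body:
            awaiting_body.discard(key)  # body of the previous header
            continue
        try:
            record = decode_record(hex_text)
        except ValueError:
            continue                    # not a record header; skip it
        if record["length"] > 0 and len(hex_text) == 10:
            awaiting_body.add(key)      # header logged alone; body follows
        found.append((connid, direction, record))
    return found


if __name__ == "__main__":
    for connid, direction, record in scan_trace(SAMPLE_TRACE):
        print(connid, direction, record)
```
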


Re: AT-TLS question , issue

2015-05-14 Thread Donald J.
Correction: This is the server supported cipher list
Set GSK_V3_CIPHER_SPECS_EXPANDED(214) -  C02FC030009E009F009C009D002F0035000A

Client ciphers are in the client hello.  2nd packet in ATTLS trace below: (002F 
0035  0005 etc)
RECV CIPHER 160301005F  
  
RECV CIPHER 
015B030155548ECF35553E488B83C575E3ED52CAA2E0C8DBB37AA97EEAC35115EAC90CB81
0002F00350005000A00320038 ...
 
-- 
  Donald J.
  dona...@4email.net

On Thu, May 14, 2015, at 04:56 AM, Donald J. wrote:
 If you use trace level: Trace   127   you will get debugging info 
 on ciphers and other things.
 Cipher list presented by client:
 CONNID: DA17  RC:0 Set GSK_V3_CIPHER_SPECS_EXPANDED(214) -  
 C02FC030009E009F009C009D002F0035000A
 Cipher chosen by server:
 CONNID: DA17  RC:0 Get GSK_CONNECT_SEC_TYPE(208) -  TLSV1  
 CONNID: DA17  RC:0 Get GSK_CONNECT_CIPHER_SPEC(207) -  002F
 
 -- 
   Donald J.
   dona...@4email.net
 
 On Wed, May 13, 2015, at 03:20 PM, Scott Ford wrote:
  All,
  We are running z/OS 1.13 and I have AT-TLS configured with PAGENT and
  SYSLOGD. We are testing a Java client inbound to a COBOL STC running CICS
  Sockets (ezasoket). In our testing we are seeing a EZD1287I TTLS Error RC:
   402 Initial Handshake. The server is showing a socket-read errno=54  -
  Econnreset. Does this imply the cipher is wrong ?
  The Java client is sending a self-signed certificate which we generated. We
  know it's ok locally in the same physical office with another server.  What
  I am not sure about is what ciphers, if this is the issue are supported on
  AT-TLS ..can someone be kind enough to help me out.
  
  Regards,
  Scott
  
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
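
The server list and the visible part of the client list from the correction above, decoded into IANA suite names and intersected, as an added example that is not part of the original thread. `CLIENT_SPECS_VISIBLE` holds only the six codes readable in the truncated ClientHello, and the `tls12` switch is this example's own parameter: the GCM suites are defined for TLS 1.2 only, so none of them can be selected on the TLSV1 connection the trace reports.

```python
# IANA names for the 4-hex-digit cipher codes that appear in the thread.
CIPHER_NAMES = {
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "009E": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "009F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "009C": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "009D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "000A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "0005": "TLS_RSA_WITH_RC4_128_SHA",
    "0032": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "0038": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
}

# GSK_V3_CIPHER_SPECS_EXPANDED value from the post (server side).
SERVER_SPECS = "C02FC030009E009F009C009D002F0035000A"
# Codes readable in the truncated ClientHello in the post (client side).
CLIENT_SPECS_VISIBLE = "002F00350005000A00320038"


def split_specs(expanded):
    """Split an expanded cipher-spec string into 4-hex-digit codes."""
    text = expanded.strip().upper()
    if len(text) % 4 or not all(c in "0123456789ABCDEF" for c in text):
        raise ValueError("expected a string of 4-hex-digit cipher codes")
    return [text[i:i + 4] for i in range(0, len(text), 4)]


def needs_tls12(code):
    """True for suites whose hash/AEAD construction exists only in TLS 1.2."""
    return CIPHER_NAMES.get(code, "").endswith(("_SHA256", "_SHA384"))


def findings(code):
    """Return review notes for one cipher code (empty list means none)."""
    name = CIPHER_NAMES.get(code)
    if name is None:
        return ["unknown code"]
    notes = []
    if "_RC4_" in name:
        notes.append("RC4")
    if "_3DES_" in name:
        notes.append("3DES")
    if name.startswith("TLS_RSA_"):
        notes.append("no forward secrecy")
    if "_CBC_" in name:
        notes.append("CBC mode")
    return notes


def negotiable(preferred, other, tls12):
    """Codes both sides offer, in the order of `preferred`.

    Suites that need TLS 1.2 are dropped when tls12 is False.
    """
    offered = set(split_specs(other))
    return [code for code in split_specs(preferred)
            if code in offered and (tls12 or not needs_tls12(code))]


if __name__ == "__main__":
    for code in split_specs(SERVER_SPECS):
        print(code, CIPHER_NAMES.get(code, "?"), findings(code))
    print("server order:", negotiable(SERVER_SPECS, CLIENT_SPECS_VISIBLE, False))
    print("client order:", negotiable(CLIENT_SPECS_VISIBLE, SERVER_SPECS, False))
```

For this pair, both the server's order and the client's order put 002F first, which matches the GSK_CONNECT_CIPHER_SPEC value in the quoted trace.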


Re: AT-TLS question , issue

2015-05-14 Thread Donald J.
If you use trace level: Trace   127   you will get debugging info 
on ciphers and other things.
Cipher list presented by client:
CONNID: DA17  RC:0 Set GSK_V3_CIPHER_SPECS_EXPANDED(214) -  
C02FC030009E009F009C009D002F0035000A
Cipher chosen by server:
CONNID: DA17  RC:0 Get GSK_CONNECT_SEC_TYPE(208) -  TLSV1  
CONNID: DA17  RC:0 Get GSK_CONNECT_CIPHER_SPEC(207) -  002F

-- 
  Donald J.
  dona...@4email.net

On Wed, May 13, 2015, at 03:20 PM, Scott Ford wrote:
 All,
 We are running z/OS 1.13 and I have AT-TLS configured with PAGENT and
 SYSLOGD. We are testing a Java client inbound to a COBOL STC running CICS
 Sockets (ezasoket). In our testing we are seeing a EZD1287I TTLS Error RC:
  402 Initial Handshake. The server is showing a socket-read errno=54  -
 Econnreset. Does this imply the cipher is wrong ?
 The Java client is sending a self-signed certificate which we generated. We
 know it's ok locally in the same physical office with another server.  What
 I am not sure about is what ciphers, if this is the issue are supported on
 AT-TLS ..can someone be kind enough to help me out.
 
 Regards,
 Scott
 


Re: Alter TRUST status on a certificate

2015-04-22 Thread Donald J.
You misspelled websphere.
Try this with a capital S and no space.  Label must exactly match.
racdcert CERTAUTH alter(label('WebSphereCA')) notrust 
-- 
  Donald J.
  dona...@4email.net

On Wed, Apr 22, 2015, at 06:08 AM, nitz-...@gmx.net wrote:
 All, 
 
 I am new to this certificate stuff. I have inherited this certificate in my 
 RACF data base (apparently the only one that has a private key somewhere, no 
 ICSF in use, and I have all RACF privileges):
 
 Label: WebSphereCA
 Certificate ID: 2QiJmZmDhZmjgeaFguKXiIWZhcPB
 Status: TRUST
 Start Date: 2009/11/12 07:00:00
 End Date:   2019/01/01 06:59:59
 Serial Number:
  00
 Issuer's Name:
  CN=WAS CertAuth for Security Domain.OU=BBNBASE
 Subject's Name:
  CN=WAS CertAuth for Security Domain.OU=BBNBASE
 Key Usage: CERTSIGN
 Key Type: RSA
 Key Size: 1024
 Private Key: YES
 Ring Associations: *** No rings associated ***
 
 I want to change the trust status to NOTRUST, which I currently don't see a 
 way (rlist digtcert tells me it has application data=irrcerta):
 
 racdcert alter(label('Websphere CA')) notrust - IRRD105I No certificate 
 information was found for user myuserid.
 racdcert alter(label('Websphere CA')) notrust id(irrcerta) - IRRD102I The 
 user ID specified is not defined to RACF (same for IBMUSER, which was the id 
 it was installed under)
 racdcert alter(label('Websphere CA')) notrust certauth - IRRD107I No 
 matching certificate was found for this user. (Is this irrcerta? If so, why 
 isn't it found?)
 racdcert alter(label('Websphere CA')) notrust site - IRRD105I No certificate 
 information was found for user irrsitec.
 
 How do I address this certificate? 
 
 Barbara
   
 


DB2 Forum

2015-03-08 Thread Donald J.
Can someone recommend a good DB2 Forum?

The one at IBM developerWorks is not very active.
As example, 17 of the last 25 questions have gone
with 0 replies.  6 of those with only 1 reply.

I do see an IDUG DB2-L forum.

-- 
  Donald J.
  dona...@4email.net



Re: PKI Services for z/OS

2014-10-31 Thread Donald J.
LDAP would be required if you want to check
for revoked certificates from PAGENT or CICS.
LDAP could be somewhere besides z/os though.

-- 
  Donald J.
  dona...@4email.net

On Thu, Oct 30, 2014, at 12:18 PM, Dazzo, Matt wrote:
 We are starting to look at certificate management, I was wondering how many 
 folks were using PKI Services for z/OS? 
 1. How is the install of PKI and setup to do, I read that LDAP is required 
 how is that to install?




Re: ldapchangepwd

2014-10-22 Thread Donald J.
-n    show what would be done but don't actually search

-n is not newpwd

 ldapsearch -h mvs7 -D racfid=jojo123,profiletype=user,cn=MVS7SUFF
   -w  oldpwd/newpwd -s base  -b  objectclass=*

This command should work from any platform.
The ldapchangepwd is probably mainframe only.

-- 
  Donald J.
  dona...@4email.net

On Wed, Oct 22, 2014, at 04:23 AM, Tim Brown wrote:
 This gets a 0 but the password is still the old one
 
 sh  /bin/ldapsearch -h 127.0.0.1 -p 389 -s base
   -w oldpwd
   -n oldpwd 
   -D racfid=TESTUSER,profiletype=user,sysplex=sysplex1 
  (objectclass=*) ;   
 
 Tim
 
 -Original Message-
 From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
 Behalf Of Donald J.
 Sent: Tuesday, 21 October, 2014 4:38 PM
 To: IBM-MAIN@LISTSERV.UA.EDU
 Subject: Re: ldapchangepwd
 
 That would be your SUFFIX parameter value.
 
 --
   Donald J.
   dona...@4email.net
 
 On Tue, Oct 21, 2014, at 01:30 PM, Tim Brown wrote:
  Thanks , where is RACFSY7 referred to in DSCONFIG?
  
  -Original Message-
  From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
  Behalf Of Donald J.
  Sent: Tuesday, 21 October, 2014 4:12 PM
  To: IBM-MAIN@LISTSERV.UA.EDU
  Subject: Re: ldapchangepwd
  
  This works for me:
  
  ldapsearch -h mvs7 -D racfid=jojo123,profiletype=user,cn=RACFSY7  -w 
  oldpwd/ oldpwd -s base  -b  objectclass=*
  
  --
Donald J.
dona...@4email.net
  
  On Tue, Oct 21, 2014, at 07:58 AM, Tim Brown wrote:
   Attempting to use ldapchangepwd.  Any idea what is causing error?
   
   ldapchangepwd -D cn=TESTUSER,o=IBM,c=US -w ? -n ?  -h 127.0.0.1  
   -p
   389
   
   Enter current password ==  old
   Enter new password ==   new
   
   ldap_sasl_bind: Credentials are not valid
   ldap_sasl_bind: additional info: R004062 Credentials are not valid
   (ldbm_authenticate_user:252)
   
   Thanks,
   
   Tim Brown
   
   
   
   
   


Re: ldapchangepwd

2014-10-22 Thread Donald J.
You are not supplying valid bind credentials.  Suggest you get any ldapsearch
to work first using TESTUSER's bind credentials.  Then the password can be
changed with just the addition of /newpwd after the current password on the
ldapsearch.


-- 
  Donald J.
  dona...@4email.net

On Wed, Oct 22, 2014, at 11:52 AM, Tim Brown wrote:
 If I use 
 
 sh  /bin/ldapsearch -h 127.0.0.1 -p 389 -s base 
   -w  oldpwd/newpwd
   -D racfid=TESTUSER,profiletype=user,sysplex=sysplex1  
  (objectclass=*) ;
 
 
 I get
 
 ldap_sasl_bind: Credentials are not valid 
   
 ldap_sasl_bind: additional info: R000104 The password is not correct or the 
 user is not completely defined (missing password or uid) 
 (srv_authenticate_native
 
 
 Tim
 -Original Message-
 From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
 Behalf Of Donald J.
 Sent: Wednesday, 22 October, 2014 7:58 AM
 To: IBM-MAIN@LISTSERV.UA.EDU
 Subject: Re: ldapchangepwd
 
 -n    show what would be done but don't actually search
 
 -n is not newpwd
 
  ldapsearch -h mvs7 -D racfid=jojo123,profiletype=user,cn=MVS7SUFF
    -w  oldpwd/newpwd -s base  -b  objectclass=*
 
 This command should work from any platform.
 The ldapchangepwd is probably mainframe only.
 
 --
   Donald J.
   dona...@4email.net
 
 On Wed, Oct 22, 2014, at 04:23 AM, Tim Brown wrote:
  This gets a 0 but the password is still the old one
  
  sh  /bin/ldapsearch -h 127.0.0.1 -p 389 -s base
-w oldpwd
-n oldpwd 
-D racfid=TESTUSER,profiletype=user,sysplex=sysplex1 
   (objectclass=*) ;   
  
  Tim
  
  -Original Message-
  From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
  Behalf Of Donald J.
  Sent: Tuesday, 21 October, 2014 4:38 PM
  To: IBM-MAIN@LISTSERV.UA.EDU
  Subject: Re: ldapchangepwd
  
  That would be your SUFFIX parameter value.
  
  --
Donald J.
dona...@4email.net
  
  On Tue, Oct 21, 2014, at 01:30 PM, Tim Brown wrote:
   Thanks , where is RACFSY7 referred to in DSCONFIG?
   
   -Original Message-
   From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
   Behalf Of Donald J.
   Sent: Tuesday, 21 October, 2014 4:12 PM
   To: IBM-MAIN@LISTSERV.UA.EDU
   Subject: Re: ldapchangepwd
   
   This works for me:
   
   ldapsearch -h mvs7 -D racfid=jojo123,profiletype=user,cn=RACFSY7  -w 
   oldpwd/ oldpwd -s base  -b  objectclass=*
   
   --
 Donald J.
 dona...@4email.net
   
   On Tue, Oct 21, 2014, at 07:58 AM, Tim Brown wrote:
Attempting to use ldapchangepwd.  Any idea what is causing error?

ldapchangepwd -D cn=TESTUSER,o=IBM,c=US -w ? -n ?  -h 127.0.0.1 
-p
389

Enter current password ==  old
Enter new password ==   new

ldap_sasl_bind: Credentials are not valid
ldap_sasl_bind: additional info: R004062 Credentials are not valid
(ldbm_authenticate_user:252)

Thanks,

Tim Brown





Re: ldapchangepwd

2014-10-21 Thread Donald J.
This works for me:

ldapsearch -h mvs7 -D racfid=jojo123,profiletype=user,cn=RACFSY7  -w 
oldpwd/newpwd -s base  -b  objectclass=*

-- 
  Donald J.
  dona...@4email.net

On Tue, Oct 21, 2014, at 07:58 AM, Tim Brown wrote:
 Attempting to use ldapchangepwd.  Any idea what is causing error?
 
 ldapchangepwd -D cn=TESTUSER,o=IBM,c=US -w ? -n ?  -h 127.0.0.1  -p 389
 
 Enter current password ==  old
 Enter new password ==   new
 
 ldap_sasl_bind: Credentials are not valid
 ldap_sasl_bind: additional info: R004062 Credentials are not valid 
 (ldbm_authenticate_user:252)
 
 Thanks,
 
 Tim Brown
 
 
 
 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: ldapchangepwd

2014-10-21 Thread Donald J.
That would be your SUFFIX parameter value.

-- 
  Donald J.
  dona...@4email.net

On Tue, Oct 21, 2014, at 01:30 PM, Tim Brown wrote:
 Thanks , where is RACFSY7 referred to in DSCONFIG?
 
 -----Original Message-----
 From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
 Behalf Of Donald J.
 Sent: Tuesday, 21 October, 2014 4:12 PM
 To: IBM-MAIN@LISTSERV.UA.EDU
 Subject: Re: ldapchangepwd
 
 This works for me:
 
 ldapsearch -h mvs7 -D racfid=jojo123,profiletype=user,cn=RACFSY7  -w 
 oldpwd/newpwd -s base  -b  objectclass=*
 
 --
   Donald J.
   dona...@4email.net
 
 On Tue, Oct 21, 2014, at 07:58 AM, Tim Brown wrote:
  Attempting to use ldapchangepwd.  Any idea what is causing error?
  
  ldapchangepwd -D cn=TESTUSER,o=IBM,c=US -w ? -n ?  -h 127.0.0.1  -p 
  389
  
  Enter current password ==  old
  Enter new password ==   new
  
  ldap_sasl_bind: Credentials are not valid
  ldap_sasl_bind: additional info: R004062 Credentials are not valid 
  (ldbm_authenticate_user:252)
  
  Thanks,
  
  Tim Brown
  
  
  
  


Re: java on Z maintenance level question

2014-08-28 Thread Donald J.
The first is SDK V6.0.0 and the second is SDK V6.0.1

Each has its own levels as described here:
http://www-03.ibm.com/systems/z/os/zos/tools/java/services/j6servsum31.html

-- 
  Donald J.
  dona...@4email.net

On Tue, Aug 26, 2014, at 12:05 PM, Pommier, Rex wrote:
 Hi,
 
 I have a question on java versioning and maintenance levels on z/OS.  I have 
 2 different copies of Java 1.6.0 and am trying to decipher which is the more 
 current.  I've been under the assumption that the SRmFPn gave the maintenance 
 level, and that the higher the numbers, the more current the fix pack.  
 However I have the following 2 levels of Java and don't know which is newer:
 
 # ./java -version  
 java version 1.6.0   
 Java(TM) SE Runtime Environment (build pmz3160_26sr5fp2-20130423_01(SR5 FP2))
 IBM J9 VM (build 2.6, JRE 1.6.0 z/OS s390-31 20130419_145740 (JIT enabled, 
 AOT enabled)
 
 # ./java -version
 java version 1.6.0
 Java(TM) SE Runtime Environment (build pmz3160sr13fp2-20130424_01(SR13 FP2))
 IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 z/OS s390-31 
 jvmmz3160sr13fp2-20130423_146146 (JIT enabled, AOT enabled)
 
 
 



Re: SMF records for SYSOUT file

2014-08-21 Thread Donald J.
 WAD. You can reduce the delay via a setting. If you're still having delay
 problems, check your JES3 performance. 

What type of setting are you referring to?
This problem only occurs at a few random times, 
and not on all files, so I would not think it is
a direct result of one parameter setting value.

It appears application level tracing would be
required to diagnose the issue.

-- 
  Donald J.
  dona...@4email.net

On Thu, Aug 21, 2014, at 02:39 AM, Elardus Engelbrecht wrote:
 Barry Merrill wrote:
 
 There is no separate SMF record written when data is sent to the JES SPOOL.
 
 Indeed.
 
 And Type 6 records are written by JES2 or by some SYSOUT processing 
 packages; some packages that manage spooled output for viewing and/or 
 printing write their own SMF User SMF records.
 
 True. VPS can do that too if you wish.
 
 
 Donald J. wrote:
 
 A user is complaining about a 15 minute delay in her print process showing 
 up in the JES3 queue and beginning to print on the VPS printer.  The VPS 
 print time matches the SMF 6 record time.
 
 WAD. You can reduce the delay via a setting. If you're still having delay
 problems, check your JES3 performance. 
 
 Note: I'm familiar with VPS from LRS.
 
 Groete / Greetings
 Elardus Engelbrecht
 


Re: SMF records for SYSOUT file

2014-08-21 Thread Donald J.
The problem was that the file was not showing up yet
in the JES3 queue.  A display of the printer showed
nothing queued, yet user said a transaction had been
queued to the printer 10 minutes ago.  5 minutes later 
the file is queued to JES3 and VPS immediately 
printed it after 1 millisecond. Not a VPS issue.

-- 
  Donald J.
  dona...@4email.net

 What type of setting are you referring to?
 
 Some possible settings, YMMV:
   vps parameters listed
 All of the very best for you.
 
 Groete / Greetings
 Elardus Engelbrecht
 


SMF records for SYSOUT file

2014-08-20 Thread Donald J.
An SMF type 6 record is created at the time a SYSOUT file is printed.  Does
anyone know if any SMF records are created for the process of writing to the
SYSOUT file?  Record type 15 is not written for data sets defined as SYSOUT
data sets on DD statements.

A user is complaining about a 15 minute delay in her print process showing up
in the JES3 queue and beginning to print on the VPS printer.  The VPS print
time matches the SMF 6 record time.

JESYSMSG shows following type output with no timestamps on the messages:
IEF237I JES3 ALLOCATED TO SYSOUT   
IEF285I   CTTH441.SDB1.JOB07555.D032.? SYSOUT  

-- 
  Donald J.
  dona...@4email.net



Re: running ldapsearch via JVL

2014-08-06 Thread Donald J.
 
Try this:
  //STEPNAME EXEC PGM=BPXBATCH
  //STDOUT   DD SYSOUT=*,LRECL=1024,RECFM=V   
  //STDERR   DD SYSOUT=*,LRECL=1024,RECFM=V   
  //STDPARM  DD * 
  sh  /bin/ldapsearch -h mvs6 -p 3289  -D cn=yyy -w zzz
   -b O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB  
   (objectclass=*) ;
  // 
 
 -- 
   Donald J.
   dona...@4email.net
 
 On Wed, Aug 6, 2014, at 05:17 AM, Tim Brown wrote:
  Does anyone have an example of running ldapsearch via jcl
 
 



Re: running ldapsearch via JVL

2014-08-06 Thread Donald J.
Try typing the ldapsearch directly from an omvs command line.
I usually use openldap on my pc for commands.
An OMVS segment for your userid is probably a requirement.

-- 
  Donald J.
  dona...@4email.net

On Wed, Aug 6, 2014, at 12:08 PM, Tim Brown wrote:
 Thanks, I ran this, it got  rc=0 but there is no output?
 
 //LDAPSPRCH JOB 0,CLASS=A,PRTY=6,MSGLEVEL=(1,1),MSGCLASS=X,
 //STEP01  EXEC PGM=BPXBATCH 
 //SYSOUT   DD SYSOUT=*,LRECL=1024,RECFM=V
 //STDOUT   DD SYSOUT=*,LRECL=1024,RECFM=V
 //STDERR   DD SYSOUT=*,LRECL=1024,RECFM=V
 //STDPARM  DD *  
 sh  /bin/ldapsearch -h 127.0.0.1 -p 389 
   -w 
   -b racfid=IBMUSER,profiletype=user,sysplex=sysplex1  
  (objectclass=*) ; 
 
 Tim
 
 -----Original Message-----
 From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
 Behalf Of Donald J.
 Sent: Wednesday, 06 August, 2014 10:53 AM
 To: IBM-MAIN@LISTSERV.UA.EDU
 Subject: Re: running ldapsearch via JVL
 
  
 Try this:
   //STEPNAME EXEC PGM=BPXBATCH
   //STDOUT   DD SYSOUT=*,LRECL=1024,RECFM=V   
   //STDERR   DD SYSOUT=*,LRECL=1024,RECFM=V   
   //STDPARM  DD * 
   sh  /bin/ldapsearch -h mvs6 -p 3289  -D cn=yyy -w zzz
-b O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB  
(objectclass=*) ;
   // 
  
  -- 
Donald J.
dona...@4email.net
  
  On Wed, Aug 6, 2014, at 05:17 AM, Tim Brown wrote:
   Does anyone have an example of running ldapsearch via jcl
  
  
 


DR site CHPID TYPE=FC Console Question

2014-07-11 Thread Donald J.
Our z196 3174 consoles are defined on a TYPE=CNC escon chpid.  We will be
using a zEC12 at a DR site for testing.  Can the console virtual devices on
our IODF TYPE=CNC chpid be attached to DR site VM devices on a real TYPE=FC
chpid?   Will our chpid/devices vary online ok?

-- 
  Donald J.
  dona...@4email.net



Re: Policy Agent, AT-TLS, and Ciphersuites

2014-06-05 Thread Donald J.
Do you have Security Level 3 FMID (JCPT3D1) installed?

-- 
  Donald J.
  dona...@4email.net

On Thu, Jun 5, 2014, at 07:53 AM, Frank Chu wrote:
 Hello,
 
 I am trying to work out how to get the zOS 1.13 FTP client to connect to 
 a FTP server (a FileZilla Server on Windows) via FTPS.   I am having 
 trouble getting Policy Agent setup to use the correct cipher suites.
 
 



z/OS Performance Analyst Job Posting

2014-05-23 Thread Donald J.
Job Opportunities 
Create application here:
http://agency.governmentjobs.com/cpatx/default.cfm

Job #:  2W11.14 
Job Title:  zEnterprise Performance Analyst (REOPENED) 
State Classification Title: Systems Analyst V 
Salary: $64,200.00 - $82,200.00 Annually 
Location:   Austin, TX (LBJ) 
Department: Innovation  Technology 

Performs advanced (senior-level) computer systems analysis work.
Performs advanced and complex mainframe computer systems analysis with
emphasis on mainframe performance and tuning.  Work involves the
analysis of mainframe performance issues with emphasis on DB2
performance.  Will work with system analysts, application programmers,
database administrators and vendors to resolve technical performance
issues discovered and problems as they arise. Works under minimal
direction with considerable latitude for the use of initiative and
independent judgment.
 Essential Job Functions and Responsibilities: 
•   Manages mainframe performance tuning by administering
performance software products, monitors mainframe performance for
availability and utilization. Provides technical support for users and
mainframe software developers for performance-related issues; researches
performance-related problems, either technical or performance related,
and provides solutions. Provides utilization and performance reports to
management.
•   Monitors resource utilization and makes recommendations for
enhancements to performance (ex:  CPU, Processing window, DASD and tape
allocations).
•   Manages work activities for short and long range mainframe
performance assignments, communicating with management and other team
members in a timely and effective manner.
•   Performs mainframe disaster recovery activities for section
including but not limited to, participating in disaster recovery hot
site exercises and schedules and updating documentation.
•   Plans, installs, maintains, upgrades and administers IBM
mainframe performance related software products and provides
documentation for all software changes.
•   Performs other related duties as assigned.

 Minimum Qualifications Requirements: 

Education:
•   Graduation from an accredited four-year college or university
with a bachelor’s degree.
•   Complete copies of college transcripts must be furnished to the
divisional hiring representative at the time of the interview for
positions requiring a college degree, and/or specific educational
credits.
Preferred Education:
Graduation from an accredited four-year college or university with a
bachelor’s degree in Computer Science, Management Information Systems or
related field.

Experience:
Within the last 10 years
•   Six (6) years’ experience in analyzing mainframe performance
issues
•   Two (2) years’ experience in analyzing mainframe DB2 performance
issues.
Preferred Experience:
•   BMC’s Apptune
•   Compuware’s STROBE
•   SAS
•   MXG
•   HTML
•   Control/M
•   Buffer Pool tuning
•   Experience with IBM utility programs and products including:
SMF/RMF,  IDCAMS, CLISTS/REXX, SORT, TSO, JCL, WLM and TMON
•   Teaching technical issues to developers
•   IBM mainframe software installation techniques and
methodologies.
Substitution:
One (1) additional year of experience in analyzing mainframe performance
issues work may substitute for thirty semester hours of educational
requirement with a maximum substitution of 120 semester hours (four
years).
 
 Knowledge, Skills, and Abilities: 
Knowledge of:
•   IBM mainframe (System z) performance analysis and administration
•   z/OS DB2
•   IBM utility programs and products including SMF/RMF,  IDCAMS,
CLISTS/REXX, SORT, TSO, JCL, WLM and TMON
•   BMC Apptune
•   Compuware’s STROBE
•   SAS
•   MXG
•   HTML
•   Control/M
•   Teaching technical issues to developers
•   IBM mainframe software installation techniques and methodologies
 





Re: SSH connectivity with OMVS

2014-05-23 Thread Donald J.
Your document has instructions for starting SSHD, but I didn't see any
for stopping SSHD.
I use the following to start/stop SSHD:

S SSHD
S SSHD,STOP=TRUE


//SSHD PROC STOP='FALSE'
//* 
// STOP  THE SSHD TASK ( SFTP-SERVER FUNCTION ) 
//  IF STOP THEN   
//* 
//SSHX EXEC PGM=BPXBATCH,REGION=0M,TIME=NOLIMIT,
//  PARM='SH /u/local/sbin/killsshd.sh' 
//STDERR  DD SYSOUT=*  
//* 
//* 
// START THE SSHD TASK ( SFTP-SERVER FUNCTION ) 
//  ELSE
//* 
//SSHD EXEC PGM=BPXBATCH,REGION=0M,TIME=NOLIMIT,
//  PARM='PGM /bin/sh -c /u/local/sbin/sshd.sh' 
//STDERR  DD SYSOUT=*
//* 
//  ENDIF   

-- 
  Donald J.
  dona...@4email.net

 
 We would appreciate any comments or feedback on this material, which we
 will use to improve it for the community.   Either send emails to
 i...@dovetail.com or use our community forum at http://dovetail.com/form
 
 
 Kirk Wolf
 Dovetailed Technologies
 http://dovetail.com
 
  



Re: z/OS FTPS Client Linux FTP server

2014-05-12 Thread Donald J.
You need ApplicationControlled On  as well as SecondaryMap On.

Issue this command to see your resultant config:
pasearch -p TCPIP  tcpip.pagent.dat   


-- 
  Donald J.
  dona...@4email.net
 TTLSEnvironmentAdvancedParms
{
  SecondaryMap  On
 



Re: z/OS FTPS Client Linux FTP server

2014-05-12 Thread Donald J.
A GSK trace is most likely needed.
Did you ever resolve the intermediate certificate issue I mentioned on
my May 8 message?

Your ftp.s390.mainline.com server certificate is issued by the GoDaddy
intermediate cert:
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.,
OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure
Certification Authority/
serialNumber=07969287

The GoDaddy intermediate cert above is issued by the root cert :
Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2
Certification Authority

It appears you do not have the intermediate cert in the keyring at
either end.  If you have 100 clients and 1 server, it would be easier to
put in the one server keystore.   But you can probably put it in your
z/OS client keystore instead.  

If you can't find it, you can download it from the 3rd cert
(gd_intermediate.crt) on this page:
https://certs.godaddy.com/anonymous/repository.pki

-- 
  Donald J.
  dona...@4email.net
 
 
 FC2903 authServerAttls: ioctl() failed on SIOCTTLSCTL - EDC8121I
 Connection
 reset. (errno2=0x77B17343)
 EZA2897I Authentication negotiation
 failed
 EZA1534I *** Control connection with 10.6.0.10
 dies.
 
 If I read this right the 7343 part of the errno2 says that it expected a
 secure response, but it was sent clear text.
 I've tried
 SECUREIMPLICITZOS  both TRUE and FALSE - with true I don't see the 220-
 messages, but still get the same error.
 
 



Re: z/OS FTPS Client Linux FTP server

2014-05-08 Thread Donald J.
Kevin is right about the complete chain.
I issued this openssl command:
openssl s_client -connect ftp.s390.mainline.com:21 -starttls ftp -tls1 -CAfile gd-class2-root.crt
and got error:
Verify return code: 21 (unable to verify the first certificate)

I created a cacerts file with both the intermediate and root cert:
copy gd_intermediate.crt+gd-class2-root.crt daddy.cacerts.crt

Then I got code 0 with:
openssl s_client -connect ftp.s390.mainline.com:21 -starttls ftp -tls1 -CAfile daddy.cacerts.crt

So your rsa_cert_file=/etc/vsftpd/mainline-wc-2011.crt file probably
does not have the chain of 3 certs in it.  They should be stacked in
the file as follows:

-----BEGIN CERTIFICATE-----
mainline server cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
gd_intermediate.crt cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
gd-class2-root.crt cert
-----END CERTIFICATE-----

Filezilla is not a good program to test with, as it appears to not do
server cert authentication.  It is better to use curl for windows or
curl for z/OS.

-- 
  Donald J.
  dona...@4email.net

On Wed, May 7, 2014, at 03:38 PM, Neubert, Kevin wrote:
 Is the chain complete?  Check trust and Issuer's/Subject's Names. 
 RACDCERT LIST(LABEL('Go Daddy Class 2')) CERTAUTH.  Do you have all the
 names?  SEARCH CLASS(DIGTCERT).
 
 Regards,
 
 Kevin
 
 
 
Ring:
 FtpSecur
Certificate Label Name Cert Owner USAGE  DEFAULT
         ---
GeoTrust Global CA CERTAUTH   CERTAUTH NO
Go Daddy Class 2   CERTAUTH   CERTAUTH YES
 

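Added example (not part of the original posts): the missing-intermediate failure and the two fixes discussed in the message above, reproduced offline with a throwaway three-certificate chain. All subject names, file names and helper functions (issue, make_chain, verify_*, chain_in_order) are constructed for this illustration and assume the openssl command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo: throwaway keys and made-up names, nothing from the thread.
# Builds root -> intermediate -> server and verifies the server certificate
# with and without the intermediate being available to the verifier.

issue() {  # $1=dir $2=new cert name $3=subject CN $4=issuing CA name $5=ext section $6=serial
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
    -set_serial "$6" -days 2 -extfile "$1/ext.cnf" -extensions "$5" \
    -out "$1/$2.crt" 2>/dev/null
}

make_chain() {  # $1 = empty work directory
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ext.cnf" \
    -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null || return 1
  issue "$1" int "Demo Intermediate CA" root v3_ca 2 || return 1
  issue "$1" server "ftp.example.test" int v3_leaf 3 || return 1
  # Server-side fix: the file the server presents, stacked leaf first.
  cat "$1/server.crt" "$1/int.crt" "$1/root.crt" > "$1/stacked.crt"
  # Client-side fix: a trust file holding intermediate and root together.
  cat "$1/int.crt" "$1/root.crt" > "$1/cacerts.crt"
}

verify_root_only() {       # client trusts the root; server supplies only its own cert
  openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}
verify_server_stacked() {  # client trusts the root; server supplies the stacked file
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/stacked.crt" \
    "$1/server.crt" >/dev/null 2>&1
}
verify_client_bundle() {   # server supplies only its own cert; client trusts both CAs
  openssl verify -CAfile "$1/cacerts.crt" "$1/server.crt" >/dev/null 2>&1
}

# Ordering check for a stacked PEM file: each certificate must name the next
# one as its issuer. This compares names only; signatures are checked by
# "openssl verify" above.
chain_in_order() (
  tmp=$(mktemp -d) || exit 2
  n=$(awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                         n { print > (dir "/c" n ".pem") }
                         END { print n + 0 }' "$1")
  rc=0; i=1
  [ "$n" -ge 1 ] || rc=1
  while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -noout -issuer -in "$tmp/c$i.pem")
    subject=$(openssl x509 -noout -subject -in "$tmp/c$((i + 1)).pem")
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || rc=1
    i=$((i + 1))
  done
  rm -rf "$tmp"
  exit "$rc"
)

work=$(mktemp -d) || exit 1
if make_chain "$work"; then
  verify_root_only "$work"      && echo "root only:            verified" \
                                || echo "root only:            verify failed"
  verify_server_stacked "$work" && echo "server sends chain:   verified" \
                                || echo "server sends chain:   verify failed"
  verify_client_bundle "$work"  && echo "client has both CAs:  verified" \
                                || echo "client has both CAs:  verify failed"
  chain_in_order "$work/stacked.crt" && echo "stacked file order:   leaf first, issuers follow"
fi
rm -rf "$work"
```
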


Re: z/OS FTPS Client Linux FTP server

2014-05-08 Thread Donald J.
The root cert is all that should be needed on the z/OS side,
if linux side is set up correctly.

But as mentioned in my last email, it doesn't look like the
linux side cert file is complete.  Your server cert is issued
by a GoDaddy intermediate cert, which is issued by a
GoDaddy root cert.  I would guess your linux file only
has the server cert in it, and it needs the intermediate
cert in it as well, and optionally the root cert.

-- 
  Donald J.
  dona...@4email.net

On Thu, May 8, 2014, at 07:31 AM, Mark Pace wrote:
 I assume it's complete  - I don't see an obvious error.
 



Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Donald J.
Make sure client and server have a common cipher.
SSL_AES_128_SHA and SSL_AES_256_SHA are probably more
commonly used than SSL_RC4_SHA.

Make sure the linux root certificate is in your z/OS client keyring.

-- 
  Donald J.
 

 



Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Donald J.
racdcert id(userid) listring(ring.name)   
racdcert id(userid) connect(ring(ring.name)  LABEL('GoDaddy Root Label')
CERTAUTH usage(CERTAUTH) )  

-- 
  Donald J.


On Wed, May 7, 2014, at 06:34 AM, Mark Pace wrote:
 The cipher was one of my early problems.  But I figured that one out.
 vsftpd -  ssl_ciphers=RC4-SHA
 z/OS - CIPHERSUITE SSL_RC4_SHA
 
 I'm certain that this Keyring  is (part of) my problem.   Stumbling
 through
 RACF I have found that the GoDaddy Root CA is already defined in z/OS,
 but
 still trying to determine if it is part of a keyring.
 
 
 
 On Wed, May 7, 2014 at 8:57 AM, Donald J. dona...@4email.net wrote:
 
  Make sure client and server have a common cipher.
  SSL_AES_128_SHA and SSL_AES_256_SHA are probably more
  commonly used than SSL_RC4_SHA.
 
  Make sure the linux root certificate is in your z/OS client keyring.
 
  --
Donald J.
 
 
 
 
 
 
 
 
 -- 
 The postings on this site are my own and don’t necessarily represent
 Mainline’s positions or opinions
 
 Mark D Pace
 Senior Systems Engineer
 Mainline Information Systems
 


Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Donald J.
SC24-5901

410 SSL message format is incorrect.
Explanation: An incorrectly formatted SSL message is
received from the communication partner.
User response: Collect a System SSL trace
containing a dump of the SSL message and then
contact your service representative

You usually have to run a GSK trace to track down these problems.
Are you using AT-TLS environment for the FTPS client ?

-- 
  Donald J.
  dona...@4email.net

On Wed, May 7, 2014, at 07:38 AM, Mark Pace wrote:
 Trying to turn on some DEBUG information
 DEBUG FLO
 
 FC1003 authServer: secure_socket_init failed with rc = 410 (SSL message
 format is incorrect)
 
 So not to try to figure out where to find this error message.
 
 
 On Wed, May 7, 2014 at 10:19 AM, Mark Pace pacemainl...@gmail.com
 wrote:
 
  I remember setting up something very similar to connect to IBM.   So I
  added the GoDaddy cert to the same keyring.
 
  sr cla(digtring)
  IBMUSER.smpemaint
  *IBMUSER.FtpSecur *
  IBMUSER.IBMRing
  IBMUSER.SecureFTPKeyRing
  IBMUSER.SMPEMAINT
  TN3270.TNRING
  ***
 
 
 
  racdcert id(ibmuser) listring(*FtpSecur*)
  Digital ring information for user IBMUSER:
 
Ring:
 FtpSecur
Certificate Label Name Cert Owner USAGE  DEFAULT
         ---
GeoTrust Global CA CERTAUTH   CERTAUTH NO
   * Go Daddy Class 2   CERTAUTH   CERTAUTH YES*
 
 
  So I added to my ftp.data
  KEYRING  IBMUSER/FtpSecur
 
  But that still isn't the final answer
 
  EZA2897I Authentication negotiation failed
  EZA2898I Unable to successfully negotiate required authentication
  EZA1735I Std Return Code = 1, Error Code = 00017
 
 
 
  On Wed, May 7, 2014 at 9:44 AM, Chase, John jch...@ussco.com wrote:
 
  If you're authorized to issue RACF commands, try SR CLA(DIGTRING) to list
  defined key rings (format is userid.ringname), then RACDCERT ID(userid)
  LISTRING(ringname or *) to see the ring(s) contents.
 
  Also ensure that the root cert you're interested in has TRUST status
  (default is NOTRUST).
 
-jc-
 
   -----Original Message-----
   From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
  On Behalf Of Mark Pace
   Sent: Wednesday, May 07, 2014 8:34 AM
   To: IBM-MAIN@LISTSERV.UA.EDU
   Subject: Re: z/OS FTPS Client  Linux FTP server
  
   The cipher was one of my early problems.  But I figured that one out.
   vsftpd -  ssl_ciphers=RC4-SHA
   z/OS - CIPHERSUITE SSL_RC4_SHA
  
   I'm certain that this Keyring  is (part of) my problem.   Stumbling
  through
   RACF I have found that the GoDaddy Root CA is already defined in z/OS,
  but still trying to determine
   if it is part of a keyring.
  
  
  
   On Wed, May 7, 2014 at 8:57 AM, Donald J. dona...@4email.net wrote:
  
Make sure client and server have a common cipher.
SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly used
than SSL_RC4_SHA.
   
Make sure the linux root certificate is in your z/OS client keyring.
   
--
  Donald J.
   
   
   
   
   
  
  
  
   --
   The postings on this site are my own and don’t necessarily represent
  Mainline’s positions or opinions
  
   Mark D Pace
   Senior Systems Engineer
   Mainline Information Systems
  
 
 
 
 
  --
  The postings on this site are my own and don’t necessarily represent
  Mainline’s positions or opinions
 
  Mark D Pace
  Senior Systems Engineer
  Mainline Information Systems
 
 
 
 
 
 
 -- 
 The postings on this site are my own and don’t necessarily represent
 Mainline’s positions or opinions
 
 Mark D Pace
 Senior Systems Engineer
 Mainline Information Systems
 

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Donald J.
If you aren't using any client certs, it is easier to just use a 
RAC virtual keyring  for CERTAUTH server authentication:
KEYRING *AUTH*/*

-- 
  Donald J.
  dona...@4email.net

On Wed, May 7, 2014, at 07:38 AM, Mark Pace wrote:
 Trying to turn on some DEBUG information
 DEBUG FLO
 
 FC1003 authServer: secure_socket_init failed with rc = 410 (SSL message
 format is incorrect)
 
 So not to try to figure out where to find this error message.
 
 
 On Wed, May 7, 2014 at 10:19 AM, Mark Pace pacemainl...@gmail.com
 wrote:
 
  I remember setting up something very similar to connect to IBM.   So I
  added the GoDaddy cert to the same keyring.
 
  sr cla(digtring)
  IBMUSER.smpemaint
  *IBMUSER.FtpSecur *
  IBMUSER.IBMRing
  IBMUSER.SecureFTPKeyRing
  IBMUSER.SMPEMAINT
  TN3270.TNRING
  ***
 
 
 
  racdcert id(ibmuser) listring(*FtpSecur*)
  Digital ring information for user IBMUSER:
 
Ring:
 FtpSecur
Certificate Label Name Cert Owner USAGE  DEFAULT
         ---
GeoTrust Global CA CERTAUTH   CERTAUTH NO
   * Go Daddy Class 2   CERTAUTH   CERTAUTH YES*
 
 
  So I added to my ftp.data
  KEYRING  IBMUSER/FtpSecur
 
  But that still isn't the final answer
 
  EZA2897I Authentication negotiation failed
  EZA2898I Unable to successfully negotiate required authentication
  EZA1735I Std Return Code = 1, Error Code = 00017
 
 
 
  On Wed, May 7, 2014 at 9:44 AM, Chase, John jch...@ussco.com wrote:
 
  If you're authorized to issue RACF commands, try SR CLA(DIGTRING) to list
  defined key rings (format is userid.ringname), then RACDCERT ID(userid)
  LISTRING(ringname or *) to see the ring(s) contents.
 
  Also ensure that the root cert you're interested in has TRUST status
  (default is NOTRUST).
 
-jc-
 
   -Original Message-
   From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
  On Behalf Of Mark Pace
   Sent: Wednesday, May 07, 2014 8:34 AM
   To: IBM-MAIN@LISTSERV.UA.EDU
   Subject: Re: z/OS FTPS Client  Linux FTP server
  
   The cipher was one of my early problems.  But I figured that one out.
   vsftpd -  ssl_ciphers=RC4-SHA
   z/OS - CIPHERSUITE SSL_RC4_SHA
  
   I'm certain that this Keyring  is (part of) my problem.   Stumbling
  through
   RACF I have found that the GoDaddy Root CA is already defined in z/OS,
  but still trying to determine
   if it is part of a keyring.
  
  
  
   On Wed, May 7, 2014 at 8:57 AM, Donald J. dona...@4email.net wrote:
  
Make sure client and server have a common cipher.
SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly used
than SSL_RC4_SHA.
   
Make sure the Linux root certificate is in your z/OS client keyring.
   
--
  Donald J.
   
   
   
   

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Donald J.
The DEFAULT YES would be used for a client certificate,
not for a CERTAUTH entry.

-- 
  Donald J.
 
 Digital ring information for user IBMUSER:

   Ring:
        FtpSecur
   Certificate Label Name   Cert Owner   USAGE      DEFAULT
   ----------------------   ----------   --------   -------
   GeoTrust Global CA       CERTAUTH     CERTAUTH   NO
  *Go Daddy Class 2         CERTAUTH     CERTAUTH   YES*
   



Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Donald J.
You did do a:
SETROPTS RACLIST(DIGTCERT) REFRESH  
after last changing the keyring?

What does the LISTRING show now?

Does the userid submitting the batch job have any ICH408I 
errors in the log?

-- 
  Donald J.
 



Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Donald J.
You need to change that to DEFAULT NO.

-- 
  Donald J.
  dona...@4email.net

On Wed, May 7, 2014, at 01:01 PM, Mark Pace wrote:
 Yes, I did the digtcert refresh
  Digital ring information for user IBMUSER:

    Ring:
         FtpSecur
    Certificate Label Name   Cert Owner   USAGE      DEFAULT
    ----------------------   ----------   --------   -------
    GeoTrust Global CA       CERTAUTH     CERTAUTH   NO
    Go Daddy Class 2         CERTAUTH     CERTAUTH   YES
 
  ***
 
 No ICH408I errors.
 
 
 
 On Wed, May 7, 2014 at 3:27 PM, Donald J. dona...@4email.net wrote:
 
  You did do a:
  SETROPTS RACLIST(DIGTCERT) REFRESH
  after last changing the keyring?
 
  What does the LISTRING show now?
 
  Does the userid submitting the batch job have any ICH408I
  errors in the log?
 
  --
Donald J.
 
 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
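
A check for the keyring condition discussed in this thread, as an added example that is not part of the original posts: it parses RACDCERT LISTRING output by its column ruler and flags CERTAUTH entries connected with DEFAULT YES. The sample listing is constructed in the layout quoted above; the column widths, the second ring's contents and the "FTP client cert" label are assumptions.

```python
import re


def _line(label, owner, usage, default):
    # Helper that lays out one constructed listing line in fixed columns.
    return f"  {label:<32}   {owner:<12}   {usage:<8}   {default}"


_TABLE_HEAD = [
    _line("Certificate Label Name", "Cert Owner", "USAGE", "DEFAULT"),
    _line("-" * 32, "-" * 12, "-" * 8, "-" * 7),
]

# Constructed sample, not captured output.
SAMPLE_LISTRING = "\n".join(
    ["Digital ring information for user IBMUSER:", "", "  Ring:", "       FtpSecur"]
    + _TABLE_HEAD
    + [_line("GeoTrust Global CA", "CERTAUTH", "CERTAUTH", "  NO"),
       _line("Go Daddy Class 2", "CERTAUTH", "CERTAUTH", "  YES"),
       "", "  Ring:", "       IBMRing"]
    + _TABLE_HEAD
    + [_line("Go Daddy Class 2", "CERTAUTH", "CERTAUTH", "  NO"),
       _line("FTP client cert", "ID(IBMUSER)", "PERSONAL", "  YES"),
       ""]
)

# A ruler is four runs of dashes separated by blanks.
RULER = re.compile(r"^\s*-+(\s+-+){3}\s*$")


def parse_listring(text):
    """Return one dict per connected certificate: ring, label, owner, usage, default."""
    entries, ring, starts, want_ring = [], None, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Ring:":
            want_ring, starts = True, None
        elif want_ring and stripped:
            ring, want_ring = stripped.strip("><"), False
        elif RULER.match(line):
            # Labels contain spaces, so column boundaries are taken from the ruler.
            starts = [m.start() for m in re.finditer(r"-+", line)]
        elif not stripped:
            starts = None  # a blank line ends the current table
        elif starts:
            bounds = zip(starts, starts[1:] + [None])
            label, owner, usage, default = (line[a:b].strip() for a, b in bounds)
            entries.append({"ring": ring, "label": label, "owner": owner,
                            "usage": usage, "default": default})
    return entries


def audit_defaults(entries):
    """Flag CERTAUTH-usage entries marked DEFAULT YES, following the advice in the thread."""
    return [
        f"{e['ring']}: '{e['label']}' is a CERTAUTH entry with DEFAULT YES; should be DEFAULT NO"
        for e in entries
        if e["usage"] == "CERTAUTH" and e["default"] == "YES"
    ]


if __name__ == "__main__":
    for finding in audit_defaults(parse_listring(SAMPLE_LISTRING)):
        print(finding)
```
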


Re: z/OS PKI Services HostIDMapping format

2014-05-06 Thread Donald J.
APAR PI17244 was created yesterday for the problem with FTP server
processing of hostIdMapping certificates (when not using AT-TLS).

FTP server (z/OS 1.13) works fine when using AT-TLS.

CICS Web Services works fine with hostIdMapping certificates.

RDz works ok with hostIdMapping certificates if the mapping is the 
1st entry in the set of hostIdMappings.   A problem ticket is currently 
open on that issue.


On Fri, Mar 14, 2014, at 06:30 AM, Phil Sidler wrote:
 On Wed, 12 Mar 2014 10:55:35 -0700, Donald J. wrote:
 
 It works when the certificate is associated to a userid.
 
 All I can think of then is that RACF isn't finding the matching hostname
 in a hostIdMapping.  There doesn't seem to be doc on the specifics of
 this: upper/lower case, fully qualified or not, CNAMES or only ANAMES,
 etc.  But you got this working with CICS, so presumably you've got it
 covered.  Has IBM asked you for a RACF callable services trace? 
 
 



Re: z/OS PKI Services HostIDMapping format

2014-03-19 Thread Donald J.
I have a ticket open with the RDz client issues.  IBM hasn't provided a
resolution yet.  They have been 
questioning the validity of my certificates, but now that they work on
CICS Web Services that issue should
not be questioned.
 
 
 All I can think of then is that RACF isn't finding the matching hostname
 in a hostIdMapping.  There doesn't seem to be doc on the specifics of
 this: upper/lower case, fully qualified or not, CNAMES or only ANAMES,
 etc.  But you got this working with CICS, so presumably you've got it
 covered.  Has IBM asked you for a RACF callable services trace? 

I still haven't gotten FTP server to work with HostIDMapping.  I have
another issue with certificates and FTP Server
that I opened a ticket with IBM on, so I tacked on a 2nd issue of
HostIdMapping not working to see what they say.
My FTP tests are with a test server (different RACF system than
production CICS web services), so there is a 
possibility of some RACF items missing.   But I will try to test this
weekend with the FTP server on the same RACF
system as the CICS web services.  

FU0972 tlsLevel: entered
GU4236 checkSpec: entered with 2F (0,3) 
FU1026 tlsLevel: using TLSV1 with SSL_AES_128_SHA (2F)  
FR1318 getUserid: entered   
FU1092 find_cert: entered for 19 elements   
FR1401 getUserid: cert query failed- safrc=8, rc=8, rsn=40

 But did you complete the other setup steps to enable the use of
 HostIDMapping? See, for example, item 2 at
 http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichzd1c0/2.12.4?SHELF=all13be9.bksDT=20110608113637
 or http://preview.tinyurl.com/n63tfyf for details on the required
 SERVAUTH authority that CICS would need to make use of a HostIDMapping
 extension.
 
 (HostIDMapping, just like basic usage of Certificate Name Filtering,
 should be transparent to the application once all setup steps are
 completed.)
 
 -- 
 Walt



Re: z/OS PKI Services HostIDMapping format

2014-03-13 Thread Donald J.
CLASS      NAME
-----      ----
SERVAUTH   IRR.HOST.MVS3.domain.removed

USER       ACCESS   ACCESS COUNT
----       ------   ------ -----
RDZRSED    READ     00
FTPSERV2   READ     00


  But I could
 not get HostIDMapping to work with FTP Server.  You would think the RACF
 interface would be the same for all applications.
 
 RACF provides many interfaces, and the application chooses which one to
 use. Then the results may vary depending on other setup factors. In this
 case, even if the FTP server is using interfaces that support
 HostIDMapping, the server would need access to the appropriate SERVAUTH
 profile as I mentioned previously. Have you listed that profile to make
 sure the server user ID has access?
 
 -- 
 Walt
 


Re: z/OS PKI Services HostIDMapping format

2014-03-12 Thread Donald J.
With a couple of tips from Phil's vbscript I was able to get the
HostIDMappings to work.  I was leaving the implicit tags off the
IA5 strings.  As Phil indicated, it does work with CICS Web Services
even though no mention of that anywhere.  But I could
not get HostIDMapping to work with FTP Server.  You would think the RACF
interface would be the same for all applications.
The GSK trace doesn't provide sufficient detail to see why.  I will try
running a RACF trace.

With RDz client, there is never any session request sent to the server,
so the server setup is not an issue yet.  I did do an
openssl s_client connection to RDz RSED and it is obvious the host end
is not going to do mutual authentication, as it is
not requesting a client certificate.  Anyone know any parameters for a
z/OS java app to turn on mutual authentication?
Maybe something like -Dcom.ibm.ssl.clientAuthentication=true?  I have a
ticket open with IBM, but no response in almost a week.

-- 
  Donald J.
  dona...@4email.net

On Tue, Mar 11, 2014, at 02:04 PM, Walt Farrell wrote:
 On Tue, 11 Mar 2014 05:54:24 -0700, Donald J. dona...@4email.net wrote:
 
 I am currently using openssl to create certificates for use with CICS
 Web Services that work fine.  I haven't read anywhere that
 CICS Web Services supports authentication using HostIDMapping.   I
 associate the certificate with a userid using command:
 RACDCERT ID(USERID1) ADD('USERID1.CERT1.PEM') WITHLABEL('USERID1test')
 ICSF(*) TRUST
 If I try to use a certificate with a HostIDMapping extension and no
 certificate associated with the userid I get error message:
 CWXN A client certificate that maps to a valid userid is required.
 
 But did you complete the other setup steps to enable the use of
 HostIDMapping? See, for example, item 2 at
 http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichzd1c0/2.12.4?SHELF=all13be9.bksDT=20110608113637
 or http://preview.tinyurl.com/n63tfyf for details on the required
 SERVAUTH authority that CICS would need to make use of a HostIDMapping
 extension.
 
 (HostIDMapping, just like basic usage of Certificate Name Filtering,
 should be transparent to the application once all setup steps are
 completed.)
 
 -- 
 Walt
 


Re: z/OS PKI Services HostIDMapping format

2014-03-12 Thread Donald J.
SECURE_LOGIN REQUIRED  
SECURE_PASSWORD  OPTIONAL  
SECURE_CTRLCONN  PRIVATE 
SECURE_DATACONN  PRIVATE 
SECURE_FTP   REQUIRED 

It works when the certificate is associated to a userid.

-- 
  Donald J.
  dona...@4email.net

On Wed, Mar 12, 2014, at 10:53 AM, Phil Sidler wrote:
 On Wed, 12 Mar 2014 10:18:04 -0700, Donald J. dona...@4email.net wrote:
 
 even though no mention of that anywhere.  But I could
 not get HostIDMapping to work with FTP Server.  You would think the RACF
 interface would be the same for all applications.
 
 What setting do you have for SECURE_LOGIN on the ftp server?
 


Re: z/OS PKI Services HostIDMapping format

2014-03-11 Thread Donald J.
I am currently using openssl to create certificates for use with CICS
Web Services that work fine.  I haven't read anywhere that 
CICS Web Services supports authentication using HostIDMapping.   I
associate the certificate with a userid using command:
RACDCERT ID(USERID1) ADD('USERID1.CERT1.PEM') WITHLABEL('USERID1test')
ICSF(*) TRUST
If I try to use a certificate with a HostIDMapping extension and no
certificate associated with the userid I get error message:
CWXN A client certificate that maps to a valid userid is required.

Did you also associate your certificate with your userid?  If so, then
the HostIDMapping extension was not needed or used.

On Mon, Mar 10, 2014, at 02:38 PM, Phil Sidler wrote:
 On Mon, 10 Mar 2014 13:49:38 -0700, Donald J. dona...@4email.net wrote:
 
 Yes, the script helps to identify some things.  What application was it
 working with?
 
 IIRC, this was in combination with windows certreq to build  send a cert
 request to a windows active directory server to be signed and then the
 signed cert was used for CICS web services over SSL (from a windows
 client or IE). 
 



Re: z/OS PKI Services HostIDMapping format

2014-03-11 Thread Donald J.
I now have an openssl config which produces the same hex code as your
vbscript for
lengths less than 128.  For length above 128 openssl produces a
different length code
for the SET (x'31') which is x'318184'.  Your script produces
x'31820184'.  I will do some
testing with CICS Web Services and FTP server.
 
 Ensure the CA that signed the openssl certificate is on CICS's keyring
 and set for HIGHTRUST.  
 Looks like you have to set up a profile in the SERVAUTH class as well.
 And of course, the hostName in the hostIdMapping has to match.
 
I don't think this problem is on the host end as the RDz client will
never attempt a session.
(Wireshark trace is empty) it doesn't like the format of the
certificate.

My openssl config segment for HostIdMappings looks something like this:

1.3.18.0.2.18.1 = ASN1:SET:user_set
#
[user_set]
HostIdMappings1.1   = SEQUENCE:HostIdMapping1
HostIdMappings1.2   = SEQUENCE:HostIdMapping2
#
[HostIdMapping1]
hostName1   = IMPLICIT:1,IA5STRING:MVS3.DOMAIN.NAME
subjectId1= IMPLICIT:2,IA5STRING:USER448
#
[HostIdMapping2]
hostName2   = IMPLICIT:1,IA5STRING:MVS2.DOMAIN.NAME
subjectId2= IMPLICIT:2,IA5STRING:USER448


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
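
The layout in the openssl config above, as an added example that is not part of the original post: a DER encoder and strict parser for a SET of SEQUENCE { [1] IMPLICIT IA5String, [2] IMPLICIT IA5String }. It shows what the x'81' and x'82' long-form length headers declare and rejects strings that lack the implicit tags. MVSn.DOMAIN.NAME and USER448 are the config's placeholders; the MVSn.LAB.DOMAIN.NAME hosts are constructed.

```python
SET, SEQUENCE, IA5STRING = 0x31, 0x30, 0x16
HOSTNAME_TAG = 0x81    # [1] IMPLICIT IA5String: context class, primitive, number 1
SUBJECTID_TAG = 0x82   # [2] IMPLICIT IA5String: context class, primitive, number 2


def encode_length(n):
    """DER definite length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + encode_length(len(content)) + content


def build_host_id_mappings(pairs, host_tag=HOSTNAME_TAG, subj_tag=SUBJECTID_TAG):
    """Encode (hostName, subjectId) pairs as SET OF SEQUENCE { [1], [2] }."""
    seqs = [tlv(SEQUENCE, tlv(host_tag, host.encode("ascii")) +
                tlv(subj_tag, subj.encode("ascii")))
            for host, subj in pairs]
    # DER orders the members of a SET OF by their encoded bytes.
    return tlv(SET, b"".join(sorted(seqs)))


def read_length(buf, off):
    """Decode the DER length at buf[off]; return (length, offset of the content)."""
    if off >= len(buf):
        raise ValueError("truncated length")
    first = buf[off]
    off += 1
    if first < 0x80:
        return first, off
    count = first & 0x7F
    if count == 0 or off + count > len(buf):
        raise ValueError("indefinite or truncated length")
    length = int.from_bytes(buf[off:off + count], "big")
    if length < 0x80 or buf[off] == 0:
        raise ValueError("non-minimal DER length")
    return length, off + count


def read_tlv(buf, off):
    """Return (tag, content, offset of the next element)."""
    if off >= len(buf):
        raise ValueError("truncated element")
    tag = buf[off]
    length, start = read_length(buf, off + 1)
    if start + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[start:start + length], start + length


def parse_host_id_mappings(der):
    """Return [(hostName, subjectId), ...]; raise ValueError on any other layout."""
    tag, body, end = read_tlv(der, 0)
    if tag != SET or end != len(der):
        raise ValueError("expected exactly one SET")
    mappings, off = [], 0
    while off < len(body):
        tag, seq, off = read_tlv(body, off)
        if tag != SEQUENCE:
            raise ValueError(f"expected SEQUENCE, got tag 0x{tag:02X}")
        t1, host, pos = read_tlv(seq, 0)
        t2, subj, pos = read_tlv(seq, pos)
        if (t1, t2) != (HOSTNAME_TAG, SUBJECTID_TAG):
            raise ValueError(
                f"strings must carry tags [1] and [2], got 0x{t1:02X} and 0x{t2:02X}")
        mappings.append((host.decode("ascii"), subj.decode("ascii")))
    return mappings


if __name__ == "__main__":
    small = build_host_id_mappings([("MVS3.DOMAIN.NAME", "USER448"),
                                    ("MVS2.DOMAIN.NAME", "USER448")])
    print(small.hex().upper())
    print(parse_host_id_mappings(small))

    # Four constructed mappings give 132 content bytes, so the SET needs a long-form length.
    big = build_host_id_mappings(
        [(f"MVS{i}.LAB.DOMAIN.NAME", "USER448") for i in range(1, 5)])
    print(big[:3].hex(), "declares", read_length(big, 1)[0], "content bytes")
    print("31820184 declares", read_length(bytes.fromhex("31820184"), 1)[0], "content bytes")

    # Universal IA5String (x'16') in place of the implicit tags is rejected.
    untagged = build_host_id_mappings([("MVS3.DOMAIN.NAME", "USER448")],
                                      IA5STRING, IA5STRING)
    try:
        parse_host_id_mappings(untagged)
    except ValueError as err:
        print("rejected:", err)
```
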


z/OS PKI Services HostIDMapping format

2014-03-10 Thread Donald J.
Could someone who is using z/OS PKI Services for z/OS post a sample
certificate containing an arbitrary extension for HostIdMapping, or an
openssl asn1parse display like below?   I am trying to use openssl to
generate the HostIdMapping extension, but am having problems with the
format.  Below is the openssl display for my certificate HostIdMapping
{1.3.18.0.2.18.1} extension:

openssl asn1parse -in luhe448.pem

  691:d=4  hl=3 l= 132 cons: SEQUENCE
  694:d=5  hl=2 l=   6 prim: OBJECT:1.3.18.0.2.18.1
  702:d=5  hl=2 l= 122 prim: OCTET STRING  [HEX DUMP]:30780C1C4C554845343438404D5653332E4350412E53544154452E54582E55530C1C4C554845343438406D7673332E6370612E73746174652E74782E75730C1C6C756865343438404D5653332E4350412E53544154452E54582E55530C1C6C756865343438406D7673332E6370612E73746174652E74782E7573

-- 
  Donald J.
  dona...@4email.net


Re: z/OS PKI Services HostIDMapping format

2014-03-10 Thread Donald J.
Yes, the script helps to identify some things.  What application was it
working with?
I am trying to generate a cert for an RDz client.  The RDz client
appears to try to be
intelligent and not allow bad parameters to be entered like a wrong
passphrase for a PKCS12.
It seems to reject all the certs I have tried.  I'm thinking maybe there
is a bug in the client.

-- 
  Donald J.
  dona...@4email.net

On Mon, Mar 10, 2014, at 11:57 AM, Phil Sidler wrote:
 On Mon, 10 Mar 2014 08:59:55 -0700, Donald J. dona...@4email.net wrote:
 
 Could someone who is using z/OS PKI Services for z/OS post a sample
 certificate containing an arbitrary extension for HostIdMapping, or an
 
 Would some VBscript help?  Did this a loong time ago and I'm not sure
 it's totally clean, but I did use it.
 
   


Re: Is it possible to open PCOMM session up to 50?

2013-07-17 Thread Donald J.
From each of the 25 PCOMM telnet sessions, you could logon TSO and
enter TSO TELNET MVSxyz to create another 25 sessions.

-- 
  Donald J.
  dona...@4email.net

On Wed, Jul 17, 2013, at 02:26 AM, Alex Wang wrote:
 Hey, there.
 
 I'm curious about is it possible to open about 50 PCOMM sessions on one
 PC?
 
 Because I just want to test how many TSO user IDs which could logon the
 system at the same time. 
 So I started PCOMM sessions and logon them using different TSO user ID
 one by one. The maximum number of sessions is 25. Because the PCOMM told
 me 'no more sessions could be started' until I have had 25. 
 
 Is there any one who did such test before? It seems we couldn't start as
 many sessions as we want on one PC. :-)
 
 Note:
 1. This is the default definition in our SYS1.PARMLIB(IEASYSXX)
 MAXUSER=500 
 But one of the SP told me the system is running as a z/VM guest machine
 ID and the allocated resources is limited. So she afraid that it could
 not afford 50+ people on the system at the same time. 
 2. I'm using PCOMM Version 5.7 for windows and the OS i'm using is Win7. 

Re: SSH Performance

2013-07-11 Thread Donald J.
Mine from a SuSE linux to z/OS 1.13:

real    0m1.224s
user    0m0.008s
sys     0m0.008s

-- 
  Donald J.
  dona...@4email.net


 
   From Solaris to MVS:
 
  133$ time ssh user@MVS date
  Mon Jul  8 07:43:06 MDT 2013
 
  real    0m15.10s
  user    0m0.07s
  sys     0m0.01s
 
   From Solaris to another Solaris:
 
  134$ time ssh user@solaris date
  Monday, July  8, 2013 07:43:57 AM MDT
 
  real    0m0.61s
  user    0m0.15s
  sys     0m0.01s
 
  The MVS performance is awful (in the synchronic sense).
  Is there any way to tell where the overhead lies, or
  even whether ICSF is being used rather than ssh_rand_helper?
 
  How does this compare with other users' experience?
 
  (Once an interactive connection is established, response
  is quite good.)
 
  -- gil



Re: X11 forwarding

2013-06-26 Thread Donald J.
Check x11DisplayOffset value.   It should be set to something like 10 if
you want to forward directly via port 6010,
or set to 0 if you want to tunnel through your SSH port 22 connection.
My DISPLAY is set to 127.0.0.1:0 and my x11DisplayOffset is 0.

-- 
  Donald J.
  dona...@4email.net

On Wed, Jun 26, 2013, at 10:09 AM, Mark Pace wrote:
 I've had some to time to go back and make this work properly through X11
 forwarding.  I've followed the Ported Tools guide to setup X11
 forwarding,
 which included compiling the xauth program and changing some parameters in
 the sshd_config.  But when I connect via PuTTY with X11 forwarding turned
 on I receive these messages.  Each time I see it creating a new
 .Xauthority
 file, yet I never see that file being created.  Also I receive some
 errors
 about bad display names.  And lastly I receive errors trying to run the X
 application.  No amount of googling has had an answer to the bad display
 name, which I assume also has something to do with the errors running the
 app.  Anyone with experience with X11 on z/OS  have an idea what I am
 doing
 wrong?
 
 


Re: ZFS MountCall / Osi Wait

2013-06-17 Thread Donald J.
A writable zfs must be cleanly unmounted or there will be a 65 second
delay at IPL time for each one.
This can be avoided by mounting it on another system and then
immediately unmounting it.
See Share 2012 document zFS Diagnosis II: Problem Determination and
File System Monitoring.
-- 
  Donald J.
  dona...@4email.net

On Sun, Jun 16, 2013, at 07:19 PM, Munif Sadek wrote:
 Is there a way we can expedite our unix system services
 startup in a monoplex system..
 
 Best regards, Munif.
 

Re: X11 forwarding

2013-06-07 Thread Donald J.
You will also have to compile the xauth c program.
I don't think IBM supplies a binary for it.

-- 
  Donald J.
  dona...@4email.net

On Fri, Jun 7, 2013, at 06:07 AM, Mark Pace wrote:
 That was the problem.
 Some other issues with deprecated APIs.  Maybe if I look at the sample C
 code I can figure out what to change in the java code.
 
 
 On Fri, Jun 7, 2013 at 9:00 AM, Martin Packer
 martin_pac...@uk.ibm.comwrote:
 
  Open and close square bracket, I expect.
 
  Cheers, Martin
 
  Martin Packer,
  zChampion, Principal Systems Investigator,
  Worldwide Banking Center of Excellence, IBM
 
  +44-7802-245-584
 
  email: martin_pac...@uk.ibm.com
 
  Twitter / Facebook IDs: MartinPacker
  Blog:
  https://www.ibm.com/developerworks/mydeveloperworks/blogs/MartinPacker
 
 
 
  From:   Mark Pace pacemainl...@gmail.com
  To: IBM-MAIN@listserv.ua.edu,
  Date:   06/07/2013 01:49 PM
  Subject:Re: X11 forwarding
  Sent by:IBM Mainframe Discussion List IBM-MAIN@listserv.ua.edu
 
 
 
  Thank you!  But that main(Stringݨ     What are those characters?
 
 
  On Thu, Jun 6, 2013 at 11:02 PM, Donald J. dona...@4email.net wrote:
 
   Here is a java program EmptyFrame1.java you can easily compile:
  
  
   // file: EmptyFrame1.java
  
   import java.awt.event.*;
   import javax.swing.*;
  
   class EmptyFrame1 extends JFrame {
  
 // Constructor:
public EmptyFrame1() {
  setTitle("Donald's Empty Frame");
  setSize(300,200); // default size is 0,0
  setLocation(10,200); // default is 0,0 (top left corner)
  
  // Window Listeners
  addWindowListener(new WindowAdapter() {
  public void windowClosing(WindowEvent e) {
 System.exit(0);
  } //windowClosing
  } );
}
  
public static void main(Stringݨ args) {
  JFrame f = new EmptyFrame1();
  f.show();
} //main
   } //class EmptyFrame1
   --
 Donald J.
 dona...@4email.net
  
   On Thu, Jun 6, 2013, at 07:42 AM, Mark Pace wrote:
I want to test X11 forwarding using SSH in Unix System Services.  But
  I
can't find an executable X application like xclock.  I find some
  sample
programs, but not any executable code.  Is there some executable files
that
I am not finding?
   


Re: X11 forwarding

2013-06-07 Thread Donald J.
Commands like this will be needed when compiling xauth:

export _C89_PSYSLIB=SYS1.IBM.CEE.SCEEOBJ:SYS1.IBM.CEE.SCEECPP:SYS1.IBM.CBC.SCLBDLL
export _C89_LSYSLIB=SYS1.IBM.CEE.SCEELKEX:SYS1.IBM.CEE.SCEELKED:SYS1.IBM.CBC.SCCNOBJ:SYS1.CSSLIB
_C89_CCMODE=1 make   /home/sys/luhe338/xauth/output.log

-- 
  Donald J.
  dona...@4email.net

On Fri, Jun 7, 2013, at 06:17 AM, Donald J. wrote:
 You will also have to compile the xauth c program.
 I don't think IBM supplies a binary for it.
 
 -- 
   Donald J.
   dona...@4email.net
 
 On Fri, Jun 7, 2013, at 06:07 AM, Mark Pace wrote:
  That was the problem.
  Some other issues with deprecated APIs.  Maybe if I look at the sample C
  code I can figure out what to change in the java code.
  
  
  On Fri, Jun 7, 2013 at 9:00 AM, Martin Packer
  martin_pac...@uk.ibm.comwrote:
  
   Open and close square bracket, I expect.
  
   Cheers, Martin
  
   Martin Packer,
   zChampion, Principal Systems Investigator,
   Worldwide Banking Center of Excellence, IBM
  
   +44-7802-245-584
  
   email: martin_pac...@uk.ibm.com
  
   Twitter / Facebook IDs: MartinPacker
   Blog:
   https://www.ibm.com/developerworks/mydeveloperworks/blogs/MartinPacker
  
  
  
   From:   Mark Pace pacemainl...@gmail.com
   To: IBM-MAIN@listserv.ua.edu,
   Date:   06/07/2013 01:49 PM
   Subject:Re: X11 forwarding
   Sent by:IBM Mainframe Discussion List IBM-MAIN@listserv.ua.edu
  
  
  
   Thank you!  But that main(Stringݨ     What are those characters?
  
  
   On Thu, Jun 6, 2013 at 11:02 PM, Donald J. dona...@4email.net wrote:
  
Here is a java program EmptyFrame1.java you can easily compile:
   
   
// file: EmptyFrame1.java
   
import java.awt.event.*;
import javax.swing.*;
   
class EmptyFrame1 extends JFrame {
   
  // Constructor:
 public EmptyFrame1() {
   setTitle("Donald's Empty Frame");
   setSize(300,200); // default size is 0,0
   setLocation(10,200); // default is 0,0 (top left corner)
   
   // Window Listeners
   addWindowListener(new WindowAdapter() {
   public void windowClosing(WindowEvent e) {
  System.exit(0);
   } //windowClosing
   } );
 }
   
 public static void main(Stringݨ args) {
   JFrame f = new EmptyFrame1();
   f.show();
 } //main
} //class EmptyFrame1
--
  Donald J.
  dona...@4email.net
   
On Thu, Jun 6, 2013, at 07:42 AM, Mark Pace wrote:
 I want to test X11 forwarding using SSH in Unix System Services.  But
   I
 can't find an executable X application like xclock.  I find some
   sample
 programs, but not any executable code.  Is there some executable files
 that
 I am not finding?


Re: X11 forwarding

2013-06-06 Thread Donald J.
Here is a java program EmptyFrame1.java you can easily compile:


// file: EmptyFrame1.java

import java.awt.event.*;
import javax.swing.*;

class EmptyFrame1 extends JFrame {

  // Constructor:
  public EmptyFrame1() {
    setTitle("Donald's Empty Frame");
    setSize(300,200); // default size is 0,0
    setLocation(10,200); // default is 0,0 (top left corner)

    // Window Listeners
    addWindowListener(new WindowAdapter() {
      public void windowClosing(WindowEvent e) {
        System.exit(0);
      } //windowClosing
    } );
  }

  public static void main(Stringݨ args) {
    JFrame f = new EmptyFrame1();
    f.show();
  } //main
} //class EmptyFrame1
-- 
  Donald J.
  dona...@4email.net

On Thu, Jun 6, 2013, at 07:42 AM, Mark Pace wrote:
 I want to test X11 forwarding using SSH in Unix System Services.  But I
 can't find an executable X application like xclock.  I find some sample
 programs, but not any executable code.  Is there some executable files
 that
 I am not finding?
 