Re: Standalone DFDSS
The Visara is a CCA-3074. 3074 is FICON point-to-point connected.
Visara terminals are connected by TCPIP through a switch on a private network, and defined as "hot" consoles.
I don't think the SSL option was used since it is a simple private network.
The HMC 3270 option was attempted and also got no response.
We are preparing to build a new DR system environment.

> Sent: Monday, October 21, 2019 at 7:02 AM
> From: "Mazer Ken G" <01e8b07bfbbe-dmarc-requ...@listserv.ua.edu>
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Standalone DFDSS
>
> Don,
>
> Is your Visara connected via OSA-ICC? Does the console in question receive the OSA-ICC three line display?
> You didn't indicate the reason for running Standalone DFDSS, did you get a new processor or are you setting up a new DR environment.
>
> The reason I ask these questions is that we just replaced z13's with z14's and the OSA Express6s cards are a little different as they now have TLS 1.0 enabled.
> It could be that you need to update your certs on the Visara for the sessions to connect.
>
> Ken Mazer
> This Cranky Systems Programmer says “Share your knowledge, others may find it useful”
>
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Donald J
> Sent: Saturday, October 19, 2019 9:26 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Standalone DFDSS
>
> Thanks Jim & Brian
> We have Visara which seems to not be working.
> Ticket is open on it.
>
> > Sent: Saturday, October 19, 2019 at 1:08 AM
> > From: "Brian Westerman"
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: Standalone DFDSS
> >
> > Jim is correct, all it takes is for one of the consoles that is attached to the ICC, or which you have limited your DFDSS SA build to to press enter.
> > I have found that almost any key that generates "something" seems to work though, the function keys, pageup etc. The ones that just move the cursor around (i.e. home) don't generate what it's looking for.
> >
> > In short, enter works fine.
> >
> > Brian

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Standalone DFDSS
Thanks Jim & Brian
We have Visara which seems to not be working.
Ticket is open on it.

> Sent: Saturday, October 19, 2019 at 1:08 AM
> From: "Brian Westerman"
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Standalone DFDSS
>
> Jim is correct, all it takes is for one of the consoles that is attached to the ICC, or which you have limited your DFDSS SA build to to press enter.
> I have found that almost any key that generates "something" seems to work though, the function keys, pageup etc. The ones that just move the cursor around (i.e. home) don't generate what it's looking for.
>
> In short, enter works fine.
>
> Brian
Standalone DFDSS
Question is about generating an interrupt on a console for a standalone restore.
I read this previous post:
https://groups.google.com/forum/#!topic/bit.listserv.ibm-main/lX4ZGaoUH_s

So for a z13 would the interrupt needed be the one described in

zEnterprise System Support Element Operations Guide Version 2.11.1 SC28-6906-01
Chapter 11. CP Toolbox

Interrupt

An interrupt is a processor operation you can use to present an external interruption to a processor. If you have experience using other systems, you may have used an IRPT command or an Irpt key to interrupt a processor.
Follow your local procedures for determining when to interrupt a processor.
You can use the Support Element workplace to interrupt any eligible processor. Eligible processors include:
- Physical processors that support the image of a central processor complex (CPC).
- Logical processors that support the images of logical partitions activated in operating modes other than coupling facility mode.

To interrupt a processor:
1. Log onto the Support Element on the Hardware Management Console through Single Object Operations in operator, advanced operator, system programmer or service representative role (see “Establishing a Support Element console session from a Hardware Management Console” on page 3).
2. Locate the CPs you want to work with.
3. Locate and start the Interrupt task.
This immediately performs the operation; an interrupt request is generated for the processor.
Re: problem with FTP from Windows 10 to z/OS
> How does the V_PW (variable?) get set?

I have another VBscript that reads the password using a masked input window.
I use it for ServiceNow queries. A cookie is then created for ServiceNow which I can use after that.

> Sent: Wednesday, June 06, 2018 at 8:00 AM
> From: "Paul Gilmartin" <000433f07816-dmarc-requ...@listserv.ua.edu>
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: problem with FTP from Windows 10 to z/OS
>
> On Wed, 6 Jun 2018 13:50:22 +0200, Donald J wrote:
>
> >You could write a VBscript that creates your FTP script.
> >Store the password in a Win10 user or volatile environment variable.
> >The VBscript could run the FTP script, then delete the script file,
> >so there is no password kept on disk for more than the duration of
> >the ftp.
> >
> Why not pipe the script output to the FTP command and never have the
> password on disk?
>
> I suggested bash, which is available on a greater variety of desktop
> systems than VBscript.
>
> >I would also recommend using FTPS with Curl.
> >
> I suggested something similar, but the OP is in an ISV position and can't count
> on customers' having optional products.
>
> >Set the password:
> >set objShell = CreateObject( "WScript.Shell" )
> >Set objSystemEnv = objShell.Environment( "VOLATILE" )
> >objSystemEnv( "ZZPASS" )=V_PW
> >
> How does the V_PW (variable?) get set?
>
> >Retrieve the password:
> >set objShell = CreateObject( "WScript.Shell" )
> >Set objSystemEnv = objShell.Environment( "VOLATILE" )
> >V_PW = objSystemEnv( "ZZPASS" )
> >
> >> Sent: Monday, June 04, 2018 at 9:47 AM
> >> From: "Kevin Merkley"
> >>
> >> This is something we send out to customers so we have to expect they may
> >> not have anything available except their Windows FTP client to upload from
> >> Windows to z/OS.
>
> -- gil
Re: problem with FTP from Windows 10 to z/OS
You could write a VBscript that creates your FTP script.
Store the password in a Win10 user or volatile environment variable.
The VBscript could run the FTP script, then delete the script file, so there is no password kept on disk for more than the duration of the ftp.

I would also recommend using FTPS with Curl.

Set the password:
set objShell = CreateObject( "WScript.Shell" )
Set objSystemEnv = objShell.Environment( "VOLATILE" )
objSystemEnv( "ZZPASS" )=V_PW

Retrieve the password:
set objShell = CreateObject( "WScript.Shell" )
Set objSystemEnv = objShell.Environment( "VOLATILE" )
V_PW = objSystemEnv( "ZZPASS" )

> Sent: Monday, June 04, 2018 at 9:47 AM
> From: "Kevin Merkley"
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: problem with FTP from Windows 10 to z/OS
>
> Thanks for the responses.
> I did receive an explanation that OPTS UTF8 ON is not the problem. The Windows 10 FTP client uses a different function to read the password and always reads it from stdin.
> This is something we send out to customers so we have to expect they may not have anything available except their Windows FTP client to upload from Windows to z/OS.
> We will have to take a different approach.
> Thanks again!
Re: The IRS Really Needs Some New Computers
>Though the IRS has periodically upgraded its computing system,
>today’s system is still running the same code, which was written
>nearly 60 years ago.

Six years ago, they had job openings listed for 200 assembler programmers spread across a dozen cities.
Guess maybe those people haven't installed a line of their code yet.

> Sent: Tuesday, April 17, 2018 at 9:57 PM
> From: "Joel C. Ewing"
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: The IRS Really Needs Some New Computers
>
> I read the referenced article. The title was obviously written by
> someone who isn't sufficiently computer-literate to understand that a
> computer is hardware and that application code is NOT a computer.
>
> The text of the article flat out says the IRS has repeatedly updated
> hardware over the years. The reported problem is that it's still
> dependent on some code, written in assembler, that may be 60 years old
> and difficult to maintain. That's an entirely different problem than
> the title implies.
> Joel C Ewing
>
> On 04/17/2018 01:14 PM, Gerhard Adam wrote:
> > Nonsense, the IRS is running Z/13's , etc.
> >
> > Sent from my iPhone
> >
> >> On Apr 17, 2018, at 11:09 AM, Allan Staller wrote:
> >>
> >> The IRS has been trying to upgrade both hardware and software for at least 30 years I am aware of.
> >> It keeps getting shot down by Congress in the appropriations process.
> >>
> >> The opposite of PROGRESS is CON..
> >>
> >> -Original Message-
> >> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
> >> Sent: Tuesday, April 17, 2018 12:34 PM
> >> To: IBM-MAIN@LISTSERV.UA.EDU
> >> Subject: The IRS Really Needs Some New Computers
> >>
> >> Mostly historical:
> >>
> >> https://apac01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.bloomberg.com%2Fview%2Farticles%2F2018-04-17%2Fthe-irs-computer-system-is-the-oldest-in-the-government=02%7C01%7Callan.staller%40HCL.COM%7C792c5b7241dd415a210308d5a48970ff%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C636595832636753536=P6KLIEcmkgNFa4lZeymrTbaQ4XCmyBNo13loxSL1%2F9k%3D=0
> >>
> >> -- gil
> >>
> >> ...
>
> --
> Joel C. Ewing,Bentonville, AR jcew...@acm.org
Re: Sungard question - floor z/OS supports UNIX environment?
When the disaster hits, you may not be one of the survivors. So the plan needs to be prepared and ready in advance such that any admin could execute it.

For us, Sungard labels the floor volumes as SG.
A VM guest definition should be provided to you in advance with dasd definitions such as:

*
* 3390-27
*
LINK DASD 5800 5800 MW
LINK DASD 5801 5801 MW
LINK DASD 5802 5802 MW

You should be able to use that as input to a script to generate the JCL.

A preliminary step for us is to always issue vary online commands on the floor system to verify that they really gave us all the devices they were supposed to.
Sometimes they miss a few which fouls up the DBS restore job.

> . I have a UNIX program which would make selecting the DASD volsers onto which to
> restore easier to find. And I could then use "awk", or maybe REXX, to
> generate the ADRDSSU job JCL from this list.
>
> --
> We all have skeletons in our closet.
> Mine are so old, they have osteoporosis.
>
> Maranatha! <><
> John McKown
Re: What cryptographic algorithm is not supported?
I notice your cert display did not list a "Key Usage" section.

X509v3 Key Usage: critical
    Digital Signature, Key Encipherment, Data Encipherment

Digital Signature and Data Encipherment are defaults, but Key Encipherment does not default and needs to be specified in Key Usage.

X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    Netscape Comment:
        OpenSSL Generated Certificate
    82:7D:1F:EF:53:DB:3D:E1:14:62:03:49:34:16:A2:92:D9:46:51:1E

> Sent: Tuesday, November 07, 2017 at 10:40 AM
> From: "Charles Mills"
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: What cryptographic algorithm is not supported?
>
> That could be another thread "most useless diagnostic ever."
>
> Right, that is the API call (apparently) that failed, but I don't think one knows that just from the error message. As I said, I got the same error message for presenting a certificate with a SHA-1 digest (I think).
> Presumably a different CMS API call but the same external message. Different action for the user.
>
> I display certificates all the time. My script that issues OpenSSL certificates displays them at the end.
>
> Charles
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Kirk Wolf
> Sent: Tuesday, November 7, 2017 8:07 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: What cryptographic algorithm is not supported?
>
> It's not the worst diagnostic situation that I have seen on z/OS ( that award would go to the C-library OS I/O stuff IMO).
>
> In this case, the external API that failed is gsk_decode_import_key(), and if you look it up the error that you are getting is documented:
> https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.gska100/msg34.htm
>
> The algorithm codes can be found in /usr/include gskcms.h
> x509_alg_pbeWithSha1And40BitRc2Cbc = 36, /* 1.2.840.113549.1.12.1.6 */
>
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com
>
> PS> If you want some "fun", take your X.509 cert and load it into a ASN.1 tool that displays the whole ugly thing
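The check made by eye in the reply above, written out as an added example (not code from the thread): it reads the text printed by `openssl x509 -noout -text`, extracts the X509v3 extensions, and reports whether Key Usage is present, whether it is marked critical, and which of the three usages named in the reply are missing. The certificate dumps are constructed samples, and the function names and the required set are assumptions.

```python
"""Check the Key Usage extension in `openssl x509 -noout -text` output."""

# Usages named in the reply above, treated here as the required set (assumption).
REQUIRED = ("Digital Signature", "Key Encipherment", "Data Encipherment")

# Constructed sample: extensions of a certificate WITHOUT a Key Usage section.
DUMP_NO_KU = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Comment:
                OpenSSL Generated Certificate
    Signature Algorithm: sha256WithRSAEncryption
"""

# Constructed sample: the same profile WITH a critical Key Usage section.
DUMP_WITH_KU = DUMP_NO_KU.replace(
    "            X509v3 Extended Key Usage:",
    "            X509v3 Key Usage: critical\n"
    "                Digital Signature, Key Encipherment, Data Encipherment\n"
    "            X509v3 Extended Key Usage:",
)


def _indent(line):
    """Number of leading whitespace characters."""
    return len(line) - len(line.lstrip())


def parse_extensions(dump):
    """Return {extension name: (critical, [values])} from the text dump."""
    lines = dump.splitlines()
    start = next((i for i, l in enumerate(lines)
                  if l.strip() == "X509v3 extensions:"), None)
    if start is None:
        return {}
    base = _indent(lines[start])
    name_indent = None          # indentation of extension-name lines
    current = None
    exts = {}
    for line in lines[start + 1:]:
        if not line.strip():
            continue
        ind = _indent(line)
        if ind <= base:         # left the extensions section
            break
        if name_indent is None:
            name_indent = ind
        if ind == name_indent:  # "Name: [critical]"
            name, _, flag = line.strip().partition(":")
            current = name.strip()
            exts[current] = (flag.strip() == "critical", [])
        elif current is not None:   # value line under the current extension
            exts[current][1].extend(
                v.strip() for v in line.split(",") if v.strip())
    return exts


def check_key_usage(dump, required=REQUIRED):
    """Report presence, criticality and missing usages of Key Usage."""
    ku = parse_extensions(dump).get("X509v3 Key Usage")
    if ku is None:
        return {"present": False, "critical": False, "missing": list(required)}
    critical, usages = ku
    return {"present": True, "critical": critical,
            "missing": [u for u in required if u not in usages]}


if __name__ == "__main__":
    for label, dump in (("no Key Usage", DUMP_NO_KU), ("with Key Usage", DUMP_WITH_KU)):
        print(label, check_key_usage(dump))
```
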
Re: zAware?
We are continuing to use the zAware LPAR and its data, but not much with the zAware app.
I download the zAware data to my laptop, manipulate and filter it with scripts, and output it to an updated web page every 10 minutes.

Sent: Friday, September 08, 2017 at 2:44 AM
From: "Styles, Andy (ITS zPlatform Services)" <00d68f765d25-dmarc-requ...@listserv.ua.edu>
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: zAware?

Classification: Public

Morning folks,

We've got a zAware partition running, but we've done almost nothing with since it was set up a couple of years back, so we're thinking of dropping it.
Does anyone actively use zAware?

Thanks,
Andy Styles
z/Series Systems Programmer
Re: Looking for mainframe shops Lexington/Cincinnati
>I have also heard that there is an old system at University of Kentucky
>Medical Center

I had a phone interview with them about 6 years ago. They were making all their IT employees "re-apply" for their current positions and compete with outsiders for their positions.
I have never heard of that type of process being done anywhere else.

Sent: Thursday, August 31, 2017 at 7:57 AM
From: "Bill Bishop (TMNA)"
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Looking for mainframe shops Lexington/Cincinnati

Joel;

Lexington is going to be very tough. The only zOS shops in the area are the State of Kentucky in Frankfort, Toyota in Georgetown, Ashland Oil and Lexmark, both in Lexington itself. I have also heard that there is an old system at University of Kentucky Medical Center.
Toyota is supported out of Plano, Texas now. Lexmark is all outsourced to IBM.
There are several sites in Louisville. Besides those mentioned already, there is Kentucky Farm Bureau and Yum Brands that I know of. There may be more.
Pickings are slim in Lexington. That is why I took the move from Georgetown to Plano. I was not ready to retire yet.

Thanks

Bill Bishop
Consultant, Mainframe Engineer
Mainframe and Scheduling | Infrastructure Technology Services
Toyota Motor North America
bill.bis...@toyota.com
Office: (469) 292-5149
Cell: (502) 316-4386

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Joel M Ivey
Sent: Wednesday, August 30, 2017 10:09 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Looking for mainframe shops Lexington/Cincinnati

Thank you to all. Several good leads for me. I appreciate it.
I'm looking hard at the Fort Knox opp, but also hoping to find something there in the Lexington area.
Re: Looking for mainframe shops Lexington/Cincinnati
Toyota used to be in Georgetown KY.
WPAFB used to hire a lot of mainframe contractors.
There are also a couple of insurance companies in Cincinnati.
Cincinnati bell possibly.
State of KY might have a mainframe in Frankfort.
There is a federal site in Fort Knox with mainframes, might be Army.

Sent: Saturday, August 26, 2017 at 9:59 PM
From: "Joel M Ivey"
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Looking for mainframe shops Lexington/Cincinnati

Would appreciate info on zos shops in Lexington KY and Cincinnati OH, for possible relo.
What mainframe shops are there???

Thanks,
Joel
Columbia SC
Re: SYSLOG/OPERLOG Keyword Search
Splunk looks very interesting. Too bad they don't support z/Linux.

--
Donald J.
dona...@4email.net

On Fri, Feb 10, 2017, at 06:44 AM, Pew, Curtis G wrote:
> On Feb 10, 2017, at 8:30 AM, Donald J. <dona...@4email.net> wrote:
> >
> > What programs (free or IBM or other) are available for doing historical keyword
> > searches against the SYSLOG or OPERLOG archives? ISPF or otherwise.
>
> I don’t think this is exactly what you’re asking for, but we forward our OPERLOG to Splunk and then we can do all kinds of searches and reports.
>
> --
> Pew, Curtis G
> curtis@austin.utexas.edu
> ITS Systems/Core/Administrative Services
Re: SYSLOG/OPERLOG Keyword Search
Another team member installed an ISPF product written at one of his former places of employment. We were investigating other products.
The ISPF panel allows entering starting/end date and time, along with up to 3 keyword strings with AND or OR operatives. The console log lines with those keywords are then returned.

--
Donald J.
dona...@4email.net

On Fri, Feb 10, 2017, at 06:36 AM, Lizette Koehler wrote:
> So you can use (depending on level of z/OS) the SDSF REXX function.
> REXX
> DFSORT
> SAS
> CA EASYTRIEVE
> CA EARL
> SYNSORT
>
> And so on. If you have the SYSLOG copied off to a physical file, it is easily read
>
> If you are asking about REAL TIME Processing, then you would need to look at extracting data (ISFBATCH, or OPERLOG Function) then using one or more of the above tools. You will be scanning a line for a string.
>
> It will really depend on your requirements. REAL TIME or after the fact.
>
> What problem are you trying to solve?
>
> Lizette
>
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Donald J.
> > Sent: Friday, February 10, 2017 7:31 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: SYSLOG/OPERLOG Keyword Search
> >
> > What programs (free or IBM or other) are available for doing historical keyword searches against the SYSLOG or OPERLOG archives? ISPF or otherwise.
> >
> > --
> > Donald J.
> > dona...@4email.net
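The search the panel above performs, written out as an added example (not the ISPF product mentioned in this post): a start and end date/time plus one to three keyword strings combined with AND or OR, returning the matching console log lines. The log lines are constructed and use a simplified layout (system, Julian date yyddd, time, job id, text) that is an assumption; real SYSLOG records carry more fields and multi-line messages, which this does not handle.

```python
"""Keyword search over archived console log lines inside a time window."""
import re
from datetime import datetime

# Assumed, simplified record layout (not the full SYSLOG record format):
#   system  yyddd  hh:mm:ss.th  jobid  message text
RECORD = re.compile(
    r"^(\S+)\s+(\d{5})\s+(\d\d:\d\d:\d\d\.\d\d)\s+(\S+)\s+(.*)$")

# Constructed sample lines (day 041 of 2017 is 10 Feb, day 042 is 11 Feb).
SAMPLE_LOG = [
    "SYS1 17041 06:40:02.11 JOB04211 IEF403I PAYROLL1 - STARTED",
    "SYS1 17041 06:44:12.34 STC01234 ICH408I USER(USER142) INSUFFICIENT ACCESS AUTHORITY",
    "SYS1 17041 07:15:45.02 JOB04211 IEF404I PAYROLL1 - ENDED",
    "SYS2 17042 01:02:03.04 STC00077 ICH408I USER(BATCH01) INSUFFICIENT ACCESS AUTHORITY",
    "this line is not a log record",
]


def parse_record(line):
    """Return (timestamp, system, jobid, text), or None if the line does not parse."""
    m = RECORD.match(line)
    if not m:
        return None
    system, day, clock, jobid, text = m.groups()
    try:
        # %y%j = two-digit year followed by day of year (Julian date)
        stamp = datetime.strptime(f"{day} {clock}", "%y%j %H:%M:%S.%f")
    except ValueError:
        return None
    return stamp, system, jobid, text


def search(lines, start, end, keywords, operator="AND"):
    """Return the lines stamped within [start, end] that contain the keywords.

    keywords: one to three strings, matched case-insensitively anywhere
    in the line; operator "AND" requires all of them, "OR" any of them.
    """
    if not 1 <= len(keywords) <= 3:
        raise ValueError("supply one to three keyword strings")
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    combine = all if operator == "AND" else any
    wanted = [k.upper() for k in keywords]
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue                      # skip anything that is not a record
        if not start <= rec[0] <= end:
            continue
        upper = line.upper()
        if combine(k in upper for k in wanted):
            hits.append(line)
    return hits


if __name__ == "__main__":
    window = (datetime(2017, 2, 10, 6, 0), datetime(2017, 2, 10, 7, 0))
    for hit in search(SAMPLE_LOG, *window, ["ICH408I", "USER142"], "AND"):
        print(hit)
```
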
SYSLOG/OPERLOG Keyword Search
What programs (free or IBM or other) are available for doing historical keyword searches against the SYSLOG or OPERLOG archives? ISPF or otherwise.

--
Donald J.
dona...@4email.net
Re: Mainframe printer connectivity
http://www.support.xerox.com/support/xpaf/support/enus.html

--
Donald J.
dona...@4email.net

On Wed, Jan 18, 2017, at 09:51 PM, venkat kulkarni wrote:
> Hello Group,
>
> Currently we are using mainframe printer with bus and tag connectivity with Xerox printer via prism hardware, which help us to convert FICON to bus and tag.
>
> But now, we would like to use tcpip connectivity for mainframe connectivity with Xerox printer.
>
> Can you please guide that how this new connectivity can be establish and do we need to buy any additional piece of hardware or software . I was reading about info print but didn't get much detail .
>
> Please suggest.
>
> Regards
> Venkat
Re: IBM Lays Out Plans to Hire 25,000 in U.S. Ahead of Trump Meeting
I tried to re-apply for an opening. Got to page 9 of the 10 page online form.
It said something about if former employee, fill out item X. Unfortunately item X was not on that page, and hitting NEXT button asked again to complete item X.

--
Donald J.
dona...@4email.net

On Tue, Dec 13, 2016, at 05:43 PM, Roger W Suhr wrote:
> Yeah, but what kinds of jobs? It doesn't matter, I won't go back to work for IBM, because ...
Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?
If you are connecting to z/os HTTP server, why not use curl client with https option.

# Curl Configuration File c:\u\curl\curl.https.conf
# Require TLS rather than SSL for the connection
--tlsv1
# No password given here, so curl prompts for it
--user user142
--url "https://mvs11.xyz.us/html/Index.html"
--output sy11.index.html
# CA bundle used to verify the server certificate
--cacert /u/data/cacerts.pem
-X POST
-H "content-type: text/html"
#--trace /u/curl/curlhttp.trace.log

--
Donald J.
dona...@4email.net

On Wed, Nov 30, 2016, at 08:16 AM, Dyck, Lionel B. (TRA) wrote:
> Thank you - I'll pass that along as an option - was told ftp/sftp was not an option but we'll see
>
> --
> Lionel B. Dyck (TRA Contractor)
> Mainframe Systems Programmer
> Enterprise Infrastructure Support (Station 200) (005OP6.3.10)
> VA OI Service Delivery & Engineering
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Vitullo, Carmen P
> Sent: Wednesday, November 30, 2016 10:12 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?
>
> I believe you can configure the Apache HTTP server on Z to allow a secure FTP protocol https://httpd.apache.org/mod_ftp/ftp/ftp_tls.html
>
> Carmen Vitullo
> Lead Systems Programmer
>
> Arkansas Blue Cross and Blue Shield
> IT Infrastructure Services
> 515 West Pershing Blvd.
> North Little Rock, Arkansas 72114
> Office: 501.210.4705
> Cell: 501.514.4266
> cpvitu...@arkbluecross.com
> arkansasbluecross.com
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Dyck, Lionel B. (TRA)
> Sent: Wednesday, November 30, 2016 10:02 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?
>
> Needs to be web based
>
> --
> Lionel B. Dyck (TRA Contractor)
> Mainframe Systems Programmer
> Enterprise Infrastructure Support (Station 200) (005OP6.3.10)
> VA OI Service Delivery & Engineering
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Lizette Koehler
> Sent: Wednesday, November 30, 2016 9:59 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?
>
> So FileZilla is perhaps an option?
>
> Lizette
>
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Dyck, Lionel B. (TRA)
> > Sent: Wednesday, November 30, 2016 8:48 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?
> >
> > I don't want to emulate DROPBOX - I want a place to upload and download files - bad choice of terms apparently.
> >
> > --
> > Lionel B. Dyck (TRA Contractor)
> > Mainframe Systems Programmer
> > Enterprise Infrastructure Support (Station 200) (005OP6.3.10)
> > VA OI Service Delivery & Engineering
> >
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Steve
> > Sent: Wednesday, November 30, 2016 9:40 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?
> >
> > One way would be to use ADRDSSU to dump the files, The TERSE the output then FTP in BINARY to your PC then put it into DROPBOX
> >
> > Steve Beaver
> > st...@stevebeaver.com
> >
> > -Original Message-
> > From: "Dyck, Lionel B. (TRA)" <lionel.d...@va.gov>
> > Sent: Wednesday, November 30, 2016 10:18am
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?
> >
> > Looking for a simple way a user can upload a file to z/OS in a secure way and also download a file securely. A web interface would be fine where the user has to logon. Would expect it to use https for security.
> >
> > thx
> >
> > --
> > Lionel B. Dyck (TRA Contractor)
> > Mainframe Systems Programmer
> > Enterprise Infrastructure Support (Station 200) (005OP6.3.10)
> > VA OI Service Delivery & Engineering
> >
> > -Original Message-
> > From: IBM Mainframe Dis
Re: Sftp implementation
psftp is an sftp client available with the putty download.

--
Donald J.
dona...@4email.net

On Fri, Nov 18, 2016, at 02:09 AM, venkat kulkarni wrote:
> Hello,
>
> We are doing sftp implementation but I am not able to find way to test this scenarios. For ftp, i can test using window cmd prompt and try transferring files from mainframe to local system.
>
> But how do I test this new sftp. Also wanted to check that if we have any constraint on sftp that only once files can be used for sftp not the z/os files.
>
> Please help
Re: LDAP on z/os
You have two issues to consider.
a) what ldap strings the client is "programmed" to be able to send.
   check your ITDS log file (or trace) on z/os to see what is being sent and make adjustments if needed
b) what ldap strings the Tivoli Directory Server will accept.
   Only a few filters are allowed for the RACF backend.
   The RACF backend schemas cannot be modified

But also read up on native authentication. That allows a non-RACF userid to utilize the RACF password for some other (or same) userid using a separate ITDS backend.
Then you can also define non-RACF userids with non-RACF passwords in a separate ITDS backend. And configure it as you please.

--
Donald J.
dona...@4email.net

On Thu, Nov 17, 2016, at 01:44 AM, venkat kulkarni wrote:
> We need LDAP for two user id authentication purpose. Do we have any way to implement this change
>
> On Nov 17, 2016 12:32, "Elardus Engelbrecht" <elardus.engelbre...@sita.co.za> wrote:
>
> > venkat kulkarni wrote:
> >
> > >Thanks for reply. We want to implement LDAP for initial login authentication purpose.
> >
> > That is somewhat another story. Here we use the LDAP to reset the ids after verification. Then thereafter the user logon to the application with the id.
> >
> > Please tell us for what application(s) do you want the authentication process?
> >
> > Groete / Greetings
> > Elardus Engelbrecht
Re: TCP/IP SSL trace help please xposted to IBMMAIN
try tracing the batch job name. your job is a client which does not use
your ftp server, it uses the ibm smp ftp server.

--
Donald J.
dona...@4email.net

On Wed, Nov 16, 2016, at 11:19 AM, Ward, Mike S wrote:
> Hello all, we are having a little FTPS problem. As you can see below we are
> getting: EZA1735I Std Return Code = 10234, Error Code = 00017
> We are using the smpe secure procedure. We did this last month and it worked
> fine now we are getting the above error.
> We are trying to get an SSL trace of the problem, but we can't seem to get it
> to work. Below are the commands that we are using to start the SSL trace.
> After we run the job and stop the trace the dataset we use on GSKWTR is
> empty. Can someone help us with the GSK trace? Oh the jobname of the FTP
> started task is FTPD1. We have also tried tracing the TCPIP task same results.
>
> Thanks
>
> S GSKSRVR
> TRACE CT,WTRSTART=GSKWTR
> TRACE CT,ON,COMP=GSKSRVR
> R n,JOBNAME=(yyy),OPTIONS=(LEVEL=255),WTR=GSKWTR,END where yyy is the
> name of STC.
>
> SMPE FTP JOB
>
> TRACE CT,OFF,COMP=GSKSRVR
> TRACE CT,WTRSTOP=GSKWTR
> get into IPCS
> update 0 DEFAULTS - Specify default dump and options with GSKWTR produced
>
> /bin/ftp -e -v -f "//'SSF1.SMPE.JCL(FTPDATA)'" deliverycb-bld.dhe.ibm.com
>
> EZY2640I Using 'SSF1.SMPE.JCL(FTPDATA)' for local site configuration parameters.
> EZYFT25I Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the control connection.
> EZYFT31I Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the data connection.
> EZA1450I IBM FTP CS V1R13
> EZA1772I FTP: EXIT has been set.
> EZYFT18I Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages.
> EZA1554I Connecting to: dispby-117.boulder.ibm.com 170.225.15.117 port: 21.
> 220-IBM's internal systems must only be used for conducting IBM's
> 220-business or for purposes authorized by IBM management.
> 220-
> 220-dhebpcb01 secure FTP server
> 220 ready.
> EZA1701I >>> AUTH TLS
> 234 TLSv1
> EZA2897I Authentication negotiation failed
> EZA2898I Unable to successfully negotiate required authentication
> EZA1735I Std Return Code = 10234, Error Code = 00017
>
> EZA2897I Authentication negotiation failed
> EZA2898I Unable to successfully negotiate required authentication
>
> SSF1.SMPE.JCL(FTPDATA) contains the below.
>
> SECURE_MECHANISM TLS
> TLSRFCLEVEL CCCNONOTIFY
> TLSMECHANISM FTP
> SECURE_FTP REQUIRED
> SECURE_CTRLCONN CLEAR ; COMMANDS MAY BE CLEAR (UNENCRYPTED).
> SECURE_DATACONN PRIVATE ; PAYLOAD MUST BE ENCRYPTED.
> KEYRING S250SAC/IBMSHOPZ
> EPSV4 TRUE
Re: IBM FTPS connect
What is the output of:
RACDCERT ID(MP81136) LISTRING(bexarftp)

--
Donald J.
dona...@4email.net

On Wed, Sep 14, 2016, at 08:05 AM, Mark Pace wrote:
> I'm having them look at the firewall. I tried HTTPS, but I believe at 1.13
> it required a PTF to support https. They must not have it applied as I get
> a syntax error on the downloadmethod and the downloadkeyring parameters.
>
> On Wed, Sep 14, 2016 at 8:44 AM, Kurt Quackenbush <ku...@us.ibm.com> wrote:
>
> > On 9/12/2016 12:27 PM, Mark Pace wrote:
> >
> >> I'm setting up FTPS on a 1.13 system and am a little confused by this
> >> sequence. It logs on okay showing a secure connect. But then it won't do
> >> the actual download. So I'm confused if it's the certificate or not.
> >>
> >
> > Not the certificate.
> >
> >> 150 Opening BINARY mode SSL data connection for /GIMPAF.XML.
> >> EZA2870I TLS security mechanism negotiation failed - data connection closed
> >> 425 ftpd: (data conn) SSL_accept unspecified error
> >>
> >
> > I haven't seen this one before. Your FTP.DATA seems proper. Could be a
> > firewall issue as someone suggested. Sorry, but I think you'll need to
> > open a problem with IBM Comm Server support and ask for their help to debug
> > further. Perhaps an IP trace is in order.
> >
> > As Skip suggested, HTTPS is usually way easier to use, especially with
> > respect to firewalls. Check it out:
> > http://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.gim3000/dsetups.htm
> >
> > Kurt Quackenbush -- IBM, SMP/E Development
>
> --
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
Re: Secure FTP to IBM ?
The testcase.boulder.ibm.com ftp server uses this certificate chain:

Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=testcase.boulder.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

The ftp.ap.ecurep.ibm.com & ftp.ecurep.ibm.com ftp servers use these certificate chains:

Certificate chain
 0 s:/C=DE/ST=Rheinland-Pfalz/L=Mainz/O=IBM Deutschland GmbH/CN=ftp.ap.ecurep.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SHA256 SSL CA
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SHA256 SSL CA
   i:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
 2 s:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
   i:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3

Certificate chain
 0 s:/C=DE/ST=Rheinland-Pfalz/L=Mainz/O=IBM Deutschland GmbH/CN=ftp.ecurep.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SHA256 SSL CA
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SHA256 SSL CA
   i:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
 2 s:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
   i:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3

So, the instructions will work for the last 2 ecurep ftp servers:

>GeoTrust certificate installation instructions
>MVS (OS/390, z/OS) FTP Clients only
>Please follow the directives below to establish the necessary RACF definition.
>Obtain the Equifax CA certificate.
>Below you will find the contents of the CURRENT Equifax CA certificate.
>Current Contents of the GeoTrust Trusted Root Certificate: Equifax Secure
>Certificate Authority

The last 3 comments above are incorrect. The contents listed are not
for the "Equifax Secure Certificate Authority" CA certificate.
The contents are for the "GeoTrust Primary Certification Authority - G3"
CA certificate.

The "Equifax Secure Certificate Authority" CA certificate contents would be:

--
Donald J.
dona...@4email.net

On Wed, Sep 7, 2016, at 02:02 PM, John Eells wrote:
> Dyck, Lionel B. , TRA wrote:
> > Is there a way to use FTP TLS from z/OS to testcase.boulder.ibm.com to
> > upload dumps/etc. ?
>
> Both testcase and ecurep are supposed to support FTPS and SFTP. See
> this page for instructions:
>
> http://www-05.ibm.com/de/support/ecurep/send_ftp.html#ftps
>
> --
> John Eells
> IBM Poughkeepsie
> ee...@us.ibm.com
Re: SHARE Atlanta proceedings
Share 117 thru 125 were loaded at orderly locations:

https://share.confex.com/share/117/webprogram/uploadlistall.html
...
https://share.confex.com/share/125/webprogram/uploadlistall.html

They seem to have migrated off that trail with 126.

--
Donald J.
dona...@4email.net

On Mon, Aug 15, 2016, at 10:39 AM, Mark Post wrote:
> >>> On 8/15/2016 at 11:48 AM, Norman Hollander on Desertwiz
> <norman.hollan...@desertwiz.biz> wrote:
> > Too bad they didn't ask for our preference. I like being able to download
> > individual sessions, rather than then
> > entire thing.
>
> You still can, it's just a PITA unless you know how to write scripts to
> download and parse the HTML in use. I do this for the LVM program.
>
> > Don't know if an ISO image is that much smaller than all of
> > the individual files.
>
> Almost certainly not, since there are some HTML files and images for the web
> interface the DVD presents. It's not about reducing the amount of downloads,
> it's about saving the costs of manufacturing and distribution.
>
> Mark Post
Re: SMPE receive order broken this morning?
It appears their ftp server is only accepting TLS1.0 at the moment.
All other options fail.

== Info: TLSv1.1, TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
== Info: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
== Info: Closing connection 0

The http server port 443 accepts 1.0/1.1/1.2.

--
Donald J.
dona...@4email.net

On Mon, Aug 15, 2016, at 07:01 AM, Richards, Robert B. wrote:
> Dave,
>
> It is not just you. I sent a note at 6:48am entitled " PTF order fulfillment
> issues and getting HOLDDATA".
>
> I have not opened a SR yet, so if you get a quick reply, please post what
> they say.
>
> In my case, a FTP GET for full HOLDDATA also failed.
>
> Bob
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Jousma, David
> Sent: Monday, August 15, 2016 9:40 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: SMPE receive order broken this morning?
>
> All,
>
> I apologize if this has been asked, but I've been on vacation for the last
> week or two. Last time it worked for me was prior to this. Seems like
> something changed? Seems to be refused at IBM end. I do have ticket open
> with them, but thought maybe I might have missed something.
>
> /bin/ftp -e -v -f "//'SYS1.TCPPARMS(FTPSECUR)'" deliverycb-bld.dhe.ibm.com
>
> EZY2640I Using 'SYS1.TCPPARMS(FTPSECUR)' for local site configuration parameters.
> EZYFT25I Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the control connection.
> EZYFT31I Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the data connection.
> EZA1450I IBM FTP CS V2R2
> EZA1772I FTP: EXIT has been set.
> EZYFT18I Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages.
> EZA1554I Connecting to: dispby-117.boulder.ibm.com 170.225.15.117 port: 21.
> 220-IBM's internal systems must only be used for conducting IBM's
> 220-business or for purposes authorized by IBM management.
> 220-
> 220-Use is subject to audit at any time by IBM management.
> 220-
> 220 dhebpcb01 secure FTP server ready.
> EZA1701I >>> AUTH TLS
> 234 SSLv23/TLSv1
> EZA2897I Authentication negotiation failed
> EZA2898I Unable to successfully negotiate required authentication
> EZA1735I Std Return Code = 10234, Error Code = 00017
>
> _
> Dave Jousma
> Manager Mainframe Engineering, Assistant Vice President
Re: Secure FTP process for IBM Download
Based on a brief amount of testing I did, running FTP with
TLSMECHANISM ATTLS (Pagent) did not work for me, but
running outside of Pagent (TLSMECHANISM FTP) did work.

But using the HTTPS port 443 works fine and doesn't require you to
set up and maintain yet another customized FTP.DATA for this one
connection.

--
Donald J.
dona...@4email.net

On Wed, Jul 20, 2016, at 07:51 AM, Walser, Susan L wrote:
> Greetings All,
>
> Has anyone set this up using RACF and the GEO.Trust.Cert who would be
> available to answer a few questions for me? I have the key ring added and
> the Cert connected.
>
> Thanks,
> Susan Walser
> Lead RACF Engineer, Mainframe Engineering | IT Production Services
> TIAA Financial Services
Re: z/OS OpenSSL, SelfSigned Certs, etc
There is no confusion. When someone mentions a self-signed certificate,
they are almost always not referring to root certificates, but to simpleton
user certificates where Issuer=Subject. The topic of my post was obviously
user-generated self-signed certificate vs user-generated non-self-signed certs.
The ranting about purchased vendor certificates is "off topic".

--
Donald J.
dona...@4email.net

On Wed, Jun 22, 2016, at 08:17 AM, Charles Mills wrote:
> Right.
>
> This is the confusion on what self-signed means.
z/OS OpenSSL, SelfSigned Certs, etc
I notice Rocket is including a copy of OpenSSL 1.0.2c in their ported
tools Curl download. With the recent talk about negative aspects of using
self signed certs, I attempted to see if that OpenSSL could be used to
generate a root certificate and a user cert chained to that root cert.
Looks like it only takes 5 or 6 commands:

#!/bin/sh
export CA_NAME=acme.domain.ca
export SSL_HOME=/home/user123/openssl
export OPENSSL_CONF=/home/user123/openssl/conf/openssl.cfg
export SSL_USER=USER123
export SSL_SER=1234
#
# Generate CA Root Cert
openssl genrsa -out $SSL_HOME/certs/$CA_NAME.key 2048
openssl req -new -x509 -days 5000 -extensions v3_ca -key $SSL_HOME/certs/$CA_NAME.key -out $SSL_HOME/certs/$CA_NAME.pem
#
# Generate User Cert in pem and pkcs12 formats
openssl genrsa -out $SSL_HOME/certs/$SSL_USER.key 2048
openssl req -new -sha256 -reqexts v3_csr -key $SSL_HOME/certs/$SSL_USER.key -out $SSL_HOME/certs/$SSL_USER.csr
openssl x509 -req -sha256 -extfile $OPENSSL_CONF -extensions v3_req -days 730 -in $SSL_HOME/certs/$SSL_USER.csr -CA $SSL_HOME/certs/$CA_NAME.pem -CAkey $SSL_HOME/certs/$CA_NAME.key -set_serial $SSL_SER -out $SSL_HOME/certs/$SSL_USER.pem
openssl pkcs12 -export -in $SSL_HOME/certs/$SSL_USER.pem -inkey $SSL_HOME/certs/$SSL_USER.key -out $SSL_HOME/certs/$SSL_USER.p12 -password file:$SSL_HOME/password.txt
# End

The PKCS12 certificate created was successfully tested using Curl FTPS.
Note that the password.txt file must be in ASCII, not EBCDIC.

Only other task is to prepare an openssl.cfg file [ and for IBM to include
a working example in their manual(s) ]. I did have a problem trying to define
crlDistributionPoints and authorityInfoAccess due to probable ASCII/EBCDIC
issues. But those items aren't needed for basic testing.

--
Donald J.
dona...@4email.net
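A minimal openssl.cfg supplying the v3_ca, v3_csr and v3_req sections that the commands in the post above reference, followed by a check of the Issuer=Subject distinction discussed in this thread. This is an added example, not part of the original post and not IBM's or Rocket's configuration; the section contents, the -config and -subj options, the function names and the temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the post). The section names v3_ca, v3_csr and
# v3_req come from the post's commands; their contents are assumed values.

write_cfg() {                # $1 = config file to create
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn

[ dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_csr ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment

[ v3_req ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

build_chain() {              # $1 = work directory
    d=$1
    cfg=$d/openssl.cfg
    ca=$d/acme.domain.ca
    user=$d/USER123
    write_cfg "$cfg" || return 1
    # Root CA certificate: signed with its own key, so Issuer = Subject.
    openssl genrsa -out "$ca.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -sha256 -days 5000 -config "$cfg" -extensions v3_ca \
        -subj "/CN=acme.domain.ca" -key "$ca.key" -out "$ca.pem" || return 1
    # User certificate: CSR signed by the CA key, so Issuer = the CA's Subject.
    openssl genrsa -out "$user.key" 2048 2>/dev/null || return 1
    openssl req -new -sha256 -config "$cfg" -reqexts v3_csr \
        -subj "/CN=USER123" -key "$user.key" -out "$user.csr" || return 1
    openssl x509 -req -sha256 -extfile "$cfg" -extensions v3_req -days 730 \
        -in "$user.csr" -CA "$ca.pem" -CAkey "$ca.key" -set_serial 1234 \
        -out "$user.pem" 2>/dev/null
}

# Prints yes when Issuer equals Subject (the thread's meaning of self-signed).
is_self_signed() {           # $1 = PEM certificate
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    i=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    if [ "$s" = "$i" ]; then echo yes; else echo no; fi
}

# Succeeds when the certificate carries basicConstraints CA:TRUE.
is_ca() {                    # $1 = PEM certificate
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Succeeds when the user certificate validates against the generated root.
chain_ok() {                 # $1 = work directory
    openssl verify -CAfile "$1/acme.domain.ca.pem" "$1/USER123.pem" 2>/dev/null |
        grep -q ': OK$'
}

DEMO_DIR=$(mktemp -d)
if build_chain "$DEMO_DIR" && chain_ok "$DEMO_DIR"; then
    echo "root  Issuer=Subject: $(is_self_signed "$DEMO_DIR/acme.domain.ca.pem")"
    echo "user  Issuer=Subject: $(is_self_signed "$DEMO_DIR/USER123.pem")"
fi
```

A relying party then only needs the root certificate in its trust store (on z/OS, connected to the key ring as a CERTAUTH certificate) to validate any user certificate issued this way.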
Re: Mounting NFS Directory on zOS as Binary
The difficult part can be establishing security. What do you have in your
export file for security? For initial testing, easiest to just allow access
to the z/OS NFS from the IP address of your zLinux with a command like:

/sandbox1 -rw=192.168.231.10

Then add better security after you get it working.
Also do you have the host names defined in a host table or DNS server?

--
Donald J.
dona...@4email.net

On Tue, Jun 21, 2016, at 01:47 PM, Jasi Grewal wrote:
> Greetings, I am trying to mount this zLinux Filesystem on zOS using NFS with
> the following command and it seems that either is not supported as Binary or
> I am missing something.
>
> mount filesystem('lozlnx00:/sandbox') type(nfs)
> mountpoint('/nfsmnts/lozlnx00/sandbox')
> parm('lozlnx00:"/sandbox,binary",xlat(y),vers(3)')
>
> I get the following error:
> BPXF162E ASYNCHRONOUS MOUNT FAILED FOR FILE SYSTEM LOZLNX00:/SANDBOX.
>
> BPXF135E RETURN CODE 046A, REASON CODE 6E2A1003. THE MOUNT FAILED FOR
> FILE SYSTEM LOZLNX00:/SANDBOX.
>
> Any information would be grateful.
> Thank You in advance,
> Regards,
>
> Jasi Grewal.
z/OS XL C/C++ Requirement
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.e0zb100/pgmreqs.htm

IBM document above states IP Services has following requirements:

- For user-written programs in C that interface to an X Window System client,
  Remote Procedure Call, TCP or UDP protocol boundary, DPI, IP, or z/OS UNIX
  feature (Rcommands, RPC, or X Window System), you require the z/OS XL C/C++
  feature.
- For TCP/IP functions written in C (C sample programs, Network Database
  System client and server, Network Computing System, Remote Procedure Call,
  non-z/OS UNIX X Window System) or z/OS UNIX features (ONC/RPC, X Window
  System), you require the z/OS XL C/C++ feature.

First statement is about user written programs. So I assume 2nd statement
is about non-user written programs. Why is the C/C++ compiler required by me
for vendor written programs/features/functions? Only thing I have used the
compiler on previous versions is to compile the XAUTH program, and it should
be upward compatible for new releases.

--
Donald J.
dona...@4email.net
Re: [EXTERNAL] Re: smp/e sha-2 support?
Yes. When I go to port 443 I also see the correct chain:

openssl s_client -debug -connect dispby-117.boulder.ibm.com:443 -state

SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=deliverycb-bld.dhe.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

When I go to port 21, I see:

openssl s_client -debug -connect dispby-117.boulder.ibm.com:21 -state -starttls ftp

SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=deliverycb-bld.dhe.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

--
Donald J.
dona...@4email.net

On Tue, May 17, 2016, at 05:08 PM, Andrew Rowley wrote:
> On 18/05/2016 0:53, John Eells wrote:
> > - Added support for both SHA-2 (SHA-256) and 2048-bit RSA certificates.**
> > - Put the package signing verification certificate where "anyone could
> > get it"
> > - Made the signing (certificate-based) check optional.
> > - Continued to keep the integrity checking optional, whether based on
> > SHA-2 or SHA-1.
> >
> > Would that meet the set of needs we've been talking about?
> >
> > * As usual, no promises.
> > ** I think we have to keep the SHA-1 support because we create an
> > incompatibility if we don't.
>
> From Donald's post it sounds like the original problem might be the
> FTPS/HTTPS certificates, not the SHA1 verification of data already
> transmitted over a secure channel. This makes more sense from an audit
> point of view, and I think someone suggested a firewall was complaining
> - it would have no awareness of what was done with the data after
> transmission. In that case fixing the certificate is the simple solution.
>
> I just checked deliverycb-bld.dhe.ibm.com and I see a different
> certificate chain to Donald - I see the 023456 GeoTrust Global CA. Is it
> possible that it resolves to multiple hosts with different certificates
> e.g. in different countries, or that it has just been fixed?
>
> On the question of package signing, I would suggest that it should be
> done using the usual methods which means that you don't need to put a
> certificate where anyone can get it.
>
> z/OS should have the common root CAs installed with the operating system
> (if it doesn't already). Then (as I understand it) the signed
> certificate is included with the signature. To verify it you then follow
> the chain of signed certificates until you get to one signed by the root
> CA that you already have.
>
> This means that you can verify the origin of something without knowing
> the correct place to get that particular public key.
>
> Andrew Rowley
>
> --
> Andrew Rowley
> Black Hill Software
Re: [EXTERNAL] Re: smp/e sha-2 support?
The new GeoTrust Global CA is serial# 023456, expiration 5/20/2022.
The old GeoTrust Global CA is serial# 12bbe6, expiration 8/20/2018.

At +5eF in the server cert chain being sent out, there is "12 bb e6".

05d0 - 25 b0 68 f9 de 08 5a f3-29 cc d4 92 00 03 81 30 %.h...Z.)..0
05e0 - 82 03 7d 30 82 02 e6 a0-03 02 01 02 02 03 12 bb ..}0
05f0 - e6 30 0d 06 09 2a 86 48-86 f7 0d 01 01 05 05 00 .0...*.H....

--
Donald J.
dona...@4email.net

On Tue, May 17, 2016, at 03:24 PM, Donald J. wrote:
> John,
>
> I don't think you have the right GeoTrust certificate on your server.
>
> The server is sending out this cert chain:
> Certificate chain
> 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES
> CORPORATION/CN=deliverycb-bld.dhe.ibm.com
>i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
> 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
>i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>
> It should be sending out this cert chain:
> 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES
> CORPORATION/CN=deliverycb-bld.dhe.ibm.com
>i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
> 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
>i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>
> GeoTrust issued a new "GeoTrust Global CA" cert several years ago
> which does not chain to Equifax Secure Certificate Authority.
>
> Once you correct that, your IBM cert and the GeoTrust SSL CA - G3 cert
> will both be sha2. It is not significant that the GeoTrust Global CA root
> certificate is sha1.
>
> --
> Donald J.
> dona...@4email.net
>
> On Tue, May 17, 2016, at 07:53 AM, John Eells wrote:
> > So...suppose we were to do something like this*:
> >
> > - Added support for both SHA-2 (SHA-256) and 2048-bit RSA certificates.**
> > - Put the package signing verification certificate where "anyone could
> > get it"
> > - Made the signing (certificate-based) check optional.
> > - Continued to keep the integrity checking optional, whether based on
> > SHA-2 or SHA-1.
> >
> > Would that meet the set of needs we've been talking about?
> >
> > * As usual, no promises.
> > ** I think we have to keep the SHA-1 support because we create an
> > incompatibility if we don't.
> >
> > Andrew Rowley wrote:
> > > My further thoughts:
> > >
> > >> - Would a certificate-based signature do?
> > >> - What requirements would you have for certificates?
> > > The signature should use the same type of code signing certificates used
> > > for other platforms. Any company delivering Windows software almost
> > > certainly has a certificate already. There are various implementations,
> > > e.g. Windows exe signing and Java jar signing. I'm pretty sure z/OS can
> > > verify signatures on jars at least. Some thought would have to go into
> > > how you attach a signature to a package and what you attach it to.
> > >
> > >> - Would you want signature verification to be optional?
> > > Yes. For SMP/E it should be the default, probably at RECEIVE time but
> > > able to be bypassed e.g. RECEIVE... BYPASS(SIGCHECK) .
> > > Non-SMP/E is handicapped by the absence of a standard delivery format.
> > > If you had a tool to deliver a set of non SMP/E datasets, the packaging
> > > format should have an option to include a signature - perhaps with a
> > > warning when extracting if unsigned and/or an option to force signature
> > > checking. It depends on how useful the product would be inside a site -
> > > you don't want to force customers to get their own certificate if they
> > > decide a tool would be useful internally.
> > >
> > >> - If signature verification were to be optional, would it be
> > >> acceptable to use the SHA-1 hash for integrity checking if the
> > >> recipient chose not to verify the signature? Or, would it still be
> > >> necessary to use a different algorithm?
> > >
> > > I'm not sure how useful it is. How likely is it that something be
> > > corrupted in a situation where you can get a hash to verify but can't
> > > verify a signature?
> > >
> > >> - Anything else to t
Re: [EXTERNAL] Re: smp/e sha-2 support?
John,

I don't think you have the right GeoTrust certificate on your server.
The server is sending out this cert chain:

Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=deliverycb-bld.dhe.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

It should be sending out this cert chain:

 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=deliverycb-bld.dhe.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=O=GeoTrust Inc./CN=GeoTrust Global CA

GeoTrust issued a new "GeoTrust Global CA" cert several years ago which does
not chain to Equifax Secure Certificate Authority. Once you correct that,
your IBM cert and the GeoTrust SSL CA - G3 cert will both be sha2. It is not
significant that the GeoTrust Global CA root certificate is sha1.

--
Donald J.
dona...@4email.net

On Tue, May 17, 2016, at 07:53 AM, John Eells wrote:
> So...suppose we were to do something like this*:
>
> - Added support for both SHA-2 (SHA-256) and 2048-bit RSA certificates.**
> - Put the package signing verification certificate where "anyone could
>   get it"
> - Made the signing (certificate-based) check optional.
> - Continued to keep the integrity checking optional, whether based on
>   SHA-2 or SHA-1.
>
> Would that meet the set of needs we've been talking about?
>
> * As usual, no promises.
> ** I think we have to keep the SHA-1 support because we create an
>    incompatibility if we don't.
>
> Andrew Rowley wrote:
> > My further thoughts:
> >
> >> - Would a certificate-based signature do?
> >> - What requirements would you have for certificates?
> > The signature should use the same type of code signing certificates used
> > for other platforms. Any company delivering Windows software almost
> > certainly has a certificate already. There are various implementations,
> > e.g. Windows exe signing and Java jar signing. I'm pretty sure z/OS can
> > verify signatures on jars at least. Some thought would have to go into
> > how you attach a signature to a package and what you attach it to.
> >
> >> - Would you want signature verification to be optional?
> > Yes. For SMP/E it should be the default, probably at RECEIVE time but
> > able to be bypassed e.g. RECEIVE... BYPASS(SIGCHECK) .
> > Non-SMP/E is handicapped by the absence of a standard delivery format.
> > If you had a tool to deliver a set of non SMP/E datasets, the packaging
> > format should have an option to include a signature - perhaps with a
> > warning when extracting if unsigned and/or an option to force signature
> > checking. It depends on how useful the product would be inside a site -
> > you don't want to force customers to get their own certificate if they
> > decide a tool would be useful internally.
> >
> >> - If signature verification were to be optional, would it be
> >> acceptable to use the SHA-1 hash for integrity checking if the
> >> recipient chose not to verify the signature? Or, would it still be
> >> necessary to use a different algorithm?
> >
> > I'm not sure how useful it is. How likely is it that something be
> > corrupted in a situation where you can get a hash to verify but can't
> > verify a signature?
> >
> >> - Anything else to think about?
> > Lots, I'm sure! It's probably worth also looking at the implementation
> > of signed SMF data to see how they do it.
> >
> > Andrew Rowley
>
> --
> John Eells
> IBM Poughkeepsie
> ee...@us.ibm.com
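The comparison made in the message above can be automated. The following Python is an added example, not part of the original message and not an IBM or OpenSSL tool: it parses the `Certificate chain` section printed by `openssl s_client` and reports which root the chain as sent terminates at and which entries are cross-certificates for a CA the client could already trust as a root. The `trusted_roots` set stands in for a hypothetical client keyring, and the expected chain is written with the corrected `O=GeoTrust Inc.` issuer.

```python
import re

# Chain the server sends, as quoted in the message above (openssl 1.0.x DN format).
SENT_CHAIN = """\
Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=deliverycb-bld.dhe.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
"""

# Chain the message says should be sent: same leaf and intermediate, self-signed root.
EXPECTED_CHAIN = """\
Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=deliverycb-bld.dhe.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
"""

GEOTRUST_ROOT = "/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA"

SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.+?)\s*$")
ISSUER = re.compile(r"^\s*i:(.+?)\s*$")


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client 'Certificate chain' text."""
    chain, pending = [], None
    for line in text.splitlines():
        m = SUBJECT.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = ISSUER.match(line)
        if m and pending is not None:
            chain.append((pending[0], pending[1], m.group(1)))
            pending = None
    return chain


def audit_chain(chain, trusted_roots):
    """Summarise a parsed chain against a set of root DNs the client trusts."""
    if not chain:
        raise ValueError("no certificates found in input")
    # Each certificate's issuer must be the subject of the next one sent.
    linked = all(chain[i][2] == chain[i + 1][1] for i in range(len(chain) - 1))
    _, last_subject, last_issuer = chain[-1]
    # A trusted root's name presented with a different issuer is a cross-certificate.
    cross_signed = [d for d, subj, iss in chain if subj in trusted_roots and iss != subj]
    # First depth whose issuer is already trusted: nothing beyond it is needed.
    needed_depth = next((d for d, _, iss in chain if iss in trusted_roots), None)
    return {
        "linked": linked,
        "anchor": last_issuer,
        "self_signed_root_sent": last_subject == last_issuer,
        "cross_signed": cross_signed,
        "needed_depth": needed_depth,
    }


if __name__ == "__main__":
    for label, text in (("sent", SENT_CHAIN), ("expected", EXPECTED_CHAIN)):
        print(label, audit_chain(parse_chain(text), {GEOTRUST_ROOT}))
```
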
Re: Java problem
Try doing your javac like below from your home directory.
Then see if any useful info is in your file javac.log

javac -J-Xverbosegclog:javac.log -J-XX:+PrintGCDetails -J-XX:+PrintGCTimeStamps -help

--
Donald J.
dona...@4email.net

On Sat, May 7, 2016, at 08:25 AM, Phil Smith III wrote:
> P.S. Scott, the same command still failed after -help was working. Do you
> know what's wrong with it? Would love to grok this in fullness (well, "more
> completely" -- I know I'll never grok in fullness!)
>
> -Original Message-
> From: Phil Smith III [mailto:li...@akphs.com]
> Sent: Saturday, May 07, 2016 11:23 AM
> To: ibm-m...@bama.ua.edu
> Subject: RE: Java problem
>
> Scott:
> >/u/Java6_64/J6.0_64/bin/javac -J-Xmx64m help
> error: Class names, 'help', are only accepted if annotation processing is
> explicitly requested
> 1 error
>
> VICTORY:
> Lucas Rosalen wrote:
> >H maybe MemLimit and SHMemMax on OMVS segment are also good parms to
> check/increase
>
> Both of mine were 0; I set them to 512 with a multiplier of M and now javac
> -help works! Have done the same for the user who was actually trying to use
> this and sent him a note. At least we now have a model that works--we'll see
> if that was the only parameter that mattered, or if we have to go back and
> change the other things that I'd changed on the way.
>
> THANK YOU!!! Owe ya a beer or three at SCIDS.
>
> ...phsiii
Re: SMTP question.
Does adding "NOSOURCEROUTE ENABLED" to your SMTP task config change anything?

--
Donald J.
dona...@4email.net

On Wed, Apr 27, 2016, at 05:05 PM, Field, Alan wrote:
> We run SMTP on one lpar (z/OS 2.1).
>
> Recently we switched our mail server from Notes to Exchange.
>
> Mostly transparent except for one lpar, and only some jobs even then.
>
> The failing jobs use SAS email. They run fine on 5 lpars, fail on one.
>
> One thing we see from the failing lpar (in the SMTP log) is
>
> >MAIL FROM:<userid%noden...@xxx.yyy.com>
>
> My exchange guy says it is the % that is causing the problem.
>
> What I cannot find is where/how this is being generated and why it only
> affects SAS emails on the one lpar. XMITIP from the same lpar works correctly.
>
> I have compared the TCPDATA and PROFILE members for each lpar and apart from
> the expected differences (like node names) they appear to be identical.
>
> Any SMTP wizards care to offer suggestions, please.
>
> Alan Field
> Systems Engineer Principal
> Blue Cross Blue Shield of MN
>
> 651.662.3546
Re: New to Z/OSMF - SOLVED
Great. Now the difficult part begins - figuring out how to use it.

I think the recommended procedure for the old method was to create a base
config with no plugins, then add the plugins by running izusetup again with
the -add parameter, and A values in your override file.

--
Donald J.
dona...@4email.net

On Mon, Apr 4, 2016, at 11:31 AM, Tracy Adams wrote:
> So what I found is that the UI90034 ptf was applied back in January during
> the monthly compliance maintenance round and the ptf actions must have been
> bypassed as the steps to complete the migration from V2r1 to V2r1 with the
> ptf were not completed. The bottom line is this ptf requires you to create
> a parmlib member if you want to use the plugins. Once I did that the
> plugins are visible on the webpage.
>
> Thanks for your help!
Re: Apache Web Server running on z/OS unable to detect TLS 1.2
>...and I tried with Donald's suggestion and unfortunately it did not work.

Post the output from the openssl s_client command.
Re: Apache Web Server running on z/OS unable to detect TLS 1.2
Try
  SSLProtocolEnable TLSv12
instead of TLSv1.2

You can test with an openssl command similar to:

  openssl s_client -connect 12.34.56.78:443 -tls1_2

--
Donald J.
dona...@4email.net

On Tue, Mar 29, 2016, at 02:26 PM, Jasi Grewal wrote:
> Greetings, We are using Apache Web Server on z/OS system and are seeing the
> Nessus reports on Port 443 as it cannot detect TLS being enabled, though we
> do have the statements.
>
> Our intention is to serve some non-secured pages but main provide our users
> with controlled access to some more sensitive pages. When Listen 443 is
> uncommented in the config file, the server fails the NESSUS scan. I can only
> pass the scan by commenting out Listen 443.
>
> httpd.conf:
>
> #Listen 12.34.56.78:443
> Listen 443
> Listen 80
>
>
>    ServerName xxx..x.xxx
>    SSLProtocolEnable TLSv1.2
>    SSLProtocolDisable TLSv1.1
>    SSLProtocolDisable SSLv2
>    SSLProtocolDisable SSLv3
>    SSLEnable
>    KeyFile /saf IHSASRV_KEYRING
>
> We are seeing the following Nessus scan results:
>
> High Severity Vulnerability
> TLS Version 1.2 Protocol Detection
> Synopsis :
> The remote service encrypts communications but does not support TLS1.2.
> Description :
> This script detects whether TLS version 1.2 is supported by the remote
> service for encrypting communications.
> Solution :
> Consult the application's documentation to enable TLS 1.2 or if not supported
> ask vendor to add support for TLS 1.2 (with approved cipher suites)
> Plugin Output :
> TLS v1.2 is not enabled on this port.
> Nessus Plugin ID : 951001
>
> Any advice would be grateful.
> Thank you in advance,
> Regards,
>
> Jasi.
Re: PLEASE HELP TLS 1.2
He is on CICS 5.2, not 5.3.

--
Donald J.
dona...@4email.net

On Thu, Mar 24, 2016, at 09:16 AM, McCabe, Ron wrote:
> IBM would prefer that you use MINTLSLEVEL...
>
> The ENCRYPTION system initialization parameter has been deprecated. Use the
> MINTLSLEVEL system initialization parameter instead. For more information
> about the MINTLSLEVEL system initialization parameter, see MINTLSLEVEL. If
> you specify the ENCRYPTION parameter, it will be treated as MINTLSLEVEL:
> ENCRYPTION=STRONG is equivalent to MINTLSLEVEL=TLS10. This is the default.
> ENCRYPTION=ALL is equivalent to MINTLSLEVEL=TLS11
> ENCRYPTION=TLS12 is equivalent to MINTLSLEVEL=TLS12
> End of change
>
> Thanks,
> Ron McCabe
> Mutual of Enumclaw
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Donald J.
> Sent: Thursday, March 24, 2016 9:05 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: PLEASE HELP TLS 1.2
>
> ENCRYPTION=ALL        Allows the use of TLS v1.1 and v1.2 in
>                       addition to the protocols allowed by STRONG (TLS v1.0).
> ENCRYPTION=TLS12FIPS  Allows the use only TLS v1.2 with FIPS 140-2 standards
> ENCRYPTION=STRONG     Allows the use of TLS v1.0 (this is the default).
> ENCRYPTION=SSLV3      Allows the use of TLS v1.0 and SSL V3.0.
>
> --
> Donald J.
> dona...@4email.net
>
> On Thu, Mar 24, 2016, at 08:37 AM, Lopez, Sharon wrote:
> > A federal agency changed to TLS v1.2 over the weekend and now we are not
> > able to connect to them via CICS 5.2. We have on the TLS V1.2 ptf for z/OS
> > 1.13 and we are starting with the correct SIT within CICS. We are missing
> > something but cannot figure this out. Anyone else experiencing this? Are
> > there parameters somewhere else that we need to specify TLS 1.2. We
> > appreciate any help that you can give us.
> > Thank you.
Re: PLEASE HELP TLS 1.2
ENCRYPTION=ALL        Allows the use of TLS v1.1 and v1.2 in addition to the
                      protocols allowed by STRONG (TLS v1.0).
ENCRYPTION=TLS12FIPS  Allows the use only TLS v1.2 with FIPS 140-2 standards
ENCRYPTION=STRONG     Allows the use of TLS v1.0 (this is the default).
ENCRYPTION=SSLV3      Allows the use of TLS v1.0 and SSL V3.0.

--
Donald J.
dona...@4email.net

On Thu, Mar 24, 2016, at 08:37 AM, Lopez, Sharon wrote:
> A federal agency changed to TLS v1.2 over the weekend and now we are not able
> to connect to them via CICS 5.2. We have on the TLS V1.2 ptf for z/OS 1.13
> and we are starting with the correct SIT within CICS. We are missing
> something but cannot figure this out. Anyone else experiencing this? Are
> there parameters somewhere else that we need to specify TLS 1.2. We
> appreciate any help that you can give us.
> Thank you.
Re: (External):Re: IBM secure z/OS software delivery: Don't get locked out!
>>I wonder if any errors you see with its use might be related to your firewall.

I wonder if this process was tested with Pagent/ATTLS? Can you confirm IBM
tested that mode?

>> I'm curious what problems you get when doing so.

The GET then fails with Error Code 10. I'm curious if IBM has tested that
mode? Can you confirm?

--
Donald J.
dona...@4email.net

On Fri, Mar 11, 2016, at 01:56 PM, Kurt Quackenbush wrote:
> > Their server also seems to require use of the CCC subcommand to clear the
> > command channel.
>
> To be clear, IBM's server does not require the FTP client to use the CCC
> subcommand. SMP/E's default behavior is to use CCC, with the idea that
> some local firewalls will be more accepting of FTPS if they can sniff
> the clear text commands to intercept the exchanged port values. Perhaps
> we're being naive, but that was the thought.
>
> > ... There is a client parameter setting ftpccc="no" to make the server
> > quit using CCC, but that seems to cause a problem also.
>
> SMP/E does allow you to turn off using the CCC subcommand, but I'm
> curious what problems you get when doing so. Since the server does not
> require use of CCC, I wonder if any errors you see with its use might be
> related to your firewall. We've seen examples of a firewall forbidding
> CCC, hence the need for the option to turn it off.
>
> Kurt Quackenbush -- IBM, SMP/E Development
Re: (External):Re: IBM secure z/OS software delivery: Don't get locked out!
You need RemotePortRangeRef for port 21. Port 21 is remote.

--
Donald J.
dona...@4email.net

On Fri, Mar 11, 2016, at 12:21 PM, Gibney, David Allen wrote:
> Actually, I do:
> TTLSRule ftp_client1
> {
>   LocalPortRange 21
>   Direction Outbound
>   TTLSGroupActionRef ftp_grp_act
>   TTLSEnvironmentActionRef ftp_client_env_act
> }
> TTLSGroupAction ftp_grp_act
> {
>   TTLSEnabled On
>   Trace 7
>   GroupUserInstance 1
> }
> TTLSEnvironmentAction ftp_client_env_act
> {
>   HandshakeRole Client
>   TTLSKeyringParms
>   {
>     Keyring FTPClientRing
>   }
>   TTLSEnvironmentAdvancedParms
>   {
>     ApplicationControlled On
>     SecondaryMap On
>   }
>   EnvironmentUserInstance 1
> }
>
> I'll have debug all in my next run.
>
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of Donald J.
> > Sent: Friday, March 11, 2016 10:13 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: (External):Re: IBM secure z/OS software delivery: Don't get
> > locked out!
> >
> > He is using TLSMECHANISM ATTLS. Yours uses TLSMECHANISM FTP (non-Pagent).
> > He is getting the error because he has no PAGENT TTLSRule for Outbound Port 21.
> > Suggest you turn on DEBUG ALL in your FTP.DATA file while debugging.
> >
> > It is working ok for me with TLSMECHANISM FTP.
> > I tried with ATTLS, but am getting a server error on the BINARY FTP
> > SUBCOMMAND.
> > Still looking in to that, but it is questionable if their FTPS server works
> > with PAGENT ATTLS.
> > Can't imagine why they would install a server incompatible with PAGENT
> > though.
> >
> > >>> TYPE I
> > SC3261 getReply: entered
> > SC4327 getNextReply: entered with waitForData = TRUE
> > Connection with dispby-117.boulder.ibm.com terminated
> > SC4445 SETCEC code = 10
> > CZ1434 ftpClose: entered
> > SC4067 inSession: entered
> > SC4145 setLoggedIn: entered
> > CT0282 binary: getReply failed.
> > PC1047 logClientErrMsg: entered
> > PC0945 setClientRC: entered
> > SC4019 getLastReply: entered
> > PC1015 setClientRC: std_rc=06000, rc_type=CEE, rc=1006
> > SRECTIV3 FTP failed - Cmd = 6(binary) Reply = n/a EX CEE RC = 1006
> > SC4019 getLastReply: entered
> > CX0389 main: RC=-0001 cmd_in_progress=06
> > CX0392 main: last_reply= err=10
> > PC0945 setClientRC: entered
> > SC4019 getLastReply: entered
> > Std Return Code = 06000, Error Code = 00010
> > CZ1354 ftpQuit: entered
> > CZ1434 ftpClose: entered
> >
> > Their server also seems to require use of the CCC subcommand to clear the
> > command channel.
> > So if you are using SECURE_CTRLCONN PRIVATE instead of SECURE_CTRLCONN
> > CLEAR, it might cause a problem also. There is a client parameter setting
> > ftpccc="no" to make the server quit using CCC, but that seems to cause a
> > problem also.
> >
> > Use of KEYRING *AUTH*/* should be sufficient for the FTPS portion of the
> > job.
> >
> > The server web site also uses root certificate "GeoTrust Global CA" which
> > has its share of issues also. See:
> > https://urldefense.proofpoint.com/v2/url?u=http-3A__security.stackexchange.com_questions_53231_google-2Dcertificates-2Dcorrect-2Dca_53271-2353271=CwIFaQ=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw=u9g8rUevBoyCPAdo5sWE9w=aamFb_mypnk4GycjqtSii-YrY-c2-IzeE0M17VgSPbY=Txk6MDp8o81j54Ojmpo1aZbHaoJxUawo1NHCS1JgDO0=
> > Openssl s_client reports the server cert chain to be:
> > Certificate chain
> > 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES
> > CORPORATION/CN=deliveryc
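The mismatch pointed out in the reply above (an outbound rule keyed on local port 21, when port 21 is the remote end of an FTP client connection) can be caught mechanically. The Python below is an added example, not part of the thread and not an IBM tool: it parses the policy text quoted above and flags outbound TTLSRule blocks that select on a well-known local port with no remote port, plus action references that resolve to nothing. The finding codes, the 1024 cut-off and the `RemotePortRange 21` variant are assumptions made for the illustration.

```python
import re

# Policy exactly as quoted in the message above.
QUOTED_POLICY = """\
TTLSRule ftp_client1
{
  LocalPortRange 21
  Direction Outbound
  TTLSGroupActionRef ftp_grp_act
  TTLSEnvironmentActionRef ftp_client_env_act
}
TTLSGroupAction ftp_grp_act
{
  TTLSEnabled On
  Trace 7
  GroupUserInstance 1
}
TTLSEnvironmentAction ftp_client_env_act
{
  HandshakeRole Client
  TTLSKeyringParms
  {
    Keyring FTPClientRing
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled On
    SecondaryMap On
  }
  EnvironmentUserInstance 1
}
"""

# Constructed variant: the port selector moved to the remote side, per the reply.
FIXED_POLICY = QUOTED_POLICY.replace("LocalPortRange 21", "RemotePortRange 21")


def parse_policy(text):
    """Parse 'Statement name { key value ... }' text into nested dicts.

    Block headers become keys such as 'TTLSRule ftp_client1'; plain lines
    become key -> value strings. '#' starts a comment.
    """
    root, pending = {}, None
    stack = [root]

    def flush():
        nonlocal pending
        if pending is not None:
            key, _, value = pending.partition(" ")
            stack[-1][key] = value.strip()
            pending = None

    for raw in text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())
        if not line:
            continue
        if line == "{":
            if pending is None:
                raise ValueError("'{' without a statement header")
            block = {}
            stack[-1][pending] = block   # the header line names the block
            stack.append(block)
            pending = None
        elif line == "}":
            flush()
            stack.pop()
        else:
            flush()
            pending = line
    flush()
    return root


def lint_rules(policy):
    """Return [(rule_name, finding_code), ...] for every TTLSRule in the policy."""
    findings = []
    for header, body in policy.items():
        kind, _, name = header.partition(" ")
        if kind != "TTLSRule" or not isinstance(body, dict):
            continue
        outbound = body.get("Direction", "").lower() == "outbound"
        remote = body.get("RemotePortRange") or body.get("RemotePortRangeRef")
        local = body.get("LocalPortRange")
        if outbound and local and not remote:
            # A client's local port is ephemeral; a low local port never matches.
            if int(re.split(r"[-\s]+", local)[0]) < 1024:
                findings.append((name, "outbound-rule-keyed-on-local-server-port"))
        for ref in ("TTLSGroupActionRef", "TTLSEnvironmentActionRef"):
            target = body.get(ref)
            if target and f"{ref[:-3]} {target}" not in policy:
                findings.append((name, f"dangling-{ref}"))
    return findings


if __name__ == "__main__":
    print("quoted:", lint_rules(parse_policy(QUOTED_POLICY)))
    print("fixed: ", lint_rules(parse_policy(FIXED_POLICY)))
```
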
Re: (External):Re: IBM secure z/OS software delivery: Don't get locked out!
He is using TLSMECHANISM ATTLS. Yours uses TLSMECHANISM FTP (non-Pagent).
He is getting the error because he has no PAGENT TTLSRule for Outbound Port 21.
Suggest you turn on DEBUG ALL in your FTP.DATA file while debugging.

It is working ok for me with TLSMECHANISM FTP.
I tried with ATTLS, but am getting a server error on the BINARY FTP SUBCOMMAND.
Still looking in to that, but it is questionable if their FTPS server works
with PAGENT ATTLS.
Can't imagine why they would install a server incompatible with PAGENT though.

>>> TYPE I
SC3261 getReply: entered
SC4327 getNextReply: entered with waitForData = TRUE
Connection with dispby-117.boulder.ibm.com terminated
SC4445 SETCEC code = 10
CZ1434 ftpClose: entered
SC4067 inSession: entered
SC4145 setLoggedIn: entered
CT0282 binary: getReply failed.
PC1047 logClientErrMsg: entered
PC0945 setClientRC: entered
SC4019 getLastReply: entered
PC1015 setClientRC: std_rc=06000, rc_type=CEE, rc=1006
SRECTIV3 FTP failed - Cmd = 6(binary) Reply = n/a EX CEE RC = 1006
SC4019 getLastReply: entered
CX0389 main: RC=-0001 cmd_in_progress=06
CX0392 main: last_reply= err=10
PC0945 setClientRC: entered
SC4019 getLastReply: entered
Std Return Code = 06000, Error Code = 00010
CZ1354 ftpQuit: entered
CZ1434 ftpClose: entered

Their server also seems to require use of the CCC subcommand to clear the
command channel.
So if you are using SECURE_CTRLCONN PRIVATE instead of SECURE_CTRLCONN CLEAR,
it might cause a problem also. There is a client parameter setting ftpccc="no"
to make the server quit using CCC, but that seems to cause a problem also.

Use of KEYRING *AUTH*/* should be sufficient for the FTPS portion of the job.

The server web site also uses root certificate "GeoTrust Global CA" which has
its share of issues also. See:
http://security.stackexchange.com/questions/53231/google-certificates-correct-ca/53271#53271

Openssl s_client reports the server cert chain to be:

Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES CORPORATION/CN=deliverycb-bld.dhe.ibm.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

--
Donald J.
dona...@4email.net

On Thu, Mar 10, 2016, at 06:45 AM, Jousma, David wrote:
> I had to come up with some alternate FTP client parms to make it work.
> Possibly the one you are getting stuck on is this. Change FtpSecur to your
> keyring name. This member happens to live in our SYS1.TCPPARMS dataset, but
> the member can be anywhere, just gotta point to wherever it lives in your
> RECEIVE ORDER job.
> //CLIENT DD *
>    javahome="/opt/fitb/java/Jre" classpath="/usr/lpp/smp/classes">
>
>    -v -f "//'SYS1.TCPPARMS(FTPSECUR)'"
>
>
> /*
>
> EDIT SYS1.TCPPARMS(FTPSECUR) - 01.01 Columns 1 00080
> Command ===> Scroll ===> CSR
> 000642 ;CIPHERSUITE SSL_AES_256_SHA ; 35
> 000643
> 000644 KEYRING FtpSecur ; Name of the keyring for TLS
> 000645 ; It can be the name of an HFS
> 000646 ; file (name starts with /) or
> 000647
Re: XML: Optimized Schema Representation (OSR) file generation
/u/appl/xsd is simply a user folder for user xsd files.
xsdosrg binary is in /bin
The OUTFILE and INFILE were obviously not needed either. They were used for
additional STDIN input commands for co:z hybrid batch processing which I did
not list.

--
Donald J.
dona...@4email.net

>>...
>>cd /u/appl/xsd
>>xsdosrg -v -o IRS.osr IRS-EXT-ACA-AIR-7.0.xsd
>>
>Where does "/u/appl/xsd" come from? Is it bundled with COBOL? We don't
>have one. (It looks hauntingly like the z/OS convention for a user's HOME
>directory.) I'd more expect it in /usr/lpp/.
>
>Does this presume that "." is in your $PATH? That's considered unsafe
>practice, particularly if the "." appears first. (Only Windows is so reckless
>as to do that.)
>
>-- gil
Re: XML: Optimized Schema Representation (OSR) file generation
I used COZBATCH from Dovetail, but I assume BPXBATCH could be used.

//COZBTCH  EXEC PGM=COZBATCH,REGION=0M
//STEPLIB  DD DISP=SHR,DSN=UTIL.TCP.COZ.LOADLIB
//COZLOG   DD SYSOUT=*
//COZOUT   DD SYSOUT=*,DCB=(RECFM=VB,LRECL=255,BLKSIZE=1)
//STDOUT   DD SYSOUT=*,DCB=(RECFM=VB,LRECL=255,BLKSIZE=1)
//STDERR   DD SYSOUT=*,DCB=(RECFM=VB,LRECL=255,BLKSIZE=1)
//OUTFILE  DD DISP=OLD,DSN=USERID.TEST.VB
//INFILE   DD DISP=SHR,DSN=USERID.IRS.XSD
//STDIN    DD *
cd /u/appl/xsd
xsdosrg -v -o IRS.osr IRS-EXT-ACA-AIR-7.0.xsd

--
Donald J.
dona...@4email.net

On Fri, Jan 29, 2016, at 12:23 PM, Zierdt, Richard A (IS) wrote:
> IBM-Main is not the likely forum for this - and a more appropriate forum
> would be appreciated - but is there a z/OS batch utility that creates an XML
> "Optimized Schema Representation" (OSR) file from a text-based XML schema
> file?
Re: System check stopped state - what is it?
Is your IODF volume address correct?

Maybe try following these instructions to display the IPL Vector Table
control block, which is mapped by SYS1.MODGEN(IHAIVT):

Using the hardware Alter/Display facility, read the real address in central
storage at X'14'. This address points to the IPL diagnostic area.
Add X'28' to the address in X'14', and also read this as a real address in
central storage. The result is the 31-bit virtual address of the IPL vector
table (IVT).

--
Donald J.
dona...@4email.net

On Fri, Jan 22, 2016, at 06:35 AM, R.S. wrote:
> I tried to perform LOAD on some LPAR.
> I've got the following message:
>
> Logical partition LPAR01 is in the system check stopped state. Reason
> code = 0C.
>
> Where to find the meaning of the code?
>
>
> It is z13 machine.
>
> --
> Radoslaw Skorupka
> Lodz, Poland
Re: Where's Java!? (SMP/E needs to know.)
> Why? I'm interested why you would choose a symlink as opposed to a
> config which sets an environment variable

Installation of some java based programs causes various configuration files
for that application which are based on the java environment variables.
For example, when installing istrobe various .sh scripts such as
/CleanConfig.sh are built by the install process which also need java
environment variables defined.

It would be desirable for those scripts to be built containing statements
such as:

JAVA_HOME=/usr/lpp/java/sdk6

so that when a new java 6 is installed that script will still run ok.
Unfortunately with most installs, even though I use both a symlink and set an
environment variable during the install.sh process, the resultant script
generated will end up having something like this in the CleanConfig.sh script:

JAVA_HOME=/usr/lpp/java/IBM/J6.0.1_64

which is less desirable than the above.

--
Donald J.
dona...@4email.net

On Thu, Jan 21, 2016, at 05:06 AM, David Crayford wrote:
> > I also manage manually with generic symlinks. I do this for Apache
> > webserver as well.
>
> Why? I'm interested why you would choose a symlink as opposed to a
> config which sets an environment variable.
>
> > _
> > Dave Jousma
> > Assistant Vice President, Mainframe Engineering
> > david.jou...@53.com
> > 1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H
> > p 616.653.8429
> > f 616.653.2717
> >
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> > Behalf Of Paul Gilmartin
> > Sent: Wednesday, January 20, 2016 4:35 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Where's Java!? (SMP/E needs to know.)
> >
> > Dammit! The path to Java changes with any z/OS release and/or any Java
> > release. I need continually to add to my PATH variable to keep up. And
> > there's nothing an ISV can supply in JCL samples for SMP/E's SMPJHOME; the
> > example in the SMP/E Reference is woefully outdated.
> >
> > This makes as little sense as if programmers were required to code
> > "//SYSLIB DD DSN=SYS1.ZOSV2R2.MACLIB".
> >
> > I'm inclined to submit an RFE for either a utility to find Java or for
> > IBM's supplying a usable symbolic link to a preferred Java.
> > Retroactive; I can't wait for everyone to be on z/OS 2.3
> >
> > Any suggestions on form or rationale for such an RFE?
> >
> > Thanks,
> > gil
Re: Strange HMC issue
There is also the same option for the SE TCP menu item.

BMC is probably the Baseboard Management Controller. You could check the bios and see if there is an option to turn DHCP on/off on the BMC.

--
Donald J.
dona...@4email.net

On Mon, Nov 23, 2015, at 06:27 AM, Tony Thigpen wrote:
> Attached is a .txt file with the info.
>
> Tony Thigpen
>
> Donald J. wrote on 11/23/2015 08:04 AM:
> > Select the Network Diagnostics icon from both your HMC and SE and then click
> > on the menu bar TCP option to display all socket connections.
>
> Email had 1 attachment:
> + listens.txt
>   17k (text/plain)
Re: Strange HMC issue
Select the Network Diagnostics icon from both your HMC and SE and then click on the menu bar TCP option to display all socket connections.

--
Donald J.
dona...@4email.net

On Fri, Nov 20, 2015, at 09:00 PM, Tony Thigpen wrote:
> Background: HMC software version 2.11.1 connected to a z10.
>
> Thoughts on what is happening?
> Anybody else seeing the same thing?
>
> --
> Tony Thigpen
Re: OSMF server startup error
The return code 12 / 11060 is because your Java provider list includes
com.ibm.crypto.hdwrCCA.provider.IBMJCECCA

zOSMF uses Java SSL, not System SSL.
Java 7 SR3 is minimum requirement for zOSMF.

You probably need some Java overrides to eliminate attempt to use hardware crypto.

--
Donald J.
dona...@4email.net

On Wed, Sep 30, 2015, at 12:54 PM, Mark Pace wrote:
> Trying to start OSMF for the first time. It appeared that all the setup
> ran cleanly.
> file:/SYSTEM/etc/zosmf/servers/zosmfServer/server.xml, Hardware error from
> call CSNDDSV returnCode 12 reasonCode 11060.
Re: OSMF server startup error
For the Java override, you probably will need to contact IBM. I would guess you need to add a "PROVIDER=" override in the

> # /usr/lpp/java/J7.0_64/bin/java -version
> java version "1.7.0"
> Java(TM) SE Runtime Environment (build pmz6470-20110827_01)
> IBM J9 VM (build 2.6, JRE 1.7.0 z/OS s390x-64 20110810_88604 (JIT enabled,
> AOT enabled)
> J9VM - R26_Java726_GA_20110810_1208_B88592
> JIT - r11_20110810_20466
> GC - R26_Java726_GA_20110810_1208_B88592
> J9CL - 20110810_88604)
> JCL - 20110809_01 based on Oracle 7b147
>
> I can't tell which SR level I have from this. I'm Java ignorant, so I'll
> have to try to figure what these Java overrides you speak of.
>
> On Fri, Oct 2, 2015 at 9:50 AM, Donald J. <dona...@4email.net> wrote:
>
> > The return code 12 / 11060 is because your Java provider list includes
> > com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
> >
> > zOSMF uses Java SSL, not System SSL.
> > Java 7 SR3 is minimum requirement for zOSMF.
> >
> > You probably need some Java overrides to eliminate attempt
> > to use hardware crypto.
> >
> > --
> > Donald J.
> > dona...@4email.net
> >
> > On Wed, Sep 30, 2015, at 12:54 PM, Mark Pace wrote:
> > > Trying to start OSMF for the first time. It appeared that all the setup
> > > ran cleanly.
> > >
> > > file:/SYSTEM/etc/zosmf/servers/zosmfServer/server.xml, Hardware error from
> > > call CSNDDSV returnCode 12 reasonCode 11060.
>
> --
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
>
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
Re: OSMF server startup error
What does this command list:

RACDCERT ID(IZUSERV) LISTRING(IZUKeyring.IZUDFLT)

Add your LPAR Site certificate and its root certs to that ring.

Check Chapter 10:

z/OSMF creates digital certificates that are used for secure communications between the user's web browser and the z/OSMF server, and between instances of z/OSMF servers. The z/OSMF keyring name is generated during the configuration phase. The keyring name format is IZUKeyring.. By default, the keyring name is IZUKeyring.IZUDFLT. In most cases, the default z/OSMF keyring name should be sufficient for your installation.

--
Donald J.
dona...@4email.net

On Wed, Sep 30, 2015, at 01:06 PM, Mark Pace wrote:
> One last piece of information - this system runs as a guest of z/VM.
>
> On Wed, Sep 30, 2015 at 3:59 PM, Mark Pace <pacemainl...@gmail.com> wrote:
>
> > One other piece of information - the reasonCode
> > 2B34 (11060) The service could not be performed because the required
> > PCICC, PCIXCC, CEX2C, or CEX3C was not active, or did not have a master key
> > set.
> >
> > *User action*: If the service required a specific PCICC, PCIXCC, CEX2C,
> > or CEX3C, verify that the value specified is correct. Reissue the request
> > when the required PCICC, PCIXCC, CEX2C, or CEX3C is available, and has the
> > master key set.
> > No idea what any of this means.
> >
> > On Wed, Sep 30, 2015 at 3:54 PM, Mark Pace <pacemainl...@gmail.com> wrote:
> >
> >> Trying to start OSMF for the first time. It appeared that all the setup
> >> ran cleanly.
> >>
> >> The first task starts up.
> >> CWWKB0056I INITIALIZATION COMPLETE FOR ANGEL
> >>
> >> But the IZUSVR1 dies
> >>
> >> Launching zosmfServer
> >> (wlp-1.0.2.cl0220130714-1602/websphere-kernel_1.0.2) on IBM J9 VM, version
> >> pmz6470-20110827_01 (en_US)
> >> AUDIT ¨ CWWKE0001I: The server zosmfServer has been
> >> launched.
> >>
> >> AUDIT ¨ CWWKG0010I: The server zosmfServer is shutting down because of
> >> a previous initialization error.
> >> AUDIT ¨ CWWKE0036I: The server zosmfServer stopped after 2.443
> >> seconds.
> >> ERROR ¨ CWWKG0047E: An error occurred while attempting to verify a
> >> configuration document:
> >> file:/SYSTEM/etc/zosmf/servers/zosmfServer/server.xml, Hardware error from
> >> call CSNDDSV returnCode 12 reasonCode 11060.
> >>
> >> FATAL ¨ CWWKG0044E: Server shutdown because a configuration document
> >> does not contain a valid signature:
> >> file:/SYSTEM/etc/zosmf/servers/zosmfServer/server.xml
> >>
> >> The documentation basically says something did work, fix it. During the
> >> configuration I replied that I wanted a CA to be created. Has anyone seen
> >> this error and point in the right direction?
> >> I also don't get this Hardware error.
> >> CWWKG0044E: Server shutdown because a configuration document does not
> >> contain a valid signature: {0}. *Explanation* The designated
> >> configuration document does not contain a valid signature, or a portion of
> >> the document that is protected by the signature has been modified. This
> >> message is preceded by an error message that provides more information on
> >> the specific error in the document. *Action* Correct the error in the
> >> configuration document that was identified in the preceding error message.
> >> CWWKG0047E: An error occurred while attempting to verify a configuration
> >> document: {0}, {1}. *Explanation* An exception was thrown while
> >> attempting to verify that the designated configuration document contains a
> >> valid signature. *Action* Correct the error in the configuration
> >> document that is causing the exception to be thrown and then retry starting
> >> the server.
> >>
> >> --
> >> The postings on this site are my own and don’t necessarily represent
> >> Mainline’s positions or opinions
> >>
> >> Mark D Pace
> >> Senior Systems Engineer
> >> Mainline Information Systems
Re: Mainframe Network Protection
> Or am I naive in thinking that this is a for real and not a scam?

No. Marco has posted a number of RACF questions previously.

--
Donald J.
dona...@4email.net

On Wed, Jul 22, 2015, at 03:04 AM, Aled Hughes wrote:

Marco, I have to ask in John McEnroe's famous words - you cannot be serious. I admit no one has commented so far, but that is to be expected. Are you really that naive? Or am I naive in thinking that this is a for real and not a scam? Security Consultant should be a clue. Duh. Is it Friday, yet?

-----Original Message-----
From: Marco Antonio Ferreira marcoafsi...@gmail.com
To: IBM-MAIN IBM-MAIN@LISTSERV.UA.EDU
Sent: Mon, 20 Jul 2015 16:55
Subject: Mainframe Network Protection

Dear Friends,

I'm doing a survey to find out how you are doing to protect the attacks mainframe environment if they can help me. I appreciate it.

You protect your network TCPIP in attacks mainframe ? How do you do?

A) Firewall before the Mainframe or inside
B) Uses the SERVAUTH Class and defines all their access networks
C) Use other technique? Describe?
D) Use of TERMINAL class protection?
E) Uses Digital Certificate to access the TN3270 emulator or Citrix.

--
*Marco Ferreira*
*Security Consultant*
Re: AT-TLS config help
after the Trace 15, add something like this:

{
  SyslogFacility auth
}

--
Donald J.
dona...@4email.net

On Wed, Jun 10, 2015, at 12:16 PM, Scott Ford wrote:

Guys/Gals:

We have a Cobol CICS Sockets STC Server with a Java client. The Java client will send in requests and receive output from the Socket Server. We are on z/OS 1.13, below is my ‘pagent.ttls.conf’

TTLSRule PioneerServer
{
  LocalPortRange 5799
  JobName PIONEER
  Direction Inbound
  Priority 1
  TTLSGroupActionRef PionGrpAct
  TTLSEnvironmentActionRef PionEnvAct
  TTLSConnectionActionRef PionConn
}
TTLSGroupAction PionGrpAct
{
  TTLSEnabled On
  FIPS140 Off
  Trace 15 # Log Errors to syslogd * IP joblog
}
TTLSEnvironmentAction PionEnvAct
{
  HandShakeRole Client
  TTLSKeyRingParmsRef PionRing
}
TTLSKeyRingParms PionRing
{
  Keyring pionring
}
TTLSConnectionAction PionConn
{
  TTLSConnectionAdvancedParms
  {
    SSLv2 Off
    SSLv3 On
    TLSv1 On
  }
}

I have SYSLOGD configured ..but I am not seeing trace output .. Can someone offer some help.
Re: ATTLS
0090 EZD1285I TTLS Data CONNID: 0014 SEND CIPHER 1503020002020A

The 1503020002020A is an SSL alert packet with a fatal error: Unexpected message

You should run GSK traces to see why the packet is unexpected.

--
Donald J.
dona...@4email.net

On Fri, Jun 5, 2015, at 08:45 AM, Scott Ford wrote:

All:

I have setup a Server, Cobol - CICS-Sockets ( working no changes ) and a Java client. When we establish the connection we see this:

0090 BPXF024I (TCPIP) Jun 5 19:28:45 TTLS 50397225 : 20:28:45 TCPIP 361
0090 EZD1285I TTLS Data CONNID: 0014 SEND CIPHER 1503020002020A
0090 BPXF024I (TCPIP) Jun 5 19:28:45 TTLS 50397225 : 20:28:45 TCPIP 362
0090 EZD1284I TTLS Flow GRPID: 0001 ENVID: 0001 CONNID: 0014
0090 RC: 415 Call GSK_SECURE_SOCKET_INIT - 7EC65118
0090 BPXF024I (TCPIP) Jun 5 19:28:45 TTLS 50397225 : 20:28:45 TCPIP 363
0090 EZD1283I TTLS Event GRPID: 0001 ENVID: 0001 CONNID: 0014
0090 RC: 415 Initial Handshake 7ECCF118
0090 BPXF024I (TCPIP) Jun 5 19:28:45 TTLS 50397225 : 20:28:45 TCPIP 364
0090 EZD1286I TTLS Error GRPID: 0001 ENVID: 0001 CONNID: 0014
0090 LOCAL: 192.168.1.51..5799 REMOTE: 186.37.122.138..50443 JOBNAME:
0090 PIONEER USERID: PIONEER RULE: PioneerServer RC: 415 Initial
0090 Handshake 7ECCF118

The rc 415 says protocol invalid ..ok i am lost here ...I understand that the initial handshake is in the clear, then TCPIP talks to System SSL. This is a z/OS 1.13 system without the V3 ciphers. I need a suggestion.

We setup a simple Server..and client and can send 20 byte messages with the default cipher. We also have AES128 encryption inside our application. The above test program works without it. When we test the actual application , we see the above messages.

Regards,
Scott
Re: AT-TLS question , issue
Correction: This is the server supported cipher list

Set GSK_V3_CIPHER_SPECS_EXPANDED(214) - C02FC030009E009F009C009D002F0035000A

Client ciphers are in the client hello. 2nd packet in ATTLS trace below: (002F 0035 0005 etc)

RECV CIPHER 160301005F
RECV CIPHER 015B030155548ECF35553E488B83C575E3ED52CAA2E0C8DBB37AA97EEAC35115EAC90CB81
0002F00350005000A00320038 ...

--
Donald J.
dona...@4email.net

On Thu, May 14, 2015, at 04:56 AM, Donald J. wrote:

If you use trace level:

Trace 127

you will get debugging info on ciphers and other things.

Cipher list presented by client:
CONNID: DA17 RC:0 Set GSK_V3_CIPHER_SPECS_EXPANDED(214) - C02FC030009E009F009C009D002F0035000A

Cipher chosen by server:
CONNID: DA17 RC:0 Get GSK_CONNECT_SEC_TYPE(208) - TLSV1
CONNID: DA17 RC:0 Get GSK_CONNECT_CIPHER_SPEC(207) - 002F

--
Donald J.
dona...@4email.net

On Wed, May 13, 2015, at 03:20 PM, Scott Ford wrote:

All,

We are running z/OS 1.13 and I have AT-TLS configured with PAGENT and SYSLOGD. We are testing a Java client inbound to a COBOL STC running CICS Sockets (ezasoket). In our testing we are seeing a EZD1287I TTLS Error RC: 402 Initial Handshake. The server is showing a socket-read errno=54 - Econnreset. Does this imply the cipher is wrong ? The Java client is sending a self-signed certificate which we generated. We know it's ok locally in the same physical office with another server.

What I am not sure about is what ciphers, if this is the issue are supported on AT-TLS ..can someone be kind enough to help me out.

Regards,
Scott
Re: AT-TLS question , issue
If you use trace level:

Trace 127

you will get debugging info on ciphers and other things.

Cipher list presented by client:
CONNID: DA17 RC:0 Set GSK_V3_CIPHER_SPECS_EXPANDED(214) - C02FC030009E009F009C009D002F0035000A

Cipher chosen by server:
CONNID: DA17 RC:0 Get GSK_CONNECT_SEC_TYPE(208) - TLSV1
CONNID: DA17 RC:0 Get GSK_CONNECT_CIPHER_SPEC(207) - 002F

--
Donald J.
dona...@4email.net

On Wed, May 13, 2015, at 03:20 PM, Scott Ford wrote:

All,

We are running z/OS 1.13 and I have AT-TLS configured with PAGENT and SYSLOGD. We are testing a Java client inbound to a COBOL STC running CICS Sockets (ezasoket). In our testing we are seeing a EZD1287I TTLS Error RC: 402 Initial Handshake. The server is showing a socket-read errno=54 - Econnreset. Does this imply the cipher is wrong ? The Java client is sending a self-signed certificate which we generated. We know it's ok locally in the same physical office with another server.

What I am not sure about is what ciphers, if this is the issue are supported on AT-TLS ..can someone be kind enough to help me out.

Regards,
Scott
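The hex strings discussed in the two AT-TLS threads above (the alert record 1503020002020A, the 160301005F record header and the GSK_V3_CIPHER_SPECS_EXPANDED list) can be decoded mechanically. The Python below is an added example, not part of the original posts or of any IBM tool; the function names are hypothetical and the lookup tables hold only a subset of the IANA TLS registry values.

```python
# Added example: decode the hex fields that AT-TLS trace messages print.
# The tables are a subset of the IANA TLS registries; extend them as needed.

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}
CIPHER_SUITES = {
    "0005": "TLS_RSA_WITH_RC4_128_SHA",
    "000A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "0032": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "0038": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "009C": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "009D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "009E": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "009F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Substrings of suite names that mark algorithms to phase out.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "3DES", "MD5")


def parse_record(hex_text):
    """Decode a TLS record header and, if present, a plaintext alert body."""
    data = bytes.fromhex(hex_text.strip())
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype = data[0]
    version = int.from_bytes(data[1:3], "big")
    length = int.from_bytes(data[3:5], "big")
    body = data[5:]
    record = {
        "type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": VERSIONS.get(version, "unknown(0x%04X)" % version),
        "length": length,
    }
    # A plaintext alert is exactly two bytes: level, then description.
    # Alerts sent after the handshake are encrypted and longer, so decode
    # the body only when the declared length is 2 and both bytes are there.
    if ctype == 21 and length == 2 and len(body) == 2:
        record["alert"] = (
            ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0]),
            ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1]),
        )
    return record


def decode_cipher_specs(hex_text):
    """Split a 4-hex-digit cipher spec string into (code, name) pairs."""
    text = hex_text.strip().upper()
    if len(text) % 4:
        raise ValueError("expanded cipher specs are 4 hex digits each")
    specs = []
    for i in range(0, len(text), 4):
        code = text[i:i + 4]
        int(code, 16)  # raises ValueError on non-hex input
        specs.append((code, CIPHER_SUITES.get(code, "unknown")))
    return specs


def weak_specs(hex_text):
    """Return the codes in the list whose suite name contains a weak marker."""
    return [code for code, name in decode_cipher_specs(hex_text)
            if any(marker in name for marker in WEAK_MARKERS)]


if __name__ == "__main__":
    # Values quoted in the threads above.
    print(parse_record("1503020002020A"))
    print(parse_record("160301005F"))
    for code, name in decode_cipher_specs(
            "C02FC030009E009F009C009D002F0035000A"):
        print(code, name)
```
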
Re: Alter TRUST status on a certificate
You misspelled websphere. Try this with a capital S and no space. Label must exactly match.

racdcert CERTAUTH alter(label('WebSphereCA')) notrust

--
Donald J.
dona...@4email.net

On Wed, Apr 22, 2015, at 06:08 AM, nitz-...@gmx.net wrote:

All,

I am new to this certificate stuff. I have inherited this certificate in my RACF data base (apparently the only one that has a private key somewhere, no ICSF in use, and I have all RACF privileges):

Label: WebSphereCA
Certificate ID: 2QiJmZmDhZmjgeaFguKXiIWZhcPB
Status: TRUST
Start Date: 2009/11/12 07:00:00
End Date: 2019/01/01 06:59:59
Serial Number: 00
Issuer's Name: CN=WAS CertAuth for Security Domain.OU=BBNBASE
Subject's Name: CN=WAS CertAuth for Security Domain.OU=BBNBASE
Key Usage: CERTSIGN
Key Type: RSA
Key Size: 1024
Private Key: YES
Ring Associations: *** No rings associated ***

I want to change the trust status to NOTRUST, which I currently don't see a way (rlist digtcert tells me it has application data=irrcerta):

racdcert alter(label('Websphere CA')) notrust
- IRRD105I No certificate information was found for user myuserid.

racdcert alter(label('Websphere CA')) notrust id(irrcerta)
- IRRD102I The user ID specified is not defined to RACF (same for IBMUSER, which was the id it was installed under)

racdcert alter(label('Websphere CA')) notrust certauth
- IRRD107I No matching certificate was found for this user. (Is this irrcerta? If so, why isn't it found?)

racdcert alter(label('Websphere CA')) notrust site
- IRRD105I No certificate information was found for user irrsitec.

How do I address this certificate?

Barbara
DB2 Forum
Can someone recommend a good DB2 Forum? The one at IBM developerWorks is not very active. As example, 17 of the last 25 questions have gone with 0 replies. 6 of those with only 1 reply. I do see an IDUG DB2-L forum.

--
Donald J.
dona...@4email.net
Re: PKI Services for z/OS
LDAP would be required if you want to check for revoked certificates from PAGENT or CICS. LDAP could be somewhere besides z/os though.

--
Donald J.
dona...@4email.net

On Thu, Oct 30, 2014, at 12:18 PM, Dazzo, Matt wrote:

We are starting to look at certificate management, I was wondering how many folks were using PKI Services for z/OS?

1. How is the install of PKI and setup to do, I read that LDAP is required how is that to install?
Re: ldapchangepwd
-n   show what would be done but don't actually search

-n is not newpwd

ldapsearch -h mvs7 -D racfid=jojo123,profiletype=user,cn=MVS7SUFF -w oldpwd/newpwd -s base -b objectclass=*

This command should work from any platform. The ldapchangepwd is probably mainframe only.

--
Donald J.
dona...@4email.net

On Wed, Oct 22, 2014, at 04:23 AM, Tim Brown wrote:

This gets a 0 but the password is still the old one

sh /bin/ldapsearch -h 127.0.0.1 -p 389 -s base -w oldpwd -n oldpwd -D racfid=TESTUSER,profiletype=user,sysplex=sysplex1 (objectclass=*) ;

Tim

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Donald J.
Sent: Tuesday, 21 October, 2014 4:38 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ldapchangepwd

That would be your SUFFIX parameter value.

--
Donald J.
dona...@4email.net

On Tue, Oct 21, 2014, at 01:30 PM, Tim Brown wrote:

Thanks , where is RACFSY7 referred to in DSCONFIG?

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Donald J.
Sent: Tuesday, 21 October, 2014 4:12 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ldapchangepwd

This works for me:

ldapsearch -h mvs7 -D racfid=jojo123,profiletype=user,cn=RACFSY7 -w oldpwd/ oldpwd -s base -b objectclass=*

--
Donald J.
dona...@4email.net

On Tue, Oct 21, 2014, at 07:58 AM, Tim Brown wrote:

Attempting to use ldapchangepwd. Any idea what is causing error?

ldapchangepwd -D cn=TESTUSER,o=IBM,c=US -w ? -n ? -h 127.0.0.1 -p 389
Enter current password == old
Enter new password == new
ldap_sasl_bind: Credentials are not valid
ldap_sasl_bind: additional info: R004062 Credentials are not valid (ldbm_authenticate_user:252)

Thanks,
Tim Brown
Re: ldapchangepwd
You are not supplying valid bind credentials. Suggest you get any ldapsearch to work first using TESTUSER's bind credentials. Then the password can be changed with just the addition of /newpwd after the current password on the ldapsearch.

--
Donald J.
dona...@4email.net

On Wed, Oct 22, 2014, at 11:52 AM, Tim Brown wrote:

If I use

sh /bin/ldapsearch -h 127.0.0.1 -p 389 -s base -w oldpwd/newpwd -D racfid=TESTUSER,profiletype=user,sysplex=sysplex1 (objectclass=*) ;

I get

ldap_sasl_bind: Credentials are not valid
ldap_sasl_bind: additional info: R000104 The password is not correct or the user is not completely defined (missing password or uid) (srv_authenticate_native

Tim

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Donald J.
Sent: Wednesday, 22 October, 2014 7:58 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ldapchangepwd

-n   show what would be done but don't actually search

-n is not newpwd

ldapsearch -h mvs7 -D racfid=jojo123,profiletype=user,cn=MVS7SUFF -w oldpwd/newpwd -s base -b objectclass=*

This command should work from any platform. The ldapchangepwd is probably mainframe only.

--
Donald J.
dona...@4email.net

On Wed, Oct 22, 2014, at 04:23 AM, Tim Brown wrote:

This gets a 0 but the password is still the old one

sh /bin/ldapsearch -h 127.0.0.1 -p 389 -s base -w oldpwd -n oldpwd -D racfid=TESTUSER,profiletype=user,sysplex=sysplex1 (objectclass=*) ;

Tim

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Donald J.
Sent: Tuesday, 21 October, 2014 4:38 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ldapchangepwd

That would be your SUFFIX parameter value.

--
Donald J.
dona...@4email.net

On Tue, Oct 21, 2014, at 01:30 PM, Tim Brown wrote:

Thanks , where is RACFSY7 referred to in DSCONFIG?

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Donald J.
Sent: Tuesday, 21 October, 2014 4:12 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ldapchangepwd

This works for me:

ldapsearch -h mvs7 -D racfid=jojo123,profiletype=user,cn=RACFSY7 -w oldpwd/ oldpwd -s base -b objectclass=*

--
Donald J.
dona...@4email.net

On Tue, Oct 21, 2014, at 07:58 AM, Tim Brown wrote:

Attempting to use ldapchangepwd. Any idea what is causing error?

ldapchangepwd -D cn=TESTUSER,o=IBM,c=US -w ? -n ? -h 127.0.0.1 -p 389
Enter current password == old
Enter new password == new
ldap_sasl_bind: Credentials are not valid
ldap_sasl_bind: additional info: R004062 Credentials are not valid (ldbm_authenticate_user:252)

Thanks,
Tim Brown
Re: ldapchangepwd
This works for me:

ldapsearch -h mvs7 -D racfid=jojo123,profiletype=user,cn=RACFSY7 -w oldpwd/newpwd -s base -b objectclass=*

--
Donald J.
dona...@4email.net

On Tue, Oct 21, 2014, at 07:58 AM, Tim Brown wrote:

Attempting to use ldapchangepwd. Any idea what is causing error?

ldapchangepwd -D cn=TESTUSER,o=IBM,c=US -w ? -n ? -h 127.0.0.1 -p 389
Enter current password == old
Enter new password == new
ldap_sasl_bind: Credentials are not valid
ldap_sasl_bind: additional info: R004062 Credentials are not valid (ldbm_authenticate_user:252)

Thanks,
Tim Brown
Re: ldapchangepwd
That would be your SUFFIX parameter value.

--
Donald J.
dona...@4email.net

On Tue, Oct 21, 2014, at 01:30 PM, Tim Brown wrote:

Thanks , where is RACFSY7 referred to in DSCONFIG?

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Donald J.
Sent: Tuesday, 21 October, 2014 4:12 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ldapchangepwd

This works for me:

ldapsearch -h mvs7 -D racfid=jojo123,profiletype=user,cn=RACFSY7 -w oldpwd/newpwd -s base -b objectclass=*

--
Donald J.
dona...@4email.net

On Tue, Oct 21, 2014, at 07:58 AM, Tim Brown wrote:

Attempting to use ldapchangepwd. Any idea what is causing error?

ldapchangepwd -D cn=TESTUSER,o=IBM,c=US -w ? -n ? -h 127.0.0.1 -p 389
Enter current password == old
Enter new password == new
ldap_sasl_bind: Credentials are not valid
ldap_sasl_bind: additional info: R004062 Credentials are not valid (ldbm_authenticate_user:252)

Thanks,
Tim Brown
Re: java on Z maintenance level question
The first is SDK V6.0.0 and the second is SDK V6.0.1

Each has its own levels as described here:
http://www-03.ibm.com/systems/z/os/zos/tools/java/services/j6servsum31.html

--
Donald J.
dona...@4email.net

On Tue, Aug 26, 2014, at 12:05 PM, Pommier, Rex wrote:

Hi,

I have a question on java versioning and maintenance levels on z/OS. I have 2 different copies of Java 1.6.0 and am trying to decipher which is the more current. I've been under the assumption that the SRmFPn gave the maintenance level, and that the higher the numbers, the more current the fix pack. However I have the following 2 levels of Java and don't know which is newer:

# ./java -version
java version 1.6.0
Java(TM) SE Runtime Environment (build pmz3160_26sr5fp2-20130423_01(SR5 FP2))
IBM J9 VM (build 2.6, JRE 1.6.0 z/OS s390-31 20130419_145740 (JIT enabled, AOT enabled)

# ./java -version
java version 1.6.0
Java(TM) SE Runtime Environment (build pmz3160sr13fp2-20130424_01(SR13 FP2))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 z/OS s390-31 jvmmz3160sr13fp2-20130423_146146 (JIT enabled, AOT enabled)
Re: SMF records for SYSOUT file
> WAD. You can reduce the delay via a setting. If you're still having delay problems, check your JES3 performance.

What type of setting are you referring to? This problem only occurs at a few random times, and not on all files, so I would not think it is a direct result of one parameter setting value. It appears application level tracing would be required to diagnose the issue.
--
Donald J. dona...@4email.net

On Thu, Aug 21, 2014, at 02:39 AM, Elardus Engelbrecht wrote:
> Barry Merrill wrote:
> > There is no separate SMF record written when data is sent to the JES SPOOL.
> Indeed.
> > And Type 6 records are written by JES2 or by some SYSOUT processing packages; some packages that manage spooled output for viewing and/or printing write their own SMF User SMF records.
> True. VPS can do that too if you wish.
>
> Donald J. wrote:
> > A user is complaining about a 15 minute delay in her print process showing up in the JES3 queue and beginning to print on the VPS printer. The VPS print time matches the SMF 6 record time.
> WAD. You can reduce the delay via a setting. If you're still having delay problems, check your JES3 performance.
> Note: I'm familiar with VPS from LRS.
> Groete / Greetings
> Elardus Engelbrecht
Re: SMF records for SYSOUT file
The problem was that the file was not showing up yet in the JES3 queue. A display of the printer showed nothing queued, yet user said a transaction had been queued to the printer 10 minutes ago. 5 minutes later the file is queued to JES3 and VPS immediately printed it after 1 millisecond. Not a VPS issue.
--
Donald J. dona...@4email.net

> > What type of setting are you referring to?
> Some possible settings, YMMV:
> vps parameters listed
> All of the very best for you.
> Groete / Greetings
> Elardus Engelbrecht
SMF records for SYSOUT file
An SMF type 6 record is created at time a SYSOUT file is printed. Does anyone know if any SMF records are created for the process of writing to the SYSOUT file? Record type 15 is not written for data sets defined as SYSOUT data sets on DD statements.

A user is complaining about a 15 minute delay in her print process showing up in the JES3 queue and beginning to print on the VPS printer. The VPS print time matches the SMF 6 record time. JESYSMSG shows following type output with no timestamps on the messages:

IEF237I JES3 ALLOCATED TO SYSOUT
IEF285I CTTH441.SDB1.JOB07555.D032.? SYSOUT
--
Donald J. dona...@4email.net
Re: running ldapsearch via JVL
Try this:

//STEPNAME EXEC PGM=BPXBATCH
//STDOUT DD SYSOUT=*,LRECL=1024,RECFM=V
//STDERR DD SYSOUT=*,LRECL=1024,RECFM=V
//STDPARM DD *
sh /bin/ldapsearch -h mvs6 -p 3289 -D cn=yyy -w zzz -b O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB (objectclass=*) ;
//
--
Donald J. dona...@4email.net

On Wed, Aug 6, 2014, at 05:17 AM, Tim Brown wrote:
> Does anyone have an example of running ldapsearch via jcl
Re: running ldapsearch via JVL
Try typing the ldapsearch directly from an omvs command line. I usually use openldap on my pc for commands. An OMVS segment for your userid is probably a requirement.
--
Donald J. dona...@4email.net

On Wed, Aug 6, 2014, at 12:08 PM, Tim Brown wrote:
> Thanks, I ran this, it got rc=0 but there is no output?
>
> //LDAPSPRCH JOB 0,CLASS=A,PRTY=6,MSGLEVEL=(1,1),MSGCLASS=X,
> //STEP01 EXEC PGM=BPXBATCH
> //SYSOUT DD SYSOUT=*,LRECL=1024,RECFM=V
> //STDOUT DD SYSOUT=*,LRECL=1024,RECFM=V
> //STDERR DD SYSOUT=*,LRECL=1024,RECFM=V
> //STDPARM DD *
> sh /bin/ldapsearch -h 127.0.0.1 -p 389 -w -b racfid=IBMUSER,profiletype=user,sysplex=sysplex1 (objectclass=*) ;
>
> Tim
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Donald J.
> Sent: Wednesday, 06 August, 2014 10:53 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: running ldapsearch via JVL
>
> Try this:
>
> //STEPNAME EXEC PGM=BPXBATCH
> //STDOUT DD SYSOUT=*,LRECL=1024,RECFM=V
> //STDERR DD SYSOUT=*,LRECL=1024,RECFM=V
> //STDPARM DD *
> sh /bin/ldapsearch -h mvs6 -p 3289 -D cn=yyy -w zzz -b O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB (objectclass=*) ;
> //
> --
> Donald J. dona...@4email.net
>
> On Wed, Aug 6, 2014, at 05:17 AM, Tim Brown wrote:
> > Does anyone have an example of running ldapsearch via jcl
DR site CHPID TYPE=FC Console Question
Our z196 3174 consoles are defined on a TYPE=CNC escon chpid. We will be using a zEC12 at a DR site for testing. Can the console virtual devices on our IODF TYPE=CNC chpid be attached to DR site VM devices on a real TYPE=FC chpid? Will our chpid/devices vary online ok?
--
Donald J. dona...@4email.net
Re: Policy Agent, AT-TLS, and Ciphersuites
Do you have Security Level 3 FMID (JCPT3D1) installed?
--
Donald J. dona...@4email.net

On Thu, Jun 5, 2014, at 07:53 AM, Frank Chu wrote:
> Hello, I am trying to work out how to get the zOS 1.13 FTP client to connect to a FTP server (a FileZilla Server on Windows) via FTPS. I am having trouble getting Policy Agent setup to use the correct cipher suites.
z/OS Performance Analyst Job Posting
Job Opportunities
Create application here: http://agency.governmentjobs.com/cpatx/default.cfm

Job #: 2W11.14
Job Title: zEnterprise Performance Analyst (REOPENED)
State Classification Title: Systems Analyst V
Salary: $64,200.00 - $82,200.00 Annually
Location: Austin, TX (LBJ)
Department: Innovation Technology

Performs advanced (senior-level) computer systems analysis work. Performs advanced and complex mainframe computer systems analysis with emphasis on mainframe performance and tuning. Work involves the analysis of mainframe performance issues with emphasis on DB2 performance. Will work with system analysts, application programmers, database administrators and vendors to resolve technical performance issues discovered and problems as they arise. Works under minimal direction with considerable latitude for the use of initiative and independent judgment.

Essential Job Functions and Responsibilities:
• Manages mainframe performance tuning by administering performance software products, monitors mainframe performance for availability and utilization. Provides technical support for users and mainframe software developers for performance-related issues; researches performance-related problems, either technical or performance related, and provides solutions. Provides utilization and performance reports to management.
• Monitors resource utilization and makes recommendations for enhancements to performance (ex: CPU, Processing window, DASD and tape allocations).
• Manages work activities for short and long range mainframe performance assignments, communicating with management and other team members in a timely and effective manner.
• Performs mainframe disaster recovery activities for section including but not limited to, participating in disaster recovery hot site exercises and schedules and updating documentation.
• Plans, installs, maintains, upgrades and administers IBM mainframe performance related software products and provides documentation for all software changes.
• Performs other related duties as assigned.

Minimum Qualifications Requirements:

Education:
• Graduation from an accredited four-year college or university with a bachelor’s degree.
• Complete copies of college transcripts must be furnished to the divisional hiring representative at the time of the interview for positions requiring a college degree, and/or specific educational credits.

Preferred Education: Graduation from an accredited four-year college or university with a bachelor’s degree in Computer Science, Management Information Systems or related field.

Experience: Within the last 10 years
• Six (6) years’ experience in analyzing mainframe performance issues
• Two (2) years’ experience in analyzing mainframe DB2 performance issues.

Preferred Experience:
• BMC’s Apptune
• Compuware’s STROBE
• SAS
• MXG
• HTML
• Control/M
• Buffer Pool tuning
• Experience with IBM utility programs and products including: SMF/RMF, IDCAMS, CLISTS/REXX, SORT, TSO, JCL, WLM and TMON
• Teaching technical issues to developers
• IBM mainframe software installation techniques and methodologies.

Substitution: One (1) additional year of experience in analyzing mainframe performance issues work may substitute for thirty semester hours of educational requirement with a maximum substitution of 120 semester hours (four years).

Knowledge, Skills, and Abilities:
Knowledge of:
• IBM mainframe (System z) performance analysis and administration
• z/OS DB2
• IBM utility programs and products including SMF/RMF, IDCAMS, CLISTS/REXX, SORT, TSO, JCL, WLM and TMON
• BMC Apptune
• Compuware’s STROBE
• SAS
• MXG
• HTML
• Control/M
• Teaching technical issues to developers
• IBM mainframe software installation techniques and methodologies
Re: SSH connectivity with OMVS
Your document has instructions for starting SSHD, but I didn't see any for stopping SSHD. I use the following to start/stop SSHD:

S SSHD
S SSHD,STOP=TRUE

//SSHD PROC STOP='FALSE'
//*
// STOP THE SSHD TASK ( SFTP-SERVER FUNCTION )
// IF STOP THEN
//*
//SSHX EXEC PGM=BPXBATCH,REGION=0M,TIME=NOLIMIT,
// PARM='SH /u/local/sbin/killsshd.sh'
//STDERR DD SYSOUT=*
//*
//*
// START THE SSHD TASK ( SFTP-SERVER FUNCTION )
// ELSE
//*
//SSHD EXEC PGM=BPXBATCH,REGION=0M,TIME=NOLIMIT,
// PARM='PGM /bin/sh -c /u/local/sbin/sshd.sh'
//STDERR DD SYSOUT=*
//*
// ENDIF
--
Donald J. dona...@4email.net

> We would appreciate any comments or feedback on this material, which we will use to improve it for the community. Either send emails to i...@dovetail.com or use our community forum at http://dovetail.com/form
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com
Re: z/OS FTPS Client Linux FTP server
You need ApplicationControlled On as well as SecondaryMap On. Issue this command to see your resultant config:

pasearch -p TCPIP tcpip.pagent.dat
--
Donald J. dona...@4email.net

> TTLSEnvironmentAdvancedParms { SecondaryMap On
Re: z/OS FTPS Client Linux FTP server
A GSK trace is most likely needed. Did you ever resolve the intermediate certificate issue I mentioned on my May 8 message?

Your ftp.s390.mainline.com server certificate is issued by the GoDaddy intermediate cert:
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287

The GoDaddy intermediate cert above is issued by the root cert:
Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority

It appears you do not have the intermediate cert in the keyring at either end. If you have 100 clients and 1 server, it would be easier to put in the one server keystore. But you can probably put it in your z/OS client keystore instead. If you can't find it, you can download it from the 3rd cert (gd_intermediate.crt) on this page: https://certs.godaddy.com/anonymous/repository.pki
--
Donald J. dona...@4email.net

> FC2903 authServerAttls: ioctl() failed on SIOCTTLSCTL - EDC8121I Connection reset. (errno2=0x77B17343)
> EZA2897I Authentication negotiation failed
> EZA1534I *** Control connection with 10.6.0.10 dies.
> If I read this right the 7343 part of the errno2 says that it expected a secure response, but it was sent clear text. I've tried SECUREIMPLICITZOS both TRUE and FALSE - with true I don't see the 220- messages, but still get the same error.
Re: z/OS FTPS Client Linux FTP server
Kevin is right about the complete chain. I issued this openssl command:

openssl s_client -connect ftp.s390.mainline.com:21 -starttls ftp -tls1 -CAfile gd-class2-root.crt

and got error:

Verify return code: 21 (unable to verify the first certificate)

I created a cacerts file with both the intermediate and root cert:

copy gd_intermediate.crt+gd-class2-root.crt daddy.cacerts.crt

Then I got code 0 with:

openssl s_client -connect ftp.s390.mainline.com:21 -starttls ftp -tls1 -CAfile daddy.cacerts.crt

So your rsa_cert_file=/etc/vsftpd/mainline-wc-2011.crt file probably does not have the chain of 3 certs in it:
They should be stacked in the file as follows:

-----BEGIN CERTIFICATE-----
mainline server cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
gd_intermediate.crt cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
gd-class2-root.crt cert
-----END CERTIFICATE-----

Filezilla is not a good program to test with, as it appears to not do server cert authentication. It is better to use curl for windows or curl for z/OS.
--
Donald J. dona...@4email.net

On Wed, May 7, 2014, at 03:38 PM, Neubert, Kevin wrote:
> Is the chain complete? Check trust and Issuer's/Subject's Names.
> RACDCERT LIST(LABEL('Go Daddy Class 2')) CERTAUTH.
> Do you have all the names? SEARCH CLASS(DIGTCERT).
> Regards, Kevin
>
> > Ring: FtpSecur
> > Certificate Label Name   Cert Owner   USAGE      DEFAULT
> > ----------------------   ----------   --------   -------
> > GeoTrust Global CA       CERTAUTH     CERTAUTH   NO
> > Go Daddy Class 2         CERTAUTH     CERTAUTH   YES
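The stacking order described in the message above, as an added example that is not part of the thread: a shell function that reports whether a PEM file such as the one named in rsa_cert_file holds the server cert followed by its issuer(s), by comparing OpenSSL issuer and subject name hashes. The function names, the throwaway test chain built by `make_demo_chain` and the host name `ftp.example.test` are constructed for illustration; only name linkage is checked, not signatures.

```shell
#!/bin/sh
# Added example: checks the stacking order of a PEM bundle (server cert first,
# then its issuer, then optionally the root) by comparing OpenSSL name hashes.
# Only issuer/subject linkage is checked; signatures are not verified.

# Print the subject or issuer name hash of the first certificate in a file.
hash_of() {  # hash_of subject|issuer <file>
    openssl x509 -in "$2" -noout "-${1}_hash" 2>/dev/null || true
}

# Print one of: complete, missing-issuer, out-of-order, empty.
chain_status() {
    work=$(mktemp -d) || return 3
    # Split the bundle into one file per certificate, in file order.
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ { n++ }
                      n { print > (d "/c" n ".pem") }' "$1"
    count=$(find "$work" -name 'c*.pem' | wc -l | tr -d ' ')
    status=complete
    if [ "$count" -eq 0 ]; then
        status=empty
    elif [ "$count" -eq 1 ]; then
        # A lone certificate is a whole chain only if it is self-signed.
        # A lone CA-issued server cert is the failure discussed in the thread.
        if [ "$(hash_of subject "$work/c1.pem")" != "$(hash_of issuer "$work/c1.pem")" ]; then
            status=missing-issuer
        fi
    else
        i=1
        while [ "$i" -lt "$count" ]; do
            next=$((i + 1))
            iss=$(hash_of issuer "$work/c$i.pem")
            sub=$(hash_of subject "$work/c$next.pem")
            # Each certificate must be issued by the one stacked after it.
            if [ -z "$iss" ] || [ "$iss" != "$sub" ]; then
                status=out-of-order
                break
            fi
            i=$next
        done
    fi
    rm -rf "$work"
    echo "$status"
    [ "$status" = complete ]
}

# Issue a constructed certificate signed by an existing constructed CA.
issue() {  # issue <dir> <name> <CN> <signer> <serial>
    openssl req -new -newkey rsa:2048 -nodes -config "$1/min.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
        -set_serial "$5" -days 2 -out "$1/$2.crt" 2>/dev/null
}

# Build a throwaway root -> intermediate -> leaf chain (constructed test data).
make_demo_chain() {  # make_demo_chain <dir>
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$1/min.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$1/min.cnf" \
        -subj "/CN=Constructed Root CA" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null &&
    issue "$1" int "Constructed Intermediate CA" root 2 &&
    issue "$1" leaf "ftp.example.test" int 3
}

# Stand-alone use: sh chaincheck.sh bundle.pem
if [ "$#" -gt 0 ]; then chain_status "$1"; fi
```

A status of `complete` says the file is stacked in order; whether the client trusts the chain still depends on the root being in its keyring or CA file.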
Re: z/OS FTPS Client Linux FTP server
The root cert is all that should be needed on the z/OS side, if linux side is set up correctly. But as mentioned in my last email, it doesn't look like the linux side cert file is complete. Your server cert is issued by a GoDaddy intermediate cert, which is issued by a GoDaddy root cert. I would guess your linux file only has the server cert in it, and it needs the intermediate cert in it as well, and optionally the root cert.
--
Donald J. dona...@4email.net

On Thu, May 8, 2014, at 07:31 AM, Mark Pace wrote:
> I assume it's complete - I don't see an obvious error.
Re: z/OS FTPS Client Linux FTP server
Make sure client and server have a common cipher. SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly used than SSL_RC4_SHA. Make sure the linux root certificate is in your z/OS client keyring.
--
Donald J.
Re: z/OS FTPS Client Linux FTP server
racdcert id(userid) listring(ring.name)
racdcert id(userid) connect(ring(ring.name) LABEL('GoDaddy Root Label') CERTAUTH usage(CERTAUTH) )
--
Donald J.

On Wed, May 7, 2014, at 06:34 AM, Mark Pace wrote:
> The cipher was one of my early problems. But I figured that one out.
> vsftpd - ssl_ciphers=RC4-SHA
> z/OS - CIPHERSUITE SSL_RC4_SHA
> I'm certain that this Keyring is (part of) my problem. Stumbling through RACF I have found that the GoDaddy Root CA is already defined in z/OS, but still trying to determine if it is part of a keyring.
>
> On Wed, May 7, 2014 at 8:57 AM, Donald J. dona...@4email.net wrote:
> > Make sure client and server have a common cipher. SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly used than SSL_RC4_SHA. Make sure the linux root certificate is in your z/OS client keyring.
> > --
> > Donald J.
>
> --
> The postings on this site are my own and don’t necessarily represent Mainline’s positions or opinions
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
Re: z/OS FTPS Client Linux FTP server
SC24-5901
410 SSL message format is incorrect.
Explanation: An incorrectly formatted SSL message is received from the communication partner.
User response: Collect a System SSL trace containing a dump of the SSL message and then contact your service representative

You usually have to run a GSK trace to track down these problems. Are you using AT-TLS environment for the FTPS client?
--
Donald J. dona...@4email.net

On Wed, May 7, 2014, at 07:38 AM, Mark Pace wrote:
> Trying to turn on some DEBUG information
> DEBUG FLO
> FC1003 authServer: secure_socket_init failed with rc = 410 (SSL message format is incorrect)
> So now to try to figure out where to find this error message.
>
> On Wed, May 7, 2014 at 10:19 AM, Mark Pace pacemainl...@gmail.com wrote:
> > I remember setting up something very similar to connect to IBM. So I added the GoDaddy cert to the same keyring.
> >
> > sr cla(digtring)
> > IBMUSER.smpemaint
> > *IBMUSER.FtpSecur *
> > IBMUSER.IBMRing
> > IBMUSER.SecureFTPKeyRing
> > IBMUSER.SMPEMAINT
> > TN3270.TNRING
> > ***
> > racdcert id(ibmuser) listring(*FtpSecur*)
> > Digital ring information for user IBMUSER:
> > Ring: FtpSecur
> > Certificate Label Name   Cert Owner   USAGE      DEFAULT
> > ----------------------   ----------   --------   -------
> > GeoTrust Global CA       CERTAUTH     CERTAUTH   NO
> > *Go Daddy Class 2        CERTAUTH     CERTAUTH   YES*
> >
> > So I added to my ftp.data
> > KEYRING IBMUSER/FtpSecur
> > But that still isn't the final answer
> > EZA2897I Authentication negotiation failed
> > EZA2898I Unable to successfully negotiate required authentication
> > EZA1735I Std Return Code = 1, Error Code = 00017
> >
> > On Wed, May 7, 2014 at 9:44 AM, Chase, John jch...@ussco.com wrote:
> > > If you're authorized to issue RACF commands, try SR CLA(DIGTRING) to list defined key rings (format is userid.ringname), then RACDCERT ID(userid) LISTRING(ringname or *) to see the ring(s) contents. Also ensure that the root cert you're interested in has TRUST status (default is NOTRUST).
> > > -jc-
> > >
> > > -Original Message-
> > > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > Sent: Wednesday, May 07, 2014 8:34 AM
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > Subject: Re: z/OS FTPS Client Linux FTP server
> > >
> > > The cipher was one of my early problems. But I figured that one out.
> > > vsftpd - ssl_ciphers=RC4-SHA
> > > z/OS - CIPHERSUITE SSL_RC4_SHA
> > > I'm certain that this Keyring is (part of) my problem. Stumbling through RACF I have found that the GoDaddy Root CA is already defined in z/OS, but still trying to determine if it is part of a keyring.
> > >
> > > On Wed, May 7, 2014 at 8:57 AM, Donald J. dona...@4email.net wrote:
> > > > Make sure client and server have a common cipher. SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly used than SSL_RC4_SHA. Make sure the linux root certificate is in your z/OS client keyring.
> > > > --
> > > > Donald J.
Re: z/OS FTPS Client Linux FTP server
If you aren't using any client certs, it is easier to just use a RACF virtual keyring for CERTAUTH server authentication:

KEYRING *AUTH*/*
--
Donald J. dona...@4email.net

On Wed, May 7, 2014, at 07:38 AM, Mark Pace wrote:
> Trying to turn on some DEBUG information
> DEBUG FLO
> FC1003 authServer: secure_socket_init failed with rc = 410 (SSL message format is incorrect)
> So now to try to figure out where to find this error message.
>
> On Wed, May 7, 2014 at 10:19 AM, Mark Pace pacemainl...@gmail.com wrote:
> > I remember setting up something very similar to connect to IBM. So I added the GoDaddy cert to the same keyring.
> >
> > sr cla(digtring)
> > IBMUSER.smpemaint
> > *IBMUSER.FtpSecur *
> > IBMUSER.IBMRing
> > IBMUSER.SecureFTPKeyRing
> > IBMUSER.SMPEMAINT
> > TN3270.TNRING
> > ***
> > racdcert id(ibmuser) listring(*FtpSecur*)
> > Digital ring information for user IBMUSER:
> > Ring: FtpSecur
> > Certificate Label Name   Cert Owner   USAGE      DEFAULT
> > ----------------------   ----------   --------   -------
> > GeoTrust Global CA       CERTAUTH     CERTAUTH   NO
> > *Go Daddy Class 2        CERTAUTH     CERTAUTH   YES*
> >
> > So I added to my ftp.data
> > KEYRING IBMUSER/FtpSecur
> > But that still isn't the final answer
> > EZA2897I Authentication negotiation failed
> > EZA2898I Unable to successfully negotiate required authentication
> > EZA1735I Std Return Code = 1, Error Code = 00017
Re: z/OS FTPS Client Linux FTP server
The DEFAULT YES would be used for a client certificate, not for a CERTAUTH entry.
--
Donald J.

> Digital ring information for user IBMUSER:
> Ring: FtpSecur
> Certificate Label Name   Cert Owner   USAGE      DEFAULT
> ----------------------   ----------   --------   -------
> GeoTrust Global CA       CERTAUTH     CERTAUTH   NO
> *Go Daddy Class 2        CERTAUTH     CERTAUTH   YES*
Re: z/OS FTPS Client Linux FTP server
You did do a:

SETROPTS RACLIST(DIGTCERT) REFRESH

after last changing the keyring? What does the LISTRING show now? Does the userid submitting the batch job have any ICH408I errors in the log?
--
Donald J.
Re: z/OS FTPS Client Linux FTP server
You need to change that to DEFAULT NO.
--
Donald J. dona...@4email.net

On Wed, May 7, 2014, at 01:01 PM, Mark Pace wrote:
> Yes, I did the digtcert refresh
>
> Digital ring information for user IBMUSER:
> Ring: FtpSecur
> Certificate Label Name   Cert Owner   USAGE      DEFAULT
> ----------------------   ----------   --------   -------
> GeoTrust Global CA       CERTAUTH     CERTAUTH   NO
> Go Daddy Class 2         CERTAUTH     CERTAUTH   YES
> ***
>
> No ICH408I errors.
>
> On Wed, May 7, 2014 at 3:27 PM, Donald J. dona...@4email.net wrote:
> > You did do a: SETROPTS RACLIST(DIGTCERT) REFRESH after last changing the keyring? What does the LISTRING show now? Does the userid submitting the batch job have any ICH408I errors in the log?
> > --
> > Donald J.
Re: z/OS PKI Services HostIDMapping format
APAR PI17244 was created yesterday for the problem with FTP server processing of hostIdMapping certificates (when not using AT-TLS). FTP server (z/OS 1.13) works fine when using AT-TLS. CICS Web Services works fine with hostIdMapping certificates. RDz works ok with hostIdMapping certificates if the mapping is the 1st entry in the set of hostIdMappings. A problem ticket is currently open on that issue.

On Fri, Mar 14, 2014, at 06:30 AM, Phil Sidler wrote:
> On Wed, 12 Mar 2014 10:55:35 -0700, Donald J. wrote:
> > It works when the certificate is associated to a userid.
> All I can think of then is that RACF isn't finding the matching hostname in a hostIdMapping. There doesn't seem to be doc on the specifics of this: upper/lower case, fully qualified or not, CNAMES or only ANAMES, etc. But you got this working with CICS, so presumably you've got it covered. Has IBM asked you for a RACF callable services trace?
Re: z/OS PKI Services HostIDMapping format
I have a ticket open with the RDz client issues. IBM hasn't provided a resolution yet. They have been questioning the validity of my certificates, but now that they work on CICS Web Services that issue should not be questioned.

> All I can think of then is that RACF isn't finding the matching hostname in a hostIdMapping. There doesn't seem to be doc on the specifics of this: upper/lower case, fully qualified or not, CNAMES or only ANAMES, etc. But you got this working with CICS, so presumably you've got it covered. Has IBM asked you for a RACF callable services trace?

I still haven't gotten FTP server to work with HostIDMapping. I have another issue with certificates and FTP Server that I opened a ticket with IBM on, so I tacked on a 2nd issue of HostIdMapping not working to see what they say. My FTP tests are with a test server (different RACF system than production CICS web services), so there is a possibility of some RACF items missing. But I will try to test this weekend with the FTP server on the same RACF system as the CICS web services.

FU0972 tlsLevel: entered
GU4236 checkSpec: entered with 2F (0,3)
FU1026 tlsLevel: using TLSV1 with SSL_AES_128_SHA (2F)
FR1318 getUserid: entered
FU1092 find_cert: entered for 19 elements
FR1401 getUserid: cert query failed- safrc=8, rc=8, rsn=40

> But did you complete the other setup steps to enable the use of HostIDMapping? See, for example, item 2 at http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichzd1c0/2.12.4?SHELF=all13be9.bksDT=20110608113637 or http://preview.tinyurl.com/n63tfyf for details on the required SERVAUTH authority that CICS would need to make use of a HostIDMapping extension. (HostIDMapping, just like basic usage of Certificate Name Filtering, should be transparent to the application once all setup steps are completed.)
> --
> Walt
Re: z/OS PKI Services HostIDMapping format
CLASS NAME - SERVAUTH IRR.HOST.MVS3.domain.removed

USER      ACCESS  ACCESS COUNT
RDZRSED   READ    00
FTPSERV2  READ    00

> > But I could not get HostIDMapping to work with FTP Server. You would think the RACF interface would be the same for all applications.
>
> RACF provides many interfaces, and the application chooses which one to use. Then the results may vary depending on other setup factors. In this case, even if the FTP server is using interfaces that support HostIDMapping, the server would need access to the appropriate SERVAUTH profile as I mentioned previously. Have you listed that profile to make sure the server user ID has access?
>
> -- Walt
Re: z/OS PKI Services HostIDMapping format
With a couple of tips from Phil's vbscript I was able to get the HostIDMappings to work. I was leaving the implicit tags off the IA5 strings. As Phil indicated, it does work with CICS Web Services even though no mention of that anywhere. But I could not get HostIDMapping to work with FTP Server. You would think the RACF interface would be the same for all applications. The GSK trace doesn't provide sufficient detail to see why. I will try running a RACF trace.

With RDz client, there is never any session request sent to the server, so the server setup is not an issue yet. I did do an openssl s_client connection to RDz RSED and it is obvious the host end is not going to do mutual authentication, as it is not requesting a client certificate. Anyone know any parameters for a z/OS java app to turn on mutual authentication? Maybe something like -Dcom.ibm.ssl.clientAuthentication=true? I have a ticket open with IBM, but no response in almost a week.

-- Donald J. dona...@4email.net

On Tue, Mar 11, 2014, at 02:04 PM, Walt Farrell wrote:
> On Tue, 11 Mar 2014 05:54:24 -0700, Donald J. dona...@4email.net wrote:
> > I am currently using openssl to create certificates for use with CICS Web Services that work fine. I haven't read anywhere that CICS Web Services supports authentication using HostIDMapping. I associate the certificate with a userid using command:
> >
> > RACDCERT ID(USERID1) ADD('USERID1.CERT1.PEM') WITHLABEL('USERID1test') ICSF(*) TRUST
> >
> > If I try to use a certificate with a HostIDMapping extension and no certificate associated with the userid I get error message:
> >
> > CWXN A client certificate that maps to a valid userid is required.
>
> But did you complete the other setup steps to enable the use of HostIDMapping? See, for example, item 2 at http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichzd1c0/2.12.4?SHELF=all13be9.bksDT=20110608113637 or http://preview.tinyurl.com/n63tfyf for details on the required SERVAUTH authority that CICS would need to make use of a HostIDMapping extension. (HostIDMapping, just like basic usage of Certificate Name Filtering, should be transparent to the application once all setup steps are completed.)
>
> -- Walt
Re: z/OS PKI Services HostIDMapping format
SECURE_LOGIN     REQUIRED
SECURE_PASSWORD  OPTIONAL
SECURE_CTRLCONN  PRIVATE
SECURE_DATACONN  PRIVATE
SECURE_FTP       REQUIRED

It works when the certificate is associated to a userid.

-- Donald J. dona...@4email.net

On Wed, Mar 12, 2014, at 10:53 AM, Phil Sidler wrote:
> On Wed, 12 Mar 2014 10:18:04 -0700, Donald J. dona...@4email.net wrote:
> > even though no mention of that anywhere. But I could not get HostIDMapping to work with FTP Server. You would think the RACF interface would be the same for all applications.
>
> What setting do you have for SECURE_LOGIN on the ftp server?
Re: z/OS PKI Services HostIDMapping format
I am currently using openssl to create certificates for use with CICS Web Services that work fine. I haven't read anywhere that CICS Web Services supports authentication using HostIDMapping. I associate the certificate with a userid using command:

RACDCERT ID(USERID1) ADD('USERID1.CERT1.PEM') WITHLABEL('USERID1test') ICSF(*) TRUST

If I try to use a certificate with a HostIDMapping extension and no certificate associated with the userid I get error message:

CWXN A client certificate that maps to a valid userid is required.

Did you also associate your certificate with your userid? If so, then the HostIDMapping extension was not needed or used.

On Mon, Mar 10, 2014, at 02:38 PM, Phil Sidler wrote:
> On Mon, 10 Mar 2014 13:49:38 -0700, Donald J. dona...@4email.net wrote:
> > Yes, the script helps to identify some things. What application was it working with?
>
> IIRC, this was in combination with windows certreq to build send a cert request to a windows active directory server to be signed and then the signed cert was used for CICS web services over SSL (from a windows client or IE).
Re: z/OS PKI Services HostIDMapping format
I now have an openssl config which produces the same hex code as your vbscript for lengths less than 128. For length above 128 openssl produces a different length code for the SET (x'31') which is x'318184'. Your script produces x'31820184'. I will do some testing with CICS Web Services and FTP server.

Ensure the CA that signed the openssl certificate is on CICS's keyring and set for HIGHTRUST. Looks like you have to set up a profile in the SERVAUTH class as well. And of course, the hostName in the hostIdMapping has to match.

I don't think this problem is on the host end as the RDz client will never attempt a session. (Wireshark trace is empty) it doesn't like the format of the certificate. My openssl config segment for HostIdMappings looks something like this:

1.3.18.0.2.18.1 = ASN1:SET:user_set
#
[user_set]
HostIdMappings1.1 = SEQUENCE:HostIdMapping1
HostIdMappings1.2 = SEQUENCE:HostIdMapping2
#
[HostIdMapping1]
hostName1 = IMPLICIT:1,IA5STRING:MVS3.DOMAIN.NAME
subjectId1= IMPLICIT:2,IA5STRING:USER448
#
[HostIdMapping2]
hostName2 = IMPLICIT:1,IA5STRING:MVS2.DOMAIN.NAME
subjectId2= IMPLICIT:2,IA5STRING:USER448
z/OS PKI Services HostIDMapping format
Could someone who is using z/OS PKI Services for z/OS post a sample certificate containing an arbitrary extension for HostIdMapping, or an openssl asn1parse display like below? I am trying to use openssl to generate the HostIdMapping extension, but am having problems with the format. Below is the openssl display for my certificate HostIdMapping {1.3.18.0.2.18.1} extension:

openssl asn1parse -in luhe448.pem
691:d=4 hl=3 l= 132 cons: SEQUENCE
694:d=5 hl=2 l= 6 prim: OBJECT:1.3.18.0.2.18.1
702:d=5 hl=2 l= 122 prim: OCTET STRING [HEX DUMP]:30780C1C4C554845343438404D5653332E4350412E53544154452E54582E55530C1C4C554845343438406D7673332E6370612E73746174652E74782E75730C1C6C756865343438404D5653332E4350412E53544154452E54582E55530C1C6C756865343438406D7673332E6370612E73746174652E74782E7573

-- Donald J. dona...@4email.net
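The extension bytes from the asn1parse dump in this post, and the SET/SEQUENCE layout and length codes from the reply that posts the openssl config, decoded and rebuilt in Python. This is an added example, not code from any poster or from IBM; the layout it checks (a SET of SEQUENCEs holding [1] and [2] IMPLICIT IA5 strings) is assumed from that config, and every function name is made up for the illustration.

```python
# Added example: DER walk/build for the HostIdMappings value (OID 1.3.18.0.2.18.1).
# Layout assumed from the openssl config in this thread, not from IBM documentation.

# OCTET STRING contents copied from the asn1parse dump in the post (wrap removed).
POSTED_HEX = (
    "30780C1C4C554845343438404D5653332E4350412E53544154452E54582E5553"
    "0C1C4C554845343438406D7673332E6370612E73746174652E74782E7573"
    "0C1C6C756865343438404D5653332E4350412E53544154452E54582E5553"
    "0C1C6C756865343438406D7673332E6370612E73746174652E74782E7573"
)

SET, SEQUENCE = 0x31, 0x30
HOSTNAME, SUBJECTID = 0x81, 0x82  # [1] and [2] IMPLICIT over IA5String


def der_len(n):
    """Length octets: one byte below 128, else 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); single-byte tags only, all this needs."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def build_host_id_mappings(pairs):
    seqs = [tlv(SEQUENCE, tlv(HOSTNAME, host.encode("ascii")) +
                tlv(SUBJECTID, user.encode("ascii"))) for host, user in pairs]
    return tlv(SET, b"".join(sorted(seqs)))  # DER SET OF is sorted by encoding


def parse_host_id_mappings(ext):
    """Return (mappings, problems) for one extension value."""
    mappings, problems = [], []
    tag, value, end = read_tlv(ext)
    if end != len(ext):
        problems.append("trailing bytes after outer TLV")
    if tag != SET:
        problems.append(f"outer tag 0x{tag:02X}, expected SET 0x31")
    for ctag, cval in children(value):
        fields = children(cval) if ctag == SEQUENCE else []
        if [t for t, _ in fields] != [HOSTNAME, SUBJECTID]:
            problems.append(f"member tag 0x{ctag:02X} is not SEQUENCE{{[1],[2]}}")
            continue
        mappings.append(tuple(v.decode("ascii") for _, v in fields))
    return mappings, problems


if __name__ == "__main__":
    print(parse_host_id_mappings(bytes.fromhex(POSTED_HEX)))
    built = build_host_id_mappings([("MVS3.DOMAIN.NAME", "USER448"),
                                    ("MVS2.DOMAIN.NAME", "USER448")])
    print(built.hex(), parse_host_id_mappings(built))
```

Read with the same length rule, x'318184' is a SET header announcing a 132-byte body and x'31820184' is a SET header announcing a 388-byte body; the posted dump decodes as a SEQUENCE of four UTF8String values with no [1]/[2] tags.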
Re: z/OS PKI Services HostIDMapping format
Yes, the script helps to identify some things. What application was it working with? I am trying to generate a cert for an RDz client. The RDz client appears to try to be intelligent and not allow bad parameters to be entered like a wrong passphrase for a PKCS12. It seems to reject all the certs I have tried. I'm thinking maybe there is a bug in the client.

-- Donald J. dona...@4email.net

On Mon, Mar 10, 2014, at 11:57 AM, Phil Sidler wrote:
> On Mon, 10 Mar 2014 08:59:55 -0700, Donald J. dona...@4email.net wrote:
> > Could someone who is using z/OS PKI Services for z/OS post a sample certificate containing an arbitrary extension for HostIdMapping, or an
>
> Would some VBscript help? Did this a loong time ago and I'm not sure it's totally clean, but I did use it.
Re: Is it possible to open PCOMM session up to 50?
From each of the 25 PCOMM telnet sessions, you could logon TSO and enter TSO TELNET MVSxyz to create another 25 sessions.

-- Donald J. dona...@4email.net

On Wed, Jul 17, 2013, at 02:26 AM, Alex Wang wrote:
> Hey, there.
> I'm curious about is it possible to open about 50 PCOMM sessions on one PC? Because I just want to test how many TSO user IDs which could logon the system at the same time. So I started PCOMM sessions and logon them using different TSO user ID one by one. The maximum number of sessions is 25. Because the PCOMM told me 'no more sessions could be started' until I have had 25. Is there any one who did such test before? It seems we couldn't start as many sessions as we want on one PC. :-)
>
> Note:
> 1. This is the default definition in our SYS1.PARMLIB(IEASYSXX) MAXUSER=500 But one of the SP told me the system is running as a z/VM guest machine ID and the allocated resources is limited. So she is afraid that it could not afford 50+ people on the system at the same time.
> 2. I'm using PCOMM Version 5.7 for windows and the OS I'm using is Win7.
Re: SSH Performance
Mine from a SuSE linux to z/OS 1.13:

real    0m1.224s
user    0m0.008s
sys     0m0.008s

-- Donald J. dona...@4email.net

> From Solaris to MVS:
>
> 133$ time ssh user@MVS date
> Mon Jul 8 07:43:06 MDT 2013
>
> real    0m15.10s
> user    0m0.07s
> sys     0m0.01s
>
> From Solaris to another Solaris:
>
> 134$ time ssh user@solaris date
> Monday, July 8, 2013 07:43:57 AM MDT
>
> real    0m0.61s
> user    0m0.15s
> sys     0m0.01s
>
> The MVS performance is awful (in the synchronic sense). Is there any way to tell where the overhead lies, or even whether ICSF is being used rather than ssh_rand_helper? How does this compare with other users' experience?
>
> (Once an interactive connection is established, response is quite good.)
>
> -- gil
Re: X11 forwarding
Check x11DisplayOffset value. It should be set to something like 10 if you want to forward directly via port 6010, or set to 0 if you want to tunnel through your SSH port 22 connection. My DISPLAY is set to 127.0.0.1:0 and my x11DisplayOffset is 0.

-- Donald J. dona...@4email.net

On Wed, Jun 26, 2013, at 10:09 AM, Mark Pace wrote:
> I've had some time to go back and make this work properly through X11 forwarding. I've followed the Ported Tools guide to setup X11 forwarding, which included compiling the xauth program and changing some parameters in the sshd_config. But when I connect via PuTTY with X11 forwarding turned on I receive these messages. Each time I see it creating a new .Xauthority file, yet I never see that file being created. Also I receive some errors about bad display names. And lastly I receive errors trying to run the X application. No amount of googling has had an answer to the bad display name, which I assume also has something to do with the errors running the app. Anyone with experience with X11 on z/OS have an idea what I am doing wrong?
Re: ZFS MountCall / Osi Wait
A writable zfs must be cleanly unmounted or there will be a 65 second delay at IPL time for each one. This can be avoided by mounting it on another system and then immediately unmounting it. See Share 2012 document zFS Diagnosis II: Problem Determination and File System Monitoring.

-- Donald J. dona...@4email.net

On Sun, Jun 16, 2013, at 07:19 PM, Munif Sadek wrote:
> Is there a way we can expedite our unix system services startup in a monoplex system..
>
> Best regards,
> Munif.
Re: X11 forwarding
You will also have to compile the xauth c program. I don't think IBM supplies a binary for it.

-- Donald J. dona...@4email.net

On Fri, Jun 7, 2013, at 06:07 AM, Mark Pace wrote:
> That was the problem. Some other issues with deprecated APIs. Maybe if I look at the sample C code I can figure out what to change in the java code.
>
> On Fri, Jun 7, 2013 at 9:00 AM, Martin Packer martin_pac...@uk.ibm.com wrote:
> > Open and close square bracket, I expect.
> >
> > Cheers, Martin
> >
> > Martin Packer, zChampion, Principal Systems Investigator, Worldwide Banking Center of Excellence, IBM
> > +44-7802-245-584
> > email: martin_pac...@uk.ibm.com
> > Twitter / Facebook IDs: MartinPacker
> > Blog: https://www.ibm.com/developerworks/mydeveloperworks/blogs/MartinPacker
> >
> > From: Mark Pace pacemainl...@gmail.com
> > To: IBM-MAIN@listserv.ua.edu,
> > Date: 06/07/2013 01:49 PM
> > Subject: Re: X11 forwarding
> > Sent by: IBM Mainframe Discussion List IBM-MAIN@listserv.ua.edu
> >
> > > Thank you! But that main(Stringݨ What are those characters?
> > >
> > > On Thu, Jun 6, 2013 at 11:02 PM, Donald J. dona...@4email.net wrote:
> > > > Here is a java program EmptyFrame1.java you can easily compile:
> > > >
> > > > // file: EmptyFrame1.java
> > > > import java.awt.event.*;
> > > > import javax.swing.*;
> > > >
> > > > class EmptyFrame1 extends JFrame {
> > > >     // Constructor:
> > > >     public EmptyFrame1() {
> > > >         setTitle("Donald's Empty Frame");
> > > >         setSize(300,200);     // default size is 0,0
> > > >         setLocation(10,200);  // default is 0,0 (top left corner)
> > > >         // Window Listeners
> > > >         addWindowListener(new WindowAdapter() {
> > > >             public void windowClosing(WindowEvent e) {
> > > >                 System.exit(0);
> > > >             } //windowClosing
> > > >         } );
> > > >     }
> > > >
> > > >     public static void main(Stringݨ args) {
> > > >         JFrame f = new EmptyFrame1();
> > > >         f.show();
> > > >     } //main
> > > > } //class EmptyFrame1
> > > >
> > > > -- Donald J. dona...@4email.net
> > > >
> > > > On Thu, Jun 6, 2013, at 07:42 AM, Mark Pace wrote:
> > > > > I want to test X11 forwarding using SSH in Unix System Services. But I can't find an executable X application like xclock. I find some sample programs, but not any executable code. Is there some executable files that I am not finding?
> > > > >
> > > > > --
> > > > > The postings on this site are my own and don’t necessarily represent Mainline’s positions or opinions
> > > > > Mark D Pace
> > > > > Senior Systems Engineer
> > > > > Mainline Information Systems
> >
> > Unless stated otherwise above: IBM United Kingdom Limited - Registered in England and Wales with number 741598. Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
Re: X11 forwarding
Commands like this will be needed when compiling xauth:

export _C89_PSYSLIB=SYS1.IBM.CEE.SCEEOBJ:SYS1.IBM.CEE.SCEECPP:SYS1.IBM.CBC.SCLBDLL
export _C89_LSYSLIB=SYS1.IBM.CEE.SCEELKEX:SYS1.IBM.CEE.SCEELKED:SYS1.IBM.CBC.SCCNOBJ:SYS1.CSSLIB
_C89_CCMODE=1 make > /home/sys/luhe338/xauth/output.log

-- Donald J. dona...@4email.net

On Fri, Jun 7, 2013, at 06:17 AM, Donald J. wrote:
> You will also have to compile the xauth c program. I don't think IBM supplies a binary for it.
>
> -- Donald J. dona...@4email.net
Re: X11 forwarding
Here is a java program EmptyFrame1.java you can easily compile:

// file: EmptyFrame1.java
import java.awt.event.*;
import javax.swing.*;

class EmptyFrame1 extends JFrame {
    // Constructor:
    public EmptyFrame1() {
        setTitle("Donald's Empty Frame");
        setSize(300,200);     // default size is 0,0
        setLocation(10,200);  // default is 0,0 (top left corner)
        // Window Listeners
        addWindowListener(new WindowAdapter() {
            public void windowClosing(WindowEvent e) {
                System.exit(0);
            } //windowClosing
        } );
    }

    public static void main(Stringݨ args) {
        JFrame f = new EmptyFrame1();
        f.show();
    } //main
} //class EmptyFrame1

-- Donald J. dona...@4email.net

On Thu, Jun 6, 2013, at 07:42 AM, Mark Pace wrote:
> I want to test X11 forwarding using SSH in Unix System Services. But I can't find an executable X application like xclock. I find some sample programs, but not any executable code. Is there some executable files that I am not finding?