Re: In Defense of FTP. FUD rules

2024-10-01 Thread Grant Taylor

I'm replying to multiple messages in one message in chronological order.



On 9/28/24 20:00, Steve Estle wrote:
Hmm - Interesting conversation.  The account I'm supporting uses 
Tectia for ZOS product set (SSH.COM) which allows for proxy to be 
setup to convert all ZOS FTP to SFTP without any script changes.


Interesting.

It's my understanding that the `sftp` command was intended to be a drop 
in replacement for the `ftp` command for interactive and scripted 
interactive use.  As in steps were taken to make `sftp` behave as 
similar to `ftp` as possible.  But that's a client swap.


What you're describing is -- effectively -- a monkey in the middle doing 
a protocol translation from clear-text / unencrypted FTP to SFTP or FTP 
over SSH.


I would have naively assumed that the Tectia product did unencrypted / 
clear-text FTP to encrypted / cypher-text FTP over SSL -> TLS.  But I'll 
take your word for it.


This product was already in place when I arrived so I was not involved 
in the decisions to procure or rationale other than it was needed 
to be properly "secure".  But I am now wondering from a security / 
audit perspective if a secondary software product such as Tectia 
is truly required to provide a secure and audit-proof FTP, Telnet, 
TN3270 environment, or is the correct answer that it is just a matter 
of properly configuring ZOS Comm Server, FTP, & ATTLS, which 
in essence fully secures the FTP service adequately?


I wonder if it's more a line of business reasoning than it is a 
technological reasoning.  As in the external system, combined with 
proper firewalling can guarantee that no unencrypted / clear-text FTP, 
etc. is sent and that ONLY encrypted / cypher-text data is allowed to 
leave the secure LAN / environment.


This is similar to some reasons why I've seen people REQUIRE that the 
TLS encryption is done on system instead of external systems.  When done 
on system, it's possible for software to verify that the traffic is 
encrypted.  Conversely, software running on the system may have trouble 
differentiating between traffic that was encrypted to the external 
system and unencrypted to the local program vs traffic that came to the 
local program directly in an unencrypted form.


That ability to say "it's not possible for unencrypted / clear-text 
traffic to get to / leave from the system" checks some more boxes than 
"(we think) we configured all the processes to use encryption".




On 9/29/24 10:23, Radoslaw Skorupka wrote:
1. People are lazy or reluctant to make changes "because it works". 
Sometimes we inherit old setup with tons of obsoleted settings, 
etc. And it is a psychological challenge to change old things (with 
some risk of mistake - as always),  convince managers, etc.


I think there is something to be said for inertia of a system and the 
perceived need to change *EVERYTHING* to use the new configuration *ALL* 
*AT* *THE* *SAME* *TIME*.


Conversely something that can be changed one part at a time is more 
likely to have individual parts changed out.


3. Distributed systems world tend to prefer sftp over ftps. However 
sftp implementation on z/OS lacks some features.


I know from a firewalling point of view encrypted FTPS is a PITA.  With 
FTP's use of multiple ports, the firewall needs knowledge of the 
ephemeral ports to be able to dynamically alter itself to allow the 
traffic through.  When the FTP control traffic is encrypted, it's much 
more difficult if not nigh impossible for a bump-in-the-wire firewall 
to be able to learn the ephemeral ports.


Conversely encrypted SFTP over SSH is a single port and thus much, Much, 
MUCH easier to deal with from a firewalling point of view.




On 9/29/24 14:58, Phil Smith III wrote:
Can you elaborate? If via AT-TLS I'd be surprised. Unless there's 
some additional login majicks (2FA?) that you're referring to?


I'm surprised by the combination of AT-TLS and SFTP.  Does AT-TLS 
support SFTP / SCP / SSH?  --  A quick search doesn't seem to indicate 
that AT-TLS has gained support for SFTP / SCP / SSH since I last looked. 
  --  Please elaborate.




--
Grant. . . .

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
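The firewall problem Grant describes (a stateful firewall's FTP helper must read the PASV/EPSV replies and PORT commands on the control channel to learn the ephemeral data port, which it cannot do once that channel is TLS-encrypted), as an added Go example that is not from the thread; the sample session and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// DataEndpoint is what a firewall's FTP helper must learn from the cleartext control
// channel before it can open a pinhole for the data connection; under FTPS these
// lines are TLS ciphertext on the wire, so the helper cannot learn anything.
type DataEndpoint struct {
	Host   string // "" means "same address as the control connection" (EPSV)
	Port   int
	Active bool // true when the client listens (PORT), false for PASV/EPSV
}

var (
	tupleRe = regexp.MustCompile(`(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})`)
	epsvRe  = regexp.MustCompile(`\(\|\|\|(\d{1,5})\|\)`)
)

// parseTuple decodes the RFC 959 h1,h2,h3,h4,p1,p2 form used by PORT and 227.
func parseTuple(s string) (string, int, error) {
	m := tupleRe.FindStringSubmatch(s)
	if m == nil {
		return "", 0, errors.New("no h1,h2,h3,h4,p1,p2 tuple")
	}
	var n [6]int
	for i := range n {
		v, err := strconv.Atoi(m[i+1])
		if err != nil || v > 255 {
			return "", 0, fmt.Errorf("value out of range: %q", m[i+1])
		}
		n[i] = v
	}
	return fmt.Sprintf("%d.%d.%d.%d", n[0], n[1], n[2], n[3]), n[4]*256 + n[5], nil
}

// ParseControlLine recognises the three control-channel messages that announce a data
// endpoint. ok is false for any other line (USER, LIST, 150, ...); err flags a malformed one.
func ParseControlLine(line string) (ep DataEndpoint, ok bool, err error) {
	line = strings.TrimRight(line, "\r\n")
	switch {
	case strings.HasPrefix(line, "227 "): // server: Entering Passive Mode (h1,h2,h3,h4,p1,p2)
		h, p, err := parseTuple(line)
		return DataEndpoint{Host: h, Port: p}, true, err
	case strings.HasPrefix(line, "229 "): // server: Entering Extended Passive Mode (|||port|)
		m := epsvRe.FindStringSubmatch(line)
		if m == nil {
			return ep, true, errors.New("229 reply without (|||port|)")
		}
		p, err := strconv.Atoi(m[1])
		if err != nil || p < 1 || p > 65535 {
			return ep, true, fmt.Errorf("bad port %q", m[1])
		}
		return DataEndpoint{Port: p}, true, nil
	case strings.HasPrefix(strings.ToUpper(line), "PORT "): // client: PORT h1,h2,h3,h4,p1,p2
		h, p, err := parseTuple(line)
		return DataEndpoint{Host: h, Port: p, Active: true}, true, err
	}
	return ep, false, nil
}

// LearnPinholes replays a cleartext control channel the way a stateful firewall's FTP
// helper does. A pinhole is opened only towards the server's own address (PASV/EPSV) or
// the client's own address (PORT); a line naming any other host, or a malformed one, is rejected.
func LearnPinholes(lines []string, clientIP, serverIP string) (pinholes []DataEndpoint, rejected []string) {
	for _, l := range lines {
		ep, ok, err := ParseControlLine(l)
		if !ok {
			continue
		}
		want := serverIP // PASV/EPSV: the data connection goes to the server
		if ep.Active {
			want = clientIP // PORT: the data connection comes back to the client
		}
		if ep.Host == "" {
			ep.Host = want // EPSV carries no address
		}
		if err != nil || ep.Host != want {
			rejected = append(rejected, l)
			continue
		}
		pinholes = append(pinholes, ep)
	}
	return pinholes, rejected
}

func main() { // constructed sample session: client 192.0.2.10, server 198.51.100.20
	session := []string{
		"USER anonymous", "331 Password required", "PASS guest", "230 Logged in",
		"PASV", "227 Entering Passive Mode (198,51,100,20,195,89)", "LIST", "150 Opening data connection",
		"EPSV", "229 Entering Extended Passive Mode (|||50001|)",
		"PORT 192,0,2,10,4,1", "PORT 203,0,113,7,4,2", // the second names a third party
	}
	pinholes, rejected := LearnPinholes(session, "192.0.2.10", "198.51.100.20")
	fmt.Printf("pinholes: %+v\nrejected: %q\n", pinholes, rejected)
}
```

Run it and the third-party PORT line shows up under rejected while the three legitimate endpoints become pinholes; with an encrypted control channel none of these lines would ever be visible to the helper.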


Re: Open SSH vulnerability

2024-07-02 Thread Grant Taylor

On 7/2/24 10:32 AM, Ed Jaffe wrote:
According to the write-up on openssh.com/txt/release-9.8, regreSSHion 
affects OpenSSH releases 8.5p1 through 9.7p1 inclusive.


Based on what I just read (Qualys Security Advisory sent to the 
oss-security mailing list), there is also a dependency on glibc and thus 
I assume that systems using different C libraries probably aren't affected.


What C library is z/OS using?  I assume it's not glibc.



--
Grant. . . .
unix || die



Re: grep ascii files...

2024-04-18 Thread Grant Taylor

On 4/18/24 11:03 AM, Paul Gilmartin wrote:
someone conversant with such languages has posted here that the spoken 
convention is low-to-high order: "four and twenty blackbirds."


Would you please clarify / confirm the example language?  "four and 
twenty blackbirds" sort of breaks my brain and I'd like to research and 
learn more.




--
Grant. . . .
unix || die



Re: Technical Reason? - Why you can't encrypt load libraries (PDSE format)?

2024-01-13 Thread Grant Taylor

On 1/13/24 13:39, Gibney, Dave wrote:
It should be obvious, but as a practical matter, you can't encrypt 
the modules that do the decryption and it also follows that you can't 
encrypt the modules that provide the execution environment (z/OS) 
for these modules.


I would like to agree with you.

Viruses (for PCs) have been self-decrypting for a long time.

Given how people espouse that the mainframe can do everything that a PC 
can do ... I think it stands to reason that someone with sufficient 
motivation /could/ write a mainframe program that would decrypt itself.


If we accept that it's hypothetically possible to write a mainframe 
program that can decrypt itself, then could we also accept the 
hypothetical possibility to do the same with a program that is part of 
the OS?


It's been a very long time since I've looked at low level mainframe OS 
IPL / boot strap methods and procedures.  But I'm confident that the 
first part of the program that IPLs off of DASD doesn't know how to do 
most of what the OS ultimately does.


It's all about have just enough recognizable -> executable code that can 
decode / decrypt more recognizable -> executable code that can decrypt 
even more.


Hence in /concept/ I don't agree with you.



--
Grant. . . .



Re: Technical Reason? - Why you can't encrypt load libraries (PDSE format)?

2024-01-13 Thread Grant Taylor

On 1/13/24 11:06, Radoslaw Skorupka wrote:

However encryption is a kind of data protection.


Conversely encryption is a kind of data authentication / verification.


Data. Not programs.


Programs are special data used to manipulate / act on other data.



--
Grant. . . .



Re: netcat for z/OS?

2024-01-12 Thread Grant Taylor

On 1/12/24 10:02 AM, Kirk Wolf wrote:
IBM ships a command with z/OS:  "ssh-proxyc  - HTTP SOCKS-5 Proxy 
command for ssh client"


Based on the name, that seems to support SOCKS(5) proxy servers.

The (BSD) netcat (nc) `-X` means to use the HTTP(S) CONNECT protocol proxy.


See the IBM z/OS OpenSSH User's Guide for more information.


I don't have convenient access to that document.  Though I should find a 
copy as I hope it's as interesting as it could be.




--
Grant. . . .
unix || die



Re: SSH tunneling for unattended process.

2024-01-09 Thread Grant Taylor

+10 for everything that Rick has said.

On 1/8/24 1:26 PM, Rick Troth wrote:

Clarification on -L and -R ...


N.B. the -L and -R are reference to the ssh /client/.

This is important to keep in mind when you are considering which way the 
port forwarded traffic will go in relation to which end is the SSH client.




--
Grant. . . .
unix || die



Re: HMC hardware messages

2023-11-28 Thread Grant Taylor

On 11/28/23 2:46 PM, Radoslaw Skorupka wrote:
Of course ticket creation is another topic. But it cannot be simply 
automatic creation of ticket for every message, because many of them are 
just notification.

Example: REIPL.


I don't know about ticketing systems, but with email, I create rules to 
detect things that are known okay; REIPL, and mark the message as read. 
That way it's there and I can got to the folder if I want to see it. 
But it's not unread and vying for my attention.


Our old ticketing system had the ability to do similar.  There were 
multiple macros set up to assign the ticket to me / my group, add 
comments, and mark the ticket as resolved.


I'm still trying to figure out if our new ticketing system can do 
anything like that.


Ideally don't send notifications that are largely noise.  If you can't 
avoid that, automate resolving them.




--
Grant. . . .
unix || die



Re: TN3270, EBCDIC and ASCII

2023-10-11 Thread Grant Taylor

On 10/11/23 6:39 AM, jgmauta...@yahoo.com.ar wrote:

Thanks guys for all you instructive answers!


:-)

As it usually happens when you try to understand something, new 
questions often arise and you realize that things are fairly more 
complicated than you initially believed.


I think that's a natural part of learning.



--
Grant. . . .
unix || die



Re: TN3270, EBCDIC and ASCII

2023-10-10 Thread Grant Taylor

On 10/10/23 3:15 PM, Rick Troth wrote:
The copy-n-paste point makes me wonder if the fonts are actually mapped 
to ASCII values.


I was wondering the same thing.

I'm watching the thread to learn more.

I don't know graphical environments well enough to analyze it. But it 
would mean that, yes, there *is* A/E translation happening even in the 
graphical 3270 emulators. (In hopes of not steering Juan wrong with what 
I said before.)


I would have naively assumed that the A/E translation is happening 
between the TN3270* protocol and the in memory screen buffer.


This would mean that the buffer can be displayed with any font the user 
chooses /and/ it would more cleanly support copy / paste.


*I actually assume that similar would happen with communications using 
more traditional SNA on the LAN; e.g. DLC.  --  If memory even remotely 
serves after a long day.




--
Grant. . . .
unix || die



Re: Compile mod_wsgi Python Apache module

2023-09-11 Thread Grant Taylor
I've not seen any other replies to this thread, so I'll go ahead and 
send what I had drafted before waiting in the hopes that someone more 
knowledgeable than I would reply.  But, maybe my experience compiling 
things will get you on the proper path.


On 9/6/23 10:16 AM, Oscar wrote:

Hello,


Hi,

Everything is fine until we run make to compile the plugin. It fails 
because somehow a file is missing, but AFAIK the file is where it is 
supposed to be.


Please elaborate on "what file" and "where (it) is supposed to be". What 
file name are you looking for and where are you looking?



Has anyone succeeded in compiling mod_wsgi on z/OS (we are at 2.4)?


I've never tried.


make output: https://pastebin.com/raw/AhW6UMSh


Having spent a lot of time looking at make output and compiling things 
in years past, my thoughts are below.


libtoolexe: cc -Wl,DLL -o src/server/mod_wsgi.so -Wc,-qcpluscmt 
-Wc,-qlanglvl=extc99 -Wc,XPLINK,lp64,dll,expo -Wl,XPLINK,lp64 -O3 
-U_NO_PROTO -DSIGPROCMASK_SETS_THREAD_MASK -DTCP_NODELAY=1 
-L/u/ames/fixpack/blddir/destdir/home/oscar/apache/lib 
-L/u/ames/fixpack/blddir/destdir/u/ames/fixpack/blddir/destdir/home/oscar/apache/lib 
src/server/wsgi_apache.o src/server/mod_wsgi.o 
-L/STAGIN/IBM/python39/usr/lpp/IBM/cyp/v3r9/pyz/lib 
-L/STAGIN/IBM/python39/usr/lpp/IBM/cyp/v3r9/pyz/lib/python3.9/config-3.9 
-lpython3.9 -ldl -lm 
/STAGIN/IBM/python39/usr/lpp/IBM/cyp/v3r9/pyz/lib/python3.9/config-3.9/libpython3.9.x 
/home/oscar/apache/lib/apachecore.x /home/oscar/apache/lib/apachecore.x 
/home/oscar/apache/lib/libapr-1.x /home/oscar/apache/lib/libaprutil-1.x 
/home/oscar/apache/lib/liblua.x

FSUM3067 The archive library python3.9 (libpython3.9.a) cannot be found.

libtoolexe / cc can't find a library that they are looking for.

I assume that they are looking for libpython3.9.a in a typical library 
location.


This may be that the library itself can't be found and / or the headers 
therefor can't be found.


If you recently added said library / headers, try running ldconfig to 
update the dynamic linker's cache of what libraries are where.



make file: https://pastebin.com/raw/PJs2d5C7

Thanks in advance!




--
Grant. . . .
unix || die



Re: Unanswered questions regarding P390 systems

2023-09-10 Thread Grant Taylor

On 9/10/23 3:40 PM, Tony Thigpen wrote:
The box you put the P390 card into is important. It's been a long time 
since you could get a box with long enough slots.


Newer technology makes things entertaining.

For a little while I had my P/390-E in a machine that was running the 
OS/2 as a VM with PCI pass-through.


It functioned, but it wasn't stable.

I've since moved my P/390-E to a different dedicated system.



--
Grant. . . .
unix || die



Re: Unanswered questions regarding P390 systems

2023-09-10 Thread Grant Taylor

On 9/10/23 2:00 PM, Alexander Huemer wrote:

Hi


Hi,


As a proud owner of a P390 system, I've collected some questions that I
wasn't able to find answers to at [1].


Welcome to the club.


If you have knowledge regarding those or related systems, I kindly ask
that you read through the page. Maybe you can shed some light!

[1] https://ahuemer.xx.vu/non-volatile/p390-questions.html


Hardware

1)  It's my understanding that there are some companion cards that go 
with the processor card.


 - Bus & Tag
 - ESCON

I think you're also missing any information on the older ISA card sets. 
E.g. the ISA System 370 CPU+RAM card that goes in the PC/370 and the likes.


Do the R/390 et al. cards have different FRUs?  Or is it the same 
hardware with different software; OS/2 vs AIX?


2)  I would guess where and / or when 08J5941 and 08J5882 were made.

3)  I have no idea.  Debugging indicator for the card?  Maybe this 
speaks to question 2.


I wonder if there is any relation to the LEDs with any bits of the 
Program Status Word.


OS/2 Software

I've used my P/390-E with OS/2 4.x and ArcaOS.

AIX Software

I have no idea of #1 nor #2.

I wonder if part of the difference with OS/2 console vs AIX console is 
related to the fact that dtterm / aixterm / xterm are inherently text 
(especially with the version that I think they are).  As such, some of 
the more special characters that are used in the status line to indicate 
connected, waiting, offline, etc. probably don't display as cleanly in 
pure text.  Remember that the console in OS/2 was its own GUI that did 
its own terminal emulation and could thus support special characters.


You can see similar with the difference between X3270 and its console 
counterpart C3270 from the same source code.


LIC

I have no idea about versions of the LIC.



--
Grant. . . .
unix || die



Re: extracting "*.pax.Z" without USS

2023-09-09 Thread Grant Taylor

On 9/9/23 8:50 AM, william giannelli wrote:

I tried renaming the file with a ".zip" extension but that made the file
unreadable.


That's because ".Z" is "compress(ed)" file format which is different 
than ".zip" which is "zip" file format.


They are two very different things.

.Z is not just a permutation of .zip as a file extension.



--
Grant. . . .
unix || die



Re: Somewhat OT: 3279 front bezel needed

2023-09-05 Thread Grant Taylor

On 9/5/23 8:56 AM, Jay Maynard wrote:

I do! And two P/390s and two P/370s for it to talk to.


Does that mean that you also have the associated B&T cards to connect 
said P/390s / P/370s to the 3174?


I'd be very interested reading an article about and pictures of such a 
setup.  Even if it's an ongoing work in progress.




--
Grant. . . .
unix || die



Re: Asking questions and learning.

2023-09-04 Thread Grant Taylor
Old Subject: Re: With regrets, after many years I will no longer be 
following IBM-MAIN

New Subject: Re: Asking questions and learning.

On 9/4/23 12:36 AM, Brian Westerman wrote:
I think even the ones that abuse the list the most still provide 
assistance from time to time that is very useful.


This is why -- if I feel the need -- I'll create a filter rule to mark 
messages as read for specific criteria; sender, subject, age, etc., but 
leave them in situ.  That way I can go back and read them if I want to.


I completely understand that oftentimes they want the person to RTFM, 
which makes a lot of sense because you also don't want the list to 
become a primary school.


Ya, "do my homework for me" type statements, not even questions, tend to 
become quite annoying quite quickly.


The "new guys" need to learn how to use the manuals and I think the 
"old guys" are trying to, in their own way, help them to see that 
using the manuals and figuring stuff out is a good thing.


Most of the time I try to refer people to specific sections of specific 
manuals or suggest a set of search criteria that I think will get people 
close to what they are looking for or trying to understand. 
Occasionally I'll even suggest something that's more background reading, 
telling them as such, and a reason why they should read more than just 
the section with the answer they seek.  Often I append after you've done 
that, let's have a conversation based on what you will have read.  Or 
something to that effect.


N.B. I'm perfectly fine with shoes on the other feet and find advice 
like above to be quite helpful.


Where it becomes an issue is when the newbie honestly can't figure 
it out and may have truly tried to find the solution on their own.


Agreed.

It might be helpful for them, in fact everyone, to disclose what you 
have already tried or read about, that way everyone will see that they 
are trying and won't just kiss them off as using the list instead of 
manuals (and the internet) as opposed to using it in conjunction with 
attempting to learn.


Absolutely.

This is the "do my homework assignment" thing I was describing above.

What have you read on the topic, what have you tried, why were the 
results not satisfactory, what are you trying to achieve, etc.  These 
are all things that help the people who you are trying to get to help you.


Sometimes they may have actually read the solution, but just don't 
see it as such, and by disclosing what they have tried so far will 
allow people to let them know where they missed something.  I think 
that no one likes to think that the guy asking the question is not 
even really trying to work the problem.  But without disclosing the 
path they are currently on, we have no way to know otherwise.


I was talking with someone the other day who, for various reasons, 
felt that they could not demonstrate failure in front of others.  As 
such, asking for help was sometimes very hard for them.  They felt it 
easier to try multiple different things and fail than to potentially 
demonstrate failure.


There are many reasons people do what they do and there are as many 
different ways that people learn.



Just a thought.


:-)



--
Grant. . . .
unix || die



Re: Firefox and HMC self-signed cert

2023-09-02 Thread Grant Taylor

On 9/2/23 11:41 AM, Peter Sylvester wrote:

Hi,


Hi,


I do not really know what I am trying to explain, but anyway.


I've found that sharing what I understand something to be beneficial for 
multiple reasons:


1)  articulating it often helps clarify what I'm trying to articulate
2)  it gives others more in the know an opportunity to see what I'm 
thinking and hopefully correct me if I'm wrong


IBM has made a kind of minimal security approach to access an HMC using 
https, i.e. a self-signed cert.


It's not just IBM.

Using self-signed certificates is sort of the minimum bar for entering 
the TLS / encrypted HTTPS ecosystem.  A minimum if you will.


Hopefully there are supported and easily accessible ways to change and 
use the TLS certificate provided by the end user and / or (re)generate a 
new self-signed certificate.


I'm simplifying by eliding the associated key which should also be 
changed from factory default.


If TLS / encrypted HTTPS is enabled by default -- something that I would 
hope is the case in 2023 -- I hope that it is generated upon first power 
up.  As in if it doesn't exist (in the distribution image) one is 
automatically generated on IPL.


IBM also documents how one can change this, i.e. generate a key pair, a 
CSR, get certified by "some" CA, then upload the key and cert. Example 
uses openssl on Windows :-)


:-)


Who cares


More people than you might realize.  Probably for different reasons.

You need to have the cert chain as trusted in your browser, so far, pure 
technical.


which "PKI" to select?  The global web PKI, probably not, at least not 
necessary, the HMC is in some intranet, or so.


There is a decent chance that you can't use a public CA / public PKI 
because of restrictions on externally unique names.  This extends into 
problems with private IP addresses.


A company PKI (intranet). Yes, if it exists. The first thing IMO is to 
find out if there is a company PKI or at least policy etc.


Agreed.


Tom went for the "minimal" solution, create a minimal dedicated "PKI" :


:-)

Technically, take whatever vanilla PC, create a root, create a cert, 
take the server key and cert and CA cert to a USB and then delete the 
content of the PC. Lifetime long enough so either the HMC or you can 
retire :-) Well, I'm provoking.


Agreed, some technical minutiae notwithstanding.  The CA doesn't need 
and shouldn't have access to the HMC's key.



On linux you could use "script" to have log.

Upload the server cert/key to the HMC, and delete them.


Ideally, the HMC will (re)generate its own key and CSR.  Take /just/ 
the CSR and have it signed by the CA.



install the CA cert on any PC that needs access to the HMC.


Yep.


This is what Tom has done, at least some parts.

Thus, there is only one certificate created by the CA.


Technically, there are two, the CA's (self-signed) certificate used to 
sign CSRs and the HMC's cert.


All this documented but maybe not necessarily using the IETF text as 
template, it is very detailed, and if you understand it at once, I'll 
kill myself :-) or not.


Ya  I've been less than thrilled with IETF working groups more times 
than I can remember.  The process leaves me wanting.



Anyway, validate the procedure with the company CISO.


Ya.  That could be an interesting conversation.  Probably educational.

What's better overall security posture?

 - Using self-signed certificates and teaching employees to ignore 
certificate warnings?

 - Installing a bunch of certificates in the client systems?
 - Installing one certificate from the Enterprise CA in the client systems?
 - Exposing internal system names via Certificate Transparency when 
using a public CA / public PKI?


If the company has a "company" PKI, and is able to make server certs, 
well, do this.


I largely agree.  But depending on how old said PKI is, it might not 
generate certificates up to contemporary standards.


One usual question? Who is generating the server private key? IBM could 
have made an HMC function to generate it and create a CSR to download btw.


That's a very good question.


Have fun


:-)

You too.



--
Grant. . . .
unix || die

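The CSR-based flow Grant describes (the HMC keeps its private key and hands the CA only a CSR; the CA's self-signed certificate is what gets installed on the client PCs; two certificates exist in total), as an added Go standard-library example that is not from the thread and is not IBM's documented HMC procedure; the CA name and the host names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; acceptable for a demo, not for production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCA creates the single self-signed certificate of the dedicated mini PKI.
// Its certificate (not its key) is what gets installed on each PC that uses the HMC.
func NewCA(caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example HMC Root CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// NewCSR is the HMC side. The request carries only the public key and the
// requested name, signed with the HMC key; the private key stays on the HMC.
func NewCSR(hmcKey *ecdsa.PrivateKey, host string) *x509.CertificateRequest {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	der := must(x509.CreateCertificateRequest(rand.Reader, tmpl, hmcKey))
	return must(x509.ParseCertificateRequest(der))
}

// SignCSR is the CA side. It checks the CSR's self-signature (proof that the
// requester holds the matching private key) and issues a server certificate
// for the public key inside the CSR. The CA never needs the HMC's private key.
func SignCSR(csr *x509.CertificateRequest, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("rejecting CSR: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames, // the name the CA vouches for
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)))
}

// VerifyChain is what a browser does once the CA certificate is in its trust
// store: the HMC certificate must chain to that CA and must name the host
// being visited. It returns the chain length (HMC cert + CA cert = 2).
func VerifyChain(leaf, ca *x509.Certificate, host string) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// Enroll runs the whole flow for an HMC named csrHost, then verifies the
// result as a client that connected to connectHost.
func Enroll(csrHost, connectHost string) (int, error) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // lives on the CA machine
	ca := NewCA(caKey)
	hmcKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // generated on the HMC
	leaf, err := SignCSR(NewCSR(hmcKey, csrHost), ca, caKey)
	if err != nil {
		return 0, err
	}
	return VerifyChain(leaf, ca, connectHost)
}

func main() {
	fmt.Println(Enroll("hmc1.example.internal", "hmc1.example.internal")) // 2 <nil>
	fmt.Println(Enroll("hmc1.example.internal", "hmc2.example.internal")) // 0 and a hostname mismatch error
}
```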


Re: Firefox and HMC self-signed cert

2023-08-30 Thread Grant Taylor

On 8/30/23 12:42 AM, Tom Brennan wrote:
I've been told by IBMers not to talk about such things, so I need to 
drop out now.


Chuckle.

Fair enough.

I'm just talking about a special purpose Linux box from a vendor to run 
a vendor application.  ;-)


I hoist my coffee to you.

Have a good day.



--
Grant. . . .
unix || die



Re: Firefox and HMC self-signed cert

2023-08-30 Thread Grant Taylor

On 8/29/23 9:49 PM, Tom Brennan wrote:
Just to be clear, I'm not talking about doing anything to the HMC that 
isn't sanctioned by IBM.


I assumed as much.

And pardon me if you already know this, but HMCs are really locked 
down.


Well ... IBM took a reasonable pass at making the older HMCs that I've 
worked on recently take a little bit of effort to get in and do things.



For example, no command line access even when standing at the machine.


I was poking around on $WORK's older HMCs three weeks ago and, as a well 
seasoned Linux administrator, found it not quite trivial to get into the 
underlying Linux OS and do whatever I wanted to.


I'll just say that if you're familiar with how Linux boots and what 
different things do, it's one transient non-persistent edit away from 
dropping you at a root shell prompt where you can make any change that 
you want to on the system.


Obviously this is not sanctioned by IBM.

I'm dealing with hardware that is so far out of support that it's not 
even funny.


But under the hood, it's Linux that looks STRIKINGLY like a heavily 
modified Red Hat / CentOS 6.x generation with all visible branding removed.


I've since had someone tell me that there is a method to get a normal 
shell on an HMC.  I speculate it's reminiscent of padmin on VIOS where 
you log in for vtmenu and then do something not well documented.


A quick web search reveals that there is a root account with a less well 
known password.


When you're willing to do unsupported things on hardware that isn't 
capable of being supported, you can do some amazing things if you want 
to.  }:-)


PSA, the HMC that I looked at used file system labels to identify which 
file system was to be mounted where.  So ... which file system with the 
label of "/" is mounted when there are two of them?  }:-)




--
Grant. . . .
unix || die



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 6:39 PM, Tom Brennan wrote:
It's those last couple of steps that I assume would need to be done 
manually on an HMC via GUI.


I have no idea if IBM offers a supported solution or not.

I would wager that there are some unsupported solutions that IBM would 
wag a finger at you for doing.  But who's going to do that on a piece of 
equipment supporting a mainframe?


The three things that come to mind in the order of most benign to most 
radical are:


 - Script interactions across the HTTP(S) ports pretending to be a user 
walking through the motions with the necessary GET / POST / etc. method 
calls.


 - Enable -- what I assume is unsupported SSH access to an HMC and 
remotely run commands to manage certificates.


 - Really throw caution to the wind and install an ACME client on the 
HMC and get it some sort of Internet connectivity (likely via proxy).


The first is probably the only thing that IBM would say doesn't 
invalidate support / warranty.



Or maybe IBM has addressed this and provides an API or similar?


I hope so.  But I'm not holding my breath.

I never asked, possibly because every HMC I've ever touched, whether 
mainframe or peripheral, came up with a self-signed key warning.


Ya  Pardon while I go over into a corner and cry.

But in their defense, most are only accessible in the datacenter or 
behind a difficult-to-access jump box.


I've had the broken TLS cert cause problems, particularly when Java gets 
involved.


I've found that making the client system as happy with the cert as 
possible usually yields the best / most long-term results.




--
Grant. . . .
unix || die



Re: it's all about trust [was: Firefox and HMC self-signed cert]

2023-08-29 Thread Grant Taylor

On 8/29/23 6:10 PM, Charles Mills wrote:
Not browser publishers and CAs; ONE particular browser publisher! The 
CAs were on the other side of this one.


Apple may have been the first to the microphone, but I know that other 
browser manufacturers were writing similar speeches.


About the only thing I can say in their defense is that the revocation 
system is broken.


On a technical level, I don't know that I agree with that.

I believe that there were things in place that someone that wanted to 
could have checked revocation.


Sadly, too many people -- probably the vast majority -- didn't do so for 
one reason or another.


This might even partially be the tyranny of the default.  I think most, 
if not all, browsers opted to forego much of the revocation check in the 
name of performance and page load time.


Most people didn't know better, and most of those that did didn't know 
enough or weren't motivated to change it.




--
Grant. . . .
unix || die



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 3:38 PM, Charles Mills wrote:

Not true for a CA root.

Thought experiment: if DigiCert were to misplace their root private 
key, would you now be unable to log into amazon.com? (There would be 
very disruptive long-term implications, but things would continue to 
work in the medium term even without the private key.)


The private key is necessary to be able to *issue* certificates. Tom's 
scenario, while it may have some other shortcomings, would work 
exactly as Tom supposes.


Fair enough.

I was thinking about a web / email / etc. server not being able to 
provide encrypted connections without the key being accessible.




Grant. . . .



Re: securing the trust store [was: Firefox and HMC self-signed cert]

2023-08-29 Thread Grant Taylor

On 8/29/23 3:16 PM, Rick Troth wrote:
And making it harder (more expensive) for the attacker (relative to his 
ROI).


Some of it is also about making it more noisy and thus likely easier to 
detect when something inappropriate is going on.


I've heard that some Chinese emperors purposely had floors designed 
expressly so that they squeaked when you walked on them specifically so 
that they could more easily hear when attackers were coming.


Door chimes can be annoying, but they do serve a purpose, especially 
when they are unobtrusive.


YubiKey is part of that because it can become a new single point of 
failure.


Ya.

I really hate the idea of needing to rely on an external party.  Even 
more so when that external party becomes a SPOF.


I want to host things myself.

Thankfully, YubiKey, as I've mentioned them, is fully self hosted and 
doesn't rely on anything external beyond initial utility installation.


In all of this, one of the biggest overlooked thingies is new points of 
failure. We forget that locking out bad guys kinda sucks for US when WE 
suddenly look like one of the bad guys. (Machines cannot tell the 
difference.)


#truth


This is not a slam on YubiKey.


Nope.  It's an unpleasant fact about the situation.

It's an observation that our systems need failover factors and most 
developers still don't think about that.


Agreed.



--
Grant. . . .



Re: it's all about trust [was: Firefox and HMC self-signed cert]

2023-08-29 Thread Grant Taylor

On 8/29/23 2:49 PM, Rick Troth wrote:
When they say "certificates shall only last a year", there's little we 
can do about it, whether they're right or wrong.


The browser manufacturers have power in the browser ecosystem and the 
ecosystems that pander to them (*cough* CAs *cough*).


But browser manufacturers have exceedingly little say in how I configure 
TLS on my email server.


Crypto alone doesn't make your systems secure. Faster refresh does not 
improve your posture all by itself.


I believe the faster refresh is all about shortening the exposure window.

If the CA is breached, then the issued certs are just as invalid on day 
one as they are on day 398. In that case, what has the shortened 
lifetime bought us?


Recent history (last 10-20 years) has demonstrated that not enough 
people update their system (think software updates, not hardware 
upgrades) nearly as often as they should.


As such, these people don't get the updates wherein the compromised root 
cert / public key therein is distrusted / banned.


So, many in the industry are responding by shortening the natural 
lifetime of such certificates.


Shortening the lifetime of a certificate does shorten the possible 
amount of time when that given compromised certificate can be used 
against people that updated to learn to not trust it.


This is not to say that fast cycle advocates are idiots. Most of them 
are prolly way smarter than I am. It's just that they stopped short of 
solving the real problem. (And some of them are opportunists: if they 
can get you to buy their wares in a panic, then they've made a pretty 
penny and can retire sooner.)


There have been at least three major attempts to convey that 
certificates should be distrusted before their expiration:


 - Certificate Revocation Lists (CRL)  --  Client checks remote data
 - Online Certificate Status Protocol (OCSP)  --  Client checks remote data
 - OCSP Stapling  --  Server fetches remote data, hands it to the 
client, client checks the verifiable data it was handed.


Sadly, all three of these have left more exposure than people are 
comfortable with.


So, rather than trying to deal with early distrust of certificates, the 
Certificate Authority / Browser Forum (CA/B Forum) has decided to tackle 
things differently by shortening the possible exposure window.



I almost regret this note because I haven't really offered a solution.


Lots of really smart people have put forth multiple solutions.  Some 
were widely deployed.  Most were not as successful as many had hoped.


Some say "security is a process". I hate that slogan, but it's kinda 
true. I DO say that we're foolish to try and shrink-wrap security into 
store-shelf remedies. There's no alternative to educating the staff.




--
Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 2:32 PM, Tom Brennan wrote:
Sorry - not clear.  What I meant was that in this case I ran openssl on 
Linux, not on Windows as Charles thought.


Fair enough.

What if I deleted the CA key file after creating the one web cert I 
needed?  That would probably solve the security issue Charles mentioned, 
but then I would need a long-term web cert, maybe not possible anymore 
with the browser cap you mentioned.


That's not going to work the way you want.

The certificate is only good if you have the associated key.

If you don't have the key, the certificate isn't worth the disk space 
that it takes up.




Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 12:58 PM, Charles Mills wrote:
https://letsencrypt.org/  provides free automated "real CA" 
certificates. IIRC they only support requests made using the "ACME" 
automation protocol. Will the HMC support that?


Let's Encrypt supports multiple authentication methods.  One of which is 
DNS based and can be used to authenticate an FQDN that can be resolved 
via the public DNS tree.


This means that you can use an ACME client which supports DNS 
authentication -- there are multiple -- to request a certificate for an 
FQDN that is not accessible from the Internet.  Ergo it is possible to 
get a certificate that is signed by Let's Encrypt, a well known CA, 
which you can then install in your HMC.


However, this will become labor intensive as you will need to do this 
roughly every 90 days.


You could also play other games wherein you have an Internet accessible 
web server running a fully automated ACME client.  Have it act as a 
proxy of sorts to provide a certificate and key for use on the HMC.  -- 
Is this advisable, nope, not at all.  Would it work, I think so.  I'd 
bet a fast food meal that it would work.


Aside:  What is a "real CA" other than one that has their root 
certificate(s) installed in clients?  }:-)




--
Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 12:13 PM, Tom Brennan wrote:
I trust your certificate experience.  But let's get back to the HMC 
issue for a second.  So the only secure way to get rid of the Firefox 
warnings and red messages is to use an externally-signed certificate 
(paid for), and I think that means a manual process to update the HMC 
web cert/key every year.  Or is there an easier way?


Can you bust the HMC down to use unencrypted HTTP instead of encrypted 
HTTPS?  --  It would get rid of the red bar.  }:-)


If you want encrypted HTTPS, you will need a certificate that the client 
you are using trusts.


Where that certificate comes from is up to you / your organization.



--
Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 10:46 AM, Charles Mills wrote:
Don't want to get into one of the peeing contests that have become 
all too common here.


Neither do I.

I do want to have a polite and professional discussion about what things 
are capable of.


Hopefully I'll learn things from you -- I usually do.  :-D  Maybe, if 
I'm very lucky, I'll teach you something.  :-)


Let me just say that never mind any enterprise PKI CA constraints, 
I think Tom was talking about OpenSSL on a PC.


Why elide what is a very germane safety component?  That being 
restricting what a given CA is allowed to sign?


OpenSSL stores private keys -- private keys -- in a pretty accessible 
format.


OpenSSL /can/ store the private key in a file.

OpenSSL /can/ /also/ depend on something like a YubiKey to store the 
private key.


If I can get into Tom's PC -- perhaps while he is at lunch, or with a 
clever phish -- and get that private key, then I can generate server 
certificates for any site in the world and Tom's associates will 
trust those certificates.


Maybe, maybe not.  It will depend if the private key is password 
protected or not.  If there is a password, it won't be a walk up and 
sign without knowing the password.


Not criticizing Tom or his processes here. Just pointing out to 
readers that there are some significant risks in general to the 
approach of "oh, I will just create an ad hoc CA and have my users 
trust it."


I agree that there are risks.

It's a question of which is more risky long term:

1)  training users to click past certificate warnings
2)  the potential for someone to abuse Tom's CA which is constrained to 
the enterprise domain name and has a hardware token (YubiKey)?


It's all about the lesser of the evils.

Trusting a CA is implicitly trusting everything that anyone does with 
its root private key.


That's where a constrained CA / root key comes into play.

Trusting the key to sign *. is very bad.

Trusting the key to sign *.example.com, not so much so.  Especially if 
example.com is a private internal domain not possible to use in the real 
world.


Yes, it is no different in some ways than trusting DigiCert. The 
difference is that DigiCert has very rigorous protocols for protecting 
its root private keys. OpenSSL does not.


It's possible for Tom, et al., to make reasonable approximations of what 
DigiCert, et al., are doing.  If Tom's company wanted to, they can 
purchase a more professional Hardware Security Module (HSM) that can get 
quite close to what more professional entities do if they so choose.


But using something like a YubiKey to hold the root key of an 
enterprise CA constrained to the internal domain is probably reasonably 
safe.  Especially if said YubiKey is used to sign an intermediate 
certificate -- like the big kids do -- and storing said YubiKey 
disconnected, in a safe in between uses once a quarter.  Especially if 
the system that does the signing is disconnected from the network.


I think it's well within reason for individuals, and especially 
businesses to fairly safely have an (Enterprise) CA that is constrained 
to their organization.




Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 12:07 PM, Tom Brennan wrote:

All true I think, except it's openssl on Linux not Windows.


OpenSSL is multi-platform and can run on Windows a myriad of ways, if 
not natively.


Aside:  The Enterprise CA can also be done with things other than OpenSSL.



--
Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 10:07 AM, Tom Brennan wrote:

And you can specify an expiration far in the future.


Remember, some web browsers are capping the limit on the lifetime of 
certificates they will work with.




--
Grant. . . .



Re: LISTSERV Trivia: Deleting drafts?

2023-08-29 Thread Grant Taylor

On 8/28/23 6:35 PM, Paul Gilmartin wrote:

I'll copy/paste a couple lines from:

Let's see how what appears on the forum compares with
the original:


Thank you for the clarification Paul.

&&	To identify a temporary data set name, for example, 
&&TEMPDS, and, to identify an in-stream or sysout data set name, 
for example, &&PAYOUT


I would expect that to be "&&TEMPDS".

Sadly, the way that IBM constructs their site, using content 
dynamically loaded by JavaScript, makes it difficult to find the 
underlying HTML.




--
Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 8:31 AM, Charles Mills wrote:
Just being a security PITA here, but that solution makes the security 
of their systems subject to whatever safeguards you do or do not put 
on yours.


Remember, Certificate Authorities can be constrained.  E.g. it's 
possible to create an Enterprise Certificate Authority that can only 
sign things in the enterprise.example.net domain and nothing outside of 
it.  Thereby significantly limiting exposure to things outside of the 
enterprise.


If I can extract the CA private key from your PC then it is trivial 
for me to create a www.chase.com certificate that will be trusted by 
their browsers without any question, and mount a man-in-the-middle 
attack on their banking.


I question the veracity of that statement.

I can't tell for sure if you are referring to extracting data (possibly 
the /public/ key) from communications in flight -or- speaking to the 
security of the CA and its ecosystem by breaching the CA for its 
signing key directly.


There is little difference in breaching an Enterprise CA's signing key 
than there is in breaching Verisign's CA signing key.  The effective 
difference is related to security around the key.  The concept is the 
same.  Just how many fences do you have to get through.


Thankfully, this can be largely mitigated by leveraging things like a 
YubiKey and / or a Trusted Platform Module on the CA system wherein the 
YubiKey / TPM / etc. hold the actual signing certificate and the main 
OS connected to them doesn't have access to and can't get access to the 
signing key.


This comes down to risk vs reward.  One system that must be tightly 
secured, possibly operated at physical console, vs many people ignoring 
~> defeating certificate security warnings on the regular.  Which is the 
lesser of the evils / better security posture?


If you are truly worried about the security of an Enterprise CA signing 
key, there are commercial solutions that can go a long way towards this. 
But this is small potatoes compared to training users to defeat 
certificate warnings.




Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/28/23 6:23 PM, Tom Brennan wrote:
Does that work?  In the past when I created a self-signed cert (for 
Apache on Linux), adding it to the trusted certs didn't work (at least 
in Chrome).  I still got the evil warnings.


I've been running into this with many self-signed certs at work.

One of the primary problems is the use of a mixture of unqualified host 
names, qualified host names, and IP addresses.  Often, self-signed 
certificates that equipment generates only use one of the forms of 
identification.  They tend to not play well with a mixture of them.


This is where the Subject Alternative Name field comes into play in the 
certificate.


I ended up creating my own CA, used that to sign the web cert, and 
then copied the CA to the trusted certs in Chrome.  Then I gave out 
the CA to the folks I work with who needed to access the web page, 
and they did the same.  That was easy and cheap for a small group of 
known users.



This is the route I'm taking.  I'm doing background research about the 
environment (I've been there a few months and don't know all the 
history) before standing up a CA explicitly for this reason.


I want to do the following things:

1)  Create an Enterprise Certificate Authority.  (More comments about 
this in my forthcoming reply to Charles about trust.)
2)  Create Certificate Signing Requests which use the following forms of 
identification:

 - IP address
 - Fully Qualified Domain Name (full host name)
 - Short host name (no dots)
3)  Sign said CSRs to generate certificates
4)  Install said certificates in equipment.

Why am I planning on going this route?  I have (at least) 33 devices 
currently using self-signed certificates with a single name exclusive-or 
IP address that we interact with on a near weekly basis.  We are 
constantly dealing with "should I use the FQDN, UQDN, or IP for this 
particular device" type issues.  We have multiple people on our team.  We 
collectively use multiple jump servers.  This culminates in a lot of 
maintenance for each self-signed certificate to be able to consume it. 
Even with that maintenance, the FQDN vs UQDN vs IP tends to cause problems.


Ultimately we end up in what I think is a poor -- at best -- security 
posture that encourages, if not requires, that users push past security 
warnings from web browsers about untrusted certificates.


I think we will end up in a much better security posture if we (I) take 
the time to stand up an Enterprise Certificate Authority and install 
its root (or chained) public certificate on client systems.


This should mean that we have much less maintenance in that we only 
need to install the root public certificate on client systems and they 
will inherently trust what said ECA signs.  No need to install many 
self-signed certificates.  1 vs 33 type thing.


I also think the FQDN vs UQDN vs IP will help things considerably.



--
Grant. . . .

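The pieces Grant describes across this thread can be exercised end to end with the openssl command line: a root CA restricted with nameConstraints to the internal domain (the "constrained CA" replies to Charles), leaf certificates whose Subject Alternative Name carries the FQDN and the IP address from the plan above, and a CRL that distrusts a leaf before it expires (the CRL / OCSP / stapling list in the "it's all about trust" reply). The script below is an added example and is not code from the thread or from any poster; corp.example, other.example, 192.0.2.10 and every file name are constructed for the demo, and it assumes the openssl tool (1.1.1 or newer) is installed.

```shell
#!/bin/sh
# Added example, not code from the thread: an enterprise CA with a DNS name
# constraint, leaf certificates carrying FQDN and IP SAN entries, and a CRL
# that distrusts one leaf before it expires. The domain corp.example, the
# address 192.0.2.10 and all file names are constructed for the demo.
# Needs the openssl command-line tool (1.1.1 or newer).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root CA whose nameConstraints extension permits only names under
# .corp.example. A client that honours the constraint rejects anything this
# key signs outside that subtree, which caps the damage of a stolen CA key.
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 365 -subj "/CN=Corp Example Enterprise Root CA" \
    -addext "nameConstraints=critical,permitted;DNS:.corp.example" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Minimal 'openssl ca' setup, used only for revocation and CRL generation.
  : > "$WORK/index.txt"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = enterprise_ca
[ enterprise_ca ]
database         = $WORK/index.txt
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 7
EOF
}

# issue_leaf STEM CN SAN-LIST: key + CSR, then a 90-day certificate whose
# subjectAltName is SAN-LIST (e.g. "DNS:a.corp.example,IP:192.0.2.10").
issue_leaf() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# verify_leaf STEM HOST / verify_ip STEM IP: chain validation plus the
# identity match a browser performs for https://HOST/ or https://IP/.
verify_leaf() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
}
verify_ip() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# revoke_leaf STEM: mark the certificate revoked and publish a fresh CRL.
revoke_leaf() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

# crl_check STEM check|nocheck: the CRL is available either way, but only
# "check" consults it; "nocheck" is what a client that skips revocation sees.
crl_check() {
  if [ "$2" = check ]; then
    openssl verify -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" -crl_check \
      "$WORK/$1.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" \
      "$WORK/$1.crt" >/dev/null 2>&1
  fi
}

# show LABEL COMMAND...: report accept/reject without tripping 'set -e'.
show() {
  label=$1; shift
  if "$@"; then echo "accepted: $label"; else echo "rejected: $label"; fi
}

make_ca
issue_leaf inside  host.corp.example "DNS:host.corp.example,IP:192.0.2.10"
issue_leaf short   host              "DNS:host"
issue_leaf outside www.other.example "DNS:www.other.example"
revoke_leaf inside

show "FQDN inside the permitted subtree"        verify_leaf inside host.corp.example
show "same certificate reached by IP address"   verify_ip inside 192.0.2.10
show "bare short name, not under .corp.example" verify_leaf short host
show "FQDN outside the permitted subtree"       verify_leaf outside www.other.example
show "revoked leaf, revocation not checked"     crl_check inside nocheck
show "revoked leaf, CRL consulted"              crl_check inside check
```

Running it prints six verdicts. The FQDN and IP checks on the in-domain leaf pass. The leaf for www.other.example fails with a permitted-subtree violation, which is the property that limits what a leaked enterprise CA key is good for. The bare short name host also fails, because a DNS subtree constraint only admits names that end in .corp.example, so a short-name SAN cannot be issued under this particular constraint and that part of the plan above needs a different arrangement. The last two lines show the same revoked leaf accepted when revocation is not checked and rejected when the CRL is consulted, which is the gap that shorter certificate lifetimes are meant to narrow.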


Re: LISTSERV Trivia: Deleting drafts?

2023-08-28 Thread Grant Taylor

On 8/28/23 4:21 PM, Paul Gilmartin wrote:

Yes.  I see your message has headers:
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-701-g9b2f44d3ee-fm-20230823.001-g9b2f44d3
Mime-Version: 1.0
References:<7241413257405975.wa.paulgboulderaol@listserv.ua.edu>
 ...
In-Reply-To:<7241413257405975.wa.paulgboulderaol@listserv.ua.edu>

Mine lacks the last two.  Are those threading?


Yes.


LISTSERV is broken.  The vendor should be made aware.


Are you sure that it's the LISTSERV software and not a 
(mis)configuration thereof?



(Of that, and of the "&" misbehavior, among others.)

(This should show two ampersands:  "&&SYMBOL.")


I don't have context of that.

But what you have in quotes of the first of the two lines should only 
show up as one ampersand if I'm remembering HTML correctly.


What you have written in quotes on the second line seems broken to me. 
I'm seeing ampersand, ampersand, a, m, p, semicolon, S, Y, M, B, O, L, 
period.


I have no idea what you were trying to write.



Grant. . . .



Re: Shell Level - was Strange results for the PS1 prompt with z/OS

2023-08-20 Thread Grant Taylor

Pre-script:  I'm glad that you got your problem solved.

On 8/20/23 1:17 PM, Tom Longfellow wrote:
I don't know all the technical aspects of SHLVL  (shell level?) - 
but they did not match.



Yes, "SHLVL" is short for "shell level".

Shell level is simply a count of how many shells deep you are.  Shell 
level in and of itself shouldn't have any impact on how the shell operates.


It is possible to have profile et al. files behave differently by 
testing shell level and acting differently based on its value.  --  I 
have done this myself to decide if I want the shell level shown in the 
prompt if it's > 1.


N.B. shell level is a read-write variable.  You can easily change it to 
anything you want.  I had a system a while ago that the GUI desktop 
environment that it had caused shells started in terminal emulators to 
have a shell level of three.  I simply altered my logic to test if it 
was three and on a given host.  If that was the case, I'd re-set it back 
to one.  This was a hack to not have to fight figuring out why the shell 
level was three upon invoking the shell.




Grant. . . .



Re: Strange results for the PS1 prompt with z/OS Unix

2023-08-18 Thread Grant Taylor

On 8/18/23 11:57 AM, Rick Troth wrote:
EXPECT IT, where "expect" means "to require" not "to presume upon". Hold 
their feet to the fire when they break shit.


ACK


It's not difficult, but it does count for "eternal vigilance".


Yep, making sure that someone / something constantly does things 
properly is an eternal task.


SUSE have worked hard to make stuff work, even in the face of contrary 
popular trends. (I won't enumerate now for sake of brevity.)


I've not had the pleasure of using SuSE.  But I know many that highly 
regard it.


Aside, I'd be curious to read your enumeration, either privately or here.

Stephen Bourne recognized the overlap between interactive commands and 
scripted commands and *intentionally* made his shell a language 
interpreter.
Bill Joy criticized it as unfriendly for interactive work, and Bourne 
conceded. If one must use a different shell for keyboard input than for 
scripting, there is the C shell.


There are MANY scripting et al. interpreters that I would loathe to use 
interactively.  Perl, Python, and PHP come to mind.


But BASH has absorbed many of the conveniences of C shell. I expect KSH 
has too (but I don't know it as well as you do). With KSH and BASH, who 
needs CSH?


I have always encouraged fellow administrators to understand, if not be 
fluent in the native shell.  As in whatever /bin/sh is (sym-linked to). 
Or similarly, whatever root's shell is.


I similarly encouraged fellow administrators to not change their shell 
in the account definition system.  Instead, have the default shell check 
to see if the preferred shell is accessible and exec it if it is.  That 
way their account is still somewhat functional in the event that their 
preferred shell is inaccessible for any reason.  E.g. file system 
containing the preferred shell isn't mounted, network problems breaking 
NFS, etc.


The problem is, when people use the C shell (Joy's brainchild) and then 
think to script a sequence of commands they had entered interactively 
... train wreck.


ACK

While C shell may be better for interactive work (than olde Bourne), it 
is widely criticized as poor on the scripting front. And people use what 
they know.


ACK

I've chosen to "know" and teach Bourne-ish shells in both modes. When I 
cobble-up a nifty sequence, I can immediately copy-n-paste that into a 
file for re-use later. This is good practice.


I routinely end up recording (part of) my shell history and using that 
as the basis for automation and refinement.


Meanwhile, ALL Bourne-compatible shells are supposed to source 
/etc/profile when invoked in "login" mode. I know that BASH, ZSH, PDKSH, 
and DASH all do. It's when the per-shell custom variant exists that 
/etc/profile gets skipped.


Yep.  I've seen some complex matrices of what files are read when both 
from upstream shell maintainer and downstream distro maintainer.




--
Grant. . . .

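The "default shell checks for the preferred shell and execs it if it is accessible" arrangement from the reply above, written out as an added example rather than code from the thread: a fragment meant for ~/.profile when the account's login shell stays at /bin/sh. The candidate paths, the sentinel variable PREFERRED_SHELL_DONE and the function names are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: keep the account's login shell at
# the system default and hop to a preferred shell from ~/.profile only when
# that shell is actually usable. Candidate paths below are constructed.

# preferred_shell CANDIDATE...: print the first candidate that exists and is
# executable; return 1 (printing nothing) when none is, so the caller stays
# in the default shell. An unmounted file system or a broken NFS mount shows
# up here as "not executable", which is exactly the failure to survive.
preferred_shell() {
  for candidate in "$@"; do
    if [ -x "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# maybe_exec_preferred CANDIDATE...: call this from ~/.profile.
# Only interactive shells switch (scripts keep the default shell), and a
# sentinel variable stops the new shell's own profile from switching again.
maybe_exec_preferred() {
  case $- in *i*) ;; *) return 0 ;; esac
  if [ -n "${PREFERRED_SHELL_DONE:-}" ]; then return 0; fi
  target=$(preferred_shell "$@") || return 0   # nothing usable: stay put
  PREFERRED_SHELL_DONE=$target
  export PREFERRED_SHELL_DONE
  # -l asks the new shell to behave as a login shell; if the exec fails,
  # an interactive shell keeps running in the default shell.
  exec "$target" -l
}

# Demo: the first candidate is a path that does not exist on this machine.
if choice=$(preferred_shell /opt/nonexistent/bin/zsh /bin/bash /bin/sh); then
  echo "would exec: $choice"
else
  echo "no usable preferred shell; staying in the default shell"
fi
```

Only interactive shells switch, so cron jobs, ssh with a remote command, and scripts that happen to source ~/.profile stay in the default shell. The sentinel matters because bash reads ~/.profile when it has no ~/.bash_profile, so without it the exec'd shell would evaluate the same fragment and exec again. When the candidate lives on a file system that is not mounted, the -x test fails and the session quietly continues in the default shell, which is the case Grant's advice is guarding against.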


Re: Has anyone

2023-08-18 Thread Grant Taylor

On 8/18/23 9:57 AM, Seymour J Metz wrote:

Understood, but vi and emacs are still on my list of software to learn.


It's been a LONG time since I've gone through it, but I can say that 
vimtutor (command) worked well for me back in the day.


I've had fun playing VIM Adventures (https://vim-adventures.com/) to 
refresh basics and learn more advanced things.  --  I think one of the 
things that VIM Adventures teaches is think about what you want to do 
and how to direct VIM to do it in the fewest keystrokes possible. 
Mostly because of things like . (dot) repeatability, macros, and the likes.


I've found Practical Vim and Vim Casts from Drew Neil and -- I think -- 
his Vim Casts to be worth watching.


I don't remember the last time I launched emacs.  I chose vi(m) more 
than 20 years ago because it started multiple times faster than emacs on 
the same system.  I go into and out of editors and live on the command 
line.  I don't boot an editor and live therein.



I found multiple views of the same file to be quite useful in XEDIT.


Yep.  I'll do similar in vim.

N.B. when I said multiple cursors, I was thinking multiple people on 
different systems editing different parts of the file.  I'm sure there 
are legitimate use cases for that, just not in the text files that I'm 
editing.


Take away CPAN and I would have abandoned Perl years ago. Libraries 
like CTAN are too useful to ignore. I regard them as part of the 
ecosystem.


ACK

Take emacs. There's a plethora of stuff that has grown up around it, 
and that makes it more useful than it would have been in isolation.


Yep.



Grant. . . .



Re: Has anyone

2023-08-18 Thread Grant Taylor

On 8/17/23 6:28 AM, David Crayford wrote:
This joke never fails to amuse me: 
https://jokejet.com/lady-gaga-tries-to-exit-vim/.


I'm as tired of exit vi jokes as I am people acting as if the mainframe 
doesn't include contemporary technology.



Is there anyone left who still uses vi?


I use a mixture of vim, vi, and ed.  Probably each to a lesser order of 
magnitude to the previous.


I have a system that I periodically edit config files on that has -- 
what I consider to be -- a bad vim profile wherein frequently, but not 
always, it will replace the first character on the line with a lower 
case g.  So I use vi rather than spending time trying to figure out why 
this is.  The powers that be keep saying that this system is going away 
any day now.


Vim has practically become the standard on most systems, and NeoVim 
is following suit with Vim. When I hear someone griping about Vim's 
lack of intuitiveness or labeling it the "editor from hell," I quickly 
realize that they probably haven't put in the effort to truly learn how 
to harness Vim's capabilities.


I agree.

But I'll counter with, why should people need to learn -- what I'll 
politely call -- a non-intuitive editor to do occasional simple edits of 
text files?


This is a case of where discoverability comes into play.  Can a user put 
in front of it discover on their own how to do what they want to do?  Or 
do they need to be taught how to do it?


The ed, ex, vi, vim, etc. all fail at discoverability.  But that's okay. 
Discoverability is not their domain of expertise.  Their domain of 
expertise is doing things with text that a less complex editor couldn't 
fathom doing.


I think the same ding also applies to emacs.  Though emacs at least puts 
a little bit more direction on screen as hints of what to do.


It's likely that they gave it a shot, grappled with its unique modes, 
may have even struggled to exit the application, and as a result, 
developed a negative impression that has persisted since that 
initial unpleasing encounter.


I think the same thing could be said about MS-DOS's edlin.

Vim's learning curve is steep, but the benefits are significant for 
those in search of a lightweight editor that's arguably more powerful 
than even the most intricate GUI applications. Moreover, it performs 
efficiently even on resource-constrained setups.


I agree.

Occasionally, I still turn to ISPF for editing JCL or REXX programs that 
reside in PDS datasets. In a recent WebEx session with my millennial 
teammates, I was demonstrating some new JCL. While performing a 
multi-line edit involving COPY/OVERLAY after column adjustments, they 
playfully laughed and teased me. Phrases like "Is ISPF your IDE?", "Does 
ISPF support multiple cursors?" and "Why not use Vim?" were thrown my 
way. I clarified that Vim can't manage MVS datasets, although the DSFS 
might eventually address that limitation. I then proceeded to showcase 
the usage of SRCHFOR from a member list. However, their response wasn't 
as impressed as it was with vimgrep, NerdTree, Telescope and the 
numerous plugins that operate seamlessly on z/OS ports of Vim.


I'm not a fan of multiple cursors / editors in the same file.

It's worth mentioning that young developers are actively embracing Vim, 
not just the seasoned Unix programmers. It has emerged as one of the 
preferred editors for full stack web development. Take a look at the 
videos and commit history for NeoVim, and you'll be amazed by the 
dominance of a TUI (Text User Interface) editor in a rapidly evolving 
tech landscape.


I've been seeing that trend for many years.  Though most of what I see 
is that most of the time these users have many plugins that 
significantly alter the behavior of the system.


Take those plugins away and these same users will scoff at the base 
unextended editor.


Now, let's delve into Git integration. We're all on the Git bandwagon, 
right? There are plugins available that empower me to delve into the Git 
history of files, providing inline annotations to pinpoint which 
developer modified a specific line of code in which commit and when!


Yep.

Now do those same things without the integration into $EDITOR.

Of course, it's all a matter of perspective, and to a young individual 
entering the realm of z/OS, ISPF might very well seem like the "editor 
from hell."


Perspective, discoverability, task at hand, terminal capability all help 
influence what editor is used at a given time.




--
Grant. . . .



Re: Strange results for the PS1 prompt with z/OS Unix

2023-08-18 Thread Grant Taylor

On 8/18/23 8:33 AM, Rick Troth wrote:
About profiling, I regularly set PS1='\$ ' which for BASH renders a 
prompt as "$" for normal users but as "#" for superuser. It's convenient.

ZSH shows that as "\$" and does not change it when I change UID.


Zsh has similar behavior.

Zsh uses different escape sequences for the prompt PS1 et al. than Bash 
does.


Check out the PROMPT EXPANSION of the zshmisc (or zshall) manual pages.

Look into %# in the Zsh prompt as it will give you # for root and % for 
non-root.



This is *not* a slam on ZSH, just an observation.


There are many differences between Zsh and Bash.  Prompt (PS1 et al.) is 
just one that surprises a lot of people.


In search of better profiling, /etc/zprofile should source /etc/profile 
and then override as needed. (PS1 being a prime example, eh?)

Or ~/.zprofile sourcing ~/.profile, same logic and rationale.


I want to agree, but I can't.  I've seen too many differences across too 
many platforms and too many Unix (like) OSs.  Getting consistent 
behavior can become very tricky and you quickly end up away from the 
purity that -- I think -- you are talking about.


There are two levels: profiling which should happen when you sign on 
(once) and "resource config" which gets invoked every time a program 
starts.


Eh

The water starts to get murky when you start using the same shell for 
both interactive (ostensibly with a TTY) and non-interactive (ostensibly 
without a TTY) use.  E.g. the former is your login shell and the latter 
is a script using the same shell.  Sometimes you want different 
configurations of that shell based on its use case.


Then you get into even more esoteric things like is your interactive 
shell a login shell or a non-login shell (possibly started from inside 
your login shell).


Aside:  Some people start additional interactive non-login shells from 
their interactive login shell as a way to divide command history or have 
different features for a task at hand.  E.g. when, in the long process of 
working on something that takes many hours, you need a shell briefly to 
fix something / unclog a printer, you start an interactive non-login 
shell, do the maintenance work therein, then exit back to the original 
shell without significantly altering your outer shell's command history. 
Think something along the lines of an "interrupt" button on copiers.


What "profile" to use when can be complicated.

RC scripts for shells should look for a sacred "I have been profiled" 
environment variable and source appropriate profiles if it is not set.


That's why ~/.bash_profile exists and is separate from ~/.bash_login, 
which is separate from ~/.profile, which is separate from ~/.bashrc.


The shell maintainers' intention for the different files often gets 
corrupted by distributors who have one file include another file.


I've not had enough coffee to remember which is for what purpose.  But I 
am confident that they are separated on purpose.


But RC scripts should not completely re-profile because they (the RC 
scripts) get sourced every time a shell starts.


Hence ~/.bash_login vs ~/.bashrc.

RC scripts of interest in this context would be ~/.zshrc and ~/.bashrc (or 
/etc/zshrc and /etc/bashrc if you're the sysadmin).


Zsh has similar separation of files like Bash does.  But mostly* with 
different names.


Many shells in the Bourne shell family (Bourne, Bash, Zsh) will also read 
~/.profile and /etc/profile as a way of being backwards compatible and 
cross-shell compatible (for a given value of compatible).


#needMoreCoffee


Does this make sense?

I started the Chicory collection when I worked in academia because I 
didn't want to be on [name your platform] and not have various tools. 
BASH was one. (I didn't know about ZSH in those days.)
It has grown and gotten honed. Most open source packages build really 
easily. (Not as easy on USS, but that's a whole nutha story.) The 
collection includes *five* shells, currently  ...


  * bash-5.2.15
  * zsh-5.9
  * pdksh-5.2.14
  * dash-0.5.12
  * tcsh-6.24.10


So that's BASH, ZSH, KSH, DASH, and a C-shell variant. (Long story about 
C-shell. Let's just say, you don't wanna.)


I assume that you're using Public Domain Korn Shell because Korn Shell 
proper source code / license wasn't available when you started that 
list.  I learned a few years ago that Korn Shell proper is now available.




--
Grant. . . .
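An added example, not from the thread, of the "I have been profiled" guard that Rick describes and the login / non-login and interactive / non-interactive distinction discussed above, written as POSIX sh with stand-in functions in place of real profile files (source_profile, rc_script, classify_shell and prompt_for are constructed names; classify_shell takes the values of $0 and $- as arguments so it can be exercised without starting real shells):

```sh
#!/bin/sh
# Added example: stand-ins for /etc/profile and ~/.bashrc showing why an rc
# script must check a guard variable instead of re-profiling on every start.

# Stand-in for "source /etc/profile": counts how many times it really ran and
# sets the guard variable that rc scripts look for.
PROFILE_SOURCED_COUNT=0
source_profile() {
    PROFILE_SOURCED_COUNT=$((PROFILE_SOURCED_COUNT + 1))
    PROFILED=1
    export PROFILED
}

# Prompt escape that shows "#" for root: Bash uses \$, Zsh uses %# (as in the
# thread).  The literal escape is returned; the shell expands it at prompt time.
prompt_for() {
    case "$1" in
        bash) printf '%s' '\$ ' ;;
        zsh)  printf '%s' '%# ' ;;
        *)    printf '%s' '$ '  ;;
    esac
}

# Stand-in for ~/.bashrc or ~/.zshrc: sourced by *every* shell start, so it
# profiles only when the guard variable is absent, and otherwise just applies
# the cheap per-shell settings.
RC_RUNS=0
rc_script() {
    RC_RUNS=$((RC_RUNS + 1))
    if [ -z "${PROFILED:-}" ]; then
        source_profile
    fi
    PS1=$(prompt_for bash)
}

# Classify a shell the way the thread does: login vs non-login comes from
# argv[0] starting with "-" (login(1) convention), interactive vs not from the
# "i" flag in $-.  $1 stands in for $0 and $2 for $-.
classify_shell() {
    arg0=$1
    flags=$2
    case "$arg0" in
        -*) kind=login ;;
        *)  kind=nonlogin ;;
    esac
    case "$flags" in
        *i*) kind="$kind-interactive" ;;
        *)   kind="$kind-noninteractive" ;;
    esac
    printf '%s\n' "$kind"
}

# Simulate one login shell followed by two nested non-login interactive shells
# (the "interrupt button" use Grant describes); each start runs the rc file.
# Prints "<times profiled> <times rc ran>", which is "1 3" when the guard works.
simulate_session() {
    unset PROFILED
    PROFILE_SOURCED_COUNT=0
    RC_RUNS=0
    rc_script   # login shell
    rc_script   # nested shell, e.g. to unclog the printer
    rc_script   # another nested shell
    printf '%s %s\n' "$PROFILE_SOURCED_COUNT" "$RC_RUNS"
}

simulate_session
classify_shell -bash himBH
classify_shell bash hB
```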



Re: Has anyone

2023-08-16 Thread Grant Taylor

On 8/16/2023 5:41 PM, Phil Smith III wrote:
As Shmuel suggests, that sounds like vi or one of its relatives. The 
best description of vi I've ever heard is:
"vi has two modes: one where it corrupts your data, and one where it 
beeps at you."


Chuckle.

That's good.

But there are more modes.  I just can't come up with any comparably 
witty descriptions.


On 8/16/23 5:27 PM, Steve Thompson wrote:

++1

I have a cert for being able to use vi from the U of Akron.  I can start 
it and kill it. Apparently that qualifies as being able to use it.


I used the following today:

:0,/^$/s/\s\+/\t/

It saved me a lot of time working on / analyzing an email.

If there's interest, I'll expand it for people.



Grant. . . .
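As an added illustration that is not part of the post, here is the same transformation the vi command performs, from the first line down to the first blank line, replace the first run of whitespace on each line with a tab, done with awk over a constructed mail-header sample (tab_headers, SAMPLE and demo are constructed names):

```sh
#!/bin/sh
# Added example: awk equivalent of the vi command  :0,/^$/s/\s\+/\t/
#   0,/^$/   -> every line from the top through the first empty line
#   s/\s\+/\t/ -> replace the first whitespace run on each such line with a tab
# Lines after the first blank line (the message body) are passed through as-is.
tab_headers() {
    awk '
        !done && /^$/ { done = 1 }            # first blank line ends the range
        !done         { sub(/[ \t]+/, "\t") } # first whitespace run -> tab
                      { print }
    '
}

# Constructed sample: three header lines (one folded), a blank line, a body line.
SAMPLE=$(printf 'From:   alice@example.com\nSubject:  Test\n  continued\n\nBody line  with  spaces\n')

# Runs the sample through the filter; header values line up on a tab stop
# while the body line keeps its double spaces.
demo() {
    printf '%s\n' "$SAMPLE" | tab_headers
}

demo
```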



Re: z/OS users

2023-08-15 Thread Grant Taylor

On 8/15/23 10:12 AM, Phil Smith III wrote:
Wow! It sure is. How many of those represent real users who log on, 
and how many represent real users who access using something else?


+1

I'm really not going much of anywhere with this, but I think it's 
useful info to have to say "This is how much the platform still 
matters".


I too find the rough numbers interesting to hear / learn about.



Grant. . . .



Please do not attack / insult each other.

2023-08-14 Thread Grant Taylor

Please do not attack / insult each other.

Let's instead have conversations where it's okay to disagree with each 
other while still respecting each other and valuing each other's opinions.


It's okay to disagree.

It's not okay to insult the person that you disagree with.



Grant. . . .



Re: USS Features

2023-08-14 Thread Grant Taylor

On 8/14/23 4:30 PM, Jon Perryman wrote:
We don't ask people to follow blindly. Instead, we don't give them 
another option. JCL, VSAM, availability to specific products and more 
ensure you are choosing wisely. Kubernetes containers, cloud and more 
are implemented by sysprogs in a manner that meets the business needs.


How did the business learn that Kubernetes could meet business needs, 
much less decide that is what the business wanted to do without first 
testing / evaluating it?


That initial testing of Kubernetes is the very type of testing that I'm 
talking about.




Grant. . . .



Re: Help for US Talent

2023-08-14 Thread Grant Taylor

On 8/14/23 3:23 PM, Bob Bridges wrote:
Am I missing something?  Why the interest in making life hard for 
recruiters?  Ok, I'm a contractor so my continued employment depends 
on their existence.  Still, why?


Recruiters aren't a problem if they are /good/ recruiters.  As in they 
pay attention to what you tell them and they don't bother you with 
things that don't qualify.


I've dealt with some good recruiters.  I've also dealt with some 
exceedingly bad recruiters.


If I thought that you normally work under those conditions - $125/hr 
or outside the US half the time - then of course you're just stating 
up front one of your requirements.  From the tone, though, it sounds 
like you're trying to make them unhappy for the fun of it.  Is there 
something going on here that I'm not aware of?


I've dealt with way too many bad recruiters this year.  I've told them 
up front what I'm looking for in a very clear and concise manner.


I clearly provided salary, location / remote, and job function.

Too many of them would inquire if I wanted to drive a forklift or 
install cable TV wiring in a completely different state across the country.


It got to the point that I would ban recruiter companies from my mail 
server after the 3rd such wildly incorrect inquiry.


It's routine for different recruiters from the same company to reach 
out, thinking that filtering is based on email address.  I've even had a 
recruiting company stop sending from their company email addresses and 
use Gmail in order to avoid email filters.


These are the low ball recruiters that I want to simply go away and stop 
talking to me.




Grant. . . .



Re: The ultimate (another one!) definition of mainframe

2023-08-14 Thread Grant Taylor

On 8/14/23 3:16 PM, Bob Bridges wrote:
I sort of agree, but I think underneath we still disagree.  I agree 
that IBM didn't think the PC software was worth developing.  And if 
they had held onto MS-DOS and approached its development in the same 
way that Microsoft did, sure, they'd probably be worth bazillions.


My hang up is that -- as I understand it -- DOS was /never/ IBM's to 
start with.


DOS was /Microsoft's/.

Or are you suggesting that IBM should have purchased exclusive rights to 
use / distribute / etc DOS from Microsoft?




Grant. . . .



Re: z/OS users

2023-08-14 Thread Grant Taylor

On 8/14/23 9:55 AM, Bob Bridges wrote:
If we're limiting the count to on-line in-house users - I'm talking 
about TSO, CICS etc - I suspect State Farm might have a thousand 
users logged on at a time (that's a massive system) but a few hundred 
is more usual in the companies I've worked for.


State Farm is one of the biggest install bases that I'm aware of.  But I 
question how many (emulated) terminals were actually connected to the 
mainframe.


I know that in the late '80s / early '90s State Farm had dumb terminals 
on many people's desks.  But there were also a lot of PCs running 
terminal emulation.


What I don't know is how many of those terminals were logged into the 
mainframe vs an AS/400.


I have a family member who was my visibility into the State Farm 
Regional Offices in the '80s and '90s before becoming an agent in the 
late '90s / early '00s.


I know for a fact that in their office as an agent, their dumb 
terminals and terminal emulators were connected to the in-office AS/400 
and that they could do much of, if not all of, the day to day things on 
the AS/400 even if the WAN connection to the mainframe in the R.O. was 
disconnected.  They would run into problems if the link to the R.O. was 
down overnight as part of batched operations.  But day to day things 
worked perfectly fine disconnected from the R.O.


I would consider these users to be logged into the local AS/400 and 
/not/ logged into the mainframe.


Similarly, it's my understanding that State Farm has rows of AS/400s in 
the R.O. that were used to front end the terminals in the R.O.


I count people that spend any amount of time interacting with the system 
directly, be it a TSO READY prompt, or ISPF, or something with VM, et 
al.  But I don't count things that connect to a front end that make back 
end calls to the mainframe as being logged into the mainframe.


Currently I have an insurance company as my main client; in-house 
there are about 220 managers who review access, with let's guess an 
average of five mainframe reports each.  They also have about 400 
independent agents that use a system that ultimately connects them 
to the mainframe, and each of those may have one or two assistants 
with their own IDs.  That's probably typical for an insurance company.


If you can, please elaborate on whether those users can function for most of 
their job if the mainframe is inaccessible due to Backhoe Bob chewing on 
WAN connections again?


I couldn't guess about how many might be logged on at once.  Oh, sure 
I could, but it's just a guess:  If there are 2000 mainframe IDs, 
maybe 500 at a time?  Purest guess.


Do you have any idea how many of those are /active/ vs /idle/ logged in 
users?


But we've also been talking about banks and their ATMs.  Do we count 
ATM customers in the number for Bank of America, with their branches 
around the country?  That could run to thousands at one time, don't 
you think?


As alluded to above, the ATM patrons aren't /mainframe/ users 
themselves.  Rather the ATM /may/ be a mainframe user.  But I've seen 
ATMs for banks that have absolutely nothing to do with a mainframe. 
IMHO ATM != mainframe.  Sure, it suggests, but it doesn't guarantee.




Grant. . . .



Re: USS Features

2023-08-14 Thread Grant Taylor

On 8/14/23 12:54 AM, Jon Perryman wrote:
You're confusing z/OS with Unix where all programmers are 
systems programmers who can do anything they want.


No, I'm not confusing z/OS with Unix.

I'm speaking agnostically about any OS that will run on the platform; 
z/OS, VM, z/TPF, or even Linux.


N.B. I don't consider USS/OMVS to be its own independent OS.  This is 
despite it being an integral and important z/OS sub-system.


z/OS is NOT about being welcoming and encouraging. It's about what's best 
for the business.


What is better for the business, discouraging people from learning 
$THING to the point that there is nobody to support and maintain it or 
providing a safe place for newcomers to learn $THING in a controlled 
safe location.


I obviously think that a safe place is better.  Ideally said safe place 
is also accompanied by access to more experienced people to help guide / 
tutor newer more junior people to make sure the newcomers do things safely.



You're on a multi-million dollar computer shared by thousands.


If anything the cost of the system implies that it will be more 
difficult for newcomers to gain access to the platform to learn.  As 
such I think it's more important to provide a safe environment for 
people to learn.


As a business programmer (not Unix sysprog), you're not qualified 
nor authorized to make these decisions.


What gives you the impression that any and all things to be investigated 
don't go through the change approval board and don't have managerial 
support?


Once upon a time Java, or more recently Node.JS, was considered new and 
toy software.  Yet today, they are both critical.


It's my understanding that many, but definitely not all, companies have 
multiple CECs, one (or more) newer for production, and one (or maybe 
more) older for DR.


My experience is that these older DR systems gain some additional value 
to the business if they are /also/ used to host sandbox VMs / LPARs.



Programmers leave z/OS for Unix in order to be in full control.


I've never heard that before.

I question the veracity of the idea that everything is about control.  I 
think there is quite a bit that's about how to safely do tasks on the 
mainframe or z/OS in a way that utilizes its unique capabilities not 
found on other platforms.



Why do you think it's difficult to get z/OS programmers?


Quite honestly, I think that the mainframe / z/OS is difficult for 
people to get access to in any capacity, and even more difficult for 
them to get access to a small safe sandbox environment for them to learn in.


Would you rather have someone that blindly follows directions that have 
been written out for 30 years with zero understanding of what problems 
any mis-step may cause, or would you rather have someone that has been 
coming up through the ranks and has lots of experience with a procedure 
and has learned what each step of the procedure is for and how it 
impacts the overall process?


I can't think of a single instance that providing a test / sandbox / lab 
instance has been a net negative.  I can think of many instances where 
having a test / sandbox / lab instance to mimic production and test 
changes before applying the changes to production has improved 
understanding, identified problems in procedures, optimized the process, 
or generally helped the overall process in many different ways.


If you believe that proof of concepts are not necessary, then please 
explain why a development system is needed as opposed to just making the 
changes in production directly.


N.B. Nothing about what I'm advocating for negates, sidesteps, or 
usurps change control or approval process.  If anything I advocate for 
quite the opposite; work within and exercise the established process so 
that you understand it and are familiar with it.  I firmly believe that 
the only way to identify problems in a process and make the process 
better is to use the process.  I firmly believe that it's best to do 
this work in a non-production environment whenever possible.




Grant. . . .



Re: Automount (was USS Features)

2023-08-12 Thread Grant Taylor

On 8/7/23 10:11 AM, Paul Gilmartin wrote:
Instead of a home directory for each user with Documents, 
etc. subdirectories there's a global Documents directory with 
subdirectories for individual users.


Which version of Windows are you talking about?  Did something MASSIVELY 
change in Windows 11?


For a *LONG* time it was C:\Documents and Settings\%UserName% for each 
user's home directory.


At some point, I don't remember when, it became C:\Users\%UserName% for 
each user's home directory.


I've not seen a version of Windows in 20 years that didn't have a 
dedicated home directory for each user where their files, documents, 
photos, etc. lived.


Please share details about where you are seeing a global document directory.

That being said, I wouldn't be surprised if there was a -- as you say -- 
global directory that had sub-directories pointing into each user's 
directory as a convenience.  But I would expect that users still had 
individual directories.


C:\Global Documents\Bob -> C:\Users\Bob\Documents
C:\Global Documents\Tom -> C:\Users\Tom\Documents

C:\Global Pictures\Bob -> C:\Users\Bob\Pictures
C:\Global Pictures\Tom -> C:\Users\Tom\Pictures

C:\Users\Bob\Documents
C:\Users\Bob\Pictures

C:\Users\Tom\Documents
C:\Users\Tom\Pictures



--
Grant. . . .



Re: USS Features

2023-08-12 Thread Grant Taylor

On 8/7/23 9:56 AM, Jon Perryman wrote:
It's absurd to allow everyone to do Proof Of Concept on z/OS. Are 
all POC vital to the business? Are POCs disruptive to the business?


These statements cause me to pause.  They seem somewhat antithetical to 
welcoming and encouraging people to use the mainframe / z/OS.


Why is it absurd to allow everyone to do a Proof Of Concept on z/OS?

Is there anything about z/OS that would cause you to worry about the 
security and stability of the system?


Do you not trust a tiny VM / LPAR running a test instance of z/OS with 
absolutely minimal resources explicitly for such PoCs?


I'd think that it would be a huge win for the platform to try to get 
more people to do things on it.


No, not all PoCs are vital to the business.  But I think that it's 
difficult to tell if any given PoC is vital until /after/ it has been 
tested.


I suspect that there were people that thought that TCP/IP wasn't vital 
to the system back in SNA's heyday.  Yet here we are 20+ years later and 
the idea of having any system without a TCP/IP stack is unthinkable. 
How long would TCP/IP for the mainframe have been delayed if someone 
didn't allow such a PoC until /after/ evidence showed that it was needed?


I sincerely doubt that operators /needed/ to create programs that 
printed interesting things to printers after hours.  But I suspect that 
many learned a thing or two about the system while doing so.


I would sincerely hope that VM / LPAR could contain anything running in 
a tiny z/OS instance such that it couldn't be disruptive to the system.


Or, if it was somehow disruptive to the system, that might be a good 
indicator that something needs to be tuned or a bug needs to be fixed 
thereby enhancing the larger mainframe z/OS / z/VM community.


I think that encouraging people to do things on the mainframe / z/OS is 
a *GOOD* thing.




Grant. . . .



Re: The ultimate (another one!) definition of mainframe

2023-08-12 Thread Grant Taylor

On 8/7/23 12:26 PM, Jon Perryman wrote:
Was it a smart decision for IBM to sell the software that became 
Microsoft?


Please clarify what IBM sold to Microsoft.

My understanding is that Microsoft, an existing but small company, came 
to IBM and said "here, we have an operating system for the IBM PC that 
you are developing, would you like to license copies from us for each 
unit that you sell?".


Specifically:

 - Microsoft had (MS-)DOS independent of and without IBM.
 - Microsoft had a non-exclusive deal with IBM and therefore was allowed 
to sell it to whomever they wanted, including directly as MS-DOS.


Given your following statement, I doubt that you are referring to OS/2 
in your previous statement.



How about creating OS/2 a few years later to fill the void they sold?


My understanding was that IBM and Microsoft co-developed OS/2 ostensibly 
as a DOS successor.  One of the partners decided to end the partnership.


I'm not aware of Microsoft purchasing any rights from IBM at the time as 
Microsoft went on to develop Windows NT partially based on OS/2.  IBM 
went on to develop and enhance OS/2.


So I ask again, please clarify what did IBM sell to Microsoft in the 
context of this thread.




Grant. . . .



Re: ransomware on z

2023-08-12 Thread Grant Taylor

On 8/12/23 4:49 PM, Tony Thigpen wrote:
You cannot run that script remotely without the Remote-CE option enabled. 
And, that option was not available until the DS8870. And, to run it you 
have to first log in as CE. A password that should have been changed at 
installation.


Do you want to hang your security on "SHOULD"?

I think the point is that there are ways that mainframes can have a 
denial of service performed against them without attacking the mainframe 
itself.


A well placed bullet in diesel tanks and transformers will cripple a bunch 
of mainframes without touching the mainframes or their data, simply by 
rendering them inoperable without a working generator or utility power.




Grant. . . .



Re: Mainframe Makers.... WAS: Ars Technica: The IBM mainframe: How it runs and why it survives

2023-08-03 Thread Grant Taylor

On 8/3/23 3:27 PM, Rahim Azizarab wrote:
IBM is the standard bearer in computer design even when it came to 
laptops, just see how well IBM designed the Thinkpads.


I hope you mean "IBM /was/ the standard bearer in computer design".

I even question that, or hope that you mean close to 30 years ago.

IBM was closely followed in the early days of the PC / AT / XT.  But 
other companies pulled alongside and started leading the pack.  Notably 
Compaq servers in the late 386, 486, and Pentium time frame started 
eating IBM's lunch.


It seems like IBM jumped the shark with the PS/2 as far as PCs are 
concerned.  I think many in the industry -- though maybe not in this 
group -- will agree with me when I say that IBM was considered an "also 
built PCs" or "they still build PCs?" in the late '90s and early '00s.


The notable exception is the ThinkPad.  But IBM gave up on that with the 
sale to Lenovo in the early '00s.


I think that x Series servers have been good all along, but they are 
priced through the nose compared to competitors.




Grant. . . .



Re: Mainframe Makers.... WAS: Ars Technica: The IBM mainframe: How it runs and why it survives

2023-08-03 Thread Grant Taylor

On 8/3/23 12:47 PM, Joel C. Ewing wrote:
The hardware is designed with redundancy to detect failures in 
components (processors, memory, I/O subsystems, interconnection cables), 
correct any resulting data errors where possible, retry a failed 
operation using different hardware components where appropriate, vary a 
failing component off line, and in many cases allow concurrent repair of 
failing components while production continues.  Undetected hardware 
errors don't happen.


Save for retrying a failed operation the rest of those statements 
weren't specific to IBM mainframes.


I remember reading about a Unix server being demonstrated at a trade 
show that was running applications interactively wherein the 
demonstrators removed all but one CPU book from the system, reinserted 
the removed CPU books, then removed the one they hadn't removed, and 
then reinserted it.  At a later demonstration they took a cup of water 
and poured it into the top of the system.  What was running continued to 
run in both demonstrations.  The real time demo programs didn't even 
stutter.  What was obvious was that other non-real-time programs running 
on the system slowed down as the OS reacted to hardware going offline 
and rescheduling tasks on the remaining online CPUs.  Monitoring agents 
lit up like a Christmas tree as they removed CPU books but became 
happier as they were re-inserted.


My understanding was that this was a system that was shipping in the mid 
to late '90s and people were buying them.  Thus not a demonstration special.


I don't remember if this was an HP SuperDome running HP-UX or a Sun 
Enterprise 1 running Solaris.


RAS is not specific to IBM.  Though I do think that IBM trademarked the 
name / phrase.


I'm not aware of any x86_64 servers being anywhere near this level of 
reliability.


Aside:  I think much of the Unix industry decided to move complexity and 
cost out of the hardware and instead put it into software that runs on 
more commodity / inexpensive hardware.


Having a super reliable basket with all your eggs in it is still all 
your eggs in one basket.


z/OS not only coordinates with the hardware when resources visible to 
z/OS are affected by failures and concurrent maintenance, it is also 
designed with the philosophy that software failures may occur within 
parts of the operating system, either from a hardware failure or a 
system software bug.   System recovery routines exist to clean up after 
such failures, limit what running address spaces are affected, and allow 
production to continue in unaffected address spaces.


I can't enumerate things, but I feel like non-mainframes have things 
that can speak to this.


Another important feature of z/OS that requires some hardware 
coordination is the System Measurement Facility that gathers measurement 
of system activity and resource usage at a level to support performance 
tuning or billing based on resource usage.


How much of SMF is hardware vs software?

System accounting -- originally for billing -- has been used for a long 
time to provide information for system scaling.


Aside from the fact that z/OS is closed-source and only licensed by IBM to 
specific hardware, if you could somehow succeed in running it under 
Linux or on non-z hardware, it would lose the reliability, availability, 
and serviceability it gets from that hardware/software synergy that 
makes it an ideal production platform for critical workloads.


There is an entire hobby genre doing exactly this.

I absolutely agree that it does not have anywhere near the same RAS that 
z Series has.  But I also realize that not everybody needs, much less is 
willing to pay for, such RAS features.


It doesn't matter how reliable the single basket is if the network 
connectivity into the facility is cut.  --  This is one of the places 
that having redundancy higher in the application stack and distributing 
load geographically starts to shine.


An IBM mainframe is a very impressive system.  A Cadillac is a very 
impressive car.  But using an IBM mainframe to serve files in a small 
office is about as appropriate as using the Cadillac to deliver pizzas.




--
Grant. . . .



Re: Mainframe Makers.... WAS: Ars Technica: The IBM mainframe: How it runs and why it survives

2023-08-02 Thread Grant Taylor

On 8/2/23 10:35 AM, Allan Staller wrote:
My vague recollection of the CRAY was that is used (at the time) 
a 370/158 to buffer up all of the data so the CRAY could run full tilt.


That may very well have been a possibility.

I read that the CRAY used a CDC mainframe as its front end for this purpose.

But I would not be at all surprised if an IBM mainframe could function 
equivalently.




--
Grant. . . .



Re: Mainframe Makers.... WAS: Ars Technica: The IBM mainframe: How it runs and why it survives

2023-08-02 Thread Grant Taylor

On 8/1/23 10:26 PM, David Crayford wrote:
When you consider that a standard commodity rack server such as an 
AMD EPYC can support 128 PCIe lanes and up to 8 memory channels I 
would suggest x86 can handle a lot of I/O if you have the right gear.


I think it's important to note that all of these are distinct and germane:

 - what the hardware can theoretically support
 - what the OS can support
 - what is asked of them
 - what people are willing to pay for

Having the right gear is very important.  Effectively utilizing it is 
also important.




Grant. . . .



Re: Mainframe Makers.... WAS: Ars Technica: The IBM mainframe: How it runs and why it survives

2023-08-01 Thread Grant Taylor

On 8/1/23 7:20 PM, David Crayford wrote:
What's the difference between channelized I/O and a rack 
of x86 servers connected to a SAN using fibre channel driven by high 
speed HBAs?


I don't know.

My understanding is that Fibre Channel is an evolution of SCSI which is 
supposedly a somewhat intelligent controller wherein the OS asks said 
controller to fetch / store some data for it.  As I understand it, the 
OS & main CPU aren't involved in the transfer beyond asking the 
controller to do the transfer on its behalf.


I'd have to reference documentation to see if / how much Direct Memory 
Access comes into play vs the CPU's involvement in the transfer to / 
from the controller.


But between the controller and the back end drive, as I understand it, 
the CPU isn't involved.


So I can't say that "a rack of x86 servers connected to a SAN using 
fibre channel" isn't using channelized I/O.  I think in many ways they are.


This is a place where minutia matters.



Grant. . . .



Re: Mainframe Makers.... WAS: Ars Technica: The IBM mainframe: How it runs and why it survives

2023-08-01 Thread Grant Taylor

On 8/1/23 3:10 PM, Rick Troth wrote:

Look for channelized I/O,


Didn't supers ~> cray use channelized I/O?

Also, I feel like there is another slippery slope discussion of what is 
channelized I/O in this context.


then other physical attributes (not just size, not just the instruction 
set).


Please elaborate on what "other physical attributes" means.



Grant. . . .



Re: Definition of mainframe? Was: Ars Technica

2023-08-01 Thread Grant Taylor

On 8/1/23 2:49 AM, Colin Paice wrote:
Your Copy on Write - may be what I know as  dual write - where you 
write to different volumes - usually on different dasd subsystems, 
so if you lose one dasd subsystem - the data is available on another.


Nope.  "Copy on Write" is explicitly what you were previously describing 
wherein multiple references to the data had the same singular copy of 
the data in the back-end and things are copied only when one of the 
references to the data changes the data.  As long as COW instances use 
the exact same data, as in base OS data sets from the same OS version, 
then there's only the single instance, independent of how many 
references to it there are.


I see writing to multiple drives in parallel -- from an OS / software 
level -- referred to as software RAID / mirroring.


COW and RAID (mirroring) are different things meant to serve different 
purposes.


You can have synchronous write - used in same "site" and async - 
where the remote end is miles away.  This is used for media failure.


Yes.  Emphasis on /media/ failure.  This does nothing for /data/ 
failure, e.g. corruption / malicious activity.


Traditional offline backups address both /media/ failure and /data/ failure.

Note. This is not a backup.   If you delete the dataset, both copies 
will be deleted.


needMOREcoffee  We seem to be thinking very similar things but typing at 
different times.



I was talking about what I think is called snapshot.  It is used like

1- Issue Snapshot copy (of your database) - this takes a couple of 
seconds or less.


I usually see snapshots created a couple of different ways:

1)  The older way was to pause things and take an actual copy.  This was 
slower and took quite a while O(minutes ~> hours).


2)  The newer way seems to be some sort of -- what I would call -- COW 
system where changes to parts of the storage are written to a new 
location and access to the primary / live interface reflects the new 
data.  Conversely the snapshot interface reflects the old data from the 
point in time the snapshot was made.  This is faster and takes much less 
time O(seconds).


The gory details of how it's done are implementation specific.

2- Backup this copy - it may take a couple of hours to read from the 
DASD subsystem, and write to perhaps Virtual Tape.


Agreed.

3- The original data set continues to be updated, whereas the copy 
does not change, so you have point of time consistency


Agreed.

4- You can restore to the point of time, and for products like DB2 
and MQ, read the logs and reapply all of the updates.


I think I agree though I will say that depending on how the snapshot was 
taken and if the higher level applications are aware of the snapshot and 
quiesced in support of the snapshot may make the difference between a 
"crash consistent" snapshot / copy and a "suspend consistent" snapshot. 
This type of consistency and how the applications roll forward from here 
gets interesting and tricky.


But, even a crash consistency snapshot is almost always more current and 
easier to recover than a cold backup from hours / days ago.  Or at least 
loses less data / is more fresh / less effort to bring back current.




Grant. . . .



Re: Definition of mainframe? Was: Ars Technica

2023-07-31 Thread Grant Taylor

On 7/31/23 12:45 PM, Colin Paice wrote:

A volume is a convenient picture - they no longer exist on modern DASD.


ACK

My limited understanding is that the S/360 or S/370 would probably not 
recognize anything in use today as DASD.  The S/390 /might/ see 
something that vaguely reminds it of DASD through ESCON / FICON.


It seems as if things are significant numbers of layers of abstraction 
and emulation.



Data is spread across many different PC sized disks.


Yep.

It's amazing if not mind blowing what can be done with abstraction and 
virtualization of storage.


We have extended volumes which are bigger than traditional volumes. 
It gives more space for the same number of volumes.


:-)

A "track" is mapped to one PC sized disk, and a block on disk. 
If you rewrite a track it will most probably go to a different 
PC disk.  In the storage controller there is a big array which has 
VOLID.CYL.Track -> pcdisk.position.


I'm not unpacking and scrutinizing that based on your "Some of the above 
is not true" comment.


I can "copy a dataset" on the same DASD subsystem just by copying 
the relevant bits of this array.  So if we have part of dataset1 
USER00.00.01 -> PCDISK1. 4000  the copy creates USER99.4002.12 -> 
PCDISK1.4000.  This copy takes a second or so.  There is no data 
transfer.  If you update dataset1, then its VOLID.CYL.track will 
point to a new block, and so the arrays diverge.


This sounds like what I generally hear referred to as "copy on write" 
and is frequent enough that it's abbreviated as C.O.W. and multiple 
things support this, one even with COW in the file name.



If we copy the dataset to a different DASD subsystem - then every block
will be read - and written to the other subsystem.


Yep.


Some of the above is not true - but it gives the picture.


;-)



Grant. . . .
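An added example, not code from this thread, IBM, or any storage vendor, that models the mapping-array copy Colin describes here and the COW snapshot behaviour discussed in the 8/1 message: a snapshot duplicates only the array, and a rewrite maps the track to a fresh block so the two views diverge. The CowStore class, the block numbers and the track addresses are all constructed for the illustration.

```python
"""Copy-on-write mapping table with instant snapshots (constructed toy model).

Not z/OS or any storage vendor's code.  It mimics the picture above: the
controller keeps an array mapping VOLID.CYL.TRACK to a physical block; a
"copy" or snapshot duplicates the array only, and a rewrite of a track
always allocates a fresh block, so the two arrays diverge from that track on.
"""
from __future__ import annotations

from typing import Optional

Track = tuple  # (VOLID, cylinder, track) -- constructed naming


class CowStore:
    def __init__(self) -> None:
        self._blocks: dict[int, bytes] = {}          # physical block -> contents
        self._next_block = 4000                       # constructed starting block number
        self.live: dict[Track, int] = {}              # live array: track -> physical block
        self.snapshots: dict[str, dict[Track, int]] = {}

    def _alloc(self, data: bytes) -> int:
        blk = self._next_block
        self._next_block += 1
        self._blocks[blk] = data
        return blk

    def write(self, track: Track, data: bytes) -> int:
        """Rewrite a track: never update a block in place, always map to a new one."""
        self.live[track] = self._alloc(data)
        return self.live[track]

    def snapshot(self, name: str) -> None:
        """Copy the array, not the data: cost is O(tracks), no block is transferred."""
        self.snapshots[name] = dict(self.live)

    def read(self, track: Track, snapshot: Optional[str] = None) -> bytes:
        mapping = self.live if snapshot is None else self.snapshots[snapshot]
        return self._blocks[mapping[track]]

    def physical_blocks_in_use(self) -> int:
        """Blocks referenced by the live array or any snapshot (garbage excluded)."""
        referenced = set(self.live.values())
        for mapping in self.snapshots.values():
            referenced.update(mapping.values())
        return len(referenced)

    def shared_tracks(self, snapshot: str) -> int:
        """Tracks whose live and snapshot entries still point at the same block."""
        return sum(1 for t, b in self.snapshots[snapshot].items() if self.live.get(t) == b)


def demo() -> dict:
    """Two tracks, one snapshot, one rewrite; returns what each view now sees."""
    store = CowStore()
    t1 = ("USER00", 0, 1)            # constructed track addresses
    t2 = ("USER00", 0, 2)
    store.write(t1, b"record A v1")
    store.write(t2, b"record B v1")
    store.snapshot("0800")           # instant: both arrays point at the same two blocks
    store.write(t1, b"record A v2")  # only t1 diverges; t2 is still shared
    return {
        "live_t1": store.read(t1),
        "snap_t1": store.read(t1, "0800"),
        "shared": store.shared_tracks("0800"),
        "blocks": store.physical_blocks_in_use(),
    }


if __name__ == "__main__":
    print(demo())
```

Because the live array and the snapshot keep sharing physical blocks on the same subsystem, this kind of copy covers a bad rewrite (the old contents are still mapped somewhere) but does nothing for media failure; only a copy to a different subsystem, where every block is read and written, gives that.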



Re: bitmapped displays [was: Definition of mainframe?]

2023-07-31 Thread Grant Taylor

On 7/31/23 11:28 AM, Paul Gilmartin wrote:

I trust that you know alternatives.  Will you describe one?


As for how I'm using X11,

I'm currently typing this reply in Thunderbird (X11 client application) 
running on a different Linux system than the one that I'm using as the 
(X11 display) server.


I have Firefox and Lotus Notes do similar.


Though I suspect that these aren't the type of applications that would 
be commonly executed in USS / OMVS.


As for the environments,

I routinely configure an interactive shell the way that I want it and 
then spawn many different things from it, be it different window, or 
foreground / background / suspended processes, or even things like 
terminal multiplexers that allow me to completely {dis,re}connect from 
things that are running.



Another thing I find useful is to pipe stdout from a command into
"less" running in a fresh xterm window, leaving my parent session
available for interactive commands.  I have a script for this.


That is an interesting use case.  I like it.

Though I suspect that while the new XTerm is open, the first XTerm is 
busy running the command generating the output and less.


But *nix makes this easy to background things to release the terminal 
for interactive use while the new terminal is showing data.




Grant. . . .



Re: Mainframe Makers.... WAS: Ars Technica: The IBM mainframe: How it runs and why it survives

2023-07-31 Thread Grant Taylor

On 7/31/23 10:40 AM, Steve Thompson wrote:

I just have to throw this in here.

IBM is not the only maker of Mainframes.


Nicely done.  :-)


I understand that Fujitsu still makes mainframes.


That's my understanding too.


Does UNISYS still make mainframes?


My understanding is that UNISYS is now primarily service on very large 
x86(_64) based systems.


I think they were one of the companies that made x86 systems in the late 
'90s / early '00s that were massively multi-CPU systems.  As in they 
(and the likes) are the reason Windows NT / 2000 support up to 32 CPUs.



How about Honeywell Bull?


I don't remember seeing anything about Honeywell computers in a LONG time.

Why don't we see these systems being discussed (or maybe I just don't 
frequent the right web sites)?


I suspect it's /where/ we are talking.  This list, IBM territory (if I 
can use such a loose comparison), geographic region, business region, etc.


Aren't Fujitsu much bigger in the Asia Pacific market?



Grant. . . .



Re: Definition of mainframe? Was: Ars Technica

2023-07-31 Thread Grant Taylor

On 7/31/23 9:28 AM, Schmitt, Michael wrote:
MAINFRAME: a computer that is larger than a midrange minicomputer 
and smaller than a supercomputer.


Chuckle.

pc < workstation < minicomputer < mainframe < supercomputer

I posit that we should word smith to be "single computer" to rule out 
large Google sized clusters of thousands of computers.


But if we rule out "single computer" how does that affect sysplex / CF?

If we say that sysplex / CF is a single computer, does that mean that we 
also include NUMA servers from the '90s which appeared to run a single 
system image?


Definitions get tricky and require discussion back and forth to arrive 
at a common definition accepted for the conversation at hand.


More seriously, http://catb.org/jargon/html/M/mainframe.html refers 
to http://catb.org/jargon/html/D/dinosaur.html, which is defined as 
"Any hardware requiring raised flooring and special power."


LOL  That tends to  put mains and supers in the same category.  At least 
most of them.  It might have included some minis in the days of yore.




Grant. . . .



Re: Definition of mainframe? Was: Ars Technica

2023-07-31 Thread Grant Taylor

On 7/31/23 6:37 AM, Jay Maynard wrote:
It's not just CPU power or number of cores, but the ability to connect 
thousands of volumes of data and access them simultaneously, and move 
that data from point A to point B efficiently.


Please elaborate, are those volumes separate DASD devices or are they 
possibly some logical component thereon?


I also wonder how common it is to have four digits of volumes (physical 
or logical) varied on at the same time.


I wonder this about both mainframes and some of the largest Open Systems 
that I've been exposed to.


Hundreds absolutely happens.  I don't know about a thousand or more.

Also, what constitutes a volume?  How different are FCP and FC LUNs? 
How different are they when the same back end storage system is 
exporting LUNs to both mainframe and Open Systems, with the primary 
difference being FCP vs traditional FC?




--
Grant. . . .



Re: bitmapped displays [was: Definition of mainframe?]

2023-07-31 Thread Grant Taylor

On 7/31/23 9:54 AM, Paul Gilmartin wrote:
A benefit of xterm on MVS (any system, in fact) is the ability to 
launch a child job with the same environment tediously built by 
the parent.


I wouldn't think that would be limited to XTerm nor MVS.

My understanding is that once the current / active / running environment 
is configured, then anything started therefrom should inherit said 
environment.


Sort of like a tree wherein anything after the current point inherits 
the current point's configuration.  Going backwards to the thing that 
started the current environment may very well yield a different 
configuration.


I don't see how this is limited to XTerm nor MVS.  I'd expect this to 
apply to many things.




--
Grant. . . .



Re: USS Features

2023-07-31 Thread Grant Taylor

On 7/31/23 8:06 AM, Rick Troth wrote:

per-user automount does not necessarily waste space


IMHO automount is completely independent of shared / separate per user 
disk space.



The thing which is mounted might be a sub-directory of a shared space.


Agreed.

Also, automount is not exclusively for user home directories. It's great 
for selected program products.


ABSOLUTELY agreed.

I've got nearly half a dozen auto-mounts on a number of systems, only 
one of which is the home directory.


I've even got automount managing /boot on Linux.  It doesn't need to be 
mounted all the time.  If it's not mounted, it's a lot more difficult to 
get corrupted.


N.B. automount doesn't protect against file access / deletion / 
modification as automounts design goal is to mount the necessary file 
system to enable said A/D/M.  Much like RAID is not a backup.




---
Grant. . . .



Re: They are *all* dinosaurs

2023-07-31 Thread Grant Taylor

On 7/31/23 9:28 AM, Seymour J Metz wrote:
But look at the dates and explain to me, e.g., how z is legacy but 
x86 is not, how z/OS is legacy but Unix is not, how COBOL and PL/I 
are legacy but C is not.


Oh!  That's simple.  "legacy" is what existed before the "new and hot 
thing" when someone was learning.


Translation, if it existed before you entered the field, it's "old".

I'm not saying that's correct.  I'm just saying that simple litmus test 
seems to cover most old / current / new both in computers and outside of 
computers.


old - before you
current - is you
new - after you



--
Grant. . . .



Re: bitmapped displays [was: Definition of mainframe?]

2023-07-30 Thread Grant Taylor

On 7/29/23 5:47 PM, Rick Troth wrote:
Xwindows is used by Linux because it had been developed widely and was 
common on Unix when Linux came into popular view.  Xwindows itself 
is an excellent development. Sadly, Xwindows is way too "chatty" and 
has other issues.


I'm curious to know what you're thinking if you'd be willing to elaborate.

(But the reactions against it from the security community are WAY 
out of line, MUCH too aggressive. Xwindows is not an evil back door 
for the hackers. But I digress.)


X11 is not good.  I don't know how /bad/ it is.

I think the biggest thing is that most people don't think about it at 
all.  As such it has a way of biting many people.


X11 has a couple of authentication methods, per IP and MIT Magic Cookie. 
Per IP is problematic when you have multiple users on either IP.  MIT 
Magic Cookie tends to help this and make things more per user.  But I 
don't think as many people use MIT Magic Cookie as should.  Almost all 
of the tutorials I've seen online still do things per IP or simply open 
up X11 to any IP that can connect to it.


Despite the authentication issue, X11 makes it too easy for a client 
that can access the X11 display server to copy the screen to a file, 
manipulate the clipboard, capture keys, read / mess with the mouse, and 
various other surprising things.


You're right: z/OS already does Xwindows.  Mac doesn't use Xwindows, 
but its fore-runner NeXT did X just fine.  (personal experience)


macOS doesn't use X11 /by/ /default/.  But my understanding is that 
there are many ways to add X11 on top of -- what I think is called 
Cocoa (?) -- thereby making it behave similar to Linux (et al.) and 
Windows with an X11 display server.


MS Windows doesn't do X, but there are numerous utilities bridging 
the gap. (Personally I go for CYGWIN/X when corp IT doesn't get in 
the way.  Works great!)  I rarely use X based apps on MVS, but I've 
used them occasionally for more than two decades. (Even used X from 
CMS. Tell the ARS Technica guy *that*, will ya?)


I'm curious what X11 based applications you ran as clients on MVS / CMS.

The nice thing about Xwindows is that it's the same from one platform 
to the next.


That's not as true as it used to be.

X11 used to be both BIGendian & littleENDIAN and supported byte swapping 
on the fly.  That functionality was disabled by default in a recent 
change (within the last year) and now must be enabled with a command 
line option on the X server.


Newer X11 servers should support older X11 clients.  I'm not as sure 
about the other way around.  Especially when you get to older releases 
or even X10.


Geek that I am, I started recompiling the compiler. (Gotta have the 
latest compiler for everything else. Besides, Linux is "open source", 
right?)  Mike was more sporty. He brought up DOOM. We had to borrow a 
nearby Sun workstation (I forget which model). There was no BITMAPPED 
DISPLAY on the mainframe.  But the beauty of this story is that DOOM 
was essentially the first application to run on Linux/390 native 
(outside of IBM).


LOL



Grant. . . .



Re: Definition of mainframe? Was: Ars Technica

2023-07-30 Thread Grant Taylor

On 7/30/23 7:58 PM, Andrew Rowley wrote:
They do dynamically expand. It's not growing that's the problem though, 
it's shrinking - releasing space so that it can be used by another user.


I feel like shrinking is a thing for many file systems.  The utility to 
shrink may not be included with the OS and need to be installed or even 
come from a 3rd party.


Not all file systems can be expanded much less shrunk while mounted. 
Many of the ones that I've worked with need to be unmounted to do such 
actions.


Usually, such actions also require the support of some sort of resizable 
container to put the file system in.  This is often Logical Volume 
Manager on Linux (across platforms).




Grant. . . .



Re: USS Features

2023-07-30 Thread Grant Taylor

On 7/30/23 10:23 PM, Andrew Rowley wrote:
A low end laptop has 250GB available. How much space should a z/OS user 
be able to use (to do their job) before they have to make a special 
request to the storage management group? 10GB? 100GB?


Please forgive the ignorant question, but does z/OS support quota in any 
way other than a hard file system limit?


Some of my testing runs to (temporarily) 100GB+ for input and output 
files. I run it on the PC because the space isn't available on the 
mainframe, but it would be nice to be able to run it on z/OS. If you get 
a few users with usage spikes to 100GB the space might not be so trivial.


I've seen a few quota systems capable of allowing users to go above a 
soft limit for an amount of time while still being bounded by an 
absolute hard limit.


This soft limit allows users to burst for temporary things, usually for 
a single-digit number of hours or days.  Once the user exceeds the time, 
their soft quota kicks in and behaves as if it's the hard limit.




Grant. . . .
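An added example, not z/OS code nor any particular quota implementation, that encodes the soft / hard / grace policy described above so the three states (under soft, bursting within grace, grace expired) can be exercised. The Quota class, its field names and the 10 GiB / 100 GiB / 7 day figures are constructed for the illustration.

```python
"""Soft / hard disk quota with a grace period (constructed model, not z/OS code).

Encodes the policy described above: usage may exceed the soft limit for a
bounded time, the hard limit is never exceeded, and once the grace period
has run out the soft limit is enforced as if it were the hard limit.
"""
from dataclasses import dataclass
from typing import Optional

GiB = 1024 ** 3
DAY = 86_400


@dataclass
class Quota:
    soft: int                               # bytes
    hard: int                               # bytes; hard >= soft
    grace_seconds: int
    used: int = 0
    over_soft_since: Optional[int] = None   # time usage first crossed the soft limit

    def effective_limit(self, now: int) -> int:
        """Hard limit while in grace (or under soft); soft limit once grace expired."""
        if self.over_soft_since is not None and now - self.over_soft_since > self.grace_seconds:
            return self.soft
        return self.hard

    def request(self, nbytes: int, now: int) -> bool:
        """Try to allocate nbytes at time now; True if the write is allowed."""
        if self.used + nbytes > self.effective_limit(now):
            return False
        self.used += nbytes
        if self.used > self.soft:
            if self.over_soft_since is None:
                self.over_soft_since = now          # grace clock starts on first crossing
        else:
            self.over_soft_since = None
        return True

    def release(self, nbytes: int) -> None:
        """Free space; dropping back under the soft limit resets the grace clock."""
        self.used = max(0, self.used - nbytes)
        if self.used <= self.soft:
            self.over_soft_since = None


def demo() -> dict:
    """10 GiB soft, 100 GiB hard, 7 day grace; a 100 GB-class test run over time."""
    q = Quota(soft=10 * GiB, hard=100 * GiB, grace_seconds=7 * DAY)
    out = {}
    out["burst_ok"] = q.request(50 * GiB, now=0)            # True: above soft, grace starts
    out["within_hard"] = q.request(40 * GiB, now=1 * DAY)   # True: 90 GiB <= hard
    out["over_hard"] = q.request(20 * GiB, now=1 * DAY)     # False: 110 GiB > hard
    out["grace_expired"] = q.request(1 * GiB, now=8 * DAY)  # False: soft now enforced
    q.release(85 * GiB)                                      # clean-up to 5 GiB
    out["after_cleanup"] = q.request(1 * GiB, now=8 * DAY)  # True: 6 GiB <= soft
    out["used_gib"] = q.used // GiB
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the grace clock is in request(): nothing is ever denied for merely passing the soft limit, but once the clock runs out every further allocation is checked against the soft figure until the user cleans up below it.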



Re: Definition of mainframe? Was: Ars Technica

2023-07-29 Thread Grant Taylor

On 7/29/23 11:28 AM, Jon Perryman wrote:
Can anyone provide the definition of MAINFRAME? The ARS Technica 
article is complete nonsense because the mainframe is a state of 
mind and nothing to do with reality. Can anyone prove me wrong?


I tend to agree that mainframe can be a state of mind which is formed by 
history and available associated technical solutions.


The IBM z16 is just 4 motherboards containing 16 CPU and many PCIe 
slots. Linux will run on an IBM z16. Is a PC also mainframe? Forget 
zPDT because I suspect it still uses a PCIe zCPU card. I can't say 
with any certainty, but I suspect that z/OS will run on a PC by using 
Hercules. What is the definition of MAINFRAME?


I'm fairly certain that zPDT and RDz are purely software emulated 
mainframes.  I've not seen anything like the P/390-E card in a long time.


I also know for a fact that people have gotten some versions of z/OS to 
run in Hercules.



1. CPU does not make a mainframe:


I think that the CPU and what it's optimized to do hints at what it is 
well suited to be used for.


I've seen video evidence of a single human being tugging an airplane 
from the gate.  But that doesn't mean that airports are giving up on 
their tug vehicles.



2. Hardware does not make a mainframe.


I think that the hardware and what it's optimized to do hints at what it 
is well suited to be used for.



3. OS does not make a mainframe.


I think that an OS and what it's optimized to do hints at what it is well 
suited to be used for.


I know that my last three comments have effectively been an "it is what 
it is" type of answer.  But the crux of it is that the $THING has been 
optimized to do the task that it's employed to do.


I wouldn't use an El Camino to haul rolls of steel to a factory any more 
than I would use an eighteen wheeler to deliver a pizza.


Linux running on z16 doesn't make it mainframe Linux. There's nothing 
stopping Linux from taking advantage of every z16 hardware feature 
(e.g. 1,600 PCIe slots) but no one is willing to build the Linux 
software.


I question the veracity of that statement.

Let's start with this - please share one z16 feature that Linux doesn't 
use so that we can discuss it.


I'm sure there are a number of them.  But I suspect the reason that 
Linux doesn't use it is for possibly surprising reasons.  Reasons that 
are probably rooted in the origins of things.



IBM hasn't duplicated z/OS software features in Linux.


I actually largely agree with that statement.

To me, the biggest thing that differentiates the mainframe / z/OS / 
etc. from Linux is the other facilities that the mainframe / z/OS provide.


I think the package suite / solution stack that is the mainframe to be 
the most salient thing that differentiates the mainframe from 
non-mainframes.


I've read many articles / heard (recordings of / videos of) some 
discussions where people say that porting applications from z/OS to 
Linux isn't a matter of re-compiling things.  Sure, the code will, or 
can be made to, compile on Linux.  But many of the supporting facilities 
that z/OS provides are completely non-existent.


4. Software does not make a mainframe. IBM sells DB2 for Linux and DB2 
for z/OS.


I think that significant differentiators actually are software.  It's 
just not -- what I'm going to call -- the primary line of business 
software like DB2 / Domino / SAP / etc.


I think it's other software, CICS, RACF, IMS, etc. that provide 
supporting services for the primary line of business applications.


DB2 for Linux runs on all hardware including z16. With Linux, you 
can still run DB2 on z16 but large customers choose DB2 for z/OS.


I take what others are doing with a huge grain of salt.  I've seen too 
many businesses continue to run something somewhere that it has been 
running for a long time because of non-technical reasons.  People. 
Support.  Technical debt.


ASK YOURSELF: Since design philosophy is the only difference, name 
the philosophy that makes a mainframe.


From what I've seen, the mainframe has integrated reliability, 
availability, and serviceability (RAS) at the hardware and OS level.


Conversely, Open Systems tend to not have the RAS capabilities that the 
mainframe has.  As such, Open Systems application designers have 
integrated RAS like features at different levels if they cared to have 
them because the hardware / OS didn't provide them.


Despite the story's false claims for z/OS relevance, it is ignorance 
in the Linux community that makes IBM z/OS relevant. Specifically, 
it's the lack of design in Linux. Consider DB2 for Linux and DB2 
for z/OS which are the same product both from IBM and available on 
an IBM z16. Linux people tell you they provide the same results, 
but they ignore the intrinsic capabilities of z/OS design.


Does ignoring the intrinsic capabilities of z/OS design alter what the 
DB2 on z/OS vs DB2 on Linux on z is capable of doing?


I'm talking brutal dollar for dollar, pound for pound, BTU 

Re: TCPIP Device/Link to Interface question???

2023-07-26 Thread Grant Taylor

On 7/26/23 9:45 PM, Jon Perryman wrote:

"HOME" was not in UNIX TCP so z/OS is the only doc available.


Based on a previous comment about HOME controlling the IP address that 
remote systems saw newly initiated connections coming from, this concept 
is in, and has been for a long time, Linux.  This is the source IP 
chosen as part of routing.  --  This very much so became a thing with 
policy based routing in the early 2000s if not before.



There are in fact many features that were (and probably still are)
specific to z/OS


I'll give you "were".  I question "still are".


(e.g. HOME, VIPA, port balancing, port forwarding, sysplex
workload balancing and much more).


By default Linux uses what is called the weak host model which means 
that the IP addresses belong to the kernel (IP stack) and not to an 
interface.  It's trivial to move any given IP address around to 
different interfaces.  --  There's some minutia to moving IPs, but I 
assume there is minutia to VIPA too.


Port balancing seems to be quite similar to what is usually called "load 
balancing" in Open Systems.  Linux kernel has this capability built in 
in at least a couple of different ways.


I don't know what "port forwarding" means in z/OS context, but port 
forwarding connections from one IP address and port pair to another is 
so common that $75 dollar routers running Linux / *BSD have been doing 
it for 25 years.  I can't even successfully do a search for what it 
means on the mainframe because of all the other collisions that I find 
in IBM i, AIX, and that's on top of all the other non-IBM related results.


I don't know if sysplex workload balancing has a counterpart, but I 
strongly suspect that load balancers described above and / or clusters 
of servers account for much of this albeit likely in a different way.



z/OS needed a more robust TCP because of sysplex.


I would never have considered using z/OS for a networking Swiss Army 
Knife.  Linux and *BSD or a Cisco / Juniper router jump to the top of 
that list.



Linux, Windows, Unix and others are single machines with unique resources.


That is their most common configuration.  But Linux and *BSD in 
particular can do so much more if you want them to.



For instance, DB2 on z/OS can be accessed from any z/OS within a sysplex


Sure.

Depending on the middleware, you can get the same IP / service instance 
to be accessible from multiple machines in a cluster.



but DB2 on Linux is available
from a single machine which cannot be transferred to another Linux.


I don't know about DB2, but I am quite certain that there are multiple 
ways to have the same IP be accessible from multiple machines.


There are even ways to transfer the connections between machines.

There are ways to synchronize firewall state between multiple machines.

I'm quite certain that how things would be done on the mainframe are 
different than how they would be done on Linux.


But I'm also fairly certain that Linux can do most of, if not all of, 
what you have mentioned.


Thank you for the additional information Jon.



Grant. . . .



Re: TCPIP Device/Link to Interface question???

2023-07-26 Thread Grant Taylor

On 7/26/23 2:18 PM, Jon Perryman wrote:

Take this with a grain of salt because it's been a long time.


Obligatory salt dose taken.

The order should not matter in my opinion. z/OS TCP has a lot more 
features than TCP on other platforms.


Would you please elaborate on that statement?

Finding the Unix equivalent is often impossible when z/OS does not have 
clearly defined terminology.


Agreed.  Having a clear explanation of what a feature does is required 
to be able to compare features, even if the nomenclature therefor differs.



z/OS HOME addresses doc was not clear when I last
looked. My interpretation was that it's the home IP address for a
sent TCP packet. In other words, when the packet is processed at the 
destination, HOME is where the response will be sent. I could easily 
be wrong and you will need to determine HOME current functionality.

Grant. . . .



Re: SYSLOGD config question.

2023-07-24 Thread Grant Taylor

On 7/24/23 1:42 PM, Tom Longfellow wrote:
I am sure that all of the Unix Gurus will laugh at my ignorance, but I still 
cannot break through this wall.


A /good/ Unix Guru worth their disk space will NOT laugh at you / your 
perceived ignorance.  A BOFH will laugh at most things, even legitimate 
questions.


The syntax of syslogd.conf is a complete 
mystery of arcane directives that I have been unable to juggle.


There are both simpler and more complex files.  But, syntax alone 
doesn't make a file simple or complex.


Aside:  There are multiple different SYSLOG implementations in the world 
and I don't have access to a mainframe to check the manual pages for USS 
/ OMVS.


I currently have a set up that sends all messages from TASKA to LOGA... All 
messages from TASKB to LOGB.


Okay.


There is also a 'catchall' that sends all the messages to a common log file.


ACK

What I would 'like' to do is replace the 'catchall' with a selection screen 
that excludes TASKA and TASKB messages but still collects the rest of the 
syslog traffic.


I don't know what to think about the "selection screen" comment.

But I'm answering as an aspiring hope to be Unix Guru some day.

syslog.conf usually has an option to negate something, frequently with a 
leading exclamation mark.  Often the negation means not this priority 
level or higher levels.


E.g. to write all mail logs below the info priority to /var/log/mail 
you'd use something like the following:


mail.*;mail.!info   /var/log/mail

To write all mail logs except mail.info exactly, you'd use something 
like the following:


mail.*;mail.!=info  /var/log/mail

With negation in mind, you need to build a pattern that matches 
everything /except/ the things that you want to not receive.


I don't know how your "TASKA" refers to a service; mail, kern(el), cron, 
etc, or a level.


If you are referring to a service, you should be able to construct a 
rule that matches all services except mail by listing all the other 
services on the line.


I have long considered the service and priority to be akin to columns 
(services) and rows (priority) in a table.  You can easily write rules 
that match a (set of) given column(s) / services or a (set of) given 
row(s) (priorities).  Writing things to do an intersection of more than 
one row and column becomes interesting.


The tedious method is to write a separate rule that matches each and 
every intersecting pair of column(s) (services) and row(s) (priorities).


There should be no problem having multiple matches writing to the same 
log file.


I hope that helps provide some insight from an aspiring Unix Guru's 
perspective.




Grant. . . .
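An added example, not code from this thread and not the z/OS syslogd: a small evaluator for sysklogd-style syslog.conf selectors, run over a constructed configuration that contains the two negation forms from the reply above plus a catch-all that drops two facilities. It shows exactly which log file a given facility.priority pair lands in, which is the thing that is hard to see by staring at the file. The function names, the sample configuration and the target file names are all constructed; the selector semantics are those of the classic sysklogd / rsyslog syslog.conf(5) format, and, as the reply already cautions, the z/OS implementation may differ, so check its manual before relying on any of it.

```python
"""Evaluate sysklogd-style syslog.conf selectors against sample messages.

Constructed example; not z/OS syslogd code.  Semantics follow the classic
sysklogd / rsyslog syslog.conf(5) format: selectors separated by ';' are
applied left to right to a per-facility set of priorities.
'facility.prio' adds prio and everything more severe, '=prio' adds exactly
prio, a leading '!' removes instead of adds, '*' means all, and 'none'
clears the facility.  The z/OS syslogd may differ; check its manual.
"""
from __future__ import annotations

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
# Listed most severe first, matching the numeric order in <syslog.h>.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def _priorities_named(spec: str) -> tuple[bool, set[str]]:
    """Turn 'info', '=info', '!info', '!=info' or '*' into (negate, priority set)."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    exact = spec.startswith("=")
    if exact:
        spec = spec[1:]
    if spec == "*":
        return negate, set(PRIORITIES)
    idx = PRIORITIES.index(spec)          # ValueError on an unknown priority
    return negate, ({spec} if exact else set(PRIORITIES[: idx + 1]))


def compile_selector(selector: str) -> dict[str, set[str]]:
    """Facility -> set of priorities that one rule's selector matches."""
    table: dict[str, set[str]] = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        fac_spec, _, prio_spec = part.rpartition(".")
        facs = FACILITIES if fac_spec == "*" else [f.strip() for f in fac_spec.split(",")]
        if prio_spec == "none":
            for f in facs:
                table[f].clear()
            continue
        negate, chosen = _priorities_named(prio_spec)
        for f in facs:
            if negate:
                table[f] -= chosen
            else:
                table[f] |= chosen
    return table


def parse_conf(text: str) -> list[tuple[dict[str, set[str]], str]]:
    """Parse 'selector<whitespace>target' lines; '#' comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector, target = line.split(None, 1)
        rules.append((compile_selector(selector), target.strip()))
    return rules


def route(rules, facility: str, priority: str) -> list[str]:
    """Every target a message with this facility.priority would be written to."""
    return [target for table, target in rules if priority in table[facility]]


# Constructed sample configuration: the two negation forms discussed above,
# plus a catch-all that drops two facilities with 'none' instead of listing
# every other facility by hand.
SAMPLE_CONF = """
# mail below info (i.e. debug only)
mail.*;mail.!info           /var/log/mail.debugonly
# all mail except exactly info
mail.*;mail.!=info          /var/log/mail.noinfo
# everything else, minus mail and cron entirely
*.*;mail.none;cron.none     /var/log/everything-else
"""

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, prio in [("mail", "info"), ("mail", "debug"), ("mail", "err"),
                      ("kern", "warning"), ("cron", "info")]:
        print(f"{fac}.{prio:<8} -> {route(rules, fac, prio)}")
```

The row / column picture from the reply maps directly onto compile_selector(): each facility is a column, the set of priorities is the rows selected in that column, and a `!` term erases rows from one column after the earlier terms filled them in.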



Re: Early UNIX certifications for MVS

2023-07-19 Thread Grant Taylor

On 7/19/23 7:34 AM, Attila Fogarasi wrote:
MVS/SP 5.1 in April 1994 announcement letter stated X/OPEN 
certification was being applied for, my memory is that it was 
obtained by GA date. MVS/SP 4.3 which introduced Open Edition had 
NIST certification and some POSIX standards implemented but not all.

Interesting information.

Neither were actually complete enough to port any significant code, 
despite the certification.


I've seen multiple indications that POSIX compliance was effectively 
simply (ab)used as checkbox compliance.


I've seen a video / talked to someone about their efforts to compile 
simple Unix utilities using the POSIX subsystem in Windows NT and the 
herculean effort that they had to go through to get anything more than a 
simple Hello World to work.


I have yet to see any indication that POSIX was more than a paper tiger. 
Though obviously my ignorance thereof does not preclude it from existing.




Grant. . . .



Re: How long for an experienced z/OS sysprog to come up to speed on a new environment?

2023-02-27 Thread Grant Taylor

On 2/26/23 7:59 PM, Leonard D Woren wrote:
What those panels should do, but I don't know whether they do this or 
not, is display the line command as it's executed.


SMIT(TY) in AIX does something like this.  I really like it.

I think it's great for new operators to use the forms to answer 
questions and then toggle the option to see the command that will be run.


There's also good context sensitive help in SMIT(TY).

I wish that more things were like this.



--
Grant. . . .
unix || die



Re: How long for an experienced z/OS sysprog to come up to speed on a new environment?

2023-02-19 Thread Grant Taylor

On 2/19/23 4:27 PM, Beverly Caldwell wrote:
But yes it has never been a problem for me. Sometimes takes a little 
deviousness to make the transfer work.


These people think they are so smart but there is usually a way round 
their little schemes.


I feel like this flies in the face of security policies that some 
organizations put in place.  What's more is that trying to circumvent 
the stated policy is often sufficient violation to become an HR ~> 
employment problem.


You should never have to try, or even attempt, to get around something.

You should have blessing and an approved method to bring something in.

If someone violates this precept to bring something in, how do you know 
that they won't also violate this precept to take something out?




--
Grant. . . .
unix || die



Re: HMC and LDAP

2023-01-17 Thread Grant Taylor

On 1/17/23 6:25 AM, Carmen Vitullo wrote:
all the local accounts are still available, like sysprog, and acsadmin, 
sysprog is probably the only account you can use remotely


Thank you for clarification Carmen.  :-)



--
Grant. . . .
unix || die



Re: HMC and LDAP

2023-01-14 Thread Grant Taylor

On 1/14/23 1:18 PM, Roger Lowe wrote:
I have setup our System z HMCs to authenticate users to a zOS LDAP 
Server using RACF as the backend and has been working successfully 
for a number of years.


I like the self hosted nature.

But what happens when you need to get into the HMC when the LDAP server 
is unreachable for some reason?


Is there a local fall back account that is used?



--
Grant. . . .
unix || die



Re: Why email from z/OS SMTP rejected by Gmail?

2022-12-12 Thread Grant Taylor

On 12/12/22 4:49 AM, Seymour J Metz wrote:
That's a SHOULD, not a MUST. I don't recall whether the SMTP external 
writer (z"l) generated message-id or whether the application needed 
to include it in its sysout.


You're using RFC language.

Remember, each and every email operator is free to do what they want to.

Google / Gmail has recently (~3 months?) been requiring headers to exist 
that almost all legitimate email has that spam is more likely to not have.


Requiring a header to exist that all contemporary mail clients (MUAs) 
have added for more than 20 years, is a fairly safe thing.  It's only 
atypical email sending systems, which aren't MUAs, that have been 
running into this problem.  Or really old / unmaintained MUAs, likely 
from 20+ years ago.




--
Grant. . . .
unix || die



Re: Why email from z/OS SMTP rejected by Gmail?

2022-12-12 Thread Grant Taylor

On 12/11/22 2:30 PM, Farley, Peter wrote:
At this Google support url there are eight different reasons that 
could apply to the error "550 5.7.1".


https://support.google.com/a/answer/3726730?hl=en


My bet is:

550, "5.7.1", Our system has detected that this message is likely 
unsolicited mail. To reduce the amount of spam sent to Gmail, this 
message has been blocked. For more information, visit Why has Gmail 
blocked my messages?


Google / Gmail has been ratcheting up the anti-spam measures as of the 
last 3+ months, including /requiring/ headers that RFCs may not actually 
require; e.g. SHOULD vs MUST.


There has been a lot of noise about this moving target of a change on 
Google / Gmail's part, at least in many circles that I travel.




--
Grant. . . .
unix || die



Re: Why email from z/OS SMTP rejected by Gmail?

2022-12-12 Thread Grant Taylor

On 12/11/22 1:52 PM, Bob Bridges wrote:

I wonder whether any old string will do as a Message-ID?


There is some rough formatting to it.  It's fairly well documented in 
multiple internet email RFCs.  I'd suggest glancing at RFC 5322.


The Message-ID looks like an email address, but it is not.  Nor do the 
parts on either side actually matter beyond uniqueness.


It's by convention that the entity that adds the Message-ID header use 
(one of) their domain name(s).  The idea is that their domain name is 
somewhat of a stand-in as the identity of a "naming authority".


As long as you follow the patterns of what's on either side of the at 
sign, it could be purely random data.  --  I personally set mine to what 
looks like an email address that feeds a spam trap (which I manually go 
through).


I'm guessing the first part of that string is assigned by your email 
provider and is unique either to AOL or to your email address;


It /may/ be assigned by your email provider.  But you can easily assign 
it yourself.


if so, it'd be easy enough to include a header with some string using 
that format, and maybe that's all Google wants to see?


Yep.  You're *EXACTLY* correct on /both/ accounts; creating and what 
Google wants.


Although why Gmail fails text emails and not HTML I don't know. 
Wait, did you try sending an HTML email to a Gmail address?


I'm guessing that was luck of the random(draw).



--
Grant. . . .
unix || die


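What Bob asks about, as an added example rather than anything from the thread: Python's standard library already builds a msg-id in the `<left@right>` shape that RFC 5322 describes, so a sending system that is not an MUA can add the header itself before handing the message to the SMTP writer. The code below adds Message-ID (and Date, the other header MUAs always supply) only when they are missing or malformed; the sample message and the example.com naming-authority domain are constructed.

```python
"""Add a Message-ID (and Date) to mail from a non-MUA sender (added example)."""
import re
from email import message_from_string
from email.utils import formatdate, make_msgid

# Loose check for the RFC 5322 msg-id shape "<id-left@id-right>". The real
# grammar allows more, but this catches the usual mistakes: missing angle
# brackets, no '@', embedded whitespace.
MSGID_RE = re.compile(r"^<[^\s@<>]+@[^\s@<>]+>$")


def looks_like_msgid(value):
    return value is not None and MSGID_RE.match(str(value).strip()) is not None


def add_missing_headers(raw, domain):
    """Parse a message and add Message-ID and Date only when absent or malformed.

    'domain' becomes the right-hand side of the msg-id, the naming authority,
    so use one you control. Returns (message, names of headers added)."""
    msg = message_from_string(raw)
    added = []
    if not looks_like_msgid(msg.get("Message-ID")):
        del msg["Message-ID"]            # drop a malformed one before replacing
        # make_msgid yields <timestamp.pid.random@domain>, unique per call.
        msg["Message-ID"] = make_msgid(domain=domain)
        added.append("Message-ID")
    if msg.get("Date") is None:
        msg["Date"] = formatdate(localtime=False)
        added.append("Date")
    return msg, added


# Constructed sample of what a batch job might hand to the SMTP writer:
# no Message-ID and no Date.
SAMPLE = """\
From: nightly-batch@example.com
To: ops@example.net
Subject: nightly report

All jobs completed.
"""

if __name__ == "__main__":
    fixed, added = add_missing_headers(SAMPLE, "example.com")
    print("added:", added)
    print(fixed.as_string())
```

Run on the sample it adds both headers; run again on its own output it adds nothing, which is the property you want in a pipeline that may see mail from both old and new senders.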

Re: SPF/SE is available for free

2022-11-01 Thread Grant Taylor

On 11/1/22 9:56 AM, Schmitt, Michael wrote:

CTC had different iterations of the product:

  - SPF/PC: ran in DOS, but used special memory management to edit larger 
files. SPF/PC can still run under DOSBox but not very well


N.B. My boxed copy of version 4.0 of SPF/PC states that it is "for OS/2 
and DOS".  So SPF/PC apparently ran in OS/2 as well.




--
Grant. . . .
unix || die



Re: SPF/SE is available for free

2022-11-01 Thread Grant Taylor

On 11/1/22 9:56 AM, Schmitt, Michael wrote:

CTC had different iterations of the product:

  - SPF/PC: ran in DOS, but used special memory management to edit larger 
files. SPF/PC can still run under DOSBox but not very well


I have a boxed copy of SPF/PC.  Does, or can, Bonnie's gift extend to the 
SPF/PC files that I have?  If so, I'd be happy to get copies of them to 
the proper parties to grow the collection.




--
Grant. . . .
unix || die



Re: Is there such a thing as JCL to transfer files using https?

2022-10-02 Thread Grant Taylor

On 10/1/22 9:52 AM, Billy Ashton wrote:
Hi everyone! You have been so helpful in the past to help me with 
getting my file transfers working with sftp, and now, we have a manager 
who wants to explore using https in batch like we do online in our 
browsers. He thinks we can secure our ports better if we are not using 
as many. We would be using it to move files back and forth with a couple 
of our major business partners.


I'm going to assume that you need to both send and receive files via 
HTTPS.  --  This is germane because pushing and pulling files tends to 
be easier to do than hosting something that will receive files that 
others push or pull.  The former can be done with Unix commands.  The 
latter tends to require web applications (of a given value).


Another option might be to use an HTTPS server as a proxy server such 
that you adapt your SFTP et al. process to leverage the HTTP(S) 
"CONNECT" command.  Researching "ssh through http proxy" (or some 
permutation thereon) should give you lots of pointers.


Personally, I feel like judicious use of a firewall would take care of 
concerns.  I'm assuming that both you and your business partners are on 
static IPs.  Or at least in well scoped networks if IPs do change.


There are also some options on Linux, namely sslh, that allow re-using 
the same port for multiple protocols.


I strongly suspect that there are other ports that are lower value / 
used by fewer things than SSH / SFTP.




--
Grant. . . .
unix || die


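The push/pull side, which the reply above calls the easy half, as an added example (not code from the thread): a client that uploads with PUT and downloads with GET over a TLS context that verifies the partner's certificate and hostname, requires TLS 1.2 or later, can present a client certificate for mutual TLS, and checks a pulled file against a SHA-256 digest agreed out of band. The partner URL, the bearer token and the partner's acceptance of PUT are assumptions; the receiving side still needs an application that accepts uploads, which is the harder half.

```python
"""HTTPS push/pull client with verified TLS (added example, not from the thread)."""
import hashlib
import io
import ssl
import urllib.request

# Assumptions: the partner exposes an HTTPS endpoint that accepts PUT for
# uploads and GET for downloads, and authenticates with a bearer token
# and/or a client certificate. Adjust to what the partner actually offers.


def tls_context(cafile=None, client_cert=None, client_key=None):
    """Context that verifies the partner's certificate and hostname,
    refuses anything below TLS 1.2 and can present a client cert."""
    ctx = ssl.create_default_context(cafile=cafile)   # system CA store if None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)   # mutual TLS
    return ctx


def sha256_stream(fileobj):
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(1 << 16), b""):
        h.update(chunk)
    return h.hexdigest()


def put_request(url, fileobj, size, token=None):
    """Build a PUT that streams 'fileobj' (size bytes) to the partner."""
    req = urllib.request.Request(url, data=fileobj, method="PUT")
    req.add_header("Content-Type", "application/octet-stream")
    req.add_header("Content-Length", str(size))
    if token:
        req.add_header("Authorization", "Bearer " + token)
    return req


def push(url, path, ctx, token=None):
    """Upload a local file; returns the HTTP status."""
    with open(path, "rb") as f:
        f.seek(0, io.SEEK_END)
        size = f.tell()
        f.seek(0)
        req = put_request(url, f, size, token)
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return resp.status


def pull(url, dest, ctx, expected_sha256, token=None):
    """Download to 'dest' and verify it against a digest agreed out of band
    (TLS protects the wire; the digest catches a wrong or truncated file)."""
    req = urllib.request.Request(url, method="GET")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp, \
            open(dest, "wb") as out:
        for chunk in iter(lambda: resp.read(1 << 16), b""):
            out.write(chunk)
    with open(dest, "rb") as f:
        actual = sha256_stream(f)
    if actual != expected_sha256:
        raise ValueError(f"digest mismatch for {dest}: {actual}")
    return actual


def self_check():
    """Offline check of the parts that need no partner: context settings,
    request construction and the digest. Returns plain values to assert on."""
    data = b"abc"                      # constructed payload
    req = put_request("https://partner.example.com/inbox/report.dat",
                      io.BytesIO(data), len(data), token="t0k3n")
    ctx = tls_context()
    return {
        "sha256": sha256_stream(io.BytesIO(data)),
        "method": req.get_method(),
        "length": req.get_header("Content-length"),   # urllib capitalises keys
        "auth": req.get_header("Authorization"),
        "tls12_floor": ctx.minimum_version == ssl.TLSVersion.TLSv1_2,
        "verifies": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


if __name__ == "__main__":
    print(self_check())
```

Using the partner's CA bundle as `cafile` rather than the system store narrows what the client will trust to that one partner, which is the HTTPS analogue of pinning an SFTP host key.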

Re: Once upon a time......

2022-08-21 Thread Grant Taylor

On 8/21/22 12:17 PM, Dave Jones wrote:
Now I am wondering if, perhaps, the time is right for IBM to 
re-consider that decision. On modern z processors, we already have IEEE 
floating point instructions in the hardware, Linux (a popular options 
for Intel-base number-crunch systems), and support for PCIe. IBM is 
already allowing 3rd-party SSD drives to be attached and accessed by 
the o/s.


Which "floating point" instruction are you referring to?  My 
understanding is that there are many.


My understanding is that Intel CPUs also have many different floating 
point instructions in the hardware.


What if we were able to connect a number, say, 40, of GPU cards (like 
the Nvida Tesla 1000) to a z box. Have the I/O system pass the GPU 
card directly an LPAR running on the system.


I would wonder about the ratio of GPUs to systems for failure domain.

40 GPUs per system vs 8 GPUs per system.  If there is a system failure, 
the former takes out all of the GPUs while the latter takes out 1/5 of 
the GPUs.


Porting the CUDA drivers over to Linux (or z/OS, or CMS for that matter) 
does not appear to be that difficult and the hardware changes should 
be transparent to the o/s.


That sounds like programming effort in the porting whereas the requisite 
programs already exist on the Open Systems side.


Linux already supports a large number of scientific software 
applications, runs the latest versions of popular scientific languages 
(FORTRAN, C/C++, Python).


I believe the IBM z would be well-suited to this, as the density of 
cards in the PCIe cages is far greater than the density that could 
be obtained in normal PCs.


I question the veracity of that statement.

There are multiple commercially available systems that will hold eight 
GPUs in a 3 RU server.  That means that it would be possible to put 104 
GPUs in a standard 40 RU cabinet.


The last time I checked, the smallest IBM Z would fit in a standard 19" 
cabinet, but it took up a considerable amount of the cabinet.  So how 
many I/O drawers ~> GPUs are you going to fit in that cabinet with the 
CEC(s)?


Then there's the fact that in most of the GPU based computing that I've 
seen, a disproportionate amount of the computing is done by the GPU and 
the CPU does little more than shuffle data around.  In some ways, the 
GPU might be thought of like the processor and the CPU thought of like 
I/O controllers.  So with this in mind, just how much CPU is needed for 
an I/O controller?  Is it really worth consuming more RUs that can be 
dedicated to more GPUs?


This, combined with the strong sysplex clustering ability of z/OS (or 
SSI on z/VM) could allow the system Z platform to pack more computing 
power into a smaller footprint than a comparable Intel-based Linux 
cluster system, while being easier to use as programs would not have 
to be rewritten to take advantage of the system's clustering.


Despite z/OS having impressive clustering abilities, I don't think that 
GPU based computing would take advantage of it.


It might be an easy sell on its energy-reduction assets alone, since 
everyone is now worried about how much energy data-centers now consume.


I don't have any numbers to back it up, but I question the veracity of that.

Thoughts/comments/objections welcome, of course. Full disclosure: 
this idea was first suggested to me by Enzo Damato after his tour of 
the POK lab.


I believe that putting GPUs in the mainframe would be very interesting. 
And would probably have some interesting applications.  But I don't 
think that using a mainframe to drive GPUs is going to be the next big 
thing in GPU heavy computing.


Also, look at all the BitCoin (et al.) miners out there that use PCIe 
expanders (fan-out) to connect many GPUs to a single CPU.  I've seen GPU 
to CPU ratios ten to one or greater.  So, again, the CPU workload isn't 
where the demand is.  I also think that the CPU workload is what the 
mainframe brings to the table.


I think this is an interesting thought experiment.  But I don't think 
that it will compete in the market.  Partially because if it would, I 
suspect that it would be doing so already.




--
Grant. . . .
unix || die



Re: Superuser (su) in batch

2022-08-11 Thread Grant Taylor

Drive by Unix comments below.

On 8/11/22 9:15 AM, Chen, Ya-Fang wrote:

echo 'date' ! su ;
echo 'mkdir -m 755 /home/y01' ! su ;
echo 'mkdir -m 755 /home/y01/.ssh2' ! su ;
echo 'chown -R y01:agroup  /home/y01' ! su ;


Is there a reason that you are echoing commands into su's STDIN verses 
passing the command to su directly?  E.g.


su -c 'date'
su -c 'mkdir -m 755 /home/y01'
su -c 'mkdir -m 755 /home/y01/.ssh2'
su -c 'chown -R y01:agroup /home/y01'

My experience is that explicitly specifying things works out better than 
implicitly piping things into STDIN.




--
Grant. . . .
unix || die



Re: Looking for old (fake) humorous IBM password memo

2022-08-03 Thread Grant Taylor

On 8/3/22 5:54 PM, Phil Smith III wrote:

There's this.


Interesting.

Do you have a document ID?

I'd like to find more on NIST's site and read it.

Thank you.



--
Grant. . . .
unix || die



Re: Mainframe outage affecting W.Va. state agencies could take 48, 72 hours to resolve Inbox

2022-07-29 Thread Grant Taylor

On 7/29/22 8:48 AM, Bob Bridges wrote:
Some of my favorite military authors talk about the dreaded post-battle 
analysis, in which a board sits on the officers involved and asks 
lots of penetrating questions:  Why did you make that choice? 
If the enemy had done this, what would have been your options? 
Did you receive intelligence notification SR-45T, dated such-and-such, 
about the enemy's new tech, and did you take that into account when 
you arranged your forces?


I remember some time in the last 5-10 years hearing the "Blameless 
RCA" phrase and liking it.  Then people went and spoiled it.


My intention behind blameless RCAs is to understand what people did, why 
they did it.  Sort of like trying to glean insight into their brain's L1 
cache at the time during the incident.  --  There was /some/ amount of 
sanity checking of the data / algorithms people applied.  --  But I 
always wanted to understand their state and how altering the state next 
time might change things.


In some ways, it's like the Flight Data Recorder.  The FDR in and of 
itself doesn't place blame.  It may well show that the pilot did 
something in error.  It may also exonerate the pilot if there was a 
mechanical malfunction or external influence.


Sometimes the outcome of such an investigation will be training. 
Sometimes the outcome of such an investigation will be a process change. 
Sometimes the outcome of such an investigation will be new safety 
guards so that someone doesn't stick their hand in front of a moving knife.


I understand why it feels to the victims as if the purpose is to 
spread blame around.


In my (not so) humble opinion, if the person being asked the questions 
feels like they are being blamed, then the person asking the questions 
is doing it wrong.


But this is the time to look at everything that happened and see 
what should have been done differently.  It's a great time to answer 
honestly "in the press of the moment, I never thought of that option", 
and "our logs show that we received that communication, but I don't 
recall it".


#truth

Blame, shmame; the board presumably knows what happens in "the 
press of the moment", and this is my best opportunity to improve 
my decision-making.


Sometimes it's best to mute a low priority alarm so that people can 
focus on higher priority alarms.  ;-)


(Which sounds heroically rational, but I still get all defensive 
during coding reviews.)


I think there is some room for improvement in how people ask questions 
during code reviews.  E.g. "Please help me understand what you are doing 
here and why you are doing it that way?"  As if a student asking a 
teacher a question.


Conversely, the "teacher" needs to be both receptive and open minded to 
such questions from the "student".




--
Grant. . . .
unix || die



Re: Mainframe outage affecting W.Va. state agencies could take 48, 72 hours to resolve Inbox

2022-07-28 Thread Grant Taylor

On 7/28/22 3:22 PM, Bob Bridges wrote:
Belated comment: I got a couple of laughs out of this post originally, 
but it might be well to realize that these stories are not of failures. 
This is why we do DR tests.  It'd be a failure if you have an actual 
D and found you couldn't R.


So we try it out ahead of time, discover what we don't know, and 
repeat as necessary.  That discovery is success, not failure.


This is exactly why I *LOVED* the extra time at the end of the 
coordinated D.R. Test window.  We had extra hardware, we had copies of 
our systems (if we did our job correctly) and no threat of an outage.  I 
thought it was *GREAT* that we could test things /after/ the D.R. Test 
results were declared but before people went home.


Lots of learning and experiments happened in those 36-48 hours.



--
Grant. . . .
unix || die



Re: "Mainframe outage affecting W.Va. state agencies could take 48, 72 hours to resolve"

2022-07-26 Thread Grant Taylor

On 7/26/22 1:34 PM, Enzo D'Amato wrote:
The first card probably failed months ago, and no one bothered to 
change it. When that happens, you are just asking for downtime.


I would speculate that people were acting on the 1st failed card in a 
lackadaisical manner, seeing as how it's probably out of service 
contract and needed to be procured outright.


Then their lackadaisical manner changed when the 2nd card failed.



--
Grant. . . .
unix || die



Re: [EXTERNAL] Re: "Mainframe outage affecting W.Va. state agencies could take 48, 72 hours to resolve"

2022-07-26 Thread Grant Taylor

On 7/26/22 1:12 PM, Bill Johnson wrote:
It amazes me how little most laypeople know about IT and how easily 
they are brainwashed into believing the cloud will solve everything.


I was working on a project years ago when I overheard someone say "I'll 
be glad when we move to the cloud so that we don't need to worry about 
these REDACTED firewall changes / forms."


I clamped my mouth shut and walked away.



--
Grant. . . .
unix || die



Re: [EXTERNAL] Re: EXTERNAL: Re: FedEx to move entirely to the cloud [Internal]

2022-07-11 Thread Grant Taylor

On 7/11/22 1:32 PM, Karl S Huf wrote:
I would refer anyone genuinely interested in sibling pend to 
download and review Dr. H. Pat Artis's "Sibling Pend: Like a Wheel 
Within a Wheel" 1996 CMG paper (available to download at Dr. Pat's 
site http://www.perfassoc.com ).  While the technology underpinning 
storage has changed a lot the concept of sibling pend really hasn't. 
I suspect this paper isn't new, though, for many on this list.


Thank you for the pointer to the paper as it's new to me.  The concept 
is not new, but the paper will be an interesting read.


Sibling PEND: Like a Wheel within a Wheel
Dr. H. Pat Artis - Published in 1996

Published in the Proceedings of CMG '96 Abstract: After more than 2 
decades of refining performance measurement and tuning strategies for 
traditional DASD devices and the MVS I/O subsystem, performance analysts 
are now presented with the vagaries of measurement and tuning for RAID-5 
based subsystems. While a variety of conceptual models might be proposed 
to explain the performance characteristics of these subsystems, this 
paper will focus on the author's paradigm of a physical I/O subsystem 
within the logical MVS I/O subsystem and the sibling PEND which results 
from collisions within the physical disk subsystem.


http://www.perfassoc.com/register.php/pdf/papers/sibling_pend_paper_96.pdf



--
Grant. . . .
unix || die



Re: Own your own Z13 and Z16

2022-07-01 Thread Grant Taylor

On 7/1/22 6:20 AM, René Jansen wrote:

I want one with the Z Series instruction set.


Does using a Lenovo Z13 / Z16 to host IBM's zD&T or zPDT count?



--
Grant. . . .
unix || die



Re: How to Remove Ciphers in SSH

2022-06-01 Thread Grant Taylor

On 6/1/22 8:36 AM, Gilson Cesar de Oliveira wrote:

Hi list,


Hi,


I'm facing an issue related to removing ciphers from the SSH configuration.


Oy vey.

When you execute ssh -Q cipher I can see the list with the ciphers 
and I'd like to remove some of them


From my understanding all I have to do is the following:

Include the Ciphers statement with the "-" at the beginning of 
the cipher name and it'll be removed from the default set.


Ciphers -3des-cbc,--aes128-cbc


Maybe it's a little different on the mainframe, but I'm used to 
something like the following on Open Systems:


   % ssh -o KexAlgorithms=+diffie-hellman-group-exchange-sha1 
root@100.64.1.100


You'd want to use a "-" in place of the "+" to remove something.  -- 
I'm adding something to make a new client talk to something old.  -- 
You'd probably also want to use "Ciphers" in place of "KexAlgorithms".


One important bit is the "-o ..." parameter as it's how you tell the ssh 
client that you are providing options that don't have their own / bare 
command line options.


The ssh_config manual page has a lot more details.

You can also put the "KexAlgorithms=+diffie-hellman-group-exchange-sha1" 
in a "Host ..." section in the client ssh config file (individual 
~/.ssh/config or system wide /etc/ssh/ssh_config)


No errors when starting the SSHD but when I type ssh -Q cipher I'm 
still viewing those which I've included to be removed.


I'm not surprised that asking SSH what it supports is listing 
everything.  I'd expect it to be more of a what's compiled into the 
client verses what's enabled.


We are at z/OS V2R4 and OPENSSH is at version 7.6 that comes with 
the z/OS version.


If anyone could give some light I'll really appreciate that.


I'd suggest that you skim the OpenSSH Legacy Options page as it has more 
details on this and is probably the opposite end of the candle that 
you're working on and can easily be adapted to influence things for you.


Link - OpenSSH Legacy Options
 - https://www.openssh.com/legacy.html



--
Grant. . . .
unix || die


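An added example, not code from the thread, that makes the `-` / `+` handling above concrete and shows the check that actually answers Gilson's question. Per ssh_config(5) in current OpenSSH, a Ciphers (or MACs, KexAlgorithms) value that starts with `-` removes the named ciphers, wildcards allowed, from the default set, one that starts with `+` appends to it, and a bare list replaces it; the z/OS 7.6 port should behave the same, but confirm with its own output. `ssh -Q cipher` lists what is compiled in, so it never changes; the effective list is the `ciphers` line of `ssh -G host` (client) or `sshd -T` (server), which the audit function below reads. Note that a token such as `--aes128-cbc`, as in the quoted Ciphers line, still carries a dash after the prefix is stripped and so matches no cipher name and removes nothing. The default list and the `sshd -T` output here are constructed samples, not z/OS 2.4 values.

```python
"""Apply ssh_config algorithm-list prefixes and audit the effective list
(added example, not from the thread)."""
from fnmatch import fnmatchcase

# Constructed stand-in for a client's default Ciphers list; use the
# 'ciphers' line from `ssh -G somehost` on your own system for the real one.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc",
]


def apply_algorithm_spec(spec, default):
    """Mimic ssh_config(5) handling of Ciphers/MACs/KexAlgorithms values:
    '-a,b' removes a and b (wildcards allowed) from the default set,
    '+a,b' appends a and b to it, and a bare list replaces it outright."""
    spec = spec.strip()
    if spec.startswith("-"):
        patterns = spec[1:].split(",")
        return [c for c in default
                if not any(fnmatchcase(c, p) for p in patterns)]
    if spec.startswith("+"):
        extra = [c for c in spec[1:].split(",") if c not in default]
        return default + extra
    return spec.split(",")


# What a reviewer would flag in an effective list (CBC modes and the
# legacy stream ciphers); extend to taste.
WEAK_PATTERNS = ["*-cbc", "arcfour*", "blowfish*", "cast128*"]


def weak_ciphers(ciphers):
    return [c for c in ciphers
            if any(fnmatchcase(c, p) for p in WEAK_PATTERNS)]


def effective_ciphers(dump):
    """Extract the 'ciphers' line from `sshd -T` (server) or `ssh -G host`
    (client) output; that, not `ssh -Q cipher`, is what is enabled."""
    for line in dump.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "ciphers":
            return value.strip().split(",")
    raise ValueError("no ciphers line in dump")


# Constructed sample of `sshd -T` output for a server that still has CBC.
SAMPLE_SSHD_T = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256,hmac-sha2-512
"""

if __name__ == "__main__":
    print("after 'Ciphers -3des-cbc,aes128-cbc':",
          apply_algorithm_spec("-3des-cbc,aes128-cbc", DEFAULT_CIPHERS))
    print("after 'Ciphers -*-cbc':",
          apply_algorithm_spec("-*-cbc", DEFAULT_CIPHERS))
    print("weak in sshd -T sample:",
          weak_ciphers(effective_ciphers(SAMPLE_SSHD_T)))
```

In practice the check is: change sshd_config, restart sshd, then feed the real `sshd -T` output to `effective_ciphers` and expect `weak_ciphers` to come back empty; `ssh -Q cipher` will keep listing 3des-cbc no matter what the configuration says.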

Re: my new z114

2022-05-29 Thread Grant Taylor

On 5/29/22 12:26 PM, Seymour J Metz wrote:
You could theoretically add wires without removing the board. I've 
never seen it done and I suspect that it's not safe.


I'm now getting the impression that the wires were sort of latched into 
the board and the plugboard tool was used to unlatch wires for insertion 
and removal.


The idea of plugs & wires being latched into the board makes more sense 
as far as inserting & removing the entire board from the system.  As if 
the board is simply a passive frame that holds the plugs & wires in 
place while the actual jack for the plugs remains in the system.


I have no idea if this is remotely correct, but it does make a LOT more 
sense to me than removing and inserting boards with a bunch of jacks in them.




--
Grant. . . .
unix || die



Re: my new z114

2022-05-29 Thread Grant Taylor

On 5/29/22 12:00 PM, Seymour J Metz wrote:
ObBentPins FWIW, I've never seen anybody re-plugging a board without 
first removing it.


I've read about the boards being interchangeable before.  I never knew 
what sort of connector / interface would be used between the board and 
the rest of the system.




--
Grant. . . .
unix || die



Re: my new z114

2022-05-27 Thread Grant Taylor

On 5/27/22 11:01 AM, Joe Monk wrote:

They do make 10 gig. Copper SFPs...


I assume that you mean copper RJ45s.  Yep.  I've seen and used them.

I've also seen and used copper Direct Attached Cables where the SFP+, 
intermediate cable, and SFP+ are one fixed unit.


This is why I said "vast majority".  ;-)



--
Grant. . . .
unix || die



Re: my new z114

2022-05-27 Thread Grant Taylor

On 5/27/22 9:41 AM, Mike Schwab wrote:

The RJ45 Ethernet should plug into your network just fine.


I've run into more than a little network hardware that is only one 
speed.  Especially if it's an early example from a generation.


Also, the vast majority of the 10GBase-T network equipment that I've 
seen is fiber.  So RJ45 won't /directly/ connect with fiber.  Though 
perhaps an in-line media converter would suffice.




--
Grant. . . .
unix || die



Re: my new z114

2022-05-27 Thread Grant Taylor

On 5/27/22 8:43 AM, Enzo D'Amato wrote:
Most of my home network is 10GbE, and I wanted to put one of those 
cards in so I can directly network it to my core switch, but I don't 
want to order one if it will not activate.


Impressive.

I am currently working on sourcing FICON storage, and I will update 
you if I make any headway on that front.


Is there any way for one mainframe to export storage to another 
mainframe as something more than NFS?  E.g. could a zD&T-LE provide CKD 
storage to another CEC?


I also have a plan and I think I will be able to get some mainframe 
attached virtual tape set up.
I have no idea what it's capability is, but I've used a virtual tape 
package, I think it was named "MVT", for Open Systems.  Maybe it could 
be made to do something for you.


I would like to get in contact with someone about getting software 
disks/licences for my machine.


I wonder how flexible zD&T-LE licensing might be.  Could zD&T-LE's 
/licensed/ software run on your z114 /legally/?  --  I have no doubt 
that it's /technically/ /possible/ to do so.




--
Grant. . . .
unix || die



Re: z/PD&T LE cost

2022-04-25 Thread Grant Taylor

On 4/25/22 6:00 AM, Lionel B. Dyck wrote:
And you are correct - in ALL my communications with IBM about the 
LE they repeated that it was for educational purposes and NOT to be 
used to create software for distribution - not for commercial and 
not for open-source.


Does anyone happen to know if there's any difference in the software 
included in the license between zD&T-Learner's Edition and zD&T-Personal 
Edition?


I'm just curious as I expect that the zD&T-LE would do everything I want 
to do for my personal #edutainment.




--
Grant. . . .
unix || die


