Re: z/OSMF and ServerPac - dataset names

[Keith Gooding]

Hi Radoslaw.

Yes, you have to rename most of the datasets but it is not as bad as it sounds. 
I think I mapped the datasets to.target volumes and then filtered on the volume 
to get a list of all sysres datasets. Then you can change the CB. 
ST123456 prefix to null for all of those datasets in one operation. Repeat for 
DLIB datasets etc. you may want to leave some datasets as is - datasets such as 
PDMDIR and other package-related datasets which do not form part of the target 
system can be left as-is.

IIRC it helps is you can base you configuration on an existing software 
instance. If you did not use ZOsmf to create your previous z/os level you can 
get z/osmf to create a software instance - it examines the old DDDEFs. That is 
one of the things that surprised me - I could not see how it could set sensible 
defaults without a prior version of a ‘profile’ until I saw how it worked.

I do not understand all of the fuss about z/osmf - software installation works 
quite well and is an improvement on the ISPF dialogues in many areas. For 
instance you do not have to remember the dialogue commands which you may have 
used once every 2 years.

I am also very impressed how quickly IBM (Chinese labs) react to implement 
corrections and new features. The security checking feature is very good.

Keith 


> On 13 Jul 2024, at 13:45, Radoslaw Skorupka 
> <0471ebeac275-dmarc-requ...@listserv.ua.edu> wrote:
> 
> I just started z/OS 3.1 installation using z/OSMF.
> 
> So far, so good.
> I am on "Configure this deployment  - Data Sets" stage.
> 
> I noticed all my datasets have a name like CB.ST123456.SYS1.LINKLIB.
> ST123456 is an order number.
> 
> Obviously I wan to have SYS1.LINKLIB, without two first qualifiers 
> CB.ST123456.
> 
> Q: Should I rename all datasets in an order?
> 
> It seems ridiculous to me, I don't believe it would be necessary. However I 
> haven't found any clue about it.
> 
> BTW: I'm really going to rename *some* datasets, i.e. mass-change ISP.** to 
> SYS1.**, etc. And slightly increase allocation for most.
> 
> --
> Radoslaw Skorupka
> Lodz, Poland
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: DSNTEP2 problem

[Keith Gooding]

TSO is then running the TSO Run command rather than a DB2 command - taking 
“PROGRAM(DSN2)” - which it expect to be a DSN - to be a PDS member and 
objecting to the PLAN parameter which is not a valid parameter for the TSO 
command.

Keith

> On 6 Jun 2024, at 14:52, Wayne Driscoll 
> <05791921711d-dmarc-requ...@listserv.ua.edu> wrote:
> 
> When the DSN command processor successfully starts up, the command prompt
> will be DSN, not READY. this implies that the DSN command wasn't found or
> some other error occurred.
> READY
>  DSN SYSTEM(DSN1)
> DSN
>  -DIS THREAD(*)
> DSNV401I  -DSN1 DISPLAY THREAD REPORT FOLLOWS -
> DSNV402I  -DSN1 ACTIVE THREADS -
> 
> Note "DSN" not "READY" after the DSN command was processed.
> 
>> On Thu, Jun 6, 2024 at 7:47 AM Attila Fogarasi <
>> 05b6fee9abb7-dmarc-requ...@listserv.ua.edu> wrote:
>> 
>> It's a Db2 bug, maybe made worse by the way parsing works.  The message
>> means that the bind for the plan specified doesn't match the Db2 level
>> being executed.  Full employment for Db2 DBAs.
>> 
>>> On Thu, Jun 6, 2024 at 9:58 PM Peter Relson  wrote:
>>> 
>>> 
>>> RUN  PROGRAM(DSNTEP2) PLAN(DSNTEP1) LIB('DB2.DBV.SDSNSAMP')
>>> IKJ56712I INVALID KEYWORD, PLAN(DSNTEP1)
>>> 
>>> 
>>> I'm surprised that TSO parsing (and given that we see an IKJ message, it
>>> seems that TSO parsing is being used, not necessarily by TSO itself)
>> would
>>> consider a "bad value" (especially when the possible values are not
>>> knowable to a parser) to be an "INVALID KEYWORD" (as opposed to if the
>> user
>>> had coded PLANN(DSNTEP1) it might have complained that PLANN was an
>> invalid
>>> keyword.
>>> 
>>> Peter Relson
>>> z/OS Core Technology Design
>>> 
>>> 
>>> --
>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>> 
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
> 
> 
> --
> Wayne Driscoll
> Software Engineer | Mainframe Software Division
> Broadcom Software
> 
> *Office: *630-300-1931* Mobile:* 630-247-1632
> wayne.drisc...@broadcom.com
> 
> --
> This electronic communication and the information and any files transmitted
> with it, or attached to it, are confidential and are intended solely for
> the use of the individual or entity to whom it is addressed and may contain
> information that is confidential, legally privileged, protected by privacy
> laws, or otherwise restricted from disclosure to anyone else. If you are
> not the intended recipient or the person responsible for delivering the
> e-mail to the intended recipient, you are hereby notified that any use,
> copying, distributing, dissemination, forwarding, printing, or copying of
> this e-mail is strictly prohibited. If you received this e-mail in error,
> please return the e-mail to the sender, delete it from your computer, and
> destroy any printed copy of it.
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: zOS and z16

[Keith Gooding]

Grant.

We have not done the upgrade yet. I hope to run 2.3 without z/vm. I applied 
whatever z16 maintenance was available without an extended support contract ( 
2.3 is out of support but was still supported when z16 A01 was released so I 
was able to apply the PTFs for the 32Gb card and other PTFs. We are upgrading 
to an A02. )

We have z/vm and I will use that if necessary. Our other LPARs are z/os 2.4 to 
3.1.

We have 8gb cards in the z14 because we needed to support some old disks. It 
would have been better to have upgraded to 16gb cards before the upgrade to z16.

Keith 

> On 16 Apr 2024, at 14:07, Grant Carson 
> <0620d2720937-dmarc-requ...@listserv.ua.edu> wrote:
> 
> Thanks Keith,
> 
> Is that 2.3 running under VM? And did you apply the z16 toleration? We have 
> upgraded FICON cards in the current z14, these will be carried forward onto 
> the z16.
> 
> Thanks,
> Grant
> 
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf Of 
> Keith Gooding
> Sent: Tuesday, April 16, 2024 1:02 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: zOS and z16
> 
> !---|
>  This message came from outside your organisation
>  Be cautious! Do not click links, supply credentials, open
>  attachments, or perform any requested actions unless you recognise
>  the sender and know the content is safe.
> |---!
> 
> It may also depend on whether you have any new OSA or FICON cards which are 
> not supported by z/os 2.1. For instance the Z16 does not support the 8 Gb 
> FICON cards which could be carried forward to z14 and the new ones are 32Gb 
> and PTFs are required for these . Under z/Vm it may depend on whether the 
> disks are dedicated so that z/os needs to understand the interface or whether 
> they are full-pack mini disks driven by z/vm.
> 
> I am interested to know but I have assumed that 2.1 will not work and have 
> upgraded the sole 2.1 lpar to 2.3.
> 
> Keith
> 
>> On 16 Apr 2024, at 12:41, Mark Jacobs 
>> <0224d287a4b1-dmarc-requ...@listserv.ua.edu> wrote:
>> 
>> One thing that might give you problems is WLM. It might behave wonky on a 
>> z16 processor. Is 2.5 even orderable any longer?
>> 
>> Mark Jacobs
>> 
>> Sent from ProtonMail, Swiss-based encrypted email.
>> 
>> GPG Public Key -
>> https://gbr01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furld
>> efense.com%2Fv3%2F__https%3A%2F%2Fapi.protonmail.ch%2Fpks%2Flookup%3Fo
>> p%3Dget%26search%3Dmarkjacobs%40protonmail.com__%3B!!CV2Qk8Gh!NakPsHZ3
>> AMQX-zStHg5wFkGOYsT8RTnmd9iW0srxbAErytrbX8CiPOgPSARov1P26ld339ihOlaWT3
>> 2p6gXc2CXYXgXqc2vEF4-f%24=05%7C02%7Cgrant.carson%40ZELLIS.COM%7C5
>> eeb08a67d0e46e6ee8f08dc5e0d0ed0%7Ce7dc028830f0432f82cc0864b31b7d4f%7C0
>> %7C0%7C638488657386979270%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAi
>> LCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C=ZOS%
>> 2FOLzECBPI6qVGhyLb5A4vEv0VtpPF73r%2B12%2BPd%2B0%3D=0
>> 
>> 
>>>> On Tuesday, April 16th, 2024 at 5:43 AM, Grant Carson 
>>>> <0620d2720937-dmarc-requ...@listserv.ua.edu> wrote:
>>> 
>>> Hi,
>>> 
>>> We are running zVM 7.3 with zOS 2.1 under it, on a z14. We are upgrading to 
>>> a z16 soon - will 2.1 run on the 16 under zVM? I know that the minimum 
>>> supported level is 2.2 but (as I have seen asked previously with some of 
>>> these supported-or-not queries) does that mean it won't actually come up or 
>>> just isn't supported? Obviously, we haven't applied any z16 toleration (as 
>>> there isn't any!). We are planning an upgrade to 2.5 but that's not yet 
>>> ordered...
>>> 
>>> Thanks
>>> Grant
>>> 
>>> 
>>> 
>>> Zellis is the trading name for Zellis Holdings Ltd and its associated 
>>> companies "Zellis".
>>> 
>>> The contents of this email are confidential to Zellis and are solely for 
>>> the use of the intended recipient. If you received this email in error, 
>>> please inform the sender immediately and delete the email from your system. 
>>> Unless Zellis have given you express permission to do so, please do not 
>>> disclose, distribute or copy the contents of this email.
>>> 
>>> Unless this email expressly states that it is a contractual offer or 
>>> acceptance, it is not sent with the intention of creating a legal 
>>> relationship and does not constitute an offer or acceptance which could 
>>

Re: zOS and z16

[Keith Gooding]

It may also depend on whether you have any new OSA or FICON cards which are not 
supported by z/os 2.1. For instance the Z16 does not support the 8 Gb FICON 
cards which could be carried forward to z14 and the new ones are 32Gb and PTFs 
are required for these . Under z/Vm it may depend on whether the disks are 
dedicated so that z/os needs to understand the interface or whether they are 
full-pack mini disks driven by z/vm.

I am interested to know but I have assumed that 2.1 will not work and have 
upgraded the sole 2.1 lpar to 2.3.

Keith

> On 16 Apr 2024, at 12:41, Mark Jacobs 
> <0224d287a4b1-dmarc-requ...@listserv.ua.edu> wrote:
> 
> One thing that might give you problems is WLM. It might behave wonky on a 
> z16 processor. Is 2.5 even orderable any longer?
> 
> Mark Jacobs
> 
> Sent from ProtonMail, Swiss-based encrypted email.
> 
> GPG Public Key - 
> https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com
> 
> 
>> On Tuesday, April 16th, 2024 at 5:43 AM, Grant Carson 
>> <0620d2720937-dmarc-requ...@listserv.ua.edu> wrote:
>> 
>> Hi,
>> 
>> We are running zVM 7.3 with zOS 2.1 under it, on a z14. We are upgrading to 
>> a z16 soon - will 2.1 run on the 16 under zVM? I know that the minimum 
>> supported level is 2.2 but (as I have seen asked previously with some of 
>> these supported-or-not queries) does that mean it won't actually come up or 
>> just isn't supported? Obviously, we haven't applied any z16 toleration (as 
>> there isn't any!). We are planning an upgrade to 2.5 but that's not yet 
>> ordered...
>> 
>> Thanks
>> Grant
>> 
>> 
>> 
>> Zellis is the trading name for Zellis Holdings Ltd and its associated 
>> companies "Zellis".
>> 
>> The contents of this email are confidential to Zellis and are solely for the 
>> use of the intended recipient. If you received this email in error, please 
>> inform the sender immediately and delete the email from your system. Unless 
>> Zellis have given you express permission to do so, please do not disclose, 
>> distribute or copy the contents of this email.
>> 
>> Unless this email expressly states that it is a contractual offer or 
>> acceptance, it is not sent with the intention of creating a legal 
>> relationship and does not constitute an offer or acceptance which could give 
>> rise to a contract.
>> 
>> Any views expressed in this email are those of the individual sender unless 
>> the email specifically states them to be the views of Zellis.
>> 
>> Zellis Holdings Ltd - registered in England and Wales - Company No: 10975623 
>> - Registered Office: 740 Waterside Drive, Aztec West, Almondsbury, Bristol, 
>> BS32 4UF, UK.
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Tn3270 back door

[Keith Gooding]

My understanding is that a policy agent refresh only reloads the definitions if 
something has changed in the policy. I have certainly had a problem when a 
keyring had been changed - policy agent did not recognise a change so the 
cached keyring remains. The solution was to increment the connection instance 
value in the policy before the refresh. Have you tried restarting pagent ?

Keith

> On 16 Feb 2024, at 10:54, James Cradesh 
> <05a6576c6fa2-dmarc-requ...@listserv.ua.edu> wrote:
> 
> I’m locked out of my test lpar.  The ssl cert expired.  A new cert was 
> uploaded but the tn3270 doesn’t see it. I did refresh Pagent but it didn’t 
> help.  How do you get around this situation?  Is there a way to enable the 
> non ssl port?
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: SSL Error

[Keith Gooding]

In TCPIP messages and codes socket return code 122 is ECLOSED but that may not 
help much either.

Is the client relying on ATTLS ? If so have you looked on z/os Unix syslog and 
MVS syslog for at-tls messages ?

Keith

> On 29 Nov 2023, at 13:51, Robin Atwood  wrote:
> 
> #define EIO 122  /* Input/output error */
> 
> Found in CEE.SCEEH.H(ERRNO). It doesn't really help, though!
> 
> Robin
> 
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf Of 
> Roberto Halais
> Sent: Wednesday, November 29, 2023 8:28 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: SSL Error
> 
> Hi:
> 
> I am doing an FTPS from z/OS 2.4  to a server and am getting the following 
> GSK error:
> 
> SP01  MESSAGE   0004  08:47:20.122796  SSL_ERROR
> 
>  Job TCPIP Process 037C  Thread 0002  gsk_read_v3_record
> 
>  Errno 007A (122)
> 
>  Socket read failed from 192.168.99.25.21
> 
> 
> I have not been able to find the ERRNO 007A (122)
> 
> Any help would be appreciated.
> 
> 
> Thank you,
> 
> Roberto Halais
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
> lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: DSS dump and migrated datasets

[Keith Gooding]

Jon.

I certainly would like the option to tell dss to recall datasets so that they 
can be copied or backed up. A common use case for me is to back up , or copy 
and rename, a set of software libraries for archiving or distribution to 
another system (a bit like a zOSMF portable software instance). It certainly 
should not be the case that dss routinely ignores migrated datasets unless a 
patch byte is set.

Keith Gooding

> On 23 Nov 2023, at 19:23, Jon Perryman  wrote:
> 
> On Thu, 23 Nov 2023 18:18:23 +0000, Keith Gooding  wrote:
> 
>> I do not know why IBM do not have an option for adrdssu to go the recall 
>> automatically - there have been some requests on IBM ideas.
> 
> The last thing you want is for ADRDSSU to become long running waiting on 
> multiple recalls from multiple tapes. There's also the problem that someone 
> inadvertently runs a backup that includes archived datasets. You have limited 
> disk space and unwitting users can potentially defeat the purposes of HSM 
> archiving.  
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: DSS dump and migrated datasets

[Keith Gooding]

I usually run a batch TSO step which issues command HRECALL ‘HLQ.** WAIT’ 
immediately before the dump step. You may get a lot of messages  sent to your 
TSO session - either saying dataset not migrated or that migration is complete. 
There is also a ADRDSSU patch ( from memory patch area offset 17 but check in 
the admin guide) which will warn you if any of the datasets are still migrated 
when you run the dump command.

I do not know why IBM do not have an option for adrdssu to go the recall 
automatically - there have been some requests on IBM ideas. 

This recall method does not work for more complicated dss filters such as 
“MYID.**.DATA”

Keith Gooding

> On 23 Nov 2023, at 17:32, Radoslaw Skorupka 
> <0471ebeac275-dmarc-requ...@listserv.ua.edu> wrote:
> 
> Well, First, I DON'T WANT TO DELETE datasets. I wan to dump them to archive 
> file.
> Second, I want to avoid manual typing/clicking.
> :-)
> 
> --
> Radoslaw Skorupka
> Lodz, Poland
> 
> 
> 
> W dniu 23.11.2023 o 18:01, Steve Beaver pisze:
>> Bring the list up in 3.4 then do a hdelete
>> By every dsn and hit enter
>> 
>> Sent from my iPhone
>> 
>> No one said I could type with one thumb
>> 
>>>> On Nov 23, 2023, at 10:57, Radoslaw 
>>>> Skorupka<0471ebeac275-dmarc-requ...@listserv.ua.edu>  wrote:
>>> 
>>> I need to dump a lot of small dataset with HLQ=user_to_be_deleted.
>>> Since the user is no longer active, most of datasets are migrated to ML1 
>>> and ML2.
>>> 
>>> By default ADRDSSU does not process migrated datasets.
>>> Is there any method to circumvent it?
>>> It can be anything, including scripted "touch".
>>> 
>>> --
>>> Radoslaw Skorupka
>>> Lodz, Poland
>>> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM APAR Names

[Keith Gooding]

Should be OAx. I missed the memo too.

> On 3 Nov 2023, at 16:33, Shaffer, Terri 
> <017d5f778222-dmarc-requ...@listserv.ua.edu> wrote:
> 
> Hi,
>  So I should know this but apparently I missed the memo along the way, Can 
> anyone give me the secret decoder
> 
> I know AHx went to PHx
> 
> But what do I search for CA and EA  APARs?
> 
> 
> 
> [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] 
> 
> This email message and any attachments may contain confidential, proprietary 
> or non-public information. The information is intended solely for the 
> designated recipient(s). If an addressing or transmission error has 
> misdirected this email, please notify the sender immediately and destroy this 
> email. Any review, dissemination, use or reliance upon this information by 
> unintended recipients is prohibited. Any opinions expressed in this email are 
> those of the author personally.
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Heads up: z/os 3.1 WAIT 006 under z/VM + DS6800 question

[Keith Gooding]

That would have been very helpful - there should also be a reference to z/os 
3.1 rather than just the 2.5 PTFs . A mention in the PSP bucket for z/os 3.1 
would have been more helpful - my first thought of course when my first IPL 
failed was ‘what have I done wrong’ and part of the investigation was to make 
sure that I had not missed anything that I should have read and eventually I 
started searching on IBM Support.

Keith Gooding

> On 27 Oct 2023, at 03:09, Peter Relson  wrote:
> 
> We intend to add WAIT006 and WAIT074 to the VM66721 APAR description to help 
> with "search findability".
> 
> Peter Relson
> z/OS Core Technology Design
> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Heads up: z/os 3.1 WAIT 006 under z/VM + DS6800 question

[Keith Gooding]

Thanks Jim - it is always good to get an answer from an expert.

> On 24 Oct 2023, at 20:43, Jim Mulder  wrote:
> 
>   The Validated Boot enhancements to z/OS made a change to a channel program 
> that we
> use to build the nucleus.  The changed channel program is used regardless of 
> whether you are doing
> a validated boot or not.  z/VM minidisk caching screws up while emulating the 
> channel program.   Last
> I talked to the z/VM developers, they still had not figured out what the bug 
> is.  As long as minidisk caching (MDC)
> is turned off for at least the z/OS IPL device minidisk, the channel program 
> will be executed by the I/O subsystem, 
> which executes it correctly.  The problem only occurs when you are IPLing 
> z/OS from a minidisk to which you
> have LINKed (or is in your VM directory), with MDC enabled for that minidisk. 
>  If you instead ATTACH the device to
> the VM user, the problem will also not occur, since it is not being treated 
> as a minidisk in that case.
> The type of processor or DASD controller is not relevant to the problem.
> 
> Jim Mulder
> 
> 
> 
>> To: IBM-MAIN@LISTSERV.UA.EDU 
>> Subject: Heads up: z/os 3.1 WAIT 006 under z/VM + DS6800 question
>> 
>> For my first z/OS 3.1 IPL (under z/VM) I got WAIT 006. After a long search I 
>> found z/VM APAR VM66721: Z/OS GUEST IPLS FAIL AFTER APPLYING 
>> UJ92591/UJ92728. There is no PTF as

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Heads up: z/os 3.1 WAIT 006 under z/VM + DS6800 question

[Keith Gooding]

It was z/VM 7.2 (still in support) but the APAR states that the problem affects 
all z/VM releases.

> On 24 Oct 2023, at 18:33, Art Zeigler  wrote:
> 
> What relase of z/VM did you receive the Wait 006?
> 
> Thanks
> 
> Art Zeigler
> 
> 
> From: IBM Mainframe Discussion List  on behalf of 
> Keith Gooding <034af3894af4-dmarc-requ...@listserv.ua.edu>
> Sent: Tuesday, October 24, 2023 1:27 PM
> To: IBM-MAIN@LISTSERV.UA.EDU 
> Subject: Heads up: z/os 3.1 WAIT 006 under z/VM + DS6800 question
> 
> For my first z/OS 3.1 IPL (under z/VM) I got WAIT 006. After a long search I 
> found z/VM APAR VM66721: Z/OS GUEST IPLS FAIL AFTER APPLYING UJ92591/UJ92728. 
> There is no PTF as yet but there is a work-around (turn off mini-disk 
> caching).
> 
> Those PTFa are the validated boot PTFs for z/OS 2.5 - the function is 
> incorporated into z/os 3.1.
> 
> I have no idea why the failure occurs but I thought maybe z/os is using some 
> I/o command sequence which z/Vm does not support properly. That got me 
> worrying about whether z/OS 3.1 (or 2.5 with the validated boot PTFs) will 
> work on old hardware, specifically DS6800 which we have at a backup site. Our 
> 3.1 test under z/Vm used DS8884.
> 
> Has anyone tried running 3.1 (or 2.5 with the validated boot PTFs), or have 
> any understanding of why an IPL may fail on DS6800 ?. We are not using 
> validated boot and have no intention of doing so.
> 
> Keith
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Heads up: z/os 3.1 WAIT 006 under z/VM + DS6800 question

[Keith Gooding]

For my first z/OS 3.1 IPL (under z/VM) I got WAIT 006. After a long search I 
found z/VM APAR VM66721: Z/OS GUEST IPLS FAIL AFTER APPLYING UJ92591/UJ92728. 
There is no PTF as yet but there is a work-around (turn off mini-disk caching).

Those PTFa are the validated boot PTFs for z/OS 2.5 - the function is 
incorporated into z/os 3.1.

I have no idea why the failure occurs but I thought maybe z/os is using some 
I/o command sequence which z/Vm does not support properly. That got me worrying 
about whether z/OS 3.1 (or 2.5 with the validated boot PTFs) will work on old 
hardware, specifically DS6800 which we have at a backup site. Our 3.1 test 
under z/Vm used DS8884.

Has anyone tried running 3.1 (or 2.5 with the validated boot PTFs), or have any 
understanding of why an IPL may fail on DS6800 ?. We are not using validated 
boot and have no intention of doing so.

Keith

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Creating an SMP install tape

[Keith Gooding]

Some sites do not have dfdss.

A common non-SMPE method is to use the XMIT command to convert each library 
into a sequential file, copy all of these XMIT datasets into a PDS and then run 
XMIT again to convert the PDS into a sequential file. To unpack you run RECEIVE 
to create the PDS of XMIT files then RECEIVE again for each member.

Or you could create a Portable Software Instance using an SMPE utility - this 
can be unpacked using z/OSMF (which runs an SMPE utility).

> On 23 Aug 2023, at 07:52, Colin Paice  wrote:
> 
> Ive blogged
> 
> about using DFDSS to backup datasets.
> You may then want to use AMATERSE to terse it.
> 
> I have some JCL to restore an MQ package
> //S1  EXEC PGM=AMATERSE,PARM=UNPACK
> //SYSPRINT DD  SYSOUT=*
> //SYSUT1 DD DISP=SHR,DSN=COLIN.MQ933.TRS
> //SYSUT2 DD DSN=&,SPACE=(CYL,(100,100)),DISP=(,PASS),
> // VOL=SER=(C4USS2,C4USS1),UNIT=3390,STORCLAS=SCNOSMS
> 
> //S2EXEC PGM=ADRDSSU,REGION=0M
> //SYSPRINT DD SYSOUT=*
> //DD1  DD DISP=SHR,DSN=*.S1.SYSUT2
> //SYSINDD *
>   RESTORE -
>   IMPORT -
>   INDDNAME(DD1) -
>   CANCELERROR -
>   DATASET(INCLUDE(**)) -
>   RENAMEU( -
>  (**.SCSQANLC,COLIN.MQ930.SCSQANLC) -
>  ...
>  (**.SCSQTBLU,COLIN.MQ930.SCSQTBLU) -
>  ) -
>  SHARE -
>  NULLMGMTCLAS -
>  NULLSTORCLAS -
>  CATALOG
> //*
> 
> This is s  much easier than trying to use SMP/E
> 
> Colin
> 
>> On Wed, 23 Aug 2023 at 07:30, Jon Perryman  wrote:
>> 
>> Since you don't have a good understanding of SMP/e, you might want to
>> consider DFDSS instead of SMP/e.
>> Creating a function is the easy part. SMP/e is a philosophy that requires
>> planning, setup and tools. Are you going to apply PTF's and apars, need
>> SMP/e zones, UCLIN, JCLIN, link to modules, object modules and much more.
>> If you have a problem with pre and coreqs, do you have the skills to
>> resolve it.
>> 
>>On Tuesday, August 22, 2023 at 04:12:03 AM PDT, Clem Clarke <
>> clementcla...@ozemail.com.au> wrote:
>> 
>> I have some PDSes that need to be installed with SMP on Z/OS.
>> 
>> A couple are text files, one an object file and one a load module PDS.
>> They all have multiple members.
>> 
>> What would be the easiest way to create a files that can be installed
>> with SMP?
>> 
>> Many thanks,
>> 
>> Clem Clarke
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Liberty Server on zOS

[Keith Gooding]

IIRC the Liberty server that comes with z/OS was first bundled with z/OSMF, 
then it became a separate feature but limited by licence to use with z/OSMF and 
then those restrictions were relaxed allowing limited internal use with other 
applications. I do not know the rules now or how to find them but the basic 
idea was that people should continue to pay for Webserver Lliberty profile if 
they were using it for production work.

> On 3 Aug 2023, at 19:59, Colin Paice  wrote:
> 
> Hi,
> Yes Liberty can  be installed on z/OS.   It came installed on my system,
> and the documentation is pretty good (just look for it).  Eg Installing
> Liberty on z/OS
> 
> It is the basis for z/OS SMF, Z/OS explorer, z/OS Connect, MQ Web server
> and others.
> I've written many posts  on
> using it.
> 
> Colin
> 
>> On Thu, 3 Aug 2023 at 19:19, esst...@juno.com  wrote:
>> 
>> Hello.Does anyone know if a Liberty Serer can be installed on ZOS without
>> CICS or WebSphere?Any documentation ? .paul dangelo
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Specific Question/Scenario on using Pass Tickets with RACF

[Keith Gooding]

The relevant documentation seems to be the section ‘Determining PTKTDATS 
profile names’ in the RACF security admin guide. This has a list of rules for 
determining the name for APPC, CICS,IMS, batch jobs, TSO etc and ends the list 
with ‘Other applications’ . That last paragraph states that if there is no APPL 
coded you should use the rules for batch jobs. I would be interested to know if 
that works - if you are able to change the application the surest way would be 
to code an APPL on the RACROUTE macro.

Keith

> On 2 Aug 2023, at 21:21, Robert Garrett  wrote:
> 
> Something that's been puzzling me:
> 
> Imagine an interactive application that requires valid user credentials (ID 
> and password) to access, but does NOT require specific authorization to the 
> application.
> In other words, the app does a RACROUTE REQUEST=VERIFY to validate 
> credentials and create the associated ACEE representing the user, but it does 
> NOT provide the APPL= parameter on the request, nor does it perform a 
> subsequent REQUEST=AUTH on an APPL resource.  In other words, if you've got a 
> valid ID/password, you can "log on" to the app - no PERMIT to the app itself 
> is required and there's also no corresponding APPL resource for it.
> 
> Now, what if I want to be able to generate pass tickets in place of passwords 
> to access this app?  Doing that requires a PTKTDATA resource whose name 
> matches the application to control pass ticket generation, but this 
> application doesn't provide a name for itself.
> Possible?
> Just plain not supported?
> Will RACF "assume" an application name (JOB/STC name, VTAM Applid, something 
> else) and use that to locate the applicable PTKTDATA resource (and if so, 
> what does it use)?
> 
> (If it matters, assume enhanced pass ticket via AES key in the ICSF CKDS).
> 
> Enquiring minds would really like an authoritative and accurate answer on 
> this one...
> 
> Thanks,
> Rob
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Installing a new version of z/OS using z/OSMF

[Keith Gooding]

Hi Gadi.

At last someone (Marna) has answered your question.

Once you have z/OSMF set up installing the z/OS libraries and SMPE datasets is 
simple. It is called ‘adding a software instance’ and in this case it is 
created from a portable software instance which is like a glorified tar ball. 
You use the filters on the dialogue panels to list subsets of the datasets (eg 
all target libraries) and a modify function to systematically change the 
dataset attributes, such as HLQ and volume. It is very similar to the first 
part of the ISPF Serverpac install where you configure the software and run a 
job which creates the datasets and renames them as required. I used to install 
a server pack every 2 years and always had to relearn the commands to select 
datasets and change their attributes. With z/OSMF you do not have to do that.

In addition to the software in the Serverpac the PSI also contains the RIMLIBs 
as in previous server packs, and some workflows. If allowed you can leave some 
of these with their default names (of the form CB.ST25.*) 

The workflows include a documentation-only workflow and one or two 
corresponding to the ISPF post-install dialogue steps. You do not have to run 
those if you want to do the pre- and post-IPL steps ‘manually’.

I always used to order Db2 as a CBPDO because a server pack is such a BIg Thing 
and creates a sample Db2 system which I do not want. After my experiences with 
a z/os server pack I ordered my last Db2 as a server pack and just did the ‘add 
software instance’ part.

I should add that it is possible to create a Software Instance from your 
existing z/os system - essentially you tell z/osmf the name of the global zone 
and the associated target and dlib zones and it will work out the dataset names 
from the DDDEFs. I cannot remember whether it is possible to use that as a 
model for your 2.5 dataset names but in any case changing the names via the 
dialogue (ie changing eg CB.ST12345.SYS1.LINKLIB) is quite easy using the ‘mass 
change’ facility in the PSI dialogue.

Also my systems are fairly simple development systems. I have no experience of 
using this in a real production world although I would expect it to be similar 
to the ISPF dialogue method.

Keith Gooding

Sent from my iPad

> On 25 May 2023, at 19:03, Marna WALLE  wrote:
> Gadi,
> You can learn about the z/OSMF Software Management installation process here: 
>  https://www.ibm.com/support/z-content-solutions/serverpac-install-zosmf/
> 
> I would strongly recommend that you watch the short videos (under Multimedia 
> at the bottom)  to get a flavor of what it looks like in action.  Then do a 
> practice install with a sample package which you can acquire from the "Try 
> it" tab on that website.  
> 
> z/OS V2.3 (with z/OSMF active) is a fine driving system level for installing 
> z/OS V2.5, but as you mention, is longer supported.  Just make sure you 
> follow the driving system requirements documented in the z/OS V2.5 Planning 
> for Installation book.  You could also acquire the Customized Offerings 
> Driver (free driving system, orderable on Shopz), if you wanted to use a 
> supported driving system level that has z/OSMF already active on it.  
> 
> -Marna WALLE
> z/OS Install and Upgrade
> IBM Poughkkeepsie
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: FTP client question

[Keith Gooding]

Hi Rex

Networking is not my speciality but you should be able to add a HOST route - 
see the BEGINROUTES statement in IP Config Reference. Something like this:

ROUTE windows server IP address.  HOST   =   OSA_INTERFACE2

where OSA_INTERFACE2 is the interface which you want to use.

This example assumes that the server is on the same subnet as the adapter - 
change - to the router IP address if not.

No guarantees.

Keith Gooding

Sent from my iPad

> On 25 May 2023, at 16:41, Pommier, Rex  wrote:
> 
> Hi all,
> 
> I have a question about routing FTP traffic.  First a bit about the 
> environment.  Z14-zr1 with (2) 1-GbE OSA adapters shared across 3 LPARs.  The 
> 2 adapters are not in a VIPA configuration.  Right now on this LPAR, only 1 
> of the adapters is defined to TCP/IP.  I can easily get the second OSA 
> configured into TCP/IP on the LPAR so that's not an issue.  
> 
> The situation/question.  I have 3 jobs that run on the mainframe that all 3 
> initiate an FTP process to Windows servers.  Between the 3 jobs they are 
> pushing between 1.5 and 2 terabytes to the servers.  The jobs are currently 
> single threaded and from looking at the FTP output, they are pushing the 
> Ethernet adapter that is in use at 100%.  My question is this: If I configure 
> the second adapter, is there a way that I can force one of these jobs to use 
> one of the OSA adapters and the other 2 to go to the second adapter?  From 
> what I recall, z/OS doesn't do any kind of trunking or load balancing so 
> setting up a VIPA won't improve throughput by using both adapters.   I've 
> meandered through the IP configuration reference and see nothing that would 
> give me this capability.  
> 
> TIA
> 
> Rex
> 
> --
> The information contained in this message is confidential, protected from 
> disclosure and may be legally privileged. If the reader of this message is 
> not the intended recipient or an employee or agent responsible for delivering 
> this message to the intended recipient, you are hereby notified that any 
> disclosure, distribution, copying, or any action taken or action omitted in 
> reliance on it, is strictly prohibited and may be unlawful. If you have 
> received this communication in error, please notify us immediately by 
> replying to this message and destroy the material in its entirety, whether in 
> electronic or hard copy format. Thank you.
> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Importing x.509 Certs in to RACF

[Keith Gooding]

Matt.

As far as I know RACF cannot import from a z/os unix file. It has to be VB. I 
think there is an RFE/Idea requesting unix file support.

Also you said that the source file is ISO 8859-1 which suggests to me that is 
base-64 encoded. If so you will see “—— BEGIN” near the start and a similar 
END. In that case you must transfer in text mode rather than binary. The 
alternative format supported by RACF is DER - that has to be transferred in 
binary. RACF recognises the format - you do not need to tell it if it is DER or 
BASE64.

I also understand that if the package contains a personal certificate and its 
chain of CA certificates RACF will
Only import the first of the CA certificates.

Personally I use the RACF panels for one-off functions  like this - I seem to 
get more useful error messages.

Keith

> On 5 May 2023, at 10:34, Michael Babcock  wrote:
> 
> Before trying to add it to RACF use the RACDCERT CHECKCERT command.   Off
> the top of my head, I think it’s RACDCERT CHECKCERT(‘dataset-name’).   I
> always use that before adding a cert to RACF.And if there is a password
> on the cert add PASSWORD(‘password’) to the command.  Mind the quotes on
> both parms.
> 
>> On Thu, May 4, 2023 at 10:26 PM Matt Hogstrom  wrote:
>> 
>> I’m at 240 VB but I’ll try pulling it in …
>> 
>> I was hoping to find a roadmap that would help out.   Seems like there are
>> a number of variables in terms of how certs are delivered, how they get
>> uploaded, what encodings are used, etc.  At the end of the day I’d like to
>> get this documented to save the next guy a pile of work.
>> 
>> 
>> Matt Hogstrom
 On May 4, 2023, at 10:52 PM, Peter Vels  wrote:
>>> 
>>> It could be that your data set attributes aren't quite right. Try
>> something
>>> like LRECL=84, RECFM=VB.
>>> 
 On Fri, 5 May 2023 at 11:49, Matt Hogstrom  wrote:
>>> 
 I’m attempting to import an x.509 cert for TLS.  The certificate is
>> valid
 and originates on a distributed system.  I have the cert and the private
 key.  I’m trying to import the cert into RACF.  I’ve tried creating a
>> pfx
 file (pkcs12) as well as importing the text based certs individually.
>> Each
 time I try I end up with an error.  The below was my attempt to import
>> the
 DigiCertCA against which my certificate was created.  I admit this is
>> not
 my area of speciality so I suspect I’m doing something stupid.  Here is
>> the
 ADD command.
 
 RACDCERT ADD(IBMUSER.CERT.DIGICERT)   CERTAUTHTRUST
 WITHLABEL('DigiCertCA’)
 
 IRRD103I An error was encountered processing the specified input data
 set.
 
 The certificate is in ISO8859-1 on my Mac and I transfer it to USS as
 binary and tag is as ISO8859-1.
 
 Anyone have a workflow for adding a TLS cert ?   The IBM documentation
>> is
 accurate I’m sure  but not helpful.
 
 
 Matt Hogstrom
 
 “It may be cognitive, but, it ain’t intuitive."
 — Hogstrom
 
 
 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
 
>>> 
>>> --
>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
> -- 
> Michael Babcock
> OneMain Financial
> z/OS Systems Programmer, Lead
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TLS - and HTTP download

[Keith Gooding]

Bill.

A AT-TLS rule consists of a number of tests and pointers to actions which are 
performed if all of the tests are true. One of the actions specifies if TLS is 
to be enabled or not.  You can test on  local and remote port numbers , local 
and remote IP addresses, connection direction (inbound or outbound) , local 
address space name etc. you may have a rule which says “if the remote port is 
443 (https ?) and direction is outbound then enable TLS”.  This would  enable 
TLS for an SMPE batch job connecting to an https server. To check you can 
either view the AT-TLS policy or,  to get a better formatted list, use the unix 
command “pasearch -t >  mylist.txt” and then view mylist.txt. See Comms Server 
IP diagnosis for details of pasearch and how to list a subset of the policy. If 
this is in fact the problem you  could add add another rule which says “if the 
remote IP address is the IBM https server then do not enable TLS“.

Keith
> On 1 May 2023, at 20:29, Michael Babcock  wrote:
> 
> Here's our simple DB2 Secure port definition in AT-TLS:
> 
> TTLSRule DBRTSecureServer# Secure DBRT
> {
>   LocalPortRange   4450# DBRT Secure Port
>   DirectionInbound # Inbound Only
>   Priority 1   # Lowest priority rule
>   TTLSGroupActionRef   grp_Production  # Uncomment once 
> debugging
>   TTLSEnvironmentActionRef DBRT_SecureServer_Action# DBRT Env Action
> }
> 
> TTLSEnvironmentAction DBRT_SecureServer_Action
> {
>   HandshakeRole   Server
>   TTLSKeyRingParmsRef DBRT_Keyring_Parms
>   TTLSCipherParmsRef  DB2_CipherParms
>   TTLSEnvironmentAdvancedParms
>   {
> ClientAuthTypePassThru
> SSLv2 Off
> SSLv3 Off
> TLSv1 Off
> TLSv1.1   Off
> TLSv1.2   On
>   }
> }
> 
> TTLSKeyRingParms  DBRT_Keyring_Parms
> {
>  Keyring  DBRT/DBRT.KEYRING
> }
>> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: TLS - and HTTP download

[Keith Gooding]

Do you mean that you have an ATTLS rule which ‘converts’ your SMP/E job to an 
SSL client ?. Ie ATTLS acts as an SSL proxy, converting the data stream into 
and out of your SMP/E step to SSL ? But SMP/E implements SS itself so you must 
not convert that to SL using an AT-TLS rule. 

> On 1 May 2023, at 17:53, Bill Giannelli  wrote:
> 
> I am confused myself!
> we originally "reconfigured" TLS to provide for encrypted data transfer for 
> Db2 thru secured ports.
> part of that work (I do not know why) was specifying a rule for HTTPS.
> Now the only way we can download on this LPAR is when the HTTPS - TLS rule is 
> disabled.
> Does that make sense?
> thanks
> Bill  
>> On Mon, 1 May 2023 15:03:47 +, Kurt J. Quackenbush  
>> wrote:
>> 
>> I'm confused by your question.  Can you be more specific what you mean by 
>> "we have locked down HTTPS via TLS"?  Are you not allowing any HTTPS traffic 
>> at all?  That feels extreme.
>> 
>> Kurt Quackenbush
>> IBM  |  z/OS SMP/E and z/OSMF Software Management  |  ku...@us.ibm.com
>> 
>> Chuck Norris never uses CHECK when he applies PTFs.
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: How to remove an empty USS file shipped with z/OS

[Keith Gooding]

Lizette.

Isn’t the /etc provided by Serverpac just a sample which you may merge with 
your ‘real’ /etc ?. If you are running in a sysplex /etc is a link to 
//etc. I place the Serverpac ETC file system on the sysres pack and 
only mount it (at a temporary mount point) to merge its files with the 
operational ETC file system for a specific system. If Serverpac changes /etc 
for a new release I compare its files with those of the operational /etc and 
adjust the new operational /etc if appropriate.

Keith Gooding

Sent from my iPad

> On 18 Apr 2023, at 19:48, Marna WALLE  wrote:
> 
> Hi Lizette,
> /etc/security has been set up as 755 by z/OS itself (in BPXMKDIR), for many 
> releases now.  When you say "I have been asked to update the permissions 
> different that what is shipped
> or to remove this directory path (it is empty) " ...may I wonder who is 
> asking this and why?
> 
> Thanks.
> -Marna WALLE
> z/OS System Install and Upgrade
> IBM Poughkeepsie
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: PKCS #7

[Keith Gooding]

Hi Isabel.

I have no knowledge or experience of this except for what I read in the System 
SSL manual. It does appear that you have to program in c/c++ but I cannot see 
that this is stated explicitly. The examples in the manual and the sample code 
and headers in /usr/lpp/gskssl are all c/c++

System SSL does appear to be a toolkit for certificate management functions, in 
addition to providing teh SSL apis.

Keith

Sent from my iPad

> On 18 Apr 2023, at 19:39, John Abell  
> wrote:
> Hi,
> 
> I am always happy to help you 2 and your group for this great cause.
> 
> Cheers,
> John T. Abell
> Tel:800-295-7608Option 4
> President 
> International:  1-416-593-5578  Option 4
> E-mail:  john.ab...@intnlsoftwareproducts.com
> Fax:800-295-7609
> 
> International:  1-416-593-5579
> 
> 
> International Software Products
> www.ispinfo.com
>
> This email may contain confidential and privileged material for the sole use 
> of the intended recipient(s). Any review, use, retention, distribution or 
> disclosure by others is strictly prohibited. If you are not the intended 
> recipient (or authorized to receive on behalf of the named recipient), please 
> contact the sender by reply email and delete all copies of this message. 
> Also,email is susceptible to data corruption, interception, 
> tampering, unauthorized amendment and viruses. We only send and receive 
> emails on the basis that we are not liable for any such corruption, 
> interception, tampering, amendment or viruses or any consequence thereof.
>
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Isabel
> Sent: Tuesday, April 18, 2023 1:17 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: PKCS #7
> 
> Hello and thanks Keith. Do we have to use C language for the gsk functions?
> 
> thanks in advance
> 
> On Fri, Apr 14, 2023 at 4:22 PM Keith Gooding < 
> 034af3894af4-dmarc-requ...@listserv.ua.edu> wrote:
> 
>> Does gsk_export_certificate do what you need ?. It is documented in 
>> z/os Cryptographic Services System SSL Programming. There are several 
>> functions for handling certificates.
>> 
>> Sent from my iPad

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: PKCS #7

[Keith Gooding]

Does gsk_export_certificate do what you need ?. It is documented in z/os 
Cryptographic Services System SSL Programming. There are several functions for 
handling certificates.

Sent from my iPad

> On 14 Apr 2023, at 20:07, Isabel  wrote:
> Hello, thanks for your answers, but I think I was not clear about what we
> want.
> 
> We need to build a CICS Transaction to create a PKCS #7 (pkcs7-signedData)
> containing a signature. We were thinking of using ICSF's PKCS #11 callable
> services, but we don't have the TKDS keystore.
> 
> Thanks in advance!
> 
> 
> 
> On Fri, Apr 14, 2023 at 2:20 AM Matthew Donald 
> wrote:
> 
>>> We need to build a CICS Transaction to obtain a PKCS #7 (token) to
>>> authenticate a user.
>>> I am confused if I have to use a RACF certificate, ICSF or both.
>> 
>> 
>> If you mean 2FA for CICS: see
>> 
>> https://www.ibm.com/docs/en/cics-ts/5.6?topic=securing-support-multi-factor-authentication-using-racf
>> 
>> Matthew
>> 
>> On Wed, 5 Apr 2023 at 00:16, Isabel  wrote:
>> 
>>> Hello!
>>> I have the following request:
>>> We need to build a CICS Transaction to obtain a PKCS #7 (token) to
>>> authenticate a user.
>>> I am confused if I have to use a RACF certificate, ICSF or both.
>>> Thanks in advance.
>>> --
>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: NTS

[Keith Gooding]

Steve.

Did you define your file system as extended addressable so that it can be 
bigger than 4GB ?. (If you define it as type ZFS rather than LINEAR this is 
implied). I cannot remember what happens if you do not define it as EA.

Keith

> On 7 Mar 2023, at 18:53, Steve Beaver  wrote:
> 
> I have run into a problem that I have never seen.  My NTS is a complete
> 
> MOD27.  But I'm told EDC5133I No space left on device.
> 
> 
> 
> Any easy ideas?
> 
> 
> 
> 
> 
> GIM66400ITHE TRANSFER IS COMPLETE FOR FILE
> 
> /u/smpe/smpnts/U02418528/GIMPAF.XML.
> 
> GIM44336S ** AN UNUSUAL CONDITION OCCURRED. GIMJVGET - java.io.IOException:
> 
> EDC5133I No space left on device.
> 
> 
> 
> 
> 
> 
> 
> 
> 
> /*+*/
> 
> /*SMPe - SERVICE   */
> 
> /*+*/
> 
> MOUNT FILESYSTEM('SMPE.OMVS.SMPE.NTS.ZFS')
> 
>  MOUNTPOINT('/u/smpnts')
> 
>  TYPE(ZFS) MODE(RDWR) PARM('AGGRGROW')
> 
> 
> 
> GIM20501ISET PROCESSING IS COMPLETE. THE HIGHEST RETURN CODE WAS 00.
> 
> 
> 
> 
> 
>  RECEIVE
> 0069
> 
>FROMNETWORK(
> 0070
> 
>  SERVER(SERVINFO)
> 0071
> 
> /*   TRANSFERONLY   <=== NOTE 5 */
> 0072
> 
>  CLIENT(CLNTINFO)
> 0073
> 
>  )
> 0074
> 
>   .
> 0075
> 
> 
> 
> GIM66400ITHE TRANSFER IS COMPLETE FOR FILE
> 
> /u/smpe/smpnts/U02418528/GIMPAF.XML.
> 
> GIM44336S ** AN UNUSUAL CONDITION OCCURRED. GIMJVGET - java.io.IOException:
> 
> EDC5133I No space left on device.
> 
> GIM47601IPACKAGE U02418528 WAS PARTIALLY STAGED TO THE SMPNTS.
> 
> GIM20501IRECEIVE PROCESSING IS COMPLETE. THE HIGHEST RETURN CODE WAS 12.
> 
> 
> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: zOS 3.1 - zosmf

[Keith Gooding]

A z/OS CBPDO a good alternative ?. Really ?. I would say a good alternative to 
z/OSMF on one of your systems to install z/OS is to get the customised offering 
driver system, although I have not used that for many years. 

Keith

> On 5 Mar 2023, at 03:54, Peter  wrote:
> 
> Thanks Kurt
> 
> CBPDO option is a good alternative. As we are a shop which predominantly
> uses Software ag product
> 
> On Sun, Mar 5, 2023, 1:56 AM Kurt J. Quackenbush  wrote:
> 
>>> I know it's early to ask but just trying my best or I have no missed .
>> Any idea if zOS 3.1 can be installed without using zosmf ? Just using the
>> previous serverpac method ?
>> 
>> No.  The CustomPac Installation Dialog version of IBM's ServerPac is no
>> longer available.  z/OS 3.1 will be available in either a z/OSMF Portable
>> Software Instance, or CBPDO.
>> More information:
>> https://www.ibm.com/support/z-content-solutions/serverpac-install-zosmf/
>> 
>> Kurt Quackenbush
>> IBM  |  z/OS SMP/E and z/OSMF Software Management  |  ku...@us.ibm.com
>> 
>> Chuck Norris never uses CHECK when he applies PTFs.
>> 
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Can you connect to the PTF download site with z/OS FTP?

[Keith Gooding]

The download server supports FTP over SSL (FTPS) and HTTPS. See SMP/E User 
guide Zos 2.5 section “Preparing for secure Internet delivery”. That document 
states that you need at-tls because Tls 1.2 is used. This would be for pts 
ordering and download via SMP/E. When I have ordered PTFs outside of SMP/E the 
delivery package always included sample jobs for https or FTPs download. 

> On 27 Feb 2023, at 17:33, Paul Gilmartin 
> <042bfe9c879d-dmarc-requ...@listserv.ua.edu> wrote:
> 
> On Mon, 27 Feb 2023 10:54:33 -0600, Charles Mills wrote:
> 
>> Just to confirm, by that you mean "SSH FTP" only, and that "FTP over TLS" is 
>> not supported.
>> 
> FWIW, from a desktop system:
>1029 $ sftp public.dhe.ibm.com
>The authenticity of host 'public.dhe.ibm.com (170.225.126.18)' can't be 
> established.
>ED25519 key fingerprint is 
> SHA256:7eCHKMY8cjRJ7vM2NU70s9ETBNSWGYu4/BTCL2q4rCM.
>This key is not known by any other names
>Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
>Warning: Permanently added 'public.dhe.ibm.com' (ED25519) to the list of 
> known hosts.
>(g...@public.dhe.ibm.com) gil's Password:
> 
> ???
> 
>> (The confusingly similar acronyms SFTP and FTPS are unfortunate.)
>> 
> The English language and its acronyms abound with anagrams.  Pointless to
> complain.
> 
> Rather, complain to IBM about its depending on the increasingly obsolete FTP.
> Cbttape.org got better.  So should IBM; provide an HTTPS proxy, if necessary.
> 
> -- 
> gil
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [EXTERNAL] Flashcopy dataset example

[Keith Gooding]

Bill,

ADRDSSU DATASET DUMP with the CONCURRENT(VIRTUALREQ) option will flash copy the 
dataset to a work dataset and then dump (backup) the work dataset. I have not 
tried this myself. You have to pre-define work datasets with a particular 
naming convention. See “virtual concurrent copy working space” in the Dfsmsdss 
Stirage Admin Guide.

Keith

Sent from my iPad

> On 18 Feb 2023, at 19:12, Pommier, Rex  wrote:
> 
> Bill,
> 
> Dump and restore is a different animal.  Dump creates a backup copy in DFDSS 
> format so it will NOT use flashcopy because it has to reformat the data into 
> the DFDSS format.  Restore takes the dump file and rebuilds the original 
> dataset.  COPY is what will use flashcopy if you're set up for it and have 
> the required software licenses.
> 
> Rex
> 
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf Of 
> Bill Giannelli
> Sent: Saturday, February 18, 2023 5:17 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [EXTERNAL] Flashcopy dataset example
> 
> hi rex,
> yes we have those utilities.
> But as far as your other questions, I have no idea. I am not a storage 
> systems guy.
> I think what I was after is the "dump" and "restore" commands.
> thanks
> Bill
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
> lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
> --
> The information contained in this message is confidential, protected from 
> disclosure and may be legally privileged. If the reader of this message is 
> not the intended recipient or an employee or agent responsible for delivering 
> this message to the intended recipient, you are hereby notified that any 
> disclosure, distribution, copying, or any action taken or action omitted in 
> reliance on it, is strictly prohibited and may be unlawful. If you have 
> received this communication in error, please notify us immediately by 
> replying to this message and destroy the material in its entirety, whether in 
> electronic or hard copy format. Thank you.
> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: DB2 DSNTRVFY WLM verify job stops WLM

[Keith Gooding]

In my experience DB2 WLM environments are stopped because the associated 
started task failed - Eg abend or JCL error. Check the output and syslog. I 
also once forgot to copy the STC JCL from the proclib which I use for dB2 
installation to a system proclib library so no STC output just a syslog 
message. I do not know if there is a more general way to find the reason .

> On 14 Feb 2023, at 10:36, Bill Giannelli  wrote:
> 
> I am running the DB2 install job DSNTRVFY used to verify WLM Application 
> Environments. It seems it stop some of my Application Environments. How could 
> I find out why?
> I am posting here after not getting any responses on DB2-L.
> thanks for any help or direction.
> Bill
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Interpreting SEND/RECV CIPHERs

[Keith Gooding]

In a previous reply I mentioned that I recalled that there were some diagnostic 
enhancements for AT-TLS in z/os 2.5.  They are described in the z/os 2 .5 
education articles on GitHub :

https://github.com/IBM/IBM-Z-zOS/blob/main/zOS-Education/zOS-V2.5-Education/IEAV2R5%20Communications%20Server.pdf

If you are fortunate enough to have z/os 2.5 and use the default trace level 
(2) you should see additional information about handshake failures and more 
detail with level 8.

Keith

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Interpreting SEND/RECV CIPHERs

[Keith Gooding]

In a previous reply I mentioned that I recalled that there were some diagnostic 
enhancements for AT-TLS in z/os 2.5.  They are described in the z/os 2 .5 
education articles on GitHub :

https://github.com/IBM/IBM-Z-zOS/blob/main/zOS-Education/zOS-V2.5-Education/IEAV2R5%20Communications%20Server.pdf

If you are fortunate enough to have z/os 2.5 and use the default trace level 
(2) you should see additional information about handshake failures and more 
detail with level 8.

Keith

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Transmitting SMF records

[Keith Gooding]

Although not a solution to your problem you may know that the z/os AMAPDUPL 
utility solves this problem by automatically tersing the data, splitting it 
into chunks, and transmitting the chunks to the IBM support site in a number of 
overlapping ftp or https  streams. I think it  uses pipes to overlap some of 
the terse processing with transmission. At the other end a receiving process 
automatically re-assembles. The problem is that as far as I know the receiver 
code is not available to ISVs. AMAPDUPL processing can be performed by the 
z/OSMF Problem Management function and it would be nice if ISVs could receive 
data sent by AMAPDUPL. 

You can also direct AMAPDUPL to copy the chunks to a unix file system instead 
of transmitting them. 

BTW I think z/os ftp may be able to transmit from a unix pipe but AMATERSE 
cannot write to a pipe. 


  
Keith

> On 14 Dec 2022, at 13:57, Ituriel do Neto 
> <03427ec2837d-dmarc-requ...@listserv.ua.edu> wrote:
> 
> Hi all,
> 
> I know we can TERSE or use XMIT a SMF dataset to generate a fixed-form 
> dataset,
> that can be downloaded in binary mode, transmitted, and then recovered 
> following
> the reverse order.
> My attempts of downloading the SMF dataset directly, in binary, and then 
> uploading
> it to another SMF dataset with the same DCB attributes did not work. The file 
> got 
> corrupted.
> 
> I have a customer that has a huge SMF dataset that can't be TERSED or XMITTED
> because of a lack of space.
> 
> Is there a way to send it, without previous use of XMIT or TRS ?
> 
> Thanks in advance.
> 
> 
> Best Regards
> 
> Ituriel do Nascimento Neto
> z/OS System Programmer
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Interpreting SEND/RECV CIPHERs

[Keith Gooding]

TCPIP invokes z/os System SSL so if there is any documentation provided by IBM 
it will be in System SSL documentation but I could not find the record formats. 
System SSL provides the gsk trace command and it is possible that this will 
format the records for you. You will find the definitive explanation if SSL/TLS 
handshake records in RFC 8446 for TLS 1.3 which has references to earlier 
versions . These can be difficult to read but when I needed to understand SSL 
messages some time ago Googling for terms such as ‘SSL message format’ found 
several explanations of SSL message structure with examples. BTW I remember 
reading that z/os 2.5 includes improved diagnostics for handshake failures but 
I have not investigated further.

Keith

> On 9 Dec 2022, at 16:47, Crusty Old Guy  wrote:
> 
> 
>> 
>>> 0090 EZD1285I TTLS Data CONNID: 0014 SEND CIPHER 1503020002020A
>> The 1503020002020A is an SSL alert packet with a fatal error: Unexpected 
>> message
> 
> This brief interchange comes from the archives.  I need to find the meaning 
> of a different cipher.
> 
> I've gone through "IP Diagnosis" and didn't find any clues.
> 
> Can anyone help?
> 
> Thank you,
> COG
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: JES3 SMPE zone in Serverpac

[Keith Gooding]

Thanks Paul.

We still need to have JES3 because as an ISV we do have to do some testing on a 
JES3 system. It would probably be safer to change our cloning jobs rather than 
ZONEMERGE the zones just in case an element with the same name as a JES3 
element is added to z/OS.

Keith

> On 6 Oct 2022, at 13:41, Paul Gorlinsky  wrote:
> 
> JES3 is no longer being maintained by IBM product. Phoenix Software 
> International - https://phoenixsoftware.com/jes3plus.htm - is licensed to 
> maintain and enhance JES3. This is probably the reason for the SMP/E split.
> 
> Note also that z/VSE is in a similar situation. As of June 1, 2021, 21st 
> Century Software Technologies, Inc. has a source code license agreement for 
> z/VSE. https://www.21stcenturysoftware.com/license-z-vse-code-from-ibm/ 
> 
> 
> IBM is investing every thing in z/OS w/JES2, z/VM and z/Linux. z/VM only as 
> far as a hosting environment and no longer an application development / 
> deployment environment. 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: JES3 SMPE zone in Serverpac

[Keith Gooding]

I found a partial explanation for the changes to Serverpac in “z/os v2.5: 
Planning for Installation” - SDSF and JES2 are now delivered in the BCP zone 
but JES3 is delivered only if ordered. It makes sense that the SDSF/JES2/JES3 
merge feature may not have been included in the z/OSMF version but having a 
separate target zone for JES3 upsets our cloning procedures.

Keith 

> On 6 Oct 2022, at 13:00, Keith Gooding 
> <034af3894af4-dmarc-requ...@listserv.ua.edu> wrote:
> 
> I installed z/os 2.5 using z/OSMF in October last year and noticed that the 
> installation placed JES3 in a target zone separate from the rest of z/os. I 
> do not recall being given the option to put JES2 and JES3 in the same 
> zone but I may have skipped over it . I know that there was such an option in 
> the ISPF version.
> 
> Has anyone else experienced this and can anyone foresee any problems if I now 
> use the SMP/E ZONEMERGE command to merge the zones so that I can remove the 
> second target zone ? I see that the z/OS 2.5 program directory states that 
> all elements must be installed into the same target zone.
> 
> Keith Gooding

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

JES3 SMPE zone in Serverpac

[Keith Gooding]

I installed z/os 2.5 using z/OSMF in October last year and noticed that the 
installation placed JES3 in a target zone separate from the rest of z/os. I do 
not recall being given the option to put JES2 and JES3 in the same 
zone but I may have skipped over it . I know that there was such an option in 
the ISPF version.

Has anyone else experienced this and can anyone foresee any problems if I now 
use the SMP/E ZONEMERGE command to merge the zones so that I can remove the 
second target zone ? I see that the z/OS 2.5 program directory states that all 
elements must be installed into the same target zone.

Keith Gooding
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OSMF - again, next issue

[Keith Gooding]

Why would anyone use CBPDO + SMP/E to install z/OS ? (Not a rhetorical 
question).

Z/OSMF Serverpac installation is good but you may not want to use a Serverpac 
to install a single product such as z/secure.

Keith

 

> On 31 Aug 2022, at 13:09, Carmen Vitullo  wrote:
> 
> thanks for that info Art, My teammate is not real familiar  with SHOP Z and 
> the options available.
> 
> she told me trying to order as CBPDO gave her an error, I'll work with her 
> some more to see why
> 
> again thanks
> 
> Carmen
> 
>> On 8/31/2022 4:59 AM, Art Gutowski wrote:
>> On Tue, 30 Aug 2022 08:01:53 -0500, Carmen Vitullo  
>> wrote:
>> 
>> >from what I was told by my teammate, Zsecure version 2.5 requires
>>> z/osmf, I could be wrong, she could be mistaken, but the issues she's
>>> having I think would affect Serverpac, or whatever it's called now,
>>> build JCL and submit JCL.
>>> 
>>> my case I opened was initially on the errors we were seeing on the
>>> submit errors, that was not addressed, just the easy stuff, now I have
>>> to recreate the issue again and make sure I have the correct error
>>> message for support. typical of z/osmf support; my first case I opened
>>> for z/osmf issues was open and not resolved for 364 days, so, so far I'm
>>> ahead of the game I support
>>> 
>>> Carmen
>> I installed zSecure 2.5 with CBPDO and SMP/E using ISPF just fine.  No 
>> issues.  CBPDO is available for products, and for z/OS itself, and as far as 
>> I'm aware, no timeline has been announced for phasing it out.  If you like 
>> z/OSMF, use it; if you prefer ISPF and SMP/E, use CBPDO...it's really not 
>> that difficult.
>> 
>> Art Gutowski
>> Mainframe Engineer
>> Huntington National Bank
>> arthur.gutow...@huntington.com
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OSMF - again, next issue

[Keith Gooding]

Just curious - I thought that only Serverpac required the use of z/OSMF and 
CBPDOs are installed using traditional methods. Are there now products which 
have to be installed using z/OSMF ? Is it now possible to install a CNPDO using 
z/OSMF.

For the record my experience of z/OSMF for Serverpac installation has been 
positive - I would not want to go back to the ISPF dialogue method.

Keith Gooding

> On 30 Aug 2022, at 13:37, Carmen Vitullo  wrote:
> 
> I don't recall ever having to work or needing to use a product to install or 
> maintain a product that required another product as finicky as z/osmf
> 
> at my 2.4 level downloading a product to support that level, the json file 
> version was not compatible WTH,
> 
> opening a case with IBM apparently there's an APAR PTF, sorry this is just 
> insane using a product built on Java to support a Mainframe product and have 
> this much incompatibility :(
> 
> sad, very sad
> 
> MHO
> 
> Carmen
> 
>> On 8/29/2022 8:34 PM, Robert Garrett wrote:
>> zOSMF.  A reasonably good idea that has been extremely poorly and sloppily 
>> implemented.
>> 
>> -Original Message-
>> From: IBM Mainframe Discussion List  On Behalf Of 
>> Carmen Vitullo
>> Sent: Monday, August 29, 2022 1:13 PM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: z/OSMF - again, next issue
>> 
>> I'm working with a teammate that is required to use z/osmf to download an 
>> new zsecure release, we successfully added the portable software instance 
>> and provide the https server and client parms, updated the JOBCARD, the next 
>> parts we hunt and peck and guess what to do next, we found quite by accident 
>> we had to 'complete add' to get to the part to submit the job to download 
>> the product from IBM, selecting action/submit the job we get this error
>> 
>> The request could not be completed because an error occurred. Error:
>> 
>> IZUD999E
>> 
>> Aug 29, 2022, 1:02:08 PM
>> 
>> An error occurred when attempting to contact the application server. The 
>> server returned HTTP status code: 500.
>> 
>> IZUG857E
>> 
>> the IZU messages are no help, we checked the configuration for the system(s) 
>> and found nothing configured wrong we saw, the PDS where the JCL was stored 
>> we submitted via TSO /ISPF successfully, next we went on and selected NEXT 
>> to move to the next job/process then we got this error An error occurred 
>> when attempting to contact the application server. The server returned HTTP 
>> status code: 500.
>> 
>> IZUG857E
>> 
>> Aug 29, 2022, 1:02:45 PM
>> I did not see any error in the IZUSVR1 address space or in the syslog.
>> my question, has anyone been successful submitting from z/osmf? is there 
>> somewhere I can check that needs configuring I may have missed?
>> thanks
>> 
>> Carmen
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions, send email 
>> to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Is there a mathematician in the house?

[Keith Gooding]

https://en.wikipedia.org/wiki/Euler%27s_totient_function

Sent from my iPad

> On 23 Aug 2022, at 23:45, Bob Bridges  wrote:
> 
> Comment from another knowledgeable cove:
> 
> "In number theory, Euler's totient function counts the positive integers up 
> to a given integer n that are relatively prime to n. It is written using the 
> Greek letter phi as φ(n) or ϕ(n), and may also be called Euler's phi 
> function. In other words, it is the number of integers k in the range 1 ≤ k ≤ 
> n for which the greatest common divisor gcd(n, k) is equal to 1. The integers 
> k of this form are sometimes referred to as totatives of n."
> 
> First of all, yeah, "relatively prime", not "mutually prime" as I wrote 
> below.  It didn't seem quite right even at the time, though I suppose it was 
> clear enough.
> 
> So "(a, 26) = 1", I guess, is just another way of specifying why φ(26) is 12. 
>  I can take up the chapter again, now.
> 
> ---
> Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
> 
> /* Canada could have had the culture of France, the entrepreneurial spirit of 
> the US and the British tradition of tolerance.  Instead it got the culture of 
> the US, the entrepreneurial spirit of Britain and the French tradition of 
> tolerance. */
> 
> -Original Message-
> From: robhbrid...@gmail.com  
> Sent: Tuesday, August 23, 2022 17:12
> 
> Ah, so "(a, 26) = 1" simply states what I had already figured out, that there 
> must be no common factors between them.  (Not counting 1 itself, of course.)  
> I think I read once that another way of saying that is " and 26 are 
> mutually prime".  Thanks, Horacio.
> 
> I'm thinking that in one sense there are actually an infinite number of 
> values that will work for , but once you get to 26 and past they're simply 
> repeating previous values.  For instance, if you use 3 (and I'll pretend b=0 
> just for simplicity here) then the ciphertext numbers are 3, 6, 9, 12, 15, 
> 18, 21, 24, 1, 4, 7, 10, 13, 16, 19, 22, 25, 2, 5, 8, 11, 14, 17, 20, 23, 26. 
>  I could also use a=29, 55, 81 and so on, but the ciphertext sequence is 
> identical so there's no point.
> 
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf Of 
> Horacio Luis Villa
> Sent: Tuesday, August 23, 2022 17:01
> 
> (m,n) is the great common divisor between m and n.
> Can't tell what phi(26)=12 is, but I would say is something like "there are
> 12 coprimes among the 26 first natural numbers".
> 
> 
> De: IBM Mainframe Discussion List  en nombre de Bob 
> Bridges 
> Enviado: martes, 23 de agosto de 2022 17:50
> 
> I got to talking with a church friend about encryption, and at lunch 
> yesterday he lent me a book on number theory that has a chapter on asymmetric 
> encryption.  Cryptography has long been a hobby of mine, but it's only 
> recently that I came to understand a little of how asymmetric encryption can 
> work.
> 
> The chapter I'm perusing will get into asymmetric encryption eventually, but 
> it's starting with simple rotational ciphers.  Expanding on the simple 
> rotation, it then talks about something it calls "affine transformations", 
> which introduce an additional term into the formula used to encrypt or 
> decrypt the text:
> 
>  C ≡ P+ (mod 26) 0 ≤ C ≤ 25
> 
> ...where, it specifies, "(a, 26) = 1".  Here's where I pause:  What operation 
> is indicated by "(m, n)"?
> 
> It goes on to say that for 26 letters in the cipher, "there are ф(26) = 12 
> choices for ".  I can see that  and 26 must have no factors in common 
> for this to work, and without actually working out how many choices there are 
> I can easily believe the answer is 12, but what function is implied by phi?
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: SDSF JS command cross-sysplex

[Keith Gooding]

Mark. 
Sorry for the confusing terminology. I meant cross-system within the same 
sysplex. As I have already posted, the problem seems to be the lack of a 
journal dataset for STCs - it is working OK for journaled job classes. 

A conversion to SDSF RACF security was involved in the migration but I am 
fairly sure that security is not related to the problem. 

Keith

> On 11 Aug 2022, at 19:37, Mark Zelden  wrote:
> 
> On Thu, 11 Aug 2022 13:32:46 -0500, Mark Zelden  wrote:
> 
>>> On Thu, 11 Aug 2022 15:34:20 +0100, Keith Gooding  wrote:
>>> 
>>> I found that the SDSF ‘JS’ (job steps) command issued from the SDSF panels 
>>> or via the REXX API  produces no output if the target job is running on a 
>>> different system in the sysplex. This is with z/os 2.5. On a 2.3 system the 
>>> same happens except that the heading says ‘no job steps found’ (or similar 
>>> message).
>>> 
>>> Is anyone able to use JS cross-system or is this working as designed?.  I 
>>> am able to use others commands such as JT (Job Tasks) so I know that the 
>>> SDSF address spaces are talking to each other.
>>> 
>>> Keith Gooding
>> 
>> Unfortunately I am getting a really late start on 2.5 and can't test this 
>> yet.  Not only that, this 
>> migration will be a pain because I have 9 sysplexes using ISFPARMs still.  
>> Which brings me to 
>> my point...   Was a migration from ISFPARMs involved with upgrading to 2.5 
>> and could
>> this just be a security related problem? I assume both LPARs are in the 
>> same JESplex.
>> Works fine under z/OS 2.4.  
>> 
>> 
>> Best Regards,
>> 
>> Mark
>> --
>> Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
>> ITIL v3 Foundation Certified
>> mailto:m...@mzelden.com
>> Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
>> 
> 
> I just noticed (and caught up with messages) - your subject says 
> "cross-sysplex".   But
> your descriptions says "different system in the sysplex".   Which is it?  I 
> don't know how
> this could ever work cross-sysplex which implies JES2 is not shared.  As I 
> wrote, it
> works fine under z/OS 2.4.   
> 
> Best Regards,
> 
> Mark
> --
> Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
> ITIL v3 Foundation Certified
> mailto:m...@mzelden.com
> Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: SDSF JS command cross-sysplex [EXTERNAL]

[Keith Gooding]

Got it. The ‘special dataset’ is presumably $JOURNAL. I found that I had only 
tested with STCs. It works ok for JOBs where the jobclass has JOURNAL=Yes. It 
does not seem possible to set JOURNSL=YES for STCs. Back to the drawing board.

Keith

> On 11 Aug 2022, at 19:06, Keith Gooding  wrote:
> 
> Thank you Rob and Paul. At least I know that it should work. In fact I think 
> it *did* once work in the same sysplex at z/os 2.4 but I cannot be 100% sure.
> 
> The systems are in the same MAS (2 systems sharing a JES2 spool and 
> checkpoint). Are there any instructions in the SDSF configuration that I may 
> have missed ? . Should I open a case with IBM ?
> 
> Keith
> 
>> On 11 Aug 2022, at 17:28, Rob Scott  wrote:
>> 
>> The SDSF "JS" action does not get sent to remote systems in the sysplex. It 
>> reads data from a special JES2 dataset for the job locally.
>> 
>> A possible reason for no data being shown is that the job on the remote 
>> system is not in the same MAS.
>> 
>> Rob Scott
>> Rocket Software
>> 
>> Sent from Samsung Mobile on O2
>> Get Outlook for Android<https://aka.ms/AAb9ysg>
>> 
>> From: IBM Mainframe Discussion List  on behalf of 
>> Feller, Paul <02fc94e14c43-dmarc-requ...@listserv.ua.edu>
>> Sent: Thursday, August 11, 2022 4:12:37 PM
>> To: IBM-MAIN@LISTSERV.UA.EDU 
>> Subject: Re: SDSF JS command cross-sysplex [EXTERNAL]
>> 
>> EXTERNAL EMAIL
>> 
>> 
>> 
>> 
>> 
>> Keith, I'm assuming you are talking about looking at job on a different lpar 
>> in the same sysplex, also part of the same JES MAS.
>> 
>> This is a display of a job running on a different lpars then the one I was 
>> logged on to.  This is a z/OS 2.4 environment.
>> 
>> SDSF JOB STEP DISPLAY - JOB DTSTM01D (JOB24586) SMFLINE 1-19 (19)
>> COMMAND INPUT ===>SCROLL ===> CSR
>> PREFIX=*  DEST=(ALL)  OWNER=*  SYSNAME=
>> NP   STEPNAME ProcStep Pgm-Name Step-CCAbendRsn StepNum Elapsed 
>> CPU-TimeSRB-Time
>>STEP000  TMSCOPY  TMSCOPY  CC    1  0:00:17.79  
>> 0:00:02.73  0:00:00.46
>>STEP005  STEP001  TMSDATA  CC    2  0:00:12.71  
>> 0:00:00.71  0:00:00.23
>>STEP005  STEP002  IDCAMS   CC    3  0:00:02.08  
>> 0:00:00.41  0:00:00.01
>>STEP003  SAS  SAS  CC    4  0:01:14.04  
>> 0:00:29.98  0:00:00.58
>>STEP005  STEP004  IKJEFT01 CC    5  0:00:00.06  
>> 0:00:00.02  0:00:00.00
>>STEP005  STEP04A  TMSUPDTE CC    6  0:00:01.08  
>> 0:00:00.14  0:00:00.01
>>STEP005  STEP005  IKJEFT01 CC    7  0:00:00.05  
>> 0:00:00.02  0:00:00.00
>>STEP005  STEP05A  TMSUDSNB CC    8  0:00:01.22  
>> 0:00:00.17  0:00:00.02
>>STEP005  STEP006  IKJEFT01 CC 0001   9  0:00:00.05  
>> 0:00:00.02  0:00:00.00
>>STEP005  STEP06A  TMSUPDTE FLUSH10
>>STEP005  STEP007  IKJEFT01 CC 0001  11  0:00:00.05  
>> 0:00:00.02  0:00:00.00
>>STEP005  STEP07A  TMSUDSNB FLUSH12
>>STEP010  TMSEXPDT TMSEXPDT CC   13  0:12:12.33  
>> 0:02:45.00  0:00:09.36
>>STEP010  EARL EARL CC   14  0:00:00.55  
>> 0:00:00.04  0:00:00.00
>>STEP020  TMSCTLG  TMSCTLG  CC   15  0:20:46.39  
>> 0:01:27.02  0:00:03.23
>>STEP020  EARL EARL CC   16  0:00:00.93  
>> 0:00:00.34  0:00:00.01
>>STEP030  TMSCYCLE TMSCYCLE CC   17  0:00:06.49  
>> 0:00:00.49  0:00:00.07
>>STEP030  EARL EARL CC   18  0:00:00.58  
>> 0:00:00.04  0:00:00.00
>>STEP040  TMSCLEAN TMSCLEAN ACTIVE   19
>> 
>> 
>> F SDSF,D JES
>> ISF304I Modify DISPLAY command accepted.
>> ISF351I SDSF JES Subsystems
>> Sysname  JES  Version  Status
>> CM01 JES2 z/OS 2.4 ACTIVE
>> PR05 JES2 z/OS 2.4 ACTIVE
>> CM02 JES2 z/OS 2.4 ACTIVE
>> PR03 JES2 z/OS 2.4 ACTIVE
>> PR02 JES2 z/OS 2.4 ACTIVE
>> PR01 JES2 z/OS 2.4 ACTIVE
>> 
>> 
>> Paul Feller
>> GTS Mainframe Technical Support
>> 
>> -Original Message-
>> From: IBM Mainframe Discussion List  On Behalf Of 
>> Keith Gooding
>> Sent: Thursday, August 11, 2022 9:34 AM

Re: SDSF JS command cross-sysplex [EXTERNAL]

[Keith Gooding]

Thank you Rob and Paul. At least I know that it should work. In fact I think it 
*did* once work in the same sysplex at z/os 2.4 but I cannot be 100% sure.

The systems are in the same MAS (2 systems sharing a JES2 spool and 
checkpoint). Are there any instructions in the SDSF configuration that I may 
have missed ? . Should I open a case with IBM ?

Keith

> On 11 Aug 2022, at 17:28, Rob Scott  wrote:
> 
> The SDSF "JS" action does not get sent to remote systems in the sysplex. It 
> reads data from a special JES2 dataset for the job locally.
> 
> A possible reason for no data being shown is that the job on the remote 
> system is not in the same MAS.
> 
> Rob Scott
> Rocket Software
> 
> Sent from Samsung Mobile on O2
> Get Outlook for Android<https://aka.ms/AAb9ysg>
> 
> From: IBM Mainframe Discussion List  on behalf of 
> Feller, Paul <02fc94e14c43-dmarc-requ...@listserv.ua.edu>
> Sent: Thursday, August 11, 2022 4:12:37 PM
> To: IBM-MAIN@LISTSERV.UA.EDU 
> Subject: Re: SDSF JS command cross-sysplex [EXTERNAL]
> 
> EXTERNAL EMAIL
> 
> 
> 
> 
> 
> Keith, I'm assuming you are talking about looking at job on a different lpar 
> in the same sysplex, also part of the same JES MAS.
> 
> This is a display of a job running on a different lpars then the one I was 
> logged on to.  This is a z/OS 2.4 environment.
> 
> SDSF JOB STEP DISPLAY - JOB DTSTM01D (JOB24586) SMFLINE 1-19 (19)
> COMMAND INPUT ===>SCROLL ===> CSR
> PREFIX=*  DEST=(ALL)  OWNER=*  SYSNAME=
> NP   STEPNAME ProcStep Pgm-Name Step-CCAbendRsn StepNum Elapsed 
> CPU-TimeSRB-Time
> STEP000  TMSCOPY  TMSCOPY  CC    1  0:00:17.79  
> 0:00:02.73  0:00:00.46
> STEP005  STEP001  TMSDATA  CC    2  0:00:12.71  
> 0:00:00.71  0:00:00.23
> STEP005  STEP002  IDCAMS   CC    3  0:00:02.08  
> 0:00:00.41  0:00:00.01
> STEP003  SAS  SAS  CC    4  0:01:14.04  
> 0:00:29.98  0:00:00.58
> STEP005  STEP004  IKJEFT01 CC    5  0:00:00.06  
> 0:00:00.02  0:00:00.00
> STEP005  STEP04A  TMSUPDTE CC    6  0:00:01.08  
> 0:00:00.14  0:00:00.01
> STEP005  STEP005  IKJEFT01 CC    7  0:00:00.05  
> 0:00:00.02  0:00:00.00
> STEP005  STEP05A  TMSUDSNB CC    8  0:00:01.22  
> 0:00:00.17  0:00:00.02
> STEP005  STEP006  IKJEFT01 CC 0001   9  0:00:00.05  
> 0:00:00.02  0:00:00.00
> STEP005  STEP06A  TMSUPDTE FLUSH10
> STEP005  STEP007  IKJEFT01 CC 0001  11  0:00:00.05  
> 0:00:00.02  0:00:00.00
> STEP005  STEP07A  TMSUDSNB FLUSH12
> STEP010  TMSEXPDT TMSEXPDT CC   13  0:12:12.33  
> 0:02:45.00  0:00:09.36
> STEP010  EARL EARL CC   14  0:00:00.55  
> 0:00:00.04  0:00:00.00
> STEP020  TMSCTLG  TMSCTLG  CC   15  0:20:46.39  
> 0:01:27.02  0:00:03.23
> STEP020  EARL EARL CC   16  0:00:00.93  
> 0:00:00.34  0:00:00.01
> STEP030  TMSCYCLE TMSCYCLE CC   17  0:00:06.49  
> 0:00:00.49  0:00:00.07
> STEP030  EARL EARL CC   18  0:00:00.58  
> 0:00:00.04  0:00:00.00
> STEP040  TMSCLEAN TMSCLEAN ACTIVE   19
> 
> 
> F SDSF,D JES
> ISF304I Modify DISPLAY command accepted.
> ISF351I SDSF JES Subsystems
> Sysname  JES  Version  Status
> CM01 JES2 z/OS 2.4 ACTIVE
> PR05 JES2 z/OS 2.4 ACTIVE
> CM02 JES2 z/OS 2.4 ACTIVE
> PR03 JES2 z/OS 2.4 ACTIVE
> PR02 JES2 z/OS 2.4 ACTIVE
> PR01 JES2 z/OS 2.4 ACTIVE
> 
> 
> Paul Feller
> GTS Mainframe Technical Support
> 
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf Of 
> Keith Gooding
> Sent: Thursday, August 11, 2022 9:34 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: SDSF JS command cross-sysplex [EXTERNAL]
> 
> I found that the SDSF ‘JS’ (job steps) command issued from the SDSF panels or 
> via the REXX API  produces no output if the target job is running on a 
> different system in the sysplex. This is with z/os 2.5. On a 2.3 system the 
> same happens except that the heading says ‘no job steps found’ (or similar 
> message).
> 
> Is anyone able to use JS cross-system or is this working as designed?.  I am 
> able to use others commands such as JT (Job Tasks) so I know that the SDSF 
> address spaces are talking to each other.
> 
> Keith Gooding
> ---

SDSF JS command cross-sysplex

[Keith Gooding]

I found that the SDSF ‘JS’ (job steps) command issued from the SDSF panels or 
via the REXX API  produces no output if the target job is running on a 
different system in the sysplex. This is with z/os 2.5. On a 2.3 system the 
same happens except that the heading says ‘no job steps found’ (or similar 
message).

Is anyone able to use JS cross-system or is this working as designed?.  I am 
able to use others commands such as JT (Job Tasks) so I know that the SDSF 
address spaces are talking to each other.

Keith Gooding
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: How to change WLM classification rules

[Keith Gooding]

I think my question should be more bettrt presented as follows:

I know how to activate or reactivate the base service policy or an override 
service policy. How can other definitions in the service definition such as 
classification rules be activated ?

Does service policy activation use the policy in the currently active service 
definition or that in the currently installed service definition ?.  Does 
installation of a service definition do anything other than update the couple 
dataset ? . When a service policy is dynamically activated, and assuming that 
the system uses policies from the currently installed service definition, are 
the other definitions in the service definition (such as classification rules) 
also activated ?

My 10+ years old service definition uses the same name for the service 
definition as for the override policy that we use - I was probably confused 
then and am confused now.

Keith Gooding

> On 26 Jul 2022, at 12:38, Keith Gooding  wrote:
> 
> I meant to say of course that only one service definition can be installed 
> in the couple dataset, not coupling facility.
> 
> Sent from my iPad
> 
>> On 26 Jul 2022, at 12:34, Keith Gooding 
>> <034af3894af4-dmarc-requ...@listserv.ua.edu> wrote:
>> 
>> This is a ‘newbie’ question (from someone who has forgotten a lot about 
>> z/OS).
>> 
>> On a development system our WLM service definition does not get much 
>> attention. I wanted to make a simple change to classification rules and also 
>> to a service class definition. I used z/OSMF but I think I would have the 
>> same problem with ISPF.
>> 
>> I extracted the definition from the couple dataset and used it to create a 
>> new service definition and copied an existing policy definition (POLICY1) as 
>> POLICY2 in the new service definition and made my changes in the new service 
>> definition. I installed the new service definition but cannot see how to 
>> activate it, if that is indeed possible.
>> 
>> I had not realised that the coupling facility can contain only one service 
>> definition. I can activate policy overrides in the active service definition 
>> but those do not contain classification rules according to the WLM planning 
>> guide.
>> 
>> What should I do to change classification rules dynamically ?
>> 
>> Perplexed.
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: SMC-R on other platforms

[Keith Gooding]

I did not get any replies here but I did get an excellent reply from someone in 
IBM on the IBMTCP-L list. For some reason my initial post there had not been 
echoed back to me.

Keith

Sent from my iPad

> On 18 Jul 2022, at 17:10, Keith Gooding 
> <034af3894af4-dmarc-requ...@listserv.ua.edu> wrote:
> 
> I attempted to post this on IBMTCP-L but I am not sure that I did it 
> properly because I got no reply from the server. I am cross-posting it here.
> 
>  I know that acceptance of Smc-R (RFC 7609) on platforms other than z/os was 
> slow. Does anyone know of implementations other than on AIX and zlinux on Z 
> eg Windows or Linux on other platforms ?. Are these implementations 
> compatible with z/os - I think I remember that one of the IBM implementations 
> was not initially compatible but I may be wrong about that.
> 
> Keith Gooding
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: How to change WLM classification rules

[Keith Gooding]

I meant to say of course that only one service definition can be installed in 
the couple dataset, not coupling facility.

Sent from my iPad

> On 26 Jul 2022, at 12:34, Keith Gooding 
> <034af3894af4-dmarc-requ...@listserv.ua.edu> wrote:
> 
> This is a ‘newbie’ question (from someone who has forgotten a lot about 
> z/OS).
> 
> On a development system our WLM service definition does not get much 
> attention. I wanted to make a simple change to classification rules and also 
> to a service class definition. I used z/OSMF but I think I would have the 
> same problem with ISPF.
> 
> I extracted the definition from the couple dataset and used it to create a 
> new service definition and copied an existing policy definition (POLICY1) as 
> POLICY2 in the new service definition and made my changes in the new service 
> definition. I installed the new service definition but cannot see how to 
> activate it, if that is indeed possible.
> 
> I had not realised that the coupling facility can contain only one service 
> definition. I can activate policy overrides in the active service definition 
> but those do not contain classification rules according to the WLM planning 
> guide.
> 
> What should I do to change classification rules dynamically ?
> 
> Perplexed.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

How to change WLM classification rules

[Keith Gooding]

This is a ‘newbie’ question (from someone who has forgotten a lot about z/OS).

On a development system our WLM service definition does not get much attention. 
I wanted to make a simple change to classification rules and also to a service 
class definition. I used z/OSMF but I think I would have the same problem with 
ISPF.

 I extracted the definition from the couple dataset and used it to create a new 
service definition and copied an existing policy definition (POLICY1) as 
POLICY2 in the new service definition and made my changes in the new service 
definition. I installed the new service definition but cannot see how to 
activate it, if that is indeed possible.

I had not realised that the coupling facility can contain only one service 
definition. I can activate policy overrides in the active service definition 
but those do not contain classification rules according to the WLM planning 
guide.

What should I do to change classification rules dynamically ?

Perplexed.
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

SMC-R on other platforms

[Keith Gooding]

I attempted to post this on IBMTCP-L but I am not sure that I did it properly 
because I got no reply from the server. I am cross-posting it here.

 I know that acceptance of Smc-R (RFC 7609) on platforms other than z/os was 
slow. Does anyone know of implementations other than on AIX and zlinux on Z eg 
Windows or Linux on other platforms ?. Are these implementations compatible 
with z/os - I think I remember that one of the IBM implementations was not 
initially compatible but I may be wrong about that.

Keith Gooding
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

HICS - CBTTAPE overflow file 300

[Keith Gooding]

Is anyone using the HICS storage admin dialogue from the CBT overflow tape ? . 
It was installed on one of our systems several years ago but not used. I saw 
that it was a version from 2003 so I installed the latest CBT version - it is 
dated 2006. My problem in particular is that it is not clear how the ISPTABL 
data set should be used there has to be one for each system. I have come to the 
conclusion that the ISPTLIB and ISPTABL libraries should be the same but the 
documentation is not clear.

Also the daily housekeeping takes an inordinate time - one if the jobs took  10 
hours - has anyone been able to run this system in a reasonable time (it stores 
information in ISPF tables and I suspect it may be doing table updates for 
every dataset encountered).

Any replies appreciated. Lack of replies may suggest that this application is 
defunct !

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Serverpac installs January 2022 and beyond - Issues

[Keith Gooding]

Hi Maria.

Yes, I do believe that I can create the next z/os software instance very 
quickly now that we have a v2.5 instance. We use what the Serverpac dialog 
called ‘system upgrade’ , retain the existing master catalog and use indirect 
cataloging. 

In fact I was so confident that I could do this I re-ordered the Serverpac 
because the first order had two target zones (I had assumed that this was 
because I had accidentally ordered 2 releases of the same product - node.js 
IIRC - but it turned out to be because I received ISPF-case and upper case 
panels). Incidentally my shopz orders were shipped within 24 hours - it used to 
take a few days. This turned out to be a mistake because I had not actually 
finished the first install so it was not available as a model so I had to use 
the 2.4 instance. But with my experience of the first installation tailoring 
the dataset names and volumes was very quick. On reflection, using my first 2.5 
instance as a model may not have made much difference if only SMPE-managed 
datasets are modelled.
 
I much prefer z/osmf to the previous method. I never did learn all of the 
commands to edit the dataset names and volume layout. 

(Laying down the files in a couple of hours is a bit optimistic for me. I had 
to spend a lot of time freeing up disk space for the order etc and downloading 
the order and running the ‘unpack’ job took several hours. But the z/osmf 
dialogue part was quick and easy).


BTW I am the odd-ball who uses 2-level aliases for the ZFS datasets. I think 
the reason may be that when we moved to ZFS we could no longer use indirect 
cataloging for file systems so we added a second qualifier after “OMVS’  to 
create unique names. Then , when I realised that it was easier to put the ZFS 
datasets on the single large sysres, I needed to catalog them on a catalog 
residing on sysres to make cloning easier.  We ended up with 3 “qualifiers” 
associated with a particular software instance on sysres: the volser, the 
target zone name and the qualifier in the “OMVS” datasets. I know that it would 
be simpler to use the volser as the HLQ but we have to maintain and run several 
back levels of z/os and I am reluctant to change. I may however do that even 
though it is a minor ‘post install’ step to move the entries out of the ‘OMVS’ 
catalog to a catalog 

Keith Gooding

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Serverpac installs January 2022 and beyond - Issues Updated

[Keith Gooding]

Hi Kurt. In answer to your question about my previous post:

We put the SMP/E target zone datasets on the target volume. The names in this 
case are SMPE.ZOS250.MVST250.* which are unique in the system. The CSI is VSAM 
so it is directly cataloged. The installation process indirectly catalogs the 
non-VSAM ones and I assume that the DdDEFs for them include the specific 
volser. However when handling these datasets it is more convenient if they are 
directly cataloged. It is possible, so that is what we do (post install).

I also mentioned that I would like to be able to create a 2-level alias and 
associated catalog. That is because we use OMVS.ZOS250 as the qualifier for 
target zone file systems, and OMVS for most other file systems.

Not necessarily all logical or the best practice but we are where we are. 

Keith Gooding

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Serverpac installs January 2022 and beyond - Issues Updated

[Keith Gooding]

Hi Terri.

I had a more positive experience with z/osmf installation of a z/os serverpac 
after some initial confusion. 

A long time ago I had created a ‘software instance’ from a pair of z/os 2.4 
target/dlib zones. I used this as a model for my 2.5 installation and was very 
surprised when z/osmf proceeded to tailor the dataset names like the 2.4 
instance - surprised because I expected that the model had to be an instance 
created by a z/osmf installation. I now see that it probably looks for matching 
DDDEFs and adjusts the new dataset names accordingly. 

I had to adjust the names for new datasets and operational datasets. Here I 
found that z/osmf appears to look for common HLQs in a dataset filter list and 
gives the opportunity to change that common HLQ to something else. I did this 
for instance for some CPAC datasets where we want the HLQ to be SYS1.CPAC 
instead of CPAC - I filtered on HLQs to get a list of all CPAC datasets and 
excluded the ones I did not want to change.

If you do not have a model instance then of course to change all HLQs to SYS1 
you would have to change each HLQ (CEe, ISF etc) separately.

I still have some gripes but these occurred also with the old dialogue:
- only single level aliases are supported. We want to use OMVS.ZOS250 as a 2 
level alias pointing to a new catalog on sysres but this has to be done 
post-install.

- SMPE.ZOS250.* non-VSAM datasets on the sysres are indirectly cataloged 
because indirect cataloging by the installation dialogue works at the volume 
level.

- I always do what used to be called an ‘upgrade install’.  With z/osmf I 
instead answered ‘no’ to ‘do you want to create operational datasets’. In both 
cases we still get some operational datasets such as CPAC.PARMLIB. Most of 
these are not required but to avoid clashing with existing datasets of the same 
name I rename them as SYS!.CPAC.* and indirectly catalog them on sysres. 

Keith GOODING


> On 26 Oct 2021, at 18:05, Shaffer, Terri 
> <017d5f778222-dmarc-requ...@listserv.ua.edu> wrote:
> 
> Okay I am going to retract the dataset names issue.  Either my z/OSMF 
> decided to play nice now, or I did something wrong.
> 
> I can modify all the names to my preferred names and HLQ..
> 
> So let me continue to see what happens.. It sure would have been nice to just 
> retrieve my CPAC.SAVE.CONFIG file.
> 
> But okay..
> 
> Ms Terri E Shaffer
> Senior Systems Engineer,
> z/OS Support:
> ACIWorldwide – Telecommuter
> H(412-766-2697) C(412-519-2592)
> terri.shaf...@aciworldwide.com
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OSMF Serverpac installation

[Keith Gooding]

Thank you for your reply, Kurt.

Things have moved on somewhat. Having cancelled the deployment dialogue and 
started again (possibly with a different 2.4 software instance - I am not sure 
which one I selected the first time) I found that most of the datasets were 
correctly matched against the 2.4 configuration and correctly renamed to match 
those 2.4 datasets. This clears up any confusion I may have had about what 
dataset names should be used - the eventual target dataset name (which it 
should in fact be), or the server pack source name or some other name involving 
an SSA. Maybe the first few datasets that I viewed on my first attempt were 
ones which could not be matched (eg not target or club zone datasets, or new 
datasets). Never mind - that is fixed now.

Incidentally I find it really irritating that I cannot log off or somehow save 
my configuration changes before they are complete. I have had to start again 
several times because my dodgy home internet connection has temporarily failed.

With regard to new volumes : I will initialise a new target and dlib volume 
before doing the configuration again (I had to start again because I left the 
session open for a few hours and the connection dropped).

I did select ‘use existing master catalog’. Most of the operational datasets 
(eg SYS1.RACF) will not be required but they still appear on the deployment 
configuration deployment panel. We do use a few of those (eg CPAC.PROCLIB and 
CPAC.Linklib, which we always rename as SYS1.CPAC.PROCLIB and indirectly 
catalog on the sysres) but I am considering leave no most of them with the 
source name CB.ST25.* - if these are indeed created by the dialogue I will 
be able to recognise them easily.

I also decided that the reason that there is no detailed documentation is that 
, after some initial confusion, the dialogue is intuitive . In general I am 
impressed - it is, or will be, better than the system it replaces.

Keith Gooding 

> On 12 Oct 2021, at 16:39, Kurt J. Quackenbush  wrote:
> 
> - I have attempted to model the configuration on a 2.4 software instance 
> which 
> I created, but although the zone names are primed with the 2.4 values none 
> of 
> the dataset names have been primed with the 2.4 names. Should I set the 
> names 
> to their eventual values (eg SYS1.Linklib) or leave them as the source 
> values 
> with the expectation that a later step will rename them ?
> 
> No later step will rename the data sets.  Not sure why the model 
> processing did not find matches for most of your data sets, but update the 
> target data set names on the Data Sets page to your desired data set 
> names.
> 
> - An attempt to change the target volser is rejected because the volume 
> does 
> not yet exist. In the ISPF version there was a job to initialise new 
> volumes. I 
> am aware that z/OSMF does not yet include all of the old method functions 
> but 
> have I missed something here ?
> 
> No, you have not missed anything.  z/OSMF does not provide a capability to 
> define a new volume.  You do have an option to initialize an existing 
> volume so it will be empty before any new data sets get created, but no 
> option to define a volume that does not already exist.
> 
> - I want to use the equivalent of a Serverpac upgrade ie the existing 
> master 
> catalog is used with indirect cataloging. On the ISPF version there was a 
> step 
> to validate the entries in the master catalog and create new entries as 
> required. On the Catalogs page, should I catalog the datasets or not ?
> 
> Yes, indicate the data sets will be cataloged.  An indirectly cataloged 
> data set is cataloged, not uncataloged.  Then, on the Volumes page, use 
> the Modify action to indicate data sets on that volume will be indirectly 
> cataloged and specify the symbol to use for the volume in the catalog 
> entries.  Curious, did you select the "Existing master catalog" option in 
> step 3 of the Deployment Checklist?
> 
> Kurt Quackenbush
> IBM  |  z/OS SMP/E and z/OSMF Software Management  |  ku...@us.ibm.com
> 
> Chuck Norris never uses CHECK when he applies PTFs.
> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

z/OSMF Serverpac installation

[Keith Gooding]

Can anyone share any experiences with this ?

My general problem is that I cannot find detailed documentation for this at a 
similar level to the ISPF “Installing Your Order” manual which was provided for 
the ISPF dialogue method. The “getting started” link with the order points to a 
video of a sample Serverpac install for a fictional product obviously much 
simpler than z/Os. 

I did the download OK and was impressed with the ease-of-use. I am now on the 
deployment step:

- I have attempted to model the configuration on a 2.4 software instance which 
I created, but although the zone names are primed with the 2.4 values none of 
the dataset names have been primed with the 2.4 names. Should I set the names 
to their eventual values (eg SYS1.Linklib) or leave them as the source values 
with the expectation that a later step will rename them ?

- An attempt to change the target volser is rejected because the volume does 
not yet exist. In the ISPF version there was a job to initialise new volumes. I 
am aware that z/OSMF does not yet include all of the old method functions but 
have I missed something here ?

- I want to use the equivalent of a Serverpac upgrade ie the existing master 
catalog is used with indirect cataloging. On the ISPF version there was a step 
to validate the entries in the master catalog and create new entries as 
required. On the Catalogs page, should I catalog the datasets or not ?

Keith Gooding 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Off Topic: Advanced Capacity Planning and Laundries

[Keith Gooding]

This is a long shot: Many years ago, probably early nineties, I attended a 1 
week IBM course with the title “MVS Advanced Capacity Planning” (or similar). 
It was given by a Canadian IBMer. At the start of the course he gave out, 
without further explanation, copies of some articles. One was a story about a 
student who used a Chinese laundry. The proprietor used the laundry items to 
make deductions about the student’s life, eventually concluding that the 
student had committed a murder. (All wrong of course - hence the link to 
capacity planning).

I think the story was from one of the Stephen Potter books (who wrote about 
“Gamesmanship etc in the 1950’s).

Does anyone else remember this and have details of the source ?

Keith Gooding

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM Zcloud - is it just outsourcing ?

[Keith Gooding]

One of my reasons for asking about zCloud here was that I have been asked (at 
second- or third-hand) whether an ISV product is “supported” on zCloud, so 
there is clearly a case to answer. At first sight, if zCloud just means 
transferring LPARs to an IBM-owned machine, the answer would be ‘yes’. But 
there may be reasons why it would not be ‘supported’ - e.g. for licensing 
reasons, because IBM do not have the expertise to manage it, because IBM prefer 
to replace it with one of their owns products, etc.

Another reason is that I found a reference to “zcloud environments” in IMS v13 
documentation in regards to what is now called “cloud provisioning” ie using 
z/OSMF and possibly Z Cloud Broker) to create and manage middleware 
environments “on demand” using templates etc provided by the middleware 
developers. I now think that this use of the term “zcloud” here (or terms such 
as “Z cloud”, Z/cloud” etc rather than “zCloud” ) may refer generically to 
cloud services on Z rather than the “Managed Extended Cloud Infrastructure as a 
Service(IaaS) for IBM Z (zCloud)” offering.

There is still a nagging doubt that some ISV products may be required to “play 
nicely” on zCloud, especially in environments where instead of transferring an 
LPAR to zCloud a new z/OS system is created just for development purposes so 
that modern development tools can be used. In that case there could be a 
requirement for middleware to co-operate in the automatic provisioning of test 
environments.

At the risk of being contacted by an IBM salesperson I have attempted to get in 
touch with a “zCloud” person for information.

Keith Gooding

Sent from my iPad

> On 29 May 2021, at 15:13, Colin Paice  wrote:
> 
> I remember about 20+ years ago there was "dial a vm" from IBM for
> customers.  By the time you had phoned up, given your credit card details
> it had created a second level system for you to play with.
> 
> "We did it first on z"
> 
> Colin
> 
>> On Sat, 29 May 2021 at 12:45, Scott Chapman 
>> wrote:
>> 
>> I think one important distinction of cloud vs. outsourcing is the
>> ephemeral nature of the resources in cloud computing. I.E. the ability to
>> start from zero, provision compute and storage resources of some type
>> (either manually or automatically in response to changing conditions) and
>> then deprovision them similarly after using the resources for perhaps mere
>> minutes or hours. The cost is determined by what you used for the duration
>> you used it, typically billed to an interval of minutes or sometimes even
>> seconds. And since it has on-ramp starting at zero infrastructure and zero
>> cost, you can easily try out ideas at a cost of something you can put on a
>> credit card. Infrastructure is charged in increments of pennies. And if it
>> doesn't work out, you turn it off and your charges stop.*
>> 
>> Last I knew, and I would like to be proven wrong, zCloud didn't embody the
>> idea of "I want to play with z/OS for a few hours, stand up a z/OS image
>> with x CPU and y GB of disk and put it on my credit card".
>> 
>> *-Remember: in the cloud, you pay for what you forgot to turn off. And
>> those pennies can add up shockingly fast in some cases!
>> 
>> Scott Chapman
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

IBM Zcloud - is it just outsourcing ?

[Keith Gooding]

I have been asked if a z/OS software product is supported on IBM Zcloud.

As far as I can see Zcloud is just old-fashioned outsourcing where a z/os 
system runs in an LPAR on someone else’s computer, albeit with the ability to 
dynamically add computing resources for temporary workload spikes etc. 

Am I missing something or is there ‘proper’ cloud technology, such provisioning 
of middleware using cloud provisioning like AWS etc.

Keith Gooding

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Need some help with SSL error

[Keith Gooding]

Did you get any messages from AT-TLS  (prefix EZY) ?. Trace level 7 should 
cause error messages to appear on the job log in addition to the unix syslog. 
Maybe the rule is not being triggered. If you are able to increase the trace 
level to 31 you should be able to see what System SSL options were set by 
At-Tls (if the rule was triggered) . The debug messages are sent to syslogd. .

Keith Gooding 

> On 16 Nov 2020, at 14:24, Joe Monk  wrote:
> 
> Error 100B:
> 
> 100B Unexpected SSL handshake encountered.An SSL handshake header was
> encountered on a basic port or the client immediately entered an SSL
> handshake for a CONNTYPE option value other than SECURE or ANY. Verify that
> the client and port settings are compatible.
> A quick google found this:
> 
> https://www.ibm.com/support/pages/zos-communications-server-tls-needed-implement-tls-v12
> 
> Joe
> 
> 
> 
> 
>> On Mon, Nov 16, 2020 at 6:27 AM Edgington, Jerry <
>> jerry.edging...@westernsouthernlife.com> wrote:
>> 
>> I need some help, please.  We have an automated system, using TN3270
>> screen scraping.  Over the weekend, we IPL'ed, first time in April, 2020
>> and now, when this "automated" system/client tries to connect over TN3270,
>> we are getting this error message:
>> 
>> M 410  20320 14:22:03.02 STC09624 0090  EZZ6034I TN3270
>> CONN 025C LU **N/A**  CONN DROP  ERR 100B 864
>> E 864 0090IP..PORT:
>> :::xx.xx.xx.xx..53084 EZBTTRCV
>> 
>> The AT/TLS policy has changed since August, 2020.  And we only have TLS
>> v1.2 turned on for only specific inbound IP addresses.  We are running z/OS
>> v2.1, at this point
>> 
>> Any suggestions, help or ideas, would be great.
>> 
>> Thanks,
>> Jerry Edgington
>> 
>> Here is the AT/TLS policy. I have masked the names for security reasons.
>> ##---
>> ## Rules for yyy servers using xx IP over port 923
>> ##---
>> TTLSRule  yyy-xx-SSL
>> {
>>  LocalAddrGroupRef x-Ip-Addr
>>  RemoteAddrGroupRef   yyy-Server-IpAddr
>>  LocalPortRange 923
>>  RemotePortRangeRef Port-Remote
>>  Direction Inbound
>>  Priority500
>>  TTLSGroupActionRef   gAct1
>>  TTLSEnvironmentActionRefeAct1
>>  TTLSConnectionActionRef cAct-x
>> }
>> 
>> TTLSConnectionAction  cAct-x
>> {
>>  HandshakeRole Server
>>  TTLSCipherParmsRef   cipher1~Default_Ciphers
>>  TTLSConnectionAdvancedParmsRef  cAdv-xx
>>  CtraceClearText Off
>>  Trace7
>> }
>> 
>> TTLSConnectionAdvancedParms   cAdv-
>> {
>>  HandshakeTimeout 30
>>  CertificateLabel ATTLS
>>  SecondaryMap  Off
>>  TLSv1.2On
>>  ApplicationControlled  On
>> }
>> 
>> TTLSEnvironmentAction eAct1
>> {
>>  HandshakeRole Server
>>  EnvironmentUserInstance 0
>>  TTLSKeyringParmsRef keyR~ZOS112
>> }
>> 
>> 
>> ##---
>> ## IP Address for yyy Servers
>> ##---
>> IpAddrGroup   yyy-Server-IpAddr  {
>>  IpAddr
>>  {
>> Addr xx.xx.xx.xx
>>  }
>> }
>> 
>> ##---
>> ## Ports Remote
>> ##---
>> PortRange Port-Remote
>> {
>>  Port1024-65535
>> }
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/osmf Network Configuration Assistant

[Keith Gooding]

Thank you all for your replies.

It appears that z/OSMF NCA is, as we say, the best thing since sliced 
bread, but many do not like sliced bread.


Our configuration is not typical because the system is used to test a 
SSL/TLS application and developers need to test z/OS servers and clients 
with a number of different AT-TLS rules. The original configuration was 
created many years ago with the Windows tool and thereafter was managed 
manually - usually by adding yet another rule based on a previous rule 
but sometimes requiring new actions or cipher suites.  It all got rather 
messy and the need for TLS 1.3 has prompted many changes. Using AT-TLS 
rather than native SSL/TLS support in z/OS-supplied components will also 
complicate matters.


I do like NCA but just importing our current configuration produces a 
complicated configuration with names based on 'mangled' profile 
construct names and a lot of requirement mapping tables each containing 
just one entry.


On the other hand I like the fact that NCA clearly presents the choices 
to be made - a list of cipher suites and elliptic curve groups specific 
to TLS 1.3 for instance - and although defaults can be taken we are 
aware that the default has been chosen rather than being something that 
was overlooked. Also I like the fact that I can print a configuration in 
a form that will make sense to a developer.


I think I may end up with a horrible compromise where I use NCA 'to 
create a set of definitions for TLS 1.3 testing 'from scratch' and merge 
them into the full policy.



Keith


On 27/10/2020 13:07, Tom Conley wrote:


Keith,

IBM decided that AT-TLS was so inscrutable that you needed an app to 
configure it.  Untrue.  You can manually configure AT-TLS for TN3270 
in less than a day, provided you can do all the tasks necessary.  
Please check out my presentation on this (WTW):


https://www.newera.com/INFO/Top_11_Things_032018.pdf

Please let me know if you have any questions or concerns.

Regards,
Tom Conley

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

z/osmf Network Configuration Assistant

[Keith Gooding]

Is anyone using this to maintain AT-TLS policies or any other policies ?

Any views on NCA vs manual editing of the policy file ?

When I first encountered AT-TLS I used the Windows version to generate a simple 
policy file for one type of application and thereafter did manual edits to the 
policy file (all applications were similar). Using AT-TLS for z/OS-supplied 
applications such as Telnet and FTP will make the policy file more complicated 
and I am wondering whether NCA is the best way.

Keith
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN