Re: IBM AOAR O44855

2020-01-23 Thread Peter Vander Woude
The apar is meant to deal with those types of hacks, where someone has a list 
of userids and then just tries to logon to TSO by connecting and attempting to 
logon to TSO.  Without the apar/parm, the normal logon screen shows the person 
IF the userid actually has a TSO profile.

When the correct parm is in the IKJTSO00 parmlib member, they just get a prompt 
for the password.  There is no notification at that point that the user does, 
or does not, have TSO access.  Even the response does not tell the hacker that 
information.

While I agree that it could be a vein for a DDoS of getting the user's id 
revoked, the premise of preventing the identification of someone with TSO 
access is very valid.


Subject: Re: IBM AOAR O44855

From: Seymour J Metz 
Reply-To: IBM Mainframe Discussion List 

Date: Tue, 21 Jan 2020 16:31:42 +

That opens the way to a denial of service attack; someone can write a script to 
cause revocation of a long list of userids.


--
Shmuel (Seymour J.) Metz

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
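
An added example, not part of the original thread: the parm discussed above hides which userids have TSO access, but as the quoted reply notes, failed passwords can still drive revocation. This sketch flags one source failing against many distinct userids in a short window; the comma-separated record layout, outcome codes and thresholds are constructed assumptions, not a RACF or SMF format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical layout, not a real RACF/SMF record):
# timestamp,source address,userid,outcome
# BADPW = failed password, REVOKED = failure that revoked the userid, OK = success
SAMPLE_EVENTS = """\
2020-01-21T16:00:01,192.0.2.10,USERA01,BADPW
2020-01-21T16:00:02,192.0.2.10,USERA02,BADPW
2020-01-21T16:00:03,192.0.2.10,USERA03,BADPW
2020-01-21T16:00:04,192.0.2.10,USERA01,BADPW
2020-01-21T16:00:05,192.0.2.10,USERA02,BADPW
2020-01-21T16:00:06,192.0.2.10,USERA03,BADPW
2020-01-21T16:00:07,192.0.2.10,USERA01,REVOKED
2020-01-21T16:00:08,192.0.2.10,USERA02,REVOKED
2020-01-21T16:00:09,192.0.2.10,USERA04,BADPW
2020-01-21T16:03:00,198.51.100.7,USERB01,BADPW
2020-01-21T16:03:20,198.51.100.7,USERB01,BADPW
2020-01-21T16:03:40,198.51.100.7,USERB01,OK
2020-01-21T18:30:00,203.0.113.5,USERC01,BADPW
2020-01-21T19:30:00,203.0.113.5,USERC02,BADPW
2020-01-21T20:30:00,203.0.113.5,USERC03,BADPW
2020-01-21T21:30:00,203.0.113.5,USERC04,BADPW
"""

FAILURES = {"BADPW", "REVOKED"}


def parse_events(text):
    """Parse the constructed CSV layout into (timestamp, source, userid, outcome)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, source, userid, outcome = line.split(",")
        events.append((datetime.fromisoformat(ts), source, userid.upper(), outcome))
    return events


def find_enumeration_sources(events, window=timedelta(minutes=5), min_userids=4):
    """Flag sources whose failed logons hit >= min_userids distinct userids
    inside any sliding window. A user mistyping one password (many failures,
    one userid) and slow unrelated failures are not flagged."""
    by_source = defaultdict(list)
    for ts, source, userid, outcome in events:
        if outcome in FAILURES:
            by_source[source].append((ts, userid, outcome))

    findings = {}
    for source, fails in by_source.items():
        fails.sort(key=lambda f: f[0])
        in_window = Counter()   # userid -> failures currently inside the window
        left = 0                # index of the oldest failure still in the window
        peak = set()            # largest set of distinct userids seen in one window
        for ts, userid, _ in fails:
            in_window[userid] += 1
            while ts - fails[left][0] > window:
                old = fails[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > len(peak):
                peak = set(in_window)
        if len(peak) >= min_userids:
            revoked = sorted({u for _, u, o in fails if o == "REVOKED"})
            findings[source] = {"userids": sorted(peak), "revoked": revoked}
    return findings


if __name__ == "__main__":
    for src, info in find_enumeration_sources(parse_events(SAMPLE_EVENTS)).items():
        print(src, "failed against", info["userids"], "revoked:", info["revoked"])
```
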


Catalogs in parallel sysplex ECS vs RLS

2020-04-23 Thread Peter Vander Woude
Ok, building parallel sysplex.  For the catalogs I am planning on using ECS for 
the shared catalogs (which is all of them).

What is the recommended method for handling the catalogs in a parallel sysplex, 
ECS or VSAM RLS?

Thanks,
Peter



Re: Catalogs in parallel sysplex ECS vs RLS

2020-04-24 Thread Peter Vander Woude
Thank-you all for your responses.  Again the IBM-Main community shows its 
strength.

I think I'll be sticking with ECS at the moment.

Much appreciated,
Peter



Re: Thanks For All the Fish

2018-12-13 Thread Peter Vander Woude
John,

Thanks for all that you have done and best wishes in your retirement!

Peter Vander Woude



Re: SCLM problem

2019-01-17 Thread Peter Vander Woude
Do the datasets for the isv product happen to have the same high level 
qualifier as an SCLM project?  If so, that is the reason you are getting the 
warning.

Peter



8 character userid and submit of batch jobs

2019-03-19 Thread Peter Vander Woude
I'm testing out the TSO support of 8 character userids, and am running into the 
scenario where, when that user submits a job with its userid as the jobname, 
I'm getting TSO messages that say "jobname truncated" and "Userid plus jobname 
characters cannot exceed maximum jobname length of 8".

According to the doc I've read, when you have USERIDMAX set to 8, the TSO 
submit exit will not add an extra character to the jobname.

Did I read the wrong doc?  Or is there something else that I'm missing when it 
comes to using 8 character userids under TSO?

We do not have our own version of any of the TSO submit exits, just in case 
someone asks.

Thanks,
Peter



Re: Can backup mechanisms be used to steal RACF database? was Re: mainframe hacking "success stories"?

2019-05-09 Thread Peter Vander Woude
On Tue, 7 May 2019 09:26:58 -0300, Clark Morris  wrote:


>Could someone use DF/DSS, DF/HSM, FDR or FDR/ABR to copy the database
>and then download the dump of the database?
>
>Clark Morris
>>

Clark,

If they have read access to the database, yes.  That's what happened in the 
Swedish bank hack, back in 2012.  

In that, once they got the database copy on their pc, they used hacker tools 
that are out there, to crack all the passwords.

Peter



Re: File 228 CBT tape - HSM panel recovery

2019-05-17 Thread Peter Vander Woude
I just submitted to the cbt site, an updated file 228, that works correctly.

The problem lies in how the clist was parsing the output from the hsm command.  

The format changed a long time ago.  I had got it working for me, just didn't 
think about submitting the changes.

Peter



IEFACTRT and flowerbox with excp consolidation

2017-11-27 Thread Peter Vander Woude
Does anyone have an IEFACTRT exit, that produces a flower box AND processes all 
the smf30 extension records for when DDCONS is set to NO, so we just get one 
total for all the EXCP's done to each DDNAME?  I've tried the ones on the CBT 
tape, and none of them seem to do that.

Thanks,
Peter



Re: VSAM Performance - CPU reduction

2018-01-17 Thread Peter Vander Woude
Arun,

In the IDCAMS listing, I see that the files are defined NONSPANNED.  With the 
records being variable length, you could have as few as 2 records per ci, since 
the max is around 11000.  If all the records are the minimum of 170, then you 
would have around 156 records per ci.

Have you looked at changing NONSPANNED to SPANNED?  That will allow variable 
length records to go across CI's, and might help in some small way, by 
decreasing the actual space that the files use up.  As such the # of records 
read in, as defined by the BUFND, will be higher.

For the skip sequential file, if you are doing a point and then read next, what 
is the average number of records that are being processed?  Having the BUFND so 
high, if it's only processing a few records in the data component, then you are 
reading in, and spending higher cpu time, just to throw away those records and 
read in the next set of ci's.  Anytime you reduce the BUFND, of course your 
EXCP's will go up, as VSAM I/O counts are the number of times it had to read a 
group of ci's, as opposed to sequential files, where each block counts as an 
I/O, no matter what BUFNO is set to.

Peter



Re: how to: convince programmer something else is better.

2016-12-19 Thread Peter Vander Woude
John,

Tell them that their cobol routine will probably run around 11 times longer 
than the current assembler routine.

Our programmers used to use a cobol to read in a file, for ebcdic to ascii 
translation, and then this subprogram would be called for each record to 
convert from ebcdic to ascii.  The job steps calling that routine spent over 
90% of their cpu time in that subprogram.

I re-wrote into hlasm, and eliminated at least 80-90% of the cpu time, just due 
to the efficiencies that the assembler code management of the data in a table, 
have vs cobol.

Of course, if they don't care about performance, that's their choice, however, 
they should use the routines supplied by microfocus as those will most likely 
be written in a higher performing language than cobol is in the type of data 
manipulation that your hlasm routine is using.

BTW, how much space are your SAN people complaining about?

Peter



Re: RFE for Windows 10 client support in DFS/SMB on z/OS

2016-12-19 Thread Peter Vander Woude
We lost the ability to use it, after Active directory was updated to use 
signatures.  The only option is to disable the use of login signatures 
(not sure if that's the correct term, right now), and that ain't gonna happen, 
so DFS/SMB ended here.

Maybe this request will kick them so that they can add support for that.

Peter



Re: Software vendor trying to force MSU based contract

2017-03-02 Thread Peter Vander Woude
Brian,

Per your comment

"I don't think the vendor (or anyone) can change the language of a contract 
that has not expired in any way without the site's written approval.  If it's 
perpetual then I don't see how any vendor company can fight that.  They 
accepted the money and they have to stick with the terms. "

We actually had that occur.  Vendor B bought vendor A.  When Vendor B sent the 
next annual invoice, they automatically increased maintenance by 20%.  We 
didn't totally catch it until my boss asked if the #'s were right, which was 
about 2 years later, and after I saw it I went "what the @#$#*(@!", as over 2 
years, our annual maintenance cost had gone up by 50%.  Called Vendor B and 
their response was that 20%/year was their standard annual maintenance increase.

I pushed them that our contract for the 2 products from vendor A had totally 
different terms, that basically gave us flat charges and/or very minimal annual 
increases.  It took a bit, but they finally admitted, that they had not even 
pulled the contract language from Vendor A, and had to finally give in and 
lower the maintenance cost.

I'm not going to name the vendors, but that totally pissed me off.  

Peter



BPXWDYN and AVGREC usage

2017-04-28 Thread Peter Vander Woude
I've run into an issue that I can't figure out.  When using BPXWDYN and trying 
to use AVGREC parm, the dynamic allocation request is using a HUGE (like 
65536000 KB) space allocation request, even though the request is for LRECL(32) 
and AVGREC(K) with SPACE(8000,500).  The REQUEST does have BLKSIZE(0) 
specified, but even if I code a BLKSIZE appropriate for this dataset, I still 
get the wacky allocation.

The actual command is:

ALLOC DSN('xx.xx.xx(+1)') FI(DD1)  NEW CATALOG RELEASE LRECL(32) MOUNT 
BLKSIZE(0)  AVGREC(K) GDGNT SPACE(8000,500) RECFM(F,B) DSORG(PS)

Why is it not using the right space allocation request?  BTW, this is on z/OS 
2.1.

Thanks,
Peter



Re: BPXWDYN and AVGREC usage

2017-04-28 Thread Peter Vander Woude
Lizette,

The error message we see is

IGD17272I VOLUME SELECTION HAS FAILED FOR INSUFFICIENT SPACE
DATA SET xx.xx.xx.G0014V00
JOBNAME (CTEC004A) STEPNAME (STEP0100)
PROGNAME (IKJEFT01) DDNAME (DD1 )
REQUESTED SPACE QUANTITY = 65536000 KB
STORCLAS (SCTST) MGMTCLAS (MCEX180) DATACLAS (DCEXST)
STORGRPS (SGTST  )

Someone else, privately, asked if we had tried using BLOCK(32).  I had not 
tried that, as I thought that related to the # of blocks to be allocated.

I did try it just now, and that took care of the issue.  I don't know what 
dynamic allocation was defaulting to for that parameter, but it's a strange 
value.

Thanks,
Peter



Re: SMP/e maintenance methodologies

2020-06-23 Thread Peter Vander Woude
Jerry,

I take the SMPHRPT, write it to a dataset, then use TXT2PDF to create a pdf.  
Download it, and when reviewing it, I put post its in the doc and comments 
about what the action is, or just a reminder to look at the action doc.

Peter



Re: IPSEC Configuration and Performance

2020-07-03 Thread Peter Vander Woude
We did set up an ipsec tunnel between our z/os system down to a group of 
devices.  Our environment may be different in that the tunnel goes to our 
firewall, which the devices are in a secure vlan behind the firewall.

A couple of notes:
1) the ipsec tunnel definition is between your base (i.e. primary) ip address 
and the remote end
2) your cics traffic will need to be coming from a different ip address (i.e. 
also referenced as "interesting traffic").  Use SRCIP to set the ip address of 
the cics region (if cics is the session initiator).  If the cics is the target, 
just make sure the listener is this secondary ip address

Peter



Re: Using NTP

2020-07-17 Thread Peter Vander Woude
Gadi,

In order for your z/OS lpars to stay in line with the NTP servers time, you 
will need to change your CLOCKxx member to look like this:

OPERATOR NOPROMPT
STPZONE YES
STPMODE YES
TIMEDELTA 10

An IPL will be required to put this into effect. 

Peter



Re: setting up CSSMTP to use TLS-SSL

2020-09-01 Thread Peter Vander Woude
Brian,

I do use AT-TLS with CSSMTP to our internal e-mail relay.  For the keyring, you 
need to add the CA's that have signed the ssl cert for the server.

If the e-mail server is using a self-signed certificate, you need them to send 
a copy of it (only the public portion) and it has to be added as a certificate 
authority.

Peter



Re: TSO timeout S622

2020-12-29 Thread Peter Vander Woude
Dean,

It's not the SMF JWT that's kicking the users off.  That would be a S522 abend.

Peter



Re: DAF (CBT 094) - Unknown Datatype x01BB

2018-06-11 Thread Peter Vander Woude
>>Has anyone seen on z/OS2.2 I see DAF is reporting "Unknown Datatype x01BB" 
>>and while downloading and assemble/linkedit latest CBT 094 gives me 0255 
>>for various undefined symbol though I have checked the maclib .

I see that on z/os 2.1 also.  The issue is related to the RACF type 80 with the 
Relocate 2 section where the SMF8XTP2 value has a value of 443 (x1BB).  This 
extended relocate value is a 1 byte field that is documented  as being 
Authentication information.

What I've done is add to the DAFRR2 CSECT code after the branch to T080D408, 
that does

CLC   SMF8TPX2,=AL2(443)
BE  T080D443

Then further down, find the T080D408 label.  Do a repeat of its comments thru 
the B RR2INCR.  Change the label to T080D443.

After you make this, you won't see the Unknown Datatype x01BB

Peter



Re: CBTTAPE - DAF and z/OS V2.1 and above

2018-07-23 Thread Peter Vander Woude
The file out on his webpage shows that DAF hasn't been updated since 2010.  I 
know that recently, I was seeing invalid smf 80 records, but it turns out they 
are newer subtypes (x'1BB').  I just repeated a couple lines of code, that 
basically says it's ok, but doesn't process the data.

I see in the code, that currently DAF supports the NFS smf42 subtype 7 only.  
No code is in it for subtype 8.

Peter



Re: FYI: IEEE Survey Ranks Programming Languages

2018-08-15 Thread Peter Vander Woude
Keep in mind that the article says that as it is IEEE doing the survey, and 
IEEE's primary membership is Electrical Engineers, the survey is primarily the 
languages that EE's would be using.

Peter



Re: Anyone using Rocket Software Performance Essential

2015-12-17 Thread Peter Vander Woude
Previously, I have used Performance Essential and when it was implemented it 
saved huge amounts of time, as it changed what the default vsam buffering mode 
of NSR and activated LSR.  In a prior job, we saved around 10 million i/o's per 
week for just one application.

The products like Performance Essential all will provide a great performance 
boost, if you currently do not have any form of vsam/qsam buffering tool (i.e. 
you may be coding BUFND and/or BUFNI).

IAM works differently than the tools such as BMC's Batch Optimizer, Performance 
Essential, etc.  IAM does not do buffering changes of the vsam datasets, like 
Batch Opt/Performance Essential.  Instead it becomes kind of the "media 
manager" (if I may use that term loosely).  A file gets defined and marked (via 
OWNER in define or via SMS construct) as an IAM dataset, and then IAM allocates 
the physical space as a DSORG PS dataset.  When the system goes to open it, IAM 
does all the file I/O and loads the entire index into memory.  With how IAM 
does things, it can also provide performance improvements above and beyond what 
Batch Optimizer/Performance Essential/etc. provide.

Peter



Re: HMC & EoR SWITCH

2012-06-25 Thread Peter Vander Woude
When was the modem connectivity abandoned?

>>2. Call home. Modem connectivity is abandoned, so VPN is (will be - 
>>depends on your HW level) the only option. That requires connectivity to 
>> corpo lan.



ADRDSSU performance degradation

2013-05-14 Thread Peter Vander Woude
We are running z/OS 1.11 and in prep for our upgrade to 1.13, we IPL'd last 
week Sunday to implement the ptf's for toleration/compatibility with 1.13.  In 
reviewing our performance last week, we are seeing large cpu time increases in 
programs such as ADRDSSU, where the week before the IPL, ADRDSSU used approx. 3 
hours of cpu time per day.  A couple days after the IPL, that jumped up to 7 
hours of cpu time per day, with no real change in the # of executions.

An example of the increase is a jobstep that before the IPL used approx. 12 
minutes tcb time, and 7.5 minutes srb time and approx. 15 million IOPS.  After 
the IPL we are now seeing the same step do the same 15 million IOPS, but TCB 
time has jumped to 26 minutes and SRB time has jumped to 23.5 minutes.

I know that 1.11 is out of support, so I can't ask them, but does anybody have 
an idea on this?  I did do a number of searches on ibmlink, but to no avail.

Thanks,
Peter



Re: ADRDSSU performance degradation

2013-05-15 Thread Peter Vander Woude
1) Full volume backups every 4 hours
2) no control cards were changed
3) no, maintenance was not applied to running libraries (never do that)
4) yes an IPL was done WITH CLPA (it's always done at IPL).
5) Yes maintenance was installed that affects ADRDSSU

One other item, during analysis that has been found.  The jump in cpu usage did 
not occur right away, but occurred about 24 hours after the IPL.  It seems to 
coincide with a config change to a ISV product, that occurred around the 
timeframe of the cpu usage increase. We are working with that vendor to see if 
there's anything about that product that may be affecting the system.

Peter



Re: ADRDSSU performance degradation

2013-05-15 Thread Peter Vander Woude
Here's some more info.  I've got a volume, that is online to our production 
lpar and one of our test lpars.  If I run a full volume dump on my test lpar, 
it uses 6.88 seconds of cpu time.  If I run the job on my production lpar, it 
uses 20.86 cpu seconds.

Using Mainview and doing a trace of where it's spending its time, the test 
lpar trace shows that it is approx 62% of the samples were in IECVPST, followed 
by 11.7% in IAXPQ, then 10.4% in ADRDTDS, etc.

On my production lpar, the order is completely different, with 39% being in 
IAXPN, then 34% in IAXPQ then 11% in ADRDTDS and only 8% in IECVPST.

Why is it spending so much time in the IAXPN/IAXPQ modules?

Peter



Re: ADRDSSU performance degradation

2013-05-15 Thread Peter Vander Woude
Ok, Finally figured out the problem.  I had inadvertently left component trace 
for SYSRSM on, after working on debugging a SA78-18 abend.  

Turned it off, and we're back to normal!  
Yeah!!!



Re: GRS RESMIL setting on CPU consumption

2014-04-24 Thread Peter Vander Woude
Yes RESMIL(5) will reduce cpu consumption, it will also potentially cause 
performance delays to your jobs, as each system will hold the enq request for a 
minimum of 5 ms.  If you have any applications that generate a lot of enqueues, 
that need to be sent through the ring, they will run longer.



Re: GRS RESMIL setting on CPU consumption

2014-04-25 Thread Peter Vander Woude
Anthony,

If you have DB2 in that plex, I would think twice (or thrice) about increasing 
the resmil value, as DB2 does heavy enqueue activity.  I remember one 
presentation (I think it was at share or maybe another conference), where 
someone from IBM GRS presented the following item:

Company A implemented GRS Star and opened a ticket with ibm as a db2 
application, that normally ran 9 hours, ran in just a few minutes, so they were 
sure something had gone wrong.  Working with ibm, they went through testing, 
first back on GRS RING and the default of RESMIL=10.  Result: the application 
ran 9 hours

IBM had them change to RESMIL(1) (or maybe 0) and the elapsed time dropped to 
90 minutes

Change to GRS Star, and the application ran in 9 minutes.

Just an example of the impact of the RESMIL setting (and even of what GRS Star 
can give (yes it does require the Coupling Facility)).

Peter



Re: zIIP simulation

2013-11-01 Thread Peter Vander Woude
I know of at least one of our vendors whose product does not generate the srb's 
that would get dispatched on the zIIP, if it's not there.  However, they will, 
if you ask, take some of the smf data for the sorts and run their analysis of 
those records, and come back with projections based on your sort workload.  At 
least for us, it was very useful.  Unfortunately, we can't get the zIIP on our 
z9 anymore :(

Peter



Re: z/OS and Metasploit

2013-12-11 Thread Peter Vander Woude
I'm not sure where everyone saw the ADCDMST userid being used.  When I viewed 
the video, I saw the userid used, for the ftp, to be bt0, and that is set at 
around the 30 second mark into the video.

I agree with many, who have participated in this discussion, that RACF can be 
configured to reduce exposure to breaches.  However, not all shops have their 
systems tied down as tight as z/OS can be.  To me this demonstrates the fact 
that they got logged into ftp server, submitted a job, that started a service, 
listening on a specific port, and then they utilized this port in order to 
examine parts of the system.  

It is a very basic demonstration, and of course one that does not show any 
specific exploit, that is true.  But that could just be the start.  How many of 
us, have in the past, had some sort of svc, that when called, would place the 
calling program into supervisor state?  How many have properly secured access 
to critical system datasets?

I recently read a presentation, where the presenter was a z/OS security system 
auditor, who would go into a shop, and then from a user with no special access, 
was able to in as little as 10 minutes, change the access that userid had on 
the system to a level where he could do just about anything.

For us to look at this simple demonstration, and claim "well that is a bogus 
video", just ask the companies who have been breached (remember the calls from 
IBM telling us to install certain fixes asap?).

We also tend to think about breaches being from external sites.  You can do 
everything you can to lock down that access, but what about your internal 
network?   That's probably not secured as tightly as any externally facing 
system/site.  As stats show that almost 80% of data breaches are from internal 
(anybody remember Snowden?) personnel, the security of our z/OS systems 
requires us to tighten down the hatches, so to speak.  Social engineering is 
one of the ways to find out and get into a system (ever had a user just come 
out and tell you their password when you were working on a problem they had 
reported?).

z/OS does have more controls that help to limit what someone can do, but that 
only works IF the controls are in place and IF we, as system programmers, have 
not installed something that is a backdoor (or found that someone had 
previously done that), that can be used for nefarious purposes.

Peter



Re: z/OS and Metasploit

2013-12-11 Thread Peter Vander Woude
>Wayne Bickerdike wrote

>To Peter Vander Woude

>Did you watch the video? If so you missed the display at 2:24 which clearly
>shows ADCDMST and SYS1 group access.

>In this case, I would wager with you that this is an ADCD system and the
>video maker set it all up.

>Yes I agree with your ramble but I'm glad you aren't an eye witness, you
>saw what you wanted to (not) see!


Wayne,

I did see that.  However, all that tells me is that the owner of files on that 
system are ADCDMST and owning group is SYS1.  That does not mean that the user 
logged in with that userid.  I agree with you that this may be an ADCD system, 
as I also see a directory called ADCD!

I stand by the rest of my statements though.  The presentation I referred to 
was one by Mark Wilson, of RSM Partners, given at SHARE, which was entitled 
"z/OS Ethical Hacking Vulnerability Scanning & Pen Testing".



Re: Crypto Facility performance.

2013-04-19 Thread Peter Vander Woude
One other item for consideration is that the performance, thus response, from 
the CEX will also depend on the encryption algorithm being used.  If you are 
using Triple DES, it will take much longer than if you use AES, even at the 
256bit level.

Peter



Re: AW: Re: Ported tools and z/OS 2.2

2015-09-21 Thread Peter Vander Woude
Kirk,

When you switched over to the Rocket versions, did you have any issues with any 
perl or php code?

Peter



Re: Setup Filezila for MF to PC transfers

2023-08-28 Thread Peter Vander Woude
Lizette,

When setting up the site in site manager, click on the Advanced tab and set 
server type to MVS,OS/390, z/OS.  Then specify the remote directory as your tso 
userid, in quotes.

Peter


On Sat, 26 Aug 2023 08:14:48 -0700, Lizette Koehler wrote:

>Dearest List
>
>I am hoping someone is using Filezila that can help me with a configuration
>issue.
>
>Everything is working well.  Only challenge I have is getting FZ to use my
>TSOID for mainframe datasets.
>
>Currently it keeps using uss file names in the remote directory
>
>I have tried
>
>'tsoid'
>'tsoid.'
>tsoid
>tsoid.
>
>And other variations in remote directory.  I am sure there is a trick I am
>missing.
>
>Each variation is met with  unable to parse directory name
>
>If someone has FZ working for Mainframe datasets and could share the secret,
>That would be amazing.
>
>I have been through the PDF, and Wiki and all seem to indicate that FZ
>should be able to do this
>
>I am not sure if I need to set up a network drive to my mf or other actions
>
>Thanks for any guidance
>
>Lizette



Re: Programs that work right the first time.

2021-08-25 Thread Peter Vander Woude
I think the only time I wrote something that ran correctly the first time, was 
back in college coding in assembler on a Univac EXEC O/S system, where I was 
writing a program for a class, and I did have the program working, but didn't 
like how I had written one section, and completely rewrote the section of code, 
at the terminal (we only could use the terminal for like 30 minutes at a time), 
just working the logic in my head.  Submitted job to assemble and run and no 
assembly errors and the section I rewrote ran perfectly.

Nowadays, I do most of my development in rexx and some of them have some tricky 
logic in them.  Yes there are some that are small, but a number of them are 
close to 2,000 lines of code (with comments) and of course those longer ones do 
not usually run right the first time.

Peter



Re: System Programmer Titles

2021-10-12 Thread Peter Vander Woude
I've had several different titles during my tenure at my current company.  
Currently it's Systems Administrator.

Peter



Re: Words fail me!

2021-11-15 Thread Peter Vander Woude
Prior to IBM introducing OMVS to z/OS, the term USS was used by VTAM as the 
acronym for Unformatted System Services.  Once OMVS was introduced, I do seem 
to remember a bit of discussion on the use of USS, as VTAM folks used it, and 
it was starting to be used by the folks pushing for more use of the Unix side 
of the house.

I'm not as involved in discussions here, as I used to be, so I do not know 
where things stand from the VTAM and OMVS groups.

Peter

On Sat, 13 Nov 2021 22:29:14 -0800, Matt Hogstrom  wrote:

>Unformatted System Services was used in VTAM to specify the screen and 
>responses to users to logon to formal  VTAM sessions like TSO and CICS.  
>
>USS was Unix System Services IIRC
>
>Matt Hogstrom
>PGP key 0F143BC1
>
>> On Nov 13, 2021, at 21:02, greg.pr...@optusnet.com.au wrote:
>> 
>> Way back when (long before UNIX was added to MVS) the network sysprog told 
>> me that USS stood for Unformatted Screen Services.
>> 
>> Years after that but years (decades?) ago, I noticed that some VTAM books 
>> were talking about UNIX System Services in a context completely unrelated to 
>> UNIX.
>> 
>> I sent feedback that this was not the correct expansion of USS in this 
>> context. I expect others also did. References to UNIX were soon removed.
>> 
>> But I wonder if that is why VTAM books talk about Unformatted System 
>> Services now - because they changed UNIX to Unformatted, but not System to 
>> Screen.
>> 
>> Cheers,
>> Greg
>> 


Re: Long time between IPLs a security risk? was Re: What is OVMSKERN?

2021-12-22 Thread Peter Vander Woude
Bill,

While red alerts can be good, they do not provide information on 
Security/Integrity apars that have been generated.  To get those, you have to be 
subscribed to the IBM Z Security Portal portion of Resource Link.

Peter

On Wed, 22 Dec 2021 03:59:25 +, Bill Johnson  wrote:

>You’re thinking about $MSFT which pushes out security patches sometimes weekly 
>and certainly monthly. And is hacked easily and almost every day. Many of them 
>ransom attacks. Security patches on zOS are infrequent. If serious, I get red 
>alerts on them. (Red alerts are for more than just security) Then there is the 
>monthly RSU maintenance that can be perused for security issues and determined 
>as relevant or not for each shop.
>
>
>On Tuesday, December 21, 2021, 6:09 PM, Clark Morris 
><03b2c618bdfc-dmarc-requ...@listserv.ua.edu> wrote:
>
>>On Monday 29/11/2021 at 12:41 pm, Charles Mills wrote: Problem is long gone, 
>>but FWIW this was 9 months after the last IPL.
>
>Given the need to apply security fixes that probably apply to
>SYS1.NUCLEUS or LPA modules, how is it possible to go 9 months without
>an IPL and maintain security?
>
>Clark Morris
>
>>Charles
>


Re: SMF data - Writing

2022-03-16 Thread Peter Vander Woude
Peter,

Has anyone started working with Zowe on your system?  If so, you'll see a jump 
in the smf records for tcpip.  Just a thought.

Peter

On Tue, 15 Mar 2022 20:16:52 +0400, Peter  wrote:

>Hello
>
>In last few days our SMF man dataset is getting filled quickly and usually
>our SMF man datasets (all three fills up) gets filled in 2-3 days.
>
>Is there a way to track who is writing the data frequently ?
>
>Peter
>


FTPS/HTTPS to testcase sites via proxy (cross posted from IBMTCP-L)

2023-04-28 Thread Peter Vander Woude
Has anyone been able to set up their jobs, that send diagnostic data to IBM, via 
ftps or https using a proxy?

Now for us, the https is not as straightforward as a normal proxy.  Ours 
requires us to pass and indicate it's to use ntlm authentication (that's what 
we have to specify in the smp/e receive order job).  In the receive order, we 
have to specify that information, in the java options.

Regards,
Peter



Re: z/OS Comm Server - LACP?

2023-06-05 Thread Peter Vander Woude
Mike,

While z/OS doesn't support LACP, if your networking folks support OSPF areas, 
you can sort of set up an environment where the OSPF is balancing the inbound 
traffic between the various OSA connections and your main IP addresses are 
VIPA's.  

Long Long ago, when I was running ADSM on z/OS, I had to do that and it worked 
fairly well on the inbound balancing.  The outbound traffic was set to use 
perconnection (as was the OSPF area for inbound).  Yes it would have been 
simpler with LACP, as at the time, the networking group didn't use OSPF.

Peter

On Mon, 5 Jun 2023 05:06:01 -0500, Michael Babcock  
wrote:

>Thanks Timothy!  I suspected so, but wanted verification.   I don't know
>why z/OS Comm Server can't support LACP but the OSA cards can (and
>z/VM).  I'm not a networking guy though.
>
>On 6/4/2023 11:33 PM, Timothy Sipples wrote:
>> Michael Babcock asked:
>>> Does z/OS Communication Server support LACP?
>> No, I don't think so.
>>
>> Anticipating the next question, you can often configure network switches to 
>> handle LACP on z/OS's behalf. This IBM technical article illustrates one 
>> such scenario:
>>
>> https://www.ibm.com/support/pages/increasing-available-network-bandwidth-leveraging-link-aggregation-and-multipath-routing
>>
>> This article specifically concerns the IBM Db2 Analytics Accelerator when 
>> it's running on a separate physical machine. However, the same basic 
>> approach should work for other applications.
>>
>> When z/OS runs as a z/VM guest it should benefit from z/VM's support for 
>> link aggregation, so that's another possible option.
>>
>> —
>> Timothy Sipples
>> Senior Architect
>> Digital Assets, Industry Solutions, and Cybersecurity
>> IBM zSystems/LinuxONE, Asia-Pacific
>> sipp...@sg.ibm.com
>>
>>


Re: The new requirement for Certificates to communicate with IBM -- A Journey

2023-06-12 Thread Peter Vander Woude
What I have done, to get these certificates, is to look at the keystore on the 
pc, and save a copy of the certauth record from there, in base64 .cer format.  
Then edit it, copy and paste into a dataset on the mainframe.

Peter

On Mon, 12 Jun 2023 08:13:54 -0500, Paul Gilmartin  wrote:

>On Mon, 12 Jun 2023 02:49:14 +, Timothy Sipples wrote:
>>...
>>When you get "bootstrapped" you'll probably want to install curl for z/OS (or 
>>something functionally similar) to make this process easier.
>>
>"Bootstrap" is a critical term here.  It reflects the antinomy in how can I
>elevate myself from a base state where "I trust no one," to the
>target state where "I trust you."
>
>But, yes, other systems I use come with certificates installed.  I must
>assume I can trust the vendor and auditing of the delivery path.
>
>IBM should incorporate curl in the base system as other suppliers do.
>It's too valuable to omit.
>
>
>
>-- 
>gil
>


Re: The new requirement for Certificates to communicate with IBM -- A Journey

2023-06-13 Thread Peter Vander Woude
I open the file created by the export, using notepad.  Select all the text in 
the file, copy and then in an edit of a dataset with the following 
characteristics:

recfm=vb
lrecl=84

I paste the text from the pc file.  Then use that as the source for the 
RACDCERT import of the CA Cert, making sure to mark the certificate as trusted.

Peter

On Mon, 12 Jun 2023 08:36:34 -0500, Paul Gilmartin  wrote:

>On Mon, 12 Jun 2023 08:22:03 -0500, Peter Vander Woude wrote:
>
>>What I have done, to get these certificates, is to look at the keystore on 
>>the pc, and save a copy of the certauth record from there, in base64 .cer 
>>format.  Then edit it, copy and paste into a dataset on the mainframe.
>> 
>Is it ASCII, EBCDIC, or neutral?  What must you edit?
>
>
>>><https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf>
>>>
>Of course you can trust the PC.  It's where you keep your credit cards.
>
>-- 
>gil
>


Re: Contents of TOD Programmable Field under z/OS?

2021-03-20 Thread Peter Vander Woude
Peter,

I don't know if this could be the base of what you need, however I'd like to 
point you to a github page for something that Walmart did for generating unique 
zUID, guaranteed to be unique until the year 34,000 (built with patent pending 
algorithm).  It was built as a cloud solution, however it says in the initial 
page that it can be called from a cics program.

Here's the link: https://github.com/walmartlabs/zUID

Peter



Re: Upgrade from z/os 2.3 to 2.4 decrease PVT storage

2021-03-24 Thread Peter Vander Woude
Carmen,

Do you have any usermods that move any of the LE runtime programs from SCEERUN 
to SCEELPA?  I tried this once, and with 30 programs moved over, I lost 1M in 
private region size.  I do load them into lpa, but I do it via a SET PROG of a 
member that does LPA ADD.

Peter



Re: IBM Encryption Facility for OpenPGP

2021-04-20 Thread Peter Vander Woude
Paul,

In the normal pgp encryption processing, you encrypt the file using the public 
key of the target system/vendor.  There should be no need to use the 
passphrase, when encrypting a file to send to someone...  

The passphrase used on the other side would be so that they can get access to 
the private part of the pgp key, which is the only thing that can decrypt the 
file.

Peter

On Mon, 19 Apr 2021 10:52:17 +, Beesley, Paul  wrote:

>Hi
>
>Does anyone use IBM Encryption Facility for OpenPGP (FMID HCF7740), 
>specifically to encrypt files on z/OS and decrypt them on Windows or Linux?
>
>I can successfully encrypt a file using a PassPhrase (not keys) and can 
>decrypt it on another mainframe system.
>However, if I send the encrypted file to another platform I cannot decrypt it. 
>It detects that I've used a passphrase, and AES_256, but will not accept the 
>PassPhrase.
>
>This is what I get on Windows:
>C:\Users\xxx\Downloads>gpg -o D2021109.TEST3.TXT --decrypt 
>D2021109.TEST3.ENC
>gpg: AES256.CFB encrypted session key
>gpg: encrypted with 1 passphrase
>gpg: decryption failed: Bad session key
>
>On Linux it's similar but the message is
>gpg: decryption failed: no secret key
>
>Any help welcome. I do have a PMR open with IBM, but every little helps...
>
>Paul
>


Re: Now it's easier to find stuff on the CBT Tape

2021-05-03 Thread Peter Vander Woude
locsite fwfriendly sets it so that the client is the source for all connections 
going to the remote ftp server (in ftp terms it's a PASV mode connection).

When the ftp server is running, the config on the server can specify a range of 
ports that it can tell the client to connect to it for the data connection, 
where the actual transfer occurs.  As it's a defined range, the firewall can be 
configured that way also.

When not in PASV mode, but PORT mode (default) - it's the ftp client that tells 
the ftp server to open the data connection, and what ip address and port the 
server is to connect to on the client side.  This mode is more difficult (and 
generally not liked), as there is no way to limit what ports the client will 
tell the server to connect to, and the firewall folks have to open outgoing 
sessions on all high ports (> 1024).

Peter

On Sun, 2 May 2021 12:38:29 -0500, Steve Horein  wrote:

>If I'm not mistaken, "locsite fwfriendly" accommodates data connections
>other than port 20.
>
>On Sun, May 2, 2021 at 1:22 AM Brian Westerman <
>brian_wester...@syzygyinc.com> wrote:
>
>> Thanks to some timely help from Peter Vels who suggested tracing the FTP
>> routine, I was able to find the problem. At my site the "locsite
>> fwfriendly" is required.  I still don't know why that is, but it has been
>> that way at several of the site I manage as well, (but not all).  Changing
>> that to be there (it was commented out in the CBT exec), made it work.
>>
>> Thanks again to Peter for pointing the way.
>>
>> Brian
>>
>> On Sun, 2 May 2021 00:03:15 -0500, Brian Westerman <
>> brian_wester...@syzygyinc.com> wrote:
>>
>> >Please ignore this problem.  When I went back and read the instructions I
>> >saw that I'm supposed to UNZIP FILE001 before I upload it in binary format
>> >to the sequential dataset.  Once I did that it loaded okay.
>> >
>> >Just goes to show you, read the instructions closely before you complain. :)
>> >
>> >Now I have to work on getting the FTP part to work because it's not as
>> >much use without that, (except I do like that you can see the comments when
>> >you select the entry).
>> >
>> >Does anyone know how to turn DEBUG on to see what's going wrong with FTP?
>> >
>> >Brian
>> >
>> >
>> >On Sat, 1 May 2021 23:52:08 -0500, Brian Westerman <
>> brian_wester...@syzygyinc.com> wrote:
>> >
>> >>I can't get CBTVIEW to work,  I get to the part where it tries to
>> >>download the File001 and it fails, so I downloaded it to my workstation and
>> >>uploaded it to the mainframe as a FB 80 9440 file and now I get a message
>> >>that says build completed (then it pauses for about 60 seconds) and then I
>> >>get:
>> >>
>> >>IEC141I 013-18,IGG0191B,BRIANW,$SYSTEMS,CBT78000,1466,PROD04,
>> >>BRIANW.FILEIDX.PDS(CBTINDEX)
>> >>IRX0250E System abend code 013, reason code 0024.
>> >>IRX0255E Abend in host command execio or address environment routine TSO.
>> >>IEA995I SYMPTOM DUMP OUTPUT
>> >>SYSTEM COMPLETION CODE=013  REASON CODE=0018
>> >> TIME=21.40.14  SEQ=37529  CPU=  ASID=00E0
>> >> PSW AT TIME OF ERROR  075C1000   80E74598  ILC 2  INTC 0D
>> >>   NO ACTIVE MODULE FOUND
>> >>   NAME=UNKNOWN
>> >>   DATA AT PSW  00E74592 - 4100302C  0A0D010D  A7E5014B
>> >>   AR/GR 0: 00AFBF84/_00E748A0   1: /00AA2D94_A4013000
>> >> 2: /_00072250   3: /_00E74874
>> >> 4: /_00AAA410   5: /_00AAA7A4
>> >> 6: /_00AAA74C   7: /_00AAA7A4
>> >> 8: /_00AAA76C   9: /_00072280
>> >> A: /_00F9D658   B: /_7F515CE8
>> >> C: /_0008   D: /_00AAA7A4
>> >> E: /_80E73DF6   F: /_0018
>> >> END OF SYMPTOM DUMP
>> >>IRX0670E EXECIO error while trying to GET or PUT a record.
>> >>***
>> >>
>> >>I agree with the s013-18 because the CBTINDEX member is not there to
>> >>open, but so much of this is hidden behind the CBT rexx exec that I can't
>> >>tell where it's failing.
>> >>
>> >>I think that FILE001 being in ZIP format might be hurting this, but I
>> >>think the CBT exec is supposed to unzip it first, but maybe I'm wrong.  Has
>> >>anyone got this to work or should I just start debugging now?
>> >>
>>
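
The difference between PORT and PASV mode described in the reply above, as an added example (not code from the thread or from any FTP product): it decodes the PORT command and the 227 reply to show which side opens the data connection, then checks that connection against a firewall rule limited to a passive port range. The addresses, the 50000-50100 range and all function names are assumptions made for the illustration.

```python
"""FTP data-connection direction in PORT vs PASV mode, checked against a firewall rule."""
import re
from dataclasses import dataclass

# Constructed control-channel exchanges (RFC 959 syntax). The addresses are
# documentation-range placeholders, not values from the thread.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.20"
PORT_SESSION = ["C: PORT 192,0,2,10,212,45", "S: 200 PORT command successful"]
PASV_SESSION = ["C: PASV", "S: 227 Entering Passive Mode (198,51,100,20,195,149)"]

# Assumed passive data-port range, configured on the FTP server and mirrored
# in the firewall rule.
PASSIVE_PORTS = range(50000, 50101)

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataConnection:
    mode: str       # "PORT" (active) or "PASV" (passive)
    opener: str     # side that initiates the TCP data connection
    dst_ip: str     # address the opener connects to
    dst_port: int   # port the opener connects to


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 field: port = p1 * 256 + p2."""
    match = _HOSTPORT.search(text)
    if match is None:
        raise ValueError(f"no host/port field in {text!r}")
    fields = [int(f) for f in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {text!r}")
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def data_connection(session):
    """Return who opens the data connection, and to where, for one exchange."""
    for line in session:
        if line.startswith("C: PORT "):
            # Client names its own address and port; the server connects to it.
            ip, port = parse_hostport(line)
            return DataConnection("PORT", "server", ip, port)
        if line.startswith("S: 227 "):
            # Server names a listening port; the client connects to it.
            ip, port = parse_hostport(line)
            return DataConnection("PASV", "client", ip, port)
    raise ValueError("no PORT command or 227 reply found")


def firewall_allows(conn, server_ip=SERVER_IP, passive_ports=PASSIVE_PORTS):
    """Rule under test: only client-initiated data connections to the
    server's passive port range are permitted."""
    return (conn.opener == "client"
            and conn.dst_ip == server_ip
            and conn.dst_port in passive_ports)


def ports_rule_must_cover(mode, passive_ports=PASSIVE_PORTS):
    """How many destination ports a firewall rule has to permit per mode."""
    if mode == "PASV":
        return len(passive_ports)
    return len(range(1025, 65536))   # PORT mode: any high port the client picks


if __name__ == "__main__":
    for session in (PORT_SESSION, PASV_SESSION):
        conn = data_connection(session)
        verdict = "allowed" if firewall_allows(conn) else "blocked"
        print(conn, verdict, ports_rule_must_cover(conn.mode))
```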

Re: Storage Zoning clarification

2021-05-11 Thread Peter Vander Woude
I can comment on this, as I do san admin (along with z/OS and a couple of other 
things).

From the z/OS perspective, it only deals with 3390 dasd architecture, and 
3490/3590 tapes, and is connected via FICON, which may or may not go thru a 
FICON director.  On the ficon director there is a configuration that tells the 
director, that traffic coming in/out of port x needs to go in/out of port y to 
get to the device on the other end of the channel configuration.  The ficon 
director can also be used for FCTC connections between lpars.

If you are running a linux image on an IFL, that linux image could be using normal 
3390 DASD, in which case configuration is the same as with z/OS.  

If, however, you are configuring the linux on z vm's to use SAN storage, then 
there will be zone definitions that use the wwpn's for that vm's and define a 
mapping of which device(s), those wwpn's are allowed to communicate with.  That 
method is called "soft zoning", as if the cable for either the target device, 
or source hardware needs to be moved to another port, the systems will 
recognize that and just keep going (there are some O/S's that don't handle it 
that nicely, but I don't know if linux on z is one of them).  Soft zoning, to 
me, is the preferred way to go.

The other method of zoning that can be done is "hard zoning", where you define 
the zone members being the physical ports on the san switch/director.  If the 
cable for any of the devices in the zone gets moved, you have to update the 
zone and install the updated zoneset for those devices to be able to 
communicate to each other.

Not having any zoning at all in a san configuration is definitely not 
recommended, as that would mean that any system could possibly see storage 
and/or devices that they are not supposed to see.  On san attached storage 
arrays, you typically define a host and it's wwpn's, so that does help reduce 
the possibility of a server, that's not supposed to see that disk, accessing 
that disk storage.  Tape devices are wide open, as there generally if there is 
no zoneset defined, so that could cause problems, such as a system that isn't 
supposed to use tape, could possibly read data from the tape library, or write 
data to the tape library.

I hope that helps

Peter

On Mon, 10 May 2021 20:57:15 +0200, Radoslaw Skorupka  
wrote:

>I think, there is some misunderstanding here.
>First, basics:
>DAS - Direct Attached Storage - a disk connected directly, like your HDD
>in your PC. This model can be used in mainframe world - DASD array
>connected over FICON links to the host. No switches/directors between.
>SAN - In this case there is some switch/director between host and DASD
>array.
>
>Now, the switch - let's think about Ethernet switch. You plugged the
>following devices: PC #1, PC #2, printer, laptop. Usually any device can
>talk to any another device. Of course this is Ethernet level, maybe PC
>#2 won't accept any "Hello" from laptop.
>If fact SAN switch works very similar - any port can talk to any other
>port. No, not a port - device attached to the port. What device? follow
>the cable and you fill find something of the other end - it can be DASD
>array port or z15 CHPID or some tape controller, etc.
>
>Now we have zoning. By default "any can talk to any", so there is no
>zoning. And let's be honest: should you block communication between tape
>controller and DASD? Why? Or maybe CPC A should not see CPC B?
>However you may create zones. However my experience is zoning may
>provide you troubles only.
>Of course things may be more complex, but this is topic for SAN specialist.
>
>HTH
>
>--
>Radoslaw Skorupka
>(looking for new job)
>Lodz, Poland
>
>
>
>
>On 10.05.2021 at 17:09, Jake Anderson wrote:
>> Hi
>>
>> So from the mainframe perspective zoning is done even if the connectivity
>> passes through SAN ? Sorry if my understanding is incorrect ?
>>
>> Jake
>>
>> On Mon, 10 May, 2021, 2:32 pm Radoslaw Skorupka, 
>> wrote:
>>
>>> On 10.05.2021 at 06:36, Jake Anderson wrote:
>>>> Hello All,
>>>>
>>>> Good evening
>>>>
>>>> I am trying to understand on how the ZONING part works when the
>>>> connectivity to storage box or the tape device goes through a SAN switch.
>>>> How does the ZONING is done and is there any documentation with an example
>>>> to understand better. I am trying to google to see if I can find the one am
>>>> looking but I am not successful yet.
>>>>
>>>> Is there any pointer or example if someone can help me with ? It will be of
>>>> a big help to proceed further.
>>> Zoning is needed for distributed systems world and "discovery" of
>>> storage devices connected to the SAN. It is just to isolate/hide devices
>>> not intended to use with given server.
>>> In CKD world there is IODF/IOCDS configuration file which says what is
>>> accessible to given LPAR or OS Config.
>>> Of course your SAN can be used for various purposes like ISL, DASD array
>>> remote copy (usually FC, not FICON) and maybe some FCP devic
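
The three cases described in the reply above (no zoning, WWPN-based "soft" zoning and port-based "hard" zoning), as an added example that is not from the thread or from any switch vendor: it computes which devices an initiator can reach before and after its cable is moved to another switch port. The fabric layout, WWPNs, port numbers and function names are constructed, and the rule that a missing zoneset leaves every device visible follows the description in the thread.

```python
"""Device visibility on a Fibre Channel fabric under different zoning schemes."""

# Constructed WWPNs (placeholders, not real adapters).
LINUX = "10:00:00:00:00:00:00:01"   # Linux on Z guest (initiator)
OTHER = "10:00:00:00:00:00:00:02"   # unrelated server (initiator)
DISK = "20:00:00:00:00:00:00:03"    # storage array port (target)
TAPE = "20:00:00:00:00:00:00:04"    # tape library port (target)

# Constructed fabric: switch port number -> WWPN logged in on that port.
FABRIC = {4: LINUX, 5: OTHER, 10: DISK, 11: TAPE}

SOFT_ZONES = [{LINUX, DISK}]   # zone members are WWPNs
HARD_ZONES = [{4, 10}]         # zone members are physical switch ports


def visible(fabric, wwpn, scheme=None, zones=()):
    """Return the WWPNs that `wwpn` can communicate with.

    scheme is None (no zoneset), "wwpn" (soft zoning) or "port" (hard zoning).
    """
    port_of = {w: p for p, w in fabric.items()}
    if wwpn not in port_of:
        return set()                          # device is not logged in
    if scheme is None:
        # No zoning: every device can see every other device.
        return set(fabric.values()) - {wwpn}
    # Identity used for zone membership depends on the scheme.
    me = wwpn if scheme == "wwpn" else port_of[wwpn]
    peers = set()
    for zone in zones:
        if me in zone:
            peers |= set(zone) - {me}
    if scheme == "port":
        # Translate zoned ports back to whatever is plugged into them now.
        return {fabric[p] for p in peers if p in fabric}
    return {w for w in peers if w in port_of}


def recable(fabric, wwpn, new_port):
    """Return a copy of the fabric with the device moved to another port."""
    moved = {p: w for p, w in fabric.items() if w != wwpn}
    if new_port in moved:
        raise ValueError(f"port {new_port} is already in use")
    moved[new_port] = wwpn
    return moved


if __name__ == "__main__":
    print("no zoning, other server sees:", sorted(visible(FABRIC, OTHER)))
    moved = recable(FABRIC, LINUX, 6)
    print("soft zoning after recable:", sorted(visible(moved, LINUX, "wwpn", SOFT_ZONES)))
    print("hard zoning after recable:", sorted(visible(moved, LINUX, "port", HARD_ZONES)))
```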

Re: Storage Zoning clarification

2021-05-11 Thread Peter Vander Woude
FCP connected SCSI drives is done via san zoning.  Considering that IOSFBA is a 
function within z/OS.  I don't know how that connectivity works.

Peter

On Tue, 11 May 2021 15:47:31 +, Seymour J Metz  wrote:

>What about IOSFBA and FCP connected SCSI drives?
>
>
>--
>Shmuel (Seymour J.) Metz
>http://mason.gmu.edu/~smetz3
>



Re: Storage Zoning clarification

2021-05-12 Thread Peter Vander Woude
Yes it does.  From the HCD manual, there's a section that talks about them


Defining a special FBA device (FBA)

You can use a new type of disk devices, known as Fixed Block Architecture (FBA) 
or Fixed Block (FB) devices. Devices of this type may be considered as a data 
bridge between z/OS systems and Linux, UNIX®, and Windows® operating systems. 
Hardware support comes in the form of an optional licensed z/OS Distributed 
Data Backup (zDDB) multi-platform access feature on DS8700 and disk controllers 
of subsequent model types. External software support comes in the form of the 
IOSFBA service (and the macro with the same name), introduced by APAR OA41040.
Both HCD and HCM allow to define FBA control units and FBA devices. To do this, 
you need to:

- Define a new logical control unit of type 2107-FBA, attached to a z 
  processor by no more than eight FICON channel paths.
- Define from 1 to 256 I/O devices of type FBA in subchannel set 0.
- Connect FBA devices to an operating system (OS) configuration.

Before allocation, FBA devices must be varied online. You can consider 
connecting them to an OS configuration with the OFFLINE NO attribute or using 
the regular VARY ONLINE system command. Since the FBA device type belongs to 
the Unit Record (UR) class of devices, an FBA device may be owned by only one 
address space at any given time and on the same system. However, FBA devices 
may be shared by systems in the GRS complex because the IOSFBA service uses 
ENQs with the scope of SYSTEMS (global ENQs) to serialize allocation of FBA 
devices. Sharing z/OS FBA devices between systems in different GRS complexes 
may cause allocation issues. See z/OS MVS Programming: Authorized Assembler 
Services Guide for more information on z/OS FBA services.




On Tue, 11 May 2021 17:55:18 +, Seymour J Metz  wrote:

>Yes, but that does mean that z/OS has at least limited support for DASD that 
>don't look like ECKD.
>
>
>--
>Shmuel (Seymour J.) Metz
>http://mason.gmu.edu/~smetz3
>
>



Re: Programe CCNDRVR not compiling-Event-Action blocking

2021-06-28 Thread Peter Vander Woude
Vinoth,

Are you seeing any IDC3009I messages?  A s913 abend is usually a security 
related issue.  It looks like you have EventAction active on your system, and 
it is not allowing the CCNDRVR program to be run.  

I'm not conversant with how EventAction works, but maybe it has rules to limit 
on what system that program is allowed to be run on.  

Peter

On Sat, 26 Jun 2021 20:57:52 -0500, Vinoth  wrote:

>Hi,
>
>we are upgrading CFT product and we see a strange issue on C/C++ compiling on 
>one of the systems, even after adding the SYS1.* to event-action for 
>Authorization, it didn't go well.
>
>MZC4824I PROGRAM NAME=CCNDRVRCalled by IEFIICCkpt=2A 
>MZC4830I The execution is disallowed by eventACTION  
>IEF450I A00CUSI COMPILE EDCC - ABEND=S913 U REASON=D4E9  753 
>  
>Appreciate your help on this.
>
>Thanks..
>


Re: Data Set Commander Monitor (DSCMON) Access Authority

2024-06-25 Thread Peter Vander Woude
R.S.

One of the reasons to use ACCESS(READ) ID(*) and not UACC(READ) would be that 
the first forces the user accessing the programs to actually be a racf userid.  
I believe, that if you have a job, come across via NJE, it is possible that the 
submitting system did not provide a userid, and would then get assigned the JES 
UNDEFINEDUSER userid (which should not be an actual racf userid).  

That right there would deny the job from accessing datasets with UACC(NONE) 
and ACCESS(READ) ID(*), whereas UACC(READ) would allow that job (if it were 
allowed to execute of course), to access that dataset.

Peter

On Mon, 24 Jun 2024 12:48:42 +0200, Radoslaw Skorupka  
wrote:

>This is the way (one of few) to do this.
>In other words HOW to do this.
>However it doesn't answer WHY to do this.
>I still don't know any *reasonable* justification for UACC(NONE) for
>linklisted libraries.
>
>--
>Radoslaw Skorupka
>Lodz, Poland
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
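
A simplified model of the access decision discussed in this exchange, added here as an illustration and not RACF's own logic or code from the thread: it shows why work with no RACF-defined userid is granted UACC but never matches ID(*), and lists the profiles that would need converting. Group entries, the global access table, OPERATIONS and conditional access are left out; the profiles, userids and function names are constructed, and the generated PERMIT/ALTDSD lines assume discrete profiles.

```python
"""Simplified RACF data set authorization model: UACC versus ID(*)."""
from dataclasses import dataclass, field

# RACF access levels, lowest to highest.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    access_list: dict = field(default_factory=dict)  # userid or "*" -> level


# Constructed sample data: defined userids and three data set profiles.
DEFINED_USERS = {"USERA", "PAYADM"}
PROFILES = [
    Profile("SYS1.LINKLIB", uacc="READ"),
    Profile("VENDOR.DSC.LOADLIB", uacc="NONE", access_list={"*": "READ"}),
    Profile("PAYROLL.MASTER", uacc="NONE", access_list={"PAYADM": "UPDATE"}),
]


def effective_access(profile, userid, defined_users=DEFINED_USERS):
    """Access level granted to userid. None stands for work that arrived
    without a RACF-defined userid (the undefined-user case in the thread)."""
    if userid is None or userid not in defined_users:
        return profile.uacc                  # ID(*) never matches an undefined user
    if userid in profile.access_list:
        return profile.access_list[userid]   # explicit entry wins
    if "*" in profile.access_list:
        return profile.access_list["*"]      # any RACF-defined user
    return profile.uacc


def exposed_to_undefined_users(profiles):
    """Names of profiles whose UACC gives an undefined user more than NONE."""
    none = LEVELS.index("NONE")
    return [p.name for p in profiles if LEVELS.index(p.uacc) > none]


def remediation_commands(profile):
    """RACF commands that move the UACC grant to an ID(*) entry.

    PERMIT is issued first so defined users keep access when UACC drops.
    """
    if profile.uacc == "NONE":
        return []
    commands = []
    if "*" not in profile.access_list:       # keep an existing ID(*) entry as is
        commands.append(f"PERMIT '{profile.name}' ID(*) ACCESS({profile.uacc})")
    commands.append(f"ALTDSD '{profile.name}' UACC(NONE)")
    return commands


if __name__ == "__main__":
    for prof in PROFILES:
        print(prof.name,
              "undefined user:", effective_access(prof, None),
              "USERA:", effective_access(prof, "USERA"))
    for prof in PROFILES:
        for command in remediation_commands(prof):
            print(command)
```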


Re: Data Set Commander Monitor (DSCMON) Access Authority

2024-06-26 Thread Peter Vander Woude
Mike,

I have normally been on the RACF-L list, however, since changing jobs last 
year, I've had some problems with the e-mails from the list getting through to 
my new e-mail address.

I, personally, have not seen work running without a valid RACF userid 
associated with it, though I have been in smaller shops, most of my career, 
where it was nominally easier to know all the work running on the system.

Peter

On Tue, 25 Jun 2024 11:22:17 -0500, Mike Cairns  wrote:

>Hi Peter,
>
>Radoslaw and I probably spend more time over on the RACF_L list than here on 
>IBM-MAIN, but I still like to keep an eye open here.
>
>The use of ID(*) ACCESS(READ) is well known among the RACF community as the 
>'preferred' option to UACC nowadays, and the reason you cite is indeed 
>mentioned in the literature.  Though I'm not sure about the NJE port of entry 
>still being able to actually get a batch job running under the JES 
>UNDEFINEDUSER, I have a recollection that the RACF SETROPTS setting 
>BATCHALLRACF(YES) should prevent a batch job from initiating with the 
>UNDEFINEDUSER value, though I have a vague recollection that BATCHALLRACF 
>itself has been redundant also for many years now as well.
>
>I'm intrigued generally to ask of this community, just how often does anyone 
>observe work executing on their system *without* a valid RACF (or ACF2 or 
>TopSecret) identity associated with it?  
>
>I think there might still be one or two started tasks, probably running as 
>TRUSTED or PRIVILEGED, that are initiated in nucleus initialisation that may 
>still run with traditionally either the 8 plusses or the 8 question marks as 
>their ID, we can see them in SDSF, but realistically I don't believe that we 
>see work running under the UNDEFINEDUSER in modern systems for a long time 
>nowadays.  I'd be keen to hear otherwise if there is though.
>
>Cheers - Mike
>


Re: PPRC between different vendor disk systems

2024-07-26 Thread Peter Vander Woude
Alan,

Having worked with both Hitachi and IBM, for open systems storage replication, 
I can say that the method for handling replication on each vendor's storage is 
completely different and would not work at all with each other.  I can only 
guess, that it also works that way for mainframe disk.  That company never did 
replication of the mainframe storage (we just ran a ton of full volume backup 
jobs, at the time). 

Peter

On Fri, 26 Jul 2024 08:08:43 -0500, Alan Altmark  
wrote:

>On Fri, 26 Jul 2024 07:41:27 -0500, Alan Altmark  
>wrote:
>>Sorry I can't give you more definitive information.  I'll check with a 
>>storage architect and see if I can get a better answer.
>
>The answer came back faster than I expected.   No, you cannot connect 
>different vendors boxes together in pairs such as is done in hyperswap/GDPS 
>configurations.
>
>And I was also told that flashcopy is only between volumes in the same box.  I 
>actually knew that.  (sigh)
>
>Alan Altmark
>IBM
>


Re: New IBM Processor Innovations To Accelerate AI

2024-08-28 Thread Peter Vander Woude
Tim,

Thanks for the link.  While the initial discussion, from that link, seemed a 
little light on some of the details, I found a very good article, that seems to 
dive into the guts of the new TELUM II processor and Spyre card.

https://www.servethehome.com/ibm-telum-ii-processor-and-spyre-ai-updates-at-hot-chips-2024/

A few of the other articles I read, concentrate on the enhancements on the 
Telum II related to cache size, and specifically the AI accelerator 
performance, however the DPU has seemed to be glossed over.  I would put it out 
there, that those authors may not understand the Z platform and how it does 
things, internally (and yes, this has been discussed ad nauseam over the years 
- so no need to go into that arena again, please).

This article (above) seems to discuss it more, and it's very interesting.  If I 
am reading it correctly, is the DPU bringing, onto the Telum II processor chip, 
many of the functions, that we normally associate with the I/O subsystem?  It 
talks about a reduction in power usage by 70% in I/O handling, and direct 
access to the PCIe slots, so I am inferring, in my mind, that it is doing 
exactly that.  Very cool.

Also, nice to see that the core speed, of the full speed processor is going 
from 5.2 GHz on the Telum up to 5.5 GHz on the Telum II.

Overall, very cool improvements to the Z family processor.

Peter

On Tue, 27 Aug 2024 08:15:27 +, Timothy Sipples  wrote:

>IBM presented many details about the IBM Telum II Processor (with a 
>completely new Data Processing Unit) and IBM Spyre Accelerator yesterday at 
>the Hot Chips 2024 conference.
>
>https://newsroom.ibm.com/ai-on-z
>
>Timothy Sipples
>Senior Architect
>Digital Assets, Industry Solutions, and Cybersecurity
>IBM Z/LinuxONE, Asia-Pacific
>sipp...@sg.ibm.com
>
>