OT:I/O in Emulated Mainframes (Was Re: PSI story)
--- Jeff Gribbin, EDS [EMAIL PROTECTED] wrote: With a small amount of trepidation (but inviting stomping from anybody who feels that I'm off-base here) can I remind folk that, on IBM mainframe hardware, MIPS aren't the whole story. There's channels too - and in an I/O-related situation their power needs to be ADDED to the CPU power to come up with a realistic, comparative MIPS figure. It's a very long time since I saw anything that indicated how much MIPpage is offloaded into the channels by a typical, mainframe workload but please remember that, unless you understand how channels are implemented when comparing two different solutions, you can quickly mislead yourself regarding the genuine value of the, MIPS comparison. (I have a similar problem regarding, channel bandwidth - each individual channel on a mainframe might be, slow but potentially I can have several hundred running in parallel - in the right circumstances doesn't this give me greater capacity to work with than a single but much faster I/O portal? Do I want a firehose or do I want the Mississippi? As a man to whom I would happily defer when it comes to performance issues has occasionally been heard to comment, I think, It depends ...) Regards Jeff Gribbin (Speaking only for himself.) Jeff, Hercules runs channel emulation and CPU emulation in separate threads, so in a multi CPU box with say n CPUS, if you define m Mainframe CPU, n-m are generally (pedants note generally) free for channel emulation. However whilst I have never tried to do a real benchmark, I am firmly convinced that I/O is not an issue on a modern PC. To expand a little, I have tried a few simple things to drive the I/O system up and bottleneck the I/O in Hercules.. Sadly, every time, I have failed. I do keep trying, but I have never been able to justify adding RAID, SATA, or even SCSI (other than for tape) to the box I use for Hercules. When I look in PERFMON the i/o queue length and the i/o service times remain short. As I only emulate one CPU and have (kind of two) on the Hyperthreaded box, I see the second CPUs utilization remains low. I have therefore concluded that emulating S/370 channels does not tax the system. Again it might be different for the XA I/O system , but I don't think so. (In fact I think it may be simpler) Dave. Also speaking for himself. Do you Yahoo!? Everyone is raving about the all-new Yahoo! Mail beta. http://new.mail.yahoo.com
Jeff Beck is out of the office.
I will be out of the office starting 03/01/2007 and will not return until 03/05/2007. I will be out of the office Thursday 3/1 and will return Monday 3/5. I will respond to your note after 3/5. Thank you.
Re: PSI story
--- Paul Raulerson [EMAIL PROTECTED] wrote: I see two problems with this story - one is they quoted Phil Payne, whose has some kind of vendetta against IBM going. (I suspect he lost money in an emulator solution) and two, His input is pretty small and pretty accurate. Even for us Mainframe Software costs are hefty... I object more to the spin on that; Mr. Payne has a way of taking facts and presenting them in such as way as to lead people down the path he wants them to follow, even to the point where people will draw erroneous conclusions based on insufficient and/or incomplete facts. In specific, sure traditional mainframe software costs are high. zIIPs, zAAPs, and ILF's can be used to mitigate that cost, and the best part? IBM is producing those speciality engines in direct response to use complaints about cost. While I am not saying that a 10 person windows shop shoudl run out and but a mainframe as a file and print server, a 10 person shop with a high end software product just might find that a mainframe would host their product better than any other machine in the world. (Or not - it all depends doesn't it?) I simlpy don't know what Mr. Payne's agenda is, except I know he has an agenda, and that agenda is not compatible with getting lower cost high quality IBM products out on the market. Especially emulators. Itanium hardware is faster and more modern than a mainframe PC, but ... it is not running Itanium software, it is emulationg the zSeries arch. How does this make it slower? The zArch is implemented largely with microcode (well, millicode perhaps) which servers to somewhat isolate the hardware of the machine from the processor instruction set it presents to software and programmers. An IBM processor (PC) is tuned to run that instruction set and does so very well indeed. There is also a lot of hardware stuff in a CP that helps too. Hint: the iSeries and pSeries (or whatever they are called these days) run POWER processors, which descend from and borrow from mainframe technology. NOT the zArch instruction set, but some of the underlying CP technology. An Itanium chip is not tuned to run that processor instruction set; it is by definition a General Purpose Digitial Processor. To emulate a MVI or LHI instruction on an emulator can require an order of magnitude more processing than on a CP (or IFL). For one thing, it has to emulate the GPRs, and may have to emulate the Access Registers and more. Then it has to reliable produce the correct results from exectution of the instruction. And those are two of the most simple instructions in the processor to emulate. The emulation may also be required to do things like run a 31bit OS under a 64bit OS - such as running OS390 under zVM or something. That is even before you beging to consider the subject of I/O. On a mainframe, I/O is usually handled by a SAP (System Assist Processor) which is nothing more of less than an entire CP. Also, each channel controller is smart, about the equivalent of a fast PC. Mainframes will usually loose out on raw processing power to the new generation of microchips - but they can move some I/O brother. There are not other GPDC machines around that move I/O like a mainframe. In short, additional overhead and a speed reduction is unavoidable when using emulation. Now, the Itanium processor is fast enough that slowdown may not be that much of a big deal. Again, it depends entirely upon the application set and the way the system will be used. Heck, anyone with a P4 running at a couple gig can build an emulated mainframe system that will clock in with a sustained 40 to 60 MIPS. It isn't legal to run anything other than Linux and some very old copies of VM and MVS on it, but it will run just about anything. That's on a X86 chip base. (BTW: Mentioning that to Mr. Payne will usually produce a strong reaction.) Anyway, point it, the article did not present the complexity and true situation very well, at least in my opinion. Your milage may vary. :) I'm not sure the authors of this article really get those ideas. :) -Paul From: Phil Smith III [EMAIL PROTECTED] To: IBMVM@LISTSERV.UARK.EDU Date: Wed, 28 Feb 2007 13:17:00 + Subject: PSI story Interesting -- if not particularly accurate, at least in some areas I know about -- story about PSI and IBM: http://www.theregister.co.uk/2007/02/16/psi_ibm_hp/print.html ...phsiii
Re: Multiple Guests using the Same Crypto Domain
On Wed, 28 Feb 2007 20:06:52 -0500, Lloyd Fuller [EMAIL PROTECTED] wrote: On Wed, 28 Feb 2007 15:06:48 -0600, Don W. wrote: I am trying to define two z/OS guests that are using CRYPTO. The mainfr ame supposedly has two CRYPTO Coprocessors. The guests need to have the sam e DOMAIN. I thought I should be able to dedicate a CRYPTO Coprocessor to each guest and use the same domain. When I bring up the first guest, it seem s to reserve both CRYPTO processors. The first guest gets msg HCPAPJ1708I No Processor is available to service virtual crypto unit (0/1). The second guest gets a msg that the DOMAIN is in use and CRYPTO is not available. Should I be able to run two guests using crypto with the same domain? To answer this we will need to know what type of processor. The differe nt processors handle things different. In addition, if this is a z800/z900 or older, you can only bind them to CPU 0 and CPU1. Lloyd = We are currently using a z900 but will soon have a z9.
Installing DFSMS/VM RMSONLY
Hello all, I'm installing RMS and have come upon a problem. I'm guessing I fumble fingered and deleted this earlier, but I've come to the step COPYFILE RMSPROF EXEC T PROFILE = V (OLDDATE in the program directory (step 10) and RMSPROF EXEC is nowhere to be found. So I have a question: How do I pull just this file from the envelope? Thanks Chris
Re: Active Directory from CMS
On Wednesday, 02/28/2007 at 06:26 CST, Alan Ackerman [EMAIL PROTECTED] wrote: But mostly I am looking for anyone who has actually tried to use CMS with Active Directory, either for authorization or to extract data out of the LDAP directory. In addition to an LDAP server, z/VM V5.3 will have ldap (e.g. ldapsrch) commands. They have bind (authentication) capability, as well as SSL/TLS to protect the session. Alan Altmark z/VM Development IBM Endicott I am wondering if IBM can provide support to older version of z/VM 4.4, considering the fact that it is another protocol similar to the http. Pradip M Pandya National Institute of Standard Technology (301) 975-4915
Re: OT:I/O in Emulated Mainframes (Was Re: PSI story)
--- Paul Raulerson [EMAIL PROTECTED] wrote: Hey Dave - (Also speaking for myself) I agree with you in part. But add 100 users to a PC and watch what happens to the IO. Or add a heavily used database with a few hundred users. PC Servers just do not scale in terms of I/O the same way. iSCSI and other technologies are starting to change that, but... -Paul I would like to disagree. Our busiest servers, i/o wise is our mail server. It normally runs around 1000 concurrent connected users. It does slow on busy days, such as the first day after a holiday period, when users have a few hundred e-mails to process. I did investiagate and found the bottle neck is either the SAN switches or the SAN proper. That is the same SAN and Switchs that the mainframe uses. The reason they slow is beacuse of the way the I/O is designed in the SAN, that is down to a price not up to an commited I/O bandwidth and throughput. We recently upgraded the SAN and saw a significant improvement in both Mainframe and PC operation. A quick question. Do users with Sharks dedicate them to their Mainframes? or share with PCs? From: Dave Wade [EMAIL PROTECTED] To: IBMVM@LISTSERV.UARK.EDU Date: Thu, 1 Mar 2007 08:17:00 + Subject: OT:I/O in Emulated Mainframes (Was Re: PSI story) --- Jeff Gribbin, EDS [EMAIL PROTECTED] wrote: With a small amount of trepidation (but inviting stomping from anybody who feels that I'm off-base here) can I remind folk that, on IBM mainframe hardware, MIPS aren't the whole story. There's channels too - and in an I/O-related situation their power needs to be ADDED to the CPU power to come up with a realistic, comparative MIPS figure. It's a very long time since I saw anything that indicated how much MIPpage is offloaded into the channels by a typical, mainframe workload but please remember that, unless you understand how channels are implemented when comparing two different solutions, you can quickly mislead yourself regarding the genuine value of the, MIPS comparison. (I have a similar problem regarding, channel bandwidth - each individual channel on a mainframe might be, slow but potentially I can have several hundred running in parallel - in the right circumstances doesn't this give me greater capacity to work with than a single but much faster I/O portal? Do I want a firehose or do I want the Mississippi? As a man to whom I would happily defer when it comes to performance issues has occasionally been heard to comment, I think, It depends ...) Regards Jeff Gribbin (Speaking only for himself.) Jeff, Hercules runs channel emulation and CPU emulation in separate threads, so in a multi CPU box with say n CPUS, if you define m Mainframe CPU, n-m are generally (pedants note generally) free for channel emulation. However whilst I have never tried to do a real benchmark, I am firmly convinced that I/O is not an issue on a modern PC. To expand a little, I have tried a few simple things to drive the I/O system up and bottleneck the I/O in Hercules.. Sadly, every time, I have failed. I do keep trying, but I have never been able to justify adding RAID, SATA, or even SCSI (other than for tape) to the box I use for Hercules. When I look in PERFMON the i/o queue length and the i/o service times remain short. As I only emulate one CPU and have (kind of two) on the Hyperthreaded box, I see the second CPUs utilization remains low. I have therefore concluded that emulating S/370 channels does not tax the system. Again it might be different for the XA I/O system , but I don't think so. (In fact I think it may be simpler) Dave. Also speaking for himself. Do you Yahoo!? Everyone is raving about the all-new Yahoo! Mail beta. http://new.mail.yahoo.com Yahoo! Music Unlimited Access over 1 million songs. http://music.yahoo.com/unlimited
Re: Active Directory from CMS
Not likely since it's been out of support for 6 months. Pradip Pandya wrote: On Wednesday, 02/28/2007 at 06:26 CST, Alan Ackerman [EMAIL PROTECTED] wrote: But mostly I am looking for anyone who has actually tried to use CMS with Active Directory, either for authorization or to extract data out of the LDAP directory. In addition to an LDAP server, z/VM V5.3 will have ldap (e.g. ldapsrch) commands. They have bind (authentication) capability, as well as SSL/TLS to protect the session. Alan Altmark z/VM Development IBM Endicott I am wondering if IBM can provide support to older version of z/VM 4.4, considering the fact that it is another protocol similar to the http. Pradip M Pandya National Institute of Standard Technology (301) 975-4915 -- Rich Smrcina VM Assist, Inc. Phone: 414-491-6001 Ans Service: 360-715-2467 rich.smrcina at vmassist.com Catch the WAVV! http://www.wavv.org WAVV 2007 - Green Bay, WI - May 18-22, 2007
Re: Active Directory from CMS
I am wondering if IBM can provide support to older version of z/VM 4.4, considering the fact that it is another protocol similar to the http. Both LDAP server and client implementations for VM OpenEdition have existed for quite some time.
Re: Installing DFSMS/VM RMSONLY
On 3/1/07, Little, Chris [EMAIL PROTECTED] wrote: Hello all, I'm installing RMS and have come upon a problem. I'm guessing I fumble fingered and deleted this earlier, but I've come to the step COPYFILE RMSPROF EXEC T PROFILE = V (OLDDATE in the program directory (step 10) and RMSPROF EXEC is nowhere to be found. So I have a question: I thought this was RMSPROF SAMPEXEC -- Mark Pace Mainline Information Systems
Re: Installing DFSMS/VM RMSONLY
A friendly neighborhood VMer (thanks, Steve!) Sent it to me. I copy verbatim from the docs; however FILELIST RMSPROF * * shows nothing. From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Mark Pace Sent: Thursday, March 01, 2007 11:42 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Installing DFSMS/VM RMSONLY On 3/1/07, Little, Chris [EMAIL PROTECTED] wrote: Hello all, I'm installing RMS and have come upon a problem. I'm guessing I fumble fingered and deleted this earlier, but I've come to the step COPYFILE RMSPROF EXEC T PROFILE = V (OLDDATE in the program directory (step 10) and RMSPROF EXEC is nowhere to be found. So I have a question: I thought this was RMSPROF SAMPEXEC -- Mark Pace Mainline Information Systems
Re: Installing DFSMS/VM RMSONLY
see previous. I have it now. It was installed with RMSONLY as the component. I would still be curious to know how to pull a single file in the future if i need. -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Les Geer (607-429-3580) Sent: Thursday, March 01, 2007 11:49 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Installing DFSMS/VM RMSONLY Hello all, I'm installing RMS and have come upon a problem. I'm guessing I fumble fingered and deleted this earlier, but I've come to the step COPYFILE RMSPROF EXEC T PROFILE = V (OLDDATE in the program directory (step 10) and RMSPROF EXEC is nowhere to be found. So I have a question: I thought this was RMSPROF SAMPEXEC The part is RMSPROF EXEC and it should reside on the 1C2 and 1B1 minidisks. What was the component used during the install of DFSMS? Best Regards, Les Geer IBM z/VM and Linux Development
Re: Installing DFSMS/VM RMSONLY
It's not on my 1C2, but it is on 1B1. -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Les Geer (607-429-3580) Sent: Thursday, March 01, 2007 11:49 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Installing DFSMS/VM RMSONLY Hello all, I'm installing RMS and have come upon a problem. I'm guessing I fumble fingered and deleted this earlier, but I've come to the step COPYFILE RMSPROF EXEC T PROFILE = V (OLDDATE in the program directory (step 10) and RMSPROF EXEC is nowhere to be found. So I have a question: I thought this was RMSPROF SAMPEXEC The part is RMSPROF EXEC and it should reside on the 1C2 and 1B1 minidisks. What was the component used during the install of DFSMS? Best Regards, Les Geer IBM z/VM and Linux Development
Re: PSI story
With the loss of the Flex 64-bit capability for general use Sorry to nitpick, but I don't believe there has ever been a FLEX 64-bit capability for general use. I'd say that the unavailability of the 64 bit FLEX *is* the loss I'm talking about. On this list (and others), we've been discussing the problems between FSI and IBM on public release of the 64 bit FLEX for months. It will not see the light of day for general customers due to IBM and FSI being unable to come to an agreement. We've seen Cornerstone and T3 present different sides of the case, and you have also responded to the discussion. I call that inability to find common ground a loss. It's an obvious loss to FSI who did follow the rules and tried to work it out with IBM, for obvious reasons. It's a loss to IBM for people who a) don't have the space for a z9, b) don't have the environmentals for a z9, and c) can't afford a z9. IBM is losing, and will continue to lose unless there is a different approach from System z marketing, those small to medium Z customers -- not to the z9 BC, pSeries or iSeries, but to *other vendors* who can deliver a solution that doesn't require a lot of renovation. Ultimately, the loser is the poor schmuck at the customer who's stuck with having to cope with the switch when some finance bozo cuts off the funding for a working solution because it would require renovating the machine room. IBM certainly has the RD capability to out-innovate these upstarts -- the patent IP that seems to be the point of the PSI discussion makes it clear that there's plenty more brains at IBM than elsewhere. The question is how quickly it can be transformed into *something people want to buy*. Clearly there's a desire for a solution in this space that IBM is not providing. How long can IBM afford to bleed small customers that eventually might grow up to be bigger customers -- but have already switched to competing technology? That's really the open question. The current marketing strategy is killing your pipeline of new workload. (We won't raise the general dumbness of the current software marketing campaigns, although it's hardly helping the story...) IMHO, it comes down to the statement that if you can keep a small customer on z until they *are* bigger, then it becomes an inertial decision to STAY on z. The longer you keep them, the harder it is to switch either to -- or from -- System z. So, call it what you will. Loss suits me.
Re: PSI story
Well, just my $0.02, and I have no inside knowledge at all... But... My guess is IBM is doing it's level (and legal) best to get out from under encumbering agreements, and will sooner or later, embrace Hercules as the platform of choice for Sub 200 mips Mainframe platforms. Yep - Hercules. There are no downsides to this from IBM's point of view - they only license mainframe software, such as z/OS, to IBM branded hardware and they build in a hardware dongle to make sure. They can of course do exactly that, since the source code is open and there is no restriction on how you use Hercules that would apply. They simply *do not charge for Hercules*. If and when they do so, it is a great financial advantage to everyone, and they may just open up and restructe the PWD program to be very much more cost effective to developers. At least, that is the pattern IBM seems to follow - every time a PWD program dies off, there is a better one to replace at less cost and with more functionality to the user. (Except for the innumerable an annoying times the website is redesigned. That just keeps getting worse, in my no so humble opinion.) Anyways, it could happen. :) -Paul ---BeginMessage--- With the loss of the Flex 64-bit capability for general use Sorry to nitpick, but I don't believe there has ever been a FLEX 64-bit capability for general use. I'd say that the unavailability of the 64 bit FLEX *is* the loss I'm talking about. On this list (and others), we've been discussing the problems between FSI and IBM on public release of the 64 bit FLEX for months. It will not see the light of day for general customers due to IBM and FSI being unable to come to an agreement. We've seen Cornerstone and T3 present different sides of the case, and you have also responded to the discussion. I call that inability to find common ground a loss. It's an obvious loss to FSI who did follow the rules and tried to work it out with IBM, for obvious reasons. It's a loss to IBM for people who a) don't have the space for a z9, b) don't have the environmentals for a z9, and c) can't afford a z9. IBM is losing, and will continue to lose unless there is a different approach from System z marketing, those small to medium Z customers -- not to the z9 BC, pSeries or iSeries, but to *other vendors* who can deliver a solution that doesn't require a lot of renovation. Ultimately, the loser is the poor schmuck at the customer who's stuck with having to cope with the switch when some finance bozo cuts off the funding for a working solution because it would require renovating the machine room. IBM certainly has the RD capability to out-innovate these upstarts -- the patent IP that seems to be the point of the PSI discussion makes it clear that there's plenty more brains at IBM than elsewhere. The question is how quickly it can be transformed into *something people want to buy*. Clearly there's a desire for a solution in this space that IBM is not providing. How long can IBM afford to bleed small customers that eventually might grow up to be bigger customers -- but have already switched to competing technology? That's really the open question. The current marketing strategy is killing your pipeline of new workload. (We won't raise the general dumbness of the current software marketing campaigns, although it's hardly helping the story...) IMHO, it comes down to the statement that if you can keep a small customer on z until they *are* bigger, then it becomes an inertial decision to STAY on z. The longer you keep them, the harder it is to switch either to -- or from -- System z. So, call it what you will. Loss suits me. ---End Message---
Re: Active Directory from CMS
Hello Pradip Pandya, I can say NO. When I wanted to get PTF's for our z/VM 4.3 system to upgrade to our z890, I was told that they could not help me. I found them on IBMLINK and the like and ordered them via FTP, BUT IBM said NO to everything I wanted from them. I was out of service too. Ed Martin Aultman Health Foundation 330-588-4723 [EMAIL PROTECTED] ext. 40441 From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Pradip Pandya Sent: Thursday, March 01, 2007 11:57 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Active Directory from CMS On Wednesday, 02/28/2007 at 06:26 CST, Alan Ackerman [EMAIL PROTECTED] wrote: But mostly I am looking for anyone who has actually tried to use CMS with Active Directory, either for authorization or to extract data out of the LDAP directory. In addition to an LDAP server, z/VM V5.3 will have ldap (e.g. ldapsrch) commands. They have bind (authentication) capability, as well as SSL/TLS to protect the session. Alan Altmark z/VM Development IBM Endicott I am wondering if IBM can provide support to older version of z/VM 4.4, considering the fact that it is another protocol similar to the http. Pradip M Pandya National Institute of Standard Technology (301) 975-4915
Re: PSI story
To both Paul Raulerson and David Boyes. I believe that you are Preaching to the Choir. It is a loss. And some day Hercules may be supplied/support/allowed by IBM, but when small to medium companies switch it takes a long time for them to get the bad taste of what IBM did to us out of their mouths. Such is life! Ed Martin Aultman Health Foundation 330-588-4723 [EMAIL PROTECTED] ext. 40441
Re: PSI story
I believe that you are Preaching to the Choir. Very possibly. On the other hand, you guys write bigger checks to IBM than I do. There are also some quiet people lurking on this list that do have the ear of senior IBMers -- and others -- in ways that I don't. Don't kid yourself -- HP and Sun folks read this list closely. but when small to medium companies switch it takes a long time for them to get the bad taste of what IBM did to us out of their mouths. Judging by the continuing reaction to the DECsystem 10 and 20 cancellation and IBM's failed SNA-will-take-over-the-world networking strategy, we've got a long wait coming. HP is *still* paying for DEC cancelling Jupiter way back in 1982, even two companies later.
Re: Installing DFSMS/VM RMSONLY
It's not on my 1C2, but it is on 1B1. That's not good, the RMSPROF EXEC is supposed to be on the 1C2. What files are on that disk? Best Regards, Les Geer IBM z/VM and Linux Development
Re: Multiple Guests using the Same Crypto Domain
From the planning and admin: Should I be able to run two guests using crypto with the same domain? Only one virtual machine may use a domain at a time. If more than one virtual machine has a CRYPTO statement for a given domain, only the first virtual machine that logs on receives use of the domain. Also, as a processor migration is mentioned, here is some info that is within our hardware buckets: 1. 06/01/18 RUNNING Z/OS GUESTS ON Z/VM USING PCI CRYPTO CARDS ON Z890, Z990, AND LATER PROCESSORS. Changes in crypto set-up are necessary when migrating from the Cryptographic Coprocessor Facility (CCF) on the zSeries z800 and z900 servers to the PCI cryptographic cards on the z890 (2086device), z990 (2084device), and later processors. With the z990 and z890, the Cryptographic Coprocessor Facility has been removed and replaced with the Central Processor Assist for Cryptographic Functions (CPACF) and the PCI cryptographic accelerators and coprocessors. This requires changes to the z/VM CRYPTO directory control statement. For CCF, it was necessary to include the CRYPTO Directory Control Statement with the following operands: DOMAIN, CSU, KEYENTRY, SPECIAL, and MODIFY. For PCI crypto, the CSU, KEYENTRY, SPECIAL, and MODIFY operands are no longer needed and are ignored if specified. The operands used for PCI crypto are DOMAIN, APDEDICATED, and APVIRT. The APVIRT operand is intended to authorize hardware for SSL acceleration for Linux and VSE guests and is not used for z/OS guests. If the APVIRT operand is specified for z/OS guests, the Integrated Cryptographic Services Facility (ICSF) component of z/OS will not function properly. An example of the CRYPTO directory control statement authorizing a z/OS guest to access the PCI crypto cards is: CRYPTO DOMAIN 1 APDEDICATED 2 3 This statement authorizes the z/OS guest to have dedicated access to crypto queue 1 on both AP 2 and AP 3. The APs specified on the above statement must be selected from the set of APs selected on the PCI Cryptographic Online List on the Crypto Image Profile Page for the VM logical partition. The DOMAINs specified must be selected from the set of domains specified on the Usage Domain Index selections on the Crypto Image Profile Page for the logical partition. For CCF, an additional required step was to define a virtual crypto facility by using either the CRYPTO operand on the CPU directory statement or the DEFINE CRYPTO command. Neither of these are required for PCI crypto. It is recommended that these no longer be used in orde to avoid the following message at logon: HCP663E The crypto cannot be defined because no real crypto facility is installed. An additional hardware requirement for z/OS guests is that the CP Crypto Assist functions (CPACF) must be enabled on the processor. Once CPACF is enabled on the hardware, no z/VM set-up is required to authorize guests to access these functions and they will be available to all guests. Hopefully this helps answer things, Kurt Acker Don W. [EMAIL PROTECTED] Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU 03/01/2007 11:24 AM Please respond to The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU To IBMVM@LISTSERV.UARK.EDU cc Subject Re: Multiple Guests using the Same Crypto Domain On Wed, 28 Feb 2007 20:06:52 -0500, Lloyd Fuller [EMAIL PROTECTED] wrote: On Wed, 28 Feb 2007 15:06:48 -0600, Don W. wrote: I am trying to define two z/OS guests that are using CRYPTO. The mainframe supposedly has two CRYPTO Coprocessors. The guests need to have the same DOMAIN. I thought I should be able to dedicate a CRYPTO Coprocessor to each guest and use the same domain. When I bring up the first guest, it seems to reserve both CRYPTO processors. The first guest gets msg HCPAPJ1708I No Processor is available to service virtual crypto unit (0/1). The second guest gets a msg that the DOMAIN is in use and CRYPTO is not available. Should I be able to run two guests using crypto with the same domain? To answer this we will need to know what type of processor. The different processors handle things different. In addition, if this is a z800/z900 or older, you can only bind them to CPU0 and CPU1. Lloyd
Re: Installing DFSMS/VM RMSONLY
VMSESPARTCAT SMPACSL ACS SMPACSS ACS SMPACS2 ACS SMPREXX EXEC FSMPROF EXEC DGTVCNTL SAMPDATA DGTVAUTH SAMPDATA RMCONFIG SAMPCNFG SMPCNFGR CONFIG SMPCNFG2 CONFIG SMPCNFGS CONFIG SMPCNFGL CONFIG -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Les Geer (607-429-3580) Sent: Thursday, March 01, 2007 4:01 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Installing DFSMS/VM RMSONLY It's not on my 1C2, but it is on 1B1. That's not good, the RMSPROF EXEC is supposed to be on the 1C2. What files are on that disk? Best Regards, Les Geer IBM z/VM and Linux Development
Re: Multiple Guests using the Same Crypto Domain
We have multiple z/OS guests successfully using the same Crypto Domain, but they use separate cards (on a z9 EC). Maybe an example will help... here's what we have in the directory and on the HMC... From our USER DIRECT (really -- no directory management product on that system!)... USER DIRECT ... USER ZOSGUEST1 ... --- (obviously a pseudonym to protect the innocent) ... * DOMAIN = regs, APDED=cards; VM can't share DOM in same APDED -- Comments for my weary mind CRYPTO DOMAIN 1 APDEDICATED 2 3 CSU * ... USER ZOSGUEST2 ... * DOMAIN = regs, APDED=cards; VM can't share DOM in same APDED CRYPTO DOMAIN 2 APDEDICATED 2 3 CSU * ... USER ZOSGUEST3 ... * DOMAIN = regs, APDED=cards; VM can't share DOM in same APDED CRYPTO DOMAIN 3 APDEDICATED 2 3 CSU * ... Notice that the DOMAIN n changes for each guest, while the APDEDICATED args remain the same. From the HMC for the LPAR running the z/VM (5.2) system which hosts these (and other) z/OS guests (where x replaces the checkmark in the box before the numbers on that Crypto screen) Control Domain Index Usage Domain Index 0 0 x 1x 1 x 2x 2 x 3x 3 x 4x 4 x 5x 5 x 6x 6 x 7x 7 x 8x 8 9 9 ...... Cryptographic Candidate ListCryptographic Online list 00 11 x 2 x 2 x 3 x 3 44 ... ... IBM Crypto hardware seems partly governed by security by ignorance. I spent a good deal of time with nice IBM folks in product support and pubs getting the PRSM manual updated with clearer explanations, definitions, and examples. I asked that the HMC contain better doc (which I have not checked since the HMC was upgraded from OS/2 to Linux). Hope a real-life example helps. This is tough stuff to get working. Mike Walter Hewitt Associates Any opinions expressed herein are mine alone and do not necessarily represent the opinions or policies of Hewitt Associates. Kurt Acker [EMAIL PROTECTED] Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU 03/01/2007 04:08 PM Please respond to The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU To IBMVM@LISTSERV.UARK.EDU cc Subject Re: Multiple Guests using the Same Crypto Domain From the planning and admin: Should I be able to run two guests using crypto with the same domain? Only one virtual machine may use a domain at a time. If more than one virtual machine has a CRYPTO statement for a given domain, only the first virtual machine that logs on receives use of the domain. Also, as a processor migration is mentioned, here is some info that is within our hardware buckets: 1. 06/01/18 RUNNING Z/OS GUESTS ON Z/VM USING PCI CRYPTO CARDS ON Z890, Z990, AND LATER PROCESSORS. Changes in crypto set-up are necessary when migrating from the Cryptographic Coprocessor Facility (CCF) on the zSeries z800 and z900 servers to the PCI cryptographic cards on the z890 (2086device), z990 (2084device), and later processors. With the z990 and z890, the Cryptographic Coprocessor Facility has been removed and replaced with the Central Processor Assist for Cryptographic Functions (CPACF) and the PCI cryptographic accelerators and coprocessors. This requires changes to the z/VM CRYPTO directory control statement. For CCF, it was necessary to include the CRYPTO Directory Control Statement with the following operands: DOMAIN, CSU, KEYENTRY, SPECIAL, and MODIFY. For PCI crypto, the CSU, KEYENTRY, SPECIAL, and MODIFY operands are no longer needed and are ignored if specified. The operands used for PCI crypto are DOMAIN, APDEDICATED, and APVIRT. The APVIRT operand is intended to authorize hardware for SSL acceleration for Linux and VSE guests and is not used for z/OS guests. If the APVIRT operand is specified for z/OS guests, the Integrated Cryptographic Services Facility (ICSF) component of z/OS will not function properly. An example of the CRYPTO directory control statement authorizing a z/OS guest to access the PCI crypto cards is: CRYPTO DOMAIN 1 APDEDICATED 2 3 This statement authorizes the z/OS guest to have dedicated access to crypto queue 1 on both AP 2 and AP 3. The APs specified on
Re: Max size 3270 screen SHOW
After raising my TCPIP DATABUFFERPOOLSIZE to 12K and enjoying my big screens I have found that SHOW will not work on a screen with more than 66 lines. I get: DMSABE141T Addressing exception occurred at 808D6B6C in routine SHOW on a 67 x 81 screen. Does anyone have a fix for this? /Fran Hensler at Slippery Rock University of Pennsylvania USA for 43 years [EMAIL PROTECTED] +1.724.738.2153 Yes, Virginia, there is a Slippery Rock
Re: PSI story
On Thursday, 03/01/2007 at 02:16 EST, David Boyes [EMAIL PROTECTED] wrote: With the loss of the Flex 64-bit capability for general use Sorry to nitpick, but I don't believe there has ever been a FLEX 64-bit capability for general use. I'd say that the unavailability of the 64 bit FLEX *is* the loss I'm talking about. I just wanted it clear that 64-bit FLEX is not now, and has never been, available for general use. To the uninitiated your statement was ambiguous. You have clarified your meaning of the word loss and I am a happy camper now. :-) Alan Altmark z/VM Development IBM Endicott
Re: Multiple Guests using the Same Crypto Domain
On Thu, 1 Mar 2007 10:24:38 -0600, Don W. wrote: On Wed, 28 Feb 2007 20:06:52 -0500, Lloyd Fuller [EMAIL PROTECTED] wrote: On Wed, 28 Feb 2007 15:06:48 -0600, Don W. wrote: I am trying to define two z/OS guests that are using CRYPTO. The mainframe supposedly has two CRYPTO Coprocessors. The guests need to have the same DOMAIN. I thought I should be able to dedicate a CRYPTO Coprocessor to each guest and use the same domain. When I bring up the first guest, it seems to reserve both CRYPTO processors. The first guest gets msg HCPAPJ1708I No Processor is available to service virtual crypto unit (0/1). The second guest gets a msg that the DOMAIN is in use and CRYPTO is not available. Should I be able to run two guests using crypto with the same domain? To answer this we will need to know what type of processor. The different processors handle things different. In addition, if this is a z800/z900 or older, you can only bind them to CPU0 and CPU1. Lloyd = We are currently using a z900 but will soon have a z9. There are significant differences between the crypto engines on a z900 and on a z9. Some of the differences are good and some are bad. As I said, on a z900 you only have two possible crypto engines (disregarding the PCI / PCI-X cards). And they have to be tied to CPU0 and/or CPU1. The z9 has one crypto engine per CPU to be enabled. However, these are different engines and do things differently. There are several good white papers, Redbooks and Redpapers available. Search on the IBM main web site for Cryptographic and you will find lots. Also, search on exactly Cryptographic Performance and you will find a document that describes the throughput that you can expect with your crypto engine on the z9. I did not find a similar one (in detail at least) for the z900, but there are several presentations on Technotes that describe the differences in the various engines. Note that MOST of the documents that I have found have been for z/OS, and not for z/VM. I think there were one or two on z/VM and one or more on z/Linux (particularly with SSL). Lloyd
Re: Active Directory from CMS
On Thursday, 03/01/2007 at 11:57 EST, Pradip Pandya [EMAIL PROTECTED] wrote: I am wondering if IBM can provide support to older version of z/VM 4.4, considering the fact that it is another protocol similar to the http. Sorry, but no. 1. z/VM 4.4 is no longer supported 2. We rarely add new features to older releases. Typically we add only support for newer hardware. Alan Altmark z/VM Development IBM Endicott
Re: Error during command authentication
What, this isn't the IBM Virtual Library? Anyway, the problem went away by Wednesday night. On Wed, 28 Feb 2007 08:34:33 -0800, Schuh, Richard [EMAIL PROTECTED] wrot e: You might try the IBMVM list :-) Regards, Richard Schuh -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Alan Ackerman Sent: Tuesday, February 27, 2007 4:48 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Error during command authentication Error during command authentication Error - unable to initiate communication with LISTSERV (errno=10061, phase=CONNECT, target=127.0.0.1:2306). The server is probably not started. Every time I try to login to the IBMVL list, I get the above messages. I can still read the list, but not post or search it. Attempting this append by email. Alan Ackerman alan(dot)ackerman(at)bank of anerica(dot)com = == =