Re: Mini-survey: Linux usability

2007-06-13 Thread Rod

Sigh.. sorry people, wrong list (again)... apologies.

--
Rod


Re: Mini-survey: Linux usability

2007-06-13 Thread Rod

When I first got my mitts on this stuff I had awful trouble getting
anything working until Rob walked down the corridor and helped me out.
We then had a series of discussions concerning a bog-standard DDR
image that would get people up and running.

That was nearly 10 years ago. Given the recent discussion about having
to send notes to Novell to generate sufficient interest to get
something similar, it depresses me to see just how far things have
come in 10 years.

--
Rod (Moan over - back to fixing Access dBs (sigh)...)


Ted Kotlowski is out of the office.

2007-06-13 Thread Ted Kotlowski
I will be out of the office starting  06/13/2007 and will not return until
06/19/2007.

I will respond to your message when I return.
If your request requires immediate attention, Please contact the MVS
Technical Support Hotline
at 1-866-866-4488 x12000


**
This e-mail message and all attachments transmitted with it may contain legally 
privileged and/or confidential information intended solely for the use of the 
addressee(s). If the reader of this message is not the intended recipient, you 
are hereby notified that any reading, dissemination, distribution, copying, 
forwarding or other use of this message or its attachments is strictly 
prohibited. If you have received this message in error, please notify the 
sender immediately and delete this message and all copies and backups thereof.

Thank you.
**


Re: Scragging a disk

2007-06-13 Thread Phil Smith III
Mike Walter [EMAIL PROTECTED] wrote:
Just how badly should the mdisk be scragged when you're done? Wouldn't
the typical, tried-and-true method work?  Two CMS users linking the disk 
MW, with one overlaying the other's files. It's worked (unintentionally)
for CMS users for nearly 35 years now!  :-)

Ok, ok...I wasn't clear enough.  I just need it to be un-ACCESS-able, to 
validate detection by an installer program.

The Pipes solution R; provided will do it; I'd still like to understand what 
DDR's whining about, tho...

...phsiii


Re: Scragging a disk

2007-06-13 Thread Kris Buelens

As has been replied already: you asked to copy cylinder  range 1-0 and copy
that onto cylinder 0.
You should have said   COPY 1 1 REORDER 0

--
Kris Buelens,
IBM Belgium, VM customer support

2007/6/13, Phil Smith III [EMAIL PROTECTED]:


Mike Walter [EMAIL PROTECTED] wrote:
Just how badly should the mdisk be scragged when you're done? Wouldn't
the typical, tried-and-true method work?  Two CMS users linking the disk
MW, with one overlaying the other's files. It's worked (unintentionally)
for CMS users for nearly 35 years now!  :-)

Ok, ok...I wasn't clear enough.  I just need it to be un-ACCESS-able, to
validate detection by an installer program.

The Pipes solution R; provided will do it; I'd still like to understand
what DDR's whining about, tho...

...phsiii



Insertion in 3494

2007-06-13 Thread Alain Benveniste
Hi all,

On our recovery site we have to insert dozens of thousands of virtual tapes
and that takes 10 hours. It seems that FF00 is the only category attributed to
the tapes. My question is how I could apply the category that belongs to a
specific MVS behind the robot through its laptop. The dfsmsrm set volcat
targetcat is too slow to do what I want.

Alain 



Re: Scragging a disk

2007-06-13 Thread Chris Langford

Phil Smith III wrote:

The Pipes solution R; provided will do it; I'd still like to understand what 
DDR's whining about, tho...

...phsiii
..
  

The command COPY 1 0 REORDER 0
 says copy beginning at cyl 1  ending at cyl 0, output starts at cyl 0
 

Ending cylinder should be greater or equal to start cylinder else HCP713E 


--
Chris Langford,
Cestrian Software:
Consulting services for: VM, VSE, MVS, z/VM, z/OS, OS/2, P/3x0 etc. 


z/FM  - A toolbox for VM  MVS at http://zfm.cestrian.com


Re: Linux question

2007-06-13 Thread John Hanley
Hi Andy,

Did you get lost and end up in VM Land?

Here we do not run any virus scan software on the VM guest Linux servers.
None of these connect to the public internet.

John Hanley
(804) 786-7823


   
[EMAIL PROTECTED]
Sent by: The IBM z/VM Operating System [EMAIL PROTECTED]
06/13/2007 07:26 AM
Please respond to: The IBM z/VM Operating System [EMAIL PROTECTED]
To: IBMVM@LISTSERV.UARK.EDU
cc:
Subject: Linux question
   
   





To anyone running Linux under z/VM is it normal for companies to want to
run a virus scan product when its on the mainframe? I'm more familiar with
the z/OS world and I know we don't run any on that side of the shop. Thanks


Andy
Internet: Mailto:[EMAIL PROTECTED]


The information contained in this message may be CONFIDENTIAL and is for
the intended addressee only.  Any unauthorized use, dissemination of the
information, or copying of this message is prohibited.  If you are not the
intended addressee, please notify the sender immediately and delete this
message.


Re: Linux question

2007-06-13 Thread John Hanley
Andy,

VM and RACF only control the access to VM  level things like MDISK and
VSWITCH connections.
Once someone logs onto Linux itself they will not stop a virus from being
introduced

John Hanley
(804) 786-7823


   
[EMAIL PROTECTED]
Sent by: The IBM z/VM Operating System [EMAIL PROTECTED]
06/13/2007 08:45 AM
Please respond to: The IBM z/VM Operating System [EMAIL PROTECTED]
To: IBMVM@LISTSERV.UARK.EDU
cc:
Subject: Re: Linux question
   
   





Hi John -
You don't want to ask ;) So even if it was to the outside world I
wonder if the MF could pick up a virus meaning under the Linux is z/VM
which is RACF controlled etc. I'm just wondering is it worth trying to make
and run and what is it really protecting the Linux file system?

Andy



The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU wrote on
06/13/2007 08:26:53 AM:

 Hi Andy,

 Did you get lost and end up in VM Land?

 Here we do not run any virus scan software on the VM guest Linux servers.
 None of these connect to the public internet.

 John Hanley
 (804) 786-7823




 [EMAIL PROTECTED]
 Sent by: The IBM z/VM Operating System [EMAIL PROTECTED]
 06/13/2007 07:26 AM
 Please respond to: The IBM z/VM Operating System [EMAIL PROTECTED]
 To: IBMVM@LISTSERV.UARK.EDU
 cc:
 Subject: Linux question










 To anyone running Linux under z/VM is it normal for companies to want to
 run a virus scan product when its on the mainframe? I'm more familiar with
 the z/OS world and I know we don't run any on that side of the shop. Thanks


 Andy
 Internet: Mailto:[EMAIL PROTECTED]




Re: Encryption options for DDR

2007-06-13 Thread Alan Altmark
On Tuesday, 06/12/2007 at 04:11 MST, Thomas Kern [EMAIL PROTECTED] 
wrote:

 The hardware solution of encrypted tape drives is pushed a lot because z/OS has
 so much data that should be encrypted and z/VM can use them too, but not as
 friendly as if you were strictly z/OS.

Huh?  Using an encrypting tape drive on z/VM is as easy as specifying the 
key label on ATTACH.

 What I haven't figured out about them is
 how to prove to the security auditors that the data is REALLY encrypted.

Quoting some news articles on the web, IBM is in the process of having the 
TS1120 FIPS 140-2 certified.

Alan Altmark
z/VM Development
IBM Endicott


Re: cp link security

2007-06-13 Thread Mike Walter
Have you *seen* David lately?  Obviously, as with many of us long-time 
mainframers, dementia is setting up shop... in this case apparently 
contracted by his exposure to RACF.  ;-)

Mike Walter 
Hewitt Associates 
Any opinions expressed herein are mine alone and do not necessarily 
represent the opinions or policies of Hewitt Associates.




David Boyes [EMAIL PROTECTED] 

Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
06/13/2007 08:01 AM
Please respond to
The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU



To
IBMVM@LISTSERV.UARK.EDU
cc

Subject
Re: cp link security






 From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
 Behalf Of David Kreuter
 What's happened to me? I no longer find RACF on VM that annoying. But I
 don't use ISPF so that helps lessen the annoyance.
 David

Clearly brain lesions induced by prolonged contact with RACF. 

-- db




 
The information contained in this e-mail and any accompanying documents may 
contain information that is confidential or otherwise protected from 
disclosure. If you are not the intended recipient of this message, or if this 
message has been addressed to you in error, please immediately alert the sender 
by reply e-mail and then delete this message, including any attachments. Any 
dissemination, distribution or other use of the contents of this message by 
anyone other than the intended recipient 
is strictly prohibited.


Re: cp link security

2007-06-13 Thread David Boyes
 From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
 Behalf Of David Kreuter
 What's happened to me? I no longer find RACF on VM that annoying. But I
 don't use ISPF so that helps lessen the annoyance.
 David

Clearly brain lesions induced by prolonged contact with RACF. 

-- db


Re: Encryption options for DDR

2007-06-13 Thread Imler, Steven J
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Alan Altmark
Sent: Wednesday, June 13, 2007 09:11 AM

 The hardware solution of encrypted tape drives is pushed a lot because z/OS has
 so much data that should be encrypted and z/VM can use them too, but not as
 friendly as if you were strictly z/OS.

 Huh?  Using an encrypting tape drive on z/VM is as easy as specifying the
 key label on ATTACH.

Only if you're willing to completely ignore all of the hardware and
software PRE-REQs necessary to establish an out-of-band connection.
Our storage management group (and my z/OS counterparts) thought I had
lost my mind when I gave them the list.

JR (Steven) Imler
CA
Senior Software Engineer
Tel:  +1 703 708 3479
Fax:  +1 703 708 3267
[EMAIL PROTECTED]


Re: Linux question

2007-06-13 Thread David Boyes
 


To anyone running Linux under z/VM is it normal for companies to want to
run a virus scan product when its on the mainframe? I'm more familiar
with the z/OS world and I know we don't run any on that side of the
shop. Thanks 



Many do. It's a complete waste of cycles, but many sites answer with "if
it's Linux, it needs to be consistent with the Intel deployment" - even
though it's a completely different processor architecture and compiled
binaries for viruses don't work.

Pick your arguments, and this is one where you can profitably let it
pass. There are good open-source ones (such as clam-av), and just say
"yep, we've already got that covered, it's in the package *at no extra
charge*, including automatic updates".

 

One less thing for the objectors to wheeze about. 

 

 



Re: Encryption options for DDR

2007-06-13 Thread Michael Coffin
Hi Alan,

I wish it were that simple, but aren't there Windows based key-servers
involved that hold the keys?  One of my concerns is replicating the
contents of those Winblows key servers (somehow) to your DR site.
Maybe you can answer this for me, if you have your encrypted tapes but
no key-servers, is there a way (from a 3270 console) to provide a
master key/passphrase or something to make the tapes usable/readable?

By the way, what software is required on z/VM?  I see lots of
references in the doc to RACF (which we don't use), but can't tell if
that's required for this to work or not.   I had access to a TS1120
recently, but couldn't test it because z/VM 5.3 is the first release to
support the drive, and that doesn't go GA for a couple of weeks yet.

Michael Coffin, President
MC Consulting Company, Inc.
57 Tamarack Drive
Stoughton, Massachusetts  02072
 
Voice: (781) 344-9837    FAX: (781) 344-7683
 
[EMAIL PROTECTED]
www.mccci.com


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Alan Altmark
Sent: Wednesday, June 13, 2007 9:11 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Encryption options for DDR


On Tuesday, 06/12/2007 at 04:11 MST, Thomas Kern [EMAIL PROTECTED]

wrote:

 The hardware solution of encrypted tape drives is pushed a lot because z/OS has
 so much data that should be encrypted and z/VM can use them too, but not as
 friendly as if you were strictly z/OS.

Huh?  Using an encrypting tape drive on z/VM is as easy as specifying the
key label on ATTACH.

 What I haven't figured out about them is
 how to prove to the security auditors that the data is REALLY encrypted.

Quoting some news articles on the web, IBM is in the process of having the
TS1120 FIPS 140-2 certified.

Alan Altmark
z/VM Development
IBM Endicott


Re: Encryption options for DDR

2007-06-13 Thread Michael Coffin
Hi Thomas,

Talk to Dave Jones, my understanding is that he is working on a solution
to allow Encrypt/Plus to encrypt DDR (when running under CMS).  So you'd
need an unencrypted starter system on file 1 of your restore tape with
your Encrypt/Plus keys on it.  Restore that unencrypted starter system
and use it (with the Encrypt/Plus keys) to restore your production
system from the encrypted tapes.

PS:  Feel free to contact me off-list if you like, as I am sure we have
similar agendas.. :)

Michael Coffin, President
MC Consulting Company, Inc.
57 Tamarack Drive
Stoughton, Massachusetts  02072
 
Voice: (781) 344-9837    FAX: (781) 344-7683
 
[EMAIL PROTECTED]
www.mccci.com


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Thomas Kern
Sent: Tuesday, June 12, 2007 7:11 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Encryption options for DDR


I have tried to modify PIPEDDR to use a TAPE stage so that V/Soft's
product will properly encrypt the data. It already works fine for
TAPE|VMFPLC2|FILEDEF tape manipulations. There is also an OLD sourceless
program on the IBM downloads page CKDSVRST (sp?) that might also be
capable of reading/writing data that can be encrypted by a 3rd party
product. I would be interested in talking to anyone who wants to code
this stuff from scratch as an alternative to DDR.

The hardware solution of encrypted tape drives is pushed a lot because
z/OS has so much data that should be encrypted and z/VM can use them
too, but not as friendly as if you were strictly z/OS. What I haven't
figured out about them is how to prove to the security auditors that the
data is REALLY encrypted.

I am at an IBM/Oracle class this week, but if you want, you can call me
next week.

/Thomas Kern
/U.S. Dept of Energy
/Germantown, MD
/301-903-2211

--- Aria Bamdad [EMAIL PROTECTED] wrote:
 Rick,
 
 Thanks.  Yes, I have looked at V/Soft's solution also.  A minor 
 correction, their web site has a dash in the domain name:
 
 http://www.vsoft-software.com
 
 Aria.



 




Re: Linux question

2007-06-13 Thread David Boyes
 So even if it was to the outside world I wonder if the MF could pick up a
 virus meaning under the Linux is z/VM which is RACF controlled etc. I'm just
 wondering is it worth trying to make and run and what is it really protecting
 the Linux file system?

If you run the Linux guest as a class G user (recommended -- more
privileges are NOT necessary), then you're in a sealed box you can't get
out of, and there is zero possibility of doing harm to the other virtual
machines by memory corruption, etc. Network DOS attacks can happen, but
that's a whole different class of intrusion. 

Obviously Windows-oriented attacks cannot work.  One idea that just
occurred to me: if the Linux instance is acting as a file server for
Windows clients, an infected client machine can use its access to
stored data on the Linux guests to corrupt other stored files, spreading
the infection to other client machines indirectly. Having a virus
scanner as part of Samba or other services will allow the Linux guest to
alert automation on the mainframe to cut off or limit the damage. 


Re: Scragging a disk

2007-06-13 Thread Phil Smith III
It did, thanks -- ahhh.  Now I get it.  I was thinking it was copy from x to 
(output) y.  I read your response but didn't grok it!  Too early, I guess.  
Thanks.

Of course, now I have a SCRAGEM EXEC on that ID that (after prompting!) uses 
the Pipes version, but at least I understand it better now.

Copying the list for others' edification (or so they can laugh at me not 
understanding your perfectly clear explanation).

...phsiii 

-Original Message-
From: Bill Munson [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 13, 2007 9:35 AM
To: Phil Smith III
Subject: Re: Scragging a disk

Did my answer not get through to the list ?

Your copy statement is wrong
you are asking to copy from cyl 1 through cyl 0 and reorder to cyl 0

maybe copy 1 1 reorder 0


Re: Mini-survey: Linux usability

2007-06-13 Thread Mike Walter
Maybe not addressed to the most-affected list, but IBMVM subscribers are 
affected, too.  Especially those getting into Linux for System z for the 
first time.  It took us around a year to get the first P.O.C. server 
installed because our Internet Security group would not permit a CD drive 
on anyone's PC to be connected to the mainframe LAN - not even for the 
time it takes to copy the ISO images.

Eventually we received a DDR copy to tape of a running Linux FTP server 
which we quickly restored in our VM system, and by jumping through 
extensive hoops (inserting the CDs on a Linux blade server, then mounting 
them on USS in z/OS, and then again mounting them on the new Linux for 
System z FTP server to actually begin the installation).  What a nightmare 
and what an absolute waste of time to begin a P.O.C (all in the name of 
security!).

I began suggesting the following on July of 2006.  Thus far there has been 
little-to-no response...
If Novell wants to play in the z/VM market, they should provide an easy 
way for existing z/VM customers to download a stripped-down SLES FTP 
server using tools that every z/VM customer already has available: the 
z/VM TCP/IP FTPSERVE server, and (admittedly something requiring a 
download from the IBM VM Download site): the CMSDDR package. 

The new-to-Linux on System z customer could run CMSDDR to download a 
running Linux FTP server, bring that up, follow rather simple instructions 
to customize it for their network, and then bring it up.  Novell could 
also supply access to the ISO images such that they could be downloaded 
directly through either the CMS FTPSERVE svm, and/or, the newly installed 
bare-bones SLES FTP server.  There would  be no need to permit access from 
someone's CD or DVD drive to the mainframe network, and... no need to go 
through MS Windows to perform the downloads... ugh!

Before Mark Post moved to Novell, perhaps there were insufficient z/VM 
skills to make this or other ease/speed-of-installation techniques 
available at Novell.  Now there may be a light shining at the end of the 
tunnel?

Mike Walter 
Hewitt Associates 
Any opinions expressed herein are mine alone and do not necessarily 
represent the opinions or policies of Hewitt Associates.




Rod [EMAIL PROTECTED] 

Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
06/13/2007 02:08 AM
Please respond to
The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU



To
IBMVM@LISTSERV.UARK.EDU
cc

Subject
Re: Mini-survey: Linux usability






When I first got my mitts on this stuff I had awful trouble getting
anything working until Rob walked down the corridor and helped me out.
We then had a series of discussions concerning a bog-standard DDR
image that would get people up and running.

That was nearly 10 years ago. Given the recent discussion about having
to send notes to Novell to generate sufficient interest to get
something similar, it depresses me to see just how far things have
come in 10 years.

--
Rod (Moan over - back to fixing Access dBs (sigh)...)



 




Re: cp link security

2007-06-13 Thread Bill Munson

Go to the VM Resources web site http://www.vm-resources.com/
and you will see a nice picture of David getting his award at SHARE


Bill Munson
IT Specialist
VM System Programmer
Office of Information Technology
State of New Jersey
(609) 984-4065

President MVMUA
http://www.marist.edu/~mvmua



Mike Walter wrote:
Have you *seen* David lately?  Obviously, as with many of us long-time 
mainframers, dementia is setting up shop... in this case apparently 
contracted by his exposure to RACF.  ;-)


Mike Walter 
Hewitt Associates 
Any opinions expressed herein are mine alone and do not necessarily 
represent the opinions or policies of Hewitt Associates.





David Boyes [EMAIL PROTECTED] 


Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
06/13/2007 08:01 AM
Please respond to
The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU



To
IBMVM@LISTSERV.UARK.EDU
cc

Subject
Re: cp link security







From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of David Kreuter
What's happened to me? I no longer find RACF on VM that annoying. But I
don't use ISPF so that helps lessen the annoyance.
David


Clearly brain lesions induced by prolonged contact with RACF. 


-- db




 




Re: Encryption options for DDR

2007-06-13 Thread Michael Coffin
Hi Eric,

This looks like a giant SAN with the tape contents written to a
virtual tape drive over ESCON and then transmitted to a remote SAN
over the Internet - am I reading that right?  I don't think my network
admins would be happy about me dumping an entire mainframe across the
network on a weekly basis...

Michael Coffin, President
MC Consulting Company, Inc.
57 Tamarack Drive
Stoughton, Massachusetts  02072
 
Voice: (781) 344-9837    FAX: (781) 344-7683
 
[EMAIL PROTECTED]
www.mccci.com



-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Eric Vaughan
Sent: Tuesday, June 12, 2007 1:55 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Encryption options for DDR


Take a look at our solution, z/Encrypt. www.zencrypt.com. 

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Adam Thornton
Sent: Tuesday, June 12, 2007 10:12 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Encryption options for DDR

On Jun 12, 2007, at 9:58 AM, Aria Bamdad wrote:

 Has anyone developed any solutions for encrypting DDR DASD dump
 output on
 tape?

 I am looking into encrypting DASD dumps by DDR that will be used for 
 disaster recovery.

 One solution would be to use VMBackup's encryption option and do a 
 physical dump of a DASD but was wondering if there are other options 
 that are native to CMS.


You could use ddr2cmsx, encrypt the result, and then dump that to  
real tape.  With the (compact option it'll probably save you some  
tape space too.  Obviously this requires restore-to-disk, decrypt,  
restore-to-real-target disk, so it makes your DR process take longer  
and require some temporary holding space.

I am unaware of CMS-based encryption tools, but that by no means  
implies they don't exist.  Me, I'd then VMARC my CMSDDR files (to  
eliminate blocksize issues and further shrink them), send 'em over to  
Linux, run them through something-openssl-based, ship 'em back, and  
stick them on tape, but that's a sort of icky workflow.

Adam
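
The encrypt-before-tape workflow Adam describes, as an added example that is not part of the thread: it runs on the Linux side with the `openssl` command line, and the function names, file names and passphrase file are assumptions. AES-256-CBC with PBKDF2 is one choice for the "something-openssl-based" step, and the marker check is a simple known-plaintext spot check of the kind an auditor can repeat.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the DDR/CMSDDR dump has
# already been transferred to Linux as an ordinary file.

# seal_dump <dump> <passfile>
#   Writes <dump>.enc (ciphertext for tape) and <dump>.sha256 (digest of the
#   plaintext, kept with the tape records so a restore can be checked).
seal_dump() {
    dump=$1
    passfile=$2
    openssl dgst -sha256 -r "$dump" | cut -d' ' -f1 > "$dump.sha256" || return 1
    # The passphrase is read from a file so it never shows up in the
    # process list or shell history.
    openssl enc -aes-256-cbc -pbkdf2 -salt \
        -in "$dump" -out "$dump.enc" -pass "file:$passfile" || return 1
}

# contains_marker <file> <marker>
#   Returns 0 if the byte string <marker> occurs in <file>. Run it against
#   the plaintext (expect 0) and the ciphertext (expect 1) with a string
#   known to be on the disk, such as a volume label. For EBCDIC data the
#   marker must be given in EBCDIC.
contains_marker() {
    LC_ALL=C grep -q -F -- "$2" "$1"
}

# unseal_dump <dump.enc> <passfile> <digestfile> <out>
#   Decrypts to <out> and compares its SHA-256 with the recorded digest.
#   Returns 1 if decryption fails, 2 if the digest does not match; in both
#   cases the partial output is removed so it cannot be restored by mistake.
#   "openssl enc" is unauthenticated: the digest catches a wrong key or a
#   damaged tape, not deliberate tampering by someone who can rewrite both.
unseal_dump() {
    enc=$1
    passfile=$2
    digestfile=$3
    out=$4
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -in "$enc" -out "$out" -pass "file:$passfile" 2>/dev/null \
        || { rm -f "$out"; return 1; }
    want=$(cat "$digestfile")
    got=$(openssl dgst -sha256 -r "$out" | cut -d' ' -f1)
    if [ "$want" != "$got" ]; then
        rm -f "$out"
        return 2
    fi
    return 0
}

# Typical use (paths are placeholders):
#   seal_dump   /work/vol1.ddr /secure/dr.pass
#   contains_marker /work/vol1.ddr.enc "VOLSER" && echo "plaintext leaked"
#   unseal_dump /work/vol1.ddr.enc /secure/dr.pass /work/vol1.ddr.sha256 /restore/vol1.ddr
```

The passphrase file and the `.sha256` file have to reach the DR site by a path that does not depend on the tapes themselves, which is the same key-availability concern raised elsewhere in this thread.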


Re: Encryption options for DDR

2007-06-13 Thread RPN01
I like the clean system idea... On the hardware encryption: This would
assume that your disaster recovery facility had those same encrypting tape
drives in place, wouldn't it? It would limit your possible recovery sites
considerably. And even if your DR vendor installed the same drives on one of
their platforms, what if someone else declares before you, and is already in
the shell that has your needed tape drives?

-- 
   .~.    Robert P. Nix       Mayo Foundation
   /V\    RO-OE-5-55          200 First Street SW
  /( )\   507-284-0844        Rochester, MN 55905
  ^^-^^   - 
In theory, theory and practice are the same, but
 in practice, theory and practice are different.




On 6/12/07 11:45 AM, Tom Duerbusch [EMAIL PROTECTED] wrote:

 Other than an encryption tape drive, there is no real other options for
 disaster recovery.
 
 i.e. standalone utilities don't like encrypted tapes.
 
 One of the items somewhat discussed at WAVV was having a clean system for
 standalone purposes.  That is a copy of VM (VSE or Linux whatever your
 flavor), that doesn't have any of your data on it.  You can backup and do
 standalone restores of the clean copy without hitting legal problems.  Once
 you have this clean system running, you can take software based, encrypted
 tapes and restore them to other packs.  Then IPL your production systems.
 
 I've had a disaster recovery starter system for years, but I never thought
 about making it a clean system.
 
 Obviously, much easier under VM, but also doable with LPARs.
 
 Tom Duerbusch
 THD Consulting


Re: Linux question

2007-06-13 Thread David Boyes
 I stayed out of this business for a good reason, but wouldn't  clam-av
 on s390 primarily check for signatures of found PC virus code?  

It also looks for some of the more common script-kiddie and worm attacks
for Linux. Not very many, but then again, there aren't that many to look
for. 

 That
 would imply clam-av (and similar solutions) are meant to run on your
 mail server before passing e-mail attachments to your clients. Or
 maybe on a file server to nanny the end-users. We could certainly
 argue whether the mainframe is the most cost effective place to do
 this.

Violent agreement, I think. It's dumb, but this is a battle you don't
*have* to fight and it can be converted easily into an advantage, if
needed. 


Re: cp link security

2007-06-13 Thread Adam Thornton

On Jun 13, 2007, at 8:01 AM, David Boyes wrote:


From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of David Kreuter
What's happened to me? I no longer find RACF on VM that annoying. But I
don't use ISPF so that helps lessen the annoyance.
David


Clearly brain lesions induced by prolonged contact with RACF.


Sounds like a SOA to me.

Adam


Re: Encryption options for DDR

2007-06-13 Thread Michael Coffin
Access to TS1120's at the DR site is likewise a concern of mine.  Most
DR sites have numerous 3590's, so obtaining as many as you need probably
isn't an issue.  TS1120's are mooocho expensive and I don't expect DR
sites are going to have many available (at least not initially, MAYBE
over time).  The systems I support are low priority in the grand
scheme of things, and I wouldn't want to be told Sorry, I know you are
ready to go now and your systems have already been down for 7 days - but
you won't be able to have access to any of our TS1120 drives until XYZ
Group finishes with them, that'll be about 10 days from now.!  

Michael Coffin, President
MC Consulting Company, Inc.
57 Tamarack Drive
Stoughton, Massachusetts  02072
 
Voice: (781) 344-9837    FAX: (781) 344-7683
 
[EMAIL PROTECTED]
www.mccci.com


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of RPN01
Sent: Wednesday, June 13, 2007 9:56 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Encryption options for DDR


I like the clean system idea... On the hardware encryption: This would
assume that your disaster recovery facility had those same encrypting
tape drives in place, wouldn't it? It would limit your possible recovery
sites considerably. And even if your DR vendor installed the same drives
on one of their platforms, what if someone else declares before you, and
is already in the shell that has your needed tape drives?

-- 
   .~.    Robert P. Nix       Mayo Foundation
   /V\    RO-OE-5-55          200 First Street SW
  /( )\   507-284-0844        Rochester, MN 55905
  ^^-^^   - 
In theory, theory and practice are the same, but
 in practice, theory and practice are different.




On 6/12/07 11:45 AM, Tom Duerbusch [EMAIL PROTECTED] wrote:

 Other than an encryption tape drive, there is no real other options 
 for disaster recovery.
 
 i.e. standalone utilities don't like encrypted tapes.
 
 One of the items somewhat discussed at WAVV was having a clean 
 system for standalone purposes.  That is a copy of VM (VSE or Linux 
 whatever your flavor), that doesn't have any of your data on it.  You 
 can backup and do standalone restores of the clean copy without 
 hitting legal problems.  Once you have this clean system running, 
 you can take software based, encrypted tapes and restore them to 
 other packs.  Then IPL your production systems.
 
 I've had a disaster recovery starter system for years, but I never 
 thought about making it a clean system.
 
 Obviously, much easier under VM, but also doable with LPARs.
 
 Tom Duerbusch
 THD Consulting


Re: Linux question

2007-06-13 Thread RPN01
There is one situation where the virus scan is potentially useful: The
mainframe Linux doesn't exist in a vacuum. It talks to and from other
computers, which may be subject to a virus being passed on in files handled
by Linux. It isn't good PR for someone to be walking around saying "Yeah, I
picked up a virus when I connected to that mainframe Linux..." If you have a
Linux image that is serving as a mail server, or a file server, to other
computers, virus checking might be a good thing.

As I understand it (and I'm not in that group, so it's second hand
information), we find and remove well over 10,000 viruses a day here.

-- 
   .~.    Robert P. Nix       Mayo Foundation
   /V\    RO-OE-5-55          200 First Street SW
  /( )\   507-284-0844        Rochester, MN 55905
  ^^-^^   -
In theory, theory and practice are the same, but
 in practice, theory and practice are different.
"Join the story... Ride Ural."




On 6/13/07 8:29 AM, David Boyes [EMAIL PROTECTED] wrote:

  
 
 
 To anyone running Linux under z/VM is it normal for companies to want to run a
 virus scan product when its on the mainframe? I'm more familiar with the z/OS
 world and I know we don't run any on that side of the shop. Thanks
 
 
 Many do. It's a complete waste of cycles, but many sites answer with "if it's
 Linux, it needs to be consistent with the Intel deployment" - even though it's
 a completely different processor architecture and compiled binaries for
 viruses don't work.
  
 Pick your arguments, and this is one where you can profitably let it pass.
 There are good open-source ones (such as clam-av), and just say "yep, we've
 already got that covered, it's in the package *at no extra charge*, including
 automatic updates".
  
 One less thing for the objectors to wheeze about.
  
  
 




Re: Linux question

2007-06-13 Thread Macioce, Larry
To add to the conversation, look at this. The thing it doesn't talk
about is platform.

 

http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci1260502,00.html?track=NL-383ad=592458HOUSEasrc=EM_NLT_1578942uid=5701628

 

Mace

 



From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of RPN01
Sent: Wednesday, June 13, 2007 10:17 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Linux question

 

There is one situation where the virus scan is potentially useful: The
mainframe Linux doesn't exist in a vacuum. It talks to and from other
computers, which may be subject to a virus being passed on in files
handled by Linux. It isn't good PR for someone to be walking around
saying Yeah, I picked up a virus when I connected to that mainframe
Linux... If you have a Linux image that is serving as a mail server, or
a file server, to other computers, virus checking might be a good thing.

As I understand it (and I'm not in that group, so it's second hand
information), we find and remove well over 10,000 viruses a day here.

-- 
   .~.Robert P. Nix Mayo Foundation 
  /V\RO-OE-5-55  200 First Street SW 
 / ( ) \  507-284-0844   Rochester, MN 55905 
^^-^^   - 
In theory, theory and practice are the same, but Join the story...
Ride Ural.
in practice, theory and practice are different. 




On 6/13/07 8:29 AM, David Boyes [EMAIL PROTECTED] wrote:




To anyone running Linux under z/VM is it normal for companies to want to
run a virus scan product when its on the mainframe? I'm more familiar
with the z/OS world and I know we don't run any on that side of the
shop. Thanks 


Many do. It's a complete waste of cycles, but many sites answer with if
it's Linux, it needs to be consistent with the Intel deployment - even
though it's a completely different processor architecture and compiled
binaries for viruses don't work.
 
Pick your arguments, and this is one where you can profitably let it
pass. There are good open-source ones (such as clam-av), and just say
yep, we've already got that covered, it's in the package *at no extra
charge*, including automatic updates. 
 
One less thing for the objectors to wheeze about. 
 
 

 





Re: cp link security

2007-06-13 Thread Rich Greenberg
On: Wed, Jun 13, 2007 at 09:11:26AM -0400,Alan Altmark Wrote:

} On Tuesday, 06/12/2007 at 09:06 AST, Rich Greenberg [EMAIL PROTECTED] 
} wrote:
} 
}  And its a trivial CP mod to include the ALL pwd minidisks and some other
}  exceptions in the accounting data.
}  
}  (No, I don't have the mod, but I am sure somebody on the list can supply
}  it.  My previous employer used it.)
} 
} Come now, Rich.  Only someone who is knowledgable about CP internals and 
} is comfortable modifying the system that way would classify such a thing 
} as trivial.   :-)

Yes Alan,
I suppose your right.  Mods to VM are depreciated these days,  but SES
makes it (relatively) easy to do, and ISTR that the mod consists of
making a conditional branch into either a NOP or an unconditional
branch.

As mods I have done in the past go, *I* consider that one to be trivial.

Peter, how about posting that mod?

-- 
Rich Greenberg  N Ft Myers, FL, USA richgr atsign panix.com  + 1 239 543 1353
Eastern time.  N6LRT  I speak for myself  my dogs only.VM'er since CP-67
Canines:Val, Red, Shasta  Casey (RIP), Red  Zero, Siberians  Owner:Chinook-L
Retired at the beach Asst Owner:Sibernet-L


Re: Linux question

2007-06-13 Thread Tom Duerbusch
Well, it depends on what Linux applications you have running.

Obviously, if you have a Linux based email server running, it may not get 
infected, but it becomes a carrier of virus infected email.  If the email is 
then sent to a Windows box... who does the protection?  A central site virus 
scan product?  Or one on each of the desktops?  Or both?

I say both, as you need one on Windows if the users have access to the Web.  
And sometimes, the users don't allow the anti-virus package to be updated in a 
timely manner.  Whereas, on the server, you are in control. 

However, if you are talking about having an anti-virus product on each of the 
Linux images on the mainframe
well... if you are not paying per image, the product would just sit 
there...idle.

I start thinking about DB2/UDB or Oracle.  I've not seen anyone concerned about 
viruses there.
But then I start thinking about Samba or NFS.  You could have a virus infected 
file, or trojan there.  Perhaps files there need to be scanned.

Anyway, good topic.

Tom Duerbusch
THD Consulting


 David Boyes [EMAIL PROTECTED] 6/13/2007 8:29 AM 



To anyone running Linux under z/VM is it normal for companies to want to
run a virus scan product when its on the mainframe? I'm more familiar
with the z/OS world and I know we don't run any on that side of the
shop. Thanks 



Many do. It's a complete waste of cycles, but many sites answer with if
it's Linux, it needs to be consistent with the Intel deployment - even
though it's a completely different processor architecture and compiled
binaries for viruses don't work.

 

Pick your arguments, and this is one where you can profitably let it
pass. There are good open-source ones (such as clam-av), and just say
yep, we've already got that covered, it's in the package *at no extra
charge*, including automatic updates. 

 

One less thing for the objectors to wheeze about. 

 

 


Re: cp link security

2007-06-13 Thread Gregg Reed
Any sufficiently advanced triviality is indistinguishable from magic.
X-8^)
Apologies to Mr Clarke
Gregg
No plan survives execution


   
Rich Greenberg [EMAIL PROTECTED]
Sent by: The IBM z/VM Operating System [EMAIL PROTECTED]
06/13/2007 10:37
Please respond to
The IBM z/VM Operating System [EMAIL PROTECTED]

To
IBMVM@LISTSERV.UARK.EDU
cc

Subject
Re: cp link security
   
   




On: Wed, Jun 13, 2007 at 09:11:26AM -0400,Alan Altmark Wrote:

} On Tuesday, 06/12/2007 at 09:06 AST, Rich Greenberg [EMAIL PROTECTED]
} wrote:
}
}  And its a trivial CP mod to include the ALL pwd minidisks and some
other
}  exceptions in the accounting data.
} 
}  (No, I don't have the mod, but I am sure somebody on the list can
supply
}  it.  My previous employer used it.)
}
} Come now, Rich.  Only someone who is knowledgable about CP internals and
} is comfortable modifying the system that way would classify such a thing
} as trivial.   :-)

Yes Alan,
I suppose your right.  Mods to VM are depreciated these days,  but SES
makes it (relatively) easy to do, and ISTR that the mod consists of
making a conditional branch into either a NOP or an unconditional
branch.

As mods I have done in the past go, *I* consider that one to be trivial.

Peter, how about posting that mod?

--
Rich Greenberg  N Ft Myers, FL, USA richgr atsign panix.com  + 1 239 543
1353
Eastern time.  N6LRT  I speak for myself  my dogs only.VM'er since
CP-67
Canines:Val, Red, Shasta  Casey (RIP), Red  Zero, Siberians
Owner:Chinook-L
Retired at the beach Asst
Owner:Sibernet-L


Re: Encryption options for DDR

2007-06-13 Thread Alan Altmark
On Wednesday, 06/13/2007 at 09:27 AST, Imler, Steven J 
[EMAIL PROTECTED] wrote:
  z/OS has so much data that should be encrypted and z/VM can use them too, but
  not as friendly as if you were strictly z/OS.
 
  Huh?  Using an encrypting tape drive on z/VM is as easy as specifying the
  key label on ATTACH.
 
 Only if you're willing to completely ignore all of the hardware and
 software PRE-REQs necessary to establish an out-of-band connection.
 Our storage management group (and my z/OS counterparts) thought I had
 lost my mind when I gave them the list.

There has to be a key manager *somewhere*.  z/OS already has one in the 
form of ICSF, but for everyone else there's the Encryption Key Manager 
(EKM).  It can run on Linux (incl. z), Windows, AIX, HP, Sun, or z/OS. 
Once you set up the EKM, all of your encrypting drives can use it.  It's 
not just a VM thing.

But I appreciate that installing an encrypting tape drive is more time 
consuming than a non-encrypting drive for non-z/OS use.  Like everything, 
there's a first-time additional effort.

Alan Altmark
z/VM Development
IBM Endicott


Re: Encryption options for DDR

2007-06-13 Thread Alan Altmark
On Wednesday, 06/13/2007 at 09:31 AST, Michael Coffin 
[EMAIL PROTECTED] wrote:
 Hi Alan,
 
 I wish it were that simple, but aren't there Windows based key-servers
 involved that hold the keys?  One of my concerns is replicating the
 contents of those Winblows key servers (somehow) to your DR site.
 Maybe you can answer this for me, if you have your encrypted tapes but
 no key-servers, is there a way (from a 3270 console) to provide a
 master key/passphrase or something to make the tapes usable/readable?

(I addressed the supported EKM platforms in my previous post.)

A few things to understand:
a. Every tape is encrypted with a randomly generated AES key.
b. The key that was used to encrypt the tape is stored ONLY on the tape, 
not the keystore.
c. The key stored on the tape is itself encrypted (wrapped) with the 
PUBLIC KEY associated with the drive.
d. The paired PRIVATE key is required to decrypt the stored AES key
e. The host (CP's ATTACH command) binds the public/private keypair to the 
drive
f. The tape can record TWO encrypted AES keys

With that in mind, there are four ways to handle DR (this is all discussed 
in the EKM book under Disaster Recovery Site Considerations):
1. Duplicate your own EKM at the DR site.  Just run it in a Linux guest. 
In fact, your Linux guest could be the alternate EKM for your home site. 
(If memory serves, the control unit allows configuration of more than one 
EKM.)

2. Export your keys from your EKM and install them on the DR provider's 
EKM.

3. Import the DR provider's own public key into YOUR EKM.  Specify BOTH 
your key AND the DR provider's key on the ATTACH.

4. Generate another keypair for the DR site.  Specify BOTH your regular 
key AND your DR key on the ATTACH.  Export only the DR keypair from 
your EKM and import it into the DR provider's EKM.

Personally, I like #3 or #4.  That keeps your normal private keys out of 
others' hands.

 By the way, what software is required on z/VM?  I see lot's of
 references in the doc to RACF (which we don't use), but can't tell if
 that's required for this to work or not.   I had access to a TS1120
 recently, but couldn't test it because z/VM 5.3 is the first release to
 support the drive, and that doesn't go GA for a couple of weeks yet.

Not strictly true.  There is an SPE to z/VM 5.2 that allows use of the 
drive's default keys.  z/VM 5.3 is needed if you want to specify the key 
on ATTACH.  There are no dependencies or interaction with RACF or any 
other ESM on z/VM.  If you run the EKM on z/OS, then there are lots of 
z/OS RACF (or equivalent) things to be done if you choose to use ICSF as 
the EKM keystore and/or are using RACF on z/OS to generate the X.509 
certificates.

Alan Altmark
z/VM Development
IBM Endicott
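
The key wrapping in points a-f and DR options 3 and 4 above, as an added Go example that is not part of the original post and is not IBM's EKM code or the TS1120 on-tape format: it models a tape whose random AES data key exists only in wrapped form, under one or two RSA public keys. The type and function names, the labels HOMEKEY and DRKEY, and the choice of AES-GCM with RSA-OAEP are assumptions made for illustration.

```go
// Added illustration only: not the TS1120 tape format or EKM code. All names are hypothetical.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyPair stands in for a keystore entry: a key label and its RSA private key.
type KeyPair struct {
	Label   string
	Private *rsa.PrivateKey
}

// Tape models a cartridge: the encrypted data plus the data key, which is
// present only in wrapped form, one copy per key label (at most two).
type Tape struct {
	Nonce, Ciphertext []byte
	Keys              map[string][]byte // key label -> RSA-OAEP wrapped AES key
}

var ErrNoUsableKey = errors.New("no wrapped key on this tape opens with the supplied key pair")

func NewKeyPair(label string) (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Label: label, Private: priv}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WriteTape encrypts data under a fresh random AES-256 key, then wraps that
// key for each recipient. Only the public half of each KeyPair is used.
func WriteTape(data []byte, to ...*KeyPair) (*Tape, error) {
	if len(to) < 1 || len(to) > 2 {
		return nil, fmt.Errorf("need one or two key labels, got %d", len(to))
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	t := &Tape{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil), Keys: map[string][]byte{}}
	for _, r := range to {
		// The label is bound into the OAEP padding, so a wrapped key cannot be relabelled.
		blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &r.Private.PublicKey, dataKey, []byte(r.Label))
		if err != nil {
			return nil, err
		}
		t.Keys[r.Label] = blob
	}
	return t, nil
}

// ReadTape unwraps the data key with k's private key and decrypts the data.
func ReadTape(t *Tape, k *KeyPair) ([]byte, error) {
	blob, ok := t.Keys[k.Label]
	if !ok {
		return nil, ErrNoUsableKey
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k.Private, blob, []byte(k.Label))
	if err != nil {
		return nil, ErrNoUsableKey
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, t.Nonce, t.Ciphertext, nil)
}

func main() {
	home, err1 := NewKeyPair("HOMEKEY") // constructed labels
	dr, err2 := NewKeyPair("DRKEY")
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	tape, err := WriteTape([]byte("constructed backup data"), home, dr)
	if err != nil {
		panic(err)
	}
	plain, err := ReadTape(tape, dr) // the DR site holds only the DR private key
	fmt.Printf("DR site read %q (err=%v)\n", plain, err)
}
```

A site holding only the DR private key can read the tape, while the home private key never has to leave the home keystore.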


Re: Encryption options for DDR

2007-06-13 Thread Alan Altmark
On Wednesday, 06/13/2007 at 08:56 EST, RPN01 [EMAIL PROTECTED] wrote:
 I like the clean system idea... On the hardware encryption: This would
 assume that your disaster recovery facility had those same encrypting tape
 drives in place, wouldn't it? It would limit your possible recovery sites
 considerably. And even if your DR vendor installed the same drives on one of
 their platforms, what if someone else declares before you, and is already in
 the shell that has your needed tape drives?

I think any limit on DR will be short-lived.  Remember the z/OS 
Encryption Facility?  The demand for encrypted tapes was so strong that we 
chose to develop and release a software product as a stop-gap measure 
until the encrypting 3592s (aka TS1120) were ready.  Even at the WAVV 
conference a few weeks ago, where z/OSers fear to go, there was lots of 
buzz (not by IBM) about the need for the drives.  An amazing number of 
people stopped by the booth and said "We have ours on order."

Now is a good time to ask your DR provider about their plans for 
encrypting tapes.  Maybe that DR contract is up for review?  It's time to 
raise the bar and your expectations of what your DR provider has (Of 
course, we have encrypting 3592s!  Who doesn't?) available in ALL of his 
venues.

Alan Altmark
z/VM Development
IBM Endicott


Re: cp link security

2007-06-13 Thread Schuh, Richard
Wash your mouth out with soap. You shouldn't use dirty words on a
professional list.

Regards, 
Richard Schuh 

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Marcy Cortes
Sent: Tuesday, June 12, 2007 8:09 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: cp link security

yeah, that's just weird david.  next you'll tell us you like doing
things on
z/os or windows!
 

Marcy Cortes


 



From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of David Kreuter
Sent: Tuesday, June 12, 2007 5:37 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] cp link security



What's happened to me? I no longer find RACF on VM that annoying. But I
don't use ISPF so that helps lessen the annoyance.
David

-Original Message-
From: The IBM z/VM Operating System on behalf of David Boyes
Sent: Tue 6/12/2007 4:14 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] cp link security

I'm not completely sure (offsite w/o manuals), but the CP journaling
facility can at least catch failed links. I don't think it will report
on successful links, or allow you to control who can perform a command
-
you need an ESM for that, and all of those are 3rd party (and
expensive,
either in cash (any of the CA products) or annoyance value (RACF)).


Re: cp link security

2007-06-13 Thread Schuh, Richard
Did you mean deprecated?

Regards, 
Richard Schuh 


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Rich Greenberg
Sent: Wednesday, June 13, 2007 7:38 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: cp link security

On: Wed, Jun 13, 2007 at 09:11:26AM -0400,Alan Altmark Wrote:

} On Tuesday, 06/12/2007 at 09:06 AST, Rich Greenberg [EMAIL PROTECTED]

} wrote:
} 
}  And its a trivial CP mod to include the ALL pwd minidisks and some
other
}  exceptions in the accounting data.
}  
}  (No, I don't have the mod, but I am sure somebody on the list can
supply
}  it.  My previous employer used it.)
} 
} Come now, Rich.  Only someone who is knowledgable about CP internals
and 
} is comfortable modifying the system that way would classify such a
thing 
} as trivial.   :-)

Yes Alan,
I suppose your right.  Mods to VM are depreciated these days,  but SES
makes it (relatively) easy to do, and ISTR that the mod consists of
making a conditional branch into either a NOP or an unconditional
branch.

As mods I have done in the past go, *I* consider that one to be trivial.

Peter, how about posting that mod?

-- 
Rich Greenberg  N Ft Myers, FL, USA richgr atsign panix.com  + 1 239 543
1353
Eastern time.  N6LRT  I speak for myself  my dogs only.VM'er since
CP-67
Canines:Val, Red, Shasta  Casey (RIP), Red  Zero, Siberians
Owner:Chinook-L
Retired at the beach Asst
Owner:Sibernet-L


HCPCRC8083I

2007-06-13 Thread James M

I'm getting these messages every two minutes w/records growing
07/06/13 11:42:17  :  11:42:17 HCPCRC8083I ACCOUNTING RECORD THR
ESHOLD HAS BEEN EXCEEDED FOR USERID XXX.
,
07/06/13 11:42:17  CURRENTLY 7980 RECORDS ARE ENQUEUED.

The ID is never logged on - has minidisks that others link to.
I'm wondering what to do and also if I did something wrong - I did
change the account number for this user (and others who link to it) in
the cp directory.

Thanks again...
-James


Re: cp link security

2007-06-13 Thread Schuh, Richard
But who will correct his?

Regards, 
Richard Schuh 


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Rob van der Heij
Sent: Wednesday, June 13, 2007 8:49 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: cp link security

On 6/13/07, Schuh, Richard [EMAIL PROTECTED] wrote:

 Did you mean deprecated?

That's when you want to use it, but it does not work anymore because
the developer got a life.
To me depreciated is when you don't want to use it anymore. :-)
( I just depreciated Fedora on my Linux PC )

/me thinks it's enough if Phil corrects our typos ;-)


Re: HCPCRC8083I

2007-06-13 Thread Rob van der Heij

On 6/13/07, James M [EMAIL PROTECTED] wrote:


I'm getting these messages every two minutes w/records growing
07/06/13 11:42:17  :  11:42:17 HCPCRC8083I ACCOUNTING RECORD THR
ESHOLD HAS BEEN EXCEEDED FOR USERID XXX.
 ,
07/06/13 11:42:17  CURRENTLY 7980 RECORDS ARE ENQUEUED.

The ID is never logged on - has minidisks that others link to.
I'm wondering what to do and also if I did something wrong - I did
change the account number for this user (and others who link to it) in
the cp directory.


Something must have started that userid and made it retrieve account
records. If you don't need it to, you may want to
RECORDING ACCOUNT OFF PURGE QID 
If you let account records queue long enough you will eventually fill
up a CP warmstart.

And you probably should remove the IUCV *ACCOUNT from users who don't
need it...

Rob


Re: HCPCRC8083I

2007-06-13 Thread Schuh, Richard
If you are not retrieving and saving accounting records, turn them off
(CP RECORDING ACCOUNT OFF PURGE). If you do not do that, you are
guaranteed that you will get the threshold exceeded messages very
frequently. The other alternative is to actually retrieve the records.
If you have been doing that, check the console logs for whichever
machine has been recording the data. You may have filled a disk or done
something else to cause it to fail.

Regards, 
Richard Schuh 


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of James M
Sent: Wednesday, June 13, 2007 8:50 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: HCPCRC8083I

I'm getting these messages every two minutes w/records growing
07/06/13 11:42:17  :  11:42:17 HCPCRC8083I ACCOUNTING
RECORD THR
ESHOLD HAS BEEN EXCEEDED FOR USERID XXX.
 ,
07/06/13 11:42:17  CURRENTLY 7980 RECORDS ARE
ENQUEUED.

The ID is never logged on - has minidisks that others link to.
I'm wondering what to do and also if I did something wrong - I did
change the account number for this user (and others who link to it) in
the cp directory.

Thanks again...
-James


Re: cp link security

2007-06-13 Thread Rich Greenberg
On: Wed, Jun 13, 2007 at 08:44:05AM -0700,Schuh, Richard Wrote:

} Did you mean deprecated?

Is that how its spelled?

I said:

} I suppose your right.  Mods to VM are depreciated these days,  but SES

-- 
Rich Greenberg  N Ft Myers, FL, USA richgr atsign panix.com  + 1 239 543 1353
Eastern time.  N6LRT  I speak for myself  my dogs only.VM'er since CP-67
Canines:Val, Red, Shasta  Casey (RIP), Red  Zero, Siberians  Owner:Chinook-L
Retired at the beach Asst Owner:Sibernet-L


Re: cp link security

2007-06-13 Thread Mike Walter
OK... how about More to VM are 'under-appreciated' as an incorrect 
alternative to depreciated (which is what one does in accounting)?

Mike Walter 
Hewitt Associates 
Any opinions expressed herein are mine alone and do not necessarily 
represent the opinions or policies of Hewitt Associates.



Rich Greenberg [EMAIL PROTECTED] 

Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
06/13/2007 11:10 AM
Please respond to
The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU



To
IBMVM@LISTSERV.UARK.EDU
cc

Subject
Re: cp link security






On: Wed, Jun 13, 2007 at 08:44:05AM -0700,Schuh, Richard Wrote:

} Did you mean deprecated?

Is that how its spelled?

I said:

} I suppose your right.  Mods to VM are depreciated these days,  but SES

-- 
Rich Greenberg  N Ft Myers, FL, USA richgr atsign panix.com  + 1 239 543 
1353
Eastern time.  N6LRT  I speak for myself  my dogs only.VM'er since 
CP-67
Canines:Val, Red, Shasta  Casey (RIP), Red  Zero, Siberians 
Owner:Chinook-L
Retired at the beach Asst 
Owner:Sibernet-L



 




Re: cp link security

2007-06-13 Thread Schuh, Richard
It depends on your intended meaning. Both are legitimate words.
Something that loses value over time is an example of depreciation. To
deprecate something, especially in the current context, is to discourage
its use, to frown upon it. 

Regards, 
Richard Schuh 


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Rich Greenberg
Sent: Wednesday, June 13, 2007 9:10 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: cp link security

On: Wed, Jun 13, 2007 at 08:44:05AM -0700,Schuh, Richard Wrote:

} Did you mean deprecated?

Is that how its spelled?

I said:

} I suppose your right.  Mods to VM are depreciated these days,  but
SES

-- 
Rich Greenberg  N Ft Myers, FL, USA richgr atsign panix.com  + 1 239 543
1353
Eastern time.  N6LRT  I speak for myself  my dogs only.VM'er since
CP-67
Canines:Val, Red, Shasta  Casey (RIP), Red  Zero, Siberians
Owner:Chinook-L
Retired at the beach Asst
Owner:Sibernet-L


Re: cp link security

2007-06-13 Thread David Kreuter
I've come this far without liking either one. At least I have a grudging 
admiration for z/os.
David


-Original Message-
From: The IBM z/VM Operating System on behalf of Marcy Cortes
Sent: Tue 6/12/2007 11:08 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] cp link security
 
yeah, that's just weird david.  next you'll tell us you like doing things on
z/os or windows!
 


Re: Software encryption performance was: Encryption options for DDR

2007-06-13 Thread Tom Duerbusch
On a side tangent.

At WAVV, one of the speakers said you never want to do software encryption.  
The performance impact will eat you up.

Of course, I disagree.

In my book, it all depends on how much you want to encrypt.
I'll do it with spare cycles now, and pay for a hardware solution when there is 
a payback.
Your mileage and experiences may differ.

So, when you do software encryption (such as for DDR), how much more processor 
time do you see?  (over a standard DDR disk to tape)
Double?  Triple?  10X?

Tom Duerbusch
THD Consulting


Re: Software encryption performance was: Encryption options for DDR

2007-06-13 Thread Jerry Whitteridge
Let me guess -- the speaker was from a company that provided hardware
encryption solutions ?

Jerry Whitteridge
Safeway Inc
925 951 4184
  

 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Duerbusch
 
 On a side tangent.
 
 At WAVV, one of the speakers said you never want to do 
 software encryption.  The performance impact will eat you up.
 



TCPNJE

2007-06-13 Thread Schuh, Richard
We have success of sorts. The link can now recover from the socket
errors it experiences approximately every 20 minutes when it is not kept
busy. The MVS folks are questioning why these timeouts occur. I see the
same time-outs on a VM to VM link. The network people tell me that MVS
is getting a getpeername socket error.

Is this something that is normal? If not, how do I fix it?

FWIW, our two VM systems have the following RSCS parameters:

ITO=100 (default meaning do not enforce an Inactive Time
Out interval)
KEEPALIV=YES 

The definitions in TCPIP are:

KEEPALIVEOPTIONS
  INTERVAL 20   
  SENDGARBAGE  TRUE 
ENDKEEPALIVEOPTIONS

I find nothing in either TCP/IP or RSCS that specifies a 20 minute
interval for anything.


Regards, 
Richard Schuh 




Re: HCPCRC8083I

2007-06-13 Thread James M

Rob-
I did stop and purge his recording.
I wonder though if purging was the right thing to do. Was that id in
fact collecting system accounting info rather than the designated
system id and if so have I now lost that info for the time in
question?
-James

On 6/13/07, Rob van der Heij [EMAIL PROTECTED] wrote:

On 6/13/07, James M [EMAIL PROTECTED] wrote:

 I'm getting these messages every two minutes w/records growing
 07/06/13 11:42:17  :  11:42:17 HCPCRC8083I ACCOUNTING RECORD 
THR
 ESHOLD HAS BEEN EXCEEDED FOR USERID XXX.
  ,
 07/06/13 11:42:17  CURRENTLY 7980 RECORDS ARE 
ENQUEUED.

 The ID is never logged on - has minidisks that others link to.
 I'm wondering what to do and also if I did something wrong - I did
 change the account number for this user (and others who link to it) in
 the cp directory.

Something must have started that userid and made it retrieve account
records. If you don't need it to, you may want to
 RECORDING ACCOUNT OFF PURGE QID 
If you let account records queue long enough you will eventually fill
up a CP warmstart.

And you probably should remove the IUCV *ACCOUNT from users who don't
need it...

Rob



Re: Software encryption performance was: Encryption options for DDR

2007-06-13 Thread Dave Jones

Hi, Tom.

Tom Duerbusch wrote:

On a side tangent.

At WAVV, one of the speakers said you never want to do software
encryption.  The performance impact will eat you up.

Of course, I disagree.



As do I...


In my book, it all depends on how much you want to encrypt. I'll do
it with spare cycles now, and pay for a hardware solution when there
is a payback. Your mileage and experiences may differ.

So, when you do software encryption (such as for DDR), how much more
processor time do you see?  (over a standard DDR disk to tape) 
Double?  Triple?  10X?




It depends (tm, B. Bitner) on the encryption algorithm you choose to 
use (DES, TDES, AES, etc.), whether chaining is used or not, how well 
the algorithm was coded (in assembler?, a HLL?), and whether or not the 
actual hardware supports the new cipher instructions (KM, KMC) IBM 
makes available for the new zSeries boxes, and the encryption software 
takes advantage of them.


The variations I have seen to date are in the range of 3x to 5x more 
processing needed for software over hardware... your mileage will vary, 
of course.



Tom Duerbusch THD Consulting


--
DJ
V/Soft


Re: HCPCRC8083I

2007-06-13 Thread Schuh, Richard
Any id that has the proper authority (privilege class A, B, C, E, or F)
can enter a RECORDING command and start receiving data from any of the
many services (EREP, Monitor, etc.). Until recording for that id is
stopped, it will continue to have records queued for it to retrieve.
More than one machine can retrieve the records. If your normal recording
id is up and running, you should be OK. You can use the QUERY RECORDING
command to determine the current state.   

Regards, 
Richard Schuh 


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of James M
Sent: Wednesday, June 13, 2007 10:20 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: HCPCRC8083I

Rob-
I did stop and purge his recording.
I wonder though if purging was the right thing to do. Was that id in
fact collecting system accounting info rather than the designated
system id and if so have I now lost that info for the time in
question?
-James

On 6/13/07, Rob van der Heij [EMAIL PROTECTED] wrote:
 On 6/13/07, James M [EMAIL PROTECTED] wrote:

  I'm getting these messages every two minutes w/records growing
  07/06/13 11:42:17  :  11:42:17 HCPCRC8083I
ACCOUNTING RECORD THR
  ESHOLD HAS BEEN EXCEEDED FOR USERID XXX.
   ,
  07/06/13 11:42:17  CURRENTLY 7980 RECORDS
ARE ENQUEUED.
 
  The ID is never logged on - has minidisks that others link to.
  I'm wondering what to do and also if I did something wrong - I did
  change the account number for this user (and others who link to it)
in
  the cp directory.

 Something must have started that userid and made it retrieve account
 records. If you don't need it to, you may want to
  RECORDING ACCOUNT OFF PURGE QID 
 If you let account records queue long enough you will eventually fill
 up a CP warmstart.

 And you probably should remove the IUCV *ACCOUNT from users who don't
 need it...

 Rob



Re: Software encryption performance was: Encryption options for DDR

2007-06-13 Thread Tom Duerbusch
Thanks Dave

About 5X is about what I was expecting.  Doable..

I have a Linux guest as a GPG encryption server.  So far, low volume (a few 
MB/day).
I ftp a file to be encrypted from VSE to zLinux, and then do a REXEC to start 
the process.

Linux encrypts the data based on the type passed by REXEC.
When done, it then ftp the data to the selected remote site over the public 
internet.

Obviously, those that are doing tapes have a greater load.  I wanted to get a 
feel on how my process, scales up to offsite tapes.

One of the negatives for this, is the disaster recovery requirement then has to 
include my zLinux GPG machine in order to reverse the process.

Encrypting tape drives are the preferred solution. 
But that is another day, another dollar (or tens of thousand dollars).

Software encryption will get me by for now.

Tom Duerbusch
THD Consulting

 Dave Jones [EMAIL PROTECTED] 6/13/2007 12:23 PM 
Hi, Tom.

Tom Duerbusch wrote:
 On a side tangent.
 
 At WAVV, one of the speakers said you never want to do software
 encryption.  The performance impact will eat you up.
 
 Of course, I disagree.
 

As do I...

 In my book, it all depends on how much you want to encrypt. I'll do
 it with spare cycles now, and pay for a hardware solution when there
 is a payback. Your mileage and experiences may differ.
 
 So, when you do software encryption (such as for DDR), how much more
 processor time do you see?  (over a standard DDR disk to tape) 
 Double?  Triple?  10X?


It depends (tm, B. Bitner) on the encryption algorithm you choose to 
use (DES, TDES, AES, etc.), whether chaining is used or not, how well 
the algorithm was coded (in assembler?, a HLL?), and whether or not the 
actual hardware supports the new cipher instructions (KM, KMC) IBM 
makes available for the new zSeries boxes, and the encryption software 
takes advantage of them.

The variations I have seen to date are in the range of 3x to 5x more 
processing needed for software over hardware... your mileage will vary, 
of course.

 Tom Duerbusch THD Consulting

-- 
DJ
V/Soft


Re: HCPCRC8083I

2007-06-13 Thread James M

q recording shows that account is on for the designated system id and
off for the rogue id.
It seems that the issue may have started with a retrieve command being
issued on the rogue id. That id is and always has been a class g user.
It did at one point have iucv *account authority.
How can a class g user get into trouble like that?
-James

On 6/13/07, Schuh, Richard [EMAIL PROTECTED] wrote:

Any id that has the proper authority (privilege class A, B, C, E, or F)
can enter a RECORDING command and start receiving data from any of the
many services (EREP, Monitor, etc.). Until recording for that id is
stopped, it will continue to have records queued for it to retrieve.
More than one machine can retrieve the records. If your normal recording
id is up and running, you should be OK. You can use the QUERY RECORDING
command to determine the current state.

Regards,
Richard Schuh


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of James M
Sent: Wednesday, June 13, 2007 10:20 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: HCPCRC8083I

Rob-
I did stop and purge his recording.
I wonder though if purging was the right thing to do. Was that id in
fact collecting system accounting info rather than the designated
system id and if so have I now lost that info for the time in
question?
-James

On 6/13/07, Rob van der Heij [EMAIL PROTECTED] wrote:
 On 6/13/07, James M [EMAIL PROTECTED] wrote:

  I'm getting these messages every two minutes w/records growing
  07/06/13 11:42:17  :  11:42:17 HCPCRC8083I
ACCOUNTING RECORD THR
  ESHOLD HAS BEEN EXCEEDED FOR USERID XXX.
   ,
  07/06/13 11:42:17  CURRENTLY 7980 RECORDS
ARE ENQUEUED.
 
  The ID is never logged on - has minidisks that others link to.
  I'm wondering what to do and also if I did something wrong - I did
  change the account number for this user (and others who link to it)
in
  the cp directory.

 Something must have started that userid and made it retrieve account
 records. If you don't need it to, you may want to
  RECORDING ACCOUNT OFF PURGE QID 
 If you let account records queue long enough you will eventually fill
 up a CP warmstart.

 And you probably should remove the IUCV *ACCOUNT from users who don't
 need it...

 Rob




Re: Software encryption performance was: Encryption options for DDR

2007-06-13 Thread Eric Schadow
At 01:14 PM 6/13/2007, you wrote:
On a side tangent.

At WAVV, one of the speakers said you never want to do software encryption.
The performance impact will eat you up.

Of course, I disagree.

In my book, it all depends on how much you want to encrypt.
I'll do it with spare cycles now, and pay for a hardware solution when
there is a payback.
Your mileage and experiences may differ.

So, when you do software encryption (such as for DDR), how much more
processor time do you see?  (over a standard DDR disk to tape)
Double?  Triple?  10X?

My guess is s/w encryption will take several times more processor. Remember 
that the data has to be compressed first before it is encrypted. Encrypted data 
does not compress well, if at all...

Try turning on VSAM compression on an IDCAMS backup and see how much more cpu 
is used just to compress the data...




Tom Duerbusch
THD Consulting

Eric Schadow
Mainframe Technical Support
www.davisvision.com 
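
Added example, not part of the original message: the ordering point above (compress first, because encrypted data does not compress) measured on constructed data. The SHA-256 counter keystream is an assumed stand-in for a real cipher, used only because its output looks random; the 80-byte sample records and all function names are made up for this illustration.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream.

    Stand-in for a real cipher (assumption of this example). It only has to
    make the output look random, which is what defeats compression.
    Not suitable for protecting real data.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    n = len(data)
    # XOR the two byte strings as big integers; fine for a few hundred KB.
    mixed = int.from_bytes(data, "big") ^ int.from_bytes(stream[:n], "big")
    return mixed.to_bytes(n, "big")


def sample_backup(records: int = 2500) -> bytes:
    """Constructed sample input: fixed-width 80-byte records, as on a dump tape."""
    rows = []
    for i in range(records):
        rows.append(f"{i:08d} PAYROLL DEPT{i % 7:02d} STATUS=ACTIVE".ljust(80))
    return "".join(rows).encode("ascii")


def compress_then_encrypt(data: bytes, key: bytes) -> bytes:
    """The order recommended in the thread: shrink first, then encrypt."""
    return keystream_xor(key, zlib.compress(data))


def encrypt_then_compress(data: bytes, key: bytes) -> bytes:
    """The wrong order: the compressor sees random-looking bytes."""
    return zlib.compress(keystream_xor(key, data))


def restore(blob: bytes, key: bytes) -> bytes:
    """Reverse compress_then_encrypt: decrypt, then decompress."""
    return zlib.decompress(keystream_xor(key, blob))


def compare_orderings(data: bytes, key: bytes) -> dict:
    """Return the byte counts that would go to tape for each ordering."""
    return {
        "plain": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(data, key)),
        "encrypt_then_compress": len(encrypt_then_compress(data, key)),
    }


if __name__ == "__main__":
    demo_key = b"constructed demo key"
    for name, size in compare_orderings(sample_backup(), demo_key).items():
        print(f"{name:24s} {size:8d} bytes")
```

Compressing first also means the cipher has fewer bytes to process, so the extra CPU spent on compression is partly paid back in the encryption step.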








Re: Software encryption performance was: Encryption options for DDR

2007-06-13 Thread Tom Duerbusch
I can't really remember.  All the sessions seem to merge together in my memory.

But I seem to think it was a general session on encryption (I hit a lot of 
encryption and disaster recovery sessions) and he said not to do encryption 
without buying the encryption processor for your mainframe.

I don't know if my shops tend to be so small, they can be easily disregarded.  
Or some of the WAVV speakers were focused on BIG shops (z/OS with multiple 
engines), but some of them needed to talk to the WAVV size shops.

For example, I asked one guy (a speaker on CICS/TS) about virtual storage 
requirements for CICS/TS.  (This past weekend we moved 400 users to CICS/TS, 
which only had 7 users prior to this.)  His opinion was the minimum virtual 
storage you should give to CICS/TS was 2 GB.  HUH?

Our production CICS/VS 2.3 system, with 2,000 users is running in a 30 MB 
partition and our programs there are all 24 bit.  I didn't say it ran well.  At 
peak times we would do 15 storage compressions per hour.

But parsing what he didn't say, I found my answer.  Which was that CICS/TS as 
delivered by VSE has no tuning absolutely necessary.  Sure you might have 
storage compressions (we didn't), but it won't stop CICS/TS, it may just slow 
it down.  My only problem in the last 2.5 days was I didn't redefine the temp 
stor dataset.  The default 9 tracks wasn't sufficient.  CICS/TS issued the 
first warning about 10 am, which gave me time to research and prep.  And at 
11:30 am we finally froze up.  Forced off CICS/TS, redefined tempstor to 50 
cylinders with 10 cylinders secondary, forced a cold start and back up, all 
within 10 minutes.  Not bad for our only production outage for this conversion.

Ooops, went off on a tangent.

Back to the real world.

Tom Duerbusch
THD Consulting

 Jerry Whitteridge [EMAIL PROTECTED] 6/13/2007 12:18 PM 
Let me guess -- the speaker was from a company that provided hardware
encryption solutions ?

Jerry Whitteridge
Safeway Inc
925 951 4184
  

 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Duerbusch
 
 On a side tangent.
 
 At WAVV, one of the speakers said you never want to do 
 software encryption.  The performance impact will eat you up.
 



Re: Mini-survey: Linux usability

2007-06-13 Thread RPN01
Actually, your zVM doesn't even need FTPSERVE up; you only need the FTP
client, which doesn't depend on the server at all to go out to another box.

So the list is reduced to z/VM, TCP/IP and the FTP program, plus CMSDDR, if
that is needed to deconstruct the package.

Setting up an FTP / NFS server was one of the first things we did, and we
serve all of the files from there by loopback mounting the various ISO
files. With the advent of the DVD ISOs, we can use NFS for the installs;
prior to that, having the various CDs loopback mounted confuses NFS, because
it won't cross a filesystem boundary, so we could only use FTP. In any case,
getting this install server up and running saved a lot of future effort.

For a beginning site, being able to lay down this server from DDR would be a
huge help. The issues would revolve around the customization of this image
once it was laid down, such as changing its IP address to fit into the local
network. Making sure it was built on globally available DASD (such as being
sized for 3390 mod 3's) would help for the sites that have no defined mod 9
or 27 devices.

I can see where giving the mainframer who is new to Linux an initial,
running system, with the ability to support the creation of additional
images, would be very helpful. I wish it had been available when I started
doing this...

-- 
   .~.Robert P. Nix Mayo Foundation
   /V\RO-OE-5-55  200 First Street SW
 / ( ) \  507-284-0844   Rochester, MN 55905
^^-^^   - 
In theory, theory and practice are the same, but
 in practice, theory and practice are different.
"Join the story... Ride Ural."




On 6/13/07 8:40 AM, Mike Walter [EMAIL PROTECTED] wrote:

 
 Maybe not addressed to the most-affected list, but IBMVM subscribers are
 affected, too.  Especially those getting into Linux for System z for the first
 time.  It took us around a year to get the first P.O.C. server installed
 because our Internet Security group would not permit a CD drive on anyone's PC
 to be connected to the mainframe LAN - not even for the time it takes to
 copy the ISO images.
 
 Eventually we received a DDR copy to tape of a running Linux FTP server which
 we quickly restored in our VM system, and by jumping through extensive hoops
 (inserting the CDs on a Linux blade server, then mounting them on USS in z/OS,
 and then again mounting them on the new Linux for System z FTP server to
 actually begin the installation).  What a nightmare and what an absolute waste
 of time to begin a P.O.C (all in the name of security!).
 
 I began suggesting the following in July of 2006.  Thus far there has been
 little-to-no response...
 If Novell wants to play in the z/VM market, they should provide an easy way
 for existing z/VM customers to download a stripped-down SLES FTP server using
 tools that every z/VM customer already has available: the z/VM TCP/IP FTPSERVE
 server, and (admittedly something requiring a download from the IBM VM
 Download site): the CMSDDR package.
 
 The new-to-Linux on System z customer could run CMSDDR to download a running
 Linux FTP server, bring that up, follow rather simple instructions to
 customize it for their network, and then bring it up.  Novell could also
 supply access to the ISO images such that they could be downloaded directly
 through either the CMS FTPSERVE svm, and/or, the newly installed bare-bones
 SLES FTP server.  There would  be no need to permit access from someone's CD
 or DVD drive to the mainframe network, and... no need to go through MS
 Windows to perform the downloads... ugh!
 
 Before Mark Post moved to Novell, perhaps there were insufficient z/VM skills
 to make this or other ease/speed-of-installation techniques available at
 Novell.  Now there may be a light shining at the end of the tunnel?
 
 Mike Walter  
 Hewitt Associates
 Any opinions expressed herein are mine alone and do not necessarily represent
 the opinions or policies of Hewitt Associates.
 
 
 
 Rod [EMAIL PROTECTED]
 Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
 06/13/2007 02:08 AM
 Please respond to: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
 To: IBMVM@LISTSERV.UARK.EDU
 Subject: Re: Mini-survey: Linux usability
 
 
 
 
 When I first got my mitts on this stuff I had awful trouble getting
 anything working until Rob walked down the corridor and helped me out.
 We then had a series of discussions concerning a bog-standard DDR
 image that would get people up and running.
 
 That was nearly 10 years ago. Given the recent discussion about having
 to send notes to Novell to generate sufficient interest to get
 something similar, it depresses me to see just how far things have
 come in 10 years.
 
 --
 Rod (Moan over - back to fixing Access dBs (sigh)...)
 
 
 
 

Re: HCPCRC8083I

2007-06-13 Thread RPN01
Check the 191 disk for userid  and see if it's full. If so,
archive (or just delete) the data files there and autolog it to clean out
the backlog of accounting data.

-- 
   .~.Robert P. Nix Mayo Foundation
   /V\RO-OE-5-55200 First Street SW
  /( )\   507-284-0844  Rochester, MN 55905
  ^^-^^   - 
In theory, theory and practice are the same, but
 in practice, theory and practice are different.




On 6/13/07 10:49 AM, James M [EMAIL PROTECTED] wrote:

 I'm getting these messages every two minutes w/records growing
 07/06/13 11:42:17  :  11:42:17 HCPCRC8083I ACCOUNTING RECORD
 THR
 ESHOLD HAS BEEN EXCEEDED FOR USERID XXX.
  ,
 07/06/13 11:42:17  CURRENTLY 7980 RECORDS ARE
 ENQUEUED.
 
 The ID is never logged on - has minidisks that others link to.
 I'm wondering what to do and also if I did something wrong - I did
 change the account number for this user (and others who link to it) in
 the cp directory.
 
 Thanks again...
 -James


Re: HCPCRC8083I

2007-06-13 Thread Schuh, Richard
The RECORDING command allows an authorized user to turn recording on for
another userid. The rogue id will show up in the responses until an IPL.

Regards, 
Richard Schuh 


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of James M
Sent: Wednesday, June 13, 2007 10:43 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: HCPCRC8083I

q recording shows that account is on for the designated system id and
off for the rogue id.
It seems that the issue may have started with a retrieve command being
issued on the rogue id. That id is and always has been a class g user.
It did at one point have iucv *account authority.
How can a class g user get into trouble like that?
-James

On 6/13/07, Schuh, Richard [EMAIL PROTECTED] wrote:
 Any id that has the proper authority (privilege class A, B, C, E, or
F)
 can enter a RECORDING command and start receiving data from any of the
 many services (EREP, Monitor, etc.). Until recording for that id is
 stopped, it will continue to have records queued for it to retrieve.
 More than one machine can retrieve the records. If your normal
recording
 id is up and running, you should be OK. You can use the QUERY
RECORDING
 command to determine the current state.

 Regards,
 Richard Schuh


 -Original Message-
 From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED]
On
 Behalf Of James M
 Sent: Wednesday, June 13, 2007 10:20 AM
 To: IBMVM@LISTSERV.UARK.EDU
 Subject: Re: HCPCRC8083I

 Rob-
 I did stop and purge his recording.
 I wonder though if purging was the right thing to do. Was that id in
 fact collecting system accounting info rather than the designated
 system id and if so have I now lost that info for the time in
 question?
 -James

 On 6/13/07, Rob van der Heij [EMAIL PROTECTED] wrote:
  On 6/13/07, James M [EMAIL PROTECTED] wrote:
 
   I'm getting these messages every two minutes w/records growing
   07/06/13 11:42:17  :  11:42:17 HCPCRC8083I
 ACCOUNTING RECORD THR
   ESHOLD HAS BEEN EXCEEDED FOR USERID XXX.
,
   07/06/13 11:42:17  CURRENTLY 7980 RECORDS
 ARE ENQUEUED.
  
   The ID is never logged on - has minidisks that others link to.
   I'm wondering what to do and also if I did something wrong - I did
   change the account number for this user (and others who link to
it)
 in
   the cp directory.
 
  Something must have started that userid and made it retrieve account
  records. If you don't need it to, you may want to
   RECORDING ACCOUNT OFF PURGE QID 
  If you let account records queue long enough you will eventually
fill
  up a CP warmstart.
 
  And you probably should remove the IUCV *ACCOUNT from users who
don't
  need it...
 
  Rob
 



Re: Mini-survey: Linux usability

2007-06-13 Thread David Boyes
 I can see where giving the mainframer who is new to Linux an initial,
running system, with 
 the ability to support the creation of additional images, would be
very helpful. I wish it 
 had been available when I started doing this...

Done (yes, both RH and Novell).

Now it's a question of convincing the distributors to make it available
...

-- db


Re: Encryption options for DDR

2007-06-13 Thread Thomas Kern
And how do you change the encryption key for each tape drive? Talk to z/OS
keymanager? Don't change keys? 

/Tom Kern

--- Alan Altmark [EMAIL PROTECTED] wrote:

 On Tuesday, 06/12/2007 at 04:11 MST, Thomas Kern [EMAIL PROTECTED] 
 wrote:
 
  The hardware solution of encrypted tape drives is pushed a lot because 
 z/OS has
  so much data that should be encrypted and z/VM can use them too, but not 
 as
  friendly as if you were strictly z/OS. 
 
 Huh?  Using an encrypting tape drive on z/VM is as easy as specifying the 
 key label on ATTACH.
 
  What I haven't figured out about them is
  how to prove to the security auditors that the data is REALLY encrypted.
 
 Quoting some news articles on the web, IBM is in the process of having the 
 TS1120 FIPS 140-2 certified.
 
 Alan Altmark
 z/VM Development
 IBM Endicott
 



 



Re: Linux question

2007-06-13 Thread Thomas Kern
If I ran any system that accepted arbitrary files from untrusted sources that
are then sent to other destinations (i.e. email server), I would definitely use a
virus scanner. Our email gateway has eliminated a great portion of our virus
problems by filtering all incoming email. For systems where I get known types
of files from known, trusted sources, I don't feel that much of a need to scan
all files, all the time.

/Tom Kern

--- David Boyes [EMAIL PROTECTED] wrote:
 To anyone running Linux under z/VM is it normal for companies to want to
 run a virus scan product when it's on the mainframe? I'm more familiar
 with the z/OS world and I know we don't run any on that side of the
 shop. Thanks 
 
 Many do. It's a complete waste of cycles, but many sites answer with if
 it's Linux, it needs to be consistent with the Intel deployment - even
 though it's a completely different processor architecture and compiled
 binaries for viruses don't work.
 
 Pick your arguments, and this is one where you can profitably let it
 pass. There are good open-source ones (such as clam-av), and just say
 yep, we've already got that covered, it's in the package *at no extra
 charge*, including automatic updates. 
 
 One less thing for the objectors to wheeze about. 
 



   



Re: TCPNJE

2007-06-13 Thread Rich Greenberg
On: Wed, Jun 13, 2007 at 10:18:21AM -0700,Schuh, Richard Wrote:

} The definitions in TCPIP are:
} 
}   KEEPALIVEOPTIONS
} INTERVAL 20   
} SENDGARBAGE  TRUE 
}   ENDKEEPALIVEOPTIONS
} 
} I find nothing in either TCP/IP or RSCS that specifies a 20 minute
} interval for anything.

Well, one thing that jumps up would seem to be:

} INTERVAL 20   

Eh?

-- 
Rich Greenberg  N Ft Myers, FL, USA richgr atsign panix.com  + 1 239 543 1353
Eastern time.  N6LRT  I speak for myself  my dogs only.VM'er since CP-67
Canines:Val, Red, Shasta  Casey (RIP), Red  Zero, Siberians  Owner:Chinook-L
Retired at the beach Asst Owner:Sibernet-L


Re: Encryption options for DDR

2007-06-13 Thread Alan Altmark
On Wednesday, 06/13/2007 at 12:25 MST, Thomas Kern [EMAIL PROTECTED] 
wrote:
 And how do you change the encryption key for each tape drive? Talk to 
z/OS
 keymanager? Don't change keys?

Tom, were your questions answered by the later discussions about the 
Encryption Key Manager?

Alan Altmark
z/VM Development
IBM Endicott


Re: TCPNJE

2007-06-13 Thread Schuh, Richard
That is 20 seconds, not 20 minutes. That jumped out and bit me, too :-)

Regards, 
Richard Schuh 


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Rich Greenberg
Sent: Wednesday, June 13, 2007 1:25 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: TCPNJE

On: Wed, Jun 13, 2007 at 10:18:21AM -0700,Schuh, Richard Wrote:

} The definitions in TCPIP are:
} 
}   KEEPALIVEOPTIONS
} INTERVAL 20   
} SENDGARBAGE  TRUE 
}   ENDKEEPALIVEOPTIONS
} 
} I find nothing in either TCP/IP or RSCS that specifies a 20 minute
} interval for anything.

Well, one thing that jumps up would seem to be:

} INTERVAL 20   

Eh?

-- 
Rich Greenberg  N Ft Myers, FL, USA richgr atsign panix.com  + 1 239 543
1353
Eastern time.  N6LRT  I speak for myself  my dogs only.VM'er since
CP-67
Canines:Val, Red, Shasta  Casey (RIP), Red  Zero, Siberians
Owner:Chinook-L
Retired at the beach Asst
Owner:Sibernet-L


Re: TCPNJE

2007-06-13 Thread Alan Altmark
On Wednesday, 06/13/2007 at 10:18 MST, Schuh, Richard [EMAIL PROTECTED] 
wrote:
 We have success of sorts. The link can now recover from the socket errors it
 experiences approximately every 20 minutes when it is not kept busy. The MVS
 folks are questioning why these timeouts occur. I see the same time-outs on a
 VM to VM link. The network people tell me that MVS is getting a "getpeername"
 socket error.
 
 Is this something that is normal? If not, how do I fix it?

The 20 minute timeout is likely because of your keepalive interval.  Try 
changing it to SENDGARBAGE FALSE.  Some IP implementations aren't happy 
with ill-formed TCP packets and z/OS or an intervening firewall may well 
believe it to be an attack of some sort and close the connection. 

Packet traces are, of course, de rigueur to solve such problems.

Alan Altmark
z/VM Development
IBM Endicott


Re: TCPNJE

2007-06-13 Thread Rich Greenberg
On: Wed, Jun 13, 2007 at 01:59:13PM -0700,Schuh, Richard Wrote:

} That is 20 seconds, not 20 minutes. That jumped out and bit me, too :-)

OK, it was just a WAG.  :-)

-- 
Rich Greenberg  N Ft Myers, FL, USA richgr atsign panix.com  + 1 239 543 1353
Eastern time.  N6LRT  I speak for myself  my dogs only.VM'er since CP-67
Canines:Val, Red, Shasta  Casey (RIP), Red  Zero, Siberians  Owner:Chinook-L
Retired at the beach Asst Owner:Sibernet-L


Re: Encryption options for DDR

2007-06-13 Thread Thomas Kern
I think they are answered by the stuff about using your installation's key and
the DR vendor's key on the ATTACH command.

/Tom Kern

--- Alan Altmark [EMAIL PROTECTED] wrote:

 On Wednesday, 06/13/2007 at 12:25 MST, Thomas Kern [EMAIL PROTECTED] 
 wrote:
  And how do you change the encryption key for each tape drive? Talk to 
 z/OS
  keymanager? Don't change keys?
 
 Tom, were your questions answered by the later discussions about the 
 Encryption Key Manager?
 
 Alan Altmark
 z/VM Development
 IBM Endicott
 



  



Re: TCPNJE

2007-06-13 Thread Schuh, Richard
We have tried sendgarbage both ways and it did not affect the timeout.
In the TCP/IP Keepalive options, the interval 20 is 20 seconds, not 20
minutes, so that is not too likely a suspect unless there is a 60
consecutive intervals limit buried someplace else.

Regards, 
Richard Schuh 


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Alan Altmark
Sent: Wednesday, June 13, 2007 2:06 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: TCPNJE

On Wednesday, 06/13/2007 at 10:18 MST, Schuh, Richard [EMAIL PROTECTED]
wrote:
 We have success of sorts. The link can now recover from the socket errors it
 experiences approximately every 20 minutes when it is not kept busy. The MVS
 folks are questioning why these timeouts occur. I see the same time-outs on a
 VM to VM link. The network people tell me that MVS is getting a "getpeername"
 socket error.
 
 Is this something that is normal? If not, how do I fix it?

The 20 minute timeout is likely because of your keepalive interval.  Try
changing it to SENDGARBAGE FALSE.  Some IP implementations aren't happy
with ill-formed TCP packets and z/OS or an intervening firewall may well
believe it to be an attack of some sort and close the connection.

Packet traces are, of course, de rigueur to solve such problems.

Alan Altmark
z/VM Development
IBM Endicott


Re: TCPNJE

2007-06-13 Thread David Boyes
 We have tried sendgarbage both ways and it did not affect the timeout.
 In the TCP/IP Keepalive options, the interval 20 is 20 seconds, not
20
 minutes, so that is not too likely a suspect unless there is a 60
 consecutive intervals limit buried someplace else.

I think you might have said earlier, but is there any chance this
traffic is passing through a firewall somehow? 20 minutes for idle
connection RSET is the default setting for most of the mainstream
firewall servers like the PIX and Nortel equivalent. 


Re: Linux question

2007-06-13 Thread Paul Raulerson
Not really, no. 

There are few virii that can infect z/Linux systems to begin with, and they
are much more vulnerable to Trojans, worms, and other types of exploits. 

There are two general exceptions though; if your z/Linux instance is acting
as an e-mail server or if it is acting as a Windows SMB or NFS file server.
In those cases, there are some serious advantages to running a virus scan
product. 

-Paul

 

 

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 13, 2007 6:26 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Linux question

 


To anyone running Linux under z/VM is it normal for companies to want to run
a virus scan product when it's on the mainframe? I'm more familiar with the
z/OS world and I know we don't run any on that side of the shop. Thanks 

Andy 
Internet: Mailto:[EMAIL PROTECTED]



Re: Mini-survey: Linux usability

2007-06-13 Thread Paul Raulerson
Yowza.

A couple other options you might have used are:

Ask the BladeServer people to mount the ISO images on the bladeserver and
either share them via NFS (easiest way) or else make them available over
FTP.  Then use z/VM FTP to put the files necessary to IPL Linux on the Linux
guest 191 drive (SLES9.PARM, SLES9.IMITRD, SLES9.IMAGE)

Or, if the z/VM instance was allowed to access the internet, once you IPL'ed
as above, you could have downloaded the rest of the install over the
internet. Slow, but it works.

Or if worse came to worse, you could have used the DVD drive on the
console, if you have one. :-)

If I had realized, we could have sent you a starter image.  Sorry if I
missed the request.

-Paul

 

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Mike Walter
Sent: Wednesday, June 13, 2007 8:41 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Mini-survey: Linux usability

 


Maybe not addressed to the most-affected list, but IBMVM subscribers are
affected, too.  Especially those getting into Linux for System z for the
first time.  It took us around a year to get the first P.O.C. server
installed because our Internet Security group would not permit a CD drive on
anyone's PC to be connected to the mainframe LAN - not even for the time
it takes to copy the ISO images. 

Eventually we received a DDR copy to tape of a running Linux FTP server
which we quickly restored in our VM system, and by jumping through extensive
hoops (inserting the CDs on a Linux blade server, then mounting them on USS
in z/OS, and then again mounting them on the new Linux for System z FTP
server to actually begin the installation).  What a nightmare and what an
absolute waste of time to begin a P.O.C (all in the name of security!). 

I began suggesting the following in July of 2006.  Thus far there has been
little-to-no response... 
If Novell wants to play in the z/VM market, they should provide an easy way
for existing z/VM customers to download a stripped-down SLES FTP server
using tools that every z/VM customer already has available: the z/VM TCP/IP
FTPSERVE server, and (admittedly something requiring a download from the IBM
VM Download site): the CMSDDR package.   

The new-to-Linux on System z customer could run CMSDDR to download a running
Linux FTP server, bring that up, follow rather simple instructions to
customize it for their network, and then bring it up.  Novell could also
supply access to the ISO images such that they could be downloaded directly
through either the CMS FTPSERVE svm, and/or, the newly installed bare-bones
SLES FTP server.  There would  be no need to permit access from someone's CD
or DVD drive to the mainframe network, and... no need to go through MS
Windows to perform the downloads... ugh! 

Before Mark Post moved to Novell, perhaps there were insufficient z/VM
skills to make this or other ease/speed-of-installation techniques available
at Novell.  Now there may be a light shining at the end of the tunnel? 

Mike Walter 
Hewitt Associates   
Any opinions expressed herein are mine alone and do not necessarily
represent the opinions or policies of Hewitt Associates. 





Rod [EMAIL PROTECTED]
Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
06/13/2007 02:08 AM
Please respond to: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Mini-survey: Linux usability

 






When I first got my mitts on this stuff I had awful trouble getting
anything working until Rob walked down the corridor and helped me out.
We then had a series of discussions concerning a bog-standard DDR
image that would get people up and running.

That was nearly 10 years ago. Given the recent discussion about having
to send notes to Novell to generate sufficient interest to get
something similar, it depresses me to see just how far things have
come in 10 years.

--
Rod (Moan over - back to fixing Access dBs (sigh)...)






Re: TCPNJE

2007-06-13 Thread Schuh, Richard
Interesting thought. Isn't the keepalive packet supposed to prevent that
from being a problem?

Regards, 
Richard Schuh 


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of David Boyes
Sent: Wednesday, June 13, 2007 2:30 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: TCPNJE

 We have tried sendgarbage both ways and it did not affect the timeout.
 In the TCP/IP Keepalive options, the interval 20 is 20 seconds, not
20
 minutes, so that is not too likely a suspect unless there is a 60
 consecutive intervals limit buried someplace else.

I think you might have said earlier, but is there any chance this
traffic is passing through a firewall somehow? 20 minutes for idle
connection RSET is the default setting for most of the mainstream
firewall servers like the PIX and Nortel equivalent. 


Re: TCPNJE

2007-06-13 Thread David Boyes
 Interesting thought. Isn't the keepalive packet supposed to prevent
that
 from being a problem?

In theory, yes, but some firewalls try to be smart and look for simple
repetitive traffic. 

A traceroute to determine a good sample of exactly how the packets are
traversing the network might be a good next step. Then at least you'd
have some idea of how A gets to B, and what might be in between. 

You might also try turning on the NJE keepalive -- wastes a little
bandwidth, but that *definitely* doesn't look like repetitive traffic
generated by J Random ScriptKiddie.