Re: 3590 tape drive support in zLinux/zVM?
Quoting Schuh, Richard [EMAIL PROTECTED]: And for those, you might look at VSSI's VTAPE product. It can use a virtual tape for SPXTAPE. It might be cheaper than a tape drive (+ controller + cables + maintenance contract). I don't know what size your system is, but the VSSI products are priced based on MSU. You can check their website http://vsoftsys.com/ for information. Regards, Richard Schuh Don't forget Dave Jones' posting from last week: Can't use SPXTAPE dump as we have no tape drives attached to either of the VM systems. Is there a way to save the DCSSes and NSSes without a tape drive? Yup, there sure is we've got a freebie spool file backup/restore utility that can backup (to CMS files) and restore all types of spool files; DCSS, NSS, NLS, IMG, UCR, and unit record (PRT, PUN, RDR). Drop me a note off list if you'd like a copy of this free utility. (It sounds great to me, but we already have that functionality as part of the V/Spool commercial product) He is at www.vsoft-software.com - sorry I can't show an email address, but the archive hides them. Shimon
Re: 3590 tape drive support in zLinux/zVM?
Quoting Schuh, Richard [EMAIL PROTECTED]: [snip] For some reason this post came in right justified and reversed right-to-left. Is this a side-effect of writing in Hebrew mode, Shimon? If so, it's really cool. Easily amused today, -- db
Re: Security Updates
LOL -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] Behalf Of Huegel, Thomas Sent: Wednesday, January 16, 2008 8:40 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Security Updates I just can't let this go. Has anyone ever had some 'WINDOZE' auditor come in and ask if you are up-to-date with your z/VM security patches from IBM?
Re: Security Updates
On Jan 16, 2008 3:39 PM, Huegel, Thomas [EMAIL PROTECTED] wrote: I just can't let this go. Has anyone ever had some 'WINDOZE' auditor come in and ask if you are up-to-date with your z/VM security patches from IBM? Oh yes... definitely in my previous job. And they're not used to folks who know what they are doing... so they don't care whether you run NFS or not, if there's a security PTF for it you must install it. Rob
Re: Security Updates
I'll go one better... I can't get management to stop calling z/VM... vmware. I correct them and lo and behold the next thing out of their mouth is blah blah vmware on the z box Mace From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Huegel, Thomas Sent: Wednesday, January 16, 2008 9:40 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Security Updates I just can't let this go. Has anyone ever had some 'WINDOZE' auditor come in and ask if you are up-to-date with your z/VM security patches from IBM?
Re: Security Updates
No, But I have had a 'security' auditor ask for a printout of my VM system's /etc/passwd file. When he saw the censored copy of our USER DIRECT, he stopped asking questions. /Tom Kern On Wed, 16 Jan 2008 08:39:49 -0600, Huegel, Thomas [EMAIL PROTECTED] wrote: I just can't let this go. Has anyone ever had some 'WINDOZE' auditor come in and ask if you are up-to-date with your z/VM security patches from IBM?
Re: Spool file Origin / Tag question
We use a small mod which allows the origin to be *set*. I believe it was originally written by someone named Andreas, possibly at Swissair. If your server created the file, and set the origin to the id of the requestor, and then transferred it to RSCS, would that solve your problem? Shimon Original message Date: Wed, 16 Jan 2008 15:44:21 +0100 From: Colin Allinson [EMAIL PROTECTED] Subject: Spool file Origin / Tag question To: IBMVM@LISTSERV.UARK.EDU This is a bit of a weird question so I had better explain what is behind it. I have built a server that will collect jobs and submit them to an MVS system (over an RSCS link). Part of the validation on the MVS system is that the job has come (or appeared to come) from the user in the jobcard. Because I am sending the job from my server it appears to originate there and not from the original job builder. Is there anyway that I can convince RSCS to identify the originator by the 4th/5th tokens in the Tag Data rather than the spool file Originid. (or, in some other way, convince RSCS to identify the originator as the required userid rather than my server userid). Currently I am building the spool file with a URO stage in a pipeline after tagging the DEV PUN as :- targetnode targetuid 50 orignode origuid Has anyone any useful suggestions? Thanks in advance, Colin Allinson Amadeus Data Processing GmbH
Re: Security Updates
Here I keep correcting people who talk about downloading stuff from the mainframe (z/OS) to z/Linux. Brian Nielsen On Wed, 16 Jan 2008 09:46:18 -0500, Macioce, Larry [EMAIL PROTECTED] wrote: I'll go one better... I can't get management to stop calling z/VM... vmware. I correct them and lo and behold the next thing out of their mouth is blah blah vmware on the z box
Re: Security Updates
Also fun is when they ask if your anti-virus software is up-to-date -- and you tell them you don't run any. Brian Nielsen On Wed, 16 Jan 2008 08:51:46 -0600, Thomas Kern [EMAIL PROTECTED] wrote: No, But I have had a 'security' auditor ask for a printout of my VM system's /etc/passwd file. When he saw the censored copy of our USER DIRECT, he stopped asking questions. /Tom Kern On Wed, 16 Jan 2008 08:39:49 -0600, Huegel, Thomas [EMAIL PROTECTED] wrote: I just can't let this go. Has anyone ever had some 'WINDOZE' auditor come in and ask if you are up-to-date with your z/VM security patches from IBM?
Re: Spool file Origin / Tag question
Shimon Lebowitz [EMAIL PROTECTED] wrote :- We use a small mod which allows the origin to be *set*. I believe it was originally written by someone named Andreas, possibly at Swissair. If your server created the file, and set the origin to the id of the requestor, and then transferred it to RSCS, would that solve your problem? Yes, Shimon, that would be great if you have details. Fran Hensler [EMAIL PROTECTED] wrote :- Take a look at the DIAGD4 package on my download site: http://zvm.sru.edu/~download I am using this package here with success. I will definitely have a look at that - thanks. Colin Allinson Amadeus Data Processing GmbH
Re: Spool file Origin / Tag question
As Fran replied, your server should set its alternate userid to the job submitter (that is done using DIAG D4, and verified by the ESM). Spool files **created afterwards** get the alternate userid as origin. DIAG D4 also influences LINK permissions (at least if an ESM is involved) and also all **new** connections to DB2 and/or SFS. You can use CSL call DMSPURWU to remove any open SFS connections, hence force an SFS access to use the alternate userid. Our RxServer package has some use of DIAGD4 too (and includes a DIAGD4 asm program). The LCLQRY package provides a CP QUERY ALTUSER command. 2008/1/16, Shimon Lebowitz [EMAIL PROTECTED]: We use a small mod which allows the origin to be *set*. I believe it was originally written by someone named Andreas, possibly at Swissair. If your server created the file, and set the origin to the id of the requestor, and then transferred it to RSCS, would that solve your problem? Shimon Original message Date: Wed, 16 Jan 2008 15:44:21 +0100 From: Colin Allinson [EMAIL PROTECTED] Subject: Spool file Origin / Tag question To: IBMVM@LISTSERV.UARK.EDU This is a bit of a weird question so I had better explain what is behind it. I have built a server that will collect jobs and submit them to an MVS system (over an RSCS link). Part of the validation on the MVS system is that the job has come (or appeared to come) from the user in the jobcard. Because I am sending the job from my server it appears to originate there and not from the original job builder. Is there anyway that I can convince RSCS to identify the originator by the 4th/5th tokens in the Tag Data rather than the spool file Originid. (or, in some other way, convince RSCS to identify the originator as the required userid rather than my server userid). Currently I am building the spool file with a URO stage in a pipeline after tagging the DEV PUN as :- targetnode targetuid 50 orignode origuid Has anyone any useful suggestions? 
Thanks in advance, Colin Allinson Amadeus Data Processing GmbH -- Kris Buelens, IBM Belgium, VM customer support
Re: Security Updates
When you 'download' from z/OS to z/LINUX over a GUEST LAN do you have to encrypt it? That makes sense right? -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] Behalf Of Brian Nielsen Sent: Wednesday, January 16, 2008 9:08 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Security Updates Here I keep correcting people who talk about downloading stuff from the mainframe (z/OS) to z/Linux. Brian Nielsen On Wed, 16 Jan 2008 09:46:18 -0500, Macioce, Larry [EMAIL PROTECTED] wrote: I'll go one better... I can't get management to stop calling z/VM... vmware. I correct them and lo and behold the next thing out of their mouth is blah blah vmware on the z box
Re: Security Updates
On Wednesday, 01/16/2008 at 09:40 EST, Huegel, Thomas [EMAIL PROTECTED] wrote: I just can't let this go. Has anyone ever had some 'WINDOZE' auditor come in and ask if you are up-to-date with your z/VM security patches from IBM? In my experience talking to many customers, an auditor is an auditor is an auditor. They know what *they* know. They don't know what *you* know. It often turns out that they aren't *really* Windows auditors, but are just auditors who have never seen anything other than Windows. If they showed up asking to check some registry entries on your Linux box, you'd have a good chuckle, too. But, yes, it is SOP for companies to apply due diligence to mainframe software security issues, including z/VM. When we close a security or integrity APAR, it will be placed on an RSU. Note that z/VM 5.3 RSU 0703 contains VM64258 UM32131 CP INTEGRITY APAR (from http://www.vm.ibm.com/service/rsu/esa530.html) You may also see a description of SECURITY APAR. Alan Altmark z/VM Development IBM Endicott
need a z890, cheap?
Anybody need a spare z890? http://cgi.ebay.com/IBM-e-SERVER-zSERIES-890-2086-A04-MAINFRAME-COMPUTER_W0QQitemZ260202032717QQihZ016QQcategoryZ64030QQssPageNameZWDVWQQrdZ1QQcmdZViewItem (watch for line wrap, as well) -- DJ V/Soft z/VM and mainframe Linux expertise, training, consulting, and software development www.vsoft-software.com
Re: Spool file Origin / Tag question
On Wednesday, 01/16/2008 at 10:25 EST, Kris Buelens [EMAIL PROTECTED] wrote: As Fran replied, your server should set its alternate userid to the job submitter (that is done using DIAG D4, and verified by the ESM). A server should use diagnose 0xF8 (Set/Query Spool File Origin Information). The server will need OPTION SETORIG. The origin information is associated with a virtual printer or punch so that all spool files that device generates have the same origin. Different vdevs can have different origins. Alan Altmark z/VM Development IBM Endicott
Re: need a z890, cheap?
On Wednesday, 01/16/2008 at 10:51 EST, Dave Jones [EMAIL PROTECTED] wrote: Anybody need a spare z890? It was nice to see the z/VM logo on this IFL-only server! Alan Altmark z/VM Development IBM Endicott
Re: 3590 tape drive support in zLinux/zVM?
You need a better email reader. Thunderbird displayed it fine. The only thing was that the vertical line that shows copied text was on the right margin. David Boyes wrote: Quoting Schuh, Richard [EMAIL PROTECTED]: [snip] For some reason this post came in right justified and reversed right-to-left. Is this a side-effect of writing in Hebrew mode, Shimon? If so, it's really cool. Easily amused today, -- db -- Stephen Frazier Information Technology Unit Oklahoma Department of Corrections 3400 Martin Luther King Oklahoma City, Ok, 73111-4298 Tel.: (405) 425-2549 Fax: (405) 425-2554 Pager: (405) 690-1828 email: stevef%doc.state.ok.us
Re: Security Updates
Interesting that SIS responds: Item VM64258 is not available to display. But one can display the PTF. -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Alan Altmark Sent: Wednesday, January 16, 2008 10:47 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Security Updates On Wednesday, 01/16/2008 at 09:40 EST, Huegel, Thomas [EMAIL PROTECTED] wrote: I just can't let this go. Has anyone ever had some 'WINDOZE' auditor come in and ask if you are up-to-date with your z/VM security patches from IBM? In my experience talking to many customers, an auditor is an auditor is an auditor. They know what *they* know. They don't know what *you* know. It often turns out that they aren't *really* Windows auditors, but are just auditors who have never seen anything other than Windows. If they showed up asking to check some registry entries on your Linux box, you'd have a good chuckle, too. But, yes, it is SOP for companies to apply due diligence to mainframe software security issues, including z/VM. When we close a security or integrity APAR, it will be placed on an RSU. Note that z/VM 5.3 RSU 0703 contains VM64258 UM32131 CP INTEGRITY APAR (from http://www.vm.ibm.com/service/rsu/esa530.html) You may also see a description of SECURITY APAR. Alan Altmark z/VM Development IBM Endicott
Re: need a z890, cheap?
Dave Jones wrote: Anybody need a spare z890? The resale value of the box is exceeded by the cost of transporting it :-) -- Jack J. Woehr# Hipsters believe that irony has http://www.well.com/~jax # more resonance than reason. http://www.softwoehr.com # - Robert Lanham
Re: Spool file Origin / Tag question
Kris Buelens [EMAIL PROTECTED] wrote: As Fran replied, your server should set its alternate userid to the job submitter (that is done using DIAG D4, and verified by the ESM). Spool files **created afterwards** get the alternate userid as origin. DIAG D4 also influences LINK permissions (at least if an ESM is involved) and also all **new** connections to DB2 and/or SFS. You can use CSL call DMSPURWU to remove any open SFS connections, hence force an SFS access to use the alternate userid. Our RxServer package has some use of DIAGD4 too (and includes a DIAGD4 asm program). The LCLQRY package provides a CP QUERY ALTUSER command. Initially, I was rather fooled by the DIAGD4 EXEC in the package until I realised that it just checked the ability to do the command - but did not action it. Once I got past that it works fine - thanks. Colin Allinson Amadeus Data Processing GmbH
Re: 3590 tape drive support in zLinux/zVM?
And it is not even Friday. Regards, Richard Schuh For some reason this post came in right justified and reversed right-to-left. Is this a side-effect of writing in Hebrew mode, Shimon? If so, it's really cool. Easily amused today, -- db
Re: Security Updates
Yes, and that was the answer I gave. It was easier to say I was up to date than it would have been to try to explain that z/VM is not Windoze. Regards, Richard Schuh From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Huegel, Thomas Sent: Wednesday, January 16, 2008 6:40 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Security Updates I just can't let this go. Has anyone ever had some 'WINDOZE' auditor come in and ask if you are up-to-date with your z/VM security patches from IBM?
EXECLOAD
I need a clarification on the EXECLOAD command. In my doc's User Notes 5 (for EXECLOAD) says that if a machine is in XC or XA mode then the EXEC can be loaded above the 16mb line. However the doc doesn't clearly state how to do this. So is it done with the optional SYSTEM parameter? My assumption is yes but I wanted to verify. Also, I came across, in my IBM docs a while back, how storage was laid out with a 16mb machine and a machine with a size greater than 16mb. It was a picture that showed what code was placed where in storage. I can't find it now. Does anybody recall seeing this and if so what manual it is in? Thanks, Steve
Re: Security Updates
Don't laugh, we know a guy who failed a PCI audit because the data traffic moving between his LPAR's wasn't encrypted. No amount of convincing, coercing, pleading or reasoning would change that auditor's mind. -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] Behalf Of Schuh, Richard Sent: Wednesday, January 16, 2008 11:03 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Security Updates Perfect sense, and it will be required by SOX 32. Then we will have to put firewalls between memory and the cpus. Each cpu will have rules established for it that are different than those of the other cpus in the box. Regards, Richard Schuh
CryptoExpress2 Processors and ZLinux SFTP/SSH
Does anyone know if the ssl/sftp servers that run under zLinux can use the CryptoExpress2 processors as a performance aid. We are seeing a performance hit when we perform SFTP's to zLinux as compared to using FTP. zVM 5.3, SLES10 -- Mark Jacobs Time Customer Service Tampa, FL Riley: Find the next number in the sequence: 313, 331, 367, ...? what? The Doctor: 379. It's a sequence of happy primes, 379. Martha: Happy what? The Doctor: Just enter it! Riley: Are you sure? We only get one chance. The Doctor: Any number that reduces to one when you take the sum of the square of its digits and continue iterating until it yields 1 is a happy number, any number that doesn't, isn't. A happy prime is both happy and prime. Doctor Who episode 42
Re: Security Updates
On Wednesday, 01/16/2008 at 12:10 EST, McBride, Catherine [EMAIL PROTECTED] wrote: Don't laugh, we know a guy who failed a PCI audit because the data traffic moving between his LPAR's wasn't encrypted. No amount of convincing, coercing, pleading or reasoning would change that auditor's mind. C'mon, folks. Auditors don't set policy, they monitor/enforce it. If your policy says "All traffic between two hosts that carries personally identifiable information must be encrypted," then the policy is to blame, not the auditor. Consider what would happen if it were all of a sudden possible to sniff traffic on a HiperSocket. Trust me on this, you do NOT want your auditor setting policy! Security policies must be updated from time to time to reflect current technology. If you have failed to actually establish a security policy, then all bets are off and auditors can (and do) invent stuff on the spot based on what THEY know. You want a data protection policy to apply encryption any time it is possible for an anonymous or unauthorized person or machine to intercept it. The argument will be over "possible". Guest LANs and Virtual Switches are sniffable. To allow clear-text transmission between two guests would require an auditor to verify that you can produce a list of authorized sniffers, that you audit its use, and that you have a process to remove someone's authorization if their job no longer requires such access. Well, that's what *I* would be looking for. Alan Altmark z/VM Development IBM Endicott
Re: EXECLOAD
As far as I know, SYSTEM means that the exec remains loaded even after an abend or HX 2008/1/16, Gentry, Stephen [EMAIL PROTECTED]: I need a clarification on the EXECLOAD command. In my doc's User Notes 5 (for EXECLOAD) says that if a machine is in XC or XA mode then the EXEC can be loaded above the 16mb line. However the doc doesn't clearly state how to do this. So is it done with the optional SYSTEM parameter? My assumption is yes but I wanted to verify. Also, I came across, in my IBM docs a while back, how storage was laid out with a 16mb machine and a machine with a size greater than 16mb. It was a picture that showed what code was placed where in storage. I can't find it now. Does anybody recall seeing this and if so what manual it is in? Thanks, Steve -- Kris Buelens, IBM Belgium, VM customer support
Re: Security Updates
For a SOX audit I'd almost agree with you, as you bring up some valid points. This was a PCI audit. The key difference that we've found between SOX and PCI is that for SOX you create policy statements to meet SOX guidelines and are tested on how well you adhere to your own policies. For PCI you are tested against the external PCI standards (as issued by the Payment Card Industry Council). A hipersocket would have more than met the standard of a private, dedicated connection, had anyone been willing to listen. But instead the guy formulated a strong opinion and would not alter his position. -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] Behalf Of Alan Altmark Sent: Wednesday, January 16, 2008 12:15 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Security Updates snip C'mon, folks. Auditors don't set policy, they monitor/enforce it. If your policy says All traffic between two hosts that carries personally identifiable information must be encrypted, then the policy is to blame, not the auditor. snip
Re: EXECLOAD
Stephen, If your CMS user is running with more than 16M of storage and you EXECLOAD a REXX exec, the EXECLOAD processing will automatically try to load the exec in free storage above 16M. You do not and cannot specify where the exec is loaded. As Kris pointed out, the SYSTEM option just tells CMS to leave the exec loaded after an ABEND or HX. Note that EXEC-2 and EXEC-Classic execs will only ever be loaded below the 16M line. Thanks! Mike --- Black holes are where God divided by zero. - Steven Wright, comedian (1955- ) Gentry, Stephen [EMAIL PROTECTED] Sent by: The IBM z/VM Operating System [EMAIL PROTECTED] 01/16/2008 09:11 AM Please respond to The IBM z/VM Operating System [EMAIL PROTECTED] To IBMVM@LISTSERV.UARK.EDU cc Subject EXECLOAD I need a clarification on the EXECLOAD command. In my doc’s User Notes 5 (for EXECLOAD) says that if a machine is in XC or XA mode then the EXEC can be loaded above the 16mb line. However the doc doesn’t clearly state how to do this. So is it done with the optional SYSTEM parameter? My assumption is yes but I wanted to verify. Also, I came across, in my IBM docs a while back, how storage was laid out with a 16mb machine and a machine with a size greater than 16mb. It was a picture that showed what code was placed where in storage. I can’t find it now. Does anybody recall seeing this and if so what manual it is in? Thanks, Steve
RSCS/CRI
Given a pipe that uses starmsg to trap replies and issues the command 'CP SMSG RSCS (ML.RSCHUH STOP V207' The reply that comes back is a multi-line response, in order of arrival: 0001RSCS RSCS 0154 0001 DEVVM MIKE M1L Link V207 autostart disabled 0001RSCS RSCS 0001 0002 DEVVM MIKE M1L End of command response 0001RSCS RSCS 0002 0001 DEVVM MIKE M1L Link V207 deactivated It seems that there is a reversal in order of the last two lines. Is this normal and documented somewhere? V207 is an LPR printer. Regards, Richard Schuh
Re: Security Updates
On Wednesday, 01/16/2008 at 01:48 EST, McBride, Catherine [EMAIL PROTECTED] wrote: For a SOX audit I'd almost agree with you, as you bring up some valid points. This was a PCI audit. The key difference that we've found between SOX and PCI is that for SOX you create policy statements to meet SOX guidelines and are tested on how well you adhere to your own policies. For PCI you are tested against the external PCI standards (as issued by the Payment Card Industry Council). A hipersocket would have more than met the standard of a private, dedicated connection, had anyone been willing to listen. But instead the guy formulated a strong opinion and would not alter his position. It doesn't really matter if it is SOX or PCI. The only difference is who establishes the policy. If you can establish an audit point that can be used to demonstrate that you have a private dedicated connection, then your auditor is wrong. Of course, the second you attach a 3rd LPAR (or another guest) to the HiperSocket, you no longer meet the criteria since you cannot establish access controls on a HiperSocket that allow LPARs 2 and 3 to talk only with LPAR 1, not with each other. It might be private, but it sure is hard to call it dedicated. Alan Altmark z/VM Development IBM Endicott
Re: EXECLOAD
Mike, thanks for the clarification. Kris, thanks for the reply. Steve G. ad infinitum From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Michael Donovan Sent: Wednesday, January 16, 2008 3:08 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: EXECLOAD Stephen, If your CMS user is running with more than 16M of storage and you EXECLOAD a REXX exec, the EXECLOAD processing will automatically try to load the exec in free storage above 16M. You do not and cannot specify where the exec is loaded. As Kris pointed out, the SYSTEM option just tells CMS to leave the exec loaded after an ABEND or HX. Note that EXEC-2 and EXEC-Classic execs will only ever be loaded below the 16M line. Thanks! Mike --- Black holes are where God divided by zero. - Steven Wright, comedian (1955- ) Gentry, Stephen [EMAIL PROTECTED] Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU 01/16/2008 09:11 AM Please respond to The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU To IBMVM@LISTSERV.UARK.EDU cc Subject EXECLOAD I need a clarification on the EXECLOAD command. In my doc's User Notes 5 (for EXECLOAD) says that if a machine is in XC or XA mode then the EXEC can be loaded above the 16mb line. However the doc doesn't clearly state how to do this. So is it done with the optional SYSTEM parameter? My assumption is yes but I wanted to verify. Also, I came across, in my IBM docs a while back, how storage was laid out with a 16mb machine and a machine with a size greater than 16mb. It was a picture that showed what code was placed where in storage. I can't find it now. Does anybody recall seeing this and if so what manual it is in? Thanks, Steve
Re: RSCS/CRI
My guess is that the deactivation is happening asynchronously in RSCS, hence the delay in the last response. 2008/1/16, Schuh, Richard [EMAIL PROTECTED]: Given a pipe that uses starmsg to trap replies and issues the command 'CP SMSG RSCS (ML.RSCHUH STOP V207' The reply that comes back is a multi-line response, in order of arrival: 0001RSCS RSCS 0154 0001 DEVVM MIKE M1L Link V207 autostart disabled 0001RSCS RSCS 0001 0002 DEVVM MIKE M1L End of command response 0001RSCS RSCS 0002 0001 DEVVM MIKE M1L Link V207 deactivated It seems that there is a reversal in order of the last two lines. Is this normal and documented somewhere? V207 is an LPR printer. Regards, Richard Schuh -- Kris Buelens, IBM Belgium, VM customer support
Re: RSCS/CRI
Mine too. It may be that RSCS never gets feedback confirming that the printer has stopped. Regards, Richard Schuh From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Kris Buelens Sent: Wednesday, January 16, 2008 1:33 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: RSCS/CRI My guess is that the deactivation is happening asynchronously in RSCS, hence the delay in the last response. 2008/1/16, Schuh, Richard [EMAIL PROTECTED] : Given a pipe that uses starmsg to trap replies and issues the command 'CP SMSG RSCS (ML.RSCHUH STOP V207' The reply that comes back is a multi-line response, in order of arrival: 0001RSCS RSCS 0154 0001 DEVVM MIKE M1L Link V207 autostart disabled 0001RSCS RSCS 0001 0002 DEVVM MIKE M1L End of command response 0001RSCS RSCS 0002 0001 DEVVM MIKE M1L Link V207 deactivated It seems that there is a reversal in order of the last two lines. Is this normal and documented somewhere? V207 is an LPR printer. Regards, Richard Schuh -- Kris Buelens, IBM Belgium, VM customer support
Re: CryptoExpress2 Processors and ZLinux SFTP/SSH
Openssl has the support in it to use them. OpenSSH needs a patch to turn them on. This is what we have implemented. Not sure how much it saves you though - we haven't really measured it lately. We got this from somewhere I can't remember!: diff -U 5 -Nr openssh-4.3p2/ssh.c openssh-4.3p2-mod/ssh.c --- ssh.c Fri Dec 30 22:33:38 2005 +++ ssh.c Mon Jul 17 15:58:24 2006 @@ -42,10 +42,11 @@ #include includes.h RCSID($OpenBSD: ssh.c,v 1.257 2005/12/20 04:41:07 dtucker Exp $); #include openssl/evp.h #include openssl/err.h +#include openssl/engine.h #include ssh.h #include ssh1.h #include ssh2.h #include compat.h @@ -525,10 +526,14 @@ if (!host) usage(); SSLeay_add_all_algorithms(); ERR_load_crypto_strings(); + + /* Init available hardware crypto engines. */ + ENGINE_load_builtin_engines(); + ENGINE_register_all_complete(); /* Initialize the command to execute on remote host. */ buffer_init(command); /* Marcy Cortes This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. -Original Message- 
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Mark Jacobs Sent: Wednesday, January 16, 2008 10:03 AM To: IBMVM@LISTSERV.UARK.EDU Subject: [IBMVM] CryptoExpress2 Processors and ZLinux SFTP/SSH Does anyone know if the ssl/sftp servers that run under zLinux can use the CryptoExpress2 processors as a performance aid. We are seeing a performance hit when we perform SFTP's to zLinux as compared to using FTP. zVM 5.3, SLES10 -- Mark Jacobs Time Customer Service Tampa, FL Riley: Find the next number in the sequence: 313, 331, 367, ...? what? The Doctor: 379. It's a sequence of happy primes, 379. Martha: Happy what? The Doctor: Just enter it! Riley: Are you sure? We only get one chance. The Doctor: Any number that reduces to one when you take the sum of the square of its digits and continue iterating until it yields 1 is a happy number, any number that doesn't, isn't. A happy prime is both happy and prime. Doctor Who episode 42
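Review bot: the `#include openssl/engine.h` added in the first hunk (@@ -42,10 +42,11 @@) is unconditional, so ssh.c will no longer build against an OpenSSL configured without engine support. Wrap the include, and the calls that depend on it, in `#ifndef OPENSSL_NO_ENGINE`. The archive has also stripped the angle brackets and quotes from the #include lines and the RCSID string, so the hunk as shown here will not apply cleanly.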
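Review bot: in the second hunk (@@ -525,10 +526,14 @@) the return value of ENGINE_register_all_complete() is discarded and nothing is logged, so a run gives no indication of whether a hardware engine was registered or ssh stayed on software crypto. Check the result and emit a debug message. The diff also touches only ssh.c, the client, while the slow case raised in the thread is SFTP into zLinux, where sshd does the work, so the server would need the same initialization before any gain shows up there. Since the calls register every built-in engine for every algorithm it implements, gating them behind a configuration option would keep the change opt-in.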
Re: CryptoExpress2 Processors and ZLinux SFTP/SSH
Are your crypto processors configured as accelerators or as the default standard co-processors? Mark Jacobs -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Marcy Cortes Sent: Wednesday, January 16, 2008 4:58 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: CryptoExpress2 Processors and ZLinux SFTP/SSH Openssl has the support in it to use them. OpenSSH needs a patch to turn them on. This is what we have implemented. Not sure how much it saves you though - we haven't really measured it lately. We got this from somewhere I can't remember!: diff -U 5 -Nr openssh-4.3p2/ssh.c openssh-4.3p2-mod/ssh.c --- ssh.c Fri Dec 30 22:33:38 2005 +++ ssh.c Mon Jul 17 15:58:24 2006 @@ -42,10 +42,11 @@ #include includes.h RCSID($OpenBSD: ssh.c,v 1.257 2005/12/20 04:41:07 dtucker Exp $); #include openssl/evp.h #include openssl/err.h +#include openssl/engine.h #include ssh.h #include ssh1.h #include ssh2.h #include compat.h @@ -525,10 +526,14 @@ if (!host) usage(); SSLeay_add_all_algorithms(); ERR_load_crypto_strings(); + + /* Init available hardware crypto engines. */ + ENGINE_load_builtin_engines(); ENGINE_register_all_complete(); /* Initialize the command to execute on remote host. */ buffer_init(command); /* Marcy Cortes This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. -Original Message- 
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Mark Jacobs Sent: Wednesday, January 16, 2008 10:03 AM To: IBMVM@LISTSERV.UARK.EDU Subject: [IBMVM] CryptoExpress2 Processors and ZLinux SFTP/SSH Does anyone know if the ssl/sftp servers that run under zLinux can use the CryptoExpress2 processors as a performance aid. We are seeing a performance hit when we perform SFTP's to zLinux as compared to using FTP. zVM 5.3, SLES10 -- Mark Jacobs Time Customer Service Tampa, FL Riley: Find the next number in the sequence: 313, 331, 367, ...? what? The Doctor: 379. It's a sequence of happy primes, 379. Martha: Happy what? The Doctor: Just enter it! Riley: Are you sure? We only get one chance. The Doctor: Any number that reduces to one when you take the sum of the square of its digits and continue iterating until it yields 1 is a happy number, any number that doesn't, isn't. A happy prime is both happy and prime. Doctor Who episode 42
Re: CryptoExpress2 Processors and ZLinux SFTP/SSH
Accelerators (type CEX2A) Marcy Cortes -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Mark Jacobs Sent: Wednesday, January 16, 2008 5:08 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: [IBMVM] CryptoExpress2 Processors and ZLinux SFTP/SSH Are your crypto processors configured as accelerators or as the default standard co-processors? Mark Jacobs