Re: TRANS13 , IND$FILE and CA-TPX
Mike,

I just hopped on to TPX (I normally don't go through TPX to access z/VM ... only things that run on z/OS under CICS) and tried a file transfer here ... it worked without any problem.

My emulator session is set to 3279-4E ... TPX says:

Terminal - A55T2627 Model- 3192-4A

Unfortunately at this time I don't know what VTAM logmode is being used.

JR (Steven) Imler
CA
Senior Sustaining Engineer
Tel: +1 703 708 3479
[EMAIL PROTECTED]

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Horlick, Michael
Sent: Friday, December 05, 2008 03:18 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: TRANS13 , IND$FILE and CA-TPX

Hello Alan et al.,

Just a little update. I created a 24 record file with 1234567890 repeated for 80 characters and asked the client to test. This time he says the file transfer doesn't issue messages but also doesn't upload the file to the host. It completes but the CMS file is not there.

Again, this only happens with the combination of CA-TPX and TCP/IP for VM. When he tries with CA-TPX and SNA it works. The same settings for the emulator (same size screen, etc...) How could the same 3270 datastream cause this? They have their terminal set up as a model 5.

My only thought is that it must be how the device appears to VM/VTAM. For SNA, it is a remote device. When he is on SNA and TPX and I display the user I see:

Termid: TX262144 Model: PC92-5AG Logmode: SNX32705

I have no idea where it gets that PC92-5AG model info from. Would you or anyone else know?

Then when he creates a virtual terminal session on TPX he gets:

SessionApplidStatus VTermid--Status Flags---Appl.Logmode
VM2VM<== ACTIVE TPXGR052 400010C1 T3278M2E

This application logmode of T3278M2E is a CA-TPX one and when I do a 'CP Q' on his CMS user I see him on TPXGR052.

For TCP/IP for VM, there is a DIAL VTAM and I set the DLOGMOD to D4B3290. I think I have tried different DLOGMOD's (NSX32705) and even asked them to configure as a Model 2 but still no go.

The SNA DLOG of SNX32705 looks like this:

SNX32705 MODEENT LOGMODE=SNX32705,FMPROF=X'03',TSPROF=X'03',
         PRIPROT=X'B1',SECPROT=X'90',COMPROT=X'3080',
         RUSIZES=X'87F8',
         PSERVIC=X'028018501B847F00'

I'm not much of a VTAM maven. Is there anything in that macro related to file transfer?

Is there something I can use to replace IND$FILE with? I suggested native VM (which works) and also ftp (but that's a hassle with write access to their A-disk) but they prefer the way they always work (but just with TCP/IP).

Wednesday, I'll be visiting the client and be screwing around with DLOGMOD's etc...

Regards,
Mike
Re: SMSG Authorization
Thanks all,

Yes, my manager doesn't want the operators to get into this so it has to be all hands on. I got something like you are talking about here now working.

>>> Ed Zell <[EMAIL PROTECTED]> 12/5/2008 12:41 PM >>>

Howard,

Are you by chance trying to run your EREP stuff without actually logging on to the virtual machine? If so, you might want to look at CP SEND

I haven’t tried it so I might be all wet, but I think you could

SEND CP EREP EXT
SEND EREP END
SEND EREP EXEC RUNEREP

or something similar to this. You might need to be authorized as a secondary console, I can’t remember for sure.

Ed Zell
Illinois Mutual Life
(309) 636-0107

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Howard Rifkind
Sent: Friday, December 05, 2008 11:27 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: SMSG Authorization

I'm trying to SMSG the EREP guest and although I have set SMSG on the command comes back stating that the EREP guest isn't authorized.

Is there any way around this to get EREP authorized for SMSG?

Will IUCV do it? so I can get EREP to execute a REXX exec from a command issued from a different virtual machine guest.

Thanks.
Re: TRANS13 , IND$FILE and CA-TPX
Hello Michael,

TCP/IP to z/VM and IND$FILE works with a 40/140 connection using PCOM 5.6. Do you have to dial to VTAM?

Ed Martin
Aultman Health Foundation
330-588-4723 ext 40441

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Horlick, Michael
Sent: Friday, December 05, 2008 3:18 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: TRANS13 , IND$FILE and CA-TPX

Hello Alan et al.,

Just a little update. I created a 24 record file with 1234567890 repeated for 80 characters and asked the client to test. This time he says the file transfer doesn't issue messages but also doesn't upload the file to the host. It completes but the CMS file is not there.

Again, this only happens with the combination of CA-TPX and TCP/IP for VM. When he tries with CA-TPX and SNA it works. The same settings for the emulator (same size screen, etc...) How could the same 3270 datastream cause this? They have their terminal set up as a model 5.

My only thought is that it must be how the device appears to VM/VTAM. For SNA, it is a remote device. When he is on SNA and TPX and I display the user I see:

Termid: TX262144 Model: PC92-5AG Logmode: SNX32705

I have no idea where it gets that PC92-5AG model info from. Would you or anyone else know?

Then when he creates a virtual terminal session on TPX he gets:

SessionApplidStatus VTermid--Status Flags---Appl.Logmode
VM2VM<== ACTIVE TPXGR052 400010C1 T3278M2E

This application logmode of T3278M2E is a CA-TPX one and when I do a 'CP Q' on his CMS user I see him on TPXGR052.

For TCP/IP for VM, there is a DIAL VTAM and I set the DLOGMOD to D4B3290. I think I have tried different DLOGMOD's (NSX32705) and even asked them to configure as a Model 2 but still no go.

The SNA DLOG of SNX32705 looks like this:

SNX32705 MODEENT LOGMODE=SNX32705,FMPROF=X'03',TSPROF=X'03',
         PRIPROT=X'B1',SECPROT=X'90',COMPROT=X'3080',
         RUSIZES=X'87F8',
         PSERVIC=X'028018501B847F00'

I'm not much of a VTAM maven. Is there anything in that macro related to file transfer?

Is there something I can use to replace IND$FILE with? I suggested native VM (which works) and also ftp (but that's a hassle with write access to their A-disk) but they prefer the way they always work (but just with TCP/IP).

Wednesday, I'll be visiting the client and be screwing around with DLOGMOD's etc...

Regards,
Mike
Re: perfsvm and reports
Guess I have to locate the subcommands associated with the different reports.
Re: perfsvm and reports
Roger,

If you are using Performance Toolkit for 5.3.0 or 5.4.0, all the reports are listed in Chapter 2 of the "Performance Toolkit Reference". If you are using Performance Toolkit for 5.2.0, then all the documentation appears in the book "Performance Toolkit".

If a given report has a command to match the number, the command appears at the end of a section heading. For example, you will see the section heading

FCX103, Storage Utilization Screen - STORAGE

This tells you that to get report FCX103, issue the subcommand STORAGE from MONITOR mode (or through VMC).

Cheers!
Mike

"Wilson, Roger" <[EMAIL PROTECTED] waukee.gov>
Sent by: The IBM z/VM Operating System <[EMAIL PROTECTED] ARK.EDU>
12/05/2008 04:11 PM
Please respond to The IBM z/VM Operating System <[EMAIL PROTECTED] ARK.EDU>
To IBMVM@LISTSERV.UARK.EDU
cc
Subject Re: perfsvm and reports

I’ve been going through the manual and can't find the names. Are there examples?

Sincerely,
Roger Wilson

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Kris Buelens
Sent: Friday, December 05, 2008 3:08 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: perfsvm and reports

The Perfkit manual lists all reports you can query.

2008/12/5 Roger Wilson <[EMAIL PROTECTED]>

I'm attempting to write some simple rexx execs to perform a pipe command to PERFSVM to retrieve some reports

Is there a list of reports that I can plug into the exec?

'PIPE VMC ' WHERE ' CPU',
' | stem results. ',
' | > FCX100 RESULTS A'

--
Kris Buelens, IBM Belgium, VM customer support
Re: perfsvm and reports
I've been going through the manual and can't find the names. Are there examples?

Sincerely,
Roger Wilson

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Kris Buelens
Sent: Friday, December 05, 2008 3:08 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: perfsvm and reports

The Perfkit manual lists all reports you can query.

2008/12/5 Roger Wilson <[EMAIL PROTECTED]>

I'm attempting to write some simple rexx execs to perform a pipe command to PERFSVM to retrieve some reports

Is there a list of reports that I can plug into the exec?

'PIPE VMC ' WHERE ' CPU',
' | stem results. ',
' | > FCX100 RESULTS A'

--
Kris Buelens, IBM Belgium, VM customer support
Re: TRANS13 , IND$FILE and CA-TPX
On Friday, 12/05/2008 at 03:20 EST, "Horlick, Michael" <[EMAIL PROTECTED]> wrote:
> I think I have tried different DLOGMOD's (NSX32705) and even asked them to
> configure as a Model 2 but still no go.

I would use D4A3290 to talk to an emulator in an SNA network, but that's just me. The days of needing logmodes that explicitly described the model were interesting when there were devices at the other end that would obey them. They don't. Further, the explicit logmode prevents the host from issuing a QUERY. What this means in the context of CA-TPX, I don't know.

With VM/VTAM in place, CA-TPX app will simply create an LU2 session to VSCS on VM. It doesn't manipulate the data travelling back and forth, but simply acts as a proxy between the two LU-LU sessions. (VM-CA:TPX and CA:TPX-workstation)

To use TN3270, CA-TPX has an LU2-TN3270 translator built into it. It must extract the 3270 data stream from one end and repackage it for sending to the other. This means that CA-TPX itself is the telnet client and is simply getting the data stream from the SNA 3270 emulator. But CA-TPX is responsible to connect to the VM telnet server and negotiate the TN3270 session. This includes any TN3270E issues.

So, while the *emulator* may be sending the same things, CA-TPX may not. You need to compare the 3270 data stream that CA-TPX is sending to and receiving from VM. (Getting the trace from CA-TPX is probably best.)

Alan Altmark
z/VM Development
IBM Endicott
Re: perfsvm and reports
The Perfkit manual lists all reports you can query.

2008/12/5 Roger Wilson <[EMAIL PROTECTED]>
> I'm attempting to write some simple rexx execs to perform a
> pipe command to PERFSVM to retrieve some reports
> Is there a list of reports that I can plug into the exec?
>
> 'PIPE VMC ' WHERE ' CPU',
> ' | stem results. ',
> ' | > FCX100 RESULTS A'
>

--
Kris Buelens, IBM Belgium, VM customer support
Re: Starting an exec on a remote machine
CA ARCServe Backup for Mainframe Linux works with VM:Tape, but not VM:Backup. I'm not allowed to endorse products (or unendorse them?). I can say that we don't use the product. A reliable product that works with VM:Backup would at least get looked at here. Our current plan is to back z/VM up with VM:Backup, and back Linux guests up with the same product that we use for midrange Linux.

Dennis

"We have awakened a sleeping giant, and we have instilled in him a terrible resolve." -- Admiral Yamamoto, following the attack on Pearl Harbor

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Marcy Cortes
Sent: Thursday, December 04, 2008 17:33
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] Starting an exec on a remote machine

>Personally, I'd like that product to work hand-in-hand with our existing VM:Backup product which we z/VM'ers control on our own. (Anyone at CA listening)

Yes, what he said!

Marcy
perfsvm and reports
I'm attempting to write some simple rexx execs to perform a pipe command to PERFSVM to retrieve some reports

Is there a list of reports that I can plug into the exec?

'PIPE VMC ' WHERE ' CPU',
' | stem results. ',
' | > FCX100 RESULTS A'
Re: TRANS13 , IND$FILE and CA-TPX
To all,

Some time ago I had a mysterious problem dealing with IND$FILE with symptoms similar to what you are having, although, mine was with CICS also. The problem that I encountered was with a getmain for storage to build additional messages. It turned out that the getmain was for 0 bytes and that wouldn't work. I had the source at the time and inserted my own check for 0 bytes and bypassed the getmain which allowed it to go to EOJ. I don't know whether this is the same, but that problem exhibited no symptoms at all and it was just plain luck that I found the error.

I don't know if this is germane to the subject, but it was an undiscovered bug with the product. Even though it's been around a long time, you may be encountering a problem that heretofore has gone unreported. Just trying to help.

Fred Hoffman

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] Behalf Of Horlick, Michael
Sent: Friday, December 05, 2008 2:18 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: TRANS13 , IND$FILE and CA-TPX

Hello Alan et al.,

Just a little update. I created a 24 record file with 1234567890 repeated for 80 characters and asked the client to test. This time he says the file transfer doesn't issue messages but also doesn't upload the file to the host. It completes but the CMS file is not there.

Again, this only happens with the combination of CA-TPX and TCP/IP for VM. When he tries with CA-TPX and SNA it works. The same settings for the emulator (same size screen, etc...) How could the same 3270 datastream cause this? They have their terminal set up as a model 5.

My only thought is that it must be how the device appears to VM/VTAM. For SNA, it is a remote device. When he is on SNA and TPX and I display the user I see:

Termid: TX262144 Model: PC92-5AG Logmode: SNX32705

I have no idea where it gets that PC92-5AG model info from. Would you or anyone else know?

Then when he creates a virtual terminal session on TPX he gets:

SessionApplidStatus VTermid--Status Flags---Appl.Logmode
VM2VM<== ACTIVE TPXGR052 400010C1 T3278M2E

This application logmode of T3278M2E is a CA-TPX one and when I do a 'CP Q' on his CMS user I see him on TPXGR052.

For TCP/IP for VM, there is a DIAL VTAM and I set the DLOGMOD to D4B3290. I think I have tried different DLOGMOD's (NSX32705) and even asked them to configure as a Model 2 but still no go.

The SNA DLOG of SNX32705 looks like this:

SNX32705 MODEENT LOGMODE=SNX32705,FMPROF=X'03',TSPROF=X'03',
         PRIPROT=X'B1',SECPROT=X'90',COMPROT=X'3080',
         RUSIZES=X'87F8',
         PSERVIC=X'028018501B847F00'

I'm not much of a VTAM maven. Is there anything in that macro related to file transfer?

Is there something I can use to replace IND$FILE with? I suggested native VM (which works) and also ftp (but that's a hassle with write access to their A-disk) but they prefer the way they always work (but just with TCP/IP).

Wednesday, I'll be visiting the client and be screwing around with DLOGMOD's etc...

Regards,
Mike
Re: SMSG Authorization
On Friday, 12/05/2008 at 12:44 EST, "Huegel, Thomas" <[EMAIL PROTECTED]> wrote:
> I think you are correct Rob, an application program (ie WAKEUP) must
> establish its ability to receive SMSG's before anyone can send one. Just
> setting SMSG ON is not enough.

The message

  HCPMFS057I not receiving; not authorized

can be misleading, though it's obvious once someone tells you the answer! The message description isn't overly helpful (and an RCF would be nice).

HCP057I userid not receiving; text

Explanation: The user ID specified in the MESSAGE, WARNING, MSGNOH, or SMSG command is not receiving. text in this message identifies the reason why the user ID is not receiving.

Text              Explanation of text
  :
not authorized    The user is not authorized.
  :

It refers to the VMCF AUTHORIZE function (via diagnose 0x68) that must be issued by a server in order for users to send it SMSGs and it has SET SMSG ON. VMCF AUTHORIZE is not required if the server has an IUCV connection to *MSG and has SET SMSG IUCV.

Alan Altmark
z/VM Development
IBM Endicott
Re: TRANS13 , IND$FILE and CA-TPX
Hello Alan et al.,

Just a little update. I created a 24 record file with 1234567890 repeated for 80 characters and asked the client to test. This time he says the file transfer doesn't issue messages but also doesn't upload the file to the host. It completes but the CMS file is not there.

Again, this only happens with the combination of CA-TPX and TCP/IP for VM. When he tries with CA-TPX and SNA it works. The same settings for the emulator (same size screen, etc...) How could the same 3270 datastream cause this? They have their terminal set up as a model 5.

My only thought is that it must be how the device appears to VM/VTAM. For SNA, it is a remote device. When he is on SNA and TPX and I display the user I see:

Termid: TX262144 Model: PC92-5AG Logmode: SNX32705

I have no idea where it gets that PC92-5AG model info from. Would you or anyone else know?

Then when he creates a virtual terminal session on TPX he gets:

SessionApplidStatus VTermid--Status Flags---Appl.Logmode
VM2VM<== ACTIVE TPXGR052 400010C1 T3278M2E

This application logmode of T3278M2E is a CA-TPX one and when I do a 'CP Q' on his CMS user I see him on TPXGR052.

For TCP/IP for VM, there is a DIAL VTAM and I set the DLOGMOD to D4B3290. I think I have tried different DLOGMOD's (NSX32705) and even asked them to configure as a Model 2 but still no go.

The SNA DLOG of SNX32705 looks like this:

SNX32705 MODEENT LOGMODE=SNX32705,FMPROF=X'03',TSPROF=X'03',
         PRIPROT=X'B1',SECPROT=X'90',COMPROT=X'3080',
         RUSIZES=X'87F8',
         PSERVIC=X'028018501B847F00'

I'm not much of a VTAM maven. Is there anything in that macro related to file transfer?

Is there something I can use to replace IND$FILE with? I suggested native VM (which works) and also ftp (but that's a hassle with write access to their A-disk) but they prefer the way they always work (but just with TCP/IP).

Wednesday, I'll be visiting the client and be screwing around with DLOGMOD's etc...

Regards,
Mike
Re: SMSG Authorization
A class G user can only use CP SEND if he is secondary user of the target virtual machine

A class C user can use SEND to any target, but he'll only see console response when he is secondary user (or OBSERVER)

Newer is CP FOR: "CP FOR EREP CMD some-CP-command"

But, as my sample indicates, FOR can only be used to send CP commands to a target, and you'll get the response back.

SMSG is indeed to send a message to a program that enables itself to get SMSGs, what the program does with the message depends on the program. It might interpret the message as a CP/CMS command, but it doesn't have to. WAKEUP is just a general program that amongst other things can react to SMSGs. But even WAKEUP doesn't execute SMSGs it gets as commands, that depends on the REXX EXEC that uses WAKEUP.

2008/12/5 Ed Zell <[EMAIL PROTECTED]>:
> Howard,
>
> Are you by chance trying to run your EREP stuff without actually logging on
> to the virtual machine? If so, you might want to look at CP SEND
>
> I haven't tried it so I might be all wet, but I think you could
>
> SEND CP EREP EXT
> SEND EREP END
> SEND EREP EXEC RUNEREP
>
> or something similar to this. You might need to be authorized as a secondary
> console, I can't remember for sure.
>
> Ed Zell
> Illinois Mutual Life
> (309) 636-0107
>
> From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Howard Rifkind
> Sent: Friday, December 05, 2008 11:27 AM
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: SMSG Authorization
>
> I'm trying to SMSG the EREP guest and although I have set SMSG on the
> command comes back stating that the EREP guest isn't authorized.
>
> Is there any way around this to get EREP authorized for SMSG?
>
> Will IUCV do it? so I can get EREP to execute a REXX exec from a command
> issued from a different virtual machine guest.
>
> Thanks.

--
Kris Buelens, IBM Belgium, VM customer support
Re: Back to the Future at IBM
ohhh nevermind

Mark Post <[EMAIL PROTECTED]>
Sent by: The IBM z/VM Operating System
12/05/2008 02:49 PM
Please respond to The IBM z/VM Operating System
To IBMVM@LISTSERV.UARK.EDU
cc
Subject Re: Back to the Future at IBM

>>> On 12/5/2008 at 2:15 PM, Bill Munson <[EMAIL PROTECTED]> wrote:
> http://online.wsj.com/article/SB122834959883677705.html
>
> Applications running on a backroom server (maybe a Mainframe)

As it turns out, no, it's not a mainframe. This is an Intel/AMD architecture. IBM is working with a number of Linux distribution providers on this, and they don't have mainframe products.

Mark Post
Re: Back to the Future at IBM
>>> On 12/5/2008 at 2:15 PM, Bill Munson <[EMAIL PROTECTED]> wrote:
> http://online.wsj.com/article/SB122834959883677705.html
>
> Applications running on a backroom server (maybe a Mainframe)

As it turns out, no, it's not a mainframe. This is an Intel/AMD architecture. IBM is working with a number of Linux distribution providers on this, and they don't have mainframe products.

Mark Post
Back to the Future at IBM
http://online.wsj.com/article/SB122834959883677705.html

Applications running on a backroom server (maybe a Mainframe)
The Software package uses the LINUX operating system (FOCUS on VM, CICS on VSE or MVS come to mind?)
Can be displayed on a Thin Client which does not have processing units or disk drives (like a Dumb Terminal)

The new "Virtual LINUX Desktop"

Bill Munson
Brown Brothers Harriman
Sr. z/VM Systems Programmer
201-418-7588
President MVMUA
http://www2.marist.edu/~mvmua/
Re: SMTRAP Program
The IBM z/VM Operating System wrote on 12/05/2008 10:16:33 AM:

> In researching an answer to another posting, I stumbled upon what I had once
> used to automate EREP. It is the SMTRAP MODULE that would be loaded in the
> EREP PROFILE EXEC. It would establish the SMSG/IUCV waiting configuration
> and would stop the EREP collection program when my VMUTIL server issued the
> CP SMSG EREP END command.
>
> What I cannot find in my archives now, is the source for this nice little
> program. Does anyone remember it?
>
> /Tom Kern

I believe I might be the guilty party. I'll see if I can find it, wrote it a couple of jobs back.
SMTRAP Program
In researching an answer to another posting, I stumbled upon what I had once used to automate EREP. It is the SMTRAP MODULE that would be loaded in the EREP PROFILE EXEC. It would establish the SMSG/IUCV waiting configuration and would stop the EREP collection program when my VMUTIL server issued the CP SMSG EREP END command.

What I cannot find in my archives now, is the source for this nice little program. Does anyone remember it?

/Tom Kern
Re: SMSG Authorization
Howard, in order for EREP to receive SMSG from any other user id, you must do the SET SMSG ON (or, for IUCV connections, SET SMSG IUCV) command on the EREP user id itself.

Howard Rifkind wrote:

I'm trying to SMSG the EREP guest and although I have set SMSG on the command comes back stating that the EREP guest isn't authorized.

Is there any way around this to get EREP authorized for SMSG?

Will IUCV do it? so I can get EREP to execute a REXX exec from a command issued from a different virtual machine guest.

Thanks.

--
DJ
V/Soft
z/VM and mainframe Linux expertise, training, consulting, and software development
www.vsoft-software.com
Re: Configuartion question
Hi Alan,

Yes, sorry it should have been EAL 5!

Thank You,

Terry Martin
Lockheed Martin - Information Technology
z/OS & z/VM Systems - Performance and Tuning
Cell - 443 632-4191
Work - 410 786-0386
[EMAIL PROTECTED]

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Alan Altmark
Sent: Friday, December 05, 2008 9:15 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Configuartion question

On Thursday, 12/04/2008 at 09:00 EST, "Martin, Terry R. (CMS/CTR) (CTR)" <[EMAIL PROTECTED]> wrote:
> We are moving toward taking our POC into production. This workload is moving
> from Solaris running UNIX. The environment is 3 zone architecture. Our client's
> business requirements calls for this 3 zone environment to remain separated. It
> requires UAL5 security level.

Did you mean Common Criteria EAL 5? (I can't find any relevant reference to "UAL".) If you actually meant "UAL5", can you point me to a reference?

Alan Altmark
z/VM Development
IBM Endicott
Re: SMSG Authorization
I think you are correct Rob, an application program (ie WAKEUP) must establish its ability to receive SMSG's before anyone can send one. Just setting SMSG ON is not enough.

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] Behalf Of RPN01
Sent: Friday, December 05, 2008 11:34 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SMSG Authorization

Wouldn't the EREP program actually have to be waiting and understand SMSG messages, otherwise, what do you expect it to do with the message once received?

Of course, I could be blowing smoke, and EREP does indeed have features to do this that I'm unaware of or have forgotten. (Getting old is such a pain...)

--
Robert P. Nix
Mayo Foundation
RO-OE-5-55
200 First Street SW
507-284-0844
Rochester, MN 55905

"In theory, theory and practice are the same, but in practice, theory and practice are different."

On 12/5/08 11:26 AM, "Howard Rifkind" <[EMAIL PROTECTED]> wrote:

I'm trying to SMSG the EREP guest and although I have set SMSG on the command comes back stating that the EREP guest isn't authorized.

Is there any way around this to get EREP authorized for SMSG?

Will IUCV do it? so I can get EREP to execute a REXX exec from a command issued from a different virtual machine guest.

Thanks.
Re: SMSG Authorization
Howard,

Are you by chance trying to run your EREP stuff without actually logging on to the virtual machine? If so, you might want to look at CP SEND

I haven't tried it so I might be all wet, but I think you could

SEND CP EREP EXT
SEND EREP END
SEND EREP EXEC RUNEREP

or something similar to this. You might need to be authorized as a secondary console, I can't remember for sure.

Ed Zell
Illinois Mutual Life
(309) 636-0107

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Howard Rifkind
Sent: Friday, December 05, 2008 11:27 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: SMSG Authorization

I'm trying to SMSG the EREP guest and although I have set SMSG on the command comes back stating that the EREP guest isn't authorized.

Is there any way around this to get EREP authorized for SMSG?

Will IUCV do it? so I can get EREP to execute a REXX exec from a command issued from a different virtual machine guest.

Thanks.
Re: SMSG Authorization
Wouldn't the EREP program actually have to be waiting and understand SMSG messages, otherwise, what do you expect it to do with the message once received?

Of course, I could be blowing smoke, and EREP does indeed have features to do this that I'm unaware of or have forgotten. (Getting old is such a pain...)

--
Robert P. Nix
Mayo Foundation
RO-OE-5-55
200 First Street SW
507-284-0844
Rochester, MN 55905

"In theory, theory and practice are the same, but in practice, theory and practice are different."

On 12/5/08 11:26 AM, "Howard Rifkind" <[EMAIL PROTECTED]> wrote:

> I'm trying to SMSG the EREP guest and although I have set SMSG on the command
> comes back stating that the EREP guest isn't authorized.
>
> Is there any way around this to get EREP authorized for SMSG?
>
> Will IUCV do it? so I can get EREP to execute a REXX exec from a command
> issued from a different virtual machine guest.
>
> Thanks.
Re: Configuartion question
Thanks Alan!

This is really what I was looking for. The customer has the EAL 5 requirement and is set up with this requirement in mind in the current Solaris environment (Separate servers for each zone). So I guess regardless of what we can do with VM in terms of running multiple guests and such in this case we are bound by the requirement.

Thanks for all of the information from everyone I learned some other interesting things from this! As usual the LIST is a great reference for people like me and I appreciate all who take the time to answer so thoughtfully!

Thank You,

Terry Martin
Lockheed Martin - Information Technology
z/OS & z/VM Systems - Performance and Tuning
Cell - 443 632-4191
Work - 410 786-0386
[EMAIL PROTECTED]

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Alan Altmark
Sent: Friday, December 05, 2008 11:53 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Configuartion question

On Friday, 12/05/2008 at 08:34 EST, Rick Troth <[EMAIL PROTECTED]> wrote:
> You've already gotten great advice.
> I would add that you do NOT need to split your workload
> between the tiers or zones. It was not completely clear to me,
> but it sounded like that was one of your expected LPAR splits.
>
> You can achieve isolation of the zones without having to run
> yet more VM partitions. You DO want to partionally isolate your
> production and test/dev, but you don't need that added complexity
> to defend a multi-tier architecture. VM insulates virtual machines
> nicely along zone boundaries. HOWEVER, selling this to your
> directors, developers, and security people might be difficult.

(Assumption: Terry was actually referring to "EAL5" when he said "UAL5")

Only LPARs provide that level of separation. EAL 5 is a reference to the quantity and quality of evidence that IBM has provided to evaluators for the separation of LPARs. In the evaluated configuration, that means no HiperSockets, no shared chpids, and no dynamic I/O.
If, rather than discussing assurance levels, we move the discussion to capability, then, yes, z/VM is capable of separating the users. However, the issue inevitably turns to enforcement. (It has each time I have had this same discussion with customers.) That is, how do you ENFORCE the rule that you cannot connect the db server directly to the Internet? Or prevent the servers in tier 1 (Apache) to get to the inTRAnet? The only answer I have found that will consistently satisfy the Chief Security Weasel is one that says: 1. Dynamic I/O SHALL NOT be permitted to any z/VM or z/OS LPAR that is running workload. I/O SHALL be managed from a separate partition. The sysprogs may or may not have access to that partition, depending on the policy of Separation of Duties. (E.g. Only "the hardware people" can change the hardware I/O config) 2. Internet traffic SHALL be on a separate cable (because it goes to a separate switch). You SHALL NOT use VLANs to separate Internet and Intranet traffic. 3. All traffic between zones SHALL travel via a firewall that is under Network Security management control. This will typically preclude the use of IPtables on Linux and the use of HiperSockets for access to the database server. It also means that for an the web server to talk to the app server the traffic leaves the box, goes throught the firewall, and re-enters. (If you feel faint, sit with your head between your knees. Breathe. This is normal. You'll be fine in a few minutes.) It's ok. 4. Resource access (disks, users, spool, networks,...) SHALL be under the control of a security subsystem that implements mandatory access controls with security labels. This is required to avoid accidental authorization or collusion. This establishes the controls needed to stop, for example, User A (color code 'purple') and User B (color code 'mauve') from establishing any unauthorized communications path with each other (e.g. virtual CTC, IUCV, Guest LAN, VSWITCH, VMCF, shared DCSS, spool, secuser, ...) 
Only users and resources of the same 'color' can be connected. This mechanism (provided by RACF) has been certified on z/VM to EAL 4+. 5. The sysprog MAY (or may not!) be authorized to manage the security subsystem or the LPAR's settings in the HMC (based, again, on Separation of Duties). This is a subject I spoke on at the zExpo, and will be speaking about again at SHARE in March. Look for "Security Zones on z/VM". Alan Altmark z/VM Development IBM Endicott
SMSG Authorization
I'm trying to SMSG the EREP guest and although I have set SMSG on, the command comes back stating that the EREP guest isn't authorized. Is there any way around this to get EREP authorized for SMSG? Will IUCV do it? So I can get EREP to execute a REXX exec from a command issued from a different virtual machine guest.

Thanks.
Re: EREP process question.
Having LRECL change does not imply that every record will change to that length. The LRECL of a V format file is the length of the longest record written. There may be only one record of length 256 in your example.

Regards,
Richard Schuh

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Ray Waters
Sent: Friday, December 05, 2008 5:37 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: EREP process question.

Howard,

Even if you clear the EREP file, or erase it, then once EREP starts accumulating data in XAEREPIO RECORD on his A disk, the records are variable length and will start to grow in length. For example, if I clear EREP, the max record size usually starts out at 114, then will grow to Max of 256 in my shop.

Ray

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Howard Rifkind
Sent: Thursday, December 04, 2008 3:32 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: EREP process question.

I'm using the EREP parameter below to go against the z/VM EREP machine. The file XAEREPIO RECORD is out there and is somewhat larger than yesterday. Shouldn't the above file be deleted by these parameters?

SYSUM ACC=Y ZERO=Y ENDPARM
Re: Configuartion question
On Friday, 12/05/2008 at 08:34 EST, Rick Troth <[EMAIL PROTECTED]> wrote:
> You've already gotten great advice.
> I would add that you do NOT need to split your workload
> between the tiers or zones. It was not completely clear to me,
> but it sounded like that was one of your expected LPAR splits.
>
> You can achieve isolation of the zones without having to run
> yet more VM partitions. You DO want to partionally isolate your
> production and test/dev, but you don't need that added complexity
> to defend a multi-tier architecture. VM insulates virtual machines
> nicely along zone boundaries. HOWEVER, selling this to your
> directors, developers, and security people might be difficult.

(Assumption: Terry was actually referring to "EAL5" when he said "UAL5")

Only LPARs provide that level of separation. EAL 5 is a reference to the quantity and quality of evidence that IBM has provided to evaluators for the separation of LPARs. In the evaluated configuration, that means no HiperSockets, no shared chpids, and no dynamic I/O.

If, rather than discussing assurance levels, we move the discussion to capability, then, yes, z/VM is capable of separating the users. However, the issue inevitably turns to enforcement. (It has each time I have had this same discussion with customers.) That is, how do you ENFORCE the rule that you cannot connect the db server directly to the Internet? Or prevent the servers in tier 1 (Apache) to get to the inTRAnet?

The only answer I have found that will consistently satisfy the Chief Security Weasel is one that says:

1. Dynamic I/O SHALL NOT be permitted to any z/VM or z/OS LPAR that is running workload. I/O SHALL be managed from a separate partition. The sysprogs may or may not have access to that partition, depending on the policy of Separation of Duties. (E.g. Only "the hardware people" can change the hardware I/O config)

2. Internet traffic SHALL be on a separate cable (because it goes to a separate switch). You SHALL NOT use VLANs to separate Internet and Intranet traffic.

3. All traffic between zones SHALL travel via a firewall that is under Network Security management control. This will typically preclude the use of IPtables on Linux and the use of HiperSockets for access to the database server. It also means that for the web server to talk to the app server the traffic leaves the box, goes through the firewall, and re-enters. (If you feel faint, sit with your head between your knees. Breathe. This is normal. You'll be fine in a few minutes.) It's ok.

4. Resource access (disks, users, spool, networks,...) SHALL be under the control of a security subsystem that implements mandatory access controls with security labels. This is required to avoid accidental authorization or collusion. This establishes the controls needed to stop, for example, User A (color code 'purple') and User B (color code 'mauve') from establishing any unauthorized communications path with each other (e.g. virtual CTC, IUCV, Guest LAN, VSWITCH, VMCF, shared DCSS, spool, secuser, ...) Only users and resources of the same 'color' can be connected. This mechanism (provided by RACF) has been certified on z/VM to EAL 4+.

5. The sysprog MAY (or may not!) be authorized to manage the security subsystem or the LPAR's settings in the HMC (based, again, on Separation of Duties).

This is a subject I spoke on at the zExpo, and will be speaking about again at SHARE in March. Look for "Security Zones on z/VM".

Alan Altmark
z/VM Development
IBM Endicott
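Rules 1 to 4 of the message above, written as a review check over a proposed configuration. This is an added example, not code from the post, z/VM or RACF; the data model (Lpar, Cable, Guest, Link), the label 'teal' and every LPAR, cable, guest and firewall name are assumptions made up for illustration.

```python
from dataclasses import dataclass

# In-box communication paths named in the post. None of them can pass through
# an external firewall, so they are only acceptable between equal labels.
IN_BOX = {"vCTC", "IUCV", "GuestLAN", "VSWITCH", "VMCF", "DCSS",
          "spool", "secuser", "HiperSockets"}


@dataclass(frozen=True)
class Lpar:
    name: str
    runs_workload: bool
    dynamic_io: bool


@dataclass(frozen=True)
class Cable:
    name: str
    networks: frozenset  # subset of {"internet", "intranet"}


@dataclass(frozen=True)
class Guest:
    name: str
    label: str  # security label ("color"); one label per zone in this model


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    kind: str            # a member of IN_BOX, or "external" (leaves the box)
    firewall: str = ""   # firewall an external path crosses, "" if none


def check(lpars, cables, guests, links, managed_firewalls):
    """Return sorted (rule, message) findings for rules 1-4 of the post."""
    findings = []
    for lp in lpars:  # rule 1
        if lp.runs_workload and lp.dynamic_io:
            findings.append((1, f"{lp.name}: dynamic I/O on a workload LPAR"))
    for c in cables:  # rule 2: a VLAN split on one cable does not count
        if {"internet", "intranet"} <= c.networks:
            findings.append((2, f"{c.name}: Internet and intranet on one cable"))
    label = {g.name: g.label for g in guests}
    for ln in links:
        if ln.kind not in IN_BOX and ln.kind != "external":
            raise ValueError(f"unknown link kind: {ln.kind!r}")
        la, lb = label.get(ln.a), label.get(ln.b)
        if la is None or lb is None:  # rule 4: everything must carry a label
            findings.append((4, f"{ln.a}-{ln.b}: endpoint without a label"))
        elif la == lb:
            continue  # same color: may be connected
        elif ln.kind in IN_BOX:  # rule 4: different colors, direct path
            findings.append(
                (4, f"{ln.a}({la})-{ln.b}({lb}): {ln.kind} across labels"))
        elif ln.firewall not in managed_firewalls:  # rule 3
            findings.append(
                (3, f"{ln.a}-{ln.b}: zone crossing not via a managed firewall"))
    return sorted(findings)


# Constructed sample configuration (all names are made up).
SAMPLE = dict(
    lpars=[Lpar("PROD1", True, True), Lpar("IOMGR", False, True)],
    cables=[Cable("OSA-A", frozenset({"internet"})),
            Cable("OSA-B", frozenset({"internet", "intranet"}))],
    guests=[Guest("WEB1", "purple"), Guest("APP1", "mauve"),
            Guest("APP2", "mauve"), Guest("DB1", "teal")],
    links=[Link("WEB1", "APP1", "external", "FW-NETSEC"),      # allowed
           Link("APP1", "APP2", "GuestLAN"),                   # allowed
           Link("APP1", "DB1", "HiperSockets"),                # rule 4
           Link("WEB1", "DB1", "external", "iptables@WEB1")],  # rule 3
    managed_firewalls={"FW-NETSEC"},
)

if __name__ == "__main__":
    for rule, message in check(**SAMPLE):
        print(f"rule {rule}: {message}")
```

Rule 5 (who may administer the security subsystem and the HMC) is a separation-of-duties decision the message leaves to local policy, so the check does not model it.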
Re: Starting an exec on a remote machine
Kris, the QDEMO/QCLIENT/QSERVER demo package of Brian's can be downloaded off of his VM web page here:

http://www.vm.ibm.com/devpages/BKW/

Look for the IPCSAMP package.

BTW, that's an intriguing idea to use CMS multitasking queues as the transport mechanism

Kris Buelens wrote:

One could also use the CMS Multitasking queues as mechanism. For the exec logic itself it would be transparent if the both users are on different systems or not. For cross-system, non SNA, support this would be required: TCP/IP line driver for CMS distributed queues.

http://www.vm.ibm.com/download/packages/descript.cgi?TLD

Instead of sockets, one'd code things like at the client:

call csl 'QueueOpen mtrc mtre qn qnl sv svl qh el'
call csl 'QueueSend mtrc mtre qh cmscmd cmdlen ko kl'

and at the server;

call csl 'QueueCreate mtrc mtre qn qnl vm_ipc_nlevel qh'
call csl 'QueueReceiveBlock mtrc mtre qh ',
         'matchkey matchkeylen timeout ',
         'cmscmd rcvbuflen cmdlen ',
         'ko kl suid spid rt'

I've got a QDEMO/QCLIENT/QSERVER example created by Brian Wade that sends a CMS command for execution, but I no longer remember where I got them from. I can send them.

2008/12/5 Rempel, Horst <[EMAIL PROTECTED]>:

Hello Howard,

I use execa in usera that will start an execb in cms-userb or a shellscript in Linux. When you do it in a pipe the execa will wait until the end of execb (or shellscript) before continuing. The pipe will write the output of execb in a file. So execa can continue depending on the content of this file.

|
'pipe cms rexec ... !',
'console !',
'>> 'remote_exec' output a'
|

This logic works well for me every night. If execb is a long running exec it's possible that you have to code a timeout for rexec. But plan carefully ! REXEC can be a security risk ! I do it in a completely isolated network.

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Howard Rifkind
Sent: Friday, 5 December 2008 00:52
To: IBMVM@LISTSERV.UARK.EDU
Subject: Starting an exec on a remote machine

I'm running exec X on cms user 'A'

I exec X has to start exec Y running on cms user 'B' and after exec Y terminates it has to return control to the exec on cms user 'A'

I could use some suggestions as to the best way to do this.

Thanks

--
DJ
V/Soft
z/VM and mainframe Linux expertise, training, consulting, and software development
www.vsoft-software.com
Re: Starting an exec on a remote machine
Thanks Alan,

After spending some time last night I found some processes, like you suggest below, which are run daily on our system to drag output from z/VM Rexx execs over to z/OS.

Thanks again...

>>> Alan Altmark <[EMAIL PROTECTED]> 12/5/2008 9:34 AM >>>
On Thursday, 12/04/2008 at 06:54 EST, Howard Rifkind <[EMAIL PROTECTED]> wrote:
> I'm running exec X on cms user 'A'
>
> I exec X has to start exec Y running on cms user 'B' and after exec Y
> terminates it has to return control to the exec on cms user 'A'
>
> I could use some suggestions as to the best way to do this.

If you're on the same VM system, REXEC is the best way to do that, assuming that user 'B' is not already logged on. REXEC has all the function to autolog a user, run a command, watch the console for output, send the output back to user A (as output from the 'rexec' command, trappable by a Pipe), and then logoff the user B. Use LOGON BY support so that User A doesn't have to know User B's password, just his own. (You can't do it using rexec without authentication. Well, you can, but then anyone could run the program in User B, not just User A.)

If you're not on the same system, life gets more difficult since rexec isn't appropriate for open network connections as it isn't encrypted. One might be tempted to rexec into a local Linux guest that uses ssh to reach the remote system and use rexec over there, piping the response all the way back to you.

This all assumes you're not wanting to write a remote execution solution yourself. If you do, just remember that you will need some sort of authentication and authorization.

Alan Altmark
z/VM Development
IBM Endicott
Re: EREP process question.
Thanks Ed.

>>> Ed Zell <[EMAIL PROTECTED]> 12/5/2008 8:31 AM >>>
Hi Howard,

That file is just a "print header" file that we use to separate the reports. Since I use 'CP SPOOL PRT CONT' everything comes out in one spool file. I wanted some kind of header to show me where one ended and the next began. You can either remove these lines, or create files with those names for separator pages.

' PRINT SYSEXN RPT-HDR (CC'
' PRINT SUMMARY RPT-HDR (CC '
' PRINT CLEARIT RPT-HDR (CC '

Here is what one of them looks like:

1 * ** ** ** ** ** SYSTEM EXCEPTION REPORT ** ** ** ** ** **

Ed Zell
Illinois Mutual Life
(309) 636-0107

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Howard Rifkind
Sent: Thursday, December 04, 2008 5:19 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: EREP process question.

Ed,

Once again thanks,

The RUNEREP exec, when it gets to the following statement: 'PRINT SYSEXN RPT-HDR (CC' states that it can't find file SYSEXN RPT-HDR

Is this really a separate file or something else. If separate could you forward a sample of the file.

Thanks

>>> Ed Zell <[EMAIL PROTECTED]> 12/4/2008 4:55 PM >>>
Howard,

Here is how we process EREP.

Operator logs on to EREP and issues #CP EXT and then responds END to the prompt.
Operator types RUNEREP to fire up the EXEC to process the data and then clear it out.
After it runs, Operator types PROFILE to start EREP back up again and then #CP DISC

/* RUNEREP EXEC PROCESS EREP DATA */
' ACC 201 C/A'
' CP SPOOL PRINTER TO SPOOLER CLASS Z NOHOLD CONT'
' PRINT SYSEXN RPT-HDR (CC'
' EXEC SYSEXN '
' PRINT SUMMARY RPT-HDR (CC '
' EXEC SUMMARY '
' PRINT CLEARIT RPT-HDR (CC '
' EXEC CLEARIT'
' CP SPOOL PRINTER CLOSE NAME EREP 12345'
' REL C'

/* SYSEXN EXEC SYSTEM EXCEPTION REPORT */
MAKEBUF
QUEUE 'SYSEXN,TABSIZE=512K,ACC=N '
QUEUE 'CPEREP'

/* SUMMARY EXEC PRODUCE SUMMARY REPORT */
MAKEBUF
QUEUE 'PRINT=SU,ACC=N,TABSIZE=100K,LINECT=60 '
QUEUE 'CPEREP'

/* CLEARIT EXEC CLEAR OUT THE FILE */
MAKEBUF
QUEUE 'PRINT=AL,ACC=N,TABSIZE=100K,LINECT=60,ZERO=Y '
QUEUE 'CPEREP'

Ed Zell
Illinois Mutual Life
(309) 636-0107

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Howard Rifkind
Sent: Thursday, December 04, 2008 3:32 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: EREP process question.

I'm using the EREP parameter below to go against the z/VM EREP machine. The file XAEREPIO RECORD is out there and is somewhat larger than yesterday. Shouldn't the above file be deleted by these parameters?

SYSUM ACC=Y ZERO=Y ENDPARM
Re: Starting an exec on a remote machine
On Thursday, 12/04/2008 at 06:54 EST, Howard Rifkind <[EMAIL PROTECTED]> wrote:
> I'm running exec X on cms user 'A'
>
> I exec X has to start exec Y running on cms user 'B' and after exec Y
> terminates it has to return control to the exec on cms user 'A'
>
> I could use some suggestions as to the best way to do this.

If you're on the same VM system, REXEC is the best way to do that, assuming that user 'B' is not already logged on. REXEC has all the function to autolog a user, run a command, watch the console for output, send the output back to user A (as output from the 'rexec' command, trappable by a Pipe), and then logoff the user B. Use LOGON BY support so that User A doesn't have to know User B's password, just his own. (You can't do it using rexec without authentication. Well, you can, but then anyone could run the program in User B, not just User A.)

If you're not on the same system, life gets more difficult since rexec isn't appropriate for open network connections as it isn't encrypted. One might be tempted to rexec into a local Linux guest that uses ssh to reach the remote system and use rexec over there, piping the response all the way back to you.

This all assumes you're not wanting to write a remote execution solution yourself. If you do, just remember that you will need some sort of authentication and authorization.

Alan Altmark
z/VM Development
IBM Endicott
Re: Configuartion question
On Thursday, 12/04/2008 at 09:00 EST, "Martin, Terry R. (CMS/CTR) (CTR)" <[EMAIL PROTECTED]> wrote:
> We are moving toward taking our POC into production. This workload is moving
> from Solaris running UNIX. The environment is 3 zone architecture. Our client's
> business requirements calls for this 3 zone environment to remain separated. It
> requires UAL5 security level.

Did you mean Common Criteria EAL 5? (I can't find any relevant reference to "UAL".) If you actually meant "UAL5", can you point me to a reference?

Alan Altmark
z/VM Development
IBM Endicott
Re: Configuration question
Terry,

I am pretty sure the Shop I work for now talked to Marcy.

We have 2 Production z/VM Lpars with 20 Production LINUX guests
We have 1 Development z/VM lpar with 60 Test/Development LINUX guests
We have 1 Play Ground z/VM lpar with 5 LINUX guests - where a 2nd level z/VM runs for upgrades and maintenance and where LINUX upgrades and patches are applied and first tested

along with 3 z/OS LPARs: Prod, Dev, and Test

It works very nicely for us

Bill Munson
Brown Brothers Harriman
Sr. z/VM Systems Programmer
201-418-7588
President MVMUA
http://www2.marist.edu/~mvmua/

Marcy Cortes <[EMAIL PROTECTED]>
Sent by: The IBM z/VM Operating System
12/04/2008 09:22 PM
Please respond to The IBM z/VM Operating System
To: IBMVM@LISTSERV.UARK.EDU
cc:
Subject: Re: Configuartion question

Terry wrote: "We are moving toward taking our POC into production."

Good job!

If I had my druthers and had only 1 box, I would have a systems programmers LPAR (mine mine mine), a LPAR that ran all of test/dev linuxen, and 1 prod LPAR that ran all of prod. If you do have servers that can't go down very often, run 2 prod lpars, make them acquire a server on each (at least) and figure how some failover (active-active or active-standby). Better if that 2nd prod lpar can be on another box entirely, but if it can't, you'll still have all your capacity if you lose 1 VM lpar due to some VM error (or VM person's error).

I'm not sure how your EUAL5 requirements fit in, but you can do lots of things with multiple OSAs, VSWITCHs, VLAN tagging, firewalls, etc.

Marcy (with too many LPARs)

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Martin, Terry R. (CMS/CTR) (CTR)
Sent: Thursday, December 04, 2008 5:57 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: [IBMVM] Configuartion question

Hi

We are moving toward taking our POC into production. This workload is moving from Solaris running UNIX. The environment is 3 zone architecture. Our client's business requirements call for this 3 zone environment to remain separated. It requires UAL5 security level. To this end we have six LPARS each sharing 7 IFLS with plenty of real memory on each. One of the six LPARS is our test LPAR that will have multiple levels of VM for testing and such.

My question: some of our folks believe that this is an excessive number of LPARS and that it defeats the purpose of VM. Now I understand how VM works and its ability to virtualize, reducing the need for large LPAR configurations. I know that we could, let's say, combine our PROD and VAL/DEV environments that are currently running in separate LPARS into one LPAR and run a second LEVEL VM for the VAL/DEV. My contention is that if it is what is needed to fit the business requirements of the client then having six LPARS is not catastrophic. We have plans for another 16 z/Linux guests to run in the existing configuration in the next few months not requiring additional LPARS.

I am not an LPAR bigot. Can anyone comment in general on the pros and cons of running LPARS as opposed to running the multiple environments under one LPAR and getting separation logically by having multi levels of VM rather than physical separation by having the environments running under a single level of VM?

In the end it probably will not matter if the client insists that we need to proceed as we are. Just trying to get a perspective of those who are more experienced than myself!!

Thanks,
Terry
Re: EREP process question.
Howard,

Even if you clear the EREP file, or erase it, then once EREP starts accumulating data in XAEREPIO RECORD on his A disk, the records are variable length and will start to grow in length. For example, if I clear EREP, the max record size usually starts out at 114, then will grow to Max of 256 in my shop.

Ray

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Howard Rifkind
Sent: Thursday, December 04, 2008 3:32 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: EREP process question.

I'm using the EREP parameter below to go against the z/VM EREP machine. The file XAEREPIO RECORD is out there and is somewhat larger than yesterday. Shouldn't the above file be deleted by these parameters?

SYSUM ACC=Y ZERO=Y ENDPARM
Re: Configuartion question
Terry -- You've already gotten great advice. I would add that you do NOT need to split your workload between the tiers or zones. It was not completely clear to me, but it sounded like that was one of your expected LPAR splits. You can achieve isolation of the zones without having to run yet more VM partitions. You DO want to partionally isolate your production and test/dev, but you don't need that added complexity to defend a multi-tier architecture. VM insulates virtual machines nicely along zone boundaries. HOWEVER, selling this to your directors, developers, and security people might be difficult. -- Rick; <><
Re: EREP process question.
Hi Howard,

That file is just a "print header" file that we use to separate the reports. Since I use 'CP SPOOL PRT CONT' everything comes out in one spool file. I wanted some kind of header to show me where one ended and the next began. You can either remove these lines, or create files with those names for separator pages.

' PRINT SYSEXN RPT-HDR (CC'
' PRINT SUMMARY RPT-HDR (CC '
' PRINT CLEARIT RPT-HDR (CC '

Here is what one of them looks like:

1 * ** ** ** ** ** SYSTEM EXCEPTION REPORT ** ** ** ** ** **

Ed Zell
Illinois Mutual Life
(309) 636-0107

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Howard Rifkind
Sent: Thursday, December 04, 2008 5:19 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: EREP process question.

Ed,

Once again thanks,

The RUNEREP exec, when it gets to the following statement: 'PRINT SYSEXN RPT-HDR (CC' states that it can't find file SYSEXN RPT-HDR

Is this really a separate file or something else. If separate could you forward a sample of the file.

Thanks

>>> Ed Zell <[EMAIL PROTECTED]> 12/4/2008 4:55 PM >>>
Howard,

Here is how we process EREP.

Operator logs on to EREP and issues #CP EXT and then responds END to the prompt.
Operator types RUNEREP to fire up the EXEC to process the data and then clear it out.
After it runs, Operator types PROFILE to start EREP back up again and then #CP DISC

/* RUNEREP EXEC PROCESS EREP DATA */
' ACC 201 C/A'
' CP SPOOL PRINTER TO SPOOLER CLASS Z NOHOLD CONT'
' PRINT SYSEXN RPT-HDR (CC'
' EXEC SYSEXN '
' PRINT SUMMARY RPT-HDR (CC '
' EXEC SUMMARY '
' PRINT CLEARIT RPT-HDR (CC '
' EXEC CLEARIT'
' CP SPOOL PRINTER CLOSE NAME EREP 12345'
' REL C'

/* SYSEXN EXEC SYSTEM EXCEPTION REPORT */
MAKEBUF
QUEUE 'SYSEXN,TABSIZE=512K,ACC=N '
QUEUE 'CPEREP'

/* SUMMARY EXEC PRODUCE SUMMARY REPORT */
MAKEBUF
QUEUE 'PRINT=SU,ACC=N,TABSIZE=100K,LINECT=60 '
QUEUE 'CPEREP'

/* CLEARIT EXEC CLEAR OUT THE FILE */
MAKEBUF
QUEUE 'PRINT=AL,ACC=N,TABSIZE=100K,LINECT=60,ZERO=Y '
QUEUE 'CPEREP'

Ed Zell
Illinois Mutual Life
(309) 636-0107

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Howard Rifkind
Sent: Thursday, December 04, 2008 3:32 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: EREP process question.

I'm using the EREP parameter below to go against the z/VM EREP machine. The file XAEREPIO RECORD is out there and is somewhat larger than yesterday. Shouldn't the above file be deleted by these parameters?

SYSUM ACC=Y ZERO=Y ENDPARM
Re: Starting an exec on a remote machine
One could also use the CMS Multitasking queues as a mechanism. For the exec logic itself it would be transparent if both users are on different systems or not.

For cross-system, non-SNA, support this would be required: TCP/IP line driver for CMS distributed queues.
http://www.vm.ibm.com/download/packages/descript.cgi?TLD

Instead of sockets, one'd code things like at the client:

    call csl 'QueueOpen mtrc mtre qn qnl sv svl qh el'
    call csl 'QueueSend mtrc mtre qh cmscmd cmdlen ko kl'

and at the server:

    call csl 'QueueCreate mtrc mtre qn qnl vm_ipc_nlevel qh'
    call csl 'QueueReceiveBlock mtrc mtre qh ',
             'matchkey matchkeylen timeout ',
             'cmscmd rcvbuflen cmdlen ',
             'ko kl suid spid rt'

I've got a QDEMO/QCLIENT/QSERVER example created by Brian Wade that sends a CMS command for execution, but I no longer remember where I got them from. I can send them.

2008/12/5 Rempel, Horst <[EMAIL PROTECTED]>:
> Hello Howard,
> I use execa in usera that will start an execb in cms-userb or a shell script
> in Linux.
> When you do it in a pipe the execa will wait until the end of execb (or
> shell script) before continuing.
> The pipe will write the output of execb in a file.
> So execa can continue depending on the content of this file.
>
> |
> 'pipe cms rexec ... !',
> 'console !',
> '>> 'remote_exec' output a'
> |
>
> This logic works well for me every night.
> If execb is a long running exec it's possible that you have to code a timeout
> for rexec.
> But plan carefully! REXEC can be a security risk!
> I do it in a completely isolated network.
>
> From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
> Behalf Of Howard Rifkind
> Sent: Friday, December 5, 2008 00:52
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: Starting an exec on a remote machine
>
> I'm running exec X on cms user 'A'
>
> I exec X has to start exec Y running on cms user 'B' and after exec Y
> terminates it has to return control to the exec on cms user 'A'
>
> I could use some suggestions as to the best way to do this.
>
> Thanks

-- Kris Buelens, IBM Belgium, VM customer support
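A server that runs commands received over a queue, as in the post above, can vet each request before executing it. The REXX below is an added example, not part of the original post and not the QSERVER code it mentions; it assumes suid is the sender's user ID and cmscmd the command text returned by the server-side receive call, and the allowlists, sample requests and the CheckRequest routine are hypothetical.

```rexx
/* Added example: vet a request before a queue server runs it.        */
/* Assumption: suid is the sender's user ID and cmscmd the command    */
/* text from the server-side receive call shown in the post above.    */
/* The allowlists and the CheckRequest routine are hypothetical.      */

senders = 'USERA OPERATNS'            /* user IDs allowed to submit   */
execs   = 'EXECB NIGHTLY'             /* execs they may start         */

/* Constructed sample requests: sender first, then the command text   */
req.1 = 'USERA execb weekly'
req.2 = 'GUEST1 execb weekly'
req.3 = 'USERA erase profile exec a'
req.4 = 'USERA execb a;b'
req.0 = 4

do i = 1 to req.0
  parse var req.i suid cmscmd
  verdict = CheckRequest(suid, cmscmd)
  say left(suid, 9) left(cmscmd, 28) verdict
  /* A real server would execute the command only when the verdict    */
  /* is OK, and log every rejected request together with its sender.  */
end
exit 0

CheckRequest: procedure expose senders execs
  parse arg suid, cmscmd
  safe = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 '
  suid = translate(strip(suid))       /* upper case, no padding       */
  cmd  = translate(space(cmscmd))     /* upper case, single blanks    */
  /* whole-word match, so a partial user ID never passes              */
  if wordpos(suid, senders) = 0 then return 'REJECT sender not authorized'
  if cmd = '' then return 'REJECT empty command'
  /* refuse anything outside letters, digits and blanks               */
  if verify(cmd, safe) > 0 then return 'REJECT unexpected character'
  /* only the first word selects the program; it must be allowlisted  */
  if wordpos(word(cmd, 1), execs) = 0 then return 'REJECT exec not allowed'
  return 'OK'
```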
AW: Starting an exec on a remote machine
Hello Howard,
I use execa in usera that will start an execb in cms-userb or a shell script in Linux.
When you do it in a pipe the execa will wait until the end of execb (or shell script) before continuing.
The pipe will write the output of execb in a file.
So execa can continue depending on the content of this file.

|
'pipe cms rexec ... !',
'console !',
'>> 'remote_exec' output a'
|

This logic works well for me every night.
If execb is a long running exec it's possible that you have to code a timeout for rexec.
But plan carefully! REXEC can be a security risk!
I do it in a completely isolated network.

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Howard Rifkind
Sent: Friday, December 5, 2008 00:52
To: IBMVM@LISTSERV.UARK.EDU
Subject: Starting an exec on a remote machine

I'm running exec X on cms user 'A'

I exec X has to start exec Y running on cms user 'B' and after exec Y terminates it has to return control to the exec on cms user 'A'

I could use some suggestions as to the best way to do this.

Thanks

_
LEGAL NOTICE
Unless expressly stated otherwise, this message is confidential and may be privileged. It is intended for the addressee(s) only. Access to this E-mail by anyone else is unauthorized. If you are not an addressee, any disclosure or copying of the contents of this E-mail or any action taken (or not taken) in reliance on it is unauthorized and may be unlawful. If you are not an addressee, please inform the sender immediately, then delete this message and empty from your trash.
Re: Configuration question
To test/install a new VM level, I'd use a second-level VM system, no need to devote an LPAR to it. I still find it easier that one can use the host level VM; the main reasons:
- to provide the network to be able to log on to the second-level VM:
  -- no access to the HMC required to start it up
  -- even if TCP/IP in the second-level fails, I have access
- the second-level system can easily get (R/O) access to selected minidisks of the host VM with a simple CP LINK command, which enables fixing errors in the second-level, and facilitates preparing put in production.

However, testing Linuxes (or other guests) in a second-level VM system would incur high CPU overhead.

I used such a setup the 20 years I spent with my customer, but I didn't have anything else than CMS users; my SW test & installation VM system ran as guest under the main VM production system. It never caused problems. All sysprogs used this test system to install SW.

-- Kris Buelens, IBM Belgium, VM customer support