Don India - Out of Office
I will be out of the office starting 03/20/2009 and will not return until 03/23/2009. I will be out of the office Friday, March 20th with no access to email or voicemail. If your matter is urgent, please contact John Sutera at 913 535 5133. I will be returning on Monday March 23rd.
today in VM history
Hi, gang. Guess what's 30 years old today? Here' a hint.it starts with R and rhymes with -ex. :-) -- DJ V/Soft z/VM and mainframe Linux expertise, training, consulting, and software development www.vsoft-software.com
Re: New CMS based SSLSERV problem... DTCSSL300E
Hi Dennis, What you want to do (augment an existing tag value) can't be done using j ust DTCPARMS-defined tags and values, because (for a given :type.server and :type.class pairing) any tag present in the 'server' entry overrides any same-named tag that exists in the corresponding 'class' entry -- the valu es for the two tags are not combined. When I first saw your question, I had also intended to suggest use of the TCPRUNXT exit, but with it, you can't really do exactly what you've descr ibed... You can supply additional (or, replacement) tag/value overrides via the e xit (with some limitations, based on the exit call type -- SETUP or BEGIN), b ut there is no information provided with the current interface that allows inspection of the set of tags and values 'known' by TCPRUN at the point o f either call type. So, you can't modify or augment a tag value based on i ts current value. This is a design point that limits some usefulness of the exit, at least with respect to what you want to do. If you see the need for this capability, a formal request would be the avenue to pursue it. Though, having now given this some thought, there is likely a way to use the TCPRUNXT server exit (with a few updates) that would allow what you're interested in doing. I'll contact you off-line, after I've had a chance to see if my ideas for doing this pan out... Regards, Mark Cibula (z/VM TCP/IP Support)
Re: TN3270 emulator for Windows
h3270 is web based, and requires no local installation at all. See h3270.sourceforge.net. Also works on non-Windows systems...8-) On 3/20/09 8:49 AM, Westlund, Mats (Mainframe servers) mats.westl...@hp.com wrote: Do anyone know if there is a TN3270 emulator for Windows that can be installed and run from an USB-Stick without any updates on the PC windows registry or files stored at the PC harddrive. Mats Westlund HP Sverige AB
Re: TN3270 emulator for Windows
The x3270 package from State of Alaska is here http://www.state.ak.us/tssfiles/ I use the x3270 version because of the iso fonts, I cannot get the others to work. The c3270 version is a smaller footprint but my smallest USB-drive is now 128M and the x3270 version fits just fine. The changes necessary to make it work from an arbitrary subdirectory is t o edit the startx3270.bat in whatever directory you install it in, and chan ge the CYGWIN_ROOT=\x3270 to CYGWIN_ROOT=%CD% and change C:/x3270 to %CD%. Save that and run it to start the x-windows server and one 3270 session. To run more 3270 sessions, modify the newx3270.bat file, replacing \x327 0 with %CD% and run that for each additional 3270 session. /Tom Kern /301-903-2211 On Fri, 20 Mar 2009 12:49:59 +, Westlund, Mats (Mainframe servers) mats.westl...@hp.com wrote: Do anyone know if there is a TN3270 emulator for Windows that can be installed and run from an USB-Stick without any updates on the PC windows registry or files stored at the PC harddrive. Mats Westlund HP Sverige AB = ===
Re: today in VM history
...and 30 years ago, it rhymed with -ex not -exx. At least that was the case with the IBM internal version of what rhymed with -ex. Jim Dave Jones wrote: Hi, gang. Guess what's 30 years old today? Here' a hint.it starts with R and rhymes with -ex. :-) -- Jim Bohnsack Cornell University (972) 596-6377 home/office (972) 342-5823 cell jab...@cornell.edu
Re: SHUTDOWN REIPL
That will work, but doing so will cause the entire lists of consoles and emergency consoles to be ignored. That was not what we really wanted. Regards, Richard Schuh -Original Message- From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Marcy Cortes Sent: Thursday, March 19, 2009 3:39 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: SHUTDOWN REIPL Do you have a local address for yourself via OSA-ICC,9074, or something else? We have been known to deal with the long distance and busy ops this way: shutdown reipl iplparms cons=0315where 315 is my local session and then once you get the sapl screen put prompt cons=0315 So you have the whole thing yourself? When done, xautolog operator on nnn or just another shutdown reipl with the defaults. Marcy This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Schuh, Richard Sent: Thursday, March 19, 2009 3:15 PM To: IBMVM@LISTSERV.UARK.EDU Subject: [IBMVM] SHUTDOWN REIPL Is there any way short of updating SYSTEM CONFIG and reordering the page volumes to coax SHUTDOWN REIPL to not automatically perform a warm start. Having to involve operators who are 3000 miles away, and normally very busy, in the process is sometimes difficult (paperwork) and time consuming. Having the capability of entering NOAUTO would sometimes be very convenient. Regards, Richard Schuh
Re: SHUTDOWN REIPL
Please note the excerpt from your post included below, particularly the part about CP bounce processing. Regards, Richard Schuh The PROMPT parameter is only valid for the SAPL screen. This parameter is not acknowledged during CP bounce processing (SHUTDOWN REIPL or restarting after an abend). ---snip---
Re: SHUTDOWN REIPL
Yes, Dennis pointed the error of my post last night. That's what I get for trying to rush just one last helpful reply before leaving for the day (and... for not actually READING the doc!) sigh Consider my error as an Aw Sh.., uh, ahem, Shucks, wiping out both actually correct and helpful posts I've made of the years. :-( Mike Walter Hewitt Associates Any opinions expressed herein are mine alone and do not necessarily represent the opinions or policies of Hewitt Associates. Schuh, Richard rsc...@visa.com Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU 03/20/2009 10:45 AM Please respond to The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU To IBMVM@LISTSERV.UARK.EDU cc Subject Re: SHUTDOWN REIPL Please note the excerpt from your post included below, particularly the part about CP bounce processing. Regards, Richard Schuh The PROMPT parameter is only valid for the SAPL screen. This parameter is not acknowledged during CP bounce processing (SHUTDOWN REIPL or restarting after an abend). ---snip--- The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.
Re: SHUTDOWN REIPL
No problem. Most of you, uh, us have done similar things over the years. I was reading my e-mail in order of receipt and had not yet paged to the point where I could see that Dennis had already corrected you :-) Regards, Richard Schuh From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Mike Walter Sent: Friday, March 20, 2009 9:09 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: SHUTDOWN REIPL Yes, Dennis pointed the error of my post last night. That's what I get for trying to rush just one last helpful reply before leaving for the day (and... for not actually READING the doc!) sigh Consider my error as an Aw Sh.., uh, ahem, Shucks, wiping out both actually correct and helpful posts I've made of the years. :-( Mike Walter Hewitt Associates Any opinions expressed herein are mine alone and do not necessarily represent the opinions or policies of Hewitt Associates. Schuh, Richard rsc...@visa.com Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU 03/20/2009 10:45 AM Please respond to The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU To IBMVM@LISTSERV.UARK.EDU cc Subject Re: SHUTDOWN REIPL Please note the excerpt from your post included below, particularly the part about CP bounce processing. Regards, Richard Schuh The PROMPT parameter is only valid for the SAPL screen. This parameter is not acknowledged during CP bounce processing (SHUTDOWN REIPL or restarting after an abend). ---snip--- The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.
Re: today in VM history
it starts with R and rhymes with -ex. :-) What: Rolex? Is that brand only 30 years old? Really? Wow, it seems older. ;-) It really IS Friday. And it's the first day of spring today, too -- a double-dipping delight! A little VM rexx history from my misty memory: Ted Johnston of SLAC once told me late one night at SHARE that SLAC was an early tester of a new IBM processor (or was it a language?). They worked closely with IBM to get it working. When it reached GA, a grateful IBM asked if there was anything they could do in return. SLAC asked that the Rex code be released to all customers as a component of CMS. And then there was light... :-) Thank both Mike Cowlishaw and whomever at SLAC convinced IBM to make Rex publically available as Rexx. For more details about REXX's history, along with an incredible history of VM, read Melinda Varian's thorough paper VM and the VM Community: Past, Present, and Future, currently at: http://www.princeton.edu/~melinda/25paper.pdf Mike Walter Hewitt Associates Any opinions expressed herein are mine alone and do not necessarily represent the opinions or policies of Hewitt Associates. Jim Bohnsack jab...@cornell.edu Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU 03/20/2009 10:14 AM Please respond to The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU To IBMVM@LISTSERV.UARK.EDU cc Subject Re: today in VM history ...and 30 years ago, it rhymed with -ex not -exx. At least that was the case with the IBM internal version of what rhymed with -ex. Jim Dave Jones wrote: Hi, gang. Guess what's 30 years old today? Here' a hint.it starts with R and rhymes with -ex. :-) -- Jim Bohnsack Cornell University (972) 596-6377 home/office (972) 342-5823 cell jab...@cornell.edu The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.
Re: TN3270 emulator for Windows
On 3/20/2009 at 8:49 AM, Westlund, Mats (Mainframe servers) mats.westl...@hp.com wrote: Do anyone know if there is a TN3270 emulator for Windows that can be installed and run from an USB-Stick without any updates on the PC windows registry or files stored at the PC harddrive. You could do that with Cygwin's x3270 package. It would require more than just that single package though. Or you can do as I did, and just install an entire Linux system on the USB stick and boot that up. I tried it out on a few other people's machines at SHARE and it worked quite nicely. Mark Post
Re: today in VM history
Mike Walter wrote: [snip] For more details about REXX's history, along with an incredible history of VM, read Melinda Varian's thorough paper VM and the VM Community: Past, Present, and Future, currently at: http://www.princeton.edu/~melinda/25paper.pdf And believe it or not, today is Melinda's birthday as well. :-) Mike Walter Hewitt Associates Any opinions expressed herein are mine alone and do not necessarily represent the opinions or policies of Hewitt Associates. -- DJ V/Soft z/VM and mainframe Linux expertise, training, consulting, and software development www.vsoft-software.com
BFS SSLSERV question
I have a dumb question and a long posting. Sorry. We have SSLSERV working on our 2nd lvl z/VM 5.4 system, the one I loaded from the IBM DDR. I always bring up a new release on a 2nd level id and then move code piece by piece to our production systems. Almost everything is moved, but I am up against a brick wall with SSLSERV. I think it is a problem with BFS and my total lack of knowledge about BFS. I've never used BFS, so I suspect that I'm just missing something very obvious to anyone who knows anything at all about BFS. The GSKADMIN and SSLSERV userid's are defined along with the RACF SECURITY class as it was in the RACF db from IBM. GSKADMIN and SSLSERV are connected to SECURITY. I've done the rac alu sslserv ovm(uid(7)), rac alu gskadmin ovm(uid(6)), and rac alg security ovm(gid(7)). The directory entries for GSKADMIN and SSLSERV have the following POSIXINFO entries, respectively: POSIXINFO UID 6 GNAME security POSIXINFO UID 7 GNAME security Where I seem to be having a problem is in following the step by step procedures in chapter 20 of TCP/IP Plng and Cust. Step 4B sends me to Ch 15 of the TCPIP LDAP Admin. Guide. When I logon to GSKADMIN to use GSKKYMAN to create a new database, I get the messages: Profile..: Setting up BFS environment... Profile..: Determining what is currently mounted... Nothing is mounted Profile..: Mounting root file system... Profile..: Mounting GSKSSLDB file space at: /etc/gskadm/ Object does not exist: '/etc/gskadm/' Profile-- Unexpected error from command: OPENVM MOUNT /../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm/ Profile..: RC = 28 Ready; T=0.04/0.07 09:16:20 which I guess are reasonable because I haven't created the database yet. GSKKYMAN gives me the database menu and my replies are as follows: Enter key database name (press ENTER to return to menu): /etc/gskADM/KeyDBT.kdb Enter database password (press ENTER to return to menu): Re-enter database password: Enter password expiration in days (press ENTER for no expiration): Enter database record length (press ENTER to use 5000): Unable to create database /etc/gskADM/KeyDBT.kdb. Status 0x0335303f - Database open failed. Press ENTER to continue. This is the point, above, where the results are different from doing this on the 2nd lvl system from IBM. DTCPARMS has the following :nick.SSL entry: :nick.SSL :type.class :name.SSL daemon :command.VMSSL :runtime.C :diskwarn.YES :Admin_ID_list.JAB282 MAB GSKADMIN :memory.256M :mixedcaseparms.YES :mount. /../VMBFS:VMSYS:ROOT/ / , /../VMBFS:VMSYS:SSLSERV/ /tmp , /../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm I'm sure that what is wrong to anyone who knows anything about BFS, but that excludes me. I would appreciate any help. Jim -- Jim Bohnsack Cornell University (972) 596-6377 home/office (972) 342-5823 cell jab...@cornell.edu
Re: BFS SSLSERV question
Jim, Did you enroll the ROOT, SSLSERV, and GSKSSLDB BFS filespaces in your SFS server? Did you create the objects that go in those filespaces? Take a look at your starter system to see what they should look like. I did my z/VM 5.4.0 upgrade by rotating in a new sysres set, so all that was done for me. Dennis O'Brien 39,516 -Original Message- From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Jim Bohnsack Sent: Friday, March 20, 2009 10:13 To: IBMVM@LISTSERV.UARK.EDU Subject: [IBMVM] BFS SSLSERV question I have a dumb question and a long posting. Sorry. We have SSLSERV working on our 2nd lvl z/VM 5.4 system, the one I loaded from the IBM DDR. I always bring up a new release on a 2nd level id and then move code piece by piece to our production systems. Almost everything is moved, but I am up against a brick wall with SSLSERV. I think it is a problem with BFS and my total lack of knowledge about BFS. I've never used BFS, so I suspect that I'm just missing something very obvious to anyone who knows anything at all about BFS. The GSKADMIN and SSLSERV userid's are defined along with the RACF SECURITY class as it was in the RACF db from IBM. GSKADMIN and SSLSERV are connected to SECURITY. I've done the rac alu sslserv ovm(uid(7)), rac alu gskadmin ovm(uid(6)), and rac alg security ovm(gid(7)). The directory entries for GSKADMIN and SSLSERV have the following POSIXINFO entries, respectively: POSIXINFO UID 6 GNAME security POSIXINFO UID 7 GNAME security Where I seem to be having a problem is in following the step by step procedures in chapter 20 of TCP/IP Plng and Cust. Step 4B sends me to Ch 15 of the TCPIP LDAP Admin. Guide. When I logon to GSKADMIN to use GSKKYMAN to create a new database, I get the messages: Profile..: Setting up BFS environment... Profile..: Determining what is currently mounted... Nothing is mounted Profile..: Mounting root file system... Profile..: Mounting GSKSSLDB file space at: /etc/gskadm/ Object does not exist: '/etc/gskadm/' Profile-- Unexpected error from command: OPENVM MOUNT /../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm/ Profile..: RC = 28 Ready; T=0.04/0.07 09:16:20 which I guess are reasonable because I haven't created the database yet. GSKKYMAN gives me the database menu and my replies are as follows: Enter key database name (press ENTER to return to menu): /etc/gskADM/KeyDBT.kdb Enter database password (press ENTER to return to menu): Re-enter database password: Enter password expiration in days (press ENTER for no expiration): Enter database record length (press ENTER to use 5000): Unable to create database /etc/gskADM/KeyDBT.kdb. Status 0x0335303f - Database open failed. Press ENTER to continue. This is the point, above, where the results are different from doing this on the 2nd lvl system from IBM. DTCPARMS has the following :nick.SSL entry: :nick.SSL :type.class :name.SSL daemon :command.VMSSL :runtime.C :diskwarn.YES :Admin_ID_list.JAB282 MAB GSKADMIN :memory.256M :mixedcaseparms.YES :mount. /../VMBFS:VMSYS:ROOT/ / , /../VMBFS:VMSYS:SSLSERV/ /tmp , /../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm I'm sure that what is wrong to anyone who knows anything about BFS, but that excludes me. I would appreciate any help. Jim -- Jim Bohnsack Cornell University (972) 596-6377 home/office (972) 342-5823 cell jab...@cornell.edu
Re: New CMS based SSLSERV problem... DTCSSL300E
Mark, Thanks, but I think we're getting to a point where the solution is more trouble than the original problem. I'll just set a standard MAXSESSIONS value that's big enough for our largest system. That will be bigger than what our test systems need, but at least we will be testing the same value that we use in production. The alternative would be to maintain the list of exempt cipher suites in the node-specific file. While changing it on every system would be a pain, I don't expect it to change often. Dennis O'Brien 39,516 -Original Message- From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Mark Cibula Sent: Friday, March 20, 2009 06:53 To: IBMVM@LISTSERV.UARK.EDU Subject: Re: [IBMVM] New CMS based SSLSERV problem... DTCSSL300E Hi Dennis, What you want to do (augment an existing tag value) can't be done using j ust DTCPARMS-defined tags and values, because (for a given :type.server and :type.class pairing) any tag present in the 'server' entry overrides any same-named tag that exists in the corresponding 'class' entry -- the valu es for the two tags are not combined. When I first saw your question, I had also intended to suggest use of the TCPRUNXT exit, but with it, you can't really do exactly what you've descr ibed... You can supply additional (or, replacement) tag/value overrides via the e xit (with some limitations, based on the exit call type -- SETUP or BEGIN), b ut there is no information provided with the current interface that allows inspection of the set of tags and values 'known' by TCPRUN at the point o f either call type. So, you can't modify or augment a tag value based on i ts current value. This is a design point that limits some usefulness of the exit, at least with respect to what you want to do. If you see the need for this capability, a formal request would be the avenue to pursue it. Though, having now given this some thought, there is likely a way to use the TCPRUNXT server exit (with a few updates) that would allow what you're interested in doing. I'll contact you off-line, after I've had a chance to see if my ideas for doing this pan out... Regards, Mark Cibula (z/VM TCP/IP Support)
Re: BFS SSLSERV question
On Friday, 03/20/2009 at 01:13 EDT, Jim Bohnsack jab...@cornell.edu wrote: I have a dumb question and a long posting. Sorry. We have SSLSERV working on our 2nd lvl z/VM 5.4 system, the one I loaded from the IBM DDR. I always bring up a new release on a 2nd level id and then move code piece by piece to our production systems. Almost everything is moved, but I am up against a brick wall with SSLSERV. I think it is a problem with BFS and my total lack of knowledge about BFS. I've never used BFS, so I suspect that I'm just missing something very obvious to anyone who knows anything at all about BFS. The GSKADMIN and SSLSERV userid's are defined along with the RACF SECURITY class as it was in the RACF db from IBM. GSKADMIN and SSLSERV are connected to SECURITY. I've done the rac alu sslserv ovm(uid(7)), rac alu gskadmin ovm(uid(6)), and rac alg security ovm(gid(7)). The directory entries for GSKADMIN and SSLSERV have the following POSIXINFO entries, respectively: POSIXINFO UID 6 GNAME security POSIXINFO UID 7 GNAME security Just as a reminder: Did you update HCPRWA to specify ICHNGMAX value 0? If you didn't, RACF is not in charge of POSIX UID/GIDs. Where I seem to be having a problem is in following the step by step procedures in chapter 20 of TCP/IP Plng and Cust. Step 4B sends me to Ch 15 of the TCPIP LDAP Admin. Guide. When I logon to GSKADMIN to use GSKKYMAN to create a new database, I get the messages: Profile..: Mounting root file system... Profile..: Mounting GSKSSLDB file space at: /etc/gskadm/ Object does not exist: '/etc/gskadm/' Profile-- Unexpected error from command: OPENVM MOUNT /../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm/ Profile..: RC = 28 Ready; T=0.04/0.07 09:16:20 which I guess are reasonable because I haven't created the database yet. No, not reasonable. It's not going after files, it's going after directories that were created by LOADBFS. Since it works on your 2nd level system, I would guess that you didn't import the GSKSSLDB and SSLSERV filespaces into your first-level VMSYS filepool via FILEPOOL UNLOAD and FILEPOOL RELOAD. Alan Altmark z/VM Development IBM Endicott
Re: BFS SSLSERV question
I cannot say enough good about how Endicott implemented OpenVM ... now some 15+ years ago. The way the POSIX info is rolled into the CP Dir is spot on. There are issues, notably performance concerns and a gross lack of attention (thanks to the distracting popularity of Linux on VM). But the core features of POSIX on VM are truly outstanding. Okay ... but it is still a little weird for old CMS hacks. Sorry. I see you've gotten some good recommendations, better than I could give (not knowing the SSL server, though I do know BFS a little). The object does not exist message sounds like the directory over which GSKKYMAN wants to mount the filespace is simply not there. If you did not fully populate the OpenVM stuff, then yeah, a lot of stuff could be missing which is assumed (in Unix) to always be present. A good pre-req test would be to confirm that openvm shell works, prior to adding any other products to BFS land. You could then ls -la /etc from that shell and see if gskadm actually exists. So ... just addressing this one error message, when a filespace (other than the root) gets mounted, the mount point directory must already exist. (Should typically be empty.) And, of course, all this stuff is CaSe SeNsItIvE. I hope this helps. -- R; On Fri, Mar 20, 2009 at 1:12 PM, Jim Bohnsack jab...@cornell.edu wrote: I have a dumb question and a long posting. Sorry. We have SSLSERV working on our 2nd lvl z/VM 5.4 system, the one I loaded from the IBM DDR. I always bring up a new release on a 2nd level id and then move code piece by piece to our production systems. Almost everything is moved, but I am up against a brick wall with SSLSERV. I think it is a problem with BFS and my total lack of knowledge about BFS. I've never used BFS, so I suspect that I'm just missing something very obvious to anyone who knows anything at all about BFS. The GSKADMIN and SSLSERV userid's are defined along with the RACF SECURITY class as it was in the RACF db from IBM. GSKADMIN and SSLSERV are connected to SECURITY. I've done the rac alu sslserv ovm(uid(7)), rac alu gskadmin ovm(uid(6)), and rac alg security ovm(gid(7)). The directory entries for GSKADMIN and SSLSERV have the following POSIXINFO entries, respectively: POSIXINFO UID 6 GNAME security POSIXINFO UID 7 GNAME security Where I seem to be having a problem is in following the step by step procedures in chapter 20 of TCP/IP Plng and Cust. Step 4B sends me to Ch 15 of the TCPIP LDAP Admin. Guide. When I logon to GSKADMIN to use GSKKYMAN to create a new database, I get the messages: Profile..: Setting up BFS environment... Profile..: Determining what is currently mounted... Nothing is mounted Profile..: Mounting root file system... Profile..: Mounting GSKSSLDB file space at: /etc/gskadm/ Object does not exist: '/etc/gskadm/' Profile-- Unexpected error from command: OPENVM MOUNT /../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm/ Profile..: RC = 28 Ready; T=0.04/0.07 09:16:20 which I guess are reasonable because I haven't created the database yet. GSKKYMAN gives me the database menu and my replies are as follows: Enter key database name (press ENTER to return to menu): /etc/gskADM/KeyDBT.kdb Enter database password (press ENTER to return to menu): Re-enter database password: Enter password expiration in days (press ENTER for no expiration): Enter database record length (press ENTER to use 5000): Unable to create database /etc/gskADM/KeyDBT.kdb. Status 0x0335303f - Database open failed. Press ENTER to continue. This is the point, above, where the results are different from doing this on the 2nd lvl system from IBM. DTCPARMS has the following :nick.SSL entry: :nick.SSL :type.class :name.SSL daemon :command.VMSSL :runtime.C :diskwarn.YES :Admin_ID_list.JAB282 MAB GSKADMIN :memory.256M :mixedcaseparms.YES :mount. /../VMBFS:VMSYS:ROOT/ / , /../VMBFS:VMSYS:SSLSERV/ /tmp , /../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm I'm sure that what is wrong to anyone who knows anything about BFS, but that excludes me. I would appreciate any help. Jim -- Jim Bohnsack Cornell University (972) 596-6377 home/office (972) 342-5823 cell jab...@cornell.edu
h3270 Phun Phact
If you have h3270 pointing at a recent s3270, then you can get SSL support for free by specifying: L:hostname:portnum instead of just hostname in the connect to field. Other Phun Phact: you're probably going to have to edit your Tomcat (or whatever) policy to allow the h3270 program to execute the s3270 executable. Once you've done that, though, it's really quite straightforward. All h3270 is is a little Java web app built on top of s3270 as a screen- scraper. It works rather nicely. I would imagine that with a little clever css you could even use proper 3270 fonts and colors, although I haven't actually bothered yet. Also, wrap your Tomcat in SSL (gee, that sounds dirty!) so that you're not exposing (gee, that sounds dirty!) your password in the web part of the session (even if you have SSL to the host, unless you have Tomcat protected by SSL you're still sending username/pw in the clear to the web interface). Adam
hello, VM group
This is my first time at Share. It was wonderful experience at Austin especially for the meal with Martha,McConaghy, Mark Post... Could you tell me Martha's email? Thanks! Sunny Hu I. M. Technical Services W.C.B. Alberta (780) 498-4739 sunny...@wcb.ab.ca This message is intended only for the addressee. It may contain privileged or confidential information. Any unauthorized disclosure is strictly prohibited. If you have received this message in error, please notify us immediately so that we may correct our internal records. Please then delete the original email. Thank you. (Sent by Webgate2)
Re: New CMS based SSLSERV problem... DTCSSL300E
On Wed, 18 Mar 2009 10:53:08 -0400, Alan Altmark alan_altm...@us.ibm.com wrote: On Wednesday, 03/18/2009 at 09:49 EDT, Mrohs, Ray ray.mr...@usdoj.gov wrote: This is slightly off-topic but if anyone has the 5.4 SSLSERV running with the Rumba or WRQ Reflection 3270 emulator, please contact me offline. Thanks. Neither Rumba nor Reflection work correctly. We are working with Attachmate to fix Reflection. Rumba has not responded to our attempts t o contact them. IBM Host on Demand doesn't work, either, at the moment. The common problem we are seeing is that the clients are bringing down t he session when the server requests a client certificate they don't posesss . The RFC specifies that the client should send an empty certificate lis t and that it is up to the server, not the client, to decide whether the lack of a client certificate is grounds for a divorce. Work with your client vendor. If they want someone in IBM to talk to, send them to me. Alan Altmark z/VM Development IBM Endicott = We have a problem with QWS3270. In 5.2.0/5.3.0 everything works fine with static SSL. In 5.4.0, QWS3270 prompts me for a certificate password. I provide one and everything works, but it sure slows me down. If I hit cancel instead I get disconnected with an unable to connect error. There is no way to turn off this behavior in QWS3270 -- is there any way to turn it off in the server? It doesn't make sense to me to that you say Work with your client vendor when the problem happens only in one release of z/VM and not in z/OS. Do you have any indication that there is a similar problem in z/OS? if so , which version and/or APAR? We might actually get something fixed if there is a z/OS problem. Attachmate Extra! works just fine, and so does IBM Pcomm. Alan Ackerman Alan (dot) Ackerman (at) Bank of America (dot) com
Re: hello, VM group
sunny...@wcb.ab.ca wrote: This is my first time at Share. It was wonderful experience at Austin especially for the meal with Martha,McConaghy, Mark Post... Could you tell me Martha's email? Thanks! Sunny Hu I. M. Technical Services W.C.B. Alberta (780) 498-4739 sunny...@wcb.ab.ca This message is intended only for the addressee. It may contain privileged or confidential information. Any unauthorized disclosure is strictly prohibited. If you have received this message in error, please notify us immediately so that we may correct our internal records. Please then delete the original email. Thank you. (Sent by Webgate2) Sunny, It was great meeting you as well. We are all so glad that you had such a good first SHARE. You can contact Martha at u...@vm.marist.edu -- Rich Smrcina Phone: 414-491-6001 http://www.linkedin.com/in/richsmrcina Catch the WAVV! http://www.wavv.org WAVV 2009 - Orlando, FL - May 15-19, 2009
Re: h3270 Phun Phact
On 3/20/09 4:42 PM, Adam Thornton athorn...@sinenomine.net wrote: I would imagine that with a little clever css you could even use proper 3270 fonts and colors, although I haven't actually bothered yet. There's one included in the package (color.css).
Re: DIRMAINT
Folks; Some joker put a DEFAULT_CMDLEVEL = 140A in CONFIGA DATADVH (probably the same joker who didn't install the help files). I was able to run DIRM GLOBALV CMDLEVEL 150A on an authorized user and get DIRM DIRECTORY ? to work, along with several other DIRM commands (CHECK, QUERY, etc.) which had been failing in the same way. Unfortunately there were no references that I was able to find in the DIRMAINT docs showing which commands were only valid at which command levels. I just happened to get lucky finding the config setting and then wondering, what would happen if... Thanks for helping us out. ok r. -Original Message- From: r.stricklin [mailto:b...@typewritten.org] Sent: Thursday, March 19, 2009 8:49 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: DIRMAINT On Mar 19, 2009, at 7:46 PM, Scott Rohling wrote: dirm directory ? DVHXMT1191I Your DIRECTORY request has been sent for processing. Ready; T=0.05/0.05 21:31:55 That's what we would've expected, but were unable to get. What userid are you doing this from, and is it fully authorized to do DIRMAINT admin things (very much like ADMIN users in VMSECURE IIRC)? We were trying it from several different user IDs, including MAINT. We checked the AUTHFOR CONTROL on DIRMAINT 1DF and it showed MAINT (and the others) having the whole string of auths (for both command levels 140 and 150), including S which is what the doc said was needed. ok bear
Re: DIRMAINT
Good catch -- I stopped using 140A commands a long time ago .. and wish they would just drop them -- because every once in awhile, I run into something like this where a command will work for me but not someone else and it turns out to be a different cmdlevel and everyone confused until the 'aha' moment. Glad you found you're way out of this one - good job --Scott On Fri, Mar 20, 2009 at 4:12 PM, Stricklin, Raymond J raymond.j.strick...@boeing.com wrote: Folks; Some joker put a DEFAULT_CMDLEVEL = 140A in CONFIGA DATADVH (probably the same joker who didn't install the help files). I was able to run DIRM GLOBALV CMDLEVEL 150A on an authorized user and get DIRM DIRECTORY ? to work, along with several other DIRM commands (CHECK, QUERY, etc.) which had been failing in the same way. Unfortunately there were no references that I was able to find in the DIRMAINT docs showing which commands were only valid at which command levels. I just happened to get lucky finding the config setting and then wondering, what would happen if... Thanks for helping us out. ok r. -Original Message- From: r.stricklin [mailto:b...@typewritten.org] Sent: Thursday, March 19, 2009 8:49 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: DIRMAINT On Mar 19, 2009, at 7:46 PM, Scott Rohling wrote: dirm directory ? DVHXMT1191I Your DIRECTORY request has been sent for processing. Ready; T=0.05/0.05 21:31:55 That's what we would've expected, but were unable to get. What userid are you doing this from, and is it fully authorized to do DIRMAINT admin things (very much like ADMIN users in VMSECURE IIRC)? We were trying it from several different user IDs, including MAINT. We checked the AUTHFOR CONTROL on DIRMAINT 1DF and it showed MAINT (and the others) having the whole string of auths (for both command levels 140 and 150), including S which is what the doc said was needed. ok bear
Re: hello, VM group
Hi, Sunny. Welcome to the group, Sunny. It was great meeting you at SHARE in Austin, too. You can reach Martha at u...@vm.marist.edu sunny...@wcb.ab.ca wrote: This is my first time at Share. It was wonderful experience at Austin especially for the meal with Martha,McConaghy, Mark Post... Could you tell me Martha's email? Thanks! Sunny Hu I. M. Technical Services W.C.B. Alberta (780) 498-4739 sunny...@wcb.ab.ca This message is intended only for the addressee. It may contain privileged or confidential information. Any unauthorized disclosure is strictly prohibited. If you have received this message in error, please notify us immediately so that we may correct our internal records. Please then delete the original email. Thank you. (Sent by Webgate2) -- DJ V/Soft z/VM and mainframe Linux expertise, training, consulting, and software development www.vsoft-software.com
Re: hello, VM group
On Friday, 03/20/2009 at 05:42 EDT, sunny...@wcb.ab.ca wrote: This is my first time at Share. It was wonderful experience at Austin especially for the meal with Martha,McConaghy, Mark Post... Hello, Sunny. It was nice to meet you and I'm glad you had a good time. (Ribs. M'mmm m' good!) We all hope to see you in Denver! Alan Altmark z/VM Development IBM Endicott
Re: DIRMAINT
Scott, Have been around VM for quite a long time so the standard Directory is old hat and simple to manage with whatever -REXX, XEDIT or Assembler programs etc. DIRMAINT used to be an added cost item, maybe that is why it got bundled. Will be putting in 5.4 shortly and will give this free version of DIRMAINT a whirl. Maybe I will be assimilated... Doug - Original Message - From: Scott Rohling To: IBMVM@LISTSERV.UARK.EDU Sent: Thursday, March 19, 2009 21:23 Subject: [Norton AntiSpam] Re: DIRMAINT I just gave the procedure to do just that a few posts ago... Rather than me defend DIRMAINT, maybe you could explain what you don't understand first...? Scott On Thu, Mar 19, 2009 at 6:58 PM, Doug Shupe dsh...@bellsouth.net wrote: I never understood why anyone would use dirmaint to begin with. Can you make dirmaint produce a standard directory and start over? - Original Message - From: Stricklin, Raymond J To: IBMVM@LISTSERV.UARK.EDU Sent: Thursday, March 19, 2009 18:58 Subject: Re: DIRMAINT We've been trying that all day, it doesn't work. Why? dirm directory ?DVHADZ1252E An invalid keyword or value has been encountered. PleaseDVHADZ1252E check the command syntax.DVHADZ1270E DIRMaint directory ?Ready(01252); T=0.08/0.09 17:56:06 Some joker did not install the help files. ok r. From: Scott Rohling [mailto:scott.rohl...@gmail.com] Sent: Thursday, March 19, 2009 3:16 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: DIRMAINT DIRM HELP DIRECTORY .. DIRM DIRECTORY CHANGE 0123 etc etcshould do ya.. Scott On Thu, Mar 19, 2009 at 4:10 PM, Stricklin, Raymond J raymond.j.strick...@boeing.com wrote: Lance means --- using DIRMAINT, how do we do this? thanks, guys. (@: ok r. -Original Message- From: Preuett, Lance M Sent: Thursday, March 19, 2009 3:09 PM To: IBMVM@LISTSERV.UARK.EDU Subject: DIRMAINT need help How do you change the direct record in the directory DIRECT 0123 3390 VFARES 223 *A59FF-2086 I need to change it to DIRECT 0123 3390 VFARES 223 *A59FF-2066 Lance Preuett Enterprise Storage and Servers Delivery Systems M/S 7M-RE PO Box 3707 Seattle, WA 98124-2207 425-865-1525 lance.m.preu...@boeing.com
Re: DIRMAINT
Doug Shupe wrote: Scott, Have been around VM for quite a long timeso the standard Directory is old hat and simple to manage with whatever -REXX, XEDIT or Assembler programs etc. DIRMAINT used to be an added cost item, maybe that is why it got bundled. Will be putting in 5.4 shortly and will give this free version of DIRMAINT a whirl.Maybe I will be assimilated... Doug Don't be disillusioned by the fact that it's bundled with z/VM. It is still an additional cost item. You do not get to use it for free. -- Rich Smrcina Phone: 414-491-6001 http://www.linkedin.com/in/richsmrcina Catch the WAVV! http://www.wavv.org WAVV 2009 - Orlando, FL - May 15-19, 2009
Re: DIRMAINT
Doug - Good deal -- feel free to contact me if you have any questions, etc -- I've been around DIRMAINT a long time and even wrote an admin front end around it that did RACF stuff as well - many years ago ... It really can help - it helps automate creation of new guests if you're interested in that.. makes DASD management simpler if you make good use of groups and does have a simplistic RACF interface you can make use of if you use RACF for security.. In the end - the directory is a simple flat file, so DIRMAINT often seems like overkill to some sysprogs.. but it can help free you from being the only guy who can make directory changes without breaking something. Scott On Fri, Mar 20, 2009 at 6:12 PM, Doug Shupe dsh...@bellsouth.net wrote: Scott, Have been around VM for quite a long time so the standard Directory is old hat and simple to manage with whatever -REXX, XEDIT or Assembler programs etc. DIRMAINT used to be an added cost item, maybe that is why it got bundled. Will be putting in 5.4 shortly and will give this free version of DIRMAINT a whirl. Maybe I will be assimilated... Doug - Original Message - *From:* Scott Rohling scott.rohl...@gmail.com *To:* IBMVM@LISTSERV.UARK.EDU *Sent:* Thursday, March 19, 2009 21:23 *Subject:* [Norton AntiSpam] Re: DIRMAINT I just gave the procedure to do just that a few posts ago... Rather than me defend DIRMAINT, maybe you could explain what you don't understand first...? Scott On Thu, Mar 19, 2009 at 6:58 PM, Doug Shupe dsh...@bellsouth.net wrote: I never understood why anyone would use dirmaint to begin with. Can you make dirmaint produce a standard directory and start over? - Original Message - *From:* Stricklin, Raymond J raymond.j.strick...@boeing.com *To:* IBMVM@LISTSERV.UARK.EDU *Sent:* Thursday, March 19, 2009 18:58 *Subject:* Re: DIRMAINT We've been trying that all day, it doesn't work. Why? dirm directory ? DVHADZ1252E An invalid keyword or value has been encountered. Please DVHADZ1252E check the command syntax. DVHADZ1270E DIRMaint directory ? Ready(01252); T=0.08/0.09 17:56:06 Some joker did not install the help files. ok r. -- *From:* Scott Rohling [mailto:scott.rohl...@gmail.com] *Sent:* Thursday, March 19, 2009 3:16 PM *To:* IBMVM@LISTSERV.UARK.EDU *Subject:* Re: DIRMAINT DIRM HELP DIRECTORY .. DIRM DIRECTORY CHANGE 0123 etc etcshould do ya.. Scott On Thu, Mar 19, 2009 at 4:10 PM, Stricklin, Raymond J raymond.j.strick...@boeing.com wrote: Lance means --- using DIRMAINT, how do we do this? thanks, guys. (@: ok r. -Original Message- From: Preuett, Lance M Sent: Thursday, March 19, 2009 3:09 PM To: IBMVM@LISTSERV.UARK.EDU Subject: DIRMAINT need help How do you change the direct record in the directory DIRECT 0123 3390 VFARES 223 *A59FF-2086 I need to change it to DIRECT 0123 3390 VFARES 223 *A59FF-2066 Lance Preuett Enterprise Storage and Servers Delivery Systems M/S 7M-RE PO Box 3707 Seattle, WA 98124-2207 425-865-1525 lance.m.preu...@boeing.com
Re: BFS SSLSERV question
Thank you all for your responses. It sounds as if it is as I suspected, a total lack of knowledge about BSF and almost as much of a lack of knowledge about SFS. It might be a good idea to include some of these SFS/BFS peculiar hints or ideas in the TCPIP doc, especially for the VM newbie (as well as for the old timer who still carries a pocket full of 5081 cards--for you kids, a 5081 card is an IBM punched card). Jim Alan Altmark wrote: On Friday, 03/20/2009 at 01:13 EDT, Jim Bohnsack jab...@cornell.edu wrote: I have a dumb question and a long posting. Sorry. -- Jim Bohnsack Cornell University (972) 596-6377 home/office (972) 342-5823 cell jab...@cornell.edu
