Steps to migrate z/VM RACF 5.3 to z/VM RACF 6.1
Hello again everyone Exist any book, manual or procedure to migrate RACF in z/VM 5.3 to RACF i n z/VM 6.1? I will migrate to z/VM 5.3 to z/VM 6.1 and I need to know the steps to migrate the version of RACF in 5.3 with all RACF definitions that have at this time. Anyone know or I could list the steps to follow to perform this migration ? Thanks in advance Victor Hugo Ochoa Avila BBVA CCR America
Re: Vswitch Grant as a CMD in User's Directory?
Back in the old days, I recall a finance type person saying something like: The Gold Standard is that it should take collusion between two or more people to defraud the company. If we apply that to IT, then shouldn't pswds for privileged userids that can access/change financial data be long enough that TWO sysprogs can each be given half a pswd so they both have to be present to make a change? Les Alan Altmark wrote: On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com wrote: Does it really matter? SOX is just another way congress has come up with to destroy the American economy, and in fact the American way of life. When you read the law, you find that SOX is simply a way to hold executives responsible for the financial statements issued by their companies. Assuming no ill intent (no comments, please!), that means trustworthy data. That flows downhill, as all such things must, until we start talking about access controls and audit mechanisms for financial data. That is, knowing who has the means and the opportunity to access the data, and knowing who has actually done so. (I leave it to others to talk about motive.) Who, what, where, when. Unfortunately, IT security industry consultants have mangled this laudable concept into a paranoia-inducing behemoth that has people screaming in terror as it rampages across the country, flogging every sysadmin in its path. Why? Because financial status is inferred from many other data sources and no one wants to spend the time it takes to follow all the data flows. Result: Secure Everything. With HIPAA and PCI running alongside, the Secure Everything policy looks even more reasonable to CEOs, CIOs, CFOs, and their lawyers. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: MAILIT
For MAILIT is not technically required. This works fine too: 'EXEC MAILIT TO(kris_buel...@be.ibm.com) Using a NAMES file makes it easier to change the people that should be warned. For example, we've got a SUPPORT NAMES file on a public disk:: SUPPORT NAMESY2 V 255 Trunc=255 Size=30 Line=1 Col=1 Alt * In this file we will place the users that have to be informed * by some service execs. * *** Used by SRVFLHTP EXEC (in SYSDUMP1) :nick.FLASHCOPY :list.support@mycompany.com kris_buel...@be.ibm.com *** Used by SIGNVSE EXEC (in VMUTIL), and . :nick.IbmSupport :list.support@mycompany.com Then in your EXEC, you could code 'EXEC MAILIT TO FlashCopy NAMESFILES SUPPORT Subject(Problem xyz with FlashCopy) 2010/12/9 Bill Munson william.mun...@bbh.com Alan, The tcpip part is SMTP up and running. also the VM user sending the MAIL needs to have a names file. if your userid sending mail is NJ2W002 it is called NJ2W002 NAMESA and it would look like this :nick.Mike :list. mike.wal...@hewitt.com :nick.ROB :list. rvdh...@velocity-software.com :nick.IBM :userid.lunsford :node.us.ibm.com :name.Roger Lunsford as you can see there are 2 ways to set up the nicname and here is a copy of an exec I use to send mail /* */ trace off arg to sub fn ft fm . if fm='' then fm='A' if ft='' then ft='script' if fn='' then fn='testmail' 'EXEC mailit SUBJECT('sub')', 'TO('to') ', 'NAMES( nj2w002 ) ', 'REPLYTO( william.mun...@bbh.com ) ', ' FILE ('fn ft fm')' good luck munson 201-418-7588 From:Willimann, Alan (NIH/CIT) [C] alan.willim...@nih.gov To:IBMVM@LISTSERV.UARK.EDU Date:12/09/2010 08:52 AM Subject:MAILIT Sent by:The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU -- I have down loaded MAILIT from the IBM VM Download page. I can send a message to another VM user, it can be found in the users pun queue. I can not figure out how to get an email to go out across the network. Do I have to define something in TCPIP? The operating system is z/VM 5.4 running on an IFL with LINUX guests. Thanks to everyone for your help. Alan Willimann alan.willim...@nih.govmailto:alan.willim...@nih.govalan.willim...@nih.gov *** IMPORTANT NOTE*-- The opinions expressed in this message and/or any attachments are those of the author and not necessarily those of Brown Brothers Harriman Co., its subsidiaries and affiliates (BBH). There is no guarantee that this message is either private or confidential, and it may have been altered by unauthorized sources without your or our knowledge. Nothing in the message is capable or intended to create any legally binding obligations on either party and it is not intended to provide legal advice. BBH accepts no responsibility for loss or damage from its use, including damage from virus. -- Kris Buelens, IBM Belgium, VM customer support
Re: Steps to migrate z/VM RACF 5.3 to z/VM RACF 6.1
That should be simple: you need to run RACFCONV, using the RACF code of the 6.1 system. Did that often enough. So, install z/VM 6.2 Make the minidisk with the 6.1 RACF code available in the first level VM (should be 6VMRAC10 505 ) When nobody is changing passwords, etc, take a DDR BACKUP of RACFVM 200 and 300 (I use RACFVM 1200 and 1300 as backups, so if you'd have troubles user RACFVM can get these backup minidisks without requiring a LINK command #CP DET 200 300#DEFINE 1200 200#DERFINE 1300 300 would be enough to go back to the backup copy) Have the passsword of RACFVM as written in tye CP directory at your disposition Make sure RACFVM has a link to the backup disks CP SET SECUSER RACFVM * CP SEND CP RACFVM LINK * 1200 1200 CP SEND CP RACFVM LINK * 1300 1300 From MAINT for example, link and access (the copy of) 6VMRAC10 505 LINK RACFVM 200 200 MW LINK RACFVM 300 200 MW Assure RACFVM can no longer update 200/300, after this step RACFVM is dead for a while CP SEND CP RACFVM DEF 200 2200 CP SEND CP RACFVM DEF 300 2300 you could change this also in CP SEND CP LINK * 200 200 RR (same for 300), then RACF becomes R/O instead of dead, but I don't know if an end-user would see a message it he tried to chnage his pswd at this time... Run RACFCONV in MAINT When done: give RACF the converted disks back as 200/300 and restart it. CP DET 200 300 CP SEND CP RACFVM DEF 2200 200 CP SEND CP RACFVM DEF 2300 300 CP SEND CP IPL 490 2010/12/10 =?ISO-8859-1?Q?Victor_Hugo_Ochoa?= vhoa...@gmail.com Hello again everyone Exist any book, manual or procedure to migrate RACF in z/VM 5.3 to RACF in z/VM 6.1? I will migrate to z/VM 5.3 to z/VM 6.1 and I need to know the steps to migrate the version of RACF in 5.3 with all RACF definitions that have at this time. Anyone know or I could list the steps to follow to perform this migration? Thanks in advance Victor Hugo Ochoa Avila BBVA CCR America -- Kris Buelens, IBM Belgium, VM customer support
Re: Steps to migrate z/VM RACF 5.3 to z/VM RACF 6.1
Victor, I didn't do it yet, but I think the Program Directory have all the instructions. Basically: apply one PTF into 5.3, copy the DB (mdisks 200 and 300 to the new VM 6.1) and run RACFCONV when instructed. See this text, extracted from PD: If you are migrating from z/VM V5.3 RACF FL530, or if you plan to share your z/VM V6.1 RACF FL610 database with z/VM V5.3 RACF FL530, you must apply the PTF for APAR VM64383 to your z/VM V5.3 system (and restart your RACF FL530 server) before attempting any migration or sharing. The RACF database must have templates at the function level 610 for RACF to function properly. If you are migrating from a previous release of RACF to RACF FL610, you must run the RACFCONV EXEC to convert the existing database templates to the current release. The PD is here: http://www.vm.ibm.com/progdir/6vmrac10.pdf Good luck. __ Clovis From: =?ISO-8859-1?Q?Victor_Hugo_Ochoa?= vhoa...@gmail.com To: IBMVM@LISTSERV.UARK.EDU Date: 10/12/2010 08:05 Subject: Steps to migrate z/VM RACF 5.3 to z/VM RACF 6.1 Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU Hello again everyone Exist any book, manual or procedure to migrate RACF in z/VM 5.3 to RACF i n z/VM 6.1? I will migrate to z/VM 5.3 to z/VM 6.1 and I need to know the steps to migrate the version of RACF in 5.3 with all RACF definitions that have at this time. Anyone know or I could list the steps to follow to perform this migration ? Thanks in advance Victor Hugo Ochoa Avila BBVA CCR America
Re: Vswitch Grant as a CMD in User's Directory?
Does anyone run applications in z/VM? Isn't the 'protected data' owned by some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security effort belongs in those OS's. z/VM just needs to keep those systems isolated and NOT be able to circumvent their security procedures. On Fri, Dec 10, 2010 at 2:46 AM, Les Koehler vmr...@tampabay.rr.com wrote: Back in the old days, I recall a finance type person saying something like: The Gold Standard is that it should take collusion between two or more people to defraud the company. If we apply that to IT, then shouldn't pswds for privileged userids that can access/change financial data be long enough that TWO sysprogs can each be given half a pswd so they both have to be present to make a change? Les Alan Altmark wrote: On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com wrote: Does it really matter? SOX is just another way congress has come up with to destroy the American economy, and in fact the American way of life. When you read the law, you find that SOX is simply a way to hold executives responsible for the financial statements issued by their companies. Assuming no ill intent (no comments, please!), that means trustworthy data. That flows downhill, as all such things must, until we start talking about access controls and audit mechanisms for financial data. That is, knowing who has the means and the opportunity to access the data, and knowing who has actually done so. (I leave it to others to talk about motive.) Who, what, where, when. Unfortunately, IT security industry consultants have mangled this laudable concept into a paranoia-inducing behemoth that has people screaming in terror as it rampages across the country, flogging every sysadmin in its path. Why? Because financial status is inferred from many other data sources and no one wants to spend the time it takes to follow all the data flows. Result: Secure Everything. With HIPAA and PCI running alongside, the Secure Everything policy looks even more reasonable to CEOs, CIOs, CFOs, and their lawyers. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservicesoffice: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Vswitch Grant as a CMD in User's Directory?
Does anyone run applications in z/VM? Speaking just for us, YES! We continue to run and enhance existing CMS applications (which run cheaper on z/VM than anywhere else when ALL the expenses are taken into account). But with Aon's acquisition of Hewitt Associates, everything is being re-evaluated, so who knows? However, I have complete confidence in my belief that there are hundreds+ of older VM systems (pre-z/VM, and even perhaps pre-VM/ESA) still running CMS applications. Unfortunately, few of them would probably convert to z/VM as they continue to milk their cash cows, so in their cases your point still applies. But there are still paying z/VM customers running CMS applications, they cannot and must not be abandoned, or management will once again come to believe that VM is dead - ultimately damaging IBM's apparent Linux on System z goals. (See old SHARE conference NOTAGAIN MEMO). Mike Walter Aon Corporation The opinions expressed herein are mine alone, not my employer's. Tom Huegel tehue...@gmail.com Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU 12/10/2010 08:15 AM Please respond to The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU To IBMVM@LISTSERV.UARK.EDU cc Subject Re: Vswitch Grant as a CMD in User's Directory? Does anyone run applications in z/VM? Isn't the 'protected data' owned by some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security effort belongs in those OS's. z/VM just needs to keep those systems isolated and NOT be able to circumvent their security procedures. On Fri, Dec 10, 2010 at 2:46 AM, Les Koehler vmr...@tampabay.rr.com wrote: Back in the old days, I recall a finance type person saying something like: The Gold Standard is that it should take collusion between two or more people to defraud the company. If we apply that to IT, then shouldn't pswds for privileged userids that can access/change financial data be long enough that TWO sysprogs can each be given half a pswd so they both have to be present to make a change? Les Alan Altmark wrote: On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com wrote: Does it really matter? SOX is just another way congress has come up with to destroy the American economy, and in fact the American way of life. When you read the law, you find that SOX is simply a way to hold executives responsible for the financial statements issued by their companies. Assuming no ill intent (no comments, please!), that means trustworthy data. That flows downhill, as all such things must, until we start talking about access controls and audit mechanisms for financial data. That is, knowing who has the means and the opportunity to access the data, and knowing who has actually done so. (I leave it to others to talk about motive.) Who, what, where, when. Unfortunately, IT security industry consultants have mangled this laudable concept into a paranoia-inducing behemoth that has people screaming in terror as it rampages across the country, flogging every sysadmin in its path. Why? Because financial status is inferred from many other data sources and no one wants to spend the time it takes to follow all the data flows. Result: Secure Everything. With HIPAA and PCI running alongside, the Secure Everything policy looks even more reasonable to CEOs, CIOs, CFOs, and their lawyers. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.
Re: Vswitch Grant as a CMD in User's Directory?
Yes - CMS is the operating system used to run 'z/VM applications' -- if that's what you mean. At one time - every IBMer had a z/VM CMS guest -- it's how they got their email (PROFS/OfficeVision), submitted expenses, claimed time, etc. Those apps have mostly moved off z/VM - but some still exist, mostly as back ends. CMS guests would link to minidisks containing the application code and data -- would send files (punch/reader) back and forth, etc. But that doesn't have much to do with readable passwords - including minidisk passwords - which can be used by a guest to gain access to another guest minidisk if they are used and known, regardless of the OS they are running. Same with allowing any guest access to a network path (our vswitch conversation). To 'just keep those systems isolated' - an ESM is the only way you can avoid violating most modern security requirements to be considered 'isolated'. Do you control access or don't you? Do you do it with open text passwords or don't you?You have to think about all the layers -- not just your guest OS. Scott Rohling On Fri, Dec 10, 2010 at 7:15 AM, Tom Huegel tehue...@gmail.com wrote: Does anyone run applications in z/VM? Isn't the 'protected data' owned by some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security effort belongs in those OS's. z/VM just needs to keep those systems isolated and NOT be able to circumvent their security procedures. On Fri, Dec 10, 2010 at 2:46 AM, Les Koehler vmr...@tampabay.rr.comwrote: Back in the old days, I recall a finance type person saying something like: The Gold Standard is that it should take collusion between two or more people to defraud the company. If we apply that to IT, then shouldn't pswds for privileged userids that can access/change financial data be long enough that TWO sysprogs can each be given half a pswd so they both have to be present to make a change? Les Alan Altmark wrote: On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com wrote: Does it really matter? SOX is just another way congress has come up with to destroy the American economy, and in fact the American way of life. When you read the law, you find that SOX is simply a way to hold executives responsible for the financial statements issued by their companies. Assuming no ill intent (no comments, please!), that means trustworthy data. That flows downhill, as all such things must, until we start talking about access controls and audit mechanisms for financial data. That is, knowing who has the means and the opportunity to access the data, and knowing who has actually done so. (I leave it to others to talk about motive.) Who, what, where, when. Unfortunately, IT security industry consultants have mangled this laudable concept into a paranoia-inducing behemoth that has people screaming in terror as it rampages across the country, flogging every sysadmin in its path. Why? Because financial status is inferred from many other data sources and no one wants to spend the time it takes to follow all the data flows. Result: Secure Everything. With HIPAA and PCI running alongside, the Secure Everything policy looks even more reasonable to CEOs, CIOs, CFOs, and their lawyers. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Vswitch Grant as a CMD in User's Directory?
Tom, as Mike said there are a lot of companies I know of that are using CMS applications for day to day work and the DATA resides on VM they are using FOCUS for report generation , as well as MAILBOOK for e-mail and interoffice file transfers , and some are using VM:Backup and VM:Archive and the Shared File System for numerous versions of Source Code like GDG's on TSO and submitting their compiles and assembles to VM:Batch for processing. There is still a lot of WORK being done on VM and these companies are not running any other OS as a guest of these VM systems. They might and do have other VM's for running LINUX or VSE . Granted it is a vast minority of what it was 10, 15, and 20 years ago. munson From: Tom Huegel tehue...@gmail.com To: IBMVM@LISTSERV.UARK.EDU Date: 12/10/2010 09:16 AM Subject:Re: Vswitch Grant as a CMD in User's Directory? Sent by:The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU Does anyone run applications in z/VM? Isn't the 'protected data' owned by some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security effort belongs in those OS's. z/VM just needs to keep those systems isolated and NOT be able to circumvent their security procedures. On Fri, Dec 10, 2010 at 2:46 AM, Les Koehler vmr...@tampabay.rr.com wrote: Back in the old days, I recall a finance type person saying something like: The Gold Standard is that it should take collusion between two or more people to defraud the company. If we apply that to IT, then shouldn't pswds for privileged userids that can access/change financial data be long enough that TWO sysprogs can each be given half a pswd so they both have to be present to make a change? Les Alan Altmark wrote: On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com wrote: Does it really matter? SOX is just another way congress has come up with to destroy the American economy, and in fact the American way of life. When you read the law, you find that SOX is simply a way to hold executives responsible for the financial statements issued by their companies. Assuming no ill intent (no comments, please!), that means trustworthy data. That flows downhill, as all such things must, until we start talking about access controls and audit mechanisms for financial data. That is, knowing who has the means and the opportunity to access the data, and knowing who has actually done so. (I leave it to others to talk about motive.) Who, what, where, when. Unfortunately, IT security industry consultants have mangled this laudable concept into a paranoia-inducing behemoth that has people screaming in terror as it rampages across the country, flogging every sysadmin in its path. Why? Because financial status is inferred from many other data sources and no one wants to spend the time it takes to follow all the data flows. Result: Secure Everything. With HIPAA and PCI running alongside, the Secure Everything policy looks even more reasonable to CEOs, CIOs, CFOs, and their lawyers. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott *** IMPORTANT NOTE*-- The opinions expressed in this message and/or any attachments are those of the author and not necessarily those of Brown Brothers Harriman Co., its subsidiaries and affiliates (BBH). There is no guarantee that this message is either private or confidential, and it may have been altered by unauthorized sources without your or our knowledge. Nothing in the message is capable or intended to create any legally binding obligations on either party and it is not intended to provide legal advice. BBH accepts no responsibility for loss or damage from its use, including damage from virus.
Re: Vswitch Grant as a CMD in User's Directory?
Tom Huegel tehue...@gmail.com wrote :- Does anyone run applications in z/VM? :- Speaking for ourselves - yes. We recently did an exercise to look at the support effort required to maintain our VM system and came to the conclusion that at least 80% was related to local applications and local code function. This in an installation where the primary purpose of VM is to host and support guest (TPF) systems. However, even if we ran no local applications, and only supported guest operating systems, the power of Vm to access data is so great that access really does need to be controlled. We would never consider running VM without an ESM (RACF in our case) and the auditors would skin us alive if we tried. Colin Allinson VM Systems Support Amadeus Data Processing GmbH
Re: Vswitch Grant as a CMD in User's Directory?
And not to mention Nomad. On 12/10/2010 09:57 AM, Bill Munson wrote: Tom, as Mike said there are a lot of companies I know of that are using CMS applications for day to day work and the DATA resides on VM they are using FOCUS for report generation , as well as MAILBOOK for e-mail and interoffice file transfers , and some are using VM:Backup and VM:Archive and the Shared File System for numerous versions of Source Code like GDG's on TSO and submitting their compiles and assembles to VM:Batch for processing. There is still a lot of WORK being done on VM and these companies are not running any other OS as a guest of these VM systems. They might and do have other VM's for running LINUX or VSE . Granted it is a vast minority of what it was 10, 15, and 20 years ago. munson From: Tom Huegel tehue...@gmail.com To: IBMVM@LISTSERV.UARK.EDU Date: 12/10/2010 09:16 AM Subject:Re: Vswitch Grant as a CMD in User's Directory? Sent by:The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU Does anyone run applications in z/VM? Isn't the 'protected data' owned by some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security effort belongs in those OS's. z/VM just needs to keep those systems isolated and NOT be able to circumvent their security procedures. On Fri, Dec 10, 2010 at 2:46 AM, Les Koehler vmr...@tampabay.rr.com wrote: Back in the old days, I recall a finance type person saying something like: The Gold Standard is that it should take collusion between two or more people to defraud the company. If we apply that to IT, then shouldn't pswds for privileged userids that can access/change financial data be long enough that TWO sysprogs can each be given half a pswd so they both have to be present to make a change? Les Alan Altmark wrote: On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com wrote: Does it really matter? SOX is just another way congress has come up with to destroy the American economy, and in fact the American way of life. When you read the law, you find that SOX is simply a way to hold executives responsible for the financial statements issued by their companies. Assuming no ill intent (no comments, please!), that means trustworthy data. That flows downhill, as all such things must, until we start talking about access controls and audit mechanisms for financial data. That is, knowing who has the means and the opportunity to access the data, and knowing who has actually done so. (I leave it to others to talk about motive.) Who, what, where, when. Unfortunately, IT security industry consultants have mangled this laudable concept into a paranoia-inducing behemoth that has people screaming in terror as it rampages across the country, flogging every sysadmin in its path. Why? Because financial status is inferred from many other data sources and no one wants to spend the time it takes to follow all the data flows. Result: Secure Everything. With HIPAA and PCI running alongside, the Secure Everything policy looks even more reasonable to CEOs, CIOs, CFOs, and their lawyers. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott *** IMPORTANT NOTE*-- The opinions expressed in this message and/or any attachments are those of the author and not necessarily those of Brown Brothers Harriman Co., its subsidiaries and affiliates (BBH). There is no guarantee that this message is either private or confidential, and it may have been altered by unauthorized sources without your or our knowledge. Nothing in the message is capable or intended to create any legally binding obligations on either party and it is not intended to provide legal advice. BBH accepts no responsibility for loss or damage from its use, including damage from virus. -- Dave Jones V/Soft Software www.vsoft-software.com Houston, TX 281.578.7544
Re: Vswitch Grant as a CMD in User's Directory?
I just saw the comment on a long passwords where it would take two people to enter a single password. I remember back in the VAX/VMS days where there was a password option for a UserID to be setup where it required two passwords. Thank you, Scott From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Tom Huegel Sent: Friday, December 10, 2010 8:16 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Vswitch Grant as a CMD in User's Directory? Does anyone run applications in z/VM? Isn't the 'protected data' owned by some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security effort belongs in those OS's. z/VM just needs to keep those systems isolated and NOT be able to circumvent their security procedures. On Fri, Dec 10, 2010 at 2:46 AM, Les Koehler vmr...@tampabay.rr.com wrote: Back in the old days, I recall a finance type person saying something like: The Gold Standard is that it should take collusion between two or more people to defraud the company. If we apply that to IT, then shouldn't pswds for privileged userids that can access/change financial data be long enough that TWO sysprogs can each be given half a pswd so they both have to be present to make a change? Les Alan Altmark wrote: On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com wrote: Does it really matter? SOX is just another way congress has come up with to destroy the American economy, and in fact the American way of life. When you read the law, you find that SOX is simply a way to hold executives responsible for the financial statements issued by their companies. Assuming no ill intent (no comments, please!), that means trustworthy data. That flows downhill, as all such things must, until we start talking about access controls and audit mechanisms for financial data. That is, knowing who has the means and the opportunity to access the data, and knowing who has actually done so. (I leave it to others to talk about motive.) Who, what, where, when. Unfortunately, IT security industry consultants have mangled this laudable concept into a paranoia-inducing behemoth that has people screaming in terror as it rampages across the country, flogging every sysadmin in its path. Why? Because financial status is inferred from many other data sources and no one wants to spend the time it takes to follow all the data flows. Result: Secure Everything. With HIPAA and PCI running alongside, the Secure Everything policy looks even more reasonable to CEOs, CIOs, CFOs, and their lawyers. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott Confidentiality Note: This e-mail, including any attachment to it, may contain material that is confidential, proprietary, privileged and/or Protected Health Information, within the meaning of the regulations under the Health Insurance Portability Accountability Act as amended. If it is not clear that you are the intended recipient, you are hereby notified that you have received this transmittal in error, and any review, dissemination, distribution or copying of this e-mail, including any attachment to it, is strictly prohibited. If you have received this e-mail in error, please immediately return it to the sender and delete it from your system. Thank you.
Re: Vswitch Grant as a CMD in User's Directory?
On Friday, 12/10/2010 at 05:46 EST, Les Koehler vmr...@tampabay.rr.com wrote: Back in the old days, I recall a finance type person saying something like: The Gold Standard is that it should take collusion between two or more people to defraud the company. Preventing collusion between two class G users is why z/VM supports mandatory access controls and why you can change the privilege classes of commands and DIAGNOSE subcodes. If we apply that to IT, then shouldn't pswds for privileged userids that can access/change financial data be long enough that TWO sysprogs can each be given half a pswd so they both have to be present to make a change? Well, not quite that bad, but EAL 6-level systems require two privileged users to make security-relevant changes to a system. Missile silo two-key concept. Multi-part keys CAN be used in the System z crypto cards for secure (encrypted) key operations. No one person has the entire key and so even if one of those people had a copy of the key dataset from z/OS or Linux, they wouldn't be able to use the keys to encrypt or decrypt data. By the way, you can see the two-key concept in RACF. If the security admin tries to deactivate RACF, CP prompts the operator to concur or deny. (A minor inconvenience and easily overcome [for the moment].) Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott
Re: Vswitch Grant as a CMD in User's Directory?
Some companies in the past preferred to confine application programmers to CMS due to the large overhead of TSO address spaces thereby realizing savings in CPU and storage. CMS is not as well liked as TSO/ISPF by application programmers, but given CPU price sensitivity these days, it may not be such a bad idea and, who knows, it might even convert them z/VM. Bill Munson william.mun...@bbh.com Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU 12/10/2010 10:57 AM Please respond to The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU To IBMVM@LISTSERV.UARK.EDU cc Subject Re: Vswitch Grant as a CMD in User's Directory? Tom, as Mike said there are a lot of companies I know of that are using CMS applications for day to day work and the DATA resides on VM they are using FOCUS for report generation , as well as MAILBOOK for e-mail and interoffice file transfers , and some are using VM:Backup and VM:Archive and the Shared File System for numerous versions of Source Code like GDG's on TSO and submitting their compiles and assembles to VM:Batch for processing. There is still a lot of WORK being done on VM and these companies are not running any other OS as a guest of these VM systems. They might and do have other VM's for running LINUX or VSE . Granted it is a vast minority of what it was 10, 15, and 20 years ago. munson From:Tom Huegel tehue...@gmail.com To:IBMVM@LISTSERV.UARK.EDU Date:12/10/2010 09:16 AM Subject:Re: Vswitch Grant as a CMD in User's Directory? Sent by:The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU Does anyone run applications in z/VM? Isn't the 'protected data' owned by some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security effort belongs in those OS's. z/VM just needs to keep those systems isolated and NOT be able to circumvent their security procedures. On Fri, Dec 10, 2010 at 2:46 AM, Les Koehler vmr...@tampabay.rr.com wrote: Back in the old days, I recall a finance type person saying something like: The Gold Standard is that it should take collusion between two or more people to defraud the company. If we apply that to IT, then shouldn't pswds for privileged userids that can access/change financial data be long enough that TWO sysprogs can each be given half a pswd so they both have to be present to make a change? Les Alan Altmark wrote: On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com wrote: Does it really matter? SOX is just another way congress has come up with to destroy the American economy, and in fact the American way of life. When you read the law, you find that SOX is simply a way to hold executives responsible for the financial statements issued by their companies. Assuming no ill intent (no comments, please!), that means trustworthy data. That flows downhill, as all such things must, until we start talking about access controls and audit mechanisms for financial data. That is, knowing who has the means and the opportunity to access the data, and knowing who has actually done so. (I leave it to others to talk about motive.) Who, what, where, when. Unfortunately, IT security industry consultants have mangled this laudable concept into a paranoia-inducing behemoth that has people screaming in terror as it rampages across the country, flogging every sysadmin in its path. Why? Because financial status is inferred from many other data sources and no one wants to spend the time it takes to follow all the data flows. Result: Secure Everything. With HIPAA and PCI running alongside, the Secure Everything policy looks even more reasonable to CEOs, CIOs, CFOs, and their lawyers. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott *** IMPORTANT NOTE*-- The opinions expressed in this message and/or any attachments are those of the author and not necessarily those of Brown Brothers Harriman Co., its subsidiaries and affiliates (BBH). There is no guarantee that this message is either private or confidential, and it may have been altered by unauthorized sources without your or our knowledge. Nothing in the message is capable or intended to create any legally binding obligations on either party and it is not intended to provide legal advice. BBH accepts no responsibility for loss or damage from its use, including damage from virus.
Re: Vswitch Grant as a CMD in User's Directory?
I loved CMS many years ago. I no longer work for a company with z/VM. Haven't for years. Using CMS and RSCS to submit jobs to MVS (yes, that long ago - MVS 3.8!) was so much better than TSO it wasn't even funny. Now I'm using a Linux desktop and writing code which allows me to use it for some things instead of TSO. OpenSSH is really helping on that. But I'm getting off-topic. -- John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) 9151 Boulevard 26 * N. Richland Hills * TX 76010 (817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets(r) is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM -Original Message- From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of George Henke/NYLIC Sent: Friday, December 10, 2010 10:53 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Vswitch Grant as a CMD in User's Directory? Some companies in the past preferred to confine application programmers to CMS due to the large overhead of TSO address spaces thereby realizing savings in CPU and storage. CMS is not as well liked as TSO/ISPF by application programmers, but given CPU price sensitivity these days, it may not be such a bad idea and, who knows, it might even convert them z/VM. Bill Munson william.mun...@bbh.com Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU 12/10/2010 10:57 AM Please respond to The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU To IBMVM@LISTSERV.UARK.EDU cc Subject Re: Vswitch Grant as a CMD in User's Directory? Tom, as Mike said there are a lot of companies I know of that are using CMS applications for day to day work and the DATA resides on VM they are using FOCUS for report generation , as well as MAILBOOK for e-mail and interoffice file transfers , and some are using VM:Backup and VM:Archive and the Shared File System for numerous versions of Source Code like GDG's on TSO and submitting their compiles and assembles to VM:Batch for processing. There is still a lot of WORK being done on VM and these companies are not running any other OS as a guest of these VM systems. They might and do have other VM's for running LINUX or VSE . Granted it is a vast minority of what it was 10, 15, and 20 years ago. munson From:Tom Huegel tehue...@gmail.com To:IBMVM@LISTSERV.UARK.EDU Date:12/10/2010 09:16 AM Subject:Re: Vswitch Grant as a CMD in User's Directory? Sent by:The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU Does anyone run applications in z/VM? Isn't the 'protected data' owned by some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security effort belongs in those OS's. z/VM just needs to keep those systems isolated and NOT be able to circumvent their security procedures. On Fri, Dec 10, 2010 at 2:46 AM, Les Koehler vmr...@tampabay.rr.com mailto:vmr...@tampabay.rr.com wrote: Back in the old days, I recall a finance type person saying something like: The Gold Standard is that it should take collusion between two or more people to defraud the company. If we apply that to IT, then shouldn't pswds for privileged userids that can access/change financial data be long enough that TWO sysprogs can each be given half a pswd so they both have to be present to make a change? Les Alan Altmark wrote: On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com mailto:tehue...@gmail.com wrote: Does it really matter? SOX is just another way congress has come up with to destroy the American economy, and in fact the American way of life. When you read the law, you find that SOX is simply a way to hold executives responsible for the financial statements issued by their companies. Assuming no ill intent (no comments, please!), that means trustworthy data. That flows downhill, as all such things must, until we start talking about access controls and audit mechanisms for financial data. That is, knowing who has the means and the opportunity to access the data, and knowing who has actually done so. (I leave it to others to talk about motive.) Who, what, where, when. Unfortunately, IT security industry consultants have mangled this laudable concept into a paranoia-inducing behemoth that has people screaming in terror as it rampages across the
Re: Vswitch Grant as a CMD in User's Directory?
I do the same. Since I have so many VSE z/OS guests I find it easier to keep all my JCL and editing in CMS and submit to the appropriate guest. Better than having 5 or 6 Telnet sessions open to various guests. On Fri, Dec 10, 2010 at 11:57 AM, McKown, John john.mck...@healthmarkets.com wrote: I loved CMS many years ago. I no longer work for a company with z/VM. Haven't for years. Using CMS and RSCS to submit jobs to MVS (yes, that long ago - MVS 3.8!) was so much better than TSO it wasn't even funny. Now I'm using a Linux desktop and writing code which allows me to use it for some things instead of TSO. OpenSSH is really helping on that. But I'm getting off-topic. -- John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) 9151 Boulevard 26 * N. Richland Hills * TX 76010 (817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets(r) is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM -Original Message- From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of George Henke/NYLIC Sent: Friday, December 10, 2010 10:53 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Vswitch Grant as a CMD in User's Directory? Some companies in the past preferred to confine application programmers to CMS due to the large overhead of TSO address spaces thereby realizing savings in CPU and storage. CMS is not as well liked as TSO/ISPF by application programmers, but given CPU price sensitivity these days, it may not be such a bad idea and, who knows, it might even convert them z/VM. Bill Munson william.mun...@bbh.com Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU 12/10/2010 10:57 AM Please respond to The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU To IBMVM@LISTSERV.UARK.EDU cc Subject Re: Vswitch Grant as a CMD in User's Directory? Tom, as Mike said there are a lot of companies I know of that are using CMS applications for day to day work and the DATA resides on VM they are using FOCUS for report generation , as well as MAILBOOK for e-mail and interoffice file transfers , and some are using VM:Backup and VM:Archive and the Shared File System for numerous versions of Source Code like GDG's on TSO and submitting their compiles and assembles to VM:Batch for processing. There is still a lot of WORK being done on VM and these companies are not running any other OS as a guest of these VM systems. They might and do have other VM's for running LINUX or VSE . Granted it is a vast minority of what it was 10, 15, and 20 years ago. munson From:Tom Huegel tehue...@gmail.com To:IBMVM@LISTSERV.UARK.EDU Date:12/10/2010 09:16 AM Subject:Re: Vswitch Grant as a CMD in User's Directory? Sent by:The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU Does anyone run applications in z/VM? Isn't the 'protected data' owned by some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security effort belongs in those OS's. z/VM just needs to keep those systems isolated and NOT be able to circumvent their security procedures. On Fri, Dec 10, 2010 at 2:46 AM, Les Koehler vmr...@tampabay.rr.com mailto:vmr...@tampabay.rr.com wrote: Back in the old days, I recall a finance type person saying something like: The Gold Standard is that it should take collusion between two or more people to defraud the company. If we apply that to IT, then shouldn't pswds for privileged userids that can access/change financial data be long enough that TWO sysprogs can each be given half a pswd so they both have to be present to make a change? Les Alan Altmark wrote: On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com mailto:tehue...@gmail.com wrote: Does it really matter? SOX is just another way congress has come up with to destroy the American economy, and in fact the American way of life. When you read the law, you find that SOX is simply a way to hold executives responsible for the financial statements issued by their companies. Assuming no ill intent (no comments, please!), that means trustworthy data. That flows downhill, as all such things must, until we start talking about access controls and audit mechanisms for financial data. That is, knowing who has the means and the opportunity to access
Mandatory ESMs?
(Retitled because the current discussion has nothing to do with VSWITCH authorization...) Does anyone run applications in z/VM? That's the saddest statement I've seen in a long while. That used to be true across the board. It's really sad that IBM continues to constrain the ability to deploy applications in the CMS environment -- it's a decent system for writing really good applications, but without the tools and compilerswe're reduced to asking whether anyone can. -- db
Re: Mandatory ESMs?
Hello, Don't we have at least a GCC compiler that would run in z/VM? Michel Beaulieu |*| Date: Fri, 10 Dec 2010 14:51:56 -0600 From: dbo...@sinenomine.net Subject: Mandatory ESMs? To: IBMVM@LISTSERV.UARK.EDU (Retitled because the current discussion has nothing to do with VSWITCH authorization...) Does anyone run applications in z/VM? That's the saddest statement I've seen in a long while. That used to be true across the board. It's really sad that IBM continues to constrain the ability to deploy applications in the CMS environment -- it's a decent system for writing really good applications, but without the tools and compilerswe're reduced to asking whether anyone can. -- db
Re: Mandatory ESMs?
It has a robust POSIX feature set too. The only thing wrong is how fork() works, and there are substantial constructive reasons for that. It's up to us to use it or lose it. To this day, CMS is the single most efficient runtime environment available. One can only hope that the newbes who bring up z/VM for the sake of hypervisor hosting of Linux (and maybe VSE or even z/OS) will discover oh ... look at this!. -- R; Rick Troth Velocity Software http://www.velocitysoftware.com/ On Fri, Dec 10, 2010 at 15:51, David Boyes dbo...@sinenomine.net wrote: (Retitled because the current discussion has nothing to do with VSWITCH authorization...) Does anyone run applications in z/VM? That's the saddest statement I've seen in a long while. That used to be true across the board. It's really sad that IBM continues to constrain the ability to deploy applications in the CMS environment -- it's a decent system for writing really good applications, but without the tools and compilerswe're reduced to asking whether anyone can. -- db
Re: Mandatory ESMs?
There is a GCC which runs on CMS. I have not used it. Perhaps those on this list who have will chime in. GCC is a volunteer project, so the CMS port (which is closely related to the MVS port) will lack some features of compilers from IBM or Dignus. -- R; On Fri, Dec 10, 2010 at 16:10, Michel Beaulieu beaulieumic...@live.ca wrote: Hello, Don't we have at least a GCC compiler that would run in z/VM? Michel Beaulieu |*| Date: Fri, 10 Dec 2010 14:51:56 -0600 From: dbo...@sinenomine.net Subject: Mandatory ESMs? To: IBMVM@LISTSERV.UARK.EDU (Retitled because the current discussion has nothing to do with VSWITCH authorization...) Does anyone run applications in z/VM? That's the saddest statement I've seen in a long while. That used to be true across the board. It's really sad that IBM continues to constrain the ability to deploy applications in the CMS environment -- it's a decent system for writing really good applications, but without the tools and compilerswe're reduced to asking whether anyone can. -- db
Re: Mandatory ESMs?
-Original Message- From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Richard Troth Sent: Friday, December 10, 2010 3:28 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Mandatory ESMs? There is a GCC which runs on CMS. I have not used it. Perhaps those on this list who have will chime in. GCC is a volunteer project, so the CMS port (which is closely related to the MVS port) will lack some features of compilers from IBM or Dignus. -- R; I am not very up on the Dignus or IBM compilers. But, although a volunteer effort, the GCC is a fairly advanced C/C++ compiler. As well as FORTRAN and Ada. I am not 100% sure, but I think that IBM Germany does a lot with the Linux on z version of GCC. -- John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets® 9151 Boulevard 26 . N. Richland Hills . TX 76010 (817) 255-3225 phone . john.mck...@healthmarkets.com . www.HealthMarkets.com Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets® is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company®, Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM
Re: Mandatory ESMs?
GCC for CMS [snip] Building a non-trivial program that involves existing libraries or code that must access things like CSL services is pretty hard to do with the CMS GCC port. It's a good tool for writing apps totally from scratch, but it's not something yet that I would rely on for really large mission-critical applications. The generated code is still very conservative in the instructions it uses and what machine functions it can/does exploit, to it's detriment. I'm concerned that there's no Enterprise COBOL, no more development on FORTRAN, no up to date PL/1… etc, etc. The IBM C/C++ compiler is still maintained and current, but only because it's necessary for CP development. You can't order CMS VSAM any longer, so there's no direct access file capability from the old compilers without directly interfacing to assembler yourself. Nothing's been touched in SQL/DS for VM for ages now. TSM is gone. 2/3 of the function of DFSMS/VM is pretty much gutted in terms of usability or functionality. ISPF/VM is ancient, and pretty much no longer maintained in any real sense (a lot has happened in ISPF since 3.2). No Java since 1.3 (although that's no real loss, IMHO). APL2 is frozen in time. Pascal is frozen in time (and only still exists to service the bits of the VM TCP stack that aren't in C or assembler). Ditto RXSQL. Ditto Kerberos (the shipped K4 is nothing you'd want to build new apps on). Interactive Debugger? DMS/CMS? All pretty much in a zombie state. OpenVM? Not much to see there either — although we finally have some reason for BFS to exist with the new SSL server (not that it's all that much fun to use). You're pretty much left with assembler, C, C++, XEDIT, REXX and CMS Pipelines as the supported application development languages on CMS. That's a pretty powerful set of tooling by itself, but if you're trying to preflight applications and do development in the CMS world that is intended for other places and other uses, that's not much. 3 out of 6 aren't widely portable outside VM at all, and the other 3 are restricted to a small number of interfaces with a tiny subset of their function on other platforms. The writing is pretty much on the wall. I know the reason why, but it's still sad. -- db
Re: Mandatory ESMs?
Go to Hercules-os380 yahoo group and talk to BFN. Paul. I believe he has one working on VM, MVS and VSE. His email is: kerravo...@yahoo.com From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Michel Beaulieu Sent: Friday, December 10, 2010 3:11 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Mandatory ESMs? Hello, Don't we have at least a GCC compiler that would run in z/VM? Michel Beaulieu |*| Date: Fri, 10 Dec 2010 14:51:56 -0600 From: dbo...@sinenomine.net Subject: Mandatory ESMs? To: IBMVM@LISTSERV.UARK.EDU (Retitled because the current discussion has nothing to do with VSWITCH authorization...) Does anyone run applications in z/VM? That's the saddest statement I've seen in a long while. That used to be true across the board. It's really sad that IBM continues to constrain the ability to deploy applications in the CMS environment -- it's a decent system for writing really good applications, but without the tools and compilerswe're reduced to asking whether anyone can. -- db == This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
Re: Mandatory ESMs?
z/VM has LE ported over from z/OS. So things cannot be all that bad in the world of CMS compilers. I have heard people rant and rave and bellow That we're done and we might as well be dead But I'm only a cockeyed optimist And I can't get it into my head Oscar Hammerstein David Boyes dbo...@sinenomine.net Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU 12/10/2010 05:34 PM Please respond to The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU To IBMVM@LISTSERV.UARK.EDU cc Subject Re: Mandatory ESMs? GCC for CMS [snip] Building a non-trivial program that involves existing libraries or code that must access things like CSL services is pretty hard to do with the CMS GCC port. It's a good tool for writing apps totally from scratch, but it's not something yet that I would rely on for really large mission-critical applications. The generated code is still very conservative in the instructions it uses and what machine functions it can/does exploit, to it's detriment. I'm concerned that there's no Enterprise COBOL, no more development on FORTRAN, no up to date PL/1… etc, etc. The IBM C/C++ compiler is still maintained and current, but only because it's necessary for CP development. You can't order CMS VSAM any longer, so there's no direct access file capability from the old compilers without directly interfacing to assembler yourself. Nothing's been touched in SQL/DS for VM for ages now. TSM is gone. 2/3 of the function of DFSMS/VM is pretty much gutted in terms of usability or functionality. ISPF/VM is ancient, and pretty much no longer maintained in any real sense (a lot has happened in ISPF since 3.2). No Java since 1.3 (although that's no real loss, IMHO). APL2 is frozen in time. Pascal is frozen in time (and only still exists to service the bits of the VM TCP stack that aren't in C or assembler). Ditto RXSQL. Ditto Kerberos (the shipped K4 is nothing you'd want to build new apps on). Interactive Debugger? DMS/CMS? All pretty much in a zombie state. OpenVM? Not much to see there either — although we finally have some reason for BFS to exist with the new SSL server (not that it's all that much fun to use). You're pretty much left with assembler, C, C++, XEDIT, REXX and CMS Pipelines as the supported application development languages on CMS. That's a pretty powerful set of tooling by itself, but if you're trying to preflight applications and do development in the CMS world that is intended for other places and other uses, that's not much. 3 out of 6 aren't widely portable outside VM at all, and the other 3 are restricted to a small number of interfaces with a tiny subset of their function on other platforms. The writing is pretty much on the wall. I know the reason why, but it's still sad. -- db
Re: Steps to migrate z/VM RACF 5.3 to z/VM RACF 6.1
Thank you both, I will review very good documentation and any questions be bothering you again. Thanks again Victor Hugo Ochoa Avila BBVA CCR America 2010/12/10 gclo...@br.ibm.com Victor, I didn't do it yet, but I think the Program Directory have all the instructions. Basically: apply one PTF into 5.3, copy the DB (mdisks 200 and 300 to the new VM 6.1) and run RACFCONV when instructed. See this text, extracted from PD: If you are migrating from z/VM V5.3 RACF FL530, or if you plan to share your z/VM V6.1 RACF FL610 database with z/VM V5.3 RACF FL530, you must apply the PTF for APAR VM64383 to your z/VM V5.3 system (and restart your RACF FL530 server) before attempting any migration or sharing. The RACF database must have templates at the function level 610 for RACF to function properly. If you are migrating from a previous release of RACF to RACF FL610, you must run the RACFCONV EXEC to convert the existing database templates to the current release. The PD is here: http://www.vm.ibm.com/progdir/6vmrac10.pdf Good luck. __ Clovis From: =?ISO-8859-1?Q?Victor_Hugo_Ochoa?= vhoa...@gmail.com To: IBMVM@LISTSERV.UARK.EDU Date: 10/12/2010 08:05 Subject: Steps to migrate z/VM RACF 5.3 to z/VM RACF 6.1 Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU -- Hello again everyone Exist any book, manual or procedure to migrate RACF in z/VM 5.3 to RACF i n z/VM 6.1? I will migrate to z/VM 5.3 to z/VM 6.1 and I need to know the steps to migrate the version of RACF in 5.3 with all RACF definitions that have at this time. Anyone know or I could list the steps to follow to perform this migration ? Thanks in advance Victor Hugo Ochoa Avila BBVA CCR America -- Victor Hugo Ochoa Avila z/OS z/VM systems programmer Mexico, City.
Re: Mandatory ESMs?
LE has been kept up to date, as have things like the binder to support functions like MPROUTE which were also ported from z/OS. This makes acquiring and maintaining things like this so much easier. I'm a long time CMS fan. In an earlier life we had a lot of complex apps centered on SQL/DS including an online credit union system. Our MIS that supported our VSE-based homegrown OLTP was written using SQL/DS, Rexx, a 3270 Rexx interface (that could also drive the CMS GUI), and PL/I. We had a homegrown Dirmaint also built using SQL/DS and Rexx. When PL/I stopped being enhanced around 1996 we knew the writing was on the wall. I'm particularly proud of our Rexx fullscreen tool that allowed you to drive the 3270 (either your CMS console, a dialed device or CMS GUI) using Rexx variables (e.g. If you had a field on the screen called Surname then to change its color the simply say colour_surname = 'RED' or its protection attribute the prot_surname='Y'). It supported multiple windows and so on. The syntax was straightforward unlike DMS and it had a very small footprint. It also allowed me to learn a lot about LE, PIPI and enclaves. However, I know building apps based around logging on to a 3270 and the need to integrate with things like XML parsers like xerces mean that as an app hosting environment CMS's best day are behind it and that other than for nostalgic reasons (and the discipline to extract maximum function from a minimum if resources) I'm okay with it. All those systems are gone now as, after a takeover, TPTB decided the Alpha and Itanium were the way of the future and 30+ years of collaboration with IBM and 25+ years of VM ceased to be. Another couple of years later I think Linux would have complemented if nit supplanted our VSE systems, but it was not to be. I'm glad I left when the systems were in their prime and I didn't have to decommission our A$GREY, B$BLUE, C$BROWN and D$GREEN VM systems (they had those names for years and before they were LPARs, IBM used to supply the processors in those colours. It must be Friday and I must be getting old to indulge in such nostalgia. Time for a drink or ten. On Dec 10, 2010, at 18:41, George Henke/NYLIC george_he...@newyorklife.commailto:george_he...@newyorklife.com wrote: z/VM has LE ported over from z/OS. So things cannot be all that bad in the world of CMS compilers. I have heard people rant and rave and bellow That we're done and we might as well be dead But I'm only a cockeyed optimist And I can't get it into my head Oscar Hammerstein David Boyes dbo...@sinenomine.netmailto:dbo...@sinenomine.net Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDUmailto:IBMVM@LISTSERV.UARK.EDU 12/10/2010 05:34 PM Please respond to The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDUmailto:IBMVM@LISTSERV.UARK.EDU To IBMVM@LISTSERV.UARK.EDUmailto:IBMVM@LISTSERV.UARK.EDU cc Subject Re: Mandatory ESMs? GCC for CMS [snip] Building a non-trivial program that involves existing libraries or code that must access things like CSL services is pretty hard to do with the CMS GCC port. It's a good tool for writing apps totally from scratch, but it's not something yet that I would rely on for really large mission-critical applications. The generated code is still very conservative in the instructions it uses and what machine functions it can/does exploit, to it's detriment. I'm concerned that there's no Enterprise COBOL, no more development on FORTRAN, no up to date PL/1… etc, etc. The IBM C/C++ compiler is still maintained and current, but only because it's necessary for CP development. You can't order CMS VSAM any longer, so there's no direct access file capability from the old compilers without directly interfacing to assembler yourself. Nothing's been touched in SQL/DS for VM for ages now. TSM is gone. 2/3 of the function of DFSMS/VM is pretty much gutted in terms of usability or functionality. ISPF/VM is ancient, and pretty much no longer maintained in any real sense (a lot has happened in ISPF since 3.2). No Java since 1.3 (although that's no real loss, IMHO). APL2 is frozen in time. Pascal is frozen in time (and only still exists to service the bits of the VM TCP stack that aren't in C or assembler). Ditto RXSQL. Ditto Kerberos (the shipped K4 is nothing you'd want to build new apps on). Interactive Debugger? DMS/CMS? All pretty much in a zombie state. OpenVM? Not much to see there either — although we finally have some reason for BFS to exist with the new SSL server (not that it's all that much fun to use). You're pretty much left with assembler, C, C++, XEDIT, REXX and CMS Pipelines as the supported application development languages on CMS. That's a pretty powerful set of tooling by itself, but if you're trying to preflight applications and do development in the CMS world that is intended for other places and other uses, that's
Re: Vswitch Grant as a CMD in User's Directory?
On Friday, 12/10/2010 at 09:17 EST, Tom Huegel tehue...@gmail.com wrote: Does anyone run applications in z/VM? Isn't the 'protected data' owned by some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security effort belongs in those OS's. z/VM just needs to keep those systems isolated and NOT be able to circumvent their security procedures. While that protected data is owned by the guest, the data is *potentially* accessible by any virtual machine. It doesn't matter whether you run CMS, VSE, LINUX, MVS, TPF, or anything else. All virtualization platforms create virtual raised floors, and, like a real raised floor, you are obligated to define and enforce access controls on those floors. Some are physical, some are policy only. All persons must badge in; no tailgating. You touch THIS system and you die. You plug THAT cable into THERE, and you die. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott