Perfsvm daily reports
I have checked the Performance Toolkit Reference guide and still can't find the answer so I am asking the group. I am looking for the report to uncomment in FCONX REPORT so that I can get FCX112 reports for our specified time intervals. I have the User report uncommented : *-User Data--* USER (100 SORT %CPU This gives me the FCX112 report but only for the entire day. Not the specific intervals. This will help me correlate high CPU periods with a specific guest. Any ideas? Thanks, Tyler Koyl Management Analyst Regina Phone: 306/569-6122 | Fax: 306/569-4382 Mailto:tyler.k...@viterra.ca www.viterra.ca (Embedded image moved to file: pic16549.gif) This e-mail and any attachment(s) are confidential and may be privileged. If you are not the intended recipient please notify me immediately by return e-mail, delete this e-mail and do not copy, use or disclose it.
Re: New CMS based SSLSERV problem... DTCSSL300E
I have tested the following with Telnet TLS and z/VM on 5.4. c3270 - Curses based x3270. Basically shell 3270. tn3270 - Version 3.2.2 with the additional SSL / SSH license. Seems to work good. I am a little concerned about the SSLSERVE overhead but no way to really tell at this point as z/vm 5.4 is still a second level guest on a Test LPAR. Not much driving SSL at this point. Hopefully 4 people telneted in and maybe periodic times for web PERFSVM (Also using SSL [Static]) won't do too much damage. We will see. :) Tyler This e-mail and any attachment(s) are confidential and may be privileged. If you are not the intended recipient please notify me immediately by return e-mail, delete this e-mail and do not copy, use or disclose it.
Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS
My next question is whether I should be going with Static SSL or Dynamic SSL/TLS connections? I have setup the Static SSL for Telnet by adding the following to my TCPIP Profile: AUTOLOG SSLSERV 0 FTPSERVE 0 ENDAUTOLOG PORT 20 TCP FTPSERVE NOAUTOLOG ; FTP SERVER 21 TCP FTPSERVE; FTP SERVER 23 TCP INTCLIEN SECURE ZVMCER01 ; TELNET SERVER SSLSERVERID SSLSERV TIMEOUT 60 INTERNALCLIENTPARMS SECURECONNECTION REQUIRED ENDINTERNALCLIENTPARMS I am using a sefl-signed cert and SSL seems to be working just fine. I have tested this with x3270, c3270 and TN3270 (SDI) and I see the following in the SSLSERV Log: Client 10.254.3.81:36396 Port 23 Label ZVMCER01 Cipher RC4_128_SHA Connection established. So at this point I am assuming that my telnet sessions are secure (or more secure). However, I do get the following disturbing message in the TCPIP log at initialization: DTCSTM305I Telnet server: Secure Connections are REQUIRED DTCSTM309I Telnet server: TLS Label is none DTCSTM335E Telnet server: Unable to handle secure connections, no TLS label specified . I believe this means that the telnet server itself will not handle the secure connections (Dynamic SSL\TLS) but rather TCPIP will forward the request for the secure port to the SSLSERV (Static SSL). Wondering if I am going box myself in here when I go to secure FTP connections and PERFSVM web access. Tyler Koyl Viterra Inc. This e-mail and any attachment(s) are confidential and may be privileged. If you are not the intended recipient please notify me immediately by return e-mail, delete this e-mail and do not copy, use or disclose it.
Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS
Sweet. The you would have to comment out or remove: ; 23 TCP INTCLIEN SECURE ZVMCER01 ; TELNET SERVER Tyler Huegel, Thomas thue...@kable.com Sent by: The IBMTo z/VM Operating IBMVM@LISTSERV.UARK.EDU System cc ib...@listserv.uar K.EDU Subject Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS 03/11/2009 12:49 PM Please respond to The IBM z/VM Operating System ib...@listserv.uar K.EDU I have something like this .. INTERNALCLIENTPARMS PORT 992 SECURECONNECTION REQUIRED TLSLABEL ZVMCER0 ENDINTERNALCLIENTPARMS Also: In the SYSTEM DTCPARMS ... EXEMPT LOW makes it more secure.. :parms.KEYFile /etc/gskadm/Database.kdb EXEMPT LOW MAXUSERS 200 -Original Message- From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu]on Behalf Of Tyler Koyl Sent: Wednesday, March 11, 2009 1:17 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS My next question is whether I should be going with Static SSL or Dynamic SSL/TLS connections? I have setup the Static SSL for Telnet by adding the following to my TCPIP Profile: AUTOLOG SSLSERV 0 FTPSERVE 0 ENDAUTOLOG PORT 20 TCP FTPSERVE NOAUTOLOG ; FTP SERVER 21 TCP FTPSERVE; FTP SERVER 23 TCP INTCLIEN SECURE ZVMCER01 ; TELNET SERVER SSLSERVERID SSLSERV TIMEOUT 60 INTERNALCLIENTPARMS SECURECONNECTION REQUIRED ENDINTERNALCLIENTPARMS I am using a sefl-signed cert and SSL seems to be working just fine. I have tested this with x3270, c3270 and TN3270 (SDI) and I see the following in the SSLSERV Log: Client 10.254.3.81:36396 Port 23 Label ZVMCER01 Cipher RC4_128_SHA Connection established. So at this point I am assuming that my telnet sessions are secure (or more secure). However, I do get the following disturbing message in the TCPIP log at initialization: DTCSTM305I Telnet server: Secure Connections are REQUIRED DTCSTM309I Telnet server: TLS Label is none DTCSTM335E Telnet server: Unable to handle secure connections, no TLS label specified . I believe this means that the telnet server itself will not handle the secure connections (Dynamic SSL\TLS) but rather TCPIP will forward the request for the secure port to the SSLSERV (Static SSL). Wondering if I am going box myself in here when I go to secure FTP connections and PERFSVM web access. Tyler Koyl Viterra Inc. This e-mail and any attachment(s) are confidential and may be privileged. If you are not the intended recipient please notify me immediately by return e-mail, delete this e-mail and do not copy, use or disclose it. This e-mail and any attachment(s) are confidential and may be privileged. If you are not the intended recipient please notify me immediately by return e-mail, delete this e-mail and do not copy, use or disclose it.
Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS
Thanks for the info Alan. I will open an ETR with IBM about the incorrect message tomorrow. I have Telnet setup to negotiate sessions (TLS) now so I have done the setup both ways. going to stick with negotiated for Telnet and ftp. It took me 2 days, but I got it. :). Again, Thanks for your time. D. Tyler Koyl Management Analyst (Embedded image moved to file: pic04313.gif) Viterra Tel (306) 569-6122 Fax (306) 569-4382 mailto:tyler.k...@viterra.ca http://www.viterra.ca Alan Altmark alan_altm...@us.ib m.com To Sent by: The IBMIBMVM@LISTSERV.UARK.EDU z/VM Operating cc System ib...@listserv.uarSubject K.EDU Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS 03/11/2009 01:58 PM Please respond to The IBM z/VM Operating System ib...@listserv.uar K.EDU On Wednesday, 03/11/2009 at 02:17 EDT, Tyler Koyl tyler.k...@viterra.ca wrote: My next question is whether I should be going with Static SSL or Dynamic SSL/TLS connections? That depends on your client capability. Some older telnet clients can't negotiate a secure connection. PORT 23 TCP INTCLIEN SECURE ZVMCER01 ; TELNET SERVER INTERNALCLIENTPARMS SECURECONNECTION REQUIRED ENDINTERNALCLIENTPARMS So at this point I am assuming that my telnet sessions are secure (or more secure). However, I do get the following disturbing message in the TCPIP log at initialization: DTCSTM305I Telnet server: Secure Connections are REQUIRED DTCSTM309I Telnet server: TLS Label is none DTCSTM335E Telnet server: Unable to handle secure connections, no TLS label specified . I believe this means that the telnet server itself will not handle the secure connections (Dynamic SSL\TLS) but rather TCPIP will forward the request for the secure port to the SSLSERV (Static SSL). Please call it in. The following are wrong: - The text should say Unable to negotiate secure connections with clients, no TLS label specified. - The explanation in Msgs Codes should be updated to say that static connections are not affected. The REQUIRED parameter means that a session must be negotiated to be secure OR it be statically protected. If a connection has been statically protected, the telnet server knows and will not negotate a secure connection. So as it is now, DTC335E is overstating the case IF there is a label present on the PORT statement. Of course, you won't really know if a static connection has a hope of working until you try it. (BTW, for those who care, static SSL is the same function that z/OS calls AT-TLS - Application Transparent TLS.) The general rule is that negotiating and non-negotating clients cannot go to the same port as, typically, the client will only connect in a single way rather than try both. I don't know of any client that will try to establish a TLS session first and then, if that fails, try to negotiate a TLS session on the same port. So to handle both static and negotiating telnet clients: - Add the same TLS label to the InternalClientParms as you have on the PORT statement - Add a second PORT entry for another INTCLIEN, e.g. 10023 - Add port 23 port 10023 to the InternalClientParms - Decide whether most of telnet client negotiate or if they require a static connection. This decides whether port 23 will require static connections. - If majority are static, leave port 23 as you have it. - If majority negotiate, move the SECURE option from port 23 to port 10023. - Assuming the telnet client software isn't smart enough to try both ways, the set of clients that lost the race for port 23 must change their configuration to go to port 10023
SSL Server on z/VM 5.4 RSU 802
Testing out z/VM 5.4 and would like to implement secure telnet, ftp etc using the SSL server. I have gone through the TCPIP configuration and certificate database creation of the SSL server but I get the following from SSLSERV when the server is autologged by TCPIP: DTCRUN1022I Console log will be sent to default owner ID: TCPMAINT DTCRUN1011I Server started at 14:14:16 on 10 Mar 2009 (Tuesday) DTCRUN1011I Running server command: VMSSL DTCRUN1011I Parameters in use: DTCRUN1011I keyfile /etc/gskadm/Database.kdb VMSSL program functions are not available 14:14:16 * MSG FROM SSLSERV : VMSSL PROGRAM FUNCTIONS ARE NOT AVAILABLE HCPMFS057I SSLSERV not receiving; disconnected DTCRUN1015I Server ended with RC=8 at 14:14:16 on 10 Mar 2009 (Tuesday) I seem to not be able to find out WHY 'VMSSL program functions are not available'. I can only guess that it might be because we don't have any crypto processors enabled but I am pretty dazed and confused at this point. Any help is appreciated. Tyler Koyl Viterra Inc. This e-mail and any attachment(s) are confidential and may be privileged. If you are not the intended recipient please notify me immediately by return e-mail, delete this e-mail and do not copy, use or disclose it.
Re: SSL Server on z/VM 5.4 RSU 802
Thanks. Thats was it. I found the enablement PTFs and installed them. This is a real PITA. From having to figure out that ssl needed to be enabled to finally getting SSLSERV to initialize properly only after storing the database password in a friggin stash file with the right permissions; made for a long day. I feel cooked. Tyler Koyl Viterra Inc. Huegel, Thomas thue...@kable.com Sent by: The IBMTo z/VM Operating IBMVM@LISTSERV.UARK.EDU System cc ib...@listserv.uar K.EDU Subject Re: SSL Server on z/VM 5.4 RSU 802 03/10/2009 03:34 PM Please respond to The IBM z/VM Operating System ib...@listserv.uar K.EDU I don't know.. do you have the SSL enabling PTF's on? -Original Message- From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu]on Behalf Of Tyler Koyl Sent: Tuesday, March 10, 2009 4:31 PM To: IBMVM@LISTSERV.UARK.EDU Subject: SSL Server on z/VM 5.4 RSU 802 Testing out z/VM 5.4 and would like to implement secure telnet, ftp etc using the SSL server. I have gone through the TCPIP configuration and certificate database creation of the SSL server but I get the following from SSLSERV when the server is autologged by TCPIP: DTCRUN1022I Console log will be sent to default owner ID: TCPMAINT DTCRUN1011I Server started at 14:14:16 on 10 Mar 2009 (Tuesday) DTCRUN1011I Running server command: VMSSL DTCRUN1011I Parameters in use: DTCRUN1011I keyfile /etc/gskadm/Database.kdb VMSSL program functions are not available 14:14:16 * MSG FROM SSLSERV : VMSSL PROGRAM FUNCTIONS ARE NOT AVAILABLE HCPMFS057I SSLSERV not receiving; disconnected DTCRUN1015I Server ended with RC=8 at 14:14:16 on 10 Mar 2009 (Tuesday) I seem to not be able to find out WHY 'VMSSL program functions are not available'. I can only guess that it might be because we don't have any crypto processors enabled but I am pretty dazed and confused at this point. Any help is appreciated. Tyler Koyl Viterra Inc. This e-mail and any attachment(s) are confidential and may be privileged. If you are not the intended recipient please notify me immediately by return e-mail, delete this e-mail and do not copy, use or disclose it. This e-mail and any attachment(s) are confidential and may be privileged. If you are not the intended recipient please notify me immediately by return e-mail, delete this e-mail and do not copy, use or disclose it.