Re: BFS SSLSERV question
On my 2nd level system installed from the IBM ddr and then the SSL PTF, when I try what Richard suggested, I get the following:

ls -la /etc
Erwxrwxrwx 1 maint system 21 Oct 2 15:55 /etc - /../VMBFS:VMSYSU:E TC $

Is that normal? Why is it VMSYSU? I would have expected something in VMSYS.

Jim--Still confused

Richard Troth wrote:
> A good pre-req test would be to confirm that openvm shell works, prior to adding any other products to BFS land. You could then ls -la /etc from that shell and see if "gskadm" actually exists.
>
> So ... just addressing this one error message, when a filespace (other than the root) gets mounted, the mount point directory must already exist. (Should typically be empty.)
>
> And, of course, all this stuff is CaSe SeNsItIvE.
>
> I hope this helps.
>
> -- R;
>
> On Fri, Mar 20, 2009 at 1:12 PM, Jim Bohnsack jab...@cornell.edu wrote:
> > I have a dumb question and a long posting. Sorry.
> >
> > We have SSLSERV working on our 2nd lvl z/VM 5.4 system, the one I loaded from the IBM DDR. I always bring up a new release on a 2nd level id and then move code piece by piece to our production systems. Almost everything is moved, but I am up against a brick wall with SSLSERV. I think it is a problem with BFS and my total lack of knowledge about BFS. I've never used BFS, so I suspect that I'm just missing something very obvious to anyone who knows anything at all about BFS.
> >
> > The GSKADMIN and SSLSERV userid's are defined along with the RACF SECURITY class as it was in the RACF db from IBM. GSKADMIN and SSLSERV are connected to SECURITY. I've done the "rac alu sslserv ovm(uid(7))", "rac alu gskadmin ovm(uid(6))", and "rac alg security ovm(gid(7))". The directory entries for GSKADMIN and SSLSERV have the following POSIXINFO entries, respectively:
> >
> > POSIXINFO UID 6 GNAME security
> > POSIXINFO UID 7 GNAME security
> >
> > Where I seem to be having a problem is in following the step by step procedures in chapter 20 of TCP/IP Plng and Cust. Step 4B sends me to Ch 15 of the TCPIP LDAP Admin. Guide. When I logon to GSKADMIN to use GSKKYMAN to create a new database, I get the messages:
> >
> > Profile..: Setting up BFS environment...
> > Profile..: Determining what is currently mounted...
> > Nothing is mounted
> > Profile..: Mounting root file system...
> > Profile..: Mounting GSKSSLDB file space at: /etc/gskadm/
> > Object does not exist: '/etc/gskadm/'
> > Profile-- Unexpected error from command: OPENVM MOUNT /../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm/
> > Profile..: RC = 28
> > Ready; T=0.04/0.07 09:16:20
> >
> > which I guess are reasonable because I haven't created the database yet. GSKKYMAN gives me the database menu and my replies are as follows:
> >
> > Enter key database name (press ENTER to return to menu): /etc/gskADM/KeyDBT.kdb
> > Enter database password (press ENTER to return to menu):
> > Re-enter database password:
> > Enter password expiration in days (press ENTER for no expiration):
> > Enter database record length (press ENTER to use 5000):
> > Unable to create database /etc/gskADM/KeyDBT.kdb.
> > Status 0x0335303f - Database open failed.
> > Press ENTER to continue.
> >
> > This is the point, above, where the results are different from doing this on the 2nd lvl system from IBM. DTCPARMS has the following :nick.SSL entry:
> >
> > :nick.SSL :type.class
> > :name.SSL daemon
> > :command.VMSSL
> > :runtime.C
> > :diskwarn.YES
> > :Admin_ID_list.JAB282 MAB GSKADMIN
> > :memory.256M
> > :mixedcaseparms.YES
> > :mount. /../VMBFS:VMSYS:ROOT/ / ,
> >         /../VMBFS:VMSYS:SSLSERV/ /tmp ,
> >         /../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm
> >
> > I'm sure that what is wrong to anyone who knows anything about BFS, but that excludes me. I would appreciate any help.
> >
> > Jim
> >
> > --
> > Jim Bohnsack
> > Cornell University
> > (972) 596-6377 home/office
> > (972) 342-5823 cell
> > jab...@cornell.edu

--
Jim Bohnsack
Cornell University
(972) 596-6377 home/office
(972) 342-5823 cell
jab...@cornell.edu

Re: BFS SSLSERV question
2009/3/30 Jim Bohnsack jab...@cornell.edu:
> On my 2nd level system installed from the IBM ddr and then the SSL PTF, when I try what Richard suggested, I get the following:
>
> ls -la /etc
> Erwxrwxrwx 1 maint system 21 Oct 2 15:55 /etc - /../VMBFS:VMSYSU:E TC $
>
> Is that normal? Why is it VMSYSU? I would have expected something in VMSYS.
>
> Jim--Still confused

VMSYS or VMSYSU? The filepool depends on what you mount. That can be defined in the CP directory, such as:

USER KRIS ...
PosixInfo UID 0 GNAME staff IWDIR /home/kris/ FSROOT '/../V', 'MBFS:SFS72:ROOT/'

Or with an OPENVM MOUNT command executed by SYSPROF or PROFILE EXEC.

--
Kris Buelens, IBM Belgium, VM customer support

Re: BFS SSLSERV question
On 3/22/09 3:31 PM, Alan Altmark alan_altm...@us.ibm.com wrote:
> Sorry, David, that would just make things worse since we'd keep shipping a new CONFIG filepool in each release as we do with VMSYS and VMSYSU, and then there would be two *global* CONFIG filepools in the collection. Two objects would attempt to occupy the same space and one would be annihilated. There can be only one.

Guess the automated filepool generation tool is still off the table? I think we've had that conversation before.

OTOH, what's to prevent you from shipping it with a release specific name (like you do with volsers on the boot system) like VnnnCFG and then documenting the SCOMDIR NAMES incantation to switch individual virtual machines on a case by case basis using a mechanism like you do with TCPRUNX. As you keep telling me, that's the way to alias generics to specific names on a local and global basis.

At some point, IBM has got to bite the bullet and put configuration information OUTSIDE areas that are part of product code, and be really systematic about it. Having stuff in tons of different places is really starting to be a PITA for configuration management.

Re: BFS SSLSERV question
On Friday, 03/20/2009 at 09:29 EDT, Jim Bohnsack jab...@cornell.edu wrote:
> Thank you all for your responses. It sounds as if it is as I suspected, a total lack of knowledge about BFS and almost as much of a lack of knowledge about SFS. It might be a good idea to include some of these SFS/BFS peculiar hints or ideas in the TCPIP doc, especially for the VM newbie (as well as for the old timer who still carries a pocket full of 5081 cards--for you kids, a 5081 card is an IBM punched card).

It's worth pointing out, too, that with certificates and private keys being held in BFS, it becomes a more valuable chunk of data than in prior decades. (For those who didn't use it for anything else.)

You might find it worth the effort to create your own SFS filepool so that release-to-release migrations don't create a disruption since you have to actually migrate VMSYS content. With your own global filepool, your 2nd level system can down to the 1st level system (via TSAF) to pick up the BFS filesystem.

If there is a need to migrate a prior release's database content to a new database for any reason, we will be very clear on that point in the Migration Guide.

Alan Altmark
z/VM Development
IBM Endicott

Re: BFS SSLSERV question
> You might find it worth the effort to create your own SFS filepool so that release-to-release migrations don't create a disruption since you have to actually migrate VMSYS content. With your own global filepool, your 2nd level system can down to the 1st level system (via TSAF) to pick up the BFS filesystem.
>
> Alan Altmark
> z/VM Development
> IBM Endicott

Sounds like a good practice for the next release. Call it CONFIG or something like that, and fix the apps like DFSMS to put their config files there by default.

Re: BFS SSLSERV question
On Sunday, 03/22/2009 at 03:17 EDT, David Boyes dbo...@sinenomine.net wrote:
> Sounds like a good practice for the next release. Call it CONFIG or something like that, and fix the apps like DFSMS to put their config files there by default.

Sorry, David, that would just make things worse since we'd keep shipping a new CONFIG filepool in each release as we do with VMSYS and VMSYSU, and then there would be two *global* CONFIG filepools in the collection. Two objects would attempt to occupy the same space and one would be annihilated. There can be only one.

If you don't want IBM to touch it, you need to create it.

Alan Altmark
z/VM Development
IBM Endicott

Re: BFS SSLSERV question
In this new redbook we do indeed recommend to create a special filepool as storage space for the certificates and the LDAP databases, this to avoid problems with release migrations. The principle: customer data in your filepool; software in IBM's VMSYS. This is definitely not the way things are explained in the TCP/IP manual, then everything goes in VMSYS.

We detail the required steps, to create the new filepool; what to change in the LDAP setup, what to mount to run gskkyman, ...

2009/3/22 Alan Altmark alan_altm...@us.ibm.com
> On Sunday, 03/22/2009 at 03:17 EDT, David Boyes dbo...@sinenomine.net wrote:
> > Sounds like a good practice for the next release. Call it CONFIG or something like that, and fix the apps like DFSMS to put their config files there by default.
>
> Sorry, David, that would just make things worse since we'd keep shipping a new CONFIG filepool in each release as we do with VMSYS and VMSYSU, and then there would be two *global* CONFIG filepools in the collection. Two objects would attempt to occupy the same space and one would be annihilated. There can be only one.
>
> If you don't want IBM to touch it, you need to create it.
>
> Alan Altmark
> z/VM Development
> IBM Endicott

--
Kris Buelens, IBM Belgium, VM customer support

Re: BFS SSLSERV question
Seeking for some brief SFS/BFS overview: a certain DJ, well known here, might remember I asked him in 1998 to devote a small section of the VM/ESA Network computing with Java And NetRexx (SG24-5148) Redbook to it.

I wrote something similar for the upcoming Redbook about password synchronization between z/VM and z/OS, using LDAP, gskkyman and BFS. I felt that the audience might be unfamiliar with SFS and/or BFS. Stay tuned.

2009/3/21 Jim Bohnsack jab...@cornell.edu:
> Thank you all for your responses. It sounds as if it is as I suspected, a total lack of knowledge about BFS and almost as much of a lack of knowledge about SFS. It might be a good idea to include some of these SFS/BFS peculiar hints or ideas in the TCPIP doc, especially for the VM newbie (as well as for the old timer who still carries a pocket full of 5081 cards--for you kids, a 5081 card is an IBM punched card).
>
> Jim
>
> Alan Altmark wrote:
> > On Friday, 03/20/2009 at 01:13 EDT, Jim Bohnsack jab...@cornell.edu wrote:
> > > I have a dumb question and a long posting. Sorry.
>
> --
> Jim Bohnsack
> Cornell University
> (972) 596-6377 home/office
> (972) 342-5823 cell
> jab...@cornell.edu

--
Kris Buelens, IBM Belgium, VM customer support

Re: BFS SSLSERV question
The Redbook Kris is referring to can be found here: http://www.redbooks.ibm.com/abstracts/sg245148.html?Open. There is an overview of BFS in Chapter 2.

Another Redbook that might be of interest is OpenEdition for VM/ESA A Implementation and Administration Guide (http://www.redbooks.ibm.com/abstracts/sg244747.html?Open).

Have a good one.

Jim Bohnsack wrote:
> A useful Redbook or Redpaper, or whatever category it could be put into, would be very useful. There must be others besides me who would benefit from everything being in one place and being complete. What Alan said in his response to my post was not mentioned anywhere that I've seen. As I've said before, I generally spread out new releases or maintenance by pointing the production systems to the new code. I never thought of something new being in the VMSYS filepool. I don't think I've had to do anything with the SFS file pool space since SFS first came out. It doesn't get much use other than DFSMS and that's pretty light.
>
> When will the new Redbook come out? I'd be happy to see a beta version of it.
>
> Jim
>
> Kris Buelens wrote:
> > Seeking for some brief SFS/BFS overview: a certain DJ, well known here, might remember I asked him in 1998 to devote a small section of the VM/ESA Network computing with Java And NetRexx (SG24-5148) Redbook to it.
> >
> > I wrote something similar for the upcoming Redbook about password synchronization between z/VM and z/OS, using LDAP, gskkyman and BFS. I felt that the audience might be unfamiliar with SFS and/or BFS. Stay tuned.

--
DJ
V/Soft
z/VM and mainframe Linux expertise, training, consulting, and software development
www.vsoft-software.com

Re: BFS SSLSERV question
Jim,

Did you enroll the ROOT, SSLSERV, and GSKSSLDB BFS filespaces in your SFS server? Did you create the objects that go in those filespaces? Take a look at your starter system to see what they should look like. I did my z/VM 5.4.0 upgrade by rotating in a new sysres set, so all that was done for me.

Dennis O'Brien

39,516

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Jim Bohnsack
Sent: Friday, March 20, 2009 10:13
To: IBMVM@LISTSERV.UARK.EDU
Subject: [IBMVM] BFS SSLSERV question

I have a dumb question and a long posting. Sorry.

We have SSLSERV working on our 2nd lvl z/VM 5.4 system, the one I loaded from the IBM DDR. I always bring up a new release on a 2nd level id and then move code piece by piece to our production systems. Almost everything is moved, but I am up against a brick wall with SSLSERV. I think it is a problem with BFS and my total lack of knowledge about BFS. I've never used BFS, so I suspect that I'm just missing something very obvious to anyone who knows anything at all about BFS.

The GSKADMIN and SSLSERV userid's are defined along with the RACF SECURITY class as it was in the RACF db from IBM. GSKADMIN and SSLSERV are connected to SECURITY. I've done the rac alu sslserv ovm(uid(7)), rac alu gskadmin ovm(uid(6)), and rac alg security ovm(gid(7)). The directory entries for GSKADMIN and SSLSERV have the following POSIXINFO entries, respectively:

POSIXINFO UID 6 GNAME security
POSIXINFO UID 7 GNAME security

Where I seem to be having a problem is in following the step by step procedures in chapter 20 of TCP/IP Plng and Cust. Step 4B sends me to Ch 15 of the TCPIP LDAP Admin. Guide. When I logon to GSKADMIN to use GSKKYMAN to create a new database, I get the messages:

Profile..: Setting up BFS environment...
Profile..: Determining what is currently mounted...
Nothing is mounted
Profile..: Mounting root file system...
Profile..: Mounting GSKSSLDB file space at: /etc/gskadm/
Object does not exist: '/etc/gskadm/'
Profile-- Unexpected error from command: OPENVM MOUNT /../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm/
Profile..: RC = 28
Ready; T=0.04/0.07 09:16:20

which I guess are reasonable because I haven't created the database yet. GSKKYMAN gives me the database menu and my replies are as follows:

Enter key database name (press ENTER to return to menu): /etc/gskADM/KeyDBT.kdb
Enter database password (press ENTER to return to menu):
Re-enter database password:
Enter password expiration in days (press ENTER for no expiration):
Enter database record length (press ENTER to use 5000):
Unable to create database /etc/gskADM/KeyDBT.kdb.
Status 0x0335303f - Database open failed.
Press ENTER to continue.

This is the point, above, where the results are different from doing this on the 2nd lvl system from IBM. DTCPARMS has the following :nick.SSL entry:

:nick.SSL :type.class
:name.SSL daemon
:command.VMSSL
:runtime.C
:diskwarn.YES
:Admin_ID_list.JAB282 MAB GSKADMIN
:memory.256M
:mixedcaseparms.YES
:mount. /../VMBFS:VMSYS:ROOT/ / ,
        /../VMBFS:VMSYS:SSLSERV/ /tmp ,
        /../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm

I'm sure that what is wrong to anyone who knows anything about BFS, but that excludes me. I would appreciate any help.

Jim

--
Jim Bohnsack
Cornell University
(972) 596-6377 home/office
(972) 342-5823 cell
jab...@cornell.edu

Re: BFS SSLSERV question
On Friday, 03/20/2009 at 01:13 EDT, Jim Bohnsack jab...@cornell.edu wrote:
> I have a dumb question and a long posting. Sorry.
>
> We have SSLSERV working on our 2nd lvl z/VM 5.4 system, the one I loaded from the IBM DDR. I always bring up a new release on a 2nd level id and then move code piece by piece to our production systems. Almost everything is moved, but I am up against a brick wall with SSLSERV. I think it is a problem with BFS and my total lack of knowledge about BFS. I've never used BFS, so I suspect that I'm just missing something very obvious to anyone who knows anything at all about BFS.
>
> The GSKADMIN and SSLSERV userid's are defined along with the RACF SECURITY class as it was in the RACF db from IBM. GSKADMIN and SSLSERV are connected to SECURITY. I've done the rac alu sslserv ovm(uid(7)), rac alu gskadmin ovm(uid(6)), and rac alg security ovm(gid(7)). The directory entries for GSKADMIN and SSLSERV have the following POSIXINFO entries, respectively:
>
> POSIXINFO UID 6 GNAME security
> POSIXINFO UID 7 GNAME security

Just as a reminder: Did you update HCPRWA to specify ICHNGMAX value 0? If you didn't, RACF is not in charge of POSIX UID/GIDs.

> Where I seem to be having a problem is in following the step by step procedures in chapter 20 of TCP/IP Plng and Cust. Step 4B sends me to Ch 15 of the TCPIP LDAP Admin. Guide. When I logon to GSKADMIN to use GSKKYMAN to create a new database, I get the messages:
>
> Profile..: Mounting root file system...
> Profile..: Mounting GSKSSLDB file space at: /etc/gskadm/
> Object does not exist: '/etc/gskadm/'
> Profile-- Unexpected error from command: OPENVM MOUNT /../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm/
> Profile..: RC = 28
> Ready; T=0.04/0.07 09:16:20
>
> which I guess are reasonable because I haven't created the database yet.

No, not reasonable. It's not going after files, it's going after directories that were created by LOADBFS.

Since it works on your 2nd level system, I would guess that you didn't import the GSKSSLDB and SSLSERV filespaces into your first-level VMSYS filepool via FILEPOOL UNLOAD and FILEPOOL RELOAD.

Alan Altmark
z/VM Development
IBM Endicott

Re: BFS SSLSERV question
I cannot say enough good about how Endicott implemented OpenVM ... now some 15+ years ago. The way the POSIX info is rolled into the CP Dir is spot on. There are issues, notably performance concerns and a gross lack of attention (thanks to the distracting popularity of Linux on VM). But the core features of POSIX on VM are truly outstanding.

Okay ... but it is still a little weird for old CMS hacks. Sorry.

I see you've gotten some good recommendations, better than I could give (not knowing the SSL server, though I do know BFS a little). The object does not exist message sounds like the directory over which GSKKYMAN wants to mount the filespace is simply not there. If you did not fully populate the OpenVM stuff, then yeah, a lot of stuff could be missing which is assumed (in Unix) to always be present.

A good pre-req test would be to confirm that openvm shell works, prior to adding any other products to BFS land. You could then ls -la /etc from that shell and see if gskadm actually exists.

So ... just addressing this one error message, when a filespace (other than the root) gets mounted, the mount point directory must already exist. (Should typically be empty.)

And, of course, all this stuff is CaSe SeNsItIvE.

I hope this helps.

-- R;

On Fri, Mar 20, 2009 at 1:12 PM, Jim Bohnsack jab...@cornell.edu wrote:
> I have a dumb question and a long posting. Sorry.
>
> We have SSLSERV working on our 2nd lvl z/VM 5.4 system, the one I loaded from the IBM DDR. I always bring up a new release on a 2nd level id and then move code piece by piece to our production systems. Almost everything is moved, but I am up against a brick wall with SSLSERV. I think it is a problem with BFS and my total lack of knowledge about BFS. I've never used BFS, so I suspect that I'm just missing something very obvious to anyone who knows anything at all about BFS.
>
> The GSKADMIN and SSLSERV userid's are defined along with the RACF SECURITY class as it was in the RACF db from IBM. GSKADMIN and SSLSERV are connected to SECURITY. I've done the rac alu sslserv ovm(uid(7)), rac alu gskadmin ovm(uid(6)), and rac alg security ovm(gid(7)). The directory entries for GSKADMIN and SSLSERV have the following POSIXINFO entries, respectively:
>
> POSIXINFO UID 6 GNAME security
> POSIXINFO UID 7 GNAME security
>
> Where I seem to be having a problem is in following the step by step procedures in chapter 20 of TCP/IP Plng and Cust. Step 4B sends me to Ch 15 of the TCPIP LDAP Admin. Guide. When I logon to GSKADMIN to use GSKKYMAN to create a new database, I get the messages:
>
> Profile..: Setting up BFS environment...
> Profile..: Determining what is currently mounted...
> Nothing is mounted
> Profile..: Mounting root file system...
> Profile..: Mounting GSKSSLDB file space at: /etc/gskadm/
> Object does not exist: '/etc/gskadm/'
> Profile-- Unexpected error from command: OPENVM MOUNT /../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm/
> Profile..: RC = 28
> Ready; T=0.04/0.07 09:16:20
>
> which I guess are reasonable because I haven't created the database yet. GSKKYMAN gives me the database menu and my replies are as follows:
>
> Enter key database name (press ENTER to return to menu): /etc/gskADM/KeyDBT.kdb
> Enter database password (press ENTER to return to menu):
> Re-enter database password:
> Enter password expiration in days (press ENTER for no expiration):
> Enter database record length (press ENTER to use 5000):
> Unable to create database /etc/gskADM/KeyDBT.kdb.
> Status 0x0335303f - Database open failed.
> Press ENTER to continue.
>
> This is the point, above, where the results are different from doing this on the 2nd lvl system from IBM. DTCPARMS has the following :nick.SSL entry:
>
> :nick.SSL :type.class
> :name.SSL daemon
> :command.VMSSL
> :runtime.C
> :diskwarn.YES
> :Admin_ID_list.JAB282 MAB GSKADMIN
> :memory.256M
> :mixedcaseparms.YES
> :mount. /../VMBFS:VMSYS:ROOT/ / ,
>         /../VMBFS:VMSYS:SSLSERV/ /tmp ,
>         /../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm
>
> I'm sure that what is wrong to anyone who knows anything about BFS, but that excludes me. I would appreciate any help.
>
> Jim
>
> --
> Jim Bohnsack
> Cornell University
> (972) 596-6377 home/office
> (972) 342-5823 cell
> jab...@cornell.edu

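
The two rules in the message above (a mount point directory must already exist in the filespace mounted above it, and path names are case sensitive) can be checked against a :mount. value offline. The Python below is an added example, not part of the thread and not IBM tooling; the comma-separated layout of the :mount. value is inferred from the one entry quoted in the thread, and all function names are hypothetical.

```python
import posixpath
import re

# Constructed from the :mount. value of the :nick.SSL entry quoted in the thread.
MOUNT_TAG = ("/../VMBFS:VMSYS:ROOT/ / , /../VMBFS:VMSYS:SSLSERV/ /tmp , "
             "/../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm")
# Filepools the thread says IBM ships anew with each release.
SHIPPED_FILEPOOLS = {"VMSYS", "VMSYSU"}
# Fully qualified BFS filespace name as written in the thread.
FILESPACE_RE = re.compile(r"^/\.\./VMBFS:([^:/]+):([^:/]+)/$")


def parse_mounts(tag_value):
    """Split a :mount. value into (filepool, filespace, mount_point) tuples.
    Assumes comma-separated 'filespace mount-point' pairs, as in the thread."""
    mounts = []
    for pair in tag_value.split(","):
        fields = pair.split()
        if len(fields) != 2:
            raise ValueError(f"expected 'filespace mount-point', got {pair!r}")
        match = FILESPACE_RE.match(fields[0])
        if match is None:
            raise ValueError(f"not a BFS filespace name: {fields[0]!r}")
        mounts.append((match.group(1), match.group(2),
                       posixpath.normpath(fields[1])))
    return mounts


def covers(mount_point, path):
    """True if path is the mount point itself or lies below it."""
    return (mount_point == "/" or path == mount_point
            or path.startswith(mount_point + "/"))


def owning_mount(path, mounts, fold_case=False):
    """Longest mount point covering path; case-sensitive unless fold_case."""
    fold = str.lower if fold_case else str
    path = fold(posixpath.normpath(path))
    hits = [m for m in mounts if covers(fold(m[2]), path)]
    return max(hits, key=lambda m: len(m[2]), default=None)


def required_directories(mounts):
    """(directory, filespace that must already contain it) per non-root mount."""
    needed = []
    for _pool, _space, point in mounts:
        if point != "/":
            parent = owning_mount(posixpath.dirname(point), mounts)
            needed.append((point, parent[1] if parent else None))
    return needed


def case_mismatch(path, mounts):
    """If path reaches a mount point only when case is ignored, return
    (intended mount point, filespace the path really resolves into)."""
    exact = owning_mount(path, mounts)
    folded = owning_mount(path, mounts, fold_case=True)
    if folded is not None and folded != exact:
        return folded[2], exact[1] if exact else None
    return None


def data_in_shipped_pools(mounts, data_mount_points):
    """Mount points holding site data (caller's list) in a shipped filepool."""
    return [m[2] for m in mounts
            if m[2] in data_mount_points and m[0] in SHIPPED_FILEPOOLS]


if __name__ == "__main__":
    mounts = parse_mounts(MOUNT_TAG)
    print(required_directories(mounts))
    print(case_mismatch("/etc/gskADM/KeyDBT.kdb", mounts))
    print(data_in_shipped_pools(mounts, {"/etc/gskadm"}))
```

For the entry in the thread, this model reports that /tmp and /etc/gskadm must both exist as directories in the ROOT filespace, and that /etc/gskADM/KeyDBT.kdb resolves into ROOT rather than GSKSSLDB.
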
Re: BFS SSLSERV question
Thank you all for your responses. It sounds as if it is as I suspected, a total lack of knowledge about BFS and almost as much of a lack of knowledge about SFS. It might be a good idea to include some of these SFS/BFS peculiar hints or ideas in the TCPIP doc, especially for the VM newbie (as well as for the old timer who still carries a pocket full of 5081 cards--for you kids, a 5081 card is an IBM punched card).

Jim

Alan Altmark wrote:
> On Friday, 03/20/2009 at 01:13 EDT, Jim Bohnsack jab...@cornell.edu wrote:
> > I have a dumb question and a long posting. Sorry.

--
Jim Bohnsack
Cornell University
(972) 596-6377 home/office
(972) 342-5823 cell
jab...@cornell.edu