VSWITCH Recovery fail with error: detached after CISCO L2 switch is reset

2011-06-13 Thread TaeMin Baek
Hello,

We have zLinux (Red Hat V5.5) running under z/VM V6.1 on a z196.
zLinux is coupled to a VSWITCH which is defined as IP and has two separate OSA
adapter devices for VSWITCH failover.
The two OSA adapters are connected to the same CISCO L2 switch.

We tested VSWITCH failover, and it worked well.
But after the CISCO L2 switch was reset for preventive maintenance, zLinux
could not dynamically recover its IP network.
We deleted and defined the VSWITCH and coupled it to zLinux to recover the zLinux
network.
After making the network status normal, we reset the CISCO L2 switch again,
but zLinux could not be pinged and the network could not be dynamically recovered.
When we query VSWITCH DETAIL, "error: detached" is found.

Is this normal when the L2 switch is reset? Whenever the L2 switch is reset, do I
have to recover the VSWITCH manually?
I want the VSWITCH to recover automatically whenever the L2 switch is reset.
How can I fix this problem?


Regards



Tae Min Baek

Re: VSWITCH Recovery fail with error: detached after CISCO L2 switch is reset

2011-06-13 Thread Malcolm Beattie
TaeMin Baek writes:
> We have zLinux (Red Hat V5.5) running under z/VM V6.1 on a z196.
> zLinux is coupled to a VSWITCH which is defined as IP and has two separate OSA
> adapter devices for VSWITCH failover.
> The two OSA adapters are connected to the same CISCO L2 switch.
>
> We tested VSWITCH failover, and it worked well.
> But after the CISCO L2 switch was reset for preventive maintenance, zLinux
> could not dynamically recover its IP network.

If no uplink paths are available to the physical switch then the
VSWITCH detaches its virtual uplink cable and waits for human
intervention.

> We deleted and defined the VSWITCH and coupled it to zLinux to recover the zLinux
> network.

That's the virtual equivalent of throwing away your current physical
switch, ordering a new one, installing it and plugging in its uplink
cable...

> After making the network status normal, we reset the CISCO L2 switch again,
> but zLinux could not be pinged and the network could not be dynamically recovered.
> When we query VSWITCH DETAIL, "error: detached" is found.
>
> Is this normal when the L2 switch is reset? Whenever the L2 switch is reset, do I
> have to recover the VSWITCH manually?
> I want the VSWITCH to recover automatically whenever the L2 switch is reset.
> How can I fix this problem?

...whereas the command
SET VSWITCH vswname CONNECT
is the virtual equivalent of just plugging in the uplink cable again.

--Malcolm

-- 
Malcolm Beattie
Mainframe Systems and Software Business, Europe
IBM UK


Create z/VM Layer 2 VLAN / VSwitch

2011-05-23 Thread Stefan Raabe
Hi,

I am not a networking expert, but need to build a layer 2 VLAN in z/VM
5.4. Linux is SUSE SLES 11 SP1.

I was told to use layer 2 for VLAN 485, so I used these commands to create
the vswitch / vlan:

DEFINE VSWITCH VMT1VSW0 RDEV E606 E706 CONTROLLER * ETHERNET VLAN 485 native 485

DEFINE LAN VMT1LN01 OWNERID SYSTEM TYPE QDIO ETHERNET MAXCONN INFINITE UNRESTRICTED ACCOUNTING OFF

The Linux guest NIC is defined in the directory:

NICDEF   9000 TYPE QDIO DEVICES 3 LAN SYSTEM VMT1LN01 MACID E32200

So after defining / starting everything my system looks like this:

q vmlan
VMLAN maintenance level:
  Latest Service: VM64604
VMLAN MAC address assignment:
  MACADDR Prefix: 02
  MACIDRANGE SYSTEM: 01-FF
             USER:   00-00
VMLAN default accounting status:
  SYSTEM Accounting: OFF   USER Accounting: OFF
VMLAN general activity:
  PERSISTENT Limit: INFINITE   Current: 2
  TRANSIENT  Limit: INFINITE   Current: 0
Ready; T=0.01/0.01 11:27:19

q vswitch details
VSWITCH SYSTEM VMT1VSW0 Type: VSWITCH Connected: 0    Maxconn: INFINITE
  PERSISTENT  RESTRICTED    ETHERNET    Accounting: OFF
  VLAN Aware  Default VLAN: 0485    Default Porttype: Access  GVRP: Enabled
              Native  VLAN: 0485    VLAN Counters: OFF
  MAC address: 02-FF-FF-00-00-01
  State: Ready
  IPTimeout: 5    QueueStorage: 8
  Isolation Status: OFF
  RDEV: E606.P00 VDEV: E606 Controller: DTCVSW2
    VSWITCH Connection:
      RX Packets: 0    Discarded: 0    Errors: 0
      TX Packets: 0    Discarded: 0    Errors: 0
      RX Bytes: 0    TX Bytes: 0
      Device: E606  Unit: 000   Role: DATA   vPort: 0001  Index: 0001

  RDEV: E706.P00 VDEV: E706 Controller: DTCVSW1  BACKUP
Ready; T=0.01/0.01 11:28:10

q lan details
LAN SYSTEM VMT1LN01 Type: QDIO    Connected: 1    Maxconn: INFINITE
  PERSISTENT  UNRESTRICTED  ETHERNET    Accounting: OFF
  IPTimeout: 5
  Isolation Status: OFF
  Adapter Connections:
    Adapter Owner: LXDBST22 NIC: 9000.P00 Name: 0
      RX Packets: 0    Discarded: 0    Errors: 0
      TX Packets: 0    Discarded: 81   Errors: 0
      RX Bytes: 0    TX Bytes: 0
      Device: 9002  Unit: 002   Role: DATA   vPort: 0065  Index: 0065

      Options: Ethernet Broadcast
    Unicast MAC Addresses:
      02-FF-FF-E3-22-00
    Multicast MAC Addresses:
      01-00-5E-00-00-01
      33-33-00-00-00-01
      33-33-FF-E3-22-00
VSWITCH SYSTEM VMT1VSW0 Type: VSWITCH Connected: 0    Maxconn: INFINITE
  PERSISTENT  RESTRICTED    ETHERNET    Accounting: OFF
  VLAN Aware  Default VLAN: 0485    Default Porttype: Access  GVRP: Enabled
              Native  VLAN: 0485    VLAN Counters: OFF
  MAC address: 02-FF-FF-00-00-01
  State: Ready
  IPTimeout: 5    QueueStorage: 8
  Isolation Status: OFF
  RDEV: E606.P00 VDEV: E606 Controller: DTCVSW2
  RDEV: E706.P00 VDEV: E706 Controller: DTCVSW1  BACKUP

I also performed the proper RACF definitions for VLAN 0485 (UACC(UPDATE))
+ refresh.

The NIC is defined in the Linux guest using YaST with the proper IP address.

But I cannot get any ping to work from / to the Linux system. I know this
is also related to the routes, which are not changed at the moment, but I
should be able to see a ping coming in using tcpdump, or not?!?

Any hint what is wrong in my configuration?!?

Regards, Stefan

Re: Create z/VM Layer 2 VLAN / VSwitch

2011-05-23 Thread Joerg Haertel
Stefan,
you have connected your NIC device to a z/VM virtual LAN.
Virt. LAN has no VLAN support nor can it connect to an OSA adapter.
Only the z/VM VSWITCH has both Layer 2 and VLAN support.
So if you want to connect to an external switch via an OSA adapter using
VLAN tagging you must use a VSWITCH.
I don't know what requirements you have, but keep in mind VLAN is
IP where Layer 2 is Ethernet.

Kind regards

Joerg Haertel


Re: Create z/VM Layer 2 VLAN / VSwitch

2011-05-23 Thread Stefan Raabe
Hello Joerg,

thanks for the answer. Yes, the NIC is connected to the LAN, the LAN is
connected via VSWITCH to the OSA. We also changed from layer 2 to layer 3
(IP), but still no connection to the outside world.
I am able to ping another Linux within the same VLAN. This is what it
looks like, but with only one of the two Linux systems started.

q lan details
LAN SYSTEM VMT1LN01 Type: QDIO    Connected: 1    Maxconn: INFINITE
  PERSISTENT  UNRESTRICTED  IP    Accounting: OFF
  IPTimeout: 5
  Isolation Status: OFF
  Adapter Connections:
    Adapter Owner: LXDBST22 NIC: 9000.P00 Name: 0
      RX Packets: 0    Discarded: 0    Errors: 0
      TX Packets: 0    Discarded: 29   Errors: 0
      RX Bytes: 0    TX Bytes: 0
      Device: 9002  Unit: 002   Role: DATA   vPort: 0068  Index: 0068

      Options: Broadcast Multicast IPv6 IPv4 VLAN
    Unicast IP Addresses:
      172.25.3.101               MAC: 02-FF-FF-E3-22-00
      FE80::2FF:FF00:1E3:2200    MAC: 02-FF-FF-E3-22-00
    Multicast IP Addresses:
      224.0.0.1                  MAC: 01-00-5E-00-00-01
      FF02::1                    MAC: 33-33-00-00-00-01
      FF02::1:FFE3:2200          MAC: 33-33-FF-E3-22-00
VSWITCH SYSTEM VMT1VSW0 Type: VSWITCH Connected: 0    Maxconn: INFINITE
  PERSISTENT  RESTRICTED    ETHERNET    Accounting: OFF
  VLAN Aware  Default VLAN: 0485    Default Porttype: Access  GVRP: Enabled
              Native  VLAN: 0001    VLAN Counters: OFF
  MAC address: 02-FF-FF-00-00-01
  State: Ready
  IPTimeout: 5    QueueStorage: 8
  Isolation Status: OFF
  RDEV: E606.P00 VDEV: E606 Controller: DTCVSW2
  RDEV: E706.P00 VDEV: E706 Controller: DTCVSW1  BACKUP


It almost looks the same as an existing LAN we have in a different z/VM,
except that one is
VLAN 0001 and a name is shown on the Adapter Owner.

q lan details
LAN SYSTEM VMP3LN01 Type: QDIO    Connected: 6    Maxconn: INFINITE
  PERSISTENT  UNRESTRICTED  IP    Accounting: OFF
  IPTimeout: 5
  Isolation Status: OFF
  Adapter Connections:
    Adapter Owner: LXDBSP50 NIC: 9000.P00 Name: DGE900
      RX Packets: 6    Discarded: 0    Errors: 0
      TX Packets: 6    Discarded: 8    Errors: 0
      RX Bytes: 1656    TX Bytes: 1656
      Device: 9002  Unit: 002   Role: DATA   vPort: 0072  Index: 0072

      Options: Broadcast Multicast IPv6 IPv4 VLAN
    Unicast IP Addresses:
      192.168.138.40     MAC: 02-FF-FF-00-00-03
    Multicast IP Addresses:
      224.0.0.1          MAC: 01-00-5E-00-00-01
      224.0.0.251        MAC: 01-00-5E-00-00-FB
      224.0.1.22         MAC: 01-00-5E-00-01-16
      239.255.255.253    MAC: 01-00-5E-7F-FF-FD
VSWITCH SYSTEM VMP3VSW0 Type: VSWITCH Connected: 0    Maxconn: INFINITE
  PERSISTENT  RESTRICTED    ETHERNET    Accounting: OFF
  VLAN Aware  Default VLAN: 0001    Default Porttype: Access  GVRP: Enabled
              Native  VLAN: 0001    VLAN Counters: OFF
  MAC address: 02-FF-FF-00-00-01
  State: Ready
  IPTimeout: 5    QueueStorage: 8
  Isolation Status: OFF
  RDEV: E210.P00 VDEV: E210 Controller: DTCVSW1
  RDEV: EA10.P00 VDEV: EA10 Controller: DTCVSW2  BACKUP


Still scratching my head... I have run out of ideas what to change or what
to try.

Regards, Stefan

Re: Create z/VM Layer 2 VLAN / VSwitch

2011-05-23 Thread Karl Kingston
Why are you issuing the DEFINE LAN command?  You don't need it.

Your NICDEF should be connected to VMT1VSW0 not VMT1LN01.

This is why you can't connect anywhere. If you use DEFINE LAN, you're
just building an internal, z/VM-only LAN. You don't need this unless
you're doing guest-to-guest communications.
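
Added example (not part of the post above and not z/VM tooling): a NICDEF names its target as "LAN owner name" whether that target is a Guest LAN or a VSWITCH, so the coupling has to be checked against the DEFINE commands. This Python check does that for the statements from the original question, joined onto single lines; the function names and verdict strings are hypothetical.

```python
import re

# Statements from the original question, joined onto single lines.
SAMPLE = """\
DEFINE VSWITCH VMT1VSW0 RDEV E606 E706 CONTROLLER * ETHERNET VLAN 485 NATIVE 485
DEFINE LAN VMT1LN01 OWNERID SYSTEM TYPE QDIO ETHERNET MAXCONN INFINITE UNRESTRICTED ACCOUNTING OFF
NICDEF 9000 TYPE QDIO DEVICES 3 LAN SYSTEM VMT1LN01 MACID E32200
"""

# Real device number (1-4 hex digits), optionally with a port suffix like .P00
REAL_DEVICE = re.compile(r"^[0-9A-F]{1,4}(\.P\d\d)?$")


def parse_definitions(text):
    """Return (guest_lans, vswitches) found in CP DEFINE commands.

    guest_lans is a set of (owner, name); vswitches maps (owner, name)
    to the list of RDEV uplink devices. A VSWITCH is SYSTEM-owned.
    """
    guest_lans, vswitches = set(), {}
    for line in text.splitlines():
        tok = line.upper().split()
        if len(tok) < 3 or tok[0] != "DEFINE":
            continue
        if tok[1] == "VSWITCH":
            rdevs = []
            if "RDEV" in tok:
                for t in tok[tok.index("RDEV") + 1:]:
                    if not REAL_DEVICE.match(t):
                        break  # next keyword (e.g. CONTROLLER) ends the list
                    rdevs.append(t)
            vswitches[("SYSTEM", tok[2])] = rdevs
        elif tok[1] == "LAN":
            # Assumption of this example: with no OWNERID, record owner as "*".
            owner = "*"
            if "OWNERID" in tok[:-1]:
                owner = tok[tok.index("OWNERID") + 1]
            guest_lans.add((owner, tok[2]))
    return guest_lans, vswitches


def audit_nicdefs(text):
    """Classify what every NICDEF in `text` is really coupled to.

    Returns a list of (vdev, owner, name, verdict) tuples, where verdict is
    "vswitch", "vswitch-no-uplink", "guest-lan" or "undefined".
    """
    guest_lans, vswitches = parse_definitions(text)
    findings = []
    for line in text.splitlines():
        tok = line.upper().split()
        # Need "LAN owner name", so LAN must have two tokens after it.
        if len(tok) < 2 or tok[0] != "NICDEF" or "LAN" not in tok[:-2]:
            continue
        i = tok.index("LAN")
        target = (tok[i + 1], tok[i + 2])
        if target in vswitches:
            verdict = "vswitch" if vswitches[target] else "vswitch-no-uplink"
        elif target in guest_lans:
            verdict = "guest-lan"  # isolated segment, no OSA behind it
        else:
            verdict = "undefined"
        findings.append((tok[1], target[0], target[1], verdict))
    return findings


if __name__ == "__main__":
    for vdev, owner, name, verdict in audit_nicdefs(SAMPLE):
        print(f"NIC {vdev} -> {owner} {name}: {verdict}")
```

Run against a dump of the user directory plus the SYSTEM CONFIG or startup commands, any "guest-lan" verdict on a guest that is expected to reach the outside network is the situation described in this thread.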





Re: Create z/VM Layer 2 VLAN / VSwitch

2011-05-23 Thread Alan Altmark
Is the native VLAN of the switch really 485?  When the guest VLAN is the same 
as the specified native VLAN, the frame is sent untagged.  That will cause the 
switch to apply the port default VLAN, which is the native VLAN unless it has 
been overridden.

In most cases, the native VLAN is 1.


Regards,

Alan Altmark
IBM Lab Services
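
Added example, not from the post above: a Python model of the outbound tagging rule it describes, traced through the DEFINE VSWITCH from the question. The TrunkPort class, the function names and the switch-side allowed-VLAN list are assumptions for illustration; the physical port's native VLAN of 1 is the "most cases" value from the post, not a known fact about this site.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class TrunkPort:
    """Physical switch port facing the OSA (hypothetical model)."""
    native_vlan: int         # VLAN the switch applies to untagged frames
    allowed: FrozenSet[int]  # assumption: VLANs permitted on this trunk


def vswitch_egress_tag(guest_vlan: int, vswitch_native: Optional[int]) -> Optional[int]:
    """802.1Q tag on a frame leaving the VSWITCH, or None if untagged.

    Rule from the post: when the guest VLAN equals the VSWITCH's native
    VLAN, the frame is sent untagged. vswitch_native=None stands for
    NATIVE NONE, where no VLAN matches and every frame stays tagged.
    """
    return None if guest_vlan == vswitch_native else guest_vlan


def switch_ingress_vlan(tag: Optional[int], port: TrunkPort) -> Optional[int]:
    """VLAN the physical switch files the frame under, None if dropped."""
    vlan = port.native_vlan if tag is None else tag
    return vlan if vlan in port.allowed else None


def trace(guest_vlan: int, vswitch_native: Optional[int], port: TrunkPort) -> Dict:
    """Follow one outbound frame from guest VLAN to physical VLAN."""
    tag = vswitch_egress_tag(guest_vlan, vswitch_native)
    landed = switch_ingress_vlan(tag, port)
    return {"tag": tag, "landed": landed, "ok": landed == guest_vlan}


def misdelivered(guest_vlans: Iterable[int], vswitch_native: Optional[int],
                 port: TrunkPort) -> List[int]:
    """Guest VLANs whose traffic ends up in another VLAN or is dropped."""
    return [v for v in guest_vlans if not trace(v, vswitch_native, port)["ok"]]


if __name__ == "__main__":
    # Constructed port: native VLAN 1, trunk carries VLANs 1 and 485.
    port = TrunkPort(native_vlan=1, allowed=frozenset({1, 485}))
    for native in (485, 1, None):
        label = "NONE" if native is None else native
        print(f"VSWITCH NATIVE {label}: guest VLAN 485 ->", trace(485, native, port))
```

With NATIVE 485 as in the question, VLAN 485 traffic leaves untagged and is filed under the port's native VLAN, so segmentation silently differs from what the VSWITCH definition suggests.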


Re: Create z/VM Layer 2 VLAN / VSwitch

2011-05-23 Thread Joerg Haertel
Hi Stefan,
you wrote:

> the Linux guest nic is defined in the directory
>
> NICDEF   9000 TYPE QDIO DEVICES 3 LAN SYSTEM VMT1LN01 MACID E32200

So that NIC is connected to LAN VMT1LN01, not a VSWITCH, or did I miss
something?

What do you mean by

> Yes, the NIC is connected to the LAN, the LAN is connected via VSWITCH to
> the OSA

How have you connected the virt. LAN to the VSWITCH?

VLAN 001 is the default VLAN ID into which most real switches put all the
traffic not related to a specific VLAN ID.
In other words, 0001 will work as if there were no VLAN tagging at all.


Kind regards

Joerg Haertel


Re: Create z/VM Layer 2 VLAN / VSwitch

2011-05-23 Thread Stefan Raabe
Hello,

yes, we tried that too, and now this is working.

So now we use NICDEF - VSWITCH with VLAN 001.

What I tried was NICDEF - LAN - VSWITCH with VLAN 485, which did not
work, even when trying with VLAN 001. Is this generally not possible? Is
the VM LAN for internal communication only and cannot be connected via
VSWITCH to the outside world?!?

Regards, Stefan

Re: Create z/VM Layer 2 VLAN / VSwitch

2011-05-23 Thread Joerg Haertel
Hi Stefan,
yes, this is the case: virt. LAN is only for internal use, as I stated
first.

Kind regards

Joerg Haertel


Re: Create z/VM Layer 2 VLAN / VSwitch

2011-05-23 Thread Alan Altmark
On Monday, 05/23/2011 at 08:52 EDT, Stefan Raabe 
stefan.ra...@deutsche-boerse.com wrote:
> yes we tried that too, and now this is working.
>
> so now we use   NICDEF - VSWITCH  with VLAN 001
>
> What i tried was NICDEF - LAN - VSWITCH with VLAN 485  which did not work,
> even when trying with VLAN 001.  Is this general not possible? Is the VM LAN
> for internal communication only and can not be connected via
> VSWITCH to the outside world?!?

Please look at the diagrams in Chapter 4 of the z/VM Connectivity manual. 
They illustrate the difference between the Guest LAN and the Virtual 
Switch.

Guest LANs are isolated LAN segments.  Virtual Switches are bridged LAN 
segments.

(Your problem with VLAN 1 vs. VLAN 485 is described in my previous post.)

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
mobile; 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott


Re: New VSWITCH definition Best Practice

2011-04-05 Thread Martin, Terry R. (CMS/CTR) (CTR)
Alan,

Can you tell me where you have the Best Practices document?

Thank You,

Terry Martin
Lockheed Martin
CMS - CITIC
3300 Lord Baltimore Drive, Suite 200, 21244  
Engineering Computing
Mainframe Support
Cell - 443 632-4191





Re: New VSWITCH definition Best Practice

2011-04-05 Thread Jeff Gribbin
(I'm guessing he uses it to line the bottom of Chuckie's cage g)


Re: New VSWITCH definition Best Practice

2011-04-05 Thread Alan Altmark
On Tuesday, 04/05/2011 at 10:46 EDT, Jeff Gribbin jeff.grib...@gmail.com 
wrote:
> (I'm guessing he uses it to line the bottom of Chuckie's cage g)

I am taking names.  Irrelevantly, one notes that it is common in some 
parts of the world to discover scorpions in your shoes.  Hey, let's be 
careful out there!

C.


Re: New VSWITCH definition Best Practice

2011-04-05 Thread Alan Altmark
On Tuesday, 04/05/2011 at 10:37 EDT, Martin, Terry R. (CMS/CTR) (CTR) 
terry.mar...@cms.hhs.gov wrote:

> Can you tell me where you have the Best Practices document?

Document?  What document?  That's like asking for the complete list of 
Alan's Rules for Networking.  This listserver is part of your z/VM Social 
Media Cloud.  (I get points for using Cloud and Social Media in the 
same business context, right?)

And if I wrote all my ideas down, no one would ever hire me.  ;-)

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
mobile; 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott


Re: New VSWITCH definition Best Practice

2011-04-05 Thread Mark Post
On 4/5/2011 at 12:04 PM, Alan Altmark alan_altm...@us.ibm.com wrote:
> And if I wrote all my ideas down, no one would ever hire me.  ;-)

Even though scorpions are not known in Michigan, I'll refrain from comment 
anyway.


Mark Post


New VSWITCH definition Best Practice

2011-04-04 Thread Alan Altmark
It's time for me to update my Best Practice for VSWITCH definition.  With 
the changes that were made to z/VM 6.1 for zEnterprise ensembles, but 
which benefit non-ensemble configurations, there's a new sheriff in town. 
Forget VLAN 666.  Here's what you really want to see:

 DEFINE VSWITCH ...  VLAN AWARE NATIVE NONE

This does the following:
1. Sets the VSWITCH in trunk mode
2. Requires that you explicitly authorize a guest to use one or more VLAN IDs.
3. If you don't provide an authorization, outbound traffic from the guest will be discarded.
4. No untagged frames from VLAN-aware guests will be emitted by the VSWITCH.

The new VLAN AWARE and NATIVE NONE are not available on z/VM 5.4.  You 
will have to continue with the VLAN 666 trick.

Regards,
  Alan

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
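
An added example (not code from the list or from IBM): a small Python audit that parses QUERY VSWITCH / QUERY LAN output and flags where a definition differs from the practice in the post above and from the redundancy and Guest LAN points made elsewhere in this archive. The sample text is constructed from output quoted in the posts; the finding names, and treating a non-numeric native VLAN value as "no native VLAN", are assumptions.

```python
import re

# Constructed sample, modelled on the QUERY VSWITCH / QUERY LAN output quoted
# in this thread archive (switch names and device numbers come from the posts).
SAMPLE = """\
VSWITCH SYSTEM VMT1VSW0 Type: VSWITCH Connected: 0    Maxconn: INFINITE
  PERSISTENT  RESTRICTED    ETHERNET                  Accounting: OFF
  VLAN Aware  Default VLAN: 0485    Default Porttype: Access  GVRP: Enabled
              Native  VLAN: 0485    VLAN Counters: OFF
  State: Ready
  RDEV: E606.P00 VDEV: E606 Controller: DTCVSW2
  RDEV: E706.P00 VDEV: E706 Controller: DTCVSW1  BACKUP
VSWITCH SYSTEM VSWSVC01 Type: QDIO    Connected: 1    Maxconn: INFINITE
  PERSISTENT  RESTRICTED    ETHERNET                  Accounting: OFF
  VLAN Unaware
  State: Ready
 Uplink Port:
  Group: GRPSRV01         Active             LACP Mode: Active
  RDEV: 1D00.P00 VDEV: 1D00 Controller: DTCVSW2
  RDEV: 1E00.P00 VDEV: 1E00 Controller: DTCVSW1
  Backup Devices:
  RDEV: 0800.P00 VDEV: 0800 Controller: DTCVSW2  BACKUP
LAN SYSTEM VMT1LN01 Type: QDIO    Connected: 1    Maxconn: INFINITE
  PERSISTENT  UNRESTRICTED  ETHERNET                  Accounting: OFF
  Isolation Status: OFF
"""

HEADER = re.compile(r"^\s*(VSWITCH|LAN)\s+(\S+)\s+(\S+)\s+Type:")
RDEV = re.compile(
    r"RDEV:[ \t]*(\S+)[ \t]+VDEV:[ \t]*\S+[ \t]+Controller:[ \t]*(\S+)([ \t]+BACKUP)?")
# \d+ first, so a value fused to the next column ("0485VLAN Counters") still parses.
NATIVE = re.compile(r"Native\s+VLAN:\s*(\d+|[A-Za-z]+)")
GROUP = re.compile(r"Group:[ \t]*(\S+)[ \t]+(\S+)")
STATE = re.compile(r"State:[ \t]*(\S+)")


def parse(text):
    """Split query output into one dict per VSWITCH or Guest LAN."""
    records, body = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            body = []
            records.append({"kind": m.group(1), "owner": m.group(2),
                            "name": m.group(3), "body": body})
        elif body is not None:
            body.append(line)
    for rec in records:
        blob = "\n".join(rec.pop("body"))
        rec["restricted"] = "UNRESTRICTED" not in blob
        rec["vlan_aware"] = (True if "VLAN Aware" in blob else
                             False if "VLAN Unaware" in blob else None)
        m = NATIVE.search(blob)
        rec["native_vlan"] = m.group(1) if m else None
        m = STATE.search(blob)
        rec["state"] = m.group(1) if m else None
        m = GROUP.search(blob)
        rec["group"] = m.groups() if m else None      # (name, status)
        rec["uplinks"] = [(r, c, bool(b)) for r, c, b in RDEV.findall(blob)]
    return records


def audit(rec):
    """Return finding codes (hypothetical names) for one parsed record."""
    found = []
    if rec["kind"] == "LAN":
        # Guest LANs are isolated segments, so only the access mode is checked.
        if not rec["restricted"]:
            found.append("guest-lan-unrestricted")
        return found
    if rec["vlan_aware"] is False:
        found.append("vlan-unaware")                  # post asks for VLAN AWARE
    elif rec["native_vlan"] and rec["native_vlan"].isdigit():
        # A numeric native VLAN is flagged; the post asks for NATIVE NONE.
        # Assumption: a non-numeric value here means no native VLAN is set.
        found.append("native-vlan-set:" + rec["native_vlan"])
    if rec["state"] != "Ready":
        found.append("state:" + str(rec["state"]))
    if rec["group"] and rec["group"][1] != "Active":
        found.append("port-group-not-active")         # SET VSWITCH is refused meanwhile
    if not rec["group"] and not any(backup for _, _, backup in rec["uplinks"]):
        found.append("no-backup-uplink")              # single OSA, no failover path
    return found


def report(text):
    """Map each VSWITCH / Guest LAN name to its list of findings."""
    return {rec["name"]: audit(rec) for rec in parse(text)}


if __name__ == "__main__":
    for name, findings in report(SAMPLE).items():
        print(name, ", ".join(findings) or "ok")
```
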


VSWITCH Layer2 Layer3

2011-03-21 Thread Karl Kingston
Hi Folks

I currently have a layer3 VSWITCH defined.   This vswitch has been used 
for production guest machines so I don't want to break this.

I have a need for a layer2 VSWITCH. 


My Layer2 VSWITCH is on CHPID 01, using devices 0D10-0D12.  Current subnet 
is 10.207.1.x

I want to add a Layer2 VSWITCH.

Can I use devices  0D13-0D15 on CHPID 01.  Will be using the same subnet 
(10.207.1.x). 

Can it be done?   If so, any issues with this?   We're running z/VM 5.4 
RSU 1001.

Thanks


Re: VSWITCH Layer2 Layer3

2011-03-21 Thread mike . wawiorko
Running multiple VSWITCHs on the same OSA is a perfectly standard thing to
do.

They don't have to be same layer 2 / 3.

Only question is why you don't use a backup OSA or link aggregation to
protect from a single OSA port/card/IO cage or network switch failure.
That's not what you asked though.

Regards, 
Mike 
Barclays Bank




Re: VSWITCH Layer2 Layer3

2011-03-21 Thread Michael MacIsaac
Tom,

> Can I use devices  0D13-0D15 on CHPID 01

Be sure Q D13-D15 replies with OSA FREE. Or conversely, use Q OSA 
FREE to be sure these devices are available.

Mike MacIsaac mike...@us.ibm.com   (845) 433-7061

Re: VSWITCH Layer2 Layer3

2011-03-21 Thread Bob McCarthy
Karl,

   I run layer 2 and layer 3 on the same OSA. I believe that the
addresses must begin on an even boundary, therefore you would need to
begin with 0D14-0D16.

   Bob 

 




Re: VSWITCH Layer2 Layer3

2011-03-21 Thread Alan Altmark
On Monday, 03/21/2011 at 02:14 EDT, Bob McCarthy 
bob.mccar...@custserv.com wrote:
> I run layer 2 and layer 3 on the same OSA. I believe that the addresses must
> begin on an even boundary, therefore you would need to begin with 0D14-0D16.

OSAs haven't required even boundaries for a long time, though you will 
find that restriction still in some host software.  DEFINE VSWITCH does 
not have such a restriction.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
mobile; 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott


Re: VSWITCH Layer2 Layer3

2011-03-21 Thread Frank M. Ramaekers
It seems that z/VSE does have this restriction (and it's the REAL not
VIRTUAL addresses that must be an even-odd pair).

Just a FYI,
 
Frank M. Ramaekers Jr.
 
 



Re: VSWITCH

2011-02-25 Thread Rob Holtz
I realize that this is a year old but I am trying to get a definitive 
answer about the earliest release of z/OS that will successfully use a 
VSWITCH as a guest.
We sometimes have to resurrect an old z/OS release to solve a customer 
issue.  I have been successful with z/OS 1.4 but now we have a z/OS 1.3 
issue and I can not get z/OS 1.3 to work with a VSWITCH.
I was able to build a hipersocket VLAN and got the z/OS guest to work using 
that but am curious about the minimum level of z/OS that works with a 
VSWITCH.  Our VM host is at z/VM 5.4 at RSU 1003 so it is current in so far 
as what can be run on a z/9 processor.
Thanks, Rob


Re: VSWITCH

2011-02-25 Thread Daniel Allen
It depends on the microcode on your z/9 processor. Prior to a microcode 
upgrade, we were able to run OS/390 2.10 under z/VM. After the microcode 
upgrade, OS/390 2.10 would run very slowly under z/VM.




portgroup with vswitch IP routing

2011-01-31 Thread Rogério Soares
guys, i have tried set up a vswitch on ip routing mode to use port group,
but i can't i get group parameter invalid...

when i set up vswitch to ETHERNET, and make SET VSWITCH VSWSVC01 GROUP
GRPSRV01 , i receive the error: HCPSWS2799E VSWITCH change is not allowed

but after some seconds, the vswitch appears up and running using port
group

Q VSWITCH ALL
VSWITCH SYSTEM VSWSVC01 Type: QDIO    Connected: 0    Maxconn: INFINITE
  PERSISTENT  RESTRICTED    ETHERNET                  Accounting: OFF
  VLAN Unaware
  MAC address: 02-61-01-00-00-1E    MAC Protection: Unspecified
  State: Ready
  IPTimeout: 5         QueueStorage: 8
  Isolation Status: OFF
 Uplink Port:
  Group: GRPSRV01         Active             LACP Mode: Active
  RDEV: 1D00.P00 VDEV: 1D00 Controller: DTCVSW2
  RDEV: 1E00.P00 VDEV: 1E00 Controller: DTCVSW1
  Backup Devices:
  RDEV: 0800.P00 VDEV: 0800 Controller: DTCVSW2  BACKUP
Ready; T=0.01/0.01 15:31:18

I do something wrong?   to use port group the vswitch must be ETHERNET ?

Thanks again :)


Re: portgroup with vswitch IP routing

2011-01-31 Thread Scott Rohling
You should have gotten another message (HCP2830I) to explain what the state
of the virtual switch is  ..   the message you got indicates the command
couldn't complete because of the current state of the vswitch.

HELP HCP2830I will show several different variations of the possible states
and explanations..

Scott Rohling







Re: portgroup with vswitch IP routing

2011-01-31 Thread Alan Altmark
On Monday, 01/31/2011 at 05:35 EST, Rogério Soares 
rogerio.soa...@gmail.com wrote:
> guys, i have tried set up a vswitch on ip routing mode to use port group, but i
> can't i get group parameter invalid...
>
> when i set up vswitch to ETHERNET, and make SET VSWITCH VSWSVC01 GROUP
> GRPSRV01 , i receive the error: HCPSWS2799E VSWITCH change is not allowed
> but after some seconds, the vswitch appears up and running using port group

If you DEFINEd it with GROUP GRPSRV01, then you can't change (SET) the 
VSWITCH configuration while the group is being established.  Once the port 
group is up, then you can change things.  And it is normal (FVVO 'normal') 
to take a non-trivial amount of time for both OSAs to be joined into the 
port group.

> I do something wrong?   to use port group the vswitch must be ETHERNET ?

You just didn't wait for the port group to be established.  And, yes, link 
aggregation (GROUP) is available only in ETHERNET (layer 2) mode.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott


Re: portgroup with vswitch IP routing

2011-01-31 Thread Rogério Soares
Thanks Alan... :)




Re: definition of guest using port group and vswitch (link aggregation

2011-01-21 Thread Sue Farrell
Did VSWSVC01 used to be an IP VSWITCH?  Have you made the appropriate 
change in the Linux configuration files to make the interface Layer 2?

Regarding the Q NIC output, it looks like you must have all the latest 6.1 
service on because there's now a QUERY NIC Class B command.  If you wish 
to receive information about the virtual machine configuration from a user 
that also has Class B, you must use the VIRTUAL option, i.e. QUERY VIRTUAL 
NIC.


Re: definition of guest using port group and vswitch (link aggregation

2011-01-21 Thread Rogério Soares
Hi Sue,

  I got the problem, when i created the vswitch i set it to ETHERNET, it can
be IP VSWITCH without problem?

I reinstall the linux enabling LAYER 2 SUPPORT and works great!..

   if possible, can you tell me how enable layer 2 support after installed ?

  i found option QETH_LAYER2_SUPPORT=“1“ but how get the new  LLADDR ? or i
can leave it blank?

By the way, i set the port group using your article available on 
http://www.vm.ibm.com/virtualnetwork/lkagport.html;

thanks for sharing !!!





Re: definition of guest using port group and vswitch (link aggregation

2011-01-21 Thread Sue Farrell
Glad it's working now.

I believe all you need to do to enable Layer 2 is what you already did - 
setting QETH_LAYER2_SUPPORT to '1'.

Leave LLADDR blank.  Then Linux will use the MAC address assigned to the 
virtual NIC.


Re: definition of guest using port group and vswitch (link aggregation

2011-01-21 Thread Rogério Soares
about IP VSWITCH i can set it to IP or i should keep it on ETHERNET ?

i have no problem today with ip vswitch, what you think? i enjoy the moment
and change it to ethernet or i can still using ip vswitch ?

thanks for help , and forgive if is a noob question..






Re: definition of guest using port group and vswitch (link aggregation

2011-01-21 Thread David Boyes

> about IP VSWITCH i can set it to IP or i should keep it on ETHERNET ?
> i have no problem today with ip vswitch, what you think? i enjoy the moment
> and change it to ethernet or i can still using ip vswitch ?

For Linux systems, I generally recommend ETHERNET. That uses slightly more CPU, 
but allows pretty much everything to work as it does on other platforms without 
any weird configuration stuff inside Linux.

The main reason you would want to use an IP VSWITCH is to deal with the fact 
that z/OS doesn't yet support layer 2 OSA devices, so if you have a Linux and a 
z/OS system connecting to the same VSWITCH, it has to be a layer 3 (e.g. IP) 
VSWITCH.



Re: definition of guest using port group and vswitch (link aggregation

2011-01-21 Thread Sue Farrell
I agree with what David said about using ETHERNET.  In addition, if you 
want to use Link Ag, you have to use ETHERNET.  :-)

Sue


Re: definition of guest using port group and vswitch (link aggregation

2011-01-21 Thread Marcy Cortes
If you are using LACP, must be ETHERNET. (Layer 2)

Marcy




Re: definition of guest using port group and vswitch (link aggregation

2011-01-21 Thread Rogério Soares
Great David, i haven't zos today, when it comes, we create a new vswitch...

i will get your advice, i will enjoy the moment to change it to ethernet...
:)

thanks again :)





Re: definition of guest using port group and vswitch (link aggregation

2011-01-21 Thread Rogério Soares
Thanks for the help peoples..

Problem Solved!






definition of guest using port group and vswitch (link aggregation

2011-01-20 Thread Rogério Soares
Dear friends,

 i have a new problem today..

 For the first time i tried set a vswitch using port group definitions
using:

set port group grpsrv01 join 1D00.P0 1E00.P0

Port group GRPSRV01 is created
Ready; T=0.01/0.01 11:19:10

DEFINE VSWITCH VSWSVC01 ETHERNET RDEV 0800.P0 GROUP GRPSRV01
VSWITCH SYSTEM VSWSVC01 is created

SET VSWITCH VSWSVC01 GRANT THOR

q vswitch vswsvc01 acc

VSWITCH SYSTEM VSWSVC01 Type: QDIO    Connected: 1    Maxconn: INFINITE
  PERSISTENT  RESTRICTED    ETHERNET                  Accounting: OFF
  VLAN Unaware
  MAC address: 02-61-01-00-00-01    MAC Protection: Unspecified
  State: Ready
  IPTimeout: 5         QueueStorage: 8
  Isolation Status: OFF
    Authorized userids:
      SYSTEM   THOR
 Uplink Port:
  Group: GRPSRV01         Active             LACP Mode: Active
  RDEV: 1D00.P00 VDEV: 1D00 Controller: DTCVSW2
  RDEV: 1E00.P00 VDEV: 1E00 Controller: DTCVSW1
  Backup Devices:
  RDEV: 0800.P00 VDEV: 0800 Controller: DTCVSW2  BACKUP
Ready; T=0.01/0.01 13:04:10


on USER DIRECT i set:

USER THOR THOR 512M 512M G
INCLUDE LINDFLT
MACHINE ESA 2
CPU 00
NICDEF 0800 TYPE QDIO LAN SYSTEM VSWSVC01
* DISCO S.O
MDISK 100 3390 0001 10016 LX9B52 MW

but , when i tried make linux up, appears like there is no device 0800 ...

query #cp q nic direct on guest i have:

CP Q NIC
Default System MAC Protection: OFF
Network Device Allocation: Permitted

before using link aggregation, i get a lot of information more like this:

00: CP Q NIC
00: Adapter 0800.P00 Type: QDIO  Name: UNASSIGNED  Devices: 3
00:   MAC: 02-00-00-00-00-0F VSWITCH: SYSTEM VSWSVC01

There is a special definition on vswitch or user direct to make a guest
using link aggregation? I can't find any additional information... thanks
again for any help.


Re: definition of guest using port group and vswitch (link aggregation

2011-01-20 Thread Marcy Cortes
There is nothing special on the NIC to use a VSWITCH that has LACP.

Did you do the grant?



Marcy 




 


Re: definition of guest using port group and vswitch (link aggregation

2011-01-20 Thread Scott Rohling
Can you see the startup messages from the guest (from an actual LOGON)?  You
should be able to see some type of error for 800 ..  either that or you
didn't put the directory online before restarting the guest?

Scott Rohling





Re: definition of guest using port group and vswitch (link aggregation

2011-01-20 Thread Rogério Soares
Marcy,

yes, i give..

if look on output,

Isolation Status: OFF
Authorized userids:
  SYSTEM   THOR

the guest THOR is listed with grant...  :-/

i installed SLES 11 SP1 on this guest..

On Thu, Jan 20, 2011 at 6:15 PM, Marcy Cortes marcy.d.cor...@wellsfargo.com
wrote:

> There is nothing special on the NIC to use a VSWITCH that has LACP.
>
> Did you do the grant?
>
> Marcy




 From: The IBM z/VM Operating System [mailto:IBMVM@LISTSERV.UARK.EDU] On
 Behalf Of Rogério Soares
 Sent: Thursday, January 20, 2011 12:07 PM
 To: IBMVM@LISTSERV.UARK.EDU
 Subject: [IBMVM] definition of guest using port group and vswitch (link
 aggregation


 Dear friends,

  i have a new problem today..

  For the first time i tried to set a vswitch using port group definitions
 using:

 set port group grpsrv01 join 1D00.P0 1E00.P0

 Port group GRPSRV01 is created
 Ready; T=0.01/0.01 11:19:10

 DEFINE VSWITCH VSWSVC01 ETHERNET RDEV 0800.P0 GROUP GRPSRV01
 VSWITCH SYSTEM VSWSVC01 is created

 SET VSWITCH VSWSVC01 GRANT THOR

 q vswitch vswsvc01 acc

 VSWITCH SYSTEM VSWSVC01 Type: QDIO    Connected: 1    Maxconn: INFINITE
   PERSISTENT  RESTRICTED    ETHERNET    Accounting: OFF
   VLAN Unaware
   MAC address: 02-61-01-00-00-01    MAC Protection: Unspecified
   State: Ready
   IPTimeout: 5 QueueStorage: 8
   Isolation Status: OFF
 Authorized userids:
   SYSTEM   THOR
  Uplink Port:
   Group: GRPSRV01 Active LACP Mode: Active
   RDEV: 1D00.P00 VDEV: 1D00 Controller: DTCVSW2
   RDEV: 1E00.P00 VDEV: 1E00 Controller: DTCVSW1
   Backup Devices:
   RDEV: 0800.P00 VDEV: 0800 Controller: DTCVSW2  BACKUP
 Ready; T=0.01/0.01 13:04:10


 on USER DIRECT i set:

 02125 USER THOR THOR 512M 512M G
 02126 INCLUDE LINDFLT
 02127 MACHINE ESA 2
 02128 CPU 00
 02129 NICDEF 0800 TYPE QDIO LAN SYSTEM VSWSVC01
 02130 * DISCO S.O
 02131 MDISK 100 3390 0001 10016 LX9B52 MW

 but, when i tried to bring linux up, it appears like there is no device 0800 ...

 query #cp q nic direct on guest i have:

 CP Q NIC
 Default System MAC Protection: OFF
 Network Device Allocation: Permitted

 before using link aggregation, i get a lot more information, like this:

 00: CP Q NIC
 00: Adapter 0800.P00 Type: QDIO  Name: UNASSIGNED  Devices: 3
 00:   MAC: 02-00-00-00-00-0F VSWITCH: SYSTEM VSWSVC01

 Is there a special definition on the vswitch or user direct to make a guest
 use link aggregation? I can't find any additional information... thanks
 again for any help.




Re: definition of guest using port group and vswitch (link aggregation

2011-01-20 Thread Scott Rohling
You really need to see this from the z/VM logon - before Linux is even
booted.   We need to see if CP complains about anything when it creates the
NIC.   We need to know why address 800 is not created (or is not coupled to
the vswitch) - the messages at z/VM guest logon will provide valuable clues.

Scott Rohling

2011/1/20 Rogério Soares rogerio.soa...@gmail.com

 on boot i have only

 lo
 ..done
 Waiting for mandatory devices:  eth0 __NSC__
 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
 eth0    No interface found
 ..failed
 Setting up service (localfs) network  .  .  .  .  .  .  .  .  .  ...failed
 Starting rpcbind ..done
 Not starting NFS client services - no NFS found in /etc/fstab:..unused
 Mount CIFS File Systems ..unused
 Starting irqbalance ..unused
 Setting up (remotefs) network interfaces:
 Setting up service (remotefs) network  .  .  .  .  .  .  .  .  .  ...done

 Starting SSH daemon..done
 Starting cupsd..done
 Starting Name Service Cache Daemon..done
 Starting mail service (Postfix)..done
 Starting service xdm..done
 Starting CRON daemon..done
 Starting smartd ..unused
 Starting INET services. (xinetd)..done
 Master Resource Control: runlevel 5 has been reached
 Failed services in runlevel 5:  network
 Skipped services in runlevel 5:  nfs smbfs irq_balancer splash smartd



 Welcome to SUSE Linux Enterprise Server 11 SP1  (s390x) - Kernel 2.6.32.12-0.7-default (ttyS0).


 thor login:



 On Thu, Jan 20, 2011 at 6:17 PM, Scott Rohling scott.rohl...@gmail.com wrote:

 Can you see the startup messages from the guest (from an actual LOGON)?
  You should be able to see some type of error for 800 ..  either that or you
 didn't put the directory online before restarting the guest?

 Scott Rohling

Re: definition of guest using port group and vswitch (link aggregation

2011-01-20 Thread Rogério Soares
i make a test, that give a light..

I remove the grant, boot machine, give grant again, and online i tried using
COUPLE command to make device network on.. so i receive:


CP COUPLE 0800 TO SYSTEM VSWSVC01

HCPNDF6024E Incompatible Transport - SYSTEM VSWSVC01 is an Ethernet
Transport

someone have idea that what type i should use?


On Thu, Jan 20, 2011 at 6:37 PM, Scott Rohling scott.rohl...@gmail.com wrote:

 You really need to see this from the z/VM logon - before Linux is even
 booted.   We need to see if CP complains about anything when it creates the
 NIC.   We need to know why address 800 is not created (or is not coupled to
 the vswitch) - the messages at z/VM guest logon will provide valuable clues.

 Scott Rohling

Re: definition of guest using port group and vswitch (link aggregation

2011-01-20 Thread Scott Rohling
Have you actually rebooted the guest from logon?   This is saying your NIC
is defined as an IP transport -- but the VSWITCH is ETHERNET.  Did you mean
to use ETHERNET or IP transport?

From HELP HCP6024E:

 o The transport type of the NIC is set when either it has been coupled to a
   Guest LAN or VSWITCH or prior to being coupled, a guest operating system
   (OS) has attempted to activate the NIC. To reset the transport type of the
   NIC, it must be uncoupled from the Guest LAN or VSWITCH and all active OS
   connections must be terminated.

   It is recommended that a NIC be COUPLED to the desired VMLAN segment prior
   to being initialized by the host device driver.


This is why I ask if you have actually rebooted  (logged off the guest and
back on from z/VM!) the guest since making these changes.   It seems like
your guest NIC is defined as IP (layer3) --  but your vswitch is ethernet
(layer2).  If you don't want to reboot or don't have access to z/VM logon:

-  DET NIC 800   (destroy the previous nic)
-  DEF NIC 800 TYPE QDIO
-  COUPLE 800 TO SYSTEM VSWSVC01

Scott Rohling

2011/1/20 Rogério Soares rogerio.soa...@gmail.com


 i make a test, that give a light..

 I remove the grant, boot machine, give grant again, and online i tried
 using COUPLE command to make device network on.. so i receive:


 CP COUPLE 0800 TO SYSTEM VSWSVC01

 HCPNDF6024E Incompatible Transport - SYSTEM VSWSVC01 is an Ethernet
 Transport

 someone have idea that what type i should use?


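The two conditions raised in this thread (whether the guest was granted, and whether the NIC transport matches the VSWITCH transport behind HCPNDF6024E) can be checked from the QUERY VSWITCH output before a COUPLE is attempted. This is an added example, not code from the thread or from IBM; the function names, the finding labels and the rule that a flags line without ETHERNET means IP transport are assumptions, and the sample is the thread's output with its collapsed spacing restored.

```python
import re

# Constructed sample: the QUERY VSWITCH ... ACCESS output quoted in the thread,
# with the column spacing that the mail archive collapsed put back.
SAMPLE_Q_VSWITCH = """\
VSWITCH SYSTEM VSWSVC01 Type: QDIO    Connected: 1    Maxconn: INFINITE
  PERSISTENT  RESTRICTED    ETHERNET    Accounting: OFF
  VLAN Unaware
  MAC address: 02-61-01-00-00-01    MAC Protection: Unspecified
  State: Ready
  IPTimeout: 5         QueueStorage: 8
  Isolation Status: OFF
 Authorized userids:
   SYSTEM   THOR
  Uplink Port:
   Group: GRPSRV01 Active LACP Mode: Active
   RDEV: 1D00.P00 VDEV: 1D00 Controller: DTCVSW2
   RDEV: 1E00.P00 VDEV: 1E00 Controller: DTCVSW1
   Backup Devices:
   RDEV: 0800.P00 VDEV: 0800 Controller: DTCVSW2  BACKUP
"""


def parse_vswitch(text):
    """Extract the fields that decide whether a guest NIC can couple."""
    info = {"name": None, "transport": None, "restricted": False,
            "authorized": [], "group": None, "uplinks": [], "backups": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"VSWITCH\s+\S+\s+(\S+)\s+Type:", line)
        if header:
            info["name"] = header.group(1)
        elif "Accounting:" in line:
            # Flags line. Search for substrings rather than splitting on
            # whitespace, because archived copies fuse the keywords
            # (RESTRICTEDETHERNET). The lookbehind guards against an
            # UNRESTRICTED keyword (assumption about other outputs).
            info["restricted"] = re.search(r"(?<!UN)RESTRICTED", line) is not None
            # Assumption: no ETHERNET keyword means an IP (layer 3) VSWITCH.
            info["transport"] = "ETHERNET" if "ETHERNET" in line else "IP"
        elif line == "Authorized userids:":
            section = "auth"
        elif line == "Uplink Port:":
            section = "uplink"
        elif line == "Backup Devices:":
            section = "backup"
        elif line.startswith("Group:"):
            info["group"] = line.split()[1]
        elif line.startswith("RDEV:"):
            target = "backups" if section == "backup" else "uplinks"
            info[target].append(line.split()[1])
        elif section == "auth":
            info["authorized"].extend(line.split())
    return info


def check_couple(vswitch, userid, nic_transport):
    """Return findings that would stop `userid` coupling a NIC.

    nic_transport is "IP", "ETHERNET", or None when the NIC has not yet been
    coupled or activated (its transport type is then still unset).
    """
    findings = []
    if vswitch["restricted"] and userid.upper() not in vswitch["authorized"]:
        findings.append("not-granted")
    if nic_transport is not None and nic_transport != vswitch["transport"]:
        # The situation reported in the thread as HCPNDF6024E.
        findings.append("transport-mismatch")
    return findings


if __name__ == "__main__":
    vsw = parse_vswitch(SAMPLE_Q_VSWITCH)
    print(vsw["name"], vsw["transport"], vsw["authorized"])
    print("THOR with IP NIC:", check_couple(vsw, "THOR", "IP"))
    print("THOR with fresh NIC:", check_couple(vsw, "THOR", None))
```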

Re: definition of guest using port group and vswitch (link aggregation

2011-01-20 Thread Rogério Soares
yes, i have logoff and logon this machine after set up...

on user direct, i do this definition:

02129 NICDEF 0800 TYPE QDIO LAN SYSTEM VSWSVC01

to use port group, i should set the vswitch to ETHERNET...

:-/


On Thu, Jan 20, 2011 at 6:58 PM, Scott Rohling scott.rohl...@gmail.com wrote:

 Have you actually rebooted the guest from logon?   This is saying your NIC
 is defined as an IP transport -- but the VSWITCH is ETHERNET.  Did you mean
 to use ETHERNET or IP transport?

 From HELP HCP6024E:

  o The transport type of the NIC is set when either it has been coupled to a
    Guest LAN or VSWITCH or prior to being coupled, a guest operating system
    (OS) has attempted to activate the NIC. To reset the transport type of the
    NIC, it must be uncoupled from the Guest LAN or VSWITCH and all active OS
    connections must be terminated.

    It is recommended that a NIC be COUPLED to the desired VMLAN segment prior
    to being initialized by the host device driver.


 This is why I ask if you have actually rebooted  (logged off the guest and
 back on from z/VM!) the guest since making these changes.   It seems like
 your guest NIC is defined as IP (layer3) --  but your vswitch is ethernet
 (layer2).  If you don't want to reboot or don't have access to z/VM logon:

 -  DET NIC 800   (destroy the previous nic)
 -  DEF NIC 800 TYPE QDIO
 -  COUPLE 800 TO SYSTEM VSWSVC01

 Scott Rohling


Re: vswitch delete

2011-01-13 Thread Paul Garment
DET VSWITCH VSW1

 

Regards, 

Paul Garment 

Global z/OS Virtual Host Environment 
Global z/OS Core Engineering 

Ground Floor - B3 Block 10 - Radbroke Hall Knutsford, Cheshire WA16 9EU 

Mail Van 49 

Tel: 0044 (0)1565-614429 

Clearway 7-2000-4429 
Mobile 07824527131 

 



From: The IBM z/VM Operating System [mailto:IBMVM@LISTSERV.UARK.EDU] On
Behalf Of Dean, David (I/S)
Sent: 12 January 2011 18:14
To: IBMVM@LISTSERV.UARK.EDU
Subject: vswitch delete



Sorry to pose a seemingly simple question here, but I have now spent
over an hour looking for the command.  How do I delete a vswitch?  i.e.
the opposite of 

 

DEFINE VSWITCH VSW1 RDEV D905 AC00 CONTROLLER *

 

David M. Dean

Information Systems

BlueCross BlueShield Tennessee

 


vswitch delete

2011-01-12 Thread Dean, David (I/S)
Sorry to pose a seemingly simple question here, but I have now spent over an 
hour looking for the command.  How do I delete a vswitch?  i.e. the opposite of

DEFINE VSWITCH VSW1 RDEV D905 AC00 CONTROLLER *

David M. Dean
Information Systems
BlueCross BlueShield Tennessee



Re: vswitch delete

2011-01-12 Thread Bob McCarthy
David

DETACH VSWITCH VSW1

  Bob

 

From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Dean, David (I/S)
Sent: Wednesday, January 12, 2011 1:14 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: vswitch delete

 

Sorry to pose a seemingly simple question here, but I have now spent
over an hour looking for the command.  How do I delete a vswitch?  i.e.
the opposite of 

 

DEFINE VSWITCH VSW1 RDEV D905 AC00 CONTROLLER *

 

David M. Dean

Information Systems

BlueCross BlueShield Tennessee

 




Re: Vswitch Grant as a CMD in User's Directory?

2010-12-10 Thread Les Koehler
Back in the old days, I recall a finance type person saying something like: The 
Gold Standard is that it should take collusion between two or more people to 
defraud the company.


If we apply that to IT, then shouldn't pswds for privileged userids that can 
access/change financial data be long enough that TWO sysprogs can each be given 
half a pswd so they both have to be present to make a change?


Les

Alan Altmark wrote:
On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com 
wrote:
Does it really matter? SOX is just another way congress has come up with to
destroy the American economy, and in fact the American way of life.


When you read the law, you find that SOX is simply a way to hold 
executives responsible for the financial statements issued by their 
companies.  Assuming no ill intent (no comments, please!), that means 
trustworthy data.  That flows downhill, as all such things must, until we 
start talking about access controls and audit mechanisms for financial 
data.  That is, knowing who has the means and the opportunity to access 
the data, and knowing who has actually done so.  (I leave it to others to 
talk about motive.)  Who, what, where, when.


Unfortunately, IT security industry consultants have mangled this laudable 
concept into a paranoia-inducing behemoth that has people screaming in 
terror as it rampages across the country, flogging every sysadmin in its 
path.  Why?  Because financial status is inferred from many other data 
sources and no one wants to spend the time it takes to follow all the data 
flows.  Result: Secure Everything.


With HIPAA and PCI running alongside, the Secure Everything policy looks 
even more reasonable to CEOs, CIOs, CFOs, and their lawyers.


Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323

alan_altm...@us.ibm.com
IBM Endicott



Re: Vswitch Grant as a CMD in User's Directory?

2010-12-10 Thread Tom Huegel
Does anyone run applications in z/VM? Isn't the 'protected data' owned by
some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security
effort belongs in those OS's. z/VM just needs to keep those systems isolated
and NOT be able to circumvent their security procedures.

On Fri, Dec 10, 2010 at 2:46 AM, Les Koehler vmr...@tampabay.rr.com wrote:

 Back in the old days, I recall a finance type person saying something like:
 The Gold Standard is that it should take collusion between two or more
 people to defraud the company.

 If we apply that to IT, then shouldn't pswds for privileged userids that
 can access/change financial data be long enough that TWO sysprogs can each
 be given half a pswd so they both have to be present to make a change?

 Les





Re: Vswitch Grant as a CMD in User's Directory?

2010-12-10 Thread Mike Walter
 Does anyone run applications in z/VM? 
Speaking just for us, YES!  We continue to run and enhance existing CMS 
applications (which run cheaper on z/VM than anywhere else when ALL the 
expenses are taken into account).  But with Aon's acquisition of Hewitt 
Associates, everything is being re-evaluated, so who knows?

However, I have complete confidence in my belief that there are hundreds+ 
of older VM systems (pre-z/VM, and even perhaps pre-VM/ESA) still running 
CMS applications.  Unfortunately, few of them would probably convert to 
z/VM as they continue to milk their cash cows, so in their cases your 
point still applies. 

But there are still paying z/VM customers running CMS applications, they 
cannot and must not be abandoned, or management will once again come to 
believe that VM is dead - ultimately damaging IBM's apparent Linux on 
System z goals.  (See old SHARE conference NOTAGAIN MEMO).

Mike Walter
Aon Corporation
The opinions expressed herein are mine alone, not my employer's.



Tom Huegel tehue...@gmail.com 

Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
12/10/2010 08:15 AM
Please respond to
The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU



To
IBMVM@LISTSERV.UARK.EDU
cc

Subject
Re: Vswitch Grant as a CMD in User's Directory?






Does anyone run applications in z/VM? Isn't the 'protected data' owned by 
some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security 
effort belongs in those OS's. z/VM just needs to keep those systems 
isolated and NOT be able to circumvent their security procedures.  



Re: Vswitch Grant as a CMD in User's Directory?

2010-12-10 Thread Scott Rohling
Yes - CMS is the operating system used to run 'z/VM applications' -- if
that's what you mean.   At one time - every IBMer had a z/VM CMS guest --
it's how they got their email (PROFS/OfficeVision), submitted expenses,
claimed time, etc.   Those apps have mostly moved off z/VM - but some still
exist, mostly as back ends.   CMS guests would link to minidisks containing
the application code and data -- would send files (punch/reader) back and
forth, etc.

But that doesn't have much to do with readable passwords - including
minidisk passwords - which can be used by a guest to gain access to another
guest minidisk if they are used and known, regardless of the OS they are
running.  Same with allowing any guest access to a network path (our vswitch
conversation).  To 'just keep those systems isolated' - an ESM is the only
way you can avoid violating most modern security requirements to be
considered 'isolated'.   Do you control access or don't you?   Do you do it
with open text passwords or don't you?  You have to think about all the
layers -- not just your guest OS.

Scott Rohling

On Fri, Dec 10, 2010 at 7:15 AM, Tom Huegel tehue...@gmail.com wrote:

 Does anyone run applications in z/VM? Isn't the 'protected data' owned by
 some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security
 effort belongs in those OS's. z/VM just needs to keep those systems isolated
 and NOT be able to circumvent their security procedures.

 On Fri, Dec 10, 2010 at 2:46 AM, Les Koehler vmr...@tampabay.rr.com wrote:

 Back in the old days, I recall a finance type person saying something
 like: The Gold Standard is that it should take collusion between two or more
 people to defraud the company.

 If we apply that to IT, then shouldn't pswds for privileged userids that
 can access/change financial data be long enough that TWO sysprogs can each
 be given half a pswd so they both have to be present to make a change?

 Les


 Alan Altmark wrote:

 On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com
 wrote:

 Does it really matter? SOX is just another way congress has come up with to
 destroy the American economy, and in fact the American way of life.


 When you read the law, you find that SOX is simply a way to hold
 executives responsible for the financial statements issued by their
 companies.  Assuming no ill intent (no comments, please!), that means
 trustworthy data.  That flows downhill, as all such things must, until we
 start talking about access controls and audit mechanisms for financial data.
  That is, knowing who has the means and the opportunity to access the data,
 and knowing who has actually done so.  (I leave it to others to talk about
 motive.)  Who, what, where, when.

 Unfortunately, IT security industry consultants have mangled this
 laudable concept into a paranoia-inducing behemoth that has people screaming
 in terror as it rampages across the country, flogging every sysadmin in its
 path.  Why?  Because financial status is inferred from many other data
 sources and no one wants to spend the time it takes to follow all the data
 flows.  Result: Secure Everything.

 With HIPAA and PCI running alongside, the Secure Everything policy
 looks even more reasonable to CEOs, CIOs, CFOs, and their lawyers.

 Alan Altmark

 z/VM and Linux on System z Consultant
 IBM System Lab Services and Training
 ibm.com/systems/services/labservices office: 607.429.3323
 alan_altm...@us.ibm.com
 IBM Endicott





Re: Vswitch Grant as a CMD in User's Directory?

2010-12-10 Thread Bill Munson
Tom,

as Mike said there are a lot of companies I know of that are using CMS 
applications for day to day work and the DATA resides on VM

they are using FOCUS for report generation, as well as MAILBOOK for 
e-mail and interoffice file transfers, and some are using VM:Backup and 
VM:Archive and the Shared File System for numerous versions of Source Code 
like GDG's on TSO and submitting their compiles and assembles to VM:Batch 
for processing.  There is still a lot of WORK being done on VM and these 
companies are not running any other OS as a guest of these VM systems. 
They might and do have other VM's for running LINUX or VSE.

Granted it is a vast minority of what it was 10, 15, and 20 years ago.

munson




From:   Tom Huegel tehue...@gmail.com
To: IBMVM@LISTSERV.UARK.EDU
Date:   12/10/2010 09:16 AM
Subject:Re: Vswitch Grant as a CMD in User's Directory?
Sent by:The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU



Does anyone run applications in z/VM? Isn't the 'protected data' owned by 
some other OS (z/OS, z/VSE, zLINUX). It seems that the high level security 
effort belongs in those OS's. z/VM just needs to keep those systems 
isolated and NOT be able to circumvent their security procedures.  



Re: Vswitch Grant as a CMD in User's Directory?

2010-12-10 Thread Colin Allinson
Tom Huegel tehue...@gmail.com wrote :-

 Does anyone run applications in z/VM?  :-

Speaking for ourselves - yes. We recently did an exercise to look at the 
support effort required to maintain our VM system and came to the 
conclusion that at least 80% was related to local applications and local 
code function. This in an installation where the primary purpose of VM is 
to host and support guest (TPF) systems.

However, even if we ran no local applications, and only supported guest 
operating systems, the power of VM to access data is so great that access 
really does need to be controlled.

We would never consider running VM without an ESM (RACF in our case) and 
the auditors would skin us alive if we tried.



Colin Allinson
VM Systems Support
Amadeus Data Processing GmbH


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-10 Thread Dave Jones
And not to mention Nomad.

On 12/10/2010 09:57 AM, Bill Munson wrote:
 Tom,
 
 as Mike said there are a lot of companies I know of that are using CMS 
 applications for day to day work and the DATA resides on VM
 
 they are using FOCUS for report generation , as well as MAILBOOK for 
 e-mail and interoffice file transfers , and some are using VM:Backup and 
 VM:Archive and the Shared File System for numerous versions of Source Code 
 like GDG's on TSO and submitting their compiles and assembles to VM:Batch 
 for processing.  There is still a lot of WORK being done on VM and these 
 companies are not running any other OS as a guest of these VM systems. 
  They might and do have other VM's for running LINUX or VSE . 
 
 Granted it is a vast minority of what it was 10, 15, and 20 years ago.
 
 munson
 
 
 
 

-- 
Dave Jones
V/Soft Software
www.vsoft-software.com
Houston, TX
281.578.7544


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-10 Thread Wandschneider, Scott
I just saw the comment on long passwords where it would take two
people to enter a single password.  I remember back in the VAX/VMS days
where there was a password option for a UserID to be set up where it
required two passwords.

 

Thank you,

Scott

 

From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Tom Huegel
Sent: Friday, December 10, 2010 8:16 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Vswitch Grant as a CMD in User's Directory?

 

Does anyone run applications in z/VM? Isn't the 'protected data' owned
by some other OS (z/OS, z/VSE, zLINUX). It seems that the high level
security effort belongs in those OS's. z/VM just needs to keep those
systems isolated and NOT be able to circumvent their security
procedures.  

On Fri, Dec 10, 2010 at 2:46 AM, Les Koehler vmr...@tampabay.rr.com
wrote:

Back in the old days, I recall a finance type person saying something
like: The Gold Standard is that it should take collusion between two or
more people to defraud the company.

If we apply that to IT, then shouldn't pswds for privileged userids that
can access/change financial data be long enough that TWO sysprogs can
each be given half a pswd so they both have to be present to make a
change?

Les





Re: Vswitch Grant as a CMD in User's Directory?

2010-12-10 Thread Alan Altmark
On Friday, 12/10/2010 at 05:46 EST, Les Koehler vmr...@tampabay.rr.com wrote:
 Back in the old days, I recall a finance type person saying something like: The
 Gold Standard is that it should take collusion between two or more people to
 defraud the company.

Preventing collusion between two class G users is why z/VM supports 
mandatory access controls and why you can change the privilege classes of 
commands and DIAGNOSE subcodes.
 
 If we apply that to IT, then shouldn't pswds for privileged userids that can
 access/change financial data be long enough that TWO sysprogs can each be given
 half a pswd so they both have to be present to make a change?

Well, not quite that bad, but EAL 6-level systems require two privileged 
users to make security-relevant changes to a system.  Missile silo two-key 
concept.  Multi-part keys CAN be used in the System z crypto cards for 
secure (encrypted) key operations.  No one person has the entire key and 
so even if one of those people had a copy of the key dataset from z/OS or 
Linux, they wouldn't be able to use the keys to encrypt or decrypt data.

By the way, you can see the two-key concept in RACF.  If the security 
admin tries to deactivate RACF, CP prompts the operator to concur or deny. 
 (A minor inconvenience and easily overcome [for the moment].)

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott
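
The two-person control discussed in this exchange, sketched as an added example; it is not from the thread and does not describe how the System z crypto cards combine key parts. XOR splitting is an assumed scheme, and `split_key`, `combine_parts`, `check_value`, `load_key` and `part_that_yields` are hypothetical names. Unlike giving each sysprog half of a password, one XOR part on its own is consistent with every possible key.

```python
import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, holders: int = 2) -> list:
    """Split `key` into one part per holder; every part is needed to rebuild it."""
    if holders < 2:
        raise ValueError("dual control needs at least two holders")
    # All but the last part are fresh random bytes of the key's length.
    parts = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    # The last part is the key XORed with all the random parts.
    last = key
    for part in parts:
        last = xor_bytes(last, part)
    return parts + [last]


def combine_parts(parts) -> bytes:
    """Rebuild the key; refuses to run with a single holder's part."""
    if len(parts) < 2:
        raise ValueError("every holder's part is required")
    if len({len(p) for p in parts}) != 1:
        raise ValueError("parts must all be the same length")
    key = bytes(len(parts[0]))
    for part in parts:
        key = xor_bytes(key, part)
    return key


def check_value(key: bytes) -> str:
    """Short digest recorded at key generation (assumed verification scheme)."""
    return hashlib.sha256(b"key-check:" + key).hexdigest()[:16]


def load_key(parts, expected_check: str) -> bytes:
    """Assemble the key and reject it if a part was mistyped or substituted."""
    key = combine_parts(parts)
    if not hmac.compare_digest(check_value(key), expected_check):
        raise PermissionError("assembled key does not match the recorded check value")
    return key


def part_that_yields(known_part: bytes, candidate_key: bytes) -> bytes:
    """The other part that would turn `known_part` into `candidate_key`.

    Such a part exists for every candidate, which is why one holder's part
    alone says nothing about the real key.
    """
    return xor_bytes(known_part, candidate_key)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed sample key
    recorded = check_value(key)            # stored where both holders can read it
    part_a, part_b = split_key(key, 2)     # one part per sysprog
    assert load_key([part_a, part_b], recorded) == key
    print("key assembled with both parts; check value", recorded)
```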


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-10 Thread George Henke/NYLIC
Some companies in the past preferred to confine application programmers to 
CMS due to the large overhead of TSO address spaces thereby realizing 
savings in CPU and storage.

CMS is not as well liked as TSO/ISPF by application programmers, but given 
CPU price sensitivity these days, it may not be such a bad idea and, who 
knows, it might even convert them to z/VM.





Bill Munson william.mun...@bbh.com 
Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
12/10/2010 10:57 AM
Please respond to
The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU


To
IBMVM@LISTSERV.UARK.EDU
cc

Subject
Re: Vswitch Grant as a CMD in User's Directory?






Tom, 

as Mike said there are a lot of companies I know of that are using CMS 
applications for day to day work and the DATA resides on VM 

they are using FOCUS for report generation , as well as MAILBOOK for 
e-mail and interoffice file transfers , and some are using VM:Backup and 
VM:Archive and the Shared File System for numerous versions of Source Code 
like GDG's on TSO and submitting their compiles and assembles to VM:Batch 
for processing.  There is still a lot of WORK being done on VM and these 
companies are not running any other OS as a guest of these VM systems. 
 They might and do have other VM's for running LINUX or VSE . 

Granted it is a vast minority of what it was 10, 15, and 20 years ago. 

munson 







Re: Vswitch Grant as a CMD in User's Directory?

2010-12-10 Thread McKown, John
I loved CMS many years ago. I no longer work for a company with z/VM. Haven't 
for years. Using CMS and RSCS to submit jobs to MVS (yes, that long ago - MVS 
3.8!) was so much better than TSO it wasn't even funny. Now I'm using a Linux 
desktop and writing code which allows me to use it for some things instead of 
TSO. OpenSSH is really helping on that. But I'm getting off-topic.

--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * 
john.mck...@healthmarkets.com * www.HealthMarkets.com


 

 -Original Message-
 From: The IBM z/VM Operating System 
 [mailto:ib...@listserv.uark.edu] On Behalf Of George Henke/NYLIC
 Sent: Friday, December 10, 2010 10:53 AM
 To: IBMVM@LISTSERV.UARK.EDU
 Subject: Re: Vswitch Grant as a CMD in User's Directory?
 
 Some companies in the past preferred to confine application 
 programmers to CMS due to the large overhead of TSO address 
 spaces thereby realizing savings in CPU and storage. 
 
 CMS is not as well liked as TSO/ISPF by application 
 programmers, but given CPU price sensitivity these days, it 
 may not be such a bad idea and, who knows, it might even 
 convert them z/VM. 
 
 
 
 
 

Re: Vswitch Grant as a CMD in User's Directory?

2010-12-10 Thread Mark Pace
I do the same.  Since I have so many VSE & z/OS guests I find it easier to
keep all my JCL and editing in CMS and submit to the appropriate guest.
 Better than having 5 or 6 Telnet sessions open to various guests.

On Fri, Dec 10, 2010 at 11:57 AM, McKown, John 
john.mck...@healthmarkets.com wrote:

 I loved CMS many years ago. I no longer work for a company with z/VM.
 Haven't for years. Using CMS and RSCS to submit jobs to MVS (yes, that long
 ago - MVS 3.8!) was so much better than TSO it wasn't even funny. Now I'm
 using a Linux desktop and writing code which allows me to use it for some
 things instead of TSO. OpenSSH is really helping on that. But I'm getting
 off-topic.

 --
 John McKown
 Systems Engineer IV
 IT

 Administrative Services Group

 HealthMarkets(r)

 9151 Boulevard 26 * N. Richland Hills * TX 76010
 (817) 255-3225 phone *
 john.mck...@healthmarkets.com * www.HealthMarkets.com


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-10 Thread Alan Altmark
On Friday, 12/10/2010 at 09:17 EST, Tom Huegel tehue...@gmail.com wrote:
 Does anyone run applications in z/VM? Isn't the 'protected data' owned by some
 other OS (z/OS, z/VSE, zLINUX). It seems that the high level security effort
 belongs in those OS's. z/VM just needs to keep those systems isolated and NOT
 be able to circumvent their security procedures.

While that protected data is owned by the guest, the data is 
*potentially* accessible by any virtual machine.  It doesn't matter 
whether you run CMS, VSE, LINUX, MVS, TPF, or anything else.

All virtualization platforms create virtual raised floors, and, like a 
real raised floor, you are obligated to define and enforce access controls 
on those floors.  Some are physical, some are policy only.  All persons 
must badge in; no tailgating.  You touch THIS system and you die.  You 
plug THAT cable into THERE, and you die.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-09 Thread David Boyes
 It is a hard sell to management to buy an ESM if there is no audit requirement.

Thus my point about IBM quitting whining to us about buying one and start
supplying one by default as the Right and Proper Way.


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-09 Thread David Boyes
On 12/9/10 3:27 AM, Alan Altmark alan_altm...@us.ibm.com wrote:

In order to achieve the savings you imply, then z/VM must move to the z/OS
model in which, except for a few specific functions, an ESM is required
for proper operation.  NO native CP security controls beyond those
required to restore ESM control vis a vis SYS1.UADS in order to login to
TSO.  Any function dependent on the ESM will be configured to DENY access
without the ESM.

That is exactly what I'm arguing for. IF VM is going to play with the big
boys in the enterprise market, it's a necessity to do this, and long
overdue. 

You would HAVE to buy an ESM, whether from IBM or CA.

Or have IBM include a basic awful one (eg, RACF) in the price of VM and be
done with it. Including a basic one that can be replaced with Something
Else would make everybody (IMHO) happy. The internal cost of including
RACF can't be that large.

And THAT will be acceptable only when folks wrap their heads around the
fact that z/VM systems WITHOUT an ESM will fail a modern security audit.
The primary example is the presence of unencrypted passwords in USER
DIRECT.

Amen, brother. 

I think, however, the pressure will be on IBM to deliver/upgrade the base
VM to a state that *can be* acceptable.

Another area would be enabling SSL login by default (the setup process for
SSLSERV is just a royal PITA). Setting the defaults for FTP to always
negotiate SSL. Removing default read/write/multi pw from all system
minidisks. Putting a decent backup tool in place. Removing the need for
tape drives for spool management. Fixing printing in the default build to
not require channel-attached printers. Etc, etc, etc,...

There's a whole lot of things that would be a Very Good Idea to Do -- in
fact, I'd say that would be a great task for user groups over the next
year: write IBM a detailed report of What Needs To Be Done to VM Packaging
to Make It Modern and World-Class. I think that would be *extremely*
useful as 6.2 ramps up to delivery.


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-09 Thread Rob van der Heij
On Wed, Dec 8, 2010 at 7:38 PM, Alan Altmark alan_altm...@us.ibm.com wrote:

 I've been saying for several years, You need an ESM.   More and more
 z/VM security management will be focused on ESMs, not native CP.  If your
 fave ESM doesn't simplify things for you, gripe to the vendor.

That's self-fulfilling prophecy, Sir.  You also created the mind
boggling approach where the VM Sysprog needs to change hats and
perform both steps of the ritual.

But I stopped years ago saying that one word of the VM sysprog should
be enough for things he controls. So when it already requires magical
powers to get a NICDEF statement into the directory, there is no
problem in having that imply the GRANT as well. Different when the
class G command is used to define the NIC.
Yes, this is different from a LINK in the directory because we assume
that the owner of the resource manages access to it. In that case it
is appropriate that the owner decides whether the LINK can actually
work (and can revoke access).

| Rob


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-09 Thread Schuh, Richard
Not necessarily, there is LOGONBY. They need only know their own passwords.

Should anyone have full authority including all the passwords? If so, who?

Regards, 
Richard Schuh 

 

 -Original Message-
 From: The IBM z/VM Operating System 
 [mailto:ib...@listserv.uark.edu] On Behalf Of Alan Altmark
 Sent: Wednesday, December 08, 2010 8:32 PM
 To: IBMVM@LISTSERV.UARK.EDU
 Subject: Re: Vswitch Grant as a CMD in User's Directory?
 
 On Wednesday, 12/08/2010 at 03:11 EST, RPN01 
 nix.rob...@mayo.edu wrote:
  But, should you have to have an external security manager 
 for a system
 where
  the majority of users are disconnected guest operating systems?
 
 Yes.
 
  Most of
  today's z/VM systems have a bare minimum of real human users. CP is 
  the security manager for us, and it's sufficient to control the wild
 ramblings
  of, oh, say, the four people who need access.
 
 Those four people know all the passwords.  There is no 
 accountability and no plausible deniability.  You have de 
 facto password sharing, something I have yet to see 
 countenanced by any IT organization.


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-09 Thread Tom Huegel
Does it really matter? SOX is just another way congress has come up with to
destroy the American economy, and in fact the American way of life. Besides
all of our passwords are probably available on Wikileaks anyway.
Don't you just love the airport scanners and patdowns?


On Thu, Dec 9, 2010 at 8:40 AM, Schuh, Richard rsc...@visa.com wrote:

 Not necessarily, there is LOGONBY. They need only know their own passwords.

 Should anyone have full authority including all the passwords? If so, who?

 Regards,
 Richard Schuh



  -Original Message-
  From: The IBM z/VM Operating System
  [mailto:ib...@listserv.uark.edu] On Behalf Of Alan Altmark
  Sent: Wednesday, December 08, 2010 8:32 PM
  To: IBMVM@LISTSERV.UARK.EDU
  Subject: Re: Vswitch Grant as a CMD in User's Directory?
 
   On Wednesday, 12/08/2010 at 03:11 EST, RPN01
  nix.rob...@mayo.edu wrote:
   But, should you have to have an external security manager
  for a system
  where
   the majority of users are disconnected guest operating systems?
 
  Yes.
 
   Most of
   today's z/VM systems have a bare minimum of real human users. CP is
   the security manager for us, and it's sufficient to control the wild
  ramblings
   of, oh, say, the four people who need access.
 
  Those four people know all the passwords.  There is no
  accountability and no plausible deniability.  You have de
  facto password sharing, something I have yet to see
  countenanced by any IT organization.



Re: Vswitch Grant as a CMD in User's Directory?

2010-12-09 Thread McKown, John
 -Original Message-
 From: The IBM z/VM Operating System 
 [mailto:ib...@listserv.uark.edu] On Behalf Of Tom Huegel
 Sent: Thursday, December 09, 2010 11:01 AM
 To: IBMVM@LISTSERV.UARK.EDU
 Subject: Re: Vswitch Grant as a CMD in User's Directory?
 
snip
 
 Don't you just love the airport scanners and patdowns?
 

As Paul Lynde said many, many years ago on Match Game

It's the only reason I fly! snide chortle

Seriously, I don't travel. And if I did, I would drive my own car. I wouldn't 
fly if __they__ paid __me__!

--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * 
john.mck...@healthmarkets.com * www.HealthMarkets.com



Re: Vswitch Grant as a CMD in User's Directory?

2010-12-09 Thread Schuh, Richard
They spoil the patdowns by requiring that the genders of the patter and pattee 
be the same :-)


Regards,
Richard Schuh






From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf 
Of Tom Huegel
Sent: Thursday, December 09, 2010 9:01 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Vswitch Grant as a CMD in User's Directory?

Does it really matter? SOX is just another way congress has come up with to 
destroy the American economy, and in fact the American way of life. Besides all 
of our passwords are probably available on Wikileaks anyway.
Don't you just love the airport scanners and patdowns?


On Thu, Dec 9, 2010 at 8:40 AM, Schuh, Richard rsc...@visa.com wrote:
Not necessarily, there is LOGONBY. They need only know their own passwords.

Should anyone have full authority including all the passwords? If so, who?

Regards,
Richard Schuh



 -Original Message-
 From: The IBM z/VM Operating System
 [mailto:IBMVM@LISTSERV.UARK.EDU] On Behalf Of Alan Altmark
 Sent: Wednesday, December 08, 2010 8:32 PM
 To: IBMVM@LISTSERV.UARK.EDU
 Subject: Re: Vswitch Grant as a CMD in User's Directory?

 On Wednesday, 12/08/2010 at 03:11 EST, RPN01
 nix.rob...@mayo.edu wrote:
  But, should you have to have an external security manager
 for a system
 where
  the majority of users are disconnected guest operating systems?

 Yes.

  Most of
  today's z/VM systems have a bare minimum of real human users. CP is
  the security manager for us, and it's sufficient to control the wild
 ramblings
  of, oh, say, the four people who need access.

 Those four people know all the passwords.  There is no
 accountability and no plausible deniability.  You have de
 facto password sharing, something I have yet to see
 countenanced by any IT organization.



Re: Vswitch Grant as a CMD in User's Directory?

2010-12-09 Thread George Henke/NYLIC
Does it really matter? SOX is just another way congress has come up with 
to destroy the American economy, and in fact the American way of life.

That is not true.  SOX was a much needed and overdue reform and perhaps 
one of the best things both Bush and Congress did for the American 
economy, the American way of life, and the stock market which had taken a 
beating after the MCI, et al scandals.

No one had confidence in financial statements anymore.

Much of the SOX work has identified many control weaknesses in IT systems 
and led to much remediation which has strengthened IT and financial 
internal controls, at both the infrastructure and application levels.

The last person to bad mouth SOX, Alan Greenspan, just prior to the recent 
Wall Street melt down, suffered a lot of grief for this lack of attention 
to internal control and had to eat a lot of crow.

Had SOX been fully implemented earlier, the Wall Street melt down would 
have been impossible.

If you do not think corporate fraud from the lowest to the highest levels 
occurs, there are plenty of numbers published on the subject and SOX 
audits, both financial and IT, have uncovered much of it.

One SOX audit I was on, until the client decided to cover things up, 
involved late trading, betting on the horse race after it was over.

It was so easy to do with IT.

Since all the trades were time-stamped, you just programmed the clearing 
house system to back date/time the trade and voila !!! instant guaranteed 
profit. 

One large Wall Street investment bank, that is no longer in business after 
the Wall St melt down, was actually brazen enough to advertise this to 
clients as a system feature, until the SEC levied the largest fine in 
history on them.

Yes, fraud is alive and well in corporate America and IT makes it ever so 
easier
 
Locks are made to keep honest people honest, not stop a thief

The best you can ever do with a thief is slow him down till he gets 
discouraged or caught.

Sometimes honesty and integrity are just plain good business.




Tom Huegel tehue...@gmail.com
Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
12/09/2010 12:00 PM
Please respond to: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
To: IBMVM@LISTSERV.UARK.EDU
cc:
Subject: Re: Vswitch Grant as a CMD in User's Directory?

Does it really matter? SOX is just another way congress has come up with 
to destroy the American economy, and in fact the American way of life. 
Besides all of our passwords are probably available on Wikileaks anyway.
Don't you just love the airport scanners and patdowns?

 
On Thu, Dec 9, 2010 at 8:40 AM, Schuh, Richard rsc...@visa.com wrote:
Not necessarily, there is LOGONBY. They need only know their own 
passwords.

Should anyone have full authority including all the passwords? If so, who?

Regards,
Richard Schuh



 -Original Message-
 From: The IBM z/VM Operating System
 [mailto:ib...@listserv.uark.edu] On Behalf Of Alan Altmark
 Sent: Wednesday, December 08, 2010 8:32 PM
 To: IBMVM@LISTSERV.UARK.EDU
 Subject: Re: Vswitch Grant as a CMD in User's Directory?

 On Wednesday, 12/08/2010 at 03:11 EST, RPN01
 nix.rob...@mayo.edu wrote:
  But, should you have to have an external security manager
 for a system
 where
  the majority of users are disconnected guest operating systems?

 Yes.

  Most of
  today's z/VM systems have a bare minimum of real human users. CP is
  the security manager for us, and it's sufficient to control the wild
 ramblings
  of, oh, say, the four people who need access.

 Those four people know all the passwords.  There is no
 accountability and no plausible deniability.  You have de
 facto password sharing, something I have yet to see
 countenanced by any IT organization.



Re: Vswitch Grant as a CMD in User's Directory?

2010-12-09 Thread Alan Altmark
On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com wrote:
 Does it really matter? SOX is just another way congress has come up with to
 destroy the American economy, and in fact the American way of life.

When you read the law, you find that SOX is simply a way to hold 
executives responsible for the financial statements issued by their 
companies.  Assuming no ill intent (no comments, please!), that means 
trustworthy data.  That flows downhill, as all such things must, until we 
start talking about access controls and audit mechanisms for financial 
data.  That is, knowing who has the means and the opportunity to access 
the data, and knowing who has actually done so.  (I leave it to others to 
talk about motive.)  Who, what, where, when.

Unfortunately, IT security industry consultants have mangled this laudable 
concept into a paranoia-inducing behemoth that has people screaming in 
terror as it rampages across the country, flogging every sysadmin in its 
path.  Why?  Because financial status is inferred from many other data 
sources and no one wants to spend the time it takes to follow all the data 
flows.  Result: Secure Everything.

With HIPAA and PCI running alongside, the Secure Everything policy looks 
even more reasonable to CEOs, CIOs, CFOs, and their lawyers.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-09 Thread Mark Post
 On 12/9/2010 at 01:36 PM, George Henke/NYLIC george_he...@newyorklife.com
wrote: 
 Does it really matter? SOX is just another way congress has come up with 
 to destroy the American economy, and in fact the American way of life.

Given the current real life demands on our moderator, could we kill this 
side-thread on our own and not force him to do it?


Mark Post


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-09 Thread Bill Munson
good point Mark

Bill Munson 




From: Mark Post mp...@novell.com
To: IBMVM@LISTSERV.UARK.EDU
Date: 12/09/2010 01:46 PM
Subject: Re: Vswitch Grant as a CMD in User's Directory?
Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU

 On 12/9/2010 at 01:36 PM, George Henke/NYLIC george_he...@newyorklife.com wrote:
 Does it really matter? SOX is just another way congress has come up with
 to destroy the American economy, and in fact the American way of life.

Given the current real life demands on our moderator, could we kill this 
side-thread on our own and not force him to do it?


Mark Post





Re: Vswitch Grant as a CMD in User's Directory?

2010-12-09 Thread George Henke/NYLIC
Very true, Alan.

But a good auditor always asks the question, Where is the risk?

It is pointless to look for controls, test controls, or require controls,
where there is no risk, which a testing everything approach would try to
do.

It is the 20:80 rule.

80% of the risk can usually be covered by 20% of the controls.

The key to a good audit is to identify that 20% for the client and then 
test it.

There are General Controls and Application Controls.

Infrastructure controls are General Controls which are far more powerful 
and probably why SA's feel so beaten up.

Application Controls rely on the General Infrastructure Controls and if 
there are glaring weaknesses in the infrastructure controls then the 
Application Controls do not mean much.

It would be like locking the door to a room in your house, but leaving the 
front door unlocked.

But  this is the very reason a production z/VM, the front door if you 
will, should have a security system, be it RACF or whatever.

An auditor who says test everything will never stay in business very long 
because he would not be competitive.

Auditors, like everyone else, need to make a living and know they would
never get new business, win bids, or just make money if they ever tried
to test everything.

In fact, the whole purpose of controls and testing controls which is what 
SOX is all about is to reduce what is known in the auditing trade as 
substantive testing, adding up all the numbers and tying out to a 
financial statement, which is very labor-intensive, time consuming, and 
costly.

Auditors could never perform 100% substantive testing on all the 
transactions and data processed in a financial cycle.  It would be 
impossible.

So they invented compliance testing which says that if I can test the 
controls of a process, then I am justified in reducing the amount of 
substantive testing I must do for  due diligence.

A good auditor must first understand the entire process flow and think 
through the process to identify these controls and then design and 
identify the minimum testing needed to attest to the financials.

He can and will be held responsible for negligence.

30 years ago there were the Big 8 CPA firms.

Now there is only the Big 4 and we all know what happened to Arthur
Andersen when the cry went out in the MCI scandal, as it always does,
Where were the auditors?

After all, if an auditor is not going to tell you, the client, of 
weaknesses and exposures from which you eventually may or actually do 
suffer great loss or are forced out of business, what do you need him for 
anyway?

If the general public had no confidence in the financial statements of 
publicly traded companies what would happen to the stock market, to free 
enterprise, to capitalism?

Honesty and integrity is just plain good business.









Alan Altmark alan_altm...@us.ibm.com
Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
12/09/2010 01:43 PM
Please respond to: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
To: IBMVM@LISTSERV.UARK.EDU
cc:
Subject: Re: Vswitch Grant as a CMD in User's Directory?

On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel tehue...@gmail.com wrote:
 Does it really matter? SOX is just another way congress has come up with to
 destroy the American economy, and in fact the American way of life.

When you read the law, you find that SOX is simply a way to hold
executives responsible for the financial statements issued by their
companies.  Assuming no ill intent (no comments, please!), that means
trustworthy data.  That flows downhill, as all such things must, until we
start talking about access controls and audit mechanisms for financial
data.  That is, knowing who has the means and the opportunity to access
the data, and knowing who has actually done so.  (I leave it to others to
talk about motive.)  Who, what, where, when.

Unfortunately, IT security industry consultants have mangled this laudable
concept into a paranoia-inducing behemoth that has people screaming in
terror as it rampages across the country, flogging every sysadmin in its
path.  Why?  Because financial status is inferred from many other data
sources and no one wants to spend the time it takes to follow all the data
flows.  Result: Secure Everything.

With HIPAA and PCI running alongside, the Secure Everything policy looks
even more reasonable to CEOs, CIOs, CFOs, and their lawyers.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott



Re: Vswitch Grant as a CMD in User's Directory?

2010-12-09 Thread Alan Altmark
On Thursday, 12/09/2010 at 11:41 EST, Schuh, Richard rsc...@visa.com wrote:
 Not necessarily, there is LOGONBY. They need only know their own passwords.

They logon and access USER DIRECT.  Now they know ALL the passwords.  Of 
course, you can have LBYONLY for everyone.  But that misses the point. 
They are unencrypted passwords AND they are in bulk.  What if someone gets 
the bright idea to copy USER DIRECT to their laptop?  YOUR password is now 
exposed.

 Should anyone have full authority including all the passwords? If so, who?

People should have full authority, yes, but they should NOT have access to 
passwords belonging to others.  In some jurisdictions, a password is 
classified as personal information (encrypted or not) that plays into 
security breach notification law, even if not covered by PII protection 
requirements.

The idea that an organization might not take ALL REASONABLE precautions 
(aka due diligence) to protect a system with customer data is worrisome. 
 More worrisome is the fact that some organizations apparently don't have 
a POLICY of password encryption.   It's even harder to believe that 
company lawyers are on board with that since Company Policy is how 
corporations insulate themselves from the actions of individuals.  Even 
exceptions to policy need a valid reason.

In my Security and Integrity presentation, I say
1. Protect your data
2. Protect your system
3. Protect your clients
4. Protect your company
5. Protect yourself
Do the first two, and the last three will take care of themselves.

I am not a lawyer, however, so my comments reflect my own opinions and 
experiences in my role as a system security professional.  They should not 
be construed as legal advice, as such advice should, of course, be 
obtained from a competent attorney who specializes in such matters in the 
relevant jurisdictions.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott
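
An audit for the exposure described in the message above, written as an added example (it is not from the original post or from IBM): it lists which directory entries carry a stored logon or minidisk link password without ever echoing the password itself. It assumes one-line USER/IDENTITY statements and the standard `MDISK vdev devtype start size volid mode [readpw writepw multpw]` form; the sample directory and every password in it are constructed placeholders.

```python
# Keywords in the password field of USER/IDENTITY that store no password.
NO_STORED_PASSWORD = {"NOLOG", "AUTOONLY", "LBYONLY"}

# Constructed sample directory source; all passwords are made-up placeholders.
SAMPLE_USER_DIRECT = """\
USER MAINT EXAMPLE1 128M 1000M ABCDEFG
  MDISK 0191 3390 0001 0050 VOL001 MR ALL EXWRITE EXMULT
USER LINUX01 LBYONLY 1G 2G G
  LOGONBY ALICE BOB
USER LINUX02 LBYONLY 1G 2G G
* test machine left over from an install
USER TESTVM NOPASS 64M 64M G
USER ALICE EXAMPLE2 32M 32M G
  MDISK 0191 3390 0051 0010 VOL001 MR
"""


def audit_directory(text):
    """Return (userid, item, issue) tuples; password values are never returned."""
    findings = []
    owner = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("*"):
            continue  # blank line or directory comment
        keyword = tokens[0].upper()
        if keyword in ("USER", "IDENTITY") and len(tokens) >= 3:
            owner = tokens[1].upper()
            password = tokens[2].upper()
            if password == "NOPASS":
                findings.append((owner, "LOGON", "no password required"))
            elif password not in NO_STORED_PASSWORD:
                findings.append((owner, "LOGON", "cleartext password"))
        elif (keyword == "MDISK" and owner
              and len(tokens) > 7 and tokens[3].isdigit()):
            # Standard form only: tokens[6] is the mode, tokens[7:10] the
            # read/write/multiple link passwords.
            item = "MDISK " + tokens[1].upper()
            link_passwords = [t.upper() for t in tokens[7:10]]
            if "ALL" in link_passwords:
                findings.append((owner, item, "link open to ALL users"))
            if any(p != "ALL" for p in link_passwords):
                findings.append((owner, item, "cleartext link password"))
    return findings


if __name__ == "__main__":
    for userid, item, issue in audit_directory(SAMPLE_USER_DIRECT):
        print(f"{userid:<8} {item:<10} {issue}")
```

Entries that use LBYONLY, like LINUX01 and LINUX02 in the sample, produce no finding because there is no password of their own to read.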


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-09 Thread O'Brien, Dennis L
You would HAVE to buy an ESM, whether from IBM or CA.

Or have IBM include a basic awful one (eg, RACF) in the price of VM and be
done with it. Including a basic one that can be replaced with Something
Else would make everybody (IMHO) happy. The internal cost of including
RACF can't be that large.

From posts I've seen in the past, I don't think IBM can include a free ESM.  
They're not allowed to damage a competitor's business by making something free 
(i.e. no-charge feature) that they currently charge for.  If they make RACF 
free, that could put a big dent in CA's ESM business.  IBM can compete by 
trying to make RACF better than the CA products, but they can't just make it 
free.

If IBM requires an ESM to run z/VM, customers will be required to pay for it.  
Be careful what you wish for.

    Dennis

Yesterday, December 7, 1941-a date which will live in infamy-the United States 
of America was suddenly and deliberately attacked by naval and air forces of 
the Empire of Japan.  -- President Franklin D. Roosevelt



Re: Vswitch Grant as a CMD in User's Directory?

2010-12-08 Thread RPN01
The issue with keeping the grants in AUTOLOG1 or in SYSTEM CONFIG is that
you have to either continually modify those files every time you create a
new Linux image, or you have to keep a separate list of Linux images
somewhere for AUTOLOG1 to read (though you probably have to anyway).

Putting the commands in the CP Directory entry just gives you one less worry
about where to check if something has been done or not. It also covers you
for the initial creation of the image, where AUTOLOG1 will not be run, so
that you don't have to worry about granting the image by hand the first
time.

Is there anyone out there that actually gains security from CP users not
being granted onto their vSwitches? How many people would like to be able to
define a vSwitch as open to the public or not requiring a grant to be
accessed?

-- 
Robert P. Nix  Mayo Foundation.~.
RO-OC-1-18 200 First Street SW/V\
507-284-0844   Rochester, MN 55905   /( )\
-^^-^^
In theory, theory and practice are the same, but
 in practice, theory and practice are different.



On 12/7/10 9:25 PM, Lee Stewart lstewart.dsgr...@attglobal.net wrote:

 It seems to me...
 
 Rather than putting a Vswitch Grant for each Linux guest somewhere like
 AUTOLOG1's PROFILE EXEC, I thought I'd try putting a
  CMD SET VSWITCH VSW1 GRANT USERID
 in the directory profile for the Linux guests...
 
 Alas, it seems that the GRANT isn't processed till after the NIC / LAN
 connection is attempted.  I thought I understood that CMDs in the
 directory entry were processed before the user was logged on...
 
 Did I misunderstand or???
 
 Thanks,
 Lee


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-08 Thread gclovis
Hi,
CP DEFINE LAN has an UNRESTRICTED option that doesn't need the grants.
My suggestion: 
If the environment is stable, fix the VSWITCH and GRANTS into SYSTEM 
CONFIG.
If the system is unstable or is in the test phase, test with the 
unrestricted lan. 
Only NICDEF changes in directory...
__
Clovis 



From: RPN01 nix.rob...@mayo.edu
To: IBMVM@LISTSERV.UARK.EDU
Date: 08/12/2010 11:27
Subject: Re: Vswitch Grant as a CMD in User's Directory?
Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU



The issue with keeping the grants in AUTOLOG1 or in SYSTEM CONFIG is that
you have to either continually modify those files every time you create a
new Linux image, or you have to keep a separate list of Linux images
somewhere for AUTOLOG1 to read (though you probably have to anyway).

Putting the commands in the CP Directory entry just gives you one less worry
about where to check if something has been done or not. It also covers you
for the initial creation of the image, where AUTOLOG1 will not be run, so
that you don't have to worry about granting the image by hand the first
time.

Is there anyone out there that actually gains security from CP users not
being granted onto their vSwitches? How many people would like to be able to
define a vSwitch as open to the public or not requiring a grant to be
accessed?

-- 
Robert P. Nix  Mayo Foundation.~.
RO-OC-1-18 200 First Street SW/V\
507-284-0844   Rochester, MN 55905   /( )\
-^^-^^
In theory, theory and practice are the same, but
 in practice, theory and practice are different.



On 12/7/10 9:25 PM, Lee Stewart lstewart.dsgr...@attglobal.net wrote:

 It seems to me...
 
 Rather than putting a Vswitch Grant for each Linux guest somewhere like
 AUTOLOG1's PROFILE EXEC, I thought I'd try putting a
  CMD SET VSWITCH VSW1 GRANT USERID
 in the directory profile for the Linux guests...
 
 Alas, it seems that the GRANT isn't processed till after the NIC / LAN
 connection is attempted.  I thought I understood that CMDs in the
 directory entry were processed before the user was logged on...
 
 Did I misunderstand or???
 
 Thanks,
 Lee




Re: Vswitch Grant as a CMD in User's Directory?

2010-12-08 Thread Lee Stewart

Cool...   I'll try that...

I can see a use for GRANTs when the define is done by command.  You need 
to know it's really allowed.   But if it's in the directory, hopefully 
only authorized people can update the directory, so why should they have 
to update 2 things?


Thanks all!!
Lee

On 12/7/2010 8:29 PM, Marcy Cortes wrote:

Add the couple command in there too.
Marcy.  Sent from my BlackBerry.


- Original Message -
From: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
To: IBMVM@LISTSERV.UARK.EDU IBMVM@LISTSERV.UARK.EDU
Sent: Tue Dec 07 21:25:07 2010
Subject: [IBMVM] Vswitch Grant as a CMD in User's Directory?

It seems to me...

Rather than putting a Vswitch Grant for each Linux guest somewhere like
AUTOLOG1's PROFILE EXEC, I thought I'd try putting a
  CMD SET VSWITCH VSW1 GRANT USERID
in the directory profile for the Linux guests...

Alas, it seems that the GRANT isn't processed till after the NIC / LAN
connection is attempted.  I thought I understood that CMDs in the
directory entry were processed before the user was logged on...

Did I misunderstand or???

Thanks,
Lee



--

Lee Stewart, Senior SE
Sirius Computer Solutions
Phone: (303) 996-7122
Email: lee.stew...@siriuscom.com
Web:   www.siriuscom.com


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-08 Thread Quay, Jonathan (IHG)
I don't.  I don't have any human beings on my systems except for system
programmers that have full authority anyway.  Having to GRANT linux
servers is an extra thing that has to be managed.  I would like to
define a vswitch as unrestricted.

-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of RPN01
Sent: Wednesday, December 08, 2010 8:27 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Vswitch Grant as a CMD in User's Directory?

The issue with keeping the grants in AUTOLOG1 or in SYSTEM CONFIG is
that
you have to either continually modify those files every time you create
a
new Linux image, or you have to keep a separate list of Linux images
somewhere for AUTOLOG1 to read (though you probably have to anyway).

Putting the commands in the CP Directory entry just gives you one less
worry
about where to check if something has been done or not. It also covers
you
for the initial creation of the image, where AUTOLOG1 will not be run,
so
that you don't have to worry about granting the image by hand the first
time.

Is there anyone out there that actually gains security from CP users not
being granted onto their vSwitches? How many people would like to be
able to
define a vSwitch as open to the public or not requiring a grant to be
accessed?

-- 
Robert P. Nix  Mayo Foundation.~.
RO-OC-1-18 200 First Street SW/V\
507-284-0844   Rochester, MN 55905   /( )\
-^^-^^
In theory, theory and practice are the same, but
 in practice, theory and practice are different.



On 12/7/10 9:25 PM, Lee Stewart lstewart.dsgr...@attglobal.net
wrote:

 It seems to me...
 
 Rather than putting a Vswitch Grant for each Linux guest somewhere
like
 AUTOLOG1's PROFILE EXEC, I thought I'd try putting a
  CMD SET VSWITCH VSW1 GRANT USERID
 in the directory profile for the Linux guests...
 
 Alas, it seems that the GRANT isn't processed till after the NIC / LAN
 connection is attempted.  I thought I understood that CMDs in the
 directory entry were processed before the user was logged on...
 
 Did I misunderstand or???
 
 Thanks,
 Lee


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-08 Thread Tom Huegel
Or maybe put a password on the VSWITCH that would allow a class G user to
connect if he knew the password.

On Wed, Dec 8, 2010 at 8:15 AM, Quay, Jonathan (IHG)
jonathan.q...@ihg.com wrote:

 I don't.  I don't have any human beings on my systems except for system
 programmers that have full authority anyway.  Having to GRANT linux
 servers is an extra thing that has to be managed.  I would like to
 define a vswitch as unrestricted.

 -Original Message-
 From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
 Behalf Of RPN01
 Sent: Wednesday, December 08, 2010 8:27 AM
 To: IBMVM@LISTSERV.UARK.EDU
  Subject: Re: Vswitch Grant as a CMD in User's Directory?

 The issue with keeping the grants in AUTOLOG1 or in SYSTEM CONFIG is
 that
 you have to either continually modify those files every time you create
 a
 new Linux image, or you have to keep a separate list of Linux images
 somewhere for AUTOLOG1 to read (though you probably have to anyway).

 Putting the commands in the CP Directory entry just gives you one less
 worry
 about where to check if something has been done or not. It also covers
 you
 for the initial creation of the image, where AUTOLOG1 will not be run,
 so
 that you don't have to worry about granting the image by hand the first
 time.

 Is there anyone out there that actually gains security from CP users not
 being granted onto their vSwitches? How many people would like to be
 able to
 define a vSwitch as open to the public or not requiring a grant to be
 accessed?

 --
 Robert P. Nix  Mayo Foundation.~.
 RO-OC-1-18 200 First Street SW/V\
 507-284-0844   Rochester, MN 55905   /( )\
 -^^-^^
 In theory, theory and practice are the same, but
  in practice, theory and practice are different.



 On 12/7/10 9:25 PM, Lee Stewart lstewart.dsgr...@attglobal.net
 wrote:

  It seems to me...
 
  Rather than putting a Vswitch Grant for each Linux guest somewhere
 like
  AUTOLOG1's PROFILE EXEC, I thought I'd try putting a
   CMD SET VSWITCH VSW1 GRANT USERID
  in the directory profile for the Linux guests...
 
  Alas, it seems that the GRANT isn't processed till after the NIC / LAN
  connection is attempted.  I thought I understood that CMDs in the
  directory entry were processed before the user was logged on...
 
  Did I misunderstand or???
 
  Thanks,
  Lee



Re: Vswitch Grant as a CMD in User's Directory?

2010-12-08 Thread Alan Altmark
On Wednesday, 12/08/2010 at 08:31 EST, RPN01 nix.rob...@mayo.edu wrote:

> Is there anyone out there that actually gains security from CP users not
> being granted onto their vSwitches? How many people would like to be able to
> define a vSwitch as open to the public or not requiring a grant to be
> accessed?

In the same way plugging an ethernet cable into a switch is not sufficient 
to gain connectivity, so defining a virtual wire is not sufficient to gain 
connectivity to a virtual network.  This is just the way networking is 
done.  Virtualizing the wires doesn't change anything.

Assuming you have RACF and generic profiles active, you can allow access 
to all VSWITCHes while denying access to all user-created Guest LANs.
  RDEFINE ** CL(VMLAN) UACC(NONE)
  RDEFINE SYSTEM.** CL(VMLAN) UACC(UPDATE)

Without an ESM, Class G Guest LANs can be disabled by putting VMLAN 
TRANSIENT 0 in SYSTEM CONFIG.

I've been saying for several years, You need an ESM.   More and more 
z/VM security management will be focused on ESMs, not native CP.  If your 
fave ESM doesn't simplify things for you, gripe to the vendor.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-08 Thread David Boyes
On 12/8/10 4:15 PM, Quay, Jonathan (IHG) jonathan.q...@ihg.com wrote:

> I don't.  I don't have any human beings on my systems except for system
> programmers that have full authority anyway.  Having to GRANT linux
> servers is an extra thing that has to be managed.  I would like to
> define a vswitch as unrestricted.
>
>> Is there anyone out there that actually gains security from CP users not
>> being granted onto their vSwitches? How many people would like to be
>> able to
>> define a vSwitch as open to the public or not requiring a grant to be
>> accessed?

I'll make a counter argument: there is a significant difference between
being allowed to create a piece of infrastructure, and being allowed to
use it. Granting permission to use something after it's created is that
second item, and I would say that there is a very good reason to have the
two steps separate so that they can be separately controlled and audited.

So, I think I'm going to side with Alan. If you want an unrestricted
VSWITCH, you need to kick your ESM vendor to allow you to control them and
declare a rule that anyone can attach to said VSWITCH.

OTOH, I think this also argues for a bigger step: for IBM to supply a
default ESM and quit having to do it two different ways. We can always
replace the default one with something better, but there's a lot of
wheel-spinning being done in IBM development to support the two different
models. 

Personally, I dislike RACF with a passion, but I'd rather have RACF be
present by default and have one single way to do security management (via
the ESM) than have to have a completely separate command authorization
matrix to worry about via CP privilege classes, etc, etc, etc. It may have
worked in the past, but its time HAS passed. There's too many regulations
and too many hostile bozos out there to not have a comprehensive security
management tool as part of the VM hypervisor suite. If that means we all
have to suffer under RACF for long enough to turn it off, then so be it.




Re: Vswitch Grant as a CMD in User's Directory?

2010-12-08 Thread RPN01
But, should you have to have an external security manager for a system where
the majority of users are disconnected guest operating systems? Most of
today's z/VM systems have a bare minimum of real human users. CP is the
security manager for us, and it's sufficient to control the wild ramblings
of, oh, say, the four people who need access. The dollars are needed for
other things with a much higher priority before we'd ever get an ESM to
control our more wild moments.

And, plugging a cable into a switch generally does get you connectivity,
because someone put that switch there for the express purpose of providing
that connectivity in the first place. If I walk into an office on campus,
and there's an Ethernet jack on the wall, I have the reasonable expectation
that I should be able to plug my laptop into it and have a connection to the
network. The same thing holds true if I see a wireless antenna on the
ceiling here. I shouldn't have to call the Network Operations Center and
give them my name and password and the jack number to get them to let me in;
If that were the case, we'd have a lot of ticked off doctors running around
here. (Much the same as I get ticked off every time I have to go grant a
virtual machine into the virtual switch.) We even have jacks and wireless in
the patient waiting areas so that they can get internet access, and they
don't need to be granted in either.

The vSwitch grant is not in any way mimicking a real life scenario. It
doesn't compare to the real world in any way. Networking gets set up, and
once it's set up, you plug things into it and they simply work, as long as
you know the IP range and netmask, or your computer does a reasonable job of
DHCPing you an address. You don't have to be granted into it.

-- 
Robert P. Nix  Mayo Foundation.~.
RO-OC-1-18 200 First Street SW/V\
507-284-0844   Rochester, MN 55905   /( )\
-^^-^^
In theory, theory and practice are the same, but
 in practice, theory and practice are different.



On 12/8/10 12:38 PM, Alan Altmark alan_altm...@us.ibm.com wrote:

 On Wednesday, 12/08/2010 at 08:31 EST, RPN01 nix.rob...@mayo.edu wrote:
 
 Is there anyone out there that actually gains security from CP users not
 being granted onto their vSwitches? How many people would like to be
 able to
 define a vSwitch as open to the public or not requiring a grant to be
 accessed?
 
 In the same way plugging an ethernet cable into a switch is not sufficient
 to gain connectivity, so defining a virtual wire is not sufficient to gain
 connectivity to a virtual network.  This is just the way networking is
 done.  Virtualizing the wires doesn't change anything.
 
 Assuming you have RACF and generic profiles active, you can allow access
 to all VSWITCHes while denying access to all user-created Guest LANs.
   RDEFINE ** CL(VMLAN) UACC(NONE)
   RDEFINE SYSTEM.** CL(VMLAN) UACC(UPDATE)
 
 Without an ESM, Class G Guest LANs can be disabled by putting VMLAN
 TRANSIENT 0 in SYSTEM CONFIG.
 
 I've been saying for several years, You need an ESM.   More and more
 z/VM security management will be focused on ESMs, not native CP.  If your
 fave ESM doesn't simplify things for you, gripe to the vendor.
 
 Alan Altmark
 
 z/VM and Linux on System z Consultant
 IBM System Lab Services and Training
 ibm.com/systems/services/labservices
 office: 607.429.3323
 alan_altm...@us.ibm.com
 IBM Endicott


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-08 Thread Tom Huegel
It is a hard sell to management to buy an ESM if there is no audit
requirement.

On Wed, Dec 8, 2010 at 11:34 AM, David Boyes dbo...@sinenomine.net wrote:

 On 12/8/10 4:15 PM, Quay, Jonathan (IHG) jonathan.q...@ihg.com wrote:

 I don't.  I don't have any human beings on my systems except for system
 programmers that have full authority anyway.  Having to GRANT linux
 servers is an extra thing that has to be managed.  I would like to
 define a vswitch as unrestricted.
 
 Is there anyone out there that actually gains security from CP users not
 being granted onto their vSwitches? How many people would like to be
 able to
 define a vSwitch as open to the public or not requiring a grant to be
 accessed?

 I'll make a counter argument: there is a significant difference between
 being allowed to create a piece of infrastructure, and being allowed to
 use it. Granting permission to use something after it's created is that
 second item, and I would say that there is a very good reason to have the
 two steps separate so that they can be separately controlled and audited.

 So, I think I'm going to side with Alan. If you want an unrestricted
 VSWITCH, you need to kick your ESM vendor to allow you to control them and
 declare a rule that anyone can attach to said VSWITCH.

 OTOH, I think this also argues for a bigger step: for IBM to supply a
 default ESM and quit having to do it two different ways. We can always
 replace the default one with something better, but there's a lot of
 wheel-spinning being done in IBM development to support the two different
 models.

 Personally, I dislike RACF with a passion, but I'd rather have RACF be
 present by default and have one single way to do security management (via
 the ESM) than have to have a completely separate command authorization
 matrix to worry about via CP privilege classes, etc, etc, etc. It may have
 worked in the past, but its time HAS passed. There's too many regulations
 and too many hostile bozos out there to not have a comprehensive security
 management tool as part of the VM hypervisor suite. If that means we all
 have to suffer under RACF for long enough to turn it off, then so be it.

 



Re: Vswitch Grant as a CMD in User's Directory?

2010-12-08 Thread George Henke/NYLIC
If you are a publicly traded company and z/VM is running production 
without an ESM or its equivalent, then you have a material control 
weakness in your segregation of duties (SOD) which can lead to more than 
a 10% error in your financial statements and by Act of Congress, Sarbanes 
Oxley, aka SOX, requires such GAPs, ie material control weaknesses, to be 
reported to the Board of Directors and for them to report it to the SEC, 
made public, which often has an adverse effect on the price of stock.

If the IT Audit has failed to identify such a weakness, then it needs to 
be redone.

If you want to bring this to the attention of your management in a timely 
manner so you can obtain funding for your ESM, just call or email the 
Audit Committee which is, by law, a subset of the Board of Directors and I 
am sure the funds will be readily available.

You may want to update your resume first.

 



Tom Huegel tehue...@gmail.com
Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
12/08/2010 03:10 PM
Please respond to: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
To: IBMVM@LISTSERV.UARK.EDU
cc:
Subject: Re: Vswitch Grant as a CMD in User's Directory?






It is a hard sell to management to buy an ESM if there is no audit 
requirement. 

On Wed, Dec 8, 2010 at 11:34 AM, David Boyes dbo...@sinenomine.net 
wrote:
On 12/8/10 4:15 PM, Quay, Jonathan (IHG) jonathan.q...@ihg.com wrote:

I don't.  I don't have any human beings on my systems except for system
programmers that have full authority anyway.  Having to GRANT linux
servers is an extra thing that has to be managed.  I would like to
define a vswitch as unrestricted.

Is there anyone out there that actually gains security from CP users not
being granted onto their vSwitches? How many people would like to be
able to
define a vSwitch as open to the public or not requiring a grant to be
accessed?

I'll make a counter argument: there is a significant difference between
being allowed to create a piece of infrastructure, and being allowed to
use it. Granting permission to use something after it's created is that
second item, and I would say that there is a very good reason to have the
two steps separate so that they can be separately controlled and audited.

So, I think I'm going to side with Alan. If you want an unrestricted
VSWITCH, you need to kick your ESM vendor to allow you to control them and
declare a rule that anyone can attach to said VSWITCH.

OTOH, I think this also argues for a bigger step: for IBM to supply a
default ESM and quit having to do it two different ways. We can always
replace the default one with something better, but there's a lot of
wheel-spinning being done in IBM development to support the two different
models.

Personally, I dislike RACF with a passion, but I'd rather have RACF be
present by default and have one single way to do security management (via
the ESM) than have to have a completely separate command authorization
matrix to worry about via CP privilege classes, etc, etc, etc. It may have
worked in the past, but its time HAS passed. There's too many regulations
and too many hostile bozos out there to not have a comprehensive security
management tool as part of the VM hypervisor suite. If that means we all
have to suffer under RACF for long enough to turn it off, then so be it.





Re: Vswitch Grant as a CMD in User's Directory?

2010-12-08 Thread Alan Altmark
On Wednesday, 12/08/2010 at 02:35 EST, David Boyes dbo...@sinenomine.net wrote:
> OTOH, I think this also argues for a bigger step: for IBM to supply a
> default ESM and quit having to do it two different ways. We can always
> replace the default one with something better, but there's a lot of
> wheel-spinning being done in IBM development to support the two different
> models.
>
> Personally, I dislike RACF with a passion, but I'd rather have RACF be
> present by default and have one single way to do security management (via
> the ESM) than have to have a completely separate command authorization
> matrix to worry about via CP privilege classes, etc, etc, etc. It may have
> worked in the past, but its time HAS passed. There's too many regulations
> and too many hostile bozos out there to not have a comprehensive security
> management tool as part of the VM hypervisor suite. If that means we all
> have to suffer under RACF for long enough to turn it off, then so be it.

In order to achieve the savings you imply, then z/VM must move to the z/OS 
model in which, except for a few specific functions, an ESM is required 
for proper operation.  NO native CP security controls beyond those 
required to restore ESM control vis a vis SYS1.UADS in order to login to 
TSO.  Any function dependent on the ESM will be configured to DENY access 
without the ESM.

You would HAVE to buy an ESM, whether from IBM or CA.

And THAT will be acceptable only when folks wrap their heads around the 
fact that z/VM systems WITHOUT an ESM will fail a modern security audit.  
The primary example is the presence of unencrypted passwords in USER 
DIRECT.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-08 Thread Alan Altmark
On Wednesday, 12/08/2010 at 03:11 EST, RPN01 nix.rob...@mayo.edu wrote:
> But, should you have to have an external security manager for a system where
> the majority of users are disconnected guest operating systems?

Yes.

> Most of
> today's z/VM systems have a bare minimum of real human users. CP is the
> security manager for us, and it's sufficient to control the wild ramblings
> of, oh, say, the four people who need access.

Those four people know all the passwords.  There is no accountability and
no plausible deniability.  You have de facto password sharing, something I
have yet to see countenanced by any IT organization.

> The dollars are needed for
> other things with a much higher priority before we'd ever get an ESM to
> control our more wild moments.

That's certainly a fair decision to make.  Understand that the ESM is not
there to protect the system from rogue sysprogs.  It is there to enforce
policy and to demonstrate that you *have* a policy and the evidence to
demonstrate its enforcement.

> And, plugging a cable into a switch generally does get you connectivity,
> because someone put that switch there for the express purpose of providing
> that connectivity in the first place. If I walk into an office on campus,
> and there's an Ethernet jack on the wall, I have the reasonable expectation
> that I should be able to plug my laptop into it and have a connection to the
> network.

You have a policy in place that unused ports are enabled.  Whether the
port was opened on demand or in advance of use doesn't really matter.  It
isn't by *your* choice that you are allowed to plug into the network.

> The same thing holds true if I see a wireless antenna on the
> ceiling here. I shouldn't have to call the Network Operations Center and
> give them my name and password and the jack number to get them to let me in;

No, but you may require a certificate.  But even if you don't, there was
still a policy in place to open the ports.

> If that were the case, we'd have a lot of ticked off doctors running around
> here. (Much the same as I get ticked off every time I have to go grant a
> virtual machine into the virtual switch.) We even have jacks and wireless in
> the patient waiting areas so that they can get internet access, and they
> don't need to be granted in either.
>
> The vSwitch grant is not in any way mimicking a real life scenario. It
> doesn't compare to the real world in any way. Networking gets set up, and
> once it's set up, you plug things into it and they simply work, as long as
> you know the IP range and netmask, or your computer does a reasonable job of
> DHCPing you an address. You don't have to be granted into it.

You are making my point for me, demonstrating that it is NOT sufficient to 
just plug into a wall port.  Someone has cabled/authorized/opened those 
ports.  They have set up the DHCP servers or given you a considered IP 
address.  Those public ports very likely have different access rights than 
those in offices and exam rooms.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott


Vswitch Grant as a CMD in User's Directory?

2010-12-07 Thread Lee Stewart

It seems to me...

Rather than putting a Vswitch Grant for each Linux guest somewhere like 
AUTOLOG1's PROFILE EXEC, I thought I'd try putting a

CMD SET VSWITCH VSW1 GRANT USERID
in the directory profile for the Linux guests...

Alas, it seems that the GRANT isn't processed till after the NIC / LAN 
connection is attempted.  I thought I understood that CMDs in the 
directory entry were processed before the user was logged on...


Did I misunderstand or???

Thanks,
Lee

--

Lee Stewart, Senior SE
Sirius Computer Solutions
Phone: (303) 996-7122
Email: lee.stew...@siriuscom.com
Web:   www.siriuscom.com


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-07 Thread Marcy Cortes
Add the couple command in there too.  
Marcy.  Sent from my BlackBerry. 


- Original Message -
From: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
To: IBMVM@LISTSERV.UARK.EDU IBMVM@LISTSERV.UARK.EDU
Sent: Tue Dec 07 21:25:07 2010
Subject: [IBMVM] Vswitch Grant as a CMD in User's Directory?

It seems to me...

Rather than putting a Vswitch Grant for each Linux guest somewhere like 
AUTOLOG1's PROFILE EXEC, I thought I'd try putting a
 CMD SET VSWITCH VSW1 GRANT USERID
in the directory profile for the Linux guests...

Alas, it seems that the GRANT isn't processed till after the NIC / LAN 
connection is attempted.  I thought I understood that CMDs in the 
directory entry were processed before the user was logged on...

Did I misunderstand or???

Thanks,
Lee

-- 

Lee Stewart, Senior SE
Sirius Computer Solutions
Phone: (303) 996-7122
Email: lee.stew...@siriuscom.com
Web:   www.siriuscom.com


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-07 Thread Kris Buelens
All directory statements are processed *during* logon.  But, as you can
observe: the statements defining the virtual IO configuration are processed
before the CMD statements.
You could fix this chicken-and-egg problem by defining the NIC via CMD
statements too.

2010/12/8 Lee Stewart lstewart.dsgr...@attglobal.net

 It seems to me...

 Rather than putting a Vswitch Grant for each Linux guest somewhere like
 AUTOLOG1's PROFILE EXEC, I thought I'd try putting a
CMD SET VSWITCH VSW1 GRANT USERID
 in the directory profile for the Linux guests...

 Alas, it seems that the GRANT isn't processed till after the NIC / LAN
 connection is attempted.  I thought I understood that CMDs in the directory
 entry were processed before the user was logged on...

 Did I misunderstand or???

 Thanks,
 Lee

 --

 Lee Stewart, Senior SE
 Sirius Computer Solutions
 Phone: (303) 996-7122
 Email: lee.stew...@siriuscom.com
 Web:   www.siriuscom.com




-- 
Kris Buelens,
IBM Belgium, VM customer support


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-07 Thread Tom Huegel
What seems to be the problem Lee? I did the same thing and it worked just
fine. I don't believe the order really matters. I took it out of the
directory and put it in AUTOLOG1 because in my case the LINUX guest may be
logged on and off several times during a z/VM IPL. Although it worked fine
it produced an error message every time (other than the first time) the
guest logged on. I don't remember for sure, but I think I also defined the
NIC via the CMD statement.
Oh I just saw Kris's response.. I guess I did define the NIC via CMD..

I hope that helps.



On Tue, Dec 7, 2010 at 7:25 PM, Lee Stewart
lstewart.dsgr...@attglobal.net wrote:

 It seems to me...

 Rather than putting a Vswitch Grant for each Linux guest somewhere like
 AUTOLOG1's PROFILE EXEC, I thought I'd try putting a
CMD SET VSWITCH VSW1 GRANT USERID
 in the directory profile for the Linux guests...

 Alas, it seems that the GRANT isn't processed till after the NIC / LAN
 connection is attempted.  I thought I understood that CMDs in the directory
 entry were processed before the user was logged on...

 Did I misunderstand or???

 Thanks,
 Lee

 --

 Lee Stewart, Senior SE
 Sirius Computer Solutions
 Phone: (303) 996-7122
 Email: lee.stew...@siriuscom.com
 Web:   www.siriuscom.com



Re: Vswitch Grant as a CMD in User's Directory?

2010-12-07 Thread Marcy Cortes
What Kris said is right.
The 2nd time through you already have the access so it appears to work.
After you IPL or destroy your vswitch, it wouldn’t work on the first login.
Drove me crazy.
Of course, I hate Grants ☺



Marcy 


From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf 
Of Tom Huegel
Sent: Tuesday, December 07, 2010 8:24 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] Vswitch Grant as a CMD in User's Directory?

What seems to be the problem Lee? I did the same thing and it worked just fine. 
I don't believe the order really matters. I took it out of the directory and 
put it in AUTOLOG1 because in my case the LINUX guest may be logged on and off 
several times during a z/VM IPL. Although it worked fine it produced an error 
message every time (other than the first) time the guest logged on. I don't 
remember for sure, but I think I also defined the NIC via the CMD statement. 
Oh I just saw Kris's response.. I guess I did define the NIC via CMD..

I hope that helps.

 
On Tue, Dec 7, 2010 at 7:25 PM, Lee Stewart lstewart.dsgr...@attglobal.net 
wrote:
It seems to me...

Rather than putting a Vswitch Grant for each Linux guest somewhere like 
AUTOLOG1's PROFILE EXEC, I thought I'd try putting a
   CMD SET VSWITCH VSW1 GRANT USERID
in the directory profile for the Linux guests...

Alas, it seems that the GRANT isn't processed till after the NIC / LAN 
connection is attempted.  I thought I understood that CMDs in the directory 
entry were processed before the user was logged on...

Did I misunderstand or???

Thanks,
Lee

-- 

Lee Stewart, Senior SE
Sirius Computer Solutions
Phone: (303) 996-7122
Email: lee.stew...@siriuscom.com
Web:   www.siriuscom.com



Re: Vswitch Grant as a CMD in User's Directory?

2010-12-07 Thread Alan Altmark
On Tuesday, 12/07/2010 at 11:27 EST, Marcy Cortes 
marcy.d.cor...@wellsfargo.com wrote:
 What Kris said is right.
 The 2nd time through you already have the access so it appears to work
 After you IPL or destroy your vswitch, it wouldn’t work on the first login.
 Drove me crazy.
 Of course, I hate Grants

Then don't use them.  Let your ESM handle it and you never need worry 
about the authorization again, regardless of the existence of the VSWITCH.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-07 Thread Scott Rohling
If you use RACF - permitting users to the VSWITCH only needs to be done
once.   :-)   Say goodbye to GRANT.

Scott Rohling

On Tue, Dec 7, 2010 at 9:26 PM, Marcy Cortes
marcy.d.cor...@wellsfargo.com wrote:

 What Kris said is right.
 The 2nd time through you already have the access so it appears to work
 After you IPL or destroy your vswitch, it wouldn’t work on the first login.
 Drove me crazy.
 Of course, I hate Grants ☺



 Marcy


 From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
 Behalf Of Tom Huegel
 Sent: Tuesday, December 07, 2010 8:24 PM
 To: IBMVM@LISTSERV.UARK.EDU
 Subject: Re: [IBMVM] Vswitch Grant as a CMD in User's Directory?

 What seems to be the problem Lee? I did the same thing and it worked just
 fine. I don't believe the order really matters. I took it out of the
 directory and put it in AUTOLOG1 because in my case the LINUX guest may be
 logged on and off several times during a z/VM IPL. Although it worked fine
 it produced an error message every time (other than the first) time the
 guest logged on. I don't remember for sure, but I think I also defined the
 NIC via the CMD statement.
 Oh I just saw Kris's response.. I guess I did define the NIC via CMD..

 I hope that helps.


 On Tue, Dec 7, 2010 at 7:25 PM, Lee Stewart 
 lstewart.dsgr...@attglobal.net wrote:
 It seems to me...

 Rather than putting a Vswitch Grant for each Linux guest somewhere like
 AUTOLOG1's PROFILE EXEC, I thought I'd try putting a
CMD SET VSWITCH VSW1 GRANT USERID
 in the directory profile for the Linux guests...

 Alas, it seems that the GRANT isn't processed till after the NIC / LAN
 connection is attempted.  I thought I understood that CMDs in the directory
 entry were processed before the user was logged on...

 Did I misunderstand or???

 Thanks,
 Lee

 --

 Lee Stewart, Senior SE
 Sirius Computer Solutions
 Phone: (303) 996-7122
 Email: lee.stew...@siriuscom.com
 Web:   www.siriuscom.com




Re: Vswitch Grant as a CMD in User's Directory?

2010-12-07 Thread Marcy Cortes
Well, you know... there's only the 1 ESM that uses them and we don't use *that* 
one.  I'll tolerate the grants rather than switch ESMs :)

Marcy 


-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf 
Of Alan Altmark
Sent: Tuesday, December 07, 2010 8:32 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] Vswitch Grant as a CMD in User's Directory?

On Tuesday, 12/07/2010 at 11:27 EST, Marcy Cortes 
marcy.d.cor...@wellsfargo.com wrote:
 What Kris said is right.
 The 2nd time through you already have the access so it appears to work
 After you IPL or destroy your vswitch, it wouldn’t work on the first login.
 Drove me crazy.
 Of course, I hate Grants

Then don't use them.  Let your ESM handle it and you never need worry 
about the authorization again, regardless of the existence of the VSWITCH.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott


Re: Vswitch Grant as a CMD in User's Directory?

2010-12-07 Thread Alan Altmark
On Tuesday, 12/07/2010 at 11:37 EST, Marcy Cortes 
marcy.d.cor...@wellsfargo.com wrote:
 Well, you know... there's only the 1 ESM that uses them and we don't use *that*
 one.  I'll tolerate the grants rather than switch ESMs :)

My mistake.  I would have figured that by now all ESMs would provide 
protection for VSWITCHes and Guest LANs, since otherwise you have to turn 
off the ability for lowly class G users to create Guest LANs.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott


Re: No IPL VSWITCH Connectivity

2010-11-18 Thread George Henke/NYLIC
Just a coda on this problem and a special thank you to both Alan and Sue 
Farrell who hit the bull's eye.

Portname in the define VSWITCH was indeed the problem, as Sue explains:

If you have defined your VSWITCH exactly like you first mentioned:
define vswitch lnxvsw1 portname lnxvsw1 rdev 9004
then your problem is the PORTNAME.  rdev 9004 is being treated as
additional portnames.  Like Alan said, leave it off.
See the syntax note for DEFINE VSWITCH:
Notes:
(1)  You can specify the operands in any order, as long as switchname is
the first operand specified, and portname is the last operand specified,
if applicable.

Once the portname was eliminated, the VSWITCH definition in SYSTEM CONFIG
was honored and VSWITCH came up connected after the IPL without any
further action required.

Also, since it is in season to express thanks, a special thanks to all the 
listers for help not only on this problem, but all the problems I 
encountered upgrading z/VM 5.4.

We are now z196 compliant at RSU 1002 Level 1 with a Level 2 maintenance 
environment that did not exist before.

None of which would have been possible without the help of you all.

So thank you very much one and all. 





Alan Altmark alan_altm...@us.ibm.com
Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
11/01/2010 03:34 PM
Please respond to: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: No IPL VSWITCH Connectivity

On Monday, 11/01/2010 at 03:10 EDT, George Henke/NYLIC 
george_he...@newyorklife.com wrote:
 After IPL we can destroy the VSWITCH:

 det vswitch lnxvsw1

 Then issue the same commands as in the IPL below and everything connects.

 Why?

 Are there some restrictions, considerations, for defining the VSWITCH at IPL
 time?

 SYSTEM CONFIG:

 define vswitch lnxvsw1 portname lnxvsw1 rdev 9004

I suggest that you remove the PORTNAME LNXVSW1.  It isn't needed and it 
can create unnecessary confusion.

 AUTOLOG1: PROFILE EXEC: 
 
 'CP SET VSWITCH LNXVSW1 GRANT VLINUX1' 
 'CP SET VSWITCH LNXVSW1 GRANT VLINUX2' 
 'CP SET VSWITCH LNXVSW1 GRANT VLINUX3' 
 'CP SET VSWITCH LNXVSW1 GRANT VLINUX4' 
 'CP SET VSWITCH LNXVSW1 GRANT VLINUX5' 
 'CP SLEEP 10 SEC' 

Why sleep 10 sec?  The SET VSWITCH commands take effect immediately.

 'CP XAUTOLOG VLINUX1' 
 'CP XAUTOLOG VLINUX2' 
 'CP XAUTOLOG VLINUX3' 


A VSWITCH establishes connectivity to the outside world once the 
controllers (DTCVSW1/2) are up.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott
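
Added example, not part of the original posts and not IBM's code: a small Python check, run against a copy of SYSTEM CONFIG, for the mistake resolved in the message above, where operands placed after PORTNAME on DEFINE VSWITCH are taken as additional port names. The keyword subset, the comment and continuation handling, the function names and the second sample statement are assumptions; the suggested fix follows the advice in the thread to leave PORTNAME off.

```python
import re
# Subset of DEFINE VSWITCH operand keywords (assumption: not the full CP list).
KEYWORDS = {"RDEV", "CONNECT", "DISCONNECT", "CONTROLLER", "IP", "ETHERNET",
            "VLAN", "PORTTYPE", "QUEUESTORAGE"}

def statements(text):
    """Yield (first_line_no, tokens); assumes /* */ comments, trailing-comma continuation."""
    # Blank out comments but keep their newlines so line numbers stay correct.
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"),
                  text, flags=re.S)
    tokens, start = [], None
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if start is None:
            start = no
        tokens += line.rstrip(",").split()
        if not line.endswith(","):
            yield start, tokens
            tokens, start = [], None
    if tokens:
        yield start, tokens

def lint_define_vswitch(config_text):
    """Flag DEFINE VSWITCH statements in which other operands follow PORTNAME."""
    findings = []
    for line_no, tok in statements(config_text):
        up = [t.upper() for t in tok]
        if up[:2] != ["DEFINE", "VSWITCH"] or "PORTNAME" not in up[3:]:
            continue
        p = up.index("PORTNAME", 3)
        hit = next((i for i in range(p + 1, len(up)) if up[i] in KEYWORDS), None)
        if hit is None:
            continue  # PORTNAME is the last operand, which the syntax note allows
        findings.append({"line": line_no, "switch": tok[2],
                         "swallowed": tok[hit:],  # read as extra port names
                         "suggested": " ".join(tok[:p] + tok[hit:])})
    return findings

# Constructed SYSTEM CONFIG fragment; the first DEFINE is the one quoted in the thread.
SAMPLE = """/* virtual switches */
define vswitch lnxvsw1 portname lnxvsw1 rdev 9004
define vswitch lnxvsw2 rdev 9008 portname lnxvsw2
"""

if __name__ == "__main__":
    for finding in lint_define_vswitch(SAMPLE):
        print(finding)
```

Only the first statement is reported; the second keeps PORTNAME as the last operand and passes.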



Re: No IPL VSWITCH Connectivity

2010-11-04 Thread Peter . Webb
Same here.

 

Peter

 

-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Ron Schmiedge
Sent: November 3, 2010 18:21
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: No IPL VSWITCH Connectivity

 

Or if I weren't such a bad typer, TCVM1.zip



 

On Wed, Nov 3, 2010 at 4:19 PM, Ron Schmiedge ron.schmie...@gmail.com
wrote:

It says TCMV1.ZIP when I click on it. 

 



 

On Wed, Nov 3, 2010 at 3:02 PM, George Henke/NYLIC
george_he...@newyorklife.com wrote:


Here is the link Kris. 

I think if you click the TCVM.ZIP link in the doc in the link below, you
will see for yourself in the window it says GZIP compressed TAR file. 

 http://www.vm.ibm.com/download/packages/descript.cgi?TCVM1 

As the old song says, Somewhere along the way . . .  




Kris Buelens kris.buel...@gmail.com
Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
11/03/2010 04:50 PM
Please respond to: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: No IPL VSWITCH Connectivity


I created the .ZIP file on my Thinkpad, with Windows/XP. Uploaded that
to my VM userid and SENDFILEd that to Endicott.  Then it is outside my
hands.  But, when I look with Mozilla Seamonkey, I see
http://www.vm.ibm.com/download/packages/tcvm1.zip , still a ZIP
extension.  Amen.

2010/11/3 George Henke/NYLIC george_he...@newyorklife.com 

 



The information transmitted is intended only for the person or entity to which 
it is addressed and may contain confidential and/or privileged material.  Any 
review retransmission dissemination or other use of or taking any action in 
reliance upon this information by persons or entities other than the intended 
recipient or delegate is strictly prohibited.  If you received this in error 
please contact the sender and delete the material from any computer.  The 
integrity and security of this message cannot be guaranteed on the Internet.  
The sender accepts no liability for the content of this e-mail or for the 
consequences of any actions taken on the basis of information provided.  The 
recipient should check this e-mail and any attachments for the presence of 
viruses.  The sender accepts no liability for any damage caused by any virus 
transmitted by this e-mail.  This disclaimer is property of the TTC and must 
not be altered or circumvented in any manner.

