I will be out of the office starting 03/22/2007 and will not return until
03/26/2007.
I will respond to your message when I return.
-
This e-mail and any attachments are intended only for the
individual or company to which it is addressed and may contain
Since our environment is fairly dynamic, what I've done is to let SYSTEM
CONFIG vary on all the devices that are visible to our LPAR, and then parse
through a Q DASD ALL in AUTOLOG1, looking for CP OWNED and CP SYSTEM. Any
other volume I find, I vary offline, keeping my zOS peers happy and off my
I've had to do this where RACF was shared with MVS systems. If the MVS
systems went down then VM was pretty much stuffed so we then just needed
to
IPL with the alternate CPLOAD module. Naturally no RACF was available but
the way VM is built its pretty much secure for the average user. In fact
On Thursday, 03/22/2007 at 08:54 EST, Sebastian Welton [EMAIL PROTECTED]
wrote:
I've had to do this where RACF was shared with MVS systems. If the MVS
systems went down then VM was pretty much stuffed so we then just needed
to
IPL with the alternate CPLOAD module. Naturally no RACF was
COOL - what a great feature!
munson
Alan Altmark wrote:
On Thursday, 03/22/2007 at 08:54 EST, Sebastian Welton [EMAIL PROTECTED]
wrote:
I've had to do this where RACF was shared with MVS systems. If the MVS
systems went down then VM was pretty much stuffed so we then just needed
to
IPL
Alan:
Will this command also work with other products - like Top
Secret?
David Wakser
InfoCrossing
If anyone cares, you can CP SEND RACFVM SETRACF INACTIVE. This will
cause the CP-resident RACF code to begin to defer all requests back to
CP, as though RACF is not present,
Alan Altmark [EMAIL PROTECTED] wrote:
If anyone cares, you can CP SEND RACFVM SETRACF INACTIVE. This will
cause
the CP-resident RACF code to begin to defer all requests back to CP, as
though RACF is not present, including LOGON. You don't have to
deactivate
any classes or change any
I create a non-RACF CP nuc for cases where we would not be able to start-up
RACFVM, nor RACMAINT, so SETRACF INACTIVE would not be possible. (e.g. RACF
DB on 200 300 damaged).
We never needed it since we started with VM about 18 years ago.
*Alan Altmark [EMAIL PROTECTED]* wrote:
If anyone
I heartily concur. It would be nice if VM:Secure had the same
capability.
Regards,
Richard Schuh
-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Bill Munson
Sent: Thursday, March 22, 2007 7:41 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re:
I know they are offline. There is no need for RDEVICE entries or commands if
you sense the devices and then take them offline. A simple VARY command is all
it takes.
Regards,
Richard Schuh
-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of
On Thursday, 03/22/2007 at 03:52 CET, Colin Allinson
[EMAIL PROTECTED] wrote:
The circumstance I am thinking about is where we have one (limited use)
system
that has no RACF database and no RACFVM server. RACF would not be
enabled in
the SYSTEM CONFIG (RACF will not be licensed on this
Why do you endorse circumventing ppf override?
David
Alan said:
The general idea is:
1. Copy your 5vmcp... PPF file to something else. Don't do an override.
All the devices coded in the imbed file as offline_at_ipl are still seen as
DEV OFFLINE by the system even if we code sensed - in the config
file, as you show. At this time I suppose I will use the cp q all offline
cmd, extract all the DEV and vary on them. Not very nice.
Alain
Coding
I wondered the same thing. It appears to be at odds with everything
Alan and Chuckie have taught us.
Jim
David Kreuter wrote:
Why do you endorse circumventing ppf override?
David
Alan said:
The general idea is:
1. Copy your 5vmcp... PPF file to something else. Don't do an =
Here is an exec that can disable RACF:
/* Disable RACF.
Use with CAUTION!
*/
false = (1=0)
true = (1=1)
Address COMMAND
Trace O
/*
See if RACFVM is logged on.
Procede ONLY if its not.
*/
'CP QUERY USER RACFVM'
if rc = 0
then do
say 'RACFVM is logged on.'
say 'Enter
Storing into CP? What does this gain that SEND RACFVM SETRACF INACTIVE doesn't?
Issuer will need class C or E.
David
-Original Message-
From: The IBM z/VM Operating System on behalf of Rich Greenberg
Sent: Thu 3/22/2007 1:10 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] Building
On Thursday, 03/22/2007 at 12:40 AST, David Kreuter
[EMAIL PROTECTED] wrote:
Why do you endorse circumventing ppf override?
If the override can be a different name that the base, that's ok. You
don't want to end up with a modified (via overrides) 5VMCPRxx PPF, as that
would mess up the real
I'm lazy too, and confess to doing something similar. But the official way
would be to create an override, do your work,
and regress back to the original.
-Original Message-
From: The IBM z/VM Operating System on behalf of Alan Altmark
Sent: Thu 3/22/2007 1:15 PM
To:
On Thursday, 03/22/2007 at 01:10 AST, Rich Greenberg [EMAIL PROTECTED]
wrote:
Here is an exec that can disable RACF:
Poking into CP? What's that all about? On your system please make sure
no one has access to the STORE.C profile and that STORE.C is controlled.
Your sysprogs are dangerous!
On: Thu, Mar 22, 2007 at 01:10:57PM -0400,Rich Greenberg Wrote:
} Here is an exec that can disable RACF:
I should have clarified why and when you would use this exec.
Why: The RACF server can't be brought up or its database is missing or
. and you need to get some functionally up and
On: Thu, Mar 22, 2007 at 01:11:33PM -0400,David Kreuter Wrote:
} Storing into CP? What does this gain that SEND RACFVM SETRACF INACTIVE
doesn't?
You can't do the SEND if RACFVM is dead and can't/won't come up.
} Issuer will need class C or E.
Which OPERATOR normally has. See the notes I
While I do use a different name for my PPF file
(POL PPF), I think the important thing to
change is the *component* name.
IBM has CP in ZVM (do you really use those
long complicated base PPF names?), so I could
have CPTYPE1 CPTYPE2 etc. Or, as I really
do have: CPTEST CPPROD.
(Since I am using
Hello All:
I am wondering how everyone handles maintenance in your VM
environment with your zLinux instances. We are trying to push to move
some of our UNIX servers to zLinux but the argument that arises each
time we apply maintenance we have to cycle VM (when we do a put2prod).
In the last
My overrride makes I run
VMFBLD ZVM CPNORACF CPLOAD * NUCTARG MODULE MODNAME CPNORACF (ALL
(which is burried in an exec of a few lines)
--
Kris Buelens,
IBM Belgium, VM customer support
On Mar 22, 2007, at 12:43 PM, Sikich, Frank J. wrote:
Also to note we just implemented z/VM on two CEC's and plan to
allow failover between the two machines. I am hoping this will
resolve some issues. We are in the infant stages of implementing z/
VM and z/Linux but we are trying to get it
On 3/22/07, Sikich, Frank J. [EMAIL PROTECTED] wrote:
In the last month we went to 5.2, DST maintenance and we found we were
missing a PTF for PerfMon. This cause us to have to cycle VM and drew some
concerns from our zLinux users.
One thing you an do is run PUT2PROD selectively. For the
VM:Secure has an undocumented command for this purpose. It requires that the
issuer ID be authorized by having an IUCV *RPI record in its directory
entry.
The command is (believe it or not):
VMXYZZY [ENABLE|DISABLE]
to DISABLE or ENABLE VM:Secure rules processing. ACI calls are defered to CP
Too many games of adventur [sic] for those developers me thinks...
On Thu, 2007-03-22 at 14:02 -0400, Bob Bolch wrote:
VMXYZZY [ENABLE|DISABLE]
Well, the last time I applied maintenance, an RSU, was October 15, 2005.
I did change the SYSTEM CONFIG file earlier this year, and we do IPL for
the time changes, since some of our CMS guests can get upset by sudden
time shifts. But there is no particular reason why you couldn't stay up
for
On Mar 22, 2007, at 1:07 PM, Neale Ferguson wrote:
Too many games of adventur [sic] for those developers me thinks...
ITYM ADVENT [sic]
Adam
John,
After an IPL and if I have coded offline_at_ipl A000, A000 will be seen as a
Q A000 will send back the answer DEV A000 OFFLINE. If I VARY ON A000, then
VARY OFF A000 and I do a Q A000 the answer will be DASD A000 OFFLINE.
It means that I can't use a Q DASD OFFLINE to filter just the DASD.
Only fixes to the CP nucleus need an IPL of VM. Everything else can be done
by recycling selected virtual machines. But, then you need to know somewhat
more of VM than PUT2PROD (I never used it, it is too disruptive in my
eyes).
We have for example two copies of the CMS resident, so we can
My experience too with PUT2PROD is that it can be disruptive, sometimes
doing disruptive steps that aren't needed for the software product
that's being serviced.
In some cases, to avoid unnecessary outages follow the software
product's Program Directory VMSES service steps instead of using
In addition to what everyone else has told you about selective
maintenance, we have gotten our zLinux customers to accept a weekly
outage for consistent disaster recovery backups. Once a set of updates
has been applied to the test system, tested there and then approved by
the change control
Now the cat is out of the bag. I have asked if there was a way to do
this several times over the years; however, not in this forum. Nobody
ever offered this command. Thanks.
Regards,
Richard Schuh
-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
For those of you who have used the Web interface to the ATL, there is a
list of Work Items on the left side of the page. One of those items is
Administer library manager. Under that heading is a Manage operator
interventions. On the web page displayed, at the top, is a check box for
Notify
Richard,
I saw Bob Bolch's not about the undocumented command. We've never
needed to use it, because VM:Secure has a list of userids and ACI groups
in VMXRPI CONFIG that have special powers when VM:Secure is down. That,
and the fact that passwords are stored in the directory, have given us
all
Many thanks for all your comments. Gives me something to go talk to the
vendor about.
i
...
Ian S Worthington
...
http://isw.me.uk/
Dulce et decorum est pro patria mori, sed dulcius pro patria vivere, et
dulcissimus pro patria biber. Ergo, bibiamo pro salute patriae.
On Thu, 22 Mar 2007 13:43:39 -0400, Sikich, Frank J. [EMAIL PROTECTED]
alcity.com wrote:
The struggle is that our midrange
world claims to apply patches to the UNIX servers only once or twice a
year and they are concern that they will have more interruption on
zLinux.
They never apply security
I was going to ask the same thing. I think you'd have to hit at least
once a quarter to keep the auditors happy, probably more in a windows
environment.
Marcy Cortes
Alan wrote:
They never apply security patches?
Several somethings are missing from you post. I see nothing after any of
these colons:
From SYSTEM CONFIG:
From USER DIRECT:
The controllers don't specify anything for a particular machine:
BTW, what we see on the console when the batch update fails is the IP d
isconnect message:
On
41 matches
Mail list logo