Re: Ops privs

2007-08-27 Thread Rob van der Heij
On 8/27/07, David Boyes [EMAIL PROTECTED] wrote: Most CP commands right now only allow the ESM to audit, not to control access. If the ESM gets granular access control, we need a lot of new error messages to reflect that. Or just one: HCPE Command option not permitted by security

Re: Ops privs

2007-08-27 Thread Colin Allinson
I want to wind back a bit on this one:- We do use RACF as an ESM and we do use LOGONBY (controlled by RACF profiles) extensively. I understand that any user with LOGONBY authority can log on and give any of the commands mentioned but we would be extremely unhappy about these users being able

Re: Ops privs

2007-08-27 Thread Thomas Kern
This is the kind of change that I hope WILL NOT be the default and will actually take some effort on my part to implement. It is too dramatic a change, with too many installations depending upon the current behavior. As to the serialization of control of a target user, what if there were a

Re: Ops privs

2007-08-27 Thread Graves Nora E
We use LOGONBY to be able to log onto a test user whose profile has nothing but class G authority. It's great to be able to do final testing to make sure that the final users have access to all necessary functions. Changing the privileges by default might negate some of those results. Nora

Re: Ops privs

2007-08-27 Thread Rob van der Heij
On 8/27/07, Graves Nora E [EMAIL PROTECTED] wrote: We use LOGONBY to be able to log onto a test user whose profile has nothing but class G authority. It's great to be able to do final testing to make sure that the final users have access to all necessary functions. Changing the privileges

Re: Ops privs

2007-08-27 Thread Stracka, James (GTI)
I also agree with Richard. -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of O'Brien, Dennis L Sent: Friday, August 24, 2007 6:22 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Ops privs

Re: Ops privs

2007-08-27 Thread David Boyes
we need a lot of new error messages to reflect that. Or just one: HCPE Command option not permitted by security profile. RC=1234 Exactly what isn't permitted isn't the end user's business (to prevent gaming the system and determining what options are permitted by trial

Re: Ops privs

2007-08-27 Thread Schuh, Richard
If it were done in that other ESM for VM, it would be in its audit file. In the absence of an ESM to implement it, it would be BAU with no new capability. Regards, Richard Schuh -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of A. Harry

Re: Ops privs

2007-08-27 Thread Rob van der Heij
On 8/27/07, David Boyes [EMAIL PROTECTED] wrote: So you're proposing a *AUTH or something like that where you can pose a authorization question from a user, which will be answered by whatever is connected to *RPI? The need to do an IUCV connection adds a lot of complexity we don't need. I

Re: Ops privs

2007-08-27 Thread Alan Altmark
On Monday, 08/27/2007 at 09:20 EDT, Rob van der Heij [EMAIL PROTECTED] wrote: Your scenario would only break when Alan had proposed reverse inheritance or sideways inheritance of privileges (the person who logged on to TESTABC could also have chosen to logon to TCPMAINT, so let's now give

Question about IBM-supplied pipe stages/DVD CKD chunk format

2007-08-27 Thread Adam Thornton
So, I'm working on a product that, at its heart, is a couple of DASD images that get restored to the platters. Right now, I require two additional 3390-3s for installation: one to hold the VMARC image of the CMSDDR dump of the disk (because VMARC is copyable around a network easily because

Re: Question about IBM-supplied pipe stages/DVD CKD chunk format

2007-08-27 Thread Dave Jones
Hello, Adam. Yup this would be a very slick way of distributing software; but I don't think the format of the data on the DVDs is documented anywhere, nor do I think IBM will be documenting how to use the FTPGET stage, either. During the recent 5.3 ESP program, I asked about getting FTPGET

Re: Question about IBM-supplied pipe stages/DVD CKD chunk format

2007-08-27 Thread Alan Altmark
On Monday, 08/27/2007 at 12:28 EDT, Adam Thornton [EMAIL PROTECTED] wrote: So, is the on-disk format of the CKD images that the z/VM DVD installer operates on documented? No. They are subject to change w/o notice. (Though only on a release boundary, obviously! :-) ) Alan Altmark z/VM

Re: Ops privs

2007-08-27 Thread Colin Allinson
Alan Altmark [EMAIL PROTECTED] wrote(in part) :- I proposed that TESTABC could, for example: - XAUTOLOG TCPMAINT because the user could just bring up another terminal session and LOGON TCPMAINT/DISC - FORCE TCPMAINT because the user could LOGON TCPMAINT/LOGOFF - SEND TCPMAINT because the

Re: Question about IBM-supplied pipe stages/DVD CKD chunk format

2007-08-27 Thread Adam Thornton
On Aug 27, 2007, at 11:28 AM, Dave Jones wrote: Hello, Adam. Yup this would be a very slick way of distributing software; but I don't think the format of the data on the DVDs is documented anywhere, nor do I think IBM will be documenting how to use the FTPGET stage, either. During the

Re: Ops privs

2007-08-27 Thread Bob Bolch
But isn't FORCE just shorthand for LOGON u1 HERE By u2 followed by LOGOFF? Bob Bolch I certainly do not want a user to be able to FORCE another simply because they have LOGONBY authority for that userid. If allowing this is optional (for those shops that want it) then fine but I do not want

Re: Ops privs

2007-08-27 Thread David Boyes
David Boyes [EMAIL PROTECTED] wrote :- The number of CMS-intensive shops is being slowly strangled to nothing, and we increasingly see CP plus guests, with only a tiny number of sysprogs having access to a CMS userid. At what point does the balance tip to focusing on the integrity of the CP

Re: Question about IBM-supplied pipe stages/DVD CKD chunk format

2007-08-27 Thread Thomas Kern
Take a look at the PIPEDDR package on the IBM Downloads site. It can dump a 'userid mdisk-addr' or '* attached-addr' to a packed CMS file. The packed format is equally transportable around the network as Binary-Fixed-1024. If you compare PIPEDDR and CMSDDR, you may find that PIPEDDR is a bit

Re: Ops privs

2007-08-27 Thread Schuh, Richard
That way, you can surprise everyone who has been using the old defaults for years :-) Regards, Richard Schuh -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of David Boyes Sent: Monday, August 27, 2007 10:27 AM To: IBMVM@LISTSERV.UARK.EDU

Re: Ops privs

2007-08-27 Thread Schuh, Richard
It depends. There is the BYUSER field that gets updated with the LOGON ... BY u2. Would it get updated by the FORCE? Regards, Richard Schuh From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Bob Bolch Sent: Monday, August 27, 2007

Re: Ops privs

2007-08-27 Thread Stracka, James (GTI)
Reminds me of a system modification we had back in the day, at another company, that the SNA Staff could LOGON to VMVTAM but could not issue LOGOFF. -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Alan Altmark Sent: Monday, August 27, 2007

Re: Ops privs

2007-08-27 Thread Alan Altmark
On Monday, 08/27/2007 at 12:55 EDT, Colin Allinson [EMAIL PROTECTED] wrote: I certainly do not want a user to be able to FORCE another simply because they have LOGONBY authority for that userid. If allowing this is optional (for those shops that want it) then fine but I do not want to be

Debian SSL Server

2007-08-27 Thread Suleiman Shahin
Greetings, I used the Debian SSL Enabler from SNA on zVM 5.1 until yesterday when I migrated to zVM 5.3 when it stopped working. I found a couple of errors and corrected them but still no go and I am still scratching my head. Has any one tried Debian SSL Enabler from SNA on 5.3 and can tell

Re: Ops privs

2007-08-27 Thread Schuh, Richard
Is FOR new with 5.3? H CP FOR gets me the display for FOrward. Regards, Richard Schuh -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Alan Altmark Sent: Monday, August 27, 2007 10:58 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Ops privs

Re: RSCS

2007-08-27 Thread Colleen Brown
Hi, I passed this on to our RSCS ID person and he has corrected the statement. However, the correction won't show up in the current book and help files. Don't know how this one slipped past! Thanks for finding it! Colleen M Brown IBM z/VM and Related Products Development and

Re: RSCS

2007-08-27 Thread Schuh, Richard
Thanks for fixing and responding. Regards, Richard Schuh From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Colleen Brown Sent: Monday, August 27, 2007 9:49 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: RSCS Hi, I

Re: Ops privs

2007-08-27 Thread Alan Altmark
On Monday, 08/27/2007 at 02:17 EDT, Schuh, Richard [EMAIL PROTECTED] wrote: Is FOR new with 5.3? H CP FOR gets me the display for FOrward. Yes, it is new with z/VM 5.3. And the abbreviation of FORWARD is now FORW. :-) Alan Altmark z/VM Development IBM Endicott

Re: Debian SSL Server

2007-08-27 Thread David Boyes
It would help if you supplied us what errors you're seeing, and what you see in the TCPIP log. I used the Debian SSL Enabler from SNA on zVM 5.1 until yesterday when I migrated to zVM 5.3 when it stopped working. I found a couple of errors and corrected them but still no go and I am still

Re: Ops privs

2007-08-27 Thread Rob van der Heij
On 8/27/07, David Boyes [EMAIL PROTECTED] wrote: I think we will have to agree to disagree. Most of the security weasels I know claim that the less information you give a potential intruder, the better, but that stems from their mindset that *everyone* is a potential intruder. More like

Re: Debian SSL Server

2007-08-27 Thread Mark Bodenstein
David, The interface between SSLSERV and TCPIP has changed in z/VM 5.3. See: http://www.vm.ibm.com/related/tcpip/tcprl2rl.html#rl2ssl Does Sine Nomine have a version of the SSL Enabler incorporating the appropriate RPM for z/VM 5.3? Thanks, Mark At 02:25 PM 8/27/2007, David Boyes wrote:

Re: Debian SSL Server

2007-08-27 Thread Suleiman Shahin
Hello Dave, I am not seeing any errors, but I can attach the log from TCPIP and SSLSERV. Suleiman Shahin Date: Mon, 27 Aug 2007 14:25:06 -0400 From: [EMAIL PROTECTED]: Re: Debian SSL Server To: IBMVM@LISTSERV.UARK.EDU It would help if you supplied us what errors you’re seeing, and what

Re: Debian SSL Server

2007-08-27 Thread David Boyes
Does Sine Nomine have a version of the SSL Enabler incorporating the appropriate RPM for z/VM 5.3? Not yet. It's behind a few other significant pieces of paying work at the moment. It's a few weeks away at best. More later. -- db

Re: Ops privs

2007-08-27 Thread Alan Altmark
On Sunday, 08/26/2007 at 10:18 EDT, David Boyes [EMAIL PROTECTED] wrote: Bundle RACF??? That might be a blow to the users of VM:Secure and other ESMs. Is it? Let's think about that: The only way it is possible to ship RACF installed and enabled with the z/VM base is to provide a snap

Re: Ops privs

2007-08-27 Thread Stracka, James (GTI)
Better the evil you know than the one you do not know? -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Alan Altmark Sent: Monday, August 27, 2007 3:32 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: Ops privs On Sunday, 08/26/2007 at 10:18 EDT,

Re: Ops privs

2007-08-27 Thread Schuh, Richard
Out of curiosity, what percentages of the new licenses are for shops that fit the category z/OS shops who bring in Linux and z/VM? Regards, Richard Schuh -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Alan Altmark Sent: Monday, August 27,

Re: Debian SSL Server

2007-08-27 Thread Mark Bodenstein
Thanks David. Glad to hear you're getting paying work. :-) Mark At 03:08 PM 8/27/2007, you wrote: Does Sine Nomine have a version of the SSL Enabler incorporating the appropriate RPM for z/VM 5.3? Not yet. It's behind a few other significant pieces of paying work at the moment. It's a few

Re: Ops privs

2007-08-27 Thread Alan Altmark
On Monday, 08/27/2007 at 03:38 EDT, Schuh, Richard [EMAIL PROTECTED] wrote: Out of curiosity, what percentages of the new licenses are for shops that fit the category z/OS shops who bring in Linux and z/VM? I have no idea. z/OS sysprog attendance at z/VM and Linux sessions at conferences

Re: Debian SSL Server

2007-08-27 Thread Suleiman Shahin
Dave, I am attaching the TCPIP log for you to look at if you wish. Thanks. Suleiman Shahin Date: Mon, 27 Aug 2007 15:41:22 -0400 From: [EMAIL PROTECTED]: Re: Debian SSL Server To: [EMAIL PROTECTED] David. Glad to hear you're getting paying work. :-) Mark At 03:08 PM 8/27/2007, you wrote:

Re: Ops privs

2007-08-27 Thread Adam Thornton
On Aug 27, 2007, at 2:53 PM, Alan Altmark wrote: On Monday, 08/27/2007 at 03:38 EDT, Schuh, Richard [EMAIL PROTECTED] wrote: Out of curiosity, what percentages of the new licenses are for shops that fit the category z/OS shops who bring in Linux and z/VM? I have no idea. z/OS sysprog

Re: Ops privs

2007-08-27 Thread Kris Buelens
I know why they're all called BOB: to drive z/OS, you can't drink ;-) About 10 years ago an action was organized in Belgium to avoid drunk drivers: people driving to a party should select a BOB, the guy that wouldn't drink alcohol and drive the company home. I don't know who selected BOB as

Re: Ops privs

2007-08-27 Thread Richards.Bob
Alan, Hi. My name really is Bob and I'm a z/OS sysprog. pause for greeting And I am looking for a new job! :-) Seriously, as of last week, I have been informed that my position has been eliminated. If anyone on this list is looking for an individual with basic z/VM and Linux skills coupled with

Re: Ops privs

2007-08-27 Thread David Boyes
1) The major difference between RACF and the alternatives is that all of the alternatives are easier to use, administer, operate and understand. z/OS shops who bring in Linux and z/VM usually prefer RACF on z/VM as it is much easier for them to use, administer, operate, and understand.

Re: Ops privs

2007-08-27 Thread Stephen Buckles
Sorry; supporting z/OS DRIVES one to drinking! Kris Buelens [EMAIL PROTECTED] Sent by: The IBM z/VM Operating System IBMVM@listserv.uark.edu 08/27/2007 03:10 PM Please respond to The IBM z/VM Operating System IBMVM@listserv.uark.edu To IBMVM@listserv.uark.edu cc Subject Re: Ops privs

Re: Ops privs

2007-08-27 Thread Dave Jones
A completely uneducated guess would be 50%, and perhaps as high as 90%. Shops that are already comfortable with the IBM mainframe 'mindset' are much more willing, imho, to consider migrating workload to z/VM and Linux than organizations that have no previous mainframe experience. Schuh,

Re: Ops privs

2007-08-27 Thread McKown, John
If that is true, then I shudder to think of what the MS Windows people are abusing! I mean, I know that MS apologists are on dreamy dust and have little connection to reality anymore. -- John McKown Senior Systems Programmer HealthMarkets Keeping the Promise of Affordable Coverage

Re: Ops privs

2007-08-27 Thread Schuh, Richard
At one time I think I remember Barton mentioning something about getting a lot of business from smaller shops. Of course, it could be dangerous to trust my memory in a critical situation, I couldn't even remember the command for building an NSS this morning. I had to look it up. Regards, Richard

Re: Ops privs

2007-08-27 Thread Rob van der Heij
On 8/27/07, Kris Buelens [EMAIL PROTECTED] wrote: I know why they're all called BOB: to drive z/OS, you can't drink ;-) About 10 years ago an action was organized in Belgium to avoid drunk drivers: people driving to a party should select a BOB, the guy that wouldn't drink alcohol and drive

Re: Ops privs

2007-08-27 Thread Schuh, Richard
I thought it quite the opposite; you had to be a heavy drinker to drive z/OS (or at least its predecessor). :-) Regards, Richard Schuh From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Kris Buelens Sent: Monday, August 27, 2007

Re: Ops privs

2007-08-27 Thread Gregg C Levine
Hello! I happen to know. Coffee. There are more coffee shops, like Starbucks but stranger than the ones around me, in their home city. Disturbing, but true. -- Gregg C Levine [EMAIL PROTECTED] The Force will be with you. Always. Obi-Wan Kenobi -Original Message- From: The IBM z/VM