d telnet session, optionally login
without a password. (Or require two-factor authentication.)
I know that the former Chief z/VM Security Weasel has had "LDEV login
without password" on his to-do list for a long time.
It doesn't work for reconnect, but today you can create an LDEV and, if
z/VM security and compliance reviews. (I know people.) ;-)
Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott
(Almost) ANYTHING is better than creating a password repository that must be
audited and managed. (gag)
Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott
her user's password is simply going to highlight
that you are storing passwords in clear-text, which is a violation of most
modern password security standards. (Hence the need for an ESM.)
Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott
agent for the target user. (Note that
it doesn't change the id of existing connections.)
Yet another reason you don't go around giving class B privilege to someone
just because they want to issue MSGNOH!
Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and
On Friday, 09/17/2010 at 11:09 EDT, Rick Barlow
wrote:
> Does this mean that IBM will finally create PDFs for all of the old products
> that only have BOO files?
No. The discussion was specifically about just the z/VM product
publications.
Alan Altmark
z/VM and Linux on Sy
On Friday, 09/17/2010 at 03:19 EDT, ashish agarwal
wrote:
> Does z/VM 5.3 support tape drive over FCP? Currently I am using it over FC but
> need to use with FCP, is it possible?
Linux guests can use FCP-attached tape, but not CMS or CP.
Alan Altmark
z/VM and Linux on Sy
have it in column 10. (Sneaky,
huh?)
3. Can be seen via "CP QUERY IUCV *CCS"
Alan Altmark
z/VM Development (T minus 3h 50m)
IBM Endicott
"VTAM" and "TCPIP" do and so know how to interpret
the users I see following each VSM.
I mean, haven't you thought it a bit strange that CP DISABLE SNA will stop
linemode telnet sessions?!? Haven't you? Hello?
Alan Altmark
z/VM Development (T minus 05h 05m 42s and counting...)
IBM Endicott
ronment" question, or
specify SGROUP=YES on the CONFIG macro. In either case, rebuild GCS.
I'm overstating the "no SNA" restriction. If you want to run VTAM, VSCS,
and RSCS in the same virtual machine, you can do it. You can even add AVS
and PVMG. The more the merrier, eh?
Alan Altmark
z/VM Development
IBM Endicott
orrect answer, but I understand that such behaviour is
> discouraged nowadays.
RSCS V2 was announced August 7, 1984. (Letter 284-269)
Availability was September 5, 1985. (Letter 285-306)
btw, for non-SNA usage, you can still run RSCS in a standalone (single-user)
GCS virtual machine - no recovery
e a r/w
control pair and 8 IP stacks, each using one data connection. All of that
traffic will travel over the single physical data connection.
Alan Altmark
z/VM Development
IBM Endicott
to worry about the controller
is when the Support Center asks you to do it.
Alan Altmark
z/VM Development
IBM Endicott
shelves for
some of the same reasons as many of you do and am not looking forward to
learning new tricks. (woof!!)
Alan Altmark
z/VM Development
IBM Endicott
port Center.
Alan Altmark
z/VM Development
IBM Endicott
".
With Single System Image clusters you will be able to have up to 16 active
connections to each adjacent node.
Alan Altmark
z/VM Development
IBM Endicott
Thanks for your understanding.
If you would like to have books delivered in some other format, we're
certainly interested in that as well, though I suspect that will be driven
primarily by Corporate Directives for mobile accessibility, possibly
related to our Smarter Planet initiatives
is "No". The easiest
place to see the information is in the z/VM 5.2 (yes, 5.2) General
Information manual, Appendix C. z/VM 5.2 is needed before you can operate
the controllers in native 2105/2107 mode.
Alan Altmark
z/VM Development
IBM Endicott
run it on your workstation if you like, or you can use the Internet
version. Learning curve is nil.
Alan Altmark
z/VM Development
IBM Endicott
In order to reduce expenses, reduce the amount of time it takes to produce
softcopy documentation, and eliminate dependencies on
soon-to-be-unsupported internal tools (nothing to do with BookManager READ
software), we are thinking about eliminating BOOK (.boo) files from z/VM
softcopy productio
ts to class
A). If such a user logs on, the system lunges at them and sinks its teeth
in. They start seeing things.
Alan Altmark
z/VM Development
IBM Endicott
nger required; it's one of
those "unchangeable defaults."
Alan Altmark
z/VM Development
IBM Endicott
ers from me on the listservers. (sigh) Oh, and I'll
be making more recommendations that you get a Services contract with Yours
Truly and the Chuckster to help you. (Hmmm do I get to charge twice?)
:-D
See you in the funny papers.
Alan Altmark
IBM z/VM Development (for 14 more days)
ing to know is that when you boot the HMC the first time, it
asks for your country. If the keyboard and the country setting didn't
match, that could have been the source of the problem. (Let no one think
that the IBM 3270 had a monopoly on keyboard/codepage confusion)
Alan Altmark
z/VM Development
IBM Endicott
se keyboards in Brazil have
the forward slash in the same location as the US, right next to the right
shift key. If you had a Portuguese (Portugal) PC keyboard, it would be
shift-7 (the same place it's located on 3270 keyboards).
Alan Altmark
z/VM Development
IBM Endicott
On Tuesday, 08/31/2010 at 10:58 EDT, Mark Pace
wrote:
> When did VSE pick up layer 2 support?
(d'oh!) You're right, VSE does not yet support layer 2.
Alan Altmark
z/VM Development
IBM Endicott
ey have a bootable
system recovery disc "just in case."
We are making efforts to improve the Planning sections
of the Automated Installation book and the post-order instructions so that
the above will be more obvious, with explicit references between the two.
Alan Altmark
z/VM Development
IBM Endicott
lse (with current software) can use layer
2.
Alan Altmark
z/VM Development
IBM Endicott
On the NICDEF add LAN SYSTEM switchName and it will be coupled
> automatically when you logon.
> example
> NICDEF 061C TYPE QDIO DEVICES 3 LAN SYSTEM VSWTCH3
> OR
> SPECIAL 061C QDIO 3 SYSTEM VSWTCH3
Please use NICDEF instead of SPECIAL.
Alan Altmark
z/VM Development
IBM Endicott
u say that Shopz
requires the DDR? I just set up a Shopz order (short of actually shipping
it), and it didn't whine about needing the DDR.
If you navigate to "How to buy" on the z/VM Home Page, you find a couple
of "Ordering tips" links.
Alan Altmark
z/VM Development
IBM Endicott
t was specifically re-engineered to
work in ascending RDEV order, regardless of variation in DASD response
times or subchannel assignments.
Alan Altmark
z/VM Development
IBM Endicott
On Friday, 08/27/2010 at 02:53 EDT, Sterling James
wrote:
> It is needed if you share an OSA port with zOS.
Sorry, Jim, but it isn't. If you don't specify the port name, no check is
made. If you specify it, it must match.
If you have evidence to the contrary, please call
D, as indicated by the "*
None". An uncoupled NIC is the equivalent of an unplugged ethernet cable.
Alan Altmark
z/VM Development
IBM Endicott
to
issue 'cp q v nic aa0 details'.
Alan Altmark
z/VM Development
IBM Endicott
me to help them ensure
they are sharing ports with hosts that they *think* they're sharing with.
They would get really annoyed. (Every time we assume no one is doing
something, we're always wrong.)
Alan Altmark
z/VM Development
IBM Endicott
DEV to use a la z/OS, or just take the lowest-numbered one
available. In either case, update the UUID in the warm start area.
h.
Alan Altmark
z/VM Development
IBM Endicott
go!): DO NOT SPECIFY A PORT *NAME* in Linux or z/VM IP or
VSWITCH configurations!
Yes, they are required in z/OS, but that's a z/OS Comm Server issue.
Alan Altmark
z/VM Development
IBM Endicott
On Thursday, 08/26/2010 at 05:33 EDT, "Austin, Alyce (CIV)"
wrote:
> Does RSU 5407 run on the z800?
RSUs don't change the architectural level set (ALS) or the supported
processor list for the release, so, yes, it still works on a z800.
Alan Altmark
z/VM Development
IBM Endicott
r AT domain.com (MIME BINARY-ATTACH SUBJECT 'Here is the
PDF you wanted'
Alan Altmark
z/VM Development
IBM Endicott
On Thursday, 08/26/2010 at 05:00 EDT, "Austin, Alyce (CIV)"
wrote:
> Is RSU 5407 available?
Yes. http://www.vm.ibm.com/service/rsu/ is your friend. From there you
can link to RSU contents, as well as discover how to equate the Service
Level with the stacked RSU number.
Alan
PE.
See http://www.vm.ibm.com/service/vmreqz10.html.
Alan Altmark
z/VM Development
IBM Endicott
nder. All other SSL server enhancements will be on
5.4 as well. [This was the source of the confusion at SHARE.]
Alan Altmark
z/VM Development
IBM Endicott
at a time.
Since z/VM 5.4 supports z10, I suggest you upgrade your existing machine
to 5.4 and then slide your z10 in underneath later. THEN you can move up
to 6.1 at your convenience with no loss of support.
Alan Altmark
z/VM Development
IBM Endicott
just virtual and common storage sizes. Or you may
need multiple VTAMs and split things up. (Hey, if it's an odd IP address
DIAL VTAM1. If even, dial VTAM2.)
Alan Altmark
z/VM Development
IBM Endicott
that I discussed in a July post.
http://listserv.uark.edu/scripts/wa.exe?A2=ind1007&L=IBMVM&P=R1084.
Checking AFTER the system has IPLed is too late.
Alan Altmark
z/VM Development
IBM Endicott
(switch is powered off /
recycled, port deactivated, cable pull, ...)
- The OSA fails to respond to CP in a timely fashion (stalls)
- An unrecoverable I/O error occurs with the OSA
Alan Altmark
z/VM Development
IBM Endicott
"What's in a name? That which we call a rose
By any other name would smell as sweet."
- William Shakespeare
'System z' is a brand, and all that implies. 's390x' is just the
follow-on (eXtension) of the s390 Linux architecture.
al device (L terminal) while there is still a
virtual machine logged onto it.
I don't know why you didn't see it on your 5.3 system.
Alan Altmark
z/VM Development
IBM Endicott
that you would get USER DSC
LOGOFF ... FORCED BY SYSTEM.
Alan Altmark
z/VM Development
IBM Endicott
t now it isn't. (Default is 15
minutes.)
Alan Altmark
z/VM Development
IBM Endicott
the fly with no disruption, then you
engage link aggregation and define a port group.
Alan Altmark
z/VM Development
IBM Endicott
o reset the device, CU, or chpid.
It isn't clear if CP should even be checking on a DPS=NO device.
The best way to get to the bottom of this is to open a PMR.
Alan Altmark
z/VM Development
IBM Endicott
ty to the target user. In that case you are
not required to be the current secuser.
I don't know to what extent CA ESM products support this.
Alan Altmark
z/VM Development
IBM Endicott
"Let your fingers do the walking." I encourage Frank to open a PMR. If
the error message doesn't allow you to figure out what's wrong, it needs to
be improved.
Alan Altmark
z/VM Development
IBM Endicott
On Tuesday, 08/17/2010 at 04:41 EDT, Kris Buelens
wrote:
> What is PQ_ON ?
From HELP DEFINE CHPID, it is Priority Queuing enablement (the default).
Alan Altmark
z/VM Development
IBM Endicott
oday have the concept of parallel
links or primary/backup links. (That is something that z/VM Single
System Image will address.)
Alan Altmark
z/VM Development
IBM Endicott
therwise it should keep its mouth closed. "En boca
cerrada no entran moscas."
(I find it archaeologically interesting that DMS704I is actually an
informational message when the text of the messages uses the word
'invalid'. Something that is not valid is an error, not just informative.
Go figure.)
Alan Altmark
z/VM Development
IBM Endicott
ime.
RSCS and PVM allow redundant paths, but you have to ensure that you have
created groups and/or routing tables to handle them.
Alan Altmark
z/VM Development
IBM Endicott
bove, had a error when try use the FSWRITE (not error, but
> rc <> 0).
Knowing the return code will typically yield the answer.
Your other question was how to get the 'date of the system.' What do you
mean? The date CP was built? The current date? Other?
Alan Altmark
z/VM Development
IBM Endicott
LL. Example: Linux terminal server and the guests it is
connected to.
2. A V-disk that is defined in the directory and is, therefore,
potentially linkable. Easily alleviated by COMMAND DEFINE.
Alan Altmark
z/VM Development
IBM Endicott
's already here. There is/was a school of thought that says it
shouldn't be TOO easy for someone to get more privileges; that there
should be a ceremony of some sort that TPTB would notice.
Alan Altmark
z/VM Development
IBM Endicott
find a way to tunnel
under the paddock fences to get it.
Alan Altmark
z/VM Development
IBM Endicott
to use any of the z/VM services
that are not relocatable.
> 2) The move is restricted to LPARs on the same CEC, so no moving from
> one z10 box to another z10 someplace else.
Not true. The preferred cluster design is, in fact, two LPARs on one CEC
and two LPARs on another.
Alan Altmark
z/VM Development
IBM Endicott
week, transaction logs were collected in order to replay them in the event
the db needed to be restored. Apps that need to stay up while backups are
being taken need to include that capability in their design.
Alan Altmark
z/VM Development
IBM Endicott
(Imagine if the International Space Station had only one coolant pump
active at any one time.)
Alan Altmark
z/VM Development
IBM Endicott
> SYSTEM NETID will still be seeing the "old" info but that old file
> relates to the system in use at the moment.
He said DDR, which is disruptive to the 190 disk. Error 3 reading file.
Alan Altmark
z/VM Development
IBM Endicott
Pt. Hey, Buddy. Over here. No, over *here*
s. That is, you install a
'starter' Linux and use that to restore your backups. The only thing that
would be different is the location of the starter Linux. Forget about DDR
in that context except as (maybe) the source of the starter Linux itself.
Alan Altmark
z/VM Development
IBM Endicott
server
config) and Chapter 15 of the TCP/IP LDAP Admin book. gskkeyman is how
you manage certificates. Be sure to read the SSL chapter first.
Alan Altmark
z/VM Development
IBM Endicott
r to use an UPPERCASE label
Alan Altmark
z/VM Development
IBM Endicott
paranoid. I
don't worry about the 95% of the time that it works ok, I worry about the
5% of the time that it doesn't.
Alan Altmark
z/VM Development
IBM Endicott
omes into play regarding *management* of groups. That is, the scope of
authorization for the group-SPECIAL, group-OPERATIONS, and group-AUDITOR
attributes.
(Sorry about that.)
Alan Altmark
z/VM Development
IBM
GROUP1, and SYS1. If you have a user who is a
member of both GROUP2 and GROUP3 (i.e. not in the same hierarchy), then
SETROPTS GRPLIST will cause RACF to check permission of both GROUP2 and
GROUP3, not just the user's current group.
Alan Altmark
z/VM Development
IBM Endicott
ou enable it to manage POSIX stuff by coding the
ICHNGMAX macro in HCPRWA, you have to 'ADDGROUP system' with an OVM
segment that has GID 0. (And that would have been done for you when you
ran RPIDIRCT at enablement time.)
Alan Altmark
z/VM Development
IBM Endicott
ommand output and other virtual machine console I/O is sent to UserB.
UserB can trap it with the WAKEUP command or other home-grown solutions.
There are commercial automation offerings such as IBM Operations Manager
for z/VM that have this kind of thing already built into them (among other
capabil
CH
- DETACH
This includes volids like FREE, ALL, BOXED, ACTIVE, VOLID, VOLUME, etc.
Also avoid imbedded blanks.
Alan Altmark
z/VM Development
IBM Endicott
s the ESM to override a NOLOG. I.e. you have a user profile with
a password and directory entry of NOLOG. You can authenticate via FTP
(for example) and access files, but you do not have a virtual machine to
call your own. This lets you keep USER DIRECT and the ESM in sync.
Alan Altmark
z/VM Development
IBM Endicott
provide some sort of
data in the default user directory that will more easily allow you to
identify IBM-generated user IDs and their purpose.
Alan Altmark
z/VM Development
IBM Endicott
mode MWV on the MDISK
3. Configure the RDEV as SHARED in SYSTEM CONFIG
If you don't, then RACF will not be able to lock the database from
external changes and you will corrupt it. I've seen it happen.
If you're not sharing with other LPARs, then all you need is MWV.
Alan Altmark
z/VM Development
IBM Endicott
ring.
Unfortunately, RACF does not today require you to declare your intent vis
a vis database sharing and so cannot enforce any particular configuration.
Alan Altmark
z/VM Development
IBM Endicott
Workbench (for Windows) from
http://www-01.ibm.com/support/docview.wss?rs=95&uid=psd1P4000360
2. Open a PMR asking that we deliver documents in a 21st century format
Alan Altmark
z/VM Development
IBM Endicott
igm requires that you
use CMS callable services, dmsopen(), dmsread(), dmswrite(), and
dmsclose(). You cannot use the C-native fopen() & Friends for this
purpose.
Your questions are of a general z/VM nature, not unique to InfoZIP, and so
belong here and in the IBMVM archive for posterity. S
ing to avoid an IPL, of course. I'm also looking
> at setting the MACID suffix on the NICDEF statement to get a unique value, but
> would prefer to set the prefix instead.
IPL is required.
Alan Altmark
z/VM Development
IBM Endicott
t; them).
To the extent that SFS directories are usually accessed as a filemode, you
have some support already. The more powerful capability is to handle SFS
directory contents *without* using a filemode.
Alan Altmark
z/VM Development
IBM Endicott
n that a lot of people don't believe or know that FTP is secure
(they live in the distant past), they feel free to use sftp and ftps and
'secure ftp' interchangeably. I even saw a web browser incorrectly
process an ftp:// URL, using "binary" transfers for text data, on the
bogus assumption that they are the same. Morons.
Alan Altmark
z/VM Development
IBM Endicott
idisk/SFS
filesystem. A POSIX file id of the form //fn.ft.fm can be used to "exit
out" of BFS and onto an accessed disk/directory.
Alan Altmark
z/VM Development
IBM Endicott
; SFTP too?
IBM-MAIN is where the z/OS folks hang out. Yes, TCP/IP is part of z/OS
base. ssh and sftp are not in the base, but are part of IBM Ported Tools.
Note: you can't use sftp to transfer MVS datasets**. If you want dataset
support you need to get a commercial ssh offering.
Alan Al
and reading a DCSS or NSS? That would
seem to lead me to the conclusion that something is changing a spool file
or queue without proper serialization.
Alan Altmark
z/VM Development
IBM Endicott
n tolerates use by those who aren't in the obey list; they
simply get less information.
As an aside, the NETSTAT OBEY command can be used instead of OBEYFILE for
smaller changes. Learn both.
Alan Altmark
z/VM Development
IBM Endicott
nticate (e.g. via FTP) and have remote
access to resources, but you can't actually log on.
Alan Altmark
z/VM Development
IBM Endicott
To everyone: I'm sorry. I should not have put a historical reference in
my post. Pretty soon folks will be talking about how they remember
rubbing the edges off of rocks to get them to roll more easily.
My abject apologies. I humbly beg forgiveness.
Alan Altmark
z/VM Developmen
ng installation of
z/VM. A user with the same name as an SFS filespace (whether it is BFS or
not) has ownership rights of the filespace.
Alan Altmark
z/VM Development
IBM Endicott
are my coding sheets
Alan Altmark
z/VM Development
IBM Endicott
s required. Contact your service
representative if the error persists.
Alan Altmark
z/VM Development
IBM Endicott
om a security point of view, I would not release previously used
(in-house or purchased) dasd to the 'available' pool until it has been
completely formatted in order to ensure that no residual data remains.
Then I would start with cyl 0 as above.
Alan Altmark
z/VM Development
IBM Endicott
un HCD on the VM-only machines and use the import function. It
is HCD that examines the differences between the old and new IODFs and
issues the dynamic activations.
Alan Altmark
z/VM Development
IBM Endicott
On Friday, 07/16/2010 at 10:18 EDT, David Boyes
wrote:
> Perhaps Chuckie would like to create a template for submitting networking
> problems that demonstrates this new artistic movement?
The point was not the format, but that the information was organized,
complete, and easy to read.
the existence of that LINK in the directory. Perhaps
something went wrong at that step?
Alan Altmark
z/VM Development
IBM Endicott
Alan
Alan Altmark
Security Architect
IBM z/VM Development
er.
- Never give privilege class B to anyone just so they can issue the ATTACH
and VARY commands. Instead, define them as privclass BQ and give your
trusted MVS people privclass GQ. (e.g. MODIFY COMMAND ATTACH PRIVCLASS
BQ)
Alan Altmark
z/VM Development
IBM Endicott
On Wed, 14 Jul 2010 13:06:22 -0400, Alan Altmark
wrote:
>o A "Linux only" mode LPAR is a term used by the HMC to refer to an LPAR
>that has only IFLs, by definition.
I am hoist on my own petard:
o A "Linux only" mode LPAR contains *either* CPs or IFLs.
Alan Al