Hi John. Great suggestion. For me to get Co:Z I would need to register Dovetail as a vendor even if we pay nothing. That would require a complete check on the company. Think about all the checks a bank wants to do on you when you request a $1m loan. Then I would need authorization from finance that the licenses and financial arrangements are the best we can get. Finance will ask me to review three options and present them all to them for a decision. I will then have to take the product to an IT review committee, mostly architects. At that point they will tell me that nothing new can be installed on the MF since it is off-limit. All new applications go on the Unix or Windows platform. I agree, Co:Z looks like a terrific product. I had read the manual a few months back. So I need to do my task with what I have. Cheers, Uri
________________________________________ From: IBM Mainframe Discussion List [[email protected]] on behalf of McKown, John [[email protected]] Sent: Thursday, July 26, 2012 9:05 AM To: [email protected] Subject: Re: Using SSH or SCP in REXX under TSO IMO, do not even bother. Petition the powers that be to allow you to install the Co:Z series of products. They have a zero cost option. Persuing this option gives you all the functionality, just no support. A support contract is available, if you want it. In over 3 years of using it, I've never had a problem. You can download them starting at this web site: http://dovetail.com/solutions.html . At the very least, get Co:Z Batch and Co:Z launcher. To make it really simple, get Co:Z Data Set Pipes as well. This latter does require installing some programs on the UNIX system. The z/OS programs DO NOT require APF authorization or any special RACF authority. They are simply batch programs. The UNIX programs do not need to run setuid or setgid. Again, they run with no special authorization. Just put them somewhere on you normal ${PATH}. If, like me, you have your own ~/bin set up via your ~/.bashrc to be on the PATH, then you can install the Co:Z programs in it. Or you could even load the Co:Z programs in ~/coz and then in the "in stream" commands sent to your UNIX system, put ~/coz on the PATH. Example below. Co:Z launcher, possibly with Co:Z Data Set Pipes, seems to be exactly what you want. What is does is establish an SSH connection to the remote UNIX system. It then sends the commands in DD STDIN to the remote UNIX system to be executed. The UNIX "stdout" and "stderr" come back to the z/OS job for printing on STDOUT and STDERR respectively. Oh, I forgot to mention that use of the UNIX commands to transfer files does require one change to z/OS UNIX sshd_config configuration file. It requires a single line similar to "subsystem dspipes /usr/local/coz/bin/dspipes". And remember! THIS COST YOU NOTHING TO USE! You don't even need to "register" your name or any other information with Dovetailed Technologies. Just go to the web site and download the software. They have a presence here and on MVS-OE. Kirk is very good about answering questions. They also have a free to use Web based forum to ask questions and get answers too. //PROCLIB JCLLIB ORDER=coz.samplib //XFER EXEC PROC=COZPROC,ARG='user@unix' //STDIN DD * # example commands run on "unix" as "user" uname -a ls -laR scp unix.file user@unix:zos.file #translated to EBCDIC # if you have the Co:Z UNIX program in ~/coz export PATH=${PATH}:~/coz # send file to z/OS data set, allocated to job # using DD OUT1 todsn unix.file "//DD:OUT1" /* //OUT1 DD DISP=(NEW,CATLG), // DSN=hlq.UNIX.FILE, // LRECL=?,RECFM=?,DSORG=PS, // SPACE=(CYL,(20,10),RLSE) // UNIT=SYSDA VOL=SER=?????? // Also, if you use a shell prompt on your non-z/OS UNIX system, you can do file transfers with the UNIX based commands. I do this with Linux. On Linux, I have ~/.ssh/config set up with: host * controlmaster auth controlpath /home/myid/.ssh/ssh-%r@%h:%p controlpersist yes host zos1 User myRACF IdentityFile /home/myid/.ssh/id_rsa.zos1 The z/OS system has id_rsa.zos1.pub contents placed into the authorized_keys file. I also have a symlink name authorized_keys2 to authorized_keys. Now, on your non-z/OS UNIX shell, you can ssh into z/OS ssh -Y zos1 # reply the proper passphrase exit #terminate z/OS shell # return to non-z/OS UNIX shell # # Note that "controlpersist yes" means that the SSH connection to zos1 # is still active! # get a copy of SYS1.MACLIB(READ), for instance: fromdsn -ssh myRACF@zos1 "//'sys1.maclib(read)'" >sys1.maclib_read.txt # Due to the controlpersist yes, you aren't prompted for you passphrase # # terminate SSH tunnel to zos1 ssh -O exit zos1 -- John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) 9151 Boulevard 26 * N. Richland Hills * TX 76010 (817) 255-3225 phone * [email protected] * www.HealthMarkets.com Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets(r) is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM > -----Original Message----- > From: IBM Mainframe Discussion List > [mailto:[email protected]] On Behalf Of Uriel Carrasquilla > Sent: Wednesday, July 25, 2012 5:12 PM > To: [email protected] > Subject: Re: Using SSH or SCP in REXX under TSO > > I need to copy files from zOS 1.11 to a Unix machine on a > regular basis (not to USS or Linux under zVM). > I came across a sample REXX under the IBM web site to execute > USS shell commands (not a JCL solution but Rexx). > The /bin directory has ssh and scp. > I set up the id_rsa.pub so I can now ssh into my zOS/USS and > from there I can "scp" files to my Unix machine. > Once I ssh into zOS/USS, I can also ssh from zOS/USS to the > same Unix machine with the id_rsa.pub set up. > The above ssh and scp can be accomplished without a password > because of the id_rsa.pub that was set up on remote Unix machine. > Known hosts was properly set up the first time I went from > zOS to Unix machine. > But my task is not to sign on from remote machine via SSH to > zOS/USS. > My work needs to be originated from zOS and in some cases from TSO. > The problem is that when I try to use my REXX from TSO, I > cannot scp or ssh into my remote Unix machine. > (yes, the one that when I used ssh to get to zOS/USS, I can > go from there to my Unix machine - I hope I am not confusing > everybody here). > The REXX is using "BPXBATSL PGM /bin/scp uss-file [email protected]:/tmp" > I tried "BPXBATSL PGM /bin/ssh [email protected] 'ls" to no avail. > I keep on getting a return code of 2 without anything in > STDOUT or STDERR. > > Does anybody have a sample REXX that can be shared to either > scp or ssh to remote Unix from TSO? > I have seen JCL to that effect using BPXBATCH but I have not > tried it since I need the REXX. > > ps/ I am able to get "BPXBATSL PGM /bin/ls" to work by going > to USS and pulling the "ls" listing. > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
