Well, I've been through the instructions in the link that Jim provided,
but I still haven't been able to get SSL to start up. I'm trying to set
things up with a single server, as opposed to the new SSL Pool option.
I'm going to provide my configuration in the hope that a mistake might
stand out to the list.

SYSTEM DTCPARMS:
:nick.TCPIP :type.server
:class.stack
:attach.2D18-2D1A
:nick.TCPIP :type.server
:class.stack
:attach.06EC-06EE
:nick.FTP :type.class
:name.FTP daemon
:command.SRVRFTP
:runtime.PASCAL
:diskwarn.YES
:anonymous.YES
:nick.SSLSERV :type.server
:class.ssl
:stack.TCPIP
:name.SSL daemon
:command.VMSSL
:runtime.C
:diskwarn.YES
:Admin_ID_list.TCPMAINT GSKADMIN
:memory.256M
:Mixedcasparms.YES
:vmlink. .DIR VMSYS:TCPMAINT.SSLPOOL_SSL <. A FORCERW>
:mount. /../VMBFS:VMSYS:ROOT/ / ,
/../VMBFS:VMSYS:SSLSERV/ /tmp ,
/../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm
:parms.KEYfile /etc/gskadm/Database.kdb
:nick.SSLDCSSM :type.server
:class.ssl_dcss_agent
:stack.TCPIP
:for.SSLSERV
:nick.TCPIP :type.server
:class.stack
:DCSS_Parms.<DEFAULT>

PROFILE TCPIP:
SMALLDATABUFFERPOOLSIZE 2048
ASSORTEDPARMS
PROXYARP
ENDASSORTEDPARMS
OBEY
OPERATOR TCPMAINT MAINT MPROUTE DHCPD REXECD SNMPD SNMPQE LDAPSRV
ENDOBEY
AUTOLOG
FTPSERVE 0 ; FTP Server
SSLSERV 0 ; SSL Server
ENDAUTOLOG
INFORM
OPERATOR TCPMAINT
ENDINFORM
SSLSERVERID SSLSERV TIMEOUT 30
SSLLIMITS MAXSESSIONS 3000 MAXPERSSLSERVER 600
INTERNALCLIENTPARMS
TLSLABEL ENTSYSVM
PORT 23 PORT 992
SECURECONNECTION PREFERRED
ENDINTERNALCLIENTPARMS

USER DIRECT entries:
USER SSLSERV SSLSERV 256M 2G G
INCLUDE TCPCMSU
POSIXINFO UID 7 GNAME security
IUCV ALLOW
OPTION ACCT MAXCONN 1024 QUICKDSP SVMSTAT APPLMON
NAMESAVE TCPIP
SHARE RELATIVE 3000
LINK 5VMTCP40 491 491 RR
LINK 5VMTCP40 492 492 RR
LINK TCPMAINT 591 591 RR
LINK TCPMAINT 592 592 RR
LINK TCPMAINT 198 198 RR
MDISK 191 3390 9021 001 540RES MR RSSLSERV WSSLSERV MSSLSERV
USER SSLDCSSM LBYONLY 32M 64M GE
INCLUDE TCPCMSU
OPTION QUICKDSP SVMSTAT
LOGONBY TCPMAINT GSKADMIN
NAMESAVE TCPIP
LINK 5VMTCP40 0491 0491 RR
LINK 5VMTCP40 0492 0492 RR
LINK TCPMAINT 0591 0591 RR
LINK TCPMAINT 0592 0592 RR
LINK TCPMAINT 0198 0198 RR
MDISK 0191 3390 09086 00010 540RES MR READ WRITE MULTI

The issue continues to be the following error when TCPIP starts:
DMSACR1184E Directory VMSYS:TCPMAINT.SSLPOOL_SSL not found or you are
not authorized for it
DTCRUN1001E "VMLINK .DIR VMSYS:TCPMAINT.SSLPOOL_SSL <. A FORCERW>"
failed with return code 2100

Thanks,
Dave
On Tue, 2010-11-23 at 10:57 -0500, James Poirier wrote:
> Dave,
>
> The following link describes the steps you need to do in addition
> to what the SSLPOOL PLAN option describes.
>
> http://www.vm.ibm.com/related/tcpip/tcspeins.html
>
> Jim P.
>
>
> On 11/23/10 10:46 AM, "Dave Keeton" <[email protected]> wrote:
>
>
> Thanks, Mike. I tried to restart using that option, but it
> complained that a $RESTART file was not found.
>
> I was able to run service again like last time, just using
> SERVICE ALL and it appeared to complete successfully.
>
> My problem now is deciphering exactly WHAT needs to be changed
> in SSL to get it working again. I ran SSLPOOL with the PLAN
> option and got a list of changes that needed to be made - made
> them, but I still get errors when TCPIP starts:
>
> DTCRUN1022I Console log will be sent to default owner ID:
> TCPMAINT
> DMSACR1184E Directory VMSYS:TCPMAINT.SSLPOOL_SSL not found or
> you are not authorized for it
> DTCRUN1001E "VMLINK .DIR VMSYS:TCPMAINT.SSLPOOL_SSL <. A
> FORCERW>" failed with return code 2100
> DTCRUN1099E Server not started - correct problem and retry
>
> I even went so far as to roll through a refresh of the BFS
> filespaces found here:
> http://www.vm.ibm.com/related/tcpip/tcsslini.html
>
> Dave
>
> On Mon, 2010-11-22 at 16:57 -0600, Mike Walter wrote:
>
>
> Dave,
>
> Issue: HELP VMSES SERVICE
> then look for the "RESTART" doc and give it a try.
> Trying=Learning. :-)
> (Sometimes the Trying="Learning hard way", but this
> should not be one of
> those cases)
>
> Mike Walter
> Aon Corporation
> The opinions expressed herein are mine alone, not my
> employer's.
>
>
>
> "Dave Keeton" <[email protected]>
>
> Sent by: "The IBM z/VM Operating System"
> <[email protected]>
> 11/22/2010 04:47 PM
> Please respond to
> "The IBM z/VM Operating System"
> <[email protected]>
>
>
>
> To
> [email protected]
> cc
>
> Subject
> Question about SSL Service
>
>
>
>
>
>
> I applied the PTFs UK59535 & UM33112 (as designated in
> PK97437) for z/VM
> 5.4 SSL today, but ran PUT2PROD before reading all the
> instructions as I
> should have. The USER DIRECT entries were not present
> when I ran it (I
> know, boneheaded maneuver). As a result, I believe the
> step for creating
> the SFS entries didn't get completed.
>
> Can I run SERVICE again and will it create the
> VMSYS:TCPMAINT.SSLPOOL_SSL
> filepool and subsequent enrollment, or do I need to do
> more research on
> creating this manually?
>
> Thanks,
> Dave Keeton
--
Dave Keeton
Systems Programmer
Mainframe Computing Svcs
Oregon State Data Center
Office: (503) 373-0832