Tape drive sharing

2022-05-25 Thread (K.K.Paradox)T.Kobayashi

Hello,

Can an IBM 3590 tape drive be online at the same time with both LPARs?

If there is an LPAR that has currently brought *all drives* online, another 
LPAR will issue an IEE791I.


IEE791I cuu VARY REJECTED - ASSIGNED TO ANOTHER SYSTEM

I understand that both LPARs cannot use tape drives at the same time.
I know there are products like CA-MIM to prevent this.

Please do not consider separating some of the drives and assigning them to both 
LPARs.


Shared DASD can be online at the same time on both LPARs.
Is it correct to recognize that the tape drives can also be online with both 
LPARs at the same time?

If this is possible, could you please advise what settings are required?

The current IOCP setting is below:
CHPID PATH=(CSS(1),63),TYPE=FC,SHARED,X
  PARTITION=((CSS(1), X
  (PROD,TEST),X
  (=))),  X
  PCHID=1EC
CHPID PATH=(CSS(1),BA),TYPE=FC,SHARED,X
  PARTITION=((CSS(1), X
  (PROD,TEST),X
  (=))),  X
  PCHID=2D0

E3590A10 CNTLUNIT CUNUMBR=3590,PATH=((CSS(1),63,BA)),CUADD=0,  X
  UNIT=3590,UNITADD=((00,016))

EMIF0A10 IODEVICE CUNUMBR=3590,ADDRESS=(0A10,016),UNITADD=00,  X
  UNIT=3590,STADET=Y

Best regards,
Toyokazu Kobayashi

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Student Takes Delivery of an IBM z114 Mainframe

2022-05-25 Thread Tom Brennan
Great!  Hopefully IBM and others can help out with the other things 
needed.  We need more young mainframers.  I've never been one, I started 
when I was already old and then got even older.


On 5/25/2022 7:05 PM, Timothy Sipples wrote:

Proud new owner!

https://www.reddit.com/r/homelab/comments/uxsbef/my_new_z114/

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cyber Security
IBM zSystems and LinuxONE
sipp...@sg.ibm.com




Student Takes Delivery of an IBM z114 Mainframe

2022-05-25 Thread Timothy Sipples
Proud new owner!

https://www.reddit.com/r/homelab/comments/uxsbef/my_new_z114/

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cyber Security
IBM zSystems and LinuxONE
sipp...@sg.ibm.com




Re: System Logstreams

2022-05-25 Thread Michael Oujesky

Food for thought:
   * when splitting out CICS 110, consider splitting out 110.1.3 
(transaction detail) and all other.  Depending on how you process the 
transaction detail, you might also want to separate out the 110.1.1 
dictionary records.

   * Also consider splitting out TYPE74 from the rest of the 7x's
   * For Db2, the same would apply for TYPE101's
   * should you have zEDC available, and are retaining ten years of 
data (hopefully not including data that has a short-lived value like 
device interval activity), you might consider using IFASMFDL to 
extract data into zEDC compressed data sets, then allow DFHSM to 
archive and manage them.  That ought to reduce your archival storage needs.

Michael

At 02:46 PM 5/25/2022, Steve Beaver wrote:

I have learned more about SYSTEM Logstreams than I ever wanted to know.

I have a friend that produces BILLIONS of SMF/Logstream records per 
month, and has RETPD of 120 (ten years' worth). And each STAGE file 
is migrated off within 24 hours.

I am going to split this mess into DB2(100,101,102), SECURITY(80), 
CICS(110), RMF(70-79), and BILLING.

There are 2 questions I have not been able to figure out.

(1)   How does logger determine when a LOGGER STAGE file needs to be expired?
(2)   All of us at 00.01 force an "I SMF" switch.  I have not 
been able to figure out how to force a LOGGER switch?

Does anyone have ANY ideas?




Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Kirk Wolf
On Wed, May 25, 2022, at 10:30 AM, Dustin Hayes wrote:
> 
> What Michael is trying to tell you is that you're confusing "sFTP" and "FTPs", 
> these are two very different protocols which have nothing to do with each 
> other (think beta vs vhs).
> 
> sFTP is "ftp tunneled through the SSH interface" and runs on TCP/22.  Getting 
> that functional is a conversation covered in the USS books, check out the SSH 
> section.
> 

The first sentence is true, but the second is probably misleading.

"SFTP" / "sFTP"  aka "SSH/SFTP" is not the FTP protocol tunneled through an SSH 
interface.  Not even a little.   The SFTP packet layer that runs over an SSH 
channel is this:

https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-13

SFTP resembles "FTP" only as far as many SFTP clients have a command language 
that is somewhat similar to FTP.  If you look at the SFTP protocol layer, it 
is semantically close to the low level Unix file API.  Here are the SFTP 
protocol packet types (with some interesting twists):

   SSH_FXP_INIT                1
   SSH_FXP_VERSION             2
   SSH_FXP_OPEN                3
   SSH_FXP_CLOSE               4
   SSH_FXP_READ                5
   SSH_FXP_WRITE               6
   SSH_FXP_LSTAT               7
   SSH_FXP_FSTAT               8
   SSH_FXP_SETSTAT             9
   SSH_FXP_FSETSTAT           10
   SSH_FXP_OPENDIR            11
   SSH_FXP_READDIR            12
   SSH_FXP_REMOVE             13
   SSH_FXP_MKDIR              14
   SSH_FXP_RMDIR              15
   SSH_FXP_REALPATH           16
   SSH_FXP_STAT               17
   SSH_FXP_RENAME             18
   SSH_FXP_READLINK           19
   SSH_FXP_LINK               21
   SSH_FXP_BLOCK              22
   SSH_FXP_UNBLOCK            23

   SSH_FXP_STATUS            101
   SSH_FXP_HANDLE            102
   SSH_FXP_DATA              103
   SSH_FXP_NAME              104
   SSH_FXP_ATTRS             105

   SSH_FXP_EXTENDED          200
   SSH_FXP_EXTENDED_REPLY    201


Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS>  z/OS OpenSSH doesn't use AT-TLS.  It can directly use ICSF calls or 
direct CPACF instructions for Ciphers and Macs.  SSH (the SSH2 RFC) doesn't use 
TLS handshaking either.  Maybe that's why the many SSL/TLS bugs haven't 
applied :-)
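
The packet framing behind the type list in the message above, as an added example that is not part of the original post: a decoder for the binary SFTP layer (uint32 length, byte type, uint32 request-id, SSH length-prefixed strings, as laid out in the linked draft), which also shows that an FTP control line cannot be mistaken for it. The sample bytes, the path and the MAX_PACKET cap are constructed for this illustration.

```python
import struct

# Type numbers as listed in the post above (draft-ietf-secsh-filexfer-13).
PACKET_TYPES = {
    1: "SSH_FXP_INIT", 2: "SSH_FXP_VERSION", 3: "SSH_FXP_OPEN",
    4: "SSH_FXP_CLOSE", 5: "SSH_FXP_READ", 6: "SSH_FXP_WRITE",
    7: "SSH_FXP_LSTAT", 8: "SSH_FXP_FSTAT", 9: "SSH_FXP_SETSTAT",
    10: "SSH_FXP_FSETSTAT", 11: "SSH_FXP_OPENDIR", 12: "SSH_FXP_READDIR",
    13: "SSH_FXP_REMOVE", 14: "SSH_FXP_MKDIR", 15: "SSH_FXP_RMDIR",
    16: "SSH_FXP_REALPATH", 17: "SSH_FXP_STAT", 18: "SSH_FXP_RENAME",
    19: "SSH_FXP_READLINK", 21: "SSH_FXP_LINK", 22: "SSH_FXP_BLOCK",
    23: "SSH_FXP_UNBLOCK", 101: "SSH_FXP_STATUS", 102: "SSH_FXP_HANDLE",
    103: "SSH_FXP_DATA", 104: "SSH_FXP_NAME", 105: "SSH_FXP_ATTRS",
    200: "SSH_FXP_EXTENDED", 201: "SSH_FXP_EXTENDED_REPLY",
}
VERSION_ONLY = {1, 2}    # INIT/VERSION carry a version number, no request-id
PATH_FIRST = {3, 7, 9, 11, 13, 14, 15, 16, 17, 18, 19, 21}  # first field: path
HANDLE_FIRST = {4, 5, 6, 8, 10, 12, 22, 23}                 # first field: handle
MAX_PACKET = 256 * 1024  # assumed sanity cap, chosen for this example

class SftpDecodeError(ValueError):
    """Raised when bytes cannot be SFTP packet framing."""

def read_u32(buf, off):
    if off + 4 > len(buf):
        raise SftpDecodeError("truncated uint32 at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0], off + 4

def read_string(buf, off):
    n, off = read_u32(buf, off)
    if off + n > len(buf):
        raise SftpDecodeError("string length %d overruns packet" % n)
    return buf[off:off + n], off + n

def frame(ptype, body):
    """Build one packet: uint32 length (type byte + body), type, body."""
    return struct.pack(">IB", len(body) + 1, ptype) + body

def sstr(data):
    """SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def decode_packet(ptype, payload):
    info = {"type": PACKET_TYPES.get(ptype, "UNKNOWN(%d)" % ptype)}
    if ptype in VERSION_ONLY:
        info["version"], _ = read_u32(payload, 0)
        return info
    info["request_id"], off = read_u32(payload, 0)
    if ptype in PATH_FIRST:
        raw, off = read_string(payload, off)
        info["path"] = raw.decode("utf-8", "replace")
    elif ptype in HANDLE_FIRST:
        raw, off = read_string(payload, off)
        info["handle"] = raw.hex()       # handles are opaque bytes
    elif ptype == 101:                   # SSH_FXP_STATUS: code, then message
        info["status_code"], off = read_u32(payload, off)
        raw, off = read_string(payload, off)
        info["message"] = raw.decode("utf-8", "replace")
    info["undecoded_bytes"] = len(payload) - off  # version-specific fields
    return info

def decode_stream(stream):
    """Return (decoded packets, leftover bytes of an incomplete packet)."""
    packets, off = [], 0
    while off + 4 <= len(stream):
        length, body_off = read_u32(stream, off)
        if length == 0 or length > MAX_PACKET:
            raise SftpDecodeError("implausible packet length %d" % length)
        if body_off + length > len(stream):
            break                        # wait for the rest of the packet
        payload = stream[body_off + 1:body_off + length]
        packets.append(decode_packet(stream[body_off], payload))
        off = body_off + length
    return packets, stream[off:]

def is_sftp_framed(data):
    try:
        decode_stream(data)
        return True
    except SftpDecodeError:
        return False

# Constructed sample: INIT, a STAT request, its STATUS reply (2 = no such
# file), then the first 5 bytes of a packet whose remainder has not arrived.
SAMPLE_STREAM = (
    frame(1, struct.pack(">I", 3))
    + frame(17, struct.pack(">I", 7) + sstr(b"/u/bob/test.txt"))
    + frame(101, struct.pack(">II", 7, 2) + sstr(b"No such file") + sstr(b"en"))
    + b"\x00\x00\x00\x09\x03"
)

if __name__ == "__main__":
    decoded, rest = decode_stream(SAMPLE_STREAM)
    for pkt in decoded:
        print(pkt)
    print("leftover bytes:", rest.hex())
    print("FTP control line framed as SFTP?", is_sftp_framed(b"USER bob\r\n"))
```

These packets travel inside the encrypted SSH channel, so a decoder like this applies to decrypted subsystem data such as a server-side debug capture, not to bytes seen on the network.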




Re: System Logstreams

2022-05-25 Thread Scott Barry
On Wed, 25 May 2022 14:46:20 -0500, Steve Beaver  wrote:

>I have learned more about SYSTEM Logstreams than I ever wanted to know.
>
>I have a friend that produces BILLIONS of SMF/Logstream records per month,
>and has RETPD of 120 (ten years' worth). And each STAGE file is migrated
>off within 24 hours.
>
>I am going to split this mess into DB2(100,101,102), SECURITY(80),CICS(110),
>RMF(70-79), and BILLING.
>
>There are 2 questions I have not been able to figure out.
>
>(1)   How does logger determine when a LOGGER STAGE file needs to be
>expired?
>(2)   All of us at 00.01 force an "I SMF" switch.  I have not been able
>to figure out how to force a LOGGER switch?
>
>Does anyone have ANY ideas?
>

For SMF Logstreams, there is no "I SMF" -- instead, only option is IFASMFDL 
(batch) invocation to offload any given / named SMF LOGSTREAM.  And consider 
staggering the individual START   command invocations, that is if 
you are using zEDC and are not yet at z15, where/when PCIe card use is 
eliminated.

And as for "...need to be Expired?" - you can either exploit IFASMFDL ARCHIVE 
feature or otherwise using RETPD/AUTODELETE function.

And my recommendation is to separate DB2 SMF 101 and 102, mostly due to 
anticipated data-volume.  Also, some sites take action to capture/maintain an 
SCRT SMF LOGSTREAM as well mostly for convenience with using SMS MGMTCLAS 
retention / management when using DFHSM.  Similarly if using MQ, consider 
splitting MQ 116 from MQ 115, again due to data-volume.

Scott Barry
SBBTech LLC



Re: How to keep the response from HSENDCMD batch

2022-05-25 Thread Glenn Wilcock
Hi, I'm not familiar with QUERYSET, but there is a single thread that processes 
certain commands (QUERY, LIST, etc), so it's possible that the QUERY was queued 
up behind one or more other commands that took longer to run.



System Logstreams

2022-05-25 Thread Steve Beaver
I have learned more about SYSTEM Logstreams than I ever wanted to know.

I have a friend that produces BILLIONS of SMF/Logstream records per month,
and has RETPD of 120 (ten years' worth). And each STAGE file is migrated
off within 24 hours.

I am going to split this mess into DB2(100,101,102), SECURITY(80),CICS(110),
RMF(70-79), and BILLING.

There are 2 questions I have not been able to figure out.

(1)   How does logger determine when a LOGGER STAGE file needs to be
expired?
(2)   All of us at 00.01 force an "I SMF" switch.  I have not been able
to figure out how to force a LOGGER switch?

Does anyone have ANY ideas?




Re: z/OSMF Portable Software Instance - Deployment Question

2022-05-25 Thread Richards, Robert B. (CTR)
Terri,

Thanks for something new to consider going forward.

Bob

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Shaffer, Terri
Sent: Wednesday, May 25, 2022 10:58 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OSMF Portable Software Instance - Deployment Question

So what I do, is I have 3 different SSASYS1, SSAOMVS and SSASMPE HLQ defined in 
my ACS routines.

And they are related to the catalogs where the end result name will live.

It's my circumvention to duplicates and the nuisances of installs.

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide – Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Richards, Robert B. (CTR)
Sent: Thursday, May 5, 2022 8:51 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OSMF Portable Software Instance - Deployment Question



Thank you!

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Kurt J. Quackenbush
Sent: Thursday, May 5, 2022 8:49 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OSMF Portable Software Instance - Deployment Question

Bob, I believe the workflow steps refer to the data sets with the ZOS25.OMVS 
names, so wait until after you perform the workflow steps before renaming the 
data sets.  But after that, yeah, sure, you should be fine to rename the zFS 
data sets with your OMVS prefix.

Kurt Quackenbush
IBM  |  z/OS SMP/E and z/OSMF Software Management  |  ku...@us.ibm.com
Chuck Norris never uses CHECK when he applies PTFs.

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Richards, Robert B. (CTR)
Sent: Thursday, May 5, 2022 7:44 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: z/OSMF Portable Software Instance - Deployment Question

Kurt,

Unfortunately, the desired outcome is the latter that you don't support (new 
mastercat, existing usercat) ☹

So, if I understand you correctly:

1) Fix OMVS on Modify catalog page to result in ZOS25.OMVS
2) Modify ACS routines to allow for creation of ZOS25.OMVS temporarily
3) Let SW MGMT generate the JCL (which should create the required JCL for the 
new ZFS datasets (ZOS25.OMVS.*) with PATH entries), correct?
4) Assuming the above works, proceed to WORKFLOWS and give it a try.
5) If that works and the three workflows are created, do I need the ZOS25.OMVS 
datasets any longer?



Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Bob
Lloyd/Dustin,

Thank you. Thank you. Thank you.  You are both right. I totally understand
the difference ... and I was still criss-crossing them.

What I am trying to do is FTPS - native ftp with AT-TLS involved to handle
the SSL/TLS security stuff.  And every one of my tests has been wrong
because I have been trying to do SFTP with WinSCP when what I really wanted
to do is what WinSCP calls ftp with encryption ... a completely different
animal.  And a perfect explanation for why absolutely nothing I was doing
was going to make it work.

Hopefully, now I can make some progress!

Thanks again!
Bob



Re: SDSF & TSS (RACF)

2022-05-25 Thread Robert S. Hansel (RSH)
Hi Mark,

The option prevents all the violations when you 's' select the entire job. It 
won't help when you
select the job with ? and then select individual SYSOUTs. For the latter, it is 
WAD.

Regards, Bob

Robert S. Hansel 35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
From: Steely.Mark [mailto:steely.m...@aaa-texas.com] 
Sent: Wednesday, May 25, 2022 12:04 PM
To: IBM Mainframe Discussion List
Cc: Robert S. Hansel (RSH)
Subject: RE: SDSF & TSS (RACF)
Importance: High

Thanks for the update - yes I did forget the custom parameter. It may work for 
what I need. When I select the complete report it comes back as unauthorized. 
If I expand the report with a ? and select a report it still gets the violation 
and after several attempts it suspends the ID.
Is there anything for that?

Thank You 

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Robert S. Hansel (RSH)
Sent: Wednesday, May 25, 2022 5:53 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: FW: SDSF & TSS (RACF)



Mark,

I'm surprised it didn't work. Did you code a CUSTOM(proplist) parameter in 
_all_ your GROUP
statements that points to the PROPLIST NAME(proplist) statement with the 
PROPERTY parameter? And did
you refresh the ISFPARMS in all the SDSF servers?

Regards, Bob

Robert S. Hansel 35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211

-Original Message-
Date:Tue, 24 May 2022 15:02:50 +
From:"Steely.Mark" 
Subject: Re: SDSF & TSS (RACF)

Thanks for the link for the output violations - it doesn't appear to work for 
TSS (Top Secret).


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Robert S. Hansel (RSH)
Sent: Tuesday, May 24, 2022 8:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SDSF & TSS (RACF)



Hi Mark,

When a user attempts to select a job, SDSF does an authorization check for each 
individual SYSOUT
DDNAME associated with the job and can generate multiple violations like this.

To address this issue, see article " Avoiding Output Browse Violation Messages 
in SDSF" in the July
2008 issue of our RACF Tips newsletter.

https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__July_2008.pdf

Regards, Bob

Robert S. Hansel 35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211

Re: SDSF & TSS (RACF)

2022-05-25 Thread Rob Scott
Mark

When the user issues a browse request for the entire job, they may not be aware 
of the constituent output DDs and any security violations encountered may be 
out of their initial control (or expectation). It is not unreasonable in this 
case to tolerate the violations without penalty.

The selection of a specific output from the JDS (aka "?") action panel is 
deemed a deliberate action to browse a specific spool dataset and the custom 
property does not apply.

I assume that TSS would act the same (ie suspend the ID) if the user received 
repeated violations for attempts to read normal DASD datasets.

Rob Scott
Rocket Software


From: IBM Mainframe Discussion List  On Behalf Of 
Steely.Mark
Sent: 25 May 2022 17:04
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SDSF & TSS (RACF)
Importance: High




Thanks for the update - yes I did forget the custom parameter. It may work for 
what I need. When I select the complete report it comes back as unauthorized. 
If I expand the report with a ? and select a report it still gets the violation 
and after several attempts it suspends the ID.
Is there anything for that?

Thank You

-Original Message-
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Robert S. Hansel (RSH)
Sent: Wednesday, May 25, 2022 5:53 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: FW: SDSF & TSS (RACF)



Mark,

I'm surprised it didn't work. Did you code a CUSTOM(proplist) parameter in 
_all_ your GROUP statements that points to the PROPLIST NAME(proplist) 
statement with the PROPERTY parameter? And did you refresh the ISFPARMS in all 
the SDSF servers?

Regards, Bob

Robert S. Hansel 35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211

-Original Message-
Date: Tue, 24 May 2022 15:02:50 +
From: "Steely.Mark" <steely.m...@aaa-texas.com>
Subject: Re: SDSF & TSS (RACF)

Thanks for the link for the output violations - it doesn't appear to work for 
TSS (Top Secret).


-Original Message-
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Robert S. Hansel (RSH)
Sent: Tuesday, May 24, 2022 8:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SDSF & TSS (RACF)


Re: SDSF & TSS (RACF)

2022-05-25 Thread Steely.Mark
Thanks for the update - yes I did forget the custom parameter. It may work for 
what I need. When I select the complete report it comes back as unauthorized. 
If I expand the report with a ? and select a report it still gets the violation 
and after several attempts it suspends the ID.
Is there anything for that?

Thank You 

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Robert S. Hansel (RSH)
Sent: Wednesday, May 25, 2022 5:53 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: FW: SDSF & TSS (RACF)



Mark,

I'm surprised it didn't work. Did you code a CUSTOM(proplist) parameter in 
_all_ your GROUP statements that points to the PROPLIST NAME(proplist) 
statement with the PROPERTY parameter? And did you refresh the ISFPARMS in all 
the SDSF servers?

Regards, Bob

Robert S. Hansel 35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211

-Original Message-
Date:Tue, 24 May 2022 15:02:50 +
From:"Steely.Mark" 
Subject: Re: SDSF & TSS (RACF)

Thanks for the link for the output violations - it doesn't appear to work for 
TSS (Top Secret).


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Robert S. Hansel (RSH)
Sent: Tuesday, May 24, 2022 8:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SDSF & TSS (RACF)



Hi Mark,

When a user attempts to select a job, SDSF does an authorization check for each 
individual SYSOUT DDNAME associated with the job and can generate multiple 
violations like this.

To address this issue, see article " Avoiding Output Browse Violation Messages 
in SDSF" in the July 2008 issue of our RACF Tips newsletter.

https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__July_2008.pdf

Regards, Bob

Robert S. Hansel 35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211

-Original Message-

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Dustin Hayes
What Michael is trying to tell you is that you're confusing "sFTP" and "FTPs", 
these are two very different protocols which have nothing to do with each other 
(think beta vs vhs).

sFTP is "ftp tunneled through the SSH interface" and runs on TCP/22.  Getting 
that functional is a conversation covered in the USS books, check out the SSH 
section.

FTPs is "plain old ftp, wrapped with digital certificates to make it secure" 
(think http vs https) and this is done via PAGENT.  Depending on how it's 
configured (e.g. insecure, implicit, explicit, passive) this can run on the 
following ports: TCP20, TCP21, TCP990 and a range of user-specified ports.  FYI, 
this complexity is why PAGENT has the "ApplicationControlled" parm.

z/OS supports both sFTP and FTPs.  Though, in z/OS, there are feature 
differences between them...
Likewise, WinSCP supports both sFTP and FTPs, as do many other programs on 
Windows.

I would suggest picking one to work with (either sFTP or FTPs) and then ensuring 
that z/OS and WinSCP use the one you selected.  If you're unclear on the 
differences you probably want FTPs due to its greater functionality (on z/OS).
Also as Michael indicated, if you are trying to debug issues with FTPs (ATTLS) 
you must turn up trace and read the logs.  There really is no other (practical) 
way to troubleshoot ATTLS issues.


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Michael Babcock
Sent: Wednesday, 2022 May-25 08:19
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS & FTP troubles - cannot get very simple setup working


I don’t think you can use PAGENT for port 22 (not 100% sure on that).   If
using port 22 configure SSHD.

Did you set the trace parm in PAGENT to 255?   You will get much more info
in SYSLOG by doing that.

On Wed, May 25, 2022 at 10:05 AM Bob  wrote:

> That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21
> &22.  The config I started with had 21 in it, but the WinSCP references 22
> so I have been trying both ... without success.  I changed it back to 21
> now. Still fails.
>
> I just added an ftp configuration parameter of FTPLOGGING TRUE and received
> this message:
>
> EZYFS51I ID=FTPD10 CONN   fails  Reason=3 Text=getpeername failed
>
> Now I'm trying to figure out what that is telling me.
>
> On Wed, May 25, 2022 at 8:46 AM Michael Babcock 
> wrote:
>
> > I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
> > configure SSHD for that.   Remove port 22 from PAGENT.
> >
> > On Wed, May 25, 2022 at 8:46 AM Bob  wrote:
> >
> > > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system
> > > and I don’t know why. I’m sure I am missing something very simple, but
> > > I have spent a lot of time over the last few weeks trying to figure it
> > > out and I cannot.  Note that ftp without encryption does work and I have
> > > nothing else using PAGENT or AT-TLS.
> > >
> > > I originally started with a configuration created by z/OSMF Network
> > > Configuration Assistant, but after numerous attempts to get it working
> > > I have pared it down to the very minimum configuration below.
> > >
> > > I’m not even sure what info to share.
> > >
> > > When I try to connect using WinSCP I just get this:
> > >
> > > d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2 testmvs
> > > Searching for host...
> > > Network error: Connection to "testmvs" refused.
> > > The server rejected SFTP connection, but it listens for FTP connections.
> > > Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
> > > winscp>
> > >
> > > And the WinSCP log doesn’t show much more:
> > >
> > > Looking up host "testmvs" for SSH connection
> > > Connecting to 10.80.63.94 port 22
> > > Failed to connect to 10.80.63.94: Network error: Connection refused
> > >
> > > And here are the related configuration files.
> > >
> > > Here’s the pagent.conf:
> > >
> > > LogLevel   511
> > > TcpImage   TCPIP FLUSH
> > > TTLSConfig /etc/TTLSConfig.conf FLUSH
> > >
> > > And here is the TTLSConfig.conf:
> > >
> > > TTLSGroupAction   ftp_server_group
> > > {
> > >    TTLSEnabled On
> > >    Trace 30
> > > }
> > > TTLSEnvironmentAction ftp_server_env
> > > {
> > >    HandshakeRole  Server
> > >    TTLSCipherParmsRef ftp_server_ciphers
> > >    TTLSKeyringParms
> > >    {
> > >       Keyring mtskeyring
> > >    }
> > >

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Lloyd Fuller
You are misusing things here.  SFTP does not equal FTPS.
SFTP is overlaid on SSH, which is using an encrypted interface itself.  FTPS is 
what the FTP server can support.
WinSCP can do both but not FTPS on port 22.
Lloyd



On Wednesday, May 25, 2022, 11:20 AM, Michael Babcock  
wrote:

I don’t think you can use PAGENT for port 22 (not 100% sure on that).  If
using port 22 configure SSHD.

Did you set the trace parm in PAGENT to 255?  You will get much more info
in SYSLOG by doing that.

On Wed, May 25, 2022 at 10:05 AM Bob  wrote:

> That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21
> &22.  The config I started with had 21 in it, but the WinSCP references 22
> so I have been trying both ... without success.  I changed it back to 21
> now. Still fails.
>
> I just added an ftp configuration parameter of FTPLOGGING TRUE and received
> this message:
>
> EZYFS51I ID=FTPD10 CONN  fails  Reason=3 Text=getpeername failed
>
> Now I'm trying to figure out what that is telling me.
>
> On Wed, May 25, 2022 at 8:46 AM Michael Babcock 
> wrote:
>
> > I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
> > configure SSHD for that.  Remove port 22 from PAGENT.
> >
> > On Wed, May 25, 2022 at 8:46 AM Bob  wrote:
> >
> > > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system
> > and
> > > I don’t know why. I’m sure I am
> > >
> > > missing something very simple, but I have spent a lot of time over the
> > last
> > > few weeks trying to figure it out
> > >
> > > and I cannot.  Note that ftp without encryption does work and I have
> > > nothing else using PAGENT or AT-TLS.
> > >
> > >
> > >
> > > I originally started with a configuration created by z/OSMF Network
> > > Configuration Assistant, but after
> > >
> > > numerous attempts to get it working I have pared it down to the very
> > > minimum configuration below.
> > >
> > >
> > >
> > > I’m not even sure what info to share.
> > >
> > >
> > >
> > > When I try to connect using WinSCP I just get this:
> > >
> > >
> > >
> > > d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log
> /loglevel=2
> > > testmvs
> > >
> > > Searching for host...
> > >
> > > Network error: Connection to "testmvs" refused.
> > >
> > > The server rejected SFTP connection, but it listens for FTP
> connections.
> > >
> > > Did you want to use FTP protocol instead of SFTP? Prefer using
> > encryption.
> > >
> > > winscp>
> > >
> > >
> > >
> > > And the WinSCP log doesn’t show much more:
> > >
> > >
> > >
> > > Looking up host "testmvs" for SSH connection
> > >
> > > Connecting to 10.80.63.94 port 22
> > >
> > > Failed to connect to 10.80.63.94: Network error: Connection refused
> > >
> > >
> > >
> > > And here are the related configuration files.
> > >
> > >
> > >
> > > Here’s the pagent.conf:
> > >
> > >
> > >
> > > LogLevel  511
> > >
> > > TcpImage  TCPIP FLUSH
> > >
> > > TTLSConfig /etc/TTLSConfig.conf FLUSH
> > >
> > >
> > >
> > > And here is the TTLSConfig.conf:
> > >
> > >
> > >
> > > TTLSGroupAction      ftp_server_group
> > >
> > > {
> > >
> > >    TTLSEnabled On
> > >
> > >    Trace 30
> > >
> > > }
> > >
> > > TTLSEnvironmentAction ftp_server_env
> > >
> > > {
> > >
> > >    HandshakeRole      Server
> > >
> > >    TTLSCipherParmsRef ftp_server_ciphers
> > >
> > >    TTLSKeyringParms
> > >
> > >    {
> > >
> > >      Keyring mtskeyring
> > >
> > >    }
> > >
> > >    TTLSEnvironmentAdvancedParms
> > >
> > >    {
> > >
> > >      ApplicationControlled On
> > >
> > >      SecondaryMap          On
> > >
> > >      TLSv1.2              On
> > >
> > >      TLSv1.3              On
> > >
> > >    }
> > >
> > > }
> > >
> > > TTLSCipherParms      ftp_server_ciphers
> > >
> > > {
> > >
> > >    V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
> > >
> > >    V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
> > >
> > >    V3CipherSuites TLS_RSA_WITH_NULL_SHA
> > >
> > > }
> > >
> > > TTLSRule              ftp_server_rule
> > >
> > > {
> > >
> > >    LocalPortRange          21-22
> > >
> > >    Direction                Inbound
> > >
> > >    TTLSGroupActionRef      ftp_server_group
> > >
> > >    TTLSEnvironmentActionRef ftp_server_env
> > >
> > > }
> > >
> > >
> > >
> > > Here is a ‘netstat ttls group’ command:
> > >
> > >
> > >
> > > MVS TCP/IP NETSTAT CS V2R5      TCPIP Name: TCPIP          13:14:46
> > >
> > > TTLSGrpAction                            Group ID          Conns
> > >
> > >   -  -
> > >
> > > ftp_server_group                          0003              0
> > >
> > >
> > >
> > > Does that Conns=0 mean anything?
> > >
> > >
> > >
> > > Let me know if there is some other info that might help.
> > >
> > >
> > >
> > > Thank you VERY MUCH for any  suggestions you can offer.
> > >
> > >
> > >
> > > Bob Lamerand
> > >
> > > --
> > > For IBM-MAIN subscribe / signoff / 

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Michael Babcock
I don’t think you can use PAGENT for port 22 (not 100% sure on that).   If
using port 22 configure SSHD.

Did you set the trace parm in PAGENT to 255?   You will get much more info
in SYSLOG by doing that.

On Wed, May 25, 2022 at 10:05 AM Bob  wrote:

> That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21
> &22.  The config I started with had 21 in it, but the WinSCP references 22
> so I have been trying both ... without success.  I changed it back to 21
> now. Still fails.
>
> I just added an ftp configuration parameter of FTPLOGGING TRUE and received
> this message:
>
> EZYFS51I ID=FTPD10 CONN   fails  Reason=3 Text=getpeername failed
>
> Now I'm trying to figure out what that is telling me.
>
> On Wed, May 25, 2022 at 8:46 AM Michael Babcock 
> wrote:
>
> > I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
> > configure SSHD for that.   Remove port 22 from PAGENT.
> >
> > On Wed, May 25, 2022 at 8:46 AM Bob  wrote:
> >
> > > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system
> > and
> > > I don’t know why. I’m sure I am
> > >
> > > missing something very simple, but I have spent a lot of time over the
> > last
> > > few weeks trying to figure it out
> > >
> > > and I cannot.  Note that ftp without encryption does work and I have
> > > nothing else using PAGENT or AT-TLS.
> > >
> > >
> > >
> > > I originally started with a configuration created by z/OSMF Network
> > > Configuration Assistant, but after
> > >
> > > numerous attempts to get it working I have pared it down to the very
> > > minimum configuration below.
> > >
> > >
> > >
> > > I’m not even sure what info to share.
> > >
> > >
> > >
> > > When I try to connect using WinSCP I just get this:
> > >
> > >
> > >
> > > d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log
> /loglevel=2
> > > testmvs
> > >
> > > Searching for host...
> > >
> > > Network error: Connection to "testmvs" refused.
> > >
> > > The server rejected SFTP connection, but it listens for FTP
> connections.
> > >
> > > Did you want to use FTP protocol instead of SFTP? Prefer using
> > encryption.
> > >
> > > winscp>
> > >
> > >
> > >
> > > And the WinSCP log doesn’t show much more:
> > >
> > >
> > >
> > > Looking up host "testmvs" for SSH connection
> > >
> > > Connecting to 10.80.63.94 port 22
> > >
> > > Failed to connect to 10.80.63.94: Network error: Connection refused
> > >
> > >
> > >
> > > And here are the related configuration files.
> > >
> > >
> > >
> > > Here’s the pagent.conf:
> > >
> > >
> > >
> > > LogLevel   511
> > >
> > > TcpImage   TCPIP FLUSH
> > >
> > > TTLSConfig /etc/TTLSConfig.conf FLUSH
> > >
> > >
> > >
> > > And here is the TTLSConfig.conf:
> > >
> > >
> > >
> > > TTLSGroupAction   ftp_server_group
> > >
> > > {
> > >
> > >TTLSEnabled On
> > >
> > >Trace 30
> > >
> > > }
> > >
> > > TTLSEnvironmentAction ftp_server_env
> > >
> > > {
> > >
> > >HandshakeRole  Server
> > >
> > >TTLSCipherParmsRef ftp_server_ciphers
> > >
> > >TTLSKeyringParms
> > >
> > >{
> > >
> > >   Keyring mtskeyring
> > >
> > >}
> > >
> > >TTLSEnvironmentAdvancedParms
> > >
> > >{
> > >
> > >   ApplicationControlled On
> > >
> > >   SecondaryMap  On
> > >
> > >   TLSv1.2   On
> > >
> > >   TLSv1.3   On
> > >
> > >}
> > >
> > > }
> > >
> > > TTLSCipherParms   ftp_server_ciphers
> > >
> > > {
> > >
> > >V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
> > >
> > >V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
> > >
> > >V3CipherSuites TLS_RSA_WITH_NULL_SHA
> > >
> > > }
> > >
> > > TTLSRule  ftp_server_rule
> > >
> > > {
> > >
> > >LocalPortRange   21-22
> > >
> > >DirectionInbound
> > >
> > >TTLSGroupActionRef   ftp_server_group
> > >
> > >TTLSEnvironmentActionRef ftp_server_env
> > >
> > > }
> > >
> > >
> > >
> > > Here is a ‘netstat ttls group’ command:
> > >
> > >
> > >
> > > MVS TCP/IP NETSTAT CS V2R5   TCPIP Name: TCPIP   13:14:46
> > >
> > > TTLSGrpAction Group ID   Conns
> > >
> > >   -  -
> > >
> > > ftp_server_group  0003   0
> > >
> > >
> > >
> > > Does that Conns=0 mean anything?
> > >
> > >
> > >
> > > Let me know if there is some other info that might help.
> > >
> > >
> > >
> > > Thank you VERY MUCH for any  suggestions you can offer.
> > >
> > >
> > >
> > > Bob Lamerand
> > >
> > > --
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > >
> > --
> > Michael Babcock
> > OneMain Financial
> > z/OS Systems Programmer, Lead
> >

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Bob Lamerand
That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21 &22.  
The config I started with had 21 in it, but the WinSCP references 22 so I have 
been trying both ... without success.  I changed it back to 21 now. Still fails.

I just added an ftp configuration parameter of FTPLOGGING TRUE and received 
this message:

EZYFS51I ID=FTPD10 CONN   fails  Reason=3 Text=getpeername failed

Now I'm trying to figure out what that is telling me.



Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Bob
That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21
&22.  The config I started with had 21 in it, but the WinSCP references 22
so I have been trying both ... without success.  I changed it back to 21
now. Still fails.

I just added an ftp configuration parameter of FTPLOGGING TRUE and received
this message:

EZYFS51I ID=FTPD10 CONN   fails  Reason=3 Text=getpeername failed

Now I'm trying to figure out what that is telling me.

On Wed, May 25, 2022 at 8:46 AM Michael Babcock 
wrote:

> I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
> configure SSHD for that.   Remove port 22 from PAGENT.
>
> On Wed, May 25, 2022 at 8:46 AM Bob  wrote:
>
> > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system
> and
> > I don’t know why. I’m sure I am
> >
> > missing something very simple, but I have spent a lot of time over the
> last
> > few weeks trying to figure it out
> >
> > and I cannot.  Note that ftp without encryption does work and I have
> > nothing else using PAGENT or AT-TLS.
> >
> >
> >
> > I originally started with a configuration created by z/OSMF Network
> > Configuration Assistant, but after
> >
> > numerous attempts to get it working I have pared it down to the very
> > minimum configuration below.
> >
> >
> >
> > I’m not even sure what info to share.
> >
> >
> >
> > When I try to connect using WinSCP I just get this:
> >
> >
> >
> > d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2
> > testmvs
> >
> > Searching for host...
> >
> > Network error: Connection to "testmvs" refused.
> >
> > The server rejected SFTP connection, but it listens for FTP connections.
> >
> > Did you want to use FTP protocol instead of SFTP? Prefer using
> encryption.
> >
> > winscp>
> >
> >
> >
> > And the WinSCP log doesn’t show much more:
> >
> >
> >
> > Looking up host "testmvs" for SSH connection
> >
> > Connecting to 10.80.63.94 port 22
> >
> > Failed to connect to 10.80.63.94: Network error: Connection refused
> >
> >
> >
> > And here are the related configuration files.
> >
> >
> >
> > Here’s the pagent.conf:
> >
> >
> >
> > LogLevel   511
> >
> > TcpImage   TCPIP FLUSH
> >
> > TTLSConfig /etc/TTLSConfig.conf FLUSH
> >
> >
> >
> > And here is the TTLSConfig.conf:
> >
> >
> >
> > TTLSGroupAction   ftp_server_group
> >
> > {
> >
> >TTLSEnabled On
> >
> >Trace 30
> >
> > }
> >
> > TTLSEnvironmentAction ftp_server_env
> >
> > {
> >
> >HandshakeRole  Server
> >
> >TTLSCipherParmsRef ftp_server_ciphers
> >
> >TTLSKeyringParms
> >
> >{
> >
> >   Keyring mtskeyring
> >
> >}
> >
> >TTLSEnvironmentAdvancedParms
> >
> >{
> >
> >   ApplicationControlled On
> >
> >   SecondaryMap  On
> >
> >   TLSv1.2   On
> >
> >   TLSv1.3   On
> >
> >}
> >
> > }
> >
> > TTLSCipherParms   ftp_server_ciphers
> >
> > {
> >
> >V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
> >
> >V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
> >
> >V3CipherSuites TLS_RSA_WITH_NULL_SHA
> >
> > }
> >
> > TTLSRule  ftp_server_rule
> >
> > {
> >
> >LocalPortRange   21-22
> >
> >DirectionInbound
> >
> >TTLSGroupActionRef   ftp_server_group
> >
> >TTLSEnvironmentActionRef ftp_server_env
> >
> > }
> >
> >
> >
> > Here is a ‘netstat ttls group’ command:
> >
> >
> >
> > MVS TCP/IP NETSTAT CS V2R5   TCPIP Name: TCPIP   13:14:46
> >
> > TTLSGrpAction Group ID   Conns
> >
> >   -  -
> >
> > ftp_server_group  0003   0
> >
> >
> >
> > Does that Conns=0 mean anything?
> >
> >
> >
> > Let me know if there is some other info that might help.
> >
> >
> >
> > Thank you VERY MUCH for any  suggestions you can offer.
> >
> >
> >
> > Bob Lamerand
> >
> >
> --
> Michael Babcock
> OneMain Financial
> z/OS Systems Programmer, Lead
>
>



Re: z/OSMF Portable Software Instance - Deployment Question

2022-05-25 Thread Shaffer, Terri
So what I do, is I have 3 different SSASYS1, SSAOMVS and SSASMPE HLQ defined in 
my ACS routines.

And they are related to the catalogs where the end result name will live.

It's my circumvention to duplicates and the nuisances of installs.

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide – Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Richards, Robert B. (CTR)
Sent: Thursday, May 5, 2022 8:51 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OSMF Portable Software Instance - Deployment Question


Thank you!

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Kurt J. Quackenbush
Sent: Thursday, May 5, 2022 8:49 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OSMF Portable Software Instance - Deployment Question

Bob, I believe the workflow steps refer to the data sets with the ZOS25.OMVS 
names, so wait until after you perform the workflow steps before renaming the 
data sets.  But after that, yeah, sure, you should be fine to rename the zFS 
data sets with your OMVS prefix.

Kurt Quackenbush
IBM  |  z/OS SMP/E and z/OSMF Software Management  |  ku...@us.ibm.com
Chuck Norris never uses CHECK when he applies PTFs.

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Richards, Robert B. (CTR)
Sent: Thursday, May 5, 2022 7:44 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: z/OSMF Portable Software Instance - Deployment Question

Kurt,

Unfortunately, the desired outcome is the latter that you don't support (new 
mastercat, existing usercat) ☹

So, if I understand you correctly:

1) Fix OMVS on Modify catalog page to result in ZOS25.OMVS
2) Modify ACS routines to allow for creation of ZOS25.OMVS temporarily
3) Let SW MGMT generate the JCL (which should create the required JCL for the 
new ZFS datasets (ZOS25.OMVS.*) with PATH entries, correct?
4) Assuming the above works, proceed to WORKFLOWS and give it a try.
5) If that works and the three workflows are created, do I need the ZOS25.OMVS 
datasets any longer?



Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Michael Babcock
I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
configure SSHD for that.   Remove port 22 from PAGENT.

On Wed, May 25, 2022 at 8:46 AM Bob  wrote:

> I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system and
> I don’t know why. I’m sure I am
>
> missing something very simple, but I have spent a lot of time over the last
> few weeks trying to figure it out
>
> and I cannot.  Note that ftp without encryption does work and I have
> nothing else using PAGENT or AT-TLS.
>
>
>
> I originally started with a configuration created by z/OSMF Network
> Configuration Assistant, but after
>
> numerous attempts to get it working I have pared it down to the very
> minimum configuration below.
>
>
>
> I’m not even sure what info to share.
>
>
>
> When I try to connect using WinSCP I just get this:
>
>
>
> d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2
> testmvs
>
> Searching for host...
>
> Network error: Connection to "testmvs" refused.
>
> The server rejected SFTP connection, but it listens for FTP connections.
>
> Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
>
> winscp>
>
>
>
> And the WinSCP log doesn’t show much more:
>
>
>
> Looking up host "testmvs" for SSH connection
>
> Connecting to 10.80.63.94 port 22
>
> Failed to connect to 10.80.63.94: Network error: Connection refused
>
>
>
> And here are the related configuration files.
>
>
>
> Here’s the pagent.conf:
>
>
>
> LogLevel   511
>
> TcpImage   TCPIP FLUSH
>
> TTLSConfig /etc/TTLSConfig.conf FLUSH
>
>
>
> And here is the TTLSConfig.conf:
>
>
>
> TTLSGroupAction   ftp_server_group
>
> {
>
>TTLSEnabled On
>
>Trace 30
>
> }
>
> TTLSEnvironmentAction ftp_server_env
>
> {
>
>HandshakeRole  Server
>
>TTLSCipherParmsRef ftp_server_ciphers
>
>TTLSKeyringParms
>
>{
>
>   Keyring mtskeyring
>
>}
>
>TTLSEnvironmentAdvancedParms
>
>{
>
>   ApplicationControlled On
>
>   SecondaryMap  On
>
>   TLSv1.2   On
>
>   TLSv1.3   On
>
>}
>
> }
>
> TTLSCipherParms   ftp_server_ciphers
>
> {
>
>V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
>
>V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
>
>V3CipherSuites TLS_RSA_WITH_NULL_SHA
>
> }
>
> TTLSRule  ftp_server_rule
>
> {
>
>LocalPortRange   21-22
>
>DirectionInbound
>
>TTLSGroupActionRef   ftp_server_group
>
>TTLSEnvironmentActionRef ftp_server_env
>
> }
>
>
>
> Here is a ‘netstat ttls group’ command:
>
>
>
> MVS TCP/IP NETSTAT CS V2R5   TCPIP Name: TCPIP   13:14:46
>
> TTLSGrpAction Group ID   Conns
>
>   -  -
>
> ftp_server_group  0003   0
>
>
>
> Does that Conns=0 mean anything?
>
>
>
> Let me know if there is some other info that might help.
>
>
>
> Thank you VERY MUCH for any  suggestions you can offer.
>
>
>
> Bob Lamerand
>
>
-- 
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead



Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Michael Babcock
Set your trace to 255 in the policy, refresh PAGENT and check the Syslog.
I suspect a ciphersuite issue.

On Wed, May 25, 2022 at 8:46 AM Bob  wrote:

> I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system and
> I don’t know why. I’m sure I am
>
> missing something very simple, but I have spent a lot of time over the last
> few weeks trying to figure it out
>
> and I cannot.  Note that ftp without encryption does work and I have
> nothing else using PAGENT or AT-TLS.
>
>
>
> I originally started with a configuration created by z/OSMF Network
> Configuration Assistant, but after
>
> numerous attempts to get it working I have pared it down to the very
> minimum configuration below.
>
>
>
> I’m not even sure what info to share.
>
>
>
> When I try to connect using WinSCP I just get this:
>
>
>
> d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2
> testmvs
>
> Searching for host...
>
> Network error: Connection to "testmvs" refused.
>
> The server rejected SFTP connection, but it listens for FTP connections.
>
> Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
>
> winscp>
>
>
>
> And the WinSCP log doesn’t show much more:
>
>
>
> Looking up host "testmvs" for SSH connection
>
> Connecting to 10.80.63.94 port 22
>
> Failed to connect to 10.80.63.94: Network error: Connection refused
>
>
>
> And here are the related configuration files.
>
>
>
> Here’s the pagent.conf:
>
>
>
> LogLevel   511
>
> TcpImage   TCPIP FLUSH
>
> TTLSConfig /etc/TTLSConfig.conf FLUSH
>
>
>
> And here is the TTLSConfig.conf:
>
>
>
> TTLSGroupAction   ftp_server_group
>
> {
>
>TTLSEnabled On
>
>Trace 30
>
> }
>
> TTLSEnvironmentAction ftp_server_env
>
> {
>
>HandshakeRole  Server
>
>TTLSCipherParmsRef ftp_server_ciphers
>
>TTLSKeyringParms
>
>{
>
>   Keyring mtskeyring
>
>}
>
>TTLSEnvironmentAdvancedParms
>
>{
>
>   ApplicationControlled On
>
>   SecondaryMap  On
>
>   TLSv1.2   On
>
>   TLSv1.3   On
>
>}
>
> }
>
> TTLSCipherParms   ftp_server_ciphers
>
> {
>
>V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
>
>V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
>
>V3CipherSuites TLS_RSA_WITH_NULL_SHA
>
> }
>
> TTLSRule  ftp_server_rule
>
> {
>
>LocalPortRange   21-22
>
>DirectionInbound
>
>TTLSGroupActionRef   ftp_server_group
>
>TTLSEnvironmentActionRef ftp_server_env
>
> }
>
>
>
> Here is a ‘netstat ttls group’ command:
>
>
>
> MVS TCP/IP NETSTAT CS V2R5   TCPIP Name: TCPIP   13:14:46
>
> TTLSGrpAction Group ID   Conns
>
>   -  -
>
> ftp_server_group  0003   0
>
>
>
> Does that Conns=0 mean anything?
>
>
>
> Let me know if there is some other info that might help.
>
>
>
> Thank you VERY MUCH for any  suggestions you can offer.
>
>
>
> Bob Lamerand
>
>
-- 
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead



Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Carmen Vitullo

Would an SSL trace help here?

not the same 'type' of connection, I had an issue with inbound 
connections to CICS and DB2 that was self inflicted, the AT-TLS add on 
required I failed to order and the connections were using some default, 
I was able to find this by performing an SSL trace and providing that 
INFO to IBM support.


Carmen 'grasping' :)


On 5/25/2022 8:46 AM, Bob wrote:

I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system and
I don’t know why. I’m sure I am

missing something very simple, but I have spent a lot of time over the last
few weeks trying to figure it out

and I cannot.  Note that ftp without encryption does work and I have
nothing else using PAGENT or AT-TLS.



I originally started with a configuration created by z/OSMF Network
Configuration Assistant, but after

numerous attempts to get it working I have pared it down to the very
minimum configuration below.



I’m not even sure what info to share.



When I try to connect using WinSCP I just get this:



d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2
testmvs

Searching for host...

Network error: Connection to "testmvs" refused.

The server rejected SFTP connection, but it listens for FTP connections.

Did you want to use FTP protocol instead of SFTP? Prefer using encryption.

winscp>



And the WinSCP log doesn’t show much more:



Looking up host "testmvs" for SSH connection

Connecting to 10.80.63.94 port 22

Failed to connect to 10.80.63.94: Network error: Connection refused



And here are the related configuration files.



Here’s the pagent.conf:



LogLevel   511

TcpImage   TCPIP FLUSH

TTLSConfig /etc/TTLSConfig.conf FLUSH



And here is the TTLSConfig.conf:



TTLSGroupAction   ftp_server_group

{

TTLSEnabled On

Trace 30

}

TTLSEnvironmentAction ftp_server_env

{

HandshakeRole  Server

TTLSCipherParmsRef ftp_server_ciphers

TTLSKeyringParms

{

   Keyring mtskeyring

}

TTLSEnvironmentAdvancedParms

{

   ApplicationControlled On

   SecondaryMap  On

   TLSv1.2   On

   TLSv1.3   On

}

}

TTLSCipherParms   ftp_server_ciphers

{

V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA

V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA

V3CipherSuites TLS_RSA_WITH_NULL_SHA

}

TTLSRule  ftp_server_rule

{

LocalPortRange   21-22

DirectionInbound

TTLSGroupActionRef   ftp_server_group

TTLSEnvironmentActionRef ftp_server_env

}



Here is a ‘netstat ttls group’ command:



MVS TCP/IP NETSTAT CS V2R5   TCPIP Name: TCPIP   13:14:46

TTLSGrpAction Group ID   Conns

  -  -

ftp_server_group  0003   0



Does that Conns=0 mean anything?



Let me know if there is some other info that might help.



Thank you VERY MUCH for any  suggestions you can offer.



Bob Lamerand




--
/I am not bound to win, but I am bound to be true. I am not bound to 
succeed, but I am bound to live by the light that I have. I must stand 
with anybody that stands right, and stand with him while he is right, 
and part with him when he goes wrong. *Abraham Lincoln*/




AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Bob
I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system and
I don’t know why. I’m sure I am missing something very simple, but I have
spent a lot of time over the last few weeks trying to figure it out and I
cannot.  Note that ftp without encryption does work and I have nothing else
using PAGENT or AT-TLS.

I originally started with a configuration created by z/OSMF Network
Configuration Assistant, but after numerous attempts to get it working I have
pared it down to the very minimum configuration below.

I’m not even sure what info to share.



When I try to connect using WinSCP I just get this:

d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2 testmvs
Searching for host...
Network error: Connection to "testmvs" refused.
The server rejected SFTP connection, but it listens for FTP connections.
Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
winscp>

And the WinSCP log doesn’t show much more:

Looking up host "testmvs" for SSH connection
Connecting to 10.80.63.94 port 22
Failed to connect to 10.80.63.94: Network error: Connection refused



And here are the related configuration files.

Here’s the pagent.conf:

LogLevel   511
TcpImage   TCPIP FLUSH
TTLSConfig /etc/TTLSConfig.conf FLUSH

And here is the TTLSConfig.conf:

TTLSGroupAction       ftp_server_group
{
   TTLSEnabled On
   Trace 30
}
TTLSEnvironmentAction ftp_server_env
{
   HandshakeRole      Server
   TTLSCipherParmsRef ftp_server_ciphers
   TTLSKeyringParms
   {
      Keyring mtskeyring
   }
   TTLSEnvironmentAdvancedParms
   {
      ApplicationControlled On
      SecondaryMap          On
      TLSv1.2               On
      TLSv1.3               On
   }
}
TTLSCipherParms       ftp_server_ciphers
{
   V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
TTLSRule              ftp_server_rule
{
   LocalPortRange           21-22
   Direction                Inbound
   TTLSGroupActionRef       ftp_server_group
   TTLSEnvironmentActionRef ftp_server_env
}



Here is a ‘netstat ttls group’ command:

MVS TCP/IP NETSTAT CS V2R5      TCPIP Name: TCPIP          13:14:46
TTLSGrpAction                   Group ID          Conns
  -  -
ftp_server_group                0003              0



Does that Conns=0 mean anything?



Let me know if there is some other info that might help.



Thank you VERY MUCH for any  suggestions you can offer.



Bob Lamerand
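
The replies in this thread point at two parts of the posted policy: port 22 in the AT-TLS rule and the cipher suite list. The following Python check is an added example, not code from the thread or from IBM; it parses the posted TTLSConfig.conf and reports those two points plus TLSv1.3 being switched on with no TLS 1.3 suite listed. The function names and finding codes are made up for this example, and the '#' comment handling and one-brace-per-line layout are assumptions about the file format.

```python
# Sample input: the TTLSConfig.conf from the post, blank lines dropped, indentation restored.
SAMPLE_POLICY = """\
TTLSGroupAction ftp_server_group
{
   TTLSEnabled On
   Trace 30
}
TTLSEnvironmentAction ftp_server_env
{
   HandshakeRole Server
   TTLSCipherParmsRef ftp_server_ciphers
   TTLSKeyringParms
   {
      Keyring mtskeyring
   }
   TTLSEnvironmentAdvancedParms
   {
      ApplicationControlled On
      SecondaryMap On
      TLSv1.2 On
      TLSv1.3 On
   }
}
TTLSCipherParms ftp_server_ciphers
{
   V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
TTLSRule ftp_server_rule
{
   LocalPortRange 21-22
   Direction Inbound
   TTLSGroupActionRef ftp_server_group
   TTLSEnvironmentActionRef ftp_server_env
}
"""

# Cipher suites that RFC 8446 defines for TLS 1.3; older suites cannot be negotiated under 1.3.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256", "TLS_CHACHA20_POLY1305_SHA256"}

def parse_policy(text):
    """Parse 'Keyword value' lines and nested { } blocks into (key, value, children) tuples."""
    # Assumption: '#' starts a comment and each brace sits on a line of its own, as in the post.
    lines = [s for s in (ln.split("#", 1)[0].strip() for ln in text.splitlines()) if s]
    pos = 0
    def block(depth):
        nonlocal pos
        items = []
        while pos < len(lines):
            ln, pos = lines[pos], pos + 1
            if ln == "}":
                if depth == 0:
                    raise ValueError("unmatched '}'")
                return items
            key, value = (ln.split(None, 1) + [""])[:2]
            children = None
            if pos < len(lines) and lines[pos] == "{":   # statement body follows
                pos += 1
                children = block(depth + 1)
            items.append((key, value.strip(), children))
        if depth:
            raise ValueError("missing '}'")
        return items
    return block(0)

def values(items, key):
    """All values given for `key` in a block, including its nested sub-blocks."""
    found = []
    for k, v, children in items or []:
        if k.lower() == key.lower():
            found.append(v)
        found += values(children, key)
    return found

def lint(text):
    """Return (code, statement name, detail) tuples for the three checks named above."""
    stmts = parse_policy(text)
    suites = {n: " ".join(values(c, "V3CipherSuites")).split() for k, n, c in stmts if k == "TTLSCipherParms"}
    out = []
    for kind, name, ch in stmts:
        if kind == "TTLSRule":
            for rng in values(ch, "LocalPortRange"):
                ports = [int(p) for p in rng.replace("-", " ").split()]
                if ports and ports[0] <= 22 <= ports[-1]:   # 22 is the SSH/SFTP port
                    out.append(("PORT22", name, rng))
        elif kind == "TTLSCipherParms":
            for s in suites[name]:
                if "_NULL_" in s or "3DES" in s:   # NULL = no encryption, 3DES = legacy cipher
                    out.append(("NULL_CIPHER" if "_NULL_" in s else "LEGACY_3DES", name, s))
        elif kind == "TTLSEnvironmentAction" and "on" in map(str.lower, values(ch, "TLSv1.3")):
            refs = values(ch, "TTLSCipherParmsRef")
            if not TLS13_SUITES & {s for r in refs for s in suites.get(r, [])}:
                out.append(("TLS13_NO_SUITE", name, "TLSv1.3 On"))
    return out

if __name__ == "__main__":
    print(*lint(SAMPLE_POLICY), sep="\n")
```

Run on the posted policy it reports four findings; they are review points on the configuration, not a diagnosis of the refused connection.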



FW: SDSF & TSS (RACF)

2022-05-25 Thread Robert S. Hansel (RSH)
Mark,

I'm surprised it didn't work. Did you code a CUSTOM(proplist) parameter in 
_all_ your GROUP statements that points to the PROPLIST NAME(proplist) 
statement with the PROPERTY parameter? And did you refresh the ISFPARMS in all 
the SDSF servers?

Regards, Bob

Robert S. Hansel    35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Tue, 24 May 2022 15:02:50 +
From: "Steely.Mark" 
Subject: Re: SDSF & TSS (RACF)

Thanks for the link for the output violations - it doesn't appear to work for 
TSS (Top Secret). 


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Robert S. Hansel (RSH)
Sent: Tuesday, May 24, 2022 8:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SDSF & TSS (RACF)


Hi Mark,

When a user attempts to select a job, SDSF does an authorization check for each 
individual SYSOUT DDNAME associated with the job and can generate multiple 
violations like this.

To address this issue, see article "Avoiding Output Browse Violation Messages 
in SDSF" in the July 2008 issue of our RACF Tips newsletter.

https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__July_2008.pdf

Regards, Bob

Robert S. Hansel    35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Mon, 23 May 2022 20:55:48 +
From: "Steely.Mark"
Subject: SDSF & TSS (RACF)

I am trying to convert our SDSF from using ISFPARMS to TSS for security.

I need some direction on how to provide security for reports.

Currently I am trying to use JESSPOOL to control access.
The customer is allowed to view all currently active and held output jobs but 
may only look at certain JOBS & REPORTS.

During testing I have this occurring:

The customer is trying to view this job (which the customer is not authorized)

COMMAND INPUT ===>
PREFIX=*  DEST=(ALL)  OWNER=*  SYSNAME=
NP   DDNAME   StepName ProcStep DSID OwnerC Dest
 JESMSGLG JES2 2 TS0242   R LOCAL
 JESJCL   JES2 3 TS0242   R LOCAL
 JESYSMSG JES2 4 TS0242   R LOCAL

The above is displayed when I put a ? in the Held output screen.
This is just to show you the report has 3 different reports.

Then the customer goes back to the screen which shows the job name:

SDSF HELD OUTPUT DISPLAY ALL CLASSES LINES 55  LINE 1
COMMAND INPUT ===>
PREFIX=B1*  DEST=(ALL)  OWNER=*  SORT=JOBNAME/A  SYSNAME=
NP   JOBNAME  JobIDOwnerPrty C ODisp Dest
 B100042B JOB09087 TS0242144 R HOLD  LOCAL


Then selects the job and receives the following messages:

TSS7257E Unauthorized Access Level for JESSPOOL 

TSS7257E Unauthorized Access Level for JESSPOOL 

TSS7257E Unauthorized Access Level for JESSPOOL 

TSS7141E Use of Accessor ID Suspended
TSS7191E Job/Session Cancelled - Excessive Violations
TSS7192E Session Locked - Excessive Violations: Signoff
CS0042 LOGGED OFF TSO AT 14:57:54 ON MAY 23, 2022
IKJ56453I SESSION CANCELLED
**

I would hate to think someone would accidentally try to look at an output they 
are not authorized to view and get their 

Re: OMVS trace buffer mapping

2022-05-25 Thread Colin Paice
I've had REXX execs which took the CTRACE output from a couple of
components, to extract data I was interested in.
I used IPCS view and ISPF macros in REXX to do the work.
Typical formatting would be to exclude lines, and replace lines with a
subset of each CTRACE output.

On Tue, 24 May 2022 at 23:45, Michael Oujesky 
wrote:

> Due to the complexity of the analysis, why would not IPCS formatting
> meet your needs?
>
> Michael
>
> At 08:38 AM 5/24/2022, Pierre Fichaud wrote:
>
> >I've seen the first 2 already.
> >I looked at the last link.
> >
> >I would like a macro or DSECT(s) that map the OMVS trace buffer.
> >Regards, Pierre.
