Re: z13s IOCP with FTP issue

[Parwez Hamid]

I appreciate this discussion is about z13s etc, just wanted you to be aware of 
SE/HMC changes with the z14 announcement. Additional details in the z14 
Technical Guide Redbook - SG24-8451

FTP Support Element through the HMC, Securely via Proxy

With this change the SE will no longer directly access FTP servers, but instead 
will do secure FTP communications between the HMCs and SEs. Secured via 
IBM-supplied certificates.
This enhancement also allows the SEs to remain on a 'Dedicated LAN' between the 
HMCs and SEs, and the FTP servers can be on the 2nd HMC outward LAN for Problem 
Call Home, automation, web browsing, etc.


FTP to HMC - List of updated tasks

System Input/Output Configuration Analyzer
Analyze Console Internal Code
Change Console Internal Code
Save Upgrade Data
Configure Backup Settings/Backup Crit. Console Data
Load from Removable Media or Server
FCP Configuration
OSA Advanced Facilities → Manual Config Options
Export WWPNs
Audit log Scheduled Operations
Export/Import IOCDS
Save/Restore Customizable Console Data
Crypto Config
View/Archive Security Logs

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z13s IOCP with FTP issue

[Jousma, David]

There are some reasons why you would interconnect the SE's with your company 
network.  In our environment, each SE has 2 lan adapters.  One going to private 
network, one going to company network.

1) If you use BCPII in System Automation, there has to be IP connectivity 
between the LPAR's and the SE's
2) If you are in a multi-cec environment across separate data centers, and you 
want to define all CEC's to all HMC's for redundancy, then you have to attach 
your SE's to your company network.
3) If you use an appliance to provide NTP time to your mainframes, the SE's 
need connectivity to the company network to reach that appliance.

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tony Thigpen
Sent: Tuesday, August 08, 2017 6:19 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z13s IOCP with FTP issue

CAUTION EXTERNAL EMAIL

We don't let *anybody* into the network between the HMC and the SE. Too many 
SEs have default passwords on some of the 'special' IDs that can not be easily 
changed.

We bought a small two-nic nas box and placed it on both the SE network and the 
company network. IOCPs and ICCs go to it as an interim location. 
I.E., copy the IOCP to the nas. Then, access the nas via the company network. 
You could just add another nic card to your FTP server, but make sure that the 
server has all routing turned off.

Also, we set the default route on the SE to 0.0.0.0. An additional protection 
against anybody getting into that network segment.

Tony Thigpen

Eric Chevalier wrote on 08/08/2017 04:42 PM:
> On 8/3/17 10:13 AM, Tony Thigpen wrote:
>
>> 1) The ip address has to be available from SE laptop in the cpu. If 
>> you have the connections between the HMC and the SE on a isolated 
>> network, then the ftp box has to also be on that same isolated network.
>
> We have our HMC on an internal company network so it can be accessed 
> from anywhere, even remotely via VPN. Is there any good technical 
> reason why the SE can't also be on that network for better access to 
> FTP servers in our organization? I realize that having the SE on a 
> separate private network might be better security, but that caused 
> some grief recently. We needed to import an IOCDS into our z13, but 
> that file was in our headquarters office. Because port forwarding 
> isn't enabled on the HMC, so we couldn't get access to the FTP server hosting 
> the IOCDS.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
>

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN **DO NOT open 
attachments or click on links from unknown senders or unexpected emails**

This e-mail transmission contains information that is confidential and may be 
privileged.   It is intended only for the addressee(s) named above. If you 
receive this e-mail in error, please do not read, copy or disseminate it in any 
manner. If you are not the intended recipient, any disclosure, copying, 
distribution or use of the contents of this information is prohibited. Please 
reply to the message immediately by informing the sender that the message was 
misdirected. After replying, please erase it from your computer system. Your 
assistance in correcting this error is appreciated.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z13s IOCP with FTP issue

[Tony Thigpen]

We don't let *anybody* into the network between the HMC and the SE. Too 
many SEs have default passwords on some of the 'special' IDs that can 
not be easily changed.


We bought a small two-nic nas box and placed it on both the SE network 
and the company network. IOCPs and ICCs go to it as an interim location. 
I.E., copy the IOCP to the nas. Then, access the nas via the company 
network. You could just add another nic card to your FTP server, but 
make sure that the server has all routing turned off.


Also, we set the default route on the SE to 0.0.0.0. An additional 
protection against anybody getting into that network segment.


Tony Thigpen

Eric Chevalier wrote on 08/08/2017 04:42 PM:

On 8/3/17 10:13 AM, Tony Thigpen wrote:


1) The ip address has to be available from SE laptop in the cpu. If
you have the connections between the HMC and the SE on a isolated
network, then the ftp box has to also be on that same isolated network.


We have our HMC on an internal company network so it can be accessed
from anywhere, even remotely via VPN. Is there any good technical reason
why the SE can't also be on that network for better access to FTP
servers in our organization? I realize that having the SE on a separate
private network might be better security, but that caused some grief
recently. We needed to import an IOCDS into our z13, but that file was
in our headquarters office. Because port forwarding isn't enabled on the
HMC, so we couldn't get access to the FTP server hosting the IOCDS.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z13s IOCP with FTP issue

[Eric Chevalier]

On 8/3/17 10:13 AM, Tony Thigpen wrote:

1) The ip address has to be available from SE laptop in the cpu. If you 
have the connections between the HMC and the SE on a isolated network, 
then the ftp box has to also be on that same isolated network.


We have our HMC on an internal company network so it can be accessed 
from anywhere, even remotely via VPN. Is there any good technical reason 
why the SE can't also be on that network for better access to FTP 
servers in our organization? I realize that having the SE on a separate 
private network might be better security, but that caused some grief 
recently. We needed to import an IOCDS into our z13, but that file was 
in our headquarters office. Because port forwarding isn't enabled on the 
HMC, so we couldn't get access to the FTP server hosting the IOCDS.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z13s IOCP with FTP issue

[Rob Schramm]

Seems like no one has used ftp with server on zOS.

The lack of any sort of log is killing me.

Rob Schramm

On Fri, Aug 4, 2017, 1:25 PM Rob Schramm  wrote:

> HMC SE and the MF lpar are all in the same subnet.
>
> I was wondering if the HMC / SE was using ftp url support
>
> On Fri, Aug 4, 2017, 4:23 AM R.S.  wrote:
>
>> W dniu 2017-08-03 o 15:30, Rob Schramm pisze:
>> > Listers,
>> >
>> > I am having an issue attempting to use FTP to import the IOCP for a new
>> > z13s machine. I can ping the z/OS box that the FTP server is running
>> from
>> > the HMC and the SE.  But when I click " ", I get "File not found on
>> remote
>> > machine. Recheck the file name, and try again.
>> >
>> > My only real complaint, is that there is no log of errors to see what is
>> > happening.  My other question is has anyone actually retrieved the IOCP
>> > deck from a z/OS machine?
>>
>> (Maybe it was already answered, but it's not a crime to help again)
>>
>> You need very specific network connectivity to do that . Your Support
>> Element is connected to a HMC using "internal network", which is usually
>> isolated - only SE's and HMC are in this network. And you have to
>> connect this network to another network where your ftp server reside.
>> That also allows to "Load from DVD or ftp server" - of course in the
>> part of ftp.
>>
>> HTH
>>
>> --
>> Radoslaw Skorupka
>> Lodz, Poland
>>
>>
>>
>>
>> ==
>>
>>
>> --
>>  Treść tej wiadomości może zawierać informacje prawnie chronione Banku
>> przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być
>> jedynie jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś
>> adresatem niniejszej wiadomości lub pracownikiem upoważnionym do jej
>> przekazania adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie,
>> rozprowadzanie lub inne działanie o podobnym charakterze jest prawnie
>> zabronione i może być karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo,
>> prosimy niezwłocznie zawiadomić nadawcę wysyłając odpowiedź oraz trwale
>> usunąć tę wiadomość włączając w to wszelkie jej kopie wydrukowane lub
>> zapisane na dysku.
>>
>>  This e-mail may contain legally privileged information of the Bank and
>> is intended solely for business use of the addressee. This e-mail may only
>> be received by the addressee and may not be disclosed to any third parties.
>> If you are not the intended addressee of this e-mail or the employee
>> authorized to forward it to the addressee, be advised that any
>> dissemination, copying, distribution or any other similar activity is
>> legally prohibited and may be punishable. If you received this e-mail by
>> mistake please advise the sender immediately by using the reply facility in
>> your e-mail software and delete permanently this e-mail including any
>> copies of it either printed or saved to hard drive.
>>
>>  mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa,
>> www.mBank.pl, e-mail: kont...@mbank.plsąd Rejonowy dla m. st. Warszawy
>> XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru
>> przedsiębiorców KRS 025237, NIP: 526-021-50-88. Według stanu na dzień
>> 01.01.2016 r. kapitał zakładowy mBanku S.A. (w całości wpłacony) wynosi
>> 168.955.696 złotych.
>>
>>
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>
> --
>
> Rob Schramm
>
-- 

Rob Schramm

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z13s IOCP with FTP issue

[Rob Schramm]

HMC SE and the MF lpar are all in the same subnet.

I was wondering if the HMC / SE was using ftp url support

On Fri, Aug 4, 2017, 4:23 AM R.S.  wrote:

> W dniu 2017-08-03 o 15:30, Rob Schramm pisze:
> > Listers,
> >
> > I am having an issue attempting to use FTP to import the IOCP for a new
> > z13s machine. I can ping the z/OS box that the FTP server is running from
> > the HMC and the SE.  But when I click " ", I get "File not found on
> remote
> > machine. Recheck the file name, and try again.
> >
> > My only real complaint, is that there is no log of errors to see what is
> > happening.  My other question is has anyone actually retrieved the IOCP
> > deck from a z/OS machine?
>
> (Maybe it was already answered, but it's not a crime to help again)
>
> You need very specific network connectivity to do that . Your Support
> Element is connected to a HMC using "internal network", which is usually
> isolated - only SE's and HMC are in this network. And you have to
> connect this network to another network where your ftp server reside.
> That also allows to "Load from DVD or ftp server" - of course in the
> part of ftp.
>
> HTH
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>
>
>
>
> ==
>
>
> --
>  Treść tej wiadomości może zawierać informacje prawnie chronione Banku
> przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być
> jedynie jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś
> adresatem niniejszej wiadomości lub pracownikiem upoważnionym do jej
> przekazania adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie,
> rozprowadzanie lub inne działanie o podobnym charakterze jest prawnie
> zabronione i może być karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo,
> prosimy niezwłocznie zawiadomić nadawcę wysyłając odpowiedź oraz trwale
> usunąć tę wiadomość włączając w to wszelkie jej kopie wydrukowane lub
> zapisane na dysku.
>
>  This e-mail may contain legally privileged information of the Bank and is
> intended solely for business use of the addressee. This e-mail may only be
> received by the addressee and may not be disclosed to any third parties. If
> you are not the intended addressee of this e-mail or the employee
> authorized to forward it to the addressee, be advised that any
> dissemination, copying, distribution or any other similar activity is
> legally prohibited and may be punishable. If you received this e-mail by
> mistake please advise the sender immediately by using the reply facility in
> your e-mail software and delete permanently this e-mail including any
> copies of it either printed or saved to hard drive.
>
>  mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa,
> www.mBank.pl, e-mail: kont...@mbank.plsąd Rejonowy dla m. st. Warszawy
> XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru
> przedsiębiorców KRS 025237, NIP: 526-021-50-88. Według stanu na dzień
> 01.01.2016 r. kapitał zakładowy mBanku S.A. (w całości wpłacony) wynosi
> 168.955.696 złotych.
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
-- 

Rob Schramm

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z13s IOCP with FTP issue

[R.S.]

W dniu 2017-08-03 o 15:30, Rob Schramm pisze:

Listers,

I am having an issue attempting to use FTP to import the IOCP for a new
z13s machine. I can ping the z/OS box that the FTP server is running from
the HMC and the SE.  But when I click " ", I get "File not found on remote
machine. Recheck the file name, and try again.

My only real complaint, is that there is no log of errors to see what is
happening.  My other question is has anyone actually retrieved the IOCP
deck from a z/OS machine?


(Maybe it was already answered, but it's not a crime to help again)

You need very specific network connectivity to do that . Your Support 
Element is connected to a HMC using "internal network", which is usually 
isolated - only SE's and HMC are in this network. And you have to 
connect this network to another network where your ftp server reside.
That also allows to "Load from DVD or ftp server" - of course in the 
part of ftp.


HTH

--
Radoslaw Skorupka
Lodz, Poland




==


   --
Treść tej wiadomości może zawierać informacje prawnie chronione Banku 
przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie 
jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem 
niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania 
adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne działanie o podobnym charakterze jest prawnie zabronione i może być 
karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie 
zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość 
włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku.

This e-mail may contain legally privileged information of the Bank and is 
intended solely for business use of the addressee. This e-mail may only be 
received by the addressee and may not be disclosed to any third parties. If you 
are not the intended addressee of this e-mail or the employee authorized to 
forward it to the addressee, be advised that any dissemination, copying, 
distribution or any other similar activity is legally prohibited and may be 
punishable. If you received this e-mail by mistake please advise the sender 
immediately by using the reply facility in your e-mail software and delete 
permanently this e-mail including any copies of it either printed or saved to 
hard drive.

mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa, 
www.mBank.pl, e-mail: kont...@mbank.plsąd Rejonowy dla m. st. Warszawy XII 
Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców 
KRS 025237, NIP: 526-021-50-88. Według stanu na dzień 01.01.2016 r. kapitał 
zakładowy mBanku S.A. (w całości wpłacony) wynosi 168.955.696 złotych.
   


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z13s IOCP with FTP issue

[Tony Thigpen]

I use FTP all the time. Some tricks:

1) The ip address has to be available from SE laptop in the cpu. If you 
have the connections between the HMC and the SE on a isolated network, 
then the ftp box has to also be on that same isolated network.
2) The 'case' for all items must be correct. Userid, password, and file 
name.
3) The file name must include the full path. Since the patch can change 
depending on what the ftp server considers the user's 'home' path, you 
need to understand how the user is defined on the FTP server.


We use a cheap mini-nas box for storing IOCPs and ICC convfigs.

I have not tried using z/OS as the FTP server as we don't have it on the 
private HMC-SE network. But, I would expect you would have to be 
concerned with normal z/OS FTP stuff, like how the FTP server handles 
adding or not adding the userid to the front of the file name.


Tony Thigpen

Jesse 1 Robinson wrote on 08/03/2017 10:43 AM:

I was never successful in the past with FTP. Relied instead on a thumb drive, 
which worked great but required physical access to the new box.

For our z13s, a colleague was able to get FTP to work. I'm fuzzy on how he did 
it, but I think he piggybacked on some outbound but closely connected hardware 
that not everyone has.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Carmen Vitullo
Sent: Thursday, August 03, 2017 6:36 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: z13s IOCP with FTP issue

Ping only proves the stack is up I think, not that the FTP server is up?
I've done this about a year ago when we upgraded to z13s, we loaded or had the 
SE load the initial IOCP from a thumb drive, maybe you can try that, the only 
successful ftp I've done was reloading (importing) the ICC configuration


Carmen

- Original Message -

From: "Rob Schramm" <rob.schr...@gmail.com>
To: IBM-MAIN@LISTSERV.UA.EDU
Sent: Thursday, August 3, 2017 8:30:28 AM
Subject: z13s IOCP with FTP issue

Listers,

I am having an issue attempting to use FTP to import the IOCP for a new z13s machine. I can 
ping the z/OS box that the FTP server is running from the HMC and the SE. But when I click 
" ", I get "File not found on remote machine. Recheck the file name, and try 
again.

My only real complaint, is that there is no log of errors to see what is 
happening. My other question is has anyone actually retrieved the IOCP deck 
from a z/OS machine?

Thanks,
Rob Schramm



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z13s IOCP with FTP issue

[Jesse 1 Robinson]

I was never successful in the past with FTP. Relied instead on a thumb drive, 
which worked great but required physical access to the new box. 

For our z13s, a colleague was able to get FTP to work. I'm fuzzy on how he did 
it, but I think he piggybacked on some outbound but closely connected hardware 
that not everyone has. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Carmen Vitullo
Sent: Thursday, August 03, 2017 6:36 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: z13s IOCP with FTP issue

Ping only proves the stack is up I think, not that the FTP server is up? 
I've done this about a year ago when we upgraded to z13s, we loaded or had the 
SE load the initial IOCP from a thumb drive, maybe you can try that, the only 
successful ftp I've done was reloading (importing) the ICC configuration 


Carmen 

- Original Message -

From: "Rob Schramm" <rob.schr...@gmail.com>
To: IBM-MAIN@LISTSERV.UA.EDU
Sent: Thursday, August 3, 2017 8:30:28 AM
Subject: z13s IOCP with FTP issue 

Listers, 

I am having an issue attempting to use FTP to import the IOCP for a new z13s 
machine. I can ping the z/OS box that the FTP server is running from the HMC 
and the SE. But when I click " ", I get "File not found on remote machine. 
Recheck the file name, and try again. 

My only real complaint, is that there is no log of errors to see what is 
happening. My other question is has anyone actually retrieved the IOCP deck 
from a z/OS machine? 

Thanks,
Rob Schramm
-- 

Rob 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z13s IOCP with FTP issue

[Carmen Vitullo]

Ping only proves the stack is up I think, not that the FTP server is up? 
I've done this about a year ago when we upgraded to z13s, we loaded or had the 
SE load the initial IOCP from a thumb drive, maybe you can try that, the only 
successful ftp I've done was reloading (importing) the ICC configuration 


Carmen 

- Original Message -

From: "Rob Schramm" <rob.schr...@gmail.com> 
To: IBM-MAIN@LISTSERV.UA.EDU 
Sent: Thursday, August 3, 2017 8:30:28 AM 
Subject: z13s IOCP with FTP issue 

Listers, 

I am having an issue attempting to use FTP to import the IOCP for a new 
z13s machine. I can ping the z/OS box that the FTP server is running from 
the HMC and the SE. But when I click " ", I get "File not found on remote 
machine. Recheck the file name, and try again. 

My only real complaint, is that there is no log of errors to see what is 
happening. My other question is has anyone actually retrieved the IOCP 
deck from a z/OS machine? 

Thanks, 
Rob Schramm 
-- 

Rob Schramm 

-- 
For IBM-MAIN subscribe / signoff / archive access instructions, 
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

z13s IOCP with FTP issue

[Rob Schramm]

Listers,

I am having an issue attempting to use FTP to import the IOCP for a new
z13s machine. I can ping the z/OS box that the FTP server is running from
the HMC and the SE.  But when I click " ", I get "File not found on remote
machine. Recheck the file name, and try again.

My only real complaint, is that there is no log of errors to see what is
happening.  My other question is has anyone actually retrieved the IOCP
deck from a z/OS machine?

Thanks,
Rob Schramm
-- 

Rob Schramm

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN