Re: IBM FTPS connect

[Rob Schramm]

The instructions for debugging connection issues indicates to run with
debug soc which should provide some additional information.

Rob Schramm

On Tue, Sep 13, 2016, 11:10 AM Mark Pace  wrote:

> I'll have to go check on the z/OS Security lvl 3 FMID.  I didn't install
> this system, so I'm not sure.
>
> On Tue, Sep 13, 2016 at 9:12 AM, Tim Deller  wrote:
>
> > Perhaps the list of ciphers in the ftpdata file is too restrictive or
> > maybe the z/OS Security Level 3 FMID is not installed.
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
>
>
>
> --
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
>
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
-- 

Rob Schramm

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

REASON: 3 - RECORD TYPE NOT RECOGNIZED

[willie bunter]

Hi All,

While running a DIAGNOSE on a USERCAT the following error was picked up:

IDC21364I ERROR DETECTED BY DIAGNOSE:
  ICFCAT ENTRY: 05:26:06.214 UTMOPB08: START TWRC MSGID(AFE7 (7) 
  RECORD: 05:26:06.214 UTMOPB08: START TWRC MSGID(AFE7 /F0   
  OFFSET: X'0002'
  REASON: 3 - RECORD TYPE NOT RECOGNIZED 
IDC21365I ICFCAT RECORD DISPLAY: 
  RECORD: 05:26:06.214 UTMOPB08: START TWRC MSGID(AFE7 /F0  

The programmer response (I hope I read it right) says 
Use DELETE NOSCRATCH to remove the sphere or base record, if it exists.

I have 2 questions:
Since the dsn is not listed in the job output after IDC21364i message I assume 
that the dsn - listed on side (cols 85 to 119) -
I assume that is the dsn in question. Please correct me if I am wrong.

Is this problem serious or it can wait for action to be taken?  The problem was 
detected about 10 days ago.

Thanks.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Bypassing s322

[Steve]

Just as an "Oh by the way".  What are you running that needs so much time?

Steve   

-Original Message-
From: "Jesse 1 Robinson" 
Sent: Tuesday, September 13, 2016 12:35pm
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Bypassing s322

The usual circumvention for S322 is to increase the TIME= value, not play with 
exits. For one thing, IEFUTIL can extend the time, but even with no exit in 
place, the system will abend a job eventually. Be sure to increase the time 
value on both the job card and on the step (EXEC) card. Exceeding either one 
will cause S322. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Lizette Koehler
Sent: Tuesday, September 13, 2016 9:06 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Bypassing s322

I would compare the Run time(Clock) with CPU TIME.  You may be exceeding the 
CPU Time limit set for that Class.

We have an exit that produces a nice little map of CPU usage details.  CPU TIME 
is one of the fields.

I recently had a job running in INPUT CLASS X that kept timing out no matter 
what the TIME was set on the JCL.  Turns out the INPUT Class X had a 60 min CPU 
time limit set.  So even though the job ran for 3 hours - it actually used 
60.01 minutes of CPU Time.  Hence the failure.  

Always check the job while it is running with SDSF and see if the CPU Time 
increases quickly. Your task may be in a loop.


Lizette


> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
> On Behalf Of Peter
> Sent: Tuesday, September 13, 2016 6:05 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Bypassing s322
> 
> Hello
> 
> I am running which is a long running job but it keeps abending with 
> s322. I have used all the long running WLM initiators but still 
> abends. I am not sure if IEFUTL exit is restricting it.
> 
> The error message doesn't produce much information to diagnose.
> 
> Is there a way to bypass any EXIT which might be timing out the Jobs ?
> 
> Peter


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

DFSORT - ICETOOL - Search for text and replace with date

[Elardus Engelbrecht]

Good day to all DFSORT gurus

Background: I have setup an automated e-mail reporting system which grab 
reports from various inputs, then I use IEBGENER to build up one PS file 
containing data in this sequence: e-mail body - report - boundary data - next 
report - ... etc ...

(In this way I can send out e-mails to my clients where each e-mail is 
containing anything from 1 to 10 attachments.)

That PS file is then send over to SMTP to go out. Those boundary lines are used 
to define various attachments containing reports for outgoing e-mails.

Now, a client asked whether it is possible to insert run date in the file names 
of those attachments for easy retrieval at a later stage.

What I want to do is to dynamically replace a specific string into date of run 
in the filenames of the attachment in the e-mail.

So, for example I have this FILENAME="Never Used Ids - MMDD.TXT"

I wish to replace above line with today's date using ICETOOL FINDREP or a 
similar command.

So that example line should be changed to this for today: FILENAME="Never Used 
Ids - 2016-09-13.TXT"

I have tried out this JCL to scan whole input and replace the MMDD to 
rundate, but ICETOOL just shouts RC=16 saying invalid syntax found:

//SELECT   EXEC PGM=ICETOOL 
//TOOLMSG  DD SYSOUT=*  
//DFSMSG   DD SYSOUT=*  
//PRINTDD SYSOUT=*  
//INVOER   DD * 

 e-mail subject and body

--1234567890
CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="Never Used ids - MMDD.TXT"
CONTENT-DISPOSITION: ATTACHMENT; FILENAME="Never Used ids - MMDD.TXT"

. report ...


--1234567890
CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="Revoked ids - MMDD.TXT"
CONTENT-DISPOSITION: ATTACHMENT; FILENAME="Revoked ids - MMDD.TXT"

. report 

//TOOLIN   DD * 
 COPYFROM(INVOER) TO(PRINT) USING(SORT) 
//SORTCNTL   DD *   
 OPTION COPY
 OUTREC FINDREP=(IN=C'MMDD',OUT=DATE1(-))

As you can see those MMDD can be on any place in the input lines.

I only want to change those boundary lines, nothing else. Otherwise I have to 
use some editing tools on the datasets containing the original boundary lines. 

Any clues please? Are any other free products available which can do that 
tricks?

Many thanks in advance.

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: DFSORT - ICETOOL - Search for text and replace with date

[Richard Pinion]

While not directly related to your question, but are
you family with XMITIP from Lionel B. Dyck?  Real handy
stuff for emailing and attachments from the mainframe.



--- skol...@us.ibm.com wrote:

From: Sri h Kolusu 
To:   IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: DFSORT - ICETOOL - Search for text and replace with date
Date: Tue, 13 Sep 2016 08:51:01 -0700

Elardus Engelbrecht,

You just need to define a symbol for the current date and you can use it 
in FINDREP. You do not code OPTION COPY when you use COPY verb of ICETOOL. 
Here is a sample

//SELECT   EXEC PGM=ICETOOL  
//TOOLMSG  DD SYSOUT=*  
//SYMNAMES DD *  
CURRDATE,S''  
//DFSMSG   DD SYSOUT=*  
//PRINTDD SYSOUT=*  
//INVOER   DD *  
 E-MAIL SUBJECT AND BODY  
  
--1234567890  
CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="NEVER USED IDS - 
MMDD.TXT"
CONTENT-DISPOSITION: ATTACHMENT; FILENAME="NEVER USED IDS - MMDD.TXT"  
 
. REPORT ...  
--1234567890  
CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="REVOKED IDS - 
MMDD.TXT" 
CONTENT-DISPOSITION: ATTACHMENT; FILENAME="REVOKED IDS - MMDD.TXT"   
. REPORT   
//TOOLIN   DD *  
 COPY  FROM(INVOER) TO(PRINT) USING(SORT)  
//SORTCNTL   DD *  
 OUTREC FINDREP=(IN=C'MMDD',OUT=CURRDATE)  
/*  


btw is there a reason as to why you chose ICETOOL? 

Further if you have any questions please let me know

Thanks,
Kolusu
DFSORT Development
IBM Corporation

IBM Mainframe Discussion List  wrote on 
09/13/2016 08:36:18 AM:

> From: Elardus Engelbrecht 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 09/13/2016 08:36 AM
> Subject: DFSORT - ICETOOL - Search for text and replace with date
> Sent by: IBM Mainframe Discussion List 
> 
> Good day to all DFSORT gurus
> 
> Background: I have setup an automated e-mail reporting system which 
> grab reports from various inputs, then I use IEBGENER to build up 
> one PS file containing data in this sequence: e-mail body - report -
> boundary data - next report - ... etc ...
> 
> (In this way I can send out e-mails to my clients where each e-mail 
> is containing anything from 1 to 10 attachments.)
> 
> That PS file is then send over to SMTP to go out. Those boundary 
> lines are used to define various attachments containing reports for 
> outgoing e-mails.
> 
> Now, a client asked whether it is possible to insert run date in the
> file names of those attachments for easy retrieval at a later stage.
> 
> What I want to do is to dynamically replace a specific string into 
> date of run in the filenames of the attachment in the e-mail.
> 
> So, for example I have this FILENAME="Never Used Ids - MMDD.TXT"
> 
> I wish to replace above line with today's date using ICETOOL FINDREP
> or a similar command.
> 
> So that example line should be changed to this for today: 
> FILENAME="Never Used Ids - 2016-09-13.TXT"
> 
> I have tried out this JCL to scan whole input and replace the 
> MMDD to rundate, but ICETOOL just shouts RC=16 saying invalid 
> syntax found:
> 
> //SELECT   EXEC PGM=ICETOOL 
> //TOOLMSG  DD SYSOUT=* 
> //DFSMSG   DD SYSOUT=* 
> //PRINTDD SYSOUT=* 
> //INVOER   DD * 
> 
>  e-mail subject and body
> 
> --1234567890 
> CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="Never Used ids - 
> MMDD.TXT"
> CONTENT-DISPOSITION: ATTACHMENT; FILENAME="Never Used ids - 
MMDD.TXT"
> 
> . report ...  
> 
> --1234567890 
> CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="Revoked ids - 
MMDD.TXT"
> CONTENT-DISPOSITION: ATTACHMENT; FILENAME="Revoked ids - MMDD.TXT"
> 
> . report 
> 
> //TOOLIN   DD * 
>  COPYFROM(INVOER) TO(PRINT) USING(SORT) 
> //SORTCNTL   DD * 
>  OPTION COPY 
>  OUTREC FINDREP=(IN=C'MMDD',OUT=DATE1(-))
> 
> As you can see those MMDD can be on any place in the input lines.
> 
> I only want to change those boundary lines, nothing else. Otherwise 
> I have to use some editing tools on the datasets containing the 
> original boundary lines. 
> 
> Any clues please? Are any other free products available which can do
> that tricks?
> 
> Many thanks in advance.
> 
> Groete / Greetings
> Elardus Engelbrecht
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN




_
Netscape.  Just the Net You Need.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Where did java 8 hide zoneinfo?

[Paul Gilmartin]

On Tue, 13 Sep 2016 13:40:02 +0800, Timothy Sipples wrote:

>Java 8 relocated timezone information to a file "usually" named tzdb.dat.
>You should find that file in the .../lib directory also.
>
>Anticipating the next question, if you'd like to update timezone
>information between SDK service updates, use the IBM Time Zone Update
>Utility for Java ("JTZU"):
>
>https://www.ibm.com/developerworks/java/jdk/dst/jtzu.html
>
>JTZU is for IBM runtimes and SDKs, including those on z/OS. If you need a
>comparable tool for Oracle's JREs and JDKs on other platforms then look for
>Oracle's "TZUpdater." These tools (in earlier versions) debuted well before
>Java 8, so they've always been important. Arguably they're now even more
>important.
> 
Thanks.  Good guess.  It seems up to date with a couple things I tried.
Egypt?  North Korea?  I wonder yet why this isn't done more conventionally
by PTF.
o Quality Assurance rules?
o Timeliness?
o Intellectual Property concerns?

And it's still disappointing that most UNIX-like systems incorporate this
facility (redundantly) in the nucleus -- I mean kernel, but z/OS provides
it only in Java.  I guess I'm neglecting Emerson.

Thanks again,
-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: DFSORT - ICETOOL - Search for text and replace with date

[Paul Gilmartin]

On Tue, 13 Sep 2016 09:06:28 -0700, Sri h Kolusu  wrote:

>>> You could consider:  //SYSUT1  DD  *,SYMBOLS= instead of ICETOOL and 
>substitute the dynamic system symbols for  and , however:
>
>What exactly is the midnight pitfall? If you used the LOCAL system symbols 
>then you would get the local time.  DFSORT also has several date formats 
>and it is based on the time the step ran. 
> 
It's probably covered, depending on how "the time the step ran" is obtained.

>If you meant that a job that started at 11:59:59 PM and the SORT step ran 
>at 00:00:10 then we would get the next date as SORT would not have any 
>idea about when the Job started. 
> 
The pitfall, however narrow, is that if midnight occurs between the evaluations
of  and  the composite value may be in error by (almost)
24 hours.  Rexx covers this by guaranteeing that if a single clause contains
(any number of) references to TIME() and DATE() the TOD clock will be
read only once and that value used for all.  The TIME macro should nave no
need to read the TOD clock more than once.  UNIX time() function returns
a single raw RTC value and provides functions to format that.

I suppose that if processors are fast enough that the gap, accumulated over
the expected life of all installed z/OS systems, meets a six sigma criterion
it's not worth concern.  Has anyone done the calculation?

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IDCAMs DEF AIX authorization

[Steve]

Dave - You can't fix mishaps except thru knowledge 
 
-Original Message-
From: "Jousma, David" 
Sent: Tuesday, September 13, 2016 1:08pm
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization



Steve, the user tried to do the build index, but failed on lack of access S913 
as he should have. The user *should* have then deleted his AIX, but didn’t, and 
left it hanging out there. I suspect that the error was unintentional, as our 
application dataset naming conventions here, leave a little to be desired. 
*.TAT.* is test, *.PAT.* is PROD for this particular business application. It 
is my guess, that the user forgot to change the PAT to TAT in the RELATE 
portion of the DEF AIX.

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Steve
Sent: Tuesday, September 13, 2016 11:51 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

The challenge you will have is that the user in question had authority to build 
the AIX and the PATH but did not do the BUILD. And he could read the PRIMARY 
KSDS.

This is an apples and oranges discussion or a Catch-22. 

-Original Message-
From: "Roach, Dennis" 
Sent: Tuesday, September 13, 2016 11:45am
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

Since it can, and did, cause a production outage, I voted for it.

I would think that a production outage would rate higher than a medium priority.

Dennis Roach, CISSP, PMP
AIG
IAM Access Administration – Consumer | Identity & Access Management

2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019
Phone: 713-831-8799

dennis.ro...@aig.com | www.aig.com 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jousma, David
Sent: Tuesday, September 13, 2016 9:09 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

I did open an RFE for this, if anyone wishes to vote on it, here is the info.

--
Notification generated at: 13 Sep 2016, 10:06 AM Eastern Time (ET)

ID: 94515
Headline: Add SAF check on DEF AIX for RELATE Cluster
Submitted on: 13 Sep 2016, 10:06 AM Eastern Time (ET)
Brand: Servers and Systems Software
Product: z/OS

Link: http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe_ID=94515

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jousma, David
Sent: Tuesday, September 13, 2016 9:49 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

Steve, 

That’s what I am seeing, and IBM just confirmed it. I guess all we can do is 
give the contractor a slap on the hands, and move on.


IBM comments:

Basically, authorization checking is done against the AIX being defined (ALTER 
access to the AIX cluster name as shown in the table above) not the VSAM 
dataset the AIX relates to. Checking against the related VSAM cluster will be 
done when accessed by BLDINDEX. 

So, this is working as intended and documented. If you wish, you could open an 
'enhancement request' to have this behavior changed. 



_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Steve
Sent: Tuesday, September 13, 2016 9:33 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

AS I remember, DEF AIX and PATH only operate in the CAT. The BLX would to the 
extract to the AIX 

-Original Message-
From: "Jousma, David" 
Sent: Tuesday, September 13, 2016 9:19am
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: IDCAMs DEF AIX authorization

All,

I've got a PMR open with IBM asking the question, but thought I'd also pass 
this by the brain trust on this list. We recently had an off-shore contractor 
do a DEFINE AIX for a TEST dataset name, but RELATEd it to a PROD dataset name. 
The process was allowed surprisingly. Contractor only had read access to prod 
dataset. The subsequent BLDINDEX did fail with security violation as expected. 
Nightly processing of that prod file failed however due to the 

Re: IBM FTPS connect

[Mark Pace]

Oh hell.  I don't know what any of that means.  I set it up using the
directions from IBM on testing connectivity.
The ftp.data file contains.  So I assume it's AT-TLS. There must be
something within TCPIP that I need to setup also.

SECURE_MECHANISM TLS
TLSRFCLEVEL  CCCNONOTIFY
TLSMECHANISM FTP
SECURE_FTP   REQUIRED
SECURE_CTRLCONN  CLEAR
SECURE_DATACONN  PRIVATE
KEYRING  MP81136/bexarftp
EPSV4TRUE

On Tue, Sep 13, 2016 at 11:01 AM, Rob Schramm  wrote:

> Is this implemented within FTPD or Policy Agent / AT-TLS?
>
> On Mon, Sep 12, 2016 at 12:28 PM Mark Pace  wrote:
>
> > I'm setting up FTPS on a 1.13 system and am a little confused by this
> > sequence.  It logs on okay showing a secure connect.  But then it won't
> do
> > the actual download. So I'm confused if it's the certificate or not.
> >
> > 220 dhebpcb01 secure FTP server
> > ready.
> > EZA1701I >>> AUTH
> > TLS
> > 234
> > TLSv1
> >
> > EZA2895I Authentication negotiation
> > succeeded
> > EZA1701I >>> PBSZ
> > 0
> > 200
> > PBSZ=0
> >
> > EZA1701I >>> PROT
> > P
> > 200 PROT command
> > successful
> > EZA2906I Data connection protection is
> > private
> > EZA1459I NAME (deliverycb-bld.dhe.ibm.com:MP81136):
> >
> >
> >
> > >
> > B000
> >
> > EZA1701I >>> USER
> > B000
> > 331 Password required for
> > B000.
> > EZA1789I
> > PASSWORD:
> >
> >
> > >
> > *
> >
> > EZA1701I >>>
> > PASS
> > 230 Virtual user B000 logged
> > in.
> > EZA1460I
> > Command:
> >
> >
> > >
> > CCC
> >
> >
> >
> > >
> > BINARY
> >
> > EZA1701I >>>
> > CCC
> > 200 command channel
> > cleared.
> > EZA2905I Control connection protection is
> > clear
> > EZA1460I
> > Command:
> >
> >
> > > GET "/GIMPAF.XML" "/u/MP81136/test.content/GIMPAF.XML"
> > (REPLACE
> > EZA1701I >>> TYPE
> > I
> > 200 Type set to
> > I.
> > EZA1460I
> > Command:
> > EZA1701I >>>
> > EPSV
> > 229 Entering Passive Mode
> > (|||65045|)
> > EZA1701I >>> RETR
> > /GIMPAF.XML
> > 150 Opening BINARY mode SSL data connection for
> > /GIMPAF.XML.
> > EZA2870I TLS security mechanism negotiation failed - data connection
> > closed
> > 425 ftpd: (data conn) SSL_accept unspecified
> > error
> > EZA1735I Std Return Code = 16425, Error Code =
> > 00017
> > EZA1701I >>>
> > QUIT
> >
> > --
> > The postings on this site are my own and don’t necessarily represent
> > Mainline’s positions or opinions
> >
> > Mark D Pace
> > Senior Systems Engineer
> > Mainline Information Systems
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> --
>
> Rob Schramm
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IDCAMs DEF AIX authorization

[Roach, Dennis]

Since it can, and did, cause a production outage, I voted for it.

I would think that a production outage would rate higher than a medium priority.

Dennis Roach, CISSP, PMP
AIG
IAM Access Administration – Consumer | Identity & Access Management

2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019
Phone:  713-831-8799

dennis.ro...@aig.com | www.aig.com 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jousma, David
Sent: Tuesday, September 13, 2016 9:09 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

I did open an RFE for this, if anyone wishes to vote on it, here is the info.

--
Notification generated at: 13 Sep 2016, 10:06 AM Eastern Time (ET)

ID:94515
Headline:Add SAF check on DEF AIX for 
RELATE Cluster
Submitted on:13 Sep 2016, 10:06 AM Eastern Time (ET)
Brand:  Servers and Systems Software
Product:  z/OS

Link:
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe_ID=94515

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jousma, David
Sent: Tuesday, September 13, 2016 9:49 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

Steve,  

That’s what I am seeing, and IBM just confirmed it.   I guess all we can do is 
give the contractor a slap on the hands, and move on.


IBM comments:

Basically, authorization checking is done against the AIX being defined (ALTER 
access to the AIX cluster name as shown in the table above) not the VSAM 
dataset the AIX relates to.  Checking against the related VSAM cluster will be 
done when accessed by BLDINDEX. 

So, this is working as intended and documented.  If you wish, you could open an 
'enhancement request' to have this behavior changed.  



_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Steve
Sent: Tuesday, September 13, 2016 9:33 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

AS I remember, DEF AIX and PATH only operate in the CAT.  The BLX would to the 
extract to the AIX 

-Original Message-
From: "Jousma, David" 
Sent: Tuesday, September 13, 2016 9:19am
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: IDCAMs DEF AIX authorization

All,

I've got a PMR open with IBM asking the question, but thought I'd also pass 
this by the brain trust on this list.   We recently had an off-shore contractor 
do a DEFINE AIX for a TEST dataset name, but RELATEd it to a PROD dataset name. 
  The process was allowed surprisingly.   Contractor only had read access to 
prod dataset.   The subsequent BLDINDEX did fail with security violation as 
expected.   Nightly processing of that prod file failed however due to the 
empty AIX.   Seems like DEF AIX should have been disallowed if the user didn't 
have the appropriate access for what it was related too?

Dave

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717

This e-mail transmission contains information that is confidential and may be 
privileged.
It is intended only for the addressee(s) named above. If you receive this 
e-mail in error, please do not read, copy or disseminate it in any manner.  If 
you are not the intended recipient, any disclosure, copying, distribution or 
use of the contents of this information is prohibited. Please reply to the 
message immediately by informing the sender that the message was misdirected. 
After replying, please erase it from your computer system. Your assistance in 
correcting this error is appreciated.




--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For 

Re: IBM FTPS connect

[Cieri, Anthony]

For the record, there are several FMIDs that may be installed with the 
z/OS Security Lvl 3 and z/OS Communications Server Security lvl 3 may also be 
required. The FMIDs for Z/OS Security Lvl 3 at z/OS Version 1.13 are:

JCRY741
JCPT3D1
JSWK3D1
JRLS3D1

The FMID for z/OS Communications Server lvl 3 at z/OS Version 1.13.is:  
(ask me how I know this!!!)

JIP61DK

You would most likely see errors in PAGENT and its associated tasks 
(like IKED) if you did NOT have these installed!!

Since you appear to be getting a successful control connection 
established ad subsequently failing on the data connection, I would suspect a 
possible firewall issue. The error message provided:

EZA1735I Std Return Code = 16425

Indicates that the "get" command failed for one of the following 
reasons:

425: Can't open a data connection 
425: Can't open a passive connection
425: Command terminated due to server shutdown in progress
425: Unable to open data connection

HTH
Tony 



-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Rob Schramm
Sent: Tuesday, September 13, 2016 11:53 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IBM FTPS connect

The instructions for debugging connection issues indicates to run with debug 
soc which should provide some additional information.

Rob Schramm

On Tue, Sep 13, 2016, 11:10 AM Mark Pace  wrote:

> I'll have to go check on the z/OS Security lvl 3 FMID.  I didn't 
> install this system, so I'm not sure.
>
> On Tue, Sep 13, 2016 at 9:12 AM, Tim Deller  wrote:
>
> > Perhaps the list of ciphers in the ftpdata file is too restrictive 
> > or maybe the z/OS Security Level 3 FMID is not installed.
> >
> > 
> > -- For IBM-MAIN subscribe / signoff / archive access instructions, 
> > send email to lists...@listserv.ua.edu with the message: INFO 
> > IBM-MAIN
> >
>
>
>
> --
> The postings on this site are my own and don’t necessarily represent 
> Mainline’s positions or opinions
>
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
-- 

Rob Schramm

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Bypassing s322

[John Eells]

Actually, I misremembered how IEFUTL works, and just remembered (sorry)!

IEFUTL gets control when the time limit set expires, and can extend the 
time allowed. It does not set lower values.


John Eells wrote:

For historical reasons lost in the Mists of Time, the explanations for
z/OS BCP system abends are in System Codes, while those for DFSMS abends
are in System Messages.  (It took me years to realize why I always
seemed to be looking in the wrong place!)

Basically, for batch jobs, if you do not specify TIME, it will be taken
from the TIME specified on the JOBCLASS statement (JES2) or its default,
30 minutes if TIME has not been specified on JOBCLASS.  (There is a JES3
equivalent that I no longer recall and did not look up.)

If there is an IEFUTL exit, it can modify the TIME value based on any
data accessible to the exit when it runs.  Because we don't know what
people might be testing for to allow or disallow more time in the exit
(or, for that matter, to increase the time!), your local batch job
standards document or system programmer are the sources of information
about how to get IEFUTL to allow more time.

Although System Codes does not mention IEFUTL for some reason (I have
submitted an RCF), it does cover the other reasons:

322
Explanation: One of the following occurred:
O - The system took a longer time to run a job, job step, or procedure
than the time specified in one of the following:
   – The TIME parameter of the EXEC or JOB statement
   – The standard time limit specified in the job entry subsystem
O - For a started task under the master subsystem, the TIME parameter
was not specified on the PROC statement of the catalogued procedure, and
the PPT entry did not indicate a system task

System action: The system abnormally ends the job, job step, or procedure.

Programmer response: If the TIME parameter was not specified on the PROC
statement of the catalogued procedure, add the TIME parameter or add a
PPT entry for the PGM parameter. Otherwise, check for program errors. If
none exist, specify a longer time in the TIME parameter. Then run the
job again.

Source: System Management Facilities (SMF)

Peter wrote:

Hello

I am running which is a long running job but it keeps abending with
s322. I
have used all the long running WLM initiators but still abends. I am not
sure if IEFUTL exit is restricting it.

The error message doesn't produce much information to diagnose.

Is there a way to bypass any EXIT which might be timing out the Jobs ?







--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IDCAMs DEF AIX authorization

[Steve]

The challenge you will have is that the user in question had authority to build
the AIX and the PATH but did not do the BUILD.  And he could read the PRIMARY
KSDS.

This is an apples and oranges discussion or a Catch-22.

-Original Message-
From: "Roach, Dennis" 
Sent: Tuesday, September 13, 2016 11:45am
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

Since it can, and did, cause a production outage, I voted for it.

I would think that a production outage would rate higher than a medium priority.

Dennis Roach, CISSP, PMP
AIG
IAM Access Administration – Consumer | Identity & Access Management

2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019
Phone:  713-831-8799

dennis.ro...@aig.com | www.aig.com 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jousma, David
Sent: Tuesday, September 13, 2016 9:09 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

I did open an RFE for this, if anyone wishes to vote on it, here is the info.

--
Notification generated at: 13 Sep 2016, 10:06 AM Eastern Time (ET)

ID:94515
Headline:Add SAF check on DEF AIX for 
RELATE Cluster
Submitted on:13 Sep 2016, 10:06 AM Eastern Time (ET)
Brand:  Servers and Systems Software
Product:  z/OS

Link:
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe_ID=94515

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jousma, David
Sent: Tuesday, September 13, 2016 9:49 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

Steve,  

That’s what I am seeing, and IBM just confirmed it.   I guess all we can do is 
give the contractor a slap on the hands, and move on.


IBM comments:

Basically, authorization checking is done against the AIX being defined (ALTER 
access to the AIX cluster name as shown in the table above) not the VSAM 
dataset the AIX relates to.  Checking against the related VSAM cluster will be 
done when accessed by BLDINDEX. 

So, this is working as intended and documented.  If you wish, you could open an 
'enhancement request' to have this behavior changed.  



_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Steve
Sent: Tuesday, September 13, 2016 9:33 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

AS I remember, DEF AIX and PATH only operate in the CAT.  The BLX would to the 
extract to the AIX 

-Original Message-
From: "Jousma, David" 
Sent: Tuesday, September 13, 2016 9:19am
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: IDCAMs DEF AIX authorization

All,

I've got a PMR open with IBM asking the question, but thought I'd also pass 
this by the brain trust on this list.   We recently had an off-shore contractor 
do a DEFINE AIX for a TEST dataset name, but RELATEd it to a PROD dataset name. 
  The process was allowed surprisingly.   Contractor only had read access to 
prod dataset.   The subsequent BLDINDEX did fail with security violation as 
expected.   Nightly processing of that prod file failed however due to the 
empty AIX.   Seems like DEF AIX should have been disallowed if the user didn't 
have the appropriate access for what it was related too?

Dave

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717

This e-mail transmission contains information that is confidential and may be 
privileged.
It is intended only for the addressee(s) named above. If you receive this 
e-mail in error, please do not read, copy or disseminate it in any manner.  If 
you are not the intended recipient, any disclosure, copying, distribution or 
use of the contents of this information is prohibited. Please reply to the 
message immediately by informing the sender that the message was misdirected. 

Re: DFSORT - ICETOOL - Search for text and replace with date

[Richard Pinion]

That should be "familar" not "family"!


--- rpin...@netscape.com wrote:

From: Richard Pinion 
To:   IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: DFSORT - ICETOOL - Search for text and replace with date
Date: Tue, 13 Sep 2016 08:56:07 -0700

While not directly related to your question, but are
you family with XMITIP from Lionel B. Dyck?  Real handy
stuff for emailing and attachments from the mainframe.



--- skol...@us.ibm.com wrote:

From: Sri h Kolusu 
To:   IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: DFSORT - ICETOOL - Search for text and replace with date
Date: Tue, 13 Sep 2016 08:51:01 -0700

Elardus Engelbrecht,

You just need to define a symbol for the current date and you can use it 
in FINDREP. You do not code OPTION COPY when you use COPY verb of ICETOOL. 
Here is a sample

//SELECT   EXEC PGM=ICETOOL  
//TOOLMSG  DD SYSOUT=*  
//SYMNAMES DD *  
CURRDATE,S''  
//DFSMSG   DD SYSOUT=*  
//PRINTDD SYSOUT=*  
//INVOER   DD *  
 E-MAIL SUBJECT AND BODY  
  
--1234567890  
CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="NEVER USED IDS - 
MMDD.TXT"
CONTENT-DISPOSITION: ATTACHMENT; FILENAME="NEVER USED IDS - MMDD.TXT"  
 
. REPORT ...  
--1234567890  
CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="REVOKED IDS - 
MMDD.TXT" 
CONTENT-DISPOSITION: ATTACHMENT; FILENAME="REVOKED IDS - MMDD.TXT"   
. REPORT   
//TOOLIN   DD *  
 COPY  FROM(INVOER) TO(PRINT) USING(SORT)  
//SORTCNTL   DD *  
 OUTREC FINDREP=(IN=C'MMDD',OUT=CURRDATE)  
/*  


btw is there a reason as to why you chose ICETOOL? 

Further if you have any questions please let me know

Thanks,
Kolusu
DFSORT Development
IBM Corporation

IBM Mainframe Discussion List  wrote on 
09/13/2016 08:36:18 AM:

> From: Elardus Engelbrecht 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 09/13/2016 08:36 AM
> Subject: DFSORT - ICETOOL - Search for text and replace with date
> Sent by: IBM Mainframe Discussion List 
> 
> Good day to all DFSORT gurus
> 
> Background: I have setup an automated e-mail reporting system which 
> grab reports from various inputs, then I use IEBGENER to build up 
> one PS file containing data in this sequence: e-mail body - report -
> boundary data - next report - ... etc ...
> 
> (In this way I can send out e-mails to my clients where each e-mail 
> is containing anything from 1 to 10 attachments.)
> 
> That PS file is then send over to SMTP to go out. Those boundary 
> lines are used to define various attachments containing reports for 
> outgoing e-mails.
> 
> Now, a client asked whether it is possible to insert run date in the
> file names of those attachments for easy retrieval at a later stage.
> 
> What I want to do is to dynamically replace a specific string into 
> date of run in the filenames of the attachment in the e-mail.
> 
> So, for example I have this FILENAME="Never Used Ids - MMDD.TXT"
> 
> I wish to replace above line with today's date using ICETOOL FINDREP
> or a similar command.
> 
> So that example line should be changed to this for today: 
> FILENAME="Never Used Ids - 2016-09-13.TXT"
> 
> I have tried out this JCL to scan whole input and replace the 
> MMDD to rundate, but ICETOOL just shouts RC=16 saying invalid 
> syntax found:
> 
> //SELECT   EXEC PGM=ICETOOL 
> //TOOLMSG  DD SYSOUT=* 
> //DFSMSG   DD SYSOUT=* 
> //PRINTDD SYSOUT=* 
> //INVOER   DD * 
> 
>  e-mail subject and body
> 
> --1234567890 
> CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="Never Used ids - 
> MMDD.TXT"
> CONTENT-DISPOSITION: ATTACHMENT; FILENAME="Never Used ids - 
MMDD.TXT"
> 
> . report ...  
> 
> --1234567890 
> CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="Revoked ids - 
MMDD.TXT"
> CONTENT-DISPOSITION: ATTACHMENT; FILENAME="Revoked ids - MMDD.TXT"
> 
> . report 
> 
> //TOOLIN   DD * 
>  COPYFROM(INVOER) TO(PRINT) USING(SORT) 
> //SORTCNTL   DD * 
>  OPTION COPY 
>  OUTREC FINDREP=(IN=C'MMDD',OUT=DATE1(-))
> 
> As you can see those MMDD can be on any place in the input lines.
> 
> I only want to change those boundary lines, nothing else. Otherwise 
> I have to use some editing tools on the datasets containing the 
> original boundary lines. 
> 
> Any clues please? Are any other free products available which can do
> that tricks?
> 
> Many thanks in advance.
> 
> Groete / Greetings
> Elardus Engelbrecht
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: REASON: 3 - RECORD TYPE NOT RECOGNIZED

[retired mainframer]

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of willie bunter
> Sent: Tuesday, September 13, 2016 9:01 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: REASON: 3 - RECORD TYPE NOT RECOGNIZED
> 
> Hi All,
> 
> While running a DIAGNOSE on a USERCAT the following error was picked up:
> 
> IDC21364I ERROR DETECTED BY DIAGNOSE:
>   ICFCAT ENTRY: 05:26:06.214 UTMOPB08: START TWRC MSGID(AFE7 (7)
>   RECORD: 05:26:06.214 UTMOPB08: START TWRC MSGID(AFE7 /F0
>   OFFSET: X'0002'
>   REASON: 3 - RECORD TYPE NOT RECOGNIZED
> IDC21365I ICFCAT RECORD DISPLAY:
>   RECORD: 05:26:06.214 UTMOPB08: START TWRC MSGID(AFE7 /F0
> 
> The programmer response (I hope I read it right) says
> Use DELETE NOSCRATCH to remove the sphere or base record, if it exists.
> 
> I have 2 questions:
> Since the dsn is not listed in the job output after IDC21364i message I 
> assume that the dsn -
> listed on side (cols 85 to 119) -
> I assume that is the dsn in question. Please correct me if I am wrong.
> 
> Is this problem serious or it can wait for action to be taken?  The problem 
> was detected
> about 10 days ago.

You have already waited ten days and not yet taken any action.  Has there been 
any noticeable impact?  If you run the DIAGNOSE again, do the results change?  
For better or worse?

Were other activities that use the catalog running at the same time as your 
DIAGNOSE?  When I was running EXAMINE jobs to confirm consistency between 
catalogs and VVDSs, I determined that some reported errors were transient and 
could be eliminated by executing the VERIFY command just prior to the EXAMINE.  
I don't know if the same issue could affect DIAGNOSE.  

If it is a permanent error, I would be more concerned with how it occurred and 
what to do to prevent it in the future.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IDCAMs DEF AIX authorization

[Jousma, David]

Steve, the user tried to do the build index, but failed on lack of access S913 
as he should have.The user *should* have then deleted his AIX, but didn’t, 
and left it hanging out there.   I suspect that the error was unintentional, as 
our application dataset naming conventions here, leave a little to be desired.  
*.TAT.* is test, *.PAT.* is PROD for this particular business application.   It 
is my guess, that the user forgot to change the PAT to TAT in the RELATE 
portion of the DEF AIX.

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Steve
Sent: Tuesday, September 13, 2016 11:51 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

The challenge you will have is that the user in question had authority to build 
the AIX and the PATH but did not do the BUILD.  And he could read the PRIMARY 
KSDS.

This is an apples and oranges discussion or a Catch-22.

-Original Message-
From: "Roach, Dennis" 
Sent: Tuesday, September 13, 2016 11:45am
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

Since it can, and did, cause a production outage, I voted for it.

I would think that a production outage would rate higher than a medium priority.

Dennis Roach, CISSP, PMP
AIG
IAM Access Administration – Consumer | Identity & Access Management

2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019
Phone:  713-831-8799

dennis.ro...@aig.com | www.aig.com 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jousma, David
Sent: Tuesday, September 13, 2016 9:09 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

I did open an RFE for this, if anyone wishes to vote on it, here is the info.

--
Notification generated at: 13 Sep 2016, 10:06 AM Eastern Time (ET)

ID:94515
Headline:Add SAF check on DEF AIX for 
RELATE Cluster
Submitted on:13 Sep 2016, 10:06 AM Eastern Time (ET)
Brand:  Servers and Systems Software
Product:  z/OS

Link:
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe_ID=94515

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jousma, David
Sent: Tuesday, September 13, 2016 9:49 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

Steve,  

That’s what I am seeing, and IBM just confirmed it.   I guess all we can do is 
give the contractor a slap on the hands, and move on.


IBM comments:

Basically, authorization checking is done against the AIX being defined (ALTER 
access to the AIX cluster name as shown in the table above) not the VSAM 
dataset the AIX relates to.  Checking against the related VSAM cluster will be 
done when accessed by BLDINDEX. 

So, this is working as intended and documented.  If you wish, you could open an 
'enhancement request' to have this behavior changed.  



_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Steve
Sent: Tuesday, September 13, 2016 9:33 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

AS I remember, DEF AIX and PATH only operate in the CAT.  The BLX would to the 
extract to the AIX 

-Original Message-
From: "Jousma, David" 
Sent: Tuesday, September 13, 2016 9:19am
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: IDCAMs DEF AIX authorization

All,

I've got a PMR open with IBM asking the question, but thought I'd also pass 
this by the brain trust on this list.   We recently had an off-shore contractor 
do a DEFINE AIX for a TEST dataset name, but RELATEd it to a PROD dataset name. 
  The process was allowed surprisingly.   Contractor only had read access to 
prod dataset.   The subsequent 

Re: 2FA in the Real World

[Vince Coen]

For me the problem is that it is a Dell product.

Previous experience with them just leave a bitter taste in the mouth and
one I have no intention of repeating.

Vincent


On 13/09/16 17:49, Steve wrote:
> Is anyone in the real not government world using this product?
>
> [ https://software.dell.com/products/defender-mainframe-edition/ ]( 
> https://software.dell.com/products/defender-mainframe-edition/ )
>
>
> Steve

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM FTPS connect

[Mark Pace]

I'll have to go check on the z/OS Security lvl 3 FMID.  I didn't install
this system, so I'm not sure.

On Tue, Sep 13, 2016 at 9:12 AM, Tim Deller  wrote:

> Perhaps the list of ciphers in the ftpdata file is too restrictive or
> maybe the z/OS Security Level 3 FMID is not installed.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM FTPS connect

[Rob Schramm]

Is this implemented within FTPD or Policy Agent / AT-TLS?

On Mon, Sep 12, 2016 at 12:28 PM Mark Pace  wrote:

> I'm setting up FTPS on a 1.13 system and am a little confused by this
> sequence.  It logs on okay showing a secure connect.  But then it won't do
> the actual download. So I'm confused if it's the certificate or not.
>
> 220 dhebpcb01 secure FTP server
> ready.
> EZA1701I >>> AUTH
> TLS
> 234
> TLSv1
>
> EZA2895I Authentication negotiation
> succeeded
> EZA1701I >>> PBSZ
> 0
> 200
> PBSZ=0
>
> EZA1701I >>> PROT
> P
> 200 PROT command
> successful
> EZA2906I Data connection protection is
> private
> EZA1459I NAME (deliverycb-bld.dhe.ibm.com:MP81136):
>
>
>
> >
> B000
>
> EZA1701I >>> USER
> B000
> 331 Password required for
> B000.
> EZA1789I
> PASSWORD:
>
>
> >
> *
>
> EZA1701I >>>
> PASS
> 230 Virtual user B000 logged
> in.
> EZA1460I
> Command:
>
>
> >
> CCC
>
>
>
> >
> BINARY
>
> EZA1701I >>>
> CCC
> 200 command channel
> cleared.
> EZA2905I Control connection protection is
> clear
> EZA1460I
> Command:
>
>
> > GET "/GIMPAF.XML" "/u/MP81136/test.content/GIMPAF.XML"
> (REPLACE
> EZA1701I >>> TYPE
> I
> 200 Type set to
> I.
> EZA1460I
> Command:
> EZA1701I >>>
> EPSV
> 229 Entering Passive Mode
> (|||65045|)
> EZA1701I >>> RETR
> /GIMPAF.XML
> 150 Opening BINARY mode SSL data connection for
> /GIMPAF.XML.
> EZA2870I TLS security mechanism negotiation failed - data connection
> closed
> 425 ftpd: (data conn) SSL_accept unspecified
> error
> EZA1735I Std Return Code = 16425, Error Code =
> 00017
> EZA1701I >>>
> QUIT
>
> --
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
>
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
-- 

Rob Schramm

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: DFSORT - ICETOOL - Search for text and replace with date

[Sri h Kolusu]

Elardus Engelbrecht,

You just need to define a symbol for the current date and you can use it 
in FINDREP. You do not code OPTION COPY when you use COPY verb of ICETOOL. 
Here is a sample

//SELECT   EXEC PGM=ICETOOL  
//TOOLMSG  DD SYSOUT=*  
//SYMNAMES DD *  
CURRDATE,S''  
//DFSMSG   DD SYSOUT=*  
//PRINTDD SYSOUT=*  
//INVOER   DD *  
 E-MAIL SUBJECT AND BODY  
  
--1234567890  
CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="NEVER USED IDS - 
MMDD.TXT"
CONTENT-DISPOSITION: ATTACHMENT; FILENAME="NEVER USED IDS - MMDD.TXT"  
 
. REPORT ...  
--1234567890  
CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="REVOKED IDS - 
MMDD.TXT" 
CONTENT-DISPOSITION: ATTACHMENT; FILENAME="REVOKED IDS - MMDD.TXT"   
. REPORT   
//TOOLIN   DD *  
 COPY  FROM(INVOER) TO(PRINT) USING(SORT)  
//SORTCNTL   DD *  
 OUTREC FINDREP=(IN=C'MMDD',OUT=CURRDATE)  
/*  


btw is there a reason as to why you chose ICETOOL? 

Further if you have any questions please let me know

Thanks,
Kolusu
DFSORT Development
IBM Corporation

IBM Mainframe Discussion List  wrote on 
09/13/2016 08:36:18 AM:

> From: Elardus Engelbrecht 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 09/13/2016 08:36 AM
> Subject: DFSORT - ICETOOL - Search for text and replace with date
> Sent by: IBM Mainframe Discussion List 
> 
> Good day to all DFSORT gurus
> 
> Background: I have setup an automated e-mail reporting system which 
> grab reports from various inputs, then I use IEBGENER to build up 
> one PS file containing data in this sequence: e-mail body - report -
> boundary data - next report - ... etc ...
> 
> (In this way I can send out e-mails to my clients where each e-mail 
> is containing anything from 1 to 10 attachments.)
> 
> That PS file is then send over to SMTP to go out. Those boundary 
> lines are used to define various attachments containing reports for 
> outgoing e-mails.
> 
> Now, a client asked whether it is possible to insert run date in the
> file names of those attachments for easy retrieval at a later stage.
> 
> What I want to do is to dynamically replace a specific string into 
> date of run in the filenames of the attachment in the e-mail.
> 
> So, for example I have this FILENAME="Never Used Ids - MMDD.TXT"
> 
> I wish to replace above line with today's date using ICETOOL FINDREP
> or a similar command.
> 
> So that example line should be changed to this for today: 
> FILENAME="Never Used Ids - 2016-09-13.TXT"
> 
> I have tried out this JCL to scan whole input and replace the 
> MMDD to rundate, but ICETOOL just shouts RC=16 saying invalid 
> syntax found:
> 
> //SELECT   EXEC PGM=ICETOOL 
> //TOOLMSG  DD SYSOUT=* 
> //DFSMSG   DD SYSOUT=* 
> //PRINTDD SYSOUT=* 
> //INVOER   DD * 
> 
>  e-mail subject and body
> 
> --1234567890 
> CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="Never Used ids - 
> MMDD.TXT"
> CONTENT-DISPOSITION: ATTACHMENT; FILENAME="Never Used ids - 
MMDD.TXT"
> 
> . report ...  
> 
> --1234567890 
> CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="Revoked ids - 
MMDD.TXT"
> CONTENT-DISPOSITION: ATTACHMENT; FILENAME="Revoked ids - MMDD.TXT"
> 
> . report 
> 
> //TOOLIN   DD * 
>  COPYFROM(INVOER) TO(PRINT) USING(SORT) 
> //SORTCNTL   DD * 
>  OPTION COPY 
>  OUTREC FINDREP=(IN=C'MMDD',OUT=DATE1(-))
> 
> As you can see those MMDD can be on any place in the input lines.
> 
> I only want to change those boundary lines, nothing else. Otherwise 
> I have to use some editing tools on the datasets containing the 
> original boundary lines. 
> 
> Any clues please? Are any other free products available which can do
> that tricks?
> 
> Many thanks in advance.
> 
> Groete / Greetings
> Elardus Engelbrecht
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: DFSORT - ICETOOL - Search for text and replace with date

[Sri h Kolusu]

>> You could consider:  //SYSUT1  DD  *,SYMBOLS= instead of ICETOOL and 
substitute the dynamic system symbols for  and , however:

Paul,

DFSORT has the ability to read system symbols defined here

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/iea2e2c2/2.2.2?


> Does ICETOOL cover the midnight pitfall?

What exactly is the midnight pitfall? If you used the LOCAL system symbols 
then you would get the local time.  DFSORT also has several date formats 
and it is based on the time the step ran. 

If you meant that a job that started at 11:59:59 PM and the SORT step ran 
at 00:00:10 then we would get the next date as SORT would not have any 
idea about when the Job started. 


Thanks,
Kolusu
DFSORT Development
IBM Corporation

IBM Mainframe Discussion List  wrote on 
09/13/2016 08:54:57 AM:

> From: Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu>
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 09/13/2016 08:55 AM
> Subject: Re: DFSORT - ICETOOL - Search for text and replace with date
> Sent by: IBM Mainframe Discussion List 
> 
> On Tue, 13 Sep 2016 10:36:18 -0500, Elardus Engelbrecht wrote:
> >
> >Now, a client asked whether it is possible to insert run date in 
> the file names of those attachments for easy retrieval at a later stage.
> > 
> >//INVOER   DD * 
> > 
> You could consider:  //SYSUT1  DD  *,SYMBOLS= instead of ICETOOL
> and substitute the dynamic system symbols for  and , 
however:
> o The format isn't pretty
> o IBM needs to address the midnight pitfall, however minuscule.
> 
> Does ICETOOL cover the midnight pitfall?
> 
> -- gil
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Bypassing s322

[Lizette Koehler]

I would compare the Run time(Clock) with CPU TIME.  You may be exceeding the 
CPU Time limit set for that Class.

We have an exit that produces a nice little map of CPU usage details.  CPU TIME 
is one of the fields.

I recently had a job running in INPUT CLASS X that kept timing out no matter 
what the TIME was set on the JCL.  Turns out the INPUT Class X had a 60 min CPU 
time limit set.  So even though the job ran for 3 hours - it actually used 
60.01 minutes of CPU Time.  Hence the failure.  

Always check the job while it is running with SDSF and see if the CPU Time 
increases quickly. Your task may be in a loop.


Lizette


> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Peter
> Sent: Tuesday, September 13, 2016 6:05 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Bypassing s322
> 
> Hello
> 
> I am running which is a long running job but it keeps abending with s322. I
> have used all the long running WLM initiators but still abends. I am not sure
> if IEFUTL exit is restricting it.
> 
> The error message doesn't produce much information to diagnose.
> 
> Is there a way to bypass any EXIT which might be timing out the Jobs ?
> 
> Peter
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Hillgang - Save the date

[Neale Ferguson]

Hi,
 The next Hillgang meeting (DC/MD/VA Linux & z/VM User Group) will be held
28 September. The agenda should be available in the next couple of days.
In brief:

- From the z/VM Lab - Bill Bitner

- Introduction to z/TPF
- Customer experience
- Building and using Docker Containers

If that is enough to get you interested you can go to:

http://doodle.com/poll/wh647k9i6ft8sy8x

To register (free) for the event. (Registration is so we can estimate
numbers for our free breakfast.)

Neale

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: DFSORT - ICETOOL - Search for text and replace with date

[Bill Woodger]

If there's only one thing to change per line (maximum, or limit) I always use 
DO=1 on the FINDREP. 

If there's a limit to where the data can start, end, or both, there's STARTPOS 
and ENDPOS.

Use IFTHEN=(WHEN=(logicalexpression) to only allow the FINDREP to operate on 
the expected records. This can avoid "false hits" and since the condition is 
likely faster than looking at all the bytes for a length of eight, a bit 
zippier to (won't matter here, probably, but in general).

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IDCAMs DEF AIX authorization

[Rob Schramm]

To Dave's point, there is an exposure that can be exploited to cause denial
of service with what appears to be relatively "safe" access levels for
production.

Rob Schramm

On Tue, Sep 13, 2016, 11:50 AM Steve  wrote:

> The challenge you will have is that the user in question had authority to
> build
> the AIX and the PATH but did not do the BUILD.  And he could read the
> PRIMARY
> KSDS.
>
> This is an apples and oranges discussion or a Catch-22.
>
> -Original Message-
> From: "Roach, Dennis" 
> Sent: Tuesday, September 13, 2016 11:45am
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: IDCAMs DEF AIX authorization
>
> Since it can, and did, cause a production outage, I voted for it.
>
> I would think that a production outage would rate higher than a medium
> priority.
>
> Dennis Roach, CISSP, PMP
> AIG
> IAM Access Administration – Consumer | Identity & Access Management
>
> 2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019
> Phone:  713-831-8799
>
> dennis.ro...@aig.com | www.aig.com
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Jousma, David
> Sent: Tuesday, September 13, 2016 9:09 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: IDCAMs DEF AIX authorization
>
> I did open an RFE for this, if anyone wishes to vote on it, here is the
> info.
>
>
> --
> Notification generated at: 13 Sep 2016, 10:06 AM Eastern Time (ET)
>
> ID:94515
> Headline:Add SAF check on DEF AIX for
> RELATE Cluster
> Submitted on:13 Sep 2016, 10:06 AM Eastern
> Time (ET)
> Brand:  Servers and Systems
> Software
> Product:  z/OS
>
> Link:
> http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe_ID=94515
>
> _
> Dave Jousma
> Manager Mainframe Engineering, Assistant Vice President
> david.jou...@53.com
> 1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f
> 616.653.2717
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Jousma, David
> Sent: Tuesday, September 13, 2016 9:49 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: IDCAMs DEF AIX authorization
>
> Steve,
>
> That’s what I am seeing, and IBM just confirmed it.   I guess all we can
> do is give the contractor a slap on the hands, and move on.
>
>
> IBM comments:
>
> Basically, authorization checking is done against the AIX being defined
> (ALTER access to the AIX cluster name as shown in the table above) not the
> VSAM dataset the AIX relates to.  Checking against the related VSAM cluster
> will be done when accessed by BLDINDEX.
>
> So, this is working as intended and documented.  If you wish, you could
> open an 'enhancement request' to have this behavior changed.
>
>
>
> _
> Dave Jousma
> Manager Mainframe Engineering, Assistant Vice President
> david.jou...@53.com
> 1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f
> 616.653.2717
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Steve
> Sent: Tuesday, September 13, 2016 9:33 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: IDCAMs DEF AIX authorization
>
> AS I remember, DEF AIX and PATH only operate in the CAT.  The BLX would to
> the extract to the AIX
>
> -Original Message-
> From: "Jousma, David" 
> Sent: Tuesday, September 13, 2016 9:19am
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: IDCAMs DEF AIX authorization
>
> All,
>
> I've got a PMR open with IBM asking the question, but thought I'd also
> pass this by the brain trust on this list.   We recently had an off-shore
> contractor do a DEFINE AIX for a TEST dataset name, but RELATEd it to a
> PROD dataset name.   The process was allowed surprisingly.   Contractor
> only had read access to prod dataset.   The subsequent BLDINDEX did fail
> with security violation as expected.   Nightly processing of that prod file
> failed however due to the empty AIX.   Seems like DEF AIX should have been
> disallowed if the user didn't have the appropriate access for what it was
> related too?
>
> Dave
>
> _
> Dave Jousma
> Manager Mainframe Engineering, Assistant Vice President
> david.jou...@53.com
> 1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f
> 616.653.2717
>
> This e-mail transmission contains information that is confidential and may
> be privileged.
> It is intended only for the addressee(s) named above. If you receive this
> 

Re: DFSORT - ICETOOL - Search for text and replace with date

[Elardus Engelbrecht]

Sri h Kolusu wrote:

>You just need to define a symbol for the current date and you can use it  in 
>FINDREP. You do not code OPTION COPY when you use COPY verb of ICETOOL. 

>Here is a sample

>//SYMNAMES DD *  
>CURRDATE,S''  

>//SORTCNTL   DD *  
> OUTREC FINDREP=(IN=C'MMDD',OUT=CURRDATE)  

Yes! Yes! Yes! That worked! Wow! I totaly forgot about that symbols things 
inside ICETOOL!

Many thanks! I must humbly say thank you for your kind help! I really 
appreciate it much.


>btw is there a reason as to why you chose ICETOOL? 

We standardised on that, because it is easy to build up reports from raw SMF, 
IRRADU00, IRRDBU00, zSecure and custom reports as produced from different 
products.

We need to place columns in certain order. For some client it is easy to 
specify sort order. Some clients want it sorted by id, but another clients want 
to it by date/time.

Some clients dont want headers, so I had to drop them.

ICETOOL language is neatly understandable and teachable to dummies. ;-)

Things like this made us decide on ICETOOL:

DATE(4MD/) -   
TIME(24:) -
BREAK(23,8,CH) BTITLE('IDS') - 
WIDTH() - 

With above we can standardize on date / time format and breakup of reports by 
ids or whatever criteria.

What is more, I use Automation and CPPUPDTE to pre-fill in some data or just 
insert dynamic sort input. Then it is off to ICETOOL, then IEBGENER to SMTP.

Oh, I use ICETOOL when I just grab some raw SMF data in a hurry to produce some 
reports. 

Nothing else beat these ICETOOL statements to translate date/time in SMF into 
readable format:

 HEADER('SMFTYP')  ON(6,1,BI) -
 HEADER('DATE')ON(11,4,DT1,E'/99/99') -
 HEADER('TIME')ON(7,4,TM1,E'99:99:99') -   

You can always write Assembler or other language programs to directly translate 
those fields into something readable, but why re-invent the wheel? ;-)

But the most important reason why we use ICETOOL is - Instead having our 
clients writing own COBOL programs to do reporting, they can do some ICETOOL 
reporting with some of the summarization commands to produce totals.


Paul Gilmartin wrote:

>You could consider:  //SYSUT1  DD  *,SYMBOLS= instead of ICETOOL and 
>substitute the dynamic system symbols for  and , however:

Thanks. I have tried that out, but as you said the format is not pretty.


Richard Pinion wrote:

>While not directly related to your question, but are you family with XMITIP 
>from Lionel B. Dyck? Real handy stuff for emailing and attachments from the 
>mainframe.

I know about that and have played years ago with that when a colleague gave me 
a copy from a SHARE session on a CD. Yep, CD. That is ancient computing... ;-)

But we need to send out attachments in text format unlike XMITIP which can use 
PDF/ZIP/RTF/HTML formats. Simply because more than half of our clients (due to 
regulations) can only accept txt format. 

Whats more, IBM Communication Server SMTP can simply blank out the TO field of 
the e-mails. The clients really don't need who else are also receiving our 
audit e-mails.


>That should be "FAMILIAR" not "FAMILAR"!

Hahaha. I forgive you. I always read your and other's e-mail because I want to 
learn!

Many thanks to all. My problem is solved! And I have been SORTed out ! ;-)

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: DFSORT - ICETOOL - Search for text and replace with date

[Sri h Kolusu]

>> Rexx covers this by guaranteeing that if a single clause contains
(any number of) references to TIME() and DATE() the TOD clock will be
read only once and that value used for all.  The TIME macro should nave no
need to read the TOD clock more than once. 

Paul,

If that is the definition of the midnight pitfall, then DFSORT already 
covers that. If you used DFSORT date formats (Date1 thru Date5 ), DFSORT 
reads the TIME macro once and stores the value. It is not changed in 
between despite how many times you have the references of Date parm in 
your control cards.

Thanks,
Kolusu
DFSORT Development
IBM Corporation



From:   Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu>
To: IBM-MAIN@LISTSERV.UA.EDU
Date:   09/13/2016 09:26 AM
Subject:Re: DFSORT - ICETOOL - Search for text and replace with 
date
Sent by:IBM Mainframe Discussion List 



On Tue, 13 Sep 2016 09:06:28 -0700, Sri h Kolusu  wrote:

>>> You could consider:  //SYSUT1  DD  *,SYMBOLS= instead of ICETOOL and 
>substitute the dynamic system symbols for  and , however:
>
>What exactly is the midnight pitfall? If you used the LOCAL system 
symbols 
>then you would get the local time.  DFSORT also has several date formats 
>and it is based on the time the step ran. 
> 
It's probably covered, depending on how "the time the step ran" is 
obtained.

>If you meant that a job that started at 11:59:59 PM and the SORT step ran 

>at 00:00:10 then we would get the next date as SORT would not have any 
>idea about when the Job started. 
> 
The pitfall, however narrow, is that if midnight occurs between the 
evaluations
of  and  the composite value may be in error by (almost)
24 hours.  Rexx covers this by guaranteeing that if a single clause 
contains
(any number of) references to TIME() and DATE() the TOD clock will be
read only once and that value used for all.  The TIME macro should nave no
need to read the TOD clock more than once.  UNIX time() function returns
a single raw RTC value and provides functions to format that.

I suppose that if processors are fast enough that the gap, accumulated 
over
the expected life of all installed z/OS systems, meets a six sigma 
criterion
it's not worth concern.  Has anyone done the calculation?

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN






--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

2FA in the Real World

[Steve]

Is anyone in the real not government world using this product?

[ https://software.dell.com/products/defender-mainframe-edition/ ]( 
https://software.dell.com/products/defender-mainframe-edition/ )


Steve



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: DFSORT - ICETOOL - Search for text and replace with date

[Paul Gilmartin]

On Tue, 13 Sep 2016 10:36:18 -0500, Elardus Engelbrecht wrote:
>
>Now, a client asked whether it is possible to insert run date in the file 
>names of those attachments for easy retrieval at a later stage.
>   
>//INVOER   DD * 
> 
You could consider:  //SYSUT1  DD  *,SYMBOLS= instead of ICETOOL
and substitute the dynamic system symbols for  and , however:
o The format isn't pretty
o IBM needs to address the midnight pitfall, however minuscule.

Does ICETOOL cover the midnight pitfall?

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: DFSORT - ICETOOL - Search for text and replace with date

[Richard Pinion]

That should be "FAMILIAR" not "FAMILAR"!


--- rpin...@netscape.com wrote:

From: Richard Pinion 
To:   IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: DFSORT - ICETOOL - Search for text and replace with date
Date: Tue, 13 Sep 2016 08:57:22 -0700

That should be "familar" not "family"!


--- rpin...@netscape.com wrote:

From: Richard Pinion 
To:   IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: DFSORT - ICETOOL - Search for text and replace with date
Date: Tue, 13 Sep 2016 08:56:07 -0700

While not directly related to your question, but are
you family with XMITIP from Lionel B. Dyck?  Real handy
stuff for emailing and attachments from the mainframe.



--- skol...@us.ibm.com wrote:

From: Sri h Kolusu 
To:   IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: DFSORT - ICETOOL - Search for text and replace with date
Date: Tue, 13 Sep 2016 08:51:01 -0700

Elardus Engelbrecht,

You just need to define a symbol for the current date and you can use it 
in FINDREP. You do not code OPTION COPY when you use COPY verb of ICETOOL. 
Here is a sample

//SELECT   EXEC PGM=ICETOOL  
//TOOLMSG  DD SYSOUT=*  
//SYMNAMES DD *  
CURRDATE,S''  
//DFSMSG   DD SYSOUT=*  
//PRINTDD SYSOUT=*  
//INVOER   DD *  
 E-MAIL SUBJECT AND BODY  
  
--1234567890  
CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="NEVER USED IDS - 
MMDD.TXT"
CONTENT-DISPOSITION: ATTACHMENT; FILENAME="NEVER USED IDS - MMDD.TXT"  
 
. REPORT ...  
--1234567890  
CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="REVOKED IDS - 
MMDD.TXT" 
CONTENT-DISPOSITION: ATTACHMENT; FILENAME="REVOKED IDS - MMDD.TXT"   
. REPORT   
//TOOLIN   DD *  
 COPY  FROM(INVOER) TO(PRINT) USING(SORT)  
//SORTCNTL   DD *  
 OUTREC FINDREP=(IN=C'MMDD',OUT=CURRDATE)  
/*  


btw is there a reason as to why you chose ICETOOL? 

Further if you have any questions please let me know

Thanks,
Kolusu
DFSORT Development
IBM Corporation

IBM Mainframe Discussion List  wrote on 
09/13/2016 08:36:18 AM:

> From: Elardus Engelbrecht 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 09/13/2016 08:36 AM
> Subject: DFSORT - ICETOOL - Search for text and replace with date
> Sent by: IBM Mainframe Discussion List 
> 
> Good day to all DFSORT gurus
> 
> Background: I have setup an automated e-mail reporting system which 
> grab reports from various inputs, then I use IEBGENER to build up 
> one PS file containing data in this sequence: e-mail body - report -
> boundary data - next report - ... etc ...
> 
> (In this way I can send out e-mails to my clients where each e-mail 
> is containing anything from 1 to 10 attachments.)
> 
> That PS file is then send over to SMTP to go out. Those boundary 
> lines are used to define various attachments containing reports for 
> outgoing e-mails.
> 
> Now, a client asked whether it is possible to insert run date in the
> file names of those attachments for easy retrieval at a later stage.
> 
> What I want to do is to dynamically replace a specific string into 
> date of run in the filenames of the attachment in the e-mail.
> 
> So, for example I have this FILENAME="Never Used Ids - MMDD.TXT"
> 
> I wish to replace above line with today's date using ICETOOL FINDREP
> or a similar command.
> 
> So that example line should be changed to this for today: 
> FILENAME="Never Used Ids - 2016-09-13.TXT"
> 
> I have tried out this JCL to scan whole input and replace the 
> MMDD to rundate, but ICETOOL just shouts RC=16 saying invalid 
> syntax found:
> 
> //SELECT   EXEC PGM=ICETOOL 
> //TOOLMSG  DD SYSOUT=* 
> //DFSMSG   DD SYSOUT=* 
> //PRINTDD SYSOUT=* 
> //INVOER   DD * 
> 
>  e-mail subject and body
> 
> --1234567890 
> CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="Never Used ids - 
> MMDD.TXT"
> CONTENT-DISPOSITION: ATTACHMENT; FILENAME="Never Used ids - 
MMDD.TXT"
> 
> . report ...  
> 
> --1234567890 
> CONTENT-TYPE: TEXT/PLAIN; CHARSET=US-ASCII; NAME="Revoked ids - 
MMDD.TXT"
> CONTENT-DISPOSITION: ATTACHMENT; FILENAME="Revoked ids - MMDD.TXT"
> 
> . report 
> 
> //TOOLIN   DD * 
>  COPYFROM(INVOER) TO(PRINT) USING(SORT) 
> //SORTCNTL   DD * 
>  OPTION COPY 
>  OUTREC FINDREP=(IN=C'MMDD',OUT=DATE1(-))
> 
> As you can see those MMDD can be on any place in the input lines.
> 
> I only want to change those boundary lines, nothing else. Otherwise 
> I have to use some editing tools on the datasets containing the 
> original boundary lines. 
> 
> Any clues please? Are any other free products available which can do
> that tricks?
> 
> Many thanks in advance.
> 
> Groete / Greetings
> Elardus Engelbrecht
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the 

Re: Bypassing s322

[Jesse 1 Robinson]

The usual circumvention for S322 is to increase the TIME= value, not play with 
exits. For one thing, IEFUTIL can extend the time, but even with no exit in 
place, the system will abend a job eventually. Be sure to increase the time 
value on both the job card and on the step (EXEC) card. Exceeding either one 
will cause S322. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Lizette Koehler
Sent: Tuesday, September 13, 2016 9:06 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Bypassing s322

I would compare the Run time(Clock) with CPU TIME.  You may be exceeding the 
CPU Time limit set for that Class.

We have an exit that produces a nice little map of CPU usage details.  CPU TIME 
is one of the fields.

I recently had a job running in INPUT CLASS X that kept timing out no matter 
what the TIME was set on the JCL.  Turns out the INPUT Class X had a 60 min CPU 
time limit set.  So even though the job ran for 3 hours - it actually used 
60.01 minutes of CPU Time.  Hence the failure.  

Always check the job while it is running with SDSF and see if the CPU Time 
increases quickly. Your task may be in a loop.


Lizette


> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
> On Behalf Of Peter
> Sent: Tuesday, September 13, 2016 6:05 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Bypassing s322
> 
> Hello
> 
> I am running which is a long running job but it keeps abending with 
> s322. I have used all the long running WLM initiators but still 
> abends. I am not sure if IEFUTL exit is restricting it.
> 
> The error message doesn't produce much information to diagnose.
> 
> Is there a way to bypass any EXIT which might be timing out the Jobs ?
> 
> Peter


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: DFSORT - ICETOOL - Search for text and replace with date

[Elardus Engelbrecht]

Bill Woodger wrote:

>It would be ironic if Elardus followed your advice, only to find that his 
>IEBGENER is an alias of ICEGENER and that DFSORT will be used for operations 
>without any IEBGENER control cards.

I'm aware of ICEGENER and such. In fact, CustomPac includes some IVP checks to 
verify ICEGENER.

>Have a date file. Use DFSORT (or anything else) to generate a DFSORT Sort 
>Symbol file with a name for the date. Use the symbol. 

I have some such date files. I have written REXX programs to get different 
dates (yesterday, last month, today, etc) and place them in datasets so they 
can be used later as input for reportings.

But I could not easily transfer those date files contents to the lines I 
described earlier.

Thanks for your posts! I appreciate it!

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Internals of Catalog

[Jake Anderson]

Hi

Can some one please explain the Catalog internals with respect to the VVDS
and VTOC.

I am basically trying to understand the relationship from the catalog
internals point of view.

Any documents or URL that might help ?

Jake

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM FTPS connect

[Lizette Koehler]

Just a thought.  Kurt Q. has been helpful to folks offlist to resolve their FTP 
IBM issues.  You may wish to see if he will assist.  He really wants to be a 
smooth process and easy transition.

Lizette


> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Mark Pace
> Sent: Tuesday, September 13, 2016 11:32 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: IBM FTPS connect
> 
> That was a big help, thank you.  I was able to confirm that all the correct
> FMIDs were installed.  So I know it "should" work.
> I also tried FWFRIENDLY TRUE  that didn't seem to make any difference.
> Turned on DEBUG SOC.  So now I'll have to research the output.
> 
> > GET "/GIMPAF.XML" "/u/MP81136/test.content/GIMPAF.XML"
> (REPLACE
> >>> TYPE
> I
> 200 Type set to
> I.
> Command:
> 
> SC1344 initDsConnection:
> entered
> >>>
> EPSV
> 
> 229 Entering Passive Mode
> (|||65321|)
> >>> RETR
> /GIMPAF.XML
> SC1981 connDsConnection:
> entered
> SC2075 connDsConnectionIPv4:
> entered
> GU4945 ftpSetApplData:
> entered
> 150 Opening BINARY mode SSL data connection for /GIMPAF.XML.
> FU0388 protDataConn: secure_socket_init() failed with rc = 406 (Error while
> read ing or writing
> data)
> CG1959 SETCEC code =
> 17
> TLS security mechanism negotiation failed - data connection closed
> SC2637 dataClose:
> entered
> 425 ftpd: (data conn) SSL_accept unspecified error
> CG4118 rcvFile: rc -1 rc_write 0 rc_close
> 0
> PC0921 setClientRC:
> entered
> PC0991 setClientRC: std_rc=16425, rc_type=STD,
> rc=16425
> Std Return Code = 16425, Error Code =
> 00017
> >>>
> QUIT
> 
> : Connection reset by
> peer.
> SC3358 endSession: entered
> (sn=0F9EE7C8)
> SC2637 dataClose:
> entered
> 
> 
> >
> QUIT
> 
> 
> 
> On Tue, Sep 13, 2016 at 12:50 PM, Cieri, Anthony  wrote:
> 
> >
> > For the record, there are several FMIDs that may be installed
> > with the z/OS Security Lvl 3 and z/OS Communications Server Security
> > lvl 3 may also be required. The FMIDs for Z/OS Security Lvl 3 at z/OS
> > Version 1.13
> > are:
> >
> > JCRY741
> > JCPT3D1
> > JSWK3D1
> > JRLS3D1
> >
> > The FMID for z/OS Communications Server lvl 3 at z/OS Version
> > 1.13.is:  (ask me how I know this!!!)
> >
> > JIP61DK
> >
> > You would most likely see errors in PAGENT and its associated
> > tasks (like IKED) if you did NOT have these installed!!
> >
> > Since you appear to be getting a successful control connection
> > established ad subsequently failing on the data connection, I would
> > suspect a possible firewall issue. The error message provided:
> >
> > EZA1735I Std Return Code = 16425
> >
> > Indicates that the "get" command failed for one of the
> > following
> > reasons:
> >
> > 425: Can't open a data connection
> > 425: Can't open a passive connection
> > 425: Command terminated due to server shutdown in progress
> > 425: Unable to open data connection
> >
> > HTH
> > Tony
> >
> >
> >
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of Rob Schramm
> > Sent: Tuesday, September 13, 2016 11:53 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: IBM FTPS connect
> >
> > The instructions for debugging connection issues indicates to run with
> > debug soc which should provide some additional information.
> >
> > Rob Schramm
> >
> > On Tue, Sep 13, 2016, 11:10 AM Mark Pace  wrote:
> >
> > > I'll have to go check on the z/OS Security lvl 3 FMID.  I didn't
> > > install this system, so I'm not sure.
> > >
> > > On Tue, Sep 13, 2016 at 9:12 AM, Tim Deller  wrote:
> > >
> > > > Perhaps the list of ciphers in the ftpdata file is too restrictive
> > > > or maybe the z/OS Security Level 3 FMID is not installed.
> > > >

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: 2FA in the Real World

[Steve]

NC-Pass was purchased some time ago by Dell, and I don't remember who wrote itt
 
 
Steve
-Original Message-
From: "Vince Coen" 
Sent: Tuesday, September 13, 2016 1:23pm
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: 2FA in the Real World



For me the problem is that it is a Dell product.

Previous experience with them just leave a bitter taste in the mouth and
one I have no intention of repeating.

Vincent


On 13/09/16 17:49, Steve wrote:
> Is anyone in the real not government world using this product?
>
> [ https://software.dell.com/products/defender-mainframe-edition/ ]( 
> https://software.dell.com/products/defender-mainframe-edition/ )
>
>
> Steve

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Internals of Catalog

[Lizette Koehler]

Most of that is propriety by IBM.

Not much you are going to find unless you can ask a very specific question.

Search REDBOOKS for info on CATALOG and SMS and DATASET and VSAM.

Lizette


> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Jake Anderson
> Sent: Tuesday, September 13, 2016 9:56 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Internals of Catalog
> 
> Hi
> 
> Can some one please explain the Catalog internals with respect to the VVDS and
> VTOC.
> 
> I am basically trying to understand the relationship from the catalog
> internals point of view.
> 
> Any documents or URL that might help ?
> 
> Jake
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM FTPS connect

[Mark Pace]

That was a big help, thank you.  I was able to confirm that all the correct
FMIDs were installed.  So I know it "should" work.
I also tried FWFRIENDLY TRUE  that didn't seem to make any difference.
Turned on DEBUG SOC.  So now I'll have to research the output.

> GET "/GIMPAF.XML" "/u/MP81136/test.content/GIMPAF.XML"
(REPLACE
>>> TYPE
I
200 Type set to
I.
Command:

SC1344 initDsConnection:
entered
>>>
EPSV

229 Entering Passive Mode
(|||65321|)
>>> RETR
/GIMPAF.XML
SC1981 connDsConnection:
entered
SC2075 connDsConnectionIPv4:
entered
GU4945 ftpSetApplData:
entered
150 Opening BINARY mode SSL data connection for
/GIMPAF.XML.
FU0388 protDataConn: secure_socket_init() failed with rc = 406 (Error while
read
ing or writing
data)
CG1959 SETCEC code =
17
TLS security mechanism negotiation failed - data connection
closed
SC2637 dataClose:
entered
425 ftpd: (data conn) SSL_accept unspecified
error
CG4118 rcvFile: rc -1 rc_write 0 rc_close
0
PC0921 setClientRC:
entered
PC0991 setClientRC: std_rc=16425, rc_type=STD,
rc=16425
Std Return Code = 16425, Error Code =
00017
>>>
QUIT

: Connection reset by
peer.
SC3358 endSession: entered
(sn=0F9EE7C8)
SC2637 dataClose:
entered


>
QUIT



On Tue, Sep 13, 2016 at 12:50 PM, Cieri, Anthony  wrote:

>
> For the record, there are several FMIDs that may be installed with
> the z/OS Security Lvl 3 and z/OS Communications Server Security lvl 3 may
> also be required. The FMIDs for Z/OS Security Lvl 3 at z/OS Version 1.13
> are:
>
> JCRY741
> JCPT3D1
> JSWK3D1
> JRLS3D1
>
> The FMID for z/OS Communications Server lvl 3 at z/OS Version
> 1.13.is:  (ask me how I know this!!!)
>
> JIP61DK
>
> You would most likely see errors in PAGENT and its associated
> tasks (like IKED) if you did NOT have these installed!!
>
> Since you appear to be getting a successful control connection
> established ad subsequently failing on the data connection, I would suspect
> a possible firewall issue. The error message provided:
>
> EZA1735I Std Return Code = 16425
>
> Indicates that the "get" command failed for one of the following
> reasons:
>
> 425: Can't open a data connection
> 425: Can't open a passive connection
> 425: Command terminated due to server shutdown in progress
> 425: Unable to open data connection
>
> HTH
> Tony
>
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Rob Schramm
> Sent: Tuesday, September 13, 2016 11:53 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: IBM FTPS connect
>
> The instructions for debugging connection issues indicates to run with
> debug soc which should provide some additional information.
>
> Rob Schramm
>
> On Tue, Sep 13, 2016, 11:10 AM Mark Pace  wrote:
>
> > I'll have to go check on the z/OS Security lvl 3 FMID.  I didn't
> > install this system, so I'm not sure.
> >
> > On Tue, Sep 13, 2016 at 9:12 AM, Tim Deller  wrote:
> >
> > > Perhaps the list of ciphers in the ftpdata file is too restrictive
> > > or maybe the z/OS Security Level 3 FMID is not installed.
> > >
> > > 
> > > -- For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO
> > > IBM-MAIN
> > >
> >
> >
> >
> > --
> > The postings on this site are my own and don’t necessarily represent
> > Mainline’s positions or opinions
> >
> > Mark D Pace
> > Senior Systems Engineer
> > Mainline Information Systems
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> --
>
> Rob Schramm
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM FTPS connect

[Jesse 1 Robinson]

I'm sure it's worth fixing FTPS--whatever that takes--but you might find HTTPS 
easier to manage. I use the latter because I have to: my proxy appliance does 
not understand TLS syntax. 

For the record, FTPS and SFTP are entirely different animals. SFTP is an open 
source protocol that evolved independently of FTP. FTPS is an extension of FTP 
with security added to it. Like I said, you may have better luck with HTTPS. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Mark Pace
Sent: Tuesday, September 13, 2016 8:08 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: IBM FTPS connect

Oh hell.  I don't know what any of that means.  I set it up using the 
directions from IBM on testing connectivity.
The ftp.data file contains.  So I assume it's AT-TLS. There must be something 
within TCPIP that I need to setup also.

SECURE_MECHANISM TLS
TLSRFCLEVEL  CCCNONOTIFY
TLSMECHANISM FTP
SECURE_FTP   REQUIRED
SECURE_CTRLCONN  CLEAR
SECURE_DATACONN  PRIVATE
KEYRING  MP81136/bexarftp
EPSV4TRUE

On Tue, Sep 13, 2016 at 11:01 AM, Rob Schramm  wrote:

> Is this implemented within FTPD or Policy Agent / AT-TLS?
>
> On Mon, Sep 12, 2016 at 12:28 PM Mark Pace  wrote:
>
> > I'm setting up FTPS on a 1.13 system and am a little confused by 
> > this sequence.  It logs on okay showing a secure connect.  But then 
> > it won't
> do
> > the actual download. So I'm confused if it's the certificate or not.
> >
> > 220 dhebpcb01 secure FTP server
> > ready.
> > EZA1701I >>> AUTH
> > TLS
> > 234
> > TLSv1
> >
> > EZA2895I Authentication negotiation
> > succeeded
> > EZA1701I >>> PBSZ
> > 0
> > 200
> > PBSZ=0
> >
> > EZA1701I >>> PROT
> > P
> > 200 PROT command
> > successful
> > EZA2906I Data connection protection is private EZA1459I NAME 
> > (deliverycb-bld.dhe.ibm.com:MP81136):
> >
> >
> >
> > >
> > B000
> >
> > EZA1701I >>> USER
> > B000
> > 331 Password required for
> > B000.
> > EZA1789I
> > PASSWORD:
> >
> >
> > >
> > *
> >
> > EZA1701I >>>
> > PASS
> > 230 Virtual user B000 logged
> > in.
> > EZA1460I
> > Command:
> >
> >
> > >
> > CCC
> >
> >
> >
> > >
> > BINARY
> >
> > EZA1701I >>>
> > CCC
> > 200 command channel
> > cleared.
> > EZA2905I Control connection protection is clear EZA1460I
> > Command:
> >
> >
> > > GET "/GIMPAF.XML" "/u/MP81136/test.content/GIMPAF.XML"
> > (REPLACE
> > EZA1701I >>> TYPE
> > I
> > 200 Type set to
> > I.
> > EZA1460I
> > Command:
> > EZA1701I >>>
> > EPSV
> > 229 Entering Passive Mode
> > (|||65045|)
> > EZA1701I >>> RETR
> > /GIMPAF.XML
> > 150 Opening BINARY mode SSL data connection for /GIMPAF.XML.
> > EZA2870I TLS security mechanism negotiation failed - data connection 
> > closed
> > 425 ftpd: (data conn) SSL_accept unspecified error EZA1735I Std 
> > Return Code = 16425, Error Code =
> > 00017
> > EZA1701I >>>
> > QUIT
> >
> > --
> > The postings on this site are my own and don’t necessarily represent 
> > Mainline’s positions or opinions
> >
> > Mark D Pace
> > Senior Systems Engineer
> > Mainline Information Systems


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS and code pages

[Charles Mills]

Isn't there some Japanese code page (Katakana) support in z/OS?

Some z/OS fields will take any bit value -- for example, the JOB statement 
Programmer Name field. For reasons unnecessary to this thread I have gone into 
Hex mode in ISPF and stored various unprintable values there, and everything 
works just fine. They show up in SMF 30 as entered. So you could put Étienne 
there.

You *might* be able to have ÉTIENNE as your RACF name (not userid, name) -- I 
have not tried.

z/OS DB2 -- I know, not what you asked -- has I believe excellent and full code 
page support including Unicode.

z/OS Unicode Services is all about code pages and so forth. The C compiler I 
think has some varying code page support. z/OS FTP supports code page 
specification. 

How about USS? Where is @Gil when you need him?

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tony Harminc
Sent: Tuesday, September 13, 2016 4:20 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OS and code pages

On 13 September 2016 at 19:09, zMan  wrote:
> This is probably a dumb question, but that's never stopped me before:

:-)

> If my name were "*Étienne*", would I be able to have that as a TSO userid?

No.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

z/OS and code pages

[zMan]

This is probably a dumb question, but that's never stopped me before:

If my name were "*Étienne*", would I be able to have that as a TSO userid?
Or would I have to suffer through just "*Etienne*", sans accent aigu?

Does the MVS side of z/OS "do" code pages in any meaningful way? I don't
mean in DB2 or some other application. I think I read that WTO really only
does code page 037, which suggests that the answer is "no".

Any pointers to doc welcome; of course "z/os" and "code page" (or
"codepage") gets a zillion hits, too many to be particularly useful.
-- 
zMan -- "I've got a mainframe and I'm not afraid to use it"

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS and code pages

[Tony Harminc]

On 13 September 2016 at 19:09, zMan  wrote:
> This is probably a dumb question, but that's never stopped me before:

:-)

> If my name were "*Étienne*", would I be able to have that as a TSO userid?

No.

> Or would I have to suffer through just "*Etienne*", sans accent aigu?

Yes. Or of course some other id entirely, since there is nothing in
place to reliably translate Étienne into Etienne if you are sending
userids between other systems (e.g. Windows) that do support "fancier"
characters, and z/OS.

> Does the MVS side of z/OS "do" code pages in any meaningful way? I don't
> mean in DB2 or some other application. I think I read that WTO really only
> does code page 037, which suggests that the answer is "no".

No, not really. RACF, in particular, effectively supports a small
subset of CP 037 only. There are specific and quite restrictive rules
for what byte values are allowed in userids, passwords, and password
phrases. (I say byte values rather then characters, because RACF
specifies the allowed characters this way, rather than in terms of
e.g. Unicode u+ or IBM GCGIDs.) There are also implicit
restrictions on other fields such as the user name. While an
authorized application program may well be able to write unsupported
byte values into the database, there is no real support in the RACF
commands for them, and results may get strange if you write an app
that does this.

> Any pointers to doc welcome; of course "z/os" and "code page" (or
> "codepage") gets a zillion hits, too many to be particularly useful.

The doc updates for RACF APAR OA43999 (in the z/OS 2.2 base doc) do
contain the allowable characters in passwords, and their hex values.
But I don't think there is really much, since z/OS, as you say,
doesn't really support code pages.

Tony H.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM FTPS connect

[Nims,Alva John (Al)]

To add my $0.02 of useless knowledge;
In your FTP.DATA file did you also code?

SECURE_MECHANISM  TLS
TLSRFCLEVELRFC4217

Just my $0.02 worth.  I am no expert when it comes to IBM's FTP, but I recently 
had to add those two to make a connection work.

Al Nims
University of Florida.
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Lizette Koehler
Sent: Tuesday, September 13, 2016 3:36 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IBM FTPS connect

Just a thought.  Kurt Q. has been helpful to folks offlist to resolve their FTP 
IBM issues.  You may wish to see if he will assist.  He really wants to be a 
smooth process and easy transition.

Lizette


> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
> On Behalf Of Mark Pace
> Sent: Tuesday, September 13, 2016 11:32 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: IBM FTPS connect
> 
> That was a big help, thank you.  I was able to confirm that all the 
> correct FMIDs were installed.  So I know it "should" work.
> I also tried FWFRIENDLY TRUE  that didn't seem to make any difference.
> Turned on DEBUG SOC.  So now I'll have to research the output.
> 
> > GET "/GIMPAF.XML" "/u/MP81136/test.content/GIMPAF.XML"
> (REPLACE
> >>> TYPE
> I
> 200 Type set to
> I.
> Command:
> 
> SC1344 initDsConnection:
> entered
> >>>
> EPSV
> 
> 229 Entering Passive Mode
> (|||65321|)
> >>> RETR
> /GIMPAF.XML
> SC1981 connDsConnection:
> entered
> SC2075 connDsConnectionIPv4:
> entered
> GU4945 ftpSetApplData:
> entered
> 150 Opening BINARY mode SSL data connection for /GIMPAF.XML.
> FU0388 protDataConn: secure_socket_init() failed with rc = 406 (Error 
> while read ing or writing
> data)
> CG1959 SETCEC code =
> 17
> TLS security mechanism negotiation failed - data connection closed
> SC2637 dataClose:
> entered
> 425 ftpd: (data conn) SSL_accept unspecified error
> CG4118 rcvFile: rc -1 rc_write 0 rc_close
> 0
> PC0921 setClientRC:
> entered
> PC0991 setClientRC: std_rc=16425, rc_type=STD,
> rc=16425
> Std Return Code = 16425, Error Code =
> 00017
> >>>
> QUIT
> 
> : Connection reset by
> peer.
> SC3358 endSession: entered
> (sn=0F9EE7C8)
> SC2637 dataClose:
> entered
> 
> 
> >
> QUIT
> 
> 
> 
> On Tue, Sep 13, 2016 at 12:50 PM, Cieri, Anthony  wrote:
> 
> >
> > For the record, there are several FMIDs that may be 
> > installed with the z/OS Security Lvl 3 and z/OS Communications 
> > Server Security lvl 3 may also be required. The FMIDs for Z/OS 
> > Security Lvl 3 at z/OS Version 1.13
> > are:
> >
> > JCRY741
> > JCPT3D1
> > JSWK3D1
> > JRLS3D1
> >
> > The FMID for z/OS Communications Server lvl 3 at z/OS Version
> > 1.13.is:  (ask me how I know this!!!)
> >
> > JIP61DK
> >
> > You would most likely see errors in PAGENT and its 
> > associated tasks (like IKED) if you did NOT have these installed!!
> >
> > Since you appear to be getting a successful control 
> > connection established ad subsequently failing on the data 
> > connection, I would suspect a possible firewall issue. The error message 
> > provided:
> >
> > EZA1735I Std Return Code = 16425
> >
> > Indicates that the "get" command failed for one of the 
> > following
> > reasons:
> >
> > 425: Can't open a data connection
> > 425: Can't open a passive connection
> > 425: Command terminated due to server shutdown in progress
> > 425: Unable to open data connection
> >
> > HTH
> > Tony
> >
> >
> >
> > -Original Message-
> > From: IBM Mainframe Discussion List 
> > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Rob Schramm
> > Sent: Tuesday, September 13, 2016 11:53 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: IBM FTPS connect
> >
> > The instructions for debugging connection issues indicates to run 
> > with debug soc which should provide some additional information.
> >
> > Rob Schramm
> >
> > On Tue, Sep 13, 2016, 11:10 AM Mark Pace  wrote:
> >
> > > I'll have to go check on the z/OS Security lvl 3 FMID.  I didn't 
> > > install this system, so I'm not sure.
> > >
> > > On Tue, Sep 13, 2016 at 9:12 AM, Tim Deller  wrote:
> > >
> > > > Perhaps the list of ciphers in the ftpdata file is too 
> > > > restrictive or maybe the z/OS Security Level 3 FMID is not installed.
> > > >

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS and code pages

[Cameron Conacher]

EBCDIC code page 930 supports Japanese kanji and single byte katakana

Sent from my iPhone

> On Sep 13, 2016, at 7:47 PM, Charles Mills  wrote:
> 
> Isn't there some Japanese code page (Katakana) support in z/OS?
> 
> Some z/OS fields will take any bit value -- for example, the JOB statement 
> Programmer Name field. For reasons unnecessary to this thread I have gone 
> into Hex mode in ISPF and stored various unprintable values there, and 
> everything works just fine. They show up in SMF 30 as entered. So you could 
> put Étienne there.
> 
> You *might* be able to have ÉTIENNE as your RACF name (not userid, name) -- I 
> have not tried.
> 
> z/OS DB2 -- I know, not what you asked -- has I believe excellent and full 
> code page support including Unicode.
> 
> z/OS Unicode Services is all about code pages and so forth. The C compiler I 
> think has some varying code page support. z/OS FTP supports code page 
> specification. 
> 
> How about USS? Where is @Gil when you need him?
> 
> Charles
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Tony Harminc
> Sent: Tuesday, September 13, 2016 4:20 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: z/OS and code pages
> 
>> On 13 September 2016 at 19:09, zMan  wrote:
>> This is probably a dumb question, but that's never stopped me before:
> 
> :-)
> 
>> If my name were "*Étienne*", would I be able to have that as a TSO userid?
> 
> No.
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: 2FA in the Real World

[Vince Coen]

Quest.

Seem to recall some other m/f products as well.  Toad ?

Vince


On 13/09/16 18:31, Steve wrote:
> NC-Pass was purchased some time ago by Dell, and I don't remember who wrote 
> itt
>  
>  
> Steve
> -Original Message-
> From: "Vince Coen" 
> Sent: Tuesday, September 13, 2016 1:23pm
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: 2FA in the Real World
>
>
>
> For me the problem is that it is a Dell product.
>
> Previous experience with them just leave a bitter taste in the mouth and
> one I have no intention of repeating.
>
> Vincent
>
>
> On 13/09/16 17:49, Steve wrote:
>> Is anyone in the real not government world using this product?
>>
>> [ https://software.dell.com/products/defender-mainframe-edition/ ]( 
>> https://software.dell.com/products/defender-mainframe-edition/ )
>>
>>
>> Steve

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Internals of Catalog

[Greg Dyck]

On 9/13/2016 11:55 AM, Jake Anderson wrote:

Can some one please explain the Catalog internals with respect to the VVDS
and VTOC.


At the 10,000 ft level...

The catalog is a VSAM KSDS dataset that (mostly) points to the volume 
containing the dataset.


The VTOC contains where on the volume, by cylinder and track, any 
datasets live, be they VSAM or non-VSAM.


The VVDS contains VSAM unique information for any VSAM datasets that are 
contained in the VTOC.


A VSAM catalog entry is actually a composite of the catalog, the VTOC, 
and the VVDS information merged together.


Regards,
Greg

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Internals of Catalog

[Gibney, Dave]

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of Greg Dyck
> Sent: Tuesday, September 13, 2016 1:14 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Internals of Catalog
> 
> On 9/13/2016 11:55 AM, Jake Anderson wrote:
> > Can some one please explain the Catalog internals with respect to the
> > VVDS and VTOC.
> 
> At the 10,000 ft level...
> 
> The catalog is a VSAM KSDS dataset that (mostly) points to the volume
> containing the dataset.
> 
> The VTOC contains where on the volume, by cylinder and track, any datasets
> live, be they VSAM or non-VSAM.
> 
> The VVDS contains VSAM unique information for any VSAM datasets that are
> contained in the VTOC.

For SMS datasets, the VVDS also contains some of the SMS related data for 
non-VSAM


> 
> A VSAM catalog entry is actually a composite of the catalog, the VTOC, and
> the VVDS information merged together.
> 
> Regards,
> Greg
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send email to
> lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IDCAMs DEF AIX authorization

[Pommier, Rex]

Dave,

First of all, I agree with you that the programmer shouldn't have been able to 
relate the AIX to the base cluster with only having read access to the base.  
But that being said, since they could relate them, why couldn't they run the 
BUILDIX command?  The BUILDIX doesn't update the base cluster, does it?  
Wouldn't read access to the base also have allowed the job to use that data to 
build the AIX?  Or does the BUILDIX somehow update the base?

Rex

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jousma, David
Sent: Tuesday, September 13, 2016 12:08 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

Steve, the user tried to do the build index, but failed on lack of access S913 
as he should have.The user *should* have then deleted his AIX, but didn’t, 
and left it hanging out there.   I suspect that the error was unintentional, as 
our application dataset naming conventions here, leave a little to be desired.  
*.TAT.* is test, *.PAT.* is PROD for this particular business application.   It 
is my guess, that the user forgot to change the PAT to TAT in the RELATE 
portion of the DEF AIX.

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Steve
Sent: Tuesday, September 13, 2016 11:51 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

The challenge you will have is that the user in question had authority to build 
the AIX and the PATH but did not do the BUILD.  And he could read the PRIMARY 
KSDS.

This is an apples and oranges discussion or a Catch-22.

-Original Message-
From: "Roach, Dennis" 
Sent: Tuesday, September 13, 2016 11:45am
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

Since it can, and did, cause a production outage, I voted for it.

I would think that a production outage would rate higher than a medium priority.

Dennis Roach, CISSP, PMP
AIG
IAM Access Administration – Consumer | Identity & Access Management

2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019
Phone:  713-831-8799

dennis.ro...@aig.com | www.aig.com 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jousma, David
Sent: Tuesday, September 13, 2016 9:09 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

I did open an RFE for this, if anyone wishes to vote on it, here is the info.

--
Notification generated at: 13 Sep 2016, 10:06 AM Eastern Time (ET)

ID:94515
Headline:Add SAF check on DEF AIX for 
RELATE Cluster
Submitted on:13 Sep 2016, 10:06 AM Eastern Time (ET)
Brand:  Servers and Systems Software
Product:  z/OS

Link:
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe_ID=94515

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jousma, David
Sent: Tuesday, September 13, 2016 9:49 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

Steve,  

That’s what I am seeing, and IBM just confirmed it.   I guess all we can do is 
give the contractor a slap on the hands, and move on.


IBM comments:

Basically, authorization checking is done against the AIX being defined (ALTER 
access to the AIX cluster name as shown in the table above) not the VSAM 
dataset the AIX relates to.  Checking against the related VSAM cluster will be 
done when accessed by BLDINDEX. 

So, this is working as intended and documented.  If you wish, you could open an 
'enhancement request' to have this behavior changed.  



_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Steve
Sent: Tuesday, September 13, 2016 9:33 AM
To: 

Re: SHARE Atlanta proceedings

[Art Gutowski]

On Sun, 14 Aug 2016 11:49:42 -0600, Mark Post  wrote:

 On 8/14/2016 at 06:17 AM, Art Gutowski  wrote: 
>> I went to San Antonio in March, and not a word about a DVD or an ISO image 
>> or 
>> anything.  Remember the Alamo?  Guess not.
>
>I made a query to SHARE Operations, and they said that the San Antonio 
>proceedings would also be an ISO image, but still needed a few touches to 
>be complete.

As of 9/2, the SHARE San Antonio proceedings ISO image is available.  I am 
downloading it now.  Self-extracting ZIP is 969MB.  For my part, much easier to 
d/l the whole kit and kaboodle than hunt and peck for "just" the session folks 
at my shop would be interested in.

I apologize if this is old news, but I didn't find a follow up post to this 
thread as of this writing.  I am, however, getting to the point where reading 
glasses are in my near, rather than distant future...

Regards,
Art Gutowski
General Motors, LLC

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Internals of Catalog

[Richard Pinion]

The VVDS contains VVR and NVR records.  VVR's describe VSAM data sets,
while NVR's describe non-VSAM data sets.



--- gregd...@pobox.com wrote:

From: Greg Dyck 
To:   IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Internals of Catalog
Date: Tue, 13 Sep 2016 15:13:37 -0500

On 9/13/2016 11:55 AM, Jake Anderson wrote:
> Can some one please explain the Catalog internals with respect to the VVDS
> and VTOC.

At the 10,000 ft level...

The catalog is a VSAM KSDS dataset that (mostly) points to the volume 
containing the dataset.

The VTOC contains where on the volume, by cylinder and track, any 
datasets live, be they VSAM or non-VSAM.

The VVDS contains VSAM unique information for any VSAM datasets that are 
contained in the VTOC.

A VSAM catalog entry is actually a composite of the catalog, the VTOC, 
and the VVDS information merged together.

Regards,
Greg

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN




_
Netscape.  Just the Net You Need.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS and code pages

[Paul Gilmartin]

On 2016-09-13 17:47, Charles Mills wrote:
> 
> z/OS Unicode Services is all about code pages and so forth. The C compiler I 
> think has some varying code page support. z/OS FTP supports code page 
> specification. 
> 
> How about USS? Where is @Gil when you need him?
> 
Sounds kinda like "Where's a cop when you need one?"

ISPF  3.17, like Samuel Johnson's politically incorrect dog, does
surprisingly well within the limits of the terminal code page.

Attaching a .pax which LISTSERV will discard, but you might get it
offlist.  Extract it on a desktop and view the members with a capable
editor such as TextWrangler, gedit, or notepad++.

(LISTSERV entirely rejected it.)

Now extract it on z/OS 2.2 being sure to preserve the extended attributes.
It should look like:

user@OS/390.25.00: ls -alTHE pages
total 96
drwxr-xr-x  2 User Group   8192 Sep 13 
19:07 .
drwxr-xr-x 29 User Group   8192 Sep 13 
19:07 ..
t UTF-8   T=on  -rw-r--r--  --s- lf 1 User Group   1434 Sep 13 
19:05 from_IBM-037
t UTF-8   T=on  -rw-r--r--  --s- lf 1 User Group   1435 Sep 13 
19:05 from_IBM-1047
t UTF-8   T=on  -rw-r--r--  --s- lf 1 User Group   1437 Sep 13 
19:05 from_IBM-1154
t UTF-8   T=on  -rw-r--r--  --s- lf 1 User Group   1434 Sep 13 
19:05 from_IBM-500
t UTF-8   T=on  -rw-r--r--  --s- lf 1 User Group   1436 Sep 13 
19:04 from_ISO8859-1
t UTF-8   T=on  -rw-r--r--  --s- lf 1 User Group   1437 Sep 13 
19:05 from_ISO8859-5
- untaggedT=off -rw-r--r--  --s-    1 User Group   1340 Sep 13 
19:05 raw_ASCII
- untaggedT=off -rw-r--r--  --s-    1 User Group   1339 Sep 13 
19:05 raw_EBCDIC

The payload is UTF-8; ISPF 3.17 should show all the characters your
terminal supports.  If you can switch your terminal to a different
code page, try that.  (xterm may have an option for 1154.)

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM-MAIN Digest - 11 Sep 2016 to 12 Sep 2016 (#2016-255)

[Edward Finnell]

There's a standard Lsoft web page at  listserv.ua.edu/archives/ibm-main.html
or follow directions at bottom of every posting.
 
 
In a message dated 9/13/2016 10:31:14 P.M. Central Daylight Time,  
zos.elliott.pic...@gmail.com writes:

>  Help


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS and code pages

[Charles Mills]

Sure, but does z/OS tolerate it? Can you use Katakana characters in passwords 
and userids?

Charles
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Cameron Conacher
Sent: Tuesday, September 13, 2016 4:56 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OS and code pages

EBCDIC code page 930 supports Japanese kanji and single byte katakana

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM-MAIN Digest - 11 Sep 2016 to 12 Sep 2016 (#2016-255)

[Mainframe Discussion]

> 
> Help

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Internals of Catalog

[Paul Schuster]

The IBM manual

z/OS
DFSMS Managing Catalogs

documents this very well.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Internals of Catalog

[Klaus Stanislawiak]

You may also want to look at Chapter 6 of the Redbook "ABCs of z/OS System 
Programming Volume 3":
http://www.redbooks.ibm.com/abstracts/sg246983.html?Open

HTH
Klaus Stanislawiak

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Internals of Catalog

[Jake Anderson]

Thanks

Basically I was looking how IBM catalog programes makes call with respect
to the VVDS and VTOC.

Just trying to understand internally how they synchronize and logics.

I am not trying to resolve anything but just curious if IBM has documented
anywhere.

On Sep 14, 2016 1:50 AM, "Richard Pinion"  wrote:

> The VVDS contains VVR and NVR records.  VVR's describe VSAM data sets,
> while NVR's describe non-VSAM data sets.
>
>
>
> --- gregd...@pobox.com wrote:
>
> From: Greg Dyck 
> To:   IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Internals of Catalog
> Date: Tue, 13 Sep 2016 15:13:37 -0500
>
> On 9/13/2016 11:55 AM, Jake Anderson wrote:
> > Can some one please explain the Catalog internals with respect to the
> VVDS
> > and VTOC.
>
> At the 10,000 ft level...
>
> The catalog is a VSAM KSDS dataset that (mostly) points to the volume
> containing the dataset.
>
> The VTOC contains where on the volume, by cylinder and track, any
> datasets live, be they VSAM or non-VSAM.
>
> The VVDS contains VSAM unique information for any VSAM datasets that are
> contained in the VTOC.
>
> A VSAM catalog entry is actually a composite of the catalog, the VTOC,
> and the VVDS information merged together.
>
> Regards,
> Greg
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
>
>
>
> _
> Netscape.  Just the Net You Need.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Bypassing s322

[Elardus Engelbrecht]

Peter wrote:

You've got good replies. Please check all of them!


>I am running which is a long running job but it keeps abending with s322.

How long? What is your TIME on JOB and/or EXEC statements?

Do you have any IEFUTL exit active? (D PROG,EXIT,EX=SYSSTC.IEFUTL,DIAG can help)
What is your JES2 JOBCLASS time definition?

Perhaps there are SMF and/or JES2 exits which enforce the time limit despite 
what you wrote on the JCL.

Oh, some JES2 exits may scan your JCL and modify TIME= at will if those exits 
are written to do that.


>I have used all the long running WLM initiators but still abends. 

I'm not sure WLM can influence that TIME, but I could be wrong.


>I am not sure if IEFUTL exit is restricting it.

Only if IEFUTL is active as per your SMFPRMxx and you have coded TIME= as 
others said.


>The error message doesn't produce much information to diagnose.

This is WAD.


>Is there a way to bypass any EXIT which might be timing out the Jobs ?

Yes, but if your datacenter enforced the installation of IEFUTL and JES2 
JOBCLASS and setup of SMFPRMxx, you may be SOL.

If I'm in charge, I would be a BOFH in no TIME= ... ;-)

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Converson of hex value to character

[Steve Smith]

Bernd Oppolzer's answer is the best, although I'd prefer to define the
fields so length overrides weren't needed:
ONEBYTE DS XL2
TWOBYTE DS CL3

Not that I'd likely use it for small fields, but the TROT instruction is
great at this.  It requires a 512-byte translate table though:

TROTTAB DC C'000102030405060708090A0B0C0D0E0F'
   DC C'101112...
...

Rob Scott posted this with more detail on the Assembler List a while back.

sas

On Tue, Sep 13, 2016 at 7:55 AM, don isenstadt 
wrote:

> I was interested in seeing a complete example.. here is one..
> http://www.z390.org/contest/p3/P3MM1.TXT
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
sas

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Converson of hex value to character

[don isenstadt]

I was interested in seeing a complete example.. here is one..
http://www.z390.org/contest/p3/P3MM1.TXT

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IDCAMs DEF AIX authorization

[Jousma, David]

I did open an RFE for this, if anyone wishes to vote on it, here is the info.

--
Notification generated at: 13 Sep 2016, 10:06 AM Eastern Time (ET)

ID:94515
Headline:Add SAF check on DEF AIX for 
RELATE Cluster
Submitted on:13 Sep 2016, 10:06 AM Eastern Time (ET)
Brand:  Servers and Systems Software
Product:  z/OS

Link:
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe_ID=94515

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jousma, David
Sent: Tuesday, September 13, 2016 9:49 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

Steve,  

That’s what I am seeing, and IBM just confirmed it.   I guess all we can do is 
give the contractor a slap on the hands, and move on.


IBM comments:

Basically, authorization checking is done against the AIX being defined (ALTER 
access to the AIX cluster name as shown in the table above) not the VSAM 
dataset the AIX relates to.  Checking against the related VSAM cluster will be 
done when accessed by BLDINDEX. 

So, this is working as intended and documented.  If you wish, you could open an 
'enhancement request' to have this behavior changed.  



_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Steve
Sent: Tuesday, September 13, 2016 9:33 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

AS I remember, DEF AIX and PATH only operate in the CAT.  The BLX would to the 
extract to the AIX 

-Original Message-
From: "Jousma, David" 
Sent: Tuesday, September 13, 2016 9:19am
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: IDCAMs DEF AIX authorization

All,

I've got a PMR open with IBM asking the question, but thought I'd also pass 
this by the brain trust on this list.   We recently had an off-shore contractor 
do a DEFINE AIX for a TEST dataset name, but RELATEd it to a PROD dataset name. 
  The process was allowed surprisingly.   Contractor only had read access to 
prod dataset.   The subsequent BLDINDEX did fail with security violation as 
expected.   Nightly processing of that prod file failed however due to the 
empty AIX.   Seems like DEF AIX should have been disallowed if the user didn't 
have the appropriate access for what it was related too?

Dave

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717

This e-mail transmission contains information that is confidential and may be 
privileged.
It is intended only for the addressee(s) named above. If you receive this 
e-mail in error, please do not read, copy or disseminate it in any manner.  If 
you are not the intended recipient, any disclosure, copying, distribution or 
use of the contents of this information is prohibited. Please reply to the 
message immediately by informing the sender that the message was misdirected. 
After replying, please erase it from your computer system. Your assistance in 
correcting this error is appreciated.




--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN


This e-mail transmission contains information that is confidential and may be 
privileged.   It is intended only for the addressee(s) named above. If you 
receive this e-mail in error, please do not read, copy or disseminate it in any 
manner. If you are not the intended recipient, any disclosure, copying, 
distribution or use of the contents of this information is prohibited. Please 
reply to the message immediately by informing the sender that the message was 
misdirected. After 

Re: Converson of hex value to character

[Bill Ashton]

Thank you for all these great suggestions. My needs are very simple in only
having to translate two different 1-byte fields, so Bernd's solution worked
out to be the easiest and quickest to use.

I will be saving these other ones, and like the macro idea as well as a
quick print using DFSORT (Thanks Kolusu!). If I get some time one day, I
will play with these other options to make sure I know how to use them when
it is necessary.

Thanks again!
Billy

On Tue, Sep 13, 2016 at 8:41 AM, Steve Smith  wrote:

> Bernd Oppolzer's answer is the best, although I'd prefer to define the
> fields so length overrides weren't needed:
> ONEBYTE DS XL2
> TWOBYTE DS CL3
>
> Not that I'd likely use it for small fields, but the TROT instruction is
> great at this.  It requires a 512-byte translate table though:
>
> TROTTAB DC C'000102030405060708090A0B0C0D0E0F'
>DC C'101112...
> ...
>
> Rob Scott posted this with more detail on the Assembler List a while back.
>
> sas
>
> On Tue, Sep 13, 2016 at 7:55 AM, don isenstadt 
> wrote:
>
> > I was interested in seeing a complete example.. here is one..
> > http://www.z390.org/contest/p3/P3MM1.TXT
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
>
>
>
> --
> sas
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
Thank you and best regards,
*Billy Ashton*

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IDCAMs DEF AIX authorization

[Jousma, David]

Steve,  

That’s what I am seeing, and IBM just confirmed it.   I guess all we can do is 
give the contractor a slap on the hands, and move on.


IBM comments:

Basically, authorization checking is done against the AIX being defined (ALTER 
access to the AIX cluster name as shown in the table above) not the VSAM 
dataset the AIX relates to.  Checking against the related VSAM cluster will be 
done when accessed by BLDINDEX. 

So, this is working as intended and documented.  If you wish, you could open an 
'enhancement request' to have this behavior changed.  



_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Steve
Sent: Tuesday, September 13, 2016 9:33 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IDCAMs DEF AIX authorization

AS I remember, DEF AIX and PATH only operate in the CAT.  The BLX would to the 
extract to the AIX 

-Original Message-
From: "Jousma, David" 
Sent: Tuesday, September 13, 2016 9:19am
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: IDCAMs DEF AIX authorization

All,

I've got a PMR open with IBM asking the question, but thought I'd also pass 
this by the brain trust on this list.   We recently had an off-shore contractor 
do a DEFINE AIX for a TEST dataset name, but RELATEd it to a PROD dataset name. 
  The process was allowed surprisingly.   Contractor only had read access to 
prod dataset.   The subsequent BLDINDEX did fail with security violation as 
expected.   Nightly processing of that prod file failed however due to the 
empty AIX.   Seems like DEF AIX should have been disallowed if the user didn't 
have the appropriate access for what it was related too?

Dave

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717

This e-mail transmission contains information that is confidential and may be 
privileged.
It is intended only for the addressee(s) named above. If you receive this 
e-mail in error, please do not read, copy or disseminate it in any manner.  If 
you are not the intended recipient, any disclosure, copying, distribution or 
use of the contents of this information is prohibited. Please reply to the 
message immediately by informing the sender that the message was misdirected. 
After replying, please erase it from your computer system. Your assistance in 
correcting this error is appreciated.




--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN


This e-mail transmission contains information that is confidential and may be 
privileged.   It is intended only for the addressee(s) named above. If you 
receive this e-mail in error, please do not read, copy or disseminate it in any 
manner. If you are not the intended recipient, any disclosure, copying, 
distribution or use of the contents of this information is prohibited. Please 
reply to the message immediately by informing the sender that the message was 
misdirected. After replying, please erase it from your computer system. Your 
assistance in correcting this error is appreciated.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Bypassing s322

[John Eells]

For historical reasons lost in the Mists of Time, the explanations for 
z/OS BCP system abends are in System Codes, while those for DFSMS abends 
are in System Messages.  (It took me years to realize why I always 
seemed to be looking in the wrong place!)


Basically, for batch jobs, if you do not specify TIME, it will be taken 
from the TIME specified on the JOBCLASS statement (JES2) or its default, 
30 minutes if TIME has not been specified on JOBCLASS.  (There is a JES3 
equivalent that I no longer recall and did not look up.)


If there is an IEFUTL exit, it can modify the TIME value based on any 
data accessible to the exit when it runs.  Because we don't know what 
people might be testing for to allow or disallow more time in the exit 
(or, for that matter, to increase the time!), your local batch job 
standards document or system programmer are the sources of information 
about how to get IEFUTL to allow more time.


Although System Codes does not mention IEFUTL for some reason (I have 
submitted an RCF), it does cover the other reasons:


322
Explanation: One of the following occurred:
O - The system took a longer time to run a job, job step, or procedure 
than the time specified in one of the following:

  – The TIME parameter of the EXEC or JOB statement
  – The standard time limit specified in the job entry subsystem
O - For a started task under the master subsystem, the TIME parameter 
was not specified on the PROC statement of the catalogued procedure, and 
the PPT entry did not indicate a system task


System action: The system abnormally ends the job, job step, or procedure.

Programmer response: If the TIME parameter was not specified on the PROC 
statement of the catalogued procedure, add the TIME parameter or add a 
PPT entry for the PGM parameter. Otherwise, check for program errors. If 
none exist, specify a longer time in the TIME parameter. Then run the 
job again.


Source: System Management Facilities (SMF)

Peter wrote:

Hello

I am running which is a long running job but it keeps abending with s322. I
have used all the long running WLM initiators but still abends. I am not
sure if IEFUTL exit is restricting it.

The error message doesn't produce much information to diagnose.

Is there a way to bypass any EXIT which might be timing out the Jobs ?




--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Bypassing s322

[Vernooij, Kees (ITOPT1) - KLM]

IEFUTL only acts when you exceed the TIME= value supplied to your job. Did you 
try to overrule the default value with either a reasonable value or NOLIMIT?

Kees.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Steve
Sent: 13 September, 2016 15:23
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Bypassing s322

About the only way is to pull out the exit or add a FASTAUTH for some widget

Steve

-Original Message-
From: "John McKown" 
Sent: Tuesday, September 13, 2016 9:19am
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Bypassing s322

Have you tried TIME=1440 on the job card? Or, if you like the more recent
way, TIME=NOLIMIT . As Kees said, this may be disallowed at your shop. You
might need to ask your sysprog, if you are not one yourself. There is not a
way for a job to say the equivalent of "this job should not be controlled
by the ... system exit". That would be just silly because I know a lot of
people who'd use it in all their jobs and say "nasty" things if anyone
called them out about it. One programmer learned, the hard way, not to piss
off a BOFH type sysprog (me).

On Tue, Sep 13, 2016 at 8:05 AM, Peter  wrote:

> Hello
>
> I am running which is a long running job but it keeps abending with s322. I
> have used all the long running WLM initiators but still abends. I am not
> sure if IEFUTL exit is restricting it.
>
> The error message doesn't produce much information to diagnose.
>
> Is there a way to bypass any EXIT which might be timing out the Jobs ?
>
> Peter
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
Unix: Some say the learning curve is steep, but you only have to climb it
once. -- Karl Lehenbauer
Unicode: http://xkcd.com/1726/

Maranatha! <><
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

For information, services and offers, please visit our web site: 
http://www.klm.com. This e-mail and any attachment may contain confidential and 
privileged material intended for the addressee only. If you are not the 
addressee, you are notified that no part of the e-mail or any attachment may be 
disclosed, copied or distributed, and that any other action related to this 
e-mail or attachment is strictly prohibited, and may be unlawful. If you have 
received this e-mail by error, please notify the sender immediately by return 
e-mail, and delete this message. 

Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its 
employees shall not be liable for the incorrect or incomplete transmission of 
this e-mail or any attachments, nor responsible for any delay in receipt. 
Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch 
Airlines) is registered in Amstelveen, The Netherlands, with registered number 
33014286




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Bypassing s322

[John McKown]

On Tue, Sep 13, 2016 at 8:50 AM, John Eells  wrote:

> For historical reasons lost in the Mists of Time,


​Oh, good one :-) but wouldn't that be Mists of TIME=?​



> the explanations for z/OS BCP system abends are in System Codes, while
> those for DFSMS abends are in System Messages.  (It took me years to
> realize why I always seemed to be looking in the wrong place!)
>
> ​
>


-- 
Unix: Some say the learning curve is steep, but you only have to climb it
once. -- Karl Lehenbauer
Unicode: http://xkcd.com/1726/

Maranatha! <><
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Bypassing s322

[Peter]

Hello

I am running which is a long running job but it keeps abending with s322. I
have used all the long running WLM initiators but still abends. I am not
sure if IEFUTL exit is restricting it.

The error message doesn't produce much information to diagnose.

Is there a way to bypass any EXIT which might be timing out the Jobs ?

Peter

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

IDCAMs DEF AIX authorization

[Jousma, David]

All,

I've got a PMR open with IBM asking the question, but thought I'd also pass 
this by the brain trust on this list.   We recently had an off-shore contractor 
do a DEFINE AIX for a TEST dataset name, but RELATEd it to a PROD dataset name. 
  The process was allowed surprisingly.   Contractor only had read access to 
prod dataset.   The subsequent BLDINDEX did fail with security violation as 
expected.   Nightly processing of that prod file failed however due to the 
empty AIX.   Seems like DEF AIX should have been disallowed if the user didn't 
have the appropriate access for what it was related too?

Dave

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717

This e-mail transmission contains information that is confidential and may be 
privileged.
It is intended only for the addressee(s) named above. If you receive this 
e-mail in error,
please do not read, copy or disseminate it in any manner.  If you are not the 
intended 
recipient, any disclosure, copying, distribution or use of the contents of this 
information
is prohibited. Please reply to the message immediately by informing the sender 
that the 
message was misdirected. After replying, please erase it from your computer 
system. Your 
assistance in correcting this error is appreciated.




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Two running job program name discovery questions

[Charles Mills]

Thanks,

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Peter Relson
Sent: Tuesday, September 13, 2016 5:54 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Two running job program name discovery questions

SMF30PGM: the source is not a programming interface field. It is not the
RB's CDE's CDNAME field.

SMF30_Highest_Task_CPU_Program: The CDNAME field from the CDE from the
oldest RB for the particular task if there is a CDE for that RB. If there is
no CDE for that RB, then 8 question-marks or blanks; the code suggests that
the case of "blanks" should never happen, but is there "just in case".

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Bypassing s322

[Steve]

About the only way is to pull out the exit or add a FASTAUTH for some widget

Steve

-Original Message-
From: "John McKown" 
Sent: Tuesday, September 13, 2016 9:19am
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Bypassing s322

Have you tried TIME=1440 on the job card? Or, if you like the more recent
way, TIME=NOLIMIT . As Kees said, this may be disallowed at your shop. You
might need to ask your sysprog, if you are not one yourself. There is not a
way for a job to say the equivalent of "this job should not be controlled
by the ... system exit". That would be just silly because I know a lot of
people who'd use it in all their jobs and say "nasty" things if anyone
called them out about it. One programmer learned, the hard way, not to piss
off a BOFH type sysprog (me).

On Tue, Sep 13, 2016 at 8:05 AM, Peter  wrote:

> Hello
>
> I am running which is a long running job but it keeps abending with s322. I
> have used all the long running WLM initiators but still abends. I am not
> sure if IEFUTL exit is restricting it.
>
> The error message doesn't produce much information to diagnose.
>
> Is there a way to bypass any EXIT which might be timing out the Jobs ?
>
> Peter
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
Unix: Some say the learning curve is steep, but you only have to climb it
once. -- Karl Lehenbauer
Unicode: http://xkcd.com/1726/

Maranatha! <><
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IDCAMs DEF AIX authorization

[Steve]

AS I remember, DEF AIX and PATH only operate in the CAT.  The BLX would to the 
extract to the AIX 

-Original Message-
From: "Jousma, David" 
Sent: Tuesday, September 13, 2016 9:19am
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: IDCAMs DEF AIX authorization

All,

I've got a PMR open with IBM asking the question, but thought I'd also pass 
this by the brain trust on this list.   We recently had an off-shore contractor 
do a DEFINE AIX for a TEST dataset name, but RELATEd it to a PROD dataset name. 
  The process was allowed surprisingly.   Contractor only had read access to 
prod dataset.   The subsequent BLDINDEX did fail with security violation as 
expected.   Nightly processing of that prod file failed however due to the 
empty AIX.   Seems like DEF AIX should have been disallowed if the user didn't 
have the appropriate access for what it was related too?

Dave

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717

This e-mail transmission contains information that is confidential and may be 
privileged.
It is intended only for the addressee(s) named above. If you receive this 
e-mail in error,
please do not read, copy or disseminate it in any manner.  If you are not the 
intended 
recipient, any disclosure, copying, distribution or use of the contents of this 
information
is prohibited. Please reply to the message immediately by informing the sender 
that the 
message was misdirected. After replying, please erase it from your computer 
system. Your 
assistance in correcting this error is appreciated.




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: What is the STCB?

[Steve Smith]

That seems like an understandable confusion, considering how many TCB
pointers there are in a TCB.  btw, the OTCB is not a TCB, either.

sas

On Mon, Sep 12, 2016 at 11:29 AM, Charles Mills  wrote:

> Thanks all. Thanks @John for the link. Duh -- I did not realize it was its
> own named control block -- I was thinking of it as "another TCB" analogous
> to JSTCB -- the same layout as a TCB DSECT, but with some special
> significance.
>
> Charles
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Tony Harminc
> Sent: Monday, September 12, 2016 8:17 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: What is the STCB?
>
> On 12 September 2016 at 10:16, Charles Mills  wrote:
> > What is the STCB? For example,
> >
> > 312 (138) ADDRESS 4 TCBSTCB ADDRESS OF STCB
>
> General purpose above-the-line extension of the TCB, conforming to more
> modern standards (eyecatcher, 31-bit clean pointers, etc.)
>
> It's been around long anough that I find a number of fields routinely
> useful for debugging. And a couple even during normal operation, e.g.
> STCBOTCB.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
sas

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Two running job program name discovery questions

[Peter Relson]

SMF30PGM: the source is not a programming interface field. It is not the 
RB's CDE's CDNAME field.

SMF30_Highest_Task_CPU_Program: The CDNAME field from the CDE from the 
oldest RB for the particular task if there is a CDE for that RB. If there 
is no CDE for that RB, then 8 question-marks or blanks; the code suggests 
that the case of "blanks" should never happen, but is there "just in 
case".

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM FTPS connect

[Tim Deller]

Perhaps the list of ciphers in the ftpdata file is too restrictive or maybe the 
z/OS Security Level 3 FMID is not installed.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Bypassing s322

[Vernooij, Kees (ITOPT1) - KLM]

The S322 abend occurs when the TIME= on the JOB or EXEC statement is exceeded. 
So the job does have one and you must be able to find out where it originates 
from, possibly from JES2PARM JOBCLASS statement.
You can override the time with the TIME=nnn or TIME=NOLIMIT parameter (if exits 
allow this).

Kees.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Peter
Sent: 13 September, 2016 15:05
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Bypassing s322

Hello

I am running which is a long running job but it keeps abending with s322. I
have used all the long running WLM initiators but still abends. I am not
sure if IEFUTL exit is restricting it.

The error message doesn't produce much information to diagnose.

Is there a way to bypass any EXIT which might be timing out the Jobs ?

Peter

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

For information, services and offers, please visit our web site: 
http://www.klm.com. This e-mail and any attachment may contain confidential and 
privileged material intended for the addressee only. If you are not the 
addressee, you are notified that no part of the e-mail or any attachment may be 
disclosed, copied or distributed, and that any other action related to this 
e-mail or attachment is strictly prohibited, and may be unlawful. If you have 
received this e-mail by error, please notify the sender immediately by return 
e-mail, and delete this message. 

Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its 
employees shall not be liable for the incorrect or incomplete transmission of 
this e-mail or any attachments, nor responsible for any delay in receipt. 
Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch 
Airlines) is registered in Amstelveen, The Netherlands, with registered number 
33014286




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

FW: FTP_NEEDS_CONNECTION return From EZAFTPKS interface

[Joe Reichman]

Hi

 

I originally posted on the TCP/IP list but saw FTP issues on IBMMAIN 

 

From: Joe Reichman [mailto:reichman...@gmail.com] 
Sent: Tuesday, September 13, 2016 8:21 AM
To: 'ibmtc...@vm.marist.edu' 
Subject: FTP_NEEDS_CONNECTION return From EZAFTPKS interface

 

Hi

 

I got the above error from EZAFTPKS interface

I get a successful return code from INIT

Open

User name Password

 

But I Fail on PUT with the above error code

 

I have a batch FTP job which successfully transferred a file to my windows
PC 

 

Thanks


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Bypassing s322

[John McKown]

Have you tried TIME=1440 on the job card? Or, if you like the more recent
way, TIME=NOLIMIT . As Kees said, this may be disallowed at your shop. You
might need to ask your sysprog, if you are not one yourself. There is not a
way for a job to say the equivalent of "this job should not be controlled
by the ... system exit". That would be just silly because I know a lot of
people who'd use it in all their jobs and say "nasty" things if anyone
called them out about it. One programmer learned, the hard way, not to piss
off a BOFH type sysprog (me).

On Tue, Sep 13, 2016 at 8:05 AM, Peter  wrote:

> Hello
>
> I am running which is a long running job but it keeps abending with s322. I
> have used all the long running WLM initiators but still abends. I am not
> sure if IEFUTL exit is restricting it.
>
> The error message doesn't produce much information to diagnose.
>
> Is there a way to bypass any EXIT which might be timing out the Jobs ?
>
> Peter
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
Unix: Some say the learning curve is steep, but you only have to climb it
once. -- Karl Lehenbauer
Unicode: http://xkcd.com/1726/

Maranatha! <><
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN