Re: TSO Setup on SSH

2016-11-22 Thread venkat kulkarni
Thanks to all. After receiving all the replies from the experts and from the manual, my understanding now is that I should use SSL port 992 with a self-signed certificate to enable SSL on TSO. Please correct me if I am going in the wrong direction. Also, please help me to find the difference between tn3270 and tn3270e and

Re: IZUSEC job

2016-11-22 Thread גדי בן אבי
SMP/E doesn't have an object type called JOB or JCL. SRC didn't find anything. Gadi -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Itschak Mugzach Sent: Wednesday, November 23, 2016 9:17 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re:

Re: IZUSEC job

2016-11-22 Thread Itschak Mugzach
Gadi. Ask smp. If there is a job with this name, smp knows it. Itschak On 23 Nov 2016 09:14, "גדי בן אבי" wrote: > I looked in SIZUJCL. > It's not there :-( > Gadi > > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On >

Re: IZUSEC job

2016-11-22 Thread גדי בן אבי
I looked in SIZUJCL. It's not there :-( Gadi -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Elardus Engelbrecht Sent: Wednesday, November 23, 2016 8:57 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: IZUSEC job GADI wrote: >I am

Re: HSM question

2016-11-22 Thread Elardus Engelbrecht
Tony Thigpen wrote: >Once a week, HSM performs an AUTOBACKUP. Until about 3 months ago, if nobody >was at the shop, HSM would ask for an exiting tape, wait 10 minutes, and if no >tape was mounted, it would ask "Can tape be mounted?". If our remote operator >replied 'N', then HSM would use a

Re: IZUSEC job

2016-11-22 Thread Elardus Engelbrecht
GADI wrote: >I am trying to configure z/OSMF for the first time. Good luck. This is a horrible, but manageable task. Easier than OMEGAMON of course... ;-) >I can't find the IZUSEC job that created the security definitions for z/OSMF. IBM should have given you a copy of dataset IZU.SIZUJCL

Re: Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread Elardus Engelbrecht
Tony Thigpen wrote: >> 1) System programmers had two logons. One "normal" and one "higher". The >> "normal" userid still had some privileged access, but nothing like the >> "higher" userid which had basically unlimited access. >> 2) Additional audit trails were created for the "higher" userid.

IZUSEC job

2016-11-22 Thread גדי בן אבי
Hi, I am trying to configure z/OSMF for the first time. I can’t find the IZUSEC job that created the security definitions for z/OSMF. z/OSMF was installed as part of z/OS using ServerPac. z/OS and z/OSMF are v2.1 Gadi Please note, in accordance with the procedures of Malam Systems Ltd. and/or any subsidiary and/or affiliated company

List Entries without Alias in Master Catalog(excluding system/io/page datasets)

2016-11-22 Thread Ravi Gaur
Been thinking various ways to explore/list the datasets which somehow (obviously security/racf in place however considering unexpected situation) how to list the entries from master catalog which do not have alias defined/relate to user catalog ...so basically directly connected in master

Re: HSM question

2016-11-22 Thread Lizette Koehler
So some basic questions 1) What version of z/OS? 2) If you do a F dfhsmtaskname,Q SETSYS does it show the same info as the ARCCMDxx member? 3) What is the specific messages you are seeing during autobackup? Lizette > -Original Message- > From: IBM Mainframe Discussion List

Re: Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread Edward Finnell
Or has had their data center blown up-vault and all! Can you say 'single point of failure'? In a message dated 11/22/2016 7:51:28 P.M. Central Standard Time, 0041d919e708-dmarc-requ...@listserv.ua.edu writes: Not just from some manager who doesn't know Mainframes, but some manager

Re: Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread Thomas Kern
Not just from some manager who doesn't know Mainframes, but some manager that has never had the responsibility of operating a real computer system for production purposes, especially in an Enterprise size data center. /Tom kern On 11/22/2016 13:43, william janulin wrote: Sounds like the

HSM question

2016-11-22 Thread Tony Thigpen
HSM is not my ballgame, but I am tasked with figuring out this puzzle, so bear with me. As for background, the shop attempts to run lights-out 24/7. Once a week, HSM performs an AUTOBACKUP. Until about 3 months ago, if nobody was at the shop, HSM would ask for an exiting tape, wait 10

Re: Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread Lester, Bob
For a while, about 15 years ago, we had "firecall" IDs. When you logged in, it prompted you for information that, in turn, updated RACF with Name, expiration, etc. These IDs were kept in paper form, in the Data Center Manager's office. Of course, you had to jump thru the flaming hoops of

Re: Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread Charles Mills
Isn't this a violation of PCI DSS? "10.1 Implement audit trails to link all access to system components to each individual user." Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Bigendian Smalls Sent: Tuesday, November 22,

Re: Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread Jeremy Nicoll
On Tue, 22 Nov 2016, at 18:44, Tony Thigpen wrote: > As usual, some pc based person only thinks of the way their world works. > > I have been through multiple audits at multiple companies where they > accepted that: > 1) System programmers had two logons. One "normal" and one "higher". The >

Re: Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread Rugen, Len
At a minimum, I think an IT auditor would require a method of joining who owns one of these id's when, so the mainframe logs (and any other system) can know the real "who" did something. What about long running tasks? Can I start a session that outlives my lease on the ID? I bet my task

Re: TSO Setup on SSH

2016-11-22 Thread Kirk Wolf
The scripting for x3270 is basically just automation control. I don't really understand why there would be a performance issue or concern. http://x3270.bgp.nu/Unix/x3270-script.html Here's an example that I did that logs into TSO with a password/passticket supplied in an environment variable:

Re: Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread Jousma, David
This is pretty close to how we operate too. While we are not yet to the vaulting stage for the god ID's. They are working hard to push everything we do in the PROD environment into a Change record. Things that used to fall into "systems administration" gray area. In the past, if we had to

Re: REXX determine library that is executed from

2016-11-22 Thread John McKown
On Tue, Nov 22, 2016 at 2:47 PM, Robert Prins wrote: > On 2016-11-22 18:31, Donald Likens wrote: > >> I failed to mention that when using EXEC 'rexx.library'. (where >> 'rexx.library' contains member TEMPNAME.) >> >> I am thinking about looking at the output of LISTA but not

Re: REXX determine library that is executed from

2016-11-22 Thread Robert Prins
On 2016-11-22 18:31, Donald Likens wrote: I failed to mention that when using EXEC 'rexx.library'. (where 'rexx.library' contains member TEMPNAME.) I am thinking about looking at the output of LISTA but not sure it is worth the effort. If anyone else has a need for this capability I may be able

Re: Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread Tony Thigpen
As usual, some pc based person only thinks of the way their world works. I have been through multiple audits at multiple companies where they accepted that: 1) System programmers had two logons. One "normal" and one "higher". The "normal" userid still had some privileged access, but nothing

Re: Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread william janulin
Sounds like the brainchild of this project came from some management type that has no clue about mainframes. Usually ideas like that come from those types. On Tuesday, November 22, 2016 1:37 PM, Bigendian Smalls wrote: This is something I hadn’t heard

Re: [EXTERNAL] Re: REXX determine library that is executed from

2016-11-22 Thread Dyck, Lionel B. (TRA)
Here is my contribution - it is a rexx exec that will check the STEPLIB (or provided ddname) for apf authorization. It uses the console interface to get the apf list and then uses lista to find the dsnames in the allocation. The challenge is that lista does not provide the volser so the

Re: Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread Bigendian Smalls
This is something I hadn’t heard much about, but a couple questions come to mind - for anyone who has thought about or implemented this: 1) If you have a pool of IDs, then are you losing granularity with which you might want to assign privileges? Meaning you now have to have IDs that have

Re: REXX determine library that is executed from

2016-11-22 Thread Donald Likens
I failed to mention that when using EXEC 'rexx.library'. (where 'rexx.library' contains member TEMPNAME.) I am thinking about looking at the output of LISTA but not sure it is worth the effort. If anyone else has a need for this capability I may be able to work something out and post it.

Re: Which STEPLIB concatenation is not authorized?

2016-11-22 Thread Charles Mills
You know what I am thinking of doing? Yes, it would be great to loop through all of the concatenations of STEPLIB and display the APF status of each. More time than I can justify at this moment. But what about the following? Wouldn't this solve the problem? A very simple program that would open

Re: Which STEPLIB concatenation is not authorized?

2016-11-22 Thread John McKown
On Tue, Nov 22, 2016 at 11:35 AM, Charles Mills wrote: > > And those for whom this too complicated: don't touch a z/OS system until > you have covered the dummies course. > > I'll tell the support staff to start telling that to the POCs. I'm sure the > sales team will be

Re: Which STEPLIB concatenation is not authorized?

2016-11-22 Thread Charles Mills
> And those for whom this too complicated: don't touch a z/OS system until you have covered the dummies course. I'll tell the support staff to start telling that to the POCs. I'm sure the sales team will be pleased. Charles -Original Message- From: IBM Mainframe Discussion List

Re: Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread Steve
Part 2 of the Story is that once all the bugs are fixed/ironed out, ANYONE with a privileged USERID ID will have to LOGON Using CyberArk just to do their daily work. This includes SECURITY, and SYSPROGS Steve Beaver

Re: Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread Steve
Jim - You just hit my ballpark We have tried out CA and CyberArk. We opted for CyberArk, however they have absolutely no idea what TN3270 is. CyberArk has attempted to write their own TN3270 using open Source and it's a disaster. There was a call today with CyberArk and they were told to

Re: Which STEPLIB concatenation is not authorized?

2016-11-22 Thread Ed Jaffe
On 11/22/2016 5:06 AM, Peter Relson wrote: What the system has, and could return (indeed does provide to the CSVFETCH exit as of z/OS 2.2) is the UCB address and CCHH of the data set. I don't claim to know exactly how, but you can get from that to the data set name. An enhancement could be made

Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread James Peddycord
NTAC:3NS-20 Our company is undergoing a project to 'protect privileged access' by using a password vaulting product. We have been doing this for quite some time for applications teams who require higher levels of access to production datasets for problem resolution, installs, etc. The way it

Re: Catalogs in a SYSPLEX

2016-11-22 Thread van der Grijn, Bart (B)
We run two sysplexes of about 12 LPARs each (NonProd vs Prod). Both plexes have a single mcat shared across the plex (but not between plexes). We've upgraded these from release to release over the last 10 years and never had to use a second master catalog. In fact, I just checked our NonProd

Re: TSO Setup on SSH

2016-11-22 Thread Martin Packer
I use x3270 all the time. And I've made widespread use of custom key sequences to make me more productive. So far so good. Kirk, you mentioned scripting. I've only had limited success with that. One day I'll persist. :-) But the reason for leaping in is to ask whether - in anyone on the list's

Re: TSO Setup on SSH

2016-11-22 Thread Kirk Wolf
There are a bunch of pieces that I would have to externalize; maybe some day. I don't really find x3270 all that objectionable. It's fairly easy to customize and the scripting works fine. Granted, I don't use it that much; most of my z/OS work is from a shell. Kirk Wolf Dovetailed Technologies

Re: IBM FTPS connect

2016-11-22 Thread Kurt Quackenbush
On 11/18/2016 9:32 AM, Mark Pace wrote: Great minds. I created an Shopz order for an RSU yesterday. Still having problems with Data connection. Customer tried several changes on their firewall without any luck. They are now going to the vendor to try to figure why it isn't working. Good

Re: TSO Setup on SSH

2016-11-22 Thread John McKown
On Tue, Nov 22, 2016 at 9:01 AM, Kirk Wolf wrote: > > > > We do something like this from our Linux workstations. I wrote a script > that makes an ssh connection (authenticating with a private key from a > password safe) and over this connection it runs a z/OS UNIX command

Re: TSO Setup on SSH

2016-11-22 Thread Kirk Wolf
On Tue, Nov 22, 2016 at 12:03 AM, Jack J. Woehr wrote: > > SSH and secure Telnet3270E essentially use the same security technology, > that is, OpenSSL. > z/OS OpenSSH does include some of the EVP crypto code from OpenSSL for Ciphers and MACs, etc, but it doesn't use any "SSL" or

Re: New SDSF Function for APF/PARM/PAG/ etc. (was Which STEPLIB concatenation is not authorized?)

2016-11-22 Thread Richards, Robert B.
Plus three new ones: AS, DYNX and PROC The enhancements are available through functional PTFs, as listed in Table 4. Check the software status before installing the PTFs to ensure that you have the latest maintenance. Table 4 PTF information The z/OS V1.13 PTFs are toleration only. The new

New SDSF Function for APF/PARM/PAG/ etc. (was Which STEPLIB concatenation is not authorized?)

2016-11-22 Thread Lizette Koehler
Just in case someone might be interested in this new function in SDSF at z/OS V2.1 and V2.2 Lizette > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Lizette Koehler > Sent: Tuesday, November 22, 2016 7:36 AM > To:

Re: Which STEPLIB concatenation is not authorized?

2016-11-22 Thread Lizette Koehler
Actually this can be in z/OS V2.1 with a PTF APAR Identifier .. PI60831 Last Changed 16/07/04 NEW FUNCTION Symptom .. NF NEW FUNCTION Status ... CLOSED UR1 Severity ... 4 Date Closed . 16/06/13 Component ..

Re: Catalogs in a SYSPLEX

2016-11-22 Thread Allan Staller
" Prior to this job I worked at a shop where we supported sysplexes from a single system to up to 10 LPARs in a single sysplex. The master catalogs were not shared , I think I would put forth one big reason for not sharing the master catalog, would be system upgrades, when we went through the

Re: Which STEPLIB concatenation is not authorized?

2016-11-22 Thread Vernooij, Kees (ITOPT1) - KLM
I didn't know that one, but now I see I also have it in 2.1 Kees. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Marchant Sent: 22 November, 2016 14:53 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Which STEPLIB concatenation is not

Re: Which STEPLIB concatenation is not authorized?

2016-11-22 Thread Tom Marchant
On Tue, 22 Nov 2016 13:28:14 +, Vernooij, Kees wrote: >Take your libraries and check them against D PROG,APF and you >know what you're looking for. And if you are at z/OS 2.2, the APF command in SDSF is even easier, because the list is sorted by DSNAME. -- Tom Marchant

Re: Catalogs in a SYSPLEX

2016-11-22 Thread Tom Marchant
On Mon, 21 Nov 2016 21:44:19 +, Nims,Alva John (Al) wrote: >I would put forth one big reason for not sharing the master catalog, >would be system upgrades, when we went through the z/OS upgrades, >there were times where SYS1. Level data sets location changed from >one release to the next

Re: IBM-MAIN Digest - 20 Nov 2016 to 21 Nov 2016 (#2016-325)

2016-11-22 Thread Steve Thompson
Binyamin: Here is how I have things defined, and I do not get the message that you get: LAR1,1 Most TU entries will need "1" * * ALLOC w/ DDNAME text unit setup

Re: Which STEPLIB concatenation is not authorized?

2016-11-22 Thread Vernooij, Kees (ITOPT1) - KLM
Altogether, to me this all seems a tremendous overkill for a problem that occurs a few times per year somewhere in the world. How many system programmers does it take to switch a lightbulb? How many to check a steplib concatenation on 047 abends? Take your libraries and check them against D

Re: Which STEPLIB concatenation is not authorized?

2016-11-22 Thread Peter Relson
IMHO, we need an enhancement to CSVQUERY/CSVINFO (as appropriate) to return the fully-qualified data set name and volume and/or HFS path from which a module was actually fetched. (If it came from VLF, that information would need to be preserved at the time the module is cached so it can be

Re: The EHIxxxx execs (CBT Tape 769) - Thank you!

2016-11-22 Thread Robert Prins
On 2016-11-20 12:47, Robert Prins wrote: Hi all, After a long, long time, I've decided to update these legacy-language to HTML tools again, but I need some help, as I'm only on a z/OS 1.10/1.12 system, which means that I have absolutely no clues about - the way all new JCL statements are

Re: TSO Setup on SSH

2016-11-22 Thread Bill Woodger
Venkat, Can you please clarify exactly what you want to achieve, what point you are trying to reach? By "TSO" do you mean, as Paul suspects, you need direct, immediate, access to a TSO prompt for some long-superseded limit on some requirement from years 'n' years ago? Or do you, by "TSO", mean