Re: GAO recommends upgrades at IRS, Dept Defense Logistics

"Nor is the watchdog happy about the tax agency’s continued use of COBOL, which they note, could lead to 'difficulty finding employees with such knowledge,' adding that this 'shortage of expert personnel available to maintain a critical system creates significant risk to an agency’s mission.'"

Re: LISTSERV Trivia: Deleting drafts?

On Tue, 29 Aug 2023 09:26:34 -0500, Grant Taylor wrote: >> ... >> > >> & To identify a temporary data set name, for example, >> &TEMPDS, and, to identify an in-stream or sysout data set name, >> for example,

Re: [EXTERNAL] Re: z13s going EOS anytime soon?

Here's the URL that Joe referenced from IBM. I neglected to put it in my last post. https://www.ibm.com/support/pages/system/files/inline-files/IBM%20Mainframe%20Life%20Cycle%20History%20V2.13%20-%20July%2011%202023.pdf -Original Message- From: IBM Mainframe Discussion List On Behalf

Re: Firefox and HMC self-signed cert

All true I think, except it's openssl on Linux not Windows. On 8/29/2023 8:46 AM, Charles Mills wrote: Don't want to get into one of the peeing contests that have become all too common here. Let me just say that never mind any enterprise PKI CA constraints, I think Tom was talking about

Re: Switching between SMT-1 and SMT-2

Create/update your IEAOPTxx member to set MT_ZIIP_MODE=1 then SET OPT=xx to activate it. Mark Jacobs Sent from ProtonMail, Swiss-based encrypted email. GPG Public Key - https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com --- Original Message --- On Tuesday, August

Re: GAO recommends upgrades at IRS, Dept Defense Logistics

The reality doesn’t matter. The perception will drive decisions like this. Just like the Cloud sucked work into it only to discover that it was more expensive than on-prem. Here is the tool they are likely looking for:

Re: LISTSERV Trivia: Deleting drafts?

While may be either a temporary dsn or a symbol reference, & resolves to and can only be a temporary dsn. Absent a symbol definition for foo, the two forms are equivalenr. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe

Re: Firefox and HMC self-signed cert

True! I don't think I've created self-signed web certs since before they started that capping trend. But there are other non-web certs I deal with, such as SKLM to TS7000/DS8000 communication. I'll still set those to a higher number than the expected life of the hardware. On 8/29/2023 8:24

Re: Firefox and HMC self-signed cert

"Private certificate"? Issued certificates are signed by the CA's root private key. The root certificate is just a convenient means of packaging the corresponding public key. Certificates don't sign things. Private keys sign things. If I have a CA's (any CA's: Tom Brennan's or DigiCert's) root

Re: Firefox and HMC self-signed cert

I trust your certificate experience. But let's get back to the HMC issue for a second. So the only secure way to get rid of the Firefox warnings and red messages is to use an externally-signed certificate (paid for), and I think that means a manual process to update the HMC web cert/key

Re: Firefox and HMC self-signed cert

Don't want to get into one of the peeing contests that have become all too common here. Let me just say that never mind any enterprise PKI CA constraints, I think Tom was talking about OpenSSL on a PC. OpenSSL stores private keys -- private keys -- in a pretty accessible format. If I can get

Re: Firefox and HMC self-signed cert

I thought that signing a certificate meant the CA encrypted the checksum of the certificate. For me to validate the certificate I need the CAs public certificate to be able to decrypt the check sum, and compare it with what I calculated. If I do not have the CA's public certificate I cannot do

Threading (was: LISTSERV Trivia: Deleting drafts?)

Kirk Wolf asked Gil: >Not your question, but is the WWW interface why all of your posts >break into a new thread? ( at least in a few mailers that I have >used). and Gil mentioned header: > References: <7241413257405975.wa.paulgboulderaol@listserv.ua.edu >

Re: Threading (was: LISTSERV Trivia: Deleting drafts?)

On Tue, 29 Aug 2023 14:05:59 -0400, Phil Smith III wrote: >... >https://developers.google.com/gmail/api/guides/threads >... >1. The requested threadId must be specified on the Message or >Draft.Message you supply with your request. >2. The References and In-Reply-To headers must

Re: [EXTERNAL] Re: z13s going EOS anytime soon?

Ed, Not according to IBM. The z12 and z13 are like this, but according to this IBM page, previous generations weren't discontinued at the same time. Check Joe Monk's post here from Monday. According to that, it's been a mixed bag. About half of the generations ended at the same time, the

Re: [EXTERNAL] Re: z13s going EOS anytime soon?

On 8/29/2023 9:53 AM, Pommier, Rex wrote: Check Joe Monk's post here from Monday. According to that, it's been a mixed bag. About half of the generations ended at the same time, the other half the business class machines were 1-2 years EOS after the enterprise class machines. Very

Re: Firefox and HMC self-signed cert

>(paid for), and I think that means a manual process to update the HMC >web cert/key every year. Or is there an easier way? I don't know. I am more of a certificate theory expert than a z certificate practice expert. It is true that no commercial CA issues certificates good for much more than

Switching between SMT-1 and SMT-2

I know you can do this, but I can't seem to find the right command in z/OS. Any help much appreciated. In z/VM I use SET MULTITHREAD to do this. Jim Elliott Senior IT Consultant - GlassHouse Systems Inc. -- For IBM-MAIN

Re: Firefox and HMC self-signed cert

On 8/29/23 12:07 PM, Tom Brennan wrote: All true I think, except it's openssl on Linux not Windows. OpenSSL is multi-platform and can run on Windows a myriad of ways, if not natively. Aside: The Enterprise CA can also be done with things other than OpenSSL. -- Grant. . . .

Re: Firefox and HMC self-signed cert

On 8/29/23 12:13 PM, Tom Brennan wrote: I trust your certificate experience.  But let's get back to the HMC issue for a second.  So the only secure way to get rid of the Firefox warnings and red messages is to use an externally-signed certificate (paid for), and I think that means a manual

Re: Firefox and HMC self-signed cert

On 8/29/23 12:58 PM, Charles Mills wrote: https://letsencrypt.org/ provides free automated "real CA" certificates. IIRC they only support requests made using the "ACME" automation protocol. Will the HMC support that? Let's Encrypt supports multiple authentication methods. One of which is

it's all about trust [was: Firefox and HMC self-signed cert]

On 8/29/23 11:24, Grant Taylor wrote: On 8/29/23 10:07 AM, Tom Brennan wrote: And you can specify an expiration far in the future. Remember, some web browsers are capping the limit on the lifetime of certificates they will work with. The browser producers have the advantage over the rest

Re: it's all about trust [was: Firefox and HMC self-signed cert]

Not browser publishers and CAs; ONE particular browser publisher! The CAs were on the other side of this one. https://www.zdnet.com/article/apple-strong-arms-entire-ca-industry-into-one-year-certificate-lifespans/ About the only thing I can say in their defense is that the revocation system is

Re: Firefox and HMC self-signed cert

Sorry - not clear. What I meant was that in this case I ran openssl on Linux, not on Windows as Charles thought. What if I deleted the CA key file after creating the one web cert I needed? That would probably solve the security issue Charles mentioned, but then I would need a long-term web

Re: Firefox and HMC self-signed cert

On 8/29/23 2:32 PM, Tom Brennan wrote: Sorry - not clear.  What I meant was that in this case I ran openssl on Linux, not on Windows as Charles thought. Fair enough. What if I deleted the CA key file after creating the one web cert I needed?  That would probably solve the security issue

securing the trust store [was: Firefox and HMC self-signed cert]

I changed the subject. Also, while this fork is not specifically a mainframe topic, it's really important, and most of us will have it thrown in our face, even as mainframers. On 8/29/23 15:29, Grant Taylor wrote: On 8/29/23 10:46 AM, Charles Mills wrote: Don't want to get into one of the

Re: On-Prem to Cloud Mainframe Migration Experiences

Not seeing much in the way of responses to your question, Lance. Could be you are asking an impossible question. like ' Is there a god?' or 'is global warming real?' Were you expecting an outpouring of enthusiasm for this nebulous technology? What were your experiences? Did you get what you were

Re: securing the trust store [was: Firefox and HMC self-signed cert]

On 8/29/23 3:16 PM, Rick Troth wrote: And making it harder (more expensive) for the attacker (relative to his ROI). Some of it is also about making it more noisy and thus likely easier to detect when something inappropriate is going on. I've heard that some Chinese emperors purposely had

Re: Firefox and HMC self-signed cert

> The certificate is only good if you have the associated key. > If you don't have the key, the certificate isn't worth the disk space > that it takes up. Not true for a CA root. Thought experiment: if DigiCert were to misplace their root private key, would you now be unable to log into

Re: Firefox and HMC self-signed cert

On 8/29/23 10:46 AM, Charles Mills wrote: Don't want to get into one of the peeing contests that have become all too common here. Neither do I. I do want to have a polite and professional discussion about what things are capable of. Hopefully I'll learn things from you -- I usually do.

Re: it's all about trust [was: Firefox and HMC self-signed cert]

On 8/29/23 2:49 PM, Rick Troth wrote: When they say "certificates shall only last a year", there's little we can do about it, whether they're right or wrong. The browser manufacturers have power in the browser ecosystem and the ecosystems that pander to them (*cough* CAs *couth*). But

Re: Firefox and HMC self-signed cert

On 8/29/23 3:38 PM, Charles Mills wrote: Not true for a CA root. Thought experiment: if DigiCert were to misplace their root private key, would you now be unable to log into amazon.com? (There would be very disruptive long-term implications, but things would continue to work in the medium

Re: Firefox and HMC self-signed cert

I looked at letsencrypt and zerossl and decided on zero because I liked the support, the 1 year certs, and their API. The API supports ACME but hey, I call myself a programmer so I rolled my own. I use their email authentication through an automated method I created, but they do have DNS

Re: Firefox and HMC self-signed cert

Just to be clear, I'm not talking about doing anything to the HMC that isn't sanctioned by IBM. And pardon me if you already know this, but HMC's are really locked down. For example, no command line access even when standing at the machine. On 8/29/2023 6:30 PM, Grant Taylor wrote: On

Re: it's all about trust [was: Firefox and HMC self-signed cert]

On 8/29/23 6:10 PM, Charles Mills wrote: Not browser publishers and CAs; ONE particular browser publisher! The CAs were on the other side of this one. Apple may have been the first to the microphone, but I know that other browser manufacturers were writing similar speeches. About the only

Re: Firefox and HMC self-signed cert

On 8/29/23 6:39 PM, Tom Brennan wrote: It's those last couple of steps that I assume would need to be done manually on an HMC via GUI. I have no idea if IBM offers a supported solution or not. I would waver that there are some unsupported solutions that IBM would wag a finger at you for

Re: Firefox and HMC self-signed cert

I've been told by IBMer's not to talk about such things, so I need to drop out now. On 8/29/2023 10:05 PM, Grant Taylor wrote: On 8/29/23 9:49 PM, Tom Brennan wrote: Just to be clear, I'm not talking about doing anything to the HMC that isn't sanctioned by IBM. I assumed as much. And

Re: z13s going EOS anytime soon?

I am looking for a OSA-ICC card for a z13s. You can contact me offline at the address below. Thanks Resiliency Services on Z Mainframe alain.benveni...@kyndryl.com > Le 29 août 2023 à 06:53, Brian Westerman a > écrit : > > 4 our our clients are running z13s's and they all have received the

Re: z13s going EOS anytime soon?

Called it! Unfortunately, it was my worst case scenario. > Subject: Re: IBM Z13 and Z13s EOL > From: Eric D Rossman > Date: Thu, 18 Aug 2022 19:44:39 + > > Long ago, the time from GA to EOS was shorter (like 9 years or so), > then it slowly increased to 12-13 years (and even 14 for the z900

RES: z13s going EOS anytime soon?

Hi Alain, You can use this FC 0408 CCIN 57E9 or FC 0417 CCIN 59A8+E005 in z13 and z13s. Some of them comes from zEC12, zBC12, z114 or z196. 0408 57E9 OSA-Express4S 1000Base-T Ethernet (PCIe) (2 port/CHPID) 0417 59A8 OSA-Express5S mother card (PCIe) 0417 E005 OSA-Express5S

Re: [EXTERNAL] Re: z13s going EOS anytime soon?

What I found somewhat disheartening was that IBM is dropping support for both the z13 and z13s at the same time despite the fact the z13s was made available a year later than its big brother. Rex -Original Message- From: IBM Mainframe Discussion List On Behalf Of Eric D Rossman

Re: [EXTERNAL] Re: z13s going EOS anytime soon?

z/OS 3.1 won't run on it. On Tue, Aug 29, 2023 at 7:46 AM Pommier, Rex wrote: > > What I found somewhat disheartening was that IBM is dropping support for both > the z13 and z13s at the same time despite the fact the z13s was made > available a year later than its big brother. > > Rex > >

Re: Firefox and HMC self-signed cert

Just being a security PITA here, but that solution makes the security of their systems subject to whatever safeguards you do or do not put on yours. If I can extract the CA private key from your PC than it is trivial for me to create a www.chase.com certificate that will be trusted by their

Re: [EXTERNAL] Re: z13s going EOS anytime soon?

Ahh, thanks. Hopefully then, this is an anomaly and not future trends. We don't have a z13s but have a z14 and z15 "baby boxes" and we typically run them until they fall off maintenance. Rex -Original Message- From: IBM Mainframe Discussion List On Behalf Of Mike Schwab Sent:

Re: [EXTERNAL] Re: z13s going EOS anytime soon?

z13 is last version to IPL in S/390 mode. Haven't started planning on over 64 bit machine On Tue, Aug 29, 2023 at 8:34 AM Pommier, Rex wrote: > > Ahh, thanks. Hopefully then, this is an anomaly and not future trends. We > don't have a z13s but have a z14 and z15 "baby boxes" and we typically

Re: Firefox and HMC self-signed cert

On 8/28/23 6:23 PM, Tom Brennan wrote: Does that work?  In the past when I created a self-signed cert (for Apache on Linux), adding it to the trusted certs didn't work (at least in Chrome).  I still got the evil warnings. I've been running into this with many self-signed certs at work. One

Re: LISTSERV Trivia: Deleting drafts?

On Mon, 28 Aug 2023 15:21:55 -0500, Paul Gilmartin wrote: >I use the WWW interface to post to IBM-MAIN. At times it tells me I have >lingering drafts. Each shows a trashcan icon. Clicking it usually fails >or causes a window hang. Is there a trick? > >I may have just discovered that it

Re: Firefox and HMC self-signed cert

On 8/29/23 8:31 AM, Charles Mills wrote: Just being a security PITA here, but that solution makes the security of their systems subject to whatever safeguards you do or do not put on yours. Remember, Certificate Authorities can be constrained. E.g. it's possible to create an Enterprise

Re: LISTSERV Trivia: Deleting drafts?

On 8/28/23 6:35 PM, Paul Gilmartin wrote: I'll copy/paste a couple lines from: Let's see how what appears on the forum compares with the original: Thank you for the clarification Paul. & To identify a temporary data set

Re: [External] : Connect Direct for z/Os Upgrade

Are you using a STEPLIB? If so, make sure ALL libraries in the STEPLIB are APF’d and that they are on the correct volume as your APF list. If not using a STEPLIB use TSO ISRFIND to ensure the exits are not found in another library first. On Mon, Aug 28, 2023 at 8:28 PM Gilson Cesar de

Re: RPMs for installs and Maint: [WAS SMP/E needed for installs?]

I find a great deal of value in reading your posts, Steve. Knowing that you have experience with Amdahl in hardware adds to my respect for your insights. > On 29 Aug 2023, at 8:35 am, Steve Thompson wrote: > > Back in the day, we worked on RAS. So we put in error detection hardware >

Re: [EXTERNAL] Re: z13s going EOS anytime soon?

On 8/29/2023 5:46 AM, Pommier, Rex wrote: What I found somewhat disheartening was that IBM is dropping support for both the z13 and z13s at the same time despite the fact the z13s was made available a year later than its big brother. That has always, Always, ALWAYS been true. When a hardware

Re: Firefox and HMC self-signed cert

Remember Charles, this kludge of making my own CA and signing my own web cert is in lieu of something probably worse for security, saying yes to the red warning messages in Chrome and Firefox. So in either case we're already open to a DNS spoof. The home-made cert is simply to make it easier

Re: [EXTERNAL] Re: z13s going EOS anytime soon?

On Tue, 29 Aug 2023 07:53:50 -0700, Ed Jaffe wrote: >On 8/29/2023 5:46 AM, Pommier, Rex wrote: >> What I found somewhat disheartening was that IBM is dropping support for >> both the z13 and z13s at the same time despite the fact the z13s was made >> available a year later than its big

Re: Firefox and HMC self-signed cert

On 8/29/23 10:07 AM, Tom Brennan wrote: And you can specify an expiration far in the future. Remember, some web browsers are capping the limit on the lifetime of certificates they will work with. -- Grant. . . . -- For