Re: Mainframe help now available!

[Tom Brennan]

LOL.  When things like the "Project Management Office" became common in 
maybe the late 1990's where I worked, they called us Resources.  I 
remember writing a note back saying I'm not a lump of coal or even a 
vein of gold.


The real problem though, was like you mentioned, they treated us as a 
simple headcount.  That didn't work because it might take 10 of me to do 
the work of (for example) one good CICS person, if I can figure it out 
at all.


On 6/12/2023 4:18 PM, Tony Harminc wrote:

On Mon, 12 Jun 2023 at 22:13, James FRSolutions 
wrote:


FR Solutions has programs to help find resources or build new resources
for organizations in search of Mainframe professionals.  With the
marketplace shrinking in the MF skills area, we can help.
https://www.frsolutionscorp.com/mainframe



So "resources" is your respectful word for, uh people? I've always aspired
to be a resource. Or maybe a headcount.

Tony H.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: The new requirement for Certificates to communicate with IBM -- A Journey

[Andrew Rowley]

On 13/06/2023 8:04 am, Tom Longfellow wrote:

I am beginning to suspect some new evil is afoot in the land of Java -- 
complete with unhelpful cryptic error messages.
How old is your Java installation, and how old are the certificates 
required?


It's possible that e.g. Java hasn't been updated to include new root 
certificates.



--
Andrew Rowley
Black Hill Software

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Mainframe help now available!

[Tony Harminc]

On Mon, 12 Jun 2023 at 22:13, James FRSolutions 
wrote:

> FR Solutions has programs to help find resources or build new resources
> for organizations in search of Mainframe professionals.  With the
> marketplace shrinking in the MF skills area, we can help.
> https://www.frsolutionscorp.com/mainframe


So "resources" is your respectful word for, uh people? I've always aspired
to be a resource. Or maybe a headcount.

Tony H.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: The new requirement for Certificates to communicate with IBM -- A Journey

[Phil Smith III]

Charles added:
>I would not generally expect the necessity of installing any intermediates on 
>the client side.

I'd phrase it more strongly: you do NOT want intermediates on a client machine, 
because when they expire, nobody will notice until things don't work, and won't 
think to check them. Then you'll spend wa too long replacing the root 
repeatedly until you eventually figure it out, die, or move on.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: The new requirement for Certificates to communicate with IBM -- A Journey

[Charles Mills]

I suspect that one you listed first is superfluous but no matter.

Does SMPE really want a client certificate? Where did you get it from? What 
signed it?

If SMPE really wants that client certificate then you should make it the 
default so SMPE can find it.

Are all of those certs on the ring trusted? Untrusted certificates "don't 
exist" for handshake purposes.

What do you get if you do a RACDCERT LISTCHAIN on SMPE Client Certificate?

Charles

On Mon, 12 Jun 2023 17:04:33 -0500, Tom Longfellow 
 wrote:

>Thank you Charles.
>
>you have just spelled out every single step that I have already performed.  
>The named labels, the download steps (Only the new Intermediate was 
>required)., the upload steps, the Cert adds (yes trusted).  the keyring 
>connect to the same keyring used for the last successful loads.
>I have gone further to display the cert by the long character string value.  
>and displayed the cert only to have it tell me "Incomplete" but not why.
>
>It is annoying when you do the same thing that used to work.. that you have 
>been assured WILL work and it DOES NOT work.
>
>For those of you playing the home game.  Here are some RACF displays
>
>=-=-=-=
>racdcert CERTAUTH list(label('GLOBALG2.TLS.RSA.SHA256.#2020CA1'))  

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: The new requirement for Certificates to communicate with IBM -- A Journey

[Tom Longfellow]

Thank you Charles.

you have just spelled out every single step that I have already performed.  The 
named labels, the download steps (Only the new Intermediate was required)., the 
upload steps, the Cert adds (yes trusted).  the keyring connect to the same 
keyring used for the last successful loads.
I have gone further to display the cert by the long character string value.  
and displayed the cert only to have it tell me "Incomplete" but not why.

It is annoying when you do the same thing that used to work.. that you have 
been assured WILL work and it DOES NOT work.

For those of you playing the home game.  Here are some RACF displays

=-=-=-=
racdcert CERTAUTH list(label('GLOBALG2.TLS.RSA.SHA256.#2020CA1'))  
   
Digital certificate information for CERTAUTH:  
   
  Label: GLOBALG2.TLS.RSA.SHA256.#2020CA1  
  Certificate ID: 2QiJmZmDhZmjgcfT1sLB08fyS+PT4kvZ4sFL4sjB8vX2S3vy8PLww8Hx 
  Status: TRUST
  Start Date: 2021/03/29 20:00:00  
  End Date:   2031/03/29 19:59:59  
  Serial Number:   
   >0CF5BD062B5602F47AB8502C23CCF066<  
  Issuer's Name:   
   >CN=DigiCert Global Root G2.OU=www.digicert.com.O=DigiCert Inc.C=US<
   
  Subject's Name:  
   >CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1.O=DigiCert Inc.C=US< 
   
  Signing Algorithm: sha256RSA 
  Key Usage: CERTSIGN  
  Key Type: RSA
  Key Size: 2048   
  Private Key: NO  
  Ring Associations:   
   Ring Owner: TECH999
   Ring:  
  >SMPEKeyring<   
=-=-=-=-
racdcert id(TECH999) listring(SMPEKeyring)
  
Digital ring information for user TECH999:
  
  Ring:   
   >SMPEKeyring<  
  Certificate Label Name Cert Owner USAGE  DEFAULT
           ---
  DigiCert Global Root CACERTAUTH   CERTAUTH NO   
  
  DigiCert Global Root G2CERTAUTH   CERTAUTH NO   
  
  SMPE Client CertificateID(TECH999)CERTAUTH NO   
  
  GLOBALG2.TLS.RSA.SHA256.#2020CA1   CERTAUTH   CERTAUTH NO   
=-=-=-=-

I am beginning to suspect some new evil is afoot in the land of Java -- 
complete with unhelpful cryptic error messages.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Mainframe help now available!

[James FRSolutions]

Yes, great catch and sorry about that, the website is correct but spell check 
needed here.  :)  Thank you.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Mainframe help now available!

[Mike Shaw]

James,

Don't you mean immersion?

Mike Shaw
MVS/QuickRef Support Group
Chicago-Soft, Ltd.


On Mon, Jun 12, 2023 at 5:01 PM James FRSolutions 
wrote:

> FR Solutions has programs to help find resources or training emersion for
> new resources for organizations in search of Mainframe professionals.  With
> the marketplace shrinking in the MF skills area, we can help.
> https://www.frsolutionscorp.com/mainframe
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Mainframe help now available!

[James FRSolutions]

FR Solutions has programs to help find resources or training emersion for new 
resources for organizations in search of Mainframe professionals.  With the 
marketplace shrinking in the MF skills area, we can help.  
https://www.frsolutionscorp.com/mainframe

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: The new requirement for Certificates to communicate with IBM -- A Journey

[Charles Mills]

>What I cannot find is the name or source of this unnamed thing.

Name: IBM uses certificates with chains ending in two different DigiCert roots 
with very similar names. This is a source of confusion.

DigiCert Global Root CA
DigiCert Global Root G2

Someone else posted with servers use which. Get the right one!

Where to get them:

Google . Find the one you want. Click "Download pem." 
Open it in a text editor on your PC. It should look like

-BEGIN CERTIFICATE-
MIIFZDCCA0ygAwIBAgIQBs7hMb5tVcgH98DH+0TmIDANBgkqhkiG9w
...
-END CERTIFICATE-

Copy and Paste that into an ISPF edit session. Save it in a dataset (NOT a PDS 
member; a real QSAM dataset -- VB 255 is good.) Do not edit it in any way. The 
BEGIN and END lines must remain there.

Then do a RACDCERT ADD with CERTAUTH and TRUST.

The most convenient keyring is *AUTH*/* which is a "virtual" keyring that 
automagically contains all CERTAUTH certificates.

Charles

On Mon, 12 Jun 2023 00:09:43 -0500, Tom Longfellow 
 wrote:

>Thanks Charles.
>
>I have  come to the same conclusion that I am missing an "appropriate" 
>certificate. 
>
>What I cannot find is the name or source of this unnamed thing.  And sometimes 
>when I find appropriate certs I am presented with barriers to acquiring them.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Mainframe help now available!

[James FRSolutions]

FR Solutions has programs to help find resources or build new resources for 
organizations in search of Mainframe professionals.  With the marketplace 
shrinking in the MF skills area, we can help.  
https://www.frsolutionscorp.com/mainframe

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: JES2 Submitlib Bootstrap problem

[Mark Jacobs]

IBM opened an APAR for this reported problem. OA65017

Mark Jacobs 

Sent from ProtonMail, Swiss-based encrypted email.

GPG Public Key - 
https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com


--- Original Message ---
On Wednesday, May 10th, 2023 at 8:06 PM, Mark Jacobs 
<0224d287a4b1-dmarc-requ...@listserv.ua.edu> wrote:


> I'm sure we can do that. I still think that IBM should fix it themselves.
> 
> Mark Jacobs
> 
> Sent from ProtonMail, Swiss-based encrypted email.
> 
> GPG Public Key - 
> https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com
> 
> 
> 
> 
> --- Original Message ---
> On Wednesday, May 10th, 2023 at 7:45 PM, Steve Horein steve.hor...@gmail.com 
> wrote:
> 
> 
> 
> > Perhaps delay path related SUBMITLIBs by having automation issue $ADD
> > SUBMITLIB commands once OMVS is up:
> > https://www.ibm.com/docs/en/zos/2.4.0?topic=section-add-submitlibx-add-new-concatenation-submit
> > 
> > That should be pretty straightforward with whatever (message) automation
> > package you may have.
> > 
> > On Wed, May 10, 2023 at 7:40 AM Mark Jacobs <
> > 0224d287a4b1-dmarc-requ...@listserv.ua.edu> wrote:
> > 
> > > I added that to the top of COMMNDxx. JES2 is also started there. In our
> > > sandbox it didn't work. I'd need to get the automation team to get 
> > > involved
> > > to have it trap the OMVS is active message then start JES2. Unless some
> > > other engineering teams express an interest in SUBMITLIBs in a file system
> > > I'm not going to do anything else at this point.
> > > 
> > > I'm still going to pursue the case with IBM though.
> > > 
> > > Mark Jacobs
> > > 
> > > Sent from ProtonMail, Swiss-based encrypted email.
> > > 
> > > GPG Public Key -
> > > https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com
> > > 
> > > --- Original Message ---
> > > On Wednesday, May 10th, 2023 at 8:14 AM, Allan Staller <
> > > 0387911dea17-dmarc-requ...@listserv.ua.edu> wrote:
> > > 
> > > > Classification: Confidential
> > > > 
> > > > Issue the command in COMMNDxx or your System Automation product.
> > > > 
> > > > -Original Message-
> > > > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf
> > > > Of Mark Jacobs
> > > > 
> > > > Sent: Wednesday, May 10, 2023 7:12 AM
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > Subject: Re: JES2 Submitlib Bootstrap problem
> > > > 
> > > > [CAUTION: This Email is from outside the Organization. Unless you trust
> > > > the sender, Don't click links or open attachments as it may be a 
> > > > Phishing
> > > > email, which can steal your Information and compromise your Computer.]
> > > > 
> > > > How do you start OMVS SUB=MSTR? I'm not seeing any start command in
> > > > parmlib.
> > > > 
> > > > Mark Jacobs
> > > > 
> > > > Sent from ProtonMail, Swiss-based encrypted email.
> > > > 
> > > > GPG Public Key -
> > > > https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com
> > > > 
> > > > --- Original Message ---
> > > > On Wednesday, May 10th, 2023 at 7:58 AM, Allan Staller
> > > > 0387911dea17-dmarc-requ...@listserv.ua.edu wrote:
> > > > 
> > > > > Classification: Confidential
> > > > > 
> > > > > OMVS can be started as SUB=MSTR or as a JES task. Che choice is up to
> > > > > the installation.
> > > > > Ditto for ZFS.
> > > > > 
> > > > > What is really being implied is that if JES2 needs OMVS services, it
> > > > > should not provide those services until OMVS has initialized,
> > > > > 
> > > > > Many other tasks do this (e.g. TSO).
> > > > > 
> > > > > My USD $0.02
> > > > > 
> > > > > -Original Message-
> > > > > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf
> > > > > Of Pommier, Rex
> > > > > 
> > > > > Sent: Tuesday, May 9, 2023 11:21 AM
> > > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > > Subject: Re: JES2 Submitlib Bootstrap problem
> > > > > 
> > > > > [CAUTION: This Email is from outside the Organization. Unless you
> > > > > trust the sender, Don't click links or open attachments as it may be a
> > > > > Phishing email, which can steal your Information and compromise your
> > > > > Computer.]
> > > > > 
> > > > > I see a problem with this scenario. It appears to me that there is a
> > > > > call (not necessarily by Shmuel) to potentially have JES2 wait for 
> > > > > OMVS to
> > > > > be up before it does its startup (or at least completes the startup). 
> > > > > Due
> > > > > to a self-inflicted screw-up on one of our LPARs, OMVS decided it had 
> > > > > to do
> > > > > a filesystem check on every filesystem on the system. This took a 
> > > > > good half
> > > > > hour where it simply appeared our LPAR was hung. JES2 had come up and 
> > > > > I was
> > > > > able to start a few address spaces that are dependent on JES so I 
> > > > > could
> > > > > figure out what was going on. Had JES been waiting for OMVS we would 
> > > > > have
> > > > > been completely in the dark on this 

Re: Why can't a LinuxOne run z/OS

[Mohammad Khan]

In the famous words of Michael Corleone - it's not personal, it's strictly 
business.
mkk

On Mon, 12 Jun 2023 15:11:23 +0200, Radoslaw Skorupka  
wrote:

>W dniu 09.06.2023 o 01:33, Lennie Dymoke-Bradshaw pisze:
>> Can someone please explain what IBM have done on the LinuxOne machines to
>> stop them running z/OS?
>>
>> I ask out of curiosity only.
>
>What IBM have done?
>NOTHING.
>Simply NOTHING except some business decisions. LinuxONE can have IFL
>engines only (*).
>LinuxONE can have some I/O cards unavailable in regular machine and vice
>versa. But this is business decision, not technical requirement. And the
>plastive elements on the doors are orange, not blue. And you cannot
>order blue doors for LinuxONE.
>Why I'm talking about doors? Because the reason behind is the same as
>for IFL or FCP-Express32S card.
>
>(*) AFAIK there is GDPS Appliance available on LinuxONE. In that case
>the appliance (read: z/OS + SA + GDPS) use regular CP vel GP.
>
>--
>Radoslaw Skorupka
>Lodz, Poland
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: USS automount facility and search/browse

[Paul Gilmartin]

On Mon, 12 Jun 2023 15:39:12 +0200, Radoslaw Skorupka wrote:

>...
>The path is indeed different in my case. However I know the path and
>obviously (?) it is the same for all the users.
>
I once wrote a REXX "chdir" that worked from the TSO/ISPF command line
so when I entered 3.17, etc. "." meant what I had changed to.  (TSO does
not run REXX in a separate execution environment.)

I had a delusion of sharing it, so I made no "same for all the users"
assumption but used SHSCALL getpwuid.

-- 
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: The new requirement for Certificates to communicate with IBM -- A Journey

[Kurt J. Quackenbush]

> I did finally get the Certificate loaded, defined and attached to my SMPE 
> keyring.

> The jobs still fail mysteriously.The only clue being that displaying the 
> new key via RACF says that it is 'Incomplete'

I don't know about your RACF "incomplete" issue, but I suggest you double check 
you have the correct root certificate in the correct keyring:

There are two kinds of servers for an SMP/E RECEIVE ORDER request: the order 
server, and the download server.  They are different.  The order servers, like 
eccgw01.boulder.ibm.com, still use the “DigiCert Global Root CA” root cert.  
The download servers, like deliverycb-bld.dhe.ibm.com, recently changed to use 
the "DigiCert Global Root G2” root certificate.  The keyring specified in the 
ORDERSERVER XML must contain the CA root certificate for the order server.  The 
downloadkeyring specified in the CLIENT XML must contain the CA root 
certificate for the download server.

Kurt Quackenbush
IBM  |  z/OS SMP/E and z/OSMF Software Management  |  ku...@us.ibm.com

Chuck Norris never uses CHECK when he applies PTFs.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: The new requirement for Certificates to communicate with IBM -- A Journey

[Seymour J Metz]

IMHO, both curl and get belong in the base.


From: IBM Mainframe Discussion List  on behalf of 
Paul Gilmartin <042bfe9c879d-dmarc-requ...@listserv.ua.edu>
Sent: Monday, June 12, 2023 9:13 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: The new requirement for Certificates to communicate with IBM -- A 
Journey

On Mon, 12 Jun 2023 02:49:14 +, Timothy Sipples wrote:
>...
>When you get "bootstrapped" you'll probably want to install curl for z/OS (or 
>something functionally similar) to make this process easier.
>
"Bootstrap" is a critical term here.  It reflects the antinomy in how can I
elevate myself from a base state where "I trust no one," to the
target state where "I trust you."

But, yes, other systems I use come with certificates installed.  I must
assume I can trust the vendor and auditing of the delivery path.

IBM should incorporate curl in the base system as other suppliers do.
It's too valuable to omit.



--
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: USS automount facility and search/browse

[Radoslaw Skorupka]

W dniu 12.06.2023 o 15:29, Paul Gilmartin pisze:

On Mon, 12 Jun 2023 15:19:34 +0200, Radoslaw Skorupka wrote:


Silly me, of course it is enough to issue cd /u/USER
:-)


Not so silly.  I have worked at a site where home directories were mounted
at a different path.  Sysadmin naiveté/creativity.


The path is indeed different in my case. However I know the path and 
obviously (?) it is the same for all the users.


--
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: The new requirement for Certificates to communicate with IBM -- A Journey

[Paul Gilmartin]

On Mon, 12 Jun 2023 08:22:03 -0500, Peter Vander Woude wrote:

>What I have done, to get these certificates, is to look at the keystore on the 
>pc, and save a copy of the certauth record from there, in base64 .cer format.  
>Then edit it, copy and past into a dataset on the mainframe.
> 
Is it ASCII, EBCDIC, or neutral?  What must you edit?


>>
>>
Of course you can trust the PC.  It's where you keep your credit cards.

-- 
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: USS automount facility and search/browse

[Paul Gilmartin]

On Mon, 12 Jun 2023 15:19:34 +0200, Radoslaw Skorupka wrote:

>Silly me, of course it is enough to issue cd /u/USER
>:-)
>
Not so silly.  I have worked at a site where home directories were mounted
at a different path.  Sysadmin naiveté/creativity.

-- 
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: USS automount facility and search/browse

[Paul Gilmartin]

On Mon, 12 Jun 2023 09:12:27 -0400, Rick Troth wrote:
>...
>The tilde hack is a shell feature, but I'm not aware of any contemporary
>shells where it doesn't work. If tilde doesn't work, then fully
>qualified path to the user's home directory works.
>
Then, 'system("cd ~user")'.

In REXX I've used "syscall getpwuid" to extract a home directory.

-- 
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: The new requirement for Certificates to communicate with IBM -- A Journey

[Peter Vander Woude]

What I have done, to get these certificates, is to look at the keystore on the 
pc, and save a copy of the certauth record from there, in base64 .cer format.  
Then edit it, copy and past into a dataset on the mainframe.

Peter

On Mon, 12 Jun 2023 08:13:54 -0500, Paul Gilmartin  wrote:

>On Mon, 12 Jun 2023 02:49:14 +, Timothy Sipples wrote:
>>...
>>When you get "bootstrapped" you'll probably want to install curl for z/OS (or 
>>something functionally similar) to make this process easier.
>>
>"Bootstrap" is a critical term here.  It reflects the antinomy in how can I
>elevate myself from a base state where "I trust no one," to the
>target state where "I trust you."
>
>But, yes, other systems I use come with certificates installed.  I must
>assume I can trust the vendor and auditing of the delivery path.
>
>IBM should incorporate curl in the base system as other suppliers do.
>It's too valuable to omit.
>
>
>
>-- 
>gil
>
>--
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: USS automount facility and search/browse

[Radoslaw Skorupka]

Silly me, of course it is enough to issue cd /u/USER
:-)

Thank you gentlemen.

--
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Certificate differences between Z/VM and Z/OS?

[Allan Staller]

Classification: Confidential

Did you transfer the certificate as text (DO NOT USE BINARY).

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Itschak Mugzach
Sent: Sunday, June 11, 2023 1:29 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Certificate differences between Z/VM and Z/OS?

[CAUTION: This Email is from outside the Organization. Unless you trust the 
sender, Don't click links or open attachments as it may be a Phishing email, 
which can steal your Information and compromise your Computer.]

I have a certificate signed by an intermediate CA that is self signed (the CA 
certificate). The certificate CN is not specific for a client.
Now I installed it on Z?OS RACF and it works with no problem against a server 
having a server certificate from the same CA.
Now I installed the same certificate on Z/VM (gskyman) and tried to connect to 
the same server. The certificate is refused and the server asks for 
renegotiating (which is impossible at TLS 1.2).

Why does that happen? Both certificates are marked TRUSTED.

ITschak


*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and 
IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: http://www.securiteam.co.il/  **|*

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
::DISCLAIMER::

The contents of this e-mail and any attachment(s) are confidential and intended 
for the named recipient(s) only. E-mail transmission is not guaranteed to be 
secure or error-free as information could be intercepted, corrupted, lost, 
destroyed, arrive late or incomplete, or may contain viruses in transmission. 
The e mail and its contents (with or without referred errors) shall therefore 
not attach any liability on the originator or HCL or its affiliates. Views or 
opinions, if any, presented in this email are solely those of the author and 
may not necessarily reflect the views or opinions of HCL or its affiliates. Any 
form of reproduction, dissemination, copying, disclosure, modification, 
distribution and / or publication of this message without the prior written 
consent of authorized representative of HCL is strictly prohibited. If you have 
received this email in error please delete it and notify the sender 
immediately. Before opening any email and/or attachments, please check them for 
viruses and other defects.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: USS automount facility and search/browse

[Mark Jacobs]

Two things I can think of. 

1) cd /u/userdir  - That should invoke automount for you.
2) Manually mount the file system to a directory of your choice. 

Mark Jacobs 


Sent from ProtonMail, Swiss-based encrypted email.

GPG Public Key - 
https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com


--- Original Message ---
On Monday, June 12th, 2023 at 9:03 AM, Radoslaw Skorupka 
<0471ebeac275-dmarc-requ...@listserv.ua.edu> wrote:


> I need to review some user home directories. However they have
> auto-mounted filesystems.
> How to search it without asking folks to logon?
> 
> Note: it is not related to any hacking or unauthorized access. I can
> have any authority I would need, including some tricks to logon using
> their userid, etc. Looking for simple method to run automount by a
> command, etc.
> 
> 
> --
> Radoslaw Skorupka
> Lodz, Poland
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: The new requirement for Certificates to communicate with IBM -- A Journey

[Paul Gilmartin]

On Mon, 12 Jun 2023 02:49:14 +, Timothy Sipples wrote:
>...
>When you get "bootstrapped" you'll probably want to install curl for z/OS (or 
>something functionally similar) to make this process easier.
>
"Bootstrap" is a critical term here.  It reflects the antinomy in how can I
elevate myself from a base state where "I trust no one," to the
target state where "I trust you."

But, yes, other systems I use come with certificates installed.  I must
assume I can trust the vendor and auditing of the delivery path.

IBM should incorporate curl in the base system as other suppliers do.
It's too valuable to omit.



-- 
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: USS automount facility and search/browse

[Rick Troth]

On 6/12/23 09:03, Radoslaw Skorupka wrote:
I need to review some user home directories. However they have 
auto-mounted filesystems.

How to search it without asking folks to logon?



I have not tried this on USS, but with other automounters, simply 'cd 
~user' will force a mount of that user's home directory.

Try it.

Often, I'll get an error from 'cd ~user' if the target user's home 
directory is not available to me. (Sometimes even when doing the 'cd' as 
root/admin.) But the system cannot know the settings until the directory 
gets mounted, so forcing the mount would seem to be a requirement ahead 
of knowing if the 'cd' would work. But then, if you're needing to 
"review some user home directories", read rights are implied.


The tilde hack is a shell feature, but I'm not aware of any contemporary 
shells where it doesn't work. If tilde doesn't work, then fully 
qualified path to the user's home directory works.




Note: it is not related to any hacking or unauthorized access. I can 
have any authority I would need, including some tricks to logon using 
their userid, etc. Looking for simple method to run automount by a 
command, etc.



-- R; <><



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Why can't a LinuxOne run z/OS

[Radoslaw Skorupka]

W dniu 09.06.2023 o 01:33, Lennie Dymoke-Bradshaw pisze:

Can someone please explain what IBM have done on the LinuxOne machines to
stop them running z/OS?

I ask out of curiosity only.


What IBM have done?
NOTHING.
Simply NOTHING except some business decisions. LinuxONE can have IFL 
engines only (*).
LinuxONE can have some I/O cards unavailable in regular machine and vice 
versa. But this is business decision, not technical requirement. And the 
plastive elements on the doors are orange, not blue. And you cannot 
order blue doors for LinuxONE.
Why I'm talking about doors? Because the reason behind is the same as 
for IFL or FCP-Express32S card.


(*) AFAIK there is GDPS Appliance available on LinuxONE. In that case 
the appliance (read: z/OS + SA + GDPS) use regular CP vel GP.


--
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

USS automount facility and search/browse

[Radoslaw Skorupka]

I need to review some user home directories. However they have 
auto-mounted filesystems.

How to search it without asking folks to logon?

Note: it is not related to any hacking or unauthorized access. I can 
have any authority I would need, including some tricks to logon using 
their userid, etc. Looking for simple method to run automount by a 
command, etc.



--
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Routing HMC message

[Radoslaw Skorupka]

W dniu 07.06.2023 o 05:57, Peter pisze:

Hello

Is it possible to route HMC operating system message and download them as
text file to the desktop?

Right now we are in the situation where TCPIP IP is not reachable but I
just wanted go through all the messages loaded during IPL.



AFAIK there is no such facility.
However this is not an issue related to HMC. It is more or less issue 
how to send console log to the PC.
One of many possible solutions is to use some trace facility of your 
3270 emulator.
Of course it is also possible to write syslog to the dataset (many users 
do that automatically) and send it to the PC.
If you want to get some specific messages, i.e. ICH408I with user=JDOE 
then you can use System Automation (licensed product).

etc. etc.

--
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: The new requirement for Certificates to communicate with IBM -- A Journey

[Michael Babcock]

Here's the only cert I added for the RECEIVE ORDER process to continue 
working.  Be sure serial number matches yours.


Digital certificate information for CERTAUTH:

  Label: DigiCert Global G2 Root
  Start Date: 2013/08/01 07:00:00
  End Date:   2038/01/15 07:00:00
  Serial Number:
>033AF1E6A711A9A0BB2864B11D09FAE5<

  Issuer's Name:
   >CN=DigiCert Global Root G2.OU=www.digicert.com.O=DigiCert 
Inc.C=US<

  Subject's Name:
   >CN=DigiCert Global Root G2.OU=www.digicert.com.O=DigiCert 
Inc.C=US<



On 6/12/2023 12:09 AM, Tom Longfellow wrote:

Thanks Charles.

I have  come to the same conclusion that I am missing an "appropriate" 
certificate.

What I cannot find is the name or source of this unnamed thing.  And sometimes 
when I find appropriate certs I am presented with barriers to acquiring them.

I am not opposed to adding IT once I  am told what IT is.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: The new requirement for Certificates to communicate with IBM -- A Journey

[Timothy Sipples]

As a follow up, curl is available from Rocket Software. There's also a build of 
curl available here:

https://github.com/ZOSOpenTools

And there's a port of wget if you prefer that, but it's more of a work in 
progress at this instant.

More information here, and contributors welcome:

https://zosopentools.link/docs

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: The new requirement for Certificates to communicate with IBM -- A Journey

[Andrew Rowley]

On 12/06/2023 2:59 pm, Tom Longfellow wrote:

I am worn out from all of these "learning" opportunities and want to get back to 
"doing" the job I am paid to do.


IBM doesn't do its customers any favors with the way they handle 
certificates.


Every other operating system installs default trusted certificates, and 
all this "just works" (mostly). IBM has decided they don't want to tell 
customers who to trust, but the reality is that this makes communication 
over the internet difficult or impractical.


It's even more difficult because RACF is different to everything else 
out there, so it's hard to find examples.


I accept that IBM has customers who need to do their own vetting of CAs. 
However, IBM could provide e.g. a separate optional FMID that installed 
a set of trusted certificates updated by PTF, the same as other 
operating systems. Customers could select whether or not the standard CA 
certificates were installed.


That would make life much easier for customers who just want to use TLS 
for internet connections, and leave vetting CAs to their operating 
system vendors.


--
Andrew Rowley
Black Hill Software

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN