IBM Statement of Direction: Fibre Channel Endpoint Security
I’d like to draw your attention to this new IBM Statement of Direction regarding IBM Fibre Channel Endpoint Security with FICON-attached devices:
https://www.ibm.com/docs/en/announcements/statement-direction-1-qtr-2024

More information is available here:
https://www.ibm.com/downloads/cas/Y6E9KLA8

IBM Fibre Channel Endpoint Security is already available for all current model machines and some prior model machines.

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Anyone exploiting ZEDC?
rpinion865 wrote:
>Is it not true that even though you get the zEDC engines on the z15 and z16,
>you still have to pay for the exploitation by enabling Featurename('ZEDC') in
>parmlib's IFAPRDxx?

David Jousma wrote:
>To answer your other question, yes, ZEDC is a chargeable feature
>(although very inexpensive) and is turned on in IFAPRD00.

OK, I’ll try to clarify.

On z15/LinuxONE III models and higher the zEDC hardware is on-chip, standard, no additional charge, no feature code needed. “It’s just there.”

In z/OS there’s an optional, chargeable software feature called “z/OS zEDC.” This licensed, chargeable feature (like other optional z/OS elements) is enabled in an IFAPRDxx parmlib member. However, if you don’t enable this chargeable element it’s still possible to exploit zEDC on z/OS to some degree. As one example, Java applications using java.util.zip’s zlib library (available in the IBM Semeru Runtimes) can exploit zEDC even without enabling the z/OS zEDC feature. Here’s how the z/OS 3.1 documentation explains it:

“...With IBM Integrated Accelerator for zEDC compression on the z15 [and higher], you use IFAPRDxx only for enabling asynchronous processing (by using the FPZ4 authorized services). Entitlement of the zEDC priced feature of z/OS is not required for using zlib-based functions.”

Anticipating the next question, I haven’t found a good, current list of zEDC exploiters and whether they require the z/OS zEDC feature or not. It’d be a fairly long list, and the list keeps growing. But if the product’s or component’s documentation lists the z/OS zEDC feature as a prerequisite (or a recommendation) then that’s an indicator it uses (or can use) the FPZ4 authorized services.

IBM offers some tools that can help determine whether the z/OS zEDC feature would be of benefit, and how much. This whitepaper illustrates such an analysis:
https://www.ibm.com/support/pages/system/files/inline-files/zEDC_White_Paper.pdf

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Anyone exploiting ZEDC?
rpinion865 wrote:
> At a prior life, we got the zEDC cards on a z15, and turned that on
>for PS datasets.

Just to clarify, every IBM z15, LinuxONE III, and higher model machine has on-chip zEDC (compression). It’s formally called the “Integrated Accelerator for zEDC,” and you can expand the zEDC part if you want to be more verbose. On-chip zEDC is included at no additional charge in these more recent machines. No zEDC cards required, no machine feature code required. Moreover, it’s not possible to carry forward the zEDC cards to the newer machine models even if you wanted to.

I realize it’s not the major point of this thread, but here’s a quick comment about VSAM performance. I think it’s important to “sanity check” performance assumptions periodically because past assumptions often no longer reflect reality as time and technology progress. When I participate in such assessments (and write reports) I typically include an “expiration date.” I include a statement such as, “We recommend reassessing these performance metrics no later than April 30, 2028.” That sort of statement might be based on some educated guesswork, but I try to set a reasonable boundary in the circumstances.

There’ve been lots of VSAM-related performance improvements over the years and decades, and they continue. zHyperWrite and the IBM Z Digital Integration Hub (zDIH) are only two examples.

In terms of zEDC applicability to VSAM, just in case anybody needs the official documentation here it is (z/OS 3.1 link):
https://www.ibm.com/docs/en/zos/3.1.0?topic=sets-characteristics-compressed-format-data

The “Requirements for Compression” subsection is also relevant. There’s a lot of meaning packed into those two pages, more than usual I’d say. For example, these words are quite important: “A compressed format data set cannot be opened for update.” Those few words are doing some heavy lifting.

I’d add that a non-compressed format data set (that can be opened for update) CAN contain data compressed with zEDC. As one example, a Java program can compress data with zEDC then store the compressed data in a data set (via JZOS for example).

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
OpenShift 4.15 Now Available
Red Hat OpenShift Container Platform Version 4.15 is now available. This release includes major new features for IBM LinuxONE and IBM Z servers:

• a “bare metal” LPAR deployment option — sans z/VM, KVM, or z/OS;
• support for multi-architecture compute nodes;
• “SNO” (single-node OpenShift) support, with significantly lower resource requirements for applications and development environments that don’t need OpenShift’s high availability features;
• easier installation options; and
• a preview of hosted control planes.

More details are available here:
https://community.ibm.com/community/user/ibmz-and-linuxone/blogs/gerald-hosch1/2024/03/14/new-deployment-options-for-less-resource-reqs?CommunityKey=fd56de68-d38b-499b-a1f4-51010f4eee66

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Ideas for less-disruptive disruptions - Netmaster:Solve and CICS
The “night light” CICS program can be quite simple and written in any language — in REXX, for example. You probably ought to include a link to the replacement application and help desk details. For example:

REPLACEMENT APPLICATION NOTICE

[Application ABC] replaced [Application XYZ] on March 8, 2024.

To access the new application please visit:
https://www.ourcompany.com/abc-app

If you need special assistance with this transition please contact Our Company Help Desk at 1-800-555-1234 and use QuikHelp code RAN24AA.

Press or to return to the previous screen.

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
IBM Open Enterprise SDK for Go 1.22 Now Available
Go (Golang) Version 1.22 is now available for z/OS. You can install this release traditionally, and it now also includes a container image that runs on the new IBM z/OS Container Platform. Details here:
https://community.ibm.com/community/user/ibmz-and-linuxone/blogs/chandni-dinani2/2024/03/15/ibm-open-sdk-for-go-122-is-now-available

The IBM Open Enterprise SDK for Go is available to all z/OS licensees at no additional charge. Optional paid support is available from IBM.

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: IBM Announces the z/OS Container Platform
The documentation for IBM z/OS Container Platform is now available here:
https://www.ibm.com/docs/en/zoscp/1.1.0

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: With IBM planning (planned) dropping support for SNA / 802.3
Binyamin Dissen wrote:
>With IBM planning (planned) dropping support for SNA / 802.3, does that
>mean that application code using LU6.2 will stop working?
>Or will VTAM continue to support LU6.2 code?

IBM is dropping support for “classic” SNA and pre-SNA “wire” protocols effective with z/OS 3.1 and the machine models after the IBM z16 models, whichever you deploy first. One important reason is that it’s impossible to secure these classic wire protocols without breaking compatibility. The best SNA can do on its own is TDES session-level encryption, and that’s just not good enough (and hasn’t been for a while).

IBM is *NOT* dropping support for SNA! Just use Enterprise Extender (EE), also known as SNA over UDP and IETF RFC 2353. Enterprise Extender was first introduced in OS/390 2.7 in 1999 — a quarter century ago. Every z/OS release includes Enterprise Extender in the base operating system. Enterprise Extender can be well secured (we recommend it!), and often you’ll get some performance benefits. It also supports every link type that UDP supports (pretty much everything).

SNA also remains available via FICON Channel-to-Channel (CTC) links. FICON CTC links can be well secured using Fibre Channel Endpoint Security.

Use z/OS Health Check APAR OA62208 to determine whether your z/OS network configuration needs to be adjusted so that you’re only using Enterprise Extender, other forms of TCP/IP, and/or FICON CTC links. The PTFs for this APAR are available for z/OS 2.3, 2.4, and 2.5.
https://www.ibm.com/support/pages/apar/OA62208

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: IBM Announces the z/OS Container Platform
(Cross-posted to MVS-OE.)

A little more information on the IBM z/OS Container Platform is now available here:
https://www.ibm.com/support/z-content-solutions/zos-container-platform/

Here’s my quick functional summary of some related offerings:

* IBM z/OS Container Extensions: runs containerized Linux applications on z/OS
* OpenShift on z/OS (“zCX Foundation for Red Hat OpenShift”): runs containerized Linux applications on z/OS with advanced provisioning, clustering, orchestration, and management
* IBM z/OS Container Platform: runs containerized z/OS UNIX™️ applications
* Statement of Direction announced with the IBM z/OS Container Platform: “Kubernetes orchestration support”
* IBM z/OS Cloud Broker: allows OpenShift environments to provision and orchestrate z/OS-hosted services, including “classic” services

Yes, IBM is introducing an Open Container Initiative (OCI)-compliant container image standard for z/OS UNIX applications.

The IBM z/OS Container Platform (IBM Program No. 5655-MC3) should be Generally Available on March 15, 2024. The full documentation should also be available on that date.

I understand IBM publicly demonstrated (for the first time) the IBM z/OS Container Platform at SHARE about 12 hours ago as I write this. Any first person reports?

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
IBM Announces the z/OS Container Platform
I’d like to draw your attention to this IBM announcement:
https://www.ibm.com/docs/en/announcements/zos-container-platform-delivers-industry-standard-cloud-technologies-build-run-zos-unix-applications-as-containers-natively-zos

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: ZOS Sending Logs to Sumologic Experience?
Steve Estle wrote:
>We are embarking on an endeavor to explore sending logs to a
>tool called Sumologic (sumologic.com). For those who are unaware,
>Sumologic is a competitor to Splunk and contains a very powerful real
>time log parsing analytics engine which can be used to build dashboards,
>alerts, and more. My basic question is has anyone heard of or actually
>been involved in devising ways to send ZOS logs into Sumologic – our
>initial efforts will be security related, but for now am just asking if
>anyone has any experience in this realm at all? Or maybe you are
>doing something similar to Splunk?

I’m not too familiar with Sumo Logic, but they say they can ingest several different log/event feeds, notably LEEF (Log Event Enhanced Format). zSecure Alert and zSecure Audit do a great job providing LEEF (and other format) feeds to the likes of Splunk, QRadar, ArcSight, and others. Here’s an entry point into the zSecure documentation to explain more:
https://www.ibm.com/docs/en/szs/3.1.0?topic=deployment-data-preparation-siem

To set expectations a bit, even the best z/OS event feed(er), with lots of customization and enrichment options, can only partially help Sumo Logic and its users interpret, correlate, and understand z/OS-specific events. There’s a lot of work that goes into QRadar’s Device Support Modules (DSMs) and AI to understand what’s really happening in z/OS in context, and to display meaningful information to users who don’t necessarily know much about z/OS specifically. So just be prepared to do at least some work to make the feed(s) from z/OS more useful within Sumo Logic — work on both ends.

In other words, most of the value in this class of dashboarding and analysis tools is in, well, how much useful analysis they provide. Feeding the tool (even with the best feed) is only part of the story.

Metaphorically speaking you could feed hospital-related events to a control center at a steel manufacturer. And that hospital event feed could be the world’s best feed, with lots of enriched data and everything you could ever want to know about what’s happening at the hospital. But a steel manufacturer that understands steel-related events — and maybe also nickel-related, copper-related, and car manufacturing-related events in a pinch — could be bewildered when it receives hospital-related events. True, it’s all English (or some other common language), but what does it mean when there’s a gray alert followed by a pink alert? Are those two events related? And what is a gray alert anyway? Or a pink alert?

Answering my own questions, these events could be related. “Gray” means a combative person, and “pink” means an infant abduction. But I didn’t know that until 5 minutes ago.

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
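A receiving-side sketch of the "work on both ends" point in the message above, added here as an example (it is not from the original post, from zSecure, or from Sumo Logic): a parser for LEEF 1.0 and 2.0 records plus a site-maintained glossary that turns platform-specific event IDs into analyst-readable text. The vendor, product, event IDs, glossary entries and sample records are constructed for illustration.

```python
import re

# LEEF record layouts:
#   LEEF:1.0|Vendor|Product|Version|EventID|<tab-separated key=value pairs>
#   LEEF:2.0|Vendor|Product|Version|EventID|Delimiter|<key=value pairs>
HEADER_FIELDS = ("vendor", "product", "version", "event_id")

# Constructed sample records (not real zSecure output).
SAMPLE_LEEF1 = ("<13>Mar 14 09:15:02 SYSA LEEF:1.0|ExampleVendor|ExampleZosFeed|1.0|"
                "LOGON_FAILURE|usrName=USER01\tsrc=192.0.2.10\tsev=7")
SAMPLE_LEEF2 = ("LEEF:2.0|ExampleVendor|ExampleZosFeed|1.0|DATASET_ACCESS|^|"
                "usrName=BATCH01^resource=PAYROLL.MASTER^sev=5")

# Hypothetical site glossary: the enrichment a SIEM team maintains so that
# analysts unfamiliar with z/OS can read the event.
GLOSSARY = {
    "LOGON_FAILURE": "z/OS logon rejected by the security manager",
    "DATASET_ACCESS": "z/OS data set opened",
}


def _delimiter(spec):
    """Resolve a LEEF 2.0 delimiter field: one literal character or hex (x09, 0x09)."""
    match = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{1,4})", spec)
    if match:
        return chr(int(match.group(1), 16))
    if len(spec) == 1:
        return spec
    raise ValueError(f"unsupported LEEF delimiter {spec!r}")


def parse_leef(line):
    """Parse one LEEF record (optionally preceded by a syslog header) into a dict."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header found")
    payload = line[start:].rstrip("\r\n")
    leef_version = payload.split("|", 1)[0][len("LEEF:"):]
    if leef_version == "1.0":
        parts = payload.split("|", 5)
        if len(parts) != 6:
            raise ValueError("truncated LEEF 1.0 header")
        delim, attr_text = "\t", parts[5]
    elif leef_version == "2.0":
        parts = payload.split("|", 6)
        if len(parts) != 7:
            raise ValueError("truncated LEEF 2.0 header")
        # An empty delimiter field falls back to the tab default.
        delim = _delimiter(parts[5]) if parts[5] else "\t"
        attr_text = parts[6]
    else:
        raise ValueError(f"unsupported LEEF version {leef_version!r}")

    event = {"leef_version": leef_version, "attrs": {}}
    event.update(zip(HEADER_FIELDS, parts[1:5]))
    for pair in attr_text.split(delim):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        event["attrs"][key] = value
    return event


def describe(event, glossary=GLOSSARY):
    """Render an event for an analyst; unmapped IDs are flagged, not guessed at."""
    meaning = glossary.get(event["event_id"], f"unmapped event {event['event_id']}")
    attrs = event["attrs"]
    return f"{meaning}: user={attrs.get('usrName', '?')} sev={attrs.get('sev', '?')}"


if __name__ == "__main__":
    for record in (SAMPLE_LEEF1, SAMPLE_LEEF2):
        print(describe(parse_leef(record)))
```

Event IDs missing from the glossary come back as "unmapped event …", which gives a concrete backlog of the interpretation work the message describes.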
Re: RACF, external password management
Frank Swarbrick wrote:
>I have a curious question about MFA on z/OS. Does each login
>require a different token? Meaning, if I log on to TSO and to CICS,
>can I use the same token? I ask because I log on and off to
>various CICS regions throughout the day, and I'd hate to have to
>get a new token for each login. (We don't use MFA right now,
>except for our mainframe "outsourcer" teams (Kyndryl).)

That’s configurable based on what security posture you’re trying to maintain. The token can be one-time (and time limited) or can be reused (and still time limited). The time limit is configurable, too.

>I wish that you could just "logon to VTAM," as it were, and it would
>log you in to each VTAM application you use. I don't think this is
>available right now, correct me if I'm wrong!

Yes, you can do that with a combination of CL/SUPERSESSION, Z MFA, and PassTickets. Other combinations may be possible, but that’s the typical IBM combination. The entry point to the documentation is here:
https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-clsupersession-zos

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: RACF, external password management
Michael Brennan wrote:
>Both ACF2 and Top Secret have common phrases that can not be
>used for passwords and you can add or subtract from the list.
>You would think RACF would have the same. I have not dug through
>the RACF manuals to determine if it does or not.

RACF has a new-passphrase exit called ICHPWX11. IBM provides a sample exit routine, and you can use REXX to run whatever passphrase quality checks you wish. The REXX script could even make an external (or “external”) network call to check the passphrase against some database. But you’d have to write and maintain this REXX code, and it wouldn’t provide multi-factor authentication. It’d merely help strengthen new passphrase selections.
https://www.ibm.com/docs/en/zos/3.1.0?topic=users-assigning-password-phrases

————— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: RACF, external password management
Linda Hagedorn wrote:
>It's one option to force all RACF password changes through a single
>point. However, there's a lot of ways to reach the password change
>process in MVS, and writing blocks for all of them isn't reasonable.
>The ZMFA holds promise, if I can find a software company that has
>bought/collected the same 15m passwords that Cybernews did.
>I can route all RACF password changes to the
>software company for validation.

Not that it’s necessarily the only way to do it, but what I’m thinking with ZMFA is that you’d already have passphrases somewhere that have been validated (and that are changed and managed) according to your requirements, including vetting against previously breached passphrases. These passphrases are already residing in an enterprise-wide LDAP server, for example. I’m assuming RACF isn’t the only security authenticator that needs to meet this requirement. You probably have many other systems and applications that also need to meet this requirement, and they’re depending on passphrases stored/managed somewhere.

So, users would stop changing or managing RACF passwords/passphrases. RACF wouldn’t even allow it, really, because their user IDs are marked as MFA-enabled IDs. That means RACF will loop through ZMFA when they try to log in. Users would instead first log into ZMFA “out-of-band,” provide their enterprise LDAP-stored passphrases, and get back 8 character tokens that expire. These tokens can be one-time use or multiple use (always within their validity periods). Users then treat the 8 character token as a RACF password to log in to RACF, and since the user ID is MFA-enabled RACF checks with ZMFA that the token/password is valid. ZMFA says, “Yes, that’s the user I just gave that token to, it’s not an expired token, and (if one-time use) it hasn’t been used before” then tells RACF it’s OK to let that user in.

When a user wants to change his/her passphrase they do that in the enterprise passphrase database, against that LDAP server, not in RACF at all. (They don’t get the opportunity to do so. Effectively they’re changing their password every time they grab a new token, and that password can be one-time use and always has a relatively short validity period.)

As Radoslaw Skorupka wisely pointed out, a passphrase, no matter how well managed and vetted, is only one factor. It’s best to authenticate with a second strong factor and the passphrase. ZMFA can do this, too. It has “Multi” in its name, after all. :-)

You can adopt ZMFA in a phased approach if you’re not ready to add the second factor immediately. For example, you could first require “privileged” users to provide vetted/well-managed passphrases (stored in a LDAP server for example) to get their RACF log-in tokens. Then extend this requirement to every RACF user ID (except non-human machine ones of course). Then require “privileged” users to log in using 2 factors (the vetted/well-managed passphrase plus a 6 digit code from an IBM or Google authenticator app on their mobile device, for example). Then extend 2 factor authentication (2FA) to every user.

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
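The three checks described in the message above (token issued to this user, not expired, not already used when one-time), modelled as an added example. It is a conceptual sketch and not ZMFA's implementation or API; the class and method names, the token alphabet, and the one-active-token-per-user rule are assumptions made for illustration.

```python
import hmac
import secrets
import string
import time

TOKEN_ALPHABET = string.ascii_uppercase + string.digits  # assumption for the sketch
TOKEN_LENGTH = 8  # the message describes 8 character tokens


class TokenService:
    """Toy model of out-of-band token issuance and logon-time validation."""

    def __init__(self, ttl_seconds, reusable, clock=time.monotonic):
        self.ttl = ttl_seconds      # configurable validity period
        self.reusable = reusable    # False = one-time use
        self.clock = clock          # injectable so expiry can be tested
        self._issued = {}           # user_id -> token record

    def issue(self, user_id, factors_ok):
        """Out-of-band step: a token is handed out only after the external
        factor(s), e.g. an LDAP-held passphrase, have been verified."""
        if not factors_ok:
            return None
        token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
        # Issuing a new token replaces any earlier one for this user.
        self._issued[user_id] = {
            "token": token,
            "expires": self.clock() + self.ttl,
            "used": False,
        }
        return token

    def validate(self, user_id, presented):
        """Logon step: the check the security manager delegates.
        Returns (allowed, reason)."""
        record = self._issued.get(user_id)
        if record is None:
            return (False, "no token issued to this user")
        # Constant-time comparison of the presented value with the issued one.
        if not hmac.compare_digest(record["token"].encode(), presented.encode()):
            return (False, "token does not match")
        if self.clock() >= record["expires"]:
            del self._issued[user_id]
            return (False, "token expired")
        if record["used"] and not self.reusable:
            return (False, "token already used")
        record["used"] = True
        return (True, "ok")


if __name__ == "__main__":
    now = [0.0]
    one_time = TokenService(ttl_seconds=300, reusable=False, clock=lambda: now[0])
    tok = one_time.issue("USER01", factors_ok=True)
    print(one_time.validate("USER01", tok))   # first use
    print(one_time.validate("USER01", tok))   # replay of a one-time token
    print(one_time.validate("USER02", tok))   # token presented by another user
```

Switching `reusable` to `True` with the same time limit models the reusable, still time-limited configuration the message mentions.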
Re: RACF, external password management
Linda Hagedorn wrote:
>This is very promising. Do you know where I can read more about ZMFA?

The documentation landing page is here:
https://www.ibm.com/docs/en/zma

>I'm interested in knowing how to configure the external source, and how
>the token is passed back to RACF, and how long the token lasts.
>For example, if systems programmers are working a problem, we
>wouldn't want the token to expire in 3 hrs.
>Or does the token last for the duration of the session?
>If tso/ispf times out (sysprog is doing research or answering
>mgmt questions), will they have to generate a new token?

If for example you’re configuring ZMFA to use a LDAP server as an “external” factor then this landing page has further details:
https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-ldap

I put the word external in quotation marks because the LDAP server could be z/OS’s LDAP server or some other LDAP server running on the same IBM Z machine. And LDAP is just one example. Many “external” and external factors’ interfaces are supported.

You can configure ZMFA for “out-of-band” authentication so that users obtain what’s called a “cache token credential” (CTC) to log into RACF (via TSO/E for example). You can choose whether the CTC is reusable and how quickly it expires.
https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-policy-token-timeout
https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-cache-token-credential-be-reusable

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
RACF, external password management
Linda Hagedorn wrote:
>My company wants an external password manager to substitute for RACF.
>I need to know if anyone has experience with this, or common password
>matching in RACF.
>Background
>Regulations NYDFS require preventing common passwords to be used.
>Vendor tools (Courion, CyberArk, etc.) have a corpus to match password
>changes to prevent the use of common passwords.
>RACF passwords can be changed from TSO, the internal reader, JCL,
>Candle Session manager, etc., so trying to block password changing through
>RACF and forcing everyone through one of these 3rd party tools may be near
>impossible.
>Any input is appreciated.

This’d be easy to do with IBM Z Multi Factor Authentication (ZMFA). Despite its name you could use ZMFA to support a single “external” factor such as a super vetted passphrase verifier, although it’d obviously be best to have a genuine second factor too (while you’re at it).

Let’s suppose for example you maintain/update these super rule compliant passphrases in a LDAP server. OK, then configure ZMFA so that it validates passphrases against the LDAP server and gives RACF yes or no decisions. You could for example use “out-of-band” authentication so that users who clear the ZMFA hurdle (log in via a secure Web page) get a one-time token that they use to log into RACF (in place of a password). And then you’ve neatly solved the problem of handling RACF password/passphrase changes everywhere. Other variations are possible — this is just an example.

If you’re concerned about the “What if the LDAP server is down, unreachable, or slow?” scenarios then one straightforward solution is to use z/OS’s LDAP server and simply keep that LDAP server synced reasonably well with another LDAP server. (LDAP supports syncing.) In that case ZMFA simply loops back to z/OS LDAP, an ultra short loop. If the syncing is down for a little while it’s not a calamity. Or use another LDAP server that runs in the z/OS Container Extensions or in a Linux on IBM Z partition. LDAP is just an example too, although it’s a common one.
https://www.ibm.com/products/ibm-multifactor-authentication-for-zos

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Nanosecond resolution timestamps for HLL's?
How about using MQ for z/OS, shared queues (if desired), and channel sequence numbers?

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Encryption and decryption - processor or TCPIP
Eric Rossman wrote:
>The CPACF is a physically separate chip that runs in lockstep
>with the CP that invokes it. So, it does cost general CP but
>much less than implementing it in millicode.

Actually, every processor core includes its own CPACF coprocessor section. In other words, CPACF is “on core.” That includes CPs (general purpose processor cores), IFLs, zIIPs, and all the other main processor core types.(*) You can see a design illustration of this arrangement in IBM Redbook SG24-8951 (“IBM z16 Technical Guide”) in Figure 3-13. If your processor core is configured for SMT2 (typical with zIIPs and IFLs) then the CPACF section will also operate in SMT2 mode. Said another way, every processor core thread has its own CPACF section thread.

Really the only thing you need to worry about in terms of having CPACF available is to make sure that Feature Code 3863 is installed on your system. FC 3863 is a zero additional charge feature. It’s available in almost every country and territory, but apparently there are one or a couple odd places with peculiar import regulations. Those few places may still allow FC 3863 but may require some sort of permit or other legal paperwork. Ordinarily your IBM representative or IBM business partner will add FC 3863 to your machine order reflexively in the countries/territories where there’s no local regulatory issue. But that’s something to double check.

If you don’t have FC 3863 installed then CPACF still partially works, but it only provides hashing and random number functions. FC 3863 enables the full range of CPACF algorithms/instructions including encrypt/decrypt.

(*) I think those other processor types also use CPACF instructions from time to time, if available. For example, the Coupling Facility Control Code (CFCC) likely uses CPACF instructions (if FC 3863 is present) when you configure encryption-related functions to strengthen a CF’s security posture.

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Encryption and decryption - processor or TCPIP
Lennie Dymoke-Bradshaw wrote:
>In the back of my mind I also think that the crypto processing for TCP/IP
>could be performed on a zIIP processor (which could be using its CPACF, of
>course).

IPSec/IKEv2 can exploit zIIPs (and CPACF).
https://www.ibm.com/docs/en/zos/3.1.0?topic=iv-additional-ipsec-assist-using-system-z-integrated-information-processor-ziip-ip-security

But I think we’re drifting a bit. z/OS AT-TLS performs quite well if it’s configured correctly. And if persistent TLS connections are an option then they’d dramatically reduce the number of network roundtrips, eliminating a lot of network latency.

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Encryption and decryption - processor or TCPIP
>So Timothy (and probably just for me), I've seen a couple
>of sites without crypto HSM cards not bother to run ICSF.
>Can I assume in that case there's pretty-much no way any
>encryption processing could be using CPACF?

ICSF supports many, many cryptography-dependent features in z/OS. Even many business applications that just need a simple API to get a random number rely on ICSF. ICSF is “darn important.”

But the way you phrased your question I’d answer no. It’s technically possible to exploit CPACF even from within z/OS but without calling ICSF. One simple example that comes to mind is via the z/OS Container Extensions (zCX). You could have a running container image in zCX that’s using CPACF instructions — via an OpenSSL library, for example. (OpenSSL on this architecture knows how to exploit CPACF instructions and has for many years.) However, the container image has no direct access to ICSF.

————— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Encryption and decryption - processor or TCPIP
or a SSH tunnel.

Another possible option is to relocate the other party closer (in network latency terms) to z/OS AT-TLS. Let’s suppose for example you’re connecting from CICS to an OpenLDAP server running on another machine in another data center. You could install, configure, and run an instance of OpenLDAP on the z/OS Container Extensions (zCX) within the same LPAR running your CICS transactions. That z/OS-hosted OpenLDAP server can replicate with other OpenLDAP servers elsewhere so that it’s kept in sync. And then your CICS application has a much shorter, much lower latency network path because it can connect to the local OpenLDAP instance inside the same LPAR.

Does this background help and give you some areas to check?

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM Z/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: So Long, and Thanks for All the Fish*
Best wishes Cheryl! If Singapore is on your bucket list please stop by to say hello.

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
CBS's "60 Minutes": Quantum Computing
If you’d like to understand why IBM is so bullish on quantum computing — and so focused on quantum-safe cryptography — this “60 Minutes” story is well worth watching:

https://www.youtube.com/watch?v=K4ssT6Dzmnw

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: AI System Services on z/OS 3.1 - is a CF really mandatory?
Peter Bishop wrote:
>it seems from the manual linked to below that you must have a CF to run
>EzNoSQL in order to use the new AI Framework feature of z/OS 3.1, for
>example to have AI-powered WLM batch initiators which is the first use case
>given. Most of my customers would baulk at spending for ICFs, so this is a
>real blow if it's actually the case.
>Is it really true that you must have a CF for AI on z/OS 3.1? Say it ain't
>so, IBM, please!
>https://www.ibm.com/docs/en/zos/3.1.0?topic=installation-hardware-software-requirements

The z/OS AI Framework requires EzNoSQL, EzNoSQL requires VSAM Record-Level Sharing (RLS), and VSAM RLS requires a Coupling Facility (internal or external) running on either a CF or general purpose engine. Certain software components included in the z/OS AI Framework might not require EzNoSQL and can be useful on their own, but for the AI-driven WLM batch initiators feature I can’t see how you’d avoid the EzNoSQL requirement at least currently.

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Anyone with zCX docker hands on?
Tony Harminc wrote:
>Do the zArch crypto instructions support the crypto operations used by
>Wireguard? I see PCKMO supports Curve25519 for key exchange, but I'm not
>seeing any of the others. Does the apparent high performance of the
>symmetric crypto running on a CP or specialty engine outdo the crypto
>hardware on z?

WireGuard has been part of the Linux kernel since kernel 5.6 (March 29, 2020). WireGuard leans heavily on ChaCha20-Poly1305. Its designers picked ChaCha20-Poly1305 in large part because even generic implementations typically perform well even on extremely resource limited systems.

Even so, ChaCha20-Poly1305 performance optimizations are possible to raise “excellent” to “super excellent” performance. See here for one important example:

https://community.ibm.com/community/user/ibmz-and-linuxone/blogs/bill-ofarrell/2023/09/22/killer-crypto-in-go-on-zos-crypto-acceleration

The mainline Linux kernel includes a non-generic, performance optimized implementation of ChaCha20-Poly1305 for s390x. Refer to arch/s390/crypto/chacha-s390.S. Wireguard is supposed to use kernel default cryptographic APIs if/when it doesn’t supply its own, so it should pick up those same ChaCha20-Poly1305 optimizations on s390x. Or at least that’s my understanding, and only with a cursory glance at kernel source code.

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Anyone with zCX docker hands on?
Dave Jousma wrote:
>Thanks Timothy. Yep found all that, have the instance up and working just fine
>it’s the peer to peer networking that is not working. The fine folks at
>Rocket indicate that their software is picking up the internal container IP,
>and not using the Host IP causing the problem. They are working up their own
>testing, and believe that docker overlay networking can resolve this.

OK, it’s interesting the software works that way.

(“Thinking out loud...”) Could you run a “bigger” Linux container image that includes a VPN tunnel (such as WireGuard) to connect these two peers with one another to work around the issue?

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Anyone with zCX docker hands on?
Dave Jousma wrote:
>I've successfully stood up Rocket Terminal Emulator(RTE) in a couple
>of separate ZCX hosts on z/OS V2.5. I am now trying to get the
>clustering feature of RTE to work, but there are specific network
>changes in Docker that need to be made to allow separate
>containers to communicate that Rocket doesn’t document, probably
>because docker experience is expected.

It should be easy assuming you’ve got your z/OS networking set up properly for zCX and have also set up your Docker/OCI container image properly. The redbook provides a big clue on page 99.

https://www.redbooks.ibm.com/redbooks/pdfs/sg248457.pdf

It provides an example using nginx, a popular HTTP(S) server. The example uses this startup command:

    docker run -p 8080:80 -d nginx

The -p parameter is crucial. In this example it means, “Expose port 8080 to the outside world, and any traffic to/from port 8080 should be directed to/from port 80 within this nginx container image.” So if you’re trying to get two container images (on two different z/OS LPARs, as Dave Crayford suggested) to talk to each other you’d start them up with the -p option and then tell them to talk to each other on the respective external ports you’ve chosen. Hopefully obviously you should pick external ports that aren’t already occupied or reserved for other z/OS uses in that LPAR.

Just to rule out various potential issues you could try the nginx example and then see if you can reach that nginx server from the other z/OS LPAR — using curl on z/OS, for example. There’s a curl Docker/OCI container image available on Docker Hub:

https://hub.docker.com/r/curlimages/curl

If curl running on zCX in LPAR #2 can reach nginx running on zCX in LPAR #1 then you know you’ve got network connectivity. Reverse the spot test (nginx running in zCX LPAR #1, curl running in zCX LPAR #2) to make sure it works in the other direction, too.

If you don’t want to pull from Docker Hub you can pull from the IBM Z and LinuxONE Container Registry:

https://ibm.github.io/ibm-z-oss-hub/containers/index.html

There’s a nginx container image available there, but you’d use something else in place of the curl container image — anything that can test a HTTP connection. The ClefOS or Alpine container image probably includes curl or wget (since they’re common base Linux distribution commands), but that’s a guess.

If you’ve verified that curl (or wget) can reach nginx in both directions then you know you’ve at least got HTTP connectivity. It’s still possible to have a firewall blocking some other protocol, so if Rocket Terminal Emulator Web uses something besides HTTP(S) then you’ll cross that bridge if/when you get to it.

Then you may need to work on configuring that cross-cluster network connection with security in mind. One way is internal to Rocket Terminal Emulator Web (whatever it uses) to secure the connection. Or you could establish an IPsec/IKEv2 hop between your two z/OS LPARs. Or a hop that uses z/OS AT-TLS at both ends. If it’s on the same machine you could use a HiperSockets/SMC-D hop, although you may still want to use z/OS AT-TLS (with client and server certificate authentication) atop the HiperSocket/SMC-D hop.

—————
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
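The spot test described in the message above, written out as an added shell example that is not part of the original post. The helper names (check_mapping, classify_probe, serve, probe), the reserved-port list and the peer address argument are assumptions made for illustration; the nginx and curlimages/curl images and the 8080:80 mapping are the ones the message names.

```shell
#!/bin/sh
# Added example: nginx/curl connectivity spot test between two zCX instances.
# Usage (hypothetical):  ./spot.sh serve            on the LPAR hosting nginx
#                        ./spot.sh probe <peer-ip>  on the other LPAR
# Run it once in each direction, as the message suggests.

HOST_PORT=8080       # external port from the message's example
CONTAINER_PORT=80    # port nginx listens on inside the container

# Validate a "-p" mapping (HOST:CONTAINER) and refuse a host port that is in
# the operator-supplied, space-separated list of ports already in use or
# reserved on this LPAR. Prints: ok | reserved | invalid
check_mapping() {
    mapping=$1
    reserved=$2
    case $mapping in
        *[!0-9:]* | *:*:* | :* | *:) echo invalid; return 0 ;;
        *:*) ;;
        *) echo invalid; return 0 ;;
    esac
    host=${mapping%%:*}
    cont=${mapping##*:}
    for n in "$host" "$cont"; do
        if [ "$n" -lt 1 ] || [ "$n" -gt 65535 ]; then
            echo invalid; return 0
        fi
    done
    for p in $reserved; do
        if [ "$p" = "$host" ]; then
            echo reserved; return 0
        fi
    done
    echo ok
}

# Turn a curl exit code plus HTTP status into a diagnosis.
# curl exit codes: 6 = could not resolve host, 7 = failed to connect,
# 28 = operation timed out.
classify_probe() {
    rc=$1
    http=$2
    case $rc in
        0) case $http in
               2??|3??) echo reachable ;;
               *) echo reachable-http-error ;;   # path works, server unhappy
           esac ;;
        6)  echo dns-failed ;;
        7)  echo connect-failed ;;  # nothing answering on the published port
        28) echo timeout ;;         # packets dropped, e.g. firewall or routing
        *)  echo other ;;
    esac
}

# Start nginx with the published port, after checking the mapping.
serve() {
    verdict=$(check_mapping "$HOST_PORT:$CONTAINER_PORT" "${RESERVED_PORTS:-}")
    if [ "$verdict" != ok ]; then
        echo "refusing to publish $HOST_PORT: $verdict" >&2
        return 1
    fi
    docker run -p "$HOST_PORT:$CONTAINER_PORT" -d nginx
}

# Probe the peer's published port from a curl container on this side.
probe() {
    peer=$1
    status=$(docker run --rm curlimages/curl -s -o /dev/null \
        -w '%{http_code}' --connect-timeout 5 \
        "http://$peer:$HOST_PORT/") && rc=0 || rc=$?
    classify_probe "$rc" "$status"
}

case ${1:-} in
    serve) serve ;;
    probe) probe "$2" ;;
esac
```

A "reachable" result in both directions only establishes HTTP connectivity on the chosen port; any other protocol the clustered application uses still has to be tested separately.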
Re: Does z/VM have a product/tool which can send backup to the Cloud ?
Sebastian Welton wrote:
>Out of interest then, how do you get around the various data privacy rules such
>as GDPR which may not allow storage of certain data outside of a certain
>sphere? If AWS or another cloud provider is set-up to automatically transfer
>this data out of that sphere, wouldn't the company in question be subject to
>multiple privacy lawsuits?

You wouldn’t “get around” regulations. You’d comply with them.

A public commercial cloud consists of real data centers in multiple physical locations where you can store backup data, strongly encrypted typically. If a regulation or law says you must store these backups in a particular country then you simply pick certain data centers but not others. All the public commercial clouds I’ve ever seen let you do that.

If the public commercial cloud company does something contrary to your instructions then that’s likely a contractual violation of some kind, and the public commercial cloud company may also be violating laws or regulations. Likewise, if you hire a company to pick up trash from your offices, then the company dumps your trash on the White House’s lawn, that’s illegal. If you’re concerned that the public commercial cloud company (or your trash collection company) might violate the law then you probably shouldn’t do business with that company. If the company you hire violates the law then you should probably stop doing business with that company.

Public commercial cloud companies exist, they offer lots of services, and many organizations buy their services. Just as they buy trash collection, telecommunications, office leasing, temporary staffing, payroll processing, talent recruiting, catering, and myriad other business services. Sometimes it makes sense for organizations to buy business services outside the organization, and sometimes it doesn’t.

Either way (and both ways) the cloud object storage solutions for IBM Z and LinuxONE servers are available to help.

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Does z/VM have a product/tool which can send backup to the Cloud ?
I wrote:
> IBM Cloud Tape Connector for z/OS

David Crayford wrote:
>That’s one of our products. Our team was only talking about
>it this week. One of the team had just returned from customer
>visits in SE Asia and quite a few multi-national banks are using
>CTC so they can recover to data centers in different countries
>continents. Everybody uses AWS S3. As you already mentioned,
>you can use zones and also replicate to other zones in different
>locales.

Amazon (AWS) S3 is one of the popular choices, but to be clear you don’t have to use Amazon specifically. Or a public commercial cloud. The cloud object storage APIs are reasonably well standardized, and IBM Cloud Tape Connector for z/OS has broad coverage.

The first release of IBM Cloud Tape Connector for z/OS debuted over 7 years ago (as I write this). And Transparent Cloud Tiering in some form extends as far back as the IBM DS8870 storage systems. Anyhow, cloud storage options for z/OS have been available for several years.

>When my previous company were acquired by Rocket Software
>we used AWS S3 to migrate our storage to the new machines.
>Modern internet bandwidths are orders of magnitude faster than
>what they were a decade ago. The entire process was seamless.
>In the old days we would have to dump everything to tape and put
>it on plane!

Some of the cloud object storage providers can accept data on physical media and/or can send your data back to you on physical media. For a fee, of course.

Medium and large organizations frequently have dedicated private network links between their data centers and public commercial cloud data centers. There are several networking companies that provide these services, for example Megaport and Equinix. The list for IBM Cloud Direct Link service is available here:

https://cloud.ibm.com/docs/dl?topic=dl-locations#connect-locations

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Does z/VM have a product/tool which can send backup to the Cloud ?
Jon Perryman wrote:
>One very important detail I did not mention is the location of your data
>in the cloud. You may connect to a cloud location thinking that is where
>it will be stored. In order to be more efficient, some clouds may redirect
>your request to a closer location. Potentially the country of the requester.
>Why send the data halfway across the world when their cloud has a
>location closer to the point of origin.

Mike Schwab wrote:
> Most clouds store data in the nearest facility for reduced read write
>time. Some clouds replicate to other sites. Have been outages when a
>cloud site went down and the data was not available.

Itschak Mugzach wrote:
> If you use S3, you can specify which zone to use.

I agree with Itschak, but it’s even better than that. ALL the major public commercial cloud providers offer cloud object storage services with selectable geographies. (Why was there a presumption they don’t offer geographic choices?) For example, here’s the menu for IBM Cloud’s Object Storage:

https://cloud.ibm.com/objectstorage/create#pricing

You can choose Cross Region, Regional, or Single Site. Each of these choices then offers various geographic choices. Cross Region keeps copies of your data in multiple data centers across a continent-sized area. Regional keeps copies of your data in multiple data centers across a country or large metro area. Single Site is just what it sounds like: one copy of your data (typically with versioning) in one site. You can provision more than one of these choices if you wish.

Moreover, you’re not limited to one public commercial cloud, and you’re not limited to public commercial clouds. Cloud object storage APIs are reasonably well standardized, and you can have cloud object storage pools wherever you wish — across multiple public commercial clouds and/or private/on-premises cloud object storage pools, as you prefer. For example, including an ex-missile silo site if you want.

David Jousma:
>So the issue of using public cloud storage is a question you have
>to answer for yourself. “How quickly do I need to be able to
>restore?” If it's TB of data, streaming in at network speed, that
>could be days or weeks. Will you be out of business by then?

It’s a possible consideration (weighed against various other considerations), but backups of z/VM *itself* aren’t typically that big. That’s one reason why I mentioned that you could view the IBM TS7700-based approach (with TS7700-to-TS7700 cross-site replication — what’s known as a Grid configuration — combined with a cloud object storage tier) as “cloud object storage caching.” So if there were a “small pipe” issue when recovering then that issue is partially or fully mitigated thanks to the TS7700’s own virtual tape storage in front of the cloud tier.

Another possible approach is that you put your cloud object storage “on-premises” alongside the IBM Z machine, or even on the IBM Z machine. You can host a cloud object storage server on an IBM Z machine quite easily. Then your in-country TS7700’s cloud object storage tier is the remote cloud object storage server, alongside or on the out-of-country IBM Z machine. And then your recovery is via the remote TS7700 (alongside the DR machine) which is just pointing back to DR machine’s cloud object storage service, or the cloud object storage adjacent to the IBM Z machine. No “small pipe” problem with that!

Jon Perryman wrote:
>Google's cloud backup/recovery is very different from IBM z/OS

You headed off on a tangent here that I don’t think I encouraged. I’m not sure what you’re referring to.

>No IBM z system has cloud backup. You can't backup z/OS to
>any other cloud than that provided by TS7700.

Yes, you really can! There are software-only cloud object storage backup/restore solutions for z/OS. The two IBM products that are most directly relevant are:

IBM Cloud Tape Connector for z/OS
IBM Advanced Archive for DFSMShsm

These products are available individually or in the IBM Advanced Storage Management Suite for z/OS license package. There’s a helpful YouTube video about these products here:

https://www.youtube.com/watch?v=Inih7c4VeiQ

Some other vendors also have products in this segment.

As I mentioned, I’m not aware of any vendors that offer a pure software-based cloud object storage solution *for z/VM* backups/restores. IBM’s offering for z/VM (which also works with other operating systems) is the IBM TS7700 with its cloud object storage tier, in your choice of “baby” rack mount or factory frame form factors. But for z/OS (and Linux on IBM Z/LinuxONE) there are some pure software-based choices available too. Moreover, it’s possible to configure both z/OS and Linux on IBM Z/LinuxONE as cloud object storage *servers*.

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM
Re: Does z/VM have a product/tool which can send backup to the Cloud ?
Jon Perryman wrote:
> Since there are lots of reasons, can you name 3 beyond those
>I mentioned? "Save money? Offsite backup? It's new technology?
>Don't need to worry because it's the cloud? They want to say they
>are cloud enabled?"

How about everything else works this way (including z/OS), they don’t want z/VM to be different/exceptional (not in this respect), and they have greater confidence/assurance that their backups will be better secured/encrypted and better protected from local disasters this way?

Why does Iron Mountain exist and thrive? It’s the same basic set of reasons.

> I suspect Ayre is saying cloud but I doubt Ayre has a specific cloud solution
>in mind nor implied "cloud object storage".

Cloud object storage is what the public commercial clouds (also) all provide for backup data storage/retrieval. Cloud object storage is the service, and then that service can be provided by public commercial clouds (e.g. Amazon S3), privately hosted cloud object stores, or some combination.

>Implementing a new feature request takes time (Potentially years).

Potentially, but that’s not a reason to skip filing a feature enhancement request. It’s a great reason to file a request now rather than later.

>The obvious problem is maintaining a TS7700 in another country and
>moving it if that country becomes a problem.

No more or less obvious than the already extant requirement to maintain a suitably configured IBM Z server with sufficient storage in an alternate site to restore the data, recover, and resume service. This emergency infrastructure (server, storage, network, etc.) could be customer owned, leased, or contracted/shared/multi-tenant. The IBM TS7700 is available and supported worldwide (with the obvious very few exceptions), and it’s the most popular virtual tape solution for these servers.

Note that it is possible for TS7700 equipment to replicate with each other AND to provide cloud tiering, to do both. The former would speed restoration and recovery since some or all of the backup would be locally available on the emergency infrastructure — but still able to pull from cloud object storage if need be. You can think of this approach as adding a cross-site replicating cloud object storage cache, and it’s quite lovely really.

But all we can do is list the various viable options then let the client decide whether any of these few options are worthy of selection or if inertia will rule. I understand the client doesn’t like any of the options available, but they seem to be the available options. So it’s probably time to choose their “least worst” but still viable option and get on with it.

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Does IBM file manager let you access panvalet
Attila Fogarasi wrote:
> Your other option is to convert Panvalet to Endevor...

That’s not the (only) other option. Another option is to switch from Panvalet to Git with IBM Dependency Based Build (DBB).

—————
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Does IBM file manager let you access panvalet
Yes. See Chapter 9 (p. 113) here:

https://www.ibm.com/docs/en/file-manager-for-zos/15.1?topic=customization-guide

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Does z/VM have a product/tool which can send backup to the Cloud ?
Jon Perryman wrote:
> Why would anyone want to do z/VM backups to a cloud?

There are lots of great reasons to do that! Also, I understood the request to mean “cloud object storage” as the target. Cloud object storage can technically reside anywhere. Public commercial clouds’ object storage pools only represent a fraction of total cloud object storage.

Back to Arye Shemer

Arye, if even a “baby” IBM TS7700 is not an acceptable option for whatever reason(s) then my suggestion is to open a request for a product enhancement. I think that’s probably best aimed at IBM Backup and Restore Manager for z/VM since that seems like the most likely vehicle for this sort of functionality. To open such a request please visit:

https://ideas.ibm.com

I see that IBM Backup and Restore Manager for z/VM is listed in the Product field. Just type in “Backup and Restore” and it should pop up as an option. Maybe that product could have another input/output handler (CLOUDOBJ?), although it’d be up to the product team to consider (of course).

—————
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Does z/VM have a product/tool which can send backup to the Cloud ?
I’m not aware of any pure software-based option from IBM or any other vendor that fits your/their description. However, IBM fairly recently introduced a “baby” TS7700 model that’s customer rack mounted. If they’re concerned about consuming another whole frame footprint it’s not that big. And the hardware-based approach has its advantages, notably lower processing impact(s) on the z/VM environment(s).

If they’re willing to relax their z/OS “ban” then I think it can be done with a pure software-based approach, but I’d have to double check.

There are hypothetical “Roll Your Own” approaches involving Linux. I suppose for example you could configure the storage system to take point-in-time copies then use a Linux LPAR to back those PITCs up to cloud object storage, highly preferably encrypted before transmission. Not ideal IMHO, and I don’t see how you’d get incremental backups that way.

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Does z/VM have a product/tool which can send backup to the Cloud ?
Arye Shemer asked:
> Does z/VM have a product/tool of any vendor which can send backups to the
>Cloud (*no z/OS involvement*)?

The IBM TS7700 can handle that via its Cloud Storage Tier feature. Details here:

https://www.redbooks.ibm.com/abstracts/redp5573.html

For example, you can run your backups using Backup and Restore Manager for z/VM out to the TS7700, and then the TS7700’s Cloud Storage Tier takes it from there. Tape Manager for z/VM is helpful.

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: SNA Link Replacement in Z/OS 2.5
Charles Hights wrote:
>I am trying to find a replacement for SNA Link in Z/OS 2.5. My problem, I have
>4 LPAR's on one physical CPU. Normally to IP between the LPAR's we would just
>FTP to that LPAR's IP address and we had no issue. Now all of sudden the traffic
>is timing out. My routes are very simple, just a default route that sends
>everything to the switches that the OSA's connect to. I have spoken to the Switch
>support team and they say since the mainframes are on the same IP Segment it
>is not being passed to the FW. Unfortunately the switch team doesn't have any
>tools that will show what is happening to the traffic once the switch gets it. So
>I wanted to bypass the switches and setup an SNA Link type replacement. I see
>that feature is not defined in Z/OS 2.5. On another client we use Hiper Sockets
>to bypass the switches for internal IP between the LPAR's. On this particular CPU,
>Hiper Sockets devices are not configured in the IO Gen. So is there something in
>Z/OS 2.5, besides Hiper Sockets, that support a device and link type statements
>to all traffic between LPAR's on the same CPU?

Obviously you should try to solve the extant networking problem. If your network switches are misconfigured that’d be bad.

In the meantime/in addition, you have options (examples):

1. Yes, you can configure HiperSockets. You can also pair HiperSockets with SMC-D connections — and you should if your machine model supports SMC-D. SMC-D was introduced in z/OS 2.2 (with PTFs) and on the IBM z13 family of servers (with a firmware update).

2. If your z/OS LPARs are configured to share one or more OSA-Express ports, and if they are otherwise suitably configured, then traffic can hop from stack to stack via OSA-Express but without flowing through the network switch. See here for the entry point into the z/OS 2.5 documentation on that subject:

https://www.ibm.com/docs/en/zos/2.5.0?topic=attachment-osa-express-port-sharing

In short, make minor adjustments to your routing if you’re sharing OSA ports. Then that should take the switches out of the loop.

3. I think it’s still possible to configure TCP/IP connections over CTC (IPv4 only) or XCF. If you happen to have CTC or XCF connectivity between z/OS LPARs then that’s an option, albeit a little “off the beaten path” these days.

4. If you have at least one OSA-Express 1000BASE-T adapter with port (X) available to z/OS LPAR (X) and port (Y) available to z/OS LPAR (Y) then I suppose you could connect a cable directly between ports, bypassing any network switches. IBM doesn’t necessarily recommend this, and you might need a crossover cable (depending on how the OSA-Express adapters are configured). Can you also do this for fibre cables? I don’t know; I’ve never tried it.

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Free SMPE product to just practice
I’ve seen some good suggestions. Also, there are several no additional license charge products available from IBM for z/OS that you can order. Here are some examples:

5655-UA1 IBM Semeru Runtime Certified Edition for z/OS
5655-PYT IBM Open Enterprise Python for z/OS
5698-PA1 IBM Z Open Automation Utilities

Double check whether there are any charges, of course, but my understanding is no. Optional Subscription & Support may be chargeable.

—————
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Availability of "Orphanware"?
Wayne Bickerdike wrote:
>I worked for ICI from 1969 to 1978. Do you know which division wrote
>WRS?

I found this article:

https://wiki.edunitas.com/IT/en/114-10/Works-Records-System_4809_Copy_eduNitas.html

That source claims that Works Records System was designed by Dr. Robert Mais, an employee of ICI's Mond Division, with an implementation team that included Ken Dakin.

The article mentions that WRS used macro level CICS. If that's still true for the latest/last build of WPS then presumably it'd require MacKinney's CICS Macro Level Interpreter to run. There's a scanning utility called DFHMSCAN, available through CICS TS 5.5 (removed in 5.6 and higher), that can determine whether load modules use CICS macros.

...Kenneth Dakin has a LinkedIn profile! And his LinkedIn biography highlights his experience writing WRS.

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Availability of "Orphanware"?
I'm wondering what the status is of the following software:

1. The Works Record System (WRS), developed by ICI in the United Kingdom. First version in 1974. One report suggests it was still used as late as 2001.

2. ExecuCalc, developed by Parallax Systems and first released in 1982. ExecuCalc was similar to VisiCalc – and file format compatible according to the advertising. Available first for VM/CMS, then for MVS/TSO in 1983. Apparently supported color GDDM graphics by about mid-1983.

3. WordPerfect/370. This version used the WordPerfect Version 4.2 base plus some enhancements such as additional printer drivers. Available for both VM/CMS and MVS.

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
NIST Releases Draft Standards for Post-Quantum Cryptography
Details here:

https://www.nist.gov/news-events/news/2023/08/nist-standardize-encryption-algorithms-can-resist-attack-quantum-computers

Comments are due by November 22, 2023.

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
z/OS 3.1 Webcasts at Asia-Pacific Friendly Times
I'm hosting a couple z/OS 3.1 Webcasts on August 25 (tomorrow) and September 1. Both are at 11:00 AM Singapore/Hong Kong Time. Whether you're in any of the Asia-Pacific region countries or not you're welcome to join if the time works for you. If you're not getting these Webcast notices already then please sign up here:

https://ibm.biz/apac-webinar-subscription

Tomorrow's Webcast focuses on the new features in z/OS 3.1 Communications Server, especially (but not only) the security-related features. The September 1st Webcast will provide a general technical overview of what z/OS 3.1 brings.

The Webcast recordings are generally posted to the IBM Z and LinuxONE Community Web site, but if you join the live Webcast you have the opportunity to question the presenters.

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Generating Kerberos Keytab Files on z/OS
Here's a short, "point in time" technical article I wrote explaining how to generate Kerberos keytab files with custom salts on z/OS:
https://community.ibm.com/community/user/ibmz-and-linuxone/blogs/timothy-sipples1/2023/08/24/generating-kerberos-keytab-files-on-zos?CommunityKey=7c1d7dc7-29aa-40f6-829c-934e4b522bf8
————— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: ransomware on z
Tom Brennan wrote:
>Thanks Timothy. I've been saying this for years but this might be
>the first time I've heard a top IBMer say it.
Did I just get a promotion? :-)
Jon Perryman wrote:
>I hear that AI is getting good results using the microphone to get
>keystrokes.
Yes, it seems possible that if you capture a big enough keyboard sound sample you can figure out what the password/passphrase/PIN keystrokes are with enough precision. Combine the keyboard sounds with visual observations (visible light and infrared) to boost the accuracy. Higher security systems sometimes use virtual keyboards with letters/numbers that are randomly rearranged each time. Although there's no substitute for a genuinely separate second factor.
Or you can just insert a physical keylogger in the keyboard itself. I recall reading somewhere that the KGB installed keyloggers in foreign embassies' electric typewriters. Maybe even the manual typewriters, too. They got to read everything the embassies typed, including all the drafts and mistakes.
I recently saw a video showing how an attacker had glued his/her own PIN pad on top of a gas station pump's real PIN pad. It was tough to tell the pump had been "enhanced." Apparently the idea was to capture debit card PINs at the pump and/or Zip codes (as typical with credit card payments at gas pumps) so that the attacker could steal money from bank and credit card accounts. Possibly combined with video surveillance at the pump to capture the card details since chip and NFC card reads are at least tough to capture. Or perhaps the attacker just disabled the chip reader so that the cardholder would be "encouraged" to swipe instead. (Up to you, but I wouldn't swipe any cards nowadays.)
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: ransomware on z
Tony Thigpen wrote:
> And, that I can agree with. Especially when the admin stores passwords
>in their browser.
Yes, but not required. If an attacker inserts a keylogger or gets an adequate view of the keyboard it's probably "game over."
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: ransomware on z
Responding primarily to Tony, I'll just say that when an adversary (internal or external) gains control over the PC that the privileged storage administrator uses, particularly when there's no true multi-factor authentication in the loop, then it's probably "game over."
————— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Channelized I/O WAS: Mainframe Makers.... WAS: Ars Technica: The IBM mainframe: How it runs and why it survives
David Crayford wrote:
>Maybe wait until there is actually some tangible AI libraries such as
>TensorFlow, PyTorch and SnapML before blowing trumpets.
Huh? You *can* run these libraries on z/OS, on zIIPs even. They run on the z/OS Container Extensions (zCX) or on OpenShift for z/OS, as you prefer. IBM documents this deployment pattern here (TensorFlow and SnapML examples):
https://ibm.github.io/ai-on-z-101/tensorflow/
https://ibm.github.io/ai-on-z-101/snapml/
Are you asking specifically for z/OS UNIX System Services-based implementations? If so, have you asked IBM in an official way?
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Channelized I/O WAS: Mainframe Makers.... WAS: Ars Technica: The IBM mainframe: How it runs and why it survives
David Crayford wrote:
>Other platforms have integrated AI engines, AMD ZenDNN,
>Intel oneDNN etc. Both ship with open source libraries and
>toolkits sadly lacking for z/OS.
Did you miss zDNN?
https://github.com/IBM/zDNN
https://www.ibm.com/docs/en/zos/2.5.0?topic=consider-z-deep-neural-network-library-zdnn
>I noticed that IBM have shipped patched Python packages for
>TensorFlow and SnapML that exploit Telum for Linux on Z.
>I suppose like everything, we’ll have to wait a while for z/OS.
Missed this one too?
https://community.ibm.com/community/user/ibmz-and-linuxone/blogs/evan-rivera/2023/02/24/python-ai-toolkit-for-ibm-zos
Quoting from the IBM Redpaper:
"The Python AI Toolkit for IBM z/OS also benefits from the IBM zSystems hardware investments that are lower in the stack. Acceleration from the IBM Integrated Accelerator for AI provides benefits when running AI workloads that are built on top of the Python AI Toolkit for IBM z/OS. With this workload execution acceleration, enterprises can meet successfully some of the most stringent service-level agreements (SLAs) when integrating AI into business-critical workloads."
https://www.redbooks.ibm.com/abstracts/redp5709.html
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Additional IBM Physical Tape Option: TS7700+TS4300
Given past discussions I should've mentioned this information a while ago, when it was announced in September, 2022. Better now than never! :-)
IBM offers an additional physical tape storage option for z/OS (and other operating systems). It's available with this combination of equipment:
1. IBM TS7700 with Feature Code 5995 ("zTape Air-Gap"), available with Release 5.3 or higher, plus a couple other ordering/configuration details. The 3948-CSB and 3948-CFC models support this configuration.
2. IBM TS4300 with your choice of 1, 2, or 3 LTO tape drives. (Currently LTO8.)
This equipment is rack mountable and requires a total of 21U of rack space, or exactly 50% of a standard size rack. You would still have plenty of rack space available in the same frame for an IBM DS8910F (16U) flash storage system. Or even a rack mount IBM z16 or LinuxONE Rockhopper 4 server (in its 18U configuration).
The IBM TS7700 with IBM TS4500 Tape Attach configuration is still available (of course!) if you'd like a much larger, much more capacious physical tape configuration.
————— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Preferred FTP Client for Windows
There are lots of good suggestions. Here's another: If you happen to have IBM Personal Communications ("PComm") or Host On-Demand ("HOD") then you already have a FTP/FTPS* client. There's a good client built into those products. It should understand passive mode and MVS data set vernacular.
* Please use (properly configured) FTPS — FTP with TLS — if you use FTP.
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
U.S. Federal Reserve Launches FedNow
Congratulations to the U.S. Federal Reserve Bank on its launch of FedNow, the real-time fund transfer system. FedNow has launched with the participation of several banks of all sizes including (as large bank examples:) JP Morgan Chase, BNY Mellon, and Wells Fargo.
To connect to FedNow participating banks and other financial intermediaries use freely available IBM MQ clients. (IBM MQ also supports API access, and that's a future enhancement planned for FedNow.) Several popular payment-related applications already support FedNow. The message format is a bespoke ISO20022 XML format. FedNow has a design goal of continuous service.
FedNow is for "small" transactions. The systemwide per transaction limit is currently $500,000, although participants can choose a lower limit if they wish.
————— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
zEDC compression questions (Was: zDEC...)
Kenneth Kripke wrote:
>1. How to recover if there is a failure in deflation of a compressed
>dataset. We have a mixture of z/14 and z/15 processors.
What failure(s) do you have in mind? Of zEDC Express adapters (cards) on your IBM z14 machines? There should be software fallback on machine models that lack zEDC hardware capabilities — assuming you've got the prerequisite PTFs in place. IBM z15 machines (and higher) are guaranteed to have zEDC functionality in hardware since it's integrated on the main processor chips.
You could test the software fallback on your IBM z14 machines both for function and performance if you're concerned about card failures. But more realistically you could simulate the effects of a single card failure (configure it offline) and test that failure scenario. Hardware failures that exceed a single card failure probably qualify as DR scenarios, equivalent to a whole site loss. At some point the double (and triple, and quadruple...) failure scenarios must qualify as whole site losses.
>2. For the z/15 processor, the footnote for the SMF 30 record indicates
>that compression statistics are no longer recorded. How do you measure
>compression? Is this also true for the SMF 14 and 15 records?
No, that's not quite true. On z15 machines and higher certain parts of SMF Type 30 records are moot due to the nature of the vastly improved hardware, that's all. You still get the zEDC usage statistics that are relevant to the newer machines: number of compression and decompression requests, and the byte counts (compressed/decompressed in/out). See here for reference:
https://www.ibm.com/docs/en/zos/2.5.0?topic=mapping-zedc-usage-statistics-section
>3. Regarding deflation, is there a noticeable performance/delay ?
"Probably not," especially on IBM z15 and higher, but that'll be configuration dependent and something you'll want to test to a reasonable degree. Sometimes/often your performance *improves* when you use zEDC. In particular, batch elapsed times can decrease. There are fewer bytes to fetch from disk/flash storage (and storage cache) when those bytes are compressed, so if you've got something(s) I/O intensive and compressible you tend to do quite well.
I recall one of the customers I work with shaved about 25 minutes off their typical batch cycle. 25 minutes might not seem like a lot, but in fact it's a big deal. It's up to them what they do with those extra 25 minutes, but usually it means they can absorb more business growth than expected. They can handle more batch and online transaction processing within the same computing resources they have today. And/or they have more margin for errors in their batch cycles.
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: z/OSMF
Brian Westerman replied:
>I think you are missing the point, why sell something and
>then before you sunset that box, make it so that you can't
>upgrade the software? That's completely against IBM's
>original method of operation.
I'm not sure what you mean here by "sunset that box." IBM withdrew all z13s feature codes from marketing years ago. However, IBM continues to provide support, maintenance, and repair services for IBM z13s servers, and IBM continues to support the vast bulk of its z/OS software product portfolio on IBM z13s servers. (Although sometimes there are functions within otherwise supported products that require a higher model machine.) There's currently no announced End of Service date for IBM z13s machines AFAIK.
IBM offered z/OS 2.5 with the classic installation option to all z/OS licensees, including licensees with small capacity IBM z13s machines, at no additional charge. IBM urged all such customers to place any such orders before the end of January, 2022. Lots of customers did exactly that (including many reading this forum), and they either have z/OS 2.5 installed now or they have it sitting on the shelf, ready to install. z/OS 2.5 is the last release of z/OS that can run on IBM z13 generation machines.
z/OS 2.5 is currently orderable and installable with the z/OSMF-based installation on all machines compatible with z/OS 2.5. The z/OSMF-based installation steps may run longer on certain capacity models, but it's still installable. CBPDO-based installation is also still available.
Over the past several decades of history IBM has eventually dropped software support for older models. z/OS 2.5 doesn't run on IBM 4341 machines, for example. Sometimes a model drop occurs at a version or release boundary, occasionally not. In the newer "continuous delivery" style of software delivery the machine model drops between version/release boundaries are getting somewhat more common, industry-wide.
But in this case IBM hasn't even dropped support for z/OS on IBM z13s machines, not yet. (z/OS 3.1 will.) All IBM did was drop one installation method in z/OS 2.5 and only for orders placed after January, 2022. IBM gave advance notice it would. IBM offered delivery of z/OS 2.5 with that installation option to any licensee that cared to order it by January, 2022, and at no additional charge.
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: z/OSMF
Brian Westerman wrote:
>It would have been smarter for IBM to keep z/OSMF based installation
>optional until the z13s was no longer a supported processor.
IBM released the current (as I write this) latest release of z/OS (z/OS 2.5) in September, 2021, with the older ISPF CustomPac Dialog format as one of the installation options. IBM announced that this older installation option would no longer be available after January, 2022. IBM urged all customers who'd like this older installation option to place an order no later than January, 2022. That announcement was shared in this forum among many other places.
To my knowledge IBM does not charge anything additional for electronic z/OS orders. So there shouldn't have been any financial barrier to ordering z/OS 2.5, at least none that IBM can control.
z/OS 3.1, the next release, will require a z14 generation machine or higher.
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: z/OSMF
Andrew Rowley wrote:
>I've said it before but I'll say it again - to avoid embarrassment
>alongside 5 year old laptops or perhaps even a Raspberry Pi, IBM needs
>to figure out how to bring the smallest z/OS systems up to a modern
>configuration - I would suggest minimum 4 processors and 200 MSU.
IBM doesn't require anyone to order/configure less than 200 MSUs (PCIs) of general purpose processor capacity. If you want to order a configuration like that go for it!
Bearing in mind that VSEn is important and also exists, and IBM really ought to be building machines that also cater to VSEn customers, here's the current minimum orderable machine configuration (latest model) for z/OS and VSEn:
* IBM z16 A02 (or AGZ for rack mount)
* Capacity Model A01
* Base CP capacity: 105 PCIs (13 MSUs)
* z/OS System Recovery Boosted capacity (standard/no additional charge): 1,982 PCIs
* 64GB of usable memory (plus HSA)
Add just 1 zIIP and you get ~1,900 PCIs of full-time zIIP capacity with 2 processor threads (SMT2). You can add as many zIIPs as you wish up to the physical capacity of the machine.
Capacity Model A01 continues to be zELC eligible on the full capacity. Even though it has 105 PCIs (plus System Recovery Boost, plus more and far better on chip accelerators, plus optional zIIPs) it still qualifies for the same software licensing tier that the ~26 PCIs IBM z890 Model 110 did 19 years ago.
I don't see any problem here. If 105 PCIs/13 MSUs (plus a zIIP I suggest) is all you need for your z/OS computing, well OK then! That model is available, and (in most countries) you can get a nifty rack mounted form factor if you'd like. If you need more, OK, that's available too.
Here's the recent history of minimum orderable/configurable CP capacity (all Capacity Models A01):
IBM z16 A02/AGZ: 105 PCIs*
IBM z15 T02: 98 PCIs**
IBM z14 ZR1: 88 PCIs
IBM z13s: 80 PCIs
IBM zBC12: 50 PCIs
IBM z114: 26 PCIs
* System Recovery Boost capacity: 1,982 PCIs
** System Recovery Boost capacity: 1,761 PCIs
The z114 was announced in 2011 and the z16 A02/AGZ in 2023. Over that period IBM increased the minimum orderable CP capacity by ~12.4% per year (compounded), plus SRB.
————— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: z/OSMF
Brian Westerman wrote:
>The little single CPU processors don't have the boost feature.
AFAIK all currently marketed IBM zSystems servers configured with any subcapacity CPs (general purpose processors) — including the very smallest A01/401 capacity models — feature System Recovery Boost standard, at no additional charge. See here for details:
https://ibm.biz/z15SRBWhitePaper
That said it's typically a "really good idea" to configure machines running z/OS with at least one zIIP — and not just for z/OSMF but for myriad other reasons.
————— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: SMTP and OAuth
Echoing prior responses, Jakarta Mail (formerly JavaMail) supports OAuth2. Here are some ways to get Jakarta Mail on z/OS:
J1. If you have at least a relatively recent release of CICS Transaction Server for z/OS then you should have CICS Liberty with Jakarta Mail. You may also be interested in the CICS Event Consumer sample code: https://github.com/cicsdev/cics-event-consumer
J2. If you have WebSphere Application Server for z/OS (which includes a WebSphere Liberty license for z/OS) then you should have Jakarta Mail.
J3. Open Liberty includes Jakarta Mail and is available here: https://openliberty.io
If you'd like a Liberty distribution *with IBM support* on z/OS then please choose one of the first two options.
Python is another vehicle that provides support for sending e-mails from z/OS with OAuth2 support. Colin Paice describes how in this article:
https://colinpaice.blog/2023/02/21/sending-an-email-from-z-os/
For more information on the IBM Open Enterprise SDK for Python please visit:
https://www.ibm.com/products/open-enterprise-python-zos
There are probably some other options, but this list is a good starter set I think.
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
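The Python route mentioned in the message above, sketched as an added example (not code from the original post or from the linked article): it authenticates to an SMTP server with an OAuth2 bearer token and fails closed if the token is rejected. It assumes the server offers the SASL XOAUTH2 mechanism after STARTTLS (the post only says "OAuth2") and that the access token was obtained separately; the function names, the smtp_factory parameter and the example.com addresses are hypothetical.

```python
"""Send mail over SMTP with an OAuth2 bearer token (SASL XOAUTH2)."""
import base64
import json
import smtplib
import ssl
from email.message import EmailMessage


def xoauth2_initial_response(user, access_token):
    """Return the raw (pre-base64) SASL XOAUTH2 client response."""
    # 0x01 is the field separator, so it must never appear inside a field.
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("0x01 is not allowed in the user name or token")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def decode_error_challenge(b64_challenge):
    """Decode the base64 JSON error a server sends in a 334 reply."""
    try:
        detail = json.loads(base64.b64decode(b64_challenge, validate=True))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return {"status": "unknown"}
    return detail if isinstance(detail, dict) else {"status": "unknown"}


def send_with_oauth2(host, port, user, access_token, msg,
                     smtp_factory=smtplib.SMTP):
    """Authenticate with XOAUTH2 over STARTTLS, then send msg.

    Returns the dict of refused recipients from send_message().
    smtp_factory is an assumption of this sketch so that the flow
    can be exercised without a network connection.
    """
    tls = ssl.create_default_context()  # verifies certificate and host name
    with smtp_factory(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=tls)
        smtp.ehlo()  # capabilities must be re-read after STARTTLS
        offered = smtp.esmtp_features.get("auth", "").upper().split()
        if "XOAUTH2" not in offered:
            raise RuntimeError("server does not advertise AUTH XOAUTH2")
        raw = xoauth2_initial_response(user, access_token)
        encoded = base64.b64encode(raw.encode("utf-8")).decode("ascii")
        code, reply = smtp.docmd("AUTH", "XOAUTH2 " + encoded)
        if code == 334:
            # A 334 here means the token was rejected: the server has sent
            # an error document and waits for an empty line before failing.
            detail = decode_error_challenge(reply)
            smtp.docmd("")
            # Report the server's reason only; never log the token itself.
            raise smtplib.SMTPAuthenticationError(
                code, json.dumps(detail).encode("ascii"))
        if code != 235:
            raise smtplib.SMTPAuthenticationError(code, reply)
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    note = EmailMessage()
    note["From"] = "batch@example.com"
    note["To"] = "ops@example.com"
    note["Subject"] = "Job ended"
    note.set_content("Constructed sample body.")
    print(repr(xoauth2_initial_response("batch@example.com", "TOKEN-PLACEHOLDER")))
    print(decode_error_challenge(base64.b64encode(b'{"status":"401"}')))
```

Checking the advertised AUTH mechanisms only after the second EHLO matters: the list a server offers before STARTTLS is sent in the clear and can differ from what it offers inside the TLS session.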
Re: The new requirement for Certificates to communicate with IBM -- A Journey
As a follow up, curl is available from Rocket Software. There's also a build of curl available here:
https://github.com/ZOSOpenTools
And there's a port of wget if you prefer that, but it's more of a work in progress at this instant. More information here, and contributors welcome:
https://zosopentools.link/docs
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: The new requirement for Certificates to communicate with IBM -- A Journey
Tom Longfellow wrote:
> I tried to find an ftp path to a digicert location because I have pretty free
>access for internet connections that the mainframe initiates.
You should have the z/OS Client Web Enablement Toolkit with its HTTP/HTTPS protocol enabler and REXX samples. Conceivably you could write (modify) a REXX script to fetch the root certificate file(s) over HTTPS using this HTTP/HTTPS protocol enabler that's provided with the base z/OS operating system. The REXX sample is HWTHXRX1.
https://www.ibm.com/docs/en/zos/2.5.0?topic=toolkit-zos-httphttps-protocol-enabler
https://www.ibm.com/docs/en/zos/2.5.0?topic=enabler-syntax-linkage-programming-considerations
When you get "bootstrapped" you'll probably want to install curl for z/OS (or something functionally similar) to make this process easier.
I can't advise you on how to comply with your organization's security requirements but (hopefully obviously!) encourage you to do so.
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Why can't a LinuxONE run z/OS
Lennie Dymoke-Bradshaw asks:
>Can someone please explain what IBM have done on the
>LinuxOne machines to stop them running z/OS?
Your predicate is incorrect. IBM LinuxONE servers CAN run z/OS. Please read on.
David Crayford wrote:
>From what I gather, LinuxOne machines have the capability to
>run z/OS within OCP containers, and there are cloud provisioning
>tools available to choose systems software from the ADCD. I had
>the opportunity to witness a demonstration of this at a zForum
>conference, where IBMer Ed McCarthy showcased its impressive
>functionality. I was quite impressed with what I saw. The provisioning
>options ranged from x86 emulation to on-premises Linux on Z,
>with various tiers in between. Tim Sipples will know the details.
To my knowledge there are currently two generally available, fully IBM supported and authorized ways to run z/OS on LinuxONE servers:
1. Via the IBM Virtual Dev and Test for z/OS product. ZVDT supports running real z/OS for development, unit test, demonstration, and training purposes on IBM LinuxONE servers (and on IFLs in IBM zSystems servers). Please note that ZVDT does not currently support z/OS Parallel Sysplex configurations or the z/OS Container Extensions. But it does run real, bit-for-bit identical z/OS. And the performance is broadly excellent. ECKD/FICON-attached storage is supported but not required.
https://www.ibm.com/products/virtual-dev-and-test-zos
It's common to deploy ZVDT (and the z/OS instances it hosts) in its own, dedicated LPAR. But it doesn't necessarily have to be. My colleague Ed McCarthy might've demonstrated some other deployment options.
2. Via the IBM GDPS Virtual Appliance. You can optionally configure an IBM LinuxONE server with a single general purpose processor (CP) at a specific capacity setting. This single CP can only be used to run the IBM GDPS Virtual Appliance software. The GDPS VA software is shipped and serviced as a single, integral image, but it happens to be z/OS-based. (You're not licensed to use that "interior" z/OS for general purposes.) The IBM GDPS Virtual Appliance is broadly functionally equivalent to the IBM GDPS Metro Mirror (with HyperSwap) offering. ECKD/FICON-attached storage is required for the IBM GDPS Virtual Appliance itself. ECKD/FICON-attached storage is supported but not required for other workloads.
Peter Bishop wrote:
>And LinuxONEs only have IFLs.
You have the option to configure LinuxONE servers with a single subcapacity CP. (See above.) You can also configure them with additional SAPs if you wish.
>The rest of the box is the same, apart from the doors
The two server families are related, but there are more differences besides the engine choices and doors. As a notable example the LinuxONE servers can be configured with NVMe Carrier features and even boot/IPL from them. NVMe Carrier features are not available on IBM zSystems servers. zHyperLink Express adapters are available in IBM zSystems servers but not in IBM LinuxONE servers. In past model generations (including z15/LinuxONE III which is still generally available) the storage-related adapters are often different, but there's some re-convergence in that area with the z16/LinuxONE 4 servers. IBM zSystems servers support model conversion upgrades (for example from z15 to z16) and carry forward of I/O features. LinuxONE servers do not support either model conversion upgrades or carry forward of any I/O features. You can look through the Feature Codes available for the IBM z16 (3931-A01) and IBM LinuxONE Emperor 4 (3931-LA1) and see many identical feature codes but also many differences.
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Updated UNIX certification WAS: z/OS 3.1: Now UNIX® Certified
David Frenzel asks:
>Timothy, are you stating that z/OS 3.1 now has the same certification
>that 2.1 has or is this certification for 3.1 implying any changes as to
>how USS works and whether anything has been improved from 2.x?
There have been many improvements in z/OS UNIX since z/OS 2.1. The z/OS 3.1 Preview Announcement lists more z/OS UNIX-related enhancements:
https://www.ibm.com/downloads/cas/US-ENUS223-013-CA/name/US-ENUS223-013-CA.PDF
I don't know whether or how The Open Group has updated their UNIX 95 certification criteria, but whatever their current criteria are z/OS 3.1 has already passed them.
Paul Gilmartin wrote:
>Timothy has been conspicuously quiet on this topic since his initial
>announcement of UNIX® Certification.
I didn't have anything important enough to add, but I appreciate the implication that you missed me. :-)
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
z/OS Authorized Code Scanner Webcast
I'm hosting another Webcast this Friday (June 9) at 11:00 AM Singapore time (03:00 UTC). This time it's about the z/OS Authorized Code Scanner (zACS). zACS is an important tool to help keep Program Call and Supervisor Call routines secure. You really don't want unauthorized code to fetch or update storage (memory) that it has no business accessing. zACS helps identify these potential exposures so you can fix them.
If you'd like to learn more about zACS then this Webcast is for you. And it's at a time that generally works for participants in Asia-Pacific time zones. To register please visit:
https://ibm.biz/apac-webinar-subscription
On June 30th (same time) I'm presenting a "Mainframe Security Freebies" Webcast. I'm still working on this talk and presentation, so I'm still open to ideas and contributions if you have any favorite "freebies." This time I'm focusing on free security-related stuff for your mainframe whether it's for z/OS, Linux, or any other mainframe operating system.
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: z/OS Comm Server - LACP?
Michael Babcock asked:
> Does z/OS Communication Server support LACP?
No, I don't think so.
Anticipating the next question, you can often configure network switches to handle LACP on z/OS's behalf. This IBM technical article illustrates one such scenario:
https://www.ibm.com/support/pages/increasing-available-network-bandwidth-leveraging-link-aggregation-and-multipath-routing
This article specifically concerns the IBM Db2 Analytics Accelerator when it's running on a separate physical machine. However, the same basic approach should work for other applications.
When z/OS runs as a z/VM guest it should benefit from z/VM's support for link aggregation, so that's another possible option.
————— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
z/OS 3.1: Now UNIX® Certified
z/OS 3.1 has already earned its UNIX® certification...
https://www.opengroup.org/openbrand/register/brand3693.htm
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Are Banks Breaking Up With Mainframes? | Forbes
Yes, there are brand new customers buying their first mainframes. IBM periodically discloses this basic fact. Sometimes I'm personally involved, sometimes when it's a "first in country" situation. (First in country?!? Yes, really.) And sometimes I have personal knowledge of other new mainframe customers. I'm reasonably sure I'm not hallucinating. :-) It's a big world with many exciting developments.
Most new customers start with Linux but not all. Some add z/OS later. Some start by renting various virtualized pieces of IBM mainframes on IBM Cloud — there are many such choices now — then some later add "on premises" machines. Some are banks, some are not. While there are some common patterns, each new mainframe customer has their own unique needs.
Thank you all for your support.
— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
IBM z16 Wins Red Dot and iF Design Awards
The IBM z16 is winning design awards (plural)...

https://medium.com/design-ibm/ibm-zsystems-wins-red-dot-if-design-awards-36ca139783f5

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Card processing application
Worldline's Cardlink II is a(nother) card management services application. Cardlink II's customer base tends to be concentrated in Asia-Pacific.

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Do you need a coupling facility to implement DVIPA?
Here's a quote pulled from an older IBM redbook:

"Note: Dynamic VIPA and Sysplex Distributor capabilities do not rely on data stored in structures in the Coupling Facility. Therefore, they can be implemented using XCF communication without a Coupling Facility (also called Basic Sysplex connectivity)."

That's on Page 4 of this redbook:

https://www.redbooks.ibm.com/redbooks/pdfs/sg247800.pdf

But I also found this more modern reference in the IBM WebSphere Application Server for z/OS documentation:

https://www.ibm.com/docs/en/was-zos/9.0.5?topic=sysplex-distributor

Funny how we carried forward the z/OS 1.2 (and prior) caveat. That bit of text doesn't seem too important for Version 9.0.5 of WAS for z/OS, does it? :-)

————— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Webcast on Hyper Protect & LinuxONE Cloud
I'm hosting another technical Webcast at an Asia-Pacific friendly time: Friday, April 21, at 11:00 AM Singapore Time (03:00 UTC). The topic is IBM Hyper Protect Services and LinuxONE via IBM Cloud. It'll be 60 minutes total including Q&A.

To register please visit:

https://ibm.biz/apac-webinar-subscription

Or if you'd just like the calendar entry (.ics file) then that's available here:

https://ibm.biz/hyperprotect0421

— Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Tape compression and modern encryption facilities.
Radoslaw Skorupka wrote:
> NO MORE TAPES connected directly to the z/OS. The last physical drive
> TS1140 is out of support.

I don't think IBM ever offered any physical tape drives directly connected to z/OS, i.e. physical tape drives with FICON or ESCON ports on them. The IBM TS1140 certainly wasn't connected directly. The TS1140 (and its predecessors, for decades) required a tape controller of some kind for z/OS machine connection. For the TS1140 it was either a 3592-C07 or TS7600 as I recall.

Do you mean something like "non-virtualized physical tape" perhaps?

[What was the most recent IBM physical tape drive with parallel (bus/tag), ESCON, or FICON ports on it?]

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: IBM z16 Model A02 Announcement
Enzo D'Amato wrote:
> I think that it's very good that we now have something like the
> multiprise 3000 back again.

Radoslaw Skorupka wrote:
> IMHO "back again" is not correct

I assume Enzo's point is that IBM hasn't offered a physical model mainframe in less than a single frame form factor for many, many years. Until now. Prior to the IBM z16 AGZ (and LinuxONE Rockhopper 4 AGL) the physically smallest mainframe required a whole rack footprint, a rack that IBM supplied. Now it doesn't; the physical dimensions are much smaller.

There was some significant progress in recent years to pave the way for these rack mount models. One big change was between the IBM z13s/LinuxONE Rockhopper I and the IBM z14 ZR1/LinuxONE Rockhopper II. In that model cycle IBM reduced the frame size significantly, converging on the industry standard 19 inch rack size. And those models (and the IBM z15/LinuxONE III LT2) also have some optional internal mounting space for a few use cases. As a notable example, you can equip those models with internal ECKD storage (IBM DS8910F).

But I agree with Enzo that these new rack mount models available in most countries are attractive. They open up some interesting new deployment options.

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: z/OS 3.1 Preview Webcast (Asia-Pacific Friendly Time)
Colin Paice wrote:
> Will the charts be available to us?

Yes, after the Webcast.

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
z/OS 3.1 Preview Webcast (Asia-Pacific Friendly Time)
On Friday, April 14, 2023, at 11:00 AM Singapore Time (03:00 UTC) I'll be hosting Gary Puchkoff for the hour. Gary will explain the technical highlights of this year's z/OS 3.1 release. Please join us if you can make it. We'll reserve some time for your questions.

This time is probably best suited for countries in Australasia (India to New Zealand approximately), but you're welcome to join from elsewhere.

To sign up for the Webcast please visit:

https://ibm.biz/apac-webinar-subscription

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: IBM utility to print an arbitrary block/track on a volume
Peter Farley wrote:
> DITTO can certainly do it, but like all the other ways suggested
> you will require various special SAF permissions to actually perform
> the function. Not like the old days when anyone could display
> anything. <*Sigh*>

And if it's encrypted, as it should be (z/OS Data Set Encryption), then the track will be particularly unintelligible.

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
DevOps and Hybrid Cloud: A Q+A With Rosalind Radcliffe
TechChannel has an interesting article on enterprise DevOps with z/OS:

https://techchannel.com/Enterprise/03/2023/devops-hybrid-cloud-rosalind-radcliffe

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: CF links and non-IBM machines (historical)
Radoslaw Skorupka wrote:
> Q: was it possible to connect Amdahl or Hitachi machines with
> IBM CPC using sysplex links?
> Did they use the same hardware and protocol?

It seems so. Bitsavers.org preserved these Amdahl brochures:

http://www.bitsavers.org/pdf/amdahl/brochures/AmdahlMillenniumCoupling500E.pdf
http://www.bitsavers.org/pdf/amdahl/brochures/AmdahlMillenniumCoupling400.pdf

These brochures suggest that Amdahl (by that time a Fujitsu subsidiary) offered Coupling Facility (CF) machine configurations that supported both Amdahl and non-Amdahl machines ("other Parallel Sysplex capable processors") at least by 1998.

IBM announced Parallel Sysplex on April 6, 1994:

https://www.ibm.com/common/ssi/cgi-bin/ssialias?appname=skmwww=897%2FENUS194-080=AN=sysplex=ibmsearch_a=CA

The first Parallel Sysplex hardware, notably including the first Coupling Facility machine (the 9674 Model C01), was generally available starting later in the same quarter (in June, 1994). My understanding is that back then you had to use a dedicated CF machine, preferably a pair for availability reasons. Amdahl's brochures seem consistent with that sort of configuration. The ability to add CF functions within existing IBM mainframe footprints (non-dedicated CFs, a.k.a. ICFs) arrived not *too* long after June, 1994, but this is all historical for me.

As far as vendors besides Amdahl, certain IBM software licensing publications still refer to CF configurations involving non-IBM machines from multiple vendors. See here for example:

https://www.ibm.com/downloads/cas/MELGBJPZ

I wouldn't assume anyone is still running any of these ~25 year old non-IBM coupled system configurations. But if anyone still is then IBM conveniently still has software license pricing and terms in its catalogs.

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Ransomware in VSAM and DB2
Attila Fogarasi wrote:
> Also there are various solutions for immutable backups of z/OS data, which
> would protect you against ransomware.

Tommy Tsui wrote:
> Any recommendation

https://mediacenter.ibm.com/media/+IBM+Z+Cyber+Vault+Technical+Introduction/1_ug97n0p3
https://www.redbooks.ibm.com/redbooks/pdfs/sg248511.pdf

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
SNA and CHPID OSE Details (Was: Looking for Beta Clients)
Tom Brennan wrote:
> To do LU6.2 outside the machine don't you need an OSA card setup as
> OSA-E for SNA?

No, that's not a requirement. You already have at least two other options:

1. You can use Enterprise Extender (SNA protocols such as LU 6.2 over UDP). z/OS Communications Server's TCP/IP stacks do not require CHPID type OSE. CHPID type OSD is perfectly fine. Enterprise Extender is a standard, included, no additional charge feature in the base z/OS operating system. Enterprise Extender was first introduced in OS/390 V2R7 in early 1999 and retrofitted via PTF to OS/390 V2R6. Of course EE has been enhanced and refined since then. It's getting near a quarter century of EE availability. And since it's really not possible to secure pre-UDP "classic" SNA transports adequately it's prudent to favor EE for SNA traffic.

2. You can use FICON Channel-to-Channel (CTC) connections via FICON Express ports. For example, FICON CTC is probably how you'd connect CICS Transaction Server on VSEn to CICS Transaction Server on z/OS if VSEn and z/OS are running on separate physical machines. AFAIK VSEn and z/VSE do not support Enterprise Extender, but that's OK since FICON CTC is also available for LU 6.2 and other SNA protocols. You can use Fibre Channel Endpoint Security to encrypt those FICON CTC connections.

> Unless I read it wrong, IBM has a statement of direction
> that z16 will be the last to support OSA-E.

Yes. IBM expects that the IBM z16 will be the last model to include support for CHPID type OSE. But that doesn't mean LU 6.2 is going away. Not at all! It might mean the way LU 6.2 traffic is carried across your network changes a little (if it hasn't already changed), but "What else is new?" Physical networks keep evolving and improving (and sometimes simplifying) even while applications keep working. You don't have to change your applications that use LU 6.2 and other SNA protocols. They keep chugging along with better performance, throughput, and security.

Not coincidentally IBM also issued a Statement of Direction that the IBM z16 is likely to be the last model to support 1000BASE-T copper Ethernet ports directly on the machine. Those are the only OSA-Express adapters that still support CHPID type OSE. If you still need physical copper Ethernet ports, no problem: lean on your networking equipment (routers, switches) to provide those ports. Your networking gear won't provide CHPID type OSE, but EE doesn't need OSE.

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Running a Coupling Facility using a CP for a test Parallel Sysplex 0 anyh gotcha's?
The only other thing I can think of is that some operators (some outsourcers for example) might not have — or know how to perform — capacity measurement, planning, chargeback accounting (ugh!), or contractual arrangements when running the CFCC on general purpose processors (CPs). Those are not technical limitations. You/they can do all of that for CF workloads straightforwardly. But those "technobusiness" factors might explain some reticence if you're observing any.

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: zOS 3.1 - zosmf
Peter wrote:
> CBPDO option is a good alternative. As we are a shop which predominantly
> uses Software ag product

I don't understand how that follows. Would you elaborate?

As you've probably observed in the z/OS 3.1 preview announcement there are even more z/OS features and operations that depend on z/OSMF. I think it's getting past time to roll out that particular standard, included, no additional charge feature of z/OS.

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Running a Coupling Facility using a CP for a test Parallel Sysplex 0 anyh gotcha's?
I think you've covered most of the bases. A few points from me:

1. If you can afford to dedicate a whole engine to the production Coupling Facility — at least for the intervals when you're using the production CF "nontrivially" — then that'd be ideal. But if you cannot afford a whole engine (general purpose processor in this case) then see how your testing goes. The basic point is you really don't want production z/OS to stall, waiting for CF services.

2. Just in case there's any confusion VSAM RLS (and Transactional VSAM, i.e. z/OS DFSMStvs) do(es) not require two or more z/OS instances. A single z/OS instance with a single CF is the minimum configuration for those VSAM features.

3. If you do run two or more z/OS instances (a "Parallel Sysplex in a box") that can be a lovely configuration, but just bear in mind if the site or machine go offline (planned or unplanned) then you lose the whole Sysplex. Nonetheless a "Parallel Sysplex in a box" provides a great deal of value in terms of protecting against various software-related issues that would affect service availability if you only had one z/OS instance. Hypothetically a single CF could topple over and/or require a planned outage even without anything else going offline, but even with one CF the "Parallel Sysplex in a box" is rather good.

4. Check for and apply all relevant firmware, z/OS, and middleware updates (of course).

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
IBM Webinar on OpenShift with Secure Execution
I'm hosting a Webinar this Friday (March 3) at 11:00 AM Singapore Time (03:00 UTC) on the new Secure Execution support available for Red Hat OpenShift Container Platform on IBM zSystems and LinuxONE servers. Secure Execution is available at no additional charge on IBM z15, LinuxONE III, and higher model servers. It improves the isolation/separation between workloads for better security.

If you'd like to attend please visit this Web site to sign up:

https://ibm.biz/apac-webinar-subscription

There are other topics scheduled, and you may also be interested in those. Replays will be available if you cannot join live.

This time should be convenient for countries in Asia-Pacific (India to New Zealand basically), and it may also work for the eastern Pacific (U.S. West Coast for example). There aren't a super abundance of live Webcasts in these time zones, so I like to mention them from time to time, especially when I'll be on.

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
New Mainframe Freebie: Python AI Toolkit for z/OS
I didn't see anyone mention this IBM announcement yet, so I guess I will, briefly. The announcement letter is available here:

https://www.ibm.com/downloads/cas/US-ENUS223-021-CA/name/US-ENUS223-021-CA.PDF

Python is a popular language for (among other things) AI- and machine learning-related work — work that's increasingly important everywhere including directly on z/OS for many advantageous reasons (security, performance/low latency, reliability, availability, real-time and near real-time uses). The basic idea is that you should bring the analytics/AI to the data more, and bring the data to the analytics/AI less.

Many data scientists and application developers use Python and various Python libraries, the same libraries. IBM is announcing that it'll distribute a collection of popular AI-/ML-related packages for Python, installed as usual via "pip," from an IBM repository. And IBM will apply some quality control as/when appropriate, including security checks.

As with Python for z/OS itself there will be no additional charge for these packages. You can use them as much as you wish. If you need formal IBM support for these packages that'll be optionally available for a fee.

IBM plans to open this repository on February 24, 2023. Enjoy!

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: LDAP with TS7700 and/or DS8K's
Tom Longfellow replied:
> I always enjoy your well reasoned points.

Oh my gosh, always? I'll try to do better next time. :-) Seriously, thanks! That made my day, probably week too.

> I could sign on to many of them if I was in an environment with the
> resources and talents you listed. I am in a small shop where mainframe
> support is Me and The Other Guy

Yes, I fundamentally agree with you. Part of getting security right (and keeping it right) involves fitting within certain temporary and permanent constraints. "One size does not fit all."

By the way, and if it's any reassurance, I'm highly confident you're not the smallest shop. As it happens I've been working on a situation that involves a new client that doesn't have a data center yet. And what I mean by "data center" in this case is simply "a halfway decent place where we can uncrate their shiny new mainframe server — their very first server of any type." We'll eventually figure it out together, and it's mostly fun.

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: LDAP with TS7700 and/or DS8K's
ably take reasonable steps to assure that those external dependencies are well implemented and managed so that they don't jeopardize the availability and performance of your storage units. External dependencies include cables, electrical power, and (often) SAN switches. Is your key manager any different conceptually? No, not actually. So just have "a couple," as you do with redundant cables, power, and switches. And if you're nervous about putting all GKLM instances in one type of deployment environment — I can understand that — then just spread GKLM across two environments. zCX is an excellent one.

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
PDS compression needs a new name - defoam? unfoam? degas? I hope someone has a better idea!
How about in verb form compact (COMPACT in 8 capitalized characters or less), and in noun form compaction?

Another option is simply to attach adjectives, for example:

BCOMP - basic compression [ other options: SCOMP for simple compression, CCOMP for classic compression ]
ECOMP - enhanced compression

The latter ("enhanced") is the adjective assigned to the newer form of zlib-based hardware accelerated compression, so it aligns orthogonally. And if there's ever a third form of compression there are other adjectives and letters available such as:

SCOMP - super compression
ACOMP - advanced compression
QCOMP - quantum compression

No, I don't know what quantum compression would be. It's just an example.

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
RLSE - A question about releasing unused tracks in a DASD dataset
Dave Gibney wrote:
> The F line command from ISPF 3.4

David Cole wrote:
> Thanks Dave. I hadn't thought of that. Unfortunately, this has got to
> run in the batch (either normally or within batch TSO), so issuing a
> shortcut command interactively would not work for me.

I think Seymour alluded to this already, but (for future reference at least) here's how you can drive ISPF commands from batch programs:

https://www.ibm.com/support/pages/how-use-ispf-batch

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Webinar: Integrating zSystems/LinuxONE with SIEMs and DAMs
I'm co-presenting a webinar this Friday (December 16) on some fairly basic security topics, specifically an introduction to integrating zSystems and LinuxONE servers with Security Incident and Event Management (SIEM) and Data Access Management (DAM) solutions. This webinar will be live at an Asia-Pacific friendly time: about lunchtime in East Asia. If the time works for you and you're interested, great, please join! We'll have some time to answer questions you pose to us in the chat window.

To register please visit:

https://ibm.biz/apac-webinar-subscription

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: TKE and USB filesystem
I'm a bit confused. IBM Trusted Key Entry (TKE) Workstation microcode updates are performed by an IBM Customer Engineer (CE). If you have separation of duties-related concerns that's perfectly fine, but you still should have IBM CE assistance available — you can ask the CE, basically, and then decide who actually physically performs certain steps. (Recently there's also a network-based USB-less microcode update method, but at least for now you should still have an IBM CE available with your machine warranty/maintenance. On-site, even.)

Part of the TKE microcode upgrade process involves backing up the critical parameters and other site/customer-specific data from your TKE Workstation. You can back up that data to a USB memory key/drive. But that's a "closed loop." The TKE Workstation formats the drive ("TKEDATA" format) for you. There's nothing to do on a PC, Mac, or other device.

Am I missing anything?

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
TNZ 3270 Emulator: Any Experiences?
There's a 3270 emulator (and automation) package written in Python that's available here:

https://github.com/IBM/tnz

You can run it on any platform that supports Python including macOS and z/OS itself. Any reports? Has anyone tried it?

One of the fascinating things you can do with TNZ is to run it on z/OS, connect to z/OS via OpenSSH (using PuTTY or just about any other SSH client), and then start a "loopback" or other TN3270E session within your SSH terminal session. And then you can use ISPF (etc.) via SSH. (Got all that?)

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Crypto Express question
Frank Swarbrick wrote:
> I do think that having an internal crypto card is quite a benefit,
> and CCA/ICSF is generally quite nice to work with. That being
> said, not having to work with any crypto processing at all is even
> nicer.

"Not having to work with any crypto processing" isn't a viable option, not if you want even trivial security.

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Webcast: Modernize & Secure Your Mainframe Networking
I'm hosting a free Webcast this Friday, October 28, at 11:00 AM Singapore Time on modernizing and securing mainframe networks. Sam Reynolds and Edward Seidl are presenting this week. Major topics include: (a) easy options to retire "raw" SNA (and pre-SNA) protocols that unfortunately only offer weak security at best, and (b) measuring your z/OS network security posture with the z/OS Encryption Readiness Tool (zERT), a no additional charge feature included with the base z/OS operating system.

As background, IBM has revealed that quite soon (with an upcoming release) you'll need to rely exclusively on Enterprise Extender (also part of z/OS) if you want to continue carrying SNA traffic across your network. "Last call," really, if you haven't retired "raw" SNA and pre-SNA yet. You'll then be able to secure your network properly and likely enjoy some performance benefits.

The live Webcast time likely works best for those of you in New Zealand, India, and all time zones in between. However, it'll still be a fairly reasonable time Thursday evening on the U.S. West Coast (for example). If you can join live you'll have the opportunity to ask us questions, but I believe this Webcast will be recorded if you want to replay it at a more reasonable hour in your time zone.

To sign up please visit:

https://ibm.biz/apac-webinar-subscription

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: zOS 1.13 (really) how copy MVS loadmod from ZFS to PDSE
Nightwatch RenBand wrote:
> IBM Java support figured it all out.
> Java8 uses instructions from the instruction set on z10 and higher
> machines. And WE are using a z9 2096 machine.
> ERGO S-0C1 was for "ain't no such instruction" rather than the usual not on
> a half word boundary.
> Thanks for all your help. Wish they would either upgrade or replace the
> system so I can go retire... but they keep paying me.
> https://www.ibm.com/docs/en/sdk-java-technology/8?topic=installing-supported-environments#supported_env_80__zos

Interesting! You might want to ask them when the z10 minimum processor level was introduced since (as far as I can tell) it was introduced at some point in the service stream. At initial announcement the IBM SDK for z/OS, Java Technology Edition, Version 8 was supported on z990/z890 processors or higher with z/OS 1.13 or higher. Then, if you wish (not a recommendation), you could obtain and run the unsupported release just prior to the introduction of the z10 minimum-related code change. I quickly scanned through the release notes, and I haven't been able to find the Service Refresh (SR) or Fix Pack (FP) when the z10 prerequisite was evidently introduced. The Program Directory mentions nothing about a z10 minimum processor level.

Alternatively, IBM still provides most of the Java 8 SDK builds going back to the GA release. You can still find them if you navigate through IBM's download pages. What you could try is to roll back to the final Fix Pack for each of the major Service Refreshes to see which one runs on a z9. Here are the final listed Fix Packs for each Service Refresh:

GA+IV70681
SR1 FP10
SR2 FP10
SR3 FP22
SR4 FP11
SR5 FP41
SR6 FP36

SR7 FP16 is current, as I write this. So for example try SR6 FP36. If that works, great. If not, try SR5 FP41 next. And so on. I'm assuming any z10 minimum processor level requirement was introduced at a Service Refresh boundary, and that's probably a reasonable assumption.

Please let us know how it goes if you head down any of these paths.

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: Pass Phrases
Steve Beaver wrote:
> Has anyone SUCCESSFULLY converted to Pass Phrases.
> IRS is starting to push and I'm afraid that CICS, DB2, Natural, and the
> Password exits are
> Are going to be disaster and about 1 year.

Why don't you just jump to multi-factor authentication, something you should be doing anyway? Then you'd have Enhanced PassTicket* and "out-of-band" support so you can accommodate situations when the password field is limited to 8 characters. I assume that's the basic issue you're concerned about, that you'll need time to unwire/rewire the various presumptions that passwords are up to 8 characters long and can't be passphrases. I think those issues are already well traveled with MFA.

* Don't use Legacy PassTickets.

— — — — — Timothy Sipples Senior Architect Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE, Asia-Pacific sipp...@sg.ibm.com
Re: COBOL - z/OS 2.1 vs 2.4
Paul Gorlinsky wrote:
>There are some notes that the language environment is dropping off some
>prior versions of COBOL.

Do you have a link to the IBM Language Environment documentation to which you are referring? I'm not sure what you're referring to.

>IBM is requiring V6 COBOL on the most current version of z/OS of which LE
>is a major component.

Although I don't speak for IBM (as a reminder), no, IBM isn't doing that. IBM requires that you adhere to your contractual agreements with IBM including license agreements (and otherwise respect applicable legal provisions such as copyrights and patents), but that's about as far as it goes.

Let's separate runtime from compilation. In terms of runtime IBM continues to support COBOL programs compiled with older, unsupported COBOL compilers. If you suspect a defect in the z/OS runtime you should open a problem case with IBM. Fierce dedication to backward compatibility is one of the hallmarks of this platform, and to my knowledge this IBM commitment is enduring.

In terms of compilers IBM recommends that you run an IBM supported compiler. Currently this means Enterprise COBOL Version 6 (recent release, preferably current release) unless you have a support extension for an older release. You may wish to recompile older programs for performance and other reasons using the newer compiler (or to use Automatic Binary Optimizer), but you are not required to do so.

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Enterprise Cobol 6.3.0, XML PARSE and zIIP usage.
Massimo Biancucci wrote:
> After increasing the size of XML up to 150MB then I saw a little of zIIP
>usage. Anyway, it would be interesting to know how IBM manages these
>thresholds.

I don't have any inside information here, but it seems reasonable to infer that ostensibly zIIP eligible workload has to be "big enough" to become actually zIIP eligible. Otherwise you could end up with a perverse outcome: higher than necessary utilization of/on both engines. Cache-related factors may play a role.

It's a bit like going to a fast food restaurant and picking up your order at the counter. "May I have one more packet of ketchup?" you ask. The cashier could just grab a packet of ketchup and drop it in your bag. Or the cashier could summon a ketchup specialist to the counter to assist you, the cashier would brief the ketchup specialist on your request, and the ketchup specialist would handle your request. Sometimes it's more efficient for everyone concerned when the cashier grabs the packet of ketchup directly. But if your request is "Would you add some more ketchup to all 6 of my hamburgers, please" then the ketchup specialist ought to get involved so the cashier can serve other customers more efficiently.

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Enterprise Cobol 6.3.0, XML PARSE and zIIP usage.
Is the XML processing you're doing in your test program "trivial," thus z/OS correctly decided it wasn't worth even attempting a switch to dispatch the work to your zIIP engine? If my guess seems reasonable are you able to run the test with a bigger XML input file?

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: zOS 1.13 (really) how copy MVS loadmod from ZFS to PDSE
John McKown wrote:
>What level of hardware? We have a z9BC. SCRT version 29 will NOT run on
>this hardware level. I think it needs a z12 or better. From what I saw, I
>needed the MVHGI instruction. Actually, this is a Java 8 requirement, not
>SCRT 29. I'm still running SCRT 28. In anticipation of requiring SCRT 29, I
>downloaded the Windows SCRT program & tested it out. It worked. But that is
>still SCRT 28 because SCRT 29, IIRC, won't be available until 15Oct2022.

John, let's be precise here. You decided to run SCRT off platform, and that's one choice. But the IBM SDK, Java Technology Edition, Version 8 for z/OS is compatible with/was supported with z/OS 1.13 and higher. (z/OS 1.13 has reached End of Service, so it's an "as-is" situation now.) There are no additional Java 8 prerequisites in terms of machine model, not generalized ones anyway. It's highly likely the error message you observed is spurious since (from what I can determine from afar) you didn't satisfy the published prerequisites. IBM never said Java 8 would work on z/OS 1.12 (your release).

When you stray from the published prerequisites and something doesn't work then all you can conclude is that the published prerequisites might be correct. You cannot logically conclude that the published prerequisites are incorrect, and that's what you seem to be doing in what you just wrote.

Anyway, back to the original question Nightwatch RenBand asked, or at least a workaround Nightwatch RenBand: Likely the easiest, quickest way to solve your particular problem is to install the IBM SDK, Java Technology Edition, Version 8 via SMP/E rather than via the Web-delivered version. The SMP/E installation should get JZOS properly installed into PDS/Es for you (as well as zFS). You can order the SMP/E installable SDK (with the latest maintenance) through IBM Shopz, and it's a no additional charge software product. That is to say if you're a z/OS licensee you can obtain and run this software product at no additional charge.

There are actually two products because there are two IBM Program Numbers, one for the 31-bit release and the other for 64-bit. SCRT recommends 64-bit, although 31-bit will likely work especially if you have a relatively small number of LPARs. You might as well order and install both. Here are the IBM Program Numbers to order:

31-bit: 5655-DGG
64-bit: 5655-DGH

And here's the link to IBM Shopz:

https://www.ibm.com/client-tools/shopz

End of Service for these products is currently September 30, 2026. If you need to open a problem case with IBM that's specific to the SDK (a suspected defect in Java) then you probably can still do so, although be prepared for a "Sorry, we've reached our limits" if you start to drift into something specific to z/OS since you're on 1.13.

Obviously it'd be wonderful if you get to a newer, supported z/OS release. But SCRT Version 29's requirements shouldn't force you to do so.

Please let us know how it goes!

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
IBM LinuxONE Emperor 4 and z/VM 7.3 Announcements
For your reading pleasure

IBM LinuxONE Emperor 4
https://www.ibm.com/downloads/cas/US-ENUS122-002-CA/name/US-ENUS122-002-CA.PDF

z/VM 7.3
https://www.ibm.com/downloads/cas/US-ENUS222-215-CA/name/US-ENUS222-215-CA.PDF

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Real fun for companies on older machines & SCRT
John McKown wrote:
>1.12

That's very likely your actual problem. The IBM SDK for z/OS, Java Technology Edition, Version 8 definitely requires z/OS 1.13 or higher.

>Java 8 won't run on our z9 due to ALS level.

That's incorrect. Even the z890/z990 model generation can run Java 8, and your machine is one model generation newer than that.

If you have a "sandbox" LPAR with z/OS 1.13 or z/OS 2.1 you can try again. (z/OS 1.13 and 2.1 are the only two z/OS releases that are compatible with both IBM z9 BC machines and Java 8.)

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com