Re: mainframe hacking "success stories"?

2019-05-06 Thread Bigendian Smalls
Bill, would you care to back that sweeping generalization up with some detail? 

> On May 6, 2019, at 22:06, Bill Johnson 
> <0047540adefe-dmarc-requ...@listserv.ua.edu> wrote:
> 
> Completely different. Hacking Microsoft is way easier. 
> 
> 
> Sent from Yahoo Mail for iPhone
> 
> 
> On Monday, May 6, 2019, 3:53 PM, Bigendian Smalls 
>  wrote:
> 
> Which is how 80% of all the hacks today start.  Find purchase and advance 
> your position. This is how the game is played. It was as classic of a hack as 
> anything today. 
> 
>> On May 6, 2019, at 21:43, Bill Johnson 
>> <0047540adefe-dmarc-requ...@listserv.ua.edu> wrote:
>> 
>> Still never would have occurred without a valid userid.
>> 
>> 
>> Sent from Yahoo Mail for iPhone
>> 
>> 
>> On Monday, May 6, 2019, 3:18 PM, Charles Mills  wrote:
>> 
>> No.
>> 
>> From the link you cite:
>> 
>> "According to various sources, the hackers succeeded in finding (and 
>> exploiting) at least 2 previously unknown errors enabling them to raise 
>> their authorisations in the system. One of them was an error in an IBM HTTP 
>> server and the other one was an error in the CNMEUNIX file, which in the 
>> default configuration has SUID 0 authorisations (which means that by 
>> leveraging on the errors it contains, one is able to execute commands with 
>> the system administrator’s authorisations)."
>> 
>> His "user" access to InfoTorg was not a problem for the mainframe. (It was a 
>> problem for the MPAA lawyer whose account he accessed, but not for the 
>> mainframe in general.) The above mainframe security vulnerability was.
>> 
>> Charles
>> 
>> 
>> -Original Message-
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
>> Behalf Of Bill Johnson
>> Sent: Monday, May 6, 2019 11:17 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: mainframe hacking "success stories"?
>> 
>> The Pirate Bay hack acquired a valid mainframe userid and password off of a 
>> Microsoft laptop. In effect, not really a mainframe hack. He just logged on. 
>> https://badcyber.com/a-history-of-a-hacking/ 
>> 
>> Sent from Yahoo Mail for iPhone
>> 
>> 
>> On Monday, May 6, 2019, 1:21 PM, Charles Mills  wrote:
>> 
>> #1: Noo. It was a legitimate mainframe hack (assuming you consider USS a 
>> legitimate part of the mainframe, which it has been for 20 years or so). It 
>> was an exploit of CGI buffer overrun.
>> 
>> #2: It drives me nuts to hear mainframers explain away mainframe breaches. 
>> "It wasn't really a mainframe hack, they got in through USS." "It wasn't 
>> really a mainframe hack, they re-used a Windows password." "It wasn't really 
>> a mainframe hack ... whatever." If your CEO was standing in front of the 
>> press explaining how your company let x million credit card numbers go 
>> astray, would it matter HOW they got into your mainframe, or only that they 
>> DID?" If your mainframe is vulnerable to a USS hack, or a shared Windows 
>> password, or whatever, you need to fix THAT, or risk having to explain to 
>> your CEO why he got fired (like Target's) for letting all those credit card 
>> numbers go astray.
>> 
>> Charles
>> 
>> 
>> -Original Message-
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
>> Behalf Of Bill Johnson
>> Sent: Sunday, May 5, 2019 10:00 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: mainframe hacking "success stories"?
>> 
>> Wasn’t really a mainframe hack. It was a laptop hack that acquired 
>> legitimate mainframe credentials.
>> 
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> 
>> 
>> 

Re: mainframe hacking "success stories"?

2019-05-06 Thread Bigendian Smalls
Which is how 80% of all the hacks today start.  Find purchase and advance your 
position. This is how the game is played. It was as classic of a hack as 
anything today. 

> On May 6, 2019, at 21:43, Bill Johnson 
> <0047540adefe-dmarc-requ...@listserv.ua.edu> wrote:
> 
> Still never would have occurred without a valid userid.
> 
> 
> Sent from Yahoo Mail for iPhone
> 
> 
> On Monday, May 6, 2019, 3:18 PM, Charles Mills  wrote:
> 
> No.
> 
> From the link you cite:
> 
> "According to various sources, the hackers succeeded in finding (and 
> exploiting) at least 2 previously unknown errors enabling them to raise their 
> authorisations in the system. One of them was an error in an IBM HTTP server 
> and the other one was an error in the CNMEUNIX file, which in the default 
> configuration has SUID 0 authorisations (which means that by leveraging on 
> the errors it contains, one is able to execute commands with the system 
> administrator’s authorisations)."
> 
> His "user" access to InfoTorg was not a problem for the mainframe. (It was a 
> problem for the MPAA lawyer whose account he accessed, but not for the 
> mainframe in general.) The above mainframe security vulnerability was.
> 
> Charles
> 
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Bill Johnson
> Sent: Monday, May 6, 2019 11:17 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: mainframe hacking "success stories"?
> 
> The Pirate Bay hack acquired a valid mainframe userid and password off of a 
> Microsoft laptop. In effect, not really a mainframe hack. He just logged on. 
> https://badcyber.com/a-history-of-a-hacking/ 
> 
> Sent from Yahoo Mail for iPhone
> 
> 
> On Monday, May 6, 2019, 1:21 PM, Charles Mills  wrote:
> 
> #1: Noo. It was a legitimate mainframe hack (assuming you consider USS a 
> legitimate part of the mainframe, which it has been for 20 years or so). It 
> was an exploit of CGI buffer overrun.
> 
> #2: It drives me nuts to hear mainframers explain away mainframe breaches. 
> "It wasn't really a mainframe hack, they got in through USS." "It wasn't 
> really a mainframe hack, they re-used a Windows password." "It wasn't really 
> a mainframe hack ... whatever." If your CEO was standing in front of the 
> press explaining how your company let x million credit card numbers go 
> astray, would it matter HOW they got into your mainframe, or only that they 
> DID?" If your mainframe is vulnerable to a USS hack, or a shared Windows 
> password, or whatever, you need to fix THAT, or risk having to explain to 
> your CEO why he got fired (like Target's) for letting all those credit card 
> numbers go astray.
> 
> Charles
> 
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Bill Johnson
> Sent: Sunday, May 5, 2019 10:00 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: mainframe hacking "success stories"?
> 
> Wasn’t really a mainframe hack. It was a laptop hack that acquired legitimate 
> mainframe credentials.
> 


Re: mainframe hacking "success stories"?

2019-05-06 Thread Bigendian Smalls
Charles is correct. He found vulnerabilities in DFS I believe.  Used that for 
privesc.  

> On May 6, 2019, at 21:17, Charles Mills  wrote:
> 
> No.
> 
> From the link you cite:
> 
> "According to various sources, the hackers succeeded in finding (and 
> exploiting) at least 2 previously unknown errors enabling them to raise their 
> authorisations in the system. One of them was an error in an IBM HTTP server 
> and the other one was an error in the CNMEUNIX file, which in the default 
> configuration has SUID 0 authorisations (which means that by leveraging on 
> the errors it contains, one is able to execute commands with the system 
> administrator’s authorisations)."
> 
> His "user" access to InfoTorg was not a problem for the mainframe. (It was a 
> problem for the MPAA lawyer whose account he accessed, but not for the 
> mainframe in general.) The above mainframe security vulnerability was.
> 
> Charles
> 
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Bill Johnson
> Sent: Monday, May 6, 2019 11:17 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: mainframe hacking "success stories"?
> 
> The Pirate Bay hack acquired a valid mainframe userid and password off of a 
> Microsoft laptop. In effect, not really a mainframe hack. He just logged on. 
> https://badcyber.com/a-history-of-a-hacking/ 
> 
> Sent from Yahoo Mail for iPhone
> 
> 
> On Monday, May 6, 2019, 1:21 PM, Charles Mills  wrote:
> 
> #1: Noo. It was a legitimate mainframe hack (assuming you consider USS a 
> legitimate part of the mainframe, which it has been for 20 years or so). It 
> was an exploit of CGI buffer overrun.
> 
> #2: It drives me nuts to hear mainframers explain away mainframe breaches. 
> "It wasn't really a mainframe hack, they got in through USS." "It wasn't 
> really a mainframe hack, they re-used a Windows password." "It wasn't really 
> a mainframe hack ... whatever." If your CEO was standing in front of the 
> press explaining how your company let x million credit card numbers go 
> astray, would it matter HOW they got into your mainframe, or only that they 
> DID?" If your mainframe is vulnerable to a USS hack, or a shared Windows 
> password, or whatever, you need to fix THAT, or risk having to explain to 
> your CEO why he got fired (like Target's) for letting all those credit card 
> numbers go astray.
> 
> Charles
> 
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Bill Johnson
> Sent: Sunday, May 5, 2019 10:00 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: mainframe hacking "success stories"?
> 
> Wasn’t really a mainframe hack. It was a laptop hack that acquired legitimate 
> mainframe credentials.
> 


Re: ZPDT usb issue after Linux update.

2017-01-22 Thread Bigendian Smalls
An update on this for those using CentOS or RHEL.   Got it working just fine 
tonight.

The problem exists in the update of glibc to 157.el7_3.1.
The last version that I can make work (of glibc) is 106.el7_2.6.

The 106 version of glibc is in the 1511 minor release of CentOS 7.2.

You’ll likely have to enable that repo and downgrade glibc and a couple other 
glibc packages (e.g. I had to do glibc, glibc-common, glibc-devel, 
glibc-headers).

Good news is nothing else (at least on my systems) had to be uninstalled or 
reverted - those packages (both the i686 & x64 versions) were able to be 
downgraded without taking anything else along - and I was able to update the 
rest of the system to 7.3.1611 - which is the latest release of Cent.

I wrote a script with the relevant yum commands I’d share - if anyone wants it, 
let me know.

If anyone is having this issue with SUSE and wants me to poke at it, I’d be 
happy to look at that also, let me know.

Regards,

Chad



Re: ZPDT usb issue after Linux update.

2017-01-20 Thread Bigendian Smalls
The issue is with the USB licensing / sw protection system (Sentinel by 
Gemalto) and its interaction with either a kernel code/module, or library 
update (like a libc etc).
For CentOS anyway, I’ve almost got it narrowed down to the exact update 
(presume it’ll be the same for RedHat etc).  When I get it to the
specific package I’ll post it here.

If you use CentOS and can roll back to 7.2.1511 that seems to work, 7.3.1611 
does not.  I’ve heard that IBM only supports 7.1 release  for CentOS
(despite 7.1 being unsupported and not updated since 1/8/16).  

It is disappointing we’re still discussing this, it was reported publicly over 
a month ago.  

> Is this issue not analogous to "I made changes on my z/OS system, and now
> some critical software product is broken?”
Yep.

> In that case, you would use SMP/E or volume backups to go back.   Isn't
> linux essentially the same (only different)?

Yes it is - but the issue is no one has identified the particular code that 
affects the licensing system.  Lots of times patches are applied w/o rebooting 
and
sometimes the code doesn’t take effect until reboot - so not entirely clear 
which package did the trick.
> 
> For my Linux desktop (Ubuntu), with the package manager (synaptic / apt) it
> is pretty easy to roll back changes (like a kernel version).   I also keep
> an unmounted mirror disk for my OS disk and use a cron job to rsync to it
> automatically on the weekend.   Rolling back the entire OS volume takes
> about 5 minutes using rsync (after booting from a thumb drive).

That’s what I did - but it’s the nuclear option - also in this day and age who 
wants to roll back patches if they don’t have to.  :)

Chad



Re: Interested in portable mainframes?

2017-01-04 Thread Bigendian Smalls

> "Drink waters out of thine own cistern, and running waters out of thine own 
> well." -Proverbs 5:15

This stuff just got biblical.  It’s about time.


:)





> -- 
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the universe
> www.softwoehr.com # with a fine understanding of human fallibility. - Carl 
> Sagan
> 
> 


Interested in portable mainframes?

2017-01-04 Thread Bigendian Smalls
See this webinar about RD&T

"DRINKING OUR OWN CHAMPAGNE, WITH Z SYSTEMS DEVELOPMENT AND TEST ENVIRONMENT 
V10 (2)”

Start Date: 1/24/2017

Start Time: 12:00 PM CST

Duration: 60 minutes

https://vts.inxpo.com/scripts/Server.nxp?LASCmd=AI:4;F:QS!10100&ShowKey=36587






Re: TSO Setup on SSH

2016-12-11 Thread Bigendian Smalls
Have you tried running the daemon in foreground/debug mode to see what it's 
trying to do and failing on? You can run the client also with debug messages, 
if necessary. This solves 99% of my wonky ssh issues. 


sshd -dd -D -f /your-sshd-file 


Chad 

> On Dec 11, 2016, at 05:25, venkat kulkarni  wrote:
> 
> Hello Jack, I tried that as well, and while running the batch file mentioned in
> the OpenSSH user guide I get a permission issue
> 
> #Sftp -b batch file ibm08@10.128.234.43
> FOTS1379 PERMISSION issue denied(public key,passworD,keyboard inter)
> FOTS0841 CONNECTOOB CLOSED.
> 
>> On Dec 11, 2016 13:42, "Jack J. Woehr"  wrote:
>> 
>> venkat kulkarni wrote:
>> 
>>> After your all suggestion, I tried couple of things.
>>> 
>> I think that now you are only confusing yourself, having tried so many things.
>> 
>> That is an easy thing to happen on z/OS. I myself recently experienced a
>> wave of confusion about RACF and have only just recovered!
>> 
>> Here is what you should do:
>> 
>> 1. Reset your sshd configuration to the default.
>> 2. Learn how to transfer files USS to Linux and Linux to USS using a
>> public key.
>> 3. Once you understand that, use the procedure in Appendix A. of
>> SC27-6806-01 z/OS V2R2 OpenSSH User's Guide to do
>>   batch transfers.
>> 
>> --
>> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
>> www.well.com/~jax # thinking, a way of skeptically interrogating the
>> universe
>> www.softwoehr.com # with a fine understanding of human fallibility. -
>> Carl Sagan
>> 
>> 


Re: Why Can't You Buy z Mainframe Services from Amazon Cloud Services?

2016-12-09 Thread Bigendian Smalls
Timothy - 

I did read all the links on your page - it’s what prompted the rant.  And, 
likewise, if you read my post in its entirety, you know that 15 days of a 
“test-drive of development-based tools on Z” does positively and unequivocally 
zero to address the items I enumerated.  No way that testdrive (and its anemic 
15 day limit) would provide an intelligent person an even remotely fighting 
chance of learning anything useful about the platform with which to make a 
decision on schooling, trade or vocation.  Is there value in the link you 
provided? Sure.  Does it address anything I said.  Nope.

Respectfully,

Chad


> On Dec 9, 2016, at 12:40 AM, Timothy Sipples  wrote:
> 
> Bigendian Smalls wrote:
>> TL;DR - there needs to be a free version of z/os & its siblings sooner than
>> later, to not do this is to potentially starve the platform out of existence
>> as we know it.
>> as we know it.
> 
> Didn't anybody read the page that I linked to? There is, already. For up to
> 15 days.
> 
> Charles Mills wrote:
>> What??? THIS is IBM's answer???
> 
> As a reminder, I do not speak for IBM. If you'd like *IBM's* answer, ask
> IBM through an official channel. *My* answer, writing only for himself, is
> to state a plain fact: free z/OS access is available, today, from IBM, for
> up to 15 days. I believe in facts. Let's at least start with them. IBM
> probably will if you're going to make an argument with IBM.
> 
> Scott Chapman wrote:
>> I don't see anything there that says one can do real production business work
>> using z/OS, starting at $0.
> 
> No, you don't. I answered Charles Mills's question, not some other question
> that he didn't ask.
> 
> I would point out that the cost to provide z/OS services, or any computing
> services for that matter, is greater than zero, especially but not only for
> "real production business work." If you'd like to suggest that any company
> price its set of products and associated services below cost, it wouldn't
> shock me if that company disagrees with your suggestion.
> 
> That said, IBM has priced z/OS (and associated middleware, tools, and
> utilities) access at $0, for up to 15 days, per the terms and conditions
> associated with that offering. The Master the Mainframe contest is another
> example of $0 z/OS access. IBM provides *some* $0 z/OS access, already.
> 
> Charles Mills wrote:
>> How does a smallish business get going on z/OS? (Answer: they don't.)
> 
> Sure they do. Here's an example:
> 
> https://www.youtube.com/watch?v=CtX0naUx6Qo
> 
> John McKown wrote:
>> But I'm still not likely to find a z13s at the mom & pop
>> fast food place like I would a PC or two. Probably not even in a high
>> priced law firm.
> 
> Analogously you won't often find a MRI machine in an elementary school's
> nurse's office. IBM z Systems with their associated operating systems and
> middleware are major pieces of capital (in the generalized sense, not
> necessarily in the financial accounting sense), of a certain minimum
> "heft." The minimum heft is less than many people think (see above, and see
> Connor Krukosky's parents' basement, as examples), but it is something.
> Otherwise it wouldn't be an IBM z System (or a MRI machine, or a Boeing
> 777, etc.)
> 
> 
> Timothy Sipples
> IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
> E-Mail: sipp...@sg.ibm.com
> 


What about that nextgen? [was Re: Why Can't You Buy z Mainframe Services from Amazon Cloud Services?]

2016-12-08 Thread Bigendian Smalls
Not to be contrarian, but - well - let me be contrarian.  Rant coming.  TL;DR - 
there needs to be a free version of z/os & its siblings sooner than later, to 
not do this is to potentially starve the platform out of existence as we know 
it.

I don’t think, for a moment, that when people ask for a mainframe-in-the-cloud 
type experience, that they are asking for Linux One or linux on Z, they want a 
z/OS-type platform on which to learn and play.  Otherwise it's just Ubuntu or 
SUSE, like I can run on my laptop.  For anyone but the kernel developers and a 
few select others, most would never know the difference (outside of 
performance, perhaps).  It’s certainly not the classic z/OS / VM / tpf / etc 
experience that most here talk about daily.

As for the other offerings, none are the same (or even really the same sport) 
as having your hands on a “real” z/OS (or z/VM, etc.) mainframe - the closest 
of which for people not buying hardware would be z/PDT.  By real, I mean you 
can provision storage, configure parmlibs, install software with SMP/E, develop 
load modules, configure platform software and tcp/ip, etc etc. IPL the system, 
crash it, figure out how to build a stand alone dump.  Figure out how to read 
that dump, get the system up and running again.  Gen a system from scratch; 
install an upgrade with a serverpac and so on.

Until IBM figures out that they’re losing opportunities because of this, I fear 
the platform is going to get harder and harder to support and defend.  Most (if 
not all) of the cloud - or public offerings on Z (again, not talking Linux) are 
for Developers.  Master the mainframe, z Systems cloud trial (RDT for z “Test 
drive development tools”) etc. <- all focused on developers.

But, where will the next generation of Storage Engineers & System Programmers 
come from? Who will write the DFSMS/ACS routines, or write the assembler-based 
system exits? Who will wade through SMP/E reading hold data and figuring out 
how to fix or remove a wonky PTF that didn’t apply correctly or went PE?  Who 
will configure the VTAM / 3270 applications and the intricate work tweaking 
TCP/IP net filter and ATTLS?  Who is going to do the detailed capacity / 
performance analysis and tuning of the storage, wlm, cpus and so on?  To say 
nothing of the gargantuan task of securing these beasts.

These are skills with theoretical backgrounds in many disciplines, but the 
specifics and technical difficulties pertaining to using those skills on this 
platform are non-trivial.  People need time, mentors and opportunity to learn 
it.  That opportunity is nearly gone - or unrealistically appraised at this 
point.

Sure there are a few colleges which teach these skills, and the tried and true 
way of apprenticeship still works if you can get it, but how prevalent is that? 
Moreover, why would a fresh-out-of-school person take a chance on an 
OS/platform that they’ve never gotten to put their hands on? In today’s world, 
they can get a free/inexpensive version of every single OS on the planet for 
personal use (Microsoft & VMWare development and full evaluation versions, 
Linux is open source and free, as is the BSD’s, etc etc) - except for z/OS and 
its time-tested brethren.   Why is that?  How does that secrecy help generate 
buzz and the next generation of loyal mainframers?

To ask the fresh, talented, next generation of techies to go to work in a 
mainframe shop - or to go to a school to learn mainframe is asking them to take 
a gigantic leap of faith.  They have the opportunity to be hands-on with 
99.999% of the tech out there before they leave high school; but somehow, 
someone expects that they’ll self-select into becoming a z/OS sysprog?  Why 
would they?   Not having a clear track to this pipeline is the single biggest 
security issue and threat to this platform there is.  Companies will hire the 
remaining few, then outsource, then divest - unless we (and IBM) start driving 
interest by making the platform (the whole platform, not just the development 
bits) available to anyone who wants to play with it.

It’s a huge opportunity missed, and I hope it changes soon.  One of the hardest 
things to see is, after giving a talk at a non-mainframe centric conference, 
people who come and ask how they can get involved directly.  You can’t.  Unless 
you go to work or school somewhere special, or are willing to lay out several 
thousand out of your own pocket - you just have to admire it from afar.  And 
that’s too bad, because it’s a kick butt OS and a super challenging ecosystem 
that the unbelievably sharp new technologists would sink their teeth into.  
They’d eat it up.  Many were programming from the time they could walk and 
computers just. make. sense.  But this computer, with its super configurable 
and somewhat non-forgiving “you better know what you’re doing or how to figure 
it out” practices and protocols, requires time and a steep ramp-up period to 
become proficient.  It has to start now. 

Re: [EXTERNAL] Re: z/OS Web Based Dropbox ?

2016-11-30 Thread Bigendian Smalls
If it were me, I’d start by Googling open source web file sharing or open 
source private cloud.  I think the issue is starting with “Z” based xyz.   Most 
/ many technologies can / will run on z if they’re java / c / plain ol’ web 
type stuff - you might very well be able to port or even just install off the 
shelf one of the 10s of options in that space.

Obviously you mightn’t be able to do direct xfers to MVS Datasets, for instance 
- but with all the other help / ingenuity here I’m sure you can work / code 
around that to use UNIX as the base for pickup/dropoff.



> On Nov 30, 2016, at 12:19 PM, Peter Hunkeler  wrote:
> 
> 
>> ftp is restricted - was my first thought as well 
> 
> 
> What is the limiting part? FTP can write to and read from the z/OS UNIX file 
> system. 
> Do you need to work with the files on z/OS? Or is it only to be the parking 
> space?
> 
> 
> --
> Peter Hunkeler
> 
> 
> 


Re: Apache Virtual Server Setup

2016-11-29 Thread Bigendian Smalls

I am trying to setup a virtual server on zos 2.2 apache http server. My intent 
is to have anyone coming in on ip 12.1.1.12:80  to be directed to a welcome 
page html. But I keep getting the access error below. I have tried many, many 
different directive variations but no luck. Any examples or assistance is 
appreciated. Thanks Matt

If this is not the correct forum for this please let me know. tks

# START Virtual Server 1 statements.

#

DirectoryIndex welcome.html

   Require all granted



#


Check your error logs, but you may be missing (or need to change) the 
ServerRoot or DocumentRoot directive?

Here’s some info
http://httpd.apache.org/docs/2.4/mod/core.html#serverroot

http://stackoverflow.com/questions/5947947/difference-between-serverroot-documentroot-and-directory

http://stackoverflow.com/questions/5891802/how-do-i-change-the-root-directory-of-an-apache-server

Chad






Forbidden

You don't have permission to access / on this server.
IBM_HTTP_Server Server at 27.1.39.74 Port 80



Re: Mainframe systems programmer ID 'vaulting'

2016-11-22 Thread Bigendian Smalls
This is something I hadn’t heard much about, but a couple questions come to 
mind - for anyone who has thought about or implemented this:

1) If you have a pool of IDs, then are you losing granularity with which you 
might want to assign privileges?  Meaning you now have to have IDs that have 
exactly the same permissions - if they are user-agnostic (among some class of 
users obviously, like DEVs or SYSPROGs or whatever) - Seems like that is back 
to the old, “Create a new id.  What perms to give him? Dunno, just build it 
like Chad’s, they have the same job.”  Which has kind of gone out of style for 
obvious reasons (though still prevalent in practice).

2) How does tracing back activity go?  If Gil & Charles decide to collude and 
do horrible things, I see this on SMF or whatever I’m using to monitor these 
guys, then I have to go back to another system of record to see who had those 
IDs during what time (hoping that all that data is up to date, accurate and 
available)  ?   

3)  Is this a band-aid, where having MF-RACF (or whichever ESM) passphrases / 2 
factor auth would seemingly be preferable, but for whatever reason people 
can’t/won’t do this?

4) I get the value for privileged IDs that say a production support dev or 
infrastructure team that’s 2nd level, or oncall might not need everyday, but 
might need in a “break glass” scenario; but day to day - would it make sense?   
Certainly if the alternative is the standard password character pool and its 
30 year old lack of entropy, then anything is an improvement - but given the 
headaches in doing a huge new process / tooling - I wonder if time wouldn’t be 
better spent updating the ESM settings + 2 factor?


Chad


> On Nov 22, 2016, at 10:52 AM, James Peddycord  wrote:
> 
> NTAC:3NS-20
> Our company is undergoing a project to 'protect privileged access' by using a 
> password vaulting product. We have been doing this for quite some time for 
> applications teams who require higher levels of access to production datasets 
> for problem resolution, installs, etc.
> The way it works is that a pool of logonids is created, along with an AD 
> group that allows the appropriate applications folks to be able to 'check 
> out' one of these pooled logonids for 24 hours via a web interface. The web 
> interface uses the users lan password plus their secure key passcode and 
> phrase to validate their identity.
> The project has now included Windows and Unix server admins, but instead of a 
> pooled logonid these users have separate logonids with admin access and they 
> 'check out' their own individual administrator logonid.
> Now the project has moved into the mainframe systems programmer space. So far 
> we have used the 'privileges' on the logonid records as defined by our 
> security product to limit this vaulting. Users with 'security' access must 
> check out logonids from the vault. Users with the non-cncl privilege are next.
> During project discussions it has been brought up that the systems 
> programmers, with their access to SYS1 datasets and operator commands, are 
> privileged users by nature, and that eventually they are going to want to 
> vault this access. We (the systems programmers) are strongly against this.
> It looks like at some point we will lose our battle and our access to the 
> mainframe will be vaulted, meaning my entire team will need to check a 
> logonid out of the password vault every morning before starting work. Our 
> main argument now is that we do not want these logonids to be generic, pooled 
> logonids, we want them to be basically the same as our own logonids so that 
> we can see who did what by using the mainframe's built in logging (SMF data, 
> ISPF stats, etc...).
> 
> My questions are, are other companies using password vaulting or other 
> multi-level authentication for mainframe systems programmer access?
> What else could we use in our argument against using generic, pooled logonids?
> 
> Thanks in advance!
> 
> Jim
> 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
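
Point 2 in the message above asks how activity on a pooled logonid gets traced back to a person. As an added illustration (not from the thread), this joins a constructed vault checkout log against constructed activity records and flags every action that cannot be tied to exactly one person; both record layouts are assumptions, not SMF or any vault product's format.

```shell
#!/bin/sh
# Added illustration. Both record layouts below are constructed stand-ins:
# they are not SMF records and not any vault product's export format.

# Vault checkout log: pooled_logonid  person  checkout_epoch  checkin_epoch
checkouts() {
cat <<'EOF'
POOL01 gil     1479830400 1479916800
POOL02 charles 1479834000 1479920400
POOL01 charles 1479916800 1480003200
EOF
}

# Activity seen on the system: epoch  logonid  action  resource
activity() {
cat <<'EOF'
1479840000 POOL01 ALTER  SYS1.PARMLIB
1479900000 POOL02 UPDATE SYS1.PROCLIB
1479916800 POOL01 DELETE PROD.PAYROLL.DATA
1480100000 POOL01 READ   SYS1.LINKLIB
EOF
}

# attribute CHECKOUT_FILE ACTIVITY_FILE
# Prints "epoch logonid verdict" per activity record. The verdict is the one
# person holding the ID at that instant, AMBIGUOUS:<names> when two checkout
# windows both cover it (handover in the same second, overlapping records), or
# UNATTRIBUTED when the vault has no checkout covering it.
attribute() {
  awk '
    FILENAME == ARGV[1] {
      n++; id[n] = $1; who[n] = $2; from[n] = $3 + 0; to[n] = $4 + 0
      next
    }
    {
      t = $1 + 0; hits = 0; names = ""
      for (i = 1; i <= n; i++)
        if (id[i] == $2 && t >= from[i] && t <= to[i]) {
          sep = hits ? "," : ""
          names = names sep who[i]
          hits++
        }
      if (hits == 0)      verdict = "UNATTRIBUTED"
      else if (hits == 1) verdict = names
      else                verdict = "AMBIGUOUS:" names
      print $1, $2, verdict
    }' "$1" "$2"
}

# report: run the join over the embedded sample data
report() {
  tmp=$(mktemp -d)
  checkouts > "$tmp/checkouts"
  activity  > "$tmp/activity"
  attribute "$tmp/checkouts" "$tmp/activity"
  rm -rf "$tmp"
}

report
```

With per-person logonids the logonid column alone answers the question; with pooled IDs every AMBIGUOUS or UNATTRIBUTED line is an action the second system of record could not resolve.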


Re: Sftp implementation

2016-11-18 Thread Bigendian Smalls
> z/OS sftp client supports ASCII. And I believe the Co:Z sftp server that runs 
> on z/OS does too along with lots of other goodies like spool access.

That's good to know, cheers! I rarely use it with a properly configured FTP/S 
being more useful imo. But the sftp is handy for binary transfers especially 
when FTP/S isn't configured.

> On Nov 18, 2016, at 06:07, David Crayford <dcrayf...@gmail.com> wrote:
> 
> On 18/11/2016 7:52 PM, Bigendian Smalls wrote:
>> Any Linux or unix or MacOS has sftp built in.
>> I believe only binary transfers are possible with these, you'll have to 
>> character convert separately.
>> 
>> But it'll be sufficient to test your implementation.
> 
> z/OS sftp client supports ASCII. And I believe the Co:Z sftp server that runs 
> on z/OS does too along with lots of other goodies like spool access.
> 
>>> On Nov 18, 2016, at 05:10, David Crayford <dcrayf...@gmail.com> wrote:
>>> 
>>> I've googled that for you http://www.sftp.net/clients#windows ;)
>>> 
>>> If you're seriously considering sftp check out 
>>> https://www.dovetail.com/products/sftp.html
>>> 
>>>> On 18/11/2016 6:09 PM, venkat kulkarni wrote:
>>>> Hello,
>>>> 
>>>> We are doing sftp implementation but I am not able to find way to test this
>>>> scenarios. For ftp, i can test using window cmd prompt and try transferring
>>>> files from mainframe to local system.
>>>> 
>>>> But how do I test this new sftp. Also wanted to check that if we have any
>>>> constraint on sftp that only once files can be used for sftp not the z/os
>>>> files.
>>>> 
>>>> Please help



Re: Sftp implementation

2016-11-18 Thread Bigendian Smalls
Any Linux or unix or MacOS has sftp built in. 
I believe only binary transfers are  possible with these, you'll have to 
character convert separately. 

But it'll be sufficient to test your implementation. 

> On Nov 18, 2016, at 05:10, David Crayford  wrote:
> 
> I've googled that for you http://www.sftp.net/clients#windows ;)
> 
> If you're seriously considering sftp check out 
> https://www.dovetail.com/products/sftp.html
> 
>> On 18/11/2016 6:09 PM, venkat kulkarni wrote:
>> Hello,
>> 
>> We are doing sftp implementation but I am not able to find way to test this
>> scenarios. For ftp, i can test using window cmd prompt and try transferring
>> files from mainframe to local system.
>> 
>> But how do I test this new sftp. Also wanted to check that if we have any
>> constraint on sftp that only once files can be used for sftp not the z/os
>> files.
>> 
>> Please help
>> 


Re: wget for omvs?

2016-10-14 Thread Bigendian Smalls
Rocket ported tools has curl.


> On Oct 14, 2016, at 1:36 PM, Dyck, Lionel B. (TRA)  wrote:
> 
> Is there a OMVS version of WGET?
> 
> Thanks
> 
> --
> Lionel B. Dyck (TRA Contractor)
> Mainframe Systems Programmer
> Enterprise Infrastructure Support (Station 200) (005OP6.3.10)
> VA OI&T Service Delivery & Engineering
> 


Re: Why not an IBM personal use z/OS license? (Was "Installation Improvements (was ...")

2016-10-05 Thread Bigendian Smalls
You can run z/PDT on a Linux VM in a free or cheap hypervisor (Like vmware 
fusion or virtualbox) on a small Mac or PC giving it only 1 CP and ~3G ram if 
you're the only one on it. Don't need to pay for SUSE or CentOS (both are 
supported and free). 

It works pretty well in this config if all you're doing is development. Java 
requires a little more horsepower but is still doable with cheap commodity 
hardware. 

Chad 

> On Oct 5, 2016, at 07:06, Steve  wrote:
> 
> 
> I did some looking sometime ago.  You still need a desktop, with a large 
> 64-bit processor.  Since I looked last there is a new chip that is the $1,000 
> range plus the other gear there for you are looking at a box for about 
> $2,400.  Then add SuSe 64 Enterprise Linux
> 
> The someone would have to bring up zVM and then instantiate 16 zOS guests.  
> One that is done, place the box in a co-lo facility and that could be a 
> subscriber  service at about $800 per year or so
> 
> 
> Steve Beaver
> 
> 
> 
> 
> 
> 
> -Original Message-
> From: "Ed Jaffe" 
> Sent: Tuesday, October 4, 2016 4:38pm
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Why not an IBM personal use z/OS license? (Was "Installation 
> Improvements (was ...")
> 
> 
> 
>> On 10/4/2016 12:09 PM, Charles Mills wrote:
>> That said, why is IBM so antagonistic to z/OS running on non-Z hardware?
> 
> https://www.ibm.com/partnerworld/wps/servlet/ContentHandler/pw_com_zpdt
> 
> -- 
> Edward E Jaffe
> Phoenix Software International, Inc
> 831 Parkview Drive North
> El Segundo, CA 90245
> http://www.phoenixsoftware.com/
> 


Re: Why not an IBM personal use z/OS license? (Was "Installation Improvements (was ...")

2016-10-04 Thread Bigendian Smalls
Thoughts - Charles is right on. And: 

> How can IBM know that your hardware is working correctly and they aren't 
> having to diagnose your hardware system rather than just diagnosing their 
> software, if you get what I mean?

The license would be 'as is' - no support.  And it'd be easier to just let 
people have the hypervisor (pdt) vs trying to port z/OS to x86. So no hw 
issues, just license for free a hobbyist no support z/OS + pdt, limited to X # 
CPs & memory (and no useless USB keys). 

> If IBM blesses your system, how can IBM know that you aren't running 
> production workloads without paying them the requisite license fees?

They can't. However, take Microsoft or VMware, I can get full featured versions 
of all MSFT products (server, exchange, etc) for a few hundred bucks. VMware 
too. Sometimes eval versions for free. What keeps people honest? Lawyers. Woe 
to the company using unlicensed enterprise software for real workloads. 
 
Also, with regards to "hackers" or other nation state or  
taking the software apart - I've yet to hear a compelling argument that not 
licensing the software to hobbyists or students has any relevance to this. 

- nation states can just buy or steal Z/OS and the hardware directly or second 
hand. Not stopping them. 

- hackers or other motivated individuals have only to collectively buy, beg or 
steal a copy of the OS. Or get a job somewhere that uses it, or go to a school 
that does etc. it's hardly hard to find. 

Furthermore, if any of the above found a vulnerability or 10, and used it - 
that'd get back to IBM pretty quick, who could then fix said vuln and make the 
platform safer  what's the issue again?  

That's the model used by more or less every single software company today. If 
that's not crazy enough, many now *pay* people to take their software apart and 
find bugs. Wow! It would seem IBM - Z is behind the times here. 

Interestingly IBM supports and promoted big bounties in other non-Z areas. 
Apparently differences of opinion. 

Ok end rant. 

Chad

> 
>> On 10/04/2016 03:09 PM, Charles Mills wrote:
>> IMO, FWIW  IBM is *very* supportive of those of us who make money 
>> developing software. The pricing at the Dallas Innovation Center cannot be a 
>> huge profit center for IBM. IBM is about to host a software vendor meeting 
>> (how much can I say without violating the NDA?) that has to cost IBM a heck 
>> a lot more than the nominal attendance fee. IBM gives my employer a 
>> "software vendor advocate." I can go to him with any problem (well, any 
>> problem that might be in IBM's court) and while he probably does not know 
>> the answer (unless it is a GRS or RSM question) he probably knows someone 
>> who knows who knows the answer. We pay nothing for his time.
>> 
>> That said, why is IBM so antagonistic to z/OS running on non-Z hardware? I 
>> of course don't know (and doubt our advocate would get us an answer!) but 
>> perhaps they fear opening the floodgates? If z/OS on Hercules, then legally 
>> why not z/OS on a Brand X mainframe? Still makes no sense to me, but IBM 
>> employs people who know more and spend more time on this subject than I.
>> 
>> Charles
>> 
> 


EMC VMAX zero days found

2016-10-04 Thread Bigendian Smalls
Not necessarily IBM specific, but probably of interest to some.

http://www.cio.com/article/3126816/dell-emc-patches-critical-flaws-in-vmax-enterprise-storage-systems.html

http://arstechnica.com/security/2016/10/security-company-finds-five-zero-day-flaws-in-emc-management-console/

http://www.itnews.com.au/news/zero-days-discovered-in-emc-vmax-products-438629

Looks nasty.

Chad






Re: IBM Knowledge Centre

2016-07-01 Thread Bigendian Smalls
While we are piling on, I agree - it’s pretty miserable (and still full of 
broken links). The only reasonable way to find anything these days is 
searching one at a time (which works fairly well) but I miss the tree-driven 
system, and generally revert to the PDFs now constantly.

Chad


> On Jul 1, 2016, at 7:41 AM, Staller, Allan  
> wrote:
> 
> Agreed!
> 
> 
> 
> To me, the KC is a big pile of steamy stuff, and isn't fit for purpose. I'm 
> spending more time searching for the documentation than actually using it!
> 




Re: z/OS OpenSSL, SelfSigned Certs, etc

2016-06-22 Thread Bigendian Smalls
Most platforms (Windows, zOS, Linux, OSX) allow for deletion of pre-included 
root certs, if the user has the right authority to do so.

Browsers that package them (Mostly FFox) can be modified, others use the OS 
version (IE, Safari) - for which the above applies.

For  custom products which use Certs, well that just depends :)

Charles wrote:
> , that the security is 100% in your hands
^— agreed.  The only rub to this is if companies are not prepared to do proper 
key management and security, could make things worse, but I firmly agree with 
your assertion.


Rob wrote:
> There are ways that another well known CA can sign a cert that you can then
> use as a CA for signing / issuing certs... which may be helpful for
> business to business transactions / connections.

As far as I know, the only thing Root CAs (assuming that’s what you mean by 
“well known”) can do is issue you an Intermediate Certificate Authority, which 
is non-trivial, very expensive and not easily obtained.  Simply because, once 
issued, the intermediate cert allows you the full signing authority of the Root 
CA - meaning you could use that to go rogue, generate your own 
bankinyourtown.com or whatever.  The current x.509 / 
cert system doesn’t delegate well outside the thoroughly “Vetted”.  Am I 
missing your point or some other option?

> And Verisign has a mountain bunker and dedicated staff to keeping their
> roots safe.

Certainly they do - as the granddaddy of them all.  It’s the other lesser ones 
that have had issues in the past, or give me pause.

> And it helps some that they have active CRLs and OCSP responders.

True - but again, this is strictly OPT-in.   If the client doesn’t check, or 
some bad guy blocks the checks, those are more or less useless.  Having the 
onus of actively checking for revocation be on the client is another huge 
shortcoming of the existing system.   Certificate pinning makes this far more 
palatable, as the client would refuse to connect to all but the certificate 
that it knows.  This is done on the web by HPKP or in apps in various ways.

> The trust issue is just a trust issue.  No more no less.   Really no
> different than trusting a local pharmacy.

Amen.

> There is blockchain PKI.  I just started investigating various blockchain
> related technology.  But it may be a way to be less dependent on
> centralized authorities.

This could very well be a great way to solve the problem - I’d like to read 
more about that.

Chad

On Jun 22, 2016, at 11:07 AM, Charles Mills <charl...@mcn.org> wrote:

Thanks! Agreed.

Well, agreed pretty much. Is it the "powers of the Internet" that have blessed 
these 168 (wow! I didn't realize that many!) CAs or the various browser and OS 
publishers? There is no ICANN or similar list of trusted CAs, right -- just 
whatever your browser, OS or ESM ships?

Any customer is free (correct me if I am wrong) to delete one or more of these 
"trusted" root authorities, right? Admittedly the process may be obscure and 
difficult to manage in an era of BYOD.

I kind of got stomped on a couple of weeks ago when I made the assertion you 
make in your last paragraph, but I still agree. There is nothing magic about 
Verisign, as much as their advertising would like to make you think there is. 
If your sole need is internal -- if you are not, for example, talking about 
"public" browsers connecting to an external Web site -- then there is no reason 
not to go with an in-house CA. As you say, you can even make the argument that 
it is MORE secure, or at least, that the security is 100% in your hands.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Bigendian Smalls
Sent: Wednesday, June 22, 2016 8:46 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OS OpenSSL, SelfSigned Certs, etc

Well said Charles! Slightly OT - It’s also worth noting that while the 
powers of the internet have seen fit to bless
the likes of Verisign and GoDaddy as “trusted”  they’ve also blessed quite a 
few others with more dubious
roots.   The latest revision of Firefox, for example, has 168 unique trusted 
root CAs (many which have roots, etc)
Examples such as these (from Mozilla):

 *   Hong Kong Post Office
 *   China Internet Network Information Center
 *   Amazon

Any one of which could issue a cert for your site and every browser with some 
exceptions (HSTS, HPKP, etc)

Ultimately it’s up to the individual browsers/OS’s to decide which CA’s they’ll 
include.  But, for internal use (and even some customer use) a properly built 
private CA (yes that’s self-signed) is as good or better, as
you know the origin and can manage the keys properly.   Assuming you don’t need 
the general public to
get a happy green bar + Lock on their browser, this is often a great way to go, 
assuming you manage it properly.
And, depending on your needs (e.g. 

Re: z/OS OpenSSL, SelfSigned Certs, etc

2016-06-22 Thread Bigendian Smalls
Well said Charles! Slightly OT - It’s also worth noting that while the 
powers of the internet have seen fit to bless
the likes of Verisign and GoDaddy as “trusted”  they’ve also blessed quite a 
few others with more dubious
roots.   The latest revision of Firefox, for example, has 168 unique trusted 
root CAs (many which have roots, etc)
Examples such as these (from Mozilla):

  *   Hong Kong Post Office
  *   China Internet Network Information Center
  *   Amazon

Any one of which could issue a cert for your site and every browser with some 
exceptions (HSTS, HPKP, etc)

Ultimately it’s up to the individual browsers/OS’s to decide which CA’s they’ll 
include.  But, for internal use
(and even some customer use) a properly built private CA (yes that’s 
self-signed) is as good or better, as
you know the origin and can manage the keys properly.   Assuming you don’t need 
the general public to
get a happy green bar + Lock on their browser, this is often a great way to go, 
assuming you manage it properly.
And, depending on your needs (e.g. not wanting anyone to be able to spoof you) 
it might even be better.

Chad




On Jun 22, 2016, at 10:17 AM, Charles Mills <charl...@mcn.org> wrote:

Right.

This is the confusion on what self-signed means. "Properly" (to be a pedant)
self-signed means the certificate is at the head (or bottom, if you will) of
the chain. It attests to its own validity; it signs itself; it is not signed
by some other certificate -- self-signed does NOT mean that it is signed by
you yourselves as opposed to some "known and trusted" authority.

There is no way you can become a "known and trusted authority" unless you
want to go to the trouble of competing with Verisign and GoDaddy and become
a known and trusted authority.

OpenSSL (and other tools presumably) can create a self-signed certificate.
They can create a chain of certificates signed by your in-house authority.
But no tool can make you into Verisign or GoDaddy. No tool can make you
known and trusted.

Verisign and GoDaddy are known and trusted simply because they are known and
trusted. There is nothing in the TLS protocol that makes them any different
from your in-house authority, or for that matter, a private little root
certificate that you create on your desktop.

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Gord Tomlin
Sent: Wednesday, June 22, 2016 7:17 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OS OpenSSL, SelfSigned Certs, etc

On 2016-06-22 10:01, Donald J. wrote (snipped):
With the recent
talk about negative aspects of using self signed certs, I attempted to
see if that OpenSSL could be used to generate a root certificate and a
user cert chained to that root cert.

This appears to me to just build a "son of a self-signed certificate", since
your root certificate will not be a known and trusted certificate.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
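
The points made in this thread, as an added example that is not from any poster: OpenSSL builds a self-signed root and a certificate chained to it, the chain verifies only against a store that holds that root, and a pinned public key rejects a validly chained certificate for the same name issued under another root. The CA names, the host name app.internal.example and the file layout are constructed.

```shell
#!/bin/sh
# Added illustration; every name below (CA names, app.internal.example) is constructed.
set -eu

# Minimal config so the run does not depend on the system openssl.cnf.
write_config() {                       # $1 = output path
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:app.internal.example
EOF
}

# Self-signed root: subject == issuer, signed with its own key.
make_root() {                          # $1 = dir, $2 = file stem, $3 = subject CN
  openssl req -x509 -config "$1/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.crt" \
    -subj "/CN=$3" -days 30 2>/dev/null
}

# New key pair plus a signing request for the host name.
make_csr() {                           # $1 = dir, $2 = file stem
  openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" \
    -subj "/CN=app.internal.example" 2>/dev/null
}

# Leaf certificate chained to the named root.
issue() {                              # $1 = dir, $2 = CA stem, $3 = CSR/cert stem
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -out "$1/$3.crt" -days 30 \
    -extfile "$1/openssl.cnf" -extensions v3_leaf 2>/dev/null
}

# True only if the certificate chains to a root in the given trust file.
trusted_by() {                         # $1 = trust file (PEM roots), $2 = cert
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# base64(SHA-256(SubjectPublicKeyInfo)): the value an HPKP-style pin stores.
spki_pin() {                           # $1 = cert
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary | openssl base64
}

yesno() { if "$@"; then echo yes; else echo no; fi; }

demo() {
  d=$(mktemp -d)
  write_config "$d/openssl.cnf"
  make_root "$d" inhouse "Example In-House Root CA"
  make_root "$d" other   "Example Other Root CA"         # any other root a store ships
  make_csr "$d" app;       issue "$d" inhouse app        # the real service
  make_csr "$d" lookalike; issue "$d" other   lookalike  # same name, other CA and key
  cat "$d/inhouse.crt" "$d/other.crt" > "$d/bundle.pem"  # store trusting both roots
  pinned=$(spki_pin "$d/app.crt")                        # what a pinning client keeps

  echo "app_trusted_by_inhouse=$(yesno trusted_by "$d/inhouse.crt" "$d/app.crt")"
  echo "app_trusted_by_other_only=$(yesno trusted_by "$d/other.crt" "$d/app.crt")"
  echo "lookalike_trusted_by_bundle=$(yesno trusted_by "$d/bundle.pem" "$d/lookalike.crt")"
  echo "lookalike_matches_pin=$(yesno [ "$(spki_pin "$d/lookalike.crt")" = "$pinned" ])"
  echo "app_matches_pin=$(yesno [ "$(spki_pin "$d/app.crt")" = "$pinned" ])"
  rm -rf "$d"
}

demo
```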


Re: Mirror/back up your Development DASD

2016-05-19 Thread Bigendian Smalls
In general .. 

Mirroring is a recovery technology for infrastructure - should you lose 
hardware / geographic incident, etc. -  If you have any data corruption 
(intentional or otherwise) - Mirroring just makes it worse..  If you’re serious 
about having a development environment (Most shops are - Production fixes, 
round the clock development, etc) you have to treat it as good as you would 
production.

Backups are for putting the pieces back in the event of inadvertent (or 
intentional) corruption / deletion / modification of something.  You need both 
- if your environment is important to you.

Sell it like this - Suppose you have a major development outage - what’s that 
costing you in lost productivity by the dev staff?   What if you had a 
production issue during that outage - is your source code available?   Could you 
apply / test a fix?   

Lastly - how long would it take to rebuild / buy a new development environment 
if you had a major issue.  Could you be down that long?  I suspect not, if you 
are like most places.

At a minimum you should back up and offsite your source code repos - any IP you 
cannot easily replace.

My .02

Chad




> On May 19, 2016, at 9:02 AM, White, Andy  wrote:
> 
> Hi people - For companies that mirror their mainframe DASD via XRC, SRDF, how 
> many of them back up the development DASD?
> 
> Currently, we mirror all production but don't mirror the development DASD we 
> back most via VTS but I am pushing or trying that we back up all DASD. My 
> thoughts about this are the development cycles and releases have a lot of 
> time and money invested if it lost this work, how much is this worth?
> 
> Anyway, if you are mirroring your development how did you "sell" it to your 
> management? If you're not why not?
> 
> Thanks
> Andy
> 
> 
> 


Re: IBM secure z/OS software delivery: Don't get locked out!

2016-05-11 Thread Bigendian Smalls
>  However, you will be able to use HTTPS. 

Kurt - that hasn’t been my experience on z/OS 2.1.   Without Sec Lvl 3 
(JCPT411) the test SMP/E download job fails - captures show that it cannot 
negotiate a common cipher suite with the server - and fails right after the 
Client Hello - as I’d expect with the limited Cipher Suite.  Unless I’m missing 
something?

Regards,

Chad



> On May 6, 2016, at 4:18 PM, Kurt Quackenbush  wrote:
> 
> On 5/6/2016 10:35 AM, vern wrote:
>> All the doc's I can find seem to be pertinent to zOS 2.1 or 2.2 .
>> We're still running 1.13, can we get the secure retrieval working on that ?
> 
> If you don't have z/OS Security Level 3, then you won't be able to use FTPS 
> to download IBM products and PTFs.  However, you will be able to use HTTPS.  
> Read about how to setup and use that here (watch the wrap):
> http://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.gim3000/dsetups.htm
> 
> Kurt Quackenbush -- IBM, SMP/E Development
> 


Re: Passable April Fool's joke

2016-04-01 Thread Bigendian Smalls
My favorite, along this line, was taking a screenshot of the users desktop and 
replacing their wallpaper with this, then hiding the desktop icons.  The gift 
that keeps giving. 

Chad. 



> On Apr 1, 2016, at 11:10 AM, Pommier, Rex  wrote:
> 
> Hmm, mine works on a screen-by-screen basis.  So if you have one upside down, 
> just click somewhere in that screen and flip it right.
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Nims,Alva John (Al)
> Sent: Friday, April 01, 2016 8:35 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Passable April Foll's joke
> 
> I DO NOT recommend doing so on a Multi-Screen system or Multi-Screen Windows 
> 7, because at the moment, one screen is back to being right side up, but the 
> other is still UPSIDE DOWN!
> Yes, I did it to myself, before I attempt to do it to someone else, guess 
> what I WON'T be doing today!  :-)
> 
> Al Nims
> Systems Admin/Programmer 3
> UFIT
> University of Florida
> (352) 273-1298
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Scott Ford
> Sent: Friday, April 01, 2016 8:41 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Passable April Foll's joke
> 
> Brian,
> 
> 
> Very very funny my friend...
> 
> Throws people for a serious curve 
> 
> Scott
> 
> On Friday, April 1, 2016, Brian Westerman 
> wrote:
> 
>> This is one I do every year to as many people as I can.  I think it 
>> works on all windows PCs.
>> 
>> I wait till they are not looking and press the combination of
>> CTRL+ALT+downarrow  It inverts their screen.
>> 
>> Try to walk away as quickly as possible without drawing attention to 
>> yourself.  A lot of people don't realize what happened and they can't 
>> coordinate working upside down to do a web search to see how to set it 
>> back to right-side up.
>> 
>> It helps if you know how to reset it back in case you can't get away 
>> fast enough.
>> 
>> Brian
>> 


Re: OT but hopefully amusing - FBI, iPhone and water

2016-03-29 Thread Bigendian Smalls
That’s a satire piece, but I’m sure you knew that :)

The NAND chip replacement avenue, as far as I’ve heard, is not the route 
they’re going with this - it’s a software exploit from all I have seen.

Chad

> On Mar 29, 2016, at 12:11 PM, Roach, Dennis  wrote:


> 
> Has anyone verified this? The scuttlebutt was that they were going to remove 
> the chip, copy it to a backup, clone several, and brute force them. If so, 
> they should still have the backup and be able to do it again.
> 
> Dennis Roach, CISSP, PMP
> IAM Access Administration - Consumer - Senior Analyst 
> 2929 Allen Parkway, America Building, 3rd Floor, Houston, TX 77019
> Work:  713-831-8799
> Cell:  713-591-1059
> Email:  dennis.ro...@aig.com 
> 
> All opinions expressed by me are mine and may not agree with my employer or 
> any person, company, or thing, living or dead, on or near this or any other 
> planet, moon, asteroid, or other spatial object, natural or manufactured, 
> since the beginning of time.
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Charles Mills
> Sent: Tuesday, March 29, 2016 10:32 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: OT but hopefully amusing - FBI, iPhone and water
> 
> http://www.newyorker.com/humor/borowitz-report/unlocked-iphone-worthless-after-f-b-i-spills-glass-of-water-on-it
> 
> Charles 
> 


Re: Unix System Services question

2016-03-21 Thread Bigendian Smalls
Check out the zfsadm command for info on the volume. It's likely a mount point 
at /usr.  

https://www.ibm.com/support/knowledgecenter/#!/SSLTBW_2.1.0/com.ibm.zos.v2r1.ioea700/ioea7zcmd1008032.htm

Chad 

> On Mar 21, 2016, at 4:41 PM, Scott Ford  wrote:
> 
> All,
> 
> How do I find the volume where '/usr/local/' lives?
> I think it might be ZFS, but how can I tell, and how do I increase the
> filesystem where it lives?
> 
> Scott
> Idmworks
> 


Re: gist.github.com unreachable [was: RE: rexx and tso alllocate]

2016-03-07 Thread Bigendian Smalls
> 
> How much malware is there on github? The only malware I'm aware of is the 
> stuff security companies throw up for scrutiny.

No idea. How much is too much if you get hit by, say some type of ransomware?

http://thenextweb.com/insider/2013/02/07/criminals-push-ransomware-hosted-on-github-and-sourceforge-pages-by-spamming-fake-nude-pics-of-celebrities/#gref

> I can understand licensing concerns but blocking github is rather silly IMO. 
> It's mostly viewed and not installed and only
> sysadmins should be able to install software anyway, especially on mainframe 
> systems where there are far greater levels of security.

Agreed only administrators should install software.  Most malware only takes 
hold (at least in Windows) when running as an admin anyway.  So, that would 
seem not a great control.  In my experience the admins are as guilty of this as 
anyone - perhaps some overconfidence.  

http://www.tomsguide.com/us/standard-accounts-stop-malware,news-18326.html

I think it's a good idea, especially in a large company, but perhaps even small 
ones, to tightly control where the software comes from. Could be an innocuous 
email link on some admin's email that uses github as the back end repository for 
a malware drop, for instance. 

Chad 



Re: Alleged mainframe breach to add to the list

2016-03-05 Thread Bigendian Smalls
It was an AS400 according to the full report


Behind the scenes, KWC was a likely candidate for a data breach. Its 
internet-facing perimeter showed several high-risk vulnerabilities often seen 
being exploited in the wild. The OT end of the water district relied heavily on 
antiquated computer systems running operating systems from ten-plus years ago. 
Even more concerning, many critical IT and OT functions ran on a single AS400 
system. KWC referred to this AS400 system as its "SCADA platform." This system 
functioned as a router with direct connections into several networks, ran the 
water district’s valve and flow control application that was responsible for 
manipulating hundreds of Programmable Logic Controllers (PLCs), housed customer 
PII and associated billing information, as well as KWC’s financials. Moreover, 
only a single employee was capable of administering it. If a data breach were 
to occur at KWC, this SCADA platform would be the first place to look.





On Mar 5, 2016, at 5:47 PM, Phil Smith <p...@voltage.com> wrote:

http://www.networkworld.com/article/3040575/security/rsa-verizon-details-data-breaches-from-pirates-to-pwned-water-district.html

Not sure I believe this was a "mainframe"; I mean, not impossible, but it seems 
unlikely that anyone controls SCADA systems using z/anything. More likely it 
was NonStop or something else is my guess. But that's only a guess...

...phsiii



Re: gist.github.com unreachable [was: RE: rexx and tso alllocate]

2016-03-04 Thread Bigendian Smalls
:) indeed!

> On Mar 4, 2016, at 11:34 AM, Leonardo Vaz  wrote:
> 
> You may be right; I would agree with a policy like that if GitHub was a 
> shareware site where users would download executables, like tucows for 
> instance. I might be wrong, but in my experience GitHub is mainly a source 
> and information repository, not something that users would install on their 
> computers before compiling first.
> 
> Anyway, I'm glad I don't have to comply with such policies :)
> 
> Leo
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Bigendian Smalls
> Sent: Friday, March 04, 2016 12:00 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: gist.github.com unreachable [was: RE: rexx and tso alllocate]
> 
>> On Mar 4, 2016, at 10:46 AM, Leonardo Vaz  wrote:
>> 
>> You could be right, it might just be unintentional blocking.
>> 
>> I would certainly prefer this version vs intentional blocking since 
>> the latter is pretty much security by obscurity (as long as you don't 
>> know the code you can't do harm...)
>> 
>> Leo
> Respectfully, this is not security by obscurity. Companies who block, say 
> GitHub, intentionally as a site which contains untrusted downloads, are not 
> pretending github - or the code therein - doesn't exist.  
> 
> They're throwing up a roadblock, which is likely backed by a policy.  It's 
> almost always possible to circumvent these things for a determined employee - 
> but that isn't the point. It's meant to remind the employees (and stop the 
> ones who aren't determined to violate the policy) that downloading or 
> installing software (or potentially uploading company intellectual property) 
> is a no-no.  
> 
> The security part comes by taking away rights in Windows, for example, that 
> allow users to install new software.  None of the above is foolproof, but 
> that doesn't mean they shouldn't layer it on as another security control - if 
> that's what the company has decided fits their risk appetite.  
> 
> Chad 
> 
>> -Original Message-
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
>> On Behalf Of John McKown
>> Sent: Friday, March 04, 2016 11:23 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: gist.github.com unreachable [was: RE: rexx and tso 
>> alllocate]
>> 
>>> On Fri, Mar 4, 2016 at 10:16 AM, Leonardo Vaz  wrote:
>>> 
>>> That's not a private IP address on his LAN, it is the gist.github.com 
>>> IP address.
>> 
>> Correct. But if the LAN authorities think, as he did, that 
>> 192.0.0.0/8 is all private, instead of just 192.168.0.0/16, then their 
>> routing tables may be set up to not forward 192.30.252.141 to the 
>> outside world, but route the entire 192.0.0.0/8 to the inside only. 
>> Which would time out. As it did.
>> 
>> 
>> 
>>> 
>>> -Original Message-
>>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
>>> On Behalf Of John McKown
>>> Sent: Friday, March 04, 2016 11:13 AM
>>> To: IBM-MAIN@LISTSERV.UA.EDU
>>> Subject: Re: gist.github.com unreachable [was: RE: rexx and tso 
>>> alllocate]
>>> 
>>> On Fri, Mar 4, 2016 at 9:50 AM, Farley, Peter x23353 < 
>>> peter.far...@broadridge.com> wrote:
>>> 
>>>> You aren't the only one Steve.  From my employer's network I can't 
>>>> reach gist.github.com at all, even just the main site never mind 
>>>> John's
>>> area.
>>>> Trying a tracert to gist.github.com only gets timeouts:
>>>> 
>>>> Tracing route to gist.github.com [192.30.252.141] over a maximum of
>>>> 30
>>>> hops:
>>>> 
>>>> 1 *** Request timed out.
>>>> Etc.
>>>> 
>>>> That DNS address (192.30.252.141) looks odd to me.  I thought
>>>> 192.*.*.* was reserved for private local networks, or is that only
>>> 192.168.*.*?
>>> 
>>> the private IPv4 address ranges are: 10.0.0.0/8, 172.16.0.0/12, and
>>> 192.168.0.0/16 ref: https://en.wikipedia.org/wiki/Private_network
>>> 
>>> I'll almost bet your LAN people are laboring under the same delusion.
>>> 
>>> 
>>>> 
>>>> I can reach gist from home though, maybe you can as well.
>>>> 
>>>> Peter
>>> 
>>> 
>>> --
>>> A fail-safe circu

Re: gist.github.com unreachable [was: RE: rexx and tso alllocate]

2016-03-04 Thread Bigendian Smalls
On Mar 4, 2016, at 10:46 AM, Leonardo Vaz  wrote:
> 
> You could be right, it might just be unintentional blocking.
> 
> I would certainly prefer this version vs intentional blocking since the latter 
> is pretty much security by obscurity (as long as you don't know the code you 
> can't do harm...)
> 
> Leo
Respectfully, this is not security by obscurity. Companies who block, say 
GitHub, intentionally as a site which contains untrusted downloads, are not 
pretending github - or the code therein - doesn't exist.  

They're throwing up a roadblock, which is likely backed by a policy.  It's 
almost always possible to circumvent these things for a determined employee - 
but that isn't the point. It's meant to remind the employees (and stop the ones 
who aren't determined to violate the policy) that downloading or installing 
software (or potentially uploading company intellectual property) is a no-no.  

The security part comes by taking away rights in Windows, for example, that 
allow users to install new software.  None of the above is foolproof, but that 
doesn't mean they shouldn't layer it on as another security control - if that's 
what the company has decided fits their risk appetite.  

Chad 

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of John McKown
> Sent: Friday, March 04, 2016 11:23 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: gist.github.com unreachable [was: RE: rexx and tso alllocate]
> 
>> On Fri, Mar 4, 2016 at 10:16 AM, Leonardo Vaz  wrote:
>> 
>> That's not a private IP address on his LAN, it is the gist.github.com 
>> IP address.
> 
> Correct. But if the LAN authorities think, as he did, that 192.0.0.0/8 is 
> all private, instead of just 192.168.0.0/16, then their routing tables may be 
> set up to not forward 192.30.252.141 to the outside world, but route the 
> entire 192.0.0.0/8 to the inside only. Which would time out. As it did.
> 
> 
> 
>> 
>> -Original Message-
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
>> On Behalf Of John McKown
>> Sent: Friday, March 04, 2016 11:13 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: gist.github.com unreachable [was: RE: rexx and tso 
>> alllocate]
>> 
>> On Fri, Mar 4, 2016 at 9:50 AM, Farley, Peter x23353 < 
>> peter.far...@broadridge.com> wrote:
>> 
>>> You aren't the only one Steve.  From my employer's network I can't 
>>> reach gist.github.com at all, even just the main site never mind 
>>> John's
>> area.
>>> Trying a tracert to gist.github.com only gets timeouts:
>>> 
>>> Tracing route to gist.github.com [192.30.252.141] over a maximum of 
>>> 30
>>> hops:
>>> 
>>>  1 *** Request timed out.
>>> Etc.
>>> 
>>> That DNS address (192.30.252.141) looks odd to me.  I thought
>>> 192.*.*.* was reserved for private local networks, or is that only
>> 192.168.*.*?
>> 
>> the private IPv4 address ranges are: 10.0.0.0/8, 172.16.0.0/12, and
>> 192.168.0.0/16 ref: https://en.wikipedia.org/wiki/Private_network
>> 
>> I'll almost bet your LAN people are laboring under the same delusion.
>> 
>> 
>>> 
>>> I can reach gist from home though, maybe you can as well.
>>> 
>>> Peter
>> 
>> 
>> --
>> A fail-safe circuit will destroy others. -- Klipstein
>> 
>> Maranatha! <><
>> John McKown
>> 
> 
> 
> 
> --
> A fail-safe circuit will destroy others. -- Klipstein
> 
> Maranatha! <><
> John McKown
> 


Re: gist.github.com unreachable [was: RE: rexx and tso alllocate]

2016-03-04 Thread Bigendian Smalls
> 192 prefixed IP addresses are class C addresses 
> https://en.wikipedia.org/wiki/Classful_network.
That's a deprecated term. Since the introduction of CIDR addresses there 
really aren't classes of addresses anymore.  The only special 192.x.x.x 
addresses are the private space as has been mentioned. 

> It's a bit disconcerting that github is being blocked because IBM (and the 
> company I work for) are using github to ship code and add-ons for our 
> products. All the new Liberty server goodies from IBM are staged in github 
> repositories.
> I don't understand why a company would block a site that hosts source code 
> repositories. Has there been a major security issue browsing github that 
> compromises clients?
> 

Companies are restricting sites where people can download and then presumably 
install software.  Obviously there are many small sites that allow this, but 
GitHub and some others are huge and only provide this service. So they are low 
hanging fruit.  

Unauthorized installing of software is a huge malware installation vector and 
it can also have licensing issues for the company. So usually it's a no-no at 
bigger companies.  

Chad 


>> I can reach gist from home though, maybe you can as well.
>> 
>> Peter
>> 
>> -Original Message-
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
>> Behalf Of Steve Coalbran
>> Sent: Friday, March 04, 2016 5:56 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: rexx and tso alllocate
>> 
>> Hi Lizette - this site gets forbidden for me (I work for Nordea bank now - 
>> no longer IBM - more restrictive)
>> Could you possibly be so kind as to send me this code :-D to 
>> coalb...@hotmail.com ?
>> /Steve
>>  
>>> Date: Thu, 3 Mar 2016 10:27:28 -0700
>>> From: stars...@mindspring.com
>>> Subject: Re: rexx and tso alllocate
>>> To: IBM-MAIN@LISTSERV.UA.EDU
>>> 
>>> Have you tried under TSO BATCH with or without ISPF libraries (and I am 
>>> thinking the ISF libraries may need to be included in the JCL).
>>> 
>>> Lizette
>>> 
>>> 
>>> -Original Message-
>>>> From: "Barkow, Eileen" 
>>>> Sent: Mar 3, 2016 9:26 AM
>>>> To: IBM-MAIN@LISTSERV.UA.EDU
>>>> Subject: Re: rexx and tso alllocate
>>>> 
>>>> I am currently converting some SDSF BATCH routines to SDSF  REXX and I am 
>>>> finding that things do not always work the same when
>>>> invoking the clist from ISPF 1.6 and invoking it  from batch with IRXJCL.
>>>> option  1.6 runs under TSO/E and IRXJCL does not.
>>>> so far, I have encountered differences with the ISFOWNER settings, putting 
>>>> quotes on datasetnames used for ISFPRTDSNAME,
>>>> and the use of the TSO/E SYSDSN routine is not allowed with IRXJCL.
>>>> 
>>>> -Original Message-
>>>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
>>>> Behalf Of Lizette Koehler
>>>> Sent: Thursday, March 03, 2016 11:09 AM
>>>> To: IBM-MAIN@LISTSERV.UA.EDU
>>>> Subject: Re: rexx and tso alllocate
>>>> 
>>>> If you search on JES2DISK by John McKown,
>>>> https://gist.github.com/JohnArchieMckown/b27747d0c4750a258997
>>>> 
>>>> This is a very nice example of extracting from SPOOL to DASD or other.
>>>> 
>>>> Lizette


Re: gist.github.com unreachable [was: RE: rexx and tso alllocate]

2016-03-04 Thread Bigendian Smalls
192.168.0.0/16 is the private address space. This IP is outside that.  

Were I a betting man, I'd say many employers block some or all GitHub as a 
security risk because of the possibility of people downloading malicious code. 


> On Mar 4, 2016, at 9:50 AM, Farley, Peter x23353 
>  wrote:
> 
> You aren't the only one Steve.  From my employer's network I can't reach 
> gist.github.com at all, even just the main site never mind John's area.  
> Trying a tracert to gist.github.com only gets timeouts:
> 
> Tracing route to gist.github.com [192.30.252.141]
> over a maximum of 30 hops:
> 
>  1 *** Request timed out.
> Etc.
> 
> That DNS address (192.30.252.141) looks odd to me.  I thought 192.*.*.* was 
> reserved for private local networks, or is that only 192.168.*.*?
> 
> I can reach gist from home though, maybe you can as well.
> 
> Peter
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Steve Coalbran
> Sent: Friday, March 04, 2016 5:56 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: rexx and tso alllocate
> 
> Hi Lizette - this site gets forbidden for me (I work for Nordea bank now - no 
> longer IBM - more restrictive)
> Could you possibly be so kind as to send me this code :-D to 
> coalb...@hotmail.com ?
> /Steve
> 
> 
> 
>> Date: Thu, 3 Mar 2016 10:27:28 -0700
>> From: stars...@mindspring.com
>> Subject: Re: rexx and tso alllocate
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> 
>> Have you tried under TSO BATCH with or without ISPF libraries (and I am 
>> thinking the ISF libraries may need to be included in the JCL).
>> 
>> Lizette
>> 
>> 
>> -Original Message-
>>> From: "Barkow, Eileen" 
>>> Sent: Mar 3, 2016 9:26 AM
>>> To: IBM-MAIN@LISTSERV.UA.EDU
>>> Subject: Re: rexx and tso alllocate
>>> 
>>> I am currently converting some SDSF BATCH routines to SDSF  REXX and I am 
>>> finding that things do not always work the same when
>>> invoking the clist from ISPF 1.6 and invoking it  from batch with IRXJCL.
>>> option  1.6 runs under TSO/E and IRXJCL does not.
>>> so far, I have encountered differences with the ISFOWNER settings, putting 
>>> quotes on datasetnames used for ISFPRTDSNAME,
>>> and the use of the TSO/E SYSDSN routine is not allowed with IRXJCL.
>>> 
>>> -Original Message-
>>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
>>> Behalf Of Lizette Koehler
>>> Sent: Thursday, March 03, 2016 11:09 AM
>>> To: IBM-MAIN@LISTSERV.UA.EDU
>>> Subject: Re: rexx and tso alllocate
>>> 
>>> If you search on JES2DISK by John McKown,
>>> https://gist.github.com/JohnArchieMckown/b27747d0c4750a258997
>>> 
>>> This is a very nice example of extracting from SPOOL to DASD or other.
>>> 
>>> Lizette
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
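
The 192.0.0.0/8 versus 192.168.0.0/16 confusion discussed in this thread, as an added example that is not part of any post: a Python check that takes a routing table, finds "inside-only" prefixes that swallow public address space, and shows which route a destination such as 192.30.252.141 would actually take. The routing table, next-hop names and function names are constructed for illustration.

```python
import ipaddress

# The three private IPv4 ranges quoted in the thread (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed routing table with hypothetical next-hop names. The last entry
# is the mistake discussed in the thread: all of 192/8 treated as private.
ROUTES = [
    ("0.0.0.0/0", "internet-gw"),
    ("10.0.0.0/8", "inside"),
    ("172.16.0.0/12", "inside"),
    ("192.0.0.0/8", "inside"),
]


def is_rfc1918(addr):
    """True if addr falls inside one of the three private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def public_remainder(prefix):
    """Return the parts of prefix that are not RFC 1918 space."""
    remaining = [ipaddress.ip_network(prefix)]
    for priv in RFC1918:
        kept = []
        for net in remaining:
            if net.subnet_of(priv):
                continue                      # wholly private: nothing leaks
            if priv.subnet_of(net):
                # Carve the private block out, keep everything around it.
                kept.extend(net.address_exclude(priv))
            else:
                kept.append(net)              # disjoint: unchanged
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def lookup(routes, dest):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    ip = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in routes
            if ip in ipaddress.ip_network(p)]
    if not hits:
        return None
    net, hop = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), hop


def audit(routes, inside_hop="inside"):
    """Flag inside-only routes that also capture public address space."""
    findings = []
    for prefix, hop in routes:
        if hop != inside_hop:
            continue
        leak = public_remainder(prefix)
        if leak:
            findings.append({
                "prefix": prefix,
                "public_addresses": sum(n.num_addresses for n in leak),
                "public_blocks": [str(n) for n in leak],
            })
    return findings


if __name__ == "__main__":
    dest = "192.30.252.141"   # the gist.github.com address from the tracert
    print(dest, "private?", is_rfc1918(dest), "route:", lookup(ROUTES, dest))
    for f in audit(ROUTES):
        print("over-broad inside route", f["prefix"], "captures",
              f["public_addresses"], "public addresses")
```
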


Re: Introducing Open Blockchain for IBM z Systems

2016-02-25 Thread Bigendian Smalls
Fantastic thank you.  

> On Feb 25, 2016, at 3:36 AM, Timothy Sipples  wrote:
> 
> Yes, take a look here for source code (with more to come, including as I
> understand it more details on building on z):
> 
> https://github.com/IBM-Blockchain
> https://github.com/openblockchain
> 
> Although optional, IBM would very much like to stay in touch with those
> working with Blockchain on z. Please visit this page:
> 
> http://www.ibm.com/blockchain/z.html
> 
> and click on "Contact an expert" to get in that loop.
> 
> 
> Timothy Sipples
> IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
> E-Mail: sipp...@sg.ibm.com
> 


Re: Introducing Open Blockchain for IBM z Systems

2016-02-24 Thread Bigendian Smalls
Hey Timothy - 

I’ve read quite a bit on blockchain - and agree it could be very game changing 
for certain types of applications.

It was stated elsewhere that IBM’s implementation (along with their corporate 
and Linux partners) would be open source.  Is it available yet?

Cheers

Chad




> On Feb 18, 2016, at 1:38 AM, Timothy Sipples  wrote:
> 
> I haven't seen anybody mention Open Blockchain public ledger technologies
> on IBM z Systems yet in this forum, so I'd just like to draw your attention
> to them and raise some awareness in this community. Here is some background
> reading:
> 
> http://www.ibm.com/blockchain/z.html
> http://www.ibmsystemsmag.com/mainframe/trends/IBM-Announcements/z-Systems_LinuxONE_Blockchain/
> 
> Here's a YouTube video illustrating some use cases:
> 
> https://youtu.be/EqZr4LPQIWk
> 
> Here's some more background on Blockchain technologies:
> 
> http://www.ibm.com/blogs/think/2015/12/17/how-blockchain-will-transform-business-and-society/
> 
> And here is Tuesday's official IBM press release:
> 
> http://www.ibm.com/press/us/en/pressrelease/49029.wss
> 
> There's much more to come, I'm sure, but you can get started now.
> 
> 
> Timothy Sipples
> IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
> E-Mail: sipp...@sg.ibm.com
> 


Re: On sort options orignally: zfs question root growth

2016-02-20 Thread Bigendian Smalls

> It seems, but it concerns me that one can't rely on the width in the format
> specification for visual column alignment of tabular data.  "C", but not awk,
> may have additional format modifiers to make this work.  Probably even
> worse for DBCS with shift-in/shift-out sequences.
> 
>>> On Feb 20, 2016, at 7:37 PM, Paul Gilmartin  wrote:
>>> 
>>> 735 $ LC_ALL=en_US.UTF-8 awk 'BEGIN { printf( "%5s\n%5s\n12345\n", "A", "Ж" 
>>> ) }'
>>>   A
>>>  Ж
>>> 12345

The alignment for printf comes in the spec - the 5 is max width, any padding 
for alignment has to come before - such as

awk 'BEGIN { printf( "% 2s   \n%05s\n12345\n","A","#") }'
 A
#
12345

Or were you saying something else?  — But agree that C isn’t the best choice 
for tabular display / processing of record based data by any stretch.





Re: On sort options orignally: zfs question root growth

2016-02-20 Thread Bigendian Smalls
Which part of that concerns you?  Seems like expected awk & printf behavior no?

> On Feb 20, 2016, at 7:37 PM, Paul Gilmartin 
> <000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
> 
>> On Sun, 21 Feb 2016 00:21:08 +, Bigendian Smalls wrote:
>> 
>> Agreed 100%
> Well, I'll agree with myself only 98%.  I don't like the following behavior:
> 
> 735 $ LC_ALL=en_US.UTF-8 awk 'BEGIN { printf( "%5s\n%5s\n12345\n", "A", "Ж" ) 
> }'
>A
>   Ж
> 12345
> 
>>> On Feb 20, 2016, at 6:13 PM, Paul Gilmartin wrote:
>>> 
>>> In the UTF-8 representation, then, please.  UTF-8 is a marvelously 
>>> compatible
>>> superset of USASCII.  Near zero (well, at worst minimal) effort to adapt.  
>>> And
>>> it's the de facto World Wide Web standard.
>>> 
>>> Don't indulge in wishful thinking that a Unicode based compiler can smoothly
>>> accept either ASCII or EBCDIC source code.  The EBCDIC will need to be
>>> converted.
> 
> -- gil
> 


Re: On sort options orignally: zfs question root growth

2016-02-20 Thread Bigendian Smalls
Agreed 100%

> On Feb 20, 2016, at 6:13 PM, Paul Gilmartin 
> <000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
> 
>> On Sat, 20 Feb 2016 00:41:22 +0000, Bigendian Smalls wrote:
>> 
>> The answer may be in compiling it to be Unicode based.   Gonna look into it 
>> with the extra 'round tuits.  
> In the UTF-8 representation, then, please.  UTF-8 is a marvelously compatible
> superset of USASCII.  Near zero (well, at worst minimal) effort to adapt.  And
> it's the de facto World Wide Web standard.
> 
> Don't indulge in wishful thinking that a Unicode based compiler can smoothly
> accept either ASCII or EBCDIC source code.  The EBCDIC will need to be
> converted.
> 
>>> On Feb 19, 2016, at 6:28 PM, Farley, Peter x23353 wrote:
>>> 
>>> AFAIK that version is strictly EBCDIC, intended to be run using JCL in 
>>> batch jobs accessing EBCDIC datasets.  It uses a customized EBCDIC version 
>>> of the PDCLib library routines (public domain C library code).
> But an 8-character limit is absurd.
> 
> -- gil
> 


Re: On sort options orignally: zfs question root growth

2016-02-20 Thread Bigendian Smalls
To really make it go you need the whole autotools suite.  Make autoconf 
automake m4 configure etc.  Have had some luck getting most of those going. The 
usual stumbling blocks are code page as per usual. 

> On Feb 20, 2016, at 10:42 AM, Paul Gilmartin 
> <000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
> 
>> On Fri, 19 Feb 2016 21:55:11 -0600, Mike Schwab  wrote:
>> 
>> It is designed to translate a unix style name to MVS data.set.names.
>> If you use a DD name with a path statement it might work.
> Errr...  How does the compiler derive an MVS data set name from:
> 
>#include "../headers/product_types.h"
> 
> I suppose one might dynalloc it.  Does that compiler do so?
> 
> And GNU configure?  That's been a stumbling block for me.
> 
>>> On Fri, Feb 19, 2016 at 6:07 PM, Paul Gilmartin wrote:
>>>> On Fri, 19 Feb 2016 17:00:10 -0600, Mike Schwab wrote:
>>>> 
>>>> http://gccmvs.sourceforge.net/ Paul Edwards has a version running on
>>>> MVS 3.8 that will recompile.  Runs under XA and ESA and z/OS too. I am
>>>> sure he would help solve any bugs in your version, if different.
>>> How well does it do with UNIX files?
>>> 
>>> Does it work with GNU configure?
> 
> -- gil
> 


Re: ASCII vs. EBCDIC (was Re: On sort options ...)

2016-02-20 Thread Bigendian Smalls
Is there a defined klingon code page?


> On Feb 20, 2016, at 11:07 AM, Charles Mills  wrote:
> 
> Going just from memory here -- too lazy or too inconsequential to look it up.
> 
> 1. Yes, the bit has gone away.
> 2. It never did much. After all, CLC or MVC does not care if the data is 
> ASCII, EBCDIC or Klingon. All it ever did was control the sign nibble in 
> packed results: C and D for EBCDIC, some other sign configurations for ASCII.
> 
> Charles
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Paul Gilmartin
> Sent: Saturday, February 20, 2016 8:46 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: ASCII vs. EBCDIC (was Re: On sort options ...)
> 
>> On Sat, 20 Feb 2016 06:54:56 -0600, Bill Woodger wrote:
>> 
>> Indeed, there's a bit in the PSW indicating whether it is running in 
>> ASCII or EBCDIC, isn't there? :-)
> Used to be.  I doubt that it's still functional.  Did COBOL ever exploit it?
> 


Re: On sort options orignally: zfs question root growth

2016-02-19 Thread Bigendian Smalls
The answer may be in compiling it to be Unicode based.   Gonna look into it 
with the extra 'round tuits.  

> On Feb 19, 2016, at 6:28 PM, Farley, Peter x23353 
>  wrote:
> 
> AFAIK that version is strictly EBCDIC, intended to be run using JCL in batch 
> jobs accessing EBCDIC datasets.  It uses a customized EBCDIC version of the 
> PDCLib library routines (public domain C library code).
> 
> You could conceivably recompile the GNU toolchain using that GCC and have an 
> EBCDIC toolchain, but that is a lot of work.
> 
> Not that I wouldn't love to have that toolchain, but finding those darn round 
> tuits is just plain difficult.
> 
> It may be that Paul has already completed some parts of the toolchain, but I 
> have lost track of what he has made available and sourceforge is not 
> responding to me at the moment so I can't check the download list.
> 
> Peter
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Paul Gilmartin
> Sent: Friday, February 19, 2016 7:07 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: On sort options orignally: zfs question root growth
> 
>> On Fri, 19 Feb 2016 17:00:10 -0600, Mike Schwab wrote:
>> 
>> http://gccmvs.sourceforge.net/ Paul Edwards has a version running on
>> MVS 3.8 that will recompile.  Runs under XA and ESA and z/OS too. I am
>> sure he would help solve any bugs in your version, if different.
> How well does it do with UNIX files?
> 
> Does it work with GNU configure?
> 


Re: On sort options orignally: zfs question root growth

2016-02-19 Thread Bigendian Smalls
Thanks for that. Maybe I can use that to build a newer version.  

Cheers 

> On Feb 19, 2016, at 5:00 PM, Mike Schwab  wrote:
> 
> http://gccmvs.sourceforge.net/ Paul Edwards has a version running on
> MVS 3.8 that will recompile.  Runs under XA and ESA and z/OS too. I am
> sure he would help solve any bugs in your version, if different.
> 
> On Fri, Feb 19, 2016 at 3:48 PM, Bigendian Smalls
>  wrote:
>> Yes well therein lies the rub.  I've been working on compiling gcc on and 
>> off for a while. Eventually I'll get it and share :)
>> 
>> 
>> 
>>> On Feb 19, 2016, at 1:35 PM, Vince Coen  wrote:
>>> 
>>> Not on a m/f but loads of other kit.
>>> 
>>> On 19/02/16 18:24, Bigendian Smalls wrote:
>>>>> If you install the GCC development system e.g.,C along with the
>>>>> libraries you can then download the sources for these utilities and
>>>>> compile them and install them into a common path.
>>>> Have you done this successfully from source?
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> On Feb 19, 2016, at 12:22 PM, Vince Coen  wrote:
>>>>> 
>>>>> If you install the GCC development system e.g.,C along with the
>>>>> libraries you can then download the sources for these utilities and
>>>>> compile them and install them into a common path.
>>>>> 
>>>>> Easy ..
>>>>> 
>>>>> compiler On 19/02/16 18:13, Paul Gilmartin wrote:
>>>>>>> On 2016-02-19, at 10:14, Bigendian Smalls wrote:
>>>>>>> I always feel like i have to backtrack skills learned over decades of 
>>>>>>> other ‘nix’s when using OMVS .. would be nice to have a modern 
>>>>>>> complement of tools and switches.
>>>>>> I try hard to stay within POSIX to keep my skills portable.  Things I
>>>>>> use regularly elsewhere and miss most on z/OS are:
>>>>>> 
>>>>>> find -iname
>>>>>> find -ls
>>>>>> find -print0
>>>>>> xargs -0
>>>>>> ls -l --full-time  # (different on every system.)
>>>>>> 
>>>>>> I wish OMVS had implemented only an ASCII kernel and let the shells
>>>>>> and GNU utilities diffuse in by osmosis.
>>>>>> 
>>>>>> -- gil
>>> 
> 
> 
> 
> -- 
> Mike A Schwab, Springfield IL USA
> Where do Forest Rangers go to get away from it all?
> 


Re: On sort options orignally: zfs question root growth

2016-02-19 Thread Bigendian Smalls
Yes well therein lies the rub.  I've been working on compiling gcc on and off 
for a while. Eventually I'll get it and share :)



> On Feb 19, 2016, at 1:35 PM, Vince Coen  wrote:
> 
> Not on a m/f but loads of other kit.
> 
> On 19/02/16 18:24, Bigendian Smalls wrote:
>>> If you install the GCC development system e.g.,C along with the
>>> libraries you can then download the sources for these utilities and
>>> compile them and install them into a common path.
>> Have you done this successfully from source?
>> 
>> 
>> 
>> 
>>> On Feb 19, 2016, at 12:22 PM, Vince Coen  wrote:
>>> 
>>> If you install the GCC development system e.g.,C along with the
>>> libraries you can then download the sources for these utilities and
>>> compile them and install them into a common path.
>>> 
>>> Easy ..
>>> 
>>> compiler On 19/02/16 18:13, Paul Gilmartin wrote:
>>>>> On 2016-02-19, at 10:14, Bigendian Smalls wrote:
>>>>> I always feel like i have to backtrack skills learned over decades of 
>>>>> other ‘nix’s when using OMVS .. would be nice to have a modern complement 
>>>>> of tools and switches.
>>>> I try hard to stay within POSIX to keep my skills portable.  Things I
>>>> use regularly elsewhere and miss most on z/OS are:
>>>> 
>>>> find -iname
>>>> find -ls
>>>> find -print0
>>>> xargs -0
>>>> ls -l --full-time  # (different on every system.)
>>>> 
>>>> I wish OMVS had implemented only an ASCII kernel and let the shells
>>>> and GNU utilities diffuse in by osmosis.
>>>> 
>>>> -- gil
> 


Re: On sort options orignally: zfs question root growth

2016-02-19 Thread Bigendian Smalls
> If you install the GCC development system e.g.,C along with the
> libraries you can then download the sources for these utilities and
> compile them and install them into a common path.
Have you done this successfully from source?




> On Feb 19, 2016, at 12:22 PM, Vince Coen  wrote:
> 
> If you install the GCC development system e.g.,C along with the
> libraries you can then download the sources for these utilities and
> compile them and install them into a common path.
> 
> Easy ..
> 
> compiler On 19/02/16 18:13, Paul Gilmartin wrote:
>> On 2016-02-19, at 10:14, Bigendian Smalls wrote:
>>> I always feel like i have to backtrack skills learned over decades of other 
>>> ‘nix’s when using OMVS .. would be nice to have a modern complement of 
>>> tools and switches.
>>> 
>> I try hard to stay within POSIX to keep my skills portable.  Things I
>> use regularly elsewhere and miss most on z/OS are:
>> 
>> find -iname
>> find -ls
>> find -print0
>> xargs -0
>> ls -l --full-time  # (different on every system.)
>> 
>> I wish OMVS had implemented only an ASCII kernel and let the shells
>> and GNU utilities diffuse in by osmosis.
>> 
>> -- gil
>> 
> 


Re: On sort options orignally: zfs question root growth

2016-02-19 Thread Bigendian Smalls
Oh for sure and - on just about any other system i tried, -n is absolutely 
necessary

Better yet most linux distros have a -h on sort which is awesome and seamlessly 
tackles du -sh (human readable output) - sorting things like 8M and 8G in their 
proper place.  Get with it OMVS :)

d:/usr$ du -sh *|sort -h
4.0K    games
8.0K    default
36K     var
224K    src
47M     sbin
82M     include
112M    local
500M    bin
3.3G    lib
4.0G    share


I always feel like i have to backtrack skills learned over decades of other 
‘nix’s when using OMVS .. would be nice to have a modern complement of tools 
and switches.

Chad
> On Feb 19, 2016, at 10:48 AM, Paul Gilmartin 
> <000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
> 
> On 2016-02-19, at 09:26, Bigendian Smalls wrote:
>> 
>> I’m a big proponent of using the switches to be sure and accurate , but in 
>> the case of the output of du I can’t see where it makes a difference. ...
>> 
> I'll agree with you about output of du.  Testing on an OS X system 
> with signed numbers:
> 
> 639 $ echo "
> 1
> -1
> 2
> -2
> 3
> -3 " | sort
> 
> -1
> -2
> -3 
> 1
> 2
> 3
> 640 $ 
> ... not a very good numeric sort.  But:
> 640 $ echo "
> 1
> -1
> 2
> -2
> 3
> -3 " | sort -nk1,1
> -3 
> -2
> -1
> 
> 1
> 2
> 3
> 641 $ 
> 
> So, "to be sure and accurate", or perhaps just by habit, I use
> "-nk" for numeric sorting.  Don't know about floating point or
> scientific or engineering notation.  Or about DFSORT.
> 
> -- gil
> 


On sort options orignally: zfs question root growth

2016-02-19 Thread Bigendian Smalls
Well ok i’ll bite. (way off the OP post)

I’m a big proponent of using the switches to be sure and accurate , but in the 
case of the output of du I can’t see where it makes a difference.   The default 
is sorting each line as one whole field, and the output of du always starts 
with spaces and a number - so by definition that will always sort in an 
intuitive way - in fact I’ve not found an example where using nk1,1 changes the 
output in any way from just using sort (speaking on the output of du only).

The only difference I can find is a trumped up example whereby there is no 
numeric, then sort treats that as putting it after the numerics  (any character > than 
any number) and -n treats any non-numeric starting value as 0

such as
> cat test.txt | sort
-1file
001 file
01 file
011 file
11 file
110 file
12 file
file
> cat test.txt | sort -nk1,1
-1file
file
001 file
01 file
011 file
11 file
12 file
110 file

But still that wouldn’t happen with du as a du output as du will output minimum 
0 for everything. So the switches are unneeded.

du notwithstanding - 
-n would i think be confusing in cases where, like the above, you have mixed 
beginning numeric and alpha, as I would think most would expect sorting of the 
numerics first, then the alphas, and not the non-intuitive sorting of “file” in 
between “-1file” and “001file”  vs the former of having it after all the 
numerics.

Last - I think -k1,1 is pretty much superfluous here given the space separator 
between the numeric size and folder/file name (sort assumes any combo of spaces 
tabs are a field separator by default) - as I read the man page  k[m.n,p.q] 
means sort  starting at the qth character (here 0) of the mth field (here first 
field) and continue through the qth character (again 0) of the pth field (here 
1) - so k1,1 means the key is the entire first field - which would be the 
default if there was any space after it.

if there is a tie, then it moves to the next character.  Only in examples like 
the last one, would  -k[1,3] change the order.

> cat test.txt
d002 file3
d001 file2
d003 file1
> cat test.txt | sort -nk1,1
d001 file2
d002 file3
d003 file1
> cat test.txt | sort -nk1
d001 file2
d002 file3
d003 file1
> cat test.txt | sort -nk1,3
d003 file1
d001 file2
d002 file3

I could see using something like: 
cat test.txt | sort -nk1.8 (note period not comma)
y001 file2
x002 file3
z003 file1

to sort by the numeric at the end of the first field. But this again is a made 
up example not an output from du.

But I digress … this was fun! … wait what was I talking about...

Chad





> On Feb 19, 2016, at 9:35 AM, Paul Gilmartin 
> <000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
> 
> On 2016-02-19, at 07:48, Bigendian Smalls wrote:
> 
>> Tim have you tried this from a shell at the root of your ZFS partition (or 
>> just root / )
>> 
>> du -sk | sort
>> 
> BTW, I'm more comfortable with:
> 
>du -k | sort -nk1,1
> 
> -- gil
> 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
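
Added example, not part of the thread: the sort messages above compare plain `sort`, `sort -n` keyed on the first field, and GNU `sort -h` on du output. The sketch below runs all three orderings over constructed du-style lines (unpadded sizes, an assumption about the du in use), using only POSIX sort, awk and cut so the human-readable ranking also works where sort has no `-h`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: constructed sample data, hypothetical function names.
# Uses only POSIX sh, sort, awk and cut.

# Constructed `du -k`-style lines: size in KiB, tab, name (no padding).
sample_du_k() {
    printf '%s\t%s\n' 9 etc 100 usr 25 var 1024 opt
}

# Constructed `du -sh`-style lines, shuffled.
sample_du_h() {
    printf '%s\t%s\n' 3.3G lib 4.0K games 500M bin 47M sbin 224K src
}

# Plain sort compares characters left to right, so with unpadded sizes
# "100" and "1024" come before "25" and "9".
rank_lexical() {
    LC_ALL=C sort
}

# Numeric comparison restricted to the first field.
rank_numeric() {
    LC_ALL=C sort -k1,1n
}

# Stand-in for `sort -h`: convert the size suffix to bytes, use that as a
# temporary numeric key, sort, then drop the key again.
rank_human() {
    awk '
    BEGIN { m["K"] = 1024; m["M"] = 1024^2; m["G"] = 1024^3; m["T"] = 1024^4 }
    {
        size = $1
        unit = substr(size, length(size), 1)
        if (unit in m)
            bytes = substr(size, 1, length(size) - 1) * m[unit]
        else
            bytes = size + 0          # no suffix: already a plain number
        printf "%.0f\t%s\n", bytes, $0
    }' | LC_ALL=C sort -k1,1n | cut -f2-
}

echo "lexical:";  sample_du_k | rank_lexical
echo "numeric:";  sample_du_k | rank_numeric
echo "human:";    sample_du_h | rank_human
```

Appending `| tail -n 10` to `du -k . | rank_numeric` gives the ten largest directories, which is the drill-down the thread describes.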


Re: zfs question root growth

2016-02-19 Thread Bigendian Smalls
> But beware; it may be resource-intensive.

Alternatively you could du -sk * > file.txt
then cat file.txt|sort

Saving the trouble of doing it in memory.  Though I suspect calculating the 
sizes of the folders is much much more intensive than sorting a relatively 
brief set of text.

> Does UNIX sort employ DFSORT when needed/available?

I don’t know for sure, but I’d be surprised if it did.   /bin/sort is a 
standard fixture in ‘nixes forever …   Could poke at it a bit though to find 
out for sure :)

Chad



Re: zfs question root growth

2016-02-19 Thread Bigendian Smalls
Couple other commands handy to manage ZFS / other mountpoint sizes

zfsadm aggrinfo

ex:
...
ZFS.DIR.U2 (R/W COMP): 1314251 K free out of total 2728080

df -kP

ex:
Filesystem 1024-blocks    Used  Available  Capacity Mounted on
...
ZFS.DIR.U2     2728080 1413829    1314251       52% /u


Forgot the asterisk on my first post

du -sk *  |sort

Chad



The former will show you size / utilization of all your zfs mounts.   The 
latter will show freespace on all of your mounts, irrespective of type.




On Feb 19, 2016, at 8:50 AM, Lizette Koehler <stars...@mindspring.com> wrote:

Are you looking for a monitoring tool?

There are IOE messages that come out in syslog indicating utilization on zFS
files.  So you could look at those from an external perspective.

Manually, you can use ISPF 3.17 to look at specific files and see what they look
like.

I have not done this, but I think RMF may have something for zFS files.

Could you provide more details on what you are looking for?

Do you have aggregate grow turned on ?  What version of zFS are you using?
Version 3/4/5?
How much space is available on the volume for your root?

In my mind, a ROOT should be fairly static.  SYMLINKs and non-growing files.

What files do you have in your ROOT that maybe should be under /etc /lpp /user
and so forth?


Lizette


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Tim Brown
Sent: Friday, February 19, 2016 7:42 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: zfs question root growth

Is there a way to determine where space is allocated in ZFS to find which
directories use the most space. Our root is low on free space and I am
concerned about its ability to grow.

Thanks,
Tim Brown



Re: zfs question root growth

2016-02-19 Thread Bigendian Smalls
Tim have you tried this from a shell at the root of your ZFS partition (or just 
root / )


du -sk | sort


*that’s a pipe sign, not an I or an l  :) 
drop the | sort if you just want to see the folder sizes in alphabetical order

That should give you all the directories sizes in kilobytes sorted lowest to 
highest.  You can then hit the largest ones, dive into that directory and 
repeat.

You could script this if you wanted to do it regularly.


Chad


> On Feb 19, 2016, at 8:41 AM, Tim Brown  wrote:
> 
> Is there a way to determine where space is allocated in ZFS to find which 
> directories
> use the most space. Our root is low on free space and I am concerned about its
> ability to grow.
> 
> Thanks,
> Tim Brown
> 


Re: IBM z13s article.

2016-02-16 Thread Bigendian Smalls
Two factor auth in the OS is a big (and long overdue) deal.   Has anyone heard 
of this in a general flavor of z/os or know what version / add-on might contain 
such a thing for the rest of us?


> On Feb 16, 2016, at 9:10 AM, Dana Mitchell  wrote:
> 
> I found support for SSL on OSA ICC interesting.  That would eventually allow 
> us to move consoles off a dedicated network.
> 
> Dana
> 


Re: So Long, and Thanks For All The Fish

2015-12-31 Thread Bigendian Smalls
Apologies to Shane I hadn't read beyond the first reply.  Best sir. 

> On Dec 31, 2015, at 09:58, Bigendian Smalls  
> wrote:
> 
> That is a devastating loss.  And sounds like bizarre circumstances-yet to get 
> all the details. 
> 
>> On Dec 31, 2015, at 09:00, Andre Massena  wrote:
>> 
>> And this as well - 
>> http://www.theregister.co.uk/2015/12/30/ian_murdock_debian_founder/
>> 
>> 
>> 
>> 
>>  Original message 
>> From: Shane Ginnane 
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: So Long, and Thanks For All The Fish
>> Date: 31/12/2015 15:47:04 CET
>> 
>> Shane ...
>> 


Re: So Long, and Thanks For All The Fish

2015-12-31 Thread Bigendian Smalls
That is a devastating loss.  And sounds like bizarre circumstances-yet to get 
all the details. 

> On Dec 31, 2015, at 09:00, Andre Massena  wrote:
> 
> And this as well - 
> http://www.theregister.co.uk/2015/12/30/ian_murdock_debian_founder/
> 
> 
> 
> 
>  Original message 
> From: Shane Ginnane 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: So Long, and Thanks For All The Fish
> Date: 31/12/2015 15:47:04 CET
> 
> Shane ...
> 


Re: Any Git compliant Client for OMVS

2015-12-18 Thread Bigendian Smalls
Working on a git compilation - but it isn’t ready for prime time yet.  I’ll let 
you know when it is.

I haven’t seen any commercial or non-commercial versions that work out of the 
box.  I’m compiling from source.  Slowly.
Very Slowly.



> On Dec 18, 2015, at 1:46 AM, Munif Sadek  wrote:
> 
> Dear Listers
> 
> I am trying to find any Git client to run under OMVS (z/OS 2.1) to automate 
> couple of Java objects deployment. I have tried 
> https://eclipse.org/jgit/download/ but not able to make it work.
> 
> regards 
> Munif  
> 


Re: TAR Files:" Extracting" on a IBM Mainframe

2015-12-16 Thread Bigendian Smalls
check on pax command. think there's some overlap there. 

> On Dec 16, 2015, at 18:54, Pinnacle  wrote:
> 
>> On 12/16/2015 7:41 PM, Leonard Sasso wrote:
>> Hello !
>> Anyone know of a product (besides Data21's ZIP/390 Product), that can
>> "extract" a file(s) from a TAR file on a IBM Mainframe - z/OS 2.1 ?
>> 
>> 
>> 
>> Thank You In Advance for your Help, it is appreciated.
>> 
>> 
>> 
>> 
>> Len Sasso
>> RDC Applications Management - Professional: System Administrator
>> Backup QMR - Production Operations
>> CSC
> 
> Len,
> 
> You don't need one, you can unspin the tarball in Unix System Services, 
> either via OMVS, ISPF 3.17, or BPXBATCH.
> 
> Regards,
> Tom Conley
> 


Re: Advanced Assembler Language and MVS Interfaces

2015-12-11 Thread Bigendian Smalls
Hey Bob - perfect!

Any chance you’d be willing to take Paypal or Wells Fargo’s sure pay?   Both 
just require an email address (being an employee of the latter I can vouch for 
its integrity).

If not, no sweat - just gotta find a check, envelope, stamp, :)   Perils of the 
21st century.

Cheers.

Chad



> On Dec 11, 2015, at 10:01 AM, Bob Shannon  wrote:
> 
> Sold.
> 
> R.P. Shannon
> Manager, zTeam
> Rocket Software
> 77 Fourth Avenue * Waltham, MA 02451 * USA
> t: +1 781 684 2105 * f: +1 781 684 7100 * e: 
> bshan...@rs.com * w: 
> www.rocketsoftware.com
> 
> 
> 


Re: Accessing RESTful services from a z/OS batch job

2015-11-25 Thread Bigendian Smalls
Agreed on lua from what I've seen it seems like a fairly competent language 
(mostly I've seen it from the backside of wireshark/nmap).  I'll give your port 
a look, thanks for sharing that!

I'd love to see the python port truly finished, it's still my go-to prototyping 
tool on most platforms, quick POC where others like C or ASM are too wordy for 
quick mock-ups, but way better for long term and speed.  

> On Nov 24, 2015, at 05:15, David Crayford  wrote:
> 
>> On 24/11/2015 11:52 AM, Bigendian Smalls wrote:
>> Fair point on the rocket Python for http tip.  Just did some testing on that 
>> - yikes. only ever used that flavor of Python locally - but outside comm is 
>> a huge pain indeed.  Good call to stick with curl or Java as you'd mentioned 
>> and leave the Python until it's fully baked for cp conversions.
> 
> It gets worse. The JSON libraries are broken too. Unicode escaping is a case 
> in point. And the URL and base64 stuff. Python has a huge standard library so 
> a real EBCDIC port is going to be a lot of work and probably won't happen 
> unless a significant ROI
> can be made. You can try my Lua port which is patched to support EBCDIC for 
> HTTP, JSON, URL, base64 etc http://lua4z.com/. It smokes REXX by an order of 
> magnitude wrt performance and has all the modern features that you get with 
> Python. There's
> even a decent list comprehension implementation in the penlight library. I 
> haven't implemented Lua-cURL yet but I will now that rocket have made libcurl 
> available with their port. That should bring a lot of other powerful HTTP, 
> FTP features available.
> 
>>>> On Nov 23, 2015, at 19:30, David Crayford  wrote:
>>>> 
>>>> On 24/11/2015 9:12 AM, Bigendian Smalls wrote:
>>>> Depending on the volume, python's usage of the REST APIs I've used (like 
>>>> Aws works great).   I'm sure it'd be not too hard to do in REXX also from 
>>>> the few client HTTP code snippets I've seen in Google.
>>> Classic REXX using the socket() API would be doable. But I wouldn't go 
>>> there.
>>> 
>>>> But the python one works great - using Rocket's ported tools.  fwiw.
>>> All of the web APIs (HTTP etc) in Rocket's z/OS Python port are broken. They 
>>> haven't done the ASCII/EBCDIC work on the HTTP protocol. Until they do 
>>> Rocket's Python port is nothing but a broken toy.
>>> 
>>>> Chad
>>>> 
>>>>> On Nov 23, 2015, at 18:17, Frank Swarbrick  
>>>>> wrote:
>>>>> 
>>>>> Sounds interesting.  Anyone have any experience with it?
>>>>> We are still on z/OS 1.13.  I don't know when we'll go to 2.1, much less 
>>>>> 2.2, but it's certainly something to consider.
>>>>> 
>>>>> I'm still open to other ideas.
>>>>> 
>>>>> Thanks!
>>>>> Frank
>>>>> 
>>>>>> Date: Mon, 23 Nov 2015 18:02:20 -0600
>>>>>> From: k...@dovetail.com
>>>>>> Subject: Re: Accessing RESTful services from a z/OS batch job
>>>>>> To: IBM-MAIN@LISTSERV.UA.EDU
>>>>>> 
>>>>>> Maybe the z/OS client web enablement toolkit?
>>>>>> 
>>>>>> see the V2R2 docs for latest features -
>>>>>> https://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.e0za100/mvs_web_enablement.htm
>>>>>> 
>>>>>> "
>>>>>> You can use web application APIs to create a client/server application
>>>>>> using a
>>>>>> request-response protocol that can link a client residing anywhere in the
>>>>>> world
>>>>>> with any web server. Many web applications have evolved to a simpler
>>>>>> programming model based on representational state transfer (REST). 
>>>>>> Governed
>>>>>> by
>>>>>> a set of architectural constraints, RESTful applications can be much 
>>>>>> easier
>>>>>> to
>>>>>> develop, enabling the creation of elegant and secure web applications.
>>>>>> RESTful
>>>>>> applications typically use the ubiquitous Hypertext Transfer Protocol
>>>>>> (HTTP) as the
>>>>>> means of communication and either JavaScript Object Notation (JSON) or
>>>>>> Extensible Markup Language (XML) as the format 

Re: Accessing RESTful services from a z/OS batch job

2015-11-23 Thread Bigendian Smalls
Fair point on the rocket Python for http tip.  Just did some testing on that - 
yikes. only ever used that flavor of Python locally - but outside comm is a 
huge pain indeed.  Good call to stick with curl or Java as you'd mentioned and 
leave the Python until it's fully baked for cp conversions. 

>> On Nov 23, 2015, at 19:30, David Crayford  wrote:
>> 
>> On 24/11/2015 9:12 AM, Bigendian Smalls wrote:
>> Depending on the volume, python's usage of the REST APIs I've used (like Aws 
>> works great).   I'm sure it'd be not too hard to do in REXX also from the few 
>> client HTTP code snippets I've seen in Google.
> 
> Classic REXX using the socket() API would be doable. But I wouldn't go there.
> 
>> 
>> But the python one works great - using Rocket's ported tools.  fwiw.
> 
> All of the web APIs (HTTP etc) in Rocket's z/OS Python port are broken. They 
> haven't done the ASCII/EBCDIC work on the HTTP protocol. Until they do 
> Rocket's Python port is nothing but a broken toy.
> 
>> Chad
>> 
>>> On Nov 23, 2015, at 18:17, Frank Swarbrick  
>>> wrote:
>>> 
>>> Sounds interesting.  Anyone have any experience with it?
>>> We are still on z/OS 1.13.  I don't know when we'll go to 2.1, much less 
>>> 2.2, but it's certainly something to consider.
>>> 
>>> I'm still open to other ideas.
>>> 
>>> Thanks!
>>> Frank
>>> 
>>>> Date: Mon, 23 Nov 2015 18:02:20 -0600
>>>> From: k...@dovetail.com
>>>> Subject: Re: Accessing RESTful services from a z/OS batch job
>>>> To: IBM-MAIN@LISTSERV.UA.EDU
>>>> 
>>>> Maybe the z/OS client web enablement toolkit?
>>>> 
>>>> see the V2R2 docs for latest features -
>>>> https://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.e0za100/mvs_web_enablement.htm
>>>> 
>>>> "
>>>> You can use web application APIs to create a client/server application
>>>> using a
>>>> request-response protocol that can link a client residing anywhere in the
>>>> world
>>>> with any web server. Many web applications have evolved to a simpler
>>>> programming model based on representational state transfer (REST). Governed
>>>> by
>>>> a set of architectural constraints, RESTful applications can be much easier
>>>> to
>>>> develop, enabling the creation of elegant and secure web applications.
>>>> RESTful
>>>> applications typically use the ubiquitous Hypertext Transfer Protocol
>>>> (HTTP) as the
>>>> means of communication and either JavaScript Object Notation (JSON) or
>>>> Extensible Markup Language (XML) as the format of data exchange between the
>>>> client and server programs
>>>> 
>>>> Kirk Wolf
>>>> Dovetailed Technologies
>>>> http://dovetail.com
>>>> 
>>>> On Mon, Nov 23, 2015 at 5:32 PM, Frank Swarbrick <
>>>> frank.swarbr...@outlook.com> wrote:
>>>> 
>>>>> What are you using to perform this function?
>>>>> 


Re: Accessing RESTful services from a z/OS batch job

2015-11-23 Thread Bigendian Smalls
Depending on the volume, python's usage of the REST APIs I've used (like Aws 
works great).   I'm sure it'd be not too hard to do in REXX also from the few 
client HTTP code snippets I've seen in Google. 

But the python one works great - using Rocket's ported tools.  fwiw. 

Chad

> On Nov 23, 2015, at 18:17, Frank Swarbrick  
> wrote:
> 
> Sounds interesting.  Anyone have any experience with it?
> We are still on z/OS 1.13.  I don't know when we'll go to 2.1, much less 2.2, 
> but it's certainly something to consider.
> 
> I'm still open to other ideas.
> 
> Thanks!
> Frank
> 
>> Date: Mon, 23 Nov 2015 18:02:20 -0600
>> From: k...@dovetail.com
>> Subject: Re: Accessing RESTful services from a z/OS batch job
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> 
>> Maybe the z/OS client web enablement toolkit?
>> 
>> see the V2R2 docs for latest features -
>> https://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.e0za100/mvs_web_enablement.htm
>> 
>> "
>> You can use web application APIs to create a client/server application
>> using a
>> request-response protocol that can link a client residing anywhere in the
>> world
>> with any web server. Many web applications have evolved to a simpler
>> programming model based on representational state transfer (REST). Governed
>> by
>> a set of architectural constraints, RESTful applications can be much easier
>> to
>> develop, enabling the creation of elegant and secure web applications.
>> RESTful
>> applications typically use the ubiquitous Hypertext Transfer Protocol
>> (HTTP) as the
>> means of communication and either JavaScript Object Notation (JSON) or
>> Extensible Markup Language (XML) as the format of data exchange between the
>> client and server programs
>> 
>> Kirk Wolf
>> Dovetailed Technologies
>> http://dovetail.com
>> 
>> On Mon, Nov 23, 2015 at 5:32 PM, Frank Swarbrick <
>> frank.swarbr...@outlook.com> wrote:
>> 
>>> What are you using to perform this function?
>>> 


Re: Strange HMC issue

2015-11-21 Thread Bigendian Smalls
That's interesting. I'd still think a PCAP that ran during boot of the HMC and 
maybe watched for a bit could be enlightening. See if / who the IPs are 
speaking to, any dns lookups etc. Curious what you figure out - but it is 
certainly suspect. 

> On Nov 21, 2015, at 11:18, Tony Thigpen  wrote:
> 
> Thanks.
> 
> When pinging either the hard-coded address or the DHCP assigned address, the 
> ping fails anytime we unplug the ethernet cable to that nic.
> 
> We think that the HMC has opened up a tunnel in linux which is acting as a 
> proxy for . At first we thought maybe the laptops 
> in the z10, but the ping does not fail if we disconnect the cable going to 
> the z10 switch.
> 
> I wish I could get into the real linux and do some displays.
> 
> Tony Thigpen
> 
> Bigendian Smalls wrote on 11/21/2015 11:54 AM:
>> It occurs to me Tony, there could be a multitude of things here.  But one 
>> involves routes and routing tables. Presuming the two networks on your 
>> multi-homed HMC don't overlap (different subnets) I'd wonder how your routes 
>> in that box are set up (default and otherwise).
>> 
>> #3 concerns me a little that you have the same Mac arp resolution to 2 
>> different IPs. While not impossible there could be some issues with this.  
>> Have you captured the traffic from the host that is suspect - and rebooted, 
>> see if it is actually dhcp requesting an address? It sounds like there could 
>> possibly be another box with a MAC address the same as your HMC.  That's one 
>> idea. or a process on it requesting a dhcp address.
>> 
>> If it were me I'd take two traffic captures, one that gets all the traffic 
>> from the HMC you suspect.  and one from the box handing out IPs.  Do a 
>> reboot of the HMC if you can, and see if the traffic coincides with expected 
>> behavior.  That's where I'd start.
>> 
>> Chad
>> 
>> 
>>> On Nov 20, 2015, at 23:03, Tony Thigpen  wrote:
>>> 
>>> Background: HMC software version 2.11.1 connected to a z10.
>>> 
>>> The HMC is connected to two networks. The first is a small private network 
>>> with just the laptops in the z10 and the HMC. No other HMCs or other CPUs. 
>>> The second network is a local network with several items on it, including 
>>> other HMCs. This network is behind a VPN firewall and is used to access the 
>>> web services on the HMC.
>>> 
>>> Both interfaces have hard-coded IP addresses.
>>> 
>>> Today we noticed something strange. We had a DHCP address assigned to a box 
>>> we did not know about. Except for 3 workstations on the network, all other 
>>> boxes have hard-coded IP addresses. In the DHCP assigned addresses table, 
>>> the box had provided a name of BMC_DHCP.
>>> 
>>> After a bunch of testing, we isolated the assigned address to the HMC, but 
>>> the address does not show up in any of the HMC panels that show IP 
>>> addresses.
>>> 
>>> Items:
>>> 1) When we ping the HMC using the hard-coded address, the response is under 
>>> 3.0ms.
>>> 2) When we ping the DHCP assigned address, the response is 10x longer, in 
>>> the 30.0ms range.
>>> 3) The arp tables on another PC show both addresses having the same nic 
>>> address.
>>> 4) The HMC can ping its own hard-coded address, but it cannot ping the 
>>> DHCP assigned address.
>>> 5) We have other CPUs and other HMCs. None of the others are doing the same 
>>> thing. (z900 through z10).
>>> 6) This HMC has the latest software version of all the HMCs.
>>> 7) nMap (port mapping tool) says that there are no ports open at this DHCP 
>>> assigned address.
>>> 
>>> Thoughts on what is happening?
>>> Anybody else seeing the same thing?
>>> 
>>> --
>>> Tony Thigpen
>>> 


Re: Strange HMC issue

2015-11-21 Thread Bigendian Smalls
It occurs to me Tony, there could be a multitude of things here.  But one involves 
routes and routing tables. Presuming the two networks on your multi-homed HMC 
don't overlap (different subnets) I'd wonder how your routes in that box are 
set up (default and otherwise). 

#3 concerns me a little that you have the same Mac arp resolution to 2 
different IPs. While not impossible there could be some issues with this.  Have 
you captured the traffic from the host that is suspect - and rebooted, see if 
it is actually dhcp requesting an address? It sounds like there could possibly 
be another box with a MAC address the same as your HMC.  That's one idea. or a 
process on it requesting a dhcp address.  

If it were me I'd take two traffic captures, one that gets all the traffic from 
the HMC you suspect.  and one from the box handing out IPs.  Do a reboot of the 
HMC if you can, and see if the traffic coincides with expected behavior.  
That's where I'd start. 

Chad 


> On Nov 20, 2015, at 23:03, Tony Thigpen  wrote:
> 
> Background: HMC software version 2.11.1 connected to a z10.
> 
> The HMC is connected to two networks. The first is a small private network 
> with just the laptops in the z10 and the HMC. No other HMCs or other CPUs. 
> The second network is a local network with several items on it, including 
> other HMCs. This network is behind a VPN firewall and is used to access the 
> web services on the HMC.
> 
> Both interfaces have hard-coded IP addresses.
> 
> Today we noticed something strange. We had a DHCP address assigned to a box 
> we did not know about. Except for 3 workstations on the network, all other 
> boxes have hard-coded IP addresses. In the DHCP assigned addresses table, the 
> box had provided a name of BMC_DHCP.
> 
> After a bunch of testing, we isolated the assigned address to the HMC, but 
> the address does not show up in any of the HMC panels that show IP addresses.
> 
> Items:
> 1) When we ping the HMC using the hard-coded address, the response is under 
> 3.0ms.
> 2) When we ping the DHCP assigned address, the response is 10x longer, in the 
> 30.0ms range.
> 3) The arp tables on another PC show both addresses having the same nic 
> address.
> 4) The HMC can ping its own hard-coded address, but it cannot ping the DHCP 
> assigned address.
> 5) We have other CPUs and other HMCs. None of the others are doing the same 
> thing. (z900 through z10).
> 6) This HMC has the latest software version of all the HMCs.
> 7) nMap (port mapping tool) says that there are no ports open at this DHCP 
> assigned address.
> 
> Thoughts on what is happening?
> Anybody else seeing the same thing?
> 
> -- 
> Tony Thigpen
> 

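Added example (not part of the original messages): both replies above suggest capturing the HMC's traffic across a reboot to see whether it is really requesting a DHCP address. This Python parser reads the UDP payload of a DHCP message (ports 67/68) and reports which MAC asked for a lease and under what hostname; the MAC addresses, the IP and all function names are constructed for illustration, and only the BMC_DHCP name comes from the thread.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # cookie that follows the 236-byte BOOTP header
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
CLIENT_TYPES = {"DISCOVER", "REQUEST", "INFORM"}   # messages a client originates


def parse_dhcp(payload):
    """Parse one DHCP message (UDP payload only) into a small dict."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    if hlen > 16:
        raise ValueError("hardware address length out of range")
    xid = struct.unpack("!I", payload[4:8])[0]
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])   # chaddr field

    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option is a single byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length

    raw_type = options.get(53)                     # option 53: message type
    msg_type = raw_type[0] if raw_type else 0
    req = options.get(50, b"")                     # option 50: requested IP
    return {
        "xid": xid,
        "client_mac": mac,
        "message_type": MESSAGE_TYPES.get(msg_type, f"unknown({msg_type})"),
        "hostname": options.get(12, b"").decode("ascii", "replace"),
        "vendor_class": options.get(60, b"").decode("ascii", "replace"),
        "requested_ip": ".".join(str(b) for b in req) if len(req) == 4 else None,
    }


def build_sample_message(mac, hostname, msg_type, requested_ip=None):
    """Constructed client message for the demo (not captured traffic)."""
    hw = bytes.fromhex(mac.replace(":", ""))
    zero = b"\x00" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, len(hw), 0,
                         0x1234ABCD, 0, 0x8000, zero, zero, zero, zero,
                         hw, b"", b"")
    name = hostname.encode("ascii")
    options = bytes([53, 1, msg_type, 12, len(name)]) + name
    if requested_ip:
        options += bytes([50, 4]) + bytes(int(p) for p in requested_ip.split("."))
    return header + DHCP_MAGIC + options + b"\xff"


def requesters(payloads):
    """Map each client MAC to the hostnames it used when asking for a lease."""
    seen = {}
    for payload in payloads:
        msg = parse_dhcp(payload)
        if msg["message_type"] in CLIENT_TYPES:
            seen.setdefault(msg["client_mac"], set()).add(msg["hostname"])
    return {mac: sorted(names) for mac, names in seen.items()}


if __name__ == "__main__":
    # Constructed capture: one unknown requester and one ordinary workstation.
    capture = [
        build_sample_message("02:00:00:aa:bb:cc", "BMC_DHCP", 1),
        build_sample_message("02:00:00:aa:bb:cc", "BMC_DHCP", 3, "192.0.2.57"),
        build_sample_message("02:00:00:11:22:33", "WKSTN01", 3, "192.0.2.20"),
    ]
    for mac, names in requesters(capture).items():
        print(mac, names)
```

Comparing the MAC reported for BMC_DHCP with the MAC that the ARP table shows for the hard-coded address tells you whether the request comes from the same interface.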


Re: HMC certificate SHA-2

2015-11-18 Thread Bigendian Smalls
Hi Nathan -

I believe the HMCs come default with a self-signed certificate (meaning not 
generated by a real Certificate Authority), rather the kind that anyone can 
just create on their own - getting the encryption benefits, but not the 
verification ones that come with certificates.

I think the HMC can generate a certificate itself - I've not done it, but see 
here:  http://www-01.ibm.com/support/docview.wss?uid=nas8N1020801

If the certificate has, in fact, been upgraded by your organization to be a 
real cert, either generated by your company's internal Certificate Authority, 
or by a real CA (like Verisign, for instance) - then you have to go through 
them to get a new cert with the SHA2 family of hashing algorithms. If you 
want a custom self-signed cert, you can regenerate one of those yourself - 
there are a multitude of instructions on how to do this with something like 
openssl on the web (google  openssl generate self signed cert).  I linked a 
simple one below.

Some useful links.
https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/
https://www-304.ibm.com/servers/resourcelink/lib03030.nsf/pages/howtousethehardwaremanagementconsole/$file/remote_security.htm

Hope that helps

Chad


From: IBM Mainframe Discussion List  on behalf of 
Nathan Astle 
Sent: Wednesday, November 18, 2015 8:23 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: HMC certificate SHA-2

Hello,

Could someone point me the procedure for upgrading the SHA-1 certificate to
SHA-2 in HMC ?

I searched with the keyword "SHA-2 certificate HMC + z/OS" from the Google
but not getting a correct document to follow on.

Could someone shed light on the above ?

Nathan



Re: Extended Addressability for non-SMS VSAM

2015-11-10 Thread Bigendian Smalls
Lizette is correct. You need an SMS DC to get the EA but you don't need SMS to 
manage the allocation.  I do this with ZFS and other non ZFS all the time. 

Chad 

> On Nov 10, 2015, at 05:26, Lizette Koehler  wrote:
> 
> I think you need a dataclas the adds the ea/ef formats but does not need to 
> be SMS managed.  I would need to review the manuals to be 99.9% sure.  We use 
> this for DB2 les datasets.  So not restricted to zFS.  Any vast dataset 
> should work.
> 
> 
> Lizette
> 
> 
> -Original Message-
>> From: "R.S." 
>> Sent: Nov 9, 2015 8:49 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Extended Addressability for non-SMS VSAM
>> 
>> AFAIK since z/OS 2.1 it is possible to use EA for VSAM LDS clusters 
>> which are not Extended Format (and not SMS-managed).
>> 
>> Questions:
>> 
>> Q1. Is it supported for any kind of VSAM LDS or for ZFS only?
>> 
>> Q2. Is it supported/planned to support for other types of VSAM datasets?
>> 
>> -- 
>> Radoslaw Skorupka
>> Lodz, Poland
> 


Re: I just bought an IBM z890

2015-11-07 Thread Bigendian Smalls
I think you want gofundme.   More for a personal goal vs product. 

> On Nov 7, 2015, at 18:24, Charles Mills  wrote:
> 
> Does anyone have any experience with setting up an account on KickStarter?
> 
> You need a budget or goal on KickStarter. What would a reasonable budget be 
> for flights and hotels?
> 
> Charles
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Charles Mills
> Sent: Saturday, November 07, 2015 2:54 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: I just bought an IBM z890
> 
> Me too.
> 
> Charles
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Richard Pinion
> Sent: Saturday, November 07, 2015 2:35 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: I just bought an IBM z890
> 
> Hey IBM-Main folks, what about a "jump-start" for paying for Mr. Krukosky 
> travel and hotel expenses to Share.  I'd make a donation.
> 


Re: I just bought an IBM z890

2015-11-06 Thread Bigendian Smalls
Outstanding … very cool 
> On Nov 6, 2015, at 3:05 PM, Connor Krukosky  wrote:
> 
> Mine is a model 320.
> I wouldn't mind getting a larger system but the problem is if I can't just 
> trade say the PU Book and the SE's to do this then I would like to NOT have 
> to go through the trouble of removing the WHOLE thing from the basement again 
> and putting another one back into the basement.
> 
> -Connor K
> 
> On 11/6/2015 3:53 PM, Tony Thigpen wrote:
>> What model is it?
>> I have a big one that I would trade for a 110 (the smallest model).
>> 
>> Tony Thigpen
>> 
>> Connor Krukosky wrote on 11/06/2015 02:55 PM:
>>> Hi I'm new to the list, was pointed here by someone because I need some
>>> help using the HMC on the z890 to get an LPAR setup to boot via FTP.
>>> I bought this machine for $237 :)
>>> It wasn't fun to get into the basement but it's here now.
>>> http://imgur.com/a/5uWit
>>> I have gotten it to power on and 'power-on reset' but that's about as
>>> far as I've gotten.
>>> I also have to reconfigure the I/O because a pair of I/O modules were
>>> damaged because the heat-sinks fell off when removing them and they
>>> damaged some chips while removing them.
>>> Any help would be appreciated :)
>>> Thanks!
>>> -Connor K
>>> 


Re: Java and .jar files on OMVS

2015-11-02 Thread Bigendian Smalls
For binary you have to use sftp - uses the same back end as openssh.  Very easy 
to configure - couple settings in the sshd_config file. 

For hashing I use ported tools OpenSSL.  

openssl md5   

that works great. 

> On Nov 2, 2015, at 15:29, Paul Gilmartin 
> <000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
> 
>> On Mon, 2 Nov 2015 14:20:37 -0700, Jack J. Woehr wrote:
>> 
>> Kirk Wolf wrote:
>>> BTW: the scp included in IBM Ported Tools OpenSSH always does ASCII-EBCDIC
>>> conversion.
>> 
>> Well, Kirk, you've answered my question. Indeed, the z/OS OpenSSH User's 
>> Guide Version 2 Release 2 SC27-6806-00 says:
>> 
>>   scp assumes that files are text. Files copied between EBCDIC and ASCII 
>> platforms are converted.
>> 
>> OpenSSH scp for the entire rest of the computing universe assumes all 
>> transfers are binary, and IBM has recoded it to
>> assume everything is text.
>> 
>> *Thunk* (banging head against keyboard)
> IBM's sftp does binary, at least by default.  I understand there's a client 
> command
> to select ASCII<->EBCDIC.
> 
> I hate EBCDIC!
> 
> -- gil
> 


Re: Java and .jar files on OMVS

2015-11-02 Thread Bigendian Smalls
Yes. This.  A quick MD5 hash should do the trick. Also if you have the "file" 
command line tool working (OMVS ships with it but it isn't always set up) that 
should register the same type of file in both places.  

Make sure you aren't going through any x86 in your scp'ing as it tries to 
convert and will wreak havoc with any binary type files. SFTP works much better 
for that and uses the same ssh setup.  

> On Nov 2, 2015, at 08:42, Paul Gilmartin 
> <000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
> 
>> On Sun, 1 Nov 2015 18:02:29 -0700, Jack J. Woehr wrote:
>> 
>> I scp OMVS Java 8.0_64 files back and forth but they open okay with jar tf  
>> ... so it's not that scp is garbling the file.
>> 
>> Any tips?
> Always verify checksums at both ends, whether you need to or not.
> 
> -- gil
> 

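Added example (not from the original messages), covering both replies above on scp conversion and checksums: a Python simulation of a text-mode copy that translates every byte between EBCDIC and ASCII, applied to a jar built in memory, with a digest comparison after each hop. cp037 stands in for the z/OS code page as an assumption, and the sample jar and all function names are constructed for illustration.

```python
import hashlib
import io
import zipfile

EBCDIC = "cp037"       # assumption: representative EBCDIC code page, not the z/OS default
ASCII_SIDE = "latin-1"


def build_sample_jar():
    """Constructed two-entry jar, built in memory so the example runs offline."""
    buf = io.BytesIO()
    stamp = (2015, 11, 2, 0, 0, 0)          # fixed timestamp keeps the bytes stable
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as jar:
        jar.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", stamp),
                     "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr(zipfile.ZipInfo("Hello.class", stamp),
                     b"\xca\xfe\xba\xbe" + bytes(range(256)))
    return buf.getvalue()


def text_mode_transfer(data, src, dst):
    """Simulate a copy that assumes text and translates every byte src -> dst."""
    return data.decode(src).encode(dst)


def binary_transfer(data):
    """Simulate a copy that leaves the bytes alone."""
    return bytes(data)


def file_digest(data, algo="sha256"):
    """Hex digest of the file content; algo may be any hashlib name."""
    return hashlib.new(algo, data).hexdigest()


def opens_as_jar(data):
    """True when the bytes still parse as a zip archive with intact CRCs."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            return jar.testzip() is None
    except zipfile.BadZipFile:
        return False


def check_transfer(sent, received, algo="sha256"):
    """Compare the digest taken at the sending end with the one at the receiving end."""
    sent_hex, recv_hex = file_digest(sent, algo), file_digest(received, algo)
    return {"sent": sent_hex, "received": recv_hex,
            "match": sent_hex == recv_hex,
            "opens_as_jar": opens_as_jar(received)}


if __name__ == "__main__":
    original = build_sample_jar()
    hop1 = text_mode_transfer(original, EBCDIC, ASCII_SIDE)    # host -> workstation, as text
    hop2 = text_mode_transfer(hop1, ASCII_SIDE, EBCDIC)        # workstation -> host, as text
    print("binary copy :", check_transfer(original, binary_transfer(original)))
    print("text copy   :", check_transfer(original, hop1))
    # In this simulation the translation is reversible, so a round trip restores
    # the bytes even though the intermediate copy is unusable: check every hop.
    print("round trip  :", check_transfer(original, hop2))
```

Pass algo="md5" to compare against the hex digest that openssl md5 prints.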


Re: ICMP ping failure

2015-10-29 Thread Bigendian Smalls
Last update (honest)  I ran several tests using new("tcp") in the script vs 
new("icmp") and they all seemed to work fine, regardless of host / etc.  A 
firewall specifically blocking tcp SYNs to unknown ports might block this; but 
basically it just sends a SYN to a port that wouldn’t likely be open (on my box 
it was port 7) and the TCP dutifully replies with a RST - basically letting the 
user know the host is alive.   As an aside (FWIW) this is how port scanners 
like NMAP work - send a SYN, wait for a SYN-ACK or a RST and never respond back 
(how cruel) - letting the scanner know the other end is there.  I would try 
this route - it’s the safest, doesn’t require privilege escalation and should 
work unless you have firewalls in the middle dropping those packets.

Best,

Chad


On Oct 29, 2015, at 10:17 AM, Bigendian Smalls wrote:

hey Venkat -

Pinging (even /bin/ping) requires root (if you look at it on a UNIX / linux 
machine it is almost always a SETUID binary, executing with root privileges) 
privileges.

The perl version is no different (same underlying reasons - opening a socket in 
raw mode is a high privilege operation).

I suspect the maintenance you applied did one of a couple things:
removed a setuid privilege from a binary or script you used to run ping with
your code changed to use icmp instead of tcp (tcp sockets do not require root, 
but the ping is not the same as an icmp ping)

Like the former - the perl5.6 pgm was a setuid (sticky bit set so the pgm ran 
as root user). Adding it back will fix this problem but (big but) ->

This is a scary prospect, as then any script run by perl would be run with root 
privileges and I really don’t think you want that.
You can also just package the script / perl up to run inside another script 
which can be owned by root and have its SETUID bit set, this may also work.  
But essentially the calling program must have effective root privileges in 
order to icmp ping.

If you google “perl icmp requires root privilege” you’ll see lots of solutions 
as this isn’t a z/os specific issue, but one of UNIX/linux permissions.


Chad


On Oct 29, 2015, at 6:51 AM, venkat kulkarni wrote:

Hello All,
We applied maintenance few months back and all went well. But
when we started looking at icmp then we are getting below issues.

SYS01:/u/venka> /usr/local/bin/perl5.6 -e 'use Net::Ping;
$p=Net::Ping->new("icmp", 2) or die bye; print "$ARGV[0] is alive \n" if
$p->ping($ARGV[0]); $p->close;' sys01
icmp ping requires root privilege at -e line 1

icmp ping requires root privilege at
/usr/local/nde/ade/bin/perl/ADE_Label_Utils.pm line 338

I am not able to find solution for this issue and where and to whom we need
to give root privilege.


Regards
Venkat

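Added example (not part of the original message, and not Net::Ping's code): the unprivileged TCP check described in the update above, written in Python. An ordinary connect() to a port that is probably closed (port 7, as in the message) is classified so that a refusal still counts as "host is up"; the function names are assumptions made for this example.

```python
import socket


def tcp_probe(host, port=7, timeout=2.0):
    """Classify a host with an ordinary TCP connect (no raw socket, no root).

    Returns "open" (handshake completed), "refused" (the host answered with a
    reset, so it is up but nothing listens there) or "no-answer" (timeout,
    unreachable, or a firewall silently dropping the SYN).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:                 # includes timeouts and unreachable errors
        return "no-answer"


def is_alive(host, port=7, timeout=2.0):
    """A refusal proves the host is there, exactly like a successful connect."""
    return tcp_probe(host, port, timeout) in ("open", "refused")


def raw_icmp_allowed():
    """Report whether this process may open the raw socket an ICMP ping needs."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except OSError:                 # PermissionError for an unprivileged caller
        return False
    sock.close()
    return True


if __name__ == "__main__":
    # Local demo: a listener on loopback, then the same port after it closes.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    print("listening port :", tcp_probe("127.0.0.1", port))
    listener.close()
    print("closed port    :", tcp_probe("127.0.0.1", port))
    print("raw ICMP socket allowed for this user:", raw_icmp_allowed())
```

A "no-answer" result does not prove the host is down, since a firewall in the path that drops the SYN produces the same outcome.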


Re: ICMP ping failure

2015-10-29 Thread Bigendian Smalls
On further inspection, just wrapping it all in a script doesn’t work.  The 
calling program or user must be effectively root (or root) so a simple script 
won’t work (as that is really just using the shell program to launch further 
commands).  You’d have to call the perl program from a user who has an 
effective ID of 0, set the SETUID bit on the perl pgm and change its owner to 
root (Danger Danger, bad idea) or build a custom binary to do it.  OR, just 
have perl script call the existing ping binary which should already have the 
appropriate permissions set up.  You can also use a TCP type ping, but I 
suspect that might not have the same effect.  TCP sockets do not require root 
permissions.


On Oct 29, 2015, at 10:17 AM, Bigendian Smalls wrote:

hey Venkat -

Pinging (even /bin/ping) requires root (if you look at it on a UNIX / linux 
machine it is almost always a SETUID binary, executing with root privileges) 
privileges.

The perl version is no different (same underlying reasons - opening a socket in 
raw mode is a high privilege operation).

I suspect the maintenance you applied did one of a couple things:
removed a setuid privilege from a binary or script you used to run ping with
your code changed to use icmp instead of tcp (tcp sockets do not require root, 
but the ping is not the same as an icmp ping)

Like the former - the perl5.6 pgm was a setuid (sticky bit set so the pgm ran 
as root user). Adding it back will fix this problem but (big but) ->

This is a scary prospect, as then any script run by perl would be run with root 
privileges and I really don’t think you want that.
You can also just package the script / perl up to run inside another script 
which can be owned by root and have its SETUID bit set, this may also work.  
But essentially the calling program must have effective root privileges in 
order to icmp ping.

If you google “perl icmp requires root privilege” you’ll see lots of solutions 
as this isn’t a z/os specific issue, but one of UNIX/linux permissions.


Chad


On Oct 29, 2015, at 6:51 AM, venkat kulkarni wrote:

Hello All,
We applied maintenance few months back and all went well. But
when we started looking at icmp then we are getting below issues.

SYS01:/u/venka> /usr/local/bin/perl5.6 -e 'use Net::Ping;
$p=Net::Ping->new("icmp", 2) or die bye; print "$ARGV[0] is alive \n" if
$p->ping($ARGV[0]); $p->close;' sys01
icmp ping requires root privilege at -e line 1

icmp ping requires root privilege at
/usr/local/nde/ade/bin/perl/ADE_Label_Utils.pm line 338

I am not able to find solution for this issue and where and to whom we need
to give root privilege.


Regards
Venkat



Re: ICMP ping failure

2015-10-29 Thread Bigendian Smalls
hey Venkat -

Pinging (even /bin/ping) requires root (if you look at it on a UNIX / linux 
machine it is almost always a SETUID binary, executing with root privileges) 
privileges.

The perl version is no different (same underlying reasons - opening a socket in 
raw mode is a high privilege operation).

I suspect the maintenance you applied did one of a couple things:
removed a setuid privilege from a binary or script you used to run ping with
your code changed to use icmp instead of tcp (tcp sockets do not require root, 
but the ping is not the same as an icmp ping)

Like the former - the perl5.6 pgm was a setuid (sticky bit set so the pgm ran 
as root user). Adding it back will fix this problem but (big but) ->

This is a scary prospect, as then any script run by perl would be run with root 
privileges and I really don’t think you want that.
You can also just package the script / perl up to run inside another script 
which can be owned by root and have its SETUID bit set, this may also work.  
But essentially the calling program must have effective root privileges in 
order to icmp ping.

If you google “perl icmp requires root privilege” you’ll see lots of solutions 
as this isn’t a z/os specific issue, but one of UNIX/linux permissions.


Chad


On Oct 29, 2015, at 6:51 AM, venkat kulkarni wrote:

Hello All,
 We applied maintenance few months back and all went well. But
when we started looking at icmp then we are getting below issues.

SYS01:/u/venka> /usr/local/bin/perl5.6 -e 'use Net::Ping;
$p=Net::Ping->new("icmp", 2) or die bye; print "$ARGV[0] is alive \n" if
$p->ping($ARGV[0]); $p->close;' sys01
icmp ping requires root privilege at -e line 1

icmp ping requires root privilege at
/usr/local/nde/ade/bin/perl/ADE_Label_Utils.pm line 338

I am not able to find solution for this issue and where and to whom we need
to give root privilege.


Regards
Venkat



Re: IBM

2015-10-19 Thread Bigendian Smalls
It's good, I think, that the HMC does this. Were it an actual emergency, it'd 
be the desired behavior.  I wonder if the HMC couldn't be configured to either 
block the scanning IP range or whitelist it so as to not phone home. I'd push 
IBM on this a little. 

I know of shops that don't even scan the HMC or mainframe itself because "some 
time ago" the TCP/IP stack crashed after a scan - or some such.  That might be 
an ok temporary solution (crashing the stack isn't probably a good thing to do 
regularly) but definitely not scanning seems short-sighted.

Agree the wolf could win the day here, but I'm not sure the wolf is the 
scanners.  The system should be able to discern an internal scan or ignore such 
attempted connections. 

Chad  

> On Oct 19, 2015, at 11:58, J O Skip Robinson  wrote:
> 
> We have sort of the opposite 'problem'. Our network security people run some 
> kind of probe against every device found on our network. When it pokes the 
> HMC, he calls home and reports a possible intruder. Then Support Center opens 
> an incident and our CE gets dragged in. I tried to get the HMCs exempted from 
> our internal probe. No dice. No exceptions. Our guys actually told me to ask 
> Support Center to ignore the HMC complaint. 
> 
> We all know the classic tale of the boy who cried wolf. If you recall, it was 
> the wolf who won the day. 
> 
> .
> .
> .
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler 
> SHARE MVS Program Co-Manager
> 626-302-7535 Office
> 323-715-0595 Mobile
> jo.skip.robin...@sce.com
> 
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of David L. Craig
> Sent: Monday, October 19, 2015 9:22 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: (External):Re: IBM
> 
>> On 15Oct16:1752+, Lance D. Jackson wrote:
>> 
>> This is disturbing: 
>> http://www.wsj.com/articles/ibm-allows-chinese-government-to-review-source-code-1444989039
> 
> If your only concern is IP misappropriation, I understand your concern.
> My concern is the possibility of backdoors in appliances like the HMC and SE 
> boxen.  The problem is we don't know just what the Chinese are looking at nor 
> for.  Neither can we know if any apparent acceptance by them of the code as 
> untainted is applicable to the code our machines are running.  Are any other 
> customers receiving such preferential treatment (perhaps the good folks at No 
> Such Agency)? 
> --
> 
> May the LORD God bless you exceedingly abundantly!
> 
> Dave_Craig__
> 


Re: Big Blue lets Chinese government eyeball source code – report

2015-10-19 Thread Bigendian Smalls
Maybe a guilty conscience is the driver ?

http://mobile.reuters.com/article/idUSKCN0SD0AT20151019

On Oct 18, 2015, at 23:13, Ed Gould wrote:

http://www.theregister.co.uk/2015/10/18/ibm_source_code_chinese_government/


Another take on the "deal"

Ed



Re: (External):Re: IBM

2015-10-17 Thread Bigendian Smalls
And - I don’t mean to imply at all that most companies are willfully abusing 
that fact, just simply that most software is a black box.

> On Oct 17, 2015, at 11:08 AM, Clark Morris  wrote:
> 
> On Sat, 17 Oct 2015 06:16:47 -0700 (PDT), in bit.listserv.ibm-main you
> wrote:
> 
>> The fact that IBM continues to issue integrity PTFs shows that their code is 
>> not perfect when it comes to integrity and therefore security.  Nobody's is. 
>>  So, it is possible, by a review of the code, that the Chinese review team 
>> can identify an integrity issue and save that for a later attack on an IBM 
>> customer.  This is a big risk.
> 
> Actually allowing any country to review code is to open an exposure.
> On the other hand all users have at least some need to verify that
> code is not exposing them.  For those users with high security needs
> and a large enough budget, having all software in house maybe using
> open source software as a starting base can make sense.  I believed
> back in the 1970s and 80s that one of the best places to put a spy was
> in the IBM software creation and distribution system.  These comments
> apply to all countries.  It would be interesting to find out which
> countries and entities are reviewing source code from the various
> vendors. I believe that Snowden supporters are naive if they believe
> that other major and not so major countries are not engaged in much
> the same activities as those he accused the United States NSA and
> other agencies of committing. If IBM is allowing the Chinese
> government to review the code, I will guarantee that other governments
> are also reviewing the code.  In addition we know that at least some
> ISV's have access to at least some of the code under non-disclosure
> agreements.  I leave to you who are citizens of various countries to
> determine how concerned you should be.
> 
> Clark Morris
>> 
>> Barry Schrager
>> Creator of ACF2
>> Member: Mainframe Hall of Fame
>> www.Enterprisesystemsmedia.com/mainframe-hall-of-fame
> 


Re: (External):Re: IBM

2015-10-17 Thread Bigendian Smalls
It does beg the question of who is looking out, software vulnerability-wise, 
for those who don’t have enough clout to review source code.   As Barry 
mentions, there is no such thing as perfect code.   There is a lot of trust out 
there I think, and not enough skepticism / push back in this area.  Not that 
open source is a panacea, or the right answer everywhere - certainly we’ve seen 
in the last few years major ugly bugs in open source software (OpenSSL, for 
instance).  But, at least there is a wider audience and the opportunity to 
review it.   The recent Volkswagen fiasco is a good example of willful misuse of 
the fact that little corporate software IP is reviewed outside the 
‘mothership’, if you will.

Chad

> On Oct 17, 2015, at 11:08 AM, Clark Morris  wrote:
> 
> On Sat, 17 Oct 2015 06:16:47 -0700 (PDT), in bit.listserv.ibm-main you
> wrote:
> 
>> The fact that IBM continues to issue integrity PTFs shows that their code is 
>> not perfect when it comes to integrity and therefore security.  Nobody's is. 
>>  So, it is possible, by a review of the code, that the Chinese review team 
>> can identify an integrity issue and save that for a later attack on an IBM 
>> customer.  This is a big risk.
> 
> Actually allowing any country to review code is to open an exposure.
> On the other hand all users have at least some need to verify that
> code is not exposing them.  For those users with high security needs
> and a large enough budget, having all software in house maybe using
> open source software as a starting base can make sense.  I believed
> back in the 1970s and 80s that one of the best places to put a spy was
> in the IBM software creation and distribution system.  These comments
> apply to all countries.  It would be interesting to find out which
> countries and entities are reviewing source code from the various
> vendors. I believe that Snowden supporters are naive if they believe
> that other major and not so major countries are not engaged in much
> the same activities as those he accused the United States NSA and
> other agencies of committing. If IBM is allowing the Chinese
> government to review the code, I will guarantee that other governments
> are also reviewing the code.  In addition we know that at least some
> ISV's have access to at least some of the code under non-disclosure
> agreements.  I leave to you who are citizens of various countries to
> determine how concerned you should be.
> 
> Clark Morris
>> 
>> Barry Schrager
>> Creator of ACF2
>> Member: Mainframe Hall of Fame
>> www.Enterprisesystemsmedia.com/mainframe-hall-of-fame
> 


Re: IBM

2015-10-16 Thread Bigendian Smalls
Positively terrifying.   I know large companies often get to review unthinkable 
source code, because of the risks this article states.  But a foreign 
government, and China no less - seems risky.  I’m sure it is done ‘eyes only’ 
and they don’t actually get to keep a copy.  But still, stealing IP would be 
the one bad outcome - finding ugly undisclosed vulnerabilities quite another.

> On Oct 16, 2015, at 12:52 PM, Lance D. Jackson 
>  wrote:
> 
> This is disturbing: 
> http://www.wsj.com/articles/ibm-allows-chinese-government-to-review-source-code-1444989039
> 


Re: Having the mainframe on YouTube

2015-10-15 Thread Bigendian Smalls
Thanks Jack!  - Chad
> On Oct 15, 2015, at 2:49 PM, Jack J. Woehr  wrote:
> 
> Mark Post wrote:
>> Related to this, Chad Rikansrud has written a blog post about APAR OA43999 
>> and just how much that APAR improves RACF's encryption.  
>> See http://www.bigendiansmalls.com/racf-gets-serious-about-password-encryption
>>   if you're interested.  The improvement is actually pretty impressive.
>> 
> 
> Nice presentation, learned more from that about RACF than I ever learned 
> administering it back in the 1990's!
> 
> -- 
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the universe
> www.softwoehr.com # with a fine understanding of human fallibility. - Carl 
> Sagan
> 