Re: [Very much off-topic] Re: AI is the real deal.

[Lennie Dymoke-Bradshaw]

Sorry, the date has been truncated on the left. 
That should be 11994.

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Allan Staller
Sent: 22 February 2024 19:42
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [Very much off-topic] Re: AI is the real deal.

Classification: Confidential

The last mainframe will be turned off in 1994 - Gartner Group

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Seymour J Metz
Sent: Thursday, February 22, 2024 11:11 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [Very much off-topic] Re: AI is the real deal.

[CAUTION: This Email is from outside the Organization. Unless you trust the 
sender, Don’t click links or open attachments as it may be a Phishing email, 
which can steal your Information and compromise your Computer.]

A 5-year prediction is generally safe, because in 5 years people will have 
forgotten the predictions. Who remembers the failed 5-year predictions for, 
e.g., controlled fusion, human level machine translation?

I expect it to eventually happen, but as for when, Hypotheses non fingo 
.

On the flip side, hand optimization for pipelined machines is labor intensive 
and fragile; a compiler with an ARCHLVL parameter is better suited for the job.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of Tom 
Harper <05bfa0e23abd-dmarc-requ...@listserv.ua.edu>
Sent: Thursday, February 22, 2024 11:54 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [Very much off-topic] Re: AI is the real deal.

Dave,

I was told the same thing 54 years ago when I starting working at CalTrans. 
Managers would just be able to code in COBOL PROFITS = SALES - EXPENSES and we 
would all be out of a job.

Of course, there are more programmers now  than at any time in history.

The question of assembler comes up from time to time, and the question has more 
nuances than you might think.

As it turns out, there are lines of code and lines of executed code. What that 
means is that lines of code that are executed frequently are seldom written in 
a compiled language but are instead written in assembler.

A good example is sort. In the 1970s sort typically used about a third of all 
processor and channel resources on a mainframe. Today that number is far lower, 
in the mid-teens despite the fact that much more data is being sorted.

The reason for this is that some very brilliant assembler programmers at 
SyncSort and the  IBM Dfsort team wrote code to highly optimize sorting and 
related functions. I’m counting PL/S as essentially assembler in this instance.

The same is true at BMC Software and my own company Phoenix Software 
International: highly optimized assembler code greatly improved performance.

Even though there are almost uncountable lines of COBOL code, it makes for a 
tiny fraction of executed code. Most compiled languages execute a few 
instructions and then invoke a CICS, IMS, or DB2 function.

Starting in the 1980s, corporations the world over began to understand that it 
was much more cost-effective to buy or lease software from a vendor than 
develop it in house. These developers left the end-user companies and went to 
software houses where they primarily write in assembler. Now ever piece of 
software usually has parts that are not performance-sensitive, so they might 
get written in C++ or Rex or some other compiled language.

I’ve grown up with software, having written my first program in 1960.

Assembler won’t be gone in five years or anytime can the foreseeable future.

So I would revisit your thoughts.

Tom Harper

Phoenix Software International

Sent from my iPhone

> On Feb 22, 2024, at 11:07 AM, Dave Beagle 
> <0525eaef6620-dmarc-requ...@listserv.ua.edu> wrote:
>
> Assembler programming will be almost nonexistent in 5 years.
>
>
> Sent from Yahoo Mail for iPhone
>
>
> On Thursday, February 22, 2024, 10:32 AM, Robert Prins 
> <05be6ef5bfea-dmarc-requ...@listserv.ua.edu> wrote:
>
> AI?
>
> More AS!
>
> This is on LinkedIn, it's AI generated and you can probably sue them 
> for jaw-dislocation due to excessive laughter:
>
> <
> https://www/.
> linkedin.com%2Fadvice%2F0%2Fhow-can-developers-take-ownership-bugs-ski
> lls-system-development-x9cve&data=05%7C02%7Callan.staller%40HCL.COM%7C
> cc68e10c66f6488fb04408dc33c94dc1%7C189de737c93a4f5a8b686f4ca9941912%7C
> 0%7C0%7C638442186902794249%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDA
> iLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=3tT
> lvB8EH2KJyndo7QBf0U7KKjNBcexrXzghUxXy%2F5Q%3D&reserved=0
>>
>
>> On Wed, 21 Feb 2024 at 23:37, Dave Beagle < 
>> 0525eaef6620-dmarc-requ...@listserv.ua.edu> wrote:
>>
>> Well, today was NVIDIA earnings day. They are the bellwether for AI.
>> Theirs is the premier AI chip commanding top dollar. And they

Re: [EXTERNAL] Question

[Lennie Dymoke-Bradshaw]

I have the CDs.
I could create an image. I assume you have an activation key.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Steve Beaver
Sent: 20 February 2024 22:30
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Question

I'd like to find a set Office 2010 of install media

Regards,


Steve Beaver


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Pommier, Rex
Sent: Tuesday, February 20, 2024 1:06 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Question

For my personal use, nope.  Still using 2010.  At work, they're moving us to
365.  

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Steve Beaver
Sent: Tuesday, February 20, 2024 12:37 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Question

I have run MS Office 2010 for years.

 

Has anyone in the group Subscribed to Office 365 since there is

No more MS Office.  I also have my own domain for email

 

Thanks

 

Steve

 


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
The information contained in this message is confidential, protected from
disclosure and may be legally privileged. If the reader of this message is
not the intended recipient or an employee or agent responsible for
delivering this message to the intended recipient, you are hereby notified
that any disclosure, distribution, copying, or any action taken or action
omitted in reliance on it, is strictly prohibited and may be unlawful. If
you have received this communication in error, please notify us immediately
by replying to this message and destroy the material in its entirety,
whether in electronic or hard copy format. Thank you.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

AT-TLS policy for NJE

[Lennie Dymoke-Bradshaw]

I am looking for a set of AT-TLS policy statement for NJE, but have been
unable to find them in the JES2 documentation.

Am I looking in the wrong place? Can anyone point me to where these might
be?

 

Thanks

Lennie


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Tn3270 back door

[Lennie Dymoke-Bradshaw]

If you have any other route to the system such as NJE you could submit a batch 
job to fix it.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
James Cradesh
Sent: 16 February 2024 10:55
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Tn3270 back door

I’m locked out of my test lpar.  The ssl cert expired.  A new cert was uploaded 
but the tn3270 doesn’t see it. I did refresh Pagent but it didn’t help.  How do 
you get around this situation?  Is there a way to enable the non ssl port?

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Insecure security - was SDSF PS Command column

[Lennie Dymoke-Bradshaw]

I would hope they are instead using a password generator and password safe such 
as Keepass, Passwordsafe, Lastpass or Bitwarden. Writing things down is not so 
good.
Welcome to the world of zero-trust.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Pommier, Rex
Sent: 14 February 2024 15:13
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Insecure security - was SDSF PS Command column

Steve,

You make a good point about making security so onerous one can't use it.  At my 
employer, we use a third party cloud application (unnamed to conceal the 
perpetrator) that doesn't use multi-factor yet.  However their password to get 
in has to be a minimum of 16 characters.  No problem, right, just use a 
passphrase type password.  However, they also require upper, lower, number, and 
special character.  And they keep a history of 10 prior passwords and require a 
change every 60 days.  Their requirements pretty much guarantee most people 
will be writing the passwords down, thus bypassing a lot of the security they 
think they have.  

Rex

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Steve Thompson
Sent: Wednesday, February 14, 2024 8:49 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: SDSF PS Command column

Seymour, this is a very interesting observation you made.

I'm now experiencing similar

With a certain banking system we use, you logon, and then you have to prove you 
are the person you say you are by providing more information. While having 2 
factor authentication.

With a certain cell provider, you have to login, then provide your PIN, then 
tell them your IMEI 

How many people have that information memorized?

At some point we make being secure, *insecure,* because we won't talk to you 
because we can't be sure you are who you say you are, even with 2 factor 
authentication, and your password.

Corporate paranoia.

Steve Thompson

On 2/13/2024 11:31 PM, Seymour J Metz wrote:
> The  problem is not auditors; it is incompetent auditors.
>
> In the Army they taught us that preventing authorized access is a security 
> violation. An unthinking automatic timeout is a DOS attack when it prevents 
> running an annual job.
>
> --
> Shmuel (Seymour J.) Metz
> https://urldefense.com/v3/__http://mason.gmu.edu/*smetz3__;fg!!KjMRP1I
> xj6eLE0Fj!r3eDyWon_gy4rfKn8xiwhaf7-aligjydAdLV_p-26FcFegDBRI5PS9lR5OH9
> bl_WBA3n8nAu4SOXe5hz$
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>
> 
> From: IBM Mainframe Discussion List  on 
> behalf of Farley, Peter 
> <031df298a9da-dmarc-requ...@listserv.ua.edu>
> Sent: Monday, February 5, 2024 12:27 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: SDSF PS Command column
>
> I am constantly amazed at how much this whole “zero trust” meme is violating 
> the concept of sharing everything among application developers.  I for one 
> have no qualms about any other application programmer at my shop seeing any 
> coding I am doing (though I might be occasionally embarrassed by my own dumb 
> mistakes).
>
> It is not “innocent” to share access to application programming information 
> and styles and pitfalls, it is crucial to application programmer development 
> and advancement.  We learn from each other, especially from sharing our 
> mistakes as well as our best practices and clever innovations.
>
> Add to that stupid security rules like “if you didn’t access this resource 
> for the last 180 days we revoke your access to that resource”, which causes 
> all kinds of headaches when you have to suddenly deal with issues in a yearly 
> weekend production process and you don’t have read rights to the data files 
> you need to view to resolve the issue and the security team only works 9 to 5 
> weekdays and the on-call is out shopping somewhere.
>
> Shakespeare was almost right – first get rid of all the auditors, the lawyers 
> are easy to deal with compared to them.
>
> Peter
> From: IBM Mainframe Discussion List  On 
> Behalf Of Paul Gilmartin
> Sent: Monday, February 5, 2024 11:02 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: SDSF PS Command column
>
>
> On Mon, 5 Feb 2024 11:02:07 +, Rob Scott wrote:
>
>> ...
>> As to "why don't you just fix it ?"tstyle questions, we have to consider 
>> quite a few compatibility issues across n-2 releases especially when the 
>> "fix" requires changes to configuration and security ...
> Such as users' embedding cryptographic keys in commands?  Ugh!
>
>
>
> UNIX arose in a more innocent age when no one worried much about such as:
>
>  ls -lt /u
>
>
>
> --
>
> This message and any attachments are intended only for the use of the 
> addressee and may contain information that is privileged and confidential. If 
> the reader of the message is not the intended recipient or an authorized 
> representative of the intended recipient, you are hereby notified that any 
> dissemination of this communication is strictly pr

Re: How read Cyl 0 from within a program?

[Lennie Dymoke-Bradshaw]

The VTOC will be wherever it was placed during volume initialisation. It is not 
in any fixed position. The IPL records are distinct from the VTOC.

Using ABSTR may be possible, but you will almost certainly have a problem using 
a DSN parameter as whatever you place there will get a 213-04 abend.
So, it may require opening another data set on the volume and then altering the 
DEB after it is opened, so that the extents in the DEB cover the tracks you 
want.  Dodgy stuff.

I have tried to use ADRDSSU to copy cylinder 0, to another data set but I keep 
getting a problem with IGWNOTIF (RC=8, Reas=121A0802). Given that I am doing 
nothing with PDSEs I think this may be a bug. 

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Mike Shaw
Sent: 13 February 2024 22:22
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How read Cyl 0 from within a program?

I have used this JCL to open a VTOC to read it:

//DD1 DD UNIT=3390,DISP=SHR,DSN=FORMAT4.DSCB,VOL=SER=xx

The VTOC might be adjacent to track zero, but I am not sure the DEB for an open 
VTOC would include track zero.

Mike Shaw
MVS/QuickRef Support Group
Chicago-Soft, Ltd.


On Tue, Feb 13, 2024, 1:19 PM Charles Mills  wrote:

> I am interested in writing a program to read the IPL records from a 
> DASD volume. (Read only, not update). I am comfortable with XDAP but 
> how do I OPEN a "dataset" that would include cylinder 0?
>
> APF, OPERATIONS and so forth are not out of the question.
>
> Thanks,
> Charles
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Banks migrate from mainframes to AI-driven cloud

[Lennie Dymoke-Bradshaw]

" I have not seen a RISC system in 30 years"
" Sent from my iPhone"

What irony.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Steve Beaver
Sent: 10 February 2024 15:52
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Banks migrate from mainframes to AI-driven cloud

I have not seen a RISC system in 30 years 


Sent from my iPhone

No one said I could type with one thumb 

> On Feb 10, 2024, at 09:27, Arthur Fichtl  wrote:
> 
> Am 10.02.2024 um 06:00 schrieb IBM-MAIN automatic digest system:
> migration from the mainframe?
> 
> The mainframe as a piece of hardware might vanish. But the Exabytes  of MF 
> software might move to some sort of virtualization platform, I guess, may 
> that be  based on Intel, cloud, or RISC .
> 
> 
> --
> Diese E-Mail wurde von Avast-Antivirussoftware auf Viren geprüft.
> www.avast.com
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: HLQ of Page Dataset Names

[Lennie Dymoke-Bradshaw]

Experience shows me that this is also possible for VSAM ICSF key stores and 
VSAM RACF databases. In practice it apples to any VSAM data set I think. 
However, it may be designed for those cases noted.
I think any IDCAMS alteration of the VSAM object (e.g. ALTER NEWNAME) must be 
performed through the catalog that actually owns the object. The entries in 
non-owning catalogs can be used for access only.

Lennie
Lennie Dymoke-Bradshaw
https: //rsclweb.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Styles, Andy (CIO GS&S - Core Infrastructure & IT Operations )
Sent: 09 February 2024 16:07
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: HLQ of Page Dataset Names

Classification: Public

Certainly as far as catalog entries go, page datasets have some super powers, 
like SYS1. From experience, the catalog that the page datasets (and others) 
were originally defined in has no bearing on the catalog currently in use. From 
the DEFINE CLUSTER RECATALOG manual entry (though I see what appears to be an 
editorial side note is still included as text even in the 3.1 manual 😊).


RECATALOG
Recreates the catalog entries if valid VVDS entries are found on the primary 
VVDS volume. If they are not, the command ends.
When recataloging entries (including zFS files) with indirect volsers, the VVDS 
on the substituted volser must contain a valid NVRs or VVRs that match the 
entry name.

Catalog entries can be re-created only in the catalog specified in the VVR 
except for entries that are swap space, page space, or SYS1 data sets. Change 
this to Catalog entries can be re-created only in the catalog specified in the 
VVR except for entries that are swap space, page space, SYS1 data sets or 
single volume zFS VSAM Linear data sets with an indirect volume serial.


Andy Styles
z/Series Systems Programmer


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
David Elliot
Sent: Friday, February 9, 2024 3:17 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: HLQ of Page Dataset Names

[Some people who received this message don't often get email from 
05829bddcbe4-dmarc-requ...@listserv.ua.edu. Learn why this is important at 
https://aka.ms/LearnAboutSenderIdentification ]

*** This email is from an external source - be careful of attachments and 
links. Please report suspicious emails ***

Are you talking about choosing your own HLQ for page datasets?



On Fri, Feb 9, 2024, 2:54 PM Mark Jacobs < 
0224d287a4b1-dmarc-requ...@listserv.ua.edu> wrote:

> I seem to recall, but can't find anything that confirms my 
> recollection that certain HLQs such as SYS1 and PAGE have special 
> powers as relating to systems programmer type management activities.
> Can anyone point me to the documentation if true, or tell me I'm incorrect if 
> I am? Thanks.
>
> Mark Jacobs
>
> Sent from
> [ProtonMail](https://protonmail.com/), Swiss-based encrypted email.
>
> GPG Public Key -
> https://api/.
> protonmail.ch%2Fpks%2Flookup%3Fop%3Dget%26search%3Dmarkjacobs%40proton
> mail.com&data=05%7C02%7CAndy.Styles%40lloydsbanking.com%7Ced61797b2ea3
> 44ef309808dc298256a3%7C3ded2960214a46ff8cf4611f125e2398%7C0%7C0%7C6384
> 30886983227735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2l
> uMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=jlNqycjuJx9RK%2
> BxmZhesNpzxnm52rIxLW8ON9tZLtRQ%3D&reserved=0
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN Lloyds Banking Group 
plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland 
no. SC95000. Telephone: 0131 225 4555.

Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. 
Registered in England and Wales no. 2065. Telephone 0207626 1500.

Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. 
Registered in Scotland no. SC327000. Telephone: 03457 801 801.

Lloyds Bank Corporate Markets plc. Registered office: 25 Gresham Street, London 
EC2V 7HN. Registered in England and Wales no. 10399850.

Scottish Widows Schroder Personal Wealth Limited. Registered Office: 25 Gresham 
Street, London EC2V 7HN. Registered in England and Wales no. 11722983.

Lloyds Bank plc, Bank of Scotland plc and Lloyds Bank Corporate Markets plc are 
authorised by the Prudential Regulation Authority and regulated by the 
Financial Conduct Authority and Prudential Regulation Authority.

Scottish Widows Schroder Personal Wealth Limited is authorised and regulated by 
the Financial Conduct Authority.

Lloyds Bank Corporate Markets Wertpapierh

Where are Unix reason codes over 7371 documented

[Lennie Dymoke-Bradshaw]

I am trying to debug a situation in zSecure where I am getting this message
from the CKNSERVR address space.

CKN017I 12 BPX1AIO connect failed on socket 1 RC 111 permission denied,
reason 7663 730Cx

   Port 7173 of 192.168.11.100

BPX1AIO documents that its return and reason codes are in the UNIX messages
and codes manual.

I am looking in manual SA23-2284-60 but the values for errnojr only go up to
7371.

Where can I find the documentation for higher values?

Lennie

 

 

   


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Antiquarian Curiosity: Pre-MVS/XA Mount Command for DASD Volumes

[Lennie Dymoke-Bradshaw]

I still use MOUNT commands on my zPDT z/OS 3.1 system to bring new volumes
online, in flight.
It would be similarly used, I think, if new DASD was made available on any
system.
Lennie Dymoke-Bradshaw

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Michael Watkins
Sent: 01 February 2024 17:46
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Antiquarian Curiosity: Pre-MVS/XA Mount Command for DASD
Volumes

Wow! I did not realize that this was still part of the system console
command documentation. Thanks!

Thanks to all that replied.


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Jim Mulder
Sent: Thursday, February 1, 2024 11:25 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Antiquarian Curiosity: Pre-MVS/XA Mount Command for DASD
Volumes

CAUTION: This email originated from outside of the Texas Comptroller's email
system.
DO NOT click links or open attachments unless you expect them from the
sender and know the content is safe.

https://www.ibm.com/docs/en/zos/3.1.0?topic=reference-mount-command

Jim Mulder

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Michael Watkins
Sent: Thursday, February 1, 2024 11:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Antiquarian Curiosity: Pre-MVS/XA Mount Command for DASD Volumes

Before MVS/XA and RAID DASD, offline DASD volumes (e.g. 3330, 3350 & 3380
units) had to be mounted instead of simply being varied online. The mount
command used the volser of the offline DASD volume as a parameter.

Does anyone remember the format of the mount command?

Does anyone have the documentation in .pdf format?

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Encryption and decryption - processor or TCPIP

[Lennie Dymoke-Bradshaw]

You will need at least a CPACF to initialise ICSF.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Tony Harminc
Sent: 24 January 2024 18:55
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP

On Wed, 24 Jan 2024 at 12:38, Phil Smith III  wrote:

> Peter wrote:
> >Still I am trying to understand encryption and decryption load goes 
> >to general CP Incase if you don't have CPACF or ICSF ?
>
> Even with CPACF and ICSF, some/most of the encryption load is on the CPU.
> They aren't magic. CPACF is faster, but it's still fundamentally 
> executing Z instructions in the millicode.
>

Really? Surely there is on-chip crypto hardware that the millicode invokes to 
do much of the work? I can't imagine it's just like the millicode 
implementation of the sort instructions or something.

But I think the OP deserves a simple answer: YES. If there's no crypto hardware 
then ICSF will do it all using ordinary zArch instructions.
Probably there are a few things it can't do, like true random number 
generation, but generally you don't need any crypto hardware at all.

In the early days there was (is?) even an ability to plug your own crypto 
provider software into the back end of ICSF, with interface documentation "by 
request only".

Tony H.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Encryption and decryption - processor or TCPIP

[Lennie Dymoke-Bradshaw]

Sorry MaRtin.
L

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Lennie Dymoke-Bradshaw
Sent: 24 January 2024 13:09
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP

Matin said " Easily managed by provisioning enough zIIP."
As one of my old manager's used to say, "you can solve anything with a pot
of gold".

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Martin Packer
Sent: 24 January 2024 12:51
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP

Thanks. Then if I see zIIP for TCP/IP I should tentatively conclude it's
this. The interesting bit would be if this zIIP usage were large - and
pre-empting Db2 Engine. Easily managed by provisioning enough zIIP.

Cheers, Martin

From: IBM Mainframe Discussion List  on behalf of
Lennie Dymoke-Bradshaw <032fff1be9b4-dmarc-requ...@listserv.ua.edu>
Date: Wednesday, 24 January 2024 at 11:58
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: [EXTERNAL] Re: Encryption and decryption - processor or TCPIP
Martin,

As Timothy has pointed out, it is for IPSEC processing that a zIIP is used,
not AT/TLS. I think you are correct that this would show against the TCP/IP
address space. But I think you should confirm that with others. (e.g. Chris
Meyer)

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Martin Packer
Sent: 24 January 2024 10:10
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP


In the back of my mind I also think that the crypto processing for TCP/IP
could be performed on a zIIP processor (which could be using its CPACF, of
course).


Lennie, or anybody who knows, which address space would show zIIP CPU time
under those circumstances? I'm assuming TCP/IP address space(s) - which
generally are in SYSSTC and so above eg Db2 Engine.

(At this point I'm interested in detecting / sizing such goings on -
probably with SMF 30.)

Thanks, Martin

From: IBM Mainframe Discussion List  on behalf of
Lennie Dymoke-Bradshaw <032fff1be9b4-dmarc-requ...@listserv.ua.edu>
Date: Wednesday, 24 January 2024 at 09:53
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: [EXTERNAL] Re: Encryption and decryption - processor or TCPIP Tom,

It is possible to initialise ICSF without a Crypto Express card. I have done
it. Changes were made to ICSF in support of that initialisation many years
ago. It does require the CPACF. However, this only supports clear keys in
the CKDS. The CKDS formatting is different in some way and cannot be
converted to a secure key CKDS. I don't know if there is a way of using the
PKDS or TKDS in this configuration. I have been told it is possible to run
Data set encryption with CPACF only and a clear key CKDS, but I have not
tried this.

My understanding is that System SSL libraries use code that works out what
facilities are available and uses the "best" option.

CPACF on the later machines has some support for asymmetric keys so that
could potentially help with handshakes. Earlier machines with CPACF could
only do symmetric key processing.

In the back of my mind I also think that the crypto processing for TCP/IP
could be performed on a zIIP processor (which could be using its CPACF, of
course).

Lennie Dymoke-Bradshaw
https: //rsclweb.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Tom Brennan
Sent: 24 January 2024 08:49
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP

Woah... right now I'm only about 1000 miles from Timothy so I get to see his
responses in real time and not California time :)

So Timothy (and probably just for me), I've seen a couple of sites without
crypto HSM cards not bother to run ICSF.  Can I assume in that case there's
pretty-much no way any encryption processing could be using CPACF?

On 1/24/2024 12:29 AM, Timothy Sipples wrote:
> Peter wrote:
>> I have a general question here. When you don't have crypto processor, 
>> So when a ATTLS traffic is enabled does the encryption and decryption 
>> handled by Started task TCPIP or the general processor?
>
> I've seen some of the follow-up messages, and it seems like you're 
> trying
to troubleshoot a performance/throughput-related issue. Or at least you'd
like to understand what changed, why you may be observing an elongation in
your transaction times from CICS's perspective.
>
> "Crypto processor" could refer to the CP Assist for Cryptographic
Functions (CPACF) or to the IBM Crypto Express hardware security modules
(HSMs). CPACF is an integral part of every main processor that's on every
modern IBM Z and all IBM LinuxONE machine models. You need to have Feature
Code 3863 installed to enable CPACF's full set of cryptographic algorithms.
So just make sure that feature co

Re: Encryption and decryption - processor or TCPIP

[Lennie Dymoke-Bradshaw]

Matin said " Easily managed by provisioning enough zIIP."
As one of my old manager's used to say, "you can solve anything with a pot
of gold".

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Martin Packer
Sent: 24 January 2024 12:51
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP

Thanks. Then if I see zIIP for TCP/IP I should tentatively conclude it's
this. The interesting bit would be if this zIIP usage were large - and
pre-empting Db2 Engine. Easily managed by provisioning enough zIIP.

Cheers, Martin

From: IBM Mainframe Discussion List  on behalf of
Lennie Dymoke-Bradshaw <032fff1be9b4-dmarc-requ...@listserv.ua.edu>
Date: Wednesday, 24 January 2024 at 11:58
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: [EXTERNAL] Re: Encryption and decryption - processor or TCPIP
Martin,

As Timothy has pointed out, it is for IPSEC processing that a zIIP is used,
not AT/TLS. I think you are correct that this would show against the TCP/IP
address space. But I think you should confirm that with others. (e.g. Chris
Meyer)

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Martin Packer
Sent: 24 January 2024 10:10
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP


In the back of my mind I also think that the crypto processing for TCP/IP
could be performed on a zIIP processor (which could be using its CPACF, of
course).


Lennie, or anybody who knows, which address space would show zIIP CPU time
under those circumstances? I'm assuming TCP/IP address space(s) - which
generally are in SYSSTC and so above eg Db2 Engine.

(At this point I'm interested in detecting / sizing such goings on -
probably with SMF 30.)

Thanks, Martin

From: IBM Mainframe Discussion List  on behalf of
Lennie Dymoke-Bradshaw <032fff1be9b4-dmarc-requ...@listserv.ua.edu>
Date: Wednesday, 24 January 2024 at 09:53
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: [EXTERNAL] Re: Encryption and decryption - processor or TCPIP Tom,

It is possible to initialise ICSF without a Crypto Express card. I have done
it. Changes were made to ICSF in support of that initialisation many years
ago. It does require the CPACF. However, this only supports clear keys in
the CKDS. The CKDS formatting is different in some way and cannot be
converted to a secure key CKDS. I don't know if there is a way of using the
PKDS or TKDS in this configuration. I have been told it is possible to run
Data set encryption with CPACF only and a clear key CKDS, but I have not
tried this.

My understanding is that System SSL libraries use code that works out what
facilities are available and uses the "best" option.

CPACF on the later machines has some support for asymmetric keys so that
could potentially help with handshakes. Earlier machines with CPACF could
only do symmetric key processing.

In the back of my mind I also think that the crypto processing for TCP/IP
could be performed on a zIIP processor (which could be using its CPACF, of
course).

Lennie Dymoke-Bradshaw
https: //rsclweb.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Tom Brennan
Sent: 24 January 2024 08:49
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP

Woah... right now I'm only about 1000 miles from Timothy so I get to see his
responses in real time and not California time :)

So Timothy (and probably just for me), I've seen a couple of sites without
crypto HSM cards not bother to run ICSF.  Can I assume in that case there's
pretty-much no way any encryption processing could be using CPACF?

On 1/24/2024 12:29 AM, Timothy Sipples wrote:
> Peter wrote:
>> I have a general question here. When you don't have crypto processor, 
>> So when a ATTLS traffic is enabled does the encryption and decryption 
>> handled by Started task TCPIP or the general processor?
>
> I've seen some of the follow-up messages, and it seems like you're 
> trying
to troubleshoot a performance/throughput-related issue. Or at least you'd
like to understand what changed, why you may be observing an elongation in
your transaction times from CICS's perspective.
>
> "Crypto processor" could refer to the CP Assist for Cryptographic
Functions (CPACF) or to the IBM Crypto Express hardware security modules
(HSMs). CPACF is an integral part of every main processor that's on every
modern IBM Z and all IBM LinuxONE machine models. You need to have Feature
Code 3863 installed to enable CPACF's full set of cryptographic algorithms.
So just make sure that feature code is installed on all your machines. CPACF
is an integral part of your main processors that supports additional
instructions that accelerate lots of cryptographic operations.
>
> IBM Crypto Express HSMs are optional (but strongl

Re: Encryption and decryption - processor or TCPIP

[Lennie Dymoke-Bradshaw]

Martin,

As Timothy has pointed out, it is for IPSEC processing that a zIIP is used,
not AT/TLS. I think you are correct that this would show against the TCP/IP
address space. But I think you should confirm that with others. (e.g. Chris
Meyer)

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Martin Packer
Sent: 24 January 2024 10:10
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP


In the back of my mind I also think that the crypto processing for TCP/IP
could be performed on a zIIP processor (which could be using its CPACF, of
course).


Lennie, or anybody who knows, which address space would show zIIP CPU time
under those circumstances? I'm assuming TCP/IP address space(s) - which
generally are in SYSSTC and so above eg Db2 Engine.

(At this point I'm interested in detecting / sizing such goings on -
probably with SMF 30.)

Thanks, Martin

From: IBM Mainframe Discussion List  on behalf of
Lennie Dymoke-Bradshaw <032fff1be9b4-dmarc-requ...@listserv.ua.edu>
Date: Wednesday, 24 January 2024 at 09:53
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: [EXTERNAL] Re: Encryption and decryption - processor or TCPIP Tom,

It is possible to initialise ICSF without a Crypto Express card. I have done
it. Changes were made to ICSF in support of that initialisation many years
ago. It does require the CPACF. However, this only supports clear keys in
the CKDS. The CKDS formatting is different in some way and cannot be
converted to a secure key CKDS. I don't know if there is a way of using the
PKDS or TKDS in this configuration. I have been told it is possible to run
Data set encryption with CPACF only and a clear key CKDS, but I have not
tried this.

My understanding is that System SSL libraries use code that works out what
facilities are available and uses the "best" option.

CPACF on the later machines has some support for asymmetric keys so that
could potentially help with handshakes. Earlier machines with CPACF could
only do symmetric key processing.

In the back of my mind I also think that the crypto processing for TCP/IP
could be performed on a zIIP processor (which could be using its CPACF, of
course).

Lennie Dymoke-Bradshaw
https: //rsclweb.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Tom Brennan
Sent: 24 January 2024 08:49
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP

Woah... right now I'm only about 1000 miles from Timothy so I get to see his
responses in real time and not California time :)

So Timothy (and probably just for me), I've seen a couple of sites without
crypto HSM cards not bother to run ICSF.  Can I assume in that case there's
pretty-much no way any encryption processing could be using CPACF?

On 1/24/2024 12:29 AM, Timothy Sipples wrote:
> Peter wrote:
>> I have a general question here. When you don't have crypto processor, 
>> So when a ATTLS traffic is enabled does the encryption and decryption 
>> handled by Started task TCPIP or the general processor?
>
> I've seen some of the follow-up messages, and it seems like you're 
> trying
to troubleshoot a performance/throughput-related issue. Or at least you'd
like to understand what changed, why you may be observing an elongation in
your transaction times from CICS's perspective.
>
> "Crypto processor" could refer to the CP Assist for Cryptographic
Functions (CPACF) or to the IBM Crypto Express hardware security modules
(HSMs). CPACF is an integral part of every main processor that's on every
modern IBM Z and all IBM LinuxONE machine models. You need to have Feature
Code 3863 installed to enable CPACF's full set of cryptographic algorithms.
So just make sure that feature code is installed on all your machines. CPACF
is an integral part of your main processors that supports additional
instructions that accelerate lots of cryptographic operations.
>
> IBM Crypto Express HSMs are optional (but strongly recommended!) 
> features that are installed as cards in your IBM Z or IBM LinuxONE 
> server's PCI slots. In recent models there are two variants of the IBM 
> Crypto Express cards: "single port" and "dual port." Dual port means 
> that there are two physical HSMs per card. It's simply a higher 
> density card that allows you to support more HSM domains and modes 
> within a smaller physical space, analogous to the difference between a 
> fully populated processor drawer and a partially populated one.
> Whether you get the single port or dual port variant (or some of 
> both), their role is to protect secrets, especially private encryption 
> keys. They have their own onboard processors to execute cryptographic 
> operations, and you need them to move beyond "clear key" cryptography.
> Clear key

Re: Encryption and decryption - processor or TCPIP

[Lennie Dymoke-Bradshaw]

Tom,

It is possible to initialise ICSF without a Crypto Express card. I have done
it. Changes were made to ICSF in support of that initialisation many years
ago. It does require the CPACF. However, this only supports clear keys in
the CKDS. The CKDS formatting is different in some way and cannot be
converted to a secure key CKDS. I don't know if there is a way of using the
PKDS or TKDS in this configuration. I have been told it is possible to run
Data set encryption with CPACF only and a clear key CKDS, but I have not
tried this.

My understanding is that System SSL libraries use code that works out what
facilities are available and uses the "best" option.

CPACF on the later machines has some support for asymmetric keys so that
could potentially help with handshakes. Earlier machines with CPACF could
only do symmetric key processing.

In the back of my mind I also think that the crypto processing for TCP/IP
could be performed on a zIIP processor (which could be using its CPACF, of
course).

Lennie Dymoke-Bradshaw
https: //rsclweb.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Tom Brennan
Sent: 24 January 2024 08:49
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encryption and decryption - processor or TCPIP

Woah... right now I'm only about 1000 miles from Timothy so I get to see his
responses in real time and not California time :)

So Timothy (and probably just for me), I've seen a couple of sites without
crypto HSM cards not bother to run ICSF.  Can I assume in that case there's
pretty-much no way any encryption processing could be using CPACF?

On 1/24/2024 12:29 AM, Timothy Sipples wrote:
> Peter wrote:
>> I have a general question here. When you don't have crypto processor, 
>> So when a ATTLS traffic is enabled does the encryption and decryption 
>> handled by Started task TCPIP or the general processor?
> 
> I've seen some of the follow-up messages, and it seems like you're trying
to troubleshoot a performance/throughput-related issue. Or at least you'd
like to understand what changed, why you may be observing an elongation in
your transaction times from CICS's perspective.
> 
> "Crypto processor" could refer to the CP Assist for Cryptographic
Functions (CPACF) or to the IBM Crypto Express hardware security modules
(HSMs). CPACF is an integral part of every main processor that's on every
modern IBM Z and all IBM LinuxONE machine models. You need to have Feature
Code 3863 installed to enable CPACF's full set of cryptographic algorithms.
So just make sure that feature code is installed on all your machines. CPACF
is an integral part of your main processors that supports additional
instructions that accelerate lots of cryptographic operations.
> 
> IBM Crypto Express HSMs are optional (but strongly recommended!) 
> features that are installed as cards in your IBM Z or IBM LinuxONE 
> server's PCI slots. In recent models there are two variants of the IBM 
> Crypto Express cards: "single port" and "dual port." Dual port means 
> that there are two physical HSMs per card. It's simply a higher 
> density card that allows you to support more HSM domains and modes 
> within a smaller physical space, analogous to the difference between a 
> fully populated processor drawer and a partially populated one. 
> Whether you get the single port or dual port variant (or some of 
> both), their role is to protect secrets, especially private encryption 
> keys. They have their own onboard processors to execute cryptographic 
> operations, and you need them to move beyond "clear key" cryptography. 
> Clear key cryptography means your private encryption keys inhabit main 
> memory, the same memory that the operating system, middleware, and 
> applications inhabit. Conceivably that memory could be accessed - via 
> a dump that hasn't been redacted, for example - to obtain the private 
> keys. The vast majority of non-IBM Z/LinuxONE systems that support TLS 
> are operating with clear key, but "we can do better." And we do: 
> Crypto Express facilitates protected key and secure key operations. 
> Get them, use them, love them. :-)
> 
> But let's leave that HSM point aside for the moment and just focus on z/OS
AT-TLS and what you may be observing. If you're actually seeing longer
transaction times - if you've got reasonable evidence this one change
(changing an unencrypted connection to a TLS encrypted connection) made the
difference - then there are likely one or two basic reasons why. One likely
reason is that you're not getting a good match between z/OS AT-TLS and
CPACF. That is, z/OS AT-TLS (and specifically the z/OS System SSL component
that AT-TLS uses) isn't exploiting CPACF as much as it could. For example,
AT-TLS and the other pa

STGADMIN.DPDSRN.dsname and RENAME

[Lennie Dymoke-Bradshaw]

Apologies Radoslaw,

It appears that IEHPROGM will not make use of STGADMIN.DPDSRN.olddsname 
profile. Use of that FACILITY class profile requires that a bit be set in the 
CAMLST macro expansion. It appears IEHPROGM has not been altered to support 
this.

The DFSMS Advanced Services manual states,
Your program sets on a certain bit in the CAMLST macro expansion. You 
can code this instruction: OI listname+2,X'10'.

Is there any program that supports this profile? 
Or do IBM expect we have to write our own?

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Lennie Dymoke-Bradshaw
Sent: 19 January 2024 14:42
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ADRDSSU COMPRESS and enq

Radoslaw wrote
>>3. I don't know how to rename such datasets! Yes, I could imagine 
>>access from another z/OS image, but it would be a series of manual 
>>ISPF r command. Non-repeatable, error prone. Is there any tool 
>>allowing to rename such datasets in batch? Wildcard support (i.e. REN 
>>SYS1.* SYS2.*) would be welcome. <<

Try IEHPROGM.
https://www.ibm.com/docs/en/zos/3.1.0?topic=program-scratching-renaming-data-set-member
 

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Radoslaw Skorupka
Sent: 19 January 2024 14:18
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ADRDSSU COMPRESS and enq

Gentlemen,
First, thank you for your answers. I appreciate it.

Regarding TOLENQF - it doesn't work with COMPRESS or CONSOLIDATE. The manual is 
clear here.

Regarding rename - this is the thing I wanted to avoid for several reasons:
1. There is some risk to rename wrong "copy" of the dataset, or alter ICF 
entries for wrong copy.
2. Valid copies are located on non-SMS disk, but cataloged out of regular 
catalog search (SYS1.name in some UCAT). Plus some aliases, etc. 
I want to not destroy it.
3. I don't know how to rename such datasets! Yes, I could imagine access from 
another z/OS image, but it would be a series of manual ISPF r command. 
Non-repeatable, error prone. Is there any tool allowing to rename such datasets 
in batch? Wildcard support (i.e. REN SYS1.* SYS2.*) would be welcome.



--
Radoslaw Skorupka
Lodz, Poland





W dniu 19.01.2024 o 13:27, Radoslaw Skorupka pisze:
> I want to compress some system datasets like SYS1.LINKLIB, but *not* 
> real "live", rather offline copies.
> DSS ends with RC8, because of failed serialization.
> SETPROG LNKLST,UNALLOCATE will not solve all the enqueues, because 
> some datasets are serialized by other entities like TSO users.
>
> And I also want to CONSOLIDATE some datasets as well.
>
>
> Any clue?
>

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: ADRDSSU COMPRESS and enq

[Lennie Dymoke-Bradshaw]

Radoslaw wrote
>>3. I don't know how to rename such datasets! Yes, I could imagine access from 
>>another z/OS image, but it would be a series of manual ISPF r command. 
>>Non-repeatable, error prone. Is there any tool allowing to rename such 
>>datasets in batch? Wildcard support (i.e. REN SYS1.* SYS2.*) would be 
>>welcome. <<

Try IEHPROGM.
https://www.ibm.com/docs/en/zos/3.1.0?topic=program-scratching-renaming-data-set-member
 

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Radoslaw Skorupka
Sent: 19 January 2024 14:18
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ADRDSSU COMPRESS and enq

Gentlemen,
First, thank you for your answers. I appreciate it.

Regarding TOLENQF - it doesn't work with COMPRESS or CONSOLIDATE. The manual is 
clear here.

Regarding rename - this is the thing I wanted to avoid for several reasons:
1. There is some risk to rename wrong "copy" of the dataset, or alter ICF 
entries for wrong copy.
2. Valid copies are located on non-SMS disk, but cataloged out of regular 
catalog search (SYS1.name in some UCAT). Plus some aliases, etc. 
I want to not destroy it.
3. I don't know how to rename such datasets! Yes, I could imagine access from 
another z/OS image, but it would be a series of manual ISPF r command. 
Non-repeatable, error prone. Is there any tool allowing to rename such datasets 
in batch? Wildcard support (i.e. REN SYS1.* SYS2.*) would be welcome.



--
Radoslaw Skorupka
Lodz, Poland





W dniu 19.01.2024 o 13:27, Radoslaw Skorupka pisze:
> I want to compress some system datasets like SYS1.LINKLIB, but *not* 
> real "live", rather offline copies.
> DSS ends with RC8, because of failed serialization.
> SETPROG LNKLST,UNALLOCATE will not solve all the enqueues, because 
> some datasets are serialized by other entities like TSO users.
>
> And I also want to CONSOLIDATE some datasets as well.
>
>
> Any clue?
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: ADRDSSU COMPRESS and enq

[Lennie Dymoke-Bradshaw]

Rename data set first?
https://www.ibm.com/docs/en/zos/3.1.0?topic=gcr-renaming-data-set-that-might-be-in-use
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Radoslaw Skorupka
Sent: 19 January 2024 12:27
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: ADRDSSU COMPRESS and enq

I want to compress some system datasets like SYS1.LINKLIB, but *not* real 
"live", rather offline copies.
DSS ends with RC8, because of failed serialization.
SETPROG LNKLST,UNALLOCATE will not solve all the enqueues, because some 
datasets are serialized by other entities like TSO users.

And I also want to CONSOLIDATE some datasets as well.


Any clue?

--
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: I hate to be a pain (Cross-Posted)

[Lennie Dymoke-Bradshaw]

Radoslaw,

The "cracking exercise" is not so difficult. Those private keys in RACF are not 
encrypted. They are stored in field CERTPRVK. I think they are BER encoded. 
Details are in the RACF Macros and Interfaces manual. It's easy to display them 
using zSecure if you know how.
Good reason to make sure the absolute minimum of people have READ access to the 
RACF database.

With ICSF the keys are stored in the ICSF CKDS with each key encrypted under 
the ICSF master key. That master key is protected using FIP-140-2 level 4 
standards.

Lennie Dymoke-Bradshaw
https: //rsclweb.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Radoslaw Skorupka
Sent: 18 January 2024 22:32
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: I hate to be a pain (Cross-Posted)

Is ICSF xKDS file a VSAM? Yes.
So, why to keep the keys in CKDS/PKDS instead of RACFdb?
1. Because the keys in CKDS/PKDS are *well encrypted* using secret key 
(CryptoExpress MK). Assumed you have CEX.
2. Because any key kept in RACF is kept along with the encryption key for that 
key.
3. Because still a majority of RACF installations do not use encrypted VSAM db 
(yet). In such scenario any authorized person (i.e. bad RACF
admin) can read whole db and then do the cracking excercises.


BTW: Recently I did encrypt RACF db. Results: none. Nothing happened. 
The database is encrypted - the only change, but it is invisible to 
administrators.

--
Radoslaw Skorupka
Lodz, Poland



W dniu 17.01.2024 o 21:29, Steve Beaver pisze:
> On z/OS isn't that the ICSF CKDS VSAM file?  Yes
>
> Steve
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Farley, Peter
> Sent: Wednesday, January 17, 2024 1:38 PM
> To:IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: I hate to be a pain (Cross-Posted)
>
> On z/OS isn't that the ICSF CKDS VSAM file?
>
> Peter
>
> From: IBM Mainframe Discussion List  On Behalf Of
> Steve Beaver
> Sent: Wednesday, January 17, 2024 1:32 PM
> To:IBM-MAIN@LISTSERV.UA.EDU
> Subject: I hate to be a pain (Cross-Posted)
>
>
> This is not may area of expertise, and I can't find a YOUTUBE or a step by
>
> step checklist
>
>
>
> How does one create a keystore on zOS?
>
>
>
> Regards,
>
>
>
> Steve
>
> --

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Technical Reason? - Why you can't encrypt load libraries (PDSE format)?

[Lennie Dymoke-Bradshaw]

Radoslaw Skorupka wrote

> Note: Dataset Encryption (DSE) is *not* a replacement for RACF or other 
> security system.
> It is a solution to keep data secret even if you have (unintended) access to 
> the dataset. Bad RACF authority? NO!
> It could be administrative access via STGADMIN, shared DASD, etc.

I think z/OS data set encryption is a solution for protecting z/OS data when it 
is accessed outside of its normal environment. That could be via specialised 
authorised programs (such as ADRDSSU), via other systems (when a volume is 
accessed by a z/OS system using a different RACF database), where a volume is 
accessed by another operating system (such as z/VM or Linux), where a data set 
backup is transported to another system entirely, or any other situation where 
the data is not under its normal RACF controls. 

Lennie Dymoke-Bradshaw
https: //rsclweb.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Technical Reason? - Why you can't encrypt load libraries (PDSE format)?

[Lennie Dymoke-Bradshaw]

It can be set via software but can be disabled by control points. There are 
RACF controls on the Crypto services that are needed. There are controls that 
can used to stop one domain setting the key for another. More serious users 
will have TKE workstations with card readers and multiple key holders. Leonard 
is correct that it is a single point of attack. But it is a very well-protected 
point of attack. Also note that the multiple card holders can re-create the 
master keys.

Lennie Dymoke-Bradshaw
https: //rsclweb.com
-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Leonard D Woren
Sent: 15 January 2024 01:53
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Technical Reason? - Why you can't encrypt load libraries (PDSE 
format)?

There has to be a way to set it via software.  What happens when you replace 
the machine including the hardware where the master key is stored?

How is the key set into the disaster recovery machine?

/Leonard

Jousma, David wrote on 1/14/2024 4:50 PM:
> Pretty hard to mess up the master key, since it only lives in the crypto 
> hardware.
>
> That's the other thing though.  Sounds like the OP wants to encrypt 
> everything with the same HLQ, with the same key  that's a big exposure if 
> the key gets accidentally deleted.  Not sure what the rule of thumb is 
> either, as one key per dataset turns into a key management nightmare.
>
> Dave Jousma
>
> Vice President | Director, Technology Engineering
>
>
> Fifth Third Bank  |  1830 East Paris Ave, SE  |  MD RSCB2H  |  Grand 
> Rapids, MI 49546
>
> 616.653.8429
> 
> From: IBM Mainframe Discussion List  on 
> behalf of Leonard D Woren 
> Sent: Sunday, January 14, 2024 7:05:11 PM
> To: IBM-MAIN@LISTSERV.UA.EDU 
> Subject: Re: Technical Reason? - Why you can't encrypt load libraries (PDSE 
> format)?
>
> (I read the whole thread before starting this reply. ) Steve Estle 
> wrote on 1/13/2024 8: 28 AM: > [. . . ] > My true reason for composing 
> this is that we've discovered the inability to encrypt load libraries 
> - even in PDSE format. [. . . ] >
>
>
> (I read the whole thread before starting this reply.)
>
> Steve Estle wrote on 1/13/2024 8:28 AM:
>> [...]
>> My true reason for composing this is that we've discovered the inability to 
>> encrypt load libraries - even in PDSE format.
> [...]
>> I know this seems innocuous, but we'd like to encrypt as much as possible in 
>> our environment and due to Top Secret deficiencies we have to encrypt at 
>> high level qualifier level (HLQ) (all or nothing under each HLQ 
>> unfortunately).  Given we have load module libraries under many differ HLQ's 
>> this is posing difficulties in moving forward with our rollout when an HLQ 
>> does have one or more load module libraries as part of that HLQ.  You can 
>> only imagine the pain of renaming a load library given all the JCL, etc that 
>> is referencing that library name.
> So, you have poor naming conventions and a poor security system, and 
> you want IBM to make difficult changes which will potentially affect 
> all customers negatively?
>
>> 2. If I were to submit an IBM idea, can I count on this community for some 
>> backing here to help in upvoting such an idea submission?
> I'd vote the highest value of "no".
>
>
> An aside, since I didn't keep track of which comment mentioned this 
> (maybe it was on an old item cross-posted from RACF-L?).  For those 
> concerned about ransomware, z/OS encryption of all data at rest means 
> that a ransomware hacker need only mess up the master key so that no 
> data sets can be decrypted.  No need to waste time encrypting all 
> data, since it's already encrypted.
>
>
> /Leonard
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
>
> This e-mail transmission contains information that is confidential and may be 
> privileged.   It is intended only for the addressee(s) named above. If you 
> receive this e-mail in error, please do not read, copy or disseminate it in 
> any manner. If you are not the intended recipient, any disclosure, copying, 
> distribution or use of the contents of this information is prohibited. Please 
> reply to the message immediately by informing the sender that the message was 
> misdirected. After replying, please erase it from your computer system. Your 
> assistance in correcting this error is appreciated.
>
> ---

Re: allowed characters in member name

[Lennie Dymoke-Bradshaw]

I believe these came in with the re-write of the JCL Converter and/or 
Interpreter which occurred with MVS 4.2 (working purely from memory!)

Lennie Dymoke-Bradshaw
https: //rsclweb.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Seymour J Metz
Sent: 07 January 2024 23:43
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: allowed characters in member name

Long ago (in OS/390?) IBM introduced a bunch of keywords equivalent to 
subparameters of DCB, e.g., LRECL= is equivalent to DCB=LRECL=. I believe that 
LIKE= was part of that.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Paul Gilmartin <042bfe9c879d-dmarc-requ...@listserv.ua.edu>
Sent: Sunday, January 7, 2024 5:15 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: allowed characters in member name

On Sun, 7 Jan 2024 21:50:07 +, Gibney, Dave wrote:

>DCB for the subparameters as been depreciated and, in my opinion, bad form for 
>most of the 40 years I worked on mainframes. The DCB=modeldscb form used for 
>new GDS allocations hasn't been needed since SMS came along. Early 90s'?
>I may recall wrong, but I think LIKE was new with SMS.
>
Formerly needed; now deprecated.  Why was it ever needed?  I suspect the change 
was less to accommodate SMS than UNIX files, which support attributes but no 
DCB.

Answering my earlier question (IRTFM):
<https://www.ibm.com/docs/en/zos/3.1.0?topic=parameter-examples-like>
Example 2
//SMSDS7  DD  DSNAME=MYDS7.PGM,LIKE=MYDSCAT.PGM,DISP=(NEW,KEEP),
//  LRECL=1024
In the example, the data set attributes used for MYDS7.PGM are obtained from
the cataloged model data set MYDSCAT.PGM. Also, the logical record length of
1024 overrides the logical record length obtained from the model data set.

--
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: allowed characters in member name

[Lennie Dymoke-Bradshaw]

Using quotes around the DSNAME will allow any combination of Hex chars for a 
Dsname I think (possibly excluding 44X'04' which represents the VTOC). However 
these are not supported for SMS datasets, nor can they be catalogued, nor can 
they be protected by RACF.
https://www.ibm.com/docs/en/zos/3.1.0?topic=statement-dsname-parameter

Note particularly,

"The system does not check data set names enclosed in apostrophes for valid 
characters. When SMS is
not installed or active incorrect characters or length result in data set 
allocation, but the data set is not
cataloged. When SMS is active, it will fail the job for incorrect characters or 
length."

However, I think it is not possible to do this with a member name. Happy to 
learn more though, if someone knows better.

Lennie Dymoke-Bradshaw
https: //rsclweb.com
-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Leonard D Woren
Sent: 08 January 2024 06:29
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: allowed characters in member name

I don't think anyone has mentioned that X'C0' (left brace in the U.S.) is valid 
in a member name.  I didn't test to see whether it's allowed in the first 
position; probably not.

X'C0' is also valid in a dsname on a non-SMS volume, but it's now broken in 
that you can't catalog it any more.  Get "NOT CATLGD 9". 
Again, I didn't try it in the first position which almost certainly is not 
allowed.


Regarding the limit of 8 characters between periods in a dsname, that was a 
requirement in OS CVOL days.  Seems to me that that validity test can and 
should be removed now that CVOLs are long long dead dead.  I could see 
requiring any levels in an MLA alias restricted to
8 characters.  Why is left as an exercise to the reader.


/Leonard




--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: allowed characters in member name

[Lennie Dymoke-Bradshaw]

Radoslaw,
>From memory, this is simply the ALPHANUMNAT set. Alphabetic chars (upper 
>case), Numerics and the national chars (#$@). First char may not be numeric.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Radoslaw Skorupka
Sent: 05 January 2024 17:18
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: allowed characters in member name

(This is somehow Friday question, but at least on topic. :-)  )


What characters are allowed in JCL when specifying member name?
I mean constructs like the following:
//ANY DD DSN=HLQ.DATASET(MEMBER)

Note, it is not about PDS/PDSE itself and I have seen SMPSCDS member names (as 
well as PDSMAN generated), but I mean JCL-acceptable names, which are also 
supported by ISPF (I think so).

--
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Z/OS Survey - Unusuall system commands

[Lennie Dymoke-Bradshaw]

Maybe my statement needs correcting. I meant DD parameters, rather than JCL 
statements. 
I have done this, but it was over 30 years ago. I believe you can specify many 
JCL parameters which can go on DD statements. These are then applied to the 
IEFRDER DD statement.
Happy to be corrected if someone else has better knowledge or if behaviour has 
changed since then.

Lennie Dymoke-Bradshaw
https: //rsclweb.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Seymour J Metz
Sent: 20 December 2023 12:31
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

?

What JCL statements can START provide. As for parameters, that's limited to 
JOB, EXEC and DD.

Of course, that's enough for a competent auditor to check who can use what.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Lennie Dymoke-Bradshaw <032fff1be9b4-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, December 19, 2023 7:33 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

START will take all sorts of JCL statements as parameters. You can use it to 
recreate data sets that are needed for other things to start.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Seymour J Metz
Sent: 19 December 2023 14:52
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

No, START.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Itschak Mugzach <0305158ad67d-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, December 19, 2023 9:23 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

Seymour,
Was it ROUTE command? ;-) Don't tell them. We fill our refrigerator using these 
weaknesses...

BTW, I like your new Hebrew signature!

ITschak

*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and 
IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: 
http://secure-web.cisco.com/1HFDwSALATpGpnOVQ1twvj_azjQO-49TCl66YZFiSGexFVtgJkqArNBLWq14ILxHxchctP5jw0R07PXsqOKidaa7KQIrorgeG3cKJFduizLKhcHE53HCgRQOzbg0MS58ChodSKN6oOU3P8VYqWoIFF2VRL2uFOaZHToBmQGAIQaDFnXV_E5uCdm4BtBTPzrXc3PotMpXndQTj6ODKe5CFxgJcAJc5buY2MuxA3pEIbImngo8exnCd4M59AKiKEyS7qfrtV6rA_YyljMDw7kVJ08WUO3oIEzKtbsZ0MsXUkEmAf4g04v5Nj9_rp4LWAaUBU7MRo2yZ1OgOnR8gDdWnKX1eMDIh5JQUTBRlrVqqjKKGmBNqMiqMGKHF2e_Q8PEItrsFtFUT1aCntdwgf_JNQ_V6Z592kGusGuZ5V9EmTj0/http%3A%2F%2Fwww.Securiteam.co.il
  **|*





On Tue, Dec 19, 2023 at 4:20 PM Seymour J Metz  wrote:

> I you control your console commands through SAF, you have fairly fine 
> granularity.
>
> BTW, a couple of decades ago I reported a similar issue .on a command 
> that is extremely common.  If you're doing an audit, look at the 
> common commands in addition to the rare ones.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>
> 
> From: IBM Mainframe Discussion List  on 
> behalf of ITschak Mugzach 
> Sent: Tuesday, December 19, 2023 3:12 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Z/OS Survey - Unusuall system commands
>
> There are some MVS commands that are hard to understand how and why 
> they were created. What bothers me is the fact that the input of the 
> commands that modify MVS behavior allows input from private dataset.
> These are the first commands I am trying when I do a pentest...
> For example:
> *SETLOAD* allows on-the-fly change of parmlib concatenation using a 
> dataset that is not part of the parmlib concatenation itself. for
> example: SETLOAD 03,PARMLIB,DSN=sys4.relson TCPCIP *OBEY* command 
> allows specification of TCPIP configuration from a private library.
>
> How frequent do you use these commands (if ever) and how do you 
> identify the use (assuming that the commands are protected by your 
> ESM). I wonder why IBM allows such a scenario.
>
> ITschak
>
> ITschak Mugzach
> *|** IronSphere Platform* *|* *Information Security Continuous 
> Monitoring for z/OS, x/Linux & IBM I **| z/VM coming soon  *
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
>
> 

Re: Z/OS Survey - Unusuall system commands

[Lennie Dymoke-Bradshaw]

START will take all sorts of JCL statements as parameters. You can use it to 
recreate data sets that are needed for other things to start.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Seymour J Metz
Sent: 19 December 2023 14:52
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

No, START.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Itschak Mugzach <0305158ad67d-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, December 19, 2023 9:23 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

Seymour,
Was it ROUTE command? ;-) Don't tell them. We fill our refrigerator using these 
weaknesses...

BTW, I like your new Hebrew signature!

ITschak

*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and 
IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: 
http://secure-web.cisco.com/1HFDwSALATpGpnOVQ1twvj_azjQO-49TCl66YZFiSGexFVtgJkqArNBLWq14ILxHxchctP5jw0R07PXsqOKidaa7KQIrorgeG3cKJFduizLKhcHE53HCgRQOzbg0MS58ChodSKN6oOU3P8VYqWoIFF2VRL2uFOaZHToBmQGAIQaDFnXV_E5uCdm4BtBTPzrXc3PotMpXndQTj6ODKe5CFxgJcAJc5buY2MuxA3pEIbImngo8exnCd4M59AKiKEyS7qfrtV6rA_YyljMDw7kVJ08WUO3oIEzKtbsZ0MsXUkEmAf4g04v5Nj9_rp4LWAaUBU7MRo2yZ1OgOnR8gDdWnKX1eMDIh5JQUTBRlrVqqjKKGmBNqMiqMGKHF2e_Q8PEItrsFtFUT1aCntdwgf_JNQ_V6Z592kGusGuZ5V9EmTj0/http%3A%2F%2Fwww.Securiteam.co.il
  **|*





On Tue, Dec 19, 2023 at 4:20 PM Seymour J Metz  wrote:

> I you control your console commands through SAF, you have fairly fine 
> granularity.
>
> BTW, a couple of decades ago I reported a similar issue .on a command 
> that is extremely common.  If you're doing an audit, look at the 
> common commands in addition to the rare ones.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>
> 
> From: IBM Mainframe Discussion List  on 
> behalf of ITschak Mugzach 
> Sent: Tuesday, December 19, 2023 3:12 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Z/OS Survey - Unusuall system commands
>
> There are some MVS commands that are hard to understand how and why 
> they were created. What bothers me is the fact that the input of the 
> commands that modify MVS behavior allows input from private dataset. 
> These are the first commands I am trying when I do a pentest...
> For example:
> *SETLOAD* allows on-the-fly change of parmlib concatenation using a 
> dataset that is not part of the parmlib concatenation itself. for 
> example: SETLOAD 03,PARMLIB,DSN=sys4.relson TCPCIP *OBEY* command 
> allows specification of TCPIP configuration from a private library.
>
> How frequent do you use these commands (if ever) and how do you 
> identify the use (assuming that the commands are protected by your 
> ESM). I wonder why IBM allows such a scenario.
>
> ITschak
>
> ITschak Mugzach
> *|** IronSphere Platform* *|* *Information Security Continuous 
> Monitoring for z/OS, x/Linux & IBM I **| z/VM coming soon  *
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN



--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Can this be done?

[Lennie Dymoke-Bradshaw]

I am assuming you are speaking of DASD based data sets rather than those on 
tape or any other medium.

I would have said use EXCP until recently. In addition you would need to be APF 
authorised in order to open VSAM datasets using EXCP.
However, I understand however that there are some undocumented issues running 
EXCP against data sets that are extended format. The DFP Advanced Services 
manual states the following,
"The EXCP and EXCPVR macro instructions allow you to control the data 
organization based on
device characteristics. The exceptions to this capability are partitioned data 
sets extended (PDSEs),
extended format data sets, spooled and dummy data sets, TSO terminals, and z/OS 
UNIX files and
file systems. They are not supported for user-written applications using EXCP."
It seems likely to me that there are ways of circumventing these restrictions. 
There is a low level interface called the media manager which may do what you 
need. But the manual for this is not available to us mere mortals.
As others have said, use ADRDSSU.

Lennie Dymoke-Bradshaw
https: //rsclweb.com
-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Billy Ashton
Sent: 14 December 2023 15:44
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Can this be done?

Hey everyone! I have a little down time here at the end of the year with our 
freeze, and I wanted to play with some ideas I have had.

I would like to write a program that can open any kind of file - PDS, 
Sequential, Panvalet, loadlib, and maybe even VSAM components. I want to open 
the file in "raw" format, as if I were going straight to the disk pack and 
scooping up the bytes from the beginning of the allocation to the end.

Is there any way to do this without caring about the catalog RECFM? 
Obviously, the easiest way is through some JCL parameter that says "force as 
PS" but I doubt that is likely. I can't go into more detail at present, sorry!

What do you think?

Thank you and best regards,
Billy Ashton

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Assembler optimization OPTION

[Lennie Dymoke-Bradshaw]

It's a fair question. I think for me it is because I rarely write a brand new 
program. I take something that works and then change it to do what I want. 
Often I find I can easily do what I need without using newer instructions.

Lennie Dymoke-Bradshaw
https: //rsclweb.com
-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Seymour J Metz
Sent: 10 December 2023 15:07
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Assembler optimization OPTION

Why does it take so long for people to use new features? HLASM has a lot of 
nifty things that have been around and well documented for decades.

A similar question exists for new instructions; how many shops are still 
running boxen that don't support the z immediate, long displacement and 
relative instructions, e,g.,JC, LARL, LAY?

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Peter Relson 
Sent: Sunday, December 10, 2023 9:13 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Assembler optimization OPTION

The starting point to almost all of these discussions tends to be to write 
reentrant programs (as high level languages naturally produce).

If you must stick with a non-reentrant program, consider the LOCTR directive. 
If you don't feel like truly moving the data-defining statements within your 
program, you can use the LOCTR directive to help to "move" data to a separate 
area. You might have an area for your "code" and an area for your "static data" 
and an area for your "dynamic data"

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Page Datasets in User Catalog

[Lennie Dymoke-Bradshaw]

The last sentence of the requirement reads,
"I believe IBM needs a new approach to the handling of these situations. Either 
there needs to be a formally agreed process for having 2 or more master 
catalogs in a sysplex, or there needs to be a way for VSAM data sets to be 
“multiply-owned” by more than one catalog."

I think this includes a "dual MCAT solution".
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Radoslaw Skorupka
Sent: 29 November 2023 18:32
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Page Datasets in User Catalog

Lennie,
I won't support it, because I don't want it. In my opinion it is bad approach.
BTW: there is quite new feature
F CATALOG,RESTART(new.mcat.dsn)
which I like.

As an alternative I would consider some solution like dual MCAT - similar to 
dual RACF db, or Db2 log.

--
Radoslaw Skorupka
Lodz, Poland



W dniu 29.11.2023 o 19:27, Lennie Dymoke-Bradshaw pisze:
> Radoslaw and others,
> Please consider supporting my idea on the ideas portal.
>
> Better support for multiple master catalogs in a sysplex.
> https://ibm-z-hardware-and-operating-systems.ideas.ibm.com/ideas/ZOS-I-3890
>
> Lennie Dymoke-Bradshaw
> https: //rsclweb.com
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf Of 
> Radoslaw Skorupka
> Sent: 29 November 2023 15:42
> To:IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Page Datasets in User Catalog
>
> W dniu 29.11.2023 o 04:56, Mark Zelden pisze:
>> On Thu, 23 Nov 2023 14:20:51 -0600, Jon Perryman   
>> wrote:
>>
>>> On Wed, 22 Nov 2023 22:35:13 +, Seymour J Metz   wrote:
>>>
>>>> I suspect that there was a game of telegraph, whereby crucial details got 
>>>> lost.
>>>>
>>>> It is normal to allocate page datasets in a user catalog that will 
>>>> eventually be used as a master catalog.
>>>> I'm suspicious of the claim that z/OS can use  a page dataset that is not 
>>>> in its own master catalog, but I can't rule it out.
>>> There are definitely crucial details lost. Page and swap are special 
>>> datasets. For instance, a page dataset can be in multiple catalogs (I think 
>>> using recatalog).
>> Pagespace can be in multiple catalogs (which should be a master to the
>> system that is using it) via RECATALOG.  I think at one time it had to
>> have a HLQ of PAGE or SYS1 but my memory is fuzzy on that part.  I know for 
>> a long time the HLQ doesn't matter at all  for pagespace and it could still 
>> be in
>> multiple catalogs.   This also applies to swapspace and VSAM linear ZFS that 
>> is indirectly cataloged.
>> Any SYS1 VSAM dataset can be in multiple catalogs via recatalog.
>>
>> Don't ask me where this is documented now. :)  I'm guessing "DFSMS managing 
>> catalogs".
>
> I dare to correct the above considerations.
> 1. Any non-VSAM and non-SMS dataset can be catalogued twice or multiple 
> times. Reason is obvious: there is no backward reference. It is just entry in 
> BCS, which contains DSN, UNIT and VOLSER.
> 2. VSAM datasets *cannot* be catalogued multiple times. And there is a way to 
> enforce it - VVDS.
> 3. IBM created exceptions for the 2. but only for SYS1 and PAGE HLQ.
> Note - this is matter or HLQ, not VSAM type or flavour. In other words one 
> can "multi-catalog" any SYS1.VSAM.DSN regardless of its purpose and any 
> PAGE.VSAM.DSN, also regardless of its purpose.
> 4. Page dataset is specific kind of VSAM, because it is somehow formatted 
> before use. As one may know DEF PAGE takes significantly more time than 
> regular DEF CL and depends on its size.
> 5. So, it is still possible to have good reason to create some page datasets, 
> even cataloged in UCAT, but for future use. And future use will require page 
> datasets to be in MCAT. How? a) recatalog. b) my current UCAT is de facto 
> other system's MCAT. Other scenarios may apply.
>
>
> My €0.02
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Page Datasets in User Catalog

[Lennie Dymoke-Bradshaw]

Radoslaw and others,
Please consider supporting my idea on the ideas portal.

Better support for multiple master catalogs in a sysplex.
https://ibm-z-hardware-and-operating-systems.ideas.ibm.com/ideas/ZOS-I-3890

Lennie Dymoke-Bradshaw
https: //rsclweb.com
-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Radoslaw Skorupka
Sent: 29 November 2023 15:42
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Page Datasets in User Catalog

W dniu 29.11.2023 o 04:56, Mark Zelden pisze:
> On Thu, 23 Nov 2023 14:20:51 -0600, Jon Perryman  wrote:
>
>> On Wed, 22 Nov 2023 22:35:13 +, Seymour J Metz  wrote:
>>
>>> I suspect that there was a game of telegraph, whereby crucial details got 
>>> lost.
>>>
>>> It is normal to allocate page datasets in a user catalog that will 
>>> eventually be used as a master catalog.
>>> I'm suspicious of the claim that z/OS can use  a page dataset that is not 
>>> in its own master catalog, but I can't rule it out.
>> There are definitely crucial details lost. Page and swap are special 
>> datasets. For instance, a page dataset can be in multiple catalogs (I think 
>> using recatalog).
> Pagespace can be in multiple catalogs (which should be a master to the 
> system that is using it) via RECATALOG.  I think at one time it had to 
> have a HLQ of PAGE or SYS1 but my memory is fuzzy on that part.  I know for a 
> long time the HLQ doesn't matter at all  for pagespace and it could still be 
> in
> multiple catalogs.   This also applies to swapspace and VSAM linear ZFS that 
> is indirectly cataloged.
> Any SYS1 VSAM dataset can be in multiple catalogs via recatalog.
>
> Don't ask me where this is documented now. :)  I'm guessing "DFSMS managing 
> catalogs".


I dare to correct the above considerations.
1. Any non-VSAM and non-SMS dataset can be catalogued twice or multiple times. 
Reason is obvious: there is no backward reference. It is just entry in BCS, 
which contains DSN, UNIT and VOLSER.
2. VSAM datasets *cannot* be catalogued multiple times. And there is a way to 
enforce it - VVDS.
3. IBM created exceptions for the 2. but only for SYS1 and PAGE HLQ. 
Note - this is matter or HLQ, not VSAM type or flavour. In other words one can 
"multi-catalog" any SYS1.VSAM.DSN regardless of its purpose and any 
PAGE.VSAM.DSN, also regardless of its purpose.
4. Page dataset is specific kind of VSAM, because it is somehow formatted 
before use. As one may know DEF PAGE takes significantly more time than regular 
DEF CL and depends on its size.
5. So, it is still possible to have good reason to create some page datasets, 
even cataloged in UCAT, but for future use. And future use will require page 
datasets to be in MCAT. How? a) recatalog. b) my current UCAT is de facto other 
system's MCAT. Other scenarios may apply.


My €0.02

--
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: The JES2 NJE node that cannot die.

[Lennie Dymoke-Bradshaw]

I think you need to set up your RACF NODES profiles and set the node in 
question to UNTRUSTED.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Longfellow
Sent: 15 November 2023 15:46
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: The JES2 NJE node that cannot die.

I have been in this business for decades and have run in to this situation on a 
few occaisions.   Never really came up with the right recipe to make this 
happen.

Our JES2 systems are NJE interconnected over SNA links interconnected with 
several other mainframes at other agencies.   For resiliency and reliability 
they all act as store and forward nodes in the NJE network.   
We wish to no longer communicate with one of these nodes.   Every method I use 
simply causes the NJE link to switch over to another mainframe in the 
interconnected network.
$P $E $I commands at best cause failoever to another NJE node as the middle 
man.   Killing the SNA CDRSC just causes failover as well.
We have found nothing I can do to the NODE, LINE, or APPL that allow me to make 
this node dead to us.

I am trying to do this gracefully by turning it off before modifying JES parms 
to remove it from my startup.  Trying to preseve the possiblility of fallback 
in case some stealth user pops out from behind the woodshed.

Any suggestions?

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Lessons Learned - Mass Extended Format DS Conversion - ZOS 2.5

[Lennie Dymoke-Bradshaw]

Steve,

I took a major role in such a product a couple of years back. Sadly it was 
cancelled a few week before the first application was due to be encrypted.

We had a five string approach to the project. They were led by separate people 
but we worked together a great deal of course.
1. Set up ICSF to be fit for purpose.
2. Set up TKE.
3. Set up EKMF/web for key management.
4. Devise a strategy for mass allocation and copying of data.
5. Standards, procedures and documentation.

We hit a few things you may be interested in. Happy to discuss outside this 
forum if you wish.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Steve Estle
Sent: 15 November 2023 12:13
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Lessons Learned - Mass Extended Format DS Conversion - ZOS 2.5

All,

We are in the midst of rolling out pervasive encryption in our ZOS 2.5 customer 
environment.  To get there of course we need to move to extended format 
datasets (sequential, VSAM, etc) which we have minimal exposure / experience 
with today (We have multiple  100K's of datasets in our catalogs across 4 
LPAR's.  We also will be leveraging hardware compression (ZEDC) as we migrate 
things as well towards path to pervasive encryption (PV) of course following 
best practice to compress before encrypting.

Have reviewed redbooks on PV, extended format, and hardware compression 
(experiences with hardware compression so far have been outstanding - 
especially in our DFDSS backup processing).

What I'm looking for are any gotchas / lessons learned / real life experiences 
in embarking on this mass migration from basic format datasets over to extended 
compressed format DSN's and encryption that aren't documented in standard doc 
or redbooks.  Or maybe you ran across or developed some tools to aid in such 
large scale migrations?

If you have anything you'd like to share feel free to share it here or if 
prefer to talk offline contact me  at sest...@gmail.com.

Thanks in advance for sharing.

Steve Estle
sest...@gmail.com

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: SMF record for number of program executions?

[Lennie Dymoke-Bradshaw]

I believe the capability of understanding and counting program LOADs is in the 
latest version of SDSF for z/OS 3.1. (I hope Rob Scott will correct this if I 
am wrong).
However, I do not think this necessarily answers the question posed. That 
question related to the number of times a program is executed, rather than the 
number of times it is LOADed, LINKed to or even ATTACHed. A program can be 
loaded (using a LOAD SVC) and then executed multiple times. That execution can 
be via a LINK SVC but could just as easily be via a CALL, which is effectively 
a BASR or BALR, a machine instruction which does not offer the level of 
traceability that the LOAD, LINK and ATTACH services offer. As such a load 
module monitor such as that in SDSF will not address the issue.
If the load module is marked not reusable and not reentrant, then I think it is 
unlikely to be reused after a first execution. I would expect it to be DELETEd 
and then re-LOADed. I don't think normal processing of the module using 
language environment will allow reuse.
If that is the case, then the question might be able to be answered for a 
specific module that is neither reentrant nor reusable.
Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Steve Thompson
Sent: 09 November 2023 22:15
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SMF record for number of program executions?

If you are willing to write an exit to get the info, you can get it via a CSV 
exit (I forget its name, but ALL "LOAD"s go through it). Understand, if you use 
that exit, it has to have a very short code path, can't cause a wait of any 
kind, or you will cause problems for all address spaces in that LPAR. The idea 
is to capture the DSN & member and immediately write it to an SMF buffer or 
similar so you can immediately return control.

But other than what others have said, there is no other way to see all 
dynamically loaded subroutines or load-modules. You will not capture static 
routines as the LNKEDT doesn't use that interface.

I believe that IBM Products make use of that or another undocumented path 
through VLF that is handling LLA and a bit of caching of modules.

Regards,
Steve Thompson



On 11/9/2023 4:56 PM, Glenn Miller wrote:
> Hi Linda,
> When I have been requested to provide that information, I have used the IBM Z 
> Software Asset Management ( aka iZSAM ) software product, which was 
> previously known as IBM Tivoli Asset Discovery for z/OS ( aka TADz ).
>
> Glenn Miller
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Better support for multiple master catalogs in a sysplex

[Lennie Dymoke-Bradshaw]

I have just raised an RFE regarding support for better sharing of VSAM
system datasets (such as RACF, ICSF key stores and ZFS file systems) when
used in a sysplex with multiple master catalogs.

Please would you examine it and support of relevant for you.

 

https://ibm-z-hardware-and-operating-systems.ideas.ibm.com/ideas/ZOS-I-3890 

 

Thanks

 



Lennie Dymoke-Bradshaw

https://rsclweb.com <https://rsclweb.com/>  


'Dance like no one is watching. Encrypt like everyone is.'

 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Better support for multiple master catalogs in a sysplex

[Lennie Dymoke-Bradshaw]

I have just raised an RFE regarding support for better sharing of VSAM
system datasets (such as RACF, ICSF key stores and ZFS file systems) when
used in a sysplex with multiple master catalogs.

Please would you examine it and support of relevant for you.

Thanks

 



Lennie Dymoke-Bradshaw

https://rsclweb.com <https://rsclweb.com/>  


'Dance like no one is watching. Encrypt like everyone is.'

 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM APAR Names

[Lennie Dymoke-Bradshaw]

In my experience back in the 1980s and 1990s IBM were far more likely to 
provide ++APAR type fixes for source-maintained products than for others. So at 
the time that mainly applied to JES2, JES3 and IMS I think. However, I have 
been the instigator for a few ++APAR fixes which were zaps.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Jon 
Perryman
Sent: 04 November 2023 18:31
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IBM APAR Names

On Sat, 4 Nov 2023 07:19:49 -0500, Bruce Hewson  
wrote:

>APARs for me are OAx or PHx - these are the entries describing a 
>problem, and may be associates as Error Holds to existing  PTFs.

The broader point that needs to be addressed is the purpose of an APAR. Since 
++APAR are rarely seen by vendor staff and customers, there must be a much 
bigger use for vendors otherwise why do they bother with describe the problem 
in the APAR.

As I said before, documentation is the main purpose for APARs and that 
documentation is presented in problem searches. ++APAR is only 1 of the APAR 
processes available to a vendor but the documentation processes are far more 
important.

For most vendors, APARs document much more than the defect (e.g. resolving 
PTF's, circumventions, holds and anything else that is useful for customers to 
solve that problem). Once a PTF is closed, it will never be updated but APARs 
can be modified as more useful information is found. 

>Before a PTF is issued, the vendor may issue a ++APAR for you to test. A 
>++APAR fix is not fully tested.

I'm skeptical that using ++APAR for testing is common practice. Unlike the well 
established bullet proof PTF processes, ++APAR can cause serious problems and 
grief. The vendors I worked for required management approval and it required 
important justification. 

I suspect that products that are not vital may be using this technique but I 
worked on products that could be destroyer of worlds. There's nothing like 
being on the phone with 35 screaming managers in a room because they think your 
product crashed their computer. It turned out not to be our product but it was 
critical to their environment.  

>++APAR names aill be AAx, BAx etc for each new iteration of a fix for 
>APAR OAx.

It sounds like ++APAR processes are a common practice for you, Each vendor has 
different ++APAR processes and it can vary within a vendor. It sounds like you 
know how to avoid the ++APAR gotchas. The vendor has chosen to a accept the 
consequences if something goes wrong and the rewards outweigh the risk. There 
are times I wish I had open access to ++APAR.   

>So depending on how many attempts have been made to get the corrective 
>fix for the problem described in APAR OAx you can see one or more 
>iterations of the ++APARs.
>
>The eventual PTF will SUPERCEDE all ++APARs that had been built during testing 
>of the fix for the APAR problem.
>
>When searching, say via Google, use the APAR number only, e.g. OAx
> 
>This is how I was introduced to ++APAR naming conventions.

You didn't mention the risks of REWORK, REDO and more. Nor did you mention 
modules must never be removed from an APAR and the superceding PTF must include 
all modules touched by the APARs. 

Searching APARs is the most up to date information about PTFs and it eliminates 
duplications that a PTF search would return.

At the end of the day, you do what's best for you. Problem resolution is about 
getting the best results and there is a lot of flexibility built into the 
processes.  It is process driven with different tools available to automate the 
processes.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Programatically setting JCL symbols

[Lennie Dymoke-Bradshaw]

Yes, I did mean that. My bad for sending a note late at night when I'm tired.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Paul Gilmartin
Sent: 18 October 2023 23:56
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Programatically setting JCL symbols

On Wed, 18 Oct 2023 22:53:05 +0100, Lennie Dymoke-Bradshaw wrote:

>On the other hand they can be passed to another job via the internal reader 
>specified with the SYMBOLS parameter.
>For example,
>//INTRDR   DD  *,SYMLIST=*
>It could make sense in this instance.
>
ITYM:
// EXPORT SYMLIST=*
...
//INTRDR   DD  SYSOUT=(,INTRDR),SYMBOLS=JCLONLY

It's possible the OP wants to pass values between steps.  The guaranteed way to 
do that is with a temporary data set.

There was s discussion here lately of environment variables.  Questions I never 
saw clearly answered:

o Are environment variables available to any program, regardless of language?

o Do they require LE or C RTL?

o Do they endure from step to step?

o Are they rooted with WXTRN environ and structured as in POSIX?

--
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Programatically setting JCL symbols

[Lennie Dymoke-Bradshaw]

On the other hand they can be passed to another job via the internal reader 
specified with the SYMBOLS parameter.
For example,
//INTRDR   DD  *,SYMLIST=*
It could make sense in this instance.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Paul Gilmartin
Sent: 18 October 2023 22:28
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Programatically setting JCL symbols

On Wed, 18 Oct 2023 16:18:05 -0500, Charles Hardee wrote:
>
>Thanks in advance for anyone that can shed light on the subject.
>
>Is there a mechanism for setting a JCL type variable from within a program?
> 
I hope you can't.

JCL symbols are elaborated by the Converter, before a program executes.

<https://en.wikipedia.org/wiki/Thiotimoline>

--
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IEE342I MODIFY REJECTED-TASK BUSY - yet modify command is immediately processed

[Lennie Dymoke-Bradshaw]

Great analysis.
Just tried F,INIT,XYZ and I got 10 messages. Guess how many INITs I am running?

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Rob 
Scott
Sent: 18 October 2023 11:41
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IEE342I MODIFY REJECTED-TASK BUSY - yet modify command is 
immediately processed

Here is what I suspect is happening - note that I don't have access to the z/OS 
BCP code - so some of this is semi-educated guess :

(o) CONSOLE operator command processing is fairly simple and its main purpose 
here is to add a CIB to the appropriate queue for the responding address space

(o) IEE342I is issued when the queue is  full (or indeed when CIBCNT=0 - the 
effect is the same)

(o) When the modify command comes in, the CSCB chain is run and ANY match on 
the PROCNAME or ID (CHPROCSN and CHKEY for STC) triggers the logic to attempt 
to add the CIB to that address space queue

(o) CIB queue pointer and max number of queued CIBs maintained in CSCB

(o) Processing does not stop after first match - it will continue until end of 
CSCB chain

(o) So if any STC address space shares the same CHPROCSN/CHKEY as your STC 
PROCNAME and has NOT setup communications with the CONSOLE using QEDIT etc, you 
will get IEE342I

(o) Even if the above is true, your STC will process the CIB as expected.


For giggles, you can try this on a test system and see how many IEE342I 
messages you get in response :

"F INIT,XYZ"


Rob Scott
Rocket Software

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Support, DUNNIT SYSTEMS LTD.
Sent: Wednesday, October 18, 2023 10:45 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IEE342I MODIFY REJECTED-TASK BUSY - yet modify command is 
immediately processed

EXTERNAL EMAIL





Hi Rob,

Q1 : Is the jobname unique on the system?

A1 : Yes. BTW, STC, not JOB.

Q2 : What happens when you start the address space using "S PROCNAME.MYID" and 
then issue "F MYID,command" ?

A2 : with MYID, all's normal - no message IEE342I issued. Shut it down, 
restarted without ID and the problem is back.

Why is that?

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Rocket Software, Inc. and subsidiaries ■ 77 Fourth Avenue, Waltham MA 02451 ■ 
Main Office Toll Free Number: +1 855.577.4323 Contact Customer Support: 
https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport
Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - 
http://www.rocketsoftware.com/manage-your-email-preferences
Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy


This communication and any attachments may contain confidential information of 
Rocket Software, Inc. All unauthorized use, disclosure or distribution is 
prohibited. If you are not the intended recipient, please notify Rocket 
Software immediately and destroy all copies of this communication. Thank you.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS 3.1 documentation

[Lennie Dymoke-Bradshaw]

+1

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: 10 October 2023 23:12
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OS 3.1 documentation

Yes!  Lionel mentioned that this morning in another group.  And I'm pretty sure 
it was his pressure that got IBM's attention.  Thanks Lionel!

On 10/10/2023 1:26 PM, Paul Gilmartin wrote:
> On Sun, 1 Oct 2023 22:24:51 -0700, Tom Brennan wrote:
> 
>> Over the years I've been trying to maintain a VBS script that reads 
>> the html file and produces Windows shortcuts.  But of course it can't 
>> work at all without the html index.  
>> https://blog.mildredbrennan.com/?p=797
>>
> Apparently as of  2023-10-09 14:15:47, the page at 
> 
> links to
>  cloud/pdx/SSLTBW_3.1.0/zOS310-GA-Indexed-PDF-package-(2023-09-29).zip>
> which contains */*_TOC.htm, organized in shelves.
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Access to PDS(E) ISPF statistics outside of TSO/ISPF

[Lennie Dymoke-Bradshaw]

If you don't want to drop into assembler, you can read the directory of a
PDS by having a DDname point to the data set name and DO NOT specify a
member name. Use an LRECL and BLKSIZE of 256. You can read to the end and
then you have the entire directory in storage. This can be done in REXX if
necessary. Then you need the mapping that Mike Shaw posted to interpret the
data that is returned.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
'Dance like no one is watching. Encrypt like everyone is.'
-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Seymour J Metz
Sent: 10 October 2023 20:45
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Access to PDS(E) ISPF statistics outside of TSO/ISPF

Yes. Use DESERV to get the directory entry and look at the user data field.


From: IBM Mainframe Discussion List  on behalf of
Matt Hogstrom 
Sent: Tuesday, October 10, 2023 12:53 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Access to PDS(E) ISPF statistics outside of TSO/ISPF

I'm looking for a way to access ISPF statistics from Java or C outside of a
TSO / ISPF environment.  Does such an animal exist out there ?

Matt Hogstrom
m...@hogstrom.org

"It may be cognitive, but, it ain't intuitive."
- Hogstrom


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS 3.1 documentation

[Lennie Dymoke-Bradshaw]

That's a lot of work Tom, just to find one manual.
I'm thinking about taking the 2.5 .html file produced by IBM to see if I modify 
it for 3.1; after all many of the files will have similar names. But I'll wait 
a while longer to see if anything is forthcoming from IBM.

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: 30 September 2023 08:41
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OS 3.1 documentation

Here are my notes: https://www.mildredbrennan.com/mvs/pdx.html

On 9/29/2023 9:26 PM, Paul Gilmartin wrote:
> On Fri, 29 Sep 2023 22:07:33 -0400, Bob Bridges wrote:
> 
>> CA has taken to combining all their various TSS manuals into one gigantic 
>> PDF; no more individual manuals for installation, the admins, the CFILE, 
>> reporting and trouble-shooting, messages and so on, they're all just 
>> chapters in one PDF.  I dislike it, but I don't see that I have any option 
>> but to get used to it.
>>
> The undesirable other extreme is as IBM did in splitting the Assembler 
> Callable Services simply by alphabetic ranges.  Search, Index, and ToC become 
> less useful.
> 
>> So when you said you can't select individual manuals, I thought maybe IBM 
>> had taken up the practice too.  But no, you said "set of PDF files", so I 
>> guess you found them all in a single downloaded ZIP and cannot select 
>> individual PDFs to be downloaded without everything else?
>>
> The page at  shows some 
> organization into "shelves", but not what I'm used to.  I see no shelf 
> for Unix System Services as formerly.
> 
> The 1GB .zip does have a .pdx.  I overlooked it earlier somehow.  It 
> organizes search results by relevance.  But some may find the Adobe 
> Reader requirement onerous.
> 
> But no index.htm[l].
> 
> And the collection expands into "zOS310-GA-Indexed-PDF-package-(2023-09-29)/".
> I'm uncomfortable with using shell metacharacters in path names.
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS 3.1 documentation

[Lennie Dymoke-Bradshaw]

Tom,
When I do as you suggest it simply opens an Adobe page which allows me to 
search across the entire set of PDFs. It does not give me a list of the manual 
titles and links to open the appropriate books.

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Marchant
Sent: 29 September 2023 19:46
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OS 3.1 documentation

I downloaded it to /downloads/zos 3.1 docs, then extracted it into the same 
folder. 
You can put it wherever it makes sense to you. Having downloaded it, open 
zOS310-GA-Indexed-PDF-package-(2023-09-29).pdx with Adobe reader. It is the 
only .pdx file in the collection.

--
Tom Marchant

On Fri, 29 Sep 2023 10:42:23 -0500, Lionel B. Dyck  wrote:

>You found the problem with the download collection.
>
>See this IBM Idea (and please vote if you agree)
>https://ibm-z-hardware-and-operating-systems.ideas.ibm.com/ideas/ZOS-I-
>3848
>
>In summary I'm requesting that IBM add a READ_ME_FIRST_ZOS_V3R1_TOC.HTM 
>as they had in previous z/OS download collections.
>
>It would also be VERY NICE if they made it more obvious how/where to 
>download the full collection.
>
>
>Lionel B. Dyck <><
>Website: https://www.lbdsoftware.com
>Github: https://github.com/lbdyck
>
> Worry more about your character than your reputation. Character is 
>what you are, reputation merely what others think you are.- - - 
>John Wooden
>
>-Original Message-
>From: IBM Mainframe Discussion List  On 
>Behalf Of Lennie Dymoke-Bradshaw
>Sent: Friday, September 29, 2023 10:28 AM
>To: IBM-MAIN@LISTSERV.UA.EDU
>Subject: z/OS 3.1 documentation
>
>Having seen the announcement of z/OS 3.1 today I have tried to obtain 
>the usual PDF collection of documentation.
>
>I found it can be downloaded in zip form here, by selecting "IBM z/OS 
>Indexed PDF/PDX Collection". This has given me the set of pdf files.
>
>https://www.ibm.com/docs/en/zos/3.1.0
>
>However, there seems to be no way of selecting individual manuals by 
>title, as there was at previous z/OS levels.
>
>Have I downloaded the wrong package? Or is this no longer to be available?
>
>Lennie Dymoke-Bradshaw
>
> 
>
>
>--
>For IBM-MAIN subscribe / signoff / archive access instructions, send 
>email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
>--
>For IBM-MAIN subscribe / signoff / archive access instructions, send 
>email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS 3.1 documentation

[Lennie Dymoke-Bradshaw]

Voted.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Lionel B. Dyck
Sent: 29 September 2023 16:42
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OS 3.1 documentation

You found the problem with the download collection.

See this IBM Idea (and please vote if you agree)
https://ibm-z-hardware-and-operating-systems.ideas.ibm.com/ideas/ZOS-I-3848

In summary I'm requesting that IBM add a READ_ME_FIRST_ZOS_V3R1_TOC.HTM as
they had in previous z/OS download collections.

It would also be VERY NICE if they made it more obvious how/where to
download the full collection.


Lionel B. Dyck <><
Website: https://www.lbdsoftware.com
Github: https://github.com/lbdyck

“Worry more about your character than your reputation. Character is what you
are, reputation merely what others think you are.”   - - - John Wooden

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Lennie Dymoke-Bradshaw
Sent: Friday, September 29, 2023 10:28 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: z/OS 3.1 documentation

Having seen the announcement of z/OS 3.1 today I have tried to obtain the
usual PDF collection of documentation.

I found it can be downloaded in zip form here, by selecting "IBM z/OS
Indexed PDF/PDX Collection". This has given me the set of pdf files.

https://www.ibm.com/docs/en/zos/3.1.0 

However, there seems to be no way of selecting individual manuals by title,
as there was at previous z/OS levels. 

Have I downloaded the wrong package? Or is this no longer to be available?

Lennie Dymoke-Bradshaw

 


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

z/OS 3.1 documentation

[Lennie Dymoke-Bradshaw]

Having seen the announcement of z/OS 3.1 today I have tried to obtain the
usual PDF collection of documentation.

I found it can be downloaded in zip form here, by selecting "IBM z/OS
Indexed PDF/PDX Collection". This has given me the set of pdf files.

https://www.ibm.com/docs/en/zos/3.1.0 

However, there seems to be no way of selecting individual manuals by title,
as there was at previous z/OS levels. 

Have I downloaded the wrong package? Or is this no longer to be available?

Lennie Dymoke-Bradshaw

 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Utility to Read from JES2 spool

[Lennie Dymoke-Bradshaw]

I think you could do this using the SDSF REXX facilities.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Roberto Halais
Sent: 29 September 2023 15:10
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Utility to Read from JES2 spool

Listers:

Is there an z/os utility that will allow the reading of a spool file (in some 
class) and copy it to a sequential dataset?

We need to read a report from spool and copy it o a sequential dataset.
Just a z/os utility or a CBT tape utility.
Thank you for any pointers.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Why it's important to take Seymour's advice

[Lennie Dymoke-Bradshaw]

My experience is that in times past this was definitely true. But nowadays it 
no longer is. 
I am unsure what changed but I think there was a change somewhere, possibly in 
the cross-memory instructions.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
dailom...@aol.com
Sent: 19 September 2023 16:16
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Why it's important to take Seymour's advice

 I think the other address space needs to be nonswappable.


On Tuesday, September 19, 2023 at 09:40:36 AM EDT, Adam Johanson 
<031ca9d720a7-dmarc-requ...@listserv.ua.edu> wrote:  
 
 Tom Brennan wrote:

> I've never written code that runs as an SRB, but over the years I've 
> read about them and seen them in action, such as Omegamon poking code 
> into other address spaces to grab data or do things like zap memory.

For what it's worth, you don't need to go through all the rigamarole of an SRB 
to go poking around in another address space.

Given the proper authorization, you can:

- Issue an AXSET, specifying a value of 1
- Issue an SSAR instruction identifying the target address space as the 
secondary address space
- Use MVCP / MVCS instructions to copy data between your primary address space 
and the secondary address space


There is also the technique of using the special ALET value of x'0001' and 
using AR mode to reference data from another address space.

===
Adam Johanson
Broadcom Mainframe Software Division

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
  

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Updating IEEMB846

[Lennie Dymoke-Bradshaw]

I placed a modified copy in a later library in the linklist. Then I renamed
the version in SYS1.LINKLIB. LLA REFRESH was done. So I expected it to be
found. But it behaved as if it did not find it. No SMF 32s were being logged
at all. 
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Peter Relson
Sent: 24 August 2023 15:46
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Updating IEEMB846


it appears that if IEEMB846 is placed in a library other than SYS1.LINKLIB,
then it is not found.


That should not be a surprise. The module is LOADed. Normal search rules
apply.
SYS1.LINKLIB is the first data set in the LNKLST concatenation unless you
have used the SYSLIB LINKLIB statement of PROGxx, so a copy in a "later"
data set will not be found. If you put your copy of the module in LPA
(dynamic or other) it will be the one found.

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Updating IEEMB846

[Lennie Dymoke-Bradshaw]

Excellent. Now why didn't I think of that?
Thank you Walt.

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Walt Farrell
Sent: 23 August 2023 16:30
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Updating IEEMB846

On Tue, 22 Aug 2023 13:07:01 +0100, Lennie Dymoke-Bradshaw 
 wrote:

>I am trying to determine which users are using the TSO CONSOLE command.
>
>This is controlled one of those TSOAUTH checks that are done at LOGON 
>time and the results of the RACF check are stored in the PSCB in bit 
>PSCBCNAU. So many normal RACF checking monitors (such as zSecure Access 
>Monitor) are of no use. I want to know who is using it, rather than who can 
>use it.

Have you considered defining CONSOLE in the RACF PROGRAM class, allowing READ 
access to everyone, and setting appropriate AUDIT options?

--
Walt

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Updating IEEMB846

[Lennie Dymoke-Bradshaw]

Yes, they will, but IEEMB846 still needs updating for various TSO commands that 
IBM have omitted from it.
I have done tests and it appears that if IEEMB846 is placed in a library other 
than SYS1.LINKLIB, then it is not found. I can update it in-flight in 
SYS1.LINKLIB and after an LLA refresh and restart of the TSO user's address 
space, the updates are picked up.

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Lionel B. Dyck
Sent: 23 August 2023 16:02
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Updating IEEMB846

Will SMF Type 32 records suffice?


Lionel B. Dyck <><
Website: https://www.lbdsoftware.com
Github: https://github.com/lbdyck

“Worry more about your character than your reputation. Character is what you 
are, reputation merely what others think you are.”   - - - John Wooden

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Jon 
Perryman
Sent: Wednesday, August 23, 2023 9:57 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Updating IEEMB846

 TSO console has user exits and I'm guessing that it has an init exit. It 
should be simple to code the exit and write the tso userid to a file (dynalloc 
with disp=mod). I don't recommend this as a permanent solution. An abend could 
leave the dataset allocated locking out other users and it wastes space even if 
you specify blksize=lrecl. It would be a little more work but you could use a 
VSAM KSDS with the userid as the key to collect the userid only once and 
eliminate potential alloc problem.

I would think the exit could be dynamically activated and deactivated.


On Tuesday, August 22, 2023 at 05:07:20 AM PDT, Lennie Dymoke-Bradshaw 
<032fff1be9b4-dmarc-requ...@listserv.ua.edu> wrote:  
 
 I am trying to determine which users are using the TSO CONSOLE command.

This is controlled one of those TSOAUTH checks that are done at LOGON time and 
the results of the RACF check are stored in the PSCB in bit PSCBCNAU. So many 
normal RACF checking monitors (such as zSecure Access Monitor) are of no use. I 
want to know who is using it, rather than who can use it.

 

The TSO command table in IEEMB846 is used by the TMP and by ISPF to record 
commands issued in SMF type 32 records. (ISPF uses an interface via SVC
109.) However, IEEMB846 is old. In fact it is so old that it does not contain 
TESTAUTH, PARMLIB, CONSOLE, ISPF. The source is in SYS1.SAMPLIB(SMFTSOCM).  I 
wish to update IEEMB846 to include the CONSOLE command. IEEMB846 is in a 
distinct load module in SYS1.LINKLIB. So can I update this table in flight, or 
do I need to IPL?

 

Thanks,

Lennie


 

 

 

 

 


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
  

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Converting Assembler TPUTS to ISPF

[Lennie Dymoke-Bradshaw]

Clem Clarke wrote
>> How would I put output text at a particular row/column, for example?  

There is a TSO/E macro called STLINENO which may do what you want.
I wrote a TSO command processor to use it about 40 years ago, and I still
have it if you are interested. Looking at the code now, there is "room for
improvement", but it does show what can be done.

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Clem Clarke
Sent: 22 August 2023 13:12
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Converting Assembler TPUTS to ISPF

I have a program that takes as input something like:

Panel Menubar ('Files Apps Exit')
    //    ('Please enter your Logon Id:', Logon,8,'    ');

This will create a full screen panel with a MenuBar, and an entry field for
a Logon ID.

This simple statement works on Z/OS, Windows and Linux as part of a
scripting language.

The mainframe version uses Assembler TPUTs.  I think there are ways to
create ISPF panels in assembler.

How would I put output text at a particular row/column, for example?  Or
change a color?

Many thanks,

Clem Clarke

PS: A full example with colors and so on can be seen here:
www.oscar-jol.com 

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Updating IEEMB846

[Lennie Dymoke-Bradshaw]

I am trying to determine which users are using the TSO CONSOLE command.

This is controlled one of those TSOAUTH checks that are done at LOGON time
and the results of the RACF check are stored in the PSCB in bit PSCBCNAU. So
many normal RACF checking monitors (such as zSecure Access Monitor) are of
no use. I want to know who is using it, rather than who can use it.

 

The TSO command table in IEEMB846 is used by the TMP and by ISPF to record
commands issued in SMF type 32 records. (ISPF uses an interface via SVC
109.) However, IEEMB846 is old. In fact it is so old that it does not
contain TESTAUTH, PARMLIB, CONSOLE, ISPF. The source is in
SYS1.SAMPLIB(SMFTSOCM).  I wish to update IEEMB846 to include the CONSOLE
command. IEEMB846 is in a distinct load module in SYS1.LINKLIB. So can I
update this table in flight, or do I need to IPL?

 

Thanks,

Lennie


 

 

 

 

 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: XCFAS and TRUSTED

[Lennie Dymoke-Bradshaw]

Andrew,

You may be right that IBM are trying to state something stronger. My point is 
that safety is a minimum requirement for an IBM recommendation. I have found 
several cases where IBM has specified a higher level of access than is 
necessary. For example, IBM states that FTP needs UID(0) to function, whereas 
many find this is unnecessary. So while I do not run my FTP with UID(0), I am 
reasonably confident it is safe to do so.

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Andrew Rowley
Sent: 21 August 2023 00:40
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: XCFAS and TRUSTED

On 21/08/2023 9:28 am, Lennie Dymoke-Bradshaw wrote:

> Secondly, when IBM states that a task should be given the attribute of 
> Trusted, then I take it to mean that IBM is saying that the task can be 
> trusted that this attribute cannot be the source of an exposure for that task.

I think when IBM says a task should be given trusted, it's a stronger statement 
than that.

I take it to mean that the task should never be denied access by the security 
system, and any denial of access risks the stability or operation of the system.

--
Andrew Rowley
Black Hill Software

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: XCFAS and TRUSTED

[Lennie Dymoke-Bradshaw]

I understand your security group's point of view. I understand yours as well.
When considering this there are a couple of extra points.

Firstly, when a task is given the Trusted attribute then it effectively has 
UID(0) as well as gaining access via each RACF check.

Secondly, when IBM states that a task should be given the attribute of Trusted, 
then I take it to mean that IBM is saying that the task can be trusted that 
this attribute cannot be the source of an exposure for that task. Some tasks 
should not be given the Trusted attribute as it could lead to exposures; or in 
other words, they cannot be trusted. So I take it, that XCFAS can be trusted.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Andrew Rowley
Sent: 21 August 2023 00:20
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: XCFAS and TRUSTED

On 20/08/2023 8:53 pm, Mike Cairns wrote:
> I worked at one site many years ago where the local specialist had actually 
> tested across multiple IPL's the necessity for each and every one of these 
> tasks to actually have the TRUSTED attribute and the conclusion was that many 
> of these did not actually need to be TRUSTED and could manage perfectly fine 
> using normal RACF access to resources granted via permissions to profiles.

I worked at a site which did a similar exercise. The risk is:

1) If the doc says it should be trusted, IBM are free to add functions that 
require access to other resources without documentating them. It's possible 
that IBM don't even consider what access would normally be required for an 
address space they specify as TRUSTED, or test it without TRUSTED.

2) There may be functions that are invoked only in unusual circumstances, so 
you only find out that access is missing when you are already dealing with a 
problem.

Not worth the risk, in my view (our security group disagreed!)

--
Andrew Rowley
Black Hill Software

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Has anyone

[Lennie Dymoke-Bradshaw]

For a HEX viewr, try the V fileviewer at www.fileviewer.com
It also recognises XMIT format and will even work with XMIT within XMIT.
I bought a license about 8 years back for very little. 

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Bob Bridges
Sent: 15 August 2023 21:55
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Has anyone

I use MS Office Pro Plus, but it's still 2019.  No plans to upgrade until I
must; often when I "upgrade" I find the new product doesn't do something I
wanted to continue doing.

For example, some years ago I set out to find a text editor that had a
hex-display feature.  I settled on Notepad++, and it was fine.  But one day
it offered an upgrade, and I accepted without fear.  Turns out, though,
they'd discontinued the hex feature.  Does anyone have a suggestion for a
replacement, by the way?

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* It is amazing how reading the whole Bible can affect some eschatology.
-Rick Joyner, October 2018. */

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Steve Beaver
Sent: Tuesday, August 15, 2023 11:19

Has anyone broken down and bought Microsoft Office 2021 Professional Plus+

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Has anyone

[Lennie Dymoke-Bradshaw]

I bought a second hand license at Gamers Outlet for very little UKpounds.
But it has not broken down😊.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Steve Beaver
Sent: 15 August 2023 16:19
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Has anyone

Has anyone broken down and bought

Microsoft Office 2021 Professional Plus

 

 

Regards,

 

 

Steve 

 


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

ibm-main@listserv.ua.edu

[Lennie Dymoke-Bradshaw]

I think JES implements that using SAF calls.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Jay 
Maynard
Sent: 09 August 2023 16:21
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: DD SYSOUT=(,),DSN=&SYSUID?

Thank you for the explanation. I was wondering why anyone would care about a 
SYSOUT DSN. That RACF can secure it and (I assume) keep people from looking at 
it through SDSF and the like makes perfect sense. Does RACF implement that at 
the subsystem level, or does SDSF explicitly do RACHECKs for it?

On Wed, Aug 9, 2023 at 8:48 AM Hayim Sokolsky 
wrote:

> DSN= has been legal for SYSOUT since MVS/ESA 3.1.3. However, it does 
> not give the coder much leeway.
>
>
>
> For SYSOUT the DSN value only affects the final qualifier of the JES 
> spool file name. Except for system generated spool files, the final 
> qualifier defaults to “?”. This can be used to write output specific 
> JESPOOL profiles in RACF or other ESMs.
>
>
>
> The syntax is: DSN=&&name – where name is 1 to 8 characters, starting
> with an alpha or national character. The && does not substitute as 
> seen below.
>
>   *   As an undocumented trick, DSN=&&&SYSUID can be used to cause
> substitution as if DSN=&&userid was specified. (See below)
>
>
>
> When looking at a job in SDSF, the node name is not shown in the spool 
> file name. When writing a JESSPOOL profile, the node name is the first 
> qualifier.
>
>
>
> //SYSPRINT DD SYSOUT=A
>
>
>
> Results in the spool dataset being named:
> [node.]userid.jobname.jobnumber.dsnumber.?
>
>
>
> //SYSPRINT DD SYSOUT=A,DSN=&&FRODO
>
>
>
> Results in the spool dataset being named:
>  [node.]userid.jobname.jobnumber.dsnumber.FRODO
>
>
>
> Using the following job as an example…
>
>
>
> //IBMMAIN1 JOB 'IEBGENER',NOTIFY=&SYSUID,
>
> // CLASS=A,MSGCLASS=H,MSGLEVEL=(1,1)
>
> //IEBGENER EXEC PGM=IEBGENER
>
> //SYSPRINT DD  SYSOUT=A,DSN=&&SYSUID   = .SYSUID
>
> //SYSINDD  DUMMY
>
> //SYSUT2   DD  SYSOUT=A,DSN=&&SYSUT2   = .SYSUT2
>
> //SYSUT1   DD  DATA,DSN=&&&SYSUID  = .IBMMAIN
>
>   hello world!
>
> /*
>
> //
>
>
>
> Viewed in SDSF after execution
>
> DDNAME   DSName
>
> JESMSGLG IBMMAIN.IBMMAIN1.J0009213.D002.JESMSGLG
>
> JESJCL   IBMMAIN.IBMMAIN1.J0009213.D003.JESJCL
>
> JESYSMSG IBMMAIN.IBMMAIN1.J0009213.D004.JESYSMSG
>
> SYSPRINT IBMMAIN.IBMMAIN1.J0009213.D102.SYSUID
>
> SYSUT2   IBMMAIN.IBMMAIN1.J0009213.D103.SYSUT2
>
>
>
> With INPUT ON it shows as:
>
> DDNAME   DSName
>
> JESJCLIN IBMMAIN.IBMMAIN1.J0009213.D001.JESJCLIN
>
> JESMSGLG IBMMAIN.IBMMAIN1.J0009213.D002.JESMSGLG
>
> JESJCL   IBMMAIN.IBMMAIN1.J0009213.D003.JESJCL
>
> JESYSMSG IBMMAIN.IBMMAIN1.J0009213.D004.JESYSMSG
>
> $INTTEXT IBMMAIN.IBMMAIN1.J0009213.D005.$INTTEXT
>
> $JOURNAL IBMMAIN.IBMMAIN1.J0009213.D006.$JOURNAL
>
> EVENTLOG IBMMAIN.IBMMAIN1.J0009213.D008.EVENTLOG
>
> SYSUT1   IBMMAIN.IBMMAIN1.J0009213.D101.IBMMAIN
>
> SYSPRINT IBMMAIN.IBMMAIN1.J0009213.D102.SYSUID
>
> SYSUT2   IBMMAIN.IBMMAIN1.J0009213.D103.SYSUT2
>
>
>
>
>
> A sysout specific RACF JESSPOOL profile would be:
>
> /* assumes any jobname owned by IBMMAIN with DSN=&&SYSUID */
>
>
>
> RDEF JESSPOOL *.IBMMAIN.**UACC(NONE) OWNER(IBMMAIN) /* backstop */
>
>
>
> RDEF JESSPOOL *.IBMMAIN.**.SYSUID UACC(NONE) OWNER(IBMMAIN) /* DD 
> suffix specific*/
>
>   PE *.IBMMAIN.**.SYSUID CLASS(JESSPOOL) ID(FRODO) 
> ACCESS(READ)
>
>
>
>
>
> Hayim
>
>
> Hayim Sokolsky (he/him/his)
> Director, Software Engineering
> Rocket Software, USA
> E: hsokol...@rocketsoftware.com
> W:RocketSoftware.com
> The views I have expressed in this email are my own personal views, 
> and are not endorsed or supported by, and do not necessarily express 
> or reflect, the views, positions or strategies of my employer.
>
>
>
> -Original Message-
> From: IBM Mainframe Discussion List  On 
> Behalf Of Allan Staller
> Sent: Wednesday, August 9, 2023 8:12 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: DD SYSOUT=(,),DSN=&SYSUID?
>
>
>
> EXTERNAL EMAIL
>
>
>
>
>
>
>
>
>
>
>
> Classification: Confidential
>
>
>
> SYSOUT= & DSN= are mutually exclusive on a given DD statement. Not 
> possible.
>
>
>
> -Original Message-
>
> From: IBM Mainframe Discussion List  IBM-MAIN@LISTSERV.UA.EDU>> On Behalf Of Paul Gilmartin
>
> Sent: Tuesday, August 8, 2023 2:50 PM
>
> To: IBM-MAIN@LISTSERV.UA.EDU
>
> Subject: DD SYSOUT=(,),DSN=&SYSUID?
>
>
>
> [CAUTION: This Email is from outside the Organization. Unless you 
> trust the sender, Don’t click links or open attachments as it may be a 
> Phishing email, which can steal your Information and compromise your 
> Computer.]
>
>
>
> How should the user code
>
> DD SYSOUT=(,),DSN=&SYSUID
>
>
>
> in order that the last qualifier of the system-generated name for the 
> sysout data set be the user ID under whose authority the job runs?

Re: Permanent Incremental FlashCopy Relationships? (Was: SETROPTS ERASE...)

[Lennie Dymoke-Bradshaw]

Ed,

Please add your support to this idea,
https://ibm-sys-storage.ideas.ibm.com/ideas/DS80-I-198

You may wish to look at Frank Kyne's recent article in the Watson & Walker 
newsletter.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Ed 
Jaffe
Sent: 06 August 2023 19:54
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Permanent Incremental FlashCopy Relationships? (Was: SETROPTS ERASE...)

On 7/28/2023 5:04 AM, Larre Shiller wrote:
> That said, you might want to check out IBM APAR OA61492 (and associated PE 
> fixes).  The DASD UNMAP function (or the non-IBM DASD equivalent) seems to 
> perform "the same" Erase-On-Scratch function... but at the hardware level.  
> We are using the EMC equivalent and it is working seamlessly--no z/OS side 
> overhead at all and practically nothing at the DASD hardware level.

Dude! I can't believe I didn't know about this awesome new feature!! 
Thanks for posting...

The only troubling part is this restriction:

* This support is available when all of  *
* these conditions are met:  *
* - data sets are on volumes not in copy * <---!!!
*   services relationships   * <---!!!

Our primary DASD volumes are in permanent incremental FlashCopy relationships 
in order to reduce pressure on the DASD subsystem when full-volume FlashCopy is 
needed for dumps, etc. I got the impression after listening to a presentation 
from Glenn Wilcock at SHARE that this was a best practice. Perhaps I 
misunderstood him or things have changes since then, but either-way I'm 
starting to rethink that practice.

Another similarly-restricted function is the DSS SPACEREL command, which we 
issue periodically on our SMS storage groups. Like this UNMAP feature, it won't 
work with active copy services relationships. In that case, we withdraw those 
relationships prior to running the SPACEREL function. But that's something we 
do only a couple/few times a year so it's not a big deal.

It sounds like EMC DASD doesn't have these restrictions? I'm betting Hitachi 
doesn't either, but I don't know for sure...

I wonder what other IBM DASD clients are doing?


--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/



This e-mail message, including any attachments, appended messages and the
information contained therein, is for the sole use of the intended
recipient(s). If you are not an intended recipient or have otherwise
received this email message in error, any use, dissemination, distribution,
review, storage or copying of this e-mail message and the information
contained therein is strictly prohibited. If you are not an intended
recipient, please contact the sender by reply e-mail and destroy all copies
of this email message and do not otherwise utilize or retain this email
message or any or all of the information contained therein. Although this
email message and any attachments or appended messages are believed to be
free of any virus or other defect that might affect any computer system into
which it is received and opened, it is the responsibility of the recipient
to ensure that it is virus free and no responsibility is accepted by the
sender for any loss or damage arising in any way from its opening or use.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing JCL SETs in Rexx

[Lennie Dymoke-Bradshaw]

I think the easiest way is to pass them as parameters to the REXX routine.
Alternatively specify them in an in-stream data set and use a DD statement
that specifies SYMBOLS=JCLONLY.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
'Dance like no one is watching. Encrypt like everyone is.'

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
David Spiegel
Sent: 03 August 2023 18:11
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Accessing JCL SETs in Rexx

Hi,
Does anyone know how to access the JCL SET variables from Rexx.

Thanks in advance,
David

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Specific Question/Scenario on using Pass Tickets with RACF

[Lennie Dymoke-Bradshaw]

Robert,

I think you will more likely get an answer on the RACF-L list rather than
IBMMAIN. I use both lists, but I do not know the answer to your question. I
think some on RACF-L will know.

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Robert Garrett
Sent: 02 August 2023 21:22
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Specific Question/Scenario on using Pass Tickets with RACF

Something that's been puzzling me:

Imagine an interactive application that requires valid user credentials (ID
and password) to access, but does NOT require specific authorization to the
application.
In other words, the app does a RACROUTE REQUEST=VERIFY to validate
credentials and create the associated ACEE representing the user, but it
does NOT provide the APPL= parameter on the request, nor does it perform a
subsequent REQUEST=AUTH on an APPL resource.  In other words, if you've got
a valid ID/password, you can "log on" to the app - no PERMIT to the app
itself is required and there's also no corresponding APPL resource for it.

Now, what if I want to be able to generate pass tickets in place of
passwords to access this app?  Doing that requires a PTKTDATA resource whose
name matches the application to control pass ticket generation, but this
application doesn't provide a name for itself.
Possible?
Just plain not supported?
Will RACF "assume" an application name (JOB/STC name, VTAM Applid, something
else) and use that to locate the applicable PTKTDATA resource (and if so,
what does it use)?

(If it matters, assume enhanced pass ticket via AES key in the ICSF CKDS).

Enquiring minds would really like an authoritative and accurate answer on
this one...

Thanks,
Rob

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Userid schemes

[Lennie Dymoke-Bradshaw]

I generally dislike those schemes that make use of departments or projects,
as this means a new id must be assigned when the employee moves department. 
However, some may argue this has its own benefit, as it prevents inheritance
of authorities in those situations.

Lennie
Lennie Dymoke-Bradshaw
https://rsclweb.com 
'Dance like no one is watching. Encrypt like everyone is.'

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Phil Smith III
Sent: 13 July 2023 22:22
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Userid schemes

I've seen various schemes used for creating up-to-eight-character userids,
all truncated as needed, of course. These are IDs I've had, won't tell ya
where each was (and omitting just firstname, just lastname, or intials):

1.  First initial, last name, plus a number as needed: PSMITH, PSMITH1
2.  Last name || first name, with number if necessary, but always
including first initial: SMITHIIP, or SMITHIP2 if needed
3.  First three of last name, first two of first name, plus a number:
SMIPH03 (I've always wondered how they'd deal with Kyle Fuchs or Tyrone
Shipman)
4.  First initial, last name, truncated to max of six with a two-digit
number: I was PSMITH87; friend was TSMITH99-we never found out what the next
T. Smith would get: would they reuse a hole, if any, or go to TSMIT100?


Anyone got any other variations? This is purely a curiosity item, no agenda.


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Unix file system ownership

[Lennie Dymoke-Bradshaw]

Usually one issue with making that software read-only is that it is the 
development system RACF database that defines it as read-only. Hence the 
production system has to trust the security of the development system. Many 
security professionals would baulk at this.

Or maybe you were thinking of making it read-only at the hardware level?

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Paul Gilmartin
Sent: 14 June 2023 19:59
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Unix file system ownership

On Wed, 14 Jun 2023 19:42:32 +0100, Lennie Dymoke-Bradshaw wrote:
>...
>I can understand completely why the environments of Development and 
>Production should have different RACF databases. What I fail to 
>understand is why they are then sharing the DASD.
>
Would sneakernet be better?

There are valid reasons for making production utilities, though not data, 
available, read only, on Development and Test systems.

Are the production TSO IDs similarly not defined or unavailable on the 
Development system?

--
gil

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Unix file system ownership

[Lennie Dymoke-Bradshaw]

Frank,

I can understand completely why the environments of Development and
Production should have different RACF databases. What I fail to understand
is why they are then sharing the DASD.

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Frank Swarbrick
Sent: 14 June 2023 19:17
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Unix file system ownership

I'm guessing this is hopeless, but figured I'd ask anyway.
For "some reason" we have separate RACF databases for each of our
environments (dev/test vs production).  Because of this (I think it's the
reason!) my Unix UID is different in production than in dev/test.  This
means that even though my personal Unix file system is mounted at the same
mount point in each, only in one of them (dev/test) do I technically "own"
it.  I'm wondering if there might be some way I can "own" it in both
systems.  Can UIDs be explicitly set to a particular value?  Or can one be
mapped to another?  Or something else?


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF passphrase support

[Lennie Dymoke-Bradshaw]

I recommend posting to the RACF-L list.
You'll get a lot of help there.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
rpinion865
Sent: 14 June 2023 14:25
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: RACF passphrase support

If I want to move away from passwords and use passphrases, how do I force users 
to use passphrases, i.e. RACF exit(s)?

Sent with [Proton Mail](https://proton.me/) secure email.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Char to Hex

[Lennie Dymoke-Bradshaw]

In assembler there are 2 instructions for handling Char to Hex and Hex to Char.

TRTO - Translate Two to One
TROT - Translate One to Two

It is the TROT instruction I usually use for producing printable HEX, but I 
think you need the TRTO instruction.
Once you have set up the tables it is the simplest I can find. Certainly far 
easier that the UNPK method of old.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Ituriel do Neto
Sent: Tuesday, June 13, 2023 8:06 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Char to Hex

Hi all,

I don't want to reinvent the wheel, so I would be grateful for your advice.
I need to convert C'123AB' to X'0123AB'

Any ideas?


Best Regards

Ituriel do Nascimento Neto
z/OS System Programmer

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Why can't a LinuxONE run z/OS

[Lennie Dymoke-Bradshaw]

Many thanks to everyone who has contributed to this. 
That's quite a lot of information I have gathered.

Thanks especially to Timothy Sipples for putting it all together below.

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Timothy Sipples
Sent: 09 June 2023 06:48
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Why can't a LinuxONE run z/OS

Lennie Dymoke-Bradshaw asks:
>Can someone please explain what IBM have done on the LinuxOne machines 
>to stop them running z/OS?

Your predicate is incorrect. IBM LinuxONE servers CAN run z/OS. Please read
on

David Crayford wrote:
>From what I gather, LinuxOne machines have the capability to run z/OS 
>within OCP containers, and there are cloud provisioning tools available 
>to choose systems software from the ADCD. I had the opportunity to 
>witness a demonstration of this at a zForum conference, where IBMer Ed 
>McCarthy showcased its impressive functionality. I was quite impressed 
>with what I saw. The provisioning options ranged from x86 emulation to 
>on-premises Linux on Z, with various tiers in between. Tim Sipples will 
>know the details.

To my knowledge there are currently two generally available, fully IBM
supported and authorized ways to run z/OS on LinuxONE servers:

1. Via the IBM Virtual Dev and Test for z/OS product. ZVDT supports running
real z/OS for development, unit test, demonstration, and training purposes
on IBM LinuxONE servers (and on IFLs in IBM zSystems servers). Please note
that ZVDT does not currently support z/OS Parallel Sysplex configurations or
the z/OS Container Extensions. But it does run real, bit-for-bit identical
z/OS. And the performance is broadly excellent. ECKD/FICON-attached storage
is supported but not required.

https://www.ibm.com/products/virtual-dev-and-test-zos

It's common to deploy ZVDT (and the z/OS instances it hosts) in its own,
dedicated LPAR. But it doesn't necessarily have to be. My colleague Ed
McCarthy might've demonstrated some other deployment options.

2. Via the IBM GDPS Virtual Appliance. You can optionally configure an IBM
LinuxONE server with a single general purpose processor (CP) at a specific
capacity setting. This single CP can only be used to run the IBM GDPS
Virtual Appliance software. The GDPS VA software is shipped and serviced as
a single, integral image, but it happens to be z/OS-based. (You're not
licensed to use that "interior" z/OS for general purposes.) The IBM GDPS
Virtual Appliance is broadly functionally equivalent to the IBM GDPS Metro
Mirror (with HyperSwap) offering. ECKD/FICON-attached storage is required
for the IBM GDPS Virtual Appliance itself. ECKD/FICON-attached storage is
supported but not required for other workloads.

Peter Bishop wrote:
>And LinuxONEs only have IFLs.

You have the option to configure LinuxONE servers with a single subcapacity
CP. (See above.) You can also configure them with additional SAPs if you
wish.

>The rest of the box is the same, apart from the doors

The two server families are related, but there are more differences besides
the engine choices and doors. As a notable example the LinuxONE servers can
be configured with NVMe Carrier features and even boot/IPL from them. NVMe
Carrier features are not available on IBM zSystems servers. zHyperLink
Express adapters are available in IBM zSystems servers but not in IBM
LinuxONE servers. In past model generations (including z15/LinuxONE III
which is still generally available) the storage-related adapters are often
different, but there's some re-convergence in that area with the
z16/LinuxONE 4 servers. IBM zSystems servers support model conversion
upgrades (for example from z15 to z16) and carry forward of I/O features.
LinuxONE servers do not support either model conversion upgrades or carry
forward of any I/O features.

You can look through the Feature Codes available for the IBM z16 (3931-A01)
and IBM LinuxONE Emperor 4 (3931-LA1) and see many identical feature codes
but also many differences.

-
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity IBM zSystems/LinuxONE,
Asia-Pacific sipp...@sg.ibm.com


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Why can't a LinuxOne run z/OS

[Lennie Dymoke-Bradshaw]

Can someone please explain what IBM have done on the LinuxOne machines to
stop them running z/OS?

I ask out of curiosity only.

 

Lennie Dymoke-Bradshaw

 

 

 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Two related member generation questions

[Lennie Dymoke-Bradshaw]

Charles,

Try this Share presentation. (Rather long URL. If problem just try searching 
for "PDSE member generations").

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjQ7oG7rJ3_AhXSTEEAHcKyBAsQFnoECBUQAQ&url=https%3A%2F%2Fshare.confex.com%2Fshare%2F125%2Fwebprogram%2FHandout%2FSession17831%2FSHARE%2520Using%2520Member%2520Generations.pdf&usg=AOvVaw3AfII9eO3h_kXWAw7fhdTk
 

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Charles Mills
Sent: 30 May 2023 04:05
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Two related member generation questions

I'll bite: where is it hidden? 

CM

On Mon, 29 May 2023 21:28:50 -0400, Steve Smith  wrote:

>Yes, one of the "hidden secrets" of ISPF.  I use it a lot, but you kind 
>of have to be told it's there, and get used to it.  It's very clunky.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Are you serious about wanting a better IBM doc RCF-type process?

[Lennie Dymoke-Bradshaw]

+1
Voted for Peter Farley's RFE as well.

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Charles Mills
Sent: 22 May 2023 23:06
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Are you serious about wanting a better IBM doc RCF-type process?

For those who have not been following this discussion, IBM is on track to 
remove the RCF process as we have known it for forty or so years. Customers and 
ISVs will be limited to a Web pop-up “Was this helpful?” and if you answer No, 
you will be able to briefly justify that answer. There is also apparently now 
no path whatsoever for a customer to open a requirement against IBM 
documentation.

We need a way to provide formatted suggestions for improvements, clarifications 
or corrections to IBM manuals.

If you would like that, then wishing and hoping and grumping will not make it 
happen. Here is what might make it happen:

- You could start by replying with a simple +1 to this post. The IBM powers 
that be do not participate in this forum, but there is strong evidence that 
what happens here sometimes percolates in that direction.
- You could vote for Peter Farley’s RFE. Find it here: 
https://ibm-z-hardware-and-operating-systems.ideas.ibm.com/ideas/ZOS-I-3691 
(apologies for any fold).
- If you have an IBM rep at your shop, you could let him or her know. If you 
simply know an IBMer you could tell him or her nicely. 
- If you have contacts who are responsible at your shop for other products such 
as the languages, Db2, CICS, MQ and so forth, you could try to get them to 
chime in. Apparently one of the pushbacks from the documentation team is “IBM 
has 1200 products and our process works fine for all of them – what’s wrong 
with you z/OS people?”

Thank you.
Charles

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: VBS file read in windows - end of record issue

[Lennie Dymoke-Bradshaw]

Radoslaw,

If you specify the LRECL and/or BLKSIZE in your program, then you can set a  
value that appears to flout the JCL rules. For example it used to be that 
IFASMFDP wrote data sets with a BLKSIZE of 32767. I am unsure if it still does.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Radoslaw Skorupka
Sent: 18 May 2023 10:36
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: VBS file read in windows - end of record issue

Well, can you show me a JCL job to allocate such dataset?
My experience say that any attempt to create PS dataset with LRECL > ~32kB ends 
with JCL error and IEF638I JCL Reference clearly say that for non-VSAM dataset 
the maximum is 32760. For VSAM it is 32761.
"Additional Syntax" says it is possible to use LRECL=nK when n is up to 
16,383. However it is possible only for ISO/ANSI V3 tapes.
And there is LRECL=X, which is applicable only to QSAM VS/VBS. It is not 
cheating in the meaning I provided earlier, but it is not quite simple dataset 
usage.


Note: despite of the above it is possible to allocate PS VBS file with 
LRECL=32767, but the LRECL cannot be specified in JCL. LIKE is the trick.


Regarding a little bit off-topic compressed extended format datasets: 
system reports "legal" BLKSIZE 32760 (SDB was used). What's inside - it 
is covered by media manager IMHO.


(irrelevant)
My local "cheating" definition used before: user creates 
records/segments, *including* SDW. IMHO tools like File Manager allow 
such cheating. However it is just track editing play, not dataset usage.


Regards
-- 
Radoslaw Skorupka
Lodz, Poland




W dniu 17.05.2023 o 21:14, Michael Oujesky pisze:
> Having read and written records longer than three MB, it is not 
> "cheating". Especially with RMF 74.5 records with 59 "broken" (split) 
> records to reassemble into one very long record. See the SMF manual on 
> RMF record reassembly area.
>
> JCL allows LRECL=16384K.  And SMS compressed files write full tracks 
> (roughly 56KB).
>
> Michael
>
> At 01:20 PM 5/17/2023, Radoslaw Skorupka wrote:
>> Content-Transfer-Encoding: 8bit
>>
>> Well, not really.
>> There is LRECL=X, but besides we have not very strict limitation of 
>> LRECL. It is 32760 or 32767.
>> First value is limited by JCL syntax, but the second is available 
>> when allocation PS using LIKE= keyword.
>> Of course one may automagically write segments with custom-created 
>> SDWs, but I would call it cheating.
>>
>> BTW: The purpose of VBS was not veeery long record, but records 
>> up to 32k, even on DASD with shorter track. Hint: the track is 
>> natural limit of BLKSIZE. It is no longer important since 3380 
>> (80's), because track size exceeded 32k.
>>
>>
>> -- 
>> Radoslaw Skorupka
>> Lodz, Poland
>>
>>
>>
>>
>> W dniu 16.05.2023 o 18:52, Michael Oujesky pisze:
>>> Just another tidbit, but when combining the record segments, while 
>>> the VBS architecture does not specify a maximum record length, you 
>>> can expect the full records to be up to 16,777,215 (16384K - 1) 
>>> bytes in length.
>>>
>>> Realizing that the RDW is actually a SDW.
>>>
>>> Michael
>>>
>>> At 01:26 AM 5/16/2023, Michael Stein wrote:
>>>> On Tue, May 16, 2023 at 04:14:07AM +, Prashant Joshi wrote:
>>>> >> Did you specify binary mode on the python open call? --
>>>>
>>>> > Yes. And I can read the data.
>>>>
>>>> How are you reading the data.  Assuming an open like:
>>>>
>>>> myfile = open("filename", "rb")
>>>>
>>>> You need to either read it all into memory:
>>>>
>>>> alldata = myfile.read()
>>>>
>>>> or read specific lengths which is messier as you need to read specific
>>>> lengths, first 4 bytes for the RDW and then the length of the record
>>>> in the RDW-4 (as you already read the RDW).
>>>>
>>>> The 4 byte RDW includes the length of the record in the first 2 bytes
>>>> (bigendian order) and the spanning bits in the last 2 bytes.
>>>>
>>>> Either way you need to walk your way through the binary data, any code
>>>> looking for CR or NL or space isn't correct.
>>>>
>>>> A description of VBS records formats:
>>>>
>>>> z/OS 2.4 DFSMS Using Data Sets SC23-6855-40
>>>> https://www-40.ibm.com/servers/resourcelink/svc00100.nsf/pages/z

Re: JES2 Submitlib Bootstrap problem

[Lennie Dymoke-Bradshaw]

Is it possible to only place the submitlib statements in the commands executed 
at the end of JES2 initialization?
This would allow JES2 to initialize I think.
(Still a bit of a bodge though, even if it works.)
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Mark Jacobs
Sent: 11 May 2023 00:29
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: JES2 Submitlib Bootstrap problem

IBM has said that what I'm experiencing is working as it's currently designed. 
They are discussing internally whether it's a good design however. They agree 
that it's poor behavior for JES2 to stop coming up when it can't allocate a 
SUBMITLIB. Film at 11.

Mark Jacobs 


Sent from ProtonMail, Swiss-based encrypted email.

GPG Public Key - 
https://api.protonmail.ch/pks/lookup?op=get&search=markjac...@protonmail.com


--- Original Message ---
On Wednesday, May 10th, 2023 at 8:40 AM, Mark Jacobs 
<0224d287a4b1-dmarc-requ...@listserv.ua.edu> wrote:


> I added that to the top of COMMNDxx. JES2 is also started there. In our 
> sandbox it didn't work. I'd need to get the automation team to get involved 
> to have it trap the OMVS is active message then start JES2. Unless some other 
> engineering teams express an interest in SUBMITLIBs in a file system I'm not 
> going to do anything else at this point.
> 
> I'm still going to pursue the case with IBM though.
> 
> Mark Jacobs
> 
> Sent from ProtonMail, Swiss-based encrypted email.
> 
> GPG Public Key - 
> https://api.protonmail.ch/pks/lookup?op=get&search=markjacobs@protonma
> il.com
> 
> 
> 
> 
> --- Original Message ---
> On Wednesday, May 10th, 2023 at 8:14 AM, Allan Staller 
> 0387911dea17-dmarc-requ...@listserv.ua.edu wrote:
> 
> 
> 
> > Classification: Confidential
> > 
> > Issue the command in COMMNDxx or your System Automation product.
> > 
> > -Original Message-
> > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On 
> > Behalf Of Mark Jacobs
> > 
> > Sent: Wednesday, May 10, 2023 7:12 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: JES2 Submitlib Bootstrap problem
> > 
> > [CAUTION: This Email is from outside the Organization. Unless you 
> > trust the sender, Don't click links or open attachments as it may be 
> > a Phishing email, which can steal your Information and compromise 
> > your Computer.]
> > 
> > How do you start OMVS SUB=MSTR? I'm not seeing any start command in parmlib.
> > 
> > Mark Jacobs
> > 
> > Sent from ProtonMail, Swiss-based encrypted email.
> > 
> > GPG Public Key - 
> > https://api.protonmail.ch/pks/lookup?op=get&search=markjacobs@proton
> > mail.com
> > 
> > --- Original Message ---
> > On Wednesday, May 10th, 2023 at 7:58 AM, Allan Staller 
> > 0387911dea17-dmarc-requ...@listserv.ua.edu wrote:
> > 
> > > Classification: Confidential
> > > 
> > > OMVS can be started as SUB=MSTR or as a JES task. Che choice is up to the 
> > > installation.
> > > Ditto for ZFS.
> > > 
> > > What is really being implied is that if JES2 needs OMVS services, 
> > > it should not provide those services until OMVS has initialized,
> > > 
> > > Many other tasks do this (e.g. TSO).
> > > 
> > > My USD $0.02
> > > 
> > > -Original Message-
> > > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On 
> > > Behalf Of Pommier, Rex
> > > 
> > > Sent: Tuesday, May 9, 2023 11:21 AM
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > Subject: Re: JES2 Submitlib Bootstrap problem
> > > 
> > > [CAUTION: This Email is from outside the Organization. Unless you 
> > > trust the sender, Don't click links or open attachments as it may 
> > > be a Phishing email, which can steal your Information and 
> > > compromise your Computer.]
> > > 
> > > I see a problem with this scenario. It appears to me that there is a call 
> > > (not necessarily by Shmuel) to potentially have JES2 wait for OMVS to be 
> > > up before it does its startup (or at least completes the startup). Due to 
> > > a self-inflicted screw-up on one of our LPARs, OMVS decided it had to do 
> > > a filesystem check on every filesystem on the system. This took a good 
> > > half hour where it simply appeared our LPAR was hung. JES2 had come up 
> > > and I was able to start a few address spaces that are dependent on JES so 
> > > I could figure out what was going on. Had JES been waiting for OMVS we 
> > > would have been completely in the dark on this issue.
> > > 
> > > I could see there being communication between JES and OMVS so that when 
> > > OMVS gets initialized it signals JES to redrive any failed zFS 
> > > allocations, but don't force JES to wait until zFS is available.
> > > 
> > > My $.02.
> > > 
> > > Rex
> > > 
> > > -Original Message-
> > > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On 
> > > Behalf Of Seymour J Metz
> > > 
> > > Sent: Tuesday, May 9, 2023 10:10 AM
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > Subject: [EXTERNAL] Re: JES2 Submitlib Bootstrap problem
> > > 
> > > Yes, IBM absol

Re: Can REXX OUTTRAP trap WTO's?

[Lennie Dymoke-Bradshaw]

I think a WTO that is issued and then written to the TSO screen (as a result
of PROFILE WTPMSG) must ultimately use a TPUT.
(It may even use PUTLINE, which itself then uses a TPUT.) 
Can these messages be captured by TSO Sess Man or by OUTTRAP?

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Seymour J Metz
Sent: 10 May 2023 13:01
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Can REXX OUTTRAP trap WTO's?

OUTTRAP is for messages written by PUTLINE and PUTGET; the TSO Session
Manager can capture TPUT but there is no way to capture WTO directly. 

However, if you have the proper authorization (OP does not) then you can
examine console messages with the CONSOLE facility.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of
Farley, Peter [031df298a9da-dmarc-requ...@listserv.ua.edu]
Sent: Tuesday, May 9, 2023 1:30 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Can REXX OUTTRAP trap WTO's?

Cross-posted to IBM-MAIN and TSO-REXX lists.

Is there any way for  Rexx script to capture WTO output?  This is a simple
case, a one-line WTO, no multiline possible.

I only recently found a need to do this, and my tests so far say "no it
can't".

/* Rexx */
/* Capture WTO from BATCHPGM */
xtrp = outtrap("zdsp.")
address attchmvs "BATCHPGM"
xtrp = outtrap("OFF")
say "ZDSP.1="zdsp.1

Execution result online in TSO:

*** WTO OUTPUT FROM BATCHPGM ***
ZDSP.1=ZDSP.1

Peter

This message and any attachments are intended only for the use of the
addressee and may contain information that is privileged and confidential.
If the reader of the message is not the intended recipient or an authorized
representative of the intended recipient, you are hereby notified that any
dissemination of this communication is strictly prohibited. If you have
received this communication in error, please notify us immediately by e-mail
and delete the message and any attachments from your system.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Unlike data sets concatenation - revised

[Lennie Dymoke-Bradshaw]

Fair enough 😊.

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Seymour J Metz
Sent: 27 April 2023 11:25
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Unlike data sets concatenation - revised

ObPedant For lo these many years the DASD "physical record" has actually been a 
logical record in DASD with a different architecture.

That said, in DFSMSdfp, "physical record size" refers to the block size as seen 
at the channel, not to the block size of the underlying DASD; "logical record 
size" refers to either a segment of a physical record, or, for spanned records, 
a record constructed from a sequence of such segments, and the meaning of 
"record" depends upon context.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Lennie Dymoke-Bradshaw [032fff1be9b4-dmarc-requ...@listserv.ua.edu]
Sent: Thursday, April 27, 2023 3:58 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Unlike data sets concatenation - revised

The reference to record as a segment of a physical block is really a "logical 
record". Hence LRECL stands for "logical record length".  The "WRNG.LEN.RECORD" 
reference is speaking of physical records or block.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Mike Schwab
Sent: 27 April 2023 00:43
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Unlike data sets concatenation - revised

A DASD record is a physical block.  Contents of the block depend on the RECFM=, 
i.e. U for load modules, VB for variable blocked, FB for Fixed Blocked.

On Wed, Apr 26, 2023 at 6:11 PM Seymour J Metz  wrote:
>
> The DASD documentation uses the term record.
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> 
> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on 
> behalf of Paul Gilmartin 
> [042bfe9c879d-dmarc-requ...@listserv.ua.edu]
> Sent: Wednesday, April 26, 2023 6:08 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Unlike data sets concatenation - revised
>
> On Wed, 26 Apr 2023 13:44:21 -0700, Michael Stein wrote:
>
> >>  000234D0   E6D9D5C7   4BD3C5D5   4BD9C5C3   D6D9C46B   | WRNG.LEN.RECORD, 
> >> |
> >
> >A likely result from reading a block larger than the blksize.
> >
> Why does it say "RECORD" if it means "Block"?
>
> >...
> >What does the *SOURCE* DCB & JCL look like?  Do either specify LRECL 
> >and/or BLKSIZE?
> >
> Just cut the Gordian Knot and specify the largest BLKSIZE expected; even 
> 32760.
> LRECL likewise. Storage is cheap nowadays.
>
> --
> gil
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



--
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Unlike data sets concatenation - revised

[Lennie Dymoke-Bradshaw]

The reference to record as a segment of a physical block is really a "logical 
record". Hence LRECL stands for "logical record length".  The "WRNG.LEN.RECORD" 
reference is speaking of physical records or block.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Mike Schwab
Sent: 27 April 2023 00:43
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Unlike data sets concatenation - revised

A DASD record is a physical block.  Contents of the block depend on the RECFM=, 
i.e. U for load modules, VB for variable blocked, FB for Fixed Blocked.

On Wed, Apr 26, 2023 at 6:11 PM Seymour J Metz  wrote:
>
> The DASD documentation uses the term record.
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> 
> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on 
> behalf of Paul Gilmartin 
> [042bfe9c879d-dmarc-requ...@listserv.ua.edu]
> Sent: Wednesday, April 26, 2023 6:08 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Unlike data sets concatenation - revised
>
> On Wed, 26 Apr 2023 13:44:21 -0700, Michael Stein wrote:
>
> >>  000234D0   E6D9D5C7   4BD3C5D5   4BD9C5C3   D6D9C46B   | WRNG.LEN.RECORD, 
> >> |
> >
> >A likely result from reading a block larger than the blksize.
> >
> Why does it say "RECORD" if it means "Block"?
>
> >...
> >What does the *SOURCE* DCB & JCL look like?  Do either specify LRECL 
> >and/or BLKSIZE?
> >
> Just cut the Gordian Knot and specify the largest BLKSIZE expected; even 
> 32760.
> LRECL likewise. Storage is cheap nowadays.
>
> --
> gil
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



--
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IKJPARS PCL/Parameters

[Lennie Dymoke-Bradshaw]

Can you get this to work if you enter it as a quoted string?
e.g. '12345688 ASID(14)' 
IKJIDENT should accept quoted strings according to the doc.

Do I assume your comments on using the ADDRESS keyword are for IKJPOSIT?

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Joseph Reichman
Sent: 26 April 2023 00:53
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: IKJPARS PCL/Parameters

Hi

 

I have a PCL defined as such 

LISTAPCL IKJPARM 

 ADDR1 IKJIDENT 'ADDRESS..',RANGE,UPPERCASE,MAXLNTH=17,FIRST=ANY,OTHER=AX 

NY,VALIDCK=LSTVALAD   

 

What I would like it to be is a string which I treat as an address. I don't
use the ADDRESS key word because I want the ability to enter a 64 bit
address or up to 16 characters

 

I have number of keywords after this one them being ASID

 

When I enter the following string at the TSO terminal

 

12345688 ASID(14)

 

 

IKJPARS total ignores the string 12345688 and LSTVALDAD validity exit points
to the ASID string

 

Don't  understand I thought the 12345688 would match up with the first
string entered at the TSO terminal 12345688 but the LSTVALAD points to
ASID(14)

 

THANKS 


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Call to RACF R_admin from CICS module

[Lennie Dymoke-Bradshaw]

CICS does not run your transactions under your signon userid. They run under 
the CICS address space ID, with its authority. So IRRSEQ00 simply looks for an 
ACEE in TCBSENV and if it does not find one, it used ACSBSENV.
Hence your result.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
John Blythe Reid
Sent: 20 April 2023 16:13
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Call to RACF R_admin from CICS module

Has anyone used RACF callable services from a CICS module ?

This is the call to the R_admin interface:

CALL IRRSEQ00 (Work_area,
ALET, SAF_return_code,
ALET, RACF_return_code,
ALET, RACF_reason_code,
Function_code,
Parm_list,
RACF_userID,
ACEE_ptr,
Out_message_subpool,
Out_message_strings
)
I use this function:  ADMN_RUN_COMDX'05'Run a RACF command image

The command string that I give it is simply 'LU' to list my RACF user. The call 
works ok but to my surprise, rather that listing my user it lists the CICS 
region user. This despite having logged on to my CICS session with my userid.

The manual clearly states that the parameters RACF_userID and ACEE_ptr are 
ignored for problem state callers.

By the way, when I make this same call from a batch program it works ok, 
returning the RACF information for my userid.

Has anyone else come across this ?

Regards,
John Blythe Reid.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Rexx Exec to Build 10,000 PDS Members: ALLOC vs ISPF Services vs ?

[Lennie Dymoke-Bradshaw]

This is a good solution but I have a feeling this only works with certain DCBs. 
I think it is limited to a maximum LRECL of 80 bytes.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Wendell Lovewell
Sent: 20 April 2023 15:18
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Rexx Exec to Build 10,000 PDS Members: ALLOC vs ISPF Services vs ?

I don't know about the logic required to create a member -- Kolusu might have 
the  best idea.  But creating one long sequential file with all the members and 
using IEBUPDTE is pretty simple: 

//STEP1EXEC PGM=IEBUPDTE,PARM=MOD
//SYSPRINT DD   SYSOUT=*
//SYSUT1   DD   DISP=OLD,DSN=SOME.PDSE
//SYSUT2   DD   DISP=OLD,DSN=SOME.PDSE
//SYSINDD   DATA
./ADD   NAME=BLUE1

The sky appears blue because of a
phenomenon called Rayleigh scattering.

./ADD   NAME=BLUE2

When sunlight enters the Earth's
atmosphere, it is scattered in all
directions by the gases and particles in the air.

./ADD   NAME=BLUE3

Blue light has a shorter
wavelength and is more easily scattered
than other colors, which is why we see
the sky as blue during the day.

/*
//

(I've included blank lines around the text for clarity here.  All that's needed 
between members is the ./ ADD NAME=membername.) 

This assumes you want to recreate the PDSE each time.  "Monica" says IEBUPDTE 
won't delete from a PDSE like it will from a PDS.  (I've not found "Monica" to 
be all that accurate so far though.) 

Hth,
 
Wendell 

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: CyberSecurity Risk

[Lennie Dymoke-Bradshaw]

You may well be right. I sort of hinted at that.
Data leakage prevention is about stopping data being shared. It oftens needs 
different techniques to data access prevention.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Bob 
Bridges
Sent: 18 April 2023 01:41
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: CyberSecurity Risk

Out of curiosity, how do you distinguish between data leakage and security 
vulnerability?  I would have said the former is one type of the latter.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* In God we trust!  All others bring data.  -W Edwards Deming */

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Lennie Dymoke-Bradshaw
Sent: Monday, April 17, 2023 19:15

I don't think it addresses a security vulnerability per se. It addresses data 
leakage. The folks I am working for do not allow any data to escape their 
systems without prior authorisation. But maybe that is a vulnerability issue.

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Bob 
Bridges
Sent: 17 April 2023 21:28


At some of my clients - not all of them - yeah, I cannot cut and paste between 
my own PC and the session I have on the client's network.  It's a pain, and I'm 
with others here who don't see that it addresses a security vulnerability.  But 
it's not crippling; I can just email it from one place to the other and then do 
the copy-paste. :)

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Jack Zukt
Sent: Monday, April 17, 2023 06:52

This is  way off topic, sorry, but I am curious, so please be patient In one of 
the clients for which I have to work the Auditors found out that the Copy/Paste 
between the client Citrix session and our PCs is a risk and the client disabled 
the function.  Has anyone else ever has such an issue?

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: CyberSecurity Risk

[Lennie Dymoke-Bradshaw]

I don't think it addresses a security vulnerability per se. It addresses data 
leakage. The folks I am working for do not allow any data to escape their 
systems without prior authorisation. But maybe that is a vulnerability issue.

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Bob 
Bridges
Sent: 17 April 2023 21:28
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: CyberSecurity Risk

At some of my clients - not all of them - yeah, I cannot cut and paste between 
my own PC and the session I have on the client's network.  It's a pain, and I'm 
with others here who don't see that it addresses a security vulnerability.  But 
it's not crippling; I can just email it from one place to the other and then do 
the copy-paste. :)

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* The counterpart of rebellion in today's secularist culture is the abdication 
of authority. Adults in authority who make no moral demands on children are as 
alienated from society as any rebel. In days of yore, adults still felt 
entitled to "impose" standards of right and wrong and to teach their pupils 
what "character" meant. Too many of today's parents don't feel authorized to 
impose such standards even on their own kids.  -Joseph Sobran, reflecting on 
Littleton */

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Jack Zukt
Sent: Monday, April 17, 2023 06:52

This is  way off topic, sorry, but I am curious, so please be patient In one of 
the clients for which I have to work the Auditors found out that the Copy/Paste 
between the client Citrix session and our PCs is a risk and the client disabled 
the function.  Has anyone else ever has such an issue?

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Subject: Re: Currency format suggestions, please?

[Lennie Dymoke-Bradshaw]

We used to have the Milliard as well.
https://www.dictionary.com/browse/milliard 

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Rupert Reynolds
Sent: 02 April 2023 04:05
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Subject: Re: Currency format suggestions, please?

Fair point. When I was at school we used "billion" as long scale 10^12, but by 
the time I worked for Nasty Wetmonster Bank it was short scale.

I tend to just say "thousand million" :-)

Roops

On Sun, 2 Apr 2023, 00:34 Gary Weinhold,  wrote:

> This is been very interesting, but no one has mentioned billions and 
> trillions.  When I was a young, I learned that the UK million was the 
> same as US, but billion was a million millions (not just a thousand 
> million) and a trillion was a million billions and so on.  i guess It 
> makes a difference when you're talking about national debt (cue Senator 
> Everett Dirksen).
> Anyway, UK switched to the thousands- based 'illions in 1974.
>
> Gary Weinhold
> Senior Application Architect
> DATAKINETICS | Data Performance & Optimization
> Phone:+1.613.523.5500 x216
> Email: weinh...@dkl.com
> Visit us online at www.DKL.com
> E-mail Notification: The information contained in this email and any 
> attachments is confidential and may be subject to copyright or other 
> intellectual property protection. If you are not the intended 
> recipient, you are not authorized to use or disclose this information, 
> and we request that you notify us by reply mail or telephone and 
> delete the original message from your mail system.
>
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IGGCSI00 - NVSNATTR

[Lennie Dymoke-Bradshaw]

The man who will know all about IGGCSI00 is Stephen Branch at IBM, who
maintains this code I think.
He is a very knowledgeable and approachable man, who has helped me in the
past.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
'Dance like no one is watching. Encrypt like everyone is.'

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Kirk Wolf
Sent: 21 March 2023 18:43
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IGGCSI00 - NVSNATTR

Peter,
Did you ever get an answer to this question about NVSMATTR='Q' ?

As far as I know, there is no public API (callable by assembler, not an IBM
utility), that can be used to determine PDSEV2.  Am I wrong?


Kirk Wolf
Dovetailed Technologies
https://coztoolkit.com

On Mon, Jan 23, 2023, at 1:17 PM, Pierre Fichaud wrote:
> I asked for NVSMATTR,DEVTYP, DSCBTTR and VOLSER for a PDSE version 1.
> R15 was 0 after the call to IGGCSI.
> The DEVTYP, DSCBTTR and VOLSER were fine.
> I was expecting NVSMATTR to have a value of 'L' for a PDSE but I got 'Q'.
> This isn't documented.
> I was hoping to identify a PDSE (ve or v2) before doing an allocation but
...
> 
> What does 'Q' represent and where is that documented?
> 
> Regards, Pierre.
> 
> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Question for our international friends (mostly)

[Lennie Dymoke-Bradshaw]

In Australia "rooter" means something rather different, so I suggest you
don't look it up.
I was always surprised that most of my USA friends say rowt , but they all
agree they get their kicks (CICS?) on root 66.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Jeremy Nicoll
Sent: 18 March 2023 01:49
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Question for our international friends (mostly)

On Sat, 18 Mar 2023, at 01:38, Bernd Oppolzer wrote:
> Very interesting discussion.
>
> I recently tried to understand what the correct pronounciation of the 
> word "router" is, because here in Germany there are different 
> opinions. And I learned in the end, that BOTH ways are correct, like 
> "rooter" and (don't know how to spell the other,
> maybe) "row-ter".

In the UK, usual usage is "rooter" for the network device, but "row-ter"
for the woodworking tool.

--
Jeremy Nicoll - my opinions are my own.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

DLF and Hiperbatch

[Lennie Dymoke-Bradshaw]

While working at multiple sites I have seen customers activating the DLF
address space often. DLF supports a facility known as Hiperbatch, which was
introduced in the early 1990s. Hiperbatch is a way of making data available
in expanded storage from one job step of a batch job to another job step,
thereby reducing I/O. (Hope you all remember expanded storage folks.) The
manual for Hiperbatch is no longer distributed with those for z/OS but is
still available. It is dated 1994 and is still at Version 1 I believe. DLF
is controlled from the COFDLFxx member of PARMLIB. I understand there are 3
ways to make a dataset eligible for Hiperbatch assistance, 

1.  Through a RACF profile in the DLFCLASS class
2.  Through the DLF exit (specified in the COFDLFxx member)
3.  Through the OPC/ESA (long since renamed) special resources dialog,
also using a DLF exit.

 

I think that if DLF is active and the DLFCLASS class is active then each
data set OPEN will cause an extra RACF check to the DLFCLASS class to see if
the data set is eligible. I have seen these checks in zSecure Access
Monitor.

 

So I have two questions. Number 1 is for most people.

Is anyone still using Hiperbatch?

 

Question 2 is for IBM.

In many cases we can simply not start DLF and inactivate the DLFCLASS class
and thereby save processing cycles. What is the downside to this?

 



Lennie Dymoke-Bradshaw

 <https://rsclweb.com/> https://rsclweb.com 


'Dance like no one is watching. Encrypt like everyone is.'

 

 

 

 

 

 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Looking for Beta Clients

[Lennie Dymoke-Bradshaw]

Tony,

What is often quoted by the auditors is that IND$FILE will transfer data but is 
essentially unaudited. Thus it is treated as a potential security exposure for 
data leakage.

While a program control RACF check can be used it will only log the use of the 
IND$FILE program, rather than recording or checking on the name of the dataset 
which is transferred. (Even if RACF program protection is used IND£FILE can 
often be executed from another library or under another name to bypass those 
program controls. After all it does not require APF authorisation).

So those of us working in security would like a "more controllable" or at least 
a "more auditable" replacement for IND$FILE. Does your code produce any SMF 
records? Does it have any security controls? Does it run APF authorised?

Lennie
Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Tony Tancredi
Sent: 09 March 2023 12:42
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Looking for Beta Clients

Hi Michael,
>From OS390 to wherever the Windows PC client is running. I do understand that 
>FTP, TSO XMIT, and other technologies exist. What I'm trying to replace is the 
>IND$FILE transfers most terminal emulator users are using. If you visit my 
>website, you will see we are developing another product, RheoWorx, which will 
>perform automated workflows where data can be transferred and managed between 
>any nodes within the workflow, including multiple mainframes.
Thanks,
Tony

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: One more REXX Question

[Lennie Dymoke-Bradshaw]

I think you may be at the point where you need to ditch the LMCOPY interface 
and directly invoke IEBCOPY.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Cameron Conacher
Sent: 03 March 2023 20:27
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: One more REXX Question

Thanks for the suggestion.
That did not work either,

…….Cameron

From: IBM Mainframe Discussion List  On Behalf Of 
Itschak Mugzach
Sent: Friday, March 3, 2023 11:35 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [External] Re: One more REXX Question

So try isplog do ddname=syspront

בתאריך יום ו׳, 3 במרץ 2023 ב-17:29 מאת Cameron Conacher <
03cfc59146bb-dmarc-requ...@listserv.ua.edu>:

> Hello Lance,
> I allocated a dataset and then included my new dataset name with the 
> DD statement ISPLOG (DISP=MOD), but IEBCOPY still generates its own 
> files and nothing is written to the ISPLOG file specified by the DD statement.
>
>
> Thanks
>
> …….Cameron
>
> From: IBM Mainframe Discussion List 
> mailto:IBM-MAIN@LISTSERV.UA.EDU>> On Behalf 
> Of Lionel B. Dyck
> Sent: Friday, March 3, 2023 10:13 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: [External] Re: One more REXX Question
>
> Just alloc dd ISPLOG to the dataset you want with a DISP=MOD
>
> That should do it
>
>
> Lionel B. Dyck <><
> Website: 
> https://www.lbdsoftware.com 8037/https:/www.lbdsoftware.com>< 
> https://isolate.menlosecurity.com/1/3735928037/https:/www.lbdsoftware.
> com>
> Github: 
> https://github.com/lbdyck 37/https:/github.com/lbdyck>< 
> https://isolate.menlosecurity.com/1/3735928037/https:/github.com/lbdyc
> k>
>
> “Worry more about your character than your reputation. Character is 
> what you are, reputation merely what others think you are.” - - - John 
> Wooden
>
> -Original Message-
> From: IBM Mainframe Discussion List 
> mailto:IBM-MAIN@LISTSERV.UA.EDU> IBM-MAIN@LISTSERV.UA.EDU>> On Behalf 
> Of Cameron Conacher
> Sent: Friday, March 3, 2023 9:04 AM
> To: 
> IBM-MAIN@LISTSERV.UA.EDU a...@listserv.ua.edu>
> Subject: Re: One more REXX Question
>
> Hello Lionel,
> I am assuming that dataset LBDYCK.SPFLOG1.LIST contain the IEBCOPY 
> output log information?
> And that this file was automatically allocated when your Batch JOB ran.
> (You did not pre-allocate before running the JOB).
>
> I want to try to use my own dataset name for this.
> Something like:
> CAMERON.SPFLOG1.LIST
> With DISP=MOD.
>
> But I do not understand how I can introduce this file so that when 
> LMCOPY invokes IEBCOPY, IEBCOPY will write its log data there.
>
> I am running the REXX JOB in Batch (like you).
> I have tried assigning my own dataset names for SYSOUT, SYSPRINT and 
> SYSTSPRT.
> But none catch any of the IEBCOPY output log data.
> And the other files are automatically generated for the JOB, every 
> time I issue an LMCOPY command.
>
> I will try to find something in the Google Group for ISPF.
> If I find anything I will share.
>
> Thanks
>
> …….Cameron
>
> From: IBM Mainframe Discussion List 
> mailto:IBM-MAIN@LISTSERV.UA.EDU> IBM-MAIN@LISTSERV.UA.EDU>> On Behalf 
> Of Lionel B. Dyck
> Sent: Friday, March 3, 2023 9:22 AM
> To: 
> IBM-MAIN@LISTSERV.UA.EDU a...@listserv.ua.edu>
> Subject: [External] Re: One more REXX Question
>
> In my simple test I don't see any sysout.
>
> in = 'lbdyck.test.pds'
> out = 'lbdyck.test.pdse'
> Address ISPexec
> "lminit dataid(indd1) dataset('"in"')"
> "lminit dataid(outdd1) dataset('"out"')"
> "lmcopy fromid("indd1") todataid("outdd1")" ,
> "frommem(a*) replace"
> "lmcopy fromid("indd1") todataid("outdd1")" ,
> "frommem(b*) replace"
> "lmfree dataid("indd1")"
> "lmfree dataid("outdd1")"
>
>
> What I see in the batch execution is this:
>
> ispf cmd(%tlmcopy)
> LBDYCK.SPFLOG1.LIST has been kept.
> READY
>
> But no other sysout datasets.
>
> Lionel B. Dyck <><
> Website: 
> https://www.lbdsoftware.com 8037/https:/www.lbdsoftware.com>< 
> https://isolate.menlosecurity.com/1/3735928037/https:/www.lbdsoftware.
> com
> ><
> https://isolate.menlosecurity.com/1/3735928037/https:/www.lbdsoftware.
> com>
> Github: 
> https://github.com/lbdyck 37/https:/github.com/lbdyck>< 
> https://isolate.menlosecurity.com/1/3735928037/https:/github.com/lbdyc
> k>< bdyck%3e%3c> 
> https://isolate.menlosecurity.com/1/3735928037/https:/github.com/lbdyc
> k>
>
> “Worry more about your character than your reputation. Character is 
> what you are, reputation merely what others think you are.”

Re: DATASET encryption POC

[Lennie Dymoke-Bradshaw]

I think you have switched forums Phil.
This stream started on RACF-L
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Phil Smith III
Sent: 01 March 2023 21:48
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: DATASET encryption POC

Eric D Rossman wrote, in part:
>Not really. Can you give me a reasonable use case where having the 
>encrypted data would be of ANY use to you? There is nothing to 
>compare/correlate. Since the data is (maybe compressed) and encrypted, 
>there is nothing to look at other than the length of a given record.

At a minimum, the ability to copy/compare data sets. If protection was at a
record level, it would be more useful. But I agree it'd be a fairly small
benefit here.

Again, though, that wasn't my full point: it'd be harmless at worst (and
provide the benefits I listed) at least; the problem, as I said, is that
it's been oversold as "Now you're protected from attacks" when you aren't.
That isn't your fault, it's a marketing/presentation thing.

>That is exactly the case we were trying to protect against: a 
>misconfigured system. Someone who has access to open the data set 
>should also have access to the key protecting it. If they do not, that 
>is a misconfiguration and one that we explicit explain how to avoid in 
>the red book.

OK, I guess.though I'd give the customer the option. And access is already
controlled by SAF; the point I was making is that in terms of access *on the
system*, the encryption doesn't provide any real protection against anything
except the two use cases I described. Put another way: in terms of access
*on the system* (and, again, besides storage admins) just adding a second
SAF profile to protect the data set - "This is an important data set, so you
need not only access to it implicitly as part of the DATASET class, but also
via a second profile in the VIP class" - the result would be the same.

>I disagree here as well. We're not merely trying to protect it from the 
>same things that SAF access protects it from. We are really protecting 
>it from the storage admins (i.e. on DASD as well as on the wire).
>Security is a layered approach.

Right, I said that. That's one of the two things it DOES provide protection
from. But that's not an attack vector people commonly worry about in my
experience.

>A.k.a. a layered approach. DASD encryption, data set encryption, and 
>format-preserving encryption are all pieces of the puzzle. Each 
>protects from a different attack vector. There are use cases where data 
>set encryption is the right solution and others where field-level FPE 
>is and others where both are good together.

I don't disagree-again, however, people are sold on "We encrypted something,
now we're protected!" and I think that's doing a disservice to the
customers. And cases where data set encryption alone provides real
protection seem to be pretty few and far between.

>Oh, by the way, ICSF provides FPE which fits beautifully into this.

ICSF provides Visa FPE, which is malleable and thus only usable if you use a
different key for each element. That's a very significant limitation that
makes Visa FPE not really very useful, since it breaks referential
integrity. FF1 is NIST-standard, not malleable, better. The doc I've seen
about FPE through ICSF also doesn't make this very clear, which concerns me:
it's too easy for people to miss it and wind up with protection that's
trivially breakable.

Just to reiterate: whole-data set encryption isn't a Bad Thing, it just sort
of becomes one when people get fooled into thinking it solves their
encryption needs, when it really does only a tiny part of that. That leaves
a bad taste in my mouth, so I'm probably overly negative about it as a
result: it's clearly at least somewhat useful as an adjunct.

Cheers,
...phsiii


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Hardware instrumentation presentation

[Lennie Dymoke-Bradshaw]

I recommend you speak to Martin Packer at IBM.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Colin Paice
Sent: 01 March 2023 18:00
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Hardware instrumentation presentation

I've been asked to give a talk on performance to a University Computing 
department.

I know the z hardware has in builtin instrumentation which allows you to see 
where the delays were for a particular instruction.  For example this load 
instruction got data from the L3 cache and it took x nano seconds.

Is there a presentation on this?

I remember seeing a presentation (it may have been IBM confidential) showing 
that a Load could be slow, if the data was in a the cache in a book
3 ft away, compared to it being in the cache on the chip.
Also the second time round a loop is faster than the first time because the 
instructions are in the instruction cache.

This was all mind blowing stuff!

Colin

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Need advice: rexx calling authorized asmblr w/mult parms

[Lennie Dymoke-Bradshaw]

In order to do this you can use the TSO service facility. Look at Chapter 23
of the manual z/OS 2.5 TSO/E Programming Services.
Or look at this URL.
https://www.ibm.com/docs/en/zos/2.5.0?topic=services-using-tsoe-service-faci
lity-ikjeftsr 
To do what you need you will probably have to update your IKJTSOxx member. I
suggest you should use the AUTHTSF section to place your program there. 
Please note that you will need to code your assembler program carefully to
be use that it does not introduce an integrity exposure. (As an example,
IDCAMS should not be placed within the AUTHTSF section as it allows the
passing of addresses of exit points in its parameter list.)

Lennie Dymoke-Bradshaw
https://rsclweb.com 
'Dance like no one is watching. Encrypt like everyone is.'

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Mike Hochee
Sent: 16 February 2023 06:46
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Need advice: rexx calling authorized asmblr w/mult parms

Looking for some advice on the simplest way to call an authorized assembler
program from a non-compiled Rexx program under TSO/E in batch, with the
requirement that multiple updatable parameters will be passed. Updating
IKJTSOnn and APF authorizing whatever is not a problem.  At issue seems to
be the following...

The ADDRESS TSO CALL command appears to support only a single non-updatable
parameter string, but does support calling an authorized assembler program.
The LINKMVS, LINKPGM, ATTACHMVS and ATTACHPGM host command environments all
appear to support the passing of multiple updatable parameters, but the Rexx
Reference doc I've been reading in section 'Host Command Environments for
Linking to and Attaching Programs', states that these command environments
are all used to link/attach to... unauthorized programs.

Is there a way to satisfy both requirements using the LINK* or ATTACH*
command environments or should I be looking at System Rexx or IKJEFTSR or
something else?  (I would prefer not to setup System Rexx if there's a
reasonable alternative)

Thanks much,
Mike



--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Question on use of LPARNAME, SYSNAME and SMFID

[Lennie Dymoke-Bradshaw]

Interesting. 
I remember the SMFid being around on MVS 3.7 and 3.8. The Sysname (CVTSNAME)
became more important with the advent of Sysplex so I probably remember
using it from then. Wikipedia has MVS/SP dated as 1980. It was preceded by
MVS/SE and before that by MVS 3.8. I don't think I used MVS/SP until
1982ish. 

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Peter Relson
Sent: 14 February 2023 01:34
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Question on use of LPARNAME, SYSNAME and SMFID

>I think the SMFID is older than SYSNAME. I think SYSNAME dates from the
late 80s or 90s, whereas SMFID was in the early versions of MVS.

System symbols are only 30 years old, but system name (via CVTSNAME) has
existed since at least MVS/SP1.3 (no later than 1977).
SMF ID (SMCASID) appears to predate even that.

It remains the case that, of the three items in the subject, only &SYSNAME
is defined as a system symbol by z/OS.

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Question on use of LPARNAME, SYSNAME and SMFID

[Lennie Dymoke-Bradshaw]

I think the SMFID is older than SYSNAME. I think SYSNAME dates from the late 
80s or 90s, whereas SMFID was in the early versions of MVS.
Lennie Dymoke-Bradshaw



-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Rob 
Schramm
Sent: 11 February 2023 20:01
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Question on use of LPARNAME, SYSNAME and SMFID

oh.. on that I agree.  I have always thought that it was silly to have a 
sysname that didn't match or in some cases is related to in any way the 
SMFID... but I see it alot.

I would love a reason from someone that kept sysname <> smfid.

Rob

On Sat, Feb 11, 2023 at 2:44 PM Radoslaw Skorupka < 
0471ebeac275-dmarc-requ...@listserv.ua.edu> wrote:

> As far as I understand the question is "what is the difference between 
> SMF ID and SYSNAME".
> Or rather "Why on Earth have two identifiers, while there is always 
> 1:1 correlation".
> I agree, I see no reason to have SMF ID and sysname independent.
> Among meny identifiers I can explain the purpose of JES2 NODE name, 
> MAS member name, LPAR name, TCPIP hostname, sysplex name, etc.
> However I would like to know the reason if it exist.
>
> My €0.02
>
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>
>
>
> W dniu 10.02.2023 o 17:15, Matt Hogstrom pisze:
> > I’m doing some research involving historical SMF data.  It’s caused 
> > me
> to wonder how engineers use the &SYSNAME, &LPARNAME and &SMFID symbols.
> From what I can see is that in most instances they are the same.  
> LPARNAME appears to me to have little value in that if may or may not 
> have an affinity for a z/OS guest in terms of naming.
> >
> > &SMFID and &SYSNAME seem to generally correlate.  I’m curious if 
> > there
> are use cases where these are different and what the purpose might be?
> >
> > Appreciate any insight  / best parties that people are using.
> >
> > Matt Hogstrom
> > m...@hogstrom.org
> >
> > A generalist knows less and less about more and more till he knows
> nothing about everything
> > A specialist knows more and more about less and less till he knows
> everything about nothing
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACF - SDSF question

[Lennie Dymoke-Bradshaw]

Ed,

> We have NO discrete profiles, but we do have generic profiles with no 
> wildcard characters in them.

You can do that with profiles in the DATASET class but I don't think you can do 
it with general classes. 
There is no GENERIC parameter on the RDEFINE command. 
Or do you use some local code to achieve this?

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Ed 
Jaffe
Sent: 08 February 2023 02:32
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question

On 2/7/2023 5:14 PM, Seymour J Metz wrote:
> Generic is usually more useful, but you can certainly use specific profiles.

Even discrete profiles can be made generic by specifying GENERIC when created.

That's what we do here. We have NO discrete profiles, but we do have generic 
profiles with no wildcard characters in them.


-- 
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/



This e-mail message, including any attachments, appended messages and the
information contained therein, is for the sole use of the intended
recipient(s). If you are not an intended recipient or have otherwise
received this email message in error, any use, dissemination, distribution,
review, storage or copying of this e-mail message and the information
contained therein is strictly prohibited. If you are not an intended
recipient, please contact the sender by reply e-mail and destroy all copies
of this email message and do not otherwise utilize or retain this email
message or any or all of the information contained therein. Although this
email message and any attachments or appended messages are believed to be
free of any virus or other defect that might affect any computer system into
which it is received and opened, it is the responsibility of the recipient
to ensure that it is virus free and no responsibility is accepted by the
sender for any loss or damage arising in any way from its opening or use.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Rexx function STORAGE with weird behavior on Netview

[Lennie Dymoke-Bradshaw]

The Rexx Reference manual has this in the description of the STORAGE function.

"STORAGE returns length bytes of data from the specified address in storage. 
The address is a character
string containing the hexadecimal representation of the storage address from 
which data is retrieved."

So I think that specifying 10 to represent address X'10' is actually correct in 
this instance.
It is in my copy of IPLINFO, which works.

Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Paul Gorlinsky
Sent: 19 December 2022 13:52
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Rexx function STORAGE with weird behavior on Netview

If you are trying to get the cut the address is x10 not 10 try 16 instead of 
10… boundary issue if you use 10… 

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Can I get the true jobname in JCL

[Lennie Dymoke-Bradshaw]

Yes, but that's quite a new feature. Only about 25 years old.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Jay 
Maynard
Sent: 16 December 2022 16:32
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Can I get the true jobname in JCL

You can now put a JOB statement in an STC PROC?!

On Fri, Dec 16, 2022 at 10:10 AM Steve Smith  wrote:

> Well, I've only used the new &SYSJOBNM for batch jobs, as the old 
> &JOBNAME seems to work well for STCs.  However!  I found (in MVS 
> System Commands) the following description of the rabbit hole that is names 
> of STCs:
>
> The job name for a given started task can be assigned based on a 
> variety of
> > inputs. These inputs are examined in the following order, so that if 
> > item
> > #1 is not specified, item #2 is used. If neither #1 nor #2 is 
> > specified, then #3 is used, and so on.
> >
> >1. The job name specified in the JOBNAME= parameter of the START
> >command
> >
> >or
> >
> >The identifier specified on the START command.
> >2. The job name specified on the JOB JCL statement within the member.
> >3. The device number specified on the START command, or the device
> >number associated with the device type specified on the START 
> > command
> >
> >or
> >
> >The device number associated with the device type specified on the
> >START command.
> >4. The device number associated with the IEFRDER DD statement within
> >the member.
> >5. The member name.
> >
> > IBM® recommends that you use the JOBNAME parameter rather than an 
> > identifier. If you use the JOBNAME parameter, SMF records, messages, 
> > and automated programs can reflect or react to job status; 
> > identifiers can
> only
> > be viewed at a console.
> > Note: JOBNAME and identifier are mutually exclusive; you cannot 
> > specify both parameters on the START command.
> >
>
> Nothin's simple.  It would be interesting to see how all the options 
> affect both variables.
>
> sas
>
> On Fri, Dec 16, 2022 at 9:37 AM Colin Paice  wrote:
>
> > Wth
> > S OMPROUTE.OMP4 &SYSJOBNM gives OMROUTE S OMPROUTE,JOBNAME=OMP4 
> > gives OMP4
> >
> > I can live with this
> >
> > Colin
> >
> > On Fri, 16 Dec 2022 at 14:31, Colin Paice  wrote:
> >
> > > Thank you .. I'll raise some doc comments, as it is not well
> documented.
> > > It is only mentioned in the
> > > *what's changed in 2.3 *
> > > Colin
> > >
> > > On Fri, 16 Dec 2022 at 13:04, Steve Smith  wrote:
> > >
> > >> This was asked and answered before.  &SYSJOBNM
> > >>
> > >> sas
> > >>
> > >> On Fri, Dec 16, 2022 at 4:07 AM Colin Paice 
> > >> 
> > >> wrote:
> > >>
> > >> > If I start OMPROUTE.OMP1, or issue Start OMPROUTE,JOBNAME=OMP1, 
> > >> > can
> I
> > >> get
> > >> > the
> > >> > OMP1 as a JCL symbol so I can use it to pick up different
> > configuration
> > >> > members?
> > >> > I can crawl around the control blocks and create a symbol - but
> want a
> > >> > supported solution.
> > >> >
> > >> > If I use &JOBNAME I get JES2.
> > >> >
> > >> > Colin
> > >> >
> > >> >
> --
> > >> > For IBM-MAIN subscribe / signoff / archive access instructions, 
> > >> > send email to lists...@listserv.ua.edu with the message: INFO
> > IBM-MAIN
> > >> >
> > >>
> > >> -
> > >> - For IBM-MAIN subscribe / signoff / archive access 
> > >> instructions, send email to lists...@listserv.ua.edu with the 
> > >> message: INFO
> IBM-MAIN
> > >>
> > >
> >
> > 
> > -- For IBM-MAIN subscribe / signoff / archive access instructions, 
> > send email to lists...@listserv.ua.edu with the message: INFO 
> > IBM-MAIN
> >
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>


--
Jay Maynard

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACROUTE REQUEST=EXTRACT,TYPE=ENCRYPT,ENCRYPT=(,DES)

[Lennie Dymoke-Bradshaw]

True, but then the password would expire and the userid would be unusable. I 
should have mentioned this point in the design. But 30 years was quite a while 
back😊.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
ITschak Mugzach
Sent: 13 December 2022 21:26
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACROUTE REQUEST=EXTRACT,TYPE=ENCRYPT,ENCRYPT=(,DES)

You do not need a password to login if you are in supervisor mode, so trying to 
reverse engineering a password is a if that is the purpose)

On Tuesday, December 13, 2022, Lennie Dymoke-Bradshaw < 
032fff1be9b4-dmarc-requ...@listserv.ua.edu> wrote:

> I wrote code using doing over 30 years ago to automatically change 
> passwords. This was before the days of pass tickets and I needed one 
> piece of software to sign on as an IMS user to IMS. It needed a 
> password. So I coded an exit routine which would build a new password 
> using some randomisation algorithm and then encrypt it using the call 
> you mention.  I then extracted the existing password in encrypted form 
> and used a RACROUTE REQUEST=VERIFY with those old and new passwords and 
> specifying ENCRYPT=NO.
>
> This performed the logon and switched the password every time. No one 
> ever saw the password. I had retry logic for siuations wher the new 
> password was rejected for any reason.
> I think this method breaks under KDFAES passwords. Nowadays a pass 
> ticket would be a preferable method.
> Restoring a DES encrypted password requires 
> REQUEST=EXTRACT,TYPE=REPLACE I think, but I have never tried doing that.
>
> Lennie Dymoke-Bradshaw
> https://rsclweb.com
> 'Dance like no one is watching. Encrypt like everyone is.'
>
> -Original Message-
> From: IBM Mainframe Discussion List  On 
> Behalf Of Binyamin Dissen
> Sent: 13 December 2022 17:13
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: RACROUTE REQUEST=EXTRACT,TYPE=ENCRYPT,ENCRYPT=(,DES)
>
> The doc indicates that this request will return data that can be used 
> for authentication.
>
> Not clear to me how used (PASSWORD in REQUEST=VERIFY) .
>
> Also, do not understand how a DES encrypted password can be restored.
>
> Am I missing something obvious?
>
> I would think that TOKEN would be the way to go.
>
> --
> Binyamin Dissen  
> http://www.dissensoftware.com
>
> Director, Dissen Software, Bar & Grill - Israel
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>


--
ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Continuous Monitoring for 
z/OS, x/Linux & IBM I **| z/VM coming soon  *

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: RACROUTE REQUEST=EXTRACT,TYPE=ENCRYPT,ENCRYPT=(,DES)

[Lennie Dymoke-Bradshaw]

I wrote code using doing over 30 years ago to automatically change
passwords. This was before the days of pass tickets and I needed one piece
of software to sign on as an IMS user to IMS. It needed a password. So I
coded an exit routine which would build a new password using some
randomisation algorithm and then encrypt it using the call you mention.  I
then extracted the existing password in encrypted form and used a RACROUTE
REQUEST=VERIFY with those old and new passwords and specifying ENCRYPT=NO.

This performed the logon and switched the password every time. No one ever
saw the password. I had retry logic for siuations wher the new password was
rejected for any reason. 
I think this method breaks under KDFAES passwords. Nowadays a pass ticket
would be a preferable method.
Restoring a DES encrypted password requires REQUEST=EXTRACT,TYPE=REPLACE I
think, but I have never tried doing that.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
'Dance like no one is watching. Encrypt like everyone is.'

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Binyamin Dissen
Sent: 13 December 2022 17:13
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: RACROUTE REQUEST=EXTRACT,TYPE=ENCRYPT,ENCRYPT=(,DES)

The doc indicates that this request will return data that can be used for
authentication.

Not clear to me how used (PASSWORD in REQUEST=VERIFY) .

Also, do not understand how a DES encrypted password can be restored.

Am I missing something obvious?

I would think that TOKEN would be the way to go.

--
Binyamin Dissen  http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Computers

[Lennie Dymoke-Bradshaw]

My recollection is that it didn't really become a viable alternative to SVS
until MVS 3.7. Soon after was MVS 3.8 and then IBM embarked on a series of
other versions and designations, starting, I think, with MVS SE1 later
renamed to MVS SE1.1
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Seymour J Metz
Sent: 02 December 2022 16:13
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Computers

Presumably OS/VS2 Release 3, the second release of MVS. The MVS releases of
OS/VS2 ran from 2.0 to 3.8, with a bunch of optional selectable units ("By
the pricking of my thumb, SU 7 this way comes.")


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of
David Spiegel [0468385049d1-dmarc-requ...@listserv.ua.edu]
Sent: Friday, December 2, 2022 6:41 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Computers

Hi Leonard,
You said: "... That computer center had MVS 3.0 running in the mid 1970s.
..."
Is "MVS 3.0" a typo? (I do not recall ever hearing of MVS 3.0.)

Thanks and regards,
David

On 2022-12-02 02:15, Leonard D Woren wrote:
> Bill Hitefield wrote on 11/30/2022 10:39 AM:
>> In college we had an IBM 1130 in the computer lab. Those of us 
>> working in the lab discovered an AM radio placed near the console 
>> switches made odd noises when you ran Fortran programs and set the 
>> radio to a specific "station". Further investigation revealed you 
>> could change the tone of the noise by using the "e to the x" function 
>> and varying the value of "x". Our goal in life then became to play 
>> "Smoke on the Water" using that radio. The temp wasn't too great, but 
>> you could recognize the main riff!
>>
>> Bill Hitefield
>> Dino-Software Corporation
>> 800.480.DINO
>> https://nam11.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.
>> dino-software.com%2F&data=05%7C01%7Csmetz3%40gmu.edu%7Cdee8b1d5fb
>> 404060d1ff08dad45a3d7e%7C9e857255df574c47a0c00546460380cb%7C0%7C0%7C6
>> 38055781337271398%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjo
>> iV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5V1
>> okCO5Sk%2BgqFt9zdA1nb32gMtrWUmTxIJQrHQmq8w%3D&reserved=0
>>
>>
>
> I don't remember it very well, but I think the same could be done to 
> some extent on some 360 models.
>
> In the mid-1970s, a college friend had a job as an off-hours computer 
> operator at RAND (amusingly, where that 1970 film was made).  He 
> wrote, and a musical friend tuned, a program which played music on a
> 2400 series tape drive by writing various length blocks -- the shorter 
> the repeated block, the higher the note.  I think one of their 2 songs 
> was Puff the Magic Dragon.  It was just hilarious to hear recognizable 
> music from a tape drive.  The program wore out tapes pretty quickly 
> though because all those short blocks were tough on the tape.  One 
> long channel program IIRC to keep the music from pausing when a 
> different job was dispatched.
>
> Footnote:  That computer center had MVS 3.0 running in the mid 1970s.
> It was the first time that I saw MVS with lots of new stuff compared 
> to MVT 21.  But no TSO -- they ran Wylbur.
>
>
> /Leonard
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: To share or not to share DASD

[Lennie Dymoke-Bradshaw]

If you were asking in a security context, I would advise against it in
nearly all cases.
Auditors will not like that a system's data can be accessed without
reference to the RACF (or ACF2, or TSS) system that is supposed to protect
it. 

Lennie Dymoke-Bradshaw

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Gord Neill
Sent: 24 November 2022 20:55
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: To share or not to share DASD

G'day all,
I've been having discussions with a small shop (single mainframe, 3 separate
LPARs, no Sysplex) regarding best practices for DASD sharing.  Their view is
to share all DASD volumes across their 3 LPARs (Prod/Dev/Test) so their
developers/sysprogs can get access to current datasets, but in order to do
that, they'll need to use GRS Ring or MIM with the associated overhead.  I
don't know of any other serialization products, and since this is not a
Sysplex environment, they can't use GRS Star.  I suggested the idea of no
GRS, keeping most DASD volumes isolated to each LPAR, with a "shared string"
available to all LPARs for copying datasets, but it was not well received.

Just curious as to how other shops are handling this.  TIA!


Gord Neill | Senior I/T Consultant | GlassHouse Systems




--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Crypto Express question

[Lennie Dymoke-Bradshaw]

Sorry if my comment was cryptic. As a supporter of mainframe systems in
general and having tried to promote the benefits of System z crypto over
many years I am sad that many companies do not take full advantage of it.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Frank Swarbrick
Sent: 30 October 2022 05:57
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Crypto Express question

Why "what a shame"?  They already do our crypto processing when we are
unavailable (stand-in), so having them do it all the time makes sense.
Plus. it eliminates all of the audits and security requirements around the
crypto keys, which I have long hated.

Anyway, thanks for the info.

From: IBM Mainframe Discussion List  on behalf of
Lennie Dymoke-Bradshaw <032fff1be9b4-dmarc-requ...@listserv.ua.edu>
Sent: Friday, October 28, 2022 5:31 PM
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: Crypto Express question

What a shame.

However, If you configure your Crypto Express as an accelerator rather than
a full processor then it will still work with SSL and TLS. The calls used by
SSL and TLS use clear key calls and so do not need the master keys. Master
keys are not used by accelerator mode. Running as an accelerator rather than
as a full processor makes those calls slightly faster as they use a shorter
path with the Crypto Express device.

So the short answer is that you do not need the master keys. Longer answer
is to configure as an accelerator for better performance of SSL and TLS.

Lennie Dymoke-Bradshaw
https://rsclweb.com
'Dance like no one is watching. Encrypt like everyone is.'

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Frank Swarbrick
Sent: 28 October 2022 17:59
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Crypto Express question

We are pushing our "host security module" processing off our mainframe back
to our card issuer processor, and I have a couple of questions.

If we use ICSF just for TLS and the like, does this still require the DES
and RSA keys to be loaded?  We already don't have AES or ECC master keys, so
I am thinking we wouldn't need DES or RSA keys either.  But someone who
should know seems to think we still need master keys, even if we're not
using it as a crypto coprocessor.

Other question is, can TLS encryption processes that use ICSF services work
at all if there is no crypto card at all?

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Crypto Express question

[Lennie Dymoke-Bradshaw]

What a shame.

However, If you configure your Crypto Express as an accelerator rather than
a full processor then it will still work with SSL and TLS. The calls used by
SSL and TLS use clear key calls and so do not need the master keys. Master
keys are not used by accelerator mode. Running as an accelerator rather than
as a full processor makes those calls slightly faster as they use a shorter
path with the Crypto Express device. 

So the short answer is that you do not need the master keys. Longer answer
is to configure as an accelerator for better performance of SSL and TLS.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
'Dance like no one is watching. Encrypt like everyone is.'

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Frank Swarbrick
Sent: 28 October 2022 17:59
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Crypto Express question

We are pushing our "host security module" processing off our mainframe back
to our card issuer processor, and I have a couple of questions.

If we use ICSF just for TLS and the like, does this still require the DES
and RSA keys to be loaded?  We already don't have AES or ECC master keys, so
I am thinking we wouldn't need DES or RSA keys either.  But someone who
should know seems to think we still need master keys, even if we're not
using it as a crypto coprocessor.

Other question is, can TLS encryption processes that use ICSF services work
at all if there is no crypto card at all?

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: CSNBENC rc=8 rsn=X'271C'

[Lennie Dymoke-Bradshaw]

It was Pierre's previous posts about replacing a password using ICHEINTY and 
R-admin.
Maybe I have mixed up two distinct issues.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Eric D Rossman
Sent: 12 October 2022 02:56
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: CSNBENC rc=8 rsn=X'271C'

What gave you the impression that this was related to KDFAES?

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Lennie Dymoke-Bradshaw
Sent: Tuesday, October 11, 2022 6:34 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: CSNBENC rc=8 rsn=X'271C'

Pierre,

I think you need to understand that KDFAES is not just basic AES encryption. 
There are other parts of the process designed to slow down dictionary attacks.

https://www.ibm.com/docs/en/zos/2.5.0?topic=des-racf-kdfaes-algorithm

Lennie Dymoke-Bradshaw
‘Dance like no one is watching. Encrypt like everyone is.’


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Pierre Fichaud
Sent: 11 October 2022 20:32
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: CSNBENC rc=8 rsn=X'271C'

I used the ICSF panels.
I'll switch to CSNBSAE call.
Thanks, Pierre.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN