Re: Code to verify LOGON password
Radoslaw Skorupka wrote:
>That's what we call brute force attack.
>There is no way to protect against it ...or maybe there are some
>things to help.
>1. Do not give your RACF db to hackers. Never.
>2. Enforce periodic password change.
>3. Use KDFAES.
>4. Use passphrases.

Here are some more examples for your list:

5. Don't grant overly generous permissions. Revoke permissions faithfully and promptly when required.

6. IBM Z Multi-Factor Authentication.

7. Use excellent data access management and Security Information and Event Management (SIEM) solutions.

8. "Stay sharp." Invest in talented security professionals, including in their ongoing skills development. Hire other talented security people to conduct periodic audits.

9. Stay at least reasonably current with software releases, including z/OS releases. Have and follow a reasonable preventive maintenance plan, including for security and integrity updates.

10. Use strong, properly implemented network encryption so that credentials aren't flying across any LAN or WAN in cleartext. z/OS Encryption Readiness Technology (zERT), a standard feature included with the base z/OS operating system starting with z/OS 2.3, can help identify gaps.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Anyone using IBM Cloud Tape Connector?
Brian Westerman asks:
>Is anyone using IBM's Cloud Tape Connector product that can tell me
>about the software requirements for it? Is it just the product that
>needs to be licensed under z/OS, or do you need to license so "other"
>stuff as well?

I can answer the licensing questions unofficially, i.e. based on my best understanding. In the hopefully unlikely event IBM officially communicates something at odds with what I'm writing, of course that'd be controlling.

IBM Cloud Tape Connector for z/OS does not have any particular software product prerequisites or co-requisites except the base z/OS operating system. Reference:

https://www.ibm.com/support/knowledgecenter/en/SS6GQC_2.1.0/concepts/cuzucon_requirements.html

As a practical matter you'll need a SAF-compatible security manager. The z/OS Security Server (RACF) is my favorite, but there are at least three choices.

You're highly likely to need some cloud object storage targets, on and/or off premises, which may have their own licensing or subscription requirements. However, there are sometimes free tiers available. IBM Cloud Object Storage, for example, offers a free "Lite" tier that could serve as a test target at least.

https://www.ibm.com/cloud/object-storage/pricing

You can license IBM Cloud Tape Connector for z/OS either separately (IBM Program No. 5698-ABM) or as part of the IBM Advanced Storage Management Suite for z/OS (5698-AAJ). License quantities are based on Value Unit Exhibit 007 (VUE007). It's z/OS-based subcapacity licensing eligible, including Tailored Fit Pricing eligible. On/Off Capacity On Demand (CoD) licensing is also available.

If you'd like me to elaborate on any of these parts, just ask.
Re: Code to verify LOGON password
Sam Golob asked:
>Does anyone have user-written code for RACF, so that if the user
>types in a password, the code will verify if it is the user's actual
>LOGON password?

Here's a pedantic point: RACF doesn't actually know what the user's password is -- thank goodness. RACF can only determine whether a particular password or passphrase string mathematically corresponds to the hashed value (derived from previous input) that RACF stores. True, good hashing functions minimize collisions, and RACF uses good hashing functions.

I echo the other poster's cautions.
Re: ZFS using zEDC hardware compression
Richard Pinion asked:
>Can a ZFS dataset be defined with the DATACLAS zEDC compression
>option?

Then later added:
>We're at z/OS 2.2, hoping to go to 2.4 soon, so zfsadm compress
>isn't available.

IBM introduced zEDC compression (and encryption) for zFS in z/OS 2.3. When you get upgraded to at least z/OS 2.3, including for all shared zFSes across a Sysplex, your new zFS file systems can default to compression at format time, still with the possibility to override the default. Here's the z/OS 2.4 documentation explaining how to do that via the IOEFSPRM configuration option:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.ioea700/compress_always.htm

If you can default to encrypted as well (format_encryption=on), even better.
Re: SMC-D connectivity between a z/OS LPAR and a z/VM guest running Linux?
Attila Fogarasi:
>Do you have a specific problem or question? Remember that SMC-D is TCP
>only, so you still need Hipersockets for UDP.

Or something else that can (also) handle UDP I suppose, but a HiperSocket connection is a popular pairing.
Re: Security and z/OS open source tools
Frank Swarbrick wrote:
>He came back with the following: "My question is how do
>we approve, track and secure the open source code we are
>putting on z/OS?"

The basic answer: how do we approve, track and secure the [open source](*) code we put on other operating systems? The other code(*) we put on z/OS? Probably we should do much the same, at least to the extent it's sensible and reasonable.

As it happens, the base z/OS operating system includes quite a bit of open source code.

(*) Does it matter that it's open source? Aren't approving, tracking, and securing objectives common to all code?
Re: Preparing for a short z/OS contract
Rupert Reynolds wrote:
>Thinking further, I now remember that their only debugger was TSO TEST! I
>wrote a mixture of Rexx and CLIST commands to extend it a bit (show regs
>and disassemble the next instruction, every breakpoint).
>
>Is there anything more /modern/ that's given away with z/OS?

Steve Thompson wrote:
>TSO TEST is all that comes free with the system.

z/OS also includes dbx, described here (z/OS 2.4 link, subject to change, watch the wrap):

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.bpxa500/bpxa50021.htm

The very first release of OS/390 (generally available on March 29, 1996, per IBM Announcement Letter 296-018) included an earlier version of dbx, so dbx will very soon reach a full quarter century of history in the base operating system. dbx also had a short, earlier history as a separately chargeable OpenEdition MVS option ("OpenEdition Debugger feature"). Do try to keep up, please. :-)

According to Wikipedia, dbx's original developer was Mark Linton at the University of California, Berkeley. He wrote dbx in the period 1981 to 1984, and then it percolated through the BSD ecosystem. TSO TEST first appeared no later than 1972, so dbx is about a decade younger. Whether dbx is more "modern" is a separate question. :-)

Another debugger, IBM z/OS Debugger, is the successor to the IBM Integrated Debugger and IBM Debug Tool. There are lots of IBM software products that include IBM z/OS Debugger -- 6 if I'm counting correctly -- so it's possible or even likely you already have a license. Of course if you don't have a license it's possible to acquire one.
Re: Improve OMVS cp performance?
Mike Schwab wrote:
>You have to remember that S/360 was the first 8 bit computer.
>[]
>Sorry. First computer to use 8 bits per character.

I see others have cited the IBM 7030 and Telefunken TR 4 as examples of early computers that used (or at least were explicitly engineered to use) 8 bit character encoding. However, as far as I can tell both of those machines were word addressable machines, and their word sizes were different and much larger than their character sizes.

Was there any pre-System/360 example of a computer that stored characters in 8 bits *and* offered 8 bit memory addressing? (Or 6 and 6, or 7 and 7?)

For that matter, are there any still extant digital computer processors that (only) have word addressable memory and don't have 8 bit byte addressable memory? History evidently judges that particular System/360 design decision as wise or at least not unwise.
Re: Checksum/Md5 file
Paul Gilmartin wrote:
>I thought I was being disingenuous after Bill Godfrey's plaint,
>"just a sandbox". But why is there RACF entanglement?

I'm not sure what you're referring to exactly, but you can certainly run ICSF without RACF. You can also license base z/OS (which includes ICSF) without the z/OS Security Server (which includes RACF) if you wish. I think RACF requires ICSF, or at least often could, but ICSF does not require RACF.

>Accommodation to French law which (formerly?) harshly prohibits
>encryption? (I suspect ROT13 is proscribed.) How does that law
>accommodate HTTPS?

I'm by no means an expert on French law. However, it took me about 30 seconds to figure out that France liberalized encryption-related law in 2004.

>Are there C header files for APIs to these?

Yes, ICSF offers C interfaces. One option is to use the CKM_MD5 message digesting function via ICSF's PKCS #11 interface. Here's an entry point into the applicable documentation (current link for z/OS 2.4, subject to change):

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.csfba00/capi.htm
Re: Checksum/Md5 file
Paul Gilmartin asked:
>(But is ICSF separately priced with no provision for free trial?)

No. The z/OS Integrated Cryptographic Service Facility (ICSF) is part of the z/OS Cryptographic Services, a base element of the z/OS operating system. There's no additional charge for ICSF; it's included with your z/OS base operating system license.

References:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.e0zb100/baseel.htm
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.4.0/com.ibm.zos.v2r4.csf/csf.htm
"Awesome Free Stuff for Your Mainframe" on 2020-10-16 at 04:00 UTC
You're most welcome to join the "Awesome Free Stuff for Your Mainframe" Webcast that I'm hosting live at 04:00 UTC (12 noon Singapore Time) on Friday, October 16, 2020. To join the party, please register here:

https://bit.ly/35JtcoA

If this time is impossible because you'll be asleep or otherwise occupied, that's OK. My understanding is that if you register you should still receive a link to view a recording.

There are a couple people on this list who are directly participating in this Webcast, and I'd especially like to thank you along with the many contributors. We'll have some light, quick demonstrations of various freebies, and I'll also open the floor to live audience questions (typed via a chat box).

It was more difficult than I expected to choose the freebies to highlight since there's so much great stuff. However, I think I've come up with a reasonably broad and now current freebies list, and I'll publish it shortly before the Webcast at the IBM Z and LinuxONE Community Web site.

Thanks again.
Re: Working link for current 3270 Data Stream
Shmuel Metz asked:
>Will wiki accept BookManager format as accessible?

Wikipedia's citations guide explains how you can cite practically anything, including (for example) a parchment document that only exists in physical form in a rare book library. Here's the link again for your reference:

https://en.wikipedia.org/wiki/Wikipedia:Citing_sources

Most probably you would use the book citation template with the type, format, and a few other parameters. The type parameter would likely be IBM BookManager electronic document, and the format parameter would be BOO. Details are available here:

https://en.wikipedia.org/wiki/Template:Cite_book
https://en.wikipedia.org/wiki/Template:Cite_book/TemplateData

The sum total of human knowledge consists of more than what exists in HTML and PDF. Wikipedia's citation standards reflect this reality.
Re: Working link for current 3270 Data Stream
Shmuel Metz wrote:
>I need something that I can use as a citation on wiki;
>either a link that renders the manual or a link that
>downloads the PDF.

If you mean Wikipedia, I don't think you do. There are generally accepted and approved ways to cite the IBM publication number (and section and/or page number reference, for example) then include a link to the site to obtain that publication. Wikipedia explains its citation policies and practices here:

https://en.wikipedia.org/wiki/Wikipedia:Citing_sources

Joe Monk provided the link to the specific IBM Web page where you can download that publication in BookManager format. In a Wikipedia-style citation you would likely note that detail, assuming you test it. ("IBM BookManager electronic publication format, retrieved and viewed with IBM Softcopy Reader on date-X.")

BookManager has a Wikipedia entry available for linking here:

https://en.wikipedia.org/wiki/SCRIPT_(markup)#Bookmanager

And IBM Softcopy Reader has an external link here:

http://www-01.ibm.com/support/docview.wss?rs=4=swg27018849
Re: Ransoming a mainframe disk farm
kekronbekron wrote:
>Thank you Tim, would you be able to share any info about #2
>here.. ?

Yes, let's start with this important announcement:

https://www.ibm.com/downloads/cas/US-ENUS220-037-CA/name/US-ENUS220-037-CA.PDF
Re: Ransoming a mainframe disk farm
Kekronbekron wrote:
>Thinking about it ... it would be far simpler (than anti-ransomware
>capability in storage, or lock-all behaviour) if there were a RACF
>HealthChecker that looks for abnormal enc/dec activity. What 'normal'
>is can be learnt from a year's worth of actual enc/dec-related SMF
>data.

There are tools with capabilities like the ones you're describing.

I have a couple comments:

1. There are some excellent ransomware (and similar non-ransomware disaster scenario) defenses available based on "out of band" controls and lockouts. IBM DS8000 SafeGuarded Copy is one such example, a really important one that's the foundation for some other valuable resiliency capabilities. However, I have worked with some organizations that still (also) want to maintain total physical and electronic (wired, wireless) separation for certain data. You can achieve total separation in a few ways, such as physical tape cartridges (usually WORM, preferably encrypted) ejected from tape libraries and vaulted "afar." Of course the costs include elongated Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs), but in some cases the costs are tolerable or at least tolerated.

You cannot really keep data completely, absolutely separate if you care about retrieving it. You can only maintain separation with at least one adjective added, such as "physically and electronically separate storage media," which is not the same as "storage media separated from all possible human contact." The Voyager space probes, I think it's fair to say, will "never" be vulnerable to human contact. They contain tape drives and tape media, and they are currently electronically connected via NASA's Deep Space Network.

Anyway, it depends on what you're trying to accomplish, but lots of options are available, not necessarily mutually exclusive.

2. If you need secure software build and deployment processes (yes, you do), I suggest contacting my employer. IBM has some super exciting new capabilities in this area, very cutting edge. They're grounded in mainframe technologies, whether in your data center, in the public cloud, or both. Mainframes often pioneer new capabilities that didn't exist in the entire industry. Here, too, that's what's happening.

Ransomware is one clearcut demonstration that it doesn't particularly matter how terrific your data-focused defenses are if you have compromised applications, for it's applications -- program code -- that process(es) data. So you've got to approach security challenges holistically.
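
The baseline idea in the quoted text above (learn what normal enc/dec volume looks like from historical SMF data, then flag departures from it), as an added example that is not part of the original thread and not code from any IBM tool. It assumes hourly operation counts have already been summarised from SMF records; the field names, job names and all data are constructed for illustration.

```python
"""Baseline-and-flag check for encryption/decryption activity volumes.

All rows are CONSTRUCTED sample data standing in for hourly operation counts
already summarised from SMF records. The summarising step and the field
names (job, hour, ops) are assumptions, not an SMF record layout.
"""
from collections import defaultdict
from statistics import median


def build_baseline(history):
    """Return {(job, hour): (median, MAD)} learned from historical counts."""
    buckets = defaultdict(list)
    for row in history:
        buckets[(row["job"], row["hour"])].append(row["ops"])
    baseline = {}
    for key, counts in buckets.items():
        med = median(counts)
        mad = median([abs(c - med) for c in counts])
        baseline[key] = (med, mad)
    return baseline


def robust_z(baseline, row):
    """Deviation of one observation from its (job, hour) baseline.

    Returns None when the job has never been seen at that hour. The spread
    has a floor (10% of the median, at least 1) so a perfectly steady job
    (MAD == 0) does not turn every small wobble into an alert.
    """
    key = (row["job"], row["hour"])
    if key not in baseline:
        return None
    med, mad = baseline[key]
    spread = max(1.4826 * mad, 0.10 * med, 1.0)
    return (row["ops"] - med) / spread


def find_anomalies(baseline, observations, threshold=6.0):
    """List (job, hour, ops, reason) for observations worth a human look."""
    findings = []
    for row in observations:
        z = robust_z(baseline, row)
        if z is None:
            reason = "no-baseline"   # activity where none was ever recorded
        elif z > threshold:
            reason = "spike"         # volume far above the learned norm
        else:
            continue
        findings.append((row["job"], row["hour"], row["ops"], reason))
    return findings


def constructed_history(days=365):
    """One year of made-up hourly counts for two made-up batch jobs."""
    rows = []
    for day in range(days):
        rows.append({"job": "PAYROLL", "hour": 2, "ops": 1000 + (day % 7) * 10})
        rows.append({"job": "BACKUP1", "hour": 1, "ops": 50000 + (day * 37) % 500})
    return rows


# Constructed "today" observations: two ordinary, two that should be flagged.
TODAY = [
    {"job": "PAYROLL", "hour": 2, "ops": 1030},
    {"job": "BACKUP1", "hour": 1, "ops": 50200},
    {"job": "BACKUP1", "hour": 1, "ops": 900000},   # far above its usual volume
    {"job": "PAYROLL", "hour": 14, "ops": 400000},  # never ran at this hour before
]

if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(constructed_history()), TODAY):
        print(finding)
```

Median and MAD are used instead of mean and standard deviation so that a handful of unusual days in the training year do not widen the baseline.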
Re: TLS 1.3 in z/OS 2.3?
Dave Gibney wrote:
>Over on CICS-L, I was told that TLS 2.3 requires z/OS 2.4.
>Is this true? Any prospect of an implementing PTF?

To my knowledge TLS 1.3 support was not backported to z/OS 2.3 System SSL, and I'm not aware of any plans to do so. Of course you can ask:

https://www.ibm.com/developerworks/rfe/

Hypothetically you could run another software implementation of TLS 1.3 directly on z/OS 2.3 as a possible stopgap measure until you can upgrade to z/OS 2.4. For example, I think it might be possible to compile and run the Squid proxy server on z/OS if you're looking specifically for HTTPS with TLS 1.3. There are scattered reports, including one from IBM many years ago, that it's possible. Squid supports TLS 1.3 according to the documentation I found. The performance might not be wonderful, but it looks technically viable.

Squid's source code and documentation are available here:

http://www.squid-cache.org
Re: z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3
I don't think you're going to be able to "hack in" support for higher TLS levels. I think you've got a couple near-term options, not necessarily mutually exclusive:

A. Place one or a couple newer release CICS regions on the "front side" to handle the network connectivity, and connect them to your existing CICS TS 3.1 regions until you can get your CICS TS 3.1 regions upgraded. As I write this, CICS TS Version 5.6 is the latest generally available release, and it is compatible with your currently installed z/OS release. Broadly, generally speaking this means upgrading some or all of the CICS "Terminal Owning Regions" ("TORs") while leaving "Application Owning Regions" ("AORs") temporarily backlevel if you must. The exact details depend on your particular CICS deployment.

If you're using CICS's own TLS support, that's currently up to TLS 1.2. CICS TS Version 5.1 is the first CICS release that added TLS 1.1 and TLS 1.2, but I cannot think of any reason why you'd pick something prior to the current release in this role.

IBM ended Single Version Charge (SVC) restrictions in 2017, so there should be no additional charge to run both (or multiple) CICS releases as long as you need to. Check with "your friendly IBM representative" if there's any doubt.

B. Configure z/OS AT-TLS to handle the connections while CICS TS 3.1 blithely assumes that the connections are unencrypted. The documentation for newer CICS TS releases includes some information on migrating from CICS TLS to z/OS AT-TLS, and probably that information will be reasonably useful if you attempt the same with CICS TS 3.1.

Please note that z/OS 2.3 AT-TLS supports up to TLS 1.2. For TLS 1.3 you'll need z/OS 2.4 AT-TLS, and z/OS 2.4 AT-TLS is currently the only official/supported way to get TLS 1.3 with CICS TS. IBM's published benchmarks suggest that z/OS AT-TLS is slightly more efficient than CICS-configured TLS, but results may vary.
IBM Z Day: September 14-15, 2020
IBM is sponsoring a bigger and grander "IBM Z Day" this year, so big/grand that the live sessions are running for a full 24 hours of binge viewing in multiple tracks, so there's way more than 24 hours of live content to choose from. IBM Z Day is free, and for the first time there are some technical and discussion sessions conducted in languages other than English. If you're looking for a session in Italian, German, Spanish, Mandarin Chinese, Portuguese, Turkish, or Urdu, c'è almeno una sessione per Lei (there's at least one session for you).

Presenters and speakers are from various organizations, not just IBM. Examples include Canonical, Allstate, The Linux Foundation, Kredi Kayıt Bürosu, DATEV, Rocket Software, SUSE, Sogei S.P.A., Liber Health (Pakistan), Duke University, BMC, Singapore Management University, code.org, and many more.

IBM Z Day starts at 4:00 p.m. New York time (20:00 UTC) on September 14, 2020, with the "Master the Mainframe" and "Student Journey" tracks. Live sessions are scheduled throughout the 24 hour day beginning at that time.

For more information and to sign up, please visit:

https://www.ibm.com/community/z/community-day-2020/
New Redbook: "IBM z/OS Container Extensions Use Cases"
It's still in draft form at the moment:

http://www.redbooks.ibm.com/Redbooks.nsf/RedpieceAbstracts/sg248471.html
Re: Architectural Level Sets
IBM's brief flirtation with extended real addressing (26-bit addressing) in the IBM 3033, 3081, and a few models thereafter was quirky. IBM pretty quickly dropped extended real addressing once XA debuted.

Back to Tony's original question, I think an "Architectural Level Set" is difficult to define in practical terms because there are different real world ALSes. I suppose one could argue that there are effectively z/VM, Db2 for z/OS, z/OS, Linux, z/VSE, and compiler ALSes, as notable examples. For example, z/VM 7.2, planned for release this month (September, 2020), declared a new ALS which is manifested/instantiated in IBM z13 and higher models, including all IBM LinuxONE models. Red Hat Enterprise Linux 8.x and Ubuntu 20.04 LTS have the same minimum model requirements as z/VM 7.2, although I don't think Red Hat or Canonical use the ALS term of art.

ALS is not a meaningless term, though. It simply refers to a particular collection of minimum capabilities that can be technically manifested (in principle anyway) by particular server models at or above particular microcode levels. (Sometimes that last detail matters.) "Server models" can sometimes include non-physical ones. It's not a term I use very often, though.
Re: Dovetail/Kirk Wolf?
It's terrific that Dovetailed is making this offer, and it's terrific to have Tomcat available and supported on z/OS.

If the particular appeal of Tomcat is "it's free," you've got at least a couple alternatives that also are:

1. If you already have CICS Transaction Server Version 5.x, then you already have CICS Liberty at no additional charge, with IBM Support if you're running a supported CICS release. This "flavor" of Liberty features extensive z/OS and CICS exploitation which you can choose to use or not use, selectively.

2. If you don't already have CICS TS Version 5.x, you can still download and run Open Liberty on z/OS (and on other platforms):

https://openliberty.io

Open Liberty is explicitly, routinely IBM tested on z/OS, but it does not *particularly* exploit z/OS unique features. Open Liberty support is optionally available from IBM for a fee.

It depends on what you're trying to accomplish, really. For example, if you're a software vendor or distributor and need a Java Enterprise Edition runtime for your product, but if you cannot assume that your end customer has a CICS TS or WebSphere Application Server for z/OS license (or even z/OS necessarily), then shipping your product assuming an Open Liberty base, with the option to install it on CICS Liberty or WebSphere Liberty, is likely a really terrific approach all around. Or, if you specifically need or prefer Tomcat, OK, that option is available, too. Then Dovetailed has you covered if/when you need support. They don't live on bread alone, and bread is not free either.

I'll point out again that every z/OS licensee -- even the ones without RACF (the z/OS Security Server license) -- has the IBM Directory Server for z/OS. This is a fully IBM supported LDAP server, and one of its configurable features is that it supports authentication with your chosen SAF-enabled security manager. So if your Java application "speaks" LDAP, it can also automatically "speak" RACF (or ACF2 or TopSecret) via the IBM Directory Server for z/OS. That's regardless of runtime or even platform.

On the other hand, especially (but not only) if you want a directly SAF-enabled JEE runtime, it's really best to pay *someone* something for ongoing support, if you care about maintaining at least reasonable security anyway. Tomcat had a now well publicized security vulnerability that was open for about 13 years called "Ghostcat." That's not good, but it's really not good if you don't have a support vendor by your side to close such vulnerabilities promptly in your chosen environments.

Anyway, bottom line: keep Kirk (and Katherine, Karen, and Klaus) fed, OK? Support is worth paying for if you depend on the software, and you usually do.
Re: setting up CSSMTP to use TLS-SSL
Brian Westerman asked:
>So does this all mean that (currently) no one on the list
>uses TLS-SSL to forward their mail from CSSMTP to the
>target mail server?

I see "Yes, we use TLS" replies have overtaken this question. That said, I assume you wouldn't want and don't expect anyone in an open forum to confess to having an open, potential security exposure...that they're quickly closing right now.
Re: (yet another) problem with zcx container
Gord Tomlin wrote:
>AFAICT the sole reason for the (paid) hardware feature is to provide
>entitlement.
>My guess as to why they require this feature is that you can run a lot
>of FOSS products in zCX that offer similar function to IBM products.
>Unfettered free use of zCX could be very costly to IBM.

That's a bad guess.(*) To the extent you can do that, you can already (also) do that without zCX. Moreover, z/OS isn't Feature Code 0104's only beneficiary. For that matter, Feature Code 0104 ("Container Hosting Foundation") is also available for IBM LinuxONE II and LinuxONE III machines, and z/OS isn't.

(*) And backwards, ironically.
Re: Mainframe Multi factor authentication possibilities
Jared Hunter wrote:
>The goal of multi-factor authentication is to strengthen the link
>between a human being and the actions taken by a logical account
>(because a logical account is what the SAF-implementing ESM is
>capable of authorizing and auditing). Sharing a single (or few)
>logical accounts across many human beings is an anti-pattern that
>is incompatible with that goal.

I agree it's an anti-pattern, but occasionally anti-patterns are useful. One scenario that comes to mind is when the system (such as the ESM itself) must provide typically partial read-only access to a team of authorized auditors/inspectors, but the ESM (and the other people who manage it) must not have any awareness of precisely which auditor or inspector took a look lest that person be subject to possible retaliation for an adverse finding. Another, similar scenario is a reporting system that accepts anonymous but still controlled submissions, for whistleblowers to submit tips (sexual harassment and other improprieties, suspected fraud, etc.) In such cases you'd want to make sure the report comes from within an authorized community (e.g. "intelligence officers"), but ideally you don't want even any technical ability to trace it to a particular individual. Voting systems might also fall in this general category.

On the other hand, you might argue that these scenarios and others like them don't really involve 2FA or MFA as such, and you might be right. There still ought to be reasonable security solutions for these use cases.
Re: Mainframe Multi factor authentication possibilities
The first factor doesn't seem like it'd help distinguish between users since you're sharing it. What type of second factor(s) do you plan to use? - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Anyone Using MVS Bulk Data Transfer (File-to-File)?
Ed Jaffe wrote:
>I didn't specify whether I was referring to the BDT SNA/NJE function
>or the BDT File-to-File function.

Clark Morris wrote:
>I think that IBM dead ended and stopped support of the File-to-file
>and all other non-JES3 related functions at least 18 years ago.

Ed Jaffe wrote:
>That's the kind of information I'm looking for, but can find no
>announcement or other reference to suggest this product isn't
>anything but 100% fully supported and fully operational.

Skip Robinson wrote:
>We considered using BDT many moons ago. NDM was the hands-down winner.
>However, BDT still appear to be supported. Still required for JES3 SNA,
>I believe.

Ed and Skip are correct. In fact, the z/OS Bulk Data Transfer (BDT) products are not only IBM supported but also IBM marketed. No End of Service date, no End of Marketing date. The 2019 z/OS 2.4 announcement letter included the BDT products:

https://www.ibm.com/downloads/cas/US-ENUS219-344-CA/name/US-ENUS219-344-CA.PDF

Scroll down and you'll see BDT FTF (File-to-File) listed with the entitlement identifier S01728V and BDT SNA NJE with the entitlement identifier S01728W. That means they're available for ordering even to new z/OS licensees.

- - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: zCX Issues
You're probably getting that error message because Docker cannot validate the (public) TLS server certificate when trying to establish the HTTPS connection to your private registry. If that's the problem, to fix it you'll need to get the public server certificate, add it to your z/OS Container Extensions configuration (via the z/OSMF workflow), then restart your zCX instance(s). If I'm correct, just follow the instructions in the redbook: http://www.redbooks.ibm.com/redbooks/pdfs/sg248457.pdf The private registry section is Chapter 6. Refer to Section 6.5, and particularly page 122 step 2(b), for the z/OSMF steps. Also please take note of the note at the top of page 123. Much of the rest of Chapter 6 is also likely helpful. If you've tried all that already, please post a follow-up. You should also be able to open a problem incident (PMR) with IBM z/OS Support if you suspect a defect. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Name those boxes
For a real challenge, try figuring out the original manufacturer(s) and model(s) of the chair, desk, cabinet, and floor tiles. :-) - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: cURL and security
Luke Wilby wrote (aggregating previous posts):
>I'm wondering if anyone is using cURL on z/OS in a
>production setting?
>I'm interested how to utilise cURL when the target
>URL requires authentication.
>We can't use Basic Auth because we are not able to
>store usernames and password in scripts or batch jobs.
>We can't easily use certificates because our users on
>z/OS do not have certificates and our Windows based
>corporate certificate management doesn't allow users
>access to the private keys of their Windows certificates.
>The cURL targets require client authentication.
>The cURL targets live on z/OS (z/OS Connect, zOSMF, DB2,
>etc)
>The clients may be TSO users, batch jobs, Windows, Mac or
>Linux clients. The batch jobs may run under userids that
>do not have passwords.
>We cannot store passwords anywhere. No scripts, no files.
>Our z/OS users generally don't have certificates or keyrings.
>Our servers do (DB2, z/OS Connect, zOSMF, etc).
>My clients need to authenticate to the server. The server
>then needs to perform authorization checks.
>It's the authentication part that we need to sort out.
>Our company's internal certificate management is done on
>Windows. Our Windows clients have personal certificates,
>installed by our Windows team. They don't have access to
>the private keys.
>Our z/OS clients don't have certificates and even if they
>did, they would come from the Windows team and our clients
>wouldn't have access to the private keys to issue the cURL
>call.

David Crayford wrote:
>Use tokens
> https://developer.atlassian.com/cloud/jira/platform/basic-auth-for-rest-apis/

This suggestion makes a lot of sense, agreed. For example, the z/OS Connect Enterprise Edition documentation explains more about these options here:

https://www.ibm.com/support/knowledgecenter/SS4SVW_3.0.0/securing/security_overview.html

- - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Encrypting z/OS SNMP traps to Windows SNMP server
Attila Fogarasi wrote: >CA Common Services supports SNMPv3 with DES encryption and SHA-5 and >MD5 authentication, hopefully that works with your Solar Winds Orion >server. Even if the target server currently supports DES, I don't recommend this idea. It's entirely possible, even likely, that the next release update will disable support for DES. It'd be a very short-term solution at best. Are there any other encryption and hashing algorithms that CA Common Services SNMPv3 supports? For example, is it possible to configure CA Common Services to use whatever z/OS System SSL supports? - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Sending email from the Mainframe
Grant Taylor asks:
>What happens to email if CSSMTP (AT-TLS) is configured
>to *require* encryption and the receiving system doesn't
>support encryption?

Fundamentally the same thing(s) that happen when the network connection is down or too slow (times out), for whatever reasons. Network encryption is part and parcel of the network path. This class of failures must already be catered for.

In this case, Len Sasso's organization is mandating TLS 1.2+, and I agree with Shmuel Metz who wrote:
>If management has decreed that all SMTP traffic be encrypted,
>then barring a configuration error the relay will accept
>encrypted traffic.

Moreover, it's entirely possible that your attitude would only increase relay administrators' burdens, the people who currently have to manage, support, monitor, and audit the e-mail traffic from the one and only system still transmitting over an unencrypted connection, a connection modality they'd very much like to retire as quickly as possible. You know, that "old, obsolete mainframe" that you're actively arguing should actually be as old and obsolete as you can possibly force it to be. (TLS is *really* not new.) Or it's entirely possible that the relay administrators aren't inclined or equipped to provide even mediocre service levels for unencrypted connections, or even that there's a lone dedicated relay gathering dust in a wiring closet somewhere to support this one unencrypted connection, a relay that nobody left in the organization even understands or really knows about, that isn't backed up or DR protected, that still runs on a 10 Mbps Ethernet segment that miraculously hasn't been disconnected yet. Hence the unencrypted connection is MORE prone to failure, not less. All very possible, even predictable and likely. And I haven't even gotten to the regulatory issues and penalties.

Conceivably you could also reduce or eliminate your personal security authentication failure planning and handling (hopefully automated) responsibilities if you effectively disable your SAF security provider, such as RACF. Then those few pesky authentication and authorization rejections wouldn't occur, and everyone could just go to the pub and stay there (or whatever). That's the logical consequence of your argument, isn't it? I don't think you've got a strong argument.

Sorry to be blunt here, but I feel compelled to offer my personal view (as always). My colleagues (and I mean that word expansively, in and out of IBM) work really hard to deliver and support truly cutting edge capabilities, including downright amazing security capabilities, in/for this unique and indispensable platform. And this community, overall, often works really hard to put these capabilities into practice, in many cases literally to keep civilization functioning. Then there are a few people who manage a few of these systems, and...well, let's all strive to do better, OK?

[Why am I expecting a minor Twitter storm now? :-)]

- - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Sending email from the Mainframe
Grant Taylor wrote:
>That means that z/OS's CSSMTP will be near or on par with other SMTP
>servers and related problems securing SMTP traffic. Most of which have
>to do with the capabilities of the receiving SMTP server, which is
>outside of CSSMTP's control.

First of all, here's what Len Sasso wrote:
>All our messages must implement TLS 1.2 or higher for
>transport level encryption.

I don't know why you're questioning Len's expressed *requirement*. And (don't worry, Len!) it's a very, very reasonable requirement in the year 2020 and beyond. For that matter it was a reasonable requirement 20+ years ago, too.

Then there's this fact, which Lionel Dyck kindly pointed out:
>CSSMTP is a send only SMTP service - it does not receive anything.

Exactly. This is about getting TLS 1.2+ encryption enabled from z/OS at least as far as the next hop. CSSMTP alone doesn't provide a return mailbox.

According to Google's latest Transparency Report, available here:

https://transparencyreport.google.com/safer-email/overview?hl=en

93% of outgoing e-mail from Google and 94% of incoming e-mail to Google rode over TLS between April 24, 2020, and July 23, 2020. Google's e-mail services are heavily consumer-oriented ("How is piano practice going?"), and well over 90% of it is encrypted in flight. Len Sasso is dealing with an enterprise system, presumably. Maybe my cousin's medical insurance claim acknowledgment is being e-mailed, or maybe your loan application update is being e-mailed out to you. Does anyone seriously want to question Len's requirement? Or would it be at least as appropriate to question why you haven't enabled encryption for your SMTP and other network traffic, if you haven't?

It's very frustrating to me when even basic security precautions and practices are questioned like this. Get it turned on, please! It's quick, easy, and no additional charge. And have a look at the z/OS Encryption Readiness Tool ("zERT"), included with z/OS at no additional charge, to get visibility on where you still have gaps.

>If you configure z/OS's CSSMTP to /require/ encryption, TLS 1.2 or
>otherwise, and the receiving SMTP system doesn't offer it, the email
>will be stuck on z/OS.

That's an available configuration choice, that's correct, and that's exactly what *should* happen in myriad real world scenarios to avoid a potential or actual security breach.

>Do you really want to have someone perform regular postmaster duties on
>z/OS?

As Lionel patiently explained, this is about whether Len Sasso's requirement is satisfied, to encrypt e-mail traffic to the next hop. There are no postperson duties here, not with CSSMTP. These are basic network security duties, prudently practiced and respected for decades now.

But (hypothetically, off on your tangent) why not? It's an IMAP mailbox the postperson(s) monitor, presumably. The postperson probably isn't either configuring and administering a Kubernetes cluster or navigating ISPF screens. If the mailbox were hosted on z/OS (yes, it can be, with other software), what's the problem? I'm a little confused here. Isn't this IBM-MAIN? Is there something you wouldn't or don't like about providing more and more useful user services from z/OS?

>It might be better to send the email to another existing corporate
>SMTP server where someone is already handling the postmaster duties.

Yes, there's something else besides CSSMTP. OK, backing off that tangent.

>Simply enabling TLS on z/OS's CSSMTP is probably not sufficient to
>guarantee that the email transmission path to the next SMTP server will
>be encrypted.

It is if you configure AT-TLS to require it, which is par for the course really.

>Both the sending end (CSSMTP) and the receiving end (remote SMTP server)
>need to support encryption.

Yes, and as you can see from Google's Transparency Report TLS isn't a rare or exotic thing. (What year is this?)

>Most MTAs can be an encrypted client without their own TLS certificate.
>— Though a /client/ TLS certificate can be entertaining to use in place
>of username and password for authenticating the sending system to a relay.
>}:-)

Not merely "entertaining." It's one perfectly reasonable, prudent security measure to make spoofing more difficult.

>If the task at hand is to secure email, there are many ways
>to comply with the spirit -or- have acceptable risk between the
>mainframe and an SMTP server over a secure LAN in a secure data center.

Words fail me here.

>If you really want to adhere to the spirit, the email body contents
>should be encrypted. So that it doesn't matter nearly as much if the
>SMTP transmission path is encrypted or not. But that's another kettle
>of fish.

I agree it would be great to encrypt the e-mail body *also*, if possible. Two popular ways are PGP and S/MIME.

- - - - - - - - - - Timothy Sip
Re: Sending email from the Mainframe
Len Sasso wrote:
>We are using CSSMTP to send email from the Mainframe.
>All our messages must implement TLS 1.2 or higher for
>transport level encryption.
>What are you using?

CSSMTP. No problem. IBM explains how to set up TLS with CSSMTP here (current z/OS 2.4 documentation link, subject to change):

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.halz002/cssmtp_tls.htm

It's possible to require TLS 1.2+, exactly as you wish. (Good idea.)

Tony Thigpen wrote:
>We found it easier to set up a small SMTP relay box on an
>Intel platform and let it do all the TLS heavy lifting.

That's possible, but it means that your e-mail traffic is leaving your z/OS machine in cleartext. This class of security risks is easily avoidable if you simply enable TLS on z/OS. (N.B. TLS is not "heavy lifting," or at least it hasn't been for a very, very long time.) There may also be some unnecessary server complexity in what you've done, adding some inherent fragility.

To be clear (pun intended), there are still one or more e-mail servers in the transmission path, of course. This is about encrypting the traffic, preferably with TLS certificate authentication, as early as possible in the path.

Allan Staller wrote:
>We send everything plain text to the corporate email server
>and let them handle it!

I offer the same suggestion as above.

- - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
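The two sender policies argued over in this thread, opportunistic fallback to cleartext versus holding the message when the next hop offers no STARTTLS, are shown below as an added Python example. It is not code from any poster or from IBM, and it is not how CSSMTP is configured (that is done through AT-TLS policy); the relay is a constructed local stand-in, and send_mail, start_plaintext_relay, demo and the host names are assumptions made for the example.

```python
"""Added example: required vs. opportunistic STARTTLS toward the next SMTP hop."""
import smtplib
import socket
import ssl
import threading


class TLSRequiredError(Exception):
    """The next hop offered no STARTTLS although the sender's policy requires it."""


def tls12_context(cafile=None):
    # Verifies the relay's certificate and host name; refuses anything below TLS 1.2.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_mail(host, port, sender, rcpt, message, require_tls, context=None):
    """Send one message; return the negotiated TLS version or "cleartext"."""
    context = context or tls12_context()
    with smtplib.SMTP(host, port, local_hostname="sender.example", timeout=5) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=context)  # raises on handshake or certificate failure
            smtp.ehlo()                     # re-read capabilities over the TLS channel
        elif require_tls:
            # Policy "require": stop before MAIL FROM so nothing leaves in cleartext.
            raise TLSRequiredError(f"{host}:{port} offers no STARTTLS; message held")
        smtp.sendmail(sender, [rcpt], message)
        return smtp.sock.version() if isinstance(smtp.sock, ssl.SSLSocket) else "cleartext"


def start_plaintext_relay(seen):
    """Constructed stand-in for a next hop that never advertises STARTTLS.

    Appends every SMTP verb it receives to `seen` and returns the listening port.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 relay.example ESMTP\r\n")
            in_data = False
            for line in lines:
                if in_data:  # message body, terminated by a lone "."
                    if line == b".\r\n":
                        in_data = False
                        conn.sendall(b"250 queued\r\n")
                    continue
                words = line.split()
                verb = words[0].upper().decode("ascii", "replace") if words else ""
                seen.append(verb)
                if verb == "DATA":
                    in_data = True
                    conn.sendall(b"354 go ahead\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                else:  # EHLO, MAIL, RCPT: accepted, no extensions advertised
                    conn.sendall(b"250 relay.example\r\n")
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo(require_tls):
    """Run one delivery attempt against the constructed relay."""
    seen = []
    port = start_plaintext_relay(seen)
    try:
        outcome = send_mail("127.0.0.1", port, "batch@sender.example",
                            "ops@relay.example", "Subject: test\r\n\r\nreport\r\n",
                            require_tls=require_tls)
    except TLSRequiredError:
        outcome = "held"
    return outcome, seen


if __name__ == "__main__":
    print(demo(require_tls=False))  # message crosses the wire unencrypted
    print(demo(require_tls=True))   # sender stops after EHLO; nothing is transmitted
```

With the "require" policy the relay only ever sees EHLO and QUIT, which is the "stuck on the sender" outcome described in the thread; the sender's queue and retry handling then deal with it like any other delivery failure.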
Re: Encrypting z/OS SNMP traps to Windows SNMP server
Grant Taylor wrote: >Why not use "transport" mode vs "tunnel" mode? That should be fine. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Encrypting z/OS SNMP traps to Windows SNMP server
Another possible option is to configure an IKEv2/IPsec tunnel between z/OS and Microsoft Windows Server, then run your message traffic over the encrypted IPsec connection. For your colleagues, Microsoft documents some configuration procedures here ("Devices not joined to a domain"): https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2 I concur with the advice to upgrade z/OS 1.12 and the rest of the software stack to supported releases that are still receiving security and integrity updates. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Multi-channel OSA-ICC routing and TCP port behavior
Brian Westerman wrote: >So you are using TCP to get to them inside the ICC, but they >are technically local 3270 terminals. I think you can make >some of them printers if you want, but that seems like a waste. I recently worked with an organization that configured an OSA-ICC TN3270E printer session, and it makes sense for them. They did this because one of the TCP/IP products available for z/VSE, the one they use, includes a TN3270E server that is limited to display terminal sessions and does not support printer sessions. This particular organization uses the TCP/IP product's TN3270E server for display sessions, but they also have a line printer they need to continue running. Previously, historically, the line printer was coax attached to an IBM 3174 Establishment Controller. The same line printer is now connected via OSA-ICC's TN3270E server and continues to behave like a terminal-attached printer, with IBM Personal Communications in the middle handling the emulation. Direct would have been nice, and technically the printer can directly connect via a TN3270E printer session (it has a built-in TN3270E client), but for some weird reason when the line printer operates using a different connection it unavoidably changes "personalities" and won't interpret the same data stream the same way. That's how the printer is designed, not something that can be changed. So rather than reconfigure z/VSE's output to adjust the print data stream, they inserted IBM Personal Communications in the middle to accept the original data stream then handle some very light reformatting before passing it on to the printer via LPR/LPD protocol. This arrangement works! - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Multi-channel OSA-ICC routing and TCP port behavior
Mike Schwab wrote: >Port 23 is standard telnet. Port 3270 is non-standard TN3270E. IANA has actually reserved port 3270 for "Verismart": https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt I have no idea what Verismart is, or was. It's probably moribund, like many port reservations. You're not obliged to honor IANA's reservations and recommendations, although it's the "polite thing to do." If nothing else it makes the job of somebody monitoring, managing, and troubleshooting network traffic a little easier, because at least you give that person a clue what the traffic is about. IANA has reserved port 992 for Telnet, including TN3270/TN3270E, over TLS. So one common, IANA-polite approach is to enable port 992 first then, if needed, port 23 second, *both* with TN3270E over TLS. (Yes, OSA-ICC supports TN3270E over TLS. Use it, please.) IANA also leaves ports 49152 and above as "private use" ports, so you can use ports 50001, 50002, 50023, etc. -- a 5 followed by any 4 digits works well -- as recklessly as you want. Ports 50992 and 50023 should give above average network troubleshooters some clue that the traffic is telnet-oriented. As far as non-standard ports, the following are at least IANA reserved for some sort of "telnet": 89, 107, 902, 903, 1618, 2564, 3083, 3696, 5024, and 6623. Some of them are moribund. So if you'd like to use one or more of these ports "in the spirit of IANA," that's up to you. :-) Port 22 is assigned to SSH, and again "in the spirit of IANA" perhaps you could use that one for TN3270E over TLS if you need it. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Java memory limit
Please note the 31-bit Java variant offers something less than 2 GB of memory per Java Virtual Machine to programs. The 64-bit release is required if you want more. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Free Mainframe Stuff 2020: Reply Here with Nominations
Thanks for the nominations, some also coming in via direct e-mail. I'm seeing some freebies that I didn't know about, and that's terrific. Please keep them coming. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: IHS NTLM authentication
Jantje wrote: >If it were me, yes, we would go for that. But... If your organization has some sort of reasonable identity management service that provisions, de-provisions, and otherwise manages user identities, then you could probably hook TLS client certificate management for z/OS into that. Any options there? If the service desk department is "big" and has "high" turnover, then presumably you're managing RACF identities at a fairly high velocity. How are you doing that today? Could you fairly straightforwardly extend that high velocity identity management to TLS client certificates for z/OS HTTPS access? - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: IBM 2828-G01
IBM Machine Type 2828 is an IBM zBC12 machine. As I write this (mid July, 2020), all the latest generally available IBM operating system releases support this machine model. These releases include: z/OS 2.4 z/VM 7.1 z/VSE 6.2 z/TPF (including the latest PUT as I write this) Certain operating system features, such as the z/OS Container Extensions, are not compatible with the IBM z12 generation machines (machine types 2827 and 2828). On April 14, 2020, IBM announced that it plans to release z/VM 7.2 sometime this quarter (3Q2020). z/VM 7.2 will not support z12 generation machines and will require an IBM z13 generation machine or higher, or any IBM LinuxONE machine. Red Hat and Canonical have dropped support for the IBM z12 generation machines in their latest Linux distributions (Red Hat Enterprise Linux 8.x and Ubuntu Server 20.04). SUSE continues to support the IBM z12 generation machines in their SUSE Linux Enterprise Server 15 SP1. (Their forthcoming SP2 also looks OK per their current beta release documentation.) If you're considering a machine model upgrade (hopefully), currently IBM migration and/or other IBM offers are available from the IBM zBC12 to the IBM z14 ZR1 and IBM z15 T02 models. Unless there's some super important reason I suggest the IBM z15 T02, introduced earlier this year (2020). - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: IHS NTLM authentication
>Not yet, because it opens a different can of worms: that >of having to manage the client certificates. I am not sure >I want to do that… But I agree: it would be a good >alternative. How many worms? How many TLS client certificates do you expect you'll need for this purpose? Especially if the answer is "more than a few," how about using the z/OS PKI Services? - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: SuperWylbur Users
Hopefully SuperWylbur will emerge. Re: Stanford's WYLBUR, have there been any attempts at "upstream" source code recovery in a non-mangled form? For example, via pulling and reading a tape from someone's/anyone's archive? It appears that Stanford has graciously released WYLBUR under the Mozilla Public License 1.1: https://web.stanford.edu/dept/its/support/wylorv/ I'm not a lawyer, but I assume that means that any/all other custodians of *Stanford* WYLBUR are free to operate under those same terms. In other words, if Stanford has lost their upstream, non-mangled WYLBUR code, but someone else has the identical upstream code available to release, then that should be OK. The MPL goes a little farther than that, actually. According to the license, it's OK to redistribute Stanford's WYLBUR "with or without modification" as long as the required notice is included. Let's suppose for example Site X has Stanford WYLBUR code, with two local code modifications for Site X, in its archive. Assuming Site X is OK releasing those two local modifications (and grants permission), Site X is also OK under the MPL 1.1 releasing the rest. At least, that's how I read it. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: SuperWylbur Users
There's precedent. Stanford graciously offers WYLBUR's source code for download: https://web.stanford.edu/dept/its/support/wylorv/ Of course SuperWylbur is not WYLBUR: https://en.wikipedia.org/wiki/ORVYL_and_WYLBUR#SuperWylbur%E2%84%A2 - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Free Mainframe Stuff 2020: Reply Here with Nominations
Everyone likes free stuff, right? Please reply to this message with your nominations for the new, bigger, even more exciting 2020 edition of "Free Stuff for Your Mainframe." To get you started (in other words, to let you know about the freebies I surely know about already), the 2016 edition of this particular list is posted here:

https://community.ibm.com/community/user/ibmz-and-linuxone/blogs/andrii-vasylchenko1/2016/08/16/free-stuff-for-your-mainframe-2016-update

Nominations are welcome in all of the following categories (and likely a couple more that I haven't thought of):

* oriented to the machines themselves (e.g. IBM HMC Mobile, Feature Code 0115)
* whole operating systems and tools that can start up on their own (e.g. ZZSA)
* for all 5 major operating systems (z/OS, z/VSE, z/TPF, z/VM, Linux on Z) N.B. For Linux on Z I'll probably limit this particular list to software that has some reasonably specific IBM Z and/or IBM LinuxONE affinity, and/or affinities to other IBM Z operating systems and their workloads. LXCMS is one possible example in that vein.
* for mainframe middleware (Db2 for z/OS, CICS TS, IMS, MQ, WAS for z/OS, etc., e.g. SupportPacs for CICS and MQ)
* for various subsystems and tools (e.g. ISPF add-ons such as Zigi, RACF tools such as PWDCOPY)
* programming languages (e.g. IBM Open Enterprise Python for z/OS)
* handy sample code, such as useful REXX scripts
* programming libraries, modules, and tools (e.g. Rocket Software's Git for z/OS)
* free mainframes (e.g. the LinuxONE Community Cloud, the Master the Mainframe Learning System)
* tools for mainframe storage
* public cloud services with mainframe affinities (e.g. https://optimizer.ibm.com )
* mainframe planning and estimation tools (e.g. the IBM Z Batch Network Analyzer)
* free security-related tools and offers with mainframe affinities (e.g. free TLS certificates, as long as you can actually use them in z/OS RACF for example)
* free mainframe-related books and education
* free "abandonware"
* trialware and "juniorware," but only if it offers real, material value (this'll be a personal judgment call)
* client device-installed software that has mainframe affinities (e.g. IBM Explorer for z/OS, terminal emulation software, development tools, etc.)

I'd like to hold a Webcast to highlight a few of these gems, probably sometime in late August or September (2020), repeated a couple times to cover various timezones better. During this Webcast there'd be a few quick, ~5 minute demonstrations of mainframe freebies. If you're interested in having 5 minutes of additional fame and would like to volunteer to show off your favorite freebie(s), please reply to this message indicating your interest.

Nominations close on July 31, 2020. Thanks, everyone!

- - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: IHS NTLM authentication
>Some powers that be have decided not to allow basic >authentication anymore, even over HTTPS. So I am >looking for an alternative. Have those "powers that be" offered a list of acceptable alternatives? Unless they insist, I don't think NTLM over HTTP is a good protocol idea nowadays for a variety of reasons, so can we skip that one? The IBM HTTP Server for z/OS supports TLS client certificate authentication with RACF. That's not basic authentication, so it ostensibly qualifies. It's also widely accepted. Have you considered that option? Or you could adopt a token-based approach. The classic way is forms-based authentication, i.e. some application-based mechanism. Another, widely accepted choice is OAuth 2.0. However, OAuth 2.0 would require either a custom, additional module or an authenticating proxy arrangement of some kind. The (non-Apache) mod_oauth2 module code is available here: https://github.com/zmartzone/mod_oauth2 I have not looked at this code, but there it is. I'll pause there. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: SuperWylbur Users
Tony Harminc wrote:
>What is (and will be) the licensing status of SuperWylbur? Is there
>potential to turn this into a community maintained project? There are
>surely at least hobbyists out there who would love to play with it.

That's a good idea. The only caveat I can think of is that sometimes there's "encumbered" code in a particular product. However, that seems unlikely in this case (see below), and even if that were the case it's still possible to release only the unencumbered code.

John Giltner wrote:
>It is still distributed with full source code.

That's promising for these purposes. It means there's no first party distribution effort required. Permission alone to one or more second parties would be sufficient.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Storage & tape question
Radoslaw Skorupka wrote:
>I forgot something obvious for me: NEVER USE TAPES FOR APPLICATION
>DATA. No jobs should write or read tapes.
>Nothing except backup and restore and (optionally) ML2. Managed by
>HSM or FDR. Some exceptions for archive copies are worth considering.

I take your point, but "NEVER" is too strong. And you're acknowledging there might be some exceptions, so let's dig into them a bit.

One notable exception that I'm increasingly encountering is in the digital asset industry. There are occasions when they'd like to have certain digital assets in an offline state, for example in technically and operationally assured systems, encrypted on WORM tape cartridges physically removed from tape libraries. In some cases that sort of approach is what the asset owners and their insurers require.

Another potential exception involves certain content management systems, although it depends on how they're designed.

As another example, IBM SAFR runs really don't mind source data from tape and/or virtual tape. As long as the data streams fast enough for whatever you're trying to do with SAFR, that's perfectly fine.

I suppose you could drive even these edge cases through DFSMShsm handling (and manual tape loading procedures in the first example), but then you'd need above average cooperation with application developers and owners. The "my application knows best" philosophy is powerful, for better or worse. You just try to do the best you can, and if there's an exceptional edge case and consensus agreement that it ought to be handled differently (even if you disagree), OK, so it goes.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Mainframe co-op
There's a good organizational structure potentially available:
https://www.openmainframeproject.org

I assume the goal ought to be to have something better than the Master the Mainframe Learning System, already available free of charge:
https://www.ibm.com/it-infrastructure/z/education/master-the-mainframe

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: z/OS use of "legacy" programming languages
Frank Swarbrick asked:
>Is Pascal also still supported/used?

IBM VS Pascal (5668-767) is still IBM marketed and supported:
https://www.ibm.com/support/lifecycle/#/details?q45=M618799U16404L24

The New Stanford Pascal Compiler is also available:
https://github.com/StanfordPascal/Pascal
http://bernd-oppolzer.de/job9.htm

Here are some more classic programming language compilers that are currently IBM marketed and supported, in no particular order:

APL2 (5688-228)
https://www.ibm.com/support/lifecycle/#/details?q45=D543769I30278S34

BASIC (5665-948)
https://www.ibm.com/support/lifecycle/#/details?q45=G568183M36263P96

RPG II
This one is a little extra obscure, but yes, it's still IBM marketed and supported. The IBM Program Number is 5740-RG1. The z/VSE variant (5746-RG1) is listed more visibly here:
https://www.ibm.com/us-en/marketplace/dosvs-rpg-ii
There's a little bit of confusion about RPG in large part because there was a relatively briefly marketed RPG compiler introduced years later called "IBM SAA RPG/370." This specific, very different compiler (5688-127) was withdrawn from marketing and is no longer IBM supported, but the previously introduced RPG II compiler is still an active IBM product.

IBM's Prolog, Lisp, Ada, Algol, Smalltalk, and COMTRAN compilers are withdrawn and past their End of Service dates, but it's likely there are some of these compiled programs still running, even with some periodic code changes. In some cases there may be available and supported programming language offerings from other parties. Some may target Java Virtual Machine (JVM) and/or z/OS Container Extensions (zCX) runtimes.

There's a supported JOVIAL compiler available for z/OS and z/VM:
http://www.seadeo.com/IBM_Compilers.htm

If there's some other programming language's status you'd like me to research, please ask.

And obviously IBM markets and supports C, C++, REXX, COBOL, PL/I, Java, EGL, HLASM, and several other programming languages (JavaScript, Swift, Python, IBM Migration Utility)

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Mid-2021 Withdrawal of IBM z14 & LinuxONE Emperor II Features
IBM announced that certain IBM z14 (Machine Type 3906) and IBM LinuxONE Emperor II features will no longer be available effective June 30, 2021:
https://www.ibm.com/downloads/cas/US-ENUS920-113-CA/name/US-ENUS920-113-CA.PDF

Note that's 2021, i.e. next year as I write this. This future withdrawal relates to the features that require physical shipment of components.

This withdrawal notice does NOT affect IBM z14 ZR1 and IBM LinuxONE Rockhopper II models.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
IBM z/OS Statement of Direction re: Containers
I draw your attention to this Statement of Direction that IBM published on June 23, 2020:
https://www.ibm.com/downloads/cas/US-ENUS220-033-CA/name/US-ENUS220-033-CA.PDF

Please also refer to IBM Announcement Letter 219-233 (mostly already fulfilled).

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: DASD migration -- Re: Hitachi RAID box going out of support
Bill Bishop wrote:
>One issue that you may encounter with going to a new storage
>system on a z9 processor is the speed of the ficon cards and
>whether the new unit can z9 cards. I am not sure the new
>Hitachi's can work with 4GB ficon.

While Radoslaw Skorupka clarified that it's possible to worry less about link speeds when there's a switch/director in the mix, I should point out that the IBM z9 machine might not be using 4 Gb/s FICON with its storage device. FICON4 was only the maximum configurable storage I/O attachment. Other maximums were possible. The z9 generation of IBM Z machines also supported 1 Gb/s and 2 Gb/s FICON and/or ESCON, even as maximums. For direct storage attachment it's important to clarify which link type(s) and speed(s) are actually operating.

I should also point out that the IBM z9 machines have passed IBM End of Service, and so have all z/OS releases (2.1 and prior) that the IBM z9 machine supported. The storage device is by no means unique in this respect. IBM is still offering a Service Extension for z/OS 2.1, available for an additional monthly fee (minimum 3 months) through September 30, 2021. Service extensions may also be available for other software.

I agree with the other posters suggesting serious, quick investigation of other options involving "rebasing" these critical applications on systems and middleware that are aligned with their importance. Many people are able to help.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Messages & Codes
Charles Mills wrote:
>You have to understand national politics: "we won't buy this
>product; the error messages are in English" [not French,
>Japanese, etc.]
>Even though you are of course right, "diskette in drive" is
>more understandable to the average French speaker than
>!! Sys01475

(a) This argument would have had more credibility if MS-DOS and its children (Windows 95, Windows 98, etc.) had sold poorly in particular countries for that reason. That's not how it worked out.

(b) OK, try this:

SYS01475 !! Diskette / Disquette

In 32 bytes that string includes the language neutral (and still incomprehensible) error code *and* provides a powerful clue that covers English, French, German, Dutch, and some other languages exactly. It also covers Spanish, Italian, and Portuguese if you're willing to overlook an extra T. You even get the following languages pretty well or exactly (per Google, partial list):

Afrikaans: disket
Albanian
Basque: diskete
Bosnian: disketa
Catalan: disquet
Corsican: dischettu
Croatian: disketa
Czech: disketa
Danish
Esperanto: disketo
Estonian: diskett
Filipino
Finnish: disketti
Galician: disquete
Haitian Creole: disk
Icelandic: disklingur
Indonesian: disket
Latvian: diskete
Lithuanian: diskelis
Luxembourgish: diskett
Malay: disket
Maltese: disketta
Norwegian: diskett
Polish: dyskietka
Romanian: dischetă
Slovak: disketa
Turkish: disket

You get the idea. Anyway, this design defect (I'll call it that) is history.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Messages & Codes (was Re: "Everyone wants to retire mainframes")
This pair of error messages was a design mistake:

OS/2 !! Sys01475
OS/2 !! Sys02027

That's a case of national language considerations run amok. That was the only pair of messages you saw on your screen when you formatted a diskette with OS/2, left the diskette in the primary drive, and rebooted the typical PC of that era (that didn't automatically try to boot from another device when there was a diskette in the primary drive). A diskette's boot sector doesn't have much room, so the designers had to be concise. They wanted to include at least one error code, and they did. But then instead of some portion of the planet not understanding what happened, very nearly the entire planet didn't understand what happened. :-)

A better design would have used a global message like this:

OS/2 SYS01475: Diskette in Drive!

That's exactly the same number of characters, assuming the new line was one character. (If not, the colon could have been omitted.) Yes, "Diskette in Drive!" is technically English, but even so it would have been much more broadly, globally understood than mystery error codes. Even this one would have been better:

OS/2 SYS01475 Unbootable Diskette

Or:

SYS01475: Data Diskette in Drive!

Pretty much anything with the word "Diskette" (the term IBM preferred instead of "Floppy") would have given users a clue. Even this:

OS/2 !! Sys01475 No Boot Diskette

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Netview 5.4
I don't have a direct answer to your question, but here's some degree of reassurance. z/OS 2.3 became generally available on September 29, 2017. Tivoli NetView 5.4 for z/OS reached its End of Support date on October 31, 2017. Thus it appears this particular release combination was briefly fully IBM supported.

Obviously you ought to upgrade to the latest release of NetView as soon as reasonably practical. If the only reason you're holding off is due to Single Version Charge (SVC) limitation concerns, don't hold off. In 2017 IBM abolished the SVC time limits for everyone per IBM Announcement Letter 217-093.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Base SYSPLEX setup
Brian Westerman wrote:
>SO just how much are the peanuts?

Radoslaw Skorupka wrote:
>Peanuts mean really cheap.

Even a new switch with warranty is only a few more peanuts. For example, the Brocade 6510 and IBM SAN48B-5 (2498-F48) switches were just recently discontinued (May, 2020), but there might be some new stock available from distributors.

Looking at fully qualified (vendor blessed), reasonably physically small, not latest model FICON switches, the discontinued Brocade 5300 and IBM SAN80B-4 (2498-B80) switches were also qualified for IBM z13s machines (at 4 and 8 Gb/s). The Cisco MDS 9250i (also available as IBM 9710-E01) and discontinued Cisco MDS 9222i (IBM 2054-E01) also appear in IBM z13s-related qualification letters.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Base SYSPLEX setup
Brian,

1. If you haven't also looked at IBM Publication No. SB10-7174 yet, I'd refer you to that one ("IBM Z FICON Channel-to-Channel Reference"). I believe you've found SG24-5451 already.

2. You might not need additional FICON Express features at all. It depends on how you're set up, but there's quite a bit of link sharing that's possible. Quoting IBM, "A FICON channel with CTC capability may behave as both a standard FICON channel connecting to standard FICON I/O control units, as well as having an internal CTC control unit function in support of CTC connections Neither FICON channel must be dedicated exclusively to CTC operations." If you have (for example) two machines connected to at least one common FICON SAN switch/director then you're *probably* good to go from a physical point of view, for some minimum level of service anyway. Sure, do due diligence in terms of performance and such, but it seems like a better idea to me to leave these machines physically unmolested if possible rather than try to hack something in (that's withdrawn from marketing).

There was probably some point in "ancient history" when the various sharing options weren't available, but I believe all FICON-equipped z/Architecture machines have these various CTC-related sharing capabilities at least in some fashion. SB10-7174 repeatedly refers to an engineering change (EC) that was available at least as far back as the IBM z900 from what I can tell.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: EPSILON?
Unfortunately nobody is able to ask Richard B. Talmadge about his EPSILON ideas. According to this source he's no longer alive:
https://www.maa.org/news/memoriam

It'd be terrific if anyone who worked or interacted with him knows more about these EPSILON concepts.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: 3270 terminals: CUT vs. DFT
Alex, have you considered getting a used terminal controller for your IBM 3290? It looks like an IBM 3174 would work.

According to IBM Publication No. GG24-3061 (Revision -05 is the latest I can find), the IBM 3290 requires a "Downstream Load (DSL) Diskette." This feature in turn requires any of the following feature codes: 1046, 1048, or 1056 (i.e. a second diskette drive or hard disk). Sadly, none of these three feature codes are available on the smallest form factor 3174 models 81R, 82R, 90R, 91R, and 92R. Thus the most likely "best fit" IBM 3174 would be one of the 5xR or 6xR "medium size" models, preferably 6xR since that's the newer one. Some of these models had Ethernet and/or serial ("asynchronous") ports.

I found some online evidence that a hobbyist managed to get an IBM 3290 with IBM 3174 connected to and functioning with a Linux-based PC.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
IBM's Java on z/OS Survey Request
IBM is soliciting some special feedback for Java on z/OS. The survey is available here through May 29, 2020:
https://ibm.biz/zOSJavaSurvey

Thanks.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Developers say Google's Go is 'most sought after' programming language of 2020
Shmuel Metz wrote:
>The problem is that some of those are incomplete, not z/OS,
>or not up to date.

1. Would you like to be more specific? (And I don't know what you mean by "not z/OS." I answered specifically, exclusively for z/OS.)

2. Have you tried fixing the specific issues?

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Developers say Google's Go is 'most sought after' programming language of 2020
Shmuel Metz wrote:
>Now if they could just bring z/OS support for Kotlin, Lua,
>Perl, Raku, Ruby and Rust up to date ...
>Yes, bringing the port up to date includes first porting it ;-)

Let's take these in order

1. As far as I know, as long as you use the Kotlin compiler to target a Java Runtime Environment (JRE) -- the typical/usual pattern -- your program will (also) run on z/OS. The basic command line compiler syntax is as follows, assuming Kotlin source code in the file hello.kt:

kotlinc hello.kt -include-runtime -d hello.jar
java -jar hello.jar

There's also a potential future path that'll support Kotlin's LLVM target (since z/OS now supports LLVM), but that's speculative.

2. There's a z/OS build of Lua available here:
http://lua4z.com
This is a circa 2014 build of Lua. Fundi Software created, maintains, and supports this distribution, so if you'd like something newer then feel free to inquire.

3. Rocket Software offers Perl for z/OS here (currently 5.24.0, which was released on May 8, 2016):
https://www.rocketsoftware.com/zos-open-source

4. For Raku, go grab the Rakudo distribution and target a JVM (--target=jar). Or use Rakudo.js to target Node.js (JavaScript) since Node.js is available for z/OS:
https://www.ibm.com/products/sdk-nodejs-compiler-zos
To my knowledge there's no difficulty with either path.

5. JRuby is available:
https://www.jruby.org
The best implementation of Ruby for z/OS is probably currently the Docker container image that runs in the z/OS Container Extensions:
https://hub.docker.com/_/ruby

6. Rust will need LLVM, now available on z/OS. However, you can already compile and run Rust code via the z/OS Container Extensions.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Mainframe user ID length
Tom Marchant wrote:
>What is your point? The contents of in-stream data is not part of
>JCL, any more than the contents of some other data set referenced
>in a DD statement is.

Paul Gilmartin wrote:
>There's a qualitative difference. The Reader or Converter must
>inspect every record of an in-stream data set, and the Interpreter
>or Access Method must scan for substitutable symbols. Not so with
>some other data set.
>And the in-line data appear in the SUBMITted member commonly called
>JCL.

If anyone still cares, here's what I actually wrote:

>If you want to pass a longer user ID to something else
>using a different vocabulary, JCL isn't going to stop you.
>Example: Try using JCL to invoke z/OS's FTP client to transfer a file to
>an arbitrary FTP server, specifying a user ID longer than 8 characters.
>Can it be done? Of course it can; it's perfectly routine. You just don't
>use JES-related syntax, that's all.

100% true! If there's a complaint about something I wrote, OK, fine, but how about making sure it's a complaint about something I wrote? :-)

Who says mainframe professionals aren't the most friendly, helpful individuals willing to go the extra mile (or kilometer) to help solve user problems? Why, they never say "Can't be done!" and refuse to help. That's just ridiculous. :-) :-)

It's usually not this platform that's getting in the way of progress. Here's yet another such case. For over two decades (closer to three) we've been submitting JCL to JES2 or JES3 to do such (awful) things as sending and receiving files via FTP, with absolutely no trouble specifying a user ID that's longer than 8 characters. We haven't even given it a second thought, really. JCL hasn't and isn't standing in your way here, obviously. Since the OS/390 days you've been able to present a X.509 digital certificate to RACF in lieu of a user ID for authentication and authorization.

These features aren't state secrets. If you have z/OS, you have in-stream data in JCL. (How long has that been?) You also have the IBM Directory Server for z/OS. If you have the z/OS Security Server, you have RACF client certificate authentication. If you don't like maximum 8 character user IDs, OK, don't trouble your users with them! There are other viable, sensible approaches available -- handed to you, really. Plenty of organizations are already using them and aren't troubling their users with maximum 8 character IDs.

So let's cut the nonsense and start leading progress rather than inhibiting it, OK? A few more "Wow, that's pretty interesting!" remarks would be welcome. (Thanks, Bob.) Deal? And sure, if there's something missing that you want or need, by all means ask (IBM RFE).

OK, back to problem solving

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Mainframe user ID length
Shmuel Metz wrote:
>Regardless of why it is coded that way, the code is in
>the C/I and the error message comes from the C/I.

Yes, and in-stream data is an intrinsic feature of the Job Control Language (JCL). It says so right here, among other places:
https://www.ibm.com/support/knowledgecenter/zosbasics/com.ibm.zos.zjcl/zjclt_exercise_crtNsubmitjob.htm

Frank Swarbrick wrote:
>On a separate line, are you saying is it possible for z/OS to use
>a non-z/OS LDAP server for authentication (and authorization?),
>including user IDs and passwords?

"z/OS" is a big, grand place, so yes is the answer. For example, that's exactly what the z/OS Container Extensions do(es) if you simply turn on its LDAP feature. Naturally you do that from the z/OS Management Facility.

>But this would that still require TSO and CICS (and IMS? and others?)
>signon processes to be able to handle those user IDs?

OK, now you're naming names (specific subsystems), and then "it depends." Let's pick CICS as an example. If you want to authenticate and authorize a user against a LDAP server (highly preferably the one on z/OS) for purposes of executing a CICS transaction, then one way to do that is to have a CICS Liberty region on the front side handling the job. CICS Liberty can definitely authenticate and authorize based on LDAP's guidance (with ID mapping), and there's some pretty good documentation explaining how to do that.

TSO/E is "classic," and thus it understands up to 8 character maximum user IDs (up from 7 previously). However, as I sketched out, the end user need not necessarily know that. It'd be wonderful if somebody creates a TSO/E sign on screen analogous to z/VSE's that accepts a long user ID and passphrase which is then checked against LDAP on z/OS to decide whether to log the user on. LDAP on z/OS would then supply the mapped short name, without the user's active involvement.

>What I would love to see is some sort of "single signon" option,
>where a user would only need to sign on to their personal workstation
>and not need to explicitly sign on to z/OS at all.

There are many products that do that, including from IBM.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: IBM-MAIN Digest - 2 May 2020 to 3 May 2020 (#2020-125)
Bob Bridges wrote:
>So maybe - maybe, I don't know either - if I sign on to z/OS with a
>certificate, or LDAP, or anything other than the usual, the sign-on routine
>MAKES UP an 8-byte ID and stores it in the ACEE. If so, after that
>everything works fine, I guess.

I don't think RACF itself works that way, or at least the z/OS 2.4 documentation doesn't suggest so. Take a look at this information, for example:
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.icha700/icha700_Certificate_mapping.htm

Let's suppose the user is authenticating with RACF (not with the IBM Directory Server for z/OS, a.k.a. "LDAP"), and the user transmits an X.509 client digital certificate for that purpose. RACF has to know ahead of time whether or not to authenticate that particular user (digital certificate). So the digital certificate has to be known to RACF ahead of time. Since the digital certificate has to be known, it's not unreasonable to associate an up to 8 character "short" user ID with that certificate. And that's how it works, as I understand it. The user doesn't present the short user ID -- well, not really, I'll get to this in a moment -- but RACF can check the certificate and create an ACEE with a mapped short user ID.

There are three basic choices here as I understand it:

1. A one-to-one mapping (one certificate to short ID ABCD1234). The documentation does a little bit of handwaving here along the lines of "this might be difficult to administer," but I'd argue that's somewhat dated advice now that so many organizations use identity management tools.

2. A many-to-one mapping (multiple certificates to ABCD1234).

3. Either mapping, but with the certificate itself holding an embedded short name ("hostIdMapping"). Certificate issuers don't typically support this extension, or at least they hide it well, but the z/OS PKI Services do. (Is this technique "cheating"? Not really)

In all these cases the user need not be aware there's a short name that RACF uses "under the covers." The user just supplies a valid, unexpired client certificate -- from a PIN-protected smart card perhaps. From RACF's perspective the X.509 digital certificate is really just another alias, a verbose one.

z/OS LDAP also supports broadly similar RACF ID mapping (supply a long CN, which the directory maps to a short name), but it's optional. You can certainly authenticate with LDAP as a standalone matter if you wish.

It's an interesting idea to have a fourth option for digital certificate authentication with RACF, which would be like choice #1 but without telling RACF what the short user ID is ahead of time -- to let RACF create one "on the fly," probably with caching and templating. For example, allow me to register a bunch of digital certificates in RACF as valid users, but I'm not going to tell you (RACF) what their short user IDs are ahead of time. The first time you encounter a particular certificate, just create a short user ID of C$-- (where the dashes are RACF's randomized or sequential choice, of any length -- randomized as default, but sequential as an option), store it, and use that on-the-fly short ID to build the ACEE. For example. I'd have to ponder that one a bit more, but if you think you've got a good use case, ask (RFE).

Of course it'd be "nice" to have more than a maximum 8 character ID (with the current maximum of 39 different characters per position) internally in RACF, but I imagine that'd be a big plumbing problem and potentially break a lot of important stuff if not done carefully. Fortunately, you're not required to limit users' experiences to maximum 8 character user IDs: use LDAP CNs, use digital certificates, or use something else.

By the way, if someone is looking for an interesting project, it'd be pretty neat to have a sample TSO/E signon screen that accepts a LDAP CN and passphrase that's then checked against the IBM Directory Server for z/OS for authentication (and thus also with the SAF security provider, indirectly). This part of the z/OS documentation starts to explain how to do that:
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.ikjb400/logpan.htm

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
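
The "fourth option" floated in the message above (allocate a short ID the first time a pre-registered certificate is seen, then store and reuse it) can be modelled in a few lines. This is an added illustration, not RACF code or behaviour and not part of the original post; the class and method names, the SHA-256 fingerprint key, the fixed six-character suffix and the sample certificate bytes are all assumptions.

```python
import hashlib
import secrets

# The 39 characters per position cited in the post: A-Z, 0-9, #, $, @.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$@"
MAX_LEN = 8      # short user ID limit discussed in the thread
PREFIX = "C$"    # prefix suggested in the post

# Constructed stand-ins for certificate bytes (not real DER).
ALICE_CERT = b"constructed-cert-alice"
BOB_CERT = b"constructed-cert-bob"
UNKNOWN_CERT = b"constructed-cert-never-registered"


class OnTheFlyIdMapper:
    """Hypothetical model: certificate -> short ID allocated at first use."""

    def __init__(self, reserved=(), sequential=False, rng=None):
        self.registered = set()       # fingerprints accepted as valid users
        self.assigned = {}            # fingerprint -> short ID (stored mapping)
        self.in_use = set(reserved)   # existing IDs that must never be reissued
        self.sequential = sequential  # post: randomized by default, sequential optional
        self.next_seq = 0
        self.rng = rng or secrets.SystemRandom()

    @staticmethod
    def fingerprint(cert_bytes):
        return hashlib.sha256(cert_bytes).hexdigest()

    def register(self, cert_bytes):
        """Mark a certificate as a valid user without choosing its short ID."""
        self.registered.add(self.fingerprint(cert_bytes))

    @staticmethod
    def _encode(n, width):
        """Render n as a fixed-width base-39 string over ALPHABET."""
        chars = []
        for _ in range(width):
            n, r = divmod(n, len(ALPHABET))
            chars.append(ALPHABET[r])
        return "".join(reversed(chars))

    def _allocate(self):
        width = MAX_LEN - len(PREFIX)
        space = len(ALPHABET) ** width   # 39**6 candidate suffixes
        for _ in range(1000):            # bounded retries on collision
            if self.sequential:
                if self.next_seq >= space:
                    break
                n = self.next_seq
                self.next_seq += 1
            else:
                n = self.rng.randrange(space)
            candidate = PREFIX + self._encode(n, width)
            if candidate not in self.in_use:
                self.in_use.add(candidate)
                return candidate
        raise RuntimeError("no free short ID found")

    def resolve(self, cert_bytes):
        """Return the short ID for a certificate, or None if it was never registered."""
        fp = self.fingerprint(cert_bytes)
        if fp not in self.registered:
            return None                  # unknown certificate: authentication fails
        if fp not in self.assigned:
            self.assigned[fp] = self._allocate()
        return self.assigned[fp]


if __name__ == "__main__":
    mapper = OnTheFlyIdMapper(reserved={"C$AAAAAA"}, sequential=True)
    mapper.register(ALICE_CERT)
    mapper.register(BOB_CERT)
    for name, cert in (("alice", ALICE_CERT), ("bob", BOB_CERT),
                       ("alice again", ALICE_CERT), ("unknown", UNKNOWN_CERT)):
        print(name, "->", mapper.resolve(cert))
```

The points the model makes concrete: the allocator has to avoid IDs that already exist, the mapping has to be stored so the same certificate always resolves to the same ID, and an unregistered certificate never receives an ID.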
Re: Mainframe user ID length
Shmuel Metz wrote:
>According to MVS JCL Reference, SA23-1385-40, both
>USER=abcdefghi and EMAIL=foo+...@patriot.net are
>illegal. That's not a JES issue.

It is JES's issue. JCL is simply respecting JES limits there using that particular syntax. If you want to pass a longer user ID to something else using a different vocabulary, JCL isn't going to stop you.

Example: Try using JCL to invoke z/OS's FTP client to transfer a file to an arbitrary FTP server, specifying a user ID longer than 8 characters. Can it be done? Of course it can; it's perfectly routine. You just don't use JES-related syntax, that's all.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Mainframe user ID length
rfaces forge ahead. You then decide whether and how quickly you'd like to move forward. I think it's much the same here. There are lots of applications and subsystems that run on z/OS that expect user IDs (or "user IDs") up to 8 characters maximum, but that's not how you must present the world to users. Go ahead and use these LDAP and/or client certificate authentication technologies as/where you like. If you have z/OS you have the former, and if you have RACF you have the latter, too. And if something is missing, ask! (RFEs.) - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: Mainframe user ID length
Frank Swarbrick wrote: >Is z/OS still limited in all cases to 8 upper case characters? No. The IBM Directory Server for z/OS supports more than 8 upper case character user IDs. That's a standard, included, IBM supported feature in the base z/OS operating system. Bob Bridges wrote: >MQ, TSO, CICS, IMS - whatever the environment, the ID has to be >authenticated by RACF (or ACF2, or TSS). Not as you've written it, no, that's not correct. First of all, user authentication isn't necessarily required. However, I and many others argue that these systems should at least be authorizing user requests. TSO/E, yes, that subsystem supports user IDs up to a maximum of 8 characters. Otherwise, I know that MQ for z/OS and CICS Transaction Server for z/OS can authenticate users via LDAP (ideally the IBM Directory Server for z/OS) at least in certain contexts. See here for example: https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.sec.doc/q127976_.htm I would have to dig a little deeper with respect to IMS if anyone is interested. Interestingly even the "classic" 3270 z/VSE sign on screen supports "long" user ID authentication via LDAP-based sign on, although it requires "mapping" to a short user ID under the covers: https://www.ibm.com/support/knowledgecenter/SSB27H_6.2.0/fa2ad_ovw_ldap_sign-on_process.html Users don't really have to know all that, though. They just sign on with LDAP user ID "AliceCooper1990" (or whatever). Maybe somebody would like to submit a Request for Enhancement (RFE) for something similar with TSO/E? I don't think IBM provides a "stock" sign on screen with z/OS that'll do this. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: LzLabs
Shmuel Metz wrote: >Google for "look and feel lawsuit". It's illegal to run >z/OS on an unlicensed platform; it is perfectly legal to >implement the z/OS interfaces that you need. How well, >e.g., UNICICS, runs is a separate issue. Let's leave aside the "edge cases" involving laws in certain sanctioned countries. It isn't actually a settled issue in the United States; it's a very live issue. The upcoming U.S. Supreme Court case, Google v. Oracle America, significantly bears on the U.S. legality of reimplementing somebody else's APIs. See this article for background: https://en.wikipedia.org/wiki/Google_v._Oracle_America IBM filed an amicus brief supporting Google's position. Google won two jury trials, but the U.S. Federal Circuit Court overturned both verdicts. In November, 2019, the U.S. Supreme Court agreed to hear Google's appeal. The Supreme Court had to postpone the March, 2020, oral arguments due to the COVID-19 pandemic, so the case is still pending. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: COBOL and C
Charles Mills wrote: >Funny, isn’t it? >COBOL (née 1959) is 61 years old. It’s a very old language. >C (née 1972) is 48 years old. It’s a modern language. These dates aren't actually comparable. In 1959 the Short Range Committee first met -- on May 28 and 29, 1959, at the Pentagon -- and did a lot of work over the next few months. However, the COBOL specifications weren't formally approved until January 8, 1960 (with GPO printing thereafter). There was never any "COBOL 59." The first COBOL was "COBOL 60." And it wasn't until August 17, 1960, that the first COBOL program ran (on a RCA 501).(*) In other words, 1959 is the "some people got together and came up with an idea for a new programming language" date, analogous to celebrating your birthday on the date when your parents first met. For sure the first C program ran at least as early as 1972, probably in 1971, and perhaps even earlier. Version 2 Unix was released on June 12, 1972, and included a C compiler. Or, in other words, 1972 is when the first C compiler shipped outside Bell Labs. That's quite a different historical event, not directly comparable to committee meetings. Then there are the complexities associated with the fact that C comes after B, and there was a B programming language -- and BCPL before that. And CPL before that (born in 1963). Yes, COBOL has roots in FLOW-MATIC (mostly, with a light dusting of COM-TRAN), but...it's complicated. And surely we shouldn't be hanging our hat on somebody deciding in circa 1971 to advance to the next letter of the alphabet in what others might have called "B '72"? Anyway, if somebody wants to claim that a time difference is meaningful, isn't it important at least to get the birth dates right? (*) And the compilers remained practically unusable for a couple years thereafter. - - - - - - - - - - Timothy Sipples I.T. 
Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: Here we go again
Mark Jacobs wrote: >The Social Security Administration does not reuse Social Security >numbers. It has issued over 450 million since the start of the >program, and at a use rate of about 5.5 million per year. It says >it has enough to last several generations without reuse or changing >the number of digits. The Social Security Administration could easily give 20 years of advance warning before expanding their number space if they wish. They've got several options before that far distant future, such as: 1. Allowing capital letters except those that can be confused with numeric digits. That'd likely mean excluding B, D, F, G, I, L, O, Q, S, T, U, Y, and Z if they want to be maximally cautious. That still leaves 13 letters available, or 14 if they want to include the symbol representing the artist formerly known as Prince. :-) They'll also probably have some placement exclusions to avoid spelling out any words. Even with these restrictions, the character space is vast. 2. Alternatively, and in an overlapping period, some brand new digital identity scheme. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: Any shop use UNIX in a production job?
Radoslaw Skorupka wrote: >You mentioned several times about source code. IMHO it is irrelevant >for UNIX certification. My understanding is "black box": anything which >behaves as UNIX is UNIX. It can be written from scratch. >Obviously, an access to source code seem to be much easier. First of all, maybe you missed my other post? There are many outcomes that are hypothetically possible that haven't happened often. To my knowledge there's only one organization and product that has ever achieved UNIX certification without some AT&T/Bell Labs code lineage: IBM with z/OS UNIX. History suggests it was REALLY difficult. There were many previous efforts that never really took off: 1. Somebody was asking about the UNIX subsystem that was available for TSS/370. That was a collaboration with Bell Labs, as this paper from 1984 discusses: https://www.bell-labs.com/usr/dmr/www/otherports/ibm.pdf TSS/370 UNIX became available in 1980, although (like TSS/370 and TSS/360) I don't think it was ever an "official" IBM product. 2. INTERACTIVE Systems Corporation (ISC) developed a VM/370-based system called VM/IX. 3. ISC's IX/370 was a VM/SP-based version of TSS/370's UNIX, updated with UNIX System V compatibility. (Reference: IBM Announcement Letter 285-048.) 4. I think there was also an IX/360 from ISC, although I cannot find much information about it. 5. AIX/370 was introduced in 1990. (References: IBM Announcement Letters 288-130, 288-131, 289-075, and 289-412. Letter 289-412 also announced the withdrawal of IX/370.) AIX/ESA followed in 1992. (Reference: IBM Announcement Letter 291-544.) 6. Amdahl had UTS, and they started selling it commercially in 1980. UTS notionally survived until fairly recently under UTS Global's stewardship. As far as I know *all* of these efforts were liberally based on AT&T's UNIX source code. Maybe someone has interest in diving into code rescue efforts to see how many of these UNIXes they can recover and reanimate. 
There could be copyright impediments, though. In 2003 Peter Salus recounted some of the history of INTERACTIVE Systems Corporation as he remembers it (on page 68): https://www.usenix.org/system/files/login/issues/login_december_2003.pdf I don't think he has the chronology quite right, though, but that's understandable. I think at least IX/360 must have preceded PC/IX. (Why call something "IX/360" in 1984? Or even 1980?) His recollection that some other team started IX/360 agrees with the other information I found that it started at Bell Labs with TSS/370 UNIX. And did VM/IX fold into IX/370? It's very difficult to get this chronology sorted. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: How tell what version of COBOL compiler produced load module?
Roger Lowe wrote: >If you have the IBM Debug Tool product, there is included the >"Load Module Analyzer" which analyses program objects to determine >the language translator (compiler or assembler) that was used to >generate the object for each CSECT. There are lots of great answers in this thread, and I'll fill out a couple more. Nowadays you can get the Load Module Analyzer via "IBM Debug for Z" or via "IBM Developer for Z Enterprise Edition." Depending on what you're doing you may also find the COBOL and CICS Command Level Conversion Aid to be useful. It's available via the same two product offerings and also via "IBM Developer for Z." And/or "IBM Application Discovery" may be useful, and there are at least a couple vehicles to get that. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: Any shop use UNIX in a production job?
David Crayford asks: >Isn't this all obsolete now? Linux and Windows are used everywhere and I >doubt anybody cares about POSIX certification. Occasionally I bump into a RFP that includes the letters "POSIX" and/or "UNIX." In principle anybody can put anything they want in a RFP. Scott Ford wrote: >Wasn’t z/OS Unix System Services based on Posix ? It’s seems I heard this >sometime ago. MVS OpenEdition achieved POSIX compliance. z/OS is UNIX® certified. POSIX® refers to IEEE Standard 1003.1, and colloquially it means "UNIX-like," but that's a little dangerous. The reason is that getting the POSIX® label requires a submission and certification, whereas it's possible to be "UNIX-like" without certification. Linux, for example, is assuredly "UNIX-like" even though it's neither POSIX® nor UNIX®. http://get.posixcertified.ieee.org/ There aren't too many products that are POSIX® certified these days, although many more were in the past. Evidently a lot of vendors haven't bothered to renew their certificates. The current POSIX® register is available here: http://get.posixcertified.ieee.org/register.html The Open Group solely handles UNIX® certification and participates in the POSIX standardization process as one of the three "Austin Group" parties. https://www.opengroup.org/membership/forums/platform/unix The current UNIX® register is available here: https://www.opengroup.org/openbrand/register There's a close technical and working relationship between POSIX and the Single UNIX Specification(s), but The Open Group is now the sole grantor of the UNIX® label, based on vendor submissions passing its certification process. Historically, before the certification era, an operating system could have been UNIX basically if AT&T (and maybe the University of California, Berkeley, for a little while) said so. z/OS is at least unusual, probably unique, as a UNIX operating system without some sort of AT&T (Bell Labs) code lineage. - - - - - - - - - - Timothy Sipples I.T. 
Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: Any shop use UNIX in a production job?
Charles Mills wrote: >A trivia question: Which of these is UNIX? Windows Server or Linux? I replied: >Neither. Charles Mills then replied: >Which *used to be* UNIX? Still neither. I can find no evidence that Microsoft ever obtained a UNIX(TM) certification for any Windows operating system or even obtained a license for UNIX source code from AT&T or another authorized party specifically to ship any subsystem or product on/for Windows.(*) However, Microsoft evidently would not have been upset if you thought otherwise. :-) Here's the thumbnail history as I understand it. Back in 1996 a company called Softway Systems (later renamed Interix) shipped a product called OpenNT for Microsoft's Windows NT operating system. OpenNT apparently was written "cleanroom," meaning that it didn't license or use UNIX source code from AT&T or another authorized party. OpenNT was a POSIX subsystem, and at some point -- possibly starting pre-Microsoft -- it was POSIX certified. Meanwhile, Microsoft separately developed the "Microsoft POSIX subsystem" and included it in early releases of Windows NT. Microsoft did this to get FIPS 151-2 certification so that the U.S. federal government could consider Windows NT for more of its acquisitions. Later, Microsoft acquired Interix, updated the technology, positioned it as a replacement for their own POSIX subsystem, and renamed the technology in this sequence: "Microsoft Windows Services for UNIX" (sometimes "Unix" in references) then "Windows Subsystem for UNIX-based Applications." However, these products/subsystems were never certified as UNIX(TM) either. The preposition "for" in their names is quite meaningful and doing a lot of heavy lifting. Initially Microsoft's versions were separately chargeable, and then at the very end they were no additional charge downloads. In a completely separate effort, David Korn created UWIN, which is an X/Open library and set of utilities for Win32. UWIN isn't UNIX(TM) either. 
Ironically, AT&T, UNIX's inventor, now distributes UWIN's source code -- but that doesn't make it UNIX(TM) either: https://github.com/att/uwin OK, so that was/is Microsoft Windows. In fact Microsoft has distributed a bona fide UNIX operating system in the past: XENIX (also sometimes written Xenix). XENIX was definitely a genuine UNIX(TM) operating system. Microsoft licensed AT&T's UNIX source code (Version 7 then later System V), and XENIX also includes bits of BSD. The Santa Cruz Operation (SCO) eventually acquired exclusive rights to XENIX, and that branch of the very, very complicated UNIX family tree essentially died out, losing out to SCO UNIX. But during much of the 1980s Microsoft XENIX from its various OEMs (including IBM) was the most popular UNIX(TM) distribution. (*) The UNIX trademark owner made/makes the final call. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: Any shop use UNIX in a production job?
Charles Mills wrote: >A trivia question: Which of these is UNIX? Windows Server or Linux? Neither. https://www.opengroup.org/openbrand/register/ - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: Free 3270 emulator for Mac OS
Seymour J. Metz wrote: >A few more notes on nomenclature. TN3270 and TN3270E (upper case) >are protocols published by the IETF; programs implementing those >protocols are TN3270 clients, not TN3270 emulators. TN3270 clients >are not 3270 emulators, because they do not support any of the link >protocols that real 3270s do, e.g., BSC, CUT, DFT, SDLC. I disagree with the last sentence, and IBM (among many others) does too, evidently. You'll see "emulator" in the IBM Host On-Demand (HOD) documentation, for example. I don't recall HOD ever communicating via BSC or SDLC. "Emulator" has a different meaning than the word "clone," which is the word you might have been looking for. If you want to be pedantic about it, per Wikipedia "IBM 3270" refers to a family of IBM terminals ("displays"), printers, and controllers (following the IBM 2260 family) that IBM refined and improved over several years. All modern "3270" terminal emulators are necessarily partial emulators in certain respects, but practically all of them exceed the capabilities of the last physical/classic 3270 family of products in certain respects, too. Anyway, if you want to describe various 3270 emulators as "partially" emulating the IBM 3279 (for example), that makes sense to me. However, the word "emulator(s)" is perfectly acceptable and appropriate in this context -- in my view and with broad consensus agreement as far as I can tell. "TN3270 emulator" (or "TN3270E emulator") is confusing and not generally correct. If you're using TN3270(E) protocol then you're probably not emulating it. A TN3270(E) client need not be a 3270 terminal emulator. I think most people would not describe an automated test tool that works via a TN3270(E) connection as a "3270 emulator," for example. They'd probably describe it as a "3270 test(ing) tool." - - - - - - - - - - Timothy Sipples I.T. 
Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: strange python announcement
David Crayford wrote: >Almost certainly Rocket's port of Python with support offered by IBM and >Rocket Software doing L2/L3. Rocket Software is a member of the open source community. If I had written that Statement of Direction I would have phrased it this way: "IBM intends to enable Python on z/OS together with other open source community members." Sometimes certain parts of IBM forget that IBM is among the biggest contributors to open source projects. That's unfortunate here; it's an important fact. Also, I wouldn't have used that "intends to enable" construction. Those points aside, hopefully you get the idea. My views are my own, of course. By the way, you don't have to wait for whatever IBM intends. Rocket Software offers Python for z/OS, and you can also run Python programs within the z/OS Container Extensions. Here are the links: https://www.rocketsoftware.com/zos-open-source https://hub.docker.com/_/python Python.org links to Rocket Software from this page: https://www.python.org/download/other/ - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: ZOA Open Automation Utilities (& Ansible News)
As a followup, I don't think anybody has mentioned yet that a set of Ansible modules and roles is now available to interact with the z/OS Management Facility (z/OSMF) APIs: https://galaxy.ansible.com/ibm/ibm_zos_zosmf This code is called the "IBM z/OS Management Facility (z/OSMF) Ansible collection," and it means that Ansible can drive various z/OS operations and configuration tasks via z/OSMF's RESTful services. As a reminder, the IBM Z Open Automation Utilities (IBM Program No. 5698-PA1) are available now separately -- at no additional charge as I understand it -- if you'd like to grab them from IBM ShopZ. IBM support is available if you'd like to subscribe, but you're not required to do that unless and until you'd like to. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: Mandatory Work From Home at my company
Paul Gilmartin wrote: >Do you mean that VPN clients for mainframe are rare? Tony Thigpen wrote: >I would not even think about a VPN client for the mainframe. Too late, Tony. :-) The base z/OS operating system includes IPSec IKEv2 support. Details are available here (z/OS 2.4 link, subject to change): https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.halz002/security_ipsec_vpn.htm The commercial product SSH Tectia Server for IBM z/OS supports SSH tunneling. There are many VPN clients/servers for Linux on Z and LinuxONE. One of the latest and now fashionable ones is called WireGuard. Installation details are available here: https://www.wireguard.com/install/ Checking the various Linux distributions for IBM Z and LinuxONE, WireGuard is at least available for Ubuntu Linux Server and Debian Linux, probably others too. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: March 18: Exploring z/OS Container Extensions Live Webcast
Live Webcasts are sometimes prone to technical issues, but fortunately the "Exploring z/OS Container Extensions" virtual Meetup worked well with no apparent difficulties and plenty of great questions. Whether you were able to attend live or not, if you'd like to obtain the video recording and/or presentation charts they are now available for download. Please send me an e-mail with the Subject line "Requesting zCX Presentation Access" to get access. Yesterday IBM announced a new 90 day z/OS Container Extensions trial which should be generally available later this month (March, 2020). For more details please refer to the Meetup presentation as well as the IBM announcement: https://www.ibm.com/downloads/cas/US-ENUS220-102-CA/name/US-ENUS220-102-CA.PDF What this announcement really means is that you can run the z/OS Container Extensions (zCX) for up to 90 days if you don't have Feature Code 0104 installed yet on your IBM z14 (or higher model) machine. zCX is already included with your base z/OS 2.4 license at no additional charge, but IBM has worked out a way to get zCX working for a temporary period without the system feature code. The prerequisite for this trial is the PTF for APAR OA58969, so you can obtain and install that PTF when it's available and then (separately) activate the 90 day trial when you're ready. Of course many machines already have FC 0104 installed since it's not unique to zCX, and in that case you can skip the trial and run zCX as long as you want. If you have other topics you'd like to suggest, I welcome your suggestions. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: March 18: Exploring z/OS Container Extensions Live Webcast
Massimo Biancucci wrote: >it would be really appreciated if you'll post a recording of the event. I'll try, but I cannot promise that yet. Peter Farley wrote: >I do see what you saw when I clicked the Attend button, it forces >you to sign up with Meetup to attend the meeting. Your other two choices are to log in with a Google or Facebook account. Be aware of the starting time, though: 10:00 a.m. India Standard Time on March 18, 2020. For example, in New York this'll be starting just a few minutes before James Corden and Seth Meyers go on the air. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
March 18: Exploring z/OS Container Extensions Live Webcast
This month Edward McCarthy and I planned to hold a pair of "Exploring z/OS Container Extensions" Meetups in Mumbai and Bengaluru, but global epidemiological events are forcing certain precautions. Therefore, we'd be delighted if even more people join the new virtual Meetup, live at 10:00 a.m. India Standard Time (04:30 UTC) on Wednesday, March 18, 2020. To find out more, and to enroll, please visit: https://www.meetup.com/IBM-Z-Technical-Community-in-Asia-Pacific/events/267773033 Whether you're in Mumbai, Bengaluru, or almost anywhere else in the world, we hope to see you online with us. Please don't wait until the last moment, though. Enrollments close about 20 hours before the event, and based on past experiences you'll want to test your device and network well ahead of time. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: Question on MQ on the Z/os
Massimo Biancucci wrote: >AFAIK if you're using standard application on zOS (Cobol, PLI etc.) you >need a MQ Server AS up and running on the client lpars. >MQ Server means license and costs. For z/OS specifically, there is no separate MQ "server" or "client" license.(*) It's IBM MQ for z/OS (or IBM MQ Advanced for z/OS) whether you use it for queue managers, as a MQ client(**), or some of both. >The amount of the cost depends on your licensing type. This case zNALC >could be a good option. >Of course you've to ask your IBM representative. Actually, Tailored Fit Pricing is generally the better/best choice if your MQ use in a particular z/OS LPAR is fairly limited. zNALC is usually not too relevant in these circumstances. That said, yes, please do ask your friendly IBM representative. As always, as an occasional reminder, my views are my own, not necessarily those of any corporation, political party, club, association, or flash mob. (*) However, it's now possible to license and run IBM MQ Server for Linux on the z/OS Container Extensions (zCX). zCX is included at no additional charge with the base z/OS 2.4 operating system, and it only requires a suitably configured IBM z14 or higher model machine. My personal view is that, generally speaking, you shouldn't run IBM MQ Server for Linux on zCX -- it doesn't generally make sense since IBM MQ for z/OS and IBM MQ Advanced for z/OS are so wonderful. However, I can think of one notable exception: to implement a MQTT "gateway" directly on z/OS. Currently IBM MQ/MQ Advanced for z/OS don't support MQTT protocol, but IBM MQ Server for Linux does. So you could run your MQTT protocol support within the z/OS Container Extensions via IBM MQ Server for Linux, which is available as a Docker/OCI container. (**) As I mentioned previously, IBM MQ for z/OS supports REST/JSON/HTTPS connections too. 
If you'd like to use the z/OS Client Web Enablement Toolkit, as one example, to connect to IBM MQ for z/OS, that's perfectly fine if it meets your needs. (z/OS Connect Enterprise Edition is another example.) You would then license IBM MQ for z/OS or IBM MQ Advanced for z/OS however you license it, such as via Tailored Fit Pricing. You would not need a separate license for the z/OS Client Web Enablement Toolkit since that's a standard, included feature in the base z/OS operating system, part of your z/OS license. In other words, z/OS can sometimes *functionally* act as a "MQ client" without using anything in IBM MQ for z/OS on the client side. That's allowed, as long as you're licensed as you should be licensed. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: sipp...@sg.ibm.com
Re: Question on MQ on the Z/os
Dennis Longdecker wrote:
>Wondering if anyone here is using MQ Series on the z/os box
>and knows about the licensing?
>If one had MQ on the Z and it was doing all the QMgrs/Queue
>work, do the clients (that aren't QMgrs/Queue) on the other
>boxes need cost/purchase licenses? What I am finding is:
>- The MQ clients are available as support pacs, they are freely
>downloadable.
>- it's covered by an IBM license, they just don't charge for
>it.
>- MQ Client comes with the Websphere MQ Package, it is a
>component.
>- The standard MQ Client is free

Yes, that's correct. IBM MQ for z/OS Version 8.0 and higher(*) includes unlimited IBM MQ client licensing at no additional charge. Download and use as many MQ clients from IBM as you wish.(**) As long as the IBM MQ clients are connecting directly to your licensed IBM MQ queue managers, you're all set.

IBM MQ clients are available for download here:

https://www.ibm.com/support/pages/mqc91-ibm-mq-clients

This particular Web address is subject to change since it includes the MQ release number.

If you are an IBM MQ Advanced for z/OS licensee, then you can enjoy the MQ Advanced client functions, too.

If you need the MQ Client for z/VSE, provided on an "as-is" basis, it's available for download here:

https://www.ibm.com/it-infrastructure/z/zvse-downloads

Also, there is no additional IBM MQ charge when you communicate directly with MQ for z/OS via its REST/JSON/HTTP(S) interface.

(*) In releases of MQ for z/OS prior to Version 8.0 you need to license the "Client Attachment Feature" to get unlimited client licensing.

(**) In "exotic" cases a non-IBM software provider may offer a MQ compatible client. In that case, any charges would be up to that software supplier.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: BMC and Compuware
Richard Pinion wrote:
>WOW, Innovation Data Processing just came under Compuware's umbrella
>on 01/01/2020.
>This reminds me of UCC buying ACF2, and in short order CA bought UCC.

BMC is also acquiring RSM Partners.

KKR, one of the world's largest private equity firms, owns 100% of BMC.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: DFHSM APIs in a multi-vendor world
Kirk Wolf wrote:
>I could deal with some configuration of the pseudo-volser,
>but our product doesn't run under TSO, so a "command"
>interface isn't convenient.

What runtime environment and programming language are you using?

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Glossary (was: ZOA ... Ansible)
Paul Gilmartin wrote:
>Yes, but zFS is too specific, and at risk of change.

Change cuts both/all ways. There's now at least one base z/OS component that uses zFS nontrivially (and requires it) that isn't z/OS UNIX System Services.

How about something like this: "...a zFS or other z/OS UNIX compatible directory/file/path..."? That'd allow for z/OS NFS, HFS (for now, in z/OS releases that provide it), etc. if those are acceptable alternatives. "z/OS UNIX" seems to be an acceptable short form of "z/OS UNIX System Services," so I think that works.

If for some reason the requirement is specific to zFS, then it'd just collapse to "a zFS directory/file/path."

Here's another form, in between those two poles: "...a z/OS UNIX compatible directory/file/path (zFS recommended)..."

Technical writing with clarity is hard, but I think these constructions would be an improvement.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Rolling Z/OS migration
Excellent suggestions. I would add that many organizations seem to have one or more "hardware" people who are supposed to look after the driver (firmware) updates, Coupling Facility configurations and levels (including memory requirements), and Server Time Protocol configurations, as examples. The Upgrade Workflow should include steps that somebody else might need to take to make sure you're ready for z/OS 2.4 (and Parallel Sysplex) in terms of the underlying system characteristics. And one of the many nice things about the Upgrade Workflow is that you can assign steps to different people and cross-check everyone's work.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: ZOA Open Automation Utilities (& Ansible News)
Paul Gilmartin wrote:
>The Installation and Configuration at:
>https://www.ibm.com/support/knowledgecenter/SSKFYE_1.0.1/install.html
>... mentions "a USS directory". What does it use Unformatted System
>Services for? Does someone need to submit an RCF?

That'd be nice. I think it should read: "a zFS directory." I think we can ignore HFS at this point in history, right?

If you're wondering how to get the IBM Z Open Automation Utilities, they're included with any of these three product offerings:

IBM Dependency Based Build for z/OS
IBM Z Open Development
IBM Developer for z/OS Enterprise Edition

So if you have (or get) any of those product packages, you have the Automation Utilities, too.

In related news, the next wave of Red Hat Ansible-related functionality is now available:

https://galaxy.ansible.com/ibm/ibm_zos_core

The Red Hat Ansible Certified Content for IBM Z works with z/OS and the IBM Z Open Automation Utilities to make z/OS a managed node within the Red Hat Ansible Automation Platform. I interpret this code availability as at least partial fulfillment of IBM's Statement of Direction as published in IBM Announcement 219-571 late last year.

You can run Ansible control and/or managed nodes on Linux, including on IBM Z and LinuxONE. I see there's also a Docker/OCI container for Ansible available here:

https://hub.docker.com/r/ibmcom/ansible-s390x

Thus it looks like you can run an Ansible control node in the z/OS Container Extensions (zCX), too.

If you'd like a support agreement for anything Ansible I've just described, please give your friendly Red Hat representative an opportunity to help.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Model9 is now backed by Intel Capital
Gil Peleg wrote:
>In my understanding all the products and offerings you
>listed consider cloud storage as an additional tier on top of tape, while
>Model9 is in a different segment of the storage market where cloud storage
>is considered an alternative to tape and as a means for enabling direct
>access to mainframe data from cloud applications (and all cloud providers
>support storing the data on tape when appropriate).

That's not my understanding. To my knowledge all of the products I listed are physical tape "agnostic." You can have physical tape drives/cartridges on premises or not, per whatever requirements you have.

As for "enabling direct access to mainframe data from cloud applications," I don't think you're providing "direct" access to mainframe data. You're actually facilitating access to time lagged mainframe data (i.e. a replicated copy), with lots of considerations to take into account of course, including security considerations. "Cloud data replication" (and synchronization) is a competitive market segment and definitely not a new one. There are various fundamental, growing concerns and challenges with additional data copies.

To get direct access to *live* mainframe data from cloud applications (which could be running on IBM Z machines too of course) the typical solution pattern involves data virtualization, and that's a competitive market segment, too. IBM Data Virtualization Manager for z/OS is an example of a product squarely in that category. Data virtualization and data replication are not mutually exclusive.

By the way, I should have included z/VSE's VTAPE in my previous list of examples. IBM introduced VTAPE in VSE/ESA 2.6 (generally available on December 14, 2001) and has considerably enhanced it subsequently. It might have even been backported to earlier VSE/ESA releases. VTAPE is available at no additional charge to VSE/ESA and z/VSE licensees. See the relevant links on this page for details:

https://www.ibm.com/it-infrastructure/z/zvse-downloads

There are some z/VSE VTAPE compatible utilities available for z/OS here:

http://www.cbttape.org/awstape.htm

z/VSE VTAPE is interoperable with Encryption Facility for z/VSE and with IBM Spectrum Protect (and its predecessor Tivoli Storage Manager).

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Model9 is now backed by Intel Capital
For the record, this segment of the storage market is quite competitive. Examples of other products and offerings include:

IBM Cloud Tape Connector for z/OS
IBM DS8880/DS8900 and z/OS DFSMShsm Transparent Cloud Tiering
RecoveryPoint z/Archive (which uses the previous one)
Luminex CloudTAPE
Compuware (Innovation Data Processing) CloudVTB
Dell EMC DLm

...and that's very likely not a complete list.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Downsizing? - OPS?
Clark Morris wrote:
>Unless the z system is totally isolated from the
>Internet, staying current on maintenance is a
>necessity.

There are security and other risks with or without "isolation" from the Internet.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Downsizing? - OPS?
I assume you mean Broadcom CA OPS/MVS. Here are some suggestions, in no particular order:

* If you already have NetView, and if your needs are fairly simple or at least amenable to NetView, then that might be enough.

* If you are primarily or exclusively Db2-oriented in what you need, then you may be able to get by with the Administrative Task Scheduler, included with Db2 for z/OS.

* IBM Automation Control for z/OS is essentially a simplified edition of IBM System Automation for z/OS, priced accordingly. IBM Tivoli AF/OPERATOR for z/OS is another possible choice in a similar vein.

* Brian Westerman posts frequently here, and not only can Syzygy help with z/OS and other "version up" work to keep you in a supported configuration (with security patches for example), they also offer a simple automation tool for z/OS.

* This article provides some advice on possible "freebies," such as z/OS Automatic Restart Manager (ARM):

http://www.longpelaexpertise.com.au/ezine/DoWeNeedAutomationSoftware.php

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: 3592-E07
Radoslaw Skorupka wrote:
>To complement and clarify: when using physical tapes (*
>see below) your RPO and RTO may be 36 hours or zero.

No, your RPO certainly won't be zero. A backup is a (hopefully useful) representation of data as it existed historically, at some particular past moment(s) in time. It takes some amount of time to run a backup -- let's call that "minutes or longer" for working purposes. Backups run at periodic intervals -- let's call that "hourly or less often" for working purposes. Your backups, without something else, facilitate a best case RPO that's as long/big as the maximum (worst case) time elapsed since the start of your last good backup. That practically always(*) means a RPO of "a couple hours or more."

A long/big RPO usually holds RTO back too, but there are a few rare exceptions. On the other hand, it's quite possible to have a long/big RTO with a RPO of zero.

(*) Why not "always"? Exotic, contrived exceptions might be possible, such as custom software that synchronizes writes directly to local and remote tape.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Mobile/SMS: +65 8526 7454 or +1 213 222 6397 or +372 5322 0545
Re: 3592-E07
running backups to both (just in case one is offline, somebody forgot to renew the contract, or whatever), using one public provider and one private provider (whatever your larger organization has for cloud object storage, and they likely have something already), using cloud object storage that your DR site operator provides as one of the pools, and so forth.

3. Place one IBM TS7770 -- it could be without physical tape libraries and tape drives -- at your DR site, and run your backups to that remote virtual tape library. That gets your backup data off site right away. This too requires sufficient network connectivity to your DR site, although it isn't quite as demanding as Global Mirror.

There are some variations here, too. For example, some shops effectively run a third "data vault" site. They place one TS7770 across campus in a completely different building, with no machine or disk, and that's the "arms length backup vault." They place another TS7770 at the DR site, the "remote vault." The "arms length" TS7770 then replicates to the "remote" TS7770.

(*) I'm aware that Broadcom (CA), Model9, and possibly Compuware (Innovation Data Processing) also offer software products in this particular market segment, and there might be others I'm not yet aware of.

Timothy Sipples
IT Architect Executive, Digital Asset & Other Industry Solutions, IBM Z & LinuxONE
E-Mail: sipp...@sg.ibm.com
Re: 3592-E07
Dean Nai wrote:
>We have a 3592-E07 and our leasing company is telling us
>the following. Anyone have any thoughts? We really don’t
>have the funding for a mirrored VTS and if it’s not mirrored
>then we lose our DR plan.

How are you set up today? For example, do you simply take periodic backups to physical tape then ship the tapes to your DR site? It's not yet clear to me whether and why you necessarily need a mirrored VTS.

>From leasing company.
>The first item to be withdrawn from service will be the 3592-C07
>at the end of 2020. The C07 is the controller for the tape
>drives and is required for z/OS or z/VM to communicate with the
>3592-E07 drives.
>IBM has no direct attach tape products for z/OS, z/VM or zVSE.

Just to editorialize here, IBM has not offered "direct attach tape products" for those operating systems (or for z/TPF) for a LONG time. There must be a controller in the connection path, either a "smart" or "dumb" one, in order for z/OS, z/VM, z/VSE, and/or z/TPF to use the drives. (Linux is the exception and can work with the drives either way.) IBM maintenance for the last in the line of "dumb" tape controllers, the 3592-C07, is ending at the end of 2020.

>The best option is to go with a VTS and locate a 2nd VTS at your
>DR site with replication between the two sites. There is also the
>option to have an IBM VTS with access to tape drives in a 3584 and
>then send those tapes offsite. To be able to use those tapes for
>DR you would need another IBM VTS at your DR location.

Before suggesting "the" answer, another relevant capability is cloud object storage. There are a couple software products for z/OS that equip z/OS to use cloud object storage -- whether on premises, off premises (public cloud), or both -- as virtual tape. IBM Cloud Tape Connector for z/OS is one such example.

The basic approach with Cloud Tape Connector for z/OS is that you'd run your backups pretty much per normal, but the target(s) would be any cloud object storage that supports IBM Cloud Object Storage S3 protocol, Amazon S3, Hitachi HCP protocol, or EMC Elastic Cloud Service Protocol. These storage pools could be public, private, or both. Storage pools can be backed by any sort of media, including physical tape. Cloud Tape Connector for z/OS can encrypt data before it's saved to cloud object storage, and you really ought to do that.

For example, you might decide to have one private pool of cloud object storage at your DR site and also buy a subscription to IBM Cloud Object Storage as another, duplicate pool. (IBM then further duplicates your data across IBM's multiple sites. Where and how many depends on your subscription.) Then, in a disaster, you'd need to get at least one basic z/OS instance up and running, with Cloud Tape Connector for z/OS fired up, connect to whichever cloud object storage pool has survived and is reachable, restore, and you're back in business to the last good backup point. In a dire emergency the first two steps would typically start from USB media at the HMC these days.

Anyway, that's the "cloud" way to do things, and there's a lot of merit in it. It's also combinable with VTS. For example, perhaps you take backups to both public cloud object storage (encrypted of course) and to remote (DR site) VTS, with no local VTS. There's a lot of flexibility in all of this, including economic flexibility, but I'd like to understand a little more before backing a specific alternative.

--------
Timothy Sipples
IT Architect Executive, Digital Asset & Other Industry Solutions, IBM Z & LinuxONE
E-Mail: sipp...@sg.ibm.com
Re: IBM 3270 Font Available in Various Formats
ITschak wrote:
>mac brew doesn't recognize this package -(

OK, but you're not required to build the "IBM 3270" font from source specifically on macOS. There's also a download link to the prebuilt font files (.ttf, .otf), and you should find they're suitable for immediate use on macOS. Just place the .otf files in your Library/Fonts folder.

----
Timothy Sipples
IT Architect Executive, Digital Asset & Other Industry Solutions, IBM Z & LinuxONE
E-Mail: sipp...@sg.ibm.com
IBM 3270 Font Available in Various Formats
For those of you who'd like an "IBM 3270" font for various purposes, there's one available here:

https://github.com/rbanffy/3270font

Please check the license agreement:

https://github.com/rbanffy/3270font/blob/master/LICENSE.txt

Maybe this'll be a popular font for commands and code samples in future SHARE, GSE, and other presentations? :-)

--------
Timothy Sipples
IT Architect Executive, Digital Asset & Other Industry Solutions, IBM Z & LinuxONE
E-Mail: sipp...@sg.ibm.com