Re: Code to verify LOGON password

2021-01-11 Thread Timothy Sipples
Radoslaw Skorupka wrote:
>That's what we call brute force attack.
>There is no way to protect against it ...or maybe there are some
>things to help.
>1. Do not give your RACF db to hackers. Never.
>2. Enforce periodic password change.
>3. Use KDFAES.
>4. Use passphrases.

Here are some more examples for your list:

5. Don't grant overly generous permissions. Revoke permissions faithfully 
and promptly when required.

6. IBM Z Multi-Factor Authentication.

7. Use excellent data access management and Security Information and Event 
Management (SIEM) solutions.

8. "Stay sharp." Invest in talented security professionals, including in 
their ongoing skills development. Hire other talented security people to 
conduct periodic audits.

9. Stay at least reasonably current with software releases, including z/OS 
releases. Have and follow a reasonable preventive maintenance plan, 
including for security and integrity updates.

10. Use strong, properly implemented network encryption so that 
credentials aren't flying across any LAN or WAN in cleartext. z/OS 
Encryption Readiness Technology (zERT), a standard feature included with 
the base z/OS operating system starting with z/OS 2.3, can help identify 
gaps.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Anyone using IBM Cloud Tape Connector?

2021-01-10 Thread Timothy Sipples
Brian Westerman asks:
>Is anyone using IBM's Cloud Tape Connector product that can tell me
>about the software requirements for it?  Is it just the product that
>needs to be licensed under z/OS, or do you need to license some "other"
>stuff as well?

I can answer the licensing questions unofficially, i.e. based on my best 
understanding. In the hopefully unlikely event IBM officially communicates 
something at odds with what I'm writing, of course that'd be controlling.

IBM Cloud Tape Connector for z/OS does not have any particular software 
product prerequisites or co-requisites except the base z/OS operating 
system. Reference:

https://www.ibm.com/support/knowledgecenter/en/SS6GQC_2.1.0/concepts/cuzucon_requirements.html

As a practical matter you'll need a SAF-compatible security manager. The 
z/OS Security Server (RACF) is my favorite, but there are at least three 
choices. You're highly likely to need some cloud object storage targets, 
on and/or off premises, which may have their own licensing or subscription 
requirements. However, there are sometimes free tiers available. IBM Cloud 
Object Storage, for example, offers a free "Lite" tier that could serve as 
a test target at least.

https://www.ibm.com/cloud/object-storage/pricing

You can license IBM Cloud Tape Connector for z/OS either separately (IBM 
Program No. 5698-ABM) or as part of the IBM Advanced Storage Management 
Suite for z/OS (5698-AAJ). License quantities are based on Value Unit 
Exhibit 007 (VUE007). It's z/OS-based subcapacity licensing eligible, 
including Tailored Fit Pricing eligible. On/Off Capacity On Demand (CoD) 
licensing is also available. If you'd like me to elaborate on any of these 
parts, just ask.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Code to verify LOGON password

2021-01-10 Thread Timothy Sipples
Sam Golob asked:
>Does anyone have user-written code for RACF, so that if the user
>types in a password, the code will verify if it is the user's actual
>LOGON password?

Here's a pedantic point: RACF doesn't actually know what the user's 
password is -- thank goodness. RACF can only determine whether a 
particular password or passphrase string mathematically corresponds to the 
hashed value (derived from previous input) that RACF stores. True, good 
hashing functions minimize collisions, and RACF uses good hashing 
functions.

I echo the other poster's cautions.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
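
The point made in this message, together with the KDFAES and passphrase items in the 2021-01-11 reply earlier on this page, as an added example that is not part of either post and is not RACF code. PBKDF2-HMAC-SHA256 stands in for the key derivation function (it is not the KDFAES algorithm), and the record layout, the 39-symbol alphabet and the sample strings are assumptions made for illustration.

```python
"""Added illustration: checking a candidate against a stored verifier.

PBKDF2-HMAC-SHA256 is a stand-in KDF, NOT RACF's KDFAES, and the record
layout below is hypothetical. The stored record never contains the password.
"""
import hashlib
import hmac
import os
import time

ALPHABET = 39            # assumed symbol count, for the estimate only
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def enroll(password, iterations=200_000, salt=None):
    """Build the record a security manager would keep for one user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations)
    # Only the salt, the work factor and the derived value are stored.
    return {"salt": salt, "iterations": iterations, "verifier": digest}


def verify(candidate, record):
    """Re-derive from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"),
        record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["verifier"])


def guesses_per_second(record, samples=5):
    """Measure how many candidate checks this machine manages per second.

    This is the figure the work factor is meant to push down for anyone
    who obtains a copy of the stored records.
    """
    start = time.perf_counter()
    for i in range(samples):
        verify("probe-%d" % i, record)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def years_to_exhaust(alphabet_size, length, rate):
    """Worst-case years to try every string of exactly `length` symbols."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    phrase = "CONSTRUCTED-SAMPLE-PHRASE"      # constructed sample input
    record = enroll(phrase)
    print("stored fields:", sorted(record))
    print("right phrase :", verify(phrase, record))
    print("wrong phrase :", verify(phrase.lower(), record))

    rate = guesses_per_second(record)
    for label, length in (("8-character password", 8),
                          ("14-character passphrase", 14)):
        years = years_to_exhaust(ALPHABET, length, rate)
        print(f"{label}: {years:.3g} years at {rate:.0f} guesses/s")
```
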



Re: ZFS using zEDC hardware compression

2021-01-10 Thread Timothy Sipples
Richard Pinion asked:
>Can a ZFS dataset be defined with the DATACLAS zEDC compression
>option?
Then later added:
>We're at z/OS 2.2, hoping to go to 2.4 soon, so zfsadm compress
>isn't available.

IBM introduced zEDC compression (and encryption) for zFS in z/OS 2.3. When 
you get upgraded to at least z/OS 2.3, including for all shared zFSes 
across a Sysplex, your new zFS file systems can default to compression at 
format time, still with the possibility to override the default. Here's 
the z/OS 2.4 documentation explaining how to do that via the IOEFSPRM 
configuration option:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.ioea700/compress_always.htm

If you can default to encrypted as well (format_encryption=on), even 
better.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: SMC-D connectivity between a z/OS LPAR and a z/VM guest running Linux?

2020-12-10 Thread Timothy Sipples
Attila Fogarasi:
>Do you have a specific problem or question?  Remember that SMC-D is TCP
>only, so you still need Hipersockets for UDP.

Or something else that can (also) handle UDP I suppose, but a HiperSocket 
connection is a popular pairing.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Security and z/OS open source tools

2020-12-10 Thread Timothy Sipples
Frank Swarbrick wrote:
>He came back with the following: "My question is how do
>we approve, track and secure the open source code we are
>putting on z/OS?"

The basic answer: how do we approve, track and secure the [open source](*) 
code we put on other operating systems? The other code(*) we put on z/OS? 
Probably we should do much the same, at least to the extent it's sensible 
and reasonable.

As it happens, the base z/OS operating system includes quite a bit of open 
source code.

(*) Does it matter that it's open source? Aren't approving, tracking, and 
securing objectives common to all code?

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Preparing for a short z/OS contract

2020-11-29 Thread Timothy Sipples
Rupert Reynolds wrote:
>Thinking further, I now remember that their only debugger was TSO TEST! I
>wrote a mixture of Rexx and CLIST commands to extend it a bit (show regs
>and disassemble the next instruction, every breakpoint).
>
>Is there anything more /modern/ that's given away with z/OS?

Steve Thompson wrote:
>TSO TEST is all that comes free with the system.

z/OS also includes dbx, described here (z/OS 2.4 link, subject to change, 
watch the wrap):

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.bpxa500/bpxa50021.htm


The very first release of OS/390 (generally available on March 29, 1996, 
per IBM Announcement Letter 296-018) included an earlier version of dbx, 
so dbx will very soon reach a full quarter century of history in the base 
operating system. dbx also had a short, earlier history as a separately 
chargeable OpenEdition MVS option ("OpenEdition Debugger feature"). Do try 
to keep up, please. :-)

According to Wikipedia, dbx's original developer was Mark Linton at the 
University of California, Berkeley. He wrote dbx in the period 1981 to 
1984, and then it percolated through the BSD ecosystem. TSO TEST first 
appeared no later than 1972, so dbx is about a decade younger. Whether dbx 
is more "modern" is a separate question. :-)

Another debugger, IBM z/OS Debugger, is the successor to the IBM 
Integrated Debugger and IBM Debug Tool. There are lots of IBM software 
products that include IBM z/OS Debugger -- 6 if I'm counting correctly -- 
so it's possible or even likely you already have a license. Of course if 
you don't have a license it's possible to acquire one.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Improve OMVS cp performance?

2020-11-16 Thread Timothy Sipples
Mike Schwab wrote:
>You have to remember that S/360 was the first 8 bit computer.
>[]
>Sorry.  First computer to use 8 bits per character.

I see others have cited the IBM 7030 and Telefunken TR 4 as examples of 
early computers that used (or at least were explicitly engineered to use) 
8 bit character encoding. However, as far as I can tell both of those 
machines were word addressable machines, and their word sizes were 
different and much larger than their character sizes. Was there any 
pre-System/360 example of a computer that stored characters in 8 bits 
*and* offered 8 bit memory addressing? (Or 6 and 6, or 7 and 7?) For that 
matter, are there any still extant digital computer processors that (only) 
have word addressable memory and don't have 8 bit byte addressable memory?

History evidently judges that particular System/360 design decision as 
wise or at least not unwise.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Checksum/Md5 file

2020-10-20 Thread Timothy Sipples
Paul Gilmartin wrote:
>I thought I was being disingenuous after Bill Godfrey's plaint,
>"just a sandbox". But why is there RACF entanglement?

I'm not sure what you're referring to exactly, but you can certainly run 
ICSF without RACF. You can also license base z/OS (which includes ICSF) 
without the z/OS Security Server (which includes RACF) if you wish. I 
think RACF requires ICSF, or at least often could, but ICSF does not 
require RACF.

>Accommodation to French law which (formerly?) harshly prohibits
>encryption? (I suspect ROT13 is proscribed.) How does that law
>accommodate HTTPS?

I'm by no means an expert on French law. However, it took me about 30 
seconds to figure out that France liberalized encryption-related law in 
2004.

>Are there C header files for APIs to these?

Yes, ICSF offers C interfaces. One option is to use the CKM_MD5 message 
digesting function via ICSF's PKCS #11 interface. Here's an entry point 
into the applicable documentation (current link for z/OS 2.4, subject to 
change):

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.csfba00/capi.htm


- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Checksum/Md5 file

2020-10-19 Thread Timothy Sipples
Paul Gilmartin asked:
>(But is ICSF separately priced with no provision for free trial?)

No. The z/OS Integrated Cryptographic Service Facility (ICSF) is part of 
the z/OS Cryptographic Services, a base element of the z/OS operating 
system. There's no additional charge for ICSF; it's included with your 
z/OS base operating system license.

References:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.e0zb100/baseel.htm

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.4.0/com.ibm.zos.v2r4.csf/csf.htm

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



"Awesome Free Stuff for Your Mainframe" on 2020-10-16 at 04:00 UTC

2020-10-13 Thread Timothy Sipples
You're most welcome to join the "Awesome Free Stuff for Your Mainframe" 
Webcast that I'm hosting live at 04:00 UTC (12 noon Singapore Time) on 
Friday, October 16, 2020. To join the party, please register here:

https://bit.ly/35JtcoA

If this time is impossible because you'll be asleep or otherwise occupied, 
that's OK. My understanding is that if you register you should still 
receive a link to view a recording.

There are a couple people on this list who are directly participating in 
this Webcast, and I'd especially like to thank you along with the many 
contributors. We'll have some light, quick demonstrations of various 
freebies, and I'll also open the floor to live audience questions (typed 
via a chat box).

It was more difficult than I expected to choose the freebies to highlight 
since there's so much great stuff. However, I think I've come up with a 
reasonably broad and now current freebies list, and I'll publish it 
shortly before the Webcast at the IBM Z and LinuxONE Community Web site.

Thanks again.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Working link for current 3270 Data Stream

2020-09-28 Thread Timothy Sipples
Shmuel Metz asked:
>Will wiki accept BookManager format as accessible?

Wikipedia's citations guide explains how you can cite practically 
anything, including (for example) a parchment document that only exists in 
physical form in a rare book library. Here's the link again for your 
reference:

https://en.wikipedia.org/wiki/Wikipedia:Citing_sources

Most probably you would use the book citation template with the type, 
format, and a few other parameters. The type parameter would likely be IBM 
BookManager electronic document, and the format parameter would be BOO. 
Details are available here:

https://en.wikipedia.org/wiki/Template:Cite_book
https://en.wikipedia.org/wiki/Template:Cite_book/TemplateData

The sum total of human knowledge consists of more than what exists in HTML 
and PDF. Wikipedia's citation standards reflect this reality.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Working link for current 3270 Data Stream

2020-09-27 Thread Timothy Sipples
Shmuel Metz wrote:
>I need something that I can use as a citation on wiki;
>either a link that renders the manual or a link that
>downloads the PDF.

If you mean Wikipedia, I don't think you do. There are generally accepted 
and approved ways to cite the IBM publication number (and section and/or 
page number reference, for example) then include a link to the site to 
obtain that publication. Wikipedia explains its citation policies and 
practices here:

https://en.wikipedia.org/wiki/Wikipedia:Citing_sources

Joe Monk provided the link to the specific IBM Web page where you can 
download that publication in BookManager format. In a Wikipedia-style 
citation you would likely note that detail, assuming you test it. ("IBM 
BookManager electronic publication format, retrieved and viewed with IBM 
Softcopy Reader on date-X.") BookManager has a Wikipedia entry available 
for linking here:

https://en.wikipedia.org/wiki/SCRIPT_(markup)#Bookmanager

And IBM Softcopy Reader has an external link here:

http://www-01.ibm.com/support/docview.wss?rs=4=swg27018849

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Ransoming a mainframe disk farm

2020-09-08 Thread Timothy Sipples
kekronbekron wrote:
>Thank you Tim, would you be able to share any info about #2
>here.. ?

Yes, let's start with this important announcement:

https://www.ibm.com/downloads/cas/US-ENUS220-037-CA/name/US-ENUS220-037-CA.PDF

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Ransoming a mainframe disk farm

2020-09-07 Thread Timothy Sipples
Kekronbekron wrote:
>Thinking about it ... it would be far simpler (than anti-ransomware
>capability in storage, or lock-all behaviour) if there were a RACF
>HealthChecker that looks for abnormal enc/dec activity. What 'normal'
>is can be learnt from a year's worth of actual enc/dec-related SMF
>data.

There are tools with capabilities like the ones you're describing.

I have a couple comments:

1. There are some excellent ransomware (and similar non-ransomware 
disaster scenario) defenses available based on "out of band" controls and 
lockouts. IBM DS8000 SafeGuarded Copy is one such example, a really 
important one that's the foundation for some other valuable resiliency 
capabilities. However, I have worked with some organizations that still 
(also) want to maintain total physical and electronic (wired, wireless) 
separation for certain data. You can achieve total separation in a few 
ways, such as physical tape cartridges (usually WORM, preferably 
encrypted) ejected from tape libraries and vaulted "afar." Of course the 
costs include elongated Recovery Point Objectives (RPOs) and Recovery Time 
Objectives (RTOs), but in some cases the costs are tolerable or at least 
tolerated.

You cannot really keep data completely, absolutely separate if you care 
about retrieving it. You can only maintain separation with at least one 
adjective added, such as "physically and electronically separate storage 
media," which is not the same as "storage media separated from all 
possible human contact." The Voyager space probes, I think it's fair to 
say, will "never" be vulnerable to human contact. They contain tape drives 
and tape media, and they are currently electronically connected via NASA's 
Deep Space Network.

Anyway, it depends on what you're trying to accomplish, but lots of 
options are available, not necessarily mutually exclusive.

2. If you need secure software build and deployment processes (yes, you 
do), I suggest contacting my employer. IBM has some super exciting new 
capabilities in this area, very cutting edge. They're grounded in 
mainframe technologies, whether in your data center, in the public cloud, 
or both. Mainframes often pioneer new capabilities that didn't exist in 
the entire industry. Here, too, that's what's happening.

Ransomware is one clearcut demonstration that it doesn't particularly 
matter how terrific your data-focused defenses are if you have compromised 
applications, for it's applications -- program code -- that process(es) 
data. So you've got to approach security challenges holistically.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: TLS 1.3 in z/OS 2.3?

2020-09-04 Thread Timothy Sipples
Dave Gibney wrote:
>Over on CICS-L, I was told that TLS 2.3 requires z/OS 2.4.
>Is this true? Any prospect of an implementing PTF?

To my knowledge TLS 1.3 support was not backported to z/OS 2.3 System SSL, 
and I'm not aware of any plans to do so. Of course you can ask:

https://www.ibm.com/developerworks/rfe/

Hypothetically you could run another software implementation of TLS 1.3 
directly on z/OS 2.3 as a possible stopgap measure until you can upgrade 
to z/OS 2.4. For example, I think it might be possible to compile and run 
the Squid proxy server on z/OS if you're looking specifically for HTTPS 
with TLS 1.3. There are scattered reports, including one from IBM many 
years ago, that it's possible. Squid supports TLS 1.3 according to the 
documentation I found. The performance might not be wonderful, but it 
looks technically viable. Squid's source code and documentation are 
available here:

http://www.squid-cache.org

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3

2020-09-04 Thread Timothy Sipples
I don't think you're going to be able to "hack in" support for higher TLS 
levels. I think you've got a couple near-term options, not necessarily 
mutually exclusive:

A. Place one or a couple newer release CICS regions on the "front side" to 
handle the network connectivity, and connect them to your existing CICS TS 
3.1 regions until you can get your CICS TS 3.1 regions upgraded. As I 
write this, CICS TS Version 5.6 is the latest generally available release, 
and it is compatible with your currently installed z/OS release. Broadly, 
generally speaking this means upgrading some or all of the CICS "Terminal 
Owning Regions" ("TORs") while leaving "Application Owning Regions" 
("AORs") temporarily backlevel if you must. The exact details depend on 
your particular CICS deployment.

If you're using CICS's own TLS support, that's currently up to TLS 1.2. 
CICS TS Version 5.1 is the first CICS release that added TLS 1.1 and TLS 
1.2, but I cannot think of any reason why you'd pick something prior to 
the current release in this role. IBM ended Single Version Charge (SVC) 
restrictions in 2017, so there should be no additional charge to run both 
(or multiple) CICS releases as long as you need to. Check with "your 
friendly IBM representative" if there's any doubt.

B. Configure z/OS AT-TLS to handle the connections while CICS TS 3.1 
blithely assumes that the connections are unencrypted. The documentation 
for newer CICS TS releases includes some information on migrating from 
CICS TLS to z/OS AT-TLS, and probably that information will be reasonably 
useful if you attempt the same with CICS TS 3.1.

Please note that z/OS 2.3 AT-TLS supports up to TLS 1.2. For TLS 1.3 
you'll need z/OS 2.4 AT-TLS, and z/OS 2.4 AT-TLS is currently the only 
official/supported way to get TLS 1.3 with CICS TS. IBM's published 
benchmarks suggest that z/OS AT-TLS is slightly more efficient than 
CICS-configured TLS, but results may vary.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



IBM Z Day: September 14-15, 2020

2020-09-02 Thread Timothy Sipples
IBM is sponsoring a bigger and grander "IBM Z Day" this year, so big/grand 
that the live sessions are running for a full 24 hours of binge viewing in 
multiple tracks, so there's way more than 24 hours of live content to 
choose from. IBM Z Day is free, and for the first time there are some 
technical and discussion sessions conducted in languages other than 
English. If you're looking for a session in Italian, German, Spanish, 
Mandarin Chinese, Portuguese, Turkish, or Urdu, c'è almeno una sessione 
per Lei (there's at least one session for you). Presenters and speakers 
are from various organizations, not just IBM. Examples include Canonical, 
Allstate, The Linux Foundation, Kredi Kayıt Bürosu, DATEV, Rocket 
Software, SUSE, Sogei S.P.A., Liber Health (Pakistan), Duke University, 
BMC, Singapore Management University, code.org, and many more.

IBM Z Day starts at 4:00 p.m. New York time (20:00 UTC) on September 14, 
2020, with the "Master the Mainframe" and "Student Journey" tracks. Live 
sessions are scheduled throughout the 24 hour day beginning at that time. 
For more information and to sign up, please visit:

https://www.ibm.com/community/z/community-day-2020/

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



New Redbook: "IBM z/OS Container Extensions Use Cases"

2020-09-02 Thread Timothy Sipples
It's still in draft form at the moment:

http://www.redbooks.ibm.com/Redbooks.nsf/RedpieceAbstracts/sg248471.html

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Architectural Level Sets

2020-09-02 Thread Timothy Sipples
IBM's brief flirtation with extended real addressing (26-bit addressing) 
in the IBM 3033, 3081, and a few models thereafter was quirky. IBM pretty 
quickly dropped extended real addressing once XA debuted.

Back to Tony's original question, I think an "Architectural Level Set" is 
difficult to define in practical terms because there are different real 
world ALSes. I suppose one could argue that there are effectively z/VM, 
Db2 for z/OS, z/OS, Linux, z/VSE, and compiler ALSes, as notable examples. 
For example, z/VM 7.2, planned for release this month (September, 2020), 
declared a new ALS which is manifested/instantiated in IBM z13 and higher 
models, including all IBM LinuxONE models. Red Hat Enterprise Linux 8.x 
and Ubuntu 20.04 LTS have the same minimum model requirements as z/VM 7.2, 
although I don't think Red Hat or Canonical use the ALS term of art.

ALS is not a meaningless term, though. It simply refers to a particular 
collection of minimum capabilities that can be technically manifested (in 
principle anyway) by particular server models at or above particular 
microcode levels. (Sometimes that last detail matters.) "Server models" 
can sometimes include non-physical ones. It's not a term I use very often, 
though.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Dovetail/Kirk Wolf?

2020-09-02 Thread Timothy Sipples
It's terrific that Dovetailed is making this offer, and it's terrific to 
have Tomcat available and supported on z/OS.

If the particular appeal of Tomcat is "it's free," you've got at least a 
couple alternatives that also are:

1. If you already have CICS Transaction Server Version 5.x, then you 
already have CICS Liberty at no additional charge, with IBM Support if 
you're running a supported CICS release. This "flavor" of Liberty features 
extensive z/OS and CICS exploitation which you can choose to use or not 
use, selectively.

2. If you don't already have CICS TS Version 5.x, you can still download 
and run Open Liberty on z/OS (and on other platforms):

https://openliberty.io

Open Liberty is explicitly, routinely IBM tested on z/OS, but it does not 
*particularly* exploit z/OS unique features. Open Liberty support is 
optionally available from IBM for a fee.

It depends on what you're trying to accomplish, really. For example, if 
you're a software vendor or distributor and need a Java Enterprise Edition 
runtime for your product, but if you cannot assume that your end customer 
has a CICS TS or WebSphere Application Server for z/OS license (or even 
z/OS necessarily), then shipping your product assuming an Open Liberty 
base, with the option to install it on CICS Liberty or WebSphere Liberty, 
is likely a really terrific approach all around. Or, if you specifically 
need or prefer Tomcat, OK, that option is available, too. Then Dovetailed 
has you covered if/when you need support. They don't live on bread alone, 
and bread is not free either.

I'll point out again that every z/OS licensee -- even the ones without 
RACF (the z/OS Security Server license) -- has the IBM Directory Server 
for z/OS. This is a fully IBM supported LDAP server, and one of its 
configurable features is that it supports authentication with your chosen 
SAF-enabled security manager. So if your Java application "speaks" LDAP, 
it can also automatically "speak" RACF (or ACF2 or TopSecret) via the IBM 
Directory Server for z/OS. That's regardless of runtime or even platform. 
On the other hand, especially (but not only) if you want a directly 
SAF-enabled JEE runtime, it's really best to pay *someone* something for 
ongoing support, if you care about maintaining at least reasonable 
security anyway. Tomcat had a now well publicized security vulnerability 
that was open for about 13 years called "Ghostcat." That's not good, but 
it's really not good if you don't have a support vendor by your side to 
close such vulnerabilities promptly in your chosen environments.

Anyway, bottom line: keep Kirk (and Katherine, Karen, and Klaus) fed, OK? 
Support is worth paying for if you depend on the software, and you usually 
do.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: setting up CSSMTP to use TLS-SSL

2020-09-02 Thread Timothy Sipples
Brian Westerman asked:
>So does this all mean that (currently) no one on the list
>uses TLS-SSL to forward their mail from CSSMTP to the
>target mail server?

I see "Yes, we use TLS" replies have overtaken this question. That said, I 
assume you wouldn't want and don't expect anyone in an open forum to 
confess to having an open, potential security exposure...that they're 
quickly closing right now.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: (yet another) problem with zcx container

2020-08-26 Thread Timothy Sipples
Gord Tomlin wrote:
>AFAICT the sole reason for the (paid) hardware feature is to provide
>entitlement.
>My guess as to why they require this feature is that you can run a lot
>of FOSS products in zCX that offer similar function to IBM products.
>Unfettered free use of zCX could be very costly to IBM.

That's a bad guess.(*) To the extent you can do that, you can already 
(also) do that without zCX. Moreover, z/OS isn't Feature Code 0104's only 
beneficiary. For that matter, Feature Code 0104 ("Container Hosting 
Foundation") is also available for IBM LinuxONE II and LinuxONE III 
machines, and z/OS isn't.

(*) And backwards, ironically.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Mainframe Multi factor authentication possibilities

2020-08-26 Thread Timothy Sipples
Jared Hunter wrote:
>The goal of multi-factor authentication is to strengthen the link
>between a human being and the actions taken by a logical account
>(because a logical account is what the SAF-implementing ESM is
>capable of authorizing and auditing).  Sharing a single (or few)
>logical accounts across many human beings is an anti-pattern that
>is incompatible with that goal.

I agree it's an anti-pattern, but occasionally anti-patterns are useful.

One scenario that comes to mind is when the system (such as the ESM 
itself) must provide typically partial read-only access to a team of 
authorized auditors/inspectors, but the ESM (and the other people who 
manage it) must not have any awareness of precisely which auditor or 
inspector took a look lest that person be subject to possible retaliation 
for an adverse finding.

Another, similar scenario is a reporting system that accepts anonymous but 
still controlled submissions, for whistleblowers to submit tips (sexual 
harassment and other improprieties, suspected fraud, etc.) In such cases 
you'd want to make sure the report comes from within an authorized 
community (e.g. "intelligence officers"), but ideally you don't want even 
any technical ability to trace it to a particular individual.

Voting systems might also fall in this general category.

On the other hand, you might argue that these scenarios and others like 
them don't really involve 2FA or MFA as such, and you might be right. 
There still ought to be reasonable security solutions for these use cases.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Mainframe Multi factor authentication possibilities

2020-08-26 Thread Timothy Sipples
The first factor doesn't seem like it'd help distinguish between users 
since you're sharing it. What type of second factor(s) do you plan to use?

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Anyone Using MVS Bulk Data Transfer (File-to-File)?

2020-08-20 Thread Timothy Sipples
Ed Jaffe wrote:
>I didn't specify whether I was referring to the BDT SNA/NJE function
>or the BDT File-to-File function.

Clark Morris wrote:
>I think that IBM dead ended and stopped support of the File-to-file
>and all other non-JES3 related functions at least 18 years ago.

Ed Jaffe wrote:
>That's the kind of information I'm looking for, but can find no
>announcement or other reference to suggest this product isn't
>anything but 100% fully supported and fully operational.

Skip Robinson wrote:
>We considered using BDT many moons ago. NDM was the hands-down winner.
>However, BDT still appears to be supported. Still required for JES3 SNA,
>I believe.

Ed and Skip are correct. In fact, the z/OS Bulk Data Transfer (BDT) 
products are not only IBM supported but also IBM marketed. No End of 
Service date, no End of Marketing date. The 2019 z/OS 2.4 announcement 
letter included the BDT products:

https://www.ibm.com/downloads/cas/US-ENUS219-344-CA/name/US-ENUS219-344-CA.PDF

Scroll down and you'll see BDT FTF (File-to-File) listed with the 
entitlement identifier S01728V and BDT SNA NJE with the entitlement 
identifier S01728W. That means they're available for ordering even to new 
z/OS licensees.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: zCX Issues

2020-08-18 Thread Timothy Sipples
You're probably getting that error message because Docker cannot validate 
the (public) TLS server certificate when trying to establish the HTTPS 
connection to your private registry. If that's the problem, to fix it 
you'll need to get the public server certificate, add it to your z/OS 
Container Extensions configuration (via the z/OSMF workflow), then restart 
your zCX instance(s).

If I'm correct, just follow the instructions in the redbook:

http://www.redbooks.ibm.com/redbooks/pdfs/sg248457.pdf

The private registry section is Chapter 6. Refer to Section 6.5, and 
particularly page 122 step 2(b), for the z/OSMF steps. Also please take 
note of the note at the top of page 123. Much of the rest of Chapter 6 is 
also likely helpful.

If you've tried all that already, please post a follow-up. You should also 
be able to open a problem incident (PMR) with IBM z/OS Support if you 
suspect a defect.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Name those boxes

2020-08-18 Thread Timothy Sipples
For a real challenge, try figuring out the original manufacturer(s) and 
model(s) of the chair, desk, cabinet, and floor tiles. :-)

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: cURL and security

2020-07-26 Thread Timothy Sipples
Luke Wilby wrote (aggregating previous posts):
>I'm wondering if anyone is using cURL on z/OS in a
>production setting?
>I'm interested how to utilise cURL when the target
>URL requires authentication.
>We can't use Basic Auth because we are not able to
>store usernames and password in scripts or batch jobs.
>We can't easily use certificates because our users on
>z/OS do not have certificates and our Windows based
>corporate certificate management doesn't allow users
>access to the private keys of their Windows certificates.
>The cURL targets require client authentication.
>The cURL targets live on z/OS (z/OS Connect, zOSMF, DB2,
>etc)
>The clients may be TSO users, batch jobs, Windows, Mac or
>Linux clients. The batch jobs may run under userids that
>do not have passwords.
>We cannot store passwords anywhere. No scripts, no files.
>Our z/OS users generally don't have certificates or keyrings.
>Our servers do (DB2, z/OS Connect, zOSMF, etc).
>My clients need to authenticate to the server. The server
>then needs to perform authorization checks.
>It's the authentication part that we need to sort out.
>Our company's internal certificate management is done on
>Windows. Our Windows clients have personal certificates,
>installed by our Windows team. They don't have access to
>the private keys.
>Our z/OS clients don't have certificates and even if they
>did, they would come from the Windows team and our clients
>wouldn't have access to the private keys to issue the cURL
>call.

David Crayford wrote:
>Use tokens
>
>https://developer.atlassian.com/cloud/jira/platform/basic-auth-for-rest-apis/

This suggestion makes a lot of sense, agreed. For example, the z/OS 
Connect Enterprise Edition documentation explains more about these options 
here:

https://www.ibm.com/support/knowledgecenter/SS4SVW_3.0.0/securing/security_overview.html

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Encrypting z/OS SNMP traps to Windows SNMP server

2020-07-24 Thread Timothy Sipples
Attila Fogarasi wrote:
>CA Common Services supports SNMPv3 with DES encryption and SHA-5 and
>MD5 authentication, hopefully that works with your Solar Winds Orion
>server.

Even if the target server currently supports DES, I don't recommend this 
idea. It's entirely possible, even likely, that the next release update 
will disable support for DES. It'd be a very short-term solution at best.

Are there any other encryption and hashing algorithms that CA Common 
Services SNMPv3 supports? For example, is it possible to configure CA 
Common Services to use whatever z/OS System SSL supports?

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Sending email from the Mainframe

2020-07-24 Thread Timothy Sipples
Grant Taylor asks:
>What happens to email if CSSMTP (AT-TLS) is configured
>to *require* encryption and the receiving system doesn't
>support encryption?

Fundamentally the same thing(s) that happen when the network connection is 
down or too slow (times out), for whatever reasons. Network encryption is 
part and parcel of the network path. This class of failures must already 
be catered for. In this case, Len Sasso's organization is mandating TLS 
1.2+, and I agree with Shmuel Metz who wrote:
>If management has decreed that all SMTP traffic be encrypted,
>then barring a configuration error the relay will accept
>encrypted traffic.

Moreover, it's entirely possible that your attitude would only increase 
relay administrators' burdens, the people who currently have to manage, 
support, monitor, and audit the e-mail traffic from the one and only 
system still transmitting over an unencrypted connection, a connection 
modality they'd very much like to retire as quickly as possible. You know, 
that "old, obsolete mainframe" that you're actively arguing should 
actually be as old and obsolete as you can possibly force it to be. (TLS 
is *really* not new.) Or it's entirely possible that the relay 
administrators aren't inclined or equipped to provide even mediocre 
service levels for unencrypted connections, or even that there's a lone 
dedicated relay gathering dust in a wiring closet somewhere to support 
this one unencrypted connection, a relay that nobody left in the 
organization even understands or really knows about, that isn't backed up 
or DR protected, that still runs on a 10 Mbps Ethernet segment that 
miraculously hasn't been disconnected yet. Hence the unencrypted 
connection is MORE prone to failure, not less. All very possible, even 
predictable and likely. And I haven't even gotten to the regulatory issues 
and penalties.

Conceivably you could also reduce or eliminate your personal security 
authentication failure planning and handling (hopefully automated) 
responsibilities if you effectively disable your SAF security provider, 
such as RACF. Then those few pesky authentication and authorization 
rejections wouldn't occur, and everyone could just go to the pub and stay 
there (or whatever). That's the logical consequence of your argument, 
isn't it? I don't think you've got a strong argument.

Sorry to be blunt here, but I feel compelled to offer my personal view (as 
always). My colleagues (and I mean that word expansively, in and out of 
IBM) work really hard to deliver and support truly cutting edge 
capabilities, including downright amazing security capabilities, in/for 
this unique and indispensable platform. And this community, overall, often 
works really hard to put these capabilities into practice, in many cases 
literally to keep civilization functioning. Then there are a few people 
who manage a few of these systems, and...well, let's all strive to do 
better, OK?

[Why am I expecting a minor Twitter storm now? :-)]

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Sending email from the Mainframe

2020-07-23 Thread Timothy Sipples
Grant Taylor wrote:
>That means that z/OS's CSSMTP will be near or on par with other SMTP
>servers and related problems securing SMTP traffic.  Most of which have
>to do with the capabilities of the receiving SMTP server, which is
>outside of CSSMTP's control.

First of all, here's what Len Sasso wrote:
>All our messages must implement TLS 1.2 or higher for
>transport level encryption.

I don't know why you're questioning Len's expressed *requirement*. And 
(don't worry, Len!) it's a very, very reasonable requirement in the year 
2020 and beyond. For that matter it was a reasonable requirement 20+ years 
ago, too.

Then there's this fact, which Lionel Dyck kindly pointed out:
>CSSMTP is a send only SMTP service - it does not receive anything.

Exactly. This is about getting TLS 1.2+ encryption enabled from z/OS at 
least as far as the next hop. CSSMTP alone doesn't provide a return 
mailbox.

According to Google's latest Transparency Report, available here:

https://transparencyreport.google.com/safer-email/overview?hl=en

93% of outgoing e-mail from Google and 94% of incoming e-mail to Google 
rode over TLS between April 24, 2020, and July 23, 2020. Google's e-mail 
services are heavily consumer-oriented ("How is piano practice going?"), 
and well over 90% of it is encrypted in flight. Len Sasso is dealing with 
an enterprise system, presumably. Maybe my cousin's medical insurance 
claim acknowledgment is being e-mailed, or maybe your loan application 
update is being e-mailed out to you. Does anyone seriously want to 
question Len's requirement? Or would it be at least as appropriate to 
question why you haven't enabled encryption for your SMTP and other 
network traffic, if you haven't?

It's very frustrating to me when even basic security precautions and 
practices are questioned like this. Get it turned on, please! It's quick, 
easy, and no additional charge. And have a look at the z/OS Encryption 
Readiness Tool ("zERT"), included with z/OS at no additional charge, to 
get visibility on where you still have gaps.

>If you configure z/OS's CSSMTP to /require/ encryption, TLS 1.2 or
>otherwise, and the receiving SMTP system doesn't offer it, the email
>will be stuck on z/OS.

That's an available configuration choice, that's correct, and that's 
exactly what *should* happen in myriad real world scenarios to avoid a 
potential or actual security breach.

>Do you really want to have someone perform regular postmaster duties on
>z/OS?

As Lionel patiently explained, this is about whether Len Sasso's 
requirement is satisfied, to encrypt e-mail traffic to the next hop. There 
are no postperson duties here, not with CSSMTP. These are basic network 
security duties, prudently practiced and respected for decades now.

But (hypothetically, off on your tangent) why not? It's an IMAP 
mailbox the postperson(s) monitor, presumably. The postperson probably 
isn't either configuring and administering a Kubernetes cluster or 
navigating ISPF screens. If the mailbox were hosted on z/OS (yes, it can 
be, with other software), what's the problem?

I'm a little confused here. Isn't this IBM-MAIN? Is there something you 
wouldn't or don't like about providing more and more useful user services 
from z/OS?

>It might be better to send the email to another existing corporate
>SMTP server where someone is already handling the postmaster duties.

Yes, there's something else besides CSSMTP. OK, backing off that 
tangent

>Simply enabling TLS on z/OS's CSSMTP is probably not sufficient to
>guarantee that the email transmission path to the next SMTP server will
>be encrypted.

It is if you configure AT-TLS to require it, which is par for the course 
really.

>Both the sending end (CSSMTP) and the receiving end (remote SMTP server)
>need to support encryption.

Yes, and as you can see from Google's Transparency Report TLS isn't a rare 
or exotic thing. (What year is this?)

>Most MTAs can be an encrypted client without their own TLS certificate.
>—  Though a /client/ TLS certificate can be entertaining to use in place
>of username and password for authenticating the sending system to a relay.
>}:-)

Not merely "entertaining." It's one perfectly reasonable, prudent security 
measure to make spoofing more difficult.

>If the task at hand is to secure email, there are many ways
>to comply with the spirit -or- have acceptable risk between the
>mainframe and an SMTP server over a secure LAN in a secure data center.

Words fail me here.

>If you really want to adhere to the spirit, the email body contents
>should be encrypted.  So that it doesn't matter nearly as much if the
>SMTP transmission path is encrypted or not.  But that's another kettle
>of fish.

I agree it would be great to encrypt the e-mail body *also*, if possible. 
Two popular ways are PGP and S/MIME.

- - - - - - - - - -
Timothy Sip

Re: Sending email from the Mainframe

2020-07-22 Thread Timothy Sipples
Len Sasso wrote:
>We are using CSSMTP to send email from the Mainframe.
>All our messages must implement TLS 1.2 or higher for
>transport level encryption.
>What are you using?

CSSMTP. No problem. IBM explains how to set up TLS with CSSMTP here 
(current z/OS 2.4 documentation link, subject to change):

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.halz002/cssmtp_tls.htm

It's possible to require TLS 1.2+, exactly as you wish. (Good idea.)

Tony Thigpen wrote:
>We found it easier to set up a small SMTP relay box on an
>Intel platform and let it do all the TLS heavy lifting.

That's possible, but it means that your e-mail traffic is leaving your 
z/OS machine in cleartext. This class of security risks is easily 
avoidable if you simply enable TLS on z/OS. (N.B. TLS is not "heavy 
lifting," or at least it hasn't been for a very, very long time.) There 
may also be some unnecessary server complexity in what you've done, adding 
some inherent fragility.

To be clear (pun intended), there are still one or more e-mail servers in 
the transmission path, of course. This is about encrypting the traffic, 
preferably with TLS certificate authentication, as early as possible in 
the path.

Allan Staller wrote:
>We send everything plain text to the corporate email server
>and let them handle it!

I offer the same suggestion as above.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
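
The two behaviours discussed in the replies above (requiring TLS 1.2 or higher to the next hop, and leaving mail queued when the relay does not offer it) are shown here as an added Python example. It is not CSSMTP or AT-TLS code and is not from the original posts; `Action`, `plan_delivery`, `deliver` and the sample EHLO replies are names and data constructed for illustration.

```python
"""Added example: required vs. opportunistic STARTTLS for an outbound-only SMTP sender.

Generic Python illustration; this is not CSSMTP or AT-TLS configuration.
"""
import smtplib
import ssl
from enum import Enum

# Constructed EHLO replies (not captured from any real relay).
RELAY_WITH_TLS = "250-relay.example.com\n250-SIZE 36700160\n250-STARTTLS\n250 8BITMIME"
RELAY_NO_TLS = "250-relay.example.com\n250-SIZE 36700160\n250 8BITMIME"


class Action(Enum):
    SEND_ENCRYPTED = "negotiate TLS 1.2+, then send"
    SEND_CLEARTEXT = "send without encryption"
    DEFER = "leave in the queue and retry later"


def parse_ehlo(reply):
    """Return the extension keywords of a multi-line 250 EHLO reply (RFC 5321)."""
    keywords = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    for index, line in enumerate(lines):
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if index == 0:
            continue  # the first line names the server; it is not an extension
        words = line[4:].split()
        if words:
            keywords.add(words[0].upper())
    return keywords


def plan_delivery(ehlo_reply, require_tls):
    """Decide what to do with a queued message once the EHLO reply is known."""
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return Action.SEND_ENCRYPTED
    # The relay did not offer STARTTLS, or the offer was lost on the network path.
    # Required mode keeps the message queued; opportunistic mode silently downgrades.
    return Action.DEFER if require_tls else Action.SEND_CLEARTEXT


def client_context(cafile=None):
    """TLS client settings: verify certificate chain and host name, refuse < TLS 1.2."""
    context = ssl.create_default_context(cafile=cafile)
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    return context


def deliver(host, port, sender, recipient, message, require_tls=True, cafile=None):
    """Live counterpart of plan_delivery using smtplib; returns what happened."""
    try:
        with smtplib.SMTP(host, port, timeout=30) as smtp:
            smtp.ehlo()
            if smtp.has_extn("starttls"):
                smtp.starttls(context=client_context(cafile))
                smtp.ehlo()  # capabilities must be read again after the handshake
                outcome = Action.SEND_ENCRYPTED
            elif require_tls:
                return Action.DEFER
            else:
                outcome = Action.SEND_CLEARTEXT
            smtp.sendmail(sender, [recipient], message)
            return outcome
    except OSError:
        # ssl.SSLError (old protocol version, untrusted certificate), refused or
        # timed-out connections and smtplib.SMTPException are all OSError subclasses,
        # so a TLS failure lands in the same retry path as a network outage.
        # Simplification: a real sender would bounce permanent 5xx replies instead.
        return Action.DEFER
```

With `require_tls=True` the only outcomes are an encrypted send or a deferral; a cleartext send is reachable only when the operator explicitly allows the opportunistic mode.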



Re: Encrypting z/OS SNMP traps to Windows SNMP server

2020-07-22 Thread Timothy Sipples
Grant Taylor wrote:
>Why not use "transport" mode vs "tunnel" mode?

That should be fine.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Encrypting z/OS SNMP traps to Windows SNMP server

2020-07-21 Thread Timothy Sipples
Another possible option is to configure an IKEv2/IPsec tunnel between z/OS 
and Microsoft Windows Server, then run your message traffic over the 
encrypted IPsec connection. For your colleagues, Microsoft documents some 
configuration procedures here ("Devices not joined to a domain"):

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2

I concur with the advice to upgrade z/OS 1.12 and the rest of the software 
stack to supported releases that are still receiving security and 
integrity updates.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Multi-channel OSA-ICC routing and TCP port behavior

2020-07-20 Thread Timothy Sipples
Brian Westerman wrote:
>So you are using TCP to get to them inside the ICC, but they
>are technically local 3270 terminals.  I think you can make
>some of them printers if you want, but that seems like a waste.

I recently worked with an organization that configured an OSA-ICC TN3270E 
printer session, and it makes sense for them. They did this because one of 
the TCP/IP products available for z/VSE, the one they use, includes a 
TN3270E server that is limited to display terminal sessions and does not 
support printer sessions. This particular organization uses the TCP/IP 
product's TN3270E server for display sessions, but they also have a line 
printer they need to continue running. Previously, historically, the line 
printer was coax attached to an IBM 3174 Establishment Controller. The 
same line printer is now connected via OSA-ICC's TN3270E server and 
continues to behave like a terminal-attached printer, with IBM Personal 
Communications in the middle handling the emulation. Direct would have 
been nice, and technically the printer can directly connect via a TN3270E 
printer session (it has a built-in TN3270E client), but for some weird 
reason when the line printer operates using a different connection it 
unavoidably changes "personalities" and won't interpret the same data 
stream the same way. That's how the printer is designed, not something 
that can be changed. So rather than reconfigure z/VSE's output to adjust 
the print data stream, they inserted IBM Personal Communications in the 
middle to accept the original data stream then handle some very light 
reformatting before passing it on to the printer via LPR/LPD protocol. 
This arrangement works!

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Multi-channel OSA-ICC routing and TCP port behavior

2020-07-19 Thread Timothy Sipples
Mike Schwab wrote:
>Port 23 is standard telnet.  Port 3270 is non-standard TN3270E.

IANA has actually reserved port 3270 for "Verismart":

https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt

I have no idea what Verismart is, or was. It's probably moribund, like 
many port reservations. You're not obliged to honor IANA's reservations 
and recommendations, although it's the "polite thing to do." If nothing 
else it makes the job of somebody monitoring, managing, and 
troubleshooting network traffic a little easier, because at least you give 
that person a clue what the traffic is about.

IANA has reserved port 992 for Telnet, including TN3270/TN3270E, over TLS. 
So one common, IANA-polite approach is to enable port 992 first then, if 
needed, port 23 second, *both* with TN3270E over TLS. (Yes, OSA-ICC 
supports TN3270E over TLS. Use it, please.) IANA also leaves ports 49152 
and above as "private use" ports, so you can use ports 50001, 50002, 
50023, etc. -- a 5 followed by any 4 digits works well -- as recklessly as 
you want. Ports 50992 and 50023 should give above average network 
troubleshooters some clue that the traffic is telnet-oriented.

As far as non-standard ports, the following are at least IANA reserved for 
some sort of "telnet": 89, 107, 902, 903, 1618, 2564, 3083, 3696, 5024, 
and 6623. Some of them are moribund. So if you'd like to use one or more 
of these ports "in the spirit of IANA," that's up to you. :-) Port 22 is 
assigned to SSH, and again "in the spirit of IANA" perhaps you could use 
that one for TN3270E over TLS if you need it.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Java memory limit

2020-07-19 Thread Timothy Sipples
Please note the 31-bit Java variant offers something less than 2 GB of 
memory per Java Virtual Machine to programs. The 64-bit release is 
required if you want more.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Free Mainframe Stuff 2020: Reply Here with Nominations

2020-07-12 Thread Timothy Sipples
Thanks for the nominations, some also coming in via direct e-mail. I'm 
seeing some freebies that I didn't know about, and that's terrific. Please 
keep them coming.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: IHS NTLM authentication

2020-07-12 Thread Timothy Sipples
Jantje wrote:
>If it were me, yes, we would go for that. But...

If your organization has some sort of reasonable identity management 
service that provisions, de-provisions, and otherwise manages user 
identities, then you could probably hook TLS client certificate management 
for z/OS into that. Any options there?

If the service desk department is "big" and has "high" turnover, then 
presumably you're managing RACF identities at a fairly high velocity. How 
are you doing that today? Could you fairly straightforwardly extend that 
high velocity identity management to TLS client certificates for z/OS 
HTTPS access?

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: IBM 2828-G01

2020-07-12 Thread Timothy Sipples
IBM Machine Type 2828 is an IBM zBC12 machine. As I write this (mid July, 
2020), all the latest generally available IBM operating system releases 
support this machine model. These releases include:

z/OS 2.4
z/VM 7.1
z/VSE 6.2
z/TPF (including the latest PUT as I write this)

Certain operating system features, such as the z/OS Container Extensions, 
are not compatible with the IBM z12 generation machines (machine types 
2827 and 2828). On April 14, 2020, IBM announced that it plans to release 
z/VM 7.2 sometime this quarter (3Q2020). z/VM 7.2 will not support z12 
generation machines and will require an IBM z13 generation machine or 
higher, or any IBM LinuxONE machine.

Red Hat and Canonical have dropped support for the IBM z12 generation 
machines in their latest Linux distributions (Red Hat Enterprise Linux 8.x 
and Ubuntu Server 20.04). SUSE continues to support the IBM z12 generation 
machines in their SUSE Linux Enterprise Server 15 SP1. (Their forthcoming 
SP2 also looks OK per their current beta release documentation.)

If you're considering a machine model upgrade (hopefully), currently IBM 
migration and/or other IBM offers are available from the IBM zBC12 to the 
IBM z14 ZR1 and IBM z15 T02 models. Unless there's some super important 
reason I suggest the IBM z15 T02, introduced earlier this year (2020).

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: IHS NTLM authentication

2020-07-08 Thread Timothy Sipples
>Not yet, because it opens a different can of worms: that
>of having to manage the client certificates. I am not sure
>I want to do that… But I agree: it would be a good
>alternative.

How many worms? How many TLS client certificates do you expect you'll need 
for this purpose?

Especially if the answer is "more than a few," how about using the z/OS 
PKI Services?

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com





Re: SuperWylbur Users

2020-07-08 Thread Timothy Sipples
Hopefully SuperWylbur will emerge.

Re: Stanford's WYLBUR, have there been any attempts at "upstream" source 
code recovery in a non-mangled form? For example, via pulling and reading 
a tape from someone's/anyone's archive? It appears that Stanford has 
graciously released WYLBUR under the Mozilla Public License 1.1:

https://web.stanford.edu/dept/its/support/wylorv/

I'm not a lawyer, but I assume that means that any/all other custodians of 
*Stanford* WYLBUR are free to operate under those same terms. In other 
words, if Stanford has lost their upstream, non-mangled WYLBUR code, but 
someone else has the identical upstream code available to release, then 
that should be OK.

The MPL goes a little farther than that, actually. According to the 
license, it's OK to redistribute Stanford's WYLBUR "with or without 
modification" as long as the required notice is included. Let's suppose 
for example Site X has Stanford WYLBUR code, with two local code 
modifications for Site X, in its archive. Assuming Site X is OK releasing 
those two local modifications (and grants permission), Site X is also OK 
under the MPL 1.1 releasing the rest. At least, that's how I read it.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: SuperWylbur Users

2020-07-08 Thread Timothy Sipples
There's precedent. Stanford graciously offers WYLBUR's source code for 
download:

https://web.stanford.edu/dept/its/support/wylorv/

Of course SuperWylbur is not WYLBUR:

https://en.wikipedia.org/wiki/ORVYL_and_WYLBUR#SuperWylbur%E2%84%A2

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Free Mainframe Stuff 2020: Reply Here with Nominations

2020-07-08 Thread Timothy Sipples
Everyone likes free stuff, right? Please reply to this message with your 
nominations for the new, bigger, even more exciting 2020 edition of "Free 
Stuff for Your Mainframe." To get you started (in other words, to let you 
know about the freebies I surely know about already), the 2016 edition of 
this particular list is posted here:

https://community.ibm.com/community/user/ibmz-and-linuxone/blogs/andrii-vasylchenko1/2016/08/16/free-stuff-for-your-mainframe-2016-update

Nominations are welcome in all of the following categories (and likely a 
couple more that I haven't thought of):

* oriented to the machines themselves (e.g. IBM HMC Mobile, Feature Code 
0115)

* whole operating systems and tools that can start up on their own (e.g. 
ZZSA)

* for all 5 major operating systems (z/OS, z/VSE, z/TPF, z/VM, Linux on Z)

N.B. For Linux on Z I'll probably limit this particular list to software 
that has some reasonably specific IBM Z and/or IBM LinuxONE affinity, 
and/or affinities to other IBM Z operating systems and their workloads. 
LXCMS is one possible example in that vein.

* for mainframe middleware (Db2 for z/OS, CICS TS, IMS, MQ, WAS for z/OS, 
etc., e.g. SupportPacs for CICS and MQ)

* for various subsystems and tools (e.g. ISPF add-ons such as Zigi, RACF 
tools such as PWDCOPY)

* programming languages (e.g. IBM Open Enterprise Python for z/OS)

* handy sample code, such as useful REXX scripts

* programming libraries, modules, and tools (e.g. Rocket Software's Git 
for z/OS)

* free mainframes (e.g. the LinuxONE Community Cloud, the Master the 
Mainframe Learning System)

* tools for mainframe storage

* public cloud services with mainframe affinities (e.g. 
https://optimizer.ibm.com )

* mainframe planning and estimation tools (e.g. the IBM Z Batch Network 
Analyzer)

* free security-related tools and offers with mainframe affinities (e.g. 
free TLS certificates, as long as you can actually use them in z/OS RACF 
for example)

* free mainframe-related books and education

* free "abandonware"

* trialware and "juniorware," but only if it offers real, material value 
(this'll be a personal judgment call)

* client device-installed software that has mainframe affinities (e.g. IBM 
Explorer for z/OS, terminal emulation software, development tools, etc.)

I'd like to hold a Webcast to highlight a few of these gems, probably 
sometime in late August or September (2020), repeated a couple times to 
cover various timezones better. During this Webcast there'd be a few 
quick, ~5 minute demonstrations of mainframe freebies. If you're 
interested in having 5 minutes of additional fame and would like to 
volunteer to show off your favorite freebie(s), please reply to this 
message indicating your interest.

Nominations close on July 31, 2020. Thanks, everyone!

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: IHS NTLM authentication

2020-07-07 Thread Timothy Sipples
>Some powers that be have decided not to allow basic
>authentication anymore, even over HTTPS. So I am
>looking for an alternative.

Have those "powers that be" offered a list of acceptable alternatives? 
Unless they insist, I don't think NTLM over HTTP is a good protocol idea 
nowadays for a variety of reasons, so can we skip that one?

The IBM HTTP Server for z/OS supports TLS client certificate 
authentication with RACF. That's not basic authentication, so it 
ostensibly qualifies. It's also widely accepted. Have you considered that 
option?

Or you could adopt a token-based approach. The classic way is forms-based 
authentication, i.e. some application-based mechanism. Another, widely 
accepted choice is OAuth 2.0. However, OAuth 2.0 would require either a 
custom, additional module or an authenticating proxy arrangement of some 
kind. The (non-Apache) mod_oauth2 module code is available here:

https://github.com/zmartzone/mod_oauth2

I have not looked at this code, but there it is.

I'll pause there.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
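
The TLS client certificate option described in the post above, shown beside the basic authentication setup it would replace. This is an added example, not part of the original post and not IBM's own sample: the key ring name IHSRING, the /secure/ path and port 443 are assumed values, and the directives are those of IBM HTTP Server's mod_ibm_ssl and mod_authnz_saf modules.

```apache
# Added example: constructed configuration, not taken from the original post.
# Assumed values: key ring "IHSRING", URL path /secure/, port 443.

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
LoadModule authnz_saf_module modules/mod_authnz_saf.so

# --- Before: HTTP basic authentication checked against SAF (RACF) ---
# Every request carries a reusable user ID and password in the
# Authorization header, protected only by the TLS session.
#
# <Location "/secure/">
#     AuthName "z/OS logon"
#     AuthType Basic
#     AuthBasicProvider saf
#     Require valid-user
# </Location>

# --- After: TLS client certificate associated with a RACF user ID ---
Listen 443
<VirtualHost *:443>
    SSLEnable
    # Server certificate and trusted CA certificates come from a SAF key ring.
    KeyFile /saf IHSRING
    # The client must present a certificate that the server can validate
    # against the CA certificates connected to the key ring.
    SSLClientAuth required

    <Location "/secure/">
        # Run the request under the RACF user ID associated with the
        # client certificate; deny access when no association exists.
        SAFRunAs %%CERTIF_REQ%%
    </Location>
</VirtualHost>
```

The certificate has to be associated with a user ID in RACF beforehand, either by registering it with RACDCERT ADD or through a certificate name filter defined with RACDCERT MAP.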



Re: SuperWylbur Users

2020-07-06 Thread Timothy Sipples
Tony Harminc wrote:
>What is (and will be) the licensing status of SuperWylbur? Is there
>potential to turn this into a community maintained project? There are
>surely at least hobbyists out there who would love to play with it.

That's a good idea. The only caveat I can think of is that sometimes 
there's "encumbered" code in a particular product. However, that seems 
unlikely in this case (see below), and even if that were the case it's 
still possible to release only the unencumbered code.

John Giltner wrote:
>It is still distributed with full source code.

That's promising for these purposes. It means there's no first party 
distribution effort required. Permission alone to one or more second 
parties would be sufficient.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Storage & tape question

2020-07-06 Thread Timothy Sipples
Radoslaw Skorupka wrote:
>I forgot something obvious for me: NEVER USE TAPES FOR APPLICATION
>DATA. No jobs should write or read tapes.
>Nothing except backup and restore and (optionally) ML2. Managed by
>HSM or FDR. Some exceptions for archive copies are worth to consider.

I take your point, but "NEVER" is too strong. And you're acknowledging 
there might be some exceptions, so let's dig into them a bit.

One notable exception that I'm increasingly encountering is in the digital 
asset industry. There are occasions when they'd like to have certain 
digital assets in an offline state, for example in technically and 
operationally assured systems, encrypted on WORM tape cartridges 
physically removed from tape libraries. In some cases that sort of 
approach is what the asset owners and their insurers require. Another 
potential exception involves certain content management systems, although 
it depends on how they're designed.

As another example, IBM SAFR runs really don't mind source data from tape 
and/or virtual tape. As long as the data streams fast enough for whatever 
you're trying to do with SAFR, that's perfectly fine.

I suppose you could drive even these edge cases through DFSMShsm handling 
(and manual tape loading procedures in the first example), but then you'd 
need above average cooperation with application developers and owners. The 
"my application knows best" philosophy is powerful, for better or worse. 
You just try to do the best you can, and if there's an exceptional edge 
case and consensus agreement that it ought to be handled differently (even 
if you disagree), OK, so it goes.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Mainframe co-op

2020-07-05 Thread Timothy Sipples
There's a good organizational structure potentially available:

https://www.openmainframeproject.org

I assume the goal ought to be to have something better than the Master the 
Mainframe Learning System, already available free of charge:

https://www.ibm.com/it-infrastructure/z/education/master-the-mainframe

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: z/OS use of "legacy" programming languages

2020-07-01 Thread Timothy Sipples
Frank Swarbrick asked:
>Is Pascal also still supported/used?

IBM VS Pascal (5668-767) is still IBM marketed and supported:

https://www.ibm.com/support/lifecycle/#/details?q45=M618799U16404L24

The New Stanford Pascal Compiler is also available:

https://github.com/StanfordPascal/Pascal
http://bernd-oppolzer.de/job9.htm

Here are some more classic programming language compilers that are 
currently IBM marketed and supported, in no particular order:

APL2 (5688-228)
https://www.ibm.com/support/lifecycle/#/details?q45=D543769I30278S34

BASIC (5665-948)
https://www.ibm.com/support/lifecycle/#/details?q45=G568183M36263P96

RPG II
This one is a little extra obscure, but yes, it's still IBM marketed and 
supported. The IBM Program Number is 5740-RG1. The z/VSE variant 
(5746-RG1) is listed more visibly here:
https://www.ibm.com/us-en/marketplace/dosvs-rpg-ii
There's a little bit of confusion about RPG in large part because there 
was a relatively briefly marketed RPG compiler introduced years later 
called "IBM SAA RPG/370." This specific, very different compiler 
(5688-127) was withdrawn from marketing and is no longer IBM supported, 
but the previously introduced RPG II compiler is still an active IBM 
product.

IBM's Prolog, Lisp, Ada, Algol, Smalltalk, and COMTRAN compilers are 
withdrawn and past their End of Service dates, but it's likely there are 
some of these compiled programs still running, even with some periodic 
code changes. In some cases there may be available and supported 
programming language offerings from other parties. Some may target Java 
Virtual Machine (JVM) and/or z/OS Container Extensions (zCX) runtimes.

There's a supported JOVIAL compiler available for z/OS and z/VM:
http://www.seadeo.com/IBM_Compilers.htm

If there's some other programming language's status you'd like me to 
research, please ask. And obviously IBM markets and supports C, C++, REXX, 
COBOL, PL/I, Java, EGL, HLASM, and several other programming languages 
(JavaScript, Swift, Python, IBM Migration Utility).

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Mid-2021 Withdrawal of IBM z14 & LinuxONE Emperor II Features

2020-06-30 Thread Timothy Sipples
IBM announced that certain IBM z14 (Machine Type 3906) and IBM LinuxONE 
Emperor II features will no longer be available effective June 30, 2021:

https://www.ibm.com/downloads/cas/US-ENUS920-113-CA/name/US-ENUS920-113-CA.PDF

Note that's 2021, i.e. next year as I write this. This future withdrawal 
relates to the features that require physical shipment of components.

This withdrawal notice does NOT affect IBM z14 ZR1 and IBM LinuxONE 
Rockhopper II models.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



IBM z/OS Statement of Direction re: Containers

2020-06-30 Thread Timothy Sipples
I draw your attention to this Statement of Direction that IBM published on 
June 23, 2020:

https://www.ibm.com/downloads/cas/US-ENUS220-033-CA/name/US-ENUS220-033-CA.PDF

Please also refer to IBM Announcement Letter 219-233 (mostly already 
fulfilled).

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: DASD migration -- Re: Hitachi RAID box going out of support

2020-06-28 Thread Timothy Sipples
Bill Bishop wrote:
>One issue that you may encounter with going to a new storage
>system on a z9 processor is the speed of the ficon cards and
>whether the new unit can z9 cards.  I am not sure the new
>Hitachi's can work with 4GB ficon.

While Radoslaw Skorupka clarified that it's possible to worry less about 
link speeds when there's a switch/director in the mix, I should point out 
that the IBM z9 machine might not be using 4 Gb/s FICON with its storage 
device. FICON4 was only the maximum configurable storage I/O attachment. 
Other maximums were possible. The z9 generation of IBM Z machines also 
supported 1 Gb/s and 2 Gb/s FICON and/or ESCON, even as maximums. For 
direct storage attachment it's important to clarify which link type(s) and 
speed(s) are actually operating.

I should also point out that the IBM z9 machines have passed IBM End of 
Service, and so have all z/OS releases (2.1 and prior) that the IBM z9 
machine supported. The storage device is by no means unique in this 
respect. IBM is still offering a Service Extension for z/OS 2.1, available 
for an additional monthly fee (minimum 3 months) through September 30, 
2021. Service extensions may also be available for other software.

I agree with the other posters suggesting serious, quick investigation of 
other options involving "rebasing" these critical applications on systems 
and middleware that are aligned with their importance. Many people are 
able to help.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Messages & Codes

2020-06-12 Thread Timothy Sipples
Charles Mills wrote:
>You have to understand national politics: "we won't buy this
>product; the error messages are in English" [not French,
>Japanese, etc.]
>Even though you are of course right, "diskette in drive" is
>more understandable to the average French speaker than
>!! Sys01475

(a) This argument would have had more credibility if MS-DOS and its 
children (Windows 95, Windows 98, etc.) had sold poorly in particular 
countries for that reason. That's not how it worked out.

(b) OK, try this:

SYS01475 !! Diskette / Disquette

In 32 bytes that string includes the language neutral (and still 
incomprehensible) error code *and* provides a powerful clue that covers 
English, French, German, Dutch, and some other languages exactly. It also 
covers Spanish, Italian, and Portuguese if you're willing to overlook an 
extra T. You even get the following languages pretty well or exactly (per 
Google, partial list):

Afrikaans: disket
Albanian
Basque: diskete
Bosnian: disketa
Catalan: disquet
Corsican: dischettu
Croatian: disketa
Czech: disketa
Danish
Esperanto: disketo
Estonian: diskett
Filipino
Finnish: disketti
Galician: disquete
Haitian Creole: disk
Icelandic: disklingur
Indonesian: disket
Latvian: diskete
Lithuanian: diskelis
Luxembourgish: diskett
Malay: disket
Maltese: disketta
Norwegian: diskett
Polish: dyskietka
Romanian: dischetă
Slovak: disketa
Turkish: disket

You get the idea. Anyway, this design defect (I'll call it that) is 
history.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Messages & Codes (was Re: "Everyone wants to retire mainframes")

2020-06-11 Thread Timothy Sipples
This pair of error messages was a design mistake:

OS/2 !! Sys01475
OS/2 !! Sys02027

That's a case of national language considerations run amok. That was the 
only pair of messages you saw on your screen when you formatted a diskette 
with OS/2, left the diskette in the primary drive, and rebooted the 
typical PC of that era (that didn't automatically try to boot from another 
device when there was a diskette in the primary drive).

A diskette's boot sector doesn't have much room, so the designers had to 
be concise. They wanted to include at least one error code, and they did. 
But then instead of some portion of the planet not understanding what 
happened, very nearly the entire planet didn't understand what happened. 
:-)

A better design would have used a global message like this:

OS/2 SYS01475: Diskette in Drive!

That's exactly the same number of characters, assuming the new line was 
one character. (If not, the colon could have been omitted.) Yes, "Diskette 
in Drive!" is technically English, but even so it would have been much 
more broadly, globally understood than mystery error codes.

Even this one would have been better:

OS/2 SYS01475 Unbootable Diskette

Or:

SYS01475: Data Diskette in Drive!

Pretty much anything with the word "Diskette" (the term IBM preferred 
instead of "Floppy") would have given users a clue. Even this:

OS/2 !! Sys01475
No Boot Diskette

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Netview 5.4

2020-06-05 Thread Timothy Sipples
I don't have a direct answer to your question, but here's some degree of 
reassurance. z/OS 2.3 became generally available on September 29, 2017. 
Tivoli NetView 5.4 for z/OS reached its End of Support date on October 31, 
2017. Thus it appears this particular release combination was briefly 
fully IBM supported.

Obviously you ought to upgrade to the latest release of NetView as soon as 
reasonably practical. If the only reason you're holding off is due to 
Single Version Charge (SVC) limitation concerns, don't hold off. In 2017 
IBM abolished the SVC time limits for everyone per IBM Announcement Letter 
217-093.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Base SYSPLEX setup

2020-06-05 Thread Timothy Sipples
Brian Westerman wrote:
>SO just how much are the peanuts?

Radoslaw Skorupka wrote:
>Peanuts mean really cheap.

Even a new switch with warranty is only a few more peanuts. For example, 
the Brocade 6510 and IBM SAN48B-5 (2498-F48) switches were just recently 
discontinued (May, 2020), but there might be some new stock available from 
distributors.

Looking at fully qualified (vendor blessed), reasonably physically small, 
not latest model FICON switches, the discontinued Brocade 5300 and IBM 
SAN80B-4 (2498-B80) switches were also qualified for IBM z13s machines (at 
4 and 8 Gb/s). The Cisco MDS 9250i (also available as IBM 9710-E01) and 
discontinued Cisco MDS 9222i (IBM 2054-E01) also appear in IBM 
z13s-related qualification letters.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Base SYSPLEX setup

2020-06-01 Thread Timothy Sipples
Brian,

1. If you haven't also looked at IBM Publication No. SB10-7174 yet, I'd 
refer you to that one ("IBM Z FICON Channel-to-Channel Reference"). I 
believe you've found SG24-5451 already.

2. You might not need additional FICON Express features at all. It depends 
on how you're set up, but there's quite a bit of link sharing that's 
possible. Quoting IBM, "A FICON channel with CTC capability may behave as 
both a standard FICON channel connecting to standard FICON I/O control 
units, as well as having an internal CTC control unit function in support 
of CTC connections Neither FICON channel must be dedicated exclusively 
to CTC operations."

If you have (for example) two machines connected to at least one common 
FICON SAN switch/director then you're *probably* good to go from a 
physical point of view, for some minimum level of service anyway. Sure, do 
due diligence in terms of performance and such, but it seems like a better 
idea to me to leave these machines physically unmolested if possible 
rather than try to hack something in (that's withdrawn from marketing).

There was probably some point in "ancient history" when the various 
sharing options weren't available, but I believe all FICON-equipped 
z/Architecture machines have these various CTC-related sharing 
capabilities at least in some fashion. SB10-7174 repeatedly refers to an 
engineering change (EC) that was available at least as far back as the IBM 
z900 from what I can tell.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: EPSILON?

2020-05-28 Thread Timothy Sipples
Unfortunately nobody is able to ask Richard B. Talmadge about his EPSILON 
ideas. According to this source he's no longer alive:

https://www.maa.org/news/memoriam

It'd be terrific if anyone who worked or interacted with him knows more 
about these EPSILON concepts.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: 3270 terminals: CUT vs. DFT

2020-05-12 Thread Timothy Sipples
Alex, have you considered getting a used terminal controller for your IBM 
3290? It looks like an IBM 3174 would work.

According to IBM Publication No. GG24-3061 (Revision -05 is the latest I 
can find), the IBM 3290 requires a "Downstream Load (DSL) Diskette." This 
feature in turn requires any of the following feature codes: 1046, 1048, 
or 1056 (i.e. a second diskette drive or hard disk). Sadly, none of these 
three feature codes are available on the smallest form factor 3174 models 
81R, 82R, 90R, 91R, and 92R. Thus the most likely "best fit" IBM 3174 
would be one of the 5xR or 6xR "medium size" models, preferably 6xR since 
that's the newer one. Some of these models had Ethernet and/or serial 
("asynchronous") ports.

I found some online evidence that a hobbyist managed to get an IBM 3290 
with IBM 3174 connected to and functioning with a Linux-based PC.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



IBM's Java on z/OS Survey Request

2020-05-12 Thread Timothy Sipples
IBM is soliciting some special feedback for Java on z/OS. The survey is 
available here through May 29, 2020:

https://ibm.biz/zOSJavaSurvey

Thanks.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Developers say Google's Go is 'most sought after' programming language of 2020

2020-05-11 Thread Timothy Sipples
Shmuel Metz wrote:
>The problem is that some of those are incomplete, not z/OS,
>or not up to date.

1. Would you like to be more specific? (And I don't know what you mean by 
"not z/OS." I answered specifically, exclusively for z/OS.)

2. Have you tried fixing the specific issues?

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Developers say Google's Go is 'most sought after' programming language of 2020

2020-05-10 Thread Timothy Sipples
Shmuel Metz wrote:
>Now if they could just bring z/OS support for Kotlin, Lua,
>Perl, Raku, Ruby and Rust up to date ...
>Yes, bringing the port up to date includes first porting it ;-)

Let's take these in order

1. As far as I know, as long as you use the Kotlin compiler to target a 
Java Runtime Environment (JRE) -- the typical/usual pattern -- your 
program will (also) run on z/OS. The basic command line compiler syntax is 
as follows, assuming Kotlin source code in the file hello.kt:

kotlinc hello.kt -include-runtime -d hello.jar
java -jar hello.jar

There's also a potential future path that'll support Kotlin's LLVM target 
(since z/OS now supports LLVM), but that's speculative.

2. There's a z/OS build of Lua available here:

http://lua4z.com

This is a circa 2014 build of Lua. Fundi Software created, maintains, and 
supports this distribution, so if you'd like something newer then feel 
free to inquire.

3. Rocket Software offers Perl for z/OS here (currently 5.24.0, which was 
released on May 8, 2016):

https://www.rocketsoftware.com/zos-open-source

4. For Raku, go grab the Rakudo distribution and target a JVM 
(--target=jar). Or use Rakudo.js to target Node.js (JavaScript) since 
Node.js is available for z/OS:

https://www.ibm.com/products/sdk-nodejs-compiler-zos

To my knowledge there's no difficulty with either path.

5. JRuby is available:

https://www.jruby.org

The best implementation of Ruby for z/OS is probably currently the Docker 
container image that runs in the z/OS Container Extensions:

https://hub.docker.com/_/ruby

6. Rust will need LLVM, now available on z/OS. However, you can already 
compile and run Rust code via the z/OS Container Extensions.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Mainframe user ID length

2020-05-05 Thread Timothy Sipples
Tom Marchant wrote:
>What is your point? The contents of in-stream data is not part of
>JCL, any more than the contents of some other data set referenced
>in a DD statement is.

Paul Gilmartin wrote:
>There's a qualitative difference.  The Reader or Converter must
>inspect every record of an in-stream data set, and the Interpreter
>or Access Method must scan for substitutable symbols.  Not so with
>some other data set.
>And the in-line data appear in the SUBMITted member commonly called
>JCL.

If anyone still cares, here's what I actually wrote:
>If you want to pass a longer user ID to something else
>using a different vocabulary, JCL isn't going to stop you.
>Example: Try using JCL to invoke z/OS's FTP client to transfer a file to
>an arbitrary FTP server, specifying a user ID longer than 8 characters.
>Can it be done? Of course it can; it's perfectly routine. You just don't
>use JES-related syntax, that's all.

100% true!

If there's a complaint about something I wrote, OK, fine, but how about 
making sure it's a complaint about something I wrote? :-)

Who says mainframe professionals aren't the most friendly, helpful 
individuals willing to go the extra mile (or kilometer) to help solve user 
problems? Why, they never say "Can't be done!" and refuse to help. That's 
just ridiculous. :-) :-)

It's usually not this platform that's getting in the way of progress. 
Here's yet another such case. For over two decades (closer to three) we've 
been submitting JCL to JES2 or JES3 to do such (awful) things as sending 
and receiving files via FTP, with absolutely no trouble specifying a user 
ID that's longer than 8 characters. We haven't even given it a second 
thought, really. JCL hasn't and isn't standing in your way here, 
obviously. Since the OS/390 days you've been able to present a X.509 
digital certificate to RACF in lieu of a user ID for authentication and 
authorization. These features aren't state secrets. If you have z/OS, you 
have in-stream data in JCL. (How long has that been?) You also have the 
IBM Directory Server for z/OS. If you have the z/OS Security Server, you 
have RACF client certificate authentication. If you don't like maximum 8 
character user IDs, OK, don't trouble your users with them! There are 
other viable, sensible approaches available -- handed to you, really. 
Plenty of organizations are already using them and aren't troubling their 
users with maximum 8 character IDs.

So let's cut the nonsense and start leading progress rather than 
inhibiting it, OK? A few more "Wow, that's pretty interesting!" remarks 
would be welcome. (Thanks, Bob.) Deal? And sure, if there's something 
missing that you want or need, by all means ask (IBM RFE).

OK, back to problem solving

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Mainframe user ID length

2020-05-05 Thread Timothy Sipples
Shmuel Metz wrote:
>Regardless of why it is coded that way, the code is in
>the C/I and the error message comes from the C/I.

Yes, and in-stream data is an intrinsic feature of the Job Control 
Language (JCL). It says so right here, among other places:

https://www.ibm.com/support/knowledgecenter/zosbasics/com.ibm.zos.zjcl/zjclt_exercise_crtNsubmitjob.htm

Frank Swarbrick wrote:
>On a separate line, are you saying is it possible for z/OS to use
>a non-z/OS LDAP server for authentication (and authorization?),
>including user IDs and passwords?

"z/OS" is a big, grand place, so yes is the answer. For example, that's 
exactly what the z/OS Container Extensions do(es) if you simply turn on 
its LDAP feature. Naturally you do that from the z/OS Management Facility.

>But this would that still require TSO and CICS (and IMS? and others?)
>signon processes to be able to handle those user IDs?

OK, now you're naming names (specific subsystems), and then "it depends." 
Let's pick CICS as an example. If you want to authenticate and authorize a 
user against a LDAP server (highly preferably the one on z/OS) for 
purposes of executing a CICS transaction, then one way to do that is to 
have a CICS Liberty region on the front side handling the job. CICS 
Liberty can definitely authenticate and authorize based on LDAP's guidance 
(with ID mapping), and there's some pretty good documentation explaining 
how to do that.

TSO/E is "classic," and thus it understands up to 8 character maximum user 
IDs (up from 7 previously). However, as I sketched out, the end user need 
not necessarily know that. It'd be wonderful if somebody creates a TSO/E 
sign on screen analogous to z/VSE's that accepts a long user ID and 
passphrase which is then checked against LDAP on z/OS to decide whether to 
log the user on. LDAP on z/OS would then supply the mapped short name, 
without the user's active involvement.

>What I would love to see is some sort of "single signon" option,
>where a user would only need to sign on to their personal workstation
>and not need to explicitly sign on to z/OS at all.

There are many products that do that, including from IBM.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: IBM-MAIN Digest - 2 May 2020 to 3 May 2020 (#2020-125)

2020-05-04 Thread Timothy Sipples
Bob Bridges wrote:
>So maybe - maybe, I don't know either - if I sign on to z/OS with a
>certificate, or LDAP, or anything other than the usual, the sign-on routine
>MAKES UP an 8-byte ID and stores it in the ACEE. If so, after that
>everything works fine, I guess.

I don't think RACF itself works that way, or at least the z/OS 2.4 
documentation doesn't suggest so. Take a look at this information, for 
example:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.icha700/icha700_Certificate_mapping.htm

Let's suppose the user is authenticating with RACF (not with the IBM 
Directory Server for z/OS, a.k.a. "LDAP"), and the user transmits an X.509 
client digital certificate for that purpose. RACF has to know ahead of 
time whether or not to authenticate that particular user (digital 
certificate). So the digital certificate has to be known to RACF ahead of 
time. Since the digital certificate has to be known, it's not unreasonable 
to associate an up to 8 character "short" user ID with that certificate. 
And that's how it works, as I understand it. The user doesn't present the 
short user ID -- well, not really, I'll get to this in a moment -- but 
RACF can check the certificate and create an ACEE with a mapped short user 
ID.

There are three basic choices here as I understand it:

1. A one-to-one mapping (one certificate to short ID ABCD1234). The 
documentation does a little bit of handwaving here along the lines of 
"this might be difficult to administer," but I'd argue that's somewhat 
dated advice now that so many organizations use identity management tools.

2. A many-to-one mapping (multiple certificates to ABCD1234).

3. Either mapping, but with the certificate itself holding an embedded 
short name ("hostIdMapping"). Certificate issuers don't typically support 
this extension, or at least they hide it well, but the z/OS PKI Services 
do. (Is this technique "cheating"? Not really)

In all these cases the user need not be aware there's a short name that 
RACF uses "under the covers." The user just supplies a valid, unexpired 
client certificate -- from a PIN-protected smart card perhaps. From RACF's 
perspective the X.509 digital certificate is really just another alias, a 
verbose one.

z/OS LDAP also supports broadly similar RACF ID mapping (supply a long CN, 
which the directory maps to a short name), but it's optional. You can 
certainly authenticate with LDAP as a standalone matter if you wish.

It's an interesting idea to have a fourth option for digital certificate 
authentication with RACF, which would be like choice #1 but without 
telling RACF what the short user ID is ahead of time -- to let RACF create 
one "on the fly," probably with caching and templating. For example, allow 
me to register a bunch of digital certificates in RACF as valid users, but 
I'm not going to tell you (RACF) what their short user IDs are ahead of 
time. The first time you encounter a particular certificate, just create a 
short user ID of C$-- (where the dashes are RACF's randomized or 
sequential choice, of any length -- randomized as default, but sequential 
as an option), store it, and use that on-the-fly short ID to build the 
ACEE. For example. I'd have to ponder that one a bit more, but if you 
think you've got a good use case, ask (RFE).

Of course it'd be "nice" to have more than a maximum 8 character ID (with 
the current maximum of 39 different characters per position) internally in 
RACF, but I imagine that'd be a big plumbing problem and potentially break 
a lot of important stuff if not done carefully. Fortunately, you're not 
required to limit users' experiences to maximum 8 character user IDs: use 
LDAP CNs, use digital certificates, or use something else.

By the way, if someone is looking for an interesting project, it'd be 
pretty neat to have a sample TSO/E signon screen that accepts a LDAP CN 
and passphrase that's then checked against the IBM Directory Server for 
z/OS for authentication (and thus also with the SAF security provider, 
indirectly). This part of the z/OS documentation starts to explain how to 
do that:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.ikjb400/logpan.htm

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
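
A simplified model of the three certificate-to-short-ID mapping choices described in the message above, added here as an illustration; it is not code from the original post and not RACF's implementation. The class and field names, the lookup order (registered certificate, then filter, then embedded name), the rule that an embedded name is honored only from a listed issuer, and all sample certificates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_SHORT_ID = 8  # short user IDs are at most 8 characters


class MappingError(Exception):
    """The certificate cannot be turned into a short user ID."""


@dataclass(frozen=True)
class ClientCert:
    """Already-parsed fields of an X.509 client certificate (constructed data)."""
    fingerprint: str
    subject_dn: str
    issuer_dn: str
    not_after: datetime
    host_id_mappings: tuple = ()  # (host name, short ID) pairs from the extension


def _rdns(dn):
    # Simplification: the sample DNs contain no escaped commas.
    return tuple(part.strip().lower() for part in dn.split(","))


def _short_id(value):
    if not 1 <= len(value) <= MAX_SHORT_ID:
        raise MappingError(f"short ID {value!r} is not 1 to {MAX_SHORT_ID} characters")
    return value.upper()


class CertMapper:
    """Hypothetical registry that resolves a certificate to a short user ID."""

    def __init__(self, this_host, embedded_id_issuers=()):
        self.this_host = this_host.lower()
        # Assumption: embedded short IDs count only when a listed issuer signed them.
        self.embedded_id_issuers = {_rdns(dn) for dn in embedded_id_issuers}
        self.one_to_one = {}  # fingerprint -> short ID
        self.filters = []     # (subject suffix, issuer, short ID)

    def register(self, cert, short_id):
        self.one_to_one[cert.fingerprint] = _short_id(short_id)

    def add_filter(self, subject_suffix, issuer_dn, short_id):
        self.filters.append((_rdns(subject_suffix), _rdns(issuer_dn), _short_id(short_id)))

    def resolve(self, cert, now):
        """Return (short ID, mapping kind) or raise MappingError."""
        if cert.not_after <= now:
            raise MappingError("certificate has expired")
        # Choice 1: this exact certificate was registered ahead of time.
        if cert.fingerprint in self.one_to_one:
            return self.one_to_one[cert.fingerprint], "one-to-one"
        # Choice 2: many certificates share one ID; the most specific filter wins.
        subject, issuer = _rdns(cert.subject_dn), _rdns(cert.issuer_dn)
        hits = [(len(suffix), sid) for suffix, iss, sid in self.filters
                if iss == issuer and subject[-len(suffix):] == suffix]
        if hits:
            return max(hits)[1], "many-to-one"
        # Choice 3: the certificate carries its own short name for this host.
        if issuer in self.embedded_id_issuers:
            for host, sid in cert.host_id_mappings:
                if host.lower() == self.this_host:
                    return _short_id(sid), "embedded"
        raise MappingError("certificate is not known to the mapper")


# Constructed sample data: every name, DN and date below is made up.
NOW = datetime(2020, 5, 4, tzinfo=timezone.utc)
VALID = datetime(2021, 5, 4, tzinfo=timezone.utc)
CA = "CN=Example Issuing CA,O=Example Corp,C=US"
OTHER_CA = "CN=Unrelated CA,O=Elsewhere,C=US"


def build_sample():
    certs = {
        "alice": ClientCert("fp-alice", "CN=Alice Cooper,OU=Payments,O=Example Corp,C=US", CA, VALID),
        "bob": ClientCert("fp-bob", "CN=Bob,OU=Operations,O=Example Corp,C=US", CA, VALID),
        "carol": ClientCert("fp-carol", "CN=Carol,O=Partner Inc,C=US", CA, VALID,
                            (("sys1.example.com", "carol01"),)),
        # Self-asserted ID from an issuer the site never listed: must be refused.
        "outsider": ClientCert("fp-outsider", "CN=Outsider,O=Elsewhere,C=US", OTHER_CA, VALID,
                               (("sys1.example.com", "ABCD1234"),)),
        "stale": ClientCert("fp-stale", "CN=Old,OU=Operations,O=Example Corp,C=US", CA,
                            datetime(2019, 1, 1, tzinfo=timezone.utc)),
    }
    mapper = CertMapper("SYS1.EXAMPLE.COM", embedded_id_issuers=[CA])
    mapper.register(certs["alice"], "ABCD1234")
    mapper.add_filter("OU=Operations,O=Example Corp,C=US", CA, "OPSUSER")
    mapper.add_filter("O=Example Corp,C=US", CA, "GUEST01")
    return mapper, certs


if __name__ == "__main__":
    mapper, certs = build_sample()
    for name, cert in certs.items():
        try:
            print(name, mapper.resolve(cert, NOW))
        except MappingError as err:
            print(name, "rejected:", err)
```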



Re: Mainframe user ID length

2020-05-03 Thread Timothy Sipples
Shmuel Metz wrote:
>According to MVS JCL Reference, SA23-1385-40, both
>USER=abcdefghi and EMAIL=foo+...@patriot.net are
>illegal. That's not a JES issue.

It is JES's issue. JCL is simply respecting JES limits there using that 
particular syntax. If you want to pass a longer user ID to something else 
using a different vocabulary, JCL isn't going to stop you.

Example: Try using JCL to invoke z/OS's FTP client to transfer a file to 
an arbitrary FTP server, specifying a user ID longer than 8 characters. 
Can it be done? Of course it can; it's perfectly routine. You just don't 
use JES-related syntax, that's all.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Mainframe user ID length

2020-05-02 Thread Timothy Sipples
rfaces forge ahead. You then decide whether and how 
quickly you'd like to move forward. I think it's much the same here. There 
are lots of applications and subsystems that run on z/OS that expect user 
IDs (or "user IDs") up to 8 characters maximum, but that's not how you 
must present the world to users. Go ahead and use these LDAP and/or client 
certificate authentication technologies as/where you like. If you have 
z/OS you have the former, and if you have RACF you have the latter, too. 
And if something is missing, ask! (RFEs.)

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Mainframe user ID length

2020-04-30 Thread Timothy Sipples
Frank Swarbrick wrote:
>Is z/OS still limited in all cases to 8 upper case characters?

No. The IBM Directory Server for z/OS supports more than 8 upper case 
character user IDs. That's a standard, included, IBM supported feature in 
the base z/OS operating system.

Bob Bridges wrote:
>MQ, TSO, CICS, IMS - whatever the environment, the ID has to be
>authenticated by RACF (or ACF2, or TSS).

Not as you've written it, no, that's not correct. First of all, user 
authentication isn't necessarily required. However, I and many others 
argue that these systems should at least be authorizing user requests.

TSO/E, yes, that subsystem supports user IDs up to a maximum of 8 
characters. Otherwise, I know that MQ for z/OS and CICS Transaction Server 
for z/OS can authenticate users via LDAP (ideally the IBM Directory Server 
for z/OS) at least in certain contexts. See here for example:

https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.sec.doc/q127976_.htm

I would have to dig a little deeper with respect to IMS if anyone is 
interested.

Interestingly even the "classic" 3270 z/VSE sign on screen supports "long" 
user ID authentication via LDAP-based sign on, although it requires 
"mapping" to a short user ID under the covers:

https://www.ibm.com/support/knowledgecenter/SSB27H_6.2.0/fa2ad_ovw_ldap_sign-on_process.html

Users don't really have to know all that, though. They just sign on with 
LDAP user ID "AliceCooper1990" (or whatever). Maybe somebody would like to 
submit a Request for Enhancement (RFE) for something similar with TSO/E? I 
don't think IBM provides a "stock" sign on screen with z/OS that'll do 
this.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: LzLabs

2020-04-30 Thread Timothy Sipples
Shmuel Metz wrote:
>Google for "look and feel lawsuit". It's illegal to run
>z/OS on an unlicensed platform; it is perfectly legal to
>implement the z/OS interfaces that you need. How well,
>e.g., UNICICS, runs is a separate issue.

Let's leave aside the "edge cases" involving laws in certain sanctioned 
countries.

It isn't actually a settled issue in the United States; it's a very live 
issue. The upcoming U.S. Supreme Court case, Google v. Oracle America, 
significantly bears on the U.S. legality of reimplementing somebody else's 
APIs. See this article for background:

https://en.wikipedia.org/wiki/Google_v._Oracle_America

IBM filed an amicus brief supporting Google's position. Google won two 
jury trials, but the U.S. Federal Circuit Court overturned both verdicts. 
In November, 2019, the U.S. Supreme Court agreed to hear Google's appeal. 
The Supreme Court had to postpone the March, 2020, oral arguments due to 
the COVID-19 pandemic, so the case is still pending.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: COBOL and C

2020-04-27 Thread Timothy Sipples
Charles Mills wrote:
>Funny, isn’t it?
>COBOL (née 1959) is 61 years old. It’s a very old language.
>C (née 1972) is 48 years old. It’s a modern language.

These dates aren't actually comparable. In 1959 the Short Range Committee 
first met -- on May 28 and 29, 1959, at the Pentagon -- and did a lot of 
work over the next few months. However, the COBOL specifications weren't 
formally approved until January 8, 1960 (with GPO printing thereafter). 
There was never any "COBOL 59." The first COBOL was "COBOL 60." And it 
wasn't until August 17, 1960, that the first COBOL program ran (on a RCA 
501).(*) In other words, 1959 is the "some people got together and came up 
with an idea for a new programming language" date, analogous to 
celebrating your birthday on the date when your parents first met.

For sure the first C program ran at least as early as 1972, probably in 
1971, and perhaps even earlier. Version 2 Unix was released on June 12, 
1972, and included a C compiler. Or, in other words, 1972 is when the 
first C compiler shipped outside Bell Labs. That's quite a different 
historical event, not directly comparable to committee meetings.

Then there are the complexities associated with the fact that C comes 
after B, and there was a B programming language -- and BCPL before that. 
And CPL before that (born in 1963). Yes, COBOL has roots in FLOW-MATIC 
(mostly, with a light dusting of COM-TRAN), but...it's complicated. And 
surely we shouldn't be hanging our hat on somebody deciding in circa 1971 
to advance to the next letter of the alphabet in what others might have 
called "B '72"?

Anyway, if somebody wants to claim that a time difference is meaningful, 
isn't it important at least to get the birth dates right?

(*) And the compilers remained practically unusable for a couple years 
thereafter.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com





Re: Here we go again

2020-04-21 Thread Timothy Sipples
Mark Jacobs wrote:
>The Social Security Administration does not reuse Social Security
>numbers. It has issued over 450 million since the start of the
>program, and at a use rate of about 5.5 million per year. It says
>it has enough to last several generations without reuse or changing
>the number of digits.

The Social Security Administration could easily give 20 years of advance 
warning before expanding their number space if they wish. They've got 
several options before that far distant future, such as:

1. Allowing capital letters except those that can be confused with numeric 
digits. That'd likely mean excluding B, D, F, G, I, L, O, Q, S, T, U, Y, 
and Z if they want to be maximally cautious. That still leaves 13 letters 
available, or 14 if they want to include the symbol representing the 
artist formerly known as Prince. :-) They'll also probably have some 
placement exclusions to avoid spelling out any words. Even with these 
restrictions, the character space is vast.

2. Alternatively, and in an overlapping period, some brand new digital 
identity scheme.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Any shop use UNIX in a production job?

2020-04-17 Thread Timothy Sipples
Radoslaw Skorupka wrote:
>You mentioned several times about source code. IMHO it is irrelevant
>for UNIX certification. My understanding is "black box": anything which
>behaves as UNIX is UNIX. It can be written from scratch.
>Obviously, an access to source code seem to be much easier.

First of all, maybe you missed my other post?

There are many outcomes that are hypothetically possible that haven't 
happened often. To my knowledge there's only one organization and product 
that has ever achieved UNIX certification without some AT&T/Bell Labs code 
lineage: IBM with z/OS UNIX. History suggests it was REALLY difficult. 
There were many previous efforts that never really took off:

1. Somebody was asking about the UNIX subsystem that was available for 
TSS/370. That was a collaboration with Bell Labs, as this paper from 1984 
discusses:

https://www.bell-labs.com/usr/dmr/www/otherports/ibm.pdf

TSS/370 UNIX became available in 1980, although (like TSS/370 and TSS/360) 
I don't think it was ever an "official" IBM product.

2. INTERACTIVE Systems Corporation (ISC) developed a VM/370-based system 
called VM/IX.

3. ISC's IX/370 was a VM/SP-based version of TSS/370's UNIX, updated with 
UNIX System V compatibility. (Reference: IBM Announcement Letter 285-048.)

4. I think there was also an IX/360 from ISC, although I cannot find much 
information about it.

5. AIX/370 was introduced in 1990. (References: IBM Announcement Letters 
288-130, 288-131, 289-075, and 289-412. Letter 289-412 also announced the 
withdrawal of IX/370.) AIX/ESA followed in 1992. (Reference: IBM 
Announcement Letter 291-544.)

6. Amdahl had UTS, and they started selling it commercially in 1980. UTS 
notionally survived until fairly recently under UTS Global's stewardship.

As far as I know *all* of these efforts were liberally based on AT&T's 
UNIX source code. Maybe someone has interest in diving into code rescue 
efforts to see how many of these UNIXes they can recover and reanimate. 
There could be copyright impediments, though.

In 2003 Peter Salus recounted some of the history of INTERACTIVE Systems 
Corporation as he remembers it (on page 68):

https://www.usenix.org/system/files/login/issues/login_december_2003.pdf

I don't think he has the chronology quite right, though, but that's 
understandable. I think at least IX/360 must have preceded PC/IX. (Why 
call something "IX/360" in 1984? Or even 1980?) His recollection that some 
other team started IX/360 agrees with the other information I found that 
it started at Bell Labs with TSS/370 UNIX. And did VM/IX fold into IX/370? 
It's very difficult to get this chronology sorted.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: How tell what version of COBOL compiler produced load module?

2020-04-16 Thread Timothy Sipples
Roger Lowe wrote:
>If you have the IBM Debug Tool product, there is included the
>"Load Module Analyzer" which analyses program objects to determine
>the language translator (compiler or assembler) that was used to
>generate the object for each CSECT.

There are lots of great answers in this thread, and I'll fill out a couple 
more. Nowadays you can get the Load Module Analyzer via "IBM Debug for Z" 
or via "IBM Developer for Z Enterprise Edition." Depending on what you're 
doing you may also find the COBOL and CICS Command Level Conversion Aid to 
be useful. It's available via the same two product offerings and also via 
"IBM Developer for Z."

And/or "IBM Application Discovery" may be useful, and there are at least a 
couple vehicles to get that.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Any shop use UNIX in a production job?

2020-04-16 Thread Timothy Sipples
David Crayford asks:
>Isn't this all obsolete now? Linux and Windows are used everywhere and I
>doubt anybody cares about POSIX certification.

Occasionally I bump into a RFP that includes the letters "POSIX" and/or 
"UNIX." In principle anybody can put anything they want in a RFP.

Scott Ford wrote:
>Wasn’t z/OS Unix System Services based on Posix ? It’s seems I heard this
>sometime ago.

MVS OpenEdition achieved POSIX compliance. z/OS is UNIX® certified. POSIX® 
refers to IEEE Standard 1003.1, and colloquially it means "UNIX-like," but 
that's a little dangerous. The reason is that getting the POSIX® label 
requires a submission and certification, whereas it's possible to be 
"UNIX-like" without certification. Linux, for example, is assuredly 
"UNIX-like" even though it's neither POSIX® nor UNIX®.

http://get.posixcertified.ieee.org/

There aren't too many products that are POSIX® certified these days, 
although many more were in the past. Evidently a lot of vendors haven't 
bothered to renew their certificates. The current POSIX® register is 
available here:

http://get.posixcertified.ieee.org/register.html

The Open Group solely handles UNIX® certification and participates in the 
POSIX standardization process as one of the three "Austin Group" parties.

https://www.opengroup.org/membership/forums/platform/unix

The current UNIX® register is available here:

https://www.opengroup.org/openbrand/register

There's a close technical and working relationship between POSIX and the 
Single UNIX Specification(s), but The Open Group is now the sole grantor 
of the UNIX® label, based on vendor submissions passing its certification 
process. Historically, before the certification era, an operating system 
could have been UNIX basically if AT&T (and maybe the University of 
California, Berkeley, for a little while) said so. z/OS is at least 
unusual, probably unique, as a UNIX operating system without some sort of 
AT&T (Bell Labs) code lineage.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com





Re: Any shop use UNIX in a production job?

2020-04-14 Thread Timothy Sipples
Charles Mills wrote:
>A trivia question: Which of these is UNIX? Windows Server or Linux?

I replied:
>Neither.

Charles Mills then replied:
>Which *used to be* UNIX?

Still neither.

I can find no evidence that Microsoft ever obtained a UNIX(TM) 
certification for any Windows operating system or even obtained a license 
for UNIX source code from AT&T or another authorized party specifically to 
ship any subsystem or product on/for Windows.(*) However, Microsoft 
evidently would not have been upset if you thought otherwise. :-)

Here's the thumbnail history as I understand it. Back in 1996 a company 
called Softway Systems (later renamed Interix) shipped a product called 
OpenNT for Microsoft's Windows NT operating system. OpenNT apparently was 
written "cleanroom," meaning that it didn't license or use UNIX source 
code from AT&T or another authorized party. OpenNT was a POSIX subsystem, 
and at some point -- possibly starting pre-Microsoft -- it was POSIX 
certified.

Meanwhile, Microsoft separately developed the "Microsoft POSIX subsystem" 
and included it in early releases of Windows NT. Microsoft did this to get 
FIPS 151-2 certification so that the U.S. federal government could 
consider Windows NT for more of its acquisitions.

Later, Microsoft acquired Interix, updated the technology, positioned it 
as a replacement for their own POSIX subsystem, and renamed the technology 
in this sequence: "Microsoft Windows Services for UNIX" (sometimes "Unix" 
in references) then "Windows Subsystem for UNIX-based Applications." 
However, these products/subsystems were never certified as UNIX(TM) 
either. The preposition "for" in their names is quite meaningful and doing 
a lot of heavy lifting. Initially Microsoft's versions were separately 
chargeable, and then at the very end they were no additional charge 
downloads.

In a completely separate effort, David Korn created UWIN, which is an 
X/Open library and set of utilities for Win32. UWIN isn't UNIX(TM) either. 
Ironically, AT&T, UNIX's inventor, now distributes UWIN's source code -- 
but that doesn't make it UNIX(TM) either:

https://github.com/att/uwin

OK, so that was/is Microsoft Windows. In fact Microsoft has distributed a 
bona fide UNIX operating system in the past: XENIX (also sometimes written 
Xenix). XENIX was definitely a genuine UNIX(TM) operating system. 
Microsoft licensed AT&T's UNIX source code (Version 7 then later System 
V), and XENIX also includes bits of BSD. The Santa Cruz Operation (SCO) 
eventually acquired exclusive rights to XENIX, and that branch of the 
very, very complicated UNIX family tree essentially died out, losing out 
to SCO UNIX. But during much of the 1980s Microsoft XENIX from its various 
OEMs (including IBM) was the most popular UNIX(TM) distribution.

(*) The UNIX trademark owner made/makes the final call.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Any shop use UNIX in a production job?

2020-04-14 Thread Timothy Sipples
Charles Mills wrote:
>A trivia question: Which of these is UNIX? Windows Server or Linux?

Neither.

https://www.opengroup.org/openbrand/register/

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Free 3270 emulator for Mac OS

2020-04-05 Thread Timothy Sipples
Seymour J. Metz wrote:
>A few more notes on nomenclature. TN3270 and TN3270E (upper case)
>are protocols published by the IETF; programs implementing those
>protocols are TN3270 clients, not TN3270 emulators. TN3270 clients
>are not 3270 emulators, because they do not support any of the link
>protocols that real 3270s do, e.g., BSC, CUT, DFT, SDLC.

I disagree with the last sentence, and IBM (among many others) does too, 
evidently. You'll see "emulator" in the IBM Host On-Demand (HOD) 
documentation, for example. I don't recall HOD ever communicating via BSC 
or SDLC. "Emulator" has a different meaning than the word "clone," which 
is the word you might have been looking for.

If you want to be pedantic about it, per Wikipedia "IBM 3270" refers to a 
family of IBM terminals ("displays"), printers, and controllers (following 
the IBM 2260 family) that IBM refined and improved over several years. All 
modern "3270" terminal emulators are necessarily partial emulators in 
certain respects, but practically all of them exceed the capabilities of 
the last physical/classic 3270 family of products in certain respects, 
too.

Anyway, if you want to describe various 3270 emulators as "partially" 
emulating the IBM 3279 (for example), that makes sense to me. However, the 
word "emulator(s)" is perfectly acceptable and appropriate in this context 
-- in my view and with broad consensus agreement as far as I can tell.

"TN3270 emulator" (or "TN3270E emulator") is confusing and not generally 
correct. If you're using TN3270(E) protocol then you're probably not 
emulating it.

A TN3270(E) client need not be a 3270 terminal emulator. I think most 
people would not describe an automated test tool that works via a 
TN3270(E) connection as a "3270 emulator," for example. They'd probably 
describe it as a "3270 test(ing) tool."

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: strange python announcement

2020-03-27 Thread Timothy Sipples
David Crayford wrote:
>Almost certainly Rocket's port of Python with support offered by IBM and
>Rocket Software doing L2/L3.

Rocket Software is a member of the open source community. If I had written 
that Statement of Direction I would have phrased it this way:

"IBM intends to enable Python on z/OS together with other open source 
community members."

Sometimes certain parts of IBM forget that IBM is among the biggest 
contributors to open source projects. That's unfortunate here; it's an 
important fact. Also, I wouldn't have used that "intends to enable" 
construction. Those points aside, hopefully you get the idea. My views are 
my own, of course.

By the way, you don't have to wait for whatever IBM intends. Rocket 
Software offers Python for z/OS, and you can also run Python programs 
within the z/OS Container Extensions. Here are the links:

https://www.rocketsoftware.com/zos-open-source

https://hub.docker.com/_/python

Python.org links to Rocket Software from this page:

https://www.python.org/download/other/

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: ZOA Open Automation Utilities (& Ansible News)

2020-03-23 Thread Timothy Sipples
As a followup, I don't think anybody has mentioned yet that a set of 
Ansible modules and roles is now available to interact with the z/OS 
Management Facility (z/OSMF) APIs:

https://galaxy.ansible.com/ibm/ibm_zos_zosmf

This code is called the "IBM z/OS Management Facility (z/OSMF) Ansible 
collection," and it means that Ansible can drive various z/OS operations 
and configuration tasks via z/OSMF's RESTful services.

As a reminder, the IBM Z Open Automation Utilities (IBM Program No. 
5698-PA1) are available now separately -- at no additional charge as I 
understand it -- if you'd like to grab them from IBM ShopZ. IBM support is 
available if you'd like to subscribe, but you're not required to do that 
unless and until you'd like to.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Mandatory Work From Home at my company

2020-03-22 Thread Timothy Sipples
Paul Gilmartin wrote:
>Do you mean that VPN clients for mainframe are rare?

Tony Thigpen wrote:
>I would not even think about a VPN client for the mainframe.

Too late, Tony. :-) The base z/OS operating system includes IPSec IKEv2 
support. Details are available here (z/OS 2.4 link, subject to change):

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.halz002/security_ipsec_vpn.htm

The commercial product SSH Tectia Server for IBM z/OS supports SSH 
tunneling.

There are many VPN clients/servers for Linux on Z and LinuxONE. One of the 
latest and now fashionable ones is called WireGuard. Installation details 
are available here:

https://www.wireguard.com/install/

Checking the various Linux distributions for IBM Z and LinuxONE, WireGuard 
is at least available for Ubuntu Linux Server and Debian Linux, probably 
others too.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: March 18: Exploring z/OS Container Extensions Live Webcast

2020-03-18 Thread Timothy Sipples
Live Webcasts are sometimes prone to technical issues, but fortunately the 
"Exploring z/OS Container Extensions" virtual Meetup worked well with no 
apparent difficulties and plenty of great questions. Whether you were able 
to attend live or not, if you'd like to obtain the video recording and/or 
presentation charts they are now available for download. Please send me an 
e-mail with the Subject line "Requesting zCX Presentation Access" to get 
access.

Yesterday IBM announced a new 90 day z/OS Container Extensions trial which 
should be generally available later this month (March, 2020). For more 
details please refer to the Meetup presentation as well as the IBM 
announcement:

https://www.ibm.com/downloads/cas/US-ENUS220-102-CA/name/US-ENUS220-102-CA.PDF

What this announcement really means is that you can run the z/OS Container 
Extensions (zCX) for up to 90 days if you don't have Feature Code 0104 
installed yet on your IBM z14 (or higher model) machine. zCX is already 
included with your base z/OS 2.4 license at no additional charge, but IBM 
has worked out a way to get zCX working for a temporary period without the 
system feature code. The prerequisite for this trial is the PTF for APAR 
OA58969, so you can obtain and install that PTF when it's available and 
then (separately) activate the 90 day trial when you're ready. Of course 
many machines already have FC 0104 installed since it's not unique to zCX, 
and in that case you can skip the trial and run zCX as long as you want.

If you have other topics you'd like to suggest, I welcome your 
suggestions.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: March 18: Exploring z/OS Container Extensions Live Webcast

2020-03-09 Thread Timothy Sipples
Massimo Biancucci wrote:
>it would be really appreciated if you'll post a recording of the event.

I'll try, but I cannot promise that yet.

Peter Farley wrote:
>I do see what you saw when I clicked the Attend button, it forces
>you to sign up with Meetup to attend the meeting.

Your other two choices are to log in with a Google or Facebook account.

Be aware of the starting time, though: 10:00 a.m. India Standard Time on 
March 18, 2020. For example, in New York this'll be starting just a few 
minutes before James Corden and Seth Meyers go on the air.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



March 18: Exploring z/OS Container Extensions Live Webcast

2020-03-09 Thread Timothy Sipples
This month Edward McCarthy and I planned to hold a pair of "Exploring z/OS 
Container Extensions" Meetups in Mumbai and Bengaluru, but global 
epidemiological events are forcing certain precautions. Therefore, we'd be 
delighted if even more people join the new virtual Meetup, live at 10:00 
a.m. India Standard Time (04:30 UTC) on Wednesday, March 18, 2020. To find 
out more, and to enroll, please visit:

https://www.meetup.com/IBM-Z-Technical-Community-in-Asia-Pacific/events/267773033

Whether you're in Mumbai, Bengaluru, or almost anywhere else in the world, 
we hope to see you online with us. Please don't wait until the last 
moment, though. Enrollments close about 20 hours before the event, and 
based on past experiences you'll want to test your device and network well 
ahead of time.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Question on MQ on the Z/os

2020-03-04 Thread Timothy Sipples
Massimo Biancucci wrote:
>AFAIK if you're using standard application on zOS (Cobol, PLI etc.) you
>need a MQ Server AS up and running on the client lpars.
>MQ Server means license and costs.

For z/OS specifically, there is no separate MQ "server" or "client" 
license.(*) It's IBM MQ for z/OS (or IBM MQ Advanced for z/OS) whether you 
use it for queue managers, as a MQ client(**), or some of both.

>The amount of the cost depends on your licensing type. This case zNALC
>could be a good option.
>Of course you've to ask your IBM representative.

Actually, Tailored Fit Pricing is generally the better/best choice if your 
MQ use in a particular z/OS LPAR is fairly limited. zNALC is usually not 
too relevant in these circumstances. That said, yes, please do ask your 
friendly IBM representative.

As always, as an occasional reminder, my views are my own, not necessarily 
those of any corporation, political party, club, association, or flash 
mob.

(*) However, it's now possible to license and run IBM MQ Server for Linux 
on the z/OS Container Extensions (zCX). zCX is included at no additional 
charge with the base z/OS 2.4 operating system, and it only requires a 
suitably configured IBM z14 or higher model machine. My personal view is 
that, generally speaking, you shouldn't run IBM MQ Server for Linux on zCX 
-- it doesn't generally make sense since IBM MQ for z/OS and IBM MQ 
Advanced for z/OS are so wonderful. However, I can think of one notable 
exception: to implement a MQTT "gateway" directly on z/OS. Currently IBM 
MQ/MQ Advanced for z/OS don't support MQTT protocol, but IBM MQ Server for 
Linux does. So you could run your MQTT protocol support within the z/OS 
Container Extensions via IBM MQ Server for Linux, which is available as a 
Docker/OCI container.

(**) As I mentioned previously, IBM MQ for z/OS supports REST/JSON/HTTPS 
connections too. If you'd like to use the z/OS Client Web Enablement 
Toolkit, as one example, to connect to IBM MQ for z/OS, that's perfectly 
fine if it meets your needs. (z/OS Connect Enterprise Edition is another 
example.) You would then license IBM MQ for z/OS or IBM MQ Advanced for 
z/OS however you license it, such as via Tailored Fit Pricing. You would 
not need a separate license for the z/OS Client Web Enablement Toolkit 
since that's a standard, included feature in the base z/OS operating 
system, part of your z/OS license. In other words, z/OS can sometimes 
*functionally* act as a "MQ client" without using anything in IBM MQ for 
z/OS on the client side. That's allowed, as long as you're licensed as you 
should be licensed.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Question on MQ on the Z/os

2020-03-04 Thread Timothy Sipples
Dennis Longdecker wrote:
>Wondering if anyone here is using MQ Series on the z/os box
>and knows about the licensing?
>If one had MQ on the Z and it was doing all the QMgrs/Queue
>work, do the clients (that aren't QMgrs/Queue) on the other
>boxes need cost/purchase licenses?   What I am finding is:
>- The MQ clients are available as support pacs, they are freely
>downloadable.
>- it's covered by an IBM license, they just don't charge for
>it.
>- MQ Client comes with the Websphere MQ Package, it is a
>component.
>- The standard MQ Client is free

Yes, that's correct. IBM MQ for z/OS Version 8.0 and higher(*) includes 
unlimited IBM MQ client licensing at no additional charge. Download and 
use as many MQ clients from IBM as you wish.(**) As long as the IBM MQ 
clients are connecting directly to your licensed IBM MQ queue managers, 
you're all set. IBM MQ clients are available for download here:

https://www.ibm.com/support/pages/mqc91-ibm-mq-clients

This particular Web address is subject to change since it includes the MQ 
release number.

If you are an IBM MQ Advanced for z/OS licensee, then you can enjoy the MQ 
Advanced client functions, too. If you need the MQ Client for z/VSE, 
provided on an "as-is" basis, it's available for download here:

https://www.ibm.com/it-infrastructure/z/zvse-downloads

Also, there is no additional IBM MQ charge when you communicate directly 
with MQ for z/OS via its REST/JSON/HTTP(S) interface.

(*) In releases of MQ for z/OS prior to Version 8.0 you need to license 
the "Client Attachment Feature" to get unlimited client licensing.

(**) In "exotic" cases a non-IBM software provider may offer a MQ 
compatible client. In that case, any charges would be up to that software 
supplier.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: BMC and Compuware

2020-03-02 Thread Timothy Sipples
Richard Pinion wrote:
>WOW, Innovation Data Processing just came under Compuware's umbrella
>on 01/01/2020.
>This reminds me of UCC buying ACF2, and in short order CA bought UCC.

BMC is also acquiring RSM Partners.

KKR, one of the world's largest private equity firms, owns 100% of BMC.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: DFHSM APIs in a multi-vendor world

2020-02-21 Thread Timothy Sipples
Kirk Wolf wrote:
>I could deal with some configuration of the pseudo-volser,
>but our product doesn't run under TSO, so a "command"
>interface isn't convenient.

What runtime environment and programming language are you using?

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Glossary (was: ZOA ... Ansible)

2020-02-20 Thread Timothy Sipples
Paul Gilmartin wrote:
>Yes, but zFS is too specific, and at risk of change.

Change cuts both/all ways. There's now at least one base z/OS component 
that uses zFS nontrivially (and requires it) that isn't z/OS UNIX System 
Services.

How about something like this: "...a zFS or other z/OS UNIX compatible 
directory/file/path..."? That'd allow for z/OS NFS, HFS (for now, in z/OS 
releases that provide it), etc. if those are acceptable alternatives. 
"z/OS UNIX" seems to be an acceptable short form of "z/OS UNIX System 
Services," so I think that works. If for some reason the requirement is 
specific to zFS, then it'd just collapse to "a zFS directory/file/path." 
Here's another form, in between those two poles:

"...a z/OS UNIX compatible directory/file/path (zFS recommended)..."

Technical writing with clarity is hard, but I think these constructions 
would be an improvement.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Rolling Z/OS migration

2020-02-20 Thread Timothy Sipples
Excellent suggestions. I would add that many organizations seem to have 
one or more "hardware" people who are supposed to look after the driver 
(firmware) updates, Coupling Facility configurations and levels (including 
memory requirements), and Server Time Protocol configurations, as 
examples. The Upgrade Workflow should include steps that somebody else 
might need to take to make sure you're ready for z/OS 2.4 (and Parallel 
Sysplex) in terms of the underlying system characteristics. And one of the 
many nice things about the Upgrade Workflow is that you can assign steps 
to different people and cross-check everyone's work.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: ZOA Open Automation Utilities (& Ansible News)

2020-02-20 Thread Timothy Sipples
Paul Gilmartin wrote:
>The Installation and Configuration at:
>https://www.ibm.com/support/knowledgecenter/SSKFYE_1.0.1/install.html
>... mentions "a USS directory".  What does it use Unformatted System
>Services for? Does someone need to submit an RCF?

That'd be nice. I think it should read: "a zFS directory." I think we can 
ignore HFS at this point in history, right?

If you're wondering how to get the IBM Z Open Automation Utilities, 
they're included with any of these three product offerings:

IBM Dependency Based Build for z/OS
IBM Z Open Development
IBM Developer for z/OS Enterprise Edition

So if you have (or get) any of those product packages, you have the 
Automation Utilities, too.

In related news, the next wave of Red Hat Ansible-related functionality is 
now available:

https://galaxy.ansible.com/ibm/ibm_zos_core

The Red Hat Ansible Certified Content for IBM Z works with z/OS and the 
IBM Z Open Automation Utilities to make z/OS a managed node within the Red 
Hat Ansible Automation Platform. I interpret this code availability as at 
least partial fulfillment of IBM's Statement of Direction as published in 
IBM Announcement 219-571 late last year.

You can run Ansible control and/or managed nodes on Linux, including on 
IBM Z and LinuxONE. I see there's also a Docker/OCI container for Ansible 
available here:

https://hub.docker.com/r/ibmcom/ansible-s390x

Thus it looks like you can run an Ansible control node in the z/OS 
Container Extensions (zCX), too. If you'd like a support agreement for 
anything Ansible I've just described, please give your friendly Red Hat 
representative an opportunity to help.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Model9 is now backed by Intel Capital

2020-02-18 Thread Timothy Sipples
Gil Peleg wrote:
>In my understanding all the products and offerings you
>listed consider cloud storage as an additional tier on top of tape, while
>Model9 is in a different segment of the storage market where cloud storage
>is considered an alternative to tape and as a means for enabling direct
>access to mainframe data from cloud applications (and all cloud providers
>support storing the data on tape when appropriate).

That's not my understanding. To my knowledge all of the products I listed 
are physical tape "agnostic." You can have physical tape drives/cartridges 
on premises or not, per whatever requirements you have.

As for "enabling direct access to mainframe data from cloud applications," 
I don't think you're providing "direct" access to mainframe data. You're 
actually facilitating access to time lagged mainframe data (i.e. a 
replicated copy), with lots of considerations to take into account of 
course, including security considerations. "Cloud data replication" (and 
synchronization) is a competitive market segment and definitely not a new 
one. There are various fundamental, growing concerns and challenges with 
additional data copies.

To get direct access to *live* mainframe data from cloud applications 
(which could be running on IBM Z machines too of course) the typical 
solution pattern involves data virtualization, and that's a competitive 
market segment, too. IBM Data Virtualization Manager for z/OS is an 
example of a product squarely in that category.

Data virtualization and data replication are not mutually exclusive.

By the way, I should have included z/VSE's VTAPE in my previous list of 
examples. IBM introduced VTAPE in VSE/ESA 2.6 (generally available on 
December 14, 2001) and has considerably enhanced it subsequently. It might 
have even been backported to earlier VSE/ESA releases. VTAPE is available 
at no additional charge to VSE/ESA and z/VSE licensees. See the relevant 
links on this page for details:

https://www.ibm.com/it-infrastructure/z/zvse-downloads

There are some z/VSE VTAPE compatible utilities available for z/OS here:

http://www.cbttape.org/awstape.htm

z/VSE VTAPE is interoperable with Encryption Facility for z/VSE and with 
IBM Spectrum Protect (and its predecessor Tivoli Storage Manager).

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Model9 is now backed by Intel Capital

2020-02-16 Thread Timothy Sipples
For the record, this segment of the storage market is quite competitive. 
Examples of other products and offerings include:

IBM Cloud Tape Connector for z/OS
IBM DS8880/DS8900 and z/OS DFSMShsm Transparent Cloud Tiering
RecoveryPoint z/Archive (which uses the previous one)
Luminex CloudTAPE
Compuware (Innovation Data Processing) CloudVTB
Dell EMC DLm

...and that's very likely not a complete list.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Downsizing? - OPS?

2020-02-07 Thread Timothy Sipples
Clark Morris wrote:
>Unless the z system is totally isolated from the
>Internet, staying current on maintenance is a
>necessity.

There are security and other risks with or without "isolation" from the 
Internet.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: Downsizing? - OPS?

2020-02-06 Thread Timothy Sipples
I assume you mean Broadcom CA OPS/MVS. Here are some suggestions, in no 
particular order:

* If you already have NetView, and if your needs are fairly simple or at 
least amenable to NetView, then that might be enough.

* If you are primarily or exclusively Db2-oriented in what you need, then 
you may be able to get by with the Administrative Task Scheduler, included 
with Db2 for z/OS.

* IBM Automation Control for z/OS is essentially a simplified edition of 
IBM System Automation for z/OS, priced accordingly. IBM Tivoli AF/OPERATOR 
for z/OS is another possible choice in a similar vein.

* Brian Westerman posts frequently here, and not only can Syzygy help with 
z/OS and other "version up" work to keep you in a supported configuration 
(with security patches for example), they also offer a simple automation 
tool for z/OS.

* This article provides some advice on possible "freebies," such as z/OS 
Automatic Restart Manager (ARM):

http://www.longpelaexpertise.com.au/ezine/DoWeNeedAutomationSoftware.php

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: 3592-E07

2020-01-30 Thread Timothy Sipples
Radoslaw Skorupka wrote:
>To complement and clarify: when using physical tapes (*
>see below) your RPO and RTO may be 36 hours or zero.

No, your RPO certainly won't be zero. A backup is a (hopefully useful) 
representation of data as it existed historically, at some particular past 
moment(s) in time. It takes some amount of time to run a backup -- let's 
call that "minutes or longer" for working purposes. Backups run at 
periodic intervals -- let's call that "hourly or less often" for working 
purposes. Your backups, without something else, facilitate a best case RPO 
that's as long/big as the maximum (worst case) time elapsed since the 
start of your last good backup. That practically always(*) means a RPO of 
"a couple hours or more."

A long/big RPO usually holds RTO back too, but there are a few rare 
exceptions. On the other hand, it's quite possible to have a long/big RTO 
with a RPO of zero.

(*) Why not "always"? Exotic, contrived exceptions might be possible, such 
as custom software that synchronizes writes directly to local and remote 
tape.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Mobile/SMS: +65 8526 7454 or +1 213 222 6397 or +372 5322 0545
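
The RPO reasoning in the message above, worked through on a backup job history. This is an added example, not part of the original post and not taken from any IBM tool. The log format, the sample values and the function names are all constructed for illustration, and it assumes that a restore point stays the newest usable one until the next good backup has finished.

```python
from datetime import datetime, timedelta

# Constructed sample: one backup job per line as "start end status".
# The format and every value here are invented for this example.
SAMPLE_LOG = """\
2020-01-27T00:00 2020-01-27T00:40 OK
2020-01-27T06:00 2020-01-27T06:45 OK
2020-01-27T12:00 2020-01-27T12:20 FAILED
2020-01-27T18:00 2020-01-27T18:50 OK
2020-01-28T00:00 2020-01-28T00:35 OK
"""

FMT = "%Y-%m-%dT%H:%M"


def parse_jobs(text):
    """Return a list of (start, end, status) tuples from the sample format."""
    jobs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, status = line.split()
        jobs.append((datetime.strptime(start, FMT),
                     datetime.strptime(end, FMT), status))
    return jobs


def worst_case_rpo(jobs, as_of):
    """Return (longest exposure, start of the restore point in effect).

    A good backup represents the data as of the moment it STARTED.
    Assumption of this example: it remains the newest usable restore
    point until the next good backup has FINISHED (or until `as_of`
    for the most recent one). The exposure is the time between those
    two moments; failed runs simply do not count. Jobs are assumed
    not to overlap. Returns None when no good backup exists.
    """
    good = sorted((j for j in jobs if j[2] == "OK" and j[1] <= as_of),
                  key=lambda j: j[0])
    if not good:
        return None
    worst = None
    for i, (start, _end, _status) in enumerate(good):
        until = good[i + 1][1] if i + 1 < len(good) else as_of
        exposure = until - start
        if worst is None or exposure > worst[0]:
            worst = (exposure, start)
    return worst


if __name__ == "__main__":
    result = worst_case_rpo(parse_jobs(SAMPLE_LOG),
                            datetime(2020, 1, 28, 3, 0))
    print("worst-case RPO:", result[0], "restoring to", result[1])
```

With a six-hourly schedule, the single failed run at 12:00 stretches the worst-case window to nearly thirteen hours, which is why the schedule interval alone understates the RPO.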



Re: 3592-E07

2020-01-22 Thread Timothy Sipples
running backups to both (just in case one is offline,
somebody forgot to renew the contract, or whatever), using one public
provider and one private provider (whatever your larger organization has
for cloud object storage, and they likely have something already), using
cloud object storage that your DR site operator provides as one of the
pools, and so forth.

3. Place one IBM TS7770 -- it could be without physical tape libraries and
tape drives -- at your DR site, and run your backups to that remote virtual
tape library. That gets your backup data off site right away. This too
requires sufficient network connectivity to your DR site, although it isn't
quite as demanding as Global Mirror.

There are some variations here, too. For example, some shops effectively
run a third "data vault" site. They place one TS7770 across campus in a
completely different building, with no machine or disk, and that's the
"arms length backup vault." They place another TS7770 at the DR site, the
"remote vault." The "arms length" TS7770 then replicates to the "remote"
TS7770.

(*) I'm aware that Broadcom (CA), Model9, and possibly Compuware
(Innovation Data Processing) also offer software products in this
particular market segment, and there might be others I'm not yet aware of.


Timothy Sipples
IT Architect Executive, Digital Asset & Other Industry Solutions, IBM Z &
LinuxONE


E-Mail: sipp...@sg.ibm.com



Re: 3592-E07

2020-01-22 Thread Timothy Sipples
Dean Nai wrote:
>We have a 3592-E07 and our leasing company is telling us
>the following. Anyone have any thoughts? We really don’t
>have the funding for a mirrored VTS and if it’s not mirrored
>then we lose our DR plan.

How are you set up today? For example, do you simply take periodic backups
to physical tape then ship the tapes to your DR site? It's not yet clear to
me whether and why you necessarily need a mirrored VTS.

>From leasing company.
>The first item to be withdrawn from service will be the 3592-C07
>at the end of 2020. The C07 is the controller for the tape
>drives and is required for z/OS or z/VM to communicate with the
>3592-E07 drives.
>IBM has no direct attach tape products for z/OS, z/VM or zVSE.

Just to editorialize here, IBM has not offered "direct attach tape
products" for those operating systems (or for z/TPF) for a LONG time. There
must be a controller in the connection path, either a "smart" or "dumb"
one, in order for z/OS, z/VM, z/VSE, and/or z/TPF to use the drives. (Linux
is the exception and can work with the drives either way.)

IBM maintenance for the last in the line of "dumb" tape controllers, the
3592-C07, is ending at the end of 2020.

>The best option is to go with a VTS and locate a 2nd VTS at your
>DR site with replication between the two sites. There is also the
>option to have an IBM VTS with access to tape drives in a 3584 and
>then send those tapes offsite. To be able to use those tapes for
>DR you would need another IBM VTS at your DR location.

Before suggesting "the" answer, another relevant capability is cloud object
storage. There are a couple software products for z/OS that equip z/OS to
use cloud object storage -- whether on premises, off premises (public
cloud), or both -- as virtual tape. IBM Cloud Tape Connector for z/OS is
one such example.

The basic approach with Cloud Tape Connector for z/OS is that you'd run
your backups pretty much per normal, but the target(s) would be any cloud
object storage that supports IBM Cloud Object Storage S3 protocol, Amazon
S3, Hitachi HCP protocol, or EMC Elastic Cloud Service Protocol. These
storage pools could be public, private, or both. Storage pools can be
backed by any sort of media, including physical tape. Cloud Tape Connector
for z/OS can encrypt data before it's saved to cloud object storage, and
you really ought to do that. For example, you might decide to have one
private pool of cloud object storage at your DR site and also buy a
subscription to IBM Cloud Object Storage as another, duplicate pool. (IBM
then further duplicates your data across IBM's multiple sites. Where and
how many depends on your subscription.) Then, in a disaster, you'd need to
get at least one basic z/OS instance up and running, with Cloud Tape
Connector for z/OS fired up, connect to whichever cloud object storage pool
has survived and is reachable, restore, and you're back in business to the
last good backup point. In a dire emergency the first two steps would
typically start from USB media at the HMC these days.

Anyway, that's the "cloud" way to do things, and there's a lot of merit in
it. It's also combinable with VTS. For example, perhaps you take backups to
both public cloud object storage (encrypted of course) and to remote (DR
site) VTS, with no local VTS. There's a lot of flexibility in all of this,
including economic flexibility, but I'd like to understand a little more
before backing a specific alternative.

--------
Timothy Sipples
IT Architect Executive, Digital Asset & Other Industry Solutions, IBM Z &
LinuxONE


E-Mail: sipp...@sg.ibm.com



Re: IBM 3270 Font Available in Various Formats

2020-01-21 Thread Timothy Sipples
ITschak wrote:
>mac brew doesn't recognize this package -(

OK, but you're not required to build the "IBM 3270" font from source
specifically on macOS. There's also a download link to the prebuilt font
files (.ttf, .otf), and you should find they're suitable for immediate use
on macOS. Just place the .otf files in your Library/Fonts folder.

----
Timothy Sipples
IT Architect Executive, Digital Asset & Other Industry Solutions, IBM Z &
LinuxONE


E-Mail: sipp...@sg.ibm.com



IBM 3270 Font Available in Various Formats

2020-01-20 Thread Timothy Sipples
For those of you who'd like an "IBM 3270" font for various purposes,
there's one available here:

https://github.com/rbanffy/3270font

Please check the license agreement:

https://github.com/rbanffy/3270font/blob/master/LICENSE.txt

Maybe this'll be a popular font for commands and code samples in future
SHARE, GSE, and other presentations? :-)

--------
Timothy Sipples
IT Architect Executive, Digital Asset & Other Industry Solutions, IBM Z &
LinuxONE


E-Mail: sipp...@sg.ibm.com


