Re: Using SSH or SCP in REXX under TSO
Hi Kirk.

My company is in the process of getting rid of zOS. By July 1, 2014, there will be no more z10 (zVM will be gone by July 1, 2013). I accomplished what I needed to do. Thank you for your help.

Yours truly,
Uriel

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Kirk Wolf [k...@dovetail.com]
Sent: Sunday, July 29, 2012 11:50 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Using SSH or SCP in REXX under TSO

> Uriel,
>
> z/OS is a great environment, it is a pity that your z/OS system has been stabilized.
>
> FWIW, Co:Z is offered under two licensing models:
> 1) the free Community License
> 2) an enterprise license and support agreement
> See: http://dovetail.com/support.html
>
> Several of the largest financial institutions in the world are enterprise customers. Please contact me offline if you need more information.
>
> Regards,
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Using SSH or SCP in REXX under TSO
Uriel,

z/OS is a great environment, it is a pity that your z/OS system has been stabilized.

FWIW, Co:Z is offered under two licensing models:
1) the free Community License
2) an enterprise license and support agreement
See: http://dovetail.com/support.html

Several of the largest financial institutions in the world are enterprise customers. Please contact me offline if you need more information.

Regards,
Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Thu, Jul 26, 2012 at 9:35 AM, Uriel Carrasquilla uriel.carrasqui...@mail.mcgill.ca wrote:

> Hi John.
>
> Great suggestion. For me to get Co:Z I would need to register Dovetail as a vendor even if we pay nothing. That would require a complete check on the company. Think about all the checks a bank wants to do on you when you request a $1m loan. Then I would need authorization from finance that the licenses and financial arrangements are the best we can get. Finance will ask me to review three options and present them all to them for a decision. I will then have to take the product to an IT review committee, mostly architects. At that point they will tell me that nothing new can be installed on the MF since it is off-limit. All new applications go on the Unix or Windows platform.
>
> I agree, Co:Z looks like a terrific product. I had read the manual a few months back. So I need to do my task with what I have.
>
> Cheers,
> Uri
Re: Using SSH or SCP in REXX under TSO
IMO, do not even bother. Petition the powers that be to allow you to install the Co:Z series of products. They have a zero cost option. Pursuing this option gives you all the functionality, just no support. A support contract is available, if you want it. In over 3 years of using it, I've never had a problem. You can download them starting at this web site: http://dovetail.com/solutions.html . At the very least, get Co:Z Batch and Co:Z launcher. To make it really simple, get Co:Z Data Set Pipes as well. This latter does require installing some programs on the UNIX system.

The z/OS programs DO NOT require APF authorization or any special RACF authority. They are simply batch programs. The UNIX programs do not need to run setuid or setgid. Again, they run with no special authorization. Just put them somewhere on your normal ${PATH}. If, like me, you have your own ~/bin set up via your ~/.bashrc to be on the PATH, then you can install the Co:Z programs in it. Or you could even load the Co:Z programs in ~/coz and then in the in stream commands sent to your UNIX system, put ~/coz on the PATH. Example below.

Co:Z launcher, possibly with Co:Z Data Set Pipes, seems to be exactly what you want. What it does is establish an SSH connection to the remote UNIX system. It then sends the commands in DD STDIN to the remote UNIX system to be executed. The UNIX stdout and stderr come back to the z/OS job for printing on STDOUT and STDERR respectively.

Oh, I forgot to mention that use of the UNIX commands to transfer files does require one change to z/OS UNIX sshd_config configuration file. It requires a single line similar to

    subsystem dspipes /usr/local/coz/bin/dspipes

And remember! THIS COST YOU NOTHING TO USE! You don't even need to register your name or any other information with Dovetailed Technologies. Just go to the web site and download the software. They have a presence here and on MVS-OE. Kirk is very good about answering questions. They also have a free to use Web based forum to ask questions and get answers too.

    //PROCLIB JCLLIB ORDER=coz.samplib
    //XFER EXEC PROC=COZPROC,ARG='user@unix'
    //STDIN DD *
    # example commands run on unix as user
    uname -a
    ls -laR
    scp unix.file user@unix:zos.file #translated to EBCDIC
    # if you have the Co:Z UNIX program in ~/coz
    export PATH=${PATH}:~/coz
    # send file to z/OS data set, allocated to job
    # using DD OUT1
    todsn unix.file //DD:OUT1
    /*
    //OUT1 DD DISP=(NEW,CATLG),
    // DSN=hlq.UNIX.FILE,
    // LRECL=?,RECFM=?,DSORG=PS,
    // SPACE=(CYL,(20,10),RLSE),
    // UNIT=SYSDA,VOL=SER=??
    //

Also, if you use a shell prompt on your non-z/OS UNIX system, you can do file transfers with the UNIX based commands. I do this with Linux. On Linux, I have ~/.ssh/config set up with:

    host *
      controlmaster auto
      controlpath /home/myid/.ssh/ssh-%r@%h:%p
      controlpersist yes
    host zos1
      User myRACF
      IdentityFile /home/myid/.ssh/id_rsa.zos1

The z/OS system has id_rsa.zos1.pub contents placed into the authorized_keys file. I also have a symlink named authorized_keys2 to authorized_keys. Now, on your non-z/OS UNIX shell, you can ssh into z/OS

    ssh -Y zos1
    # reply the proper passphrase
    exit #terminate z/OS shell
    # return to non-z/OS UNIX shell
    #
    # Note that controlpersist yes means that the SSH connection to zos1
    # is still active!
    # get a copy of SYS1.MACLIB(READ), for instance:
    fromdsn -ssh myRACF@zos1 //'sys1.maclib(read)' > sys1.maclib_read.txt
    # Due to the controlpersist yes, you aren't prompted for your passphrase
    #
    # terminate SSH tunnel to zos1
    ssh -O exit zos1

--
John McKown
Systems Engineer IV
IT Administrative Services Group
HealthMarkets(r)
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets(r) is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM
Re: Using SSH or SCP in REXX under TSO
Ah. I hadn't realized that you worked for a financial institution. I know they are very regulated. We are not as regulated, but HIPAA regs have made things a bit more difficult for us too.

Have you looked at the bpxunix function? It allows you to run z/OS UNIX commands, redirecting stdin, stdout, and stderr from REXX. It is documented here: http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/BPXZB6A0/5.2

You might be able to do something like:

    /* REXX */
    stdin.1='cd /unix/subdirectory'
    stdin.2='ls -la'
    stdin.3='scp unix.file user@UNIX:/tmp'
    stdin.4='ls -l /tmp/unix.file'
    stdin.0=4
    stdout.0=0
    stderr.0=0
    call bpxunix '/bin/sh -L',stdin.,stdout.,stderr.
    do i=1 to stdout.0
      say 'stdout:'stdout.i
    end
    do i=1 to stderr.0
      say 'stderr:'stderr.i
    end
    /* alternate:
    call bpxunix '/bin/sh -L','DD:STDIN','DD:STDOUT','DD:STDERR'
    and create
    //STDOUT DD SYSOUT=*
    //STDERR DD SYSOUT=*
    //STDIN DD *
    scp unix.file user@UNIX:/tmp
    /*
    */

    //RUNIT EXEC PGM=IKJEFT01,PARM='%DOUNIX'
    //SYSTSPRT DD SYSOUT=*
    //SYSEXEC DD DISP=SHR,DSN=pds.containing.rexx.above

Remember! that scp on z/OS does an EBCDIC to ASCII translation. If you need a binary transfer, you'll need to use sftp.

--
John McKown

snip

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Uriel Carrasquilla
Sent: Wednesday, July 25, 2012 5:12 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Using SSH or SCP in REXX under TSO

> I need to copy files from zOS 1.11 to a Unix machine on a regular basis (not to USS or Linux under zVM). I came across a sample REXX under the IBM web site to execute USS shell commands (not a JCL solution but Rexx). The /bin directory has ssh and scp. I set up the id_rsa.pub so I can now ssh into my zOS/USS and from there I can scp files to my Unix machine. Once I ssh into zOS/USS, I can also ssh from zOS/USS to the same Unix machine with the id_rsa.pub set up. The above ssh and scp can be accomplished without a password because of the id_rsa.pub that was set up on remote Unix machine. Known hosts was properly set up the first time I went from zOS to Unix machine.
>
> But my task is not to sign on from remote machine via SSH to zOS/USS. My work needs to be originated from zOS and in some cases from TSO. The problem is that when I try to use my REXX from TSO, I cannot scp or ssh into my remote Unix machine. (yes, the one that when I used ssh to get to zOS/USS, I can go from there to my Unix machine - I hope I am not confusing everybody here).
>
> The REXX is using
>
>     BPXBATSL PGM /bin/scp uss-file u...@unix.com:/tmp
>
> I tried
>
>     BPXBATSL PGM /bin/ssh u...@unix.com 'ls
>
> to no avail. I keep on getting a return code of 2 without anything in STDOUT or STDERR.
>
> Does anybody have a sample REXX that can be shared to either scp or ssh to remote Unix from TSO? I have seen JCL to that effect using BPXBATCH but I have not tried it since I need the REXX.
>
> ps/ I am able to get BPXBATSL PGM /bin/ls to work by going to USS and pulling the ls listing.
Re: Using SSH or SCP in REXX under TSO
On Thu, 26 Jul 2012 09:55:07 -0500, McKown, John wrote:

> Remember! that scp on z/OS does an EBCDIC to ASCII translation. If you need a binary transfer, you'll need to use sftp.

I've not tried sftp. I'd expect that sftp and scp are both variants of ssh, and the EBCDIC-ASCII translation is intrinsic to the socket interface. Does z/OS sftp have a BINARY subcommand? Are you extrapolating too much from Co:z?

I used ssh rather than sftp or scp in the example I posted (I've enhanced it since) partly because of familiarity; partly it gives most control with least terminal interaction. Between two ASCII systems, I have done:

    ssh remote-host "cd wherever && tar -cf - ." | tar -xvf -

With EBCDIC, I'd need an iconv in the pipe.

I believe that if ssh (or kindred) needs to prompt for confirmation or password it will write the prompt to stderr and read the response from /dev/tty. This might work from native z/OS UNIX (USS), perhaps even from TSO OMVS. It's less likely from TSO or BPXWUNIX.

-- gil
Re: Using SSH or SCP in REXX under TSO
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
Sent: Thursday, July 26, 2012 10:20 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Using SSH or SCP in REXX under TSO

> On Thu, 26 Jul 2012 09:55:07 -0500, McKown, John wrote:
>
>> Remember! that scp on z/OS does an EBCDIC to ASCII translation. If you need a binary transfer, you'll need to use sftp.
>
> I've not tried sftp. I'd expect that sftp and scp are both variants of ssh, and the EBCDIC-ASCII translation is intrinsic to the socket interface. Does z/OS sftp have a BINARY subcommand? Are you extrapolating too much from Co:z?

No. sftp uses a separate SSH subsystem which does not do the code translation. IIRC, sftp as distributed by IBM only does a binary transfer. The Dovetailed Technologies enhancements to z/OS sftp allow for code translation. And, in addition, allows transfers to/from z/OS legacy data sets and access to the JES SPOOL (get output and put, as in submit, jobs).

> I used ssh rather than sftp or scp in the example I posted (I've enhanced it since) partly because of familiarity; partly it gives most control with least terminal interaction. Between two ASCII systems, I have done:
>
>     ssh remote-host "cd wherever && tar -cf - ." | tar -xvf -
>
> With EBCDIC, I'd need an iconv in the pipe.

You mean to do the equivalent of a binary transfer? I don't think you'd succeed. I almost never use ssh for file transfer. I guess because I find scp easier, for me.

    scp /wherever/* user@remote-host:/wherever/

On Linux, I've also done:

    cd /wherever; echo -e 'cd /wherever\nmput *\nquit\n' | sftp user@remote; cd -

> I believe that if ssh (or kindred) needs to prompt for confirmation or password it will write the prompt to stderr and read the response from /dev/tty. This might work from native z/OS UNIX (USS), perhaps even from TSO OMVS. It's less likely from TSO or BPXWUNIX.

You cannot do ssh under TSO OMVS. That is documented by IBM in the OpenSSH manual. The reason given on one of the forums was the fact that there is no way to nodisplay what you type in for the passphrase or password when running under TSO OMVS.

> -- gil

--
John McKown
Re: Using SSH or SCP in REXX under TSO
On Thu, 26 Jul 2012 10:37:28 -0500, McKown, John wrote:

> No. sftp uses a separate SSH subsystem which does not do the code translation. IIRC, sftp as distributed by IBM only does a binary transfer. The Dovetailed Technologies enhancements to z/OS sftp allow for code translation. And, in addition, allows transfers to/from z/OS legacy data sets and access to the JES SPOOL (get output and put, as in submit, jobs).

Thanks. I was unaware of that.

>>     ssh remote-host "cd wherever && tar -cf - ." | tar -xvf -
>>
>> With EBCDIC, I'd need an iconv in the pipe.
>
> You mean to do the equivalent of a binary transfer? I don't think you'd succeed. I almost never use ssh for file transfer. I guess because I find scp easier, for me.

I take that as a challenge.

>     scp /wherever/* user@remote-host:/wherever/
>
> On Linux, I've also done:
>
>     cd /wherever; echo -e 'cd /wherever\nmput *\nquit\n' | sftp user@remote; cd -

But will either of those do a recursive copy of an entire directory hierarchy?

> You cannot do ssh under TSO OMVS. That is documented by IBM in the OpenSSH manual. The reason given on one of the forums was the fact that there is no way to nodisplay what you type in for the passphrase or password when running under TSO OMVS.

Another challenge? If my Rexx works from the ISPF command line, I'd hardly expect it to fail from TSO OMVS. Need to try.

I believe ftp (not sftp) successfully masks the password from the TSO OMVS command line. There's a Rexx utility, getpass(prompt) to do that. But years ago I submitted a PMR that neither stty -echo nor the underlying syscall masked the command line for password entry. IBM fixed stty but not the underlying syscall. Go figger.

-- gil
Re: Using SSH or SCP in REXX under TSO
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
Sent: Thursday, July 26, 2012 10:55 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Using SSH or SCP in REXX under TSO

> On Thu, 26 Jul 2012 10:37:28 -0500, McKown, John wrote:
>
>> No. sftp uses a separate SSH subsystem which does not do the code translation. IIRC, sftp as distributed by IBM only does a binary transfer. The Dovetailed Technologies enhancements to z/OS sftp allow for code translation. And, in addition, allows transfers to/from z/OS legacy data sets and access to the JES SPOOL (get output and put, as in submit, jobs).
>
> Thanks. I was unaware of that.
>
>>>     ssh remote-host "cd wherever && tar -cf - ." | tar -xvf -
>>>
>>> With EBCDIC, I'd need an iconv in the pipe.
>>
>> You mean to do the equivalent of a binary transfer? I don't think you'd succeed. I almost never use ssh for file transfer. I guess because I find scp easier, for me.
>
> I take that as a challenge.
>
>>     scp /wherever/* user@remote-host:/wherever/
>>
>> On Linux, I've also done:
>>
>>     cd /wherever; echo -e 'cd /wherever\nmput *\nquit\n' | sftp user@remote; cd -
>
> But will either of those do a recursive copy of an entire directory hierarchy?
>
>> You cannot do ssh under TSO OMVS. That is documented by IBM in the OpenSSH manual. The reason given on one of the forums was the fact that there is no way to nodisplay what you type in for the passphrase or password when running under TSO OMVS.
>
> Another challenge? If my Rexx works from the ISPF command line, I'd hardly expect it to fail from TSO OMVS. Need to try.
>
> I believe ftp (not sftp) successfully masks the password from the TSO OMVS command line. There's a Rexx utility, getpass(prompt) to do that. But years ago I submitted a PMR that neither stty -echo nor the underlying syscall masked the command line for password entry. IBM fixed stty but not the underlying syscall. Go figger.
>
> -- gil

On z/OS 1.12, I went into TSO MVS and tried to ssh to my Linux desktop:

    LIH1:TSH009:/home/tsh009$ ssh tsh009@10.168.89.69
    FOTS1252 The SSH client cannot be run under OMVS.
    LIH1:TSH009:/home/tsh009$ sftp tsh009@189.169.89.69
    Connecting to 189.169.89.69...
    FOTS1252 The SSH client cannot be run under OMVS.
    FOTS0841 Connection closed
    LIH1:TSH009:/home/tsh009$

ftp does indeed run from TSO OMVS. And it does _not_ show the user's password when typed in. I guess the TSO OMVS people fixed the non-display functionality (or lack thereof), but the ssh client still refuses to work from TSO OMVS. Perhaps a z/OS 1.13 person would like to try?

--
John McKown
Re: Using SSH or SCP in REXX under TSO
> user_host = *** /* Sorry! */
> source_file = ***

For the user_host, I used my userid@host-name
For the source_file, is it a USS file? or can it be a zOS file?

> 'open (source_file)' O_RDONLY

reads the file but where is it used?

> map.1 = 1
> map.2 = 2

shouldn't these two parameters be pointing to STDOUT and STDERR respectively?

> 'spawn /bin/ssh 3 map. arg. env.'
> say RC RETVAL

wouldn't this just give me the PID in RETVAL? A -1 would mean that it did not spawn. I would expect ERRNO to contain the actual return code. Or I may have to use:

    'waitpid (spid) waitpid. 0'
    xrc = waitpid.W_EXITSTATUS

To get the actual return code for the spawn child.

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Paul Gilmartin [paulgboul...@aim.com]
Sent: Wednesday, July 25, 2012 8:10 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Using SSH or SCP in REXX under TSO

> On Wed, 25 Jul 2012 22:12:01 +, Uriel Carrasquilla wrote:
>
>> Does anybody have a sample REXX that can be shared to either scp or ssh to remote Unix from TSO? I have seen JCL to that effect using BPXBATCH but I have not tried it since I need the REXX.
>
> Crudely (error recovery is left as an exercise for the student), but it works:
>
>     /* Rexx */ signal on novalue; /* Doc: Using ssh from a Rexx EXEC. run on or */
>     trace R
>     user_host = *** /* Sorry! */
>     source_file = ***
>     parse source .
>     RC = SYSCALLS( 'ON' )
>     address 'SYSCALL'
>     'open /dev/null' O_RDWR /* busy out stdin, stdout, stderr. */
>     'open /dev/null' O_RDWR
>     'open /dev/null' O_RDWR
>     say RC RETVAL
>     'open (source_file)' O_RDONLY
>     stdin = RETVAL
>     map.0 = stdin
>     map.1 = 1
>     map.2 = 2
>     arg.1 = 'ssh'
>     arg.2 = user_host
>     arg.3 = 'set -x; cat foo-sshtest; echo done'
>     arg.0 = 3
>     env.1 = 'PATH=/bin:/usr/sbin'
>     env.0 = 1
>     'spawn /bin/ssh 3 map. arg. env.'
>     say RC RETVAL
>     'close' stdin
>     say RC RETVAL
>     exit( RC )
>
> -- gil
Re: Using SSH or SCP in REXX under TSO
Hi John.

is bpxunix something available? I am getting a label not found when the call to bpxunix is executed.

Thanks.

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of McKown, John [john.mck...@healthmarkets.com]
Sent: Thursday, July 26, 2012 10:55 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Using SSH or SCP in REXX under TSO

> Ah. I hadn't realized that you worked for a financial institution. I know they are very regulated. We are not as regulated, but HIPAA regs have made things a bit more difficult for us too.
>
> Have you looked at the bpxunix function? It allows you to run z/OS UNIX commands, redirecting stdin, stdout, and stderr from REXX. It is documented here: http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/BPXZB6A0/5.2
>
> You might be able to do something like:
>
>     /* REXX */
>     stdin.1='cd /unix/subdirectory'
>     stdin.2='ls -la'
>     stdin.3='scp unix.file user@UNIX:/tmp'
>     stdin.4='ls -l /tmp/unix.file'
>     stdin.0=4
>     stdout.0=0
>     stderr.0=0
>     call bpxunix '/bin/sh -L',stdin.,stdout.,stderr.
>     do i=1 to stdout.0
>       say 'stdout:'stdout.i
>     end
>     do i=1 to stderr.0
>       say 'stderr:'stderr.i
>     end
>     /* alternate:
>     call bpxunix '/bin/sh -L','DD:STDIN','DD:STDOUT','DD:STDERR'
>     and create
>     //STDOUT DD SYSOUT=*
>     //STDERR DD SYSOUT=*
>     //STDIN DD *
>     scp unix.file user@UNIX:/tmp
>     /*
>     */
>
>     //RUNIT EXEC PGM=IKJEFT01,PARM='%DOUNIX'
>     //SYSTSPRT DD SYSOUT=*
>     //SYSEXEC DD DISP=SHR,DSN=pds.containing.rexx.above
>
> Remember! that scp on z/OS does an EBCDIC to ASCII translation. If you need a binary transfer, you'll need to use sftp.
>
> --
> John McKown
Re: Using SSH or SCP in REXX under TSO
On Thu, 26 Jul 2012 16:13:12 +, Uriel Carrasquilla wrote:

> For the source_file, is it a USS file? or can it be a zOS file?

open() requires a USS file.

> 'open (source_file)' O_RDONLY
> reads the file but where is it used?

The descriptor gets assigned to map.0

> map.1 = 1
> map.2 = 2
> shouldn't these two parameters be pointing to STDOUT and STDERR respectively?

It was hasty. I'll attach an enhanced instance.

> Or I may have to use:
>
>     'waitpid (spid) waitpid. 0'
>     xrc = waitpid.W_EXITSTATUS
>
> To get the actual return code for the spawn child.

Ah, but that's error handling, left as an exercise ...

John M.: They fixed password masking ad hoc in ftp long ago. They never fixed ioctl/fcntl/whatever where the real problem that should have been fixed lies. They feel that getpass() is a satisfactory circumvention.

    /* -*/
    trace R
    signal on novalue
    parse source sys invoked exfn exft exfm excmd subenv .
    RC = SYSCALLS( 'ON' )
    address 'SYSCALL'
    'open (source_file)' O_RDONLY
    stdin = RETVAL
    if subenv=='SH' then do
        stdout = 1
        stderr = 2
        end;
    else do
        'pipe P.'
        stdout = P.2
        stderr = P.2; end
    map.0 = stdin
    map.1 = stdout
    map.2 = stderr
    arg.1 = 'ssh'
    arg.2 = user_host
    arg.3 = 'set -x; cat foo-sshtest; : Done'
    arg.0 = 3
    env.1 = 'PATH=/bin:/usr/sbin'
    env.0 = 1
    'spawn /bin/ssh 3 map. arg. env.'
    say RC RETVAL
    'close' stdin
    if subenv<>'SH' then do
        'close' P.2
        'readfile /dev/fd/'P.1 'L.'
        'close' P.1
        do I = 1 to L.0
            say L.I; end I; end
    exit( RC )

-- gil
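Added example, not part of the original thread or any poster's code: the error handling left "as an exercise" above, applied to a non-interactive scp started from TSO or batch. Because ssh reads prompts from /dev/tty, which a TSO-spawned child does not have, the client is told to fail rather than prompt (BatchMode and StrictHostKeyChecking are standard OpenSSH client options), its output is captured through a pipe as in the exec above, and the real exit status is collected with waitpid. The host, file path and the stem name parm. are placeholders chosen for this example.

```rexx
/* REXX - added example: non-interactive scp with error recovery     */
user_host   = 'user@unix.example.com'  /* placeholder, not from thread */
source_file = '/u/myid/unix.file'      /* placeholder z/OS UNIX path   */

if syscalls('ON') > 3 then do
  say 'Unable to establish the SYSCALL environment'
  exit 12
end
address 'SYSCALL'

'open /dev/null' O_RDONLY          /* child stdin: nothing to answer  */
if RC <> 0 | RETVAL = -1 then call fail 'open /dev/null'
nullfd = RETVAL

'pipe P.'                          /* P.1 = read end, P.2 = write end */
if RC <> 0 | RETVAL = -1 then call fail 'pipe'

map.0 = nullfd                     /* becomes fd 0 in the child       */
map.1 = P.2                        /* fd 1 and fd 2 share the pipe    */
map.2 = P.2

/* BatchMode=yes: fail instead of prompting for password/passphrase.  */
/* StrictHostKeyChecking=yes: fail if the host key is unknown or has  */
/* changed, instead of asking whether to accept it.                   */
parm.1 = 'scp'
parm.2 = '-o'
parm.3 = 'BatchMode=yes'
parm.4 = '-o'
parm.5 = 'StrictHostKeyChecking=yes'
parm.6 = source_file
parm.7 = user_host':/tmp/'
parm.0 = 7
env.1 = 'PATH=/bin:/usr/sbin'
env.0 = 1

'spawn /bin/scp 3 map. parm. env.'
if RC <> 0 | RETVAL = -1 then call fail 'spawn /bin/scp'
pid = RETVAL                       /* RETVAL is the child's process id */

'close' nullfd
'close' P.2      /* parent must drop the write end or EOF never comes */
L.0 = 0
'readfile /dev/fd/'P.1 'L.'        /* same technique as the exec above */
'close' P.1
do i = 1 to L.0
  say 'scp:' L.i                   /* whatever scp wrote to fd 1 or 2  */
end

st. = 0
'waitpid (pid) st. 0'              /* read only after EOF, then reap   */
if RC <> 0 | RETVAL = -1 then call fail 'waitpid'
if st.W_IFEXITED = 1 then xrc = st.W_EXITSTATUS
else xrc = 255                     /* ended by a signal                */
say 'scp exit status:' xrc
exit xrc

fail:
  parse arg what
  say what 'failed, RC='RC 'ERRNO='ERRNO 'ERRNOJR='ERRNOJR
  exit 16
```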
Re: Using SSH or SCP in REXX under TSO
OOPS. My bad. At the beginning of the REXX exec, you need something like:

    if syscalls('ON')>3 then do
      say 'Unable to establish the SYSCALL environment'
      return
    end

I keep forgetting that.

--
John McKown

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Uriel Carrasquilla
Sent: Thursday, July 26, 2012 11:27 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Using SSH or SCP in REXX under TSO

> Hi John.
>
> is bpxunix something available? I am getting a label not found when the call to bpxunix is executed.
>
> Thanks.
Re: Using SSH or SCP in REXX under TSO
On Wed, 25 Jul 2012 22:12:01 +, Uriel Carrasquilla wrote:

> Does anybody have a sample REXX that can be shared to either scp or ssh to remote Unix from TSO? I have seen JCL to that effect using BPXBATCH but I have not tried it since I need the REXX.

Crudely (error recovery is left as an exercise for the student), but it works:

    /* Rexx */ signal on novalue; /* Doc: Using ssh from a Rexx EXEC. run on or */
    trace R
    user_host = *** /* Sorry! */
    source_file = ***
    parse source .
    RC = SYSCALLS( 'ON' )
    address 'SYSCALL'
    'open /dev/null' O_RDWR /* busy out stdin, stdout, stderr. */
    'open /dev/null' O_RDWR
    'open /dev/null' O_RDWR
    say RC RETVAL
    'open (source_file)' O_RDONLY
    stdin = RETVAL
    map.0 = stdin
    map.1 = 1
    map.2 = 2
    arg.1 = 'ssh'
    arg.2 = user_host
    arg.3 = 'set -x; cat foo-sshtest; echo done'
    arg.0 = 3
    env.1 = 'PATH=/bin:/usr/sbin'
    env.0 = 1
    'spawn /bin/ssh 3 map. arg. env.'
    say RC RETVAL
    'close' stdin
    say RC RETVAL
    exit( RC )

-- gil