W dniu 2014-05-07 01:21, Tony Harminc pisze:
On 6 May 2014 16:02, Darth Keller darth.kel...@.com wrote:
So maybe this is nit-picking but
It is VSAM datasets, not files
How does one distinguish between a dataset a file?
By name? Well, a file name looks like /usr/foo/bar or foo/bar or
Personally I prefer data set but comprehend dataset. A bit like Full
Function English and Limited Function English. :-)
Lights blue touch paper but fails to stand well back. :-)
Cheers, Martin
Martin Packer,
zChampion, Principal Systems Investigator,
Worldwide Banking Center of Excellence, IBM
I always thought file went with DD and data set with physical object.
Cheers, Martin
Martin Packer,
zChampion, Principal Systems Investigator,
Worldwide Banking Center of Excellence, IBM
+44-7802-245-584
email: martin_pac...@uk.ibm.com
Twitter / Facebook IDs: MartinPacker
Blog:
Issue has been resolved after removing the black space on column 7 etc.
Thanks for helping .
On Tue, May 6, 2014 at 8:43 AM, Lizette Koehler stars...@mindspring.comwrote:
One other thought.
Have you looked at the TSO Segment on your SAF for this TSO ID? Maybe it
is missing something
W dniu 2014-05-06 13:29, Karla Arndt pisze:
Runtime Diagnostics (HZR) does 7 types of analysis only one of which has any
association with OPERLOG.
Side question: where is it documented? I mean Runtime Diagnostic
documentation.
I can't find the manual.
--
Radoslaw Skorupka
Lodz, Poland
Has anyone successfully sent data to a Linux FTP server using TLS security
from the z/OS FTP client?
I have a Linux server running vsftpd - I've been using it for years to send
SMF data. I've added TLS support to this server. I've verified that the
Secure connect works via a Filezilla client,
On Wed, 7 May 2014 08:25:47 -0400, Mark Pace wrote:
Has anyone successfully sent data to a Linux FTP server using TLS security
from the z/OS FTP client?
Is SFTP an option?
-- gil
--
For IBM-MAIN subscribe / signoff / archive
Make sure client and server have a common cipher.
SSL_AES_128_SHA and SSL_AES_256_SHA are probably more
commonly used than SSL_RC4_SHA.
Make sure the linus root certificate is in your z/OS client keyring.
--
Donald J.
--
http://www.fastmail.fm - A no graphics, no pop-ups email service
The cipher was one of my early problems. But I figured that one out.
vsftpd - ssl_ciphers=RC4-SHA
z/OS - CIPHERSUITE SSL_RC4_SHA
I'm certain that this Keyring is (part of) my problem. Stumbling through
RACF I have found that the GoDaddy Root CA is already defined in z/OS, but
still trying to
racdcert id(userid) listring(ring.name)
racdcert id(userid) connect(ring(ring.name) LABEL('GoDaddy Root Label')
CERTAUTH usage(CERTAUTH) )
--
Donald J.
On Wed, May 7, 2014, at 06:34 AM, Mark Pace wrote:
The cipher was one of my early problems. But I figured that one out.
vsftpd -
If you're authorized to issue RACF commands, try SR CLA(DIGTRING) to list
defined key rings (format is userid.ringname), then RACDCERT ID(userid)
LISTRING(ringname or *) to see the ring(s) contents.
Also ensure that the root cert you're interested in has TRUST status (default
is NOTRUST).
Why is blksize concerning you? Are you trying to reduce tape usage (reducing
IRG) or make backup faster? Something entirely different?
If it's to speed up the dump, then as Lizette says, optimize will reduce
overall time but take care because it can have an affect on other work. You may
cause
I remember setting up something very similar to connect to IBM. So I
added the GoDady cert to the same keyring.
sr cla(digtring)
IBMUSER.smpemaint
*IBMUSER.FtpSecur *
IBMUSER.IBMRing
IBMUSER.SecureFTPKeyRing
IBMUSER.SMPEMAINT
TN3270.TNRING
***
racdcert id(ibmuser) listring(*FtpSecur*)
Trying to turn on some DEBUG information
DEBUG FLO
FC1003 authServer: secure_socket_init failed with rc = 410 (SSL message
format is incorrect)
So not to try to figure out where to find this error message.
On Wed, May 7, 2014 at 10:19 AM, Mark Pace pacemainl...@gmail.com wrote:
I remember
I'm not sure we have a white paper. Will one of our announcement
letters do?
z/OS V2.1 is designed to allow System z servers to run at utilization
levels as high as 100%.
From
SC24-5901
410 SSL message format is incorrect.
Explanation: An incorrectly formatted SSL message is
received from the communication partner.
User response: Collect a System SSL trace
containing a dump of the SSL message and then
contact your service representative
You usually have to run a GSK
If you aren't using any client certs, it is easier to just use a
RAC virtual keyring for CERTAUTH server authentication:
KEYRING *AUTH*/*
--
Donald J.
dona...@4email.net
On Wed, May 7, 2014, at 07:38 AM, Mark Pace wrote:
Trying to turn on some DEBUG information
DEBUG FLO
FC1003
First - thank you for the manual number so that I can look these up.
Now - Dunce hat firmly in place.
I've no idea what AT-TLS environment means.
On Wed, May 7, 2014 at 11:00 AM, Donald J. dona...@4email.net wrote:
SC24-5901
410 SSL message format is incorrect.
Explanation: An incorrectly
On Wed, 7 May 2014 10:47:49 -0400, John Eells wrote:
http://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/8/649/ENUSA13-0568/index.htmllang=enrequest_locale=null
A Long Time Ago in a Data Center Far, Far Away (well, OK, just down the
road from Poughkeepsie in East Fishkill), we
I've worked for a bank and a wholesaler that both routinely ran at 100%.
Service levels were met, but people were always griping about the usage.
As John said, no harm no foul.
-
-teD
-
Original Message
From: John Eells
Sent: Wednesday, May 7, 2014 10:48
To: IBM-MAIN@LISTSERV.UA.EDU
Reply
On Wed, 7 May 2014 11:06:32 -0400, Mark Pace wrote:
First - thank you for the manual number so that I can look these up.
I've no idea what AT-TLS environment means.
By rote memorization: Application Transparent Transport Layer Security.
Transparent would seem to imply that the Application (in
Hi all,
A few of my IBM colleagues and myself are attempting to create a new
community for System z on StackExchange, covering everything System z
related. If you haven't seen StackExchange before, it is an excellent and
easy to find place to ask questions, share answers or even just vote on
Radoslaw,
SG24-8070-00 Extending z/OS System Management Functions with IBM zAware (z
Advanced Workload Analysis Reporter) (august 1, 2013)
page 32-42 2.4 Runtime Diagnostics
· Runtime Diagnostics searches OPERLOG for any occurrences of an
IBM-defined list of messages
+1!
On Wednesday, 7 May 2014, Christopher Hodgins chris.hodg...@uk.ibm.com
wrote:
Hi all,
A few of my IBM colleagues and myself are attempting to create a new
community for System z on StackExchange, covering everything System z
related. If you haven't seen StackExchange before, it is an
All:
I have written a C program using threads and have a question. I have an
external message table that I need to be persistent between threads. The
message table is loaded from an external QSAM file. Program in Cobol loads the
table. I want to be able to use the message table in other
The DEFAULT YES would be used for a client certificate,
not for a CERTAUTH entry.
--
Donald J.
Digital ring information for user IBMUSER:
Ring:
FtpSecur
Certificate Label Name Cert Owner USAGE DEFAULT
Crap - I've gotten myself so confused.
That was a client certificate I put in many years ago when we did SSL on
our TN3270 connections. I think I still need to add the Go Daddy root
certificate, which what I thought that one was. How I hate this stuff.
On Wed, May 7, 2014 at 11:43 AM, Donald
I didn't see in this thread any mention of proxy. In our case, company
policy requires use of a proxy for outside connections to vendors,
including IBM. We cannot use FTPS from mainframe because our proxy (an
appliance) does not understand FTPS and treats any FTPS command as a
syntax error.
Victor, You should be able to reply on the blocksize recorded in rmm. Just like
other tape systems it gets it from the system.
Assuming you are on a supported level of z/OS, rmm should record all you need
to know about logical and physical view of the data sent to tape by the
application and
Nope - no proxy involved.
On Wed, May 7, 2014 at 11:53 AM, Skip Robinson jo.skip.robin...@sce.comwrote:
I didn't see in this thread any mention of proxy. In our case, company
policy requires use of a proxy for outside connections to vendors,
including IBM. We cannot use FTPS from mainframe
Victor, You still haven't provided details of what the 'tape drive' really
is.
Virtual or a real drive - and then which virtual system/physical drive type and
media type - It can make a big difference
Mike
--
For IBM-MAIN
Radoslaw,
A redbook not being a real official manual,
look at
G325-2564-09 zOS V1R13.0 Problem Management (e0z1k151)
page 39-45Runtime Diagnostics symptoms
http://publibfp.dhe.ibm.com/epubs/pdf/e0z1k151.pdf
or
Hi friends...you have been helpful to in so many areas so far, and now I
have a question about using SORT.
I have an application that creates a CSV file (sort of) on the mainframe.
The data rows start with a field DATA before the actual data fields, and
there is a Header row that has a lot more
On Wed, 7 May 2014 12:28:25 -0400, Bill Ashton wrote:
... The file is a VB file with LRECL=0 and BLKSIZE=4096. ...
???
-- gil
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to
It is definitely TLS and not ATTLS.
GSKSRVR trace is your friend.
Biggest issues that i have had
-Self signed certs are not allowed courtesy of TLS 1.0
-RFC level is very important!!!
-Firewalls and extended pasv are not supported by many clients
Rob
On May 7, 2014 11:51 AM, Mark Pace
These are not self signed certs. It was issued by Go Daddy. Why I was
trying to add the Root authority certificate, and failed.
Still researching what FC level vsftpd uses for TLS
No firewalls involved, at least for this test. This a hipersocket
connection between z/OS and a Linux for System
I saw this same message before. We had a guy here that ran a tcp trace
during the connection process, moved it to a linux workstation and used
TCPDUMP? on it. What he determined was the windows server we were trying
to connect to had a checkpoint firewall and it actually was re-writting
the
The file is a VB file with LRECL=0 and BLKSIZE=4096
Billy Ashton,
Are you sure the LRECL is 0 ? I assuming it is a typo. It is quite is
easy to drop the trailer record and format the detail records. I did not
understand what you wanted to do with the Header record. Can you explain
it a bit
eamacn...@yahoo.ca (Ted MacNEIL) writes:
From
http://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/8/649/ENUSA13-0568/index.htmllang=enrequest_locale=null
A Long Time Ago in a Data Center Far, Far Away (well, OK, just down the
road from Poughkeepsie in East Fishkill), we
Anything is possible. The vsftpd server is of no use for debugging. There
is an ssl_debug parameter, but it doesn't produce any output.
On Wed, May 7, 2014 at 1:19 PM, Brian France b...@psu.edu wrote:
I saw this same message before. We had a guy here that ran a tcp trace
during the
You said latest, so maybe you have tried others. In the parms listed here, your
keyring is commented out.
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
On Behalf Of Mark Pace
Sent: Wednesday, May 07, 2014 5:26 AM
To:
And for giggles I setup another Linux FTP server - this one pure-ftpd -
again no issues connecting with a windows FTPS client - still no connection
with z/OS.
On Wed, May 7, 2014 at 2:39 PM, Mark Pace pacemainl...@gmail.com wrote:
Yes - it was at that time. Since I started working on the RACF
Group:
I post very little here because I have little or no trouble with the 5 old IBM
systems I administer though I do enjoy reading other people's posts. I can't
say the same thing about the z10 system that I help with on occasion. I have
posted on this system before - it is in Oklahoma City
I am now reminded of a difficulty I had with this once. My plea to the list(s)
resulted in this:
Skip to site navigation (Press enter)
Re: FTP TLS Handshake Fails with SSL RC 410 Cal McCracken Thu, 10 Mar 2011
07:44:54 -0800
Thanks to a private responder, I was able to get this resolved. I
Is the DS6800 so sensitive that a power outage would corrupt the data every
single time or could something else be going on here?
Last summer we had a DS6800 go casters up. IBM couldn’t fix it. We ended up
restoring everything to a DS8800.
I doubt you can IPL from tape because you don't
You mentioned DDR in your OP. Is this a z/VM system?
AFAIK, a z10 can be IPL'ed from tape, ...z/OS *cannot*.
There are stand alone versions of ICKDSF (to init DASD) and DF/DSS to restore
data. The load parms are different and the activation profile will need to be
changed to ipl the stand
You did do a:
SETROPTS RACLIST(DIGTCERT) REFRESH
after last changing the keyring?
What does the LISTRING show now?
Does the userid submitting the batch job have any ICH408I
errors in the log?
--
Donald J.
--
http://www.fastmail.fm - Send your email first class
OK, I worked on this offline with Sri Kolusu, and it works great. Here are
the details.
For a file with seven column names interspersed in multiple header fields
like this:
5+6+7+8+9+0+1+--
...003,FIELD,*EMP NO*,N,005,00,N,FIELD,*ACT
Hi,
Is there a way to set up a JES2 output class so that output written to that
class is automagically sent via FTP to a server? It seems that there may be
third party products that do this, but is anything native to JES available?
I realize there are other ways to skin this cat, but that is the
On 5/7/2014 at 08:25 AM, Mark Pace pacemainl...@gmail.com wrote:
I'm beginning to think I am doing something fundamentally wrong instead of
it being a matter of wrong parameters.
//FTP EXEC PGM=FTP,REGION=5M,PARM='(EXIT'
//SYSPRINT DD SYSOUT=*
//SYSFTPD DD
Hi, Mark -
That is contained in the ftp.data file DD name SYSFTPD. In this case the
DSN is
MARPACE.JCL.CNTL(FTPSDATA)
which contains
SECURE_CTRLCONN CLEAR
SECURE_DATACONN PRIVATE
SECURE_FTP REQUIRED
SECURE_HOSTNAME OPTIONAL
SECURE_MECHANISM TLS
KEYRING IBMUSER/FtpSecur
TLSPORT
Bottom line: No. And you say you don't want alternatives, so I'll say no
more.
On Wed, May 7, 2014 at 2:24 PM, Sproull, George J CTR DISA ESB (US)
george.j.sproull@mail.mil wrote:
Hi,
Is there a way to set up a JES2 output class so that output written to that
class is automagically
Hi Karl,
Down system + IBM contract = sev1 depending on your contract terms.
At this point, could be a number of things. What was your resolution last time?
The IBM manuals you mentioned should be available online.
HTH,
Linda
Sent from my iPhone
On May 7, 2014, at 12:12 PM, Karl Severson
I see you have pasv_enable=yes
I think there's a setting in z/OS parms maybe related. EPSV4 True
On 5/7/2014 3:36 PM, Mark Pace wrote:
I had looked at that also. The vsftpd config - comments removed for
brevity.
listen=YES
max_clients=20
use_localtime=YES
log_ftp_protocol=YES
# enable FTPS
Last summer we had a DS6800 go casters up. IBM couldn’t fix it. We ended up
restoring everything to a DS8800.
So is the DS8800 a more robust unit? I'm beginning to think the DS6800 on this
system is a lemon.
doubt you can IPL from tape because you don't have some of the requisite
That's an interesting idea. I wonder how you would specify the ftp server,
userid, password, and remote file name (with path) to such a WRITER. But,
from what I read, the OP want something out of the box from IBM
integrated into JES itself.
On Wed, May 7, 2014 at 2:51 PM, Barkow, Eileen
Mark,
This may be yet another case where running strace or ltrace on the server side
will give you some insight into what is going on. If you don't want to go down
that road, i would say it's time to open up a PMR with IBM.
Mark Post
OP did not mention z/VM, but z/OS. So I'll bet DDR is not in the picture.
The OP would need a standalone ADRDSSU (or FDR) IPLable tape. And maybe an
IPLAble ICKDSF tape. Which, if his system is _down_, he cannot create.
On Wed, May 7, 2014 at 2:53 PM, Karl Severson
You mentioned DDR in your OP. Is this a z/VM system?
Yes, zVM 6.1
AFAIK, a z10 can be IPL'ed from tape, ...z/OS *cannot*.
There are stand alone versions of ICKDSF (to init DASD) and DF/DSS to restore
data. The load parms are different and the activation profile will need to be
changed to
Maybe you can write a writer routine that when specified gets control and ftp's
or does whatever.
JES2MAIL gets control via the WRITER= parm specified for the output and can be
programmed to ftp and do other things,
so you can probably write your own WRITER routine.
-Original
JES2MAIL can do all that (read files and sysout queues, ftp out, write files,
etc)
so if they can do it, any 'REALLY GOOD' programmer can probably figure it out.
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf
Of John McKown
Sent:
Yes, I did the digtcert refresh
Digital ring information for user IBMUSER:
Ring:
FtpSecur
Certificate Label Name Cert Owner USAGE DEFAULT
---
GeoTrust Global CA CERTAUTH
So is the DS8800 a more robust unit?
Yes. You get what you pay for. Until last year we never had a major problem
with a DS6800.
The UTILITY UTILTAPE command will create a bootable tape which will start a
DDR session so that volumes backed up with DDR can be restored.
Sounds like a small
Add this to the FTP Client job parms:
// PARM=('ENVAR(GSK_TRACE=0X,GSK_TRACE_FILE=/tmp/gskwix.trc)',
//'/-r TLS (TRACE EXIT')
There is a formatted documented with gsktrace. Should get you to the exact
error when you format gskwix.trc
Yes, that would be an interesting project to do. I was just asked this
question by a user who doesn't do development and has no budget for additional
products, so I told him that I would run it by you folks. I think I'll
recommend that he create an output file and have our scheduling system
OP did not mention z/VM, but z/OS. So I'll bet DDR is not in the picture.
The OP would need a standalone ADRDSSU (or FDR) IPLable tape. And maybe an
IPLAble ICKDSF tape. Which, if his system is _down_, he cannot create.
Yes, sorry I didn't mention zVM 6.1. I mentioned 610RES as the main resident
Hi Karl,
Down system + IBM contract = sev1 depending on your contract terms.
At this point, could be a number of things. What was your resolution last time?
The IBM manuals you mentioned should be available online.
HTH,
Linda
Yup, sev1. Resolution last time was to reconfigure the DS6800
Thank you. I will give that a try tomorrow. Today - my brain hurts. :)
On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave gib...@wsu.edu wrote:
Add this to the FTP Client job parms:
// PARM=('ENVAR(GSK_TRACE=0X,GSK_TRACE_FILE=/tmp/gskwix.trc)',
//'/-r TLS (TRACE EXIT')
There is a
On Wed, 7 May 2014 14:55:22 -0500, John McKown wrote:
That's an interesting idea. I wonder how you would specify the ftp server,
userid, password, and remote file name (with path) to such a WRITER. But,
from what I read, the OP want something out of the box from IBM
integrated into JES itself.
OOPS, my bad. I should have realized from the VOLSERs that it was z/VM.
BTW - I, personally, _never_ IPL via an activation profile. I just use the
LOAD function on the Recovery page. I drag the LPAR icon onto the LOAD
icon. This gives me a pop up in which I can put the IPL volume and LOAD
That is the simplest way. At our shop, the job which creates the dataset
will then usually do the ftp in a later step, using a DD type put.
On Wed, May 7, 2014 at 3:05 PM, Sproull, George J CTR DISA ESB (US)
george.j.sproull@mail.mil wrote:
Yes, that would be an interesting project to do.
You need to change that to DEFAULT NO.
--
Donald J.
dona...@4email.net
On Wed, May 7, 2014, at 01:01 PM, Mark Pace wrote:
Yes, I did the digtcert refresh
Digital ring information for user IBMUSER:
Ring:
FtpSecur
Certificate Label Name Cert Owner USAGE
The z10 manuals on the HMC are available on IBM's Resource Link. But you
need a IBM logon id to get to that site.
Yes, thanks for the manual. I have an earlier version and have an IBM ID for
resource link. I copied and pasted the pages 140 to 143 in an email and sent
them to the customer to see
OOPS, my bad. I should have realized from the VOLSERs that it was z/VM.
BTW - I, personally, _never_ IPL via an activation profile. I just use the
LOAD function on the Recovery page. I drag the LPAR icon onto the LOAD
icon. This gives me a pop up in which I can put the IPL volume and LOAD
Until Bob Shannon recounted his experience with failed DASD (!), I would
have looked for a more likely explanation. Here's my first take. IODF gets
dynamically activated over a period of time. Depending on how rigorous you
are, the IOCDS in the SE may get updated less often. It's possible for
Is the chain complete? Check trust and Issuer's/Subject's Names. RACDCERT
LIST(LABEL('Go Daddy Class 2')) CERTAUTH. Do you have all the names? SEARCH
CLASS(DIGTCERT).
Regards,
Kevin
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf
z/VM discovers the I/O by itself. No need for RIO gen, or even specifying
in the PARM disk.
If z/OS is just running under z/VM, it just uses the software IOCDS. As
long as the device is
Defined, no need for an actual Control Unit or channel. Although I do go
through the exercise
in case I want
I agree with John McKown on trying just an IPL to see if it works. I suspect
this probably won't work.
Did you POR the machine after you re-installed the last time? If not, then you
might have a problem in how your IODF is defined. Maybe the IODF was built with
a new configuration but
z/VM is adept at finding its way through the thicket to discover reachable
devices. However, 'reachable' is determined by the hardware, and hardware
is driven by the IOCDS in control whether activated dynamically or PORed.
We killed a z/VM LPAR a while back by dynamically activating (from z/OS)
On Wed, 7 May 2014 10:47:49 -0400, John Eells wrote:
I'm not sure we have a white paper.
I would think a search of Techdocs for Kathy Walsh would be a good start.
But of course we need to define whose 100% we're talking about. z/OS has a
peculiar notion of CPU% - more so in virtualised
I agree with John McKown on trying just an IPL to see if it works. I suspect
this probably won't work.
Did you POR the machine after you re-installed the last time? If not, then you
might have a problem in how your IODF is defined. Maybe the IODF was built with
a new configuration but
Think the key is get a working VM system by whatever means available. From
there validate IO config.
Attach a few devices and see if they've got any data. Make a z/OS guest
with required devices and see if it will fly.
In a message dated 5/7/2014 5:54:34 P.M. Central Daylight Time,
Download a copy of ZZSA and burn it to a CD. Have Operations IPL that CD and
use it to explore the volumes, specifically the Resvol and IPL required
volumes (IODF Volume etc). From there you should have an idea as to what is
actually broken.
Jerry Whitteridge
Lead Systems Programmer
Safeway
IBM SUPPORT does not help in situations where it's a configuration issue. If
the error is the IOCDS was not updated, then they are not responsible. On the
other hand, if the problem is hardware, then hardware support is responsible
and if there is a software bug then software support is
IBM first publicly mentioned this new, lower pricing at the Mainframe 50
birthday event in New York on April 8, and now the official announcement
letter is posted:
http://www-01.ibm.com/common/ssi/rep_ca/3/897/ENUS214-223/ENUS214-223.PDF
What follows below is a summary of MWP -- what it is, and
We had a request for this years ago on our SyzSPOOL/z product (JES2 spool
management/viewer), and we designed it into the product, then it was determined
that the site really wanted the ability to decide where to send it on the
fly instead of automatically, so we added the ability to email any
Rather than using FTP, I would suggest using NFS or SAMBA (client or server) on
z/OS. Both are free on z/OS. Client is easy to setup and you probably have an
existing NFS server that is already mapped to the systems wanting access to the
data. It also allows you to specify the password in a
On Wed, 7 May 2014 21:52:14 -0700, Jon Perryman wrote:
Rather than using FTP, I would suggest using NFS or SAMBA (client or server)
on z/OS. Both are free on z/OS. Client is easy to setup and you probably have
an existing NFS server that is already mapped to the systems wanting access to
the
88 matches
Mail list logo
