Re: Security (was: Software Delivery on Tape ...)

2018-04-04 Thread Lester, Bob
Hi Folks, As someone who is currently dealing with this - replacing unexpired certificates (to the Digicert Intermediate/CA from the Symantec CA) for our F5s and back-end servers, I can tell you that this is a pain in my butt. Can't renew while replacing unless within 90 days of

Security (was: Software Delivery on Tape ...)

2018-04-04 Thread Paul Gilmartin
On Wed, 4 Apr 2018 17:34:45 -0500, Walt Farrell wrote: > >Of course, you want a checksum method that is strong enough that an attacker >can't create a modified file that will have the same checksum. SHA-1 is no >longer strong enough to guarantee that, from what I've read. SHA-2 should be

Re: Software Delivery on Tape to be Discontinued

2018-04-04 Thread Charles Mills
> Whether the key itself is signed by a CA Keys are not signed, at least not generally. Messages may be signed; a process that involves two keys. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Andrew Rowley Sent:

Re: Security (was: Software Delivery on Tape ...)

2018-04-04 Thread Charles Mills
Three months may be the new normal. That is all that LetsEncrypt is doing. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Lester, Bob Sent: Wednesday, April 4, 2018 4:29 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Security

Re: Software Delivery on Tape to be Discontinued

2018-04-04 Thread Andrew Rowley
On 5/04/2018 1:01 PM, Charles Mills wrote: Keys are not signed, at least not generally. Messages may be signed; a process that involves two keys. What do you call it then when I generate a key pair and submit the public key to a CA, they perform some form of verification and return a

Re: Software Delivery on Tape to be Discontinued

2018-04-04 Thread Walt Farrell
On Wed, 4 Apr 2018 10:54:04 +1000, Andrew Rowley wrote: >On 4/04/2018 10:29 AM, Paul Gilmartin wrote: >> So is a signature any more secure than an independently verifiable checksum, >> or just more practical? >If you get the checksum via a reliable channel I think

Re: Software Delivery on Tape to be Discontinued

2018-04-04 Thread Paul Gilmartin
On Thu, 5 Apr 2018 08:56:04 +1000, Andrew Rowley wrote: >... You trust your vendor implicitly by using their browser. >> >> THAT is what CA/Browser Forum (CAB) industry group is all about. >Right, but I was just nitpicking the statement that a public key on a >website doesn't require a CA. >

Re: [External] Getting a VOLSER for a disk that is a member of a copy pair

2018-04-04 Thread Bill Wilkie
The doc says online, offline and both earlier in the doc. Sent from my iPhone > On Apr 4, 2018, at 3:42 PM, Pommier, Rex wrote: > > Actually I think an English major would disagree with your documentation > assessment. 3-Either means if it is either online or

Re: Security (was: Software Delivery on Tape ...)

2018-04-04 Thread Charles Mills
> As for Certificate Authorities, quis custodiet ipsos custodes? Google LOL. https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin

Re: Software Delivery on Tape to be Discontinued

2018-04-04 Thread Andrew Rowley
On 4/04/2018 11:02 PM, Alan Altmark wrote: Because you accessed the web site via https://, causing the transmission of the key to be encrypted and tamper-proof. Further, Charles' web site uses a certificate published by a Certificate Authority that YOU trust. Or more precisely, he uses a CA

Re: Security (was: Software Delivery on Tape ...)

2018-04-04 Thread Paul Gilmartin
On Wed, 4 Apr 2018 15:57:02 -0700, Charles Mills wrote: >> As for Certificate Authorities, quis custodiet ipsos custodes? > >Google LOL. >https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html > How will that be removed from my Firefox? Routinely, with updates, or will

Re: Software Delivery on Tape to be Discontinued

2018-04-04 Thread John Eells
Andrew Rowley wrote: On 3/04/2018 9:21 PM, John Eells wrote: If you have a requirement for packages signed with strong algorithms, please open an RFE. Is the SMP/E package signed, or just checksummed? A stronger hash is no real value if the hash itself can be substituted because it is not

Re: Zconnect

2018-04-04 Thread John Eells
Timothy Sipples wrote: I probably should have also mentioned that z/OS Management Facility (z/OSMF) provides REST APIs for such tasks as provisioning services, submitting jobs, console interface services, and much more. z/OSMF is a no additional charge feature in the base z/OS operating system,

Re: Zconnect

2018-04-04 Thread Timothy Sipples
Len Sasso wrote: >I'm sorry, but I meant accessing, via a REST API, an external >Website and downloading a file from the external site? You could use either the z/OS Client Web Enablement Toolkit (for basic function) or z/OS Connect Enterprise Edition (fuller function) to do that. z/OS would then

Re: Software Delivery on Tape to be Discontinued

2018-04-04 Thread Charles Mills
I guess you would call that "issuing a certificate." Certificates -- the entire certificate -- are signed. They include a public key. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Andrew Rowley Sent: Wednesday, April 4,

Re: File access from remote systems

2018-04-04 Thread Jim Ruddy
There is a product called Distributed FileManager/MVS which I believe used to have a Windows client (1997) but now only seems to support OS/2, AS400, and AIX. For more info look at https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.idag200/d9069.htm to see if this is

Re: Zconnect

2018-04-04 Thread Sasso, Len
Does it include the ability to access and download a file from a REST API site? Thank You, Len Sasso System Administrator Out-Of-The-Office: TEAM: Together Everyone Achieves More RDC - 327 Columbia TPKE, Rensselaer NY 12144-4400 t: +1.518.257.4209 | m: +1.518.894.0879 len.sa...@csra.com |

Mini recovery system build

2018-04-04 Thread Tony Thigpen
I have been tasked with bringing our mini recovery system to a more current level. It's 'way back there', it's actually pre-z/OS. Our current production system is z/OS 1.13. Can anybody point me to a power-point or other document that I can use as a guide for this process? -- Tony Thigpen

Re: Mini recovery system build

2018-04-04 Thread Lou Losee
http://mzelden.com/mvsutilr.html#jobs Lou -- Artificial Intelligence is no match for Natural Stupidity - Unknown On Wed, Apr 4, 2018 at 7:20 AM, Tony Thigpen wrote: > I have been tasked with bringing our mini recovery system to a more > current level. It's 'way back

Re: Software Delivery on Tape to be Discontinued

2018-04-04 Thread Alan Altmark
On Wed, 4 Apr 2018 10:58:16 +1000, Andrew Rowley wrote: >How do I verify that the key that I see browsing your website is really >yours and hasn't been e.g. substituted in transit? Key exchange is the >hardest bit of cryptography. Because you accessed the web site

Re: Software Delivery on Tape to be Discontinued

2018-04-04 Thread Charles Mills
Thanks, @Alan, I missed @Andrew's question (or rather, my SPAM filter missed it for me). Alan's answer is unquestionably the correct one -- and also, I think in the earliest days of digital signatures, before the use of SSL/TLS browsing was widespread, the idea was that my public key was

Re: Mini recovery system build

2018-04-04 Thread W Mainframe
Tony, I believe Mark Zelden's website has a lot of scripts for building mini systems. Dan Sent from Yahoo Mail for iPhone On Wednesday, April 4, 2018, 9:20 AM, Tony Thigpen wrote: I have been tasked with bringing our mini recovery system to a more current level. It's 'way back

Re: Zconnect

2018-04-04 Thread John Eells
Sasso, Len wrote: Does it include the ability to access and download a file from a REST API site? Yes. You can find it, read it, and write it, in fact (and much more). Please see Table 273 on PDF p. 508 in IBM z/OS Management Facility Programming Guide, here, for a list of what you can do

Re: Zconnect

2018-04-04 Thread Sasso, Len
I'm sorry, but I meant accessing, via a REST API, an external Website and downloading a file from the external site? Thank You, Len Sasso System Administrator Out-Of-The-Office: TEAM: Together Everyone Achieves More RDC - 327 Columbia TPKE, Rensselaer NY 12144-4400 t: +1.518.257.4209 | m:

Re: Software Delivery on Tape to be Discontinued

2018-04-04 Thread R.S.
On 2018-04-04 at 02:58, Andrew Rowley wrote: On 4/04/2018 10:53 AM, Charles Mills wrote: No, a digital signature does not require an authority. I publish my public key on my Web site. How do I verify that the key that I see browsing your website is really yours and hasn't been e.g.

Re: Software Delivery on Tape to be Discontinued

2018-04-04 Thread Charles Mills
> IBM sign the hash (in fact they sign whole serverpac) I think the "whole serverpac" is effectively signed -- but the way that is done is to sign the hash. There are security advantages too long a digression for this reply. > If you really want to encrypt the content (ie. DVD files) then you

Re: Explanation about the SVCASF bit ("SVC can be assisted") in the SVC table?

2018-04-04 Thread Rob Scott
"SVC Assist" is a facility that performed some common housekeeping operations on behalf of the SVC - for example, copying the information stored at the last SVC interruption into the current request block, saving general registers, and loading the general registers with appropriate values. It

Re: Software Delivery on Tape to be Discontinued

2018-04-04 Thread R.S.
On 2018-04-04 at 17:34, Charles Mills wrote: IBM sign the hash (in fact they sign whole serverpac) I think the "whole serverpac" is effectively signed -- but the way that is done is to sign the hash. There are security advantages too long a digression for this reply. If you really want to

Re: File access from remote systems

2018-04-04 Thread R.S.
On 2018-04-03 at 19:44, Ward, Mike S wrote: Hello all, does anyone know of any software that allows access to VSAM, SEQ, CICS files from remote systems. I.E. distributed systems. How is the access done? Web service calls? MQ calls? Remote z/OS ? ;-))) Two free (built in) options: *

Re: Explanation about the SVCASF bit ("SVC can be assisted") in the SVC table?

2018-04-04 Thread Jim Mulder
SVC Assist has not been used since MVS/ESA SP3.1.0 (30 years ago), so the SVCASF bit has had no meaning for 30 years. It is on in the SVC 13 and SVC 26 entries because of some obsolete code in IEAVNPS5, which should have been deleted. However, this causes no harm, since the bit is not

Re: File access from remote systems

2018-04-04 Thread Ward, Mike S
No not a remote z/OS, but a distributed system. I.E. Intel and such. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of R.S. Sent: Wednesday, April 04, 2018 11:44 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: File access from remote

Re: Software Delivery on Tape to be Discontinued

2018-04-04 Thread Charles Mills
Yep, that's what TLS does. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of R.S. Sent: Wednesday, April 4, 2018 9:40 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Software Delivery on Tape to be Discontinued W dniu 2018-04-04

Re: Explanation about the SVCASF bit ("SVC can be assisted") in the SVC table?

2018-04-04 Thread Dori Polotsky
Thank you both for the historical perspective, and special thanks to Jim for the additional up-to-date clarification - it now makes much more sense. Best regards, Dori On Wed, Apr 4, 2018 at 8:44 PM, Jim Mulder wrote: > SVC Assist has not been used since MVS/ESA SP3.1.0

Getting a VOLSER for a disk that is a member of a copy pair

2018-04-04 Thread Bill Wilkie
I have a program that reads VOLSERS for offline volumes. It works fine for several flavors of VM and Z/OS, and returns the data in a few MS. But takes a minute when issued to a device in a copy pair. If I issue it a second time, it runs fast, so I suppose it could be coming from CACHE or some

Re: [External] Getting a VOLSER for a disk that is a member of a copy pair

2018-04-04 Thread Pommier, Rex
Actually I think an English major would disagree with your documentation assessment. 3-Either means if it is either online or offline, add it to the list, 3-Both says it has to be both online and offline to get included. :-) Rex -Original Message- From: IBM Mainframe Discussion List

Explanation about the SVCASF bit ("SVC can be assisted") in the SVC table?

2018-04-04 Thread Dori Polotsky
Hello, Does anyone know the meaning of the SVCASF bit (x'01') of the SVCTP byte of the SVC table? If I am not mistaken, on our system (z/OS 2.2 ADCD) following the IPL this bit is off for all SVC's except SVC 13 (ABEND, IEAVTRT2) and SVC 26 (LOCATE / CATALOG, IGG026DU). Also, I did not see an