Re: CPU time cost of dynamic allocation
Greg, I think you'll find that whether SVC 99 checks that a data set exists on disk or not depends on the text units used. If I want the 'does data set exist' check made I usually include the text unit to return data set organisation (DALRTORG). This ensures that the DSCB for the data set is read, thus generating an error if it does not exist. However, if I leave this text unit off the dynamic allocation then I can allocate the equivalent of the DD statement you quoted, and subsequently generate a 213-04 abend at OPEN time. However, I think standard TSO ALLOCATE does perform that check, so perhaps it too uses that same text unit. In my understanding step allocation performs the same checks, based on the DD statement keywords you specify. However, some of the text units used in dynamic allocation have no equivalent in the DD statement. See Table 87 on page 692 in MVS Programming: Authorized Assembler Services Guide - SA23-1371-30 for the z/OS 2.3 version. Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd Web: www.rsmpartners.com ‘Dance like no one is watching. Encrypt like everyone is.’ -Original Message- From: IBM Mainframe Discussion List On Behalf Of Greg Price Sent: 07 August 2019 03:00 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: [IBM-MAIN] CPU time cost of dynamic allocation On 2019-08-07 5:08 AM, Carmen Vitullo wrote: > I suspect dynamic allocation may be doing more that the IEFBR14 possibly? Well, DYNALLOC is certainly doing more that the job step initiation when it comes to allocation. Device allocation at step-start time is a largely CPU-bound affair with the only I/O usually being for catalog look-ups. That is why something like //MY DD DD DSN=FRED,DISP=OLD,UNIT=3390,VOL=SER=MYVOL1 will get a S213-04 at OPEN time when FRED does not exist. DYNALLOC will check that FRED exists on the volume - yes! it does "lots" of I/O to the data set's volume which batch device allocation does not perform. Data set name enqueue is done before device allocation, and most of it is done at job start time for data sets mentioned in JCL. DYNALLOC has to do the ENQ when it is called before looking at devices. Cheers, Greg -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Pervasive Encryption - why?
Phil Smith III wrote: >I feel that IBM inadvertently caused the confusion by calling >the data set encryption "PE" at first: the fact that this >thread refers to it as such actually supports that, no? You've made this assertion a couple times now, and it's not actually true as far as I can tell. IBM announced z/OS Data Set Encryption on February 21, 2017, in the z/OS 2.3 preview announcement. Refer to IBM Announcement Letters 217-085. Even if you believe IBM caused some confusion -- I cannot find much evidence in the historical record of official IBM communications, but if that's what you believe -- that's certainly NOT a reason to add any more. I've asked you to help reduce terminology confusion, not to increase it. Thanks. >>Obviously IBM is not opposed to application-level encryption! >>It's right there, at the top of the pyramid. Shouldn't you be >>happy with that? >I have seen that. I'm happy that IBM says that; I'd be happier >if z/OS Data Set Encryption wasn't being touted as providing >much more protection than it actually does. Doing so is not >helping customers or IBM. OK, I think that's pretty ridiculous. We (the world) could wait at least a couple decades before application developers finish adding application-level encryption everywhere it's needed, assuming they even do that well and correctly (competently, without malice) and in a way that facilitates rapid progression to more secure algorithms as cryptography advances (big assumptions). But have you actually noticed what's going on in the real world? Substantial, real progress that doesn't require application changes has strong merit. Shouldn't this be obvious? The world cannot wait decades to rise to the many security challenges. I don't know anybody at IBM (or elsewhere, for that matter) claiming that z/OS Data Set Encryption is the *only* security-related capability that customers should adopt. The "pyramid" certainly doesn't say that, and it's a popular diagram by now. But it is quite important, and turning it on doesn't require application changes. We had a similar dialog in 2017 (or thereabouts), and you had the same basic complaint as I recall. But I really don't know why you cannot point to the "pyramid" -- happily so! -- and promote your particular product if it has value to help add application-level encryption. "We solve this part!" if that's what you do. What on earth is wrong with that? I don't get it. Maybe you disagree with where particular customers are spending their always finite resources first, but those are debates to have with your prospective customers, surely and hopefully in a thoughtful, friendly way. IBM, for its part, is clearly and repeatedly saying "application-level encryption is important too." (Is the top of the "pyramid" a bad place?!?!) How a particular customer prioritizes implementation of application-level encryption, and where, is situational, of course. My views are my own, as a reminder. Timothy Sipples IT Architect Executive, Industry Solutions, IBM Z & LinuxONE E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Pervasive Encryption - why?
At $previousjob we had copies of the ICSF Master Encryption Keys stored in secure locations. During disaster recovery testing authorized people would re-enter those keys into the crypto-express hardware on that processor. One time we also lost a crypto-express card on our production machine. The working card handled all of our encryption/decryption processing and when the failed card was replaced, we had to enter the ICSF master keys into it before it was able to be used. Mark Jacobs Sent from ProtonMail, Swiss-based encrypted email. GPG Public Key - https://api.protonmail.ch/pks/lookup?op=get&search=markjac...@protonmail.com ‐‐‐ Original Message ‐‐‐ On Wednesday, August 7, 2019 2:55 AM, Arthur wrote: > On 6 Aug 2019 07:59:59 -0700, in bit.listserv.ibm-main > (Message-ID:lnxp265mb1484a20a9858d5a5271421bec7...@lnxp265mb1484.gbrp265.prod.outlook.com) > lenni...@rsmpartners.com (Lennie Dymoke-Bradshaw) wrote: > > > Access to the ICSF CKDS would not be enough, as the keys > > held there are encrypted (wrapped) using the master key. > > The master key is held in the Crypto Express domain > > corresponding to the LPAR in question. There is no > > interface to extract the master key from the Crypto > > Express device. The Crypto Express device is a FIPS 140-2 > > level 4 device so it will resist all sorts of attempts to > > get at the master keys. It will destroy those keys before > > you can get them out. > > Are you suggesting that if the Crypto Express device goes > belly-up, that all encrypted data is forevermore > unavailable? How does one decrypt during disaster testing > or a real disaster? > > --- > > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FAST PATH (IEWBFDAT) SQ CALL Fail 10800029
I tried two load modules using the load macro to load them into memory that I know execute And got the same error > On Aug 6, 2019, at 10:03 PM, Greg Price wrote: > >> On 2019-08-07 5:37 AM, Joseph Reichman wrote: >> The program is not a program object, anomalies were found in its >> structure, or the program is PO1 (program object, version 1) and the >> program contains overlay structures. The request was rejected > > So, would you swear on a stack of PLMs that MYMOD is neither a load module > from a PDS nor a segment overlay program object? > > If so, then it is time to post the entire parameter list passed to IEWBFDAT. > > Cheers, > Greg > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FAST PATH (IEWBFDAT) SQ CALL Fail 10800029
Greg was asking if you are trying to get info about load modules or program objects. The former isn't supported using IEWBFDAT. In article you wrote: > I tried two load modules using the load macro to load them into memory that > I know execute > And got the same error > > On Aug 6, 2019, at 10:03 PM, Greg Price wrote: > > > >> On 2019-08-07 5:37 AM, Joseph Reichman wrote: > >> The program is not a program object, anomalies were found in its > >> structure, or the program is PO1 (program object, version 1) and the > >> program contains overlay structures. The request was rejected > > > > So, would you swear on a stack of PLMs that MYMOD is neither a load module > > from a PDS nor a segment overlay program object? > > > > If so, then it is time to post the entire parameter list passed to IEWBFDAT. > > > > Cheers, > > Greg -- Don Poitras - SAS Development - SAS Institute Inc. - SAS Campus Drive sas...@sas.com (919) 531-5637Cary, NC 27513 -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Pervasive Encryption - why?
The master keys, which are stored securely inside the Crypto Express HSM and can never be extracted, are the top-level keys in the key hierarchy. Your application-level keys are stored outside the HSM, encrypted by the master keys. Thus, if the HSM fails, you still have the externally-stored application keys, and all you need is to restore the master key into a new HSM card - then, all of those application keys will again be usable. There are well-known and well-documented procedures for securely backing up and restoring the master keys. In general, they follow the principles of dual-control and split-knowledge. What this means is that the key value is mathematically broken into two or more separate values, such that none of those tells you anything at all about the value of the complete key. You need to combine them in order to obtain the complete master key. In most cases, the process that is used is to use "key components", which are sometimes called "key parts" - the components must all be exclusive-ored (XORed) together to form the master key, and that XOR only takes place inside the secure HSM card. Each component is protected by a separate person - a key component custodian - who keeps it safely locked up, and who enters it into the HSM when the master key must be loaded or restored. The other key component custodian(s) do the same for their components, and the HSM creates the complete master key inside. The components can be manually keyed in (typically on the smart card reader of a TKE workstation), or they may be stored on electronically-readable media. The preferred method with Z and TKE is to have TKE store them on secure smart cards, and then read them out of those cards when needed. With this approach, the key components are never outside a secure device in cleartext. Another, similar approach that is sometimes used is to use "key shares" instead of components. The difference is that with components, you must combine ALL of the components to form the master key, but with shares you only need a subset. This is typically called an m-of-n scheme, where you create n shares of the key, but any n of those can be combined to form the complete key. This means that you do not need all of the m key share custodians to be present to load the master key - any n of them will do. Note that Crypto Express does not support this for loading the master keys, but I wanted to include it here for completeness. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Pervasive Encryption - why?
Correcting a couple of careless "n" and "m" typos in my previous post... -- Another, similar approach that is sometimes used is to use "key shares" instead of components. The difference is that with components, you must combine ALL of the components to form the master key, but with shares you only need a subset. This is typically called an m-of-n scheme, where you create n shares of the key, but any m of those can be combined to form the complete key. This means that you do not need all of the n key share custodians to be present to load the master key - any m of them will do. Note that Crypto Express does not support this for loading the master keys, but I wanted to include it here for completeness. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FAST PATH (IEWBFDAT) SQ CALL Fail 10800029
Thanks would IEWBIND work with load modules meaning if I want link map from a load module Thanks > On Aug 6, 2019, at 10:03 PM, Greg Price wrote: > >> On 2019-08-07 5:37 AM, Joseph Reichman wrote: >> The program is not a program object, anomalies were found in its >> structure, or the program is PO1 (program object, version 1) and the >> program contains overlay structures. The request was rejected > > So, would you swear on a stack of PLMs that MYMOD is neither a load module > from a PDS nor a segment overlay program object? > > If so, then it is time to post the entire parameter list passed to IEWBFDAT. > > Cheers, > Greg > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Having trouble converting to user logs from sys1.brodcast
On my 2.3 sandbox system I am trying to convert to user datasets for brodcast, I've RTFM(s) and updated the parmlibs accordingly, seems to be a 2 step process to totally move from sys1.brodcast. current parmlib values for SEND SEND /* SEND COMMAND DEFAULTS */ + OPERSEND(ON) /* */ + USERSEND(ON) /* */ + SAVE(ON) /* */ + CHKBROD(OFF) /* */ + LOGNAME(ULOG.DATA.SYST) /* USERID.ULOG.DATA.SYST */ + USEBROD(OFF) /* */ + MSGPROTECT(ON) /* */ + SYSPLEXSHR(OFF) /* */ + BROADCAST(DATASET(SYS1.BRODCAST) + TIMEOUT(5) PROMPT) I/we get notifications fine from jobend via the notify= but testing the send command hangs, I IPL'd the system and tried again and received the same results, my ID, once notified of a batch job completed did allocate a ulog dataset but it's empty, I'm stumped as to what I've missed. any pointers or something I missed I'd appreciate thanks -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Current URI for SNA manuals?
I'm trying to update the list of references in https://en.wikipedia.org/wiki/IBM_Systems_Network_Architecture; each of these has a URL that now longer goes to the manual: Systems Network Architecture Technical Overview. Fifth Edition. IBM. January 1994. GC30-3073-04. Systems Network Architecture Guide to SNA Publications. Third Edition. IBM. July 1994. GC30-3438-02. Systems Network Architecture Formats. Twenty-first Edition. IBM. March 2004. GA27-3136-20. Systems Network Architecture: Transaction Programmer's Reference Manual for LU Type 6.2. Sixth Edition. IBM. June 1993. GC30-3084-05. Systems Network Architecture: Transaction Programmer's Reference Manual for LU Type 6.2. Sixth Edition. IBM. June 1993. GC30-3084-05. Systems Network Architecture Type 2.1 Node Reference. Fifth Edition. IBM. December 1996. SC30-3422-04. Systems Network Architecture LU 6.2 Reference: Peer Protocols. Third Edition. IBM. October 1996. SC31-6808-02. Does anybody have links to these or to more recent editions that are accessible by the general public? Also, I'd like to add the SNA Format and Protocol Logic (FAPL) manual, and don't know whether it was ever available online. Thanks. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Having trouble converting to user logs from sys1.brodcast
Best I can do is show you what we have had for decades. It's not a 'recommendation', just evidence of something that works. (I just noticed the comment about 'transition'. 😉 ) Be sure that your SAF rules are set properly. Remember that updates to user broadcast is done by the system, not by a particular user. I notice that we do not specify BROADCAST(); you might check the default. SEND /* SEND CMD FOR JTE23X2 */ + OPERSEND(ON) /* ALLOW OPER SEND */ + USERSEND(ON) /* ALLOW USER SEND */ + SAVE(ON) /* ALLOW MSG SAVE */ + USEBROD(OFF) /* ACTIONS TO TAKE IN */ + CHKBROD(OFF) /* TRANSITION PERIOD */ + LOGNAME(BRODCAST) /* USERLOG IS CALLED */ + MSGPROTECT(ON)/* 'BRODCAST.USERID' */ + SYSPLEXSHR(ON)/*SYSPLEX SHARING */ . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-543-6132 Office ⇐=== NEW robin...@sce.com -Original Message- From: IBM Mainframe Discussion List On Behalf Of Carmen Vitullo Sent: Wednesday, August 7, 2019 7:54 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: (External):Having trouble converting to user logs from sys1.brodcast On my 2.3 sandbox system I am trying to convert to user datasets for brodcast, I've RTFM(s) and updated the parmlibs accordingly, seems to be a 2 step process to totally move from sys1.brodcast. current parmlib values for SEND SEND /* SEND COMMAND DEFAULTS */ + OPERSEND(ON) /* */ + USERSEND(ON) /* */ + SAVE(ON) /* */ + CHKBROD(OFF) /* */ + LOGNAME(ULOG.DATA.SYST) /* USERID.ULOG.DATA.SYST */ + USEBROD(OFF) /* */ + MSGPROTECT(ON) /* */ + SYSPLEXSHR(OFF) /* */ + BROADCAST(DATASET(SYS1.BRODCAST) + TIMEOUT(5) PROMPT) I/we get notifications fine from jobend via the notify= but testing the send command hangs, I IPL'd the system and tried again and received the same results, my ID, once notified of a batch job completed did allocate a ulog dataset but it's empty, I'm stumped as to what I've missed. any pointers or something I missed I'd appreciate thanks -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Having trouble converting to user logs from sys1.brodcast
If it hangs then I suggest that you report it and work with IBM to get a fix. An error in your parmlib should give you an error message. Did you take a console dump of the hanging SEND command? -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List on behalf of Carmen Vitullo Sent: Wednesday, August 7, 2019 10:53 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Having trouble converting to user logs from sys1.brodcast On my 2.3 sandbox system I am trying to convert to user datasets for brodcast, I've RTFM(s) and updated the parmlibs accordingly, seems to be a 2 step process to totally move from sys1.brodcast. current parmlib values for SEND SEND /* SEND COMMAND DEFAULTS */ + OPERSEND(ON) /* */ + USERSEND(ON) /* */ + SAVE(ON) /* */ + CHKBROD(OFF) /* */ + LOGNAME(ULOG.DATA.SYST) /* USERID.ULOG.DATA.SYST */ + USEBROD(OFF) /* */ + MSGPROTECT(ON) /* */ + SYSPLEXSHR(OFF) /* */ + BROADCAST(DATASET(SYS1.BRODCAST) + TIMEOUT(5) PROMPT) I/we get notifications fine from jobend via the notify= but testing the send command hangs, I IPL'd the system and tried again and received the same results, my ID, once notified of a batch job completed did allocate a ulog dataset but it's empty, I'm stumped as to what I've missed. any pointers or something I missed I'd appreciate thanks -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FAST PATH (IEWBFDAT) SQ CALL Fail 10800029
Do you simply need a map, or do you need the ability for an application to get a map? For the former, there's always AMBLIST. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List on behalf of Joseph Reichman Sent: Wednesday, August 7, 2019 8:59 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: FAST PATH (IEWBFDAT) SQ CALL Fail 10800029 Thanks would IEWBIND work with load modules meaning if I want link map from a load module Thanks > On Aug 6, 2019, at 10:03 PM, Greg Price wrote: > >> On 2019-08-07 5:37 AM, Joseph Reichman wrote: >> The program is not a program object, anomalies were found in its >> structure, or the program is PO1 (program object, version 1) and the >> program contains overlay structures. The request was rejected > > So, would you swear on a stack of PLMs that MYMOD is neither a load module > from a PDS nor a segment overlay program object? > > If so, then it is time to post the entire parameter list passed to IEWBFDAT. > > Cheers, > Greg > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: CPU time cost of dynamic allocation
The Initiator does not check that the data set exists; if it did, the documented JCL for various utilities and service aids would not work. As you note, "some of the text units used in dynamic allocation have no equivalent in the DD statement." -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List on behalf of Lennie Dymoke-Bradshaw Sent: Wednesday, August 7, 2019 4:35 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: CPU time cost of dynamic allocation Greg, I think you'll find that whether SVC 99 checks that a data set exists on disk or not depends on the text units used. If I want the 'does data set exist' check made I usually include the text unit to return data set organisation (DALRTORG). This ensures that the DSCB for the data set is read, thus generating an error if it does not exist. However, if I leave this text unit off the dynamic allocation then I can allocate the equivalent of the DD statement you quoted, and subsequently generate a 213-04 abend at OPEN time. However, I think standard TSO ALLOCATE does perform that check, so perhaps it too uses that same text unit. In my understanding step allocation performs the same checks, based on the DD statement keywords you specify. However, some of the text units used in dynamic allocation have no equivalent in the DD statement. See Table 87 on page 692 in MVS Programming: Authorized Assembler Services Guide - SA23-1371-30 for the z/OS 2.3 version. Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd Web: http://secure-web.cisco.com/1i_vkpUB53TjjsdUxdu2Gwz3v0DXmssvECR89JmxSRUaXq-98XQWsx9nTMw3TmF5aC3UyhsWMculDvVK9VLe0U-mO8N6WYdjdylnqJcliTyEGGUx0ztU2hKlB0OOxcTvb7DtQlqigqGnV04fU58YSCrUGiXlb2FQ3seOaKau0zASdREliZF1KxDucvA8Fn7Tpxkt0S_qn5uOZekFbUXl4qWHbhx92UV8qaQojvIhbwTiR2Z4JEJpoZyCvxV-qJUp4KKsP55BqZdmhI1JBMmH7rX1fr2EHC8L7FfyBP3wcGJdL8vUjx5-m-fkP5WQC8UFQ9lsW-8wis1yz2vpmblUqIKTR6OqgKV_i3maORUvruxpbOMGeC_5OQ0AbYUVWLaEzZNoIzquJ-VtJlF6IimnKnH7FPz-A_bLmArJk_BjVBpqQ3zO9OP9dMB_ZdqFn5F9t/http%3A%2F%2Fwww.rsmpartners.com ‘Dance like no one is watching. Encrypt like everyone is.’ -Original Message- From: IBM Mainframe Discussion List On Behalf Of Greg Price Sent: 07 August 2019 03:00 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: [IBM-MAIN] CPU time cost of dynamic allocation On 2019-08-07 5:08 AM, Carmen Vitullo wrote: > I suspect dynamic allocation may be doing more that the IEFBR14 possibly? Well, DYNALLOC is certainly doing more that the job step initiation when it comes to allocation. Device allocation at step-start time is a largely CPU-bound affair with the only I/O usually being for catalog look-ups. That is why something like //MY DD DD DSN=FRED,DISP=OLD,UNIT=3390,VOL=SER=MYVOL1 will get a S213-04 at OPEN time when FRED does not exist. DYNALLOC will check that FRED exists on the volume - yes! it does "lots" of I/O to the data set's volume which batch device allocation does not perform. Data set name enqueue is done before device allocation, and most of it is done at job start time for data sets mentioned in JCL. DYNALLOC has to do the ENQ when it is called before looking at devices. Cheers, Greg -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: CPU time cost of dynamic allocation
>From years ago, I *think* an IEFBR14 step with DISP=(,CATLG) [or (,PASS)] does not physically allocate a dataset on a VOLSER but only registers it in the usercat. Have you checked whether it is in the VTOC? Chris Poncelet (retired sysprog) On 06/08/2019 20:38, Charles Mills wrote: > FWIW I tried adding DISP=(,PASS) to all of the DDs and adding another (BR14 > also) step. No difference in the step CPU time -- still 0.00 seconds. > > Of course, one could play guessing games all day. Is the Initiator smart > enough to know the whole job is one big no-op? I would guess not, but who > knows. > > Charles > > > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Paul Gilmartin > Sent: Tuesday, August 6, 2019 12:45 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: CPU time cost of dynamic allocation > > On Tue, 6 Aug 2019 12:25:05 -0400, Charles Mills wrote: >> OTOH I have an IEFBR14 batch job on the same machine that allocates 15 >> temporary datasets in JCL. The entire job lock, stock and barrel uses >> (according to IEF032I) .00 CPU seconds. Can anyone explain why JCL >> allocation is apparently much more CPU efficient than SVC 99 allocation? >> > Nowadays, z/OS performs some special optimization for IEFBR14 (it knows > it's not going to use those data sets anyway.) Might that come into play > here? > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > . > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FAST PATH (IEWBFDAT) SQ CALL Fail 10800029
Doing it from a program Thanks > On Aug 7, 2019, at 12:21 PM, Seymour J Metz wrote: > > Do you simply need a map, or do you need the ability for an application to > get a map? For the former, there's always AMBLIST. > > > -- > Shmuel (Seymour J.) Metz > http://mason.gmu.edu/~smetz3 > > > From: IBM Mainframe Discussion List on behalf of > Joseph Reichman > Sent: Wednesday, August 7, 2019 8:59 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: FAST PATH (IEWBFDAT) SQ CALL Fail 10800029 > > Thanks would IEWBIND work with load modules meaning if I want link map from a > load module > > > Thanks > >>> On Aug 6, 2019, at 10:03 PM, Greg Price wrote: >>> >>> On 2019-08-07 5:37 AM, Joseph Reichman wrote: >>> The program is not a program object, anomalies were found in its >>> structure, or the program is PO1 (program object, version 1) and the >>> program contains overlay structures. The request was rejected >> >> So, would you swear on a stack of PLMs that MYMOD is neither a load module >> from a PDS nor a segment overlay program object? >> >> If so, then it is time to post the entire parameter list passed to IEWBFDAT. >> >> Cheers, >> Greg >> >> -- >> For IBM-MAIN subscribe / signoff / archive access instructions, >> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: CPU time cost of dynamic allocation
On 2019-08-07 6:36 PM, Lennie Dymoke-Bradshaw wrote: However, I think standard TSO ALLOCATE does perform that check Yes, I was probably basing my opinion on my observations of the behaviour of the ALLOCATE command. Cheers, Greg -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FAST PATH (IEWBFDAT) SQ CALL Fail 10800029
On 2019-08-07 10:59 PM, Joseph Reichman wrote: Thanks would IEWBIND work with load modules Yes, IEWBIND - the "full" Binder API - can process PDS load modules as well as program objects from a PDSE and from the UNIX file system. Cheers, Greg -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: IBM Destination z - Of Elephants and Mainframes
Some nits: 1. I doubt that much was written in machine language in 1955, although assemblers were primitive by today's standards. 2. Many Share projects maintained mods tapes in the 1970s, and it would be appropriate to mention some of the maintainers by name. As I recall, Romney White maintained the VM mods tape, but there were many others. 3. Surely the "Paddle project" is worthy of mention. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List on behalf of Reg Harbeck Sent: Tuesday, August 6, 2019 8:04 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: IBM Destination z - Of Elephants and Mainframes Good news: the article has been updated based on input from Gabe and IBM-MAIN. See http://secure-web.cisco.com/1NjfoRYHO_IklC98nwDba14_shyd-SmDL9s12DBLCbbunw9ikwHkSS62f-OQLEr6mQFZtfFlnKDiHcVBeb3mkP2aD1CObuhhFUztX3JDjqKQLM45g8-mNhCpVceetTGl1dUHs6rZ75TdPreROPzfSiOG_NPHB8-GXw7HO0TVRrHtYB_54tmjsYTL9KbWUr0d6WwK_Ytjhs3DcqpCKs-Ca6quPHitduHX82NNxmjvOMwa3wzWyObJW9cY7-UBwpXtDFyG_icp91KcQ3QBk0iQ3a57Yddeb4vLXRbA8VAuYlbf0f7LaqcrdxrFLFdBtpOrBmYuD7wOquEgifqGuwvz2mZthtN-tCuksZj7kyzo5XYBvgrFfxzRNRhk5ptGc2XjItzt1ZPYMxiS1Acf03EI8ZEDw-ThlxsxLhsqhms_90dAD44H8bYbK0eogmpkDQGLn/http%3A%2F%2Fdestinationz.org%2FMainframe-Solution%2FTrends%2Felephants-and-mainframes for the revised version. Thanks, all! Reg Harbeck +1.403.605.7986 -Original Message- From: IBM Mainframe Discussion List On Behalf Of Reg Harbeck Sent: August 1, 2019 14:40 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: IBM Destination z - Of Elephants and Mainframes Thank you, Gabe. I'm honoured that you read my writing so closely, and I take your correction seriously. I'll be more careful how I phrase such things in future articles. FWIW, I am aware that Fortran and other pre-COBOL languages already existed, so perhaps I should have said "much of this stuff" instead. (And to those who have made other suggestions on IBM-MAIN that I should have caught, but missed, in the past, my apologies: still getting into good habits of keeping up with this important part of the mainframe ecosystem.) Reg Harbeck +1.403.605.7986 P.S. Looking forward to seeing many of you in Pittsburgh next week. -Original Message- From: IBM Mainframe Discussion List On Behalf Of Gabe Goldberg Sent: August 1, 2019 13:45 To: IBM-MAIN@LISTSERV.UA.EDU Subject: IBM Destination z - Of Elephants and Mainframes Think back… think way back, possibly to before you were born. Think of the reasons why SHARE was founded in 1955, and the main activities of SHARE. Once upon a time, when electronic computing technology was still being figured out, each new machine was so different from its predecessors that it was necessary to rewrite a whole new set of utilities and drivers and applications for it. Even Assembly language wasn’t available until 1957 (and the first COBOL compiler didn’t come out until 1960) so most of this stuff had to be manually entered in machine language. http://secure-web.cisco.com/1NjfoRYHO_IklC98nwDba14_shyd-SmDL9s12DBLCbbunw9ikwHkSS62f-OQLEr6mQFZtfFlnKDiHcVBeb3mkP2aD1CObuhhFUztX3JDjqKQLM45g8-mNhCpVceetTGl1dUHs6rZ75TdPreROPzfSiOG_NPHB8-GXw7HO0TVRrHtYB_54tmjsYTL9KbWUr0d6WwK_Ytjhs3DcqpCKs-Ca6quPHitduHX82NNxmjvOMwa3wzWyObJW9cY7-UBwpXtDFyG_icp91KcQ3QBk0iQ3a57Yddeb4vLXRbA8VAuYlbf0f7LaqcrdxrFLFdBtpOrBmYuD7wOquEgifqGuwvz2mZthtN-tCuksZj7kyzo5XYBvgrFfxzRNRhk5ptGc2XjItzt1ZPYMxiS1Acf03EI8ZEDw-ThlxsxLhsqhms_90dAD44H8bYbK0eogmpkDQGLn/http%3A%2F%2Fdestinationz.org%2FMainframe-Solution%2FTrends%2Felephants-and-mainframes Um, no. ACM SIGPLAN History of Programming Languages Conference 1978 article on FORTRAN says: Page 166 1.3 Programming Systems in 1954 Most "automatic programming" systems were either assembly programs, or subroutine-fixing programs, or, most popularly, interpretive systems to provide floating point and indexing operations. --- That's far beyond machine language three years before article claims anything more advanced than that was used. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: CPU time cost of dynamic allocation
They say that the memory is the second thing to go (I don't remember the first.) IEFBR14 with DDDISP=(,PASS) or DISP=(,CATLG) does allocate a new data set. there would be much wailing and gnashing of teeth if it stopped doing that. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List on behalf of CM Poncelet Sent: Wednesday, August 7, 2019 12:34 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: CPU time cost of dynamic allocation >From years ago, I *think* an IEFBR14 step with DISP=(,CATLG) [or (,PASS)] does not physically allocate a dataset on a VOLSER but only registers it in the usercat. Have you checked whether it is in the VTOC? Chris Poncelet (retired sysprog) On 06/08/2019 20:38, Charles Mills wrote: > FWIW I tried adding DISP=(,PASS) to all of the DDs and adding another (BR14 > also) step. No difference in the step CPU time -- still 0.00 seconds. > > Of course, one could play guessing games all day. Is the Initiator smart > enough to know the whole job is one big no-op? I would guess not, but who > knows. > > Charles > > > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Paul Gilmartin > Sent: Tuesday, August 6, 2019 12:45 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: CPU time cost of dynamic allocation > > On Tue, 6 Aug 2019 12:25:05 -0400, Charles Mills wrote: >> OTOH I have an IEFBR14 batch job on the same machine that allocates 15 >> temporary datasets in JCL. The entire job lock, stock and barrel uses >> (according to IEF032I) .00 CPU seconds. Can anyone explain why JCL >> allocation is apparently much more CPU efficient than SVC 99 allocation? >> > Nowadays, z/OS performs some special optimization for IEFBR14 (it knows > it's not going to use those data sets anyway.) Might that come into play > here? > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > . > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: CPU time cost of dynamic allocation
That's true for DASD, but, not for Tape, IIRC. On 2019-08-07 12:53, Seymour J Metz wrote: > They say that the memory is the second thing to go (I don't remember the > first.) IEFBR14 with DDDISP=(,PASS) or DISP=(,CATLG) does allocate a new data > set. there would be much wailing and gnashing of teeth if it stopped doing > that. > > > -- > Shmuel (Seymour J.) Metz > https://nam02.safelinks.protection.outlook.com/?url=http:%2F%2Fmason.gmu.edu%2F~smetz3&data=02%7C01%7C%7Cbf913ac8c88544d06ac908d71b57cd5c%7C84df9e7fe9f640afb435%7C1%7C0%7C637007936258345512&sdata=VvGKdsg2Spkk4Kq0WeVM3amVpcusMCi8yL%2BZEPkXYNw%3D&reserved=0 > > > From: IBM Mainframe Discussion List on behalf of > CM Poncelet > Sent: Wednesday, August 7, 2019 12:34 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: CPU time cost of dynamic allocation > > >From years ago, I *think* an IEFBR14 step with DISP=(,CATLG) [or > (,PASS)] does not physically allocate a dataset on a VOLSER but only > registers it in the usercat. Have you checked whether it is in the VTOC? > > Chris Poncelet (retired sysprog) > > > > On 06/08/2019 20:38, Charles Mills wrote: >> FWIW I tried adding DISP=(,PASS) to all of the DDs and adding another (BR14 >> also) step. No difference in the step CPU time -- still 0.00 seconds. >> >> Of course, one could play guessing games all day. Is the Initiator smart >> enough to know the whole job is one big no-op? I would guess not, but who >> knows. >> >> Charles >> >> >> -Original Message- >> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On >> Behalf Of Paul Gilmartin >> Sent: Tuesday, August 6, 2019 12:45 PM >> To: IBM-MAIN@LISTSERV.UA.EDU >> Subject: Re: CPU time cost of dynamic allocation >> >> On Tue, 6 Aug 2019 12:25:05 -0400, Charles Mills wrote: >>> OTOH I have an IEFBR14 batch job on the same machine that allocates 15 >>> temporary datasets in JCL. The entire job lock, stock and barrel uses >>> (according to IEF032I) .00 CPU seconds. Can anyone explain why JCL >>> allocation is apparently much more CPU efficient than SVC 99 allocation? >>> >> Nowadays, z/OS performs some special optimization for IEFBR14 (it knows >> it's not going to use those data sets anyway.) Might that come into play >> here? >> >> -- >> For IBM-MAIN subscribe / signoff / archive access instructions, >> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN >> . >> > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > . > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FAST PATH (IEWBFDAT) SQ CALL Fail 10800029
Thanks > On Aug 7, 2019, at 12:44 PM, Greg Price wrote: > >> On 2019-08-07 10:59 PM, Joseph Reichman wrote: >> Thanks would IEWBIND work with load modules > > > Yes, IEWBIND - the "full" Binder API - can process PDS load modules as well > as program objects from a PDSE and from the UNIX file system. > > Cheers, > Greg > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Having trouble converting to user logs from sys1.brodcast
Thanks Jesse and Shmuel, Jesse, my original parmlib update was pretty simple SEND /* SEND COMMAND DEFAULTS */ + OPERSEND(ON) /* */ + USERSEND(ON) /* */ + SAVE(ON) /* */ + CHKBROD(OFF) /* */ + LOGNAME(ULOG.DATA.SYST) /* */ after the first hang I went truging into the fine manuals, and used what IBM recomended in SYS1.SAMPLIB, thus what I provided in my post. we did a security trace and didn't find any issues, not saying something could have been there, but we didn't see it. Shmuel; I'm going to give this a try again and cancel my ID with a dump, and move to opening a PMR, BTW; sorry I didn't mention, I'm on a Z13s, z/OS 2.3 RSU 1901 thanks for the responses ! Carmen Vitullo - Original Message - From: "Seymour J Metz" To: IBM-MAIN@LISTSERV.UA.EDU Sent: Wednesday, August 7, 2019 11:19:08 AM Subject: Re: Having trouble converting to user logs from sys1.brodcast If it hangs then I suggest that you report it and work with IBM to get a fix. An error in your parmlib should give you an error message. Did you take a console dump of the hanging SEND command? -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List on behalf of Carmen Vitullo Sent: Wednesday, August 7, 2019 10:53 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Having trouble converting to user logs from sys1.brodcast On my 2.3 sandbox system I am trying to convert to user datasets for brodcast, I've RTFM(s) and updated the parmlibs accordingly, seems to be a 2 step process to totally move from sys1.brodcast. current parmlib values for SEND SEND /* SEND COMMAND DEFAULTS */ + OPERSEND(ON) /* */ + USERSEND(ON) /* */ + SAVE(ON) /* */ + CHKBROD(OFF) /* */ + LOGNAME(ULOG.DATA.SYST) /* USERID.ULOG.DATA.SYST */ + USEBROD(OFF) /* */ + MSGPROTECT(ON) /* */ + SYSPLEXSHR(OFF) /* */ + BROADCAST(DATASET(SYS1.BRODCAST) + TIMEOUT(5) PROMPT) I/we get notifications fine from jobend via the notify= but testing the send command hangs, I IPL'd the system and tried again and received the same results, my ID, once notified of a batch job completed did allocate a ulog dataset but it's empty, I'm stumped as to what I've missed. any pointers or something I missed I'd appreciate thanks -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FAST PATH (IEWBFDAT) SQ CALL Fail 10800029
On Wed, 7 Aug 2019 at 12:44, Greg Price wrote: > On 2019-08-07 10:59 PM, Joseph Reichman wrote: > > Thanks would IEWBIND work with load modules > > Yes, IEWBIND - the "full" Binder API - can process PDS load modules as > well as program objects from a PDSE and from the UNIX file system. > It can even handle object decks! I think you would use STARTD, CREATEW, INCLUDE, whatever GET type calls you are using with IEWBFDAT, and ENDD. The GET calls are slightly different, but the data formats (IEWBUFF) are the same. I was (pleasantly) surprised to see that IEWBIND INCLUDE can use the token you got from CSVQUERY. I don't know when they added that, but it's handy. Tony H. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: CPU time cost of dynamic allocation
Data sets on tape are created by OPEN. For that matter, allocation does no I/O for card punches, paper tape punches or printers; if you have the first two that is TMI. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List on behalf of David Spiegel Sent: Wednesday, August 7, 2019 1:04 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: CPU time cost of dynamic allocation That's true for DASD, but, not for Tape, IIRC. On 2019-08-07 12:53, Seymour J Metz wrote: > They say that the memory is the second thing to go (I don't remember the > first.) IEFBR14 with DDDISP=(,PASS) or DISP=(,CATLG) does allocate a new data > set. there would be much wailing and gnashing of teeth if it stopped doing > that. > > > -- > Shmuel (Seymour J.) Metz > https://nam02.safelinks.protection.outlook.com/?url=http:%2F%2Fmason.gmu.edu%2F~smetz3&data=02%7C01%7C%7Cbf913ac8c88544d06ac908d71b57cd5c%7C84df9e7fe9f640afb435%7C1%7C0%7C637007936258345512&sdata=VvGKdsg2Spkk4Kq0WeVM3amVpcusMCi8yL%2BZEPkXYNw%3D&reserved=0 > > > From: IBM Mainframe Discussion List on behalf of > CM Poncelet > Sent: Wednesday, August 7, 2019 12:34 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: CPU time cost of dynamic allocation > > >From years ago, I *think* an IEFBR14 step with DISP=(,CATLG) [or > (,PASS)] does not physically allocate a dataset on a VOLSER but only > registers it in the usercat. Have you checked whether it is in the VTOC? > > Chris Poncelet (retired sysprog) > > > > On 06/08/2019 20:38, Charles Mills wrote: >> FWIW I tried adding DISP=(,PASS) to all of the DDs and adding another (BR14 >> also) step. No difference in the step CPU time -- still 0.00 seconds. >> >> Of course, one could play guessing games all day. Is the Initiator smart >> enough to know the whole job is one big no-op? I would guess not, but who >> knows. >> >> Charles >> >> >> -Original Message- >> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On >> Behalf Of Paul Gilmartin >> Sent: Tuesday, August 6, 2019 12:45 PM >> To: IBM-MAIN@LISTSERV.UA.EDU >> Subject: Re: CPU time cost of dynamic allocation >> >> On Tue, 6 Aug 2019 12:25:05 -0400, Charles Mills wrote: >>> OTOH I have an IEFBR14 batch job on the same machine that allocates 15 >>> temporary datasets in JCL. The entire job lock, stock and barrel uses >>> (according to IEF032I) .00 CPU seconds. Can anyone explain why JCL >>> allocation is apparently much more CPU efficient than SVC 99 allocation? >>> >> Nowadays, z/OS performs some special optimization for IEFBR14 (it knows >> it's not going to use those data sets anyway.) Might that come into play >> here? >> >> -- >> For IBM-MAIN subscribe / signoff / archive access instructions, >> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN >> . >> > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > . > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: IBM Destination z - Of Elephants and Mainframes
[Default] On 7 Aug 2019 09:45:51 -0700, in bit.listserv.ibm-main sme...@gmu.edu (Seymour J Metz) wrote: >Some nits: > > 1. I doubt that much was written in machine language in 1955, although > assemblers were >primitive by today's standards. > > 2. Many Share projects maintained mods tapes in the 1970s, and it would be > appropriate >to mention some of the maintainers by name. As I recall, Romney White > maintained the VM mods tape, but there were many others. > > 3. Surely the "Paddle project" is worthy of mention. The Michmods tape, Jim Marshals collection of "NIH" software including XEBCOPY and the Goddard mods and "The Wooden Paddle" publications are the ones I used in the 1970s. I also contributed my updates to some of the mods to Michmods tapes (1979, I think) as the WEJ mods. Clark Morris -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: CPU time cost of dynamic allocation
On Wed, 7 Aug 2019 16:25:52 +, Seymour J Metz wrote: >The Initiator does not check that the data set exists; ... > ... and yet it checks for whether it's migrated. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Pervasive Encryption - why?
Timothy Sipples wrote: >Even if you believe IBM caused some confusion -- I cannot find much >evidence in the historical record of official IBM communications, but if >that's what you believe -- that's certainly NOT a reason to add any more. >I've asked you to help reduce terminology confusion, not to increase it. >Thanks. Never said it was official. I'm talking about how it was presented in the real world-at SHARE, IBM Z shows, and IBMers talking directly to customers-and how the customers have interpreted it. How am I adding more confusion by pointing out the confusion? Now I'm confused! Fundamentally, I don't think we're disagreeing here, except that, again, I'm commenting on how the customers seem to be interpreting things, not how IBM officially wants them positioned. As I said, it has gotten better. But I've *heard* IBMers say "With PE [not "data set encryption", but that was the topic at hand) you're protected against attacks." And that's just not true. (Yes, they didn't *say* "all attacks", but nor did they qualify the statement explicitly.) >We (the world) could wait at least a couple decades before application >developers finish adding application-level encryption everywhere it's >needed, assuming they even do that well and correctly (competently, without >malice) and in a way that facilitates rapid progression to more secure >algorithms as cryptography advances (big assumptions). But have you >actually noticed what's going on in the real world? Substantial, real >progress that doesn't require application changes has strong merit. >Shouldn't this be obvious? The world cannot wait decades to rise to the >many security challenges. I think you're missing one of my main points: "Substantial, real progress" isn't what data set encryption provides. It provides a LITTLE BIT of protection for a FEW minor attack vectors. Worthwhile, because it's cheap. But "substantial"? No. Read about data-centric protection, note the analysts and standards bodies saying that container-level protection is just not very useful. And (to beat a dead horse) if folks think it's The Solution, it's perhaps worse than doing nothing, as they do it, solving a small part of the problem, and say "Well, that's done" and then won't discuss further steps to address the rest of the problem, because hey, it's done. Re the pyramid: yes, we've been showing a version of that for a decade, and it's a useful illustration. IBM started doing so recently; that's a good thing. And yes, we solve that top part. But again, if you talk to IBM field folks and to customers, what we're hearing is not "application-level is the goal"; we're hearing "data set encryption [by whatever name] is cheap, easy, and solves the problem". Surely not all IBM field folks, but more than a few. That's what I'm irritated about, on behalf of the customers. I'm at SHARE this week, and just looked at SHARE session titles. It has gotten better: the last few SHAREs have used PE correctly. But if I go back further, it gets murkier. And in a SEC session I was just in, several people-including principals in the SEC project-in mentioning possible use of data set encryption for a ransomware attack, referred to it as "PE" and talked about "PE keys", again clearly meaning data set encryption [keys]. Bottom line: we've had customers tell us, "IBM says that PE [definitely meaning data set encryption] is sufficient to protect us". That doesn't mean IBM meant to say that, or even that a specific IBMer actually said that. But it is how the message was received. Of course my perspective is colored by the fact that we're selling in this space. But that doesn't make the observations invalid; I've had conversations with other folks outside our company who have made the same observations. Let me turn this around and ask: how do we reduce confusion if we don't acknowledge that it exists? .phsiii -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: CPU time cost of dynamic allocation
Which simply means that if UNIT and VOLUME are not supplied then it looks in the catalog, where it detects a MIGRAT value if the data set is migrated. Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd Web: www.rsmpartners.com ‘Dance like no one is watching. Encrypt like everyone is.’ -Original Message- From: IBM Mainframe Discussion List On Behalf Of Paul Gilmartin Sent: 07 August 2019 21:15 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: [IBM-MAIN] CPU time cost of dynamic allocation On Wed, 7 Aug 2019 16:25:52 +, Seymour J Metz wrote: >The Initiator does not check that the data set exists; ... > ... and yet it checks for whether it's migrated. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
LOADing a module into common storage
Roughly forever we've loaded modules into 24- or 31-bit CSA by first LOADing the module normally into private storage, obtaining the actual length from the LOAD, DELETEing the module, getting the necessary CSA storage, and finally using LOAD with ADDR=. This works fine, but seems unduly complicated. We can't use GLOBAL=YES because the module will be gone at EOM, at best. We also need to store into the module right after loading it, and even if there was an EOM=NEVER or the like to say not to ever delete the module, I'm not sure any store into it would be remembered (if RENT is effectively treated as REFR). So... Just wondering if there's a Modern method of doing this that I've missed. We just want the code in common storage; we don't need its name to be made known via a CDE. Thanks! Tony H. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: LOADing a module into common storage
On Wed, Aug 07, 2019 at 06:55:53PM -0400, Tony Harminc wrote: > Roughly forever we've loaded modules into 24- or 31-bit CSA by first > LOADing the module normally into private storage, obtaining the actual > length from the LOAD, DELETEing the module, getting the necessary CSA > storage, and finally using LOAD with ADDR=. This works fine, but seems > unduly complicated. [*1] We can't use GLOBAL=YES because the module will be > gone at EOM, at best. We also need to store into the module right after > loading it, and even if there was an EOM=NEVER or the like to say not to > ever delete the module, I'm not sure any store into it would be remembered > (if RENT is effectively treated as REFR). > So... Just wondering if there's a Modern method of doing this that I've > missed. We just want the code in common storage; we don't need its name to > be made known via a CDE. I haven't seen one but haven't been looking. The little bit I've seen seem to want to delete my module at (EOT/EOM) which doesn't seem good... I'd guess the "new" way would be to not have any relocatable values in your module. Then just move a copy to CSA. With the new instructions this seems possible... Not new, but the way IPC (UCLA/Mail) loads it's CSA code is to do a BLDL to get the size, get the storage, and then use LOAD DE= & ADDR= to load the module[2]. The IPC CSA codes lives in CSA key 0 storage but not fetch protected. It is NOT refreshable, some addresses and other values are set in it at IPC init time. 1. Wouldn't you (or rather program fetch) overwrite storage if the low probability happened and the the module length changed between the two LOAD calls. Hopefully with the authorized caller issuing LOAD DE= program fetch will use my BLDL info and catch module size changes. 2. A retro-version of IPC runs on MVS 3.8 before LOAD ADDR= existed. Yuck. A first cut has a module which does 2 LOADs to it's private area, copies one to CSA and compares the two private modules to find the relocated Acons & fixes the CSA ones. In this case all Acons are 4 bytes and on 4 byte boundaries. RX instructions seem to be designed for this: * relocation fixup * - assume all relocated items are 4 bytes on 4 byte boundaries * - scan each 4 byte word of mod1 & mod2 and note differences * correcting them in the target module * * register usage: * * r2 - @ mod1 * r3 - @ mod2 * r4 - @ tgt * r5 - current offset * r6 - count of relocations * r7 - adjustment (for valid checks) * SPACE 1 L R2,W#MOD1 @ mod 1 L R3,W#MOD2 @ mod 2 L R4,W#TGTA @ tgt mod SRR5,R5 offset, start at 0 SRR6,R6 no relocs yet SRR7,R7 no previous adjustments (yet) SPACE 1 LI$LOOP L R0,0(R5,R2)word from mod1 S R0,0(R5,R3)match mod2? BZLI$NEXT CRR0,R7 same as last offset BELI$RELObif same, go reloc LTR R7,R7 first time? BNZ LI$BADRbif not, relocation problem LRR7,R0 save for next time relo check LI$RELO L R0,0(R5,R4)word from tgt ARR0,R4 + tgt adr SRR0,R2 - mod1 adr STR0,0(R5,R4) update tgt acon LAR6,1(,R6) count reloc LI$NEXT LAR5,4(,R5) next offset C R5,W#MOD1+4end of module? BLLI$LOOP I don't recommend this... Somewhere I have code
Re: Capital One Data Breach-100 Million Customers affected
[Default] On 31 Jul 2019 14:44:53 -0700, in bit.listserv.ibm-main jesse1.robin...@sce.com (Jesse 1 Robinson) wrote: >One frequent selling point for cloud solutions is that WE the hired-hand >storage experts can take better care of your precious data than you can. I >sense Death of a Salesman... > Figuring out who should have access to what is an ongoing zoo where who can either be a person or an entity (another program, etc.). Someone should have it today but not tomorrow. Then for problem determination purposes is it always feasible to obscure copies for production data? How well protected are test and quality assurance environments? mirror data centers? Customer Service Representatives by the nature of their jobs may require access to confidential data on any customer who might call in as would any online customer application. In both cases the representative or the application is the one who determines whether a customer is entitled to the information with the added problem that the customer service representative can misuse their access. In the Capital 1 case, apparently someone at Capital 1 failed to do their part and it brings up the point as to how much expertise is required on the application owner's part and how much any service provider can do to make sure the client organization has got the security it needs. If some entity can get into the system and look like an authorized service user, that system will decrypt and format the requested information. A straight disk dump (FDR/ABR, DF/HSM or IDCAMS for example) is not going to provide anything that is easily readable or decipherable. Clark Morris >. >. >J.O.Skip Robinson >Southern California Edison Company >Electric Dragon Team Paddler >SHARE MVS Program Co-Manager >323-715-0595 Mobile >626-543-6132 Office ?=== NEW >robin...@sce.com > >-Original Message- >From: IBM Mainframe Discussion List On Behalf Of >Clark Morris >Sent: Wednesday, July 31, 2019 8:51 AM >To: IBM-MAIN@LISTSERV.UA.EDU >Subject: (External):Re: Capital One Data Breach-100 Million Customers affected > >[Default] On 31 Jul 2019 06:58:19 -0700, in bit.listserv.ibm-main >jcew...@acm.org (Joel C. Ewing) wrote: > >>And I noticed a reprinted Washington Post article in my local paper >>today "Bank data stolen despite cloud push", which clearly indicates >>bank management had the perception that somehow removing data from >>Capital One's direct physical control to Amazon Web Services on the >>cloud would "improve" security rather than just add different paths for >>attack. Can't help but wonder if this move to "cut back" on Capital >>One's data centers also involved laying off the people that might have >>been smart enough to configure their firewall correctly and avoid the >>breach. > >Since configuration problems have hit the mainframe, I suspect that platform >didn't matter. I am beginning to believe that the most secure platform is the >one where it is easiest (and mostly by default) to secure to the limits of the >platform. Since this isn't a set and forget issue, good practices need to be >in place so that ex-employees don't have access. Why was the person accused >of the breach able to access the cloud? Did she need credentials in order to >get by the >improperly configured firewall? I suspect that all companies need an >HR application that causes review of an employee's/contractor's access every >time they change position and when their employment is terminated. > >Clark Morris >> Joel C Ewing >> >>On 7/31/19 8:32 AM, Bill Johnson wrote: >>> She breached an incorrectly configured firewall. >>> >>> >>> Sent from Yahoo Mail for iPhone >>> >>> >>> On Tuesday, July 30, 2019, 7:48 PM, Edward Finnell >>> <000248cce9f3-dmarc-requ...@listserv.ua.edu> wrote: >>> >>> https://www.usatoday.com/story/money/2019/07/29/capital-one-data-brea >>> ch-2019-millions-affected-new-breach/1863259001/ >>> >>> A CLOUDy day in data processing. > > >-- >For IBM-MAIN subscribe / signoff / archive access instructions, >send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Current URI for SNA manuals?
Will these do? https://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss?PAG=C11&SSN=19HHB0002880621576&TRL=TXT&WRD=&PBL=GC30-3073&LST=ALL&RPP=10 https://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss?PAG=C11&SSN=19HHB0002880621576&TRL=TXT&WRD=&PBL=GC30-3438&LST=ALL&RPP=10 https://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss?PAG=C11&SSN=19HHB0002880621576&TRL=TXT&WRD=&PBL=GC30-3084&LST=ALL&RPP=10 https://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss?PAG=C11&SSN=19HHB0002880621576&TRL=TXT&WRD=&PBL=SC30-3422&LST=ALL&RPP=10 https://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss?PAG=C11&SSN=19HHB0002880621576&TRL=TXT&WRD=&PBL=SC31-6808&LST=ALL&RPP=10 https://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss?SSN=19HHB0002880621576&FNC=ONL&PBL=GA27-3136-20&TRL=TXTSRH# On Wed, Aug 7, 2019 at 10:41 AM Seymour J Metz wrote: > I'm trying to update the list of references in > https://en.wikipedia.org/wiki/IBM_Systems_Network_Architecture; each of > these has a URL that now longer goes to the manual: > > Systems Network Architecture Technical Overview. Fifth Edition. IBM. > January 1994. GC30-3073-04. > Systems Network Architecture Guide to SNA Publications. Third Edition. > IBM. July 1994. GC30-3438-02. > Systems Network Architecture Formats. Twenty-first Edition. IBM. March > 2004. GA27-3136-20. > Systems Network Architecture: Transaction Programmer's Reference Manual > for LU Type 6.2. Sixth Edition. IBM. June 1993. GC30-3084-05. > Systems Network Architecture: Transaction Programmer's Reference Manual > for LU Type 6.2. Sixth Edition. IBM. June 1993. GC30-3084-05. > Systems Network Architecture Type 2.1 Node Reference. Fifth Edition. IBM. > December 1996. SC30-3422-04. > Systems Network Architecture LU 6.2 Reference: Peer Protocols. Third > Edition. IBM. October 1996. SC31-6808-02. > > Does anybody have links to these or to more recent editions that are > accessible by the general public? > > Also, I'd like to add the SNA Format and Protocol Logic (FAPL) manual, and > don't know whether it was ever available online. > > Thanks. > > > > -- > Shmuel (Seymour J.) Metz > http://mason.gmu.edu/~smetz3 > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Pervasive Encryption - why?
Phil Smith III wrote: >I think you're missing one of my main points: "Substantial, >real progress" isn't what data set encryption provides. It >provides a LITTLE BIT of protection for a FEW minor attack >vectors. I disagree. >Read about data-centric protection, note the analysts and >standards bodies saying that container-level protection is >just not very useful. Let's suppose that's what they say. Who among them considers z/OS data sets to be "containers"? Do they know what z/OS data sets are? Data sets are files that contain one or more records. z/OS Data Set Encryption is thus file-level encryption. (File system-level encryption is different.) Which analysts and standards bodies characterize file-level encryption as "just not very useful"? By the way, applications don't generate, process, and control all data. Middleware and systems generate, process, and control a great deal of data too, including sensitive data. Moreover, data importance and sensitivity are often unrelated or only loosely related to application context. Applications (and their owners and users) don't necessarily understand the sensitivity of the data they process any better than, say, storage administrators and DBAs. For an interesting, recent, real world example, see here: https://theintercept.com/2018/01/29/strava-heat-map-fitness-tracker-us-military-base/ Application developers aren't perfect, and some of them are malicious. It wouldn't be wise to rely solely on them to enforce a particular data security posture. All that said, I certainly wouldn't argue that application-level encryption is "just not very useful." ALL levels of the "pyramid" are important. Timothy Sipples IT Architect Executive, Industry Solutions, IBM Z & LinuxONE E-Mail: sipp...@sg.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
