Using ICSF in a multi system environment

Using ICSF within a single image or sysplex discussed setting up ICSF in a single environment, where systems can share the ICSF datasets.

This blog post is when you have multiple systems which do not share the ICSF data sets.

You have some encrypted data sets which you have sent to your backup system. How do you get the ICSF keys to your backup site? I will focus on using AES CIPHER keys because AES is recommended over DES keys; and CIPHER keys are recommended over DATA keys.

The challenge of using ICSF in a multi system environment where the ICSF data sets are not shared, is setting up the first keys. This is not easy as ICSF does not provide all the functionality to do this.

If your systems have the same hardware key, you can unload and reload a key using my programs in EASYICSF on Github. You unload the key (encrypted with the hardware key) to a data set, send the data set to the remote system, and reload the key.

If your systems do not use the same hardware key, you can fairly easily set up the keys for use between systems if you can accept some clear text key value sharing.

If your systems do not use the same hardware key, the most secure way of setting up keys is where the key value is never in clear text, and so cannot be copied or used in an authorised way. This has many steps, and I’ll cover this in another blog post (Generating ICSF keys using Diffie-Hellman).

If you want to encrypt a key to send to a remote site, ICSF provides Key Encryption Key (KEK) technology. Once they KEK has been set up you can export a key from the local system, encrypting it with an exporter KEK. Send the encrypted data to the remote site, and use the matching KEK to import it. At no point is the clear text version of the key exposed. I think of a KEK as an asymmetric key for data. Having the exporter KEK does not mean you can decrypt the data.

You need to have an exporter key to get from system A to system B, and an exporter key to get from system B to system A. If you specify the key value yourself these could be the same. If you let the system generate the key value, they will be different.

Once you have keys set up, you can use ICSF Key Encryption Key (KEK) to send keys securely to another system. The key phrase is “Once you have set up…”.

How long are keys needed for ?

A cipher key used in data set encryption is needed for as long as the data set using it is needed, so potentially many years. Deleting the key means the data set cannot be read.

When you create a KEK, you create both the exporter and importer at the same time. You cannot generate one from the other. A KEK is only used when transferring keys between systems. You could have a new KEK every week, with no impact. You just need to ensure you have at least another KEK to encrypt it.

How many KEK’s do I need?

If you have three systems, Production, Backup and Disaster Recovery (DR). You could define an exporter key on production, and the same importer key on Backup and DR. This might be easy to implement, but I think I would feel more comfortable with different KEKs:

Exporter on Production and Importer on Backup,
Exporter on Production and Importer on DR,
Backup to DR

and the opposite; Exporter on Backup and Importer on Production etc.

I included the system names in the data set used to store the key. When I initially used the same name for all definitions, such as ‘COLIN.EXPORTED.KEK’, I found I was getting into a muddle, and had the wrong key in it.

To export and import AES CIPHER keys see export a key from CKDS into a data set so it can be imported on another system and import a key from a data set into the CKDS on Github. You could just use unload and reload a key using my programs in EASYICSF on Github!

Overview to creating keys in a multi system environment

If the hardware keys are the same on each system, you can use UNLOAD and RELOAD programs in my EASYICSF on Github which allows you to copy the hardware encrypted key from one ICSF data set to an intermediate data set, then reload it into an ICSF data set. See here.
You can generate data set encryption keys on each system using a cut and paste of the JCL. This is not very secure because the key value is visible in clear text. See here.
Define Key Encrypting Keys for sending keys encrypted between systems. See here for detailed instructions.
- On the sender system define a temporary exporter key specifying the key value in clear text.
- On the receiving system(s) define the matching importer key using the same key values (cut and paste) and a small edit.
- Define a permanent exporter key letting the system securely generate the key value, and specify the temporary KEK to encrypt the importer key.
- Send the encrypted permanent importer KEK to the remote system.
- On the receiver systems use the temporary importer KEK to import the permanent key
- Delete the temporary KEK from each system.
- You now have KEKs on your system, and the window where there was clear text visible was small.
Locally generate a secure data set encryption key, and export it to the remote systems as needed. See here.
- You generate a data set encryption key.
- For each system you want to send this key to you export it, using the exporter KEK for that system.
- If you want to send the key at a later date, you just export the key using the appropriate KEK.
Generating secure data set encryption keys, both local and encrypted with a KEK
- ICSF has a utility CSFKGUP which, in one request, can generate a key for use locally, and export it using an exporter KEK.
- This does not feel a very good solution to me.
  - If you want to send the key to multiple systems, you need to use the same KEK for all systems.
  - If, at a later date, you want to send the key to another system you have to export it (see above). It is easier just to export it anyway.

These may look relatively simple – but ICSF does not provide a utility to export and import the keys. You can write your own C or REXX program, or use the ones I have written. See export a key and import a key in EasyICSF on Gitub.

Detailed instructions

Use unload and reload.

This is based on unload and reload a key using my programs in EASYICSF on Github.

Unload

//IBMUNL  JOB 'COLIN',CLASS=A,REGION=0M,COND=(4,LE) RESTART=RUN 
//JOBLIB JCLLIB ORDER=(COLIN.ICSF.C,CBC.SCCNPRC) 
//* COMPILE    EXEC  CCPROC,PROG=UNLOAD 
//* 
//* 
// SET KEY='-key   SECKEY2         ' 
// SET DB='-debug 8      ' 
// SET DB='              ' 
//RUN      EXEC PGM=UNLOAD,REGION=0M, 
//   PARM='&KEY.  &DB         ' 
//STEPLIB  DD DISP=SHR,DSN=COLIN.ICSFLOAD 
//SYSPRINT DD SYSOUT=*,DCB=(LRECL=200) 
//SYSOUT   DD SYSOUT=* 
//KEY      DD DSN=COLIN.UNLOAD.AES,DISP=(OLD) 
//*        SPACE=(CYL,(1,1)),DCB=(LRECL=7000,RECFM=V)

Reload

//IBMRELOA JOB 'COLIN',CLASS=A,REGION=0M,COND=(4,LE) RESTART=RUN 
//JOBLIB JCLLIB ORDER=(COLIN.ICSF.C,CBC.SCCNPRC) 
//*OMPILE    EXEC  CCPROC,PROG=RELOAD 
//* 
//* 
// SET DB='-debug 8      ' 
// SET KEY='-key   SECKEY2         ' 
//RUN      EXEC PGM=RELOAD,REGION=0M, 
//   PARM='&KEY. &DB         ' 
//STEPLIB  DD DISP=SHR,DSN=COLIN.ICSFLOAD 
//SYSPRINT DD SYSOUT=*,DCB=(LRECL=200) 
//SYSOUT   DD SYSOUT=* 
//KEY      DD DSN=COLIN.UNLOAD.AES,DISP=(OLD)

An easy, not very secure method, for use in a proof of concept.

You can use JCL Like

//IBMICSF JOB 1,MSGCLASS=H
//STEP10 EXEC PGM=CSFKGUP
// SET CKDS=COLIN.SCSFCKDS
//CSFCKDS DD DISP=OLD,DSN=&CKDS
//CSFIN DD *,LRECL=80
ADD TYPE(CIPHER) ALGORITHM(AES), 
   KEYMGT(XPRTCPAC), 
   CLEAR, 
   KEY(0123456789ABCDEF,0123456789ABCDEF,
       0123456789ABCDEF,0123456789ABCDEF), 
   LABEL(COLINCIPHERCLEAR ) , 
   KEYUSAGE(ANY-MODE) 
/*
//CSFDIAG DD SYSOUT=,LRECL=133 //CSFKEYS DD SYSOUT=,LRECL=1044
//CSFSTMNT DD SYSOUT=,LRECL=80 // REFRESH THE IN MEMORY DATA
//REFRESH EXEC PGM=CSFEUTIL,PARM='&CKDS,REFRESH'

You run this on every system where you need the data set encryption key.

You need to specify for data se

KEYMGT(XPRTCPAC),
KEYUSAGE(ANY-MODE)
KEY(….) You need to pick a set of random hexadecimal numbers.

You can run this job on all systems you need the data set encryption keys on, with no changes.

This is not secure because other people may be able to see the keys…

You may have saved the JCL containing the key value (for future use) either in a data set or on paper
If you ran this as a job, the values may be in the spool output. Depending on how you specified the output class.
Copying the values to the remote system may get intercepted.

Defining KEKs

If you want to encrypt a key to send to a remote site ICSF provides Key Encryption Key (KEK) technology. Once the KEK has been set up you can export a key from the local system, encrypting it with an exporter KEK. Send the encrypted data to the remote site, and use the matching KEK to import it. At no point is the clear text version of the key exposed.

Generate a bootstrap KEK.

This bootstrap KEK is only used to set up a permanent KEK.

In a similar way to defining the data set encryption key above you can use

//IBMICSF  JOB 1,MSGCLASS=H 
//STEP10 EXEC PGM=CSFKGUP 
//  SET CKDS=COLIN.SCSFCKDS 
//CSFCKDS DD DISP=OLD,DSN=&CKDS 
//CSFIN DD *,LRECL=80 
DELETE TYPE(EXPORTER) LABEL(TEMPATOB) 
ADD   LABEL(TEMPATOB)TYPE(EXPORTER)  CLEAR , 
 ALGORITHM(AES), 
 KEY(3123456789ABCDEF,0123456789ABCDEF) 
/* 
//CSFDIAG DD SYSOUT=*,LRECL=133 
//* REFRESH THE IN MEMORY DATA 
//REFRESH  EXEC PGM=CSFEUTIL,PARM='&CKDS,REFRESH'

On the remote system, use the same JCL except with TYPE(IMPORTER). You will, of course, use different hex values in the key to those I gave.

Generate the long term KEK.

//IBMICSF  JOB 1,MSGCLASS=H 
//STEP10 EXEC PGM=CSFKGUP 
//  SET CKDS=COLIN.SCSFCKDS 
//CSFCKDS DD DISP=OLD,DSN=&CKDS 
//* LENGTH(32) GENERATES A 256 BIT KEY 
//CSFIN DD *,LRECL=80 
ADD   LABEL(ATOBPERM)  TYPE(EXPORTER)        , 
  TRANSKEY(TEMPATOB)  , 
  ALGORITHM(AES)  LENGTH(32) 
/* 
//CSFDIAG DD SYSOUT=*,LRECL=133 
//CSFKEYS DD DSN=COLIN.CSFKEYS,DISP=OLD
//CSFSTMNT DD SYSOUT=*,LRECL=80  
//* REFRESH THE IN MEMORY DATA 
//REFRESH  EXEC PGM=CSFEUTIL,PARM='&CKDS,REFRESH'

This creates a key value, stores the exporter KEK in the local CKDS encrypted with the hardware keys. It encrypts the new importer KEK with the TEMPATOB KEK and stores it in the CSFKEYS dataset.

The layout of this CSFKEYS data set is:

ATOBPERM the name of the object,
IMPORTER you need this sort of key to import it,
ATOB this is the KEK name used to encrypt it
The key for ATOBPERM with the key value encrypted. This is a hexadecimal value.

Knowing the information in the CSFKEYS data set you can import the key into the CKDS on the remote system, using the TEMPATOB importer key.

ICSF does not provide a utility for this. You can write some REXX code, or you can use my programs. See import a key from a data set into the CKDS.

Delete the temporary KEK

You can use the JCL

//IBMICSF  JOB 1,MSGCLASS=H 
//STEP10 EXEC PGM=CSFKGUP 
//  SET CKDS=COLIN.SCSFCKDS 
//CSFCKDS DD DISP=OLD,DSN=&CKDS 
//CSFIN DD *,LRECL=80 
DELETE TYPE(EXPORTER) LABEL(TEMPATOB) 
/* 
//CSFDIAG DD SYSOUT=*,LRECL=133 
//CSFKEYS DD DUMMY 
//CSFSTMNT DD DUMMY 
//* REFRESH THE IN MEMORY DATA 
//REFRESH  EXEC PGM=CSFEUTIL,PARM='&CKDS,REFRESH'

Locally generate a secure data set encryption key

If you do not have a data set encryption key, use JCL like

Securely generate data set encryption keys.

//IBMDSENC JOB 1,MSGCLASS=H 
//STEP0  EXEC PGM=CSFKGUP 
//* 
//  SET CKDS=COLIN.SCSFCKDS 
//CSFCKDS DD DISP=OLD,DSN=&CKDS 
//* LENGTH(32) GENERATES A 256 BIT KEY 
//CSFIN DD *,LRECL=80 
ADD TYPE(CIPHER) ALGORITHM(AES) LENGTH(32), 
  LABEL(DSENCRYPTION), 
  KEYMGT(XPRTCPAC), 
  KEYUSAGE(ANY-MODE) 
/*
//CSFDIAG DD SYSOUT=*,LRECL=133 
//CSFKEYS DD DUMMY
//CSFSTMNT DD DUMMY 
//* REFRESH THE IN MEMORY DATA 
//REFRESH  EXEC PGM=CSFEUTIL,PARM='&CKDS,REFRESH' 
//

You can then send the CSFKEYS data set to the remote site, and import it using the ATOBPERM importer key. See import a key from a data set into the CKDS on Github.

Using keys across systems

You can only use keys which are within their validity dates: crypto-period start date and
cypto-period end date.

When you import a key, meta data from the original site is not included, so you might need to specify start date, stop date, archive flags etc. See set meta data attributes on Github.

Generating ICSF keys using Diffie-Hellman

The Diffie-Hellman technique allows you to create keys on two system securely, with no need to share a common key. Each system needs a private/public key pair, and the public keys are available on all systems. There are many steps but it is relatively painless.

Scenario

Two systems A and B. We want to have a data set encryption key on system A copied to system B and to create an exporter key on A, and a matching importer key on B.

The steps are

generate private/public pairs on each system
use these to generate the symmetric keys.

Generate a private/public key pair on each system, and send the public key to the other system.

On System A

Use the ISPF ICSF panels

Options 5;6;6 Generate PKA keys, import or export public keys via certificate
- Enter PKDS record’s label: SYSTEMA
- Select Generate a new RSA or EC key pair record
- Select EC NIST Curve, P521.
- This should display PKDS Key Request Successful. Press enter to return.
- Select Export the PKDS record’s public key to a certificate data set
- Specify a data set name ‘COLIN.SYSTEMA’
- Specify the common name SYSTEMA
- Press enter
- This should give you PKDS Public Key Export Successful
Send the data set ‘COLIN.SYSTEMA’ to the remote system.

On System B

Follow the instructions above to generate PKA keys.
- Label Name SYSTEMB, and use export data set name COLIN.SYSTEMB, etc. Check it has worked.
- Next, select Create a PKDS public key record from an input certificate
- Enter the name of the data set you copied across containing the public key for SYSTEMA
- Press enter. It should import the key
- F3 to return to the ICSF PDKS keys page.
- Select option 1, and press enter. Use the line command K to display the contents of the certificates. You should have the private key with sections “PRIVATE PUBLIC”, and the public key should have section “PUBLIC”
Send the data set ‘COLIN.SYSTEMB’ to the first system.

On System A

Read in the data set
Options 5;6;6 Generate PKA keys, import or export public keys via certificate
Enter PKDS record label SYSTEMB
Select Create a PKDS public key record from an input certificate
Enter the name of the data set COLIN.SYSTEMB.
When this has worked, display the contents of the PKDS as described above.

You now have a private/public key on each system, and each system has a copy of the other’s public key.

Generate a symmetric key on each system

Now you have the private/public key on each system, and the public key of the other system, you can create a key.

ICSF does not provide a function for this. See Generate a secure shared key on multiple systems using Diffie-Hellman in Github.

On SYSTEMA you need the name of the private/public pair SYSTEMA, and the name of the public certificate SYSTEMB.
You need a phrase which provides a seed to the encryption. This does not need to be kept confidential, but you may still wish to protect it.

Generate a CIPHER for data set encryption

//RUN      EXEC PGM=GENDH,REGION=0M,PARMDD=MYPARMS 
//MYPARMS DD * 
 -ptype INTERNAL,AES,CIPHER,XPRTCPAC,ANY-MODE 
 -key AESDHDSCIPHER 
 -private AAA 
 -public  BBB 
 -replace Y 
 -party cOlinSeed 
 -debug 0 
/* 
//STEPLIB  DD DISP=SHR,DSN=COLIN.LOAD 
//SYSPRINT DD SYSOUT=*,DCB=(LRECL=200) 
//CEEDUMP  DD SYSOUT=*,DCB=(LRECL=200) 
//SYSOUT   DD SYSOUT=* 
//SYSERR   DD SYSOUT=*

On the other system change AAA and BBB, and run the JCL.

Create an exporter key on SYSTEMA

//RUN      EXEC PGM=GENDH,REGION=0M,PARMDD=MYPARMS 
//MYPARMS DD * 
 -ptype INTERNAL,AES,EXPORTER 
 -key AESDHKEK
 -private AAA 
 -public  BBB 
 -replace Y 
 -party cOlinSeed2 
 -debug 0 
/*  
//STEPLIB  DD DISP=SHR,DSN=COLIN.LOAD 
//SYSPRINT DD SYSOUT=*,DCB=(LRECL=200) 
//CEEDUMP  DD SYSOUT=*,DCB=(LRECL=200) 
//SYSOUT   DD SYSOUT=* 
//SYSERR   DD SYSOUT=*

Create a matching importer key on SYSTEMB

//RUN      EXEC PGM=GENDH,REGION=0M,PARMDD=MYPARMS 
//MYPARMS DD * 
 -ptype INTERNAL,AES,IMPORTER 
 -key AESDHKEK
 -private BBB 
 -public  AAA 
 -replace Y 
 -party cOlinSeed2 
 -debug 0 
/* 
//STEPLIB  DD DISP=SHR,DSN=COLIN.LOAD 
//SYSPRINT DD SYSOUT=*,DCB=(LRECL=200) 
//CEEDUMP  DD SYSOUT=*,DCB=(LRECL=200) 
//SYSOUT   DD SYSOUT=* 
//SYSERR   DD SYSOUT=*

You can now use exporter key AESDHKEK on system A, and importer KEK AESDHKEK on system B.

Idiot’s guide to TCPIP connectivity

I had a working TCPIP network, and made a few “improvements”. Unfortunately these improvements sometimes stopped the connectivity between systems, and I had a frustrating time understanding the problems and fixing them. The idiot in the blog post is me, for next time when I need to connect boxes together.

In concept TCPIP connectivity is simple – it is, but there are some subtle, non obvious things you need to be aware of.

As I was writing this post I found I did not know really how IPV4 worked, because it used “the wrong” IP address but still worked.

I found many ways of failing to connect to TCPIP, and some complex ways of getting it to work – I just wanted a simple way of being able to ping z/OS from my laptop. It is complicated by some definitions need to be done in order, and doing things in a different order sometimes worked, sometimes did not.

Basic TCPIP concepts that every one should know

The term socket is used by applications to communicate with TCP/IP, not where you connect a network/phone cable.
Think of a connection between two boxes. I have a yellow Ethernet cable between them. There are several terms for the where the cable is plugged in. A common term is the interface.
IP addresses
- Each end of the connection has one or more IP addresses. I think of it as having plastic labels tied to the end of the cable.
- IPV6 addresses beginning with fe… and ff… are used by (internal use) advanced technology and can be ignored. You can use them, but the addresses may change every time the connection is started, which makes it hard to automate using them.
- The system may generate some IPV6 addresses, but you can define your own. The system generated an address like 2a00:9999:8888:7777:894e:9876:781:32f1. Sometimes parts of these (the right hand part) are randomised (to make it harder for people to observer traffic patterns and so hack your system).
- I use addresses like 2001:db8::f which are shorter to type.
- On z/OS an IPV4 interface can have only one IP address. An IPV6 interface can have multiple addresses see ADDADDR. On z/OS an interface can be IPV4 or IPV6 but not both.
- On Linux, an interface can have multiple IPV4, and multiple IPV6 addresses (but only the first IPV4 may be visible to applications)
- For IPV6, TCP/IP can generate its own IPV6 addresses for internal processing, such as routing.
To get data from this machine to that machine over the yellow Ethernet cable, you have a route definition like “for this range of remote addresses use the yellow Ethernet cable, which has the address xxxx at the far end.
If you use TCP/IP to send a request, you usually want a response to come back. As well as defining a route to get to the remote end, you need a route defined to get from the remote machine back to the local machine. A ping request can fail because
- The local end does not have a valid route to the remote end. The packet could be sent to the wrong place(down the wrong cable), or just discarded.
- An intermediate box does not have a route to the remote end.
- The remote end receives the request but does not have a route definition to send the response back to the requester.
- An intermediate box does not have a route to the local end.
- A firewall says no.
- You can use the traceroute command to find the path taken to the remote end. This will tell you the path it took to get there. It does not tell you the route back. For this you need to issue the traceroute command on the remote end, and perhaps on intermediate boxes.
You define a route from this box using the yellow cable with label xxxx on it. The remote end of the cable has IP address….
You need at least two route statements
- to get the data from the local system to the remote system,
- the remote system needs a route statement to get to the local system.
You can find these address using
- the Linux command ip -6 addr or ip -4 addr for TCP IPV6 and IPV4 respectively.
- the z/OS command TSO NETSTAT HOME
Subnet: an IP V6 address has 32 hex digits. These are broken up into groups of 16 eg 2001:0DB8… This can be written as 2001:db8… The subnet specified which bits are significant when routing packets to the router. With z/OS usually the top 64 bits are used. This is written as …./64.
An address 2001:db8:9::1/64 is in a different subnet to address 2001:db8:8::1/64.
Address 2001:db8:8:1::2/64 is in the same subnet as 2001:db8:8:1::3 because only the top 64 bits count towards the subnet (2001:db8:8:1).
A gateway is a network point that acts as an entrance to another network. On the Internet, a node or stopping point can be either a gateway node or a host (end-point) node. Both the computers of Internet users and the computers that serve pages to users are host nodes. A gateway can have one protocol in, and output the data in a different protocol. For example I have broadband coming to my house. The gateway router converts this to TCP/IP, and converts it to wireless.

Things that you may not know

My end of a connection has two IP addresses defined. If I ping a remote site it uses the first IP address in its list, the remote site sees a packet of data from the first IP address in the list. You may have configured a route at the remote system to get back to your local system, but if you define your local addresses in a different order, a different IP address will be sent – and the remote end may not have a route for it.
If the interface at the next machine has two IP addresses 10.1.0.3 and 7.168.1.2 , I have to use the first IP address in the list defining a route sudo ip -4 route add 7.168.1.74 via 10.1.0.3 dev enp0s31f6. If I delete the first address, then I need to use the 7.168.1.2

Python could not read a data set I sent from z/OS USS.

I created a file in Unix System Services, and FTPed it down to my Linux box. I could edit it, and process it with no problems, until I came to read in the file using Python.

Python gave me

File “<frozen codecs>”, line 322, in decode
UnicodeDecodeError: ‘utf-8’ codec can’t decode byte 0xb8 in position 3996: invalid start byte

The Linux command file pagentn.txt gave me

pagentn.txt: ISO-8859 text

whereas other files had ASCII text.

I changed my Python program to have

with open(“/home/colinpaice/python/pagentn.txt”,encoding=”ISO-8859-1″) as file:

and it worked!

I browsed the web, and found a Python way of finding the code page of a file

import chardet    
rawdata = open(infile, 'rb').read()
result = chardet.detect(rawdata)
charenc = result['encoding']

it returned a dict with

result {‘encoding’: ‘ISO-8859-1’, ‘confidence’: 0.73, ‘language’: ”}

Why does it take an application using TCPIP, so long to start?

I had problems with a couple of applications taking over 30 seconds to start. For example FTP and the RMF DDS Server.

I found this was cause by my TCPIP resolver was misconfigured. An application can ask DNS for the IP address(10.1.1.2) or the string address (BBC.CO.UK) from the TCPIP Resolver function. On my system this was configured in ADCD.Z31A.TCPPARMS(GBLTDATA) as

LOOKUP DNS LOCAL

This says, go to the network, and ask the DNS server “out there” for information. If this request times out, use the local information. On my system the path to the DNS server was not configured, so it waited, and eventually timed out.

When I changed the LOOKUP definition to

LOOKUP LOCAL

it came up with no delays.

Debugging the “you do not have access to something, but I’m not telling you what” problem

The problem, I had a message

SSL Handshake Failed, ICSF error. Review ‘RACF CSFSERV Resource Requirements’ of the z/OS documentation.
Reason: The webservers userid does not have access to CSFSERV resource classes required for SSL.

But it does not tell me what it does not have access to.

When an application tries to access a resource, and the userid is not authorised to that resource, RACF can produce an error message, which tells you the resource name.

If the application asks “does this application have access to this resource”, then RACF produces no error message, and it is up to the application to provide a sensible and useful message.

Collecting a RACF trace

You can use a command

#SET TRACE(CLASS(CSFSERV),RACROUTE(ALL))

to turn on the trace for that class. You can also use USERID(…) and jobname(…) to further restrict what is traced.

The output goes to GTF.

s gtf,gtf
01 AHL125A  RESPECIFY TRACE OPTIONS OR REPLY U 
 1,trace=usrp                                                                                 
IEE600I REPLY TO 01 IS;TRACE=USRP                                                              
    09.53.19 STC00315  TRACE=USRP                                                                                     
02 AHL101A  SPECIFY TRACE EVENT KEYWORDS --USR=                                                
  - 09.53.27           r 2,usr=(F44),end                                                                              
    09.53.27 STC00315  IEE600I REPLY TO 02 IS;USR=(F44),END                                                           
    09.53.27 STC00315  USR=(F44),END                                                                                  
    09.53.27 STC00315  AHL103I  TRACE OPTIONS SELECTED --USR=(F44)                                                    
  | 09.53.27 STC00315 *03 AHL125A  RESPECIFY TRACE OPTIONS OR REPLY U                                                 
00- 09.53.30           r 3,u                                                                                          
    09.53.30 STC00315  IEE600I REPLY TO 03 IS;U                                                                       
    09.53.30 STC00315  U

Run your work.

P GTF
AHL006I GTF ACKNOWLEDGES STOP COMMAND
AHL904I THE FOLLOWING TRACE DATASETS CONTAIN TRACE DATA :
SYS1.TRACE

if you do not get “THE FOLLOWING TRACE DATASETS CONTAIN TRACE DATA…” it means you did not collect any data.

Use IPCS to look at it

=0 and specify the trace data set name
if you change scope to both it will remember the data for next time
=6 to get you to IPCS Subcommand Entry panel
if this is the first time you have used this instance of the data set, you should issue the dropd command to get IPCS to forget about previous usage
gtf usr(all) This displays the data
You can process this
- type M and press PF8 to get to the bottom of the data
- report view will display the data in ISPF edit (view mode)
- You can now issue commands like
- x all
- f code all and look for non zero return codes.
- del all x
- sort 30 50 to display all return codes in numerical order. You need to look at the top and the bottom.
- make a note of the return code ( copy the line to your clipboard)
- quit
- report view
- find return code

To get rid of some of the forest of unhelpful data

x all
find ‘ ‘ 1 20 all
find ‘+’ 1 2 all
delete all nx

#SET TRACE(NOCLASS,RACROUTE(ALL))

Upgrade to Ubuntu 24.04 – whoops I’ve lost my network connections

I used remote access to upgrade my Ubuntu server. After the upgrade I could not connect over Ethernet. ( I could not access over Wi-Fi, but that was a different problem).

If I pinged from either end, it did not connect.

On my server, the network server for the network connection wired, did not have a MAC address specified. I used the pull down and selected it. I do not know if this is relevant.

My laptop had address 10.1.0.2, and the server had address 10.10.0.3.

On the server the command

ip addr

gave

2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ...
    inet 10.1.0.3/24 brd 10.1.0.255 scope global noprefixroute eno1

I used the command

sudo ip route add 10.1.0.2 dev eno1

to define the route, and connectivity was temporarily restored. I could ping from either machine.

Digging deeper

The command

grep -i warn /var/log/syslog

gave

NetworkManager[1457]: <warn>  [...] keyfile: load: "/etc/NetworkManager/system-connections/eno1": failed to load connection: File permissions (100604) are insecure

ls -ltr /etc/NetworkManager/system-connections/eno1

gave

-rw----r-- 1 root root 376 Oct 21 2022 /etc/NetworkManager/system-connections/eno1

Where file permission xxx604 is -rw—-r–, which allows “other” to read the file

The command

sudo chmod o-r /etc/NetworkManager/system-connections/*

removes the “other” read permission.The next reboot gave me connectivity back.

Lessons learned

After doing an upgraded, (or perhaps once a week) display the syslog for warn and error and resolve any problems.

Ubuntu 24.04 upgrade. tp-link wifi did not work

I upgraded from 22.04 to 24.04 and my plug-in Wi-Fi tp-link device did not work.

What device do I have ?

The command

lsusb

gave me

Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 17ef:4515 Lenovo Lenovo Portable HDD
Bus 001 Device 003: ID 2357:0109 TP-Link TL-WN823N v2/v3 [Realtek RTL8192EU]

but the command

sudo lshw -c network

did not show me any wireless definitions.

Fixing the problem

I followed the instructions in https://github.com/Mange/rtl8192eu-linux-driver.

The files you need may already be on your machine for earlier versions of Ubuntu, you may not need to download anything.

Because my server had no Wi-Fi connection, I used git to download the latest code to my laptop onto a USB device, and then used the USB device on the server machine. You may not need to do this.

I used the instructions to

sudo dkms uninstall rtl8192eu/1.0 to uninstall the driver and
sudo dkms remove rtl8192eu/1.0 –all to delete the drive
reboot
then followed the instructions.

Without the uninstall and remove the install did not activate the drivers.

Migrating from Ubuntu 22.04 to 24.04

Overall this was pretty painless, but did have a few problems on the way.

Could not contact web sites

I used the Software Updater application to upgrade to 24.04. This could not get to some sites. This is because some git hub keys had expired. (EXPKEYSIG 23F3D4EA75716059) See here for the solution.

Copy the long command to the clip board and execute it.
I do not think I needed to reinstall gh. ( I cannot test this because my migration was a success)

Disk space

The install complained that I did not have enough free space on /.

I removed various products: thunderbirds, libreoffice, gcc (theses get re-installed as part of the upgrade). I emptied the rubbish bin.

I removed some of the snaps.

The command snap list –all lists all of the currently installed snaps. The output is like

Name            Version       Rev Tracking      Publisher   Notes
gnome-3-38-2004 0+git.efb213a 143 latest/stable canonical** -
gnome-3-38-2004 0+git.6f39565 140 latest/stable canonical** disabled
...

My snap is configured to keep two revisions around.

I deleted the older versions

snap remove “gnome-3-38-2004″ –revision=”140”

I did not want to delete all versions, in case my upgrade to 24.04 failed, and I stayed on 22.04 for a while longer.

The upgrade took several hours,and seemed to work.

Rebooted into command line

After it had finished installing, I rebooted, and it booted into a command line – not the full screen mode.

I had been caught like this before, and used the command

sudo apt install –resinstall ubuntu-desktop

to reinstall gnome.

The next boot worked.

What’s different?

gedit

gedit is not installed by default. You can use apt to install it. The replacements is gnome-text-editor. I created an alias in ~/.bashrc

alias gte='gnome-text-editor'

so I can type gte…. to open a file.

parcellite did not work

I used this as my clip board manager. I started it, but it did nothing. A little while later it did work.

I installed copyq which provides more capability than parcellite.

I used settings -> Keyboard -> Keyboard Shortcuts > Custom shortcuts to create a short cut to copyq menu.

I used dash -> show apps -> startup applications to add copyq.

Touchpad speed

I still needed to use

echo 250 |sudo tee /sys/devices/platform/i8042/serio1/serio2/sensitivity

to make my touchpad sensitive to movement. You can also tweak/sys/devices/platform/i8042/serio1/serio2/speed.

I also found the command xset m 4/1 0 but I haven’t played with it

Why has it gone dark?

I use my laptop with a dual monitor, and the laptop was very dark (to the point of being almost unreadable). After a bit of faffing around the laptop brightness controls worked, and the screen came back to normal.

I also found

cat /sys/class/backlight/intel_backlight/brightness
cat /sys/class/backlight/intel_backlight/max_brightness

which gave me brightness 1365 and max_brightness 1515.

You can change the brightness using

echo 1000| sudo tee /sys/class/backlight/intel_backlight/brightness

This may be due to auto-dimming. Settings -> Power -> Power savings dim screen.

Lenovo server problems

When I ran sudo apt update, I got messages like

W: Skipping acquisition of configured file ‘sutton.simon/dep11/icons-64×64@2.tar’, as repository ‘http://lenovo.archive.canonical.com noble InRelease’ doesn’t have the component ‘sutton.simon’ (component misspelt in sources.list?)

I issued commands

sudo mv /etc/apt/sources.list.d/oem-sutton.simon-banning-meta.sources ~/sources.list.d.oem-sutton.simon-banning-meta.sources
sudo mv /etc/apt/sources.list.d/oem-sutton.simon-banning-meta.list.distUpgrade ~/sources.list.d.oem-sutton.simon-banning-meta.list.distUpgrade

and it seems to have cured the problem.

One minute mvs: data set file system (/dsfs) on z/OS

One minute mvs: data set file system (/dsfs) on z/OS
Setting up data set file system /dsfs on z/OS
Creating data sets and members from /dsfs
Problems I experienced when using /dsfs

There is a good overview of dsfs here.

My understanding of how dsfs works is that you can access z/OS datasets, members and spool, through a Unix file system interface, and so use commands like “ls”. When you read a member, it is read into the dsfs file system, and the Unix commands work on this data. When you write to the Unix file, it is written to the dsfs file system, and when the file is closed, the data is written to the dataset.

Some information is cached in the dsfs file system, and some definitions, such as DCB information on a per userid basis is also stored.

DSFS is defined to OMVS as a Physical File System. Part of the definition of the PFS is the started task name. When the PFS is defined to OMVS, it starts the DSFS started task.

To stop it, you issue a command to OMVS to stop the PFS.

Permissions

The dsfs started task has threads which do work. When you issue a request, one of the threads becomes your userid and accesses the data sets, so there is no change to the standard RACF data set protection.

User defaults

You can define defaults for when data sets are created. These are user dependant. To issue these for another user, you have to become a super user to become that id, and then issue the dfsadm command.

Changing configuration

You can change the configuration file and restart DSFS (which will be disruptive).

You can make changes to the active system (which are not saved) using the omvs command

Diagnosis

Messages are produced, and are documented in the M&C manual. if you get a reason code, you can use bpxmtext code to display the meaning of the code.