Making x3270 green screens blue or red, or yellow with green bits.

I have several ISPF screens on z/OS, and I found it confusing knowing which one I was on.   I solved it  by making the screen with the all powerful userid displayed in red, and the “normal” screen in multi colours, and the screen with no authority in green.

With x3270 you can use Options -> Colour Scheme -> Default 3279 |Green, to use a predefined colour scheme.

I created my own colour scheme by editing  ~./x3270pro and adding

! define the list of colour schemes
x3270.schemeList: Default 3279: default\n\
    Bright: bright\n\
    Reverse: reverse\n\
    Green Screen: greenScreen\n\
    Colin: colin 
! now define my list
x3270.colorScheme.colin: \
    black deepSkyBlue pink red \
    green turquoise yellow white \
    black blue3 orange purple \
    paleGreen paleTurquoise2 grey white \
    white black dimGray \
    4 2 1 15

 

This gave a good description, and a good list of options is  here.

You can now use the command to start a session with this scheme.

x3270 -model 5 -scheme colin tso@localhost:3270

Playing twister with Liberty and falling over

Twister is a game where you have you put your left foot here, your left hand there, your right foot here, and in trying to put your right hand over there you fall over.  This is how I felt when I was trying to understand the SSL definitions in MQWEB.  In the end I printed off the definitions and used coloured pens to mark the relevant data.

Let’s start with the easy bit.

  • When mqweb starts, it reads configuration information from a file server.xml
  • This includes two files the “IBM” stuff in  /usr/lpp/mqm/V9R1M1/web/mq/etc/mqweb.xml and the user stuff in /u/mqweb/servers/mqweb/mqwebusr.xml .
  • SSL parameters are defined with and <ssl… id=”thisSSLConfig”   keyStoreRef=”defaultKeyStore” .. /> tag.    This points to the keystore to use.
  • The keystore has <keyStore id=”defaultKeyStore”  ….>.   There is a simple link from SSL to the keystore.   You could have multiple keystores,  if so you just change the  keyStoreRef= to point to a different one.
  • You can have more than one <ssl…/> definition.  You might have one, and there is one in the “IBM stuff”, so you need <sslDefault sslRef=”thisSSLConfig”/>  to point to the ssl statement to use.

That should all be clear, and make sense.   A bit like saying you have a right foot, a left foot and two hands.

The zos_saf_registry.xml used when you want to use the SAF interface on z/OS has some SSL definitions.  I was trying to understand them.   This one here(put a finger on it) points to that one, (put a finger on it), which points to this other one (put a finger on it), which has an end-comment.  Whoops that didn’t work.    As I said a bit like playing Twister.

<sslDefault sslRef=”mqDefaultSSLConfig”/> in the user mqwebuser.xml  points to content in the “IBM stuff”.  By the various levels of indirection this points to <keyStore id=”defaultKeyStore” location=”key.jks” type=”JKS” password=”password”/> .  This keystore has a self signed certificate provided by IBM. If you find your browser complains about using a self signed certificate, this may well be the cause.

In the zos_saf_registry.xml are commented statements

  • <keyStore id=”defaultKeyStore” location=”safkeyring://userId/keyring” …/>
  • <ssl id=”thisSSLConfig”  keyStoreRef=”defaultKeyStore” …/>
  • <sslDefault sslRef=”thisSSLConfig”/>

To me these have been defined upside down, sslDefault should come first.

As these are after the sslDefault sslRef=”mqDefaultSSLConfig statment, if you uncomment them, they will be picked up and the “IBM stuff” will not be processed.

You can uncomment these statements and use them to add your definitions.

My definitions are

<sslDefault sslRef="defaultSSLConfig"/> 
<ssl id="defaultSSLConfig" keyStoreRef="racfKeyStore" 
   sslProtocol="TLSv1.2" 
   clientAuthenticationSupported="true" 
   clientAuthentication="true" 
   serverKeyAlias="LABELMQWEBHSCEKE"/> 

<keyStore filebased="false" id="racfKeyStore" 
   location="safkeyring://START1/MQRING" 
   password="password" 
   readOnly="true" 
   type="JCERACFKS"/> 

<webAppSecurity allowFailOverToBasicAuth="false"/>

ADCD Personalisation of z/OS for first time users

People like to customise how they work.  This blog is the z/OS personalisation I tend to do.  If you have other suggestions please let me know.

Running zPDT on Ubuntu

The recommendation is to run zPDT under a different userid ibmsys1.   To be able to switch between userids

  • Switch user from pull down, select ibmsys1
  • You can switch back to the your normal userid using  Ctrl-Alt-F2, and use Ctrl-Alt-F3 to switch to the ibmsys1 userid
  • I could not see how to cut and paste between userids so I have a file I write to from one userid, and read the file from  “the other side”
  • Post on virtual terminals. and how to switch without F keys.

Ive been running on my normal userid without any problems

Set time zone

Edit /etc/profile and set the TZ.  It defaults to EST5EDT.  I used BST for British Summer Time ( or Europe/London).

Screen size  using bigger screens.

  • Use x3270 -model 5  to get 132*27 screen size.  It works for the console and ISPF terminal .The -oversize 133×60 parameter should work.
  • Logon and use ISPF =0  ro set defaults.  Scroll down
    • To have command line at the top / Command line at bottom  remove the /
    •  Scroll down.  Screen format 3 1. Data 2. Std 3. Max 4. Part
    • Terminal Type 4 1. 3277 2. 3277A 3. 3278 4. 3278A

Other ISPF personalisation

  • Options
    _ Command line at bottom  remove the / to have the command line at the top
    / Tab to point-and-shoot fields so you can tap to column headers, press enter and sort by the columne
  • Member list options
    / Scroll member list
    / Allow empty member list
    / Allow empty member list (nomatch)
    / Empty member list for edit only
  • pfshow off remove the PFKEYS at the bottom
  • ISPF  keys set PF12 to retrieve not cancel
  • ISPF set scroll to CSR not PAGE in all applications
  • ISPF 3.4 use reflists list of the last 30 data sets used, or your own list
  • Setting the ISPF main panel.
    • Copy ADCD.Z24A.ISPPLIB(ISR@PRIM)  to USER.Z24A.ISPPLIB(MYMAIN).
    • Add extra content and comparisons at the bottom for example ISMF,’PGM(DGTFMD01) NEWAPPL(DGT)’ .
    • The following are already defined
      •  RACF,’PANEL(ICHP00)’
      • ISMF,’PGM(DGTFMD01) NEWAPPL(DGT)’
      • SMPE,’PGM(GIMSTART) PARM(&ZCMD) NOCHECK’
      • WLM,’CMD(%IWMARIN0)’
    • When you use the TSO Logon panel specify Command ===> ispf panel(MYMAIN)  

OMVS customising

Escape key to break into long running commands use the escape key.  Default is the cent key ¢

You can use x3270 to set a key to this value, in .x3270pro

x3270.keymap: mine
! Definition of the 'mine' keymap
x3270.keymap.mine: #override \
  <Key>Escape: Clear()\n\
  <Key>End: FieldEnd()\n\
  Ctrl<Key>Delete: EraseEOF()\n\
  Ctrl<Key>Right: NextWord()\n\
  Ctrl<Key>Left: PreviousWord()\n\
  Ctrl<Key>Up: Home()\n\
  <Key>Control_L: Reset()\n\
  <Key>Control_R: Reset()\n\
  <Key>Prior: PF(7)\n\
  <Key>Next: PF(8)\n\
  <Btn3Down>: PA(1)\n\
  Ctrl<Key>1: PA(1)\n\ 
! the next define Alt 4 and Ctrl \ as &cent.
  Alt<Key>4: String("\\x00a2")\n\
  Ctrl<Key>backslash: String("\\x00a2")

 

Note

  • the \\ escape characters.
  • lines end in \n\   which is new line + continutation
  • this also defines Ctrl 1 as PA1
  • String(“\\x00a2\n”) would type the cent symbol and press enter

Set userids OMVS information

create directory /u/adcd then use RACF command

ALTUSER ADCDA OMVS(HOME('/u/adcd') PROGRAM('/bin/sh'))
ALTUSER START1 OMVS( PROGRAM('/bin/sh'))

z/OS customisation

  • Set clock time zone.  Copy  ADCC.Z24A.PARMLIB(CLOCK00) to USER.Z24A.PARMLIB(CLOCK00) and edit it.  Note:  FEU.Z24A.PARMLIB(CLOCK00) is used by default.
    •  SET TIMEZONE=E.01.00 command
  • RMF not a good idea – sometimes abends (S0C6) other times locks up z/OS

 

The following come from FEU.Z24A.PARMLIB

IEASYM00
IEASYS00
IEASYSWS
CLOCK00
AUTORDT
IEACMD00
MPFLST00

 

GTF

Create user.z24a.proclib(GTF).   The text in bold is new text compared to SYS1.PROCLIB(GTF).  It deletes the data set before reallocating it.  It allows a userid to be specified.

//GTFNEW PROC M=GTFPARM,ID=SYS1 
//DELETE EXEC PGM=IEFBR14 
//IEFRDER DD DSNAME=&ID..TRACE,UNIT=SYSDA,SPACE=(TRK,20), *
// DISP=(MOD,DELETE) 
//IEFPROC EXEC PGM=AHLGTF,PARM='MODE=EXT,DEBUG=NO,TIME=YES', *
// TIME=1440,REGION=2880K 
//IEFRDER DD DSNAME=&ID..TRACE,UNIT=SYSDA,SPACE=(TRK,20), *
// DISP=(NEW,KEEP) 
//SYSLIB DD DSNAME=USER.Z24A.PROCLIB(&M),DISP=SHR

Create USER.Z24A.PROCLIB(GTFPARM)

TRACE=SYSM,USR,TRC,DSP,PCI,SRM

and any others you need for example  USER.Z24A.PROCLIB(GTFRACF)

TRACE=USRP
USR=(F44)
END

 

 

ADCD. Backups – why, when, how – whoops.

Having got my own personal z/OS running on my laptop, I now need to look after it.  When I worked for IBM there was a team of people who looked after the z/OS systems, including backups, security and applying fixes. Suddenly with my personal z/OS,  there are a lot of things I need to think about.  Today’s topic is backups.

On my Linux  machine I have backups being taken daily to an external hard drive.  I have a Linux on a USB in case I have problems with my main machine.  How do I do backups on z/OS?

What do I want to backup? Is the wrong question.

The real question should be What do I want to restore?  For example I can get a copy of the operating system from my original download files – or from IBM, but I need to be able to restore the files particular to me.  It is better to restore the total system rather than rebuild it, because of all the additional configuration you had to do (which you may not have record of).  The JCL I have written, the data in the database or MQ queue files, security profiles.

What situations do need to restore from?

It can range from

  • I messed up – I edited a file, and now it does not work.  I cannot undo the changes.  I deleted a file.  I want to go back to last week’s copy.
  • By accident you had two copies of a program updating a file – and corrupting it.
  • The database change you made cannot be undone – you added a new field, and now the record length is longer than the 4KB buffers.
  • There has been an I/O error on the disk (though this is rare).
  • I had my laptop stolen.
  • My 3 year old child used my hard drive as a toy and found it does not float on water.

You also need to ask how long do I have to recover?  If the answer is a week, then you can order a new hard drive, and wait a week for it to be delivered.  If you need it back within hours, you’ll have a spare disk just in case (or you did a make copies to this disk – so all you need to do is use it).

Setting up z/OS

As a rule, with ADCD you should not use any of the ADCD volume for your own data.  Create your own volumes and put your data on that.   Create a user catalog, and use alias’s from the master catalog for this user catalog.  If you have a new ADCD system you need to import the user catalog, and redefined the aliases.

Backup the USER.* data sets.   Do not change the ADCD.* or SYS1.* data sets.

Some of the subsystems, DB2, CICS and MQ have data files on the A4PRD* volumes.   This means you need to backup the volumes – and will be a challenge during migration.

When can I backup?

You should backup when the files are not being used.

  • You can edit a file, use tso xmit to make a copy of the PDS, then save the file you were editing.   That is OK. Using TSO XMIT while the file is being saved could cause a consistency problem.
  • You need to backup some files as logical files, so for example backup the MQ.PAGESET.   If this data set was spread across two disks, and you do an image copy of the first disk, followed by the image copy of the second disk, the data is likely to be inconsistent (if you restore you may not find out for a week after the restore!)  MQ  (and DB2) have logic to be able to recover when a logical dataset is restored.  Some systems have a quiesce capability which stop activity to the file, without stopping the subsystem.
  • Doing full volume backups should be done when the volume is not in use, either the z/OS is down, or the volume has been varied offline and removed from zPDT.  Shutting down may be better, so all the volumes are consistent together.  Sometimes there is data in buffers which has not been written to disk (lazy write), so you have to be careful.

You might try to backup only what has changed. This could be difficult.  Unless the disks/files are read only, there is a chance that a file has changed, or a file has been put on a disk.

How do I backup files?
PDS and sequential files.

You can use the TSO XMIT (TRANSMIT) command to take a file or library and create a file which is easy to transport.

To restore it you use TSO RECEIVE indsn(…) newname(abc…) so can have the current and restored versions with different names.   This allows you to process just one, or as many members as you want.

Files in USS

The file behind the filesystem is a VSAM file.

You could use unix commands like tar or pax to package up a file or directory.   The output can be a file in the file system or into a z/OS dataset.

You could use ADRDSSU to backup the whole file system – see the next topic.

Other files

Traditionally these files are backed up use the ADRDSSU or AMATERSE (or both) utilities which can backup the file, and any indexes etc that go with it.  The output can be a z/OS dataset, or DUMPed to tape.

Full volume backups

Shutdown z/OS  down cleanly, stop zPDT (to ensure buffers in Linux are flushed), and backup the linux files.   Restart z/OS.

Where do I backup to?

To recover from operator errors on “user files”, having the backup on z/OS may be enough.

To be able to recover from system problems, or disk problems, put the backups on a different file systems.  If my z/OS system is on the SSD on my laptop, have the files go to an external file system.  Some people will have their hard drives copied to another disk system, or even “off site”.

Getting backups out of z/OS

You can use FTP into TSO or USS to copy the files.  If you use pax output to a TSO file, you can ftp into TSO.  If you pax output into an unix file, FTP into USS.

You can also virtual tape, so ADRDSSU writes to a tape which maps to a file on the Linux file.

Having backed up the files what then?  Plan for a whoops.

  • It is worth checking that your backups restore, for example restore to a spare HDD, and try to boot from it.
  • It is also worth checking that you are backing up what you think you are backing up.  I know of one customer who was backing up the MQ pagesets, but did not change the backup job when they added more page sets.  I have been guilty or repeating a line and not changing the data set name, so data set A was backed up twice, and data set B was not backed up.
  • Determine how long it will take to restore disks, restart, and recover the file(s) of interest.  If this duration is too long – review your backup and restore procedures.

What next?

I asked about backup on the zPDT group forum and had lots of great comments.  Below is a summary of the comments.

  • Use of Clonezilla. This is a partition and disk imaging/cloning program similar to True Image® or Norton Ghost®. It helps you to do system deployment, bare metal backup and recovery.
  • Use ADRDSSU DUMP followed by AMATERSE to make the z/OS backups smaller.
  • Use of a Synology Network Addressed Storage for your backups.  Synology has comments like “Good for home users and small businesses”.
  • Use ADRDSSU to dump to a volume.  Vary volume offline, then backup the volume.
  • Do not use any of the AD-CD supplied volumes for your data. Create your own volume(s) and simply add them to the devmap for new releases. You need to have a usercatalog on your volume(s) and import it to subsequent releases. You can try to make ALIAS definitions carry forward; I usually just recatalog my datasets for each new release.
  • Use LVM snapshots. With the snapshot Linux grsync with an external drive
  • Use of Borg. The main goal of Borg is to provide an efficient and secure way to backup data. Borg cuts all data into chunks, builds a hash and if the hash is not yet known, the chunk is compressed and stored in a repository. Otherwise only a pointer is set for the chunk in the current archive. This saves a lot of time and disk space (after the initial backup) because only the changed parts of the z-disk images are compressed and stored into the archive.

How long will it take?

This depends on the media you are using, and how much data.  On my laptop copying an 8GB volume from HDD to SSD took about 4 minutes or about 30 MB/second. Compressing it may speed this up.

Some good JCL examples.

Thanks to James Alexander from Hostbridge for the following examples.

The user submits a tape job with an extra "mount" tape step:
//EXP       EXPORT SYMLIST=(DSNAME,UNIT,HLQ,VOL)                  
//*                                                              
//          SET HLQ=MYHLQ                                        
//          SET DSNAME=BACKUP.D999999.DFDSS                
//          SET UNIT=591                                          
//          SET VOL=J00001                                        
//*                                                              
//MOUNT     EXEC MOUNT,UNIT=&UNIT,DSNAME=&DSNAME,VOL=&VOL        
//*                                                              
//*  What follows is a standard DFDSS backup to tape. We compress
//*  it here so less disk space is used.                          
//*                                                              
//BACKUP    EXEC  PGM=ADRDSSU,REGION=0K                          
//SYSPRINT  DD  SYSOUT=*                                          
//TAPE1    DD  UNIT=&UNIT,VOL=SER=(&VOL),                        
//         DISP=NEW,DSN=&DSNAME,LABEL=(1,SL)                      
//SYSIN     DD    *,SYMBOLS=JCLONLY,DLM=$$                        
 DUMP DATASET(                              -                    
         INCLUDE(&HLQ..**           )       -                    
      )                                     -                    
      OUTDDNAME(TAPE1)                      -                    
      TOLERATE(ENQFAILURE)                  -                    
      OPTIMIZE(4)                           -                    
      COMPRESS                                                    
$$                                                                
//

The mount step executes AWSCMDX that runs a Linux script.   If the “DSNAME” tape file exists it mounts it;  if not it copies a tape template file and then mounts it.  A Linux job fires once an hour and syncs all of the files in the tape directory to AWS S3.  With this any user can run a tape job and get offsite backups,   Using the same methodology they can also do their own restores.

Here is the mount proc:

//MOUNT     PROC UNIT=590,DSNAME=BAD.DATASET.NAME,VOL=T00001
//* 
//X         EXPORT SYMLIST=(DSNAME,UNIT,VOL)   
//S         SET UNIT=&UNIT,DSNAME=&DSNAME,VOL=&VOL 
//* 
//M         EXEC PGM=AWSCMDX,PARMDD=MYPARMS
//SYSPRINT  DD   SYSOUT=*
//TAPE      DD   UNIT=(580,,DEFER),LABEL=(1,BLP),VOL=SER=123456,DSN=X
//MYPARMS   DD *,SYMBOLS=JCLONLY
./mountfile &UNIT &DSNAME &VOL 
/*

And here is the mountfile script in Linux:

#!/bin/bash
Unit=$1
Filename='/z/backup/tapes/'$2
Template='/z/backup/TapeTemplate'
echo 'Checking to see if the tape file exists'
if ! [ -e "$Filename" ]
then
    echo 'File does not exist copying template'
    cp $Template $Filename
fi 

echo 'Mounting '$Filename' on unit '$Unit
awsmount $Unit -m $Filename

Why is MQWEB not accepting my certificate ? An end to head banging

I found there were many reasons why a browser’s or curl application’s digital certificate did not work with MQWEB, from an option missing, to unsupported handshake option.  Often there the messages were the vague “A problem has occurred”.

I tried to cause as many problems as possible, and blogged what you get, and the resolution; but event then I found there were even more ways of it failing.

 

I’ve written some java programs called checkTLS which act as a client or a server.

  • You can use your web browser into the server application and see information about what is being used, and if it can detect any problems (such as expired CA)
  • You can extract your certificates from the browser, and then talk to MQWEB, and see what happens in the handshake

This is alpha code.   I would be interested in any comments

  • Is this useful?
  • Does it work for you?
  • Is it too verbose?

I can’t get my web browser talking to mqweb on z/OS

I was trying to get my Linux machine talking to MQWeb browser on z/OS, but I was getting

curl .. Failed to connect to 10.1.1.2 port 9443: Connection refused.

For this to work you have to edit the mqwebuser.xml file and uncomment

<variable name="httpHost" value="*"/> 
<!-- 
-->

It then worked a treat.  Like most things it is easy when you know how to fix it.

Using firefox browser then gave me

Web sites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for 10.1.1.2:9443.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

Which proves I was accessing the site. That is a certificate set up issue, and a whole different ball game.

Getting z/OS running on my Ubuntu laptop with zD&T and zPDT

Having downloaded and installed the zD&T, ZPDT and z/OS products on my laptop.  I was keen to start using it.   Here are part of my journey.

The  IBM ZPDT Guide and Reference redbook is excellent.

I used zD&T to install the products,  but it is missing a few things.

Check the environment

I used /usr/z1090/bin/z1090instcheck in section 4.1.84 of the red book to check the configuration.

I had

 UBUNTU kernel.core_pattern is |/usr/share/apport/apport which is BAD

I left it as it was, it is about what happens if there is a coredump.

Section 4.1.11 talks about checking /etc/sysctl.conf. You can use

sudo  /usr/z1090/bin/aws_sysctl

to set all of the parameters to value values.   It prompts before it changes any value, so is safe.

Creating the devmap

I used the perl script to create my devmap file.

Number of processors

You may want to set the number if processors less than the number of cores in your machine, so you can continue to run if zPDT is 100% busy.
Use the top command.  At the top it shows “load average: 5.3 3.7 4.1” this shows 3 numbers – this is 3 cores.

Set the number of cores using the

processors 1 # number of processors

statement.  Event with 1 processor, sometimes the laptop locked up, the cursor did not move,  or was about 5 seconds behind moving the mouse.

Storage usage

z/OS requires a minimum of 2GB to start (otherwise you get a message at IPL)

IAR057D LESS THAN 2GB OF REAL STORAGE IMPACTS SYSTEM AVAILABILITY

Using the top command gave

 

Use the free -g command to display the storage in your machine, so you do not over allocate the storage.

      total used free shared buff/cache available
Mem:     7     3    0      3          3         0
Swap:    0     0    0

The devmap had

memory 5984m  # define storage size for virtual host

When I stared zD&T  I got

AWSSTA146I Starting independent 1090 instance 'ibmsys1'
AWSEMI001T Insufficient Memory for 1090 to start.

I changed the memory to

memory 2G  # define storage size for virtual host

And I got into the IPL.

First IPL

I did a cold start, as per instructions.

I saw a message “waiting for vtam”.  So I reipled.

I used the command k s,del=n to prevent messages rolling off the top of the screen, and saw

CSV028I ABEND306-0C ISTCFCR2 and VTAM won’t start

I issued the commands

  • SETPROG APF,ADD,DSNAME=NET621.SCNMLNK1,VOLUME=A4PRD3
  • S VTAM

and the system started.

Edit ADCD.Z24A.PARMLIB(PROGAB)  and add  NET621.SCNMLNK1  A4PRD3, and do the same the the same data set on SARES1

Basic checks

The system worked as expected.

I could use x3270 localhost:3270 to get into z/OS using a 3274 “hardware controller” or x3270 10.1.1.2 via TCPIP.  This showed my IP network was basically working.

To get FTP working

Use the MVS command S  FTPD this takes a short time to start.

I installed vsftp on Ubuntu and started it

  • sudo apt install vsftpd
  • sudo service vsftpd start

I could FTP 10.1.1.2 and enter the userid and password.  When I issued any command such as ls, it hung.

I used this article on the Ubuntu firewall. The command  sudo ufw status verbose gave

Status: active

I disabled the firewall in linux

sudo ufw disable

and ftp worked.

The log showed me the activity sudo grep -i ufw /var/log/syslog |grep 10.1.1

Either of the commands give access through the firewall

  • sudo ufw allow from 10.1.1.2
  • sudo iptables -A INPUT -p tcp -s 10.1.1.2 -j ACCEPT

TCP error messages

I got

11.45.32 *EZZ9308E UNRESPONSIVE NAME SERVER DETECTED AT IP ADDRESS 9.26.4.6
11.45.32 EZZ9310I NAME SERVER 9.26.4.6
TOTAL NUMBER OF QUERIES SENT 2
TOTAL NUMBER OF FAILURES 2
PERCENTAGE 100%

This is because it is trying to use the DNS server .  The default is to use DNS then local. To fix this edit  ADCD.Z24A.TCPPARMS(TCPDATA)  insert the bold line

; LOOKUP statement 
; ================ 
; LOOKUP indicates the order of name and address resolution. DNS means 
; use the DNSs listed on the NSINTERADDR and NAMESERVER statements. 
; LOCAL means use the local host tables as appropriate for the 
; environment being used (UNIX System Services or Native MVS). 
; 
; LOOKUP DNS LOCAL  the default
LOOKUP LOCAL

Specifying LOCAL uses /etc/hosts which has

10.1.1.2 S0W1.CANLAB.IBM.COM S0W1 
127.0.0.1__ localhost localhost.localdomain localhost4 
___________ localhost4.localdomain4__________________ 
::1________ localhost localhost.localdomain localhost6 
___________ localhost6.localdomain6________________

Where the _ is really hex ’41’ !

I went into OMVS and issued

mv /etc/resolv.conf /etc/resolv.conf.old
touch /etc/resolv.conf
chmod 755 /etc/resolv.conf

ISPF primary menu

The initial ISPF menu is in

ADCD.Z24A.ISPPLIB(ISR@PRIM)

You can copy it to USER.Z24A.ISPPLIB and tailor it.  If you create a new member name – COLIN, use the command at logon ispf panel(COLIN)

The supplied ISR@PRIM has options which are not listed on the display RACF, ISMF, SMPE, WLM S (for SDSF).  This allows you to issue =S or =ISMF.

When you logon to TSO there is an ISPFLITE procedure with no optional products in the list, in case you have problems.

Unexpected messages

I got the following message many times at IPL  once for each disk.

IEC816I xxx VARY ONLINE – CU AUTHORIZATION FAILED SER=IBM-01024

A VARY ONLINE command attempted to validate the use of advanced features for the device.
The authorization failed.

I think this can be ignored.

RACF set up.

RACMAP command gets Abend System 684 rc 004

Copy ADCD.Z24A.PARMLIB(IKJTSO00) to USER.Z24A.PARMLIB(IKJTSO00)

Add RACMAP

 

Getting z/OS installed on my Ubuntu laptop

Some people retire and buy an open top sports car or big motorbike.  Up here in Orkney  the weather can change every day, so instead of buying a fast car with an open top, when I retired, I got z/OS running on my laptop for the similar sort of price!   This means I can continue “playing” with z/OS and MQ, and helping the next generation to use z/OS.  At the end of this process I had the software installed on my laptop, many unwanted DVDs, and a lot of unnecessary cardboard.

I’ll cover my journey in getting the product and installing it, so anyone following in my footsteps will know what to expect and the time frame.  The process works, but could be slicker.

What options are there?

There are two emulators

HerculesHercules is an open source software implementation of the mainframe System/370 and ESA/390 architectures, in addition to the new 64-bit z/Architecture. Hercules runs under Linux, Windows (98, NT, 2000, and XP), Solaris, FreeBSD, and Mac OS X (10.3 and later).

zPDT from IBM.  IBM System z® Personal Development Tool (IBM zPDT®), which produces a small System z environment suitable for application development. zPDT is a PC Linux application. When zPDT is installed (on Linux), normal System z operating systems (such as IBM z/OS®) can be run on it. zPDT provides the basic System z architecture and emulated IBM 3390 disk drives, 3270 interfaces, OSA interfaces, and so on.  It needs a USB dongle or a license server to run.

What software can be used?

  • Products like z/OS, z/VM and z/VSE are licensed to run on only zPDT software.
  • Using z/VM to provide a coupling facility allows z/OS sysplex functions to be run.  Your USB dongle needs to have the support for this.
  • Public domain or “copyrighted software provided without charge”  software like OS/360DOS/VS, MVS, VM/370 were in the field a long time ago and can be installed on Hercules without a license.     You can also get MTS (which I used when I was at University).

What software is available to me?

I will not cover Hercules, as it is not licensed, and will only cover the IBM solution.

  1. For (big) business partners who are developing software to run on z/OS, you need to get approval to become a z ISV.  You can then  get the hardware dongles and the software from one part of IBM
  2. For other people (like me) who want to use z/OS running on a laptop for non production work there is zDevelopment and Test (zD&T). This comes in 3 flavours.
    1. ZD&T Personal Edition enables a single user to run an IBM® Z distribution on a personal computer. For more information about Personal Edition, see Personal Edition.
      • See here for the price.  You can pay for a 1 year subscription, get support from IBM,  download the code and any updates, and a hardware dongle which has the license to use/decrypt the code
      • You can pay for a perpetual license where you get the 1 year subscription as above, but can use it for ever (no support or updates after 1 year).  You can renew the license for the dongle at no charge.
    2. ZD&T Enterprise Edition enables enterprises to host an IBM Z distribution on low-cost Intel-based x86 machines. Enterprise Edition provides a web-based interface. You can extract, deploy, and manage the application images from an existing Z or ADCD packages. For more information about ZD&T Enterprise Edition, see Enterprise Edition.
      • I could not find the price for this. The license set-up looks very complex.  It looks like you need multiple machines to implement it  With a flexible licensing method, ZD&T Enterprise Edition can be used on cloud, VMs, or in-housed physical 8086 hardware. The Enterprise Edition also comes with a single user license that is known as Authorized User (AU) license, or with a multi-user license that is known as the Resource value Unit (RVU) license.
    3. ZD&T Parallel Sysplex can be used to enable a Sysplex environment that is running within z/VM®. For more information about ZD&TParallel Sysplex, see Parallel Sysplex.
      • I could not find the price for this. It looks like you have to use  a separate machine running as a license server.  The Software-based License Server and ZD&T Parallel Sysplex cannot be installed on the same machine.   I got confused between hardware dongle, software License Server and Rational tokens (which look like they need a different machine).

I’ve paid my money – now what?

This page says Software available for immediate download after online purchase.  This was not true for me.

  • You need an IBM id – this takes seconds to obtain.
  • To be able to download software and get the hardware key, you need access to Passport Advantage.
  • To get access to Passport Advantage you need a site number
  • To download software you need an IBM customer number, and an entry in a database saying what you are entitled to download.
  • To get a customer number takes a few days.

You should plan on two weeks from ordering the package to be able to run it.

The sequence of events before I could download the software and order the USB key…

  • I paid my money on the day 1
  • I quickly received an an email from IBM saying “thank you for your order”.   I was expecting a slick process like Amazon, saying “Your dongle has been dispatched – expect it in 3 days, you can download the software now” – but no.
  • I quickly received an email from IBM saying “Welcome to IBM Rational License Key Center.  Here is your License Key Center account ID:123456789.  Here are the instructions for downloading your license key”.  Great – the first question it asks  is “what is the serial number of your hardware key”.  I had not received it yet, so could not download the license.
  • I created a Passport Advantage account using the “License Key Center account ID” as my “site”.  This worked, and I got an email saying “IBM Welcomes you to Passport Advantage Online”
  • I logged on and tried downloading software – there was non available to me.  I could not order a hardware dongle as I needed a customer number.
  • I had an email from IBM Philippines asking “please confirm if this is for personal or commercial use”.  I said this was for me using as part of my company.    As a result it was flagged as “personal use”.
  • Day 2. I got an electronic PDF invoice, which told me my site number was as above.
  • I received my “Proof of entitlement” giving me my customer number and site number.
  • Later that night I got an email “IBM Electronic Support: Welcome to IBM Electronic Support
  • Day 3. I could order my hardware dongle and there was software for me to download!
  • The money was taken from my account
  • The hardware USB key arrived on day 11 – but the courier notified my it was coming on day 15.

So overall allow for a couple of days before you can access the software, and 2 weeks for the box of dongles.

Downloading the software

If you use the DownloadDirector, check that directory is empty before you start the download – you can move files to a sub directory, or select a different directory for the downloads.  The default directory is ~/DownloadDirector.

You need about 46GB just to download the files,and 270 GB when the files are unpacked.  There are 31 unpacked files of 8GB and one file of 15 GB for z/OS and its disks.  If you are going to allocate additional disks, plan for 8GB for each.

At first glance, the download looked pretty simple. It is, unless you want to put the files on a different drive to the default.

  • From the IBM Passport Advantage site click on Download software.
  • It had IBM Z Development and Test Environment Personal Edition displayed.  I clicked on it.
  • It popped up a window saying
    • IBM Z Development and Test Environment Personal Edition
    • Please do not select an operating system and language for all Engineering and Rational software.   I don’t know what this means.  I ignored it
    • Operating system had a pull down list 1) All operating systems 2) Redhat.   I use Ubuntu so I chose 1) All operating systems.
    • Language had a pull down list of languages.  I selected English and clicked Go.
  • The download page said Required: 38 files (45319MB)  which was the first time I had been told about the amount of space needed.
  • I could select all files or individual files.
  • I clicked on Estimate download time for selected files.   it gave me T1 Download Director 951 minutes, HTTP 4758 minutes.
  • I clicked on  Download, which displayed a terms and conditions page.  Click “HTTP” or “Download Director”, click “I agree” and click “download now” .
  • It displayed “Your browser might ask to open/save a JNLP file in order to launch Download Director. Open the JNLP file with Java WebStart (javaws).”  Click OK
  • It popped up a window “Opening IBM_DownloadDirector.jnlp” Select “Open with “Oracle Java 8 Web Start (default)”   click OK
  • There is a pop up ” Do you want to run this application?  IBM Download Director?” Click on Run
    • The first time I ran it, it tried to put all of the downloads in ~/DownloadDirector.  I clicked cancel, and Setup, and specified the download location to my external hard drive, and clicked “Always ask for Download location”. When I reran it, I think it ignored the location and  put the files in the ~/DownloadDirector path.   The second time I came through this process, it prompted me for the Download Location as expected.  It would be nice if the first time through it prompted for download location rather than take the default.
  • Check where the files are being downloaded to, and restart the download if they are going to the wrong place.
  • The documentation says Verify the integrity of downloaded ADCD packages by using the MD5SUM that is in the adcd.md5 and pe.md5 files.   You can use the command  md5sum -c nov2019_adcd_md5.txt  to do a checksum on the downloads.

Ordering the hardware dongle.

In Passport Advantage, select “Software download & media access“.  Then select “Request Media”.   It should have the hardware dongle items you need.  I can’t remember what I ordered, but I overachieved and ordered stuff I didn’t want.   I cannot remember what the request page looked like, but once the order had been fulfilled it I could see I had ordered

  • IBM Z Development and Test Environment Version 9.1 Hardware Key Multiplatform Multilingual DVD Media Pack (BT0MIML)
  • IBM Z Development and Test Environment Version 9.1 Multiplatform Multilingual DVD Media Pack (BT0MJML)
  • IBM Z Development and Test Environment Hardware Key Version 9.5 Multiplatform Multilingual DVD Media Pack (BT0NUML)
  • IBM Z Development and Test Environment Personal Edition Version 10.0 Multilingual Hardware Key Media Pack (BT0P6ML)
  • IBM Z Development and Test Environment Personal Edition V12.0 Multilingual Hardware Key Media Pack (BT0PFML)

I do not know which of these I should have ordered, the names all look similar.   I was reminded of the phrase from the original game of Adventure “you are in a maze of twisty little passages , packages all alike

What came in the dongle box?

I  was notified that the package would be delivered on day 15, but it arrived on day 11.  I was expecting a small jiffy bag. I got a box 30 cm * 24 cm * 20 cm, with lots of Russian Doll type boxes – it was like Christmas!

In the box I had

  • A box labelled RD&T for System z V9.1 Hardware key media pack containing
    • a box containing
      • a bag containing
        • a plastic wallet containing
          • the USB
    • a CD labelled  IBM Rational Developer and test environment for system z V9.1
    • some instructions
    • other paper work
  • A box labelled RD&T for System z V9.5 Hardware key media pack containing
    • a box containing a bag,containing a plastic wallet, containing the USB
    • a CD labelled  IBM Rational Developer and test environment for system z V9.5
    • some instructions
    • other paper work
  • A box labelled IBM z Systems Development and Test Environment Personal Edition  V10 containing
    • a box containing a bag, containing a plastic wallet, containing the USB
    • a CD labelled IBM z Systems Development and Test Environment Personal Edition  V10
    • some instructions
    • other paper work
  • A box labelled IBM z Systems Development and Test Environment Personal Edition  V12 containing
    • a box containing a bag, containing a plastic wallet, containing the USB
    • a CD labelled IBM z Systems Development and Test Environment Personal Edition  V12
    • some instructions
    • other paper work
  • A bigger box containing CDs
    • IBM Rational Integration Tester Platform Pack 1 CD
    • IBM Rational License Key Server 1 CD
    • IBM Rational Developer and test environment  for System z v9.1 Software distribution for z/OS 1.1.3 12 CDs
    • IBM Rational Developer and test environment  for System z v9.1 Software distribution for z/OS 2.1 15 CDs

Overall I got 4 USB keys (It  could be a challenge to use all 4 ,as my laptop has only one spare USB slot), lots of software and a lot of cardboard.  As I have already downloaded the images, I have two lots of software CDs I do not need. I think the provisions system needs to be looked at, so I get just what I need (one dongle) instead of a lot of waste cardboard and plastic.

Getting the license for the keys

The documentation has a topic Obtaining an update file from Rational License Key Center  which worked.

  • Follow the link and logon
  • It showed me IBM Rational Developer for System z Unit Test.
  • The serial number of one of my USBs was like 02-00222.
  • Number of Server Instances:1
  • Number of Licenses:1
  • Click generate, wait for 10 second and a window is displayed
  • Click download – and save it
  • Follow the instructions in the documentation.  I cannot use “su” so I used sudo ./Z1091_token_update…  which worked.  note the upper case Z in Z1091
  • The status command “sudo ./Z1091_token_update -status” gave me
    • Info: Processing Status request.
    • Info: Found both ADCD-1 License and ADCD-2 License.
    • Info: Command completed with 0 error(s).

As I was only entitled to one license – I had 3 spare dongles but with no license for them.

Installing zD&T.

The instructions are here.

  1. Check the instructions are for the level of zD&T you are using.   Google found me the version for 12.04; I was using 12.05
  2. The license is displayed.
    1. The license is displayed using the more command, so you can use ‘f’ and ‘b’ to go forward and back.  (Until you get to the last page when you cannot go back,  you have to decline license, and go through the install again.
    2. I found the license was not clear.   It looks like big chunks are repeated with only minor variations, which were too subtle for me.
    3. Some software you are allowed to install but not use: Fault Analyzer for z/OS and File Manager for z/OS.  (File manager:  IBM® File Manager for z/OS® (base component) provides comprehensive, user-friendly tools for working with Websphere MQ data, HFS files and QSAM, VSAM and IAM data sets. These tools include the familiar view, edit, copy and print utilities found in ISPF, enhanced to meet the needs of application developers)
    4. I think the words about Authorized User Single Session apply to zD&T personal Edition, and the words about  Resource Value Unit (RVU) apply to the enterprise edition.
    5. I don’t understand When determining the number of entitlements required for Licensee’s installation or use of the Program, Licensee is allowed to define up to two log-in identifiers for use by system programmers (i.e. system administrators or database administrators) to support Licensee development and test activities, which are not used to determine the number of entitlements required for the Program.  I do not understand this (what entitlements?, what is not used ?).  At least two userids are defined, for example IBMUSER, so additional  system programming userids may not be needed.  I do not know if I am allowed to define more userids for doing MQ application development, and defining MQ resources.
    6. The license refers to “Program”.   The text has Program Name : IBM Z Development and Test Environment Enterprise Edition Version 12.0.5, so I think the term “Program” to mean the whole package, so CICS, MQ and z/OS are individual Programs.
      1. This sounds a bit recursive, The license Programs, have programs (load modules) which have programs (compilable source code), the compiled programs have z architecture  instructions which deep down have programs in zPDT, which have instructions which have microcode programs which run on the chip.
    7. I could not find how to get a copy of the license, so I cancelled the installation and found the license in ~/DownloadDirector/zdtpefolder/license/Lic_en.txt
    8. Text like L/N: L-JWOG-BKVNF6 are the license number.  I think it is IBM internal use only as I googled it but could not find it.
    9. So overall written by lawyers and hard to understand.

Optional questions.

It asked Do you want to install Network Configuration for IBM® ZD&T Personal Edition ?(y/N):

I don’t think it installs anything.   I think it configures the network. See installation  and network.  The configuration scripts for example in /opt/ConfigGuideSample/zdt_config_network10.sh enables packet forwarding,  uses iptables to set up routing, Network Address Translation(NAT) with destination of 10.1.1.2.

I could IPL and logon without doing this optional step.  To get FTP working, I had to make one network configuration action.

It uses iptables-save  to make a copy of the IP configuration.  You may want to issue sudo iptables-save > myipconfig.txt  to save your current configuration before using this install to change it.

It makes changes to the running system, then saves them, and changes /etc/rc.local so the commands are executed at Linux boot time.

It asked Optional: Enter y to install all needed dependencies or enter n to decline.

I thought I had checked these, so I replied n.  I don’t know if it checks them and warns of any missing ones.

The installation complete message is not as documented.   The documentation says “If the package is installed successfully, the following output is displayed”

z1091-1-10.55.04.x86_64

I got

ii z1091 1.10.55.04 amd64 z1091, version 1.10.55.04, build date - 02/19/20 for Linux on Ubuntu 64bit

which is close enough.

Unzipping the files

Files  ending in .gz can be unzipped with gunzip.  The other files have to be decrypted and you need the dongle to do that.

The command

gunzip file.gz

takes the file, unzips it to file and deletes file.gz

You can use the command

gunzip -c file.gz > /directory/file

the -c option says write to sysout and do not delete the input file.

To unzip all the files (this took a couple of hours to execute).

  • you could issue gunzip *.gz  . You may want to check that the directory has only the zP&T files in it before executing the command.
  • if you want to have the unzipped files on a different drive you could copy the .gz files to the drive then issue  gunzip *.gz in the directory.

Unzip and decrypting the RES files.

When I tried to unzip the *RES files using my colinpaice userid I got.  /usr/z1090/bin/Z1091_ADCD_install: error while loading shared libraries: libawsDiskItf.so: cannot open shared object file: No such file or directory.

I logged switched to the ibmsys1 userid, and followed the instruction in the documentation. I got

  • /usr/z1090/bin/Z1091_ADCD_install ./A4RES1.ZPD ./A4RES1
  • LIC hasp: * Communication error between API and local Sentinel License Manager : code=33

It took just over 4 minutes to unzip the SARES1 disk

Overall all

The overall process worked.  It took longer than I expected to get entitlement, and the hardware dongles.  I also have 3 dongles I cannot use, a large pile of cardboard, and two piles of CDs I don’t think I need.

My favourite Z/OS commands

I’m putting together some education materials for new z/OS users, and would like a list of common or favourite commands (the commands your fingers know without having to think about them).  If you have any more useful commands, please tell me and I’ll add them.

If there is enough interest I can make the commands into html links to the online manuals – if so please let me know.

Useful links

Console commands

Managing the 3270 console

  • k a,ref shows areas on operator console
  • k a,none – removes “out of line area” from console.  You may need to do k e,d to remove the area first
  • k a,14 makes the area 14 lines deep
  • k a,6,6 makes two areas A and B, can then use D A,L,L=B for to display the command  D A,L in window B

Some commands,  eg display commands comes up in a “out of line” frame at bottom of the screen

  • k d,f scroll forward, sometimes pf8 does this. Check with d pfk
  • k e,d remove the bottom “out of line display” area

Screen

  • k q clear the backlog of queues messages
  • k e clear the scrolling messages
  • k s,ref display the current settings
  • k s,del=rd have message scroll off the top automatically
  • k s,del=n stop messages scrolling off the top
  • k e,n  remove nth message from the top of the screen – useful of the messages do not scroll.
  • d pfk
  • k n,PFk=(001,CMD=’d a,l;d ts,l’) sets the pf key to the command strings separated by ;
  • PA1 retrieve previous command

If you lose the console

Useful MVS commands

VTAM

Subsystem eg DB2, MQ

TCP

JES2

The command prefix is £ or $ depending on your system and keyboard

Commands useful when the spool has filled up

  • $DSPOOL how full is the spool
  • $D JOBDEF display the number of JOES ( Job Output elements = numbers of files) JOENUM can be increased dynamically using $T OUTDEF,JOENUM=xxxx.  Don’t forget to change it in SYS1.PARMLIB(JESPRMxx) in order to make the change permanent.
  • $DJQ,SPL=(%>1) which jobs are using more than 1% of the spool
  • $DS,SPL=(%>1) which STCs are using more than 1% of the  spool
  • $dt,spl=(%>1) which TSO are using more than 1% of the spool
  • $DJQ,DAYS>2 which jobs are more than 2 days old
  • $DO JQ,JM=CCP* display all output for jobs beginning with CCP also $DO S and $do S
  • $PO JQ,JM=CCP* Purge all output for jobs beginning with CCP also $PO S and $po S
  • $DO JQ,AGE>4 Which output data sets are more than 4 days old
  • $PO JQ,AGE>4  Purge output data sets are more than 4 days old also $PO S and $po S
  • $do jq,jm=cp7*,a>7 Which output data sets belong to cp7* and are a week old also $DO S and $do S
  • $po jq,jm=im7*,a>7 Purge output data sets belong to im7* and are a week old also $PO S and $po S

ZFS

TSO commands

  • ddlist or isrddn what are my TSO allocations – useful for looking for ISPPLIB concatentation etc
    • Line commands
      • B Browse the first sixteen data sets or a single data set.
      • E Edit the first sixteen data sets or
      • a single data set.
      • V View the first sixteen data sets or a single data set.
      • M Show an enhanced member list for the first sixteen data sets or a single data set.
      • F Free the entire DDNAME.
      • C Compress a PDS using the existing allocation.
      • I Provide additional data set information.
      • Q Display list of users or jobs using a data set.
    • Primary commands
      • Apf Browse Con CList COUnt CUstom
      • DUPlicates Enq EXclude Find Locate LOAD
      • LONg LPa Member MList  Only Parmlib
      • Reset Select SHort
    • Member name (ddstring) Scan allocations for a particular member.
    • Select modname  Search for a loaded module without searching any allocated data sets.
    • CUstom Show the values in ISPTCM and some ISPF configurations.
  • mount filesystem(‘PAICE.ABC.ZFS’) mountpoint(‘/u/paice/abc’) type(ZFS) mode(read)
  • unmount filesystem(”PAICE.ABC.ZFS’) normal

RACF commands

SDSF

  • OWNER myuserid to see jobs that I own, regardless of prefix.
  • “I use ST command almost exclusively in stead of DA, O etc..”
  • SYSNAME  allows you to see jobs on another connected system
  • PREFIX abc displays jobs beginning with abc
  • filter ? allows you to select on multiple criteria owner eq paice, jobname eq MQ*
  • Sort … sort on column of data sort cpu%
  • ARRange CPU% A REAL arranges the columns so the CPU% column is displayed after the REAL column
  • Prefix commands
    • S display the spool
    • SE display in edit mode
    • C issues JES command to cancel the job
    • ? displays the different output files within the job
    • SJ allows you to edit the JCL and resubmit it
  • log s display the system message log for your MVS system.
  • log o displays the merged, sysplex-wide system message log
  • ulog displays the output from commands you have issued

MQ using CSQUTIL or equivilant command

SMS – ISMF

  • Display all options on the ISMF panel 0 ISMF Profile.0 User Mode Selection  set to 2 For a Storage Administrator (SA)
  • To tailor columns displayed, used view command, specify columns and save it
  • Display disks and information about disks  2 Volume.1 Dasd ,
    • Acquire Physical Data Y,
    • Storage Group Name ” “
    • CDS Name ” “
    • Press enter
  • Display storage group name , 6 Storage Group, 1. List
    • and disks in the storage group 1. List,  then line operator listvol

TASID

TASID is a “monitor” tool developed internally within IBM to monitor activity on a z/OS system. It is displayed in ISPF on TSO.     It displays IPL info, storage usage, address space usage etc.   Think of unix “top” function.

Note that some options may not  operate correctly on all z/OS systems. Download it from IBM here.

USS Unix services

  • ls -T file display file tag, ASCII, EBCDIC etc ISO8859-1 is ASCII
  • chtag -p display/change file tag info
  • whence name like which name, tells you where a command came from eg whence oedit is /bin/oedit
  • tar  like zip
  • cp copy files
  • mkdir 
  • mkdir -p and the intermediate directories
  • pax another way of packing files to make them portable
  • TSO OMVS command for example the ESCape NOPFSHOW

WAS, Liberty,

Angel processes

Liberty

WLM

D WLM.

V WLM,POLICY=….