SPARTA News March 2010
March 2010
SPARTA President’s Corner
by Brad Carson
By the time you read this Spring will be here and with it some warmer temperatures and the start of yellow pine pollen season. I hope everyone is ready for anything outside to turn yellow with pollen over the next month or so.
Last month we had a visit from Alfred Christensen to talk to us about encryption and TCP/IP. We had a good discussion on network keys (clear and private) and how they can be used by applications in TCP/IP. This covers not only FTP and TN3270 but almost any socket based application (CICS web services, WebSphere, DB2 DDF, others). A very informative session for everyone.
At work we’ve begun our installation of z/OS 1.11 on our DEVL LPAR. I’m looking forward to getting TSO LOGONHERE support going for when we have those VPN session drops while working from home. I am also planning on getting the SMF logger running and moving away from those VSAM data sets for all the SMF data we generate during a given day. After that we plan on tackling the z/OS Management Facility (z/OSMF) and the “baby” WebSphere that it needs to run. I bet we’ll have some new issues as we give that a try.
On our z/VM front, we’ve been having an issue with IBM JAVA 1.6 and our WebLogic servers. It seems that there is an active timer loop in JAVA when a thread is idle that causes the guest to spin on a virtual CPU and grind away. Our z/VM LPAR has been running at 100% CPU since this surfaced and we are trying to get it corrected in those guests. We are still working on cleaning up these guests from the performance perspective as the application development group moves forward.
Also on the z/VM front, we’ve gone through the tasks needed to access SAN disks from zLinux. The configuration needed on z/VM was simple, but inside the zLinux guest, that required a little more work and some long hex strings. Can you say prone to “finger checks”. I sure can and did!
This month Ed Webb of SAS and Pam Tant of DTS Software will give us their trip reports about SHARE in Seattle. I look forward to seeing you all on the 30th at LabCorp.
Future Speakers
(subject to change)
Mar. 30 SHARE Update by Ed Webb of SAS and other Conference attendees from SPARTA
Apr. 27 z/OS Software by Robbin Lanning of LRS
We need ideas and volunteers for future speakers. Presentations don’t have to be fancy, just informative and interesting. Even a 5 or 10 minute talk can start an interesting interaction. Contact Ron Pimblett by phone as noted below.
2009-2010 SPARTA
Board of Directors
Brad Carson - President
LabCorp 336-436-8294
3060 S. Church St.
Burlington, NC 27215
Ron Pimblett - Vice President
Dignus, LLC 919-676-0847
8354 Six Forks Road
Raleigh, NC 27615
Mike Lockey - Secretary
Guilford Co. Information Services 336-641-6235
201 N. Eugene St.
Greensboro, NC 27401
Tommy Thomas - Treasurer
LabCorp 336-436-4178
3060 S. Church St. 919-361-7267
Burlington, NC 27215
Ed Webb - Communications Director
SAS Institute 919-531-4162
SAS Campus Drive
Cary, NC 27513
Meetings
Meetings are scheduled for the last Tuesday evening of each month (except no meeting in December), with optional dinner at 6:15 p.m. and the meeting beginning at 7:00 p.m.
These monthly meetings usually are held at LabCorp’s Center for Molecular Biology and Pathology (CMBP) near the Research Triangle Park (see last page). Take I-40 to Miami Boulevard and go north. Turn right onto Alexander Drive. Go about a mile or so. Then turn right into LabCorp complex and turn Left to the CMBP Building. In the lobby, sign in as a visitor to see Tommy Thomas. Tommy will escort you to the conference room.
Call for Articles
If you have any ideas for speakers, presentations, newsletter articles, or are interested in taking part in a presentation, PLEASE contact one of the Board of Directors with your suggestions.
Newsletter e-Mailings
The SPARTA policy is to e-mail a monthly notice to our SPARTA-L Group. The newsletter is posted to the website about five (5) days before each meeting so you can prepare. The SPARTA-L Group is maintained by Brad Carson; if you have corrections or problems receiving your meeting notice, contact Brad at 336-436-8294.
Late 2009 “CBT Tape” Shareware Online
The directory and files from the latest CBT tape V478 (dated December 27, 2009) are available from www.cbttape.org.
If you need help obtaining one or more files, contact Brad Carson at LabCorp or Ed Webb at SAS (see Board of Director’s list for contact info).
Minutes of the February 23, 2010 Meeting
•Meeting was called to order at 7:00 p.m. by Brad Carson, the Chapter President.
•The meeting was held at LabCorp in RTP, N.C.
•Eighteen (18) people were present; twelve (12) were members.
•Everyone in the room introduced themselves, told where they worked, and briefly described their job function.
•The minutes of the January 2010 meeting were accepted as published in the February 2010 newsletter.
•Tommy Thomas, the Chapter Treasurer gave the Treasurer's Report. As of February 16, 2010, the balance is $489.79. Motion was made and approved to accept the Treasurer's Report as published in the February 2010 newsletter.
OLD BUSINESS
•Articles are needed for this newsletter. If you would like to write an article for this newsletter, please contact Ed Webb. Keep in mind that you don't really need to write the article, it can be an article that you read that you would like to share with the membership.
•The SPARTA Web page is available. To access the SPARTA Web page, point your Web browser to this site: http://www.spartanc.org. Please send any comments or suggestions about the Web page to Mike Lockey. Be sure to check the Web page every once in a while to see any new or changed information.
•Future Speakers and Topics:
(subject to change)
Mar. 30, 2010: Brad and Ed, "Share Update” from Seattle Mar 14-18
Apr 27, 2010: Robbin Lanning, LRS, z/Series Software
May 25, 2010: Robb Steiskal, CA, Update on CA Automation & Performance
June 29, 2010: Mike Arnold, Softbase, DB2 Tuning
July 27, 2010: Serena Software, Security Compliance
Aug. 31, 2010: Durham Bulls at the DBAP
Sept. 28, 2010: Brad and Ed, "Share Update" from Boston Aug.
Oct. 26, 2010: Craig Mullens, zPrime, What the ?
Nov. 30, 2010: Emmanuel Sauvion, Sysload Software, Performance Management Virtual Environment
If you have suggestions about speakers and topics, contact Ron Pimblett.
•The March SPARTA meeting will be on the 30th at LabCorp in the RTP.
•Food for the March meeting will be BarBQ.
•Brad reminded everyone to keep the conference room clean.
NEW BUSINESS
•Thanks to Tommy Thomas of LabCorp for hosting the meeting.
•Brad reminded everyone that the 2010 SPARTA dues are $30 and should be paid soon.
•The business portion of the meeting ended at 7:45 p.m.
•Alfred B Christensen of IBM gave a presentation titled "TN3270 and FTP SSL/TLS enablement: the easy way". The presentation given by Alfred is available to download at http://www.spartanc.org/2010-02-23 Sparta Raleigh.pdf.
Some of the topics presented were:
Agenda
Introduction
AT-TLS - overview
Cryptographic algorithms, Keys, Certificates, and Key rings
The z/OS networking policy infrastructure
TN3270 enablement
FTP enablement
Introduction
Payment Card Industry Data Security Standard (PCI-DSS) - overview
Compliance with PCI-DSS
A few selected details from the PCI DSS requirements
z/OS Communications Server security overview
Protect the data in the network: technology overview
Some key differences between SSL/TLS and IPSec
Comparing SSL/TLS and IPSec security attributes
ATTLS - overview
z/OS application transparent TLS overview
SSL/TLS application types
Cryptographic algorithms, Keys, Certificates, and Key rings
Cryptographic Basics
Symmetric encryption
Asymmetric encryption
Trust relationships via Certificate Authorities - getting my public key distributed to those who need it
What is needed for z/OS Server authentication only
What is needed for z/OS Server and client authentication
Create self-signed root certificate for test purposes
Create server certificate signed with your own root certificate
Alternative: use an external CA to sign your server certificate
Create you z/OS server started task user ID key-ring and connect required certificates to it
Adding your CA certificate (or self-signed certificate) to your workstation key ring(s)
z10, z9 Hardware Cryptographic components - use by z/OS Communications Server and System SSL
SSL/TLS use of hardware crypto functions
Hardware support
The z/OS networking policy infrastructure
z/OS CS networking policy infrastructure overview
Which address spaces are needed for what?
Configuration files and policy definition files - overview
z/OS syslogd overview - your audit trail !!!
Sample Syslogd configuration file with z/OS V1R11 archive options
Syslogd ISPF browser in z/OS V1R11
AT-TLS error message example
A sample policy agent configuration and policy definition structure
z/OS V1R11 policy infrastructure management overview
Configuration Assistant for z/OS Communications Server
Configuration Assistant files - overview
Sample policy configuration environment
Application setup tasks - base location
Content of base locations after application setup tasks performed
Enabling use of AT-TLS in the TCP/IP stack
Quick guide to working with the Configuration Assistant objects - ATTLS example
TN3270 enablement
Why use AT-TLS for TN3270?
z/OS V1R9 Communications Server TN3270E AT-TLS Security Performance
Migrating the TN3270 server to AT-TLS
Use of AT-TLS for TN3270 before and after z/OS V1R9
Detailed AT-TLS netstat report for AT-TLS secured TN3270 connection
Sample AT-TLS policy for a z/OS TN3270 server on port 2025
Enabling use of AT-TLS for a TN3270 server port
Example: PCOMM key management
PCOMM session
TN3270 connection - secured with AT-TLS
FTP enablement
A quick comparison of selected z/OS file transfer technologies from a security perspective
Comparing FTP Server CPU usage with and without security
Firewalls and FTP
How to deal with dynamic port-based filters in firewalls
z/OS FTP server options for authenticating an FTP client
Virtual key-rings are very useful when z/OS is the FTP client
z/OS FTP server secure setup example
ATTLS policy for secure FTP server port 4021
WS_FTP Pro setup
WS_FTP Pro - AT-TLS secure connection
Filezilla FTP client configuration
Filezilla FTP client certificate prompt
Filezilla FTP client - AT-TLS secure connection
•Meeting ended at 9:15 p.m.
Treasurer’s Report for March 2010
contributed by Tommy Thomas
The balance in the account is $438.69 as of February 28, 2010.
Financial Report
3/01/2009 through 2/28/2010
|
INCOME |
|
|
Opening Balance |
1,117.86 |
|
Dues |
540.00 |
|
Misc. |
0.00 |
|
TOTAL INCOME |
$1,657.86 |
|
EXPENSES |
|
|
Gift Given |
70.04 |
|
Food |
1,086.07 |
|
Petty Cash |
|
|
Bank Service Fees |
|
|
P.O. Box |
44.00 |
|
Hurricane Tickets |
|
|
Web Site |
142.96 |
|
TOTAL EXPENSE |
$1,343.07 |
|
BANK BALANCE |
314.79 |
|
PETTY CASH($175) |
123.90 |
|
TOTAL CASH |
$438.69 |
Items of Interest
SPARTA Schedule and Menu for 2010
contributed by Tommy Thomas and Chris Blackshire
Mar. 30 - BarBQ
Apr. 27 - Pizza
May 25 - Chicken
Jun. 29 - Subs
July 27 - BarBQ
Aug. 31 - Pizza
Sept. 28 - Chicken
Oct. 26 - Subs
Nov. 30 - BarBQ
Dec. 28 - No meeting. Happy Holidays!
Beware SMP/E Security “Enhancement” - Take Action Now!
contributed by Ed Webb
See Info APAR II14489 or the HOLDDATA in PTFs UO01051-UO01054 for IO11698 (Integrity APAR you cannot view on IBMLink, try ResourceLink) for Security changes that are Required to run SMP/E. If you fail to take action (do so today!), you may not be able to run SMP/E at all.
RDEFINE FACILITY GIM.* UACC(READ)
SETROPTS REFRESH(FACILITY)
By taking action today in your security system, you will not be surprised when these PTFs are APPLYed to your SMP/E or you upgrade to a new release of z/OS with a high SMP/E maintenance level.
There are more granular profiles or rules you can use with SMP/E once these PTFs are APPLYed but for now the best proactive approach is leave SMP/E program and command security as is. Just protect your SMP/E data sets, such as CSI and SMPPTS, as you always have, and RDEFINE this new GIM.* FACILITY profile as UACC(READ).
With luck, an ACF2 or Top Secret account can create the appropriate rule(s); Info APAR II14489 points to CA solutions for this security change in SMP/E. But whatever security action you must make, do it now!
AUTOIPL, REIPL, and the z9 and z10
contributed by Ed Webb
If you are running an IBM z10 machine with z/OS V1R10 or later, you can take advantage of the AUTOIPL/REIPL feature for faster recovery and restart of your z/OS system.
Update your DIAGxx PARMLIB member (see the R10 or later Init. and Tuning Reference book), issue a SET DIAG=xx command, and you are ready to go.
When it’s time to IPL your system, just end the shutdown with a VARY XCF,sysname,OFFLINE,REIPL command and viola! z/OS restarts itself on that LPAR with no visit to the HMC.
But what about us poor z9 users (like the ones here at SAS)? No problem. IBM says AUTOIPL and REIPL work on the z9.
But the fine print could be a problem; it is here. Your z9 must be running hardware driver 67 or later (ask your CE or register to view your system info on ResourceLink). Oh, and be sure to find out if your shop ordered the z9 with the no charge feature #9904 labeled SCSI IPL hardware feature. Of course you wanted the SCSI IPL feature, didn’t you? A pretty obvious choice, I’m sure.
If the feature 9904 is missing from your z9, better order it today because you cannot order it after June 30, 2010.
The Most Strategic IT Vendors
contributed by Chris Blackshire
(Ed. Note: Articles from Information Week February 15 and March 15, 2010 issues)
“They're integral to the business, command a central place in the IT architecture, and are mighty hard to replace. How do these vendors compare to your list?
In interviews with countless CIOs over the past decade, Information Week's editors have asked about their most strategic IT vendors -- or "partners," in the politically correct parlance. What makes for strategic? For one thing, those relationships usually are forged over many years. Strategic vendors often command a substantial share of IT budget and a central place in the IT architecture ("We're a Vendor X shop"), and they'd be very hard for CIOs to replace. Strategic vendors sometimes play a critical role in supporting basic business functions ("We run our business on Vendor Y") and delivering competitive advantage ("Vendor Z is our innovation engine"). And you'll find them at the end of the "No one ever got fired for..." line.
<Editor: Some local vendors are cited>
....
1. IBM. Yesterday it was the mainframe and Big Blue's world-class service and support that commanded customers' allegiance. Today, IBM's range of services and products -- outsourcing, integration, consulting, software, systems, security -- still make it a one-stop business technology provider for the blue chip crowd, and not just for the banks that were once its core domain. Under the Smarter Planet campaign, IBM's vast system and software expertise is at the strategic center of healthcare, energy, crime prevention, retail, transportation, government, and many other sectors.
....
5. Cisco. No IT vendor dominates like Cisco, whose many networking competitors are vying just to be No. 2. So why isn't Cisco among the top two or three strategic vendors? While "Cisco shops" abound, it wouldn't be a monumental feat to piece together an alternative using other vendors' products. Still, Cisco's hegemony is impressive. Having all-but-cornered the routing and switching market, Cisco now has its sights on the "single-fabric data center," where virtualized servers, storage, and networks are managed and secured as one (Cisco) architecture. The company is also looking to leverage its tight relationships with CIOs to bolt on network-based collaboration applications: telepresence, Web conferencing, unified communications, and more.
....
9. EMC. Like Cisco in networking, EMC remains almost synonymous with storage, though also like Cisco, its "shop" status doesn't rule out customers going in another direction. Years ago, EMC started acquiring myriad software companies (including VMware) in the event storage would become a commodity, but storage still pays the bills, accounting for 76% of its $14 billion in revenue and a healthy chunk of its profits. (Read Art Wittmann's column, "Practical Analysis: The Storage Stockholm Syndrome," for his analysis of why customers are poised to consider storage alternatives.)
See more of this first of two parts at http://www.informationweek.com/news/global-cio/interviews/showArticle.jhtml?articleID=223000173
<Editor: Happily my employer made the cut, but in the dubious 13th position>
....
13. SAS Institute. SAS products are considered state of the art in one of the most strategic IT areas: business analytics. With customers in 119 countries, including 92 of the world's 100 largest companies, SAS helps banks, manufacturers, government agencies, healthcare providers, retailers, schools, and many others make more informed decisions. And as the only privately held company in our top 20, SAS also has the luxury of investing for the long term rather than the next quarter, spending 23% of its $2.3 billion in revenue on R&D.
....
17. Red Hat. Like Salesforce, Red Hat is strategic more for the movement it leads and represents--in its case, open source software--than for the excellent products it sells to enterprise IT organizations. And as with SaaS, customers value open source not just for its cost savings, but also as the means to keep established software vendors on their toes.
See the complete second part of this report at http://www.informationweek.com/news/global-cio/interviews/showArticle.jhtml?articleID=224000059&cid=RSSfeed_IWK_ALL
Humor
Installing A Husband
contributed by Chris Blackshire
Dear Tech Support,
Last year I upgraded from Boyfriend 5.0 to Husband 1.0 and noticed a distinct slow down in overall system performance, particularly in the flower and jewelry applications, which operated flawlessly under Boyfriend 5.0.
In addition, Husband 1.0 uninstalled many other valuable programs, such as Romance 9.5 and Personal Attention 6.5, and then installed undesirable programs such as
NBA 5.0,
NFL 3.0 and
Golf Clubs 4.1.
Conversation 8.0 no longer runs, and Housecleaning 2.6 simply crashes the system.
Please note that I have tried running Nagging 5.3 to fix these problems, but to no avail.
What can I do?
Signed,
Desperate.
DEAR DESPERATE,
First, keep in mind, Boyfriend 5.0 is an Entertainment Package, while Husband 1.0 is an operating system.
Please enter command: ithoughtyoulovedme.html, try to download Tears 6.2, and do not forget to install the Guilt 3.0 update. If those applications work as designed, Husband 1.0 should then automatically run the applications Jewelry 2.0 and Flowers 3.5.
However, remember, overuse of the above applications can cause Husband 1.0 to default to Grumpy Silence 2.5, Happy Hour 7.0, or Beer 6.1. Please note that Beer 6.1 is a very bad program that will download the Farting and Snoring Loudly Beta.
Whatever you do, DO NOT under any circumstances install Mother-In-Law 1.0 (it runs a virus in the background that will eventually seize control of all your system resources).
In addition, please do not attempt to reinstall the Boyfriend 5.0-program. This is an unsupported application and will crash Husband 1.0.
In summary, Husband 1.0 is a great program, but it does have limited memory and cannot learn new applications quickly. You might consider buying additional software to improve memory and performance. We recommend Cooking 3.0 and Hot Lingerie 7.7.
Good Luck!
Tech Support
Don’t Forget the Next SPARTA Meeting
Tuesday, March 30, 2010
7 p.m.
LabCorp in the RTP
Take I-40 to Miami Boulevard and go north. Turn right onto Alexander Drive. Go about a mile or so. Then turn right into LabCorp complex and turn left to the CMBP Building. In the lobby, sign in as a visitor to see Tommy Thomas. Tommy will escort you to the conference room.
Free Food: BarBQ, Drink, Dessert
Program:
SHARE Conference Reports
Speakers:
SPARTA Members
SPARTA News
P.O. Box 13194
Research Triangle Park, NC 27709-3194
First Class Postage
SPARTA Corporate Sponsors:
