Re: Protecting telnet 3270 sessions
Dear René, dear Gregg,
of course I will share my setup with the community asap. Just give me some time to prep things. For using stunnel4, one needs X.509 certificates which can be easily produced with "easy RSA". But more on this later.?
@Gregg: A ssh tunnel is a viable option, however, it needs a user identy / account on the server side. If you don't want users of the mainframe system to be users of the hosting linux / unix / whatever system, I reckon that stunnel is the easier way.?
For sure we know that hercules and the hosted mainframe OSes? like VM/370 and MVS can't deal with TLS. This is where the server nature of stunnel4 comes to help. The inbound TLS connection is proxied unecrypted to the 3270 (or other comms) ports.? Usually, x3270 can deal with SSL connections, but on the Macintosh, the x3270 seems to be utterly broken or I haven't figured out how it works on a Mac with the system keystore etc. I use stunnel4 on the Mac as a client, that is, my x3270 connects to let's say localhost:53270 plain text, stunnel connects to vmd33672.contaboserver.net:53270 with 2-way TLS and the server stunnel proxies the data to hercules, in this case VM/370 with hercules listening on 3271 (3270 taken by MVS).?
I'll prep something with instructions on easy RSA how to create client, server and ca and intermediate certs and how to setup the stunnel for both client and server. This can be replicated to other TCP/IP comms as well (thinking of HNET for example).?
kind regards
Michael
|
Re: Protecting telnet 3270 sessions
Hello!
I don't know about Michael, but when I ran a regular setup with
Hercules running VM/370 on it, I would use SSH to connect to the
system. I was able to do so from an office in the City to here, and
the networking software I had running, other than the TCP/IP stack
reported just the regular things, and included notations that the
connection was done in secure format.
However a certain fellow will need to have a something else translate
this message.
-----
Gregg C Levine gregg.drwho8@...
"This signature fought the Time Wars, time and again."
toggle quoted message
Show quoted text
On Thu, Mar 10, 2022 at 8:05 AM rvjansen@... <rvjansen@...> wrote:
Hi Michael,
It would be really nice if you could share your stunnel4 setup with us here. It is an oft overlooked fact that running tn3270 sessions over the internet is not a prime example of good data security - I ran a Wireshark on my own network recently and saw the VM passwords pass by - and maybe more people can safeguard their sessions if pointed in the right way.
Best regards,
搁别苍é.
On 10 Mar 2022, at 12:22, Michael Grom <macbaer@...> wrote:
safeguarded by 2-Way TLS for the 3270 comms (or any other inbound/outbound comms)
by using stunnel4.
|
Protecting telnet 3270 sessions
Hi Michael,
It would be really nice if you could share your stunnel4 setup with us here. It is an oft overlooked fact that running tn3270 sessions over the internet is not a prime example of good data security - I ran a Wireshark on my own network recently and saw the VM passwords pass by - and maybe more people can safeguard their sessions if pointed in the right way.
Best regards,
toggle quoted message
Show quoted text
On 10 Mar 2022, at 12:22, Michael Grom < macbaer@...> wrote:
safeguarded by 2-Way TLS for the 3270 comms (or any other inbound/outbound comms)?
by using stunnel4.?
|
Gentlemen, dear Bob,?
?
with your help and instructions and those from MAINT MEMO, I finally accomplished to change the logon screen. Thank you for this. Changing all occurrences of the logo in the source file, however, is a daunting task. thinking of some little program that could read the logo from a file and punch the chars into the proper places. I reckon the size of the logo is somewhat fixed??
I run a TK4- on a public cloud virtual Intel server for quite a while and VM is a good addition. Especially for running DOS/VS (my older brother started with DOS/VS as a young man and I'd love to bring back the memories. The site is, btw., safeguarded by 2-Way TLS for the 3270 comms (or any other inbound/outbound comms)?
by using stunnel4.?
Thanks again!
Kind regards
Michael
p.s. need to catch up with the thread here! :-)?
|
File /GG22-9277-00 VM370 Maintenance Made Simple - Washington Systems Center - May 1982.pdf uploaded
#file-notice
The following files and folders have been uploaded to
the Files area of the [email protected] group.
By: Mark Waterbury <mark.s.waterbury@...>
Description:
VM/370 Maintenance Made Simple -- IBM Washington Systems Center, May 1982
|
Still, it wouldn't be a bad background for those interested in how
maintenance is applied on VM/CMS systems IMO. Then they'd at least have
a better understanding of how the same thing is done on CE and 6-pack.
I think its a good document to read once you have a little experience....
OR... maybe you or someone else could write a much shorter and simpler
"What FATHER Never Told You..." (or similar) type document?
Well "MAINT MEMO" is a "cook book" on how to update the system. The problem is it assumes someone creating their own modification understands how update, auxiliary and control files fit together. Its probably worth taking the first four pages from "Mother" which cover these tools and amending them so they refer to the files layouts and conventions used in in the "N-Packs" Just a thought. :) Its a good thought.
--
"Fish" (David B. Trout)
Software Development Laboratories
mail: fish@...
Dave
|
Dave Wade wrote: Fish wrote: [...] Correct me if I'm wrong, but isn't this all covered in Melinda
Varian's excellent "What Mother Never Told You About VM Service"
document? (available in the group's Files area?) I thought about suggesting reading it but on reflection decided
it wasn't appropriate as it has a few of issues when applied to
the 6-pack..
15-love. It assume a rather higher level of VM knowledge than most of our
users have. 30-love. It has lot of information on how to apply an IBM PUT tape, which
we probably will never have to do. Match point. The way it tells users how to organize service is a little different
to the way we set out the CE editions, We do this so for example we
can separate out IBM fixes, Fixes supplied in the download, and the
users own fixes.
It does not say anything about the EXECs we provided and at 125 pages
it’s a bit large and a lot of the info is irrelevant. GAME! :) Still, it wouldn't be a bad background for those interested in how maintenance is applied on VM/CMS systems IMO. Then they'd at least have a better understanding of how the same thing is done on CE and 6-pack. OR... maybe you or someone else could write a much shorter and simpler "What FATHER Never Told You..." (or similar) type document? Just a thought. :) -- "Fish" (David B. Trout) Software Development Laboratories mail: fish@...
|
toggle quoted message
Show quoted text
-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Fish Fish
Sent: 09 March 2022 21:55
To: [email protected]
Subject: Re: [h390-vm] VM/370 CE - DMKBOX
Bob Bolch wrote:
[...]
CNTRL [...]
TXTLCL [...]
AUXxxx files [...]
(the name at the bottom of the file first, then working from bottom to
top). Correct me if I'm wrong, but isn't this all covered in Melinda Varian's excellent
"What Mother Never Told You About VM Service" document? (available in
the group's Files area?)
I thought about suggesting reading it but on reflection decided it wasn't appropriate as it has a few of issues when applied to the 6-pack.. It assume a rather higher level of VM knowledge than most of our users have. It has lot of information on how to apply an IBM PUT tape, which we probably will never have to do. The way it tells users how to organize service is a little different to the way we set out the CE editions, We do this so for example we can separate out IBM fixes, Fixes supplied in the download, and he users own fixes. It does not say anything about the EXECs we provided and at 125 pages it’s a bit large and a lot of the info is irrelevant. --
"Fish" (David B. Trout)
Software Development Laboratories
mail: fish@... Dave
|
Bob Bolch wrote: [...] CNTRL [...] TXTLCL [...] AUXxxx files [...] (the name at the bottom of the file first, then
working from bottom to top). Correct me if I'm wrong, but isn't this all covered in Melinda Varian's excellent "What Mother Never Told You About VM Service" document? (available in the group's Files area?) -- "Fish" (David B. Trout) Software Development Laboratories mail: fish@...
|
Hi Michael, The next step you will use, VMFLOAD, uses the input file DMKLCL CNTRL to know which filetype to use for each CSECT in the Control Program Nucleus file you will build. VMFLOAD will search for the file DMKBOX TXTLCL, if not found, it will look for DMKBOX TXTHRC, and if that is not found, it will look for DMKBOX TEXT. Look at DMKLCL CNTRL to see the hierarchy of filetypes it looks for. VMFASM similarly uses DMKLCL CNTRL to find out which AUXxxx files to use to find updates and what order to process them (the name at the bottom of the file first, then working from bottom to top).? Bob
|
Hi Bob,
thank you for these instructions. I ran vmfasm dmkbox dmklcl and I got an?
vmfasm dmkbox dmklcl
UPDATING 'DMKBOX ASSEMBLE I1'.
APPLYING 'DMKBOX HRC029DK F1'.
APPLYING 'DMKBOX HRC101DK F1'.
APPLYING 'DMKBOX HRC370DK A1'.
APPLYING 'DMKBOX HRC073DK F1'.
APPLYING 'DMKBOX HRC372DK F1'.
APPLYING 'DMKBOX HRC373DK F1'.
APPLYING 'DMKBOX HRC374DK F1'.
APPLYING 'DMKBOX HRC999DK A1'.
ASMBLING DMKBOX
?
ASSEMBLER (XF) DONE
NO STATEMENTS FLAGGED IN THIS ASSEMBLY
File 'DMKBOX TEXT A1' not found.
DMKBOX TXTLCL CREATED
Ready; T=0.12/0.31 16:42:31
Can I use the TXTLCL instead of the TEXT for further going forward?
kind regards
Michael
|
Hi Michael,
The VM Community Edition uses the methodology for system updates that is based on what VM customers used in their production environments. Please read the MAINT MEMO on the MAINT 5E5 disk to understand how the files are used.
Updating the VM logo requires that you modify the DMKBOX?data area and rebuild the VM Control Program Nucleus. DMKBOX ASSEMBLE already has several modifications. The easiest way to make sure that any change you make can be carried forward into the next VMCE release, is to add new updates for the function you want, on top of the changes already distributed by IBM and by the VMCE changes already supplied by the User Community. I recommend?the following steps:
1. Issue 'VMSETUP?CP' to setup?a disk search order used to build a new VM Control Program Nucleus. 2. Create an update file with the changes you want. I will upload an example of a file to change the logo screen to the 0files?directory. It is a VMARC file, so upload it to your system with binary file transfer. Then use?VMARC UNPACK DMKBOX?VMARC A to extract the contents to your MAINT 191 disk. The DMKBOX?HRC999DK file will show an example of the way an update file works on VM. Your modified version of this file should retain the update?control statements? ( those that start with ./ ) and modify the contents to be how you want the screen to look. 3. Use a file named DMKBOX AUXLCL that contains a single line: HRC999DK V01 Update logo for VM/370 local system
Next you can build a new CP Nucleus by using the steps in the MAINT MEMO file starting around line 40 or so. Skip the step on rebuilding?the macro library, since you are not changing that file.
4. Assemble the DMKBOX?program file ? ? VMFASM DMKBOX?DMKLCL 5. Build the nucleus using the steps in MAINT MEMO. 6. After you are satisfied, move these files to the MAINT 594 disk. ? ? DMKBOX?HRC999DK ? ? DMKBOX?AUXLCL ? ? CPLOAD?MAP
People on this mailing list are very helpful, so keep sending questions. Looking at the various README files can also make things clearer.
Best regards, Bob Bolch
|
The 2nd argument to vmfasm is the file name of a CNTRL file which contains which update files to be applied to the source before assembly.
toggle quoted message
Show quoted text
On Mar 9, 2022, at 10:08 AM, Michael Grom <macbaer@...> wrote:
?I'm a bit lost here. Anyway, there is a DMKBOX ASSEMBLE on disk F and vmfasm - assuming that this is the program or exec to call - gives me an error that some CNTRL file is not found.? so VMSETUP CP VMFASM DMKBOX ASSEMBLE? yields?
vmfasm dmkbox assemble f
File 'ASSEMBLE CNTRL *' not found.
*** ASSEMBLE CNTRL NOT FOUND ***
Ready(00002); T=0.01/0.01 15:06:45
regards
Michael
|
I'm a bit lost here. Anyway, there is a DMKBOX ASSEMBLE on disk F and vmfasm - assuming that this is the program or exec to call - gives me an error that some CNTRL file is not found.? so VMSETUP CP VMFASM DMKBOX ASSEMBLE? yields?
vmfasm dmkbox assemble f
File 'ASSEMBLE CNTRL *' not found.
*** ASSEMBLE CNTRL NOT FOUND ***
Ready(00002); T=0.01/0.01 15:06:45
regards
Michael
|
You should not alter existing updates. Create a new one ? Dave ?
toggle quoted message
Show quoted text
From: [email protected] <[email protected]> On Behalf Of Michael Grom
Sent: 09 March 2022 13:50
To: [email protected]
Subject: Re: [h390-vm] VM/370 CE - DMKBOX? Hi Dave,
executed VMSETUP CP as MAINT - seem to have aggravated the problem. Was able to call DMKBOX HRC370DK into the ee editor and upon saving it complained about an error and left the file DMKBOX EE$TMP. The original file seems to be gone, however, the content being in that ee$tmp file. ? rename dmkbox ee$tmp a dmkbox hrc370dk a
Ready; T=0.01/0.01 13:38:34
vmsetup cp
E (594) R/O
F (094) R/O
G (194) R/O
H (294) R/O
I (394) R/O
Ready; T=0.01/0.01 13:38:43
vmfasm dmkbox hrc370dk
File 'HRC370DK CNTRL *' not found.
*** HRC370DK CNTRL NOT FOUND ***
Ready(00002); T=0.01/0.01 13:38:57 My apologies the instructions have been taken from Gerard's web site who is sub-hosting René Ferland's web space.
The version of the system: q cplevel
SYSTEM 4381-A
VM/370 Community Edition Version? 1 Release? 1.1 05/02/21 12:49:03
IPL at 21:59:37 GMT SATURDAY 03/05/22
PEAK LOAD= 007 USERS
Ready; T=0.01/0.01 13:46:47 Kind regards Michael
|
Hi Dave,
executed VMSETUP CP as MAINT - seem to have aggravated the problem. Was able to call DMKBOX HRC370DK into the ee editor and upon saving it complained about an error and left the file DMKBOX EE$TMP. The original file seems to be gone, however, the content being in that ee$tmp file.
?
rename dmkbox ee$tmp a dmkbox hrc370dk a
Ready; T=0.01/0.01 13:38:34
vmsetup cp
E (594) R/O
F (094) R/O
G (194) R/O
H (294) R/O
I (394) R/O
Ready; T=0.01/0.01 13:38:43
vmfasm dmkbox hrc370dk
File 'HRC370DK CNTRL *' not found.
*** HRC370DK CNTRL NOT FOUND ***
Ready(00002); T=0.01/0.01 13:38:57
My apologies the instructions have been taken from Gerard's web site who is sub-hosting René Ferland's web space.
https://geronimo370.nl/s370/vm-370-virtual-machine/customise-vm-logon-screen/
The version of the system:
q cplevel
SYSTEM 4381-A
VM/370 Community Edition Version? 1 Release? 1.1 05/02/21 12:49:03
IPL at 21:59:37 GMT SATURDAY 03/05/22
PEAK LOAD= 007 USERS
Ready; T=0.01/0.01 13:46:47
Kind regards
Michael
|
Michael, I think there is an extra disk in the CE compared to what Rene wrote about. Did you do ? VMSETUP CP ? Which will access all the disks needed. Does this solve your problem? If not please post a link to the instructions you followed, details of which version of CE you used. ? Dave ?
toggle quoted message
Show quoted text
From: [email protected] <[email protected]> On Behalf Of Michael Grom
Sent: 09 March 2022 08:31
To: [email protected]
Subject: [h390-vm] VM/370 CE - DMKBOX? Dear Forum, I'm fairly new to VM and thus doesn't have that much of an idea where the components that comprise the system reside. I found an article on René Ferland's web space on how to change the VM/370 logon screen but that doesn't seem to work on VM/370 CE - it's vmfasm that chokes with an error about files not found. I've text searched the group on this subject but to no avail.?
kind regards
Michael
|
Dear Forum,
I'm fairly new to VM and thus doesn't have that much of an idea where the components that comprise the system reside. I found an article on René Ferland's web space on how to change the VM/370 logon screen but that doesn't seem to work on VM/370 CE - it's vmfasm that chokes with an error about files not found. I've text searched the group on this subject but to no avail.?
kind regards
Michael
|
Re: does anyone know this game/have source?
On Fri, Mar 4, 2022 at 07:59 PM, Mark A. Stevens wrote:
That wasn't it, but thanks for taking a look. Our systems programmer was a PL/I guy and it may have been something he brought from his prior shop.
Man that thread ... that's the hardware I programmed on :) We replaced a 370/148 with a 4341 and retired the physical card reader (which I don't think I ever saw used). Fun times :)
|
Re: does anyone know this game/have source?
On Fri, Mar 4, 2022 at 09:34 AM, BlameTroi wrote:
Waaaaay back in the early 80s on our CMS system I played a submarine warfare game while waiting on long runs to finish.
All I have been able to find, on narchive.com: https://bit.listserv.ibm-main.narkive.com/jAwmVfmk/my-first-mainframe-experience-was-pf9-swap-question is "battleship game by Dave McBride" ?... Mark S.
|
Michael Grom
Mark A. Stevens