Jaime,

Well if its in the readme it should be there, and the link also needs the user to exist.
I know Bob has moved stuff round so it may have gon. From his E-Mail looks like its now on MAINTC

Dave

I am using VM/370 Community Edition V1R1.1

I am new so I did not know about linking to another disk. I was looking
for the BREXX user.

Thanks


On Fri, 11 Mar 2022 16:46:26 -0000, "Dave Wade" <dave.g4ugm@...>
wrote:

J

Which versión of CE?

Its not usually useful to logon to BREXX, you can link the disk:-

link brexx 191 199 rr???????????

Ready; T=0.01/0.01 11:43:05?????

access 199 x????????????????????

X (199) R/O?????????????????????

Ready; T=0.01/0.01 11:43:10??

Then

FSLIST * * X

Will show you the files. Not sure there is anything relevant to users on
迟丑别谤….??

Dave

G4UGM

????????????????????????????????

FROM: [email protected] ON BEHALF OF j.carpenter@...
SENT: 11 March 2022 16:33
TO: [email protected]
SUBJECT: Re: [h390-vm] Using Hercules version specific config file
parameters with VM370CE

Gentlemen,
I am grateful for the amazing work on VM370CE and also SDL yperion and
Hercules. I reached this forum because I am running a Raspberry Pi and
Herc 3.13. I also had the IPL issue and I read through and understand
about the CONF file and ARCHMODE. I can now IPL. I noticed that the read
me files mention the BREXX user and when I try to logon, it says it is
not in the CP Directory. I mention this here because if it is not
included, then it is also a packaging issue with the readme files. I use
HercGUI on RPi along with Hercules 3.13 because those are the packages
provided. I am a newby here, so if my comments are off topic, please let
me know. Thanks



Links:
------
[1] /g/h390-vm/message/4065
[2]

mailto:[email protected]?subject=Re:%20Re%3A%20%5Bh390-vm%5D%20Using%20Hercules%20version%20specific%20config%20file%20parameters%20with%20VM370CE

[3]

mailto:dave.g4ugm@...?subject=Private:%20Re:%20Re%3A%20%5Bh390-vm%5D%20Using%20Hercules%20version%20specific%20config%20file%20parameters%20with%20VM370CE

[4] /mt/88093602/4526575
[5] /g/h390-vm/post
[6] /g/h390-vm/editsub/4526575
[7] mailto:[email protected]
[8] /g/h390-vm/leave/11166232/4526575/1317415517/xyzzy

开云体育

Gentlemen,
I am grateful for the amazing work on VM370CE and also SDL yperion and Hercules.? I reached this forum because I am running a Raspberry Pi and Herc 3.13.? I also had the IPL issue and I read through and understand about the CONF file and ARCHMODE.? I can now IPL.? I noticed that the read me files mention the BREXX user and when I try to logon, it says it is not in the CP Directory.? I mention this here because if it is not included, then it is also a packaging issue with the readme files. I use HercGUI on RPi along with Hercules 3.13 because those are the packages provided. I am a newby here, so if my comments are off topic, please let me know.? Thanks

开云体育

Hi Dave,

simply, I don't want uninvited visitors in any of my systems, be them actual or vintage. In my own network at home, behind router and firewall, unencrypted comms or terminal sessions is not much of an issue. As soon as your server is in the internet (cloud offering, virtual server) or accessible through the internet, that's a different story. We also cannot rule out that the vintage OS together with hercules can be a vector to attack the underlying host. So yes, speaking of data protection, the system(s) I run is only a big playground. No personal or business data.?
No need to update hercules, that's where ssh tunnel (Gregg) or stunnel4 (my proposal) comes in, based on the following assumption

a) the host system is guarded with a proper IPTABLES setup, only allowing for the desired TLS and/or SSH destination ports (and source ports, if establishing a link to another computer)
b) binding to the local interface (127.0.0.1) is safe. No packets can travel from the loopback interface to a network interface connected to the external world. An attacker would already have to be inside the system and be able to trace such comms.?
c) stunnel or ssh offer a bridge / TLS termination. Encrypted comms is coming in from the outside, passes through the firewall and is accepted and decrypted by the ssh or stunnel and relayed to the destination port (opened by hercules) on the loopback interface.?
d) 2-Way SSL is used to prevent from unauthorized and unwanted connection by arbitrary clients. If the client cert is invalid or unknown, the SSL handshake fails.?

If you want to allow external users to the system, you would have to establish either certificate issueing or signing. A user who wants to access your VM or MVS would have to submit a certificate signing request, you sign it with your CA and return the signed certificate to the user (which is only useful together with the private key the user must keep for himself).?

I think I should prep some slides that visualise the setup in mind (and which I, more or less, run on my own). It's all free stuff, so no cost attached. In the meantime, my setup is as follows:

Macintosh (the machine where x3270 4.x fails to establish a ssl connection for some odd reason, instead, x3270 talks to a stunnel acting as a client to the server)

/opt/homebrew/etc/stunnel/stunnel.conf

output = /opt/homebrew/var/log/stunnel.log

[x3270]

cert = /opt/homebrew/etc/stunneL/kontor2.crt

key? = /opt/homebrew/etc/stunnel/kontor.key

CAfile = /opt/homebrew/etc/stunnel/chain.pem

client = yes

accept = 127.0.0.1:43270

connect = vmd33672.contaboserver.net:43270

[x3271]

cert = /opt/homebrew/etc/stunneL/kontor2.crt

key? = /opt/homebrew/etc/stunnel/kontor.key

CAfile = /opt/homebrew/etc/stunnel/chain.pem

client = yes

accept = 127.0.0.1:53270

?

connect = vmd33672.contaboserver.net:53270


My Linux server (a cloud offering)

?

output = /var/log/stunnel4/stunnel.log
# the VM System listening at port 3271

[x3271]

accept = 53270

connect= 3271

verifyChain=yes

verifyPeer = no

cert = /etc/stunnel/vmd33672-server.pem

CAfile = /etc/stunnel/chain2.pem

# the MVS system, listening at port 3270

[x3270]

accept = 43270

connect= 3270

verifyChain = yes

verifyPeer = no

cert = /etc/stunnel/vmd33672-server.pem

?

CAfile = /etc/stunnel/chain2.pem

# the http interfaces of the two hercules instances to make it operable from the outside. Also with 2-Way TLS as we have no user management here.

[herchttp]

accept = 4888

connect= 8088

verifyChain = yes

verifyPeer = no

cert = /etc/stunnel/vmd33672-server.pem

CAfile = /etc/stunnel/chain2.pem

?

[herchttp-2]

accept = 5888

connect= 8082

verifyChain = yes

verifyPeer = no

cert = /etc/stunnel/vmd33672-server.pem

CAfile = /etc/stunnel/chain2.pem

When I connect to my vmd33672 from one of my linux boxes, I do not need to use stunnel on the client side, the x3270 call is

?

#!/bin/bash

?

x3270 -model 3279-2 -accepthostname vmd33672.contaboserver.net -cafile ~/chain.pem? -certfile ~/kontor2.crt -keyfile ~/kontor.key? L:vmd33672.contaboserver.net:43270

Tracing failed SSL handshakes can be a daunting task, so don't give up. If one detail goes wrong, the entire handshake fails. Can be anything from chain, algorithm, key size, certificate validity, common name not matching name resolution etcpp.?


Relevant IPTABLES

ACCEPT ? ? tcp? --? anywhere ? ? ? ? ? ? anywhere ? ? ? ? ? ? tcp dpt:43270

ACCEPT ? ? tcp? --? anywhere ? ? ? ? ? ? anywhere ? ? ? ? ? ? tcp dpt:53270

ACCEPT ? ? tcp? --? anywhere ? ? ? ? ? ? anywhere ? ? ? ? ? ? tcp dpt:4888

?

ACCEPT ? ? tcp? --? anywhere ? ? ? ? ? ? anywhere ? ? ? ? ? ? tcp dpt:5888

kind regards
Michael

?

开云体育

Dear René, dear Gregg,

of course I will share my setup with the community asap. Just give me some time to prep things. For using stunnel4, one needs X.509 certificates which can be easily produced with "easy RSA". But more on this later.?

@Gregg: A ssh tunnel is a viable option, however, it needs a user identy / account on the server side. If you don't want users of the mainframe system to be users of the hosting linux / unix / whatever system, I reckon that stunnel is the easier way.?
For sure we know that hercules and the hosted mainframe OSes? like VM/370 and MVS can't deal with TLS. This is where the server nature of stunnel4 comes to help. The inbound TLS connection is proxied unecrypted to the 3270 (or other comms) ports.? Usually, x3270 can deal with SSL connections, but on the Macintosh, the x3270 seems to be utterly broken or I haven't figured out how it works on a Mac with the system keystore etc. I use stunnel4 on the Mac as a client, that is, my x3270 connects to let's say localhost:53270 plain text, stunnel connects to vmd33672.contaboserver.net:53270 with 2-way TLS and the server stunnel proxies the data to hercules, in this case VM/370 with hercules listening on 3271 (3270 taken by MVS).?
I'll prep something with instructions on easy RSA how to create client, server and ca and intermediate certs and how to setup the stunnel for both client and server. This can be replicated to other TCP/IP comms as well (thinking of HNET for example).?

kind regards
Michael

Hello!
I don't know about Michael, but when I ran a regular setup with
Hercules running VM/370 on it, I would use SSH to connect to the
system. I was able to do so from an office in the City to here, and
the networking software I had running, other than the TCP/IP stack
reported just the regular things, and included notations that the
connection was done in secure format.

However a certain fellow will need to have a something else translate
this message.
-----
Gregg C Levine gregg.drwho8@...
"This signature fought the Time Wars, time and again."

开云体育

Hi Michael,

Gentlemen, dear Bob,?

?

with your help and instructions and those from MAINT MEMO, I finally accomplished to change the logon screen. Thank you for this. Changing all occurrences of the logo in the source file, however, is a daunting task. thinking of some little program that could read the logo from a file and punch the chars into the proper places. I reckon the size of the logo is somewhat fixed??

I run a TK4- on a public cloud virtual Intel server for quite a while and VM is a good addition. Especially for running DOS/VS (my older brother started with DOS/VS as a young man and I'd love to bring back the memories. The site is, btw., safeguarded by 2-Way TLS for the 3270 comms (or any other inbound/outbound comms)?
by using stunnel4.?

Thanks again!
Kind regards
Michael
p.s. need to catch up with the thread here! :-)?

The following files and folders have been uploaded to the Files area of the [email protected] group.

• /GG22-9277-00 VM370 Maintenance Made Simple - Washington Systems Center - May 1982.pdf

By: Mark Waterbury <mark.s.waterbury@...>

Description:
VM/370 Maintenance Made Simple -- IBM Washington Systems Center, May 1982

Still, it wouldn't be a bad background for those interested in how
maintenance is applied on VM/CMS systems IMO. Then they'd at least have
a better understanding of how the same thing is done on CE and 6-pack.

I think its a good document to read once you have a little experience....

OR... maybe you or someone else could write a much shorter and simpler
"What FATHER Never Told You..." (or similar) type document?

Well "MAINT MEMO" is a "cook book" on how to update the system. The problem is it assumes someone creating their own modification understands how update, auxiliary and control files fit together.
Its probably worth taking the first four pages from "Mother" which cover these tools and amending them so they refer to the files layouts and conventions used in in the "N-Packs"

Just a thought. :)

Its a good thought.

--
"Fish" (David B. Trout)
Software Development Laboratories

mail: fish@...

Dave

Dave Wade wrote:

Fish wrote:

[...]

Correct me if I'm wrong, but isn't this all covered in Melinda
Varian's excellent "What Mother Never Told You About VM Service"
document? (available in the group's Files area?)

I thought about suggesting reading it but on reflection decided
it wasn't appropriate as it has a few of issues when applied to
the 6-pack..

15-love.

It assume a rather higher level of VM knowledge than most of our
users have.

30-love.

It has lot of information on how to apply an IBM PUT tape, which
we probably will never have to do.

Match point.

The way it tells users how to organize service is a little different
to the way we set out the CE editions, We do this so for example we
can separate out IBM fixes, Fixes supplied in the download, and the
users own fixes.

It does not say anything about the EXECs we provided and at 125 pages
it’s a bit large and a lot of the info is irrelevant.

GAME! :)

Still, it wouldn't be a bad background for those interested in how maintenance is applied on VM/CMS systems IMO. Then they'd at least have a better understanding of how the same thing is done on CE and 6-pack.

OR... maybe you or someone else could write a much shorter and simpler "What FATHER Never Told You..." (or similar) type document?

Just a thought. :)

--
"Fish" (David B. Trout)
Software Development Laboratories

mail: fish@...

Bob Bolch wrote:

[...]

CNTRL

[...]

TXTLCL

[...]

AUXxxx files

[...]

(the name at the bottom of the file first, then
working from bottom to top).

Correct me if I'm wrong, but isn't this all covered in Melinda Varian's excellent "What Mother Never Told You About VM Service" document? (available in the group's Files area?)

--
"Fish" (David B. Trout)
Software Development Laboratories

mail: fish@...

Hi Bob,

thank you for these instructions. I ran vmfasm dmkbox dmklcl and I got an?

vmfasm dmkbox dmklcl

UPDATING 'DMKBOX ASSEMBLE I1'.

APPLYING 'DMKBOX HRC029DK F1'.

APPLYING 'DMKBOX HRC101DK F1'.

APPLYING 'DMKBOX HRC370DK A1'.

APPLYING 'DMKBOX HRC073DK F1'.

APPLYING 'DMKBOX HRC372DK F1'.

APPLYING 'DMKBOX HRC373DK F1'.

APPLYING 'DMKBOX HRC374DK F1'.

APPLYING 'DMKBOX HRC999DK A1'.

ASMBLING DMKBOX

?

ASSEMBLER (XF) DONE

NO STATEMENTS FLAGGED IN THIS ASSEMBLY

File 'DMKBOX TEXT A1' not found.

DMKBOX TXTLCL CREATED

Ready; T=0.12/0.31 16:42:31

Can I use the TXTLCL instead of the TEXT for further going forward?

kind regards

Michael