Dear Group,

I was watching moshix' M94 video (Part 2 on how to use VSAM on VM/370 from COBOL + PL/I using VSAMIO) and thought I give COBOL a try, first, without?

the VSAM example. So I prepped a very small program and tried to compile. Before that, I linked to COBOL 191 and accessed the mini disk as B.?

cobol mycob

SYSTEM/360 COBOL COMPILER? ? ? ? ? CB545 V2 LVL78

OPEN ERROR CODE '03' ON 'SYSIN '.

?

Ready; T=0.01/0.04 08:48:47

That was kind of unexpected to me. As René Ferland explained, the Cobol compiler is significantly older than the system itself and was lifted from a previous version of MVS. Hence the use of VSAMIO which brings VSAM capability to these old compilers. However, the problem seems to start much earlier, at least with my?
VM/370 CE 1.1 installation.

query cplevel

SYSTEM 4381-A

VM/370 Community Edition Version? 1 Release? 1.1 03/10/22 08:54:40

?

Ready; T=0.01/0.01 08:56:28

update: I created the source file with "ee" without any further specification, quite naively. A dir * cobol yields

Filename Filetype Fm? Format? ? Recs Blocks? ? Date? ? ?Time? ?Label

MYCOB? ? COBOL? ? A1? V? ? 32? ? ?10? ? ? 1? 03/12/22? ?16:29? CMS191

Could it be the old compiler chokes because of the file attributes V and lrecl=32??
Is there a way to specify that beforehand or to change the record attributes later??

kind regards
Michael

?

Well … skip that. I varied the wrong address online.

On 12 Mar 2022, at 15:10, rvjansen@... wrote:

Hi Bob,

to prepare for the release of VM370CE 1.1.2 I am getting rid of some sixpack version I am running, and one has a dasd that I allocated for a user; unfortunately it is called VM50-7, which the CE already has. I put it on another address, and when attaching it with:

/attach 6a9 to system as vm51-7

(I thought to be clever and just attach it with another name and change it to that in the USER DIRECT)

VM tells me that:

/13:53:19 DASD 6A9 VOLID VM50-7 DOES NOT MATCH

So I am doubting now to vmarc the content of its minidisks and reformat, or to relabel it, which seems quicker.

Is there a command to relabel it?

Many thanks in advance,

Best regards,

搁别苍é.

On 12 Mar 2022, at 14:04, Bob Bolch <Bob@...> wrote:

Hi Gary,

Ooops :-)?

I have 1.1.2 on the brain, since we are trying to get it out as

soon as we can. The current release is 1.1.1.

We want to get at least a few more of the bugs at

fixed before release if we can. Everything?takes a lot longer to

fix now, than it did in 1978!

Bob?

On Sat, Mar 12, 2022 at 7:41 AM gdblodgett <gdblodgett@...> wrote:

Hi Bob,

Bob Bolch wrote:
> Starting with the Community Edition Version 1 Release 1.2 (the current?
> release),

Is that a typo, or is 1.1.2 set to be released shortly?

Regards,

Gary

On 12 Mar 2022, at 14:04, Bob Bolch <Bob@...> wrote:

Hi Gary,

Ooops :-)?

I have 1.1.2 on the brain, since we are trying to get it out as

soon as we can. The current release is 1.1.1.

We want to get at least a few more of the bugs at

fixed before release if we can. Everything?takes a lot longer to

fix now, than it did in 1978!

Bob?

On Sat, Mar 12, 2022 at 7:41 AM gdblodgett <gdblodgett@...> wrote:

Hi Bob,

Bob Bolch wrote:
> Starting with the Community Edition Version 1 Release 1.2 (the current?
> release),

Is that a typo, or is 1.1.2 set to be released shortly?

Regards,

Gary

On 12 Mar 2022, at 05:38, Jaime Carpenter <j.carpenter@...> wrote:

Hi Bob,

I am a new user to the VM370CE world, so I was looking for the userids to
logon. I looked in the readme files. The one with userids is
readme-1_2.txt. This readme stated that there was a BREXX userid, when I
tried it that is where I got the not in CP Directory message.

The multiple readme files, at first were confusing because they are a mix
of Sixpack, TK4-, vm370ce and others. If this is not going to be called
"Sixpack" then it seems to me that those readme files could be removed and
some of the info put into the VM370CE readme. Also, those sixpack readmes
mention "Please report any issues on the "[email protected]" mailing list."
I think that is no longer valid.

Thanks,
Jaime Carpenter


On Fri, 11 Mar 2022 12:45:56 -0500, "Bob Bolch" <Bob@...> wrote:

Please elaborate on the "packaging issue for the readme files", so it

can

be fixed. The current source code for BREXX and GCC runtime library

files

for CMS, are on the MAINTC user ID in VMCE.
Thanks!
Bob Bolch

Links:
------
[1] /g/h390-vm/message/4066
[2]

mailto:[email protected]?subject=Re:%20Re%3A%20%5Bh390-vm%5D%20Using%20Hercules%20version%20specific%20config%20file%20parameters%20with%20VM370CE

[3]

mailto:Bob@...?subject=Private:%20Re:%20Re%3A%20%5Bh390-vm%5D%20Using%20Hercules%20version%20specific%20config%20file%20parameters%20with%20VM370CE

[4] /mt/88093602/4526575
[5] /g/h390-vm/post
[6] /g/h390-vm/editsub/4526575
[7] mailto:[email protected]
[8] /g/h390-vm/leave/11166232/4526575/1317415517/xyzzy

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Jaime
Carpenter
Sent: 11 March 2022 17:14
To: [email protected]
Subject: Re: [h390-vm] Using Hercules version specific config file parameters
with VM370CE

I am using VM/370 Community Edition V1R1.1

I am new so I did not know about linking to another disk. I was looking for
the BREXX user.

Thanks


On Fri, 11 Mar 2022 16:46:26 -0000, "Dave Wade" <dave.g4ugm@...>
wrote:

J

Which versión of CE?

Its not usually useful to logon to BREXX, you can link the disk:-

link brexx 191 199 rr

Ready; T=0.01/0.01 11:43:05

access 199 x

X (199) R/O

Ready; T=0.01/0.01 11:43:10

Then

FSLIST * * X

Will show you the files. Not sure there is anything relevant to users
on ther….

Dave

G4UGM



FROM: [email protected] ON BEHALF OF j.carpenter@...
SENT: 11 March 2022 16:33
TO: [email protected]
SUBJECT: Re: [h390-vm] Using Hercules version specific config file
parameters with VM370CE

Gentlemen,
I am grateful for the amazing work on VM370CE and also SDL yperion and
Hercules. I reached this forum because I am running a Raspberry Pi and
Herc 3.13. I also had the IPL issue and I read through and understand
about the CONF file and ARCHMODE. I can now IPL. I noticed that the
read me files mention the BREXX user and when I try to logon, it says
it is not in the CP Directory. I mention this here because if it is
not included, then it is also a packaging issue with the readme files.
I use HercGUI on RPi along with Hercules 3.13 because those are the
packages provided. I am a newby here, so if my comments are off topic,
please let me know. Thanks



Links:
------
[1] /g/h390-vm/message/4065
[2]

mailto:[email protected]?subject=Re:%20Re%3A%20%5Bh390-
vm%5D%20Using%20Hercules%20version%20specific%20config%20file%20pa
rameters%20with%20VM370CE

[3]

mailto:dave.g4ugm@...?subject=Private:%20Re:%20Re%3A%20%5B
h390-
vm%5D%20Using%20Hercules%20version%20specific%20config%20file%20pa
rameters%20with%20VM370CE

[4] /mt/88093602/4526575
[5] /g/h390-vm/post
[6] /g/h390-vm/editsub/4526575
[7] mailto:[email protected]
[8]
/g/h390-vm/leave/11166232/4526575/1317415517/xyzzy

?

Gentlemen,
I am grateful for the amazing work on VM370CE and also SDL yperion and Hercules.? I reached this forum because I am running a Raspberry Pi and Herc 3.13.? I also had the IPL issue and I read through and understand about the CONF file and ARCHMODE.? I can now IPL.? I noticed that the read me files mention the BREXX user and when I try to logon, it says it is not in the CP Directory.? I mention this here because if it is not included, then it is also a packaging issue with the readme files. I use HercGUI on RPi along with Hercules 3.13 because those are the packages provided. I am a newby here, so if my comments are off topic, please let me know.? Thanks

?

Hi Dave,

simply, I don't want uninvited visitors in any of my systems, be them actual or vintage. In my own network at home, behind router and firewall, unencrypted comms or terminal sessions is not much of an issue. As soon as your server is in the internet (cloud offering, virtual server) or accessible through the internet, that's a different story. We also cannot rule out that the vintage OS together with hercules can be a vector to attack the underlying host. So yes, speaking of data protection, the system(s) I run is only a big playground. No personal or business data.?
No need to update hercules, that's where ssh tunnel (Gregg) or stunnel4 (my proposal) comes in, based on the following assumption

a) the host system is guarded with a proper IPTABLES setup, only allowing for the desired TLS and/or SSH destination ports (and source ports, if establishing a link to another computer)
b) binding to the local interface (127.0.0.1) is safe. No packets can travel from the loopback interface to a network interface connected to the external world. An attacker would already have to be inside the system and be able to trace such comms.?
c) stunnel or ssh offer a bridge / TLS termination. Encrypted comms is coming in from the outside, passes through the firewall and is accepted and decrypted by the ssh or stunnel and relayed to the destination port (opened by hercules) on the loopback interface.?
d) 2-Way SSL is used to prevent from unauthorized and unwanted connection by arbitrary clients. If the client cert is invalid or unknown, the SSL handshake fails.?

If you want to allow external users to the system, you would have to establish either certificate issueing or signing. A user who wants to access your VM or MVS would have to submit a certificate signing request, you sign it with your CA and return the signed certificate to the user (which is only useful together with the private key the user must keep for himself).?

I think I should prep some slides that visualise the setup in mind (and which I, more or less, run on my own). It's all free stuff, so no cost attached. In the meantime, my setup is as follows:

Macintosh (the machine where x3270 4.x fails to establish a ssl connection for some odd reason, instead, x3270 talks to a stunnel acting as a client to the server)

/opt/homebrew/etc/stunnel/stunnel.conf

output = /opt/homebrew/var/log/stunnel.log

[x3270]

cert = /opt/homebrew/etc/stunneL/kontor2.crt

key? = /opt/homebrew/etc/stunnel/kontor.key

CAfile = /opt/homebrew/etc/stunnel/chain.pem

client = yes

accept = 127.0.0.1:43270

connect = vmd33672.contaboserver.net:43270

[x3271]

cert = /opt/homebrew/etc/stunneL/kontor2.crt

key? = /opt/homebrew/etc/stunnel/kontor.key

CAfile = /opt/homebrew/etc/stunnel/chain.pem

client = yes

accept = 127.0.0.1:53270

?

connect = vmd33672.contaboserver.net:53270


My Linux server (a cloud offering)

?

output = /var/log/stunnel4/stunnel.log
# the VM System listening at port 3271

[x3271]

accept = 53270

connect= 3271

verifyChain=yes

verifyPeer = no

cert = /etc/stunnel/vmd33672-server.pem

CAfile = /etc/stunnel/chain2.pem

# the MVS system, listening at port 3270

[x3270]

accept = 43270

connect= 3270

verifyChain = yes

verifyPeer = no

cert = /etc/stunnel/vmd33672-server.pem

?

CAfile = /etc/stunnel/chain2.pem

# the http interfaces of the two hercules instances to make it operable from the outside. Also with 2-Way TLS as we have no user management here.

[herchttp]

accept = 4888

connect= 8088

verifyChain = yes

verifyPeer = no

cert = /etc/stunnel/vmd33672-server.pem

CAfile = /etc/stunnel/chain2.pem

?

[herchttp-2]

accept = 5888

connect= 8082

verifyChain = yes

verifyPeer = no

cert = /etc/stunnel/vmd33672-server.pem

CAfile = /etc/stunnel/chain2.pem

When I connect to my vmd33672 from one of my linux boxes, I do not need to use stunnel on the client side, the x3270 call is

?

#!/bin/bash

?

x3270 -model 3279-2 -accepthostname vmd33672.contaboserver.net -cafile ~/chain.pem? -certfile ~/kontor2.crt -keyfile ~/kontor.key? L:vmd33672.contaboserver.net:43270

Tracing failed SSL handshakes can be a daunting task, so don't give up. If one detail goes wrong, the entire handshake fails. Can be anything from chain, algorithm, key size, certificate validity, common name not matching name resolution etcpp.?


Relevant IPTABLES

ACCEPT ? ? tcp? --? anywhere ? ? ? ? ? ? anywhere ? ? ? ? ? ? tcp dpt:43270

ACCEPT ? ? tcp? --? anywhere ? ? ? ? ? ? anywhere ? ? ? ? ? ? tcp dpt:53270

ACCEPT ? ? tcp? --? anywhere ? ? ? ? ? ? anywhere ? ? ? ? ? ? tcp dpt:4888

?

ACCEPT ? ? tcp? --? anywhere ? ? ? ? ? ? anywhere ? ? ? ? ? ? tcp dpt:5888

kind regards
Michael

?

?

Dear 搁别苍é, dear Gregg,

of course I will share my setup with the community asap. Just give me some time to prep things. For using stunnel4, one needs X.509 certificates which can be easily produced with "easy RSA". But more on this later.?

@Gregg: A ssh tunnel is a viable option, however, it needs a user identy / account on the server side. If you don't want users of the mainframe system to be users of the hosting linux / unix / whatever system, I reckon that stunnel is the easier way.?
For sure we know that hercules and the hosted mainframe OSes? like VM/370 and MVS can't deal with TLS. This is where the server nature of stunnel4 comes to help. The inbound TLS connection is proxied unecrypted to the 3270 (or other comms) ports.? Usually, x3270 can deal with SSL connections, but on the Macintosh, the x3270 seems to be utterly broken or I haven't figured out how it works on a Mac with the system keystore etc. I use stunnel4 on the Mac as a client, that is, my x3270 connects to let's say localhost:53270 plain text, stunnel connects to vmd33672.contaboserver.net:53270 with 2-way TLS and the server stunnel proxies the data to hercules, in this case VM/370 with hercules listening on 3271 (3270 taken by MVS).?
I'll prep something with instructions on easy RSA how to create client, server and ca and intermediate certs and how to setup the stunnel for both client and server. This can be replicated to other TCP/IP comms as well (thinking of HNET for example).?

kind regards
Michael