Messages

106

Documentation / Re: Users's rules with ARSUSEC

« on: January 19, 2017, 01:18:21 PM »

I don't have a sample from and arsusec, since every case if different, then every user exit is unique... or nearly unique! sorry.


You need to understand that when a user logs in CMOD, CMOD will first run the ARSUSEC, and depending on the answer of ARSUSEC, it will either:
- stop checking and deny the login
- stop checking and allow the login
- continue with its internal checking, and then according to his findings, allow/deny the access.


If you have some specials users that you want to avoid to lock out, then you only way to do it, is to handle them first, and allow them access directly with the ARSUSEC.
And if the users are not the "special" case, then you let CMOD handle them, and do whatever CMOD wants to do according to the rules you have defined in the "System Parameters".
It means also that the ARSUSEC will also need to check the validity of the password of your "special" users... and you cannot use the CMOD hash file, since there is no documentation on how to check the password like CMOD... so it means you need to develop your own way to handle the passwords in a separate table from the official ARSUSER table... meaning that you need also to handle the moment these "special" users wants to change their password...

That would be a nice project... not that difficult, but not that trivial...

I hope that helps you a little bit to see what needs to be done, or not...

Regards,
Alessandro

107

Tips and Tricks / Re: Script to show doc counts for a list of app groups

« on: January 19, 2017, 12:59:55 PM »

Easy peasy... not really a challenge...

in order to have really the number of documents and not the number of rows, then you must use such select :

Code: [Select]

select count(distinct doc_name,doc_off, doc_len, comp_off, comp_len, pri_nid, sec_nid) from <segment table name>
Because the combination of these 7 fields makes a entry to a single document in the storage manager (cache, tsm, HDFS, OAM, etc...)
To be really exact you need to do a count distinct from the union of all the segment tables, since it is possible that you are the same document reference in different segment table.
But I let that as an exercise to the people who wants to challenge themselves!! :-D

Regards,
Alessandro

108

WEBI interface / Re: ODWEK 9.5 and latest WEBI 1.4.0.5 FP5.6 compatibility

« on: January 19, 2017, 12:48:36 PM »

Does anyone know of the latest WEBi fixpack works with ODWEK 9.5?

I would strongly suggest that you upgrade to ICN... since WEBi is not anymore actively developed.

Otherwise I have no answers for you... :-/

Regards,
Alessandro

109

OD/WEK & JAVA API / Re: Connection - Setup Issue

« on: January 19, 2017, 12:46:20 PM »

Hey all,

I am trying to connect CMOD server from my local machine via ODWEK in 64 bit platform. I had copied the ODApi.Jar to import the package and also the .dll files ars3wapi32.dll, ars3wapi64.dll and its dependent libraries icudt48.dll, icuin48.dll, icuio48.dll, icule48.dll, iculx48.dll, icuuc48.dll, arsgsk64.dll and had include the folder where it resides as the native library for source in Java code using eclipse IDE. The CMOD server has v9.0 installed in it. When I run the java code to establish connection to the server, it throws me this error

ars3wapi32.dll can't load IA-32 bit .dll in a AMD 64 bit machine.

If I remove ars3wapi32.dll and run the program, it throws me the below error.

No ars3wapi32.dll found

Any help would be appreciated to resolve this issue.

Hi Jim,

ODWEK needs to be installeds, and not take the bits and pieces like you want. As long as you are installing ODWEK on the system where you need it, then you are supported by IBM.
If you begin to play around taking this dll, this jar, that file, etc... then you are on your own.

So first try to install ODWEK, see if that works, if not, then try to make it work.
Once it works, then you can try to understand which pieces are required or not, and then copy the pieces and bits that you need.
But again... this is absolutely NOT supported by IBM, and if you open a ticket, then the first thing they will require from you is that you install ODWEK and try if that works.

Regards,
Alessandro

110

z/OS Server / Re: Consolidated Folder SQL question

« on: September 29, 2016, 09:18:12 PM »

Good day,
Thank you.  One last question, if I may.

Of course you may!! :-D Even more than one!!!

Is it possible to have an application (thus table) assigned to multiple application groups.

Well, I must say Yes, and No at the same time at this question.

Yes, because you can assign several Application to one Application Group.
But No, because that's the role of the Application Group to have the tables. You must imagine that the Application is an interface with basically 2 roles.
1) For everything that goes inside CMOD (you define, the indexer, compression, large objects, indexes default values, etc...)
2) For everything that goes outside from CMOD (file format, rotation, logical views, ...)

The proof? You can delete an application, all the information are still in tables in your database and your storage manager contains all your archived documents. And if you recreate an application with the exact same link with the application group, then you can access your documents again.
If you delete an application group, first CMOD will ask you many many times if you are sure that you want to delete it! And if you still do it, then all the tables and content of the storage manager will be deleted and lost forever. Except if you have a backup (you should), and then you can restore the tables and the content of the storage...

If so, is that accomplished via the application id of the field identification?

Exactly.

  And, if so can this be accomplished such that this application group is read only?  Please advise.  Thank you.

Nope... all the permissions are in the application group.
The application does not have any permissions, even if you have 100000000 applications on your application group.

If you want to have put your application group as read only, then you need to remove the "Updateable" option for each application group fields. Then even if your users have the right to update a field, CMOD will not allow this action.
But that's a general setting for the application group.
If you want to give to some people the right to modify and to some other not, then you need to keep the updateable field activated, but then you give or not the "Update" right in the permission tab for the user/group.
But in no way, you can define that permission from an application perspective.

If you want to do something special with documents, and that means you wanted to create an "special" application on your application group, then maybe in your case, it would be a better choice to create a new application group with your application, and set this set of documents as 100% read only by removing everything that can update / delete the content of this application group.



Does that answer your last question (that was in fact 3 questions :-D)

111

Tips and Tricks / Re: JCL That I Find Handy

« on: September 28, 2016, 12:24:44 AM »

Trying to save anyone the frustration I just went through...

I tried to put the arsstash -c command in JCL.

I tried every trick in the book I had for feeding in the password.


It turns out the arsstash command can't be put into JCL.

The reason is the getpass() function that is invoked to read the password without echoing won't work unless you have a terminal:

getpass() only works in an environment where either a controlling terminal exists, or stdin and stderr refer to tty devices. Specifically, it does not work in a TSO environment.

https://www.ibm.com/support/knowledgecenter/SSLTBW_1.13.0/com.ibm.zos.r13.bpxbd00/rgpass.htm#rgpass

One of the main purposes of arsstash was to not have passwords anywhere in the clear. 

Putting the password in a file (stdin/stdparm/SYSIN DD * /whatever) in the clear defeats that purpose.

Well if I may... there are tools, like in Linux world called Vault, which their main purpose is to keep all password in your environment safe, and give the password to the process that needs it in a secure way.
So, one of the usage of Vault, could be to automate the creation of CMOD technical users in CMOD with the correct password AND at the same time, create the stash file automatically for it. And in that case you need to be able to pass the password without using a terminal, and therefore the way it is handle with the getpass() is counterproductive and defeat the purpose of such handy tools.

So depending on how you look at it, the glass is half full or half empty or the glass contain half the content of water that you van pour in it or the glass contains the same amount of air and water in the glass!! :-D

112

OD/WEK & JAVA API / Re: ODWEK for 32bit platform

« on: September 26, 2016, 12:59:04 AM »

I know the 64 bit installer installs both 32bit and 64 bit ODWEK.
My question is: how can my user run the 64 bit installer on a 32 bit machine?

It would be of great help if you could share some lights on where I could find the 32 bit installer for my client to run on their 32 bit machine.

I said that the installer was 32bit, and not 64bits.

Now maybe they have changed that with CMOD V9.5.

If not, then you need to open a PMR ask IBM.

Unofficially, at least on Unix, with Windows all the registry and OLE/DDE/... I have no idea, never had to handle it (thanks god....). what you can do it simply install it on a 64bit system and copy to a directory to the 32bit target system.
Well with Unix/Linux, this is easy :-) they don't have anymore 32bits since a looooong time!!! :-)

113

MP Server / Re: ARSMAINT Script

« on: September 25, 2016, 06:34:43 AM »

Well if you put every single option on your arsmaint command... why not.
I prefer to keep things separated.
Only the options for cache, only options for migrations, only command for database expiration.
That way you don't have everything mixed up.

As Justin said. NEVER USE the -t option. This is here for VERY SPECIFIC action, that's why it is required to put the user/pwd with the -t option. Because this is a critical and dangerous option if you don't know how to use it.
And from what I see, you don't know how to use it. So PLEASE do you a favor NEVER use it, as long as you don't know what you are doing.

Now, for your question. If you have define that the data in the database should be kept for 540 days, then the command arsmain -d ... should be enough and CMOD will delete the data that are older than 540days.

BUT there is a catch here, it depends on how the application groups are defined.
If the expiration type is "SEGMENT", then CMOD will delete your data, ONLY if ALL documents in a segment table are > 540 days. If it is not the case, then it will wait until ALL documents in the segments table are older than 540 days, then it will drop the segment tables, and what is in the cache.
If the expiration type is "LOAD", then CMOD will delete your data, ONLY if ALL documents in a single LOAD is >540, otherwise, it will wait until all documents are >540 in this load.
If the expiration type is "DOCUMENT", then CMOD will delete right away each document as soon as it is >540.

If you have the case of an expiration type SEGMENT, and you want to delete everythig >540 before then you need to do things manually.
And you cannot use CMOD arsmaint command. and especially NOT the -t option.

114

OD/WEK & JAVA API / Re: ODWEK for 32bit platform

« on: September 25, 2016, 06:24:35 AM »

Thanks for your reply. So, I have developed everything in 32 bit. And how am I supposed to ask my client to install on a 32 bit platform? I can't find the 32 bit installer of ODWEK. So, how will my target user, using a 32 bit OS machine, can make use of my 32 bit Java ODWEK-enabled application as his 32 bit OS machine won't be able to run the 64 bit installer?

What I am curious is that if ODWEK support both 32 bit and 64 bit platform, then isn't it make sense that I there should be a 32 bit installer? Or am I missing something here?

ODWEK installs automatically both 32 and 64bits, you cannot choose and pick.

If you have developped everything in 32bit, then you need to ask your customer to install the Java 32bit, and ODWEK, and configure your configuration files, and that should be it.
Normally the ODWEK installer should be 32bit. That way it works on both 32 and 64bit OS.

115

MP Server / Re: Need download links for gskcrypt64 & gskssl64-8.0.14 for Linux x86_64

« on: September 21, 2016, 04:15:17 PM »

The GSKit RPMs are included in the CMOD TAR file:

-r--r----- root/archive 1330738 2014-08-06 09:56 CN206ML/linux/gskcrypt32-8.0.14.44.linux.x86.rpm
-r--r----- root/archive 1513551 2014-08-06 09:56 CN206ML/linux/gskcrypt64-8.0.14.44.linux.x86_64.rpm
-r--r----- root/archive 7539231 2014-08-06 09:56 CN206ML/linux/gskssl32-8.0.14.44.linux.x86.rpm
-r--r----- root/archive 7634662 2014-08-06 09:56 CN206ML/linux/gskssl64-8.0.14.44.linux.x86_64.rpm

You are right, but they are quite outdated... (6th August 2014), and it would be better to use a more current version, and therefore the link that Justin provided is essential to have an up to date and secure system.
Since GSKit is doing all the encryption stuff/TLS/etc... to have the latest version is essential to ensure that you have your security hole patched.

116

MP Server / Re: Active/Active CMOD Configuration

« on: September 21, 2016, 04:10:43 PM »

We are using a Active/Standby HA utilizing HPE ServiceGuard.
We have two identical (CPU, RAM, etc.) servers in a cluster at one site.
All storage (cache, db2, tsm, application) is stored on SAN disks that float
between the nodes of the cluster. 
If there's a hardware failure on the active node, it takes less than 10 minutes to failover to the standby node.

Nice, setup :-)
but the original question was active/active .

117

MP Server / Re: Arslog.log is not saving other messages apart from 88

« on: September 21, 2016, 04:08:57 PM »

thank you JD, i will be waiting for your reply on the post.

to avoid the Storage & Performance i unchecked the option what you suggested.

Rajesh,

what Justin wanted to say, you need to open a PMR to ask why. Justin will not do it, since he has not access to your system, and he will need to ask you every 2 seconds for informations...
so in order to bypass the middle man (sorry Justin :-D) and have a more direct answer, please check with IBM and open a PMR.

118

MP Server / Re: ARSMAINT Script

« on: September 21, 2016, 04:02:35 PM »

Sairam,

What do you want exactly?

Purge the document from the database OR from the cache?

Could you put an example of the arsmaint with all the options that you are using? (you can omit the -g and the application group name... we need only the options that you are using).

Because if you want to delete the documents in the cache, then it is tricky and CMOD will not delete everything ... it can leave things behind according to the current situation on your server at that day.
If you want to delete documents in your database/tsm, then arsmaint will do it as requested.

So again, tell us exactly what you want to do in details, and please show us the options that you want to use/plan to use.

119

Windows Client / Re: CMOD Migration from AIX to Linux

« on: September 21, 2016, 03:57:19 PM »

You might have some difficulties, as with any migration.
Like Justin said, test it, test it and test it again. There is absolutely no other way around it. Especially going from one OS to another.

Other than that, for this migration there is really nothing special about it, export DB, reimport DB, correctly configure CMOD, and that's it.

I didn't know that TSM 6.5 exist!!! I though that it went from 6.4 -> 7.1 !

Oh... one important thing.... PLEASE do not use TSM 7.1.1... go directly to the latest version. The 7.1.1 is buggy as hell... so do you a favor, go directly to the latest fix pack for Oracle/Linux/CMOD and TSM.

120

z/OS Server / Re: Encrypt/tokenize CMOD Data on the fly.Possible?

« on: September 21, 2016, 03:52:14 PM »

Another way, would be to have like a multi tier setup:

CMOD -> WebService (which get the document from CMOD and encrypt it) -> Send the encrypted document to the S3 Project team

That way, you can have a simple ODWEK interface on you side, and give the data in the way you want to the other party.
And they don't need to know CMOD, you just encapsulate everything in your API.
That way, you can use bulk retrieve or single retrieve.

The problem with the exit, is that you cannot do bulk retrieve, and this could be really tricky, but not impossible, since people already did that.