OnDemand User Group
Support Forums => z/OS Server => Topic started by: Ed_Arnold on August 31, 2017, 09:49:57 AM
-
Can we have ARSMAINT connect to ARSSOCKD via SSL?
I already had a keyring and certificate created as per the other SSL on z/OS related post:
http://www.odusergroup.org/forums/index.php?topic=1938.0 (http://www.odusergroup.org/forums/index.php?topic=1938.0)
Note that the userid associated with the keyring is the same as the userid of the started task, in my case ARSSV950.
I have the following SSL parms in my ars.ini:
SSL_PORT=11449
SSL_KEYRING_FILE=ARSSOC95.SSLRING
SSL_KEYRING_LABEL=ARSSOC95.CERT
SSL_CLNT_USE_SSL=1
I ran the following batch job which updates statistics on the DB2
database. Be sure you do this on a test system if you use the -r parm!
//TMP1 EXEC PGM=IKJEFT01,
// DYNAMNBR=200
//SYSPROC DD DSN=SYS1.SBPXEXEC,DISP=SHR
//*
//SYSTSPRT DD SYSOUT=*
//*
//SYSTSIN DD *
oshell logger -d1 starting ARSMAINT run
oshell /usr/lpp/ars/V9R5M0/bin/arsmaint -I ARCH950 -r
oshell logger -d1 ending ARSMAINT run
//*
//STDENV DD *
_BPX_SHAREAS=YES
_BPX_BATCH_SPAWN=YES
/*
//OSHOUT1 DD SYSOUT=*,DCB=(RECFM=F,LRECL=255)
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*
The first time I ran it I had REGION=7M on the job card and received:
ARS0000E Initialization of ICU for directory >/usr/lpp/ars/V9R5M0/locale/< failed - please ensure proper installation
I changed the JOB card to REGION=0M and this time I got the following on the z/OS console:
IEF196I IGD103I SMS ALLOCATED TO DDNAME SYS00036
ICH408I USER(ODADMIN ) GROUP(ODCMARS ) NAME(EDWARD ARNOLD )
IRR.DIGTCERT.LISTRING CL(FACILITY)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
A quick trip to the google says I should run the following:
rdefine facility irr.digtcert.listring uacc (none)
permit irr.digtcert.listring class(facility) id(*) acc(read)
SETROPTS RACLIST(facility) REFRESH
Try again, still won't connect.
I received a suggestion to add a USER=ARSSV950 to the JOB card.
Eureka! It works.
If you're trying to see if you can use ARSMAINT via SSL, these instructions should be a good IVP.
Ed
-
Is there a specific advantage to running arsmaint remotely, or over an encrypted connection?
-JD.
-
Is there a specific advantage to running arsmaint remotely, or over an encrypted connection?
-JD.
I'm hoping somebody else answers this, I can't.
Ed
-
*laugh*
So it's a proof of concept more than anything else? :)
-JD.
-
There could be a use case.
- If you have a Linux machine next to it, it is a bit easier (at least for me ;) ) to script things on Linux then on z/OS via USS.
- It also could be a bit cheaper as it doesn't cost MIPS.
- Scripts could be re-used in MP environment as well
-
Interesting side note.
I'm doing a little SSL testing, so I re-ran my batch job via SSL to prove that it was still working.
SSL_PORT=11449
SSL_KEYRING_FILE=ARSSOC95.SSLRING
SSL_KEYRING_LABEL=ARSSOC95.CERT
SSL_CLNT_USE_SSL=1 <<<that's what this line is for, to force ARSMAINT to use SSL.
From the ARSSOC95 started task:
IEF695I START ARSSOC95 WITH JOBNAME ARSSOC95 IS ASSIGNED TO USER ARSSV950, GROUP ODCMARS
When I tested this before I didn't have a NOTIFY= on the job card.
ARSSOC95 runs under userid ARSSV950 <<<< 8 character userid
I copied over a job card that had a NOTIFY=&SYSUID in it and I got
IEF452I ELASSL95 - JOB NOT RUN - JCL ERROR.
IEF642I EXCESSIVE PARAMETER LENGTH IN THE NOTIFY FIELD
I'm on z/OS V2.2
8 character *TSO* userids aren't supported until z/OS V2.3.
Ed