OnDemand User Group
Support Forums => z/OS Server => Topic started by: Ed_Arnold on March 29, 2013, 07:24:20 AM
-
CMOD V9 on z/OS has a new facility, the arsstash command.
It's used to create an encrypted file (called a stash file) used to store userids/passwords.
Use it to replace wherever you're using userid/pw now.
On Multiplatform, CMOD uses the gskit to provide the encryption. On z/OS, it uses ICSF.
ICSF - integrated cryptographic service facility
ICSF must be available on the z/OS system to provide AES-128 encryption, which it will do in software or hardware if available.
Usually, there's a started task which most people call CSF running on the system which will provide this service.
If CSF is not running, you get the very unhelpful message below.
Typical creating a stash file scenario:
arsstash -a 1 -c -s /u/myuser/prodstash.stash -u myuser
it will then prompt twice for the password.
If CSF is not up the messages returned are:
Verify OnDemand Password:
ARS1602E The stash file >/u/myuser/prodstash.stash< is invalid.
/usr/lpp/ars/V9R0M0/bin: >
Ed
-
How do I know if I have CSF up and running so that CMOD V9 can use it?
Use the MODIFY command against your ARSSOCKD.
On a system where CSF is up and running:
F ARSSOCKD,D,ICSF
ARS0438I 15.21.18 DISPLAY ICSF
CSFIQF RC=00, RSN=00000000, AES=3, FMID=HCR7780
On a system where CSF has not been started:
F ARSSOCKD,D,ICSF
ARS0438I 15.28.36 DISPLAY ICSF
CSFIQF RC=12, RSN=00000000, AES=0, FMID=N/A
-
Ed,
I just saw this as we are currently in the process of installing v9.5. What if you don't have a crypto processor
on your machine?
Thanks
Tom
-
This what we currently have specified for ARSLOAD. I don't see the -U as valid parm in the V9.5 Admin Guide.
//ARSLOADC EXEC PGM=ARSLOAD,REGION=0M,TIME=NOLIMIT,
// PARM='/-h ARCHIVE -C O -A WRITER -G FORMS -D TESTOD -f -E -K
// -c ars2/tmp2 -U /etc/ars/arsload.cfg'
-
Ed,
I just saw this as we are currently in the process of installing v9.5. What if you don't have a crypto processor
on your machine?
Thanks
Tom
Then you can't use a stash file and will need to specify userid and password any of the "old" ways.
Ed
-
This what we currently have specified for ARSLOAD. I don't see the -U as valid parm in the V9.5 Admin Guide.
//ARSLOADC EXEC PGM=ARSLOAD,REGION=0M,TIME=NOLIMIT,
// PARM='/-h ARCHIVE -C O -A WRITER -G FORMS -D TESTOD -f -E -K
// -c ars2/tmp2 -U /etc/ars/arsload.cfg'
Correct. "-U" has been deprecated.
Ed
-
Ed,
So one of the old ways was to put the user/password in a file and use the -U to indicate the name of the file.
As that is not available is the only option to specify the user/password in the PARM field?
-u userid -p password
Thanks
Tom
-
Perhaps SARSINST(ARSPTGN) - a passticket solution?
https://www.ibm.com/support/knowledgecenter/SSQHWE_9.5.0/com.ibm.ondemand.configuringzos.doc/dodzc639.htm (https://www.ibm.com/support/knowledgecenter/SSQHWE_9.5.0/com.ibm.ondemand.configuringzos.doc/dodzc639.htm)
Ed
-
Has anyone succeeded using stash file for running arsload?
Because I wonder what is the purpose of the ars.cfg parameter:
SRVR_OD_STASH= usr/lpp/ars/config/stashfiles/arsload.stash
I can't run the arsload without specifying the full path to the stash file:
/usr/lpp/ars/V9R5M0/bin/arsload -u USERID -p /usr/lpp/ars/config/stashfiles/arsload.stash
Omitting the -p /usr/lpp/ars/config/stashfiles/arsload.stash
it says:
stash file >< either does not exist or is not valid.
-
Hi Marthin...
Not trying to nitpick, but you *are* missing the leading slash from the path on your SRVR_OD_STASH parameter, and that might be causing the problem.
-JD.
-
That's ok to be awake :-)
But the slash "disappeared" in the copy/paste process .
but the real problem was that SRVR_OD_STASH= belongs in ars.ini not ars.cfg
After that change I can run arsload without the -p
-
Excellent! I'm glad to hear you got the problem solved, and thanks again for posting the solution.
Take care. :)
-JD.