z/OS Data Set Encryption Now Generally Available
Mike Baldwin
2017-09-08 17:44:16 UTC
Hi Timothy,

Thanks for this.
BSAM, QSAM, and VSAM extended format data sets are all supported.
The FAQ says "residing on disk", so datasets residing on tape (e.g. TS7700)
would not be supported. (Even if accessed using BSAM/QSAM, and of course EXCP).
Is that correct, and do we expect it's a permanent restriction?

Regards,
Mike Baldwin
Cartagena Software Limited
Markham, Ontario, Canada
http://www.cartagena.com
http://www.teltape.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Timothy Sipples
2017-09-09 09:42:20 UTC
Post by Mike Baldwin
The FAQ says "residing on disk", so datasets residing on tape (e.g. TS7700
would not be supported. (Even if accessed using BSAM/QSAM, and of course
EXCP). Is that correct, and do we expect it's a permanent restriction?
"Disk" in this context means any/all storage that manifests itself as 3390
device types.

For DFSMS backups, including backups to virtual tape and tape, z/OS Data
Set Encrypted datasets stay encrypted. That includes DFSMSdss COPY, DUMP,
and RESTORE, and DFSMShsm backup/recover, as examples. Moreover, there's
Encryption Facility for z/OS, and of course it supports virtual tape and
tape devices.

Do you have some other scenario(s) in mind?

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: ***@sg.ibm.com

Timothy Sipples
2017-09-09 10:32:20 UTC
We're a small shop. We *really* don't want to be paying thousands every
month just for the "privilege" of being able to report bugs with, and
get fixes for, our non-Linux mainframe software. (IMHO such support
ought to be included free as part of MLC and S&S payments, but that's a
discussion for another day...)
It used to be that if you didn't have at least SoftwareXcel Basic
Edition, you could not logon to IBMLink to search for fixes, you could
not open PMRs electronically (you had L1 voice only), and you could not
download PTFs electronically (you had tape only).
You wrote that it's important to be able to report bugs. IBM agrees.
SoftwareXcel has never been required to open PMRs by telephone (or fax), to
my knowledge. Moreover, you should be able to open PMRs electronically (if
you prefer) from this Web page, also at no additional charge:

https://www.ibm.com/support/servicerequest/

Click on the "New service request" button to get started. Please give it a
try, stopping short of actual submission if you don't have a real PMR, and
please correct me if I'm mistaken. It's working for me, though. Moreover,
in some countries it's possible to open PMRs via e-mail. (I don't recommend
e-mail, though, especially for higher severity issues, since you can't
easily check whether and when IBM received your e-mail. But it's available
in some countries, with that understanding.)

ShopZ is available at no additional charge for electronic PTF and new
release/update deliveries. Electronic delivery is the preferred option.
(Earlier this year IBM eliminated the Single Version Charge (SVC)
limitation, in favor of Multi-Version Measurement (MVM). In short, that
means you should electronically order new versions and releases. You
shouldn't even have to think about it.)

You can search for APARs here:

https://www.ibm.com/support/customercare/psearch/search?domain=gapar

This search interface ("Granular APAR Search for Z") was first introduced
in 2014.

Have I ticked all your newly presented boxes? If I haven't, OK, please have
a chat with "your friendly IBM representative."

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: ***@sg.ibm.com

John Eells
2017-09-11 17:54:47 UTC
Timothy Sipples wrote:
<snip>
Post by Timothy Sipples
ShopZ is available at no additional charge for electronic PTF and new
release/update deliveries. Electronic delivery is the preferred option.
This is true, but we recommend you use RECEIVE ORDER instead, and even
that you automate it via scheduled batch so you have up to date PTFs and
HOLDDATA on hand.
Post by Timothy Sipples
(Earlier this year IBM eliminated the Single Version Charge (SVC)
limitation, in favor of Multi-Version Measurement (MVM). In short, that
means you should electronically order new versions and releases. You
shouldn't even have to think about it.)
<snip>

You can certainly order products for Internet delivery via Shopz, and
have been able to for some time. However, whenever there is a new
product number, which happens on a version boundary, I believe you will
need to get a new license even when the costs are identical. This, too,
has been true for some time. In the USA, at least, new version orders
are intercepted by TechLine for licensing.
--
John Eells
IBM Poughkeepsie
***@us.ibm.com

Jesse 1 Robinson
2017-09-09 14:00:50 UTC
That link indeed takes me to what appears to be the standard Service Request page--although a slightly different URL. Without actually submitting an SR I can't tell for sure if it would work. But more to the point, we currently subscribe to SoftwareXcel. Someone who does not subscribe would need to traverse the same path to check out the viability.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
***@sce.com


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Timothy Sipples
Sent: Saturday, September 09, 2017 3:33 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: (External):Re: SoftwareXcel Discontinued
We're a small shop. We *really* don't want to be paying thousands every
month just for the "privilege" of being able to report bugs with, and
get fixes for, our non-Linux mainframe software. (IMHO such support
ought to be included free as part of MLC and S&S payments, but that's a
discussion for another day...)
It used to be that if you didn't have at least SoftwareXcel Basic
Edition, you could not logon to IBMLink to search for fixes, you could
not open PMRs electronically (you had L1 voice only), and you could not
download PTFs electronically (you had tape only).
You wrote that it's important to be able to report bugs. IBM agrees.
SoftwareXcel has never been required to open PMRs by telephone (or fax), to my knowledge. Moreover, you should be able to open PMRs electronically (if you prefer) from this Web page, also at no additional charge:

https://www.ibm.com/support/servicerequest/

Click on the "New service request" button to get started. Please give it a try, stopping short of actual submission if you don't have a real PMR, and please correct me if I'm mistaken. It's working for me, though. Moreover, in some countries it's possible to open PMRs via e-mail. (I don't recommend e-mail, though, especially for higher severity issues, since you can't easily check whether and when IBM received your e-mail. But it's available in some countries, with that understanding.)

ShopZ is available at no additional charge for electronic PTF and new release/update deliveries. Electronic delivery is the preferred option.
(Earlier this year IBM eliminated the Single Version Charge (SVC) limitation, in favor of Multi-Version Measurement (MVM). In short, that means you should electronically order new versions and releases. You shouldn't even have to think about it.)

You can search for APARs here:

https://www.ibm.com/support/customercare/psearch/search?domain=gapar

This search interface ("Granular APAR Search for Z") was first introduced in 2014.

Have I ticked all your newly presented boxes? If I haven't, OK, please have a chat with "your friendly IBM representative."

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: ***@sg.ibm.com


Ed Jaffe
2017-09-09 15:54:39 UTC
Post by Jesse 1 Robinson
That link indeed takes me to what appears to be the standard Service Request page--although a slightly different URL. Without actually submitting an SR I can't tell for sure if it would work. But more to the point, we currently subscribe to SoftwareXcel. Someone who does not subscribe would need to traverse the same path to check out the viability.
I'd like to try it too, but like you I worry there will be entitlement
issues without a SoftwareXcel contract in effect.

Perhaps when our SoftwareXcel contract comes up for renewal (January I
think), we will just let it lapse and try these techniques for a while.
(I enjoy experimentation...)

Sure would be great if we could get out from under IBM thumb on this
(hopefully now historical) requirement to pay for the privilege of
electronically reporting and tracking IBM bugs.

If it works, it will make a great Bit Bucket segment for Sacramento or
Salt Lake City! :-)

If it fails, it will make a great Bit Bucket segment for Sacramento or
Salt Lake City! :-D
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

Jackson, Rob
2017-09-09 22:19:17 UTC
I am told, perhaps by a VAR, or not, that you can go ahead and sign a contract for five years or so on your current SoftwareXcel level--and grandfather yourself in. That is what we are trying to do. Perhaps if everyone does the same, IBM will forget about the whole thing. I really doubt any of the current management will be there in five years. There's not a one of the "upper level" that has any outlook beyond a quarter, much less the dedication to what WAS, heartbreakingly, one of the best organizations ever.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Ed Jaffe
Sent: Saturday, September 09, 2017 11:56 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: SoftwareXcel Discontinued

[External Email]
Post by Jesse 1 Robinson
That link indeed takes me to what appears to be the standard Service Request page--although a slightly different URL. Without actually submitting an SR I can't tell for sure if it would work. But more to the point, we currently subscribe to SoftwareXcel. Someone who does not subscribe would need to traverse the same path to check out the viability.
I'd like to try it too, but like you I worry there will be entitlement issues without a SoftwareXcel contract in effect.

Perhaps when our SoftwareXcel contract comes up for renewal (January I think), we will just let it lapse and try these techniques for a while.
(I enjoy experimentation...)

Sure would be great if we could get out from under IBM thumb on this (hopefully now historical) requirement to pay for the privilege of electronically reporting and tracking IBM bugs.

If it works, it will make a great Bit Bucket segment for Sacramento or Salt Lake City! :-)

If it fails, it will make a great Bit Bucket segment for Sacramento or Salt Lake City! :-D

--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

Timothy Sipples
2017-09-10 03:25:07 UTC
I should have mentioned that SMP/E Internet Software Retrieval (for SMP/E
installed products) and Fix Central (for non SMP/E installed products) are
also included with your MLC and S&S at no additional charge. They are paths
to obtain electronic delivery of PTFs and service updates from IBM.

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: ***@sg.ibm.com

Tom Marchant
2017-09-11 12:18:29 UTC
Post by Timothy Sipples
You wrote that it's important to be able to report bugs. IBM agrees.
SoftwareXcel has never been required to open PMRs by telephone (or fax), to
my knowledge. Moreover, you should be able to open PMRs electronically (if
https://www.ibm.com/support/servicerequest/
It's not a convincing test since I have to log in with my IBM ID in order to
access it. That's the same ID that I use to log in to SoftwareXcel.
--
Tom Marchant

Tom Conley
2017-09-11 16:50:29 UTC
Post by Tom Marchant
Post by Timothy Sipples
You wrote that it's important to be able to report bugs. IBM agrees.
SoftwareXcel has never been required to open PMRs by telephone (or fax), to
my knowledge. Moreover, you should be able to open PMRs electronically (if
https://www.ibm.com/support/servicerequest/
It's not a convincing test since I have to log in with my IBM ID in order to
access it. That's the same ID that I use to log in to SoftwareXcel.
FWIW,

I signed on to my IBM id with the Jack-Squat service offering, and it
brought up an SR. Did not fill it out, so no idea what would happen....

Regards,
Tom Conley

Ed Jaffe
2017-09-11 17:23:21 UTC
Post by Tom Conley
I signed on to my IBM id with the Jack-Squat service offering, and it
brought up an SR.  Did not fill it out, so no idea what would happen....
FWIW, I told Mainline on Saturday that we would *not* be renewing our
SoftwareXcel contract (it expires January 27). I want first-hand
experience tryna get support for z/OS, z/VSE and z/VM without a
SoftwareXcel/Software Care entitlement. (My technical contact over there
said he would be "lost without IBMLink." Haha! We'll see if I am too!)

I already know what it's like having SoftwareXcel for 30 years, so I
should be in a good position to observe if there are significant "gaps"
in what we get for free vs the paid subscription.

No matter the outcome, it's gonna make a *great* SHARE Bit Bucket
segment!!!!
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

Dyck, Lionel B. , TRA
2017-09-11 17:32:35 UTC
This is what I got back from IBM when I asked for details - not much:

Thank you for reaching out to IBM regarding your SoftwareXcel services. The generally available (GA) date for pricing of the new SoftwareXcel offerings will be 11/16/17. IBM will be extending the current SoftwareXcel Basic offering for one year for any contract term ending before 02/15/18.


--------------------------------------------------------------------------
Lionel B. Dyck
Mainframe Systems Programmer - TRA


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Ed Jaffe
Sent: Monday, September 11, 2017 12:24 PM
To: IBM-***@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: SoftwareXcel Discontinued
Post by Tom Conley
I signed on to my IBM id with the Jack-Squat service offering, and it
brought up an SR.  Did not fill it out, so no idea what would happen....
FWIW, I told Mainline on Saturday that we would *not* be renewing our SoftwareXcel contract (it expires January 27). I want first-hand experience tryna get support for z/OS, z/VSE and z/VM without a SoftwareXcel/Software Care entitlement. (My technical contact over there said he would be "lost without IBMLink." Haha! We'll see if I am too!)

I already know what it's like having SoftwareXcel for 30 years, so I should be in a good position to observe if there are significant "gaps"
in what we get for free vs the paid subscription.

No matter the outcome, it's gonna make a *great* SHARE Bit Bucket segment!!!!

--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

Pommier, Rex
2017-09-11 18:40:14 UTC
FWIW, I told Mainline on Saturday that we would *not* be renewing our
SoftwareXcel contract (it expires January 27). I want first-hand
experience tryna get support for z/OS, z/VSE and z/VM without a
SoftwareXcel/Software Care entitlement. (My technical contact over there
said he would be "lost without IBMLink." Haha! We'll see if I am too!)

I already know what it's like having SoftwareXcel for 30 years, so I
should be in a good position to observe if there are significant "gaps"
in what we get for free vs the paid subscription.

No matter the outcome, it's gonna make a *great* SHARE Bit Bucket
segment!!!!
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/



Ed,

Hopefully you'll also share it with us poor folks who don't make it to Share!!

Rex

Mike Baldwin
2017-09-11 15:26:37 UTC
Hi Timothy,
Post by Timothy Sipples
"Disk" in this context means any/all storage that manifests itself as 3390
device types.
For DFSMS backups, including backups to virtual tape and tape, z/OS Data
Set Encrypted datasets stay encrypted. That includes DFSMSdss COPY, DUMP,
and RESTORE, and DFSMShsm backup/recover, as examples. Moreover, there's
Encryption Facility for z/OS, and of course it supports virtual tape and
tape devices.
Do you have some other scenario(s) in mind?
z/OS Data Set Encryption is a fantastic new feature, kudos to IBM, and I don't
mean to detract from its wonderfulness.

That's a good point, and I understand, if a new disk dataset is encrypted,
then copying it to tape will maintain encryption. Very good, especially for HSM.
Mentioning 3390 makes the scope of support much clearer, thank you.

But...
The feature is called "Data Set Encryption", not "Disk Data Set Encryption",
so there is an expectation that it would (directly) apply to tape as well.
The FAQ "difference"s does not mention that this method is different
(from Encryption Facility) with respect to device type/class, i.e. 3390 yes, tape no.

There are many programs that write directly to device type 3490 (and 3590-1),
both of which can be virtual (not using TS11x0 hardware encryption).
Unknown whether they are copying data from disk, or not.
I looked at 10 medium-sized customer tape databases (RMM extract, etc.), and the
top 10 programs (other than HSM ADR* etc) were:
1 IEBGENER
2 DBUTLTY
3 HASJES20
4 ICE*
5 NSX*
6 DSN*
7 IDCAMS
8 SYNCSORT
9 FILEAID
10 JHS*

and there are many others.
Tape data has moved from off-line, to near-line, to pretty close to on-line these days.
That is, it is very accessible, and I believe no less sensitive than data stored on disk.

Consider a job executing a program that writes a dataset, and the DSN resolves to a disk dataset.
The data could be encrypted - great!
In another job, same program but a different DSN that resolves to a tape dataset.
Not encrypted due to device type - not good.

It would be helpful to know if there is an intent to extend this feature to the tape device class,
or if customers need to differentiate between datasets written to disk (potentially
encrypted) and tape (needing a different encryption technique, or change to disk and
then backup to tape).
Also helpful would be support for EXCP access method.
Does IBM give any hints, Timothy?

Thank you!
Mike Baldwin
Cartagena Software Limited
Markham, Ontario, Canada
http://www.cartagena.com
http://www.teltape.com

Edward Gould
2017-09-11 17:19:27 UTC
Post by Mike Baldwin
z/OS Data Set Encryption is a fantastic new feature, kudos to IBM, and I don't
mean to detract from its wonderfulness.
That's a good point, and I understand, if a new disk dataset is encrypted,
then copying it to tape will maintain encryption. Very good, especially for HSM.
Mentioning 3390 makes the scope of support much clearer, thank you.
But...
The feature is called "Data Set Encryption", not "Disk Data Set Encryption",
so there is an expectation that it would (directly) apply to tape as well.
The FAQ "difference"s does not mention that this method is different
(from Encryption Facility) with respect to device type/class, i.e. 3390 yes, tape no.
There are many programs that write directly to device type 3490 (and 3590-1),
both of which can be virtual (not using TS11x0 hardware encryption).
Unknown whether they are copying data from disk, or not.
I looked at 10 medium-sized customer tape databases (RMM extract, etc.), and the
1 IEBGENER
2 DBUTLTY
3 HASJES20
4 ICE*
5 NSX*
6 DSN*
7 IDCAMS
8 SYNCSORT
9 FILEAID
10 JHS*
and there are many others.
Tape data has moved from off-line, to near-line, to pretty close to on-line these days.
That is, it is very accessible, and I believe no less sensitive than data stored on disk.
Consider a job executing a program that writes a dataset, and the DSN resolves to a disk dataset.
The data could be encrypted - great!
In another job, same program but a different DSN that resolves to a tape dataset.
Not encrypted due to device type - not good.
It would be helpful to know if there is an intent to extend this feature to the tape device class,
or if customers need to differentiate between datasets written to disk (potentially
encrypted) and tape (needing a different encryption technique, or change to disk and
then backup to tape).
Also helpful would be support for EXCP access method.
Does IBM give any hints, Timothy?
This poses a question from me.
Let us say you create a simple sequential data set on disk.
DFHSM comes along and it is eventually migrated to tape. Is the dataset de-encrypted while on tape and then if it is recalled does it get encrypted again?

The secondary question is whether there is a key associated with a data set. If so, how/where is the key held? Is there someplace where I can learn about how this “magically” happens? Or is this similar to the password in the RACF database?

Ed


Dan Little
2017-09-11 20:58:56 UTC
There is a key for the dataset and it is stored in ICSF.

Nothing magically gets encrypted, although some articles and promos seem to imply that if you buy a z14 everything will magically be encrypted, which is not true.

There is key management to plan. There is the decision on how datasets get assigned a key (data class, RACF profile, or JCL keyword).

Good stuff but not magic.

The question has also been asked "if a person has access to dataset and key label in RACF what has been accomplished"? If you only have access to the dataset and not the key then that is something. If a disk has to be sent offsite you don't have to worry about datasets but we use full disk encryption which already covers that.

Any good explanations of the value add are welcome.

Dan
Post by Edward Gould
This poses a question from me.
Let us say you create a simple sequential data set on disk.
DFHSM comes along and it is eventually migrated to tape. Is the dataset de-encrypted while on tape and then if it is recalled does it get encrypted again?
The secondary question is if there is a key associated with a data set?, if so how/where is the key held? Is there someplace where I can learn about how this “magically” happens? Or is this similar to the password in the RACF database?
Ed
Steve Smith
2017-09-11 21:29:04 UTC
There has been at least one SHARE presentation on this. The one I
know about was session 20612 at San Jose 2017. It covers the basics,
and should answer a lot of questions.

sas

Timothy Sipples
2017-09-12 01:11:27 UTC
Post by Mike Baldwin
It would be helpful to know if there is an intent to extend this feature to the
tape device class, or if customers need to differentiate between datasets written
to disk (potentially encrypted) and tape (needing a different encryption technique,
or change to disk and then backup to tape).
The journey continues.

In the meantime, enforce some reasonable security policies that make sense
for your situation, that's all. For example, you could require data set
creation (of at least "sensitive" data) on 3390 type devices, not on
something else. [And "something else" is not only virtual tape and tape. It
could be NFS, as another example. Or a card/paper tape punch, I
suppose. :-)] If encrypted data sets are then HSM migrated to/from virtual
tape and tape, that's perfectly fine.

I don't think this particular idea is a new one. Haven't security desks
(and z/OS security managers) been enforcing "don't write THAT to THAT
(walkable) media" policies for decades now -- if they wish, as they wish to
enforce such policies? Well, they can continue to do that. Or not.

But, to reiterate, "the journey continues."
Post by Mike Baldwin
Let us say you create a simple sequential data set on disk.
DFHSM comes along and it is eventually migrated to tape. Is the
dataset de-encrypted while on tape and then if it is recalled does
it get encrypted again?
No. In my original reply to Mike I explained that encryption is maintained.
z/OS DFSMShsm shifts the bits back and forth across storage but does not
alter them, so encrypted data stays encrypted. HSM is a "mover," not a
"shaker," so to speak. :-) It's "business as usual" in that respect.
Post by Mike Baldwin
The question has also been asked "if a person has access to dataset and key
label in RACF what has been accomplished"? If you only have access to the dataset
and not the key then that is something. If a disk has to be sent offsite you don't
have to worry about datasets but we use full disk encryption which already covers
that.
To inspire some imagination, as a start, here's a question: what about the
storage team? (Hint, as a start: What is a point-in-time copy/FlashCopy?
It's all the bits on some set of volumes, right?)

Full disk encryption is great stuff, and you should continue using it. But
it's uni-level and protects the physical device as it walks out the door.
That's as far as it goes, and it's not far enough.

Think like an adversary, "internally" and "externally," and that'll help.

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: ***@sg.ibm.com
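
The policy discussed above (create sensitive data sets on 3390 device types, and remember that a key label must still be assigned) can be checked mechanically. The following Python audit is an added example, not part of any poster's message and not IBM code; the record layout, the sensitive-name patterns and the mover program prefixes are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample records. The column layout is hypothetical; it is not an
# RMM extract or SMF record format.
SAMPLE = """dsn,devtype,program,keylabel
PROD.PAYROLL.MASTER,3390,IEBGENER,PROD.PAYROLL.KEY01
PROD.PAYROLL.EXTRACT,3490,IEBGENER,
PROD.PAYROLL.HIST,3390,IDCAMS,
PROD.PAYROLL.SORTOUT,3590-1,SYNCSORT,
PROD.PAYROLL.DUMP,3590-1,ADRDSSU,
PROD.HR.UNLOAD,3490,FILEAID,
PROD.HR.COPY,3490,IEBGENER,
TEST.SCRATCH.WORK,3490,IEBGENER,
"""

# Assumptions for this example: which names count as sensitive, and which
# program-name prefixes identify DFSMSdss/DFSMShsm movers.
SENSITIVE_PATTERNS = ("PROD.PAYROLL.*", "PROD.HR.*")
ELIGIBLE_DEVTYPES = {"3390"}   # "disk" = storage that presents as 3390
MOVER_PREFIXES = ("ADR", "ARC")


def is_sensitive(dsn):
    """True when the data set name matches a sensitive-name pattern."""
    return any(fnmatchcase(dsn, pattern) for pattern in SENSITIVE_PATTERNS)


def classify(rec):
    """Return the encryption status implied by one creation record."""
    if rec["program"].startswith(MOVER_PREFIXES):
        # Movers copy the bits unchanged, so the status follows the source
        # data set; audit the source rather than the tape copy.
        return "MOVER"
    if rec["devtype"] not in ELIGIBLE_DEVTYPES:
        return "NOT_ELIGIBLE"      # tape, virtual tape, NFS, ...
    if not (rec["keylabel"] or "").strip():
        return "NO_KEY_LABEL"      # on 3390, but no key label was assigned
    return "ENCRYPTED"


def audit(text):
    """Return (findings, programs) for sensitive data sets left in the clear.

    findings: (dsn, devtype, program, status) tuples needing attention.
    programs: Counter of programs writing sensitive data to non-3390 devices.
    """
    findings = []
    programs = Counter()
    for rec in csv.DictReader(io.StringIO(text)):
        if not is_sensitive(rec["dsn"]):
            continue
        status = classify(rec)
        if status in ("NOT_ELIGIBLE", "NO_KEY_LABEL"):
            findings.append((rec["dsn"], rec["devtype"], rec["program"], status))
        if status == "NOT_ELIGIBLE":
            programs[rec["program"]] += 1
    return findings, programs


if __name__ == "__main__":
    findings, programs = audit(SAMPLE)
    for dsn, devtype, program, status in findings:
        print(f"{status:13} {dsn:24} {devtype:7} {program}")
    print("Programs writing sensitive data to non-3390 devices:")
    for program, count in programs.most_common():
        print(f"  {program:9} {count}")
```
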

Nightwatch RenBand
2017-09-11 17:27:09 UTC
Again, Barry Merrill shows he is one smart guy.
Few things made me happier than finding a bug in MXG code and seeing my
name credited for it. It amazes me that more software companies do not
follow his model. For the price of a T-shirt, or a few lines on a web page,
they could have people falling all over themselves to find, report and fix
bugs.

Ed Jaffe
2017-09-11 17:37:01 UTC
Post by Nightwatch RenBand
Again, Barry Merrill shows he is one smart guy.
Few things made me happier than finding a bug in MXG code and seeing my
name credited for it. It amazes me that more software companies do not
follow his model. For the price of a T-shirt, or a few lines on a web page,
they could have people falling all over themselves to find, report and fix
bugs.
Dave Cole also does bug/feature attribution in the z/XDC service stream.
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

Barry Merrill
2017-09-11 20:11:31 UTC
What a NICE thing to say!!

Barry Merrill

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Nightwatch RenBand
Sent: Monday, September 11, 2017 12:28 PM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: SoftwareXcel Discontinued

Again, Barry Merrill shows he is one smart guy.
Few things made me happier than finding a bug in MXG code and seeing my name credited for it. It amazes me that more software companies do not follow his model. For the price of a T-shirt, or a few lines on a web page, they could have people falling all over themselves to find, report and fix bugs.

Jesse 1 Robinson
2017-09-11 17:32:52 UTC
Hmm. Sounds suspiciously like open source. ;-)

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
***@sce.com


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Nightwatch RenBand
Sent: Monday, September 11, 2017 10:28 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: (External):Re: SoftwareXcel Discontinued

Again, Barry Merrill shows he is one smart guy.
Few things made me happier than finding a bug in MXG code and seeing my name credited for it. It amazes me that more software companies do not follow his model. For the price of a T-shirt, or a few lines on a web page, they could have people falling all over themselves to find, report and fix bugs.


Jesse 1 Robinson
2017-09-11 18:43:10 UTC
We have ordered product upgrades 'forever' via Shopz. Sometimes the order gets diverted to the 'Order Desk' for approval, especially (but not exclusively, I believe) for a new version. Eventually it gets straightened out. Is there another preferred way to order upgrades?

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
***@sce.com


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of John Eells
Sent: Monday, September 11, 2017 10:56 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: (External):Re: SoftwareXcel Discontinued

Timothy Sipples wrote:
<snip>
Post by Timothy Sipples
ShopZ is available at no additional charge for electronic PTF and new
release/update deliveries. Electronic delivery is the preferred option.
This is true, but we recommend you use RECEIVE ORDER instead, and even that you automate it via scheduled batch so you have up to date PTFs and HOLDDATA on hand.
Post by Timothy Sipples
(Earlier this year IBM eliminated the Single Version Charge (SVC)
limitation, in favor of Multi-Version Measurement (MVM). In short,
that means you should electronically order new versions and releases.
You shouldn't even have to think about it.)
<snip>

You can certainly order products for Internet delivery via Shopz, and have been able to for some time. However, whenever there is a new product number, which happens on a version boundary, I believe you will need to get a new license even when the costs are identical. This, too, has been true for some time. In the USA, at least, new version orders are intercepted by TechLine for licensing.

--
John Eells
IBM Poughkeepsie
***@us.ibm.com


John Eells
2017-09-11 21:14:59 UTC
Post by Jesse 1 Robinson
We have ordered product upgrades 'forever' via Shopz. Sometimes the order gets diverted to the 'Order Desk' for approval, especially (but not exclusively, I believe) for a new version. Eventually it gets straightened out. Is there another preferred way to order upgrades?
<snip>

Not that I know of.
--
John Eells
IBM Poughkeepsie
***@us.ibm.com

Timothy Sipples
2017-09-12 02:18:54 UTC
Post by John Eells
You can certainly order products for Internet delivery via Shopz, and
have been able to for some time. However, whenever there is a new
product number, which happens on a version boundary, I believe you will
need to get a new license even when the costs are identical.
I think we can phrase your last sentence in a clearer way. I'd say it this
way....

If you have Monthly License Charge (MLC) or Subscription and Support (S&S),
when you order a new product version on Shopz then IBM fulfills that order
at no additional charge, per IBM Multi-Version Measurement (MVM) terms:

https://www.ibm.com/systems/z/resources/swprice/mvm.html

I can't think of any reason why you have to worry about this backend
fulfillment/licensing distinction any more, with one exception: if you have
a licensed product with S&S *and* if you've let your S&S lapse.

Anyway, MVM makes life simpler, and thank goodness. "Just do it."

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: ***@sg.ibm.com

Greg Boyd
2017-09-12 12:33:17 UTC
Pervasive Encryption is for Extended Format data sets, so it is limited to disk data sets. (You could use the Encryption Facility for tape data sets.)

When you allocate the data set it will be flagged as a 'Pervasive Encrypted' data set. (I'm not sure what terminology IBM is using for such a data set ... a pervasively encrypted data set?) There are several ways to flag the data set (SAF profile, ISMF, allocation). As part of that flagging, you'll assign a key label to the data set. The flag and the label are stored with the data set (in the VTOC and the catalog), and every time you open the data set (write or read) using a standard I/O operation, the appropriate encrypt/decrypt operation will be performed, with ICSF retrieving the key from the CKDS. That is, the key that protects the data set must be stored in the CKDS, and defined as a protected key.

If you use a non-standard I/O operation (for example, read the track), the data will be copied 'as is'. That is, the ciphertext will be returned to the calling application. So for example, when you use DFSMSdss to dump the data set, the ciphertext will be dumped, and when DFHSM migrates the data set, the archived copy will remain encrypted. And the key label and pervasive encryption flag will be preserved with the archive. When the data set is recalled, it will be retrieved to DASD in its encrypted format ... and when you read that data set, using standard I/O the decrypt operation will be performed and the caller will get the cleartext.

Dan: You are correct, Pervasive Encryption is basically providing two SAF locks. To use the data set you must have the appropriate access to the data set itself (READ/UPDATE) AND you must have access to the key material (via the CSFKEYS class, and maybe you should consider Granular Key Label Access Control too).

So it is not a panacea, but I still think it's valuable. A storage administrator, who doesn't need access to the cleartext to do his job, by virtue of his access in a STGADMIN class can process the data and move it as appropriate, with the data remaining encrypted. However, when accessing the data using a standard access method, if you have access to both the data set and the key label, you'll get the cleartext back. If you don't have access to both, then the operation will fail with a security violation.

This is significantly better than disk encryption, which only protects when you lose control of the device. (Yes, you should be doing disk encryption too, because it does protect against a potential loss of data.) And some IBMers don't like it when I say this, but z/OS is finally catching up ... In Linux, you can define an encrypted file system and anything that gets written to that file system will automatically be encrypted. And you can configure Windows so that data written to your hard drive is automatically encrypted. Now, with z/OS, a security administrator or a storage administrator can configure things so that the encryption happens 'auto-magically', without the end-user even knowing that his data is now encrypted.

Most of the above comes from Cecilia Lewis' Share presentation 20612 in San Jose that Steve Smith mentioned.

Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
Post by Dan Little
There is a key for the dataset and it is stored in ICSF.
Nothing magically gets encrypted although some articles and promos seem to imply if you buy a z14 everything will magically be encrypted which is not true.
There is key management to plan. There is the decision on how datasets get assigned a key (data class, RACF profile, or JCL keyword).
Good stuff but not magic.
The question has also been asked "if a person has access to dataset and key label in RACF what has been accomplished"? If you only have access to the dataset and not the key then that is something. If a disk has to be sent offsite you don't have to worry about datasets but we use full disk encryption which already covers that.
Any good explanations of the value add are welcome.
Dan
Post by Edward Gould
This poses a question from me.
Let us say you create a simple sequential data set on disk.
DFHSM comes along and it is eventually migrated to tape. Is the dataset de-encrypted while on tape and then if it is recalled does it get encrypted again?
The secondary question is if there is a key associated with a data set? If so, how/where is the key held? Is there someplace where I can learn about how this “magically” happens? Or is this similar to the password in the RACF database?
Ed
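
An added illustration, not part of any post in this thread and not IBM code: a small Python model of the behaviour Greg Boyd and Timothy Sipples describe above, where standard I/O needs both the data set permission and the key-label permission, while track-level copies (dump, migration, point-in-time copy) move ciphertext with the key label attached. The cipher is a stand-in keystream, the authorization checks are simplified, and every class, user, data set and key-label name is constructed.

```python
import hashlib
import hmac
from collections import namedtuple

# key_label travels with the data set; tracks is what is stored: ciphertext.
DataSet = namedtuple("DataSet", "name key_label tracks")


class SecurityViolation(Exception):
    pass


def stand_in_cipher(key, data):
    # Stand-in for the real data set cipher (model only): XOR with an
    # HMAC-SHA256 counter keystream, so the same call encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


class ModelSystem:
    def __init__(self):
        self.ckds = {}         # key label -> key material (the key store)
        self.dataset_acl = {}  # data set name -> users allowed to read it
        self.csfkeys_acl = {}  # key label -> users permitted to the key
        self.stgadmin = set()  # users with storage administration authority
        self.catalog = {}      # data set name -> DataSet

    def allocate(self, name, key_label, cleartext):
        tracks = stand_in_cipher(self.ckds[key_label], cleartext)
        self.catalog[name] = DataSet(name, key_label, tracks)

    def open_read(self, user, name):
        # Standard access method: both locks must open before decryption.
        ds = self.catalog[name]
        if user not in self.dataset_acl.get(name, set()):
            raise SecurityViolation(f"{user}: no access to data set {name}")
        if user not in self.csfkeys_acl.get(ds.key_label, set()):
            raise SecurityViolation(f"{user}: no access to key {ds.key_label}")
        return stand_in_cipher(self.ckds[ds.key_label], ds.tracks)

    def dump(self, user, name):
        # Track-level copy: the bits are returned as-is, label included.
        if user not in self.stgadmin:
            raise SecurityViolation(f"{user}: not a storage administrator")
        return self.catalog[name]

    def restore(self, user, image):
        if user not in self.stgadmin:
            raise SecurityViolation(f"{user}: not a storage administrator")
        self.catalog[image.name] = image


def build_demo():
    # All names, users and data below are constructed for this example.
    s = ModelSystem()
    s.ckds["DEMO.KEY01"] = b"constructed-demo-key"
    s.allocate("PROD.PAYROLL.DATA", "DEMO.KEY01", b"salary=12345")
    s.dataset_acl["PROD.PAYROLL.DATA"] = {"PAYAPP", "AUDITOR"}
    s.csfkeys_acl["DEMO.KEY01"] = {"PAYAPP"}
    s.stgadmin = {"STGADM"}
    return s


if __name__ == "__main__":
    s = build_demo()
    image = s.dump("STGADM", "PROD.PAYROLL.DATA")
    print("dump image:", image.tracks.hex(), "label:", image.key_label)
    print("PAYAPP reads:", s.open_read("PAYAPP", "PROD.PAYROLL.DATA"))
    for user in ("AUDITOR", "STGADM"):
        try:
            s.open_read(user, "PROD.PAYROLL.DATA")
        except SecurityViolation as exc:
            print("violation:", exc)
```

AUDITOR holds the data set permission without the key and STGADM holds neither, so both are refused cleartext, yet STGADM can still dump and restore the data set.
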
Dana Mitchell
2017-09-12 13:16:41 UTC
Post by Tom Conley
FWIW,
I signed on to my IBM id with the Jack-Squat service offering, and it
brought up an SR. Did not fill it out, so no idea what would happen....
Regards,
Tom Conley
I can confirm that it does indeed work, http://www.ibm.com/support to open a new SR and manage existing ones. I have been doing it that way for years for IBM i and z problems with no softwarexcel.

Dana

Jousma, David
2017-09-12 13:54:15 UTC
I *thought* SoftwareXcel got you the ability to open Q&A PMR's, and Premium response on non-sev1 PMR's. Am I incorrect? I've used both, especially Q&A for how to questions. I've sparingly used Premium response for non-sev1 problems that I needed (or wanted) service on immediately.

_________________________________________________________________
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
***@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Dana Mitchell
Sent: Tuesday, September 12, 2017 9:18 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: SoftwareXcel Discontinued

Post by Tom Conley
FWIW,
I signed on to my IBM id with the Jack-Squat service offering, and it
brought up an SR. Did not fill it out, so no idea what would happen....
Regards,
Tom Conley
I can confirm that it does indeed work, http://www.ibm.com/support to open a new SR and manage existing ones. I have been doing it that way for years for IBM i and z problems with no softwarexcel.

Dana

Tom Marchant
2017-09-12 13:45:28 UTC
http://www.vm.ibm.com/service/zmatrix.pdf
--
Tom Marchant

Ed Jaffe
2017-09-12 14:47:06 UTC
Post by Tom Marchant
http://www.vm.ibm.com/service/zmatrix.pdf
Awesome reference, Tom! I was informed just yesterday that we have S/390
Resolve rather than SoftwareXcel Basic.

That got me scratching my head as to what the differences were.
According to this chart, they are functionally identical offerings!

Probably one was offered to "Big Iron" customers and the other to
"Little Iron" customers or something like that. We pay for just a single
seat.

In a few months we'll be "free wheeling" without a service subscription
of any kind. That should be ... ahem... interesting...
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

Dyck, Lionel B. , TRA
2017-09-12 14:49:39 UTC
Be aware that only SoftwareXcel Basic is being discontinued - Enterprise is untouched (for now)

--------------------------------------------------------------------------
Lionel B. Dyck
Mainframe Systems Programmer - TRA

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Ed Jaffe
Sent: Tuesday, September 12, 2017 9:48 AM
To: IBM-***@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: SoftwareXcel Discontinued
Post by Tom Marchant
http://www.vm.ibm.com/service/zmatrix.pdf
Awesome reference, Tom! I was informed just yesterday that we have S/390 Resolve rather than SoftwareXcel Basic.

That got me scratching my head as to what the differences were.
According to this chart, they are functionally identical offerings!

Probably one was offered to "Big Iron" customers and the other to "Little Iron" customers or something like that. We pay for just a single seat.

In a few months we'll be "free wheeling" without a service subscription of any kind. That should be ... ahem... interesting...

--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

Ed Jaffe
2017-09-12 15:08:52 UTC
Post by Dyck, Lionel B. , TRA
Be aware that only SoftwareXcel Basic is being discontinued - Enterprise is untouched (for now)
https://www.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/8/897/ENUS917-128/index.html

According to the announcement (see link above), all four offerings are
being withdrawn effective November 16, 2017.

o SoftwareXcel enterprise edition for zSeries (6942-77E)
o SoftwareXcel basic edition for zSeries (6942-77G)
o Alert for zSeries (6942-16D)     November 16, 2017
o Resolve for zSeries (6942-23D)     November 16, 2017

Indeed, our current offering is "Resolve for zSeries" (not Software Xcel
Basic Edition as originally thought) and we received a letter from IBM
indicating our support contract was being terminated at its next
anniversary.
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

Tom Marchant
2017-09-12 14:56:02 UTC
Post by Ed Jaffe
Post by Tom Marchant
http://www.vm.ibm.com/service/zmatrix.pdf
Awesome reference, Tom!
It was about the third hit in a duckduckgo search for softwarexcel.
Post by Ed Jaffe
I was informed just yesterday that we have S/390
Resolve rather than SoftwareXcel Basic.
That got me scratching my head as to what the differences were.
According to this chart, they are functionally identical offerings!
except for "Electronic 'usage' Q&A with Severity"
--
Tom Marchant

Ed Jaffe
2017-09-12 15:14:31 UTC
Post by Tom Marchant
Post by Ed Jaffe
That got me scratching my head as to what the differences were.
According to this chart, they are functionally identical offerings!
except for "Electronic 'usage' Q&A with Severity"
Oh yes, I missed that!

Timothy Sipples had indicated earlier that the primary difference
between the unpaid and paid offerings was the existence of "how to"
support. Obviously, that's not the case. Those of us with "Resolve" have
an offering identical to SoftwareXcel without the "how to" part...
--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/

Peter Relson
2017-09-12 15:02:05 UTC
Post by Nightwatch RenBand
Again, Barry Merrill shows he is one smart guy.
FWIW,
Donald Knuth had a similar offer in place for his valued tomes, in the
70's when I was in college.
He'd send a check for any error that you were the first to find. No one
would cash the check because we'd rather have the "badge of honor".
Probably made it difficult to keep the checking account balanced.

Peter Relson
z/OS Core Technology Design


Paul Gilmartin
2017-09-12 16:43:56 UTC
Post by Peter Relson
FWIW,
Donald Knuth had a similar offer in place for his valued tomes, in the
70's when I was in college.
He'd send a check for any error that you were the first to find. No one
would cash the check because we'd rather have the "badge of honor".
Probably made it difficult to keep the checking account balanced.
Reportedly, Picasso paid for small purchases with checks whenever possible.
Many went uncashed.

Similar legends about Dali abound.

-- gil
