Tuesday, December 16, 2014

Security Bulletin: POODLE vulnerability in SSLv3 affects IBM Explorer for z/OS and IBM CICS Explorer

Here's a security bulletin. I'm taking over some of its content. Just take a look over here for all the details, workarounds and mitigations.

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. This vulnerability affects all versions of IBM Explorer for z/OS and IBM CICS Explorer.

Vulnerability Details

CVE ID: CVE-2014-3566

DESCRIPTION: IBM Explorer for z/OS and IBM CICS Explorer could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability by using a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

This vulnerability affects all versions of IBM Explorer for z/OS and IBM CICS Explorer.

Monday, October 27, 2014

Recent security vulnerabilities

OK, I admit, you haven't heard much of me lately but I've been too busy with other stuff that was not all that mainframe related. Still, I couldn't help noticing that there were quite some security issues lately. So, I thought I'd put up a couple of links that might be helpful. And I hope I'll find the time to blog a little more again from now on.

  • Security Bulletin: Vulnerability in SSLv3 affects IBM Virtualization Engine TS7700 (CVE-2014-3566)
    SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM Virtualization Engine TS7700.
  • Security Bulletin: Vulnerability in SSLv3 affects TS3500 (CVE-2014-3566)
    SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in TS3500.
  • Security Bulletin: POODLE vulnerability in SSLv3 affects IBM Explorer for z/OS and IBM CICS Explorer (CVE-2014-3566)
    SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. This vulnerability affects all versions of IBM Explorer for z/OS and IBM CICS Explorer.
  • Security Bulletin: A Security vulnerability has been discovered in Apache Struts which impacts the DS8000 GUI (CVE-2014-0114)
    A security vulnerability has been discovered in Apache Struts which impacts the DS8000 GUI



Tuesday, September 16, 2014

Master the Mainframe contest - BeNeLux edition

I ventilated my 'annoyance' you might say, a couple of times because the Master the Mainframe contest was (apart from one time) never held in Belgium or in the BeNeLux. But here it is now. I'm taking over some of the content of the site.

"In the Fall semester of 2014, IBM is running its annual Master the Mainframe Contest for University College students across Belgium, Netherlands and Luxembourg.
No experience with Mainframes is necessary. In fact, the contest is designed for students with little or no Mainframe experience, with increasing difficulty as the contest progresses. Students just need to bring drive, curiosity and enthusiasm! (...) Anyone who is currently a student at the university or college level can compete (18 years of age or older)".

Registration opens on September 19th! That's next Friday. The contest runs from October 20th until January 14th.

Friday, August 22, 2014

Hot Topics Newsletter - Issue 28

The good part : there's a new Hot Topics newsletter and it's stuffed with good articles. The bad part : it's clear now that there will be only one release per year. Be tempted, good people of the newsletter, to give us a February release again as well ! You can download the new issue over here and although I see Facebook more as a medium for private matters, Hot Topics thinks otherwise and you can keep up to date with them on Facebook as well.

As I said, it's stuffed with good articles. The focus is on z/OS 2.1 and on the role of the mainframe in the world of CAMS(S) : Cloud, Analytics, Mobile, Social and Security. Let me pick out just a few, but by all means, do read the rest as well.
There's a good summary about 'System z in a mobile world', with in particular a closer look at the role of CICS and DB2.
z/OSMF seems like it's here to stay : we learn about some APIs like e.g. the z/OSMF Jobs Interface (aka SubmitAPI) and there's a good introduction to 'z/OSMF Resource Monitoring-Reloaded'.
'Not all quiet on the consoles front' tells us about the possibility "to allow consoles to be dynamically added and deleted".
There's an intriguing (to me at least) article on z/OS Fixed Block Architecture services with z/OS Distributed Data Backup (zDDB). Let me give you a little quote :
"z/OS Distributed Data Backup (zDDB) is a no-charge licensed feature. When you install zDDB on DS8000 devices, distributed host systems that are attached through Fibre Channel connection (FICON®) interfaces can access logical unit number (LUN) devices containing fixed block data. Typically, FBA LUN devices are connected to Linux®, Windows®, and UNIX® operating systems.
With zDDB, two views of the disk devices are presented, one for z/OS and one for the distributed system, as shown in Figure 2."
Here's this Figure 2

There's also a great deal of attention to the new z/OS 2.1, its migration and to recent innovations like zAWARE, zEDC, the RoCE card and so on.

So, as I always say, just check it out !

Monday, August 18, 2014

Red Alert - z/OS 2.1 DFSORT records out of sequence

I know I'm a bit late with this one but I still want to mention it, just in case you might've missed it.

Red Alert : z/OS 2.1 DFSORT records out of sequence

Abstract:

There is a potential exposure for out of sequence records with DFSORT for users on release z/OS 2.1.

Description:

At z/OS 2.1 code levels, DFSORT is intermittently returning records out of sequence. There is no data loss, but records may be returned out of sequence to the DFSORT output file. If VERIFY=YES is set at the installation level, out of sequence conditions are already being detected. This problem only occurs in z/OS 2.1. No prior releases of DFSORT are affected.

Please see APAR PI22817 for more details and latest information.

Users affected :

All z/OS 2.1 DFSORT (HSM1L00) users who SORT data with DFSORT using the performance path may be affected if there is insufficient virtual storage below the line at the time of execution. In other words the potential for error exists for all users of DFSORT SORT function on z/OS 2.1, but not all users will experience the problem.

Recommended Actions:

Enable VERIFY=YES at the installation level to detect out of sequence conditions. Affected jobs can be rerun with DEBUG $NOPFP$ to circumvent the issue.

In addition, a ++APAR is available to disable the affected performance path, as a temporary circumvention, using a new DFSORT installation option.

See APAR PI22817 for details. 


If you haven't signed up to the Red Alerts by now, you really should do it. Just go over here.

Wednesday, July 16, 2014

Get started with the IBM Mobile Workload Pricing for z/OS

A couple of months ago I wrote about the announcement of the new Mobile Workload Pricing mechanism for z/OS. I also told you that this was going GA in July but so far I didn't see much of it on the IBM Software Pricing page I usually turn to when I'm looking for information on z/OS pricing.

So I started asking about a bit and David Chase from IBM who gave such a clarifying presentation about the topic during the System z Technical University in Budapest pointed me in the right direction. And yes, the Users Guide and the tool itself are already online. You can find the 'IBM Mobile Workload Tool' (mwrtool.exe) over here. And the 'IBM Mobile Workload Reporting Tool Users Guide' can be found over here. The Users Guide explains step by step how you have to set up the tool (on a Windows 7 64-bit), how you collect the necessary input, how you use the tool and how you submit your report to IBM.

Of course there's a bit more to this. Before you can start submitting the report be sure that you fulfill the requirements. Have a look at my previous post and the announcement to refresh your memory. And then there remains one more question : how do you separate the mobile workload from the rest. This will of course be different per customer. As a matter of fact, you are the only one who knows your shop and can determine this. And this is exactly how it will be done. You will make up a list of your mobile workload and how you can trace it. This will be the basis for an agreement you sign with IBM after a meeting with your IBM representative.

Then one more thing : what will be the benefits ? This is how I understand it for the moment. Suppose you have an LPAR running z/OS and CICS reporting 400 MSU for billing purposes. You will measure the CICS usage and let's say this is 200 MSU. The mobile part of that is e.g. 50% of that 200 MSU. You can subtract 60% from that mobile use. 60% of 100 MSU is 60 MSU so you keep 40 MSU for your mobile workload. 100 MSU plus 40 MSU means you keep 140 MSU of the original 200 MSU. But here comes the beautiful part of the system. You can subtract the 60 MSU from your billing total. So, of the originally reported 400 MSU you only keep 340 MSU for that partition. So where SCRT calculated the Rolling 4-Hour Average, MWRT will make an adjustment to that. As a matter of fact, MWRT will make this adjustment by the hour and then calculate a new Rolling 4-Hour Average. This also implies that it's not only e.g. CICS that benefits from this pricing but z/OS and other software as well.

So, as I said in the title of the post : Get Started !

Thursday, June 26, 2014

Exit Lifecycle Extension - Enter Extended Support

In our last newsletter I already mentioned that after z/OS 1.11 there would no longer be the possibility to get Lifecycle Extension support. And you also know that z/OS 1.12 is Out of Support by the end of September. Up to now we only saw some graphs indicating that after the End of Support, you would immediately get into 'Extended Support', as you can see below.


Now there's an announcement making this official 'IBM Software Support Services - service extension offers defect support for IBM z/OS V1.11 and V1.12 beyond the z/OS end-of-service date (ZS14-0025)'. It's a "fee-based corrective service to users who have not completed their migration to a newer z/OS release" for a period of 3 years. z/OS 1.11 is an exception as it gets only 2 years after the Lifecycle Extension period.

As for the content : "IBM Software Support Services - service extension provides corrective service (a fix, bypass, or restriction to a problem) for your z/OS V1.11 and V1.12 operating systems". The ordering pretty much resembles that of the Lifecycle Extension : "Service extension support for both V1.11 and V1.12 requires a minimum three-month purchase and offers flexibility in support of your individual migration plans, either for single machines or for machines configured within a Parallel Sysplex".

Wednesday, June 18, 2014

BMC Intelligent Capping for zEnterprise and MLC pricing

I don't really have a habit of putting third party software in the spotlights but this one caught my attention, so I thought I might give you the heads up as well. I don't think I have to tell you a lot about the challenges companies are facing when it comes to MLC pricing - on whatever level through the organisation.

There's a nice video about the product but I don't know how to embed a FlashPlayer video, so click here to go and see it. It's actually quite nice with references to some sci-fi series I kind of like. A clue about the series ? If you implement this you'll live long and prosper. But let's get back to the product itself. I quote the description from the datasheet.
"BMC Intelligent Capping for zEnterprise dynamically automates and optimizes defined capacity settings to help lower mainframe MLC costs by 2 percent to 5 percent or more, while mitigating risk to the business. The solution analyzes, simulates, and automatically manages changes to defined capacity settings based on workload profiles, enabling IT staff to confidently lower costs. BMC Intelligent Capping for zEnterprise removes the manual effort from managing capping limits, while optimizing capacity usage across LPARs. The solution dynamically aligns workload allocations based on utilization needs, workload importance, and customer policy profiles".
Some features to make it a bit clearer ?
  • "Capacity management – Adjusts capacity across LPARs and WLM capacity groups intelligently and automatically
  • Zero balancing – Balances any increase in a capping threshold necessitated by a high-priority workload with an equivalent decrease in other LPARs or WLM groups with excess capacity
  • Minimal implementation risk – Offers gradual automation and control of capacity settings with three modes: Observe, Message, and Manage
  • Audit logs – Enable you to see exactly what changes are recommended and actions that are implemented over time"
Looks like an interesting product to me. If you want more information you can start over here or contact your local BMC representative. And before you ask, no, I have no commercial links to BMC. Just passing on information which I think might be interesting to System z shops . . .

Monday, June 16, 2014

Tapeless initial installation of z/VSE

If I'm not blogging that much about z/VSE, then there's a good reason for that. There's someone doing such a great job in this area that I can barely, or rather I cannot, add anything useful to it. I said this before, you have the retweet function in Twitter but there should be something like a reblog function too. I'd reblog quite a few of Ingolf's z/VSE Blog. If you haven't discovered this one yet, add it to your must follow blogs now.

This is how I came across this next Live Virtual Class or Webcast on z/VSE. It's on June 24, 2014 at 9AM Brussels time.
"This LVC provides an overview on how to perform tapeless initial installation of z/VSE - a feature introduced with z/VSE 5.2. It covers how to create a z/VSE installation disk in LPAR and under z/VM and how to perform initial installation from such an installation disk in both environments".
I'm mentioning this nonetheless because you should also take a look at the future Live Virtual Classes. There's a 'Z/VSE for beginners' planned at a later date, so be sure to stay tuned.

And while I'm at it, I would also like to mention another event : the 8th European GSE/IBM Technical University for z/VSE, z/VM and Linux on System z which is taking place in Dresden, Germany from October 20 until October 22, 2014. You can find more information over here.

Wednesday, June 11, 2014

Sampling Techdocs - up to May 2014

Here I am again with an overview of interesting TechDocs documents I came across while browsing through the latest publications. If you're completely unfamiliar with Techdocs, here's an introduction to it.
  • FAQ : z/OS 2.1 Frequently Asked Question
    This FAQ is a collection of questions that were raised by customers during several presentations on z/OS 2.1 that have been answered by subject matter experts. Too many diverse topics to sum them all up, so just have a look.
  • Technical Document : IBM drives to Storage Systems cheat sheet
    I'm sure I mentioned this one before but here's an update on this one-pager showing the currently offered drive types for current IBM Storage Systems including of course DS8000 and XIV.
  • Tool : IBM Storage Tier Advisory Tool Charting Utility
    You surely know about the DS8000 Storage Tier Advisor Tool (STAT). Data from the monitoring process by Easy Tier is included in a summary report that you can download to a Windows system. The STAT application allows you to view the data when you point your browser to that file. Now - on top of this - the Charting Utility does exactly what its name says. This Utility will format some of the data provided and create charts like
    • Skew Chart - Workload activity by percentage of capacity
    • Movement Chart - Easy Tier data movement activity
    • Workload Chart - Capacity utilization by extent pool
  • Technical Document : IBM System Storage Easy Tier Quick Start
    Ok, ok, I'm cheating a bit here, this one is not on Techdocs but I came across it while following a link on the charting utility. "This publication introduces the IBM® System Storage Easy Tier Quick Start, which helps you get started with Easy Tier functions using the IBM System Storage DS Storage Manager". If you have to set up Easy Tier, this is a document you're surely going to like.
Well that's it for now. And, as I always say : just check them out !

    Friday, June 6, 2014

    Upcoming GSE meetings Belgium

    You know it's difficult to report on each and every interesting meeting that passes by, so I surely missed some in the past but here are three upcoming GSE meetings with very promising agendas :

    • Wednesday June 11, 2014 : z/OS Working Group Meeting at RealDolmen Huizingen
      This is an all-day event that also includes a couple of customer testimonials, which we always like of course. Topics are OMEGAMON @ Colruyt by Geert Lips (Colruyt), Access the Mainframe: Anywhere, Anytime, Any Device by SysperTec with customer testimonial from P&V Verzekeringen, Fulfilling Retail Expectations with Mobile - a UK customer case by Bart Gyselinck (IBM), The Evolution of Analytics and Big Data Integration on System z by Eric Michiels (IBM).
      Information and registration
    • Thursday June 12, 2014 : DB2 Working Group Meeting at IBM Forum Brussels
      This is also an all day event with a track for DB2 on z/OS and one for DB2 LUW.
      "During the DB2 for z/OS break-out sessions we explore some of the topics that DB2 11 is bringing. Some of the changes with the biggest impact will be thoroughly explained by DB2 expert Timm Zimmermann, and our own Bart Steegmans.
      In the DB2 for LUW break-out sessions, Dirk Coppieters and Frederik Engelen present on migrating from Oracle to DB2 and using Ansible for DB2 configuration management. You also have the opportunity to get answers to all your burning questions from the DB2 for LUW Experts panel.
      Is the next stage of Information Technology one without SQL? Kris Van Thillo lets you take the first plunge into NOSQL databases during our closing session."
      Registration here or here.
    • Friday June 20, 2014 : Enterprise Systems Security z/OS meeting at KBC Brussels
      Several sessions about/by The Rocket Software Company, Improving the Integration between Distributed Security and CICS (Nigel Williams - IBM), Secrets of IMS Security and Surviving an IMS Security Audit (Maida Snapper - IBM). Scroll down to the end of the registration page to find the agenda in .pdf.
      Information and registration

    Tuesday, May 27, 2014

    IBM Benelux System z Study Tour USA 2014 Edition

    Hans Deketele from IBM Belgium is planning another IBM Benelux System z Study Tour USA. The tour usually takes you to Poughkeepsie and the agenda contains Lab visits, Reference companies, Premium speakers, Cutting edge technology, System z trends & directions ...

    Here's his invitation to the Benelux customers
    "Dear customer,

    In the year of the Mainframe 50 event the focus is heavily on the IBM System z and of course we are again planning a System z Study Tour to the US, probably in early October.
    Maybe you already joined us in one of the previous tours or maybe you always wanted to but never did: this is an early message that we have started planning for the next edition of this event.

    Please reply to this email before May 30 if you are interested to join us. Of course this is by no means a commitment that you will actually be able to join.

    We plan the tour to be all about System z and the relevant software that you need to generate success in the areas of Cloud, Analytics, Mobile, Social, Security, Linux, Storage..."
    So, just send an email to Hans if you're interested or you can always contact me too of course.

    Friday, May 23, 2014

    Reminder : Hardware End of Marketing for z196 and z114

    I wrote about this in a previous post along with the announcement of the zBC12, but I think a quick reminder may be in place. Last year IBM announced the two-phase end of marketing dates for the z196 and the z114.

    A little recap
    • June 30, 2014
      Past this date any upgrades towards a z196 or a z114 will no longer be possible. Nor will you be able to do any model conversions or hardware MES features. Roughly speaking this means that any upgrade which involves hardware changes will no longer be possible. The practical consequences mainly involve connectivity cards and memory. Up to June 30, 2015 you will still be able to activate that zIIP or an IFL or do a microcode upgrade (as long as you don't need an extra book) or even a downgrade. But if that involves adding memory, FICON- or OSA-cards, which is not that imaginary, then you must add them before June 30, 2014. 
    • June 30, 2015
      "Field install features and conversions that are delivered solely through a modification to the machine's Licensed Internal Code (LIC) will continue to be available until June 30, 2015" meaning that everything which is already in the machine will be able to be activated during the next year like, as I already said, zIIPs, IFLs and Plan ahead Memory.
      Capacity on Demand and CBU offerings will be usable until their expiration date. Something to keep in mind when you're planning to use a z196 or z114 after June 2015.
    So, if you are not immediately planning an upgrade and you might have some extra workload(s) in the future, do your planning carefully in order to avoid any unpleasant surprises.

    Monday, May 19, 2014

    DS8870 announcement - Flash optimization II

    This is an announcement from last week : 'IBM DS8870 next-generation flash systems deliver high availability and better performance for critical environments (ZG14-0119)'. However last week I was at the IBM Technical University for System z in Budapest and I wanted to have a closer look at the announcement before writing about it. And, by sheer coincidence, this is the first time in my life that I actually saw the real machine before I even read the announcement as we visited the DS8000 plant while in Hungary.

    IBM fulfills an earlier statement of direction about the use of a "new high-density flash storage module for selected IBM disk systems, including the IBM System Storage DS8000". Now you might say : didn't they already announce an all flash box last year. Well, yes and no. They announced an all SSD box. Now you may argue again : isn't SSD the same as flash. Well, yes and no. It's more or less the same type of disks, or let's say, flash cards. Let's make a little detour to get a better understanding of this.
    IBM has its FlashSystem 840 for open systems which comes from a recent acquisition of Texas Memory Systems. It aims purely at performance and promises extremely high performance and extremely low latency. How does it reach that : well, by concentrating solely on getting the data as fast as possible without any software functionality or storage controller in between that does e.g. compression, deduplication . . . And that's, to me at least, the main distinction between what IBM calls Flash and SSD. As a result the announcement says "it will help to increase IOPS by up to 4 times as compared to SSDs and up to 30 times as compared to spinning drives".

    This is realized with new High Performance Flash Enclosures (HPFEs). This "high-performance flash enclosure is directly attached to the PCIe fabric, enabling increased bandwidth and transaction processing capability. The 1U enclosure contains a pair of powerful redundant RAID controllers".

    Here's a configuration with just HPFEs in the box.


    To the left side, you can see that 4 HPFEs fill the empty slot that was intentionally there from the beginning of the DS8870. ("Intentionally left blank" you might say). One enclosure contains 30 1.8'' flash drives of 400GB giving you a raw capacity of 12TB. If you only use the upper left slot for HPFEs, they can be combined with other types of disks in the regular disk slots.

    The box you see here is an "all-flash, single rack system configured with only flash and up to 96 TB of capacity (73.6 TB of usable capacity) in a 8U of space". This all flash box also "provides twice as many I/O enclosures and up to twice as many host adapters as the standard DS8870 single frame configuration" See the extra host adapters in the green square.

    Let me also give you a brief summary of the other functionalities that were announced :
    General availability : June 6, 2014. Some field availability is only in September.

    Tuesday, May 6, 2014

    IBM Mobile Workload Pricing for z/OS

    Today IBM officially announced the pricing mechanism it already revealed during the April 8 z Anniversary event : 'IBM Mobile Workload Pricing for z/OS can reduce the cost of growth for mobile transactions (ZP14-0280)'. Before giving you the details I'd like to share this video about the First National Bank of South Africa because it illustrates so clearly what mobile is all about.



    Combining mobile and mainframe is answering some real concerns or requirements of companies and people using the applications. Mobile is a rapidly growing market generating lots of transactions on lots of data. And as you could see in the video the data must always be up to date. We can no longer afford to offer copies of data, so what's better than to incorporate mobile with the company's primary data. Data that's residing on the mainframe . . . where it always has been.

    Now, this new pricing mechanism makes sure you're not penalized for following just that strategy. "This enhancement to sub-capacity reporting can mitigate the impact of mobile workloads on sub-capacity license charges, specifically in the cases where higher mobile transaction volumes may cause a spike in machine utilization. This can normalize the rate of transaction growth and reduce the reported peak capacity values used for sub-capacity charges".

    There are some prerequisites of course : it's limited to AWLC and AEWLC pricing which means to zEC12 and zBC12 or environments that have at least one zEC12 or zBC12. You also need to install a new reporting tool that will, in this case, replace SCRT : Mobile Workload Reporting Tool (MWRT). Its use, data collection and timing of reporting are very similar to SCRT. What's the difference ?
    "MWRT will calculate the 4-hour rolling average of the reported mobile transaction general purpose processor time consumed by the Mobile Workload Pricing Defining Programs and subtract 60% of those values from the traditional sub-capacity MSUs for all sub-capacity eligible programs running in the same LPAR(s) as the mobile workloads, on an hour-by-hour basis, per LPAR. The program values for the same hour are summed across all of the LPARs (and any z/OS guest systems running under z/VM®) in which the program runs to create an adjusted sub-capacity value for the program, for the given machine, for each hour. MWRT will determine the billable MSU peak for a given program on a machine using the adjusted MSU values".
    You can find all additional details in the announcement itself. And . . . you have some time to figure out how things work as MWRT becomes available on June 30, 2014 and the first report can be submitted as of July 2, 2014.
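
The hour-by-hour adjustment from the announcement quote above, which is also the arithmetic of the 400 MSU / 340 MSU case in the July 16 post, is worked through below as an added example; it is not IBM's MWRT and not code from the announcement. Hourly samples, the LPAR names and every MSU figure are constructed assumptions. It shows that the billable peak can move to an hour without mobile work, so the saving at the peak can be smaller than 60% of the mobile MSU.

```python
# Added illustration, not IBM's MWRT: hourly samples stand in for the real
# SCRT/MWRT interval data, and all MSU figures below are constructed.
MOBILE_DISCOUNT = 0.60   # share of mobile MSU subtracted (from the announcement)
WINDOW_HOURS = 4         # rolling 4-hour average


def rolling_avg(hourly, window=WINDOW_HOURS):
    """Rolling average over the last `window` hours (shorter at the start)."""
    out = []
    for i in range(len(hourly)):
        chunk = hourly[max(0, i - window + 1):i + 1]
        out.append(sum(chunk) / len(chunk))
    return out


def machine_hourly(lpars, discount=MOBILE_DISCOUNT):
    """Per-hour MSU for one program on one machine, summed over its LPARs.

    lpars maps an LPAR name to {"total": [...], "mobile": [...]}, hourly MSU.
    discount=0.0 gives the traditional (unadjusted) values.
    """
    hours = {len(s[k]) for s in lpars.values() for k in ("total", "mobile")}
    if len(hours) != 1:
        raise ValueError("all series must cover the same hours")
    machine = [0.0] * hours.pop()
    for name, series in lpars.items():
        total = rolling_avg(series["total"])
        mobile = rolling_avg(series["mobile"])
        for h, (t, m) in enumerate(zip(total, mobile)):
            if m > t:
                raise ValueError(f"{name}: mobile MSU exceeds total at hour {h}")
            machine[h] += t - discount * m   # adjust per LPAR, per hour
    return machine


def billable_peak(hourly):
    """Return (hour index, MSU) of the highest hourly value."""
    peak = max(hourly)
    return hourly.index(peak), peak


# Constructed day: PROD carries the mobile workload in hours 4-7 and reaches
# the July post's figures (400 MSU total, 100 MSU mobile) at hour 7;
# BATCH has no mobile work at all.
SAMPLE = {
    "PROD":  {"total":  [380, 380, 380, 380, 400, 400, 400, 400],
              "mobile": [0, 0, 0, 0, 100, 100, 100, 100]},
    "BATCH": {"total":  [50] * 8, "mobile": [0] * 8},
}

if __name__ == "__main__":
    before = machine_hourly(SAMPLE, discount=0.0)
    after = machine_hourly(SAMPLE)
    print("traditional peak:", billable_peak(before))
    print("adjusted peak:   ", billable_peak(after))
    for h, (b, a) in enumerate(zip(before, after)):
        print(f"hour {h}: {b:6.1f} -> {a:6.1f}")
```
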