SPARTA News




August 2019


SPARTA President’s Corner

contributed by Randy Springs



This month marks another release of z/OS – V2.4, with new features and opportunities for system improvements and security. We should hear more about it at our September meeting when Ed Webb presents his SHARE update. At my company, we are continuing to plan for an upcoming merger, which means new people on our mainframe team and new challenges as we merge existing systems and expand our hardware platform.

Our speaker this month will be Marianne Eggett of Mainline talking about System Z IFLs and x86 hardware.

Your SPARTA group still needs a volunteer to replace Pam Tant as treasurer. This position would involve about two hours per month. Please consider serving and talk to me about the position.

Please plan to join your colleagues for BarBQ, networking, and education on Tuesday, August 13, at 6:15 p.m. at our usual LabCorp location in RTP. This meeting was rescheduled to avoid conflicts with SHARE attendees during the first week of August.

Randy Springs
BB&T



Future Speakers

(subject to change)


August 13, 2019 (Special date) - System Z IFLs vs. x86 for Linux applications by Marianne Eggett of Mainline


September 10, 2019 - SHARE 2019 Pittsburgh Reports


October 1, 2019 - To Be Announced


We need ideas and volunteers for future speakers. Presentations don’t have to be fancy, just informative and interesting. Even a 5 or 10 minute talk can start an interesting interaction. Contact Ron Pimblett by phone as noted below.



2019-2020 SPARTA

Board of Directors


Randy Springs - President

BB&T                  (919) 745-5241

3200 Beechleaf Court, Suite 300

Raleigh, NC 27604


Ron Pimblett - Vice President

MDI Data Systems

Land line 613 599 6970

Mobile 613 981 6919

190 Guelph Private

Kanata, ON K2T 0J7


Chris Blackshire - Secretary

Retired (Dell, Perot Systems, Nortel)  (919) nnn-nnnn

street

Durham, NC 27713


Randy Springs - (Acting) Treasurer

BB&T                  (919) 745-5241

see Randy Springs earlier


Ed Webb -  Communications Director

Retired (SAS Institute Inc.)  (919) nnn-nnnn

street

Apex, NC 27523


Mike Lockey -  Web Master

Guilford Co. Information Services  336-641-6235

201 N. Eugene St.

Greensboro, NC 27401



Meetings


Meetings are scheduled for the first Tuesday evening of each month (except no meeting in January), with optional dinner at 6:15 p.m. and the meeting beginning at 7:00 p.m.


These monthly meetings usually are held at LabCorp’s Center for Molecular Biology and Pathology (CMBP) near the Research Triangle Park (see last page). Take I-40 to Miami Boulevard and go north. Turn right onto T.W. Alexander Drive. Go about a mile or so. Then turn right into the LabCorp complex and turn left to the CMBP Building (1912 T.W. Alexander Drive). In the lobby, sign in as a visitor to see Bill Johnson. Bill will escort you to the conference room.


Call for Articles


If you have any ideas for speakers, presentations, newsletter articles, or are interested in taking part in a presentation, PLEASE contact one of the Board of Directors with your suggestions.


Newsletter e-Mailings


The SPARTA policy is to e-mail a monthly notice to our SPARTA-RTP Group. The newsletter is posted to the website about five (5) days before each meeting so you can prepare. The SPARTA-RTP Group is maintained by Chris Blackshire; if you have corrections or problems receiving your meeting notice, contact Chris at chrisbl@nc.rr.com.


April 2019 “CBT Tape” Shareware Online


The directory and files from the latest CBT tape V497 (dated April 29, 2019) are available from www.cbttape.org.


If you need help obtaining one or more files, contact Ed Webb (see the Board of Directors list for contact info).


Minutes of the July 9, 2019 Meeting


• The meeting was called to order at 7:00 PM by Randy Springs, the SPARTA President.


• The meeting was held at a LabCorp conference room in RTP, N.C.


• Twelve (12) people were present.


• Everyone introduced themselves, told where they worked, and briefly described their job functions or their job hunting challenges.


OLD BUSINESS


• The minutes of the June 4, 2019 meeting as published in the July 2019 Newsletter were approved.


• The June 30, 2019 Treasurer's report was approved as published in the July 2019 Newsletter. As of 06/30/2019, the current balance was $1,371.92.


• Call For Articles: Articles are needed for this newsletter. If you would like to write an article for this newsletter, please contact Ed Webb. Keep in mind that you don't really need to write the article; it can be an article that you read and would like to share with the membership.


• The SPARTA Web page is available. To access the SPARTA Web page, point your Web browser to this site: http://www.spartanc.org. Please send any comments or suggestions about the Web page to Mike Lockey. Be sure to check the Web page every once in a while to see any new or changed information.


• Randy reminded everyone to leave the LabCorp conference room clean.


• 2019 meeting dates, Future Speakers and Topics (subject to change based on internal politics, budget, the weather):


| Date | Company | Speaker | Topic |
|---|---|---|---|
| August 13, 2019 | Mainline | Marianne Eggett | System Z and x86 |
| September 10, 2019 | Retired from SAS | Ed Webb | SHARE 133 Update (Pittsburgh, Aug 4-9, 2019) |
| October 1, 2019 | TBD | TBD | TBD |
| November 5, 2019 | TBD | TBD | TBD |
| December 3, 2019 | TBD | TBD | TBD |


If you have suggestions about speakers and topics, contact Ron Pimblett.

• The next SPARTA monthly meeting will be on Tuesday, August 13, 2019 at Labcorp in RTP.

• Food for the August 13 meeting will be BarBQ (note the meeting date change from the August 6 week).

• The 2019 membership fee is due ($30) starting in February 2019. Please pay Randy Springs.

• Thanks to LabCorp and Bill Johnson for hosting the meeting.

• There are currently 92 people on the SPARTA-RTP e-mail list.

• Send any e-mail address changes to Chris Blackshire so he can update the SPARTA-RTP Listserv. You will be added by the moderator (Chris = SPARTA-RTP-owner@yahoogroups.com) sending you an invitation to Join the list.

• No update from Randy Springs on the SPARTA website connection to LinkedIn.

• No update from Chris on the process of putting a package together for Brad Carson, Tommy Thomas, and John Bryan's SPARTA contributions and death information on the web page under a new Emeritus section.

• No update about whether SPARTA needs to change the website to HTTPS access.

• Randy Springs is looking for a new Treasurer volunteer. He projects about 2 hours per month is needed.

- The treasurer position duties are:
- - Collect dues and pay expenses at each monthly meeting.
- - Deposit income at the BB&T bank monthly.
- - Make an updated monthly excel income-expense list for the monthly newsletter.
- - Give a Treasurer report at each meeting.
- - One Time: Be added to the checking account authorization.
- Contact Randy Springs if you are interested.

• LabCorp Meeting Place Update from Bill Johnson: move dates are undetermined.

NEW BUSINESS

• Due to the date conflict with the SHARE in Pittsburgh, a motion was made and approved to change the August 6 meeting to August 13.

• July 8, 2019 - CICS turned 50 years old.

• July 9, 2019 - Ross Perot, the founder of EDS (Electronic Data Systems) died at age 89.

• The Business portion of the meeting ended about 7:37 PM.

Presentation Topic: z/OS Network Security

By Chris Meyer, CISSP, z/OS Network Security Architect at IBM

Agenda

Overview
-- Roles and objectives
-- Deployment trends and requirements
Policy-based Network Security
-- Application Transparent TLS
-- IP security (IP packet filtering and IPSec)
-- Intrusion Detection Services (IDS)
z/OS Encryption Readiness Technology (zERT)
SAF Protection of TCP/IP Resources – SERVAUTH class
Summary

Note - Chris resumed from his June 4 Presentation after the zERT section (slide 34)

SAF protection: SERVAUTH class resources
- The SERVAUTH resource class is used to specifically define and protect a number of TCP/IP unique resources
- General SERVAUTH profile format:
- - EZB.resource_category.system_name.jobname.resource_name
- - - EZB designates that this is a TCP/IP resource
- - - resource_category is a capability area to be controlled e.g. TN3270, Stack Access, etc.
- - - system_name is the name of the system (LPAR) - can be wild-carded (*)
- - - jobname is the jobname associated with the resource access request - can be wild-carded (*)
- - - optional resource_name - one or more qualifiers to indicate name of resource to be protected - can be wild-carded (*)
- To protect one of the supported TCP/IP resources, define a SERVAUTH profile with universal access NONE and then permit authorized user IDs to have READ access to that profile
- If using OEM security packages, beware of the differences between defined/not defined resource actions
- All the "traditional" SAF protection of datasets, authorized MVS and z/OS UNIX functions, etc. on a z/OS system applies to TCP/IP workload just as it applies to all other types of workload.
- Be careful with anonymous services such as anonymous FTP or TFTP services that can be configured to allow unauthenticated users access to selected MVS data sets and/or HFS files.

SAF protection: STACKACCESS
- Limits local users’ ability to open sockets or use TCP/IP stack services (e.g., get hostname, get hostid, etc.)
- Access to stack via sockets is allowed if the user has access to the following SERVAUTH class SAF resource:
- - EZB.STACKACCESS.sysname.stackname
- Define stack profile with UACC(NONE) and permit groups or individual users to allow them access to the stack
- In the example, TSOUSR1 and TSOUSR2 are not permitted to use TCPIPA
- - EZB.STACKACCESS.*.TCPIPA
- - - WEBSRV permitted, all others not

SAF protection: NETACCESS
- Controls local user’s access to network resources
- - bind to local address
- - send/receive IP packets to/from protected zone
- - Network
- - Subnet
- - Individual host
- - - (Note that firewalls can’t distinguish between individual users)
- Access to security zone is allowed if the user has access to the SERVAUTH class SAF resource associated with the zone:
- - EZB.NETACCESS.sysname.stackname.zonename
- NETACCESS statement in TCP/IP profile defines security zones. For example, stack B may have:
- - NETACCESS INBOUND OUTBOUND
- In the example, TSOUSR2 is not permitted to network security zone C
- - EZB.STACKACCESS.*.TCPIPA
- - - WEBSRV permitted, all others not
- - EZB.PORTACCESS.*.TCPIPA.WEBPORT
- - - WEBSRV permitted, all others not
- - EZB.NETACCESS.*.TCPIPB.ZONEC
- - - TSOUSR1 permitted, all others not

SAF protection: PORTACCESS
- Limits local users’ access to non-ephemeral ports
- Controls whether a started task or userid can establish itself as a server on a given TCP or UDP port.
- Access to use port is allowed if the user has access to the following SERVAUTH class SAF resource:
- - EZB.PORTACCESS.sysname.stackname.SAFname
- SAF keyword on PORT or PORTRANGE statement in TCP/IP profile defines SAF resource name.
- - For example, stack A may have: PORT 80 TCP * SAF WEBPORT
- RESERVED keyword on PORT or PORTRANGE statement prohibits access for all users.
- In the example, only userid WEBSRV is permitted to establish itself as a server on port 80 on stack TCPIPA
- - EZB.STACKACCESS.*.TCPIPA
- - - WEBSRV permitted, all others not
- - EZB.PORTACCESS.*.TCPIPA.WEBPORT
- - - WEBSRV permitted, all others not
- - EZB.NETACCESS.*.TCPIPB.ZONEC
- - - TSOUSR1 permitted, all others not
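
The three example profiles above (STACKACCESS, PORTACCESS and NETACCESS), written out as the RACF commands that would create them. This is an added example, not taken from the presentation. It assumes RACF is the security manager, that the SERVAUTH class is already active, generic-enabled and RACLISTed, and that the exec runs under TSO with authority to define SERVAUTH profiles; the run helper is a hypothetical name.

```rexx
/* REXX */
/* Added example (not from the presentation): define the SERVAUTH   */
/* profiles from the slides with UACC(NONE), then permit READ to    */
/* the one user ID the slides allow for each profile.               */
/* Assumption: SERVAUTH is already active, generic and RACLISTed.   */

/* Profile names and user IDs are the ones shown in the minutes.    */
/* WEBPORT is the SAF name from: PORT 80 TCP * SAF WEBPORT          */
/* ZONEC is a zone name from the NETACCESS statement of TCPIPB.     */
profile.1 = "EZB.STACKACCESS.*.TCPIPA"        ; user.1 = "WEBSRV"
profile.2 = "EZB.PORTACCESS.*.TCPIPA.WEBPORT" ; user.2 = "WEBSRV"
profile.3 = "EZB.NETACCESS.*.TCPIPB.ZONEC"    ; user.3 = "TSOUSR1"
profile.0 = 3

do i = 1 to profile.0
  /* Nobody gets access by default ...                              */
  call run "RDEFINE SERVAUTH" profile.i "UACC(NONE)"
  /* ... and only the named user ID is given READ.                  */
  call run "PERMIT" profile.i "CLASS(SERVAUTH) ID("user.i") ACCESS(READ)"
end

/* In-storage (RACLISTed) profiles do not change until refreshed.   */
call run "SETROPTS RACLIST(SERVAUTH) REFRESH"

/* Review the resulting access lists. Unless SETROPTS NOADDCREATOR  */
/* is in effect, RDEFINE also puts the defining user on each list   */
/* with ALTER; remove it with PERMIT ... ID(userid) DELETE if that  */
/* user should not reach the stack, port or zone.                   */
do i = 1 to profile.0
  call run "RLIST SERVAUTH" profile.i "AUTHUSER"
end
exit 0

/* run (hypothetical helper): echo a command, issue it to TSO and   */
/* stop at the first non-zero return code, e.g. when a profile      */
/* already exists, so a half-built rule set is noticed.             */
run: procedure
  parse arg cmd
  say cmd
  address tso cmd
  if rc <> 0 then do
    say "RC="rc "for:" cmd
    exit 8
  end
  return
```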

SAF protection: Other SERVAUTH resources
- There are 30+ different possible TCP/IP-related resource types to protect. Careful use of these can provide a significant level of security administrator-based control over use of TCP/IP-related resources on z/OS
- - Command protection
- - - ipsec
- - - nssctl
- - - pasearch
- - - netstat
- - Application control
- - - broadcast socket options
- - - IPv6 advanced socket APIs
- - - NSS certificate, service, client access
- - - FTP port, command access and HFS access
- - - DCAS access
- - Network management APIs
- - - packet trace
- - - realtime SMF data
- - - connection data
- - Other resource restrictions
- - - Fast Response Cache Accelerator (FRCA) page load
- - - SNMP subagent access
- - - DVIPA modification control
See the z/OS Communications Server IP Configuration Guide chapter 3 for a complete list of Communications Server SERVAUTH resources

Summary
- Protecting system resources from the network
- - Integrated Intrusion Detection Services detects, records, and defends against scans, stack attacks, flooding
- - Protect system availability
- - - Built in protection against Denial of Service attacks
- - - IP packet filtering
- - - Syslogd integrity and availability
- - - Sysplex Wide Security Associations
- - SAF protection of z/OS resources
- - - z/OS CS application access to data sets and files
- - - SERVAUTH class protection
- Protecting data in the network
- - True end-to-end security with security endpoint on z/OS
- - Strong cryptographic algorithms using IBM Z hardware crypto features
- - Transparent Application Security
- - - IPSec for TCP/IP applications
- - - Application-Transparent TLS support
- - - Internet-ready access to SNA applications with TN3270 TLS/SSL
- - Built-in Application Security
- - - Kerberized FTP, rsh, telnet,
- - SNMPv3, Secure OSPF Authentication
- - Complete auditing of network cryptographic protection through zERT

• Presentation Access - See the SPARTA webpage for the complete presentation.


Contact Info:
Chris Meyer, CISSP
IBM
Senior Technical Staff Member, z/OS Network Security Architect
3039 Cornwallis Road
Research Triangle Park, NC 27709

Phone: (919) 254-5179
Email: meyerchr@us.ibm.com


• The July 9, 2019 monthly meeting ended about 8:20 P.M.

Treasurer’s Report for July 2019

contributed by Randy Springs

The balance in the account is $940.10 as of July 31, 2019.


SPARTA Financial Report
07/01/2019 through 07/31/2019


| Item | Amount |
|---|---|
| INCOME | |
| Opening Balance 7/1/2019 | $1,371.92 |
| Total Deposits | |
| Food money donated | 35.00 |
| Dues | 30.00 |
| Sponsorships | 0.00 |
| TOTAL INCOME | $65.00 |
| EXPENSES | |
| Food | 63.93 |
| Web Site | 432.82 |
| Petty Cash | 0.00 |
| Bank Service Charges | 0.00 |
| TOTAL EXPENSE | $496.82 |
| BANK BALANCE | 857.76 |
| PETTY CASH on hand | 82.34 |
| TOTAL CASH | $940.10 |



Items of Interest



SPARTA Schedule and Menu for 2019

contributed by Chris Blackshire


August 13, 2019 - BarBQ (date changed from August 6 to avoid conflict with SHARE)
September 10, 2019 - Pizza (date changed because of Labor Day holiday in previous week)
October 1, 2019 - Chicken
November 5, 2019 - Subs
December 3, 2019 - BarBQ (last meeting until Feb. 2020)


IBM Z Moved to the New IBM Support Site on July 27, 2019

contributed By Ed Webb


IBM has added Z products to its year-old SalesForce-based Support Site.

"IBM is introducing the new IBM Support site to replace the IBM Service Request Tool. IBM Z software products and offerings [are now] migrated to the new IBM Support site.... IBM Z Hardware will migrate at a later date."

Learn more with links to training at this page.


50 Years Ago: Five Mainframes Put Man on the Moon

contributed By Ed Webb


".... The brunt of the workload for the Apollo 11 mission was handled by five System/360 Model 75 mainframe computers."

"According to Gene Kranz, NASA Flight Director at the time, “The systems information we used to make the go, no-go decisions was developed by IBM, and the ultimate go, no-go decision that day was provided to me by computers operated by IBM engineers within NASA’s Mission Control Center. Without IBM and the systems they provided, we would not have landed on the Moon.”"

Read this brief article from Enterprise Systems Media here.


CICS Turns 50!

contributed By Ed Webb


"Fifty years ago, on July 8, 1969, IBM released CICS (Customer Information Control System). And who would have imagined what an historic day it would eventually be."

"It all started in the mid-1960s when IBM decided to address the fact that public utilities needed to greatly improve their customer service response times. Ben Riggins, an IBM systems engineer at Virginia Electric Power Co., came up with the idea for the online transaction processing system we now know as CICS. In fact, he became its principal architect of the early releases. He is often considered to be the “Father of CICS.”"

Learn more in this brief article in Enterprise Systems Media here.


Humor



Wit and Wisdom continued

contributed by Ed Webb


• Everyone is entitled to their own opinion, but not their own facts.
• One of the advantages of being disorderly is that one is constantly making exciting discoveries.
• Whatever advice you give, be brief.

• The greatest part of our happiness depends on our dispositions, not our circumstances.
• Man cannot discover new oceans until he first loses sight of the shore.
• Procrastination is the thief of time.


Membership Information



Don’t Forget the Next SPARTA Meeting


Tuesday, August 13, 2019
Postponed From August 6

7 p.m.


Location: LabCorp in RTP


Use 1912 TW Alexander Drive, Durham, NC 27703 in your map app.

Take I-40 to Miami Boulevard and go north. Turn right onto 1912 T.W. Alexander Drive. Go about a mile or so. Then turn right into LabCorp complex and turn left to the CMBP Building. In the lobby, sign in as a visitor to see Bill Johnson. Bill will escort you to the conference room.


Free Food before meeting: BarBQ, Sodas and Tea, Dessert


Program:
System Z IFLs vs. x86 for Linux applications



Speaker: Marianne Eggett of Mainline








SPARTA News

P.O. Box 13194

Research Triangle Park, NC  27709-3194


First Class Postage


SPARTA Corporate Sponsors:


DTS Software

Rocket Software

Software Diversified Services
Compuware