INFO-VAX Wed, 04 Jul 2007 Volume 2007 : Issue 362 Contents: Dissimillar Drives (Was Re: expanding shadow size) Re: Dissimillar Drives (Was Re: expanding shadow size) Re: Enhancement request - SHOW USER Re: Enhancement request - SHOW USER Re: Enhancement request - SHOW USER Re: Enhancement request - SHOW USER Re: Enhancement request - SHOW USER Re: expanding shadow size Re: expanding shadow size Re: expanding shadow size RE: HP "Support" for OpenVMS RE: HP "Support" for OpenVMS Re: Installing 8.3 on DS10L July the 4th Re: OpenVMS - When downtime is not an option Re: OpenVMS - When downtime is not an option Re: OpenVMS - When downtime is not an option Re: OpenVMS - When downtime is not an option Re: OpenVMS - When downtime is not an option Re: OpenVMS - When downtime is not an option OT: Exchange (Was Re: OpenVMS - When downtime is not an option) Re: OT: Exchange (Was Re: OpenVMS - When downtime is not an option) Re: OT: Exchange (Was Re: OpenVMS - When downtime is not an option) Re: OT: Exchange (Was Re: OpenVMS - When downtime is not an option) Re: System Disk ODS2->oDS5 Re: Updated TCO study has OpenVMS AGAIN over AIX, Slowaris Re: Using the game file on OpenVMS Hobbyist page Re: Using the game file on OpenVMS Hobbyist page Re: Using the game file on OpenVMS Hobbyist page Re: VMS security vulnerability (POP server) Re: VMS security vulnerability (POP server) XML for VMS RE: XML for VMS ---------------------------------------------------------------------- Date: Wed, 04 Jul 2007 07:42:13 -0700 From: "Tom Linden" Subject: Dissimillar Drives (Was Re: expanding shadow size) Message-ID: On Tue, 03 Jul 2007 19:36:02 -0700, John Santos wrote: > AEF wrote: >> On Jul 3, 5:28 am, hel...@astro.multiCLOTHESvax.de (Phillip Helbig--- >> remove CLOTHES to reply) wrote: >> >>> In article <4689ef96$0$27557$9b622...@news.freenet.de>, "Klaus-D. Bohn" >>> >>> writes: >>> >>>> Buuuuuuuuuuuuut what is about the availability? That disk is a common >>>> disk >>>> in a high availability cluster. We must do a cluster shutdown to >>>> expand the >>>> volume size? What is that? At this point i can't understand OpenVMS >>>> (high >>>> availability, scalability, flexibility, and so on). Sorry, that is >>>> very >>>> crazy and not acceptable. >>> >>> Think about it. You are changing something very low-level in the disk >>> structure. I think it is OK to accept some down-time for this, >>> especially since this is a relatively new feature of VMS. (If it was >>> available from day one, perhaps it could have been implemented without >>> down-time.) >>> >>> Note: I have not yet done this. SET VOLUME/LIMIT requires the private >>> MOUNT. I don't think SET VOLUME/SIZE does (at least this is not >>> mentioned in HELP, whereas it is for /LIMIT). Assume this is correct. >>> > > SET VOLUME/SIZE most definitely does *NOT* require exclusive access to > the disk. > > > >>> Get a NEW DISK. Use SET VOLUME/SIZE and perhaps SET VOLUME/LIMIT to >>> get >>> it to the size you want. (If I understand correctly, with a cluster >>> size of more than 8 the limit is set to the default of 1 TB, which is >>> also the maximum.) "Size you want" should be the CURRENT size of the >>> shadow set. Now, add this shadow set to the current shadow set (full >>> copy); if the current shadow set already has 3 members, drop 1 (just >> Maybe I'm missing something, but won't the full copy operation >> overwrite everything on the NEW DISK, including the SET VOLUME/LIMIT >> effects? > > Yes, it will. This method won't work. > >> >>> dismount the physical disk; no shutdown or whatever needed) and add in >>> the new one with a full copy. Now, get another NEW DISK and set it to >>> the same size. When the shadow copy completes, drop the old disk from >>> the shadow set and add this new disk with a full copy. (For a >>> three-member shadow set, repeat the previous two steps.) Now, use SET >>> VOLUME/SIZE to go to the new size. >> AEF >> > > > SET VOLUME/LIMIT creates a new (larger) BITMAP.SYS file and copies the > existing BITMAP.SYS to it. There is apparently no way to tell other > cluster members to use the new version of BITMAP.SYS except by having > them dismount and remount the disk, and no way to prevent the many > possible race conditions except by keeping exclusive access to the disk > during the process. (Note you also need exclusive access to a disk to > initialize it, including INIT/LIMIT.) > > I suppose they could add code to the XQP to inform the other cluster > nodes to reload the bitmap after expanding it (and locking the bitmap > while expanding it) but then you couldn't share volumes with older > versions of VMS which didn't support this operation. That's a much > more common occurrence than set volume/limit which happens at most > once in the lifetime of any given disk volume. (Zero times if you > never expand it, or if you initialize it with /LIMIT, more than once > only if you set an explicit limit value that is stupidly small.) > Whereas sharing a volume across different VMS versions happens anytime > you do a rolling upgrade, or have a VAX in your cluster. (Maybe this > would be a good excuse for demanding VAX VMS V8.x :-) > > Or are you saying DEC was inexcusably crazy for not anticipating Dynamic > Volume Expansion in 1976 when ODS-2 was being designed, or at the very > least in 1983 or so when clustering was invented? > > I have a shadowset system disk with dissimlar drives and that offends my VAX (since VMS is there limited to 7.3) Can I use /LIMIT and/or /SIZE to make them appear identical to the VAX? Disk $6$DKA0:, device type DEC RZ2DA-LA, is online, member of shadow set DSA10:, Disk $6$DKA100:, device type QUANTUM ATLAS V 9 SCA, is online, member of shadow set DSA10: -- PL/I for OpenVMS www.kednos.com ------------------------------ Date: Wed, 04 Jul 2007 10:08:18 -0700 From: Volker Halle Subject: Re: Dissimillar Drives (Was Re: expanding shadow size) Message-ID: <1183568898.891161.292990@c77g2000hse.googlegroups.com> Tom, OpenVMS VAX V7.3 neither supports /LIMIT nor /SIZE and it also does not support DDS (Dissimilar Device Shadowing), so no chance to mount that shadowset from OpenVMS VAX V7.3 Volker. ------------------------------ Date: Wed, 04 Jul 2007 01:48:12 -0700 From: IanMiller Subject: Re: Enhancement request - SHOW USER Message-ID: <1183538892.635270.145990@n2g2000hse.googlegroups.com> email dcl @ hp and explain to the current DCL maintainer why your request is a good thing. The DCL maintainer may or may not see your posting to this newsgroup. $ SHOW SYSTEM/OWN=[myusername] /FULL appears to do what your example does. ------------------------------ Date: Wed, 04 Jul 2007 09:00:44 GMT From: =?ISO-8859-1?Q?Jan-Erik_S=F6derholm?= Subject: Re: Enhancement request - SHOW USER Message-ID: <0lJii.3399$ZA.1339@newsb.telia.net> IanMiller wrote: > email dcl @ hp and explain to the current DCL maintainer why your > request is a good thing. > The DCL maintainer may or may not see your posting to this newsgroup. > > $ SHOW SYSTEM/OWN=[myusername] /FULL > > appears to do what your example does. > Now, a lot of examples using /USER= or /OWNER= switches has been posted. I read the initial post as a need for a "show user" command showing the users "using" the system *without knowing which user to expect" upfront. And of course not "myusername", I guess he already knows that *that* one is using the system... :-) Regards, Jan-Erik. ------------------------------ Date: 4 Jul 2007 08:09:52 -0500 From: Kilgallen@SpamCop.net (Larry Kilgallen) Subject: Re: Enhancement request - SHOW USER Message-ID: In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) writes: > In article <1183495094.838660.95750@c77g2000hse.googlegroups.com>, Bob > Gezelter writes: > >> First, what version of OpenVMS are you running? On 6.2, SHOW USERS/ >> NETWORK/FULL certainly works. > > It "works", also without /FULL, in that it adds a column to the > traditional display: > > Username Node Interactive Subprocess Batch Network > > However, it lists only network processes, so columns 3--5 are empty! > > What is needed is the above, or even better > > Username Node Interactive Subprocess Batch Network Detached > > where the traditional display is extended, and all processes are listed. Please remember that many want to see exactly what VMS is displaying, human initiated sessions that have gone through the normal login and licensing process. In fact, counting interactive users is a major use for this command at sites that do not have unlimited user licenses. ------------------------------ Date: Wed, 4 Jul 2007 11:00:12 -0400 From: "Syltrem" Subject: Re: Enhancement request - SHOW USER Message-ID: <138ndfu3topmg26@corp.supernews.com> "John Santos" wrote in message news:q2Fii.3277$bO2.1155@trnddc05... > > Or SHOW SYSTEM/OWNER= > > (It's actually an identifier, not a username, but usernames and > identifiers usually map 1:1) > Not always (although most of the time) which can make this cumbersome or error-prone (you may think the guy is not connected although he is, but the UIC is different) I just find the SHOW USER would be the logical thing to use, to see if a user is curently logged (in whatever kind of process type) I didn't know about dcl @ hp dot com Will try and see whatever happens... Syltrem ------------------------------ Date: Wed, 4 Jul 2007 13:53:52 -0400 From: "Syltrem" Subject: Re: Enhancement request - SHOW USER Message-ID: <138nnlhrdo09u54@corp.supernews.com> "IanMiller" wrote in message news:1183538892.635270.145990@n2g2000hse.googlegroups.com... > email dcl @ hp and explain to the current DCL maintainer why your > request is a good thing. > The DCL maintainer may or may not see your posting to this newsgroup. > The request was received favorably at HP Will see what comes up Thanks for the hint Syltrem ------------------------------ Date: Wed, 04 Jul 2007 07:44:06 -0700 From: AEF Subject: Re: expanding shadow size Message-ID: <1183560246.579186.26730@n60g2000hse.googlegroups.com> On Jul 3, 10:36 pm, John Santos wrote: > AEF wrote: > > On Jul 3, 5:28 am, hel...@astro.multiCLOTHESvax.de (Phillip Helbig--- > > remove CLOTHES to reply) wrote: > > >>In article <4689ef96$0$27557$9b622...@news.freenet.de>, "Klaus-D. Bohn" > > >> writes: > > >>>Buuuuuuuuuuuuut what is about the availability? That disk is a common disk > >>>in a high availability cluster. We must do a cluster shutdown to expand the > >>>volume size? What is that? At this point i can't understand OpenVMS (high > >>>availability, scalability, flexibility, and so on). Sorry, that is very > >>>crazy and not acceptable. > > >>Think about it. You are changing something very low-level in the disk > >>structure. I think it is OK to accept some down-time for this, > >>especially since this is a relatively new feature of VMS. (If it was > >>available from day one, perhaps it could have been implemented without > >>down-time.) > > >>Note: I have not yet done this. SET VOLUME/LIMIT requires the private > >>MOUNT. I don't think SET VOLUME/SIZE does (at least this is not > >>mentioned in HELP, whereas it is for /LIMIT). Assume this is correct. > > SET VOLUME/SIZE most definitely does *NOT* require exclusive access to > the disk. > > >>Get a NEW DISK. Use SET VOLUME/SIZE and perhaps SET VOLUME/LIMIT to get > >>it to the size you want. (If I understand correctly, with a cluster > >>size of more than 8 the limit is set to the default of 1 TB, which is > >>also the maximum.) "Size you want" should be the CURRENT size of the > >>shadow set. Now, add this shadow set to the current shadow set (full > >>copy); if the current shadow set already has 3 members, drop 1 (just > > > Maybe I'm missing something, but won't the full copy operation > > overwrite everything on the NEW DISK, including the SET VOLUME/LIMIT > > effects? > > Yes, it will. This method won't work. > > > > >>dismount the physical disk; no shutdown or whatever needed) and add in > >>the new one with a full copy. Now, get another NEW DISK and set it to > >>the same size. When the shadow copy completes, drop the old disk from > >>the shadow set and add this new disk with a full copy. (For a > >>three-member shadow set, repeat the previous two steps.) Now, use SET > >>VOLUME/SIZE to go to the new size. > > > AEF > > SET VOLUME/LIMIT creates a new (larger) BITMAP.SYS file and copies the > existing BITMAP.SYS to it. There is apparently no way to tell other > cluster members to use the new version of BITMAP.SYS except by having > them dismount and remount the disk, and no way to prevent the many > possible race conditions except by keeping exclusive access to the disk > during the process. (Note you also need exclusive access to a disk to > initialize it, including INIT/LIMIT.) > > I suppose they could add code to the XQP to inform the other cluster > nodes to reload the bitmap after expanding it (and locking the bitmap > while expanding it) but then you couldn't share volumes with older > versions of VMS which didn't support this operation. That's a much > more common occurrence than set volume/limit which happens at most > once in the lifetime of any given disk volume. (Zero times if you > never expand it, or if you initialize it with /LIMIT, more than once > only if you set an explicit limit value that is stupidly small.) > Whereas sharing a volume across different VMS versions happens anytime > you do a rolling upgrade, or have a VAX in your cluster. (Maybe this > would be a good excuse for demanding VAX VMS V8.x :-) > > Or are you saying DEC was inexcusably crazy for not anticipating Dynamic > Volume Expansion in 1976 when ODS-2 was being designed, or at the very > least in 1983 or so when clustering was invented? Why are you asking *me* this? I didn't say any such thing. Perhaps asking the OP? > > -- > John Santos > Evans Griffiths & Hart, Inc. > 781-861-0670 ext 539 AEF ------------------------------ Date: Wed, 4 Jul 2007 17:38:13 +0200 From: "Klaus-D. Bohn" Subject: Re: expanding shadow size Message-ID: <468bbee7$0$1890$9b622d9e@news.freenet.de> "Klaus-D. Bohn" schrieb im Newsbeitrag news:4684f400$0$24512$9b622d9e@news.freenet.de... > Hello all together, > > I have an existing problem with a shadow disk. I would like to increase the > shadow size without to dismount all the shadow members. > > I have try it on my test system, but... > > $ init dkd100: test > $ > $ init dkd200: test > $ sh dev/full dkd100: > > -------------------------------------------------------------------------- -- > ---------- > > Disk $5$DKD100: (IDEFIX), device type DEC RZ1CB-CS, is online, file-oriented > device, shareable, available to cluster, error logging is enabled. > > Error count 1 Operations completed > 66500 > Owner process "" Owner UIC > [SYSTEM] > Owner process ID 00000000 Dev Prot > S:RWPL,O:RWPL,G:R,W > Reference count 0 Default buffer size > 512 > Total blocks 8380080 Sectors per track > 113 > Total cylinders 3708 Tracks per cylinder > 20 > Allocation class 5 > > $ > $ sh dev/full dkd200: > > Disk $5$DKD200: (IDEFIX), device type COMPAQ BB00911CA0, is online, file- > oriented device, shareable, available to cluster, error logging is > enabled. > > Error count 0 Operations completed > 66669 > Owner process "" Owner UIC > [SYSTEM] > Owner process ID 00000000 Dev Prot > S:RWPL,O:RWPL,G:R,W > Reference count 0 Default buffer size > 512 > Total blocks 17773524 Sectors per track > 168 > Total cylinders 5290 Tracks per cylinder > 20 > Allocation class 5 > > $ > > -------------------------------------------------------------------------- -- > ---------- > > $ mount /system dsa2: /shadow=($5$dkd100:) test > %MOUNT-I-MOUNTED, TEST mounted on _DSA2: > %MOUNT-I-SHDWMEMSUCC, _$5$DKD100: (IDEFIX) is now a valid member of the > shadow set > $ > $ mount /system dsa2: /shadow=($5$dkd100:,$5$dkd200:) test > %MOUNT-I-MOUNTED, TEST mounted on _DSA2: > %MOUNT-I-ISAMBR, _$5$DKD100: (IDEFIX) is a member of the shadow set > %MOUNT-I-SHDWMEMCOPY, _$5$DKD200: (IDEFIX) added to the shadow set with a > copy operation > $ > > -------------------------------------------------------------------------- -- > ---------- > > $ sh dev dsa2 > > Device Device Error Volume Free Trans > Mnt > Name Status Count Label Blocks Count > Cnt > DSA2: Mounted 0 TEST 8379760 1 > 1 > $5$DKD100: (IDEFIX) ShadowSetMember 1 (member of DSA2:) > $5$DKD200: (IDEFIX) ShadowSetMember 0 (member of DSA2:) > $ > > > > $ sh dev /full dsa2 > > Disk DSA2:, device type Generic SCSI disk, is online, mounted, file-oriented > device, shareable, available to cluster, error logging is enabled, > device > supports bitmaps (no bitmaps active). > > Error count 0 Operations completed > 9464 > Owner process "" Owner UIC > [SYSTEM] > Owner process ID 00000000 Dev Prot > S:RWPL,O:RWPL,G:R,W > Reference count 1 Default buffer size > 512 > Total blocks 8380080 Sectors per track > 113 > Total cylinders 3708 Tracks per cylinder > 20 > Logical Volume Size 8380080 Expansion Size Limit > 9371648 > > Volume label "TEST" Relative volume number > 0 > Cluster size 16 Transaction count > 1 > Free blocks 8379760 Maximum files allowed > 246472 > Extend quantity 5 Mount count > 1 > Mount status System Cache name > "_DSA0:XQPCACHE" > Extent cache size 64 Maximum blocks in extent cache > 837976 > File ID cache size 64 Blocks in extent cache > 0 > Quota cache size 0 Maximum buffers in FCP cache > 1204 > Volume owner UIC [SYSTEM] Vol Prot > S:RWCD,O:RWCD,G:RWCD,W:RWCD > > Volume Status: ODS-2, subject to mount verification, file high-water > marking, > write-back caching enabled. > > Disk $5$DKD100:, device type DEC RZ1CB-CS, is online, member of shadow set > DSA2:, error logging is enabled. > > Error count 1 Shadow member operation count > 76187 > Allocation class 5 > > Disk $5$DKD200:, device type COMPAQ BB00911CA0, is online, member of shadow > set > DSA2:, error logging is enabled. > > Error count 0 Shadow member operation count > 76437 > Allocation class 5 > > Volume Status: volume is being added to the shadow set by a full copy > operation. > > $ > > $ dir/size=all dsa2:[000000]bitmap.sys > > Directory DSA2:[000000] > > BITMAP.SYS;1 129/144 > > Total of 1 file, 129/144 blocks. > $ > > -------------------------------------------------------------------------- -- > ---------- > > $ dism $5$dkd100: > > $ sh dev dsa2 > > Device Device Error Volume Free Trans > Mnt > Name Status Count Label Blocks Count > Cnt > DSA2: Mounted 0 TEST 8379760 1 > 1 > $5$DKD200: (IDEFIX) ShadowSetMember 0 (member of DSA2:) > $ > > -------------------------------------------------------------------------- -- > ---------- > > $ set volume/size dsa2: > > $ sh dev dsa2 > > Device Device Error Volume Free Trans > Mnt > Name Status Count Label Blocks Count > Cnt > DSA2: Mounted 0 TEST 9371328 1 > 1 > $5$DKD200: (IDEFIX) ShadowSetMember 0 (member of DSA2:) > $ > > $ sh dev/full dsa2 > > Disk DSA2:, device type Generic SCSI disk, is online, mounted, file-oriented > device, shareable, available to cluster, error logging is enabled, > device > supports bitmaps (no bitmaps active). > > Error count 0 Operations completed > 66063 > Owner process "" Owner UIC > [SYSTEM] > Owner process ID 00000000 Dev Prot > S:RWPL,O:RWPL,G:R,W > Reference count 1 Default buffer size > 512 > Total blocks 17773524 Sectors per track > 168 > Total cylinders 5290 Tracks per cylinder > 20 > Logical Volume Size 9371648 Expansion Size Limit > 9371648 > > Volume label "TEST" Relative volume number > 0 > Cluster size 16 Transaction count > 1 > Free blocks 9371328 Maximum files allowed > 246472 > Extend quantity 5 Mount count > 1 > Mount status System Cache name > "_DSA0:XQPCACHE" > Extent cache size 64 Maximum blocks in extent cache > 937132 > File ID cache size 64 Blocks in extent cache > 837968 > Quota cache size 0 Maximum buffers in FCP cache > 1204 > Volume owner UIC [SYSTEM] Vol Prot > S:RWCD,O:RWCD,G:RWCD,W:RWCD > > Volume Status: ODS-2, subject to mount verification, file high-water > marking, > write-back caching enabled. > > Disk $5$DKD200:, device type COMPAQ BB00911CA0, is online, member of shadow > set > DSA2:, error logging is enabled. > > Error count 0 Shadow member operation count > 133049 > Allocation class 5 > > $ > > $ dir/size=all dsa2:[000000]bitmap.sys > > Directory DSA2:[000000] > > BITMAP.SYS;1 144/144 > > Total of 1 file, 144/144 blocks. > $ > -------------------------------------------------------------------------- -- > ---------- > > The result on OpenVMS 7.3-2 and 8.3 (ALPHA) is the same. > > Now, what i do wrong? Or, didn't i understand the technology? > What must i do to get the full volume size 17773524? > > Could anywhere help me? > > Thank you very very much! > > Klaus > > Thank you all guy's for your help and hints ! Now, i think i understand the mechanism much better. I will remove my statement "that is very crazy and not acceptable" :-). To all peoble: Have a greate day and no so much problems. Klaus ------------------------------ Date: Wed, 04 Jul 2007 09:33:45 -0700 From: Malcolm Dunnett Subject: Re: expanding shadow size Message-ID: <468bcbea$1@flight> David J Dachtera wrote: >> I wonder why the INIT command doesn't by default set the >> volume expansion limit to be the maximum allowable by the >> clustersize. Is there a penalty in doing so (other than a >> few blocks in the bitmap?) > > How could VAX/VMS V3.x or so, for example, have anticipated that disk volumes > would someday exceed whatever its volume size limit was? Some folks have disk > volumes still on-line that have not been initialized for decades. Obviously it couldn't. Note that I never said "The INIT command didn't... 20 years ago...", I said "doesn't", as in using current versions of VMS. Clearly folks that have volumes initialized before volume expansion existed need to mount them privately to fix it. However, when I INIT a virgin volume on VMS 7.3-2 it sets the expansion limit to be about 15% greater than the current volume size, rather than setting it to 1TB. That's what I was asking about, what's the penalty in just setting it to the maximum possible by default? ------------------------------ Date: Wed, 4 Jul 2007 11:49:24 -0400 From: "Main, Kerry" Subject: RE: HP "Support" for OpenVMS Message-ID: > -----Original Message----- > From: JF Mezei [mailto:jfmezei.spamnot@vaxination.ca] > Sent: June 28, 2007 3:18 PM > To: Info-VAX@Mvb.Saic.Com > Subject: Re: HP "Support" for OpenVMS >=20 > Main, Kerry wrote: > > Bottom line summary is that HP says the same thing to HP-UX Cust's > > moving to Linux. IBM says the same thing when looking at AIX to > Linux > > migrations. Sun says the same about Solaris to Linux. >=20 >=20 > I am not sure that IBM VPs go around and purposefully send out a > message > stating that IBM will help customers migrate from MVS (Z-OS this week > I > think). >=20 [snip ...] Wrong .. IBM has many internal businesses with their view of the future just like HP does. Overall, however, if you were moving off AIX, they would push you towards another IBM platform - likely Linux. Reference: (from 2003, but shows internal battles) http://news.com.com/2100-1001-982512.html?tag=3Dfd_lede2_hed "IBM: Linux is the 'logical successor'" "Asked whether IBM's eventual goal is to replace AIX with Linux, Mills responded, "It's fairly obvious we're fine with that idea...It's the logical successor." Regards Kerry Main Senior Consultant HP Services Canada Voice: 613-592-4660 Fax: 613-591-4477 kerryDOTmainAThpDOTcom (remove the DOT's and AT)=20 OpenVMS - the secure, multi-site OS that just works. ------------------------------ Date: Wed, 4 Jul 2007 11:16:33 -0500 From: "Paul Raulerson" Subject: RE: HP "Support" for OpenVMS Message-ID: <000501c7be56$b05dca30$11195e90$@com> IBM had trouble "killing off" AIX since a version of AIX is embedded in z/OS and in i5OS. And they make pots of money off both products. However, the mainframe happily runs z/VM as a hypervisor, and they any number of z/OS, z/VM, z/VSE, z/TPM, z/LINUX guests. (At work, I run about 20 z/Linux instances on a single processor, including production work load.) This is in a single LPAR, and all the instances happily share DASD, tapes, and network peripherals. The As/400 (Series i) machine runs i5OS, Linux, and AIX all on the same processor as well, but it has to do so in separate LPARS. An awful lot of that capability came out of competing software business groups, where the hardware guys said... MMMM.... and presented their hardware as "the answer" to the software guys. Seems to have worked, and there is little or no psychotic splits going on right now. Except for the Rational Rose guys trying to sell the idea that Yourdon style design can instantly rewrite (or :refactor:) 20 to 40 years of code base. It's fun to watch one of those guys say "This software is 30 years old! We can improve it a LOT! Where's the source code to it?" Their faces do some amazing things when you tell 'em the source code was lost sometime in the 1980's and nobody has gotten around to re-writing it yet. VMS is much more self contained I think, and that is why I think the Itanium platform might just really fly with it. Treat VMS as the Flagship OS it is, add in Linux, HP's variety of Linux, and Windows and well... boy... it can really have potential to fly. I just wish I know the hardware side of HP a quarter as well as I know the IBM side. I keep getting little suprises, like SCSI isn't always SCSI isn't always the same. And finding the part number to order an Alpha media kit for 8.3 is like spelunking in a cave with dead batteries... feeling around carefully in the dark! -Paul (P.S. Does anyone have that part# for sure? The part# I have is for 8.2 I think.) > -----Original Message----- > From: Main, Kerry [mailto:Kerry.Main@hp.com] > Sent: Wednesday, July 04, 2007 10:49 AM > To: Info-VAX@Mvb.Saic.Com > Subject: RE: HP "Support" for OpenVMS > > > > -----Original Message----- > > From: JF Mezei [mailto:jfmezei.spamnot@vaxination.ca] > > Sent: June 28, 2007 3:18 PM > > To: Info-VAX@Mvb.Saic.Com > > Subject: Re: HP "Support" for OpenVMS > > > > Main, Kerry wrote: > > > Bottom line summary is that HP says the same thing to HP-UX Cust's > > > moving to Linux. IBM says the same thing when looking at AIX to > > Linux > > > migrations. Sun says the same about Solaris to Linux. > > > > > > I am not sure that IBM VPs go around and purposefully send out a > > message > > stating that IBM will help customers migrate from MVS (Z-OS this week > > I > > think). > > > > [snip ...] > > Wrong .. IBM has many internal businesses with their view of the future > just like HP does. Overall, however, if you were moving off AIX, they > would push you towards another IBM platform - likely Linux. > > Reference: (from 2003, but shows internal battles) > http://news.com.com/2100-1001-982512.html?tag=fd_lede2_hed > "IBM: Linux is the 'logical successor'" > > "Asked whether IBM's eventual goal is to replace AIX with Linux, Mills > responded, "It's fairly obvious we're fine with that idea...It's the > logical successor." > > > Regards > > > Kerry Main > Senior Consultant > HP Services Canada > Voice: 613-592-4660 > Fax: 613-591-4477 > kerryDOTmainAThpDOTcom > (remove the DOT's and AT) > > OpenVMS - the secure, multi-site OS that just works. > > > ------------------------------ Date: Wed, 04 Jul 2007 08:29:29 -0700 From: sean@obanion.us Subject: Re: Installing 8.3 on DS10L Message-ID: <1183562969.805039.94030@m37g2000prh.googlegroups.com> I forgot that, too. So I should have said- "...the host WWN has not been added to the contoller, access list, or disk presintation, ..." Well, now I can't find my HSG80 manual, but I seem to recall that the DISK or UNIT (wherever the device numer that VMS uses is defined) can have an access list. Sean On Jul 3, 2:32 pm, "Tom Linden" wrote: > On Tue, 03 Jul 2007 11:14:08 -0700, wrote: > > I expect you will need to use WWIDMGR at the SRM prompt to add the > > disk offered on the HSG80 so that SRM can use it. > > If WWIDMGR doesn't see it, then I would suspect that the host WWN has > > not been added to the contoller, and/or Fibre Channel zoning is not > > configured correctly. > > I had forgotten to update the access in the HSG80, which was a list, > replaced with ALL > > -- > PL/I for OpenVMSwww.kednos.com ------------------------------ Date: Wed, 04 Jul 2007 00:56:30 -0700 From: Didier_Toulouse Subject: July the 4th Message-ID: <1183535790.489647.81140@n60g2000hse.googlegroups.com> HAPPY INDEPENDENCE DAY to my US Friends ! Didier --- Discover BB IPSC : http://www.airsoft-shooting.org ------------------------------ Date: Wed, 04 Jul 2007 08:37:45 GMT From: =?ISO-8859-1?Q?Jan-Erik_S=F6derholm?= Subject: Re: OpenVMS - When downtime is not an option Message-ID: Keith Parris wrote: > Hmmm... In IE7 I see the above. In Mozilla and Firefox there's a > different graphic in the same spot pointing to a "Fiona Ogre Princess" > video advertising HP multimedia laptops. Which (for me) changes in a few seconds to the DR video, using FF 2.0.0.4 and WinXP. It's a plain FF out of the box with no special configuration. After the initial 2-3 secons it stays forever with the link to the DR video. I would not call this for "hiding" the DR video, since probably 99.99% of the target audience probably runs IE7 or FF in a "normal" manner... Jan-Erik. ------------------------------ Date: Wed, 4 Jul 2007 12:30:16 +0000 (UTC) From: david20@alpha2.mdx.ac.uk Subject: Re: OpenVMS - When downtime is not an option Message-ID: In article , Bill Todd writes: >Main, Kerry wrote: > >.... > >> If the design and/or architecture of the OS platform allows an >> application bug to provide access to protected data and/or provides >> elevated rights on the system, does sit matter if it is an application >> or kernel OS issue? > >Clearly, that would be an OS bug (or at least a serious design flaw, if >indeed it were intentional rather than inadvertent) - *if* it had been >the case in this instance. > >It was not: the bugs *only* affected Exchange Server. If Exchange >Server was designed such that it had to execute in a privileged >environment (such that once compromised itself it could compromise other >parts of the system as you describe above), rather than designed >modularly such that at most a few critical parts of it might require >privilege (certainly not including the parsing functions that these bugs >affected) and the rest could run unprivileged, that was an *Exchange >Server* design flaw, not a Windows flaw. > What is this "IF" ? From http://www.microsoft.com/technet/security/bulletin/ms07-026.mspx "An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights" Obviously this means that the codepath executed by the bug must run at a high privilege level. Whether that is because Exchange is running with higher privileges than it really needs because of bad design and implementation or whether it is doing something which requires it to have high privileges at that point in time is not something easily judged without access to the design documents and/or source of Exchange. If as you seem to believe it is bad design and implementation in Exchange causing it to run at higher privileges than needed then it is down to those designing and programming Exchange at Microsoft. However Exchange is a Microsoft product and those same designers and programmers have probably also worked on the OS code during their careers and have had their code reviewed by the same quality control people. Also similar bugs affect lots of Microsoft products which also result in an attacker gaining complete control of the system. Hence similar comments apply to all those involved with the design and programming of those products. Hence either we have all these Microsoft designers and programmers making similar mistakes (ie unnecessarily running their code with elevated privileges when parsing input data) for all these Microsoft Apllications but not making any mistakes in the OS or we have major problems in the OS which the application programmers have trouble avoiding when writing their code. David Webb Security team leader CCSS Middlesex University >- bill ------------------------------ Date: 4 Jul 2007 08:07:38 -0500 From: Kilgallen@SpamCop.net (Larry Kilgallen) Subject: Re: OpenVMS - When downtime is not an option Message-ID: In article , =?ISO-8859-1?Q?Jan-Erik_S=F6derholm?= writes: > Keith Parris wrote: > >> Hmmm... In IE7 I see the above. In Mozilla and Firefox there's a >> different graphic in the same spot pointing to a "Fiona Ogre Princess" >> video advertising HP multimedia laptops. > > Which (for me) changes in a few seconds to the DR video, > using FF 2.0.0.4 and WinXP. It's a plain FF out of the > box with no special configuration. > > After the initial 2-3 secons it stays forever with > the link to the DR video. The graphics I see in this page are the same as yesterday: Top: "Customized for you" laptop graphics Next: Picture of supplies and accessories Next: VoodooPC logo Next: Picture of an HP calculator Next: Picture of the face of a woman thinking about storage problems All those pictures are aligned along the left margin. > I would not call this for "hiding" the DR video, since > probably 99.99% of the target audience probably runs > IE7 or FF in a "normal" manner... While I agree that I am not properly in the target audience for videos, it does not help HP's reputation to have warnings about specific features that will not work without JavaScript (proving they know some people do not configure their browsers loosely) and then "miss" making what might be a significant link available to those people. ------------------------------ Date: Wed, 04 Jul 2007 11:53:44 -0500 From: David J Dachtera Subject: Re: OpenVMS - When downtime is not an option Message-ID: <468BD098.8C6136F@spam.comcast.net> Keith Parris wrote: > > JF Mezei wrote: > > Sept 11 2001 was a state of Limbo for VMS. Curly murdered Alpha on June > > 25 2001. Carly and Curly announced their engagement on Sept 7th 2001. > > Nothing was said about VMS' future until May 7th 2002. > > As has been pointed out here before, HP said within days of the > acquisition announcement that it was carrying forward Compaq's plans to > port OpenVMS to Itanium. Unfortunately, that public statement was made > to a group of mostly-UNIX folks and the message didn't get out well to > the VMS base. Indeed. Even then, HP didn't understand VMS's user base. Never has. Never will. -- David J Dachtera dba DJE Systems http://www.djesys.com/ Unofficial OpenVMS Marketing Home Page http://www.djesys.com/vms/market/ Unofficial Affordable OpenVMS Home Page: http://www.djesys.com/vms/soho/ Unofficial OpenVMS-IA32 Home Page: http://www.djesys.com/vms/ia32/ Unofficial OpenVMS Hobbyist Support Page: http://www.djesys.com/vms/support/ ------------------------------ Date: Wed, 04 Jul 2007 10:18:15 -0700 From: AEF Subject: Re: OpenVMS - When downtime is not an option Message-ID: <1183569495.312537.158710@n2g2000hse.googlegroups.com> On Jul 3, 7:15 pm, "Ken Robinson" wrote: > On 7/3/07, Keith Parris wrote: > > > Larry Kilgallen wrote: > > > Not on my browser. Or else I did not look before they took it down. > > > For me it's still there. It's about 2/3s of the way down on the > > right-hand margin. It's a graphic which says: > > Disaster proofing > > >> Explosive video shows > > IT services recover > > in seconds > > > Hmmm... In IE7 I see the above. In Mozilla and Firefox there's a > > different graphic in the same spot pointing to a "Fiona Ogre Princess" > > video advertising HP multimedia laptops. > > It only displays under the "Large Enterprise Business" tab and since > it looks like the page uses Javascript to switch between what's > displayed, if you have Javascript disabled, you won't see it. Clicking > on the "Large Enterprise Business" tab doesn't help, since the video > isn't being pushed there... > > Ken If you click "IT Solutions" on the Large Enterprise Business area you'll get a big Disaster Proof square center right. AEF ------------------------------ Date: Wed, 04 Jul 2007 10:53:10 -0700 From: Ken Fairfield Subject: Re: OpenVMS - When downtime is not an option Message-ID: <5f2582F3aqq60U1@mid.individual.net> Jan-Erik Söderholm wrote: > Keith Parris wrote: > >> Hmmm... In IE7 I see the above. In Mozilla and Firefox there's a >> different graphic in the same spot pointing to a "Fiona Ogre Princess" >> video advertising HP multimedia laptops. > > Which (for me) changes in a few seconds to the DR video, > using FF 2.0.0.4 and WinXP. It's a plain FF out of the > box with no special configuration. Me too w.r.t. FF 2.0.0.4 and Win/XP... However, I do have NoScript installed so I can control which servers can screw with my PC. :-( (I have hp.com white-listed.) Anyway, the Fiona Ogre Princess graphic *never* went away or changed, and when I clicked on it, ta da!, I got the Fiona Ogre Princess video! Fancy that... :-( :-( > After the initial 2-3 secons it stays forever with > the link to the DR video. Stays forever in my configuration... I eventually found the Large Enterprise Business tab, and from there, the disaster vidoes, but it seems to me that HP needs a *lot* more user testing of their web sites! > I would not call this for "hiding" the DR video, since > probably 99.99% of the target audience probably runs > IE7 or FF in a "normal" manner... Again, I take exception to that characterization. I think of myself as running FF in a "normal" manner, given that NoScript is among the most highly recommended add-ons, and that anyone interested in disaster tolerance is most likely somewhat aware of the various security vulnerabilities in PC's and web services. Regards, Ken P.S. I just fired up IE (which I otherwise *never* use) and find precisely the same behaviour as with FF. The highlighted tab is "Home & Home Office", and Fiona never goes away. I wonder if this is a regional or other difference, perhaps a cookie obscurely tucked away somewhere? -- Ken & Ann Fairfield What: Ken dot And dot Ann Where: Gmail dot Com ------------------------------ Date: Wed, 04 Jul 2007 06:30:40 -0700 From: "Tom Linden" Subject: OT: Exchange (Was Re: OpenVMS - When downtime is not an option) Message-ID: On Wed, 04 Jul 2007 05:30:16 -0700, wrote: > In article , > Bill Todd writes: >> Main, Kerry wrote: >> >> .... >> >>> If the design and/or architecture of the OS platform allows an >>> application bug to provide access to protected data and/or provides >>> elevated rights on the system, does sit matter if it is an application >>> or kernel OS issue? >> >> Clearly, that would be an OS bug (or at least a serious design flaw, if >> indeed it were intentional rather than inadvertent) - *if* it had been >> the case in this instance. >> >> It was not: the bugs *only* affected Exchange Server. If Exchange >> Server was designed such that it had to execute in a privileged >> environment (such that once compromised itself it could compromise other >> parts of the system as you describe above), rather than designed >> modularly such that at most a few critical parts of it might require >> privilege (certainly not including the parsing functions that these bugs >> affected) and the rest could run unprivileged, that was an *Exchange >> Server* design flaw, not a Windows flaw. >> > > What is this "IF" ? > > From http://www.microsoft.com/technet/security/bulletin/ms07-026.mspx > > > "An attacker who successfully exploited this vulnerability could take > complete control of the affected system. An attacker could then install > programs; view, change or delete data; or create new accounts with full > user > rights" > > Obviously this means that the codepath executed by the bug must run at a > high > privilege level. Whether that is because Exchange is running with higher > privileges than it really needs because of bad design and implementation > or > whether it is doing something which requires it to have high privileges > at that > point in time is not something easily judged without access to the design > documents and/or source of Exchange. > > If as you seem to believe it is bad design and implementation in Exchange > causing it to run at higher privileges than needed then it is down to > those > designing and programming Exchange at Microsoft. However Exchange is a > Microsoft product and those same designers and programmers have probably > also > worked on the OS code during their careers and have had their code > reviewed > by the same quality control people. > > Also similar bugs affect lots of Microsoft products which also result in > an attacker gaining complete control of the system. Hence similar > comments > apply to all those involved with the design and programming of those > products. > > Hence either we have all these Microsoft designers and programmers making > similar mistakes (ie unnecessarily running their code with elevated > privileges > when parsing input data) for all these Microsoft Apllications but not > making > any mistakes in the OS or we have major problems in the OS which the > application programmers have trouble avoiding when writing their code. > As an aside, which I find disturbing, 3 of the 4 banks where I keep accounts use Exchange for the front-ends, and this is for online banking! Fortunately they are local so I can drive to them. > > David Webb > Security team leader > CCSS > Middlesex University > > >> - bill -- PL/I for OpenVMS www.kednos.com ------------------------------ Date: Wed, 4 Jul 2007 14:13:56 +0000 (UTC) From: david20@alpha2.mdx.ac.uk Subject: Re: OT: Exchange (Was Re: OpenVMS - When downtime is not an option) Message-ID: In article , "Tom Linden" writes: >On Wed, 04 Jul 2007 05:30:16 -0700, wrote: > >> In article , >> Bill Todd writes: >>> Main, Kerry wrote: >>> >>> .... >>> >>>> If the design and/or architecture of the OS platform allows an >>>> application bug to provide access to protected data and/or provides >>>> elevated rights on the system, does sit matter if it is an application >>>> or kernel OS issue? >>> >>> Clearly, that would be an OS bug (or at least a serious design flaw, if >>> indeed it were intentional rather than inadvertent) - *if* it had been >>> the case in this instance. >>> >>> It was not: the bugs *only* affected Exchange Server. If Exchange >>> Server was designed such that it had to execute in a privileged >>> environment (such that once compromised itself it could compromise other >>> parts of the system as you describe above), rather than designed >>> modularly such that at most a few critical parts of it might require >>> privilege (certainly not including the parsing functions that these bugs >>> affected) and the rest could run unprivileged, that was an *Exchange >>> Server* design flaw, not a Windows flaw. >>> >> >> What is this "IF" ? >> >> From http://www.microsoft.com/technet/security/bulletin/ms07-026.mspx >> >> >> "An attacker who successfully exploited this vulnerability could take >> complete control of the affected system. An attacker could then install >> programs; view, change or delete data; or create new accounts with full >> user >> rights" >> >> Obviously this means that the codepath executed by the bug must run at a >> high >> privilege level. Whether that is because Exchange is running with higher >> privileges than it really needs because of bad design and implementation >> or >> whether it is doing something which requires it to have high privileges >> at that >> point in time is not something easily judged without access to the design >> documents and/or source of Exchange. >> >> If as you seem to believe it is bad design and implementation in Exchange >> causing it to run at higher privileges than needed then it is down to >> those >> designing and programming Exchange at Microsoft. However Exchange is a >> Microsoft product and those same designers and programmers have probably >> also >> worked on the OS code during their careers and have had their code >> reviewed >> by the same quality control people. >> >> Also similar bugs affect lots of Microsoft products which also result in >> an attacker gaining complete control of the system. Hence similar >> comments >> apply to all those involved with the design and programming of those >> products. >> >> Hence either we have all these Microsoft designers and programmers making >> similar mistakes (ie unnecessarily running their code with elevated >> privileges >> when parsing input data) for all these Microsoft Apllications but not >> making >> any mistakes in the OS or we have major problems in the OS which the >> application programmers have trouble avoiding when writing their code. >> > >As an aside, which I find disturbing, 3 of the 4 banks where I keep >accounts use >Exchange for the front-ends, and this is for online banking! Fortunately >they >are local so I can drive to them. > Do you mean that they are the banks main internet connected mail servers ie the systems referred to in the Bank's MX records ? I'm not sure what the position is with Exchange 2007 but for previous versions of Exchange Microsoft recommended placing it on the internal network and having something else directly connected to the internet proxying the mail to it. Many organisations used a UNIX (or in some cases a VMS system running PMDF ) as the directly connected system though Microsoft would recommend routing everything through their ISA proxy server/firewall product. David Webb Security team leader CCSS Middlesex University >> >> David Webb >> Security team leader >> CCSS >> Middlesex University >> >> >>> - bill > > > >-- >PL/I for OpenVMS >www.kednos.com ------------------------------ Date: Wed, 04 Jul 2007 07:51:43 -0700 From: "Tom Linden" Subject: Re: OT: Exchange (Was Re: OpenVMS - When downtime is not an option) Message-ID: On Wed, 04 Jul 2007 07:13:56 -0700, wrote: > In article , "Tom Linden" = > writes: >> On Wed, 04 Jul 2007 05:30:16 -0700, wrote:= >> >>> In article , >>> Bill Todd writes: >>>> Main, Kerry wrote: >>>> >>>> .... >>>> >>>>> If the design and/or architecture of the OS platform allows an >>>>> application bug to provide access to protected data and/or provide= s >>>>> elevated rights on the system, does sit matter if it is an = >>>>> application >>>>> or kernel OS issue? >>>> >>>> Clearly, that would be an OS bug (or at least a serious design flaw= , = >>>> if >>>> indeed it were intentional rather than inadvertent) - *if* it had b= een >>>> the case in this instance. >>>> >>>> It was not: the bugs *only* affected Exchange Server. If Exchange= >>>> Server was designed such that it had to execute in a privileged >>>> environment (such that once compromised itself it could compromise = = >>>> other >>>> parts of the system as you describe above), rather than designed >>>> modularly such that at most a few critical parts of it might requir= e >>>> privilege (certainly not including the parsing functions that these= = >>>> bugs >>>> affected) and the rest could run unprivileged, that was an *Exchang= e >>>> Server* design flaw, not a Windows flaw. >>>> >>> >>> What is this "IF" ? >>> >>> From http://www.microsoft.com/technet/security/bulletin/ms07-026.msp= x >>> >>> >>> "An attacker who successfully exploited this vulnerability could tak= e >>> complete control of the affected system. An attacker could then inst= all >>> programs; view, change or delete data; or create new accounts with f= ull >>> user >>> rights" >>> >>> Obviously this means that the codepath executed by the bug must run = at = >>> a >>> high >>> privilege level. Whether that is because Exchange is running with = >>> higher >>> privileges than it really needs because of bad design and = >>> implementation >>> or >>> whether it is doing something which requires it to have high privile= ges >>> at that >>> point in time is not something easily judged without access to the = >>> design >>> documents and/or source of Exchange. >>> >>> If as you seem to believe it is bad design and implementation in = >>> Exchange >>> causing it to run at higher privileges than needed then it is down t= o >>> those >>> designing and programming Exchange at Microsoft. However Exchange is= a >>> Microsoft product and those same designers and programmers have = >>> probably >>> also >>> worked on the OS code during their careers and have had their code >>> reviewed >>> by the same quality control people. >>> >>> Also similar bugs affect lots of Microsoft products which also resul= t = >>> in >>> an attacker gaining complete control of the system. Hence similar >>> comments >>> apply to all those involved with the design and programming of those= >>> products. >>> >>> Hence either we have all these Microsoft designers and programmers = >>> making >>> similar mistakes (ie unnecessarily running their code with elevated >>> privileges >>> when parsing input data) for all these Microsoft Apllications but no= t >>> making >>> any mistakes in the OS or we have major problems in the OS which the= >>> application programmers have trouble avoiding when writing their cod= e. >>> >> >> As an aside, which I find disturbing, 3 of the 4 banks where I keep >> accounts use >> Exchange for the front-ends, and this is for online banking! = >> Fortunately >> they >> are local so I can drive to them. >> > Do you mean that they are the banks main internet connected mail serve= rs = > ie > the systems referred to in the Bank's MX records ? > > I'm not sure what the position is with Exchange 2007 but for previous = = > versions > of Exchange Microsoft recommended placing it on the internal network a= nd = > having > something else directly connected to the internet proxying the mail to= = > it. > Many organisations used a UNIX (or in some cases a VMS system running = = > PMDF ) > as the directly connected system though Microsoft would recommend rout= ing > everything through their ISA proxy server/firewall product. Well, now I am not sure, it was quite some time ago I looked at it using= http://www.rjlsoftware.com/software/internet/iserver/default.shtml However, they apparently don't lookup https sites, so I couldn't now te= ll. This was not for mail, but online banking. Some smaller banks outsource= = their online banking it appears, e.g., http://www.rjlsoftware.com/software/internet/iserver/submit.cfm?Server=3D= www.gfswebbank.com > > > David Webb > Security team leader > CCSS > Middlesex University > > > >>> >>> David Webb >>> Security team leader >>> CCSS >>> Middlesex University >>> >>> >>>> - bill >> >> >> >> -- >> PL/I for OpenVMS >> www.kednos.com -- = PL/I for OpenVMS www.kednos.com ------------------------------ Date: Wed, 4 Jul 2007 15:55:59 +0000 (UTC) From: david20@alpha2.mdx.ac.uk Subject: Re: OT: Exchange (Was Re: OpenVMS - When downtime is not an option) Message-ID: In article , "Tom Linden" writes: >On Wed, 04 Jul 2007 07:13:56 -0700, wrote: > >> In article , "Tom Linden" = > >> writes: >>> On Wed, 04 Jul 2007 05:30:16 -0700, wrote:= > >>> >>>> In article m>, >>>> Bill Todd writes: >>>>> Main, Kerry wrote: >>>>> >>>>> .... >>>>> >>>>>> If the design and/or architecture of the OS platform allows an >>>>>> application bug to provide access to protected data and/or provide= >s >>>>>> elevated rights on the system, does sit matter if it is an = > >>>>>> application >>>>>> or kernel OS issue? >>>>> >>>>> Clearly, that would be an OS bug (or at least a serious design flaw= >, = > >>>>> if >>>>> indeed it were intentional rather than inadvertent) - *if* it had b= >een >>>>> the case in this instance. >>>>> >>>>> It was not: the bugs *only* affected Exchange Server. If Exchange= > >>>>> Server was designed such that it had to execute in a privileged >>>>> environment (such that once compromised itself it could compromise = > = > >>>>> other >>>>> parts of the system as you describe above), rather than designed >>>>> modularly such that at most a few critical parts of it might requir= >e >>>>> privilege (certainly not including the parsing functions that these= > = > >>>>> bugs >>>>> affected) and the rest could run unprivileged, that was an *Exchang= >e >>>>> Server* design flaw, not a Windows flaw. >>>>> >>>> >>>> What is this "IF" ? >>>> >>>> From http://www.microsoft.com/technet/security/bulletin/ms07-026.msp= >x >>>> >>>> >>>> "An attacker who successfully exploited this vulnerability could tak= >e >>>> complete control of the affected system. An attacker could then inst= >all >>>> programs; view, change or delete data; or create new accounts with f= >ull >>>> user >>>> rights" >>>> >>>> Obviously this means that the codepath executed by the bug must run = >at = > >>>> a >>>> high >>>> privilege level. Whether that is because Exchange is running with = > >>>> higher >>>> privileges than it really needs because of bad design and = > >>>> implementation >>>> or >>>> whether it is doing something which requires it to have high privile= >ges >>>> at that >>>> point in time is not something easily judged without access to the = > >>>> design >>>> documents and/or source of Exchange. >>>> >>>> If as you seem to believe it is bad design and implementation in = > >>>> Exchange >>>> causing it to run at higher privileges than needed then it is down t= >o >>>> those >>>> designing and programming Exchange at Microsoft. However Exchange is= > a >>>> Microsoft product and those same designers and programmers have = > >>>> probably >>>> also >>>> worked on the OS code during their careers and have had their code >>>> reviewed >>>> by the same quality control people. >>>> >>>> Also similar bugs affect lots of Microsoft products which also resul= >t = > >>>> in >>>> an attacker gaining complete control of the system. Hence similar >>>> comments >>>> apply to all those involved with the design and programming of those= > >>>> products. >>>> >>>> Hence either we have all these Microsoft designers and programmers = > >>>> making >>>> similar mistakes (ie unnecessarily running their code with elevated >>>> privileges >>>> when parsing input data) for all these Microsoft Apllications but no= >t >>>> making >>>> any mistakes in the OS or we have major problems in the OS which the= > >>>> application programmers have trouble avoiding when writing their cod= >e. >>>> >>> >>> As an aside, which I find disturbing, 3 of the 4 banks where I keep >>> accounts use >>> Exchange for the front-ends, and this is for online banking! = > >>> Fortunately >>> they >>> are local so I can drive to them. >>> >> Do you mean that they are the banks main internet connected mail serve= >rs = > >> ie >> the systems referred to in the Bank's MX records ? >> >> I'm not sure what the position is with Exchange 2007 but for previous = > = > >> versions >> of Exchange Microsoft recommended placing it on the internal network a= >nd = > >> having >> something else directly connected to the internet proxying the mail to= > = > >> it. >> Many organisations used a UNIX (or in some cases a VMS system running = > = > >> PMDF ) >> as the directly connected system though Microsoft would recommend rout= >ing >> everything through their ISA proxy server/firewall product. > >Well, now I am not sure, it was quite some time ago I looked at it using= > >http://www.rjlsoftware.com/software/internet/iserver/default.shtml >However, they apparently don't lookup https sites, so I couldn't now te= >ll. > >This was not for mail, but online banking. Some smaller banks outsource= > = > >their >online banking it appears, e.g., > >http://www.rjlsoftware.com/software/internet/iserver/submit.cfm?Server=3D= >www.gfswebbank.com >> OK that's the IIS webserver rather than Exchange - which makes more sense when talking about online banking. David Webb Security team leader CCSS Middlesex University >> >> David Webb >> Security team leader >> CCSS >> Middlesex University >> >> >> >>>> >>>> David Webb >>>> Security team leader >>>> CCSS >>>> Middlesex University >>>> >>>> >>>>> - bill >>> >>> >>> >>> -- >>> PL/I for OpenVMS >>> www.kednos.com > > > >-- = > >PL/I for OpenVMS >www.kednos.com ------------------------------ Date: Tue, 03 Jul 2007 23:17:13 -0700 From: Volker Halle Subject: Re: System Disk ODS2->oDS5 Message-ID: <1183529833.925971.103740@w5g2000hsg.googlegroups.com> Tom, make sure you use an OpenVMS V8.2 (or higher) CD. There was a problem trying SET VOL/LIMIT after booting from the V7.3-2 CD, so I assume, the same may apply to SET VOL/STRUC=5 The error message was: %SET-E-NOTSET, error modifying ddcu: -SYSTEM-W-DEVNOTALLOC, device not allocated Volker. ------------------------------ Date: Wed, 04 Jul 2007 09:35:09 -0700 From: Andrew Subject: Re: Updated TCO study has OpenVMS AGAIN over AIX, Slowaris Message-ID: <1183566909.319209.275490@w5g2000hsg.googlegroups.com> On 3 Jul, 15:40, ultra...@gmail.com wrote: > notice the virus/worm downtime ... zero for VMS, not so good for > the others ... sorry Andrew, more proof to validate CERT counts ... > > http://h71028.www7.hp.com/ERC/downloads/TechWise_TCO2007.pdf Ohh dear not this old chestnut again. I am not an IBM expert but the choice of servers on the Sun side was kind of questionable. For example instead of using the newer and much cheaper M5000 server from Sun 200K TechWise "chose" the E4900 which is older and in the same config costs 500K. Interestingly TechWise avoided Sun X series servers running Solaris x86 which are quite widely used in HA environments, perhaps the much lower acquisition costs for these systems acted as a deterrent. Again I cannot comment on IBM but the actual downtime "survey data" used by TechWise was collected in 2006 and was presumably based on prior experience. We have seen many customers switching from Solaris 8 to Solaris 10 (skipping 9) and Solaris 10 is both more secure than Solaris 8 and more resilient/reliable for example Solaris 10 uniquely can survive the failure of a CPU without producing an outage, OpenVMS cannot and neither could Solaris 8. The improvements in Solaris 10 which would be seen as a higher % of HA Solaris servers run 10 are not factored into this "TCO analysis". Of course given absolutely no information about who responded to the survey in the first place one has to conclude that it wasn't worth the bandwidth used to transmit it. Regards Andrew Harrison ------------------------------ Date: Wed, 4 Jul 2007 10:25:14 +0200 From: "Gorazd Kikelj" Subject: Re: Using the game file on OpenVMS Hobbyist page Message-ID: "rtk" wrote in message news:1183515136.784841.153390@z28g2000prd.googlegroups.com... > I'm trying to get the games found here: > > http://www.openvmshobbyist.com/downloads.html > > to run on my Alpha box. I tried expanding HACK.ZIP, which gives me > HACK.BCK but BACKUP insists that it isn't a save set. I'm not sure > how to proceed or what I'm missing. > > Any help appreciated! > > Ron > Did you use "-V" in zip command? Best, Gorazd ------------------------------ Date: Wed, 04 Jul 2007 05:54:26 -0700 From: rtk Subject: Re: Using the game file on OpenVMS Hobbyist page Message-ID: <1183553666.403069.224570@m37g2000prh.googlegroups.com> On Jul 3, 9:33 pm, Ulrich Bellgardt wrote: > After unzipping hack.zip, do > > $ set file/attr=(rfm:fix,lrl:32256) hack.bck That worked perfectly! Thanks! Ron ------------------------------ Date: Wed, 4 Jul 2007 09:42:26 -0500 (CDT) From: sms@antinode.org (Steven M. Schweda) Subject: Re: Using the game file on OpenVMS Hobbyist page Message-ID: <07070409422692_20225360@antinode.org> From: "Gorazd Kikelj" > Did you use "-V" in zip command? Ask the fellow who created the archive, not the one who's trying to expand it. And, just in case there's still someone out there who doesn't know, you don't need "-V" on the UnZip command to restore the VMS file attributes. For UnZip: "-V" retain VMS version numbers. ("unzip -h" and "zip -h" will reveal many true facts.) ------------------------------------------------------------------------ Steven M. Schweda sms@antinode-org 382 South Warwick Street (+1) 651-699-9818 Saint Paul MN 55105-2547 ------------------------------ Date: Wed, 04 Jul 2007 15:54:08 +0100 From: Tom Wade Subject: Re: VMS security vulnerability (POP server) Message-ID: <4tOii.20679$j7.378338@news.indigo.ie> > Brute force. And VMS is even worse: The problem is that an application that accepts a username/password and attempts to validate using $HASH_PASSWORD and $GETUAI *must* also make explicit calls to $SCAN_INTRUSION, otherwise it provides a back door around the intrusion detection mechanism. I have seen this on many applications, including POP servers and web scripts to change your password. With the benefit of hindsight, it might have been a better idea to provide a $VERIFY_PASSWORD service which combines the three functions above, because it is so easy for a developer to overlook it. Another place to check is if the UCX SMTP server supports SASL (this is the "my-server-requires-authentication" checkbox in the POP client). SASL allows the client to pass a username/password in the ESMTP dialog so that you can allow authenticated clients to relay through your server irrespective of what IP address they are coming from . Even PMDF overlooked putting this through $SCAN_INTRUSION when it first came out (it was fixed pretty quickly). Only slightly more difficult to script an attack on this one. To check if your SMTP server supports SASL, telnet to port 25 and issue an EHLO command. Look for the AUTH extension. It is harder to test using telnet because the username/password pair need to be BASE64 encoded. --------------------------------------------------------- Tom Wade | EMail: tee dot wade at eurokom dot ie EuroKom | Tel: +353 (1) 296-9696 A2, Nutgrove Office Park | Fax: +353 (1) 296-9697 Rathfarnham | Disclaimer: This is not a disclaimer Dublin 14 | Tip: "Friends don't let friends do Unix !" Ireland ------------------------------ Date: Wed, 04 Jul 2007 15:40:26 -0000 From: IanMiller Subject: Re: VMS security vulnerability (POP server) Message-ID: <1183563626.691087.163060@n60g2000hse.googlegroups.com> On Jul 4, 3:54 pm, Tom Wade wrote: > > Brute force. And VMS is even worse: > > The problem is that an application that accepts a username/password and > attempts to validate using $HASH_PASSWORD and $GETUAI *must* also make > explicit calls to $SCAN_INTRUSION, otherwise it provides a back door > around the intrusion detection mechanism. I have seen this on many > applications, including POP servers and web scripts to change your > password. With the benefit of hindsight, it might have been a better > idea to provide a $VERIFY_PASSWORD service which combines the three > functions above, because it is so easy for a developer to overlook it. > > Another place to check is if the UCX SMTP server supports SASL (this is > the "my-server-requires-authentication" checkbox in the POP client). > SASL allows the client to pass a username/password in the ESMTP dialog > so that you can allow authenticated clients to relay through your server > irrespective of what IP address they are coming from . Even PMDF > overlooked putting this through $SCAN_INTRUSION when it first came out > (it was fixed pretty quickly). Only slightly more difficult to script > an attack on this one. > > To check if your SMTP server supports SASL, telnet to port 25 and issue > an EHLO command. Look for the AUTH extension. It is harder to test > using telnet because the username/password pair need to be BASE64 encoded. > > --------------------------------------------------------- > Tom Wade | EMail: tee dot wade at eurokom dot ie > EuroKom | Tel: +353 (1) 296-9696 > A2, Nutgrove Office Park | Fax: +353 (1) 296-9697 > Rathfarnham | Disclaimer: This is not a disclaimer > Dublin 14 | Tip: "Friends don't let friends do Unix !" > Ireland That is the intention of the SYS$ACM service. See Chapter 33 of the programming concepts manual http://h71000.www7.hp.com/doc/82FINAL/5841/5841pro_contents_010.html#toc_chapter_33 ------------------------------ Date: Wed, 4 Jul 2007 11:32:09 -0400 From: ChrisSharman Subject: XML for VMS Message-ID: I've got an old application which accepts orders via tagged text input files. Something like: _order_1001 _product_ab10 _quantity_30 _ink_Black _name_Mr Jones etc... I've looked at updating it to handle xml a number of times, but I've looked at the available parsers in the past (expat etc), and got nowhere. Any advice for getting started with xml on vms? I don't want to reinvent the wheel, and I ideally don't want to impose non-standard rules on my xml input. Nor do I want this to turn into a big project. The original program is written in VMS Pascal. I'm competent in C, too, but I'd prefer to keep the majority of the Pascal code intact. Don't have a Java or C++ compiler. Thanks Chris -- ChrisSharman ------------------------------------------------------------------------ ChrisSharman's Profile: http://techiegroups.com/member.php?userid=5732 View this thread: http://www.techiegroups.com/showthread.php?t=134882 ------------------------------ Date: Wed, 4 Jul 2007 11:25:24 -0500 From: "Paul Raulerson" Subject: RE: XML for VMS Message-ID: <000601c7be57$ece76b90$c6b642b0$@com> I do not know the capabilities of the VMS Pascal compiler, but here are a few links to Windows/Linux Pascal based XML parsers. To be honest, if your input is simple, writing a simple recursive descent parser to handle the defined XML you use is probably a pretty simple task. At worse, you might spend a couple of days doing it. Hope this helps, perhaps you can "file off" some of the serial numbers and reuse the code. :) -Paul http://xml.defined.net/SAX/ http://sourceforge.net/projects/saxforpascal/ http://sourceforge.net/export/rss2_projnews.php?group_id=31011 > -----Original Message----- > From: ChrisSharman [mailto:ChrisSharman.2t7f3f@no- > mx.forums.yourdomain.com.au] > Sent: Wednesday, July 04, 2007 10:32 AM > To: Info-VAX@Mvb.Saic.Com > Subject: XML for VMS > > > I've got an old application which accepts orders via tagged text input > files. > Something like: > > _order_1001 > _product_ab10 > _quantity_30 > _ink_Black > _name_Mr Jones > etc... > > I've looked at updating it to handle xml a number of times, but I've > looked at the available parsers in the past (expat etc), and got > nowhere. > Any advice for getting started with xml on vms? > I don't want to reinvent the wheel, and I ideally don't want to impose > non-standard rules on my xml input. Nor do I want this to turn into a > big project. > The original program is written in VMS Pascal. I'm competent in C, too, > but I'd prefer to keep the majority of the Pascal code intact. > > Don't have a Java or C++ compiler. > > Thanks > Chris > > > -- > ChrisSharman > ----------------------------------------------------------------------- > - > ChrisSharman's Profile: http://techiegroups.com/member.php?userid=5732 > View this thread: http://www.techiegroups.com/showthread.php?t=134882 ------------------------------ End of INFO-VAX 2007.362 ************************