1. Define CP Directory Entry for the SSLSERV Virtual Machine.

1. Define CP directory entry for the SSLSERV virtual machine.

----------------- SSLSERV DIRECT ----------------

    USER SSLSERV XXXXXXXX 128M 1G G
    ACCOUNT 200 TCPIP
    CPU 0 BASE
    CPU 1
    IPL 100
    IUCV ALLOW
    IUCV ANY
    MACHINE ESA 4
    OPTION ACCT MAXCONN 1024 QUICKDSP SVMSTAT
    SHARE RELATIVE 3000
    DEDICATE 06D2 06D2
    DEDICATE 06D3 06D3
    CONSOLE 0009 3215 T
    MDISK 0100 3390 startcyl 300 volume

2. Download and unpack the AWS tape containing the SSL server appliance. Use the procedure shown here or any other method of choice.

--------------- Hercules Linux Host -------------

    [hercuser@zhost tape]$ wget -O- http://wotho.ethz.ch/sslserv/sslserv.agz | zcat >sslserv.aws
    --2011-12-21 14:31:53-- http://wotho.ethz.ch/sslserv/sslserv.agz
    Resolving wotho.ethz.ch... 82.130.118.35
    Connecting to wotho.ethz.ch|82.130.118.35|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 51727413 (49M) [text/plain]
    Saving to: `STDOUT'
    100%[=======================================================>] 51,727,413 24.6M/s in 2.0s
    2011-12-21 14:31:55 (24.6 MB/s) - `-' saved [51727413/51727413]
    [hercuser@zhost tape]$ ls -l
    -rw-r--r-- 1 hercuser hercules 221814258 Dec 21 14:31 sslserv.aws
    [hercuser@zhost tape]$

3. Attach an LCS device to your z/VM LPAR (if not already done through your configuration file). Load the AWS tape and connect a tn3270 client to the Hercules console port.

---------------- Hercules Console ---------------

    attach 06D2.2 LCS -n /dev/net/tun -m zv:ms:sl:hw:ad 192.168.118.116
    HHCLC073I 06D2: TAP device tap2 opened
    devinit 590 tape/sslserv.aws readonly=1
    HHCTA004I 0590: tape/sslserv.aws is a AWS Format tape file
    HHCTA066I 0590: option 'readonly' accepted.
    HHCTA010I 0590: Now Displays: " NT RDY "
    HHCPN098I Device 0:0590 initialized
    HHCTE009I Client 192.168.118.113 connected to 3270 device 0:0702

4. Log on as user SSLSERV from your tn3270 client and attach the tape drive from the operator console.

---------------- OPERATOR Console ---------------

    11:00:17 HCPRFC2264I Device 06D2 is available and online.
    11:00:17 HCPRFC2264I Device 06D3 is available and online.
    11:02:49 GRAF 0702 LOGON AS SSLSERV USERS = 20
    att 590 sslserv
    11:04:03 TAPE 0590 ATTACHED TO SSLSERV 0590

---------------- SSLSERV Console ----------------

    LOGON SSLSERV
    00: z/VM Version 5 Release 3.0, Service Level 0801 (64-bit),
    00: built on IBM Virtualization Technology
    00: There is no logmsg data
    00: FILES: NO RDR, NO PRT, NO PUN
    00: LOGON AT 11:02:49 MET SATURDAY 12/17/11
    HCPVMI232E IPL UNIT ERROR; IRB 00404017 00000010 00200000 00800000
    00: HCPGIR450W CP entered; disabled wait PSW 000E0000 00000232
    TAPE 0590 ATTACHED TO SSLSERV 0590

Error messages similar to the green ones are expected and can safely be ignored.

5. Restore the SSL server appliance to disk using the DDR utility.

    00: link maint 190 190 rr
    00: DASD 0190 LINKED R/O
    00: i cms
    DMSIND2015W Unable to access the Y-disk. Filemode Y (19E) not accessed
    z/VM V5.3.0 2008-05-22 15:06
    DMSACP113S A(191) not attached or invalid device address
    DMSWSP100W Shared Y-STAT not available
    Ready; T=0.04/0.05 11:06:13
    ddr
    z/VM DASD DUMP/RESTORE PROGRAM
    ENTER:
    sysprint cons
    ENTER:
    in 590 tape ( leave
    ENTER:
    out 100 3390
    ENTER:
    restore all
    HCPDDR717D DATA DUMPED FROM SSLSRV TO BE RESTORED
    DO YOU WISH TO CONTINUE? RESPOND YES, NO OR REREAD:
    yes
    HCPDDR711D VOLID READ IS EMPTY
    DO YOU WISH TO CONTINUE? RESPOND YES, NO OR REREAD:
    Yes
    RESTORING SSLSRV
    DATA DUMPED 12/17/11 AT 09.51.27 GMT FROM SSLSRV RESTORED TO EMPTY
    INPUT CYLINDER EXTENTS      OUTPUT CYLINDER EXTENTS
        START       STOP            START       STOP
            0        299                0        299
    END OF RESTORE
    ENTER:
    END OF JOB
    Ready; T=0.23/4.87 11:07:50

6. Tape drive and CMS system disk are no longer needed, so clear the system and detach them.

    system clear
    00: Storage cleared - system reset.
    00: det 190
    00: DASD 0190 DETACHED
    00: det 590
    00: TAPE 0590 DETACHED

---------------- Hercules Console ---------------

    HHCTA010I 0590: Now Displays: "REWINDNG"
    HHCTA010I 0590: Now Displays: " READY " *FP*
    HHCTA010I 0590: Now Displays: "UNLOADNG"
    HHCTA101I 0590: AWS Tape tape/sslserv.aws closed
    HHCTA010I 0590: Now Displays: " "

7. IPL the SSL server appliance.

---------------- SSLSERV Console ----------------

    00: i 100
    00: zIPL v1.3.2 interactive boot menu
    00:
    00: 0. default (SSL_Server)
    00:
    00: 1. SSL_Server
    00:
    00: Note: VM users please use '#cp vi vmsg <input>'
    00:
    00: Please choose (default will boot in 30 seconds):
    00: Booting default (SSL_Server)...
    Linux version 2.6.9-78.EL (builder@c4s390x) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-10)) #1 SMP Mon Aug 4 00:28:36 EEST 2008
    We are running under VM (64 bit mode)
    .
    The usual chatty Linux boot sequence
    .
    Detected 2 CPU's
    Boot cpu address 0
    cpu 0 phys_idx=0 vers=FF ident=000111 machine=2097 unused=0000
    cpu 1 phys_idx=1 vers=FF ident=000111 machine=2097 unused=0000
    Brought up 2 CPUs
    .
    The usual chatty Linux boot sequence cont'd
    .
    dasd(diag): 0.0.0100: (4096 B/blk): 216000kB
    dasda:LNX1/ SSLSRV: dasda1
    .
    The usual chatty Linux boot sequence cont'd
    .
    INIT: version 2.85 booting
    Welcome to CentOS release 4.7 (Final)
    .
    The usual chatty Linux boot sequence cont'd
    .
    z90crypt: query_online -> Exception testing device 0
    z90crypt: helper_scan_devices -> exception taken!
    CentOS release 4.7 (Final)
    Kernel 2.6.9-78.EL on an s390x

The green error messages are expected and can safely be ignored.

8. After an automatic login a password change is requested. Enter the desired root password twice.

    sslserv login: root (automatic login)
    Changing password for user root.
    New UNIX password: new_password
    Retype new UNIX password: new_password
    passwd: all authentication tokens updated successfully.

9. Change directory and display the skeleton LCS network configuration file. Cut and paste it from the tn3270 session to your local editor and edit it to match your network configuration. Set HWADDR to the unique address used in the ATTACH LCS command in item 3.

    [root@sslserv ~]# cd /etc/sysconfig/network-scripts
    [root@sslserv network-scripts]# cat skeleton_ifcfg-eth0
    DEVICE=eth0
    ARP=yes
    BOOTPROTO=static
    BROADCAST=BBB.BBB.BBB.BBB
    HWADDR=XX:XX:XX:XX:XX:XX
    IPADDR=AAA.AAA.AAA.AAA
    GATEWAY=GGG.GGG.GGG.GGG
    NETMASK=MMM.MMM.MMM.MMM
    NETTYPE=lcs
    NETWORK=NNN.NNN.NNN.NNN
    ONBOOT=yes
    PORTNAME=0
    SUBCHANNELS=0.0.xxxx,0.0.yyyy
    TYPE=Ethernet

10. Paste the edited file line by line back to your tn3270 session using the cat command. Terminate your input with ¬d, the 3270 console equivalent of Ctrl-D.

    [root@sslserv network-scripts]# cat >ifcfg-eth0
    DEVICE=eth0
    ARP=yes
    BOOTPROTO=static
    BROADCAST=192.168.118.255
    HWADDR=zv:ms:sl:hw:ad
    IPADDR=192.168.118.116
    GATEWAY=192.168.118.113
    NETMASK=255.255.255.0
    NETTYPE=lcs
    NETWORK=192.168.118.0
    ONBOOT=yes
    PORTNAME=0
    SUBCHANNELS=0.0.06d2,0.0.06d3
    TYPE=Ethernet
    ¬d

11. Remove the skeleton and display the configuration file just created to verify its accuracy.

    [root@sslserv network-scripts]# rm skeleton_ifcfg-eth0
    rm: remove regular file `skeleton_ifcfg-eth0'? y
    [root@sslserv network-scripts]# cat ifcfg-eth0
    DEVICE=eth0
    ARP=yes
    BOOTPROTO=static
    BROADCAST=192.168.118.255
    HWADDR=zv:ms:sl:hw:ad
    IPADDR=192.168.118.116
    GATEWAY=192.168.118.113
    NETMASK=255.255.255.0
    NETTYPE=lcs
    NETWORK=192.168.118.0
    ONBOOT=yes
    PORTNAME=0
    SUBCHANNELS=0.0.06d2,0.0.06d3
    TYPE=Ethernet

12. Now you’re ready to bring the network interface up. Display the routing table and the interface configurations. Don’t continue until you’ve managed to get the green values to match your desired network configuration.

    [root@sslserv network-scripts]# cd
    [root@sslserv ~]# ifup eth0
    [root@sslserv ~]# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.169.118.115 *               255.255.255.255 UH    0      0        0 iucv0
    192.168.118.0   *               255.255.255.0   U     0      0        0 eth0
    169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
    default         192.168.118.113 0.0.0.0         UG    0      0        0 eth0
    [root@sslserv ~]# ifconfig
    eth0      Link encap:Ethernet HWaddr zv:ms:sl:hw:ad
              inet addr:192.168.118.116 Bcast:192.168.118.255 Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 b) TX bytes:336 (336.0 b)
    iucv0     Link encap:Serial Line IP
              inet addr:192.169.118.116 P-t-P:192.169.118.116 Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MTU:9216 Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:50
              RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1 Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING MTU:16436 Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

13. Leave the tn3270 session logged in and continue using a shell window on a (linux-)system, for example on zhost. The only requirement is that this system can act as a secure shell client and is able to connect to the SSL appliance.
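
One way to check the edited file from steps 9 to 11 before running ifup in step 12, as an added example that is not part of the original procedure: it derives NETWORK and BROADCAST from IPADDR and NETMASK, confirms GATEWAY lies in that subnet, and rejects leftover skeleton placeholders. The function names (ip2int, int2ip, get_key, check_ifcfg) are hypothetical, and only the addressing keys are checked.

```shell
# Added example (not from the original procedure): sanity-check ifcfg-eth0.
# Dotted quad -> integer. Subshell body keeps the IFS change local. Fails on
# anything that is not four octets 0..255, e.g. the skeleton's AAA.AAA.AAA.AAA.
ip2int() (
    case "$1" in *[!0-9.]*|''|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in 0?*|????*) exit 1 ;; esac   # no leading zeros (octal trap)
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the value of KEY from an ifcfg-style KEY=value file.
get_key() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# Print one line per inconsistency; return 0 only if the file is coherent.
check_ifcfg() {
    f=$1; rc=0
    ip=$(ip2int "$(get_key "$f" IPADDR)") &&
    mask=$(ip2int "$(get_key "$f" NETMASK)") &&
    gw=$(ip2int "$(get_key "$f" GATEWAY)") ||
        { echo "IPADDR, NETMASK or GATEWAY is not a dotted quad"; return 2; }
    net=$(( $ip & $mask ))
    bcast=$(( $net | (~$mask & 4294967295) ))
    [ "$(get_key "$f" NETWORK)" = "$(int2ip $net)" ] || { echo "NETWORK should be $(int2ip $net)"; rc=1; }
    [ "$(get_key "$f" BROADCAST)" = "$(int2ip $bcast)" ] || { echo "BROADCAST should be $(int2ip $bcast)"; rc=1; }
    [ $(( $gw & $mask )) -eq "$net" ] || { echo "GATEWAY is not inside $(int2ip $net)"; rc=1; }
    return $rc
}

# Constructed sample input: the addressing values shown in step 10.
sample=$(mktemp)
cat >"$sample" <<'EOF'
BROADCAST=192.168.118.255
IPADDR=192.168.118.116
GATEWAY=192.168.118.113
NETMASK=255.255.255.0
NETWORK=192.168.118.0
EOF
check_ifcfg "$sample" && echo "ifcfg values are consistent"
rm -f "$sample"
```

On the appliance the call would be `check_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0`; a non-zero return means the file should be corrected before the interface is brought up.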
