April 24, 2015

Solutions for Keeping Passwords Fresh

Our management wants our 3000 users to be forced to change their password on a regular basis. Also, certain rules must be applied to the new password. We don’t have VEsoft’s Security/3000, although we do have MPEX. I therefore have two options. 1. Write something myself, or 2. See if there is anything in the Contributed Software Library that will do the job, or can be modified to supply the required solution.

Homegrown and bundled solutions follow. Jeff Vance offered this:

There is a pseudo random password generator available among the Jazz files which knows MPE’s password rules. See RANDNAME. There are also UDCs which force a password to be supplied when using NEWUSER, NEWACCT and NEWGROUP CI commands. These required passwords can be random or user entered with a minimal length enforced. 

Then he added as an afterthought, a strategy to program your own password system:

I haven’t thought about it much, but it seems you could have a password file (maybe a CIRcular file?) for each user on the system. This file would have their last N passwords, and the modified date of the file would be the date their password was most recently changed.

A logon UDC could detect if the password file for that user exists. If not, create it and require a new password right then. If the password file exists, then get its modified date and compare that to today’s date. If greater than X days, then in a loop prompt for a new password. Validate the entered password against previous N passwords and your other rules. Maybe run a dictionary checking program to make sure the password is not common, etc.

Update the user-specific password file with their new password, and then logon the user.
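An added example, not part of Jeff Vance's post and not MPE code: the age-and-history check outlined above, sketched in Python. It keeps salted PBKDF2 hashes in the history rather than the passwords themselves; the 90-day age, five-entry history, minimum length and small common-password set are assumed values.

```python
import hashlib
import hmac
import os
from collections import deque
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=90)   # the "X days" in the text; 90 is an assumed value
HISTORY = 5                    # the "last N passwords"; 5 is an assumed value
MIN_LEN = 8                    # assumed minimum-length rule
COMMON = {"password", "welcome1", "letmein1"}  # constructed stand-in for a dictionary check
ITERATIONS = 100_000           # PBKDF2 work factor (assumed)


def _digest(password, salt):
    """Derive a salted hash so the history never holds a recoverable password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordRecord:
    """Per-user record: a bounded history (like a circular file) plus the change date."""

    def __init__(self):
        self.history = deque(maxlen=HISTORY)  # (salt, digest) pairs; oldest falls off
        self.changed_at = None                # None means no record exists yet

    def must_change(self, now):
        # True when there is no record yet or the last change is older than MAX_AGE.
        return self.changed_at is None or now - self.changed_at > MAX_AGE

    def was_used(self, password):
        # Re-hash the candidate with each stored salt; compare in constant time.
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self.history)

    def rejection(self, password):
        """Return the reason a candidate is refused, or None if it is acceptable."""
        if len(password) < MIN_LEN:
            return "too short"
        if password.lower() in COMMON:
            return "too common"
        if self.was_used(password):
            return "reused"
        return None

    def change(self, password, now):
        """Validate the candidate, then append it to the history and stamp the date."""
        reason = self.rejection(password)
        if reason:
            raise ValueError(reason)
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.changed_at = now
```

A logon hook would call `must_change()` first and loop on `change()` until it stops raising.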

Posted by Ron Seybold at 08:25 PM in Hidden Value, Homesteading

April 23, 2015

TBT: The Rise of Superdome to Blades

Earlier today, a 3000 manager asked if the Moonshot line of HP servers was part of the plans to establish the Charon HPA PA-RISC emulator in the community. "I think it would be great if someone would demonstrate MPE/iX running on HP Moonshot server," said Tim O'Neill. "[Stromasys might be using] Charon to do something like this, but are they doing it on a Moonshot?"

Moonshot is not the best fit for the Stromasys product, because the HP bladed server is aimed at far larger processing needs. The targets for Moonshot are providers of networking services, cloud hosting co-location providers, customers as large as PayPal, and 20th Century Fox. The studio now distributes its movies around the world digitally, movies that are hundreds of gigabytes per file, and it reduced its datacenter footprint by more than 80 percent and sends those files 40 percent faster.

It's not that the movie business didn't ever use MPE; Warner Brothers had a European distribution center for movies that used a 3000, but that was back in the day when canisters of 35mm film were shipped to theaters. Evoking the name Moonshot, however, recalls the hope that the 3000 community held for HP's first massive enterprise server, Superdome, 15 years ago.

The first Superdome computers were PA-RISC systems that ran with the same PA-8600 and PA-8700 servers that powered HP 3000s. When HP started to talk about Superdome in the months after Y2K, 3000 customers wondered "Why not us?" as part of the product's target audience.

An IT manager with beta-test experience on Superdome said at HP World that he believes there’s no reason Superdome can’t work with MPE/iX. “It’s PA-RISC hardware,” he said. “I asked our technical contact from HP why it wouldn’t run with MPE. He replied to me, ‘Yes, why wouldn’t it run MPE?’ ” In a future version, the computer will use its advanced partitioning to run more than one operating environment at once, according to HP’s presentations.

Five years ago this week, HP announced at the HP Technology@Work 2010 conference the first server technology that bridged the multiple-processor designs of Superdome into the blade server concept that would become Moonshot. Even more so than the original Superdome, the Superdome 2 had zero chance of becoming an MPE/iX hardware host, because by the Spring of that year HP was counting down the months until it stopped MPE support completely. (Officially, anyway. Right up to this month, rumors are floating that HP is supporting customer 3000s somewhere.)

Posted by Ron Seybold at 07:16 PM in History

April 22, 2015

Essential Skills: Avoiding A King's Ransom

Editor's Note: HP 3000 managers do many jobs, work that often extends outside the MPE realm. In Essential Skills, we cover the non-3000 skillset for multi-talented MPE pros.

In a recent message on a 3000 developer mailing list, one MPE expert warned of the most common malware attack of 2015: Ransomware. "This is probably the most likely thing to happen to your computer if you click on the wrong thing today," Gavin Scott reports.

It's a nearly perfect criminal scheme. You get the malware on your system and it encrypts all files of value with a randomly generated key, and directs you to send $300 in bitcoin to them in order to get the encryption key to get your files back. It will encrypt every drive it can get access to, so a lot of people get their backups infected in the process of trying to recover. If you pay the $300, then by all reports they do give you the key, you get all your files back, and they don't bother you again. They even direct you to bitcoin ATM companies who reportedly spend much of their time these days providing technical support — to help Grandma operate the bitcoin system to pay her computer ransom.

To explain the fate of having to toss out computers in the IT shop which cannot be ransomed, we call on our security expert Steve Hardwick for some insights.

By Steve Hardwick, CISSP

In a previous article I looked at a Man in the Middle attack using SuperFish. That malware effectively bypassed the encryption built into HTTPS and so allowed Lenovo to inspect secure web traffic. There's another type of encryption hack that's becoming a serious threat: Ransomware.

In standard symmetric encryption, a key — a password — is used to scramble the information to render it undecipherable. The same key is then used to allow a valid user to convert that data back into the original data. Encryption systems ensure that anyone without a key will be unable to reconstitute the original data from encrypted data. Another key component (forgive the pun) is the password used to generate the encrypted data. If a valid user is not able to access the key, then they no longer have access to the data.

In many situations as a security professional, I've been asked how to recover encrypted data after the encryption key has been lost. Despite what TV shows depict, this is not as easy as it looks. Typical recovery of encrypted data is time consuming and costly. The first thing any security professional will say when an encryption key is lost is, "Just recover your data from your backup." But today there's a type of virus out there that uses this weakness, and can compromise backups, too.

Posted by Ron Seybold at 06:15 PM in Newsmakers

April 21, 2015

Scheduling Time for Job Management

Starting Wednesday at 2 PM Eastern, MB Foster will demonstrate in a Webinar what Windows-based scheduling software should look like. The template for success comes from a strong jobstream management design: the one on HP 3000s.

3000 managers are making moves to Windows. It's been the most popular migration destination ever since HP announced it was leaving the 3000 space. Going to Linux is popular too, and the older generation of the Linux concept, Unix, had good scheduling software choices. Managers buy their own scheduler for all of these migration platforms, because what's included won't do anything close to what MPE delivers.

Over at the IT operations of Idaho State University, the scheduler that's recommended for the Banner/Ellucian ERP package under Unix has been installed. "We went with Automic's UC 4," said IT analyst John MacLerran. "That is the one recommended for use in Banner and it has worked quite well for us. We are currently on Solaris, with some Windows servers (for our report writer, named Argos), and Linux servers for the Oracle middleware servers. We will be moving the Solaris bits to Linux in the next 12 months or so, as we undergo a hardware refresh on our servers."

That's well and good for Unix or Linux sites, but Windows installations don't have such clean choices. MBF Scheduler is a selection that Measurement Specialties made a few years ago. That 3000 shop added Windows to its IT mix and needed 14,000 3000 jobs managed.

Posted by Ron Seybold at 05:45 PM in Migration

April 20, 2015

Replacing Apps, and Adding On, to Migrate

At Idaho State University, migration away from HP 3000 operations has been underway since before 2007. The school directed nearly all of its business functions using MPE/iX software, a good deal of it hand-tooled in PowerHouse. Within a couple of years of the migration launch the higher-education application Banner, running on Solaris Unix servers, took over for key parts of the 3000 operations. The last set of applications of the project now has a target for completing by July.

John MacLerran, senior IT analyst, updated us on the work at the university, noting that there are three applications, as well as control of the school's PBX, that must still be replaced from the 3000. The bank reconciliation functionality in Banner (by now renamed Ellucian) splits up accounts payable and payroll, while the MPE/iX app unified both AP and payroll. "I am rewriting that in Oracle PL/SQL as an add-on for Ellucian," he said, "at the same time, adding enhancements to include unclaimed property processing, as mandated by state law."

These revisions are following a strategy that lets the university rely on updates from Sungard, the vendor selling Ellucian. MacLerran said that whenever possible, his department wants "not to modify Ellucian directly, but to do add-ons instead — and we were able to hold to that in all but a very few cases."

It's a significant choice for any migrating 3000 site that's moved to a replacement suite. (MB Foster calls these migration targets Commercial Off The Shelf apps.) "Having a no-modification policy saved us quite a bit of heartache," MacLerran said, "as Ellucian comes out with patches and updates quite regularly. Since we didn't modify the original code, we don't have to spend too much time making sure it's still in sync."

Ellucian has aspects that are common to wide-ranging replacement applications. There are organizational operations at the university that have been handled by the 3000 which the ERP's inventory module couldn't match, for example. Another bit of replacement software will step in for the existing MPE/iX app.

Posted by Ron Seybold at 06:34 PM in Migration

April 17, 2015

Hardware appliance bolsters MPE encryption

HP 3000 sites still need to encrypt data, or at least secure it during transfers. Secure FTP protocol was never delivered as an HP-engineered solution for the MPE/iX OS while the Hewlett-Packard labs were building 3000 software. There's a reasonable amount of promise in SFTP of today for MPE/iX, but the solution isn't likely to satisfy security audits.

FluentEdge Technologies encrypts data moving through applications including the Ecometry ecommerce suite, as well as databases themselves, using software solutions that tap into apps and don't require any rewrites.

There's also a hardware solution, one that's been tested with the 3000, that offers a universal method for keeping data secure in transit. 10ZiG's Security Group offers "data-at-rest" security solutions, including the Q3 and Q3i appliances. A few years ago, Jack Connor put one of these appliances between a Digital Linear Tape device and a 3000. The results impressed him for a device that costs a few thousand dollars -- and will work with any host. Now there's a new version of the device.

Similar to 10ZiG's Q3 appliance, the Q3e is the newest version of this state-of-the-art technology. Providing complete security for backup tapes, the Q3e appliance is designed to be easy-to-use and non-intrusive. Installation takes only minutes and key management is strong, yet simple. For the highest level of security, each Q3e appliance includes a hardware encryption chip that is unique to each customer. The Q3e is available with user selectable AES-128 or AES-256 encryption modes and supports up to four tape drives.

Posted by Ron Seybold at 06:50 PM in Homesteading

April 16, 2015

TBT: When 3000 Training Went Digital

Twenty-five years ago, HP was making history by integrating CBT for MPE XL on a CD-ROM, running from an IBM PC-AT. Or a Vectra. Ah, what we learned in those years by using acronyms.

At a user conference in Boston better known for a 3000 database showdown, the mashup of acronyms promised Computer Based Training for the 3000's operating system from a Compact Disc Read Only Memory drive. Here on Throwback Thursday, we're celebrating an industry first that leveraged the HP 3000, something of an anomaly for Hewlett-Packard. CD-based information delivery was still in its first steps in the computer industry, and just ramping up in the music business as well. It would be another 10 years before Apple shipped desktops with built-in CD-ROMs.

An HP official who would later come to lead half the company as executive VP, Ann Livermore, was a humble Product Manager for this combination of HP CD classes and an HP CD-ROM player. "It's the equivalent of having a system expert looking over your shoulder while you work," Livermore said. "The audio on these training products adds significant value to the learning experience." The interactive courses show users a typical HP 3000 console on the PC, accompanied by verbal instructions and explanatory text and graphics.

In an era where Bulletin Board Systems were cutting-edge information channels and web browsers didn't exist, having CD-ROM as a tool for support broke new ground for HP's enterprise business. HP sold about six hours of training on CDs for $950. The breakthrough was being able to use the training repeatedly, instead of putting each new operator or end-user in an HP classroom for a week.

Posted by Ron Seybold at 08:41 PM in History

April 15, 2015

Patches Are Custom Products in 2015

Last spring we visited the state of HP 3000 patching and found that new work has been making its way into the customer base — one customer at a time. HP Support once created such custom patches, engineered specifically for the configuration at the customer site. Independent support providers who have access to the MPE source code do this today. It's an elite number of support providers. Ask yours if they've got the source.

Last year a 3000 manager was probing for the cause of a Command Interface CI error on a jobstream. In the course of the quest, an MPE expert made an important point: Patches to repair such MPE/iX bugs are still available. Especially from the seven companies which licensed HP's source code for the HP 3000s. This mention of MPE bug repair was a reminder, actually, that Hewlett-Packard set the internals knowledge of MPE free back in 2010. Read-only rights to the operating system source code went out to seven companies worldwide, including some support providers such as Pivital Solutions and Allegro Consultants.

The latter's Stan Sieler was watching a 3000 newsgroup thread about the error winding up. Tracy Johnson, the curator of the 3000 that hosts the EMPIRE game and a former secretary to OpenMPE, had pointed out that his 3000 sometimes waits longer than expected after a PAUSE in a jobstream.

I nearly always put a CONTINUE statement before a PAUSE in any job. Over the years I have discovered that sometimes the CPU waits "longer" than the specified pause and fails with an error.

A lively newsgroup discussion of 28 messages ensued. It was by far the biggest exchange of tech advice on the newsgroup in 2014. Sieler took note of what's likely to be broken in MPE/iX 7.5, after an HP engineer had made his analysis of what might need a workaround. Patches and workarounds are a continuing part of the 3000 manager's life, even here in the second decade of the 3000's Afterlife. You can get 'em if you want 'em.

Posted by Ron Seybold at 06:54 PM in Homesteading

April 14, 2015

Finding Your Level of MPE Patches

Patches to the HP 3000 never were a popular item in the base of production servers. Mike Hornsby of Beechglen Development once said that "about three things can happen when you patch a 3000, and two of them are bad." In essence, a static 3000 system is a stable system, and managers give away the promise of better features for the certainty there will be no errors or aborts. At least none that the management has not already seen, logged, and worked around.

However, the years which have rolled by have pushed 3000s into new territory. For example, the ability to see larger LDEV 1 drives -- and by larger we mean bigger than 4GB -- only comes through a series of patches. Drives fail, and then replacing them with something not strictly approved by HP is an obvious option.

It's not obvious to determine what a 3000's patch level is, though, considering most of the systems haven't been patched in years.

One of our editors and sponsors pointed out a tool in the 3000 community that can help. To be clear, of course, maintaining independent third party support is one of the best ways to track patch levels. While they can't say it out loud, many support vendors keep a full complement of MPE/iX patches on hand, too.

Posted by Ron Seybold at 10:29 PM in Homesteading

April 13, 2015

How MPE Talks to Its Network Neighbors

Our networking team reports they're going to refresh the hardware on our IP gateways. Our Telecom manager says they will 

  • Change the physical gateway, because the hardware is being replaced
  • Not change the IP address and gateway address
  • Change the MAC address of the gateway (because of different gateway hardware)

What do I need to do on our MPE boxes to ensure that they will see the new hardware? Does MPE cache the MAC address of neighbor gateways anywhere? I was thinking I needed to restart networking services, but I wasn't sure if anything more will be needed.

Jack Connor replies

If you're taking it off the air for the network changes, I'd go ahead and close the network down until the work has completed and then reopen it. MPE will be looking for the IPs as it opens up. I know you can see the MAC addresses in NETTOOL, but I don't think they're of any import other than informational and for DTC traffic.

Donna Hofmeister adds

Halt the network (even the system if possible -- because it's almost the same thing) while the larger network work is being done. When the new gear is in place and seems stable, "wake up" the 3000 and watch what happens.

Posted by Ron Seybold at 06:08 PM in Hidden Value, Homesteading