April 30, 2015
TBT: The Legacy of 3000 Creators
The creators of some of the 3000's earliest pieces are still with us, most of them. A notable exception is the legendary Fred White, pictured above in a photo taken from the years before his death in 2014. He's holding up his end of a memory board for an early-model 3000. The HP 2000 Access system behind him introduced many people to HP business systems, and they went on to become the computer's first wave of users.
Holding the other side of the board is Ed Sharpe, who created and curated the first networking resource online devoted to the 3000, a bulletin board system he called The Forum. Throughout the first decade of the 3000's life, BBS communication was the only way to exchange information about MPE technical details other than attending user group meetings. HP did not launch its teleconference sessions, broadcast to customers through HP sales offices, until late in the 1980s.
The Forum earned the support of system managers reaching out to connect with each other. The character-based BBS interface was not much less sophisticated than the mailing-list-based HP3000-L of about a decade later. Downloads of contributed software were a big feature of the Forum. It connected users in an era when long-distance was still a serious business expense.
There was sport and fun on the Forum, too, much like the current era's Friday Funnies from the 3000-L. "We had a total-weirdness chain story that everyone would add upon about Jo-EL, this man from another planet who presided over HP Labs (a tease at HP's Joel Birnbaum and riffing on Jor El from Superman). The thing went on forever, and we were all killing off each other's characters, and they would come back to life miraculously."
The biggest drawback to the Forum was the long distance charges for the users when downloading Forum CSL files! I am sure I caused some corporate phone bills to increase. Over in Europe, they had greater accessibility to X.25 at that time.
Sharpe created the Forum BBS using the only version of BASIC ever developed for MPE, BASIC/3000.
The marvels of early technology like that core memory are a part of Sharpe's passions. "We are basically holding 8K," he reports about that photo with White. "Core memory was wonderful though -- no battery back-up needed. You could go back a year later, turn it on, and there it was -- just as it was when you shut it down. This board design was a single board compilation of the board set: Core, SSA and XYD that went into the HP 2100 computer. It was used in the HP 2000 F and HP 2000 Access system we had."
Sharpe kept track of the resources in one of the community's Contributed Software Libraries by way of a column in the HP Chronicle for five years. After retiring from The Computer Exchange, a computer retail and timesharing business in Phoenix, he opened up the Southwest Museum of Engineering, Computing and Communication. He's got a collection of vintage gear at the museum including that HP 2000 and gems like an HP 9845 workstation, the latter complete with built-in thermal printer and cassette tape-based storage.
Thanks to a donation from Keven Miller of 3K Ranger, the museum now has a Micro HP 3000. "We will continue to look for more parts to keep it supported into the future," Sharpe says. "We are still looking for a Series II, a Series III and a Series 30 -- and a CX or pre-CX 3000. (Yeah, I may be dreaming there...)"
He's still learning about the HP 3000, too. "I need to know, will the old BASIC 3000 interpreter and compiler from MPE IV run on MPE V?"
April 29, 2015
Linking Yesterday's Data To Today's Server
Another migration is underway in the world of enterprise computing, one that will transport millions of customers. It's not from one OS to another, or even from one model of computer to something much newer. It's a transition from one Windows Server release to the latest, although the latest Windows Server doesn't bear the name of our current year.
Business is making a shift from Windows Server 2003 to Windows Server 2012, triggered by applications. The apps are making use of a larger computing space, going from 32- to 64-bit software. And in so doing, these IT shops need an upgrade to their data links. HP 3000s that are networked into a Windows Server enterprise have a newer model of connectivity software to handle this migration.
UDALink is the progeny of MB Foster's ODBCLink/SE, the middleware created, maintained and supported by MB Foster for IMAGE/SQL for more than 20 years. This continuous and current support of 3000-ready middleware, as we once called it, is a community marvel. No server that's been off a vendor's price list for 12 years, as the 3000 has, ever had more care lavished upon its remaining users. Now UDALink is getting an enhancement to Java Database Connectivity 3.0 API. It's a type 4 interface, and so it's ready for the Windows Server migration.
The vendor's CEO Birket Foster said that about 20 percent of the customers using Windows Server are still on the 2003 release. "It was a customer who requested we enhance the JDBC2 driver on UDALink," Foster said. "We were pleased to do so. It ensures that this customer and future customers can continue to leverage newer technologies with legacy business-critical applications."
Foster's product ODBCLink/SE was delivered inside of the MPE Fundamental Operating System. A full-featured version of ODBCLink was available for sale, and that full-edition software became UDALink. The latest version of the UDALink JDBC2 module has support for these changes from the JDBC 3.0 API, "to name a few."
- Reuse of prepared statement by connection pools
- Connection pool configuration
- Savepoint support
- Retrieval of parameter metadata and auto-generated keys
- BOOLEAN data types
- Updating of columns containing BLOB, CLOB, ARRAY and REF
- Transformation groups and type mapping
- Database Metadata APIs
The feature list will be important to the application developer who's maintaining 3000 programs that reach into databases across platforms. "The flexibility with the new interface will allow new integrations, and access for all HP 3000 and UDALink customers," Foster said. The most up to date Windows Server release can reach into 3000 databases.
Pricing information and procedures to add the JDBC2 module enhancements are available from the vendor at email@example.com
April 28, 2015
Locating Help for 4GL 3000 Projects
A phone call -- how old-school -- to the NewsWire offices today posed an interesting question: Who'd be able to help a site that's got Speedware applications which appear to be layered with Visual Speedware? The list of independent Speedware experts who know MPE isn't a long one. A few months ago we compiled a collection of 3000 experts into a single webpage here on our website. Only three companies named Speedware skills specifically in their company profiles.
"The Speedware here feels like it's hidden behind high walls," the caller said. "There's an aspect of Windows running in there, and the site doesn't really know where their development server is." Visual Speedware is still a product of Fresche Legacy -- the new name of Speedware since 2012 -- and the software that was created for "Enterprise Client/Server Development" has a presence on the Fresche website. The product's data sheet from 2002 is on the hpmigrations.com wing of the Fresche Web addresses.
Readers here will know there's an opportunity to help with a Speedware installation. It's a skill set in declining supply, this kind of 4GL expertise. PowerHouse users have a mailing-list newsgroup, but there's nothing like that for the Speedware user.
The two brands of 4GL have widely differing early days; Speedware was sometimes white-labeled to create apps sold by other software companies. SoftVoyage is a memorable example. PowerHouse always had its name out front where it was deployed. Later installs of these two 4GLs, through the late 1980s onward, were more similar.
In the ways of the IT world in 2015, both of the vendors of these products consider their 3000 customers to be ready candidates for migrations. The transition arrives in various flavors, but all of it is designed to leave the Hewlett-Packard-branded 3000 hardware behind.
Fresche Legacy has been in what it calls the application transformation and migration business a long time. In more recent years the company has focused on the IBM marketplace transitions. Fresche Legacy is exhibiting at this week's COMMON conference for IBM users, one of the biggest in the AS/400-Series i world. But when HP 3000 migrations were a nascent concept, HP pointed to a 3000-to-9000 Speedware transition as an early migration success story.
PowerHouse is supported in the 3000 world by MB Foster; the company founder Birket Foster can call on experience with PowerHouse back into the 1970s when the company was called Quasar, rather than Cognos. Foster's right up to date with this platform's options and structures. This year MB Foster inked an alliance with Unicom Global, the latest PowerHouse owners, to assist companies including HP 3000 owners.
If you go back far enough in the history of these two 4GLs, you'll find a moment where PowerHouse and Cognos were in a services deal together. It was all about migrations of PowerHouse, not the preservation of one 4GL or another. It yielded a then-groundbreaking photo of Cognos and Speedware crews arm in arm in one booth, supporting one another.
April 27, 2015
Sendmail, Group Purges, and ACD Removal
Is there a proper or "right" way to shut down sendmail?
Donna Hofmeister replies
• Use the Posix kill signal from SERVER.SENDMAIL or any user with SM capability. (The following can be easily turned into a job!)
kill $(head -n 1 /etc/mail/sendmail.pid)
• Only use :ABORTJOB as a last resort! (This is true for all of the Posix things that got ported to MPE)
If you don't need to run a mail server (e.g. sendmail) on your 3000, you shouldn't. In most cases, using a mail client will be "just the ticket." Point the client at your in-house (SMTP) mail server and enjoy.
How can I easily purge all the files in a group without destroying the group structure?
If GRPNAME is the name of the group then either:
1. chgroup GRPNAME and
Or, purge @.GRPNAME
[Ed. note: Vladimir Volokh notes this last command does not purge databases from a group, although it purges everything else. You must be an SM user to purge everything in one account from another account. Of course, MPEX's %purge will purge everything, and will report the list of what is to be purged. %purge(ISPRIV) for a selection of databases only, for example.]
How can I convert an SL to an XL?
Jeff Kell and Gavin Scott reply:
You can OCTCOMP an SL, which will make the code in it run in mostly-Native Mode (though using several times the memory) and with exactly the same limitations as the original CM code. OCTCOMP just adds a pre-translated version of the CM code to the end of the file that will be invoked when you run the program or SL on an MPE/iX system.
We have problems accessing the files of one group because someone has added ACD's on all the files within that group. Is there a way to remove them all easily?
Mark Ranft replies
Using MPEX, you can issue the command
Keven Miller adds
And if you don't have MPEX, you can use a command file like the one below.
PARM FILES=@, PCMD="ECHO File !"
SETVAR XSI_CMD "!PCMD"
IF FINFO ( "CMDFLST,TEMP", "EXISTS" ) THEN
  PURGE CMDFLST,TEMP
ENDIF
FILE CMDFLST;MSG;TEMP;NOCCTL;REC=-40,,F,ASCII;DISC=100000
LISTF !FILES,6;*CMDFLST
FILE CMDFLST,OLDTEMP
SETVAR XSI_CNT FINFO ( "CMDFLST,TEMP", "EOF" )
SETVAR XSI_R 0
WHILE !XSI_R < !XSI_CNT DO
  INPUT XSI_FILE < CMDFLST
  SETVAR XSI_R XSI_R + 1
  SETVAR XSI_FILE RTRIM ( XSI_FILE )
  SETVAR XSI_DO REPL (XSI_CMD, "!", XSI_FILE)
  SETJCW CIERROR=0
  CONTINUE
  !XSI_DO
  IF CIERROR = 0 THEN
    ECHO !XSI_DO
  ENDIF
ENDWHILE
ECHO !XSI_CNT FILES
DELETEVAR XSI_@
PURGE CMDFLST,TEMP
This command file takes 2 parameters.
1. a fileset (wildcards allowed)
2. an MPE command with a ! exclamation as place holder for the filename
It does a LISTF ,6 of your fileset into a MSG file. Then it reads through the MSG file and processes each file with your command.
April 24, 2015
Solutions for Keeping Passwords Fresh
Our management wants our 3000 users to be forced to change their password on a regular basis. Also, certain rules must be applied to the new password. We don’t have VEsoft’s Security/3000, although we do have MPEX. I therefore have two options. 1. Write something myself, or 2. See if there is anything in the Contributed Software Library that will do the job, or can be modified to supply the required solution.
Homegrown and bundled solutions follow. Jeff Vance offered this:
There is a pseudo random password generator available among the Jazz files which knows MPE’s password rules. See RANDNAME. There are also UDCs which force a password to be supplied when using NEWUSER, NEWACCT and NEWGROUP CI commands. These required passwords can be random or user entered with a minimal length enforced.
Then he added as an afterthought, a strategy to program your own password system:
From the support community, Donna Hofmeister weighed in with this advice:
I haven’t thought about it much, but it seems you could have a password file (maybe a CIRcular file?) for each user on the system. This file would have their last N passwords, and the modified date of the file would be the date their password was most recently changed.
A logon UDC could detect if the password file for that user exists. If not create it and require a new password right then. If the password file exists then get its modified date and compare that to today’s date. If greater than X days then in a loop prompt for a new password. Validate the entered password against previous N passwords and your other rules. Maybe run a dictionary checking program to make sure the password is not common, etc.
Update the user-specific password file with their new password, and then logon the user.
The solution that your management demands is going to cost more for you to develop, implement, or maintain than it’ll take for you to get Security/3000. If you have no choice other than to develop a product, then I’d certainly model it after what VEsoft has already done. That is:
Based on a system-wide UDC, examine all sessions (it is just sessions, yes? By the way, a DSLOGON from inside a job is still a session.) against a ‘database’ (By the way, just how secure is this database? A real database needs passwords... Who’s going to maintain that? A flat file could be lock-worded, but that’s not a slam-dunk answer.) a database which is looking for the ‘age’ of the password (By the way, are you going to provide an advance warning period?).
If it is time to change the password, get the ‘new’ password from the user... but writing the rules is a pain, and keeping track of reused passwords is just annoying. Auditors in the states love when you can say the password is one-way encrypted. Dunno what your management is saying for encrypting an MPE password.
Then came a solution rolled up by Paul Christidis
Some years ago I had developed a set of command files that could be used to require users to have passwords. Later on, mostly as an exercise, I enhanced the process to age passwords and to automatically assign ‘random’ passwords as they expire. The random passwords are comprised of alternating consonants and vowels, they can have a minimum and maximum length and optionally a random digit can be inserted.
The entire ‘process’ is comprised of a system batch job (should be running always), a command file that is invoked by a log-on UDC and communicates with the batch job, a ‘control’ command file that starts and stops the batch job, a command file to determine the password age and a command file to generate the random password. Below are the comments from the batch job. They explain some of the details.
!# Author: Paul H. Christidis
!# Remarks: This job 'listens' at a message file for any requests to
!# determine if a user has a password. Once that determination is
!# made it passes back to the session an indicator to that effect.
!# A command of STOP causes the job to terminate.
!# The request comes via the execution of a command file or a System
!# wide UDC and it is comprised by the file name where the reply should
!# be placed and the user's name and account.
!# This job does NOT return the user's password, it only writes in
!# message file specified by the client the command:
!# setvar user_password true/false
!# The client then executes the command and tests the setting of the
!# variable 'user_password' to decide what action to take.
!# DATE: 06/08/2004 *** WHILE RETAINING THE ABOVE BEHAVIOR ***
!# The job logic was changed to assign a new password after 30 days. A
!# file in the posix space is built using the user's name. Then at each
!# logon a command file is used to determine the file's age, using its
!# date, and when it is older than 30 days another command file is used to
!# generate a random password. Said password is sent back to the session
!# and the user is informed about his new password.
!# If the 'job/session' name is not to be used in creating the posix
!# that will be used to age the password, then the value of the CI
!# 'pw_UseSess' should be set to 'FALSE'.
!# DATE: 06/10/2004 [Added alternative aging values functionality]
!# Alternative aging limits are kept in an ASCII file "pswrdage"
!# of 'setvar' commands, for each MPE account, MPE user or Session name.
!# should adhere to the following format:
!# SETVAR SYS_MANAGER_XTIDIS_pwage 45
!# SETVAR SYS_MANAGER_pwage 40
!# SETVAR SYS_pwage 35
!# The above have the following implications:
!# The user's "xtidis,manager.sys" password expires in 45 days
!# The user's "manager.sys" password expires in 40 days
!# Any other user of the "sys" account has their password expire in 35
!# While the 'default' 30 days applies to every other user on the
!# NOTE 1: Suffix of '_pwage' is required.
!# NOTE 2: A negative or zero setting equals to NO password aging.
!# NOTE 3: The order MUST be 'ActName_UserName_JobName_pwage'.
!# Date: 06/11/2004 [Added code to 'force' a password change]
!# When the CI variable "ForcePwChange" is set to TRUE in the session
!# executes the command file, the 'passed' code is changed and the batch
!# forces the password change (Unless it was already changed on the same
Dave Powell coded up some of the fine print nicely in his contribution:
It ought to be possible to do everything for free, using just MPE. Editing the new password is the ugly part, but if you randomly assign it that issue goes away. The next issue is that the :password command seems to like to be purely interactive, as in:
echo oldpass >> tempf
echo newpass >> tempf
echo newpass >> tempf
:password < tempf
Command not allowed in noninteractive environment. (CIERR 2500)
PASSWORD WAS NOT CHANGED.
That leaves the altuser cmd, which needs AM cap. If you don't want a background job (like Paul's suggestion), you can have the command file (called by your logon UDC) use the echo command to build job with AM cap, which it then streams, kind of like (untested, but I have working examples of cmd-files building other jobs):
ECHO !!JOB ACCTMGR/PASS.SOMEACCT; HIPRI >> TF
ECHO !!ALTUSER !HPUSER;PASS=!NEW_PASS >> TF
ECHO !!SETVAR STREAMED_BY WORD(HPSTREAMEDBY,"()",2) >> TF
ECHO !!TELL !!STREAMED_BY Your new password is !NEW_PASS >> TF
ECHO !!EOJ >> TF
ECHO Please note your new password when it appears
PAUSE 99; JOB = !HPLASTJOB
PURGE TF, TEMP
If I haven't screwed up the fine print too badly, this code in the middle of the password cmd-file runs the job that changes your password, then waits for the job to tell you what the new password is. The single exclamations before HPUSER & NEW_PASS mean that values that are variables to the session and command-file become hard-wired values for the job.
Before all this your cmd-file checks the date, gets a random password, etc., as posted by others. After it the cmd-file writes (or just builds) a file that serves as a timestamp. But I am not too comfy with putting the passwords into a plain-text file, so I might skip that part (remember, the user needs both read and write access to it). Put the command file in a group that users have xeq access to, but not read/write access.
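The per-user password record discussed above (last N passwords, age checked at logon), worked through in Python as an added example that is not any contributor's code. It keeps the history as salted one-way hashes rather than plain text and resolves age limits in the pswrdage order from the job comments; the history depth, minimum length, PBKDF2 work factor and in-memory record layout are assumptions.

```python
"""Password aging and reuse checks with a one-way hashed history (added example)."""
import hashlib
import hmac
import os

DEFAULT_MAX_AGE_DAYS = 30   # default stated in the job comments
HISTORY_DEPTH = 5           # "last N passwords"; N = 5 is an assumption
MIN_LENGTH = 6              # site rule, an assumption
PBKDF2_ROUNDS = 100_000     # work factor, an assumption
DAY = 86400                 # seconds

# Constructed sample in the pswrdage format quoted in the job comments.
SAMPLE_PSWRDAGE = """\
SETVAR SYS_MANAGER_XTIDIS_pwage 45
SETVAR SYS_MANAGER_pwage 40
SETVAR SYS_pwage 35
SETVAR PROD_pwage 0
"""


def parse_pswrdage(text):
    """Read 'SETVAR <name>_pwage <days>' lines into {NAME: days}."""
    limits = {}
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == 3 and parts[0].upper() == "SETVAR"
                and parts[1].lower().endswith("_pwage")):
            try:
                limits[parts[1].upper()] = int(parts[2])
            except ValueError:
                continue  # skip malformed values rather than guess
    return limits


def resolve_max_age(limits, account, user, session=None):
    """Most specific entry wins: ACCT_USER_SESSION, ACCT_USER, ACCT, default.

    Returns None when aging is disabled (zero or negative setting).
    """
    candidates = [f"{account}_{user}_pwage", f"{account}_pwage"]
    if session:
        candidates.insert(0, f"{account}_{user}_{session}_pwage")
    for name in candidates:
        days = limits.get(name.upper())
        if days is not None:
            return days if days > 0 else None
    return DEFAULT_MAX_AGE_DAYS


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def is_reused(password, history):
    """history is a list of (salt, digest) pairs; no plain text is stored."""
    return any(hmac.compare_digest(_digest(password, s), d) for s, d in history)


def is_expired(record, max_age_days, now):
    """record is None for a user who has no password record yet."""
    if record is None:
        return True            # first logon: require a new password now
    if max_age_days is None:
        return False           # aging switched off for this user
    return now - record["changed"] > max_age_days * DAY


def change_password(record, new_password, now):
    """Return the updated record; raise ValueError when a rule fails."""
    history = list(record["history"]) if record else []
    if len(new_password) < MIN_LENGTH:
        raise ValueError("password too short")
    if is_reused(new_password, history):
        raise ValueError("password matches one of the last %d" % HISTORY_DEPTH)
    salt = os.urandom(16)
    history.append((salt, _digest(new_password, salt)))
    return {"changed": now, "history": history[-HISTORY_DEPTH:]}


if __name__ == "__main__":
    limits = parse_pswrdage(SAMPLE_PSWRDAGE)
    rec = change_password(None, "tulip42x", now=0)
    age = resolve_max_age(limits, "sys", "manager", "xtidis")
    print("limit:", age, "expired after 46 days:", is_expired(rec, age, 46 * DAY))
```

Because only salted digests are stored, read access to the record does not disclose current or past passwords, which addresses the plain-text concern raised in the thread.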
April 23, 2015
TBT: The Rise of Superdome to Blades
Earlier today, a 3000 manager asked if the Moonshot line of HP servers was part of the plans to establish the Charon HPA PA-RISC emulator in the community. "I think it would be great if someone would demonstrate MPE/iX running on HP Moonshot server," said Tim O'Neill. "[Stromasys might be using] Charon to do something like this, but are they doing it on a Moonshot?"
Moonshot is not the best fit for the Stromasys product, because the HP bladed server is aimed at far larger processing needs. The targets for Moonshot are providers of networking services, cloud hosting co-location providers, customers as large as PayPal, and 20th Century Fox. The studio now distributes its movies around the world digitally, movies that are hundreds of gigabytes per file, and it reduced its datacenter footprint by more than 80 percent and sends those files 40 percent faster.
It's not that the movie business didn't ever use MPE; Warner Brothers had a European distribution center for movies that used a 3000, but that was back in the day when canisters of 35mm film were shipped to theaters. Evoking the name Moonshot, however, recalls the hope that the 3000 community held for HP's first massive enterprise server, Superdome, 15 years ago.
The first Superdome computers were PA-RISC systems that ran with the same PA-8600 and PA-8700 servers that powered HP 3000s. When HP started to talk about Superdome in the months after Y2K, 3000 customers wondered "Why not us?" as part of the product's target audience.
An IT manager with beta-test experience on Superdome said at HP World that he believes there’s no reason Superdome can’t work with MPE/iX. “It’s PA-RISC hardware,” he said. “I asked our technical contact from HP why it wouldn’t run with MPE. He replied to me, ‘Yes, why wouldn’t it run MPE?’ ” In a future version, the computer will use its advanced partitioning to run more than one operating environment at once, according to HP’s presentations.
Five years ago this week, HP announced at the HP Technology@Work 2010 conference the first server technology that bridged the multiple-processor designs of Superdome into the blade server concept that would become Moonshot. Even more so than the original Superdome, the Superdome 2 had zero chance of becoming an MPE/iX hardware host, because by the Spring of that year HP was counting down the months until it stopped MPE support completely. (Officially, anyway. Right up to this month, rumors are floating that HP is supporting customer 3000s somewhere.)
Multiple operating systems, supported on a single HP system, were the innovation HP added to its enterprise lineup with the first Superdome. HP said it was designed to support multiple OS's simultaneously, including HP-UX, Windows NT and something Hewlett-Packard called "the freely distributed Linux operating system."
Supporting two different OS's on a single HP server was a project that went back to 1994 at HP. The Multiple Operating System Technology (MOST) was designed to let MPE/iX control instances of HP-UX on one PA-RISC server. Reaching for performance even on the biggest CPUs of 21 years ago was a problem — but one other MOST challenge was the competition between HP 9000 Unix salespeople and the HP 3000 sales force.
When Superdome was first announced, HP already understood there was going to be no single operating environment to rule all enterprise computing. "Technology is changing so fast, that to bet a business on a proprietary technology, or on a single technology, commits an IT environment to becoming a legacy environment," said CEO Carly Fiorina.
Should there ever be any interest in demonstrating the top power of Moonshot, HP operates a lab system that sounds a lot like the old Invent3K servers hosted to 3000 developers. The HP Discovery Lab allows customers and partners unfettered access to an HP Moonshot System to experiment, test and benchmark applications in a secure and confidential environment. Labs are located in Purdue University in Indiana, Houston, Texas, Grenoble, France and Singapore. Developers can also gain access to a Discovery Lab through VPN from anywhere in the world.
April 22, 2015
Essential Skills: Avoiding A King's Ransom
Editor's Note: HP 3000 managers do many jobs, work that often extends outside the MPE realm. In Essential Skills, we cover the non-3000 skillset for multi-talented MPE pros.
In a recent message on a 3000 developer mailing list, one MPE expert warned of the most common malware attack of 2015: Ransomware. "This is probably the most likely thing to happen to your computer if you click on the wrong thing today," Gavin Scott reports.
It's a nearly perfect criminal scheme. You get the malware on your system and it encrypts all files of value with a randomly generated key, and directs you to send $300 in bitcoin to them in order to get the encryption key to get your files back. It will encrypt every drive it can get access to, so a lot of people get their backups infected in the process of trying to recover. If you pay the $300, then by all reports they do give you the key, you get all your files back, and they don't bother you again. They even direct you to bitcoin ATM companies who reportedly spend much of their time these days providing technical support — to help Grandma operate the bitcoin system to pay her computer ransom.
To explain the fate of having to toss out computers in the IT shop which cannot be ransomed, we call on our security expert Steve Hardwick for some insights.
By Steve Hardwick, CISSP
In a previous article I looked at a Man in the Middle attack using SuperFish. That malware effectively bypassed the encryption built into HTTPS and so allowed Lenovo to inspect secure web traffic. There's another type of encryption hack that's becoming a serious threat: Ransomware.
In standard symmetric encryption, a key — a password — is used to scramble the information to render it undecipherable. The same key is then used to allow a valid user to convert that data back into the original data. Encryption systems ensure that anyone without a key will be unable to reconstitute the original data from encrypted data. Another key component (forgive the pun) is the password used to generate the encrypted data. If a valid user is not able to access the key, then they no longer have access to the data.
In many situations as a security professional, I've been asked how to recover encrypted data after the encryption key has been lost. Despite what TV shows depict, this is not as easy as it looks. Typical recovery of encrypted data is time consuming and costly. The first thing any security professional will say when an encryption key is lost is, "Just recover your data from your backup." But today there's a type of virus out there that uses this weakness, and can compromise backups, too.
Ransomware takes data on a machine and encrypts the information, including every data file. The catch to this encryption is that the key is not provided to the user. Typically a message appears telling the user how to get a copy of the decryption key, obviously involving payment. The user is now left with a machine where the data is not accessible unless the encryption key can be obtained. The machine is commonly called a brick. The question now becomes, is there any way to retrieve the data without becoming a victim of extortion?
The actions that can be performed after this attack are very limited. Cracking the encryption itself is going to be difficult at best. Perhaps the one method that can be used is to hope that the virus has been reverse-engineered, so the decryption key is found. There's one common ransomware virus, CryptoLocker, whose code has been cracked and a solution posted for victims to use for free. But you may not be so fortunate. As the time honored saying goes “The best form of defense is a good offense.” Putting provisions in place before the attack is the best way to prevent this extortion.
Here is a list of these measures:
1) Make sure the machine is backed up regularly. It is a good idea to make sure that the backup you are using cannot be compromised by the same virus. For example, some viruses are able to infect the backup as well as the source. That means storing a recent backup offline.
Ed: It's also important that your backup solution does versioning. You don't want to write over a good backup with a bunch of encrypted garbage.
2) Keep your operating system and application software up-to-date with the latest patches.
3) Do not follow unsolicited web links in email.
4) Keep your anti-virus software up to date.
5) Try to get Windows users not to run with Administrative privileges, which are more prone to attack.
By using these methods, not only will you be less susceptible to ransomware, you will also be less vulnerable to other problems such as other viruses, hard drive failure and loss of your machine.
April 21, 2015
Scheduling Time for Job Management
Starting Wednesday at 2 PM Eastern, MB Foster will demonstrate in a Webinar what Windows-based scheduling software should look like. The template for success comes from a strong jobstream management design: the one on HP 3000s.
3000 managers are making moves to Windows. It's been the most popular migration destination ever since HP announced it was leaving the 3000 space. Going to Linux is popular too, and the older generation of the Linux concept, Unix, had good scheduling software choices. Managers buy their own scheduler for all of these migration platforms, because what's included won't do anything close to what MPE delivers.
Over at the IT operations of Idaho State University, the scheduler that's recommended for the Banner/Ellucian ERP package under Unix has been installed. "We went with Automic's UC 4," said IT analyst John MacLerran. "That is the one recommended for use in Banner and it has worked quite well for us. We are currently on Solaris, with some Windows servers (for our report writer, named Argos), and Linux servers for the Oracle middleware servers. We will be moving the Solaris bits to Linux in the next 12 months or so, as we undergo a hardware refresh on our servers."
That's well and good for Unix or Linux sites, but Windows installations don't have such clean choices. MBF Scheduler is a selection that Measurement Specialties made a few years ago. That 3000 shop added Windows to its IT mix and needed 14,000 3000 jobs managed.
Companies that use Windows eventually discover how manual their job scheduling process can become if they're hemmed in with native tools for Windows. Credit card batches must be turned in multiple times a day at online retailers, for example. Measurement Specialties, the manufacturer which still runs a dozen HP 3000s in sites across North America, China and Europe, uses MBF Scheduler. The product manages a complementary farm of Windows Server-based systems to move jobs among servers in Measurement Systems' 3000s.
Terry Simpkins at Measurement Specialties has been devoted to Infor's MANMAN well beyond that vendor's ability to support the ERP app. Like other customers around the community, Simpkins and his team have compared MBF Scheduler to MPE's mature tools, and favorably. Sites like his don't need a separate Unix or Linux server for job scheduling, which is the usual way to keep Windows 2003 or 2012 on schedule.
At Measurement Specialties, for example, the IT pro who handles scheduling never sees the HP 3000. But enterprise server-born concepts such as job fences are tools at that IT pro's command.
Job listings, known as standard lists (STDLISTs), are common to both the 3000 and Windows environment, and MBF Scheduler was built to provide the best of both 3000 and Windows worlds. The software's got its own STDLIST reviewer, integrated with a scripting language called MBF-UDAX.
At Idaho State, a scheduler that would work with an Eloquence-Unix-PowerHouse mix was an early migration target. Before that PowerHouse project shifted to the Banner ERP, a third-party scheduler filled the university's requirement sheet. It was written for Unix, not Windows. The university's MacLerran reported that the Unix scheduler looked good because it looked like MPE/iX scheduling.
We investigated BatchQue+, from Corporate Practical Solutions (grepit.com). One of the nice things about BQ+ was that you could set up different job queues that could be used to prioritize and categorize batch jobs, similar to the job queue mechanism in MPE. Also, BQ+ was one of the only products that had an Operator-type interface for management of the queues. That meant our console operator could see what was executing in batch and which queue it was in, as well as which jobs were waiting in the queue — very much like MPE showjob commands.
April 20, 2015
Replacing Apps, and Adding On, to Migrate
At Idaho State University, migration away from HP 3000 operations has been underway since before 2007. The school directed nearly all of its business functions using MPE/iX software, a good deal of it hand-tooled in PowerHouse. Within a couple of years of the migration launch the higher-education application Banner, running on Solaris Unix servers, took over for key parts of the 3000 operations. The last set of applications in the project is now targeted for completion by July.
John MacLerran, senior IT analyst, updated us on the work at the university, noting that there are three applications, as well as control of the school's PBX, that must still be replaced from the 3000. The bank reconciliation functionality in Banner (by now renamed Ellucian) splits up accounts payable and payroll, while the MPE/iX app unified both AP and payroll. "I am rewriting that in Oracle PL/SQL as an add-on for Ellucian," he said, "at the same time, adding enhancements to include unclaimed property processing, as mandated by state law."
These revisions are following a strategy that lets the university rely on updates from Sungard, the vendor selling Ellucian. MacLerran said that whenever possible, his department wants "not to modify Ellucian directly, but to do add-ons instead — and we were able to hold to that in all but a very few cases."
It's a significant choice for any migrating 3000 site that's moved to a replacement suite. (MB Foster calls these migration targets Commercial Off The Shelf apps.) "Having a no-modification policy saved us quite a bit of heartache," MacLerran said, "as Ellucian comes out with patches and updates quite regularly. Since we didn't modify the original code, we don't have to spend too much time making sure it's still in sync."
Ellucian has aspects that are common to wide-ranging replacement applications. There are organizational operations at the university that have been handled by the 3000 which the ERP's inventory module couldn't match, for example. Another bit of replacement software will step in for the existing MPE/iX app.
The campus facilities management office has used a 3000 app to track inventory, MacLerran said.
Our stores department maintains an inventory of items used on campus by our facilities management office — plumbing supplies, janitorial supplies, paint, rubber gloves, light bulbs, etc. The inventory management system in Ellucian didn't have the needed functionality. That application will be replaced by an off-the-shelf application called SouthWare that we are licensing through B.A.S Software (bas-solutions.com). We are in the process of implementing it now.
The patient and comprehensive work at Idaho State reflects IT management that's been careful about matching functionality. That's meant the 3000 there will finally see a potential switch-off date this summer, about eight years after migration work started. There have been many months with design and testing and development taking place even as MPE/iX continued to serve. At one point the Stromasys Charon emulator was under consideration, but accelerating the migration schedule with extra in-house resources let Idaho State stay true to its program — going directly from HP's 3000 hardware to Solaris servers.
MacLerran said there's another 3000 app in its Motor Pool -- the university has locations in three Idaho cities -- that's still in need of migration. That operation bills departments for the use of vehicles by professors who travel to class. The solution to that replacement is still in transit. Again, add-ons are the strategy for migration in the Motor Pool, where an existing system called Dossier might get an add-on module.
As for the PBX, it's telecom equipment the university owns and maintains.
We run our own PBX for telephone switching on campus, and charge departments for phones (the physical phone on the desk), for phone lines to the offices, and for long-distance use. The telecom system bills departments for those charges. About 85 percent of it is already ported to a third-party system (from a company named Pinnacle, I believe), and the rest is scheduled to be done by June 1.
April 17, 2015
Hardware appliance bolsters MPE encryption
HP 3000 sites still need to encrypt data, or at least secure it during transfers. Secure FTP protocol was never delivered as an HP-engineered solution for the MPE/iX OS while the Hewlett-Packard labs were building 3000 software. There's a reasonable amount of promise in SFTP of today for MPE/iX, but the solution isn't likely to satisfy security audits.
FluentEdge Technologies encrypts data moving through applications including the Ecometry ecommerce suite, as well as databases themselves, using software solutions that tap into apps and don't require any rewrites.
There's also a hardware solution, one that's been tested with the 3000, that offers a universal method of keeping data secure in transit. 10ZiG's Security Group offers "data-at-rest" security solutions, including the Q3 and Q3i appliances. A few years ago, Jack Connor put one of these appliances between a Digital Linear Tape device and a 3000. The results impressed him for a device that costs a few thousand dollars -- and will work with any host. Now there's a new version of the device.
Connor, who supports HP servers at Abtech, found the original Q3 hardware solution provided security that would beat any SFTP transfer option. "I tested an encryption box that sits between the DLT and IO card and it worked like a champ," he said. "It maintained streaming mode and everything."
Similar to 10ZiG's Q3 appliance, the Q3e is the newest version of this state-of-the-art technology. Providing complete security for backup tapes, the Q3e appliance is designed to be easy-to-use and non-intrusive. Installation takes only minutes and key management is strong, yet simple. For the highest level of security, each Q3e appliance includes a hardware encryption chip that is unique to each customer. The Q3e is available with user selectable AES-128 or AES-256 encryption modes and supports up to four tape drives.
3000 customers are using their systems in e-commerce applications today, even though some in the community say the credit card processors' PCI DSS security rules might block such use. But the Q3 webpage lists PCI specifically as a security standard served by this standalone box.
10ZiG's Q3 storage encryption solution assists in your compliance with the PCI Standard by protecting your customer's data with encryption. The Q3 storage security appliance encrypts data at rest without effecting your current backup procedures. Installation is quick and key management is strong yet simple.
One of the testimonials on the Q3 webpage comes from the Series i IBM community, a group of servers whose OS is just as unique and specialized as MPE/iX.
April 16, 2015
TBT: When 3000 Training Went Digital
Twenty-five years ago, HP was making history by integrating CBT for MPE XL on a CD-ROM, running from an IBM PC-AT. Or a Vectra. Ah, what we learned in those years by using acronyms.
At a user conference in Boston better known for a 3000 database showdown, the mashup of acronyms promised Computer Based Training for the 3000's operating system from a Compact Disc Read Only Memory drive. Here on Throwback Thursday, we're celebrating an industry first that leveraged the HP 3000, something of an anomaly for Hewlett-Packard. CD-based information delivery was still in its first steps in the computer industry, and just ramping up in the music business as well. It would be another 10 years before Apple shipped desktops with built-in CD-ROMs.
An HP official who would later come to lead half the company as executive VP, Ann Livermore, was a humble Product Manager for this combination of HP CD classes and an HP CD-ROM player. "It's the equivalent of having a system expert looking over your shoulder while you work," Livermore said. "The audio on these training product adds significant value to the learning experience." The interactive courses show users a typical HP 3000 console on the PC, accompanied by verbal instructions and explanatory text and graphics.
In an era where Bulletin Board Systems were cutting-edge information channels and web browsers didn't exist, having CD-ROM as a tool for support broke new ground for HP's enterprise business. HP sold about six hours of training on CDs for $950. The breakthrough was being able to use the training repeatedly, instead of putting each new operator or end-user in an HP classroom for a week.
"The CBT product trains end-users and systems operators in HP 3000 Series 900 operations, including account management, system backup, shutdown, and recovery," my article from the HP Chronicle reported. I noted that MPE XL was a proprietary system, something that the vendor was trying to change with another announcement. Posix, an open system interface for Unix, was headed for MPE XL.
Hopes were high. Hewlett-Packard believed a version of MPE that supported Posix would permit Unix software to run on 3000s. We didn't make it up.
"You will be able to run Unix applications on the HP 3000s," said Wim Roelandts, vice president of HP's Computer Systems Group. "For us, open systems are not just Unix." HP also announced X Window user interface support for MPE XL, along with telnet and FTP.
Posix arrived in 1992, triggering a re-naming of the 3000's OS to MPE/iX. The interface has outlasted the utility of the CD-ROM CBT, giving Unix-savvy administrators a way to comprehend and drive what MPE does. But the holy grail of Unix on the 3000 never arrived ready to serve. It would take another 20 years to deliver MPE hosted on top of Linux, when the Stromasys Charon HPA emulator arrived in the market.
April 15, 2015
Patches Are Custom Products in 2015
Last spring we visited the state of HP 3000 patching and found that new work has been making its way into the customer base — one customer at a time. HP Support once created such custom patches, engineered specifically for the configuration at the customer site. Independent support providers who have access to the MPE source code do this today. It's an elite number of support providers. Ask yours if they've got the source.
Last year a 3000 manager was probing for the cause of a Command Interface CI error on a jobstream. In the course of the quest, an MPE expert made an important point: Patches to repair such MPE/iX bugs are still available. Especially from the seven companies which licensed HP's source code for the HP 3000s. This mention of MPE bug repair was a reminder, actually, that Hewlett-Packard set the internals knowledge of MPE free back in 2010. Read-only rights to the operating system source code went out to seven companies worldwide, including some support providers such as Pivital Solutions and Allegro Consultants.
The latter's Stan Sieler was watching a 3000 newsgroup thread about the error winding up. Tracy Johnson, the curator of the 3000 that hosts the EMPIRE game and a former secretary to OpenMPE, had pointed out that his 3000 sometimes waits longer than expected after a PAUSE in a jobstream.
I nearly always put a CONTINUE statement before a PAUSE in any job. Over the years I have discovered that sometimes the CPU waits "longer" than the specified pause and fails with an error.
A lively newsgroup discussion of 28 messages ensued. It was by far the biggest exchange of tech advice on the newsgroup in 2014. Sieler took note of what's likely to be broken in MPE/iX 7.5, after an HP engineer had made his analysis of what might need a workaround. Patches and workarounds are a continuing part of the 3000 manager's life, even here in the second decade of the 3000's Afterlife. You can get 'em if you want 'em.
A workaround is the more likely of repairs for something that's not operating correctly in MPE, by this year. Patches were a free HP 3000 element, and those that HP created still are free today -- unlike the situation for HP's still-supported servers. The dilemma is that the final round of patches HP built weren't tested to HP's satisfaction. Plus, there's no more vendor work on new repairs.
Enter the third party supporters, the companies I call independent support providers. They know the 3000 as well as anybody left at HP, so long as they're a party to the source code for the operating system. In many cases, a binary patch isn't what a customer wants. Such a thing has to be tested, and a lot of production 3000s are under lockdown today. Changes are not invited.
But in the case of an MPE/iX jobstream PAUSE error, there's always a chance for a fix. HP's Jim Hawkins looked at Johnson's problem and ranked the causes Nos. 1-4. Number 4 was "possible MPE/iX bug."
Sieler said that it looked like this was a genuine MPE/iX flaw. What to do, now that the MPE/iX lab at HP -- which once included Hawkins -- has gone dark? Sieler pointed to patching.
After analyzing hxpause, the executor responsible for implementing the CI PAUSE command, I suspect there is a bug in the MPE/iX internal routine "pausey", which hxpause uses. The bug appears to be triggerable by :BREAKJOB/:RESUMEJOB, but I have not characterized precisely what triggers it. It is, however, apparently the result of the equivalent of an uninitialized variable.
I believe Allegro could develop a patch, should a customer be interested in it.
Patches beyond the lifespan of an HP lab are a touchy topic. A binary patch, as Allegro's Steve Cooper describes this kind of assignment, is likely to live its life in just one HP 3000 installation. It's a creation to be tested, like any patch.
And now it seems that patches are not only a for-pay item, but something to be guarded. HP even pressed a lawsuit against an independent company when the vendor observed that its patches were being distributed by the indie. No money changed hands in the suit settlement, but the support company said it would stop redistributing HP's patches.
This kind of protective culture from systems vendors is endemic by now, according to Source Direct's Bill Hassell. "This is a hot topic, both for customers as well as third party support organizations," he reported. "There have been very strong reactions from customers to recent statements about firmware restrictions." Hassell, well-known as an HP-UX expert among former Interex user group members, pointed to a handful of articles from HP's own blog and the industry press such as ZDNet, or one from PC World.
But the first one Hassell pointed at was the message from HP's own Mary McCoy, VP of Support for HP Servers, Technology Services. It's titled Customers for Life. In essence, the February posting says HP's firmware only gets an upgrade for "customers with a valid warranty, Care Pack Service, or support agreement."
We know this is a change from how we’ve done business in the past; however, this aligns with industry best practices and is the right decision for our customers and partners. This decision reinforces our goal to provide access to the latest HP firmware, which is valuable intellectual property, for our customers who have chosen to maximize and protect their IT investments.
In the face of this, and other HP announcements such as ProLiant patch availability, the customers who are commenting at HP's website are not happy. One noted that "the customer segment who will suffer the most from this revision in HP firmware availability will be the small and medium businesses performing their own in-house IT support." Some say the pay-for-patch mandate is only going to drive them to other vendors for small business servers. HP asserts that every vendor is doing this by now.
Enter the indie patching potential for MPE/iX. Binary patches are much more of a possibility when source code is in the hands of a support company. The source for HP-UX, or any other proprietary Unix, isn't in the wild, and the same can be said for Windows. Linux source is always available, of course. Nobody is going to be tagged as a Customer for Life when they choose Linux.
But that's also true of MPE/iX. Enter an indie support relationship and you get the benefits of that vendor's expertise, based upon the level of their understanding of MPE. Leave that relationship and you're not penalized. You're just on the hunt now for another support vendor of equal caliber.
A support company's caliber is measured by the way it conducts its business practices, not just what it knows how to create or fix. This vendor lock-in is something familiar to a 3000 owner. But it was technology, not business decisions, which enforced such lock-in during the 20th Century. The indie companies have a patch for the current era's lock-in error.
April 14, 2015
Finding Your Level of MPE Patches
Patches to the HP 3000 never were a popular item in the base of production servers. Mike Hornsby of Beechglen Development once said that "about three things can happen when you patch a 3000, and two of them are bad." In essence, a static 3000 system is a stable system, and managers give away the promise of better features for the certainty there will be no errors or aborts. At least none that the management has not already seen, logged, and worked around.
However, the years which have rolled by have pushed 3000s into new territory. For example, the ability to see larger LDEV 1 drives -- and by larger we mean bigger than 4GB -- only comes through a series of patches. Drives fail, and then replacing them with something not strictly approved by HP is an obvious option.
It's not obvious to determine what a 3000's patch level is, though, considering most of the systems haven't been patched in years.
One of our editors and sponsors pointed out a tool in the 3000 community that can help. To be clear, of course, maintaining independent third party support is one of the best ways to track patch levels. While they can't say it out loud, many support vendors keep a full complement of MPE/iX patches on hand, too.
We asked where some experts are finding HP's patches for MPE these days, and Brian Edminster of Applied Technology pointed out the patch-check tool while he was summing up the state of patching.
I'm not sure how you'd be able to get said patches out of HP, given that the last time I called any of the HP support lines asking about support for a 3000, they thought I was talking about a printer.
I was under the impression that companies that had officially provided contracted MPE support had access to the patches, if they didn't actually have copies of them downloaded and on-hand. My 918 or better systems are all fully patched for MPE/iX 7.5, so I really hadn't thought about getting patches from HP anymore.
Beechglen has a script that compares your current patch level against what was available, so you know what patches you were "missing."
April 13, 2015
How MPE Talks to Its Network Neighbors
Our networking team reports they're going to refresh the hardware on our IP gateways. Our Telecom manager says they will
- Change the physical gateway, because the hardware is being replaced
- Not change the IP address and gateway address
- Change the MAC address of the gateway (because of different gateway hardware)
What do I need to do on our MPE boxes to ensure that they will see the new hardware? Does MPE cache the MAC address of neighbor gateways anywhere? I was thinking I needed to restart networking services, but I wasn't sure if anything more will be needed.
Jack Connor replies
If you're taking it off the air for the network changes, I'd go ahead and close the network down until the work has completed and then reopen it. MPE will be looking for the IPs as it opens up. I know you can see the MAC addresses in NETTOOL, but I don't think they're of any import other than informational and for DTC traffic.
Donna Hofmeister adds
When you halt the network (presuming you're not taking the box down) be sure to halt/quiesce network-dependent things (like jobs/listeners) just prior. I'd suggest doing an 'openq' on your network printers as well (keep the input side of printing open, but not the output side).
Halt the network (even the system if possible -- because it's almost the same thing) while the larger network work is being done. When the new gear is in place and seems stable, "wake up" the 3000 and watch what happens.
Jeff Kell notes
If you have access to your routers/switches, you can also attack this from the other end.
Cisco switches/routers (layer-3) have an ARP table that holds the MAC addresses of the hosts on the subnet. They are subject to a timeout. However, they will generate a "gratuitous unicast ARP" request to any host in the table 30 seconds before it is scheduled to expire. If the host is up, it will respond, and reset the learning timer. It will ALSO push the MAC address and IP of the gateway (the router that just performed the unicast ARP) into the host.
Unfortunately the default ARP timeout on a Cisco device is 4 hours.
You may tweak this as desired on a per-interface basis via the "arp timeout xxx" configuration directive.
If you are doing network monitoring by any SNMP tools, they work best when the mac-address tables (CAMs/TCAMs/etc) are loaded with the host values, and the ARP tables are populated with the current hosts. The mac-address table timeout default is only 300 seconds (I'd suggest moving that up, depending on how volatile your connections may be; we use 600 seconds). This will cause the "gratuitous ARP" to occur at 530 seconds, and if the host answers, it perfectly repopulates the tables for your management tools to read.
Howard Hoxie adds (with a prompt from Gilles Schipper)
MPE caches the MAC for the gateway, and there is a command that updates with an "INTERNET=@" or "INTERNET=ALL" clause.
(The command is NETCONTROL net=netname; update=all, where netname is probably LAN or LAN1)
April 10, 2015
Putting ERP Securely On Your Wrist
HP 3000 ERP solutions are hosted natively on servers, and some of them can be accessed and managed over Apple's mobile tablets. But the Apple Watch that's due in two weeks will bring a new and personal interface for enterprise servers. Indeed, a well-known alternative and migration target for MANMAN and other MPE apps is climbing aboard the Apple Watch bandwagon from the very first tick.
Salesforce has a Watch app coming out on launch day that ties into a business installation of the storied application. Incredible Insights Just At A Glance, the promo copy promises.
Access the most relevant, timely data in seconds. Swipe to see dashboards, explore with lenses or use Handoff to work seamlessly between Apple Watch and iPhone. And use Voice Search to surface a report, view a dashboard, or find other vital information in seconds.
As mobile computing takes a new step with the Watch -- a device that Apple's careful not to call a smartwatch, as it's more of an interface for a smartphone -- security remains a concern. Apple has been addressing it by recognizing the Four Pillars of Mobile Security. A little review can be helpful for any IT pro who's got mobile devices coming into their user base. That's the essence of BYOD: Bring Your Own Device.
According to enterprise Mac management software vendor JAMF, securing a mobile system, whether it's a tablet like the TTerm Pro-enabled iPad, a smartphone or a laptop, "requires careful attention to four key areas."
- Data at rest — Securing data on a device
- Data in transit — Securing data as it moves over a network connection to the device
- Application security — Installing trustworthy software from a safe source
- Patching — Keeping software up to date to avoid vulnerabilities
To implement good security reliably throughout an organization, three additional capabilities are crucial:
- Device management — Deployment, application distribution, security policy enforcement
- Reporting — Inventory of all devices and their configuration
- Auditing & remediating — Audit for compliance to security standards and tools to remediate as needed
JAMF sells its Casper Suite as a tool to manage enterprise-grade Apple platform installations. There's bound to be something just as thorough for the Windows-based user community. It's one more thing to ensure is a part of a migration plan, as the 3000's ERP data moves into a fresh generation.
For reference, to help research the caliber of such a Windows-based strategy, here's the breakdown that JAMF provides in a white paper about securing mobile data as well as Apple does.
1. Data at rest — The iPhone and iPad feature hardware-based encryption for data at rest that is enabled by default. For Mac, the FileVault whole disk encryption system (a native feature in OS X) protects data with virtually no impact to system performance or battery life.
2. Data in transit — Apple devices can connect via VPN (Virtual Private Network) to secure data in transit. No additional software is required to take advantage of this security feature, and once configured it is transparent to the user.
3. Application security — One of Apple’s best contributions to the IT security field is their App Store ecosystem. Apple reviews all software submitted to the App Store to weed out malware. Each software package is cryptographically signed to prevent any tampering with the files. OS X and iOS are configured to reject any software that lacks a signature. IT staff can sign their own software packages to take advantage of this application security layer.
4. Patching — Since the dawn of computing, all software includes some number of defects or bugs. Some of these defects can be used by malicious attackers to gain access or steal information. The best practice for IT security is to keep all software up to date to eliminate vulnerabilities as they’re discovered. Apple makes this easy with native software patching utilities built-in to the OS. IT staff can host an Apple Software Update Server on the corporate network to speed up patching.
There's a bit of "every problem seen as a nail" with Apple's tools acting as a hammer here. But closed ecosystems have been essential to 3000-grade reliability for decades. Apple controls every aspect of the ecosystem as much as HP did with the 3000, making hardware as well as operating systems. A turnkey solution usually saves time and resources.
April 09, 2015
Labels leap over legacy support hurdles
An invention in shipping labels is making headway this year, riding the power and promise of marketing. But DuplexPackSlip, while it's a novel product, still manages to reach back to legacy servers like the HP 3000. One reason the label has gained traction is that it's been shaped around a commerce process rather than technology choices.
Minisoft, one of the foundational vendors for HP 3000 connectivity, still sells terminal emulation products to link MPE. But one aspect of its cross-platform support comes from eFORMz, a forms management product that ties into any WMS or WRP system. The labels are an all-in-one duplex label shipping solution that combines a shipping label with a packing slip, using the front and back sides of the same label. The new generation of the solution includes marketing on the reverse of the label.
eFORMz has always been platform-agnostic. The software is driven off PCs that tie into business servers including the HP 3000. But choosing to use eFORMz doesn't lock a company into a particular computing environment. That makes the software something to carry forward during a migration, or choose without being concerned about what environment will come next.
Minisoft says that DuplexPackSlip can streamline warehouse shipping operations and reduce costs by 30 percent. The tie-in with the Minisoft software and the labels lies in eFlex Laser Forms. The multi-use laser forms employ label designs so retailers can incorporate special offers, pre-paid returns, targeted cross-sells, loyalty rewards, or gift cards while fulfilling every customer's order.
First released 15 years ago, eFORMz was created using the ubiquitous platform of Java. That language's promise was write once, run anywhere. Java was developed in an era when the silos of technology were tall and stout. The information industry has mowed down those silos by now, but legacy tech still wants to be included in novel solutions. Cross-platform software that can be implemented into future tech, but used in legacy solutions, presents a great means for looking forward with a flexible view.
April 08, 2015
Essential Skills: Man In The Middle Attacks
Editor's Note: HP 3000 managers do many jobs, work that often extends outside the MPE realm. In Essential Skills, we cover the non-3000 skillset for such multi-talented MPE experts.
By Steve Hardwick, CISSP
Lenovo recently made news in the security industry, and it was not good news. The PC manufacturer was shipping a copy of the Superfish malware with its machines. The software executes a threat known as “man in the middle.” Once it was discovered, companies were advised to remove it, yes. But what is a man in the middle attack, and why is it so dangerous?
Superfish compromises the HTTPS security protocol. It will intercept HTTPS requests made by a browser. It then uses a program to connect to the target website. At the same time it sends its own public key to the browser, and has it trust it. Instead of data coming back from the website to the browser, it now comes to the Superfish program.
Normally, encryption is viewed as using a password or phrase to generate a key. The key is then used to encrypt a set of data in clear text. The resulting cyphertext is then sent to the recipient, who must have the original key to decode it. This is commonly referred to as symmetric encryption: used just for a session, the same key both encrypts and decrypts the data.
The Superfish malware extracts a symmetric key from the website and passes it on. The browser thinks it has a secure connection to the website, when in fact Superfish is now listening to all of the communication from the PC to and from the website. Superfish was originally used to intercept Web traffic and surreptitiously record where the PC's user went on the Web. In addition, it opens up very nasty holes for hackers to use.
What's at stake? Superfish is recording traffic that can include a lot of private information: Social Security numbers, banking details, credit card numbers, or health information. All a hacker has to do is to break into Superfish and take a copy of the data that it stores back to their location. There it can be reviewed and the personal data extracted.
Second, since the Superfish application is the one validating the digital certificates, false certificates can be installed. This allows a hacker to install a false certificate for a banking site. The user would connect to their bank, and instead the hacker would use Superfish to connect to their site. The user would feel safe that the HTTPS connection had been made and all of the data was secure. However, the hacker is now collecting all this private information.
This was a bad security hole. Users were initially unaware of the application that was loaded by this PC manufacturer. There are now many sources of instructions on how to remove this piece of malware. How could this have been avoided in the first place? First of all, it is worth checking the installed program list of any new machine. Work through the list of programs and then use a browser to look up ones that do not look like standard applications. Superfish came up as VisualDiscovery for example.
Sometimes programs like this get loaded when other programs are loaded or upgraded. Browser search bars can get in that way. The only certain way to remove Superfish is to completely wipe the hard drive, and then reload the operating system from scratch, only putting in the programs you want. In many corporations, machines are rebuilt like this using an image of a hard drive that was previously configured safely.
But what is a man in the middle attack, and why is it so dangerous? It helps to know how computers encrypt data.
How encryption works
We begin with understanding how computers identify their partners. One of the major challenges of symmetric encryption is how to deliver the symmetric key safely to the recipient.
To overcome this challenge, Whitfield Diffie and Martin Hellman devised a method of exchanging keys called asymmetric encryption. In this approach, one key is used to encrypt the data and a different key is used to decrypt the data. The two keys are created as a pair. The encryption key, since it is not disclosed, is called the Private Key. The second, which can be distributed, is called the Public Key. Additionally, the public key can be used to encrypt data and the private key used to decrypt it. Using the public key to encrypt a symmetric key allows it to be decrypted only by the user that has the corresponding private key.
The next challenge that arises is verifying public keys. For example, Jane sends Bob an email message saying “Attached is my public key.” Bob then sends Jane an email saying “Here is my public key.” So Bob and Jane can now use these asymmetric keys to securely send a symmetric key. The symmetric key can then be used to encrypt and decrypt the file data. However, a couple of days later Bob gets another email message from Jane saying “New public key attached.” What should Bob do? Ironically, at the same time Jane has received an email from Bob saying “New public key attached.” Let's say they both believe it is real. However, neither sent the keys.
A bad guy, intent on reading their encrypted data, sent these keys out. Jane uses the new public key from Bob to encrypt the symmetric key and sends it out. The bad guy sees it and uses the fake private key he created for Bob to decrypt the symmetric key from Jane and store it. Then he uses the fake private key for Jane to encrypt the symmetric key and send it to Bob. Bob uses the fake public key from Jane and decodes the symmetric key. Now Jane and Bob think they are the only ones with the symmetric key and start sending encrypted messages. However, the bad guy also has the symmetric key and can decode the data too.
What was needed was some way of validating that the public key came from the person that claimed it. The concept of a digital certificate resolves this challenge. A company called a Certificate Authority sets up a way to validate user identity. They send out their public key to everyone who trusts them. The users then send their public key to the CA. The CA verifies their identity and encrypts their public key with the CA private key. The resulting file is now sent out in lieu of a public key. When the recipient receives it they decrypt it with the CA public key and get the validated user's public key. The user public key that was encrypted with the CA private key is called a digital certificate. This is used in HTTPS web connections.
A website owner will generate their Public/Private key pair. They will send it, together with the required documentation, to a digital certificate provider. (There are many out there; just search the Internet.) The digital certificate provider, after authentication, sends back the digital certificate. The web site owner can now set up an HTTPS web site. The digital certificate is sent to the web site user. If the public key of the CA is loaded into their browser, then the website Public key is extracted automatically. The website can now use their private key to send symmetric keys to encrypt the data. A secure channel can now be established. Plus, the website user can also use the digital certificate to validate the website address.
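The certificate check described above, and the key substitution in the Jane and Bob story, can be modeled in a few lines of Python. This is an added example, not code from the original article: it uses toy RSA built from small known primes and constructed names (bank.example, Public CA, Injected Local Root) to show why a root added to the local trust store makes a forged certificate validate, and how comparing roots and key fingerprints against a known-good baseline exposes it.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key below

def make_keypair(p, q):
    """Toy RSA from two known primes (illustration only): ((n, e), (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private
    return pow(_digest(data, n), d, n)

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == _digest(data, n)

def fingerprint(public):
    """Short hash of a public key, for comparison over a separate channel."""
    return hashlib.sha256(repr(public).encode()).hexdigest()[:16]

@dataclass(frozen=True)
class Cert:
    subject: str
    public_key: tuple
    issuer: str
    signature: int

def _tbs(subject, public_key, issuer):
    # The bytes the issuer signs: the binding of a name to a public key.
    return f"{subject}|{public_key}|{issuer}".encode()

def issue(issuer, issuer_private, subject, subject_public):
    """What a CA does after checking identity: sign name + public key."""
    return Cert(subject, subject_public, issuer,
                sign(issuer_private, _tbs(subject, subject_public, issuer)))

def validate(cert, hostname, trust_store):
    """Browser-style check: trusted issuer, valid signature, matching name."""
    root = trust_store.get(cert.issuer)
    return (root is not None and cert.subject == hostname
            and verify(root, _tbs(cert.subject, cert.public_key, cert.issuer),
                       cert.signature))

def unexpected_roots(trust_store, baseline):
    """Roots on this machine whose fingerprints are not in a known-good list."""
    return sorted(name for name, key in trust_store.items()
                  if fingerprint(key) not in baseline)

def scenario():
    # All keys and names are constructed for this example (Mersenne primes).
    ca_pub, ca_priv = make_keypair(2**107 - 1, 2**127 - 1)
    rogue_pub, rogue_priv = make_keypair(2**61 - 1, 2**89 - 1)
    site_pub, _ = make_keypair(2**19 - 1, 2**31 - 1)
    mitm_pub, _ = make_keypair(2**13 - 1, 2**17 - 1)

    clean = {"Public CA": ca_pub}
    baseline = {fingerprint(ca_pub)}          # recorded from a trusted image
    tampered = {**clean, "Injected Local Root": rogue_pub}

    genuine = issue("Public CA", ca_priv, "bank.example", site_pub)
    forged = issue("Injected Local Root", rogue_priv, "bank.example", mitm_pub)
    # Same forged signature, but claiming the real CA as issuer.
    mislabeled = Cert("bank.example", mitm_pub, "Public CA", forged.signature)

    return {
        "genuine_on_clean": validate(genuine, "bank.example", clean),
        "forged_on_clean": validate(forged, "bank.example", clean),
        "mislabeled_on_clean": validate(mislabeled, "bank.example", clean),
        "forged_on_tampered": validate(forged, "bank.example", tampered),
        "unexpected_roots": unexpected_roots(tampered, baseline),
        "key_matches_pin": fingerprint(forged.public_key) == fingerprint(site_pub),
    }

if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

The forged certificate only passes on the machine whose trust store was altered, which is why auditing the root list against a clean baseline catches what the browser's padlock cannot.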
April 07, 2015
Operating Systems Of Our Lifetimes
Managers and owners of HP 3000s are the kind of customers who understand what an operating system does. Most of us in the community remember when there were countless OS's out there to run our businesses, if not necessarily our lives.
The HP 3000 stands out in a healthy legacy comparison because of its birthdate in the initial generation of minicomputers. Unlike nearly all, its OS remains in business use today. Other OS's which are not in use: MCP from Burroughs (a source of MPE inspiration); Univac's VS/9; NCR's VRX; Control Data's Kronos; and Honeywell's CP-6. 3000 veterans will recognize those as BUNCH companies, whose mini and mainframe products were swept away by IBM's, HP's, and Digital's.
MPE has not yet outlasted the VS minicomputer operating system from Wang Labs, since that mini still has support from its latest third party owner, TransVirtual Systems. There's more than blind loyalty there when an OS can move into the four-decade lifespan. There's commercial value, too. VS still has about a decade to go to get to MPE's 41 years.
For the 3000-savvy, the cartoon above would have a few extra boxes in it. The longest one is likely to be MPE, in its II-V, XL, and iX generations. There are a few others that pre-date DOS, of course. HP tried to sell PCs running CP/M, for example. You could insert the following boxes underneath the fine cartoon from XKCD, the work of brilliant cartoonist Randall Munroe.
That useful lifespan for MPE will run to 53 years, unless a rolled-over calendar is not a problem for your applications.
Hop over to Munroe's website to enjoy the irony and heart of someone who understands that Gnu (yup, the root of the 3000's iX generation) could be there at the very end, turning out the lights. And who can say for sure that MPE will truly end its days on Dec. 31, 2027 after all? Wang's OS has passed through several third party hands. HP's own VMS will become the property of a third party next year.
In-tribute plug: If you can't find something on the XKCD store to buy, or a cartoon to link to, then all of the above is probably nonsense. For the rest of you, let me know if Gnu could really rule the planet after civilization ends. We're already hearing that embedding a Linux microkernel would make the OS more useful for Digital server users. Something less complex is surely on its way. It might arrive before that fire.
April 06, 2015
Trail of support leads to indies, or an alt-OS
Independent support companies have been keeping HP 3000s running for decades. At one point the battle for support dollars was so profound HP tried to file lawsuits to restrict fair commerce in the maintenance marketplace. Companies with 3000 experts on tap have held their ground over more than a dozen years of the declining interest from Hewlett-Packard in the server and its OS.
Recently we've seen independent resources marshaling knowledge bases and documentation on the server. Much of the MPE/iX OS manual set is on hpmmsupport.com, a website set up by some of the creators of the MM II/3000 MRP software. It's a good thing that outside resources like this exist, because now there's more evidence that the archives of Hewlett-Packard are closing their MPE doors tighter.
This retraction of knowledge can lead a 3000 owner in two directions. They can either embrace operating processes that will require an independent expert to field support calls. Or if a company needs another reason to make serious steps to migration, then less vendor information to help fix bugs will be adequate to push the cart down the hill, away from MPE.
Tonight one set of information can be indexed at an HP Support website. There are patch notices and pointers to support documents, but everything is behind a demand for a valid support agreement. And this news about the successor to HP's IT Response Center (ITRC) shutting some MPE doors includes a confusing footnote. Somewhere out in the world, there might be a 3000 site still getting support from HP, deep under the covers of corporate policies.
While the vendor was public about its waning intentions for 3000 futures, it was also eager to preserve such support business. HP's reach for support contracts while advocating migrations slowed the migration business for the community. In the long shadows after two extensions of support deadlines, migration companies and homesteading firms have been finding no vendor help to portray and preserve the state of the 3000. The customers were promised otherwise, years ago, when the information was still fresh on HP's websites.
Sometime last week, a support company's 3000 expert looked in on the HP website where she'd been referencing MPE/iX answers for many years. Nothing to see here, HP advised her in a webpage.
"I went to Whatever They're Calling the ITRC These Days to look for a bit of MPE support information," said Donna Hofmeister, "and got told MPE is no longer supported. (Thank you for playing, now please go away.) No more than two weeks ago, all the support information was there."
"So what happened? Has it truly been taken down, or did HP decide to disallow access since we no longer have an MPE support contract? I'm guessing the former."
Guessing about the status of HP 3000 information resources is a murky venture for people regarding HP as a stable resource. And after all, nobody can get an MPE support contract, can they? Hofmeister, like a few others in the support community, says that's a murky situation, too. "I've heard rumors that some people still have support through HP," she said, "but no proof."
The lack of an official resource — or one that stays in the same place for more than a year at a time — could be cause to recoil from a future with the 3000. Or perhaps, just back off of a future with its creator. Independent service providers, or migration missions: those seem to be the choices today.
April 03, 2015
That final 3000 IO upgrade is still in use
More than five years after HP rolled out the ultimate release of MPE/iX, the vendor finished its work on an SCSI Pass-Through driver for the HP 3000. It was one of the last HP-designed MPE enhancements. Independent support companies have the tech resources to create customized patches for their customers. The HP driver still makes it possible to connect and configure SCSI storage devices which HP has not certified for 3000 use.
Full instructions on how to use the software are on the ManualShelf free website. It's a tool for permitting an application to address SCSI devices without the use of the MPE/iX file system or high-level IO interfaces. But the software itself was built, lab-tested, then placed on the HP software improvements leash: It was only available to the HP support customer who was willing to take SPT, as HP called it, as a beta test version.
Patches MPENX01A, MPENX03A and MPENX04A were beta patches required to make the SPT work on MPE/iX 7.5. HP still makes these patches available to any 3000 customers at no charge. Two years ago, Allegro's Donna Hofmeister said "the magic incantation when dealing with the Response Center folks is to use transfer code 798. That’ll get you to an MPE person."
Consultants and companies which provide support have many of these patches in their resource bins. The entire patch collection is just 1.27GB, small enough to fit onto a giveaway thumb drive.
HP always described the SPT as a tool with many caveats. While the software has a wide scope of help for the customer who wants to add the latest SCSI disk to the 3000 in the future, HP has printed plenty of cautions such as these in its Communicator article:
Sending SPT commands to a device in use by MPE or other applications may result in data loss, data corruption and/or System Aborts. We do not recommend sending SPT commands to Disks with MPE/iX Volumes present nor should one access tape devices which are used for normal back-up or data logging purposes. Rule of thumb: Don’t do SPT to tape or disk media you cannot recover at a time you don’t wish to cause a system outage.
In 2007, SPT joined the six dozen or so HP developed enhancements and fixes stalled in beta test status. Customers still purchasing HP support were expected to test enough to get SPT into the full community as a general released patch, but few wanted to use beta-grade software in production.
April 02, 2015
TBT: The Ultimate MPE/iX links big disk, FC
HP unveiled the final, ultimate generation of its 3000 operating system 13 years ago this month. On this Throwback Thursday we mark the month that MPE/iX 7.5 made its datasheet debut. It was less than six months after Hewlett-Packard announced an "end-of-life" for the 3000, but the OS was destined to be officially supported for more than eight years.
Independently, 7.5 is still supported by the community's third-party experts, such as Pivital Solutions. The data sheets and lab reports illustrate why the release has had such longevity, a run that rivals the lifespan of Windows XP.
When 7.5's data sheets moved into the customer base, the colorful paper was still commonplace as an information delivery device. What was uncommon about the release was its forward-looking view of fast storage support. HP had built in A-Class and N-Class hardware support for Fibre Channel IO connections, the fastest of their day. But it took the arrival of 7.5 to streamline and stabilize FC connections.
Previously, the 3000 could only be connected to FC devices through an HP SCSI Fibre Channel router. In selling the benefits of 7.5 -- and with it, the upgrade sales of A- and N-Class servers -- HP admitted this router arrangement "not only added complexity and slowed FC transfer rates, but it also created multiple potential points of failure."
Access to the wide range of Fibre Channel devices was among the benefits, letting customers make the jump from the AutoRAID arrays to the more powerful and flexible VA 7100 series. Just this week, a customer made news in the community while troubleshooting a VA 7100. That storage platform remains in obvious use at 3000 sites.
The ultimate generation of 3000 processors, the PA-8700, got their complete support in 7.5, too. Fibre Channel proved to be a tangible benefit of the new PCI bus on the newest servers. One feature would have a reach even further than that CPU line: the ability to access a boot disk greater than 4GB. 7.5 opened up untold millions of gigabytes across the entire 3000 line.
Tapping the full range of storage was a game-changer for homesteaders, according to one well-known storage and MPE expert.
MPE veterans praised the enhancement as vital to the 3000’s continued success. “In my mind, this enhancement was critical to the viability of homesteading and the success of OpenMPE,” said Denys Beauchemin of backup utility provider Hi-Comp. “A few years from now, when your LDEV1 disk drive breaks, you will no longer be faced with the problem of buying a 160Gb disk drive (the smallest available) and only being able to use 4Gb.”
Far less crucial was the included support for a free, secure Apache Web Server, which HP had rebranded as HP WebWise. Developed from the starting point of open source Apache — in a user-driven project led by then-customer Mark Bixby — a native 3000 Web server seemed essential in the late 1990s while the dot-com boom was mounting. HP tried to charge for its supported implementation, but slow uptake shifted the product to free-in-7.5 status. The future of the 3000 would not lie in support for Web services, though, not when Windows-based servers were ubiquitous and cheap.
An OpenSSL crypto library was one of the byproducts of that full WebWise support in MPE/iX 7.5. Security concerns were increasing in that era, and some developers of e-commerce software wanted tools to integrate into their applications. WebWise was intended for the 3000 administrator and developer to be able to create RSA, DH and DSA key parameters and X.509 certificates; do encryption and decryption with ciphers; perform SSL/TLS Client and Server Tests and handle S/MIME signed or encrypted mail. 7.5 made support of sendmail possible.
It's all possible today, but the advance of these security tools slowed considerably after the crypto library made it into every copy of 7.5. There was a silver lining in this slow uptake of the frozen toolset. When OpenSSL was used to hack millions of servers in the HeartBleed malware crisis, few 3000s were exposed. That incomplete implementation of OpenSSL, frozen in an earlier edition of the software, put it back in the same category as un-patched OpenSSL web servers: not quite ready for prime time.
April 01, 2015
River cruiser to ferry MPE exokernel mission
An obscure, elite set of EU computer scientists will tackle the looming challenge of slimming down the 3000's operating system this summer, working aboard a cruise ship plying the waters of Europe's river system. The fledgling coalition of seasoned developers will occupy the Norwegian Avignon Passion II on a route between Budapest and Prague, taking on Eastern Bloc developers at Regensburg, Melk, and Roth along the Danube.
The design team's leadership said they were inspired by the Salesforce Dreamforce cruise liner accommodations at this summer's conference. That 135,000-attendee event will handle some needs for lodging and services from the Celebrity Eclipse. The design team will go the next step and cast off its lines in Central Europe, rather than stay tethered to a pier of prior engineering.
"There's nothing we'll want for while we're afloat," said Jean Noosferd, the group's managing director. "It's just us, three million lines of code, and the passion we have to make MPE as popular as Linux." Microkernels for Linux are lifting the popularity for these slimmed-down instances of an OS.
Working from the concept of an exokernel — MIT designs that are much smaller than a normal kernel such as MPE/iX's current monokernel design, and even smaller than a microkernel — the group will leverage the work of open source teams such as the Polish-based Pjotr Mandate. The object is to reduce the installation and management footprint of PA-RISC-ready operating systems. If successful, the development cruise will dock at Prague and release its team of scientists.
"If not, we sail back to Budapest and rework our designs," Noosferd said. When a new version of MPE emerges from the work, the Passion II will remain afloat to preserve the legality of an adapted and enhanced 3000 OS. The software will be sold and distributed using cloud-based Moonraker servers. HP's restrictions on the MPE source code prohibit new versions to be released in any country. "We'll be sailing between countries," Noosferd said. "International law is in force, and so intellectual property ownership will be preserved."Operating in close quarters, the set of scientists will be using small teams, the organizational structure that gave the world the initial breakthrough of MPE. "We all believe in mono-tasking," Noosferd said. "Small teams and small projects are beautiful, and working from staterooms aboard the Passion II will squeeze the best from us. It's like the quote from William Morris, 'Have nothing in your houses that you do not know to be useful, or believe to be beautiful.' We'll have nothing aboard but bytes and brains." Noosferd said that rumors of powering the developers on a steady diet of Beluga caviar are "as outlandish as running a 3000 from an iPhone."
Like an exokernel, which delivers more direct access to a computer system's hardware, the development cruise will remove most distractions. "Unlike that Dreamforce ship, we won't be released to the sea," Noosferd said. "Like MPE's community, we respect boundaries, such as those riverbanks along our path."
The original MPE was designed to operate in a tiny 64KB memory space. If successful, the entire instance of what is being called MPE-ExO could fit on an HP Moonshot micro-server. That low-cost hardware has been promoted as a hosting platform for hyperscaled processor computing. Intel's Atom processors — so-named because of their size — are the workhorses of Moonshot.
File transfer tips flow to move databases
System managers in the 3000 community still want to know how to use FTP to ensure a safe backup of 3000 data. Of special interest is the KSAM XL database, but most managers don't know that FAK files are HP's special Keyed Sequential Access Method database files. What appear to be program files are moved over, but database files get left behind. There's a trick to getting such files over to a Windows server.
One rule of 3000 operations is that database files act differently than all others in transfers. So FTPing them to a Windows 2003 Server won't be a successful way to ensure a safe data recovery. Third party tools can help, but if a customer is stuck on an aging HP system running MPE/iX, it's probably going to have only the budget for the included HP STORE for file backups and transfers.
Donna Hofmeister, who's spent a career helping 3000 users via the community's newsgroup, suggests starting with creating a file called mystd to store the 3000 files to disk -- then transferring that Store To Disk file.
"First try this little experiment," Hofmeister begins in her advice.
If it works, you just stored/archived all the files that begin with 'a' in the .pub group of the .sys account into a file called 'mystd' (my store-to-disc). You can expand the number of files being stored into your STD file by modifying your store command to:
@.pub.sys -- all files in .pub.sys
@.@.sys -- all files in .sys
@.@.acct -- all files in .acct (for example)
@.@.@ -- all files on the system (and it's actually better to say '/' instead of '@.@.@')
Keep in mind that as you increase the scope of what you're storing, so does the size of your STD file. In other words, to store the whole system you need 50 percent or more free space, which you probably don't have. So, break what you're storing into chunks (do one account at a time) and things should go smoothly.
If STD doesn't work, you might be able to get tar to work. The same space precautions apply. One advantage of using tar is you should be able to verify the tar file on the destination system -- something you can't do with STORE without a 3000 in the mix.
3K Associates' Chris Bartram, who operates the 3000 information treasure-house 3k.com, added explicit advice about FTP and the 3000's files.
If you package all the MPE files up in either a store-to-disk (aka std) or a tar "wrapper" (disc file) you can transport that file around at will -- as a BINARY file -- don't try to transfer it as ASCII or CR/LF translations will trash it.
Once you get it back on the 3000, a simple file equation directing your source (tape) to the new (std) file name (and add the ;DEV=DISC to the file equation) will allow you to restore the files onto the 3000 preserving all the MPE specific file attributes they started with. Tar will work similarly for almost all MPE files, but can't handle database/PRIV files and probably not MSG (message) files and a few other very MPE-specific files.
tar works the same way on MPE as on *nix boxes, but is much more "familiar" if you run it from the Posix shell (sh.hpbin.sys), though that's not necessary. Treat the tar file just like you would on a *nix box.
For store-to-disc files, you use the same MPE syntax for storing files as you do normally; the only difference is that the output device is file-equated to ;dev=disc. As mentioned, be aware of the disc space required to store another copy of your backed-up files online.
Likewise, when you restore instead of pointing to tape, you point to the disc file -- and don't forget to add ;dev=disc to that file equation as well. If the store-to-disc files are going to be very large (several gigabytes) you can use some additional syntax to break them into chunks - but hopefully you needn't worry about that for now.
Treat a store-to-disc file just like a tar file. Record size and most other attributes aren't so critical, but if you move it around do NOT let FTP transfer it in ASCII mode or it will corrupt the file.
As for examples; I back up my primary HP 3000 to a disc file then transfer (FTP) it to a Linux server. Here's the gist of my JCL:
!STORE / - /BACKUP/ ;*T &
user userid password
put FULLB.PUB.BACKUP hp3000-full