Cy’s Corner #104
Steve Viola, HCL Technologies, zWS Level 2 Support
40th Birthday edition April 15, 2022
It’s been a while (again) since I have written one of these! I am going to try to go back to a once a quarter schedule.
Two big anniversaries for me this year – 25 years of supporting OPC/TWSZ/IWSZ/ZWS (I started when I was 39), and the aforementioned birthday #40. Release 10.1 of zWS had its birthday (GA) on March 4, 2022 (amazingly the product name did NOT change from the previous release).
A few recent FLASHES in case you did not see them:
Is IBM Workload Scheduler or IBM Workload Scheduler for z/OS susceptible to the CVE-2022-22965 (Spring4Shell) vulnerability?
Browser connect to DWC fails if protocol not TLSv1.2
Is IBM Workload Scheduler susceptible to the CVE-2021-44228 (LOG4J) vulnerability?
The fact that all the FLASHES have been for non-zWS issues may make you want to reconsider running the DWC on z/OS (more about DWC later).
If you didn’t receive notification of these flashes, check your settings at www.ibm.com/support/mynotifications
For HIPERs the lists for 9.5 and 9.3 have been recently updated:
(Need all HIPER maintenance for z Workload Scheduler 9.5.0 ( COMPID 5697WSZ01))
(Need all HIPER maintenance for IWS z/OS 9.3.0 ( COMPID 5697WSZ01 ))
There have not been very many new HIPERs since the last time:
I will create a new technote for the 10.1 release soon.
DWC on z/OS (zliberty)
Running the DWC on z/OS has become more popular, based on the number of cases we are seeing. To make it easier to find APARs or technote related to the DWC on z/OS, keyword DWCZOS is being used, so this makes a good search argument on www.ibm.com
Using this implementation of the DWC, it should be possible for any RACF user to logon to the DWC with their existing RACF userid and password, and be assigned a role (administrator, operator, etc) via the use of EQQADMIN, EJBROLE and the SAF realm (in authentication_config.xml).
The current fix pack level for 9.5 is FP5, the GA version is available for 10.1. Current embedded Liberty level is 184.108.40.206 and 220.127.116.11 is still supported.
Some other technotes which you may find useful:
Documentation required for RESTAPI related cases
How to install the DWC on z/OS (Release 9.5 Fix pack 4)
RFE (Request for enhancement)
If you go to the normal URL for entering an RFE, https://www.ibm.com/developerworks/rfe/ you will see this:
Note: We are currently in the process of improving your RFE experience and RFEs for these product portfolios have now migrated to Ideas Portals accessed through our trusted
provider Aha!. Please use the new links provided to submit and view your RFEs. Over the next few months more products will transition to Aha!, and the list of products will be updated to reflect this. For more details about the migration visit www.ibm.com/ideas. (This includes a link for ideas.ibm.com).
I haven’t tried entering an RFE via Aha! yet, and so far I don’t see the URL to get to the text related to an RFE, so I am going to include a brief description for the enhancement requests listed below:
- EQQADMIN needs to be modifiable without RACF command
Currently EQQADMIN can only be put into effect via issuing of RACF commands such as RDEFINE EQQADMIN AUTOMAPPING APPLDATA(‘NO’/’YES’) and if you use EQQADMIN you cannot override this with USERMAP or TMEADMIN entries
- AUTHDEF TRACE (SAF trace) needs to be started/stop via command instead of restarting the controller task
Currently to trace security issues in Z workload scheduler it is necessary to alter the controller parms to have TRACE(8) in AUTHDEF, cycle the controller, collect the EQQMLOG, then set TRACE(0) again and cycle the controller again.
- Dynamic Workload Console on Z: Make the report path (dwc_workarea) configurable
We’d like to have the report path (dwc_workarea) variable configurable to avoid ICH408I message at the start of the STC (insufficient authority to create /reports directory)
- DWC 9.5 on USS (Security RACF and Start/Stop via ZOS)
This one does have a link: https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=140184
- IWSz Upgrade with zero downtime
Last weekend we migrated IWSz from V9R3 to V9R5. The complete migration took about 1 hour to complete. Due to the unavailability of IWSz there was some impact on critical batch processing with frequencies smaller than 1 hour.
- zCentric job delays due to (parallel server)
We are looking for an EASIER way (either through EQQAUDIT report, or WAPL or RESTAPI even) of determining when a zcentric job is delayed due to parallel server limitation being exceeded
You can see all the BLOGS related to workload automation (distributed workload scheduler, DWC and zWS) at http://www.workloadautomation-community.com/blogs
Some new BLOGS which may be of interest are:
Replacing Default SSL Certificates with CA Signed Custom Certificates
Chatbot Based Integration to Share Data and Collaboratively Solve Issues
Optimize data transfer and integrate file transfer in your automation workflows
New version/release 10.1
The announcement letter for 10.1 is at : https://www.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/6/897/ENUS222-006/index.html&lang=en&request_locale=en
The product id (PID) is now 5698-T09 (instead of 5698-T08) but the COMPID remains 5697WSZ01.
The FMIDS are under A1x (HWSZA10, JWSZA12, etc).
There was a typo in the Deprecated functions of the announcement letter. It should have listed:
- Open Services for Lifecycle Collaboration (OSLC) integration
- IBM Z Workload Scheduler Control Language (OCL)
- Batch loader Fault tolerant agents
- Direct access storage device (DASD) connection method between controller and trackers
It is possible that OCL may be continued after 10.1 as there are performance issues with WAPL compared to OCL for certain functions. For now assume that OCL will “go away”.
10.1 manuals in PDF form as at:
The first SPE for the 10.1 release has been opened (more about this in the next edition); the APAR PH45777.
Most of the key changes at 10.1 level are in the DWC rather than the zWS code. In particular the DWC adds artificial intelligence capabilities (AIDA).
Trends seen in recent cases
ENQ for event dataset (EQQEVDS) dsname – The 9.5 release enforces that each controller or tracker task (other than a STANDBY controller) must have a unique DSNAME. This has always been documented. We are seeing quite a few cases where a migration to 9.5 is done and there are shared event datasets. Be careful of this.
Firewall issues – we are seeing quite a few cases involving zcentric agents, DWC, dynamic pools, etc where the issue is caused by ports being blocked in the firewall, so check this before opening a case.
For example – if the port between a zcentric agent and the HTTPPORTNUMBER of the controller is blocked, zcentric operations will not be marked complete. If the port between a zosengine definition in the DWC and the server task on the mainframe is blocked, you may see this message:
AWSJZC019E A communication error has occurred with IBM Workload Scheduler for z/OS. The connection wait has exceed the timeout of “30,000”
For dynamic domain managers, dynamic agents, dynamic pools, be aware of a parameter setting isforyes = yes needed for a DDM that is used with a z/OS controller. This parameter is documented but seems to be overlooked frequently. Also for a DDM the ROUTOPTS needs to be set for “B” as in broker, for example:
IBM changed its entitlement verification, so it may be necessary to open a case under product “z Workload Scheduler” even if the case involves something on the distribute side of the product, like zcentric agents or the DWC on a non-z/OS platform. You may open a case for z Workload Scheduler and find that it is worked on by the workload scheduler or workload automation team.
Stay safe, keep attending the virtual ASAP presentations (there is/was (depending on when you read this) one about the 10.1 release on April 27 at 0900 Eastern Time) , and keep in touch. If you don’t have any need to open a case for an issue, feel free to drop me an email at email@example.com.