Hi,

during a customer PoC on RD&T. The customer decided to test a COBOL, CICS, DB2 application with a relatively complex architecture.

To avoid to get stuck with:

• porting the application
• configuring CICS, DB2 and CTG on the RD&T zOS image  

We want to evaluate whether a full copy of the LPAR is reasonable.

We informed the customer that if we go on with this option they would need to request authorization to third party vendors (CA, BMC, etc). Such providers may allow the customer to proceed with the copy.  

The biggest technical issue, in my opinion, could be the copy of Top Secret, VTAM resources, ...

I don't know whether Top Secret can be copied without breaking encrypted password, CryptoCard's stored keys and so on.

Has anyone ever gone trough a full LPAR copy to RD&T?

Did you managed to IPL in RD&T?

Was TopSecret involved in the case?

Thanks for your help

There is no reason why you couldn't do this with full volume copies.  We share RACF databases all the time across LPARs.  I would imagine the Top Secret db would be no different, but I must admit I have never tried it.

RDzJohn
 

Thanks RDzJohn for your quick reply.

I'm trying to imagine why it couldn't work:

1. Security Manager (RACF, TopSecret, ...) is storing Master Keys in Crypto Cards.
    
2. OSA Cards and VTAM need to "wake-up" in a consistent environment. In other words, VTAM will try to connect the two ends of the VTAM link. One being on RD&T the other would not be reachable.
   Unreachable connections may cause blocking (maybe DB2 datasharing?) or non blocking conditions
    
3. Generally speaking, any software that inspects a non 3390 hardware device can create issues.
   An example of this area may be a software that queries CPU/hardware model for license checking. To make a concrete example, when I move the Hard Disk of a Windows machine in another machine: Windows OS doubts I'm entitled to do the movement.

As you, I never tried so can't say whether there would be more technical issues.

Our OSA emulation is fully compliant albeit several generations behind the current real hardware.  The only area I know of that this might affect is some of the more esoteric aspects of VLAN.  Having said that, you are correct that there will likely be adjustments required in your VTAM LST definitions.

We do support Crypto Express 4, so if your code exploits it, that should not be an issue.

RDzJohn

Hello

Yes as John has mentioned you could do this with a full set of volume sety of copies.  At the same time you could also take a copy of the LPAR SYSRES as then all the respective set up will be done.  BUT BUT be aware that if you copy the sysres then ALL 3RD PARTY software is copied and then you really must do the following:

Get each 3rd part vendor where that software will be used as part of the POC to agree to that software being run on a RD&T set up.

Inform IBM of every 3rd part software that will be used, as we must have written agreement from the ISV that they have approved for that or their software to be running on the RD&T

And then you can just test away and the users can use their same Top Secret password on the RD&T as they do on the real LPAR.

Thanks Keith,

this is really a pre-req for any activity. Thanks for emphasizing the correct approach.

Has anyone ever gone trough a full LPAR copy to RD&T?
Yes.

Did you managed to IPL in RD&T?

Yes.
IPLing is relatively trivial. It is far more complex to have the system work as expected.
Although you can take all precautions of the case, you'll have to deal with various situations such us: network configuration, zOS software, isolate outgoing connection, reconfigure the cloned system reasonably.

Was TopSecret involved in the case?

Yes.
No Crypto Cards.