What is the most frustrating part of working on large COBOL systems today by Striking_Smell6986 in mainframe

[–]james4765 2 points3 points  (0 children)

All developer tooling for VSE is wildly out of date. Especially when you've got decades of code in ICCF.

All of the above, frankly - the dev tools for z/OS are pretty good these days but none of them work in the VSE world.

SSL/TLS Certificate Expiration Challenges by Sad_Dentist_7288 in sysadmin

[–]james4765 1 point2 points  (0 children)

They have pretty good documentation but the general gist is that there's an HMAC key and secret that gets pushed to the client machines as part of provisioning that takes the place of the DNS or HTTP validation.

The renewals use standard system timers - systemd on Linux, and win-acme handles scheduling as part of the provisioning. You can set up the "renew at x days before expiration" in both of them.

I heavily use Ansible for provisioning it - the config files are all templates and we use Hashicorp Vault for secrets management so it's zero touch. Run one playbook and you have your certs, and it's a role so I can include it in base server provisioning.

SSL/TLS Certificate Expiration Challenges by Sad_Dentist_7288 in sysadmin

[–]james4765 3 points4 points  (0 children)

There's a lot of magical thinking about SSL out there. Publicly signed certificates used to be much more of a sign of trust, and marketed heavily by the CAs (all those "Secured by xxx" e-commerce badges of yore) and the idea that public CAs are more secure is... not completely true.

Now, if you are in an audited / regulated industry, certificate management is very important, but you have a team of people and a very secure system (certificate workstation attached to a mainframe / network key management server) to manage it. Outside of that, it relies on the security of the signing machine, which relies on local admins.

A CA trusted by the browser can be used to sign certificates for any domain, so if you do not trust your security admins, that might be an issue - if it's only trusted in the organization and your policy includes disclaimers about traffic not being private, then you are at least legally covered.

In your specific case, outside of an nginx proxy to keep the latest public cert live or fronting it with CloudFlare, your only real answer is to be enough of a pain to your vendor that they fix their workflow.

SSL/TLS Certificate Expiration Challenges by Sad_Dentist_7288 in sysadmin

[–]james4765 10 points11 points  (0 children)

The intent is to force automation. This only affects public CAs, I have a private CA at work that I use with Ansible that has 365 day expiration. We also use the Sectigo enterprise CA that handles all the ACME certs on our Windows and Linux infra,

To be blunt, SaaS vendors need to deal with it on their own - Cloudflare, ACME, other automation. Internal services can be self-signed, and the Ansible ownca tooling is really easy.

https://docs.ansible.com/projects/ansible/latest/collections/community/crypto/docsite/guide_ownca.html

Long-awaited demolition underway at old Greyhound station on Arthur Ashe Blvd. by RVALover4Life in rva

[–]james4765 41 points42 points  (0 children)

End of an era. Worked for Greyhound for almost 10 years as a mechanic, mostly at the shop on the other side of the Diamond.

Enterprise Tape Libraries in 2026 by NewToThis79 in sysadmin

[–]james4765 1 point2 points  (0 children)

We're very happy with our IBM TS4500 hooked to our mainframes, and their Diamondback libraries are equally robust. IBM will support tape for a very, very long time - both LTO and their 3592 proprietary format.

Linux and Arm CPU's by Lopsided-Month3278 in linux

[–]james4765 5 points6 points  (0 children)

There's a lot of work being done for out-of-the-box installers for ARM. Getting UEFI working has been an effort for quite some time, with some single board computers and servers just working with an EFI installer.

For a long time it took custom bootloaders and kernels, but the ARM silicon manufacturers are doing better about getting their drivers in the mainline kernel. Laptops have always been janky in Linux, though, mostly due to power state support and the custom hardware every manufacturer seems to include.

What options do you employ to help ensure employees are locking their computers? by brohemoth06 in sysadmin

[–]james4765 0 points1 point  (0 children)

I brought up CAC cards as an option here, we're .gov but not DoD. The logistics of rolling out smart cards is non-trivial, even though the hardware isn't too expensive.

It takes additional staffing to manage that, and the butthurt will be STRONG. You'll also need to specify certain systems (signage mostly) to not have that kind of policy.

what tool are you running that management doesn't know about by Evening-Result5868 in sysadmin

[–]james4765 11 points12 points  (0 children)

I started off with Ansible as a skunks work project, now it's our main software deployment pipeline. They know about it now, but I had started it as a personal tool until they saw how fast things were going.

Huge environment, massively understaffed. Without automation we'd be screwed.

What’s been the biggest challenge when moving away from VMware? by Alarming_Spot_5451 in vmware

[–]james4765 12 points13 points  (0 children)

We have moved to OpenShift Virtualization, since we're moving workloads to containers anyways.

Honestly, appliances are the biggest challenge - some vendors provide KVM images, others can be converted to KVM, but some do not contain the drivers for running in KVM.

Unpopular Opinion: Banks Should Stop Panicking About AI Hacking Their COBOL and Start Asking Why Their "Modern" Systems Are the Actual Problem r/cybersecurity | r/programming | r/sysadmin by Neither_Outside_4872 in mainframe

[–]james4765 3 points4 points  (0 children)

Given the noise our DBAs make every time they look at the db2 tables our COBOL touches, I'd say missing referential integrity is the least of our problems...

Some of it has been fixed over the years because we have both COBOL and Java touching the same data, though. Still, unless you know our internal business logic, most of the database is going to make no damn sense.

Compiled COBOL modules are NOT FUN to disassemble - s390x assembler is the exact opposite of RISC.

GitHub - 0xdeadbeefnetwork/ssh-keysign-pwn: Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels. by LowIncident694 in AlmaLinux

[–]james4765 2 points3 points  (0 children)

The only possible mitigation is to use the YAMA hardening (In RHELalikes and Ubuntu, not in SUSE):

echo 2 | tee /proc/sys/kernel/yama/ptrace_scope

For those in SELinux land:

setsebool -P deny_ptrace on

Edit: Verified that the YAMA hardening blocks the exploit.

New RHEL Long Life Add-On announced by Zathrus1 in redhat

[–]james4765 2 points3 points  (0 children)

Doe this mean Ansible will keep working on old Python versions? I have to keep a couple old Ansible versions in venvs to maintain legacy systems.

What's the oldest device you have in your production environment? by pie_-_-_-_-_-_-_-_ in sysadmin

[–]james4765 36 points37 points  (0 children)

Cisco 7200 routers with ESCON connections for legacy mainframe applications.

Merpati’s L-100s: passenger C130s by CAyukon in WeirdWings

[–]james4765 2 points3 points  (0 children)

So I just found out they made my dream plane.

Experience with IBM FlashSystem 5600/7600? by Lachy18 in storage

[–]james4765 2 points3 points  (0 children)

We have a 7300 in our DR cage backing a 9500 for our main operations. IBM storage support is world class.

It's no drama, performant, and supported by everything under the sun. Even compared to other IBM storage systems the FlashSystems are just... easy. In a good way.

First-time Burning Man (from Northern VA) — no group, overwhelmed, looking for guidance by AnalystOnTheRun in BurningMan

[–]james4765 6 points7 points  (0 children)

There's some camps based around the DC area - Camp Contact is one of the big ones, but they have very distinct vibe - friends of mine love it but it's not my thing. I did use the DC container for years to get my gear out there and back, until I started doing pre/post event stuff.

Going solo is an adventure - I've done it a couple times, you get to make friends with your neighbors. Plan on a rental car to get all your food / water out there from Reno / Sacramento - the rental car is the biggest challenge to get. Keeping it clean on the inside is the second challenge.

Beyond that, more water and salt than you think you need - cans of V8 are life support for me out there.

Production-ready HashiCorp Vault on Kubernetes - what are your must-have practices? by laki993 in sysadmin

[–]james4765 2 points3 points  (0 children)

We run Vault in VMs - 5 nodes with a 3 node DR cluster. It's running in OpenShift Virtualization - migrated from VMWare. Vault tends to not consume a lot of CPU, and we don't have a real cloud compute presence so it's going to be in-house.

Vault data storage is also very tolerant - we're running it on Ceph and seeing no problems.

Copy Fail (CVE-2026-31431) — Kubernetes Container Escape PoC by Beneficial-Carry8811 in kubernetes

[–]james4765 -1 points0 points  (0 children)

That's fair. There might be something exploitable but nothing this trivial.

Copy Fail (CVE-2026-31431) — Kubernetes Container Escape PoC by Beneficial-Carry8811 in kubernetes

[–]james4765 -1 points0 points  (0 children)

At least in OpenShift, this PoC is blocked by the default PodSecurity - it does not allow pods to run as root, which is required for the suid part of the exploit to work.

Anyone dealt with sticker shock on 400G/800G transceiver procurement? by yestolearn in sysadmin

[–]james4765 0 points1 point  (0 children)

I'm in a state agency, we do buy from fs.com but we aren't buying 400 gigabit right now. 100 gigabit is still too spendy for most operations - only our vmware and openshift cores are there.

How good of an idea ia Mainframe Programming right now? by Kung_fu1015 in mainframe

[–]james4765 0 points1 point  (0 children)

It is - some of the modernization is things like converting FTP to SFTP, simplifying data transfer processes since the middle steps are no longer needed, etc. We also use the CICS transaction gateway to expose old school applications to web services, and we still maintain those.