[Info-vax] Somewhat levels up to not port outside VMS (letter from Wyoming)

Neil Rieck n.rieck at sympatico.ca
Fri Dec 14 15:43:27 EST 2018 

On Thursday, December 13, 2018 at 10:23:46 AM UTC-5, Scott Dorsey wrote:

[...snip...]

> 
> This is fair enough.  If you want root... then what the hell are you paying
> IBM to do?
> --scott
> 

Good question. "I think" the suits do this for some sort of insurance for the data center. It is really neat to try walking into one of these data centers with middle or upper managers. The IBM gatekeeper looks at everyone "as the enemy" then makes every present their corporate ID in order to get an IBM badge which will allow you to open the one-at-a-time door for access. And this is a data center that "we own" :-)

Anyway, even when you are granted SUDO access for a day, you must sign an agreement that you will only attempt to install (or upgrade) that you requested and IBM approved. And they will not approve anything that they think will break the system.

###

Back to our system in the non-IBM managed center, one guy installed a new LDAP library on our production server. YUM ran the dependencies list then decided to also update OpenSSL (and a bunch of stuff dependent upon OpenSSL). Within four hours we discovered another process had failed. We could no longer reach into an older version of "SQL Server 2005" which was running on "Windows Server 2003" on a system more that 1000 km away in another department with a tiny budget. A little testing showed that one could only connect using SSL2, and that protocol was never compiled into the OpenSSL just installed. Oops!

YUM would never let us roll back OpenSSL because a lot of stuff was upgraded which depended upon the new version. The people running that remote system told us they had no intention of patching that system which had been working well for over a decade. We were forced to grab an old server then install an old version of CentOS which would allow us to access that old windows box. We now use that machine as a gateway to get to the Windows machine. Yikes! What a pain! 

###

Now on OpenVMS we support numerous versions of OpenSSL at the same time with logical names. Heck, some applications like Apache have their own baked-in versions. 

Neil Rieck

More information about the Info-vax mailing list