IBM z/OS Management Facility installation and configuration
This chapter provides the information that is needed to install and configure z/OS Management Facility (z/OSMF) on your system.
Before you begin the configuration process, have the following publications available for reference:
IBM z/OS Management Facility Configuration Guide Version 2 Release 3, SC-27-8419
z/OS Program Directory V2.3.0, GI11-9848
This chapter includes the following topics:
4.1 Installation considerations
Before you start the z/OSMF configuration process, it is assumed that you completed the SMP/E installation steps that are described in z/OS Program Directory V2.3.0, GI11-9848.
4.1.1 Installation prerequisites
The Java SDK must be installed before you configure z/OSMF. By default, the SDK is in the /usr/lpp/java/J8.0_64 directory on your system. If you installed it in another location, be sure to include the JAVA_HOME statement in your IZUPRMxx parmlib member.
4.2 z/OSMF configuration
During the installation and configuration of a z/OSMF system, the following data file systems are built. The default directory names that are used are described in 4.2.1, “z/OSMF file systems” on page 84.
4.2.1 z/OSMF file systems
The following z/OSMF file systems are available:
Product file system: /usr/lpp/zosmf
Data file system: /var/zosmf/data
As a base element of the operating system, z/OSMF is installed when you install z/OS. By default, z/OSMF is installed into the z/OS root file system in the /usr/lpp/zosmf directory. As a preferred practice, mount the z/OSMF file systems at IPL by updating your auto-mount process or BPXPRMxx parmlib member.
The default name of the data file system is IZU.SIZUUSRD. The z/OSMF data file system is mounted in read/write mode at the location that is specified by the IZU_DATA_DIR configuration variable.
To have the file system mounted automatically at IPL, add the following MOUNT command for the file system to your BPXPRMxx parmlib member:
MOUNT FILESYSTEM('IZU.SIZUUSRD') TYPE(ZFS) MODE(RDWR)
      MOUNTPOINT('/var/zosmf/data') PARM('AGGRGROW') UNMOUNT
Another z/OSMF directory that is built when the configuration scripts run is the configuration log location, /var/zosmf/configuration/logs.
4.2.2 Configuration stages
The configuration of z/OSMF to create a running instance is composed of the following stages:
1. Configuration
If z/OSMF requires customization, you can modify settings by using the IZUPRMxx parmlib member, which is new in this release. A sample member is provided in SYS1.SAMPLIB(IZUPRM00) with settings that match the z/OSMF defaults. By using IZUPRM00 as a model, you can create a customized IZUPRMxx parmlib member for your environment.
The process that is used to configure the core consists of the following steps:
a. Start the configuration by running the izusetup.sh script with the -config option.
b. Run the RACF security REXX exec that was created during step a.
c. Run the RACF security REXX exec that was created for your user ID during step a. This REXX exec is not created if the ID that is used to run the izusetup.sh script with the -config option includes the required access.
d. Verify that the RACF setup completes by using the -verify script option.
e. Complete the configuration by running izusetup with the -finish option.
2. Security
In this release, security authorizations for z/OSMF are created by using sample jobs IZUxxSEC in SYS1.SAMPLIB. In previous releases, the configuration scripts created one or more REXX execs with sample RACF commands for creating authorizations.
3. z/OSMF autostart
z/OSMF is started when you IPL your z/OS system. This behavior, which is referred to as z/OSMF autostart, means that z/OSMF is available for use when the system is available.
4. Plug-in installation
With the base setup, you receive a plain z/OSMF instance without plug-ins. To activate the plug-ins that are supported in z/OSMF V2R3, uncomment the PLUGINS parameter in IZUPRMxx parmlib member (see Figure 4-1 on page 86). For more information about plug-in prerequisites, see Chapter 3, “Planning and prerequisites” on page 23.
4.2.3 Creating the initial z/OSMF configuration
Our sample parmlib member for z/OSMF is shown in Example 4-1.
Example 4-1 Sample parmlib member for z/OSMF
HOSTNAME('*')
HTTP_SSL_PORT(2443)
INCIDENT_LOG UNIT('SYSALLDA')
JAVA_HOME('/usr/lpp/java/J8.0_64')
KEYRING_NAME('IZUKeyring.IZUDFLT')
LOGGING('*=warning:com.ibm.zosmf.*=info:com.ibm.zosmf.environment.ui=finer')
RESTAPI_FILE ACCT(IZUACCT) REGION(32768) PROC(IZUFPROC)
COMMON_TSO ACCT(IZUACCT) REGION(50000) PROC(IZUFPROC)
SAF_PREFIX('IZUDFLT')
CLOUD_SAF_PREFIX('IYU')
SEC_GROUPS USER(IZUUSER),ADMIN(IZUADMIN),SECADMIN(IZUSECAD)
SESSION_EXPIRE(495)
TEMP_DIR('/tmp')
CSRF_SWITCH(ON)
SERVER_PROC(IZUSVR1)
ANGEL_PROC(IZUANG1)
AUTOSTART(LOCAL)
AUTOSTART_GROUP('IZUDFLT')
USER_DIR('/var/zosmf')
UNAUTH_USER(IZUGUEST)
WLM_CLASSES DEFAULT(IZUGHTTP)
LONG_WORK(IZUGWORK)
/* Uncomment the following statement and any plug-ins that are desired */
/* PLUGINS( INCIDENT_LOG,
            COMMSERVER_CFG,
            WORKLOAD_MGMT,
            RESOURCE_MON,
            CAPACITY_PROV,
            SOFTWARE_MGMT,
            SYSPLEX_MGMT,
            ISPF) */
4.2.4 Starting and stopping the z/OSMF server
To start the z/OSMF server manually, run the following z/OS START commands, optionally specifying a job name:
S IZUANG1,JOBNAME=jobname
S IZUSVR1,JOBNAME=jobname
If you omit the JOBNAME= specification, the default member names, IZUANG1 and IZUSVR1, are used.
 
Note: IZUANG1 is started first. When you see the CWWKB0056I INITIALIZATION COMPLETE FOR ANGEL message, start the IZUSVR1 STC. The z/OSMF server is available when the following message is issued:
CWWKF0011I: The server zosmfServer is ready to run a smarter planet.
For information about how to stop the z/OSMF server, see 4.3.1, “Shutting down the server and angel STCs” on page 89.
4.2.5 z/OSMF LOGON window
To access the z/OSMF system in our example, enter in a browser the URL that is shown in message IZUG349I in the job output of IZUSVR1, as shown in the following example:
https://WTSC81.ITSO.IBM.COM:62222/zosmf
The example host name is WTSC81.ITSO.IBM.COM and the port that we specified during our configuration was 62222.
After pointing the browser at https://WTSC81.ITSO.IBM.COM:62222/zosmf, you see the initial z/OSMF LOGON window, which is shown in Figure 4-1 on page 88. To complete the logon process, enter a valid z/OS user ID and password.
 
Note: You can start multiple instances of z/OSMF by using different browsers or multiple instances or tabs of the same browser.
Figure 4-1 Initial z/OSMF LOGON window
After you enter a valid user ID, the z/OSMF Welcome window opens, as shown in Figure 4-2 on page 89. You can see the features that are available with the core product (no plug-ins are selected):
Welcome
Notifications
Workflow Editor
Workflows
Cloud Provisioning
Configuration
Consoles
Jobs and Resources
Links
Performance
Problem Determination
Software
z/OS Classic Interfaces
z/OSMF Administration
z/OSMF Settings
Figure 4-2 z/OSMF Welcome window for core functions
4.3 Adding plug-ins to your z/OSMF system
After you configure a working instance of z/OSMF on your system, you might want to update your configuration by adding plug-ins. To do so, use the workflow, izu.config.setup.xml. You can find it in /usr/lpp/zosmf/workflow. This workflow guides you through the setup of all plug-ins, including their prerequisites.
4.3.1 Shutting down the server and angel STCs
To shut down the z/OSMF server tasks, run the MVS STOP command. First, shut down the z/OSMF Server task by running the following command:
P IZUSVR1
You should see the following message, which indicates a successful closure of the task:
+CWWKB0001I: Stop command received for server zosmfServer.
$HASP395 IZUSVR1 ENDED
After the z/OSMF server task is shut down, close the angel STC by running the following command:
P IZUANG1
You should see the following messages, which indicate a successful closure of the task:
CWWKB0057I WEBSPHERE FOR Z/OS ANGEL PROCESS ENDED NORMALLY
$HASP395 IZUANG1 ENDED
4.4 Authorizing a user to use z/OSMF
The following section describes the procedure that is used to permit a RACF user to use z/OSMF functions.
4.4.1 Using RACF commands to authorize a user ID to use z/OSMF
The SYS1.SAMPLIB member IZUAUTH is used to authorize a RACF-defined user ID to use z/OSMF functions.
The necessary commands for z/OSMF users are shown in Example 4-2. The other commands that you must run for z/OS administrators are shown in Example 4-3.
Example 4-2 SYS1.SAMPLIB(IZUAUTH) commands for z/OSMF user
CONNECT <userid> GROUP(IZUUSER)
CONNECT <userid> GROUP(CFZUSRGP)

CONNECT <userid> GROUP(CPOCTRL)
CONNECT <userid> GROUP(CPOQUERY)

CONNECT <userid> GROUP(WLMGRP)
Example 4-3 SYS1.SAMPLIB(IZUAUTH) commands for z/OSMF administrators
CONNECT <userid> GROUP(IZUADMIN)
CONNECT <userid> GROUP(CFZADMGP)
 
4.5 Creating SAF security commands with IZUGUTSE utility
Starting with Version 2 Release 3, z/OSMF provides security descriptor files that are based on XML. These XML documents contain the z/OSMF security definitions that you must define, expressed in a product-neutral notation.
With this concept, each type of security management system can use the same XML document as its input. The security management system then translates the product-neutral definitions into its own security database updates.
z/OSMF provides a utility that is called IZUGUTSE, which is used to set up the necessary security configuration in the security database of the system. Unlike the RACF commands, the inputs to the utility are consistent across all external security managers (ESMs) that are running on z/OS.
The utility is used to generate the command text and optionally run the RACF commands. The input to the IZUGUTSE utility is an XML document that contains the security definitions to be defined on the target system. The utility translates the contents of the XML document into RACF commands (or another security subsystem's commands) which can then be optionally run on the target system. The resulting command text and optional command run results are returned to the caller in another XML document.
 
Restriction: The utility does not create the definition for a digital certificate.
You can find the IZUGUTSE utility in SYS1.SIEALNKE. z/OSMF supplies two XML samples: IZUSEC.xml and IZUAUTH.xml. The samples contain the security definitions that are required by z/OSMF. The samples are in the /usr/lpp/zosmf/samples directory.
The IZUGUTSE utility is designed to work with the RACF callable service IRRSMO00, which is described in z/OS Security Server RACF Callable Services Version 2 Release 3, SA23-2293.
When you plan to use IZUGUTSE, your security administrator should review the sample and make the necessary changes before running it with the security utility. You can customize the XML document (as shown in Example 4-5 on page 93, with the result set shown in Example 4-6 on page 94) to change the parameters. You can make these customizations by using a text editor or any other XML editor.
The XML document is translated into a list of ESM-specific updates, and these updates are returned for further inspection. For example, the XML is translated into a set of RACF commands that is returned for review by your security administrator, who can then run them later. Optionally, the security definitions in the XML document can be translated and run in a single step.
If RACF is your security manager, it must be active when you run the utility.
How to run IZUGUTSE from a batch job is shown in Example 4-4.
Example 4-4 Sample job that uses IZUGUTSE utility
//IZUXS000 JOB (ACCTINFO),CLASS=A,MSGCLASS=0,
// MSGLEVEL=(1,1),REGION=0M,NOTIFY=&SYSUID
/*JOBPARM SYSAFF=SC76
//IZUEXEC1 EXEC PGM=IZUGUTSE,
// PARM='opt=0010,in=/u/harjans/IZUAUTH.xml,out=/u/harjans/IZUS3.xml'
/*
The following parameters for the utility are used in Example 4-4:
opt
A 4-byte value whose individual bits activate the options that are listed in Table 4-1.
in
The path of the XML security definition file (must be a z/OS UNIX file). The XML input that is used in the job in Example 4-4 is shown in Example 4-5 on page 93.
out
The path of the XML execution result file (must be a z/OS UNIX file). The output that is generated from the XML statements in Example 4-5 on page 93 is shown in Example 4-6 on page 94.
The values and their descriptions that the parameter opt supports are listed in Table 4-1.
Table 4-1 Values and descriptions for the opt parameter
Value for opt   Description
'0001'          EXECUTE. If this bit is ON, the security definitions that are specified in the request XML are run, which results in updates being made to the RACF database. The commands that are run, along with their results, are returned in IZUOUT.
                If this bit is OFF, the commands are generated and returned without being run, so that the user can examine them before running them. In this case, no updates are made to the RACF database, and the commands are generated with minimal error checking because the command processor (which does most of the syntax checking) is not run.
'0010'          PRECHECK. Checks for the existence of security definitions in the RACF database during command generation.
                The processing that is performed on pre-existing security definitions can be customized per security definition in the XML by using the override="yes | no | force" attribute. The default, override="yes", suppresses the add commands for definitions that already exist and generates alter commands instead.
                The override="no" attribute can be set to prevent any update to a security definition that is found to exist in the RACF database. That is, it suppresses the add and alter (including permit) commands. This setting is useful for low-level system resources that are most likely already defined and should not be changed from their current definition.
                The override="force" attribute can be set to override the PRECHECK option and always generate the add and alter (including permit) commands.
                Note: READ access to IRR.IRRSMO00.PRECHECK in the FACILITY class is required when you specify this option.
'0100'          If opt 0100 is ON and option 0001 (EXECUTE) is ON, command execution stops when the first error is encountered.
                If opt 0100 is OFF, an attempt is made to run all update commands, even if some fail. If opt 0001 (EXECUTE) is OFF, this option is ignored. This option is not supported by RACF, but might be supported by other ESMs.
'1000'          Suppress sensitive. If this bit is ON, sensitive data that is specified in the input XML is suppressed from the generated command images that are returned by the utility. Sensitive data includes passwords, password phrases, and other fields that contain sensitive information. The keywords remain intact in the returned command image; only the values are suppressed.
                When this bit is used with the EXECUTE option bit, the sensitive data is removed from the commands after the command is run. If this option is specified without the EXECUTE option, important data is missing from the generated command images. Sensitive information that appears in an error or warning message is not suppressed.
You can use multiple opt values in your JCL. For example, if you specify opt=0011, it means EXECUTE(0001) and PRECHECK(0010) are performed.
Example 4-5 Sample XML security definition file
<?xml version="1.0" encoding="UTF-8"?>
<securityrequest xmlns:saf="http://www.ibm.com/systems/zos/saf" xmlns:racf="http://www.ibm.com/systems/zos/racf" xmlns:esm1="http://www.esm.com/esm1">
  <!--Begin "authorize user" Setup-->
  <!--Begin zOSMF User Role by default-->
  <!--Connect the user to the z/OSMF user group by default-->
  <saf:groupconnection name="USERID" group="IZUUSER" operation="set" requestid="IZU00001000"></saf:groupconnection>
  <!--Connect the user to the CIM user group by default-->
  <saf:groupconnection name="USERID" group="CFZUSRGP" operation="set" requestid="IZU00002000"></saf:groupconnection>
  <!--End zOSMF User Role by default-->
  <!--Begin zOSMF administrator Role-->
  <!--Connect the user to the z/OSMF administrator group if the user's role is administrator-->
  <saf:groupconnection name="USERID" group="IZUADMIN" operation="set" requestid="IZU00003000"></saf:groupconnection>
  <!--Connect the user to the CIM administrator group if the user's role is administrator-->
  <saf:groupconnection name="USERID" group="CFZADMGP" operation="set" requestid="IZU00004000"></saf:groupconnection>
  <!--End zOSMF administrator Role-->
  <!--Connect the user to the Capacity Provisioning groups-->
  <saf:groupconnection name="USERID" group="CPOCTRL" operation="set" requestid="IZU00005000"></saf:groupconnection>
  <saf:groupconnection name="USERID" group="CPOQUERY" operation="set" requestid="IZU00006000"></saf:groupconnection>
  <!--Connect the user to the Workload Management group-->
  <saf:groupconnection name="USERID" group="WLMGRP" operation="set" requestid="IZU00007000"></saf:groupconnection>
  <!--End "authorize user" Setup-->
</securityrequest>
 
Example 4-6 Sample XML security definition execution result
 
<?xml version="1.0" encoding="IBM-1047"?>
<securityresult xmlns="http://www.ibm.com/systems/zos/saf/IRRSMO00Result1">
  <groupconnection name="USER1" group="IZUUSER" operation="set" requestid="IZU00001000">
    <command>
      <safreturncode>0</safreturncode>
      <returncode>0</returncode>
      <reasoncode>0</reasoncode>
      <image>CONNECT USER1 GROUP (IZUUSER)</image>
    </command>
  </groupconnection>
  <groupconnection name="USER1" group="CFZUSRGP" operation="set" requestid="IZU00002000">
    <command>
      <safreturncode>0</safreturncode>
      <returncode>0</returncode>
      <reasoncode>0</reasoncode>
      <image>CONNECT USER1 GROUP (CFZUSRGP)</image>
    </command>
  </groupconnection>
  <groupconnection name="USER1" group="IZUADMIN" operation="set" requestid="IZU00003000">
    <command>
      <safreturncode>0</safreturncode>
      <returncode>0</returncode>
      <reasoncode>0</reasoncode>
      <image>CONNECT USER1 GROUP (IZUADMIN)</image>
    </command>
  </groupconnection>
  <groupconnection name="USER1" group="CFZADMGP" operation="set" requestid="IZU00004000">
    <command>
      <safreturncode>0</safreturncode>
      <returncode>0</returncode>
      <reasoncode>0</reasoncode>
      <image>CONNECT USER1 GROUP (CFZADMGP)</image>
    </command>
  </groupconnection>
  <groupconnection name="USER1" group="CPOCTRL" operation="set" requestid="IZU00005000">
    <command>
      <safreturncode>0</safreturncode>
      <returncode>0</returncode>
      <reasoncode>0</reasoncode>
      <image>CONNECT USER1 GROUP (CPOCTRL)</image>
    </command>
  </groupconnection>
  <groupconnection name="USER1" group="CPOQUERY" operation="set" requestid="IZU00006000">
    <command>
      <safreturncode>0</safreturncode>
      <returncode>0</returncode>
      <reasoncode>0</reasoncode>
      <image>CONNECT USER1 GROUP (CPOQUERY)</image>
    </command>
  </groupconnection>
  <groupconnection name="USER1" group="WLMGRP" operation="set" requestid="IZU00007000">
    <command>
      <safreturncode>0</safreturncode>
      <returncode>0</returncode>
      <reasoncode>0</reasoncode>
      <image>CONNECT USER1 GROUP (WLMGRP)</image>
    </command>
  </groupconnection>
  <returncode>0</returncode>
  <reasoncode>0</reasoncode>
</securityresult>
IZUGUTSE produces several possible return and reason codes, as listed in Table 4-2.
Table 4-2 IZUGUTSE return and reason codes
Return code   Reason code   Description
0             0             Success. The input XML was processed by IZUGUTSE. All RACF commands were generated properly. If the EXECUTE option was specified, all commands were successfully run. Some commands might issue warning or informational messages, and some commands might complete with a nonzero return code. All output from the commands is contained in the resulting XML.
32            1             PARM invalid. Parameters should be comma-separated.
32            2             PARM opt is missing.
32            3             PARM in is missing.
32            4             PARM out is missing.
32            5             PARM invalid, = is needed for each parameter.
32            6             Value of opt invalid.
36            1             Read input XML file error. Check the path and whether you can access the file.
36            2             Write output XML file error. Check the path and whether you can access the file.
40            1             LOAD IRRSMO00 MODULE ERROR. Check your SAF and security subsystem.
40            2             IRRSMO00 service error. Check your job log for more information.
 
The values of SAFRC, RACFRC, and RACFRSN are listed in the job log. For more information, see the description of the IRRSMO00 callable service in the RACF Callable Services book.
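As an added example (not IBM's utility and not code from this book), the following Python helpers mirror the review workflow that the IZUGUTSE description, Table 4-1, Examples 4-5 and 4-6 and Table 4-2 cover: decoding the opt bits, rendering the CONNECT images from a request document so that a security administrator can inspect them before running with EXECUTE, and flagging nonzero codes in the result document. The namespaces are the ones shown in the examples; the sample XML, the user ID USER1 and the nonzero codes in the result are constructed.

```python
"""Review helpers that mirror the IZUGUTSE workflow in this chapter (added example, not IBM code).
Nothing here calls IRRSMO00 or RACF; the sample XML is constructed from the shapes of Examples 4-5 and 4-6."""
import xml.etree.ElementTree as ET

SAF_NS = "http://www.ibm.com/systems/zos/saf"
RESULT_NS = "http://www.ibm.com/systems/zos/saf/IRRSMO00Result1"
# Table 4-1 bit names, leftmost character of the opt string first: '1000', '0100', '0010', '0001'.
OPT_BITS = ("SUPPRESS_SENSITIVE", "STOP_ON_FIRST_ERROR", "PRECHECK", "EXECUTE")

def decode_opt(opt):
    """Map a 4-character opt string such as '0011' to the set of option names it turns on."""
    if len(opt) != 4 or any(ch not in "01" for ch in opt):
        raise ValueError("opt must be four binary digits")  # IZUGUTSE reports RC 32, RSN 6
    return {name for name, bit in zip(OPT_BITS, opt) if bit == "1"}

def render_commands(request_xml, userid):
    """Translate saf:groupconnection requests into (requestid, RACF CONNECT image) pairs for review."""
    root = ET.fromstring(request_xml)
    images = []
    for gc in root.iter("{%s}groupconnection" % SAF_NS):
        if gc.get("operation") != "set":
            raise ValueError("unsupported operation %r" % gc.get("operation"))
        # The shipped IZUAUTH.xml carries the placeholder USERID; substitute the real user ID.
        name = userid if gc.get("name") == "USERID" else gc.get("name")
        images.append((gc.get("requestid"), "CONNECT %s GROUP (%s)" % (name, gc.get("group"))))
    return images

def failed_requests(result_xml):
    """Return (requestid, image, safrc, rc, rsn) for every command whose codes are not all zero."""
    root = ET.fromstring(result_xml)
    bad = []
    for gc in root.iter("{%s}groupconnection" % RESULT_NS):
        for cmd in gc.findall("{%s}command" % RESULT_NS):
            codes = tuple(int(cmd.findtext("{%s}%s" % (RESULT_NS, tag)))
                          for tag in ("safreturncode", "returncode", "reasoncode"))
            if codes != (0, 0, 0):
                bad.append((gc.get("requestid"), cmd.findtext("{%s}image" % RESULT_NS)) + codes)
    return bad

# Constructed request: the two default user-role connections of Example 4-5.
REQUEST_XML = """<securityrequest xmlns:saf="http://www.ibm.com/systems/zos/saf">
  <saf:groupconnection name="USERID" group="IZUUSER" operation="set" requestid="IZU00001000"/>
  <saf:groupconnection name="USERID" group="CFZUSRGP" operation="set" requestid="IZU00002000"/>
</securityrequest>"""

# Constructed result: the second command is given nonzero codes (8/8/4) to exercise the check.
RESULT_XML = """<securityresult xmlns="http://www.ibm.com/systems/zos/saf/IRRSMO00Result1">
  <groupconnection name="USER1" group="IZUUSER" operation="set" requestid="IZU00001000">
    <command><safreturncode>0</safreturncode><returncode>0</returncode>
      <reasoncode>0</reasoncode><image>CONNECT USER1 GROUP (IZUUSER)</image></command>
  </groupconnection>
  <groupconnection name="USER1" group="CFZUSRGP" operation="set" requestid="IZU00002000">
    <command><safreturncode>8</safreturncode><returncode>8</returncode>
      <reasoncode>4</reasoncode><image>CONNECT USER1 GROUP (CFZUSRGP)</image></command>
  </groupconnection>
  <returncode>0</returncode><reasoncode>0</reasoncode>
</securityresult>"""
```

Run with opt bits decoded before the job is submitted, and check the out file with failed_requests after it ends: a zero top-level return code does not mean every individual command succeeded.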
 
 