SERVER statement

Specifies when BMC AMI Defender should attempt to revert from an alternate TCP/IP or SSL/TLS Server to the primary server (see Multiple syslog server support). AT(MIDNight) specifies that the reversion should be attempted at midnight local time; COMMand specifies that the reversion must be initiated manually with the SET(SERVER) command (see The Modify or F Command in BMC AMI Defender for z/OS Installation and Operation); EVERY(minutes) specifies that reversion should be attempted at the expiration of the specified number of minutes. Specify a number of minutes between 5 and 1440 (24 hours). This parameter is optional. The default of COMMand is recommended: server connection switching is a fairly time-consuming process, especially if the primary server is still inoperable.

Specifies the maximum syslog message length in bytes for BMC AMI Defender and CZASEND. (For messages encoded in UTF-8, the length in bytes might be greater than the length in characters, because some characters are encoded in more than one byte. The message encoding is specified with the OPTIONS XLATE parameter.) Specify a number between 512 and 2,500,000. Most SMF records might be formatted within the default message length of 1024 bytes, but certain records, notably certain ACF2 and DB2 records, might require up to twice that number or more, depending on the fields specified and their values. If you are receiving message CZA0301W syslog message (SMF Record Type ttt) overflowed SERVER MAXMSGLEN then you should consider increasing MAXMSGLEN. Keep the following considerations in mind:

• The maximum message length specified in RFC 3164 is 1024 bytes (but that standard is widely disregarded).
• It is often recommended that datagrams (UDP messages) not exceed the maximum transmission unit (MTU) size. The common Ethernet v2 MTU size is 1,500 bytes.
• The maximum message length that the BMC Defender Server can process is 2,000 characters. Check the maximum message length that your syslog collector (and any intermediate load balancers, forwarders, or proxies) can accept; there is no point in formatting and transmitting data that is not received and processed.
• The maximum MAXMSGlen supported by BMC AMI Defender is 2,500,000 bytes, but that maximum is intended only for very specific situations; generally, you should never code value in excess of about 4,000 or 5,000.
• Increasing the MAXMSGLEN value increases the storage required by BMC AMI Defender and CZASEND. For non-UTF-8 to-CCSIDs the storage requirement is at least three times the length value; for UTF-8 to-CCSIDs the requirement is at least seven times the length.

Specifies, for UDP Servers only, the maximum number of messages to transmit in a window of so-many seconds, or that no pacing is desired.

Specifies the time in seconds, after that an attempt by BMC AMI Defender or CZASEND to connect a TCP/IP session with the SIEM receiver is abandoned. Specify a time in seconds between 15 and 240 (four minutes), or specify DEFault to allow z/OS communication server to determine the timeout. (The connection timeout default value is not documented but appears to be a little more than three minutes.) If you specify too low a value then sessions might not connect; if you specify too high a value then BMC AMI Defender is not able to respond to console MODIFY and STOP commands until the timeout completes. If you omit TIMEout CONNect, then it defaults to 30 seconds. TIMEout CONNect has no effect on UDP transport.

Specifies the time in seconds, after that an idle (no formatted messages) BMC AMI Defender TCP/IP session will get terminated. Specify None or a number of seconds between 5 and 3600 (one hour). It is very important that you not specify too high a value for IDLE as at least one syslog message is usually lost each time a session is terminated by the SIEM receiver before being terminated by BMC AMI Defender. However, specifying too high a value ties up resources for non-productive sessions. If you omit TIMEout IDLE, it defaults to 300 seconds (five minutes). IDLE has no effect on CZASEND nor on UDP transport.

Specifies the delay in seconds after a TCP/IP error before BMC AMI Defender tries to establish a new session and transmit a message. Specify a time in seconds between 0 (always retry) and 600 (ten minutes). Specifying too low a value might cause needless churning; specifying too high a value might cause needless delays in recovering from an error, and lost messages until the session is reconnected. If you omit TIMEout RETRY, then it defaults to 35 seconds. TIMEout RETRY has no effect on CZASEND nor on UDP transport.

TLS|SSL(TLS parameters)

Specifies the SSL or TLS cipher suites that are acceptable to the SSL/TLS client software. The SSL/TLS Server selects a cipher suite from this list that is mutually acceptable. (If no cipher suites are mutually acceptable, the session initiation fails.) Specify one or more cipher suite numbers that are supported by your version of IBM z/OS Cryptographic Services in your order of preference. Cipher suite numbers are specified as one to four hexadecimal digits. Starting with z/OS V1R13 the supported cipher suites are tabulated in Appendix C of the IBM Manual z/OS Cryptographic Services System Secure Sockets Layer Programming. If you omit TLS(CIPHersuites), then Cryptographic Services uses an internal list of available ciphers, that might vary from release to release (and also vary for FIPS versus non-FIPS mode). You might determine the current list by running BMC AMI Defender with TRANSport(Ssl|TLS) and OPTions TRACE(TLS). The available cipher suites are displayed in message CZA0104I. You should carefully review the defaults as they might not be appropriate for your installation.

Specifies that the TLS encryption is to run in FIPS mode. FIPS mode means that the encryption is designed to meet the NIST FIPS 140-2 criteria. FIPS mode enforces more restrictions than non-FIPS mode. For instance, the key database must have been created in FIPS mode, and certain ciphersuites are considered too weak for FIPS mode. For more information, see System SSL and FIPS 140-2 in the IBM publication z/OS Cryptographic Services System Secure Sockets Layer Programming and the US Department of Commerce publication SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES ( http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf ).

If you are running a level of z/OS lower than V2R1 and require FIPS compliant encryption, you might need to install the appropriate PTF for IBM APAR OA39422.

FIPS support is available only in the BMC AMI Defender for z/OS product. For more information, see Federal Information Processing Standards support.

Specifies the z/OS key ring that BMC AMI Defender or CZASEND uses to verify the signature of the server’s certificate, and to locate a client certificate if one is requested by the server. Specify the HFS file name of a gskkyman key database, or the name of a RACF key ring, optionally prefaced with userid/ if the RACF key ring is owned by another user. If keyringfile begins with a slash (/), it is assumed to be the name of a gskkyman key database; otherwise it is assumed to be a RACF key ring. HFS file names are case sensitive. The User ID under that BMC AMI Defender or CZASEND runs, requires read access to RACF resource IRR.DIGTCERT.LISTRING to use its own key ring, or update access to IRR.DIGTCERT.LISTRING to use a different User ID’s keyring. If the keyring name contains /*, then be sure to enclose the name in quotes: KEYRing('*AUTH*/*'). This parameter is required.

Specify to activate certificate revocation checking using the HTTP URI values in the certificate's AIA extension. OCSPrequires z/OS V2R2 or later.

Specifies the password of the gskkyman key ring database. Do not specify PASSword with a RACF key ring. The PASSword parameter is provided as a convenience; the preferred method of specifying the gskkyman key ring database password is with a stashed password file (stash file). The name of the stash file is constructed by BMC AMI Defender or CZASEND automatically from the name of the database: if the key ring file name ends with .kdb, then the .kdb is removed and .sth is appended; if the name does not end with .kdb, then .sth is simply appended. If this parameter is omitted, then the key database must be a RACF key ring or must have a stashed password file named as described.

Specifies the allowed SSL/TLS security protocols. The z/OS cryptographic client software presents the specified list to the SSL/TLS Server, and the server selects a protocol. If there is no mutually acceptable protocol then session initiation fails. If TLS(SECurity) is omitted, then it defaults to ALL –SSLV3, that is, all of the supported protocols except SSLV3. (SSLV3 has been deprecated due to its vulnerability to the POODLE attack.)

Specify zero or more of the security specifications in the table shown (in any order). Prefix any of the specifications with - (a minus sign) to indicate negation. The specifications are processed left to right. For instance, SECURITY (ALL –SSLV3) indicates all supported protocols except SSLV3.

Specifies the transport protocol. Specify one of the following options. SSL and TLS are equivalent; see TLS(SECurity) if you want to specify a specific secure protocol. If your SIEM console or syslog receiver supports it, you should probably specify TLS or at least TCP. If you omit TRANSport it defaults to Udp, unless you specify SERVER SSL() or TLS(), in that case it defaults to SSL/TLS.