SERVER statement

(Optional) Specifies when BMC AMI Defender should attempt to revert from an alternate TCP/IP or SSL/TLS server to the primary server

The options are as follows:

• COMMand directs that the reversion must be initiated manually with the SET(SERVER) command. For more information, see MODIFY-command.
• AT(MIDNight) attempts the reversion at midnight, local time.
• EVERY(minutes) attempts the reversion after the specified number of minutes. Specify a number of minutes from 5 through 1440 (24 hours).

The default option is COMMand because server connection switching is a fairly time-consuming process, especially if the primary server is still inoperable.

For more information, see Multiple-syslog-server-support.

APIKEY(bmcHelixInterfaceKey)
(SPE2201)

Programming interface security key used to connect with the BMC Helix Log Analytics and BMC Helix Operations Management environments

You must include APIKEY to use the ADELog or ADEInflux SIEMtype.

CURRTime (SPE2201)

Maximum syslog message length, in bytes, for BMC AMI Defender and CZASEND

For messages encoded in UTF-8, the length in bytes might be greater than the length in characters because some characters are encoded in more than one byte.

Use the OPTIONS XLATE parameter to specify the message encoding. Specify a number between 512 and 2,500,000. Most SMF records can be formatted within the default message length of 1,024 bytes, but certain records, notably certain ACF2 and DB2 records, might require up to twice that number or more, depending on the fields specified and their values. If you receive message CZA0301W (indicating that the syslog message from the specified SMF record type overflowed the SERVER MAXMSGLEN length) consider increasing MAXMSGLEN.

Keep the following considerations in mind when you set this parameter:

• The maximum message length specified in RFC 3164 is 1,024 bytes (but that standard is widely disregarded).
• Datagrams (UDP messages) should not exceed the maximum transmission unit (MTU) size. The common Ethernet v2 MTU size is 1,500 bytes.
• The maximum message length that the BMC Defender Server can process is 2,000 characters. Check the maximum message length that your syslog collector (and any intermediate load balancers, forwarders, or proxies) can accept; there is no point in formatting and transmitting data that is not received and processed.
• The maximum MAXMSGlen supported by BMC AMI Defender is 2,500,000 bytes, but that maximum is intended only for very specific situations. Generally, do not code a value over 4,000 bytes.
• Increasing the MAXMSGLEN value increases the storage required by BMC AMI Defender and CZASEND. For non-UTF-8 to-CCSIDs, the storage requirement is at least three times the length value. For UTF-8 to-CCSIDs, the requirement is at least seven times the length.

PACE(No|msgs seconds)
(SPE2201)

Maximum number of messages to transmit in the specified number of seconds

On systems earlier than version 6.1 SPE2201, this parameter is for UDP servers only.

The options are as follows:

• No—no pacing
• msg seconds
  • msg—20 or more messages
  • seconds—1 through 120 (two minutes)

If the PACE value is too restrictive, you might greatly increase the queue requirements.

If you use PACE with the TIMEout options IDLE or SEND, the options are ignored and default values are used.

If you omit this parameter, No is used by default.

TLS|SSL(tlsParameters)

TRANSport(ADE|SSL|TCP|TLS|UDP)

Transport protocol

Choose one of the following protocols:

If your SIEM console or syslog receiver supports TLS, we recommend that you specify TLS or at least TCP.

If you omit this parameter, UDP is used by default unless, you specify SERVER SSL() or TLS(). In that case, SSL or TLS is used by default.

Number of seconds after which an attempt by BMC AMI Defender or CZASEND to connect a TCP/IP session with the SIEM receiver is abandoned

Valid values are from 15 through 240 seconds (four minutes). Specify DEFault instead to enable the z/OS communication server to determine the timeout value.

Consider the following points when you set a value:

• If the value is too low, the session might not connect.
• If the value is too high, then BMC AMI Defender cannot respond to the console’s MODIFY and STOP commands until the timeout completes.

TIMEout CONNect has no effect on UDP transport.

If you omit this parameter, 30 seconds is used by default.

Number of seconds after which an idle BMC AMI Defender TCP/IP session (with no formatted messages) times out

Valid values are from 5 through 3600 seconds (one hour). Specify NONE instead to prevent a timeout.

One or more syslog messages might be lost each time a session is terminated by the SIEM receiver before being terminated by BMC AMI Defender. But if the IDLE value is too high, you occupy resources for nonproductive sessions.

TIMEout IDLE has no effect on CZASEND or UDP transport.

If you omit this parameter, 300 seconds (five minutes) is used by default.

Number of seconds to delay after a TCP/IP error before BMC AMI Defender tries to establish a new session and transmit a message

Valid values are from 0 through 600 seconds (ten minutes). Specifying 0 directs BMC AMI Defender always to retry.

Consider the following points when you set a value:

• A value that is too low might cause unnecessary attempts.
• A value that is too high might cause unnecessary delays (when recovering from an error) and lost messages until the session reconnects.

TIMEout RETRY has no effect on CZASEND or UDP transport.

If you omit this parameter, 5 seconds is used by default. 

SSL or TLS cipher suites that are acceptable to the SSL/TLS client software

The SSL/TLS server selects a cipher suite from this list that is mutually acceptable. If no cipher suites are mutually acceptable, the session initiation fails.

Specify one or more cipher suite numbers that are supported by your version of IBM z/OS Cryptographic Services in your order of preference. Cipher suite numbers are specified as one to four hexadecimal digits. Starting with z/OS V1R13, the supported cipher suites are tabulated in the IBM publication z/OS Cryptographic Services System Secure Sockets Layer Programming.

If you omit TLS(CIPHersuites), then Cryptographic Services uses an internal list of available ciphers, which might vary from release to release (and also vary for FIPS versus non-FIPS mode). You can determine the current list by running BMC AMI Defender with TRANSport(Ssl|TLS) and OPTions TRACE(TLS). The available cipher suites are displayed in message CZA0104I. We recommend that you carefully review the default cipher suites because they might not be appropriate for your installation.

TLS encryption run in FIPS mode

The FIPS mode encryption meets the NIST FIPS 140-2 criteria and enforces more restrictions than non-FIPS mode. For example, in FIPS mode, the key database must have been created in FIPS mode, and certain cipher suites are considered too weak. For more information, see System SSL and FIPS 140-2 in the IBM publication z/OS Cryptographic Services System Secure Sockets Layer Programming and the US Department of Commerce publication Security Requirements for Cryptographic Modules (http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf).

If you are running a level of z/OS lower than V2R1 and require FIPS-compliant encryption, you might need to install the appropriate PTF for IBM APAR OA39422.

FIPS support is available only in the BMC AMI Defender for z/OS product. For more information, see Federal-Information-Processing-Standards-support.

(Required) The z/OS key ring file name that BMC AMI Defender or CZASEND uses to verify the signature of the server’s certificate, and to locate a client certificate if the server requests one

Specify the HFS file name of a gskkyman key database, or the name of a RACF key ring. If the RACF key ring is owned by another user, prefix the file name with userid/. If the key ring file begins with a slash (/), it is assumed to be the name of a gskkyman key database; otherwise, it is assumed to be a RACF key ring. HFS file names are case sensitive.

The user ID under which BMC AMI Defender or CZASEND runs requires read access to RACF resource IRR.DIGTCERT.LISTRING to use its own key ring, or update access to IRR.DIGTCERT.LISTRING to use a different user ID’s key ring. If the key ring name contains /*, then be sure to enclose the name in quotation marks: KEYRing('*AUTH*/*').

Password of the gskkyman key ring database

Do not specify PASSword with a RACF key ring.

The name of the stash file is automatically constructed by BMC AMI Defender or CZASEND from the name of the database. If the key ring file name ends with .kdb, then the .kdb is removed and .sth is appended. If the name does not end with .kdb, then .sth is simply appended.

If you omit this parameter, then the key database must be a RACF key ring or it must have a stashed password file that is named as described.

Allowed SSL/TLS security protocols

The z/OS cryptographic client software presents the specified list to the SSL/TLS Server, and the server selects a protocol. If there is no mutually acceptable protocol, then session initiation fails. 

Use one or more of the specifications from the following table. Prefix a specification with a - (minus sign) to exclude it from the allowed protocols.

You can list the specifications in any order, however they are processed from left to right. For example, SECURITY (ALL –SSLv3) indicates all of the supported protocols except SSLv3.

If you omit this parameter, ALL –SSLv3 is used by default.