Customizing the z/OS Communications Server (TCP/IP) and OMVS
BMC AMI Defender for z/OS uses the z/OS Communications Server for its TCP/IP and User Datagram Protocol (UDP) services. To use the z/OS Communications Server, the user ID under which BMC AMI Defender runs needs the following items:
- An OMVS segment
- READ access to the EZB.STACKACCESS.sysName.tcpName profile in the SERVAUTH class
- Access to an EZB.NETACCESS.sysName.tcpName.zoneName profile (required only when the syslog destination lies in a secured network zone)
OMVS segment
Programs that use the z/OS Communications Server (whether they run as batch jobs, started tasks, or under the UNIX shell) require a z/OS UNIX security context, known as the OMVS segment, for the owning user ID. If you run BMC AMI Defender under a user ID that has no OMVS segment (and BPX.UNIQUE.USER is not set up to supply one), BMC AMI Defender fails immediately with an error message.
A suitable OMVS segment might already exist for your user ID or for the user ID under which started tasks run. If the BPX.UNIQUE.USER profile is defined in the FACILITY class, z/OS automatically creates an OMVS segment the first time a user ID attempts to use UNIX System Services (USS).
To create an OMVS segment explicitly (in RACF, with the OMVS keyword of the ADDUSER or ALTUSER command), see the relevant IBM documentation.
Access configurations
The following table details the access that the BMC AMI Defender user ID might require:
Access | Details |
---|---|
READ access to the EZB.STACKACCESS.sysName.tcpName profile | Any user ID under which BMC AMI Defender or CZASEND runs needs READ access to the profile `EZB.STACKACCESS.sysName.tcpName` in the SERVAUTH class. If READ access to this profile is unavailable, RACF issues a message of the following form: `ICH408I USER(<xxxxxxx>) GROUP(<xxxxxxxx>) NAME(<xxxxx xxxxx>) EZB.STACKACCESS.sysn.TCPIP CL(SERVAUTH) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ) ACCESS ALLOWED(NONE)` |
Access to the EZB.NETACCESS.sysName.tcpName.zoneName profile | If the syslog console address is in a secured network zone, the user ID requires access to at least one `EZB.NETACCESS.sysName.tcpName.zoneName` profile in the SERVAUTH class that covers that zone. |
Processing SMF 109 records containing USS syslogd messages | If you want BMC AMI Defender to process SMF 109 records containing UNIX System Services (USS) syslogd messages, configure syslogd as described in the documentation about supported destinations for syslogd in IBM z/OS Communications Server: IP Configuration Reference. |
UPDATE access to CSVDYNEX in the FACILITY class | Any user ID under which BMC AMI Defender runs requires SAF UPDATE authority to the CSVDYNEX profiles in the FACILITY class (UPDATE is the authority the CSVDYNEX dynamic exit service checks before it lets a program add or change an exit). Use the following or similar commands: `PERMIT CSVDYNEX.** CLASS(FACILITY) ID(<userId>) ACCESS(UPDATE)` followed by `SETROPTS RACLIST(FACILITY) REFRESH`. The userId variable is the user ID or RACF group name of the BMC AMI Defender started task. If your installation uses CA ACF2 or CA Top Secret instead of RACF, enter the equivalent commands for those products. |
Db2 TRACE privileges | To use BMC AMI Defender to monitor Db2 with the SMF DB2 START option, each Db2 subsystem that you specify must have a BMC AMI Defender user ID whose privilege set includes at least one of the following privileges or authorities: To grant a privilege, use the following or similar Db2 command: `GRANT <priv> TO <authId>` |
READ access to DDL2.BATCH in the DSNR class | The user ID under which BMC AMI Defender runs must have RACF READ access to the DDL2.BATCH profile in the DSNR resource class (DSNR profiles are named ssid.environment, so DDL2 here is the Db2 subsystem ID and the profile name differs for each subsystem you monitor). To grant access, use the following or similar command: `PERMIT DDL2.BATCH CLASS(DSNR) ID(<userId>) ACCESS(READ)` |
Other RACF authorities | The user ID under which the BMC AMI Defender started task runs (and any job run as a test, such as the one described in Testing BMC AMI Defender) requires RACF READ authority for every data set referenced in the BMC AMI Defender procedure or job, including amihlq.CZAGENT.LOAD, amihlq.CZAGENT.CNTL, and any referenced Db2 load library. |
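The following job is an added example and is not JCL supplied by BMC or IBM. It strings together, for one started-task user ID, the items this page calls for (the OMVS segment, the SERVAUTH, FACILITY, DSNR and data set permits, the RACLIST refresh, and the Db2 GRANT) and then lists the resulting access lists and OMVS segment so you can verify them before starting the task. Every name in it is an assumption: system SYS1, TCP/IP stack TCPIP, network zone SYSLOGZONE, started-task user ID CZAGENT with UID 20010 and home directory /u/czagent, product high-level qualifier AMIHLQ, Db2 subsystem DDL2 (the page's own example) with load library DSN.V13R1.SDSNLOAD, run library DDL2.RUNLIB.LOAD and DSNTEP2 plan DSNTEP2. Substitute your own values before submitting.

```jcl
//CZARACF  JOB (ACCT),'CZAGENT SAF SETUP',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//* Added example, not BMC-supplied JCL. All names are assumptions:
//*   SYS1 / TCPIP = system name and TCP/IP stack name
//*   SYSLOGZONE   = NETACCESS zone that contains the syslog host
//*   CZAGENT      = BMC AMI Defender started-task user ID
//*   AMIHLQ       = product high-level qualifier
//*   DDL2         = Db2 subsystem (the page's example)
//* The submitter needs RACF SPECIAL, or CLAUTH plus ownership of
//* the profiles, for the ALTUSER and PERMIT commands to take effect.
//*
//* Step 1: RACF. Each PERMIT names an existing profile; RACF rejects
//* a PERMIT for a profile that is not defined. If a resource below is
//* still unprotected, RDEFINE it first, remembering that a new
//* UACC(NONE) profile locks out every user not on its access list.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ALTUSER CZAGENT OMVS(UID(20010) HOME('/u/czagent') PROGRAM('/bin/sh'))
 PERMIT EZB.STACKACCESS.SYS1.TCPIP CLASS(SERVAUTH) ID(CZAGENT) -
   ACCESS(READ)
 PERMIT EZB.NETACCESS.SYS1.TCPIP.SYSLOGZONE CLASS(SERVAUTH) -
   ID(CZAGENT) ACCESS(READ)
 PERMIT CSVDYNEX.** CLASS(FACILITY) ID(CZAGENT) ACCESS(UPDATE)
 PERMIT DDL2.BATCH CLASS(DSNR) ID(CZAGENT) ACCESS(READ)
 PERMIT 'AMIHLQ.CZAGENT.LOAD' CLASS(DATASET) ID(CZAGENT) ACCESS(READ)
 PERMIT 'AMIHLQ.CZAGENT.CNTL' CLASS(DATASET) ID(CZAGENT) ACCESS(READ)
 SETROPTS RACLIST(SERVAUTH FACILITY) REFRESH
 SETROPTS GENERIC(DATASET) REFRESH
 RLIST SERVAUTH EZB.STACKACCESS.SYS1.TCPIP AUTHUSER
 RLIST SERVAUTH EZB.NETACCESS.SYS1.TCPIP.SYSLOGZONE AUTHUSER
 RLIST FACILITY CSVDYNEX.** AUTHUSER
 RLIST DSNR DDL2.BATCH AUTHUSER
 LISTDSD DATASET('AMIHLQ.CZAGENT.LOAD') AUTHUSER
 LISTDSD DATASET('AMIHLQ.CZAGENT.CNTL') AUTHUSER
 LISTUSER CZAGENT OMVS NORACF
/*
//* Step 2: Db2 TRACE privilege for the same user ID, issued through
//* DSNTEP2. The STEPLIB, run library and plan name are assumptions;
//* the submitter's Db2 auth ID needs SYSADM, SYSCTRL or TRACE WITH
//* GRANT OPTION on subsystem DDL2.
//DB2GRANT EXEC PGM=IKJEFT01
//STEPLIB  DD DISP=SHR,DSN=DSN.V13R1.SDSNLOAD
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN  DD *
 DSN SYSTEM(DDL2)
 RUN PROGRAM(DSNTEP2) PLAN(DSNTEP2) LIB('DDL2.RUNLIB.LOAD')
 END
/*
//SYSIN    DD *
 GRANT TRACE TO CZAGENT;
/*
```

Read the SYSTSPRT output of the RACF step before starting the task: each RLIST and LISTDSD should show CZAGENT with the intended access, and LISTUSER should show the UID, HOME and PROGRAM of the new OMVS segment. Two points deserve care. A DATASET-class PERMIT must name the profile that actually protects the library, which is often a generic such as 'AMIHLQ.**' rather than the discrete name used here, so check with LISTDSD first and adjust. And if your installation RACLISTs the DSNR class, add DSNR to the SETROPTS RACLIST(...) REFRESH, otherwise the Db2 permit is not picked up until the next refresh. If an ICH408I for EZB.STACKACCESS still appears in the task's job log after this job, the stack or system name in the profile does not match the one the started task is using.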