Customizing the z/OS communications server (TCP/IP) and OMVS, and configuring RACF, Top Secret, and ACF2 definitions


BMC AMI Datastream for z/OS uses the z/OS communications server for TCP/IP and User Datagram Protocol (UDP) services. To use the z/OS communications server, you need the following items:

  • An OMVS segment
  • Read access to the EZB.STACKACCESS.sysName.tcpName profile
  • Access to EZB.NETACCESS.sysName.tcpName.zoneName profile

OMVS segment

Programs that use the z/OS communications server (whether they run as batch programs, started tasks, or under the UNIX shell) require a z/OS UNIX security context, also known as the OMVS segment, for the owning user ID. If you run BMC AMI Datastream without an OMVS segment (or without BPX.UNIQUE.USER), BMC AMI Datastream fails immediately with an error message.

A suitable OMVS segment might already exist for your user ID or the user ID under which started tasks run. If BPX.UNIQUE.USER is defined in the FACILITY class, z/OS automatically creates an OMVS segment the first time the user ID attempts to use UNIX System Services (USS).

To create an OMVS segment, see the relevant IBM documentation.

Access configurations

The following sections provide details about the different types of access that you might require.

Configuring read access to the EZB.STACKACCESS.sysName.tcpName profile

Any user ID under which BMC AMI Datastream or CZASEND runs needs read access to the following profile in the SERVAUTH class: EZB.STACKACCESS.sysName.tcpName

  • The sysName variable represents the value of the MVS &SYSNAME. system symbol.
  • The tcpName variable represents the name of the TCP/IP stack (generally TCPIP) that BMC AMI Datastream or CZASEND uses. For more information, see the TCPname parameter of the OPTIONS statement.

If read access to this profile is unavailable, the following error messages are displayed:

ICH408I USER(<xxxxxxx>) GROUP(<xxxxxxxx>) NAME(<xxxxx xxxxx>)
EZB.STACKACCESS.sysn.TCPIP CL(SERVAUTH) INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ) ACCESS ALLOWED(NONE)

Accessing the EZB.NETACCESS.sysName.tcpName.zoneName profile

If the syslog console address is in a secured network zone, the user ID requires access to at least one EZB.NETACCESS.sysName.tcpName.zoneName profile.
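The three requirements described above (the OMVS segment, READ access to EZB.STACKACCESS.sysName.tcpName, and, where the syslog console address sits in a secured zone, access to EZB.NETACCESS.sysName.tcpName.zoneName) collected into one RACF example, written as a TSO/E REXX exec. This is an added example, not code from the BMC page or the product. The user ID DSTREAM, the UID 4711 and the zone name SYSLOGZN are assumed sample values; the SERVAUTH profiles are assumed to exist already (the ICH408I message above shows the STACKACCESS profile is defined), so only PERMIT, REFRESH and verification commands are issued.

```rexx
/* REXX - added example, not part of the BMC AMI Datastream documentation  */
/* Gives the started-task user ID what the text above requires:            */
/*   1. an OMVS segment (z/OS UNIX security context)                        */
/*   2. READ on EZB.STACKACCESS.sysName.tcpName in class SERVAUTH           */
/*   3. READ on EZB.NETACCESS.sysName.tcpName.zoneName (only if the syslog  */
/*      console address is in a secured network zone)                       */
/* Assumed sample values - replace them for your site:                      */
userId   = 'DSTREAM'           /* user ID the started task runs under      */
uid      = 4711                /* unique OMVS UID for that user ID          */
sysName  = MVSVAR('SYSNAME')   /* MVS &SYSNAME. system symbol               */
tcpName  = 'TCPIP'             /* stack name, see TCPname in OPTIONS        */
zoneName = 'SYSLOGZN'          /* NETACCESS zone of the syslog console      */
stackPrf = 'EZB.STACKACCESS.'sysName'.'tcpName
netPrf   = 'EZB.NETACCESS.'sysName'.'tcpName'.'zoneName
errors   = 0

ADDRESS TSO

/* 1. OMVS segment; without it (and without BPX.UNIQUE.USER) the product   */
/*    fails at startup. A HOME directory and shell are the minimum.        */
"ALTUSER" userId "OMVS(UID("uid") HOME('/u/"userId"') PROGRAM('/bin/sh'))"
errors = errors + (rc <> 0)

/* 2. Stack access: READ is all the product needs; UPDATE is not required.  */
"PERMIT" stackPrf "CLASS(SERVAUTH) ID("userId") ACCESS(READ)"
errors = errors + (rc <> 0)

/* 3. Network zone access, only when a zone covers the syslog console.      */
"PERMIT" netPrf "CLASS(SERVAUTH) ID("userId") ACCESS(READ)"
errors = errors + (rc <> 0)

/* 4. SERVAUTH is normally RACLISTed, so a refresh is needed before the     */
/*    new permits take effect.                                              */
"SETROPTS RACLIST(SERVAUTH) REFRESH"
errors = errors + (rc <> 0)

/* 5. Verify before starting the task: OMVS segment present, and the user   */
/*    ID shown in the access list of the STACKACCESS profile.               */
"LISTUSER" userId "OMVS NORACF"
"RLIST SERVAUTH" stackPrf "AUTHUSER"

if errors > 0 then
  say 'One or more RACF commands failed; review the messages above.'
else
  say 'RACF definitions for' userId 'completed.'
exit errors
```

The exec checks the return code of each command rather than stopping at the first failure, so one run reports every missing definition. If the ICH408I message shown earlier still appears after the run, confirm that the profile named in the message matches stackPrf exactly (the &SYSNAME. value and the stack name in the OPTIONS statement must agree with the profile) and that the REFRESH was issued on the system where the task runs.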

Processing SMF 109 records containing USS syslogd messages

If you want BMC AMI Datastream to process SMF 109 records containing UNIX System Services (USS) syslogd messages, configure syslogd as described in the documentation about supported destinations for syslogd in IBM z/OS Communications Server: IP Configuration Reference.

Accessing the CSVDYNEX facility class

Any user ID under which BMC AMI Datastream runs requires SAF UPDATE authority for the CSVDYNEX facility class.

To access the CSVDYNEX facility class

Use the following or similar command for RACF:

PERMIT CSVDYNEX.** CLASS(FACILITY) ID(<userId>) ACCESS(UPDATE)
SETROPTS RACLIST(FACILITY) REFRESH

The userId variable is the user ID or RACF group name for the BMC AMI Datastream started task.

Use the following or similar command for Top Secret:

TSS ADD(owning_dept) IBMFAC(CSVDYNEX)

Then permit it to the started task ACID:

TSS PER(acid) IBMFAC(CSVDYNEX) ACCESS(UPDATE)

Use the following or similar command for ACF2:

$KEY(<key>) TYPE(FAC)
$USERDATA(BMC AMI Datastream)
CSVDYNEX.** UID(<userID>) SERVICE(UPDATE) ALLOW
LOG
- UID(NOACCESS) PREVENT
- UID(*) PREVENT

Granting Db2 TRACE privileges

To use BMC AMI Datastream to monitor Db2 and the SMF DB2 START option, each Db2 subsystem that you specify must have a BMC AMI Datastream user ID with a privilege set that includes at least one of the following privileges or authorities:

  • TRACE privilege
  • SQLADM authority
  • System DBADM authority
  • SYSOPR authority
  • SYSCTRL authority
  • SYSADM authority
  • SECADM authority

To grant Db2 TRACE privileges

To grant privileges, use the following or similar Db2 command:

GRANT <priv> TO <authId>

  • The priv variable represents the privilege or authority to grant.
  • The authId variable is the authorization ID for the BMC AMI Datastream started task.

Granting RACF, Top Secret, or ACF2 read access to DDL2.BATCH

The user ID under which BMC AMI Datastream runs must have RACF, Top Secret, or ACF2 READ access to DDL2.BATCH in the DSNR resource class.

To grant read access to DDL2.BATCH

Use the following or similar command for RACF:

PERMIT DDL2.BATCH CLASS(DSNR) ID(<userID>) ACCESS(READ)

Use the following or similar command for Top Secret:

TSS ADDTO(acid) IBMFAC(<facility>)  
TSS PERMIT(<userID>) IBMFAC(<facility>) ACCESS(READ)

Use the following or similar command for ACF2:

$KEY(<key>) TYPE(FAC)
$USERDATA(BMC AMI Datastream)
DDL2.BATCH UID(<userID>) SERVICE(READ) ALLOW
LOG
- UID(NOACCESS) PREVENT
- UID(*) PREVENT

Granting other RACF, Top Secret, or ACF2 read access authorities to Datastream data sets

The user ID under which the BMC AMI Datastream started task runs (and any job run as a test, such as the one described in Testing BMC AMI Datastream) requires RACF read authority for every data set referenced in the BMC AMI Datastream procedure or job. Data sets that require RACF read authority include the following data sets and any referenced DB2 load library:

  • amihlq.LOAD
  • amihlq.PARM
  • amihlq.EXEC

To grant read access authorities to Datastream data sets

Use the following or similar command for RACF for each data set:

PERMIT <dataset> CLASS(FACILITY)  ID(<userID>) ACCESS(READ)
SETROPTS REFRESH RACLIST(FACILITY)

Use the following or similar command for Top Secret for each data set:

TSS ADDTO(acid) IBMFAC(<facility>)  
TSS PERMIT(<userID>) IBMFAC(<facility>) ACCESS(READ)

Use the following or similar command for ACF2 for each data set:

$KEY(<key>) TYPE(FAC)
$USERDATA(BMC AMI Datastream)
dataset  UID(<userID>) SERVICE(READ) ALLOW
LOG
- UID(NOACCESS) PREVENT
- UID(*) PREVENT
