Before you upload the installation material to the z/VM system, make sure that the following utilities are installed:
- REXX package or runtime library
You can use the IBM REXX library product or the free IBM REXX Alternate Library.
Make sure that you are running the latest version of the BMC AMI Datastream for z/OS product.
To unpack the files and prepare the RACF facility for editing
- Download the installation material to your workstation.
Upload the material to the z/VM system.
Important
You must upload and install the VMARC file as a binary file with a fixed format and 80-byte records.
The following example illustrates how to use FTP to send the material to the maint 191 minidisk.
Example
The following is a sample FTP session initiated from a Microsoft Windows command prompt to the virtual machine. The parts marked with <---ENTER indicate information that you must enter.
----------------------------------------------------------------
C:\MAINT>FTP 10.100.0.235 <-------------------------------ENTER
Connected to 10.100.0.235
220-FTPSERV IBM VM Level 630 at Z63PRD01, 10:50:26 EDT MONDAY 2017-05-16
220 Connection will close if idle for more than 5 minutes
User (10.100.0.235:(none)): maint/by/username <-----------ENTER
331 Send passwords please.
Password: <-------------------------------------------ENTER
230 MAINT logged in: working directory = MAINT 191
ftp> bin <-------------------------------------------------ENTER
200 Representation type IMAGE.
ftp> quote site fix 80 <------------------------------------ENTER
200 Site command was accepted.
ftp> put vmracf.vmarc <-------------------------------------ENTER
200 Port request OK.
150 Storing file 'vmracf.vmarc'
250 Transfer completed successfully
ftp: 11920 bytes sent in 0.12Seconds 102.76bytes/sec
ftp> quit <------------------------------------------------ENTER
221 Quit command received. Goodbye.
----------------------------------------------------------------
- Issue the FORCE RACFSMF command to shut down the RACF SMF virtual machine.
Use the VMARC utility to uncompress the materials onto the RACFSMF 0191 minidisk.
Ready; t=0.01/0.01 12:25:58
vmarc unpk vmracf vmarc a = = c ( replace <------------ENTER
EULA TEXT C1. Bytes in= 34393, bytes out= 17520 ( 50%).
VRMSMF EXEC C1. Bytes in= 34816, bytes out= 45920 ( 131%).
RACFSMF SPARMS C1. Bytes in= 400, bytes out= 240 ( 60%).
PROFILE EXEC C1. Bytes in= 653, bytes out= 720 ( 110%).
CZAUME TEXT C1. Bytes in= 4320, bytes out= 2960 ( 68%).
ICHRSWX1 TXTLIB C1. Bytes in= 1680, bytes out= 1200 ( 71%).
CZARCFRX EXEC C1. Bytes in= 781, bytes out= 480 ( 61%).
VRMSMFEX EXEC C1. Bytes in= 39936, bytes out= 46880 ( 117%).
GETRACF EXEC C1. Bytes in= 22528, bytes out= 29600 ( 131%).
CZARCFSD EXEC C1. Bytes in= 4096, bytes out= 5280 ( 128%).
CZATN000 TEXT C1. Bytes in= 2320, bytes out= 1440 ( 62%).
FTPEXIT TEXT C1. Bytes in= 11120, bytes out= 5440 ( 48%).
CZAEXIT CONFIG A1. Bytes in= 39, bytes out= 160 ( 410%).
CZATN000 CONFIG C1. Bytes in= 16, bytes out= 80 ( 500%).
FTPEXIT CONFIG C1. Bytes in= 16, bytes out= 80 ( 500%).
CZAEXIT EXEC C1. Bytes in= 12288, bytes out= 15760 ( 128%).
CZACSP MODULE C1. Bytes in= 384, bytes out= 400 ( 104%).
Ready; t=0.01/0.01 12:26:37
- Log on to the system by using the OPERATOR user ID.
Make sure that the RACFVM production server is logged on (use the XAUTOLOG command if necessary) and that the RACMAINT backup server is logged off (use the FORCE command if necessary).
Important
RACFVM must be up before RACMAINT goes down.
- Log on to the system using the user ID, MAINTvrm.
- Issue the FORCE RACFSMF command to shut down the RACF SMF virtual machine.
- Set up RACF SMF on the system.
If RACF SMF is already set up on the system, run the following commands. The parts marked with <---ENTER indicate information that you must enter.
Example
----------------------------------------------------------------
link racfsmf 191 1 mr <--------------------------------ENTER
Ready; t=0.01/0.01 12:25:48
access 1 c <-------------------------------------------ENTER
Ready; t=0.01/0.01 12:25:58
copyfile profile exec c = exec-ibm = (olddate <--------ENTER
Ready; t=0.01/0.01 12:26:10
vmarc unpk vmracf vmarc a = = c ( replace <------------ENTER
EULA TEXT C1. Bytes in= 34393, bytes out= 17520 ( 50%).
VRMSMF EXEC C1. Bytes in= 34816, bytes out= 45920 ( 131%).
RACFSMF SPARMS C1. Bytes in= 400, bytes out= 240 ( 60%).
PROFILE EXEC C1. Bytes in= 653, bytes out= 720 ( 110%).
CZAUME TEXT C1. Bytes in= 4320, bytes out= 2960 ( 68%).
ICHRSWX1 TXTLIB C1. Bytes in= 1680, bytes out= 1200 ( 71%).
CZARCFRX EXEC C1. Bytes in= 781, bytes out= 480 ( 61%).
VRMSMFEX EXEC C1. Bytes in= 39936, bytes out= 46880 ( 117%).
GETRACF EXEC C1. Bytes in= 22528, bytes out= 29600 ( 131%).
CZARCFSD EXEC C1. Bytes in= 4096, bytes out= 5280 ( 128%).
CZATN000 TEXT C1. Bytes in= 2320, bytes out= 1440 ( 62%).
FTPEXIT TEXT C1. Bytes in= 11120, bytes out= 5440 ( 48%).
CZAEXIT CONFIG A1. Bytes in= 39, bytes out= 160 ( 410%).
CZATN000 CONFIG C1. Bytes in= 16, bytes out= 80 ( 500%).
FTPEXIT CONFIG C1. Bytes in= 16, bytes out= 80 ( 500%).
CZAEXIT EXEC C1. Bytes in= 12288, bytes out= 15760 ( 128%).
CZACSP MODULE C1. Bytes in= 384, bytes out= 400 ( 104%).
Ready; t=0.01/0.01 12:26:37
----------------------------------------------------------------
If RACF SMF is not already set up on the system, run the following commands. The parts marked with <---ENTER indicate information that you must enter.
Example
----------------------------------------------------------------
link racfsmf 191 1 mr <---------------------------ENTER
Ready; t=0.01/0.01 12:25:48
access 1 c <--------------------------------------ENTER
Ready; t=0.01/0.01 12:25:58
vmarc unpk vmracf vmarc a = = c <-----------------ENTER
EULA TEXT C1. Bytes in= 34393, bytes out= 17520 ( 50%).
VRMSMF EXEC C1. Bytes in= 34816, bytes out= 45920 ( 131%).
RACFSMF SPARMS C1. Bytes in= 400, bytes out= 240 ( 60%).
PROFILE EXEC C1. Bytes in= 653, bytes out= 720 ( 110%).
CZAUME TEXT C1. Bytes in= 4320, bytes out= 2960 ( 68%).
ICHRSWX1 TXTLIB C1. Bytes in= 1680, bytes out= 1200 ( 71%).
CZARCFRX EXEC C1. Bytes in= 781, bytes out= 480 ( 61%).
VRMSMFEX EXEC C1. Bytes in= 39936, bytes out= 46880 ( 117%).
GETRACF EXEC C1. Bytes in= 22528, bytes out= 29600 ( 131%).
CZARCFSD EXEC C1. Bytes in= 4096, bytes out= 5280 ( 128%).
CZATN000 TEXT C1. Bytes in= 2320, bytes out= 1440 ( 62%).
FTPEXIT TEXT C1. Bytes in= 11120, bytes out= 5440 ( 48%).
CZAEXIT CONFIG A1. Bytes in= 39, bytes out= 160 ( 410%).
CZATN000 CONFIG C1. Bytes in= 16, bytes out= 80 ( 500%).
FTPEXIT CONFIG C1. Bytes in= 16, bytes out= 80 ( 500%).
CZAEXIT EXEC C1. Bytes in= 12288, bytes out= 15760 ( 128%).
CZACSP MODULE C1. Bytes in= 384, bytes out= 400 ( 104%).
Ready; t=0.01/0.01 12:26:37
----------------------------------------------------------------
(SPE2404) (SPE2410) (For SPM only) The GETLBY, GETLST, and GETLGRP execs have been deprecated. Instead, use the GETRACF exec to gather RACF data for BMC AMI Datastream for z/OS to send to BMC AMI Security Policy Manager (SPM) and populate the SPM database tables.
Copy the GETRACF exec to the user ID defined as integrity_checker in the RACFSMF PARMS member. The parts marked with <---ENTER indicate information that you must enter.
Example
----------------------------------------------------------------
Assuming that integrity_checker is USER1:
link USER1 351 2 mr <---------------------ENTER
Ready; t=0.01/0.01 12:26:50
acc 2 b <---------------------------------ENTER
Ready; t=0.01/0.01 12:27:10
copyfile GETRACF exec c = exec b <---------ENTER
Ready; t=0.01/0.01 12:27:50
----------------------------------------------------------------
(SPE2404) (For SPM only) Release and detach the B disk by using the release b (detach command, as displayed in the following example. The parts marked with <---ENTER indicate information that you must enter.
Example
----------------------------------------------------------------
release b (detach <---------------ENTER
DASD 0002 DETACHED
Ready; t=0.01/0.01 12:30:05
----------------------------------------------------------------
- (SPE2504) Install a Telnet, FTP, or Perfkit exit to enrich z/VM VMRACF records with IP data. For more information, see IP enrichment exits.
Copy the sample parameter file as shown in the following example:
Example
copyfile racfsmf sparms c = parms c
Ready; t=0.01/0.01 12:31:58
Configure the server parameter file.
Edit the RACFSMF PARMS member and make sure that values for the following statements are present.
The server_ip and server_port must match the IP address and port number that are defined in the $$$VMRACF member of the BMC AMI Datastream for z/OS agent parameter data set.
| Statement | Description |
|---|---|
| server_ip | IP address in dotted decimal notation |
| server_port | Port number greater than 1024 |
The following statements are optional:
| Statement | Description |
|---|---|
| wait_time | Time to wait, in seconds, between RACF SMF SWITCH commands. The value must be a whole number from 1 through 3600. The default value is 30 seconds. If you enter an invalid value, the default value is used. Important: To include the grace time for initial connection, we recommend that you set the wait time to at least 15 seconds. |
| auth_user | Users who are authorized to issue the SETTIMER and STOP commands to the Datastream for z/VM agent. For more information about the SETTIMER and STOP commands, see Command and syntax reference. The default value is maint. |
| integrity_checker | (For SPM only) User ID that is authorized to issue RACF LISTUSER and RLIST commands to collect data about all VM users and surrogate profiles. The default value is none. |
Example
The following code is an example of the RACFSMF PARMS member:
----------------------------------------------------------------
server_ip 127.0.0.1
server_port 8192
wait_time 15
integrity_checker none
auth_user maint
----------------------------------------------------------------
This example sets the following values:
- The IP address of the server is 127.0.0.1.
- The listening port is 8192 (hexadecimal 2000).
- The wait time is 15 seconds between the RACF SMF SWITCH commands.
- No user ID (none) is defined to issue RACF commands, such as LISTUSER and RLIST, to gather data for all users and surrogate profiles.
- The virtual machine maint is an authorized user and can issue commands to change the timer interval and stop the machine.
- Add RACFSMF to the XAUTOLOG in the startup list of AUTOLOG2:
- Open the PROFILE EXEC file in an editor such as XEDIT.
- Locate a line containing XAUTOLOG at the beginning of the section with the following comment: Customer user processing can be added here.
Add the following content:
Example
----------------------------------------------------------------
'CP SLEEP 2 SEC'
'CP XAUTOLOG RACFSMF'
----------------------------------------------------------------
Increase the size of the RACFSMF 192 minidisk.
Important
BMC recommends that you increase the RACFSMF 192 minidisk to at least 3,000 cylinders.
Release and detach the C disk by using the release c (detach command, as displayed in the following example:
Example
----------------------------------------------------------------
release c (detach
DASD 0001 DETACHED
Ready; t=0.01/0.01 12:36:05
---------------------------------------------------------------
(SPE2404) (For SPM only) Set SECUSER as RACFSMF.
- Log on to the user ID defined as integrity_checker in the RACFSMF PARMS member to send RACF events to SPM by using BMC AMI Datastream for z/OS.
Add RACFSMF as a secondary user to the user ID. The parts marked with <---ENTER indicate information that you must enter.
Example
set secuser RACFSMF <--------------ENTER
Ready; T=0.01/0.01 23:07:55
Important
The user ID must be connected to the REXX exec or alternate REXX libraries.
Disconnect from the user ID by using the disconnect command. To execute the GETRACF exec, the user ID must be disconnected. The parts marked with <---ENTER indicate information that you must enter.
Example
disconnect <--------ENTER
Start RACFSMF by using an xautolog racfsmf command:
Example
----------------------------------------------------------------
xautolog racfsmf
ICH70001i RACFSMF LAST ACCESS AT 16:52:20 ON MONDAY, MAY 16, 2017
Command accepted
Ready; t=0.01/0.01 12:36:05
AUTO LOGON *** RACFSMF USERS = 17
HCPCLS6056I XAUTOLOG information for RACFSMF: The IPL command is verified by the IPL command processor
----------------------------------------------------------------
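The value rules given for the RACFSMF PARMS statements in the "Configure the server parameter file" step can be checked before RACFSMF is started. The following Python script is an added example, not BMC code: it assumes one statement and value per line, as in the sample member, and the function name, the constructed sample, and the agent_ip and agent_port arguments (the values that you read from the $$$VMRACF member) are hypothetical.

```python
import ipaddress

# Added example, not product code. Defaults are the ones stated on this page.
DEFAULTS = {"wait_time": "30", "auth_user": "maint", "integrity_checker": "none"}
REQUIRED = ("server_ip", "server_port")

# Constructed sample: the port is not above 1024 and wait_time is out of range.
SAMPLE = """\
server_ip 10.1.2.3
server_port 1024
wait_time 7200
auth_user maint
"""

def check_parms(text, agent_ip=None, agent_port=None):
    """Return (effective values, findings) for the text of a RACFSMF PARMS file."""
    values, findings = dict(DEFAULTS), []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split(None, 1)
        if not parts:
            continue  # blank line
        if parts[0] not in DEFAULTS and parts[0] not in REQUIRED:
            findings.append(f"line {n}: unknown statement {parts[0]}")
        elif len(parts) < 2:
            findings.append(f"line {n}: {parts[0]} has no value")
        else:
            values[parts[0]] = parts[1].strip()
    for key in REQUIRED:
        if key not in values:
            findings.append(f"{key}: required statement is missing")
    if "server_ip" in values:
        try:
            ipaddress.IPv4Address(values["server_ip"])
        except ValueError:
            findings.append("server_ip: not a dotted decimal IPv4 address")
    port = values.get("server_port")
    if port is not None and not (port.isdecimal() and 1024 < int(port) <= 65535):
        findings.append("server_port: must be a port number greater than 1024")
    wait = values["wait_time"]
    if not (wait.isdecimal() and 1 <= int(wait) <= 3600):
        findings.append(f"wait_time: {wait} is invalid, default 30 is used")
        values["wait_time"] = wait = "30"
    if int(wait) < 15:
        findings.append("wait_time: below the recommended minimum of 15 seconds")
    # The agent values come from the $$$VMRACF member; pass them in to compare.
    for key, agent in (("server_ip", agent_ip), ("server_port", agent_port)):
        if agent is not None and values.get(key) != str(agent):
            findings.append(f"{key}: {values.get(key)} does not match $$$VMRACF ({agent})")
    return values, findings
```

Calling check_parms(SAMPLE) returns two findings, one for the port and one for the wait time, together with the effective values after the defaults are applied.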