Customizing the z/OS communications server (TCP/IP) and OMVS

The BMC AMI Defender for z/OS product uses the z/OS communications server for TCP/IP and User Datagram Protocol (UDP) services. To use the z/OS communications server, you need:

  • An OMVS segment.
  • Read access to the EZB.STACKACCESS.sysName.tcpName profile.
  • Access to EZB.NETACCESS.sysName.tcpName.zoneName profile.

OMVS segment

Programs that use the z/OS communications server (whether they run as batch programs, started tasks, or under the UNIX shell) require a z/OS UNIX security context, also known as the OMVS segment, for the owning user ID. If you run BMC AMI Defender without an OMVS segment, BMC AMI Defender fails immediately with an error message. 

A suitable OMVS segment might already exist for your user ID or the user ID under which started tasks run. If BPX.UNIQUE.USER is defined in the FACILITY class, z/OS automatically creates an OMVS segment the first time the user ID attempts to use UNIX System Services (USS).

To create an OMVS segment, see the relevant IBM documentation.

Read access to the EZB.STACKACCESS.sysName.tcpName profile

Any user ID under which BMC AMI Defender runs needs read access to the following profile in class SERVAUTH: EZB.STACKACCESS.sysName.tcpName

  • The sysName variable represents the value of the MVS &SYSNAME. system symbol.
  • The tcpName variable represents the name of the TCP/IP stack (generally TCPIP) that BMC AMI Defender uses (see OPTIONs TCPname). 

If read access to this profile is unavailable, the following error messages are displayed:

ICH408I USER(<xxxxxxx>) GROUP(<xxxxxxxx>) NAME(<xxxxx xxxxx>)
EZB.STACKACCESS.sysn.TCPIP CL(SERVAUTH) INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ) ACCESS ALLOWED(NONE)

Access to the EZB.NETACCESS.sysName.tcpName.zoneName profile

If the syslog console address is in a secured network zone, the user ID requires access to at least one EZB.NETACCESS.sysName.tcpName.zoneName profile.

Access to the CSVDYNEX FACILITY class

Any user ID under which BMC AMI Defender runs, must have SAF UPDATE authority for the CSVDYNEX FACILITY class. For instance:

PERMIT CSVDYNEX.** CLASS(FACILITY) ID(<user>) ACCESS(UPDATE)
SETROPTS RACLIST(FACILITY) REFRESH 

The user variable is the user ID or RACF group name for the BMC AMI Defender started task.

If your installation uses CA ACF2 or CA Top Secret instead of RACF, enter the equivalent commands for those products.

DB2 TRACE privileges

To use BMC AMI Defender to monitor DB2 and the SMF DB2 START option, any user ID under thatBMC AMI Defender runs, must have a privilege set that includes at least one of the following privileges or authorities for each DB2 subsystem specified:

  • TRACE privilege
  • SQLADM authority
  • System DBADM authority
  • SYSOPR authority
  • SYSCTRL authority
  • SYSADM authority
  • SECADM authority

To … , use the following or similar DB2 command:
GRANT priv TO authid

  • The priv variable represents … 
  • The authid variable is the authorization ID for the BMC AMI Defender started task.

RACF read access to DDL2.BATCH

The user ID under which BMC AMI Defender runs must have RACF READ access to DDL2.BATCH in the DSNR resource class with the following or similar command:

PERMIT DDL2.BATCH CLASS(DSNR) ID(<userID>) ACCESS(READ)

Other RACF authorities

The user ID under which BMC AMI Defender started task is run (and any job to be run as a test – see Testing BMC AMI Defender as a job) needs RACF read authority for every data set referenced in the BMC AMI Defender procedure or job, including amihlq.CZAGENT.LOAD, amihlq.CZAGENT.CNTL, or any referenced DB2 load library.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*