Customizing IMS to use a System z Integrated Information Processor (zIIP)

IBM Security Guardium S-TAP for IMS allows you to configure an IMS control region to prepare specific auditing functions for execution on a System z® Integrated Information Processor (zIIP). Execution on a zIIP is governed by the Workload Management software on your appliance, as well as the workload already assigned to the zIIP.

To use this feature, the LPAR on which the IMS Control region executes must have a zIIP installed. The IMS Control Region should also make use of the z/OS Workload Manager product. For more information on using z/OS Workload Manager with the IMS Control Region, see the Workload Manager and IMS section of the IBM IMS System Administration manual.

The following processes can be scheduled on a zIIP:
  • Calling of the compiled filter to determine if the DLI event is to be audited, and if the segment concatenated key or segment data should be sent to the Guardium appliance.
  • Movement of the audited DLI calls to a storage buffer used to hold audited data until a write to the z/OS System Logger log-stream can be executed
  • Calling of the z/OS System Logger IXGWRITE, which moves the audited data from the buffer to the log-stream when the buffer fills, or a flush of the buffer is scheduled
To indicate that the IMS Control region should attempt to schedule these processes on the zIIP, a //AUIZIIP DD DUMMY DD statement should be added to the IMS Control Region JCL. When detected, the audit code produces the informational message AUII055I, indicating that zIIP processing will be attempted.

Warning messages AUII042W and AUII043W are issued if zIIP processing is requested when a zIIP is not available, and when IMS is not using Workload Manager. Error message AUII044E indicates that the request was rejected. In all instances where the attempt to use the zIIP has failed, audit processing continues without attempting to execute the audit code on the zIIP.