Prerequisites

After installing the software, you must also create and modify the configuration. The following criteria must be met:

  • If you use PARMLIB member IFAPRDxx to disable some zSecure components, either zSecure Adapters for SIEM or zSecure Audit must not be disabled. For details, see Enablement of license features.
  • The SCKRLOAD library must be APF-authorized. For details, see APF authorization of the software.
  • If you decide to use the direct SMF INMEM real-time interface, you must set up the SMFPRMxx member to include the INMEM keyword and parameters. For more information, see Procedure for near real-time. If you use the exit intercept method, you must configure CKQEXSMF as described in Assigning a userid and setting up the CKQEXSMF server started task.

    For these real-time interfaces, SIEM might need to be updated to allow syslog input for the z/OS®-related DSMs.

  • You must set up a process to periodically refresh your CKFREEZE and UNLOAD data sets. See Use of a fresh CKFREEZE and UNLOAD each day. Note that UNLOAD can only be used if the product has more than just the QRADAR* entitlement (for example, AUDIT* or ADMINRACF®). However, if the product has only the QRADAR* entitlement, an active or backup RACF database, a copy of the RACF database, an ACF2 backup database, or an inactive ACF2 database must be used.
  • If you decide to use the file polling method to transport the LEEF data, you must have an active FTP (or SFTP) server on your z/OS image, so that SIEM can download those LEEF files.
  • When using Transport Layer Security (TLS): ICSF must be active and the ICSF PKDS data set must be initialized when using cryptographic hardware. For more information, see z/OS Cryptographic Services ICSF System Programmer's Guide and z/OS Cryptographic Services ICSF Administrator's Guide.
  • When using TLS: the certificate that is to be used must be added to the External Security Manager (ESM). The public key must be stored in the ICSF PKDS data set when using cryptographic hardware.
  • When using AT-TLS, an AT-TLS policy must be created and activated. For more information, see section Policy-based networking in z/OS Communications Server: IP Configuration Guide and section Policy Agent and policy applications in z/OS Communications Server: IP Configuration Reference.

The zSecure configuration must contain the specific parameters for SIEM. For information, see Updating the configuration files for LEEF creation.

For instructions for installing and configuring zSecure, see the Program Directory: IBM® Security zSecure CARLa-Driven Components and the first few chapters of the IBM Security zSecure CARLa-Driven Components: Installation and Deployment Guide (this manual).