Configuring the UKO Agent for CAT data collection
The Agent collects information about the ICSF keys in the CKDS, PKDS and TKDS and also collects the SMF records written by ICSF. The data is collected into MVS work data sets and finally written to Kafka topics. The Agent ends after the Kafka topics have been produced.
You need to run an agent on every LPAR from which you want to collect data.
The agent needs the following prerequisite steps to be completed:
- Kafka needs to be set up on one of the systems
- You need a CAT_AGENT_USER user ID that executes the collection
- Z Open Automation Utilities (ZOAU) is required where the agent runs
The UKO z/OSMF installation workflows provide a CC CAT agent example workflow (catagent/provision.xml) to configure the CC CAT agent. Either specify the variables in a properties file or specify them when the workflow step prompts you for them.
ICSF configuration for SMF record generation
The following subtypes of the ICSF type 82 SMF records are collected:
| Subtype | Description |
|---|---|
| 31 | cryptographic statistics data |
| 40 | lifecycle events related to symmetric CCA tokens and TR-31 key blocks |
| 41 | lifecycle events related to asymmetric CCA tokens |
| 42 | lifecycle events related to PKCS#11 objects |
| 44 | usage events related to symmetric CCA tokens and TR-31 key blocks |
| 45 | usage events related to asymmetric CCA tokens |
| 46 | usage events related to PKCS#11 objects |
Be aware that ICSF options determine whether these subtypes are written at all. Check the ICSF System Programmer's Guide for details. The options are read from the data set referenced by the CSFPARM DD name of the ICSF started task. The options of interest are:
| Option | Subtype affected | Recommended value giving the maximum view of usage |
|---|---|---|
| STATS | 31 | STATS(ENG,SRV,ALG) |
| AUDITKEYLIFECKDS | 40 | AUDITKEYLIFECKDS(TOKEN(YES),LABEL(YES)) |
| AUDITKEYLIFEPKDS | 41 | AUDITKEYLIFEPKDS(TOKEN(YES),LABEL(YES)) |
| AUDITKEYLIFETKDS | 42 | AUDITKEYLIFETKDS(TOKENOBJ(YES),SESSIONOBJ(YES)) |
| AUDITKEYUSGCKDS | 44 | AUDITKEYUSGCKDS(TOKEN(YES),LABEL(YES),INTERVAL(1)) |
| AUDITKEYUSGPKDS | 45 | AUDITKEYUSGPKDS(TOKEN(YES),LABEL(YES),INTERVAL(1)) |
| AUDITPKCS11USG | 46 | AUDITPKCS11USG(TOKENOBJ(YES),SESSIONOBJ(YES),NOKEY(YES),INTERVAL(1)) |
However, depending on the actual use of ICSF on the system, you might want to limit the records written to keep CPU and DASD usage in check. TOKEN(YES), SESSIONOBJ(YES) and NOKEY(YES) in particular can generate a large number of records that you may not want to gather as a start.
You can use the MVS console command DISPLAY ICSF,OPT to display the current ICSF option settings, and the SETICSF console command to change options dynamically. Options changed with SETICSF do not survive an ICSF restart; also update the CSFPARM options data set so the settings persist.
Note: This configuration step is not part of the workflows.
Collection configuration
Two files are required for the configuration:
- catagent.properties for the general properties
- catsmf.conf to configure the SMF dump
Copy them from ${CAT_INSTALL_DIR} (typically /usr/lpp/IBM/uko/v3r1/cccat/config) to a ${CAT_USER_DIR} (for example /var/cccat/config) and adjust them. If you are using the z/OSMF workflow, you will be prompted for the most common parameters.
The catagent.properties file supports the following properties:
| Property | Description |
|---|---|
| cat_timeout | Time in seconds that the Java agent waits for the CAT collector to finish |
| cat_dsnqual | High-level data set qualifier of the MVS work data sets to be used (created and deleted by the agent) |
| cat_unit | UNIT of the MVS work data sets to be allocated |
| cat_wsize | Allocation size in cylinders of the work data sets |
| cat_debug | If yes is specified, the work data sets are not deleted when the Agent ends |
| cat_trace_ecc | If yes, additional messages are issued in the work data sets for the ECC key extract |
| cat_trace_rsa | If yes, additional messages are issued in the work data sets for the RSA key extract |
| cat_trace_p11 | If yes, additional messages are issued in the work data sets for the TKDS key extract |
| cat_trace_qsa | If yes, additional messages are issued in the work data sets for the QSA key extract |
| cat_trace_des | If yes, additional messages are issued in the work data sets for the DES key extract |
| cat_trace_sym | If yes, additional messages are issued in the work data sets for the AES/HMAC key extract |
| cat_trace_tr21 | If yes, additional messages are issued in the work data sets for the CKDS TR-31 key block extract |
| cat_trace_null | If yes, additional messages are issued in the work data sets for the CKDS/PKDS null token extract |
| cat_smf | If yes, the SMF collection runs after the ICSF collection has completed. Otherwise, no SMF data is collected |
| cat_smf_report | If yes, a (huge) text dump of the SMF records is printed to STDOUT |
| cat_smf_wsize | Allocation size in cylinders of the work data sets for the SMF dump |
| cat_kafka_uri | IP address and port of the Kafka server, in the form ip-address:port |
| cat_kafka_transactional_id | System-wide unique ID of this UKO CAT agent instance; each deployed instance must have its own ID |
| cat_ignore_jobnames | Optional exclusion of records for specific job names; separate job names with commas, e.g. JOBNAME1,JOBNAME2,... |
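As an added example (not part of the UKO product or its z/OSMF workflows), the following Python script lints the catagent.properties files of several agent instances before they are deployed: it checks that the required properties are present, that cat_dsnqual is a valid MVS prefix short enough for the work data set names, that cat_kafka_uri has the ip-address:port form, that cat_kafka_transactional_id is unique across all instances, and it warns when cat_debug or cat_trace_* are left switched on. The two sample property files, the LPAR names and the '#' comment convention are constructed assumptions; the 44-character data set name limit and the qualifier rules are standard MVS rules.

```python
import re

# Constructed sample catagent.properties contents for two LPARs (not from the
# page). LPAR2 carries the mistakes this linter is meant to catch.
LPAR1_PROPS = """\
cat_timeout=3600
cat_dsnqual=KMG.CAT
cat_unit=SYSDA
cat_wsize=50
cat_debug=no
cat_smf=yes
cat_kafka_uri=10.1.2.3:9092
cat_kafka_transactional_id=ukocat-lpar1
"""
LPAR2_PROPS = """\
cat_timeout=3600
cat_dsnqual=KMG.CAT.TEMPORARY.WORK.FILES.FOR.THE.AGENT
cat_unit=SYSDA
cat_wsize=50
cat_debug=yes
cat_smf=yes
cat_kafka_uri=kafka.example.internal
cat_kafka_transactional_id=ukocat-lpar1
"""

REQUIRED = ("cat_dsnqual", "cat_unit", "cat_wsize",
            "cat_kafka_uri", "cat_kafka_transactional_id")
# MVS qualifier: 1-8 chars, first alphabetic or national (@ # $).
QUAL_RE = re.compile(r"^[A-Z@#$][A-Z0-9@#$-]{0,7}$")
# Work data set suffixes on this page are at most 8 chars (e.g. ".KMGCAUTH"),
# and a full data set name is limited to 44 characters.
MAX_PREFIX_LEN = 44 - len(".KMGCAUTH")


def parse_properties(text):
    """Parse key=value lines; '#'/'!' comment lines are an assumption."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed property line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def lint_agent(props):
    """Return a list of (severity, message) findings for one agent instance."""
    findings = []
    for key in REQUIRED:
        if key not in props:
            findings.append(("error", f"missing required property {key}"))
    dsnqual = props.get("cat_dsnqual", "")
    if dsnqual:
        for q in dsnqual.split("."):
            if not QUAL_RE.match(q.upper()):
                findings.append(("error", f"cat_dsnqual qualifier {q!r} is not a valid MVS qualifier"))
        if len(dsnqual) > MAX_PREFIX_LEN:
            findings.append(("error", f"cat_dsnqual is {len(dsnqual)} chars; max {MAX_PREFIX_LEN} "
                                      "so that work data set names stay within 44 chars"))
    uri = props.get("cat_kafka_uri", "")
    m = re.fullmatch(r"(?P<host>[^:\s]+):(?P<port>\d{1,5})", uri)
    if uri and (not m or not 1 <= int(m.group("port")) <= 65535):
        findings.append(("error", f"cat_kafka_uri {uri!r} is not of the form ip-address:port"))
    if props.get("cat_debug", "no").lower() == "yes":
        findings.append(("warning", "cat_debug=yes leaves the work data sets (collected key tokens, "
                                    "SMF records) on DASD after the run"))
    for key, value in props.items():
        if key.startswith("cat_trace_") and value.lower() == "yes":
            findings.append(("warning", f"{key}=yes adds trace output to the work data sets"))
    return findings


def lint_fleet(instances):
    """instances: {lpar_name: properties_text}. Lints each file and checks that
    cat_kafka_transactional_id is unique across all deployed agents."""
    report, seen = {}, {}
    for name, text in instances.items():
        props = parse_properties(text)
        report[name] = lint_agent(props)
        tid = props.get("cat_kafka_transactional_id")
        if tid:
            seen.setdefault(tid, []).append(name)
    for tid, names in seen.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                report[name].append(("error", f"cat_kafka_transactional_id {tid!r} is also used by {others}"))
    return report


if __name__ == "__main__":
    for lpar, findings in lint_fleet({"LPAR1": LPAR1_PROPS, "LPAR2": LPAR2_PROPS}).items():
        for severity, message in findings:
            print(f"{lpar}: {severity}: {message}")
```

Run it against all property files of a deployment at once; the transactional ID check is only meaningful across instances, which is why lint_fleet rather than lint_agent is the entry point.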
The catsmf.conf file holds the following parameters:
| Parameter | Example | Description |
|---|---|---|
| SMFGDGBASE | SMFGDGBASE(SYS2.SMFDUMP.LPAR1) | Name of the GDG base of the dumped SMF data sets |
| SMFGDGDONE | SMFGDGDONE(G4326V00) | Name of the latest SMF generation already handled |
The agent processes dumped SMF data sets, so the SMF data must be dumped into this GDG before it can be collected. When SMFGDGBASE/SMFGDGDONE are used, the Agent updates SMFGDGDONE in catsmf.conf with the latest SMF generation it processed, so that the next run continues where the previous one stopped.
For example, in the case of the following GDG with 10 entries:
SYS2.SMFDUMP.LPAR1.G4319V00
SYS2.SMFDUMP.LPAR1.G4320V00
SYS2.SMFDUMP.LPAR1.G4321V00
SYS2.SMFDUMP.LPAR1.G4322V00
SYS2.SMFDUMP.LPAR1.G4323V00
SYS2.SMFDUMP.LPAR1.G4324V00
SYS2.SMFDUMP.LPAR1.G4325V00
SYS2.SMFDUMP.LPAR1.G4326V00
SYS2.SMFDUMP.LPAR1.G4327V00
SYS2.SMFDUMP.LPAR1.G4328V00
The above sample parameters will result in a collection of data from the following SMF dumps:
SYS2.SMFDUMP.LPAR1.G4327V00
SYS2.SMFDUMP.LPAR1.G4328V00
and catsmf.conf will be updated with SMFGDGDONE(G4328V00).
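To make the generation selection concrete, here is an added Python example (not the agent's own code, which this page does not publish) that reads SMFGDGBASE and SMFGDGDONE from a catsmf.conf, picks the generations newer than SMFGDGDONE out of a catalog listing, and rewrites SMFGDGDONE to the last generation selected. The catalog list and conf text are constructed to match the ten-generation example above; the assumption that catsmf.conf consists only of KEY(value) lines is mine.

```python
import re

# Constructed inputs matching the example above (not from the page).
SAMPLE_CONF = "SMFGDGBASE(SYS2.SMFDUMP.LPAR1)\nSMFGDGDONE(G4326V00)\n"
SAMPLE_CATALOG = [f"SYS2.SMFDUMP.LPAR1.G{g:04d}V00" for g in range(4319, 4329)]

PARAM_RE = re.compile(r"^([A-Z][A-Z0-9]*)\((.*)\)$")   # KEY(value), assumed layout
GEN_RE = re.compile(r"^G(\d{4})V(\d{2})$")              # GDG relative name GnnnnVnn


def parse_catsmf_conf(text):
    """Parse KEY(value) lines into a dict; blank lines are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PARAM_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised catsmf.conf line: {raw!r}")
        params[m.group(1)] = m.group(2)
    return params


def generation_number(suffix):
    """'G4326V00' -> 4326. The version part does not affect ordering."""
    m = GEN_RE.match(suffix)
    if not m:
        raise ValueError(f"not a GDG generation name: {suffix!r}")
    return int(m.group(1))


def select_generations(catalog, base, done):
    """Return the dump data sets of GDG `base` newer than generation `done`,
    oldest first. done=None means nothing has been handled yet: take all.
    Caveat: GDG numbers wrap from G9999 to G0001; a plain numeric compare
    does not handle a wrap, which must then be resolved by hand."""
    done_gen = generation_number(done) if done else 0
    prefix = base + "."
    chosen = []
    for dsn in catalog:
        if not dsn.startswith(prefix):
            continue
        suffix = dsn[len(prefix):]
        if not GEN_RE.match(suffix):
            continue  # not a generation of this GDG
        gen = generation_number(suffix)
        if gen > done_gen:
            chosen.append((gen, dsn))
    chosen.sort()
    return [dsn for _, dsn in chosen]


def update_done(conf_text, new_suffix):
    """Rewrite (or append) SMFGDGDONE(...) in the catsmf.conf text."""
    new_text, n = re.subn(r"SMFGDGDONE\([^)]*\)", f"SMFGDGDONE({new_suffix})", conf_text)
    if n == 0:
        new_text = conf_text.rstrip("\n") + f"\nSMFGDGDONE({new_suffix})\n"
    return new_text


def plan_collection(conf_text, catalog):
    """Return (data sets to process, updated catsmf.conf text)."""
    params = parse_catsmf_conf(conf_text)
    base = params["SMFGDGBASE"]
    todo = select_generations(catalog, base, params.get("SMFGDGDONE"))
    if not todo:
        return todo, conf_text
    last_suffix = todo[-1][len(base) + 1:]
    return todo, update_done(conf_text, last_suffix)


if __name__ == "__main__":
    todo, new_conf = plan_collection(SAMPLE_CONF, SAMPLE_CATALOG)
    print("to process:", todo)
    print(new_conf, end="")
```

In a real run the catalog list would come from the catalog (for example a ZOAU dls listing of the GDG) instead of the constructed list, and the updated text would be written back to ${CAT_USER_DIR}/catsmf.conf only after all selected generations were processed successfully, so that a failed run is retried rather than skipped.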
Configure security for the agent
The CC CAT requires the following security setup:
- The KMG.SKMGMOD0 load library must be defined as APF authorized.
- To execute the CC CAT Agent, the following must be true for the ${CAT_AGENT_USER} that runs it:
  - The user ID must have an OMVS segment
  - ALTER access to the ${CAT_TEMP_HLQ} data set qualifier specified in the cat_dsnqual property
  - READ access to the ${AGENT_RUNLIB} load library (default KMG.SKMGMOD0)
  - READ access to the dumped SMF data sets
In addition, the ${CAT_AGENT_USER} needs the following access:
- READ access to the FACILITY resource KMG.CAT.TRUSTED.ICSF (this resource lets the user collect data about the ICSF keys without having access to the keys themselves outside of the CAT Agent)
- READ access to the CSFSERV resources CSFPCI, CSFIQF and CSFIQA
Because the work data sets under the cat_dsnqual prefix hold the collected key tokens and SMF records, give that prefix its own data set profile so the ALTER access does not extend to other data sets and no other user ID can read them.
The z/OSMF workflow helps you to define the access to KMG.CAT.TRUSTED.ICSF and to the CSFSERV profiles for the ${CAT_AGENT_USER} ID or group. The remaining access must be granted manually, and the workflow asks you to confirm that this has been done.
Agent execution
Copy the SKMGSAMP(KMGACAT) sample JCL from the ${AGENT_SAMPLIB} to a library and adjust it to match your environment. It can be run either ad-hoc or by a scheduler of choice. The following parameters need to be adjusted:
| Parameter | Example | Description |
|---|---|---|
| ARGS | /var/cccat/config | The ${CAT_USER_DIR} where you copied your config and properties files to |
| JAVA_HOME | /java/java21 | The ${JAVA_HOME} location, where Java is installed according to the prereqs |
| KAFKA_HOME | /usr/lpp/IBM/kafka/v1r1m0/kafka/3.4.1 | The ${KAFKA_HOME} directory, where Kafka was installed according to the prereqs |
| CAT_HOME | /usr/lpp/IBM/uko/v3r1/cccat | The ${CAT_INSTALL_DIR} where the installation files are located |
| ZOAU_HOME | /usr/lpp/IBM/zoau/v1r3 | The ${ZOAU_HOME} directory, where ZOAU was installed according to the prereqs |
| CAT_STEPLIB | KMG.SKMGMOD0 | The ${AGENT_RUNLIB} (APF authorized) |
If you are using the z/OSMF workflow, the JCL will be created for you and you can specify the required parameters. You can either submit the JCL from the workflow or save it in another location from where you want to run it.
Work datasets reference
When the CAT Agent runs, a number of cataloged temporary data sets are allocated, prefixed by the value of the cat_dsnqual property. If any of these data sets exists when the CAT Agent is started, the Agent deletes it before data collection begins. When the CAT Agent ends successfully, all of the data sets are removed, unless the cat_debug=yes property is used.
When the default cat_dsnqual=KMG.CAT is used, then the following data sets are allocated:
| Data set | Description |
|---|---|
| KMG.CAT.COLICRA | Collected ICSF resource information for Kafka topics |
| KMG.CAT.COLSMF | Collected SMF records for Kafka topics |
| KMG.CAT.KMGCAUTH | Output from KMGCAUTH APF program |
| KMG.CAT.DESFILE | Collected CKDS DES keys |
| KMG.CAT.ECCFILE | Collected PKDS ECC keys |
| KMG.CAT.METAFILE | Collected additional xKDS meta data |
| KMG.CAT.NULLFILE | Collected CKDS/PKDS NULL key tokens |
| KMG.CAT.P11FILE | Collected TKDS tokens |
| KMG.CAT.QSAFILE | Collected PKDS QSA keys |
| KMG.CAT.SYMFILE | Collected CKDS AES/HMAC keys |
| KMG.CAT.TR31FILE | Collected CKDS TR31 key blocks |
| KMG.CAT.SYSIN | Helper data set for SORT program |
| KMG.CAT.SYSINIF | Helper data set for SMF dump program |
| KMG.CAT.CKDSFILE | CKDS header file |
| KMG.CAT.PKDSFILE | PKDS header file |
| KMG.CAT.TKDSFILE | TKDS header file |
Note: None of these data sets are in an externally documented format; they are only of interest when debugging. Because they hold the collected key tokens and SMF records, do not leave cat_debug=yes set for routine runs, and if you do keep them for a debug session, delete them when you are done.
Kafka security setup
Refer to the Kafka Security chapter to setup security for Kafka.