Project plan for deploying IBM zCDI

Are you setting up IBM Z Crypto Discovery & Inventory for the first time? Follow this sequence of topics to complete your objective.

It is recommended that you complete the planning for IBM zCDI before you attempt to configure it.

System planners and installation managers collaborate with specialized I/T personnel to plan, configure, and manage IBM zCDI. The following checklists provide a task summary, identify the I/T role or skill that is required for each task, and provide links to further details.

Installing the product

This phase encompasses first-time setup tasks for an IBM zCDI configuration.

Table 1. Planning checklist for a first-time installation

| Task summary | I/T role or skill | Where to find instructions |
| --- | --- | --- |
| Learn what IBM zCDI is—a browser-based solution for creating an inventory of the cryptographic assets in your IBM Z System environment. | System planners and installation managers | Overview of IBM Z Crypto Discovery & Inventory |
| Review the requirements for IBM zCDI. Ensure that your installation meets the hardware and software prerequisites for using IBM zCDI. | System programmer | System requirements |
| Install the z/OS prerequisites that are included with IBM zCDI. | System planners and installation managers | IBM Z Crypto Discovery and Inventory Program Directory, GI13-5952-00 |
| You can install IBM zCDI in either of the following environments: an IBM z/OS Container Extensions (IBM zCX) configuration, or Red Hat OpenShift Container Platform (RHOCP). Set up the IBM z/OS Container Extensions (IBM zCX) or Red Hat OpenShift Container Platform (RHOCP) environment in preparation for installing the IBM zCDI application. | System programmer or Linux® administrator | IBM Z Security and Compliance Center Guide, which is available at IBM Z Security and Compliance Center. |
| Install the IBM Z Security and Compliance Center Platform (zSCP) containers from IBM Cloud Registry (ICR). | System programmer or Linux administrator | IBM Z Security and Compliance Center Guide, which is available at IBM Z Security and Compliance Center. |
| Configure the IBM Z Security and Compliance Center Platform (zSCP). Review the IBM zCDI specific considerations for the platform. | System programmer or Linux administrator | |
| Plan to install IBM zCDI product updates as they become available. | System programmer or Linux administrator | Installing a fix pack |

Configuring the z/OS system

In this phase, you configure the participating z/OS® systems.

Table 2. Planning checklist for configuring the z/OS system

| Task summary | I/T role or skill | Where to find instructions |
| --- | --- | --- |
| On each participating z/OS system, enable SMF data collection for the required SMF record types and subtypes. | System programmer | Enable the collection of SMF records |
| On each participating z/OS system, enable the collection of ICSF usage tracking records. | System programmer | Configure ICSF for cryptographic usage tracking |
| On each participating z/OS system, install and configure the UKO CAT Agent (FMID HKMG31A). | System programmer | Configure the UKO for z/OS components |
| On one system, install and configure IBM Z® Apache Kafka (FMID HKFK110). | System programmer | Configure Apache Kafka on one system |
| On each participating z/OS system, configure IBM Common Data Provider (CDP) to stream SMF records to Apache Kafka. Review the UKO CC CAT considerations for IBM zCDI. | System programmer | |
| On the same system as Apache Kafka (or a system that is accessible to that system), install and configure the UKO CC CAT (FMID HKMG31C) by using z/OSMF workflows. Note: Obtain the PostgreSQL database credentials and connection information from the person who installed IBM zSCP (the z/OS system programmer or Linux administrator). | System programmer | UKO for z/OS online documentation: |
| On each participating z/OS system, begin the data collection process by dumping the SMF data for the UKO CAT Agent to consume. Make a note of the naming convention of the data sets that contain the dumped SMF data. | System programmer | z/OS MVS System Management Facilities (SMF); see Using the SMF dump programs (in the z/OS documentation) |

Configuring IBM zCDI

In this phase, you configure the IBM zCDI product settings and perform an initial scan to create an inventory of cryptographic assets. Administrators are the most likely personnel to participate in these activities.

Table 3. Planning checklist for configuring IBM zCDI

| Task summary | I/T role or skill | Where to find instructions |
| --- | --- | --- |
| Select and install the IBM zCDI application from the IBM Z Security and Compliance Center Platform (zSCP) catalog. | zSCP platform administrator | Install IBM zCDI from the application catalog |
| Create users with the crypto-admin and crypto-user roles. | zSCP platform administrator | Install IBM zCDI from the application catalog |
| Obtain the IBM zCDI administrator user ID and password from the zSCP platform administrator. Then, log in as the zCDI administrator to configure IBM zCDI. | zCDI administrator | Log in as the IBM zCDI administrator |
| Obtain GraphQL endpoint information from the UKO CC CAT administrator (after UKO is set up, as mentioned in Table 2). The CC CAT GraphQL interface is available at the following location: https://hostname:${HTTPS_PORT}/graphql | zCDI administrator | Additional customization of the Liberty server for CC CAT (in the UKO for z/OS documentation) |
| Create the IBM Z connection. This action requires the GraphQL endpoint that was obtained in the previous step. | zCDI administrator | Create an IBM Z connection |
| Obtain the certificates from the z/OS security administrator and associate them with the IBM Z connection that you created earlier. | zCDI administrator | Establish a secure connection with the Liberty server |
| Use your web browser to log in to IBM zCDI and navigate to the dashboard. | zCDI administrator | Log in as the IBM zCDI administrator |

Administration and use

In this phase, you manage and use IBM zCDI on an ongoing basis. Administrators are the most likely personnel to participate in these activities.

These ongoing activities and other occasional administrative tasks are described in the subsequent chapters of this document.

Table 4. Planning checklist for administrator activities

| Task summary | I/T role or skill | Where to find instructions |
| --- | --- | --- |
| Create a scope. This action associates the scope with the IBM Z connection. | zCDI administrator | Create and manage a scope |
| Run the discovery function to identify systems available for inclusion in the scope. | zCDI administrator | Run the discovery function |
| Run a scan with the specified scope and policy to collect crypto usage data. | zCDI administrator | Run a scan |
| Generate a report of the scan results. | zCDI administrator and zCDI user | Generate a report |
| Manage user access to IBM zCDI. | zSCP platform administrator | Manage user access in IBM zCDI |
| Assign each user to a defined role (crypto-admin or crypto-user); distribute the user IDs and passwords to these individuals. | zSCP platform administrator | User role mappings |
| Resolve any problems that occur during installation or use of IBM zCDI. | System programmer or zSCP platform administrator | Troubleshoot problems with IBM zCDI |
| To assist with diagnosing errors in IBM zCDI, you can download a compressed archive of log files from the microservices. | zSCP platform administrator | Requesting logs for first failure data capture |