IZUPRMxx reference information

The IZUPRMxx parmlib member specifies options for z/OSMF. SYS1.SAMPLIB contains a copy of the IZUPRMxx member that you can copy to SYS1.PARMLIB and modify.

Operator commands

With the installation of APAR PH24088, it is now possible to change z/OSMF parmlib options dynamically. To do so, use the new operator commands SET IZU and SETIZU, as follows:

  • Use the SET IZU command to select one or more IZUPRMxx parmlib members for the next restart of the z/OSMF server. For example, the following specification indicates that IZUPRM01 and IZUPRM02 are to be used on the next server restart:
    SET IZU=(01,02)
  • Use the SETIZU command to modify one or more options in the currently active IZUPRMxx member. For example, the following specification indicates that SYSDA is to be used for storing output from the Incident Log FTP jobs:
    SETIZU ILUNIT=SYSDA

For more information, see z/OS MVS System Commands.

Syntax rules for IZUPRMxx

For general rules of parmlib member syntax, see z/OS MVS Initialization and Tuning Reference.

Additionally, the following rules apply to the creation of IZUPRMxx parmlib members:
  • Use columns 1-71 for data; columns 72-80 are ignored.
  • If a statement is omitted, the default is used.
  • You can enter one or more statements on a line, or use several lines for one statement.
  • Blanks are treated as delimiters. The system interprets multiple blanks as a single blank. You can use blanks between parameters and values. For example, all of the following parameter specifications are equally valid:
    
    SESSION_EXPIRE(495)
    SESSION_EXPIRE     (495)
    SESSION_EXPIRE ( 495 )
  • Comments can appear in columns 1-71 and must begin with "/*" and end with "*/". Any number of blank lines can appear between statements to improve readability.
  • Enter values in uppercase, lowercase, or mixed case. The system converts input to uppercase, unless the values are enclosed in single quotation marks, which are processed without altering the case.
    The values that you set for the following parameters might require mixed case, and therefore should be enclosed in single quotation marks:
    • HOSTNAME
    • INCIDENT_LOG UNIT
    • JAVA_HOME
    • KEYRING_NAME
    • LOGGING
    • SAF_PREFIX
    • CLOUD_SAF_PREFIX
    • CLOUD_SEC_ADMIN
    • TEMP_DIR
    • AUTOSTART_GROUP
    • USER_DIR
  • Enclose any value that contains special characters in single quotation marks.
  • You can use system symbols in IZUPRMxx. Suppose, for example, that your installation defines a symbol in IEASYMxx for the Java directory, such as JAVA80='/usr/lpp/java/J8.0_64'. To reference this symbol on the JAVA_HOME parameter in IZUPRMxx, specify the symbol as follows: JAVA_HOME(&JAVA80). The example in Syntax format of IZUPRMxx shows the use of a system symbol in IZUPRMxx.
  • Enclose any value that is the same as a keyword in single quotation marks so that the system interprets the value as a value and not as a keyword.
  • Enclose values in single quotation marks, according to the following rules:
    • Two single quotations next to each other on the same line are processed as a single quotation mark. For example, the system interprets Jane''s file as Jane's file.
    • If the length of a parameter and its value exceeds 71 characters, it requires multiple lines. Specify the first part of such a value in columns 1-71 and use as many subsequent lines as necessary to complete it. When a value spans multiple lines, place one quotation mark at the beginning of the value, stop the value in column 71 of the line, continue the value in column 1 of the next line, and complete the value with one quotation mark.
  • You can specify multiple IZUPRMxx parmlib members on the IZU= parameter of IEASYSxx. If the same statement is used more than once, either in the same member or in multiple members, the value from the last occurrence is used. For example, suppose that your installation uses two members, IZUPRM01 and IZUPRM02. If the HOSTNAME parameter is specified in both IZUPRM01 and IZUPRM02, the system uses the HOSTNAME value from IZUPRM02.
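
The syntax rules above, applied as a small Python parser that also merges members so that the last occurrence of a statement wins. This is an added example, not IBM code: the function names and sample members are constructed, the table of grouped statements is taken from the statements on this page, and system symbols such as &JAVA80 are left unresolved.

```python
import re

# Statements whose sub-parameters follow a bare keyword (names from this page).
GROUPS = {
    "INCIDENT_LOG": {"UNIT"}, "SEC_GROUPS": {"USER", "ADMIN", "SECADMIN"},
    "RESTAPI_FILE": {"ACCT", "REGION", "PROC"},
    "COMMON_TSO": {"ACCT", "REGION", "PROC"},
    "WLM_CLASSES": {"DEFAULT", "LONG_WORK"},
}
TOKEN = re.compile(r"""
    (?P<comment>/\*.*?\*/)        # comment, may span lines
  | (?P<quoted>'(?:[^']|'')*')    # quoted value; a doubled quote is a literal quote
  | (?P<punct>[(),])
  | (?P<word>[^\s(),']+)
""", re.S | re.X)

def tokenize(member_text):
    """Return (kind, text) tokens for one member, reading columns 1-71 only."""
    # Pad each record so a quoted value that stops in column 71 continues
    # in column 1 of the next record; columns 72-80 are dropped.
    body = "\n".join(l[:71].ljust(71) for l in member_text.splitlines())
    if TOKEN.sub("", body).strip():        # only a stray quote can be left over
        raise ValueError("unterminated quoted value")
    tokens = []
    for m in TOKEN.finditer(body):
        kind, text = m.lastgroup, m.group()
        if kind == "quoted":               # case preserved, record boundary removed
            text = text[1:-1].replace("\n", "").replace("''", "'")
        elif kind == "word":               # unquoted input is folded to uppercase
            text = text.upper()
        if kind != "comment":
            tokens.append((kind, text))
    return tokens

def parse_member(member_text, settings):
    """Add one member's statements to settings as {name: [values]}."""
    tokens, group, i = tokenize(member_text), None, 0
    while i < len(tokens):
        kind, text = tokens[i]
        i += 1
        if (kind, text) == ("punct", ","):
            continue                       # separator between sub-parameters
        if kind != "word":
            raise ValueError(f"unexpected {text!r}")
        if tokens[i:i + 1] == [("punct", "(")]:
            end = tokens.index(("punct", ")"), i)   # ValueError if unclosed
            values = [t for k, t in tokens[i + 1:end] if k != "punct"]
            if not (group and text in GROUPS[group]):
                group = None               # a top-level statement ends the group
            settings[f"{group}.{text}" if group else text] = values
            i = end + 1
        elif text in GROUPS:
            group = text
        else:
            raise ValueError(f"keyword {text} has no value")
    return settings

def effective_settings(members):
    """Merge members in IZU=(..) order; the last occurrence of a statement wins."""
    settings = {}
    for text in members:
        parse_member(text, settings)
    return settings

# Constructed sample members, not taken from a real system.
LOG_STMT = "LOGGING('*=warning:com.ibm.zoszmf.*=info:com.ibm.zoszmf.environment.ui=finer')"
IZUPRM01 = "\n".join([
    "HOSTNAME('zosmf.example.com')   /* case is kept inside quotes */",
    "HTTP_SSL_PORT(443)".ljust(72) + "00010000",   # columns 73-80 ignored
    "SESSION_EXPIRE ( 495 )   csrf_switch(on)",
    LOG_STMT[:71], LOG_STMT[71:],                  # value split at column 71
    "TEMP_DIR('/tmp/Jane''s dir')",
    "SEC_GROUPS USER(IZUUSER),ADMIN(IZUADMIN)",
])
IZUPRM02 = "CSRF_SWITCH(OFF)\nHTTP_SSL_PORT(30443)"

if __name__ == "__main__":
    for name, values in effective_settings([IZUPRM01, IZUPRM02]).items():
        print(name, values)
```

With both sample members merged, CSRF_SWITCH resolves to OFF even though the first member sets it to ON, which is why a review should look at the merged result rather than at one member.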

Syntax format of IZUPRMxx


HOSTNAME('*')                                                                   
HTTP_SSL_PORT(443)                                                              
INCIDENT_LOG UNIT('SYSALLDA')                                                      
JAVA_HOME('&JAVA80_HOME')     /* System symbol used to define Java home directory */                                                   
KEYRING_NAME('IZUKeyring.IZUDFLT')                                              
LOGGING('*=warning:com.ibm.zoszmf.*=info:com.ibm.zoszmf.environment.ui=finer')  
RESTAPI_FILE ACCT(IZUACCT) REGION(65536) PROC(IZUFPROC)   
/* Common TSO logon proc, account, and region size, used by all services by default.     */
COMMON_TSO ACCT(IZUACCT) REGION(50000) PROC(IZUFPROC)                     
SAF_PREFIX('IZUDFLT')
CLOUD_SAF_PREFIX ('IYU')     
CLOUD_SEC_ADMIN(userid)                                            
SEC_GROUPS USER(IZUUSER),ADMIN(IZUADMIN),SECADMIN(IZUSECAD)                     
SESSION_EXPIRE(495)                                                            
TEMP_DIR('/tmp')     
CSRF_SWITCH(ON)
SERVER_PROC(IZUSVR1)
ANGEL_PROC(IZUANG1) 
AUTOSTART(LOCAL)     
AUTOSTART_GROUP('IZUDFLT')
USER_DIR('/global/zosmf/')                                                     
UNAUTH_USER(IZUGUEST)                                                           
WLM_CLASSES DEFAULT(IZUGHTTP) 
            LONG_WORK(IZUGWORK) 
 
/* Uncomment the following statement and any plugins that are desired */   
/* PLUGINS( INCIDENT_LOG,COMMSERVER_CFG,WORKLOAD_MGMT,RESOURCE_MON,
             CAPACITY_PROV,SOFTWARE_MGMT, SYSPLEX_MGMT, ISPF )   */                         

IBM-supplied defaults for IZUPRMxx

There is no default IZUPRMxx parmlib member. IBM provides a sample IZUPRM00 parmlib member in the SAMPLIB data set.

Syntax format of IZUPRMxx shows the IBM-supplied IZUPRM00 member. Notice that the PLUGINS statement is commented out; to use it, you must remove the comment characters.

Statements and parameters for IZUPRMxx

HOSTNAME('hostname')
Specifies the hostname, as defined by DNS, where the z/OSMF server is located. Specify the IP address for your system. If you are using z/OSMF in a multisystem sysplex, IBM recommends that you use a dynamic virtual IP address (DVIPA), which resolves to the correct IP address if the z/OSMF server is moved to a different system.
Note: HOSTNAME="*" means listen on all adapters. By default, the server is listening only on address 127.0.0.1/localhost. You can also use the HOSTNAME parameter to specify a single IP address to have the system listen only on the specified IP address.
Rules: Must be a valid TCP/IP HOSTNAME or an asterisk (*).
Default: *
HTTP_SSL_PORT(nnn)
Identifies the port number that is associated with the z/OSMF server. This port is used for SSL encrypted traffic from your z/OSMF configuration. The default value, 443, follows the Internet Engineering Task Force (IETF) standard.

By default, the z/OSMF server uses the SSL protocol SSL_TLSv2 for secure TCP/IP communications. As a result, the server can accept incoming connections that use SSL V3.0 and the TLS 1.0, 1.1 and 1.2 protocols.

The z/OSMF server port uses Java SSL encryption to protect its outbound HTTPS connections. Therefore, it is not necessary (or possible) to configure AT-TLS on the z/OSMF server port. If you attempt to do so, the z/OSMF server encounters HTTP connection failures and errors, such as the following, in the server logs directory:
  • IZUG476E: The HTTP request to the secondary z/OSMF instance "209" failed with error type "CertificateError" and response code "0"
  • javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
Rules: Must be a valid TCP/IP port number.
Value range: 1 - 65535 (up to 5 digits)
Default: 443
INCIDENT_LOG UNIT('device-name')
Specifies the device to be used for storing data sets and z/OS UNIX files for the FTP jobs that are used for the Incident Log service.
Rules: You must specify a generic name (such as “3390”) or an esoteric name (such as “DISK”). The esoteric name SYSALLDA, which is used by default, is automatically defined by the system to include all direct-access disk devices.
Default: SYSALLDA
JAVA_HOME('directory-name')
Specifies the fully qualified path name for IBM 64-bit SDK for z/OS, Java Technology Edition on your system.
Rules:
  • Must be a valid z/OS UNIX System Services path name.
  • Must begin with a forward slash (/).
  • Must specify a full or absolute path name.
Default: /usr/lpp/java/J8.0_64
KEYRING_NAME('keyring-name')
Specifies the key ring name for the z/OSMF server. The format is IZUKeyring.<SAF_PREFIX>.
Rules: Must be the name of a valid RACF profile in the DIGTRING class.
Note: The IZUSEC job contains statements that include the generation of digital certificates and the key ring. The value that is specified here must match the key ring name that you defined for z/OSMF in the IZUSEC job or by entering equivalent commands.
Default: IZUKeyring.IZUDFLT
LOGGING('trace_specification')
Initial trace state for the z/OSMF server. These settings are read when the server is started. Changes to this value are provided, when necessary, by IBM Support.
Rules:
  • 1 - 2048 characters
  • Case sensitive.
Default: *=warning:com.ibm.zoszmf.*=info:com.ibm.zoszmf.environment.ui=finer
RESTAPI_FILE ACCT(account-number) REGION(region-size) PROC(proc-name)
Specifies values for the TSO logon procedure that is used internally by the z/OS data set and file REST interface services. Except for the account number, it is recommended that you use the defaults, which should be adequate for most z/OS installations. If you specify alternative values, you must ensure that the z/OSMF user and z/OSMF administrator security groups are authorized to use the logon procedure name and account number that you specify, and that the region size is at least 65536 kilobytes (KB).

All z/OSMF users must have TSO segments that are defined in the external security manager, such as RACF. Failure to have a TSO segment for each user ID prevents some z/OSMF functions from working.

ACCT(account-number)
Account number to be used for the TSO/E logon procedure that is used for the z/OS® data set and file REST interface services.
Rules: A valid accounting number for your installation.
Default: IZUACCT
REGION(region-size)
Region size (in kilobytes) to be used for the TSO/E logon procedure for the z/OS data set and file REST interface services.
Value range: 65536 – 2096128
Default: 65536
PROC(proc-name)
TSO/E logon procedure to be used for operations with the z/OS data set and file REST interface services. It is recommended that you accept the default procedure, IZUFPROC, which is supplied by IBM as a cataloged procedure in SYS1.PROCLIB.
Rules: Must be a valid partitioned data set member name.
Default: IZUFPROC
COMMON_TSO ACCT(account-number) REGION(region-size) PROC(proc-name)
Specifies values for the TSO/E logon procedure that is used internally for various z/OSMF activities. This setting is applicable if your z/OSMF configuration uses:
  • z/OS console REST interface services
  • Software Management task
  • Workflows task

Except for the account number, it is recommended that you use the default values, which should be adequate for most z/OS installations. If you specify alternative values, you must ensure that the z/OSMF user and z/OSMF administrator security groups are authorized to use the logon procedure name and account number that you specify, and that the region size is at least 50 MB.

All z/OSMF users must have a TSO segment that is defined in the USER profiles that are used by the external security manager, such as RACF. Failure to have a TSO segment for each user ID prevents some z/OSMF functions from working.

ACCT(account-number)
Account number to be used for the common TSO/E logon procedure for z/OSMF.
Rules: A valid accounting number for your installation.
Default: IZUACCT
REGION(region-size)
Region size (in kilobytes) to be used for the common logon procedure for z/OSMF.
Value range: 50000 – 2096128
Default: 50000
PROC(proc-name)
TSO/E logon procedure to be used for z/OSMF. It is recommended that you accept the default procedure, IZUFPROC, which is supplied by IBM as a cataloged procedure in SYS1.PROCLIB.
Rules: Must be a valid partitioned data set member name.
Default: IZUFPROC
SAF_PREFIX('IZUDFLT')
SAF profile prefix that is prepended to the names of any resource profile names to be used for the z/OSMF core functions and optional services.
Note: The IZUxxSEC sample jobs contain commands that include the SAF profile prefix for creating resource profile names. The value that is specified here must match the prefix name that you define for z/OSMF in the IZUxxSEC jobs or by entering equivalent commands.
Rules:
  • Must follow the rules for RACF profile names.
  • 1 – 3 characters.
Default: IZUDFLT
CLOUD_SAF_PREFIX('IYU')
SAF profile prefix that is prepended to the names of any groups to be used for authorizing users to IBM Cloud® Provisioning and Management for z/OS task activities.
Note: The IZUPRSEC sample job contains commands that include the group name for creating authorizations for IBM Cloud Provisioning and Management for z/OS. The value that is specified here must match the prefix name that you define for Cloud Provisioning authorizations in the IZUPRSEC job or by entering equivalent commands.
Rules:
  • Must follow the rules for RACF profile names.
  • 1 – 3 characters.
Default: IYU
CLOUD_SEC_ADMIN('user-id')
Specifies the security administrator user ID to be used for automatic security management in Cloud Provisioning. When specified, automatic security updates are performed under this user ID. Otherwise, if this value is omitted, security updates for Cloud Provisioning must be performed manually by your security administrator.
The user ID that is specified here must be connected to the z/OSMF security administrator group, which is named IZUSECAD by default. The IZUPRSEC job in SYS1.SAMPLIB contains a commented RACF command for creating this authorization. Minimally, this user ID requires:
  • READ access to the ZMFCLOUD class resource profile IZUDFLT.ZOSMF.SECURITY.ADMIN.
  • Authorization to manage resource profiles in the ZMFAPLA and ZMFCLOUD resource classes.
  • Authorization to manage security groups.

During regular operations with Cloud Provisioning, your installation might periodically update Resource Management domains and tenants to add or remove users. Such changes require updates to your security setup. By specifying a user ID for the CLOUD_SEC_ADMIN keyword, you indicate that automatic security is to be used for performing user authorizations. If so, the authorizations are performed automatically by the Resource Management task, by using a security REXX exec that is provided by the external security manager. For example, IBM supplies the REXX exec izu.provisioning.security.config.rexx for use with RACF. For more information, see Automatic security management for Cloud Provisioning.

If the CLOUD_SEC_ADMIN value is changed, the new setting applies only to domains that are created after the change. Any existing domains continue to operate with manual or automated security, based on the value that was in effect when these domains were created.

Note: With the installation of the PTF for APAR PH29813, the default domain now supports manual security mode for creating templates and tenants. This option is intended for provisioning environments that cannot use automatic security mode. Previously, the default domain was required to run in automatic security mode. Now, when the default domain is created at z/OSMF startup time, it is placed in manual security mode if no security administrator is specified on the CLOUD_SEC_ADMIN statement in the IZUPRMxx parmlib member.

If you have incorrectly configured the security mode for Cloud Provisioning and Management, it is possible to change it. Doing so requires only that you edit the CLOUD_SEC_ADMIN statement in the IZUPRMxx parmlib member and restart the z/OSMF server. You can switch a domain from automatic security to manual security, and vice versa. Your changes to the CLOUD_SEC_ADMIN statement affect the security mode of all existing domains. The suggested practice is that you run Cloud Provisioning and Management in automatic security mode.

Rules:
  • Must follow the rules for z/OS user IDs.
  • 1 – 8 characters.
Default: None. If you do not provide a valid z/OS user ID, the Resource Management task does not perform automatic security updates.
SEC_GROUPS USER(group-name),ADMIN(group-name),SECADMIN(group-name)
Specifies group names for the base set of z/OSMF security groups: user, administrator, and z/OS security administrator.
USER(group-name)
Security group to be used for the z/OSMF user role. The user IDs that are connected to this group are considered to be z/OSMF users.
Default: IZUUSER
ADMIN(group-name)
Security group to be used for the z/OSMF administrator role. The user IDs that are connected to this group are considered to be z/OSMF administrators.
Default: IZUADMIN
SECADMIN(group-name)
Group name to be used for the z/OS Security Administrator role. This group is permitted to the Workflows task.
Default: IZUSECAD
SESSION_EXPIRE(nnn)
Amount of time (in minutes) for the session timeout. z/OSMF user sessions expire when this period elapses. For more information, see Re-authenticating in z/OSMF.
Value range: 15-999999
Default: 495
TEMP_DIR('path-name')
Temporary directory for various z/OSMF activities. This setting is applicable if your z/OSMF configuration uses:
  • Incident Log task
  • Workflows task
  • z/OSMF Diagnostic Assistant task
The temporary directory is used as follows:
  • Incident Log task uses this directory for sending z/OS UNIX file attachments through FTP.
  • Workflows task uses this directory for storing temporary files.
  • z/OSMF Diagnostic Assistant task uses this directory for storing temporary files.

Users of these z/OSMF tasks require write access to the temporary directory. Otherwise, the task might fail with an authorization error (the user encounters message ICH408I).

Notes:
  • As part of its data collection, the z/OSMF Diagnostic Assistant task copies the z/OSMF log files and configuration files into a compressed (.zip) file and saves the file in the TEMP_DIR directory. The amount of storage needed to contain the compressed file varies, depending on your installation's use of z/OSMF. If the size of the compressed file exceeds the TEMP_DIR space, an error message is issued to the user of the z/OSMF Diagnostic Assistant task. If this problem occurs, increase the storage amount for the TEMP_DIR directory.
  • In IBM Cloud Provisioning and Management for z/OS provisioning, a number of functions are performed by using workflows. For example, a software template is composed of one or more workflows. Therefore, any user who is involved in IBM Cloud Provisioning and Management for z/OS provisioning is also a potential user of the Workflows task. You must ensure that these users have write access to the TEMP_DIR location.

Rules:
  • Must be a valid z/OS UNIX path name.
  • Must specify the full or absolute path name, and a maximum of 255 characters between slashes.
Default: /tmp
CSRF_SWITCH(ON|OFF)
Indicates whether Cross Site Request Forgery (CSRF) custom header checking is enabled for REST API requests. By default, CSRF_SWITCH is set to ON to ensure that your installation is protected against CSRF attacks. In some limited cases, such as for testing, you might choose to temporarily disable CSRF checking by setting CSRF_SWITCH=OFF; otherwise, it is recommended that you leave this setting enabled to prevent CSRF attacks. For more information, see IBM z/OS Management Facility Programming Guide.
Default: ON
SERVER_PROC(proc-name)
Specifies the name of the started procedure that is used to start the z/OSMF server on this system. It is recommended that you use the default started procedure, which should be adequate for most z/OS installations. If you specify an alternative procedure name, ensure that the z/OSMF user and z/OSMF administrator security groups are authorized to the started procedure name.
Rules: Must specify a valid partitioned data set member name.
Default: IZUSVR1
ANGEL_PROC(proc-name)
Specifies the started procedure that is used to start the z/OSMF angel process on this system. It is recommended that you use the default started procedure, which should be adequate for most z/OS installations. If you specify an alternative procedure name, ensure that the z/OSMF user and z/OSMF administrator security groups are authorized to the started procedure name.
With the installation of APAR PI88651, the ANGEL_PROC statement specifies both the name of the angel process and its started procedure name.
Example: ANGEL_PROC(IZUANG1) indicates that both the angel procedure member name and angel process name are IZUANG1.
Rules: Must specify a valid partitioned data set member name.
Default: IZUANG1
AUTOSTART(LOCAL|CONNECT)
Specifies whether the z/OSMF server is to be started automatically on this system.
The valid settings for AUTOSTART are as follows:
LOCAL
Indicates that the system is to automatically start the z/OSMF server.
CONNECT
Indicates that the z/OSMF server is not to be autostarted on the local z/OS system.
  1. IBM recommends that you specify LOCAL for all systems in a sysplex, or let it default to LOCAL, if you are using shared file systems for the z/OSMF data directory for each AUTOSTART group. If all systems in a sysplex are part of the same AUTOSTART group, the default, /global/zosmf, allows this. z/OSMF starts only on one system in the sysplex, if the sysplex has only one AUTOSTART group.
  2. If you have more than one AUTOSTART group in a sysplex, you should use a shared file system for each one, with a unique mount point. For example, if you have AUTOSTART groups that are named ZOSMFA and ZOSMFB, you might use /global/zosmf/zosmfa for the first and /global/zosmf/zosmfb for the second. In this case, specifying LOCAL on all systems results in z/OSMF starting on one system per AUTOSTART group.
  3. When the z/OSMF server has been started automatically on another system in the same AUTOSTART group in the same sysplex, requests for z/OSMF services that originate on the local system are routed to the remote server.
  4. When AUTOSTART(CONNECT) is specified for every system in a sysplex, the z/OSMF server is not autostarted on any system in the sysplex. The z/OSMF server can be started with the START command or through automation when no other z/OSMF server is active in the system’s AUTOSTART group.

If a z/OSMF server fails, it must be restarted to restore z/OSMF operations for the autostart group. The server can be restarted on this system or another system, regardless of whether the system is specified as AUTOSTART(LOCAL) or AUTOSTART(CONNECT), using the START command or through automation.

Default: LOCAL
AUTOSTART_GROUP(IZUDFLT|nnnnnnnn)
Associates the local system with other systems that can share an autostarted z/OSMF server. AUTOSTART_GROUP defines a domain for z/OSMF work and associated persistent data within a sysplex. By default, one autostart group that is called IZUDFLT exists per sysplex. To associate the z/OSMF server on this system with a different autostart group, specify the desired name here.
Rules:
  • Must consist of 1-32 alphanumeric characters (A-Z, a-z, 0-9) or special characters (#, $, or @).
  • Alphabetic characters are case insensitive.
Default: IZUDFLT
USER_DIR
z/OSMF data directory path. By default, the z/OSMF data directory is located in /global/zosmf. If you want to use a different path for the z/OSMF data directory, specify that value here, for example: USER_DIR='/the/new/config/dir'.

Every autostart group within a sysplex must have a unique specification for USER_DIR. If you plan to use an autostarted z/OSMF server, this file system must be mounted when you IPL the system. Otherwise, the z/OSMF server cannot be autostarted.

If you specify both USER_DIR= in IZUPRMxx and USERDIR= on the PROC statement of the started procedure, the system uses the path that is specified by USERDIR= in the started procedure.

Rules: Must be a valid z/OS UNIX path name.
Default: /global/zosmf/
UNAUTH_USER(user-id)
Represents an unauthenticated user. Provides an unknown user with basic privileges to access the z/OSMF log-in page, but nothing more.
Rules:
  • Must follow the rules for z/OS user IDs.
  • 1 – 8 characters.
Default: IZUGUEST
WLM_CLASSES DEFAULT(class-name)
Specifies the WLM transaction classes for managing z/OSMF work.
DEFAULT(class-name)
WLM transaction class to be used for managing z/OSMF work, except for long-running work. See the description of the LONG_WORK(class-name) statement.
Rules: Must specify a valid WLM transaction class name.
Default: IZUGHTTP
LONG_WORK(class-name)
WLM transaction class to be used for managing the execution of long-running work.
Rules: Must specify a valid WLM transaction class name.
Default: IZUGWORK
PLUGINS(plugin-id,plugin-id,plugin-id,...)
Specifies the optional services to be made available in your configuration. Enter one or more of the service identifiers that are shown in Table 1.
Table 1. z/OSMF optional services and associated service IDs
Service ID        Service name
CAPACITY_PROV     Capacity Provisioning
COMMSERVER_CFG    Network Configuration Assistant
INCIDENT_LOG      Incident Log
ISPF              ISPF
RESOURCE_MON      Resource Monitoring
SOFTWARE_MGMT     Software Deployment
SYSPLEX_MGMT      Sysplex Management
WORKLOAD_MGMT     Workload Management
ZERT_ANALYZER     IBM® zERT Network Analyzer

After a service is enabled, you might later decide to remove it. To do so, edit the IZUPRMxx parmlib member and remove the service identifier from the PLUGINS statement. Then, restart the z/OSMF server. This action removes the services from the z/OSMF desktop interface. Any residual data that is associated with the service is saved in z/OSMF, in case you decide to enable it again later.

Default: No optional services are enabled by default.
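
A configuration check over the statements described above, as an added example (not IBM code). It assumes the effective settings are already available as a Python mapping of statement name to a list of values, with sub-parameters keyed as GROUP.PARM; the sample values are constructed, and the defaults, ranges and service IDs are the ones listed on this page.

```python
import re

# Defaults, ranges and service IDs below are the ones documented on this page.
DEFAULTS = {
    "HTTP_SSL_PORT": "443", "SESSION_EXPIRE": "495", "CSRF_SWITCH": "ON",
    "AUTOSTART": "LOCAL", "AUTOSTART_GROUP": "IZUDFLT", "SAF_PREFIX": "IZUDFLT",
    "KEYRING_NAME": "IZUKeyring.IZUDFLT", "JAVA_HOME": "/usr/lpp/java/J8.0_64",
    "TEMP_DIR": "/tmp", "USER_DIR": "/global/zosmf/", "UNAUTH_USER": "IZUGUEST",
    "RESTAPI_FILE.REGION": "65536", "COMMON_TSO.REGION": "50000",
}
RANGES = {
    "HTTP_SSL_PORT": (1, 65535), "SESSION_EXPIRE": (15, 999999),
    "RESTAPI_FILE.REGION": (65536, 2096128),
    "COMMON_TSO.REGION": (50000, 2096128),
}
CHOICES = {"CSRF_SWITCH": {"ON", "OFF"}, "AUTOSTART": {"LOCAL", "CONNECT"}}
PLUGIN_IDS = {
    "CAPACITY_PROV", "COMMSERVER_CFG", "INCIDENT_LOG", "ISPF", "RESOURCE_MON",
    "SOFTWARE_MGMT", "SYSPLEX_MGMT", "WORKLOAD_MGMT", "ZERT_ANALYZER",
}


def audit(settings):
    """Return (severity, statement, message) findings for effective settings."""
    eff = {name: [value] for name, value in DEFAULTS.items()}
    eff.update(settings)              # omitted statements keep their default
    out = []
    for name, (lo, hi) in RANGES.items():
        val = eff[name][0]
        if not (val.isdecimal() and lo <= int(val) <= hi):
            out.append(("ERROR", name, f"{val} is outside {lo}-{hi}"))
    for name, allowed in CHOICES.items():
        if eff[name][0] not in allowed:
            out.append(("ERROR", name, f"{eff[name][0]} is not a valid setting"))
    if eff["CSRF_SWITCH"][0] == "OFF":
        out.append(("WARN", "CSRF_SWITCH", "CSRF header checking is disabled"))
    for name in ("JAVA_HOME", "TEMP_DIR", "USER_DIR"):
        val = eff[name][0]
        # A leading & is a system symbol, resolved by the system, not here.
        if not val.startswith(("/", "&")):
            out.append(("ERROR", name, f"{val} is not an absolute path"))
    for name in ("CLOUD_SEC_ADMIN", "UNAUTH_USER"):
        if name in eff and not 1 <= len(eff[name][0]) <= 8:
            out.append(("ERROR", name, "user ID must be 1-8 characters"))
    if not re.fullmatch(r"[A-Za-z0-9#$@]{1,32}", eff["AUTOSTART_GROUP"][0]):
        out.append(("ERROR", "AUTOSTART_GROUP", "invalid group name"))
    ring = "IZUKeyring." + eff["SAF_PREFIX"][0]
    if eff["KEYRING_NAME"][0] != ring:
        out.append(("WARN", "KEYRING_NAME", f"expected format {ring}"))
    for plugin in sorted(set(eff.get("PLUGINS", [])) - PLUGIN_IDS):
        out.append(("ERROR", "PLUGINS", f"{plugin} is not a known service ID"))
    if "CLOUD_SEC_ADMIN" not in eff:
        out.append(("INFO", "CLOUD_SEC_ADMIN", "omitted: security updates are manual"))
    return out


# Constructed effective settings, shaped as {statement: [values]}.
SAMPLE = {
    "CSRF_SWITCH": ["OFF"], "SESSION_EXPIRE": ["5"], "TEMP_DIR": ["tmp"],
    "JAVA_HOME": ["&JAVA80_HOME"], "SAF_PREFIX": ["IZUTEST"],
    "PLUGINS": ["ISPF", "FOO_PLUGIN"], "COMMON_TSO.REGION": ["50000"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

The KEYRING_NAME finding in the sample comes from changing SAF_PREFIX while leaving the key ring at its default; confirm the ring name against the one created by the IZUSEC job before treating it as an error.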

Example of IZUPRMxx parmlib member

In the example that follows, an IZUPRMxx parmlib member is used to set these values:
  • Port 30443.
  • System symbol for the Java home directory. The symbol must also be defined in your IEASYMxx member.
  • On startup, the system autostarts a z/OSMF server. The autostarted z/OSMF server processes requests from all systems that are members of the z/OSMF autostart group IZUDFLT.
  • These optional services are selected: Network Configuration Assistant, Software Deployment, and Sysplex Management. The services are enabled for use when your installation completes the required host system customization. See z/OSMF optional services.
HTTP_SSL_PORT(30443)
JAVA_HOME('&JAVA80_HOME')     /* System symbol used to define Java home */ 
AUTOSTART(LOCAL)
AUTOSTART_GROUP(IZUDFLT)
PLUGINS(COMMSERVER_CFG,SOFTWARE_MGMT,SYSPLEX_MGMT)