IZUPRMxx reference information
The IZUPRMxx parmlib member specifies options for z/OSMF. SYS1.SAMPLIB contains a copy of the IZUPRMxx member that you can copy to SYS1.PARMLIB and modify.

Operator commands
With the installation of APAR PH24088, it is now possible to change z/OSMF parmlib options dynamically. To do so, use the new operator commands SET IZU and SETIZU, as follows:
- Use the SET IZU to select one or more IZUPRMxx parmlib members for the next restart of the
z/OSMF server. For example, the following specification indicates that IZUPRM01 and IZUPRM02 are to
be used on the next server restart:
SET IZU=(01,02)
- Use the SETIZU command to modify one or more options in the currently active IZUPRMxx member.
For example, the following specification indicates that SYSDA is to be used for storing output from
the Incident Log FTP jobs:
SETIZU ILUNIT=SYSDA
For more information, see z/OS MVS System Commands.

Syntax rules for IZUPRMxx
For general rules of parmlib member syntax, see z/OS MVS Initialization and Tuning Reference.
- Use columns 1-71 for data; columns 72-80 are ignored.
- If a statement is omitted, the default is used.
- You can enter one or more statements on a line, or use several lines for one statement.
- Blanks are treated as delimiters. The system interprets multiple blanks as
a single blank. You can use blanks between parameters and values. For example, all of the following
parameter specifications are equally valid:
SESSION_EXPIRE(495) SESSION_EXPIRE (495) SESSION_EXPIRE ( 495 )
- Comments can appear in columns 1-71 and must begin with "/*" and end with "*/". Any number of blank lines can appear between statements to improve readability.
- Enter values in uppercase, lowercase, or mixed case. The system converts input to uppercase,
unless the values are enclosed in single quotation marks, which are processed without altering the
case. These values that you set for these parameters might require mixed casing, and therefore should be enclosed in single quotation marks:
- HOSTNAME
- INCIDENT_LOG UNIT
- JAVA_HOME
- KEYRING_NAME
- LOGGING
- SAF_PREFIX
- CLOUD_SAF_PREFIX
- CLOUD_SEC_ADMIN
- TEMP_DIR
- AUTOSTART_GROUP
- USER_DIR
- Enclose any value that contains special characters in single quotation marks.
- You can use system symbols in IZUPRMxx. Suppose, for example, that your installation
defines a symbol in IEASYMxx for the Java directory, such as
JAVA80='/usr/lpp/java/J8.0_64'
. To reference this symbol on the JAVA_HOME parameter in IZUPRMxx, specify the symbol as follows:JAVA_HOME(&JAVA80)
. The example in Syntax format of IZUPRMxx shows the use of a system symbol in IZUPRMxx. - Enclose any value that is the same as a keyword in single quotation marks so that the system interprets the value as a value and not as a keyword.
- Enclose values in single quotation marks, according to the following rules:
- Two single quotations next to each other on the same line are processed as a single quotation
mark. For example, the system interprets
Jane''s file
asJane's file
. - If the length of a parameter and its value exceeds 71 characters, it requires multiple lines. Specify the first part of such a value in columns 1-71 and use as many subsequent lines as necessary to complete it. When a value spans multiple lines, place one quotation mark at the beginning of the value, stop the value in column 71 of the line, continue the value in column 1 of the next line, and complete the value with one quotation mark.
- Two single quotations next to each other on the same line are processed as a single quotation
mark. For example, the system interprets
- You can specify multiple IZUPRMxx parmlib members on the IZU= parameter of IEASYSxx. If the same statement is used more than once, either in the same member or in multiple members, the value from the last occurrence is used. For example, suppose that your installation uses two members, IZUPRM01 and IZUPRM02. If the HOSTNAME parameter is specified in both IZUPRM01 and IZUPRM02, the system uses the HOSTNAME value from IZUPRM02.
Syntax format of IZUPRMxx
HOSTNAME('*')
HTTP_SSL_PORT(443)
INCIDENT_LOG UNIT('SYSALLDA')
JAVA_HOME('&JAVA80_HOME') /* System symbol used to define Java home directory */
KEYRING_NAME('IZUKeyring.IZUDFLT')
LOGGING('*=warning:com.ibm.zoszmf.*=info:com.ibm.zoszmf.environment.ui=finer')
RESTAPI_FILE ACCT(IZUACCT) REGION(65536) PROC(IZUFPROC)
/* Common TSO logon proc, account, and region size, used by all services by default. */
COMMON_TSO ACCT(IZUACCT) REGION(50000) PROC(IZUFPROC)
SAF_PREFIX('IZUDFLT')
CLOUD_SAF_PREFIX ('IYU')
CLOUD_SEC_ADMIN(userid)
SEC_GROUPS USER(IZUUSER),ADMIN(IZUADMIN),SECADMIN(IZUSECAD)
SESSION_EXPIRE(495)
TEMP_DIR('/tmp')
CSRF_SWITCH(ON)
SERVER_PROC(IZUSVR1)
ANGEL_PROC(IZUANG1)
AUTOSTART(LOCAL)
AUTOSTART_GROUP('IZUDFLT')
USER_DIR('/global/zosmf/')
UNAUTH_USER(IZUGUEST)
WLM_CLASSES DEFAULT(IZUGHTTP)
LONG_WORK(IZUGWORK)
/* Uncomment the following statement and any plugins that are desired */
/* PLUGINS( INCIDENT_LOG,COMMSERVER_CFG,WORKLOAD_MGMT,RESOURCE_MON,
CAPACITY_PROV,SOFTWARE_MGMT, SYSPLEX_MGMT, ISPF ) */
IBM-supplied defaults for IZUPRMxx
There is no default IZUPRMxx parmlib member. IBM provides a sample IZUPRM00 parmlib member in the SAMPLIB data set.
Syntax format of IZUPRMxx shows the IBM-supplied IZUPRM00 member. Notice that the PLUGINS statement is commented out; to use it, you must remove the comment characters.
Statements and parameters for IZUPRMxx
- HOSTNAME('hostname')
- Specifies the hostname, as defined by DNS, where the z/OSMF server is located. Specify the IP
address for your system. If you are using z/OSMF in a multisystem sysplex, IBM recommends that you
use a dynamic virtual IP address (DVIPA), which resolves to the correct IP address if the z/OSMF
server is moved to a different system. Note:
HOSTNAME="*"
means listen on all adapters. By default, the server is listening only on address127.0.0.1/localhost
. You can also use the HOSTNAME parameter to specify a single IP address to have the system listen only on the specified IP address.Rules: Must be a valid TCP/IP HOSTNAME or an asterisk (*).Default: * - HTTP_SSL_PORT(nnn)
- Identifies the port number that is associated with the z/OSMF server. This port is used for SSL
encrypted traffic from your z/OSMF configuration. The default value, 443, follows the Internet
Engineering Task Force (IETF) standard.
By default, the z/OSMF server uses the SSL protocol SSL_TLSv2 for secure TCP/IP communications. As a result, the server can accept incoming connections that use SSL V3.0 and the TLS 1.0, 1.1 and 1.2 protocols.
The z/OSMF server port uses Java SSL encryption to protect its outbound HTTPS connections. Therefore, it is not necessary (or possible) to configure AT-TLS on the z/OSMF server port. If you attempt to do so, the z/OSMF server encounters HTTP connection failures and errors, such as the following, in the server logs directory:IZUG476E: The HTTP request to the secondary z/OSMF instance "209" failed with error type "CertificateError" and response code "0"
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
Rules: Must be a valid TCP/IP port number.Value range: 1 - 65535 (up to 5 digits)Default:443
- INCIDENT_LOG UNIT('device-name')
- Specifies the device to be used for storing data sets and z/OS UNIX files for the FTP jobs that
are used for the Incident Log service.Rules: You must specify a generic name (such as “3390”) or an esoteric name (such as “DISK”). The esoteric name SYSALLDA, which is used by default, is automatically defined by the system to include all direct-access disk devices.Default:
SYSALLDA
- JAVA_HOME('directory-name')
- Specifies the fully qualified path name for IBM 64-bit SDK for z/OS, Java Technology Edition on
your system. Rules:
- Must be a valid z/OS UNIX System Services path name.
- Must begin with a forward slash (/).
- Must specify a full or absolute path name.
Default: /usr/lpp/java/J8.0_64 - KEYRING_NAME('keyring-name')
- Specifies the key ring name for the z/OSMF
server. The format is
IZUKeyring.<SAF_PREFIX>
.Rules: Must be the name of a valid RACF profile in the DIGTRING class.Note: The IZUSEC job contains statements that include the generation of digital certificates and the key ring. The value that is specified here must match the key ring name that you defined for z/OSMF in the IZUSEC job or by entering equivalent commands.Default:IZUKeyring.IZUDFLT
- LOGGING('trace_specification')
- Initial trace state for the z/OSMF server. These
settings are read when the server is started. Changes to this value are provided,
when necessary, by IBM Support.
Rules:
- 1 - 2048 characters
- Case sensitive.
Default:*=warning:com.ibm.zoszmf.*=info:com.ibm.zoszmf.environment.ui=finer
- RESTAPI_FILE ACCT(account-number) REGION(region-size) PROC(proc-name)
- Specifies values for the TSO logon procedure that is used internally by the z/OS data set and
file REST interface services. Except for the account number, it is recommended
that you use the defaults, which should be adequate for most z/OS installations. If you specify
alternative values, you must ensure that the z/OSMF
user and z/OSMF administrator security groups are
authorized to use the logon procedure name and account number that you specify,
and that the region size is at least 65536 kilobytes (KB).
All z/OSMF users must have TSO segments that are defined in the external security manager, such as RACF. Failure to have a TSO segment for each user ID prevents some z/OSMF functions from working.
- ACCT(account-number)
- Account number to be used for the TSO/E logon procedure that is used for
the z/OS® data set and file REST interface services.Rules: A valid accounting number for your installation.Default: IZUACCT
- REGION(region-size)
- Region size (in kilobytes) to be used for the TSO/E logon procedure for the z/OS data set and file REST interface services. Value range: 65536 – 2096128Default: 65536
- PROC(proc-name)
- TSO/E logon procedure to be used for operations with the z/OS data set and file REST interface services. It is recommended that you accept the
default procedure, IZUFPROC, which is supplied by IBM as a cataloged procedure in
SYS1.PROCLIB.Rules: Must be a valid partitioned data set member name.Default: IZUFPROC
- COMMON_TSO ACCT(account-number) REGION(region-size) PROC(proc-name)
- Specifies values for the TSO/E logon procedure that is used internally for various z/OSMF
activities. This setting is applicable if your z/OSMF
configuration uses:
- z/OS console REST interface services
- Software Management task
- Workflows task
Except for the account number, it is recommended that you use the default values, which should be adequate for most z/OS installations. If you specify alternative values, you must ensure that the z/OSMF user and z/OSMF administrator security groups are authorized to use the logon procedure name and account number that you specify, and that the region size is at least 50 MB.
All z/OSMF users must have a TSO segment that is defined in the USER profiles that are used by the external security manager, such as RACF. Failure to have a TSO segment for each user ID prevents some z/OSMF functions from working.
- ACCT(account-number)
- Account number to be used for the common TSO/E logon procedure for
z/OSMF.Rules: A valid accounting number for your installation.Default: IZUACCT
- REGION(region-size)
- Region size (in kilobytes) to be used for the common logon procedure for z/OSMF. Value range: 50000 – 2096128Default: 50000
- PROC(proc-name)
- TSO/E logon procedure to be used for z/OSMF. It is recommended that you accept the default
procedure, IZUFPROC, which is supplied by IBM as a cataloged procedure in SYS1.PROCLIB.Rules: Must be a valid partitioned data set member name.Default: IZUFPROC
- SAF_PREFIX('IZUDFLT')
- SAF profile prefix that is prepended to the names of any resource profile names to be used for
the z/OSMF core functions and optional
services.Note: The IZUxxSEC sample jobs contain commands that include the SAF profile prefix for creating resource profile names. The value that is specified here must match the prefix name that you define for z/OSMF in the IZUxxSEC jobs or by entering equivalent commands.Rules:
- Must follow the rules for RACF profile names.
- 1 – 3 characters.
Default: IZUDFLT - CLOUD_SAF_PREFIX('IYU')
- SAF profile prefix that is prepended to the names of any groups to be used for authorizing users
to IBM Cloud® Provisioning and Management for z/OS task activities.Note: The IZUPRSEC sample job contains commands that include the group name for creating authorizations for IBM Cloud Provisioning and Management for z/OS. The value that is specified here must match the prefix name that you define for Cloud Provisioning authorizations in the IZUPRSEC job or by entering equivalent commands.Rules:
- Must follow the rules for RACF profile names.
- 1 – 3 characters.
Default: IYU - CLOUD_SEC_ADMIN('user-id')
- Specifies the security administrator user ID to be used for automatic security management in Cloud Provisioning. When specified, automatic security
updates are performed under this user ID. Otherwise, if this value is omitted, security updates for
Cloud Provisioning must be performed manually by your
security administrator.The user ID that is specified here must be connected to the z/OSMF security administrator group, which is named IZUSECAD by default. The IZUPRSEC job in SYS1.SAMPLIB contains a commented RACF command for creating this authorization. Minimally, this user ID requires:
- READ access to the ZMFCLOUD class resource profile IZUDFLT.ZOSMF.SECURITY.ADMIN.
- Authorization to manage resource profiles in the ZMFAPLA and ZMFCLOUD resource classes.
- Authorization to manage security groups.
During regular operations with Cloud Provisioning, your installation might periodically update Resource Management domains and tenants to add or remove users. Such changes require updates to your security setup. By specifying a user ID for the CLOUD_SEC_ADMIN keyword, you indicate that automatic security is to be used for performing user authorizations. If so, the authorizations are performed automatically by the Resource Management task, by using a security REXX exec that is provided by the external security manager. For example, IBM supplies the REXX exec izu.provisioning.security.config.rexx for use with RACF. For more information, see Automatic security management for Cloud Provisioning.
If the CLOUD_SEC_ADMIN value is changed, the new setting applies only to domains that are created after the change. Any existing domains continue to operate with manual or automated security, based on the value that was in effect when these domains were created.
Note:With the installation of the PTF for APAR PH29813, the default domain now supports manual security mode for creating templates and tenants. This option is intended for provisioning environments that cannot use automatic security mode. Previously, the default domain was required to run in automatic security mode. Now, when the default domain is created at z/OSMF startup time, it is placed in manual security mode if no security administrator is specified on the CLOUD_SEC_ADMIN statement in the IZUPRMxx parmlib member.
If you have incorrectly configured the security mode for Cloud Provisioning and Management, it is possible to change it. Doing so requires only that you edit the CLOUD_SEC_ADMIN statement in the IZUPRMxx parmlib member and restart the z/OSMF server. You can switch a domain from automatic security to manual security, and vice versa. Your changes to the CLOUD_SEC_ADMIN statement affect the security mode of all existing domains. The suggested practice is that you run Cloud Provisioning and Management in automatic security mode.
Rules:- Must follow the rules for z/OS user IDs.
- 1 – 8 characters.
Default: None. If you do not provide a valid z/OS user ID, the Resource Management task does not perform automatic security updates. - SEC_GROUPS USER(group-name),ADMIN(group-name),SECADMIN(group-name)
- Specifies group names for the base set of z/OSMF
security groups: user, administrator, and z/OS security administrator.
- USER(group-name)
- Security group to be used for the z/OSMF user
role. The user IDs that are connected to this group are considered to be z/OSMF users.Default: IZUUSER
- ADMIN(group-name)
- Security group to be used for the z/OSMF
administrator role. The user IDs that are connected to this group are considered to be z/OSMF administrators.Default: IZUADMIN
- SECADMIN(group-name)
- Group name to be used for the z/OS Security Administrator role. This group is permitted to the
Workflows task.Default: IZUSECAD
- SESSION_EXPIRE(nnn)
- Amount of time (in minutes) for the session timeout. z/OSMF user sessions expire when this
period elapses. For more information, see Re-authenticating in z/OSMF.
Value range:
15-999999
Default: 495 - TEMP_DIR('path-name')
- Temporary directory for various z/OSMF activities. This setting is applicable if your z/OSMF configuration uses:
- Incident Log task
- Workflows task
- z/OSMF Diagnostic Assistant task
The temporary directory is used, as follows:- Incident Log task uses this directory for sending z/OS UNIX file attachments through FTP.
- Workflows task uses this directory for storing temporary files.
- z/OSMF Diagnostic Assistant task uses this directory for storing temporary files.
Users of these z/OSMF tasks require write access to the temporary directory. Otherwise, the task might fail with an authorization error (the user encounters message ICH408I).
Notes:- As part of its data collection, the z/OSMF Diagnostic Assistant task copies the z/OSMF log files and configuration files into a compressed (.zip) file and saves the file in the TEMP_DIR directory. The amount of storage needed to contain the compressed file varies, depending on your installation's use of z/OSMF. If the size of the compressed file exceeds the TEMP_DIR space, an error message is issued to the user of the z/OSMF Diagnostic Assistant task. If this problem occurs, increase the storage amount for the TEMP_DIR directory.
- In IBM Cloud Provisioning and Management for z/OS provisioning, a number of functions are performed by using workflows. For example, a software template is composed of one or more workflows. Therefore, any user who is involved in IBM Cloud Provisioning and Management for z/OS provisioning is also a potential user of the Workflows task. You must ensure that these users have write access to the TEMP_DIR location.
Rules:- Must be a valid z/OS UNIX path name.
- Must specify the full or absolute path name, and a maximum of 255 characters between slashes.
Default:/tmp
- CSRF_SWITCH(ON|OFF)
- Indicates whether Cross Site Request Forgery (CSRF) custom header checking is enabled for REST
API requests. By default, CSRF_SWITCH is set to ON to ensure that your
installation is protected against CSRF attacks. However, in some limited cases, such as for testing,
you might choose to temporarily disable CSRF checking by setting CSRF_SWITCH=OFF. However, it is
recommended that you leave this setting enabled to prevent CSRF attacks. For more information, see
IBM z/OS Management Facility Programming Guide.Default: ON
- SERVER_PROC(proc-name)
- Specifies the name of the started procedure that is used to start the z/OSMF server on this
system. It is recommended that you use the default started procedure, which should be adequate for
most z/OS installations. If you specify an alternative procedure name, ensure that the z/OSMF user
and z/OSMF administrator security groups are authorized to the started procedure name. Rules: Must specify a valid partitioned data set member name.Default: IZUSVR1
- ANGEL_PROC(proc-name)
- Specifies the started procedure that is used to start the z/OSMF angel process on this system.
It is recommended that you use the default started procedure, which should be adequate for most z/OS
installations. If you specify an alternative procedure name, ensure that the z/OSMF user and z/OSMF
administrator security groups are authorized to the started procedure name.
With the installation of APAR PI88651, the ANGEL_PROC statement specifies both the name of the angel process and its started procedure name.Example: ANGEL_PROC(IZUANG1) indicates that both the angel procedure member name and angel process name are IZUANG1.Rules: Must specify a valid partitioned data set member name.Default: IZUANG1
- AUTOSTART(LOCAL|CONNECT)
- Specifies whether the z/OSMF server is to be started automatically on this system. The valid settings for AUTOSTART are, as follows:
- LOCAL
- Indicates that the system is to automatically start the z/OSMF server.
- CONNECT
- Indicates that the z/OSMF server is not to be autostarted on the local z/OS system.
- IBM recommends that you specify LOCAL for all systems in a sysplex, or let it default to LOCAL, if you are using shared file systems for the z/OSMF data directory for each AUTOSTART group. If all systems in a sysplex are part of the same AUTOSTART group, the default, /global/zosmf, allows this. z/OSMF starts only on one system in the sysplex, if the sysplex has only one AUTOSTART group.
- If you have more than one AUTOSTART group in a sysplex, you should use a shared file system for each one, with a unique mount point. For example, if you have AUTOSTART groups that are named ZOSMFA and ZOSMFB, you might use /global/zosmf/zosmfa for the first and /global/zosmf/zosmfb for the second. In this case, specifying LOCAL on all systems results in z/OSMF starting on one system per AUTOSTART group.
- When the z/OSMF server has been started automatically on another system in the same AUTOSTART group in the same sysplex, requests for z/OSMF services that originate on the local system are routed to the remote server.
- When AUTOSTART(CONNECT) is specified for every system in a sysplex, the z/OSMF server is not autostarted on any system in the sysplex. The z/OSMF server can be started with the START command or through automation when no other z/OSMF server is active in the system’s AUTOSTART group.
If a z/OSMF server fails, it must be restarted to restore z/OSMF operations for the autostart group. The server can be restarted on this system or another system, regardless of whether the system is specified as AUTOSTART(LOCAL) or AUTOSTART(CONNECT), using the START command or through automation.
Default: LOCAL - AUTOSTART_GROUP(IZUDFLT|nnnnnnnn)
- Associates the local system with other systems that can share an autostarted z/OSMF server.
AUTOSTART_GROUP defines a domain for z/OSMF work and associated persistent data
within a sysplex. By default, one autostart group that is called IZUDFLT exists per sysplex. To
associate the z/OSMF server on this system with a different autostart group, specify the desired
name here. Rules:
- Must consist of 1-32 alphanumeric characters (A-Z, a-z, 0-9) or special characters (#, $, or @).
- Alphabetic characters are case insensitive.
Default: IZUDFLT - USER_DIR
- z/OSMF data directory path. By default, the z/OSMF data
directory is located in /global/zosmf. If you want to use a different path
for the z/OSMF data directory, specify that value here, for example:
USER_DIR='/the/new/config/dir'
.Every autostart group within a sysplex must have a unique specification for USER_DIR. If you plan to use an autostarted z/OSMF server, this file system must be mounted when you IPL the system. Otherwise, the z/OSMF server cannot be autostarted.
If you specify both
USER_DIR=
in IZUPRMxx andUSERDIR=
on the PRC statement of the started procedure, the system uses the path that is specified byUSERDIR=
in the started procedure.Rules: Must be a valid z/OS UNIX path name.Default: /global/zosmf/ - UNAUTH_USER(user-id)
- Represents an unauthenticated user. Provides an unknown user with basic privileges to access the
z/OSMF log-in page, but nothing more.Rules:
- Must follow the rules for z/OS user IDs.
- 1 – 8 characters.
Default:IZUGUEST
- WLM_CLASSES DEFAULT(class-name)
- Specifies the WLM transaction classes for managing z/OSMF work.
- DEFAULT(class-name)
- WLM transaction class to be used for managing z/OSMF work, except for long-running work. See the description of the LONG_WORK(class-name) statement.Rules: Must specify a valid WLM transaction class name.Default:
IZUGHTTP
- LONG_WORK(class-name)
- WLM transaction class to be used for managing the execution of long-running work. Rules: Must specify a valid WLM transaction class name.Default:
IZUGWORK
- PLUGINS(plugin-id,plugin-id,plugin-id,...)
- Specifies the optional services to be made available in your configuration.
Enter one or more of the service identifiers that are shown in Table 1.
Table 1. z/OSMF optional services and associated service IDs Service ID Service name CAPACITY_PROV Capacity Provisioning COMMSERVER_CFG Network Configuration Assistant INCIDENT_LOG Incident Log ISPF ISPF RESOURCE_MON Resource Monitoring SOFTWARE_MGMT Software Deployment SYSPLEX_MGMT Sysplex Management WORKLOAD_MGMT Workload Management ZERT_ANALYZER IBM® zERT Network Analyzer After a service is enabled, you might later decide to remove it. To do so, edit the IZUPRMxx parmlib member and remove the service identifier from the PLUGINS statement. Then, restart the z/OSMF server. This action removes the services from the z/OSMF desktop interface. Any residual data that is associated with the service is saved in z/OSMF, in case you decide to enable it again later.
Default: No optional services are enabled by default.
Example of IZUPRMxx parmlib member
- Port 30443.
- System symbol for the Java home directory. The symbol must also be defined in your IEASYMxx member.
- On startup, the system autostarts a z/OSMF server. The autostarted z/OSMF
server processes requests from all systems that are members of the z/OSMF autostart group
IZUDFLT
. - These optional services are selected: Network Configuration Assistant, Software Deployment, and Sysplex Management. The services are enabled for use when your installation completes the required host system customization. See z/OSMF optional services.
HTTP_SSL_PORT(30443)
JAVA_HOME('&JAVA80_HOME') /* System symbol used to define Java home */
AUTOSTART(LOCAL)
AUTOSTART_GROUP(IZUDFLT)
PLUGINS(COMMSERVER_CFG,SOFTWARE_MGMT,SYSPLEX_MGMT)