SSGP61P_3.2.0 - Documentation Index
Table of Contents
Welcome
Summary of changes
Latest release of IBM zSecure Compliance
IBM Security Center for Z
IBM Security Center for Z: Overview and First Steps
System requirements
Hardware prerequisites
z/OS software requirements
System requirements for an IBM z/OS Container Extensions (IBM zCX) installation
System requirements for a Red Hat OpenShift Container Platform (OCP) installation
Project plan for implementing IBM Security Center for Z
Installing
Prepare to install IBM Security Center for Z
Install the SCZ in a z/OS Container Extensions (IBM zCX) configuration
Install the SCZ in an IBM z/OS Container Extensions (IBM zCX) configuration
Steps to upgrade SCZ
Steps for restart and shutdown
Refresh certificates
Steps for configuring SCZ maintenance on zCX by using IBM z/OS job
Install the SCZ in a Red Hat OpenShift Container Platform (RHOCP) configuration
Download the YAML files to your workstation
Configuring OpenShift Data Foundation storage
Disable SSH weak ciphers and algorithms (Red Hat OpenShift 4.13 or later)
Install SCZ in Red Hat OpenShift Container Platform (RHOCP)
Back up critical resources
Install an upgrade
Restore from a backup copy
Refresh the solution namespace whenever cluster certificates are updated
Log in as the administrator
Install applications using the Application Catalog
Getting started with IBM Security Center for Z
Managing user access in IBM Security Center for Z
Adding a user
Editing user details
Deleting a user
User role mappings
Editing user roles
Changing a user's password
Changing your password after you log in
Configuring Active Directory and LDAP integration
Adding an LDAP connection
Adding an LDAP certificate
Editing an LDAP connection
Synchronizing changed users
Synchronizing all users
Removing imported users
Deleting an LDAP connection
Managing credentials
What are the required permissions?
Configuring IBM Z Connection
Adding an IBM Z connection
Deleting an IBM Z connection
Requesting logs for first failure data capture
Troubleshooting problems with IBM Security Center for Z
Contacting IBM Support
Z Common Data Provider problems
Configuration Tool problems
Configuration Tool troubleshooting checklist
Configuration Tool failed to load with the error message SRVE0295E
Configuration Tool failed to load the policy with the error message HBO6502E regarding message queue size
Text on buttons or boxes does not display correctly
No data streams available for creating policies after deploying the Configuration Tool on z/OSMF
User ID of parameter AUTHORIZED_USER is not found
Failed to open the Configuration Tool on z/OSMF with the error message HBO6501W
Buttons in the Configuration Tool do not show the text but the variable name behind it
Troubleshooting Liberty issues
Configuration Tool failed to load with the CWWKO0801E message in the HBOCFGT job log
Angel server HBOCFGA failed to start with RETURN CODE 00000081 REASON CODE 0594003D
z/OS user ID cannot log on the Configuration Tool successfully
System Data Engine problems
System Data Engine log files
System Data Engine: enabling tracing and statistics data
Enabling tracing for the System Data Engine at startup
Enabling tracing for the System Data Engine after startup
Enabling statistics data for the System Data Engine after startup
System Data Engine does not start
System Data Engine gets ABEND U006 at startup
System Data Engine fails to start with SYSTEM COMPLETION CODE=DC4 REASON CODE=90041620
Message HBO0308I shows up frequently when collecting data with the System Data Engine
SMF data packets that are sent to the target subscriber are very large
Duplicated records are produced when they are aggregated by System Data Engine in stream mode
Data Streamer is not receiving data from System Data Engine
Data Streamer problems
Enabling tracing for the Data Streamer
Enabling tracing or performance tracing for the Data Streamer at startup
Enabling dynamic tracing for the Data Streamer
Data Streamer does not start
Data Streamer fails to start with the message JVMJ9VM015W
Data Streamer issues a message about Java out of memory when a target subscriber remains unresponsive for a long time
Data Streamer is not receiving data from System Data Engine
Subscriber is not receiving data
syslogd message problems: inconsistencies in timestamp, or missing or misplaced messages
Logstash gets JSON parse error messages when receiving data from IBM Z Common Data Provider
Trademarks
IBM zSecure Compliance Guide
Overview of IBM zSecure Compliance
What is compliance posture
What IBM zSecure Compliance does
How it works
Who will interact with this solution
Terms to understand
Architecture and technology
Application programming interfaces (APIs)
Project plan for implementing Compliance
Prerequisites for deploying the IBM zSecure Compliance application
Install Compliance using the Application Catalog
Upgrade to Compliance from IBM Security Center for Z
Getting started with Compliance
Log in as the administrator
What is the collector?
Creating the collector
Creating and managing scopes
Mapping a credential to a scope
Preparing a scope for host-defined profile validation
Viewing scope details
What is a profile?
Creating custom profiles
Including security-patch-related information in your validation scans
Viewing the security-patch-related goals
Modifying goals
Creating custom goals
Working with resource types
Scheduling a scan
Viewing your current posture
Configuring IBM Concert integration
Enabling the IBM Concert connection
Managing IBM Concert connection
Deleting IBM Concert connection
Working with reports
Enable your z/OS systems for data collection
Install PTFs for the z/OS data providers
Configure z/OSMF on one or more z/OS systems
Enable the collection of SMF type 1154 records
Configure ICSF for cryptographic usage tracking
Optionally, verify that CPACF tracking is enabled
Configure z/OS for security patch validation
Enable z/OS middleware for data collection
Set up the Compliance Evidence started task
Installation of the Compliance Evidence task
Configuration of the Compliance Evidence started task
Enable the collection of data for host-defined profiles
Operation of the Compliance Evidence started task
Install IBM Z Common Data Provider
Planning for deployment of the IBM Z Common Data Provider
z/OS system requirements for IBM Z Common Data Provider
IBM Z hardware requirements for zIIP offload
Working directory definitions
Data Streamer port definition
Installation of IBM Z Common Data Provider with SMP/E
Configure IBM Z Common Data Provider
Getting started with the IBM Z Common Data Provider Configuration Tool
Installing the Configuration Tool on z/OSMF
Setting up a working directory for the Configuration Tool
Creating configuration files for IBM Z Common Data Provider
Running the Configuration Tool to create policies
Managing policies
Creating a policy
Creating a policy to stream SMF data
Updating a policy
Adding a subscriber for a data stream or transform
Subscribers to a data stream or transform
Updating subscriptions of a subscriber
Exporting and importing subscribers
Output from the Configuration Tool
Uninstalling the Configuration Tool from z/OSMF
Securing communications between the Data Streamer and its subscribers
Securing communications using certificates
Configuring a Logstash receiver
Configuring the Data Streamer
File buffer function in the Data Streamer
Metrics capture function in the Data Streamer
Binding the Data Streamer to a specific IP address
Verifying the search order for the TCP/IP resolver configuration file
Configuring the System Data Engine
Authorizing the System Data Engine with APF
Configuring the System Data Engine for collecting SMF records
Deciding which method to use for collecting SMF data
Creating the System Data Engine started task for streaming SMF data
Requirements for the System Data Engine user ID
Offloading the System Data Engine code to System z Integrated Information Processors
Operating Z Common Data Provider
Running the Data Streamer
Running the System Data Engine
Enable your Linux on IBM Z systems for data gathering
Planning considerations for Linux on IBM Z data providers
Enable passwordless sudo access for your Linux user ID
Enable the PostgreSQL database user for validation
Application programming interfaces (APIs)
Configuration reference for managing IBM Z Common Data Provider policies
Global properties that you can define for all data streams in a policy
SYSTEM properties: Defining alternative host names for source systems
SYSTEM DATA ENGINE properties: Defining your System Data Engine environment
SCHEDULES properties: Defining time intervals for filtering operational data
SMF type 1154 data stream reference
Icons on each node in a policy
Data stream configuration for data gathered by System Data Engine
Subscriber configuration
Troubleshooting problems with Compliance
Troubleshooting problems with the Compliance Evidence started task
Contacting IBM Support
Z Common Data Provider problems
Configuration Tool problems
Configuration Tool troubleshooting checklist
Configuration Tool failed to load with the error message SRVE0295E
Configuration Tool failed to load the policy with the error message HBO6502E regarding message queue size
Text on buttons or boxes does not display correctly
No data streams available for creating policies after deploying the Configuration Tool on z/OSMF
User ID of parameter AUTHORIZED_USER is not found
Failed to open the Configuration Tool on z/OSMF with the error message HBO6501W
Buttons in the Configuration Tool do not show the text but the variable name behind it
Troubleshooting Liberty issues
Configuration Tool failed to load with the CWWKO0801E message in the HBOCFGT job log
Angel server HBOCFGA failed to start with RETURN CODE 00000081 REASON CODE 0594003D
z/OS user ID cannot log on the Configuration Tool successfully
System Data Engine problems
System Data Engine log files
System Data Engine: enabling tracing and statistics data
Enabling tracing for the System Data Engine at startup
Enabling tracing for the System Data Engine after startup
Enabling statistics data for the System Data Engine after startup
System Data Engine does not start
System Data Engine gets ABEND U006 at startup
System Data Engine fails to start with SYSTEM COMPLETION CODE=DC4 REASON CODE=90041620
Message HBO0308I shows up frequently when collecting data with the System Data Engine
SMF data packets that are sent to the target subscriber are very large
Duplicated records are produced when they are aggregated by System Data Engine in stream mode
Data Streamer is not receiving data from System Data Engine
Data Streamer problems
Enabling tracing for the Data Streamer
Enabling tracing or performance tracing for the Data Streamer at startup
Enabling dynamic tracing for the Data Streamer
Data Streamer does not start
Data Streamer fails to start with the message JVMJ9VM015W
Data Streamer issues a message about Java out of memory when a target subscriber remains unresponsive for a long time
Data Streamer is not receiving data from System Data Engine
Subscriber is not receiving data
syslogd message problems: inconsistencies in timestamp, or missing or misplaced messages
Logstash gets JSON parse error messages when receiving data from IBM Z Common Data Provider
CKC Messages
CKC Messages from 100 to 199
CKC Messages from 200 to 299
CKC Messages from 400 to 499
CKC Messages from 700 to 799
Compliance Evidence started task command reference
Upgrading IBM Z Common Data Provider
Upgrading IBM Z Common Data Provider from version 1.1.0 to 5.1.0
Upgrading SMF user exit for collecting SMF records from IBM Z Common Data Provider version 1.1.0 to 5.1.0
Upgrading IBM Z Common Data Provider from version 2.1.0 to 5.1.0
Upgrading SMF user exit for collecting SMF records from IBM Z Common Data Provider version 2.1.0 to 5.1.0
Back up critical resources (manual steps)
Restoring from a backup (manual steps)
Installing the SMF user exit
Uninstalling the SMF user exit
SMF record type 1154
Introduction
SMF record type 1154 (X'482') subtypes
IBM Z Security and Compliance Center SMF record type 1154 (X'482') mapping
SMF 1154 subtype 50 record - Console compliance evidence
1154-50: Console compliance evidence - Self-defining section
1154-50: Console-level settings - Application section 1
SMF 1154 subtype 51 record: DFSMSdfp and ICKDSF compliance evidence
1154-51: DFSMSdfp and ICKDSF compliance evidence - Self-defining section
1154-51: DFSMSdfp system-level settings - Application section 1
1154-51: DFSMSdfp general resource properties - Application section 2
SMF 1154 subtype 52 record - DFSMSrmm and tape protection compliance evidence
1154-52: DFSMSrmm and tape protection compliance evidence - Self-defining section
1154-52: DFSMSrmm system-level settings - Application section 1
1154-52: DFSMSrmm general resource properties - Application section 2
SMF 1154 subtype 53 record - DFSMShsm compliance evidence
1154-53: DFSMShsm compliance evidence - Self-defining section
1154-53: DFSMShsm system-level settings - Application section 1
1154-53: DFSMShsm general resource properties - Application section 2
SMF 1154 subtype 54 record - DFSMSdss compliance evidence
1154-54: DFSMSdss compliance evidence - Self-defining section
1154-54: DFSMSdss system-level settings - Application section 1
1154-54: DFSMSdss general resource properties - Application section 2
SMF 1154 subtype 77 record - z/OS UNIX compliance evidence
1154-77: z/OS UNIX System Services compliance evidence - Self-defining section
1154-77: z/OS UNIX system-level settings - Application section 1
1154-77: z/OS UNIX general resource access risks - Application section 2
SMF 1154 subtype 78 record - SSH daemon (sshd) compliance evidence
1154-78: SSH daemon compliance evidence - Self-defining section
1154-78: SSH daemon-level settings - Application section 1
1154-78: SSH daemon protocol versions - Application section 2
1154-78: SSH daemon cipher - Application section 3
1154-78: SSH daemon MAC - Application section 4
SMF 1154 subtype 79 record - Internet daemon (inetd) compliance evidence
1154-79: inetd compliance evidence - Self-defining section
1154-79: inetd service parameter - Application section 1
1154-79: inetd program name - Application section 2
1154-79: inetd arguments - Application section 3
SMF 1154 subtype 82 record - MQ Managed Service compliance evidence
1154-82: MQ compliance evidence - Self-defining section
1154-82: MQ region-level settings - Application section 1
1154-82: MQ authinfo-level settings - Application section 2
1154-82: MQ Queue CF structures - Application section 3
SMF 1154 subtype 85 record - IBM IMS region-level and OTMA client settings compliance evidence
1154-85: IMS compliance evidence - Self-defining section
1154-85: IMS region-level settings - Application section 1
1154-85: IMS OTMA client settings - Application section 2
SMF 1154 subtype 86 record - IBM IMS OM compliance evidence
1154-86: IMS OM compliance evidence - Self-defining section
1154-86: IMS OM region-level settings - Application section 1
1154-86: IMS OM audit log - Application section 2
SMF 1154 subtype 87 record - IBM IMS Connect compliance evidence
1154-87: IMS Connect compliance evidence - Self-defining section
1154-87: IMS Connect region-level settings - Application section 1
1154-87: IMS Connect IMSPLEX_NAME - Application section 2
SMF 1154 subtype 96 record - SMF global reporting compliance evidence
1154-96: SMF global reporting compliance evidence - Self-defining section
1154-96: SMF system-level settings - Application section 1
1154-96: SMF log stream specification - Application section 2
SMF 1154 subtype 97 record - SMF subsystem reporting compliance evidence
1154-97: SMF subsystem reporting compliance evidence - Self-defining section
1154-97: SMF subsystem-level settings - Application section 1
1154-97: SMF recording activity - Application section 2
Acronyms
IBM Sensitive Data Tagging for Z
Overview of Sensitive Data Tagging for Z
Who will interact with this solution
Architecture
Purpose of Sensitive Data Tagging
Software and hardware requirements
Installing Sensitive Data Tagging for Z on zCX
Security setup for Sensitive Data Tagging for Z
Deploying Sensitive Data Tagging for Z on zCX
Upgrading SDTz
Verifying the signature of Sensitive Data Tagging for Z container images
Transferring Docker Images to an Air-Gapped zCX Instance
Getting started with SDTz
What are data classes
View data classes
Update field mappings
What are classification schemes
Manage classification schemes
Submit a scan request
Manage scans
View and Export Scan Results
Debugging problems with Sensitive Data Tagging for Z (SDTz) in zCX
Troubleshooting problems with Sensitive Data Tagging for Z
Reference information
APIs
Access API
GET
Cancel scan API
POST
Classification scheme API
GET
POST
PUT
Data class API
GET
PUT
POST
Login and logout API
DELETE
POST
PUT
Scan result API
GET
Scan request API
GET
POST
PUT
Scan status API
GET
Scan submit API
POST