Updating z/OS for the Sysplex Management plug-in

If you chose to configure the Sysplex Management plug-in, you must perform the system customization that is described in this topic.

The examples in this topic use RACF commands. If your installation uses an external security manager other than RACF, your security administrator can refer to these examples when creating equivalent commands for your environment.

For a summary of the required profile authorizations for the Sysplex Management task, see Resource authorizations for the Sysplex Management plug-in. IBM provides job IZUSPSEC in SYS1.SAMPLIB to assist you with performing these updates. The job contains RACF commands for creating the required security authorizations.

BCPii installation and configuration

In the z/OSMF Systems task, the Discover CPC function uses z/OS data set and file REST services and BCP internal interface (BCPii) services to query the topology of interconnected CPCs and LPARs in the sysplex. Therefore, you must ensure that both z/OS data set and file REST services and BCPii are configured in the sysplexes that are to be managed through the Systems task.

After BCPii is configured, have your security administrator ensure that the required authorizations are created for the BCPii services. In SYS1.SAMPLIB, the IZUSEC job includes sample RACF commands for enabling the z/OSMF core functions, including the BCPii services.

The following procedure describes the steps that are performed in the IZUSEC sample job. Some values are installation-specific and require modification for your environment.
  1. Define the profile for the BCPii services.
    RDEFINE FACILITY HWI.APPLNAME.HWISERV UACC(NONE)
  2. Grant the administrator groups access to the BCPii services:
    PERMIT HWI.APPLNAME.HWISERV CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)
  3. Define the profile for the BCPii request type of CPC.
    RDEFINE FACILITY HWI.TARGET.<netid.nau> UACC(NONE) APPLDATA('<uppercasecommunityname>')
    Where:
    • netid.nau is the 3–17 character SNA name of the particular CPC.
    • uppercasecommunityname is the SNMP community name that is associated with the CPC. The same SNMP community name that was defined in the support element configuration for a particular CPC must also be defined in the security settings for each CPC to which communication is required.
  4. Define the profile for the BCPii request type of LPAR.
    RDEFINE FACILITY HWI.TARGET.<netid.nau>.<imagename> UACC(NONE)
    Where:
    • netid.nau is the 3–17 character SNA name of the particular CPC.
    • imagename is the 1–8 character LPAR name.
  5. Grant administrators READ access to the CPC and IMAGE profiles through BCPii functions.
    
    PERMIT HWI.TARGET.<netid.nau> CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)
    PERMIT HWI.TARGET.<netid.nau>.<imagename> CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)
  6. Refresh the security database. For example:
    SETROPTS RACLIST(FACILITY) REFRESH

For more information about BCPii, see z/OS MVS Programming: Callable Services for High-Level Languages.

Configure the CPC information in Systems task

Before you use the Sysplex Management task, it is recommended that you configure the CPC information in the z/OSMF Systems task. You can use either of the following methods to do so:
  • Add CPC information manually
  • Use the Discovery CPC function in Systems task to discover the CPC topology of the currently interconnected CPCs and LPARs in the sysplex.

The Discovery CPC function is a long-running action; it might take several minutes to complete.

Authorize users to the z/OS console services REST API

Users of the Sysplex Management task require authorization to the z/OS console services REST API. For a system that uses RACF as the security manager, IBM provides job IZUGCSEC in SYS1.SAMPLIB to assist you with creating the authorizations. Ask your security administrator to edit the job for your environment and submit it.

In the IZUGCSEC job, a unique console name must be specified for each user of the Sysplex Management task. In z/OS, a valid console name is 2 to 8 characters and does not begin with a digit. Characters are alphanumeric and can also include the special characters #, $, and @.

Use the following convention to specify console names in the IZUGCSEC job:
<username>SP
Where <username> is the z/OSMF user name, followed by the letters SP. If the user name is more than six characters, specify the last six characters of the user name, followed by SP. For example, if the user name is IBMUSER, specify the console name BMUSERSP.
Note: If a z/OSMF user name must be shortened to six characters (followed by SP) and the resulting name would not be a valid console name, use the following convention instead: SP<username>, where <username> is the last six characters of the z/OSMF user name. Consider, for example, the z/OSMF user name ID123456. Using the last six characters of this name followed by SP would result in 123456SP, which is an invalid name because it begins with a digit. To avoid this problem, specify SP123456 for the console name.
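The naming convention above, worked through as an added example (it is not part of the IZUGCSEC job or any IBM code). The helper names console_name and assign_console_names are hypothetical, the user names are constructed, and folding names to upper case is an assumption. The check for two users resolving to the same console name goes beyond the text to cover the uniqueness requirement.

```python
import re

# Console name rule from the text: 2 to 8 characters, alphanumeric plus
# #, $ and @, and the first character is not a digit.
VALID_CONSOLE = re.compile(r"[A-Z#$@][A-Z0-9#$@]{1,7}")


def console_name(username):
    """Derive the console name for one z/OSMF user name (hypothetical helper)."""
    user = username.strip().upper()  # assumption: user names are upper case
    if not user:
        raise ValueError("empty user name")
    stem = user[-6:]  # the whole name when it has six characters or fewer
    primary = stem + "SP"
    if VALID_CONSOLE.fullmatch(primary):
        return primary
    # The SP<username> form is described only for names that were shortened.
    fallback = "SP" + stem
    if len(user) > 6 and VALID_CONSOLE.fullmatch(fallback):
        return fallback
    raise ValueError(f"no valid console name for {username!r}; choose one manually")


def assign_console_names(usernames):
    """Return (user -> console name, console name -> users that collide on it)."""
    assigned, owners = {}, {}
    for name in usernames:
        console = console_name(name)
        assigned[name] = console
        owners.setdefault(console, []).append(name)
    collisions = {c: u for c, u in owners.items() if len(u) > 1}
    return assigned, collisions


if __name__ == "__main__":
    # Constructed user names; XBMUSER shortens to the same stem as IBMUSER.
    users = ["IBMUSER", "ID123456", "ZOSADM", "XBMUSER"]
    assigned, collisions = assign_console_names(users)
    for user, console in assigned.items():
        print(f"{user:<8} -> {console}")
    for console, owners in collisions.items():
        print(f"NOT UNIQUE: {console} claimed by {', '.join(owners)}")
```

Any console name reported as not unique must be resolved by hand before the job is submitted, because the convention alone does not guarantee a distinct name per user.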

Create security structures for the Sysplex Management task

To enable users to work with the Sysplex Management task, your external security manager, such as RACF, requires that a number of security structures are defined, as described in this topic, and that users are authorized to the appropriate system resources. If RACF or another security manager is installed, the security administrator can define profiles that control the use of these resources.

Before using the Sysplex Management task, have your security administrator verify that the following conditions exist:
  • The security database, such as the RACF database, is shared across the sysplex.
  • The SAFDFLT profile is defined in the REALM class. The SAFDFLT profile in the REALM class allows the security environment to be recognized.
  • Each security database REALM has its own unique APPLDATA profile, which is associated with the SAFDFLT profile. The same SAFDFLT APPLDATA value is used across all systems in the sysplex. Define the name by using the SAFDFLT profile in the REALM class. Substitute an appropriate string for the plexname, such as the name of the sysplex or another unique string.
    Example:
    
    SETROPTS GENERIC(REALM)
    RDEFINE REALM SAFDFLT APPLDATA('<plexname OR other unique string>')
    SETROPTS RACLIST(REALM) CLASSACT(REALM)
    SETROPTS RACLIST(REALM) REFRESH        
  • The TRUSTED attribute is assigned to the CEA started task.
  • The CEA address space is started in full function mode.
  • Users are authorized to the appropriate resources, as described in Resource authorizations for the Sysplex Management plug-in.
To make the preceding updates effective, you must:
  1. Refresh your security database. Example:
    SETROPTS RACLIST(SERVAUTH) REFRESH
    SETROPTS RACLIST(ZMFAPLA) REFRESH
  2. Restart CEA.

The Sysplex Management plug-in requires access to local resources on your z/OS system. Resource authorizations for the Sysplex Management plug-in describes the security requirements for the Sysplex Management plug-in.

Update the z/OSMF settings for managing a remote sysplex

If you plan to manage a remote sysplex in addition to the local sysplex in the primary z/OSMF instance, ask your z/OSMF administrator to perform the following updates:
  1. The remote sysplex to be managed must have a z/OSMF instance running in one of its systems. Open z/OSMF Settings > Systems table > Add system on the primary z/OSMF instance and define the system on which the z/OSMF instance is running in the remote sysplex. Specify the URL of the z/OSMF instance when you update the Systems table.
  2. Ensure that single sign-on is configured for the system that is running the primary z/OSMF instance and for the secondary z/OSMF instances in other sysplexes.
  3. Open z/OSMF Settings > Systems table on the primary z/OSMF instance and define the CPC objects on the primary z/OSMF instance, either manually or by running the discovery function, which retrieves CPC information by calling BCPii services.
z/OSMF does not verify the accuracy of your input. Ensure that the information you provide is correct and complete. Incorrect or missing information can cause the major views of the Sysplex Management task to be unavailable:
  • Physical View
  • Connectivity View
  • Connectivity Details View