Db2 for z/OS customization for the IBM zERT Network Analyzer task

About this task

The IBM® zERT Network Analyzer task stores and queries SMF data in a Db2 for z/OS database. Before you can use the task, this database must be created in a suitable Db2 for z/OS subsystem and the connectivity information for the database must be configured in the IBM zERT Network Analyzer.

Requirement: A given IBM zERT Network Analyzer database must only be accessed by one IBM zERT Network Analyzer plug-in at a time. Concurrent access to a single database by more than one IBM zERT Network Analyzer plug-in generates unpredictable results.

IBM provides tooling and templates in the SYS1.SAMPLIB data set to help your local Db2 for z/OS database administrator (DBA) create the IBM zERT Network Analyzer database in a manner that conforms to local naming and resource conventions. Collectively, this tooling is called the IBM zERT Network Analyzer database schema tooling and it consists of the following members in SYS1.SAMPLIB:

  • The IZUZNADT and IZUZNADA members contain Data Definition Language (DDL) templates for creating the required database objects using two different approaches.
    • IZUZNADT contains a template for creating the required database objects using a fixed schema name (SYSIBM_EZB_ZNADB) and fixed table names that the IBM zERT Network Analyzer depends on. If your local naming conventions allow for these fixed names, then you should use this template.
    • IZUZNADA contains a template for creating the required database objects using your own customized schema and/or table names. It also creates aliases for those tables using the fixed schema name and table names that the IBM zERT Network Analyzer depends on. If your local naming conventions require you to change the schema name and/or the table names, you should use this template.

    The templates contain all the appropriate DDL commands using variables for a wide variety of resource names and parameter values that the DBA may want to control. The DBA should set values for some or all these variables that will comply with the local Db2 for z/OS conventions and allocation strategies.

    Note: The IZUZNADT and IZUZNADA prolog commentary explain each of the variables they include as well as the required variable syntax.
  • The IZUZNADI member of the SYS1.SAMPLIB data set. IZUZNADI is a sample variable substitution data set in which the DBA specifies the desired values for each of the template variables that are defined in the templates. The IZUZNADI sample specifies the default values for each of the variables, but the DBA can override any of the variables as needed.
  • The IZUZNADG DDL generation REXX exec reads the specified template and a customized variable substitution data set and generates a data set that contains a complete set of customized DDL for creating a new IBM zERT Network Analyzer database or to update an existing database to the most current schema level (for applying service).
    Note: Instructions for using the IZUZNADG exec are available by running the exec with the --HELP parameter.

    After running the IZUZNADG exec, your DBA can use the resulting DDL data set in SPUFI or as input to a local JCL stream used to create the new IBM zERT Network Analyzer database in the Db2 for z/OS subsystem.

Procedure

  1. Determine the local resource requirements and location for the IBM zERT Network Analyzer database.

    Your DBA decides which Db2 for z/OS subsystem contains the IBM zERT Network Analyzer database objects as well as the specific Db2 for z/OS resources (storage pools, buffer pools, and so forth) to be allocated to these objects.

    Tip: You should initially deploy the IBM zERT Network Analyzer database and service on a test system. The test system should be a place where you can easily get familiar with the operation of the service and can better understand the Db2 and system resource requirements when running queries against your imported SMF record data. Depending on the number of imported SMF records and the complexity of your queries, you might consider initially limiting query execution to specific times of day or specific systems to minimize system impacts.
    • Determine the maximum number of query reports that will be open at any given time

      Your DBA needs to specify the number of partitions for a subset of tables in the IBM zERT Network Analyzer database called "Query Result Tables." These partitioned tables hold intermediate query results that are displayed through the network analyzer's Report tab. The IBM zERT Network Analyzer assigns one partition in each query result table to each active IBM zERT Network Analyzer query report for as long as that report is open in the web browser. Because of this, you must work with your DBA to determine an appropriate number of partitions to ensure that your database has enough partitions to support your community of IBM zERT Network Analyzer users.

      The number of partitions is determined by the <QRTParts> variable in the DDL templates and is controlled by the DBA in the variable substitution data set used with the IZUZNADG exec (see the IZUZNADI member of SYS1.SAMPLIB).

      To calculate the number of partitions you need, consider the number of users that will be using the IBM zERT Network Analyzer as well as the number of reports each user might have open at any given time (a single user can have multiple reports open at one time, with each one in its own web browser tab). Multiply those two numbers together to determine the maximum possible number of open reports. You should create at least that many partitions for each query result table. You might also want to increase this value by an appropriate percentage to ensure there is some room for growth over time.

      The following equation summarizes the above calculation.
      NumOpenReports = MaxNumberOfUsers * MaxNumberOfReportsPerUser
<QRTParts> = NumOpenReports + ( NumOpenReports * ExtraSpace% )
    • Decide whether to use a separate database for the query result tables

      Two variables in the DDL templates control whether the query result tables are created in the same database as the persistent IBM zERT Network Analyzer tables, or in Start of changea differentEnd of change database.

      <database>
      specifies the name of the database that contains the IBM zERT Network Analyzer's persistent tables (all tables except the query result tables). When you are creating a brand new IBM zERT Network Analyzer database, set this variable to any valid database name. By default, the IZUZNADI sample sets this to 'ZNADB'.
      <QRTDatabase>
      specifies the name of the database that contains the query result tables. You may choose to store the query result tables in the same database as the persistent tables or in a different database. To use the same database, set the <QRTDatabase> and <database> variables to the same value. To use different databases, specify different values. By default, the IZUZNADI sample sets this to 'ZNAQRDB', placing the Query Result Tables in their own database.
    • Determine how much table space to allocate in the database

      The amount of Db2 for z/OS table storage required by IBM zERT Network Analyzer varies, but you can use the following guidelines to estimate the table storage required in your environment:

      • Start with an allocation of 20 MB to hold the core security session data and operational data related to data management and user-built queries. If you are collecting zERT data from an unusually large number of unique security sessions across the z/OS systems, you might eventually need to add to this amount over time.
      • Estimate the space that is required to store the maximum number of SMF Type 119 zERT Summary (subtype 12) records that will be represented in the database at one time and add that amount to the initial 20 MB. To do so, see details in Table 1.
        Table 1. How to estimate the space for SMF Type 119 zERT Summary (subtype 12) records
        Step Task Formula Example
        1 Estimate the number of unique security sessions that typically exist across the set of z/OS systems from which you are collecting zERT data. Use local procedures to estimate this value. Assume that 10,000 unique security sessions typically exist across all of the zERT-monitored systems.

        UniqueSessions = 10,000
        2 Determine the maximum number of SMF intervals to be represented in the IBM zERT Network Analyzer database at a single time.

        MaxIntervals = ((1440 / SMFInterval) * Days)

        where:

        1440 = the number of minutes in a day;

        SMFInterval = the SMF interval in minutes as defined in your SMFPRMxx parmlib member. Note that if you use different SMF intervals across the zERT-monitored z/OS systems, use the average interval length across the different systems here;

        Days = the maximum number of days' worth of SMF data that is stored in the database at a single time.

        		 Assume the average SMF interval is set to 20 minutes and you plan to store 30 days of SMF data in the zERT Network Analyzer database:

        MaxIntervals = (1440 / 20) * 30 = 72 * 30 = 2160
        3 Determine how many SMF 119 subtype 12 records are collected over the Days value and imported into the database. MaxRecords = UniqueSessions * MaxIntervals MaxRecords = 10,000 * 2160 = 21,600,000
        4 Determine how much DASD storage is required to store the data for the maximum number of records. Each SMF 119 subtype 12 record consumes about 500 bytes of DASD storage above and beyond the base space allocation of 20 MB. DASDSpaceMB = 20 + ((MaxRecords * 500) / 1,048,576) DASDSpaceMB = 20 + ((21,600,000 * 500) / 1,048,576) = 20 + 10,299 = 10,319MB or 10GB

        According to the example shown in the table, you need to allocate a total of 10 GB of space in the storage group that is used for your IBM zERT Network Analyzer database's table spaces.

  2. Create the IBM zERT Network Analyzer database.

    Your DBA should use the database schema tooling described above to create the database for your environment.

  3. Define the IBM zERT Network Analyzer database user ID.

    This is the z/OS user ID that is permitted to connect to, store data into, and query data in the IBM zERT Network Analyzer database. The IBM zERT Network Analyzer uses this user ID to communicate with the Db2 for z/OS database and to perform all the operations in its database.

    The database user ID must be given the INSERT, SELECT, UPDATE, DELETE privileges for the IBM zERT Network Analyzer database tables to ensure proper operation of the IBM zERT Network Analyzer's various functions as described below.

    If you use the IZUZNADT template or if you use the IZUZNADA aliasing template with SQL GRANT access controls, then grant INSERT, SELECT, UPDATE, DELETE privileges to:
    • SYSIBM_EZB_ZNADB.APPL
    • SYSIBM_EZB_ZNADB.DATAMGMTHISTORY
    • SYSIBM_EZB_ZNADB.DATASET
    • SYSIBM_EZB_ZNADB.SECURITY_SESSION
    • SYSIBM_EZB_ZNADB.SESSION_STATISTICS
    • SYSIBM_EZB_ZNADB.IPSEC_INFO
    • SYSIBM_EZB_ZNADB.SSH_INFO
    • SYSIBM_EZB_ZNADB.TLS_INFO
    • SYSIBM_EZB_ZNADB.TOPOLOGY
    • SYSIBM_EZB_ZNADB.OPENJPA_SEQUENCE_TABLE
    • SYSIBM_EZB_ZNADB.QUERY
    • SYSIBM_EZB_ZNADB.SCOPE_FLTR
    • SYSIBM_EZB_ZNADB.SCOPE_FLTR_ENDPT
    • SYSIBM_EZB_ZNADB.SCOPE_FLTR_SYSSPEC
    • SYSIBM_EZB_ZNADB.SEC_FLTR
    • SYSIBM_EZB_ZNADB.SEC_IPSEC_FLTR
    • SYSIBM_EZB_ZNADB.SEC_SSH_FLTR
    • SYSIBM_EZB_ZNADB.SEC_TLS_FLTR
    • SYSIBM_EZB_ZNADB.FILTEREDSECURITYSESSIONIDS
    • SYSIBM_EZB_ZNADB.TCPSERVER_SUMMARIES
    • SYSIBM_EZB_ZNADB.TCPCLIENT_SUMMARIES
    • SYSIBM_EZB_ZNADB.EEPEER_SUMMARIES
    • SYSIBM_EZB_ZNADB.TCPSERVER_CLIENTDETAILS
    • SYSIBM_EZB_ZNADB.TCPCLIENT_CLIENTDETAILS
    • SYSIBM_EZB_ZNADB.EEPEER_CLIENTDETAILS
    • SYSIBM_EZB_ZNADB.TCPSERVER_CLEARSECURITYSESSIONDETAILS
    • SYSIBM_EZB_ZNADB.TCPSERVER_IPSECSECURITYSESSIONDETAILS
    • SYSIBM_EZB_ZNADB.TCPSERVER_SSHSECURITYSESSIONDETAILS
    • SYSIBM_EZB_ZNADB.TCPSERVER_TLSSECURITYSESSIONDETAILS
    • SYSIBM_EZB_ZNADB.TCPCLIENT_CLEARSECURITYSESSIONDETAILS
    • SYSIBM_EZB_ZNADB.TCPCLIENT_IPSECSECURITYSESSIONDETAILS
    • SYSIBM_EZB_ZNADB.TCPCLIENT_SSHSECURITYSESSIONDETAILS
    • SYSIBM_EZB_ZNADB.TCPCLIENT_TLSSECURITYSESSIONDETAILS
    • SYSIBM_EZB_ZNADB.EEPEER_CLEARSECURITYSESSIONDETAILS
    • SYSIBM_EZB_ZNADB.EEPEER_IPSECSECURITYSESSIONDETAILS
    If you use the IZUZNADA aliasing template with SAF-based access controls on Db2 for z/OS objects, the INSERT, SELECT, UPDATE, DELETE privileges must be granted for the base tables (not the aliases) as specified by the values of the following template variables:
    • <schema>.<appTable>
    • <schema>.<dmhistTable>
    • <schema>.<dsTable>
    • <schema>.<secsessTable>
    • <schema>.<sessstatsTable>
    • <schema>.<ipsecTable>
    • <schema>.<sshTable>
    • <schema>.<tlsTable>
    • <schema>.<topoTable>
    • <schema>.<queryTable>
    • <schema>.<scopeFltrTable>
    • <schema>.<scopeFltrEndptTable>
    • <schema>.<scopeFltrSysspecTable>
    • <schema>.<secFltrTable>
    • <schema>.<secIpsecFltrTable>
    • <schema>.<secSshFltrTable>
    • <schema>.<secTlsFltrTable>
    • <schema>.<openjpaTable>
    • <schema>.<fssIdsTable>
    • <schema>.<tsrvrsTable>
    • <schema>.<tclntsTable>
    • <schema>.<teepTable>
    • <schema>.<tsrvrcTable>
    • <schema>.<tclntcTable>
    • <schema>.<teepcTable>
    • <schema>.<tsrvrCSessTable>
    • <schema>.<tsrvrISessTable>
    • <schema>.<tsrvrSSessTable>
    • <schema>.<tsrvrTSessTable>
    • <schema>.<tclntCSessTable>
    • <schema>.<tclntISessTable>
    • <schema>.<tclntSSessTable>
    • <schema>.<tclntTSessTable>
    • <schema>.<teepCSessTable>
    • <schema>.<teepISessTable>
  4. Collect the connectivity information that is required to link the IBM zERT Network Analyzer service with the Db2 for z/OS database to be used by the service.
    The DBA must provide database connectivity information to the person setting up the IBM zERT Network Analyzer service. This information includes:
    • The hostname or IP address on which the Db2 for z/OS subsystem is running
    • The TCP port number of the subsystem
    • The database location name, which is the value of the LOCATION parameter of the DSNJU003 utility
    • The database user ID
    • The password for the database user ID
    • The JDBC classpath for the Db2 for z/OS JDBC driver on the system where the IBM zERT Network Analyzer executes

    See Connect IBM zERT Network Analyzer task with the Db2 for z/OS database for how to use this connectivity information.

  5. (Optional) Modify the setting of the DSN6SYSP URLGWTH parameter.

    Depending on the size of the SMF dump data sets that you plan to import into IBM zERT Network Analyzer and the setting of the DSN6SYSP URLGWTH parameter, you might see one or more DSNJ031I messages when importing the SMF dump data sets. You can modify the setting of the DSN6SYSP URLGWTH parameter to reduce the number of DSNJ031I messages. For more information, see UR LOG WRITE CHECK field (URLGWTH subsystem parameter) in Installing and migrating Db2.

  6. (Optional) Define additional 4K and 32K work files to be used by IBM zERT Network Analyzer

    By default, small 4K and 32K work files are defined for use by the Db2 for z/OS subsystem. You might need to increase the size of the 4K and 32K work files to allow IBM zERT Network Analyzer to operate more efficiently. For more information, see DSNTIP9: Work file database panel in Installing and migrating Db2.

    Restriction:
    • Db2 for z/OS packages associated with the NULLID collection will be used when IBM zERT Network Analyzer plug-in connects to the Db2 for z/OS subsystem. The collection-id is an optional parameter when binding Db2 for z/OS packages where NULLID is the default collection-id value for distributed applications such as IBM zERT Network Analyzer. For more information, review the DSNTIJLC and DSNTIJLR Db2 for z/OS jobs.
    • APPLCOMPAT bind option for the DB2 for z/OS packages associated with dynamic SQL statements must be set to its respective Db2 for z/OS release level. This means that a Db2 12 for z/OS subsystem must use an APPLCOMPAT value of at least V12R1M500 and a Db2 11 for z/OS subsystem must use an APPLCOMPAT value of V11R1. APPLCOMPAT is an optional parameter when binding Db2 for z/OS packages where the default APPLCOMPAT value is the APPLCOMPAT subsystem parameter. For more information, review the DSNTIJLC and DSNTIJLR Db2 for z/OS jobs.