Optionally creating a IZUPRMxx parmlib member

You might find that the z/OSMF configuration defaults are sufficient for your environment; if so, use the defaults for a quick-start experience with z/OSMF. If your z/OSMF set-up requires customization, you can provide a customized member, IZUPRMxx, with installation-specific values for your configuration. IBM® provides a sample member, IZUPRM00, which you can use as a model.

IZUPRMxx is optional. Before you create this member, review the z/OSMF defaults, which are described in this topic, to determine whether the values are sufficient for your installation. Provide an IZUPRMxx member only if you need to override one or more of the z/OSMF defaults.

To create an IZUPRMxx parmlib member, follow these steps:
  1. Copy the sample parmlib member into the desired parmlib data set with desired suffix.
  2. Update the parmlib member as needed.
  3. Specify the parmlib member suffix on the command that is used to start the z/OSMF server. For information, see Specifying a job name and other parameters.
Tip: Specify values only for those defaults that you want to override. Omit any statement for which the default value is acceptable. Doing so will ensure that you always obtain the default values, even if they happen to change in a future release.

Syntax rules for IZUPRMxx

For general rules of parmlib member syntax, see z/OS MVS Initialization and Tuning Reference .

Additionally, the following rules apply to the creation of IZUPRMxx parmlib members:
  • Use columns 1-71 for data; columns 72-80 are ignored.
  • If a statement is omitted, the default is used.
  • Enter one or more statements on a line, or use several lines for one statement.
  • Use blanks as delimiters. The system interprets multiple blanks as a single blank. You can use blanks between parameters and values. For example, all of the following parameter specifications are equally valid: 
    SESSION_EXPIRE(495)
SESSION_EXPIRE     (495)
SESSION_EXPIRE ( 495 )
  • Comments can appear in columns 1-71 and must begin with slash-asterisk and end with asterisk-slash. Any number of blank lines can appear between statements to improve readability.
  • Enter values in uppercase, lowercase, or mixed case. The system converts input to uppercase, unless the values are enclosed in single quotation marks, which are processed without altering the case.
    These values might require mixed casing, and should therefore be enclosed in single quotation marks:
    • CLOUD_SAF_PREFIX
    • INCIDENT_LOG UNIT
    • JAVA_HOME
    • KEYRING_NAME
    • LOGGING
    • SAF_PREFIX
    • TEMP_DIR
  • Enclose any value that contains special characters in single quotation marks.
  • You can use system symbols in IZUPRMxx. Suppose, for example, that your installation defines a symbol in IEASYMxx for the Java directory, such as JAVA71='/usr/lpp/java/J7.1_64'. To reference this symbol on the JAVA_HOME parameter in IZUPRMxx, specify the symbol as follows: JAVA_HOME(&JAVA71).
  • Enclose any value that is the same as a keyword in single quotation marks, so that the system interprets the value as a value and not as a keyword.
  • Enclose values in single quotation marks, according to the following rules:
    • Two single quotation marks next to each other on the same line are processed as a single quotation mark. For example, the system interprets Jane''s file as Jane's file.
    • If a value is longer than 72 characters, it requires multiple lines. Specify the value in columns 1-71 and use as many subsequent lines as necessary in columns 1-71. For a value that spans multiple lines, place one quotation mark at the beginning of the value, stop the value in column 71 of the line, continue the value in column 1 of the next line, and complete the value with one quotation mark. Use as many lines as necessary to define the value.
  • You can specify multiple IZUPRMxx parmlib members by using concatenation. If the same statement is used more than once, either in the same member or in multiple members, the value from the last occurrence is used. For example, suppose that your installation uses two members, IZUPRM01 and IZUPRM02. If the HOSTNAME parameter is specified in both IZUPRM01 and IZUPRM02, the system uses the HOSTNAME value from IZUPRM02.

Syntax format of IZUPRMxx

/* Common TSO logon proc, account, and region size, used by all plug-ins by default.     */
COMMON_TSO ACCT(IZUACCT) REGION(50000) PROC(IZUFPROC)
HOSTNAME('*')                                                                   
HTTP_SSL_PORT(443)                                                              
INCIDENT_LOG UNIT('SYSALLDA')                                                      
JAVA_HOME('&JAVA71_HOME')     /* System symbol used to define home */                                                   
KEYRING_NAME('IZUKeyring.IZUDFLT')                                              
LOGGING('*=warning:com.ibm.zoszmf.*=info:com.ibm.zoszmf.environment.ui=finer')  
RESTAPI_FILE ACCT(IZUACCT) REGION(65536) PROC(IZUFPROC)                         
SAF_PREFIX('IZUDFLT')                                                           
SEC_GROUPS USER(IZUUSER),ADMIN(IZUADMIN),SECADMIN(IZUSECAD)                     
SESSION_EXPIRE(495)  
CLOUD_SAF_PREFIX ('IYU')                                                          
TEMP_DIR('/tmp')                                                                
UNAUTH_USER(IZUGUEST)                                                           
WLM_CLASSES DEFAULT(IZUGHTTP) 
            LONG_WORK(IZUGWORK) 
 
/* Uncomment the following statement and any plugins that are desired */   
/* PLUGINS( INCIDENT_LOG,COMMSERVER_CFG,WORKLOAD_MGMT,RESOURCE_MON,CAPACITY_PROV, SOFTWARE_MGMT,ISPF)   */

IBM-supplied defaults for IZUPRMxx

There is no default IZUPRMxx parmlib member. A sample parmlib member, IZUPRM00, is provided with z/OSMF in the partitioned data set SIZUJCL. This data set is created by default when your installation installs z/OSMF through SMP/E.

Syntax format of IZUPRMxx shows the IBM-supplied IZUPRM00 member. Note that the PLUGINS statement is commented out; to use it, you must remove the comment characters.

Statements and parameters for IZUPRMxx

COMMON_TSO ACCT(account-number) REGION(region-size) PROC(proc-name)
Specifies values for the TSO logon procedure that is used internally for various z/OSMF activities. This setting is applicable if your z/OSMF configuration uses:
  • z/OS console REST interface services
  • Software Management task
  • Workflows task

It is recommended that you use the default values, which should be adequate for most z/OS installations. If you specify alternative values, you must ensure that the z/OSMF user and z/OSMF administrator security groups are authorized to the logon procedure name and account number that you specify, and that the region size is at least 50000 kilobytes (KB). For information, see Updating your system for the z/OS data set and file REST interface.

All z/OSMF users must have a TSO segment that is defined in the security management product, such as RACF. Failure to have a TSO segment prevents some z/OSMF functions from working.

ACCT(account-number)
TSO account number to be used for the common logon procedure for z/OSMF.
Rules: 1 - 40 alphanumeric characters (A-Z, a-z, 0-9) or special characters (#, $, or @).
Default: IZUACCT
REGION(region-size)
Region size (in kilobytes) to be used for the common logon procedure for z/OSMF.
Value range: 50000 – 2096128
Default: 50000
PROC(proc-name)
TSO logon procedure to be used for z/OSMF. It is recommended that you accept the default procedure, IZUFPROC, which is supplied by IBM as a cataloged procedure in proclib.
Rules: 1 to eight alphanumeric characters (A-Z, a-z, 0-9) or special characters (#, $, or @).
Default: IZUFPROC
HOSTNAME(hostname)
Specifies the host name, as defined by DNS, where the z/OSMF server is located. To use the local host name, enter asterisk (*), which is equivalent to @HOSTNAME from previous releases. Or, you can specify a dynamic VIPA (DVIPA) that resolves to the correct IP address.
Rules:
  • Consists of alphabetic letters (A-Z), numeric digits (0-9), hyphens(-), and periods (.)
  • Consists of 1 to multiple sections (labels) of 1-63 characters that are separated by a period (.)
  • The maximum length of this value, including periods, is 253 characters
  • Alphabetic characters are case insensitive
  • Each section must start and end with either an alphabetic character (A-Z) or numeric digit (0-9). For example: WWW.IBM.COM
Default: *
HTTP_SSL_PORT(nnn)
Identifies the port number that is associated with the z/OSMF server. This port is used for SSL encrypted traffic from your z/OSMF configuration. The default value, 443, follows the Internet Engineering Task Force (IETF) standard.
Note: By default, the z/OSMF server uses the SSL protocol SSL_TLSv2 for secure TCP/IP communications. As a result, the server can accept incoming connections that use SSL V3.0 and the TLS 1.0, 1.1 and 1.2 protocols.
Value range: 1 - 65535 (up to 5 digits)
Default: 443
INCIDENT_LOG UNIT('device-name')
Specifies the device to be used for storing data sets and z/OS UNIX files for the FTP jobs. This parameter is applicable if your configuration includes the Incident Log plug-in.
Rules:
  • Must consist of 1 to 72 characters, including alphanumeric characters (A-Z and 0-9)
  • Can include the following special characters: hyphens(-), commas (,), equal signs (=), or forward slash (/)
Default: SYSALLDA
JAVA_HOME('directory-name')
Specifies the home directory (the fully qualified path name) for IBM 64-bit SDK for z/OS, Java Technology Edition V7 on your system.
Rules:
  • Must contain no more than 1024 characters, case sensitive
  • Must begin with a forward slash (/)
  • Must include the full or absolute path name, and a maximum of 255 characters between slashes
  • Cannot contain a null
Default: /usr/lpp/java/J7.1_64
KEYRING_NAME('keyring-name')
Specifies the key ring name for the z/OSMF server. The format is IZUKeyring.<SAF_PREFIX>.
Rules:
  • Must consist of 1-237 characters, case sensitive
  • Can contain any characters, except ampersand (&), asterisk (*), or percent (%)
Note: The IZUSEC job contains statements that include the generation of digital certificates and the key ring. The value that is specified here must match the key ring name that you defined for z/OSMF in the IZUSEC job or by entering equivalent commands.
Default: IZUKeyring.IZUDFLT
LOGGING('trace_specification')
Initial trace state for the z/OSMF server. These settings are read when the server is started. This value is provided by IBM Support. If there is a problem with starting the server, this value is used to enable tracing for server startup.
Rules: Limited to 2048 characters, case sensitive.
Default: *=warning:com.ibm.zoszmf.*=info:com.ibm.zoszmf.environment.ui=finer
RESTAPI_FILE ACCT(account-number) REGION(region-size) PROC(proc-name)
Specifies values for the TSO logon procedure that is used internally by the z/OS data set and file REST interface services. It is recommended that you use the defaults, which should be adequate for most z/OS installations. If you specify alternative values, you must ensure that the z/OSMF user and z/OSMF administrator security groups are authorized to the logon procedure name and account number that you specify, and that the region size is at least 65536 kilobytes (KB). For information, see Updating your system for the z/OS data set and file REST interface.

All z/OSMF users must have a TSO segment that is defined in the security management product, such as RACF. Failure to have a TSO segment prevents some z/OSMF functions from working.

ACCT(account-number)
TSO account number to be used for the logon procedure for the z/OS data set and file REST interface services.
Rules: 1 - 40 alphanumeric characters (A-Z, a-z, 0-9) or special characters (#, $, or @).
Default: IZUACCT
REGION(region-size)
Region size (in kilobytes) to be used for the logon procedure for the z/OS data set and file REST interface services.
Value range: 65536 – 2096128
Default: 65536
PROC(proc-name)
TSO logon procedure to be used for operations with the z/OS data set and file REST interface services. It is recommended that you accept the default procedure, IZUFPROC, which is supplied by IBM as a cataloged procedure in proclib.
Rules: 1 to eight alphanumeric characters (A-Z, a-z, 0-9) or special characters (#, $, or @).
Default: IZUFPROC
SAF_PREFIX('IZUDFLT')
SAF profile prefix that is prepended to the names of any resource profile names to be used for the z/OSMF core functions and optional plug-ins.
Note: The IZUxxSEC sample jobs contain commands that include the SAF profile prefix for creating resource profile names. The value that is specified here must match the prefix name that you define for z/OSMF in the IZUxxSEC jobs or by entering equivalent commands.
Default: IZUDFLT
SEC_GROUPS USER(group-name),ADMIN(group-name),SECADMIN(group-name)
Specifies group names for the base set of z/OSMF security groups: user, administrator, and z/OS security administrator.
USER(group-name)
Security group to be used for the z/OSMF user role. The user IDs that are connected to this group are considered to be z/OSMF users.
Default: IZUUSER
ADMIN(group-name)
Security group to be used for the z/OSMF administrator role. The user IDs that are connected to this group are considered to be z/OSMF administrators.
Default: IZUADMIN
SECADMIN(group-name
Group name to be used for the z/OS Security Administrator role. This group is permitted to the Workflows task.
Default: IZUSECAD
SESSION_EXPIRE(nnn)
Amount of time (in minutes) for the session timeout. z/OSMF user sessions expire when this period elapses. For information, see Re-authenticating in z/OSMF.
Value range: 30-999999
Default: 495
CLOUD_SAF_PREFIX('IYU')
SAF profile prefix that is prepended to the names of any group names to be used for authorizing users to IBM Cloud Provisioning and Management for z/OS task activities.
Note: The IZUSEC sample job contains commands that include the group name for creating authorizations. The value that is specified here must match the prefix name that you define for IBM Cloud Provisioning and Management for z/OS authorizations in the IZUSEC job or by entering equivalent commands.
Default: IYU
TEMP_DIR('path-name')
Temporary directory for various z/OSMF activities. This setting is applicable if your z/OSMF configuration uses:
  • Incident Log task
  • Workflows task.
The temporary directory is used, as follows:
  • Incident Log task uses this directory for sending z/OS UNIX file attachments through FTP.
  • Workflows task uses this directory for storing temporary files.

Users of these z/OSMF tasks require write access to the temporary directory. Otherwise, the task might fail with an authorization error (the user encounters message ICH408I).

In IBM Cloud Provisioning and Management for z/OS provisioning, a number of functions are performed using workflows. For example, a software template is comprised of one or more workflows. Therefore, any user involved in IBM Cloud Provisioning and Management for z/OS provisioning is also a potential user of the Workflows task. You must ensure that these users have write access to the TEMP_DIR location.

Rules:
  • Must contain no more than 1024 characters, case sensitive
  • Must begin with a forward slash (/)
  • Must include the full or absolute path name, and a maximum of 255 characters between slashes
  • Cannot contain a null
Default: /tmp
UNAUTH_USER(user-id)
Represents an unauthenticated user. Provides an unknown user with basic privileges to access the Welcome page, but nothing more.
Default: IZUGUEST
WLM_CLASSES DEFAULT(class-name)
Specifies the WLM transaction classes for managing z/OSMF work.
DEFAULT(class-name)
WLM transaction class to be used for managing z/OSMF work, except for long-running work, which is managed through the LONG_WORK(class-name) statement.
Rules:
  • Each class name is 1-8 characters, not case sensitive
  • First character must be an alphanumeric
  • Remaining characters must be alphanumeric or special characters
Default: IZUGHTTP
LONG_WORK(class-name)
WLM transaction class to be used for managing the execution of long-running work. This setting is applicable when your configuration includes the Software Deployment optional plug-in.
Rules:
  • Each class name is 1-8 characters, not case sensitive
  • First character must be an alphanumeric
  • Remaining characters must be alphanumeric or special characters
Default: IZUGWORK
PLUGINS(plugin-id,plugin-id,plugin-id,...)
Specifies the plug-ins for your configuration. Enter one or more of the following plug-in identifiers:
  • INCIDENT_LOG
  • COMMSERVER_CFG
  • WORKLOAD_MGMT
  • RESOURCE_MON
  • CAPACITY_PROV
  • SOFTWARE_MGMT
  • ISPF
Default: No optional plug-ins are specified.

Example of IZUPRMxx parmlib member

In the example that follows, an IZUPRMxx parmlib member is used to set these values:
  • Port 30443
  • System symbol for the Java home directory. The symbol must also be defined in your IEASYMxx member.
HTTP_SSL_PORT(30443)
JAVA_HOME('&JAVA71_HOME')     /* System symbol used to define Java home */
Parent topic: Configuring z/OSMF for the first time