IBM Support

Configuring OMEGAMON Enhanced 3270 User interface security

Question & Answer


Question

How do I complete or modify the OMEGAMON Enhanced 3270 user interface security configuration?

Cause

Supplementary information may be required to complete OMEGAMON Enhanced 3270 user interface security.

Answer

This technical notice provides supplementary information on the subject of security configuration for the OMEGAMON enhanced 3270 user interface (enhanced 3270UI).

For the most part, configuration information for the enhanced 3270UI is provided in the IBM Tivoli OMEGAMON XE and IBM Tivoli Management Services on z/OS Common Planning and Configuration Guide.

Note: Enhancements to the enhanced 3270UI delivered with the July 2013 PTFs enable resource authorization for a number of interface functions. If your security system configuration denies access to undefined SAF resources by default, you must define access rules for each of the newly enabled enhanced 3270UI resources. If you have installed PTFs UA69205 and UA69877 (APARs OA42127 and OA42748), refer to the documentation at the URL immediately below.

http://pic.dhe.ibm.com/infocenter/tivihelp/v61r1/topic/com.ibm.omegamon_share.doc_6.3.0.1/zcommonconfig/complete_security_e3270_cpcg.htm

Note: If you have not installed the above-mentioned PTFs, refer to the documentation at the URL below:

http://publib.boulder.ibm.com/infocenter/tivihelp/v15r1/topic/com.ibm.omegamon_share.doc_623fp1/zconfigcommon133.htm?path=2_1_5_2_11#enable_securitye3270ui

The enhanced 3270UI security authorization for Take Action functions is complementary to the authorization performed by the OMEGAMON XE agents. As a result, Take Action security configuration for the enhanced 3270UI and OMEGAMON Agents should be coordinated.

The OMEGAMON XE Agent security configuration is described in the agent-specific configuration documents, for example:

OMEGAMON XE for CICS on z/OS v5.1.0, v5.3.0:
https://www.ibm.com/support/knowledgecenter/SSLSDR_5.1.0/com.ibm.omegamon.cics.doc_5.1.0/omcics510_planning112.htm

http://www.ibm.com/support/knowledgecenter/SSLSDR_5.3.0/com.ibm.omegamon_cics.doc_5.3.0/planning/kcpa3053.htm#kcpa3053


OMEGAMON XE for DB2 Performance Expert, Performance Monitor on z/OS v5.1.1:
http://www-01.ibm.com/support/docview.wss?uid=swg21607789


OMEGAMON XE for IMS on z/OS v5.1.0, v5.3.0:
http://www.ibm.com/support/knowledgecenter/SSXS8U_5.1.0/com.ibm.omegamon.xe_ims.doc_5.1.0/omxeims_pcg28.htm#securing_takeaction

http://www.ibm.com/support/knowledgecenter/SSXS8U_5.3.0/com.ibm.omegamon.xe_ims.doc_5.1.0/omxeims_pcg28.htm


OMEGAMON XE for Mainframe Networks v5.1.0, v5.1.1, v5.3.0:
https://www.ibm.com/support/knowledgecenter/SS2JL7_5.1.0/com.ibm.omegamon.mn.doc_5.3.0/configguide/mfn_config_guide_completing_security_intro.htm

https://www.ibm.com/support/knowledgecenter/SS2JL7_5.1.1/com.ibm.omegamon.mn.doc_5.3.0/configguide/mfn_config_guide_completing_security_intro.htm

https://www.ibm.com/support/knowledgecenter/SS2JL7_5.3.0/com.ibm.omegamon.mn.doc_5.3.0/configguide/mfn_config_guide_completing_security_intro.htm


OMEGAMON XE for Messaging on z/OS v7.1.0, v7.3.0:
https://www.ibm.com/support/knowledgecenter/SSRLD6_7.1.0/com.ibm.omegamon.mes_doc_7.1/tsk-e3270-auth-take-action-cmd.html

https://www.ibm.com/support/knowledgecenter/SSRLD6_7.3.0/zos_configuide/tsk-e3270-auth-take-action-cmd.html


OMEGAMON XE on z/OS v5.1.0, v5.1.1:
https://www.ibm.com/support/knowledgecenter/SS2JNN_5.1.1/com.ibm.omegamon_xezos.doc/configuration/complete_omxezos_pcg.htm

https://www.ibm.com/support/knowledgecenter/SS2JNN_5.3.0/com.ibm.omegamon_xezos.doc_511/configuration/complete_omxezos_pcg.htm#complete_omxezos_pcg


The following is supplementary information about configuring security for the enhanced 3270UI:

With OMEGAMON v510, the configuration tools (PARMGEN workflow or Configuration Tool) provide a new parameter, RTE_SECURITY_CLASS, that can be used to configure a general/global security class. If specified, this parameter is configured into the applicable runtime environment (RTE) variable files, e.g. KOBENV.

The interface and OMEGAMON XE agent security configuration may both be defined under the global security class. This is the recommended method, and it is supported by the Configuration Tool.

In addition, the enhanced 3270UI may be manually modified to implement an alternate security configuration. This might be done if, for example, more granular or separated security definitions are required. The interface security parameters are specified as statements in the rhilev.rte.RKANPARU(KOBENV) environment variables file. The enhanced 3270UI security configuration parameters are:

RTE_SECURITY_CLASS= The value following the equal sign specifies the general/global security class name. This parameter statement is configured by the Configuration Tool if it is specified during the configuration process.
KOB_SAF_LOGON_CLASS_NAME= Specifies the security class name to be used for interface log-on authentication. This parameter defaults to the RTE_SECURITY_CLASS (above) parameter value. It should only be specified if RTE_SECURITY_CLASS is not being specified or a unique security class name is required for log-on authorization.
KOB_SAF_QUERY_CLASS_NAME= Specifies the security class name to be used for authorization of an interface query (data retrieval). This parameter defaults to the RTE_SECURITY_CLASS parameter value. It should only be specified if RTE_SECURITY_CLASS is not being specified or a unique security class name is required for data retrieval authorization.
KOB_SAF_ACTION_CLASS_NAME= Specifies the security class name to be used for Take Action authorization. This parameter defaults to the RTE_SECURITY_CLASS parameter value. It should only be specified if a unique security class name is required for Take Action authorization.
LOGON_RESOURCE_PREFIX= Specifies the security class resource name to be used for log-on authentication. This parameter defaults to the resource name "KOB.LOGON". It should only be specified if an alternate log-on resource name is required.


Note 1: The OMEGAMON Agent Take Action authorization is effective for Take Actions initiated at the enhanced 3270UI as well as those initiated at the Tivoli Enterprise Portal (TEP).

Note 2: The KOB_SAF_* parameters are specific to the enhanced 3270UI. Because Take Action security may be configured to enable authorization both at the interface and at the OMEGAMON XE Agent, resource definitions for the KOB_SAF_ACTION_CLASS_NAME class must correspond to those defined for the OMEGAMON Agent. For example, if an agent-specific security class such as KM5_SECURITY_ACTION_CLASS is being employed, the resource definitions for the KM5 and KOB Take Action classes need to be coordinated.
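
The fallback rules in the parameter list and the coordination point in Note 2, as an added Python example that is not part of this technote or of IBM's tooling: it parses KOBENV text and resolves which security class each interface function ends up using. The sample KOBENV content, the class names GLOBCLS, UIACTCLS and AGTACT, the `*` comment convention and the `agent_action_class` input are assumptions made for illustration.

```python
# Added example (not IBM code): resolve effective enhanced 3270UI security classes.
KOB_CLASS_PARAMS = {
    "logon": "KOB_SAF_LOGON_CLASS_NAME",
    "query": "KOB_SAF_QUERY_CLASS_NAME",
    "action": "KOB_SAF_ACTION_CLASS_NAME",
}
DEFAULT_LOGON_RESOURCE = "KOB.LOGON"  # default named in the technote

# Constructed sample; class names are placeholders, not from a real RTE.
SAMPLE_KOBENV = """\
* enhanced 3270UI security statements (constructed)
RTE_SECURITY_CLASS=GLOBCLS
KOB_SAF_ACTION_CLASS_NAME=UIACTCLS
"""

def parse_kobenv(text):
    """Collect PARAM=value statements.
    Assumption: blank lines and lines starting with '*' are not statements."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip().upper()] = value.strip()
    return params

def effective_security(params):
    """Each KOB_SAF_* class falls back to RTE_SECURITY_CLASS when not set."""
    global_class = params.get("RTE_SECURITY_CLASS") or None
    eff = {fn: params.get(name) or global_class
           for fn, name in KOB_CLASS_PARAMS.items()}
    eff["logon_resource"] = params.get("LOGON_RESOURCE_PREFIX") or DEFAULT_LOGON_RESOURCE
    return eff

def review(params, agent_action_class=None):
    """Return findings; agent_action_class is a hypothetical input holding the
    agent's own Take Action class (e.g. the KM5_SECURITY_ACTION_CLASS value)."""
    eff = effective_security(params)
    findings = [f"{fn}: no security class resolved"
                for fn in KOB_CLASS_PARAMS if eff[fn] is None]
    ui_action = eff["action"]
    if agent_action_class and ui_action and ui_action != agent_action_class:
        findings.append(f"action: interface class {ui_action} differs from agent class "
                        f"{agent_action_class}; keep resource definitions coordinated")
    return findings

if __name__ == "__main__":
    parsed = parse_kobenv(SAMPLE_KOBENV)
    print(effective_security(parsed))
    print(review(parsed, agent_action_class="AGTACT"))
```

A finding on the action line means Take Action resources exist in two classes, so a permit added to one and not the other leaves the interface and the agent disagreeing about who is authorized.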


Document Information

Modified date:
23 December 2019

UID

swg21606218