Question & Answer
Question
How do I complete/modify the OMEGAMON Enhanced 3270 user interface security?
Cause
Supplementary information may be required to complete OMEGAMON Enhanced 3270 user interface security.
Answer
This technical notice provides supplementary information on the subject of security configuration for the OMEGAMON enhanced 3270 user interface (enhanced 3270UI).
For the most part, configuration information for the enhanced 3270UI is provided in the IBM Tivoli OMEGAMON XE and IBM Tivoli Management Services on z/OS Common Planning and Configuration Guide:
Note: Enhancements to the enhanced 3270UI delivered with the July 2013 PTFs provide resource authorization enablement for a number of interface functions. If your security system configuration denies access to undefined SAF resources by default, you will have to define access rules for each of the new enhanced 3270UI enabled resources. If you have installed PTFs UA69205 and UA69877 (APARs OA42127 and OA42748), refer to the documentation at the URL immediately below.
http://pic.dhe.ibm.com/infocenter/tivihelp/v61r1/topic/com.ibm.omegamon_share.doc_6.3.0.1/zcommonconfig/complete_security_e3270_cpcg.htm
Note: If you have not installed the above-mentioned PTFs, refer to the documentation at the URL below:
http://publib.boulder.ibm.com/infocenter/tivihelp/v15r1/topic/com.ibm.omegamon_share.doc_623fp1/zconfigcommon133.htm?path=2_1_5_2_11#enable_securitye3270ui
The enhanced 3270UI security authorization for Take Action functions is complementary to the authorization performed by the OMEGAMON XE agents. As a result, Take Action security configuration for the enhanced 3270UI and OMEGAMON Agents should be coordinated.
The OMEGAMON XE Agent security configuration is described in the agent-specific configuration documents, for example:
OMEGAMON XE for CICS on z/OS v5.1.0, v5.3.0:
https://www.ibm.com/support/knowledgecenter/SSLSDR_5.1.0/com.ibm.omegamon.cics.doc_5.1.0/omcics510_planning112.htm
http://www.ibm.com/support/knowledgecenter/SSLSDR_5.3.0/com.ibm.omegamon_cics.doc_5.3.0/planning/kcpa3053.htm#kcpa3053
OMEGAMON XE for DB2 Performance Expert, Performance Monitor on z/OS v5.1.1:
http://www-01.ibm.com/support/docview.wss?uid=swg21607789
OMEGAMON XE for IMS on z/OS v5.1.0, v5.3.0:
http://www.ibm.com/support/knowledgecenter/SSXS8U_5.1.0/com.ibm.omegamon.xe_ims.doc_5.1.0/omxeims_pcg28.htm#securing_takeaction
http://www.ibm.com/support/knowledgecenter/SSXS8U_5.3.0/com.ibm.omegamon.xe_ims.doc_5.1.0/omxeims_pcg28.htm
OMEGAMON XE for Mainframe Networks v5.1.0, v5.1.1, v5.3.0:
https://www.ibm.com/support/knowledgecenter/SS2JL7_5.1.0/com.ibm.omegamon.mn.doc_5.3.0/configguide/mfn_config_guide_completing_security_intro.htm
https://www.ibm.com/support/knowledgecenter/SS2JL7_5.1.1/com.ibm.omegamon.mn.doc_5.3.0/configguide/mfn_config_guide_completing_security_intro.htm
https://www.ibm.com/support/knowledgecenter/SS2JL7_5.3.0/com.ibm.omegamon.mn.doc_5.3.0/configguide/mfn_config_guide_completing_security_intro.htm
OMEGAMON XE for Messaging on z/OS v7.1.0, v7.3.0:
https://www.ibm.com/support/knowledgecenter/SSRLD6_7.1.0/com.ibm.omegamon.mes_doc_7.1/tsk-e3270-auth-take-action-cmd.html
https://www.ibm.com/support/knowledgecenter/SSRLD6_7.3.0/zos_configuide/tsk-e3270-auth-take-action-cmd.html
OMEGAMON XE on z/OS v5.1.0, v5.1.1:
https://www.ibm.com/support/knowledgecenter/SS2JNN_5.1.1/com.ibm.omegamon_xezos.doc/configuration/complete_omxezos_pcg.htm
https://www.ibm.com/support/knowledgecenter/SS2JNN_5.3.0/com.ibm.omegamon_xezos.doc_511/configuration/complete_omxezos_pcg.htm#complete_omxezos_pcg
The following is supplementary information about configuring security for the enhanced 3270UI:
With OMEGAMON v510, the configuration tools (PARMGEN workflow or Configuration Tool) provide a new parameter, RTE_SECURITY_CLASS, that can be used to configure a general/global security class. If specified, this parameter is configured into the applicable runtime environment (RTE) variable files, for example KOBENV.
The interface and OMEGAMON XE agent security configuration may be defined under the global security class. This is the recommended method/scenario, which is supported by the Configuration Tool.
In addition, the enhanced 3270UI may be manually modified to implement an alternate security configuration. This might be done if, for example, more granular and/or separated security definitions were required. The interface security parameters are specified as statements in the rhilev.rte.RKANPARU(KOBENV) environment variables file. The enhanced 3270UI security configuration parameters are listed below:
| Parameter | Description |
| --- | --- |
| RTE_SECURITY_CLASS= | The value following the equal sign will specify the general/global security class name. This parameter statement will be configured by the Configuration Tool if it is specified during the configuration process. |
| KOB_SAF_LOGON_CLASS_NAME= | Specifies a specific security class name that is to be employed for interface log-on authentication. This parameter defaults to the RTE_SECURITY_CLASS (above) parameter value. This parameter should only be specified if the RTE_SECURITY_CLASS is not being specified or a unique security class name is required for log-on authorization. |
| KOB_SAF_QUERY_CLASS_NAME= | Specifies a specific security class name that is to be employed for authorization of an interface query (data retrieval). This parameter defaults to the RTE_SECURITY_CLASS parameter value. This parameter should only be specified if the RTE_SECURITY_CLASS is not being specified or a unique security class name is required for data retrieval authorization. |
| KOB_SAF_ACTION_CLASS_NAME= | Specifies a specific security class name that is to be employed for Take Action authorization. This parameter defaults to the RTE_SECURITY_CLASS parameter value. This parameter should only be specified if a unique security class name is required for take action authorization. |
| LOGON_RESOURCE_PREFIX= | Specifies a specific security class resource name that will be employed for log-on authentication. This parameter defaults to resource name "KOB.LOGON". This parameter should only be specified if an alternate log-on resource name is required. |
Note 1: The OMEGAMON Agent Take Action authorization is effective for Take Actions initiated at the enhanced 3270UI as well as those initiated at the Tivoli Enterprise Portal (TEP).
Note 2: The KOB_SAF_* parameters are specific to the enhanced 3270UI. Because Take Action security may be configured to enable authorization both at the interface and at the OMEGAMON XE Agent, resource definitions for the KOB_SAF_ACTION_CLASS_NAME class must correspond to those defined for the OMEGAMON Agent. For example, if an agent-specific security class such as KM5_SECURITY_ACTION_CLASS were being employed, the resource definitions for the KM5 and KOB Take Action classes would need to be coordinated.
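The defaulting rules in the parameter list and the coordination requirement in Note 2 can be checked mechanically before SAF definitions are changed. The following Python script is an added example, not IBM code; the `*` comment convention, the sample class names and the agent class value passed to `review` are assumptions made for illustration.

```python
KOB_FUNCTION_PARAMS = {
    "logon": "KOB_SAF_LOGON_CLASS_NAME",
    "query": "KOB_SAF_QUERY_CLASS_NAME",
    "action": "KOB_SAF_ACTION_CLASS_NAME",
}
DEFAULT_LOGON_RESOURCE = "KOB.LOGON"  # documented default resource name

def parse_kobenv(text):
    """Parse NAME=value statements (assumption: lines starting with '*' are comments)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip().upper()] = value.strip()
    return params

def effective_security(params):
    """Apply the documented defaults: each KOB_SAF_* class falls back to RTE_SECURITY_CLASS."""
    global_class = params.get("RTE_SECURITY_CLASS") or None
    eff = {fn: (params.get(p) or global_class) for fn, p in KOB_FUNCTION_PARAMS.items()}
    eff["logon_resource"] = params.get("LOGON_RESOURCE_PREFIX") or DEFAULT_LOGON_RESOURCE
    return eff

def review(params, agent_action_class=None):
    """Return findings to resolve before SAF resource definitions are written."""
    eff = effective_security(params)
    findings = [f"{fn}: no class set and no RTE_SECURITY_CLASS to default to"
                for fn in KOB_FUNCTION_PARAMS if eff[fn] is None]
    # Note 2: interface and agent Take Action definitions must correspond.
    if agent_action_class and eff["action"] and eff["action"] != agent_action_class:
        findings.append(f"action: interface class {eff['action']} differs from agent "
                        f"class {agent_action_class}; coordinate resource definitions")
    return findings

# Constructed sample input; the class names are placeholders, not IBM defaults.
SAMPLE_KOBENV = """\
* constructed KOBENV fragment
RTE_SECURITY_CLASS=OMEGCLS
KOB_SAF_ACTION_CLASS_NAME=OMEGACT
"""

if __name__ == "__main__":
    parsed = parse_kobenv(SAMPLE_KOBENV)
    print(effective_security(parsed))
    # OMEGM5A stands in for the value of an agent-specific Take Action class.
    print(review(parsed, agent_action_class="OMEGM5A"))
```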
Document Information
Modified date:
23 December 2019
UID
swg21606218