IBM Support

Generating SMF records with IBM Session Manager 3.1

Question & Answer


Question

I have an Audit requirement to log 'unsuccessful logins' and 'successful logins or logouts'. I see this information does get written to the IBM Session Manager for z/OS (ISM) Audit log and I am hoping this information will meet our Audit requirements. In case I am asked to create SMF records, I would like some additional information.

  1. Does ISM generate any SMF records by default?

  2. To generate SMF records for 'unsuccessful logins' and 'successful logins or logouts' it looks like I need to customize the ISZATTAB macro with the SMF Record Type and VTAM applids. Is this correct?

  3. Is there a way to generate SMF records for all applications accessed from ISM without having to update and maintain the ISZATTAB macro? Also, based on the RACF SMF data I see, the log parameter must be LOG=ASIS because I only see unsuccessful login attempts. I see ISM has SIGNON and SIGNOFF exits, so maybe the RACROUTE REQUEST=VERIFY can receive its logging parameter from those exits?

  4. It looks like the RACROUTE commands can be used by an application to call RACF for userid and password verification. Does ISM use RACROUTE calls?

  5. Are the SMF 80 records generated based on how ISM interfaces with RACF? For example, does ISM uses RACROUTE with the LOG=ALL parameter?

  6. Should I configure the ISM Signon and Signoff exits? Will they give me the information I need?

Answer

Answers to each of the questions regarding ISM and SMF records...

  • Does ISM generate any SMF records by default?
    Answer: No, ISM does not generate any SMF records by default.

  • To generate SMF records for 'unsuccessful logins' and 'successful logins or logouts' it looks like I need to customize the ISZATTAB macro with the SMF Record Type and VTAM applids. Is this correct?
    Answer: Can you clarify the context of 'unsuccessful logins' and 'successful logins or logouts'? The E39 exit sample for writing SMF 240 records when an ISM back-end session ends is called. If you are referring to successful or unsuccessful attempts to login to the ISM ACB itself from VTAM (prior to the actual attempt to signon to ISM itself), then there is no SMF 240 record written for the VTAM logon/logoff. RACF produces SMF 80 records for authorized accesses or unauthorized attempts to access RACF-protected resources. The ISM VTAM ACB can be defined to RACF, and if the LU is not authorized to the ISM APPLID, RACF would write the SMF 80 record.

  • Is there a way to generate SMF records for all applications accessed from ISM without having to update and maintain the ISZATTAB macro?
    Answer: The E39 sample exit ISZE39AT is invoked with a parameter list. The parm 6 (UEPE39P6) has the APPL set in field UEP39APP. The value is compared with the APPLs listed in the ISZATTAB macro. If you choose to use another method for checking on APPLs other than adding entries to the ISZATTAB macro, then you would just have to write your own E39 exit and compare the UEP39APP field to wherever you want to maintain the list, or just write the SMF 240 record whenever the E39 exit is called and record the SMF data. If using ISZE39AT, you would just skip the check for the ATNUMENT count, and process at label E39X0110.

  • Does ISM user RACROUTE calls?
    Answer: Yes, ISM E21 and E22 exits make RACROUTE calls.

  • Are the SMF 80 records generated based on how ISM interfaces with RACF? For example, does ISM uses RACROUTE with the LOG=ALL parameter?
    Answer: Yes, RACF logs SMF type 80 records. ISM defaults to LOG=ASIS, but you canupdate the ISZE21SF exit to add LOG=ALL.

  • Should I configure the ISM Signon and Signoff exits? Will they give me the information I need?
    Answer: RACF can protect the ISM APPLID, but it sounds like they allow all LUs to access the ISM APPLID so they get the ISM signon panel. The ISM E21 exit issues the RACROUTE VERIFY. The source code for ISZE21SF is in the SISZCONF data set. The RACROUTE is at label VERFYUSR where you can add the LOG=ALL parameter and re-assemble and link using the ISZESAM sample JCL in SISZCONF.

Let me know if this answers your questions.

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Platform":[{"code":"PF035","label":"z\/OS"}],"Component":"","Version":""},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSBTJX","label":"IBM Session Manager"},"Platform":[{"code":"PF035","label":"z\/OS"}]}]

Product Synonym

CICS/TS CICSTS CICS TS CICS Transaction Server;ISM

Document Information

Modified date:
15 November 2016

UID

dwa1314520