Question & Answer
Question
We are in the process of converting from SMF TYPE118 (for FTP, TN3270, & TCPIP) to TYPE 119. We also have an audit requirement to tie a remote IP address to a specific user ID. It seems that the only SMF 118/119 records that record the UID (RACF or jobname) are the 118/119 type 7x (FTP Server) records. Is this correct? It is not apparent that UID information (RACF or JOBNAME) is stored in the other 118/119 subtypes. The only UID type information that seems to be stored is the UID information for the TCP stack. It is not apparent that the contents have changed for subtype 7x records between SMF118 and SMF119 for the standard subtypes, just the data locations. Is this correct?
Answer
Each SMF119 record contains a TCP/IP Identification section. The layout for this section is under the heading, Common TCP/IP identification section. This layout is in Appendix E of the IP Programmer's Guide and Reference. This section contains a user ID field, SMF119TI_UserID. This field contains the user ID associated with the address space when it was started.
IBM did not change any existing content when moving from type 118 to 119. The format and offsets changed, but all the type 118 content is still available. However, the use of type 119 records is preferred.
SMF is able to tie a remote IP address to a jobname. If you enable the TCP connection termination record (type 119 subtype 2), the SMF119AP_TTRName field will hold the jobname. It corresponds to tcb_resrcNm, and is documented as the "Address space name of address space that closed this TCP connection".
In the general sense, it is difficult to correlate a remote IP address to a user ID. Many servers (for example, FTP) change user ID at least once during the life of the connection. In the case of TN3270, the application is not even aware of the underlying user ID that is in use for the SNA session. Because of the wide variety of application behaviors, this problem can only be solved on a per-application basis.
One method to associate the IP address and port number with a TSO TELNET session is to use an IEFACTRT user exit. When a Type 30 or Type 34 record is written for a TSO address space termination, the exit uses the GTTERM SVC to capture the IP address and port number and updates the SMF record with the additional information.
References:
- z/OS MVS Installation Exits
- z/OS MVS Initialization and Tuning Reference
- z/OS MVS System Management Facilities (SMF)
- z/OS TSO/E Programming Service
The TCP connection termination record also includes space for 40 bytes of application-specific data. Applications are free to report user IDs in this data, and the data shows up in places such as SMF records and netstat output. Some z/OS Communications Server applications that fill in this field are: FTP, TN3270E, and CICS sockets.
FTP and CICS include user IDs, but TN3270E only reports LU name. Customers are welcome to use the APPLDATA API in their own applications to report information such as user IDs.
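The per-application correlation described above, as an added example that is not IBM's code: it takes subtype 2 records already decoded into dictionaries and reports, per remote IP, the strongest identity each connection carries (user ID, LU name, or only the jobname from SMF119AP_TTRName). The dictionary keys and the APPLDATA text layout are constructed for this example; real APPLDATA layouts are defined by each application.

```python
from collections import defaultdict

# Constructed APPLDATA layout for this example only: "<APP> <KIND>=<VALUE>",
# EBCDIC (code page 037), blank-padded to the 40-byte field length.
def appldata(text):
    return text.ljust(40).encode("cp037")

# Constructed, already-decoded subtype 2 records. "jobname" stands for
# SMF119AP_TTRName; the other key names are hypothetical.
RECORDS = [
    {"jobname": "FTPD1", "remote_ip": "192.0.2.10", "appldata": appldata("FTP USER=ALICE")},
    {"jobname": "FTPD1", "remote_ip": "192.0.2.10", "appldata": appldata("FTP USER=BOB")},
    {"jobname": "TN3270", "remote_ip": "192.0.2.20", "appldata": appldata("TN3270E LU=LU0001")},
    {"jobname": "CICSA", "remote_ip": "192.0.2.30", "appldata": appldata("CICS USER=CAROL")},
    # Application that leaves the field blank (EBCDIC spaces, 0x40).
    {"jobname": "MYSRV", "remote_ip": "192.0.2.40", "appldata": bytes([0x40]) * 40},
]

def identity(record):
    """Return (kind, value) for the strongest identity the record carries."""
    text = record["appldata"].decode("cp037").strip()
    _, _, pair = text.partition(" ")
    kind, sep, value = pair.partition("=")
    if sep and kind == "USER" and value:
        return ("userid", value)           # FTP and CICS report user IDs
    if sep and kind == "LU" and value:
        return ("luname", value)           # TN3270E reports only the LU name
    return ("jobname", record["jobname"])  # nothing better than the jobname

def audit_map(records):
    """Map each remote IP to the sorted identities seen on its connections."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["remote_ip"]].add(identity(rec))
    return {ip: sorted(ids) for ip, ids in seen.items()}

if __name__ == "__main__":
    for ip, ids in audit_map(RECORDS).items():
        print(ip, ids)
```

A remote IP that maps only to `luname` or `jobname` entries still needs a per-application source, such as the IEFACTRT approach for TSO sessions, before it can be tied to a user ID.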
Document Information
Modified date:
21 June 2018
UID
swg21506919