IBM z/OS Change Tracker is a System Software Change Control and Management solution for the z/OS platform via a z/OSMF plugin.. It allows for tracking, control, and management of systems software configuration changes, and can identify and report on system-wide changes.
With its advanced tooling, IBM z/OS Change Tracker can compare local and remote software deployments across z/OS environments, while critical system software and mission-critical application software can be monitored automatically in real-time. Automation extends to member-level backup of protected resources, and allows panel-driven recovery to resolve an undesired change.
IBM z/OS Change Tracker provides robust capabilities to audit and check software integrity, protect critical libraries, and track changes to the members in these libraries through audit trails and fingerprinting key data sets in the environment.
You can use IBM z/OS Change Tracker for data protection, data recovery, and audit support.
IBM z/OS Change Tracker can be used for data protection and data recovery at the member level, audit support, and snapshot comparisons. System programmers can monitor and take automatic backups of critical configuration data sets at the member-level, while compliance evidence providers can use IBM z/OS Change Tracker to see who has changed critical configuration data sets for z/OS, including how it was changed and when.
Data Protection: IBM z/OS Change Tracker provides monitoring and protection of critical libraries. Locked members cannot be changed without permission granted by the Administrator.
Data Recovery: Automatic backups are generated whenever a monitored member is changed, and an optional email notification can be provided. Members in monitored data sets can be restored to previous versions.
Audit Support: Out-of-the-box audit reports of monitored data sets indicate the event type (add, update, delete, rename, zap), who made the change, and when.
It is critical for systems managers to be in charge of the system-wide changes in their z/OS environment. IBM z/OS Change Tracker provides them with comprehensive tools to keep track of critical library changes in real-time, and large software environments across systems and over time.
IBM z/OS Change Tracker will replace manual procedures for auditing and investigating systems changes. In case of an outage, you will review the information collected by IBM z/OS Change Tracker to determine the cause of the system failure and recover from an unplanned or undesired change. Member-level backups generated by IBM z/OS Change Tracker when the change had been made will be available.
Any existing tools will stay in place. IBM z/OS Change Tracker operates behind the scenes to monitor and control changes in your critical libraries.
IBM z/OS Change Tracker grants different levels of access and involvement depending on user role: administrator, user, or auditor.
Administrators are able to define libraries to be monitored and protected, and can grant individuals access to update locked members. Users can view and compare backups.
Users can verify that software on multiple local or remote systems is identical. If IBM z/OS Change Tracker finds any differences, it identifies which members in the libraries have different contents.
Auditors are participants who are able to receive and view outputs generated by IBM z/OS Change Tracker.
There are certain best practices in place to execute the change management process in the correct way.
- Administrator defines critical libraries to be locked and automatically back up
- User submits a request (outside IBM z/OS Change Tracker ) to the administrator for update access to a member in a critical library
- After review, the administrator grants the user update access to that member
- User makes the change
- The administrator revokes their access to the member
IBM z/OS Change Tracker requires z/OS version 2.5 or later to run. It is shipped with z/OS 2.5 and above and is enabled as Monthly License Charge (MLC) content.
Once you are entitled to use this priced feature, you can verify that it has been enabled in IFAPRDxx.
IBM z/OS Change Tracker is deployed and configured using z/OSMF workflows and via a z/OSMF plugin. Instructions and information for plugin installation are available in the z/OSMF Configuration Guide.
IBM z/OS Change Tracker comes preinstalled with z/OS V2.5 or later. It is a priced feature of z/OS that must be enabled before it can be configured and used. IBM z/OS Change Tracker consists of two SMP/E FMIDs - HCYG100 (base and English), and JCYG10 (Japanese).
Alternatively, to install the IBM z/OS Change Tracker FMID(s) as a custom build option, order a CBPDO of z/OS V2.5 along with the IBM z/OS Change Tracker feature on Shopz for that order. When your CBPDO for z/OS V2.5 arrives, then only install the z/OS Change Tracker FMID(s) following the instructions in the z/OS V2.5 Program Directory.
If you wish to entitle IBM z/OS Change Tracker after its GA, you can order it via Shopz with your z/OS V2.5 or later deliverable, or entitle it afterwards as outlined in Using dynamic enablement, in z/OS Planning for Installation.
The z/OSMF plugin properties file installed by SMPE can be tailored as needed for your environment. Then, using the import manager task, the tailored plugin should be defined to z/OSMF. Ensure z/OS Change Tracker is authorized to the TSO environment. Plugin users such as the Change Tracker Administrator then need to be defined to the SAF profile.
For full the details of installing the Change Tracker plugin, refer to the z/OSMF Workflow: /usr/lpp/cyg/zosmf/workflows/cygwflw.xml
Decide who will be the IBM z/OS Change Tracker administrators, users, and auditors in your enterprise.
The Security Administrator will need to create the RACF FACILITY class profiles and grant READ access to the appropriate people. Doing so ensures that the appropriate level of security is assigned to the correct group of users.
To set up roles and determine their access:
- Create two RACF FACILITY class profiles: CYG.ADMIN and CYG.AUDIT
- READ access to CYG.ADMIN grants the user Admin level access in IBM z/OS Change Tracker. The user who will be assigned the started task job will need this.
- READ access to CYG.AUDIT grants the user access to the Audit feature in the product
Note: All of the above can be met by a single user
There are RACF settings required for various roles: FACILITY class profiles: CYG.ADMIN and CYG.AUDIT
IBM z/OS Change Tracker provides a workflow that performs the configuration of the product and the definition of the correct datasets. This workflow also contains details on installing the z/OS Change Tracker z/OSMF plugin.
After the installation of IBM z/OS Change Tracker, run the z/OSMF Configuration Workflow which can be found here: /usr/lpp/cyg/zosmf/workflows/cygwflw.xml
Use z/OSMF Security Configuration Assistant to view and verify the IBM z/OS Change Tracker security definitions.
IBM z/OS Change Tracker uses the z/OSMF Security Configuration Assistant to verify that the correct users in groups can have access to the resources they need.
The Administrator needs to define data sets to be monitored. All modifications to the members of these data sets are then automatically tracked.
The audit feature can be filtered based on event type, date and time range, member name or data set name.
Developers can fingerprint anything from a single file to an entire disc volume.
When analyzing a large collection of data sets, each member is fingerprinted. IBM z/OS Change Tracker then allows you to compare fingerprints of the entire collection of data sets, providing information on what, how, when and by whom modifications have been made – at both data set and member level.
Q: What is IBM z/OS® Change Tracker, and why should I use it?
A: IBM z/OS Change Tracker is a System Software Change Control and Management solution for the z/OS platform. System programmers can identify, track, and recover hundreds of configuration files in real-time using IBM z/OS Change Tracker. Mission-critical system and application software configuration data can be monitored automatically in real-time for z/OS environments. At a glance, IBM z/OS Change Tracker offers:
- Unprecedented control: Track and control real-time system-wide software configuration changes.
- Enhanced recovery processes: Automatic versioning of identified system control data sets.
- Rollback Capabilities: Rollback capabilities to undo unplanned/unsuccessful promotions.
- Next-level monitoring: Data set recovery and reporting of real-time configuration data changes.
Q: Why is IBM z/OS Change Tracker only available on z/OS V2.5 or later? What about z/OS V2.4?
A: IBM z/OS Change Tracker is only available on z/OS V2.5 or later due to functional dependencies which are only satisfied with that release. Those functional dependencies were not provided in z/OS releases prior to z/OS V2.5, meaning that IBM z/OS Change Tracker is available for V2.5 and above.
Q: Where can I find out about latest PTFs delivered for IBM z/OS Change Tracker?
A: This web page contains the details for the PTFs which have been delivered for IBM z/OS Change Tracker. It included both defect corrective PTFs, as well as new function Continuous Delivery PTFs.
Q: Can I try out IBM z/OS Change Tracker without buying it ahead of time?
A: Yes. With the PTF for APAR PH51954, you can try out IBM z/OS Change Tracker for 90 consecutive days at no charge, but it is subject to the normal hardware and software consumption on z/OS. For enabling the trial, you would use IFAPRDxx, according to the dynamic enablement conditions found in the z/OS Planning for Installation book. The entry for the IBM z/OS Change Tracker trial in IFAPRDxx is FEATURENAME('CHNGTRKR_TRIAL90').
Q: What added value can the priced feature IBM z/OS Change Tracker bring to my system?
A: Although you may have existing functions (or indeed, other vendor products which you pay for today) which supply similar capabilities, we feel that IBM z/OS Change Tracker is superior at providing additional capabilities that z/OS Systems Programmers need for robust and real-time systems management.
For instance, you might have the existing ability to determine who has modified a certain data set or have basic security protection for an entire data set, but IBM z/OS Change Tracker can extend further into that capability and allow an administrator to allow specific check in and check out permission such that modifications can be only performed at certain times. Further, an enterprise can determine that any modifications require an explanation provided for the modification which is saved with the change, and then be notified of changes that occurred. These easily performed functions, along with others, make IBM z/OS Change Tracker more valuable to the z/OS Systems Programmer.
Q: Do system programmers require extensive knowledge of z/OS to be able to utilize IBM z/OS Change Tracker?
A: No, IBM z/OS Change Tracker helps to replace manual procedures for auditing and investigating systems changes. using concepts that are easy to understand and follow. For instance, you could review the information collected by IBM z/OS Change Tracker to determine what system configuration changes have occurred during the course of a system failure investigation Then, be able to do recovery from an unplanned or undesired change quickly. Member-level backups generated by IBM z/OS Change Tracker when the change has been made are available. This allows z/OS Systems Programmers and system auditors to easily pinpoint what, who, and how changes were made.
Q: How do I install IBM z/OS Change Tracker?
A: IBM z/OS Change Tracker was made generally available on May 13, 2022 and is now included in the z/OS V2.5 and later ServerPacs. (You can easily check your z/OS V2.5 ServerPac to see if z/OS Change Tracker has been installed by seeing if SMP/E FMID HCYG100 is installed.)
If you choose to order z/OS Change Tracker through a CBPDO, the easiest method is to order a z/OS V2.5 CBPDO, indicating on Shopz that you wish to be entitled to IBM z/OS Change Tracker. You will be delivered the entire z/OS V2.5 product, along with IBM z/OS Change Tracker. Don't worry, you don't need to install all of z/OS V2.5! The IBM z/OS Change Tracker is a very simple install of SMP/E FMIDs (HCYG100 base, and JCYG10J for Japanese), using the supplied z/OS V2.5 Program Directory. IBM z/OS Change Tracker installs into its own data sets and sample jobs are supplied.
z/OS Change Tracker is now part of
Q: How do I configure IBM z/OS Change Tracker?
A: IBM z/OS Change Tracker, like many other functions, is configured with a z/OSMF Workflow. You can find the supplied Workflow in path-prefix/usr/lpp/cyg/zosmf/workflow/cygwflw.xml after you have completed your installation.
The z/OSMF Workflow also includes the steps to set up the z/OSMF plug-in for IBM z/OS Change Tracker.
Q: Now that I have IBM z/OS Change Tracker configured and up and running, how do I start tracking my data sets?
A: Once you have the IBM z/OS Change Tracker started task up and running and your IBM z/OS Change Tracker administrators and users defined, you can start identifying the resources you wish to track and the desired characteristics of them. A good place to start is the 'Administration' section of the Guide and Reference found here:https://www.ibm.com/docs/en/zos/2.5.0?topic=ispf-administration
Q: I see in the Guide and Reference that IBM z/OS Change Tracker has an ISPF panel interface with batch jobs that can be run. Don't you have a z/OSMF interface?
A: Both options are now available! IBM z/OS Change Tracker does have an ISPF interface and batch jobs that can be run, however we encourage clients to utilize the new z/OSMF Change Tracker plugin for an even better user experience. The z/OSMF plugin is designed to offer a modern graphical user interface that will enable a more robust and simpler user experience with IBM z/OS Change Tracker. By using recognizable icons and intuitive compare methods, customization and reporting from IBM z/OS Change Tracker can be used to identify resources to manage, check in and check out data sets and members, and is designed to be quickly understandable and lessen time to productive use. Additional functions for the IBM z/OS Change Tracker in z/OSMF are expected to be added over time.
Q: I see there are lots of functions in IBM z/OS Change Tracker which help the z/OS Systems Programmer, but there are other helpful functions out there. How does IBM z/OS Change Tracker fit with those other solutions?
A: There certainly are a lot of z/OS functions and IBM products available to help z/OS Systems Programmers perform their job! And you probably have some homegrown tools as well. IBM z/OS Change Tracker is not intended to replace any of those, but rather complement and augment them by providing additional capabilities that are needed to help track configuration data sets to keep your systems running with the configuration that you intend.
For instance, specific component knowledge has been encoded into IBM Health Checks to help advise on preferred configurations or an upcoming upgrade action that you will encounter. IBM z/OS Change Tracker does not interfere with component verification during its tracking of your configuration files, managing backups, and controlling who can and cannot access resources at a certain time. If you change your configuration based on the advice of an IBM Health Check, IBM z/OS Change Tracker can take a backup of that change automatically, identify who/how/when the change was done, and even require a reason for doing that permitted change (so the user can indicate it was a specific IBM Health Check perhaps). This scenario shows that IBM z/OS Change Tracker does not conflict with, but rather can nicely augment a change that was indicated by an IBM Health Check.
Q: Are load libraries supported? What kinds of data set can I track?
You can monitor a load library if you desire. Today, IBM z/OS Change Tracker can monitor and protect PDS, and PDSE data sets. In addition, sequential, and entire VSAM data sets (including entire
Q: How does the IBM z/OS Change Tracker differ from the z/OS Generic Tracking Facility?
A: The z/OS Generic Tracking Facility is intended to surface desired information when programs are run and an event is detected which is important to note. The Generic Tracker captured events you might be familiar with, such as the use of one-byte console IDs, specific JES statements, or DFSMS™ EAV information. The Generic Tracker provides a callable service which applications or products can exploit to surface this information.
IBM z/OS Change Tracker is intended to help the z/OS systems programmer manage system configuration data sets easier.
Q: What is the difference between Fingerprint/Tokenization/Snapshot?
A: We understand the confusion over these terms and are trying to consolidate them to make it easier to follow:
- The term “snapshot” is the preferred word for the concept of capturing an instance of data at a point in time. IBM z/OS Change Tracker intends to use this term consistently as future functions are delivered.
- The terms “tokenization” and “token” are today used heavily within the ISPF panels and batch JCL for IBM z/OS Change Tracker. This relates to the internal implementation that IBM z/OS Change Tracker uses to capture the instance of data that a user has requested. Although the internal implementation of tokenization is planned to continue in IBM z/OS Change Tracker with future planned functions, you probably will see that term used less frequently in interfaces.
- The term “fingerprint” is planned to be used by IBM z/OS Change Tracker in the z/OSMF interface, rather than the term “tokenization”. “Tokenization” and “fingerprint” are the same, but within an intended z/OSMF interface, “fingerprint” is preferred.
Q: Is the “snapshot” comparable to other solutions using checksums?
A: IBM z/OS Change Tracker uses its own unique method for taking snapshots and has its own internal implementation to capture an instance of data. The method it uses is not disclosed.
Q: Are there prerequisites for running IBM z/OS Change Tracker?
The only prerequisite is z/OS V2.5 or later, and two V2.5 PTFs which are indicated during the installation. Since IBM z/OS Change Tracker is a priced feature, then entitlement of the feature is also required which allows the feature to be enabled in your IFAPRDxx
Q: Is DFSMShsm™ a requirement? If not, what utilities are used for backup?
IBM z/OS Change Tracker has no functional dependency on
Q: What additional security benefit is there compared to what I have with RACF® , Top Secret, or ACF2?
A: Typically, a security product will control access to a complete data set and the members contained in that data set. IBM z/OS Change Tracker has configuration options that allow a more granular approach to monitoring and controlling access to these members. If a data set is “locked” by the IBM z/OS Change Tracker Administrator, members must first be checked out to a user or group before they can make any updates even if they have authority to write to the data set. Any attempts to update a member before being checked out will result in the update failing and can be tracked in the IBM z/OS Change Tracker activity reports.
In addition, the administrator can enforce use of comments to document the reason for the change to that member, as well as taking a backup of the member once it has been changed. This allows a review of both the previous and updated versions of the member, as well as the ability to easily restore to a previous version from the IBM z/OS Change Tracker ISPF panels.
Q: How does IBM z/OS Change Tracker work with my external security manager (like RACF)? Does it replace it?
A: Your external security manager still controls the access to the data set underneath IBM z/OS Change Tracker. In other words, you can't “bypass” any RACF permissions, as IBM z/OS Change Tracker just has additional granular control on top of your security product.
Q: What are the corresponding RACF profiles / classes?
A: There are new resource profiles needed for IBM z/OS Change Tracker, and these profiles can be viewed and validated using the z/OSMF Security Configuration Assistant. Use the z/OSMF configuration workflow for IBM z/OS Change Tracker to set them up. IBM z/OS Change Tracker grants different levels of access and involvement depending on user role: administrator, user, or auditor.
- Administrators are able to define libraries to be monitored and protected, and can grant individuals access to update locked members.
- Users can verify that software on multiple local or remote systems is identical. Users can view and compare backups. If IBM z/OS Change Tracker finds any differences, it identifies which members in the libraries have different contents.
- Auditors are participants who are able to receive and view outputs generated by IBM z/OS Change Tracker.
Learn more about what IBM z/OS Change Tracker has to offer and how it works.
IBM z/OS Change Tracker Guide and Reference is available in IBM Documentation.
Access the PDF version of the FAQ available on this page.
This self-directed lab will walk you through the different functions that can be utilized with the z/OSMF Plug-in.
Learn about the functions available with the newly released z/OS Change Tracker z/OSMF interface.
Added interactive FAQ section and FAQ PDF under Technical Resources.
On the Set up tab of How to get started, the link to Planning for Installation now goes to appropriate topic in IBM Documentation.
Added new z/OSMF plug-in demo video.