Skip to content
CA NetMaster® Shared Content Library - 12.2
Documentation powered by DocOps

Prepare IBM Communications Server (TCP/IP and FTM Only)

Last update April 22, 2019

Perform these tasks to prepare IBM Communications Server to communicate with CA NetMaster NM for TCP/IP and CA NetMaster FTM.

Most tasks apply to CA NetMaster NM for TCP/IP only, but a few tasks apply to CA NetMaster FTM only or to both products. See each section for details.

Note: Tasks that use SERVAUTH assume that it has been previously RACLISTed and activated.


Review Your SOLVE SSI Configuration (CA NetMaster NM for TCP/IP Only)

This task applies to CA NetMaster NM for TCP/IP only.

The SOLVE SSI provides SMF events including Telnet, IP Connection, and FTP transfers events to the product region.

Review the dsnpref.NMC2.SSIPARM (SSISYSIN) member, and ensure the following parameter settings:

  • SMF=YES -- To process SMF records

Verify that SMF Records Are Being Created and Processed (CA NetMaster NM for TCP/IP Only)

This task applies to CA NetMaster NM for TCP/IP only.

Verify that the Communications Server is set up to generate the SMF type 119 records for the following events:

  • Telnet events
  • Connection events
  • FTP events

SOLVE SSI intercepts the SMF records, and the product region uses the records to enable the following functions:

  • Application name generation
  • Event history reporting
  • Telnet connection identification

Also verify that the z/OS operating system is set up to enable Communications Server SMF record types to be processed.

Create SMF Records

The configuration members for Communications Server specify the SMF records:

  • Specify the SMF records that are created.
  • Identify the SMF subtypes.
Note: SOLVE SSI intercepts only SMF record type 119.

Follow these steps:

  1. Check the PROFILE.TCPIP configuration member for TCP connect, FTP client, and Telnet client record creation.
    The SMFCONFIG statement specifies whether the following SMF records are created:
    • TCP connection start
    • TCP connection end
    • FTP and Telnet client records

    Example:

    ...

    SMFCONFIG TYPE119 TCPINIT TCPTERM FTPCLIENT TN3270CLIENT

    ...

    If you omit the SMFCONFIG statement or a particular parameter, an SMF record is not created.

  2. Check the PROFILE.TCPIP configuration member TELNETPARMS section for Telnet server record creation for the following lines:

    TELNETPARMS

    ...

    ;  Telnet Server connection SMF logging

    SMFINIT TYPE119

    SMFTERM TYPE119

    ENDTELNETPARMS

    ;

    The SMFINIT statement controls session start and the SMFTERM statement controls session end records.

  3. Check the FTP.DATA configuration member for the following line:

    SMF    TYPE119

    Use standard record subtypes. Ensure that you set the SMF parameters for FTP to the same type as you set for Telnet, that is, SMF type 119.
    You can use the SMF statement to set the default value for all types.
    If you omit these parameters, an SMF record is not created.

  4. If the member has changed in Step 3, restart the FTP server started task.
  5. If the member has changed in steps 1 or 2, restart the TCP/IP started task.
Note: Alternatively, you can issue these changes in an OBEYFILE.

Set Up Collection of zERT Data (CA NetMaster NM for TCP/IP Only)

This task applies to CA NetMaster NM for TCP/IP only.

(Optional) To set up CA NetMaster NM for TCP/IP to collect zERT data, meet the following prerequisites. For details about meeting them, see your IBM documentation.

  • Run z/OS Release 2.3.
  • Enable the following zERT-related parameters in the IBM STACK PROFILE dataset:
    • GLOBALCONFIG parm ZERT

    • SMFCONFIG TYPE119 parm ZERTDETAIL

    • NETMONITOR parm ZERTSERVICE

Set Up UNIX Authorization for Started Task User IDs (Both Products)

These tasks apply to both CA NetMaster NM for TCP/IP and CA NetMaster FTM.

The started task user IDs require UNIX System Services authorization in an OMVS segment security definition, for the following regions:

    • The product region, which requires access to the sockets interfaces 
    • The SOLVE SSI region of the Packet Analyzer 

To provide this authorization, follow these steps:

  1.  Define the UNIX System Service (USS) authorization for the following user IDs:
    • The started task user ID of the product region
    • The started task user ID of SOLVE SSI
  2. Add CC2DLINK to the LINKLIST. for details, see Prepare to Start Your Product.
  3. Verify that the SEC= parameter in the NMDRVCTL DD RUNSYSIN member is set to any value except NO, for example, NMSAF.

Authorize Product Region Command Access (Both Products)

This task applies to both CA NetMaster NM for TCP/IP and CA NetMaster NM for TCP/IP.

Note: For CA ACF2, perform this task only if it is set up to protect operator commands.

Your product uses z/OS operator VARY TCPIP commands to perform some functions, for example:

  • Packet tracing
  • Device activations and deactivations
  • Dropping connections
  • Verifying Telnet LU status

Your security system must authorize the user ID associated with your product region to issue these commands. The following OPERCMDS resources require UPDATE access level:

  • MVS.VARY.TCPIP.PKTTRACE
  • MVS.VARY.TCPIP.OBEYFILE
  • MVS.VARY.TCPIP.DROP
  • MVS.VARY.TCPIP.TELNET.ACT
  • MVS.VARY.TCPIP.TELNET.INACT

Authorize individual users to the OPERCMDS resources in the following circumstances:

  • You plan to configure your system to use SAF user security.
  • You are using a partial security exit that returns a SAF UTOKEN (for example, NMSAFPX).

Sample Authorization in a CA ACF2 System that Protects Operator Commands

This example authorizes a CA ACF2 UID for the operator VARY TCPIP commands:

$KEY(MVS) TYPE(OPR)

VARY.TCPIP.- UID(uid_string) SERVICE(UPDATE) ALLOW

Sample Authorization in a CA Top Secret System

This example authorizes a CA Top Secret accessor ID (ACID) for the operator VARY TCPIP commands:

TSS PER(acid) OPERCMD(MVS.VARY.) ACCESS(UPDATE)

Sample Authorization in a RACF System

This example authorizes a RACF user ID for the operator VERY TCPIP commands:

PERMIT MVS.VARY.TCPIP.* CLASS(OPERCMDS) ID(uuuuuuu) ACCESS(UPDATE)

Authorize SOLVE SSI Command Access (CA NetMaster NM for TCP/IP Only)

This task applies to CA NetMaster NM for TCP/IP only.

Note: For CA ACF2, perform this task only if it is set up to protect operator commands.

The Packet Analyzer issues VARY TCPIP commands. Your security system must authorize the user ID associated with your SOLVE SSI region to issue these commands. The OPERCMDS resources to be accessed, and required access levels are as follows:

  • MVS.VARY.TCPIP: UPDATE access
  • MVS.VARY.TCPIP.PKTTRACE: CONTROL access

Sample Authorization in a CA ACF2 System that Protects Operator Commands

This example authorizes a CA ACF2 UID for the operator VARY TCPIP commands:

$KEY(MVS) TYPE(OPR)

VARY.TCPIP.- UID(uid_string) SERVICE(UPDATE) ALLOW

VARY.TCPIP.PKTTRACE UID(uid_string) SERVICE(DELETE) ALLOW

Sample Authorization in a CA Top Secret System

This example authorizes a CA Top Secret accessor ID (ACID) for the operator VARY TCPIP commands:

TSS PER(acid) OPERCMD(MVS.VARY.) ACCESS(ALL)

Sample Authorization in a RACF System

This example authorizes a RACF user ID for the operator VERY TCPIP commands:

PERMIT MVS.VARY.TCPIP.* CLASS(OPERCMDS) ID(uuuuuuu) ACCESS(UPDATE)

PERMIT MVS.VARY.TCPIP.PKTTRACE CLASS(OPERCMDS) ID(uuuuuuu) ACCESS(CONTROL)

SNA Network Management Interface Setup (CA NetMaster NM for TCP/IP Only)

This task applies to CA NetMaster NM for TCP/IP only.

The SNA Network Management Interface (SNANMI) of the product requires the VTAM SNAMGMT server to be enabled.

To enable the VTAM SNAMGMT server, specify SNAMGMT=YES in a VTAM start option list, VTAMLST member ATCSTRxx.

To enable the SNAMGMT server dynamically, enter the command:

F NET,VTAMOPTS,SNAMGMT=YES

The SNA Network Management Interface has the following security requirements:

  • The user ID assigned to the VTAM address space must have an OMVS segment and have write access to the /var directory.
  • If you use a SERVAUTH class resource to control access to the VTAM SNAMGMT server, grant the SOLVE SSI user ID access to the resource. The resource name is IST.NETMGMT.sysname.SNAMGMT, where sysname is the system name where the interface is used.

The presence of messages NSN58n in the SOLVE SSI log indicates access problems to /var and IST.NETMGMT.sysname.SNAMGMT.

Examples: Setting IST.NETMGMT.sysname.SNAMGMT security

This example sets the security requirements in a CA ACF2 system:

SET RESOURCE(SER)

COMPILE

$KEY(IST) TYPE(SER)

  NETMGMT.sysname.SNAMGMT UID(uid) SERVICE(READ) ALLOW

STORE

  • SER
    Is the value set in the CLASMAP definition in the GSO for SERVAUTH resources.
  • uid
    Specifies the UID of the region user.

This example sets the security requirements in a CA Top Secret system:

TSS PER(userid) SERVAUTH(IST.NETMGMT.sysname.SNAMGMT) ACCESS(READ)

  • userid
    Specifies the ACID of the region user.

This example sets the security requirements in a RACF system:

PER IST.NETMGMT.sysname.SNAMGMT CLASS(SERVAUTH) ID(userid) ACCESS(READ)

  • userid
    Specifies the user ID of the region.

IPSec Network Management Interface Setup (CA NetMaster NM for TCP/IP Only)

This task applies to CA NetMaster NM for TCP/IP only.

If you use IPSec, you can use the IPSec Network Management Interface (IPSECNMI) of the product to monitor it. The interface requires the IKED daemon to be active.

The IPSec Network Management Interface has the following security requirements:

  • The user ID assigned to the SOLVE SSI address space must have the following requirements:
    • An OMVS segment defined
    • Access to the /var/sock directory
    • Write access to the /var/sock/ipsecmgmt socket
  • If you use a SERVAUTH class resource to control access to the interface, grant the SOLVE SSI user ID access to the resources:

    EZB.NETMGMT.sysname.tcpipname.IPSEC.DISPLAY

    EZB.NETMGMT.sysname.tcpipname.IPSEC.CONTROL

    EZB.NETMGMT.sysname.sysname.IKED.DISPLAY

    • sysname
      Specifies the system name where the interface is used.
    • tcpipname
      Specifies the name of the TCP/IP stack.
  • If you do not use a SERVAUTH class resource to control access, the SOLVE SSI user ID must have one of the following authorities:
    • An OMVS superuser
    • Permitted to access to the FACILITY class SAF resource BPX.SUPERUSER

The presence of messages NIS58n in the SOLVE SSI log indicates access problems to /var and EZB.NETMGMT.**.

Examples: Setting EZB.NETMGMT.sysname.tcpipname.IPSEC.DISPLAY security

This example sets the security requirements in a CA ACF2 system:

SET RESOURCE(SER)

COMPILE

$KEY(EZB) TYPE(SER)

  NETMGMT.sysname.tcpipname.IPSEC.DISPLAY UID(uid) SERVICE(READ) ALLOW

STORE

  • SER
    Is the value set in the CLASMAP definition in the GSO for SERVAUTH resources.
  • uid
    Specifies the UID of the region user.

This example sets the security requirements in a CA Top Secret system:

TSS PER(userid) SERVAUTH(EZB.NETMGMT.sysname.tcpipname.IPSEC.DISPLAY) ACCESS(READ)

  • userid
    Specifies the ACID of the region user.

This example sets the security requirements in a RACF system:

PER EZB.NETMGMT.sysname.tcpipname.IPSEC.DISPLAY CLASS(SERVAUTH) ID(userid) ACCESS(READ)

  • userid
    Specifies the user ID of the region.

Trace Network Management Interface (CA NetMaster NM for TCP/IP Only)

This task applies to CA NetMaster NM for TCP/IP only.

The IBM real-time application-controlled TCP/IP trace Network Management Interface (NMI) provides real-time TCP/IP stack data to network management applications based on filters set by an application trace instance. 

The Trace NMI has the following security requirements:

  • Define new System Authorization Facility (SAF) profiles in the SERVAUTH class.
  • Authorize the user ID assigned to the SOLVE SSI address space to the profiles.
  • Grant the SOLVE SSI user ID READ access to the resources:

    EZB.TRCCTL.sysname.tcpipname.OPEN

    EZB.TRCCTL.sysname.tcpipname.PKTTRACE

    EZB.TRCSEC.sysname.tcpipname.IPSEC

    • sysname
      Specifies the system name where the interface is used.
    • tcpipname
      Specifies the name of the TCP/IP stack.

The presence of NFSU8n messages in the SOLVE SSI log indicates access problems to EZB.TRCCTL.** and EZB.TRCSEC.**.

Examples: Setting EZB.TRCCTL.sysname.tcpipname.OPEN security

This example sets the security requirements in a CA ACF2 system:

SET RESOURCE(SER)

COMPILE

$KEY(EZB) TYPE(SER)

  TRCCTL.sysname.tcpipname.OPEN UID(uid) SERVICE(READ) ALLOW

STORE

  • SER
    Is the value set in the CLASMAP definition in the GSO for SERVAUTH resources.
  • uid
    Specifies the UID of the region user.

This example sets the security requirements in a CA Top Secret system:

TSS PER(userid) SERVAUTH(EZB.TRCCTL.sysname.tcpipname.OPEN) ACCESS(READ)

  • userid
    Specifies the ACID of the region user.

This example sets the security requirements in a RACF system:

PER EZB.TRCCTL.sysname.tcpipname.OPEN CLASS(SERVAUTH) ID(userid) ACCESS(READ)

  • userid
    Specifies the user ID of the region.

Note: For more information on using IBM Trace NMI to collect packets, see the PATRACENMI parameter in Packet Analyzer and Solve SSI.

Authorize Users to View Packet Payload Data (SmartTrace Data) (CA NetMaster NM for TCP/IP Only)

This task applies to CA NetMaster NM for TCP/IP only.

Because the IP packets can contain sensitive information, your external security system (CA ACF2, CA Top Secret, or RACF) must grant authority to view the payload data. The user must have READ access to NETMSTR.PKTTRACE.region, where region is the region ACB name, as specified in the PRI= parameter in the RUNSYSIN member.

Grant Access to SmartTrace Data Using CA ACF2

To set up definitions to allow access to SmartTrace in your region with ACB NMTEST, issue the following commands:

[ACF]

SET RESOURCE(FAC)

COMPILE *

$KEY(NETMSTR.PKTTRACE.*) TYPE(FAC)

To permit user USER1 to access SmartTrace data, issue the following command:

$KEY(NETMSTR.PKTTRACE.NMTEST) TYPE(FAC) USER1(USER1) READ(ALLOW)

STORE

[END]

Grant Access to SmartTrace Data Using CA Top Secret

To set up definitions to allow access to SmartTrace in your region with ACB NMTEST, issue the following commands:

TSS ADD(dept) IBMFAC(NETMSTR)

TSS PERMIT(USER1) IBMFAC(NETMSTR.PKTTRACE.*) ACCESS(NONE)

To permit user USER1 to access SmartTrace data, issue the following command:

TSS PERMIT(USER1) IBMFAC(NETMSTR.PKTTRACE.NMTEST) ACCESS(CONTROL)

Grant Access to SmartTrace Data Using RACF

To set up definitions to allow access to SmartTrace in your region with ACB NMTEST, issue the following commands:

RDEFINE FACILITY NETMSTR.PKTTRACE.* UACC(NONE)

RDEFINE FACILITY NETMSTR.PKTTRACE.NMTEST UACC(NONE)

SETROPTS RACLIST(FACILITY) REFRESH

To permit user USER1 to access SmartTrace data, issue the following command:

PERMIT NETMSTR.PKTTRACE.NMTEST CLASS(FACILITY) ID(USER1) ACCESS(READ)

User Authorization for IP Security Functions (CA NetMaster NM for TCP/IP Only)

This task applies to CA NetMaster NM for TCP/IP only.

If you use IPSec, your security system must authorize the individual users for read access to the SERVAUTH resource:

  • To view data about IP security:

    EZB.IPSECCMD.sysname.stackname.DISPLAY

  • To perform a control function against a tunnel:

    EZB.IPSECCMD.sysname.stackname.CONTROL

Examples: Authorizing IP security displays and commands

This example authorizes IP security on a CA ACF2 system:

$KEY(MVS) TYPE(OPR) EZB.IPSECCMD.sysname.stackname- UID(uid_string) SERVICE(READ) ALLOW

This example authorizes IP security on a CA Top Secret System:

TSS PER(acid) OPERCMD(EZB.IPSECCMD.sysname.stackname) ACCESS(READ)

This example authorizes IP security on a RACF System:

PE EZB.IPSECCMD.sysname.stackname CLASS(SERVAUTH) ID(uuuuuuu) ACCESS(READ)

OSAENTA Setup (CA NetMaster NM for TCP/IP Only) 

This task applies to CA NetMaster NM for TCP/IP only.

To trace and view Open System Adapter (OSA) Ethernet level frames via the OSA-Express network traffic analyzer (OSAENTA) function, the following prerequisites need to be met:

  • The TCPIP stack PROFILE specification ‘NETMONITOR NTATRCSERVICE’ needs to be set. This will display as ‘NtaSrv:  YES’ in a NETSTAT CONFIG display.
  • The user ID assigned to the NETMASTER SSI (NMSSI)
    • must have READ access to the SERVAUTH class resource named ‘EZB.NETMGMT.sysname.tcpname.SYSTCPOT’ if a profile for the resource is defined; or
  • must be a superuser if a profile for the resource is not defined.

In a multilevel secure environment, a profile for the resource must be defined.

Examples for Setting EZB.NETMGMT.sysname.tcpipname.SYSTCPOT security

This example sets the security requirements in a CA ACF2 system:

SET RESOURCE(SER)

COMPILE

$KEY(EZB) TYPE(SER)

  NETMGMT.sysname.tcpipname.SYSTCPOT UID(uid) SERVICE(READ) ALLOW

STORE

  • SER
    This is the value set in the CLASMAP definition in the GSO for SERVAUTH resources.
  • uid
    Specifies the UID of the region user.

This example sets the security requirements in a CA Top Secret system:

TSS PER(userid) SERVAUTH(EZB.NETMGMT.sysname.tcpipname.SYSTCPOT) ACCESS(READ)

  • userid
    Specifies the ACID of the region user.

This example sets the security requirements in a RACF system:

PER EZB.NETMGMT.sysname.tcpipname.SYSTCPOT CLASS(SERVAUTH) ID(userid) ACCESS(READ)

  • userid
    Specifies the user ID of the region user.

Generate SMF Records for FTP Event Flow (CA NetMaster FTM Only)

This task applies to CA NetMaster FTM only.

Note: Perform this task only if you want to monitor FTP events.

The Communications Server must be set up to generate the SMF records required for FTP events. The SMF records are intercepted by the NMFTP Monitor region and are used by the product region to enable the following:

  • File Transfer events monitoring
  • Event history reporting

Follow these steps:

  1. Add the following line to the PROFILE.TCPIP configuration member to enable the SMF API:

    NETMONITOR SMFSERVICE
    
  2. Restart the TCP/IP started task.
Note: Alternatively, you can issue this change in an OBEYFILE.

Generate FTP Post-Processing Transfer Failures Event Flow

Note: Perform this task only if you want to monitor FTP events.

You can use this procedure to monitor all FTP failures.

To generate transfer failures without existing user exit, complete the following steps:

  1. Receive and apply the dsnpref.NMC2.CC2DSAMP(FTPOSTPR) SMP/E USERMOD.
    The FTPOSTPR exit is created.
  2. Do one of the following:
    • APF-authorize the dsnpref.NMC2.CC2DPLD library, and include it as a STEPLIB for your FTP server started task (typically named FTPD).
    • Copy FTPOSTPR from the dsnpref.NMC2.CC2DPLD library into an existing APF-authorized library that also is included as a STEPLIB to your FTP server job.
    • Copy to a link library known to the linklist.
  3. If you are using RACF and program control is active, use the following commands to add FTPOSTPR to program control:

    RDEFINE PROGRAM FTPOSTPR ADDMEM('library'//NOPADCHK) UACC(READ) 
    SETROPTS WHEN(PROGRAM) REFRESH
    
    • library
      Identifies the library that contains FTPOSTPR.

To generate transfer failures with existing user exit, complete the following steps:

  1. Modify your existing FTP post-transfer processing user exit (FTPOSTPR) by inserting the following code fragment immediately before exiting:

    *------------(NetMaster For File Transfer Management )----------------- 
    *                                                                       
    *        .------------------------------------------------------------. 
    *        | Call the CA NMFT FTP Post-Transfer Processing module       | 
    *        '------------------------------------------------------------' 
             L     R15,=V(NM000FPX)                                         
             O     R15,=X'80000000'                                         
             BASSM R14,R15                  Call NM000FPX                   
             L     R14,=A(NEXT0000+X'80000000')                             
             BSM   0,R14                    Ensure in 31-BIT if required    
             SPACE 2                                                        
    NEXT0000 DS    0H
    

    These lines are added in the module entry section, and register 1 must point to the parameter list passed to FTPOSTPR.

  2. Modify your existing FTP post-transfer processing user exit (FTPOSTPR) link-edit deck by inserting the following:

    //AC2DLOAD DD DISP=SHR,DSN=dsnpref.NMC2.AC2DLOAD
    //SYSLIN   DD    *
       ...
       INCLUDE AC2DLOAD (NM000FPX)
       INCLUDE AC2DLOAD (NM000Y51)
       ORDER             NM000FPX
       ORDER             FPXDATA
       ORDER             NM000Y51
       ENTRY    FTPOSTPR
       MODE     AMODE(31)
       MODE     RMODE(ANY)
       NAME     FTPOSTPR(R)
    
  3. Submit the modified job to assemble and link edit the exit.
  4. Ensure that the user exit load module is in a cataloged data set and placed in an APF authorized library that the FTP server accesses using STEPLIB, linklist, or LPA.
Note: The existing FTP Control Customizer parameter group option Enable FTP Event Receiver, also controls the FTP Post Processing User Exit event delivery.

NMFTP Monitor Access to NMI API SMF Records (CA NetMaster FTM Only)

This task applies to CA NetMaster FTM only.

Note: Perform this task only if you want to monitor FTP events.

You can use one of the following methods to grant the NMFTP Monitor region access to Network Management Interface (NMI) API SMF records:

SERVAUTH

If you want to ensure the highest level of security, define the SERVAUTH profile name EZB.NETMGMT.sysname.tcpname.SYSTCPSM and grant the NMFTP Monitor user ID READ access to this profile name.

Important! 

  • After the SERVAUTH facility has been defined to your security system, TCP/IP resource protection will be enabled. This affects the ability of users to access TCP/IP resources other than SYSTCPSM. For example, it may restrict the ability to open sockets, bind to non-ephemeral ports, use Netstat, and use certain network resources. Before you use this method, see the IBM Communications Server IP Configuration Guide for more information about TCP/IP resource protection.
  • If your security setup does not distinguish between a resource profile not defined and a user not permitted to that resource, you may need to define profiles for resources other than SYSTCPSM whenever the SERVAUTH class is active. See the IBM Communications Server IP Configuration Guide for more information.
Note: We recommend that you use this method.

Example CA ACF2 System

SET RESOURCE(SER)
COMPILE *
$KEY(EZB) TYPE(SER)
NETMGMT.SYSA.TCPIPA.SYSTCPSM UID(USER1) SERVICE(READ) ALLOW
STORE
Note: Instead of using TSO, you can use the ACFBATCH utility in JCL. If you do this, omit the [ACF] and [END] lines.

Example CA Top Secret System

TSS ADD SERVAUTH(EZB.NETMGMT.SYSA.TCPIPA.SYSTCPSM)
TSS PER(nmuser) SERVAUTH(EZB.NETMGMT.SYSA.TCPIPA.SYSTCPSM) 
  ACCESS(READ)

Example RACF System

RDEFINE SERVAUTH EZB.NETMGMT.SYSA.TCPIPA.SYSTCPSM UACC(NONE)
SETR RACLIST(SERVAUTH) REFRESH
PE EZB.NETMGMT.SYSA.TCPIPA.SYSTCPSM CLASS(SERVAUTH) ID(nmuser)
  ACCESS(READ)

BPX.SUPERUSER

If you are less concerned with security, grant the NMFTP Monitor user ID READ access to the BPX.SUPERUSER facility.

Example for CA ACF2

SET RESOURCE(FAC)
COMPILE *
$KEY(BPX) TYPE(FAC)
SUPERUSER UID(USER1) SERVICE(READ) ALLOW
STORE
Note: Instead of using TSO, you can use the ACFBATCH utility in JCL. If you do this, omit the [ACF] and [END] lines.

Example for CA Top Secret

TSS PER(nmuser) IBMFAC(BPX.SUPERUSER) ACCESS(READ)

Example for RACF

PE BPX.SUPERUSER CLASS(FACILITY) ID(nmuser) ACCESS(READ)

Set Up the SNMP Agent (Both Products)

These tasks apply to both CA NetMaster NM for TCP/IP and CA NetMaster FTM.

Note: Do not perform this task if OSNMPD is already configured.

Follow these steps:

  1. Configure the SNMP agent (OSNMPD) by following the instructions in the IBM Communications Server IP Configuration Guide.
  2. Locate the PW.SRC data set in the OSNMPD started task JCL. This data set can be:
    • A z/OS data set, for example:

      //SYSPWSRC DD DISP=SHR,DSN=TCPIP.DATA(PWSRC)

    • A z/OS UNIX file, for example:

      /etc/pw.src

  3. In the PW.SRC data set, configure a community name for use by the local host IP address.

    Important! Community names are case-sensitive. The default community name is public in lowercase.

    As an example with multiple IP addresses, a Communications Server has the IP addresses 192.168.8.1 and 192.168.1.2. Your PW.SRC data set could contain something like the following statement:

    public 192.168.0.0 255.255.0.0

    As an example with a single IP address, a Communications Server has the IP address 192.168.0.1. Your PW.SRC data set could contain something like the following statement:

    public 192.168.0.1 255.255.255.255

    Activation of the SNMP Query Engine (SNMPQE) is not necessary. Your product performs the engine functions internally.

  4. Locate the PROFILE data set.
  5. Set up the TCP/IP subagent in the PROFILE data set by following the instructions in the IBM Communications Server IP Configuration Guide, for example:

    SACONFIG COMMUNITY public AGENT 161 ENABLED

  6. Activate the SNMP agent (OSNMPD) by following the instructions in the IBM Communications Server IP Configuration Guide.
Was this helpful?

Please log in to post comments.