IBM Support

PH03137: ZERT NETWORK ANALYZER SUPPORT

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • NEW FUNCTION - IBM z/OS Encryption Readiness Technology
(zERT) Network Analyzer plug-in for z/OS Management Facility

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:                                              *
* All users of V2R3 IBM z/OS Management                        *
* Facility for HSMA23A: IBM                                    *
* zERT Network Analyzer.                                       *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* NEW FUNCTION - IBM z/OS Encryption                           *
* Readiness Technology (zERT) Network                          *
* Analyzer plug-in for z/OS Management Facility                *
****************************************************************
* RECOMMENDATION:                                              *
* Apply PTF.                                                   *
****************************************************************
To complete the installation of IBM zERT
Network Analyzer, complete the following
steps:

- Enable the IBM zERT Network Analyzer
   plug-in in z/OSMF by adding
   ZERT_ANALYZER to the PLUGINS
   statement.

  Procedure:
  1. Edit the IZUPRMxx parmlib
  member and add the ZERT_ANALYZER
  plug-in identifier to the PLUGINS statement.

  For more information, consult section
  'IZUPRMxx reference information' in
  z/OSMF Configuration Guide

- Authorize the user IDs that will be
  using IBM zERT Network Analyzer.

  Users of the IBM zERT Network Analyzer
  task require access to resources that are
  protected by the profile <SAF-prefix>.
  ZOSMF.ZERT_NETWORK_ANALYZER in
  class ZMFAPLA. You  must perform
  additional steps to create the necessary
  authorizations.

  Procedure:
  1. Edit the IZUNASEC job before you run it.

  2. Add the names of the users that will
  have authorization to access the IBM zERT
  Network Analyzer task.
  **  Connect the users of the zERT Network **
  **  Analyzer to the zERT Network Analyzer **
  **  group                                 **
  CONNECT USER1 GROUP(IZUZNA)
  CONNECT USER2 GROUP(IZUZNA)
  **  End connect the users to zERT Network **
  **  Analyzer group                        **

  3. Save your changes and run the updated
  IZUNASEC job.

  For more information, consult section
  'Updating z/OS for the IBM z/OS Encryption
  Readiness Technology (zERT) Network
  Analyzer plug-in' in z/OSMF Configuration
  Guide

Once the above steps are complete, the IBM
zERT Network Analyzer plug-in will be visible
to the permitted user IDs.  Note, however, that
further setup is required to define the Db2 for
z/OS database and to connect that database
to the plug-in. For information on the database
setup, other useful information about this
function and updates to publications, consult
the following URL (all one link):

https://www.ibm.com/support/
knowledgecenter/SSLTBW_2.3.0/
com.ibm.zos.v2r3.halg001/nfsrhvhzrtv23.htm

Here are some important guidelines to consider
as you deploy the zERT Network Analyzer:

- You can initially deploy the IBM zERT Network
  Analyzer plug-in and database on a test system.
  Use a system where you can familiarize yourself
  with the plug-in operation as well as the Db2 for
  z/OS and system resource requirements.
  Depending on the number of imported SMF
  records and the complexity of your queries, you
  might also consider initially limiting query
  execution to specific times of day or specific
  systems to minimize system impacts.

- zERT Network Analyzer import and query
  processing for large amounts of data may
  take a long time and consume significant
  CPU cycles.  Because the zERT Network
  Analyzer is a Java application, and Db2 for
  z/OS is used as its data store, much of the
  zERT Network Analyzer processing is eligible
  to run on IBM z Integrated Information
  Processor (zIIP) specialty engines.  Consider
  running zERT Network Analyzer on a system
  that has sufficient zIIP capacity available in
  order to minimize the general purpose
  processor CPU costs associated with import
  and query operations.  Also consider using
  WLM policies to properly prioritize the DDF
  workload initiated by the zERT Network
  Analyzer so it does not impact more important
  workloads on the system.

- If you plan to import SMF dump data sets with
  large numbers of SMF records (hundreds of
  thousands or millions), you can reduce the
  import time and processing costs by filtering out
  any of the SMF records that are not SMF type
  119 subtype 12 before you execute the import
  operation.   These non-zERT records can be
  stripped out of your SMF dump data sets using
  the IFASMFDP program.  To do this, specify the
  SMF dump data set containing the SMF type 119
  subtype 12 and other SMF records as the input
  data set (INDD) and specify
          OUTDD(<outDDname>,TYPE(119(12)))
  Refer to the z/OS MVS System Management
  Facilities (SMF) book for complete details on
  using the IFASMFDP SMF data set dump
  program.

- If possible, consider using a Db2 for z/OS
  subsystem that is co-located with the zERT
  Network Analyzer to reduce latency and
  elapsed times when running operations like
  SMF imports and queries.

    



Problem conclusion


    

  • With this support, you will be able to easily
identify the cryptographic protection
attributes of TCP and Enterprise
Extender (EE) traffic with local endpoints
on your z/OS system

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH03137
    • 

  • Reported component name
    Z/MF CONFIG ASS
    • 

  • Reported component ID
    5655S28CA
    • 

  • Reported release
    23A
    • 

  • Status
    CLOSED  UR1
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    YesSpecatt / New Function / Xsystem
    • 

  • Submitted date
    2018-09-21
    • 

  • Closed date
    2018-12-19
    • 

  • Last modified date
    2019-03-01
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UI60375
    

    • 



Modules/Macros


    

  • IZUNASEC IZUZNADG IZUZNADI IZUZNADT IZUZNAHP IZUZNAHS IZUZNAPS
IZUZNAPX

    



Fix information


    

  • Fixed component name
    ZOSMF ZERT NW A
    • 

  • Fixed component ID
    5655S28ZE
    • 



Applicable component levels


    

  • R23A  PSY  UI60375
       UP18/12/21  P  F812
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"23A","Edition":"","Line of Business":{"code":"","label":""}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            01 March 2019
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback