IBM Support

PH03137: ZERT NETWORK ANALYZER SUPPORT

A fix is available

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as new function.

Error description

  • NEW FUNCTION - IBM z/OS Encryption Readiness Technology
    (zERT) Network Analyzer plug-in for z/OS Management Facility
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All users of V2R3 IBM z/OS Management                        *
    * Facility for HSMA23A: IBM                                    *
    * zERT Network Analyzer.                                       *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * NEW FUNCTION - IBM z/OS Encryption                           *
    * Readiness Technology (zERT) Network                          *
    * Analyzer plug-in for z/OS Management Facility                *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply PTF.                                                   *
    ****************************************************************
    To complete the installation of IBM zERT
    Network Analyzer, complete the following
    steps:
    
    - Enable the IBM zERT Network Analyzer
       plug-in in z/OSMF by adding
       ZERT_ANALYZER to the PLUGINS
       statement.
    
      Procedure:
      1. Edit the IZUPRMxx parmlib
      member and add the ZERT_ANALYZER
      plug-in identifier to the PLUGINS statement.
    
      For more information, consult section
      'IZUPRMxx reference information' in
      z/OSMF Configuration Guide
    
    - Authorize the user IDs that will be
      using IBM zERT Network Analyzer.
    
      Users of the IBM zERT Network Analyzer
      task require access to resources that are
      protected by the profile <SAF-prefix>.
      ZOSMF.ZERT_NETWORK_ANALYZER in
      class ZMFAPLA. You  must perform
      additional steps to create the necessary
      authorizations.
    
      Procedure:
      1. Edit the IZUNASEC job before you run it.
    
      2. Add the names of the users that will
      have authorization to access the IBM zERT
      Network Analyzer task.
      **  Connect the users of the zERT Network **
      **  Analyzer to the zERT Network Analyzer **
      **  group                                 **
      CONNECT USER1 GROUP(IZUZNA)
      CONNECT USER2 GROUP(IZUZNA)
      **  End connect the users to zERT Network **
      **  Analyzer group                        **
    
      3. Save your changes and run the updated
      IZUNASEC job.
    
      For more information, consult section
      'Updating z/OS for the IBM z/OS Encryption
      Readiness Technology (zERT) Network
      Analyzer plug-in' in z/OSMF Configuration
      Guide
    
    Once the above steps are complete, the IBM
    zERT Network Analyzer plug-in will be visible
    to the permitted user IDs.  Note, however, that
    further setup is required to define the Db2 for
    z/OS database and to connect that database
    to the plug-in. For information on the database
    setup, other useful information about this
    function and updates to publications, consult
    the following URL (all one link):
    
    https://www.ibm.com/support/
    knowledgecenter/SSLTBW_2.3.0/
    com.ibm.zos.v2r3.halg001/nfsrhvhzrtv23.htm
    
    Here are some important guidelines to consider
    as you deploy the zERT Network Analyzer:
    
    - You can initially deploy the IBM zERT Network
      Analyzer plug-in and database on a test system.
      Use a system where you can familiarize yourself
      with the plug-in operation as well as the Db2 for
      z/OS and system resource requirements.
      Depending on the number of imported SMF
      records and the complexity of your queries, you
      might also consider initially limiting query
      execution to specific times of day or specific
      systems to minimize system impacts.
    
    - zERT Network Analyzer import and query
      processing for large amounts of data may
      take a long time and consume significant
      CPU cycles.  Because the zERT Network
      Analyzer is a Java application, and Db2 for
      z/OS is used as its data store, much of the
      zERT Network Analyzer processing is eligible
      to run on IBM z Integrated Information
      Processor (zIIP) specialty engines.  Consider
      running zERT Network Analyzer on a system
      that has sufficient zIIP capacity available in
      order to minimize the general purpose
      processor CPU costs associated with import
      and query operations.  Also consider using
      WLM policies to properly prioritize the DDF
      workload initiated by the zERT Network
      Analyzer so it does not impact more important
      workloads on the system.
    
    - If you plan to import SMF dump data sets with
      large numbers of SMF records (hundreds of
      thousands or millions), you can reduce the
      import time and processing costs by filtering out
      any of the SMF records that are not SMF type
      119 subtype 12 before you execute the import
      operation.   These non-zERT records can be
      stripped out of your SMF dump data sets using
      the IFASMFDP program.  To do this, specify the
      SMF dump data set containing the SMF type 119
      subtype 12 and other SMF records as the input
      data set (INDD) and specify
              OUTDD(<outDDname>,TYPE(119(12)))
      Refer to the z/OS MVS System Management
      Facilities (SMF) book for complete details on
      using the IFASMFDP SMF data set dump
      program.
    
    - If possible, consider using a Db2 for z/OS
      subsystem that is co-located with the zERT
      Network Analyzer to reduce latency and
      elapsed times when running operations like
      SMF imports and queries.
    

Problem conclusion

  • With this support, you will be able to easily
    identify the cryptographic protection
    attributes of TCP and Enterprise
    Extender (EE) traffic with local endpoints
    on your z/OS system
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH03137

  • Reported component name

    Z/MF CONFIG ASS

  • Reported component ID

    5655S28CA

  • Reported release

    23A

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2018-09-21

  • Closed date

    2018-12-19

  • Last modified date

    2019-03-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI60375

Modules/Macros

  • IZUNASEC IZUZNADG IZUZNADI IZUZNADT IZUZNAHP IZUZNAHS IZUZNAPS
    IZUZNAPX
    

Fix information

  • Fixed component name

    ZOSMF ZERT NW A

  • Fixed component ID

    5655S28ZE

Applicable component levels

  • R23A PSY UI60375

       UP18/12/21 P F812

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: z/OS family

Software version: 23A

Operating system(s): z/OS

Reference #: PH03137

Modified date: 01 March 2019