Complete the Prerequisite Tasks

Complete the tasks that are described in this article before you install and configure the Data Service Probe.
Overview of the Prerequisite Tasks
IBM CIM Server for z/OS is the data source for the zOps and zStorage probes. Before the probes can get data from the monitored LPARs, the IBM CIM Server for z/OS must be configured on each LPAR that you want to monitor.  IBM CIM Server for z/OS requires RMF, RMF Monitor III, and Distributed Data Server.
  • CIM (Common Information Model) is a standard model for describing and accessing data across an enterprise. IBM CIM Server for z/OS is the z/OS implementation of the OpenPegasus CIM server.
  • RMF (Resource Management Facility) is the IBM performance management tool on z/OS systems and is a prerequisite for CIM Server.
  • The RMF component that is named Monitor III is used for data collection and continuous monitoring of the systems.
  • The Distributed Data Server (DDS) gathers the performance data from Monitor III and makes it easily accessible.
Prerequisite Checklist
The zOps and zStorage probes can monitor your LPAR when the following checklist is complete:
Component / Expected Result
RMF
  • RMF is active after IPL.
  • Output contains “ERB100I RMF: ACTIVE”.
  • The GPMSERVE APPL and IRRPTAUTH.GPMSERVE passticket exist.
RMF Monitor III
  • RMFGAT is active after IPL.
  • Output contains “ERB100I III: ACTIVE” and there are no VSAM errors.
Distributed Data Server
  • GPMSERVE is active after IPL.
  • Output contains “+GPM060I RMF DISTRIBUTED DATA SERVER READY FOR COMMANDS”.
CIM Server
  • CFZCIM is active after IPL.
  • Output contains “CFZ10030I: Started CIM Server”.
  • One dedicated user (CFZSRV) is created to run the CFZCIM STC.
  • One dedicated user (CFZUSR) in the CFZUSRGP is created to query CIM from UIM.
  • CFZUSR is not UID=0 and has an OMVS segment with access to directories /etc/wbem and /var/wbem.
  • CFZSRV and CFZUSR have UPDATE access to the IRRPTAUTH.GPMSERVE passticket.
  • zFS mounted at /var/wbem is added to BPXPRMxx to be mounted after an IPL.
  • SYS1.SAMPLIB(CFZIVP) is run with USER=<CFZUSR>, ends with RC=0 and no errors in STDOUT.
Policy Agent
  • CFZCIM_Server_Ring key ring is created, with corresponding certificates.
  • PAGENT is active after IPL.
  • TCPIP task contains output “PAGENT” to indicate that it is using PAGENT.
  • Policy Agent contains policy for CFZCIMServerRuleInbound.
  • CIM is configured to use HTTPS port.  CFZCIM output contains “enableHttpsConnection=true”.
Set up RMF
Complete the following tasks to set up RMF:
1. Set up Resource Management Facility (RMF)
Resource Management Facility (an IBM performance management tool) is a prerequisite for CIM Server.
If RMF is already active on your site, verify that the GPMSERVE APPL and passticket were created as part of the RMF configuration before continuing to the next step.
Follow these steps:
  1. Copy RMF from the installation PROCLIB to a data set that is part of the PROCLIB concatenation for the site.
  2. Authorize RMF load modules SYS1.SERBLINK and SYS1.SERBLPA.
  3. Define the following user IDs for the three started tasks that RMF provides in OMVSGRP:
    • RMF
    • RMFGAT
    • GPMSERVE
  4. Add Program Control access if using RACF security.
  5. Grant READ access for the GPMSERVE id to IBM facilities.
  6. Create GPMSERVE APPL.
  7. Define the GPMSERVE passticket.
  8. Start RMF using the following command:
    S RMF
    Note:
    For more information, see Setting Up RMF on the IBM Knowledge Center.
Verification
You can confirm that RMF started successfully when the following events occur:
  • RMF is active.
  • You see the following output message:
    “ERB100I RMF: ACTIVE”
  • GPMSERVE APPL has been created.
  • Confirm that access can be provided to the IRRPTAUTH.GPMSERVE passticket.
2. Set up RMF Monitor III (RMFGAT)
The RMF component that is named Monitor III is used for data collection and continuous monitoring of the systems.
It is a prerequisite for CIM Server.
Follow these steps:
  1. Copy RMFGAT from the installation PROCLIB to a data set that is part of the PROCLIB concatenation for the site.
  2. Review the comments in RMFGAT.  Define the VSAM data sets for storing data from Monitor III gatherer sessions.
    We recommend that you define six VSAM data sets, each with 50 cylinders of disk space. This configuration allows for about two days of data on small or medium systems.
    Minimum number of datasets needed: 2
    Maximum number of datasets allowed: 100
    Additional VSAMs may be created later and will dynamically be picked up by RMFGAT.
  3. Review and customize the options in default PARMLIB member for Monitor III, ERBRMF04.
    If you are using the zStorage probe and the site uses storage groups, define the SGSPACE parameter to list up to 25 storage group names as described in the following syntax.
    SGSPACE(ADD(GRP1,GRP2,GRP3,...))
    The name of the storage group cannot exceed 30 characters. When the name exceeds 30 characters, it is ignored.
  4. Start Monitor III using the following command:
    F RMF,S III
Note:
For more information, see Setting Up Monitor III on the IBM Knowledge Center.
Verification
You can confirm that the Monitor III session started successfully when the following events occur:
  • RMFGAT is active.
  • You see the following output message in RMF:
    ERB100I III: ACTIVE
3. Set up the Distributed Data Server (GPMSERVE)
The Distributed Data Server (DDS) gathers the performance data from Monitor III and makes it easily accessible.
It is a prerequisite for CIM Server.
Follow these steps:
  1. Copy GPMSERVE from the installation PROCLIB to a data set that is part of the PROCLIB concatenation for the site.  Review the comments to determine if APF authorization is required in your site.
  2. Verify that GPMSERVE starts with an ID that has an OMVS segment.
  3. Review and customize the options in default PARMLIB member GPMSRV00.
    Ensure the port number that is specified for HTTP_PORT option is available for use.
  4. Start the Distributed Data Server manually using the following command.
    S GPMSERVE
    Note:
    For more information, see Setting up the Distributed Data Server for z/OS on the IBM Knowledge Center.
Verification
A successful start of GPMSERVE is indicated when the following events occur:
  • GPMSERVE is active.
  • You can see the following output message:
    “+GPM060I RMF DISTRIBUTED DATA SERVER READY FOR COMMANDS”
Set up CIM Server
This article describes how to install and configure CIM Server to monitor one LPAR. If you want to monitor multiple LPARs, install and configure CIM Server on each LPAR that you want to monitor with UIM.
Important!
If your environment contains a z/OS that is running as a guest system on a z/VM, a CIM server that is installed on this environment does not return all of the data that is utilized by UIM for z.
Complete the following tasks to set up CIM Server:
1. Set up the CIM Server Security
This task lets you achieve the following:
  1. Create CIM user IDs and groups/profiles
    1. CFZSRV - the ID used by CIM Started Task.  This should be UID(0) with an OMVS segment.
    2. CFZUSR with access to CFZUSRGP - used to access CIM Data from probes.  This user cannot be UID(0).
    3. CFZSRVGP, CFZADMGP, CFZUSRGP - the groups or profiles that are used with CIM Server, administrator, and end users
  2. Create resource class WBEM and profile CIMSERV.
  3. Provide CFZSRV and CFZADMGP with CONTROL access and CFZUSRGP with UPDATE access to CIMSERV WBEM
  4. Set up a surrogate for CFZSRV for BPX.SRV
  5. Provide CFZSRVGP with UPDATE access to IBM Facilities BPX.SERVER, READ access to BPX.SMF, BPX.CONSOLE, and BPX.POE
  6. Create APPL CFZAPPL and permit groups/profiles
  7. Set up ARM for CFZCIM STC if necessary and provide CFZSRVGP with access to IXCARM IBM Facility
  8. Add permissions for CFZUSR access to CEA, IOSCDR (zStorage)
  9. Give CFZUSRGP access to GPMSERVE passticket and APPL
Follow these steps:
Depending on the security product you use, follow one of the following links to set up CIM server security.
RACF
Use the job CFZSEC provided in SYS1.SAMPLIB as described in Quick security setup for RACF on the IBM Knowledge Center.
After you run the CFZSEC job, add permissions for the users that need to access CIM Server from the Data Service Probe. You modify CFZUSRGP to have access to GPMSERVE, and then add a dedicated, existing user to the CFZUSRGP group so that it can get data from CIM (&CFZUSR). The dedicated user (&CFZUSR) should have an OMVS segment. The following code is an example of the syntax. Note that you replace &CFZUSR with the name of your dedicated, existing user that is used to connect to CIM.
Use &CFZUSR while configuring the CA Unified Infrastructure Management Operations for z Systems and CA Unified Infrastructure Management Storage for z Systems probes.
PERMIT IRRPTAUTH.GPMSERVE.* CL(PTKTDATA) ID(&CFZUSR) ACCESS(UPDATE)
CONNECT (&CFZUSR) GROUP(CFZUSRGP) AUTHORITY(USE)
&CFZUSR should not be UID(0)!
TSS
Use the job CFZTSS as described in the article Configure the CIM Server Using CA Top Secret Security.
ACF2
Use the job CFZACF2 as described in the article: Configure the CIM Server Using CA ACF2 Security.
Note:
For more information, see Setting up the security for the CIM Server on the IBM Knowledge Center.
2. Customize the File Systems and Directories Used by CIM Server
Follow these steps:
  1. Customize CFZRCUST sample job from SYS1.SAMPLIB and submit the job. This job will:
    1. Set up the directories /etc/wbem and /var/wbem.
    2. Create a zFS for /var/wbem.
    Run the following commands in OMVS to change the owner of /etc/wbem and /var/wbem to CFZSRV:
    chown -R CFZSRV:CFZSRVGP /etc/wbem
    chown -R CFZSRV:CFZSRVGP /var/wbem
    You must use an account that contains superuser privileges to run the above commands.
Note:
For more information, see Customizing the file systems and directories on the IBM Knowledge Center.
3. Configure the CIM Server Ports
As a best practice, we recommend that you use the default ports 5988 (HTTP) and 5989 (HTTPS). Verify that these ports are available.
When you cannot use the default ports, you can modify them using one of the following methods:
  • Use the cimconfig command to set httpPort and httpsPort parameters as illustrated by the following example:
    cimconfig -s httpPort=5990, httpsPort=5991 -p
  • Modify the CFZCIM proc so that STEP1 PARM includes the new values for httpPort and httpsPort as illustrated by the following example:
    PARM='PGM /usr/lpp/wbem/bin/cimserver daemon=false httpPort=5990 httpsPort=5991'
Note:
For more information, see Configuring the ports for the CIM server on the IBM Knowledge Center.
4. Start CIM Server
Follow these steps:
  1. Copy CFZCIM from the installation PROCLIB to a data set that is part of the PROCLIB concatenation for the site.
  2. Start the CIM server using the following command:
    S CFZCIM
Verification
A successful start of the CIM server is indicated when the following events occur:
  • CFZCIM is active
  • The following output messages are seen, and the CIM Server version is 2.11.2 or 2.12.1:
    CFZ10025I: The CIM server is listening on HTTP port 5988.
    CFZ10028I: The CIM server is listening on the local connection socket.
    CFZ10030I: Started CIM Server version 2.12.1.
    CFZ12532I: The CIM server successfully registered to ARM using element name CFZ_SRV_
You can see the following informational message when ARM is not enabled. No action is required in this case.
CFZ12533I: The CIM server failed to register with ARM using element name
CFZ_SRV_SY1: return code 0x0C, reason code 0x0160.
Note:
For more information, see Starting the CIM server in the IBM Knowledge Center.
5. Customize the Unix Systems Services Shell
You modify the profile of the installer so that you can run the CIM command-line utilities that are used to debug CIM server or set CIM configuration values. The default environment variable file profile.add, which contains the basic settings to enable z/OS CIM server commands, is located in /usr/lpp/wbem/install.
Follow these steps:
  1. Add the contents of profile.add to the .profile in the home path of the installer ID (that starts the CIM server) using the following syntax:
    cat /usr/lpp/wbem/install/profile.add >> ~installer/.profile
Verification
In OMVS, run the command: cimcli.  Verify that the Usage for cimcli is displayed.
Note:
For more information, see Customizing the UNIX System Services shell on the IBM Knowledge Center.
6. Verify CIM Server Setup with IVP Job
Follow these steps:
  1. Copy the installation verification job CFZIVP from SYS1.SAMPLIB to a local dataset.
  2. Modify the JOBCARD to include USER=CFZUSR.
  3. (Optional) Allow the installer to run the CFZIVP job as CFZUSR. Running the IVP job as CFZUSR tests the CIM Security for the user that the Data Service Probe will use.
    • RACF:
      RDEFINE SURROGAT CFZUSR.SUBMIT UACC(NONE)
      PERMIT CFZUSR.SUBMIT CLASS(SURROGAT) ID(INSTALLER) ACCESS(READ)
      SETROPTS RACLIST(SURROGAT) REFRESH
      CFZUSR:
      The user ID that was created to query the CIM Server during the CIM Server security configuration step.
      INSTALLER:
      The user ID for the current user that is logged in to the console.
      Note:
      For more information about how to SURROGAT users, see Allowing another user to submit your jobs on the IBM Knowledge Center.
    • TSS:
      TSS PERMIT(CFZUSR) ACID(INSTALLER)
      CFZUSR:
      The user ID that was created to query the CIM Server during the CIM Server security configuration step.
      INSTALLER:
      The user ID for the current user that is logged in to the console.
    • ACF2:
      For ACF2, you do not need to surrogate the user. You include the password in the CFZIVP job card when submitting the job. The following code is an example of the job card.
      //CFZIVP1 JOB MSGCLASS=C,MSGLEVEL=(1,1),USER=<CFZUSR>,PASSWORD=<CFZUSR_PASS>
      CFZUSR:
      The user ID that was created to query the CIM Server during the CIM Server security configuration step.
      CFZUSR_PASS:
      The password for the CIM server user ID.
  4. Run the CFZIVP job. 
Verification
On successful completion, CFZIVP generates an output similar to the following message:
cimivp Main started ...
Connecting to local CIM Server ...
... success
> Found Computer System : USILSAMP.TEST.COM (CPUID: 114D072827, LPARName: TEST)
> Found Operating System : CFZ1 (Version: 02.01.00, Sysplex: CFZ1PLEX, FreeMem: 52
> Number of active UNIX System Services processes: 4
> Number of active address spaces: 378
> Number of FC ports: 54
> Number of online processors: CP(4) zAAP(0) zIIP(2)
> Number of configured disk volumes: 18231
cimivp - All tests completed successfully.
Note:
For more information, see Setup verification on the IBM Knowledge Center.
7. Enable Remote Users
Follow these steps:
  1. To allow the Data Service probe to issue requests against the CIM server from a remote system, use the command that is described in the following example:
    F CFZCIM,APPL=CONFIG,enableRemotePrivilegedUserAccess=true,PLANNED
    Optionally, use the following command from USS:
    cimconfig -s enableRemotePrivilegedUserAccess=true -p
  2. Restart CFZCIM.
Note:
For more information, see Controlling the CIM server on the IBM Knowledge Center.
8. Create Certificates and Key Rings
You create certificates and a key ring to set up AT-TLS with simple SSL protection for the CIM server. The certificates and key ring setup step lets you accomplish the following tasks:
  • Generate a self-signed digital certificate for the local certificate authority to sign the CIM server certificate
  • Generate a valid digital certificate for CFZSRV that is signed with the certificate-authority
  • Create a key ring and assign it to CFZSRV
  • Connect the CIM server certificate and local certificate authority certificate to the key ring.
Follow these steps:
Depending on the security product that you use, see the following articles for instructions about how to configure the security products.
RACF
For more information, see RACF and digital certificates (Implementation Scenario 2) on the IBM Knowledge Center.
TSS
See the article Configure the CIM Server Using CA Top Secret Security. You can use the job that is named CFZKEYRT that is attached to this article.
ACF2
See the article Configure the CIM Server Using CA ACF2 Security. You can use the job that is named CFZKEYRA that is attached to this article.
9. Set up the Policy Agent
As a best practice, we recommend that you configure the CIM server to use an SSL port to encrypt the connection between the Data Service Probe and the CIM Server. In production environments, you disable the HTTP port on the CIM server and configure the Data Service Probe to use only SSL connections. For more information, see Configuring the CIM server HTTPS connection using AT-TLS on the IBM Knowledge Center.
zdataservice Probe supports only the following types of SSL configurations:
  • SSL protection only.
  • SSL protection with certificate authentication.
Follow these steps:
  1. Enable the Policy Agent for AT-TLS in the TCPIP stack where CIM runs
  2. Add PAGENT to the PROCLIB and modify the TCPIP profile to start PAGENT.
  3. Configure the Policy Agent to secure the communication for the CIM server at the configured HTTPS port
The following example illustrates how to configure the "SSL protection only" policy while you are setting up the AT-TLS policy:
TTLSRule CFZCIMServerRuleInbound
{
Jobname CFZCIM*
LocalPortRange 5989
Direction Inbound
TTLSGroupActionRef grp_StartUp
TTLSEnvironmentActionRef CFZCIMServerEnvActionInbound
}
TTLSEnvironmentAction CFZCIMServerEnvActionInbound
{
HandshakeRole Server
TTLSEnvironmentAdvancedParms
{
ClientAuthType PassThru
}
TTLSKeyRingParms
{
Keyring CFZCIM_Server_Ring
}
}
# Common StartUp Group that new Rules may use
# Shows how each connection maps to policy
TTLSGroupAction grp_StartUp
{
TTLSEnabled On
Trace 0 # Log Errors and Info messages to syslogd
}
The following example illustrates how to configure the "SSL protection with certificate authentication" policy while you are setting up the AT-TLS policy:
To enable SSL protection with certificate authentication, you add the user certificate to CFZCIM_Server_Ring in the policy agent file as described in Prerequisite Checklist.
TTLSRule CFZCIMServerRuleInbound
{
Jobname CFZCIM*
LocalPortRange 5989
Direction Inbound
TTLSGroupActionRef grp_StartUp
TTLSEnvironmentActionRef CFZCIMServerEnvActionInbound
}
TTLSEnvironmentAction CFZCIMServerEnvActionInbound
{
HandshakeRole ServerWithClientAuth
TTLSEnvironmentAdvancedParms
{
ClientAuthType SAFCheck
}
TTLSKeyRingParms
{
Keyring CFZCIM_Server_Ring
}
}
# Common StartUp Group that new Rules may use
# Shows how each connection maps to policy
TTLSGroupAction grp_StartUp
{
TTLSEnabled On
Trace 0 # Log Errors and Info messages to syslogd
}
Consider the following best practices:
  • In the previous policy example, you should set "Keyring" to the key ring label defined during key ring security configuration.
  • When you do not specify an expiration date for the certificate in the key ring, it expires one year from the date the certificate was configured. We recommend that you specify an expiration date that is greater than one year (for example, two years, three years, five years, or as long as possible), so that you do not need to extend the expiration date of the certificate so frequently.
Note:
For more information, see Chapter 22 of the IBM IP Configuration Guide.
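The two policies above differ only in HandshakeRole and ClientAuthType, so a half-converted policy or a LocalPortRange that no longer matches httpsPort is easy to miss. The following audit is an added example, not part of the product or of IBM's tooling; the function names and the `mode` values are hypothetical, it accepts LocalPortRange as one port or two numbers, and it assumes the one-item-per-line layout used in the examples above.

```python
def parse_policy(text):
    """Map (statement, name) to a flat dict of its parameters, nested groups included."""
    policy, current, depth = {}, {}, 0
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()          # drop comments
        if line in ("{", "}"):
            depth += 1 if line == "{" else -1
        elif line and depth == 0:                 # statement header: type and name
            current = policy.setdefault(tuple(line.split(None, 1)), {})
        elif " " in line:                         # parameter at any depth
            key, value = line.split(None, 1)
            current[key] = value
    return policy

AUTH = {"ssl": ("Server", "PassThru"), "cert": ("ServerWithClientAuth", "SAFCheck")}

def audit(text, mode, https_port=5989, keyring="CFZCIM_Server_Ring"):
    """Findings for CFZCIMServerRuleInbound against the page's 'ssl' or 'cert' policy."""
    pol = parse_policy(text)
    rule = pol.get(("TTLSRule", "CFZCIMServerRuleInbound"), {})
    env = pol.get(("TTLSEnvironmentAction", rule.get("TTLSEnvironmentActionRef")), {})
    grp = pol.get(("TTLSGroupAction", rule.get("TTLSGroupActionRef")), {})
    ports = [int(p) for p in rule.get("LocalPortRange", "").replace("-", " ").split()]
    auth = (env.get("HandshakeRole"), env.get("ClientAuthType"))
    checks = [
        (ports and ports[0] <= https_port <= ports[-1],
         f"LocalPortRange does not cover httpsPort {https_port}"),
        (grp.get("TTLSEnabled") == "On", "TTLSEnabled is not On"),
        (auth == AUTH[mode], f"role/auth is {auth}, expected {AUTH[mode]}"),
        (env.get("Keyring") == keyring, f"Keyring is not {keyring}"),
    ]
    return [msg for ok, msg in checks if not ok]

SAMPLE = """\
TTLSRule CFZCIMServerRuleInbound
{
Jobname CFZCIM*
LocalPortRange 5989
Direction Inbound
TTLSGroupActionRef grp_StartUp
TTLSEnvironmentActionRef CFZCIMServerEnvActionInbound
}
TTLSEnvironmentAction CFZCIMServerEnvActionInbound
{
HandshakeRole Server
TTLSEnvironmentAdvancedParms
{
ClientAuthType PassThru
}
TTLSKeyRingParms
{
Keyring CFZCIM_Server_Ring
}
}
TTLSGroupAction grp_StartUp
{
TTLSEnabled On
}
"""  # constructed input: a copy of the "SSL protection only" policy from this page
```

Calling `audit(SAMPLE, "cert")` reports the HandshakeRole/ClientAuthType mismatch, and `audit(SAMPLE, "ssl", https_port=5991)` reports the port mismatch you would get after moving httpsPort without updating the policy.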
10. Configure the CIM Server HTTPS Connection
Follow these steps:
  1. Set the configuration property enableHttpsConnection to true.
    Use the following command from OMVS:
    cimconfig -s enableHttpsConnection=true -p
  2. Verify that the httpsPort is configured to the port specified in the AT-TLS Policy for CFZCIM.
  3. Restart CFZCIM.
Verification
  • The output of CFZCIM contains "CFZ10026I: The CIM server is listening on HTTPS port 5989."
Note:
For more information, see Configuring the CIM server HTTPS connection using AT-TLS on the IBM Knowledge Center.
11. Verify the Prerequisite Installation
Use the Prerequisite Checklist to verify that all tasks have been completed.
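One way to automate the message checks from the Prerequisite Checklist, as an added example that is not part of the product or of IBM's tooling: it scans saved started-task output for the messages this article names, confirms the CIM Server version and HTTPS port, and reports a plain HTTP listener that is still open. The function names are hypothetical and the sample output is constructed.

```python
import re

# Messages from the Prerequisite Checklist, keyed by component.
EXPECTED = {
    "RMF": "ERB100I RMF: ACTIVE",
    "RMF Monitor III": "ERB100I III: ACTIVE",
    "Distributed Data Server": "GPM060I RMF DISTRIBUTED DATA SERVER READY FOR COMMANDS",
    "CIM Server": "CFZ10030I: Started CIM Server",
}
SUPPORTED_CIM = {"2.11.2", "2.12.1"}      # versions named in the "Start CIM Server" step
VERSION = re.compile(r"CFZ10030I: Started CIM Server version (\d+(?:\.\d+)*)")
HTTP = re.compile(r"CFZ10025I: The CIM server is listening on HTTP port (\d+)")
HTTPS = re.compile(r"CFZ10026I: The CIM server is listening on HTTPS port (\d+)")


def normalize(log_text):
    """Rejoin messages wrapped with a trailing ' -' and collapse runs of spaces."""
    joined = re.sub(r"[ \t]+-[ \t]*\n[ \t]*", " ", log_text)
    return re.sub(r"[ \t]+", " ", joined)


def check_prerequisites(log_text, policy_port=5989):
    """Return a list of findings; an empty list means the message checks pass."""
    text = normalize(log_text)
    findings = [f"{name}: message '{msg}' not found"
                for name, msg in EXPECTED.items() if msg not in text]
    version = VERSION.search(text)
    if version and version.group(1) not in SUPPORTED_CIM:
        findings.append(f"CIM Server: version {version.group(1)} is not supported")
    https = HTTPS.search(text)
    if not https:
        findings.append("CIM Server: no HTTPS listener (CFZ10026I missing)")
    elif int(https.group(1)) != policy_port:
        findings.append(f"CIM Server: HTTPS port {https.group(1)} differs from "
                        f"AT-TLS policy port {policy_port}")
    http = HTTP.search(text)
    if http:
        findings.append(f"CIM Server: plain HTTP listener open on port {http.group(1)}")
    return findings


# Constructed sample: output collected after step 4, before HTTPS was enabled.
SAMPLE_BEFORE = """\
ERB100I RMF: ACTIVE
ERB100I III: ACTIVE
+GPM060I RMF DISTRIBUTED DATA -
SERVER READY FOR COMMANDS
CFZ10025I: The CIM server is listening on HTTP port 5988.
CFZ10030I: Started CIM Server version 2.12.1.
"""
# Constructed sample: the same system after steps 9 and 10, HTTP port disabled.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "CFZ10025I: The CIM server is listening on HTTP port 5988.",
    "CFZ10026I: The CIM server is listening on HTTPS port 5989.")

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_prerequisites(sample) or "all message checks pass")
```

The RACF, key ring, and BPXPRMxx items in the checklist are not visible in started-task output and still need to be confirmed in the security product and PARMLIB.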