Configuring the Tivoli Enterprise Monitoring Server on z/os

Transcription

1 IBM Tioli Management Serices on z/os Version Fix Pack 1 Configuring the Tioli Enterprise Monitoring Serer on z/os SC

2

3 IBM Tioli Management Serices on z/os Version Fix Pack 1 Configuring the Tioli Enterprise Monitoring Serer on z/os SC

4 Note Before using this information and the product it supports, read the information in Appendix C, Notices, on page 167. This edition applies to ersion 6, release 2, modification 3, Fix Pack 1 of IBM Tioli Management Serices on z/os (product number 5698-A79) and to all subsequent releases and modifications until otherwise indicated in new editions. This edition replaces SC Copyright IBM Corporation 2005, US Goernment Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

5 Contents Figures ii Tables ix Part 1. Preparing to configure the Tioli Enterprise Monitoring Serer on z/os.. 1 Chapter 1. Oeriew of Tioli Management Serices and the Tioli Enterprise Monitoring Serer 3 Tioli Management Serices Tioli Enterprise Monitoring Serer Tioli Enterprise Portal Serer and clients Tioli Data Warehouse TMS:Engine Eent synchronization component Tioli Enterprise Portal Serer extended serices Monitoring agents New in this release Chapter 2. Planning your deployment Decision 1: What kinds of monitoring serers to configure Whether to configure a high-aailability hub on z/os How many remote monitoring serers to configure Whether to enable the self-describing agents capability Whether to enable the auditing function Decision 2: Whether and how to enable eent forwarding Part 2. Configuring hub and remote monitoring serers on z/os Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it PARMGEN method Step 1. Create and configure a runtime enironment for the high-aailability hub Step 2. Configure a remote monitoring serer to report to the high-aailability hub Step 3. Configure monitoring agents to report to the remote monitoring serer Step 4. (Optional) Replicate the remote runtime enironment Configuration Tool (ICAT) method Step 1. Add a runtime enironment Step 2. Build the runtime libraries Step 3. Configure the high-aailability hub monitoring serer Step 4. Configure a remote monitoring serer to report to the high-aailability hub Step 5. Configure monitoring agents to report to the remote monitoring serer Step 6. Load the runtime libraries Chapter 4. Configuring the hub monitoring serer and monitoring agents in the same runtime enironment PARMGEN method Step 1. Create the runtime enironment and set the configuration parameters for the hub Step 2. Set configuration parameters for the monitoring agents in the same runtime enironment 81 Step 3. (Optional) Replicate the runtime enironment to a remote system Configuration Tool (ICAT) method Configuration steps Step 1. Configure the hub monitoring serer Step 2. Configure monitoring agents in the runtime enironment Copyright IBM Corp. 2005, 2012 iii

6 Step 3. Load the runtime libraries Chapter 5. Configuring a remote monitoring serer on z/os to report to a distributed hub PARMGEN method Step 1. Create the runtime enironment and set the configuration parameters for the remote monitoring serer Step 2. Set configuration parameters for the monitoring agents in the same runtime enironment 101 Step 3. (Optional) Replicate the remote runtime enironment Configuration Tool (ICAT) method Configuration steps Step 1. Configure the remote monitoring serer Step 2. Configure monitoring agents in the runtime enironment Step 3. Load the runtime libraries Part 3. Post-configuration procedures Chapter 6. Completing the configuration Typical tasks of completing the configuration of a monitoring serer (If applicable) Add support for the SYSTCPD DDNAME in the monitoring serer started task (If applicable) Add the NetView CNMLINK data set to the monitoring serer started task Copy the started task procedures to your procedure library Copy the VTAM definitions to your system VTAMLST Vary the VTAM major node actie APF-authorize the runtime load libraries (If applicable) Refresh the KSHXHUBS member in other runtime enironments Verify that you can start and stop the monitoring serer (If applicable) Enable NetView to authorize Take Action commands (If applicable) Edit the portal serer enironment file Enable historical data store maintenance (optional) Enable historical data collection (optional) Enable eent forwarding (optional) Run the ITMSUPER Tools (optional) Chapter 7. Adding application support to a monitoring serer on z/os Prerequisites Selecting the correct procedure Install the application support files on a distributed system where a portal serer is installed Installing application support files on Windows Installing application support files on Linux or UNIX Copy or transfer catalog and attribute files to the monitoring serer on z/os Transferring the catalog and attribute files from Windows Transferring the catalog and attribute files from Linux or UNIX Use Manage Tioli Monitoring Serices to add application support SQL files to the hub monitoring serer on z/os Adding application support SQL files from Manage Tioli Monitoring Serices on Windows Adding application support SQL files from Manage Tioli Monitoring Serices on Linux or UNIX 140 Chapter 8. Configuring security on a monitoring serer on z/os Enabling security alidation on a z/os hub Implementing security with RACF Implementing CA-ACF2 security Implementing security with CA-TOP SECRET Implementing security with Network Access Method (NAM) Changing the security system specification Resetting the password encryption key PARMGEN method i IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

7 Configuring NetView authorization of z/os commands Configure the monitoring serer to forward Take Action commands Add the NetView CNMLINK data set to the Tioli Enterprise Monitoring Serer started task Enable NetView to authorize Take Action commands Verifying the configuration Troubleshooting tips Enable RACF authorization of Take Action commands Setting up the userid mapping capability Part 4. Appendixes Appendix A. Documentation library IBM Tioli Monitoring library Documentation for the base agents Shared OMEGAMON XE publications Related publications Other sources of documentation Appendix B. Support information Appendix C. Notices Trademarks Glossary Index Contents

8 i IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

9 Figures 1. Agent/serer/client architecture High-aailability hub monitoring serer and its connections Configuration Tool Main Menu Configure Products panel Product Selection Menu Runtime Enironments (RTEs) panel Add Runtime Enironment (1 of 3) panel Add Runtime Enironment (2 of 3) panel Add Runtime Enironment (3 of 3) panel Configure the TEMS panel Specify Configuration Values panel Eligible Products for HA Hub TEMS panel Exclusion Verification for HA Hub TEMS panel Specify Adanced Configuration Values panel Specify Persistent Datastore Configuration Values panel Specify Values for Eent Destination panel Specify Communication Protocols panel Specify IP.PIPE Communication Protocol panel Specify IP.PIPE Partition References panel Specify TEMS KSHXHUBS Values panel SOAP serer KSHXHUBS List panel SOAP serer KSHXHUBS Security Access List panel Specify TEMS KSHXHUBS User Access List panel Configure TEMS Self-Describing Agent Parameters panel Specify TEMS Self-Describing Agent Values panel Configure Persistent Datastore panel Modify and Reiew Datastore Specifications panel Product Component Selection Menu Create LU6.2 Logmode panel Communication Selection panel Specify Communication Protocols panel Specify IP.PIPE Communication Protocol panel Specify SNA Communication Protocol panel Hub monitoring serer and monitoring agents in the same runtime enironment Remote monitoring serer on z/os reporting to a hub on a distributed system Communication Selection panel Specify Configuration - Hub Values for Remote TEMS panel Specify Communication Protocols panel for a remote monitoring serer Specify IP.PIPE Communication Protocol panel for a remote monitoring serer CNMSTYLE member after editing CNMLINK DD statement in the Tioli Enterprise Monitoring Serer started task CNMSTYLE member after editing Copyright IBM Corp. 2005, 2012 ii

10 iii IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

11 Tables 1. New monitoring serer runtime libraries and started task DDNAMEs SMF type-112 record subtypes SMF record 112 format Procedures for adding application support to a monitoring serer on z/os Copyright IBM Corp. 2005, 2012 ix

12 x IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

13 Part 1. Preparing to configure the Tioli Enterprise Monitoring Serer on z/os This publication is intended to be used together with IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide, which contains ital planning information. Read the chapters in Parts 1 and 2 of the Common Planning and Configuration Guide first, and then continue with the chapters in this part of Configuring the Tioli Enterprise Monitoring Serer on z/os. See Appendix A, Documentation library, on page 159 for information on finding the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide and other related publications. The chapters in this part of Configuring the Tioli Enterprise Monitoring Serer on z/os proide information required for beginning to configure your monitoring serers on z/os. Chapter 1, Oeriew of Tioli Management Serices and the Tioli Enterprise Monitoring Serer, on page 3 explains the architecture and the commonly shared components of IBM Tioli Management Serices. Chapter 1 also contains a New in this release section, which describes changes and enhancements that affect the configuration of the Tioli Enterprise Monitoring Serer. Chapter 2, Planning your deployment, on page 13 helps you plan a first-time deployment of the Tioli Enterprise Monitoring Serer on z/os. Chapter 2 coers basic planning decisions that are not coered in Part 1 of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide: Decision 1: What kinds of monitoring serers to configure on page 13 Decision 2: Whether and how to enable eent forwarding on page 22 Naigation tips If you are installing and configuring the Tioli Management Serices components for the first time, be sure to read all the chapters in Part 1 of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide and in Part 1 of this publication before you begin. If you are upgrading existing components, you can skip ahead. 1. Examine New in this release on page 7 to learn about changes that affect the Tioli Enterprise Monitoring Serer. 2. Follow the upgrade instructions in IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Upgrade Guide. See Appendix A, Documentation library, on page 159 for information on finding the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Upgrade Guide and other related publications. Copyright IBM Corp. 2005,

14 2 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

15 Chapter 1. Oeriew of Tioli Management Serices and the Tioli Enterprise Monitoring Serer The Tioli Enterprise Monitoring Serer (also called the monitoring serer) is the central component of the commonly shared technology called Tioli Management Serices. The monitoring serer consolidates and distributes data; receies and distributes commands; and sends alerts when specified aailability and performance problems are detected in the monitored applications, systems, or networks. The monitoring serer can run on distributed or z/os systems. This guide describes how to configure and customize a monitoring serer on a z/os system. Tioli Management Serices The commonly shared components of Tioli Management Serices proide security, data transfer and storage, notification, user interface presentation, and communication for a number of Tioli monitoring products. The Tioli Management Serices components and the monitoring agents work together in an agent/serer/client implementation (Figure 1). Figure 1. Agent/serer/client architecture Some components of Tioli Management Serices, such as Tioli Enterprise Portal and the Warehouse Proxy and Summarization and Pruning agents, run only on distributed systems. The Tioli Enterprise Monitoring Serer and the Tioli Data Warehouse can run on either distributed or mainframe systems. Tioli Management Serices:Engine (TMS:Engine) runs only on mainframe systems. The Tioli Management Serices shared components are included with the IBM Tioli Monitoring product, with the OMEGAMON XE monitoring agent products, with the IBM Tioli Management Serices on z/os product, and with many other Tioli applications. Tioli Management Serices comprises the following commonly shared components: Copyright IBM Corp. 2005,

16 Tioli Enterprise Monitoring Serer Tioli Enterprise Portal Serer and clients Tioli Data Warehouse on page 5 TMS:Engine on page 5 Eent synchronization component on page 5 Tioli Enterprise Portal Serer extended serices on page 5 Tioli Enterprise Monitoring Serer Tioli Enterprise Monitoring Serer is the nere center of Tioli Management Serices. The monitoring serer performs the following tasks: Consolidates the data collected by monitoring agents and distributes the data to the Tioli Enterprise Portal Serer. Manages the connection status of the monitoring agents. Receies commands from Tioli Enterprise Portal and distributes them to the appropriate monitoring agents. Sends alerts to the Tioli Enterprise Portal Serer when specified aailability and performance problems are detected Stores historical data and configuration prototypes. The master monitoring serer is called the hub monitoring serer. The hub monitoring serer acts as the focal point for data collection and distribution. It communicates with monitoring agents, with remote monitoring serers, with the Tioli Enterprise Portal Serer, and with the Warehouse Proxy and Summarization and Pruning agents (see Tioli Data Warehouse on page 5). A remote monitoring serer is remote only with respect to the hub monitoring serer, not with respect to the monitoring agents. Remote monitoring serers communicate only with the monitoring agents that report to them and with the hub monitoring serer to which they report. Monitoring serers can run on z/os, Windows, AIX, HP-UX, Solaris, or Linux systems. Tioli Enterprise Portal Serer and clients Tioli Enterprise Portal (also called the portal or the portal client) is the user interface for products using Tioli Management Serices. The Tioli Enterprise Portal is a thin Jaa client application. It has its own serer, the Tioli Enterprise Portal Serer, that communicates with the hub monitoring serer to send requests to and retriee data from monitoring agents on managed systems. Tioli Enterprise Portal Serer (the portal serer) builds and formats the portal workspaces that display real-time and historical data collected by the monitoring agents. The portal serer can run on Windows, AIX, or Linux systems. You can access the portal client in any of the following ways: Browser client (Internet Explorer or Mozilla Firefox on Windows, Mozilla Firefox on Linux) connected to a web serer embedded in the portal serer. The desktop client is downloaded or updated eery time it starts up. Your site can now run the Tioli Enterprise Portal browser client using newer leels (3.6.x, V5.0, or V6.0.x) of the Firefox Web browser on Windows and Linux when used in conjunction with a Jaa V6 runtime enironment. Note: If your site is running a Jaa V5 runtime enironment instead, you must continue to run the V3.5 or earlier leel of Firefox. Desktop client installed on a Windows or Linux system. Desktop client downloaded and run by IBM Web Start for Jaa, and updated at eery startup. For setup information about the portal serer and client, see the IBM Tioli Monitoring: Installation and Setup Guide. 4 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

17 Tioli Data Warehouse Tioli Data Warehouse, an optional component of Tioli Management Serices, is a long-term data store for the performance and analysis data collected by the monitoring agents. The Warehouse Proxy agent periodically receies data indirectly from the hub monitoring serer or directly from the monitoring agents and inserts that data into the Tioli Data Warehouse. On z/os systems, short-term history data for monitoring agents is maintained in data sets allocated and initialized during product configuration. The Warehouse Proxy agent receies the short-term history data and deliers it to the warehouse. Two specialized agents interact with the Tioli Data Warehouse: The Warehouse Proxy agent receies the short-term history data and deliers it to the Tioli Data Warehouse. You can use the Summarization and Pruning agent to customize how long to sae (pruning) and how often to aggregate (summarization) the data in the Tioli Data Warehouse database. The Warehouse Proxy agent and the Summarization and Pruning agent can run on Windows, AIX, HP-UX, Solaris, or Linux systems. For more information, see the following publications: IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide IBM Tioli Monitoring: Installation and Setup Guide IBM Tioli Monitoring: Administrator's Guide TMS:Engine TMS:Engine proides common functions such as communications, multithreaded runtime serices, tracing, and logging for the monitoring serer and monitoring agents on z/os. This shared component enables common portable code to make platform-independent system calls. This allows Tioli Enterprise Monitoring Serer code to be compiled for and executed on z/os, Windows, Linux, and UNIX platforms. Eent synchronization component The eent synchronization component sends updates to situation eents that hae been forwarded to a Tioli Enterprise Console eent serer or a Netcool /OMNIbus ObjectSerer back to the hub monitoring serer. In the Tioli Enterprise Portal, the Situation Eent Console, the Common Eent Console and the Tioli Enterprise Console eent iews are synchronized with the updated status of the eents. For information about the configurations of eent serers that you can hae in your enironment, see the IBM Tioli Monitoring: Installation and Setup Guide. For information about forwarding eents from a hub monitoring serer on z/os, see Decision 2: Whether and how to enable eent forwarding on page 22. With Tioli Management Serices V6.2.2 and later, stand-alone monitoring agents (those that are configured in their own address spaces) can run in autonomous mode (without communicating directly with a monitoring serer). An autonomous agent can emit Simple Network Management Protocol (SNMP) traps and Eent Integration Facility (EIF) eents directly to an OMNIbus ObjectSerer for agent-specific situations (but not for enterprise situations). The IBM Tioli Monitoring: Installation and Setup Guide proides instructions for configuring OMNIbus ObjectSerers to receie the eents. For information on specifying which situation eents to forward, see the Tioli Enterprise Portal online help and the IBM Tioli Monitoring: Tioli Enterprise Portal User's Guide. For detailed information about managing autonomous agents, see the "Agent autonomy" chapter of the IBM Tioli Monitoring: Administrator's Guide. Tioli Enterprise Portal Serer extended serices Tioli Enterprise Portal Serer extended serices (TEPS/e) is an embedded, co-located extension of the Tioli Enterprise Portal Serer that proides J2EE-based Application Serer integration facilities. TEPS/e proides support for a federated user repository. Chapter 1. Oeriew of Tioli Management Serices and the Tioli Enterprise Monitoring Serer 5

18 Monitoring agents If you purchased IBM Tioli Monitoring as a product, you receied a set of operating system monitoring agents (also called OS agents or base agents) as part of the product. If you purchased a monitoring agent product (for example, an OMEGAMON XE product) that includes the commonly shared components of Tioli Management Serices, you did not receie the base agents. Monitoring agent products are aailable for systems, database products, and applications. You can see the complete list of monitoring agents at the following website: A monitoring agent on any platform can be part of an enterprise that includes monitoring serers on z/os systems. 6 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

19 New in this release This section describes enhancements that affect the configuration of Tioli Enterprise Monitoring Serer and that hae been added since the last release of this publication. Userid-leel security now aailable for Take Action commands. As of fix pack 1 for IBM Tioli Monitoring Version 6.2.3, all z/os Take Action commands issued by the OMEGAMON XE agents, plus any other agents based on the Tioli Management Serices framework that run on z/os, can now be associated with the Tioli Enterprise Portal userid instead of the userid of the started task running the agent. This allows you to authorize the use of Take Action commands by selected portal serer users while restricting it from others. You can secure these userids (or the RACF groups they are in) ia standard security objects proided by your site's security product; for RACF, these are the OPERCMDS facility class and its profiles. See Enable RACF authorization of Take Action commands on page 154. Later ersions of the Firefox browser now supported. Your site can now run the Tioli Enterprise Portal browser client using 3.6.x, V5.0, or V6.0.x of the Firefox Web browser on Windows and Linux. This update requires that your site also use a Jaa V6 runtime enironment. In addition, AIX has been remoed as a Tioli Enterprise Portal client platform from this configuration guide. Only the Windows and Linux platforms are supported for the Tioli Enterprise Portal browser client. AIX is still fully supported as a Tioli Enterprise Portal serer platform. PARMGEN configuration method. The PARMGEN configuration method is now the preferred method of product configuration. The PARMGEN method is particularly suitable for the following types of customers: New OMEGAMON XE customers. Existing OMEGAMON XE customers in enironments in which one person is responsible for configuring all OMEGAMON XE products and components. With the PARMGEN configuration method, you edit a comprehensie list of parameters for configuring all installed products and components. You then submit a series of jobs to create a complete runtime enironment with the parameter alues you specified. The chapters in Part 2, Configuring hub and remote monitoring serers on z/os, on page 25 and Part 3, Post-configuration procedures, on page 117 now include procedural instructions for both PARMGEN and the Configuration Tool (ICAT) configuration methods. For more information about the PARMGEN configuration method, see IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide, IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Parameter Reference, and the PARMGEN Technote at Tip: Both the PARMGEN method and the Configuration Tool (ICAT) method are currently supported, but future product enhancements and updates will be aailable by the PARMGEN method only. Therefore, it is a good idea to begin using the PARMGEN method for configuring your products and components. Self-describing agents. Prior to ersion 6.2.3, before an agent could connect to a Tioli Enterprise Monitoring Serer, you were required to update the monitoring serer (as well as other Tioli Management Serices components such as the Tioli Enterprise Portal Serer and the Tioli Data Warehouse) with information necessary for it to recognize and process data sent by that agent, and then restart all affected components. As of V6.2.3, this "seeding" step (as it was once known) becomes unnecessary for the distributed (that is, non-z/os) agents: they hae been enhanced with a self-description capability that automatically distributes each agent's operating configuration directly to the local monitoring serer, which then replicates those agent configuration files first to the hub monitoring serer (if necessary) and then to the arious IBM Tioli Monitoring components that require it. Whether to enable the self-describing agents capability on page 15 has more information about the self-describing distributed agents. Chapter 1. Oeriew of Tioli Management Serices and the Tioli Enterprise Monitoring Serer 7

20 Note: Once your site actiates self-describing agents on a hub Tioli Enterprise Monitoring Serer, the monitoring serer must hae access to a Jaa Runtime Enironment running under IBM's 31-bit or 64-bit Jaa SDK Version 5 (or higher) and an HFS or zfs file system configured for UNIX System Serices (USS). As part of monitoring serer configuration, the RKCPDEFW VSAM file is now allocated for you. Historically, this file is allocated only by the PARMGEN process if the OMEGAMON XE for CICS (that is, the C5) agent is configured in the current runtime enironment. In support of self-describing agents, this file is now processed as part of monitoring serer configuration; in this way, the monitoring serer started task is already set up to accommodate the C5 agent's hub monitoring serer requirements when the C5 Agent is later added to the RTE. New auditing function. The new auditing function allows you to capture significant eents occurring in your site's IBM Tioli Monitoring enironment and record them in permanent storage for later retrieal and analysis. Each audit record fully describes some eent that has changed the state of your Tioli Monitoring system. Platforms coered include Windows, UNIX/Linux, i5/os, and z/os. On z/os, the auditing facility optionally creates and stores Systems Management Facility format (SMF) records. These new auditing and logging records can be stored in the Tioli Data Warehouse. Standard reports are proided ia the Tioli Common Reporting feature. In addition, a new Tioli Enterprise Portal workspace enables you to iew auditing and logging records online; see the IBM Tioli Monitoring: Tioli Enterprise Portal User's Guide for information. Whether to enable the auditing function on page 17 has more information about the new auditing feature. Supporting the auditing function required the creation of a new ICAT panel, KDSPPDS (Specify Persistent Datastore Configuration Values) panel, where you supply the PDS definition parameters; see Figure 15 on page 48. Web Serices (SOAP serer) support extended to remote monitoring serers. IBM Tioli Monitoring's Web Serices solution proides you with an industry-standard, open interface into Tioli Monitoring's performance and aailability data. With it, your site can integrate Tioli Monitoring data with external automation and integration applications. Tioli Monitoring Web Serices implements a client/serer architecture in which the client sends Simple Object Access Protocol (SOAP) requests to the SOAP serer running within the Tioli Enterprise Monitoring Serer. The SOAP serer receies, processes, then responds to the client's SOAP requests. Preiously, the SOAP serer ran only within a hub monitoring serer. The SOAP serer now can run in a remote monitoring serer as well. This means that a policy running on a remote monitoring serer can now send a SOAP request to an agent that is connected to that same monitoring serer, which is important because ersion adds new SOAP-based, on-demand and actiities, which send SOAP requests to the monitoring serer on which the policy is running. In addition, this architecture is more efficient than haing all remote monitoring serers send their SOAP requests to the hub. It also means that a policy that is running on a remote monitoring serer can continue to process SOAP requests een when the hub or the connection to the hub becomes unaailable. To actiate the SOAP serer for a remote monitoring serer, ensure you set the Enable Web Serices SOAP Serer parameter to Y when completing step Specify configuration alues on page 103. Automatic registration of products with the local monitoring serer. The runtime enironment load processing option now automatically copies the KppATR and KppCAT members from the &thile.tkandatv target data set that was installed by SMP/E to the runtime enironment &rhile.&rte.rkandatv library. You do not hae to regenerate and rerun the "Register with local TEMS" (pp#4ssss) job for each product in the runtime enironment if you apply maintenance that updates the KppATR and KppCAT members only. Instead, you can just reload the runtime enironment to refresh the members. The "Register with local TEMS" step is still required the first time you configure a monitoring agent or wheneer you apply maintenance that updates parameters. High-aailability hub monitoring serer. You can now configure a high-aailability hub monitoring serer in any sysplex enironment with dynamic irtual IP addressing (DVIPA) and shared DASD. A 8 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

21 high-aailability hub is configured in its own runtime enironment, without any monitoring agents, and can be configured on the same LPAR with a remote monitoring serer. This configuration allows the hub monitoring serer to be relocated to any suitable LPAR in the sysplex with no changes, and with minimal disruption to the components connecting to the hub. Agent failoer. During configuration of stand-alone distributed monitoring agents, you can specify a primary and secondary monitoring serer for agent connections. If an agent's primary monitoring serer goes offline, the agent connects to the secondary monitoring serer. When the primary monitoring serer goes back online, the agent is automatically reconnected with it. Note: This feature does not apply to the OMEGAMON Monitoring Agents, as it requires the Proxy Agent Serices feature of Tioli Monitoring, which is not aailable on z/os. Increased default alue for minimum extended storage. For a new runtime enironment containing a monitoring serer, the default alue for minimum extended storage is now This alue indicates the minimum amount of irtual storage to be made aailable to the monitoring agents and other components communicating with the monitoring serer. You can oerride the default by specifying a alue in the PARMGEN configuration profile or (in the Configuration Tool) on the Specify Adanced Configuration Values panel during monitoring serer configuration. Eent forwarding to the Tioli Enterprise Console and Netcool/OMNIbus eent management serers. You can now forward situation eents reported to a hub monitoring serer on z/os to the Tioli Enterprise Console or to OMNIbus for correlation and management. To forward situation eents, the Tioli Eent Integration Facility (EIF) on the hub monitoring serer must be enabled, and the host name and listening port of the eent receier must be specified in the Configuration Tool. In addition, seeral tasks must be completed outside the configuration software: The destination eent serer or serers must be configured to receie the eents. A situation update forwarding process (the eent synchronization component) must be installed on the eent serer or serers. If situation eents are forwarded to OMNIbus, an EIF probe must be installed. For situation eents forwarded to the Tioli Enterprise Console,.baroc files for the monitoring agents reporting to the hub must be installed and imported on the Tioli Enterprise Console serer, and the rule base must be updated. The "Eent integration scenarios" section of IBM Tioli Monitoring: Installation and Setup Guide describes the deployment possibilities for hubs and eent serers; and the section on "Integrating eent management systems" proides detailed instructions for configuring the Tioli Enterprise Console and OMNIbus eent serers to receie the eents, including installing the eent synchronization component and the.baroc files. Decision 2: Whether and how to enable eent forwarding on page 22 in this guide explains briefly how eent forwarding works, discusses issues to consider before you enable eent forwarding on a z/os hub, and points you to more complete documentation on eent forwarding. The information for Figure 14 on page 45 and Figure 16 on page 50 gies instructions for enabling EIF and specifying the destination eent serers during configuration of the hub. Enable eent forwarding (optional) on page 124 outlines further steps you must take to enable eent forwarding and points you to instructions for configuring the Tioli Enterprise Console and OMNIbus eent serers to receie forwarded eents. Simplified persistent data store maintenance processing. The maintenance processing of the persistent datastore has been simplified. KPDPROC1 now does all the work formerly done by the maintenance job (KPDJOBC), and KPDPROC2 has been eliminated. It is no longer necessary to authorize and submit the maintenance job; howeer, because the KPDPROCC REXX procedure runs in a TSO enironment, the KPDDSCO program has to be enabled to execute as an authorized program under TSO, by adding the KPDDSCO persistent datastore module name to the SYS1.PARMLIB(IKJTSO00) under the AUTHPGM section. If you are upgrading from a preious ersion of the monitoring serer, you can remoe the KPDPROC2 member from the library. After the enironment has been completely upgraded, you can remoe any Chapter 1. Oeriew of Tioli Management Serices and the Tioli Enterprise Monitoring Serer 9

22 special RACF or ACF2 rules set up for KPDPROC2. See the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for further information. Sample VSAM refresh jobs. The Tioli Enterprise Monitoring Serer configuration now generates two sample VSAM jobs: KDSDVSRN and KDSVSRF. The KDSDVSRF job deletes all the &rhile.&rte.rkds* and &rhile.&rte.rkms* monitoring serer VSAM libraries, and allocates and initializes a new set. This job is useful if you must reinitialize a remote monitoring serer or conert a hub monitoring serer to a remote. Important: Use the KDSDVSRF job with caution. It deletes all monitoring serer VSAM libraries. The KDSDVSRN job renames the original VSAM libraries. If you prefer to rename the original VSAM libraries instead of deleting them, use the KDSDVSRN job to rename the original libraries before you submit the KDSDVSRF job. The monitoring serer must be stopped before you run either job. New libraries and started task DDNAMEs. A number of new runtime libraries support new features of the monitoring serer on z/os, and corresponding DDNAMEs are added to the monitoring serer started task. Table 1 lists the new libraries and DDNAMEs. Table 1. New monitoring serer runtime libraries and started task DDNAMEs DDNAME Library suffix Description VSAM or non-vsam Hub, remote, or both DSEVT RKDSEVT EIF eent PDSE Non-VSAM Hub QA1CSPRD RKDSSPRD Role security VSAM Both QA1CSPRR RKDSSPRR Role security VSAM Both QA1DCALE RKDSCALE Dynamic threshold VSAM Both QA1DCONP RKDSCONP Configuration properties VSAM Both QA1DCPRM RKDSCPRM Deploy asynchronous command VSAM Both configuration parameter QA1DDYST RKDSDYST Deploy asynchronous command VSAM Both status QA1DEPRM RKDSEPRM Deploy asynchronous command VSAM Both execution parameter QA1DGRPA RKDSGRPA TGROUP group VSAM Both QA1DGRPI RKDSGRPI TGROUPI indiidual group VSAM Both QA1DNAME RKDSNAME Long name alias VSAM Both QA1DOVRD RKDSOVRD Dynamic threshold VSAM Both QA1DOVRI RKDSOVRI Dynamic threshold VSAM Both QA1DBUNG RKDSBUNG Bundle group member VSAM Hub QA1DEVMP RKDSEVMP EIF eent mapping VSAM Hub QA1DEVSR RKDSEVSR EIF eent VSAM Hub QA1DGRPB RKDSGRPB TGROUP group VSAM Hub QA1DGRPC RKDSGRPC TGROUPI indiidual group VSAM Hub QA1DPYMR RKDSPYMR Deploy group member VSAM Hub QA1DAPPL &&rhile.&&rte. RKDSAPPL VSAM library for the self-describing agents' application properties VSAM Both The new libraries are allocated as part of the runtime enironment build job in a new enironment or as part of the Tioli Enterprise Monitoring Serer upgrade job. Reconnect after TCP/IP recycle. This setting allows the monitoring serer address space to reconnect to its TCP/IP stack without being recycled after the stack is recycled. 10 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

23 Default TCP/IP started task name. Sets the default TCP/IP started task name to a wildcard * (asterisk) for new runtime enironments. This default, which uses the first TCP/IP stack that was started, is suitable if the LPAR contains a single TCP/IP stack. If the LPAR contains more than one TCP/IP stack, you can specify the started task name of the TCP/IP stack you want to use, or you can specify the number sign (#), which is translated to a blank and allows the TCP/IP enironment to choose the stack to use, either through TCP/IP definitions or through the use of the SYSTCPD DD statement. If the IP domain name resolution is not fully configured on the z/os system, you must specify the SYSTCPD DDNAME in the started task for each monitoring serer and monitoring agent. For further information, see "Decision 5: how to set up communications between components" in the "Planning your deployment" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Network interface support. If your site runs more than one TCP/IP interface or network adapter on the same z/os image, you can indicate the specific local network interfaces to be used by monitoring serers and monitoring agents on z/os. For further information, see "Decision 5: how to set up communications between components" in the "Planning your deployment" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Chapter 1. Oeriew of Tioli Management Serices and the Tioli Enterprise Monitoring Serer 11

24 12 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

25 Chapter 2. Planning your deployment The information in this chapter is intended to help you plan a first-time deployment. If you are upgrading your monitoring serers on z/os from a preious ersion, follow the instructions in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Upgrade Guide. For a first-time deployment, reiew the prerequisites and make the planning decisions described in Part 1 of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Then make the planning decisions described in this chapter: Decision 1: What kinds of monitoring serers to configure Decision 2: Whether and how to enable eent forwarding on page 22 Decision 1: What kinds of monitoring serers to configure The hub monitoring serer is the focal point for the entire monitoring enironment. This serer is under a significant load. Work on the hub includes communicating with remote monitoring serers, with the Tioli Enterprise Portal Serer, and with local monitoring agents; authenticating users; consolidating and distributing data; storing and tracking situations and policies; and initiating and tracking all generated Take Action commands. Place the hub monitoring serer inside the data center on a high-performance network. Connectiity between the hub monitoring serer and the portal serer and between the hub and remote monitoring serers must be fast and reliable. Remote monitoring serers communicate only with the monitoring agents that report to them and with the hub monitoring serer to which they report. Note that a remote monitoring serer is remote with respect to the hub monitoring serer, not necessarily with respect to the monitoring agents. If monitoring agents are installed on the same system as a remote monitoring serer, that monitoring serer is local to the monitoring agents but remote to the hub. The load on remote monitoring serers is typically low. Load is drien higher if historical data collection is performed on the monitoring serers instead of on the monitoring agents. You can install monitoring serers on z/os, Windows, and some UNIX and Linux systems. See IBM Tioli Monitoring: Installation and Setup Guide for a complete list of supported platforms. See the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for considerations in deciding where to place hub and remote monitoring serers, for information about monitoring serer names, and for planning information for the SOAP serer. Whether to configure a high-aailability hub on z/os An operational hub monitoring serer is essential to a monitoring enironment. If the hub monitoring serer address space fails, or if the system on which the hub is installed has a planned or unplanned outage, the flow of monitoring data comes to a halt. Therefore, it is important to restart the hub or moe it to another system as quickly as possible. You can configure a high-aailability hub monitoring serer in any sysplex enironment with dynamic irtual IP addressing (DVIPA) and shared DASD. A high-aailability hub is configured in its own runtime enironment, without any monitoring agents, and can be configured on the same LPAR with a remote monitoring serer. This configuration allows the hub monitoring serer to be relocated to any suitable LPAR in the sysplex with no changes, and with minimal disruption to the components connecting to the hub. Copyright IBM Corp. 2005,

26 If you hae purchased the Tioli System Automation for z/os product, you can automate the relocation of the hub. To find instructions, search for automating a high aailability hub on the Integrated Serice Management Library website. The high-aailability hub on z/os has the following requirements: It must be configured in a sysplex. It must hae a dynamic irtual IP address (DVIPA), so it can respond to the same IP address on any LPAR in the sysplex. It must be configured stand-alone (in its own runtime enironment without monitoring agents). Its runtime libraries must be stored on shared DASD, so that the hub can start on any LPAR in the sysplex without requiring replication of the libraries. Its runtime enironment cannot use system ariables. The hub is not defined to run on any specific system, and it retains the same parameter alues on any system in the sysplex. Tip: If your enironment fulfills the requirements for a high-aailability hub, it is a good idea to configure one. Before you begin configuring the high-aailability hub, create an application-instance-specific (priate) dynamic irtual IP address, and define it to DNS as a new name (for example, OMEGAHUB). For instructions on configuring a high-aailability hub on z/os if you are configuring components and products for the first time, see Chapter 3, Configuring a high-aailability hub and the remote monitoring serers that report to it, on page 27. For instructions on modifying an existing configuration to accommodate a high-aailability hub, search for high-aailability hub on the Integrated Serice Management Library website. For instructions on configuring a high-aailability hub on a distributed system, see the IBM Tioli Monitoring: High-Aailability Guide for Distributed Systems. How many remote monitoring serers to configure If possible, place a remote monitoring serer on eery z/os system where you are installing monitoring agents. In fact, two monitoring agents (OMEGAMON XE on z/os and OMEGAMON XE for Storage on z/os) require that you configure them in the same address space as a hub or remote monitoring serer. For adice about placing remote monitoring serers on distributed systems, see IBM Tioli Monitoring: Installation and Setup Guide. 14 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

27 Tips A remote monitoring serer can report to a high-aailability hub on the same LPAR. If the hub is not a high-aailability hub, it cannot be on the same LPAR as any of the remote monitoring serers that report to it and that are configured to use any TCP/IP protocol. If more than one remote monitoring serer is configured in a z/os image and if a TCP/IP protocol is being used for communication, the hub to which each remote monitoring serer reports must hae a unique port number. Otherwise, connectiity problems are likely. If more than one hub is configured in a z/os image, each hub must hae a unique port number for any nonsecure TCP/IP protocols being used and a unique port number for any secure TCP/IP protocols being used. For information about port number allocation, see the "Port number assignments" section of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. If a remote monitoring serer is to communicate with any monitoring agents that require SNA, the remote monitoring serer must be configured for SNA communications. Examples of such monitoring agents include OMEGAMON XE on z/os (for the EPILOG facility of the OMEGAMON II component) and OMEGAMON XE for Messaging on z/os (for the 3270 interface component). See the product-specific configuration guides for further information about SNA requirements. Whether to enable the self-describing agents capability The self-describing agents enhancement is intended to reduce the time you spend getting the common components of Tioli Management Serices and the monitoring agents that use them up and running, as well as the time and cost of maintaining Tioli Monitoring products and components once you hae them running. In addition, self-describing agents make it unnecessary for you to bring Tioli Monitoring components down and then back up so these newly installed or upgraded agents can be recognized; this can sae your site significant wasted monitoring productiity. As of Version 6.2.3, the application data necessary for the Tioli Enterprise Monitoring Serer to recognize and process data from a distributed agent need no longer be "seeded" at installation into the agent's local monitoring serer and then replicated out to the hub monitoring serer and all other Tioli Management Serices components that require it (such as the Tioli Enterprise Portal Serer and the Tioli Data Warehouse). Instead, this application support data can now be automatically replicated from the agent to its local monitoring serer wheneer the agent starts up. Thus, it is also no longer necessary that you follow each seeding step by restarting all affected Tioli Management Serices components so they can recognize and process data generated by these newly installed or upgraded agents. After you actiate the self-describing agents capability, application support is automatically refreshed wheneer a newer ersion of a self-describing agent is detected. Also, components need not be recycled eery time an update is applied (similarly, its situations, policies, and actiities are automatically redistributed and restarted), nor is it necessary each time a newly updated agent connects to its monitoring serer each update is seeded once and only once. This means you need not interrupt your enterprise monitoring wheneer you add a new self-describing agent or update an existing agent. This enhancement also means that no mainframe agents' application data need be stored on distributed systems. All updates are logged for auditing purposes. If the hub monitoring serer is eer brought down, self-describing capabilities are terminated until it is brought back online. The self-describing agents capability can be selectiely disabled on the Tioli Enterprise Monitoring Serer running on z/os, and is initially disabled when installing a hub Tioli Enterprise Monitoring Serer. It is initially enabled for remote monitoring serers; this effectiely disables support for all self-describing agents Chapter 2. Planning your deployment 15

28 connected to either the hub or one of its remotes. Thus, enabling the self-description capability requires only that you enable it at the hub monitoring serer, as shown in this example. Example of actiating self-describing agents at the hub and its three remotes Your site has defined one hub monitoring serer named HUBTEMS and three remote monitoring serers, RTEMS1, RTEMS2, and RTEMS3, that report to it. You hae not yet touched the self-describing capabilities at any of these monitoring serers; thus, their initial enironment is as follows: Self-describing agents are initially turned on at all three remote monitoring serers but turned off at the hub monitoring serer. Since self-describing agents are turned off at the hub, their self-describing capabilities are effectiely turned off eerywhere, regardless of which monitoring serer they actually connect to. Turning on the agents' self-describing capabilities requires only that you turn it on at the hub, HUBTEMS. 16 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

29 Note about Jaa usage and USS Once your site actiates self-describing agents on a hub Tioli Enterprise Monitoring Serer, the monitoring serer must hae access to a Jaa Runtime Enironment running under IBM's 31-bit or 64-bit Jaa SDK Version 5 (or higher) and an HFS or zfs file system accessed through UNIX System Serices (USS). The self-describing agent function stores the application support packages in the USS file system and then inokes the Jaa jar command to extract the files from the application support packages stored there. Since IBM's Jaa runs on z/os under UNIX System Serices (USS), this also means USS must be aailable with ~50MB of working space. If your enironment has more than agent types, see the hardware and software requirements section of the IBM Tioli Monitoring: Installation and Setup Guide for more details on the storage requirements. When using the self-describing agents feature on a Tioli Enterprise Monitoring Serer running on z/os, ICAT requests that you supply the UNIX System Serices (USS) directory where Jaa is installed. The alue you supply gets set as the TEMS_JAVA_BINPATH statement in the KDSDPROF file, which is created in the monitoring serer's USS support directory. When a ersion monitoring serer running on z/os installs a self-describing agent, it prepends the TEMS_JAVA_BINPATH alue to the default USS PATH setting so it can locate the Jaa /bin directory where the jar utility resides. The jar utility is required to extract the files from the application support packages that were uploaded from the agent. You must ensure that there isn't an older or inconsistent ersion of Jaa still left oer in the default USS PATH or LIBPATH libraries, because the older Jaa binaries may conflict with the Jaa binaries in the directory you supplied to ICAT. For example, the default LIBPATH on most USS systems is LIBPATH=/lib:/usr/lib:. Because this specification contains no Jaa binary directories, it won't conflict with the TEMS_JAVA_BINPATH setting, and so the TEMS-inoked jar utility should run successfully. But if there is a LIBPATH setting that includes a Jaa directory with a different ersion of Jaa than you specified to ICAT, it could cause the self-describing function to fail when it calls the jar utility. This occurs because the TEMS_JAVA_BINPATH alue specifying one Jaa ersion has been prepended to the PATH setting, with a different Jaa ersion specified in LIBPATH. If these are incompatible Jaa ersions, the jar utility cannot work correctly. To resole this problem, update the default USS LIBPATH setting so that it either omits the Jaa directory or specifies a directory at the same Jaa leel as that proided to ICAT. IBM recommends that, if the jar utility inoked by the monitoring serer fails to complete successfully, you erify that there isn't an inconsistent leel of Jaa specified in the default USS PATH or LIBPATH setting that may be causing a binary incompatibility. Whether to enable the auditing function The auditing function allows you to capture significant eents occurring in your site's IBM Tioli Monitoring enironment and record them in permanent storage for later retrieal and analysis. Each audit record fully describes some eent that has changed the state of your Tioli Monitoring system: authorization and authentication failures (such as those that allow or disallow the execution of Take Action commands), and major and minor state changes (though they do not reflect the minor serice messages stored in the RAS logs). Platforms coered include Windows, UNIX/Linux, i5/os, and z/os. The records stored are compatible with those created by Tioli Business Serice Manager. These new auditing and logging records can be stored in the Tioli Data Warehouse. Standard reports are proided ia the Tioli Common Reporting feature. In addition, the Tioli Enterprise Portal Managed System Lists workspace (within the Enterprise icon) enables you to iew auditing and logging records online; see the IBM Tioli Monitoring: Tioli Enterprise Portal User's Guide for information. Chapter 2. Planning your deployment 17

30 Initially the auditing function is turned off by default on all Tioli Management Serices nodes. On z/os, the auditing facility optionally creates and stores Systems Management Facility format (SMF) type-112 records, coded in UTF8 and included in a common repository (the SYS1.MANn data sets) with all other z/os eent data. Note that SMF type-112 records are disabled by default in the SYS1.PARMLIB(SMFPRMxx) member. To display the current SMFPRMxx settings, inoke the z/os console command D SMF. For complete information on the syntax of this console command, including how you check which records are enabled for recording and how you dynamically change these settings, consult the z/os System Management Facilities document and the MVS System Commands reference. At this release, the auditing data written coers the new self-describing agents (including their auto-refresh feature), actions of the Warehouse Proxy Agent, successful and failed automation-command actions (for example, the inocation of Take Action commands), and IBM Tioli Monitoring's integration with Tioli Application Dependency Discoery Manager. Enironment ariables that control the auditing function There are two enironment ariables that affect the auditing function when running on a z/os-based Tioli Enterprise Monitoring Serer: AUDIT_TRACE The auditing facility supports three leels of tracing: setting result Minimum Records major changes to the product state such as authorization failure, new connections to the monitoring serer or the portal serer, or failed user login attempts. Basic Records any actions that modify objects or cause an access failure, such as attempts to modify monitoring serer entities like situations and Take Action commands. This is the default tracing leel. Detail Records all authorization requests, whether successful or failed, such as all successful logins and all modifications to entities such as Take Action commands. Disabled Disables the auditing function. AUDIT_SMF z/os only. Controls the writing of auditing records to the System Management Facility. setting result Disabled Preents the creation of SMF records while still allowing IBM Tioli Monitoring audit data to be recorded in the Tioli Data Warehouse and for reporting purposes. Enabled Both SMF and warehouse audit records get written. This is the default for SMF recording. Note: The AUDIT_SMF parameter is not exposed in either the PARMGEN or the ICAT configuration methods. To access this parameter and reset its alue, use the Specify Nonstandard Parameters screen; see IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for details. Setting the trace leel to Basic or Detail might require you to enlarge your SYS1.MANn data sets or to increase the frequency with which you offload Tioli Monitoring audit data to your SMF archies. If you do not want to record Tioli Monitoring eents, you can disable SMF audit records (AUDIT_SMF=Disabled) and thereby eliminate the storage requirements and I/O oerhead necessary when writing SMF records. 18 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

31 SMF recording of audit records You can configure the Tioli Enterprise Monitoring Serer running on z/os to write audit records to the z/os System Management Facility (SMF). This enables you to use SMF to integrate Tioli Monitoring eents with the eent data recorded by other products and components that run on your z/os system: you can extract Tioli Monitoring audit record data from SMF data sets (or from the archies of such data sets) for analysis of performance or resource utilization, and for alidation of security eents (authorization and authentication). SMF proides facilities that let you suppress recording of SMF records by record types, eent types (listed in Table 2 as record subtypes), and product codes (known as subsystem IDs, or SSIs). Table 2. SMF type-112 record subtypes SMF 112 subtype Eent type category 32 (0x20) permission checking 33 (0x21) object maintenance 34 (0x22) security maintenance 35 (0x23) system administration 36 (0x24) authorization alidation 37 (0x25) contextual eent (0x26 through 0x2f) resered SMF record 112 subtypes (0x20 through 0x25) share a common, fixed header format followed by a ariable-length field of up to 8,912 bytes that contains XML-encoded eent data, as shown in Table 3. Table 3. SMF record 112 format Name Assembler name Type Length Offset Description smf112len SMF112LEN Binary (unsigned short) smf112seg SMF112SEG Binary (unsigned short) 2 0 Record length (RDW1). Maximum size This field and the next (total of four bytes) form the record descriptor word (RDW). The first two bytes (this field) must contain the logical record length including the RDW1 field. The second two bytes (the following field) are used for ariable-block, spanned records. If the record is not spanned, set these two bytes to hexadecimal zeros. 2 2 (0x02) Segment descriptor (RDW2); see smf112len field aboe. Chapter 2. Planning your deployment 19

32 Table 3. SMF record 112 format (continued) Name Assembler name Type Length Offset Description smf112flg #defined constants: FLGSTY FLGSP4 FLGSP3 FLGSP2 FLGVS2 SMF112FLG predefined EQU constants: FLGSTY FLGSP4 FLGSP3 FLGSP2 FLGVS2 Binary (unsigned char) predefined alues: 0x40 0x10 0x08 0x04 0x (0x04) Header flag byte. Contains the system indicator bits. Bit Meaning when set 0 Resered. 1 Subtypes are alid. 2 Resered. 3 MVS/SP Version 4 and aboe. Bits 3, 4, 5, and 6 are on. Note: IBM recommends you use record type 30 to obtain the MVS product leel. 4 MVS/SP Version 3. Bits 4, 5, and 6 are on. 5 MVS/SP Version 2. Bits 5 and 6 are on. 6 VS2. Bit 6 is on. 7 Resered. smf112rty #defined constants: RTY112 SMF112RTY predefined EQU constants: RTY112 Binary (unsigned char) predefined alues: 112 (0x40) smf112tme SMF112TME Binary (unsigned int) smf112dte SMF112DTE Packed Decimal (char [4]) smf112sid SMF112SID Char (char [4]) smf112ssi SMF112SSI Char (char [4]) System indicator bits are automatically set when the record is written. 1 5 (0x05) Record type (hexadecimal alues are 0-FF). Record type 112 (0x70) for this record type. 4 6 (0x06) Time since midnight, in hundredths of a second, that the record was moed into the SMF buffer (0x0A) Date when the record was moed into the SMF buffer, in the form 00yydddF or 0cyydddF (where c is 0 for 19xx and 1 for 20xx, yy is the current year (0-99), ddd is the current day (1-366), and F is the sign) (0x0E) System identification (also known as the SMFID) (0x12) Subsystem ID (OMEGAMON product code). This field is a four-byte character alue set by the SUBSYS=option keyword specified to SMF. Refer to member RKANSAM(KOLSSI) for a partial list of product codes. 20 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

33 Table 3. SMF record 112 format (continued) Name Assembler name Type Length Offset Description smf112sty #defined constants: STY_EVENT_CHECKING STY_EVENT_OBJMAINT STY_EVENT_SECMAINT STY_EVENT_SYSADMIN STY_EVENT_ACTION SMF112STY predefined EQU constants: STY_EVENT_CHECKING STY_EVENT_OBJMAINT STY_EVENT_SECMAINT STY_EVENT_SYSADMIN STY_EVENT_ACTION Halfword (unsigned short) predefined alues: 32 (0x20) 33 (0x21) 34 (0x22) 35 (0x23) 36 (0x24) STY_EVENT_VALIDATE STY_EVENT_VALIDATE 37 (0x25) ai_er #defined constants: AICVER AIVER predefined EQU constants: AICVER Fullword (unsigned long) predefined alues: 1 ai_jname AIJNAME Char (char [8]) ai_asid AIASID Halfword (unsigned short) ai_eent_len AIEVENTLEN Halfword (unsigned short) ai_eent_info AIEVENTINFO Char (char [8192]) 2 22 (0x16) Record subtype (0x20-0x25): Permission Checking eent Object Maintenance eent Security Maintenance eent System Administration eent Authorization Validation eent Contextual eent 4 24 (0x18) Audit information ersion. This release is (0x1c) Name of the address space issuing this SMF record (0x24) ID of the address space issuing this SMF record (0x26) Length of the null-terminated string in ai_eent_info, including the null terminator. Smallest length is 1 for a null string (0x28) A null-terminated string containing the audit eent data encoded in XML. The maximum length of this field is 8192 bytes, but the actual length is specified by ai_eent_len. The contents of the field depend on the record subtype, which is directly associated with the Eent Type Category for this record. Refer to Table 2 on page 19 for further information. In addition, your site can write its own exits that programmatically decide which records are suppressed; see the z/os System Management Facilities reference for details. Chapter 2. Planning your deployment 21

34 The following sample Tioli Monitoring RKANSAM library members are proided to assist you in extracting data from arious subtypes of type-112 records: Member KOLSMFA KOLSMFC KOLSMFCX KOLSMFCC KOLSMFS KOLSMFSX KOLSMFSC KOLSSI Contents Record format as an assembler language DSECT. Record format as a C typedef. Sample program to extract and print the contents of IBM Tioli Monitoring SMF records. Sample JCL to compile RKANSAM(KOLSMFCX). Record format as a SAS DATA statement. Sample SAS program to extract and print the contents of Tioli Monitoring SMF records. Sample JCL to run RKANSAM(KOLSMFSX). Partial list of product codes (SSIs) mapped to Tioli product names. Additional reference material is proided on the Tools DVD in the XML directory: see either kolddtd.samplib or the copy in the runtime enironment's RKANSAM library, member KOLDDT. This DTD (document type definition) contains XML metadata that describes each XML record's constituent fields and their contents. Decision 2: Whether and how to enable eent forwarding If you use either the Tioli Enterprise Console or Netcool/OMNIbus product, in addition to the Tioli Enterprise Portal, to manage eents in your enterprise, you can configure a z/os hub monitoring serer to forward situation eents to these eent serers for correlation and management. The hub monitoring serer uses a Situation Eent Forwarder component. The Eent Forwarder maps situation eents to Tioli Eent Integration Facility (EIF) eents and uses the EIF interface to send the eents to a Tioli Enterprise Console eent serer or to an OMNIbus EIF probe (the EIF receiers). The eent receiers receie the forwarded eents, and expand and format the eents for the eent serers. On the Tioli Enterprise Console or OMNIbus console, users can iew, acknowledge, or reset situation eents. The updated situation status is returned to the originating hub monitoring serer and reflected in the Tioli Enterprise Console or OMNIbus console. The EIF is an application programming interface (API) that external applications can use to create, send, or receie eents. These eents are in the same format as Tioli Enterprise Console eents and are referred to as either EIF eents or TEC/EIF eents. For complete information about EIF, see the IBM Tioli Enterprise Console Eent Integration Facility Reference. IntheIBM Tioli Monitoring: Administrator's Guide, the section "Customizing eent integration with Tioli Enterprise Console" discusses the mapping of situation eents to Tioli Enterprise Console eents; and the section "Customizing eent integration with Tioli Netcool/OMNIbus" discusses the mapping of situation eents to OMNIbus eents. In addition to using the Configuration Tool to enable EIF forwarding and to specify the default destination serer, the following tasks must be completed outside the Configuration Tool to implement situation eent forwarding: The destination eent serer or serers must be configured to receie the eents. A situation update forwarding process (the eent synchronization component) must be installed on the eent receiers. For situation eents forwarded to the Tioli Enterprise Console: The.baroc files for the monitoring agents reporting to the hub must be installed and imported on the Tioli Enterprise Console serer, and the rule base must be updated. If any distributed agents report either directly or indirectly (through a distributed remote monitoring serer) to a z/os hub, map and resource files for each monitoring agent must be transferred from a 22 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

35 hub monitoring serer on a Windows, Linux, or UNIX system to the RKANDATV library of the runtime enironment that contains the hub monitoring serer on z/os. See Map,.baroc, and resource files on page 125 for details. If z/os agents report to a z/os hub monitoring serer in another CSI, their map files must be copied to the RKANDATV library of the runtime enironment that contains the hub. The section on "Integrating eent management systems" in the IBM Tioli Monitoring: Installation and Setup Guide proides detailed instructions for configuring the Tioli Enterprise Console and OMNIbus to receie forwarded eents, including installing the eent synchronization component and the.baroc files. Tip: If you already hae workflow policies containing emitter actiities that send eents to the Tioli Enterprise Console, turning on EIF eent forwarding results in duplicate eents. You can deactiate the emitter actiities within policies by selecting Disable Workflow Policy/Tioli Emitter Agent Eent Forwarding when you configure the monitoring serer. Howeer, it is likely that the policies inoking the Tioli Enterprise Console emitter are doing little else. If you deactiate these actiities, there is no point in running the policies. You might want to delete policies that are no longer required, instead of disabling them. If situation eent forwarding is enabled, by default all situation eents are forwarded to the EIF destinations defined when you configured the monitoring serer. Howeer, you can configure additional EIF receiers and selectiely forward situation eents to different destinations by using the EIF tab of the Tioli Enterprise Portal Situation editor. You can also use the EIF tab to assign a Tioli Enterprise Console or OMNIbus seerity to a situation. The seerity of EIF eents is deried from the situation name. The seerity is determined as follows: If the suffix of the situation name is either _Warn or _Warning, the EIF eent seerity is set to WARNING. If the suffix is either _Crit or _Critical, the seerity is set to CRITICAL. If the seerity cannot be determined from the suffix, a seerity of UNKNOWN is assumed. You might hae to use the EIF tab to set the seerity for situations that display in the Tioli Enterprise Console or OMNIbus console with a seerity of UNKNOWN. See the IBM Tioli Monitoring: Tioli Enterprise Portal User's Guide for instructions on using the Situation editor to assign a situation seerity. Chapter 2. Planning your deployment 23

36 24 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

37 Part 2. Configuring hub and remote monitoring serers on z/os The chapters in this part of Configuring the Tioli Enterprise Monitoring Serer on z/os gie instructions for configuring the monitoring serer. Naigation tips If you are upgrading a monitoring serer on z/os from a preious ersion, follow the instructions in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Upgrade Guide. For a first-time configuration, follow this path: 1. Follow the instructions in Part 2 of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. 2. For a hub monitoring serer on z/os, follow the instructions in one of the following chapters: To configure a high-aailability hub on z/os and the remote monitoring serers on z/os that report to it, follow the instructions in Chapter 3, Configuring a high-aailability hub and the remote monitoring serers that report to it, on page 27. To configure a hub monitoring serer in a z/os enironment that does not support the high-aailability hub, follow the instructions in Chapter 4, Configuring the hub monitoring serer and monitoring agents in the same runtime enironment, on page To configure any additional remote monitoring serers, follow the instructions in one of the following locations: To configure a remote monitoring serer on z/os to report to a hub on a Linux, UNIX, or Windows system, follow the instructions in Chapter 5, Configuring a remote monitoring serer on z/os to report to a distributed hub, on page 99. To configure a remote monitoring serer on a distributed system to report to a z/os hub, follow the instructions in the IBM Tioli Monitoring: Installation and Setup Guide. 4. Go on to Part 3, Post-configuration procedures, on page 117. Note to PARMGEN users: If after haing built a static hub monitoring serer on z/os you decide to conert it to a remote monitoring serer, a scenario that describes this process, Scenario PGN04: clone an existing enironment but conert its hub monitoring serer to a remote", is proided in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: PARMGEN Reference. Copyright IBM Corp. 2005,

38 26 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

39 Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it The first monitoring serer you configure must be a hub. If your enironment supports the requirements for a high-aailability hub, there are important adantages to configuring one. (See Whether to configure a high-aailability hub on z/os on page 13.) This chapter explains how to configure a high-aailability hub monitoring serer on z/os and then how to configure remote monitoring serers on z/os to report to it. Figure 2. High-aailability hub monitoring serer and its connections The configuration shown in Figure 2 depicts the high-aailability hub monitoring serer connected to a remote monitoring serer on the same LPAR, to remote monitoring serers on other LPARs, to remote monitoring serers on distributed systems, and to the portal serer. This configuration is resilient and efficient: resilient because the high-aailability hub can be relocated to any LPAR in the sysplex with minimal disruption to the other components, and efficient because the remote monitoring serer on the same LPAR as the hub handles all communications with the monitoring agents and thus reduces the load on the hub. Tip: The high-aailability hub is the only type of hub that can be on the same LPAR with a remote monitoring serer that reports to it. See Decision 1: What kinds of monitoring serers to configure on page 13 PARMGEN method Complete these steps to configure a runtime enironment for the high-aailability hub and another runtime enironment on the same LPAR for a remote monitoring serer. Step 1. Create and configure a runtime enironment for the high-aailability hub Follow the steps in "Scenario PGN03: perform a pristine install of a high-aailability hub monitoring serer" of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: PARMGEN Reference to create a runtime enironment for the high-aailability hub. Also refer to the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Parameter Reference for information about the parameters in the configuration profile. The configuration profile is the &rhile.&rte.wconfig(&rte) member. Copyright IBM Corp. 2005,

40 Tips The parameters shown in this section are specific to the high-aailability hub but are not the only parameters for which you must either accept or oerride the default alues in the configuration profile for the runtime enironment. After you set the parameters shown here, be sure to go through the entire configuration profile to make sure the parameter alues are correct for the configuration you want. The parameters with names beginning KDS_HUB are not parameters for the hub monitoring serer; they are parameters for remote monitoring serers. Be sure to uncomment any parameters that are needed for your configuration but are commented out by default. For example, if you intend to configure OMEGAMON XE for CICS on z/os and OMEGAMON XE on z/os to report to the high-aailability hub, uncomment this line of the configuration profile by remoing the two asterisks (**) from the beginning of the line: Before: **KDS_TEMS_HA_INCLUDE_KM5 "Y" * OMXE on z/os Agent After: KDS_TEMS_HA_INCLUDE_KM5 "Y" * OMXE on z/os Agent Be sure to set the following parameter alues for the high-aailability hub in the configuration profile: * Tioli Enterprise Monitoring Serer: KDS flag CONFIGURE_TEMS_KDS "Y" ** (Optional) z/os System Variable setting: ** Specify "Y" if you are using symbolics as parameter alues. RTE_SYSV_SYSVAR_FLAG N ** Tioli Enterprise Monitoring Serer (TEMS) flag and CMS_NODEID name: RTE_TEMS_CONFIGURED_FLAG Y RTE_TEMS_NAME_NODEID "rte_name:cms" ** TEMS configuration alues: KDS_TEMS_TYPE HUB ** Begin - High Aailability (HA) Hub TEMS section: ** High Aailability (HA) Hub TEMS alues: ** Note: Specify "HA" if you want to enable this Hub TEMS for High ** Aailability support: KDS_TEMS_HA_TYPE "HA" The following additional requirements also apply to the high-aailability hub configuration: KDS_TEMS_COMM_PROTOCOLn parameter At least one of the alues must be IPPIPE, IP6PIPE, IPSPIPE, orip6spipe. For more information about the communication protocols, see "Decision 5: How to set up communications between components" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. KDS_TEMS_TCP_HOST parameter The alue must be the application-instance-specific (priate) dynamic irtual IP address you hae defined to the Domain Name Serer (DNS). KDS_TEMS_TCP_KDEB_INTERFACELIST parameter The alue must be!dipa_hostname, where dipa_hostname is the priate DVIPA name set for the KDS_TEMS_TCP_HOST parameter. This setting ensures that the high-aailability hub is restricted to its priate DVIPA address and cannot interfere with the remote monitoring serer configured on the same LPAR. 28 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

41 KDS_TEMS_VIRTUAL_IP_ADDRESS parameter The alue must be D (for DVIPA). Many other KDS_* parameters are needed for the hub monitoring serer configuration. See the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Parameter Reference for information about them. After you finish customizing the configuration profile, go on to "Step 3. Submit batch jobs to complete the PARMGEN setup" in the "Configuring products with the PARMGEN method" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Configuring the monitoring serer to support encryption/decryption To actiate ICSF encryption/decryption within your newly configured high-aailability hub monitoring serer using the PARMGEN configuration method, locate these lines in the configuration profile for the runtime enironment of the monitoring serer:: ** GBL_DSN_CSF_* ICSF system libraries: GBL_DSN_CSF_SCSFMOD0 "CSF.SCSFMOD0" ** TMS KAES256 password encryption key: **KDS_TEMS_SECURITY_KAES256_ENCKEY "IBMTioliMonitoringEncryptionKey" Set GBL_DSN_CSF_SCSFMOD0 to the name of your site's Integrated Cryptographic Serice Facility (ICSF) library. Uncomment KDS_TEMS_SECURITY_KAES256_ENCKEY, and set it to your site's ICSF encryption key for IBM Tioli Monitoring. Once you hae set these parameters, if you enabled ICSF password encryption for your monitoring serer after creating the runtime enironment, rerun the following jobs: WCONFIG($PARSE*) File-tailoring job to recreate: WKANSAMU(KDSDKAES) Stand-alone Tioli Management Serices on z/os password encryption job, if you want a sample job that you can edit manually. WKANSAMU(KCIJPSEC) Composite security job's KAES256 step, if you want a file-tailored job. WKANSAMU(CANSDSST) Monitoring serer started task to concatenate the ICSF load library in the STEPLIB DDNAME. CANSDSST is the IBM-supplied default; set the alue to whateer you specified for the KDS_TEMS_STC parameter. WKANSAMU(KDSDKAES) or WKANSAMU(KCIJPSEC) Creates the encryption key member. WKANPARU(KAES256) or WKANSAMU(KCISYPJB) Run either WKANPARU(KAES256), the stand-alone started task procedure copy job, or WKANSAMU(KCIJPSYS), the composite system copy job that copies the modified monitoring serer started task to the system procedure library. (Optional) Configuring the monitoring serer to support self-describing agents To enable support for self-describing agents with the PARMGEN configuration method, uncomment this line in the configuration profile for the runtime enironment of the monitoring serer: **KDS_KMS_SDA "Y" * Y, N To disable support, uncomment the line and set the KDS_KMS_SDA parameter alue to "N". Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 29

42 For more information on self-describing agents, see Whether to enable the self-describing agents capability on page 15. (Optional) Configuring the monitoring serer to support the auditing feature To enable the auditing feature (see Whether to enable the auditing function on page 17) with the PARMGEN configuration method, locate these lines in the configuration profile for the runtime enironment of the monitoring serer, and uncomment them: ** Audit parameters: ** Note: ** Specify M=Minimum, B=Basic, D=Detail or X=Disabled to enable or ** disable z/os SMF output (z/secure). **KDS_AUDIT_TRACE "B" * M, B, D, or X ** Specify the maximum entries in the in-memory cache reported by ** queries. **KDS_AUDIT_MAX_HIST "100" * ** Specify an identifier that may be used to associate audit ** records. **KDS_AUDIT_ITM_DOMAIN "" Set the KDS_AUDIT_TRACE parameter to M, B, D, or X, as explained in Enironment ariables that control the auditing function on page 18. Set KDS_AUDIT_MAX_HIST to any alue from 10 to 1000, depending on the number of audit records you want kept in the in-memory cache before writing them out. To group audit records by related agents and monitoring serers, set KDS_AUDIT_ITM_DOMAIN to the name you assigned to that group. To disable auditing, set KDS_AUDIT_TRACE to "X". Step 2. Configure a remote monitoring serer to report to the high-aailability hub After you finish configuring a runtime enironment for the high-aailability hub, create a second runtime enironment on the same LPAR, and configure a remote monitoring serer to report to the high-aailability hub. Tips The parameters shown in this section are specific to a remote monitoring serer reporting to the high-aailability hub, but they are not the only parameters for which you must either accept or oerride the default alues in the configuration profile for the runtime enironment. After you set the parameters shown here, be sure to go through the entire configuration profile to make sure the parameter alues are correct for the configuration you want. Be sure to uncomment any parameters that are needed for your configuration but are commented out by default. For example, the configuration profile for a runtime enironment containing a remote monitoring serer that reports to the high-aailability hub requires the KDS_HUB_TEMS_HA_TYPE parameter, which is commented out by default. For such a configuration, you must uncomment this parameter and insert HA between the quotation marks for the parameter alue. Before: **KDS_HUB_TEMS_HA_TYPE "" After: KDS_HUB_TEMS_HA_TYPE "HA" In the configuration profile of the second runtime enironment, set the following parameter alues for the remote monitoring serer: 30 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

43 ** Tioli Enterprise Monitoring Serer (TEMS) flag and CMS_NODEID name: RTE_TEMS_CONFIGURED_FLAG Y RTE_TEMS_NAME_NODEID "remote_rte_name:cms" ** TEMS configuration alues: KDS_TEMS_TYPE REMOTE ** If the TEMS is a Remote, uncomment the KDS_HUB_* parameters ** and specify the Hub alues accordingly: KDS_HUB_TEMS_NAME_NODEID "ha_hub_rte_name:cms" ** If the TEMS is a Remote and its Hub TEMS is enabled for ** High Aailability (HA) support (specify "HA"): KDS_HUB_TEMS_HA_TYPE "HA" The following additional requirements also apply to the remote monitoring serer configuration: KDS_TEMS_COMM_PROTOCOLn parameter At least one of the communication protocols must be the same as a protocol selected for the high-aailability hub. Een though the high-aailability hub does not use the SNA protocol, you can set SNA as one of the communication protocols for the remote monitoring serer reporting to the high-aailability hub, if you need this protocol for any monitoring agents that will report to the remote monitoring serer. For more information about the communication protocols, see "Decision 5: How to set up communications between components" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. KDS_TEMS_TCP_HOST parameter This is the TCP/IP host name (in IPV4 dotted-decimal format) of the z/os system where the remote monitoring serer is installed. KDS_HUB_TCP_HOST parameter The alue must be the application-instance-specific (priate) dynamic irtual IP address of the high-aailability hub. KDS_HUB_TCP_pipe_type_PORT_NUM The alue must be the port number of the hub for each protocol selected. KDS_TEMS_TCP_KDEB_INTERFACELIST parameter To aoid network interface conflicts, you must specify one of the following alues for a remote monitoring serer reporting to the high-aailability hub in the same sysplex:!* to force the remote monitoring serer to use only the interface associated with the default host name for the z/os image. -dipa_hostname to use any interface except the one associated with dipa_hostname. KDS_TEMS_VIRTUAL_IP_ADDRESS parameter The alue must be D (for DVIPA). Many other KDS_* parameters are needed for the hub monitoring serer configuration. See the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Parameter Reference for information about them. Step 3. Configure monitoring agents to report to the remote monitoring serer In the same configuration profile, set parameter alues for each of the products you want to include in the runtime enironment of the remote monitoring serer. Follow the instructions in each product's Planning and Configuration Guide, and use the information in each product's Parameter Reference. Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 31

44 After you finish customizing the configuration profile, go on to "Step 3. Submit batch jobs to complete the PARMGEN setup" in the "Configuring products with the PARMGEN method" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Step 4. (Optional) Replicate the remote runtime enironment Now you can replicate to other z/os systems the configured runtime enironment that contains the remote monitoring serer and its monitoring agents. Replicating the configured runtime enironment is an easy way to ensure that all your remote monitoring serers are configured to report to the high-aailability hub. Follow the instructions in the "Using the PARMGEN method to replicate a configured enironment" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Configuration Tool (ICAT) method Be sure to complete Steps 1, 2, and 3 in the "Configuring products with the Configuration Tool" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide before you begin the configuration steps in this section. Complete the following steps in order: Step 1. Add a runtime enironment Step 2. Build the runtime libraries on page 39 Step 3. Configure the high-aailability hub monitoring serer on page 39 Step 4. Configure a remote monitoring serer to report to the high-aailability hub on page 64 Step 5. Configure monitoring agents to report to the remote monitoring serer on page 76 Step 6. Load the runtime libraries on page 77 Step 1. Add a runtime enironment Complete these steps to define a runtime enironment for the high-aailability hub. 1. If the Configuration Tool is not already running, start it: EX 'shile.instlib' The Configuration Tool Main Menu is displayed, as shown in Figure 3 on page IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

45 KCIPRIM MAIN MENU Enter the number to select an option: 1 Set up work enironment 2 Install products (Optional: for file-tailored SMP/E jobs) 3 Configure products I Installation information <=== Reised S Serices and utilities Installation and Configuration Assistance Tool Version Copyright IBM Corp Licensed Material - Program Property of IBM F1=Help F3=Back Figure 3. Configuration Tool Main Menu 2. From the Configuration Tool Main Menu, enter 3 (Configure products). The Configure Products panel is displayed, as shown in Figure 4. KCIPRCM CONFIGURE PRODUCTS OPTION ===> Enter the number to select an option: 1 Select product to configure I S Configuration information Serices and utilities F1=Help F3=Back Figure 4. Configure Products panel 3. On the Configure Products panel, enter 1 (Select product to configure). The Product Selection Menu (Figure 5) lists the products aailable for configuration. KCIPPLST PRODUCT SELECTION MENU COMMAND ===> Actions: S Select product monitoring_agent_1_vn.n.n monitoring_agent_2_vn.n.n monitoring_agent_3_vn.n.n IBM Tioli Management Serices on z/os V6.2.3 monitoring_agent_4_vn.n.n monitoring_agent_5_vn.n.n Figure 5. Product Selection Menu 4. Enter S (Select) to the left of IBM Tioli Management Serices on z/os V Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 33

46 Important The high-aailability hub must be configured in its own runtime enironment, without any monitoring agents. Therefore, be sure to select IBM Tioli Management Serices on z/os V6.2.3 rather than selecting one of the monitoring agents. The Runtime Enironments (RTEs) panel (Figure 6) is displayed. KCIPRTE RUNTIME ENVIRONMENTS (RTEs) COMMAND ===> *** Current product entry selected: *** product_name Vn.n.n Actions: A Add RTE, B Build libraries, C Configure, L Load all product libraries after SMP/E, D Delete, U Update, V View alues, Z Utilities R README Table of Contents Action Name Type Sharing Description A HAHUB FULL Runtime enironment for high-aailability hub Enter=Next F1=Help F3=Back F7=Up F8=Down Figure 6. Runtime Enironments (RTEs) panel 5. On the Runtime Enironments (RTEs) panel, type A (Add RTE) in the Action field beside the first empty row, and type a name for the runtime enironment in the Name field. The runtime enironment name is a unique identifier of up to 8 characters. It is the default mid-leel qualifier of the runtime libraries. 6. Specify the type of runtime enironment being created. In this example, a Full runtime enironment is created for the high-aailability hub. For more detailed information about the aailable types of runtime enironments, see "What types of runtime enironments to set up" in the "Planning your deployment" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. 7. Type a description for this runtime enironment. The description can be any information that is useful for you and others at your site. 8. When you hae specified all required alues on the Runtime Enironments (RTEs) panel, press Enter. The Add Runtime Enironment (1 of 3) panel is displayed, as shown in Figure 7 on page IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

47 KCIPRTEA ADD RUNTIME ENVIRONMENT (1 of 3) COMMAND ===> RTE: HAHUB Type: FULL Desc: Runtime enironment for high-aailability hub Libraries High-leel Qualifier Volser Unit Storclas Mgmtclas PDSE Non-VSAM rhile olser unit N VSAM rhile olser Mid-leel qualifier ==> HAHUB JCL suffix ==> ssss Remote RTE for transport ==> N (Y, N) STC prefix ==> HAHB Runtime members analysis ==> Y (Y, N) SYSOUT class ==> X Diagnostic SYSOUT class ==> X Load optimization ==> N (Y, N) Will this RTE hae a Tioli Enterprise Monitoring Serer ==> Y (Y, N) If Y, TEMS name ==> HAHUB:CMS (Case sensitie) Copy configuration alues from RTE ==> (Optional) Enter=Next F1=Help F3=Back Figure 7. Add Runtime Enironment (1 of 3) panel The alues on the Add Runtime Enironment panels are used to allocate runtime libraries and proide configuration defaults. 9. Use the following information to complete the first Add Runtime Enironment panel. High-leel qualifier Specify the high-leel qualifiers to be used for allocating the runtime libraries. These entries are required. SMS considerations If you plan to allocate SMS-managed data sets for the runtime enironment, ensure that the following are all true: SMS is actie on the z/os image. The high-leel qualifier that you specify is eligible for SMS-managed olumes. You specify a combination of VOLSER, UNIT, STORCLAS, and MGMTCLAS parameters that is alid at your site. Because SMS can be implemented in seeral different ways, the Configuration Tool does not attempt to alidate these parameters. The data set allocation jobs use the alues you enter. Volser Specify the olume serial numbers to be used for allocating the runtime data sets. This alue is required if the runtime data sets are not managed by SMS. Unit Specify the unit name to be used for allocating the non-vsam runtime data sets. This alue is required if the runtime data sets are not managed by SMS. Storclas If the runtime data sets are to be managed by SMS, specify the SMS storage class to be used for the allocation. If your site does not require the SMS STORCLAS parameter, you can leae this field blank. Mgmtclas If the runtime data sets are to be managed by SMS, specify the SMS management class to be used for the allocation. If your site does not require the SMS MGMTCLAS parameter, you can leae this field blank. PDSE If the non-vsam data sets are to be managed by SMS, you can specify Y to allocate PDSE Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 35

48 data sets instead of PDS data sets. PDSE data sets do not require compression and are not limited by a predefined number of directory entries. The default is N. Een if you specify Y, most load module libraries are not allocated as PDSE data sets. The main exception is a load library used for the SMP/E CALLLIBS facility. Mid-leel qualifier Specify a mid-leel qualifier for runtime libraries, or accept the default (the runtime enironment name). JCL suffix Specify a unique JCL suffix, no more than 4 characters long, to identify the batch job members created in &shile.instjobs by the Configuration Tool for this runtime enironment. Check the INSTJOBS data set to ensure that the suffix is not already in use. STC prefix Specify a unique prefix to be used when generating started task procedures for this runtime enironment. For the high-aailability hub, do not accept the default alue of CANS. Specify your own unique prefix. SYSOUT class Specify the alue of the SYSOUT class for non-diagnostic output DDNAMEs, such as RKPDLOG, in generated JCL. This replaces the preiously hardcoded SYSOUT class alue. Load optimization Specify whether you want to optimize the loading of this runtime enironment, when the runtime enironment load action (L) is selected after maintenance is applied or products are reconfigured. If you specify Y, the load job has the following characteristics: Copies only modified modules from target to runtime libraries. Requires access to IBM's SuperC (ISRSUPC) utility. Uses less DASD space. Performs additional analysis, which uses more CPU processing and file I/O. If you specify N (the default), the load job has the following characteristics: Copies all members from target to runtime libraries, whether or not they were modified. Requires more DASD space. Uses less CPU time. Tip: Een if you enable load optimization, the first load operation copies all members to the runtime data sets. Load optimization takes effect on the second and subsequent load operations. Remote RTE for transport Accept the default alue of N in this field. Runtime members analysis The Configuration Tool generates configuration batch jobs for the runtime enironment and can identify user-modified data set members that each batch job will affect. If runtime members analysis is enabled, a report of user-modified members is displayed. You can also generate these reports from the RTE Utility Menu (action Z, option "Analyze user modified elements"). The default is Y. Diagnostic SYSOUT class Specify the alue of the SYSOUT class for diagnostic output DDNAMEs, such as SYSUDUMP and SYSABEND, in generated JCL. This replaces the preiously hardcoded SYSOUT class alue. The default is X. 36 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

49 Will this RTE hae a Tioli Enterprise Monitoring Serer? Specify Y (the default) to allocate libraries for the monitoring serer. Be sure to make a note of the TEMS name alue displayed here. You will hae to specify it later, when you configure the other components. The TEMS name parameter is case-sensitie on all platforms. Copy configuration alues from RTE Leae this field blank. Configuration alues for the high-aailability hub cannot be copied from another runtime enironment. 10. After you hae specified all required alues on the first Add Runtime Enironment panel, press Enter. The second Add Runtime Enironment panel is displayed, as shown in Figure 8. KCIPRTA ADD RUNTIME ENVIRONMENT (2 of 3) COMMAND ===> Use z/os system ariables? ==> N (Y, N) Use VTAM model applids? ==> N (Y, N) RTE name specification ==> &SYSNAME RTE base alias specification ==> n/a Applid prefix specification ==> K&SYSCLONE. Security system ==> NONE (RACF, ACF2, TSS, NAM, None) ACF2 macro library ==> Fold password to upper case ==> Y (Y, N) Global SAF class name ==> (ACF2 max is 3 chars.) VTAM alues are required under certain conditions. Press F1=Help: Applid prefix ==> CTD Network ID ==> Logmode table ==> KDSMTAB1 LU6.2 logmode ==> CANCTDCS If you require TCP/IP communications for this RTE, complete these alues: Hostname ==> Started task ==> (Recommended default = *) Port number ==> Enter=Next F1=Help F3=Back Figure 8. Add Runtime Enironment (2 of 3) panel The "Global SAF class name" in this panel proides security for the OMEGAMON enhanced 3270 user interface. 11. Use the following information to complete the second Add Runtime Enironment panel. Use z/os system ariables? Leae the default of N in this field. A runtime enironment for a high-aailability hub cannot use system ariables, because the hub is not defined to run on any specific system, and it retains the same parameter alues on any system in the sysplex. Security system Specify what, if any, security system is to be used for this runtime enironment. The default is NONE. If you specify a security system, erify that it is installed and configured correctly for your site. If you specify ACF2, you must also proide the name of the ACF2 macro library. Tip: Specifying a security system here indicates which system will be used for security alidation of users signing on to the Tioli Enterprise Portal, but it does not enable the alidation. Security alidation of users is enabled in a Tioli Enterprise Monitoring Serer configuration panel. For more information about configuring security, see Chapter 8, Configuring security on a monitoring serer on z/os, on page 143. Global SAF class name Specify a common System Authorization Facility (SAF) security class name for OMEGAMON enhanced 3270 user interface security controls. The alue is used in the RTE_SECURITY_CLASS parameter in the KppENV member of the RKANPARU library. If this Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 37

50 field is not specified, the RTE_SECURITY_CLASS parameter is generated as a placeholder comment in the RKANPARU(KppENV) member of components exploiting the parameter. Specify a alid SAF class name if you want to specify a alue. If you are using ACF2 as your external security resource manager, specify a maximum of three characters. Fold password to upper case By default, TMS:Engine folds logon passwords to uppercase. Howeer, RACF V1.7 and higher supports mixed-case passwords. If you want to implement mixed-case passwords and if all your monitoring agents support them (this requires application of maintenance for each monitoring agent), set this field to N. If any of your monitoring agents do not support mixed-case passwords, do not actiate the SETROPTS PASSWORD(MIXEDCASE) option in RACF and do not enable mixed-case passwords in your runtime enironments. Leae this field with the default alue Y. For more information about the MIXEDCASE option in RACF, refer to the z/os Security Serer RACF Security Administrator's Guide. For more information about the way TMS:Engine handles security, enter README SEC at the command line of any Configuration Tool panel. VTAM communication alues The high-aailability hub does not use VTAM for communication. Clear all the input fields in this section. Applid prefix Clear this field. Network ID Clear this field. Logmode table Clear this field. LU6.2 logmode Clear this field. TCP/IP communication alues The alues you specify here become the default TCP/IP alues for the monitoring serer. Hostname For the runtime enironment of the high-aailability hub, specify as the host name the application-instance-specific (priate) DVIPA name you hae defined to DNS. In the example shown, the host name is the priate DVIPA name OMEGAHUB. The host name for the runtime enironment of the high-aailability hub is a irtual system name, because the hub can run on any LPAR in the sysplex. Started task Identifies the TCP/IP stack to be used. If the LPAR contains a single TCP/IP stack, accept the default alue of an asterisk (*), which uses the first TCP/IP stack that was started. If the LPAR contains more than one TCP/IP stack, specify the started task name of the TCP/IP stack you want to use. Alternatiely, you can specify the number sign (#), which is translated to a blank and allows the TCP/IP enironment to choose the stack to use, either through TCP/IP definitions or through the use of the SYSTCPD DD statement. Tip: Whicheer method is used to select a TCP/IP stack in a multi-stack enironment, the Tioli Management Serices components continue to use that stack, een if a different stack becomes the primary stack. Therefore, in a multi-stack 38 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

51 enironment, it is best to specify the started task name of the TCP/IP stack to be used, rather than specifying a wildcard or a blank. If IP domain name resolution is not fully configured on the z/os system, the SYSTCPD DD statement is required (see (If applicable) Add support for the SYSTCPD DDNAME in the monitoring serer started task on page 119). Port number The number of the well-known port to be used for communications with the high-aailability hub. The default is (For detailed information about port number assignments, see the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide.) 12. After you hae specified all required alues on the second Add Runtime Enironment panel, press Enter. A third Add Runtime Enironment panel is displayed, as shown in Figure 9. KCIPRTA ADD RUNTIME ENVIRONMENT (3 of 3) If you require TN3270E Telnet session link support oerride, complete these alues: Hostname ==> Port number ==> LUGROUP ==> Enter=Next F1=Help F3=Back Figure 9. Add Runtime Enironment (3 of 3) panel 13. Leae the third Add Runtime Enironment panel blank. This panel does not apply to the runtime enironment of the high-aailability hub. 14. Press Enter to return to the Runtime Enironments (RTEs) panel (Figure 6 on page 34). Tip: Enter V (View alues) to erify the runtime enironment information and U (Update) to make any necessary changes. This completes the addition of the runtime enironment. You must build the runtime libraries before continuing to configure the high-aailability hub. Go on to Step 2. Build the runtime libraries. Step 2. Build the runtime libraries This step generates a batch job to allocate the required runtime libraries. 1. On the Runtime Enironments (RTEs) panel, type B to the left of the name of the runtime enironment, and press Enter. The JCL to allocate the runtime libraries is displayed. 2. Reiew the JCL, edit if necessary, and submit the DS#1ssss job. 3. Verify that the job completes successfully. Expect to receie a return code of zero. If you do not, check the log to diagnose errors, and then rerun the job. 4. Press F3 (Back) to return to the Runtime Enironments (RTEs) panel. Step 3. Configure the high-aailability hub monitoring serer To configure the high-aailability hub, perform the following tasks in order: 1. Begin the configuration on page Specify configuration alues on page 40. Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 39

52 3. Specify communication protocols on page (Optional) Enable the self-describing agent capability on page Create the runtime members on page Configure the persistent datastore on page Prepare to complete the configuration of the persistent datastore and monitoring serer on page Load the runtime libraries on page 63. Begin the configuration Perform the following steps to begin the configuration: 1. On the Runtime Enironments (RTEs) panel (Figure 6 on page 34), enter C (Configure) next to the name of the runtime enironment you created for the high-aailability hub. The Configure the TEMS panel (Figure 10) is displayed. KDS62MCU CONFIGURE THE TEMS / RTE: rte Each RTE can contain only one TEMS. To configure Last selected the TEMS for this RTE, perform these steps in order: Date Time I Configuration information (What s New) 1 Create LU6.2 logmode 11/03/10 05:06 2 Specify configuration alues 11/08/03 17:36 3 Specify communication protocols 11/08/04 22:31 4 Configure TEMS Self-Describing Agent parameters 11/08/04 05:33 5 Create runtime members 11/07/04 08:37 6 Configure persistent datastore 11/03/10 05:06 7 Complete the configuration 11/05/24 16:52 Optional: 8 View TEMS list and registration status 9 Generate sample migration JCL 11/03/10 05:06 F1=Help F3=Back OPTION ===> Figure 10. Configure the TEMS panel Tips The high-aailability hub does not use the SNA communication protocol, so you can skip option 1 (Create LU6.2 logmode) on the Configure the TEMS panel. Select option I (Configuration information: What's New) to read about updates to monitoring serer configuration options since the preious ersions. Specify configuration alues In this step you indicate that the monitoring serer you are configuring is a high-aailability hub. You also specify the name of the started task for this monitoring serer and whether security alidation is in force for the serer. You also use this option to actiate and set control parameters for the auditing function. Do not enable security alidation at this point. Security can be set up more effectiely after you complete and erify the configuration. 40 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

53 1. From the Configure the TEMS panel (Figure 10 on page 40), enter 2 to display the Specify Configuration Values panel (Figure 11). KDS62PP SPECIFY CONFIGURATION VALUES Started task ==> HAHBDSST Type (Hub or Remote) ==> HUB Hub TEMS type ==> HA (HA=High Aailability) security? ==> N (Y, N) Security settings: Validate TMS password encryption information: Integrated Cryptographic Serice Facility (ICSF) installed? ==> N (Y, N) ICSF load library ==> CSF.SCSFMOD0 TMS encryption key ==> IBMTioliMonitoringEncryptionKey Program to Program Interface (PPI) information: Forward Take Action commands to NetView for z/os? ==> N (Y, N) NetView PPI receier ==> CNMPCMDR TEMS PPI sender ==> Enter=Next F1=Help F3=Back F5=Adanced COMMAND ===> Figure 11. Specify Configuration Values panel 2. For the high-aailability hub, the following alues are required: Started task ==> unique_name Type (Hub or Remote) ==> HUB Hub TEMS type ==> HA (HA=High Aailability) For the other fields, accept the default alues or proide the alues appropriate for your site. Started task The name of the high-aailability hub started task JCL procedure. Make a note of the name, because later you will hae to copy this started task procedure to your system procedure library. The default started task name for a monitoring serer is ccccdsst, where cccc is the 4-character STC prefix specified when you defined the runtime enironment. You can edit the started task name displayed on this panel, but make sure the name you specify is unique. Type (Hub or Remote) Specify HUB as the monitoring serer type. Hub TEMS type Specify HA to configure a high-aailability hub. Security settings Validate security? This setting determines whether the hub monitoring serer alidates the user IDs and passwords of users signing on to the Tioli Enterprise Portal. Leae the alue N for now. If you set security alidation to Y at this point, you will hae difficulty completing the configuration steps and erifying the configuration. You can return to this panel and set security alidation to Y later, after you set up security for the monitoring serer (see Chapter 8, Configuring security on a monitoring serer on z/os, on page 143). When Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 41

54 security alidation is enabled on this panel, alidation of users is handled by the security system specified for the runtime enironment. Integrated Cryptographic Serice Facility (ICSF) installed? If the IBM Integrated Cryptographic Serice Facility (ICSF) is installed and configured on the z/os system, set the alue to Y. If you specify that ICSF is not installed on this z/os system (N), then the monitoring serer uses an alternatie, less secure encryption scheme. Note: The encryption method specified for the monitoring serer and the Tioli Enterprise Portal Serer must match. If you specify that ICSF is not installed on this z/os system (N), you must add the line USE_EGG1_FLAG=1 (or USE_EGG1_FLAG=Y) tothe KFWENV enironment file of the Tioli Enterprise Portal Serer (see (If applicable) Edit the portal serer enironment file on page 123). ICSF load library If ICSF is installed and configured on the z/os system, specify the ICSF load library that contains the CSNB* modules used for password encryption. CSF.SCSFMOD0 is the default. If ICSF is not installed on the system, clear the field. TMS encryption key Specify a unique, 32-byte password encryption key. The alue is case-sensitie. Be sure to record the alue you use for the key. You must use the same key during the installation of any components that communicate with this monitoring serer, such as the Tioli Enterprise Portal Serer or a remote monitoring serer. If ICSF is not installed on the system, clear the field. 42 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

55 Encryption key tips The ampersand (&) character cannot be part of the encryption key. The DS#3ssss job (where ssss is the JCL suffix for the runtime enironment) creates the runtime members after you complete the monitoring serer configuration panels. This job uses the alue you specify for the encryption key to create the key file. The key file is member KAES256 in the &rhile.&rte.rkanparu library (see Create the runtime members on page 61). For security reasons, the encryption key alue is not displayed if you return to the Specify Configuration Values panel after you finish configuring the monitoring serer. If you reconfigure the monitoring serer by changing other parameter alues on the configuration panels, the resulting DS#3ssss job does not create a new key file. If you must change the encryption key alue after initial configuration, type the PWD command on the command line of the Specify Configuration Values panel, and then answer Y to the prompt "Do you want to disable ICSF encryption or reset the key?". You can then re-enable encryption and specify a different key. After doing so, you must recreate the runtime members ( Create the runtime members on page 61) and reload the runtime libraries ( Step 3. Load the runtime libraries on page 98). In batch mode, the encryption key alue is stored in parameter KDS_CMS_SEC_ENC_KEY. For batch mode processing, the encryption key is displayed in plain text so that it can be used as input for the KAES256 file in the &rhile.&rte.rkanparu library of other runtime enironments. Therefore, ensure that the &shile.instjobs library for this runtime enironment is secured before you create a batch parameter member containing its alues. The alue of the encryption key batch parameter (KDS_CMS_SEC_ENC_KEY) is enclosed in double quotation marks in the batch parameter member. If you must use a single quotation mark or apostrophe (') as part of the key alue, edit the batch parameter member to enclose the 32-byte encryption key string in two sets of double quotation marks (for example, ""key s_alue""). If you must use both single and double quotation marks as part of the key alue, use the interactie mode of the Configuration Tool instead of the batch mode. Program to Program Interface (PPI) information (Optional) Specify the PPI alues that enable forwarding of Take Action commands to NetView for z/os for authorization and execution. If you enable forwarding, you must also enable NetView to receie and authorize the commands (see Enable NetView to authorize Take Action commands on page 152). Forward Take Action commands to NetView for z/os Specify Y if you want the Tioli Enterprise Monitoring Serer to forward z/os console commands issued as Take Action commands to NetView for authorization and execution. The default alue is N. NetView PPI receier Specify the name of the PPI receier on NetView that will receie Take Action commands. This name must match the receier name specified on the NetView APSERV command. The default name is CNMPCMDR. The Configuration Tool generates the KGLHC_PPI_RECEIVER enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. The alue must be a 1- through 8-character unique identifier for the receier program. It can contain alphabetic characters A-Z and a-z, numeric characters 0-9, and the Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 43

56 following special characters: dollar sign ($), percent sign (%), ampersand (&), at sign and number sign (#). This alue must match the alue specified in the NetView DSIPARM initialization member, CNMSTYLE (see Enable NetView to authorize Take Action commands on page 152). If a alue is specified for this parameter and either the specified name is incorrect or the receier is not actie on NetView for z/os, the command fails. If no alue is specified, default command routing to the z/os console is performed. This parameter is required if you answered Y in the Forward Take Action commands to NetView for z/os field. TEMS PPI sender Optionally, specify the name of the PPI sender. The alue must be a 1- through 8-character, unique identifier for the receier program. It can contain alphabetic characters A-Z and a-z, numeric characters 0-9, and the following special characters: dollar sign ($), percent sign (%), ampersand (&), at sign (@), and number sign (#). This name must not conflict with any NetView for z/os domain name, as it is used in logging the command and command response in the NetView log. If a alue is specified on this field, the Configuration Tool generates the KGLHC_PPI_SENDER enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. If you do not specify a alue in this field, the default is the job name of the monitoring serer that is the source of the command. 3. When you hae completed the Specify Configuration Values panel, press Enter The Eligible Products for HA Hub TEMS panel is displayed (Figure 12). KDSPHUBH Eligible Products for HA Hub TEMS Row 1 from 25 Exclude products that will not participate in the High Aailability (HA) Hub TEMS configuration. Action: X Exclude product PP Component name X pp product_1 _ pp product_2 _ pp product_3 X pp product_4 Figure 12. Eligible Products for HA Hub TEMS panel This panel lists the products that can be configured to report to a high-aailability hub, either indirectly (through a remote monitoring serer) or directly. The products are listed in alphabetical order of product name; the 2-character product codes (pp) are also shown for your conenience. Tip: Not all monitoring agents are eligible for configuration with a high-aailability hub. The list is limited to those that are eligible. 4. On the Eligible Products for HA Hub TEMS panel, type an X beside the names of all products you want to exclude from reporting to the high-aailability hub. (In the example shown in Figure 12, products 1 and 4 are excluded from reporting to the high-aailability hub.) Use the F7 (Up) and F8 (Down) keys to scroll through the list. 5. When you finish excluding products, press Enter. The Exclusion Verification for HA Hub TEMS panel is displayed (Figure 13 on page 45). 44 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

57 KDSPHUBV Exclusion Verification for HA Hub TEMS Row 1 from 25 Exclude erification list. Press Enter to accept, End or Cancel to redo the exclude list. PP Component name pp product_1 pp product_4 Figure 13. Exclusion Verification for HA Hub TEMS panel This panel lists all the products you selected for exclusion. If you did not select any products for exclusion, the list is blank. Reiew the list, and press Enter to accept it, or F3 (Back) to go back to the Eligible Products for HA Hub TEMS panel and change your selections. When you press Enter to accept the list, you return to the Configure the TEMS panel (Figure 10 on page 40). 6. From the Configure the TEMS panel, select 2 (Specify configuration alues) to display the Specify Configuration Values panel, and then press F5 (Adanced) to display the Specify Adanced Configuration Values panel (Figure 14). KDS62PP SPECIFY ADVANCED CONFIGURATION VALUES Enable Web Serices SOAP Serer ==> Y (Y, N) Enable Tioli Eent Integration Facility (EIF) ==> N (Y, N) Enable startup console messages ==> Y (Y, N) Enable communications trace ==> N (Y, N, D, M, A) Reconnect after TCP/IP recycle ==> N (Y, N) Enable storage detail logging ==> Y (Y, N) Storage detail logging: Hours ==> 0 (0-24) Minutes ==> 60 (0-60) Flush VSAM buffers: Hours ==> 0 (0-24) Minutes ==> 30 (0-60) Virtual IP Address (VIPA) type ==> N (S=Static, D=Dynamic, N=None) Minimum extended storage ==> K Maximum storage request size ==> 16 (Primary) ==> 30 (Extended) Language locale ==> 1 (Press F1=Help for a list of codes) z/os Audit collection alues: Enable/Disable z/os audit collection ==> (M, B, D, X) Maximum in-memory cache entries ==> ( ) Domain ==> F1=Help F3=Back F5=Adanced F6=PDS F10=CMS List Enter=Next COMMAND ===> Figure 14. Specify Adanced Configuration Values panel Accept the default alues or proide the alues appropriate for your site. Enable Web Serices SOAP Serer Accept the default alue of Y. The SOAP serer must be enabled for a hub monitoring serer. See the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for more information. Enable Tioli Eent Integration Facility (EIF) Specify Y if you want to enable eent forwarding on this hub. The default alue is N. Ifyou specify Y, the KMS_OMTEC_INTEGRATION=YES enironment ariable is generated in the KDSENV member of &rhile.&rte.rkanparu. Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 45

58 See Decision 2: Whether and how to enable eent forwarding on page 22 for more information about eent forwarding. Enable startup console messages Accept the default alue of Y if you want a SYSLOG message on the console to indicate when the monitoring serer finishes initializing. You can use this message as an UP status message in your automation package (for example, Tioli System Automation for z/os). See the documentation for your automation package for instructions on capturing the monitoring serer automation message IDs (KO4SRV032 and KDSMA001). If the alue of this field is Y, the KGL_WTO=YES parameter is added to the KDSENV member of the &rhile.&rte.rkanparu data set. Enable communications trace Set this parameter to Y if you want KDC_DEBUG=Y as the oerride setting in the &rhile.&rte.rkanparu(kdsenv) member. Otherwise, the default setting of KDC_DEBUG=N instructs the data communications layer to summarize communications problems. The default setting is intended for stable applications in production. Tip: The setting KDC_DEBUG=Y causes a great many records to be written to the log files. Use this setting only for testing or problem diagnosis. The default setting (KDC_DEBUG=N) generates standard RAS1 trace data in the monitoring serer RKLVLOG, in addition to the summary information diagnosing possible timeout conditions. The following settings report on data communications problems: KDC_DEBUG=N Minimal tracing (the default). KDC_DEBUG=Y Full-packet tracing. KDC_DEBUG=D KDC_DEBUG=Y, plus state and flow tracing. KDC_DEBUG=M KDC_DEBUG=D, plus input and output help tracing. KDC_DEBUG=A KDC_DEBUG=M, plus all-format tracing. Do not set KDC_DEBUG=A unless directed by IBM Software Support personnel. Reconnect after TCP/IP recycle If you specify Y, the monitoring serer address space reconnects to its TCP/IP stack without being recycled after the stack is recycled. When this parameter is set to Y, the TOLERATERECYCLE keyword is added in the KLXINTCP member of the &rhile.&rte.rkanparu library. If this parameter is set to N (the default), then if the TCP/IP stack used by the monitoring serer is recycled, the monitoring serer address space must also be recycled to re-establish TCP/IP connectiity. Enable storage detail logging Accept the default alue of Y if you want to enable storage allocation detail logging. You can use the storage detail command output to analyze storage allocated by the monitoring serer address space. Specifying Y generates the second EVERY command in &rhile. &rte.rkancmdu(kdsstart). To disable storage detail logging, set this parameter to N. The second EVERY command is then written as a comment in &rhile.&rte.rkancmdu(kdsstart). 46 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

59 Tip: If you disable storage logging on this panel and then want to actiate it after the monitoring serer is configured and running, you can issue the following modify command to the monitoring serer started task: /F started_task,every hh:mm:ss STORAGE D Issuing this modify command actiates storage detail logging without a requirement to recycle the monitoring serer. If you are enabling storage detail logging on the Specify Adanced Configuration Values panel, accept the default alues or set your own alues for two time interals: Storage detail logging Specify how often you want storage allocation detail to be logged. This interal alue is written as part of the second EVERY command in &rhile. &rte.rkancmdu(kdsstart). The default is 60 minutes. Flush VSAM buffers Specify how often you want to force all deferred VSAM writes to DASD. This interal alue is written as part of the third EVERY command in &rhile. &rte.rkancmdu(kdsstart). The default is 30 minutes. Virtual IP Address (VIPA) type Specify D (Dynamic VIPA, or DVIPA). The VIPA name (the application instance specific dynamic irtual IP address) of the monitoring serer must be resolable through DNS. DVIPA requires one of the following communication protocols: IP.PIPE, IP.SPIPE, IP6.PIPE, or IP6.SPIPE. For more information about specifying communication protocols, see Specify communication protocols on page 51. Minimum extended storage Specify the minimum amount of irtual storage to be made aailable to the monitoring agents and other components that are communicating with this monitoring serer. The default alue is If you do not hae many IBM components reporting to the serer and you want to consere storage, you can lower the alue. This alue is used for the MINIMUM parameter in the KDSSYSIN member of &rhile.&rte.rkanparu. This example shows the default alue: MINIMUM(768000,X) Maximum storage request size Specify the maximum TMS:Engine storage request size, as a power of 2, for primary storage and for extended storage. The maximum alue you specify for each type of storage request (primary and extended) can be no higher than 25 (32768 KB). The default maximum for extended storage is 30 (8192 KB). The default maximum for primary storage is 16 (64 KB). Howeer, some monitoring agents configured to run in the monitoring serer address space require a maximum primary storage request size of 20 (1 MB). If a program requests a block of storage larger than the maximum alue set, an abend occurs. The maximum alue is used in building storage access tables to speed memory allocation. Too small a alue causes TMS:Engine components to fail. Too large a alue wastes storage and increases processing oerhead. You might hae to specify a larger alue if any of your monitoring agents builds large VTAM request/response units (RUs) and data streams. This alue is used for the LIMIT parameter in the KDSSYSIN member of &rhile. &rte.rkanparu. This example shows the default alues: LIMIT(23,X) LIMIT(16,P) Language locale This parameter is required. The default alue is 1 (English - United States). Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 47

60 Press F1 (Help) and select Language locale for a list of the possible alues. Specify the numeric alue that represents the language and region for the z/os system. The Configuration Tool uses this alue to set the country and character set for the LANG enironment ariable in &rhile.&rte.rkanparu(kdsenv). For example, if you accept the default alue of 1 (English - United States), the Configuration Tool generates this enironment ariable in KDSENV: LANG=en_US.ibm-037 If the z/os UNIX System Serices (USS) codepage (en_us.ibm-1047) is required, you can specify either en_us.ibm-1047 or 1A in the Language locale field. In batch mode, you can specify either of these alues: Kpp_CMS_ICU_LANG en_us.ibm-1047 Kpp_CMS_ICU_LANG 1A Tip: The USS codepage (en_us.ibm-1047) is required for agent autonomy and for priate situation XML files. z/os Audit collection alues These parameters allow you to actiate and set parameters that control the auditing facility (see Whether to enable the auditing function on page 17 for more information). Enable/Disable z/os audit collection This parameter specifies the audit detail leel; set it to M, B, D, orx, as explained in Enironment ariables that control the auditing function on page 18. The alue you specify generates an AUDIT_TRACE parameter in member KDSENV of the RKANPARU library. If you do not specified a alue for this parameter, AUDIT_TRACE=BASIC is set as the default. Maximum in-memory cache entries This parameter defines the maximum number of auditing records kept in short-term memory, from 10 to 1000; it generates an AUDIT_MAX_HIST parameter in member KDSENV of the RKANPARU library. If you do not specify a alue here, AUDIT_MAX_HIST=100 is set as the default. Domain This field specifies an identifier that your site can use to associate audit records. It is suitable for grouping agents that are associated with each other. One example might be for collecting records regarding a particular customer. This field is also used to create unique namespaces for role-based access control (RBAC). The alue you specify generates an ITM_DOMAIN parameter in KDSENV. To specify adanced parameters for the Persistent Datastore, press F6 (PDS) to display the KDSPPDS (Specify Persistent Datastore Configuration Values) panel (see Figure 15). These fields define default parameters for the persistent datastore, the repository for short-term historical data. For detailed information, see IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. KDSPPDS SPECIFY PERSISTENT DATASTORE CONFIGURATION VALUES COMMAND ===> Persistent datastore parameters: Maintenance procedure prefix ==> KPDPROC Datastore file high-leel prefix ==> rhile.rte Volume ==> Storclas ==> Unit ==> Mgmtclas ==> Enter=Next F1=Help F3=Back Figure 15. Specify Persistent Datastore Configuration Values panel 48 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

61 Maintenance procedure prefix This prefix is applied to the procedures that perform maintenance when the persistent datastore is full. Specify the same prefix for all products in all runtime enironments. The default is KPDPROC. This parameter is required een if you intend to configure historical data collection at the location of the monitoring agents rather than at the location of the monitoring serer. Datastore file high-leel prefix Specify the high-leel qualifier to use when allocating persistent datastore files in this runtime enironment. The default is &rhile.&rte. This parameter is required een if you intend to configure historical data collection at the location of the monitoring agents rather than at the location of the monitoring serer. Volume Specify the default DASD olume to use when allocating persistent datastore files in this runtime enironment. The default is the olume specified for the runtime enironment. Unit Specify the default DASD unit to use when allocating persistent datastore files in this runtime enironment. Valid unit types are 3380 and The default is the unit type specified for the runtime enironment. Storclas Specify the default SMS storage class to use when allocating persistent datastore files in this runtime enironment. If your site does not require the SMS STORCLAS parameter, you can leae this field blank. Mgmtclas Specify the default SMS management class to use when allocating persistent datastore files in this runtime enironment. If your site does not require the SMS MGMTCLAS parameter, you can leae this field blank. When you hae defined all necessary Persistent Datastore parameters, press Enter. Tip: Under the guidance of IBM Software Support, you can specify alues for parameters other than those shown on the Specify Configuration Values and Specify Adanced Configuration Values panels. To do so, press F5 from the Specify Adanced Configuration Values panel to display the Specify Nonstandard Parameters panel. On this panel you can add, replace, or delete parameter alues in any member of any runtime library. For details, press F1 on the Specify Nonstandard Parameters panel or see IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. 7. If you specified Y for Enable Tioli Eent Integration Facility (EIF), the Specify Values for Eent Destination panel (Figure 16 on page 50) is displayed when you press Enter on the Specify Adanced Configuration Values panel. Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 49

62 KDSPEIF SPECIFY VALUES FOR EVENT DESTINATION Specify the hostname and port number for the TEC eent serer or OMNIbus EIF probe to which you want to forward situation eents: Eent serer type ==> T (T=TEC, M=OMNIbus) Eent serer location ==> Eent serer port ==> 5529 Buffer eents maximum size ==> 4096 Kilobytes For TEC eent listener: Disable Workflow Policy/Emitter Agent eent forwarding ==> N (Y, N) Enter=Next F1=Help F3=Back Figure 16. Specify Values for Eent Destination panel To configure eent forwarding, proide alues for the fields on the Specify Values for Eent Destination panel: Eent serer type Specify the type of eent serer: T (the default) for Tioli Enterprise Console, or M for OMNIbus. This field corresponds to the EentListenerType parameter in the EIF configuration member &rhile.&rte.rkanparu(kmsomtec). Eent serer location Specify the fully qualified host name (the IPV4 dotted-decimal IP address) of the primary eent serer and of up to seen backup eent serers. This field corresponds to the SererLocation parameter in the KMSOMTEC member. If you specify more than one eent serer, use commas to separate the host names or IP addresses. Eent serer location ==> primary_serer,backup_serer1,backup_serer2 If the EIF cannot send an eent to the first serer on the list, it tries the next one, and so on. Eent serer port Specify the port number on which the Tioli Enterprise Console eent serer or OMNIbus EIF probe listens for eents. This field corresponds to the SererPort parameter in the KMSOMTEC member. The default port number is If you specify more than one eent serer, use commas to separate the port numbers. List the port numbers in an order corresponding to the list of eent serer locations. Eent serer port ==> primary_port,backup_port1,backup_port2 Buffer eents maximum size Specify the maximum size, in KB, of the adapter cache file. The cache file stores eents on disk when they cannot be sent to the eent serer. This field corresponds to the BufEtMaxSize parameter in the KMSOMTEC member. The default alue is Disable Workflow Policy/Emitter Agent eent forwarding If you already hae workflow policies containing emitter actiities that send eents to the Tioli Enterprise Console, turning on EIF eent-forwarding causes duplicate eents. If you specify Y in this field, you deactiate the emitter actiities in your policies. The default alue is N. Policies gie you more control oer which eents are sent, and you might want to keep some policies actie. Moreoer, policies that contain the Tioli Enterprise Console emitter actiities generally do little else. If you deactiate these actiities, there is no point in running the policies. Therefore, you might want to delete the policies that are no longer required, instead of disabling them. If this field is set to Y, the KMS_DISABLE_TEC_EMITTER=YES parameter is generated in the KDSENV member of &rhile.&rte.rkanparu. 50 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

63 8. Press Enter until you return to the Configure the TEMS panel (Figure 10 on page 40). Specify communication protocols To specify protocols for communications between the high-aailability hub and other components, complete the following procedure: 1. From the Configure the TEMS panel (Figure 10 on page 40), enter 3 to display the Specify Communication Protocols panel (Figure 17). KDS62PP SPECIFY COMMUNICATION PROTOCOLS Specify the communication protocols in priority sequence for TEMS HAHUB:CMS. IP.PIPE ==> 1 (Non-secure NCS RPC) IP.UDP ==> 2 (Non-secure NCS RPC) IP6.PIPE ==> (IP.PIPE for IPV6) IP6.UDP ==> (IP.UDP for IPV6) IP.SPIPE ==> (Secure IP.PIPE) IP6.SPIPE ==> (Secure IP.PIPE for IPV6) SNA.PIPE ==> (Non-secure NCS RPC) Note: SNA.PIPE is required under certain conditions. Press F1=Help. * Web Serices SOAP Serer is enabled: TCP protocol is required. * Eent Integration Facility (EIF) is enabled: TCP protocol is required. Enter=Next F1=Help F3=Back Figure 17. Specify Communication Protocols panel This panel lists the communication protocols to be used by the monitoring serer. The number beside each protocol indicates its priority. When communication with another component is initiated, the monitoring serer tries Protocol 1 first and goes to Protocol 2 and then to Protocol 3, and so on, in case of failure. Tips The high-aailability hub does not use the SNA protocol. Do not assign a number to SNA.PIPE. The high-aailability hub requires at least one of the following communication protocols: IP.PIPE, IP.SPIPE, IP6.PIPE, or IP6.SPIPE. For more information about the communication protocols, see "Decision 5: How to set up communications between components" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. 2. Supply the priority number for each protocol you want to select. IP.PIPE Uses the TCP/IP protocol for underlying communications. IP.UDP Also a TCP/IP protocol. Uses the packet-based, connectionless User Datagram Protocol (UDP). IP6.PIPE IP.PIPE protocol that supports IPV6. This protocol is aailable for a monitoring serer on a z/os system at release leel V1R7 or higher, with IPV6 installed and operational. IP6.UDP IP.UDP protocol that supports IPV6. This protocol is aailable for a monitoring serer on a z/os system at release leel V1R7 or higher, with IPV6 installed and operational. IP.SPIPE Secure IP.PIPE protocol. This protocol is aailable for a monitoring serer on a z/os system at release leel V1R7 or higher. Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 51

64 IP6.SPIPE Secure IP.PIPE for IPV6. This protocol is aailable for a monitoring serer on a z/os system at release leel V1R7 or higher with IPV6 installed and operational. SNA.PIPE The high-aailability hub does not use the SNA protocol. Do not assign a number to SNA.PIPE. 3. When you hae selected protocols and assigned their priorities, press Enter. The panel displayed next depends on the protocols and priorities you hae specified. IP.PIPE, IP6.PIPE, IP.SPIPE, and IP6.SPIPE Figure 18 shows the Specify IP.PIPE Communication Protocol panel, where you specify alues for the IP.PIPE, IP6.PIPE, IP.SPIPE, and IP6.SPIPE protocols. KDS62PPD SPECIFY IP.PIPE COMMUNICATION PROTOCOL Specify IP.PIPE and Web Serices SOAP Serer configuration. * Network address (Hostname): ==> OMEGAHUB Started task ==> * (Recommended default = *) Network interface list: (If applicable) ==>!OMEGAHUB Port number ==> 1918 (IP.PIPE) Port number ==> 1918 (IP.PIPE for IPV6) Port number ==> 3660 (Secure IP.PIPE) Port number ==> 3660 (Secure IP.PIPE for IPV6) HTTP serer port number ==> 1920 Access TEMS list ia SOAP Serer? ==> Y (Y, N) Address translation ==> N (Y, N) Partition name ==> * Note: See F1=Help for TSO HOMETEST command instructions. Enter=Next F1=Help F3=Back Figure 18. Specify IP.PIPE Communication Protocol panel Network address (Hostname) For the high-aailability hub, the host name is the application-instance-specific (priate) dynamic irtual IP address you hae defined to DNS. In the example shown, the host name is the priate DVIPA name OMEGAHUB. Started task Identifies the TCP/IP stack to be used. If the LPAR contains a single TCP/IP stack, accept the default alue of an asterisk (*), which uses the first TCP/IP stack that was started. If the LPAR contains more than one TCP/IP stack, specify the started task name of the TCP/IP stack you want to use. Alternatiely, you can specify the number sign (#), which is translated to a blank and allows the TCP/IP enironment to choose the stack to use, either through TCP/IP definitions or through the use of the SYSTCPD DD statement. Tip: Whicheer method is used to select a TCP/IP stack in a multi-stack enironment, the Tioli Management Serices components continue to use that stack, een if a different stack becomes the primary stack. Therefore, in a multi-stack enironment, it is best to specify the started task name of the TCP/IP stack to be used, rather than specifying a wildcard or a blank. If IP domain name resolution is not fully configured on the z/os system, the SYSTCPD DD statement is required (see (If applicable) Add support for the SYSTCPD DDNAME in the monitoring serer started task on page 119). Network interface list To ensure that the high-aailability hub is restricted to its priate DVIPA address and cannot 52 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

65 interfere with the remote monitoring serer configured on the same LPAR, the high-aailability hub requires the use of a specific local TCP/IP interface. In this field, specify!dipa_hostname, where dipa_hostname is the priate DVIPA name you specified in the Network address (Hostname) field. In the example shown, the alue for Network interface list is!omegahub. When you supply a alue in the Network interface list field, the Configuration Tool generates the KDEB_INTERFACELIST enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. Important After you set the alue of Network interface list to!dipa_hostname for the high-aailability hub, you must specify one of the following alues for all other products and components configured in all runtime enironments on the same LPAR, and for all remote monitoring serers configured to report to the high-aailability hub in the same sysplex: -!* to force the products and components to use only the interface associated with the default host name for the z/os image. - -dipa_hostname to use any interface except the one associated with dipa_hostname. See "Network interfaces" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for more information about interface lists. In the default character set (language locale en_us.ibm-037), the code for an exclamation point is x 5A. If you are using a character set other than the default, a different character might map to that code. Use the character that maps to x 5A in your character set. Set HEX ON in TSO Edit to confirm the correct character is entered. Port number Specify the well-known port for the hub monitoring serer, for each of the selected IP*.*PIPE protocols. The port numbers specified here are stored in the KDE_TRANSPORT enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. The default port numbers are 1918 for nonsecure IP protocols and 3660 for secure IP protocols. If you specified a different TCP/IP port number for the runtime enironment, the number you specified is shown as the default for nonsecure IP protocols. Make sure that the hub monitoring serer well-known port is not already on the TCP/IP resered port list. Also, the hub well-known port is the basis for an algorithm that assigns port numbers to the components configured to report to the hub. Make sure that the algorithm will not result in attempts to resere already-resered ports for those components. See "Port number assignments" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. HTTP serer port number The HTTP serer port is used for communications with the SOAP serer. Accept the default alue of If Port 1920 is in use when the monitoring serer is started, another port is assigned. Access TEMS list ia SOAP Serer? Specify Y to create the initial KSHXHUBS member required for SOAP serer operation. The KSHXHUBS member is stored in the &rhile.&rte.rkanparu library. Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 53

66 The KSHXHUBS member contains the list of hub monitoring serers with which the SOAP serer communicates, and the corresponding user access list if access has been secured. The TEMS list in the KSHXHUBS member is an aliasing mechanism, equialent to the kshxhubs.xml file on distributed platforms. If the initial KSHXHUBS member has already been created and no changes are required to the SOAP serer alues, set this field to N. Address translation By default, Ephemeral Pipe Support (EPS) is enabled to allow IP.PIPE connections to cross a network address-translating firewall. This feature obiates the requirement for a broker partition file (KDC_PARTITIONFILE=KDCPART). If you specifically want to disable EPS, specify Y for Address translation. For more information, see "Implementation of firewall support" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Partition name If you specified Y for Address translation, you must supply the partition name (label) that identifies the location of the monitoring serer relatie to the firewall(s) used for address translation. The partition name that you supply is added to the partition table, which contains labels and associated socket addresses proided by the firewall administrator. The label is used outside the firewall to establish monitoring serer connections. The well-known port for the hub monitoring serer must be authorized by the firewall administrator. For the IP*.*PIPE protocols, no additional ports require authorization. When you press Enter after proiding the IP*.*PIPE configuration alues, you are presented with one of the following panels: If you specified Y for Address translation, the Specify IP.PIPE Partition References panel (Figure 19) is displayed. KDS62PPE SPECIFY IP.PIPE PARTITION REFERENCES TEMS name ==> rte:cms Partition name ==> partition_name Partition address ==> partition_address Specify IP.PIPE partition references to this TEMS. To add a new entry, type the partition name in the first field and set the address accordingly. To modify an entry, type oer its alues. Use D to delete a partition reference. Action Partition Address Enter=Next F1=Help F3=Back F7=Up F8=Down Figure 19. Specify IP.PIPE Partition References panel The name of the monitoring serer, its partition name (that is, its location or namespace relatie to the firewall), and its partition address (the IP address assigned to the monitoring serer in the specified partition) are displayed at the top of the Specify IP.PIPE Partition References panel. Use the fields of this panel to specify partition references (the alues required to support communication across a firewall using address translation rather than EPS). If more than one firewall is used, specify a partition reference for each firewall. Partition Supply the partition name assigned to the monitoring serer from a location on the other side of the firewall. 54 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

67 Address Supply the IP address assigned to the monitoring serer from a location on the other side of the firewall. To add a partition reference, specify the partition name and the address used in that partition to communicate with the monitoring serer, and press Enter. To modify an existing partition reference, type oer an entry and press Enter. To delete a reference, type D in the Action field and press Enter. Modifications resulting in duplicate entries are ignored. The alues proided on this panel are saed as the KDC_PARTITIONFILE enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. KDC_PARTITIONFILE points to a member, KDCPART, created in the &rhile.&rte.rkanparu library. If you specified N for Address translation, the Specify TEMS KSHXHUBS Values panel is displayed (Figure 20). KDS62PPG SPECIFY TEMS KSHXHUBS VALUES / RTE: RTEname Action: Add Hub TEMS SOAP Serer alues for RTEname : TEMS name ==> RTEname:CMS (case sensitie) Protocol 1 ==> IPPIPE (IPPIPE,IP,IP6PIPE,IP6,IPSPIPE,IP6SPIPE,SNA) TCP hostname TCP port number ==> hostname ==> port_number SNA network ID ==> SNA global location broker applid ==> SNA LU6.2 logmode ==> Alias name ==> HAHUB:CMS Note: IBM recommends that the Alias name is the same as the TEMS name. Enter=Next F1=Help F3=Back Figure 20. Specify TEMS KSHXHUBS Values panel Use this panel to begin a list of hub monitoring serers to connect with the SOAP serer. The alues you specified in earlier configuration panels are displayed as default alues. Hub TEMS SOAP Serer alues for RTEname Accept the default alue, which is the name of the runtime enironment where the monitoring serer is being configured. TEMS name Accept the default alue, which is the TEMS name (CMS_NODEID) you specified when you defined the runtime enironment. TCP hostname Accept the default, which is the host name specified on the Specify IP.PIPE Communication Protocol panel (Figure 18 on page 52). TCP port number Accept the default, which is the port number specified on the Specify IP.PIPE Communication Protocol panel (Figure 18 on page 52). SNA network ID Leae this field blank. It is required only if SNA is Protocol 1. SNA global location broker applid Leae this field blank. It is required only if SNA is Protocol 1. SNA LU6.2 logmode Leae this field blank. It is required only if SNA is Protocol 1. Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 55

68 Alias name Accept the default, which is the TEMS name (CMS_NODEID alue). The alias name identifies the hub monitoring serer to the SOAP serer. The alue is case-sensitie. When you press Enter, the SOAP serer KSHXHUBS List panel (Figure 21) is displayed, with the hub monitoring serer shown on the list. KDS62PPF SOAP SERVER KSHXHUBS LIST / RTE: RTEname The following Hub TEMS list is eligible for SOAP Serer access. RTE: RTEname Local SOAP Serer: RTEname:CMS Actions: A Add TEMS, U Update TEMS, D Delete TEMS, V View TEMS, S Secure TEMS, G Grant global security access, C Copy TEMS RTE name TEMS name Preferred TEMS protocol secured _ RTEname RTEname:CMS IPPIPE N F1=Help F3=Back F7=Up F8=Down Figure 21. SOAP serer KSHXHUBS List panel This panel lists the hub monitoring serers that are eligible for SOAP serer access. The list is maintained in the KSHXHUBS member of the &rhile.&rte.rkanparu library. Tips - You can specify non-local hubs if desired. To do so, enter A (Add TEMS) in the Action field to the left of any hub in the list. Then, on the Specify TEMS KSHXHUBS Values panel, proide the TEMS name, TCP hostname (network address), and Alias name for the non-local hub. - Do not edit the KSHXHUBS member directly. Its XML tags and alues require a specific format and are case-sensitie. If you want to change the contents of the KSHXHUBS member, do so in the Configuration Tool. If you exit the SOAP serer KSHXHUBS List panel without securing user access, the SOAP serer honors requests from any user ID that passes logon alidation. The alue shown in the TEMS secured field indicates whether user access to the SOAP serer is secured (Y) or unsecured (N). For an explanation of SOAP serer security, see the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. If you want to limit user access to the SOAP serer, follow this procedure: a. On the SOAP serer KSHXHUBS List panel, enter S (Secure TEMS) in the Action field to the left of the item for the hub you just added to the list. The Specify TEMS KSHXHUBS Values panel (Figure 20 on page 55) is displayed, with Action: Secure at the top and with two fields at the bottom for specifying the first user ID to which access is to be granted. Specify initial user ID with Query and/or Update access: Query access ==> Update access ==> Note: To add more users, press Enter. Enter=Next F1=Help F3=Back b. On the Specify TEMS KSHXHUBS Values panel (Figure 20 on page 55), specify the first user ID to hae Query (read) access and Update (write) access. You can specify a user ID for 56 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

69 Query access without specifying one for Update access, but if you specify a user ID for Update access, you must also specify a user ID for Query access. c. If you want only one user ID to hae access, press F3 to return to the SOAP serer KSHXHUBS List panel. If you want to specify more user IDs, press Enter. The SOAP serer KSHXHUBS Security Access List panel is displayed (Figure 22). KDS62PPH SOAP SERVER KSHXHUBS SECURITY ACCESS LIST ---- TEMS SECURED The following users hae access to the monitored Hub TEMS: Local SOAP Serer: Monitored Hub TEMS: Monitored RTE: RTEname:CMS RTEname:CMS RTEname Actions: A Add user, U Update user access, D Delete user I Install user into all monitored TEMS User ID Query Update _ user_id Y Y F1=Help F3=Back F7=Up F8=Down Figure 22. SOAP serer KSHXHUBS Security Access List panel d. Enter A (Add user) in the Action field to the left of the first user ID. The Specify TEMS KSHXHUBS User Access List panel is displayed (Figure 23). KDS62PPI - SPECIFY TEMS KSHXHUBS USER ACCESS LIST / RTE: RTEname Add the TEMS SOAP Serer KSHXHUBS alues for RTEname:CMS User ID ==> Grant query access? ==> Y (Y, N) Grant update access? ==> N (Y, N) Enter=Next F1=Help F3=Back Figure 23. Specify TEMS KSHXHUBS User Access List panel e. Specify a user ID and indicate whether to grant it Query access and Update access. f. Press Enter to return to the SOAP serer KSHXHUBS Security Access List panel. g. Continue adding user IDs until you hae added all the user IDs to which you want to grant SOAP serer access. h. If you want to grant a user ID the same leel of access to all hubs on the SOAP serer KSHXHUBS List, enter I (Install user into all monitored TEMS) to the left of the user ID on the SOAP serer KSHXHUBS Security Access List panel. Caution: This action (I) has the immediate effect of securing eery hub on the list and of granting access only to the user ID selected. Be sure you want this result before specifying the I action. i. Press F3 (Back) until you return to the SOAP serer KSHXHUBS List panel (Figure 21 on page 56). Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 57

70 If you want to disable SOAP serer security for a hub, specify G (Grant global security access) in the Action field for that hub on the SOAP serer KSHXHUBS List panel. This action remoes all user IDs from the user access list and thus enables access for all user IDs that pass logon alidation. Press F3 (Back) to return to the communication protocol configuration panels. IP.UDP and IP6.UDP The field definitions and instructions for the IP.UDP and IP6.UDP protocols are the same as those for the IP*.*PIPE protocols, except that address translation does not apply to IP.UDP and IP6.UDP. 4. Press Enter to return to the Configure the TEMS panel (Figure 10 on page 40). (Optional) Enable the self-describing agent capability For the Tioli Enterprise Monitoring Serer you are configuring to correctly "seed" agents built with the self-describing capability (for ersion 6.2.3, these are only the distributed agents; in other words, no z/os agent is self-describing), you must first enable the hub monitoring serer with which these agents will communicate to receie and process self-description data. (For additional information about this capability, see Whether to enable the self-describing agents capability on page 15.) To enable the self-describing agent capability, complete the following procedure: 1. From the Configure the TEMS panel, enter 4 (Configure TEMS Self-Describing Agent Parameters) to display the Configure TEMS Self-Describing Agent Parameters (panel ID KDS62MC4), shown in Figure 24. KDS62MC CONFIGURE TEMS SELF-DESCRIBING AGENT PARAMETERS Perform the following steps in the order presented: Last selected Date Time 1 Specify TEMS Self-Describing Agent alues 11/08/05 22:34 2 Create configuration members 11/08/05 23:14 3 Create USS directories and copy files on USS 11/08/05 23:14 F3=Back Option ===> F1=Help Figure 24. Configure TEMS Self-Describing Agent Parameters panel This panel lays out the remaining steps required for you to authorize the processing of self-describing agent data; they are: a. Specify TEMS Self-Describing Agent alues Here you specify the parameters the monitoring serer requires to process self-describing agent data. b. Create configuration members Here you generate a batch job that will configure the runtime members that create the HFS or zfs directories and copy files to z/os UNIX system serices (USS). c. Create USS directories and copy files on USS 58 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

71 Here you generate a batch job that will create those HFS or zfs directories and copy the files to USS. The remaining subsections describe each of these steps in turn. Specify TEMS Self-Describing Agent alues: 1. From the Configure TEMS Self-Describing Agent Parameters panel (see Figure 24 on page 58), select the Specify TEMS Self-Describing Agent alues step: tab to line 1, and enter S. The TEMS Self-Describing Agent Values panel (panel ID KDS62PP4), shown in Figure 25, is displayed. KDS62PP SPECIFY TEMS SELF-DESCRIBING AGENT VALUES Enable TEMS Self-Description processing (KMS_SDA) ==> N (Y, N) Agent Self-Description processing in TEMS (TEMA_SDA) ==> Y (Y, N) JaaRoot directory for TEMS_JAVA_BINPATH (case sensitie): /usr/lpp/jaa/ibm/j6.0 USS CLIST library (Required) ==> SYS1.SBPXEXEC about the TEMS_MANIFEST_PATH Press F1=Help for information USS SDA Home Directory. Enter=Next F1=Help F3=Back OPTION ===> Figure 25. Specify TEMS Self-Describing Agent Values panel 2. Turn on the processing of self-describing agent data: set Enable TEMS Self-Description processing to Y. 3. If the address space of the monitoring serer you're configuring will also contain z/os monitoring agents (such as the OMEGAMON XE on z/os agent or the OMEGAMON XE for Storage agent), turn on support for self-describing agents within this monitoring serer: set Agent Self-Description Processing in TEMS to Y. Note: For Version of the IBM Tioli Monitoring, there are no self-describing z/os agents; therefore, for now, leae this parameter set to N. 4. Supply the name of your site's Jaa root directory (initially /usr/lpp/jaa/ibm/j6.0) within UNIX System Serices (USS). The self-describing agent capability uses this directory to locate and load the jar utility. 5. Supply the name of your site's UNIX System Serices procedure (CLIST) library (initially SYS1.SBPXEXEC). 6. Press Enter to sae these parameter alues. Create configuration members: From the Configure TEMS Self-Describing Agent Parameters panel (see Figure 24 on page 58), select the Create configuration members step: tab to line 2, and enter S. Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 59

72 The DS#6T623 batch job is created and submitted. Create USS directories and copy files on USS: From the Configure TEMS Self-Describing Agent Parameters panel (see Figure 24 on page 58), select the Create USS directories and copy files on USS step: tab to line 3, and enter S. The DS#UT623 batch job is created and submitted. Note: This job must be submitted on a machine that can access the USS directories. In addition, the job must be submitted by a TSO userid that has write access to the HFS/zFS directories. Note about security definitions for the new USS files To create the runtime enironment's new UNIX System Serices directories, the DS#UT623 job inokes mkdir commands similar to the following: mkdir RTE_USS_RTEDIR/COMPUSS/kds/support/TEMS/META-INF MODE(7,7,7) Note that these directories are created with MODE(7,7,7), which grants write permission to these directories to all users. This MODE alue is specified because the TSO userid of the person running ICAT or PARMGEN is not necessarily the same userid as that associated with the monitoring serer started task. Howeer, both userids require write access to the runtime USS directories for the following reasons: To support the self-describing agents feature, the monitoring serer running on z/os must be able to add and remoe files from these USS directories. A more restrictie MODE setting would preent the monitoring serer from doing so. If a subsequent uninstall is performed from ICAT, the TSO userid of the person running ICAT must hae write access to these same directories. If your site requires a more secure access scheme for these runtime USS directories, you can accomplish this using group-based security. Here's how: 1. The configurator's userid is dayce as in the aboe example, and it is connected to three security groups: GROUP1, GROUP2, and GROUP3. Since GROUP1 is dayce's default group, all of the newly created RTE USS directories are owned by GROUP1 by default. 2. The userid of the monitoring serer started task is stcuser, and it is connected to two security groups: GROUP2 and GROUP4. Since both userids hae GROUP2 in common, the dayce userid could log on to USS and issue a chgrp command to set GROUP2 as the owner of the runtime enironment's USS directories, as in this example: > chgrp -R GROUP2 COMPUSS 3. Next, the dayce userid can issue a chmod command to change the original MODE(7,7,7) alue to something more restrictie, such as: > chmod -R 775 COMPUSS After issuing this chmod command, only users who are connected to GROUP2 hae write access to the runtime USS directories. If the configurator's userid and the userid associated with the monitoring serer started task do not hae any security groups in common, you must either connect both userids to a common security group or define a new security group and connect both userids to that group. Whicheer option you choose, you must still perform the chgrp and chmod actions described aboe. This information applies to users of either the Configuration Tool (ICAT) or PARMGEN. 60 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

73 Create the runtime members To create the runtime members required by Tioli Enterprise Monitoring Serer, complete the following procedure: 1. From the Configure the TEMS panel, enter 5 to display the JCL for the DS#3ssss job that creates the runtime members required by the monitoring serer. These members are created in the runtime libraries for this runtime enironment. 2. Reiew the JCL, edit if necessary, and submit. Verify that the job completes successfully and that all return codes are zero. The following error messages indicate that ICSF is not configured correctly on your system: Cannot encrypt text: call to CSNBSYE failed Cannot encrypt contents of keyfile Function failed with error code 26 If you receie those messages, work with your security specialist to resole the ICSF problem, and then rerun only the KAES256 step of the DS#3ssss job. (If you rerun the entire job, the KAES256 step is omitted for security reasons.) 3. When the job finishes, return to the Configure the TEMS panel (Figure 10 on page 40). Configure the persistent datastore If you want to collect historical data, you must perform this step, which proides a job that configures a persistent datastore. The persistent datastore is the repository for short-term historical data that can be retrieed for table and chart iews in the Tioli Enterprise Portal. For detailed planning information about the persistent datastore, see the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. You can also find additional information about the persistent datastore by entering README PDS from the command line of any panel in the Configuration Tool. To configure the persistent datastore, follow these steps. 1. On the Configure the TEMS panel (Figure 10 on page 40), enter 6 to display the Configure Persistent Datastore panel (Figure 26). KPD62PP CONFIGURE PERSISTENT DATASTORE Last selected Perform these configuration steps in order: Date Time 1 Modify and reiew datastore specifications 2* Create or edit PDS maintenance jobcard 3 Create runtime members 4 Allocate and initialize datastore files 5 Complete persistent datastore configuration * Note: The initial PDS maintenance jobcard defaults to the jobcard set on the Set up work enironment option. This jobcard is shared by all products that configured historical collection within this RTE=rte. Change to a generic jobcard, as necessary. F1=Help F3=Back Figure 26. Configure Persistent Datastore panel 2. Enter 1 to display the Modify and Reiew Datastore Specifications panel (Figure 27 on page 62). Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 61

74 KPD62PP MODIFY AND REVIEW DATASTORE SPECIFICATIONS ---- Row 1 to 1 of 1 Modify persistent datastore allocation and maintenance information as required Press Enter to accept alues and then F3 to return. Datastore high-leel qualifier: &rhile.&rte Group -Datasets in Group- Volser/ Storclas/ -Est Cyl- -Maintenance- Name Lowle Count Unit Mgmtclas Space Backup Export Extrac GENHIST RGENHIS 3 36 N N N F1=Help F3=Back Figure 27. Modify and Reiew Datastore Specifications panel On this panel you can specify the placement of the data store files, how much space to allocate, and maintenance options for the data store. The alues you specified when configuring the monitoring serer (see Figure 14 on page 45) are displayed as default alues. You can accept the defaults or change them. Group name The name of the group containing the historical data sets. You cannot edit this name. Datasets in Group Lowle The low-leel qualifier of the data set name. You cannot edit the low-leel qualifier. A 1-character alue (1-9, A-Z) is suffixed to the low-leel qualifier to indicate the data set number in the group. For example, if the low-leel alue is RGENHIS and there are three data sets in the group, these are the names of the data sets: &rhile.&rte.rgenhis1 &rhile.&rte.rgenhis2 &rhile.&rte.rgenhis3 Count Indicates the number of data sets in the group. The minimum supported alue is 3. Volser/Unit Accept the default or modify it. Storclas/Mgmtclas Accept the default or modify it. Est Cyl Space This field is used to allocate space for the data sets and for oerhead information such as the product dictionary, table records, index records, and buffers to hold oerflow data when the data sets are full. Allocate enough storage so that maintenance procedures can run only once a day. See your monitoring agent publications for guidelines to estimating the space required. If you collect short-term history for oer 24 hours, but you still cannot create iews at the Tioli Enterprise Portal for a full 24 hours of data, then you require more data sets (Count) or larger data sets (Est Cyl Space). Maintenance These fields are used for data store maintenance functions. Specify Y to turn on one or more of these maintenance functions for a group. Backup Makes an exact copy of the data set being maintained. Export Writes the data to a flat file in an internal format that can be used by external 62 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

75 programs to process the data. The exported data can also be used for recoery when the persistent datastore detects problems with the data. Extract Writes the data to a flat file in human-readable form that is suitable for loading into other database management systems. 3. Press Enter to accept the alues, and then press F3 to return to the Configure Persistent Datastore panel (Figure 26 on page 61). Tip: Option 2 (Create or edit PDS maintenance jobcard) on the Configure Persistent Datastore panel is no longer required. You can skip it. Create runtime members for the persistent datastore: 1. On the Configure Persistent Datastore panel, enter 3 (Create runtime members) to display the PD#Pssss job that creates the persistent datastore runtime members. 2. Edit this job and submit it. Expect to see a return code of zero. 3. You are returned to the Configure Persistent Datastore panel (Figure 26 on page 61). Allocate and initialize the persistent datastore files: 1. On the Configure Persistent Datastore panel, enter 4 (Allocate and initialize datastore files) to display the job that allocates and initializes all data sets required for the persistent datastore. Note: This job applies to a new persistent datastore configuration. If the persistent datastore data sets already exist, delete or rename the existing persistent data store files if you want the Configuration Tool to reallocate and re-initialize the data sets for the persistent datastore. 2. Edit this job and submit it. Expect to see a return code of zero. 3. You are returned to the Configure Persistent Datastore panel (Figure 26 on page 61). Prepare to complete the configuration of the persistent datastore and monitoring serer 1. On the Configure Persistent Datastore panel, enter 5 (Complete persistent datastore configuration) to display a list of the steps you must take outside the Configuration Tool to complete the configuration of the persistent datastore. Print this list for later reference, but wait to complete the steps. 2. Press F3 until you return to the Configure the TEMS panel (Figure 10 on page 40). 3. On the Configure the TEMS panel, select Option 7 (Complete the configuration) to display a list of the steps you must take outside the Configuration Tool to complete the configuration of the monitoring serer. Print this list for later reference, but wait to complete the steps until you finish loading the runtime libraries. 4. Press F3 (Back) until you return to the Runtime Enironments (RTEs) panel Figure 6 on page 34. Load the runtime libraries Before you complete the configuration of the monitoring serer outside the Configuration Tool, you must load the runtime libraries from the target libraries that were installed by SMP/E. The load job requires exclusie access to the runtime libraries. 1. On the Runtime Enironments (RTEs) panel Figure 6 on page 34, enter L (Load) in the Action field to the left of the name of the runtime enironment. 2. Reiew the JCL and submit the job. Verify that the job completes successfully and that the return code is 04 or lower. 3. When you finish loading the libraries, press F3 (Back) until you return to the Product Selection Menu (Figure 5 on page 33). Complete the configuration of the high-aailability hub See Part 3, Post-configuration procedures, on page 117 for information about completing the configuration of the hub monitoring serer outside the Configuration Tool. Because the high-aailability hub Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 63

76 is the only component configured in its runtime enironment, you can complete its configuration now, without waiting to configure other components and products. Step 4. Configure a remote monitoring serer to report to the high-aailability hub After you finish configuring the high-aailability hub, create a second runtime enironment on the same LPAR, and configure a remote monitoring serer to report to the high-aailability hub. To configure the remote monitoring serer, perform the following tasks in order: 1. Follow the instructions in Chapter 5 of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide to add a runtime enironment and build the runtime libraries. Important On the Product Selection Menu (Figure 5 on page 33), select a monitoring agent product rather than selecting IBM Tioli Management Serices on z/os. When you select a monitoring agent, you can configure a monitoring serer and one or more monitoring agents in the same runtime enironment. If you select Tioli Management Serices on z/os, you can only configure a stand-alone monitoring serer in its own runtime enironment, without any monitoring agents. 2. Begin the configuration. 3. Create a logmode on page Specify configuration alues on page Specify communication protocols on page (Optional) Enable the self-describing agent capability on page Create the runtime members on page Configure the persistent datastore on page 61. Begin the configuration Perform the following steps to begin the configuration: 1. On the Runtime Enironments (RTEs) panel (Figure 6 on page 34), enter C (Configure) next to the runtime enironment you added for the remote monitoring serer and monitoring agents. The Product Component Selection Menu is displayed (Figure 28). KCIPMCU PRODUCT COMPONENT SELECTION MENU The following list of components requires configuration to make the product operational. Refer to the appropriate configuration documentation if you require additional information to complete the configuration. To configure the desired component, enter the selection number on the command line. You should configure the components in the order they are listed. Note: It may not be necessary to configure Tioli Enterprise Monitoring Serer (TEMS) component, if listed below. Press F1 for more information. COMPONENT TITLE 1 Tioli Enterprise Monitoring Serer 2 monitoring_agent_component_1 3 monitoring_agent_component_2 Figure 28. Product Component Selection Menu 2. From the Product Component Selection Menu, enter 1 to select Tioli Enterprise Monitoring Serer. 64 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

77 The Configure the TEMS panel is displayed (Figure 10 on page 40). Create a logmode If the monitoring serer is to communicate with any monitoring agents that require SNA, you must create a logmode or proide information about an existing logmode. Examples of monitoring agents that require SNA communications include OMEGAMON XE on z/os (for the EPILOG facility of the OMEGAMON II component) and OMEGAMON XE for Messaging on z/os (for the 3270 interface component). See the product-specific configuration guides for further information about SNA requirements. If this monitoring serer will not communicate with any monitoring agents that require SNA, you can skip to Specify configuration alues on page 66. Otherwise, complete the following procedure: 1. From the Configure the TEMS panel (Figure 10 on page 40), enter 1 (Create LU 6.2 logmode). The Create LU6.2 Logmode panel is displayed (Figure 29). Use this panel to specify the name of the LU6.2 logmode and logmode table to be used for SNA communications. KDS62PLU CREATE LU6.2 LOGMODE The TEMS requires an LU6.2 logmode. Complete the items on this panel and press Enter to create a job that will assemble and link the required logmode. LU6.2 logmode Logmode table name ==> CANCTDCS ==> KDSMTAB1 VTAMLIB load library ==> SYS1.VTAMLIB VTAM macro library ==> SYS1.SISTMAC1 Figure 29. Create LU6.2 Logmode panel Tip: If you plan to use an existing LU6.2 logmode, you do not hae to submit the job created from this panel. Howeer, you must ensure that the existing logmode has the same VTAM attributes as the logmode contained in the job. Be sure to proide the logmode information, een if you do not intend to submit the job. 2. Reiew the alues on the panel and specify site-specific alues. LU6.2 logmode The name of the LU6.2 logmode. A name is required een if you do not submit the job. Logmode table name The name of the logmode table that contains the LU6.2 logmode. A name is required een if you do not submit the job. VTAMLIB load library The name of the system library that contains VTAM logmode tables. This is typically SYS1.VTAMLIB (the default alue), but you can specify a different load library if you cannot or do not want to update VTAMLIB directly. VTAM macro library The name of the system library that contains the VTAM macros. This library is typically SYS1.SISTMAC (the default). 3. To accept the alues, press Enter. The JCL to create the logmode is displayed. If you want to use the LU6.2 logmode created by this job, reiew the JCL and submit the job. Verify that the job completes successfully and that all return codes are zero. If you want to use an existing LU6.2 logmode whose attributes match those in the logmode created by the job, press F3 (End) without submitting the job. Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 65

78 You are returned to the Configure the TEMS panel (Figure 10 on page 40). Specify configuration alues In this step you indicate that the monitoring serer you are configuring is a remote monitoring serer and that it reports to the high-aailability hub. You also specify the name of the started task for the remote monitoring serer and its security settings. Security alidation of users is handled by hub monitoring serers only. Do not attempt to enable security alidation on a remote monitoring serer. 1. From the Configure the TEMS menu (Figure 10 on page 40), enter 2 to display the Specify Configuration Values panel (Figure 11 on page 41). 2. Proide alues in the following fields: Started task The name of the remote monitoring serer started task JCL procedure. Make a note of the name, because later you will hae to copy this started task procedure to your system procedure library. The default is CANSDSST. Type (Hub or Remote) Specify REMOTE as the monitoring serer type. Hub TEMS type Leae this field blank. Tip: If you come back to this panel later, this field will not be displayed, because it applies only to a hub monitoring serer. Security settings Validate security? This setting determines whether the hub monitoring serer alidates the user IDs and passwords of users signing on to the Tioli Enterprise Portal. Leae the alue N for remote monitoring serers. Integrated Cryptographic Serice Facility (ICSF) installed? If the IBM Integrated Cryptographic Serice Facility (ICSF) is installed and configured on the z/os system, set the alue to Y. If you specify that ICSF is not installed on this z/os system (N), then the monitoring serer uses an alternatie, less secure encryption scheme. Note: The encryption method specified for the remote and hub monitoring serers must match that of the Tioli Enterprise Portal Serer. If you specify that ICSF is not installed on this z/os system (N), you must add the line USE_EGG1_FLAG=1 (or USE_EGG1_FLAG=Y) to the KFWENV enironment file of the Tioli Enterprise Portal Serer (see (If applicable) Edit the portal serer enironment file on page 123). ICSF load library If ICSF is installed and configured on the z/os system, specify the ICSF load library that contains the CSNB* modules used for password encryption. CSF.SCSFMOD0 is the default. If ICSF is not installed on the system, clear the field. TMS encryption key Specify a unique, 32-byte password encryption key. The alue is case-sensitie. Be sure to record the alue you use for the key. You must use the same key during the installation of any monitoring agents that communicate with this monitoring serer. If ICSF is not installed on the system, clear the field. Program to Program Interface (PPI) information (Optional) Specify the PPI alues that enable forwarding of Take Action commands to NetView 66 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

79 for z/os for authorization and execution. If you enable forwarding, you must also enable NetView to receie and authorize the commands (see Enable NetView to authorize Take Action commands on page 152). Forward Take Action commands to NetView for z/os Specify Y if you want the Tioli Enterprise Monitoring Serer to forward z/os console commands issued as Take Action commands to NetView for authorization and execution. The default alue is N. NetView PPI receier Specify the name of the PPI receier on NetView that will receie Take Action commands. This name must match the receier name specified on the NetView APSERV command. The default name is CNMPCMDR. If the specified name is incorrect or the receier is not actie on NetView for z/os, default command routing to the z/os console is performed. The Configuration Tool generates the KGLHC_PPI_RECEIVER enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. The alue must be a 1- through 8-character, unique identifier for the receier program. It can contain alphabetic characters A-Z and a-z, numeric characters 0-9, and the following special characters: dollar sign ($), percent sign (%), ampersand (&), at sign (@), and number sign (#). This alue must match the alue specified in the NetView DSIPARM initialization member, CNMSTYLE (see Enable NetView to authorize Take Action commands on page 152). If a alue is specified for this parameter and either the specified name is incorrect or the receier is not actie on NetView for z/os, the command fails. If no alue is specified, default command routing to the z/os console is performed. This parameter is required if you answered Y in the Forward Take Action commands to NetView for z/os field. TEMS PPI sender Optionally, specify the name of the PPI sender. The alue must be a 1- through 8-character unique identifier for the receier program. It can contain alphabetic characters A-Z and a-z, numeric characters 0-9, and the following special characters: dollar sign ($), percent sign (%), ampersand (&), at sign (@), and number sign (#). This name must not conflict with any NetView for z/os domain name, as it is used in logging the command and command response in the NetView log. If a alue is specified on this field, the Configuration Tool generates the KGLHC_PPI_SENDER enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. If you do not specify a alue in this field, the default is the job name of the monitoring serer that is the source of the command. 3. When you hae completed the Specify Configuration Values panel, press F5 (Adanced) to display the Specify Adanced Configuration Values panel (Figure 14 on page 45). Accept the defaults or proide the alues appropriate for your site in the following fields: Enable Web Serices SOAP Serer Accept the default alue of Y. The SOAP serer must be enabled for a hub monitoring serer. See the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for more information. Enable startup console messages Accept the default alue of Y if you want a SYSLOG message on the console to indicate when the monitoring serer finishes initializing. You can use this message as an UP status message in your automation package (for example, Tioli System Automation for z/os). See the documentation for your automation package for instructions on capturing the monitoring serer automation message IDs (KO4SRV032 and KDSMA001). If the alue of this field is Y, the KGL_WTO=YES parameter is added to the KDSENV member of the &rhile.&rte.rkanparu data set. Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 67

80 Enable communications trace Set this parameter to Y if you want KDC_DEBUG=Y as the oerride setting in the &rhile.&rte.rkanparu(kdsenv) member. Otherwise, the default setting of KDC_DEBUG=N instructs the data communications layer to summarize communications problems. The default setting is intended for stable applications in production. Tip: The setting KDC_DEBUG=Y causes a great many records to be written to the log files. Use this setting only for testing or problem diagnosis. The default setting (KDC_DEBUG=N) generates standard RAS1 trace data in the monitoring serer RKLVLOG, in addition to the summary information diagnosing possible timeout conditions. Reconnect after TCP/IP recycle If you specify Y, the monitoring serer address space reconnects to its TCP/IP stack without being recycled after the stack is recycled. When this parameter is set to Y, the TOLERATERECYCLE keyword is added in the KLXINTCP member of the &rhile.&rte.rkanparu library. If this parameter is set to N (the default), then if the TCP/IP stack used by the monitoring serer is recycled, the monitoring serer address space must also be recycled to re-establish TCP/IP connectiity. Enable storage detail logging Accept the default alue of Y if you want to enable storage allocation detail logging. You can use the storage detail command output to analyze storage allocated by the monitoring serer address space. Specifying Y generates the second EVERY command in &rhile. &rte.rkancmdu(kdsstart). To disable storage detail logging, set this parameter to N. The second EVERY command is then written as a comment in &rhile.&rte.rkancmdu(kdsstart). Tip: If you disable storage logging on this panel and then want to actiate it after the monitoring serer is configured and running, you can issue the following modify command to the monitoring serer started task: /F started_task,every hh:mm:ss STORAGE D Issuing this modify command actiates storage detail logging without a requirement to recycle the monitoring serer. If you are enabling storage detail logging on the Specify Adanced Configuration Values panel, accept the default alues or set your own alues for two time interals: Storage detail logging Specify how often you want storage allocation detail to be logged. This interal alue is written as part of the second EVERY command in &rhile. &rte.rkancmdu(kdsstart). The default is 60 minutes. Flush VSAM buffers Specify how often you want to force all deferred VSAM writes to DASD. This interal alue is written as part of the third EVERY command in &rhile. &rte.rkancmdu(kdsstart). The default is 30 minutes. Virtual IP Address (VIPA) type Specify D (Dynamic VIPA, or DVIPA). DVIPA requires one of the following communication protocols: IP.PIPE, IP.SPIPE, IP6.PIPE, or IP6.SPIPE. For more information about specifying communication protocols, see Specify communication protocols on page 51. Minimum extended storage Specify the minimum amount of irtual storage to be made aailable to the monitoring agents 68 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

81 and other components that are communicating with this monitoring serer. The default alue is If you do not hae many IBM components reporting to the serer and you want to consere storage, you can lower the alue. This alue is used for the MINIMUM parameter in the KDSSYSIN member of &rhile.&rte.rkanparu. This example shows the default alue: MINIMUM(768000,X) Maximum storage request size Specify the maximum TMS:Engine storage request size, as a power of 2, for primary storage and for extended storage. The maximum alue you specify for each type of storage request (primary and extended) can be no higher than 25 (32768 KB). The default maximum for extended storage is 23 (8192 KB). The default maximum for primary storage is 16 (64 KB). Howeer, some monitoring agents configured to run in the monitoring serer address space require a maximum primary storage request size of 20 (1 MB). If a program requests a block of storage larger than the maximum alue set, an abend occurs. The maximum alue is used in building storage access tables to speed memory allocation. Too small a alue causes TMS:Engine components to fail. Too large a alue wastes storage and increases processing oerhead. You might hae to specify a larger alue if any of your monitoring agents builds large VTAM request/response units (RUs) and data streams. This alue is used for the LIMIT parameter in the KDSSYSIN member of &rhile. &rte.rkanparu. This example shows the default alues: LIMIT(23,X) LIMIT(16,P) Language locale This parameter is required. The default alue is 1 (English - United States). Press F1 (Help) and select Language locale for a list of the possible alues. Specify the numeric alue that represents the language and region for the z/os system. The Configuration Tool uses this alue to set the country and character set for the LANG enironment ariable in &rhile.&rte.rkanparu(kdsenv). For example, if you accept the default alue of 1 (English - United States), the Configuration Tool generates this enironment ariable in KDSENV: LANG=en_US.ibm-037 If the z/os UNIX System Serices (USS) codepage (en_us.ibm-1047) is required, you can specify either en_us.ibm-1047 or 1A in the Language locale field. In batch mode, you can specify either of these alues: Kpp_CMS_ICU_LANG en_us.ibm-1047 Kpp_CMS_ICU_LANG 1A Tip: The USS codepage (en_us.ibm-1047) is required for agent autonomy and for priate situation XML files. z/os Audit collection alues These parameters allow you to actiate and set parameters that control the auditing facility (see Whether to enable the auditing function on page 17 for more information). Enable/Disable z/os audit collection This parameter specifies the audit detail leel; set it to M, B, D, orx, as explained in Enironment ariables that control the auditing function on page 18. The alue you specify generates an AUDIT_TRACE parameter in member KDSENV of the RKANPARU library. If you do not specified a alue for this parameter, AUDIT_TRACE=BASIC is set as the default. Maximum in-memory cache entries This parameter defines the maximum number of auditing records kept in short-term Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 69

82 memory, from 10 to 1000; it generates an AUDIT_MAX_HIST parameter in member KDSENV of the RKANPARU library. If you do not specify a alue here, AUDIT_MAX_HIST=100 is set as the default. Domain This field specifies an identifier that your site can use to associate audit records. It is suitable for grouping agents that are associated with each other. One example might be for collecting records regarding a particular customer. This field is also used to create unique namespaces for role-based access control (RBAC). The alue you specify generates an ITM_DOMAIN parameter in KDSENV. To specify adanced parameters for the Persistent Datastore, press F6 (PDS) to display the KDSPPDS (Specify Persistent Datastore Configuration Values) panel (see Figure 15 on page 48). These fields define default parameters for the persistent datastore, the repository for short-term historical data. For detailed information, see IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Maintenance procedure prefix This prefix is applied to the procedures that perform maintenance when the persistent datastore is full. Specify the same prefix for all products in all runtime enironments. The default is KPDPROC. This parameter is required een if you intend to configure historical data collection at the location of the monitoring agents rather than at the location of the monitoring serer. Datastore file high-leel prefix Specify the high-leel qualifier to use when allocating persistent datastore files in this runtime enironment. The default is &rhile.&rte. This parameter is required een if you intend to configure historical data collection at the location of the monitoring agents rather than at the location of the monitoring serer. Volume Specify the default DASD olume to use when allocating persistent datastore files in this runtime enironment. The default is the olume specified for the runtime enironment. Unit Specify the default DASD unit to use when allocating persistent datastore files in this runtime enironment. Valid unit types are 3380 and The default is the unit type specified for the runtime enironment. Storclas Specify the default SMS storage class to use when allocating persistent datastore files in this runtime enironment. If your site does not require the SMS STORCLAS parameter, you can leae this field blank. Mgmtclas Specify the default SMS management class to use when allocating persistent datastore files in this runtime enironment. If your site does not require the SMS MGMTCLAS parameter, you can leae this field blank. When you hae defined all necessary Persistent Datastore parameters, press Enter. Tip: Under the guidance of IBM Software Support, you can specify alues for parameters other than those shown on the Specify Configuration Values and Specify Adanced Configuration Values panels. To do so, press F5 from the Specify Adanced Configuration Values panel to display the Specify Nonstandard Parameters panel. On this panel you can add, replace, or delete parameter alues in any member of any runtime library. For details, press F1 on the Specify Nonstandard Parameters panel or see the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. 4. Press Enter to accept the alues. 70 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

83 The Communication Selection panel is displayed, as shown in Figure 30. This panel lists hub monitoring serers configured in other runtime enironments accessible to the Configuration Tool. KCIPCMSS COMMUNICATION SELECTION PANEL FOR SHARING2 Row 1 to 1 of 1 Select the hub (primary TEMS) to connect to this remote TEMS. The following lists eligible Tioli Enterprise Monitoring Serers (TEMS) that you hae configured. Enter S next to the TEMS to connect to this remote. To manually enter the TEMS information, press F5. TEMS RTE name RTE Type (mid-leel) Description _ HUB HAHUB Runtime enironment for high-aailability hub F1=Help F3=Back F5=Adanced F7=Up F8=Down Figure 30. Communication Selection panel 5. Enter S beside the high-aailability hub. In the example, this is the hub in the runtime enironment named HAHUB. 6. Press Enter until you return to the Configure the TEMS panel (Figure 10 on page 40). Specify communication protocols To specify protocols for communications with this remote monitoring serer, complete the following procedure: 1. From the Configure the TEMS panel (Figure 10 on page 40), enter 3 to display the Specify Communication Protocols panel (Figure 31). KDS62PPA SPECIFY COMMUNICATION PROTOCOLS Specify the communication protocols in priority sequence for TEMS rte:cms. IP.PIPE ==> 1 (Non-secure NCS RPC) IP.UDP ==> 2 (Non-secure NCS RPC) IP6.PIPE ==> (IP.PIPE for IPV6) IP6.UDP ==> (IP.UDP for IPV6) IP.SPIPE ==> (Secure IP.PIPE) IP6.SPIPE ==> (Secure IP.PIPE for IPV6) SNA.PIPE ==> 3 (Non-secure NCS RPC) Note: SNA.PIPE is required under certain conditions. Press F1=Help. * This Remote TEMS reports to a Hub that uses IP.PIPE to connect. Ensure that this Remote TEMS also specifies the IP.PIPE protocol. * The protocol(s) in use by the Hub TEMS are: -Unsecured IP.PIPE -Unsecured IP.UDP * Ensure that this Remote TEMS also specifies a Network interface list that is compatible with the Hub TEMS. Enter=Next F1=Help F3=Back Figure 31. Specify Communication Protocols panel This panel lists the communication protocols to be used by the remote monitoring serer. The number beside each protocol indicates its priority. When communication with another component is initiated, the monitoring serer tries Protocol 1 first and goes to Protocol 2 and then to Protocol 3, and so on, in case of failure. Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 71

84 Tips Because the high-aailability hub uses a piped protocol (IP.PIPE, IP6.PIPE, IP.SPIPE, or IP6.SPIPE), you must select that protocol for the remote monitoring serer. If the remote monitoring serer will communicate with any monitoring agents that require SNA, SNA.PIPE must be one of the protocols chosen, but it does not hae to be Protocol 1. Examples of such monitoring agents include OMEGAMON XE on z/os (for the EPILOG facility of the OMEGAMON II component) and OMEGAMON XE for Messaging on z/os (for the 3270 interface component). See the product-specific configuration guides for further information about SNA requirements. For more information about the communication protocols, see "Decision 5: How to set up communications between components" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. 2. Supply the priority number for each protocol you want to select. 3. When you hae selected protocols and assigned their priorities, press Enter. The panel displayed next depends on the protocols and priorities you hae specified. IP.PIPE, IP6.PIPE, IP.SPIPE, and IP6.SPIPE Figure 32 shows the Specify IP.PIPE Communication Protocol panel, where you specify alues for the IP.PIPE, IP6.PIPE, IP.SPIPE, and IP6.SPIPE protocols. KDS62PPD SPECIFY IP.PIPE COMMUNICATION PROTOCOL Specify IP.PIPE communication alues. * Network address (Hostname): ==> system_hostname Started task ==> * (Recommended default = *) Network interface list: (Required**) ==>!* ** Non-local Hub TEMS interface list: "!OMEGAHUB" ** Use "!*": Required for any Remote TEMS connecting to an HA Hub Port number of Hub ==> 1918 (IP.PIPE) Port number of Hub ==> (IP.PIPE for IPV6) Port number of Hub ==> (Secure IP.PIPE) Port number of Hub ==> (Secure IP.PIPE for IPV6) Address translation ==> N (Y, N) Partition name ==> * Note: See F1=Help for TSO HOMETEST command instructions. Enter=Next F1=Help F3=Back Figure 32. Specify IP.PIPE Communication Protocol panel Network address (Hostname) The TCP/IP host name (in IPV4 dotted-decimal format) of the z/os system where the remote monitoring serer is installed. To obtain the host name and IP address, enter TSO HOMETEST at the command line. If the z/os domain name resoler configuration specifies a search path that includes the target domain suffix, specify only the first qualifier of the host name. (Example: sys is the first qualifier of the fully qualified host name sys.ibm.com.) Otherwise, specify the fully qualified host name. 72 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

85 Started task Identifies the TCP/IP stack to be used. If the LPAR contains a single TCP/IP stack, accept the default alue of an asterisk (*), which uses the first TCP/IP stack that was started. If the LPAR contains more than one TCP/IP stack, specify the started task name of the TCP/IP stack you want to use. Alternatiely, you can specify the number sign (#), which is translated to a blank and allows the TCP/IP enironment to choose the stack to use, either through TCP/IP definitions or through the use of the SYSTCPD DD statement. Tip: Whicheer method is used to select a TCP/IP stack in a multi-stack enironment, the Tioli Management Serices components continue to use that stack, een if a different stack becomes the primary stack. Therefore, in a multi-stack enironment, it is best to specify the started task name of the TCP/IP stack to be used, rather than specifying a wildcard or a blank. If IP domain name resolution is not fully configured on the z/os system, the SYSTCPD DD statement is required (see (If applicable) Add support for the SYSTCPD DDNAME in the monitoring serer started task on page 119). Network interface list You must specify one of the following alues for a remote monitoring serer reporting to the high-aailability hub in the same sysplex:!* to force the remote monitoring serer to use only the interface associated with the default host name for the z/os image. -dipa_hostname to use any interface except the one associated with dipa_hostname. When you supply a alue in the Network interface list field, the Configuration Tool generates the KDEB_INTERFACELIST enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. See "Network interfaces" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for more information about interface lists. Hub port numbers For each of the selected IP*.*PIPE protocols, these fields specify the well-known port for the hub. These fields are read-only. Address translation By default, Ephemeral Pipe Support (EPS) is enabled to allow IP.PIPE connections to cross a network address-translating firewall. This feature obiates the requirement for a broker partition file (KDC_PARTITIONFILE=KDCPART). If you specifically want to disable EPS, specify Y for Address translation. For more information, see "Implementation of firewall support" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Partition name If you specified Y for Address translation, you must supply the partition name (label) that identifies the location of the monitoring serer relatie to the firewall(s) used for address translation. The partition name that you supply is added to the partition table, which contains labels and associated socket addresses proided by the firewall administrator. The label is used outside the firewall to establish monitoring serer connections. The well-known port for the hub monitoring serer must be authorized by the firewall administrator. For the IP*.*PIPE protocols, no additional ports require authorization. When you press Enter after proiding the IP*.*PIPE configuration alues, if you specified Y for Address translation, the Specify IP.PIPE Partition References panel (Figure 19 on page 54) is displayed. The name of the monitoring serer, its partition name (that is, its location or namespace relatie to the firewall), and its partition address (the IP address assigned to the monitoring serer in the specified partition) are displayed at the top of the Specify IP.PIPE Partition References panel. Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 73

86 Use the fields of this panel to specify partition references (the alues required to support communication across a firewall using address translation rather than EPS). If more than one firewall is used, specify a partition reference for each firewall. Partition Supply the partition name assigned to the monitoring serer from a location on the other side of the firewall. Address Supply the IP address assigned to the monitoring serer from a location on the other side of the firewall. To add a partition reference, specify the partition name and the address used in that partition to communicate with the monitoring serer, and press Enter. To modify an existing partition reference, type oer an entry and press Enter. To delete a reference, type D in the Action field and press Enter. Modifications resulting in duplicate entries are ignored. The alues proided on this panel are saed as the KDC_PARTITIONFILE enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. KDC_PARTITIONFILE points to a member, KDCPART, created in the &rhile.&rte.rkanparu library. IP.UDP and IP6.UDP The field definitions and instructions for the IP.UDP and IP6.UDP protocols are the same as those for the IP*.*PIPE protocols, except that address translation does not apply to IP.UDP and IP6.UDP. SNA.PIPE Figure 33 shows the Specify SNA Communication Protocol panel. KDS62PPB SPECIFY SNA COMMUNICATION PROTOCOL Specify the SNA communication alues for this TEMS. Applid prefix ==> DS Network ID ==> (NETID alue from SYS1.VTAMLST(ATCSTRnn)) Enter=Next F1=Help F3=Back F6=Applids Figure 33. Specify SNA Communication Protocol panel Supply alues for these fields. Applid prefix This alue is used to create the VTAM applids required by the monitoring serer. These applids begin with the prefix, and end with a specific alue that makes each applid unique. The applids are contained in the VTAM major node. You specified this alue when you defined the runtime enironment. Network ID The identifier of your VTAM network. You specified this alue when you defined the runtime enironment. You can also obtain this alue from the NETID parameter in the VTAMLST startup member ATCSTRnn. 4. Press Enter to return to the Configure the TEMS panel (Figure 10 on page 40). (Optional) Enable the self-describing agent capability For the Tioli Enterprise Monitoring Serer you are configuring to correctly "seed" agents built with the self-describing capability (for ersion 6.2.3, these are only the distributed agents; in other words, no z/os agent is self-describing), you must first enable the hub monitoring serer with which these agents will communicate to receie and process self-description data. (For additional information about this capability, see Whether to enable the self-describing agents capability on page 15.) To enable the self-describing agent capability, complete the following procedure: 74 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

87 1. From the Configure the TEMS panel, enter 4 (Configure TEMS Self-Describing Agent Parameters) to display the Configure TEMS Self-Describing Agent Parameters (panel ID KDS62MC4), shown in Figure 24 on page 58. This panel lays out the remaining steps required for you to authorize the processing of self-describing agent data; they are: a. Specify TEMS Self-Describing Agent alues Here you specify the parameters the monitoring serer requires to process self-describing agent data. b. Create configuration members Here you generate a batch job that will configure the runtime members that create the HFS or zfs directories and copy files to z/os UNIX system serices (USS). c. Create HFS directories and copy files on USS Here you generate a batch job that will create those HFS or zfs directories and copy the files to USS. The remaining subsections describe each of these steps in turn. Specify TEMS Self-Describing Agent alues: 1. From the Configure TEMS Self-Describing Agent Parameters panel (see Figure 24 on page 58), select the Specify TEMS Self-Describing Agent alues step: tab to line 1, and enter S. The TEMS Self-Describing Agent Values panel (panel ID KDS62PP4), shown in Figure 25 on page 59, is displayed. 2. Turn on the processing of self-describing agent data: set Enable TEMS Self-Description processing to Y. 3. If the address space of the monitoring serer you're configuring will also contain z/os monitoring agents (such as the OMEGAMON XE on z/os agent or the OMEGAMON XE for Storage agent), turn on support for self-describing agents within this monitoring serer: set Agent Self-Description Processing in TEMS to Y. Note: For Version of the IBM Tioli Monitoring, there are no self-describing z/os agents; therefore, for now, leae this parameter set to N. 4. Supply the name of your site's Jaa root directory (initially /usr/lpp/jaa/ibm/j6.0) within UNIX System Serices (USS). The self-describing agent capability uses this directory to locate and load the jar utility. 5. Supply the name of your site's UNIX System Serices procedure (CLIST) library (initially SYS1.SBPXEXEC). 6. Press Enter to sae these parameter alues. Create configuration members: From the Configure TEMS Self-Describing Agent Parameters panel (see Figure 24 on page 58), select the Create configuration members step: tab to line 2, and enter S. The DS#6T623 batch job is created and submitted. Create HFS directories and copy files on USS: From the Configure TEMS Self-Describing Agent Parameters panel (see Figure 24 on page 58), select the Create HFS directories and copy files on USS step: tab to line 3, and enter S. The DS#UT623 batch job is created and submitted. Note: This job must be submitted on a machine that can access the USS directories. In addition, the job must be submitted by a TSO userid that has write access to the HFS/zFS directories. Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 75

88 Note about security definitions for the new USS files To create the runtime enironment's new UNIX System Serices directories, the DS#UT623 job inokes mkdir commands similar to the following: mkdir RTE_USS_RTEDIR/COMPUSS/kds/support/TEMS/META-INF MODE(7,7,7) Note that these directories are created with MODE(7,7,7), which grants write permission to these directories to all users. This MODE alue is specified because the TSO userid of the person running ICAT is not necessarily the same userid as that associated with the monitoring serer started task. Howeer, both userids require write access to the runtime USS directories for the following reasons: To support the self-describing agents feature, the monitoring serer running on z/os must be able to add and remoe files from these USS directories. A more restrictie MODE setting would preent the monitoring serer from doing so. If a subsequent uninstall is performed from ICAT, the TSO userid of the person running ICAT must hae write access to these same directories. If your site requires a more secure access scheme for these runtime USS directories, you can accomplish this using group-based security. Here's how: 1. The ICAT userid is dayce as in the aboe example, and it is connected to three security groups: GROUP1, GROUP2, and GROUP3. Since GROUP1 is dayce's default group, all of the newly created RTE USS directories are owned by GROUP1 by default. 2. The userid of the monitoring serer started task is stcuser, and it is connected to two security groups: GROUP2 and GROUP4. Since both userids hae GROUP2 in common, the dayce userid could log on to USS and issue a chgrp command to set GROUP2 as the owner of the runtime enironment's USS directories, as in this example: > chgrp -R GROUP2 COMPUSS 3. Next, the dayce userid can issue a chmod command to change the original MODE(7,7,7) alue to something more restrictie, such as: > chmod -R 775 COMPUSS After issuing this chmod command, only users who are connected to GROUP2 hae write access to the runtime USS directories. If the ICAT userid and the userid associated with the monitoring serer started task do not hae any security groups in common, you must either connect both userids to a common security group or define a new security group and connect both userids to that group. Whicheer option you choose, you must still perform the chgrp and chmod actions described aboe. Create runtime members and configure the persistent datastore Follow the instructions in Create the runtime members on page 61 to create the runtime members for the remote monitoring serer, and then follow the instructions in Configure the persistent datastore on page 61 to configure the persistent datastore and create its runtime members. Then press F3 (Back) until you return to the Product Component Selection panel (Figure 28 on page 64). Step 5. Configure monitoring agents to report to the remote monitoring serer In this step, you configure monitoring agents in the same runtime enironment with the remote monitoring serer. 76 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

89 1. On the Product Component Selection panel (Figure 28 on page 64), select the monitoring agent. If two monitoring agent components are listed, select the OMEGAMON II component first. COMPONENT TITLE 1 Tioli Enterprise Monitoring Serer 2 OMEGAMON II... 3 IBM Tioli OMEGAMON XE To configure the monitoring agent, follow the configuration instructions in the product publications in the Tioli Monitoring and OMEGAMON XE Information Center at tiihelp/15r1/index.jsp?toc=. Be sure to select the option Register with local TEMS. This option produces a job that enables the monitoring agent to transmit data to the remote monitoring serer. If you are configuring the monitoring agent in its own address space, be sure to leae the default alue of Y at this prompt: Connect to TEMS in this RTE ==> Y (Y, N) Follow the steps up to Complete the configuration. 3. Press F3 until you return to the Product Selection Menu (Figure 5 on page 33). 4. On the Product Selection Menu, enter S (Select) to the left of the name of another monitoring agent. 5. On the Runtime Enironments (RTEs) panel (Figure 6 on page 34), type C (Configure) in the Action field to the left of the name of the runtime enironment where you configured the remote monitoring serer and the first monitoring agent. 6. On the Product Component Selection panel (Figure 28 on page 64), select the monitoring agent. You do not hae to reconfigure the remote monitoring serer to add a monitoring agent to the runtime enironment. 7. Repeat steps 2 to 6 until you hae configured all desired monitoring agents in the runtime enironment. Step 6. Load the runtime libraries Before you complete the configuration of the monitoring serer and monitoring agents outside the Configuration Tool, you must load the runtime libraries from the target libraries that were installed by SMP/E. The load job requires exclusie access to the runtime libraries. 1. On the Runtime Enironments (RTEs) panel Figure 6 on page 34, enter L (Load) in the Action field to the left of the name of the runtime enironment. 2. Reiew the JCL and submit the job. Verify that the job completes successfully and that the return code is 04 or lower. 3. When you finish loading the libraries, press F3 (Back) to return to the Runtime Enironments (RTEs) panel. 4. Go to Chapter 6, Completing the configuration, on page 119, Chapter 7, Adding application support to a monitoring serer on z/os, on page 129, and Part 3 of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for instructions on completing the configuration, adding application support to the monitoring serers, and alidating the configuration. 5. After you alidate the configuration, perform the tasks in Chapter 8, Configuring security on a monitoring serer on z/os, on page Go to Parts 4 and 5 of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for instructions on using batch mode to replicate the configured enironment to other LPARs. Chapter 3. Configuring a high-aailability hub and the remote monitoring serers that report to it 77

90 78 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

91 Chapter 4. Configuring the hub monitoring serer and monitoring agents in the same runtime enironment If your enironment does not hae DVIPA or does not meet some other requirement of the high-aailability hub, you hae other configuration options. The configuration shown in Figure 34 depicts the hub monitoring serer and seeral monitoring agents installed in the same runtime enironment on a single z/os image, with the monitoring agents reporting directly to the hub. This configuration is a basic one that you can expand to accommodate more systems. Figure 34. Hub monitoring serer and monitoring agents in the same runtime enironment PARMGEN method Complete these steps to configure a hub monitoring serer and monitoring agents in the same runtime enironment. Tip: To configure a stand-alone hub monitoring serer that is not a high-aailability hub, perform the monitoring serer configuration as described in this section, but omit Step 2. Set configuration parameters for the monitoring agents in the same runtime enironment on page 81. Step 1. Create the runtime enironment and set the configuration parameters for the hub Follow the steps in the "Configuring products with the PARMGEN method" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide to create a runtime enironment. In "Step 2. Set up your PARMGEN configuration profile," refer to the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Parameter Reference for information about the parameters in the configuration profile. The configuration profile is the &rhile.&rte.wconfig(&rte) member. Copyright IBM Corp. 2005,

92 Tips The parameters shown in this section are specific to the hub monitoring serer but are not the only parameters for which you must either accept or oerride the default alues in the configuration profile for the runtime enironment. After you set the parameters shown here, be sure to go through the entire configuration profile to make sure the parameter alues are correct for the configuration you want. The parameters with names beginning KDS_HUB are not parameters for the hub monitoring serer; they are parameters for remote monitoring serers. Be sure to uncomment any parameters that are needed for your configuration but are commented out by default. For example, if you want to enable eent forwarding, uncomment the KDS_TEMS_EIF_FLAG parameter and make sure its alue is Y. To uncomment a parameter in the configuration profile, delete the two asterisks (**) from the beginning of the line. Before: **KDS_TEMS_EIF_FLAG Y After: KDS_TEMS_EIF_FLAG Y Be sure to set the following parameter alues for the hub in the configuration profile: * Tioli Enterprise Monitoring Serer: KDS flag CONFIGURE_TEMS_KDS "Y" ** Tioli Enterprise Monitoring Serer (TEMS) flag and CMS_NODEID name: RTE_TEMS_CONFIGURED_FLAG Y RTE_TEMS_NAME_NODEID "rte_name:cms" ** TEMS configuration alues: KDS_TEMS_TYPE HUB The following additional requirements also apply to the hub configuration: KDS_TEMS_COMM_PROTOCOLn parameter At least one of the alues must be IPPIPE, IP, IP6PIPE, IP6, IPSPIPE, orip6spipe. If this monitoring serer will communicate with any monitoring agents that require SNA, SNA must be one of the protocols chosen, but it does not hae to be Protocol 1. Examples of such monitoring agents include OMEGAMON XE on z/os (for the EPILOG facility of the OMEGAMON II component) and OMEGAMON XE for Messaging on z/os (for the 3270 interface component). See the product-specific configuration guides for further information about SNA requirements. KDS_TEMS_TCP_PIPEc_PORT_NUM The port number that you set for each protocol used by the hub must be respecified for eery component that will communicate with the hub. Many other KDS_* parameters are needed for the hub monitoring serer configuration. See the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Parameter Reference for information about them. Configuring the monitoring serer to support encryption/decryption To actiate ICSF encryption/decryption within your newly configured hub monitoring serer using the PARMGEN configuration method, locate these lines in the configuration profile for the runtime enironment of the monitoring serer:: ** GBL_DSN_CSF_* ICSF system libraries: GBL_DSN_CSF_SCSFMOD0 "CSF.SCSFMOD0" ** TMS KAES256 password encryption key: **KDS_TEMS_SECURITY_KAES256_ENCKEY "IBMTioliMonitoringEncryptionKey" 80 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

93 Set GBL_DSN_CSF_SCSFMOD0 to the name of your site's Integrated Cryptographic Serice Facility (ICSF) library. Uncomment KDS_TEMS_SECURITY_KAES256_ENCKEY, and set it to your site's ICSF encryption key for IBM Tioli Monitoring. Once you hae set these parameters, if you enabled ICSF password encryption for your monitoring serer after creating the runtime enironment, rerun the following jobs: WCONFIG($PARSE*) File-tailoring job to recreate: WKANSAMU(KDSDKAES) Stand-alone Tioli Management Serices on z/os password encryption job, if you want a sample job that you can edit manually. WKANSAMU(KCIJPSEC) Composite security job's KAES256 step, if you want a file-tailored job. WKANSAMU(CANSDSST) Monitoring serer started task to concatenate the ICSF load library in the STEPLIB DDNAME. CANSDSST is the IBM-supplied default; set the alue to whateer you specified for the KDS_TEMS_STC parameter. WKANSAMU(KDSDKAES) or WKANSAMU(KCIJPSEC) Creates the encryption key member. WKANPARU(KAES256) or WKANSAMU(KCISYPJB) Run either WKANPARU(KAES256), the stand-alone started task procedure copy job, or WKANSAMU(KCIJPSYS), the composite system copy job that copies the modified monitoring serer started task to the system procedure library. Step 2. Set configuration parameters for the monitoring agents in the same runtime enironment In the same configuration profile, set parameter alues for each of the products you want to include in the runtime enironment of the hub monitoring serer. Follow the instructions in each product's Planning and Configuration Guide, and use the information in each product's Parameter Reference. After you finish customizing the configuration profile, go on to "Step 3. Submit batch jobs to complete the PARMGEN setup" in the "Configuring products with the PARMGEN method" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Step 3. (Optional) Replicate the runtime enironment to a remote system If desired, you can replicate the configured runtime enironment to another LPAR where the Tioli Enterprise Monitoring Serer and monitoring agents are installed, and set the monitoring serer parameters for a remote rather than a hub monitoring serer configuration. Follow the instructions in the "Using the PARMGEN method to replicate a configured enironment" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. In the configuration profile of the second runtime enironment, set the following parameter alues for the remote monitoring serer: Chapter 4. Configuring the hub monitoring serer and monitoring agents in the same runtime enironment 81

94 ** Tioli Enterprise Monitoring Serer (TEMS) flag and CMS_NODEID name: RTE_TEMS_CONFIGURED_FLAG Y RTE_TEMS_NAME_NODEID "remote_rte_name:cms" ** TEMS configuration alues: KDS_TEMS_TYPE REMOTE The following additional requirements also apply to the remote monitoring serer configuration: KDS_TEMS_COMM_PROTOCOLn parameter At least one of the communication protocols must be the same as a protocol selected for the hub. For information about the communication protocols, see "Decision 5: How to set up communications between components" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. KDS_TEMS_TCP_HOST parameter This is the TCP/IP host name (in IPV4 dotted-decimal format) of the z/os system where the remote monitoring serer is installed. KDS_HUB_TCP_HOST parameter This is the TCP/IP host name (in IPV4 dotted-decimal format) of the z/os system where the hub monitoring serer is installed. This parameter applies only to a remote monitoring serer that uses TCP/IP for communications. The alue specified for this parameter must match the alue set for the KDS_TEMS_TCP_HOST parameter in the runtime enironment where the hub is configured. KDS_HUB_TCP_pipe_type_PORT_NUM The alue must be the port number of the hub for each protocol selected. Many other KDS_* parameters are needed for the remote monitoring serer configuration. See the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Parameter Reference for information about them. Modify as needed the monitoring agent parameter alues for communication with the remote monitoring serer in the same runtime enironment. Follow the instructions in each product's Planning and Configuration Guide, and use the information in each product's Parameter Reference. After you finish customizing the configuration profile, go on to "Step 3. Submit batch jobs to complete the PARMGEN setup" in the "Configuring products with the PARMGEN method" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Now you can replicate to other z/os systems the configured runtime enironment that contains the remote monitoring serer and its monitoring agents. Follow the instructions in the "Using the PARMGEN method to replicate a configured enironment" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Configuration Tool (ICAT) method Be sure to complete Steps 1, 2, and 3 in the "Configuring products with the Configuration Tool" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide before you begin the configuration steps in this section. 82 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

95 Important When you select a product on the Product Selection Menu (Figure 5 on page 33), select one of the monitoring agents, not IBM Tioli Management Serices on z/os, if you want to configure both a monitoring serer and monitoring agents in the runtime enironment. If you select IBM Tioli Management Serices on z/os, you can only configure a stand-alone monitoring serer in its own runtime enironment, without any monitoring agents. To configure a stand-alone hub monitoring serer that is not a high-aailability hub, you select IBM Tioli Management Serices on z/os and perform the monitoring serer configuration as described in this section, but omit Step 2. Configure monitoring agents in the runtime enironment on page 97. Configuration steps Complete the following steps in order: Step 1. Configure the hub monitoring serer Step 2. Configure monitoring agents in the runtime enironment on page 97 Step 3. Load the runtime libraries on page 98 Step 1. Configure the hub monitoring serer If you intend to use a z/os hub and you hae not already configured one, the first monitoring serer you configure must be a hub. To configure the hub monitoring serer, perform the tasks in the following sections: 1. Begin the configuration. 2. Create a logmode. 3. Specify configuration alues on page Specify communication protocols on page Create the runtime members on page Configure the persistent datastore on page 61. Begin the configuration Perform the following steps to begin the configuration: 1. On the Runtime Enironments (RTEs) panel (Figure 6 on page 34), enter C (Configure) next to the runtime enironment you added for the hub monitoring serer and monitoring agents. The Product Component Selection Menu is displayed (Figure 28 on page 64). 2. From the Product Component Selection Menu, enter 1 to select Tioli Enterprise Monitoring Serer. The Configure the TEMS panel is displayed (Figure 10 on page 40). Tip: Select option I (Configuration information: What's New) to read about updates to monitoring serer configuration options since the preious ersions. Create a logmode If the monitoring serer is to communicate with any monitoring agents that require SNA, you must create a logmode or proide information about an existing logmode. Examples of monitoring agents that require SNA communications include OMEGAMON XE on z/os (for the EPILOG facility of the OMEGAMON II component) and OMEGAMON XE for Messaging on z/os (for the 3270 interface component). See the product-specific configuration guides for further information about SNA requirements. Chapter 4. Configuring the hub monitoring serer and monitoring agents in the same runtime enironment 83

96 If this monitoring serer will not communicate with any monitoring agents that require SNA, you can skip to Specify configuration alues. Otherwise, complete the following procedure: 1. From the Configure the TEMS panel (Figure 10 on page 40), enter 1 (Create LU 6.2 logmode). The Create LU6.2 Logmode panel is displayed (Figure 29 on page 65). Use this panel to specify the name of the LU6.2 logmode and logmode table required by the monitoring serer. Tip: If you plan to use an existing LU6.2 logmode, you do not hae to submit the job created from this panel. Howeer, you must ensure that the existing logmode has the same VTAM attributes as the logmode contained in the job. Be sure to proide the logmode information, een if you do not intend to submit the job. 2. Reiew the alues on the panel and specify site-specific alues. LU6.2 logmode The name of the LU6.2 logmode. A name is required een if you do not submit the job. Logmode table name The name of the logmode table that contains the LU6.2 logmode. A name is required een if you do not submit the job. VTAMLIB load library The name of the system library that contains VTAM logmode tables. This is typically SYS1.VTAMLIB (the default alue), but you can specify a different load library if you cannot or do not want to update VTAMLIB directly. VTAM macro library The name of the system library that contains the VTAM macros. This library is typically SYS1.SISTMAC (the default). 3. To accept the alues, press Enter. The JCL to create the logmode is displayed. If you want to use the LU6.2 logmode created by this job, reiew the JCL and submit the job. Verify that the job completes successfully and that all return codes are zero. If you want to use an existing LU6.2 logmode whose attributes match those in the logmode created by the job, press F3 (End) without submitting the job. You are returned to the Configure the TEMS panel (Figure 10 on page 40). Specify configuration alues In this step you indicate that the monitoring serer you are configuring is a hub. You also specify the name of the started task for this monitoring serer and whether security alidation is in force for the serer. Do not enable security alidation at this point. Security can be set up more effectiely after you complete and erify the configuration. 1. From the Configure the TEMS panel (Figure 10 on page 40), enter 2 to display the Specify Configuration Values panel (Figure 11 on page 41). 2. Proide alues for the following fields. Started task The name of the monitoring serer started task JCL procedure. Make a note of the name, because later you will hae to copy this started task procedure to your system procedure library. The default is CANSDSST. Tip: If you hae two or more runtime enironments on the same z/os image, make sure that the name of each started task is unique. Type (Hub or Remote) Specify HUB as the monitoring serer type. 84 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

97 Hub TEMS type Leae this field blank. If you specify HA to configure a high-aailability hub, you cannot configure monitoring agents in the same runtime enironment as the hub. To configure a high-aailability hub, follow the instructions in Chapter 3, Configuring a high-aailability hub and the remote monitoring serers that report to it, on page 27. For more information about the high-aailability hub, see Whether to configure a high-aailability hub on z/os on page 13. Security settings Validate security? This setting determines whether the hub monitoring serer alidates the user IDs and passwords of users signing on to the Tioli Enterprise Portal. Leae the alue N for now. If you set security alidation to Y at this point, you will hae difficulty completing the configuration steps and erifying the configuration. You can return to this panel and set security alidation to Y later, after you set up security for the monitoring serer (see Chapter 8, Configuring security on a monitoring serer on z/os, on page 143). When security alidation is enabled on this panel, alidation of users is handled by the security system specified for the runtime enironment. Integrated Cryptographic Serice Facility (ICSF) installed? If the IBM Integrated Cryptographic Serice Facility (ICSF) is installed and configured on the z/os system, set the alue to Y. If you specify that ICSF is not installed on this z/os system (N), then the monitoring serer uses an alternatie, less secure encryption scheme. Note: The encryption method specified for the monitoring serer and the Tioli Enterprise Portal Serer must match. If you specify that ICSF is not installed on this z/os system (N), you must add the line USE_EGG1_FLAG=1 (or USE_EGG1_FLAG=Y) tothe KFWENV enironment file of the Tioli Enterprise Portal Serer (see (If applicable) Edit the portal serer enironment file on page 123). ICSF load library If ICSF is installed and configured on the z/os system, specify the ICSF load library that contains the CSNB* modules used for password encryption. CSF.SCSFMOD0 is the default. If ICSF is not installed on the system, clear the field. TMS encryption key Specify a unique, 32-byte password encryption key. The alue is case-sensitie. Be sure to record the alue you use for the key. You must use the same key during the installation of any components that communicate with this monitoring serer, such as the Tioli Enterprise Portal Serer or a remote monitoring serer. If ICSF is not installed on the system, clear the field. Chapter 4. Configuring the hub monitoring serer and monitoring agents in the same runtime enironment 85

98 Encryption key tips The ampersand (&) character cannot be part of the encryption key. The DS#3ssss job (where ssss is the JCL suffix for the runtime enironment) creates the runtime members after you complete the monitoring serer configuration panels. This job uses the alue you specify for the encryption key to create the key file. The key file is member KAES256 in the &rhile.&rte.rkanparu library (see Create the runtime members on page 61). For security reasons, the encryption key alue is not displayed if you return to the Specify Configuration Values panel after you finish configuring the monitoring serer. If you reconfigure the monitoring serer by changing other parameter alues on the configuration panels, the resulting DS#3ssss job does not create a new key file. If you must change the encryption key alue after initial configuration, type the PWD command on the command line of the Specify Configuration Values panel, and then answer Y to the prompt "Do you want to disable ICSF encryption or reset the key?". You can then re-enable encryption and specify a different key. After doing so, you must recreate the runtime members ( Create the runtime members on page 61) and reload the runtime libraries ( Step 3. Load the runtime libraries on page 98). In batch mode, the encryption key alue is stored in parameter KDS_CMS_SEC_ENC_KEY. For batch mode processing, the encryption key is displayed in plain text so that it can be used as input for the KAES256 file in the &rhile.&rte.rkanparu library of other runtime enironments. Therefore, ensure that the &shile.instjobs library for this runtime enironment is secured before you create a batch parameter member containing its alues. The alue of the encryption key batch parameter (KDS_CMS_SEC_ENC_KEY) is enclosed in double quotation marks in the batch parameter member. If you must use a single quotation mark or apostrophe (') as part of the key alue, edit the batch parameter member to enclose the 32-byte encryption key string in two sets of double quotation marks (for example, ""key s_alue""). If you must use both single and double quotation marks as part of the key alue, use the interactie mode of the Configuration Tool instead of the batch mode. Program to Program Interface (PPI) information (Optional) Specify the PPI alues that enable forwarding of Take Action commands to NetView for z/os for authorization and execution. If you enable forwarding, you must also enable NetView to receie and authorize the commands (see Enable NetView to authorize Take Action commands on page 152). Forward Take Action commands to NetView for z/os Specify Y if you want the Tioli Enterprise Monitoring Serer to forward z/os console commands issued as Take Action commands to NetView for authorization and execution. The default alue is N. NetView PPI receier Specify the name of the PPI receier on NetView that will receie Take Action commands. This name must match the receier name specified on the NetView APSERV command. The default name is CNMPCMDR. If the specified name is incorrect or the receier is not actie on NetView for z/os, default command routing to the z/os console is performed. The Configuration Tool generates the KGLHC_PPI_RECEIVER enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. 86 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

99 The alue must be a 1- through 8-character unique identifier for the receier program. It can contain alphabetic characters A-Z and a-z, numeric characters 0-9, and the following special characters: dollar sign ($), percent sign (%), ampersand (&), at sign (@), and number sign (#). This alue must match the alue specified in the NetView DSIPARM initialization member, CNMSTYLE (see Enable NetView to authorize Take Action commands on page 152). If a alue is specified for this parameter and either the specified name is incorrect or the receier is not actie on NetView for z/os, the command fails. If no alue is specified, default command routing to the z/os console is performed. This parameter is required if you answered Y in the Forward Take Action commands to NetView for z/os field. TEMS PPI sender Optionally, specify the name of the PPI sender. The alue must be a 1- through 8-character, unique identifier for the receier program. It can contain alphabetic characters A-Z and a-z, numeric characters 0-9, and the following special characters: dollar sign ($), percent sign (%), ampersand (&), at sign (@), and number sign (#). This name must not conflict with any NetView for z/os domain name, as it is used in logging the command and command response in the NetView log. If a alue is specified on this field, the Configuration Tool generates the KGLHC_PPI_SENDER enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. If you do not specify a alue in this field, the default is the job name of the monitoring serer that is the source of the command. 3. When you hae completed the Specify Configuration Values panel, press F5 (Adanced) to display the Specify Adanced Configuration Values panel (Figure 14 on page 45). Accept the defaults or proide the alues appropriate for your site in the following fields: Enable Web Serices SOAP Serer Accept the default alue of Y. The SOAP serer is required to be enabled for a hub monitoring serer. See the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for more information. Enable Tioli Eent Integration Facility (EIF) Specify Y if you want to enable eent forwarding on this hub. The default alue is N. Ifyou specify Y, the KMS_OMTEC_INTEGRATION=YES enironment ariable is generated in the KDSENV member of &rhile.&rte.rkanparu. See Decision 2: Whether and how to enable eent forwarding on page 22 for more information about eent forwarding. Enable startup console messages Accept the default alue of Y if you want a SYSLOG message on the console to indicate when the monitoring serer finishes initializing. You can use this message as an UP status message in your automation package (for example, Tioli System Automation for z/os). See the documentation for your automation package for instructions on capturing the monitoring serer automation message IDs (KO4SRV032 and KDSMA001). If the alue of this field is Y, the KGL_WTO=YES parameter is added to the KDSENV member of the &rhile.&rte.rkanparu data set. Enable communications trace Set this parameter to Y if you want KDC_DEBUG=Y as the oerride setting in the &rhile.&rte.rkanparu(kdsenv) member. Otherwise, the default setting of KDC_DEBUG=N instructs the data communications layer to summarize communications problems. The default setting is intended for stable applications in production. Tip: The setting KDC_DEBUG=Y causes a great many records to be written to the log files. Use this setting only for testing or problem diagnosis. Chapter 4. Configuring the hub monitoring serer and monitoring agents in the same runtime enironment 87

100 The default setting (KDC_DEBUG=N) generates standard RAS1 trace data in the monitoring serer RKLVLOG, in addition to the summary information diagnosing possible timeout conditions. The following settings report on data communications problems: KDC_DEBUG=N Minimal tracing (the default). KDC_DEBUG=Y Full-packet tracing. KDC_DEBUG=D KDC_DEBUG=Y, plus state and flow tracing. KDC_DEBUG=M KDC_DEBUG=D, plus input and output help tracing. KDC_DEBUG=A KDC_DEBUG=M, plus all-format tracing. Do not set KDC_DEBUG=A unless directed by IBM Software Support personnel. Reconnect after TCP/IP recycle If you specify Y, the monitoring serer address space reconnects to its TCP/IP stack without being recycled after the stack is recycled. When this parameter is set to Y, the TOLERATERECYCLE keyword is added in the KLXINTCP member of the &rhile.&rte.rkanparu library. If this parameter is set to N (the default), then if the TCP/IP stack used by the monitoring serer is recycled, the monitoring serer address space must also be recycled to re-establish TCP/IP connectiity. Enable storage detail logging Accept the default alue of Y if you want to enable storage allocation detail logging. You can use the storage detail command output to analyze storage allocated by the monitoring serer address space. Specifying Y generates the second EVERY command in &rhile. &rte.rkancmdu(kdsstart). To disable storage detail logging, set this parameter to N. The second EVERY command is then written as a comment in &rhile.&rte.rkancmdu(kdsstart). Tip: If you disable storage logging on this panel and then want to actiate it after the monitoring serer is configured and running, you can issue the following modify command to the monitoring serer started task: /F started_task,every hh:mm:ss STORAGE D Issuing this modify command actiates storage detail logging without a requirement to recycle the monitoring serer. If you are enabling storage detail logging on the Specify Adanced Configuration Values panel, accept the default alues or set your own alues for two time interals: Storage detail logging Specify how often you want storage allocation detail to be logged. This interal alue is written as part of the second EVERY command in &rhile. &rte.rkancmdu(kdsstart). The default is 60 minutes. Flush VSAM buffers Specify how often you want to force all deferred VSAM writes to DASD. This interal alue is written as part of the third EVERY command in &rhile. &rte.rkancmdu(kdsstart). The default is 30 minutes. Virtual IP Address (VIPA) type Specify the type of VIPA defined for the z/os system. The default is N (None). If VIPA is in use, 88 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

101 specify either S (Static) or D (Dynamic). The VIPA name of the monitoring serer must be resolable through the Domain Name Serer (DNS). Dynamic VIPA requires one of the following communication protocols: IP.PIPE, IP.SPIPE, IP6.PIPE, or IP6.SPIPE. For more information about communication protocols, see Specify communication protocols on page 51. Minimum extended storage Specify the minimum amount of irtual storage to be made aailable to the monitoring agents and other components that are communicating with this monitoring serer. The default alue is If you do not hae many IBM components reporting to the serer and you want to consere storage, you can lower the alue. This alue is used for the MINIMUM parameter in the KDSSYSIN member of &rhile.&rte.rkanparu. This example shows the default alue: MINIMUM(768000,X) Maximum storage request size Specify the maximum TMS:Engine storage request size, as a power of 2, for primary storage and for extended storage. The maximum alue you specify for each type of storage request (primary and extended) can be no higher than 25 (32768 KB). The default maximum for extended storage is 23 (8192 KB). The default maximum for primary storage is 16 (64 KB). Howeer, some monitoring agents configured to run in the monitoring serer address space require a maximum primary storage request size of 20 (1 MB). If a program requests a block of storage larger than the maximum alue set, an abend occurs. The maximum alue is used in building storage access tables to speed memory allocation. Too small a alue causes TMS:Engine components to fail. Too large a alue wastes storage and increases processing oerhead. You might hae to specify a larger alue if any of your monitoring agents builds large VTAM request/response units (RUs) and data streams. This alue is used for the LIMIT parameter in the KDSSYSIN member of &rhile. &rte.rkanparu. This example shows the default alues: LIMIT(23,X) LIMIT(16,P) Language locale This parameter is required. The default alue is 1 (English - United States). Press F1 (Help) and select Language locale for a list of the possible alues. Specify the numeric alue that represents the language and region for the z/os system. The Configuration Tool uses this alue to set the country and character set for the LANG enironment ariable in &rhile.&rte.rkanparu(kdsenv). For example, if you accept the default alue of 1 (English - United States), the Configuration Tool generates this enironment ariable in KDSENV: LANG=en_US.ibm-037 If the z/os UNIX System Serices (USS) codepage (en_us.ibm-1047) is required, you can specify either en_us.ibm-1047 or 1A in the Language locale field. In batch mode, you can specify either of these alues: Kpp_CMS_ICU_LANG en_us.ibm-1047 Kpp_CMS_ICU_LANG 1A Tip: The USS codepage (en_us.ibm-1047) is required for agent autonomy and for priate situation XML files. z/os Audit collection alues These parameters allow you to actiate and set parameters that control the auditing facility (see Whether to enable the auditing function on page 17 for more information). Chapter 4. Configuring the hub monitoring serer and monitoring agents in the same runtime enironment 89

102 Enable/Disable z/os audit collection This parameter specifies the audit detail leel; set it to M, B, D, orx, as explained in Enironment ariables that control the auditing function on page 18. The alue you specify generates an AUDIT_TRACE parameter in member KDSENV of the RKANPARU library. If you do not specified a alue for this parameter, AUDIT_TRACE=BASIC is set as the default. Maximum in-memory cache entries This parameter defines the maximum number of auditing records kept in short-term memory, from 10 to 1000; it generates an AUDIT_MAX_HIST parameter in member KDSENV of the RKANPARU library. If you do not specify a alue here, AUDIT_MAX_HIST=100 is set as the default. Domain This field specifies an identifier that your site can use to associate audit records. It is suitable for grouping agents that are associated with each other. One example might be for collecting records regarding a particular customer. This field is also used to create unique namespaces for role-based access control (RBAC). The alue you specify generates an ITM_DOMAIN parameter in KDSENV. To specify adanced parameters for the Persistent Datastore, press F6 (PDS) to display the KDSPPDS (Specify Persistent Datastore Configuration Values) panel (see Figure 15 on page 48). These fields define default parameters for the persistent datastore, the repository for short-term historical data. For detailed information, see IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Maintenance procedure prefix This prefix is applied to the procedures that perform maintenance when the persistent datastore is full. Specify the same prefix for all products in all runtime enironments. The default is KPDPROC. This parameter is required een if you intend to configure historical data collection at the location of the monitoring agents rather than at the location of the monitoring serer. Datastore file high-leel prefix Specify the high-leel qualifier to use when allocating persistent datastore files in this runtime enironment. The default is &rhile.&rte. This parameter is required een if you intend to configure historical data collection at the location of the monitoring agents rather than at the location of the monitoring serer. Volume Specify the default DASD olume to use when allocating persistent datastore files in this runtime enironment. The default is the olume specified for the runtime enironment. Unit Specify the default DASD unit to use when allocating persistent datastore files in this runtime enironment. Valid unit types are 3380 and The default is the unit type specified for the runtime enironment. Storclas Specify the default SMS storage class to use when allocating persistent datastore files in this runtime enironment. If your site does not require the SMS STORCLAS parameter, you can leae this field blank. Mgmtclas Specify the default SMS management class to use when allocating persistent datastore files in this runtime enironment. If your site does not require the SMS MGMTCLAS parameter, you can leae this field blank. When you hae defined all necessary Persistent Datastore parameters, press Enter. 90 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

103 Tip: Under the guidance of IBM Software Support, you can specify alues for parameters other than those shown on the Specify Configuration Values and Specify Adanced Configuration Values panels. To do so, press F5 from the Specify Adanced Configuration Values panel to display the Specify Nonstandard Parameters panel. On this panel you can add, replace, or delete parameter alues in any member of any runtime library. For details, press F1 on the Specify Nonstandard Parameters panel or see IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. 4. If you specified Y for Enable Tioli Eent Integration Facility (EIF), the Specify Values for Eent Destination panel (Figure 16 on page 50) is displayed when you press Enter on the Specify Adanced Configuration Values panel. To configure eent forwarding, proide alues for the fields on the Specify Values for Eent Destination panel: Eent serer type Specify the type of eent serer: T (the default) for Tioli Enterprise Console, or M for OMNIbus. This field corresponds to the EentListenerType parameter in the EIF configuration member &rhile.&rte.rkanparu(kmsomtec). Eent serer location Specify the fully qualified host name (in IPV4 dotted-decimal format) of the primary eent serer and of up to seen backup eent serers. This field corresponds to the SererLocation parameter the KMSOMTEC member. If you specify more than one eent serer, use commas to separate the host names or IP addresses. Eent serer location ==> primary_serer,backup_serer1,backup_serer2 If the EIF cannot send an eent to the first serer on the list, it tries the next one, and so on. Eent serer port Specify the port number on which the Tioli Enterprise Console eent serer or OMNIbus EIF probe listens for eents. This field corresponds to the SererPort parameter in the KMSOMTEC member. The default port number is If you specify more than one eent serer, use commas to separate the port numbers. List the port numbers in an order corresponding to the list of eent serer locations. Eent serer port ==> primary_port,backup_port1,backup_port2 Buffer eents maximum size Specify the maximum size, in KB, of the adapter cache file. The cache file stores eents on disk when they cannot be sent to the eent serer. This field corresponds to the BufEtMaxSize parameter in the KMSOMTEC member. The default alue is Disable Workflow Policy/Emitter Agent eent forwarding If you already hae workflow policies containing emitter actiities that send eents to the Tioli Enterprise Console, turning on EIF eent-forwarding causes duplicate eents. If you specify Y in this field, you deactiate the emitter actiities in your policies. The default alue is N. Policies gie you more control oer which eents are sent, and you might want to keep some policies actie. Moreoer, policies that contain the Tioli Enterprise Console emitter actiities generally do little else. If you deactiate these actiities, there is no point in running the policies. Therefore, you might want to delete the policies that are no longer required, instead of disabling them. If this field is set to Y, the KMS_DISABLE_TEC_EMITTER=YES parameter is generated in the KDSENV member of &rhile.&rte.rkanparu. 5. Press Enter until you return to the Configure the TEMS panel (Figure 10 on page 40). Specify communication protocols To specify protocols for communications between the hub monitoring serer and other components, complete the following procedure: Chapter 4. Configuring the hub monitoring serer and monitoring agents in the same runtime enironment 91

104 1. From the Configure the TEMS panel (Figure 10 on page 40), enter 3 to display the Specify Communication Protocols panel (Figure 17 on page 51). This panel lists the communication protocols to be used by the monitoring serer. The number beside each protocol indicates its priority. When communication with another component is initiated, the monitoring serer tries Protocol 1 first and goes to Protocol 2 and then to Protocol 3, and so on, in case of failure. Tips For the hub monitoring serer, at least one of the protocols chosen must be a TCP protocol to support the SOAP serer. If you hae enabled EIF eent forwarding, at least one of the protocols chosen must be a TCP protocol. If you plan to implement long-term historical data collection, communication with the Tioli Data Warehouse also requires a TCP protocol. If this monitoring serer will communicate with any monitoring agents that require SNA, SNA.PIPE must be one of the protocols chosen, but it does not hae to be Protocol 1. Examples of such monitoring agents include OMEGAMON XE on z/os (for the EPILOG facility of the OMEGAMON II component) and OMEGAMON XE for Messaging on z/os (for the 3270 interface component). See the product-specific configuration guides for further information about SNA requirements. For more information about the communication protocols, see "Decision 5: How to set up communications between components" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. 2. Supply the priority number for each protocol you want to select. IP.PIPE Uses the TCP/IP protocol for underlying communications. IP.UDP Also a TCP/IP protocol. Uses the packet-based, connectionless User Datagram Protocol (UDP). IP6.PIPE IP.PIPE protocol that supports IPV6. This protocol is aailable for a monitoring serer on a z/os system at release leel V1R7 or higher, with IPV6 installed and operational. IP6.UDP IP.UDP protocol that supports IPV6. This protocol is aailable for a monitoring serer on a z/os system at release leel V1R7 or higher, with IPV6 installed and operational. IP.SPIPE Secure IP.PIPE protocol. This protocol is aailable for a monitoring serer on a z/os system at release leel V1R7 or higher. IP6.SPIPE Secure IP.PIPE for IPV6. This protocol is aailable for a monitoring serer on a z/os system at release leel V1R7 or higher with IPV6 installed and operational. SNA.PIPE Uses the SNA Adanced Program-To-Program Communications (APPC). This protocol is required if the monitoring serer will communicate with any monitoring agents that require SNA, but it does not hae to be Protocol When you hae selected protocols and assigned their priorities, press Enter. The panel displayed next depends on the protocols and priorities you hae specified. IP.PIPE, IP6.PIPE, IP.SPIPE, and IP6.SPIPE Figure 18 on page 52 shows the Specify IP.PIPE Communication Protocol panel, where you specify alues for the IP.PIPE, IP6.PIPE, IP.SPIPE, and IP6.SPIPE protocols. 92 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

105 Network address (Hostname) The TCP/IP host name (in IPV4 dotted-decimal format) of the z/os system where the hub monitoring serer is installed. To obtain the host name and IP address, enter TSO HOMETEST at the command line. If the z/os domain name resoler configuration specifies a search path that includes the target domain suffix, specify only the first qualifier of the host name. (Example: sys is the first qualifier of the fully qualified host name sys.ibm.com.) Otherwise, specify the fully qualified host name. Started task Identifies the TCP/IP stack to be used. If the LPAR contains a single TCP/IP stack, accept the default alue of an asterisk (*), which uses the first TCP/IP stack that was started. If the LPAR contains more than one TCP/IP stack, specify the started task name of the TCP/IP stack you want to use. Alternatiely, you can specify the number sign (#), which is translated to a blank and allows the TCP/IP enironment to choose the stack to use, either through TCP/IP definitions or through the use of the SYSTCPD DD statement. Tip: Whicheer method is used to select a TCP/IP stack in a multi-stack enironment, the Tioli Management Serices components continue to use that stack, een if a different stack becomes the primary stack. Therefore, in a multi-stack enironment, it is best to specify the started task name of the TCP/IP stack to be used, rather than specifying a wildcard or a blank. If IP domain name resolution is not fully configured on the z/os system, the SYSTCPD DD statement is required (see (If applicable) Add support for the SYSTCPD DDNAME in the monitoring serer started task on page 119). Network interface list One or more network interfaces for the monitoring serer to use. If the z/os image has more than one TCP/IP interface or network adapter, you can use this parameter to direct the monitoring serer to connect to a specific TCP/IP local interface. If you proide a alue for this parameter, the Configuration Tool generates the KDEB_INTERFACELIST enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. To set a network interface list for the monitoring serer, supply one of the following alues: The host name or IP address of the preferred interface. A list of host names or IP addresses, in descending order of preference. Use a blank space to separate the entries. An asterisk (*) to prefer the interface associated with the default host name for the z/os image. To display this alue, enter TSO HOMETEST at the command line. An exclamation point followed by an asterisk (!*) to use only the interface associated with the default host name for the z/os image. An exclamation point followed by a host name or IP address (!hostname) to use only the interface associated with hostname. A minus sign followed by a host name or IP address (-hostname) to use any interface except the one associated with hostname. Chapter 4. Configuring the hub monitoring serer and monitoring agents in the same runtime enironment 93

106 Important If you set the alue of Network interface list to!* or!hostname, you must specify the same alue for eery component and product configured in all runtime enironments on the same z/os image. In the default character set (language locale en_us.ibm-037), the code for an exclamation point is x 5A. If you are using a character set other than the default, a different character might map to that code. Use the character that maps to x 5A in your character set. Set HEX ON in TSO Edit to confirm the correct character is entered. Port number Specify the well-known port for the hub monitoring serer, for each of the selected IP*.*PIPE protocols. The port numbers specified here are stored in the KDE_TRANSPORT enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. The default port numbers are 1918 for nonsecure IP protocols and 3660 for secure IP protocols. If you specified a different TCP/IP port number for the runtime enironment, the number you specified is shown as the default for nonsecure IP protocols. Make sure that the hub monitoring serer well-known port is not already on the TCP/IP resered port list. Also, the hub well-known port is the basis for an algorithm that assigns port numbers to the components configured to report to the hub. Make sure that the algorithm will not result in attempts to resere already-resered ports for those components. See "Port number assignments" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. HTTP serer port number The HTTP serer port is used for communications with the SOAP serer. Accept the default alue of If Port 1920 is in use when the monitoring serer is started, another port is assigned. Access TEMS list ia SOAP Serer? Specify Y to create the initial KSHXHUBS member required for SOAP serer operation. The KSHXHUBS member is stored in the &rhile.&rte.rkanparu library. The KSHXHUBS member contains the list of hub monitoring serers with which the SOAP serer communicates, and the corresponding user access list if access has been secured. The TEMS list in the KSHXHUBS member is an aliasing mechanism, equialent to the kshxhubs.xml file on distributed platforms. If the initial KSHXHUBS member has already been created and no changes are required to the SOAP serer alues, set this field to N. Address translation By default, Ephemeral Pipe Support (EPS) is enabled to allow IP.PIPE connections to cross a network address-translating firewall. This feature obiates the requirement for a broker partition file (KDC_PARTITIONFILE=KDCPART). If you specifically want to disable EPS, specify Y for Address translation. For more information, see "Implementation of firewall support" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Partition name If you specified Y for Address translation, you must supply the partition name (label) that identifies the location of the monitoring serer relatie to the firewall(s) used for address translation. 94 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

107 The partition name that you supply is added to the partition table, which contains labels and associated socket addresses proided by the firewall administrator. The label is used outside the firewall to establish monitoring serer connections. The well-known port for the hub monitoring serer must be authorized by the firewall administrator. For the IP*.*PIPE protocols, no additional ports require authorization. When you press Enter after proiding the IP*.*PIPE configuration alues, you are presented with one of the following panels: If you specified Y for Address translation, the Specify IP.PIPE Partition References panel (Figure 19 on page 54) is displayed. The name of the monitoring serer, its partition name (that is, its location or namespace relatie to the firewall), and its partition address (the IP address assigned to the monitoring serer in the specified partition) are displayed at the top of the Specify IP.PIPE Partition References panel. Use the fields of this panel to specify partition references (the alues required to support communication across a firewall using address translation rather than EPS). If more than one firewall is used, specify a partition reference for each firewall. Partition Supply the partition name assigned to the monitoring serer from a location on the other side of the firewall. Address Supply the IP address assigned to the monitoring serer from a location on the other side of the firewall. To add a partition reference, specify the partition name and the address used in that partition to communicate with the monitoring serer, and press Enter. To modify an existing partition reference, type oer an entry and press Enter. To delete a reference, type D in the Action field and press Enter. Modifications resulting in duplicate entries are ignored. The alues proided on this panel are saed as the KDC_PARTITIONFILE enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. KDC_PARTITIONFILE points to a member, KDCPART, created in the &rhile.&rte.rkanparu library. If you specified N for Address translation, the Specify TEMS KSHXHUBS Values panel is displayed (Figure 20 on page 55). Use this panel to begin a list of hub monitoring serers to connect with the SOAP serer. The alues you specified in earlier configuration panels are displayed as default alues. Hub TEMS SOAP Serer alues for RTEname Accept the default alue, which is the name of the runtime enironment where the monitoring serer is being configured. TEMS name Accept the default alue, which is the TEMS name (CMS_NODEID) you specified when you defined the runtime enironment. TCP hostname Accept the default, which is the host name specified on the Specify IP.PIPE Communication Protocol panel (Figure 18 on page 52). TCP port number Accept the default, which is the port number specified on the Specify IP.PIPE Communication Protocol panel (Figure 18 on page 52). SNA network ID If you selected SNA as Protocol 1 (the highest-priority protocol), supply the identifier of your VTAM network. You specified this alue while defining the runtime enironment. You can also obtain this alue from the NETID parameter in the VTAMLST startup member ATCSTRnn. This field is required only if SNA is Protocol 1. Chapter 4. Configuring the hub monitoring serer and monitoring agents in the same runtime enironment 95

108 SNA global location broker applid If you selected SNA as Protocol 1, supply the VTAM applid for the global location broker. This field is required only if SNA is Protocol 1. SNA LU6.2 logmode If you selected SNA as Protocol 1, supply the name of the default LU6.2 logmode entry required by the hub monitoring serer. You specified this alue while defining the runtime enironment. This field is required only if SNA is Protocol 1. Alias name Accept the default, which is the TEMS name (CMS_NODEID alue). The alias name identifies the hub monitoring serer to the SOAP serer. The alue is case-sensitie. When you press Enter, the SOAP serer KSHXHUBS List panel (Figure 21 on page 56) is displayed, with the hub monitoring serer shown on the list. This panel lists the hub monitoring serers that are eligible for SOAP serer access. The list is maintained in the KSHXHUBS member of the &rhile.&rte.rkanparu library. Tips - You can specify non-local hubs if desired. To do so, enter A (Add TEMS) in the Action field to the left of any hub in the list. Then, on the Specify TEMS KSHXHUBS Values panel, proide the TEMS name, TCP hostname (network address), and Alias name for the non-local hub. - Do not edit the KSHXHUBS member directly. Its XML tags and alues require a specific format and are case-sensitie. If you want to change the contents of the KSHXHUBS member, do so in the Configuration Tool. If you exit the SOAP serer KSHXHUBS List panel without securing user access, the SOAP serer honors requests from any user ID that passes logon alidation. The alue shown in the TEMS secured field indicates whether user access to the SOAP serer is secured (Y) or unsecured (N). For an explanation of SOAP serer security, see the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. If you want to limit user access to the SOAP serer, follow this procedure: a. On the SOAP serer KSHXHUBS List panel, enter S (Secure TEMS) in the Action field to the left of the item for the hub you just added to the list. The Specify TEMS KSHXHUBS Values panel (Figure 20 on page 55) is displayed, with Action: Secure at the top and with two fields at the bottom for specifying the first user ID to which access is to be granted. b. On the Specify TEMS KSHXHUBS Values panel (Figure 20 on page 55), specify the first user ID to hae Query (read) access and Update (write) access. You can specify a user ID for Query access without specifying one for Update access, but if you specify a user ID for Update access, you must also specify a user ID for Query access. c. If you want only one user ID to hae access, press F3 to return to the SOAP serer KSHXHUBS List panel. If you want to specify more user IDs, press Enter. The SOAP serer KSHXHUBS Security Access List panel is displayed (Figure 22 on page 57). d. Enter A (Add user) in the Action field to the left of the first user ID. The Specify TEMS KSHXHUBS User Access List panel is displayed (Figure 23 on page 57). e. Specify a user ID and indicate whether to grant it Query access and Update access. f. Press Enter to return to the SOAP serer KSHXHUBS Security Access List panel. g. Continue adding user IDs until you hae added all the user IDs to which you want to grant SOAP serer access. 96 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

109 h. If you want to grant a user ID the same leel of access to all hubs on the SOAP serer KSHXHUBS List, enter I (Install user into all monitored TEMS) to the left of the user ID on the SOAP serer KSHXHUBS Security Access List panel. Caution: This action (I) has the immediate effect of securing eery hub on the list and of granting access only to the user ID selected. Be sure you want this result before specifying the I action. i. Press F3 (Back) until you return to the SOAP serer KSHXHUBS List panel (Figure 21 on page 56). If you want to disable SOAP serer security for a hub, specify G (Grant global security access) in the Action field for that hub on the SOAP serer KSHXHUBS List panel. This action remoes all user IDs from the user access list and thus enables access for all user IDs that pass logon alidation. Press F3 (Back) to return to the communication protocol configuration panels. IP.UDP and IP6.UDP The field definitions and instructions for the IP.UDP and IP6.UDP protocols are the same as those for the IP*.*PIPE protocols, except that address translation does not apply to IP.UDP and IP6.UDP. SNA.PIPE Figure 33 on page 74 shows the Specify SNA Communication Protocol panel. Supply alues for these fields. Applid prefix This alue is used to create the VTAM applids required by the monitoring serer. These applids begin with the prefix, and end with a specific alue that makes each applid unique. The applids are contained in the VTAM major node. You specified this alue when you defined the runtime enironment. Tip: Enter README APP on the command line for more information on how the Configuration Tool processes VTAM applids. If system ariable support is enabled, enter README SYS on the command line for more information on how the Configuration Tool processes VTAM applids using z/os system symbols. Press F6 (Applids) for a list of the VTAM major node and applid alues. Network ID The identifier of your VTAM network. You specified this alue when you defined the runtime enironment. You can also obtain this alue from the NETID parameter in the VTAMLST startup member ATCSTRnn. 4. Press Enter to return to the Configure the TEMS panel (Figure 10 on page 40). Create runtime members and configure the persistent datastore Follow the instructions in Create the runtime members on page 61 to create the runtime members for the hub monitoring serer, and then follow the instructions in Configure the persistent datastore on page 61 to configure the persistent datastore and create its runtime members. Then press F3 (Back) until you return to the Product Component Selection panel (Figure 28 on page 64). Step 2. Configure monitoring agents in the runtime enironment In this step, you configure monitoring agents in the same runtime enironment with the hub monitoring serer. 1. On the Product Component Selection panel (Figure 28 on page 64), select the monitoring agent. If two monitoring agent components are listed, select the OMEGAMON II component first. Chapter 4. Configuring the hub monitoring serer and monitoring agents in the same runtime enironment 97

110 COMPONENT TITLE 1 Tioli Enterprise Monitoring Serer 2 OMEGAMON II... 3 IBM Tioli OMEGAMON XE To configure the monitoring agent, follow the configuration instructions in the product publications in the Tioli Monitoring and OMEGAMON XE Information Center at tiihelp/15r1/index.jsp?toc=. Be sure to select the option Register with local TEMS. This option produces a job that enables the monitoring agent to transmit data to the monitoring serer. If you are configuring the monitoring agent in its own address space, be sure to leae the default alue of Y at this prompt: Connect to TEMS in this RTE ==> Y (Y, N) Follow the steps up to Complete the configuration. 3. Press F3 until you return to the Product Selection Menu (Figure 5 on page 33). 4. On the Product Selection Menu, enter S (Select) to the left of the name of another monitoring agent. 5. On the Runtime Enironments (RTEs) panel (Figure 6 on page 34), type C (Configure) in the Action field to the left of the name of the runtime enironment where you configured the hub monitoring serer and the first monitoring agent. 6. On the Product Component Selection panel (Figure 28 on page 64), select the monitoring agent. You do not hae to reconfigure the hub monitoring serer to add a monitoring agent to the runtime enironment. 7. Repeat steps 2 to 6 until you hae configured all desired monitoring agents in the runtime enironment. Step 3. Load the runtime libraries Before you complete the configuration of the monitoring serer and monitoring agents outside the Configuration Tool, you must load the runtime libraries from the target libraries that were installed by SMP/E. The load job requires exclusie access to the runtime libraries. 1. On the Runtime Enironments (RTEs) panel Figure 6 on page 34, enter L (Load) in the Action field to the left of the name of the runtime enironment. 2. Reiew the JCL and submit the job. Verify that the job completes successfully and that the return code is 04 or lower. 3. When you finish loading the libraries, press F3 (Back) to return to the Runtime Enironments (RTEs) panel. 4. Go to Chapter 6, Completing the configuration, on page 119, Chapter 7, Adding application support to a monitoring serer on z/os, on page 129, and Part 3 of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for instructions on completing the configuration, adding application support to the monitoring serers, and alidating the configuration. 5. After you alidate the configuration, perform the tasks in Chapter 8, Configuring security on a monitoring serer on z/os, on page Go to Parts 4 and 5 of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for instructions on using batch mode to replicate the configured enironment to other LPARs. 98 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

111 Chapter 5. Configuring a remote monitoring serer on z/os to report to a distributed hub This chapter explains how to configure a remote monitoring serer on a z/os image to report to a hub monitoring serer on a distributed system. Figure 35. Remote monitoring serer on z/os reporting to a hub on a distributed system The configuration shown in Figure 35 depicts a hub monitoring serer on Windows, Linux, or UNIX, with a remote monitoring serer on z/os configured to report to the hub. Seeral monitoring agents are configured in the same runtime enironment with the remote monitoring serer. The data collected by those monitoring agents flows through their local monitoring serer to the hub. This configuration makes it possible to locate the hub monitoring serer and the portal serer on the same distributed system, and can be adantageous in an enironment where most monitoring agents are on distributed systems. PARMGEN method The procedure in this section assumes that you hae already configured a hub monitoring serer on a distributed system (see IBM Tioli Monitoring: Installation and Setup Guide for instructions). Complete these steps to configure a remote monitoring serer on z/os to report to a hub on a distributed system. Step 1. Create the runtime enironment and set the configuration parameters for the remote monitoring serer Follow the steps in the "Configuring products with the PARMGEN method" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide to create a runtime enironment. In "Step 2. Set up your PARMGEN configuration profile," refer to the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Parameter Reference for information about the parameters in the configuration profile. The configuration profile is the &rhile.&rte.wconfig(&rte) member. Copyright IBM Corp. 2005,

112 Tips The parameters shown in this section are specific to the remote monitoring serer but are not the only parameters for which you must either accept or oerride the default alues in the configuration profile for the runtime enironment. After you set the parameters shown here, be sure to go through the entire configuration profile to make sure the parameter alues are correct for the configuration you want. Be sure to uncomment any parameters that are needed for your configuration but are commented out by default. For example, the configuration profile for a runtime enironment containing a remote monitoring serer that will use the IP.PIPE protocol to communicate with the hub requires the KDS_HUB_TCP_PIPE_PORT_NUM parameter, which is commented out by default. For such a configuration, you must uncomment this parameter and insert the port number between the quotation marks for the parameter alue. Before: **KDS_HUB_TCP_PIPE_PORT_NUM "" After: KDS_HUB_TCP_PIPE_PORT_NUM "1918" In the configuration profile for the runtime enironment, set the following parameter alues for the remote monitoring serer: ** Tioli Enterprise Monitoring Serer (TEMS) flag and CMS_NODEID name: RTE_TEMS_CONFIGURED_FLAG Y RTE_TEMS_NAME_NODEID "remote_rte_name:cms" ** TEMS configuration alues: KDS_TEMS_TYPE REMOTE The following additional requirements also apply to the remote monitoring serer configuration: KDS_TEMS_COMM_PROTOCOLn parameter At least one of the communication protocols must be the same as a protocol selected for the hub. For information about the communication protocols, see "Decision 5: How to set up communications between components" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. KDS_TEMS_TCP_HOST parameter This is the TCP/IP host name (in IPV4 dotted-decimal format) of the z/os system where the remote monitoring serer is installed. KDS_HUB_TCP_HOST parameter This is the TCP/IP host name (in IPV4 dotted-decimal format) of the distributed system where the hub monitoring serer is installed. KDS_HUB_TCP_pipe_type_PORT_NUM The alue must be the port number of the hub for each protocol selected. Many other KDS_* parameters are needed for the remote monitoring serer configuration. See the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Parameter Reference for information about them. Configuring the monitoring serer to support encryption/decryption To actiate ICSF encryption/decryption within your newly configured remote monitoring serer using the PARMGEN configuration method, locate these lines in the configuration profile for the runtime enironment of the monitoring serer:: 100 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

113 ** GBL_DSN_CSF_* ICSF system libraries: GBL_DSN_CSF_SCSFMOD0 "CSF.SCSFMOD0" ** TMS KAES256 password encryption key: **KDS_TEMS_SECURITY_KAES256_ENCKEY "IBMTioliMonitoringEncryptionKey" Set GBL_DSN_CSF_SCSFMOD0 to the name of your site's Integrated Cryptographic Serice Facility (ICSF) library. Uncomment KDS_TEMS_SECURITY_KAES256_ENCKEY, and set it to your site's ICSF encryption key for IBM Tioli Monitoring. Once you hae set these parameters, if you enabled ICSF password encryption for your monitoring serer after creating the runtime enironment, rerun the following jobs: WCONFIG($PARSE*) File-tailoring job to recreate: WKANSAMU(KDSDKAES) Stand-alone Tioli Management Serices on z/os password encryption job, if you want a sample job that you can edit manually. WKANSAMU(KCIJPSEC) Composite security job's KAES256 step, if you want a file-tailored job. WKANSAMU(CANSDSST) Monitoring serer started task to concatenate the ICSF load library in the STEPLIB DDNAME. CANSDSST is the IBM-supplied default; set the alue to whateer you specified for the KDS_TEMS_STC parameter. WKANSAMU(KDSDKAES) or WKANSAMU(KCIJPSEC) Creates the encryption key member. WKANPARU(KAES256) or WKANSAMU(KCISYPJB) Run either WKANPARU(KAES256), the stand-alone started task procedure copy job, or WKANSAMU(KCIJPSYS), the composite system copy job that copies the modified monitoring serer started task to the system procedure library. Step 2. Set configuration parameters for the monitoring agents in the same runtime enironment In the same configuration profile, set parameter alues for each of the products you want to include in the runtime enironment of the remote monitoring serer. Follow the instructions in each product's Planning and Configuration Guide, and use the information in each product's Parameter Reference. After you finish customizing the configuration profile, go on to "Step 3. Submit batch jobs to complete the PARMGEN setup" in the "Configuring products with the PARMGEN method" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Step 3. (Optional) Replicate the remote runtime enironment Now you can replicate to other z/os systems the configured runtime enironment that contains the remote monitoring serer and its monitoring agents. Replicating the configured runtime enironment is an easy way to ensure that all your remote monitoring serers are configured to report to the high-aailability hub. Follow the instructions in the "Using the PARMGEN method to replicate a configured enironment" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Chapter 5. Configuring a remote monitoring serer on z/os to report to a distributed hub 101

114 Configuration Tool (ICAT) method The procedure in this section assumes that you hae already configured a hub monitoring serer on a distributed system (see IBM Tioli Monitoring: Installation and Setup Guide) and that you hae completed Steps 1, 2, and 3 in the "Configuring products with the Configuration Tool" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Tips When you select a product on the Product Selection Menu (Figure 5 on page 33), select one of the monitoring agents, not IBM Tioli Management Serices on z/os, if you want to configure both a monitoring serer and monitoring agents in the runtime enironment. If you select IBM Tioli Management Serices on z/os, you can only configure a stand-alone monitoring serer in its own runtime enironment, without any monitoring agents. To configure a remote monitoring serer on z/os to report to a hub monitoring serer in a different CSI, you can follow the same basic procedure described in this chapter. Configuration steps Complete the following steps in order: Step 1. Configure the remote monitoring serer Step 2. Configure monitoring agents in the runtime enironment on page 115 Step 3. Load the runtime libraries on page 116 Step 1. Configure the remote monitoring serer To configure a remote monitoring serer, perform the following tasks in the order listed: 1. Begin the configuration. 2. Create a logmode. 3. Specify configuration alues on page Specify communication protocols on page Create the runtime members on page Configure the persistent datastore on page 61. Begin the configuration Perform the following steps to begin the configuration: 1. On the Runtime Enironments (RTEs) panel (Figure 6 on page 34), enter C (Configure) next to the runtime enironment in which you want to configure the monitoring serer. The Product Component Selection Menu is displayed (Figure 28 on page 64). 2. From the Product Component Selection Menu, enter 1 to select Tioli Enterprise Monitoring Serer. The Configure the TEMS panel is displayed (Figure 10 on page 40). Create a logmode If the monitoring serer is to communicate with any monitoring agents that require SNA, you must create a logmode or proide information about an existing logmode. Examples of monitoring agents that require SNA communications include OMEGAMON XE on z/os (for the EPILOG facility of the OMEGAMON II component) and OMEGAMON XE for Messaging on z/os (for the 3270 interface component). See the product-specific configuration guides for further information about SNA requirements. If this monitoring serer will not communicate with any monitoring agents that require SNA, you can skip to Specify configuration alues on page IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

115 Otherwise, complete the following procedure: 1. From the Configure the TEMS panel (Figure 10 on page 40), enter 1 (Create LU 6.2 logmode). The Create LU6.2 Logmode panel is displayed (Figure 29 on page 65). Use this panel to specify the name of the LU6.2 logmode and logmode table required by the monitoring serer. Tip: If you plan to use an existing LU6.2 logmode, you do not hae to submit the job created from this panel. Howeer, you must ensure that the existing logmode has the same VTAM attributes as the logmode contained in the job. Be sure to proide the logmode information, een if you do not intend to submit the job. 2. Reiew the alues on the panel and specify site-specific alues. LU6.2 logmode The name of the LU6.2 logmode. A name is required een if you do not submit the job. Logmode table name The name of the logmode table that contains the LU6.2 logmode. A name is required een if you do not submit the job. VTAMLIB load library The name of the system library that contains VTAM logmode tables. This is typically SYS1.VTAMLIB (the default alue), but you can specify a different load library if you cannot or do not want to update VTAMLIB directly. VTAM macro library The name of the system library that contains the VTAM macros. This library is typically SYS1.SISTMAC (the default). 3. To accept the alues, press Enter. The JCL to create the logmode is displayed. If you want to use the LU6.2 logmode created by this job, reiew the JCL and submit the job. Verify that the job completes successfully and that all return codes are zero. If you want to use an existing LU6.2 logmode whose attributes match those in the logmode created by the job, press F3 (End) without submitting the job. You are returned to the Configure the TEMS panel (Figure 10 on page 40). Specify configuration alues In this step you indicate that the monitoring serer you are configuring is a remote monitoring serer. You also specify the name of the started task for this monitoring serer and its security settings. Security alidation of users is handled by hub monitoring serers only. Do not attempt to enable security alidation on a remote monitoring serer. 1. From the Configure the TEMS menu (Figure 10 on page 40), enter 2 to display the Specify Configuration Values panel (Figure 11 on page 41). 2. Proide alues in the following fields: Started task The name of the monitoring serer started task JCL procedure. Make a note of the name, because later you will hae to copy this started task procedure to your system procedure library. The default is CANSDSST. Tip: If you hae two or more runtime enironments on the same z/os image, make sure that the name of each started task is unique. Type (Hub or Remote) Specify REMOTE as the monitoring serer type. Hub TEMS type Leae this field blank. Chapter 5. Configuring a remote monitoring serer on z/os to report to a distributed hub 103

116 Tip: If you come back to this panel later, this field will not be displayed, because it applies only to a hub monitoring serer. Security settings Validate security? This setting determines whether the hub monitoring serer alidates the user IDs and passwords of users signing on to the Tioli Enterprise Portal. If your site plans to actiate Web Serices (that is, the SOAP serer) for the remote monitoring serer you are defining, ensure you set this parameter to Y; see the description of the Enable Web Serices SOAP Serer parameter later in this step. Otherwise, leae this alue set to N. Integrated Cryptographic Serice Facility (ICSF) installed? If the IBM Integrated Cryptographic Serice Facility (ICSF) is installed and configured on the z/os system, set the alue to Y. If you specify that ICSF is not installed on this z/os system (N), then the monitoring serer uses an alternatie, less secure encryption scheme. Note: The encryption method specified for the remote and hub monitoring serers must match that of the Tioli Enterprise Portal Serer. If you specify that ICSF is not installed on this z/os system (N), you must add the line USE_EGG1_FLAG=1 (or USE_EGG1_FLAG=Y) to the KFWENV enironment file of the Tioli Enterprise Portal Serer (see (If applicable) Edit the portal serer enironment file on page 123). ICSF load library If ICSF is installed and configured on the z/os system, specify the ICSF load library that contains the CSNB* modules used for password encryption. CSF.SCSFMOD0 is the default. If ICSF is not installed on the system, clear the field. TMS encryption key Specify a unique, 32-byte password encryption key. The alue is case-sensitie. Be sure to record the alue you use for the key. You must use the same key during the installation of any monitoring agents that communicate with this monitoring serer. If ICSF is not installed on the system, clear the field. Important: You must ensure your site enabled Tioli Management Serices on z/os password encryption ia the Integrated Cryptographic Serice Facility (ICSF) when you complete these security settings. This is because wheneer the current remote monitoring serer runs policies that inoke either TADDM_Init or TADDM_Eent actiities, the password (which is stored within the actiity definition in encrypted form) must be deciphered before the request is sent to Tioli Application Dependency Discoery Manager. The encryption methodology must be uniform across the Tioli Enterprise Portal Serer and all monitoring serers, including the hub monitoring serer. 104 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

117 Encryption key tips The ampersand (&) character cannot be part of the encryption key. The DS#3ssss job (where ssss is the JCL suffix for the runtime enironment) creates the runtime members after you complete the monitoring serer configuration panels. This job uses the alue you specify for the encryption key to create the key file. The key file is member KAES256 in the &rhile.&rte.rkanparu library (see Create the runtime members on page 61). For security reasons, the encryption key alue is not displayed if you return to the Specify Configuration Values panel after you finish configuring the monitoring serer. If you reconfigure the monitoring serer by changing other parameter alues on the configuration panels, the resulting DS#3ssss job does not create a key file. If you must change the encryption key alue after initial configuration, type the PWD command on the command line of the Specify Configuration Values panel, and then answer Y to the prompt "Do you want to disable ICSF encryption or reset the key?". You can then re-enable encryption and specify a different key. After doing so, you must recreate the runtime members ( Create the runtime members on page 61) and reload the runtime libraries ( Step 3. Load the runtime libraries on page 98). In batch mode, the encryption key alue is stored in parameter KDS_CMS_SEC_ENC_KEY. For batch mode processing, the encryption key is displayed in plain text so that it can be used as input for the KAES256 file in the &rhile.&rte.rkanparu library of other runtime enironments. Therefore, ensure that the &shile.instjobs library for this runtime enironment is secured before you create a batch parameter member containing its alues. The alue of the encryption key batch parameter (KDS_CMS_SEC_ENC_KEY) is enclosed in double quotation marks in the batch parameter member. If you must use a single quotation mark or apostrophe (') as part of the key alue, edit the batch parameter member to enclose the 32-byte encryption key string in two sets of double quotation marks (for example, ""key s_alue""). If you must use both single and double quotation marks as part of the key alue, use the interactie mode of the Configuration Tool instead of the batch mode. Program to Program Interface (PPI) information (Optional) Specify the PPI alues that enable forwarding of Take Action commands to NetView for z/os for authorization and execution. If you enable forwarding, you must also enable NetView to receie and authorize the commands (see Enable NetView to authorize Take Action commands on page 152). Forward Take Action commands to NetView for z/os Specify Y if you want the Tioli Enterprise Monitoring Serer to forward z/os console commands issued as Take Action commands to NetView for authorization and execution. The default alue is N. NetView PPI receier Specify the name of the PPI receier on NetView that will receie Take Action commands. This name must match the receier name specified on the NetView APSERV command. The default name is CNMPCMDR. If the specified name is incorrect or the receier is not actie on NetView for z/os, default command routing to the z/os console is performed. The Configuration Tool generates the KGLHC_PPI_RECEIVER enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. Chapter 5. Configuring a remote monitoring serer on z/os to report to a distributed hub 105

118 The alue must be a 1- through 8-character, unique identifier for the receier program. It can contain alphabetic characters A-Z and a-z, numeric characters 0-9, and the following special characters: dollar sign ($), percent sign (%), ampersand (&), at sign (@), and number sign (#). This alue must match the alue specified in the NetView DSIPARM initialization member, CNMSTYLE (see Enable NetView to authorize Take Action commands on page 152). If a alue is specified for this parameter and either the specified name is incorrect or the receier is not actie on NetView for z/os, the command fails. If no alue is specified, default command routing to the z/os console is performed. This parameter is required if you answered Y in the Forward Take Action commands to NetView for z/os field. TEMS PPI sender Optionally, specify the name of the PPI sender. The alue must be a 1- through 8-character unique identifier for the receier program. It can contain alphabetic characters A-Z and a-z, numeric characters 0-9, and the following special characters: dollar sign ($), percent sign (%), ampersand (&), at sign (@), and number sign (#). This name must not conflict with any NetView for z/os domain name, as it is used in logging the command and command response in the NetView log. If a alue is specified on this field, the Configuration Tool generates the KGLHC_PPI_SENDER enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. If you do not specify a alue in this field, the default is the job name of the monitoring serer that is the source of the command. 3. When you hae completed the Specify Configuration Values panel, press F5 (Adanced) to display the Specify Adanced Configuration Values panel (Figure 14 on page 45). Accept the defaults or proide the alues appropriate for your site in the following fields: Enable Web Serices SOAP Serer To enable Web Serices (that is, the SOAP serer) for this remote monitoring serer, ensure this parameter is set to Y. Enabling the SOAP serer means that a policy running on this remote monitoring serer can now send new SOAP-based on-demand and actiities (supported as of ersion 6.2.3) to an agent connected to this remote monitoring serer. The monitoring serer's SOAP serer must be started if you include either on-demand or actiities within the workflow of one or more policies that will run on that monitoring serer. In addition, this architecture is more efficient than haing all remote monitoring serers send their SOAP requests to the hub. It also means that a policy that is running on this remote monitoring serer can continue to process SOAP requests een when the hub or the connection to the hub becomes unaailable. See the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for more information. Turning on this parameter causes the HTTP serer port number field to appear on panel KDS62PPA (Specify Communication Protocols; see Figure 38 on page 111). The HTTP serer port number defaults to the HTTP port of the hub monitoring serer that this remote monitoring serer connects to. You can choose to oerride the HTTP port number on the IP.PIPE and IP.UDP panels. Enable startup console messages Accept the default alue of Y if you want a SYSLOG message on the console to indicate when the monitoring serer finishes initializing. You can use this message as an UP status message in your automation package (for example, Tioli System Automation for z/os). See the documentation for your automation package for instructions on capturing the monitoring serer automation message IDs (KO4SRV032 and KDSMA001). 106 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

119 If the alue of this field is Y, the KGL_WTO=YES parameter is added to the KDSENV member of the &rhile.&rte.rkanparu data set. Enable communications trace Set this parameter to Y if you want KDC_DEBUG=Y as the oerride setting in the &rhile.&rte.rkanparu(kdsenv) member. Otherwise, the default setting of KDC_DEBUG=N instructs the data communications layer to summarize communications problems. The default setting is intended for stable applications in production. Tip: The setting KDC_DEBUG=Y causes a great many records to be written to the log files. Use this setting only for testing or problem diagnosis. The default setting (KDC_DEBUG=N) generates standard RAS1 trace data in the monitoring serer RKLVLOG, in addition to the summary information diagnosing possible timeout conditions. The following settings report on data communications problems: KDC_DEBUG=N Minimal tracing (the default). KDC_DEBUG=Y Full-packet tracing. KDC_DEBUG=D KDC_DEBUG=Y, plus state and flow tracing. KDC_DEBUG=M KDC_DEBUG=D, plus input and output help tracing. KDC_DEBUG=A KDC_DEBUG=M, plus all-format tracing. Do not set KDC_DEBUG=A unless directed by IBM Software Support personnel. Reconnect after TCP/IP recycle If you specify Y, the monitoring serer address space reconnects to its TCP/IP stack without being recycled after the stack is recycled. When this parameter is set to Y, the TOLERATERECYCLE keyword is added in the KLXINTCP member of the &rhile.&rte.rkanparu library. If this parameter is set to N (the default), then if the TCP/IP stack used by the monitoring serer is recycled, the monitoring serer address space must also be recycled to re-establish TCP/IP connectiity. Enable storage detail logging Accept the default alue of Y if you want to enable storage allocation detail logging. You can use the storage detail command output to analyze storage allocated by the monitoring serer address space. Specifying Y generates the second EVERY command in &rhile. &rte.rkancmdu(kdsstart). To disable storage detail logging, set this parameter to N. The second EVERY command is then written as a comment in &rhile.&rte.rkancmdu(kdsstart). Tip: If you disable storage logging on this panel and then want to actiate it after the monitoring serer is configured and running, you can issue the following modify command to the monitoring serer started task: /F started_task,every hh:mm:ss STORAGE D Issuing this modify command actiates storage detail logging without a requirement to recycle the monitoring serer. If you are enabling storage detail logging on the Specify Adanced Configuration Values panel, accept the default alues or set your own alues for two time interals: Chapter 5. Configuring a remote monitoring serer on z/os to report to a distributed hub 107

120 Storage detail logging Specify how often you want storage allocation detail to be logged. This interal alue is written as part of the second EVERY command in &rhile. &rte.rkancmdu(kdsstart). The default is 60 minutes. Flush VSAM buffers Specify how often you want to force all deferred VSAM writes to DASD. This interal alue is written as part of the third EVERY command in &rhile. &rte.rkancmdu(kdsstart). The default is 30 minutes. Virtual IP Address (VIPA) type Specify the type of VIPA defined for the z/os system. The default is N (None). If VIPA is in use, specify either S (Static) or D (Dynamic). The VIPA name of the monitoring serer must be resolable through the Domain Name Serer (DNS). Dynamic VIPA requires one of the following communication protocols: IP.PIPE, IP.SPIPE, IP6.PIPE, or IP6.SPIPE. For more information about communication protocols, see Specify communication protocols on page 111. Minimum extended storage Specify the minimum amount of irtual storage to be made aailable to the monitoring agents and other components that are communicating with this monitoring serer. The default alue is If you do not hae many IBM components reporting to the serer and you want to consere storage, you can lower the alue. This alue is used for the MINIMUM parameter in the KDSSYSIN member of &rhile.&rte.rkanparu. This example shows the default alue: MINIMUM(768000,X) Maximum storage request size Specify the maximum TMS:Engine storage request size, as a power of 2, for primary storage and for extended storage. The maximum alue you specify for each type of storage request (primary and extended) can be no higher than 25 (32768 KB). The default maximum for extended storage is 23 (8192 KB). The default maximum for primary storage is 16 (64 KB). Howeer, some monitoring agents configured to run in the monitoring serer address space require a maximum primary storage request size of 20 (1 MB). If a program requests a block of storage larger than the maximum alue set, an abend occurs. The maximum alue is used in building storage access tables to speed memory allocation. Too small a alue causes TMS:Engine components to fail. Too large a alue wastes storage and increases processing oerhead. You might hae to specify a larger alue if any of your monitoring agents builds large VTAM request/response units (RUs) and data streams. This alue is used for the LIMIT parameter in the KDSSYSIN member of &rhile. &rte.rkanparu. This example shows the default alues: LIMIT(23,X) LIMIT(16,P) Language locale This parameter is required. The default alue is 1 (English - United States). Press F1 (Help) and select Language locale for a list of the possible alues. Specify the numeric alue that represents the language and region for the z/os system. The Configuration Tool uses this alue to set the country and character set for the LANG enironment ariable in &rhile.&rte.rkanparu(kdsenv). For example, if you accept the default alue of 1 (English - United States), the Configuration Tool generates this enironment ariable in KDSENV: LANG=en_US.ibm IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

121 If the z/os UNIX System Serices (USS) codepage (en_us.ibm-1047) is required, you can specify either en_us.ibm-1047 or 1A in the Language locale field. In batch mode, you can specify either of these alues: Kpp_CMS_ICU_LANG en_us.ibm-1047 Kpp_CMS_ICU_LANG 1A Tip: The USS codepage (en_us.ibm-1047) is required for agent autonomy and for priate situation XML files. Persistent datastore parameters These fields define default parameters for the persistent datastore, the repository for short-term historical data. For detailed information, see the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. Maintenance procedure prefix This prefix is applied to the procedures that perform maintenance when the persistent datastore is full. Specify the same prefix for all products in all runtime enironments. The default is KPDPROC. This parameter is required een if you intend to configure historical data collection at the location of the monitoring agents rather than at the location of the monitoring serer. Datastore file high-leel prefix Specify the high-leel qualifier to use when allocating persistent datastore files in this runtime enironment. The default is &rhile.&rte. This parameter is required een if you intend to configure historical data collection at the location of the monitoring agents rather than at the location of the monitoring serer. Volume Specify the default DASD olume to use when allocating persistent datastore files in this runtime enironment. The default is the olume specified for the runtime enironment. Unit Specify the default DASD unit to use when allocating persistent datastore files in this runtime enironment. Valid unit types are 3380 and The default is the unit type specified for the runtime enironment. Storclas Specify the default SMS storage class to use when allocating persistent datastore files in this runtime enironment. If your site does not require the SMS STORCLAS parameter, you can leae this field blank. Mgmtclas Specify the default SMS management class to use when allocating persistent datastore files in this runtime enironment. If your site does not require the SMS MGMTCLAS parameter, you can leae this field blank. Tip: Under the guidance of IBM Software Support, you can specify alues for parameters other than those shown on the Specify Configuration Values and Specify Adanced Configuration Values panels. To do so, press F5 from the Specify Adanced Configuration Values panel to display the Specify Nonstandard Parameters panel. On this panel you can add, replace, or delete parameter alues in any member of any runtime library. For details, press F1 on the Specify Nonstandard Parameters panel or see IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. 4. Press Enter to accept the alues. The Communication Selection panel is displayed. This panel lists hub monitoring serers configured in other runtime enironments accessible to the Configuration Tool. If any hubs are listed, they are z/os Chapter 5. Configuring a remote monitoring serer on z/os to report to a distributed hub 109

122 hubs. For the configuration described in this chapter, the hub is on a distributed system and is not found on the list. KCIPCMSS COMMUNICATION SELECTION PANEL FOR SHARING2 Row 1 to 1 of 1 Select the hub (primary TEMS) to connect to this remote TEMS. The following lists eligible Tioli Enterprise Monitoring Serers (TEMS) that you hae configured. Enter S next to the TEMS to connect to this remote. To manually enter the TEMS information, press F5. _ HUB SHARING1 Sharing runtime enironment for hub and agents F1=Help F3=Back F5=Adanced F7=Up F8=Down Figure 36. Communication Selection panel 5. On the Communication Selection panel, press F5 (Adanced) to naigate to the Specify Configuration - Hub Values for Remote TEMS panel. KDS62PP2 --- SPECIFY CONFIGURATION - HUB VALUES FOR REMOTE TEMS Hub TEMS name (Case sensitie) ==> Complete this section if the Remote TEMS is connecting to its Hub TEMS using SNA. Enter the applicable VTAM alues of its Hub TEMS: Global location broker applid of Hub ==> Network ID of Hub ==> Complete this section if the Remote TEMS is connecting to its Hub TEMS using IP. Enter the applicable network address and respectie port number(s): Network address (Hostname of Hub): ==> IP.PIPE port number ==> (Non-secure NCS RPC) IP6.PIPE port number ==> (IP.PIPE for IPV6) IP.SPIPE port number ==> (Secure IP.PIPE) IP6.SPIPE port number ==> (Secure IP.PIPE for IPV6) IP.UDP port number ==> (Non-secure NCS RPC) IP6.UDP port number ==> (IP.UDP for IPV6) Enter=Next F1=Help F3=Back Figure 37. Specify Configuration - Hub Values for Remote TEMS panel 6. On the Specify Configuration - Hub Values for Remote TEMS panel, enter the alues for the hub monitoring serer with which you want the remote monitoring serer to connect. If you made a note of these alues during configuration of the hub monitoring serer, find it now. Otherwise, you can find the alues in one of the following locations: On Windows systems, launch the Manage Tioli Monitoring Serices application by selecting Start > IBM Tioli Monitoring > Manage Tioli Monitoring Serices. Right-click Tioli Enterprise Monitoring Serer and select Browse Settings. On Linux and UNIX systems, look in the KBBENV file located in the itm_installdir/tables/ tems_name subdirectory. Hub TEMS name The TEMS name (node ID) of the hub monitoring serer. The TEMS name is case-sensitie on all platforms. The TEMS name is generally not the same as the host name. The default TEMS name for the hub on distributed systems is HUB_hostname. For example, for host ITMSERV61, the default TEMS name is HUB_ITMSERV IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

123 The TEMS name is stored as the alue of the CMS_NODEID parameter in the settings for the hub monitoring serer. You can find this alue on distributed systems by browsing the monitoring serer settings in Manage Tioli Monitoring Serices on Windows systems, or by examining the KBBENV file for the monitoring serer on Linux or UNIX systems. Global location broker applid of hub This field does not apply to a hub on a distributed system. Leae it blank. Network ID of hub This field does not apply to a hub on a distributed system. Leae it blank. Network address (Hostname of Hub) The fully qualified TCP/IP host name (in IPV4 dotted-decimal format) of the system on which the hub monitoring serer is installed. Port numbers Supply the hub listening port number for each protocol selected during configuration of the hub. Important: If you are configuring more than one remote monitoring serer in this z/os image, the hub to which each remote monitoring serer reports must hae a unique port number. Otherwise, connectiity problems might occur. For more information about port number allocation, see "Port number assignments" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. 7. Press Enter until you return to the Specify Configuration Values panel. The TEMS name of the hub you specified for connection with the remote monitoring serer is displayed in the Hub TEMS name field. 8. Press Enter to return to the Configure the TEMS panel (Figure 10 on page 40). Specify communication protocols To specify protocols for communications between the remote monitoring serer and other components, complete the following procedure: 1. From the Configure the TEMS panel (Figure 10 on page 40), enter 3 to display the Specify Communication Protocols panel. KDS62PPA SPECIFY COMMUNICATION PROTOCOLS Specify the communication protocols in priority sequence for TEMS rte:cms. IP.PIPE ==> 1 (Non-secure NCS RPC) IP.UDP ==> 2 (Non-secure NCS RPC) IP6.PIPE ==> (IP.PIPE for IPV6) IP6.UDP ==> (IP.UDP for IPV6) IP.SPIPE ==> (Secure IP.PIPE) IP6.SPIPE ==> (Secure IP.PIPE for IPV6) SNA.PIPE ==> 3 (Non-secure NCS RPC) Note: SNA.PIPE is required under certain conditions. Press F1=Help. * This Remote TEMS reports to a Hub that uses IP.PIPE to connect. Ensure that this Remote TEMS also specifies the IP.PIPE protocol. * The protocol(s) in use by the Hub TEMS are: -SNA -Unsecured IP.PIPE -Unsecured IP.UDP Enter=Next F1=Help F3=Back Figure 38. Specify Communication Protocols panel for a remote monitoring serer This panel lists the communication protocols to be used by the monitoring serer. The number beside each protocol indicates its priority. When communication with another component is initiated, the monitoring serer tries Protocol 1 first and goes to Protocol 2 and then to Protocol 3, and so on, in case of failure. Chapter 5. Configuring a remote monitoring serer on z/os to report to a distributed hub 111

124 Tips If the hub with which the remote monitoring serer will connect uses a piped protocol (IP.PIPE, IP6.PIPE, IP.SPIPE, or IP6.SPIPE), you must also select that protocol for the remote monitoring serer. If you plan to implement long-term historical data collection, communication with the Tioli Data Warehouse requires a TCP protocol. If this monitoring serer will communicate with any monitoring agents that require SNA, SNA.PIPE must be one of the protocols chosen, but it does not hae to be Protocol 1. Examples of such monitoring agents include OMEGAMON XE on z/os (for the EPILOG facility of the OMEGAMON II component) and OMEGAMON XE for Messaging on z/os (for the 3270 interface component). See the product-specific configuration guides for further information about SNA requirements. For more information about the communication protocols, see "Decision 5: How to set up communications between components" in the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide. 2. Supply the priority number for each protocol you want to select. IP.PIPE Uses the TCP/IP protocol for underlying communications. IP.UDP Also a TCP/IP protocol. Uses the packet-based, connectionless User Datagram Protocol (UDP). IP6.PIPE IP.PIPE protocol that supports IPV6. This protocol is aailable for a monitoring serer on a z/os system at release leel V1R7 or higher, with IPV6 installed and operational. IP6.UDP IP.UDP protocol that supports IPV6. This protocol is aailable for a monitoring serer on a z/os system at release leel V1R7 or higher, with IPV6 installed and operational. IP.SPIPE Secure IP.PIPE protocol. This protocol is aailable for a monitoring serer on a z/os system at release leel V1R7 or higher. IP6.SPIPE Secure IP.PIPE for IPV6. This protocol is aailable for a monitoring serer on a z/os system at release leel V1R7 or higher with IPV6 installed and operational. SNA.PIPE Uses the SNA Adanced Program-To-Program Communications (APPC). This protocol is required if the monitoring serer will communicate with any monitoring agents that require SNA, but it does not hae to be Protocol When you hae selected protocols and assigned their priorities, press Enter. The panel displayed next depends on the protocols and priorities you hae specified. IP.PIPE, IP6.PIPE, IP.SPIPE, and IP6.SPIPE Figure 39 on page 113 shows the Specify IP.PIPE Communication Protocol panel, where you specify alues for the IP.PIPE, IP6.PIPE, IP.SPIPE, and IP6.SPIPE protocols. 112 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

125 KDS62PPD SPECIFY IP.PIPE COMMUNICATION PROTOCOL Specify IP.PIPE communication alues. * Network address (Hostname): ==> hostname Started task ==> * (Recommended default = *) Network interface list: (If applicable) ==> Port number of Hub ==> (IP.PIPE) Port number of Hub ==> (IP.PIPE for IPV6) Port number of Hub ==> (Secure IP.PIPE) Port number of Hub ==> (Secure IP.PIPE for IPV6) Address translation ==> N (Y, N) Partition name ==> * Note: See F1=Help for TSO HOMETEST command instructions. Enter=Next F1=Help F3=Back Figure 39. Specify IP.PIPE Communication Protocol panel for a remote monitoring serer The alues you specified for the runtime enironment are displayed as default alues for the monitoring serer. You can accept the defaults or change them. Network address (Hostname) The TCP/IP host name (the IPV4 dotted-decimal IP address) of the z/os system where the remote monitoring serer is installed. To obtain the host name and IP address, enter TSO HOMETEST at the command line. If the z/os domain name resoler configuration specifies a search path that includes the target domain suffix, specify only the first qualifier of the host name. (Example: sys is the first qualifier of the fully qualified host name sys.ibm.com.) Otherwise, specify the fully qualified host name. Started task Identifies the TCP/IP stack to be used. If the LPAR contains a single TCP/IP stack, accept the default alue of an asterisk (*), which uses the first TCP/IP stack that was started. If the LPAR contains more than one TCP/IP stack, specify the started task name of the TCP/IP stack you want to use. Alternatiely, you can specify the number sign (#), which is translated to a blank and allows the TCP/IP enironment to choose the stack to use, either through TCP/IP definitions or through the use of the SYSTCPD DD statement. Tip: Whicheer method is used to select a TCP/IP stack in a multi-stack enironment, the Tioli Management Serices components continue to use that stack, een if a different stack becomes the primary stack. Therefore, in a multi-stack enironment, it is best to specify the started task name of the TCP/IP stack to be used, rather than specifying a wildcard or a blank. If IP domain name resolution is not fully configured on the z/os system, the SYSTCPD DD statement is required (see (If applicable) Add support for the SYSTCPD DDNAME in the monitoring serer started task on page 119). Network interface list One or more network interfaces for the monitoring serer to use. If the z/os image has more than one TCP/IP interface or network adapter, you can use this parameter to direct the monitoring serer to connect to a specific TCP/IP local interface. If you proide a alue for this parameter, the Configuration Tool generates the KDEB_INTERFACELIST enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. Chapter 5. Configuring a remote monitoring serer on z/os to report to a distributed hub 113

126 To set a network interface list for the monitoring serer, supply one of the following alues: The host name or IP address of the preferred interface. A list of host names or IP addresses, in descending order of preference. Use a blank space to separate the entries. An asterisk (*) to prefer the interface associated with the default host name for the z/os image. To display this alue, enter TSO HOMETEST at the command line. An exclamation point followed by an asterisk (!*) to use only the interface associated with the default host name for the z/os image. An exclamation point followed by a host name or IP address (!hostname) to use only the interface associated with hostname. A minus sign followed by a host name or IP address (-hostname) to use any interface except the one associated with hostname. Important If you set the alue of Network interface list to!* or!hostname, you must specify the same alue for eery component and product configured in all runtime enironments on the same z/os image. In the default character set (language locale en_us.ibm-037), the code for an exclamation point is x 5A. If you are using a character set other than the default, a different character might map to that code. Use the character that maps to x 5A in your character set. Set HEX ON in TSO Edit to confirm the correct character is entered. Hub port numbers For each of the selected IP*.*PIPE protocols, these fields specify the well-known port for the hub to which the remote monitoring serer will connect. These fields are read-only. If you want to change the hub port number specified in the remote monitoring serer configuration, return to the Specify Configuration - Hub Values for Remote TEMS panel (Figure 37 on page 110). Address translation By default, Ephemeral Pipe Support (EPS) is enabled to allow IP.PIPE connections to cross a network address-translating firewall. This feature obiates the requirement for a broker partition file (KDC_PARTITIONFILE=KDCPART). If you specifically want to disable EPS, specify Y for Address translation. Partition name If you specified Y for Address translation, supply the partition name (label) that identifies the location of the monitoring serer relatie to the firewall(s) used for address translation. The partition name that you supply is added to the partition table, which contains labels and associated socket addresses proided by the firewall administrator. The label is used outside the firewall to establish monitoring serer connections. The well-known port for the hub monitoring serer must be authorized by the firewall administrator. For the IP*.*PIPE protocols, no additional ports require authorization. When you press Enter after proiding the IP*.*PIPE configuration alues, if you specified Y for Address translation, the Specify IP.PIPE Partition References panel (Figure 19 on page 54) is displayed. The name of the monitoring serer, its partition name (that is, its location or namespace relatie to the firewall), and its partition address (the IP address assigned to the monitoring serer in the specified partition) are displayed at the top of the Specify IP.PIPE Partition References panel. Use the fields of this panel to specify partition references (the alues required to support communication across a firewall using address translation rather than EPS). If more than one firewall is used, specify a partition reference for each firewall. 114 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

127 Partition Supply the partition name assigned to the monitoring serer from a location on the other side of the firewall. Address Supply the IP address assigned to the monitoring serer from a location on the other side of the firewall. To add a partition reference, specify the partition name and the address used in that partition to communicate with the monitoring serer, and press Enter. To modify an existing partition reference, type oer an entry and press Enter. To delete a reference, type D in the Action field and press Enter. Modifications resulting in duplicate entries are ignored. The alues proided on this panel are saed as the KDC_PARTITIONFILE enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. KDC_PARTITIONFILE points to a member, KDCPART, created in the &rhile.&rte.rkanparu library. IP.UDP and IP6.UDP The field definitions and instructions for the IP.UDP and IP6.UDP protocols are the same as those for the IP*.*PIPE protocols, except that address translation does not apply to IP.UDP and IP6.UDP. SNA.PIPE Figure 33 on page 74 shows the Specify SNA Communication Protocol panel. Supply alues for these fields. Applid prefix This alue is used to create the VTAM applids required by the monitoring serer. These applids begin with the prefix, and end with a specific alue that makes each applid unique. The applids are contained in the VTAM major node. You specified this alue when you defined the runtime enironment. Tip: Enter README APP on the command line for more information on how the Configuration Tool processes VTAM applids. If system ariable support is enabled, enter README SYS on the command line for more information on how the Configuration Tool processes VTAM applids using z/os system symbols. Press F6 (Applids) for a list of the VTAM major node and applid alues. Network ID The identifier of your VTAM network. You specified this alue when you defined the runtime enironment. You can also obtain this alue from the NETID parameter in the VTAMLST startup member ATCSTRnn. 4. Press Enter to return to the Configure the TEMS panel (Figure 10 on page 40). Create runtime members and configure the persistent datastore Follow the instructions in Create the runtime members on page 61 to create the runtime members for the remote monitoring serer, and then follow the instructions in Configure the persistent datastore on page 61 to configure the persistent datastore and create its runtime members. Then press F3 (Back) until you return to the Product Component Selection panel (Figure 28 on page 64). Step 2. Configure monitoring agents in the runtime enironment In this step, you configure monitoring agents in the same runtime enironment with the remote monitoring serer. 1. On the Product Component Selection panel (Figure 28 on page 64), select the monitoring agent. If two monitoring agent components are listed, select the OMEGAMON II component first. Chapter 5. Configuring a remote monitoring serer on z/os to report to a distributed hub 115

128 COMPONENT TITLE 1 Tioli Enterprise Monitoring Serer 2 OMEGAMON II... 3 IBM Tioli OMEGAMON XE To configure the monitoring agent, follow the configuration instructions in the product publications in the Tioli Monitoring and OMEGAMON XE Information Center at tiihelp/15r1/index.jsp?toc=. Be sure to select the option Register with local TEMS. This option produces a job that enables the monitoring agent to transmit data to the remote monitoring serer. If you are configuring the monitoring agent in its own address space, be sure to leae the default alue of Y at this prompt: Connect to TEMS in this RTE ==> Y (Y, N) Follow the steps up to Complete the configuration. 3. Press F3 until you return to the Product Selection Menu (Figure 5 on page 33). 4. On the Product Selection Menu, enter S (Select) to the left of the name of another monitoring agent. 5. On the Runtime Enironments (RTEs) panel (Figure 6 on page 34), type C (Configure) in the Action field to the left of the name of the runtime enironment where you configured the remote monitoring serer and the first monitoring agent. 6. On the Product Component Selection panel (Figure 28 on page 64), select the monitoring agent. You do not hae to reconfigure the hub monitoring serer to add a monitoring agent to the runtime enironment. 7. Repeat steps 2 to 6 until you hae configured all desired monitoring agents in the runtime enironment. Step 3. Load the runtime libraries Before you complete the configuration of the monitoring serer and monitoring agents outside the Configuration Tool, you must load the runtime libraries from the target libraries that were installed by SMP/E. The load job requires exclusie access to the runtime libraries. 1. On the Runtime Enironments (RTEs) panel Figure 6 on page 34, enter L (Load) in the Action field to the left of the name of the runtime enironment. 2. Reiew the JCL and submit the job. Verify that the job completes successfully and that the return code is 04 or lower. 3. When you finish loading the libraries, press F3 (Back) to return to the Runtime Enironments (RTEs) panel. 4. Go to Chapter 6, Completing the configuration, on page 119, Chapter 7, Adding application support to a monitoring serer on z/os, on page 129, and Part 3 of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for instructions on completing the configuration, adding application support to the monitoring serers, and alidating the configuration. 5. Go to Parts 4 and 5 of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for instructions on using batch mode to replicate the configured enironment to other LPARs. 116 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

129 Part 3. Post-configuration procedures Some important post-configuration procedures are necessary before the configured monitoring serer is ready to function in a monitoring enterprise. The chapters in this part of Configuring the Tioli Enterprise Monitoring Serer on z/os gie instructions for those procedures: Chapter 6, Completing the configuration, on page 119 outside the configuration software. Chapter 7, Adding application support to a monitoring serer on z/os, on page 129 for the monitoring agents that send it data. Chapter 8, Configuring security on a monitoring serer on z/os, on page 143. Naigation tips All the chapters in Part 3 contain necessary information. Follow this path: 1. Complete the post-configuration tasks in Chapter 6, Completing the configuration, on page 119, in Chapter 7, Adding application support to a monitoring serer on z/os, on page 129, and in your monitoring agent configuration guides. 2. Go to the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for instructions on alidating your configuration. 3. After you alidate the configuration, perform the tasks in Chapter 8, Configuring security on a monitoring serer on z/os, on page Go to Part 4 of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide for instructions on replicating the configured enironment to other LPARs. Copyright IBM Corp. 2005,

130 118 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

131 Chapter 6. Completing the configuration You must take a number of steps outside the configuration software to complete the configuration of monitoring serers and monitoring agents. The steps you hae left to complete depend on the steps you hae already taken, the configuration options you hae chosen, and what you intend to monitor. Typical tasks of completing the configuration of a monitoring serer The following tasks are typically required for completing the configuration of a monitoring serer. 1. (If IP domain name resolution is not fully configured): (If applicable) Add support for the SYSTCPD DDNAME in the monitoring serer started task. 2. (If you want to enable NetView authorization of Take Action commands): (If applicable) Add the NetView CNMLINK data set to the monitoring serer started task on page Copy the started task procedures to your procedure library on page Copy the VTAM definitions to your system VTAMLST on page Vary the VTAM major node actie on page APF-authorize the runtime load libraries on page (If you hae configured more than one hub monitoring serer on z/os) (If applicable) Refresh the KSHXHUBS member in other runtime enironments on page Verify that you can start and stop the monitoring serer on page (If you want to enable NetView authorization of Take Action commands): (If applicable) Enable NetView to authorize Take Action commands on page If ICSF is not installed on the system: (If applicable) Edit the portal serer enironment file on page If you intend to collect historical data: Enable historical data store maintenance (optional) on page 123 Enable historical data collection (optional) on page If you want to enable eent forwarding to Tioli Enterprise Console or OMNIbus: Enable eent forwarding (optional) on page 124 If you are using the Configuration Tool (ICAT), you can generate a list of required post-configuration tasks for a specific configured runtime enironment. For more information, see the "Completing the configuration" chapter of the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide and see the configuration documentation for your monitoring agents. (If applicable) Add support for the SYSTCPD DDNAME in the monitoring serer started task If your monitoring serers are configured to use any of the TCP/IP communication protocols for connection, but IP domain name resolution is not fully configured, you must specify the SYSTCPD DDNAME in the CANSDSST started task for each monitoring serer. The configuration software generates the CANSDSST started task in the &rhile.&rte.rkansamu data set with some lines commented out. To add support for the SYSTCPD DDNAME, uncomment the two lines at the end of the section of CANSDSST shown here, and customize the TCPDATA library name for your enironment. //*SYSTCPD explicitly identifies which dataset to use to obtain //*the parameters defined by TCPIP.DATA when no GLOBALTCPIPDATA //*statement is configured. Refer to the IP Configuration Guide //*for information on the TCPIP.DATA search order. The dataset //*can be any sequential dataset or a member of a partitioned Copyright IBM Corp. 2005,

132 //*dataset. TCPIP.SEZAINST(TCPDATA) is the default sample file. //*TCPIVP.TCPPARMS(TCPDATA) is another sample and is created as //*part of the Installation Verification Program for TCP/IP. //*Note: Uncomment out this DDNAME and point to appropriate //* TCPDATA library name supported at your site if domain //* name resolution is not fully configured. //*SYSTCPD DD DISP=SHR, //*DSN=TCPIP.SEZAINST(TCPDATA) (If applicable) Add the NetView CNMLINK data set to the monitoring serer started task To connect to NetView, the monitoring serer must reference the NetView CNMLINK data set. If you want to enable NetView authorization of Take Action commands, concatenate the CNMLINK data set to the RKANMODL statement in the CANSDSST started task for each monitoring serer. You can find the CANSDSST started task procedure in the &rhile.&rte.rkansamu data set. To proide the location, uncomment the CNMLINK DD card in CANSDSST and specify the NetView CNMLINK data set. For example: //RKANMODL DD DISP=SHR, // DSN= &RHILEV.&SYS.RKANMODU // DD DISP=SHR, // DSN= &RHILEV.&SYS.RKANMODUL // DD DISP=SHR, // DSN= &RHILEV.&SYS.RKANMOD //****************************************************************** //* RKANMODL DD: CNMLINK //****************************************************************** //* Uncomment this DD card and specify the location of the CNMLINK //* load module for NetView for z/os. This library is required for the //* "Forward Take Action commands to NetView for z/os" support which //* is enabled for this Agent. The CNMLINK library must also be //* APF-authorized // DD DISP=SHR, // DSN=NETVIEW.V5R3M0.CNMLINK Contact your NetView for z/os system programmer for the data set name, if necessary. The default NetView 5.3 CNMLINK data set is NETVIEW.V5R3M0.CNMLINK. The CNMLINK library must be APF-authorized. Copy the started task procedures to your procedure library The configuration software creates a number of started task procedures in the data set &rhile.&rte.rkansamu. Under a user ID with write authority to the PROCLIB data set, copy the following procedures to your procedure library: CANSDSST (the monitoring serer started task) KPDPROC1 (maintenance procedure for the persistent data store) started task procedures for any monitoring agents configured in their own address space in the runtime enironment The KPDPROC1 procedure is present only if you configured a persistent data store in the runtime enironment. Be careful not to oerwrite any PROCLIB members that hae already been modified. 120 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

133 Copy the VTAM definitions to your system VTAMLST The configuration software also creates VTAM definitions in the data set &rhile.&rte.rkansamu. Under a user ID with write authority to the VTAMLST data set, copy the VTAM major node (default node ID for the monitoring serer: CTDDSN) to your system VTAMLST. Be careful not to oerwrite any VTAMLST members that hae already been modified. Vary the VTAM major node actie Issue the following command to ary the VTAM major node actie: V NET,ACT,ID=CTDDSN If you changed the node ID for the monitoring serer, replace CTDDSN with the new node ID. APF-authorize the runtime load libraries Add the following runtime load libraries to your list of APF-authorized libraries. &rhile.&rte.rkanmod &rhile.&rte.rkanmodu &rhile.&rte.rkanmodl Any other runtime libraries concatenated in the STEPLIB DDNAME or in the RKANMODL DDNAME of started tasks must also be APF-authorized. If you enabled password encryption, you must APF-authorize the ICSF load library (default name CSF.SCSFMOD0), which is concatenated in the RKANMODL DD statements. If the runtime enironment shares target libraries that were installed by SMP/E, you must also APF-authorize the following libraries: &thile.tkanmod &thile.tkanmodl Some monitoring agents require additional target libraries. Check the monitoring agent configuration documentation. (If applicable) Refresh the KSHXHUBS member in other runtime enironments The hub monitoring serer list monitored in the KSHXHUBS member of &rhile.&rte.rkanparu is maintained in a global table (KDSTHUBS), which is used by all SOAP serers enabled in this installation library. Subsequent changes to the entries in this table affect KSHXHUBS members in other runtime enironments. Verify that you can start and stop the monitoring serer At this point you can erify that the monitoring serer can be started and stopped. 1. Start the hub monitoring serer. If your hub is on a z/os system, start the monitoring serer started task: S CANSDSST If your hub is on a distributed system, see IBM Tioli Monitoring: Installation and Setup Guide. 2. If you hae configured a remote monitoring serer on z/os, start its started task: S CANSDSST 3. In the RKLVLOG for the monitoring serer address space, look for the following messages to indicate successful startup: KDSMA001 Tioli Enterprise Monitoring Serer (TEMS) data collection serer started. KO4SRV032 Tioli Enterprise Monitoring Serer (TEMS) startup complete. Chapter 6. Completing the configuration 121

134 Look also for the following messages to indicate successful establishment of a communications path by the local location broker: KDSNC007 Local Location Broker is actie KDSNC004 Bind of local location broker complete= protocol_name:address If the monitoring serer is a hub, additional messages indicate successful establishment of a communications path by the global location broker: KDSNC004 Bind of global location broker complete= protocol_name:address KDSNC005 Bind of global location broker complete at address protocol_name:address on port number KDSNC008 Global Location Broker is actie For a remote monitoring serer, look for a message similar to this one to indicate a successful connection with the hub: KDS9141I The TEMS RTEname:CMS is connected to the hub TEMS protocol_name:address The number of messages depends on the number of protocols defined. 4. Stop the monitoring serer started task: P CANSDSST If you encounter problems starting or stopping the monitoring serer, refer to IBM Tioli Monitoring: Troubleshooting Guide. (If applicable) Enable NetView to authorize Take Action commands If you hae configured monitoring serers to forward z/os Take Action commands to NetView, you must also enable NetView to receie, authorize, and execute the commands. To enable execution of forwarded commands, complete the following steps: 1. Define Tioli Enterprise Portal user IDs to NetView. For information on defining user IDs, see the section "Defining Tioli Enterprise Portal User IDs" in the Tioli NetView for z/os Security Reference. You can find the NetView for z/os publications at Tip: If an existing NetView operator ID matches a Tioli Enterprise Portal user ID, Take Action commands are executed on the existing NetView operator ID. If the NetView operator ID is used to log on to a 3270 terminal, Take Action commands might run on an actie NetView operator, with unwanted results. Mapping Tioli Enterprise Portal user IDs to NetView autotasks is preferable. 2. Perform one of the following actions: Define the NetView PPI receier in the NetView DSIPARM member CNMSTYLE (see Figure 40). Follow the instructions in the member. The PPI receier for APSERV will be started during NetView initialization. ************************************************************************ * Tioli Management Serices infrastructure serer * * * * Uncomment the following (and, optionally, supply preferred OPID) to * * initialize support for commands and messages from Tioli Management * * Serices infrastructure and/or other APF authorized clients. See * * command help for APSERV for information about the function and * * clients depending on it. * * * ************************************************************************ function.autotask.apserv = AUTOTMSI * AUTOTASK.?APSERV.Console = *NONE* // AUTOTASK.?APSERV.InitCmd = APSERV CNMPCMDR Figure 40. CNMSTYLE member after editing 122 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

135 If you do not customize CNMSTYLE to define the receier, start the NetView PPI receier manually by issuing the APSERV command. The APSERV command is a command serer that runs on a NetView autotask or on a irtual OST (VOST). APSERV accepts commands or messages from APF authorized programs only. The APSERV command must be running, whether started during NetView initialization or manually, to receie the system commands from the TEMS and agent. Refer to the NetView online help or to the Tioli NetView for z/os Application Programmers Guide for more information on the APSERV command. 3. Verify that the NetView for z/os Subsystem Address Space is actie with the PPI enabled. The PPI is enabled by specifying the PPIOPT keyword in sample procedure CNMSJ010 (CNMPSSI), located in the NetView CNMSAMP data set. (If applicable) Edit the portal serer enironment file Communication between a hub monitoring serer and the Tioli Enterprise Portal Serer requires ICSF encryption unless you edit the portal serer enironment file. If ICSF is not installed on the z/os system where the hub monitoring serer is configured, edit the portal serer enironment file (kfwen) as follows: 1. On the Windows or Linux system where you hae installed the portal serer, launch the Manage Tioli Monitoring Serices application. 2. In the application window, right-click Tioli Enterprise Portal Serer, and select Adanced > Edit ENV File. The enironment file kfwen is opened in a text editor. 3. Add the following line to the end of the file, and then sae the file and close the editor. USE_EGG1_FLAG=1 (or USE_EGG1_FLAG=Y) 4. Restart the Tioli Enterprise Portal Serer. Enable historical data store maintenance (optional) If you intend to enable historical data collection and hae allocated and configured maintenance of the historical data set, you must perform three additional tasks to enable the maintenance: Proide access to the persistent datastore files. Authorize the KPDDSCO module on page 124. Verify persistent datastore configuration on page 124. If you are upgrading an existing monitoring serer, you must also refresh the KPDPROC1 maintenance procedure in your system procedure library. See the IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Upgrade Guide. Proide access to the persistent datastore files Ensure that KPDPROC1 procedure has the necessary authority to read, write, and update the persistent datastore files. The KPDPROC1 procedure is used to maintain the physical files that constitute the persistent datastore. Data store files are archied, exported or recycled according to the maintenance strategy that you specified for persistent datastore file groups for the product. The persistent datastore subsystem automatically submits maintenance jobs wheneer a data store file becomes full. The maintenance procedure must be aailable in a system procedure library for the procedure to operate. The procedure is generic so it can be used by all runtime enironment using this ersion of the persistent datastore. Chapter 6. Completing the configuration 123

136 Authorize the KPDDSCO module The KPDPROCC REXX procedure runs in a TSO enironment and must be enabled to run as an authorized program under TSO. Authorize the KPDDSCO module by adding KPDDSCO to the system PARMGEN(IKJTSOnn) under the AUTHPGM section and refresh the IKJTSOnn member by issuing the set command (T IKJTSO=nn). You might also request that authorized system programmers perform this step so it can be scheduled with the LPAR change control processes. Verify persistent datastore configuration To erify that the configuration and authorization of the procedures hae been successful, perform the following steps: 1. Bring up the started task (for monitoring serer or monitoring agent) that will collect historical data into the product's persistent datastore libraries. In the RKPDLOG DDNAME started task, find any persistent datastore libraries in a non-offline status (for example, Partial or Full status). 2. From a z/os operator console, issue the following z/os MODIFY command: /F &stcname,kpdcmd RECOVER FILE=DSN:&pds_dataset (where &stcname is the name of the started task performing the persistent datastore collection, and &pds_dataset is the persistent datastore data set). For example, issue the following MODIFY command for the monitoring serer: /F CIDSST,KPDCMD RECOVER FILE=+ DSN:&rhile.&rte.RGENHIS1 3. Wait 5 minutes. 4. In the RKPDLOG DDNAME started task, find the following Command: and KPDDSTR: references as shown in the following monitoring serer RKPDLOG DDNAME example below: Command: RESUME FILE=DSN:&rhile.&rte.RGENHIS1 KPDDSTR: CONNECT processing started for DataStore file DSN:rhile.&rte.RGENHIS1 KPDDSTR: CONNECT processing ended for DataStore file DSN:& 5. If these references are not found, iew the KPDPROC1 started task in SDSF and look for any obious errors. Enable historical data collection (optional) Two leels of historical data are aailable: Short-term history data, which is stored in the persistent data store on z/os systems. Long-term history data, which is stored in the Tioli Data Warehouse on distributed systems. Both short-term and long-term history are optional features that can be enabled from the Tioli Enterprise Portal. The Tioli Enterprise Portal History Collection dialog box lists the attribute tables that are enabled for historical collection and reporting. To enable historical data collection, you must select and configure each group (attribute table) for which you want to collect data, and then start collection for those groups. If you want to warehouse the data for long-term historical reporting, you must set the Warehouse Interal to the interal at which data is warehoused. For detailed instructions on configuring history data collection in the Tioli Enterprise Portal, refer to IBM Tioli Monitoring: Administrator's Guide and the Tioli Enterprise Portal online help. Enable eent forwarding (optional) If you hae configured a hub monitoring serer on z/os to forward situation eents to Tioli Enterprise Console or OMNIbus, you must complete the following tasks for eent forwarding to succeed: 1. Configure the destination eent serer or serers to receie the eents. 124 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

137 2. Install a situation update forwarding process (the eent synchronization component) on the eent serer or serers. 3. If situation eents are forwarded to the Tioli Enterprise Console, complete the following steps: a. Copy the.baroc files for the monitoring agents to the Tioli Enterprise Console and install them there. b. If distributed agents report to a z/os hub, use FTP to transfer the map and resource files for each monitoring agent to the RKANDATV library of the runtime enironment that contains the hub. c. If z/os monitoring agents report to a hub in another CSI and their FMIDs hae not been installed in that CSI, copy their map files to the RKANDATV library of the runtime enironment that contains the hub. d. Restart the Tioli Enterprise Portal Serer. 4. Use the taccmd createeentdest command to specify additional destination serers, if desired. 5. Use the Tioli Enterprise Portal Situation editor to: Specify specific eent serers to receie eents (EIF receiers) Specify the eent seerity. Specify which eents are sent to which eent serers. The IBM Tioli Monitoring: Installation and Setup Guide proides detailed instructions for configuring Tioli Enterprise Console and OMNIbus serers to receie the situation eents from the hub and for installing the eent synchronization component that allows the serers to return updated status to the hub. The installation guide also contains instructions for installing the monitoring agent.baroc files on the Tioli Enterprise Console serer. The IBM Tioli Monitoring: Tioli Enterprise Portal User's Guide explains how to use the Situation editor to specify eent destinations and set situation seerities. The following sections describe the.baroc, map, and resource files; tell where they are located; and gies instructions for transferring them to the appropriate destinations: Map,.baroc, and resource files Transferring KppBAR files to a Tioli Enterprise Console serer on page 127 Transferring map and resource files to the z/os hub on page 127 Map,.baroc, and resource files Monitoring agents proide three types of files for forwarding situations eents to a Tioli Enterprise Console: Map files are used by the Eent Forwarder component to map attribute groups and attributes to Tioli Enterprise Console classes and slots before sending these eents to a designated Tioli Enterprise Console serer through the Tioli Eent Integration Facility. Map files must be installed at the hub..baroc files are used by the Tioli Enterprise Console serer to expand and format the forwarded situation eent data. The.baroc files are deliered with application support for the monitoring agents, but must be installed on the Tioli Enterprise Console serer. If situation eents are being forwarded to the Tioli Enterprise Console eent serer, the kpp.baroc files must be copied from the TECLIB to the host of the Tioli Enterprise Console serer and installed in the serer. See IBM Tioli Monitoring: Installation and Setup Guide for detailed instructions for installing kpp.baroc files on the Tioli Enterprise Console serer. Resource files contain the Tioli Enterprise Console message slot translation resource files. These files are used by the hub monitoring serer. If monitoring agents that run on distributed computers report to a z/os hub monitoring serer, or if monitoring agents that run on z/os report to a hub in a different CSI, the map and resource files for those agents must be transferred to the hub. For instructions, see Transferring map and resource files to the z/os hub on page 127. Chapter 6. Completing the configuration 125

138 The map,.baroc, and resource files are deliered with the application support for each monitoring agent. Monitoring agents that run on z/os delier map and.baroc files both in their FMIDs and with application support. Important If any distributed monitoring agents report either directly or indirectly (through a distributed remote monitoring serer) to a z/os hub, you must complete the following steps to obtain the files required for EIF eent forwarding: 1. Install a monitoring serer on a Windows, Linux, or UNIX computer. 2. Configure that monitoring serer as a hub, but do not start it. 3. Install application support on that hub monitoring serer for all monitoring agents from which you want to forward situation eents. The IBM Tioli Monitoring: Installation and Setup Guide proides instructions for installing and configuring a hub monitoring serer on a distributed computer and for installing application support on the hub. Follow the instructions for installing and configuring the hub, but not for starting it. Tip: If only z/os agents report to the z/os hub, you do not hae to configure a distributed hub and install application support for the agents. You can use the KppBAR files. See Transferring KppBAR files to a Tioli Enterprise Console serer on page 127 for instructions on transferring KppBAR files to a Tioli Enterprise Console eent serer. When application support is installed on a distributed hub, kpp.baroc and kpp.map files are placed in the TECLIB directory: <ITM_HOME>/tables/<TEMS_NAME>/TECLIB/(Unix and Linux) <ITM_HOME>/CMS/TECLIB (Windows) Resource files are placed in the following directories: UNIX and Linux: <ITM_HOME>/tables/<TEMS_NAME>/rb/ascii-big/kpp_<LANG>.res ("big-endian" hardware <LANG> messages) <ITM_HOME>/tables/<TEMS_NAME>/rb/ascii-big/kpp_root.res ("big-endian" hardware default language messages) <ITM_HOME>/tables/<TEMS_NAME>/rb/ascii-little/kpp_<LANG>.res ("little-endian" hardware <LANG> messages) <ITM_HOME>/tables/<TEMS_NAME>/rb/ascii-little/kpp_root.res ( "little-endian" hardware default language messages) <ITM_HOME>/tables/<TEMS_NAME>/rb/ebcdic/KPPRSI (z/os English messages) Windows: <ITM_HOME>/CMS/TECLIB/rb/ascii-little/kpp_<LANG>.res ("little-endian" hardware <LANG> messages) <ITM_HOME>/CMS/TECLIB/rb/ascii-little/kpp_root.res ("little-endian" hardware default language messages) <ITM_HOME>/CMS/TECLIB/rb/ascii-big/kpp_<LANG>.res ("big-endian" hardware <LANG> messages) <ITM_HOME>/CMS/TECLIB/rb/ascii-big/kpp_root.res ("big-endian" hardware default language messages) <ITM_HOME>/CMS/TECLIB/rb/ebcdic (z/os English messages) Monitoring agents that run on z/os also proide KppBAR files and KppMAP files, which are installed in the &rhile.&rte.rkandatv library in the z/os hub runtime enironment when the agent registers with the hub. OMEGAMON XE agents that run on z/os do not delier resource files, because their messages are not translated. 126 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

139 Transferring KppBAR files to a Tioli Enterprise Console serer If you hae only z/os agents reporting to a z/os hub and do not want to install a distributed monitoring serer, you can copy or transfer (FTP) the KppBAR files from the RKANDATV library of the runtime enironment that contains the hub to the host of the Tioli Enterprise Console serer. The files must be renamed to kpp.baroc on the Tioli Enterprise Console host. For example: C:\temp>ftp bigblue.ibm.com Connected to bigblue.ibm.com. 220-$FTPA1 IBM FTP CS V1R8 at bigblue.ibm.com, 23:03:19 on Connection will close if idle for more than 5 minutes. User (bigblue.ibm.com:(none)): myuserid 331 Send password please. Password: 230 myuserid is logged on. Working directory is "MYUSERID.". ftp> get test.tst420.sharing1.rkandat(km5bar) km5.baroc 200 Port request OK. 250 Transfer completed successfully. ftp: bytes sent in 1.22Seconds Kbytes/sec. Transferring map and resource files to the z/os hub If distributed agents report to a z/os hub, their kpp.map and kpp.res files must be copied to the RKANDATV library of the hub's runtime enironment and renamed in accordance with z/os naming rules. Important: If you use FTP to transfer the files, map files must be transferred in ASCII mode and resource files must be transferred in binary mode. If you hae monitoring agents on z/os that report to a z/os hub in a different CSI and the agent FMIDs are not installed in the hub CSI, you must also copy or transfer their map files to the hub. Complete the following steps to transfer the files: 1. In a command window on the host of the distributed hub monitoring serer where application support has been installed, change to the TECLIB directory. For example: cd IBM\ITM\CMS\TECLIB 2. At the command prompt, enter the following command: ftp <hostname> where <hostname> is the name or IP address of the host of the z/os hub monitoring serer. 3. Enter an authorized user ID for the z/os host and press Enter. 4. Enter the password for the user ID and press Enter. 5. Enter the following command: put kpp.map &rhile.&rte.rkandatv(kppmap) where pp is the two-letter product code for the agent whose map file you are transferring, &rhile is the high-leel qualifier for the runtime enironment, and &rte is the name of the runtime enironment. Wait for the message telling you that the transfer has completed successfully. Repeat this step for eery agent whose map file you want to transfer to the hub. 6. Change to the /rb/ebcdic directory. For example: cd rb/ebcdic 7. Change to binary mode: bin 8. Put the KppRSI files in the same library: put KppRSI &rhile.&rte.rkandatv(kpprsi) Chapter 6. Completing the configuration 127

140 Repeat this step for eery agent. 9. Exit the FTP session: bye Run the ITMSUPER Tools (optional) Use the ITMSUPER Tools to learn about the health of your managed systems, situations, and enironment configuration. You can find the tools by searching for ITMSUPER on the Integrated Serice Management Library website. If you hae configured products in more than one runtime enironment, you must complete the configuration of the products in eery runtime enironment. Then go on to Chapter 7, Adding application support to a monitoring serer on z/os, on page 129. Note: The ITMSUPER tools require that Web Serices (that is, the SOAP serer) be actie at the hub monitoring serer. 128 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

141 Chapter 7. Adding application support to a monitoring serer on z/os When to follow the steps in this chapter If your site has actiated the self-describing agents capability at the hub monitoring serer, it is not necessary that you complete these steps for any agent that has the self-describing capability (that is, all distributed agents for ersion and subsequent). These steps, howeer, are necessary for all OMEGAMON agents and for all distributed agents at a leel prior to V6.2.3, regardless of the remote monitoring serer or hub monitoring serer they report to, as these agents do not hae the self-describing capability. Before you can iew data collected by monitoring agents, you must add support for the agents to the Tioli Enterprise Portal Serer, to the hub monitoring serer, and in some cases, to remote monitoring serers. Application support for a monitoring agent includes two types of files: Catalog and attribute (CAT and ATR) files are required for presenting workspaces, online help, and expert adice for the agent in Tioli Enterprise Portal. SQL files are required for adding product-proided situations, templates, and policies to the Enterprise Information Base (EIB) tables maintained by the hub monitoring serer. These SQL files are also called seed data, and installing them on a monitoring serer is also called seeding the monitoring serer. Important: The catalog and attribute files for a monitoring agent must be added to a monitoring serer on z/os before the SQL files can be added to that monitoring serer. The way you implement the application support requirements depends on your setup. If a monitoring agent and a monitoring serer are installed in the same CSI, the catalog and attribute files are added automatically to the monitoring serer when its runtime libraries are loaded. Tip: Some monitoring agents on z/os hae additional requirements. See the configuration documentation for each monitoring agent product. If a monitoring agent and a monitoring serer are installed in different CSIs, and if data collected by the monitoring agent will flow through the monitoring serer, you must copy or transfer the catalog and attribute files (KppATR and KppCAT) from the &thile.tkandatv library in the CSI where the monitoring agent is installed to the &rhile.&rte.rkandatv library for the runtime enironment in which the monitoring serer is configured. You add the catalog and attribute files for the Warehouse Proxy agent and for the Summarization and Pruning agent to the hub monitoring serer on z/os from the Manage Tioli Monitoring Serices utility on a Windows, Linux, or UNIX computer where a portal serer is installed and where either the portal serer or a monitoring serer is configured to communicate with the hub on z/os. You add the SQL files for your monitoring agents, for the Warehouse Proxy agent, and for the Summarization and Pruning agent to the hub monitoring serer on z/os from the Manage Tioli Monitoring Serices utility. If a distributed monitoring agent (a monitoring agent installed on a Windows, Linux, or UNIX system) or a monitoring agent on a z/vm system reports directly to a hub monitoring serer on a z/os system, you must add both the catalog and attribute files and the SQL files to the hub on z/os from Manage Tioli Monitoring Serices. This chapter gies instructions for adding application support to a monitoring serer on z/os. For instructions on adding application support to a monitoring serer on Windows, Linux, or UNIX, see the IBM Tioli Monitoring: Installation and Setup Guide. Copyright IBM Corp. 2005,

142 Prerequisites Before you add application support to a monitoring serer, you must complete these prerequisite tasks: Verify that eery monitoring agent for which you plan to add application support is compatible with the ersion components of Tioli Management Serices. If you hae any question about whether the components are compatible, see the planning publications in the monitoring agent library. Install the distributed components of Tioli Management Serices or IBM Tioli Monitoring. The procedures described in this chapter require that a portal serer be installed on a Windows, Linux, or UNIX system and that either the portal serer or a monitoring serer be configured to communicate with the hub on z/os. For instructions, see the IBM Tioli Monitoring: Installation and Setup Guide. Install any distributed non-base monitoring agents that you hae purchased. For instructions, see the documentation for each monitoring agent. Make sure you hae access to the application support data files for eery monitoring agent for which you plan to add application support. Some monitoring agents that run on z/os or z/vm are packaged with their own CD or DVD that contains the data files for adding application support to the monitoring serer. Other monitoring agents that run on z/os are packaged with a CD or DVD that contains application support data files for a number of agents. Distributed agents (including the Warehouse Proxy agent and the Summarization and Pruning agent) already hae the necessary application support files aailable on the appropriate system, if the agents are installed on a computer with a portal serer installed and with either the portal serer or a monitoring serer configured to communicate with the hub on z/os. Tip: During installation of the components of Tioli Management Serices or IBM Tioli Monitoring on a distributed system, you are prompted to add application support to the monitoring serer. Select the option On this computer to add application support to the local monitoring serer. Do not select the option On a different computer to add application support to the hub on z/os at this point. For a distributed agent installed on a computer on which no portal serer is installed or on which neither the portal serer nor a remote monitoring serer is configured to communicate with the hub monitoring serer on z/os, use the product CD or DVD to install the application support files on a different computer where a portal serer is installed and where either the portal serer or a remote monitoring serer is configured to communicate with the hub monitoring serer on z/os. For instructions, see the installation instructions in the monitoring agent library, or see IBM Tioli Monitoring: Installation and Setup Guide. To determine where application support files can be found for z/os monitoring agents and to ensure that you install application support for your monitoring agents in the correct order, see the Locating ITM Workspace Application Support Files for z/os Agents Technote. You can find this Technote by selecting one of your OMEGAMON XE products on the Software Support website at support and searching for locating application support. 130 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

143 Selecting the correct procedure The procedure for adding application support to a monitoring serer depends on your configuration. Some configurations, while supported, do not represent best practices and might not yield the best possible results in performance and reporting. The best-practice configurations are identified in Table 4. For more detailed information about best practices for configuring your monitoring enironment, see Chapter 2, Planning your deployment, on page 13. Table 4. Procedures for adding application support to a monitoring serer on z/os Monitoring agent location Best practice? Follow these instructions Same CSI as the hub or remote monitoring serer on z/os Different CSI from the hub or remote monitoring serer on z/os Yes 1. Install the application support files on a distributed system where a portal serer is installed and where either the portal serer or a remote monitoring serer is configured to communicate with the hub monitoring serer on z/os. See Install the application support files on a distributed system where a portal serer is installed on page Copy or transfer catalog and attribute files to the monitoring serer on z/os for the Warehouse Proxy agent and the Summarization and Pruning agent, if you want to store long-term history data. See Copy or transfer catalog and attribute files to the monitoring serer on z/os on page Use Manage Tioli Monitoring Serices to add application support SQL files to the hub monitoring serer on z/os. See Use Manage Tioli Monitoring Serices to add application support SQL files to the hub monitoring serer on z/os on page 139. No 1. Copy or transfer the monitoring agent's catalog and attribute files (KppCAT and KppATR) from the &thile.tkandatv library in the CSI where the monitoring agent is installed to the &rhile.&rte.rkandatv library for the runtime enironment in which the monitoring serer is configured. You can use IEBCOPY or FTP file transfer. 2. Install the application support files on a distributed system where a portal serer is installed and where either the portal serer or a remote monitoring serer is configured to communicate with the hub monitoring serer on z/os. See Install the application support files on a distributed system where a portal serer is installed on page Copy or transfer catalog and attribute files to the monitoring serer on z/os for the Warehouse Proxy agent and the Summarization and Pruning agent, if you want to store long-term history data. See Copy or transfer catalog and attribute files to the monitoring serer on z/os on page Use Manage Tioli Monitoring Serices to add application support SQL files to the hub monitoring serer on z/os. See Use Manage Tioli Monitoring Serices to add application support SQL files to the hub monitoring serer on z/os on page 139. Chapter 7. Adding application support to a monitoring serer on z/os 131

144 Table 4. Procedures for adding application support to a monitoring serer on z/os (continued) Monitoring agent location Best practice? Follow these instructions z/vm system Yes 1. Install the application support files on a distributed system where a portal serer is installed and where either the portal serer or a remote monitoring serer is configured to communicate with the hub monitoring serer on z/os. See Install the application support files on a distributed system where a portal serer is installed on page Copy or transfer catalog and attribute files to the monitoring serer on z/os. See Copy or transfer catalog and attribute files to the monitoring serer on z/os on page Use Manage Tioli Monitoring Serices to add application support SQL files to the hub monitoring serer on z/os. See Use Manage Tioli Monitoring Serices to add application support SQL files to the hub monitoring serer on z/os on page 139. Distributed system where a portal serer is installed and where either the portal serer or a remote monitoring serer is configured to communicate with the hub monitoring serer on z/os Distributed system (Windows, Linux, or UNIX) on which no portal serer is installed or on which neither the portal serer nor a remote monitoring serer is configured to communicate with the hub monitoring serer on z/os Yes 1. Copy or transfer catalog and attribute files to the monitoring serer on z/os. See Copy or transfer catalog and attribute files to the monitoring serer on z/os on page Use Manage Tioli Monitoring Serices to add application support SQL files to the hub monitoring serer on z/os. See Use Manage Tioli Monitoring Serices to add application support SQL files to the hub monitoring serer on z/os on page 139. No 1. Install the application support files on a distributed system where a portal serer is installed and where either the portal serer or a remote monitoring serer is configured to communicate with the hub monitoring serer on z/os. See Install the application support files on a distributed system where a portal serer is installed on page Copy or transfer catalog and attribute files to the monitoring serer on z/os. See Copy or transfer catalog and attribute files to the monitoring serer on z/os on page Use Manage Tioli Monitoring Serices to add application support SQL files to the hub monitoring serer on z/os. See Use Manage Tioli Monitoring Serices to add application support SQL files to the hub monitoring serer on z/os on page 139. The rest of this chapter proides instructions for these procedures. Tip: Complete only the procedures that apply to your configuration. Use Table 4 on page 131 to determine which procedures you must complete, and complete them in the order indicated in the table. 132 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

145 Install the application support files on a distributed system where a portal serer is installed This step inoles installing the application support files on a Windows, Linux, or UNIX system where a portal serer is installed and where either the portal serer or a remote monitoring serer is configured to communicate with the hub monitoring serer on z/os. For base agents (distributed agents included in the purchase of IBM Tioli Monitoring) and for other distributed agents installed on a system that meets these requirements, you can skip to Copy or transfer catalog and attribute files to the monitoring serer on z/os on page 137. Follow the instructions for installing the application support files on the appropriate system: Installing application support files on Windows Installing application support files on Linux or UNIX on page 135 Installing application support files on Windows Important Following the correct order for installing application support files on Windows is essential. To determine where application support files can be found and to ensure that you install application support for your monitoring agents in the correct order, see the Locating ITM Workspace Application Support Files for z/os Agents Technote. You can find this Technote by selecting one of your OMEGAMON XE products on the Software Support website at and searching for locating application support. To install the application support files on Windows, follow this procedure: 1. Insert a CD or DVD containing the application support files into the CD-ROM drie of a Windows workstation where a portal serer is installed and where either the portal serer or a remote monitoring serer is configured to communicate with the hub monitoring serer on z/os. (See Prerequisites on page 130.) Some monitoring agents that run on z/os or z/vm are packaged with their own CD or DVD that contains the data files for adding application support to the monitoring serer. Other monitoring agents that run on z/os are packaged with a CD or DVD that contains data files for a number of agents.if in doubt, refer to the configuration guide for each of your monitoring agents to find the exact name of the CD or DVD to use. For a distributed agent installed on a computer without a portal serer or monitoring serer configured to communicate with the hub on z/os, use the product CD or DVD to install the application support files on a different workstation where a portal serer is installed and where either the portal serer or a remote monitoring serer is configured to communicate with the hub monitoring serer on z/os. For instructions, see the installation instructions in the monitoring agent library, or see IBM Tioli Monitoring: Installation and Setup Guide. Installation begins automatically. If the installer does not start, go to the Windows directory on your CD-ROM drie and run setup.exe. Ifsetup.exe initialization fails, you might not hae enough free disk space to extract the setup files. 2. Read the text that welcomes you to the installation, and click Next to continue. 3. On the Install Prerequisites window, check boxes are cleared if the required software is already installed. Otherwise, a message instructs you to install the required software. 4. Click Next to continue. 5. Read the software license agreement and click Accept. Chapter 7. Adding application support to a monitoring serer on z/os 133

146 6. On the Select Features window, expand Tioli Enterprise Portal Serer and Tioli Enterprise Portal Desktop Client (and Tioli Enterprise Monitoring Serer, if it is installed on the Windows workstation). For each component, select support for the monitoring agents you hae installed on z/os. Tip: The IBM Eclipse Help Serer component might be included in the list on the Select Features window. Howeer, this component is not selectable because it does not require application support. The rest of the instructions assume that you are installing application support on the portal serer and desktop client. 7. Click Next to continue. 8. In the Current Settings pane of the Start Copying Files window, read the list of actions to be performed, and click Next. 9. A window notifies you that you will be unable to cancel the installation after this point, and asks whether you want to continue. Click Yes to continue. Application support for the selected monitoring agents is installed on the portal serer and desktop client. This installation step can take seeral minutes. 10. On the Setup Type window, select the following items: Configure Tioli Enterprise Portal Launch Manage Tioli Monitoring Serices for additional configuration options and to start Tioli Monitoring Serices. 11. Click Next to continue. 12. On the TEPS Hostname window, make sure that the host name of the Tioli Enterprise Portal Serer is correct and does not include the domain name. Click Next. Presentation files for the Tioli Enterprise Portal are built. This process can take up to 20 minutes. 13. On the InstallShield Wizard Complete window, click Finish. 14. Use Manage Tioli Monitoring Serices to copy catalog and attribute files and to add SQL files to the monitoring serer on z/os. Follow the instructions in Transferring the catalog and attribute files from Windows on page 137 and Adding application support SQL files from Manage Tioli Monitoring Serices on Windows on page IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

147 Installing application support files on Linux or UNIX Installing application support on a Linux or UNIX system is a procedure with three iterations: Installing application support on the browser client component of the portal serer. Installing application support on the portal serer. Installing application support on the monitoring serer (if a monitoring serer is installed on the local Linux or UNIX system). Application support can be installed on only one component at a time. This procedure uses the command-line interface. For instructions on using the GUI interface or silent mode, see IBM Tioli Monitoring: Installation and Setup Guide. To install the application support files on Linux or UNIX, follow this procedure. 1. On a system where either a portal serer or a remote monitoring serer is configured to communicate with the hub monitoring serer on z/os, run the following command from the application support installation media:./install.sh The installation media can be either the agent product CD or DVD for distributed monitoring agents, or a data files CD or DVD for monitoring agents that run on z/os or z/vm. See Prerequisites on page When prompted for the IBM Tioli Monitoring home directory, press Enter to accept the default (/opt/ibm/itm) or type the full path to the installation directory you used. The installer presents a list of installation options: Select one of the following: 1) Install products to the local host. 2) Install products to depot for remote deployment (requires TEMS). 3) Install TEMS support for remote seeding 4) Exit install. Please enter a alid number: 3. Enter 1 to start the installation. The software license agreement is displayed. 4. Reiew the license agreement, and then enter 1 to accept it. 5. Select the components on which you want to install application support. Product packages are aailable for this operating system and component support categories: 1) IBM Tioli Monitoring components for this operating system 2) Tioli Enterprise Portal Browser Client support 3) Tioli Enterprise Portal Serer support 4) Tioli Enterprise Monitoring Serer support 5) Other operating systems If you hae not already installed the Tioli Management Serices components on the current operating system, enter 1. Otherwise, select one of the components for installation of application support. Only one item can be selected at a time. Tip: Tioli Enterprise Portal Browser Client support is the component of Tioli Enterprise Portal Serer that supports presentation of the Tioli Enterprise Portal for browser clients. You must install the browser client support on the computer where you installed the portal serer. 6. At the prompt for products to install, select and confirm either an indiidual monitoring agent or all of the aboe. (Although the prompts seem to indicate that the monitoring agents themseles are being installed, only the application support files for the monitoring agents are actually being installed.) The following products are aailable for installation: 1) monitoring_agent_1 Vnn.nn.nn.nn 2) monitoring_agent_2 Vnn.nn.nn.nn 3) all of the aboe Chapter 7. Adding application support to a monitoring serer on z/os 135

148 Type your selections here: 3 The following products will be installed: monitoring_agent_1 Vnn.nn.nn.nn monitoring_agent_2 Vnn.nn.nn.nn Are your selections correct [yorn;"y"isdefault ]?... installing "monitoring_agent_1 Vnn.nn.nn.nn for Linux S390 R2.6 (32 bit)"; please wait.... installing "monitoring_agent_2 Vnn.nn.nn.nn for Linux S390 R2.6 (32 bit)"; please wait. 7. Enter y at the next prompt: Do you want to install additional products or product support packages [y or n;"n"is default ]? 8. Repeat the procedure to install browser client, portal serer, and monitoring serer (if a monitoring serer is installed on the local system) support. Only one item can be installed at a time. For each item, select the same monitoring agents (products) to install. 9. When you hae selected and installed application support for all installed components, enter n at this prompt: Do you want to install additional products or product support packages [yorn;"n"isdefault ]? 10. You are prompted to add application support to all locally installed components. For example, if there is a local monitoring serer, you see a prompt similar to this one: Following Tioli Enterprise Monitoring Serer product support were installed: monitoring_agent_1 monitoring_agent_2 Note: This operation causes the monitoring serer to restart. Do you want to seed product support on the Tioli Enterprise Monitoring Serer? [ 1=Yes, 2=No ; default is "1" ] 11. Enter 1 to add application support to the local monitoring serer. The installer starts the monitoring serer, adds application support, and stops the monitoring serer; and repeats the procedure for each of the other components installed on the local system. This message indicates successful completion: All supports successfully seeded. 12. Exit the installation program. 13. Stop the portal serer and the portal client:./itmcmd agent stop cq./itmcmd agent stop cj 14. Reconfigure the portal serer with the new agent information:./itmcmd config -A cq Tip: If you already configured the portal serer after installing it, you can press Enter at each prompt to accept the preiously entered parameters. 15. Reconfigure the portal client with the new agent information:./itmcmd config -A cj 16. Restart the portal serer and the portal client:./itmcmd agent start cq./itmcmd agent start cj 17. Use Manage Tioli Monitoring Serices to copy catalog and attribute files and to add SQL files to the monitoring serer on z/os. Follow the instructions in Transferring the catalog and attribute files from Linux or UNIX on page 138 and Adding application support SQL files from Manage Tioli Monitoring Serices on Linux or UNIX on page IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

149 Copy or transfer catalog and attribute files to the monitoring serer on z/os The requirements for catalog and attribute files depend on your setup. For monitoring agents in the same CSI with a monitoring serer on z/os, catalog and attribute files are added automatically to the monitoring serer when its runtime libraries are loaded. Howeer, if you want to store long-term history data, you must still transfer catalog and attribute files to the monitoring serer on z/os for the Warehouse Proxy agent and the Summarization and Pruning agent. For a monitoring agent that is not installed in the same CSI as a z/os monitoring serer through which the agent's data flows, you must copy or transfer the agent's catalog and attribute files (KppATR and KppCAT) from the &thile.tkandatv library in the CSI where the monitoring agent is installed to the &rhile.&rte.rkandatv library for the runtime enironment in which the monitoring serer is configured. You can use IEBCOPY or FTP file transfer to put the files into the &rhile.&rte.rkandatv data set. For distributed monitoring agents reporting to a monitoring serer on z/os, you transfer catalog and attribute files to the monitoring serer on z/os from Manage Tioli Monitoring Serices on a system where a portal serer is installed and where either the portal serer or a monitoring serer is configured to communicate with the monitoring serer on z/os. If you want to store long-term history data, you transfer catalog and attribute files for the Warehouse Proxy agent and the Summarization and Pruning agent to the hub monitoring serer on z/os from Manage Tioli Monitoring Serices on a system where a portal serer is installed and where either the portal serer or a monitoring serer is configured to communicate with the monitoring serer on z/os. The required catalog and attribute files were installed on a Windows, Linux, or UNIX computer when you installed application support from the appropriate media. Follow the instructions for transferring the catalog and attribute files to a monitoring serer on z/os from a system where the portal serer is installed: Transferring the catalog and attribute files from Windows Transferring the catalog and attribute files from Linux or UNIX on page 138 Transferring the catalog and attribute files from Windows Complete this procedure to transfer the catalog and attribute files from Manage Tioli Monitoring Serices on Windows. 1. On the Windows workstation where you installed the application support data files and where the Tioli Enterprise Portal Serer is installed, select Start > Programs (or All Programs) > IBM Tioli Monitoring > Manage Tioli Monitoring Serices. 2. On the Manage Tioli Monitoring Serices window, select Actions > Adanced > Utilities > FTP Catalog and Attribute files. 3. On the FTP Catalog and Attribute Files window, select the files you want to transfer, and click OK. 4. On the FTP TEMS Data to z/os window, proide the following information: The fully qualified host name or the IP address of the monitoring serer on z/os. A alid FTP user ID and password. The fully qualified name of the &rhile.&rte.rkandatv data set (DSN). Important: When you type the data set name, make sure that it does not end with a trailing blank, or the FTP will fail. 5. After you hae completed these fields, click OK to transfer the files. Click OK again to confirm. 6. Stop and restart the monitoring serer on z/os. 7. Go on to add SQL files to the hub on z/os. Follow the instructions in Adding application support SQL files from Manage Tioli Monitoring Serices on Windows on page 139. Chapter 7. Adding application support to a monitoring serer on z/os 137

150 Transferring the catalog and attribute files from Linux or UNIX Complete this procedure to transfer the catalog and attribute files from Manage Tioli Monitoring Serices on a Linux or UNIX system where you hae already installed the Tioli Enterprise Portal Serer and the application support files. 1. To start Manage Tioli Monitoring Serices, go to the $CANDLEHOME bin directory (example: /opt/ibm/itm/bin ) on the system where you installed the application support data files, and run this command:./itmcmd manage & A GUI window opens for Manage Tioli Monitoring Serices. 2. Select Actions > FTP Catalog and Attribute files. 3. On the Select Attribute and Catalog Data for Transfer window, select the files you want to transfer, and click OK. 4. On the FTP TEMS Data to z/os window, proide the following information: The fully qualified host name or the IP address of the monitoring serer on z/os. A alid FTP user ID and password. The fully qualified name of the &rhile.&rte.rkandatv data set (DSN). Important: When you type the data set name, make sure that it does not end with a trailing blank, or the FTP will fail. 5. After you hae completed these fields, click OK to transfer the files. 6. Look for this message in the log window of Manage Tioli Monitoring Serices: Done sending files 7. Stop and restart the monitoring serer on z/os. 8. Go on to add SQL files to the hub on z/os. Follow the instructions in Adding application support SQL files from Manage Tioli Monitoring Serices on Linux or UNIX on page IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

151 Use Manage Tioli Monitoring Serices to add application support SQL files to the hub monitoring serer on z/os You can use Manage Tioli Monitoring Serices to add application support SQL files to the hub monitoring serer on z/os from any Windows, Linux, or UNIX system where a portal serer or monitoring serer has been installed and configured to communicate with the hub. For monitoring agents on z/os or z/vm, the application support files must also hae been installed from the appropriate data files CD or DVD. For most monitoring agents on z/os, the application support SQL files are required on the hub monitoring serer but not on the remote monitoring serers. Plex agents are the exception: they require SQL files on both hub and remote monitoring serers. Howeer, SQL files for the plex agents are added automatically to each remote monitoring serer on z/os when the agent is registered with the monitoring serer, so you do not hae to concern yourself with them. To add application support SQL files to a hub monitoring serer on z/os from Manage Tioli Monitoring Serices, follow the instructions for the operating system where you hae installed the files: Adding application support SQL files from Manage Tioli Monitoring Serices on Windows Adding application support SQL files from Manage Tioli Monitoring Serices on Linux or UNIX on page 140 Adding application support SQL files from Manage Tioli Monitoring Serices on Windows To add application support SQL files to the hub monitoring serer on z/os, complete this procedure. 1. Ensure that the hub monitoring serer is running. 2. On a Windows workstation where the application support files are installed, select Start > Programs (or All Programs) > IBM Tioli Monitoring > Manage Tioli Monitoring Serices. 3. On the Manage Tioli Monitoring Serices window, select Actions > Adanced > Add TEMS application support. 4. On the Add Application Support to the TEMS window, select On a different computer and click OK. 5. When you are prompted to ensure that the hub monitoring serer is configured and running, click OK. 6. On the Non-Resident TEMS Connection window, proide the hub monitoring serer TEMS name (node ID), specify that it is a hub, select the communication protocol to use in sending the application support SQL files to the hub, and proide any alues required by the selected communication protocol. Then click OK to continue. If you made a note of the TEMS name you specified when you defined the runtime enironment, find it now. Otherwise, you can find the TEMS name as the case-sensitie alue of the CMS_NODEID enironment ariable in this location: &rhile.&rte.rkanparu(kdsenv) 7. On the next panel, select the products for which you want to add application support. (If you want to collect historical data, be sure to select the Warehouse Proxy and Summarization and Pruning agents, in addition to any monitoring agents you hae purchased.) Then specify whether you want to add the default managed system groups to situations when you process the application support files: All Add the default managed system groups to all applicable situations. None New Tip: Make this selection if you hae neer customized situations from preious releases. Do not add the default managed system groups to any situation. Tip: Make this selection if you do not want any predefined managed system groups to be applied to your enironment. Add the default managed system groups to all situations from the application support packages Chapter 7. Adding application support to a monitoring serer on z/os 139

152 being installed for the first time. Modifications are not made to managed system groups in preiously upgraded application support packages. Tip: Make this selection if you hae customized situations from preious releases and you want to protect your customized settings, but you want to apply the predefined managed system groups to new situations. Make a selection and click OK. The SQL application support files are added to the hub monitoring serer. This process might take seeral minutes, depending on the number of products. Tip: Not all situations support the default managed group setting. You might hae to define the distribution of some situations later from the Tioli Enterprise Portal. For more information about managed system groups, see the IBM Tioli Monitoring: Tioli Enterprise Portal User's Guide. 8. The Application Support Addition Complete window gies you information about the status and location of the SQL application support files. A return code of 0 (rc=0) indicates that the process succeeded. Click Sae As if you want to sae the information in a text file. Click Close to close the window. If the Application Support Addition Complete window is not displayed after 20 minutes, look in the IBM\ITM\CNPS\Logs\NonResSeedkpp.log files (where pp is the 2-character code for each monitoring agent) for diagnostic messages that help you determine the cause of the problem. See the IBM Tioli Monitoring: Messages and IBM Tioli Monitoring: Troubleshooting Guide for information about messages and abnormal return codes. 9. Stop and restart the hub monitoring serer. Adding application support SQL files from Manage Tioli Monitoring Serices on Linux or UNIX To add application support SQL files to the hub monitoring serer on z/os, complete this procedure. 1. Enable the GUI interface. Your Linux or UNIX enironment might already hae a GUI interface enabled. Otherwise, perform the following tasks to enable it: a. Enable X11. b. Make sure you hae access to a natie X-term monitor or an X Window System emulator. c. If using an X Window System emulator, enable X11 access to the X Window System serer (command example: xhost +). d. If using an X Window System emulator, set the display enironment ariable to point to the X Window System serer: export DISPLAY=pc_ip_address:0 2. Ensure that the hub monitoring serer on z/os is running. 3. To start Manage Tioli Monitoring Serices, go to the $CANDLEHOME bin directory (example: /opt/ibm/itm/bin ) on the system where you installed the application support data files, and run this command:./itmcmd manage & A GUI window opens for Manage Tioli Monitoring Serices. 4. Select Actions > Install product support. 5. On the Add Application Support to the TEMS window, select On a different computer and click OK. 6. When you are prompted to ensure that the hub monitoring serer is configured and running, click OK. 7. On the Non-Resident TEMS Connection window, proide the hub monitoring serer TEMS name (node ID), specify that it is a hub, select the communication protocol to use in sending the application support SQL files to the hub, and proide any alues required by the selected communication protocol. Then click OK to continue. 140 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

153 If you made a note of the TEMS name you specified when you defined the runtime enironment, find it now. Otherwise, you can find the TEMS name as the case-sensitie alue of the CMS_NODEID enironment ariable in this location: &rhile.&rte.rkanparu(kdsenv) 8. On the next panel, select the products for which you want to add application support. (If you want to collect historical data, be sure to select the Warehouse Proxy and Summarization and Pruning agents, in addition to any monitoring agents you hae purchased.) Then specify whether you want to add the default managed system groups to situations when you process the application support files: All Add the default managed system groups to all applicable situations. None New Tip: Make this selection if you hae neer customized situations from preious releases. Do not add the default managed system groups to any situation. Tip: Make this selection if you do not want any predefined managed system groups to be applied to your enironment. Add the default managed system groups to all situations from the application support packages being installed for the first time. Modifications are not made to managed system groups in preiously upgraded application support packages. Tip: Make this selection if you hae customized situations from preious releases and you want to protect your customized settings, but you want to apply the predefined managed system groups to new situations. Make a selection and click OK. The SQL application support files are added to the hub monitoring serer. This process might take seeral minutes, depending on the number of products. Tip: Not all situations support the default managed group setting. You might hae to define the distribution of some situations later from the Tioli Enterprise Portal. For more information about managed system groups, see the IBM Tioli Monitoring: Tioli Enterprise Portal User's Guide. 9. In Manage Tioli Monitoring Serices, look for this message: Remote seeding complete! 10. Stop and restart the hub monitoring serer. Chapter 7. Adding application support to a monitoring serer on z/os 141

154 142 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

155 Chapter 8. Configuring security on a monitoring serer on z/os Access to the Tioli Enterprise Portal is controlled by user IDs defined to the Tioli Enterprise Portal Serer. If security erification is enabled on the hub Tioli Enterprise Monitoring Serer, passwords are also required. How security erification is controlled depends upon the operating system on which the hub is installed. A hub monitoring serer running on z/os alidates user IDs and passwords using either the product-proided security feature, Network Access Method (NAM), or one of seeral system authorization facility (SAF) products. Lightweight Directory Access Protocol (LDAP) authentication is not supported for hub monitoring serers on z/os systems. The monitoring serer supports secure password encryption through the Integrated Cryptographic Serice Facility (ICSF). The ICSF proides a robust encryption and decryption scheme for stored passwords and is the preferred method of password encryption. (If you do not use ICSF, the monitoring serer uses a less secure encryption method.) ICSF uses symmetric secret keys for encrypting and decrypting data. For instructions on setting the password encryption key on a z/os monitor serer with the PARMGEN method, see the comments in the KCIJVSEC (if system ariables are enabled) or KCIJPSEC (if system ariables are not enabled) member of the &rhile.&rte.wkansamu library; for Configuration Tool (ICAT) instructions, see Specify configuration alues on page 40. In addition to alidating user IDs and passwords, a z/os monitoring serer can be configured to redirect Take Action commands to IBM Tioli NetView for z/os for authorization and execution. NetView uses the Tioli Enterprise Portal user ID to check command authorization. If the user ID is authorized, the command is issued and the response is logged in the NetView log. This chapter proides instructions for the following security configuration tasks: Enabling security alidation on a z/os hub Resetting the password encryption key on page 147 Configuring NetView authorization of z/os commands on page 149 For information on setting up security on a hub on a distributed system, see IBM Tioli Monitoring: Installation and Setup Guide. Some monitoring agents might require additional security configuration; see the configuration documentation for the monitoring agent. Enabling security alidation on a z/os hub If security alidation is enabled on a z/os hub monitoring serer, Tioli Enterprise Portal user IDs and alid passwords must be defined to the security system used by the Tioli Enterprise Monitoring Serer. A hub Tioli Enterprise Monitoring Serer running on z/os alidates user IDs and passwords using either the product-proided security feature, Network Access Method (NAM), or one of the following system authorization facility products: RACF CA-ACF2 CA-TOP SECRET (PARMGEN method only) SAF, which proides a generic API to interface to z/os security software Before you enable security, your security administrator must define to the selected security system each logon ID that will be allowed to access the Tioli Enterprise Portal Serer, and the Tioli Enterprise Portal Copyright IBM Corp. 2005,

156 administrator must create user accounts for those IDs. You do not hae to define and authorize additional user IDs before you enable security, but you must define and authorize one administratie ID such as the sysadmin user ID. Tip To create additional user IDs after security alidation is enabled, use one of the following methods: Create a new Tioli Enterprise Portal user whose user ID matches a new or existing user defined to the security program. This is the preferred method. Define a Tioli Enterprise Portal user ID to the security program. Follow these steps to enable security on the hub Tioli Enterprise Monitoring Serer: 1. If you hae not already done so, define the security system to be used. For more information about the security-related parameters, see IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Parameter Reference. PARMGEN method: a. In the configuration profile of the runtime enironment that contains the hub monitoring serer, set the alue of the RTE_SECURITY_USER_LOGON parameter to specify the security system to be used for the runtime enironment: RACF, ACF2, TSS, SAF, NAM, ornone. b. If you specified ACF2, proide the name of the ACF2 macro library as the alue of the GBL_DSN_ACF2_MACLIB parameter. Configuration Tool (ICAT) method: a. On the Runtime Enironments (RTEs) panel (Figure 6 on page 34), enter U (Update) in the Action field beside the name of the runtime enironment where the hub monitoring serer is configured. b. On the Update Runtime Enironment panel, specify the security system you want to use, and press Enter. This example specifies RACF: Security system ==> RACF (RACF, ACF2, TSS, NAM, None) If you select ACF2, you must also specify the ACF2 macro library in the next field. 2. Enable security alidation on the hub. PARMGEN method: a. In the configuration profile, set the alue of the KDS_TEMS_SECURITY_KDS_VALIDATE parameter to Y. b. Uncomment the KDS_TEMS_SECURITY_KAES256_ENCKEY parameter, and either accept the IBM-supplied default alue "IBMTioliMonitoringEncryptionKey" or specify a unique 32-byte password encryption key. The alue is case-sensitie, and the same key must be used for all components that communicate with the hub. Tip:: The encryption key is shown in plain text in the configuration profile, so that the alue can used as input to create the KAES256 encryption key file. For this reason, ensure that the &rhile.&rte.wconfig library is secured. c. Run either the KCIJVSEC (if system ariables are enabled) or KCIJPSEC (if system ariables are not enabled) job in the &rhile.&rte.wkansamu library to create the security-related members of the runtime libraries. Alternatiely, you can run the either the KCIJVSUB or KCIJPSUB composite job, which creates all the runtime members. d. When enabling ICSF password encryption, you must set the GBL_DSN_CSF_SCSFMOD0 parameter. This can be found in either the WCONFIG($GBL$USR) if this is not an ICAT-to-PARMGEN conersion, or in the WCONFIG(%RTE_NAME%) LPAR profile if this is an ICAT-to-PARMGEN conersion: 144 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

157 ISREDDE2 TSTEST.CCAPI.TESTSYSB.WCONFIG($GBL$USR) Columns Command ===> Scroll ===> CSR ** GBL_DSN_CSF_* ICSF system libraries: ** Note: This is required if you are enabling the ITM Password ** Encryption (KAES256) across the ITM enterprise: ** This library is concatenated in the TEMS STC s STEPLIB DD: ** Related PARMGEN CONFIG profile parameters: ** - KDS_TEMS_SECURITY_KAES256_ENCKEY GBL_DSN_CSF_SCSFMOD0 "CSF.SCSFMOD0" Configuration Tool (ICAT) method: a. On the Product Component Selection menu (Figure 28 on page 64), enter 1 to select Tioli Enterprise Monitoring Serer. b. On the Configure the TEMS panel (Figure 10 on page 40), select option 2 (Specify configuration alues). c. On the Specify Configuration Values panel (Figure 11 on page 41), specify Y in the Security alidation? field: Security alidation? ==> Y (Y, N) d. Press Enter to return to the Configure the TEMS panel. Important: Do not enable security alidation until your security is set up. e. On the Configure the TEMS panel, select option 5 (Create runtime members) to open JCL that you can reiew, edit, and submit. Check to make sure the return code is zero. f. After the job completes, press F3 (Back) repeatedly to exit the Configuration Tool. 3. Implement security, following the instructions in the appropriate section: Implementing security with RACF Implementing CA-ACF2 security Implementing security with CA-TOP SECRET on page Verify that the user account you created can log on to the Tioli Enterprise Portal. Implementing security with RACF To implement RACF security after enabling security alidation, recycle the monitoring serer: 1. If your Tioli Enterprise Monitoring Serer is running, stop it by entering: P cccccccc where cccccccc is the name of your monitoring serer started task. 2. If your site has a large numbers of users, you might hae to increase the alue assigned to the RESERVE parameter of member KDSSYSIN in the &rhile.&rte.rkanparu library. 3. Restart your Tioli Enterprise Monitoring Serer by entering: S cccccccc where cccccccc is the name of your Tioli Enterprise Monitoring Serer started task. Implementing CA-ACF2 security Follow these steps to install an exit for CA-AF2 security alidation. 1. If your Tioli Enterprise Monitoring Serer is running, stop it by entering: P cccccccc where cccccccc is the name of your Tioli Enterprise Monitoring Serer started task. 2. Follow the instructions in KLVA2NEV to assemble and link KLVA2NEV. Change the -RHILEV- and -THILEV- ariables as directed. Member KLVA2NEV in &thile.tkansam is the product-supplied interface to CA-ACF2. The product-supplied member KLV@ASM, in &rhile.&rte.rkansamu, contains sample assembly JCL. This gets assembled into the runtime enironment-specific &rhile.&rte.rkanmodu data set. Chapter 8. Configuring security on a monitoring serer on z/os 145

158 3. Define the Tioli Enterprise Monitoring Serer started task as a MUSASS to CA-ACF2: a. Log on to TSO. At the READY prompt, type ACF and press Enter. b. At the ACF prompt, type SET LID and press Enter. c. At the LID prompt, type CH cccccccc MUSASS where cccccccc is the name of the Tioli Enterprise Monitoring Serer started task. Press Enter. d. At the LID prompt, type END and press Enter. If your site has large numbers of users, you might hae to increase the alue assigned to the RESERVE parameter of member KDSSYSIN in the &rhile.&rte.rkanparu library. 4. Restart your Tioli Enterprise Monitoring Serer by entering: S cccccccc where cccccccc is the name of your Tioli Enterprise Monitoring Serer started task. Implementing security with CA-TOP SECRET Follow these steps to implement CA-TOP SECRET security. 1. If your Tioli Enterprise Monitoring Serer is running, stop it by entering: P cccccccc where cccccccc is the name of the monitoring serer started task. 2. Define the monitoring serer as a started task in the STC record and relate it to a master facility accessor identifier. For example: TSS ADD(STC) PROC(cccccccc) ACID(master_facility_acid) where cccccccc is the name of your monitoring serer started task. The alue for master_facility_acid can be the same as cccccccc. 3. Define the name of your Tioli Enterprise Monitoring Serer started task as a FACILITY in the CA-TOP SECRET Facility Matrix Table. Set the SIGN parameter as SIGN(M) and set MODE to MODE=FAIL. Make sure the name of your Tioli Enterprise Monitoring Serer started task and the FACILITY name match. Example: This example shows FACILITY statements for a site that uses CA-TOP SECRET. Some statements might not be releant to your site or might require modification to fit the standards and configuration of your site. FACILITY(USER3=NAME=task) FACILITY(task=MODE=FAIL,ACTIVE,SHRPRF) FACILITY(task=PGM=KLV,NOASUBM,NOABEND,NOXDEF) FACILITY(task=ID=3,MULTIUSER,RES,WARNPW,SIGN(M)) FACILITY(task=NOINSTDATA,NORNDPW,AUTHINIT,NOPROMPT,NOAUDIT,NOMRO) FACILITY(task=NOTSOC,LOG(INIT,SMF,MSG,SEC9)) 4. Restart your Tioli Enterprise Monitoring Serer by entering: S cccccccc where cccccccc is the name of your Tioli Enterprise Monitoring Serer started task. Implementing security with Network Access Method (NAM) As an alternatie to third-party security packages, you can use the product-proided security feature NAM (Network Access Method) to secure your Tioli Enterprise Monitoring Serer. Howeer, be aware that this is a less secure method than using one of the three security packages. NAM user IDs are 1 to 8 characters in length and are not case-sensitie. You can enable NAM from the system console, using the MVS MODIFY command. Instructions are gien in the following sections. 146 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

159 Adding users to NAM Follow these steps to add users to NAM from the z/os system console. 1. Access the z/os system console. 2. Define a password for each user who will access the Tioli Enterprise Portal: F cccccccc,nam SET userid PASSWORD=password where cccccccc is the name of your Tioli Enterprise Monitoring Serer started task, userid is the user ID, and password is the NAM password you want to define for that user Adding a userid password file to NAM If you are defining passwords for a large number of users, you might want to use the following procedure to set up a file containing all your NAM SET statements and execute the file once to define all passwords. 1. Access &rhile.&rte.rkancmdu and create member userids. 2. Edit userids, and populate it with a NAM SET command for each user who will access your Tioli Enterprise Monitoring Serer. Example: NAM SET userid1 PASSWORD=password1 NAM SET userid2 PASSWORD=password2 NAM SET userid3 PASSWORD=password3 Note: Make sure there is sufficient security on the &rhile.&rte.rkancmdu library, as it now contains sensitie information. 3. To execute member userids, enter this command from the z/os system console: F cccccccc,userids where cccccccc is the name of your Tioli Enterprise Monitoring Serer started task. Changing the security system specification When you create the runtime members for the hub Tioli Enterprise Monitoring Serer, appropriate parameters are generated for the security system that you selected. If you must conert to another security system, change the security system specification in the PARMGEN configuration profile or on the Configuration Tool Update Runtime Enironment panel. For the change to take effect, you must recreate the runtime members for the monitoring serer before you recycle the monitoring serer started task. Resetting the password encryption key The Integrated Cryptographic Serices Facility (ICSF) uses a symmetric key to encrypt and decrypt data. The key is known as symmetric because the same key is used to transform plain text to cipher text (encryption) as is used to transform cipher text back to plain text (decryption). When you run the DS#3ssss job (generated by the Create Runtime Members option on the Configure the TEMS panel), the Configuration Tool takes the alue you entered for the key, creates a key file named KAES256 in &rhile.&rte.rkanparu and loads the encrypted key into it. Chapter 8. Configuring security on a monitoring serer on z/os 147

160 Tip Ensure that the KAES256 step of the DS#3ssss job ends successfully. Errors of the following types typically indicate that ICSF is not configured correctly in your system: Cannot encrypt text: call to CSNBSYE failed Cannot encrypt contents of keyfile Function failed with error code 26 If you receie those messages, work with your security specialist to resole the ICSF problem, and then rerun only the KAES256 step of the DS#3ssss job. (If you rerun the entire job, the KAES256 step is omitted for security reasons.) The same key must be used on all Tioli Management Serices components in your enterprise. For example, the encryption key you set for the Tioli Enterprise Portal must be the same alue you specify for the encryption key for the hub monitoring serer, and the key you set for each of the remote monitoring serers that connect to the hub must also hae the same alue. If you reset the key for one component, you must reset it for all of them. In the Configuration Tool, the encryption key alue is not displayed if you return to the Specify Configuration Values panel after you finish configuring the monitoring serer. If you reconfigure the monitoring serer by changing other parameter alues on the configuration panels, the resulting DS#3ssss job does not create a key file. If you must change the encryption key alue after initial configuration with the Configuration Tool, type the PWD command on the command line of the Specify Configuration Values panel, and then answer Y to the prompt "Do you want to disable ICSF encryption or reset the key?". You can then re-enable encryption and specify a different key. After doing so, you must recreate the runtime members ( Create the runtime members on page 61) and reload the runtime libraries ( Step 3. Load the runtime libraries on page 98). For batch mode processing, the encryption key alue is stored in a batch parameter called KDS_CMS_SEC_ENC_KEY. The encryption key must be displayed in plain text in the batch parameter member, so that the alue can used as input to create the KAES256 encryption key file. For this reason, ensure that the &shile.instjobs or whateer library the parameter member is stored in is secured. In the batch parameter member, the alue for the encryption key parameter (KDS_CMS_SEC_ENC_KEY) must be enclosed in quotation marks. If you must use a single quotation mark (') as part of the key alue, enclose the 32-byte encryption key string in double quotation marks ("") and ice-ersa: if you must use a double quotation mark (") as part of the key alue, enclose the string in single quotation marks ('). If you must use both the single quotation mark and the double quotation mark as part of the key alue, use the interactie mode of the Configuration Tool instead. The encryption key has the following characteristics: The key must be 32 bytes in length. The key is case-sensitie. The key cannot contain an ampersand (&) alue. If you change the encryption key on any component, you must change the key to the same alue on all components that connect to the same hub. 148 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

161 PARMGEN method 1. Set the KDS_TEMS_SECURITY_KAES256_ENCKEY parameter to the new alue of choice: ISREDDE2 TSTEST.CCAPI.TESTSYSB.WCONFIG(TESTSYSB) Command ===> Scroll ===> CSR ** TEMS security settings: KAES256 encryption key ** Note: This is required if you are enabling the ITM Password ** Encryption (KAES256) across the ITM enterprise: ** The "KDS_TEMS_SECURITY_KAES256_ENCKEY" alue is encrypted ** and xkanparu(kaes256) member is created as part of the ** xkansamu(kcijpsec) composite security job ** Related PARMGEN CONFIG profile parameter: ** - GBL_DSN_CSF_SCSFMOD0 (DSN alue is concatenated in the ** TEMS STC s STEPLIB DD) KDS_TEMS_SECURITY_KAES256_ENCKEY "IBMTioliMonitoringEncryptionKey" 2. Edit WCONFIG($PARSEPR) from the PARMGEN Workflow Menu option "7. $PARSE" > option "3. $PARSEPR IKANPARU/WKANPARU $PARSE job". Specify "SELECT MEMBER=(KAES256,K??ENV)" only instead of recreating all the runtime members from IKANPARU to WKANPARU. 3. Edit WCONFIG($PARSESM) from the PARMGEN Workflow Menu option "7. $PARSE" > option "4. $PARSESM IKANSAMU/WKANSAMU $PARSE job". Specify "SELECT MEMBER=(KDSDKAES,KCIJPSEC)" only instead of recreating all the runtime members from IKANSAMU to WKANSAMU. Note: Instead of steps 2 and 3 aboe, you also hae the option of rerunning the $PARSE composite job or (if the runtime enironment is enabled for system ariables) the $PARSESV composite job. In either case, the file-tailoring job recreates the following members: WKANSAMU(KDSDKAES) Stand-alone Tioli Management Serices on z/os password encryption job, if you want a sample job that you can edit manually. WKANSAMU(KCIJPSEC) Composite security job's KAES256 step, if you want a file-tailored job. WKANSAMU(CANSDSST) Monitoring serer started task to concatenate the ICSF load library in the STEPLIB DDNAME. CANSDSST is the IBM-supplied default; set the alue to whateer you specified for the KDS_TEMS_STC parameter. WKANSAMU(KDSDKAES) or WKANSAMU(KCIJPSEC) Creates the encryption key member. WKANPARU(KAES256) or WKANSAMU(KCISYPJB) Run either WKANPARU(KAES256), the stand-alone started task procedure copy job, or WKANSAMU(KCIJPSYS), the composite system copy job that copies the modified monitoring serer started task to the system procedure library. 4. Resubmit the WKANSAMU(KDSDKAES) job to refresh the RKANPARU(KAES256) member. 5. Adjust the Tioli Enterprise Portal Serer to also use the same password encryption key (the same key must be used across your enterprise). 6. Recycle the Tioli Enterprise Monitoring Serer started task. Configuring NetView authorization of z/os commands System commands issued from the Tioli Enterprise Portal using Take Action commands, whether issued by a user or triggered by situations or policies, run without any authorization or audit trail. Howeer, you can configure a monitoring serer or monitoring agent address space to redirect z/os Take Action commands to NetView through the Program to Program Interface (PPI). Take Action commands issued in Chapter 8. Configuring security on a monitoring serer on z/os 149

162 NetView make full System Authorization Facility (SAF) calls for authorization. NetView uses the Tioli Enterprise Portal user ID to determine the NetView operator on which the command authorization is performed. If command authorization passes, the command is executed on the NetView operator. Messages are written to the NetView log to proide an audit trail of the commands and the users that issued them. If you enable NetView command authorization on the monitoring serer, you must also enable NetView to execute the commands. Command authorization for the system commands uses the Tioli Enterprise Portal user ID, which is passed to the NetView program with the command. The user ID passed on a Take Action command determines the user ID that issues the command. The user ID passed when a command is drien from a situation is the user ID that last edited the situation. Only the user ID is used for command authorization. Password alidation is not performed. Take Action forwarding requires NetView on z/os, V5.3 (or V5.2 with APAR OA18449 applied). To set up NetView of Take Action commands, complete the following steps: 1. Configure the monitoring serer to forward Take Action commands. 2. Add the NetView CNMLINK data set to the Tioli Enterprise Monitoring Serer started task on page Enable NetView to authorize Take Action commands on page 152 Note: Some agents proide their own Take Action commands, known as agent commands. Agent commands hae a 2-character prefix, such as pp: (where pp is the product code). These commands are not sent to the NetView program for command authorization and execution. An example of an agent that proides agent commands is IBM Tioli OMEGAMON XE for Messaging on z/os. Configure the monitoring serer to forward Take Action commands To configure Take Action command forwarding, set the parameters as shown. PARMGEN method: In the configuration file for the runtime enironment, uncomment the KDS_PPI_RECEIVER and KDS_PPI_SENDER parameters, and either accept the default alues or specify your own alues. Configuration Tool (ICAT) method: On the Specify Configuration Values panel (Figure 11 on page 41), complete the Program to Program Interface (PPI) information section as follows: Forward Take Action commands to NetView for z/os Specify Y if you want the Tioli Enterprise Monitoring Serer to forward z/os console commands issued as Take Action commands to NetView for authorization and execution. The default alue is N. NetView PPI receier Specify the name of the PPI receier on NetView that will receie Take Action commands. This name must match the receier name that is specified on the NetView APSERV command. (The default name is CNMPCMDR.) If the specified name is incorrect or the receier is not actie on NetView for z/os, default command routing to the z/os console is performed. The Configuration Tool generates the KGLHC_PPI_RECEIVER enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. The alue must be a 1- through 8-character unique identifier for the receier program. It can contain alphabetic characters A-Z or a-z, numeric characters 0-9, and the following special characters: dollar sign ('$'), percent sign ('%'), ampersand ('&'), at sign ('@'), and number sign ('#'). This alue must match the alue specified in the NetView DSIPARM initialization member, CNMSTYLE (see Enable NetView to authorize Take Action commands on page 152). If a alue is specified for this parameter and either the specified name is incorrect or the receier is not actie on NetView for z/os, the command fails. If no alue is specified, default command routing to the z/os console is performed. 150 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

163 TEMS PPI sender Optionally, specify the optional name of the PPI sender. The alue must be a 1- through 8-character unique identifier for the receier program. It can contain alphabetic characters A-Z or a-z, numeric characters 0-9, and the following special characters: dollar sign ('$'), percent sign ('%'), ampersand ('&'), at sign ('@'), and number sign ('#'). This name must not conflict with any NetView for z/os domain name, as it is used in logging the command and command response in the NetView log. If a alue is specified on this field, the Configuration Tool generates the KGLHC_PPI_SENDER enironment ariable in the KDSENV member of the &rhile.&rte.rkanparu library. If you do not specify a alue in this field, the default is the job name of the Tioli Enterprise Monitoring Serer that is the source of the command. Add the NetView CNMLINK data set to the Tioli Enterprise Monitoring Serer started task To connect to NetView, the Tioli Enterprise Monitoring Serer must reference the NetView CNMLINK data set. Concatenate the NetView CNMLINK data set to the RKANMODL statement in the monitoring serer started task. Note to PARMGEN users: In ICAT, this process is a manual step; howeer, with PARMGEN, this is not a post-configuration step. Shown below is the parameter in WCONFIG($GBL$USR) profile that PARMGEN users must customize. This will automatically generate the monitoring serer and agent started tasks with the CNMLINK library concatenated to the RKANMODL DD, proided the PPI parameters are also specified. ISREDDE2 TSTEST.CCAPI.TESTSYSB.WCONFIG($GBL$USR) Columns Command ===> Scroll ===> CSR ** GBL_DSN_NETVIEW_* NetView system libraries: ** Note: This is required if you are enabling the ITM Forward ** Take Action commands to NetView for z/os ** Related PARMGEN CONFIG profile parameters: ** - *_PPI_RECEIVER and *_PPI_SENDER ** This library is concatenated in the TEMS and Agent STCs ** RKANMODL DD: GBL_DSN_NETVIEW_CNMLINK "NETVIEW.VNRNMN.CNMLINK" To proide the location, uncomment the CNMLINK DD card in the started task and specify the NetView CNMLINK data set. For example: //RKANMODL DD DISP=SHR, // DSN= &RHILEV.&SYS.RKANMODU // DD DISP=SHR, // DSN= &RHILEV.&SYS.RKANMODUL // DD DISP=SHR, // DSN= &RHILEV.&SYS.RKANMOD //****************************************************************** //* RKANMODL DD: CNMLINK //****************************************************************** //* Uncomment this DD card and specify the location of the CNMLINK //* load module for NetView for z/os. This library is required for the //* "Forward Take Action commands to NetView for z/os" support which //* is enabled for this Agent. The CNMLINK library must also be //* APF-authorized // DD DISP=SHR, // DSN=NETVIEW.V5R3M0.CNMLINK Figure 41. CNMLINK DD statement in the Tioli Enterprise Monitoring Serer started task Contact your NetView for z/os system programmer for the data set name, if necessary. The default NetView 5.3 CNMLINK data set is NETVIEW.V5R3M0.CNMLINK. Chapter 8. Configuring security on a monitoring serer on z/os 151

164 The CNMLINK library must be APF-authorized. Enable NetView to authorize Take Action commands In addition to configuring Tioli Enterprise Monitoring Serer address spaces to forward z/os Take Action commands to NetView, you must also enable NetView to receie and execute the commands. NetView does command authorization as part of the execution. To enable execution of forwarded commands, complete the following steps: 1. Define Tioli Enterprise Portal user IDs to NetView. To define a user ID to NetView, perform one or more of the following actions: Create a new Tioli Enterprise Portal user ID that matches a new or existing NetView operator ID. Define an existing Tioli Enterprise Portal user ID as a NetView operator ID. Map the TEP user ID to a alid NetView operator ID by using the NACMD.OPID.TEPLogonid CNMSTYLE statement. See Chapter 2, "CNMSTYLE Initialization Statements" in Tioli NetView for z/os Administration Reference for more information on the NACMD.OPID statement. For information on defining user IDs, see the section "Defining Tioli Enterprise Portal User IDs" in the Tioli NetView for z/os Security Reference. You can find the NetView for z/os publications at tiihelp/3r1/index.jsp?toc=/com.ibm.itnetiewforzos.doc/toc.xml. 2. Perform one of the following actions: Define the NetView PPI receier in the NetView DSIPARM member CNMSTYLE (see Figure 40 on page 122). Follow the instructions in the member. The PPI receier for APSERV will be started during NetView initialization. If you do not customize CNMSTYLE to define the receier, start the NetView PPI receier manually by issuing the APSERV command. The APSERV command is a command serer that runs on a NetView autotask or on a irtual OST (VOST). APSERV accepts commands or messages from APF authorized programs only. The APSERV command must be running, whether started during NetView initialization or manually, to receie the system commands from the TEMS and agent. Refer to the NetView online help or to the Tioli NetView for z/os Application Programmers Guide for more information on the APSERV command. 3. Verify that the NetView for z/os Subsystem Address Space is actie with the PPI enabled. The PPI is enabled by specifying the PPIOPT keyword in sample procedure CNMSJ010 (CNMPSSI), located in the NetView CNMSAMP data set. ************************************************************************ * Tioli Management Serices infrastructure serer * * * * Uncomment the following (and, optionally, supply preferred OPID) to * * initialize support for commands and messages from Tioli Management * * Serices infrastructure and/or other APF authorized clients. See * * command help for APSERV for information about the function and * * clients depending on it. * * * ************************************************************************ function.autotask.apserv = AUTOTMSI * AUTOTASK.?APSERV.Console = *NONE* // AUTOTASK.?APSERV.InitCmd = APSERV CNMPCMDR Figure 42. CNMSTYLE member after editing 152 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

165 Notes: 1. If a NetView operator ID exists that matches a Tioli Enterprise Portal user ID, the command will be executed on the existing NetView operator ID, if appropriate command authorization exists. 2. Be careful about mapping a Tioli Enterprise Portal user ID to a NetView operator ID that is used to log on to a 3270 terminal. The Take Action command might be run on an actie NetView operator with unwanted results. Mapping Tioli Enterprise Portal user IDs to NetView autotasks is preferable. Verifying the configuration Complete the following steps to erify the configuration. 1. If you defined new NetView operator IDs, refresh NetView operator ID definitions. 2. If you did not complete Step 2 under Enable NetView to authorize Take Action commands on page 152, issue the APSERV command on a NetView autotask or VOST. This step must be completed before monitoring serer and agent system commands can successfully be sent to the NetView program. If you completed Step 2 under Enable NetView to authorize Take Action commands on page 152, recycle NetView to start APSERV during NetView initialization. 3. Restart the monitoring serer and agents. 4. Using a Tioli Enterprise Portal client, complete one of the following steps: Issue an existing Take Action command. Create a new Take Action command and issue it. If the command executes successfully, you will see messages in the NetView log. For example: If your Take Action command is D T, you will see messages similar to the following: AUTOTMSI IBMUSER 13:34:21 BNH806I TAKE ACTION COMMAND MVS D T ( ) RECEIVED FOR TASK SYSADMIN SYSADMIN CANSN3 13:34:21 * MVS D T SYSADMIN NTVAF 13:34:21 E IEE136I LOCAL: TIME= DATE= GMT: TIME= DATE= Troubleshooting tips If you encounter problems using the security solution, use the following information to troubleshoot: Reiew your monitoring serer or agent RKLVLOG and NetView log for error messages. If you see either of the following symptoms, the NetView CNMLINK data set has not been concatenated as part of the monitoring serer or monitoring agent RKANMODL DD statement in the startup procedure: A return code of 17 in the Action Status pop-up window after a Take Action command is issued A message in the RKLVLOG stating NetView interface module unaailable: CNMCNETV If you see any of the following symptoms, the NetView APSERV command is not running: A message in RKLVLOG, stating NetView PPI send buffer rejected: 26 A return code of 9 in the Action Status pop-up window after a Take Action command is issued Message KRAIRA002 in RKLVLOG, similar to "KRAIRA002, Executed <DA,L> with status 9, Producer(Automation Command) If you see NetView PPI send buffer rejected: 24 in the RKLVLOG, the NetView for z/os Subsystem Interface is not actie. If you see NetView PPI send buffer rejected: 28 in the RKLVLOG, the Program-to-Program Interface has not been enabled. Chapter 8. Configuring security on a monitoring serer on z/os 153

166 Enable RACF authorization of Take Action commands As of fix pack 1 for IBM Tioli Monitoring Version 6.2.3, all z/os Take Action commands issued by the OMEGAMON XE agents, plus any other agents based on the Tioli Management Serices framework that run on z/os, can now be associated with the Tioli Enterprise Portal userid instead of the userid of the started task running the agent; this allows you to authorize the use of Take Action commands by indiidual portal serer users while restricting it from others. You can secure these userids (or the RACF groups they are in) ia standard security objects proided by your site's security product; for RACF, these are the OPERCMDS facility class and its profiles. Note: This enhancement does not alter the existing behaior of: Prefix-style Take Action commands such as those issued by OMEGAMON XE for CICS and prefixed with CP:. These are still secured by the agent-specific security profiles set up for that purpose. Commands already protected by the OMEGAMON NetView Take Action command security facility. Commands issued by either the OMEGAMON classic interfaces or the OMEGAMON CUA interfaces and coered by their command security. As initially installed, z/os Take Action commands are associated with the userid of the agent started task (the preious behaior). To take adantage of the new security behaior for all agents in a particular runtime enironment, create a new member called KGLUMAP in your RKANPARU data set, and add to it at least a one-line comment such as the following: * z/os Take Action commands now secured This turns on the new security feature so that all z/os Take Action commands issued by all agents in this runtime enironment will be associated with the Tioli Enterprise Portal userid instead of the started task userid. To reert to the old behaior of using the userid of the started task as the issuer of the z/os commands for a particular agent (while retaining the new behaior for other agents), place this line in the appropriate KxxENV member in RKANPARU, where xx is the two-character agent identifier: KGL_COMMAND_AUTHOR_SECURITY_REQUIRED=N All successful and failed command executions create entries in the console log. The agent also creates audit records for all automation command actions. On z/os, these audit records are written to the SMF audit repository (as described in Whether to enable the auditing function on page 17). Before actiating this feature, you also must ensure that eery Tioli Enterprise Portal userid (and the RACF groups that contain it) that either manually inokes Take Action commands or indirectly inokes them ia situations or policies are connected to the appropriate RACF OPERCMDS profiles. Otherwise, RACF may fail some of your z/os Take Action commands. 1. The user ID that last updated an enterprise situation or a policy is the user ID that gets authenticated for the Take Action command associated with the situation or policy. 2. The user ID defined in the <LSTUSRPRF> segment for a priate situation is the user ID that gets authenticated for the Take Action command associated with the situation. If the segment is not defined, the default user ID is AGENTCFG. If your Tioli Enterprise Portal userids aren't currently set up in RACF (for example, if you're using distributed LDAP to authenticate your site's Tioli Enterprise Portal userids), you must either: Add your Tioli Enterprise Portal userids to RACF, and connect them to the appropriate OPERCMDS profiles. Use the userid mapping capability (as described in the next section) to map Tioli Enterprise Portal userids to new or existing RACF userids that you will connect to the appropriate OPERCMDS profiles. 154 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

167 Setting up the userid mapping capability To map Tioli Enterprise Portal userids to new or existing RACF userids for Take Action alidation, create member KGLUMAP in the RKANPARU data set, and add to it one or more one-line mappings of this form: tepuser1 racfuser1 tepuser2 racfuser2 tepuser3 racfuser3 where tepuser is the 1- to 10-character Tioli Enterprise Portal userid, and racfuser is the 1- to 8-character RACF userid. The tepuser field (but only that field) allows a trailing * to indicate a wildcard, as in these examples: tepuser* racfusera sys* racfuserb Note that no TSO or OMVS segments are required for any new RACF userids you choose, since they won't be used to actually log on to z/os. Instead, they are used only for authorization against the OPERCMDS facility profiles. Chapter 8. Configuring security on a monitoring serer on z/os 155

168 156 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

169 Part 4. Appendixes Copyright IBM Corp. 2005,

170 158 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

171 Appendix A. Documentation library This appendix contains information about the publications related to the OMEGAMON XE products and to IBM Tioli Monitoring and the commonly shared components of Tioli Management Serices. These publications are listed in the following categories: IBM Tioli Monitoring library Shared OMEGAMON XE publications on page 161 Related publications on page 162 See IBM Tioli Monitoring and OMEGAMON XE Products: Documentation Guide, SC , for information about accessing and using the publications. You can find the Documentation Guide in the IBM Tioli Monitoring and OMEGAMON XE Information Center at tiihelp/15r1/. To find a list of new and changed publications, click What's new on the Welcome page of the IBM Tioli Monitoring and OMEGAMON XE Information Center. To find publications from the preious ersion of a product, click Preious information centers on the Welcome page for the product. IBM Tioli Monitoring library The following publications proide information about IBM Tioli Monitoring and about the commonly shared components of Tioli Management Serices: IBM Tioli Monitoring: Quick Start Guide, GI Introduces the components of IBM Tioli Monitoring. IBM Tioli Monitoring: Installation and Setup Guide, GC Proides instructions for installing and configuring IBM Tioli Monitoring components on Windows, Linux, and UNIX systems. IBM Tioli Management Serices on z/os: Program Directory for IBM Tioli Management Serices on z/os, GI Gies instructions for the SMP/E installation of the Tioli Management Serices components on z/os. IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os, SC Gies detailed instructions for using the Configuration Tool to configure Tioli Enterprise Monitoring Serer on z/os systems. Includes scenarios for using batch mode to replicate monitoring enironments across the z/os enterprise. Also proides instructions for setting up security and for adding application support to a Tioli Enterprise Monitoring Serer on z/os. IBM Tioli Monitoring: Administrator's Guide, SC Describes the support tasks and functions required for the Tioli Enterprise Portal Serer and clients, including Tioli Enterprise Portal user administration. IBM Tioli Monitoring: High-Aailability Guide for Distributed Systems, SC Gies instructions for seeral methods of ensuring the aailability of the IBM Tioli Monitoring components. Copyright IBM Corp. 2005,

172 Tioli Enterprise Portal online help Proides context-sensitie reference information about all features and customization options of the Tioli Enterprise Portal. Also gies instructions for using and administering the Tioli Enterprise Portal. IBM Tioli Monitoring: Tioli Enterprise Portal User's Guide, SC Complements the Tioli Enterprise Portal online help. The guide proides hands-on lessons and detailed instructions for all Tioli Enterprise Portal features. IBM Tioli Monitoring: Command Reference, SC Proides detailed syntax and parameter information, as well as examples, for the commands you can use in IBM Tioli Monitoring. IBM Tioli Monitoring: Troubleshooting Guide, GC Proides information to help you troubleshoot problems with the software. IBM Tioli Monitoring: Messages, SC Lists and explains messages generated by all IBM Tioli Monitoring components and by z/os-based Tioli Management Serices components (such as Tioli Enterprise Monitoring Serer on z/os and TMS:Engine). IBM Tioli Uniersal Agent User's Guide, SC Introduces you to the IBM Tioli Uniersal Agent, an agent of IBM Tioli Monitoring. The IBM Tioli Uniersal Agent enables you to use the monitoring and automation capabilities of IBM Tioli Monitoring to monitor any type of data you collect. IBM Tioli Uniersal Agent API and Command Programming Reference Guide, SC Explains the procedures for implementing the IBM Tioli Uniersal Agent APIs and proides descriptions, syntax, and return status codes for the API calls and command-line interface commands. IBM Tioli Monitoring: Agent Builder User's Guide, SC Explains how to use the Agent Builder for creating monitoring agents and their installation packages, and for adding functions to existing agents. Documentation for the base agents If you purchased IBM Tioli Monitoring as a product, you receied a set of base monitoring agents as part of the product. If you purchased a monitoring agent product (for example, an OMEGAMON XE product) that includes the commonly shared components of Tioli Management Serices, you did not receie the base agents. The following publications proide information about using the base agents. Operating system agents: IBM Tioli Monitoring: Windows OS Agent User's Guide, SC IBM Tioli Monitoring: UNIX OS Agent User's Guide, SC IBM Tioli Monitoring: Linux OS Agent User's Guide, SC IBM Tioli Monitoring: i5/os Agent User's Guide, SC IBM Tioli Monitoring: UNIX Log Agent User's Guide, SC IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

173 Agentless operating system monitors: IBM Tioli Monitoring: Agentless Monitoring for Windows Operating Systems User's Guide, SC IBM Tioli Monitoring: Agentless Monitoring for AIX Operating Systems User's Guide, SC IBM Tioli Monitoring: Agentless Monitoring for HP-UX Operating Systems User's Guide, SC IBM Tioli Monitoring: Agentless Monitoring for Solaris Operating Systems User's Guide, SC IBM Tioli Monitoring: Agentless Monitoring for Linux Operating Systems User's Guide, SC Warehouse agents: IBM Tioli Monitoring: Warehouse Summarization and Pruning Agent User's Guide, SC IBM Tioli Monitoring: Warehouse Proxy Agent User's Guide, SC System P agents: IBM Tioli Monitoring: AIX Premium Agent User's Guide, SA IBM Tioli Monitoring: CEC Base Agent User's Guide, SC IBM Tioli Monitoring: HMC Base Agent User's Guide, SA IBM Tioli Monitoring: VIOS Premium Agent User's Guide, SA Other base agents: Monitoring Agent for IBM Tioli Monitoring 5.x Endpoint User's Guide, SC Shared OMEGAMON XE publications The following publications proide information common to the OMEGAMON XE products: IBM Tioli OMEGAMON XE Monitoring Agents on z/os: Quick Start Guide, GI Summarizes the installation and setup of an OMEGAMON XE monitoring agent on z/os. IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Planning and Configuration Guide, SC Gies instructions for planning and configuration tasks common to the components of Tioli Management Serices on z/os and the OMEGAMON XE monitoring agents on z/os. IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Upgrade Guide, SC Gies instructions for complete and staged upgrades to V4.2.0 of the OMEGAMON XE products. IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Common Parameter Reference, SC Proides reference information on parameters used for setting up runtime enironments and configuring hub and remote Tioli Enterprise Monitoring Serers on z/os, including detailed descriptions of the PARMGEN parameters. IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: PARMGEN Reference, SC Proides detailed instructions and common configuration scenarios for creating and maintaining runtime enironments using the PARMGEN configuration method. IBM Tioli OMEGAMON XE and Tioli Management Serices on z/os: Enhanced 3270 User Interface Guide, IBM Tioli OMEGAMON XE and Tioli Management Serices on z/os: Enhanced 3270 User Interface Guide Describes the features of the OMEGAMON enhanced 3270 user interface and proides operating instructions and reference material. IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: End-to-End Response Time Feature Reference, SC Proides instructions and reference information for the End-to-End Response Time Feature, which supplies response time data to seeral OMEGAMON XE products. Appendix A. Documentation library 161

174 IBM Tioli OMEGAMON XE and IBM Tioli Management Serices on z/os: Reports for Tioli Common Reporting, SC Explains how to use the Tioli Common Reporting tool to create reports from data displayed in the Tioli Enterprise Portal and stored in the Tioli Data Warehouse database. Related publications You can find useful information about the OMEGAMON XE monitoring agents in the IBM Tioli Monitoring and OMEGAMON XE Information Center at or in the task-oriented OMEGAMON Integrated Information Center at tiihelp/42r1/index.jsp. 162 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

175 Other sources of documentation You can also obtain technical documentation about IBM Tioli Monitoring and the OMEGAMON XE monitoring agents from the following sources: Integrated Serice Management Library Integrated Serice Management Library is an online catalog that contains integration documentation and other downloadable product extensions and accelerators. Redbooks IBM Redbooks and Redpapers include information about products from platform and solution perspecties. Technotes Technotes proide the latest information about known product limitations and workarounds. You can find Technotes through the IBM Software Support website at Tioli wikis on the IBM deeloperworks website Tioli Wiki Central at is the home for interactie wikis that offer best practices and scenarios for using Tioli products. The wikis contain white papers contributed by IBM employees, and content created by customers and business partners. Two of these wikis are of particular releance: Tioli Distributed Monitoring and Application Management Wiki at deeloperworks/wikis/display/tiolimonitoring/home proides information about IBM Tioli Monitoring and related distributed products, including IBM Tioli Composite Application Management products. Tioli System z Monitoring and Application Management Wiki at deeloperworks/wikis/display/tioliomegamon/home proides information about the OMEGAMON XE products, NetView for z/os, Tioli Monitoring Agent for z/tpf, and other System z monitoring and application management products. Appendix A. Documentation library 163

176 164 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

177 Appendix B. Support information If you hae a problem with your IBM software, you want to resole it quickly. IBM proides the following ways for you to obtain support: Online Go to the IBM Software Support site at and follow the instructions. IBM Support Assistant The IBM Support Assistant (ISA) is a free local software sericeability workbench that helps you resole questions and problems with IBM software products. The ISA proides quick access to support-related information and sericeability tools for problem determination. To install the ISA software, go to Troubleshooting Guide For more information about resoling problems, see the product's Troubleshooting Guide. Copyright IBM Corp. 2005,

178 166 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

179 Appendix C. Notices This information was deeloped for products and serices offered in the U.S.A. IBM may not offer the products, serices, or features discussed in this document in other countries. Consult your local IBM representatie for information on the products and serices currently aailable in your area. Any reference to an IBM product, program, or serice is not intended to state or imply that only that IBM product, program, or serice may be used. Any functionally equialent product, program, or serice that does not infringe any IBM intellectual property right may be used instead. Howeer, it is the user's responsibility to ealuate and erify the operation of any non-ibm product, program, or serice. IBM may hae patents or pending patent applications coering subject matter described in this document. The furnishing of this document does not gie you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drie Armonk, NY U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan, Ltd , Shimotsuruma, Yamato-shi Kanagawa Japan The following paragraph does not apply to the United Kingdom or any other country where such proisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-ibm websites are proided for conenience only and do not in any manner sere as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk. IBM may use or distribute any of the information you supply in any way it beliees appropriate without incurring any obligation to you. Licensees of this program who wish to hae information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: Copyright IBM Corp. 2005,

180 IBM Corporation 2Z4A/ Burnet Road Austin, TX U.S.A. Such information may be aailable, subject to appropriate terms and conditions, including in some cases payment of a fee. The licensed program described in this document and all licensed material aailable for it are proided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equialent agreement between us. Any performance data contained herein was determined in a controlled enironment. Therefore, the results obtained in other operating enironments may ary significantly. Some measurements may hae been made on deelopment-leel systems and there is no guarantee that these measurements will be the same on generally aailable systems. Furthermore, some measurement may hae been estimated through extrapolation. Actual results may ary. Users of this document should erify the applicable data for their specific enironment. Information concerning non-ibm products was obtained from the suppliers of those products, their published announcements or other publicly aailable sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of indiiduals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. Trademarks IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and serice names might be trademarks of IBM or other companies. A current list of IBM trademarks is aailable on the web at Copyright and trademark information at Jaa and all Jaa-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Linux is a trademark of Linus Toralds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Other company, product, and serice names may be trademarks or serice marks of others. 168 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

181 Glossary A actiity. One phase within a sequence of predefined steps called a policy that automate system responses to a situation that has fired (that is, become true). administration mode. mode on page 181. See workspace administration Adanced Encryption Standard. An encryption algorithm for securing sensitie but unclassified material designed by the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce. AES is intended to be a more robust replacement for the Data Encryption Standard. The specification calls for a symmetric algorithm (in which the same key is used for both encryption and decryption), using block encryption of 128 bits and supporting key sizes of 128, 192 and 256 bits. The algorithm was required to offer security of a sufficient leel to protect data for the next 20 to 30 years. It had to be easily implemented in hardware and software and had to offer good defenses against arious attack techniques. AES has been published as Federal Information Processing Standard (FIPS) 197, which specifies the encryption algorithm that all sensitie, unclassified documents must use. AES. See Adanced Encryption Standard. affinity. A label that classifies objects by managed system. agent. Software installed on systems you want to monitor that collects data about an operating system, subsystem, or application running on each such system. Because an executable file gathers information about a managed system, there is always a one-to-one correspondence between them. Also called a Tioli Enterprise Monitoring Agent. agentless monitor. An agentless monitor uses a standard API (such as SNMP or CIM) to identify and notify you of common problems with the operating system running on a remote computer. Thus, as their name implies, the agentless monitors can retriee monitoring and performance data without requiring OS agents on the computers being monitored. The agentless monitors proide monitoring, data gathering, and eent management for Windows, Linux, AIX, HP-UX, and Solaris systems. agentless monitoring serer. A computer that has one or more agentless monitors running on it. Each agentless monitoring serer can support up to 10 actie instances of the arious types of agentless monitors, in any combination. Each instance can communicate with up to 100 remote nodes, which means a single agentless monitoring serer can support as many as 1000 monitored systems. alert. A warning message or other indication that appears at a console to indicate that something has occurred or is about to occur that may require interention. alert monitor. A monitoring agent that monitors and relays alert information to the monitoring serer. Sources of alerts include message logs, system consoles, and network and system management products. algorithm. A set of well-defined rules for the solution of a problem in a finite number of steps. For example, a full statement of an arithmetic procedure for ealuating sin(x) to a stated precision. API. See Application Programming Interface. application. A software component or collection of software components that performs specific user-oriented work (a task) on a computer. Examples include payroll, inentory-management, and word-processing applications. Application Programming Interface. A set of multiple subprograms and data structures and the rules for using them that enables application deelopment ia a particular language and, often, a particular operating enironment. An API is a functional interface supplied by the operating system or by a separately licensed program that allows an application program written in a high-leel language to use specific data or functions of the operating system or the licensed program. arithmetic expression. A statement containing any combination of alues joined together by one or more arithmetic operators in such a way that the statement can be processed as a single numeric alue. arithmetic operator. A symbol representing a mathematical operation (addition, subtraction, multiplication, diision, or exponentiation), such as +, -, *, /, or ^. associate. The process of linking a situation with a Naigator item that enables a light to go on and a sound to play for an open eent. Predefined situations are associated automatically, as are situations created or edited through the Naigator item pop-up menu. When you open the Situation editor from the toolbar, any situations you create cannot be associated with a Naigator item during this editing session. You need to close the Situation editor, and then open it again from the pop-up menu of the Naigator item with which the situation is associated. Copyright IBM Corp. 2005,

182 attribute. (1) A system or application element being monitored by the monitoring agent, such as Disk Name and Disk Read/Writes Per Second. (2) A characteristic of a managed object; that is, a field in the data structure of a managed object or in the workspace associated with that managed object. (3) A field in an ODBC-compliant database. attribute group. A set of related attributes that can be combined in a data iew or a situation. When you open the iew or start the situation, data samples of the selected attributes are retrieed. Each type of monitoring agent has its own set of attribute groups. autonomous-mode monitoring agents. These monitoring agents run without communicating directly with a Tioli Enterprise Monitoring Serer. An autonomous agent can emit Simple Network Management Protocol (SNMP) traps and Eent Integration Facility (EIF) eents directly to an OMNIbus ObjectSerer for priate situations (but not for enterprise situations) that hae turned true. B baroc files. Basic Recorder of Objects in C files define eent classes for a particular IBM Tioli Enterprise Console serer. Baroc files also alidate eent formats based on these eent-class definitions. browser client. The software installed with the Tioli Enterprise Portal Serer that is downloaded to your computer when you start the Tioli Enterprise Portal in browser mode. The browser client runs under the control of a Web browser. C capacity planning. The process of determining the hardware and software configuration required to accommodate the anticipated workload on a system. chart. A graphical iew of data returned from a monitoring agent. A data point is plotted for each attribute chosen and, for bar and pie charts, a data series for each row. Types of charts include pie, bar, plot, and gauge. CIM. See Common Information Model. class file. A file containing Jaa object code for a single Jaa object class. class loader. files. A Jaa component that loads Jaa class client. An application that receies requested data from a serer. client/serer architecture. An architecture in which the client (usually a personal computer or workstation) is the machine requesting data or serices and the serer is the machine supplying them. Serers can be microcomputers, minicomputers, or mainframes. The client proides the user interface and may perform application processing. In IBM Tioli Monitoring the Tioli Enterprise Portal is the client to the Tioli Enterprise Portal Serer, whereas the portal serer is the client to the Tioli Enterprise Monitoring Serer. A database serer maintains the databases and processes requests from the client to extract data from or to update the database. An application serer proides additional business-support processing for the clients. Common Information Model. An XML-based standard for defining deice and application characteristics so that system administrators and management programs can monitor and control them using the same set of tools, regardless of their differing architectures. CIM proides a more comprehensie toolkit for such management functions than the Simple Network Management Protocol. Common Object Request Broker Architecture. An industry specification for the design and standardization of different types of object request brokers (ORBs). ORBs allow different computers to exchange object data; CORBA enables ORBs from different software endors (often running under dissimilar computer systems and operating systems) to exchange object data. CORBA facilitates communication among program components in a network using objects. The Tioli Enterprise Portal Serer is a CORBA implementation. condition. An expression that ealuates to either true or false. It can be expressed in natural language text, in mathematically formal notation, or in a machine-readable language. Configuration Tool, z/os (ICAT). A REXX-based tool for configuring OMEGAMON XE products running on zseries systems, after they hae been installed using the System Modification Program/Extended (SMP/E) tool. Configure History permission. Your userid must hae Configure History permission to open the History Collection Configuration window for setting up history files and data rolloff. If you do not hae this permission, you cannot see the menu item or tool for historical configuration. CORBA. See Common Object Request Broker Architecture. critical state. The indication that a situation associated with a Naigator item is in an unacceptable state and that you must take correctie action. The critical state is represented by the color red. Custom Naigator Views permission. Your userid has a Modify check box for the Custom Naigator Views 170 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

183 feature. This permission must be enabled for you to open the Naigator iew editor to maintain and update Naigator iews. D Data Encryption Standard. A widely used method of priate-key data encryption that originated at IBM in 1977 and was adopted by the U.S. Department of Defense. DES supports 72 quadrillion or more possible encryption keys; for each message, the key is chosen at random from among this enormous number of possible keys. Like all other priate-key cryptographic methods, both the sender and the receier must know and use the same priate key. DES applies a 56-bit key to each 64-bit block of data. Although this is considered strong encryption, many companies use triple DES, which applies three keys in succession. database. A collection of both interrelated and independent data items that are stored together on a computer disk to sere multiple applications. data source name. The name that is stored in the database serer and that enables you to retriee information from the database through ODBC. The DSN includes such information as the database name, database drier, userid, and password. data sources. Data pertaining to J2EE data sources, which are logical connections to database subsystems. data warehouse. A central repository for all or significant parts of the data that an organization's business systems collect. DB2 for the workstation. IBM's DB2 Database for Linux, UNIX, and Windows systems is a relational database management system that runs on desktop computers. You install a DB2 database on the same system as the Tioli Enterprise Portal Serer; it stores the portal serer's queries, customized workspaces, userids, and custom Naigator iews. DB2 for the workstation can also sere as the data repository for the Tioli Data Warehouse, which stores historical monitoring information. default. Pertaining to an attribute, alue, or option that is assumed when none is explicitly specified. Demilitarized Zone. The area of a World Wide Web application that a company can use to host Internet serices without allowing unauthorized access. Derby. An open-source, public-domain, relational database management system implemented in Jaa and designed to conform to accepted database standards (such as SQL and JDBC). Derby came about when IBM contributed its Cloudscape database manager to the Apache project and features a small machine footprint. IBM Tioli Monitoring implements Derby as an embedded database within its Tioli Enterprise Portal Serer; in other words, the database is installed with the portal serer, and it runs within the portal serer's Jaa irtual machine. DES. See Data Encryption Standard. desktop client. Software supplied with IBM Tioli Monitoring that you install on a workstation that you plan to use for interacting with the Tioli Enterprise Portal Serer and the Tioli Enterprise Monitoring Serer. The desktop Tioli Enterprise Portal client proides the graphical user interface into the IBM Tioli Monitoring network. detailed attribute name. The name used in formulas, expert adice, Take Action commands, and headers and footers when referencing a monitoring agent attribute. In the Properties and Situation editors, you click Show Formula, and then check Show detailed formula to see the detailed attribute name. display item. An attribute designated to further qualify a situation. With a display item set for a multiple-row attribute group, the situation continues to look at the other rows in the sample and opens more eents if other rows qualify. The alue displays in the eent workspace and in the message log and situation eent console iews. You can select a display item when building a situation with a multiple-row attribute group. distribution. The managed systems on which the situation is running. DLL. DMZ. See Dynamic Link Library. See Demilitarized Zone. drill down. To access information by starting with a general category and moing through the hierarchy of information, for example, in a database, to moe from file to record to field. DSN. DVIPA. See data source name. See Dynamic Virtual IP Addressing. Dynamic Link Library. A composite of one or more executable objects that is bound together by a linking procedure and loaded at run time (rather than when the application is linked). The code and data in a dynamic link library can be shared by seeral applications simultaneously. DLLs apply only to Windows operating enironments. Dynamic Virtual IP Addressing. This feature of IP allows System Z to reassign IP addresses in eent of a failure in an application, TCP/IP stack, or LPAR. Glossary 171

184 E EIB. EIF. See Enterprise Information Base. See Eent Integration Facility. endcode. You assign endcodes in a policy when you connect one actiity to another. The endcode indicates the result of this actiity that triggers the next actiity. Enterprise Information Base. A database used by the Tioli Enterprise Monitoring Serer that seres as a repository of shared objects for all systems across your enterprise. The EIB stores all persistent data, including situations, policies, user definitions, and managed-object definitions. enterprise situation. A situation that is created for a Tioli Enterprise Monitoring Agent that reports eents to the Tioli Enterprise Monitoring Serer to which it connects. Enterprise situations are centrally defined at the monitoring serer and distributed at agent startup. See also situation on page 178. eent. An action or some occurrence, such as running out of memory or completing a transaction, that can be detected by a situation. Eents cause a change in the state of a managed object associated with a situation, thereby make the situation true and causing an alert to be issued. eent indicator. The colored icon that displays oer a Naigator item when an eent opens for a situation running on that item. Eent Integration Facility. An application programming interface that external applications can inoke to create, send, or receie eents. These eents are in the same format as Tioli Enterprise Console eents and are referred to as either EIF eents or TEC/EIF eents. eent item. A Naigator item that shows when you open the eent workspace for a true situation (by selecting it from the eent flyoer listing or from the situation eent console pop-up menu). eent sound. The sound file that plays when an eent opens. This sound file is set in the Situation editor when the situation is associated with a Naigator item and can differ for different Naigator items. expert adice. A description within the Situation editor of each situation proided with a monitoring agent to help you quickly understand and interpret eents arising from it. Extensible Markup Language. A data-description language deried from Standard Generalized Markup Language (SGML); also a tool for encoding messages so they describe their own fields. You use XML to format a document as a data structure. As program objects, such documents can hae their contents and data hidden within the object, which allows you to control who can manipulate the document and how. In addition, documents can carry with them the object-oriented procedures called methods. The XML standard aids in exchanging data between applications and users. F filter criteria. These criteria limit the amount of information returned to the data iew in response to a query. You can apply a prefilter to the query to collect only certain data, or apply a postfilter to the iew properties to show only certain data from the information collected. fix pack. A tested collection of all cumulatie maintenance for a product, up to the release of the fix pack. It can also contain fixes that hae not been shipped preiously, but it might contain no new function. G georeferenced map. A special type of graphic that has built-in knowledge of latitude and longitude and can be zoomed into and out of quickly. The Tioli Enterprise Portal uses proprietary.ivl files generated with the map-rendering component. These files cannot be opened or saed in a graphics editor. GSKit. The Global Security Toolkit proides SSL (Secure Sockets Layer) processing within protocols such as SPIPE and HTTPS. On z/os systems, GSKit is known as the Integrated Cryptographic Serice Facility, or ICSF. H hierarchical. Describes data that is organized on computer systems using a hierarchy of containers, often called folders (that is, directories) and files. In this scheme, folders can contain other folders and files. The successie creation of folders within folders creates the leels of organization, which is the hierarchy. historical collection. A definition for collecting and storing data samples for historical reporting. The historical collection identifies the attribute group, any row filtering you hae assigned, the managed system distribution, frequency of data collection, where to store it for the short term, and whether to sae data long term (usually to the Tioli Data Warehouse). historical data management. The procedures applied to short-term binary history files that roll off historical data to either the Tioli Data Warehouse or to delimited text files (the krarloff utility on UNIX or Windows systems; ddname KBDXTRA for the z/os Persistent Datastore), and then delete entries in the 172 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

185 short-term history files oer 24 hours old, thereby making room for new entries. hot standby. A redundant Tioli Enterprise Monitoring Serer running on a distributed platform that, if the primary or hub monitoring serer should fail, assumes the responsibilities of the failed monitoring serer. HTTP. The Hypertext Transfer Protocol is a suite of Internet protocols that transfer and display hypertext documents within Web browsers. HTTP sessions. Data related to inocations of specific World Wide Web sites. HTTPS. The Secure Hypertext Transport Protocol is an implementation of the Hypertext Transport Protocol (HTTP) that relies on either the Secure Sockets Layer (SSL) API or the Transport Layer Security (TLS) API to proide your users with secure access to your site's Web serer. These APIs encrypt and then decrypt user page requests as well as the pages returned by the Web serer. hub. (1) A central host system that collects the status of situations running on your systems. (2) The monitoring serer that your site has selected to act as the focal point to which all portal serers and remote monitoring serers in this monitored network connect. A remote monitoring serer passes its collected data to the hub to be made aailable to clients, creating an enterprise-wide iew. I IBM Tioli Monitoring. A client/serer implementation for monitoring enterprise-wide computer networks that comprises a Tioli Enterprise Monitoring Serer, an application serer known as the Tioli Enterprise Portal Serer, one or more Tioli Enterprise Portal clients, and multiple monitoring agents that collect and distribute data to the monitoring serer. IIOP, a part of the CORBA standard, is based on the client/serer computing model, in which a client program makes requests of a serer program that waits to respond to client requests. With IIOP, you can write client programs that communicate with your site's existing serer programs whereer they are located without haing to understand anything about the serer other than the serice it performs and its address (called the Interoperable Object Reference, IOR, which comprises the serer's port number and IP address). Interoperable Object Reference. Connects clients to the Tioli Enterprise Portal Serer. The IOR identifies a remote object, including such information as name, capabilities, and how to contact it. The URL may include an IOR because it goes through the Web serer; the portal serer uses it to tell the client which IOR to fetch. After it does that, the portal serer extracts the host and port information and tells the client where to route the request. interal. The number of seconds that hae elapsed between one sample and the next. IOR. J See Interoperable Object Reference. Jaa Database Connectiity. A standard API that application deelopers use to access and update relational databases (RDBMSes) from within Jaa programs. The JDBC standard is based on the X/Open SQL Call Leel Interface (CLI) and complies with the SQL-92 Entry Leel standard; it proides a DBMS-independent interface that enables SQL-compliant database access for Jaa programmers. Jaa Management Extensions. A set of Jaa classes for application and network management in J2EE enironments. JMX proides Jaa programmers a set of natie Jaa tools called MBeans (managed beans) that facilitate network, deice, and application management. JMX proides a Jaa-based alternatie to the Simple Network Management Protocol. IIOP. See Internet Inter-ORB Protocol. JDBC. See Jaa Database Connectiity. input data. Data proided to the computer for further processing. See also output data on page 176. integral Web serer. A proprietary Web serer deeloped for IBM Tioli Monitoring that is installed and configured automatically with the Tioli Enterprise Portal Serer. You enter the URL of the integral Web serer to start the Tioli Enterprise Portal client in browser mode. Internet Inter-ORB Protocol. An Internet communications protocol that runs on distributed platforms. Using this protocol, software programs written in different programming languages and running on distributed platforms can communicate oer the Internet. JMX. L LDAP. See Jaa Management Extensions. See Lightweight Directory Access Protocol. Lightweight Directory Access Protocol. A protocol that conforms to the International Standards Organization's X.500 directory standard that uses TCP/IP to access directory databases where applications can store and retriee common naming and location data. For example, applications can use Glossary 173

186 LDAP to access such directory information as addresses, serice configuration parameters, and public keys. location broker. The component that manages connections for the hub monitoring serer, enabling it to find all other Tioli Management Serices components, including remote monitoring serers, the Tioli Enterprise Portal Serer, and monitoring agents. M managed object. An icon created in the Tioli Enterprise Portal from a managed object template that represents resources you monitor using situations. Managed objects are conerted to items in the Naigator's Logical iew. managed system. A particular operating system, subsystem, or application in your enterprise where a monitoring agent is installed and running. A managed system is any system that IBM Tioli Monitoring is monitoring. managed system group. (Formerly managed system list.) A named, heterogeneous group of both similar and dissimilar managed systems organized for the distribution of historical collections, situations, and policies, and for assignment to queries and items in custom Naigator iews. For example, you might create a managed system group named IT_London for a geographic region and another named Credit_Approal for a functional area of your organization. If a managed system group is updated (usually when a constituent managed system is added or deleted), then all the historical collections, situations, and policies that use that group are redistributed to all managed systems in the group. Managed system groups are created, modified, or deleted either by the Tioli Enterprise Portal's Object Group editor or ia the tacmd CLI command with the createsystemlist, editsystemlist, or deletesystemlist keywords; they are maintained by the Tioli Enterprise Monitoring Serer. MBeans. Managed beans are Jaa objects that represent managed resources such as deices, serices, and applications. The management functions are proided by the MBean serer. MDM. See Multi-domain Management. method. In object-oriented programming, the software that implements an object's behaior as specified by an operation. Microsoft Management Console. This feature of Microsoft's arious Windows Serer enironments proides a centralized, consistent, and extensible interface to Windows' arious monitoring and management utilities. In particular, MMC manages directory serices, job scheduling, eent logging, performance monitoring, and user enironments. middleware. Software that enables the exchange of information between components in a distributed computing enironment. The middleware is the data-exchange and communications channel that allows programs to cooperate with each other without haing to know details about how they are implemented or where they are deployed. Middleware typically proides a range of related facilities such as persistence, auditing, and the ability to build a transactional unit of work. IBM's CICS and WebSphere MQ are examples of middleware. migrating. Presering your customized configuration data so you can use it again after installing a newer ersion of the product. MMC. See Microsoft Management Console. monitor. An entity that performs measurements to collect data pertaining to the performance, aailability, reliability, or other attributes of applications or the systems on which those applications rely. These measurements can be compared to predefined thresholds. If a threshold is exceeded, administrators can be notified, or predefined automated responses can be performed. monitor interal. A specified time, scalable to seconds, minutes, hours, or days, for how often the monitoring serer checks to see if a situation has become true. The minimum monitor interal is 30 seconds; the default alue is 15 minutes. monitoring. Running a hardware or software tool to monitor the performance characteristics of a system. Multi-domain Management. This feature gies you the ability to administer multiple IBM Tioli Monitoring domains from a single, central location. This type of management consolidates Tioli Monitoring configuration artifacts into a central database where they can be managed independently of the monitoring serer. Your hub monitoring serer operations will be generalized across multiple IBM Tioli Monitoring domains. MDM has the following capabilities: Promotion of existing configuration artifacts from an editor domain into a standard store. Export of configuration artifacts from multiple domains into a single relational database under a single namespace for management and reporting purposes. Import of configuration artifacts into multiple IBM Tioli Monitoring domains. Ease of monitoring agent migration operations, configuration changes, and compliance with configuration standards. Serer-side audit of all operations. 174 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

187 N namespace. A namespace uniquely identifies a set of names so that there is no ambiguity when objects haing different origins but the same names are mingled. For example, within the Extensible Markup Language (XML), an XML namespace is a collection of element type and attribute names. These element types and attribute names are uniquely identified by the name of the unique XML namespace that contains them. In an XML document, any element type or attribute name can thus require a two-part name consisting of the name of its namespace and then its local (functional) name, separated by a colon (:). It is possible (and often desirable) to create multiple namespaces; this may be essential in enironments where different sets of information are maintained in a common repository like LDAP. NAT. See Network Address Translation. Naigator. The upper-left pane of the Tioli Enterprise Portal window. The Naigator Physical iew shows your network enterprise as a physical hierarchy of systems grouped by platform. You can also define other iews that create logical hierarchies grouped as you specify, such as by department or function. Network Address Translation. A scheme used by local-area networks (LANs) to establish an internal and external set of IP addresses. Internal IP addresses are kept priate and must be translated to and from the external addresses for outbound and inbound communications. NAT is often used in firewall configurations. Network File System. A client/serer file system deeloped by Sun Microsystems that, once mounted (that is, made accessible), allows a user on an NFS client to iew, store, and update files on a remote computer (the NFS serer) as though they were on the user's own computer. The portion of the mounted file system that each user can access and in what ways is determined by the user's own file-access priileges and restrictions. Both the NFS serer and client use TCP/IP's User Datagram Protocol as the mechanism for sending file contents and updates back and forth. NFS has been designated a file serer standard; it uses the Remote Procedure Call method of communication between computers. NFS. See Network File System. node. (1) In networking, a point capable of sending and receiing data. A node can be a deice, such as printer or workstation, a system, a storage location on a disk, or a single computer. (2) Any managed system, such as an AIX-based pseries serer, that IBM Tioli Monitoring is monitoring. A node can also be a managed system of subnodes, all of which are being managed as components of the primary node. non-agent bundles. You can use these custom bundles to remotely deploy components that need not connect to a Tioli Enterprise Monitoring Serer, such as those that support other Tioli products like IBM Tioli Netcool/OMNIbus. O object. An instance of a class, which comprises an implementation and an interface. An object reflects its original, holding data and methods and responds to requests for serices. CORBA defines an object as a combination of state and a set of methods characterized by the behaior of releant requests. ODBC See Open Database Connectiity on page OMEGAMON Dashboard Edition (OMEGAMON DE). The OMEGAMON implementation that includes all the features of the Tioli Enterprise Portal proided with OMEGAMON XE, plus application-integration components that facilitate an enterprise-wide iew of your computing enironment. OMEGAMON DE's workspaces integrate the data from multiple OMEGAMON Monitoring Agents into one network-wide iew. OMEGAMON Extended Edition (OMEGAMON XE). The IBM Tioli Monitoring implementation of a single OMEGAMON Monitoring Agent. OMEGAMON XE displays the monitoring data from each OMEGAMON Monitoring Agent independently, without integrating it into the enterprise-wide workspaces proided by OMEGAMON DE. OMEGAMON Monitoring Agent. The software process that probes a managed z/os system or subsystem (such as CICS) for data. The monitoring agent sends that monitoring information back to the Tioli Enterprise Monitoring Serer and then on to the Tioli Enterprise Portal Serer to be formatted into table and chart iews for display on a Tioli Enterprise Portal client. OMEGAMON Tioli Eent Adapter. Inokes the Eent Integration Facility API to synchronize IBM Tioli Monitoring eents with the IBM Tioli Enterprise Console product. OTEA is a component of the Tioli Enterprise Monitoring Serer; it forwards IBM Tioli Monitoring eents to Tioli Enterprise Console and maps them to their corresponding Tioli Enterprise Console eent classes based on the situation name's suffix, either _Warning or _Critical. Integrating these products requires two parts: a Tioli Enterprise Monitoring Serer piece (included with IBM Tioli Monitoring ersion 6.1 and subsequent releases) called the OMEGAMON Tioli Eent Adapter, and a Glossary 175

188 Tioli Enterprise Console piece called the Situation Update Forwarder that is installed on the Tioli Enterprise Console serer. Open Database Connectiity. A standard API for accessing data in both relational and nonrelational database systems using procedural, non-object-based languages such as C. Using this API, database applications can access data stored in database management systems on a ariety of computers een if each database management system uses a different data storage format and programming interface. Tioli Enterprise Portal users can access the Query editor to write custom SQL queries for creating iews that retriee data from ODBC-compliant databases. operator. (1) The action to be performed on one or more attributes when ealuating an expression. The types of operators the Tioli Enterprise Portal supports are arithmetic, comparison, Boolean, and logical. (2) The symbol (such as +, -, or *) that represents that operation (in these examples, addition, subtraction, multiplication). OTEA. See OMEGAMON Tioli Eent Adapter on page 175. output data. Data resulting from computer processing. See also input data on page 173. P parameter. A alue or reference passed to a function, command, or program that seres as input or to control actions. The alue is supplied by a user or by another program or process. PDS. PerfMon. See Persistent Datastore. See Performance Monitor performance. A major factor in measuring system productiity. Performance is determined by a combination of throughput, response time, and aailability. performance analysis. The use of one or more performance tools to inestigate the reasons for performance improement or deterioration. Performance Monitor (PerfMon). The Windows Performance Monitor is an SNMP-based performance-monitoring tool for Windows enironments. PerfMon monitors network elements such as computers, routers, and switches. Persistent Datastore. A set of z/os data sets where IBM Tioli Monitoring running on z/os systems stores historical monitoring data. The Naigator's Physical mapping places the platform leel under the Enterprise leel. policy. A set of automated system processes that can perform actions, schedule work for users, or automate manual tasks, frequently in response to eents. Policies are the IBM Tioli Monitoring automation tool; they comprise a series of automated steps, called actiities, whose order of execution you control. In most cases, a policy links a Take Action command to a situation that has turned true. When started, the policy's workflow progresses until all actiities hae been completed or until the Tioli Enterprise Portal user manually stops the policy. You can create both policies that fully automate workflow strategies and those that require user interention. As with situations, policies are distributed to the managed systems you want to monitor and to which you are sending commands. presentation files. Two files installed with the Tioli Enterprise Portal Serer, presentation.dat and presentation.idx, that store workspace definitions, link definitions, and terminal emulator scripts. priate situation. A situation that is defined in an XML-based priate configuration file for the local Tioli Enterprise Monitoring Agent or Tioli System Monitor Agent and that does not interact with a Tioli Enterprise Monitoring Serer. Such eents can be sent ia either EIF or SNMP alerts to a receier such as IBM Tioli Enterprise Console or Netcool/OMNIbus. See also situation on page 178. product code. The three-letter code used by IBM Tioli Monitoring to identify the product component. For example, the product code for IBM Tioli Monitoring for WebSphere Application Serer is KWE. Properties editor. A multi-tabbed window for specifying the properties of the indiidual iews that make up a workspace, as well as the general workspace properties. pure eent. A pure eent is one that occurs automatically, such as when a paper-out condition occurs on the printer or when a new log entry is written. Situations written to notify you of pure eents remain true until they are manually closed or automatically closed by an UNTIL clause. See also eent on page 172. Q query. A particular iew of specified attributes of selected instances of a set of managed-object classes, arranged to satisfy a user request. Queries are written using SQL. platform. The operating system on which the managed system is running, such as z/os or Linux. 176 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

189 query permissions.. The set of Tioli Enterprise Portal Serer authorities that allow your user ID to create or update queries. If you do not see the Queries tool, your user ID does not hae View or Modify Query permissions. If you can see the tool but it is disabled, your user ID does not hae Workspace Author Mode permission. If you can open the Query editor but the tools are disabled, your user ID does not hae Modify Query permission. R remote. A remote monitoring serer collects monitoring data from a subset of your site's monitoring agents and passes its collected data to the hub Tioli Enterprise Monitoring Serer to be made aailable to one or more Tioli Enterprise Portal clients through the Tioli Enterprise Portal Serer, thereby creating an enterprise-wide iew. remote deployment. Using IBM Tioli Monitoring software, you can deploy agents and other non-agent, Tioli Management Serices-based components to remote nodes without your haing to sign onto those nodes and perform the installation and configuration steps yourself. Remote deployment requires two pieces on the destination node: (1) a bundle containing the component code and the instructions for installing and configuring it and (2) an operating-system agent to read the bundle and perform the installation and configuration steps. Remote Procedure Call. A protocol based on the Open Software Foundation's Distributed Computing Enironment (DCE) that allows one program to request serices from a program running on another computer in a network. RPC uses the client/serer model: the requesting program is the client, and the responding program is the serer. As with a local procedure call (also known as a function call or a subroutine call), an RPC is a synchronous operation: the requesting program is suspended until the remote procedure returns its results. rolloff. The transfer of monitoring data to a data warehouse. RPC. RTE. See Remote Procedure Call. See runtime enironment. runtime enironment. A group of execution libraries that proide an operational enironment on a z/os system. RTEs execute OMEGAMON products on a z/os image. runtime libraries. Libraries in the runtime enironment that the product uses when it is started and running. S sample. The data that the monitoring agent collects for the monitoring serer instance. The interal is the time between data samplings. sampled eent. Sampled eents happen when a situation becomes true. Situations sample data at regular interals. When the situation becomes true, it opens an eent, which gets closed automatically when the situation goes back to false (or when you close it manually). See also eent on page 172. Secure Sockets Layer. A security protocol for communication priacy that proides secure client/serer conersations. SSL proides transport layer security (authenticity, integrity, and confidentiality) for a secure connection between a client and a serer. seed data. The product-proided situations, templates, policies, and other sample data included with a monitoring agent to initialize the Tioli Enterprise Monitoring Serer's Enterprise Information Base. Before you can use a monitoring agent, the monitoring serer to which it reports must be seeded, that is, initialized with application data. SELinux. The National Security Agency's security-enhanced Linux (SELinux) is a set of patches to the Linux kernel plus utilities that together incorporate a strong, flexible mandatory access control (MAC) architecture into the kernel's major subsystems. SELinux enforces the separation of information based on confidentiality and integrity requirements, which allows attempts to tamper with or bypass application security mechanisms to be recorded and enables the confinement of damage caused by malicious or flawed applications. serer. An application that satisfies data and serice requests from clients. Simple Network Management Protocol. A TCP/IP transport protocol for exchanging network management data and controlling the monitoring of network nodes in a TCP/IP enironment. The SNMP software protocol facilitates communications between different types of networks. IBM Tioli Monitoring uses SNMP messaging to discoer the deices on your network and their aailability. Simple Object Access Protocol. The Simple Object Access Protocol is a lightweight, XML-based interface that endors use to bridge remote procedure calls between competing systems. SOAP makes it unnecessary for sites to choose between CORBA/Jaa/EJB and Microsoft's COM+. Because XML and SOAP are platform- and language-neutral, users can mix operating systems, programming languages, and object architectures yet maintain business-component interoperability across platforms: using SOAP, applications can conerse with Glossary 177

190 each other and exchange data oer the Internet, regardless of the platforms on which they run. single sign-on. This feature lets your IBM Tioli Monitoring users start other Tioli web-enabled applications from any Tioli Enterprise Portal client (desktop, browser, or Jaa Web start), or to start the Tioli Enterprise Portal from those applications, without haing to re-enter their user credentials (userid and password). For SSO to function, User Authentication must be configured through the Tioli Enterprise Portal Serer for an external LDAP registry (such as Microsoft Actie Directory) that is shared by all participating Tioli applications. All the participating applications must be configured for SSO and must belong to the same security domain and realm. situation. The set of monitored conditions running on a managed system that, when met, creates an eent. A situation comprises an attribute, an operator such as greater than or equal to, and a alue. It can be read as If system_condition compared_to alue is_true. An example of a situation is: If CPU_usage > 90% TRUE. The expression CPU_usage > 90% is the situation condition. Situation Eent Forwarder. This component of Tioli Management Serices maps situation eents to Eent Integration Facility (EIF) eents and uses the EIF interface to send the eents to a Tioli Enterprise Console eent serer or to an OMNIbus EIF probe (the EIF receiers). The eent receiers receie the forwarded eents, and expand and format them for the eent serers. On the Tioli Enterprise Console or OMNIbus console, users can iew, acknowledge, or reset situation eents. The updated situation status is returned to the originating hub monitoring serer and reflected in the Tioli Enterprise Console or OMNIbus console. Situation Update Forwarder. The Situation Update Forwarder is a Jaa- and CORBA-based background process for communication between IBM Tioli Enterprise Console and a particular Tioli Enterprise Monitoring Serer running under IBM Tioli Monitoring ersion 6.1 and subsequent releases. Your site must install this component on the Tioli Enterprise Console serer; for instructions, see the IBM Tioli Enterprise Console Installation Guide. SNMP. See Simple Network Management Protocol on page 177. SOAP See Simple Object Access Protocol on page sockets. Refers to the sockets method of passing data back and forth between a networked client and serer or between program layers on the same computer. sound. The WAV file that plays wheneer a situation becomes true for the current Naigator item. Sound is assigned to the Naigator item for a situation in the same way a state is assigned. SPIPE. A secure pipe is an implementation of the Internet Protocol's pipe specification that uses the Secure Sockets Layer API. Using SPIPE, your corporate Web serer can securely access internal serers that are not based on the HTTPS protocol, while retaining their ability to process HTTP requests. SQL. See Structured Query Language. SSL. See Secure Sockets Layer on page 177. SSM. See System Serice Monitors on page 179. SSO. See single sign-on. state. The seerity of the situation eent: critical, warning, or informational. Indicated by a colored eent indicator, state is set in the Situation editor and can be different for different Naigator items. status. The true or false condition of a situation. Structured Query Language. A standards-based programming language for extracting information from and updating information within a relational database. The Query editor enables you to write SQL queries to ODBC data sources for retrieal and display in table and chart iews. subnetwork. A configuration wherein a single IP network address is split up so it can be used on seeral interconnected local networks. Subnetworking is a local configuration; outside it appears as a single IP network. SUF. See Situation Update Forwarder. Summarization and Pruning agent. One of the IBM Tioli Monitoring base agents, the Summarization and Pruning agent keeps the data warehouse from growing too large by summarizing and pruning your stored historical data at interals you set. For eery attribute group that has data collection configured, you specify how often to aggregate (summarize) data in the Tioli Data Warehouse and the length of time to delete (prune) data from the warehouse. symbol. Represents a ariable that can be added to header or footer text for data iews, expert-adice text, or query specification. The detailed attribute name is enclosed in dollar signs, such as $ORIGINNODE$, and resoles to the attribute's alue. For Tioli Enterprise Monitoring Serer queries, == $NODE$ specifies the managed systems from which to retriee data. For queries to be used in link target workspaces, you can create symbols for attributes using the $symbolname$ format. System Monitor Agent. These agents were introduced with IBM Tioli Monitoring V6.2.2 for nodes that run the desktop operating systems (Windows, 178 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

191 Linux, UNIX). These agents operate only autonomously (that is, they run without a connection to a Tioli Enterprise Monitoring Serer) and pass SNMP trap data about operating system performance to an SNMP Eent Collector such as IBM Tioli Netcool/OMNIbus's MTTRAPD receier. No other IBM Tioli Monitoring agents or other components should be installed on the same node as a System Monitor Agent. The only exception to this rule is agents created with the Agent Builder tool for V6.2.2 or subsequent. System Serice Monitors. The IBM Tioli Netcool/OMNIbus product proides System Serice Monitors that support basic system-leel monitoring of network components such as operating systems. In addition, OMNIbus proides ISMs (Internet Serice Monitors) and ASMs (Application Serice Monitors). IBM System Z. Umbrella family name used when referring to multiple product lines or the IBM mainframe class of products in general. T Take Action. A Tioli Enterprise Portal dialog box from which you can enter a command or choose from a list of predefined commands. It also lists systems on which to effect the command, which is usually a response to an eent. Take Action command. A Take Action command allows you to send commands to your managed systems, either automatically, in response to a situation that has fired (that is, turned true), or manually, as the Tioli Enterprise Portal operator requires. With Take Action commands, you can enter a command or select one of the commands predefined by your product and run it on any system in your managed network. Thus you can issue Take Action commands either against the managed system where the situation fired or a different managed system in your network. target libraries. SMP/E-controlled libraries that contain the data installed from the distribution media. task. A unit of work representing one of the steps in a process. TCP/IP. See Transmission Control Protocol/Internet Protocol on page 180. TDW. See Tioli Data Warehouse. telnet. A terminal emulation program used on TCP/IP networks. You can start a telnet session with another system and enter commands that execute on that system. A alid userid and password for that remote system are required. TEPS/e. See Tioli Enterprise Portal Serer extended serices. threshold. (1) A leel set in the system at which a message is sent or an error-handling program is called. For example, in a user auxiliary storage pool, the user can set the threshold leel in the system alues, and the system notifies the system operator when that leel is reached. (2) A customizable alue for defining the acceptable tolerance limits (maximum, minimum, or reference limit) for an application resource or system resource. When the measured alue of the resource is greater than the maximum alue, less than the minimum alue, or equal to the reference alue, an exception is raised. time-scheduling serices. The Tioli Common Reporting module uses the time-scheduling serices to query and manage report schedules and tasks. timestamp. A data type that contains a seen-part alue consisting of a date and a time expressed in years, months, days, hours, minutes, seconds, and microseconds. Tioli Common Reporting. This reporting module allows a single point of access to reports generated by multiple products. It interacts with either the Business Intelligence and Reporting Tools (BIRT) Designer or with the Cognos product for customizing reports and running defined reports. The time-scheduling serice allows you to schedule report extraction and creation. Tioli Data Warehouse. This member of the IBM Tioli Monitoring product family stores Tioli Monitoring agents' monitoring data in separate relational database tables so you can analyze historical trends using that enterprise-wide data. Reports generated from Tioli Data Warehouse data proide information about the aailability and performance of your monitored enironment oer different periods of time. Tioli Enterprise Monitoring Serer. The host data-management component for IBM Tioli Monitoring. It receies and stores data from either the agents or other monitoring serers. Tioli Enterprise Portal. The client component of a Tioli Enterprise Portal Serer. The Tioli Enterprise Portal proides the graphical user interface into monitoring data collected by the Tioli Enterprise Monitoring Serer and prepared for user display by the portal serer. The Tioli Enterprise Portal comes in two ersions: the desktop client and the browser client. Tioli Enterprise Portal Serer. The serer you log onto and connect to through the Tioli Enterprise Portal client. The portal serer connects to the hub Tioli Enterprise Monitoring Serer; it enables retrieal, manipulation, and analysis of data from your enterprise's monitoring agents. Tioli Enterprise Portal Serer extended serices. An embedded, colocated extension of the Tioli Enterprise Portal Serer that proides J2EE-based Application Serer integration facilities. TEPS/e supports Glossary 179

192 a federated user repository built on the Lightweight Directory Access Protocol (LDAP). Tioli Enterprise Serices user interface extensions. A component proided as part of Tioli Management Serices running on distributed systems that proides access to the command line interface for other Tioli Management Serices components. This component includes the tacmd command, which is used for, among other things, administering the self-describing agents feature. The GUI installer on distributed operating systems automatically installs this component when you install the Tioli Enterprise Portal desktop client, the Tioli Enterprise Portal Serer, or the Tioli Enterprise Monitoring Serer. Additionally, it is an optional installable component of the Tioli Enterprise Monitoring Agent component. The component code is KUE. The Tioli Enterprise Serices user interface extensions are not aailable on z/os. Tioli Enterprise Web Serices. An open standards-based interface to the monitoring serer that uses SOAP requests. Using SOAP, any monitoring agent can be dynamically queried, which means that its performance and aailability data can be processed by external applications not a part of IBM Tioli Monitoring. Tioli Integrated Portal. The Tioli Integrated Portal proides a single, task-based naigation panel for Web-based Tioli products; it offers a common user interface with which you can launch applications, launch from one application to another, and share information between applications. It proides a rich, Web-based user interface with which you can access results generated by such applications as Tioli Application Dependency Discoery Manager (TADDM), Tioli Business Serice Manager (TBSM), and Netcool/OMNIbus. The Tioli Integrated Portal enables the secure passing of data between Tioli products ia this common portal. With it, you can manage different aspects of your enterprise from a single dashboard iew. Tioli Management Serices. An integrated, layered architecture consisting of data-access, communication, and presentation components that enable cross-platform operation and integration of enterprise-wide data for systems-management applications. The software foundation that supports the deelopment and operations of the Tioli Enterprise Monitoring Serer, the Tioli Enterprise Portal Serer and Tioli Enterprise Portal, and their monitoring agents. Transmission Control Protocol/Internet Protocol. An open, portable communications protocol that is the software basis for the Internet. TSO. Time Sharing Option, the interactie interface into the z/os operating system. U User Datagram Protocol. A TCP/IP communications protocol that exchanges messages ("datagrams") between networked computers linked by the Internet Protocol (IP). UDP is an alternatie to the Transmission Control Protocol (TCP), which, like UDP, uses IP to moe a message from one computer to another. Unlike TCP, howeer, UDP does not diide the message into packets and reassemble them at the other end. The Network File System uses UDP to moe file contents and file updates between the NFS serer and the NFS client. UDP. V See User Datagram Protocol. alue of expression. A function in a situation condition, query specification, or data iew filter or threshold that uses the raw alue of an attribute. A alue can be a number, text string, attribute, or modified attribute. Use this function with any operator. iew. A window pane, or frame, in a workspace. It may contain data from an agent in a chart or table, or it may contain a terminal session or browser, for example. A iew can be split into two separate, autonomous iews. W Warehouse Proxy agent. One of the IBM Tioli Monitoring base agents, the Warehouse Proxy agent passes historical monitoring data from either a monitoring agent or the Tioli Enterprise Monitoring Serer to the Tioli Data Warehouse. This multithreaded serer process can handle concurrent requests from multiple data sources to roll off data from their short-term history files to the data warehouse. WAV file. Waeform audio format for storing sound in files, deeloped jointly by Microsoft and IBM. wildcard. An asterisk (*) used to represent any characters that may follow or precede those entered, such as Sys* to find System and SysTray. Used in formulas with the VALUE function or MISSING function (in the Missing Task List). Used also with the SCAN function, but at the beginning of the text as in *Z to find markz and typez. Windows Management Instrumentation. Microsoft's Windows Management Instrumentation API proides a toolkit for managing deices and applications in a network of Windows-based computers. WMI proides both the data about the status of local or remote computer systems and the tools for controlling the data. WMI is included with the Windows XP and Windows Serer 2003 operating systems. 180 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

193 WMI. See Windows Management Instrumentation on page 180. workload. A percentage that shows how much of its resources a managed system is using. Workload is calculated using a weighted combination of resource use statistics. workspace. The iewing area of the Tioli Enterprise Portal window, excluding the Naigator. Each workspace comprises one or more iews. Eery Naigator item has its own default workspace and may hae multiple workspaces. workspace administration mode. A global parameter set in the Administer Users editor but which is aailable only for userids with administrator authority. When enabled for a userid, customization of workspaces, links, and terminal-session scripts automatically becomes aailable to all users connected to the same Tioli Enterprise Portal Serer. X XML See Extensible Markup Language on page Z z/os. IBM's operating system for its line of mainframe, zseries computers known for its processing speed and its ability to manage large amounts of memory, direct-access storage, and data. Glossary 181

194 182 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

195 Index A Add Runtime Enironment panel full 34, 37 sharing 34, 37 address translation 54, 73, 94, 95, 114 Adanced Encryption Standard 169 AES See Adanced Encryption Standard agents grouping 48, 70, 90 alert monitor 169 APF-authorizing the load libraries 121 application serer 170 Application Serice Monitors, Netcool/OMNIbus 179 application support adding 7 application support, installing catalog and attribute files 129 seed data 129 SQL files 129 applids, VTAM 38, 74, 97, 115 APSERV command 43, 67, 86, 105 architecture 3 audit collection leel, setting 48, 69, 90 audit collection parameters 48, 69, 89 audit records cache, setting size of 48, 70, 90 audit records, associating 48, 70, 90 AUDIT_MAX_HIST enironment ariable 48, 70, 90 AUDIT_SMF enironment ariable 18 AUDIT_TRACE enironment ariable 18, 48, 69, 90 auditing function 8, 17 configuration ia PARMGEN 30 ia the Configuration Tool 48, 69, 89 tracing leels for 18 automation 13, 46, 67, 87, 106 B Backup maintenance function 62 baroc files 9, 22, 170 Basic Recorder of Objects in C files See baroc files browser client 170 BufEtMaxSize parameter 50, 91 Buffer eents maximum size field 50, 91 buffers, VSAM 47, 68, 88, 108 building runtime libraries 39 C CA-ACF2 KLV@ASM member 145 KLVA2NEV member 145 MUSASS started task 146 setting up security 145 CA-TOP SECRET Facility Matrix Table 146 setting up security 146 SIGN parameter 146 CANCTDCS logmode 38 CANSDSST procedure 41, 66, 84, 103 CANSDSST started task 119 catalog and attribute files 129 chgrp USS command 60, 76 chmod USS command 60, 76 CIM See Common Information Model client/serer architecture 170 CMS_NODEID enironment ariable 110 CNMLINK data set 120, 151, 152 CNMSTYLE member 43, 67, 86, 105 commands APSERV 43, 67, 86, 105 PWD 43, 86, 105 Common Eent Console iew 5 Common Information Model 170 Common Object Request Broker Architecture 170, 177, 178 communication protocols DVIPA 47, 88 dynamic VIPA 68, 108 specifying 51, 91, 111 VIPA type 47, 68, 88, 108 Communication Selection panel 71, 109, 110 communications trace 46, 68, 87, 107 completing the configuration 119 components architecture 3 eent synchronization 5 oeriew 3 configuration completing 119 copying alues 37 decisions 13 high-aailability hub 39 persistent datastore 61 planning 13 security runtime enironment 37 Tioli Enterprise Monitoring Serer 41, 85, 104 Tioli Enterprise Monitoring Serer on z/os 102 Tioli Enterprise Monitoring Serer security 41, 85, 104 ia PARMGEN 7 Configuration Tool panels Add Runtime Enironment 34, 37, 39 Communication Selection 71, 110 Configure Persistent Datastore 61 Configure Products 33 Configure the TEMS 40 Create LU6.2 Logmode 65 Eligible Products for HA Hub TEMS 44 Exclusion Verification for HA Hub TEMS 44 Copyright IBM Corp. 2005,

196 Configuration Tool panels (continued) KCIPCMSS 71, 110 KCIPMCU 64 KCIPPLST 33 KCIPRCM 33 KCIPRIM 32 KCIPRTA1 37 KCIPRTA2 39 KCIPRTE 34 KCIPRTEA 34 KDS62MCU 40 KDS62PLU 65 KDS62PP1 41 KDS62PP2 110 KDS62PP3 45, 51, 71 KDS62PPA 111 KDS62PPB 74 KDS62PPD 52, 72, 112 KDS62PPE 54 KDS62PPF 56 KDS62PPG 55 KDS62PPH 57 KDS62PPI 57 KDSPEIF 49 KDSPHUBH 44 KDSPHUBV 44 KDSPNST1 49, 90, 109 KPD62PP0 61 KPD62PP3 61 KSHXHUBS List 56 KSHXHUBS Security Access List 57 KSHXHUBS User Access List 57 KSHXHUBS Values 55 Main Menu 32 Modify and Reiew Datastore Specifications 61 Product Component Selection Menu 64 Product Selection Menu 33 Runtime Enironments (RTEs) 34 SOAP serer KSHXHUBS List 56 SOAP serer KSHXHUBS Security Access List 57 Specify Adanced Configuration Values 45 Specify Communication Protocols hub monitoring serer 51, 71 remote monitoring serer 111 Specify Configuration - Hub Values for Remote TEMS 110 Specify Configuration Values 41 Specify IP.PIPE Communication Protocol 52, 72, 112 Specify IP.PIPE Partition References 54 Specify Nonstandard Parameters 49, 90, 109 Specify SNA Communication Protocol 74 Specify TEMS KSHXHUBS User Access List 57 Specify TEMS KSHXHUBS Values 55 Specify Values for Eent Destination 49 Configuration Tool, z/os 170 Configure Persistent Datastore panel 61 Configure Products panel 33 Configure the TEMS panel 40 CORBA See Common Object Request Broker Architecture Count field 62 Create LU6.2 Logmode panel 65 CTDDSN node ID 121 D DASD See storage Data Encryption Standard 171 data files, application support 129 data sets CNMLINK 120, 151 VTAMLST 121 data store See persistent datastore database serer 170 ddname KBDXTRA 172 DDNAMEs 10 decisions Eent Integration Facility (EIF) 22 high-aailability hub 13 placement of monitoring serers 13 deployment decisions 13 planning 13 DES See Data Encryption Standard desktop client 171 deeloperworks website 163 diagnostic SYSOUT class 36 Disable Workflow Policy/Emitter Agent eent forwarding field 50, 91 disk space See storage DLL See Dynamic Link Library documentation See publications domain name resolution 119 DSIPARM initialization member 43, 67, 86, 105 DVIPA 13, 47, 88 Dynamic Link Library 171 dynamic VIPA See DVIPA E EIB See Enterprise Information Base EIF See also Eent Integration Facility See Eent Integration Facility (EIF) Eligible Products for HA Hub TEMS panel 44 emitter actiities 23, 50, 91 Enable Tioli Eent Integration Facility (EIF) field 45, 87 encryption 42, 66, 85, 104 encryption key batch mode parameter 43, 86, 105 changing 43, 86, 105 disabling 43, 86, IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

197 encryption key (continued) parameter 148 resetting 43, 86, 105, 147 setting 42, 66, 85, 104 enhancements 7 Enterprise icon Managed System Lists workspace 17 Enterprise Information Base 172 enterprise situation 172 enironment ariables See also parameters CMS_NODEID 110 KDC_DEBUG 46, 68, 87, 107 KDC_PARTITIONFILE 54, 95 KDE_TRANSPORT 53, 94 KDEB_INTERFACELIST 52, 73, 93, 113 KGLHC_PPI_RECEIVER 43, 67, 86, 105 KGLHC_PPI_SENDER 44, 67, 87, 106 KMS_DISABLE_TEC_EMITTER 50, 91 KMS_OMTEC_INTEGRATION 45, 87 LANG 47, 69, 89, 108 MINIMUM 47, 68, 89, 108 Ephemeral Pipe Support (EPS) 54, 73, 94, 95, 114 Est Cyl Space field 62 Eent Forwarder 22 Eent Integration Facility 172, 175 Eent Integration Facility (EIF) configuring 49 decisions 22 enabling 45, 87 KMSOMTEC member 49 new feature 9 requirements 22 rule base 22 Eent serer location field 50, 91 Eent serer port field 50, 91 Eent serer type field 50, 91 eent synchronization component 5 EentListenerType parameter 50, 91 eents determined by situation name 23 duplicate, preenting 23, 50, 91 forwarding 9, 22, 45, 49, 87 integration 9, 22, 45, 49, 87 seerity 23 situation names 23 synchronization 9, 22, 45, 49, 87 Exclusion Verification for HA Hub TEMS panel 44 Export maintenance function 62 extended storage 9 Extensible Markup Language 172 Extract maintenance function 63 F Facility Matrix Table 146 failoer, agent 9 features, new 7 FIPS firewalls address translation 54, 73, 94, 95, 114 firewalls (continued) Ephemeral Pipe Support (EPS) 54, 73, 94, 95, 114 partition address 54, 55, 74, 95, 115 partition name 54, 73, 94, 114 with IP.PIPE protocol 54, 73, 94, 95, 114 folding passwords to uppercase 38 full runtime enironments 34, 37 G GENHIST 62 georeferenced map 172 global location broker applid 111 Global Security Toolkit See GSKit Group name field 62 GSKit 172 H HA hub See high-aailability hub high-aailability hub 8 automation 13 configuration steps 39 designating 41 eligible monitoring agents 44 exclusion erification of monitoring agents 44 monitoring agents, eligible 44 monitoring agents, exclusion erification 44 requirements 14 high-leel qualifiers non-vsam libraries 35 persistent datastore 49, 70, 90, 109 VSAM libraries 35 host name hub 52, 72, 111 remote 93, 113 runtime enironment 38 TCP/IP 52, 72, 93, 111, 113 hot-standby monitoring serer 173 HTTP 173 HTTP serer port number 53, 94 HTTPS 172, 173, 178 hub monitoring serer configuring with monitoring agents 79 decisions 13 defined 4 designating 41, 84, 103 high-aailability 8, 13, 27, 39 location 13 requirements 53, 94 selection for remote monitoring serer connection 71, 110 SOAP serer 53, 94 type 41 alues for remote monitoring serer connection 110 Hub TEMS name field 110 Hub TEMS type field 41 Hypertext Transport Protocol See HTTP Index 185

198 I IBM Support Assistant 165 IBM Tioli Management Serices on z/os See Tioli Management Serices ICAT 170 ICSF See also Integrated Cryptographic Serice Facility See Integrated Cryptographic Serice Facility (ICSF) ICSF load library field 42, 66, 85, 104 IIOP See Internet Inter-ORB Protocol install.sh script 135 installing application support catalog and attribute files 129 seed data 129 SQL files 129 integral Web serer 173 Integrated Cryptographic Serice Facility 172 Integrated Cryptographic Serice Facility (ICSF) 104 encryption key 42, 66, 85, 104 load library 42, 66, 85, 104 resetting encryption key 147 specifying 42, 66, 85, 104 Integrated Serice Management Library 163 Integrated Serice Management Library website 128 integration, eent 9, 22, 45, 49, 87 interfaces, network 11, 52, 73, 93, 113 Internet Inter-ORB Protocol 173 Internet Serice Monitors, Netcool/OMNIbus 179 Interoperable Object Reference 173 IOR See Interoperable Object Reference IP address 38, 52, 54, 55, 72, 74, 93, 95, 111, 113, 115 IP.PIPE protocol address translation 54, 73, 94, 95, 114 Ephemeral Pipe Support (EPS) 54, 73, 94, 95, 114 specifying 52, 72, 92, 112 with firewalls 54, 73, 94, 95, 114 ISA 165 ITM_DOMAIN enironment ariable 48, 70, 90 ITMSUPER Tools 128 J jar utility command failure with 17 dearchie failure with 17 use with self-describing agents 17 Jaa Database Connectiity 173 Jaa Management Extensions API 173 Jaa Runtime Entironment 8, 17 Jaa USS directory 17 JCL suffix 36 JDBC See Jaa Database Connectiity JMX See Jaa Management Extensions API jobs KDSDVSRF 10 jobs (continued) KDSDVSRN 10 sample VSAM refresh 10 K KCIPCMSS panel 71, 110 KCIPMCU panel 64 KCIPPLST panel 33 KCIPRCM panel 33 KCIPRIM panel 32 KCIPRTA1 panel 37 KCIPRTA2 panel 39 KCIPRTE panel 34 KCIPRTEA panel 34 KDC_DEBUG enironment ariable 46, 68, 87, 107 KDC_FAMILIES enironment ariable See KDE_TRANSPORT enironment ariable KDC_PARTITIONFILE enironment ariable 54, 95 KDCPART member 54, 95 KDE_TRANSPORT enironment ariable port numbers 53, 94 well-known port 53, 94 KDEB_INTERFACELIST enironment ariable 52, 73, 93, 113 KDS_CMS_SEC_ENC_KEY parameter 148 KDS62MCU panel 40 KDS62PLU panel 65 KDS62PP1 panel 41 KDS62PP2 panel 110 KDS62PP3 panel 51, 71 KDS62PP3 penal 45 KDS62PPA panel 111 KDS62PPB panel 74 KDS62PPD panel 52, 72, 112 KDS62PPE panel 54 KDS62PPF panel 56 KDS62PPG panel 55 KDS62PPH panel 57 KDS62PPI panel 57 KDSDVSRF job 10 KDSDVSRN job 10 KDSMA001 message ID 46, 67, 87, 107 KDSMTAB1 logmode table 38 KDSPEIF panel 49 KDSPHUBH panel 44 KDSPHUBV panel 44 KDSPNST1 49, 90, 109 KDSSYSIN member 145, 146 key, encryption See also encryption key changing 105 disabling 105 resetting 105 KFWITM217E 137, 138 KGLHC_PPI_RECEIVER enironment ariable 43, 67, 86, 105 KGLHC_PPI_SENDER enironment ariable 44, 67, 87, 106 KLV@ASM member 145 KLVA2NEV member IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

199 KLXINTCP member 46, 68, 88, 107 KMS_DISABLE_TEC_EMITTER enironment ariable 50, 91 KMS_OMTEC_INTEGRATION enironment ariable 45, 87 KMSOMTEC member 50, 91 KO4SRV032 message ID 46, 67, 87, 107 KPD62PP0 panel 61 KPD62PP3 panel 61 KPDPROC* procedures 120 krarloff utility 172 KSHXHUBS List panel 56 KSHXHUBS member 53, 94 KSHXHUBS Security Access List panel 57 KSHXHUBS Values panel 55 L LANG enironment ariable 47, 69, 89, 108 Language locale field 47, 69, 89, 108 LDAP See Lightweight Directory Access Protocol LIBPATH enironment ariable 17 libraries IBM Tioli Monitoring 159 ICSF 42, 66, 85, 104 macro 65, 84, 103 non-vsam 10 OMEGAMON XE shared publications 161 runtime building 39 loading 63, 77, 98, 116 VSAM 10 VTAMLIB 65, 84, 103 Lightweight Directory Access Protocol 173, 175 listening port numbers See port numbers load libraries APF-authorizing 121 ICSF 42, 66, 85, 104 VTAMLIB 65, 84, 103 load optimization 36 location brokers global 55, 96, 111, 122 local 122 logging communications trace data 46, 68, 87, 107 storage detail 46, 68, 88, 107 logmode table 38, 65, 84, 103 logmodes creating 65, 102 LU Lowle field 62 LU6.2 logmodes 38, 65, 84, 102, 103 M Main Menu panel 32 maintenance options, persistent datastore 61 maintenance procedure prefix 49, 70, 90, 109 managed Jaa beans See MBeans master facility accessor identifier 146 maximum storage request size 47, 69, 89, 108 MBeans 173, 174 members, user-modified 36 menu, main 32 messages, startup 46, 67, 87, 106 Mgmtclas field 35, 49, 70, 90, 109 Microsoft Management Console 174 mid-leel qualifiers 36 migration See upgrade MINIMUM enironment ariable 47, 68, 89, 108 minimum extended storage 9, 47, 68, 89, 108 missing data 137, 138 mixed-case passwords 38 mkdir USS command access permissions set by 60, 76 MMC See Microsoft Management Console Modify and Reiew Datastore Specifications panel 61 monitoring agents base 6 completing the configuration 119 defined 6 eligible for high-aailability hub 44 exclusion erification for high-aailability hub 44 failoer 9 OMEGAMON 6 registering 8 monitoring serer See also Tioli Enterprise Monitoring Serer PARMGEN configuration 7 MUSASS started task 146 MVS MODIFY command 146 N NAT See Network Address Translation national languages See languages naigation 1, 25, 117 Netcool/OMNIbus 9, 22, 179 MTTRAPD trap receier for 179 NETID parameter 38, 74, 97, 111, 115 NetView APSERV command 43, 67, 86, 105 CNMLINK data set 120, 151 CNMSTYLE member 43, 67, 86, 105, 152 DSIPARM initialization member 43, 67, 86, 105 enabling command authorization 122 PPI alues receier 43, 67, 86, 105 sender 44, 67, 87, 106 specifying 43, 66, 86, 105 Take Action command authorization 43, 67, 86, 105 configuring 149 Network Access Method (NAM) NAM SET statements 147 Index 187

200 Network Access Method (NAM) (continued) passwords 147 setting up security 146 user IDs 147 Network address (Hostname) 52, 72, 93, 111, 113 Network Address Translation 175 Network File System 175 network ID 38, 74, 97, 111, 115 network interface list 11, 52, 73, 93, 113 new features 7 NFS See Network File System node ID 139, 141 O ODBC See Open Database Connectiity OMEGAMON Tioli Eent Adapter 175 OMNIbus See Netcool/OMNIbus Open Database Connectiity 176 optimization, loading runtime libraries 36 OTEA See also Eent Forwarder See OMEGAMON Tioli Eent Adapter P panels, Configuration Tool See Configuration Tool panels parameters See also enironment ariables BufEtMaxSize 50, 91 encryption key 43, 86, 105 EentListenerType 50, 91 KDS_CMS_SEC_ENC_KEY 43, 86, 105, 148 KMS_OMTEC_INTEGRATION 45, 87 maintenance procedure prefix 49, 70, 90, 109 persistent datastore 48, 70, 90, 109 SererLocation 50, 91 SererPort 50, 91 TOLERATERECYCLE 46, 68, 88, 107 PARMGEN configuration 7 partition address 54, 55, 74, 95, 115 partition name 54, 73, 94, 114 passwords encryption 42, 66, 85, 104, 147 mixed-case 38 NAM SET statements 147 uppercase 38 PATH enironment ariable 17 PDS See also persistent datastore See Persistent Datastore PDSE field 35 PerfMon See Performance Monitor, Windows Performance Monitor, Windows 176 persistent data store copying data sets 63 persistent data store (continued) creating runtime members 63 maintenance functions 62 proiding access to data sets 63 persistent datastore allocating space 61 configuring 61 DASD unit 49, 70, 90, 109 DASD olume 49, 70, 90, 109 file prefix 49, 70, 90, 109 maintenance 9 maintenance options 61 maintenance procedure prefix 49, 70, 90, 109 management class 49, 70, 90, 109 parameters 48, 70, 90, 109 specifying file placement 61 storage class 49, 70, 90, 109 Persistent Datastore 172, 176 planning 13 policies, workflow 23, 50, 91 port numbers default 53, 94 high-aailability hub 39 HTTP serer 53, 94 hub 53, 73, 94, 111, 114 portal client See Tioli Enterprise Portal client portal serer See Tioli Enterprise Portal Serer prefix applid 38, 74, 97, 115 maintenance procedure 49, 70, 90, 109 persistent datastore files 49, 70, 90, 109 started task procedures 36 prerequisites application support 129 encryption 42, 66, 85, 104 ICSF 42, 66, 85, 104 priate situation 176 Product Component Selection Menu panel 64 Product Selection Menu panel 33 program-to-program (PPI) information receier 43, 67, 86, 105 sender 44, 67, 87, 106 specifying 43, 66, 86, 105 protocols See communication protocols publications deeloperworks website 163 Integrated Serice Management Library 163 OMEGAMON XE 161 Redbooks 163 related 162 shared 161 Technotes 163 Tioli Management Serices on z/os 161 types 159 wikis 163 PWD command 43, 86, IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

201 Q qualifiers, high-leel See high-leel qualifiers R RACF MIXEDCASE option 38 OPERCMDS facility class 154, 155 passwords 38 setting up security 145, 154 userid mapping file for 155 RAS1 trace data 46, 68, 87, 107 reconnecting after TCP/IP recycle 46, 68, 88, 107 recycle, TCP/IP 46, 68, 88, 107 Redbooks 163 registering monitoring agents 8, 129 remote monitoring serer Communication Selection panel 71, 110 configuring in interactie mode 99 decisions 13, 14 defined 4 designating 41, 66, 84, 103 hub selection 71, 110 hub TEMS name 110 hub alues panel 110 location 13, 14 reporting to distributed hub 99 specifying hub 110 Remote Procedure Call 177 Remote RTE for Transport field 36 requirements See also prerequisites application support 129 encryption 42, 66, 85, 104 Eent Integration Facility (EIF) 22 high-aailability hub 14 ICSF 42, 66, 85, 104 Web Serices SOAP serer 53, 94 RESERVE parameter 145, 146 RGENHIS 62 RKANDATV data set 137, 138 RKANMOD load library 121 RKANMODL load library 121 RKANMODL statement 120, 151 RKANMODU load library 121 RKANSAMU data set 120 RPC See Remote Procedure Call RTE See runtime enironments rule base 22 runtime enironments building libraries 39 completing the configuration 119 copying configuration alues 37 full 34, 37 load optimization 36 optimization 36 security 37 runtime enironments (continued) sharing 34, 37 transporting 36 Runtime Enironments (RTEs) panel 34 runtime libraries building 39 loading 63, 77, 98, 116 runtime members analyzing 36 creating 61 S sample procedures 120 scenarios high-aailability hub 27 hub with monitoring agents 79 remote monitoring serer with distributed hub 99 Secure Hypertext Transport Protocol See HTTPS secure pipe See SPIPE Secure Sockets Layer API 172, 173, 177, 178 security CA-ACF2 145 CA-TOP SECRET 146 changing 147 enabling 143 NAM 146 RACF 145 requirements 143 runtime enironment 37 setting up 143 SOAP serer 56, 96 supported packages 143 Tioli Enterprise Monitoring Serer 41, 85, 104 security-enhanced Linux See SELinux seeding 129 seeding the monitoring serer 7 self-describing agents 7, 15, 129 configuration ia PARMGEN 29 ia the Configuration Tool 58, 74 SELinux 177 SererLocation parameter 50, 91 SererPort parameter 50, 91 shared publications 161 short-term historical data See persistent datastore SIGN parameter 146 Simple Network Management Protocol 170, 173, 176, 177 Simple Object Access Protocol 177 Simple Object Access Protocol (SOAP) See SOAP serer single sign-on 178 SISTMAC library 65, 84, 103 Situation Eent Console 5 situation eents See eents Index 189

202 Situation Update Forwarder 176, 178 SMF type-112 records 18 SMP/E See System Modification Program/Extended SMS considerations 35 SNA communication protocol applid prefix 74, 97, 115 global location broker applid 111 network ID 74, 97, 111, 115 selection 51, 52, 92, 112 alues 74 SNMP See Simple Network Management Protocol SOAP See Simple Object Access Protocol SOAP serer enabling 45, 67, 87, 106 KSHXHUBS List panel 56 KSHXHUBS member 53, 94 KSHXHUBS Security Access List panel 57 KSHXHUBS User Access List panel 57 remote monitoring serers 8 security 56, 96 user access 56, 96 user access list 56, 96 Software Support 165 Specify Adanced Configuration Values panel 45 Specify Communication Protocols panel hub monitoring serer 51, 71 remote monitoring serer 111 Specify Configuration - Hub Values for Remote TEMS panel 110 Specify Configuration Values panel 41 Specify IP.PIPE Communication Protocol panel 52, 72, 112 Specify IP.PIPE Partition References panel 54 Specify Nonstandard Parameters panel 49, 90, 109 Specify SNA Communication Protocol panel 74 Specify TEMS KSHXHUBS User Access List panel 57 Specify TEMS KSHXHUBS Values panel 55 Specify Values for Eent Destination panel 49 SPIPE 172, 178 SQL See Structured Query Language SQL files 129 SSL See Secure Sockets Layer API SSM See System Serice Monitors, Netcool/OMNIbus SSO See single sign-on started tasks adding NetView CNMLINK data set 120, 151 CANSDSST 41, 66, 84, 103 DDNAMEs 10 monitoring serer 41, 66, 84, 103 MUSASS 146 prefix 36 RKANMODL statement 120, 151 sample procedures 120 TCP/IP 11 started tasks (continued) TCP/IP serer 38, 52, 73, 93, 113 Tioli Enterprise Monitoring Serer 119 startup messages 46, 67, 87, 106 STC prefix 36 STC record 146 storage logging, detail 46, 68, 88, 107 maximum request size 47, 69, 89, 108 minimum 47, 68, 89, 108 minimum extended 9 persistent datastore files 49, 70, 90, 109 irtual 9 Storclas field 35, 49, 70, 90, 109 Structured Query Language 178 SUF See Situation Update Forwarder suffix, JCL 36 Summarization and Pruning agent 5 support assistant 165 synchronization, eent 9, 22, 45, 49, 87 SYSOUT class diagnostic 36 non-diagnostic 36 SYSTCPD DDNAME support 119 System Modification Program/Extended 170, 179 System Serice Monitors, Netcool/OMNIbus 179 system ariables enabling 37 incompatible with high-aailability hub 14 T tacmd createsystemlist command 174 tacmd deletesystemlist command 174 tacmd editsystemlist command 174 Take Action command authorization NetView 43, 67, 86, 105, 154 configuring 149 enabling 152 RACF 154 TCP/IP See also Transmission Control Protocol/Internet Protocol communication alues 38 host name 38, 52, 72, 93, 111, 113 interface list 52, 73, 93, 113 IP address 38 network interfaces 52, 73, 93, 113 recycle 46, 68, 88, 107 serer started task 38, 52, 73, 93, 113 started task name 11 TDW See Tioli Data Warehouse TEC See Tioli Enterprise Console Technotes 163 telnet 179 TEMS name for application support 139, 141 hub, specified for remote configuration IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

203 TEMS name (continued) specifying 37 TEMS_JAVA_BINPATH enironment ariable 17 TEPS/e 5, 179 Tioli Application Dependency Discoery Manager 18, 104 Tioli Business Serice Manager 17 Tioli Common Reporting 8, 17 Tioli Data Warehouse 5, 8, 17, 171, 179 Tioli Enterprise Console 9, 22, 170, 172, 175, 178 eent synchronization 5 integration 5 Tioli Enterprise Console eent iew 5 Tioli Enterprise Console integration 5 Tioli Enterprise Monitoring Agents See monitoring agents Tioli Enterprise Monitoring Serer adding application support 7 adding NetView CNMLINK 120, 151 changing security system 147 completing the configuration 119 configuring on z/os 102 defined 4 high-aailability 41 eligible monitoring agents 44 exclusion erification of monitoring agents 44 high-aailability hub 13, 27, 39 hub configuring with monitoring agents 79 defined 4 high-aailability 8, 13, 27, 39 location 13 node ID 139, 141 placement of hub 13 placement of remote 13, 14 remote configuring in interactie mode 99 configuring on z/os 102 defined 4 location 13, 14 reporting to distributed hub 99 requirements 53, 94 runtime members 61 security CA-ACF2 145 CA-TOP SECRET 146 changing 147 NAM 146 RACF 145 requirements 143 settings 41, 85, 104 setup 143 supported packages 143 seeding 7 SOAP serer 53, 94 started task 146 supported security packages 143 TEMS name 139, 141 type 41, 66, 84, 103 Tioli Enterprise Portal 179 client, defined 4 Tioli Enterprise Portal client Enterprise icon 17 Tioli Enterprise Portal Serer 4 Tioli Enterprise Portal Serer extended serices See TEPS/e Tioli Eent Integration Facility See Eent Integration Facility (EIF) Tioli Integrated Portal 180 Tioli Management Serices architecture 3 components 3 defined 3 distributed components 3 TKANMOD load library 121 TKANMODL load library 121 TLS See Transport Layer Security API TMS:Engine, defined 5 TOLERATERECYCLE keyword 46, 68, 88, 107 trace leel, setting 48, 69, 90 trace, communications 46, 68, 87, 107 Transmission Control Protocol/Internet Protocol 180 Transport Layer Security API 173 U UDP See User Datagram Protocol Unit field 35, 49, 70, 90, 109 UNIX System Serices, z/os 8, 17 Update Runtime Enironment panel 147 uppercase passwords 38 user access list 57 User Datagram Protocol 180 user IDs for SOAP serer access 56, 96 user-modified members 36 USS CLIST library 59, 75 USS directories permissions for 60, 76 V ariables, enironment See enironment ariables ariables, system See system ariables VIPA dynamic 47, 68, 88, 108 static 47, 68, 88, 108 type 47, 68, 88, 108 Virtual IP Addressing See VIPA Volser field 35 Volume field 49, 70, 90, 109 VSAM buffers 47, 68, 88, 108 VSAM libraries high-leel qualifiers 35 new 10 sample refresh jobs 10 VTAM applids 38, 74, 97, 115 Index 191

204 VTAM (continued) communication alues 38 definitions, copying to VTAMLST 121 load library 65, 84, 103 logmode table 38, 65, 84, 103 LU6.2 logmodes 65, 84, 103 macro library 65, 84, 103 major node, arying actie 121 network ID 38, 74, 97, 111, 115 VTAMLIB load library 65, 84, 103 VTAMLST data set 121 VTAMLST startup member 38, 74, 97, 111, 115 W Warehouse Proxy agent 5 WAV file 180 Web Serices 53, 94 Web Serices support remote monitoring serers 8 well-known port 39 wikis 163 wildcard 180 Windows Dynamic Link Library See Dynamic Link Library Windows Management Instrumentation API 180 Windows Performance Monitor See Performance Monitor, Windows WMI See Windows Management Instrumentation API workflow policies 23, 50, 91 X XML See Extensible Markup Language 192 IBM Tioli Management Serices on z/os: Configuring the Tioli Enterprise Monitoring Serer on z/os

205

206 Printed in USA SC