This section contains information that you should review before you install or update the Guardium for Mainframes Z-TAP component.
Verify that you have the following items:
Current version of the Z-TAP component. The z/OS components are distributed electronically.
Guardium license key. The Guardium license key enables a specific set of features and options. Each key is generated for a single Guardium system, which may be a standalone unit or a Central Manager, and it will not work on any other system. Guardium license keys are distributed as .txt files, either on removable media or as an e-mail attachment.
Z-TAP license key. This key is separate from the Guardium license key: the Guardium license key is installed on the Z2000 appliance, whereas the Z-TAP license key must be installed on the host z/OS system where the Z-TAP component runs.
If any of these items are missing, please contact Guardium Technical Support.
Depending on the size and distribution of your system, several people might contribute to the Z-TAP installation and configuration process. Use the information in the table below to help plan the installation process. If more than one person will participate in the installation, consider meeting with all participants in advance to communicate the product requirements.
In addition, the Z-TAP started task must be granted appropriate security authorizations before the product can be run successfully. For more information about security requirements, see the Security Requirements section of this guide.
Roles and Tasks for Installation Process

Role | Tasks Performed | Specific Skills or Knowledge Required
System Programmer | APF-authorize the Z-TAP load library and perform the initial product configuration. |
Security Administrator | Provide appropriate authorities and privileges in the security software for Z-TAP. | Knowledge of RACF or equivalent security system.
Network Administrator | Authorize TCP/IP connections, as required. Provide the TCPIP.DATA data set name and the TCP/IP port numbers to the system programmer for use during initial product configuration. |
DB2 System Administrator or DBA | Provide appropriate authority for the Z-TAP started task to access the DB2 catalog on z/OS. | Knowledge of DB2 security requirements.
Guardium for Mainframes administrator | Perform license administration on the Z2000 appliance and create the initial Guardium user profiles. | Knowledge of Guardium administration.
Before unloading and installing Z-TAP, verify that you have the following software installed on your z/OS system:
Required Software
IBM z/OS version 1.6 or later (64-bit mode required)
DB2 for z/OS version 7 or 8
IBM TCP/IP version 3.1 or later
For Z-TAP to run successfully, you must provide the product with adequate access to operating system and database resources. By using a security administration product (such as RACF), you can establish application profiles for Z-TAP started tasks.
Verify or change the following DB2 settings:
Authorize the Z-TAP started task to access the DB2 Catalog of any DB2 instance being audited.
Verify or change the following RACF settings:
Use RACF to protect the Z-TAP rules data sets so that they cannot be modified by anything other than the Z-TAP started task. The rules data sets are identified by the customizable parameter "Local Rules Dataset Name". Give the started task user ID UPDATE access, give no other user or group more than READ, and audit update attempts so that any change to the audit rules is logged.
The Z-TAP started task uses TCP/IP to communicate with the Guardium Z2000 appliance. The z/OS user ID associated with the Z-TAP started task must therefore have an OMVS segment in RACF; without it the task cannot open sockets. The user ID should be a protected (NOPASSWORD) user ID, and the started task should be mapped to it through the RACF STARTED class without the TRUSTED or PRIVILEGED attributes, so that its accesses remain subject to normal RACF checking.
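The following batch job shows one way for the security administrator to satisfy the RACF requirements above in a single step: a protected user ID with an OMVS segment, a STARTED class mapping for the procedure, a rules data set profile that only the started task can update, and (anticipating the APF requirement in the next section) a load library profile that only the system programmers can update. It is an added example written for this page, not JCL shipped with Z-TAP. Every name in it is an assumption: ZTAPSTC and ZTAPGRP for the user ID and group, ZTAP for the procedure name, GUARD for the value of ?guardiumhlq, GUARD.RULES.* for the Local Rules Dataset Name pattern, SYSPROG for the system programmer group, and 4711 for an unused OMVS UID. It also assumes the STARTED class is active and RACLISTed and that GUARD is already defined to RACF as a user or group (a DATASET profile cannot be added otherwise).

```jcl
//RACFZTAP JOB (ACCT),'Z-TAP RACF SETUP',CLASS=A,MSGCLASS=X
//*
//* Added example, not part of the Z-TAP distribution. Assumed names:
//*   ZTAPSTC        user ID assigned to the Z-TAP started task
//*   ZTAPGRP        default group of that user ID
//*   ZTAP           member name of the Z-TAP started task procedure
//*   GUARD          value of ?guardiumhlq at this site (must already
//*                  exist in RACF as a user or group)
//*   GUARD.RULES.*  pattern covering the Local Rules Dataset Name
//*   SYSPROG        group that maintains the APF-authorized LOAD library
//*   4711           an OMVS UID not yet in use at this site
//* Assumes SETROPTS CLASSACT(STARTED) RACLIST(STARTED) is in effect.
//*
//* Step: run the RACF commands under the TSO terminal monitor program.
//*  - ADDUSER ... NOPASSWORD OMVS(...)  protected user ID; the OMVS
//*    segment is what lets the task open TCP/IP sockets to the Z2000.
//*  - RDEFINE STARTED ZTAP.*            maps the procedure to that user
//*    ID; TRUSTED(NO) PRIVILEGED(NO) keeps normal RACF checking on.
//*  - ADDSD 'GUARD.RULES.*' UACC(NONE)  only ZTAPSTC may UPDATE the
//*    rules data sets; successful updates and failed reads are logged.
//*  - ADDSD 'GUARD.LOAD' UACC(READ)     anyone may load from it, only
//*    SYSPROG may change it; every update is logged (APF library).
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDGROUP ZTAPGRP SUPGROUP(SYS1) OWNER(SYS1) DATA('Z-TAP STC GROUP')
 ADDUSER  ZTAPSTC NAME('Z-TAP STARTED TASK') OWNER(ZTAPGRP) +
          DFLTGRP(ZTAPGRP) NOPASSWORD +
          OMVS(UID(4711) HOME('/tmp') PROGRAM('/bin/sh'))
 RDEFINE  STARTED ZTAP.* STDATA(USER(ZTAPSTC) GROUP(ZTAPGRP) +
          TRUSTED(NO) PRIVILEGED(NO))
 SETROPTS RACLIST(STARTED) REFRESH
 ADDSD    'GUARD.RULES.*' GENERIC UACC(NONE) OWNER(ZTAPGRP) +
          AUDIT(SUCCESS(UPDATE) FAILURES(READ))
 PERMIT   'GUARD.RULES.*' GENERIC ID(ZTAPSTC) ACCESS(UPDATE)
 ADDSD    'GUARD.LOAD' UACC(READ) OWNER(SYSPROG) +
          AUDIT(SUCCESS(UPDATE) FAILURES(READ))
 PERMIT   'GUARD.LOAD' ID(SYSPROG) ACCESS(UPDATE)
 SETROPTS GENERIC(DATASET) REFRESH
/*
```

After the job runs, check SYSTSPRT for a zero return code on every command, then confirm the result with LISTDSD DATASET('GUARD.RULES.*') GENERIC AUTHUSER and RLIST STARTED ZTAP.* STDATA before the first start of the task.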
The library that contains the Z-TAP load modules (?guardiumhlq.LOAD) must have Authorized Program Facility (APF) authorization.
Z-TAP uses data spaces, cross-memory services, and other functions that require APF authorization. These are common and necessary requirements of system-level software. APF authorization also makes the library a sensitive resource: any program loaded from it can run authorized (supervisor state, key 0), so a user who can write to ?guardiumhlq.LOAD can run arbitrary code with full system privileges. Protect the library with RACF so that only the system programmers who maintain it have UPDATE access, and audit updates to it.
To APF-authorize the load library, your system programmer issues a SETPROG operator command similar to one of the following examples.
If the load library data set is managed by the IBM Storage Management Subsystem (SMS):
SETPROG APF,ADD,DSNAME=?guardiumhlq.LOAD,SMS
If the load library is not managed by SMS:
SETPROG APF,ADD,DSNAME=?guardiumhlq.LOAD,VOLUME=volume
SETPROG changes the APF list dynamically and does not survive an IPL. To make the authorization permanent, the system programmer also adds an equivalent APF ADD entry for the library to the PROGxx member of SYS1.PARMLIB. Note that authorization applies to a STEPLIB or JOBLIB concatenation as a whole: if any library in the concatenation used by the Z-TAP started task is not APF-authorized, the task runs unauthorized, so do not concatenate unauthorized libraries with ?guardiumhlq.LOAD in the started task procedure.
Z-TAP runs faster and more reliably if the following configuration setting is made:
Set the Z-TAP started task dispatching priority equal to or higher than that of the DB2 instances being audited. On z/OS this is done through Workload Manager (WLM): classify the Z-TAP started task in a service class whose importance is at least that of the DB2 address spaces, so that the audit collector is not starved of CPU while the database it audits is busy.
Z-TAP supports the following local attach facilities for DB2 on z/OS:
Call Attach (CAF)
Resource Recovery Services (RRSAF)
CICS
TSO
IMS
Z-TAP supports the following facilities for distributed connections:
DRDA
Guardium for Mainframes is an enterprise product that comprises components that run on the z/OS source DBMS platform (Z-TAP) and components that run on a network based appliance (Z2000). Administrator and user tasks are done using the Guardium interface, which runs in your web browser. For Z-TAP to communicate with the Z2000 appliance, you must have TCP/IP network connections between the LPAR where auditing is performed and the appliance.
Before installing Z-TAP, you will need to know the IP port numbers that will be used by the product. Your network administrator may need to establish these for you.
Guardium for Mainframes is an important part of your database security strategy. To preserve business process continuity, recover Z-TAP at the same time you recover your z/OS hosted databases, so that auditing resumes as soon as the databases do. To fully recover Z-TAP, include the following resources in your disaster recovery plan:
Resource | Description
?guardiumhlq.ADMIN | This library contains the product keys for all licensed installed NEON products.
?guardiumhlq.CNTL | This library contains the control members for the product, including sample JCL.
?guardiumhlq.DBRMLIB | This library contains the DB2 definitions for Z-TAP.
?guardiumhlq.EXEC | This library contains the REXX executables needed to configure the product.
?guardiumhlq.LOAD | This library contains the executable load modules needed to execute the product.
?guardiumhlq.MESSAGES | This library contains descriptions for product messages.
?guardiumhlq.MLIB | This library contains messages issued by the ISPF interface.
?guardiumhlq.MSG | This library contains the message modules used by the product.
?guardiumhlq.PLIB | This library contains ISPF panels used by the product.
The Z-TAP component uses an administration (ADMIN) library to manage and maintain product keys and the associated product load libraries. You must allocate and catalog this administration library. Use the following steps to allocate the library:
1. Locate the ALLOCATE sample JCL in the ?guardiumhlq.CNTL data set.
2. Edit the JCL to include a valid job card and meet your site requirements.
3. Submit the job to allocate the library. The job allocates a data set with the format shown in the following table.
Allocation Requirements for the ADMIN library

Item | Value
Data set format | Partitioned data set (PDS)
Record format | Fixed block (FB), 80-character logical records
Allocated space | Two tracks and 10 directory blocks
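For reference, the following job allocates a data set with exactly the attributes in the table above. It is an added example written for this page, not the ALLOCATE member shipped in ?guardiumhlq.CNTL, and it assumes that ?guardiumhlq resolves to GUARD and that the library is not SMS-managed (for an SMS-managed allocation drop the UNIT parameter and let the site's ACS routines place the data set). Compare it with the product's ALLOCATE member when editing that member for your site.

```jcl
//ALLOCADM JOB (ACCT),'ALLOC Z-TAP ADMIN',CLASS=A,MSGCLASS=X
//*
//* Added example, not the product's own ALLOCATE JCL.
//* Assumptions: ?guardiumhlq = GUARD; non-SMS-managed DASD, so
//* UNIT=SYSALLDA selects any eligible volume.
//*
//* The DD statement encodes the table above:
//*   DSORG=PO, directory blocks in SPACE  -> partitioned data set
//*   RECFM=FB,LRECL=80                    -> fixed block, 80-byte records
//*   SPACE=(TRK,(2,0,10))                 -> two tracks, ten directory
//*                                           blocks, no secondary extent
//* BLKSIZE=0 lets the system choose an optimal block size.
//* DISP=(NEW,CATLG,DELETE) catalogs the library on success and
//* removes it if the step fails, so a rerun does not hit a duplicate.
//*
//ALLOC    EXEC PGM=IEFBR14
//ADMIN    DD DSN=GUARD.ADMIN,
//            DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSALLDA,
//            SPACE=(TRK,(2,0,10)),
//            DCB=(DSORG=PO,RECFM=FB,LRECL=80,BLKSIZE=0)
```

Because the ADMIN library holds product keys, apply the same RACF protection to it as to the rules data sets: UACC(NONE), UPDATE for the Z-TAP started task and the administrators who install keys, and nothing for anyone else.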