z/os v1.11 z/os management facility v1 - gse young ... - zos...z/os management facility v1.11 –...

© 2009 IBM Corporation

z/OS V1.11 z/OS Management Facility V1.11

[email protected]


IBM System z

2

IBM

CICS* DataPower* DB2* DFSMS DFSMSdss DFSMShsm DFSMSrmm DS6000 DS8000 FlashCopy* GDPS* Geographically Dispersed Parallel Sysplex

The following are trademarks of the International Business Machines Corporation in the United States and/or other countries.

HiperSockets HyperSwap Language Environment IBM* IBM logo* IBM Scalable Financial Reporting IMS MVS MQSeries* NetView* Parallel Sysplex*

ProductPac* RACF* Redbooks* REXX SystemPac* System Storage System z System z10 System z9* SYSREXX Tivoli*

WebSphere* z10 z10 BC z10 Business Class z10 EC z9 z/OS* z/VM* zSeries*

Trademarks

The following are trademarks or registered trademarks of other companies. * Registered trademarks of IBM Corporation

* All other products may be trademarks or registered trademarks of their respective companies. Notes: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply. All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. INFINIBAND, InfiniBand Trade Association and the INFINIBAND design marks are trademarks and/or service marks of the INFINIBAND Trade Association. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.


IBM System z

3

IBM Agenda

  z/OS 1.11 –  zAAPs and zIIPs –  Statements of direction

  z/OS Management Facility V1.11 –  Overview –  Incident Log capability –  Configuration Assistant for the z/OS® Communications Server –  Administration –  Details


IBM System z

4

IBM

z/OS® Version 1 Release 11

z/OS Version 1 Release 11


IBM System z

5

IBM

  Efficient – New user interface helps system programmers to more easily manage and administer a mainframe system

  Trusted - the latest encryption technologies, centralized security certificates, and foundation for unified enterprise-wide identity and access management reduce risk of fraud.

  Smart - a system that learns heuristically from its own environment and is able to anticipate and report on potential issues for predictive analysis

  Responsive - communications that improve network recoverability, availability, and reduce complexity and latency of transactions

  Accountable - enhanced measurement to support comprehensive control, analysis, risk management, audit, and compliance plans

  Synergies - with new IBM System Storage™ DS8000® to make the most of your information asset

Availability September 2009

z/OS® Version 1 Release 11

z/OS Version 1 Release 11


IBM System z

6

IBM

Enabled technologies, in order of introduction:   Java – IBM z/OS JVM Java technology-based applications eligible for zAAP

  Centralized data serving eligible for zIIP - Portions of BI, ERP, and CRM remote connectivity to DB2® V8, as well as portions of long running parallel queries, and select utilities

  Network encryption on zIIP - IPSec network encryption/ decryption (with z/OS V1.8)

  XML parsing – z/OS XML System Services eligible on zAAP or zIIP (w/ z/OS V1.9, V1.8 and V1.7 w/ maint.)

  Remote mirror– zIIP assisted z/OS Global Mirror function (with z/OS V1.9)

  HiperSockets™ Multiple Write operation for outbound large messages (w/z/OS V1.9) eligible for zIIP

  Business Intelligence - IBM Scalable Architecture for Financial Reporting™ provides a high-volume, high performance reporting – can be eligible for zIIP.

  Intra-server communications – z/OS CIM Server processing eligible for zIIP (with z/OS V1.11).

  zAAP on zIIP capability - Optimize the purchase of a new zIIP or maximize your investment in existing zIIPs.

  DB2 sort utility – DB2 utilities sorting fixed-length records using IBM's memory object sorting technique

zAAPs and zIIPs – Designed to help implement, integrate, optimize new technologies


IBM System z

7

IBM

Example with z/OS system data and RMF metrics

CIM Client

CIM Server

CIM XML Processor

CIM HTTP Client

CIM XML Processor

CIM HTTP Server

RMF monitoring providers

z/OS OS management

providers

RMF Distributed data Server (DDS)

native z/OS data

CIM clients send requests to CIM server

CIM server responds with data to CIM client

RMF Monitor III gathers and returns metrics to the DDS

Application

Managed System

 CIM is used within z/OS to communicate information on or to manage resources for system components

–  The CIM client on z/OS is a programming API that enables z/OS applications written in Java for local and remote access to CIM servers.

•  Java classes and Java libraries •  Java-based CIM client applications on z/OS are

already eligible to execute on the zAAP –  Communication is via CIM-XML over HTTP

access protocol.

  IBM, ISV, or custom written applications can access CIM-enabled resources, can monitor or manage z/OS resources

–  z/OS Common Information Model User's Guide •  ibm.com/systems/z/os/zos/bkserv/r9pdf/#cim

CIM on z/OS

Java-based CIM client eligible for zAAP


IBM System z

8

IBM

An example with z/OS system data and RMF metrics

CIM Client

CIM Server

CIM XML Processor

CIM HTTP Client

CIM XML Processor

CIM HTTP Server

RMF monitoring providers

z/OS OS management

providers

RMF Distributed data Server (DDS)

native z/OS data

CIM clients send requests to CIM server

CIM server responds with data to CIM client

RMF Monitor III gathers and returns metrics to the DDS

  z/OS V1.11 is planned to be updated so z/OS CIM server processing is eligible to run on the System (zIIP)

–  Eligible workloads include CIM server and CIM provider

–  Other CIM-related workloads (such as CIM client and CIM-enabled resource systems processing) are not eligible for zIIP

  Makes the development and deployment of z/OS systems management applications more attractive option

  Applications that access CIM-enabled resources and providers can benefit

–  Information providers include RMF™, WLM, DFSMS and BCP

–  Applications include z/OS Capacity Provisioning Manager and parts of z/OS Management Facility

Java-based CIM client eligible for zAAP

CIM server

eligible for zIIP

Application

z/OS CIM server workload eligible for zIIP


IBM System z

9

IBM What is the zAAP on zIIP capability?

  A new capability that can enable System z Application Assist Processor (zAAP) eligible workloads to run on System z Integrated Information Processors (zIIPs). –  For customers with no zAAPs and zIIPs

•  The combined eligible workloads may make the acquisition of a single zIIP cost effective.

–  For customers with only zIIP processors •  Makes Java and z/OS XML System Services -based workloads

eligible to run on existing zIIPs – maximizes zIIP investment.

–  Available September 25, 2009 with z/OS V1.11 and z/OS V1.9 and V1.10 (with PTF) •  This new capability is not available for z/OS LPARS if zAAPs

are installed on the server.


IBM System z

10

IBM Maximize your specialty engine investment

  Can enable you to run zIIP- and zAAP-eligible workloads on the zIIP. –  Optimize the purchase of a new zIIP –  Maximize your investment in existing zIIPs. –  Can help simplify systems management by reducing the

need to plan for and manage multiple types of specialty engines

  Customers who have already invested in zAAP, or have invested in both zAAP and zIIP processors, should continue to use these as this maximizes the new workload potential for the platform. –  This new capability is not available for z/OS LPARS if

zAAPs are installed on the server


IBM System z

11

IBM How to enable the zAAP on zIIP capability

  The capability ships default enabled with z/OS V1.11. –  Parameter in IEASYSxx: ZAAPZIIP = YES (default in z/OS V1.11) –  If you wish to disable the function for any reason, you must IPL with ZAAPZIIP=NO in

the IEASYSxx Parmlib member.

  Also available with z/OS V1.9 and V1.10 –  With PTF for APAR OA27495, and –  Enabled with ZAAPZIIP=YES in the IEASYSxx Parmlib (the default is NO)

  This new capability does not remove the requirement to purchase and maintain one or more general purpose processors for every zIIP processor on the server. –  This part of the IBM terms and conditions surrounding the IBM System z specialty

engines is unchanged.


IBM System z

12

IBM Example 1: zAAP on zIIP**

CPs only, NO zAAPs NO zIIPs

CPs zIIP

** For illustrative purposes only, your results will vary. This new capability is not available for z/OS LPARS if zAAPs are installed on the server

CPs

All workloads on general purpose

processors

Small amount of zIIP

and zAAP eligible work

White space

General purpose workload

White space

  Can enable you to run zIIP- and zAAP-eligible workloads on the zIIP. – Optimize the purchase of a new zIIP

The potential to run these workloads on a zIIP   Java via the IBM SDK (IBM Java Virtual Machine (JVM)),

exploiters include portions of : –  WebSphere Application Server –  IMS™

–  DB2 –  CICS® –  Java batch –  CIM Client applications

  z/OS XML System Services, exploiters include portions of: –  DB2 9 (New Function Mode) –  Enterprise COBOL V4.1 –  Enterprise PL/I V3.8 –  IBM XML Toolkit for z/OS, V1.9 and later –  CICS TS V4.1

 Portions of DB2 V8 for z/OS, DB2 9 for z/OS for: –  Data serving –  Data Warehousing –  Select utilities

 Protions of z/OS Communications Server for: –  Network encryption –  HiperSockets for large messages

  z/OS CIM server  Some ISV workloads – see your ISV

ZAAPZIIP=YES

zAAP eligible zIIP eligible

CPs and zIIP


IBM System z

13

IBM Example 2: zAAP on zIIP**

CPs and zIIPs

CPs zIIPs

** For illustrative purposes only, your results will vary. This new capability is not available for z/OS LPARS if zAAPs are installed on the server

CPs


Some amount zAAP

eligible work

White space


White space

  Can enable you to run zIIP- and zAAP-eligible workloads on the zIIP.

–  Maximize your investment in existing zIIPs.

Potentially ADD the following workloads to your existing zIIPs

  Java via the IBM SDK (IBM Java Virtual Machine (JVM)), exploiters include portions of :

–  WebSphere® Application Server –  IMS™

–  DB2 –  CICS® –  Java batch –  CIM Client applications

  z/OS XML System Services, exploiters include portions of:

–  DB2 9 (New Function Mode) –  Enterprise COBOL V4.1 –  Enterprise PL/I V3.8 –  IBM XML Toolkit for z/OS –  CICS TS V4.1

zIIP

ZAAPZIIP=YES


IBM System z

14

IBM zAAP is still available!

  Customers with zAAPs should continue to invest in zAAPs –  Maximizes the new workload potential for the platform.

  This new capability is not available for z/OS LPARS if zAAPs are installed on the server. –  If there are any zAAPs installed on the server, then the ZAAPZIIP=YES

cannot be honored for any z/OS partition on that server.   At this point IBM does not recommend converting zAAPs to

zIIPs in order to take advantage of the zAAP on zIIP capability –  zAAPs have a 5 year history, some application or middleware may have

zAAP-specific code dependencies •  For example: code may count the number to zAAP engines for multithreading

performance optimization –  Customer planning and testing is recommended before eliminating all

zAAPs as there may be some application code dependencies which may effect performance


IBM System z

15

IBM Plan your zAAP on zIIP workloads accordingly

  Remember: You must purchase and maintain one or more general purpose processors for every zIIP processor on the server.

  Use the zPCR (Processor Capacity Reference for IBM System z) tool –  zPCR is a Windows-based productivity tool, designed to provide capacity

planning insight for IBM System z processors running various workload environments under z/OS, z/VM®, and Linux for System z. Capacity results are based on IBM’s LSPR (Large Systems Performance Reference) data.

  Use PROJECTCPU –  Once the zAAP on zIIP capability is

engaged, PROJECTCPU will just measure zIIP-eligible work.

–  It will not distinguish between what was once zAAP-eligible workload and zIIP-eligible workload. For illustrative purposes only, your results will vary.

ASSUMES no zAAPs on the server. This new capability is not available for z/OS LPARS if zAAPs are installed on the server

---APPL %--- CP 162.08 AAPCP 0.00 IIPCP 129.39

AAP 0.00 IIP 320.93


IBM System z

16

IBM When is zAAP on zIIP capability NOT available?

  z/OS LPARs = This new capability is not available for z/OS LPARS if zAAPs are installed on the server. –  Why? The zAAP on zIIP capability is intended to enable the zAAP eligible work to

run on zIIP when no zAAP is defined. It is not intended to provide an overflow so additional zAAP eligible workload can run on the zIIP.

–  If you have zAAPs on the server and zAAP on zIIP is enabled, then z/OS will not honor zAAP on zIIP and workloads will be dispatched as normal on zAAP and zIIP engines.

  z/OS as a guest of z/VM = This new capability is not available if zAAPs are defined in the virtual machine for z/OS. –  This type of scenario, where z/OS is a guest of z/VM,

may be useful as a test environment.


IBM System z

17

IBM When to use zAAP on zIIP capability

Current condition, if you have…. Then…

No zIIPs or zAAPs Consider zIIPs to support both zAAP and zIIP eligible workloads. As you plan your workloads, please keep the 1:1 zIIP-to-CP ratio in mind.

zAAPs only

Continue to use zAAP for zAAP-eligible workloads. If you have zIIP-eligilble workloads, you may want to consider a zIIP as well. zAAP on zIIP capability is not available for z/OS LPARs when zAAPs are installed on the server. At this time IBM does not recommend converting zAAPs to zIIPs.

Both zAAPs and zIIPs

Continue to use both zAAP and zIIP in support of the applicable workloads. zAAP on zIIP capability is not available for z/OS LPARs when zAAPs are installed on the server. At this time IBM does not recommend converting zAAPs to zIIPs.

zIIPs only Use zIIPs to meet your increasing zIIP eligible workloads and in support of any zAAP eligible workloads that you may have. Get zIIPs if you are not approaching the 1:1 zIIP-to-CP ratio. All zAAP- and zIIP-eligible workloads may execute on zIIP.


IBM System z

18

IBM Statements of Direction*   IBM plans to discontinue delivery of software on 3480, 3480 Compressed (3480C), and 3490E

tape media. (SOD August 2008)   IBM intends to provide the capability to deliver the z/OS Customized Offerings (such as

ServerPac, CBPDO, Customized Offerings Driver, SystemPac®, ProductPac®) and service orders on DVD media. Though IBM recommends using Internet delivery when ordering z/OS products or service, eliminating tape handling, the option to specify DVD physical delivery may provide an option for those who cannot accept Internet delivery.

  Order z/OS over the Internet. Did you know there are now more shipments of z/OS via the Internet than by tape? For more information see the Internet delivery website.

  IF you have IBM 3590 and 3592 Enterprise Tape or IBM System Storage TS1120 Tape drives in-house THEN please order z/OS on 3590 and 3592 tape media.

–  Using high-density media makes it much easier to handle and install z/OS because there are much fewer tapes to manage!

* Statements regarding IBM future direction and intent are subject to change or withdrawal, and represents goals and objectives only.

http://www-03.ibm.com/systems/z/os/zos/serverpac_internet_delivery.html


IBM System z

19

IBM

  August, 2004, IBM announced its intent to withdraw support for VSAM IMBED, REPLICATE, and KEYRANGE attributes in a future release. Based on customer feedback, IBM no longer plans to remove this support from z/OS in the foreseeable future. IBM still recommends that you stop using these attributes and plans to remove IMBED and REPLICATE attributes during logical DFSMSdss restore operations and DFSMShsm recall operations.

  IBM intends to update z/OS with support for the latest Internet Key Exchange protocol, version 2 (IKEv2), as defined by industry standards documented in RFC4306, "Internet Key Exchange (IKEv2) Protocol," and RFC4718, "IKEv2 Clarifications and Implementation Guidelines”

  IBM intends to update the Security Server RACF component of z/OS to support certificates with longer distinguished names. This function is planned to be made available on z/OS V1.10 and z/OS V1.11.

  z/OS V1.11 Communications Server is designed to address FIPS 140-2 requirements for SSL/TLS connections via the Application Transparent Transport Layer Security (AT-TLS) component. The native SSL/TLS support in the TN3270 server and FTP client and server will not be enhanced to address FIPS 140-2 requirements. Customers who need to provide SSL/TLS-secured TN3270 and FTP connections that are designed to be consistent with FIPS 140-2 requirements are advised to use AT-TLS for this purpose.

  In a future release of z/OS, IBM intends to make RFC4301 compliance mandatory. The Configuration Assistant for z/OS Communications Server includes functions to assist with identifying and making network configuration changes.

  IBM plans to remove the Enhanced PSP Tool, host compare program, and the associated extract files from the IBM Technical Support Web site effective December 31, 2010. The Enhanced PSP Tool's function has been replaced by the addition of FIXCAT (fix category) information to Enhanced HOLDDATA and the REPORT MISSINGFIX function introduced in z/OS V1.10 SMP/E (SMP/E for z/OS V3.5 (5655-G44)).


Statements of Direction*


IBM System z

20

IBM Statements of Direction*   The last release of z/OS to support Run-Time Library Services for Language Environment was z/OS

V1.5. In the release following z/OS V1.11, IBM plans to remove the underlying CSVRTLS services from z/OS. A way to track its usage, and to enable you to find any programs that might be using these services, is planned to be made available for z/OS V1.9 and V1.10, and included in V1.11 orders with APAR OA29019 in September 2009.

  The msys for Setup element of z/OS is planned to be removed in the release following z/OS V1.11. IBM intends to continue to deliver improvements to help with z/OS setup and configuration in the future.

  In a future release, IBM plans to withdraw support for z/OS Distributed Computing Environment (DCE) and Distributed Computing Environment Security Server (DCE Security Server). IBM recommends the IBM WebSphere Application Server, the IBM Network Authentication Service, and/or the IBM Directory Server as replacement strategies for each of the DCE technologies. See the DCE Replacement Strategies Redbook for more details: http://www.redbooks.ibm.com/redbooks/pdfs/sg246935.pdf

  In a future release, IBM plans to withdraw support for the z/OS Distributed File Service support that utilizes the Distributed Computing Environment (DCE) architecture. IBM recommends the z/OS Network File System (NFS) implementation as the replacement. The Distributed File Service also supports the Server Message Block (SMB) architecture. Support for SMB remains, and is not affected by this withdrawal of support.

  In a future release, IBM plans to withdraw support for z/OS UNIX System Services Connection Scaling, specifically the Connection Manager and Process Manager components.

  z/OS V1.11 is the last release for which SDK1.4 (5655-I56) support is planned. For more information about z/OS Java SDK products see : http://www.ibm.com/servers/eserver/zseries/software/java/



IBM System z

21

IBM z/OS Management Facility V1.11


IBM System z

22

IBM

 Needs: –  There was no central system

management portal for z/OS

–  There are many interfaces foreign to users new to platform

–  There are manual tasks requiring extensive documentation

–  Requires years of z/OS experience to be productive

z/OS Management Facility V1.11


IBM System z

23

IBM z/OS Management Facility V1.11   The IBM z/OS Management Facility is a new

product for z/OS that provides support for a Web-browser based management console for z/OS.

  Helps system programmers to more easily manage and administer a mainframe system by simplifying day to day operations and administration of a z/OS system.

  More than just a graphical user interface, the z/OS Management Facility is the infrastructure for addressing the needs of your workforce

–  Automated tasks can help reduce the learning curve and improve productivity.

–  Embedded active user assistance (such as wizards) guides you through tasks and helps provide simplified operations.


IBM System z

24

IBM

  Address the needs for a mixed skilled workforce.

  Make System Programmers who are new to the mainframe productive more quickly by: –  Providing a modern browser-based user interface that is more familiar to those

new to the platform –  Automating tasks, thus reducing the learning curve –  Embedding active user assistance in the UI (e.g., wizards that guide users

through tasks, interactive troubleshooting aids).

  Make experienced System Programmers more productive by: –  Making functions easier –  z/OS Management Facility is optional for those who

prefer traditional interfaces

Focus on System Programming


IBM System z

25

IBM

Problem Management and Analysis

 Monitoring health; identifying real and potential problems

  Analyzing and resolving problems

Configuration

  Adding or changing system components; enabling new features; defining and updating policies that affect system behavior.

Simplify and modernize the System Programmer User Experience Deliver solutions in a task-oriented browser-based user interface with integrated user assistance

Information Finding the information needed to use z/OS

z/OS Management Facility Focus areas for simplification


IBM System z

26

IBM

Browser

IBM z/OS Management Facility z/OS application, browser access

HTTP(s)

z/OS

z/OS Management

Facility application

  z/OS Management Facility is an application on z/OS –  Manages z/OS from z/OS –  Browser communicates with z/OS MF via secure connection, anywhere, anytime


IBM System z

27

IBM

Browser

IBM z/OS Management Facility Industry standards

HTTP(s)

z/OS V1.10 or V1.11 LPAR

App. server

 z/OS MF app  Servlets  DOJO/Java script

z/OS elements

  CIM   System REXX™

  RACF®

  and others

  z/OS Management Facility is based on industry standards –  Java™ and Dojo

•  Dojo is an Open Source DHTML toolkit written in JavaScript. Dojo allows you to build dynamic capabilities into web pages and any other environment supporting JavaScript.


IBM System z

28

IBM

Browser

IBM z/OS Management Facility Specialty Engines

HTTP(s)

z/OS V1.10 or V1.11 LPAR

App. server

 z/OS MF app  Servlets  DOJO/JAVA script

z/OS elements

  CIM   System REXX   RACF   and others

Java apps and Java-

based CIM client

eligible for zAAP

z/OS CIM server eligible for zIIP

(R11 only)

 Parts of z/OS Management Facility, such as the Incident log capability, use Java and CIM


IBM System z

29

IBM Guest view Login

Welcome page when user first accesses the URL and has not logged in yet

  To log in you will need a z/OS userID that has been defined and enabled to for z/OSMF (and the WebSphere® runtime environment)

–  Guidance is provided.


IBM System z

30

IBM IBM z/OS Management Facility Welcome page

  z/OSMF Administration category for the administrator: –  Authorization services for administrator to add z/OSMF users and roles –  Allows the administrator to dynamically add links to non-z/OSMF resources,

e.g. ISV products, commonly used installation Web sites  Configuration category with Configuration Assistant for z/OS

Communication Server •  Simplified configuration and setup of TCP/IP policy-based networking

functions  Links category:

–  Provides common launch point for accessing resources beyond the z/OSMF –  Some links are pre-defined in the product.

 Problem Determination category with the Incident Log task –  The Incident Log provides a consolidated list of SVC Dump related problems,

along with details and diagnostic data captured with each incident. It also facilitates sending the data for further diagnostics.


IBM System z

31

IBM

  Pain Points –  Need to troubleshoot a live system, recover from an apparent failure.

–  Need to reduce risk to the business, reduce risk of re-occurrence. –  Complexity of performing the task (number of steps, jargon). –  Data collection very time-consuming

–  Significant skill level needed to analyze problems, interact with IBM and ISVs to obtain additional diagnostic info (setting SLIP traps, traces, etc.)

  Initial focus on Problem Determination capability - Incident Log: –  Troubleshoot your system easier, faster –  The incident log and underlying z/OS diagnostic data gathering greatly improves the tasks

related to: •  Identifying system-detected problems (those related to SVC dumps taken by the system) •  Collecting diagnostic materials related to a problem and sending materials to IBM or

another company's support area •  Telling the system to take the next dump for a previously-recognized problem

z/OSMF Problem Determination


IBM System z

32

IBM z/OSMF Problem Determination – Incident log Benefits

Without z/OSMF** With z/OSMF** Recognizing a system-detected (dumped) problem occurred

Requires 5 to 7 manual steps, plus skill on effective use of IPCS to extract data from each of the dumps.

Up to 5-6 minutes

Display in 1 click. Greatly reduced skill required

As little as 5 seconds

Collecting and sending diagnostic data

Requires 7 to 15 manual steps, plus skill to locate the right log files, build and run jobs, rename the output datasets, and use an FTP job to send the different data sets to the target destination.

Up to 20 minutes Up to 30 minutes for sysplex components

Send the material in 8 clicks:   Select the incident materials   Specify the FTP destination information   Send the material   Check whether the information was FTP’d

successfully As little as 30 seconds

Allow new dump to be taken for the same symptom

Requires 7 to 12 manual steps, plus skill on effective use of IPCS to locate the dump data set, obtain the symptom string, get into the IPCS DAE display, locate the matching symptom string (could be non-trivial) and indicate TakeNext on the IPCS display Up to 15 minutes

Make the update happen in 3 mouse clicks

As little as 10 seconds

** Based on IBM laboratory results, your results may vary

“So easy, even Marketing can use it!” – Gita Grube Berg, IBM System z® Marketing


IBM System z

33

IBM

  Auto-capture basic diagnostic materials, triggered when the dump is written to a data set, managed via parmlib member

–  Initial focus is on Abend and user initiated SVC dumps –  Improved FFDC for system-detected problems; –  Diagnostic data “snapshots” for transient data;

•  Snapshots of 30 min Operlog, •  1 hr Logrec detail, and •  24-hour Logrec summary

–  Allow doc to be FTP'd to IBM (or ISV) without having to keep track of where logs are archived via easy to use interface

–  Simplify informing DAE to take the next dump for the selected incident's symptom string

  Functions include: –  Display list of incidents (Filter/sort/configure table) –  Set properties (associate problem number and tracking id) –  Display properties – view list of diagnostic data, logs –  Send diagnostic data via FTP, define FTP Profiles (firewall) –  Manage ftp jobs status –View, Cancel Job, Delete Status –  Allow next dump –  Delete incident

z/OSMF Problem Determination – Incident Log Details


IBM System z

34

IBM Incident Log – Summary Information

Set the duration

Many fields, set tracking IDs

Popup with actions


IBM System z

35

IBM Incident Log – Incident Details

Tab shows lists of data (logrec and error log)


IBM System z

36

IBM Incident Log – Diagnostic Data


IBM System z

37

IBM Incident Log – Send Diagnostic Data

Wizard guides you through


IBM System z

38

IBM Incident log - Destinations

Pre-loaded with IBM destinations, or add your own


IBM System z

39

IBM Incident Log – Delete Incident


IBM System z

40

IBM

 Pain Points –  Configuration task is highly fragmented

•  Multiple tools, limited integration between tools –  User interfaces not intuitive for new system programmers –  Syntax is complicated and error-prone –  Regression of dynamic changes not reflected in system control files –  Difficult to assess impact of configuration changes

  Initial focus on Configuration Assistant for the z/OS Comm. Server –  A GUI application that simplifies the configuration and setup of the following TCP/IP

policy-based networking functions: •  Application Transparent TLS (AT-TLS) •  IP Security (IPSec) including filters and VPNs •  Network Security Server(NSS) •  Intrusion Detection Services (IDS) •  Policy-based Routing (PBR) •  Quality of Service (QoS)

z/OSMF Configuration


IBM System z

41

IBM

  A GUI that you can use to generate configuration files for z/OS Application Transparent-Transport Layer Security (AT-TLS), IP Security (IPSec), Network Security Services (NSS), Policy Based Routing (PBR), Quality of Service (QoS), and Intrusion Detection Services (IDS).

  Originally available as a Microsoft® Windows® Web download since z/OS V1.7 –  Functions have grown over time –  Still available as a Windows download, but strategy is to provide it only with z/OSMF –  All functions available with Windows are also provided with z/OSMF –  If you are familiar with the Windows GUI, the Configuration Assistant on z/OSMF is essentially the

same

  Now available with z/OSMF V1.11 and z/OS V1.11 –  Configuration files can now be saved to local disk storage that is accessible to your z/OS system

where the Configuration Assistant is running so FTP (from Windows) is not required –  Can also import configuration text files in cases where users have already defined policies and

would like to begin using the Configuration Assistant –  z/OSMF V1.11 and z/OS V1.10 users will not see the Config Assistant for the z/OS Comm Server

Configuration Assistant for z/OS Comm. Server


IBM System z

42

IBM

  Do you need to protect your enterprise data over the network with IP Security or Application Transparent TLS?

  Have you considered protecting your system from misuse from the network with Intrusion Detection Services and then using the Defense Manager Daemon to apply defensive filters?

  If so, you know that these functions can be quite complex to understand and also to set up   You can pour over manuals or you can use a great tool to help you configure your policies

and set up the environment to run these important functions right on the z/OS systems your configuring!

  Use The Configuration Assistant for z/OS Communications Server application on z/OSMF   Helps users build their networking policies and then generates configuration text files for

installation   Guides users through setup tasks for the policy-base environment, including generation of

configuration files, sample started procedures, and RACF profiles

Configuration Assistant for z/OS Comm. Server Value


IBM System z

43

IBM

Create configuration files for any number of z/OS images with any number of TCP/IP stacks per image.

Select the TCP/IP stack that you want to configure and the technology, such as AT-TLS or IPSec.

Click on "Action" and select "Configure" to begin configuring that technology.

Configuration Assistant for z/OS Comm. Server


IBM System z

44

IBM Configuration Assistant for z/OS Comm. Server (V1.11) Simplified AT-TLS Dialog

 Simplified AT-TLS dialog

–  Define AT-TLS from the application level

–  Added a list of well- known applications with predefined rules

–  Simple “click” to enable

–  Rules can be modified or copied and modified


IBM System z

45

IBM Configuration Assistant for z/OS Comm. Server (V1.11) Updates to z/OS System SSL

  Using the latest security provided by z/OS System SSL is a key click away


IBM System z

46

IBM Configuration Assistant for z/OS Comm. Server (V1.11) Simplified IPSec

 Simplified IPSec Requirement Map

–  Simplified panel to show more clearly that a requirement map was a Traffic Descriptor and a Security Level

–  New “advanced wizard” to allow for easier panel navigation


IBM System z

47

IBM Configuration Assistant for z/OS Comm. Server (V1.11) New Application setup tasks

  “Application Setup” task panel is a customized set of tasks (step-by-step) for each policy perspective to deploy the applications required for that function

  There are both image-level and stack-level setup tasks.


IBM System z

48

IBM Configuration Assistant for z/OS Comm. Server (V1.11) Setup tasks – setting the base location for definition files

  Base locations specify a z/OS UNIX® file directory or a PDS(E) library for storing the policy-related definitions that are created by the Configuration Assistant.

  There are both image-level and stack-level base locations.

  This example uses a PDS library.


IBM System z

49

IBM

 Define policies in one place (or read/ update existing policies) and apply them uniformly across the z/OS network

 Uses z/OS Communications Server policy agent to create, manage, and distribute policies

 IPSecurity, Application Transparent Transport Layer Security, Intrusion Detection Services, Quality of Service, Network Security Services, TCP/IP Policy-Based Routing

Policy-based networking IP Filtering to block

unwanted traffic from entering or leaving your z/OS system

Protection against “bad guys” trying to

attack you z/OS system

Making sure high-priority applications also get high-priority

processing by the network

Providing secure end-to-end IPSec VPN tunnels on z/OS

Connection-level security for TCP

applications without application changes

Application-specific selection of outbound interface and route

(policy based routing)

  Application Transparent -TLS and IPSec –  Simplified development and maintenance of security-rich Web apps – centralized configuration of AT-

TLS and IPSec can help you secure the network data with no application modification. •  AT-TLS = for FTP and TN-3270 (1.9), for SASP Load balancing advisor (1.10), support for new SSL function(1.11*)

  Quality of Services & Intrusion Detection Services (1.8) –  Quality of Service policies help maintain network traffic prioritization –  IDS policies help you detect and report suspicious network activities

  Network Security Services (NSS) (1.9) –  Provides single, centralized certificate storage, monitoring, and managing services for IPSec cross-

systems or cross-sysplex •  NSS for WebSphere DataPower® appliance ID authentication and access checks (1.10), additional services (1.11*)

  TCP/IP Policy-Based Routing (PBR) (1.9) –  Outbound network traffic can be separated by application needs –  Allows TCP/IP stack to make routing decisions based on job name, ports, protocol (TCP or UDP),

source IP address, NetAccess security zone, and security label

  Defensive filtering (1.10) –  Defensive filters (temporary security policies) can be quickly deployed to defeat network attacks

Centralized policy-based networking z/OS Communications Server


IBM System z

50

IBM

  z/OSMF Authorization – defining users and roles –  The z/OSMF administrator must define the user to z/OSMF and assign a role in

order for the user to start working with z/OSMF tasks –  The user must have a valid userid on the z/OS system

 Adding Links –  Allows the administrator to dynamically add links to non-z/OSMF resources, e.g.

ISV products, commonly used installation Web sites

Focus on z/OSMF Administration


IBM System z

51

IBM z/OSMF Administration: Adding a z/OSMF user

View all users Click on "Action" and select “New" to add a user to z/OSMF

Scripts are provided. They encompass everything that is required define additional users , end to end, authorization they may require so that you can easily enable more users. For example, use the sample scripts to generate and submit the RACF commands needed to connect user to Configuration Assistant and/or Incident Log.


IBM System z

52

IBM z/OSMF Administration - Users

User ID = RACF user ID Name = any name


IBM System z

53

IBM z/OSMF Administration: Defining a role

Select individual tasks and subtasks for each user.


IBM System z

54

IBM z/OSMF Administration: Adding a link

Define the documentation

Need to share sensitive information with a team?

Select who can see it


IBM System z

55

IBM Focus on Links

 This category contains the pre-defined links provided by IBM as well as any new links added by the z/OSMF administrator

 The links are available to all users of z/OSMF

 Administrator can define which roles have access to each of the defined links.

 The IBM pre-defined links are accessible to all users, including guests, by default.


IBM System z

56

IBM Client side environment checking tool

Your browser connects to the z/OS Management Facility and checks the browser settings


IBM System z

57

IBM

  z/OSMF V1R11 operating environment –  One instance of z/OSMF can manage only one local system or sysplex –  Multiple users may log into the same instance of z/OSMF from different

workstations/browsers • Expectation is to support up to 15 concurrent users

–  From one client system, user can manage additional sysplexes by opening new browser windows (or tabs) and logging into the z/OSMF instance installed on those sysplexes (one browser per system/sysplex).

–  Only one active instance of z/OSMF is supported within a sysplex at any point in time.

• Additional instance may be created e.g for test or service update or backup, but it should not be actively managing the systems at the same time (e.g. working on the same incident concurrently from 2 separate instances of z/OSMF) or using the same data repository.

Additional details on usage


IBM System z

58

IBM

  z/OS Management Facility required z/OS V1 R10 and later –  z/OS V1R10 requires additional service, as defined in the program directory

  The Configuration Assistant for z/OS Communications Server portion of z/OS Management Facility requires z/OS V1.11 or later.

  Client machine (no client machine install requirements) –  Windows XP® operating system and later –  Supported browsers:

•  Mozilla Firefox 3.0.6 (recommended) •  Mozilla Firefox 2 •  Internet Explorer® 7 •  Internet Explorer 6

Prerequisites


IBM System z

59

IBM Migration & Coexistence Considerations

  In a mixed sysplex with some systems below z/OS V1R10: –  z/OSMF V1R11 must be installed and run on z/OS V1R10 or above

–  Incident Log: z/OS V1R9 system’s SVC dumps will be reflected, but with some property values missing

 Configuration Assistant is only supported on z/OSMF V1R11 running on a z/OS V1R11 system.

  z/OSMF can coexist with other ISV products –  For example, all setup instructions are provided for RACF, but z/OSMF will operate

with other security products with equivalent instructions


IBM System z

60

IBM Summary

  IBM z/OS Management Facility (z/OSMF) V1R11 is a new product for z/OS customers.

  z/OSMF will make the day to day operations and administration of the mainframe z/OS systems easier to manage for both new and experienced system programmers.

  Delivers solutions in a task oriented, Web browser based user interface.

  The initial functions include z/OSMF Administration, Incident Log, Configuration Assistant for z/OS Communication Server and Links


IBM System z

61

IBM Additional information   z/OS Management Facility, overview

–  ibm.com/systems/z/os/zos/zosmf/   IBM z/OS Management Facility education modules in IBM Education Assistant

–  When available

  z/OS Hot Topics, Issue 21: –  ibm.com/systems/z/os/zos/bkserv/hot_topics.html –  z/OS Simplifies Your Life … An introduction to z/OSMF –  What’s in your (incident) log? An introduction to the z/OSMF Incident Log –  Setting up Operlog and Logrec for z/OSMF Incident Log –  Removing the Mystery on using System Logger for z/OSMF

  Program Directory for z/OS Management Facility GI11-2886-00

  IBM z/OS Management Facility License Information GC52-1263-00

  IBM z/OS Management Facility User's Guide SA38-0652-00

  IBM WebSphere Application Server OEM Edition for z/OS Configuration Guide, Version 7.0, GA32-0631-00


IBM System z

62

IBM z/OSMF packaging

z/OSMF V1R11 is comprised of:  PID# 5655-S28  S/S PID# 5655-S29  FMID# HSMA110  FMID# HBBN700 (IBM WebSphere Application Server OEM Edition for z/

OS v7.0) –  COMPID 5655I3512 - WEBS APP SVR OEM

 HSMA110 FMID Description: IBM z/OS Management Facility –  COMPID 5655S28SM – z/OSMF Core –  COMPID 5655S2805 – z/OSMF Incident Log –  COMPID 5655S28CA –Config Assist

ZSP03214-USEN-0


IBM System z

63

IBM z/OS Version 1 Release 11 ... ... and z/OS Management Facility Version 1 Release 11

... simplified management   A new face for z/OS, the z/OS Management Facility

(5655-S28) helps improve administrator, operator, and developer productivity, and ultimately provide less opportunity for error.

... failure avoidance   Predictive failure analysis is designed to help provide

early warning about system trends that can cause system or application impacts, in many cases before they impact your business.

.... responsive networking   New z/OS Communications Server designs improve

networking in a Parallel Sysplex, enable more efficient workload distribution, and help improve the quality of the load balancing in multitiered z/OS server and application environments.

... trusted system   The ability to implement centralized authentication,

create a comprehensive audit and risk management plan, configure secure networks, and centrally manage digital certificate lifecycle can not only help reduce the risk from fraud and security breaches, but also help meet industry compliance guidelines.

... accountability   Superior measurement and data collection and reporting

capabilities are updated and can be used for comprehensive risk management, auditing, and compliance plans.

  A new identity propagation function can allow z/OS subsystems (like CICS TS V4.1) to associate distributed identities to RACF for improved cross-platform interoperability and accounting capabilities.

....improved economics and optimization   Also, z/OS V1.11 is enhanced with a new function that can

enable System z Application Assist Processor (zAAP) eligible workloads to run on System z Integrated Information Processors (zIIPs).

  z/OS CIM (Common Information Model) server processing eligible for System z Integrated Information processor (zIIP).

  IBM DB2 for z/OS Version 8 or DB2 9 DB2 utilities is updated to enable part of sort utility processing to run on a zIIP.


IBM System z

64

IBM

Thank you

z/os v1.11 z/os management facility v1 - gse young ... - zos...z/os management facility v1.11 –...

Documents