The complexities of z/OSMF security setup for Zowe
IBM z/OS Management Facility (z/OSMF) provides system management functions in a task-oriented, web browser-based user interface with integrated user assistance. This allows you to manage the day-to-day operations and administration of your mainframe z/OS systems more easily. By streamlining some traditional tasks and automating others, z/OSMF can help to simplify areas of z/OS system management. z/OSMF allows you to communicate with the z/OS system through a web browser, so you can access and manage your z/OS system from anywhere. Multiple users can log in to z/OSMF using different computers, different browsers, or multiple instances of the same browser.
I have worked with many customers (RACF, CA ACF2, and CA Top Secret) to help them understand the implication of the z/OSMF setup with their ESM products and help them navigate the issues they may be having. Every customer’s ESM setup is different, and one needs to understand the environment to ensure security is set up appropriately without causing any outages.
Using z/OSMF requires appropriate authority in z/OS. This is especially true on the z/OS system to be managed, where resources need to be accessed on behalf of z/OSMF. Datasets, operator commands, and more are secured through RACF, CA ACF2, or CA Top Secret.
z/OSMF is organized into several areas, described below:
- Core functions are those tasks which are always enabled when you initially configure the product. They are installed and can run without the need for additional plug-ins. These tasks are brought up when z/OSMF starts, and a base configuration of z/OSMF contains only these functions. Some core functions are the Workflows task, the Resource Management task, and the Usage Statistics task.
- Categories are collections of tasks and/or plug-ins with shared characteristics. An example of a category is the Performance category, which contains the Capacity Provisioning, Resource Monitoring, and Workload Management plug-ins, along with the System Status task.
- Plug-ins are collections of one or more system management tasks that add significant functionality to z/OSMF. They require additional steps to configure and deploy. They also require the creation of security profiles for the tasks that are associated with them. Examples of plug-ins are the Network Configuration Assistant, Cloud Provisioning, and the Incident Log.
IBM has been working hard to help customers with the security setup for z/OSMF. There are numerous JCL examples provided in sample libraries to help with this configuration. A recent sample of new profile definitions puts the number at over 100 new profiles to define to an External Security Manager (ESM). While this may not appear to be a large number, one needs to review what is currently set up in their ESM and determine the appropriate security setup and any potential ‘undercutting’ of accesses. These definitions can cause problems in a customer’s environment if the appropriate review has not taken place prior to implementing them. Depending on the customer’s security environment, the definitions may also require activating resource classes that have not been active before. A review needs to be performed and tested to ensure everything meets the customer’s requirements.
z/OS systems programmers need to work closely with the security analysts to ensure appropriate setup, as there are z/OSMF parameter setup options that can affect the security definitions. When properly configured, z/OSMF and Zowe provide a web-centric user interface for managing z/OS. They can help simplify tasks and reduce the time necessary to learn and operate the mainframe.