Add ChangeMan ZDD to ChangeMan ZMF
This chapter tells you how to reconfigure an existing ChangeMan ZMF server to also act as a ChangeMan ZDD server.
Skip this chapter if you do not license ChangeMan ZMF, or if you will not use ChangeMan ZDD to access ChangeMan ZMF.
In the diagram Non-dedicated ZDD Server, ZDD clients connect to Sernet A to access ZMF 1 that runs as an application under Sernet A. ZDD clients also connect to Sernet A to access ZMF 2 and ZMF 3 running under Sernet B and Sernet C respectively.
This chapter tells you how to prepare Sernet A for its dual role as a ZMF server and a ZDD server, as shown in the diagram Non-dedicated ZDD Server.
If you want to build a Sernet started task that is dedicated as a ChangeMan ZDD server, see Build Dedicated Sernet Started Task.
If you want to prepare an existing ChangeMan ZMF server for access through a separate ChangeMan ZDD server, see Connect to ChangeMan ZMF.
We recommend that you set up a dedicated Sernet instance as a ChangeMan ZDD server to access all ChangeMan ZMF instances on an LPAR. See ChangeMan ZDD Server.
However, adding ChangeMan ZDD to an existing ChangeMan ZMF server may be quicker than creating a new Sernet started task. This approach might allow you to demonstrate the capabilities and benefits of ChangeMan ZDD with little effort.
Caution
If you do not currently define SAF as your security system interface in ChangeMan ZMF Global Administration, the procedure in this chapter requires you to change the switch settings in security module SERLCSEC. Mistakes in this change could make ChangeMan ZMF unavailable.
...
Step 1: Verify ChangeMan ZMF Compatibility
As you connect to ChangeMan ZMF, see the release level on the pop-up panel that is displayed before the Primary Option Menu appears.
Menu List Mode Functions Utilities Help
------------------------------------------------------------------------------
ISPF Command Shell
Enter TSO or Workstation commands below:
+-------------------------------------------------------------------------+
===> s | |
| ChangeMan(R) |
| Version = 7.1.1 |
| |
Place | Initialization in progress |
| |
=> ser | Copyright (C) 1985-2010 Serena Software, Inc. |
=> ser | Licensed material. All rights reserved. |
=> SER | ChangeMan is a registered trademark of SERENA (R) Software Inc. |
=> ser | |
=> RAC | |
=> isr +------------------------------------------------------------------+
=> isrddn
=>
=>
=>
See the "Compatibility" section of the ChangeMan ZDD Readme to verify that your ZMF release level is compatible with the ZDD client you want to use to access it.
Upgrade ChangeMan ZMF or ChangeMan ZDD if necessary.
Step 2: Apply ChangeMan ZDD License
Apply the license you received from Micro Focus to enable ChangeMan ZDD. Refer to the SER10TY User’s Guide for instructions on how to apply the license.
Use the SER10TY JCL and SERCOMC load libraries that were used to apply other licenses to this Sernet instance.
If you cannot find that JCL, the load modules, JCL, and other components that run SER10TY are included in the SERCOMC libraries unloaded from the ZDD download image or the distribution CD.
Step 3: Enable ZDD Application With Port Number
Add Sernet application keyword option XCH to the started task to enable ChangeMan ZDD on this Sernet instance and to provide a port number for access by ZDD clients.
Code the option in one of these locations:
- The PARM= parameter for program SERVER in the Sernet started procedure.
- The data set coded at the ddname that is specified in the DDNAME=ddname keyword option in the PARM= parameter.
The following format with a port number is required:
XCH=nnnn
Step 4: Provide Port Number for ZMF
To access a ChangeMan ZMF instance from a ChangeMan ZDD server, the CMN application keyword option must include a port number.
- Locate the CMN application parameter in the Sernet started task. This parameter will be coded in either:
  - The PARM= parameter for program SERVER in the Sernet started procedure.
  - The data set coded at the ddname that is specified in the DDNAME=ddname keyword option in the PARM= parameter.
- Ensure that the CMN keyword option includes a non-zero port number. Example:
CMN=60
Note
Do not use the same port number for the CMN=port keyword option and the XCH=port keyword option.
Step 5: Allocate ZDDOPTS XML Parameters
You can use XML pages in a library at ddname ZDDOPTS in the ChangeMan ZMF started procedure to alter the behavior of the ChangeMan ZDD client when it accesses functions in ChangeMan ZMF 5.3.6 and higher.
See ZDDOPTS: ChangeMan ZDD XML Options for a description of the XML parameter members and for instructions for coding the XML to meet your requirements.
Execute these steps to add a ZDDOPTS library to an existing ChangeMan ZMF server:
- Allocate a PDS(E) for the ZDDOPTS XML page members with these characteristics:
DSN=node.SERCOMC.ZDDOPTS              * Recommended last node
DCB=(RECFM=VB,LRECL=255,BLKSIZE=0)    * Let SMS set BLKSIZE
SPACE=(CYL,(1,10,30))
- Add a ZDDOPTS DD statement to the ChangeMan ZMF started procedure and code it with the data set name of the allocated ZDDOPTS library.
- Copy these members to the ZDDOPTS library from the SERCOMC SAMPXML library unloaded from the download image or the distribution CD:
  - AUDIT
  - BUILD
  - COMMAND
  - DEMOTE
  - LIBTYPE
  - PKGCREAT
  - PKGPROP
  - PROMOTE
- Use a PDS search like the ISPF Search-For Utility to find this XML comment syntax in any ZDDOPTS library member:
`<!--`
- If no XML comments are found, see Translating Comments in ZDDOPTS Members for a procedure to fix XML comments in ZDDOPTS library members.
Step 6: Set Up Job Notification
The Job Notification facility of Sernet sends job completion messages to a user’s PC for jobs that they submit through ChangeMan ZDD.
Note
Job Notification does not add messages to batch jobs submitted by ChangeMan ZMF, even though you may use ChangeMan ZDD to initiate ChangeMan ZMF jobs.
To enable Job Notification in a ChangeMan ZDD server, you set up a mainframe JCL fragment that is automatically appended onto JCL submitted from ChangeMan ZDD.
- Copy member $SERNTFY from the vendor SERCOMC CNTL library into your custom CNTL library.
- Edit member $SERNTFY in the custom library. Change the STEPLIB statement to point to the vendor load library you coded in the STEPLIB for the Sernet started procedure.
- Copy the updated $SERNTFY member from your custom CNTL library into a system PROCLIB.
Step 7: Set Up Job Review
See Job Review for more information about the Job Review facility.
As delivered in Sernet 7.1.1, Sernet allows read access to JES jobs that are not owned by the userid. Cancel/purge/requeue are restricted to jobs owned by the userid.
Since access to JES jobs is normally controlled by resource classes JESJOBS and JESSPOOL, regardless of whether SEREX003 is activated, we recommend that you disable this exit. To disable the exit, do one of the following:
- Use Sernet keyword option EX003=NO.
- Customize the exit as described in source code comments at the top of the program.
Step 8: Configure Your Security System
You may need to change some security settings in your ChangeMan ZMF instance to access it from a ChangeMan ZDD client.
Set Security Interface to SAF
A ChangeMan ZMF instance must use SAF for its security interface if you want to access it from a ChangeMan ZDD client. See SAF and Your Security System.
Execute these steps to ensure that the ChangeMan ZMF server you want to access from a ZDD client is using the SAF security interface:
- Log on to ChangeMan ZMF with Global Administrator authority.
- Go to the Global Parameters - Part 1 of 6 panel (=A.G.1) and examine the setting of the Security System field.
- If the Security System field is set to RACF, ACF2, or TSS, change it to SAF, and then save your change by pressing ENTER until you are returned to the menu where you started.
- If you have not customized local security routine SERLCSEC, no further action is required. Go to Set Security for USS File Systems.
- Edit local security routine SERLCSEC in your custom ASMSRC library, and search the source code for &SAF.
- If &SAF is not found, Sernet is running Version 7.1.1 or later, and no further action is required. Go to Set Security for USS File Systems.
- Compare the switch settings in your customized SERLCSEC source to the settings shown in this code fragment.
* BELOW IS WHERE THE USER CAN TAILOR THE SOURCE CODE FOR THE SHOP
*--------------------------------------------------------------------
&SAF     SETB  1    (YES)  security package - SAF
&ACF2    SETB  0    (NO)   security package - ACF2
&RACF    SETB  0    (NO)   security package - RACF
&RACFVRM SETB  1    (1.9)  .RACF 1.9 or better (0=1.8)
&TSS     SETB  0    (NO)   security package - Top Secret
&TSSVRM  SETB  0    (4.1)  .version 4.2 or better (0=4.1)
&VERFYID SETB  1    (YES)  SAF user ID verification
- If your switch settings match the settings in the code fragment above, no changes are required. Go to Set Security for USS File Systems.
- Change the switch settings in your customized SERLCSEC source to match the code fragment above.
- Assemble and link the customized SERLCSEC program source into your custom LOAD library.
- Stop and start your ChangeMan ZMF instance.
Set Security for USS File Systems
If you want to use ChangeMan ZDD to access HFS files in Unix System Services on the mainframe, you must make additional entries in your security system.
The instructions here describe commands for z/OS Security Server RACF. If you use CA ACF2 or CA Top Secret, consult with your security administrator to determine the actions they must take in those security systems to accomplish the same objectives.
In the commands that follow, the following conventions are used:
- SERUSER is the user-id assigned to the Sernet / ZMF started task.
- SERGRP is the RACF group assigned to the Sernet / ZMF started task.
...
- Assign a non-zero UID to SERUSER by manually assigning the next available value:
ALTERUSER SERUSER OMVS(UID(xxx))
- Permit access for SERUSER to two resources so it can manage HFS in USS:
PERMIT BPX.SERVER CLASS(FACILITY) ID(SERUSER) ACCESS(UPDATE)
PERMIT SUPERUSER.FILESYS CLASS(UNIXPRIV) ID(SERUSER) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(UNIXPRIV) REFRESH
- Ensure that the SERUSER default group SERGRP has a GID:
ALTERGROUP SERGRP OMVS(GID(YYY))
Define OMVS Segments For TCP/IP
Most user IDs requiring access to TCP/IP functions must have an OMVS segment. To satisfy this requirement for the ChangeMan ZMF server, do one of the following:
- Define an OMVS RACF segment for the userid assigned to the ZMF server.
or
- Use the default OMVS segment support provided by RACF and z/OS UNIX for users and groups.
See "Requirement for an OMVS segment" in the z/OS Communications Server IP Configuration Guide.
Restrict Logon to ZDD
As described in How ChangeMan ZDD Security Works, ChangeMan ZDD respects the mainframe security controls provided by your security system when a ZDD user works with files, jobs, and job output.
In addition, you can require explicit permission at the user ID and group ID level to log on to a ZDD server.
Execute these steps to restrict logon to a ZDD server:
- Code Sernet keyword option CONNECTCHECK(YES) in one of these locations on a Sernet instance that is acting as a ZDD server:
  - The PARM= parameter for program SERVER in the Sernet started procedure.
  - The data set coded at the ddname that is specified in the DDNAME=ddname keyword option in the PARM= parameter.
  (The default value for this keyword option is CONNECTCHECK(NO).)
- Define a FACILITY class profile:
SERENA.CONNECT.sysname.XCHsubsys
Where:
sysname is the four-character SMF ID of the LPAR where the Sernet instance runs.
subsys is the one-character subsystem ID of the Sernet started task.
- Permit READ access to this FACILITY class profile for the user IDs and group IDs that are allowed to log on.
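A configuration check for the keyword options from Steps 3, 4 and 7 and for the logon restriction above, written as an added example (it is not part of the product or its documentation). It assumes options are separated by commas or line breaks and parses only the KEY=value and KEY(value) forms shown on this page; the port 6123, the names SYSA, A and ZDDGRP, and the UACC(NONE) default are illustrative assumptions.

```python
import re

# The two keyword-option shapes shown on this page:
# KEY=value (XCH=nnnn, CMN=60, EX003=NO) and KEY(value) (CONNECTCHECK(YES)).
OPTION = re.compile(r"\b([A-Z][A-Z0-9]*)(?:=|\()([A-Z0-9]+)\)?")

# Constructed sample, not taken from a real started task.
SAMPLE = "XCH=6123\nCMN=6123\nCONNECTCHECK(NO)\n"

def parse_options(text):
    """Return {keyword: value} from PARM= text or the DDNAME= data set contents."""
    return dict(OPTION.findall(text.upper()))

def audit(text):
    """Return findings for the settings Steps 3, 4, 7 and Restrict Logon describe."""
    opts, ports, findings = parse_options(text), {}, []
    for key in ("XCH", "CMN"):
        value = opts.get(key, "")
        if value.isdigit() and int(value) != 0:
            ports[key] = int(value)
        else:
            findings.append(f"{key}: missing or zero port number")
    if len(ports) == 2 and ports["XCH"] == ports["CMN"]:
        findings.append("XCH and CMN use the same port number")
    if opts.get("EX003") != "NO":
        findings.append("EX003=NO not coded: confirm SEREX003 was customized instead")
    if opts.get("CONNECTCHECK") != "YES":
        findings.append("CONNECTCHECK(YES) not coded: default CONNECTCHECK(NO) applies")
    return findings

def connect_profile(sysname, subsys):
    """Build SERENA.CONNECT.sysname.XCHsubsys from the SMF ID and subsystem ID."""
    if len(sysname) != 4 or len(subsys) != 1:
        raise ValueError("need a four-character SMF ID and a one-character subsystem ID")
    return f"SERENA.CONNECT.{sysname.upper()}.XCH{subsys.upper()}"

def racf_commands(sysname, subsys, ids):
    """RACF commands for the profile; UACC(NONE) is this example's assumption."""
    profile = connect_profile(sysname, subsys)
    cmds = [f"RDEFINE FACILITY {profile} UACC(NONE)"]
    cmds += [f"PERMIT {profile} CLASS(FACILITY) ID({i}) ACCESS(READ)" for i in ids]
    return cmds + ["SETROPTS RACLIST(FACILITY) REFRESH"]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
    # SYSA, A and ZDDGRP are placeholder values.
    print("\n".join(racf_commands("SYSA", "A", ["ZDDGRP"])))
```

The generated RACF commands are meant for review by the security administrator before they are entered, and the refresh command applies only if the FACILITY class is RACLISTed.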