
Installation Considerations

This chapter describes issues you must consider and decisions you must make before installing or configuring a ChangeMan ZDD server.

System Considerations

This section describes system issues that you must consider before you start the installation process.

z/OS Subsystem

While each Sernet instance is identified by a "subsystem ID," Sernet is not a formal z/OS subsystem like JES or DB2®; do not define Sernet in the subsystem name table in SYS1.PARMLIB(IEFSSNxx). If you define it in the subsystem name table, Sernet abends with an S0C4 when it tries to update the subsystem communication vector table with the identifying address space (ASID).

Updating the System Linkage Index

Each Sernet instance uses a system linkage index (a z/OS resource). The system linkage index is not released when a Sernet started task is shut down. However, the next time the same subsystem ID is initialized, the same system linkage index is used as before.

The NSYSLX parameter in IEASYSxx defines the number of linkage indexes (in addition to those in the system function table) to be reserved as system linkages. The default number is 55. If your environment has a number of subsystems defined that use system linkage indexes (for example, DB2 and IMS V5), you might need to increase the value of NSYSLX if you define multiple Sernet instances on the same LPAR.

Non-Swappable

The Sernet address space must be available at all times for asynchronous requests coming from client desktops and from other z/OS address spaces. Each Sernet instance makes itself non-swappable by internally issuing the following:

SYSEVENT TRANSWAP

TRANSWAP is IBM’s preferred method of making an address space non-swappable for long periods of time.

We recommend that you do not add load libraries for ChangeMan ZDD server to the LINKLIST. Instead, include a STEPLIB statement in the JCL for each Sernet instance, and include a JOBLIB or STEPLIB statement in the JCL for each batch job submitted by a Micro Focus Serena product.

STEPLIB and JOBLIB are preferred because:

  • If you license more than one Micro Focus Serena product and you do not keep the products at compatible release levels, common load modules in a LINKLIST library might interfere with the proper function of some of these products.

  • You should segregate delivered (vendor) versions of load modules in libraries separate from customized programs such as exits. It is easier to maintain the proper concatenation of custom and vendor load libraries if they are in STEPLIB or JOBLIB statements in started procedures and batch JCL.

Security Considerations

This section provides information about how ChangeMan ZDD security works, and it describes security issues you must consider before you start the ChangeMan ZDD server installation process.

How ChangeMan ZDD Security Works

ChangeMan ZDD respects the mainframe security controls provided by RACF, CA ACF2, and CA Top Secret:

  • You gain access to a ChangeMan ZDD server and other mainframe resources through your TSO userid and password.

  • ChangeMan ZDD only allows you to access data sets to which you have authority.

  • ChangeMan ZDD provides your user ID to ChangeMan ZMF so that your authorization to access functions, applications, and components can be verified.

...

Data Set Access for the Sernet Started Task

Grant the Sernet started task userid the highest general data set access authority possible. As described above, all data sets and libraries accessed by ChangeMan ZDD are protected by your security system.

If administrators and developers already have access to ChangeMan ZMF applications, functions, and data sets through the ISPF interface on the mainframe, they will have the same privileges when they use ChangeMan ZDD.

SAF and Your Security System

SAF is an acronym for System Authorization Facility, an interface defined by z/OS that enables programs to use system authorization services to protect access to resources such as data sets and z/OS commands. SAF provides a common interface for IBM Security Server RACF, CA ACF2, and CA Top Secret where you define the security rules for an LPAR.

Sernet is configured to use SAF to interface to your security system. When you define Sernet instances to your security system, you may also need to provide parameters to enable SAF.

Access to TCP/IP Functions

Access to TCP/IP Services in z/OS Communications Server requires a z/OS UNIX security context, referred to as an OMVS segment, for the user ID associated with a Sernet instance.

See the section “Requirement for an OMVS Segment” in the IBM publication z/OS Communications Server: IP Configuration Guide.

Additionally, RACF PassTickets are a requirement for mainframe clients (not ChangeMan ZDD or ChangeMan ZMF for Eclipse) connecting via TCP/IP. Instructions for generating RACF PassTickets are detailed in Chapter 6, “Configuring Security”.

TLS Security

A server can be configured to use Transport Layer Security (TLS) encryption for secure communications with that server. The TLS setting applies to all ChangeMan instances defined under the server.

If TLS security is enabled, AT-TLS on the z/OS server must also be configured to use TLS on all ports for this server, as well as all ChangeMan ports under this server. Likewise, if AT-TLS on the z/OS server is configured to use TLS, the ChangeMan ZDD client must also be configured to use TLS.

Connection to the server will fail if its TLS setting does not match the AT-TLS configuration on the z/OS server.

When a connection is requested, the TLS handshake requires that the server provide a trusted server certificate, which is then authenticated by the client.

There are two ways for a company to supply a server certificate. One way is to purchase a certificate from a universally recognized and trusted certificate authority, such as Symantec, GlobalSign, or DigiCert. The Windows operating system will automatically trust certificates issued from these trusted sources, and the client users don’t need to take any action at all to allow these certificates to be accepted.

The other method is for security administrators to issue their own self-signed certificates. A company may choose to go this route rather than purchasing a certificate from a universally trusted authority. Since a customer company is not an authority that is automatically trusted by Windows, you will need to import your company server’s own root CA certificate into the “Trusted Root Certification Authorities” certificate store on each and every client machine. Since this certificate will have an expiration date, this process will have to be repeated periodically, each time the certificate approaches its expiration date. Of course, none of this is necessary if the company purchases a universally trusted certificate.

If the server is configured to use TLS security, you can optionally log on using a client certificate, rather than supplying a password. There is a new “Use certificate” check box in the Logon dialog box.

The “Use certificate” check box is only present for servers configured to use TLS security. Logging on with a client certificate requires SerNet and ChangeMan ZMF version 8.2.2+.

The client certificate will be issued by the security administrator. The client certificate needs to be imported into the Windows “Personal” certificate store.

In order for the Client Pack to support client certificates for multiple RACF user IDs, the common name on the certificate must be the same as the RACF user ID. This is the default when a RACF administrator generates the certificate. ChangeMan ZDD will not find the certificate in the certificate store if the administrator calls it something different.

In order to make the client certificate optional, but to have AT-TLS authenticate the client certificate if the client supplies one, AT-TLS must have ClientAuthType configured as “Full”.

Sernet JCL

Expect to run at least two instances of Sernet:

  1. One or more Sernet instances that support production versions of Micro Focus Serena mainframe applications.

  2. A test Sernet instance to test upgrades and modifications before they are installed into the libraries running the production Sernet started tasks.

Before building a Sernet started procedure, consider the issues described in the following subsections.

Subsystem ID

Each instance of Sernet is identified by a unique one-character subsystem ID. Valid values for a subsystem ID are:

  • Blank (space)

  • Numeric 0-9

  • Alphabetic A-Z

  • Special characters @, #, and $.

Note

Although a null (blank) subsystem ID is valid, we strongly recommend that you avoid using a null subsystem ID.

A subsystem ID is assigned through Sernet keyword option SUBSYS=subsysID, which is input to program SERVER.

Sernet Started Task Names

As stated previously, you will have at least two Sernet instances: a test instance and a production instance. You may also have multiple Sernet instances running on other LPARs.

Each Sernet started task must be assigned a unique identity in z/OS for console commands, automated data center management tools, and SMF. There are three ways to establish a unique z/OS identity for a Sernet started task:

  • Member name - Build a separate procedure (member) for each started task. Use only the member name in the START command.

    S SERPROC1

    The Sernet started task jobname and identifier is SERPROC1.

  • Identifier - Append an identifier to the procedure member name in the START command.

    S SERPROC.SERTASK2,ID=2

    The Sernet started task jobname is SERPROC and the identifier is SERTASK2.

  • Jobname - Use the JOBNAME parameter in the START command.

    S SERPROC,JOBNAME=SERTASK3,ID=3

    The Sernet started task jobname and identifier are both SERTASK3.

If you use a common procedure for several Sernet instances, then you must use an identifier or a JOBNAME parameter in the START command.

Note

When you assign a started task identity that is different from the started procedure member name, IBM recommends that you use the JOBNAME parameter because it provides an identity that is available to the most z/OS services.

Parameters for Sernet

Sernet behavior is controlled by keyword options input to program SERVER.

Passing Parameters to Sernet

Keyword options may be passed to Sernet in two ways:

Passing keyword options in the EXEC statement

In the EXEC statement for program SERVER, as subparameters in the PARM= parameter.

Example 1:

//SERVER   PROC ID=1,OPT='XCH=1234'
//SERVER   EXEC PGM=SERVER,            *Started Task
//              REGION=0M,             *Maximum Region
//              DYNAMNBR=200,          *High allocations
//              PARM='SUBSYS=&ID,&OPT' *Execution Parms

Example 2:

Override the SERVER parameters in Example 1 by setting symbolic parameters in the START command.

S SERPROC,ID=2,XCH=2345

Passing keyword options in a data set

In a data set read by program SERVER at a DD statement referred to by the keyword option DDNAME=ddname coded as a PARM= subparameter.

Example

//SERVER  PROC
//SERVER  EXEC PGM=SERVER,              *Started Task
//             REGION=0M,               *Maximum Region
//             DYNAMNBR=200,            *High allocations
//             PARM='DDNAME=ANYNAME' *Execution Parms
. . .
//ANYNAME DD DSN=SERCOMC.PARMS(SERPARM)

PDS member SERPARM contains:

```
SUBSYS=3     /* Sernet SUBSYS ID
XCH=3456     /* TCP/IP PORT #
```

...

Sernet Options For ChangeMan ZDD

Keyword options listed in this section are required or are commonly used with a Sernet instance that is used as a ChangeMan ZDD server.

See Appendix F, Sernet Keyword Options for detailed descriptions of the options listed here.

To find other Sernet keyword options that can be used with ChangeMan ZDD, look for "XCH" in the “Application(s)” row of the description tables in Appendix F, Sernet Keyword Options.

Note

Any ChangeMan ZMF server at version 5.3.6 or above that you access with ChangeMan ZDD must not use keyword option XML=NO, which suppresses XML Services.

Required Options

These parameters must be specified for a Sernet instance acting as a ChangeMan ZDD server.

Option                  Description
SUBSYS=x                See SUBSYS in Appendix F
XCH=port or XCH         See apl in Appendix F
SDNOTIFY=nnn            See SDNOTIFY in Appendix F
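
The rules stated so far (valid subsystem IDs, the two ways of passing options, the required options, the XML=NO restriction) can be checked before a started task is deployed. The following is an added example, not code from the product or its vendor; it assumes an empty SUBSYS= value means a blank ID and that a parameter member holds one option per line with a trailing `/*` comment, as in the SERPARM sample.

```python
# Added example: checks Sernet keyword options against the rules on this page.
VALID_SUBSYS = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ@#$")
REQUIRED = ("SUBSYS", "XCH", "SDNOTIFY")      # the "Required Options" table


def parse_options(text):
    """Parse keyword options from a PARM= string or a parameter member.

    Accepts comma-separated options ('SUBSYS=1,XCH=1234') and one option
    per line with a trailing '/*' comment, as in member SERPARM.
    A bare keyword such as 'XCH' is stored with the value None.
    """
    opts = {}
    for line in text.splitlines():
        line = line.split("/*", 1)[0]          # drop the trailing comment
        for item in line.split(","):
            item = item.strip()
            if not item:
                continue
            key, eq, value = item.partition("=")
            opts[key.strip().upper()] = value.strip() if eq else None
    return opts


def audit(opts):
    """Return (severity, message) findings for a ZDD server instance."""
    findings = []
    for key in REQUIRED:
        if key not in opts:
            findings.append(("ERROR", f"required option {key} is missing"))
    if "SUBSYS" in opts:
        sid = opts["SUBSYS"] or ""             # assumption: empty means blank ID
        if sid == "":
            findings.append(("WARN", "blank subsystem ID is valid but not recommended"))
        elif len(sid) != 1 or sid not in VALID_SUBSYS:
            findings.append(("ERROR", f"SUBSYS={sid!r} is not one of 0-9, A-Z, @, #, $"))
    port = opts.get("XCH")
    if port is not None and not (port.isdecimal() and 1 <= int(port) <= 65535):
        findings.append(("ERROR", f"XCH={port!r} is not a TCP port number"))
    if opts.get("XML") == "NO":
        findings.append(("ERROR", "XML=NO suppresses XML Services; not allowed "
                                  "for a ZMF 5.3.6+ server accessed with ZDD"))
    if opts.get("EX003") != "NO":
        findings.append(("INFO", "SEREX003 is active; the page recommends EX003=NO"))
    return findings


if __name__ == "__main__":
    # Constructed sample: member SERPARM from the page plus an XML=NO line.
    member = "SUBSYS=3     /* Sernet SUBSYS ID\nXCH=3456     /* TCP/IP PORT #\nXML=NO\n"
    for severity, message in audit(parse_options(member)):
        print(f"{severity:5} {message}")
```
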

Common Options

These options are commonly used with Sernet instances:

Option                  Description
DDNAME=ddname           See DDNAME in Appendix F
EX003=NO                See EX003 in Appendix F

Other Options

These options may be specified for a Sernet instance acting as a ChangeMan ZDD server under special circumstances:

Option                  Description
COMPRESS=[0|1]          See COMPRESS in Appendix F
CONNECTCHECK=[YES|NO]   See CONNECTCHECK in Appendix F
EXPIRE=HhhMmm           See EXPIRE in Appendix F
MIGRAT=volser           See MIGRAT in Appendix F
RUNFOR=HhhMmm           See RUNFOR in Appendix F
TCPIP=tcpiproc          See TCPIP in Appendix F

SER#PARM DD Statement

Each Sernet started task creates and maintains a reference table of application TCP/IP addresses and port numbers for Micro Focus Serena applications. This table is kept in a PDS referenced by DD name SER#PARM in the Sernet started procedure. The TCP/IP addresses are stored in a member named #SERx, where “x” is the subsystem ID of the Sernet started task.

Caution

Do not use the SER#PARM library for any other purpose. Sernet opens this library for output, which can interfere with other uses of the file.

The following example shows the format of a #SERx member in a SER#PARM file:

* SMFI.SUBS APP DOT.TED.DEC.MAL PORT# TCPIPROC      --Update-Time-Stamp--
  BH3A.SER1 XCH 111.11.111.111 11111                2008/08/15 @ 10:30:59
  BH3A.SER1 CMN 222.22.222.222 22222                2008/10/19 @ 13:31:42
* END OF DATA
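
Because the TLS section requires AT-TLS to cover every port for the server and every ChangeMan port under it, a copy of the #SERx member is a convenient inventory to compare against the ports your AT-TLS rules cover. The following is an added example, not vendor code; the `tls_ports` argument is a hypothetical set that you fill in from your own AT-TLS policy, and the TCPIPROC column is treated as optional because it is empty in the sample above.

```python
import ipaddress
from datetime import datetime

# The #SERx sample shown on this page (values are the page's placeholders).
SAMPLE = """\
* SMFI.SUBS APP DOT.TED.DEC.MAL PORT# TCPIPROC      --Update-Time-Stamp--
  BH3A.SER1 XCH 111.11.111.111 11111                2008/08/15 @ 10:30:59
  BH3A.SER1 CMN 222.22.222.222 22222                2008/10/19 @ 13:31:42
* END OF DATA
"""


def parse_serx(text):
    """Parse a #SERx member into a list of dict entries.

    Data lines hold: SMFI.SUBS, application, dotted-decimal address, port,
    an optional TCPIPROC name, then 'yyyy/mm/dd @ hh:mm:ss'.
    Lines starting with '*' are header or trailer lines and are skipped.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        fields = line.split()
        if len(fields) not in (7, 8) or fields[-2] != "@":
            raise ValueError(f"line {lineno}: unexpected layout: {line!r}")
        smfi, _, subs = fields[0].partition(".")
        port = int(fields[3])
        if not 1 <= port <= 65535:
            raise ValueError(f"line {lineno}: port {port} out of range")
        entries.append({
            "smfi": smfi,
            "subs": subs,
            "app": fields[1],
            # IPv4Address raises ValueError on a malformed address.
            "address": str(ipaddress.IPv4Address(fields[2])),
            "port": port,
            "tcpiproc": fields[4] if len(fields) == 8 else None,
            "updated": datetime.strptime(f"{fields[-3]} {fields[-1]}",
                                         "%Y/%m/%d %H:%M:%S"),
        })
    return entries


def ports_without_tls(entries, tls_ports):
    """Return (app, port) pairs from the member that no AT-TLS rule covers.

    tls_ports is a hypothetical, operator-supplied set of port numbers.
    """
    return [(e["app"], e["port"]) for e in entries if e["port"] not in tls_ports]


if __name__ == "__main__":
    for app, port in ports_without_tls(parse_serx(SAMPLE), {11111}):
        print(f"{app} port {port} has no AT-TLS rule")
```
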

SERLIC DD Statement

The SER10TY License Manager gives you a choice of storing licenses for Micro Focus Serena mainframe products in CSA or in a PDS.

If you store licenses in a PDS, that library must be named in DD statement SERLIC included in any started procedure that connects to ChangeMan ZDD.

SYSMDUMP DD Statement

The preferred means of gathering diagnostic information for a program interrupt in a Sernet started task is through a data set allocated to a SYSMDUMP DD statement. The data set should have these attributes:

//SYSMDUMP DD DISP=(MOD,CATLG,CATLG),           * SYSMDUMP
//            DSN=somnode.SERCOMC.SYSMDUMP(+1),
//            UNIT=SYSDA,SPACE=(CYL,(200,100),RLSE),
//            DCB=(DSORG=PS,RECFM=FBS,LRECL=4160,BLKSIZE=4160)

...

We recommend that you define a GDG index for the SYSMDUMP dataset to prevent diagnostic information in the dataset from being overwritten when the Sernet instance is restarted after an abend.

SYSTCPD DD Statement

If there are multiple TCP/IP started tasks running on the same LPAR, you may need to code DD name SYSTCPD in the Sernet started procedure. See topic “Considerations for Multiple Instances of TCP/IP” in the IBM publication z/OS Communications Server IP Configuration Guide.

Component Libraries

When you allocate mainframe libraries for ChangeMan ZDD server components, consider the following:

  • Preserve the components delivered with the release. If you modify a ChangeMan ZDD server component, you may need the original version if your changes do not work as expected. Segregate “vendor” and “custom” components in separate libraries.
  • Use the last node of the vendor library name when you name your generic and custom libraries.

This example shows segregated vendor and custom component libraries:

Delivered Library:

SERCOMC.V8R1M0.LOAD

JCL Library:

//STEPLIB   DD DISP=SHR,                                * CUSTOM LOAD
//             DSN=somnode.SERCOMC.V8R1M0.CUSTOM.LOAD
//          DD DISP=SHR,                                * VENDOR LOAD
//             DSN=somnode.SERCOMC.V8R1M0.LOAD

...

Job Review

The Job Review facility of Sernet makes mainframe job output available in ChangeMan ZDD Jobs folders.

The Job Review facility uses the same subsystem interface as the TSO STATUS command. Job Review is not directly connected to SDSF or other job output viewing tools, and it does not offer the same options for viewing and manipulating output data sets.

What Job Review can make available to ChangeMan ZDD depends on how your components for JES, security, and Sernet are configured. These components determine:

  1. What job output can be selected by the subsystem interface.

  2. What job output a user is authorized to see.

...

Some of the components that can affect what users can see in ChangeMan ZDD Jobs folders include:

  • JESJOBS and JESSPOOL resource classes

  • TSO output/status/cancel exit IKJEFF53

  • RACHECK preprocessing exit ICHRCX01 (RACF only)

  • RACHECK postprocessing exit ICHRCX02 (RACF only)

...

If you make no changes to your existing configuration, ZDD Jobs folders may only show you this job output:

  • JES2 - Jobs with job names consisting of your TSO ID plus one character.

  • JES3 - No jobs.

Sernet Exit SEREX003 for JES

Sernet exit SEREX003 restricts access to JES jobs and is delivered to customers in an enabled state.

Starting with Sernet 7.1.1, exit SEREX003 allows read access to JES jobs that are not owned by the userid. However, cancel/purge/requeue functions are restricted to jobs owned by the userid.

Since access to JES jobs is normally controlled by resource classes JESJOBS and JESSPOOL, regardless of whether SEREX003 is activated, we recommend that you disable this exit. To disable the exit, do one of the following:

  • Use Sernet keyword option EX003=NO.

  • Customize the exit as described in comments at the top of the program source code.

Customizing the ChangeMan ZDD Client

When you access ChangeMan ZMF through its ISPF client, you can modify ZMF panels to fit your requirements. The ISPF interface can be customized further with exit programs that run in the ISPF address space and alter information that is passed to the panels.

The ChangeMan ZDD client does not offer this same flexibility. Most ZDD dialogs that access ChangeMan ZMF functions are fixed, and ZMF exit programs cannot modify what appears on ZDD dialogs.

However, ZDD 3.2 and higher can read parameters and options coded in XML on the mainframe that can alter the behavior and appearance of some ZDD client dialogs. These XML pages control:

  • Field labels, edit rules, and default values for the ZDD client Build dialog. This dialog is the equivalent of the ISPF staging panels and the User Option Panel (CMNUSR01).

  • Library types available in the ZDD client. This function is like ZMF exit program CMNEX035 that hides library types in the ISPF interface.

  • User-defined options for the Audit, Demote, Promote, and New Package dialogs.

  • Enabling or disabling of ZMF commands in the ZDD client.

  • Package fields that a user may or may not update.

The XML pages are stored in members of a mainframe PDS(E) library that is named in DD statement ZDDOPTS in the ZMF server JCL. The server must be running at ZMF 5.3.6 or higher.

If you plan to access ZMF 5.3.6 or higher through ChangeMan ZDD, analyze the following in your environment:

  • Customization of stage processing panels in the ISPF client.

  • Customization of exit program CMNEX035.

  • User-defined options for the Audit, Demote, Promote, and New Package functions.

  • Which ZMF functions a user will be allowed to access.

  • Which package fields a user may or may not update.
