zERT | Best practices: Sorting out the different z/OS user IDs involved with the zERT Network Analyzer

By Erin ZHANG posted Fri April 03, 2020 02:46 AM

With z/OS Encryption Readiness Technology (zERT), you are now able to discover and analyze the status of the network cryptographic protection of your z/OS TCP and Enterprise Extender workloads. If you have adopted zERT, you might already be familiar with IBM zERT Network Analyzer, which makes it easy for you to query and analyze the data that zERT provides.

Based on some recent discussions we've had, there seems to be some confusion over the different z/OS user IDs involved with the zERT Network Analyzer and which SAF permissions each one requires. This blog entry will hopefully clear up that confusion.

There are three different types of z/OS user IDs involved with the zERT Network Analyzer.

1. The z/OSMF server's user ID

This is the z/OSMF started task user ID (the user ID under which z/OSMF and the zERT Network Analyzer plug-in execute). When the network analyzer imports SMF data from SMF dump data sets, it is running under the z/OSMF user ID. Because of this, the network analyzer requires the z/OSMF user ID to have one permission beyond those required by z/OSMF itself.

Required authorization: The z/OSMF user ID must have READ access to the SMF dump data sets from which the network analyzer imports zERT SMF records.

2. zERT Network Analyzer end-user ID

These are the user IDs that log into the zERT Network Analyzer plug-in to use the functions the network analyzer offers. Any user ID that needs to log into the zERT Network Analyzer plug-in must have the appropriate SAF permission to access the plug-in.

Required authorization: The zERT Network Analyzer end-user IDs must have proper access to a couple of different SAF resources. See the IZUNASEC sample in "Setting up security for the z/OSMF plug-ins" for details on how to permit this access via the SAF group IZUZNA.

It is also important to note that when a network analyzer user exports the results of a network analyzer query, the export operation is performed under the logged-in user's user ID rather than the z/OSMF user ID. This way, the zERT Network Analyzer ensures that export files written to the z/OS UNIX file system are written according to the logged-in user's z/OS UNIX credentials.

3. zERT Network Analyzer database user ID

This is a separate, dedicated user ID that the zERT Network Analyzer uses to connect to the Db2 for z/OS database. All zERT Network Analyzer database operations are executed under this user ID, including queries, insertions, and deletions. This user ID is configured on the zERT Network Analyzer Database Settings panel and must have the appropriate set of permissions to perform the database operations that the network analyzer requires.

Tip: Create a separate, dedicated user ID for this purpose.

Required Db2 privileges: Before you start the zERT Network Analyzer, you MUST grant this user ID the following Db2 privileges to ensure proper operation of the various network analyzer functions:

  • INSERT, SELECT, UPDATE, and DELETE privileges on the following tables (or on the base tables for which these names are defined as aliases, depending on how your DBA chooses to set up the zERT Network Analyzer database):
    • 1. SYSIBM_EZB_ZNADB.APPL 
    • 2. SYSIBM_EZB_ZNADB.DATAMGMTHISTORY
    • 3. SYSIBM_EZB_ZNADB.DATASET
    • 4. SYSIBM_EZB_ZNADB.SECURITY_SESSION 
    • 5. SYSIBM_EZB_ZNADB.SESSION_STATISTICS 
    • 6. SYSIBM_EZB_ZNADB.IPSEC_INFO 
    • 7. SYSIBM_EZB_ZNADB.SSH_INFO 
    • 8. SYSIBM_EZB_ZNADB.TLS_INFO 
    • 9. SYSIBM_EZB_ZNADB.TOPOLOGY 
    • 10. SYSIBM_EZB_ZNADB.OPENJPA_SEQUENCE_TABLE 
    • 11. SYSIBM_EZB_ZNADB.QUERY 
    • 12. SYSIBM_EZB_ZNADB.SCOPE_FLTR 
    • 13. SYSIBM_EZB_ZNADB.SCOPE_FLTR_ENDPT 
    • 14. SYSIBM_EZB_ZNADB.SCOPE_FLTR_SYSSPEC 
    • 15. SYSIBM_EZB_ZNADB.SEC_FLTR 
    • 16. SYSIBM_EZB_ZNADB.SEC_IPSEC_FLTR 
    • 17. SYSIBM_EZB_ZNADB.SEC_SSH_FLTR 
    • 18. SYSIBM_EZB_ZNADB.SEC_TLS_FLTR
    • 19. FILTEREDSECURITYSESSIONIDS
    • 20. TCPSERVER_SUMMARIES
    • 21. TCPCLIENT_SUMMARIES
    • 22. EEPEER_SUMMARIES
    • 23. TCPSERVER_CLIENTDETAILS
    • 24. TCPCLIENT_CLIENTDETAILS
    • 25. EEPEER_CLIENTDETAILS
    • 26. TCPSERVER_CLEARSECURITYSESSIONDETAILS
    • 27. TCPSERVER_IPSECSECURITYSESSIONDETAILS
    • 28. TCPSERVER_SSHSECURITYSESSIONDETAILS
    • 29. TCPSERVER_TLSSECURITYSESSIONDETAILS
    • 30. TCPCLIENT_CLEARSECURITYSESSIONDETAILS
    • 31. TCPCLIENT_IPSECSECURITYSESSIONDETAILS
    • 32. TCPCLIENT_SSHSECURITYSESSIONDETAILS
    • 33. TCPCLIENT_TLSSECURITYSESSIONDETAILS
    • 34. EEPEER_CLEARSECURITYSESSIONDETAILS
    • 35. EEPEER_IPSECSECURITYSESSIONDETAILS
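The following Db2 for z/OS SQL is an added example and is not part of the original post or of the zERT Network Analyzer itself. It grants the four required table privileges to the dedicated database user ID and then queries the Db2 catalog to list any analyzer table in the schema that still lacks one of them, which is the check worth running before the first start of the network analyzer. The authorization ID ZNADBID is a placeholder you must replace with your own dedicated user ID; the example assumes the SYSIBM_EZB_ZNADB names are real tables rather than aliases (if your DBA created aliases, grant on the underlying base tables instead) and must be run by an ID with authority to grant on those tables.

```sql
-- Added example (not from the post). ZNADBID is a placeholder for the
-- dedicated zERT Network Analyzer database user ID from the post.
-- One GRANT can cover several tables; the unqualified table names in the
-- post (FILTEREDSECURITYSESSIONIDS and the *_SUMMARIES / *_CLIENTDETAILS /
-- *_SECURITYSESSIONDETAILS tables) follow the same pattern under whatever
-- schema your DBA used for them.
GRANT SELECT, INSERT, UPDATE, DELETE
   ON TABLE SYSIBM_EZB_ZNADB.APPL,
            SYSIBM_EZB_ZNADB.DATAMGMTHISTORY,
            SYSIBM_EZB_ZNADB.DATASET,
            SYSIBM_EZB_ZNADB.SECURITY_SESSION,
            SYSIBM_EZB_ZNADB.SESSION_STATISTICS,
            SYSIBM_EZB_ZNADB.IPSEC_INFO,
            SYSIBM_EZB_ZNADB.SSH_INFO,
            SYSIBM_EZB_ZNADB.TLS_INFO,
            SYSIBM_EZB_ZNADB.TOPOLOGY,
            SYSIBM_EZB_ZNADB.OPENJPA_SEQUENCE_TABLE,
            SYSIBM_EZB_ZNADB.QUERY,
            SYSIBM_EZB_ZNADB.SCOPE_FLTR,
            SYSIBM_EZB_ZNADB.SCOPE_FLTR_ENDPT,
            SYSIBM_EZB_ZNADB.SCOPE_FLTR_SYSSPEC,
            SYSIBM_EZB_ZNADB.SEC_FLTR,
            SYSIBM_EZB_ZNADB.SEC_IPSEC_FLTR,
            SYSIBM_EZB_ZNADB.SEC_SSH_FLTR,
            SYSIBM_EZB_ZNADB.SEC_TLS_FLTR
   TO ZNADBID;

-- Verification: list every table in the schema for which ZNADBID does not
-- hold all four privileges. Privileges may have been granted in separate
-- statements (one SYSTABAUTH row each), so the rows for a table are
-- aggregated before deciding. 'Y' = privilege held, 'G' = held with GRANT
-- option; blank = not held. An empty result set means the setup is complete.
SELECT T.NAME AS TABLE_MISSING_PRIVILEGE
  FROM SYSIBM.SYSTABLES T
  LEFT JOIN SYSIBM.SYSTABAUTH A
         ON A.TCREATOR = T.CREATOR
        AND A.TTNAME   = T.NAME
        AND A.GRANTEE  = 'ZNADBID'
 WHERE T.CREATOR = 'SYSIBM_EZB_ZNADB'
   AND T.TYPE    = 'T'
 GROUP BY T.NAME
HAVING MAX(CASE WHEN A.SELECTAUTH IN ('Y', 'G') THEN 1 ELSE 0 END) = 0
    OR MAX(CASE WHEN A.INSERTAUTH IN ('Y', 'G') THEN 1 ELSE 0 END) = 0
    OR MAX(CASE WHEN A.UPDATEAUTH IN ('Y', 'G') THEN 1 ELSE 0 END) = 0
    OR MAX(CASE WHEN A.DELETEAUTH IN ('Y', 'G') THEN 1 ELSE 0 END) = 0
 ORDER BY T.NAME;
```

The verification query deliberately looks only at privileges granted directly to the dedicated ID; if your DBA grants through a secondary authorization ID or a Db2 role instead, substitute that grantee name. Keeping the dedicated ID limited to these four table privileges, and nothing broader such as DBADM, is what makes the separate database user ID worthwhile from a least-privilege standpoint.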
----------------------------------------------------------------------------------------------------------------------------------

About the authors

Chris Meyer is the network security architect for z/OS and an IBM senior technical staff member.

Joshua Bennetone is the lead developer for the zERT Network Analyzer.