IBM IMS

 

The IBM Information Management System (IMS) DSM for JSA allows you to use an IBM mainframe to collect events and audit IMS database transactions.

To integrate IBM IMS events with JSA, you must download scripts that allow IBM IMS events to be written to a log file.

Overview of the event collection process:

  1. The IBM mainframe records all security events as Service Management Framework (SMF) records in a live repository.

  2. The IBM IMS data is extracted from the live repository using the SMF dump utility. The SMF file contains all of the events and fields from the previous day in raw SMF format.

  3. The qeximsloadlib.trs program pulls data from the SMF formatted file. The qeximsloadlib.trs program only pulls the relevant events and fields for JSA and writes that information in a condensed format for compatibility. The information is saved in a location accessible by JSA.

  4. JSA uses the log file protocol source to retrieve the output file information for JSA on a scheduled basis. JSA then imports and processes this file.

Configuring IBM IMS

You can integrate IBM IMS with JSA:

  1. From the Juniper Customer Support website (https://support.juniper.net/support/downloads/), download the following compressed file:

    QexIMS_bundled.tar.gz

  2. On a Linux-based operating system, extract the file:

    tar -zxvf qexims_bundled.tar.gz

    The following files are contained in the archive:

    • qexims_jcl.txt - Job Control Language file

    • qeximsloadlib.trs - Compressed program library (requires IBM TRSMAIN)

    • qexims_trsmain_JCL.txt - Job Control Language for TRSMAIN to decompress the .trs file

  3. Load the files onto the IBM mainframe by using the following methods:

    Upload the sample qexims_trsmain_JCL.txt and qexims_jcl.txt files by using the TEXT protocol.

  4. Upload the qeximsloadlib.trs file by using BINARY mode transfer and append to a pre-allocated data set. The qeximsloadlib.trs file is a tersed file that contains the executable (the mainframe program QexIMS). When you upload the .trs file from a workstation, pre-allocate a file on the mainframe with the following DCB attributes: DSORG=PS, RECFM=FB, LRECL=1024, BLKSIZE=6144. The file transfer type must be binary mode and not text.

    Note

    QexIMS is a small C mainframe program that reads the output of the IMS log file (EARLOUT data) line by line. QexIMS adds a header to each record that contains event information, for example, record descriptor, the date, and time. The program places each field into the output record, suppresses trailing blank characters, and delimits each field with the pipe character. This output file is formatted for JSA and the blank suppression reduces network traffic to JSA. This program does not need much CPU or I/O disk resources.

  5. Customize the qexims_trsmain_JCL.txt file according to your installation-specific information for parameters.

    For example, jobcard, data set naming conventions, output destinations, retention periods, and space requirements.

    The qexims_trsmain_JCL.txt file uses the IBM utility TRSMAIN to extract the program that is stored in the qeximsloadlib.trs file.

    An example of the qexims_trsmain_JCL.txt file includes:

    The .trs input file is an IBM TERSE formatted library and is extracted by running the JCL, which calls the TRSMAIN. This tersed file, when extracted, creates a PDS linklib with the qexims program as a member.

  6. You can STEPLIB to this library or choose to move the program to one of the LINKLIBs that are in LINKLST. The program does not require authorization.
  7. The qexims_jcl.txt file is a text file that contains a sample JCL. You must configure the job card to meet your configuration.

    The qexims_jcl.txt sample file includes:

  8. After the output file is created, you must make one of the following choices:
    • Schedule a job to transfer the output file to an interim FTP server.

    • Each time the job completes, the output file is forwarded to an interim FTP server. You must configure the following parameters in the sample JCL to successfully forward the output to an interim FTP server:

    For example:

    Where:

    • <target server> is the IP address or host name of the interim FTP server to receive the output file.

    • <USER> is the user name required to access the interim FTP server.

    • <PASSWORD> is the password required to access the interim FTP server.

    • <IMSOUT> is the name of the output file saved to the interim FTP server.

    For example:

    PUT 'Q1JACK.QEXIMS.OUTPUT.C320' /192.168.1.101/IMS/QEXIMS.OUTPUT.C320

    Note

    You must remove commented lines that begin with //* for the script to properly forward the output file to the interim FTP server.

    You are now ready to configure the log file protocol.

  9. Schedule JSA to retrieve the output file from IBM IMS.

    If the mainframe is configured to serve files through FTP, SFTP, or allow SCP, then no interim FTP server is required and JSA can pull the output file directly from the mainframe. The following text must be commented out using //* or deleted from the qexims_jcl.txt file:

    You are now ready to configure the log file protocol.

Configuring a Log Source

A log file protocol source allows JSA to retrieve archived log files from a remote host.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. Click the Log Sources icon.
  4. From the Log Source Type list, select IBM IMS.
  5. Using the Protocol Configuration list, select Log File.
  6. Configure the following parameters:

    Table 1: Log File Protocol Parameters

    Parameter

    Description

    Log Source Identifier

    Type the IP address or host name for the log source. The log source identifier must be unique for the log source type.

    Service Type

    From the list, select the protocol that you want to use when retrieving log files from a remote server. The default is SFTP.

    • SFTP SSH File Transfer Protocol

    • FTP File Transfer Protocol

    • SCP Secure Copy

    The underlying protocol that is used to retrieve log files for the SCP and SFTP service types requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.

    Remote IP or Hostname

    Type the IP address or host name of the IBM IMS system.

    Remote Port

    Type the TCP port on the remote host that is running the selected Service Type. If you configure the Service Type as FTP, the default is 21. If you configure the Service Type as SFTP or SCP, the default is 22.

    The valid range is 1 - 65535.

    Remote User

    Type the user name necessary to log in to your IBM IMS system.

    The user name can be up to 255 characters in length.

    Remote Password

    Type the password necessary to log in to your IBM IMS system.

    Confirm Password

    Confirm the Remote Password to log in to your IBM IMS system.

    SSH Key File

    If you select SCP or SFTP from the Service Type field, you can define a directory path to an SSH private key file. The SSH Private Key File gives the option to ignore the Remote Password field.

    Remote Directory

    Type the directory location on the remote host from which the files are retrieved. By default, the newauditlog.sh script writes the human-readable log files to the /var/log/ directory.

    Recursive

    Select this check box if you want the file pattern to also search subfolders. The Recursive parameter is not used if you configure SCP as the Service Type. By default, the check box is clear.

    FTP File Pattern

    If you select SFTP or FTP as the Service Type, this gives the option to configure the regular expression (regex) used to filter the list of files that are specified in the Remote Directory. All matching files are included in the processing.

    For example, if you want to retrieve all files in the <starttime>.<endtime>.<hostname>.log format, use the following entry: \d+\.\d+\.\w+\.log.

    Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/

    FTP Transfer Mode

    This option appears only if you select FTP as the Service Type. The FTP Transfer Mode parameter gives the option to define the file transfer mode when log files are retrieved over FTP.

    From the list, select the transfer mode that you want to apply to this log source:

    • Binary Select Binary for log sources that require binary data files or compressed .zip, .gzip, .tar, or .tar+gzip archive files.

    • ASCII Select ASCII for log sources that require an ASCII FTP file transfer. You must select NONE for the Processor field and LineByLine for the Event Generator field when ASCII is used as the transfer mode.

    SCP Remote File

    If you select SCP as the Service Type, you must type the file name of the remote file.

    Start Time

    Type the time of day you want the processing to begin. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24-hour clock, in the following format: HH:MM.

    Recurrence

    Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D).

    For example, type 2H if you want the directory to be scanned every 2 hours. The default is 1H.

    Run On Save

    Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule.

    Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File(s) parameter.

    EPS Throttle

    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 5000.

    Processor

    If the files on the remote host are stored in a .zip, .gzip, .tar, or tar+gzip archive format, select the processor that allows the archives to be expanded and the contents to be processed.

    Ignore Previously Processed File(s)

    Select this check box to track files that have already been processed so that they are not processed a second time. This applies only to FTP and SFTP Service Types.

    Change Local Directory?

    Select this check box to define the local directory on your JSA system that you want to use for storing downloaded files during processing. We recommend that you leave the check box clear. When the check box is selected, the Local Directory field is displayed, which gives the option to configure the local directory to use for storing files.

    Event Generator

    From the Event Generator list, select LineByLine.

  7. Click Save.

    The configuration is complete. Events that are retrieved by using the log file protocol are displayed on the Log Activity tab of JSA.
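
The constraints in Table 1 can be checked before a log source is saved. The following is an added example, not part of JSA or of the original page: the dictionary key names, the probe file name, and the sample values are assumptions made for illustration, and the file pattern is assumed to be matched against the whole file name.

```python
import re
# Key names are hypothetical labels for the Table 1 parameters, not a JSA API.
PROBE = "core.dump"  # constructed unrelated file name used to spot over-broad patterns

def validate_log_source(cfg):
    """Check a proposed Log File protocol configuration; return (errors, warnings)."""
    err, warn = [], []
    svc = cfg.get("service_type", "SFTP")  # Table 1: the default is SFTP
    if svc not in ("SFTP", "FTP", "SCP"):
        err.append("Service Type must be SFTP, FTP, or SCP")
    if not 1 <= cfg.get("remote_port", 21 if svc == "FTP" else 22) <= 65535:
        err.append("Remote Port outside 1 - 65535")
    if len(cfg.get("remote_user", "")) > 255:
        err.append("Remote User longer than 255 characters")
    key_ok = svc in ("SFTP", "SCP") and cfg.get("ssh_key_file")
    if not cfg.get("remote_password") and not key_ok:
        err.append("no Remote Password or usable SSH Key File")
    if not re.fullmatch(r"([01]\d|2[0-3]):[0-5]\d", cfg.get("start_time", "")):
        err.append("Start Time must be HH:MM on a 24-hour clock")
    if not re.fullmatch(r"[1-9]\d*[HMD]", cfg.get("recurrence", "1H")):
        err.append("Recurrence must be a number followed by H, M, or D")
    if not 100 <= cfg.get("eps_throttle", 100) <= 5000:  # unset is treated as in range
        err.append("EPS Throttle outside 100 - 5000")
    if cfg.get("event_generator") != "LineByLine":
        err.append("Event Generator must be LineByLine")
    if svc == "FTP":
        warn.append("FTP sends Remote User and Remote Password unencrypted")
        if cfg.get("ftp_transfer_mode") == "ASCII" and cfg.get("processor", "NONE") != "NONE":
            err.append("ASCII transfer mode requires Processor NONE")
    if svc == "SCP":
        if not cfg.get("scp_remote_file"):
            err.append("SCP requires SCP Remote File")
        for key in ("recursive", "ignore_previously_processed"):
            if cfg.get(key):
                warn.append(f"{key} is not used with SCP")
    elif "file_pattern" in cfg:
        try:
            if re.fullmatch(cfg["file_pattern"], PROBE):
                warn.append("file pattern also matches unrelated files")
        except re.error as exc:
            err.append(f"file pattern does not compile: {exc}")
    return err, warn

# Constructed sample configurations.
GOOD = {"service_type": "SFTP", "ssh_key_file": "/path/to/key", "start_time": "02:00",
        "recurrence": "1D", "event_generator": "LineByLine", "file_pattern": r"QEXIMS\.OUTPUT\.\w+"}
BAD = {"service_type": "FTP", "remote_password": "x", "start_time": "2:00", "recurrence": "2",
       "eps_throttle": 50, "ftp_transfer_mode": "ASCII", "processor": "ZIP",
       "event_generator": "LineByLine", "file_pattern": ".*"}
```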