|
|
Before you install the Cisco IOS for S/390 software, you must prepare your MVS system to accept the product. This chapter provides an overview of the major tasks required to modify the MVS operating system prior to installing Cisco IOS for S/390. These preliminary tasks are described in these sections:
You must define the I/O devices used by Cisco IOS for S/390 to gain access to the network. See the Cisco IOS for S/390 Release Notes for current required levels of microcode and other requirements.
Obtain any additional information about the network interface devices directly from the network interface supplier.
To run Cisco IOS for S/390, you must have a component authorization key and know your customer number. The component authorization key indicates which Cisco IOS for S/390 components are authorized for your installation. If you do not have a component authorization form containing the key for your installation, or if you do not know your customer number, call Customer Support for assistance.
During the initialization process, Cisco IOS for S/390 attempts to locate the subsystem control blocks it needs. It looks for the subsystem name in the control blocks. The default name of the subsystem is ACSS. You can override the default by changing the SSN=symbolic parameter in the RUNTCP JCL stream.
If the required subsystem control blocks cannot be located, Cisco IOS for S/390 builds them dynamically and places them on the MVS subsystem control block chain. Cisco IOS for S/390 does not use the subsystem control blocks if they are in use by another address space.
Dynamic allocation of the subsystem control blocks is recommended. No IPL or maintenance of SYS1.PARMLIB is necessary.
If you prefer to permanently define the subsystem control blocks in your installation, add an entry for the subsystem name in member IEFSSNxx in SYS1.PARMLIB. If you do not want to use the default name (ACSS), override the subsystem name on the SSN= parameter in the RUNTCP job stream. You must perform an IPL in order for the change to IEFSSNxx to take effect.
In installations using external security systems, there may be data-access restrictions. The security administrator must ensure that a TCP/IP implementation does not circumvent any restrictions in place.
The SAF router provides access between Cisco IOS for S/390 and the MVS security system, enabling Cisco IOS for S/390 to perform functions included in FTP, FTP2, FTP3, and Telnet.
If you are using ACF2, all access is denied until explicitly permitted, requiring a series of steps to be taken prior to starting Cisco IOS for S/390.
You must complete security customization before you run the installation verification procedures (IVPs) described in the Cisco IOS for S/390 5.2 Release Notes.
If RACF, ACF2, or CA-TOP SECRET is installed, perform at least the basic system security customization according to the steps described in the chapter "Customizing System Security."
The specific transient libraries needed are PLILINK and SIBMLINK. PLILINK contains the PL/I-specific transient routines; SIBMLINK contains the common library transient routines. You need both PLILINK and SIBMLINK available via LNKLSTnn or STEPLIB, JOBLIB, or TASKLIB to run PL/I applications.
Read the IBM manual OS PL/I Version 2 Installation and Customization under MVS Release 3.
These Cisco IOS for S/390 client commands and their aliases may or may not be run as authorized MVS programs and commands:
When these commands run authorized, they extract encrypted passwords, groups, and TSO user IDs. The extracted information is used to sign on to the Cisco IOS for S/390 address space on the local host.
The authorized versions significantly reduce the number of times a TSO user is prompted for an MVS user ID and password. Neither plain-text MVS passwords nor their associated TSO user IDs are sent across the TCP/IP network when the automatic sign-on feature of the authorized programs is used.
The automatic sign-on feature provides the additional benefit of not having to leave a TSO user ID and password in plain text in the batch input to these programs stored on DASD.
1 . Add the command module names and their aliases to the AUTHCMD, AUTHPGM, and AUTHTSF sections of member IKJTSOxx.
2 . Follow your installation's procedures for updating SYS1.PARMLIB members as shown in this example.
AUTHCMD NAMES( FTP FTP2 FTP3 TCPEEP ACCFTP2) AUTHPGM NAMES( FTP FTP2 FTP3 TCPEEP ACCFTP2) AUTHTSF NAMES( FTP FTP2 FTP3 TCPEEP ACCFTP2)
3 . The FTP3 authorized TSO command is in the FTPLOAD data set; all authorized TSO commands are included in the Cisco IOS for S/390 LINK data set. Follow installation procedures at your site to provide access to these modules under TSO.
Cisco IOS for S/390 LOAD, LINK, and FTPLOAD data sets require APF authorization. In order to set authorization for these common load data sets, modify the IEAAPFxx member of the SYS1.PARMLIB data set.
If you do not have a procedure in place for modifying PARMLIB members, use the following steps to update the SYS1.PARMLIB member IEAAPFxx:
1 . Verify the target name and volume serial of these data sets before proceeding.
2 . If you have a procedure in place for modifying PARMLIB members, follow that procedure; if you do not have a procedure in place, proceed with Step 3.
3 . Create a full-back member by renaming the current IEAAPFxx member and giving it a backup suffix. Copy the renamed member and give it the current suffix. This will provide you with a full-back member in the event an error is made during the editing process.
4 . Edit the APF authorization member IEAAPFxx (or PROFxx for ESA Version 4.3 or higher) in SYS1.PARMLIB (where xx is the suffix of your member).
5 . If you are using OpenEdition (UNIX System Services), also authorize the Cisco IOS for S/390 PFSLOAD data set.
PFSLOAD is a proprietary data set. Refer to the Cisco IOS for S/390 Release Notes for more information about PFSLOAD.
6 . You must perform an IPL in order for the changes to take effect.
Caution Whenever you make changes to any SYS1.PARMLIB member, be sure you can perform an IPL of your system using an alternate IPL volume or an alternate SYS1.PARMLIB member. Typographical errors can cause catastrophic errors during system initialization, leaving your MVS system in an unusable state.
Cisco IOS for S/390 software user interface programs can be executed from both batch and TSO address spaces. The following user interface programs and client commands are located in the
Cisco IOS for S/390 LINK/FTPLOAD library:
To execute these programs, the LINK library must be available to batch jobs and TSO users for execution. These user interface programs also require that SAS 6.00 and the OS PL/I Transient Libraries (Release 1.5 or later) be available for execution to the batch jobs and TSO users.
If you decide to place the LINK data set in the MVS Link List, the LINK data set must be cataloged in your master catalog. Therefore, the LNKINDX (LINK data set high-level index) must not start with a qualifier that is defined as an alias in your master catalog.
You can make the user interface programs available by modifying one of the following:
If you are familiar with the process of updating the Link List and your LINK library and PL/I Transient Libraries are already available in the Link List, skip the rest of this section and continue with the chapter "Customizing System Security".
The FTPLOAD library contains the FTP3 client, with an alias of FTP. FTP3 is more user-friendly and offers more functionality than the original FTP client found in the LINK library. If you prefer to use FTP3 as your default FTP client, place FTPLOAD ahead of the LINK library in the linklist. You will still be able to use the old FTP client under the name FTP1.
If you do not have a procedure in place for modifying PARMLIB members, use the following steps to update the SYS1.PARMLIB member LNKLSTxx:
1 . Create a full-back member by renaming the current LNKLSTxx member and giving it a backup suffix. Copy the renamed member and give it the current suffix. This will provide you with a full-back member in the event an error is made during the editing process.
2 . Edit the LNKLSTxx (where xx is your local suffix) member in SYS1.PARMLIB.
For example, if your HLQ is SYS1.T01TCP for the LINK data set and PLI.V2R2M1 for the two OS PL/I Version 2 transient libraries, add these lines to LINKLSTxx:
SYS1.T01TCP.Vxxx.LINK,
PLI.V2R2M1.PLILINK,
PLI.V2R2M1.SIBMLINK,
Caution The LOAD data set must never be added to the Link List. The Cisco IOS for S/390 element names are not unique and therefore could affect the operation of other software. The LOAD data set should always be referenced through a STEPLIB or JOBLIB statement.
If you are not familiar with changing the LNKLSTxx member in SYS1.PARMLIB, seek assistance from someone who is familiar with the process and/or consult the MVS Initialization and Tuning Guide.
3 . Perform the IPL for the changes to take effect. If you do not plan to perform an IPL right away, you can change STEPLIB or JOBLIB DD statements to make the programs available for execution until the next time the IPL is done.
Caution Whenever you make changes to any SYS1.PARMLIB member, be sure you can perform the IPL of your system using an alternate IPL volume or an alternate SYS1.PARMLIB member. Typographical errors can cause catastrophic errors during system initialization, leaving your MVS system in an unusable state.
If you have already modified LNKLSTxx to add the LINK data set from a previous release of Cisco IOS for S/390, do not replace that entry with the new LINK data set until you are satisfied with the testing of the new release and are ready for migration. During testing, use JOBLIB or STEPLIB DD statements in TSO procedures, batch jobs, and the Cisco IOS for S/390 job to reference the LINK data set for the new release.
If the LINK data set and the OS PL/I Transient Libraries are not available the client commands will not work properly.
Several user interface programs can be executed from TSO address spaces. Some user interface programs have TSO help members that let the users find information on the use and format of each program. Any TSO users who need to reference these TSO help members must have their TSO procedures updated.
Edit any TSO procedures that require access to TSO help members by concatenating a DD statement to SYSHELP. If TRGINDX is specified as T01TCP.V5R2, add the following DD statement to SYSHELP:
// DD DSN=T01TCP.V5R2.HELP,DISP=SHR
|
|