Frequently Asked Questions

Will I be required to purchase additional hardware?

No, SMA_RT is a software-only solution.

Are there any product dependencies?

The SMA_RT application does not depend on any other software products other than those delivered to the customer from IBM.

Are there documented procedures on how to use the SMA_RT application?

Yes, copies of the Installation Guide and the User’s Guide are packaged on a CD-ROM along with the product.

How long does it take to install and set up the SMA_RT application?

All program executables are shipped on a CD-ROM in binary format, along with supporting MVS JCL and installation manuals. The product can be uploaded and installed in just a few hours.

What experience / skills are required to create / maintain filters and rules?

A Security Administrator with an intermediate z/OS skill set and a basic knowledge of SMF records.

What information needs to be collected before the installation?

Type80 has a Pre-Install Questionnaire that should be completed by an MVS Systems Programmer. It asks for information such as the CPU serial number and LPAR name. It is intended to supply information for the generation of a key-code and quick-reference installation instructions.

Does the Installation process require an IPL (reboot) of the mainframe?

No, Type80 Products do not require an IPL during installation.

What information is available from SMA_RT alerts?

Information passed from the SMA_RT application includes data items that should be familiar to Security Administrators. However, some of the data will require a general understanding of z/OS and how it operates in order for the data to be truly meaningful.

Every alert sent provides data relevant to the resource and policy that triggered the alert. The data items listed below are some of the information that appears within the alert, in the alert text and in the meta-tags.
  • User Name
  • User ID
  • Filename accessed
  • Sensor name/Source Hostname (Mainframe LPAR name and IP address)
  • DDName
  • Job name
  • Step name
  • Program Name
  • Term ID
  • Device Name
  • SAF Group
  • Various RACF, ACF2 & TSS Auditor Events
  • Detailed descriptive information on security records.

Does the SMA_RT application encrypt network traffic?

Yes. Authentication traffic between the SMA_RT Client and Server is protected against network eavesdropping.

Where does the application receive its information?

The back-office process receives its information from two areas. The two primary data feeds are the SMF Exit and an Operating System Interface. A third and optional data feed from application programs running in Batch, CICS, IMS and DB2 can be obtained by using the TYPE_80 Application Program Interface (API).

Does SMA_RT support Unix Systems running on the z/OS operating system?

Yes, SMA_RT supports Unix System Services (USS). USS generates SMF records on specific events that are passed as type 90 records to the SMF Exit. SMA_RT is capable of capturing these records when generated on a particular LPAR.

What is an LPAR?

LPAR is the acronym for “Logical Partition.” IBM delivers a physical IBM mainframe to the customer. Each physical mainframe can operate up to 15 logical partitions at one time, but there have been rumors of expanding the capabilities. Each LPAR runs a version of the z/OS operating system. Some customers elect to run test LPARs and production LPARs on the same physical machine. Others may elect to isolate test and production LPARs by ordering a second machine. Each LPAR runs independently and may have different security software depending on geographical location and licensing agreements.

Is it possible to route alerts to other vendor products as well?

Yes. Any vendor product that accepts alerts in standard TCP/IP SYSLOG format is able to receive alerts from SMA_RT.

What is the performance impact on the Mainframe?

Every Network and CPU performs differently depending on workload, size and resources available so it is difficult, if not impossible, to predict the precise impact of the SMA_RT application on any given customer.

    Back-office traffic
    The SMA_RT application is capable of examining new events at a rate of approximately 12,000/minute. The filtering process prevents most of these events from entering the back-office processor.
    The system infrastructure was tested on an IBM 9672-R35, with 1 CP shared (weight 5 of 100), 256 megabytes real storage, 64 megabytes extended storage using OS/390 V26. Distributing 25,000 events to each of the 4 major components tested the infrastructure. All of the events were processed within 4 seconds.

    Network Traffic
    An event is again filtered out in the back-office processor if the resource within the event is not being monitored. An alert only goes out if the threshold for the resource has been exceeded, so it is highly unlikely that there would be a high volume of data traffic on the network generated from the SMA_RT application.

©2011 Type80 Inc. All rights reserved.
