With their release of z/OS 2.2, IBM has introduced digital signatures to SMF Data. These signatures appear as SMF Type 2 records in the data with two subtypes:
A Group Signature signs a group of SMF records of a specific type and subtype. This record is produced anytime a specific type and subtype of record is written in a minute following any other records of that type and subtype in the current SMF interval. For SMF type/subtypes that are produced very frequently, you might get one of these group signature records for each minute of the interval, whereas for type/subtypes that aren't written in an interval, you will not see any of these records at all. The records indicate the duration of the type/subtype group by indicating the time stamp of the first and last records of the group.
An Interval Signature signs all SMF records of a specific type and subtype that are produced over the course of a single interval. Additionally, if no records of a specific type/subtype are produced in an interval but have been produced before the interval, a signature record indicating there are no records to sign will also be produced. In short, once a type/subtype combination is detected in the SMF logstream, there will always be interval records produced for that type/subtype, even if no records are written for that type/subtype combination for days or even weeks.
There are two PTFs that have been produced for CA SMF Director to handle the digital signature records and are needed when moving to z/OS 2.2. They are:
RO84407 - This PTF modifies the kernel load module of SMF Director, SMFD. It ensures that when SMF Director sees signature records, that they are handled properly. Additionally, this PTF adds the new "SIGNATURES" operand to the EXTRACT, PRINT and SPLIT control statements, indicating whether or not the output SMF file(s) produced by these control statements should contain the signature records. The default for all of the control statements is "SIGNATURES(NO)", meaning that the existing EXTRACT, PRINT and SPLIT control statements will produce output the same was as they did before digital signatures. If signatures are needed in the output file, then the SIGNATURES(YES) operand should be coded.
RO85733 - This PTF modifies the SMF logstream dumping programs SMFDLS, SMFDLX1, SMFDLX2, and SMFDLX3 so that logstream dumping will collect the digital signature records from any logstream where they are being recorded. Please note that SMF Director will always collect the signature records and place them into the SMF History files in its archive. This way they will be available for later recall if necessary. Signature collection will be done if SMF Director detects that the logstream is recording signatures. If the SMF dump is being performed from another system using a shared logstream that at release level z/OS 2.2, then the SIGNATURES control statement provided to SMFDLS via the SMFDLSIN DD can be used to tell SMF Director to collect the signatures.
There is a PDC available that documents all of the new control statement operands for SMFD and SMFDLS: RI84834
So, if you have any questions about SMF Digital Signatures, or questions about SMF Director's support of them, or even if you want to share/swap ideas about how you might go about implementing SMF Digital Signatures, please comment below!
Hi Mike --
Thanks for the detailed information -- please take the first opportunity to document this information in a CA SUPPORT ONLINE PROBLEM RECORD (associated with z/OS V2R2 SUPPORT with SMF DIRECTOR) -- not everyone is clued-in to CA COMMUNITIES and it should be documented / available as a simple SUPPORT ONLINE KB search. As much, sites need to understand the z/OS V2R2 TOLERATION support (bare minimum required), where PARMLIB SMFPRMxx member is not changed to activate this new feature, and as well the ENHANCED support, for site interested in exploiting this new feature.
We have to ensure continued operation with SMF DIRECTOR for SMF MAN / LOGSTREAM processing.
From what I can identify, you have documented an associated PROBLEM RECORD
DIGITAL SIGNATURE LOGSTREAM SUPPORT
So as long as no change is made to PARMLIB(SMFPRMxx) to activate the z/OS V2R2 feature, we should expect continued successful operation with SMF DIRECTOR DUMP executions.....from what I read.
The PTFs mentioned in the main article will ensure that SMF processing will continue uninterrupted whether a customer is using SMF MAN Files, SMF logstreams without signatures or SMF logstreams with signatures. If the two PTFs are not installed in SMF Director 12.7, MAN File and logstream dumping without signatures will not be affected. SMF logstream dumping with signatures will not work properly.
That said, the PTFs should be installed once going to z/OS 2.2 so that in the future if digital signatures are activated, CA SMF Director will be ready to handle them.
I also forgot to mention that no other changes to SMF Director are needed to support digital signatures are needed, and no configuration changes are needed as well.