How do I configure z/OS and SMP/E for RECEIVE ORDER processing for BMC Compuware products?

SMP/E RECEIVE ORDER requires:

• DigiCert Global Root G2 certificate
• BMC X.509 certificate

Procedure to generate and download BMC X.509 certificate:

1. Login to https://webepd.bmc.com/zso using your BMC Support Central credentials.
2. Click on the "Mainframe-Services" tab;
3. Under "Services" change the "Select a Service" pull-down menu to "Request x.509 user certificate";
4. Select the correct "Support ID" under "My support contracts" and click the "Continue" button;
5. Under "Certificate type" select one of the following: "SHA-256 Hash with 1024-bit RSA key" or "SHA-256 Hash with 2048-bit RSA key";
6. Enter a passphrase in the "Keystore passphrase" and "Confirm keystore passphrase" fields and click the "Continue" button;
7. Download the certificate file to your PC;
8. Upload the certificate file in BINARY mode to a sequential dataset (or USS file) on the mainframe for import into RACF, ACF2, Top Secret or a GSK (Global Security Kit) keyring.

For details on how to update your keyring to include the BMC X.509 certificate, read:

• Secure File Transfer User Guide for BMC Customers

For details on configuring SMP/E for RECEIVE ORDER, please review the following pages on BMC Support Central:

• Getting Started With RECEIVE ORDER
• Requesting RECEIVE ORDER via a batch job
• RECEIVE ORDER Can x.509 user certificate be used by multiple users?

The following IBM references are also helpful:

• z/OS SMP/E User's Guide
• z/OS SMP/E Commands
• z/OS SMP/E Messages, Codes, and Diagnosis
• Preparing to use Internet service retrieval
• Setting up z/OS security server RACF

SMP/E RECEIVE ORDER (RO) requires a <ORDERSERVER> and <CLIENT> configuration:

//SMPSNTL  DD  *
  RECEIVE SYSMODS HOLDDATA ORDER(
          FORTGTZONES(target1,target2,target3)
          CONTENT(ALL)
          WAIT(NOLIMIT)
          ORDERSERVER(ORDSERVC)
          CLIENT(CLNTINFO)).
/*

Click here for sample SMP/E RO JCL for BMC.

Per the example below, the RO job will connect to https://ws-prod.bmc.com/smpe on port 443 to request an order and will later download the <PACKAGE> using a <CLIENT> connection to filedownload.bmc.com.

If the <CLIENT> uses downloadmethod="https", the entire process will happen via HTTPS on port 443.

If downloadmethod="ftp" is specified or the CLIENT keyword is removed from the RECEIVE command, SMP/E will launch a shell to invoke the /bin/ftp command and the default ftp.data settings (or those specified by <FTOPTIONS> settings in the <CLIENT> configuration).

Regardless of whether the <CLIENT> configuration invokes the Java Client (GIMJVCLT) or /bin/ftp, SMP/E will use the OMVS segment of the userid of the job for the required shell environment. If the userid does not have an OMVS segment or the one that exists does not have the authority required for the Unix System Services required by SMP/E, the job will fail. If there is a RACF authority error, the job may include ICH408I messages in the output. Similar messages may occur for ACF2 or Top Secret.

The <ORDERSERVER> dataset must use the "certificate" name of the X.509 certificate that was created in the procedure above; "BMCX509" shown below is just a possible example and not a default:

//ORDSERV  DD  *
  <ORDERSERVER
    url="https://ws-prod.bmc.com/smpe"
    keyring="*AUTH*/*"
    certificate="BMCX509"
    inventory="all"
  >
  </ORDERSERVER>
/*

When the BMC Order Server responds, it sends back a <SERVER> configuration that the <CLIENT> will use to download the <PACKAGE>:

<SERVER
  host="filedownload.bmc.com"
  user="username"
  pw="****************"
>
<PACKAGE
  file="/download/GIMPAF.XML"
  hash="3596CD58BCD1D3AF975A97DA164857468BEF647A"
  id="ORD#####-DDMonthYYYY-HH.MM.SS.###"
>
</PACKAGE>
</SERVER>

The <CLIENT> will then connect to the <SERVER> and download the <PACKAGE> to the SMPNTS dataset:

//SMPNTS   DD  PATHDISP=KEEP,PATH='/SMPNTS/ORDER/'

//CLNTINFO DD  *
   <CLIENT
     javadebugoptions="-Dcom.ibm.smp.debug=finest -showversion"
     downloadmethod="https"
     downloadkeyring="*AUTH*/*">
   </CLIENT>
/*

The downloadkeyring specified in the <CLIENT> must contain the DigiCert Global Root G2 certificate.

If the HTTPS connection must go through a proxy, add the following to the <CLIENT> dataset before the </CLIENT> statement:

<HTTPPROXY
  host="company.http.proxy.server"
  port="8080"
>
</HTTPPROXY>

During SMP/E processing you will see the package being unpacked:

"/bin/pax -rvf /SMPNTS/ORDER/..."

When the RECEIVE command completes successfully the package is removed:

"/bin/rm -r /SMPNTS/ORDER/ORD######-DDMonthYYYY-HH.MM.SS/smpeYYYYMMDDHHMM..."

If the SMP/E RO job is having problems connecting to the BMC order server, issue the "INPUT ON" command in SDSF prior to capturing the entire job output so that all instream statements are captured in the output. Then open a case and attach the full job output to the case as a text file.