Q: What is IBM z/OS® Change Tracker, and why should I use it?

A: IBM z/OS Change Tracker is a System Software Change Control and Management solution for the z/OS platform. System programmers can identify, track, and recover hundreds of configuration files in real-time using IBM z/OS Change Tracker. Mission-critical system and application software configuration data can be monitored automatically in real-time for z/OS environments. At a glance, IBM z/OS Change Tracker offers:

• Unprecedented control: Track and control real-time system-wide software configuration changes.

• Enhanced recovery processes: Automatic versioning of identified system control data sets.

• Rollback Capabilities: Rollback capabilities to undo unplanned/unsuccessful promotions.

• Next-level monitoring: Data set recovery and reporting of real-time configuration data changes.

Q: Why is IBM z/OS Change Tracker only available on z/OS V2.5 or later? What about z/OS V2.4?

A: IBM z/OS Change Tracker is only available on z/OS V2.5 or later due to functional dependencies which are only satisfied with that release. Those functional dependencies were not provided in z/OS releases prior to z/OS V2.5, meaning that IBM z/OS Change Tracker is available for V2.5 and above.

Q: Where can I find out about latest PTFs delivered for IBM z/OS Change Tracker?

A: This web page contains the details for the PTFs which have been delivered for IBM z/OS Change Tracker. It included both defect corrective PTFs, as well as new function Continuous Delivery PTFs.

Q: Can I try out IBM z/OS Change Tracker without buying it ahead of time?

A: Yes. With the PTF for APAR PH51954, you can try out IBM z/OS Change Tracker for 90 consecutive days at no charge, but it is subject to the normal hardware and software consumption on z/OS. For enabling the trial, you would use IFAPRDxx, according to the dynamic enablement conditions found in the z/OS Planning for Installation book. The entry for the IBM z/OS Change Tracker trial in IFAPRDxx is FEATURENAME('CHNGTRKR_TRIAL90').

Q: What added value can the priced feature IBM z/OS Change Tracker bring to my system?

A: Although you may have existing functions (or indeed, other vendor products which you pay for today) which supply similar capabilities, we feel that IBM z/OS Change Tracker is superior at providing additional capabilities that z/OS Systems Programmers need for robust and real-time systems management.

For instance, you might have the existing ability to determine who has modified a certain data set or have basic security protection for an entire data set, but IBM z/OS Change Tracker can extend further into that capability and allow an administrator to allow specific check in and check out permission such that modifications can be only performed at certain times. Further, an enterprise can determine that any modifications require an explanation provided for the modification which is saved with the change, and then be notified of changes that occurred. These easily performed functions, along with others, make IBM z/OS Change Tracker more valuable to the z/OS Systems Programmer.

Q: Do system programmers require extensive knowledge of z/OS to be able to utilize IBM z/OS Change Tracker?

A: No, IBM z/OS Change Tracker helps to replace manual procedures for auditing and investigating systems changes. using concepts that are easy to understand and follow. For instance, you could review the information collected by IBM z/OS Change Tracker to determine what system configuration changes have occurred during the course of a system failure investigation Then, be able to do recovery from an unplanned or undesired change quickly. Member-level backups generated by IBM z/OS Change Tracker when the change has been made are available. This allows z/OS Systems Programmers and system auditors to easily pinpoint what, who, and how changes were made.

Q: How do I install IBM z/OS Change Tracker?

A: IBM z/OS Change Tracker was made generally available on May 13, 2022 and is now included in the z/OS V2.5 and later ServerPacs. (You can easily check your z/OS V2.5 ServerPac to see if z/OS Change Tracker has been installed by seeing if SMP/E FMID HCYG100 is installed.)

If you choose to order z/OS Change Tracker through a CBPDO, the easiest method is to order a z/OS V2.5 CBPDO, indicating on Shopz that you wish to be entitled to IBM z/OS Change Tracker. You will be delivered the entire z/OS V2.5 product, along with IBM z/OS Change Tracker. Don't worry, you don't need to install all of z/OS V2.5! The IBM z/OS Change Tracker is a very simple install of SMP/E FMIDs (HCYG100 base, and JCYG10J for Japanese), using the supplied z/OS V2.5 Program Directory. IBM z/OS Change Tracker installs into its own data sets and sample jobs are supplied.

z/OS Change Tracker is now part of z/OS Management Facility (z/OSMF). Instructions and information for setting up z/OSMF are available in the z/OSMF Configuration Guide.

Q: How do I configure IBM z/OS Change Tracker?

A: IBM z/OS Change Tracker, like many other functions, is configured with a z/OSMF Workflow. You can find the supplied Workflow in path-prefix/usr/lpp/cyg/zosmf/workflow/cygwflw.xml after you have completed your installation.

The z/OSMF Workflow also includes the steps to set up the z/OSMF plug-in for IBM z/OS Change Tracker.

Q: Now that I have IBM z/OS Change Tracker configured and up and running, how do I start tracking my data sets?

A: Once you have the IBM z/OS Change Tracker started task up and running and your IBM z/OS Change Tracker administrators and users defined, you can start identifying the resources you wish to track and the desired characteristics of them. A good place to start is the 'Administration' section of the Guide and Reference found here:https://www.ibm.com/docs/en/zos/2.5.0?topic=ispf-administration

Q: I see in the Guide and Reference that IBM z/OS Change Tracker has an ISPF panel interface with batch jobs that can be run. Don't you have a z/OSMF interface?

A: Both options are now available! IBM z/OS Change Tracker does have an ISPF interface and batch jobs that can be run, however we encourage clients to utilize the new z/OSMF Change Tracker plugin for an even better user experience. The z/OSMF plugin is designed to offer a modern graphical user interface that will enable a more robust and simpler user experience with IBM z/OS Change Tracker. By using recognizable icons and intuitive compare methods, customization and reporting from IBM z/OS Change Tracker can be used to identify resources to manage, check in and check out data sets and members, and is designed to be quickly understandable and lessen time to productive use. Additional functions for the IBM z/OS Change Tracker in z/OSMF are expected to be added over time.

Q: I see there are lots of functions in IBM z/OS Change Tracker which help the z/OS Systems Programmer, but there are other helpful functions out there. How does IBM z/OS Change Tracker fit with those other solutions?

A: There certainly are a lot of z/OS functions and IBM products available to help z/OS Systems Programmers perform their job! And you probably have some homegrown tools as well. IBM z/OS Change Tracker is not intended to replace any of those, but rather complement and augment them by providing additional capabilities that are needed to help track configuration data sets to keep your systems running with the configuration that you intend.

For instance, specific component knowledge has been encoded into IBM Health Checks to help advise on preferred configurations or an upcoming upgrade action that you will encounter. IBM z/OS Change Tracker does not interfere with component verification during its tracking of your configuration files, managing backups, and controlling who can and cannot access resources at a certain time. If you change your configuration based on the advice of an IBM Health Check, IBM z/OS Change Tracker can take a backup of that change automatically, identify who/how/when the change was done, and even require a reason for doing that permitted change (so the user can indicate it was a specific IBM Health Check perhaps). This scenario shows that IBM z/OS Change Tracker does not conflict with, but rather can nicely augment a change that was indicated by an IBM Health Check.

Q: Are load libraries supported? What kinds of data set can I track?

A: You can monitor a load library if you desire. Today, IBM z/OS Change Tracker can monitor and protect PDS, and PDSE data sets. In addition, sequential, and entire VSAM data sets (including entire zFS data sets) and volumes can be identified for comparisons in snapshops. We have a requirement for being able to monitor individual z/OS UNIX® files. If you need other types of data set monitored, please open a requirement (now called an “Idea“) as we are interested in making sure that IBM z/OS Change Tracker provides comprehensive coverage of your system configuration assets.

Q: How does the IBM z/OS Change Tracker differ from the z/OS Generic Tracking Facility?

A: The z/OS Generic Tracking Facility is intended to surface desired information when programs are run and an event is detected which is important to note. The Generic Tracker captured events you might be familiar with, such as the use of one-byte console IDs, specific JES statements, or DFSMS™ EAV information. The Generic Tracker provides a callable service which applications or products can exploit to surface this information.

IBM z/OS Change Tracker is intended to help the z/OS systems programmer manage system configuration data sets easier.

Q: What is the difference between Fingerprint/Tokenization/Snapshot?

A: We understand the confusion over these terms and are trying to consolidate them to make it easier to follow:

• The term “snapshot” is the preferred word for the concept of capturing an instance of data at a point in time. IBM z/OS Change Tracker intends to use this term consistently as future functions are delivered.

• The terms “tokenization” and “token” are today used heavily within the ISPF panels and batch JCL for IBM z/OS Change Tracker. This relates to the internal implementation that IBM z/OS Change Tracker uses to capture the instance of data that a user has requested. Although the internal implementation of tokenization is planned to continue in IBM z/OS Change Tracker with future planned functions, you probably will see that term used less frequently in interfaces.

• The term “fingerprint” is planned to be used by IBM z/OS Change Tracker in the z/OSMF interface, rather than the term “tokenization”. “Tokenization” and “fingerprint” are the same, but within an intended z/OSMF interface, “fingerprint” is preferred.

Q: Is the “snapshot” comparable to other solutions using checksums?

A: IBM z/OS Change Tracker uses its own unique method for taking snapshots and has its own internal implementation to capture an instance of data. The method it uses is not disclosed.

Q: Are there prerequisites for running IBM z/OS Change Tracker?

A: The only prerequisite is z/OS V2.5 or later, and two V2.5 PTFs which are indicated during the installation. Since IBM z/OS Change Tracker is a priced feature, then entitlement of the feature is also required which allows the feature to be enabled in your IFAPRDxx parmlib member.

Q: Is DFSMShsm™ a requirement? If not, what utilities are used for backup?

A: IBM z/OS Change Tracker has no functional dependency on DFSMShsm or any other priced z/OS feature or program product. In fact, the only functional dependency is the base z/OS V2.5 or later itself (and some z/OS V2.5 PTFs already mentioned), and since IBM z/OS Change Tracker comes preinstalled with z/OS V2.5 or later, that means there are no external dependencies. IBM z/OS Change Tracker uses its own internal implementation to keep saved versions of changed resources in its own repository.

Q: What additional security benefit is there compared to what I have with RACF® , Top Secret, or ACF2?

A: Typically, a security product will control access to a complete data set and the members contained in that data set. IBM z/OS Change Tracker has configuration options that allow a more granular approach to monitoring and controlling access to these members. If a data set is “locked” by the IBM z/OS Change Tracker Administrator, members must first be checked out to a user or group before they can make any updates even if they have authority to write to the data set. Any attempts to update a member before being checked out will result in the update failing and can be tracked in the IBM z/OS Change Tracker activity reports.

In addition, the administrator can enforce use of comments to document the reason for the change to that member, as well as taking a backup of the member once it has been changed. This allows a review of both the previous and updated versions of the member, as well as the ability to easily restore to a previous version from the IBM z/OS Change Tracker ISPF panels.

Q: How does IBM z/OS Change Tracker work with my external security manager (like RACF)? Does it replace it?

A: Your external security manager still controls the access to the data set underneath IBM z/OS Change Tracker. In other words, you can't “bypass” any RACF permissions, as IBM z/OS Change Tracker just has additional granular control on top of your security product.

Q: What are the corresponding RACF profiles / classes?

A: There are new resource profiles needed for IBM z/OS Change Tracker, and these profiles can be viewed and validated using the z/OSMF Security Configuration Assistant. Use the z/OSMF configuration workflow for IBM z/OS Change Tracker to set them up. IBM z/OS Change Tracker grants different levels of access and involvement depending on user role: administrator, user, or auditor.

• Administrators are able to define libraries to be monitored and protected, and can grant individuals access to update locked members.

• Users can verify that software on multiple local or remote systems is identical. Users can view and compare backups. If IBM z/OS Change Tracker finds any differences, it identifies which members in the libraries have different contents.

• Auditors are participants who are able to receive and view outputs generated by IBM z/OS Change Tracker.