FICON Administrator's Guide
53-1002753-01
Chapter 2
Administering FICON Fabrics
User security considerations
To administer FICON, you must have one of the following roles associated with your login name on
the switch:
• Admin
• Operator
• SwitchAdmin
• FabricAdmin
The User and BasicSwitchAdmin roles are view-only. The ZoneAdmin and SecurityAdmin roles have
no access.
In an Admin Domain-aware fabric, if you use the FICON commands (ficonShow, ficonClear,
ficonCupShow, and ficonCupSet) for any Admin Domain other than AD0 and AD255, the current
switch must be a member of that Admin Domain. The output is not filtered based on the Admin
Domain. In virtual fabrics, these commands apply to the current logical or specified switch only.
Meeting Query Security Attribute requirements
In a cascaded switch configuration, FICON channels use an Extended Link Services Query Security
Attributes (ELS QSA) function to determine whether they are connected to a high integrity fabric.
When a FICON channel is connected to a fabric that is not high integrity, the channel will go into an
invalid attachment and isolated state (drop light), which then requires you to recover with the CPU
Hardware Management Console (HMC).
To ensure the FICON Channel QSA requirements have been met, be sure to configure the following
features:
• Insistent domain ID
• Fabric Wide Consistency Policy => SCC:S (Strict mode)
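A check for the two QSA prerequisites listed above, as an added example that is not part of the original guide: it parses text captured from each switch in a cascaded fabric and reports which prerequisite is unmet. The capture line formats (modelled on `configshow` and `fddcfg --showall` output), the switch names and the function names are assumptions.

```python
import re

# Constructed sample captures, one per switch. The two line formats are
# assumptions modelled on `configshow` and `fddcfg --showall` output.
SAMPLE = {
    "sw1": 'fabric.ididmode:1\nFabric Wide Consistency Policy :- "SCC:S;DCC"\n',
    "sw2": 'fabric.ididmode:1\nFabric Wide Consistency Policy :- "SCC;DCC:S"\n',
    "sw3": 'fabric.ididmode:0\nFabric Wide Consistency Policy :- ""\n',
}

def parse_policy(text):
    """Return {database: is_strict} from the fabric-wide consistency policy line."""
    m = re.search(r'Fabric Wide Consistency Policy\s*:-\s*"([^"]*)"', text)
    if not m:
        return None  # line missing: treat as unknown, never as compliant
    policy = {}
    for token in filter(None, (t.strip() for t in m.group(1).split(";"))):
        name, _, mode = token.partition(":")
        policy[name.upper()] = (mode.upper() == "S")
    return policy

def qsa_findings(text):
    """List the QSA prerequisites from the section above that a capture fails."""
    findings = []
    m = re.search(r"^fabric\.ididmode\s*:\s*(\d+)", text, re.MULTILINE)
    if not m or m.group(1) != "1":
        findings.append("insistent domain ID not enabled")
    policy = parse_policy(text)
    if policy is None:
        findings.append("fabric-wide consistency policy not found")
    elif "SCC" not in policy:
        findings.append("SCC not in fabric-wide consistency policy")
    elif not policy["SCC"]:
        findings.append("SCC policy is not strict (need SCC:S)")
    return findings

def audit(captures):
    """Map switch name -> findings; an empty list means both checks passed."""
    return {name: qsa_findings(text) for name, text in captures.items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Every switch in the cascade has to come back with an empty findings list; a policy that lists SCC without the `:S` suffix is reported separately from one that omits SCC.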