Before you install Mainframe Connector, you must perform the initial setup, including granting the required roles to your service account, setting up security for your assets, and setting up network connectivity between your mainframe and Google Cloud. The following sections describe each task in detail.
Set up security for your assets
Ensure that the following permissions required by Java Cryptography Extension Common Cryptographic Architecture (IBMJCECCA) (Java 8 or Java 17) are granted for your mainframe. Transport layer security (TLS) is used on all requests made from your mainframe to Google Cloud APIs. If these permissions are not granted, you will see an INSUFFICIENT ACCESS AUTHORITY error message.
ICSF Query Facility (CSFIQF)
Random Number Generate (CSFRNG)
Random Number Generate Long (CSFRNGL)
PKA Key Import (CSFPKI)
Digital Signature Generate (CSFDSG)
Digital Signature Verify (CSFDSV)
Set up network connectivity
Mainframe Connector interacts with the Cloud Storage, BigQuery, and Cloud Logging APIs. Ensure that Cloud Interconnect and VPC Service Controls (VPC-SC) are configured to allow access to specific BigQuery, Cloud Storage, and Cloud Logging resources from specified IP ranges, based on your enterprise policy. You can also use the Pub/Sub, Dataflow, and Dataproc APIs for additional integration between IBM z/OS batch jobs and data pipelines on Google Cloud.
Ensure that your network administration team has access to the following:
IP subnets assigned to the IBM z/OS logical partitions (LPARs)
Google Cloud service accounts used by IBM z/OS batch jobs
Google Cloud project IDs containing resources accessed by IBM z/OS batch jobs
Configure firewalls, routers, and Domain Name Systems
Configure your mainframe IP files to include rules in firewalls, routers, and Domain Name Systems (DNSs) to allow traffic to and from Google Cloud. You can install either userid.ETC.IPNODES or userid.HOSTS.LOCAL as the hosts file to resolve the standard Cloud Storage API endpoints as the VPC-SC endpoint. The sample file userid.TCPIP.DATA is deployed to configure DNS to use the hosts file entries.
Configure your network to enforce VPC-SC
To enforce VPC-SC on your on-premises network, configure it as follows:
Configure the on-premises routers to route IBM z/OS outbound traffic to destination subnets within the VPC networks and the restricted.googleapis.com special domain using Cloud Interconnect or a virtual private network (VPN).
Configure the on-premises firewalls to allow outbound traffic to VPC subnets or VM instances and Google API endpoints: restricted.googleapis.com 199.36.153.4/30.
Configure the on-premises firewalls to deny all other outbound traffic to prevent bypass of VPC-SC.
Configure the on-premises firewalls to allow outbound traffic to https://www.google-analytics.com.
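An added example, not part of the original page or of Mainframe Connector: a Python check that a hosts file in "address hostname" form pins www.googleapis.com and oauth2.googleapis.com only to addresses inside 199.36.153.4/30, so that a stray entry cannot send API traffic around VPC-SC. The sample file content, the handling of # and ; as comment markers, and the function names are assumptions made for this illustration.

```python
import ipaddress

# Range the page gives for restricted.googleapis.com.
RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")
# Hostnames that the hosts-file approach pins to the VPC-SC endpoint.
PINNED_HOSTS = {"www.googleapis.com", "oauth2.googleapis.com"}

# Constructed sample (not a real dataset). Lines 5 and 6 are deliberately
# wrong; treating '#' and ';' as comment markers is an assumption.
SAMPLE_IPNODES = """\
; constructed sample for the check below
199.36.153.4 www.googleapis.com
199.36.153.5 www.googleapis.com
199.36.153.6 oauth2.googleapis.com
203.0.113.10 oauth2.googleapis.com
199.36.153.8 www.googleapis.com
127.0.0.1 LPAR1
"""

def parse_entries(text):
    """Yield (line_no, ip, hostname) for every address/hostname pair."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {line_no}: expected 'address hostname'")
        ip = ipaddress.ip_address(fields[0])  # ValueError on a bad address
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def audit(text):
    """Return (out-of-range entries, pinned hosts with no in-range entry)."""
    findings, covered = [], set()
    for line_no, ip, name in parse_entries(text):
        if name not in PINNED_HOSTS:
            continue  # LPAR loopback names and other hosts are not checked
        if ip in RESTRICTED_VIP:
            covered.add(name)
        else:
            findings.append((line_no, name, str(ip)))
    return findings, sorted(PINNED_HOSTS - covered)

if __name__ == "__main__":
    findings, missing = audit(SAMPLE_IPNODES)
    for line_no, name, ip in findings:
        print(f"line {line_no}: {name} -> {ip} is outside {RESTRICTED_VIP}")
    print("pinned hosts with no in-range entry:", missing or "none")
```

An empty findings list and an empty missing list together mean every pinned hostname resolves only inside the restricted range.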
Grant service account permissions
Ensure that the following roles are granted to your service account. You can grant multiple roles to your service account using the Google Cloud console or grant the roles programmatically.
At the project level, assign the following roles:
Logs Writer
BigQuery Job User
On your Cloud Storage bucket, assign the following roles:
Storage Object Admin
BigQuery Data Editor
BigQuery Read Session User
Sample entries for the hosts and DNS files
ETC.IPNODES
199.36.153.4 www.googleapis.com
199.36.153.5 www.googleapis.com
199.36.153.6 www.googleapis.com
199.36.153.7 www.googleapis.com
199.36.153.4 oauth2.googleapis.com
199.36.153.5 oauth2.googleapis.com
199.36.153.6 oauth2.googleapis.com
199.36.153.7 oauth2.googleapis.com
127.0.0.1 LPAR1 (based on LPAR configuration)
127.0.0.1 LPAR2
127.0.0.1 LPAR3
HOSTS.LOCAL
HOST : 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7 : WWW.GOOGLEAPIS.COM ::::
HOST : 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7 : OAUTH2.GOOGLEAPIS.COM ::::
TCPIP.DATA
LOOKUP LOCAL DNS
Last updated 2025-09-03 UTC.