Configuring IP security using the IBM Configuration Assistant for z/OS Communications Server

The IBM® Configuration Assistant for z/OS® Communications Server, an optional GUI-based tool, provides a guided interface for configuring TCP/IP policy-based networking functions. You can use the Configuration Assistant to generate the Policy Agent and IKE daemon configuration files.

The Configuration Assistant is a z/OS Management Facility (z/OSMF) task. z/OSMF provides a web browser interface for a variety of z/OS system management functions. When you invoke the Configuration Assistant in z/OSMF, the Configuration Assistant runs natively in the z/OS system and you can access it through a web browser. To use the Configuration Assistant in z/OSMF, your system must be z/OS V1R11 or later.

Tip: If you have backing store files from V1R13 or an earlier release that were created on a Windows desktop version of Configuration Assistant, you can transfer them to the z/OSMF environment. For information about transferring Configuration Assistant data to z/OSMF, see IBM z/OS Management Facility Configuration Guide.

Through a series of wizards and online help panels, you can use the Configuration Assistant to create IP security configuration files for any number of z/OS images with any number of TCP/IP stacks per image. The Configuration Assistant works with four types of reusable objects:

For each TCP/IP stack, you create a set of connectivity rules that identify the data endpoints and indicate which requirement map governs security between those endpoints.

The Configuration Assistant comes with a number of IBM-supplied traffic descriptors, security levels, and requirement maps. You can easily apply these definitions to an existing network topology, or you can use them as the basis for your own set of reusable objects.

The Configuration Assistant can dramatically reduce the amount of time that is required to create IP security policy files, contributing to ease of configuration and maintenance. Because of the inherently complex nature of z/OS security, use of the GUI is encouraged to ensure that you have a consistent and easily manageable interface for implementing IP security.

This information primarily describes option 2, manual configuration. However, if you are using the Configuration Assistant, reading this information will help you understand security concepts and the relationship between Policy Agent and IP security function.