Step 1: Consider whether to use TLS/SSL (using AT-TLS on z/OS)

As you plan to use the z/OS® Load Balancing Advisor, consider whether you need to use TLS/SSL (using AT-TLS on z/OS). The z/OS Load Balancing Advisor acts as a TCP server application, listening on two distinct ports: one on which Load Balancing Agents connect, and one on which external load balancers [or automated domain name registration (ADNR)] connect. You need to restrict the ability to establish a connection to either port, because the interfaces behind them are sensitive and can be exploited by any peer whose connection the Load Balancing Advisor accepts; once the connection is established, the Advisor trusts what arrives on it.

For the agent listening port, ensure that only authorized agents are allowed to connect, because these agents are the source of the information that indicates server application availability, health, and performance, and an unauthorized peer on this port could feed the Advisor false data.

For the external load balancer Server/Application State Protocol (SASP) port, ensure that only authorized load balancers and ADNR are allowed to connect, because this interface can be used to obtain sensitive information such as which TCP/IP applications are available in the sysplex and the CPU usage of each system.

You can use AT-TLS to encrypt the data flowing between an external load balancer and the Advisor's TCP/IP stack, and between an Agent's TCP/IP stack and the Advisor's TCP/IP stack.

You can use one or both of the following methods to authorize connections to the z/OS Load Balancing Advisor:

- Advisor configuration parameters, which restrict which agents and which load balancers (identified by their IP addresses) are allowed to connect to the respective ports.
- AT-TLS, which authenticates the connecting agent or load balancer by its X.509 certificate during the TLS handshake, before the Advisor's application code sees the connection.

Although the configuration parameters might be sufficient in environments in which the Load Balancing Advisor, Agents, and external load balancers are all inside a secure network (for example, isolated by a firewall), they might not be sufficient in environments in which the network is not considered as secure, or in which protection against IP address spoofing attacks is important: an address-based check can only trust the source IP address carried in the packet.

With AT-TLS, the z/OS Load Balancing Advisor provides you with a more secure way to authorize access to critical Load Balancing Advisor resources, using industry-standard network security standards like TLS/SSL: the connecting peer is authenticated by its certificate rather than by a source IP address that can be spoofed. The AT-TLS approach also encrypts the data exchanged on both connections, so that the availability, health, and performance information carried over them cannot be read or altered in transit, and it does so transparently, without changes to the Advisor, the Agents, or the load balancers.
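The following Policy Agent configuration fragment is an added illustration, not part of the z/OS documentation and not shipped with the product. It shows how the two Advisor listening ports can be placed under AT-TLS with client certificate authentication required, plus the matching outbound rule on an Agent system. Everything specific in it is an assumption chosen for the example: the job names LBADV and LBAGENT, the agent port 8100, the SASP port 3860, and the SAF key ring names LBADVRING and LBAGTRING. The Advisor's key ring is assumed to hold the Advisor's server certificate and the CA certificate that issued the Agents' and load balancers' client certificates.

```text
# Added example (not from the z/OS documentation): AT-TLS policy for the
# Policy Agent on the system that runs the Load Balancing Advisor.
# Assumed (not stated on the page): Advisor job name LBADV, agent port 8100,
# SASP port 3860, server certificate and trusted CA on key ring LBADVRING.

TTLSRule                        LBAdvisorAgentPort
{
   LocalPortRange               8100
   Direction                    Inbound
   Jobname                      LBADV
   TTLSGroupActionRef           grpLBAdvisor
   TTLSEnvironmentActionRef     envLBAdvisorServer
}

TTLSRule                        LBAdvisorSASPPort
{
   LocalPortRange               3860
   Direction                    Inbound
   Jobname                      LBADV
   TTLSGroupActionRef           grpLBAdvisor
   TTLSEnvironmentActionRef     envLBAdvisorServer
}

TTLSGroupAction                 grpLBAdvisor
{
   TTLSEnabled                  On
}

TTLSEnvironmentAction           envLBAdvisorServer
{
   # The Advisor is the TLS server and demands a certificate from the peer.
   HandshakeRole                ServerWithClientAuth
   TTLSKeyringParms
   {
      Keyring                   LBADVRING
   }
   TTLSEnvironmentAdvancedParms
   {
      # Required: a handshake in which the peer presents no certificate, or one
      # that does not validate against the CA on the key ring, fails before the
      # Advisor ever sees the connection. SAFCheck goes further and also maps
      # the certificate to a SAF user ID.
      ClientAuthType            Required
      SSLv3                     Off
      TLSv1                     Off
      TLSv1.1                   Off
      TLSv1.2                   On
   }
}

# Matching policy on each system that runs a Load Balancing Agent. Assumed:
# Agent job name LBAGENT, Agent client certificate on key ring LBAGTRING.
# The Agent is the TLS client; AT-TLS validates the Advisor's server
# certificate against the trusted CA on this key ring.
TTLSRule                        LBAgentToAdvisor
{
   RemotePortRange              8100
   Direction                    Outbound
   Jobname                      LBAGENT
   TTLSGroupActionRef           grpLBAgent
   TTLSEnvironmentActionRef     envLBAgentClient
}

TTLSGroupAction                 grpLBAgent
{
   TTLSEnabled                  On
}

TTLSEnvironmentAction           envLBAgentClient
{
   HandshakeRole                Client
   TTLSKeyringParms
   {
      Keyring                   LBAGTRING
   }
}
```

The two halves belong in the Policy Agent configuration of different systems (the Advisor's and each Agent's); they are shown together only so that both sides of the handshake are visible. External load balancers and ADNR connecting to port 3860 must likewise present a certificate issued by a CA on LBADVRING, which is what makes the SASP port resistant to a spoofed source address where an IP-based configuration parameter is not. After activating the policy, `pasearch -t` displays the AT-TLS rules the Policy Agent has installed, and the NETSTAT TTLS report shows which connections are actually protected; confirm that a connection attempt without a client certificate is rejected before relying on the policy.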

For more information about using AT-TLS, see Application Transparent Transport Layer Security data protection.