To implement networking policies for your users, you must use the z/OS® Communications Server policy infrastructure. You can use the policy types supported by the Policy Agent for any of the following purposes:
For more information about the policy types, see Policy types.
Based on the policy types that you want to implement, you must configure and start one or more policy infrastructure components:
TCP/IP stacks implement most of the policy types. You need to start one or more stacks per logical partition (LPAR).
Syslogd acts as the central message logging facility for z/OS UNIX applications. Syslogd is not specific to the policy infrastructure, but every policy infrastructure component depends on it for central logging and for maintaining an audit trail. If you do not start syslogd, the messages that those components write are lost. Start one syslog daemon per LPAR.
You must start Policy Agent to install and maintain policies in the TCP/IP stacks in an LPAR. You need one Policy Agent per LPAR.
TRMD formats and sends policy-related messages to your syslog daemon. You need one TRMD per TCP/IP stack in an LPAR.
IKED is used for negotiating and setting up dynamic VPN tunnels. If you are not using dynamic VPN tunnels, you do not need to start IKED; otherwise, you need one IKED per LPAR.
NSSD can be used as the central certificate and key server for z/OS IKE daemons, or as a network security server for selected non-z/OS platforms. NSSD can be used independently of any z/OS networking policies, but it is an element of the overall z/OS networking policy infrastructure. You typically do not need an NSSD on every LPAR; one NSSD per sysplex is the usual configuration.
DMD provides support for short-term defensive filters. You can use DMD without defining any IPSec filter policies, but typically you use DMD in addition to IPSec filter policy. You need one DMD per LPAR.
NSLAPM2 is an SNMP subagent that provides QoS metrics through MIB variables. You need one NSLAPM2 per TCP/IP stack in an LPAR.
For more information about syslogd, see Configuring the syslog daemon. For more information about the other policy infrastructure components, see Policy infrastructure components.
To determine the policy infrastructure components that you need to start based on which policy types you are implementing, see Table 1.
Table 1. Policy infrastructure components required for each policy type

| Policy type | TCP/IP stack | Policy Agent | syslogd | IKED | NSSD | DMD | NSLAPM2 | TRMD |
|---|---|---|---|---|---|---|---|---|
| QoS | Required | Required | Required | | | | Optional | |
| IDS | Required | Required | Required | | | | | Required |
| AT-TLS | Required | Required | Required | | | | | |
| IPSec filters | Required | Required | Required | | | Optional | | Required |
| IPSec VPNs | Required | Required | Required | Optional (dynamic VPNs) | Optional (central key and certificate server) | | | Required |
| Policy-based routing | Required | Required | Required | | | | | |

Instances per component: TCP/IP stack, one or more per LPAR; Policy Agent, syslogd, IKED, NSSD and DMD, one per LPAR; NSLAPM2 and TRMD, one per TCP/IP stack in an LPAR. A blank cell means the component is not needed for that policy type.
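The following audit check is an added example, not code from the IBM documentation. It encodes Table 1 together with the instance rules stated above (one or more TCP/IP stacks per LPAR; one Policy Agent, syslogd, IKED, NSSD and DMD per LPAR; one TRMD and NSLAPM2 per stack) and compares them against an inventory of what is actually started in one LPAR, so that a missing syslogd or a stack without its TRMD is reported before policies are installed. The `Inventory` structure, its field names and the sample counts are constructed for illustration; they are not a z/OS interface or real process data.

```python
"""Audit which policy infrastructure components an LPAR is missing.

Added example (not from the IBM page).  Component names follow Table 1 of the
text; the Inventory structure and sample counts below are constructed for
illustration and do not reflect a real z/OS interface.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Instance rules from the text: one per LPAR, or one per TCP/IP stack.
PER_LPAR = {"Policy Agent", "syslogd", "IKED", "NSSD", "DMD"}
PER_STACK = {"NSLAPM2", "TRMD"}

# Every policy type needs a stack, Policy Agent and syslogd (Table 1).
COMMON = {"TCP/IP stack": "required", "Policy Agent": "required", "syslogd": "required"}

# Table 1: component -> "required" | "optional"; a component not listed is not needed.
TABLE_1: Dict[str, Dict[str, str]] = {
    "QoS":                  {**COMMON, "NSLAPM2": "optional"},
    "IDS":                  {**COMMON, "TRMD": "required"},
    "AT-TLS":               dict(COMMON),
    "IPSec filters":        {**COMMON, "DMD": "optional", "TRMD": "required"},
    "IPSec VPNs":           {**COMMON, "IKED": "optional", "NSSD": "optional", "TRMD": "required"},
    "Policy-based routing": dict(COMMON),
}

Finding = Tuple[str, str, str]  # (kind, component, scope); kind is missing | optional | excess


@dataclass
class Inventory:
    """Constructed inventory of started components in one LPAR (assumed shape)."""
    lpar: Dict[str, int] = field(default_factory=dict)                 # per-LPAR component -> instances
    stacks: Dict[str, Dict[str, int]] = field(default_factory=dict)    # stack -> per-stack component -> instances


def merge_requirements(policy_types: List[str]) -> Dict[str, str]:
    """Combine Table 1 rows for all policy types in use; 'required' wins over 'optional'."""
    need: Dict[str, str] = {}
    for ptype in policy_types:
        if ptype not in TABLE_1:
            raise ValueError(f"unknown policy type: {ptype!r}")
        for comp, level in TABLE_1[ptype].items():
            if need.get(comp) != "required":
                need[comp] = level
    return need


def audit(policy_types: List[str], inv: Inventory) -> List[Finding]:
    """Report required components that are not started, optional ones that are absent,
    and components started more than once where the text calls for exactly one."""
    need = merge_requirements(policy_types)
    findings: List[Finding] = []
    # The stack rule is "one or more per LPAR": only zero stacks is a problem.
    if "TCP/IP stack" in need and not inv.stacks:
        findings.append(("missing", "TCP/IP stack", "LPAR"))
    for comp, level in sorted(need.items()):
        if comp in PER_LPAR:
            scopes = {"LPAR": inv.lpar.get(comp, 0)}
        elif comp in PER_STACK:
            # Per-stack components are checked once for every started stack.
            scopes = {name: comps.get(comp, 0) for name, comps in sorted(inv.stacks.items())}
        else:
            continue  # TCP/IP stack already handled above
        for scope, count in scopes.items():
            if count == 0:
                findings.append(("missing" if level == "required" else "optional", comp, scope))
            elif count > 1:
                findings.append(("excess", comp, scope))
    return findings


if __name__ == "__main__":
    # Constructed sample: IDS plus IPSec on two stacks, syslogd never started,
    # and the second stack has no TRMD.
    sample = Inventory(
        lpar={"Policy Agent": 1, "IKED": 1},
        stacks={"TCPIP1": {"TRMD": 1}, "TCPIP2": {"TRMD": 0}},
    )
    for kind, comp, scope in audit(["IDS", "IPSec filters", "IPSec VPNs"], sample):
        print(f"{kind:8} {comp:13} in {scope}")
```

Run it against a real inventory by filling `Inventory` from whatever your site uses to enumerate started tasks; the check itself only depends on the component names in Table 1. A `missing` finding for syslogd is the one to fix first, since without it the messages from every other component are lost.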
You can use the IBM® Configuration Assistant for z/OS Communications Server for assistance with setting up and configuring security, JCL procedures, and configuration files for the following policy infrastructure components: