Steps for configuring the DMD

The Defense Manager daemon (DMD) plays an integral role in managing defensive filters, and must be active for defensive filters to be added, updated, or deleted.

Procedure

Perform the following steps to configure the DMD:

  1. Authorize the DMD to the external security manager.
  2. Create the directories that the DMD needs.
    1. Create the directory /var/dm for use by the DMD. The DMD user ID must have permission to create, delete, read, and write files in this directory.
    2. If you set the PID file location with the DMD_PIDFILE environment variable, ensure that the path portion of the file name exists and that the DMD user ID has permission to create and write files to that directory. If you use the default PID file location, /var/dm/dmd.pid, you have already created the directory and given the DMD user ID the appropriate access in the previous step.
    3. Create the directory that will hold the persistent defensive filters for each stack, as well as the global defensive filters.
      The DMD configuration file parameter DefensiveFilterDirectory points to this directory. The default value is /var/dm/filters. Ensure that the DMD user ID is authorized to create, delete, read from, and write to files in this directory. The directory should have sufficient space to support at least 1 MB of data for each TCP/IP stack, plus another 1 MB for the global filter definitions. For more information about the DefensiveFilterDirectory parameter in the DMD configuration file, see z/OS Communications Server: IP Configuration Reference.
  3. Create the DMD configuration file.
    Take one of the following actions:
    • Use the IBM® Configuration Assistant for z/OS® Communications Server.

      The IBM Configuration Assistant for z/OS Communications Server, an optional GUI-based tool, provides a guided interface for configuring TCP/IP policy-based networking functions. You can use the IBM Configuration Assistant for z/OS Communications Server to generate the DMD configuration file.

      The IBM Configuration Assistant for z/OS Communications Server is a z/OS Management Facility (z/OSMF) task. z/OSMF provides a web browser interface for a variety of z/OS system management functions. When you invoke the IBM Configuration Assistant for z/OS Communications Server in z/OSMF, the IBM Configuration Assistant for z/OS Communications Server runs natively in the z/OS system and you can access it through a web browser.

      Through a series of wizards and online help panels, you can use the GUI to create DMD configuration files for any number of z/OS images with any number of TCP/IP stacks per image.

    • Configure the file manually.

      A sample configuration file is in /usr/lpp/tcpip/samples/dmd.conf.

      For a description of the DMD configuration file, see z/OS Communications Server: IP Configuration Reference.

    If the DMD was defined to the external security manager with a nonzero UID, ensure that the DMD has permission to read the configuration file. The DMD user ID must have both read access to the configuration file and execute access to the directory containing the configuration file.

    Tip: You can create the configuration file in the /var/dm directory and use the DMD_FILE environment variable to specify the configuration file. You set up the /var/dm directory in step 2 to allow the DMD to create, delete, read, and write files in this directory.

    The following search order is used by the DMD to locate the configuration data set or file:

    1. If the environment variable DMD_FILE is defined, the DMD uses the value as the name of an MVS™ data set or z/OS UNIX file to access the configuration data.
    2. /etc/security/dmd.conf

    You can specify statements in the configuration file using a variety of EBCDIC code pages. Use the DMD_CODEPAGE environment variable to specify the code page that you want to use. The default code page is IBM-1047.

  4. Optionally, set the _BPX_JOBNAME environment variable.
    When you start the DMD from the z/OS UNIX shell, set the environment variable _BPX_JOBNAME. This enables a specific job name to be used with the STOP or MODIFY console commands. For information about _BPX_JOBNAME, see z/OS UNIX System Services Planning.
  5. Configure and start syslogd.
    The DMD uses the local4 facility when writing messages to syslogd. For performance purposes, syslogd should use z/OS File System as its underlying file system. For more information about syslogd, see Configuring the syslog daemon.
  6. Optionally, update the DMD environment variables.
    The DMD uses the following environment variables. You can modify them for your installation.
    DMD_CODEPAGE
      Use the DMD_CODEPAGE variable to specify the EBCDIC code page to be used when reading the configuration file. For details about the supported code pages, see z/OS Communications Server: IP Configuration Reference.
    DMD_CTRACE_MEMBER
      Used by the DMD to locate a parmlib member for DMD CTRACE customization. For more information about the TCP/IP services component trace for the DMD, see z/OS Communications Server: IP Diagnosis Guide.
    DMD_FILE
      Used by the DMD in the search order for the DMD configuration file. For details about the search order used for locating this configuration file, see step 3.
    DMD_PIDFILE
      Used by the DMD in the search order for the file that should contain the DMD process ID (PID). The search order for the DMD PID file is as follows:
      1. DMD_PIDFILE environment variable
      2. /var/dm/dmd.pid
  7. If you are starting the DMD as a started procedure, update the DMD cataloged procedure.
    Create the cataloged procedure by copying the sample in SEZAINST(DMD) to your system. Specify the DMD parameters and change the data set names to suit your local configuration. A copy of the DMD cataloged procedure can also be found in z/OS Communications Server: IP Configuration Reference.

    If the DMD was defined to the external security manager with a nonzero UID and the cataloged procedure specifies an HFS file containing environment variables, ensure that the DMD has permission to read the HFS file.
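
The directory, PID file, and configuration file requirements from steps 2, 3, and 6 can be verified before the first start. The following z/OS UNIX shell script is an added example, not IBM sample code: it is meant to be run under the DMD user ID, assumes the configuration is a z/OS UNIX file rather than an MVS data set, and its function names and the check argument are made up for illustration.

```sh
#!/bin/sh
# Added example: pre-flight check for the DMD setup steps, run under the DMD
# user ID. Function names are illustrative; they are not part of the DMD.

# Step 3 search order: DMD_FILE if defined, otherwise /etc/security/dmd.conf.
# Assumption: an empty value counts as not defined, and the value names a
# z/OS UNIX file (an MVS data set name is not handled here).
dmd_conf_path() { printf '%s\n' "${DMD_FILE:-/etc/security/dmd.conf}"; }

# Step 6 search order: DMD_PIDFILE if defined, otherwise /var/dm/dmd.pid.
dmd_pid_path() { printf '%s\n' "${DMD_PIDFILE:-/var/dm/dmd.pid}"; }

# Step 2: succeed only if the caller can create, write, read, and delete a
# file in directory $1. The probe file is removed again.
dir_usable() {
    [ -d "$1" ] || return 1
    probe="$1/.dmd_probe.$$"
    ( umask 077; echo probe > "$probe" ) 2>/dev/null || return 1
    probe_rc=0
    cat "$probe" >/dev/null 2>&1 || probe_rc=1
    rm -f "$probe" 2>/dev/null || probe_rc=1
    [ ! -e "$probe" ] || probe_rc=1
    return "$probe_rc"
}

# Step 3: read access to the file and execute (search) access to its directory.
conf_readable() {
    [ -f "$1" ] && [ -r "$1" ] && [ -x "$(dirname "$1")" ]
}

# $1 = value of DefensiveFilterDirectory (default /var/dm/filters).
dmd_preflight() {
    status=0
    filters=${1:-/var/dm/filters}
    pid_dir=$(dirname "$(dmd_pid_path)")
    # The PID directory only needs create and write; the probe is stricter.
    for d in /var/dm "$pid_dir" "$filters"; do
        dir_usable "$d" || { echo "FAIL: create/write/read/delete in $d"; status=1; }
    done
    conf=$(dmd_conf_path)
    conf_readable "$conf" || { echo "FAIL: read $conf or search its directory"; status=1; }
    return "$status"
}

# Run the checks only when invoked as: sh dmd_preflight.sh check [filter-dir]
if [ "${1:-}" = check ]; then dmd_preflight "${2:-}"; fi
```

A nonzero exit status means at least one requirement is not met for the user ID that ran the script; run it with the same DMD_FILE and DMD_PIDFILE values that the DMD will be started with.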

Results

You know you are done when you can start the DMD. For details, see Starting the DMD.