Broker partitioning
Address translation is an enhanced security feature of some firewall configurations. With this feature, components that must be reached across the firewall have two unique but corresponding addresses: the external address (valid for components outside the firewall) and the internal address (valid for components inside the firewall). A component on either side of the firewall knows only about the address that is valid for its partition (its own side of the firewall).
You can configure broker partitioning during configuration of the monitoring server on a z/OS® system. To do so, you specify Y as the value of the KDS_TEMS_COMM_ADDRESS_XLAT parameter in the PARMGEN configuration profile. You also supply the label that identifies the location of the monitoring server relative to the firewalls used for address translation, as the value of the KDS_TEMS_PARTITION_NAME parameter in the PARMGEN configuration profile.
The partition name that you supply is added to the partition table, which contains labels and associated socket addresses provided by the firewall administrator. The label is used outside the firewall to establish monitoring server connections.
Additionally, you supply the IP address of the monitoring server in its own partition, and the partition name and address assigned to the monitoring server from a location on the other side of each firewall being used. These values are saved as the KDC_PARTITIONFILE environment variable in the KDSENV member of the rhilev.rte.RKANPARU library. KDC_PARTITIONFILE points to a new member, KDCPART, created in the rhilev.rte.RKANPARU library.
Then, when you configure a monitoring agent that reports to the monitoring server, you specify Y as the value of the address translation parameter, and you supply the partition label of the monitoring server. These values are saved as the KDC_PARTITION environment variable in the monitoring agent's KppENV member of the rhilev.rte.RKANPARU library.
The well-known port for the hub monitoring server must be authorized by the firewall administrator. For the IP*.*PIPE protocols, no additional ports require authorization. For the IP*.UDP protocols, a range of UDP ports must be authorized.