Policy types and infrastructure overview
To implement networking policies for your users, you must use the z/OS® Communications Server policy infrastructure. You can use the policy types supported by the Policy Agent for any of the following purposes:
- Policy-based routing (See Policy-based routing)
- Quality of service (See Quality of service)
- Intrusion detection services (See Intrusion detection services)
- IP filtering, and manual and dynamic virtual private network (VPN) tunnels, collectively referred to as IPSec policies (See IP security)
- Application Transparent Transport Layer Security (AT-TLS) (See Application Transparent Transport Layer Security data protection)
For more information about the policy types, see Policy types.
Based on the policy types that you want to implement, you must configure and start one or more policy infrastructure components:
- TCP/IP stack
TCP/IP stacks implement most of the policy types. You need to start one or more stacks per logical partition (LPAR).
- Syslog daemon (syslogd)
Syslogd acts as the central message logging facility for z/OS UNIX applications. Syslogd is not specific to the policy infrastructure, but the policy infrastructure depends on syslogd to provide a central logging facility to maintain an audit trail. If you do not start syslogd, messages are lost. You should start one syslog daemon per LPAR.
- Policy Agent
You must start Policy Agent to install and maintain policies in the TCP/IP stacks in an LPAR. You need one Policy Agent per LPAR.
- Traffic regulation management daemon (TRMD)
TRMD formats and sends policy-related messages to your syslog daemon. You need one TRMD per TCP/IP stack in an LPAR.
- Internet Key Exchange daemon (IKED)
IKED is used for negotiating and setting up dynamic VPN tunnels. If you are not using dynamic VPN tunnels, you do not need to start IKED; otherwise, you need one IKED per LPAR.
- Network security services daemon (NSSD)
NSSD can be used as the central certificate and key server for z/OS IKE daemons, or as a network security server for selected non-z/OS platforms. NSSD can be used independently of any z/OS networking policies, but is an element of the overall z/OS networking policy infrastructure. Typically, you do not need an NSSD on every LPAR; one NSSD per sysplex is more likely.
- Defense Manager daemon (DMD)
DMD provides support for short-term defensive filters. You can use DMD without defining any IPSec filter policies, but typically you use DMD in addition to IPSec filter policy. You need one DMD per LPAR.
- Network service level agreement performance monitor 2 (NSLAPM2)
NSLAPM2 is an SNMP subagent that provides QoS metrics through MIB variables. You need one NSLAPM2 per TCP/IP stack in an LPAR.
For more information about syslogd, see Configuring the syslog daemon. For more information about the other policy infrastructure components, see Policy infrastructure components.
To determine the policy infrastructure components that you need to start based on which policy types you are implementing, see Table 1.
Table 1. Policy infrastructure components to start for each policy type (the instance count in each column header is per LPAR or per TCP/IP stack, as noted)

Policy type | TCP/IP stack (one or more instances per LPAR) | Policy Agent (one instance per LPAR) | syslogd (one instance per LPAR) | IKED (one instance per LPAR) | NSSD (one instance per LPAR) | DMD (one instance per LPAR) | NSLAPM2 (one instance per TCP/IP stack in an LPAR) | TRMD (one instance per TCP/IP stack in an LPAR)
---|---|---|---|---|---|---|---|---
QoS | Required | Required | Required | | | | Optional |
IDS | Required | Required | Required | | | | | Required
AT-TLS | Required | Required | Required | | | | |
IPSec filters | Required | Required | Required | | | Optional | | Required
IPSec VPNs | Required | Required | Required | Optional (dynamic VPNs) | Optional (central key and certificate server) | | | Required
Policy-based routing | Required | Required | Required | | | | |
You can use the IBM® Configuration Assistant for z/OS Communications Server for assistance with setting up and configuring security, JCL procedures, and configuration files for the following policy infrastructure components:
- Policy Agent, including policy definition files for QoS, IDS, AT-TLS, IPSec, and policy-based routing
- IKED
- NSSD
- DMD