Configuring the Enterprise Connector for Illumio instance
As an end user, you must specify the TCP/IP stack name on the IPSecConfig statement because each TCP/IP stack has its own configuration file. If you use IPSec VPNs, you can use the VPNConfig statement to define the path to the file that contains the IPSec VPN configuration.
You can run BMC AMI Enterprise Connector for Illumio in one of the following modes:
- Gateway
- Standalone
- Agent
If you omit the Instance keyword from the configuration for gateway mode, the product runs in standalone mode, which is also called single LPAR mode. In standalone mode, each instance of EC for Illumio runs as a separate product.
To configure the agent mode, you do not need to define Illumio PCE.
To receive an automated email notification after the policy file is generated, use the email settings (modify as needed) provided in the sample configuration.
The sample configurations are located in the ECRSI, ECRSIA, and ECRSIL members of the hlq.RSMSAMP data set.
Sample gateway configuration
The ECRSI member contains the following sample configuration for a gateway instance:
* Global Settings *
***********************************************
MessageLevel Error Info
***********************************************
* Activate Illumio Interface *
***********************************************
Activate Illumio
***********************************************
* EC Settings *
***********************************************
ECSetup
Instance Gateway
Repository /u/illumio
UpdateInterval 4 Hours
EndECSetup
***********************************************
* Illumio PCE Settings *
***********************************************
PCE
*HostName poc1.illum.io
HostName 52.39.12.255
Port 443
Org_HRef /orgs/509
EndPCE
***********************************************
* Policy Agent Settings *
***********************************************
PolicyAgent
JobName PAGENT
IPSecConfig /etc/pagent/policies/ipSecPol TCPIP
VPNConfig /etc/pagent/policies/vpnPol TCPIP
IPSecConfig /etc/pagent/policies/ipSecPol2 TCPIP2
VPNConfig /etc/pagent/policies/vpnPol2 TCPIP2
EndPolicyAgent
***********************************************
* Email Settings *
***********************************************
EmailProfile
FromEmail autonotify@bmc.com
SysoutClass B
SysoutDest DEVPLEX
SysoutWriter SMTP
EndEmailProfile
EmailRecipients
Notify To support@bmc.com
EndEmailRecipients
Sample agent configuration
The ECRSIA member contains the following sample configuration for an agent instance:
* Global Settings *
***********************************************
MessageLevel Error Info
***********************************************
* Activate Illumio Interface *
***********************************************
Activate Illumio
***********************************************
* EC Settings *
***********************************************
ECSetup
Instance Agent
Repository /u/illumio2
UpdateInterval 4 Hours
PolicyRefresh Manual
EndECSetup
***********************************************
* Policy Agent Settings *
***********************************************
PolicyAgent
JobName PAGENT
IPSecConfig /etc/pagent/policies/ipSecPol TCPIP
EndPolicyAgent
***********************************************
* Email Settings *
***********************************************
EmailProfile
FromEmail autonotify@bmc.com
SysoutClass B
SysoutDest DEVPLEX
SysoutWriter SMTP
EndEmailProfile
EmailRecipients
Notify To support@bmc.com
EndEmailRecipients
Sample configuration for an individual LPAR
The ECRSIL member contains the following sample configuration for an individual LPAR:
* Global Settings *
***********************************************
MessageLevel Error Info
***********************************************
* Activate Illumio Interface *
***********************************************
Activate Illumio
***********************************************
* EC Settings *
***********************************************
ECSetup
Instance Gateway
Repository /u/illumio
UpdateInterval 4 Hours
EndECSetup
***********************************************
* Illumio PCE Settings *
***********************************************
PCE
*HostName poc1.illum.io
HostName 52.39.12.255
Port 443
Org_HRef /orgs/509
EndPCE
***********************************************
* Policy Agent Settings *
***********************************************
PolicyAgent
JobName PAGENT
IPSecConfig /etc/pagent/policies/ipSecPol TCPIP
VPNConfig /etc/pagent/policies/vpnPol TCPIP
IPSecConfig /etc/pagent/policies/ipSecPol2 TCPIP2
VPNConfig /etc/pagent/policies/vpnPol2 TCPIP2
EndPolicyAgent
***********************************************
* Email Settings *
***********************************************
EmailProfile
FromEmail autonotify@bmc.com
SysoutClass B
SysoutDest DEVPLEX
SysoutWriter SMTP
EndEmailProfile
EmailRecipients
Notify To support@bmc.com
EndEmailRecipients
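The mode and IPSecConfig rules stated at the top of this page can be checked before a member is deployed. The following linter is an added example, not BMC code: the `parse` and `lint` functions are hypothetical, and it assumes that lines starting with `*` are comments, that keywords are case-insensitive, and that every mode except agent needs a PCE block (inferred from the samples above).

```python
# Constructed sample: gateway config whose second IPSecConfig has no stack name.
SAMPLE = """\
ECSetup
Instance Gateway
EndECSetup
PCE
HostName 192.0.2.10
EndPCE
PolicyAgent
IPSecConfig /etc/pagent/policies/ipSecPol TCPIP
IPSecConfig /etc/pagent/policies/ipSecPol2
EndPolicyAgent
"""

def parse(text):
    """Group statements by block; '*' lines are treated as comments (assumption)."""
    blocks, current = {"": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        word, *args = line.split()
        key = word.lower()            # assumption: keywords are case-insensitive
        if current and key == "end" + current:
            current = None            # EndECSetup, EndPCE, ...
        elif current is None and not args:
            current = key             # a bare keyword opens a block
            blocks[current] = []
        else:
            blocks[current or ""].append((key, args))
    return blocks

def lint(text):
    """Return (mode, problems) for one configuration member."""
    blocks = parse(text)
    setup = dict(blocks.get("ecsetup", []))
    # No Instance keyword means standalone (single LPAR) mode.
    mode = setup["instance"][0].lower() if setup.get("instance") else "standalone"
    problems = []
    if mode != "agent" and "pce" not in blocks:   # inferred: only agent may omit PCE
        problems.append(f"{mode} mode without a PCE block")
    seen = {}                         # policy file path -> stack name
    for key, args in blocks.get("policyagent", []):
        if key == "ipsecconfig" and len(args) < 2:
            problems.append(f"IPSecConfig {' '.join(args)}: TCP/IP stack name missing")
        elif key == "ipsecconfig" and seen.setdefault(args[0], args[1]) != args[1]:
            problems.append(f"{args[0]} is used for stacks {seen[args[0]]} and {args[1]}")
    return mode, problems
```

Calling `lint(SAMPLE)` reports the resolved mode and flags the second IPSecConfig statement; a policy file path reused for two stacks is flagged as well.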
Additionally, the product supports the following features:
FlowLink support
The product samples TCP/IP packets on z/OS and sends the trace data over UDP to Illumio FlowLink.
To enable FlowLink support, you must define the following statements.
Sample configuration for FlowLink support
* FlowLink Settings *
***********************************************
FlowLink
HostName 172.28.228.224
Port 16001
Frequency 60 seconds
SamplingPeriod 15 seconds
MaximumFlows 256000
StagingBuffer 32
EndFlowLink
Parameter | Description |
---|---|
HostName | Host name or IP address of the system on which Illumio FlowLink runs |
Port | The UDP port on which Illumio FlowLink listens |
Frequency | The interval between packet sampling processing. Specify the value as nn seconds, minutes, or hours. The default is 180 seconds. |
SamplingPeriod | The duration of each sampling period. Specify the value as nn seconds, minutes, or hours. The default is 15 seconds. |
MaximumFlows | The maximum number of unique flow records that the product accumulates during the sampling period. The default is 256,000. |
StagingBuffer | The size of the IBM NMI staging buffer in megabytes (MB). The TCP/IP stack allocates this buffer in common 64-bit storage. The default is 64. |
SyslogD analysis
The product continuously monitors the SyslogD log for DENY conditions, which occur when the Illumio rules deny a TCP or UDP packet. Traffic Regulation Manager Daemon (TRMD) writes the log analysis messages to a dynamically allocated SYSOUT data set with the DD name ERRLmmdd, and the data set is reallocated daily.
To enable SyslogD analysis, you must define the following statements.
Sample configuration for SyslogD analysis
* SyslogD Analysis *
***********************************************
LogAnalysis
LogFile /tmp/syslogd.log
Frequency 15 Seconds
EndLogAnalysis
Parameter | Description |
---|---|
LogFile | Specify the full zFS path name of the log file to which TRMD writes the messages. If TRMD writes to multiple log files (possibly for multiple TCP/IP stacks), you must define the LogFile keyword for all the log files. To improve performance, you can define the IBM SyslogD configuration to write the TRMD messages to an additional zFS file. This way, the product parses only the TRMD messages rather than all the SyslogD messages. |
Frequency | Interval between checks for additional records written to the SyslogD file. Specify the value as nn seconds, minutes, or hours. The default is 60 seconds. |
Configuration export
You can use EC for Illumio to export TCP/IP interface and service data on z/OS to a flat file from which the product can build workload and Service profiles on Illumio PCE.