Configuring the Enterprise Connector for Illumio instances
You can configure the EC for Illumio gateway with one or more agents on multiple LPARs; the gateway also serves as an agent on the LPAR where it runs.
Alternatively, you can configure a stand-alone environment where the gateway serves as an agent on a single LPAR.
The different EC for Illumio installation instances require the following configuration settings:
Run mode | Configuration settings |
---|---|
Gateway | Configure the Instance parameter in the ECIGPARM configuration member as Gateway. The gateway requires the PCE block definitions. |
Agent | Configure the Instance parameter in the ECIAPARM configuration member as Agent. The agent does not use the PCE block definitions. |
Stand-alone (also called single LPAR) | Omit the Instance parameter from the ECIGPARM configuration member. A stand-alone instance requires the PCE block definitions. In stand-alone mode, each instance of EC for Illumio runs as a separate product. |
Configuration parameter blocks
The following sample configuration members are located in the RSSSAMP data set:
- Gateway: ECIGPARM
- Agent: ECIAPARM
- (SPE2404) Stand-alone: ECISPARM
The configuration members contain the following parameter blocks:
Parameter block | Description |
---|---|
Global Settings | Message level and product activation. For more information about the parameters, see RSS Global configuration parameters. |
EC Settings | EC for Illumio settings, including instance, repository (database directory), and update interval. For more information about the parameters, see Configuration parameters in the following section. |
PCE Settings | Connection parameters to Illumio PCE, including host name and port. For more information about the parameters, see Configuration parameters in the following section. |
Policy Agent Settings | Connection parameters to IBM Server Policy Agent (PAGENT). For more information about the parameters, see Configuration parameters in the following section. |
Email Settings | Email settings such as the To and From email addresses. Configure these parameters to receive an automated email notification after the policy file is generated. For more information about the parameters, see RSS server configuration parameters. |
Configuration parameters
The following table describes the configuration parameters:
Parameter | Description |
---|---|
ECSetup | EC for Illumio settings header |
Instance | Installation instance type. The valid values are Gateway and Agent. Omit this parameter for a stand-alone instance. |
Repository | Database directory path where EC for Illumio stores PAGENT files |
UpdateInterval | Frequency (in Days, Hours, or Minutes) at which EC for Illumio polls Illumio PCE for updates. The default value is 4 Hours. |
EndECSetup | EC for Illumio settings trailer |
PCE | Connection to Illumio PCE settings header. These settings are required for gateway and stand-alone instances. |
HostName | Domain name or IP address of Illumio PCE |
Port | Communication port of Illumio PCE |
Org_HRef | Your organization's Illumio PCE reference number |
EndPCE | Connection to Illumio PCE settings trailer |
PolicyAgent | IBM Server Policy Agent (PAGENT) settings header |
JobName | Job name of the PAGENT running on your system |
IPSecConfig | File path of the IPSec configuration file on your system. You can specify this parameter multiple times, once for each TCP/IP stack name. |
VPNConfig | File path of the IPSec VPN configuration file on your system. You can specify this parameter multiple times, once for each TCP/IP stack name. This parameter is optional; use it only if you use IPSec VPNs. |
EndPolicyAgent | PAGENT settings trailer |
FlowLink support
The product samples TCP/IP packets on z/OS and sends the trace data over UDP to Illumio FlowLink.
To enable FlowLink support, define the following FlowLink Settings block in your configuration member.
Sample configuration for FlowLink support
***********************************************
* FlowLink Settings *
***********************************************
FlowLink
HostName 172.28.228.224
Port 16001
Frequency 60 seconds
SamplingPeriod 15 seconds
MaximumFlows 256000
StagingBuffer 32
EndFlowLink
Parameter | Description |
---|---|
HostName | Host name or IP address of the system on which Illumio FlowLink is running |
Port | The UDP port on which Illumio FlowLink is listening |
Frequency | The interval between packet sampling processing periods. Specify the value as nn seconds, minutes, or hours. The default is 180 seconds. |
SamplingPeriod | The duration of each sampling period. Specify the value as nn seconds, minutes, or hours. The default is 15 seconds. |
MaximumFlows | The maximum number of unique flow records that the product accumulates during the sampling period. The default is 256,000. |
StagingBuffer | The size of the IBM NMI staging buffer in megabytes (MB). The TCP/IP stack allocates this buffer in common 64-bit storage. The default is 64. |
Resources required for capturing FlowLink data
To capture the information about traffic flows, EC for Illumio makes requests to network management interfaces (NMIs) in z/OS Communications Server. EC for Illumio processes the information retrieved from the NMI and sends it to Illumio FlowLink.
Various SAF resources control access to the NMI. For more information about these resources, see z/OS Communications Server IP Programmer’s Guide and Reference.
The EC for Illumio started tasks require READ access to the following resource names in the SERVAUTH class:
- EZB.TRCCTL.sysName.tcpName.OPEN
- EZB.TRCCTL.sysName.tcpName.PKTTRACE
Variable | Description |
---|---|
sysName | MVS system name where your TCP/IP stack is running |
tcpName | TCP/IP stack job name |
The NMI requires that a profile protecting these resources exists. If no profile exists, EC for Illumio cannot run the required functions in the NMI.
If you have multiple TCP/IP stacks, make sure that you have assigned suitable permissions for all system names and TCP/IP stack job names where EC for Illumio is running.
zERT summary records processing
EC for Illumio collects z/OS Encryption Readiness Technology (zERT) summary records (SMF 119 subtype 12 records) and stores them in the product's internal database across EC for Illumio sessions. If you COLD start the instance, the product clears the zERT summary records from the database at startup.
You can analyze the collected zERT summary records on the zERT Records menu on the web interface. You can use this menu to perform the following actions:
- Determine which connections use encryption
- Identify which jobs and users are using connections
- View the ports being used
Using summary records instead of connection detail records reduces the volume of records produced. The records are produced regardless of the SMF collection parameters in your SYS1.PARMLIB data set.
To enable zERT summary records support
- Specify the following parameters in your TCP/IP profile data set, SYS1.TCPPARMS(ZERT):
  - GLOBALCONFig ZERT AGGregation
  - NETMONitor ZERTSUMmary
- Run the following command to activate the profile:
  V TCPIP,TCPIP,OBEY,SYS1.TCPPARMS(ZERT)
To configure EC for Illumio for collecting zERT summary records
Specify the following zERT Settings block in your agent (ECIAPARM) or stand-alone (ECISPARM) configuration member. You do not have to specify the zERT Settings block in your gateway configuration member (ECIGPARM).
***********************************************
* zERT Settings *
***********************************************
zERT
Enable Yes
Jobname *
Userid *
DNSResolve Yes
EndzERT
Parameter | Description |
---|---|
Enable | Yes or No. Specify whether the product must collect zERT summary records. |
Jobname | Specify a job name, or part of a job name, to filter records with the specified job name. |
Userid | Specify a user ID, or part of a user ID, to filter records with the specified user ID. |
DNSResolve | Yes or No. Specify whether the product must resolve the real name of a client or server. |
SyslogD analysis
The product continuously monitors the SyslogD log for the DENY conditions that are logged when the Illumio rules deny a TCP or UDP packet. Traffic Regulation Manager Daemon (TRMD) writes the log analysis messages to a dynamically allocated SYSOUT data set with the DD name ERRLmmdd; the data set is reallocated daily.
To enable SyslogD analysis, define the following LogAnalysis block in your configuration member.
Sample configuration for SyslogD analysis
***********************************************
* SyslogD Analysis *
***********************************************
LogAnalysis
LogFile /tmp/syslogd.log
Frequency 15 Seconds
EndLogAnalysis
Parameter | Description |
---|---|
LogFile | Specify the full zFS path name of the log file to which TRMD writes the messages. If TRMD writes to multiple log files (possibly for multiple TCP/IP stacks), you must define the LogFile keyword for all the log files. To improve performance, you can define the IBM SyslogD configuration to write the TRMD messages to an additional zFS file. This way the product parses TRMD messages only rather than all the SyslogD messages. |
Frequency | Interval between checks for additional records written to the SyslogD file. Specify the value as nn seconds, minutes, or hours. The default is 60 seconds. |
Configuration export
You can use EC for Illumio to export TCP/IP interface and service data on z/OS to a flat file. The product can use the information in the flat file to create access control lists (ACLs), workload profiles, and service profiles on the Illumio PCE. If you predefine the flat file, then specify RECFM=VB and LRECL=6144. If you do not predefine the flat file, then it is dynamically allocated.
For more information about generating a configuration export, see the following topics: