Configuring the Enterprise Connector for Illumio instances


To interact with the Illumio PCE product, you must configure the BMC AMI Enterprise Connector for Illumio product to build PAGENT files from the ACL files it receives from Illumio PCE.

The PAGENT files are sent to AT-TLS to establish secure TCP/IP communication.

Illumio PCE interacts with the EC for Illumio gateway, which interacts with the EC for Illumio agents.


You can configure the EC for Illumio gateway with one or more agents on multiple LPARs; the gateway also serves as an agent on the LPAR where it runs.

Alternatively, you can configure a stand-alone environment where the gateway serves as an agent on a single LPAR.

The different EC for Illumio installation instances require the following configuration settings:

Run mode                          Configuration settings
Gateway                           Configure the Instance parameter in the ECIGPARM
                                  configuration member as Gateway. The gateway
                                  requires the PCE block definitions.
Agent                             Configure the Instance parameter in the ECIAPARM
                                  configuration member as Agent. The agent does not
                                  use the PCE block definitions.
Stand-alone (also called          Omit the Instance parameter from the ECIGPARM
single LPAR)                      configuration member. A stand-alone instance
                                  requires the PCE block definitions.

In stand-alone mode, each instance of EC for Illumio runs as a separate product.

Configuration parameter blocks

The following sample configuration members are located in the RSSSAMP data set:

  • Gateway: ECIGPARM
  • Agent: ECIAPARM
  • (SPE2404) Stand-alone: ECISPARM

The configuration members contain the following parameter blocks:

Parameter block         Description
Global Settings         Message level and product activation. For more information
                        about the parameters, see RSS Global configuration
                        parameters.
EC Settings             EC for Illumio settings, including instance, repository
                        (database directory), and update interval. For more
                        information about the parameters, see Configuration
                        parameters in the following section.
PCE Settings            Connection parameters to Illumio PCE, including host name
                        and port. For more information about the parameters, see
                        Configuration parameters in the following section.
Policy Agent Settings   Connection parameters to IBM Server Policy Agent (PAGENT).
                        For more information about the parameters, see
                        Configuration parameters in the following section.
Email Settings          Email settings such as the To and From email addresses.
                        Configure these parameters to receive an automated email
                        notification after the policy file is generated. For more
                        information about the parameters, see RSS server
                        configuration parameters.

Configuration parameters syntax

The parameters in the configuration data set must follow these rules:

  • Only one parameter is allowed on each line; it can start in any column of that line.
  • Parameters must be specified in full. They are not case-sensitive, except for hierarchical file system (HFS) path names.
  • A line with an asterisk (*) in the first column is treated as a comment.
  • RSS parameters support standard z/OS ampersand-prefixed (&) variables (for example, &SYSNAME).
  • (SPE2507) You can include static and dynamic system symbols in the parameters. For more information, see Using static and dynamic system symbols in parameters.

Using static and dynamic system symbols in parameters

(SPE2507)

System symbols act as placeholders and are replaced by substitution text (a character string), so that definitions in a shared parameter library (one accessible to multiple systems) still resolve to values that are unique to each system. There are two types of system symbols:

  • Static system symbol: the substitution text for these symbols is either system-defined or defined by SYMDEF statements in the IEASYMxx member. Static system symbols are set during IPL (Initial Program Load) and do not normally change.
  • Dynamic system symbol: the substitution text for these symbols can change in real time at any point after IPL and is available through the IBM ASASYMBM or ASASYMBF service. You can use dynamic system symbols to build dynamic paths and file names.
Example

If you define AuditLogFileName rss.&SYSNAME..audit.D&YYMMDD..T&HHMMSS..log in your configuration member, and TSOP is your system name, it is resolved to AuditLogFileName rss.TSOP.audit.D250311.T203405.log.

Any static or dynamic system symbol that you use must be one of the symbols defined in the "z/OS MVS Initialization and Tuning Reference" manual.

The following table lists commonly used dynamic system symbols:

Dynamic system symbol   Description
&MON                    Month of the year
&DAY                    Day of the month
&JDAY                   Julian day of the year
&YR2                    Year in two digits
&YR4                    Year in four digits
&WDAY                   Name of the day of the week
&HR                     Hour
&MIN                    Minute
&SEC                    Second
&JOBNAME                Job name of task
&HHMMSS                 Time of day. Use &LHHMMSS for local time.
&YYMMDD                 Date. Use &LYYMMDD for local date.

For more information about system symbols, see the "z/OS MVS Initialization and Tuning Reference" manual.
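The following is an added example, not BMC product code, that applies the syntax rules above to a constructed configuration member: it treats an asterisk in column 1 as a comment, accepts one parameter per line in any column, stores parameter names case-insensitively while keeping path values as written, and resolves &SYMBOL substitution (including the double-period convention from the AuditLogFileName example, where the first period ends the symbol and the second is literal). It also converts the "nn Hours" interval form used by UpdateInterval. The block and parameter names are from this page; the sample values, the placement of AuditLogFileName inside ECSetup, and the three-letter upper-case form of &WDAY are assumptions.

```python
"""Added example (not BMC's code): parse an RSS-style configuration member
and resolve z/OS system symbols according to the rules on this page."""
import re
from datetime import datetime

# Constructed sample member. Block and parameter names come from this page;
# the values and the placement of AuditLogFileName are made up for the demo.
SAMPLE_MEMBER = """\
***********************************************
* EC Settings (constructed sample)            *
***********************************************
ECSetup
  Repository       /u/eci/&SYSNAME./repo
  UpdateInterval   4 Hours
  AuditLogFileName rss.&SYSNAME..audit.D&YYMMDD..T&HHMMSS..log
EndECSetup
PCE
  HostName         pce.example.invalid
  Port             8443
EndPCE
"""

# A symbol is '&' plus its name, optionally terminated by one period that is
# consumed by the substitution, so '&SYSNAME..audit' resolves to 'TSOP.audit'.
_SYMBOL = re.compile(r"&([A-Z0-9@#$]+)\.?", re.IGNORECASE)

def resolve_symbols(text, symbols):
    """Substitute known symbols; unknown ones are left untouched so that a
    mistyped symbol stays visible in the resolved value."""
    def sub(m):
        return symbols.get(m.group(1).upper(), m.group(0))
    return _SYMBOL.sub(sub, text)

def dynamic_symbols(now):
    """Values for the dynamic symbols listed on this page, derived from a
    datetime. The three-letter upper-case &WDAY form is an assumption."""
    return {
        "MON": f"{now.month:02d}", "DAY": f"{now.day:02d}",
        "JDAY": f"{now.timetuple().tm_yday:03d}",
        "YR2": f"{now.year % 100:02d}", "YR4": f"{now.year:04d}",
        "WDAY": now.strftime("%a").upper(),
        "HR": f"{now.hour:02d}", "MIN": f"{now.minute:02d}", "SEC": f"{now.second:02d}",
        "HHMMSS": now.strftime("%H%M%S"), "YYMMDD": now.strftime("%y%m%d"),
    }

def parse_member(text, symbols):
    """Return {BLOCK: {PARAMETER: value}}. Names are stored upper-cased because
    they are not case-sensitive; values are stored exactly as written because
    HFS path values are case-sensitive."""
    blocks, name, current = {}, None, None
    for raw in text.splitlines():
        if raw.startswith("*") or not raw.strip():
            continue                                  # comment or blank line
        parts = raw.split(None, 1)
        key = parts[0].upper()
        value = resolve_symbols(parts[1].strip(), symbols) if len(parts) > 1 else ""
        if not value:                                 # bare word: block header or trailer
            if key.startswith("END"):
                if name is None or key != "END" + name:
                    raise ValueError(f"unexpected trailer {parts[0]}")
                blocks[name], name, current = current, None, None
            elif name is not None:
                raise ValueError(f"block {parts[0]} opened inside {name}")
            else:
                name, current = key, {}
            continue
        if current is None:
            raise ValueError(f"parameter {parts[0]} is outside any block")
        current[key] = value
    if name is not None:
        raise ValueError(f"block {name} has no End{name} trailer")
    return blocks

_DURATION = re.compile(r"^(\d+)\s*(SECONDS?|MINUTES?|HOURS?|DAYS?)$")
_UNIT = {"SECOND": 1, "MINUTE": 60, "HOUR": 3600, "DAY": 86400}

def duration_seconds(value):
    """Convert the 'nn Days|Hours|Minutes|Seconds' form used by UpdateInterval
    and Frequency into seconds (case-insensitive)."""
    m = _DURATION.match(value.strip().upper())
    if not m:
        raise ValueError(f"bad interval {value!r}")
    return int(m.group(1)) * _UNIT[m.group(2).rstrip("S")]

def load_sample():
    """Parse SAMPLE_MEMBER as system TSOP at the date and time of the page's
    AuditLogFileName example (11 March 2025, 20:34:05)."""
    symbols = {"SYSNAME": "TSOP", **dynamic_symbols(datetime(2025, 3, 11, 20, 34, 5))}
    return parse_member(SAMPLE_MEMBER, symbols)

if __name__ == "__main__":
    for block, params in load_sample().items():
        print(block, params)
```

Running it resolves AuditLogFileName to rss.TSOP.audit.D250311.T203405.log, the value shown in the example above, and leaves the Repository path's case untouched. A mismatched or missing trailer raises instead of being absorbed into the next block, which is the failure you want surfaced before a member is put into production.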

Configuration parameters

The following table describes the configuration parameters:

Parameter        Description
ECSetup          EC for Illumio settings header
Instance         Installation instance type. The following values are valid:
                   • Gateway in the ECIGPARM member
                   • Agent in the ECIAPARM member
                   • Omit the parameter from the ECIGPARM member for a
                     stand-alone environment
Repository       Database directory path where EC for Illumio stores PAGENT files
UpdateInterval   Frequency (in Days, Hours, or Minutes) at which EC for Illumio
                 polls Illumio PCE for updates. The default value is 4 Hours.
EndECSetup       EC for Illumio settings trailer
PCE              Connection to Illumio PCE settings header. These settings are
                 required for gateway and stand-alone instances.
HostName         Domain name or IP address of Illumio PCE
Port             Communication port of Illumio PCE
Org_HRef         Your organization's Illumio PCE reference number
EndPCE           Connection to Illumio PCE settings trailer
PolicyAgent      IBM Server Policy Agent (PAGENT) settings header
JobName          Job name of the PAGENT running on your system
IPSecConfig      File path of the IPSec configuration file on your system. You
                 can have multiple parameters, one for each TCP/IP stack name.
VPNConfig        File path of the IPSec VPN configuration file on your system.
                 You can have multiple parameters, one for each TCP/IP stack
                 name. This parameter is optional; only use it if you use IPSec
                 VPNs.
EndPolicyAgent   PAGENT settings trailer

FlowLink support

The product samples TCP/IP packets on z/OS and sends the trace data over UDP to Illumio FlowLink.

To enable FlowLink support, define the following block in the configuration member.

Sample configuration for FlowLink support

***********************************************
* FlowLink Settings                           *
***********************************************
FlowLink
  HostName         172.28.228.224
  Port             16001
  Frequency        60 seconds
  SamplingPeriod   15 seconds
  MaximumFlows     256000
  StagingBuffer    32
EndFlowLink

Parameter        Description
HostName         Host name or IP address of the system on which Illumio FlowLink
                 is running
Port             The UDP port on which Illumio FlowLink is listening
Frequency        The interval between packet sampling processing periods. Specify
                 the value as nn seconds, minutes, or hours. The default is 180
                 seconds.
SamplingPeriod   The duration of each sampling period. Specify the value as nn
                 seconds, minutes, or hours. The default is 15 seconds.
MaximumFlows     The maximum number of unique flow records that the product
                 accumulates during the sampling period. The default is 256,000.
StagingBuffer    The size of the IBM NMI staging buffer in megabytes (MB). The
                 TCP/IP stack allocates this buffer in common 64-bit storage.
                 The default is 64.

Resources required for capturing FlowLink data

To capture the information about traffic flows, EC for Illumio makes requests to network management interfaces (NMIs) in z/OS Communications Server. EC for Illumio processes the information retrieved from the NMI and sends it to Illumio FlowLink.

(SPE2504) EC for Illumio adds a timestamp to the FlowLink records sent to Illumio PCE. The timestamp shows the local time and the UTC offset of the LPAR from which Illumio FlowLink collects network traffic, in the following format:

localDateTlocalTime+-utcOffset

localDate is the local date in YYYY-MM-DD format, localTime is the local time in HH:MM:SS format, and utcOffset is the UTC offset in HH:MM format. A plus sign (+) before the UTC offset indicates that the time zone is ahead of UTC; a minus sign (-) indicates that the time zone is behind UTC.

Example

The timestamp 2025-01-28T13:46:10+06:00 represents a local date of 28 January 2025, local time of 13:46:10, and a UTC offset of +06:00 hours.

The timestamp 2025-01-28T13:46:10-06:00 represents a local date of 28 January 2025, local time of 13:46:10, and a UTC offset of -06:00 hours.
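The following is an added example, not BMC product code, that validates a timestamp against the localDateTlocalTime+-utcOffset format defined above and converts it to UTC, which is what you need when correlating FlowLink records from LPARs in different time zones with other log sources. The two timestamps from the example above are used as input; the function names are assumptions.

```python
"""Added example (not BMC's code): parse the FlowLink record timestamp format
described on this page and normalize it to UTC."""
import re
from datetime import datetime, timedelta, timezone

# localDate T localTime (+|-) HH:MM, exactly as the page defines it; anything
# looser (missing offset, a space instead of 'T', fractional seconds) is rejected.
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})([+-])(\d{2}):(\d{2})$")

def parse_flowlink_timestamp(text):
    """Return (local naive datetime, UTC offset as timedelta, aware UTC datetime).
    Raises ValueError for anything that is not in the documented format."""
    m = _TS.match(text)
    if not m:
        raise ValueError(f"not a FlowLink timestamp: {text!r}")
    local = datetime.strptime(f"{m.group(1)}T{m.group(2)}", "%Y-%m-%dT%H:%M:%S")
    sign = 1 if m.group(3) == "+" else -1
    offset = sign * timedelta(hours=int(m.group(4)), minutes=int(m.group(5)))
    # '+' means the LPAR clock is ahead of UTC, so the UTC instant is earlier
    # than the local reading; attaching the offset as tzinfo lets astimezone
    # apply the sign correctly instead of hand-rolling the arithmetic.
    aware = local.replace(tzinfo=timezone(offset))
    return local, offset, aware.astimezone(timezone.utc)

def to_utc_string(text):
    """Render the UTC instant in ISO 8601 form with a trailing 'Z'."""
    return parse_flowlink_timestamp(text)[2].strftime("%Y-%m-%dT%H:%M:%SZ")

def offset_minutes(text):
    """Signed UTC offset in minutes, positive when ahead of UTC."""
    return int(parse_flowlink_timestamp(text)[1].total_seconds() // 60)

if __name__ == "__main__":
    for sample in ("2025-01-28T13:46:10+06:00", "2025-01-28T13:46:10-06:00"):
        print(sample, "->", to_utc_string(sample), offset_minutes(sample))
```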

Various SAF resources control access to the NMI. For more information about these resources, see z/OS Communications Server IP Programmer’s Guide and Reference.

The EC for Illumio started tasks require READ access to the following resource names in the SERVAUTH class:

  • EZB.TRCCTL.sysName.tcpName.OPEN
  • EZB.TRCCTL.sysName.tcpName.PKTTRACE

Variable   Description
sysName    MVS system name where your TCP/IP stack is running
tcpName    TCP/IP stack job name

The NMI requires that a profile protecting these resources exists. If no profile exists, EC for Illumio cannot run the required functions in the NMI.

If you have multiple TCP/IP stacks, make sure that you have assigned suitable permissions for all system names and TCP/IP stack job names where EC for Illumio is running.
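The following is an added example, not BMC product code, that builds the two SERVAUTH resource names above for every system name and TCP/IP stack job name in an inventory, emits the RACF commands that define a profile for each one with no default access and grant the started-task user READ, and reports which required resources have no covering profile. RACF is assumed (other SAF managers use their own syntax), the inventory and the started-task user ID ECIUSER are constructed placeholders, and the gap check compares exact profile names only, not generic profiles.

```python
"""Added example (not BMC's code): enumerate the EZB.TRCCTL SERVAUTH resources
that EC for Illumio needs for every system/stack pair and generate the RACF
definitions that grant the started task READ access."""

# Placeholder: the user ID under which your EC for Illumio started tasks run.
STARTED_TASK_USER = "ECIUSER"

# Constructed inventory: {MVS system name: [TCP/IP stack job names on it]}.
SAMPLE_STACKS = {"SYSA": ["TCPIP"], "SYSB": ["TCPIP", "TCPIP2"]}

def nmi_resource_names(stacks):
    """EZB.TRCCTL.<sysName>.<tcpName>.OPEN and .PKTTRACE for every stack,
    upper-cased because SAF resource names are."""
    return [
        f"EZB.TRCCTL.{sys_name.upper()}.{tcp_name.upper()}.{suffix}"
        for sys_name, tcp_names in stacks.items()
        for tcp_name in tcp_names
        for suffix in ("OPEN", "PKTTRACE")
    ]

def racf_commands(stacks, user_id=STARTED_TASK_USER):
    """RACF commands: a discrete profile per resource with UACC(NONE), READ for
    the started-task user only, then a RACLIST refresh so the change is live."""
    cmds = []
    for res in nmi_resource_names(stacks):
        cmds.append(f"RDEFINE SERVAUTH {res} UACC(NONE)")
        cmds.append(f"PERMIT {res} CLASS(SERVAUTH) ID({user_id}) ACCESS(READ)")
    cmds.append("SETROPTS RACLIST(SERVAUTH) REFRESH")
    return cmds

def missing_profiles(stacks, defined_profiles):
    """Required resources with no exactly matching profile in defined_profiles
    (for example, a list exported from your security database). Generic
    profiles containing wildcards are not evaluated here."""
    defined = {p.upper() for p in defined_profiles}
    return [r for r in nmi_resource_names(stacks) if r not in defined]

if __name__ == "__main__":
    print("\n".join(racf_commands(SAMPLE_STACKS)))
    print("missing:", missing_profiles(SAMPLE_STACKS, ["EZB.TRCCTL.SYSA.TCPIP.OPEN"]))
```

The NMI refuses the request when no profile exists, so the missing-profile list is the check to run after adding an LPAR or a second stack; the PERMIT grants READ, which is the access level this page requires, and nothing more.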

zERT summary records processing

(SPE2404)

EC for Illumio collects z/OS Encryption Readiness Technology (zERT) summary records (SMF 119 subtype 12 records) and stores them in the product's internal database, where they persist across EC for Illumio sessions. If you COLD start the instance, the product clears the zERT summary records from the database at startup.

You can analyze the collected zERT summary records on the zERT Records menu on the web interface. You can use this menu to perform the following actions:

  • Determine which connections use encryption
  • Identify which jobs and users are using connections
  • View the ports being used

Using summary records instead of connection detail records reduces the volume of records produced. The records are produced regardless of the SMF collection parameters in your SYS1.PARMLIB data set.

To enable zERT summary records support

  1. Specify the following parameters in your TCP/IP profile data set, SYS1.TCPPARMS(ZERT):
    • GLOBALCONFig ZERT AGGregation
    • NETMONitor ZERTSUMmary
  2. Run the following command:
    V TCPIP,TCPIP,OBEY,SYS1.TCPPARMS(ZERT)

To configure EC for Illumio for collecting zERT summary records

Specify the following zERT Settings block in your agent (ECIAPARM) or stand-alone (ECISPARM) configuration member. You do not have to specify the zERT Settings block in your gateway configuration member (ECIGPARM).

***********************************************
* zERT Settings                               *
***********************************************
zERT
  Enable           Yes
  Jobname          *
  Userid           *
  DNSResolve       Yes
EndzERT

Parameter             Description
Enable Yes | No       Specify whether the product must collect zERT summary records.
Jobname               Specify a job name, or part of a job name, to filter records
                      by job name.
Userid                Specify a user ID, or part of a user ID, to filter records by
                      user ID.
DNSResolve Yes | No   Specify whether the product must resolve the real name of a
                      client or server.

Important

Using zERT records has a few limitations. For more information, see z/OS Communications Server IP Configuration Guide.

SyslogD analysis

The product continuously monitors the SyslogD log for DENY conditions, which are recorded when the Illumio rules deny a TCP or UDP packet. Traffic Regulation Manager Daemon (TRMD) writes the log analysis messages to a dynamically allocated SYSOUT data set with the DD name ERRLmmdd; the data set is reallocated daily.

To enable SyslogD analysis, define the following block in the configuration member.

Sample configuration for SyslogD analysis

***********************************************
* SyslogD Analysis                            *
***********************************************
LogAnalysis
  LogFile          /tmp/syslogd.log
  Frequency        15 Seconds
EndLogAnalysis

Parameter   Description
LogFile     Specify the full zFS path name of the log file to which TRMD writes
            the messages. If TRMD writes to multiple log files (possibly for
            multiple TCP/IP stacks), you must define the LogFile keyword for all
            the log files. To improve performance, you can define the IBM SyslogD
            configuration to write the TRMD messages to an additional zFS file;
            the product then parses only TRMD messages rather than all the
            SyslogD messages.
Frequency   Interval between checks for additional records written to the SyslogD
            file. Specify the value as nn seconds, minutes, or hours. The default
            is 60 seconds.
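The following is an added example, not BMC product code, of the polling pattern the LogAnalysis block describes: every Frequency interval it reads only the records appended to the log file since the last check, keeps a record whose newline has not yet been written until the next poll, restarts from the beginning if the file shrinks (for instance after it is reallocated), and returns the records that contain a DENY condition. The sample records are constructed for the demo and do not reproduce the real TRMD message text; the only assumption about the real messages is that a denied packet's record contains the word DENY.

```python
"""Added example (not BMC's code): incremental SyslogD log reader that
surfaces DENY records on each Frequency-driven poll."""
import os
import re
import tempfile
import time

# Constructed sample records; the real TRMD message format is not reproduced.
SAMPLE_RECORDS = [
    "Jan 28 13:46:10 TSOP TRMD: 10.1.2.3:51234 -> 10.1.2.4:22 DENY (constructed)",
    "Jan 28 13:46:11 TSOP TRMD: 10.1.2.3:51235 -> 10.1.2.4:443 PERMIT (constructed)",
    "Jan 28 13:46:12 TSOP TRMD: 10.1.2.9:40000 -> 10.1.2.4:23 DENY (constructed)",
]

_DENY = re.compile(r"\bDENY\b")

class LogFollower:
    """Reads only what was appended since the previous poll. The byte offset is
    tracked in binary mode so a partially written last record is carried over
    rather than reported twice or cut in half."""

    def __init__(self, path):
        self.path = path
        self.offset = 0      # bytes already consumed
        self.partial = ""    # record text seen without its terminating newline

    def poll(self):
        """Return the DENY records completed since the last poll."""
        if os.path.getsize(self.path) < self.offset:
            # File was truncated or reallocated: start over, drop stale partial.
            self.offset, self.partial = 0, ""
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
            self.offset = f.tell()
        lines = (self.partial + data.decode("utf-8", errors="replace")).split("\n")
        self.partial = lines.pop()   # "" when the data ended with a newline
        return [line for line in lines if _DENY.search(line)]

def follow(path, frequency_seconds, handler):
    """Poll at the LogAnalysis Frequency and pass each DENY record to handler;
    runs until interrupted."""
    follower = LogFollower(path)
    while True:
        for record in follower.poll():
            handler(record)
        time.sleep(frequency_seconds)

def demo():
    """Exercise the follower against a temporary file written in stages and
    return the DENY records seen by each of five polls."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".log") as tmp:
        tmp.write("\n".join(SAMPLE_RECORDS[:2]) + "\n")
        path = tmp.name
    try:
        follower = LogFollower(path)
        first = follower.poll()                      # one DENY in the initial two
        with open(path, "a") as f:
            f.write(SAMPLE_RECORDS[2] + "\n")
        second = follower.poll()                     # only the newly appended DENY
        third = follower.poll()                      # nothing new
        with open(path, "a") as f:
            f.write("Jan 28 13:46:13 TSOP TRMD: 10.1.2.9:40001 -> 10.1.2.4:23 DENY")
        fourth = follower.poll()                     # incomplete record: held back
        with open(path, "a") as f:
            f.write("\n")
        fifth = follower.poll()                      # now complete: reported once
        return first, second, third, fourth, fifth
    finally:
        os.remove(path)

if __name__ == "__main__":
    for i, batch in enumerate(demo(), 1):
        print(f"poll {i}: {batch}")
```

Keeping an explicit offset per LogFile is also what lets you run one follower per TRMD log when several stacks write to several files, which is the case the LogFile description above calls out.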

Configuration export

You can use EC for Illumio to export TCP/IP interface and service data on z/OS to a flat file. The product can use the information in the flat file to create access control lists (ACLs), workload profiles, and service profiles on the Illumio PCE. If you predefine the flat file, specify RECFM=VB and LRECL=6144. If you do not predefine the flat file, it is dynamically allocated.

Important

Do not specify the export data set in quotation marks.

For more information about generating a configuration export, see the following topics:

 


BMC AMI Enterprise Connector for Illumio 2.3