This IBM Redbooks publication provides an overview of z/OS security setups for Parallel Sysplex installations that are considering serving users locally or over non-secure TCP/IP networks. It provides insight into what can be done to minimize the risks in such contexts by addressing the following operating environments:
- Parallel Sysplex (as a stand-alone system) security.
- One member of the Sysplex is exposed to a non-secure network.
- All members of the Sysplex can be reached from the non-secure network.
We use a simple Sysplex configuration running at z/OS 1.7, with the capability of testing workload distribution among the Sysplex members. The basic security features of z/OS are tested in this environment: SSL/TLS with session ID sharing, Kerberos Key Distribution Center, Communications Server Intrusion Detection Services, and IPSec VPNs with Sysplex Wide Security Association. We also investigate the potential consequences of sharing resources with members that are connected to non-secure networks, and what protections are available in terms of z/OS mechanisms and Sysplex configuration best practices.
Table of contents
Part 1. Basic Parallel Sysplex security
Chapter 1. Introduction
Chapter 2. Protection of the Sysplex-specific resources
Chapter 3. UNIX System Services Security
Chapter 4. Sysplex Workload Management and Security
Part 2. One Sysplex member with network connectivity
Chapter 5. Protecting the network connection
Chapter 6. Security at the network level
Part 3. All Sysplex members with network connectivity
Chapter 7. All Sysplex members with network connectivity
Chapter 8. Miscellaneous network-related considerations
Appendix A. RACF protection of MVS commands
Appendix B. TCP/IP configuration information
Appendix C. IP filtering implementation and management example
Appendix D. IP filtering and Sysplex Distributor
Appendix E. AT-TLS implementation
Appendix F. Sysplex session-ID caching setup example
Appendix G. VPN setup