This IBM Redbooks publication provides an overview of the z/OS Security setups for Parallel Sysplex installations that are considering serving users locally or over non-secure TCP/IP networks. It provides insight into what can be done to minimize the risks in such contexts by addressing the following operating environments:

- Parallel Sysplex (as a stand-alone system) security.

- One member of the Sysplex is exposed to a non-secure network.

- All members of the Sysplex can be reached from the non-secure network.

We use a simple Sysplex configuration running at z/OS 1.7, with the capability of testing workload distribution among the Sysplex members. The basic Security features of z/OS are tested in this environment: SSL/TLS with session ID sharing, Kerberos Key Distribution Center, Communications Server Intrusion Detection Services, and IPSec VPNs with Sysplex Wide Security Association. Other areas of investigation are the potential consequences of resource sharing with members being connected to non-secure networks and what protections are available in terms of z/OS mechanisms and Sysplex configuration best practices.

Part 1. Basic Parallel Sysplex security

Chapter 1. Introduction

Chapter 2. Protection of the Sysplex-specific resources

Chapter 3. UNIX System Services Security

Chapter 4. Sysplex Workload Management and Security

Part 2. One Sysplex member with network connectivity

Chapter 5. Protecting the network connection

Chapter 6. Security at the network level

Part 3. All Sysplex members with network connectivity

Chapter 7. All Sysplex members with network connectivity

Chapter 8. Miscellaneous network-related considerations

Appendix A. RACF protection of MVS commands

Appendix B. TCP/IP configuration information

Appendix C. IP filtering implementation and management example

Appendix D. IP filtering and Sysplex Distributor

Appendix E. AT-TLS implementation

Appendix F. Sysplex session-ID caching setup example

Appendix G. VPN setup