To see all my blog posts on IP filtering see here.
You can use the IP filtering component of z/OS Communications Servers to allow or deny packets flowing through a TCPIP stack.
You can use
- CS default rules – configured in the TCPIP profile, or via an OBEYFILE
- Policy agent
- The ipsec command to dynamically add rules – this could be used by network monitoring tools to defensively add new rules.
These all require common set up.
TCPIP profile
You need in the TCPIP profile
IPCONFIG IPSECURITY...
Logging is done to the SYSLOGD daemon
You need to have the syslogd daemon running to write any event messages produced.
In /etc/syslog.conf I have
*.err /var/log/errors
*.CPAGENT.*.* /var/log/CPAGENT.%Y.%m.%d
*.TRMD1.*.info /var/log/TRMD1I.%Y.%m.%d
*.DMD.*.* /var/log/DMD.%Y.%m.%d
- My policy agent job is called CPAGENT
- My Defense Manager Daemon (DMD) is a started task with name DMD
- I start TRMD, which logs events about the allow/deny rules. TRMD starts up a job TRMD1, and so the syslogd configuration needs to have TRMD1. The messages about allow/deny are written to syslogd as info and debug messages.
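How syslogd routes a message through those four selector lines, as an added example (not code from the post or from IBM): it assumes the standard syslog rule that a priority selector matches that priority and every higher one, applies the `*` wildcard per field of the z/OS userid.jobname.facility.priority selector, and expands the `%Y.%m.%d` date template. Under that rule a TRMD1 message logged at debug falls below the `.info` threshold and is routed nowhere by this configuration; the userid and facility values used are constructed.

```python
from datetime import date
import fnmatch

# The four selector lines from the /etc/syslog.conf shown above.
SYSLOG_CONF = """\
*.err            /var/log/errors
*.CPAGENT.*.*    /var/log/CPAGENT.%Y.%m.%d
*.TRMD1.*.info   /var/log/TRMD1I.%Y.%m.%d
*.DMD.*.*        /var/log/DMD.%Y.%m.%d
"""

# Standard syslog priority order, lowest first. Assumption: a selector
# priority means "this priority and higher", as in other syslogds.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


def parse_conf(text):
    """Turn syslog.conf lines into (userid, jobname, facility, priority, dest) rules."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        selector, dest = line.split()
        parts = selector.split(".")
        # The short facility.priority form (e.g. *.err) is padded with
        # wildcards for the userid and jobname fields.
        if len(parts) == 2:
            parts = ["*", "*"] + parts
        userid, jobname, facility, priority = parts
        rules.append((userid, jobname, facility, priority, dest))
    return rules


def route(rules, userid, jobname, facility, priority, day=date(2024, 1, 31)):
    """Return the list of files a message with these attributes is written to."""
    dests = []
    for r_user, r_job, r_fac, r_pri, dest in rules:
        if not (fnmatch.fnmatchcase(userid, r_user)
                and fnmatch.fnmatchcase(jobname, r_job)
                and fnmatch.fnmatchcase(facility, r_fac)):
            continue
        if r_pri != "*" and PRIORITIES.index(priority) < PRIORITIES.index(r_pri):
            continue  # message priority is below the selector's threshold
        dests.append(day.strftime(dest))  # expand %Y.%m.%d in the file name
    return dests


if __name__ == "__main__":
    rules = parse_conf(SYSLOG_CONF)
    for job, pri in [("TRMD1", "info"), ("TRMD1", "debug"), ("DMD", "err")]:
        print(job, pri, "->", route(rules, "TCPIP", job, "daemon", pri))
```

To capture the debug-level allow/deny messages as well, the TRMD1 selector would need a `.debug` or `.*` priority instead of `.info`.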
Traffic Regulation Management Daemon (TRMD)
This writes events about packets allowed or denied by the TCPIP stack to the syslogd daemon.
If this is not running, packets may still get allowed/denied, but will not be logged.
//TRMD PROC OPT='-P TCPIP -d 1'
//*
//* IBM Communications Server for z/OS
//* SMP/E distribution name: EZATRMDP
//*
//* 5650-ZOS Copyright IBM Corp. 1996, 2013
//* Licensed Materials - Property of IBM
//* "Restricted Materials of IBM"
//*
//* Status = CSV2R1
//*
//* Function: Sample procedure for running the Traffic
//* Regulator Management Daemon (TRMD)
//*
//TRMD EXEC PGM=EZATRMD,REGION=4096K,TIME=NOLIMIT,
// PARM=('ENVAR("_CEE_ENVFILE_S=DD:STDENV")/&OPT')
//STDENV DD *
RESOLVER_CONFIG=//'ADCD.Z24C.TCPPARMS(TCPDATA)'
export TZ=GMT0
This daemon requires READ access to the profile BPX.SUPERUSER CL(FACILITY).
When you start TRMD you get
EZZ8495I TRMD STARTED
EZZ8500I TRMD INITIALIZATION COMPLETE
IEF404I TRMD - ENDED - TIME=11.14.33
$HASP395 TRMD ENDED - RC=0000
Once it has started, it creates a job with name TRMD1.
When running my TRMD1 the operator command D,A,TRMD1 gave
TRMD1 STEP1 START1 OWT AO ...
WKL=SERVERS SCL=SRVOMVS P=1
You stop the TRMD daemon using
P TRMD1
You can display information from the log using the Unix command trmdstat
trmdstat … logname
Where logname is the trmd log from syslogd.
Policy Agent
If you want to define rules using Policy Agent, the Policy Agent job needs to be running. The Policy Agent just passes the rules to TCPIP, it does not do any processing of requests. To make a change to the rules, you change the policy agent files, and use the refresh policy agent command.
My policy agent procedure
//CPAGENT PROC
// SET EN='ENVAR("_CEE_ENVFILE_S=DD:STDENV")'
//PAGENT EXEC PGM=PAGENT,REGION=0K,TIME=NOLIMIT,
// PARM='&EN/ -l /var/log/pagent.log -i -d 1 '
//STDENV DD DISP=SHR,DSN=USER.Z24C.TCPPARMS(PAGENTEN)
//SYSPRINT DD SYSOUT=H
//SYSERR DD SYSOUT=H
//SYSOUT DD SYSOUT=H
//*
//CEEDUMP DD SYSOUT=*,DCB=(RECFM=FB,LRECL=132,BLKSIZE=132)
// PEND
Member USER.Z24C.TCPPARMS(PAGENTEN)
has
PAGENT_CONFIG_FILE=//'USER.Z24C.TCPPARMS(PAGENTCF)'
LIBPATH=/usr/lib
member PAGENTCF
has
tcpImage TCPIP //'USER.Z24C.TCPPARMS(PAGENTT)'
member PAGENTTT has
TTLSConfig //'USER.Z24C.TCPPARMS(PAGENTZ)' FLUSH PURGE
IpSecConfig //'USER.Z24C.TCPPARMS(PAGEIPSE)' FLUSH PURGE
member PAGEIPSE
Started with the minimum configuration
#-------------------------------------------------------
RACF profiles
IPSEC
See ipsec command SERVAUTH profile
RDEFINE SERVAUTH EZB.IPSECCMD.*.*.DISPLAY
RDEFINE SERVAUTH EZB.IPSECCMD.*.*.CONTROL
PERMIT EZB.IPSECCMD.*.*.DISPLAY CLASS(SERVAUTH) ID(IBMUSER) -
ACCESS(READ)
PERMIT EZB.IPSECCMD.*.*.CONTROL CLASS(SERVAUTH) ID(IBMUSER) -
ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH