Hot Topics - Messmer The Brain House
Figure 2 - Connectivity rules for each stack
Is it hard to learn?

No. The NSCA provides a level of abstraction in which you work with no more than three GUI configuration objects, regardless of whether you are configuring AT-TLS or CS IPSec:

• Traffic Descriptor objects identify specific IP traffic or applications. The tool comes with a large number of preloaded Traffic Descriptors, such as "TN3270_Server" and "FTP_Server." With a few mouse clicks, you can extend the preloaded set and add more customized Traffic Descriptors.

• Security Level objects identify a specific security technology, AT-TLS or CS IPSec, and the level of cryptographic protection to apply. The tool comes with a number of preloaded Security Levels. With a few mouse clicks, you can extend the preloaded set to add more customized Security Levels.

• Requirement Map objects map specific Traffic Descriptors to specific Security Levels. For example, within a single Requirement Map, you can express the entire set of security requirements that governs the traffic between your z/OS system and a branch office.
After you build these objects for your environment, you can reuse them for many repeating network security scenarios. For example, the Requirement Map you built to cover traffic between your z/OS system and a branch office can be referenced multiple times in your configuration, once for each branch office to which you want to connect.
With the creation of the Requirement Maps, much of the heavy lifting is done. For each TCP/IP stack, you create a series of Connectivity Rules. See Figure 2. Each rule identifies:

• A local host and a remote host

• Security endpoints (for IPSec only)

• A Requirement Map, which contains the complete set of security requirements between the two hosts.
Wizards…

The NSCA does its best to keep you on the right track. It provides wizards to guide you throughout the process and ensure that you enter all of the necessary information. Generally, each wizard asks you a basic question and then guides you through the remaining configuration. Figure 3 shows an example of one such wizard at work.

Figure 3 - Wizard screen for connectivity rules
…and a health checker, too

The wizards do their best to keep you out of trouble, but you can still get things wrong. So, before installing your configuration for a specific TCP/IP stack, click on the Health Check button. The NSCA comes with a built-in health checker function that examines your configuration for possible pitfalls and provides you with feedback on aspects of the configuration that look suspicious or incorrect.
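To make the three-object model and the health-check idea concrete, here is an added Python sketch. It is not NSCA code and does not reproduce the NSCA's real checks or its policy output; the field names, the weak-cipher list, the sample hosts and the specific checks are assumptions chosen for illustration. It builds one Requirement Map for branch offices, references it from one Connectivity Rule per branch, and then runs a checker that flags the kind of slip a wizard cannot prevent: a typo in a referenced object name, an IPSec rule without security endpoints, a duplicate rule for the same host pair, and traffic mapped to a level with no real encryption.

```python
"""Toy model of the NSCA abstraction (constructed example, not NSCA code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TrafficDescriptor:
    name: str
    protocol: str      # "tcp" or "udp" (assumed field)
    local_port: int    # port the local server application listens on


@dataclass(frozen=True)
class SecurityLevel:
    name: str
    technology: str    # "AT-TLS" or "IPSec" (encoding assumed)
    cipher: str        # e.g. "AES-128"; "NULL" means integrity only


@dataclass(frozen=True)
class RequirementMap:
    name: str
    mappings: Tuple[Tuple[str, str], ...]   # (descriptor name, level name)


@dataclass(frozen=True)
class ConnectivityRule:
    name: str
    local_host: str
    remote_host: str
    requirement_map: str
    security_endpoints: Optional[Tuple[str, str]] = None   # IPSec only


@dataclass
class StackConfig:
    descriptors: Dict[str, TrafficDescriptor]
    levels: Dict[str, SecurityLevel]
    maps: Dict[str, RequirementMap]
    rules: List[ConnectivityRule]


WEAK_CIPHERS = {"NULL", "DES", "RC4"}   # assumed definition of "weak"


def health_check(cfg: StackConfig) -> List[str]:
    """Return findings for one TCP/IP stack; an empty list means clean."""
    findings: List[str] = []
    # Requirement Maps must reference objects that exist and should not
    # leave any traffic on a level that provides no encryption.
    for rm in cfg.maps.values():
        for td_name, sl_name in rm.mappings:
            if td_name not in cfg.descriptors:
                findings.append(f"{rm.name}: unknown Traffic Descriptor '{td_name}'")
            level = cfg.levels.get(sl_name)
            if level is None:
                findings.append(f"{rm.name}: unknown Security Level '{sl_name}'")
            elif level.cipher in WEAK_CIPHERS:
                findings.append(f"{rm.name}: '{td_name}' protected only by weak cipher {level.cipher}")
    # Connectivity Rules must point at a real map, carry security endpoints
    # exactly when IPSec is involved, and not repeat a host pair.
    seen_pairs: Dict[Tuple[str, str], str] = {}
    for rule in cfg.rules:
        rm = cfg.maps.get(rule.requirement_map)
        if rm is None:
            findings.append(f"{rule.name}: unknown Requirement Map '{rule.requirement_map}'")
            continue
        uses_ipsec = any(sl in cfg.levels and cfg.levels[sl].technology == "IPSec"
                         for _, sl in rm.mappings)
        if uses_ipsec and rule.security_endpoints is None:
            findings.append(f"{rule.name}: IPSec requirements but no security endpoints")
        if not uses_ipsec and rule.security_endpoints is not None:
            findings.append(f"{rule.name}: security endpoints given but no IPSec in '{rm.name}'")
        pair = (rule.local_host, rule.remote_host)
        if pair in seen_pairs:
            findings.append(f"{rule.name}: duplicates {seen_pairs[pair]} for {pair[0]} -> {pair[1]}")
        else:
            seen_pairs[pair] = rule.name
    return findings


def good_config() -> StackConfig:
    """Constructed sample: one Requirement Map reused for three branch offices."""
    tds = {"TN3270_Server": TrafficDescriptor("TN3270_Server", "tcp", 23),
           "FTP_Server": TrafficDescriptor("FTP_Server", "tcp", 21)}
    sls = {"TLS_Strong": SecurityLevel("TLS_Strong", "AT-TLS", "AES-128"),
           "IPSec_Strong": SecurityLevel("IPSec_Strong", "IPSec", "AES-128")}
    branch = RequirementMap("BranchOffice",
                            (("TN3270_Server", "TLS_Strong"), ("FTP_Server", "IPSec_Strong")))
    rules = [ConnectivityRule(f"Branch{i}", "10.0.0.1", f"10.{i}.0.0/16",
                              "BranchOffice", ("10.0.0.1", f"10.{i}.0.254"))
             for i in (1, 2, 3)]
    return StackConfig(tds, sls, {"BranchOffice": branch}, rules)


def bad_config() -> StackConfig:
    """good_config() with four mistakes injected for the checker to find."""
    cfg = good_config()
    cfg.levels["TLS_Null"] = SecurityLevel("TLS_Null", "AT-TLS", "NULL")
    cfg.maps["Partner"] = RequirementMap("Partner", (("FTP_Server", "TLS_Null"),))
    cfg.rules.append(ConnectivityRule("Partner1", "10.0.0.1", "192.0.2.10", "Partner",
                                      ("10.0.0.1", "192.0.2.1")))   # endpoints, no IPSec
    cfg.rules.append(ConnectivityRule("Branch1Dup", "10.0.0.1", "10.1.0.0/16",
                                      "BranchOffice"))              # duplicate, no endpoints
    cfg.rules.append(ConnectivityRule("Typo", "10.0.0.1", "10.9.0.0/16", "BranchOfice"))
    return cfg


if __name__ == "__main__":
    for finding in health_check(bad_config()):
        print(finding)
```

Running the module prints the five findings for the deliberately broken configuration and nothing for the clean one. The point of the structure is the one the article makes: the objects are defined once, the Requirement Map is referenced three times, and a consistency pass over the finished objects catches what a per-screen wizard cannot see.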
Let the NSCA watch your back

The NSCA is designed to dramatically improve your time to value. If you choose not to use the NSCA to configure AT-TLS or CS IPSec, that's fine. Without it, however, there are no wizards or health checker; you will be the expert.

Protect your IP data; never let it go out alone!
How do I get the NSCA?

You can download it from the z/OS Communications Server Web site: ibm.com/software/network/commserver/zos/support/
February 2006 z/OS HOT TOPICS Newsletter, Issue 14 35