IBM 890 manual Dynamic Virtual IP Address Takeover, Sysplex Distributor, IPv6

Dynamic Virtual IP Address Takeover

VIPA represents an IP address that is not tied to a specifi c hardware adapter address. The benefi t can be that if an adapter fails, the IP protocol can fi nd an alternate path to the same software, be it the TCP/IP services on a zSeries server or an application.

In case of a failure of the primary IP stack, VIPA Takeover introduced in OS/390 V2.8 can support movement to a backup IP stack on a different server in a Parallel Sysplex cluster. Dynamic VIPA Takeover can enhance the initial V2.8 functions, providing VIPA takeback support. This can allow the movement of workload back from the alternate to the primary IP stack.

With Sysplex-Wide Security Associations (SWSA) in z/OS V1.4, IPSec protected workloads are expected to now realize all the benefi ts derived from workload balancing, such as optimal routing of new work to the target system and server application based on QoS and WLM advice, increased availability by routing around failed components and increased fl exibility in adding additional workload in a nondisruptive manner.

Sysplex Distributor

Introduced in OS/390 2.10, Sysplex Distributor is a soft- ware-only means of distributing IP workload across a Parallel Sysplex cluster. Client connections appear to be connected to a single IP address, yet the connections are routed to z/OS images on servers on different zSeries 800/ 900 or S/390 servers. In addition to load balancing, Sys- plex Distributor simplifi es the task of moving applications within a Parallel Sysplex environment.

In z/OS we have taken the functions provided by the Cisco MNLB Workload Agent and Systems Manager, and integrated them into Enhanced Sysplex Distributor. This

can eliminate the need for separate Cisco LocalDirector machines in the network and the need for MNLB work- load agents to be run on the zSeries servers. It can also improve performance, while allowing the Sysplex Distribu- tor to decide, based on priority supplied by WLM, the Service Policy Agent and the TCP/IP stack status, on the application instance the packet is sent to.

z/OS supports Enterprise Identity Mapping (EIM). EIM

defi nes a user’s security context that is consistent through- out an enterprise, regardless of the User ID used and regardless of which platform the user is accessing. RACF commands are enhanced to allow a security administrator to defi ne EIM information for EIM applications to use. The EIM information consists of the LDAP host name where the EIM domain resides, the EIM domain name, and the bind distinguished name and password an application may use to establish a connection with the domain.

Intrusion Detection Services (IDS)

Introduced in z/OS V1.2 and enhanced in V1.5, IDS enables the detection of attacks on the TCP/IP stack and the application of defensive mechanisms on the z/OS server. The focus of IDS is self-protection. IDS can be used alone or in combination with an external network-based Intrusion Detection System. IDS is integrated into the z/OS Communications Server stack.

IPv6

•IPv6 (Internet Protocol version 6) is supported in z/OS and can dramatically increase network addressability in support of larger internal and multi-enterprise net- works. z/OS provides compatibility with existing network addressing and mixed-mode addressing with IPv4.