There's a lot to chew on here...

On Wed, 10 Dec 2008 16:12:58, Boyles, Allan John wrote:

>Subplexing was introduced in z/OS 1.8 (Networking) and in the
>documentation I find references to Networking, but nothing regarding
>other resource managers (eg. RACF Security, MVS, consoles etc).

Actually, though perhaps not referred to as such, several "subplexes" have been possible pretty much since the advent of Sysplex, however several components do not support the concept. Consult the "z/OS MVS Setting Up a Sysplex" and "System Programmer's Guide to Parallel Sysplex Aggregation" for specifics. The latter is a RedBook.

>Does Subplex grouping also isolate groups of LPARS from a Security point of
>view, i.e.:
>- is command routing only possible within a Subplex group

Yes, via RO (sys1,sys2, ...)
However, there is no console 'subplex' as such. Any console on any system in the sysplex is visible by every other system in the sysplex.

>- are Syslog messages confined to the Subplex group

Operlog is sysplex-wide, where enabled. Syslog is viewable/managed at the JES MAS boundary, which can be equal to or less than the sysplex boundary (over-simplified, so hopefully I didn't lose the point).

>- are WTORs only seen in the Subplex group

No. All WTORs are seen across the sysplex, as consoles are sysplex-wide.

>- are there any security implications or controls relating to Subplex -
>Subplex or Subplex - Sysplex interaction.

Yes - very many, particularly with regard to RACF. There was a recent thread on this list (and probably many before) on RACF and sysplex communication - search the IBM-MAIN Archives.

>
>Basically, our intention is to isolate groups of LPARS within a SYSPLEX
>and would like to know if this can be done by Subplexing.

Some resources can, some cannot. In the redbook I mentioned above, you will read about the differences between "bronzeplex", "goldplex", and "platinumplex" (IBM's terms), and what is shared or isolated in these environments.
There is a sacrifice of manageability if you stick to a "bronzeplex", and even then, there are some things, like consoles, that you cannot isolate.

>Is it correct to say that this type of isolating LPARs within a Sysplex,
>without utilizing Subplexing, is not possible using RACF and/or MVS
>controls?

Some isolation is possible, but an LPAR that is part of the sysplex, by definition, will share a minimal amount of resources with the rest of the sysplex. If you cannot share these resources, then you will need to manage separate sysplexes (sysplexen?).

Regards,
Art Gutowski
Ford Motor Company

