IBM Z Hardware and Operating Systems Ideas Portal


Status Not under consideration
Workspace z/OS
Created by Guest
Created on Dec 2, 2022

zERT Enforcement Policy and Policy Agent not adhering to same implementation

When using a zERT Enforcement Policy with two or more Traffic Descriptors, Policy Agent is not able to handle those as a single rule and artificially creates additional rules for each Traffic Descriptor associated with the zERT defined rule, appending a suffix to each, like ~1, ~2.
The setup with more than one Traffic Descriptor is supported in zERT; however, Policy Agent is not capable of handling that. Even that 'feature' is not documented.

The conclusion is that Policy Agent must be enhanced to support this and map a zERT rule 1:1 into a Policy Agent managed rule and not a 1:n mapping resulting in many ~1 suffixed rules.

See attached screen-prints for further reference.

Idea priority High
  • Guest
    Jan 27, 2023
    NCA was created for ease of use -- to provide simplified construction and views of policy-based rules. NCA was never intended to create a "one for one" association between NCA connectivity rules and policy agent-level rules (for example TTLSRule, zERTRule, etc.). In fact, the behavior you pointed out is an intentional design point of NCA.

    Specifically, one of the simplifying mechanisms NCA uses is the ability to specify multiple traffic descriptors in a connectivity rule in its GUI interface (whereas policy agent rules only allow a single set of traffic attributes per rule). When NCA creates policy rules from such a connectivity rule, it generates multiple policy agent rules, each with different traffic attributes. This is just one case where a single connectivity rule can result in multiple policy agent rules. In cases like these, the name of the NCA connectivity rule serves as the base rule name for all associated policy rules, with each individual policy rule having a unique "~nn" suffix appended to the base name. This makes it easy to correlate the NCA connectivity rule with all the associated policy agent rules.

    Given the above, this requirement is essentially a request to change the fundamental design points of NCA or Policy Agent, which we do not intend to do. As such, we are declining this requirement. The NCA and policy agent designs have proven to be very effective over many years, so even if we were to accept this requirement, it would be very low on the list of priorities and not likely to ever be prioritized into a product plan. Additionally, implementing such a change without causing significant migration issues would be very costly.