Input/Output Configuration Data Set (Iocds; Lpar Input/Output Configurations - IBM Z9 Planning Manual

Input/Output Configuration Data Set (IOCDS)

An IOCDS defines the logical partitions by name, allocates I/O resources to each of
them, and specifies the security characteristics of those I/O resources. The
following list describes the security-relevant parameters of each type of IOCDS
source statement.
Statement Type
ID
RESOURCE
CHPID
CNTLUNIT
IODEVICE

LPAR Input/Output Configurations

v In general, I/O devices must not be shared by logical partitions, since they can
v The PCHID Summary Report, Channel Path Identifier (CHPID) Summary Report
v A thorough review of the actual physical connections/links of the I/O configuration
v All IOCDSs should be write-protected except for the few minutes during which
v The time stamps of the production-level IOCDSs should be recorded. By
B-8
PR/SM Planning Guide
be used to pass information from one partition to another. There may be special
cases, such as an output-only device which an installation may consider sharable
after careful review of any related security risks, and defining related security
procedures and processes.
and I/O Device Report produced by the Input/Output Configuration Program must
be thoroughly examined by the Security Administrator for indications of unwanted
sharing or reconfigurability of channels and devices.
must be performed to establish that the physical configuration is identical to that
specified in the IOCDS source file. Specific attention should be given to devices
with multiple device path capability, to help ensure that one device (or control
unit) does not (accidentally) connect to more than one partition's channel paths.
they are actually updated.
dragging the CPC Icon over to the I/O Configuration task under the CPC
Discussion
No security-relevant parameters.
Assign logical partition names and MIF image IDs
so that explicit control is asserted, and maximum
checking of following IOCDS source statements is
enabled.
v Use PARTITION parameter to specify which
logical partition each channel path is allocated to.
v Don't use the SHARED parameter.
v Don't use REC without study of security
implications.
v Specify whether the channel path is
REConfigurable, and specify which logical
partitions are to have access (using logical
partition names in the candidate list).
v Do not use the IOCLUSTER keyword. Use of
this keyword will enable sharing of CHPIDs by
partitions within the named cluster.
Specification of the PATH parameter must be
accorded care so that a secure configuration
results.
Specification of the CUNUMBR parameter must be
accorded care so that a secure configuration
results.