Assure Security and Illumio configuration - 7.0

Assure Security Illumio Implementation Guide
Product type
Software
Portfolio
Integrate
Product family
Assure
Product
Assure Security > Assure Elevated Authority Manager (EAM)
Assure Security > Assure Encryption
Assure Security > Assure Secure File Transfer
Assure Security > Assure Monitoring and Reporting (AMR)
Assure Security > Assure Security Multi-Factor Authentication (MFA)
Assure Security > Assure DB2 Data Monitor (DB2MON)
Assure Security > Assure Security Risk Assessment (SRA)
Assure Security > Assure System Access Manager (SAM)
Assure Security > Assure Secure File Transfer with PGP
Version
7.0
ft:locale
en-US
Product name
Assure Security
ft:title
Assure Security Illumio Implementation Guide
Copyright
2025
First publish date
2025
ft:lastEdition
2025-06-03
ft:lastPublication
2025-06-03T12:57:58.093000

 

Follow these steps to configure the Illumio integration with Assure SAM:

  1. Activate the SAM exit points. System Access Manager uses exit points to control access attempts using host servers or TCP servers. There are 2 exit points used for the Illumio integration. You can activate the exit points using menu options or commands.

    To activate the points using a menu option, follow these steps:

    1. Run the SECACCESS command to access the Assure System Access Manager main menu.

    2. Select option 1 to access the Work with Points (WRKQXPNT) screen.

    3. Select option 10=Stat *ON/OFF to activate the SCK_ACCEPT exit point.

    4. Select option 10=Stat *ON/OFF to activate the SCK_CONNEC exit point.

      Note: Option 10=Stat *ON/*OFF is a toggle to activate/deactivate a SAM Exit Point.

    To activate the points via commands, run the following commands:

    • To activate the SCK_ACCEPT exit point:

      VRYQXPNT PNT(SCK_ACCEPT) STATUS(*ON)
    • To activate the SCK_CONNEC exit point:
      VRYQXPNT PNT(SCK_CONNEC) STATUS(*ON)
    For more information on exit points, controls and condition lists, refer to the section Concepts and Terminology in the Assure System Access Manager User Guide.
  2. Monitor SAM activity in simulation mode. With the simulation mode, System Access Manager allows the detection of events but the decision does not impact the operations.
    1. Select option 10 from the Assure System Access Manager menu (SECACCESS) to access the Display System Access Mgr. Log screen. Alternatively, run the DSPQXLOG command.
    2. Use the filter options at top of screen to locate the records you are looking for.

    3. Use the Function keys and options as needed.

      Note: The Date/Time filter displays log data from the selected date and time, forward in time.
  3. Run the CFGILOSRV command to configure the Illumio log service. Enter values for the parameters related to the log service. For example:

    You can also enter values for the following fields, but they are not required:

    The following is an example of the command with the relevant fields filled in:
    CFGILOSRV WRKLDNAM(TEMP) APISVIP('temp') APIPORT(443) AUTHUSER('temp')
SECRET('temp') ORGID('temp') SWCHID('temp') FLSYSIP('ec2-54-69-155-151.us-west-2.compute.amazonaws.com') 
FLSYSPORT(5014) FLSYSPRTCL(*TCP) FLSYSTAG('PRECISELY') ACLTIMINT(10)

    where the temp values are placeholders which will be replaced with actual values in the ACL service configuration.

    For details, see Commands for the Assure SAM integration with Illumio.

  4. Run the STRILOSRV SERVICE(*LOG) command to start the Illumio log service. For details, see Commands for the Assure SAM integration with Illumio.
  5. Validate that the FlowLink traffic page shows traffic from the IBM i.
  6. Analyze the log data in Illumio. Based on this information, configure the Illumio workload (in Illumio). For details, refer to the Illumio documentation here.
    Note: This step may take extended time. When complete, all required parameters for the CFGILOSRV command should be known.
    Note: The Illumio workload name must be in uppercase.
  7. Run the CFGILOSRV command with all parameters filled in.
    Example: 
    CFGILOSRV WRKLDNAM(*SYSNAME) APISVIP('POC1.ILLUM.IO') APIPORT(443) AUTHUSER('api_435s6r54j9aswe5m7')
SECRET('9364sd6351shfte9f308364c63826354fd874dhf8c8e836e9687f07241d8df45g3')
ORGID('87356') SWCHID('db17a4e5-7fed-442c-864e-f87b973d0a62') 
FLSYSIP('ec2-24-67-123-412.us-west-2.compute.amazonaws.com') FLSYSPORT(5015) FLSYSPRTCL(*TCP) FLSYSTAG('PRECISELY') 
ACLTIMINT(10) DVCTIMOUT(5) LOGTIMINT(5) ALTSUPPINT(60)
    where the values in the command parameters are based on the information collected in the previous step.
  8. Run the STRILOSRV SERVICE(*ACL) command to start the Illumio ACL service.
  9. After the Illumio services start, validate that the ILLUMIOAC4 and ILLUMIOCO4 condition lists show the converted ACL file rules (option 5 from the SECACCESS menu).
    Note: The ILLUMIOACU and ILLUMIOCOU condition lists are used for whitelisting certain users.