Steps for preparing the z/OS system for IP security

Establish the security needs for your installation. Set up key required applications, modify default IP filter policy if necessary, configure the IKE daemon, configure the NSS daemon and additional encryption products as needed, and create IP security policy configuration files.

Before you begin

You need to be familiar with the concepts of IP filter logging and IPSec protection. See Overview of using IP security. You also need to be familiar with the commands used to administer IP security. See Commands used to administer IP security.

Procedure

Perform the following steps to prepare the z/OS® system for IP security.

  1. Develop a site policy to address the security needs of your installation. Consider the following questions before beginning to build a robust IP security policy:
    • Do you want a default-allow or default-deny policy?
    • If you want a default-deny policy, what traffic is allowable as critical to the correct functioning of the system?
    • What hosts are allowed to send data to the secure host?
    • Do you understand the network topology, and where the communicating hosts are located within the network?
    • Are there network address translation (NAT) devices in the network topology?
    • What type of traffic is allowable from those hosts?
    • What general network services that rely on well-known ports do you want to allow?
    • Will you forward any packets you receive that are not destined for you?
    • Who is allowed to configure the IP security policy?
    • Are you running with one TCP/IP stack, or more than one TCP/IP stack?
    • Are you running IPv6 traffic?
    • Will all TCP/IP stacks share the same policy definitions, or will they have unique differences?
    • Will traffic that is sent or received by the secure host traverse the Internet?
    • Do you want to participate in a VPN? (If so, IPSec is required.)
    • If IPSec is required:
      • What are the IPSec capabilities of the remote endpoints?
      • How do you want to authenticate participating hosts:
        • Pre-shared key?
        • Digital signature? (requires digital certificates)
      • What type of authentication is needed for the data that is involved?
      • Is encryption needed for the data that is involved, and how strong should the encryption algorithms be?
      • Will all participating hosts use the same level of data encryption and authentication, or do you need to define unique policies for individual hosts?
  2. Identify the resources to be secured. Create a worksheet for each TCP/IP stack you will enable for IP security. This information aids in determining which interfaces and connected networks are secured. You can later use the information from the worksheets to provide values for IP security policy configuration statements. Figure 1 includes a sample worksheet:
    Figure 1. Sample worksheet for stack security
    Host name of z/OS system _____________________________________

Complete for each TCP/IP stack on this host:
TCP/IP stack name ______________IPSECURITY-enabled (Y/N)______
Network interface(s)
IPv4 address/Mask______________________Security Class_________
IPv4 address/Mask______________________Security Class_________
IPv4 address/Mask______________________Security Class_________
IPv4 address/Mask______________________Security Class_________
IPv6 address/Prefix____________________Security Class_________
IPv6 address/Prefix____________________Security Class_________
Virtual IPv4 address/Mask____________________
Virtual IPv4 address/Mask____________________
Virtual IPv4 address/Mask____________________
Virtual IPv4 address/Mask____________________
Virtual IPv6 address/Prefix__________________
Virtual IPv6 address/Prefix__________________

Identities, other than IP address, by which the IKE daemon will be known
(e.g., X500dn, Fqdn, UserAtFqdn, KeyID)
___________________
___________________
___________________
___________________
___________________

    Security class is an optional designation for a network interface. You can assign network interfaces a security class (1-255) that is used to group interfaces with similar security requirements. This concept is an extension of the traditional notion of secure and nonsecure interfaces, to allow for more than two classes. The secure and nonsecure model can still apply if only two security classes are defined.

    Complete a table of remote hosts and subnetworks with which this host needs to transfer data, as shown in Table 1. The remote hosts can optionally be grouped in a user-defined zone to simplify the number of IP filter rules that are required. For instance, you might want to define an internal, external, trusted, Internet, partner company, or other zone that has meaning to your site.

    Rule: If the remote IKE peer is on a security gateway to the remote host, the IP address of the remote host might not match the IP address of the remote IKE peer. If this is the case, tunnel-mode encapsulation of IPSec traffic is required.
    Table 1. Table of remote hosts and subnetworks
    Remote IP address or subnet User-defined zone of remote hosts Identity of remote IKE peer (IpAddr, X500dn, KeyID, Fqdn, or UserAtFqdn) IP address of remote IKE peer Allowed list of services (Telnet, FTP, web, EE, ALL, or other) Security action (permit, deny, ipsec) IPSec security level, if applicable
                 
                 
  3. Modify the default IP filter policy (optional). After the site policy is established, you can modify the default IP filter policy if necessary. For a description and examples of how to modify the default IP filter policy, see Default IP filter policy and IP security policy.
    Guideline: You should define IPSECRULE and IPSEC6RULE statements that permit access from at least one administrative machine. In the event that Policy Agent is unavailable, or the IP security configuration files contain errors, the active default policy would deny access to the IP security-enabled stack. Should this situation occur, if you have added the appropriate IPSECRULE and IPSEC6RULE statements to the default policy, you can still access the secure z/OS host and make the necessary administrative changes to correct the problem.
  4. Set up the key required applications:
    • TCP/IP

      To enable IP security on a z/OS stack, make the following changes in the TCP/IP profile:

      • Add IPCONFIG IPSECURITY.
      • To also enable IP security for IPv6, add IPCONFIG6 IPSECURITY.
      • Reserve ports 500 and 4500 for IP security. If the IKE daemon is running on this system, reserve the ports for the user ID under which the IKE daemon is running. In this example, the IKE daemon is running under the IKED user ID: 
        500   UDP        IKED
4500  UDP        IKED
        If the IKE daemon is not running on this system, reserve the ports by specifying RESERVED: 
        500   UDP        RESERVED
4500  UDP        RESERVED
      • To direct IPSec's AH and ESP protocol processing to zIIPs, add GLOBALCONFIG ZIIP IPSECURITY.
      For information on the IPCONFIG, IPCONFIG6, GLOBALCONFIG, and PORT statements, see z/OS Communications Server: IP Configuration Reference.
    • Policy Agent

      For information on configuring the Policy Agent, see Policy-based networking.

    • TRMD

      For information on configuring TRMD, see TRMD.

    • Syslogd

      For information on configuring the syslog daemon, see Configuring the syslog daemon.

    • IKED

      The IKED can be started from a z/OS UNIX command line or as an MVS™ procedure. The iked.conf file controls the overall function of the IKE daemon, such as the following settings:

      • The logging level of the IKE daemon
      • The logging level of the Policy Agent when performing IP security-related tasks on behalf of the IKE daemon
      • The name of the RACF® key ring that is owned by the IKE daemon
      • Whether IKE messages are echoed to STDOUT when the daemon is started for the UNIX System services shell
      • How long to wait when attempting to connect to the Policy Agent
      • The list of certificate authorities that are acceptable for RSA signature negotiation when the IKED is using the native certificate service (when the Network Security Services (NSS) server is providing the certificate service, this list is not used)

      Most of the configuration parameters have a default value and do not require modification.

      Rule: If the RSA signature method is to be used in any IKE phase 1 negotiation and the IKED is using the native certificate service, the name of the IKE key ring must be included in the iked.conf file. If the NSS server is providing the certificate service, the IKE key ring name is not needed.
      Tip: If the RSA signature method is used and the IKED is using the native certificate service, including a list of supported certificate authorities enhances the performance of certificate searches.
      Guideline: You should not change the logging levels of the IKE daemon (IkeSyslogLevel) and Policy Agent (PagentSyslogLevel) from their default values for normal day-to-day operation. Higher logging levels can affect performance and should be used for temporary diagnostic purposes only. The default PagentSyslogLevel value 0 prevents the IKE daemon from logging diagnostic information about its interactions with Policy Agent. The default IkeSyslogLevel value 1 provides basic informational and error messages. You can set the IkeSyslogLevel value to 0 to disable IKE syslog messages entirely (for both the IKE daemon and Policy Agent; to collect PagentSyslogLevel tracing, the IkeSyslogLevel value must also be a nonzero value). You can set the IkeSyslogLevel value to a higher value to identify the source of an error; for example, if you experience problems with Security Association negotiations that are caused by a configuration error, you might enable IkeSyslogLevel 4 (debugging information for Security Association negotiations).

      For detailed syntax and a description of the iked.conf file, and details on starting the IKE daemon as an MVS procedure, see z/OS Communications Server: IP Configuration Reference.

  5. Define access controls for key required applications:
    • TRMD

      TRMD runs as an authorized program and requires RACF setup. TRMD must be able to run as a started task and have superuser authority. For sample RACF commands, see the EZARACF member of SEZAINST.

    • Policy Agent

      Policy Agent runs as an authorized program and requires RACF setup. Policy Agent must be able to run as a started task and have superuser authority. For sample RACF commands, see the EZARACF member of SEZAINST and Step 1: Configure general information.

    • IKED

      For the steps to prepare for running the IKE daemon, see Steps for preparing to run IP security.

  6. Configure the IKE daemon. See Steps for preparing to run IP security.
  7. (Optional) Configure the NSS daemon. If the IKED is using the NSS certificate service for any IKEv1 or IKEv2 Security Association negotiation, then configure the NSS daemon. The IKED must use the NSS certificate service for any IKEv2 negotiation that uses certificates for authentication. The IKED can use either the native certificate service or the NSS certificate service for an IKEv1 negotiation that uses certificates for authentication.

    For more information about the NSS daemon, see Network security services.

  8. (Optional) Configure additional encryption products.
    • 3DES support

      For 3DES (triple DES), the IP security level 3 feature, FMID JIP614K, is required.

    • AES support (including AES-CBC, AES-GCM and AES-GMAC)

      For AES, the Communications Server Security Level 3 feature and the z/OS Security Level 3 feature are required and ICSF must be started.

    • FIPS 140

      For IKED, NSSD, and TCP/IP to run in FIPS 140 mode, you must first choose one of several modes of FIPS operation for ICSF and start ICSF.

      Requirement: ICSF must be active before starting the IKE daemon or NSS server configured in FIPS 140 mode. For information about enabling ICSF to support FIPS 140-2, see the topic about operating in compliance with FIPS 140-2 in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.
    • ICSF

      There are several options available on z/OS to perform encryption in hardware. The ICSF product is required to support these various options. For a description and information about how to configure these options, see z/OS Cryptographic Services ICSF Administrator's Guide.

      For the RACF commands that authorize ICSF, see Steps for preparing to run IP security.

    • SHA2 support (including SHA2-256, SHA2-384, and SHA2-512, as well as all corresponding HMAC-SHA2 algorithms) and AES authentication (AES-XCBC)

      For SHA2 and AES-XCBC authentication, ICSF must be started.

  9. Create IP security policy configuration files. After the security needs of your installation are established, the next step is to create one or more IP security policy configuration files. There are two main configuration files in which IP security policy configuration is stored:
    Stack-specific IP security configuration file
    Configured on a per-stack basis and contains only IP security policy configuration that applies to the stacks for which it is configured.
    Common IP security configuration file
    Contains IP security policy configuration that applies to every stack on the system and can be used to hold shared definitions.

    The stack-specific file can refer to various definitions in the common file, and can override policy definitions in the common file.

    Although Policy Agent uses LDAP to store policy for some other policy types, IP security policy configuration is stored exclusively in human-readable text files, either in the z/OS UNIX file system or in an MVS data set. These configuration files are then read by Policy Agent when it initializes and before being installed into the stack.

Parent topic: IP security