The following terms and concepts are used in this information:
- 3DES
- Also known as triple DES, this encryption method uses three DES
operations on a single data block with three different keys. Provides
greater security than single DES.
- Active
- Used in three ways:
- Describes the filter policy that is in effect (default or Policy
Agent).
- Describes the state of the rules or actions that are defined in
Policy Agent. These rules or actions can be active or inactive due
to a time condition.
- Describes the state of a manual tunnel installed in the TCP/IP
stack. A manual tunnel can be active (available for use) or inactive
(not available for use).
- Active IPSec policy
- The policy that is in effect, either the default filter policy
or the IP security filter policy.
- Advanced Encryption Standard (AES)
- A symmetric block cipher that can encrypt (encipher) and decrypt
(decipher) information. IP security for z/OS® Communications
Server supports AES with a 128-bit key length.
- AES Cipher Block Chaining (CBC) (AES_CBC) mode
- The AES algorithm using the CBC mode. IP security for z/OS Communications Server supports
AES_CBC with a 128-bit or 256-bit key length.
- AES Galois Counter Mode (GCM)
- The AES algorithm using Galois Counter Mode and with a 16-byte
integrity check value (ICV). Galois Counter Mode is a combined-mode
algorithm that performs both encryption and authentication simultaneously.
IP security for z/OS Communications
Server supports AES_GCM with a 128-bit or 256-bit key length.
- AES Galois Message Authentication Code (GMAC)
- The AES algorithm using Galois Counter Mode to encode authentication
data in either AH or ESP headers. AES_GMAC functions as a combined-mode
algorithm; however, it provides authentication without encryption.
IP security for z/OS Communications
Server supports AES_GMAC with a 128-bit or 256-bit key length.
- AES Extended Cipher Block Chaining (XCBC)
- The AES algorithm using the XCBC mode to encode authentication
data in either AH or ESP headers, with 128-bit keys and hash truncation
to 96 bits.
- Asymmetric encryption
- Also known as public/private key encryption, this type of encryption
is performed between two parties using pairs of encryption and decryption
keys.
- Authentication Header (AH)
- An IP protocol (51) used with an IPSec Security Association to
provide authentication of IP packets.
- Autoactivation
- The process by which a dynamic tunnel is activated when IP security
policy is installed into the TCP/IP stack, either as the result of
a user action, or the result of TCP/IP or the IKED initialization.
- Certificate authority
- A trusted third party that verifies information that is contained
in an X.509 digital certificate.
- Certificate revocation list (CRL)
- A time-stamped list of revoked certificates that is signed by
a certificate authority.
- Child Security Association
- The IKEv2 name for a phase 2 Security Association.
- Command-line activation
- The process of activating a tunnel through the use of the ipsec command.
Both manual and dynamic tunnels can be activated from the z/OS UNIX command
line.
- CRLDistributionPoints
- An optional X.509 certificate extension that identifies one or
more locations where the CRL for a certificate is.
- Data encryption standard (DES)
- A block cipher with 64-bit blocks and a 56-bit key.
- Default IP filter policy
- Used until the IP security filter policy is installed by Policy
Agent. The default IP filter policy includes both the filter rules
you define in the TCP/IP profile and the implicit default filter rules
that the stack generates. The implicit default filter rules deny all
traffic that does not match any configured filter rule.
- Dynamic tunnel
- An IPSec tunnel whose security parameters are negotiated and whose
encryption keys are generated dynamically using IKE.
- Elliptic curve digital signature algorithm (ECDSA)
- The algorithm that is used to authenticate a remote security endpoint
using ECDSA with either SHA2-256 on the P-256 curve, SHA2-384 on the
P-384 curve, or SHA2-521 on the P-521 curve.
- Encapsulating Security Payload (ESP)
- An IP protocol (50) used with an IPSec Security Association to
provide authentication and encryption of IP packets.
- Hashed message authentication code (HMAC)
- A one-way hash function that combines the contents of a message
and a secret key to produce a hash value; used for authentication.
- HMAC_MD5
- HMAC using the MD5 algorithm.
- HMAC_SHA1
- HMAC using a SHA1 algorithm that encodes authentication data in
AH or ESP headers, using a 160-bit hash value and 96-bit integrity
check value (ICV).
- HMAC_SHA2
- HMAC using a SHA2 algorithm that encodes authentication data in
AH or ESP headers and that is qualified by the length of key and hash
truncation. The algorithm can have 256-bit keys and hash truncation
to 128 bits, 384-bit keys and hash truncation to 192 bits, or 512-bit
keys and hash truncation to 256 bits.
- IKE negotiation
- A process by which two communicating IKE-enabled peers agree on
a set of parameters that are used to protect traffic between them.
This set of parameters is collectively known as a Security Association.
One peer acts as the initiator of the negotiation, the other as the
responder.
- IKE Security Association
- The IKEv2 name for a phase 1 Security Association.
- IKE tunnel
- A tunnel that protects IKE phase 2 messages.
- Internet Key Exchange (IKE)
- A protocol for the secure generation and management of encryption
keys over an existing IP network. There are two versions, commonly
referred to as IKE version 1.0 (IKEv1) and IKE version 2.0 (IKEv2).
- Internet Security Association and Key Management Protocol (ISAKMP)
- Defines IKEv1 procedures and packet formats to establish, negotiate,
modify, and delete Security Associations.
- IP filter rule
- A configured rule that defines the action applied to an IP traffic
pattern that is encompassed by the rule. The possible actions include
permit, deny, and permit with IPSec protection.
- IP filter table
- An ordered list of IP filter rules. When IP filtering is active
on a host, the table is consulted for each IP packet that is sent
or received. The action of the matching IP filter rule is enforced
by the TCP/IP stack.
- IPSec
- A suite of protocols and standards defined by the Internet Engineering
Task Force (IETF) for secure communication over an existing IP network.
- IPSec tunnel
- A tunnel that protects IP traffic between two endpoints using
one or both of the IPSec protocols. Manual and dynamic tunnels are
both instances of an IPSec tunnel.
- IP security filter policy
- The policy that is installed by the Policy Agent. It includes
the filter rules you define in the Policy Agent configuration files
and an implicit deny all rule that is generated by Policy Agent.
- IP traffic pattern
- The set of IP traffic attributes that can be used as input to
an IP filter table query. Typically, this includes IP source address,
IP destination address, source port, destination port, protocol, and
direction (inbound or outbound).
- Manual tunnel
- An IPSec tunnel whose security parameters and encryption keys
are statically configured and must be manually managed by a security
administrator.
- Message authentication code (MAC)
- A tag derived from the contents of a message and a secret key.
The tag can be used to authenticate the integrity of a message as
well as the source of the message.
- Message digest algorithm 5 (MD5)
- A MAC algorithm that produces a 128-bit hash value.
- NAT traversal (NATT)
- Traversal of IPSec traffic through a NAT device.
- Network address port translation (NAPT)
- A technique where multiple internal IP addresses are translated
into a single public IP address. As part of this translation process,
the TCP and UDP ports in the packets are translated. NAPT is sometimes
referred to as port address translation (PAT) or IP masquerade.
- Network address translation (NAT)
- Network address translation is a broad term that encompasses both
a one-to-one address translation function, translating a single internal
IP address to a single public IP address, and the NAPT function.
- Network security services (NSS)
- Services performed in support of security enforcement or management.
- NSS client
- Requests network security services from an NSS server. The z/OS IKE daemon can act as an NSS
client for a TCP/IP stack.
- NSS server
- Provides network security services for one or more NSS clients.
- On-demand
- The process by which a dynamic tunnel is activated by outbound
traffic flow without user intervention.
- Phase 1
- The first stage of an IKE negotiation, in which an ISAKMP Security
Association is established between two IKEv1-enabled peers, or in
which an IKE Security Association is negotiated between two IKEv2-enabled
peers. A phase 1 Security Association refers to IKEv1 ISAKMP SAs,
as well as to IKEv2 IKE SAs.
- Phase 2
- The second stage of an IKE negotiation, in which an IPSec Security
Association is established between two IKEv1-enabled peers, or in
which a child Security Association is negotiated between two IKEv2-enabled
peers. A phase 2 Security Association refers to IKEv1 IPSec SAs, as
well as to IKEv2 child SAs.
- Rivest Shamir Adleman (RSA)
- An asymmetric key encryption method, in which the key that is
used to encrypt data is different than the key that is used to decrypt
the data. RSA can be used for encryption, or to authenticate a digital
signature.
- Secure hash algorithm 1 (SHA1)
- A MAC algorithm similar to MD5, but more secure. This algorithm
produces a 160-bit hash value.
- Secure hash algorithm 2 (SHA2)
- A MAC algorithm similar to SHA1, but more secure. This algorithm
produces a 256-bit, 384-bit or 512-bit hash value.
- Security Association (SA)
- An agreement between two IPSec-enabled hosts that describes the
type of data to protect and the methods that are used to protect the
data. IKE creates a phase 1 Security Association to protect IKE messages
(also known as the ISAKMP Security Association or the IKE Security
Association), and a phase 2 Security Association to protect data traffic
(also known as the IPSec Security Association or the child Security
Association).
- Symmetric encryption
- Encryption that is performed between two parties sharing the same
encryption key. Also known as secret key encryption.
- Transport mode encapsulation
- A process used to construct IPSec packets by inserting one or
more additional IPSec headers between the IP header to be protected
and the IP payload of the packet to be protected.
- Tunnel
- A secure logical connection or channel that is defined by a collection
of Security Associations that define the security parameters protecting
traffic between two endpoints.
- Tunnel activation
- The process by which a tunnel becomes active or usable. For dynamic
tunnels, this process involves initiating an IKE negotiation.
- Tunnel mode encapsulation
- A process used to construct IPSec packets by creating a new IP
header with an IP payload consisting of the entire IP packet being
protected, and then inserting one or more additional IPSec headers
between the new IP header and its IP payload (that is, the original
IP packet).
- UDP encapsulation
- A process used to construct IPSec packets by first applying tunnel
mode encapsulation or transport mode encapsulation to an IP packet
to be protected by the ESP protocol, and then inserting a UDP header
between the IP header and the ESP header.
- Virtual private network (VPN)
- A logical network of connected network nodes that communicate
through secure channels (tunnels), typically by using the IPSec protocols
(AH and ESP).
- X.500 distinguished name
- A collection of X.509 values, such as common name, host name,
organization, organizational unit, and so on, that is stored in an
X.509 digital certificate. An X.500 distinguished name is used as
a globally unique identifier for the owner.
- X.509 digital certificate
- A set of information in the X.509 standard containing various
attributes about an entity, including identity information and a public
key that is used for encrypted communications with that entity.