Description: In z/OS V1R13, the Internet Key Exchange (IKE)
daemon is enhanced to take advantage of new services that are provided
by Integrated Cryptographic Service Facility (ICSF) when the IKE daemon
is running in Federal Information Processing Standards (FIPS) mode.
The new ICSF services are provided in updates to ICSF PKCS number
11 functions CSFPDVK and CSFPDMK. ICSF now provides the following
information to the IKE daemon, each with a single call to ICSF:
- The derivation of the original seed key.
- The phase 1 key set.
- The phase 2 key set.
| Element or feature: |
Communications Server. |
| When change was introduced: |
z/OS V1R13. |
| Applies to migration from: |
z/OS V1R12. |
| Timing: |
Before installing z/OS V2R1. |
| Is the migration action required? |
Yes, if you currently run the IKE daemon in
FIPS mode and if you control the access to ICSF resources in the CSFSERV
class. |
| Target system hardware requirements: |
None. |
| Target system software requirements: |
None. |
| Other system (coexistence or fallback) requirements: |
None. |
| Restrictions: |
None. |
| System impacts: |
None. |
| Related IBM Health Checker for z/OS check: |
None. |
Steps to take: Follow these steps:
- The IKE daemon now requires READ access to the CSF1DVK and CSF1DMK
resources in CSFSERV when the IKE daemon is configured to run in FIPS
mode.
- If your security server is RACF, issue the following commands
in the order shown. If you use a different security server, determine
and perform the equivalent steps.
- PERMIT CSF1DVK CLASS(CSFSERV) ID(IKED) ACCESS(READ)
- PERMIT CSF1DMK CLASS(CSFSERV) ID(IKED) ACCESS(READ)
- SETROPTS RACLIST(CSFSERV) REFRESH
Reference information: For details, see the steps for setting
up profiles in the CSFSERV resource class in z/OS V2R1.0 Communications Server: IP Configuration Guide.