z/OS Communications Server: IP Programmer's Guide and Reference


Local IPSec NMI

SC27-3659-02

The z/OS® Communications Server IKE daemon provides the IPSec network management interface (NMI). The IPSec NMI is an AF_UNIX socket interface through which network management applications can manage IP filtering and IPSec on local TCP⁄IP stacks. Use this interface for network management applications that expect to maintain agents on each individual z/OS system or use it in any environments where z/OS network security services (NSS) is not enabled. If your applications use a centralized management and monitoring approach, you should consider using the NSS management interface that is described in Network security services (NSS) network management NMI.

This interface enables applications to obtain the following types of data regarding the local TCP⁄IP stacks and the IKE daemon:
  • Information about which TCP⁄IP stacks are configured for integrated IPSec/VPN
  • Summary statistics for IKE, IPSec, and IP filtering activity for a particular TCP⁄IP stack
  • Detailed information about IP filters for a particular TCP⁄IP stack
  • Detailed information about IPSec and IKE security associations (SAs) for a particular TCP⁄IP stack
  • Port translation information for NAT traversal
  • Information about which IP interfaces are active for a given TCP⁄IP stack
  • Information about NSS clients that are active in the local IKE daemon
In addition, network management applications can perform the following functions to control IP filtering and IPSec over the same AF_UNIX socket:
  • Activate and deactivate manual and dynamic tunnels
  • Refresh dynamic tunnels
  • Switch between default IP filters and policy-based IP filters
With the IPSec network management interface, a client network management application makes requests and performs management actions by sending messages over an AF_UNIX stream socket connection to the IKE daemon. The requested data is returned to the application directly over the AF_UNIX connection.
Tip: If you are processing IPSec SMF records, there are some structures that were designed to be analogous to IPSec NMI structures. If you have code to process these structures, you might not need to write new parsing code. The section names are indicated in the individual SMF records and are described in detail in Type 119 SMF records.
The terms phase 1 and phase 2 refer to different types of security associations (SAs) that the z/OS IKE daemon can negotiate with its peers. Although the specific terminology for these types of security associations differs between the IKE version 1 and IKE version 2 protocols, the terms phase 1 and phase 2 refer to both versions. IKE terminology includes the following definitions:
Phase 1 security association (SA)
Refers to IKE version 1 phase 1 SAs and IKE version 2 IKE SAs. When a specific version is intended, that version is identified in this document.
Phase 2 security association (SA)
Refers to IKE version 1 phase 2 SAs and IKE version 2 child SAs. When a specific version is intended, that version is identified in this document.





Copyright IBM Corporation 1990, 2014