If you code more than one IkeConfig statement, the last statement is used. Likewise, if a parameter other than SMF119 or SupportedCertAuth is specified more than once in the IkeConfig statement, the value from the last statement is used. SMF119 adds to, but does not replace, the types of SMF records to be written. SupportedCertAuth defines a set of certificate authorities (CAs); each specified value adds to, but does not replace, the list of CAs supported by the local security endpoint.
>>-IkeConfig--| Braces & Parms on Separate Lines |-------------><

Braces & Parms on Separate Lines

|--+-{------------------------+---------------------------------|
   +-| IkeConfig Parameters |-+
   '-}------------------------'

IkeConfig Parameters

   .-IkeSyslogLevel--1-.  .-PagentSyslogLevel--0-.
|--+-------------------+--+----------------------+-------------->
   '-IkeSyslogLevel--n-'  '-PagentSyslogLevel--n-'

   .-SMF119--None------.  .-IkeRetries 6-.  .-IkeInitWait 2-.
>--+-------------------+--+--------------+--+---------------+--->
   +-SMF119--None------+  '-IkeRetries n-'  '-IkeInitWait n-'
   +-SMF119--IKEALL----+
   +-SMF119--IKETunnel-+
   '-SMF119--DynTunnel-'

   .-FIPS140 no------.  .-KeyRing--iked/keyring----.
>--+-----------------+--+--------------------------+------------>
   '-FIPS140-+-yes-+-'  +-KeyRing--userid/ringname-+
             '-no--'    '-KeyRing--ringname--------'

   .-Echo--no------.
>--+---------------+-------------------------------------------->
   '-Echo--+-yes-+-'
           '-no--'

>--+------------------------------------------------------------------------+-->
   |                            .-Port 4159-.                               |
   '-NetworkSecurityServer host-+-----------+-Identity--+-IpAddr authid-----+-'
                                '-Port port-'           +-Fqdn authid-------+
                                                        +-UserAtFqdn authid-+
                                                        '-X500dn authid-----'

>--+------------------------------------------------------------------------------+-->
   |                                  .-Port 4159-.                               |
   '-NetworkSecurityServerBackup host-+-----------+-Identity--+-IpAddr authid-----+-'
                                      '-Port port-'           +-Fqdn authid-------+
                                                              +-UserAtFqdn authid-+
                                                              '-X500dn authid-----'

   .-NssWaitLimit 60------.  .-NssWaitRetries 3-.
>--+----------------------+--+------------------+--------------->
   '-NssWaitLimit seconds-'  '-NssWaitRetries n-'

                      .-------------------------.
   .-PagentWait--0-.  V                         |
>--+---------------+----SupportedCertAuth Label-+--}------------|
   '-PagentWait--n-'
The KeyRing parameter is not used by NSS client TCP/IP stacks.
Event | Seconds since last event | Elapsed time in seconds |
---|---|---|
Send initial message | 0 | 0 |
1st wait interval expires: message retransmitted | 2 | 2 |
2nd wait interval expires: message retransmitted | 4 | 6 |
3rd wait interval expires: message retransmitted | 8 | 14 |
4th wait interval expires: message retransmitted | 16 | 30 |
5th wait interval expires: message retransmitted | 32 | 62 |
6th wait interval expires: message retransmitted | 64 | 126 |
7th wait interval expires: message exchange is dropped | 128 | 254 (see note) |
Note: 254 seconds is 4 minutes, 14 seconds.
Event | Seconds since last event | Elapsed time in seconds |
---|---|---|
Send initial message | 0 | 0 |
1st wait interval expires: message retransmitted | 15 | 15 |
2nd wait interval expires: message retransmitted | 30 | 45 |
3rd wait interval expires: message retransmitted | 60 | 105 |
4th wait interval expires: message retransmitted | 120 | 225 |
5th wait interval expires: message retransmitted | 240 | 465 |
6th wait interval expires: message retransmitted | 480 | 945 |
7th wait interval expires: message retransmitted | 960 | 1905 |
8th wait interval expires: message retransmitted | 1920 | 3825 |
9th wait interval expires: message exchange is dropped | 3840 | 7665 (see note) |
Note: 7665 seconds is 2 hours, 7 minutes, 45 seconds.
Event | Seconds since last event | Elapsed time in seconds |
---|---|---|
Send initial message | 0 | 0 |
1st wait interval expires: message retransmitted | 1 | 1 |
2nd wait interval expires: message exchange is dropped | 2 | 3 |
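The three tables above follow one pattern: the first wait interval is IkeInitWait seconds, each later interval is double the previous one, and the exchange is dropped when the interval after the last retransmission expires. The following is an added example, not part of the z/OS documentation, that models that schedule for any IkeInitWait and IkeRetries pair; the assumption that the three tables correspond to IkeInitWait/IkeRetries values of 2/6, 15/8 and 1/1 is mine, inferred from the doubling intervals and the number of retransmissions shown.

```python
# Added example (not from the z/OS documentation): model of the IKE
# retransmission schedule implied by IkeInitWait and IkeRetries.
# Assumption: the first wait is IkeInitWait seconds, every later wait
# doubles, and the exchange is dropped when the (IkeRetries+1)th interval
# expires, which is what the tables above show.

from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    description: str
    since_last: int   # seconds since the previous event
    elapsed: int      # seconds since the initial message was sent


def ordinal(n: int) -> str:
    """1 -> '1st', 2 -> '2nd', 11 -> '11th', ..."""
    if 10 <= n % 100 <= 20:
        return f"{n}th"
    return f"{n}{ {1: 'st', 2: 'nd', 3: 'rd'}.get(n % 10, 'th') }"


def retransmission_schedule(ike_init_wait: int, ike_retries: int) -> list[Event]:
    """Return the event list for one IKE message exchange, like the tables above."""
    if ike_init_wait < 1 or ike_retries < 1:
        raise ValueError("IkeInitWait and IkeRetries must be positive")
    events = [Event("Send initial message", 0, 0)]
    wait, elapsed = ike_init_wait, 0
    for n in range(1, ike_retries + 2):
        elapsed += wait
        dropped = n == ike_retries + 1
        action = "message exchange is dropped" if dropped else "message retransmitted"
        events.append(Event(f"{ordinal(n)} wait interval expires: {action}", wait, elapsed))
        wait *= 2
    return events


def time_to_drop(ike_init_wait: int, ike_retries: int) -> int:
    """Seconds after which an unanswered exchange is abandoned."""
    return retransmission_schedule(ike_init_wait, ike_retries)[-1].elapsed


def hms(seconds: int) -> str:
    """Render a second count as 'Hh Mm Ss' for the footnotes in the tables."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h}h {m}m {s}s"


if __name__ == "__main__":
    # Constructed sample settings assumed to match the three tables above.
    for init_wait, retries in ((2, 6), (15, 8), (1, 1)):
        print(f"IkeInitWait {init_wait}, IkeRetries {retries}:")
        for ev in retransmission_schedule(init_wait, retries):
            print(f"  {ev.description:58} {ev.since_last:5d} {ev.elapsed:6d}")
        print(f"  dropped after {hms(time_to_drop(init_wait, retries))}")
```

Because the intervals double, the time to drop has the closed form IkeInitWait × (2^(IkeRetries+1) − 1); for the defaults that is 2 × 127 = 254 seconds. Raising IkeRetries therefore lengthens the window during which an unresponsive peer keeps the exchange alive far faster than raising IkeInitWait does.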
Requirement: ICSF must be active before starting the IKE daemon when FIPS140 YES is specified. For information about configuring ICSF to support FIPS 140-2, see Operating in compliance with FIPS 140-2 in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.
Rule: This parameter cannot be modified while the IKED is running. Attempts to modify the value while the IKED is running are ignored and a warning message is issued.
Tip: Enabling FIPS 140 mode provides a higher degree of assurance of the integrity of the cryptographic modules that IKE uses, including ICSF and System SSL. However, enabling FIPS 140 mode might require additional setup and configuration, it will restrict the available set of cryptographic algorithms, and it might result in a reduction in performance. See Cryptographic standards and FIPS 140 in z/OS Communications Server: IP Configuration Guide for more information.
A single server is used for all of the TCP/IP stacks configured as NSS clients. Stacks can be configured individually as NSS clients. Stacks with a corresponding NssStackConfig statement are treated as NSS clients; stacks without a corresponding NssStackConfig statement rely solely on local IKE resources.
Tip: The NetworkSecurityServer parameter is optional. However, if neither the NetworkSecurityServer nor the NetworkSecurityServerBackup parameter is specified, none of the TCP/IP stacks can function as an NSS client.
Use the MODIFY IKED,REFRESH command to change this value. If you change the NetworkSecurityServer value, the changes take effect for new connections, but existing connections are not dropped. If you want the old connections to be dropped, perform the following steps:
163.44.212.11
1080:0:0:0:8:800:200C:417A
norton.nycsanitation.gov
This parameter is optional.
The IKE daemon requires that communication with an NSS Server be protected using AT-TLS. During the AT-TLS handshake, the NSS server provides a certificate that is used to authenticate its identity. The IKE daemon interrogates this certificate and verifies that the identity in the certificate matches the identity specified on the NetworkSecurityServer parameter of the IkeConfig statement.
Any distinguished name that contains an imbedded blank must be enclosed in double quotes. For example, X500dn "CN=R. Kramden,T=Driver,O=Gotham Bus Company,C=US".
Abbreviation | Meaning |
---|---|
C | Country |
CN | Common name |
DC | Domain component |
E | E-mail address |
 | E-mail address (preferred) |
EMAILADDRESS | E-mail address |
L | Locality |
O | Organization name |
OU | Organizational unit name |
PC | Postal code |
S | State or province |
SN | Surname |
SP | State or province |
ST | State or province (preferred) |
STREET | Street |
T | Title |
CN=Hoffman,OU=Endicott,O=IBM,C=US
2.5.4.3=#130E526F6E616C6420486F66666D616E,2.5.4.11=#1308456E6469636F7474,2.5.4.10=#130349424D,2.5.4.6=#13025553
Individual characters can be represented using escape sequences. This is useful when the character cannot be represented in a single-byte character set. The hexadecimal value for the escape sequence is the UTF-8 encoding of the character in the Unicode character set. Table 5 shows some Unicode example letter descriptions.
Unicode letter description | 10646 code | UTF-8 | Quoted |
---|---|---|---|
LATIN CAPITAL LETTER L | U0000004C | 0x4C | L |
LATIN SMALL LETTER U | U00000075 | 0x75 | u |
LATIN SMALL LETTER C WITH CARON | U0000010D | 0xC48D | \C4\8D |
LATIN SMALL LETTER I | U00000069 | 0x69 | i |
LATIN SMALL LETTER C WITH ACUTE | U00000107 | 0xC487 | \C4\87 |
SN=Lu\C4\8Di\C4\87
An escape sequence can also be used for special characters that are part of the name and are not to be interpreted as delimiters. The following special characters must be represented as an escape sequence (prefixed with a backslash [\]) when used as part of the name:
"CN=L. Eagle,OU=Jones\, Dale and Mian,O=IBM,C=US"
In this example, the enclosing double quotes are required because of the imbedded blanks, not because of the escaped characters.
Rule: When an X500dn type identity is specified, the DN attributes must have the same order as those of the corresponding certificate subject name.
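The escaping and quoting conventions described above, together with the order-sensitive matching rule, can be made concrete in a few lines. The following is an added example and not code from the z/OS IKE daemon: it builds an X500dn identity string from attribute pairs, parses one back, and compares a configured identity against a certificate subject attribute by attribute, in order. Two assumptions are mine: the only delimiter it backslash-escapes is the comma (the one special character the page's `Jones\, Dale` example shows), and every character outside single-byte ASCII is written as the `\XX` hex bytes of its UTF-8 encoding.

```python
# Added example (not from the z/OS documentation): X500dn identity encoding,
# decoding and order-sensitive comparison following the conventions above.
# Assumptions: DELIMITERS holds the characters that need a backslash escape
# (only the comma is shown on the page); non-ASCII characters become the
# \XX hex bytes of their UTF-8 encoding; the whole identity is wrapped in
# double quotes when it contains a blank.

import re

DELIMITERS = {","}   # assumed; extend once the full list of special characters is known
_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})|\\(.)")


def escape_value(value: str) -> str:
    """Escape one attribute value: delimiters get a backslash, non-ASCII becomes \\XX bytes."""
    out = []
    for ch in value:
        if ch in DELIMITERS:
            out.append("\\" + ch)
        elif ord(ch) < 0x80:
            out.append(ch)
        else:
            out.append("".join(f"\\{b:02X}" for b in ch.encode("utf-8")))
    return "".join(out)


def format_x500dn(attrs: list[tuple[str, str]]) -> str:
    """Build the X500dn identity string; quote it when a blank is present."""
    dn = ",".join(f"{key}={escape_value(value)}" for key, value in attrs)
    return f'"{dn}"' if " " in dn else dn


def _decode(raw: str) -> str:
    # Collect hex escapes into a byte buffer so multi-byte UTF-8 sequences
    # such as \C4\8D decode to a single character.
    data = bytearray()
    i = 0
    while i < len(raw):
        m = _ESCAPE.match(raw, i)
        if m and m.group(1):
            data.append(int(m.group(1), 16))
            i = m.end()
        elif m:
            data.extend(m.group(2).encode("utf-8"))
            i = m.end()
        else:
            data.extend(raw[i].encode("utf-8"))
            i += 1
    return data.decode("utf-8")


def parse_x500dn(text: str) -> list[tuple[str, str]]:
    """Inverse of format_x500dn: split on unescaped commas, then decode escapes."""
    if len(text) >= 2 and text.startswith('"') and text.endswith('"'):
        text = text[1:-1]
    parts, buf, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf += text[i:i + 2]      # keep the escape intact for _decode
            i += 2
        elif text[i] == ",":
            parts.append(buf)
            buf = ""
            i += 1
        else:
            buf += text[i]
            i += 1
    parts.append(buf)
    attrs = []
    for part in parts:
        key, _, raw = part.partition("=")
        attrs.append((key, _decode(raw)))
    return attrs


def identity_matches(configured: str, cert_subject: list[tuple[str, str]]) -> bool:
    """Order-sensitive comparison, as the rule for X500dn identities requires."""
    return parse_x500dn(configured) == cert_subject


if __name__ == "__main__":
    # Constructed sample input: the surname from the Unicode example above.
    print(format_x500dn([("SN", "Lučić")]))
    print(format_x500dn([("CN", "L. Eagle"), ("OU", "Jones, Dale and Mian"), ("O", "IBM"), ("C", "US")]))
```

Note that `identity_matches` compares the attribute lists element by element, so `OU=Endicott,CN=Hoffman,...` does not match a subject whose first attribute is `CN`; that is the behaviour the rule above calls for, and it is why a certificate subject must be transcribed in its original order rather than by sorting or normalising the attributes.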
A single backup server is used for all of the TCP/IP stacks configured as NSS clients.
The NetworkSecurityServerBackup parameter is optional. It allows network security clients to connect to a backup NSS server at a different address or port from the primary. Alternatively, in a sysplex configuration, the primary NSS server can be configured on a dynamic VIPA to use the recovery capabilities of dynamic addressing. If no backup server is available when the primary server is not responsive, certificate and remote management services are unavailable to network security clients. In particular, if the NetworkSecurityServerBackup parameter is not specified, certificate services are unavailable to Network Security clients whenever the primary NSS server becomes unresponsive.
Network Security clients switch between the primary and the backup NSS servers whenever their current server becomes unresponsive. If both the primary and the backup become unresponsive, the Network Security client attempts to connect to the primary and the backup in a round-robin fashion until a successful connection is made. It is possible to have a situation where one NSS client is being managed by the primary server and another NSS client is being managed by the backup server. It is also possible to specify a backup server without specifying a primary server, in which case, the backup server is treated as if it is the primary server.
Use the MODIFY IKED,REFRESH command to change this value. If you change the NetworkSecurityServerBackup value, the changes take effect for new connections, but existing connections are not dropped. If you want the old connections to be dropped, perform the following steps:
163.44.212.11
1080:0:0:0:8:800:200C:417A
norton.nycsanitation.gov
The IKE daemon requires that communication with an NSS server be protected using AT-TLS. During the AT-TLS handshake, the NSS server provides a certificate that is used to authenticate its identity. The IKE daemon interrogates this certificate and verifies that the identity in the certificate matches the identity specified on the NetworkSecurityServer parameter of the IkeConfig statement.
The product of the NssWaitLimit and NssWaitRetries values defines the maximum number of seconds that an NSS client attempts to connect to an NSS server before switching to another server. For example, if the NssWaitLimit value is 60 and the NssWaitRetries value is 3, an NSS client waits at most 180 seconds in total for a successful connection with a given server. See the description of the NetworkSecurityServerBackup parameter for a discussion of how NSS clients switch between the primary and backup NSS servers.
The default value is 60 seconds. Use the MODIFY IKED,REFRESH command to change this value. The new value takes effect immediately.
The product of the NssWaitLimit and NssWaitRetries values defines the maximum number of seconds that an NSS client attempts to connect to an NSS server before switching to another server. For example, if the NssWaitLimit value is 60 and the NssWaitRetries value is 3, an NSS client waits at most 180 seconds in total for a successful connection with a given server. See the description of the NetworkSecurityServerBackup parameter for a discussion of how NSS clients switch between the primary and backup NSS servers.
The default value is 3 retries. Use the MODIFY IKED,REFRESH command to change this value. The new value takes effect immediately.
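The server-selection behaviour described for NetworkSecurityServerBackup (switch when the current server stops responding, alternate between primary and backup until one answers, treat a lone backup as the primary) and the NssWaitLimit × NssWaitRetries bound on each attempt combine into a simple model of how long a client can be without an NSS server. The following is an added example, not IKE daemon code: it assumes each attempt against an unresponsive server costs NssWaitLimit × NssWaitRetries seconds before the client moves on, and the server names and the set of responsive servers are constructed sample input.

```python
# Added example (not from the z/OS documentation): model of NSS client
# failover between the primary and backup NSS servers. Assumptions: a
# server that does not answer consumes nss_wait_limit * nss_wait_retries
# seconds per attempt; the client starts with the primary, alternates
# round-robin between the configured servers, and gives up after
# max_rounds full passes (a cap added here so the model terminates).

from typing import Optional


def candidate_servers(primary: Optional[str], backup: Optional[str]) -> list[str]:
    """Order in which a client tries servers; a backup alone acts as the primary."""
    servers = [s for s in (primary, backup) if s]
    if not servers:
        raise ValueError("NetworkSecurityServer or NetworkSecurityServerBackup is required")
    return servers


def seconds_per_server(nss_wait_limit: int = 60, nss_wait_retries: int = 3) -> int:
    """Longest a client waits on one server before switching (180 s with the defaults)."""
    return nss_wait_limit * nss_wait_retries


def connect_with_failover(primary: Optional[str], backup: Optional[str],
                          responsive: set[str], nss_wait_limit: int = 60,
                          nss_wait_retries: int = 3, max_rounds: int = 4):
    """Return (server connected to or None, seconds spent failing over, servers tried)."""
    servers = candidate_servers(primary, backup)
    per_server = seconds_per_server(nss_wait_limit, nss_wait_retries)
    elapsed, tried = 0, []
    for attempt in range(max_rounds * len(servers)):
        server = servers[attempt % len(servers)]   # round-robin between primary and backup
        tried.append(server)
        if server in responsive:
            return server, elapsed, tried
        elapsed += per_server                       # this server timed out; switch
    return None, elapsed, tried


if __name__ == "__main__":
    # Constructed sample: primary is down, backup answers.
    server, waited, tried = connect_with_failover("nss-primary", "nss-backup", {"nss-backup"})
    print(f"connected to {server} after {waited}s, tried {tried}")
```

With the defaults, a client whose primary has just gone quiet spends 180 seconds before it reaches the backup; lowering NssWaitLimit or NssWaitRetries shortens that gap in certificate services at the cost of more aggressive reconnection. Because the primary and backup are tried alternately, two clients may legitimately end up on different servers, as the text above notes.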
Use the SupportedCertAuth parameter to define a set of certificate authorities (CAs) supported by the local security endpoint. This list is provided to the remote security endpoint to request that it choose a certificate signed by an acceptable CA. The remote security endpoint is not constrained to choose certificates signed by CAs accepted by the local security endpoint. However, if the remote security endpoint chooses a certificate signed by a CA that is not on the IKE server's key ring, the key exchange fails.
The CaLabel parameter of the RemoteSecurityEndpoint IPSec policy statement can be used to further restrict the set of certificate authorities that can sign the certificate used by a particular remote security endpoint. The advantage of further restricting the set of certificate authorities that might sign the certificate used by a particular remote security endpoint is a reduction in the size of the IKE key exchange messages transmitted between the local security endpoint and the remote security endpoint.
The number of specified labels is limited to a maximum of 128. The maximum length of a label is 32 characters, which corresponds to the maximum length of a RACF® label. The default is an empty list containing no labels.
Use the MODIFY IKED,REFRESH command to change this value.
The SupportedCertAuth parameter is not used by NSS client TCP/IP stacks.