#
# IBM Communications Server for z/OS
# SMP/E distribution path: /usr/lpp/tcpip/samples/IBM/EZAIKCFG
#
# 5694-A01 Copyright IBM Corp. 2007 - 2010.
# Licensed Materials - Property of IBM
# "Restricted Materials of IBM"
# Status = CSV1R12
#
# /etc/security/iked.conf (IKE daemon configuration)
#
# This file contains sample IKE daemon configuration parameters.
# The search order used by the IKE daemon to locate the initial
# configuration file is (highest priority listed first):
#
# 1) The name of a file or MVS data set specified by the IKED_FILE
# environment variable.
# 2) /etc/security/iked.conf
#
# Some parameters may be dynamically modified after the
# IKE daemon has been started. The parameters that are
# dynamically modifiable are noted below.
#
# One way of dynamically modifying parameters is to edit
# the iked.conf file after the IKE daemon has been started and then
# issue a modify command to cause the IKE daemon to re-read the file.
#
# Example: MODIFY IKED,REFRESH
# Note: IKED is the IKE daemon procedure name.
#
# After the IKE daemon has been started, a different configuration
# file can be specified by using the Modify command with the FILE
# parameter. This allows modifiable parameters to be
# dynamically altered while the IKE daemon is running. Note that
# the parameter values modified in this fashion are not
# persistent. To make the changes persistent, edit the iked.conf
# file that is located at IKE initialization time according to the
# search order described previously.
#
# Example: MODIFY IKED,REFRESH,FILE='/etc/security/iked.conf2'
# Note: IKED is the IKE daemon procedure name.
#
# See the IP System Administrator's Commands book for more information
# about the modify command.
#
# See the IP Configuration Reference book for more information about
# the IkeConfig and NssConfig statements and their individual
# parameters.
IkeConfig
{
# IkeSyslogLevel 0-255 (dynamically modifiable)
# Specifies the level of logging to obtain from the IKE daemon.
# To specify a combination of log levels, add the level numbers.
# The supported levels are:
# 0 - IKE_SYSLOG_LEVEL_NONE - Disable IKE daemon syslog messages
# 1 - IKE_SYSLOG_LEVEL_MINIMUM - Minimal IKE daemon syslog output
# 2 - IKE_SYSLOG_LEVEL_SADETAIL - Always output detailed Security
# Association (SA) information when
# available
# 4 - IKE_SYSLOG_LEVEL_DEBUGSA - Include additional debug
# information for SA negotiations
# 8 - IKE_SYSLOG_LEVEL_FMTPKTTRC - Formatted IKE message trace
# 16 - IKE_SYSLOG_LEVEL_UNFPKTTRC - Unformatted IKE message trace
# 32 - IKE_SYSLOG_LEVEL_VERBOSE - Show cascaded error messages
# 64 - IKE_SYSLOG_LEVEL_CERTINFO - Show certificates in CA cache when
# cache is initially built or
# rebuilt
# 128 - reserved
# Note: the message trace levels (8 and 16) write the IKE negotiation
# messages themselves to syslog. Enable them only while diagnosing a
# problem and return to a lower level afterwards. Because this
# parameter is dynamically modifiable, that can be done with
# MODIFY IKED,REFRESH without restarting the daemon.
# Default: 1
IkeSyslogLevel 1
# PagentSyslogLevel 0-255 (dynamically modifiable)
# Specifies the level of logging to obtain from pagent through the PAPI.
# To specify a combination of log levels, add the level numbers.
# The supported levels are:
# 1 - PAGENT_SYSLOG_LEVEL_EMERG - A panic condition
# 2 - PAGENT_SYSLOG_LEVEL_ALERT - Requires immediate action
# 4 - PAGENT_SYSLOG_LEVEL_CRIT - Critical condition
# 8 - PAGENT_SYSLOG_LEVEL_ERR - Error messages
# 16 - PAGENT_SYSLOG_LEVEL_WARNING - Warning messages
# 32 - PAGENT_SYSLOG_LEVEL_NOTICE - Notice messages
# 64 - PAGENT_SYSLOG_LEVEL_INFO - Informational messages
# 128 - PAGENT_SYSLOG_LEVEL_DEBUG - Debug messages
# Default: 0
PagentSyslogLevel 0
# Keyring userid/ringname (not dynamically modifiable)
# The owning userid and ringname used by the IKE server when performing
# RSA Signature Mode of authentication. The userid must be the userid
# of the process under which IKE will run.
# The CA certificates named by SupportedCertAuth (below) are located on
# this keyring. NOTE(review): presumably the keyring also holds the
# certificate and private key the IKE server signs with - confirm in
# the IP Configuration Reference. Because this parameter is not
# dynamically modifiable, a change takes effect only after the IKE
# daemon is restarted.
# Default: iked/keyring
Keyring iked/keyring
# IkeRetries 1-8 (dynamically modifiable)
# Specifies the number of times that an unanswered IKE negotiation
# message is retransmitted before the negotiation is cancelled.
# Default: 6
IkeRetries 6
# IkeInitWait 1-15 (dynamically modifiable)
# Specifies the number of seconds to wait before the first
# retransmission of an unanswered IKE message
# Default: 2
IkeInitWait 2
# FIPS140 yes,no (not dynamically modifiable)
# Specifies whether the IKE daemon should perform cryptographic
# operations by invoking cryptographic modules that are compliant with
# Federal Information Processing Standard (FIPS) publication 140-2's
# Level 1 security requirements.
# Because this parameter is not dynamically modifiable, a change (for
# example to 'yes' at a site that requires FIPS 140-2 mode) takes
# effect only after the IKE daemon is restarted; MODIFY IKED,REFRESH
# is not sufficient.
# Default: no
FIPS140 no
# Echo yes,no (dynamically modifiable)
# Echoes all IKE daemon log messages to the job output file,
# specified by the IKEDOUT DD (JCL) statement.
# Note: with 'yes' everything selected by IkeSyslogLevel, including
# any message traces, is also written to the job output.
# Default: no
Echo no
# PagentWait 0-9999 (not dynamically modifiable)
# The time limit in seconds to wait for connection to the policy agent.
# A value of 0 means retry forever, that is, the IKE daemon does not
# give up waiting if the policy agent is unavailable.
# Default: 0
PagentWait 0
# SupportedCertAuth label (dynamically modifiable)
# Specifies the label of a Certificate Authority(CA) certificate on the
# IKE server's keyring. Use multiple instances of this keyword to
# specify multiple CA certificates.
# NOTE(review): presumably only the CAs listed here are used when
# validating a peer's certificate; confirm in the IP Configuration
# Reference before relying on this list as a trust restriction.
# Default: <none>
# NetworkSecurityServer address Port 4159 Identity IpAddr 1.2.3.4
# (dynamically modifiable)
# Default: none
# NetworkSecurityServerBackup address Port 4159 Identity IpAddr 2.2.3.4
# (dynamically modifiable)
# Default: none
# NssWaitLimit 1-300 (dynamically modifiable)
# Specifies the number of seconds that a Network Security client
# will wait between connection attempts when trying to establish a
# connection with a Network Security Server.
# Default: 60
NssWaitLimit 60
# NssWaitRetries 1-10 (dynamically modifiable)
# Specifies the number of times that a Network Security client will
# attempt to establish a connection with the primary Network Security
# Server before attempting to establish a connection with the backup
# server.
# Default: 3
NssWaitRetries 3
# SMF119 None, IKETunnel, DynTunnel, IKEAll (dynamically
# modifiable)
# Specifies the level of logging to send to the SMF facility.
# IKEAll is equivalent to specifying SMF119 IKETunnel and
# SMF119 DynTunnel on two separate lines.
# The supported levels are:
# None No SMF records
# IKETunnel Phase 1 related SMF records
# DynTunnel Phase 2 related SMF records
# IKEAll Phase 1 and Phase 2 related SMF records
# Note: with None no SMF 119 records are produced for IKE activity, so
# there is no SMF audit trail of Phase 1 or Phase 2 tunnel
# negotiations. Sites that require such a trail should specify
# IKETunnel, DynTunnel or IKEAll.
# Default: None
SMF119 None
}
# NssStackConfig stackname (dynamically modifiable)
# Used to configure a stack as a Network Security client.
# Use one NssStackConfig statement for each TCPIP stack that you wish
# to configure as a Network Security client. TCPIP stacks that do not
# have a corresponding NssStackConfig statement will be serviced by
# local IKE resources only.
#
# NssStackConfig TCPCS
# {
# Clientname clientname (dynamically modifiable)
# Specifies the Network Security client name for the stack. Client
# names for stacks typically have the form sysname_stackname, where
# sysname is the MVS system name, and stackname is the TCP/IP stack
# name. This name must match the clientname portion of the associated
# SERVAUTH profiles:
# - EZB.NSS.sysname.clientname.IPSEC.CERT
# - EZB.NSS.sysname.clientname.IPSEC.NETMGMT
# The client name may be from 1 to 24 characters long.
# Default: <systemname>_<stackname>
# ClientName MYSYSTEM_TCPCS
#
# ServiceType RemoteMgmt, Cert (dynamically modifiable)
# Specifies that the stack is requesting a type of centralized
# management via a Network Security Server. This statement will occur
# once for each type of service that the stack is requesting. Supported
# service types are:
# - RemoteMgmt
# - Cert
# Defaults: None
# ServiceType RemoteMgmt
# ServiceType Cert
#
# Userid userid (dynamically modifiable)
# Specifies the RACF userid that will be used to verify access for this
# stack to the services provided by the Network Security Server. Userid
# may be from 1-8 characters long.
# Defaults: None.
# UserId SMITHXYZ
#
# Authby Password password (dynamically modifiable)
#        Passticket (dynamically modifiable)
# Specifies the mechanism by which the Network Security Server should
# authenticate the client TCPIP stack. Supported mechanisms are RACF
# password or RACF passticket.
#
# Password password
# password is the RACF password for the userid specified for the
# UserId. Note that this places the RACF password in clear text in
# this configuration file: restrict read access to the file to the
# IKE daemon's userid and its administrators, and change the password
# if the file is ever exposed.
#
# Passticket
# A RACF Passticket is generated to authenticate the stack. Prefer
# Passticket where it is available, because it avoids storing a
# long-lived RACF password in this file.
#
# Default: none. One (and only one) of Password or Passticket must be
# specified. The value below is a placeholder, not a real password.
# Authby Password secretxyz
# }
Figure 1. Sample IKE daemon configuration file