The following commands are used to administer IP security. For more information on these commands, see z/OS Communications Server: IP System Administrator's Commands.
- certbundle
- Use the z/OS® UNIX System Services certbundle command
to create a certificate bundle file that contains certificate and
CRL information.
- ipsec
- Use the z/OS UNIX System Services ipsec command
to display information about active filters and Security Associations,
and to control aspects of Security Association negotiation. The ipsec command
is used to:
  - Display filters that are active in the stack
  - Revert to default IP filter policy, as defined in the TCP/IP profile
  - Reload IP security policy, as defined in the Policy Agent configuration files
  - Activate Security Association negotiations
  - Display existing phase 1 Security Associations
  - Display existing phase 2 Security Associations
  - Display remote port mappings used with NAT traversal configurations
  - Display network security configuration information for the active stacks on the local system
  - Display information for each NSS IPSec client that is currently connected to the NSS server
  - Refresh existing phase 1 Security Associations
  - Refresh existing phase 2 Security Associations
  - Deactivate existing phase 1 Security Associations
  - Deactivate existing phase 2 Security Associations
  - Test for a filter rule match for a given set of IP traffic characteristics
Authority to use the ipsec command is controlled through RACF®. There are two distinct types of SERVAUTH profiles that define access to the ipsec command, one for display capabilities and one for control capabilities.
Tip: Many of the tasks, examples, and references in this information assume that you are using the z/OS Security Server (RACF). References to RACF apply to any other SAF-compliant security products that contain the required support. If you are using another security product, read the documentation for that product for instructions on task performance.
For the steps to configure access control to the ipsec command, see Steps for preparing to run IP security.
For detailed syntax and usage, and how to control access to the ipsec command, see z/OS Communications Server: IP System Administrator's Commands.
- pasearch
- Use the pasearch command to display Policy
Agent information that is defined in the Policy Agent configuration
files, including IP security and other types of policies. The options
that are related to IP security include the ability to view IP security
policy rules and actions, both active and inactive, for any TCP/IP
stack for which policies have been defined and that is IPSECURITY-enabled.
If the user of the pasearch command is not a superuser, authority is controlled through RACF.
For detailed syntax and usage of the pasearch command, see z/OS Communications Server: IP System Administrator's Commands.
- MODIFY
- Use the MODIFY console command to have:
For detailed syntax and usage of the MODIFY command, see z/OS Communications Server: IP System Administrator's
Commands.
- Netstat
- Use the Netstat command to display the following information:
  - IPSECURITY enablement for a particular stack (Netstat CONFIG/-f)
  - SecurityClass (SECCLASS) for a specific interface (Netstat DEVLINKS/-d)
For detailed syntax and usage of the Netstat command, see z/OS Communications Server: IP System Administrator's
Commands.