The IKE daemon manages dynamic IPSec tunnels and provides
a network management interface (NMI) for monitoring and controlling
IP filtering and IPSec. Because the IKE daemon processes NMI monitoring
requests, it must be running to gather monitoring data for IP filters,
manual Security Associations, or dynamic Security Associations.
Procedure
Perform the following steps to configure the IKE daemon:
- Create the IKE daemon configuration file. A sample configuration file is provided in /usr/lpp/tcpip/samples/iked.conf.
The following search order is used by the IKE daemon to locate the configuration data set or file:
- If the environment variable IKED_FILE has been defined, the IKE
daemon uses the value as the name of an MVS™ data
set or z/OS® UNIX file to access the configuration data.
- /etc/security/iked.conf
You can specify statements in the configuration file using
a variety of EBCDIC code pages. Use the IKED_CODEPAGE environment
variable to specify the code page that you want to use. The default
code page is IBM-1047.
- Set the _BPX_JOBNAME environment variable (optional). When starting the IKE daemon from the z/OS shell, the environment variable _BPX_JOBNAME
should be set. This enables a specific job name to be used when reserving
ports for the IKE daemon. This name can also be used with the STOP
or MODIFY console commands.
For more information on _BPX_JOBNAME, see z/OS UNIX System Services Planning.
- Reserve the ports. Update the PORT statement
in PROFILE.TCPIP to reserve ports 500 and 4500 for the IKE daemon.
Add the name of the member containing the IKE daemon cataloged procedure
or the name as set using _BPX_JOBNAME:
PORT
500 UDP IKED
4500 UDP IKED
- Update the IKE daemon cataloged procedure. If
the IKE daemon is to be started by a procedure, create the cataloged
procedure by copying the following sample in SEZAINST(IKED) to your
system or recognized PROCLIB. Specify IKE daemon parameters and change
the data set names to suit your local configuration.
//IKED PROC
//*
//* IBM Communications Server for z/OS
//* SMP/E distribution name: EZBIKPRC
//*
//* 5650-ZOS Copyright IBM Corp. 2005, 2013
//* Licensed Materials - Property of IBM
//* "Restricted Materials of IBM"
//* Status = CSV2R1
//*
//*
//IKED EXEC PGM=IKED,REGION=0K,TIME=NOLIMIT,
// PARM='ENVAR("_CEE_ENVFILE_S=DD:STDENV")/'
//*
//* Provide environment variables to run with the desired
//* configuration. As an example, the data set or file specified by
//* STDENV could contain:
//*
//* IKED_FILE=/etc/security/iked.conf2
//* IKED_CTRACE_MEMBER=CTIIKE01
//* IKED_CODEPAGE=IBM-1047
//*
//*
//* If you want to include comments in the data set or
//* z/OS UNIX file, specify the _CEE_ENVFILE_COMMENT
//* environment variable as the first environment variable
//* in the data set or file. The value specified for
//* the _CEE_ENVFILE_COMMENT variable is the comment character.
//* For example, if you want to use the pound sign, #, as
//* the comment character, specify this as the first
//* statement:
//* _CEE_ENVFILE_COMMENT=#
//*
//* For information on the above environment variables, refer to the
//* IP Configuration Reference.
//*
//STDENV DD DUMMY
//* Sample MVS data set containing environment variables:
//*STDENV DD DSN=TCPIP.IKED.ENV(IKED),DISP=SHR
//* Sample HFS file containing environment variables:
//*STDENV DD PATH='/etc/security/iked.env',PATHOPTS=(ORDONLY)
//*
//* Output written to stdout and stderr goes to the data set or
//* file specified with SYSPRINT or SYSOUT, respectively.
//SYSPRINT DD SYSOUT=*
//SYSOUT DD SYSOUT=*
- Authorize the IKE daemon to the external security manager.
See Step 2: Authorizing the IKE daemon to the external security manager.
- Configure and start syslogd. The IKE daemon
uses the local4 facility when writing messages to syslogd. For performance
purposes, syslogd should use z/OS File
System as its underlying file system. For more information on syslogd,
see Configuring the syslog daemon.
Tip: The system logging daemon (syslogd) can be configured to forward messages from the IKE daemon to a syslogd on another host. For information about forwarding syslog messages to another host, see z/OS Communications Server: IP Configuration Reference. When a stack is configured as an NSS client, it can be advantageous to forward syslog messages from the IKE daemon to the syslogd running on the NSS server's system. Configuring syslogd in this manner allows all IKE messages relating to an NSS client to be in the same log file as the NSS server's messages.
- Update the IKE daemon environment variables
(optional). The following environment variables are used
by the IKE daemon and can be tailored to a particular installation:
- IKED_CODEPAGE
- Use the IKED_CODEPAGE variable to specify the EBCDIC code page
to be used when reading the configuration file. For more information
about IKE environment variables and the supported
code pages, see z/OS Communications Server: IP Configuration
Reference.
- IKED_CTRACE_MEMBER
- The IKED_CTRACE_MEMBER variable is used by the IKE daemon to locate
a parmlib member for IKE daemon CTRACE customization. For more information
on the TCP/IP
services component trace for the IKE daemon, see z/OS Communications Server: IP Diagnosis Guide.
- IKED_FILE
- The IKED_FILE variable is used by the IKE daemon in the search
order for the IKE daemon configuration file. For details on the search
order used for locating this configuration file, see step 1.
- Set up the IKE daemon for TCP/IP stack initialization access control (optional). See Multiple TCP/IP stacks.
- Set up the IKE daemon for digital signature mode authentication (optional). See Step 5: Setting up the IKE daemon for digital signature authentication (optional).
- Define AT-TLS policy to protect communication with an NSS
server. The IKE daemon requires that communication between
the NSS server and the IKE daemon be secured using Application Transparent
Transport Layer Security (AT-TLS). If a stack is configured as an
NSS client, AT-TLS rules must be defined to secure this communication.
Enable AT-TLS processing for a stack by specifying the TTLS parameter
on the TCPCONFIG statement in the TCP/IP profile. Specific AT-TLS
policy is configured in Policy Agent configuration files. For details
about enabling AT-TLS and configuring AT-TLS policy, see Application Transparent Transport Layer Security data protection.
Tip: Define AT-TLS policy
such that only cipher suites requiring TLS encryption are exchanged
with the NSS server. Failure to restrict the cipher suites to those
requiring encryption can result in sensitive information flowing in
the clear across an untrusted network.
Rule: AT-TLS policy must be defined for each stack through
which the IKE daemon communicates with the NSS server.
A sample AT-TLS policy is located in /usr/lpp/tcpip/samples/pagent_TTLS.conf.
Rule: The RemotePortRange value in the TTLSRule
statement must include the value specified on the NetworkSecurityServer
port parameter or the NetworkSecurityServerBackup port parameter in
the IKE daemon configuration file.
- Define IP filter policy to enable communication with an
NSS server (optional). If a stack is configured as an
NSS client, IP filter policy for that stack must be defined to enable
this communication. The IKE daemon communicates with the NSS server
using the TCP protocol. By default, the NSS server listens on port
4159. The IKE daemon connects to the NSS server from an ephemeral
port. Ephemeral ports are generally in the range 1024 to 65535.
Two types of IP filter policy can be defined for a z/OS stack:
- Default IP filter policy is defined in the TCP/IP profile. Updating
default IP filter policy to permit communications between the IKE
daemon and the NSS server is optional. Default IP filter policy is
in effect only when IP security filter policy cannot be loaded or
when the ipsec -f default command has been issued.
For details about how to define default IP filter policy, see z/OS Communications Server: IP Configuration
Reference.
The following example of a default policy
contains IPSECRule definitions that allow IKE daemon traffic with
the NSS server:
IPSEC LOGENable
; Rule SrcAddr DstAddr Logging Protocol SrcPort DestPort Routing Secclass
; OSPF protocol used by Omproute
IPSECRule * * NOLOG PROTO OSPF
; IGMP protocol used by Omproute
IPSECRule * * NOLOG PROTO 2
; DNS queries to UDP port 53
IPSECRule * * NOLOG PROTO UDP SRCPort * DESTport 53
; Administrative access
IPSECRule * 9.1.1.2 LOG SECCLASS 100
; IKE daemon access to the Network Security Server
IPSECRule * * LOG PROTO TCP SRCPort * DESTport 4159
; IKE daemon access to the Network Security Server (IPv6)
IPSEC6Rule * * LOG PROTO TCP SRCPort * DESTport 4159
ENDIPSEC
Rule: The DESTport
value in the filter rules must include the value specified for the
NetworkSecurityServer port parameter or the NetworkSecurityServerBackup
port parameter in the IKE daemon configuration file.
- IP security filter policy is defined in Policy Agent configuration
files. IP security filter policy must be updated to permit communications
between the IKE daemon and the NSS server. For details about how to define IP security policy files, see z/OS Communications Server: IP Configuration
Reference.
The following example shows an IpFilterRule
statement for IPv4, an IpFilterRule statement for IPv6, and an IpGenericFilterAction
statement that allow the IKE daemon to communicate with the NSS server:
IpFilterRule NssTrafficIPv4
{
  IpSourceAddr all4
  IpDestAddr all4
  IpService
  {
    SourcePortRange 1024 65535
    DestinationPortRange 4159
    Protocol tcp
    Direction bidirectional OutboundConnect
    Routing local
  }
  IpGenericFilterActionRef permit-nolog
}
IpFilterRule NssTrafficIPv6
{
  IpSourceAddr all6
  IpDestAddr all6
  IpService
  {
    SourcePortRange 1024 65535
    DestinationPortRange 4159
    Protocol tcp
    Direction bidirectional OutboundConnect
    Routing local
  }
  IpGenericFilterActionRef permit-nolog
}
IpGenericFilterAction permit-nolog
{
  IpFilterAction permit
  IpFilterLogging no
}
Rule: The DestinationPortRange
value on the IpService statement must include the value specified
on the NetworkSecurityServer port parameter or the NetworkSecurityServerBackup
port parameter in the IKE daemon configuration file.
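The three Rule statements in this procedure all demand the same consistency: whichever port is configured on the NetworkSecurityServer or NetworkSecurityServerBackup statement in iked.conf must be covered by the TTLSRule RemotePortRange, the IPSECRule DESTport and the IpService DestinationPortRange. The following Python script, added here as an example and not part of the product documentation, reads constructed fragments of those four artifacts and reports any NSS port a rule fails to cover; the iked.conf block layout and the Port keyword it parses are assumptions, and all fragments are constructed.

```python
import re

# Constructed fragments (illustrative only, not from a real system). The
# iked.conf layout below, a NetworkSecurityServer[Backup] block holding a
# Port value, is an assumption about the statement syntax.
IKED_CONF = """
NssStackConfig TCPIP1
{
  NetworkSecurityServer 9.1.1.1 { Port 4159 }
  NetworkSecurityServerBackup 9.1.1.3 { Port 4160 }
}
"""
DEFAULT_POLICY = "IPSECRule * * LOG PROTO TCP SRCPort * DESTport 4159\n"
IPSEC_POLICY = "IpService { DestinationPortRange 4159 Protocol tcp }"
TTLS_POLICY = "TTLSRule NssClient { RemotePortRange 4159 4160 }"

_NSS_BLOCK = re.compile(
    r"NetworkSecurityServer(?:Backup)?\s+\S+\s*\{([^}]*)\}", re.IGNORECASE)

def nss_ports(iked_conf):
    """Ports the IKE daemon will connect to; a block with no Port uses 4159."""
    ports = set()
    for body in _NSS_BLOCK.findall(iked_conf):
        m = re.search(r"\bPort\s+(\d+)", body, re.IGNORECASE)
        ports.add(int(m.group(1)) if m else 4159)
    return ports

def port_ranges(text, keyword):
    """(low, high) pairs following keyword: 'lo', 'lo hi', or '*' for all ports."""
    pat = re.compile(r"\b%s\s+(\*|\d+)(?:\s+(\d+))?" % keyword, re.IGNORECASE)
    return [(0, 65535) if lo == "*" else (int(lo), int(hi or lo))
            for lo, hi in pat.findall(text)]

def uncovered(ports, ranges):
    """NSS ports no range covers; an empty list means the rule is satisfied."""
    return sorted(p for p in ports if not any(lo <= p <= hi for lo, hi in ranges))

def check_all(iked_conf, default_policy, ipsec_policy, ttls_policy):
    ports = nss_ports(iked_conf)
    return {
        "IPSECRule DESTport": uncovered(ports, port_ranges(default_policy, "DESTport")),
        "IpService DestinationPortRange": uncovered(ports, port_ranges(ipsec_policy, "DestinationPortRange")),
        "TTLSRule RemotePortRange": uncovered(ports, port_ranges(ttls_policy, "RemotePortRange")),
    }

if __name__ == "__main__":
    for artifact, missing in check_all(IKED_CONF, DEFAULT_POLICY, IPSEC_POLICY, TTLS_POLICY).items():
        print(artifact, "ok" if not missing else "does not cover %s" % missing)
```

With the constructed input, the backup server's port 4160 is covered by the AT-TLS rule but by neither filter rule, which is exactly the gap the two filter-policy Rule statements warn about.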