IP Services: Verify that the changed DHGroup default is acceptable

Description

In z/OS V2R2, the default value for the DHGroup parameter on the KeyExchangeOffer statement in the IPSec policy is changed from Group1 to Group2. If you have an IPSec policy, determine whether this change affects your policy. If you use the IBM Configuration Assistant for z/OS Communications Server to configure your IPSec policy, an explicit DHGroup value is generated on every KeyExchangeOffer statement, so the default value is never used.

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: z/OS Communications Server.
When change was introduced: z/OS V2R2 and z/OS V2R1, both with APAR PI43832. z/OS V1R13 with APAR PI43833.
Applies to migration from: z/OS V2R1 without APAR PI43832. z/OS V1R13 without APAR PI43833.
Timing: Before installing z/OS V2R2.
Is the migration action required? Yes, if you use an IPSec policy.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM® Health Checker for z/OS® checks: None.

Steps to take

If your policy is not generated by IBM Configuration Assistant for z/OS Communications Server, search your IPSec policy files for any KeyExchangeOffer statements that do not specify a DHGroup parameter. If you find such a KeyExchangeOffer statement, your policy is affected. If you require the DHGroup value to continue to use the previous default of Group1, update your policy to explicitly set the DHGroup parameter to Group1. If you want to use the new default, coordinate with the owners of each remote IKE peer that is associated with the changed z/OS policy to ensure that the remote peer's policy is compatible with the z/OS changes. If the z/OS policy changes so that it is incompatible with the remote peer's policy, the IKE daemons will no longer be able to successfully negotiate IPSec tunnels.

Note: Diffie-Hellman group 1 is considered a weak algorithm and is not recommended.
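The following script is an added example (not part of this IBM page or of z/OS) of the search described above: it reads an IPSec policy file, finds every KeyExchangeOffer statement, and reports the ones that omit DHGroup and therefore silently move from Group1 to Group2. It assumes the brace-delimited statement layout shown in the constructed sample and that '#' starts a comment.

```python
import re

# Constructed sample policy text in the assumed brace-delimited layout;
# the offer names and parameter values are made up for illustration.
SAMPLE_POLICY = """\
# Key exchange offers
KeyExchangeOffer KEO_Explicit
{
   HowToEncrypt        AES_CBC KeyLength 128
   HowToAuthMsgs       SHA1
   HowToAuthPeers      RsaSignature
   DHGroup             Group2
}

KeyExchangeOffer KEO_Default   # relies on the DHGroup default
{
   HowToEncrypt        3DES
   HowToAuthMsgs       SHA1
   HowToAuthPeers      PresharedKey
}

KeyExchangeOffer KEO_Legacy
{
   DHGroup Group1
}
"""

# One KeyExchangeOffer statement: keyword, name, then a {...} body.
_KEO_RE = re.compile(r"KeyExchangeOffer\s+(\S+)\s*\{(.*?)\}", re.DOTALL | re.IGNORECASE)

def strip_comments(text: str) -> str:
    """Drop '#' comments so a commented-out DHGroup is not counted as present."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def audit_dhgroup(policy_text: str) -> dict:
    """Map each KeyExchangeOffer name to its DHGroup value, or None if omitted."""
    result = {}
    for name, body in _KEO_RE.findall(strip_comments(policy_text)):
        m = re.search(r"^\s*DHGroup\s+(\S+)", body, re.MULTILINE | re.IGNORECASE)
        result[name] = m.group(1) if m else None
    return result

def offers_missing_dhgroup(policy_text: str) -> list:
    """Names of statements affected by the V2R2 default change (no explicit DHGroup)."""
    return [name for name, group in audit_dhgroup(policy_text).items() if group is None]

if __name__ == "__main__":
    for name, group in audit_dhgroup(SAMPLE_POLICY).items():
        print(f"{name}: {group or 'no DHGroup -> default changes from Group1 to Group2'}")
```

Run it against your real policy files by replacing SAMPLE_POLICY with the file contents; statements listed by offers_missing_dhgroup need either an explicit DHGroup or coordination with the remote IKE peer owners.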

Reference information

For more information about the KeyExchangeOffer statement in the IPSec policy, see z/OS Communications Server: IP Configuration Reference.