IP Services: Ensure ICSF is active before starting the IKE daemon in FIPS 140 mode
Description
As of z/OS V2R1, FIPS 140 support now requires ICSF services. If the Internet Key Exchange (IKE) daemon is configured in FIPS 140 mode, the daemon will fail to activate if ICSF is not active. Ensure ICSF is started before starting the IKE daemon if it is configured in FIPS 140 mode.
Table 1 provides more details about this migration action. Use this information to plan your changes to the system.
| Element or feature: | Communications Server. |
|---|---|
| When change was introduced: | z/OS V2R1. |
| Applies to migration from: | z/OS V1R13. |
| Timing: | Before the first IPL of z/OS V2R2. |
| Is the migration action required? | Yes, if the IKE daemon is configured in FIPS 140 mode. |
| Target system hardware requirements: | None. |
| Target system software requirements: | ICSF must be active. |
| Other system (coexistence or fallback) requirements: | None. |
| Restrictions: | None. |
| System impacts: | The IKE daemon will fail to initialize. |
| Related IBM Health Checker for z/OS check: | None. |
Steps to take
If the IKE daemon is configured in FIPS 140 mode, ensure ICSF is active prior to starting the IKE daemon.
Reference information
For more information, see "Steps for preparing the z/OS system for IP security" and "Steps for configuring IP security to support FIPS 140 mode" in Chapter 19 in z/OS Communications Server: IP Configuration Guide