IBM Support

How do I enable IKE version 2 for z/OS Communications Server?

Question & Answer


Question

Does z/OS Communications Server support Internet Key Exchange version 2 (IKEv2), the second version of the Internet Key Exchange (IKE) protocol, which is used by peer nodes to perform mutual authentication and to establish and maintain Security Associations (SAs)? If it does, how do I enable it?

Answer

Starting with z/OS V1R12 Communications Server, the IKE daemon (IKED) supports IKEv2, in addition to supporting IKEv1. The z/OS V1R12 Communications Server IKEv2 support includes the following items:

  • IPv4 and IPv6 support

  • A new identity type, KeyID. Note: KeyID is also supported for IKEv1.

  • Authentication using pre-shared keys or digital certificates; certificates can use RSA or elliptic curve keys

  • Re-keying and re-authentication of IKE SAs and child SAs

  • Hash and URL encoding of certificates and certificate bundles

Restrictions:

  • In V1R12, z/OS Communications Server IKEv2 cannot be used to negotiate Sysplex-Wide Security Associations (SWSA). However, beginning with V1R13, z/OS Communications Server IKEv2 can be used to negotiate SWSA.

  • In V1R12, z/OS Communications Server IKEv2 does not support Network Address Translation Traversal (NATT). However, beginning with V1R13, z/OS Communications Server IKEv2 does support NATT.

Incompatibilities: IKEv2 must be supported by both peer nodes in order for the SA to be negotiated using IKEv2 flows. You can configure z/OS Communications Server to continue to use IKEv1 with peers that do not support IKEv2.

Dependencies: To activate IKEv2 SAs using certificate-based authentication methods, you must configure IKED as a network security services (NSS) client that is authorized for certificate services, and its NSS server must be at the V1R12 level. If IKED does not have an NSS server that is at the latest level providing certificate services, it can activate IKEv2 SAs only if pre-shared key authentication is used.

Enabling IKE version 2 support

z/OS Communications Server is always enabled for IKEv2 as a responder. If you want to enable the IKE daemon to initiate IPsec SAs using IKEv2 protocols:

  • If you are hard-coding the IPSec policy, specify the value IKEv2 on the HowToInitiate parameter of the KeyExchangePolicy statement, the KeyExchangeAction statement, or both statements.

  • If you are using the IBM Configuration Assistant for z/OS Communications Server, set the default initiator mode in the IPSec perspective stack settings. You can modify the default initiator mode for each connectivity rule in the advanced settings for the rule.

Enabling NATT

  • If you are hard-coding the IPSec policy, specify the value YES on the AllowNat parameter of the KeyExchangePolicy statement, the KeyExchangeAction statement, or both statements.

  • If you are using the IBM Configuration Assistant for z/OS Communications Server, set the NATT default setting in the IPSec perspective stack settings. You can modify the NATT setting for each connectivity rule in the advanced settings for the rule.
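Putting the two hard-coded settings above together, as an added example that is not from this IBM page or from a shipped z/OS sample: an IPSec policy fragment that makes IKEv2 with NAT traversal the stack-wide default on the KeyExchangePolicy statement and keeps IKEv1 for one peer that cannot negotiate IKEv2 (the page notes that IKEv1 can be retained for such peers). The statement layout, the rule and action names, the omitted rule/endpoint/offer statements, and the assumption that a KeyExchangeAction value overrides the KeyExchangePolicy default are assumptions about the policy syntax rather than something this page states; check them against the IP Configuration Reference for the release you run.

```text
# Added example (not from the IBM page): IPSec policy fragment for IKED.
# Stack-wide defaults: initiate with IKEv2 and allow NAT traversal.
KeyExchangePolicy
{
   HowToInitiate          IKEv2          # value named on this page
   AllowNat               Yes            # value named on this page
   KeyExchangeRuleRef     IKEv2Peers     # rule names are assumed;
   KeyExchangeRuleRef     LegacyPeer     # KeyExchangeRule statements omitted
}

# Action for peers that support IKEv2: inherits the policy-level defaults.
# Certificate authentication requires IKED to be an NSS client (see Dependencies).
KeyExchangeAction    IKEv2Default
{
   HowToAuthMe            RsaSignature
   HowToAuthPeers         RsaSignature
   KeyExchangeOfferRef    Offer1         # offer definition omitted
}

# Action for a peer that does not support IKEv2: override the default so
# this peer is still initiated with IKEv1 main mode. (Assumed: the
# action-level HowToInitiate overrides the KeyExchangePolicy default.)
# Pre-shared keys need no NSS server, which is why they are used here.
KeyExchangeAction    IKEv1Legacy
{
   HowToInitiate          Main
   HowToAuthMe            PresharedKey
   HowToAuthPeers         PresharedKey
   KeyExchangeOfferRef    Offer1
}
```

Because z/OS always responds to IKEv2, the legacy action only changes what IKED initiates toward that peer; an IKEv2-capable peer initiating toward the stack still gets IKEv2.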



Document Information

Modified date:
18 April 2015

UID

dwa1187001