IBM Support

How do I configure the TCP/IP stack to support FIPS 140?

Question & Answer


Question

How do I configure the TCP/IP stack to support FIPS 140?

Answer

To configure the TCP/IP stack to support FIPS 140:

  • If you are hard-coding the IPSec policy file, specify FIPS140 Yes on the IpFilterPolicy statement in the IPSec policy file for the stack.

  • Alternatively, if you are using the Configuration Assistant, configure the FIPS 140 option in the Advanced Stack Settings in the IPSec perspective.

  • After you have configured FIPS 140, restart the stack if it was active.

Then,

  • Ensure ICSF is active before starting AT-TLS groups configured to support FIPS 140-2. At AT-TLS group activation time, you can verify that ICSF is active by confirming the issuance of message EZD1289I Tcpname ICSF SERVICES ARE CURRENTLY AVAILABLE FOR AT-TLS GROUP group_name.

  • If the CSFSERV class is defined, give the userid associated with the TCPIP stack, and any application userid using the TTLSGroup, READ access to the CSFRNG resource within the RACF CSFSERV class.

  • If the CSFSERV class is defined and Diffie-Hellman is being used, give READ access to the application userid to the CSF1TRC, CSF1DVK, CSF1GKP, CSF1GSK, CSF1GAV, and CSF1TRD resources within the RACF CSFSERV class.
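The two CSFSERV permission steps above can be scripted as a REXX exec that issues the RACF commands from TSO. This is an added example, not IBM's own code. It assumes the user IDs TCPIP and APPUSR1 (placeholders), that discrete profiles with these resource names already exist in CSFSERV, and that the class is RACLISTed.

```rexx
/* REXX - added example; user IDs are placeholders (assumptions)      */
stack_id = 'TCPIP'      /* user ID associated with the TCP/IP stack   */
app_ids  = 'APPUSR1'    /* application user IDs using the TTLSGroup   */
uses_dh  = 1            /* set to 0 if Diffie-Hellman is not used     */

/* CSFRNG: READ for the stack user ID and every application user ID   */
rng_ids = stack_id app_ids
do i = 1 to words(rng_ids)
  call permit 'CSFRNG', word(rng_ids, i)
end

/* Diffie-Hellman resources: READ for application user IDs only       */
if uses_dh then do
  dh_res = 'CSF1TRC CSF1DVK CSF1GKP CSF1GSK CSF1GAV CSF1TRD'
  do r = 1 to words(dh_res)
    do a = 1 to words(app_ids)
      call permit word(dh_res, r), word(app_ids, a)
    end
  end
end

/* Refresh the in-storage profiles so the new access takes effect     */
/* (assumes CSFSERV is RACLISTed)                                     */
address TSO "SETROPTS RACLIST(CSFSERV) REFRESH"
if rc <> 0 then say 'SETROPTS REFRESH failed, rc='rc
exit 0

/* Grant READ on one CSFSERV resource to one user ID                  */
permit: procedure
  parse arg resource, userid
  address TSO "PERMIT" resource "CLASS(CSFSERV) ID("userid") ACCESS(READ)"
  if rc <> 0 then say 'PERMIT failed for' userid 'on' resource', rc='rc
  return
```

If the resources are covered by a generic profile instead of discrete ones, name that profile on the PERMIT command rather than the individual resource.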


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
06 May 2015

UID

dwa1187047