IBM Support

I'm concerned that the cryptographic keys used on my security associations have been compromised. How do I deactivate those security associations?

Question & Answer


Question

I'm concerned that the cryptographic keys in use on my security associations have been compromised. How do I deactivate those security associations?

Answer

If you suspect that the compromised keys affect all of your phase 1 Security Associations, delete all phase 1 Security Associations (IKE tunnels) and their associated phase 2 Security Associations (dynamic tunnels).

To delete all phase 1 Security Associations and all phase 2 Security Associations, issue the ipsec -k deactivate command with the -a all option as follows:

 ipsec -k deactivate -a all

You will see messages like the following:

 CS V1R12 ipsec Stack Name: TCPCS Tue Feb 16 11:48:04 2010
 Primary: IKE tunnel Function: Deactivate
 All IKE tunnels Deactivating

Restriction: Use this option only if there is concern that the cryptographic keys that are in use on the current SA have been compromised. Reactivating dynamic tunnels is a processor-intensive operation. If the scope of a deactivate request is large, then overall system performance can be affected.

Product: z/OS Communications Server
Platform: z/OS

Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
15 November 2017

UID

dwa1413341