Question & Answer
Question
I'm concerned that the cryptographic keys in use on my security associations have been compromised. How do I deactivate those security associations?
Answer
If you suspect that the compromised keys affect all of your phase 1 Security Associations, delete all phase 1 Security Associations (IKE tunnels) and their associated phase 2 Security Associations (dynamic tunnels).
To delete all phase 1 Security Associations and all phase 2 Security Associations, issue the ipsec -k deactivate command with the -a all option as follows:
ipsec -k deactivate -a all
You will see messages like the following:
CS V1R12 ipsec Stack Name: TCPCS Tue Feb 16 11:48:04 2010
Primary: IKE tunnel Function: Deactivate
All IKE tunnels Deactivating
Restriction: Use this option only if there is concern that the cryptographic keys that are in use on the current SA have been compromised. Reactivating dynamic tunnels is a processor-intensive operation. If the scope of a deactivate request is large, then overall system performance can be affected.
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
15 November 2017
UID
dwa1413341