IPSec keys and values can be configured manually. Manual management of keys was the only non-proprietary option for implementing IPSec before the standardization of the IKE protocols. In a manual IPSec configuration, the keys that are used to encrypt data, and the Security Parameter Index (SPI) values that are used to uniquely identify a Security Association, are determined by the administrator and configured beforehand on both hosts. However, the steps that you must take to manually generate encryption keys can become quite cumbersome, as shown in the following examples:
In a small installation with minimal security concerns, this manual process can work quite well, and might actually be preferable. However, given the large number of communicating hosts in a typical network, this manual process quickly becomes unwieldy, error prone, maintenance intensive, and not scalable. Nevertheless, z/OS® IP security does support manual IPSec configuration for compatibility with systems that use it. If an IP filter rule specifies a manual ipsec action, the corresponding action is consulted to determine all aspects of the encryption and authentication policy for that data, including the identities of the communicating hosts, the keys that are used for encryption and authentication of outbound and inbound packets, and the SPI values. Manual IPSec protection is configured using the IpManVpnAction statement in an IP security policy configuration file. For more details about the IpManVpnAction statement, see z/OS Communications Server: IP Configuration Reference.