Steps for configuring IP security to support FIPS 140 mode

Configure IP security to support FIPS 140 mode on each system and stack that needs to use FIPS 140 mode. If you are using Sysplex-Wide Security Associations (SWSA), perform these steps first on your distributor and backup stacks, and then on each of your target stacks.

Procedure

Perform the following steps to configure IP security to support FIPS 140 mode:

  1. Ensure that Integrated Cryptographic Services Facility (ICSF) is started and configured to support FIPS 140.
    Requirement: ICSF must be active before starting the IKE daemon or NSS server configured in FIPS 140 mode. For information about enabling ICSF to support FIPS 140-2, see the topic about operating in compliance with FIPS 140-2 in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.
    Tip: You do not need to create TKDS data sets in order for IP security to use ICSF.

    For more information about enabling FIPS 140 mode for ICSF, see z/OS Cryptographic Services ICSF Administrator's Guide.

  2. Ensure that one of the following conditions is true:
    • The SAF class CRYPTOZ is not active.
    • No SAF profile exists for the FIPSEXEMPT.SYSTOK-SESSION-ONLY resource in the CRYPTOZ class.
    • The IKED, the NSSD, and the TCP/IP stacks that are configured in FIPS 140 mode have no access (NONE) to the SAF resource FIPSEXEMPT.SYSTOK-SESSION-ONLY in the CRYPTOZ class.
      Tip: A single z/OS® system can support multiple TCP/IP stacks, and you can configure some TCP/IP stacks with FIPS 140 support and others without FIPS 140 support. The stacks that are configured in FIPS 140 mode must not have access to the SAF resource FIPSEXEMPT.SYSTOK-SESSION-ONLY in the CRYPTOZ class.
  3. Ensure that System SSL FIPS 140 support is available and configured. For more information, see the information about System SSL and FIPS 140-2 in z/OS Cryptographic Services System SSL Programming.
  4. If you are using network security services (NSS), configure NSS to support FIPS 140. You can configure FIPS 140 by specifying Yes as the FIPS140 value in the NSS configuration file (for example, nssd.conf). In the Configuration Assistant, configure the FIPS 140 option in the Advanced Server Settings for NSS in the NSS perspective.

    After you have configured FIPS 140, restart the NSS daemon if it was active.

    Tip: If TCP/IP is enabled for FIPS 140 but the NSSD is not, then the NSSD cannot provide NSS certificate services to the TCP/IP stack.
  5. Configure IKE to support FIPS 140. You can configure FIPS 140 by specifying Yes as the FIPS140 value in the IKED configuration file (for example, iked.conf). In the Configuration Assistant, configure the FIPS 140 option in the Advanced IKE Daemon Settings in the IPSec perspective.

    After you have configured FIPS 140, restart the IKE daemon if it was active.

    Tip: If TCP/IP is enabled for FIPS 140 but the IKED is not, then the IKED will not negotiate dynamic VPN tunnels for that TCP/IP stack.
  6. Configure the TCP/IP stack to support FIPS 140. You can configure FIPS 140 by specifying FIPS140 Yes on the IpFilterPolicy statement in the IPSec policy file for the stack. In the Configuration Assistant, configure the FIPS 140 option in the Advanced Stack Settings in the IPSec perspective.

    After you have configured FIPS 140, restart the stack if it was active.
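The three FIPS140 settings from steps 4, 5, and 6 shown side by side, as an added illustration that is not taken from the IBM documentation or from any shipped sample configuration. The file names, the `NssConfig` and `IkeConfig` statement names that enclose the keyword in nssd.conf and iked.conf, and the use of `#` for comments are assumptions about the file layout; the only values the page itself states are `FIPS140 Yes` in the NSS and IKED configuration files and `FIPS140 Yes` on the `IpFilterPolicy` statement.

```conf
# --- nssd.conf (step 4): NSS server in FIPS 140 mode ---
# Assumed statement name: NssConfig. Restart NSSD after changing this.
NssConfig
{
  FIPS140   Yes      # NSSD must match the stacks it serves (see the step 4 tip)
}

# --- iked.conf (step 5): IKE daemon in FIPS 140 mode ---
# Assumed statement name: IkeConfig. Restart IKED after changing this.
IkeConfig
{
  FIPS140   Yes      # IKED will not negotiate dynamic tunnels for a FIPS 140 stack otherwise
}

# --- IPSec policy file for one stack (step 6) ---
# Per-stack setting; stacks sharing a system may differ (see the step 2 tip).
IpFilterPolicy
{
  FIPS140   Yes      # restart the stack after changing this
}
```

Because the setting is per stack, check the SAF side of step 2 for each stack that carries `FIPS140 Yes`: `SETROPTS LIST` shows whether the CRYPTOZ class is active, and `RLIST CRYPTOZ FIPSEXEMPT.SYSTOK-SESSION-ONLY AUTHUSER` shows whether a profile exists and which user IDs (including those of IKED, NSSD, and the stacks) hold access other than NONE. Once FIPS 140 mode is on, ICSF rejects non-approved algorithms, so policies that still reference them need to be revised before the daemons and stacks are restarted.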