IPSec Status Attributes

Use the IPSec Status attributes to display IP stack security configuration information and IP stack security statistics.

Active Dynamic SWSA Shadow Tunnels The current number of active dynamic Sysplex-Wide Security Associations shadow tunnels known to the TCP/IP stack. The format is an integer.

Active Dynamic Tunnels The current number of active dynamic tunnels known to the TCP/IP stack. This number does not include Sysplex-Wide Security Associations (SWSA) shadow tunnels or manual tunnels. The format is an integer.

Active IKE Tunnels The number of Internet Key Exchange (IKE) tunnels that are currently active. The format is an integer.

Collection Time The time and date of the data sampling. This time is displayed in the following format:

mm/dd/yy hh:mm:ss (Tivoli Enterprise Portal) or yy/mm/dd hh:mm:ss (3270)

Where:

  • mm = Month
  • dd = Day of the month
  • yy = Year
  • hh = Hour
  • mm = Minute
  • ss = Seconds

The stored format is a string no longer than 16 characters in the format CYYMMDDHHMMSSmmm (as in 1020315064501000 for 03/15/02 06:45:01) where:

  • C = Century (0 for 20th, 1 for 21st)
  • Y = Year
  • M = Month
  • D = Day
  • H = Hour
  • M = Minute
  • S = Second
  • m = Millisecond

Dynamic Tunnels in Progress The number of dynamic tunnels in progress. The state of the tunnel is either PENDING or IN NEGOTIATION. The format is an integer where:

  • 0 means PENDING
  • 1 means IN NEGOTIATION

Expired Dynamic Tunnels The number of dynamic tunnels that are currently expired. This value includes shadow and non-shadow tunnels. The format is an integer.

Expired IKE Tunnels The number of Internet Key Exchange (IKE) tunnels that are currently expired. The format is an integer.

Filter Logging Indicates whether filter logging is enabled for the TCP/IP stack. Filter logging was enabled by coding the LOGENABLE parameter of the IPSEC statement in the TCP/IP profile. For more information about the IPSEC statement, see the most recent edition of the IBM® z/OS® Communication Server: IP Configuration Guide or IBM z/OS Communication Server: IP Configuration Reference. This value is stored as an integer and displayed as a string. Valid values are:

  • 0 = Disabled
  • 1 = Enabled

Filter Set In Use Identifies which filter set is currently in use by the TCP/IP stack. One of two filter sets may be in use at any time:

  • The default filter set that is made up of filters defined in the TCP/IP profile.
  • The policy filter set that is made up of filters defined in Policy Agent configuration files.

This value is stored as an integer and displayed as a string. Valid values are:

  • 0 = Default
  • 1 = Policy

IKE Bytes Protected The number of bytes protected by Internet Key Exchange (IKE) tunnels in the last interval. The format is an integer.

IKE Inbound Bytes Protected The number of inbound bytes protected by IKE tunnels in the last interval. The format is an integer.

IKE Inbound Protected Byte Rate The number of inbound bytes flowing through Internet Key Exchange (IKE) tunnels every minute. The format is an integer.

IKE Outbound Bytes Protected The number of outbound bytes protected by Internet Key Exchange (IKE) tunnels in the last interval. The format is an integer.

IKE Outbound Protected Byte Rate The number of outbound bytes flowing through Internet Key Exchange (IKE) tunnels every minute. The format is an integer.

IKE Protected Byte Rate The number of bytes flowing through Internet Key Exchange (IKE) tunnels every minute. The format is an integer.

IKE Total Bytes Protected The cumulative number of inbound and outbound bytes of Internet Key Exchange (IKE) traffic protected by IKE tunnels since the IKE daemon was started. The value in this column can be added to the product of 1,073,741,824 and the value in the IKE Total Bytes Protected (in G) column to calculate the cumulative total bytes of IKE traffic protected by IKE tunnels. The format is an integer.

IKE Total Bytes Protected (in G) The cumulative number of inbound and outbound bytes of Internet Key Exchange (IKE) traffic protected by IKE tunnels since the IKE daemon was started, divided by 1,073,741,824. The value in this column can be multiplied by 1,073,741,824 and added to the value in the IKE Total Bytes Protected column to calculate the cumulative total bytes of IKE traffic protected by IKE tunnels. The format is an integer.

IKE Total Inbound Bytes Protected The cumulative number of inbound bytes of IKE traffic protected by IKE tunnels since the IKE daemon was started. The value in this column can be added to the product of 1,073,741,824 and the value in the IKE Inbound Bytes Protected (in G) column to calculate the cumulative number of IKE Inbound Bytes Protected. The format is an integer.

IKE Total Inbound Bytes Protected (in G) The cumulative number of inbound bytes of IKE traffic protected by dynamic tunnels since the start of the IKE daemon, divided by 1,073,741,824. The value in this column can be multiplied by 1,073,741,824 and added to the value in the IKE Inbound Bytes Protected column to calculate the cumulative number of IKE inbound bytes protected. The format is an integer.

IKE Total Invalid Key Messages Cumulative number of invalid key exchange (phase 1) messages received since the Internet Key Exchange (IKE) daemon was started. This does not include message authentication failures. The format is an integer.

IKE Total Key Message Authentication Failures The cumulative number of key exchange (phase 1) message authentication failures since the Internet Key Exchange (IKE) daemon was started. The format is an integer.

IKE Total Outbound Bytes Protected The cumulative number of outbound bytes of IKE traffic protected by IKE tunnels since the IKE daemon was started. The value in this column can be added to the product of 1,073,741,824 and the value in the IKE Outbound Bytes Protected (in G) column to calculate the cumulative number of IKE Outbound Bytes Protected. The format is an integer.

IKE Total Outbound Bytes Protected (in G) The cumulative number of outbound bytes of IKE traffic protected by dynamic tunnels since the start of the IKE daemon, divided by 1,073,741,824. The value in this column can be multiplied by 1,073,741,824 and added to the value in the IKE Outbound Bytes Protected column to calculate the cumulative number of IKE outbound bytes protected. The format is an integer.

IKE Total Replayed Key Messages The cumulative number of replayed key exchange (phase 1) messages received since the Internet Key Exchange (IKE) daemon was started. The format is an integer.

IKE Total Retransmitted Key Messages The cumulative number of retransmitted key exchange (phase 1) messages that were sent since the Internet Key Exchange (IKE) daemon was started. The format is an integer.

IKE Tunnels in Progress The number of Internet Key Exchange (IKE) tunnels currently in progress. The format is an integer where:

  • 0 means PENDING
  • 1 means IN NEGOTIATION

IP Bytes Protected The number of bytes of IP traffic protected by dynamic IP tunnels in the last interval. The format is an integer.

IP Inbound Bytes Protected The number of inbound bytes protected by IP tunnels in the last interval. The format is an integer.

IP Inbound Protected Byte Rate The number of inbound bytes flowing through IP tunnels every minute. The format is an integer.

IP Outbound Bytes Protected The number of outbound bytes protected by IP tunnels in the last interval. The format is an integer.

IP Outbound Protected Byte Rate The number of outbound bytes flowing through IP tunnels every minute. The format is an integer.

IP Protected Byte Rate The number of bytes of IP traffic flowing through dynamic IP tunnels every minute. The format is an integer.

IP Security Indicates whether IP security functions are enabled for IPv4 interfaces. IP security was enabled by coding IPCONFIG IPSECURITY in the TCP/IP profile. For more information about the IPSEC statement, see the most recent edition of the IBM z/OS Communication Server: IP Configuration Guide or IBM z/OS Communication Server: IP Configuration Reference. This value is stored as an integer and displayed as a string. Valid values are:

  • 0 = Disabled
  • 1 = Enabled

IP Total Bytes Protected The cumulative number of inbound and outbound bytes of IP traffic protected by dynamic tunnels since the TCP/IP stack was started. The value in this column can be added to the product of 1,073,741,824 and the value in the IP Total Bytes Protected (in G) column to calculate the cumulative total bytes of IP traffic protected by dynamic tunnels. The format is an integer.

IP Total Bytes Protected (in G) The cumulative number of inbound and outbound bytes of IP traffic protected by dynamic tunnels since the TCP/IP stack was started, divided by 1,073,741,824. The value in this column can be multiplied by 1,073,741,824 and added to the value in the IP Total Bytes Protected column to calculate the cumulative total bytes of IP traffic protected by dynamic tunnels. The format is an integer.

IP Total Inbound Bytes Protected The cumulative number of inbound bytes of IP traffic protected by dynamic tunnels since the start of the TCP/IP stack. The value in this column can be added to the product of 1,073,741,824 and the value in the IP Inbound Bytes Protected (in G) column to calculate the cumulative number of IP Inbound Bytes Protected. The format is an integer.

IP Total Inbound Bytes Protected (in G) The cumulative number of inbound bytes of IP traffic protected by dynamic tunnels since the start of the TCP/IP stack, divided by 1,073,741,824. The value in this column can be multiplied by 1,073,741,824 and added to the value in the IP Inbound Bytes Protected column to calculate the cumulative number of IP inbound bytes protected. The format is an integer.

IP Total Outbound Bytes Protected The cumulative number of outbound bytes of IP traffic protected by dynamic tunnels since the start of the TCP/IP stack. The value in this column can be added to the product of 1,073,741,824 and the value in the IP Outbound Bytes Protected (in G) column to calculate the cumulative number of IP Outbound Bytes Protected. The format is an integer.

IP Total Outbound Bytes Protected (in G) The cumulative number of outbound bytes of IP traffic protected by dynamic tunnels since the start of the TCP/IP stack, divided by 1,073,741,824. The value in this column can be multiplied by 1,073,741,824 and added to the value in the IP Outbound Bytes Protected column to calculate the cumulative number of IP outbound bytes protected. The format is an integer.

IPv6 Security Indicates whether IP security functions are enabled for IPv6 interfaces. IPv6 security was enabled by coding IPCONFIG IPSECURITY and IPCONFIG6 IPSECURITY in the TCP/IP profile. For more information about the IPSEC statement, see the most recent edition of the IBM z/OS Communication Server: IP Configuration Guide or IBM z/OS Communication Server: IP Configuration Reference. This value is stored as an integer and displayed as a string. Valid values are:

  • 0 = Disabled
  • 1 = Enabled

NAT Keep Alive Interval The NAT keep-alive interval, in seconds. The interval is used to regulate the sending of NAT keep-alive messages for a NAT traversal tunnel when a NAT is detected in front of the local host. The format is an integer expressed in seconds.

Number of Configured Filters The number of configured IP Filters for this stack. The format is an integer.

Origin Node The unique identifier for the TCP/IP stack being displayed. The format is an alphanumeric string no longer than 32 characters.

Packets Denied by DENY The number of packets denied by a DENY action on any filter during the most recent collection interval. The format is an integer.

Packets Denied by Mismatch The number of packets denied by a mismatched action on any filter during the most recent interval. The format is an integer.

Packets Filtered The number of packets filtered by the filter rule set during the most recent collection interval. The format is an integer.

Packets Matched The number of packets that matched the condition and action for any filter during the most recent interval. The format is an integer.

Packets Permitted The number of packets permitted by any filter during the most recent interval. The format is an integer.

Percent Packets Denied by DENY The percentage of packets denied by a DENY action on any filter during the most recent interval. The format is a number between 0 and 100 inclusive.

Percent Packets Denied by Mismatch The percentage of packets denied by a mismatched action on any filter during the most recent interval. The format is a number between 0 and 100 inclusive.

Percent Packets Permitted The percentage of packets permitted by any filter during the most recent interval. The format is a number between 0 and 100 inclusive.

Percent Total Packets Denied by DENY The percentage of total packets denied by a DENY action on any filter since the TCP/IP stack was started. The format is a number between 0 and 100 inclusive.

Percent Total Packets Denied by Mismatch The percentage of total packets denied due to a mismatch with any filter action since the stack was started. The format is a number between 0 and 100 inclusive.

Percent Total Packets Permitted The percentage of total packets that were permitted by any filter since the TCP/IP stack was started. The format is a number between 0 and 100 inclusive.

Pre-Decapsulation Filtering Indicates whether pre-decapsulation filtering is enabled. This value is stored as an integer and displayed as a string. Valid values are:

  • 0 = Disabled
  • 1 = Enabled

System ID The SMF system ID. The format is an alphanumeric string no longer than 4 characters.

Sysplex Name The name of the sysplex that the monitored system is part of.

Sysplex-Wide Security Associations (SWSA) Indicates whether sysplex-wide security associations (SWSA) are enabled. SWSA was enabled by coding the DVIPSEC parameter on the IPSEC statement in the TCP/IP profile. For more information about the IPSEC statement, see the most recent edition of the IBM z/OS Communication Server: IP Configuration Guide or IBM z/OS Communication Server: IP Configuration Reference. This value is stored as an integer and displayed as a string. Valid values are:

  • 0 = Disabled
  • 1 = Enabled

TCPIP STC Name The name of the TCP/IP job. The format is an alphanumeric string no longer than 8 characters.

Total Active Dynamic Tunnels The total number of currently active dynamic tunnels. This includes active dynamic Sysplex-Wide Security Associations (SWSA) shadow tunnels and dynamic IP tunnels. The format is an integer.

Total Failed Dynamic Tunnel Activations The cumulative number of failed dynamic tunnel activations since the TCP/IP stack was started. The format is an integer.

Total Failed IKE Tunnel Activations The cumulative number of failed Internet Key Exchange (IKE) tunnel activations that were initiated locally or remotely since the IKE daemon was started. The format is an integer.

Total Failed Local IKE Tunnel Activations The cumulative number of failed Internet Key Exchange (IKE) tunnel activations that were initiated locally since the IKE daemon was started. The format is an integer.

Total Failed Remote IKE Tunnel Activations The cumulative number of failed remote Internet Key Exchange (IKE) tunnel activations since the IKE daemon was started. The format is an integer.

Total Invalid QUICKMODE Messages The cumulative number of invalid QUICKMODE (phase 2) messages received since the Internet Key Exchange (IKE) daemon was started. The format is an integer.

Total Packets Denied by DENY The total number of packets denied by a DENY action on any filter since the TCP/IP stack was started. If the value in the Total Packets Denied by DENY (in G) column is not 0, then the value in this column can be added to the product of 1,073,741,824 and the value in the Total Packets Denied by DENY (in G) column to calculate the packets denied by DENY for any filter. The format is an integer.

Total Packets Denied by DENY (in G) The total number of packets denied by a DENY action on any filter since the TCP/IP stack was started, divided by 1,073,741,824. If the value in this column is not 0, then it can be multiplied by 1,073,741,824 and added to the value in the Total Packets Denied by DENY column to calculate the Packets Denied by DENY for any filter. The format is an integer.

Total Packets Denied by Mismatch The total number of packets denied due to a mismatch with any filter action since the TCP/IP stack was started. If the value in the Total Packets Denied by Mismatch (in G) column is not 0, then the value in this column can be added to the product of 1,073,741,824 and the value in the Total Packets Denied by Mismatch (in G) column to calculate the total packets denied by mismatch. The format is an integer.

Total Packets Denied by Mismatch (in G) The total number of packets denied due to a mismatch with any filter action since the TCP/IP stack was started, divided by 1,073,741,824. If the value in this column is not 0, then it can be multiplied by 1,073,741,824 and added to the value in the Total Packets Denied by Mismatch column to calculate the packets denied by an action mismatch. The format is an integer.

Total Packets Filtered The total number of packets processed by the filter rule set since the TCP/IP stack was started. If the value in the Total Packets Filtered (in G) column is not 0, then the value in this column can be added to the product of 1,073,741,824 and the value in the Total Packets Filtered (in G) column to calculate the total packets processed. The format is an integer.

Total Packets Filtered (in G) The total number of packets processed by the filter rule set since the TCP/IP stack was started, divided by 1,073,741,824. If the value in this column is not 0, then it can be multiplied by 1,073,741,824 and added to the value in the Total Packets Filtered column to calculate the total packets processed. The format is an integer.

Total Packets Matched The total number of packets that matched both the condition and action for any filter since the TCP/IP stack was started. If the value in the Total Packets Matched (in G) column is not 0, then the value in this column can be added to the product of 1,073,741,824 and the value in the Total Packets Matched (in G) column to calculate the total packets matched. The format is an integer.

Total Packets Matched (in G) The total number of packets that matched both the condition and action for any filter since the TCP/IP stack was started, divided by 1,073,741,824. If the value in this column is not 0, then it can be multiplied by 1,073,741,824 and added to the value in the Total Packets Matched column to calculate the total packets matched. The format is an integer.

Total Packets Permitted The total number of packets that were permitted by any filter since the TCP/IP stack was started. If the value in the Total Packets Permitted (in G) column is not 0, then the value in this column can be added to the product of 1,073,741,824 and the value in the Total Packets Permitted (in G) column to calculate the packets permitted. The format is an integer.

Total Packets Permitted (in G) The total number of packets that were permitted by any filter, divided by 1,073,741,824. If the value in this column is not 0, then it can be multiplied by 1,073,741,824 and added to the value in the Total Packets Permitted column to calculate the packets permitted. The format is an integer.

Total Replayed QUICKMODE Messages The cumulative number of replayed QUICKMODE (phase 2) messages received since the Internet Key Exchange (IKE) daemon was started. The format is an integer.

Total Retransmitted QUICKMODE Messages The cumulative number of retransmitted QUICKMODE (phase 2) messages sent since the Internet Key Exchange (IKE) daemon was started. The format is an integer.

Total Successful Dynamic Tunnel Activations The cumulative number of successful dynamic tunnel activations since the TCP/IP stack was started. The format is an integer.

Total Successful IKE Tunnel Activations The cumulative number of successful Internet Key Exchange (IKE) tunnel activations that were initiated locally or remotely since the IKE daemon was started. The format is an integer.

Total Successful Local IKE Tunnel Activations The cumulative number of successful locally initiated Internet Key Exchange (IKE) tunnel activations since the IKE daemon was started. The format is an integer.

Total Successful Remote IKE Tunnel Activations The cumulative number of successful Internet Key Exchange (IKE) tunnel activations that were initiated locally or remotely since the IKE daemon was started. The format is an integer.
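
The following is an added example, not part of the product documentation: a Python sketch that decodes the stored Collection Time format, rebuilds a cumulative total from a base column and its "(in G)" column, and compares two samples of the security-relevant attributes. It assumes each sample is available as a dictionary keyed by the attribute names above and that the stored timestamp is always the full 16 digits; the sample values are constructed.

```python
from datetime import datetime

G = 1_073_741_824  # 2**30, the divisor the page gives for every "(in G)" column

# Cumulative IKE counters from the page that are worth tracking sample to sample.
WATCHED = (
    "IKE Total Key Message Authentication Failures",
    "IKE Total Replayed Key Messages",
    "Total Invalid QUICKMODE Messages",
)

def parse_collection_time(stored):
    """Decode a stored CYYMMDDHHMMSSmmm value (C: 0 = 20th century, 1 = 21st)."""
    if len(stored) != 16 or not stored.isdigit() or stored[0] not in "01":
        raise ValueError(f"not a CYYMMDDHHMMSSmmm value: {stored!r}")
    year = 1900 + 100 * int(stored[0]) + int(stored[1:3])
    month, day, hour, minute, second = (int(stored[i:i + 2]) for i in range(3, 13, 2))
    # datetime() rejects out-of-range fields such as month 13.
    return datetime(year, month, day, hour, minute, second, int(stored[13:]) * 1000)

def combine(base, in_g):
    """Rebuild a cumulative total from its base column and its '(in G)' column."""
    if base < 0 or in_g < 0:
        raise ValueError("counter columns are non-negative integers")
    return in_g * G + base

def review(prev, curr):
    """Compare two samples of one stack and return findings as strings."""
    findings = []
    for flag in ("IP Security", "Filter Logging"):
        if curr[flag] == 0:  # stored as 0 = Disabled, 1 = Enabled
            findings.append(f"{flag} is Disabled")
    for name in WATCHED:
        delta = curr[name] - prev[name]
        if delta < 0:  # cumulative value went backwards: the IKE daemon restarted
            findings.append(f"{name}: counter reset, {curr[name]} since restart")
        elif delta > 0:
            findings.append(f"{name}: +{delta}")
    key = "Total Packets Denied by DENY"
    denied = (combine(curr[key], curr[key + " (in G)"])
              - combine(prev[key], prev[key + " (in G)"]))
    elapsed = (parse_collection_time(curr["Collection Time"])
               - parse_collection_time(prev["Collection Time"]))
    if denied > 0:
        findings.append(f"{key}: +{denied} in {int(elapsed.total_seconds())}s")
    return findings

# Constructed samples; the base DENY column drops while the "(in G)" column rises.
PREV = {"Collection Time": "1020315064501000", "IP Security": 1, "Filter Logging": 1,
        "IKE Total Key Message Authentication Failures": 4,
        "IKE Total Replayed Key Messages": 0, "Total Invalid QUICKMODE Messages": 9,
        "Total Packets Denied by DENY": 1_073_741_800,
        "Total Packets Denied by DENY (in G)": 0}
CURR = {"Collection Time": "1020315065001000", "IP Security": 1, "Filter Logging": 0,
        "IKE Total Key Message Authentication Failures": 7,
        "IKE Total Replayed Key Messages": 0, "Total Invalid QUICKMODE Messages": 9,
        "Total Packets Denied by DENY": 100,
        "Total Packets Denied by DENY (in G)": 1}

if __name__ == "__main__":
    for finding in review(PREV, CURR):
        print(finding)
```

Comparing only the base column would read the DENY total as having fallen between the two samples; combining it with the "(in G)" column first shows the real increase.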