z/OS Communications Server: IP Diagnosis Guide
Overview of diagnosing IKE daemon problems
GC27-3652-02
This section provides overview information about the z/OS® Internet Key Exchange (IKE) daemon and its functions. The IKE daemon manages dynamic IPSec tunnels. The IKE daemon is not involved in the filtering, encapsulation, or decapsulation of packets. The IKE daemon is not required for the configuration or use of IP filters.

The critical elements of IP security are security associations (SAs); specifically, the information that they provide about the partners of a secure communications channel, and the cryptographic algorithms and keys to be used.

The z/OS IKE daemon supports two versions of the Internet Key Exchange: IKE version 1 (IKEv1) and IKE version 2 (IKEv2). The Internet Security Association Key Management protocol (ISAKMP) provides a framework for exchanging messages to automate the negotiation of security associations. The IKEv1 protocol is a hybrid protocol that conforms to the ISAKMP framework and implements a subset of the Oakley and SKEME protocols to negotiate SAs and provide authenticated keying material for SAs in a protected manner. The IKEv2 protocol is very similar to the IKEv1 protocol, in that it also negotiates SAs and provides authenticated keying material for SAs in a protected manner.

The z/OS IKE daemon implements the IKE protocol to dynamically establish SAs with peer daemons that also support these protocols. In the sections that follow, a peer daemon might be referred to as an ISAKMP server or ISAKMP peer. Also, the z/OS IKE daemon might be referred to as the IKE daemon or IKED.

The IKE daemon establishes SAs within the guidelines of internet protocol security (IP security) policy. IP security policies are defined in one or more local files that are read by the Policy Agent. The IKE daemon obtains IP security policies from the Policy Agent using the Policy API (PAPI). See z/OS Communications Server: IP Configuration Guide for more information about configuring and starting Policy Agent, as well as defining policies.

The IKE daemon establishes and installs the following types of SAs:

The IKE daemon installs three primary types of information in the TCP/IP stack:
Copyright IBM Corporation 1990, 2014