Local IPSec NMI
The z/OS® Communications Server IKE daemon provides the IPSec network management interface (NMI). The IPSec NMI is an AF_UNIX socket interface through which network management applications can manage IP filtering and IPSec on local TCP/IP stacks. Use this interface for network management applications that are designed to maintain an agent on each individual z/OS system, or in environments where z/OS network security services (NSS) is not enabled. If your applications use a centralized management and monitoring approach, consider using the NSS management interface instead, which is described in Network security services (NSS) network management NMI.
This interface enables applications to obtain the following types of data about the local TCP/IP stacks and the IKE daemon, and to perform the following management actions:
- Information about which TCP/IP stacks are configured for integrated IPSec/VPN
- Summary statistics for IKE, IPSec, and IP filtering activity for a particular TCP/IP stack
- Detailed information about IP filters for a particular TCP/IP stack
- Detailed information about IPSec and IKE security associations (SAs) for a particular TCP/IP stack
- Port translation information for NAT traversal
- Information about which IP interfaces are active for a given TCP/IP stack
- Information about NSS clients that are active in the local IKE daemon
- Activate and deactivate manual and dynamic tunnels
- Refresh dynamic tunnels
- Switch between default IP filters and policy-based IP filters
Because the last three operations change the active IP filter set and the tunnel state of a stack, treat the NMI socket as a privileged management path and restrict which applications are permitted to connect to it.
Tip: If you are processing IPSec SMF records, some of their structures were designed to be analogous to IPSec NMI structures. If you already have code that parses these NMI structures, you might not need to write new parsing code. The section names are indicated in the individual SMF records and are described in detail in Type 119 SMF records.
The terms phase 1 and phase 2 refer to the two types of security associations (SAs) that the z/OS IKE daemon can negotiate with its peers. Although the specific terminology for these types of security associations differs between the IKE version 1 and IKE version 2 protocols, the terms phase 1 and phase 2 are used here for both versions. IKE terminology includes the following definitions:
- Phase 1 security association (SA)
- Refers to IKE version 1 phase 1 SAs and IKE version 2 IKE SAs. When a specific version is intended, that version is identified in this document.
- Phase 2 security association (SA)
- Refers to IKE version 1 phase 2 SAs and IKE version 2 child SAs. When a specific version is intended, that version is identified in this document.