Use the following information to aid in diagnosing Sysplex-wide
Security Association (SWSA) problems specifically.
Before you begin

Ensure that you have consistent IPSec policies on all participating
systems, which include the following:
- Distributing stacks, target stacks and backup stacks.
- Certificates identifying hosts must be available on all distributing
and backup hosts. This is most easily accomplished by sharing the
SAF certificate repository between the processors in the sysplex.
See z/OS Communications Server: IP Configuration
Guide for information about configuring IP security
policy on an IPSECURITY stack.
Procedure

Perform the following steps to diagnose SWSA problems.
- Code the DVIPSEC option on the owning and backup stacks
to take advantage of SWSA. Do the following on the owning
and backup stacks:
- Use the netstat,config command to
confirm that IPSECURITY was specified on the IPCONFIG statement and,
if appropriate, on the IPCONFIG6 statement.
Figure XX. netstat,config example
D TCPIP,,NETSTAT,CONFIG
NETSTAT CONFIG
MVS TCP/IP NETSTAT CS V2R1 TCPIP Name: TCPCS
...
IP Configuration Table:
Forwarding: Yes TimeToLive: 00064 RsmTimeOut: 00060
IPSecurity: Yes
...
IPv6 Configuration Table:
Forwarding: Yes HopLimit: 00255 IgRedirect: No
SourceVipa: Yes MultiPath: Conn IcmperrLim: 00003
IgRtrHopLimit: No
IpSecurity: Yes
- Use the ipsec -f command to confirm
that DVIPSEC was specified on the IPSEC statement.
Figure 1. ipsec -f example
# ipsec -f disp
CS V2R1 ipsec Stack Name: TCPCS1 Fri May 27 10:48:47 2011
Primary: Filter Function: Display Format: Detail
Source: Stack Profile Scope: Current TotAvail: 2
Logging: Off Predecap: Off DVIPSec: Yes
- Verify from the system log for the distributing and target
stacks (for sysplex distribution of IPSec workload) and the primary
and backup stacks (for dynamic tunnel recovery) that an IST1370I message
like the following was issued:
IST1370I NETA.SSCP1A IS CONNECTED TO STRUCTURE EZBDVIPA
If subplexing is being used, the message is:
IST1370I NETA.SSCP1A IS CONNECTED TO STRUCTURE EZBDVIPAvvtt
where vv is the VTAM® subplex group
ID and tt is the TCP/IP subplex group ID.
If no VTAM subplex group ID
was specified at VTAM startup,
but a TCP/IP subplex group ID was specified on the GLOBALCONFIG statement
in the TCP/IP Profile, then the structure name is EZBDVIPA01tt. If a VTAM subplex group ID was specified, but no TCP/IP subplex group ID was
specified, then the structure name is EZBDVIPAvv.
For SWSA functions to work correctly, the stacks
involved must be connected to the EZBDVIPAvvtt coupling facility structure. If this message was not issued, see z/OS Communications Server: SNA Network Implementation
Guide for information about setting up the sysplex
environment for VTAM function
and defining EZBDVIPAvvtt with the coupling facility.
- For sysplex distribution of IPSec traffic, the target stacks
must have a copy of the dynamic tunnel, called a shadow tunnel, that
matches the dynamic tunnel on the distributing stack. Do the following:
- Use the following command to verify that a dynamic tunnel is active
on distributing stacks:
Figure 2. ipsec -y example
# ipsec -y display
CS V2R1 ipsec Stack Name: TCPCS1 Fri May 27 13:22:15 2011
Primary: Dynamic tunnel Function: Display Format: Detail
Source: Stack Scope: Current TotAvail: 2
TunnelID: Y6
Generation: 1
IKEVersion: 2.0
ParentIKETunnelID: K5
VpnActionName: VPN-14-Transport
LocalDynVpnRule: n/a
State: Active
HowToEncap: Transport
LocalEndPoint: 10.93.1.8
RemoteEndPoint: 10.83.4.1
LocalAddressBase: 10.93.1.8
LocalAddressPrefix: n/a
LocalAddressRange: n/a
RemoteAddressBase: 10.83.4.1
RemoteAddressPrefix: n/a
RemoteAddressRange: n/a
HowToAuth: ESP
AuthAlgorithm: HMAC-SHA1
AuthInboundSpi: 1337238202 (0x4FB4A2BA)
AuthOutboundSpi: 3188885928 (0xBE1289A8)
HowToEncrypt: 3DES-CBC
KeyLength: n/a
EncryptInboundSpi: 1337238202 (0x4FB4A2BA)
EncryptOutboundSpi: 3188885928 (0xBE1289A8)
Protocol: ALL(0)
LocalPort: n/a
LocalPortRange: n/a
RemotePort: n/a
RemotePortRange: n/a
Type: n/a
TypeRange: n/a
Code: n/a
CodeRange: n/a
OutboundPackets: 0
OutboundBytes: 0
InboundPackets: 0
InboundBytes: 0
Lifesize: 0K
LifesizeRefresh: 0K
CurrentByteCount: 0b
LifetimeRefresh: 2011/05/27 16:40:23
LifetimeExpires: 2011/05/27 16:58:50
CurrentTime: 2011/05/27 12:58:56
VPNLifeExpires: 2011/05/28 12:58:50
NAT Traversal Topology:
UdpEncapMode: No
LclNATDetected: No
RmtNATDetected: No
RmtNAPTDetected: No
RmtIsGw: n/a
RmtIsZOS: n/a
zOSCanInitP2SA: n/a
RmtUdpEncapPort: n/a
SrcNATOARcvd: n/a
DstNATOARcvd: n/a
PassthroughDF: n/a
PassthroughDSCP: n/a
***********************************************************************
- Use the following command to verify that a shadow tunnel is active
on target stacks:
Figure 3. ipsec -y display -s example
# ipsec -y display -s
CS V2R1 ipsec Stack Name: TCPCS2 Fri May 27 13:22:23 2011
Primary: Dynamic tunnel Function: display (shadows) Format: Detail
Source: Stack Scope: Current TotAvail: 2
TunnelID: Y6
Generation: 1
IKEVersion: 2.0
ParentIKETunnelID: K5
VpnActionName: VPN-14-Transport
LocalDynVpnRule: n/a
State: Active
HowToEncap: Transport
LocalEndPoint: 10.93.1.8
RemoteEndPoint: 10.83.4.1
LocalAddressBase: 10.93.1.8
LocalAddressPrefix: n/a
LocalAddressRange: n/a
RemoteAddressBase: 10.83.4.1
RemoteAddressPrefix: n/a
RemoteAddressRange: n/a
HowToAuth: ESP
AuthAlgorithm: HMAC-SHA1
AuthInboundSpi: 1337238202 (0x4FB4A2BA)
AuthOutboundSpi: 3188885928 (0xBE1289A8)
HowToEncrypt: 3DES-CBC
KeyLength: n/a
EncryptInboundSpi: 1337238202 (0x4FB4A2BA)
EncryptOutboundSpi: 3188885928 (0xBE1289A8)
Protocol: ALL(0)
LocalPort: n/a
LocalPortRange: n/a
RemotePort: n/a
RemotePortRange: n/a
Type: n/a
TypeRange: n/a
Code: n/a
CodeRange: n/a
OutboundPackets: 0
OutboundBytes: 0
InboundPackets: 0
InboundBytes: 0
Lifesize: 0K
LifesizeRefresh: 0K
CurrentByteCount: 0b
LifetimeRefresh: 2011/05/27 16:40:23
LifetimeExpires: 2011/05/27 16:58:50
CurrentTime: 2011/05/27 13:22:24
VPNLifeExpires: 2011/05/28 12:58:50
NAT Traversal Topology:
UdpEncapMode: No
LclNATDetected: No
RmtNATDetected: No
RmtNAPTDetected: No
RmtIsGw: n/a
RmtIsZOS: n/a
zOSCanInitP2SA: n/a
RmtUdpEncapPort: n/a
SrcNATOARcvd: n/a
DstNATOARcvd: n/a
PassthroughDF: n/a
PassthroughDSCP: n/a
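The shadow-tunnel check above is done by eye in the two displays. As an added example (not part of the z/OS documentation or the ipsec command), the following script parses `ipsec -y display` output from a distributing stack and `ipsec -y display -s` output from a target stack and reports, per TunnelID, any field that must match but does not; the abbreviated sample displays are constructed, with a deliberately wrong SPI on the shadow.

```python
import re

# Fields that must be identical between the distributing stack's dynamic
# tunnel and the target stack's shadow tunnel. Stack name, timestamps and
# packet/byte counters legitimately differ and are deliberately skipped.
MUST_MATCH = (
    "Generation", "IKEVersion", "ParentIKETunnelID", "VpnActionName", "State",
    "HowToEncap", "LocalEndPoint", "RemoteEndPoint", "HowToAuth", "AuthAlgorithm",
    "AuthInboundSpi", "AuthOutboundSpi", "HowToEncrypt", "EncryptInboundSpi",
    "EncryptOutboundSpi", "Protocol",
)
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9]+):\s*(.*?)\s*$")

def parse_ipsec_y(text):
    """Parse 'ipsec -y display' output into {TunnelID: {field: value}}."""
    tunnels, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)          # header lines ("CS V2R1 ...") don't match
        if not m:
            continue
        key, value = m.groups()
        if key == "TunnelID":             # a new tunnel record starts here
            current = tunnels.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return tunnels

def compare_shadows(distributing, target):
    """Return {TunnelID: [problem, ...]}; empty means every dynamic tunnel
    on the distributing stack has a matching shadow on the target stack."""
    problems = {}
    for tid, dyn in distributing.items():
        shadow = target.get(tid)
        if shadow is None:
            problems[tid] = ["no shadow tunnel on target stack"]
            continue
        diffs = [f"{f}: {dyn.get(f)} != {shadow.get(f)}"
                 for f in MUST_MATCH if dyn.get(f) != shadow.get(f)]
        if diffs:
            problems[tid] = diffs
    return problems

# Constructed, abbreviated sample output; the shadow's AuthOutboundSpi is
# deliberately wrong so the check has a mismatch to report.
DIST = "TunnelID: Y6\nState: Active\nAuthOutboundSpi: 3188885928 (0xBE1289A8)\nCurrentTime: 2011/05/27 12:58:56\n"
TARGET = "TunnelID: Y6\nState: Active\nAuthOutboundSpi: 1111111111 (0x423A35C7)\nCurrentTime: 2011/05/27 13:22:24\n"

def demo():
    return compare_shadows(parse_ipsec_y(DIST), parse_ipsec_y(TARGET))
```

Run it against the saved output of both commands; an empty result means every tunnel on the distributing stack has a consistent shadow on the target.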
- To confirm that the coupling facility has the information
about the tunnels in the event a recovery is necessary, use the following VTAM command, specifying the full
name of the EZBDVIPA structure:
d net,stats,type=cfs,strname=ezbdvipa1121,dvipa=10.93.1.8
The following output is displayed:
IST097I DISPLAY ACCEPTED
IST350I DISPLAY TYPE = STATS,TYPE=CFS
IST1370I NETA.SSCP1A IS CONNECTED TO STRUCTURE EZBDVIPA1121
IST1797I STRUCTURE TYPE = LIST
IST1517I LIST HEADERS = 2048 - LOCK HEADERS = 0
IST1373I STORAGE ELEMENT SIZE = 256
IST924I -------------------------------------------------------------
IST1374I CURRENT MAXIMUM PERCENT
IST1375I STRUCTURE SIZE 15104K 50176K *NA*
IST1376I STORAGE ELEMENTS 48 28592 0
IST1377I LIST ENTRIES 6 2902 0
IST924I -------------------------------------------------------------
IST1834I LIST DVIPA SYSNAME TCPNAME #ENTRIES TGCOUNT SEQNUMBER
IST1835I 1 10.93.1.8
IST1837I MVS187 TCPCS1 1 1
IST1835I 2 10.93.1.8
IST1836I MVS187 TCPCS1 1 0
IST314I END
Information about the dynamic tunnels that are used in SWSA is
kept in the coupling facility structure in the event that a recovery
of the tunnel is necessary. For example, the recovery information
is used when a DVIPA is taken over by another stack in the sysplex.
For more information, see DISPLAY STATS in z/OS Communications Server: SNA Operation.
For IPSec connections to continue
functioning with that DVIPA, the tunnel has to be recovered by the
same stack that took over the dynamic VIPA.
The list entry
for the DVIPA (list 2 above) shows the system and
stack for which the coupling facility is maintaining information about
the tunnel.
- Use the following VTAM command, specifying the full name of the EZBDVIPA structure, to
confirm that the coupling facility is managing the replay count:
d net,stats,type=cfs,strname=ezbdvipa1121,list=all
For sysplex distribution of IPSec traffic, the dynamic
tunnel replay count (sequence number) is maintained in the EZBDVIPAvvtt
coupling facility structure. The distributing stack dynamic tunnel
and all the target stack shadow tunnels share the replay count.
The following output is displayed:
D NET,STATS,TYPE=CFS,STRNAME=EZBDVIPA1121,LIST=ALL
IST097I DISPLAY ACCEPTED
IST350I DISPLAY TYPE = STATS,TYPE=CFS
IST1370I NETA.SSCP1A IS CONNECTED TO STRUCTURE EZBDVIPA1121
IST1797I STRUCTURE TYPE = LIST
IST1517I LIST HEADERS = 2048 - LOCK HEADERS = 0
IST1373I STORAGE ELEMENT SIZE = 256
IST924I -------------------------------------------------------------
IST1374I CURRENT MAXIMUM PERCENT
IST1375I STRUCTURE SIZE 15104K 50176K *NA*
IST1376I STORAGE ELEMENTS 48 28592 0
IST1377I LIST ENTRIES 6 2902 0
IST924I -------------------------------------------------------------
IST1834I LIST DVIPA SYSNAME TCPNAME #ENTRIES TGCOUNT SEQNUMBER
IST1835I 1 10.93.1.8
IST1837I MVS187 TCPCS1 1 1
IST1835I 2 10.93.1.8
IST1836I MVS187 TCPCS1 1 0
IST314I END
The list entry for the dynamic VIPA with a value in the SEQNUMBER
column confirms that this tunnel's replay count is managed by the
coupling facility.