ipsec command

The z/OS® UNIX ipsec command displays and modifies IP security information for a local TCP/IP stack and the IKE daemon or for a network security services (NSS) IPSec client that uses the IPSec network management service of the local NSS server. You can configure a TCP/IP stack as an NSS IPSec client by adding a NssStackConfig statement to the configuration file of the stack's IKE daemon. See z/OS Communications Server: IP Configuration Guide for details. The NSS client can reside on the local z/OS system or on a different z/OS system.

You can also use the ipsec command to display, add, and manage defensive filters in the TCP/IP stack and the Defense Manager daemon (DMD). An external security information and event manager typically adds defensive filters in response to a detected intrusion. See defensive filtering information in z/OS Communications Server: IP Configuration Guide for more information about the defensive filters and the DMD. The ipsec command displays and modifies defensive filter information for a local TCP/IP stack or for all stacks on a local z/OS image for which the DMD is managing defensive filters.

IP security is implemented through a set of entities that is shared between the TCP/IP stack and the IKE daemon. For a description of the terms and concepts that are used, see IP security information in the z/OS Communications Server: IP Configuration Guide.

You can use the ipsec command for the following IP security management activities:
  • Display the default or current filter rules and change the filter rule set that the stack is using
  • Activate, deactivate, display, and refresh manual and dynamic IPSec tunnels
  • Deactivate, display, and refresh IKE tunnels
  • Display stack interfaces, including their security class and DVIPA status
  • For a particular type of data traffic between two specific endpoints, display which filter rules apply, including both defensive filters and IP security filters
  • Display information about the active NSS IPSec client configuration
  • Display information maintained by the NSS server for each NSS IPSec client

The ipsec command is also used to display and manage defensive filters on the local host system.

Restriction: You cannot display and manage defensive filters for an NSS IPSec client.

You can use the ipsec command for the following defensive filter management activities:
  • Add a defensive filter to a specific stack or globally to all eligible stacks. (An eligible stack is a stack on the local z/OS image that is enabled for IP security and that is included in the Defense Manager daemon (DMD) configuration file and has the mode active or simulate.)
  • Display defensive filters that are installed in a specific stack.
  • Display global defensive filters.
  • Delete a defensive filter from a specific stack or globally from all eligible stacks.
  • Update a defensive filter that is installed in a specific stack or globally in all eligible stacks.
  • For a particular type of data traffic between two specific endpoints, display which filter rules apply, including both defensive filters and IP security filters.
Tips:
  • Use Secure Shell (SSH) when issuing ipsec commands from remote machines, so that the command session and its output are protected in transit.
  • The DMD supports up to 10 concurrent ipsec command connections. Automated solutions should issue ipsec commands serially, so that each invocation can open a connection to the DMD rather than failing because the connection limit is already reached.

As new functionality is added to the z/OS Communications Server, the ipsec command input options and display output might change. Programs that post-process the output of the ipsec command might be affected by the introduction of z/OS Communications Server maintenance or the installation of a later release. The z/OS Summary of Message and Interface Changes includes information about changes to ipsec command reports.