The z/OS® UNIX ipsec command displays and modifies IP security information for a local TCP/IP stack and the IKE daemon or for a network security services (NSS) IPSec client that uses the IPSec network management service of the local NSS server. You can configure a TCP/IP stack as an NSS IPSec client by adding a NssStackConfig statement to the configuration file of the stack's IKE daemon. See z/OS Communications Server: IP Configuration Guide for details. The NSS client can reside on the local z/OS system or on a different z/OS system.
You can also use the ipsec command to display, add, and manage defensive filters in the TCP/IP stack and the Defense Manager daemon (DMD). An external security information and event manager typically adds defensive filters in response to a detected intrusion. See defensive filtering information in z/OS Communications Server: IP Configuration Guide for more information about the defensive filters and the DMD. The ipsec command displays and modifies defensive filter information for a local TCP/IP stack or for all stacks on a local z/OS image for which the DMD is managing defensive filters.
IP security is implemented through a set of entities that is shared between the TCP/IP stack and the IKE daemon. For a description of the terms and concepts that are used, see IP security information in the z/OS Communications Server: IP Configuration Guide.
The ipsec command is also used to display and manage defensive filters on the local host system.
Restriction: You cannot display and manage defensive filters for an NSS IPSec client.
As new functionality is added to the z/OS Communications Server, the ipsec command input options and display output might change. Programs that post-process the output of the ipsec command might be affected by the introduction of z/OS Communications Server maintenance or the installation of a later release. The z/OS Summary of Message and Interface Changes includes information about changes to ipsec command reports.