The z/OS UNIX ipsec command syntax

Use the z/OS® UNIX ipsec command to display and modify IP security information and defensive filter information on the host z/OS system. With the -z option or the -x primary option specified, the ipsec command displays and modifies IP security information for NSS IPSec clients using the IPSec network management service.

Restriction: When you use the ipsec command to interface with the NSS IPSec network management service, you must issue the ipsec command on the same host z/OS system on which the NSS server is running.

To display and modify IP security information, the ipsec command interacts with both the IKE daemon and a TCP/IP communications stack. One or more stacks can be running concurrently on the host z/OS system. There is at most one IKE daemon, but its data is managed on a per-stack basis. The ipsec command reports IKED NSS IPSec client information for multiple stacks using the -w primary option, and reports NSS server information for multiple NSS IPSec clients using the -x primary option. All other primary options are directed to a single stack (using the -p option) or a single NSS IPSec client (using the -z option). If neither -p nor -z is specified, the command is directed to the default stack on the local system: the default TCP/IP address space that is specified on the TCPIPJOBNAME statement in the resolver configuration data set.

To display and modify defensive filter information, the ipsec command interacts with both the Defense Manager daemon (DMD) and a TCP/IP communications stack. One or more stacks can be running concurrently on the host z/OS system. Only one DMD can be running on the system. Direct the ipsec command -F primary option to the DMD by specifying the -G (global scope) option. If the -G option is not specified, the ipsec command -F option is directed to a single stack. This can be the stack that is specified with the -p option or the default stack. The default stack is the default TCP/IP address space that is specified on the TCPIPJOBNAME statement in the resolver configuration data set.

Restriction: You cannot display and manage defensive filters for an NSS IPSec client using the -z option.

The actual configuration of IP security entities is managed through Policy Agent policy file specifications. In the policy file definition, network resources and collections of network resources receive names that assist in the management process. Use ipsec command options -n, -g, and -l to identify resources by their policy specification name.

Defensive filters are not configured in Policy Agent policy files. You add defensive filters to the TCP/IP stack in response to a detected intrusion with the ipsec -F add command. The defensive filter's name is assigned on the add action. Use the ipsec command option -N to identify a defensive filter by its name.

Rule: All policy names and defensive filter names are case sensitive.

Tip: Spaces and commas are both valid delimiters between ipsec command parameter values.

Additionally, as tunnels are initiated and established, they receive a system-assigned name, known as a tunnel ID. System-assigned tunnel IDs take the form of an integer prefixed with a single letter that identifies the tunnel type: M (manual), K (Internet Key Exchange), or Y (dynamic). The integer comes from a 32-bit counter that is incremented at each assignment and wraps at 4,294,967,295. Tunnel IDs are arbitrary and transitory strings; do not record them in scripts or runbooks as if they were stable identifiers. Manual tunnel IDs are assigned when a manual tunnel is installed in the stack by the Policy Agent, and a change in the manual tunnel policy definition results in assignment of a new manual tunnel ID. Dynamic and IKE tunnel IDs are assigned when a tunnel is established and remain consistent for the life of the stack and the life of the IKE daemon. Use the -a option to identify resources by their tunnel ID.
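The following Python module is an added example, not IBM code, for scripts that drive the ipsec command. It encodes the tunnel-ID form described above (one letter, M manual, K IKE or Y dynamic, followed by an integer from a 32-bit counter) and the -a tunnel-ID selections that the syntax diagrams on this page give for each primary option, so that a script refuses to pass, for example, a Y dynamic tunnel ID to -k, which only selects K IKE tunnels. The upper-case prefix requirement is an assumption taken from how the diagrams write Mnn, Knn and Ynn; the tunnel IDs and the stack name TCPIP in the usage are constructed.

```python
"""Tunnel-ID handling for scripts that drive the z/OS UNIX ipsec command (added example)."""
from __future__ import annotations

import re
from typing import NamedTuple, Optional

COUNTER_MAX = 4_294_967_295  # the 32-bit tunnel counter wraps here

TUNNEL_TYPES = {"M": "manual", "K": "ike", "Y": "dynamic"}

# Tunnel-ID prefixes each primary option's -a selection accepts, from the
# Filter Sel, Man Tunnel Sel, IKE Tunnel Sel and Dyn Tunnel Sel diagrams.
ACCEPTED_PREFIXES = {"-f": {"M", "Y"}, "-m": {"M"}, "-k": {"K"}, "-y": {"Y"}}

# Assumption: the prefix letter is upper case, as the syntax diagrams write it.
_TUNNEL_ID_RE = re.compile(r"^([MKY])([0-9]+)$")


class TunnelId(NamedTuple):
    prefix: str
    number: int

    @property
    def kind(self) -> str:
        return TUNNEL_TYPES[self.prefix]

    def __str__(self) -> str:
        return f"{self.prefix}{self.number}"


def parse_tunnel_id(text: str) -> TunnelId:
    """Parse 'Y123' into TunnelId('Y', 123); reject anything off the documented form."""
    m = _TUNNEL_ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a tunnel ID (expected M, K or Y followed by digits): {text!r}")
    number = int(m.group(2))
    if number > COUNTER_MAX:
        raise ValueError(f"{text!r}: {number} exceeds the 32-bit counter maximum {COUNTER_MAX}")
    return TunnelId(m.group(1), number)


def is_valid_tunnel_id(text: str) -> bool:
    try:
        parse_tunnel_id(text)
    except ValueError:
        return False
    return True


def tunnel_selection(primary_option: str, *ids: str) -> list[str]:
    """Build the '-a id,id,...' selection for a primary option, refusing IDs it cannot take."""
    if primary_option not in ACCEPTED_PREFIXES:
        raise ValueError(f"{primary_option} has no -a tunnel-ID selection")
    if not ids:
        raise ValueError("at least one tunnel ID is required")
    parsed = [parse_tunnel_id(i) for i in ids]
    rejected = [str(t) for t in parsed if t.prefix not in ACCEPTED_PREFIXES[primary_option]]
    if rejected:
        raise ValueError(f"{primary_option} does not accept tunnel IDs {rejected}")
    return ["-a", ",".join(str(t) for t in parsed)]


def is_valid_selection(primary_option: str, *ids: str) -> bool:
    try:
        tunnel_selection(primary_option, *ids)
    except ValueError:
        return False
    return True


# Actions whose diagram places the tunnel selection directly after the action.
# -y display puts -b before its selection and -y activate selects by -l only,
# so neither is built here.
_ACTIONS_WITH_SELECTION = {
    "-m": {"display", "activate", "deactivate"},
    "-k": {"display", "deactivate", "refresh"},
    "-y": {"deactivate", "refresh"},
}


def tunnel_command(primary_option: str, action: str, *ids: str,
                   stack: Optional[str] = None) -> list[str]:
    """argv for 'ipsec -m|-k|-y <action> -a ids [-p stack]'."""
    if action not in _ACTIONS_WITH_SELECTION.get(primary_option, set()):
        raise ValueError(f"{primary_option} {action} does not take a tunnel-ID selection here")
    argv = ["ipsec", primary_option, action, *tunnel_selection(primary_option, *ids)]
    if stack is not None:
        argv += ["-p", stack]
    return argv


if __name__ == "__main__":
    # Usage: deactivate one IKE tunnel on stack TCPIP (constructed values).
    print(" ".join(tunnel_command("-k", "deactivate", "K7", stack="TCPIP")))
```

The selection check is cheap insurance: because tunnel IDs are transitory, an ID copied from an earlier display can refer to a different tunnel, or to none, by the time a deactivate is issued, so a script should at least confirm the ID is of the type the primary option manages before running the command.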

In addition to the brief help (ipsec -?), a man page describes the command syntax and options in detail (man ipsec). The ipsec command options are discussed in the following sections.

Format

>>---ipsec----| Primary Option |--| Global Option |------------><

Primary Option

|--+- -f-| IP Filter Option |--| Stackname Option |--------------+--|
   +- -F-| Defensive Filter Option |--| Target Option |----------+   
   +- -m-| Manual Tunnel Option |--| Stackname Option |----------+   
   +- -k-| IKE Tunnel Option |--| Stackname Option |-------------+   
   +- -y-| Dynamic Tunnel Option |--| Stackname Option |---------+   
   +- -i-| Interface Option |--| Stackname Option |--------------+   
   +- -t-| IP Traffic Test Option |--| Stackname Option |--------+   
   +- -o-| NATT Port Translation Option |--| Stackname Option |--+   
   +- -w-| IKED Network Security Option |------------------------+   
   +- -x-| Network Security Server Option |-+------------------+-+   
   |                                        '- -z nsclientname-' |   
   '- -?---------------------------------------------------------'   

Global Option

        .- 3----------.   
|-- -d--+-------------+-----------------------------------------|
        '- debuglevel-'   

Stackname Option

|--+- -p stackname----+-----------------------------------------|
   '- -z nsclientname-'   

Target Option

|--+- -p stackname-+--------------------------------------------|
   '- -G-----------'   

IP Filter Option

              .- -r detail------.  .- -c current------.                     
|--+-display--+-----------------+--+------------------+--| Filter Sel |-+--|
   |          '- -r--+-short--+-'  '- -c--+-current-+-'                 |   
   |                 +-detail-+           +-policy--+                   |   
   |                 '-wide---'           '-profile-'                   |   
   +-default------------------------------------------------------------+   
   '-reload-------------------------------------------------------------'   

Filter Selection

|--+------------------------------+--+-----+--------------------|
   |      .---------.             |  '- -h-'   
   |      V         |             |            
   +- -a----+-Ynn-+-+-------------+            
   |        '-Mnn-'               |            
   |      .------------------.    |            
   |      V                  |    |            
   +- -n----IpFilterRuleName-+----+            
   |      .---------------------. |            
   |      V                     | |            
   +- -N----DefensiveFilterName-+-+            
   |      .-------------------.   |            
   |      V                   |   |            
   '- -g----IpFilterGroupName-+---'            

Defensive Filter Option

              .- -r detail------.                                           
|--+-display--+-----------------+--+------------------------------+-----+--|
   |          '- -r--+-short--+-'  |      .---------------------. |     |   
   |                 +-detail-+    |      V                     | |     |   
   |                 '-wide---'    '- -N----DefensiveFilterName-+-'     |   
   +-add--| Defensive Filter Spec |-- -N--DefensiveFilterName-----------+   
   +-update--| Defensive Filter Update Spec |-- -N--DefensiveFilterName-+   
   '-delete-- -N--+-all---------------------+---------------------------'   
                  | .---------------------. |                               
                  | V                     | |                               
                  '---DefensiveFilterName-+-'                               

Defensive Filter Specification

   .-srcip--all------------------------.  .-destip--all------------------------.   
|--+-----------------------------------+--+------------------------------------+-->
   '-srcip--+-ipaddress--------------+-'  '-destip--+-ipaddress--------------+-'   
            +-ipaddress/prefixLength-+              +-ipaddress/prefixLength-+     
            '-all--------------------'              '-all--------------------'     

   .-prot--all-----------------------------------.   
>--+---------------------------------------------+-------------->
   '-prot--+-+-tcp-+--| PortSpecification |----+-'   
           | '-6---'                           |     
           +-+-udp-+--| PortSpecification |----+     
           | '-17--'                           |     
           +-+-icmp-+--| IcmpSpecification |---+     
           | '-1----'                          |     
           +-+-icmpv6-+--| IcmpSpecification |-+     
           | '-58-----'                        |     
           +-igmp------------------------------+     
           +-ospf------------------------------+     
           +-opaque----------------------------+     
           +-n---------------------------------+     
           '-all-------------------------------'     

   .-dir--inbound------.   
>--+-------------------+---------------------------------------->
   '-dir--+-outbound-+-'   
          '-inbound--'     

   .-routing--local---------------------------------.   
>--+------------------------------------------------+----------->
   '-routing--+-local-----------------------------+-'   
              +-routed--| FragmentSpecification |-+     
              '-either----------------------------'     

   .-mode--block--------.  .-log--yes-----.   
>--+--------------------+--+--------------+--------------------->
   '-mode--+-block----+-'  '-log--+-yes-+-'   
           '-simulate-'           '-no--'     

   .-loglimit--value_of_DMD_configuration_DefaultLogLimit_parameter-.   
>--+----------------------------------------------------------------+-->
   '-loglimit--+-0-+------------------------------------------------'   
               '-n-'                                                    

   .-lifetime--30-------.   
>--+--------------------+---------------------------------------|
   '-lifetime--lifetime-'   

PortSpecification

   .-srcport--all------.  .-destport--all------.   
|--+-------------------+--+--------------------+----------------|
   '-srcport--+-n----+-'  '-destport--+-n----+-'   
              +-n--m-+                +-n--m-+     
              '-all--'                '-all--'     

IcmpSpecification

   .-type--all-----.  .-code--all-----.   
|--+---------------+--+---------------+-------------------------|
   '-type--+-n---+-'  '-code--+-n---+-'   
           '-all-'            '-all-'     

FragmentSpecification

   .-fragmentsonly--no------.   
|--+------------------------+-----------------------------------|
   '-fragmentsonly--+-no--+-'   
                    '-yes-'     

Defensive Filter Update Specification

|--+--------------------+--+--------------------+--+--------------+--+-----------------+--|
   '-mode--+-block----+-'  '-lifetime--lifetime-'  '-log--+-yes-+-'  '-loglimit--+-0-+-'   
           '-simulate-'                                   '-no--'                '-n-'     
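The following Python module is an added example, not IBM code. It builds the argv for ipsec -F add and ipsec -F update from the Defensive Filter Specification, Defensive Filter Update Specification and Target Option diagrams above, and rejects keyword combinations those diagrams do not allow: a port specification with anything other than tcp/udp, an ICMP type or code with anything other than icmp/icmpv6, fragmentsonly without routing routed, and -p together with -G. The port and ICMP range checks are basic sanity checks added here, not limits the page states; the filter names, addresses and the stack name TCPIP in the usage are constructed.

```python
"""Build ipsec -F add / update command lines for z/OS defensive filters (added example)."""
from __future__ import annotations

import ipaddress
from typing import Callable, Optional, Tuple, Union

Port = Union[int, Tuple[int, int], str]  # n, (n, m) range, or "all"

PORT_PROTOCOLS = {"tcp", "6", "udp", "17"}      # take a PortSpecification
ICMP_PROTOCOLS = {"icmp", "1", "icmpv6", "58"}  # take an IcmpSpecification
OTHER_PROTOCOLS = {"igmp", "ospf", "opaque", "all"}


def _target(stack: Optional[str], global_scope: bool) -> list[str]:
    """Target Option: -p stackname or -G (DMD, global scope), never both. -z is not valid with -F."""
    if stack is not None and global_scope:
        raise ValueError("specify either -p stackname or -G, not both")
    if global_scope:
        return ["-G"]
    return ["-p", stack] if stack is not None else []


def _choice(keyword: str, value: str, allowed: set) -> list[str]:
    if value not in allowed:
        raise ValueError(f"{keyword} must be one of {sorted(allowed)}, not {value!r}")
    return [keyword, value]


def _ip_or_all(keyword: str, value: str) -> list[str]:
    if value != "all":
        ipaddress.ip_network(value, strict=False)  # ipaddress or ipaddress/prefixLength
    return [keyword, value]


def _port(keyword: str, value: Port) -> list[str]:
    if value == "all":
        return [keyword, "all"]
    ports = tuple(value) if isinstance(value, tuple) else (value,)  # "n" or "n m"
    if any(not 0 <= int(p) <= 65535 for p in ports):
        raise ValueError(f"{keyword}: port out of range in {ports}")
    if len(ports) == 2 and ports[0] > ports[1]:
        raise ValueError(f"{keyword}: range {ports} is reversed")
    return [keyword, *map(str, ports)]


def _icmp(keyword: str, value: Union[int, str]) -> list[str]:
    if value != "all" and not 0 <= int(value) <= 255:
        raise ValueError(f"{keyword}: {value} out of range")
    return [keyword, str(value)]


def defensive_filter_add(name: str, *, srcip: str = "all", destip: str = "all",
                         prot: Union[int, str] = "all",
                         srcport: Port = "all", destport: Port = "all",
                         icmp_type: Union[int, str] = "all", icmp_code: Union[int, str] = "all",
                         direction: str = "inbound", routing: str = "local",
                         fragmentsonly: Optional[bool] = None, mode: str = "block",
                         log: bool = True, loglimit: Optional[int] = None,
                         lifetime: Optional[int] = None, stack: Optional[str] = None,
                         global_scope: bool = False) -> list[str]:
    """argv for 'ipsec -F add <spec> -N name [-p stack | -G]'; defaults are written out explicitly."""
    if not name:
        raise ValueError("a defensive filter name (-N) is required; names are case sensitive")
    p = str(prot)
    spec = [*_ip_or_all("srcip", srcip), *_ip_or_all("destip", destip), "prot", p]
    has_ports = srcport != "all" or destport != "all"
    has_icmp = icmp_type != "all" or icmp_code != "all"
    if p in PORT_PROTOCOLS:
        if has_icmp:
            raise ValueError(f"prot {p} takes srcport/destport, not type/code")
        spec += [*_port("srcport", srcport), *_port("destport", destport)]
    elif p in ICMP_PROTOCOLS:
        if has_ports:
            raise ValueError(f"prot {p} takes type/code, not srcport/destport")
        spec += [*_icmp("type", icmp_type), *_icmp("code", icmp_code)]
    else:
        if p not in OTHER_PROTOCOLS and not p.isdigit():
            raise ValueError(f"unknown prot {p!r}")
        if has_ports or has_icmp:
            raise ValueError(f"prot {p} takes neither a port nor an ICMP specification")
    spec += _choice("dir", direction, {"inbound", "outbound"})
    spec += _choice("routing", routing, {"local", "routed", "either"})
    if fragmentsonly is not None:
        if routing != "routed":
            raise ValueError("fragmentsonly applies only to routing routed")
        spec += ["fragmentsonly", "yes" if fragmentsonly else "no"]
    spec += _choice("mode", mode, {"block", "simulate"}) + ["log", "yes" if log else "no"]
    if loglimit is not None:
        if loglimit < 0:
            raise ValueError("loglimit must be 0 or a positive count")
        spec += ["loglimit", str(loglimit)]
    if lifetime is not None:
        if lifetime <= 0:
            raise ValueError("lifetime must be positive")
        spec += ["lifetime", str(lifetime)]
    return ["ipsec", "-F", "add", *spec, "-N", name, *_target(stack, global_scope)]


def defensive_filter_update(name: str, *, mode: Optional[str] = None, lifetime: Optional[int] = None,
                            log: Optional[bool] = None, loglimit: Optional[int] = None,
                            stack: Optional[str] = None, global_scope: bool = False) -> list[str]:
    """argv for 'ipsec -F update <update spec> -N name [-p stack | -G]'."""
    spec: list[str] = []
    if mode is not None:
        spec += _choice("mode", mode, {"block", "simulate"})
    if lifetime is not None:
        spec += ["lifetime", str(lifetime)]
    if log is not None:
        spec += ["log", "yes" if log else "no"]
    if loglimit is not None:
        spec += ["loglimit", str(loglimit)]
    if not spec:  # design choice: an update that changes nothing is almost always a scripting error
        raise ValueError("an update must set at least one of mode, lifetime, log, loglimit")
    return ["ipsec", "-F", "update", *spec, "-N", name, *_target(stack, global_scope)]


def build_error(fn: Callable[..., list[str]], *args, **kwargs) -> Optional[str]:
    """None when the command builds, otherwise the validation message (useful for dry runs)."""
    try:
        fn(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Usage (constructed values): block inbound SSH from one scanner on stack TCPIP for 60 units.
    print(" ".join(defensive_filter_add("BlockScanner", srcip="192.0.2.10", prot="tcp",
                                        destport=22, lifetime=60, stack="TCPIP")))
```

Because a defensive filter is added during an incident, the builder writes every keyword out rather than relying on defaults, so the exact filter that was installed appears in the shell history and in whatever ticket the argv is pasted into. Start with mode simulate when the traffic description is uncertain; it logs what would have been blocked without dropping it.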

Manual Tunnel Option

              .- -r detail------.                         
|--+-display--+-----------------+--| Man Tunnel Sel |-+---------|
   |          '- -r--+-short--+-'                     |   
   |                 +-detail-+                       |   
   |                 '-wide---'                       |   
   +-activate--| Man Tunnel Sel |---------------------+   
   '-deactivate--+-| Man Tunnel Sel |-+---------------'   
                 '- -a all------------'                   

Man Tunnel Selection

          .-,---.                    
          V     |                    
|--+- -a----Mnn-+----------------+------------------------------|
   |      .-,------------------. |   
   |      V                    | |   
   '- -n----IpManVpnActionName-+-'   

IKE Tunnel Option

              .- -r detail------.  .- -c current------.                                  
|--+-display--+-----------------+--+------------------+--| IKE Tunnel Sel |--+-----+-+--|
   |          '- -r--+-short--+-'  '- -c--+-current-+-'                      '- -e-' |   
   |                 +-detail-+           '-all-----'                                |   
   |                 '-wide---'                                                      |   
   +-deactivate--+-| IKE Tunnel Sel2 |-+---------------------------------------------+   
   |             '- -a all-------------'                                             |   
   '-refresh--| IKE Tunnel Sel2 |----------------------------------------------------'   

IKE Tunnel Selection

          .-,---.                     
          V     |                     
|--+- -a----Knn-+-----------------+-----------------------------|
   |      .-,-------------------. |   
   |      V                     | |   
   '- -n----KeyExchangeRuleName-+-'   

IKE Tunnel Selection2

          .-,---.     
          V     |     
|---- -a----Knn-+-----------------------------------------------|

Dynamic Tunnel Option

              .- -r detail------.  .- -c current------.                                  
|--+-display--+-----------------+--+------------------+--+-------------------------+-+--|
   |          '- -r--+-short--+-'  '- -c--+-current-+-'  +- -b--| Dyn Tunnel Sel |-+ |   
   |                 +-detail-+           '-all-----'    '- -s---------------------' |   
   |                 '-wide---'                                                      |   
   |             .-,-------------------.                                             |   
   |             V                     |                                             |   
   +-activate -l---LocalDynVpnRuleName-+---------------------------------------------+   
   +-deactivate--+-| Dyn Tunnel Sel2 |-+---------------------------------------------+   
   |             '- -a all-------------'                                             |   
   '-refresh--| Dyn Tunnel Sel2 |----------------------------------------------------'   

Dyn Tunnel Selection

          .-,-------.                 
          V         |                 
|--+- -a -----Ynn---+-------------+-----------------------------|
   |      .-,------------------.  |   
   |      V                    |  |   
   +- -n ---IpDynVpnActionName-+--+   
   |      .-,-------------------. |   
   |      V                     | |   
   '- -l ---LocalDynVpnRuleName-+-'   

Dyn Tunnel Selection2

          .-,-------.                 
          V         |                 
|--+- -a -----Ynn---+-------------+-----------------------------|
   |      .-,-------------------. |   
   |      V                     | |   
   '- -l ---LocalDynVpnRuleName-+-'   

Interface Option

             .- -r detail------.   
|-- display--+-----------------+--------------------------------|
             '- -r--+-short--+-'   
                    +-detail-+     
                    '-wide---'     

IP Traffic Test Option

                                                    .-out--------------.  .- -r detail------.   
|--SrcIpAddr--DestIpAddr--+-tcp SrcPort DestPort-+--+------------------+--+-----------------+--|
                          +-udp SrcPort DestPort-+  +-in SecurityClass-+  '- -r--+-short--+-'   
                          +-icmp-----------------+  '-out--------------'         +-detail-+     
                          +-icmpv6---------------+                               '-wide---'     
                          +-igmp-----------------+                                              
                          +-ipip-----------------+                                              
                          +-ah-------------------+                                              
                          +-esp------------------+                                              
                          +-ospf-----------------+                                              
                          '-n--------------------'                                              

NATT Port Translation Option

            .- -r detail------.                                             
|--display--+-----------------+--+----------------+--+------------------+--|
            '- -r -+-short--+-'  '- -q -rmtIpAddr-'  |      .-,-------. |   
                   +-detail-+                        |      V         | |   
                   '-wide---'                        '- -u ---rmtPort-+-'   

IKED Network Security Option

            .- -r detail------.   
|--display--+-----------------+---------------------------------|
            '- -r -+-short--+-'   
                   +-detail-+     
                   '-wide---'     

Network Security Server Option

            .- -r detail------.   
|--display--+-----------------+---------------------------------|
            '- -r -+-short--+-'   
                   +-detail-+     
                   '-wide---'