Step 5: Authorizing IP security to 
ICSF
(optional)
IP security can take advantage of the encryption and decryption functions that are available on System z® hardware in the following ways:
- Encrypting and decrypting TCP/IP packet data in an IPSec tunnel.
- Encrypting signature data included as part of IKE message flows. This encryption is performed only when digital signature authentication is requested.
This encryption support is provided by the combination of the Integrated Cryptographic Feature (ICRF) on the processor and the Integrated Cryptographic Service Facility/MVS™ (ICSF) software product. ICSF
provides cryptography support through various cryptographic hardware
features. The cryptographic features that are available to your applications
depends on your processor or server model. For information about which
features are available on your hardware, see the information about
callable service support by hardware configuration in z/OS Cryptographic Services ICSF Overview.
To use this support, ICSF must be started and
running. Preferably, start ICSF prior to starting
TCP/IP. However, it can also be started when TCP/IP is active. For
details on configuring ICSF, see z/OS Cryptographic Services ICSF Administrator's Guide. ICSF provides SAF controls that you can
optionally use to restrict access to these cryptographic services.
To view a sample procedure for generating the corresponding SAF profiles
for various CSFSERV services, see the Cryptographic Services
Authorization section of the EZARACF sample in the SEZAINST
data set.
If you plan
to control access to the ICSF cryptographic support, TCP/IP must be
permitted to access the ICSF cryptographic services
(CSFSERV).users to these profiles. If
you do need to set up controls in the CSFSERV resource class, complete
the steps below to enable use of ICSF for IP security.