Step 5: Authorizing IP security to ICSF (optional)
IP security can take advantage of the encryption and decryption functions that are available on System z® hardware in the following ways:
- Encrypting and decrypting TCP/IP packet data in an IPSec tunnel.
- Encrypting signature data included as part of IKE message flows. This encryption is performed only when digital signature authentication is requested.
This encryption support is provided by the combination of the Integrated Cryptographic Feature (ICRF) on the processor and the Integrated Cryptographic Service Facility/MVS™ (ICSF) software product. ICSF provides cryptography support through various cryptographic hardware features. The cryptographic features that are available to your applications depend on your processor or server model. For information about which features are available on your hardware, see the information about callable service support by hardware configuration in z/OS Cryptographic Services ICSF Overview.
To use this support, ICSF must be started and running. Preferably, start ICSF prior to starting TCP/IP. However, it can also be started when TCP/IP is active. For details on configuring ICSF, see z/OS Cryptographic Services ICSF Administrator's Guide. ICSF provides SAF controls that you can optionally use to restrict access to these cryptographic services. To view a sample procedure for generating the corresponding SAF profiles for various CSFSERV services, see the Cryptographic Services Authorization section of the EZARACF sample in the SEZAINST data set.
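The following TSO CLIST fragment is an added example, not taken from the z/OS documentation or from the EZARACF sample, showing the shape of the SAF controls described above: CSFSERV profiles for a few ICSF callable services are defined with no default access, and only the user IDs under which the TCP/IP stack and the IKE daemon run are permitted to them. The service names are real ICSF CSFSERV resource names, but the user IDs TCPIP and IKED and the choice of services are assumptions; the authoritative set of profiles for your configuration is the one generated by the EZARACF sample.

```clist
/* Added example: restrict ICSF callable services to the TCP/IP      */
/* stack and the IKE daemon. The user IDs TCPIP and IKED and the     */
/* set of services shown are assumptions; use the EZARACF sample     */
/* for the profiles that match your release and configuration.      */

/* Activate the CSFSERV class so that ICSF enforces the profiles    */
SETROPTS CLASSACT(CSFSERV) RACLIST(CSFSERV)

/* Encipher/decipher services: only the TCP/IP stack needs them     */
/* for IPSec tunnel packet data. UACC(NONE) denies everyone else.   */
RDEFINE CSFSERV CSFENC UACC(NONE)
RDEFINE CSFSERV CSFDEC UACC(NONE)
PERMIT CSFENC CLASS(CSFSERV) ID(TCPIP) ACCESS(READ)
PERMIT CSFDEC CLASS(CSFSERV) ID(TCPIP) ACCESS(READ)

/* Digital signature generate/verify: only the IKE daemon needs     */
/* them, and only when signature authentication is configured.      */
RDEFINE CSFSERV CSFDSG UACC(NONE)
RDEFINE CSFSERV CSFDSV UACC(NONE)
PERMIT CSFDSG CLASS(CSFSERV) ID(IKED) ACCESS(READ)
PERMIT CSFDSV CLASS(CSFSERV) ID(IKED) ACCESS(READ)

/* Refresh the in-storage copy so the new profiles take effect      */
SETROPTS RACLIST(CSFSERV) REFRESH
```

After the refresh, any address space other than the permitted user IDs that calls these services receives an ICSF authorization failure, which is the expected least-privilege outcome and a useful signal in SMF/RACF audit records.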