Steps for configuring the IKE daemon
The IKE daemon manages dynamic IPSec tunnels and provides a network management interface (NMI) for monitoring and controlling IP filtering and IPSec. Because the IKE daemon processes NMI monitoring requests, it must be running to gather monitoring data for IP filters, manual Security Associations, or dynamic Security Associations.
Procedure
Perform the following steps to configure the IKE daemon:
- Create the IKE daemon configuration file. A sample configuration file is provided in /usr/lpp/tcpip/samples/iked.conf.
The following search order is used by the IKE daemon to locate the configuration data set or file:
- If the environment variable IKED_FILE has been defined, the IKE daemon uses the value as the name of an MVS™ data set or z/OS® UNIX file to access the configuration data.
- /etc/security/iked.conf
You can specify statements in the configuration file using a variety of EBCDIC code pages. Use the IKED_CODEPAGE environment variable to specify the code page that you want to use. The default code page is IBM®-1047.
- Set the _BPX_JOBNAME environment variable (optional). When starting the IKE daemon from the z/OS shell, the environment variable _BPX_JOBNAME
should be set. This enables a specific job name to be used when reserving
ports for the IKE daemon. This name can also be used with the STOP
or MODIFY console commands.
For more information on _BPX_JOBNAME, see z/OS UNIX System Services Planning.
- Reserve the ports. Update the PORT statement
in PROFILE.TCPIP to reserve ports 500 and 4500 for the IKE daemon.
Add the name of the member containing the IKE daemon cataloged procedure
or the name as set using _BPX_JOBNAME:
PORT
     500 UDP IKED
    4500 UDP IKED
- Update the IKE daemon cataloged procedure. If the IKE daemon is to be started by a procedure, create the cataloged
procedure by copying the following sample in SEZAINST(IKED) to your
system or recognized PROCLIB. Specify IKE daemon parameters and change
the data set names to suit your local configuration.
//IKED     PROC
//*
//* IBM Communications Server for z/OS
//* SMP/E distribution name: EZBIKPRC
//*
//* 5650-ZOS Copyright IBM Corp. 2005, 2013
//* Licensed Materials - Property of IBM
//* "Restricted Materials of IBM"
//* Status = CSV2R1
//*
//*
//IKED     EXEC PGM=IKED,REGION=0K,TIME=NOLIMIT,
//         PARM='ENVAR("_CEE_ENVFILE_S=DD:STDENV")/'
//*
//* Provide environment variables to run with the desired
//* configuration. As an example, the data set or file specified by
//* STDENV could contain:
//*
//* IKED_FILE=/etc/security/iked.conf2
//* IKED_CTRACE_MEMBER=CTIIKE01
//* IKED_CODEPAGE=IBM-1047
//*
//*
//* If you want to include comments in the data set or
//* z/OS UNIX file, specify the _CEE_ENVFILE_COMMENT
//* environment variable as the first environment variable
//* in the data set or file. The value specified for
//* the _CEE_ENVFILE_COMMENT variable is the comment character.
//* For example, if you want to use the pound sign, #, as
//* the comment character, specify this as the first
//* statement:
//* _CEE_ENVFILE_COMMENT=#
//*
//* For information on the above environment variables, refer to the
//* IP Configuration Reference.
//*
//STDENV   DD DUMMY
//* Sample MVS data set containing environment variables:
//*STDENV   DD DSN=TCPIP.IKED.ENV(IKED),DISP=SHR
//* Sample HFS file containing environment variables:
//*STDENV   DD PATH='/etc/security/iked.env',PATHOPTS=(ORDONLY)
//*
//* Output written to stdout and stderr goes to the data set or
//* file specified with SYSPRINT or SYSOUT, respectively.
//SYSPRINT DD SYSOUT=*
//SYSOUT   DD SYSOUT=*
- Authorize the IKE daemon to the external security manager. See Step 3: Authorizing the IKE daemon to the external security manager.
- Configure and start syslogd. The IKE daemon
uses the local4 facility when writing messages to syslogd. For performance
purposes, syslogd should use z/OS File System as its underlying file system. For more information
on syslogd, see Configuring the syslog daemon.
Tip: The system logging daemon (syslogd) can be configured to forward messages from the IKE daemon to a syslogd on another host. For information about forwarding syslog messages to another host, see z/OS Communications Server: IP Configuration Reference. When a stack is configured as an NSS client, it can be advantageous to forward syslog messages from the IKE daemon to the syslogd running on the NSS server's system. Configuring syslogd in this manner allows all IKE messages relating to an NSS client to be in the same log file as the NSS server's messages.
- Update the IKE daemon environment variables
(optional). The following environment variables are used
by the IKE daemon and can be tailored to a particular installation:
- IKED_CODEPAGE
- Use the IKED_CODEPAGE variable to specify the EBCDIC code page to be used when reading the configuration file. For more information about IKE environment variables and the supported code pages, see z/OS Communications Server: IP Configuration Reference.
- IKED_CTRACE_MEMBER
- The IKED_CTRACE_MEMBER variable is used by the IKE daemon to locate a parmlib member for IKE daemon CTRACE customization. For more information on the TCP/IP services component trace for the IKE daemon, see z/OS Communications Server: IP Diagnosis Guide.
- IKED_FILE
- The IKED_FILE variable is used by the IKE daemon in the search order for the IKE daemon configuration file. For details on the search order used for locating this configuration file, see step 1.
- Set up the IKE daemon for TCP/IP stack initialization access control (optional). See Multiple TCP/IP stacks.
- Set up the IKE daemon for digital signature mode authentication (optional). See Step 6: Setting up the IKE daemon for digital signature authentication (optional).
- Define AT-TLS policy to protect communication with an NSS
server. The IKE daemon requires that communication between
the NSS server and the IKE daemon be secured using Application Transparent
Transport Layer Security (AT-TLS). If a stack is configured as an
NSS client, AT-TLS rules must be defined to secure this communication.
Enable AT-TLS processing for a stack by specifying the TTLS parameter
on the TCPCONFIG statement in the TCP/IP profile. Specific AT-TLS
policy is configured in Policy Agent configuration files. For details
about enabling AT-TLS and configuring AT-TLS policy, see Application Transparent Transport Layer Security data protection.
Tip: Define AT-TLS policy such that only cipher suites requiring TLS encryption are exchanged with the NSS server. Failure to restrict the cipher suites to those requiring encryption can result in sensitive information flowing in the clear across an untrusted network.
Rule: AT-TLS policy must be defined for each stack through which the IKE daemon communicates with the NSS server.
A sample AT-TLS policy is located in /usr/lpp/tcpip/samples/pagent_TTLS.conf.
Rule: The RemotePortRange value in the TTLSRule statement must include the value specified on the NetworkSecurityServer port parameter or the NetworkSecurityServerBackup port parameter in the IKE daemon configuration file.
- Define IP filter policy to enable communication with an
NSS server (optional). If a stack is configured as an
NSS client, IP filter policy for that stack must be defined to enable
this communication. The IKE daemon communicates with the NSS clients
using the TCP protocol. By default, the NSS server listens on port
4159. The IKE daemon connects to the NSS client using an ephemeral
port. Ephemeral ports are generally in the range 1024 – 65355.
Two types of IP filter policy can be defined for a z/OS stack:
- Default IP filter policy is defined in the TCP/IP profile. Updating
default IP filter policy to permit communications between the IKE
daemon and the NSS server is optional. Default IP filter policy is
in effect only when IP security filter policy cannot be loaded or
when the ipsec -f default command has been issued.
For details about how to define default IP filter policy, see z/OS Communications Server: IP Configuration Reference.
The following example of a default policy contains IPSECRule definitions that allow IKE daemon traffic with the NSS server:
IPSEC LOGENable
;          Rule  SrcAddr  DstAddr  Logging  Protocol  SrcPort  DestPort  Routing  Secclass
; OSPF protocol used by Omproute
IPSECRule     *        *        NOLOG    PROTO OSPF
; IGMP protocol used by Omproute
IPSECRule     *        *        NOLOG    PROTO 2
; DNS queries to UDP port 53
IPSECRule     *        *        NOLOG    PROTO UDP SRCPort * DESTport 53
; Administrative access
IPSECRule     *        9.1.1.2  LOG      SECCLASS 100
; IKE daemon access to the Network Security Server
IPSECRule     *        *        LOG      TCP SRCPort * DESTport 4159
; IKE daemon access to the Network Security Server
IPSEC6Rule    *        *        LOG      TCP SRCPort * DESTport 4159
ENDIPSEC
Rule: The DESTport value in the filter rules must include the value specified for the NetworkSecurityServer port parameter or the NetworkSecurityServerBackup port parameter in the IKE daemon configuration file.
- IP security filter policy is defined in Policy Agent configuration
files. IP security filter policy must be updated to permit communications
between the IKE daemon and the NSS server. For details about how to define IP security policy files, see z/OS Communications Server: IP Configuration Reference.
The following example shows an IpFilterRule statement for IPv4, an IpFilterRule statement for IPv6, and an IpGenericFilterAction statement that allow the IKE daemon to communicate with the NSS server:
IpFilterRule NssTrafficIPv4
{
  IpSourceAddr all4
  IpDestAddr   all4
  IpService
  {
    SourcePortRange      1024 65535
    DestinationPortRange 4159
    Protocol             tcp
    Direction            bidirectional OutboundConnect
    Routing              local
  }
  IpGenericFilterActionRef permit-nolog
}

IpFilterRule NssTrafficIPv6
{
  IpSourceAddr all6
  IpDestAddr   all6
  IpService
  {
    SourcePortRange      1024 65535
    DestinationPortRange 4159
    Protocol             tcp
    Direction            bidirectional InboundConnect
    Routing              local
  }
  IpGenericFilterActionRef permit-nolog
}

IpGenericFilterAction permit-nolog
{
  IpFilterAction  permit
  IpFilterLogging no
}
Rule: The DestinationPortRange value on the IpService statement must include the value specified on the NetworkSecurityServer port parameter or the NetworkSecurityServerBackup port parameter in the IKE daemon configuration file.
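The port Rules in this procedure (UDP 500 and 4500 reserved for the IKE daemon, the NSS server port covered by the default IPSECRule, by the IpService DestinationPortRange and by the TTLSRule RemotePortRange) are easy to get wrong one file at a time, so a practitioner typically wants a single offline check over all of them before the first IKE start. The following script is an added example and is not IBM code; it parses constructed fragments written in the syntax shown on this page and reports every Rule that does not hold. It assumes job name IKED, an NSS server port of 4159 (the NetworkSecurityServer port parameter of iked.conf, which the script does not read), and a TTLSRule fragment reduced to the RemotePortRange, Direction and TTLSGroupActionRef keywords; the Policy Agent parser handles only the brace-on-its-own-line layout used here.

```python
"""Offline checks for the port Rules in this procedure. Added example, not IBM
code: it parses constructed fragments in the syntax this page shows. Assumed:
job name IKED, NSS port 4159 (iked.conf NetworkSecurityServer port parameter),
and TTLSRule keywords RemotePortRange, Direction and TTLSGroupActionRef."""
import re

# Constructed sample inputs in the page's syntax (not from a live system).
PROFILE_TCPIP = """\
PORT
   500 UDP IKED
  4500 UDP IKED
"""
DEFAULT_POLICY = """\
IPSEC LOGENable
; IKE daemon access to the Network Security Server
IPSECRule  *  *  NOLOG  PROTO UDP SRCPort * DESTport 53
IPSECRule  *  *  LOG    PROTO TCP SRCPort * DESTport 4159
ENDIPSEC
"""
PAGENT_POLICY = """\
IpFilterRule NssTrafficIPv4
{
  IpSourceAddr all4
  IpDestAddr   all4
  IpService
  {
    SourcePortRange      1024 65535
    DestinationPortRange 4159
    Protocol             tcp
    Direction            bidirectional OutboundConnect
  }
  IpGenericFilterActionRef permit-nolog
}
IpGenericFilterAction permit-nolog
{
  IpFilterAction  permit
  IpFilterLogging no
}
TTLSRule IkedToNss
{
  RemotePortRange    4159
  Direction          Outbound
  TTLSGroupActionRef grpNss
}
"""

def ike_ports_reserved(profile, jobname="IKED"):
    """Reserve-the-ports step: UDP 500 and 4500 must be reserved for the IKE daemon."""
    res = {(int(p), proto.upper()): job.upper() for p, proto, job in
           re.findall(r"^\s*(\d+)\s+(TCP|UDP)\s+(\S+)", profile, re.I | re.M)}
    return all(res.get((p, "UDP")) == jobname.upper() for p in (500, 4500))

def default_policy_permits(policy, port, proto="TCP"):
    """True if an IPSECRule/IPSEC6Rule line matches port/proto (PROTO keyword optional)."""
    for line in policy.splitlines():
        m = re.match(r"\s*IPSEC6?Rule\b.*?\b(TCP|UDP)\b.*?DESTport\s+(\*|\d+)", line, re.I)
        if m and m.group(1).upper() == proto.upper() and m.group(2) in ("*", str(port)):
            return True
    return False

def parse_pagent(text):
    """Minimal Policy Agent brace-syntax parser: a header line followed by "{"
    becomes a nested dict keyed by the whole header; other lines map keyword -> tokens."""
    lines = [s for s in (l.split("#", 1)[0].strip() for l in text.splitlines()) if s]
    stack = [{}]
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line == "}":
            stack.pop()
        elif nxt == "{":                      # header line opens a block
            stack[-1][line] = block = {}
            stack.append(block)
        elif line != "{":
            key, *vals = line.split()
            stack[-1][key] = vals
    return stack[0]

def in_range(vals, port):
    """A PortRange value is one port or "low high"."""
    return int(vals[0]) <= port <= int(vals[-1])

def covers_nss(pol, hdr, nss_port):
    """Page Rules: RemotePortRange (TTLSRule) or DestinationPortRange (IpFilterRule)
    must include the NSS port; a filter rule must also be TCP and reference a permit action."""
    blk = pol[hdr]
    if hdr.startswith("TTLSRule"):
        return in_range(blk["RemotePortRange"], nss_port)
    svc = blk["IpService"]
    act = pol["IpGenericFilterAction " + blk["IpGenericFilterActionRef"][0]]
    return (in_range(svc["DestinationPortRange"], nss_port)
            and svc["Protocol"][0].lower() == "tcp"
            and act["IpFilterAction"][0].lower() == "permit")

def check_nss_path(profile, default_policy, pagent_text, nss_port=4159, jobname="IKED"):
    """Run every check; an empty list means all of the page's port Rules hold."""
    findings = []
    if not ike_ports_reserved(profile, jobname):
        findings.append("UDP ports 500/4500 are not reserved for " + jobname)
    if not default_policy_permits(default_policy, nss_port):
        findings.append("default IPSECRule does not permit TCP to port %d" % nss_port)
    pol = parse_pagent(pagent_text)
    for hdr in pol:
        if hdr.split()[0] in ("IpFilterRule", "TTLSRule") and not covers_nss(pol, hdr, nss_port):
            findings.append("%s does not cover NSS port %d" % (hdr, nss_port))
    return findings
```

Calling check_nss_path(PROFILE_TCPIP, DEFAULT_POLICY, PAGENT_POLICY) on the samples returns an empty list; changing DestinationPortRange or RemotePortRange to any value other than the NSS port, or reserving UDP 4500 under a different job name, produces one finding per broken Rule. The filter-rule check deliberately goes beyond the port range and also confirms the protocol is TCP and the referenced IpGenericFilterAction permits, since a rule that matches the port but logs-and-denies satisfies the letter of the Rule while still blocking the IKE daemon.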