Sysplex-Wide Security Associations
To enable Sysplex-Wide Security Associations (SWSA) on a stack that has IP security enabled, add the DVIPSEC parameter in the IPSEC statement block of the TCP/IP profile.
To take advantage of the functions described here, you must add the DVIPSEC parameter to the primary stack that owns a DVIPA and to all backup TCP/IP stacks. It is not necessary to add the DVIPSEC parameter to hosts that serve only as targets for sysplex distributor.
For more information about configuring SWSA, see Sysplex-Wide Security Associations and IP security in this document, and IPSEC statement in z/OS Communications Server: IP Configuration Reference.
SWSA also requires the use of a coupling facility structure with a name in the form EZBDVIPAvvtt, where vv is the 2-digit VTAM® group ID suffix specified on the XCFGRPID start option, and tt is the TCP group ID suffix specified on the GLOBALCONFIG statement in the TCP/IP profile. If no VTAM group ID suffix is specified, but a TCP/IP group ID suffix is specified, vv is 01. If no TCP/IP group ID suffix is specified, but a VTAM group ID suffix is specified, tt is not present. If neither group ID suffix is specified, both vv and tt are not present. For information about setting up the sysplex environment and the use of the EZBDVIPAvvtt coupling facility structure, see z/OS Communications Server: SNA Network Implementation Guide.
Dynamic IPSec security associations (SA), negotiated by IKE, can use a DVIPA address as the SA endpoint. Manually configured SAs are not supported by SWSA. For more information on IPSec, see IP security.
- DVIPA takeover
- Sysplex distributor
For information on diagnosing SWSA problems, see z/OS Communications Server: IP Diagnosis Guide.