Sysplex-Wide Security Associations

To enable Sysplex-Wide Security Associations (SWSA) on a stack that has IP security enabled, add the DVIPSEC parameter in the IPSEC statement block of the TCP/IP profile.

To take advantage of the functions described here, you must add the DVIPSEC parameter to the primary stack that owns a DVIPA and to all backup TCP/IP stacks. It is not necessary to add the DVIPSEC parameter to hosts that serve only as targets for sysplex distributor.

You should add DVLOCALFLTR, a DVIPSEC subparameter, to the IPSEC statement block of the TCP/IP profile when intra-sysplex traffic should be protected by security associations. The DVLOCALFLTR parameter enables IP filtering and IPSec protection of TCP traffic between a client and an IPv4 dynamic VIPA that are defined on the same TCP/IP stack, when the traffic is forwarded to another TCP/IP stack.

Restriction: A security association cannot be negotiated if the source and destination IP addresses for client connections are the same dynamic VIPA. To help avoid this scenario, do not code a dynamic VIPA that can be used as a destination IP address on the TCPCONFIG TCPSTACKSOURCEVIPA or SRCIP statement in the TCP/IP profile.

For more information about configuring SWSA, see Sysplex-Wide Security Associations and IP security in this document, and IPSEC statement in z/OS Communications Server: IP Configuration Reference.

SWSA also requires the use of a coupling facility structure with a name in the form EZBDVIPAvvtt, where vv is the 2-digit VTAM® group ID suffix specified on the XCFGRPID start option, and tt is the TCP group ID suffix specified on the GLOBALCONFIG statement in the TCP/IP profile. If no VTAM group ID suffix is specified, but a TCP/IP group ID suffix is specified, vv is 01. If no TCP/IP group ID suffix is specified, but a VTAM group ID suffix is specified, tt is not present. If neither group ID suffix is specified, neither vv nor tt is present. For information about setting up the sysplex environment and the use of the EZBDVIPAvvtt coupling facility structure, see z/OS Communications Server: SNA Network Implementation Guide.
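The naming rules above are easy to get wrong when checking a CFRM policy against a stack's configuration. The following Python helper is an added example, not part of this document or of z/OS Communications Server; it derives the expected structure name from the two suffixes, covering all three cases. It assumes a suffix given as a single digit is zero-padded to two digits.

```python
# Added example: derive the EZBDVIPAvvtt coupling facility structure name
# that SWSA expects from the VTAM XCFGRPID start option suffix (vv) and the
# TCP/IP GLOBALCONFIG XCFGRPID suffix (tt), following the documented rules.

def _two_digits(suffix, label):
    """Normalise a group ID suffix to two digits; None means not specified.

    Assumption (not stated in the document): a one-digit value is zero-padded.
    """
    if suffix is None or suffix == "":
        return None
    text = str(suffix).strip()
    if not text.isdigit() or len(text) > 2:
        raise ValueError(f"{label} suffix must be 1-2 digits, got {suffix!r}")
    return text.zfill(2)


def swsa_structure_name(vtam_xcfgrpid=None, tcp_xcfgrpid=None):
    """Return the EZBDVIPAvvtt name for the given suffixes (None = unset)."""
    vv = _two_digits(vtam_xcfgrpid, "VTAM XCFGRPID")
    tt = _two_digits(tcp_xcfgrpid, "TCP/IP GLOBALCONFIG XCFGRPID")
    if vv is None and tt is None:
        return "EZBDVIPA"          # neither suffix: no vv and no tt
    if vv is None:
        vv = "01"                  # TCP/IP suffix only: vv defaults to 01
    if tt is None:
        return "EZBDVIPA" + vv     # VTAM suffix only: tt is not present
    return "EZBDVIPA" + vv + tt    # both suffixes present


if __name__ == "__main__":
    # Constructed sample values, not from any real sysplex.
    for vtam, tcp in [(None, None), ("11", "22"), (None, "22"), ("11", None)]:
        print(f"VTAM={vtam!s:<4} TCP={tcp!s:<4} -> {swsa_structure_name(vtam, tcp)}")
```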

Dynamic IPSec security associations (SA), negotiated by IKE, can use a DVIPA address as the SA endpoint. Manually configured SAs are not supported by SWSA. For more information on IPSec, see IP security.

When using SWSA, there are two possible configurations to consider:
  • DVIPA takeover
  • Sysplex distributor
To support IPSec in conjunction with DVIPA takeover and sysplex distributor, some IKE and IPSec configuration is required. Loss of access to the coupling facility is also discussed in the following subtopics.

For information on diagnosing SWSA problems, see z/OS Communications Server: IP Diagnosis Guide.