Refreshing Security Associations

When a Security Association is refreshed, the encryption keys change. Refreshing a Security Association periodically limits how much traffic any one key protects and how long a key remains useful to an attacker who has obtained it; it does not by itself prevent a key from being compromised. Phase 1 and phase 2 Security Associations are refreshed automatically, based on the lifetime (elapsed time) or lifesize (volume of traffic) that was configured locally for IKEv2 or negotiated between the two IKE peers for IKEv1. When a lifetime expiration causes an IKEv2 phase 1 Security Association to refresh, the encryption key changes but the peer is not reauthenticated: the rekey exchange does not repeat the authentication exchange, which reduces CPU cost. An IKEv2 peer is therefore reauthenticated only when the refresh is requested explicitly from the command line (described below).

Tip: For phase 1, the lifetime and lifesize parameters are specified in the KeyExchangeOffer statement of the IP security policy configuration. For phase 2, they are specified in the IpDataOffer statement.
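The fragment below is an added illustration of where these refresh parameters sit; it is not taken from this page or from a shipped z/OS sample. The statement names are real, but the parameter names (RefreshLifetimeProposed, RefreshLifetimeAccepted, RefreshLifesizeProposed, RefreshLifesizeAccepted, ReauthInterval), their units, and the accepted keyword values are written from memory of the IPSec policy syntax and must be checked against the z/OS Communications Server IP Configuration Reference before use; the offer names and the numeric values are illustrative assumptions.

```text
# Illustrative IP security policy fragment (added example; verify every
# parameter name, unit and keyword against the IP Configuration Reference).

# Phase 1: the IKE Security Association. Refresh parameters live here.
KeyExchangeOffer  PhaseOneOffer          # hypothetical offer name
{
  HowToEncrypt          AES_CBC KeyLength 256
  HowToAuthMsgs         SHA1               # substitute a SHA-2 value if supported
  HowToAuthPeers        RsaSignature
  DHGroup               Group14
  # Elapsed-time limit, in minutes. For IKEv2 the proposed value is used as
  # configured; for IKEv1 the peers negotiate within the Accepted range.
  RefreshLifetimeProposed   480
  RefreshLifetimeAccepted   240 1440
  # Traffic-volume limit for the IKE SA; "none" disables size-based refresh.
  RefreshLifesizeProposed   none
  RefreshLifesizeAccepted   none
  # IKEv2 only (assumed parameter): a lifetime refresh rekeys without
  # reauthenticating, so a separate interval, in minutes, forces periodic
  # reauthentication of the peer instead of relying on manual refreshes.
  ReauthInterval            1440
}

# Phase 2: the IPsec Security Association that protects the data traffic.
IpDataOffer  PhaseTwoOffer                # hypothetical offer name
{
  HowToEncap            Tunnel
  HowToEncrypt          AES_CBC KeyLength 256
  HowToAuth             ESP HMAC_SHA1      # substitute a SHA-2 value if supported
  Pfs                   Group14
  # Phase 2 keys cover bulk traffic, so refresh on time (minutes) or on volume
  # (kilobytes, unit as recalled), whichever limit is reached first.
  RefreshLifetimeProposed   120
  RefreshLifetimeAccepted   60 240
  RefreshLifesizeProposed   1000000
  RefreshLifesizeAccepted   500000 none
}
```

The design point is that phase 2 limits are tighter than phase 1 limits: a phase 2 key sees far more traffic, so it is rotated more often, while the phase 1 SA is refreshed less frequently and, for IKEv2, reauthenticated on its own schedule rather than only when an operator intervenes.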

You can also refresh Security Associations from the z/OS® UNIX command line with the ipsec command (the -k refresh operation for a phase 1 Security Association and the -y refresh operation for a phase 2 Security Association), but this should be necessary only in exceptional conditions, because the IKE daemon normally refreshes the keys at the configured intervals. Exceptional conditions include a suspected compromise of a key and the failure to receive an informational IKE message from a remote host (for example, a delete notification that never arrived, leaving a stale Security Association on this side). For both IKEv1 and IKEv2, a phase 1 refresh from the z/OS UNIX command line performs both reauthentication and rekeying, unlike the automatic IKEv2 lifetime refresh, which only rekeys; this makes the command-line refresh the appropriate response when the identity of the peer, and not only the session key, is in doubt.