Question & Answer
Question
We're having difficulty locating the instructions for implementing RSA signature authentication for IPSec.
Answer
How you implement RSA signature authentication depends first on whether you are hard-coding your IPSec configuration or whether you are using IBM Configuration Assistant for z/OS Communications Server to generate your IPSec configuration.
Hard-coding your IPSec Configuration
The parameters you specify to implement RSA signature authentication when hard-coding your IPSec configuration depend on whether your negotiation uses IKE version 1 (IKEv1) or IKE version 2 (IKEv2).
When negotiating using IKE version 1, the authentication method used in both directions is determined by the HowToAuthPeers parameter on the KeyExchangeOffer statement.
When negotiating using IKE version 2, the IKE peers may choose different authentication methods. If you are negotiating using IKE version 2, the HowToAuthPeers parameter is ignored, and instead the HowToAuthMe parameter on the KeyExchangeAction statement determines the authentication method that the IKE daemon (IKED) uses for its local identity.
If you are using IKE version 1, implement RSA signature authentication by specifying HowToAuthPeers RsaSignature on the KeyExchangeOffer statement.
If you are using IKE version 2, implement RSA signature authentication by specifying HowToAuthMe RsaSignature on the KeyExchangeAction statement.
Using Configuration Assistant for z/OS Communications Server
For IKEv2, set the authentication method to RSA signature for each connectivity rule in the additional IKEv2 options of the remote security endpoint panel. The Configuration Assistant is available as a task in IBM z/OS Management Facility (z/OSMF).
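The following audit script is an added example, not IBM code or part of the original answer: it checks a hard-coded policy file for the two settings described above, HowToAuthPeers on each KeyExchangeOffer (IKEv1) and HowToAuthMe on each KeyExchangeAction (IKEv2). The statement labels, the PresharedKey value, `#` comment lines, and flat (non-nested) `{ }` blocks are assumptions, and the sample policy is constructed.

```python
import re

# Constructed sample policy text. Labels, the PresharedKey value, '#' comments
# and flat (non-nested) blocks are assumptions made for this example.
SAMPLE_POLICY = """
KeyExchangeOffer KEO_V1
{
  HowToAuthPeers RsaSignature
}
KeyExchangeOffer KEO_OLD
{
  HowToAuthPeers PresharedKey
}
KeyExchangeAction KEA_V2
{
  HowToAuthMe RsaSignature
}
KeyExchangeAction KEA_MISSING
{
  # HowToAuthMe RsaSignature   (commented out, so not in effect)
}
"""

# Parameter that sets the authentication method for each statement type:
# HowToAuthPeers applies to IKEv1, HowToAuthMe to IKEv2 (HowToAuthPeers is ignored there).
AUTH_PARAM = {"KeyExchangeOffer": "HowToAuthPeers", "KeyExchangeAction": "HowToAuthMe"}

BLOCK_RE = re.compile(
    r"^\s*(KeyExchangeOffer|KeyExchangeAction)\s+(\S+)\s*\{(.*?)\}", re.S | re.M)

def audit_rsa_signature(policy_text):
    """Return (statement, label, parameter, value-or-None, ok) for each block."""
    # Drop comments first so a commented-out parameter is not counted as set.
    text = re.sub(r"#.*", "", policy_text)
    findings = []
    for kind, label, body in BLOCK_RE.findall(text):
        param = AUTH_PARAM[kind]
        match = re.search(r"^\s*%s\s+(\S+)" % param, body, re.M | re.I)
        value = match.group(1) if match else None
        ok = value is not None and value.lower() == "rsasignature"
        findings.append((kind, label, param, value, ok))
    return findings

if __name__ == "__main__":
    for kind, label, param, value, ok in audit_rsa_signature(SAMPLE_POLICY):
        status = "OK" if ok else "CHECK"
        print(f"{status:5} {kind} {label}: {param} = {value or 'not set'}")
```

A KeyExchangeAction reported as CHECK matters only for IKEv2 negotiations, and a KeyExchangeOffer reported as CHECK only for IKEv1.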
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
22 July 2016
UID
dwa1289744