Sysplex Autonomics for IPSec

z/OS V2R4 with APAR PH12788 enhances the sysplex autonomics function to monitor IPsec infrastructure. You can request that sysplex autonomics delay a TCP/IP stack from joining a sysplex group until the IPsec infrastructure is active. You can also request that sysplex autonomics monitor the IPsec infrastructure after the stack has joined the sysplex group. If monitoring the IPsec infrastructure is enabled, you are alerted with new messages when the IPsec infrastructure is not operational. You can optionally configure the TCP/IP stack to also take a recovery action and leave the sysplex when it detects that the IPsec infrastructure is not active. This allows a backup TCP/IP stack to take over DVIPAs from the system that left the sysplex.

Restrictions:
  • Monitoring of the IPsec infrastructure can be enabled only for a TCP/IP stack that is using sysplex-wide security associations (SWSA) and has the DVIPSEC parameter configured on the IPSEC statement in the TCP/IP profile.
  • While the EZBDVIPA coupling facility structure is required for IPsec sysplex-wide security associations (SWSA), the ability of the TCP/IP stack to connect to or access the EZBDVIPA structure is not monitored by sysplex autonomics for IPsec. A failure related to the EZBDVIPA structure would typically be sysplex-wide. It would not be beneficial for a TCP/IP stack to leave the sysplex for a sysplex-wide failure.
  • In IPsec configurations where both a primary and backup NSSD are configured for certificate services, no monitoring of the IKED connection to NSSD is done after the TCP/IP stack joins the sysplex. See the IP Configuration Guide “Sysplex Autonomics for IPsec infrastructure” for additional information.
Incompatibilities:
  • If your IPsec infrastructure includes the Network Security Services daemon (NSSD), and the IKED to NSSD connection uses a DVIPA as the source or destination IP address, the sysplex autonomics IPsec infrastructure monitoring function should not be enabled.
  • If you use a centralized Policy Agent server for IPsec or AT-TLS policy, and the connection from the policy client to the policy server uses a DVIPA as the source or destination IP address, the sysplex autonomics IPsec infrastructure monitoring function should not be enabled.
Note: With APAR PH16303, you can configure this function in Network Configuration Assistant (NCA).

To enable Sysplex Autonomics for IPSec, perform the tasks in Table 1.

Table 1. Sysplex Autonomics for IPSec

Task/Procedure: Enable monitoring of the IPsec infrastructure by sysplex autonomics with the GLOBALCONFIG SYSPLEXMONITOR sub-parameters DELAYJOINIPSEC and MONIPSEC.

Task/Procedure: Display the sysplex autonomics configuration settings.
Reference: Netstat CONFIG/-f report in z/OS Communications Server: IP System Administrator's Commands

Task/Procedure: (Optional) Configure the NoKeyring parameter on the IkeConfig statement in the IKE configuration file, if appropriate. If an IKE key ring is not explicitly configured, the Keyring parameter defaults to iked/keyring. If there is no key ring for IKED to process, you can specify NoKeyring.
Reference: IkeConfig statement in z/OS Communications Server: IP Configuration Reference

Task/Procedure: Display the IKED configuration parameters.
Reference: MODIFY command: IKE server in z/OS Communications Server: IP System Administrator's Commands
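The fragments below are an added example, not taken from the z/OS Communications Server documentation, showing how the Table 1 tasks fit together for one stack: the SYSPLEXMONITOR sub-parameters in the TCP/IP profile, the DVIPSEC parameter on the IPSEC statement that the restriction above requires, the IkeConfig NoKeyring option in the IKE configuration file, and the display commands used to confirm what is in effect. The procedure names (TCPIP, IKED), the file path, the omitted IPSECRULE statements, and the decision that this IKED uses no key ring are assumptions for the example; DELAYJOIN, RECOVERY and AUTOREJOIN are pre-existing SYSPLEXMONITOR sub-parameters shown for context, not part of this enhancement. Check the syntax diagrams in the IP Configuration Reference for your release before using any of it.

```text
; ---- TCP/IP profile (PROFILE.TCPIP) of the stack to be monitored ----
; ---- profile comments begin with ';'                               ----
GLOBALCONFIG
  SYSPLEXMONITOR
    DELAYJOIN          ; existing: do not join the sysplex group until OMPROUTE is active
    DELAYJOINIPSEC     ; new: also wait until the IPsec infrastructure is active
    MONIPSEC           ; new: keep monitoring the IPsec infrastructure after the join
    RECOVERY           ; take the recovery action (leave the sysplex) on a detected failure,
                       ; so a backup stack can take over this stack's DVIPAs
    AUTOREJOIN         ; rejoin automatically once the problem clears

; SWSA must be in use: DVIPSEC on the IPSEC statement is required for MONIPSEC/DELAYJOINIPSEC.
IPSEC DVIPSEC
  ; IPSECRULE statements for this stack go here (omitted in this example)
ENDIPSEC

# ---- IKE daemon configuration, e.g. /etc/security/iked.conf ('#' comments) ----
IkeConfig
{
  IkeSyslogLevel    1
  PagentSyslogLevel 0
  # Keyring defaults to iked/keyring when not coded. This example IKED has
  # no key ring to process (no certificate-based authentication), so say so
  # explicitly instead of relying on the default.
  NoKeyring
}

---- Confirm the result from the operator console or a z/OS UNIX shell ----
D TCPIP,TCPIP,NETSTAT,CONFIG      (console form of the Netstat CONFIG report; shows the SYSPLEXMONITOR settings in effect)
netstat -f -p TCPIP               (z/OS UNIX form of the same report)
F IKED,DISPLAY                    (MODIFY command to the IKE server; shows the IKED configuration parameters, including the key ring setting)
```

Keep the two incompatibilities above in mind when reviewing the result: if the IKED-to-NSSD connection or the Policy Agent client-to-server connection uses a DVIPA as either endpoint, the DELAYJOINIPSEC and MONIPSEC sub-parameters should be left off.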