IPSec Network Management Interface Setup

Preparing the IBM Communications Server › IPSec Network Management Interface Setup

IPSec Network Management Interface Setup

If you use IPSec, you can use the IPSec Network Management Interface (IPSECNMI) of the product to monitor it. The interface requires the IKED daemon to be active.

IPSec Network Management Interface Security Requirements

The security requirements for the IPSec Network Management Interface are:

The user ID assigned to the SOLVE SSI address space must have:
- An OMVS segment defined
- Permission to enter the /var/sock directory
- Permission to write to the /var/sock/ipsecmgmt socket
If you use a SERVAUTH class SAF resource to restrict access to IPSec network management interface, the user ID assigned to the SOLVE SSI address space must be permitted to access to the resources:
```
EZB.NETMGMT.sysname.tcpipname.IPSEC.DISPLAY
EZB.NETMGMT.sysname.tcpipname.IPSEC.CONTROL
EZB.NETMGMT.sysname.sysname.IKED.DISPLAY
```
sysname

Specifies the system name where the interface is used.

tcpipname

Specifies the name of the TCP/IP stack.
If you don't use a SERVAUTH class SAF resource to restrict access to IPSec network management interface, the user ID assigned to the SOLVE SSI address space must be one of:
- An OMVS superuser
- Permitted to access to the FACILITY class SAF resource BPX.SUPERUSER.

Access problems to /var and EZB.NETMGMT.** are indicated by the presence of messages NIS58n in the SOLVE SSI log.

Examples: Setting EZB.NETMGMT.sysname.tcpipname.IPSEC.DISPLAY security

This example sets the security requirements in an CA ACF2 system:

SET RESOURCE(SER)
COMPILE
$KEY(EZB) TYPE(SER)
  NETMGMT.sysname.tcpipname.IPSEC.DISPLAY UID(uid) SERVICE(READ) ALLOW
STORE

SER: The value set in the CLASMAP definition in the GSO for SERVAUTH resources.
Uid: The UID of the region user.

This example sets the security requirements in a CA Top Secret system:

TSS PER(userid) SERVAUTH(EZB.NETMGMT.sysname.tcpipname.IPSEC.DISPLAY) ACCESS(READ)

Userid: The ACID of the region user.

This example sets the security requirements in a RACF system:

PER EZB.NETMGMT.sysname.tcpipname.IPSEC.DISPLAY CLASS(SERVAUTH) ID(userid) ACCESS(READ)

Userid: The user ID of the region.