ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahq_5.4.0.1/rzahqconfiguringipsec.htm

111 lines
7.8 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-13" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Configure IPSec</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<img src="delta.gif" alt="Start of change" /><img src="delta.gif" alt="Start of change" />
<a name="rzahqconfiguringipsec"></a>
<h3 id="rzahqconfiguringipsec">Configure IPSec</h3>
<p></p>
<a name="wq212"></a>
<div class="notetitle" id="wq212">Note:</div><img src="delta.gif" alt="Start of change" />
<div class="notebody">An iSCSI HBA for iSeries&trade; with IPSec support is required in order
to use IPSec to secure the data flows over the iSCSI network. If the iSCSI
HBA hardware does not support IPSec, then a connection security object still
needs to be created but you should not define any IP security rules.</div><img src="deltaend.gif" alt="End of change" />
<p>To configure IPSec, or to change IPSec credentials, do the following steps:</p>
<ol type="1">
<li>This step is required if you haven't already generated the first
pre-shared key. You can also perform this step at any time to change the pre-shared
key: With the server shut down (NWSD varied off), use the procedure described
in <a href="rzahqchangeconnectionsecurityconfig.htm#rzahqchangeconnectionsecurityconfig">Change connection security configuration properties</a> to change the properties
of the connection security configuration for the server.
<ul>
<li>Go to the <span class="bold">IP Security Rules</span> tab.</li>
<li>Click the <span class="bold">Add</span> button and select the <span class="bold">Generate pre-shared key once</span> option.</li>
<li>Click <span class="bold">OK</span> to add the new IP security rule to the
table and click <span class="bold">OK</span> again to save the connection security
configuration and cause the pre-shared key to be generated.
<a name="wq214"></a>
<div class="notetitle" id="wq214">Note:</div>
<div class="notebody"> You must have security administrator (*SECADM) special authority to create,
change, or display a pre-shared key.</div></li></ul></li>
<li>Use the procedure described in <a href="rzahqdispconsecprops.htm#rzahqdispconsecprops">Display connection security configuration properties</a> to
display the properties of the connection security configuration for the server.
<ul>
<li>Go to the <span class="bold">IP Security Rules</span> tab.</li>
<li><img src="delta.gif" alt="Start of change" />Note the first row in the table value, which contains a random
pre-shared key generated by i5/OS&trade;. This information will be used in step <a href="rzahqconfiguringipsec.htm#rzahqenterpres">5</a>.<img src="deltaend.gif" alt="End of change" /></li></ul></li>
<li>Using iSeries Navigator:
<ul>
<li>Select <span class="bold">Integrated Server Administration</span> -> <span class="bold">Servers</span>.</li>
<li>Right-click the integrated server and select <span class="bold">Properties</span>.</li>
<li>Go to the <span class="bold">iSCSI Security</span> tab.</li>
<li>For the <span class="bold">Default IP security rule</span>, select <span class="bold">1</span>, then click <span class="bold">OK</span> to save the change. This tells i5/OS to do the following things: wherever a <span class="bold">Default</span> value
appears for an IP security rule in the server properties, use the first value
in the connection security configuration (specified by the server's <span class="bold">Connection security configuration</span> value on the <span class="bold">iSCSI
Security</span> tab of the server properties).</li></ul></li>
<li>This step is required only if you don't want IPSec enabled on all
of the server's NWSD's connections, or if remote interface rules in the
server properties have been changed from the Default value.
<p>Using iSeries Navigator:</p>
<ul>
<li>Select <span class="bold">Integrated Server Administration</span> -> <span class="bold">Servers</span>.</li>
<li>Right-click the integrated server and select <span class="bold">Properties</span>.</li>
<li>Go to the <span class="bold">Storage Paths</span> tab.</li>
<li>Each <span class="bold">Remote Interface IP Security Rule</span> corresponds
to an iSCSI HBA pair consisting of an iSCSI HBA for iSeries port and
a hosted system iSCSI HBA port.
<p>Repeat the following for all of the <span class="bold">Remote Interface IP Security Rule</span> columns on the <span class="bold">Storage Paths</span> and the <span class="bold">Virtual Ethernet Paths</span> tabs.</p>
<a name="wq215"></a>
<div class="notetitle" id="wq215">Note:</div>
<div class="notebody">Any NWSH used more than once in an NWSD must have identical
sets of Remote Interface IP Security Rule values in each of the storage or
virtual Ethernet paths that reference it.</div>
<p>Set each Remote
Interface IP Security Rule to either None or Default, whichever is appropriate
for the way you are using that particular iSCSI HBA port pair:</p>
<ul>
<li>Use <span class="bold">None</span> if you want network traffic to flow in
the clear between the iSCSI HBA ports, regardless of the ability of either
iSCSI HBA to support IPSec.</li>
<li>Use <span class="bold">Default</span> if the corresponding iSCSI HBA for iSeries supports IPSec, and you want to allow only encrypted traffic (or no
traffic if the hosted system's iSCSI HBA port does not support IPSec).</li></ul></li></ul></li>
<li id="rzahqenterpres">
<a name="rzahqenterpres"></a>This step is required only if the Delivery method
in the remote system configuration is <span class="bold">Manually configured
on remote system</span> or <span class="bold"><img src="delta.gif" alt="Start of change" />Dynamically delivered
to remote system via CHAP<img src="deltaend.gif" alt="End of change" /></span>: Upon the next server start (NWSD vary on),
watch the hosted system's console for a prompt to press CTRL-Q. Immediately
on seeing the prompt, press CTRL-Q. In the CTRL-Q utility, select the adapter
that is configured to boot the hosted OS. Enter the pre-shared key from the
connection security configuration properties into the pre-shared key of the
target security configuration panel. See <a href="rzahqdisklessbootingoveriscsi.htm#rzahqdisklessbootingoveriscsi">Diskless booting over iSCSI</a> more
information about the CTRL-Q utility.
<a name="wq216"></a>
<div class="notetitle" id="wq216">Note:</div>
<div class="notebody">Any non-boot iSCSI HBAs
in the hosted system are automatically configured from the i5/OS configuration.</div></li></ol><img src="deltaend.gif" alt="End of change" /><img src="deltaend.gif" alt="End of change" />
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>