ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaja_5.4.0.1/rzajaprotectyourkeys.htm


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configure an Internet Key Exchange (IKE) policy" />
<meta name="abstract" content="The IKE policy defines what level of authentication and encryption protection IKE uses during phase 1 negotiations." />
<meta name="description" content="The IKE policy defines what level of authentication and encryption protection IKE uses during phase 1 negotiations." />
<meta name="DC.Relation" scheme="URI" content="rzajavpnpolicy.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajasecassociations.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajasecassociations.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurazhudigitalcertmngmnt.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajaprotectyourkeys" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure an Internet Key Exchange (IKE) policy</title>
</head>
<body id="rzajaprotectyourkeys"><a name="rzajaprotectyourkeys"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure an Internet Key Exchange (IKE) policy</h1>
<div><p>The IKE policy defines what level of authentication and encryption
protection IKE uses during phase 1 negotiations.</p>
<div class="section"><p>IKE phase 1 establishes the keys that protect the messages that
flow in the subsequent phase 2 negotiations. You do not need to define an
IKE policy when you create a manual connection. In addition, if you create
your VPN with the New Connection wizard, the wizard can create your IKE policy
for you.</p>
<p>VPN uses either RSA signature mode or preshared keys to authenticate
phase 1 negotiations. If you plan to use digital certificates for authenticating
the key servers, you must first configure them by using the <span class="keyword">Digital Certificate Manager</span>
(5722-SS1 Option 34). The IKE policy also identifies which remote key server
will use this policy.</p>
<p>To define an IKE policy or make changes to an
existing one, follow these steps:</p>
</div>
<ol><li><span>In <span class="keyword">iSeries™ Navigator</span>, expand
your <span class="menucascade"><span class="uicontrol">server</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">IP Policies</span> &gt; <span class="uicontrol">Virtual Private Networking</span> &gt; <span class="uicontrol">IP Security Policies</span></span>.</span></li>
<li><span>To create a new policy, right-click <span class="uicontrol">Internet Key Exchange
Policies</span> and select <span class="uicontrol">New Internet Key Exchange Policy</span>.
To make changes to an existing policy, click <span class="uicontrol">Internet Key Exchange
Policies</span> in the left pane then right-click the policy you want
to change in the right pane, and select <span class="uicontrol">Properties</span>.</span></li>
<li><span>Complete each of the property sheets. Click <span class="uicontrol">Help</span> if
you have questions about how to complete a page or any of its fields.</span></li>
<li><span>Click <span class="uicontrol">OK</span> to save your changes.</span></li>
</ol>
<div class="section">It is recommended that you use main mode negotiation whenever a preshared
key is used for authentication, because main mode provides a more secure exchange. If you
must use preshared keys and aggressive mode negotiation, select obscure passwords
that are unlikely to be cracked by dictionary attacks. It is
also recommended that you periodically change your passwords. To force a key exchange
to use main mode negotiation, perform the following tasks: <ol><li>In <span class="keyword">iSeries Navigator</span>, expand your
server <span class="menucascade"><span class="uicontrol">Network</span> &gt; <span class="uicontrol">IP Policies</span></span>.</li>
<li>Select <span class="menucascade"><span class="uicontrol">Virtual Private Networking</span> &gt; <span class="uicontrol">IP Security Policies</span> &gt; <span class="uicontrol">Internet Key Exchange
Policies</span></span> to view the currently defined key exchange
policies within the right-hand pane.</li>
<li>Right-click a particular key exchange policy and select <span class="uicontrol">Properties</span>. </li>
<li>On the Transforms page, click <span class="uicontrol">Responding Policy</span>.
The Responding Internet Key Exchange Policy dialog appears. </li>
<li>In the Identity protection field, deselect <span class="uicontrol">IKE aggressive mode
negotiation (no identity protection)</span>. </li>
<li>Click <span class="uicontrol">OK</span> to return to the Properties dialog.</li>
<li>Click <span class="uicontrol">OK</span> again to save your changes.</li>
</ol>
<div class="note"><span class="notetitle">Note:</span> When you set the identity protection field, the change is effective
for all exchanges with remote key servers, because there is only one responding
IKE policy for the entire system. With aggressive mode deselected, an initiating
system can request only a main mode key policy exchange.</div>
</div>
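<p>The recommendations above (main mode rather than aggressive mode with preshared keys, keys that resist dictionary attacks, and periodic key rotation) can be checked mechanically. The following audit script is an added example and is not IBM code; the policy records, their field names, the wordlist and the 90-day rotation period are all constructed assumptions that stand in for values you would export from your own IKE policies.</p>

```python
"""Audit IKE policy definitions for the weaknesses this topic warns about.

Added example, not IBM code. The policy records below are constructed to
mirror the settings seen in iSeries Navigator; the field names, the wordlist
and the rotation period are assumptions, not IBM identifiers.
"""
from datetime import date, timedelta

# Constructed stand-in for the wordlist a dictionary attack would use.
COMMON_WORDS = {"password", "secret", "vpnkey", "welcome", "ibm"}
MAX_KEY_AGE = timedelta(days=90)   # assumed rotation period
MIN_KEY_LENGTH = 20                # assumed minimum preshared key length

# Constructed policy records (RFC 5737 documentation addresses).
POLICIES = [
    {"name": "branch-a", "remote": "192.0.2.10", "auth": "preshared",
     "aggressive_mode": True, "psk": "vpnkey", "psk_set": date(2024, 1, 5)},
    {"name": "branch-b", "remote": "192.0.2.20", "auth": "rsa_signature",
     "aggressive_mode": True, "psk": None, "psk_set": None},
    {"name": "hq", "remote": "198.51.100.7", "auth": "preshared",
     "aggressive_mode": False, "psk": "Xk7!qR2#vL9@mP4$wZ6n",
     "psk_set": date(2024, 6, 1)},
]


def audit_policy(policy, today):
    """Return a list of findings for one IKE policy (empty list means OK)."""
    findings = []
    if policy["auth"] != "preshared":
        # RSA signature mode is not subject to the preshared-key checks.
        return findings
    psk = policy["psk"] or ""
    if policy["aggressive_mode"]:
        findings.append("aggressive mode permitted with preshared key: "
                        "no identity protection; prefer main mode")
    if psk.lower() in COMMON_WORDS or len(psk) < MIN_KEY_LENGTH:
        findings.append("preshared key is short or a dictionary word")
    if policy["psk_set"] and today - policy["psk_set"] > MAX_KEY_AGE:
        findings.append("preshared key is older than the rotation period")
    return findings


def audit_all(policies, today):
    """Map each policy name to its findings."""
    return {p["name"]: audit_policy(p, today) for p in policies}


if __name__ == "__main__":
    for name, found in audit_all(POLICIES, date(2024, 7, 1)).items():
        print(name, "OK" if not found else "; ".join(found))
```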
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajavpnpolicy.htm" title="After you determine how you will use your VPN you must define your VPN security policies.">Configure VPN security policies</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajasecassociations.htm" title="A dynamic VPN provides additional security for your communications by using the Internet Key Exchange (IKE) protocol for key management. IKE allows the VPN servers on each end of the connection to negotiate new keys at specified intervals.">Key management</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">Digital Certificate Manager</a></div>
</div>
</div>
</body>
</html>