Verifying That TCP/IP End System Security Is Operable

You can use the TCP/IP end system security feature to control TCP/IP traffic to and from your host server. This feature is operable only when it is enabled, when the TCPIPSECURITY library is linked, and when a rules file is loaded.

When TCP/IP end system security is enabled, all TCP/IP traffic is denied if the TCPIPSECURITY library cannot be linked or if a rules file cannot be loaded.

If the TCPIPSECURITY library is correctly SLed, the default TCP/IP end system security state is enabled. If this library is not SLed, the default state is disabled.

To verify proper operation of the TCP/IP end system security feature, perform the following steps:

  1. Enter NW TCPIP SECURITY at the system console.

  2. Continue in accordance with the message response that is received.

Note: The TCPIP STATUS inquiry also provides TCP/IP end system security information. While TCPIP STATUS obtains the same end system security information as TCPIP SECURITY, its response format is significantly different.

If this message is returned: TCP/IP Security Disabled . . .

Then: The TCP/IP end system security feature is not active and all TCP/IP messages will be allowed.

See Controlling TCP/IP End System Security for information on enabling and running this feature.

If the message “TCP/IP End System Security Library Not Linked” is logged, check that the TCPIPSECURITY library has been properly SLed with the LINKCLASS=1 attribute.

If this message is returned: TCP/IP Security Enabled . . .

Then: The TCP/IP end system security feature is enabled but all TCP/IP requests are currently being denied.

To correct this condition, enter the command NW TCPIP SECURITY + [“<filename>”] at the system console.

  • Where <filename> is the name of a rules file; if no name is specified, the *SYSTEM/TCPIPSECURITY/RULES file is used.

  • If the message “TCP/IP End System Security Rule File Missing” is returned, check that the rules file is present, properly named, and located on the specified pack.

  • If the message “TCP/IP End System Security Rule in Error” is returned, a syntactically incorrect rule has been detected in the rules file. You must correct this file before it can be used. The MCP Security Overview and Implementation Guide describes how to create and modify TCP/IP end system security rules.

If this message is returned: TCP/IP Security Running <filename>

Then: The TCP/IP end system security feature is active and <filename> is running as the active rules file.

All TCP/IP requests are being evaluated against the Deny and Allow rules provided in the file. If unexpected results occur, the rules file might contain one or more incorrectly coded (but syntactically correct) rules.

Consult the system SUMLOG for information about each denied request.