IPSecDisciplineConfig statement

The IPSecDisciplineConfig statement contains parameters that apply to the IPSec discipline only. If more than one IPSecDisciplineConfig statement is coded, the last one is used. If a parameter within the IPSecDisciplineConfig statement is specified more than once, the value from the last one is used.

Syntax

>>-IPSecDisciplineConfig--| Braces & Parms on Separate Lines |-><

Braces & Parms on Separate Lines

|--+-{------------------------------------+---------------------|
   +-| IPSecDisciplineConfig Parameters |-+   
   '-}------------------------------------'   

IPSecDisciplineConfig Parameters

   .-FIPS140 no-------.  .-URLCacheInterval 10080-.   
|--+------------------+--+------------------------+------------->
   '-FIPS140 -+-yes-+-'  '-URLCacheInterval-------'   
              '-no--'                                 

   .------------------------------.   
   V                              |   
>----+--------------------------+-+----------------------------->
     '-CertificateURL label url-'     

   .------------------------------------.   
   V                                    |   
>----+--------------------------------+-+-----------------------|
     '-CertificateBundleURL label url-'     

Parameters

FIPS140 Yes | No
Specifies whether the NSS server should perform cryptographic operations by invoking cryptographic modules that are designed to meet the Level 1 security requirements documented in the Federal Information Processing Standard (FIPS) publication 140 (FIPS 140).
yes
Perform all IPSec discipline cryptographic operations using cryptographic modules that are designed to meet FIPS 140 requirements. When the value of yes is specified, the NSS server is running in FIPS 140 mode.
no
The NSS server might perform some cryptographic operations using cryptographic modules that do not adhere to the FIPS 140 requirements. When the value of no is specified, the NSS server is not running in FIPS 140 mode.

Requirement: ICSF must be active before starting the NSS server when FIPS140 YES is specified. For information about configuring ICSF to support FIPS 140-2, see Operating in compliance with FIPS 140-2 in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.

Rule: If the FIPS140 parameter is modified while the NSS server is running, the change does not take effect until the NSSD is restarted. Attempts to modify the value while the NSS server is running are ignored and a warning message is issued.

Tip: Enabling FIPS 140 mode provides a higher degree of assurance of the integrity of the cryptographic modules that the NSS server uses, including ICSF and System SSL. However, enabling FIPS 140 mode might require additional setup and configuration, it will restrict the available set of cryptographic algorithms, and it might result in a reduction in performance. See Cryptographic standards and FIPS 140 in z/OS Communications Server: IP Configuration Guide for more information.

URLCacheInterval minutes
Specifies the maximum amount of time in minutes that data retrieved from an HTTP server is cached before an attempt to reload the data is made. If 0 is specified for the minutes value, data retrieved from an HTTP server is not cached. The default value is 10080, which is one week. The maximum value is 999999.
Tip: Table 1 shows when cached data must be reloaded.

Table 1. Cached data events that cause a reload

Cached data: Certificate Data
Events that cause a reload:
  • The Validity notAfter time in the certificate is reached
  • The URLCacheInterval is reached
  • The NSSD MODIFY REFRESH command is issued

Cached data: Certificate Bundle Data
Events that cause a reload:
  • The Validity notAfter time in any certificate in the bundle is reached
  • The nextUpdate time in any CRL in the bundle is reached
  • The URLCacheInterval is reached
  • The NSSD MODIFY REFRESH command is issued

Cached data: Certificate Revocation Data
Events that cause a reload:
  • The nextUpdate time in the CRL is reached
  • The URLCacheInterval is reached
  • The NSSD MODIFY REFRESH command is issued
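The reload policy in Table 1 can be expressed as a single function that returns the earliest moment at which cached data must be refetched. The following Python is an added example, not NSSD code; it assumes the URLCacheInterval clock starts when the data is fetched, and the dates in demo() are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

# Added example of the Table 1 reload policy; not NSSD code.
# Assumption: the URLCacheInterval countdown starts at fetch time.
MAX_URL_CACHE_INTERVAL = 999999


def _expiry(fetched_at: datetime, url_cache_interval: int,
            deadlines: Iterable[datetime]) -> Optional[datetime]:
    """Earliest time at which the cached data must be reloaded.

    Returns None when URLCacheInterval is 0: the data is not cached at all,
    so every use of it is a fresh retrieval.
    """
    if url_cache_interval == 0:
        return None
    if not 0 < url_cache_interval <= MAX_URL_CACHE_INTERVAL:
        raise ValueError(f"URLCacheInterval must be 0..{MAX_URL_CACHE_INTERVAL} minutes")
    candidates = [fetched_at + timedelta(minutes=url_cache_interval)]
    candidates.extend(deadlines)
    return min(candidates)


def certificate_expiry(fetched_at: datetime, url_cache_interval: int,
                       not_after: datetime) -> Optional[datetime]:
    """Certificate data: reload at the certificate's notAfter or when the interval elapses."""
    return _expiry(fetched_at, url_cache_interval, [not_after])


def bundle_expiry(fetched_at: datetime, url_cache_interval: int,
                  certs_not_after: Iterable[datetime],
                  crls_next_update: Iterable[datetime]) -> Optional[datetime]:
    """Bundle data: earliest notAfter of any certificate, nextUpdate of any CRL, or the interval."""
    return _expiry(fetched_at, url_cache_interval,
                   list(certs_not_after) + list(crls_next_update))


def crl_expiry(fetched_at: datetime, url_cache_interval: int,
               next_update: datetime) -> Optional[datetime]:
    """Revocation data: reload at the CRL's nextUpdate or when the interval elapses."""
    return _expiry(fetched_at, url_cache_interval, [next_update])


def must_reload(now: datetime, expiry: Optional[datetime],
                modify_refresh_issued: bool = False) -> bool:
    """MODIFY REFRESH forces a reload; uncached data (expiry None) is always refetched."""
    if modify_refresh_issued or expiry is None:
        return True
    return now >= expiry


def demo() -> Dict[str, object]:
    """Constructed scenario: data fetched 2024-01-01T00:00Z with the default interval."""
    fetched = datetime(2024, 1, 1, tzinfo=timezone.utc)
    far = datetime(2025, 1, 1, tzinfo=timezone.utc)        # notAfter well beyond the interval
    soon = datetime(2024, 1, 3, tzinfo=timezone.utc)       # notAfter inside the interval
    crl_next = datetime(2024, 1, 2, 12, tzinfo=timezone.utc)

    def iso(d: Optional[datetime]) -> Optional[str]:
        return d.isoformat() if d else None

    return {
        "cert_far": iso(certificate_expiry(fetched, 10080, far)),      # interval (one week) wins
        "cert_soon": iso(certificate_expiry(fetched, 10080, soon)),    # notAfter wins
        "bundle": iso(bundle_expiry(fetched, 10080, [far], [crl_next])),  # CRL nextUpdate wins
        "crl_uncached": iso(crl_expiry(fetched, 0, crl_next)),         # interval 0: not cached
        "reload_after_refresh": must_reload(fetched, certificate_expiry(fetched, 10080, far), True),
        "reload_day_one": must_reload(fetched + timedelta(days=1),
                                      certificate_expiry(fetched, 10080, far)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The only non-obvious case is URLCacheInterval 0, which the page defines as "not cached" rather than "cache forever"; the functions return None for it and must_reload treats None as an unconditional reload.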
CertificateURL label url
The label is the label of a certificate on the key ring specified by the KeyRing parameter. If this label value contains imbedded blanks, then the value must be enclosed in double quote characters ("). Empty ("") and blank (" ") label names are not allowed. Any leading or trailing blanks within the double quotes will be ignored (for example, " label name " is treated as "label name"). If the string also contains a double quote character, then the imbedded double quote character must be coded as a sequence of two such characters (""). For example, the label in the following statement contains both imbedded blanks and imbedded double quotes:
CertificateURL   "my ""new"" certificate"    http://xyz.edu/cert51 

The url is an HTTP-based URL identifying a file on an HTTP server that contains the DER-encoded representation of the certificate identified by label. The file should not contain the private key associated with the certificate. See Using hash and URL certificate encoding types in z/OS Communications Server: IP Configuration Guide for additional details.

Rule: If the same label is specified on multiple CertificateURL statements only the last CertificateURL statement for that label is used.

Tip: This keyword is applicable only to network security clients utilizing certificate services during an IKE version 2 Phase 1 SA negotiation.

CertificateBundleURL label url
The label value is the label of a certificate on the key ring specified by the KeyRing parameter. If this label value contains imbedded blanks, then the value must be enclosed in double quote characters ("). Empty ("") and blank (" ") label names are not allowed. Any leading or trailing blanks within the double quotes will be ignored (for example, " label name " is treated as "label name"). If the string also contains a double quote character, then the imbedded double quote character must be coded as a sequence of two such characters (""). For example, the label in the following statement contains both imbedded blanks and imbedded double quotes:
CertificateBundleURL   "my ""new"" certificates"    http://xyz.edu/certbundle

The url is an HTTP-based URL identifying a file on an HTTP server that contains an X.509 certificate bundle pertaining to the certificate identified by label. The z/OS® UNIX certbundle command may be used to create an X.509 certificate bundle. See Using hash and URL certificate encoding types in z/OS Communications Server: IP Configuration Guide for additional details.

Rules:
  • If the same label is specified on multiple CertificateBundleURL statements, only the last CertificateBundleURL statement for that label is used.
  • If the same label is specified on both a CertificateURL statement and CertificateBundleURL statement, the statement specified last is used.

Tip: This keyword is applicable only to network security clients utilizing certificate services during an IKE version 2 Phase 1 SA negotiation.
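The label quoting rules for CertificateURL and CertificateBundleURL (double quotes around labels with embedded blanks, a doubled quote for a literal quote, leading and trailing blanks inside the quotes ignored, empty and blank labels rejected) and the "last statement wins" rules for duplicate labels are easy to get wrong by hand. The following Python checker is an added example, not NSSD code or any IBM-supplied tool; it assumes that keywords match case-insensitively, that braces sit on their own lines as in the syntax diagram, and that the url is a single blank-delimited token beginning with http://. The SAMPLE statement is constructed from the page's own two example lines.

```python
from typing import Dict, List, Tuple

# Added example: a checker for the IPSecDisciplineConfig statement (not NSSD code).
# Assumptions: case-insensitive keywords, braces on separate lines, url is one
# blank-delimited token beginning with http://.
MAX_URL_CACHE_INTERVAL = 999999
DEFAULTS = {"FIPS140": "no", "URLCacheInterval": 10080}


class ConfigError(ValueError):
    """Raised for a value the statement's rules do not allow."""


def parse_label(text: str) -> Tuple[str, str]:
    """Split a label off the front of text and return (label, remainder).

    A label with embedded blanks must be enclosed in double quotes; a quote
    inside the label is written as ""; leading and trailing blanks inside the
    quotes are ignored; empty ("") and blank (" ") labels are rejected.
    """
    text = text.lstrip()
    if not text:
        raise ConfigError("missing label")
    if text[0] != '"':                       # unquoted label: one token
        parts = text.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    chars: List[str] = []
    i = 1
    while True:
        if i >= len(text):
            raise ConfigError("unterminated quoted label")
        ch = text[i]
        if ch == '"':
            if text[i + 1:i + 2] == '"':     # doubled quote -> literal quote
                chars.append('"')
                i += 2
                continue
            i += 1                           # closing quote
            break
        chars.append(ch)
        i += 1
    label = "".join(chars).strip()           # leading/trailing blanks ignored
    if not label:
        raise ConfigError('empty ("") and blank (" ") labels are not allowed')
    return label, text[i:]


def parse_ipsec_discipline_config(lines) -> Dict:
    """Parse IPSecDisciplineConfig statement lines; a later statement replaces an earlier one."""
    cfg: Dict = dict(DEFAULTS, urls={})
    for raw in lines:
        line = raw.strip()
        if not line or line in ("{", "}"):
            continue
        parts = line.split(None, 1)
        kw = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if kw == "ipsecdisciplineconfig":
            cfg = dict(DEFAULTS, urls={})    # only the last statement is used
        elif kw == "fips140":
            value = rest.strip().lower()
            if value not in ("yes", "no"):
                raise ConfigError(f"FIPS140 must be yes or no, got {rest!r}")
            cfg["FIPS140"] = value           # last occurrence of a parameter wins
        elif kw == "urlcacheinterval":
            try:
                minutes = int(rest.strip())
            except ValueError:
                raise ConfigError(f"URLCacheInterval is not a number: {rest!r}") from None
            if not 0 <= minutes <= MAX_URL_CACHE_INTERVAL:
                raise ConfigError(f"URLCacheInterval outside 0..{MAX_URL_CACHE_INTERVAL}: {minutes}")
            cfg["URLCacheInterval"] = minutes
        elif kw in ("certificateurl", "certificatebundleurl"):
            label, remainder = parse_label(rest)
            url_tokens = remainder.split()
            if len(url_tokens) != 1 or not url_tokens[0].lower().startswith("http://"):
                raise ConfigError(f"expected one HTTP URL after label {label!r}: {remainder!r}")
            keyword = "CertificateURL" if kw == "certificateurl" else "CertificateBundleURL"
            # One entry per label across both keywords: the statement coded last wins.
            cfg["urls"][label] = (keyword, url_tokens[0])
        else:
            raise ConfigError(f"unknown parameter {parts[0]!r}")
    return cfg


# Constructed sample built from the page's two example lines plus a duplicate label.
SAMPLE = [
    "IPSecDisciplineConfig",
    "{",
    "   FIPS140 yes",
    "   URLCacheInterval 1440",
    '   CertificateURL   "my ""new"" certificate"    http://xyz.edu/cert51',
    '   CertificateBundleURL   "my ""new"" certificates"    http://xyz.edu/certbundle',
    '   CertificateURL   " label name "   http://xyz.edu/cert52',
    '   CertificateBundleURL "label name" http://xyz.edu/bundle52',
    "}",
]

if __name__ == "__main__":
    for key, value in parse_ipsec_discipline_config(SAMPLE).items():
        print(f"{key}: {value}")
```

In the sample, " label name " and "label name" are the same label once the blanks inside the quotes are dropped, so the CertificateBundleURL coded last replaces the earlier CertificateURL for it, leaving three labels in the result.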