The IPSecDisciplineConfig statement contains parameters that apply to the IPSec discipline only. If more than one IPSecDisciplineConfig statement is coded, the last one is used. If a parameter within the IPSecDisciplineConfig statement is specified more than once, the value from the last one is used.
Syntax (braces and parameters on separate lines):

   IPSecDisciplineConfig
   {
      FIPS140 yes | no                  (optional; default: FIPS140 no)
      URLCacheInterval interval         (optional; default: URLCacheInterval 10080)
      CertificateURL label url          (optional; may be repeated)
      CertificateBundleURL label url    (optional; may be repeated)
   }
Requirement: ICSF must be active before starting the NSS server when FIPS140 YES is specified. For information about configuring ICSF to support FIPS 140-2, see Operating in compliance with FIPS 140-2 in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.
Rule: If the FIPS140 parameter is modified while the NSS server is running, the change does not take effect until the NSSD is restarted. Attempts to modify the value while the NSS server is running are ignored and a warning message is issued.
Tip: Enabling FIPS 140 mode provides a higher degree of assurance of the integrity of the cryptographic modules that the NSS server uses, including ICSF and System SSL. However, enabling FIPS 140 mode might require additional setup and configuration, restricts the available set of cryptographic algorithms, and might reduce performance. See Cryptographic standards and FIPS 140 in z/OS Communications Server: IP Configuration Guide for more information.
| Cached data | Events that cause a reload |
|---|---|
| Certificate Data | The following events cause a reload: |
| Certificate Bundle Data | The following events cause a reload: |
| Certificate Revocation Data | The following events cause a reload: |
CertificateURL "my ""new"" certificate" http://xyz.edu/cert51
The url is an HTTP-based URL identifying a file on an HTTP server that contains the DER-encoded representation of the certificate identified by label. The file should not contain the private key associated with the certificate. See Using hash and URL certificate encoding types in z/OS Communications Server: IP Configuration Guide for additional details.
Rule: If the same label is specified on multiple CertificateURL statements, only the last CertificateURL statement for that label is used.
Tip: This keyword is applicable only to network security clients utilizing certificate services during an IKE version 2 Phase 1 SA negotiation.
CertificateBundleURL "my ""new"" certificates" http://xyz.edu/certbundle
The url is an HTTP-based URL identifying a file on an HTTP server that contains an x509 certificate bundle pertaining to the certificate identified by label. The z/OS® UNIX certbundle command may be used to create an x509 certificate bundle. See Using hash and URL certificate encoding types in z/OS Communications Server: IP Configuration Guide for additional details.
Tip: This keyword is applicable only to network security clients utilizing certificate services during an IKE version 2 Phase 1 SA negotiation.
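The following Python parser is an added example, not part of this documentation or of the NSS server, that applies the rules stated above: the last IPSecDisciplineConfig statement is used, the last occurrence of a parameter is used, the last CertificateURL or CertificateBundleURL for a given label is used, and a double quote inside a quoted label is written as two quotes, as in the examples. It assumes that `#` starts a comment, that braces are on their own lines, and that only `http://` URLs are accepted; the sample configuration is constructed.

```python
import re
# Label: bare word or "quoted string"; a quote inside is doubled ("my ""new"" cert").
_TOKEN = re.compile(r'"((?:[^"]|"")*)"|(\S+)')

def tokenize(line: str) -> list[str]:
    """Split one configuration line into tokens, undoing the "" escape."""
    return [m.group(1).replace('""', '"') if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(line)]

def parse_ipsec_discipline(text: str) -> dict:
    """Effective settings: last statement, last parameter and last label win."""
    cfg, inside = None, False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # assumed: '#' starts a comment
        if not line:
            continue
        key, *args = tokenize(line)
        if key == 'IPSecDisciplineConfig':       # a new statement replaces the previous one
            cfg = {'FIPS140': 'no', 'URLCacheInterval': 10080,
                   'CertificateURL': {}, 'CertificateBundleURL': {}}
            inside = True
        elif not inside or key == '{':
            continue
        elif key == '}':
            inside = False
        elif key == 'FIPS140' and len(args) == 1 and args[0].lower() in ('yes', 'no'):
            cfg['FIPS140'] = args[0].lower()
        elif key == 'URLCacheInterval' and len(args) == 1 and args[0].isdigit():
            cfg['URLCacheInterval'] = int(args[0])
        elif key in ('CertificateURL', 'CertificateBundleURL') and len(args) == 2:
            label, url = args
            if not url.lower().startswith('http://'):   # assumed: plain HTTP URLs only
                raise ValueError(f'{key} {label!r}: url must be an HTTP URL')
            cfg[key][label] = url                        # same label: last one wins
        else:
            raise ValueError(f'invalid line: {raw.strip()!r}')
    return cfg

# Constructed sample with a repeated parameter and a repeated label.
SAMPLE = """
IPSecDisciplineConfig
{
   FIPS140 yes
   FIPS140 no                    # repeated parameter: this value is used
   URLCacheInterval 1440
   CertificateURL "my ""new"" certificate" http://xyz.edu/cert50
   CertificateURL "my ""new"" certificate" http://xyz.edu/cert51
   CertificateBundleURL "my ""new"" certificates" http://xyz.edu/certbundle
}
"""
```

Running `parse_ipsec_discipline(SAMPLE)` yields FIPS140 `no`, URLCacheInterval 1440, and only the cert51 URL for the label `my "new" certificate`.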