Step 5: Setting up the IKE daemon for digital signature authentication (optional)

You can configure the IKE daemon to use its own certificate service or to use the certificate service from a network security services (NSS) server. You can control whether to use the native certificate service or the NSS certificate service at the stack level. A single stack can use either the native certificate service or the NSS certificate service, but it cannot use both. If the IKED is to use an IKEv2 signature-based authentication method on behalf of a stack, that stack must be defined as a network security services (NSS) client.

By default, the IKE daemon uses the native certificate service for all stacks. Certificates for stacks configured to use the native certificate service must be on the key ring specified by the KeyRing parameter of the IkeConfig statement.

The IKE daemon native certificate service does not consult certificate revocation information when it authenticates a digital signature. If you want revocation checking, then direct the IKED to use the IPSec certificate service of an NSS server and enable revocation checking for the remote security endpoint. For information about enabling revocation checking for a remote security endpoint using the KeyExchangeAction statement, see z/OS Communications Server: IP Configuration Reference.

The IKE daemon can be directed to use an NSS server's certificate service for an individual stack by specifying the Cert option on the ServiceType parameter of an NssStackConfig statement for that stack. The NssStackConfig statement is specified in the IKE daemon configuration file. The NSS server does not have to be on the same system as the IKE daemon. The location of the NSS server is specified by the NetworkSecurityServer parameter and optionally the NetworkSecurityServerBackup parameter of the IkeConfig statement. For more information about the IkeConfig statement, see z/OS Communications Server: IP Configuration Reference.

Certificates for stacks configured to use an NSS server for certificate service must be on the key ring specified on the KeyRing parameter of the NssConfig statement in the NSS server configuration file. For more information about the NssConfig statement, see z/OS Communications Server: IP Configuration Reference.

Figure 1 shows a partial configuration for the IKE daemon on system SYSTEMA and an NSS server. The NetworkSecurityServer parameter on the IkeConfig statement specifies that the IKE daemon is configured to use network security services from an NSS server that is listening on IP address 9.1.1.1. Two NssStackConfig statements are shown. The ClientName parameters associate a local TCP/IP stack with an NSS client name; this is the name by which the NSS server knows this stack. The UserId parameter associates the client name with a user ID defined on the NSS server's system. Both the client name and the user ID are used by the NSS server to verify that an NSS client is authorized to request certificate service, and to determine which certificates the client is authorized to use (for additional details, see Steps for authorizing resources for NSS). The KeyRing parameter on the IkeConfig statement identifies the location of certificates for all stacks for which there are no NssStackConfig statements. The KeyRing parameter on the NssConfig statement identifies the location of certificates for all NSS client stacks that use the NSS server certificate service.

Figure 1. Partial configuration for the IKE daemon and an NSS server (the figure content is described in the preceding paragraph)
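A concrete rendering of the configuration that Figure 1 describes, written here as an added example rather than copied from the figure or from any IBM sample. The NSS server address 9.1.1.1 and the system name SYSTEMA come from the text; the stack names, key ring names, client names, user IDs, and the AuthBy lines are assumed placeholders that a real deployment replaces with its own values.

```text
# IKE daemon configuration file on SYSTEMA

IkeConfig
{
  # Certificates for stacks that have no NssStackConfig statement
  # (native certificate service, no revocation checking) must be on
  # this key ring. Ring name is assumed.
  KeyRing IKED/IKEDkeyring

  # NSS server whose certificate service the NSS client stacks use.
  NetworkSecurityServer 9.1.1.1
}

# Stack TCPCS1 (assumed name) is an NSS client: ServiceType Cert
# directs the IKED to the NSS server's certificate service, which is
# also what an IKEv2 signature-based method requires for this stack.
NssStackConfig TCPCS1
{
  # Name by which the NSS server knows this stack (assumed).
  ClientName SYSTEMA_TCPCS1
  # User ID defined on the NSS server's system (assumed).
  UserId NSSCLI1
  ServiceType Cert
  # Client authentication to the NSS server; assumed placeholder.
  AuthBy Password xxxxxxxx
}

NssStackConfig TCPCS2
{
  ClientName SYSTEMA_TCPCS2
  UserId NSSCLI2
  ServiceType Cert
  AuthBy Password xxxxxxxx
}

# NSS server configuration file on the system at 9.1.1.1

NssConfig
{
  # Certificates for every NSS client stack that uses the NSS server's
  # certificate service must be on this key ring. Ring name is assumed.
  KeyRing NSSD/NSSDkeyring
}
```

Stacks that appear in neither NssStackConfig statement fall back to the native certificate service and the IkeConfig key ring, so a stack that needs revocation checking must have its own NssStackConfig entry.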

The following subtopics provide steps for setting up the IKE daemon for RSA signature mode authentication:

Tip: Use the following references to understand the concepts that are involved in using digital certificates with RACF®: