NSS XMLAppliance discipline

The NSS XMLAppliance discipline includes the NSS XMLAppliance SAF access service, the NSS XMLAppliance certificate service, and the NSS XMLAppliance private key service.

An NSS XMLAppliance client uses the NSS XMLAppliance SAF access service to perform SAF user authentication and access control checks. The NSS server consults SERVAUTH profiles for access control checks. For details about these profiles, see step 7.d and step 7.e, under Steps for authorizing resources for NSS.

The NSS XMLAppliance certificate service enables an NSS server to provide a list of the certificates on its key ring that a client is authorized to use. Those certificates can then be retrieved on behalf of an NSS XMLAppliance client. Certificates for all NSS XMLAppliance clients are stored on a single key ring. The NSS server must have access to this key ring and to the certificates on it. When the NSS server provides the NSS XMLAppliance certificate service, it consults SERVAUTH profiles to verify that an NSS XMLAppliance client is authorized to access the certificates involved. For details about these profiles, see step 7.d and step 7.e under Steps for authorizing resources for NSS.

An NSS XMLAppliance client uses the NSS XMLAppliance private key service in one of two ways. If an authorized private key is stored in the SAF database of the NSS server, the client can retrieve it and use it locally to sign and decrypt XML messages. If the private key is protected by the Integrated Cryptographic Service Facility (ICSF), the NSS server instead performs RSA signature and RSA decryption operations with that key on behalf of the client, so the key material never leaves the NSS server. XML appliances that are in less-trusted network zones can therefore rely on a centralized NSS server to perform critical RSA operations using ICSF-protected private keys. Certificates and private keys for all NSS XMLAppliance clients are stored on a single key ring. The NSS server must have access to this key ring and to the certificates and private keys on it. Retrieval of a private key is not allowed if the private key is stored in the ICSF public key data set (PKDS); such a key can be used only through the signature and decryption operations that the NSS server performs. When providing the NSS XMLAppliance private key service, the NSS server consults SERVAUTH profiles to verify that an NSS XMLAppliance client is authorized to access the certificates and associated keys involved. For details about these profiles, see step 7.d, step 7.e, and step 7.g under Steps for authorizing resources for NSS.
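The following model shows the authorization decisions described above for the certificate and private key services: a service-level check, a per-label check, and the rule that a PKDS-resident key can be used for signing and decryption but never returned to the client. It is an added illustration written for this page, not z/OS Communications Server code. The system name SYS1, the client names DMZAPPL and EDGEAPPL, the key labels, and the SERVAUTH profile name patterns are placeholders (the real profile names are listed under Steps for authorizing resources for NSS), and the RSA arithmetic is textbook RSA on a truncated digest, for demonstration only.

```python
"""Model of the NSS XMLAppliance certificate and private key service checks.

Added illustration, not z/OS Communications Server code. System name, client
names, key labels and SERVAUTH profile patterns are placeholders; the RSA
arithmetic is textbook RSA on a truncated digest, for demonstration only.
"""
import hashlib
from dataclasses import dataclass


class AccessDenied(Exception):
    """The SERVAUTH check for the request failed."""


class NotRetrievable(Exception):
    """The private key is in the ICSF PKDS: usable on the server, never returned."""


@dataclass(frozen=True)
class KeyRingEntry:
    label: str
    cert: bytes     # constructed stand-in for the DER certificate
    n: int          # RSA modulus
    e: int          # RSA public exponent
    d: int          # RSA private exponent
    in_pkds: bool   # True when the private key lives in the ICSF PKDS


# Toy RSA key built from two Mersenne primes (about 150 bits). Demo only.
_P, _Q = (1 << 61) - 1, (1 << 89) - 1
TOY_N, TOY_E = _P * _Q, 65537
TOY_D = pow(TOY_E, -1, (_P - 1) * (_Q - 1))


def digest_as_int(data: bytes) -> int:
    """SHA-256 truncated to 128 bits so the value is below the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def rsa_verify(n: int, e: int, data: bytes, sig: int) -> bool:
    return pow(sig, e, n) == digest_as_int(data)


def raises(exc, fn, *args) -> bool:
    """True if fn(*args) raises exc; used to show which requests are refused."""
    try:
        fn(*args)
    except exc:
        return True
    return False


class NssServer:
    """One NSS server: a single key ring plus a table of SERVAUTH grants."""

    def __init__(self, sysname, keyring, grants):
        self.sysname = sysname
        self.keyring = {entry.label: entry for entry in keyring}
        self.grants = grants  # client name -> set of profiles it has READ to

    # Placeholder profile names: a service profile gates use of a service
    # for one client; a per-label profile gates one certificate or key.
    def _service_profile(self, client, service):
        return f"EZB.NSS.{self.sysname}.{client}.XMLAPPLIANCE.{service}"

    def _label_profile(self, label, kind):
        return f"EZB.NSSCERT.{self.sysname}.{label}.{kind}"

    def _check(self, client, profile):
        if profile not in self.grants.get(client, set()):
            raise AccessDenied(f"{client} has no READ access to {profile}")

    def _entry(self, client, label, kind):
        """Authorize client for service kind on label; return the entry."""
        self._check(client, self._service_profile(client, kind))
        self._check(client, self._label_profile(label, kind))
        return self.keyring[label]

    # Certificate service
    def list_certificates(self, client):
        self._check(client, self._service_profile(client, "CERT"))
        allowed = self.grants.get(client, set())
        return sorted(lbl for lbl in self.keyring
                      if self._label_profile(lbl, "CERT") in allowed)

    def get_certificate(self, client, label):
        return self._entry(client, label, "CERT").cert

    # Private key service
    def get_private_key(self, client, label):
        entry = self._entry(client, label, "PRIVKEY")
        if entry.in_pkds:
            raise NotRetrievable(label)  # PKDS keys never leave the server
        return entry.n, entry.e, entry.d

    def sign(self, client, label, data):
        entry = self._entry(client, label, "PRIVKEY")  # PKDS keys allowed here
        return pow(digest_as_int(data), entry.d, entry.n)

    def decrypt(self, client, label, ciphertext):
        entry = self._entry(client, label, "PRIVKEY")
        return pow(ciphertext, entry.d, entry.n)


# Constructed sample configuration: one key ring, two appliance clients.
KEYRING = [
    KeyRingEntry("XMLAPPL1", b"der-cert-appl1", TOY_N, TOY_E, TOY_D, in_pkds=False),
    KeyRingEntry("XMLAPPL2", b"der-cert-appl2", TOY_N, TOY_E, TOY_D, in_pkds=True),
]
GRANTS = {
    "DMZAPPL": {  # trusted appliance: certificate and private key service
        "EZB.NSS.SYS1.DMZAPPL.XMLAPPLIANCE.CERT",
        "EZB.NSS.SYS1.DMZAPPL.XMLAPPLIANCE.PRIVKEY",
        "EZB.NSSCERT.SYS1.XMLAPPL1.CERT", "EZB.NSSCERT.SYS1.XMLAPPL1.PRIVKEY",
        "EZB.NSSCERT.SYS1.XMLAPPL2.CERT", "EZB.NSSCERT.SYS1.XMLAPPL2.PRIVKEY",
    },
    "EDGEAPPL": {  # certificate service only, and only for XMLAPPL1
        "EZB.NSS.SYS1.EDGEAPPL.XMLAPPLIANCE.CERT",
        "EZB.NSSCERT.SYS1.XMLAPPL1.CERT",
    },
}
SERVER = NssServer("SYS1", KEYRING, GRANTS)
```

With this configuration, EDGEAPPL can list and fetch only the XMLAPPL1 certificate and cannot sign at all, while DMZAPPL can retrieve the XMLAPPL1 key for local use but can only ask the server to sign or decrypt with the PKDS-resident XMLAPPL2 key. The point of the PKDS rule is visible in the model: a compromised appliance with DMZAPPL's grants obtains signatures and plaintexts, but never the XMLAPPL2 key material itself.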