Network security services for the XMLAppliance discipline

The network security services (NSS) server provides a set of network security services for the XMLAppliance discipline. Services include the SAF access service, the certificate service, and the private key service. NSS XMLAppliance clients can use the network security services in the XMLAppliance discipline. When an NSS XMLAppliance client uses the XMLAppliance SAF access service, the NSS server performs SAF user authentication and access control checks on behalf of the NSS XMLAppliance client. The XMLAppliance certificate service allows an authorized NSS XMLAppliance client to list and retrieve certificates on the configured key ring of the NSS server. The XMLAppliance private key service allows an authorized NSS XMLAppliance client to retrieve private keys that are stored in RACF®, generate digital signatures using private keys protected by Integrated Cryptographic Service Facility (ICSF), and perform decryption using ICSF-protected private keys. The NSS server does not support retrieval of ICSF-protected private keys. The NSS server uses its z/OS® SAF database to protect unauthorized access to individual certificates and private keys.

An NSS XMLAppliance client requires a SAF user ID on the NSS server system. To use the XMLAppliance services provided by the NSS server, this user ID must have read access to SERVAUTH resource profiles for each XMLAppliance service. The following SERVAUTH resource profiles apply to an NSS client using XMLAppliance services:

• EZB.NSS.sysname.clientname.XMLAPPLIANCE.SAFACCESS

  This profile authorizes an NSS XMLAppliance client to access the XMLAppliance SAF access service of the NSS server.

• EZB.NSS.sysname.clientname.XMLAPPLIANCE.CERT

  This profile authorizes an NSS XMLAppliance client to access the XMLAppliance certificate service of the NSS server.

• EZB.NSS.sysname.clientname.XMLAPPLIANCE.PRIVKEY

  This profile authorizes an NSS XMLAppliance client to access the XMLAppliance private key service of the NSS server.

• EZB.NSSCERT.sysname.mappedlabelname.HOST

  This profile authorizes an NSS XMLAppliance client to access a certificate on the key ring of the NSS server. Use the .HOST or .CERTAUTH profile to authorize an NSS XMLAppliance client to list or retrieve a particular certificate.

• EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH

  This profile authorizes an NSS XMLAppliance client to access a certificate on the key ring of the NSS server. Use the .CERTAUTH or .HOST profile to authorize an NSS XMLAppliance client to list or retrieve a particular certificate.

• EZB.NSSCERT.sysname.mappedlabelname.PRIVKEY
  This profile authorizes an NSS XMLAppliance client to access the private key associated with a certificate on the key ring of the NSS server. Access to the private key is allowed only if all of the following conditions are true:

  • The private key of the certificate is stored in RACF
  • The private key of the certificate is not stored in the ICSF public key data set (PKDS)
  • The ring usage of the certificate is personal
  • The user ID of the NSS XMLAppliance client has read access to the appropriate certificate label profile (EZB.NSSCERT.sysname.mappedlabelname.PRIVKEY).
• EZB.NETMGMT.sysname.sysname.NSS.DISPLAY

  This profile authorizes a user ID to issue the nssctl command to make NMI requests to obtain information about an NSS server.

Before accessing the XMLAppliance services, an NSS XMLAppliance client must present a valid credential. A valid credential consists of the user ID that represents the NSS XMLAppliance client and a valid password or PassTicket. For additional information about using a PassTicket, see z/OS Security Server RACF Security Administrator's Guide.

You control access to certificates and private keys using SAF profiles. The profile name contains a mapped label name that represents the label of the certificate. For information about this profile name, see NSS server certificate label naming considerations.