The NssStackConfig statement contains NSS server stack configuration information
for the IKE daemon. Only stacks with a corresponding NssStackConfig
statement are eligible for management services provided by network
security services. Stacks that are not configured with an NssStackConfig
statement do not use network security services.
Restriction: NssStackConfig statements require that a valid NSS server is
set up in the IkeConfig statement. See the NetworkSecurityServer and
NetworkSecurityServerBackup parameters in the IkeConfig statement. It is a
configuration error to have an NssStackConfig statement without also
specifying a NetworkSecurityServer parameter, a NetworkSecurityServerBackup
parameter, or both.
If more than one NssStackConfig statement is coded for the same TCP/IP
stack, the last one is used. Likewise, if a parameter within the
NssStackConfig statement is specified more than once, the value from
the last one is used.
Use the MODIFY IKED,REFRESH command to change which TCP/IP stacks are
configured as NSS clients, as follows:
- Deleting an NSS client
- If it is determined after a refresh that an NssStackConfig statement
was removed, then the connection associated with the removed NssStackConfig
statement is closed.
- Adding an NSS client
- If it is determined after a refresh that a new NssStackConfig
statement was added, then the connection for the new stack is opened.
- Changing internal NssStackConfig values
- Any change to an internal parameter of the NssStackConfig statement
results in a disconnect followed by a reconnect.
Syntax
>>-NssStackConfig--stackname------------------------------------>
>--| Braces & Parms on Separate Lines |------------------------><
Braces & Parms on Separate Lines
|--+---------------------------------+--------------------------|
+-{-------------------------------+
+-ClientName --clientname---------+
| .-----------------------------. |
| V | |
+---ServiceType--+-RemoteMgmt-+-+-+
| '-Cert-------' |
+-UserId userid-------------------+
+-AuthBy--+-Password password-+---+
| '-Passticket--------' |
'-}-------------------------------'
Parameters
- stackname
- The name of the NSS client TCP/IP stack. This is a required parameter.
There is no default value.
- ClientName clientname
- The NSS client name for the stack. By default, client names have
the form sysname_stackname, where the sysname value
is the MVS™ system name, and the stackname value
is the TCP/IP stack name. This name must match the clientname portion
of the associated SERVAUTH profiles (EZB.NSS.sysname.clientname.IPSEC.CERT
and EZB.NSS.sysname.clientname.IPSEC.NETMGMT) and can be 1 - 24 characters
in length.
Restriction: Only alphanumeric characters (a-z,
A-Z, 0-9), the hyphen (-), and the underscore (_) are valid for the
ClientName parameter. Embedded spaces are also not permitted in the
ClientName parameter; only trailing spaces are permitted.
If no client name is configured, then the IKE daemon generates this parameter
based on the system's host name and the associated TCP/IP stack name.
For example, if the system host name is MVSIBM and the TCP/IP stack name
is TCPCS, then the generated client name is MVSIBM_TCPCS.
- ServiceType
- The ServiceType parameter should be specified once for each network
security service that is to be enabled for the stack. The following
service types are supported:
- RemoteMgmt
- Indicates that this stack is eligible for remote management.
- Cert
- Indicates that this stack uses centralized certificate management.
Requirement: There must be at least one
ServiceType parameter in the NssStackConfig statement.
- UserId userid
- The RACF® user ID that the
NSS server uses to authenticate the NSS client and to verify its access
to the SERVAUTH profiles that protect the certificate and remote management
resources on the NSS server. User IDs can be 1 - 8 characters in length.
- AuthBy
- Authorization of the client TCP/IP stack to the NSS server can
be accomplished either by the use of a password or by a Pass Ticket.
- Password password
- The password value is the RACF password for the user ID specified for
the user. There is no default value for the password value;
a valid password is required if password authentication is being used.
Passwords can be 1 - 8 characters in length.
- Passticket
- The Pass Ticket option causes the client to generate a one-time
session key. See the information about the secured signon function
in z/OS Security Server RACF Security Administrator's
Guide.
AuthBy is a required parameter and there is no default
value. Either the Password option or the Passticket option (but not both)
must be specified. During the installation, ensure that you prevent
access to the IKE configuration file by unauthorized users to protect
this sensitive data. The most secure approach to protecting this
information is to use Pass Tickets, which store the application keys
in the RACF database.
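The following is an added example of two complete NssStackConfig statements as they would appear in an IKE daemon configuration file; it is not taken from the z/OS Communications Server documentation. The stack names (TCPCS, TCPCS2), the system name (MVSIBM), the client name PROD-TCPCS2, the user IDs, and the password are assumed values chosen for illustration, and the example assumes the IkeConfig statement in the same file already specifies NetworkSecurityServer, NetworkSecurityServerBackup, or both, as the restriction above requires.

```text
# Added example, not from the product documentation. Stack names, system
# name, client name, user IDs and password are assumed/placeholder values.
# Assumes IkeConfig in this file already names an NSS server via
# NetworkSecurityServer and/or NetworkSecurityServerBackup.

# Stack TCPCS on system MVSIBM: both service types, PassTicket authentication.
# ClientName is omitted, so the IKE daemon generates MVSIBM_TCPCS and the
# NSS server checks the SERVAUTH profiles
#   EZB.NSS.MVSIBM.MVSIBM_TCPCS.IPSEC.CERT
#   EZB.NSS.MVSIBM.MVSIBM_TCPCS.IPSEC.NETMGMT
# No password is stored in this file; the client generates a one-time
# session key from the application key held in the RACF database.
NssStackConfig TCPCS
{
   ServiceType RemoteMgmt
   ServiceType Cert
   UserId      NSSCLNT1
   AuthBy      Passticket
}

# Stack TCPCS2: explicit client name (alphanumerics, hyphen, underscore
# only; 1-24 characters), certificate services only, password
# authentication. The RACF password (1-8 characters; CHANGEME is a
# placeholder) sits in clear text in this file, so the file's read access
# must be restricted to authorized users.
NssStackConfig TCPCS2
{
   ClientName  PROD-TCPCS2
   ServiceType Cert
   UserId      NSSCLNT2
   AuthBy      Password CHANGEME
}
```

Because the second statement keeps a RACF password in the configuration file, the first form (AuthBy Passticket) is the one to prefer wherever the secured signon function is available. After editing the file, MODIFY IKED,REFRESH applies the change: a stack whose statement was added gets a new connection, a stack whose statement was removed has its connection closed, and any change to a parameter inside an existing statement causes that stack to disconnect and reconnect.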