NssStackConfig statement

The NssStackConfig statement contains NSS server stack configuration information for the IKE daemon. Only stacks with a corresponding NssStackConfig statement are eligible for management services provided by network security services. Stacks that are not configured with an NssStackConfig statement do not use network security services.

Restriction: NssStackConfig statements require that a valid NSS server is set up in the IkeConfig statement. See the NetworkSecurityServer and NetworkSecurityServerBackup parameters in the IkeConfig statement. It is a configuration error to have an NssStackConfig statement without also specifying a NetworkSecurityServer parameter, a NetworkSecurityServerBackup parameter, or both.

If more than one NssStackConfig statement is coded for the same TCP/IP stack, the last one is used. Likewise, if a parameter within the NssStackConfig statement is specified more than once, the value from the last one is used.

Use the MODIFY IKED,REFRESH command to change which TCP/IP stacks are configured as NSS clients, as follows:
Deleting an NSS client
If it is determined after a refresh that an NssStackConfig statement was removed, then the connection associated with the removed NssStackConfig statement is closed.
Adding an NSS client
If it is determined after a refresh that a new NssStackConfig statement was added, then the connection for the new stack is opened.
Changing internal NssStackConfig values
Any change to an internal parameter of the NssStackConfig statement results in a disconnect followed by a reconnect.

Syntax

>>-NssStackConfig--stackname------------------------------------>

>--| Braces & Parms on Separate Lines |------------------------><

Braces & Parms on Separate Lines

|--+---------------------------------+--------------------------|
   +-{-------------------------------+   
   +-ClientName --clientname---------+   
   | .-----------------------------. |   
   | V                             | |   
   +---ServiceType--+-RemoteMgmt-+-+-+   
   |                '-Cert-------'   |   
   +-UserId userid-------------------+   
   +-AuthBy--+-Password password-+---+   
   |         '-Passticket--------'   |   
   '-}-------------------------------'   

Parameters

stackname
The name of the NSS client TCP/IP stack. This is a required parameter. There is no default value.
ClientName clientname
The NSS client name for the stack. By default, client names have the form sysname_stackname, where the sysname value is the MVS™ system name, and the stackname value is the TCP/IP stack name. This name must match the clientname portion of the associated SERVAUTH profile (EZB.NSS.sysname.clientname.IPSEC.CERT and EZB.NSS.sysname.clientname.IPSEC.NETMGMT) and can be 1 - 24 characters in length.

Restriction: Only alphanumeric characters (a-z, A-Z, 0-9), the hyphen (-), and the underscore (_) are valid for the ClientName parameter. Embedded spaces are also not permitted in the ClientName parameter; only trailing spaces are permitted.

If no client name is configured, then the IKE daemon generates this parameter based on the system's host name and the associated TCP/IP stack name.

For example, if the system host name is MVSIBM and the TCP/IP stack name is TCPCS, then the generated client name is MVSIBM_TCPCS.

ServiceType
The ServiceType parameter should be specified once for each network security service that is to be enabled for the stack. The following service types are supported:
RemoteMgmt
Indicates that this stack is eligible for remote management.
Cert
Indicates that this stack uses centralized certificate management.

Requirement: There must be at least one ServiceType statement in the NssStackConfig statement.

UserId userid
The RACF® user ID that the NSS server uses to authenticate the NSS client and to verify its access to the SERVAUTH profiles that protect the certificate and remote management resources on the NSS server. User IDs can be 1 - 8 characters in length.
AuthBy
Authorization of the client TCP/IP stack to the NSS server can be accomplished either by the use of a password or by a Pass Ticket.
Password password
The password value is the RACF password for the user ID specified on the UserId parameter. There is no default value for the password value; a valid password is required if password authentication is being used. Passwords can be 1 - 8 characters in length.
Passticket
The Pass Ticket option causes the client to generate a one-time session key. See the information about the secured signon function in z/OS Security Server RACF Security Administrator's Guide.
AuthBy is a required parameter and there is no default value. Either the Password option or the Passticket option (but not both) must be specified.
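As an added illustration (not part of IBM's documentation or the IKE daemon's code), the following Python parses a constructed NssStackConfig statement laid out as the syntax diagram shows, applies the "last one is used" rule for repeated stacks and parameters, generates the default sysname_stackname client name, checks the restrictions listed under Parameters, and derives the SERVAUTH profile names that the ClientName must match. The stack, user ID and client name values in the sample are constructed; the mapping of Cert to IPSEC.CERT and RemoteMgmt to IPSEC.NETMGMT is assumed from the profile names quoted above.

```python
import re
# Constructed sample statement (not from IBM's documentation), laid out as the syntax diagram shows.
SAMPLE = """\
NssStackConfig TCPCS
{
  ClientName  MVSIBM_TCPCS
  ServiceType RemoteMgmt
  ServiceType Cert
  UserId      NSSCLNT1
  AuthBy      Passticket
}
"""
CLIENTNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,24}$")  # trailing spaces are stripped before the match

def parse_nss_stack_configs(text, sysname):  # -> {stackname: cfg}; a repeated stack or parameter keeps its last value
    stacks, cur = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] in ("{", "}"):
            continue
        key = parts[0].lower()                     # cfg keys are lowercase: clientname, userid, ...
        if key == "nssstackconfig":
            cur = stacks[parts[1]] = {"stack": parts[1], "servicetype": set()}
        elif key == "servicetype":
            cur["servicetype"].add(parts[1])       # coded once per enabled service
        elif key == "authby":
            cur["authby"] = parts[1]               # Password password | Passticket
            cur["password"] = parts[2] if len(parts) > 2 else None
        else:                                      # embedded spaces are kept so validate() rejects them
            cur[key] = " ".join(parts[1:])
    for cfg in stacks.values():                    # generated default: sysname_stackname
        cfg.setdefault("clientname", f"{sysname}_{cfg['stack']}")
    return stacks

def validate(cfg):  # returns the restrictions from this page that cfg violates; [] means valid
    problems = []
    if not CLIENTNAME_RE.match(cfg["clientname"]):
        problems.append("ClientName: 1-24 chars of a-z A-Z 0-9 - _ and no embedded spaces")
    if not cfg["servicetype"] or not cfg["servicetype"] <= {"RemoteMgmt", "Cert"}:
        problems.append("at least one ServiceType is required, each RemoteMgmt or Cert")
    if not 1 <= len(cfg.get("userid", "")) <= 8:
        problems.append("UserId must be 1-8 characters")
    auth, pw = cfg.get("authby"), cfg.get("password")
    if not (auth == "Passticket" or (auth == "Password" and pw and len(pw) <= 8)):
        problems.append("AuthBy is required: Passticket, or Password with a 1-8 character password")
    return problems

def servauth_profiles(cfg, sysname):  # one SERVAUTH profile per enabled service (assumed mapping)
    suffix = {"Cert": "IPSEC.CERT", "RemoteMgmt": "IPSEC.NETMGMT"}
    return sorted(f"EZB.NSS.{sysname}.{cfg['clientname']}.{suffix[s]}" for s in cfg["servicetype"])
```

Running validate() over each parsed stack before a MODIFY IKED,REFRESH catches a malformed ClientName or a missing AuthBy before the daemon reads the file.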

During the installation, ensure that you prevent access to the IKE configuration file by unauthorized users to protect this sensitive data. The most secure approach to protecting this information is to use Pass Tickets, which store the application keys in the RACF database.