Steps for configuring the NSS server

The network security services (NSS) server supports the IPSec and XMLAppliance disciplines. IPSec discipline services include the IPSec certificate service and the IPSec remote management service, and XMLAppliance discipline services include the XMLAppliance SAF access service, the XMLAppliance certificate service, and the XMLAppliance private key service.

Procedure

Perform the following steps to configure the NSS server:

  1. Create the NSS server configuration file. Use the NSS perspective of the IBM® Configuration Assistant for z/OS® Communications Server to establish the NSS server settings, and then use the Install Configuration File button on the Image Information tab to store the generated NSS server configuration file on the z/OS system.
    Tip: A sample configuration file is provided in /usr/lpp/tcpip/samples/nssd.conf.

    The following search order is used by the NSS server to locate the configuration data set or file:

    1. If the environment variable NSSD_FILE has been defined, the NSS server uses the value as the name of an MVS™ data set or z/OS UNIX file to access the configuration data.
    2. /etc/security/nssd.conf

    You can specify statements in the configuration file using a variety of EBCDIC code pages. Use the NSSD_CODEPAGE environment variable to specify the code page that you want to use. The default code page is IBM-1047.

    The NSS server configuration file allows the URL of a certificate or certificate bundle that is on an HTTP web server to be associated with the label of a certificate on the key ring of the network security server. See Using hash and URL certificate encoding types for additional details.

  2. Optionally, set the _BPX_JOBNAME environment variable. When starting the NSS server from the z/OS shell, set the environment variable _BPX_JOBNAME so that the daemon runs under a specific job name. If it is not set, a process forked from the shell receives a job name formed from the user ID followed by a digit, so a port reservation that names a fixed job name in the TCP/IP profile will not match the NSS server. The job name set by _BPX_JOBNAME can also be used with the STOP or MODIFY console commands. For more information about _BPX_JOBNAME, see z/OS UNIX System Services Planning.
  3. Authorize the NSS server to the external security manager, as described in Steps for authorizing resources for NSS.
  4. Configure and start syslogd. The NSS server uses the local4 facility when writing messages to syslogd. For performance purposes, syslogd should use z/OS File System as its underlying file system. For more information about syslogd, see Configuring the syslog daemon.
  5. Optionally, update the NSS server environment variables. The following environment variables are used by the NSS server and can be tailored to a particular installation.
    NSSD_CODEPAGE
    Use the NSSD_CODEPAGE variable to specify the EBCDIC code page to be used when reading the configuration file. For more information about NSSD environment variables and the supported code pages, see z/OS Communications Server: IP Configuration Reference.
    NSSD_CTRACE_MEMBER
    Used by the NSS server to locate a parmlib member for NSS server CTRACE customization. For more information about the TCP/IP services component trace for the NSS server, see z/OS Communications Server: IP Diagnosis Guide.
    NSSD_FILE
    Used by the NSS server in the search order for the NSS server configuration file. For details about the search order used for locating this configuration file, see step 1.
    NSSD_PIDFILE
    Used by the NSS server in the search order for the NSS server PID file. The search order for the NSS server PID file is as follows:
    1. NSSD_PIDFILE environment variable
    2. /etc/nssd.pid
  6. Set up the NSS server key ring. The NSS server's key ring serves a purpose similar to that of the IKE daemon's key ring: it contains the certificates that are used to create and verify the signatures exchanged during digital signature authentication. A personal certificate or site certificate on the key ring of the NSS server represents the identity of an NSS IPSec client, whereas a certificate on the IKE daemon's key ring represents a local stack's identity. Certificates for all NSS IPSec clients must be on this one key ring.

    If a personal certificate or site certificate that is contained on the key ring of the NSS server is signed by a certificate authority, then the certificate of that certificate authority must also be connected to the key ring of the NSS server. If the certificate authority is a subordinate certificate authority (such as one that was created by another certificate authority) you should ensure that all the certificate authority certificates that make up the trust chain are connected to the key ring of the NSS server.

    The same commands that are used to create and manage the IKE daemon's key ring also apply to the NSS server's key ring. For examples of how to create and manage the IKE daemon's key ring, see Steps for preparing to run IP security.

    You must create a SERVAUTH resource profile for each NSS IPSec client certificate that is added to the key ring of the NSS server. For details, see step 7.d.

  7. Update the TCP/IP profile and policy files. You should update the TCP/IP profile to reserve the port on which the NSS server will listen. If IP security is enabled, consider updating the default IP filter rules in the TCP/IP profile to enable the NSS server to communicate with NSS clients. The IP security policy defined in Policy Agent configuration files must be updated to enable the NSS server to communicate with NSS clients. AT-TLS should be enabled and rules should be defined to protect NSS server communication with NSS clients.

    For additional details concerning these tasks, see TCP/IP stack considerations.

  8. Update the NSS server cataloged procedure (if starting as a started procedure). If the NSS server is to be started by a procedure, create the cataloged procedure by copying the sample in SEZAINST(NSSD) to your system. Specify NSS server parameters and change the data set names to suit your local configuration. For a copy of the sample, see z/OS Communications Server: IP Configuration Reference.
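The following script is an added example, not part of IBM's documentation or of the z/OS Communications Server code. It ties steps 1, 2, 5 and 7 together as a pre-flight check for an NSS server started from the z/OS UNIX shell: it resolves the configuration and PID file paths using the search orders described above (NSSD_FILE, then /etc/security/nssd.conf; NSSD_PIDFILE, then /etc/nssd.pid), warns when _BPX_JOBNAME is unset, and confirms that a TCP/IP profile PORT statement reserves the listening port for the job name the daemon will run under. The profile text is constructed for the example; the job name NSSD, the port 4159 and the profile path are assumptions.

```shell
#!/bin/sh
# Pre-flight checks before starting the NSS server (nssd) from the z/OS UNIX shell.
# Added example, not IBM's code. Job name NSSD, port 4159 and the sample profile
# text below are assumptions constructed for this demonstration.

# Configuration file search order (step 1): NSSD_FILE, then the default path.
nssd_config_path() {
  if [ -n "${NSSD_FILE:-}" ]; then
    printf '%s\n' "$NSSD_FILE"
  else
    printf '%s\n' /etc/security/nssd.conf
  fi
}

# PID file search order (step 5): NSSD_PIDFILE, then the default path.
nssd_pid_path() {
  if [ -n "${NSSD_PIDFILE:-}" ]; then
    printf '%s\n' "$NSSD_PIDFILE"
  else
    printf '%s\n' /etc/nssd.pid
  fi
}

# Read a TCP/IP profile on stdin and report which job name owns <port>/TCP.
# Handles ";" comments, a PORT keyword alone on its line or followed by its first
# entry, entries of the form "<port> <proto> <jobname> [options]", and the block
# ending at the next non-numeric statement (PORTRANGE, SACONFIG, ...).
# Exit status: 0 reserved for the expected job, 1 reserved for another job,
# 2 not reserved for TCP at all.
port_reserved_for() {
  want_port=$1
  want_job=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  owner=$(awk -v port="$want_port" '
    { sub(/;.*/, "") }                             # drop trailing comment
    NF == 0 { next }
    toupper($1) == "PORT" {                        # PORT opens the block
      inport = 1
      if (NF == 1) next
      sub(/^[ \t]*[A-Za-z]+[ \t]+/, "")            # entry on the same line as PORT
    }
    $1 !~ /^[0-9]+$/ { inport = 0; next }          # another statement closes it
    inport && $1 == port && toupper($2) == "TCP" { print toupper($3); exit }
  ')
  if [ -z "$owner" ]; then
    echo "port $want_port/TCP is not reserved in the profile"
    return 2
  fi
  if [ "$owner" != "$want_job" ]; then
    echo "port $want_port/TCP is reserved for $owner, not $want_job"
    return 1
  fi
  echo "port $want_port/TCP is reserved for $owner"
  return 0
}

# Run the checks for one installation: $1 is a z/OS UNIX copy of the TCP/IP
# profile, $2 the port nssd listens on (4159, the IANA-assigned NSS port, assumed).
nssd_preflight() {
  profile=$1
  port=${2:-4159}
  rc=0
  cfg=$(nssd_config_path)
  case $cfg in
    //*) echo "config: $cfg (MVS data set; readability not checked here)" ;;
    *)   if [ -r "$cfg" ]; then echo "config: $cfg"
         else echo "config: $cfg is missing or unreadable"; rc=1; fi ;;
  esac
  if [ -z "${_BPX_JOBNAME:-}" ]; then
    # Without _BPX_JOBNAME a forked daemon gets a job name of <userid><digit>,
    # so a PORT reservation made for a fixed job name will not match it.
    echo "warning: _BPX_JOBNAME is not set; checking the assumed job name NSSD"
  fi
  port_reserved_for "$port" "${_BPX_JOBNAME:-NSSD}" < "$profile" || rc=1
  echo "pid file: $(nssd_pid_path)"
  return $rc
}

# Constructed TCP/IP profile fragment for the demonstration (not a real profile).
SAMPLE_PROFILE='PORT
   7 UDP MISCSERV                    ; echo
   4159 TCP NSSD NOAUTOLOG           ; NSS server
   500 UDP IKED                      ; IKE daemon
PORTRANGE 4000 100 TCP OMVS
'

# Demonstration against the constructed fragment. For a real check, run e.g.:
#   export _BPX_JOBNAME=NSSD; nssd_preflight /u/tcpadm/profile.tcpip 4159
printf '%s' "$SAMPLE_PROFILE" | port_reserved_for 4159 nssd
```

The PORT check looks only at TCP entries, so a UDP reservation on the same port number (as IKE's port 500 in the constructed fragment) does not count. Paths beginning with // are MVS data set names, which the shell's -r test cannot inspect; the script reports them and moves on rather than failing.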

Results

If these steps are completed successfully, you should be able to start the NSS server. For details, see Starting the NSS server.