The network security services (NSS) server supports the
IPSec and XMLAppliance disciplines. IPSec discipline services include
the IPSec certificate service and the IPSec remote management service,
and XMLAppliance discipline services include the XMLAppliance SAF
access service, the XMLAppliance certificate service, and the XMLAppliance
private key service.
Procedure
Perform the following steps to configure the NSS server:
- Create the NSS server configuration file. Use the IBM® Configuration
Assistant for z/OS® Communications
Server to establish NSS server settings. Establish the settings using
the NSS perspective of the Configuration Assistant, and then use the Install
Configuration File button on the Image Information tab
to store the generated NSS server configuration file on the z/OS system.
Tip: A sample configuration file is provided in /usr/lpp/tcpip/samples/nssd.conf.
The NSS server uses the following search order to locate the configuration
data set or file:
- If the environment variable NSSD_FILE has been defined, the NSS
server uses the value as the name of an MVS™ data
set or z/OS UNIX file to access the configuration data.
- /etc/security/nssd.conf
You can specify statements in the configuration file using
a variety of EBCDIC code pages. Use the NSSD_CODEPAGE environment
variable to specify the code page that you want to use. The default
code page is IBM-1047.
The NSS server configuration file allows
the URL of a certificate or certificate bundle that is on an HTTP
web server to be associated with the label of a certificate on the
key ring of the network security server. See Using hash and URL certificate encoding types for additional
details.
- Optionally, set the _BPX_JOBNAME environment variable. When starting the NSS server from the z/OS shell, you should set the environment variable
_BPX_JOBNAME. This enables a specific job name to be used when reserving
ports for the NSS server. This name can also be used with the STOP
or MODIFY console commands. For more information about _BPX_JOBNAME,
see z/OS UNIX System Services Planning.
- Authorize the NSS server to the external security manager,
as described in Steps for authorizing resources for NSS.
- Configure and start syslogd. The NSS server
uses the local4 facility when writing messages to syslogd. For performance
purposes, syslogd should use z/OS File
System as its underlying file system. For more information about syslogd,
see Configuring the syslog daemon.
- Optionally, update the NSS server environment variables. The following environment variables are used by the NSS server
and can be tailored to a particular installation.
- NSSD_CODEPAGE
- Use the NSSD_CODEPAGE variable to specify the EBCDIC code page
to be used when reading the configuration file. For more information
about NSSD environment variables and the supported
code pages, see z/OS Communications Server: IP Configuration
Reference.
- NSSD_CTRACE_MEMBER
- Used by the NSS server to locate a parmlib member for NSS server
CTRACE customization. For more information about the TCP/IP services component trace for the NSS server,
see z/OS Communications Server: IP Diagnosis Guide.
- NSSD_FILE
- Used by the NSS server in the search order for the NSS server
configuration file. For details about the search order used for locating
this configuration file, see step 1.
- NSSD_PIDFILE
- Used by the NSS server in the search order for the NSS server
PID file. The search order for the NSS server PID file is as follows:
- NSSD_PIDFILE environment variable
- /etc/nssd.pid
- Set up the NSS server key ring. The NSS server's
key ring serves a purpose similar to that of the IKE daemon's key ring. It
contains the certificates that are used to create and verify the
signatures exchanged during digital signature authentication.
A personal certificate or site certificate contained on the key ring
of the NSS server represents the identity of an NSS IPSec client,
whereas a certificate contained on the IKE daemon's key ring represents
a local stack's identity. Certificates for all NSS IPSec clients must
be on this one key ring.
If a personal certificate or site certificate
that is contained on the key ring of the NSS server is signed by a
certificate authority, then the certificate of that certificate authority
must also be connected to the key ring of the NSS server. If the
certificate authority is a subordinate certificate authority (such
as one that was created by another certificate authority) you should
ensure that all the certificate authority certificates that make up
the trust chain are connected to the key ring of the NSS server.
The same commands that are used to create and manage the IKE daemon's
key ring also apply to the NSS server's key ring. For examples of
how to create and manage the IKE daemon's key ring, see Steps for preparing to run IP security.
You must create a SERVAUTH resource
profile for each NSS IPSec client certificate that is added to the
key ring of the NSS server. For details, see step 7.d.
- Update the TCP/IP profile and policy files. You
should update the TCP/IP profile to reserve the port on which the
NSS server will listen. If IP security is enabled, consider updating
the default IP filter rules in the TCP/IP profile to enable the NSS
server to communicate with NSS clients. The IP security policy defined
in Policy Agent configuration files must be updated to enable the
NSS server to communicate with NSS clients. AT-TLS should be enabled
and rules should be defined to protect NSS server communication with
NSS clients.
For additional details concerning these tasks, see TCP/IP stack considerations.
- Update the NSS server cataloged procedure (if starting
as a started procedure). If the NSS server is to be started
by a procedure, create the cataloged procedure by copying the sample
in SEZAINST(NSSD) to your system. Specify NSS server parameters and
change the data set names to suit your local configuration. For a copy of the sample, see z/OS Communications Server: IP Configuration
Reference.
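The following z/OS shell script is an added example, not part of the IBM documentation or the NSS server itself. It turns the search orders and environment variables described in steps 1, 2, 4 and 5 into a pre-flight check that can be run before starting nssd from the shell: it resolves the configuration file and PID file exactly as the server will, reports the code page that will be used, verifies that a z/OS UNIX configuration file is readable (an MVS data set name cannot be checked with test -r and is only reported), checks that syslog.conf routes the local4 facility somewhere, and exports _BPX_JOBNAME. The job name NSSD, the syslog.conf path and the sample contents used in the usage note are assumptions; the search orders and the IBM-1047 default come from the page.

```shell
#!/bin/sh
# Added example: pre-flight checks for starting the NSS server (nssd) from the
# z/OS shell. Not IBM code. The job name NSSD and the syslog.conf path passed
# to nssd_preflight are assumptions chosen for illustration.

# Configuration file search order documented for the NSS server:
#   1. $NSSD_FILE (an MVS data set name or a z/OS UNIX path), if set
#   2. /etc/security/nssd.conf
nssd_config_path() {
    if [ -n "${NSSD_FILE:-}" ]; then
        printf '%s\n' "$NSSD_FILE"
    else
        printf '%s\n' /etc/security/nssd.conf
    fi
}

# PID file search order: $NSSD_PIDFILE if set, otherwise /etc/nssd.pid
nssd_pid_path() {
    if [ -n "${NSSD_PIDFILE:-}" ]; then
        printf '%s\n' "$NSSD_PIDFILE"
    else
        printf '%s\n' /etc/nssd.pid
    fi
}

# EBCDIC code page used to read the configuration file; IBM-1047 by default.
nssd_codepage() {
    printf '%s\n' "${NSSD_CODEPAGE:-IBM-1047}"
}

# Report the resolved configuration source. A value beginning with // is an
# MVS data set reference and is reported without being opened; a z/OS UNIX
# path must exist and be readable by the user starting the server.
nssd_config_check() {
    p=$(nssd_config_path)
    case "$p" in
        //*) printf 'mvs-dataset %s\n' "$p"; return 0 ;;
    esac
    if [ -r "$p" ]; then
        printf 'ok %s\n' "$p"; return 0
    fi
    printf 'missing %s\n' "$p"; return 1
}

# nssd writes to syslogd using the local4 facility, so syslog.conf needs a
# non-comment rule that selects local4 (plain "local4.*" or the z/OS
# "userid.jobname.local4.*" form). Returns 0 if such a rule is present.
nssd_syslog_has_local4() {
    grep -Eq '^(local4|[^#]*[.,;]local4)\.' "$1"
}

# Export the job name used for port reservation and for STOP/MODIFY, then
# run the checks above. Returns 0 only when the server can be started.
# Usage: nssd_preflight JOBNAME [SYSLOG_CONF]
nssd_preflight() {
    export _BPX_JOBNAME="${1:-NSSD}"
    conf="${2:-/etc/syslog.conf}"
    printf 'codepage %s\n' "$(nssd_codepage)"
    printf 'pidfile %s\n' "$(nssd_pid_path)"
    nssd_config_check || return 1
    if ! nssd_syslog_has_local4 "$conf"; then
        printf 'no local4 rule in %s\n' "$conf" >&2
        return 1
    fi
}
```

Run nssd_preflight NSSD before starting the server; a non-zero return means either the configuration file the server would pick up does not exist or syslogd has nowhere to put the server's messages, both of which are easier to find now than after the daemon has exited. The check does not replace the SERVAUTH authorization and key ring steps, which it cannot verify from the shell.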
Results
If these steps are completed successfully, you should
be able to start the NSS server. For details, see Starting the NSS server.