Consider the configuration shown in Figure 1.
In this example, note the following configuration:
- Stack STACK1 is defined as an NSS IPSec client in the IKE daemon configuration file on system SYSTEMA. The client name for STACK1 is SYSTEMA_STACK1. The user ID associated with SYSTEMA_STACK1 is A1S1. The user ID A1S1 must be defined to the external security manager on system SYSTEMB.
- Client SYSTEMA_STACK1 is configured to use the NSS certificate
service. On system SYSTEMB, the user ID A1S1 must be given read access
to the following SERVAUTH profile:
EZB.NSS.SYSTEMB.SYSTEMA_STACK1.IPSEC.CERT - Client SYSTEMA_STACK1 is configured to use the NSS remote management
service. On system SYSTEMB, the user ID A1S1 must be given read access
to the following SERVAUTH profile:
EZB.NSS.SYSTEMB.SYSTEMA_STACK1.IPSEC.NETMGMT - The NSS server on system SYSTEMB is configured to use the key
ring EnterpriseRing. This key ring is owned by the NSSD user ID. Certificates
for all NSS IPSec clients are stored on this key ring.
The NSS server's AT-TLS policy must also specify a key ring from which to obtain the NSS server's personal certificate for use during the TLS negotiation with an NSS client. The NSS server's AT-TLS policy can specify the same key ring as the NSS server's configuration file, or it can specify a different key ring. In either case, the AT-TLS policy should specify which personal certificate to use to represent the NSS server by using the CertificateLabel parameter on the TTLSConnectionAdvancedParms statement. If this parameter is not configured, AT-TLS attempts to use the default certificate, if one exists, on the configured key ring. If no default certificate exists on the configured key ring and the CertificateLabel parameter is not configured, the TLS negotiation between the NSS client and the NSS server will fail.
The IKE daemon's AT-TLS policy also specifies a key ring. This key ring is used to locate the certificate that was used to sign the NSS server's personal certificate. If the IKE deamon's AT-TLS key ring does not contain this signing certificate, TLS negotiation will fail to verify the NSS server's certificate and the TLS negotiation between the NSS client and the NSS server will fail.
In this example, there is one Personal certificate stored on the key ring for client SYSTEMA_STACK1. On system SYSYEMB, the user ID A1S1 must be given read access to the following SERVAUTH profile before the NSS server can use this certificate to create a signature for client SYSTEMA_STACK1:
EZB.NSSCERT.SYSTEMB.A1S1_CERT.HOSTIn this example, there is also one CertAuth certificate stored on the key ring that should be advertised to IPSec peers by client SYSTEMA_STACK1. On system SYSYEMB, the user ID A1S1 must be given read access to the following SERVAUTH profile before the NSS server can inform client SYSTEMA_STACK1 that it can advertise this CERTAUTH certificate to its peers:
EZB.NSSCERT.SYSTEMB.CA.CERTAUTH - The user LARRY will issue the ipsec command
with the -z option to monitor and manage
client SYSTEMA_STACK1. On system SYSTEMB, the user ID LARRY must be
given read access to the following SERVAUTH profiles:
EZB.NETMGMT.SYSTEMB.SYSTEMA_STACK1.IPSEC.DISPLAY EZB.NETMGMT.SYSTEMB.SYSTEMA_STACK1.IPSEC.CONTROLThe user LARRY will also issue the ipsec command with the -x option to display information about the NSS server. On system SYSTEMB, the user ID LARRY must be given read access to the following SERVAUTH profile:
EZB.NETMGMT.SYSTEMB.SYSTEMB.NSS.DISPLAYIn addition, the user LARRY will issue the ipsec command with the -w option to display information from the IKE daemon about NSS IPSec clients. On system SYSTEMA, the user ID LARRY must be given read access to the following SERVAUTH profile:
EZB.NETMGMT.SYSTEMA.SYSTEMA.IKED.DISPLAYTip: A wildcard can be used in the profiles to reduce the number of profile entries that must be defined.