Consider the configuration shown in Figure 1.
In this example, note the following configuration:
EZB.NSS.SYSTEMB.SYSTEMA_STACK1.IPSEC.CERT
EZB.NSS.SYSTEMB.SYSTEMA_STACK1.IPSEC.NETMGMT
The NSS server's AT-TLS policy must also specify a key ring from which to obtain the NSS server's personal certificate for use during the TLS negotiation with an NSS client. The NSS server's AT-TLS policy can specify the same key ring as the NSS server's configuration file, or it can specify a different key ring. In either case, the AT-TLS policy should specify which personal certificate to use to represent the NSS server by using the CertificateLabel parameter on the TTLSConnectionAdvancedParms statement. If this parameter is not configured, AT-TLS attempts to use the default certificate, if one exists, on the configured key ring. If no default certificate exists on the configured key ring and the CertificateLabel parameter is not configured, the TLS negotiation between the NSS client and the NSS server will fail.
The IKE daemon's AT-TLS policy also specifies a key ring. This key ring is used to locate the certificate that was used to sign the NSS server's personal certificate. If the IKE daemon's AT-TLS key ring does not contain this signing certificate, TLS negotiation will fail to verify the NSS server's certificate and the TLS negotiation between the NSS client and the NSS server will fail.
In this example, there is one Personal certificate stored on the key ring for client SYSTEMA_STACK1. On system SYSTEMB, the user ID A1S1 must be given read access to the following SERVAUTH profile before the NSS server can use this certificate to create a signature for client SYSTEMA_STACK1:
EZB.NSSCERT.SYSTEMB.A1S1_CERT.HOST
In this example, there is also one CertAuth certificate stored on the key ring that should be advertised to IPSec peers by client SYSTEMA_STACK1. On system SYSTEMB, the user ID A1S1 must be given read access to the following SERVAUTH profile before the NSS server can inform client SYSTEMA_STACK1 that it can advertise this CertAuth certificate to its peers:
EZB.NSSCERT.SYSTEMB.CA.CERTAUTH
EZB.NETMGMT.SYSTEMB.SYSTEMA_STACK1.IPSEC.DISPLAY
EZB.NETMGMT.SYSTEMB.SYSTEMA_STACK1.IPSEC.CONTROL
The user LARRY will also issue the ipsec command with the -x option to display information about the NSS server. On system SYSTEMB, the user ID LARRY must be given read access to the following SERVAUTH profile:
EZB.NETMGMT.SYSTEMB.SYSTEMB.NSS.DISPLAY
In addition, the user LARRY will issue the ipsec command with the -w option to display information from the IKE daemon about NSS IPSec clients. On system SYSTEMA, the user ID LARRY must be given read access to the following SERVAUTH profile:
EZB.NETMGMT.SYSTEMA.SYSTEMA.IKED.DISPLAY
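The SERVAUTH permissions this example calls for, written out as RACF commands (an added illustration, not taken from the original page or from IBM): each profile is defined with UACC(NONE) so that only the explicitly permitted user ID can read it, and RLIST with AUTHUSER is used afterwards to confirm the access list. Assumptions: the SERVAUTH class is already active and RACLISTed on both systems; the two EZB.NSS profiles are permitted to A1S1, the user ID the NSS client SYSTEMA_STACK1 uses in this example; and the two EZB.NETMGMT.SYSTEMB.SYSTEMA_STACK1.IPSEC profiles, whose introductory sentence is missing above, are permitted to LARRY.

```tso
/* ---- On SYSTEMB (where the NSS server runs) ---- */

/* NSS client SYSTEMA_STACK1 authenticates as A1S1 (assumption, per the example) */
RDEFINE SERVAUTH EZB.NSS.SYSTEMB.SYSTEMA_STACK1.IPSEC.CERT UACC(NONE)
RDEFINE SERVAUTH EZB.NSS.SYSTEMB.SYSTEMA_STACK1.IPSEC.NETMGMT UACC(NONE)
PERMIT EZB.NSS.SYSTEMB.SYSTEMA_STACK1.IPSEC.CERT CLASS(SERVAUTH) ID(A1S1) ACCESS(READ)
PERMIT EZB.NSS.SYSTEMB.SYSTEMA_STACK1.IPSEC.NETMGMT CLASS(SERVAUTH) ID(A1S1) ACCESS(READ)

/* Personal certificate the NSS server may use to sign on behalf of SYSTEMA_STACK1 */
RDEFINE SERVAUTH EZB.NSSCERT.SYSTEMB.A1S1_CERT.HOST UACC(NONE)
PERMIT EZB.NSSCERT.SYSTEMB.A1S1_CERT.HOST CLASS(SERVAUTH) ID(A1S1) ACCESS(READ)

/* CertAuth certificate SYSTEMA_STACK1 is allowed to advertise to its IPSec peers */
RDEFINE SERVAUTH EZB.NSSCERT.SYSTEMB.CA.CERTAUTH UACC(NONE)
PERMIT EZB.NSSCERT.SYSTEMB.CA.CERTAUTH CLASS(SERVAUTH) ID(A1S1) ACCESS(READ)

/* ipsec command access for LARRY; the first two grants are an assumption */
RDEFINE SERVAUTH EZB.NETMGMT.SYSTEMB.SYSTEMA_STACK1.IPSEC.DISPLAY UACC(NONE)
RDEFINE SERVAUTH EZB.NETMGMT.SYSTEMB.SYSTEMA_STACK1.IPSEC.CONTROL UACC(NONE)
RDEFINE SERVAUTH EZB.NETMGMT.SYSTEMB.SYSTEMB.NSS.DISPLAY UACC(NONE)
PERMIT EZB.NETMGMT.SYSTEMB.SYSTEMA_STACK1.IPSEC.DISPLAY CLASS(SERVAUTH) ID(LARRY) ACCESS(READ)
PERMIT EZB.NETMGMT.SYSTEMB.SYSTEMA_STACK1.IPSEC.CONTROL CLASS(SERVAUTH) ID(LARRY) ACCESS(READ)
PERMIT EZB.NETMGMT.SYSTEMB.SYSTEMB.NSS.DISPLAY CLASS(SERVAUTH) ID(LARRY) ACCESS(READ)

/* Activate the new definitions in the in-storage SERVAUTH profiles */
SETROPTS RACLIST(SERVAUTH) REFRESH

/* Verify: only A1S1 should appear in the access list, and UACC must be NONE */
RLIST SERVAUTH EZB.NSSCERT.SYSTEMB.A1S1_CERT.HOST AUTHUSER

/* ---- On SYSTEMA (where LARRY queries the IKE daemon with ipsec -w) ---- */
RDEFINE SERVAUTH EZB.NETMGMT.SYSTEMA.SYSTEMA.IKED.DISPLAY UACC(NONE)
PERMIT EZB.NETMGMT.SYSTEMA.SYSTEMA.IKED.DISPLAY CLASS(SERVAUTH) ID(LARRY) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH
RLIST SERVAUTH EZB.NETMGMT.SYSTEMA.SYSTEMA.IKED.DISPLAY AUTHUSER
```

Until the SETROPTS RACLIST REFRESH runs, the NSS server and the ipsec command continue to evaluate the previously RACLISTed copies of these profiles, so a missing refresh shows up as unexpected authorization failures.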