Use the ipsec command to display information about NSS IPSec clients that are connected to the NSS server. You can also use this command to manage NSS IPSec clients that are enabled to use the NSS IPSec remote management service and that are currently connected to the NSS server.
Use the -x primary option on the ipsec command to display connection information about NSS IPSec clients connected to the NSS server.
ipsec -x display
CS V1R12 ipsec NS Client Name: n/a Mon Nov 27 12:40:02 2006
Primary: NS Server Function: Display Format: Detail
Source: Server Scope: n/a TotAvail: 1
SystemName: MVS052
ClientName: client4
ClientAPIVersion: 2
StackName: TCPCS4
SystemName: MVS052
ClientIPAddress: ::ffff:10.10.10.1
ClientPort: 50003
ServerIPAddress: ::ffff:10.10.10.99
ServerPort: 4159
UserID: USER1
RemoteManagementSelected: Yes
RemoteManagementEnabled: Yes
CertificateServicesSelected: Yes
CertificateServicesEnabled: Yes
ConnectState: connected
TimeConnected: 2006/11/27 12:37:08
TimeOfLastMessageFromClient: 2006/11/27 12:37:08
***********************************************************************
1 entries selected
Use the nssctl command to display information about all of NSS clients that are connected to the NSS server.
nssctl -d
CS V1R12 nssctl SystemName: MVS046 Mon Jun 9 17:05:16 2008
Function: Display NSSClientName: n/a
ClientName: MVS046_TCPCS
ClientAPIVersion: 2
StackName: TCPCS
SystemName: MVS046
ClientIPAddress: ::ffff:9.42.105.149
ClientPort: 50000
ServerIPAddress: ::ffff:9.42.105.149
ServerPort: 4159
UserID: user1
ConnectState: connected
TimeConnected: 2008/06/09 12:22:32
TimeOfLastMessageFromClient: 2008/06/09 12:22:48
Discipline: IPSec
CertificateServiceSelected: Yes
CertificateServiceEnabled: Yes
RemoteManagementSelected: Yes
RemoteManagementEnabled: Yes
***************************************************************
ClientName: XMLAllClient1
ClientAPIVersion: 3
StackName: Any
SystemName: dpsys01
ClientIPAddress: ::ffff:9.42.105.149
ClientPort: 1026
ServerIPAddress: ::ffff:9.42.105.149
ServerPort: 4159
UserID: USER1
ConnectState: connected
TimeConnected: 2008/06/09 17:05:11
TimeOfLastMessageFromClient: 2008/06/09 17:05:11
Discipline: XMLAppliance
CertificateServiceSelected: Yes
CertificateServiceEnabled: Yes
PrivateKeyServiceSelected: Yes
PrivateKeyServiceEnabled: Yes
SAFAccessServiceSelected: Yes
SAFAccessServiceEnabled: Yes
***************************************************************
2 entries selected
Use the -z option on the ipsec command to specify the name of an NSS client rather than a name of a local TCP/IP stack. When the -z option is specified, the ipsec command obtains information about the NSS client from the NSS server. The -z option is valid only on the system that is running the NSS server. The NSS client that is identified by the -z option must be connected to the NSS server. The NSS client must also be enabled to use the NSS remote management service. The following example uses the -z option to display phase 2 Security Association information about the NSS client client4, where the name client4 was obtained from the previous ipsec -x display command.
ipsec -y display -z client4
CS V1R12 ipsec NS Client Name: client4 Mon Nov 27 12:44:35 2006
Primary: Dynamic tunnel Function: Display Format: Detail
Source: Stack Scope: Current TotAvail: 1
TunnelID: Y2
Generation: 1
IKEVersion: 1.0
ParentIKETunnelID: K1
VpnActionName: Dvpn
LocalDynVpnRule: mvs052_192
State: Active
HowToEncap: Tunnel
LocalEndPoint: 10.10.10.1
RemoteEndPoint: 10.10.10.2
LocalAddressBase: 10.10.10.1
LocalAddressPrefix: n/a
LocalAddressRange: n/a
RemoteAddressBase: 10.10.10.2
RemoteAddressPrefix: n/a
RemoteAddressRange: n/a
HowToAuth: AH
AuthAlgorithm: Hmac_Sha
AuthInboundSpi: 2401615039
AuthOutboundSpi: 1971620597
HowToEncrypt: 3DES
EncryptInboundSpi: 4088723240
EncryptOutboundSpi: 445063417
Protocol: ALL(0)
LocalPort: 0
LocalPortRange: n/a
RemotePort: 0
RemotePortRange: n/a
Type: n/a
TypeRange: n/a
Code: n/a
CodeRange: n/a
OutboundPackets: 0
OutboundBytes: 0
InboundPackets: 0
InboundBytes: 0
Lifesize: 0K
LifesizeRefresh: 0K
CurrentByteCount: 0b
LifetimeRefresh: 2006/11/27 14:09:19
LifetimeExpires: 2006/11/27 14:44:19
CurrentTime: 2006/11/27 12:44:35
VPNLifeExpires: 2007/03/07 12:44:19
NAT Traversal Topology:
UdpEncapMode: No
LclNATDetected: No
RmtNATDetected: No
RmtNAPTDetected: No
RmtIsGw: n/a
RmtIsZOS: n/a
zOSCanInitP2SA: n/a
RmtUdpEncapPort: n/a
SrcNATOARcvd: n/a
DstNATOARcvd: n/a
PassthroughDF: No
PassthroughDSCP: No
***********************************************************************
1 entries selected
For details about the ipsec command, see z/OS Communications Server: IP System Administrator's Commands.