NSS IPSec clients can use the NSS certificate service when negotiating
phase 1 Security Associations. Network monitoring applications can
use the NSS remote management service to display information about
NSS IPSec clients. The NSS server should be treated as an application
that requires high availability, an application that is able to recover
quickly from an outage that impacts the ability of the NSS server
to respond to IPSec clients.
Recovery configurations for the NSS server include:
- For recovery of NSS server workload by another NSS server within
a sysplex, configure NSS IPSec clients to connect to the NSS server
on a non-distributed dynamic VIPA. TCP/IP stacks configured as backup
for the dynamic VIPA must have the necessary external security manager
definitions and certificates to support the NSS IPSec clients, and
an NSS server must be running on the z/OS® system
hosting the TCP/IP stack configured as backup.
Guideline: Do not configure NSS IPSec clients to connect to a distributed
DVIPA address on the NSS server. If a distributed DVIPA is used, the ipsec command
and IPSec NMI can manage only NSS IPSec clients that have been distributed
to the system on which the ipsec command is being
run or to the system on which the IPSec NMI is invoked.
- Alternatively, you can configure an IKE daemon running as an NSS
IPSec client to connect to a backup NSS server with the NetworkSecurityServerBackup
parameter on the IkeConfig statement in the IKE daemon configuration
file. When the IKE daemon is unable to connect to the primary NSS
server, or when it loses its connection with the primary server, the
IKE daemon attempts to connect to the server configured as backup.
This recovery configuration can be used regardless of sysplex configurations.
The backup server must be configured with all necessary external security
manager definitions and certificates to support the NSS IPSec clients.
For additional details about the IkeConfig statement, see z/OS Communications Server: IP Configuration
Reference.