IP Services: Ensure ICSF is active before starting the NSS daemon in FIPS 140 mode
Description
As of z/OS V2R1, FIPS 140 support now requires ICSF services. If the NSS daemon is configured in FIPS 140 mode, the daemon will fail to activate if ICSF is not active. Ensure that ICSF is started before starting the NSS daemon if it is configured in FIPS 140 mode.
Table 1 provides more details about this migration action. Use this information to plan your changes to the system.
| Element or feature: | Communications Server. |
|---|---|
| When change was introduced: | z/OS V2R1. |
| Applies to migration from: | z/OS V1R13. |
| Timing: | Before the first IPL of z/OS V2R2. |
| Is the migration action required? | Yes, if the NSS daemon is configured in FIPS 140 mode. |
| Target system hardware requirements: | None. |
| Target system software requirements: | ICSF must be active. |
| Other system (coexistence or fallback) requirements: | None. |
| Restrictions: | None. |
| System impacts: | The NSS daemon will fail to initialize. |
| Related IBM Health Checker for z/OS check: | None. |
Steps to take
If the NSS daemon is configured in FIPS 140 mode, ensure that ICSF is active prior to starting the NSS daemon.
Reference information
For more information, see "Steps for preparing the z/OS system for IP security" and " Steps for configuring IP security to support FIPS 140 mode" in Chapter 19 "IP Security" in z/OS Communications Server: IP Configuration Guide.