9.2.7 Configuring the NSS server for an IKED client

The NSS server requires a configuration file, environment variables, a job or procedure with which to start it, changes to the TCP/IP profile, an AT-TLS policy, and TLS and IPSec certificates. This section explains each of these elements.

The NSS configuration file

The NSS server requires a configuration file, which you can create using either of these methods:

- Copy nssd.conf from /usr/lpp/tcpip/samples into /etc and then modify the copied file.
- Create the nssd.conf file with the Network Configuration Assistant.

Initially, for our scenario, we chose to create the file manually from the sample file stored in the HFS. Later, we let the IBM Configuration Assistant create the file so that we could compare the two methods.

Example 9-23 shows the pertinent parts of our NSS configuration file, which we stored in /etc as nssd.sc33.conf.

Example 9-23 The /etc/nssd.sc33.conf file created from nssd.conf in /usr/lpp/tcpip/samples

    #
    # IBM Communications Server for z/OS
    # SMP/E distribution path: /usr/lpp/tcpip/samples/IBM/EZANSCFG
    #
    NssConfig
    {
      # Port portNumber (dynamically modifiable)
      #   This is the TCP port that the Network Security Server will bind to.
      #   Default: 4159
      Port 4159                                                    (1)
      #
      # SyslogLevel 0-255 (dynamically modifiable)
      #   Default: 1
      SyslogLevel 255                                              (2)
      #
      # KeyRing userid/ringname (dynamically modifiable)
      #   This is the keyring holding the IKE certificates for IKED Server/Clients
      KeyRing NSSD/NSSD_keyring                                    (3)
      #
      # Discipline disciplineName Enable | Disable (dynamically modifiable)
      #   Default: IPSec Enable
      #   Default: XMLAppliance Enable
      Discipline IPSec Enable                                      (4)
      Discipline XMLAppliance Enable                               (5)
    }

In this example, we specify at (1) the port to which the NSS server binds and on which it listens when it initializes. Port 4159 is the default port. At (2) we specify a SYSLOG level of 255, the maximum, which helps with problem determination; the comment in the sample file shows the default level as 1. We set the level this high to ensure that we trap all possible messages. Every directive in the block is marked dynamically modifiable, so the level can be lowered again once problem determination is complete without restarting the server.
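As an added example, not code from the Redbook or from IBM, the following Python module parses an nssd.conf-style NssConfig block and checks the directives shown in Example 9-23 against the constraints their comments state (Port is a TCP port, SyslogLevel is 0 to 255, KeyRing is userid/ringname, Discipline takes a name plus Enable or Disable). The grammar is inferred from the sample on this page (a brace-delimited block, one directive per line, "#" comments); the RACF-style user ID pattern and the warning that SyslogLevel 255 is a problem-determination setting are assumptions made for the linter, and the embedded configuration is a constructed copy of the example with the callout numbers removed.

```python
"""Parse and sanity-check an nssd.conf-style NssConfig block.

Added example, not from the Redbook or from IBM. The grammar is inferred
from the sample on the page: an NssConfig { ... } block, one directive per
line, '#' comments. Constraints come from the sample's own comments; the
user-ID pattern and the SyslogLevel 255 warning are assumptions.
"""
import re

# Constructed input: the page's Example 9-23 with the callout digits removed.
SAMPLE_CONF = """\
# IBM Communications Server for z/OS (constructed copy of the example)
NssConfig
{
  # Port portNumber (dynamically modifiable)
  Port 4159
  # SyslogLevel 0-255 (dynamically modifiable)
  SyslogLevel 255
  # KeyRing userid/ringname (dynamically modifiable)
  KeyRing NSSD/NSSD_keyring
  # Discipline disciplineName Enable | Disable (dynamically modifiable)
  Discipline IPSec Enable
  Discipline XMLAppliance Enable
}
"""

SINGLE_VALUED = ("Port", "SyslogLevel", "KeyRing")

def _strip_comments(text):
    """Drop everything from '#' to end of line, as the sample file does."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def parse_nssd_conf(text):
    """Return the directives of the NssConfig block as a dict.

    Port, SyslogLevel and KeyRing map to their string value; Discipline maps
    to a {name: state} dict; any other directive is kept as its raw argument
    string so the linter can report it as unchecked.
    """
    match = re.search(r"\bNssConfig\s*\{(.*?)\}", _strip_comments(text), re.S)
    if not match:
        raise ValueError("no NssConfig { ... } block found")
    conf = {"Discipline": {}}
    for raw in match.group(1).splitlines():
        parts = raw.split()
        if not parts:
            continue
        name, args = parts[0], parts[1:]
        if name == "Discipline":
            if len(args) != 2:
                raise ValueError(f"Discipline needs a name and Enable|Disable: {raw.strip()}")
            conf["Discipline"][args[0]] = args[1]
        elif name in SINGLE_VALUED:
            if len(args) != 1:
                raise ValueError(f"{name} takes exactly one value: {raw.strip()}")
            if name in conf:
                raise ValueError(f"{name} is specified more than once")
            conf[name] = args[0]
        else:
            conf[name] = " ".join(args)
    return conf

def lint_nssd_conf(conf):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    port = conf.get("Port", "4159")  # default stated in the sample's comment
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"Port: {port!r} is not a valid TCP port")
    level = conf.get("SyslogLevel", "1")  # default stated in the sample's comment
    if not level.isdigit() or not 0 <= int(level) <= 255:
        findings.append(f"SyslogLevel: {level!r} is outside 0-255")
    elif int(level) == 255:
        # Assumption: full tracing is for problem determination, not steady state.
        findings.append("SyslogLevel 255 traps every message; lower it after problem determination")
    keyring = conf.get("KeyRing")
    if keyring is None:
        findings.append("KeyRing: missing; the server needs the ring holding the IKE certificates")
    elif not re.fullmatch(r"[A-Za-z0-9@#$]{1,8}/[^/\s]+", keyring):
        # Assumption: RACF-style user ID (1-8 chars) followed by '/' and a ring name.
        findings.append(f"KeyRing: {keyring!r} is not of the form userid/ringname")
    for name, state in conf.get("Discipline", {}).items():
        if state not in ("Enable", "Disable"):
            findings.append(f"Discipline {name}: {state!r} must be Enable or Disable")
    for name in conf:
        if name not in SINGLE_VALUED and name != "Discipline":
            findings.append(f"{name}: directive not checked by this linter")
    return findings

if __name__ == "__main__":
    for finding in lint_nssd_conf(parse_nssd_conf(SAMPLE_CONF)) or ["no findings"]:
        print(finding)
```

Run against the example, the only finding is the SyslogLevel 255 warning; with the level lowered to the documented default of 1 the linter is silent, so it can be run on a candidate file before the change is applied with a MODIFY refresh.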