Communications between the NSS server and NSS clients must be secured
using Application Transparent Transport Layer Security (AT-TLS). You
must define AT-TLS rules to secure this communication. Enable AT-TLS
processing for a stack by specifying the TTLS parameter on the TCPCONFIG
statement in the TCP/IP profile. Specific AT-TLS policy is configured
in Policy Agent configuration files. For details about enabling AT-TLS
and configuring AT-TLS policy, see Application Transparent Transport Layer Security data protection.
Tip: Define the AT-TLS policy so that only cipher suites that provide
encryption can be negotiated with NSS clients. TLS also defines
NULL-encryption cipher suites that authenticate and integrity-protect the
session but do not encrypt it; if the policy lists one of them, an NSS
client and the NSS server can negotiate it, and sensitive information
then flows in the clear across an untrusted network.
Rule: You must define AT-TLS policy
for each stack through which the NSS server will communicate with
an NSS client.
Requirement: The NSS server acts as
the server during the TLS/SSL handshake. To act in the server role of
a TLS/SSL handshake, the NSS server must have access to a private key
and to a certificate that binds that private key to the NSS server's
identity. For information about creating and managing keys and
certificates for servers using AT-TLS, see
TLS/SSL security.
A sample AT-TLS policy is located in /usr/lpp/tcpip/samples/pagent_TTLS.conf.
Rule: The LocalPortRange value on the
TTLSRule statement must include the value specified on the port parameter
of the NssConfig statement in the NSS server configuration file.
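The following AT-TLS policy fragment is an added example that ties the
rules above together; it is not the sample shipped in
/usr/lpp/tcpip/samples/pagent_TTLS.conf and not IBM's own configuration. It
assumes that the TCP/IP profile already contains a TCPCONFIG statement with
the TTLS parameter, that the NSS server runs under job name NSSD with
Port 4159 (the NSS server's default) on its NssConfig statement, and that
the server's private key and certificate are on a SAF keyring named
NSSD/NSSDring. The job name, port and keyring name are assumptions to be
replaced with your own values.

```text
# Added example policy for securing NSS server to NSS client traffic.
# Assumed values: job name NSSD, NssConfig Port 4159, keyring NSSD/NSSDring.

# Match inbound connections to the NSS server listening port.
# LocalPortRange must include the Port value on the NssConfig statement.
TTLSRule                          NSSServerRule
{
   LocalPortRange                 4159
   Direction                      Inbound
   Jobname                        NSSD
   Priority                       255
   TTLSGroupActionRef             NSSServerGroupAction
   TTLSEnvironmentActionRef       NSSServerEnvAction
}

# Turn AT-TLS processing on for connections that match the rule.
TTLSGroupAction                   NSSServerGroupAction
{
   TTLSEnabled                    On
}

# The NSS server takes the server role, so the keyring must hold its
# private key and the certificate that binds that key to the server.
TTLSEnvironmentAction             NSSServerEnvAction
{
   HandshakeRole                  Server
   TTLSKeyringParms
   {
      Keyring                     NSSD/NSSDring
   }
   TTLSCipherParmsRef             NSSServerCipherParms
}

# List only cipher suites that encrypt. Do not list NULL-encryption
# suites such as TLS_RSA_WITH_NULL_SHA: a single such entry lets a
# client negotiate a session that carries NSS data in the clear.
TTLSCipherParms                   NSSServerCipherParms
{
   V3CipherSuites                 TLS_RSA_WITH_AES_256_CBC_SHA
   V3CipherSuites                 TLS_RSA_WITH_AES_128_CBC_SHA
}
```

A separate TTLSRule of this shape is needed for every stack the NSS server
listens on, because AT-TLS policy is applied per stack. If NssConfig
specifies a port other than 4159, change LocalPortRange to match, otherwise
the rule never fires and the NSS connections are not protected.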