The NSS IPSec discipline includes the NSS IPSec certificate service and NSS IPSec remote management service.
The NSS server provides the NSS IPSec certificate service to perform digital signature and verification operations on behalf of an NSS IPSec client. The NSS IPSec certificate service is used by an NSS IPSec client during a phase 1 negotiation when digital signature authentication is required. Certificates and private keys for all NSS IPSec clients are stored on a single key ring. The NSS server must have access to this key ring and must have access to the certificates and private keys on this key ring. When providing the NSS IPSec certificate service, the NSS server consults SERVAUTH profiles to verify that an NSS IPSec client is authorized to access the certificates that are involved. For details about these profiles, see step 7.d and step 7.e, under Steps for authorizing resources for NSS.
The NSS server uses the NSS IPSec remote management service to request IPSec monitoring data from an NSS IPSec client and to make IPSec control requests to an NSS IPSec client. Control requests include the ability to activate, deactivate, or refresh a Security Association, and to switch between default IP filter policy and IP security filter policy. Use the ipsec command and the IPSec network management interface (NMI) to make these requests. For details about the ipsec command, see z/OS Communications Server: IP System Administrator's Commands. For details about the IPSec NMI, see z/OS Communications Server: IP Programmer's Guide and Reference.