NSS client connection problems

The following table lists common problems when a network security services (NSS) client is unable to obtain services from the NSS server.

Table 1. Common NSS client connection problems

Problem: SSL is not properly configured for the NSS client connection to the NSS server.
Symptom: NSS client fails to connect. When NSS server syslog level 8 is set (NSS_SYSLOG_LEVEL_CLIENTLIFECYCLE), debug message DBG0104I is generated:
  DBG0104I NSS_LIFECYCLE NSS connID 1 - the connection is not secure - the connection will be closed
Cause/response:
For NSS IPSec client connections:
For NSS XMLAppliance client connections:
  • The NSS XMLAppliance client must support an SSL/TLS negotiation protocol that is compatible with the one configured for the NSS server.
  • The NSS server stack must have AT-TLS enabled with the TCPCONFIG TTLS statement in the TCP/IP profile.
  • AT-TLS policies must be defined for the NSS server stack to secure the connection. See AT-TLS policy in z/OS Communications Server: IP Configuration Guide.
  • If AT-TLS is enabled on the server stack and the definition is configured on the server stack, but DBG0104I is still displayed, see Diagnosing Application Transparent Transport Layer Security (AT-TLS). Configuration of the client's TLS settings is left to the client application's implementation.
Problem: The userid used for the NSS client connection to the NSS server has insufficient authority to access the services requested.
Symptom: When NSS server syslog level 2 is set (NSS_SYSLOG_LEVEL_VERBOSE), debug message DBG0032I is generated. For example:
  DBG0032I NSS_VERBOSE ServauthCheck (USER2   , EZB.NSS.MVS093.CLIENT2.IPSEC.CERT) rc 4 (DENY) racfRC 4 racfRsn 0
Cause/response: SAF resource permissions are required to access NSS IPSec services:
  • EZB.NSS.sysname.clientname.IPSEC.CERT
  • EZB.NSS.sysname.clientname.IPSEC.NETMGMT
SAF resource permissions are required to access the NSS XMLAppliance services:
  • EZB.NSS.sysname.clientname.XMLAPPLIANCE.SAFACCESS
  • EZB.NSS.sysname.clientname.XMLAPPLIANCE.CERT
  • EZB.NSS.sysname.clientname.XMLAPPLIANCE.PRIVKEY

These resources must be defined on the NSS server system and the client userid must be permitted read access to them.

Problem: An NSS client appears to be connected to two instances of the NSS server.
Symptom: For an NSS IPSec client, the ipsec -x display for both NSS servers shows the same client connected. For an NSS client, the nssctl -d display for both NSS servers shows the same client connected.
Cause/response: Under normal termination, an NSS client issues a disconnect to close its connection with the NSS server. In some rare recovery situations, the NSS server may not be aware that a connection with an NSS client has ended. When the client restarts or attempts to reconnect, it may connect to a different NSS server instance, such as the backup server or an NSS server on another system when the client is connecting on a distributed dynamic VIPA.

Use the ipsec -w display on the system running the affected NSS IPSec client to determine which NSS server the IPSec client is actually connected to. Optionally, use the Netstat DRop/-D command to close out the old connection on the other NSS server.

Problem: NSS clients are failing to connect to the NSS server.
Symptom: The NSS server issues the EZD1371I console message to indicate the disabled discipline and closes the connection.
Cause/response: The NSS server has been configured to disable the specified discipline. Modify the NSS server configuration to enable the specified discipline. See z/OS Communications Server: IP Configuration Reference for more information about the NSS server configuration.

The following table lists common problems when requests from a network security services (NSS) client fail.

Table 2. Common NSS client request failures

Problem: The userid used for the NSS client connection has insufficient authority to access client certificates.
Symptom: When NSS server syslog level 4 is set (NSS_SYSLOG_LEVEL_CERTINFO), debug message DBG0004I is generated:
  DBG0004I NSS_CERTINFO Client MVS093_TCPCS3 connected as userid USER1 is not authorized to profile EZB.NSSCERT.VIC012.NSCLIENT3.HOST associated with matching certificate ( NSCLIENT3 ) for request 00000000000000150000000000000000
Cause/response: SAF resource permissions are required to access certificates from the NSS server:
  • EZB.NSSCERT.sysname.mappedlabelname.HOST
  • EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH

These resources must be defined on the NSS server system and the client userid must be permitted read access to them.

Problem: The userid used for the NSS client connection has insufficient authority to access the private keys associated with client certificates.
Symptom: When NSS server syslog level 4 is set (NSS_SYSLOG_LEVEL_CERTINFO), debug message DBG0004I is generated:
  Jun 25 14:54:43 MVS093 NSSD: DBG0004I NSS_CERTINFO Client XML_ClientB8 connected as userid USER198 is not authorized to profile EZB.NSSCERT.MVS093.KEY1024ICSF.PRIVKEY associated with matching certificate ( Key1024ICSF ) for request 9987A24B879696844B824BF0F0F10000
Cause/response: SAF resource permissions are required to access private keys associated with certificates from the NSS server:
  • EZB.NSSCERT.sysname.mappedlabelname.PRIVKEY

These resources must be defined on the NSS server system and the client userid must be permitted read access to them.
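To turn the DBG0032I, DBG0004I and DBG0104I messages shown in Tables 1 and 2 into an actionable list, here is an added Python example (not part of the z/OS Communications Server documentation or product) that scans NSS server syslog output, groups SAF denials by profile and drafts the matching RACF PERMIT commands for an administrator to review. It assumes each syslog record arrives on one line and that the EZB.NSS.* and EZB.NSSCERT.* profiles are SERVAUTH-class resources; the sample log lines are constructed from the message examples above.

```python
import re
from collections import defaultdict

# Constructed sample of NSS server syslog records, modelled on the DBG0032I,
# DBG0004I and DBG0104I examples above. Assumption: one record per line.
SAMPLE_LOG = """\
Jun 25 14:50:01 MVS093 NSSD: DBG0032I NSS_VERBOSE ServauthCheck (USER2   , EZB.NSS.MVS093.CLIENT2.IPSEC.CERT) rc 4 (DENY) racfRC 4 racfRsn 0
Jun 25 14:50:09 MVS093 NSSD: DBG0032I NSS_VERBOSE ServauthCheck (USER7   , EZB.NSS.MVS093.CLIENT2.IPSEC.CERT) rc 4 (DENY) racfRC 4 racfRsn 0
Jun 25 14:54:43 MVS093 NSSD: DBG0004I NSS_CERTINFO Client XML_ClientB8 connected as userid USER198  is not authorized to profile EZB.NSSCERT.MVS093.KEY1024ICSF.PRIVKEY associated with matching certificate ( Key1024ICSF ) for request 9987A24B879696844B824BF0F0F10000
Jun 25 14:55:10 MVS093 NSSD: DBG0104I NSS_LIFECYCLE NSS connID 1 - the connection is not secure - the connection will be closed
"""

# DBG0032I: SAF check of an EZB.NSS.* profile at connect time; rc 4 means DENY.
SERVAUTH_RE = re.compile(
    r"DBG0032I NSS_VERBOSE ServauthCheck \((\S+)\s*,\s*(\S+)\)\s+rc (\d+) \((\w+)\)")
# DBG0004I: per-request check of an EZB.NSSCERT.* profile (certificate or private key).
CERTINFO_RE = re.compile(
    r"DBG0004I NSS_CERTINFO Client (\S+)\s+connected as userid (\S+)\s+"
    r"is not authorized to profile (\S+)")
# DBG0104I: connection closed because AT-TLS did not secure it.
LIFECYCLE_RE = re.compile(
    r"DBG0104I NSS_LIFECYCLE\s+NSS connID\s+(\d+)\s+-\s+the connection is not secure")


def parse_nss_syslog(text):
    """Return ({profile: [denied userids]}, [connIDs closed as not secure])."""
    denials = defaultdict(set)
    insecure = []
    for line in text.splitlines():
        m = SERVAUTH_RE.search(line)
        if m and m.group(4) == "DENY":
            denials[m.group(2)].add(m.group(1))
            continue
        m = CERTINFO_RE.search(line)
        if m:
            denials[m.group(3)].add(m.group(2))
            continue
        m = LIFECYCLE_RE.search(line)
        if m:
            insecure.append(int(m.group(1)))
    return {p: sorted(u) for p, u in denials.items()}, insecure


def permit_commands(denials):
    """Draft one RACF PERMIT per (profile, userid) for an administrator to review.
    Assumption: the NSS profiles are SERVAUTH-class resources (what ServauthCheck tests)."""
    cmds = [f"PERMIT {profile} CLASS(SERVAUTH) ID({user}) ACCESS(READ)"
            for profile in sorted(denials) for user in denials[profile]]
    if cmds:
        cmds.append("SETROPTS RACLIST(SERVAUTH) REFRESH")
    return cmds
```

A connID reported in the second return value points at the AT-TLS checks in Table 1 rather than at a SAF permission, so it is kept separate from the PERMIT drafts.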