NSS client connection problems
The following table lists common problems when a network security services (NSS) client is unable to obtain services from the NSS server.
Problem | Symptom | Cause/response |
---|---|---|
SSL is not properly configured for the NSS client connection to the NSS server. NSS client fails to connect. | When NSS server syslog level 8 is set (NSS_SYSLOG_LEVEL_CLIENTLIFECYCLE), debug message DBG0104I is generated: | For NSS IPSec client connections: For NSS XMLAppliance client connections: |
The userid used for the NSS client connection to the NSS server has insufficient authority to access services requested. | When NSS server syslog level 2 is set (NSS_SYSLOG_LEVEL_VERBOSE), debug message DBG0032I is generated. For example: | SAF resource permissions are required to access NSS IPSec services: SAF resource permissions are required to access the NSS XMLAppliance services: These resources must be defined on the NSS server system and the client userid must be permitted read access to them. |
An NSS client appears to be connected to two instances of the NSS server. | For an NSS IPSec client, the ipsec -x display for both NSS servers shows the same client connected. For an NSS client, the nssctl -d for both NSS servers shows the same client connected. | Under normal termination, an NSS client issues a disconnect to close its connection with the NSS server. In some rare recovery situations, the NSS server might not be aware that a connection with an NSS client has ended. When the client restarts or attempts to reconnect, it might connect to a different NSS server instance, such as the backup server or an NSS server on another system when the client is connecting on a distributed dynamic VIPA. Use the ipsec -w display on the system running the affected NSS IPSec client to determine which NSS server the IPSec client is actually connected to. Optionally, use the Netstat DRop/-D command to close out the old connection on the other NSS server. |
NSS clients are failing to connect to the NSS server. | The NSS server issues the EZD1371I console message to indicate the disabled discipline and closes the connection. | The NSS server has been configured to disable the specified discipline. Modify the NSS server configuration to enable the specified discipline. See z/OS Communications Server: IP Configuration Reference for more information about the NSS server configuration. |
The following table lists common problems when requests from a network security services (NSS) client fail.
Problem | Symptom | Cause/response |
---|---|---|
The userid used for the NSS client connection has insufficient authority to access client certificates. | When NSS server syslog level 4 is set (NSS_SYSLOG_LEVEL_CERTINFO), debug message DBG0004I is generated: | SAF resource permissions are required to access certificates from the NSS server: These resources must be defined on the NSS server system and the client userid must be permitted read access to them. |
The userid used for the NSS client connection has insufficient authority to access the private keys associated with client certificates. | When NSS server syslog level 4 is set (NSS_SYSLOG_LEVEL_CERTINFO), debug message DBG0004I is generated: | SAF resource permissions are required to access private keys associated with certificates from the NSS server: These resources must be defined on the NSS server system and the client userid must be permitted read access to them. |