NSS client
The NSS client enables integration with RACF® on the z/OS® server for RBM and AAA processing.
Before you begin
To support NSS integration, you must configure the NSS server to support the NSS client. See the following z/OS documentation for these configuration steps.
- Enable the XMLAppliance discipline support, as defined in network security services.
- Authorize the client user ID to SAF profiles that represent security services and resources, as defined in preparing to provide network security services.
- Configure a secure TCP connection between the client and server, as defined in configuring the NSS server.
About this task
The configuration of an NSS client defines the authentication information for the DataPower® Gateway to function as an NSS client.
Only one physical connection is allowed per remote address, remote port, and client ID. Although you can define multiple NSS clients on the DataPower Gateway, the connection fails if more than one client with the same tuple tries to connect.
Based on the configuration and the request type, the following actions occur.
- DataPower requests a secure connection to the z/OS server.
- RACF authenticates users.
- RACF authorizes resources.
- RACF logs authorized and unauthorized attempts to access protected resources.
- NSS protocol provides return codes and reason codes for connectivity requests.
If the connection is not established or the provided parameters are invalid, the operational state of the NSS client configuration is down. When in this state, one of the following event codes is shown.
- Invalid registration parameters.
- TCP connection-retry (interval is 1 minute).
- TCP connection in progress.
- Communication failed.
- Cannot connect to host.
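
The rule under About this task, one physical connection per remote address, remote port, and client ID, can be checked before deployment. The following is an added example, not IBM or DataPower code: the record layout, field names, and sample values are constructed for illustration and do not mirror the DataPower configuration schema.

```python
from collections import defaultdict

# Constructed sample definitions (hypothetical field names and values).
SAMPLE_CLIENTS = [
    {"name": "nss-prod-a", "remote_address": "zos1.example.com",
     "remote_port": 4159, "client_id": "DPCLNT1"},
    # Same endpoint as nss-prod-a, written differently (case, trailing dot,
    # port as a string): a plain string comparison would miss this.
    {"name": "nss-prod-b", "remote_address": "ZOS1.example.com.",
     "remote_port": "4159", "client_id": "DPCLNT1"},
    # Same endpoint, different client ID: allowed.
    {"name": "nss-test", "remote_address": "zos1.example.com",
     "remote_port": 4159, "client_id": "DPCLNT2"},
    # Same client ID, different host: allowed.
    {"name": "nss-dr", "remote_address": "zos2.example.com",
     "remote_port": 4159, "client_id": "DPCLNT1"},
]


def connection_key(client):
    """Normalise the (address, port, client ID) tuple that must be unique."""
    # DNS names are case-insensitive and may carry a trailing root dot.
    host = str(client["remote_address"]).strip().rstrip(".").lower()
    port = int(client["remote_port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"{client['name']}: invalid port {port}")
    # Client ID is compared as written; case handling is not stated on the page.
    return host, port, str(client["client_id"]).strip()


def find_conflicts(clients):
    """Return {tuple: [definition names]} for tuples used more than once."""
    groups = defaultdict(list)
    for client in clients:
        groups[connection_key(client)].append(client["name"])
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for (host, port, cid), names in find_conflicts(SAMPLE_CLIENTS).items():
        print(f"conflict on {host}:{port} client ID {cid}: {', '.join(names)}")
```

The check compares addresses textually, so a host name and an IP address that refer to the same server are not matched; resolve them to one form first if both styles are in use.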