NSS client

The NSS client enables integration with RACF® on the z/OS® server for RBM and AAA processing.

Before you begin

To support NSS integration, you must configure the NSS server to support the NSS client. See the following z/OS documentation for these configuration steps.
  • Enable the XMLAppliance discipline support, as defined in network security services.
  • Authorize the client user ID to SAF profiles that represent security services and resources, as defined in preparing to provide network security services.
  • Configure a secure TCP connection between the client and server, as defined in configuring the NSS server.

About this task

The configuration of an NSS client defines the authentication information for the DataPower® Gateway to function as an NSS client.

Only one physical connection is allowed per remote address, remote port, and client ID. Although you can define multiple NSS clients on the DataPower Gateway, the connection fails if more than one client with the same tuple tries to connect.
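
A pre-deployment check for the tuple constraint above, as an added example that is not part of the product documentation: it flags enabled NSS client definitions that share a remote address, remote port, and client ID. The inventory field names and all sample values are constructed; it assumes that only enabled clients attempt to connect and that client IDs compare case-sensitively.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory. Field names are hypothetical, not a DataPower export format.
SAMPLE_CLIENTS = [
    {"name": "nss-prod-a", "admin_state": "enabled",
     "remote_address": "ZOS1.example.com", "remote_port": 4159, "client_id": "DPGW01"},
    {"name": "nss-prod-b", "admin_state": "enabled",
     "remote_address": "zos1.example.com.", "remote_port": "4159", "client_id": "DPGW01"},
    {"name": "nss-test", "admin_state": "disabled",
     "remote_address": "zos1.example.com", "remote_port": 4159, "client_id": "DPGW01"},
    {"name": "nss-dr", "admin_state": "enabled",
     "remote_address": "2001:db8:0:0:0:0:0:10", "remote_port": 4159, "client_id": "DPGW01"},
    {"name": "nss-dr2", "admin_state": "enabled",
     "remote_address": "2001:db8::10", "remote_port": 4159, "client_id": "DPGW02"},
]


def normalize_address(addr):
    """Canonicalize an IP literal, or lower-case a hostname and drop a trailing dot.

    No DNS lookup is done, so a hostname and an IP address that point at the
    same NSS server are NOT detected as equal; review those by hand.
    """
    addr = str(addr).strip()
    try:
        return ipaddress.ip_address(addr).compressed
    except ValueError:
        return addr.rstrip(".").lower()


def find_collisions(clients):
    """Return {(address, port, client_id): [names]} for tuples used more than once."""
    by_tuple = defaultdict(list)
    for c in clients:
        if c.get("admin_state", "enabled") != "enabled":
            continue  # assumption: a disabled client never opens a connection
        key = (normalize_address(c["remote_address"]),
               int(c["remote_port"]),
               c["client_id"])  # assumption: client IDs are case-sensitive
        by_tuple[key].append(c["name"])
    return {k: sorted(v) for k, v in by_tuple.items() if len(v) > 1}


if __name__ == "__main__":
    for (addr, port, cid), names in find_collisions(SAMPLE_CLIENTS).items():
        print(f"collision on {addr}:{port} client ID {cid}: {', '.join(names)}")
```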

Based on the configuration and the request type, the following actions occur.
  • DataPower requests a secure connection to the z/OS server.
  • RACF authenticates users.
  • RACF authorizes resources.
  • RACF logs authorized and unauthorized attempts to access protected resources.
  • The NSS protocol provides return codes and reason codes for connectivity requests.

If the connection is not established or the provided parameters are invalid, the NSS client configuration is in the down operational state. In this state, one of the following event codes is shown.
  • Invalid registration parameters.
  • TCP connection-retry (interval is 1 minute).
  • TCP connection in progress.
  • Communication failed.
  • Cannot connect to host.

Procedure

  1. In the search field, enter nss.
  2. From the search results, click NSS client.
  3. Click Add.
  4. Define the basic properties: name, administrative state, and comments.
  5. In the Remote address field, specify the IP address or hostname of the NSS server.
  6. In the Remote port field, specify the port that the NSS server listens on.
  7. From the TLS client profile list, select the TLS client profile to secure connections to targets.
  8. In the Client ID field, specify the client ID to register with the NSS server.
  9. In the System name field, specify the system name to identify the NSS client to the NSS server.
  10. Define the credentials for SAF authentication.
    1. In the Username field, specify the user.
    2. Define the password for the user.
  11. Click Apply to save changes to the running configuration.
  12. Click Save to save changes to the persisted configuration.