NssConfig statement

The NssConfig statement contains parameters that apply globally to the NSS server and all supported disciplines. If more than one NssConfig statement is coded, the parameters coded within all the statements are combined as if they had all been coded under one NssConfig statement. If a parameter within the NssConfig statement is specified more than once, the value from the last one is used.

Syntax

>>-NssConfig--| Braces & Parms on Separate Lines |-------------><

Braces & Parms on Separate Lines

|--+-{------------------------+---------------------------------|
   +-| NSSConfig Parameters |-+   
   '-}------------------------'   

NSSConfig Parameters

   .-Port 4159-.  .-SyslogLevel 0-.   
|--+-----------+--+---------------+----------------------------->
   '-Port n----'  '-SyslogLevel n-'   

>--+-------------------------+---------------------------------->
   +-KeyRing userid/ringname-+   
   '-KeyRing ringname--------'   

   .------------------------------------------------.   
   | .-Discipline XMLAppliance Enable-------------. |   
   V +-Discipline IPSec Enable--------------------+ |   
>----+--------------------------------------------+-+-----------|
     '-Discipline--+-IPSec---------+--+-Enable--+-'     
                   '-XMLAppliance--'  '-Disable-'       

Parameters

Port n
The TCP port that the NSS server binds to. All NSS clients must connect to the server through this port.

The default value is 4159. Valid values are in the range 1 - 65535. Use the MODIFY NSSD,REFRESH command to change the value of this parameter. When the TCP port is changed, existing connections remain open, but all new client connections must come through the new port.

Tip: The NSS server binds to INADDR_ANY. Configuring NSS clients to connect to the NSS server on a dynamic VIPA might increase availability of the NSS server. See NSS server failover considerations in z/OS Communications Server: IP Configuration Guide for more information.

SyslogLevel level
Specifies the level of logging to be obtained from the NSS server. The following levels are supported:
0 - NSS_SYSLOG_LEVEL_NONE
Disable NSS server syslog messages.
1 - NSS_SYSLOG_LEVEL_MINIMUM
Minimal NSS daemon syslog output.
2 - NSS_SYSLOG_LEVEL_VERBOSE
Include cascaded internal error messages (for IBM® service).
4 - NSS_SYSLOG_LEVEL_CERTINFO
Include information about certificate cache.
8 - NSS_SYSLOG_LEVEL_CLIENTLIFECYCLE
Include information about client lifecycle (connect, update, and disconnect).
16 - NSS_SYSLOG_LEVEL_SAF_ACCESS_INFO
Include information about SAF access operations.
32
Reserved
64
Reserved
128
Reserved

These levels can be added together to create a cumulative logging effect.

Use the MODIFY NSSD,REFRESH command to change this value. The default value is 1.

Rules:
  • The default SyslogLevel is in effect until the parameter is read from the configuration file.
  • Any level higher than 1 automatically includes 1.

KeyRing ringname | userid/ringname
The owning user ID and ring name used by the NSS server when it creates and verifies signatures on behalf of an NSS client. When using a key ring owned by the NSS server, specify the ring name as a ringname value. When using a key ring owned by another user, specify the ring name as a userid/ringname value. There is no default value. If KeyRing is not specified, the NSS server cannot supply certificate services.

Restriction: The NSS server does not support PKCS #11 Tokens for the KeyRing parameter.

Use the MODIFY NSSD,REFRESH command to change this value.

Discipline discipline Enable | Disable
Specifies that a discipline is enabled or disabled by the NSS server. Valid disciplines are:
IPSec
Includes the IPSec certificate service and IPSec remote management service. The default for the IPSec discipline is Enable.
XMLAppliance
Includes the XMLAppliance SAF access service, the XMLAppliance certificate service, and the XMLAppliance private key service. The default for the XMLAppliance discipline is Enable.

Use the MODIFY NSSD,REFRESH command to change which disciplines are enabled or disabled, as follows:

Enabling a discipline

If, during refresh processing, the NSS server detects a Discipline statement that has been added or modified with the Enable keyword, the NSS server enables the required services to allow NSS clients to connect to the indicated discipline.

Disabling a discipline

If, after a refresh, a Discipline statement was modified with the Disable keyword, then connections for all NSS clients of the indicated discipline are removed and services for the indicated discipline are disabled. The NSS server prevents new clients from connecting to the indicated discipline.
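
The following Python sketch is an added example, not IBM code. It applies the rules stated on this page to a configuration file: multiple NssConfig statements are combined, the last value of a repeated parameter wins, SyslogLevel values are sums of level bits, any level above 1 includes 1, and a missing KeyRing means no certificate services. It assumes keywords are spelled exactly as shown on this page; the function names and the sample configuration are constructed for illustration.

```python
import re

# Level bits from the SyslogLevel list (NSS_SYSLOG_LEVEL_ prefix omitted); 32, 64, 128 are reserved.
SYSLOG_BITS = {1: "MINIMUM", 2: "VERBOSE", 4: "CERTINFO",
               8: "CLIENTLIFECYCLE", 16: "SAF_ACCESS_INFO"}
KNOWN_BITS = sum(SYSLOG_BITS)  # 31: every bit this page defines


def parse_nssconfig(text):
    """Combine all NssConfig statements; a repeated parameter keeps its last value."""
    cfg = {"Port": 4159, "SyslogLevel": 1, "KeyRing": None,
           "Discipline": {"IPSec": True, "XMLAppliance": True}}  # documented defaults
    for body in re.findall(r"NssConfig\s*\{(.*?)\}", text, re.S):
        for parts in (line.split() for line in body.splitlines()):
            if len(parts) == 2 and parts[0] in ("Port", "SyslogLevel"):
                cfg[parts[0]] = int(parts[1])
            elif len(parts) == 2 and parts[0] == "KeyRing":
                cfg["KeyRing"] = parts[1]
            elif len(parts) == 3 and parts[0] == "Discipline":
                cfg["Discipline"][parts[1]] = parts[2] == "Enable"
    return cfg


def decode_syslog_level(level):
    """Return the names of the levels in effect for a summed SyslogLevel value."""
    if level > 1:
        level |= 1  # rule: any level higher than 1 automatically includes 1
    return [name for bit, name in SYSLOG_BITS.items() if level & bit]


def audit(cfg):
    """List settings a reviewer would question, using only facts from this page."""
    findings = []
    if not 1 <= cfg["Port"] <= 65535:
        findings.append("Port outside the valid range 1 - 65535")
    if cfg["SyslogLevel"] & ~KNOWN_BITS:
        findings.append("SyslogLevel sets reserved or undefined bits")
    if cfg["SyslogLevel"] == 0:
        findings.append("SyslogLevel 0 disables NSS server syslog messages")
    if cfg["KeyRing"] is None:
        findings.append("No KeyRing: server cannot supply certificate services")
    return findings


# Constructed sample: two statements, with SyslogLevel coded twice (24 = 8 + 16).
SAMPLE = ("NssConfig\n{\n   Port 4159\n   SyslogLevel 0\n   Discipline XMLAppliance Disable\n}\n"
          "NssConfig\n{\n   SyslogLevel 24\n}\n")
```

Calling `audit(parse_nssconfig(SAMPLE))` reports only the missing KeyRing, because the second statement's SyslogLevel 24 replaces the earlier 0.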