Overview of NSS

Network security services (NSS) provides a centralized certificate service, monitoring and management for IP security across z/OS® systems:

  • Certificate service for IPSec
    • A z/OS image configured as an NSS server can use a single, centralized certificate repository to handle requests from NSS clients on distributed z/OS systems for signature validation, signature creation, and related operations. This enables sensitive key ring material to be kept in a single secure location, rather than having it reside on each z/OS node.
    • z/OS images configured as NSS clients can have their certificate operations handled by an NSS server. The z/OS IKE daemon can be configured as an NSS client. IKE daemon configuration is on a per-stack basis, such that each NSS-enabled stack appears to the NSS server as an independent client. For stacks not configured to use NSS, the IKE daemon continues to manage certificates out of a local key ring.
  • IPSec monitoring and management
    • The NSS server also provides a network monitoring and management interface that enables it to act as a focal point for IPSec monitoring and management requests for each of its NSS clients. Through this interface, network monitors can obtain statistics and status information regarding filtering, manual tunnel and dynamic tunnel definitions on the stacks configured as NSS clients. Network management systems can activate, deactivate and refresh specific security associations on NSS clients through the NSS server.
    • The ipsec command may be used on an image configured as an NSS server to direct monitoring and management requests to IKE daemons on remote z/OS images that are configured as NSS clients.

The Network Configuration Assistant supports the implementation of network security services by creating required policy and configuration files. These include:

  • For the NSS server:
    • NSSD configuration file (NSSD.CONF)
    • AT-TLS policy to allow secured communication between the NSS server and NSS clients
    • Optionally, IPSec policy to permit traffic to and from the server, if the NSS server is enabled for IPSec
  • For IKED running as an NSS client:
    • IKED configuration file (IKED.CONF)
    • AT-TLS policy to allow secured communication with the NSS server
    • IPSec policy that includes rules to permit traffic between IKED and the NSS server

In addition to these configuration files, the user implementing NSS will need to define key rings containing certificates:

  • For the NSS server system:
    • A key ring containing the certificates of all the NSS clients, used for their phase 1 SA negotiations
    • A key ring containing the NSS server and NSS client certificates used for the AT-TLS communication between the server and client
  • For the NSS client system:
    • A key ring containing the NSS server and NSS client certificates used for the AT-TLS communication between the server and client

Finally, external security manager definitions are required on the NSS server image to control the use of network security services. Refer to the z/OS Communications Server: IP Configuration Guide chapter on Network Security Services for additional information.

The image below depicts the relationship between the NSS server and NSS clients as well as the policy and key ring definitions required to use network security services.

[Image: Network Configuration Assistant screen capture]