z/OS Network File System Guide and Reference


GSS credential acquisition

SC23-6883-00

GSS credentials enable the communicating applications to establish security contexts with each other. They can contain multiple cryptographic keys that are required for authentication and message encryption to be performed with different algorithms. The z/OS NFS server uses Kerberos V5 as its security mechanism for acquiring the GSS credentials. The z/OS NFS server initially acquires these credentials during server startup. The z/OS NFS server uses the credentials for accepting the security context requests from NFS clients, and the same credentials may be used for initiating security contexts during RPC callbacks. The Kerberos principal for the z/OS NFS server must be defined in the Kerberos key table identified by the KRB5_KTNAME environment variable.

Note: For more information on setting up the z/OS NFS server with RPCSEC_GSS security, see Configuring a secure z/OS NFS server.

The z/OS NFS server attempts to acquire the GSS credentials for the maximum credential lifetime. The actual lifetime of the credentials, however, depends on the lifetime of the underlying Ticket Granting Ticket of the Kerberos Security Server and is not controlled or governed by the z/OS NFS server. When the server's GSS credentials expire, client requests receive the documented RPCSEC_GSS errors, and the client is expected to refresh its contexts and retry the requests.
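The refresh-and-retry behaviour expected of the client, sketched in Python as an added example (not IBM or z/OS code). The two auth_stat values are the ones RFC 2203 defines for RPCSEC_GSS; `call_with_refresh`, `RpcAuthError`, `FakeServer` and the `send`/`establish_context` callables are hypothetical names, and the fake server assumes that contexts accepted under expired credentials become unusable.

```python
import enum

class AuthStat(enum.IntEnum):
    """auth_stat values that RFC 2203 adds for RPCSEC_GSS."""
    RPCSEC_GSS_CREDPROBLEM = 13
    RPCSEC_GSS_CTXPROBLEM = 14

class RpcAuthError(Exception):
    def __init__(self, stat):
        super().__init__(f"RPC rejected, auth_stat={int(stat)}")
        self.stat = stat

REFRESHABLE = {AuthStat.RPCSEC_GSS_CREDPROBLEM, AuthStat.RPCSEC_GSS_CTXPROBLEM}

def call_with_refresh(send, establish_context, context=None, max_refreshes=2):
    """Send one request; on an RPCSEC_GSS error, build a new context and retry.

    send(context) and establish_context() are hypothetical caller-supplied
    callables. Returns (reply, context_in_use, refreshes_used).
    """
    refreshes = 0
    if context is None:
        context = establish_context()
    while True:
        try:
            return send(context), context, refreshes
        except RpcAuthError as err:
            # Other auth errors are not cured by a new context; the retry
            # count is bounded so an unavailable server cannot cause a loop.
            if err.stat not in REFRESHABLE or refreshes >= max_refreshes:
                raise
            context = establish_context()
            refreshes += 1

class FakeServer:
    """Constructed stand-in for a server whose credentials expire at cred_expiry."""
    def __init__(self, cred_expiry):
        self.now, self.cred_expiry, self.next_handle = 0, cred_expiry, 1
        self.valid = set()
    def renew(self, new_expiry):
        # Assumption: contexts accepted under the old credentials are dropped.
        self.cred_expiry, self.valid = new_expiry, set()
    def establish_context(self):
        if self.now >= self.cred_expiry:
            raise RpcAuthError(AuthStat.RPCSEC_GSS_CREDPROBLEM)
        handle, self.next_handle = self.next_handle, self.next_handle + 1
        self.valid.add(handle)
        return handle
    def send(self, handle):
        if self.now >= self.cred_expiry or handle not in self.valid:
            raise RpcAuthError(AuthStat.RPCSEC_GSS_CTXPROBLEM)
        return f"ok@{self.now}"
```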





Copyright IBM Corporation 1990, 2014