Network security services client problems
IKED can be configured to request network security services (NSS) from an NSS server. The following table lists common problems when IKED, running as an NSS client, is unable to obtain services from the NSS server.
| Problem | Symptom | Cause/response |
|---|---|---|
| SSL is not properly configured for IKED, running as an NSS client, to connect to the NSS server. | When AT-TLS is not enabled or is misconfigured on the TCP/IP stack used by IKED or the NSS server, IKED issues message EZD1149I indicating that the connection is not secure. | AT-TLS must be enabled on both the client and server stacks with the TCPCONFIG TTLS statement in the TCP/IP profile. AT-TLS policies must be defined for both the client and the server to secure the connection. See "Define AT-TLS policy to protect communication with an NSS server" in z/OS Communications Server: IP Configuration Guide. If AT-TLS is enabled and the definitions are configured on the client and server stacks but EZD1149I is still displayed, see Diagnosing Application Transparent Transport Layer Security (AT-TLS). |
| The userid used for the IKED connection to the NSS server has insufficient authority to connect. | IKED issues message EZD1139I with reason code NSSRsnUserAuthentication. For example: | The IKED connection to the NSS server requires configuration of a valid userid and password or passticket on the NssStackConfig statement in the IKED configuration file. |
| The userid used for the IKED connection to the NSS server has insufficient authority to access the services requested. | IKED issues messages indicating which requested services are not available. For example: | The following SAF resource permissions are required to access network security services: These resources must be defined on the NSS server system, and the userid configured on the NssStackConfig statement in the IKED configuration file must be permitted read access to them. |
| IKED fails to retrieve certificates from the NSS server. | IKED syslog daemon traces may show that no cache entries were received from the NSS server. For example: Dynamic tunnel negotiations using RSA signature mode fail. | The following SAF resource permissions are required to access certificates from the NSS server: These resources must be defined on the NSS server system, and the userid configured on the NssStackConfig statement in the IKED configuration file must be permitted read access to them. See "Steps for authorizing resources for NSS" in z/OS Communications Server: IP Configuration Guide. |
| IKED does not attempt to connect to the NSS server for a given stack. | IKED does not issue message EZD1138I for the given stack. | A valid NssStackConfig statement is required for each stack that is to use NSS. See IKE daemon in z/OS Communications Server: IP Configuration Reference for information about configuring the NssStackConfig statement. |
| IKED connects to NSSD but cannot use NSS IPSec certificate services. | Message EZD1916I was issued. | IKED is configured in FIPS 140 mode, but the NSS server is not. IKED therefore cannot use the NSS certificate services provided by the NSS server, because the cryptographic operations the NSS server performs on behalf of IKED would not be performed in a manner consistent with FIPS 140 requirements. IKED remains connected to the NSS server so that it can use the NSS remote management services. |