Network security services client problems

IKED can be configured to request network security services (NSS) from an NSS server. The following table lists common problems when IKED, running as an NSS client, is unable to obtain services from the NSS server.

Table 1. Common problems when IKED, running as an NSS client, is unable to obtain services from the NSS server. Each entry gives the Problem, the Symptom, and the Cause/response.
Problem: AT-TLS (SSL/TLS) protection is not properly configured for IKED, running as an NSS client, to connect to the NSS server.
Symptom: When AT-TLS is not enabled or is misconfigured on the TCP/IP stack used by IKED or by the NSS server, IKED issues message EZD1149I, indicating that the connection is not secure.
Cause/response: AT-TLS must be enabled on both the client and server stacks with the TCPCONFIG TTLS statement in the TCP/IP profile. AT-TLS policies must also be defined for both the client and the server to secure the connection. See "Define AT-TLS policy to protect communication with an NSS server" in z/OS Communications Server: IP Configuration Guide.

If AT-TLS is enabled and the policies are configured on both the client and server stacks but EZD1149I is still displayed, see Diagnosing Application Transparent Transport Layer Security (AT-TLS).

Problem: The userid used for the IKED connection to the NSS server has insufficient authority to connect.
Symptom: IKED issues message EZD1139I with reason code NSSRsnUserAuthentication. For example:
EZD1139I Request type NSS_ConnectClientReqToSrv with correlator ID 00000000000000040000000000000000 for stack TCPCS2 failed - return code EACCES reason code NSSRsnUserAuthentication
Cause/response: The IKED connection to the NSS server requires a valid userid and either a password or a PassTicket, configured on the NssStackConfig statement in the IKED configuration file.
Problem: The userid used for the IKED connection to the NSS server has insufficient authority to access the services requested.
Symptom: IKED issues messages indicating which requested services are not available. For example:
  • EZD1145I The network security certificate service is not available for stack TCPCS2
  • EZD1147I The network security remote management service is not available for stack TCPCS2
Cause/response: The following SAF resource permissions are required to access network security services:
  • EZB.NSS.sysname.clientname.IPSEC.CERT
  • EZB.NSS.sysname.clientname.IPSEC.NETMGMT

These resources must be defined on the NSS server system, and the userid configured on the NssStackConfig statement in the IKED configuration file must be permitted read access to them.

Problem: IKED fails to retrieve certificates from the NSS server.
Symptom: IKED syslog daemon traces may show that no cache entries were received from the NSS server. For example:
IKE: Initializing CA Cache with 0 entries for stack TCPCS2

Dynamic tunnel negotiations using RSA signature mode fail.
Cause/response: The following SAF resource permissions are required to access certificates from the NSS server:
  • EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH
  • EZB.NSSCERT.sysname.mappedlabelname.HOST

These resources must be defined on the NSS server system, and the userid configured on the NssStackConfig statement in the IKED configuration file must be permitted read access to them.

See "Steps for authorizing resources for NSS" in z/OS Communications Server: IP Configuration Guide.
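As an added example (not code from the z/OS documentation), the RACF commands that satisfy both the service-level (EZB.NSS.*) and certificate-level (EZB.NSSCERT.*) requirements above, written as you would place them in a CLIST run on the NSS server system. These EZB.* profiles live in the SERVAUTH class. IKEDUSR is an assumed userid standing in for the one named on IKED's NssStackConfig statement; sysname, clientname and mappedlabelname are the table's own placeholders and must be substituted with the real system name, the NSS client name and the mapped certificate label.

```tso
/* Added example, not from the z/OS documentation.  RACF commands for    */
/* the NSS server system.  IKEDUSR is a hypothetical userid; sysname,    */
/* clientname and mappedlabelname are placeholders to be substituted.    */

/* Service-level profiles: which NSS services this client may request.  */
/* UACC(NONE) so that only explicitly permitted userids get access.     */
RDEFINE SERVAUTH EZB.NSS.sysname.clientname.IPSEC.CERT    UACC(NONE)
RDEFINE SERVAUTH EZB.NSS.sysname.clientname.IPSEC.NETMGMT UACC(NONE)
PERMIT EZB.NSS.sysname.clientname.IPSEC.CERT    CLASS(SERVAUTH) ID(IKEDUSR) ACCESS(READ)
PERMIT EZB.NSS.sysname.clientname.IPSEC.NETMGMT CLASS(SERVAUTH) ID(IKEDUSR) ACCESS(READ)

/* Certificate-level profiles: which certificates the client may use    */
/* for RSA signature mode (CA certificate and host certificate).        */
RDEFINE SERVAUTH EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH UACC(NONE)
RDEFINE SERVAUTH EZB.NSSCERT.sysname.mappedlabelname.HOST     UACC(NONE)
PERMIT EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH CLASS(SERVAUTH) ID(IKEDUSR) ACCESS(READ)
PERMIT EZB.NSSCERT.sysname.mappedlabelname.HOST     CLASS(SERVAUTH) ID(IKEDUSR) ACCESS(READ)

/* Profile changes in a RACLISTed class take effect only after refresh. */
SETROPTS RACLIST(SERVAUTH) REFRESH

/* Verify: the access list of each profile should show IKEDUSR READ.    */
RLIST SERVAUTH EZB.NSS.sysname.clientname.IPSEC.CERT        AUTHUSER
RLIST SERVAUTH EZB.NSS.sysname.clientname.IPSEC.NETMGMT     AUTHUSER
RLIST SERVAUTH EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH AUTHUSER
RLIST SERVAUTH EZB.NSSCERT.sysname.mappedlabelname.HOST     AUTHUSER
```

The SERVAUTH class must be active (SETROPTS CLASSACT(SERVAUTH)) for these checks to take effect, and RDEFINE fails if a profile already exists, in which case only the PERMIT and the refresh are needed. After the refresh, IKED must reconnect to the NSS server for the new permissions to be reflected in EZD1145I/EZD1147I and in the CA cache count shown in the trace.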

Problem: IKED does not attempt to connect to the NSS server for a given stack.
Symptom: IKED does not issue message EZD1138I for the given stack.
Cause/response: A valid NssStackConfig statement is required for each stack that is to use NSS.

See IKE daemon in z/OS Communications Server: IP Configuration Reference for information about configuring the NssStackConfig statement.

Problem: IKED connects to NSSD but cannot use NSS IPSec certificate services.
Symptom: IKED issues message EZD1916I.
Cause/response: IKED is configured in FIPS 140 mode, but the NSS server is not. IKED therefore cannot use the NSS certificate services provided by that server, because the cryptographic operations the NSS server performs on behalf of IKED would not be performed in a manner consistent with FIPS 140 requirements. IKED remains connected to the NSS server so that it can still use the NSS remote management services.