NSS server failover considerations
NSS IPSec clients can use the NSS certificate service when negotiating phase 1 Security Associations. Network monitoring applications can use the NSS remote management service to display information about NSS IPSec clients. Treat the NSS server as an application that requires high availability: it must be able to recover quickly from an outage that impacts its ability to respond to IPSec clients.
Recovery configurations for the NSS server include:
- For recovery of NSS server workload by another NSS server within a sysplex, configure NSS IPSec clients to connect to the NSS server on a non-distributed dynamic VIPA. TCP/IP stacks configured as backup for the dynamic VIPA must have the necessary external security manager definitions and certificates to support the NSS IPSec clients, and an NSS server must be running on the z/OS® system hosting the TCP/IP stack configured as backup.

  Guideline: Do not configure NSS IPSec clients to connect to a distributed DVIPA address on the NSS server. If a distributed DVIPA is used, the ipsec command and IPSec NMI can manage only NSS IPSec clients that have been distributed to the system on which the ipsec command is being run or to the system on which the IPSec NMI is invoked.
- Alternatively, you can configure an IKE daemon running as an NSS IPSec client to connect to a backup NSS server with the NetworkSecurityServerBackup parameter on the IkeConfig statement in the IKE daemon configuration file. When the IKE daemon is unable to connect to the primary NSS server, or when it loses its connection with the primary server, the IKE daemon attempts to connect to the server configured as backup. This recovery configuration can be used regardless of sysplex configurations. The backup server must be configured with all necessary external security manager definitions and certificates to support the NSS IPSec clients. For additional details about the IkeConfig statement, see z/OS Communications Server: IP Configuration Reference.