Question & Answer
Question
IKED successfully connected to the NSS server, as indicated by this message:
EZD1136I The IKE daemon is connected to the NSS server at location port port for stack stackname
Immediately after seeing EZD1136I, however, we see the following error message:
EZD1916I NSS server cryptographic services are disabled for stack tcpname - FIPS140 support is enabled for the IKE daemon but is not enabled for the NSS server
What do we have to do to resolve the problem indicated by this message?
Answer
EZD1916I indicates that IKED is configured in FIPS 140 mode, but the NSS server is not. Therefore, IKED cannot use the NSS certificate services provided by the NSS server because the cryptographic operations performed by the NSS server on behalf of IKED will not be performed in a manner consistent with FIPS 140 requirements. IKED remains connected to the NSS server so it can use the NSS remote management services.
As the IP Configuration Guide points out, "The NSS server uses ICSF and System SSL for encryption and key management services to provide certificate services to NSS IPSec clients. If the NSS IPSec clients are configured in FIPS 140 mode, you must also configure the NSS server in FIPS 140 mode so that it invokes ICSF and System SSL in FIPS 140 mode. This configuration is required for the entire system to be in FIPS 140 mode."
To enable FIPS 140 mode for the NSS server (NSSD), specify FIPS140 yes on the IPSecDisciplineConfig statement in the NSS server configuration file. The FIPS140 value is read only when NSSD starts: if it is modified while the NSS server is running, the modification is ignored, a warning message is issued, and the new value takes effect only after NSSD is restarted. Once NSSD has been restarted with FIPS140 yes, both daemons operate in FIPS 140 mode and IKED can use the NSS certificate services.
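As an added illustration (this script is not part of the IBM technote or of z/OS Communications Server), the following POSIX shell check reads the FIPS140 setting from both daemons' configuration files and reports the IKED-yes/NSSD-no mismatch that produces EZD1916I, so it can be run before NSSD is restarted. It assumes that the IKE daemon's setting is the FIPS140 parameter of the IkeConfig statement in iked.conf (the technote names only the NSS server side), that both files use the usual Statement { Parameter value } layout with # comments, that an absent FIPS140 parameter means no, and it uses constructed sample files rather than real system configuration.

```shell
#!/bin/sh
# Added example, not from the technote. Assumptions (verify against your release's
# IP Configuration Reference): the IKED value is the FIPS140 parameter of the
# IkeConfig statement in iked.conf, the NSSD value is the FIPS140 parameter of the
# IPSecDisciplineConfig statement in nssd.conf, both files use the
# "Statement { Parameter value }" layout with # comments, and an absent FIPS140
# parameter means "no".

# Print the FIPS140 value (lowercased) found inside the named statement block of a
# configuration file, or "no" when the parameter is absent (assumed default).
fips140_setting() {
    awk -v stmt="$2" '
        { sub(/#.*/, "") }                               # strip comments, re-split fields
        toupper($1) == toupper(stmt) { inblock = 1 }     # statement keyword found
        inblock && index($0, "{") > 0 { depth++ }
        inblock && toupper($1) == "FIPS140" { val = tolower($2) }
        inblock && index($0, "}") > 0 { depth--; if (depth == 0) inblock = 0 }
        END { print (val == "" ? "no" : val) }
    ' "$1"
}

# Compare both daemons. Exit status 0: consistent; 1: IKED yes / NSSD no (the
# combination that produces EZD1916I); 2: NSSD yes / IKED no.
check_fips_consistency() {
    iked=$(fips140_setting "$1" IkeConfig)
    nssd=$(fips140_setting "$2" IPSecDisciplineConfig)
    echo "IKED FIPS140=$iked  NSSD FIPS140=$nssd"
    if [ "$iked" = "$nssd" ]; then
        echo "consistent: both daemons use FIPS140 $iked"
        return 0
    elif [ "$iked" = "yes" ]; then
        echo "MISMATCH: IKED is in FIPS 140 mode but the NSS server is not (EZD1916I);"
        echo "          set FIPS140 yes on IPSecDisciplineConfig and restart NSSD"
        return 1
    else
        echo "MISMATCH: the NSS server is in FIPS 140 mode but IKED is not"
        return 2
    fi
}

# Constructed sample files (not real system configuration) in a scratch directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/iked.conf" <<'EOF'
IkeConfig
{
   FIPS140 yes          # IKE daemon runs in FIPS 140 mode; other parameters omitted
}
EOF
cat > "$WORK/nssd.conf.before" <<'EOF'
IPSecDisciplineConfig {
   FIPS140 no           # the situation described in the question
}
EOF
cat > "$WORK/nssd.conf.after" <<'EOF'
IPSecDisciplineConfig {
   FIPS140 yes          # the correction from the answer; takes effect after NSSD restart
}
EOF

check_fips_consistency "$WORK/iked.conf" "$WORK/nssd.conf.before" || echo "exit status $?"
check_fips_consistency "$WORK/iked.conf" "$WORK/nssd.conf.after"
```

Because the FIPS140 value is read only at NSSD startup, run the check against the edited nssd.conf before the restart; a change that is only made with the daemon running is ignored and still leaves the mismatch in place.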
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
07 March 2018
UID
dwa1254123