DynamicConfigPolicyLoad statement

The Policy Agent acting as a policy server uses the DynamicConfigPolicyLoad statement to obtain the file names of the configuration files to be retrieved by policy clients.

The DynamicConfigPolicyLoad statement can appear only in the main configuration file.

Result: When a DynamicConfigPolicyLoad statement is removed, the policy clients that were using that statement change to use another statement, or default values.

EZB.PAGENT.sysname.image.ptype

Multiple DynamicConfigPolicyLoad statements can appear in the main configuration file. The policy server maintains a list of these DynamicConfigPolicyLoad statements. When a policy client connects to the policy server, then the policy client name configured on the PolicyServer statement is matched to the clientname parameter. The names are case sensitive with regard to matching. This clientname parameter can be a regular expression. The policy server matches these names in the following order:

1. A clientname parameter that has an exact match to the policy client name. The policy client name must not contain any regular expression characters.
2. A regular expression clientname parameter that matches the policy client name. The longest matching regular expression is chosen. If multiple statements match with the same length clientname parameter, the statement chosen is based on alphabetical order.
3. If there is no matching clientname parameter or a matching clientname value does not have a corresponding PolicyType parameter for this policy type, then the following default remote files are used:
   • Stack-specific remote files used for each policy type:
     • IDS - /etc/pagent_remote.ids
     • IPSec - /etc/pagent_remote.ipsec
     • QoS - /etc/pagent_remote.qos
     • Routing - /etc/pagent_remote.routing
     • AT-TLS - /etc/pagent_remote.ttls
   • For any default stack-specific remote file used, there is no corresponding common configuration file.
   • If no matching clientname parameter is found, then the refresh interval is set to 30 minutes.

Result: The PolicyLoad and CommonPolicyLoad parameters are optional; however, if neither the PolicyLoad parameter or the CommonPolicyLoad parameters are configured, this DynamicConfigPolicyLoad statement results in an error and the statement is discarded.

Parameters

clientname

A string 1 - 24 characters in length specifying the client name to be matched to the policy client name.

Requirement: If this is a regular expression, the string must consist of 1 - 511 characters. Otherwise, it must consist of 1-24 characters.

This clientname parameter is used to match the policy client name when it connects to Policy Agent to derive its policy files.

The clientname parameter can also consist of a regular expression. The simplest form of regular expression is a string of characters without a special meaning. Such a string matches only itself. Table 1 shows the characters with special meaning:

Table 1. Characters with special meaning

Symbol	Description
.	The period symbol matches any one character except the terminal newline character.
[character–character]	The hyphen symbol (-), within square brackets, means through. It fills in the intervening characters according to the current collating sequence. For example, [a–z] can be equivalent to [abc...xyz] or, with a different collating sequence, it can be equivalent to [aAbBcC...xXyYzZ].
[string]	A string within square brackets specifies any of the characters in the string. Thus [abc], if compared to other strings, matches any that contain a, b, or c.
[m] [m,] [m,u]	Integer values enclosed within square brackets indicate the number of times to apply the preceding regular expression. The m value is the minimum number, and the u value is the maximum number. The u value must be less than 256. If you specify only the m value, it indicates the exact number of times to apply the regular expression. [m,] is equivalent to [m,u]. They both match m or more occurrences of the expression. The plus (+) and asterisk (*) operations are equivalent to [1,] and [0,], respectively.
*	The asterisk (*) indicates 0 or more of any characters. For example, [a*e] matches any of the following: 99ae9, aaaaae, or a999e99.
^	The caret symbol matches the beginning of the string.
$	The dollar symbol matches the end of the string. (Use \n to match a newline character.)
+	The plus symbol specifies one or more occurrences of a character. Thus, smith+ern is equivalent to smithhhern.
[^string]	The caret symbol inside square brackets, negates the characters within the square brackets. Thus [^abc] matches any characters except a, b, or c.
(expression)	Groups a sub-expression allowing an operator, such as * or +, to work on the sub-expression enclosed in parentheses. For example, (a*(cb+)*).

Rules:

• Do not use multibyte characters.
• You can use the right square bracket ( ] ) alone within a pair of square brackets, but only if it immediately follows either the opening left square bracket or if it immediately follows [^. For example, []–] matches the ] and – characters.
• All the preceding symbols are special. Precede them with a slash (\) to use the symbol itself. For example, a\.e is equivalent to a.e.
• You can use the hyphen (-) by itself, but only if it is the first or last character in the expression. For example, the expression []--0] matches either the ] or else the characters – through 0. Otherwise, use \–.
• If duplicate DynamicConfigPolicyLoad statements with the same clientname parameter are specified, Policy Agent keeps the last entry.
• If a matching DynamicConfigPolicyLoad statement cannot be found, then the default stack-specific remote policy file is used.
• You cannot specify duplicate symbolic values in a single file name. For example, you cannot specify /etc/$1.$2_$1.
• You cannot use both wildcard and symbolic values in the same file name. For example, you cannot use /etc/$1.* .

PolicyType

Indicates additional policy configuration information for a specific policy type.

Rule: If duplicate PolicyType parameters for the same policy type are configured, then the policy server keeps the last entry for that policy type.

RefreshInterval

Specifies the time interval (in seconds) that lapses between checks for changes to the creation or modification time of the common and stack-specific remote policy files. This attribute applies to all configured policy types. In the following cases, the update interval is changed:

• If a value is not specified, the default is 1 800 seconds (30 minutes).
• If a value of 0 is specified, the default value of 1 800 seconds (30 minutes) is used.
• Any value from 1 to 299 is rounded up to 300 seconds (5 minutes).

For example, if the refresh interval is set to 300, the corresponding policy file is checked for changes every five minutes. If the policy file changed within the last 5 minutes, it is read again. Any new, changed, or deleted policies are either added to or removed from the policy client configuration.

Result: If the RefreshInterval parameter is updated, this new refresh interval takes effect the next time these policies are refreshed.

Restriction: Dynamic monitoring for file updates using the -i startup option is not supported for files configured on the DynamicConfigPolicyLoad statement.

CommonPolicyLoad

The path of the common remote policy file to be used for the defined policy type.

You can specify an MVS™ data set name or a z/OS® UNIX file name. MVS data set names must be enclosed in single quotation marks (' ') and preceded by a double slash (//). Following are examples of both types of names:

DynamicConfigPolicyLoad (.*)_(.*)
{
PolicyType  IDS
{
CommonPolicyLoad  //'USER1.PAGENT.REMCONF(COMIDS)'
PolicyLoad        //'USER1.PAGENT.REMCONF(IDS)'
}
PolicyType  TTLS
{
CommonPolicyLoad  /u/user1/pagent.remote.common.ttls
PolicyLoad        /u/user1/pagent.remote.ttls
}
}

The common remote policy file statements can be referenced from the stack-specific remote policy file of the associated policy configuration. Stack-specific remote policies are defined in the stack-specific remote policy file within the same policy configuration. A stack-specific remote policy file is identified by the PolicyLoad parameter.

The configuration information defined in the file identified with the CommonPolicyLoad parameter is prepended to the configuration information defined in the file identified with the PolicyLoad parameter.

Rule: If the DynamicConfigPolicyLoad statement matches multiple policy clients, then the CommonPolicyLoad file is parsed for each policy client. Any errors contained in the file are reported multiple times.

Restrictions:

• Dynamic monitoring for file updates using the-istartup option is not supported for the common remote policy file.
• The CommonPolicyLoad parameter is not supported for PolicyType QoS.

Results:

• When the common remote policy file is an MVS data set, it is reread at each refresh interval, regardless of whether it has actually been changed or not. The policy server also rereads all the associated stack-specific remote policy files when the common remote policy file is reread.
• If the CommonPolicyLoad parameter file name is updated, this new common file is read when policies are refreshed.

PolicyLoad

The path of the stack-specific remote policy file to be used for the defined policy type.

You can specify an MVS data set name or a z/OS UNIX file name. MVS data set names must be enclosed in single quotation marks (' ') and preceded by a double slash (//). Following are examples of both types of names:

DynamicConfigPolicyLoad (.*)_(.*)
{
PolicyType  IDS
{
CommonPolicyLoad  //'USER1.PAGENT.REMCONF(COMIDS)'
PolicyLoad        //'USER1.PAGENT.REMCONF(IDS)'
}
PolicyType  TTLS
{
CommonPolicyLoad  /u/user1/pagent.remote.common.ttls
PolicyLoad        /u/user1/pagent.remote.ttls
}
}

Rules:

• If the PolicyLoad parameter is not specified, then the associated common remote policy file specified on the CommonPolicyLoad parameter is used.
• The client names and DynamicConfigPolicyLoad statement names are case sensitive, but MVS data set names are not. Therefore, use caution when defining MVS data set configuration files that include a wildcard to be substituted with the client name. For example, the client names client42 and Client42, if used as a substitution variable in an MVS data set name, would result in the same configuration file being used for both clients.

Results:

• The path name can contain a single wildcard character (*). The policy client name replaces the wildcard position to obtain the stack-specific remote policy file.
  The following examples use a wildcard path for an IPSec file:

  PolicyLoad    //'ETC.REMOTE.CONF(*)'    
  policy client name = Remote1
  Stack-specific remote IPSec policy file is:   
  //'ETC.REMOTE.CONF(REMOTE1)'

  PolicyLoad    /etc/*.remote              
  policy client name = REMOTE1
  Stack-specific remote IPSec policy file is:   
  /etc/REMOTE1.remote

• The path name can contain symbolic replacement values $0 through $9. $0 represents the entire portion of the client name that matched, while $1 through $9 represent portions of the client name that match corresponding parenthesized sub-expressions in the regular expression.
  Example of using symbolic replacement values for an IDS file:

  Regular expression = ^([A-Z].+[a-z]+)\.([A-Z].+[a-z]+)$

  PolicyLoad    //'ETC.$1($2)'
  
  policy client name = SYSa.IDSClient
  Stack-specific remote IDS policy file will be: //'ETC.SYSA(IDSCLIENT)

  Result: If more symbolic replacement values are specified in a file name than there are parenthesized sub-expressions in the regular expression, the extra symbolic replacement values are not replaced and exist as literal values in the file name.

Restriction: Dynamic monitoring for file updates using the -istartup option is not supported for the stack-specific remote policy file.

Results:

• When the stack-specific remote policy file is an MVS data set, it is reread at each refresh interval, regardless of whether it has actually been changed or not.
• If the PolicyLoad parameter file name is updated, the new stack-specific file is read when policies are refreshed.