The Policy Agent acting as a policy server uses the DynamicConfigPolicyLoad statement to obtain the file names of the configuration files to be retrieved by policy clients.
The DynamicConfigPolicyLoad statement can appear only in the main configuration file.
Result: When a DynamicConfigPolicyLoad statement is removed, the policy clients that were using that statement change to use another statement, or default values.
EZB.PAGENT.sysname.image.ptype
Multiple DynamicConfigPolicyLoad statements can appear in the main configuration file. The policy server maintains a list of these DynamicConfigPolicyLoad statements. When a policy client connects to the policy server, then the policy client name configured on the PolicyServer statement is matched to the clientname parameter. The names are case sensitive with regard to matching. This clientname parameter can be a regular expression. The policy server matches these names in the following order:
Result: The PolicyLoad and CommonPolicyLoad parameters are optional; however, if neither the PolicyLoad parameter nor the CommonPolicyLoad parameter is configured, this DynamicConfigPolicyLoad statement results in an error and the statement is discarded.
```
>>-DynamicConfigPolicyLoad--clientname--| Put Braces and Parameters on Separate Lines |-><

Put Braces and Parameters on Separate Lines

|--+-{--------------------------------------+-------------------|
   +-| DynamicConfigPolicyLoad Parameters |-+
   '-}--------------------------------------'

DynamicConfigPolicyLoad Parameters

   .----------------------------------------------------------.
   V                                                          |
|----+------------------------------------------------------+-+-->
     '-PolicyType--+-IDS-----+--| PolicyTypeSpecification |-'
                   +-IPSec---+
                   +-QoS-----+
                   +-Routing-+
                   '-TTLS----'

   .-RefreshInterval 1800-.
>--+----------------------+-------------------------------------|
   '-RefreshInterval i----'

PolicyTypeSpecification

|--+-{--------------------------------------+-------------------|
   +-| PolicyTypeSpecification Parameters |-+
   '-}--------------------------------------'

PolicyTypeSpecification Parameters

|--+-----------------------+--+-----------------+---------------|
   '-CommonPolicyLoad path-'  '-PolicyLoad path-'
```
Requirement: If this is a regular expression, the string must consist of 1-511 characters. Otherwise, it must consist of 1-24 characters.
This clientname parameter is used to match the policy client name when it connects to Policy Agent to derive its policy files.
Symbol | Description |
---|---|
. | The period symbol matches any one character except the terminal newline character. |
[character-character] | The hyphen symbol (-), within square brackets, means through. It fills in the intervening characters according to the current collating sequence. For example, [a-z] can be equivalent to [abc...xyz] or, with a different collating sequence, it can be equivalent to [aAbBcC...xXyYzZ]. |
[string] | A string within square brackets specifies any of the characters in the string. Thus [abc], if compared to other strings, matches any that contain a, b, or c. |
[m] [m,] [m,u] | Integer values enclosed within square brackets indicate the number of times to apply the preceding regular expression. The m value is the minimum number, and the u value is the maximum number. The u value must be less than 256. If you specify only the m value, it indicates the exact number of times to apply the regular expression. [m,] is equivalent to [m,u]. They both match m or more occurrences of the expression. The plus (+) and asterisk (*) operations are equivalent to [1,] and [0,], respectively. |
* | The asterisk (*) indicates 0 or more of any characters. For example, [a*e] matches any of the following: 99ae9, aaaaae, or a999e99. |
^ | The caret symbol matches the beginning of the string. |
$ | The dollar symbol matches the end of the string. (Use \n to match a newline character.) |
+ | The plus symbol specifies one or more occurrences of a character. Thus, smith+ern is equivalent to smithhhern. |
[^string] | The caret symbol inside square brackets negates the characters within the square brackets. Thus [^abc] matches any characters except a, b, or c. |
(expression) | Groups a sub-expression allowing an operator, such as * or +, to work on the sub-expression enclosed in parentheses. For example, (a*(cb+)*). |
Rule: If duplicate PolicyType parameters for the same policy type are configured, then the policy server keeps the last entry for that policy type.
For example, if the refresh interval is set to 300, the corresponding policy file is checked for changes every five minutes. If the policy file changed within the last 5 minutes, it is read again. Any new, changed, or deleted policies are either added to or removed from the policy client configuration.
Result: If the RefreshInterval parameter is updated, this new refresh interval takes effect the next time these policies are refreshed.
Restriction: Dynamic monitoring for file updates using the -i startup option is not supported for files configured on the DynamicConfigPolicyLoad statement.
```
DynamicConfigPolicyLoad (.*)_(.*)
{
  PolicyType IDS
  {
    CommonPolicyLoad //'USER1.PAGENT.REMCONF(COMIDS)'
    PolicyLoad //'USER1.PAGENT.REMCONF(IDS)'
  }
  PolicyType TTLS
  {
    CommonPolicyLoad /u/user1/pagent.remote.common.ttls
    PolicyLoad /u/user1/pagent.remote.ttls
  }
}
```
The common remote policy file statements can be referenced from the stack-specific remote policy file of the associated policy configuration. Stack-specific remote policies are defined in the stack-specific remote policy file within the same policy configuration. A stack-specific remote policy file is identified by the PolicyLoad parameter.
The configuration information defined in the file identified with the CommonPolicyLoad parameter is prepended to the configuration information defined in the file identified with the PolicyLoad parameter.
Rule: If the DynamicConfigPolicyLoad statement matches multiple policy clients, then the CommonPolicyLoad file is parsed for each policy client. Any errors contained in the file are reported multiple times.
```
DynamicConfigPolicyLoad (.*)_(.*)
{
  PolicyType IDS
  {
    CommonPolicyLoad //'USER1.PAGENT.REMCONF(COMIDS)'
    PolicyLoad //'USER1.PAGENT.REMCONF(IDS)'
  }
  PolicyType TTLS
  {
    CommonPolicyLoad /u/user1/pagent.remote.common.ttls
    PolicyLoad /u/user1/pagent.remote.ttls
  }
}
```
PolicyLoad //'ETC.REMOTE.CONF(*)'
policy client name = Remote1
Stack-specific remote IPSec policy file is:
//'ETC.REMOTE.CONF(REMOTE1)'

PolicyLoad /etc/*.remote
policy client name = REMOTE1
Stack-specific remote IPSec policy file is:
/etc/REMOTE1.remote

Regular expression = ^([A-Z].+[a-z]+)\.([A-Z].+[a-z]+)$
PolicyLoad //'ETC.$1($2)'
policy client name = SYSa.IDSClient
Stack-specific remote IDS policy file will be: //'ETC.SYSA(IDSCLIENT)'
Result: If more symbolic replacement values are specified in a file name than there are parenthesized sub-expressions in the regular expression, the extra symbolic replacement values are not replaced and exist as literal values in the file name.
Restriction: Dynamic monitoring for file updates using the -i startup option is not supported for the stack-specific remote policy file.
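The file-name derivation shown in the PolicyLoad examples above can be modelled offline to review which policy client names a clientname expression accepts and which file each would be served. This is an added example, not Policy Agent code: `resolve_policy_file` and `audit` are hypothetical names, Python's `re` stands in for the regular expression syntax in the table, and the unanchored search, single-digit `$n` values and uppercasing of `//` data set names are assumptions inferred from the page's examples.

```python
import re

# Matches a symbolic replacement value ($1..$9) or the '*' client-name wildcard.
_TOKEN = re.compile(r"\$(\d)|\*")

def resolve_policy_file(template, client_name, clientname_regex=None):
    """Return the file name derived for client_name, or None when the
    clientname regular expression does not match it."""
    groups = ()
    if clientname_regex is not None:
        # Case-sensitive match, as the page states. Assumption: unanchored
        # search, so anchoring with ^ and $ is left to the expression.
        m = re.search(clientname_regex, client_name)
        if m is None:
            return None
        groups = m.groups()

    def expand(tok):
        if tok.group(0) == "*":
            return client_name
        n = int(tok.group(1))
        if 1 <= n <= len(groups):
            return groups[n - 1] or ""
        return tok.group(0)  # extra $n stays as a literal value

    name = _TOKEN.sub(expand, template)
    # Assumption drawn from the page's examples: MVS data set names
    # (leading //) are folded to uppercase, z/OS UNIX paths are not.
    return name.upper() if name.startswith("//") else name

def audit(clientname_regex, template, client_names):
    """Map each client name the expression accepts to its derived file."""
    resolved = {}
    for name in client_names:
        path = resolve_policy_file(template, name, clientname_regex)
        if path is not None:
            resolved[name] = path
    return resolved

if __name__ == "__main__":
    # Constructed inventory: the broad expression accepts any name with '_'.
    names = ["SYSA_TTLS", "TEST_anything", "SYSB"]
    for client, path in audit(r"(.*)_(.*)", "/etc/$1.$2.remote", names).items():
        print(client, "->", path)
```

Running the audit over an inventory of expected client names shows how far an expression such as `(.*)_(.*)` reaches compared with an anchored one like the `^([A-Z].+[a-z]+)\.([A-Z].+[a-z]+)$` example.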