Define the port for clients to connect, and policy client matching statements to select the configuration files to be used for clients. Create user IDs on the server to match the user IDs of clients, and set up security.
If you want to use the Policy Agent as a policy server, perform these steps:
You can use a regular expression for the policy client name on the DynamicConfigPolicyLoad statement to cause the statement to match multiple policy clients. For a description of supported regular expressions on the DynamicConfigPolicyLoad statement, see z/OS Communications Server: IP Configuration Reference.
For example, the expression (.+)_(.+) matches any client name composed of one or more characters, followed by an underscore, followed by one or more characters. The default client names configured on the PolicyServer statement on the policy client would match this expression.
You can use two different methods to substitute all or part of the client name in parts of the image-specific file name.
The matching hierarchy used is as follows:
The following example shows DynamicConfigPolicyLoad statements that match by using a regular expression to simulate a simple wildcard, and the resulting configuration files that are used, for IPSec policies:

```
DynamicConfigPolicyLoad Rem.*
{
  PolicyType IPSec
  {
    CommonPolicyLoad //'ETC.COMMON.IPSEC'
    PolicyLoad //'ETC.IPSEC(*)'
  }
}
DynamicConfigPolicyLoad Remote.*
{
  PolicyType IPSec
  {
    PolicyLoad /etc/*.ipsec
  }
}
DynamicConfigPolicyLoad Remote5
{
  PolicyType IPSec
  {
    CommonPolicyLoad /user10/common_remote.ipsec
    PolicyLoad /user10/pagent_remote5.ipsec
  }
}
```
The resulting configuration files used for a variety of policy clients are shown in Table 1:
Policy client name | Matching statement | Common IPSec configuration file | Image IPSec configuration file |
---|---|---|---|
Remote1 | Remote.* | None | /etc/Remote1.ipsec |
Remote5 | Remote5 | /user10/common_remote.ipsec | /user10/pagent_remote5.ipsec |
Rem42 | Rem.* | //'ETC.COMMON.IPSEC' | //'ETC.IPSEC(REM42)' |
remote5 | Not applicable | None | /etc/pagent_remote.ipsec |
The following example shows a DynamicConfigPolicyLoad statement that matches by using a more complex regular expression, and the resulting configuration files that are used, for IDS policies. The regular expression matches two strings separated by an underscore character. Each string must begin with an uppercase alphabetic character and end with a numeric character; the two captured strings are substituted for $1 and $2 in the image-specific file name.

```
DynamicConfigPolicyLoad ^([A-Z].+[0-9]+)_([A-Z].+[0-9]+)$
{
  PolicyType IDS
  {
    CommonPolicyLoad //'ETC.COMMON.IDS'
    PolicyLoad //'ETC.$1($2)'
  }
}
```
The resulting configuration files used for a variety of policy clients are shown in Table 2:
Policy client name | Matching statement | Common IDS configuration file | Image IDS configuration file |
---|---|---|---|
SYS42_TCPIP2 | ^([A-Z].+[0-9]+)_([A-Z].+[0-9]+)$ | //'ETC.COMMON.IDS' | //'ETC.SYS42(TCPIP2)' |
Remote1_Image5 | ^([A-Z].+[0-9]+)_([A-Z].+[0-9]+)$ | //'ETC.COMMON.IDS' | //'ETC.REMOTE1(IMAGE5)' |
SYS123_TCPIP | Not applicable | None | /etc/pagent_remote.ids |
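The following Python model reproduces both Table 1 and Table 2 from the statements above. It is an added example, not code from the page or from z/OS Communications Server, and it makes two labelled assumptions: that a statement whose name equals the client name literally takes precedence, and that among several matching regular expressions the longest pattern wins (the page's own hierarchy list is not reproduced here). The `*` and `$n` substitutions, the upper-casing of names inside MVS data set names, and the `/etc/pagent_remote.<type>` fallback are taken from the examples and tables above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Unmatched clients fall back to this default image file; the tables above show
# /etc/pagent_remote.ipsec and /etc/pagent_remote.ids for "Not applicable" rows.
DEFAULT_IMAGE_FILE = "/etc/pagent_remote.{ext}"


@dataclass(frozen=True)
class DynamicConfigPolicyLoad:
    """One DynamicConfigPolicyLoad statement reduced to the fields used here."""
    name: str                          # literal client name or regular expression
    policy_type: str                   # "IPSec" or "IDS"
    policy_load: str                   # image-specific file template
    common_policy_load: Optional[str] = None


@dataclass(frozen=True)
class Resolution:
    matching_statement: str            # pattern that matched, or "Not applicable"
    common_file: Optional[str]
    image_file: str


def substitute(template: str, client: str, groups: tuple) -> str:
    """Expand '*' to the whole client name and '$n' to capture group n.

    Names inside MVS data set names (templates starting with //') are folded
    to upper case, as in the tables above (Rem42 -> //'ETC.IPSEC(REM42)');
    z/OS UNIX paths keep the client's case (Remote1 -> /etc/Remote1.ipsec).
    """
    fold = str.upper if template.startswith("//'") else (lambda s: s)
    expanded = template.replace("*", fold(client))

    def group_ref(m: re.Match) -> str:
        n = int(m.group(1))
        return fold(groups[n - 1]) if 0 < n <= len(groups) else ""

    return re.sub(r"\$(\d+)", group_ref, expanded)


def select_statement(client: str, statements: list) -> tuple:
    """Pick the statement for a client (precedence is an assumption, see lead-in).

    A literal name match wins; otherwise the longest matching regular
    expression wins. Matching is a case-sensitive search, which is why the
    page's anchored pattern carries explicit ^ and $.
    """
    for st in statements:
        if st.name == client:
            return st, ()
    best = None
    for st in statements:
        m = re.search(st.name, client)
        if m and (best is None or len(st.name) > len(best[0].name)):
            best = (st, m.groups())
    return best if best else (None, ())


def resolve(client: str, statements: list, ext: str) -> Resolution:
    """Return the matching statement and the common/image files for one client."""
    st, groups = select_statement(client, statements)
    if st is None:
        return Resolution("Not applicable", None, DEFAULT_IMAGE_FILE.format(ext=ext))
    common = substitute(st.common_policy_load, client, groups) if st.common_policy_load else None
    return Resolution(st.name, common, substitute(st.policy_load, client, groups))


# The three IPSec statements and the one IDS statement from the page, as data.
IPSEC_STATEMENTS = [
    DynamicConfigPolicyLoad("Rem.*", "IPSec", "//'ETC.IPSEC(*)'", "//'ETC.COMMON.IPSEC'"),
    DynamicConfigPolicyLoad("Remote.*", "IPSec", "/etc/*.ipsec"),
    DynamicConfigPolicyLoad("Remote5", "IPSec", "/user10/pagent_remote5.ipsec",
                            "/user10/common_remote.ipsec"),
]
IDS_STATEMENTS = [
    DynamicConfigPolicyLoad(r"^([A-Z].+[0-9]+)_([A-Z].+[0-9]+)$", "IDS",
                            "//'ETC.$1($2)'", "//'ETC.COMMON.IDS'"),
]

if __name__ == "__main__":
    for name in ("Remote1", "Remote5", "Rem42", "remote5"):
        print(name, resolve(name, IPSEC_STATEMENTS, "ipsec"))
    for name in ("SYS42_TCPIP2", "Remote1_Image5", "SYS123_TCPIP"):
        print(name, resolve(name, IDS_STATEMENTS, "ids"))
```

Running the block prints one line per client name from the two tables; the `remote5` and `SYS123_TCPIP` rows show that matching is case-sensitive and that a client whose name does not satisfy the whole anchored expression gets the default file rather than a partial substitution.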
A SAF user ID representing a policy client must be defined to the security product. The user ID must be defined with an OMVS segment. When RACF® is used as the security product, define the SAF user ID with the following command:
```
ADDUSER client PASSWORD(password) DFLTGRP(OMVSGRP) OMVS(UID(x) HOME('/home/client'))
```
Policy clients do not need unique user IDs, although you can configure them that way. The user ID is used for two purposes on the policy server:
```
PERMIT BPX.DAEMON CLASS(FACILITY) ID(userid) ACCESS(READ)
```
```
RDEFINE PTKTDATA profile SSIGNON(KEYMASKED(key)) UACC(UPDATE)
```
The application name used by Policy Agent is PAGENT, so you need to define a profile with this name. The application key defined in the profiles must be the same on the policy client and policy server.
An example of the AT-TLS policy statements used to enable AT-TLS for the policy server is as follows:
```
TTLSRule PolicyServerRule
{
  LocalPortRange 16310
  JobName PAGENT
  Direction Inbound
  TTLSGroupActionRef PolicyServerGroup
  TTLSEnvironmentActionRef PolicyServerConn
}
TTLSGroupAction PolicyServerGroup
{
  TTLSEnabled On
}
TTLSEnvironmentAction PolicyServerConn
{
  TTLSKeyRingParms
  {
    Keyring PAGENT/keyring
  }
  TTLSCipherParmsRef RequireEncryption
  HandshakeRole SERVER
}
TTLSCipherParms RequireEncryption
{
  V3CipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_DH_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_DH_DSS_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_DH_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_DH_DSS_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_DHE_RSA_WITH_DES_CBC_SHA
  V3CipherSuites TLS_DHE_DSS_WITH_DES_CBC_SHA
  V3CipherSuites TLS_DH_RSA_WITH_DES_CBC_SHA
  V3CipherSuites TLS_DH_DSS_WITH_DES_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_DES_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_RC4_128_SHA
  V3CipherSuites TLS_RSA_WITH_RC4_128_MD5
  V3CipherSuites TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  V3CipherSuites TLS_RSA_EXPORT_WITH_RC4_40_MD5
}
```
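The cipher list above accepts export-grade (40-bit), RC4, single-DES and 3DES suites, all of which are obsolete, so a client offering only those would still negotiate a weak session. As an added example (not from the page and not an IBM-supplied configuration), the same TTLSCipherParms definition restricted to the AES suites that already appear in the list above; whether every policy client in your environment supports these suites is an assumption you should confirm before removing the older ones:

```text
TTLSCipherParms RequireEncryption
{
  V3CipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
}
```

The DHE suites are listed first so that a client which supports them gets forward secrecy; the static RSA suites remain only as a fallback for clients that cannot do a Diffie-Hellman handshake.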
```
PERMIT EZB.INITSTACK.sysname.tcpname CLASS(SERVAUTH) ID(userid) ACCESS(READ)
```