Policy Agent policies

Policies can be defined in several different ways.

Table 1 shows the format you can use for different policy types.

Table 1. Policy formats

Policy type           Text file format ¹   LDAP format
QoS                   Yes                  Yes ²
IDS                   Yes                  Yes ²
AT-TLS                Yes                  No
IPSec                 Yes                  No
Policy-based routing  Yes                  No

¹ The Configuration Assistant builds policy definitions only in text file format.

² The format of the LDAP schema for IDS and QoS policies was stabilized in z/OS® V1R2. Only IDS and QoS policies supported by that release are supported when you are using an LDAP server to store IDS and QoS policies. For information about defining policies on an LDAP server, see Using an LDAP server for policy definitions.

When acting as the Policy Decision Point (PDP) for a single system, Policy Agent can read policy definitions from local configuration files, a central repository that uses the Lightweight Directory Access Protocol (LDAP), or both. The Policy Agent also installs policies in one or more z/OS Communications Server stacks. It can be used to replace existing policies or to update them as necessary.

When acting as a policy server, Policy Agent also acts as a PDP for the local system, and thus can read policies from local configuration files or an LDAP server and install them in local stacks. However, it also reads policies from local configuration files on behalf of policy clients. These policies are retrieved by policy clients, but are not installed in the local stacks on the policy server.

Restriction: Dynamic monitoring for file updates using the -i startup option is not supported for files read on behalf of policy clients.

When acting as a policy client, Policy Agent retrieves remote policies from the policy server, and can also use local policies from configuration files or an LDAP server. The choice of local or remote policies can be made separately for each supported policy type (QoS, IDS, IPSec, Routing, or AT-TLS). The policy client informs the policy server of its local capabilities, so that the policy server can perform appropriate parsing of the policies. For example, the policy client might not support the IPSec 3DES encryption algorithm, so the policy server needs to fail IPSec policies that specify 3DES, even if the policy server itself does support 3DES.

If the policy client and policy server are at different release levels, you must be careful when defining policies on the policy server.

As a general rule, configure policies based on the target system, not on the system where the policies are defined.

For a table of statements, parameters, parameter values, and rules or restrictions that are valid only for certain release levels, see z/OS Communications Server: IP Configuration Reference.

The policy client can be configured with a backup as well as a primary policy server. The policy client continually tries the connection to the primary policy server (and the connection to the backup if a backup is configured) using the connection retry values configured on the ServerConnection statement, until a connection is successfully established.

Restriction: You cannot define AT-TLS policies, IPSec policies, or routing policies on LDAP servers.
Tip: Policies defined on an LDAP server use the configuration files and mechanisms provided by the LDAP server product. The definition of the elements of policies is known as the schema. z/OS Communications Server provides the schema definition for policies that may be defined on an LDAP server in a set of sample files. The sample files are provided in LDAP protocol version 3 format (see LDAP sample files for the names of these samples). These sample files must be installed on the LDAP server as the schema definition. Policy Agent uses the z/OS Integrated Security Server LDAP Client library to communicate with an LDAP server. See z/OS IBM Tivoli Directory Server Administration and Use for z/OS for more information about LDAP. A copy of the LDAP definition files that define the policy definitions for LDAP is available in z/OS Communications Server: IP Configuration Reference.

Local policies are defined in Policy Agent configuration files, in the LDAP server, or both. Remote policies are defined in Policy Agent configuration files on the policy server. Policies from configuration files and the LDAP server are combined into a single list. This requires unique policy object names per type (QoS, IDS, IPSec, Routing, and AT-TLS). On a policy client, policies for a given type are retrieved either locally or remotely, but not both.

For policies defined on the LDAP server, the distinguished name (DN) must be unique, but the user-friendly name does not have to be unique (although it should be). The Policy Agent appends a unique suffix if it is required to make LDAP user-friendly names unique within the scope of policies defined on the LDAP server. When policies from a configuration file are combined with LDAP-defined policies, the LDAP user-friendly names must be unique with respect to the names defined in the configuration file. Any policy objects of the same type (that is, QoS or IDS) with duplicate names at this point are discarded by the Policy Agent and an error is reported.
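The combining rules above (one list per policy type, LDAP user-friendly names made unique within the LDAP scope by an appended suffix, and duplicates against configuration-file names discarded with an error) are modelled in the following added example. This is illustrative code written for this page, not Policy Agent's own logic; the suffix format ("_1", "_2", ...), the treatment of a duplicate LDAP DN as an error, and the choice to discard the LDAP-defined copy on a name clash are assumptions, and the sample policies are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Policy:
    ptype: str    # QoS, IDS, IPSec, Routing or AT-TLS
    name: str     # user-friendly policy object name
    dn: str = ""  # LDAP distinguished name; empty for a configuration-file policy

def uniquify_ldap_names(ldap: List[Policy]) -> Tuple[List[Policy], List[str]]:
    """Within the LDAP scope: DNs must be unique (duplicate DN treated as an
    error here, an assumption); user-friendly names need not be, so a suffix
    is appended per type until the name is unique (suffix format assumed)."""
    errors: List[str] = []
    seen_dn = set()
    used_names = set()
    out: List[Policy] = []
    for p in ldap:
        if p.dn in seen_dn:
            errors.append(f"duplicate LDAP DN {p.dn!r}; policy discarded")
            continue
        seen_dn.add(p.dn)
        name, n = p.name, 1
        while (p.ptype, name) in used_names:
            name = f"{p.name}_{n}"   # assumed suffix format
            n += 1
        used_names.add((p.ptype, name))
        out.append(Policy(p.ptype, name, p.dn))
    return out, errors

def combine(config: List[Policy], ldap: List[Policy]):
    """Combine configuration-file and LDAP policies into a single list per
    type. Returns ({type: {name: Policy}}, [error messages])."""
    by_type: Dict[str, Dict[str, Policy]] = {}
    errors: List[str] = []
    # Configuration-file names must already be unique per type.
    for p in config:
        names = by_type.setdefault(p.ptype, {})
        if p.name in names:
            errors.append(f"{p.ptype} policy {p.name!r} duplicated in configuration file; discarded")
            continue
        names[p.name] = p
    # LDAP names, once unique among themselves, must not clash with file names.
    ldap_unique, ldap_errors = uniquify_ldap_names(ldap)
    errors.extend(ldap_errors)
    for p in ldap_unique:
        names = by_type.setdefault(p.ptype, {})
        if p.name in names:   # assumption: the LDAP copy is the one dropped
            errors.append(f"{p.ptype} policy {p.name!r} from LDAP clashes with configuration file; discarded")
            continue
        names[p.name] = p
    return by_type, errors
```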