If you start the Policy Agent with a user ID that does not have
superuser authority [UID(0)], then read and write permission is required
for the following directories and files:
- Directories
- Files
  - Files created when you configure the PerformanceLogFile parameter
    on the PolicyPerformanceCollection statement
    For information about the PolicyPerformanceCollection statement,
    see z/OS Communications Server: IP Configuration Reference.
  - Policy Agent log files
    For information about using the -l parameter when starting Policy
    Agent from the z/OS® shell to specify the destination for the log
    file, see z/OS Communications Server: IP Configuration Reference.
  - Policy Agent pid file
    The /tmp/pagent.pid is a temporary file that the Policy Agent
    creates. This file contains the process ID of the current
    invocation of the Policy Agent.
    Restrictions:
    - If /tmp/pagent.pid is a symbolic link, it must have an owning
      UID or GID that matches the EUID or EGID that is assigned
      to the Policy Agent.
    - If /tmp/pagent.pid is a hard link or the target of a hard link,
      users that are outside the owner or group of the directory
      in which /tmp/pagent.pid is stored cannot have write access
      to the directory. Additionally, write access to /tmp/pagent.pid
      must be limited to the owning UID or group, for example,
      --w--w---- permissions.
Requirement: To automatically monitor
applications, you must start Policy Agent with a user ID that has
superuser authority [UID(0)]. For sample RACF® commands,
see the EZARACF member of SEZAINST.
At initialization, the Policy Agent creates a z/OS UNIX file
called /tmp/tcpname.Pagent.tmp for every TCP/IP stack defined on a
TcpImage statement, where tcpname is the name of the TCP/IP stack
from that TcpImage statement. During TCP/IP stack initialization,
the TCP/IP stack attempts to modify the file by this name to notify
the Policy Agent that the stack has been reactivated. This causes
the Policy Agent to automatically attempt to reinstall the existing
policies to this stack.
When /tmp/tcpname.Pagent.tmp is in a
read/write sysplex-aware z/OS file
system (zFS), a symbolic link can be created to a file that is in
a hierarchical file system (HFS) or in a read-only zFS to enable the
update notification. In the following example, the ln command
is used to create a symbolic link to a file in /mydir, where /mydir
is in an HFS or a read-only zFS:
ln -s /mydir/TCPIP.Pagent.link /tmp/TCPIP.Pagent.tmp
Restrictions:
- Policy Agent
  - If /tmp/tcpname.Pagent.tmp is a symbolic link, it must
    have an owning UID or GID that matches the EUID or EGID that is
    assigned to the Policy Agent.
  - If /tmp/tcpname.Pagent.tmp is a hard link or the target
    of a hard link, users that are outside the owner or group of
    the directory in which /tmp/tcpname.Pagent.tmp is stored
    cannot have write access to the directory. Additionally, write
    access to /tmp/tcpname.Pagent.tmp must be limited to
    the owning UID or group, for example, --w--w---- permissions.
- TCP/IP stack
  - If /tmp/tcpname.Pagent.tmp is a symbolic link, it must
    have an owning UID or GID that matches the EUID or EGID that is
    assigned to the TCP/IP stack.
  - If /tmp/tcpname.Pagent.tmp is a hard link or the target
    of a hard link, users that are outside the owner or group of the
    directory in which /tmp/tcpname.Pagent.tmp is stored cannot have
    write access to the directory.
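The symbolic-link and hard-link restrictions listed for /tmp/pagent.pid and /tmp/tcpname.Pagent.tmp can be checked before Policy Agent is started. The following shell function is an added example, not IBM-supplied code. The name check_link_rules and its arguments are assumptions. It applies the Policy Agent form of the restrictions and reads only the permission bits reported by ls, not ACLs.

```shell
#!/bin/sh
# Added example (not IBM code): check one file, for example /tmp/pagent.pid
# or /tmp/TCPIP.Pagent.tmp, against the link restrictions listed above.
# Hypothetical usage: check_link_rules FILE UID GID
#   UID and GID are the numeric EUID and EGID assigned to Policy Agent.
# Limits: reads permission bits only (no ACLs); FILE must not contain newlines.
check_link_rules() {
    file=$1 want_uid=$2 want_gid=$3 rc=0
    # ls -ldn reports the link itself, with numeric owner and group
    line=$(ls -ldn "$file" 2>/dev/null) || { echo "FAIL $file: not found"; return 2; }
    read -r mode links uid gid rest <<EOF
$line
EOF
    case $mode in
    l*) # Symbolic link: owning UID or GID must match the EUID or EGID
        if [ "$uid" != "$want_uid" ] && [ "$gid" != "$want_gid" ]; then
            echo "FAIL $file: link owner $uid:$gid matches neither UID $want_uid nor GID $want_gid"
            rc=1
        fi ;;
    -*) # Regular file with more than one name: a hard link or its target
        if [ "$links" -gt 1 ]; then
            dir=$(dirname "$file")
            dmode=$(ls -ldn "$dir" | cut -c1-10)
            # Character 9 of the mode string is the write bit for "other"
            case $dmode in
            ????????w*) echo "FAIL $dir: directory is writable by other users"; rc=1 ;;
            esac
            case $mode in
            ????????w*) echo "FAIL $file: file is writable by other users"; rc=1 ;;
            esac
        fi ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK   $file"
    return "$rc"
}

# Run directly as: sh check_links.sh /tmp/pagent.pid 0 0
if [ "$#" -ge 3 ]; then
    check_link_rules "$@"
fi
```

A hard-linked file in a directory with mode drwxrwxrwt fails the directory check, because the write bit for other users is set.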
To ensure that only one Policy Agent is started, the Policy Agent
uses the following enqueue:
- Enqueue name is TCP_TCPI
- Resource name is TCPIP.PAGENT
When starting from the shell, note that the Policy Agent executable
file is in the /usr/lpp/tcpip/sbin directory. There is also a link
from the /usr/sbin directory. Make sure your PATH statement contains
either the /usr/sbin or /usr/lpp/tcpip/sbin directory.
For example, the following command starts Policy Agent with these
characteristics:
pagent -c /u/user10/pldap.conf -l SYSLOGD &
- Policy Agent uses the configuration file /u/user10/pldap.conf
- Policy Agent logs output to the syslog daemon (SYSLOGD). Note
that "SYSLOGD" must be specified in uppercase to obtain
this behavior.
Use the S PAGENT command on an MVS™ console
or SDSF to start the Policy Agent as a started task. A sample procedure
is shipped in member EZAPAGSP in SEZAINST.