You
can use the operator console and the MODIFY command to control the
Policy Agent functions.
Format
>>-+-MODIFY-+--procname--,-------------------------------------->
'-F------'
>--+-LOGLEVEL--,--LEVEL=n----------------------------------+---><
+-TRACE--,--LEVEL=t-------------------------------------+
+-DEBUG--,--LEVEL=d-------------------------------------+
+-MEMTRC------------------------------------------------+
+-QUERY-------------------------------------------------+
+-REFRESH-----------------------------------------------+
+-SRVLSTN-----------------------------------------------+
+-UPDATE------------------------------------------------+
'-MON--,--+-DISPLAY-----------------------------------+-'
'-+-START---+--,--+-ALL-------------------+-'
+-RESTART-+ +-DMD-------------------+
'-STOP----' +-IKED------------------+
+-NSSD------------------+
+-SYSLOGD---------------+
'-TRMD--+-------------+-'
'-,-- P=image-'
Parameters
- procname
- The member name of the cataloged procedure used to start the Policy
Agent.
- LOGLEVEL,LEVEL=n
- Changes the Policy Agent LogLevel. The required log level is n.
If n is not specified, then the current
LogLevel remains the same. See LogLevel statement information
in the z/OS Communications Server: IP Configuration
Reference for details on how to define the Policy Agent
LogLevel.
- TRACE,LEVEL=t
- Changes the Policy Agent start option trace level. The required
trace level is t. If t is
not specified, then the current trace level remains the same. See
the Starting Policy Agent from the z/OS® shell information in
the z/OS Communications Server: IP Configuration
Reference for details on valid Policy Agent trace levels.
Note: If
Policy Agent was started with the trace option disabled, then the
output destination of stderr will be closed. This option cannot later
be enabled by using the MODIFY command.
- DEBUG,LEVEL=d
- Changes the Policy Agent start option debug level. The required
debug level is d. If d is
not specified, then the current debug level remains the same. See
the Starting Policy Agent from the z/OS shell information in
the z/OS Communications Server: IP Configuration
Reference for details on valid Policy Agent debug levels.
- MEMTRC
- Causes the Policy Agent to dump the contents of the memory request
buffer to the log file. This buffer is used when the -m startup option
is specified, so if this option is not specified, the MEMTRC parameter
has no effect.
- QUERY
- Displays the current LogLevel, debug level, and trace level in
effect for the Policy Agent.
- REFRESH
- Triggers the Policy Agent to reread the configuration files, and,
if requested, download objects from the LDAP server. Basically you
download objects from the LDAP server only if a ReadFromDirectory
statement is included in the configuration file. Note that policies
are also refreshed if the SIGHUP signal is received by the Policy
Agent. This signal can be sent using the UNIX kill command.
If the FLUSH parameter was specified on the TcpImage or discipline
configuration statement, the REFRESH command triggers FLUSH processing.
One consequence of this is that policy statistics being collected
in the TCPIP stack are reset, because FLUSH deletes and reinstalls
all policies.
See FLUSH and PURGE considerations details
in z/OS Communications Server: IP Configuration
Guide for more information concerning the FLUSH/NOFLUSH
and PURGE/NOPURGE parameters.
Tip: If
you specify the Security Secure value on the ServicesConnection statement
and the generated AT-TLS policy is installed successfully, then the
MODIFY REFRESH command removes all AT-TLS policies, including the
generated AT-TLS policy, if FLUSH is specified for AT-TLS. The AT-TLS
policies, including the generated AT-TLS policy, are then reinstalled.
The services connection might be unavailable until the generated AT-TLS
policy is reinstalled.
- SRVLSTN
- Triggers the Policy Agent to restart the listen for services requestor
connections and if required, to reinstall the generated AT-TLS policy.
See ServicesConnection statement
information in z/OS Communications Server: IP Configuration
Reference for more details about
configuring the ServicesConnection statement.
Tips:
- If you specify the Security Secure value on the ServicesConnection
statement and the generated AT-TLS policy is installed successfully,
use the MODIFY command with the SRVLSTN parameter to trigger the Policy
Agent to reinstall the generated AT-TLS policy. Use this command when
the contents of the key ring have changed, but the key ring name is
unchanged.
- If you specify the Security Secure value on the ServicesConnection
statement and the configured local or remote AT-TLS policies did not
install successfully, use the MODIFY command with the SRVLSTN parameter
to force the generated AT-TLS policy to be installed before the local
or remote AT-TLS policies are installed. See the AT-TLS TCP/IP stack initialization access
control information in z/OS Communications Server: IP Configuration
Guide for more details about stack initialization
access control.
- If the ImageName value that is configured on the ServicesConnection
statement is not active when the ServicesConnection statement is processed,
issue the MODIFY command with the SRVLSTN parameter after the TCP/IP
image becomes active.
- UPDATE
- Triggers the Policy Agent to reread configuration files and, if
requested, download objects from the LDAP server. Basically you download
objects from the LDAP server only if a ReadFromDirectory statement
is included in the configuration file. This command is different
from the REFRESH command because Pagent only installs or removes from
the stack as appropriate any new, changed, or deleted policies.
See FLUSH and PURGE considerations information in
the in the z/OS Communications Server: IP Configuration
Guide for more information concerning the FLUSH/NOFLUSH
and PURGE/NOPURGE parameters.
- MON
- Send a command to an application that is being monitored by the
Policy Agent.
- DISPLAY
- Display information about the set of applications, including whether
or not they are being monitored, their status, and the associated
TCP/IP stack name, if any.
- START
- Start a specified application or start all applications that are
configured on the AutoMonitorApps statement to be started and stopped.
Policy Agent starts the applications using the cataloged procedure
and other parameters that are configured on the AutoMonitorApps statement.
Result: If
the Policy Agent has stopped monitoring the applications because the
applications failed to successfully start within the retry period
that was specified on the AutoMonitorParms statement, Policy Agent
resumes monitoring the running status of the applications.
- ALL
- Start all applications that are configured on the AutoMonitorApps
statement.
- DMD
- Start the Defense Manager daemon (DMD).
- IKED
- Start the IKE daemon (IKED).
- NSSD
- Start the network security services daemon (NSSD).
- SYSLOGD
- Start the syslog daemon (syslogd).
- TRMD
- Start the traffic regulation management daemon (TRMD).
- P=image
- Specifies the name of the TCP/IP stack on which the TRMD application
is running. If only one instance of TRMD is configured on the AutoMonitorApps
statement, this parameter is optional.
- RESTART
- Stop and restart a specified application or stop and restart all
applications that are configured on the AutoMonitorApps statement
to be started and stopped. Policy Agent restarts the applications
using the cataloged procedure and other parameters that are configured
on the AutoMonitorApps statement.
- ALL
- Restart all applications that are configured on the AutoMonitorApps
statement.
- DMD
- Restart the Defense Manager daemon (DMD).
- IKED
- Restart the IKE daemon (IKED).
- NSSD
- Restart the network security services daemon (NSSD).
- SYSLOGD
- Restart the syslog daemon (syslogd).
- TRMD
- Restart the traffic regulation management daemon (TRMD).
- P=image
- Specifies the name of the TCP/IP stack on which the TRMD application
is running. If only one instance of TRMD is configured on the AutoMonitorApps
statement, this parameter is optional.
- STOP
- Stop a specified application or stop all applications that are
configured on the AutoMonitorApps statement to be started and stopped.
Result: Policy
Agent stops monitoring the running status of the applications.
- ALL
- Stop all applications that are configured on the AutoMonitorApps
statement.
- DMD
- Stop the Defense Manager daemon (DMD).
- IKED
- Stop the IKE daemon (IKED).
- NSSD
- Stop the network security services daemon (NSSD).
- SYSLOGD
- Stop the syslog daemon (SYSLOGD).
- TRMD
- Stop the traffic regulation management daemon (TRMD).
- P=image
- Specifies the name of the TCP/IP stack on which the TRMD application
is running. If only one instance of TRMD is configured on the AutoMonitorApps
statement, this parameter is optional.
Examples
The following example displays
the status of applications that are monitored by the Policy Agent.
F PAGENT,MON,DISPLAY
EZD1587I PAGENT MONITOR INFORMATION
APPLICATION MONITORED JOBNAME STATUS TCP/IP STACK
DMD NO N/A N/A N/A
IKED YES IKED ACTIVE N/A
NSSD YES NSSD RESTARTING N/A
SYSLOGD YES SYSLOGD ACTIVE N/A
TRMD YES TRMD2 ACTIVE TCPIP2
TRMD YES TRMD3 INACTIVE TCPIP3