Action refresh

When Policy Agent is stopped and restarted, or when policy files are changed, policy objects that are currently in use might be deleted or replaced. When an AT-TLS action is deleted or replaced, connections using the old object continue processing without change. Connections that search AT-TLS policy after the change use the new action objects. A change to an AT-TLS group action causes a new Language Environment® process to be created, along with new SSL environments for each user or application environment associated with that group. A change to an AT-TLS environment action causes new SSL environments to be initialized within each group with which that environment is associated. System SSL reopens key rings and certificates, and creates an empty session ID cache when it initializes an SSL environment.

There are cases when a change is made that is not reflected by a change in the action. For example, the default certificate in a key ring might change. The key ring name has not changed, but there is a need to open a new environment. Simply refreshing policy will not refresh the AT-TLS environment action in AT-TLS, because no values within the action have changed. To force a refresh in AT-TLS, some parameter must be changed. The EnvironmentUserInstance parameter can be used for this purpose. Incrementing the instance number forces a refresh of AT-TLS without changing any of the security parameters. Similarly, changes to the contents of the environment file named in a group action will not be applied until the group action is changed. The GroupUserInstance parameter can be used to force an AT-TLS refresh of the group, creating a new Language Environment process using the new environment file contents.
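As an added illustration (not IBM's code and not part of the original page), the following Python sketch increments EnvironmentUserInstance in every TTLSEnvironmentAction that names a given key ring, for example after that key ring's default certificate has changed, and leaves all other parameters untouched. The function names, the sample action and key ring names, and the treatment of an omitted EnvironmentUserInstance as 0 are assumptions made for the example.

```python
import re
# Constructed sample, not from the page: action and key ring names are invented.
SAMPLE_POLICY = """\
TTLSEnvironmentAction eActServer
{
  HandshakeRole Server
  TTLSKeyRingParms
  {
    Keyring SERVER_RING
  }
  EnvironmentUserInstance 3
}
TTLSEnvironmentAction eActClient
{
  HandshakeRole Client
  TTLSKeyRingParms
  {
    Keyring CLIENT_RING
  }
}
"""
HEADER = re.compile(r"^\s*TTLSEnvironmentAction\s+(\S+)\s*$")
INSTANCE = re.compile(r"^([ \t]*EnvironmentUserInstance[ \t]+)(\d+)[ \t]*$", re.M)
def bump_block(block):
    text, n = INSTANCE.subn(lambda m: m.group(1) + str(int(m.group(2)) + 1), "\n".join(block))
    if n:
        return text.split("\n")
    # Assumption: an omitted EnvironmentUserInstance counts as 0, so adding 1 is a change.
    return block[:-1] + ["  EnvironmentUserInstance 1", block[-1]]

def bump_environment_instance(policy_text, keyring):
    """Bump every TTLSEnvironmentAction naming `keyring`; return (text, action names)."""
    out, bumped, block, name, depth = [], [], None, None, 0
    for line in policy_text.splitlines():
        m = HEADER.match(line)
        if block is None and m:
            block, name = [], m.group(1)
        if block is None:
            out.append(line)  # outside any environment action: copy through
            continue
        block.append(line)
        depth += line.count("{") - line.count("}")
        if "}" in line and depth == 0:  # closing brace of this statement
            if any(l.split() == ["Keyring", keyring] for l in block):
                block = bump_block(block)
                bumped.append(name)
            out.extend(block)
            block = None
    return "\n".join(out + (block or [])) + "\n", bumped
```

The returned list of action names shows which environments will be reinitialized once the edited file is picked up by Policy Agent; an empty list means no action referenced the key ring and the text is returned unchanged.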

Sometimes after you have made a change to an AT-TLS policy, the changed policies are not automatically reinstalled by the Policy Agent; new connections might fail until the policies are reinstalled. If you see AT-TLS connection setup errors with message EZD1286I or EZD1287I after you made an AT-TLS configuration change, you can force all AT-TLS policies to be reinstalled by refreshing the Policy Agent. From the MVS™ console, issue the MODIFY procname,REFRESH command. For more information about controlling the refresh of policies using the TcpImage and PEPInstance statements, see z/OS Communications Server: IP Configuration Reference.