IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Configuring and activating the policy agent (PAGENT)

Configure PAGENT by updating the TCP/IP profile, granting RACF® permission to TCP/IP resources, preparing the PAGENT startup JCL, and activating syslogd.

Before you start:
To enable PAGENT for AT-TLS, complete the following steps. For a more detailed description of how to install and configure PAGENT, see the Policy-based networking chapter of the z/OS® Communications Server IP Configuration Guide on the z/OS library web page.
  1. Update the TCP/IP profile.
    You must make two changes to the TCP/IP profile to enable AT-TLS:
    • Add the statement TCPCONFIG TTLS to activate the functionality of AT-TLS inside the TCP/IP stack.
    • Add PAGENT to the AUTOLOG list.
  2. Grant RACF permissions to TCP/IP resources.
    Users require permissions to the following resources as part of activating PAGENT:
    1. Define PAGENT as a started task with its own user ID.
    2. The EZB.INITSTACK.sysname.tcpprocname resource profile controls which users can have access to the TCP/IP stack before PAGENT is active. Give READ access to all users who do not require PAGENT policies to access the TCP/IP stack; for example, PAGENT, NETVIEW, DB2®, and so on.
    3. The EZB.PAGENT.sysname.tcpprocname.* resource controls which users can start, stop, and refresh PAGENT. Give READ access to the users who are allowed to run the TSO/Unix commands Pagent or pasearch.
    4. The user ID of PAGENT must have READ access to the BPX.DAEMON facility.
    For more detailed information about the RACF permissions, check the sample EZARACF in the TCPIP.SEZAINST library.
  3. Prepare the PAGENT startup JCL.
    1. Copy the sample JCL PAGENT in the TCPIP.SEZAINST library to the system procedure library (for example, SYS1.PROCLIB).
    2. Edit the JCL according to your installation standards. Specify the location of the PAGENT configuration file (for example, /etc/pagent/pagent.config). You can specify the location and name of the configuration file by setting the environment variable PAGENT_CONFIG_FILE=/etc/pagent/pagent.config. The environment variables for the TCP/IP stack are usually specified in a member (for example, ENVVARS) of the TCP/IP parameters library (for example, TCPIP.PARMS). The PAGENT JCL has ddname STDENV that points to the member with the environment variables definitions.

      The PAGENT configuration file (/etc/pagent/pagent.config) specifies the location and name of the PAGENT stack-specific configuration file by using the statement TcpImage:

        TcpImage TCPIP /etc/pagent/TCPIP.image FLUSH NOPURGE 1800

      The stack-specific configuration file (/etc/pagent/TCPIP.image) specifies the location and name of the AT-TLS policies file by using the statement TTLSConfig:

        TTLSConfig /etc/pagent/TCPIP_TTLS.policy

  4. Activate the system log daemon (syslogd).

    Syslogd acts as the central message logging facility for PAGENT and AT-TLS. Syslogd is not specific to the policy infrastructure, but the policy infrastructure depends on syslogd to provide a central logging facility to maintain an audit trail. If you do not start syslogd, messages are lost. Start one syslog daemon per LPAR.
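
A break anywhere in the chain from steps 1 and 3 (TCP/IP profile, pagent.config, stack image file, policy file) leaves AT-TLS without policies. The following pre-flight check is an added example, not IBM-supplied code. It assumes that each statement sits on one line, that profile comments start with `;` and PAGENT comments with `#`, and that TcpImage names a file path as shown above; the function names and sample contents are constructed for illustration.

```python
def statements(text, comment):
    """Split text into token lists, one per non-blank line, comments removed."""
    lines = (line.split(comment, 1)[0].split() for line in text.splitlines())
    return [tokens for tokens in lines if tokens]

def check_profile(profile):
    """Step 1: TCPCONFIG TTLS is coded and PAGENT is in the AUTOLOG list."""
    ttls = autolog = in_list = False
    for tokens in statements(profile.upper(), ";"):
        if tokens[0] == "TCPCONFIG" and "TTLS" in tokens[1:]:
            ttls = True
        in_list = in_list or tokens[0] == "AUTOLOG"
        autolog = autolog or (in_list and "PAGENT" in tokens)
        in_list = in_list and "ENDAUTOLOG" not in tokens
    return (["TCPCONFIG TTLS not found"] if not ttls else []) + \
           (["PAGENT not in AUTOLOG list"] if not autolog else [])

def find(text, keyword, index, match=None):
    """Return token `index` of the first `keyword` statement (optionally for one stack)."""
    for tokens in statements(text, "#"):
        if tokens[0].lower() == keyword and len(tokens) > index:
            if match is None or tokens[1].upper() == match:
                return tokens[index]
    return None

def check_chain(files, main="/etc/pagent/pagent.config", stack="TCPIP"):
    """Step 3: pagent.config -> TcpImage file -> TTLSConfig policy file."""
    if main not in files:
        return [f"{main} not found"]
    image = find(files[main], "tcpimage", 2, stack)
    if image is None:
        return [f"no TcpImage statement for {stack} in {main}"]
    if image not in files:
        return [f"TcpImage file {image} not found"]
    policy = find(files[image], "ttlsconfig", 1)
    if policy is None:
        return [f"no TTLSConfig statement in {image}"]
    return [] if policy in files else [f"TTLSConfig file {policy} not found"]

# Constructed sample inputs, using the example paths from this page.
PROFILE = "; constructed fragment\nTCPCONFIG TTLS\nAUTOLOG 5\n  PAGENT\nENDAUTOLOG\n"
FILES = {
    "/etc/pagent/pagent.config": "TcpImage TCPIP /etc/pagent/TCPIP.image FLUSH NOPURGE 1800\n",
    "/etc/pagent/TCPIP.image": "# stack-specific file\nTTLSConfig /etc/pagent/TCPIP_TTLS.policy\n",
    "/etc/pagent/TCPIP_TTLS.policy": "# AT-TLS rules go here\n",
}

if __name__ == "__main__":
    print(check_profile(PROFILE) + check_chain(FILES) or "configuration chain is complete")
```

To check a real system, fill `files` with the contents of copies of the three configuration files, keyed by their paths, and pass the text of the TCP/IP profile to `check_profile`.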

Define and install AT-TLS policies for IBM Integration Bus by following the instructions in Defining and installing AT-TLS policies.

bp22800_.htm | Last updated Friday, 21 July 2017