Configuring and activating the policy agent (PAGENT)
Configure PAGENT by updating the TCP/IP profile, granting RACF® permissions to TCP/IP resources, preparing the PAGENT startup JCL, and activating syslogd.
To enable PAGENT for AT-TLS, complete
the following steps. For a more detailed description of how to install
and configure PAGENT, see the
Policy-based networking chapter
of the z/OS® Communications
Server IP Configuration Guide on the
z/OS library web page.
- Update the TCP/IP profile.
You must make two changes to the TCP/IP profile to enable AT-TLS:
- Add the statement TCPCONFIG TTLS. This activates AT-TLS inside the TCP/IP stack; without it, the AT-TLS policies that PAGENT installs are never applied to connections.
- Add PAGENT to the AUTOLOG list so that the policy agent is started automatically whenever the stack starts, and the stack is not left running without its policies after an IPL or a stack restart.
- Grant RACF permissions to TCP/IP resources.
The following RACF definitions are needed to activate PAGENT:
- Define PAGENT as a started task with its own user ID (a STARTED class profile for the PAGENT procedure). Use a dedicated ID rather than one shared with other daemons, so that the stack and BPX.DAEMON permissions granted below apply to the policy agent only.
- The EZB.INITSTACK.sysname.tcpprocname resource profile in the SERVAUTH class controls which users can access the TCP/IP stack before PAGENT has installed its policies. Give READ access only to the users that must use the stack before AT-TLS policies are in place, for example PAGENT itself, NETVIEW, DB2®, and so on. All other users are held off the stack until PAGENT is active, which closes the window in which connections could be accepted without the intended AT-TLS protection; define the profile with UACC(NONE). If the profile is not defined, no check is made and any user can use the stack during that window.
- The EZB.PAGENT.sysname.tcpprocname.* resource profile, also in the SERVAUTH class, controls which users can start, stop, refresh, and query PAGENT with the pagent and pasearch commands from TSO or the z/OS UNIX shell. Give READ access only to the administrators who need to run those commands.
- The user ID of PAGENT must have READ access to the BPX.DAEMON profile in the FACILITY class.
For more detailed information about the RACF permissions, see the sample EZARACF in the TCPIP.SEZAINST library.
- Prepare the PAGENT startup JCL.
- Copy the sample JCL PAGENT in the TCPIP.SEZAINST library
to the system procedure library (for example, SYS1.PROCLIB).
- Edit the JCL according to your installation standards. Specify the location of the PAGENT configuration file (for example, /etc/pagent/pagent.config) by setting the environment variable PAGENT_CONFIG_FILE=/etc/pagent/pagent.config. Environment variables for TCP/IP components are usually kept in a member (for example, ENVVARS) of the TCP/IP parameters library (for example, TCPIP.PARMS); the PAGENT JCL has a ddname STDENV that points to the member with the environment variable definitions.
The PAGENT configuration file (/etc/pagent/pagent.config) names the stack-specific configuration file with a TcpImage statement, for example:
    TcpImage TCPIP /etc/pagent/TCPIP.image FLUSH NOPURGE 1800
Here TCPIP is the name of the TCP/IP stack procedure, FLUSH discards any policies already in the stack when PAGENT starts, NOPURGE leaves the installed policies in place when PAGENT stops (so AT-TLS protection does not lapse while the agent is down), and 1800 is the interval in seconds at which PAGENT re-reads the image file for changes.
The stack-specific configuration file (/etc/pagent/TCPIP.image) names the AT-TLS policy file with a TTLSConfig statement:
    TTLSConfig /etc/pagent/TCPIP_TTLS.policy
- Activate the system log daemon (syslogd).
Syslogd acts as the central message logging facility for PAGENT and AT-TLS. Syslogd is not specific to the policy infrastructure, but the policy infrastructure depends on it to keep an audit trail of policy loading and of AT-TLS connection errors. If syslogd is not running, these messages are lost and a failed policy install or TLS negotiation leaves no record. Start one syslog daemon per LPAR, and start it before PAGENT so that the agent's own startup messages are captured.
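The following script is an added worked example, not part of the IBM page or the product, that pulls the four steps above together: it emits the TCP/IP profile statements for step 1, generates the RACF command set for step 2 following the EZARACF pattern, lays out the pagent.config, stack image and AT-TLS policy files of step 3, and runs a pre-flight check on that file chain before PAGENT is started. The system name SYSA, stack procedure name TCPIP, syslogd procedure name SYSLOGD, groups TCPGRP and TCPADMIN, and the scratch directory standing in for /etc/pagent are placeholders; the owner-only file permission check is an added precaution rather than a requirement of the page. The RACF commands are issued from TSO by a security administrator, not by this script.

```shell
#!/bin/sh
# Added example (not from the IBM page or product): assembles the pieces of the
# PAGENT setup described above and pre-checks them before the agent is started.
# Placeholders to adjust: system SYSA, stack procedure TCPIP, procedure SYSLOGD,
# groups TCPGRP / TCPADMIN, and a scratch directory standing in for /etc/pagent.
set -u

# Step 1: statements to merge into the TCP/IP profile (an existing AUTOLOG
# block must be extended rather than duplicated). syslogd is listed ahead of
# PAGENT so the agent's startup messages have somewhere to go.
tcpip_profile_fragment() {
    cat <<'EOF'
TCPCONFIG TTLS
AUTOLOG
  SYSLOGD
  PAGENT
ENDAUTOLOG
EOF
}

# Step 2: RACF commands following the EZARACF pattern. UACC(NONE) on the
# INITSTACK profile is what keeps ordinary applications off the stack until
# PAGENT has installed the AT-TLS policies.
racf_commands() {
    sysname=$1; proc=$2; admgrp=$3
    cat <<EOF
RDEFINE STARTED PAGENT.* STDATA(USER(PAGENT) GROUP(TCPGRP))
SETROPTS GENERIC(SERVAUTH)
RDEFINE SERVAUTH EZB.INITSTACK.$sysname.$proc UACC(NONE)
PERMIT EZB.INITSTACK.$sysname.$proc CLASS(SERVAUTH) ID(PAGENT) ACCESS(READ)
RDEFINE SERVAUTH EZB.PAGENT.$sysname.$proc.* UACC(NONE)
PERMIT EZB.PAGENT.$sysname.$proc.* CLASS(SERVAUTH) ID($admgrp) ACCESS(READ)
PERMIT BPX.DAEMON CLASS(FACILITY) ID(PAGENT) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH
SETROPTS RACLIST(STARTED) REFRESH
EOF
}

# Step 3: pagent.config -> stack image file -> AT-TLS policy file under $1
# for stack procedure $2.
write_pagent_files() {
    dir=$1; proc=$2
    mkdir -p "$dir"
    # FLUSH   discard policies already in the stack when PAGENT starts
    # NOPURGE leave installed policies in place when PAGENT stops
    # 1800    re-read the image file every 1800 seconds
    printf 'TcpImage %s %s/%s.image FLUSH NOPURGE 1800\n' "$proc" "$dir" "$proc" \
        > "$dir/pagent.config"
    printf 'TTLSConfig %s/%s_TTLS.policy\n' "$dir" "$proc" > "$dir/$proc.image"
    : > "$dir/${proc}_TTLS.policy"          # filled in by the policy topic
    # These files decide which connections are protected by TLS, so restrict
    # them to their owner (an added precaution, not a requirement of the page).
    chmod 600 "$dir/pagent.config" "$dir/$proc.image" "$dir/${proc}_TTLS.policy"
}

# Pre-flight: return 0 if the file chain is intact and no file in it is
# group- or world-writable; otherwise report the first problem and return 1.
check_pagent_files() {
    cfg=$1/pagent.config
    [ -f "$cfg" ] || { echo "missing $cfg"; return 1; }
    image=$(awk '$1 == "TcpImage" { print $3; exit }' "$cfg")
    [ -n "$image" ] && [ -f "$image" ] || { echo "no TcpImage file in $cfg"; return 1; }
    policy=$(awk '$1 == "TTLSConfig" { print $2; exit }' "$image")
    [ -n "$policy" ] && [ -f "$policy" ] || { echo "no TTLSConfig file in $image"; return 1; }
    for f in "$cfg" "$image" "$policy"; do
        mode=$(ls -ld "$f" | cut -c1-10)      # e.g. -rw-------
        case $mode in
            ?????w*|????????w?) echo "$f is group- or world-writable ($mode)"; return 1 ;;
        esac
    done
    return 0
}

# Stand-alone run: sh pagent_setup.sh demo   (writes to a scratch directory)
if [ "${1:-}" = "demo" ]; then
    scratch=$(mktemp -d)
    tcpip_profile_fragment
    racf_commands SYSA TCPIP TCPADMIN
    write_pagent_files "$scratch" TCPIP
    check_pagent_files "$scratch" && echo "pre-flight OK under $scratch"
fi
```

Run it with the demo argument to see the profile fragment, the RACF commands and the generated files; on the target system point write_pagent_files at /etc/pagent and run check_pagent_files against that directory before starting PAGENT, so that a missing or loosely permitted policy file is caught while the stack is still protected by the INITSTACK profile.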
Define and install AT-TLS policies for IBM Integration Bus by following the instructions in Defining and installing AT-TLS policies.