The Policy Agent component is responsible for implementing policy decisions that control network security and traffic prioritization for the z/OS environment. When initiated, the Policy Agent reads the configuration files, parses the policies, and stores the policy definitions in the TCP/IP stack, which then operates based on the policies. When the policy rule is true, one set of actions is initiated; when it is false, a different set of actions is initiated.
The Policy Agent main configuration file points to other policy files that contain specific policies for TCP/IP images. It can contain a TcpImage statement that identifies the z/OS UNIX file or MVS data set that contains the policy to be received by a stack. On its end, the TCP/IP image policy file can contain a TTLSConfig statement that identifies the z/OS UNIX file or MVS data set that contains the AT-TLS policy.
There are several types of configuration files:
Main configuration file, determined by using a standard search order
Common IPSec configuration files
Common AT-TLS configuration files
Image configuration files
Image AT-TLS configuration files
Within the AT-TLS policy file, a TTLSRule statement defines a set of conditions that are compared against the connection being checked. When a match is found, policy look-up stops, and the connection is assigned the actions associated with the rule.
The rule conditions apply to connect parameters as follows:
LocalAddr
RemoteAddr
LocalPortrange
RemotePortrange
Jobname
Userid
Direction and at least one other condition must be specified. The TTLSRule statement can reference up to three action statements. In a simple implementation for AT-TLS, these configuration statements should be defined:
TTLSGroupAction, which must specify TTLSEnabled=ON. The AT-TLS group action represents a single Language Environment process and enclave, and initializes one instance of the System SSL DLL.
TTLSEnvironmentAction, which must specify a key ring and the handshake role. The AT-TLS environment action initializes a System SSL environment within the Language Environment process that was created to represent an AT-TLS group action.
TTLSConnectionAction, which specifies attributes for a subset of connections. It is not required for a simple implementation.
You can start the Policy Agent, which runs as a UNIX process, using one of two methods:
From the z/OS shell, where its executable resides in /usr/lpp/tcpip/sbin, or
As a started task using the PAGENT command on an MVS console. You can find a sample started task procedure for PAGENT in TCPIP.SEZAINST(EZAPAGSP).
To start Policy Agent from z/OS, you need security
product authorization definition (for RACF or any other product).
The Policy Agent search order for accessing the main configuration file (PAGENT.CONF information) is:
File or data set specified with the -c startup option
File or data set specified with the PAGENT_CONFIG_FILE environment variable
The etc/pagent.conf file
These environment variables are used to tailor the Policy Agent to a particular installation:
PAGENT_CONFIG_FILE, which points to the main configuration file or data set
PAGENT_LOG_FILE, which points to the log file
PAGENT_LOG_FILE_CONTROL, which controls the number and size of log files
You might also need to define these:
TZ, which defines the local time zone, even if it is defined in /etc/profile
LIBPATH, which points to the dynamic link libraries (DLLs) needed to act as an LDAP client
To start the Policy Agent