You can configure remote IP security policy using a unique
and separate stack-specific IP security configuration file for each
stack on the z/OS® policy client
system. In this instance, a common IP security configuration file
is not necessary.
Procedure
Perform the following steps to configure remote IP security
policy using only a stack-specific IP security configuration file.
- In the main Policy Agent configuration file on the policy
client, include the ServerConnection statement, and a line with the
TcpImage statement for each IP security stack to be configured:
ServerConnection
{
…
}
TcpImage TCPCS /etc/TCPCS.image
TcpImage TCPCS2 /etc/TCPCS2.image
⋮
- In each configuration file that was identified on the TcpImage
statement shown in step 1, include a PolicyServer statement. For example, in /etc/TCPCS.image:
PolicyServer
{
ClientName IPSecClientTCPCS
PolicyType IPSec
{
…
}
…
}
In /etc/TCPCS2.image:
PolicyServer
{
ClientName IPSecClientTCPCS2
PolicyType IPSec
{
…
}
…
}
- In the main configuration file on the policy server, include
DynamicConfigPolicyLoad statements, as follows:
DynamicConfigPolicyLoad IPSecClientTCPCS
{
PolicyType IPSec
{
PolicyLoad /etc/TCPCS.ipsecpol
}
…
}
DynamicConfigPolicyLoad IPSecClientTCPCS2
{
PolicyType IPSec
{
PolicyLoad /etc/TCPCS2.ipsecpol
}
…
}
Results
Each stack on the z/OS policy
client system will adhere to the policy that is specified by its unique
policy file. Stack TCPCS uses the policy that is configured in /etc/TCPCS.ipsecpol
on the policy server, and stack TCPCS2 uses the policy that is configured
in /etc/TCPCS2.ipsecpol on the policy server.