MODIFY command: Policy Agent

You can use the operator console and the MODIFY command to control the Policy Agent functions.

Format:

MODIFY | F  procname,
      LOGLEVEL,LEVEL=n
    | TRACE,LEVEL=t
    | DEBUG,LEVEL=d
    | MEMTRC
    | QUERY
    | REFRESH
    | SRVLSTN
    | UPDATE
    | MON,DISPLAY
    | MON,{START | RESTART | STOP},{ALL | DMD | IKED | NSSD | SYSLOGD | TRMD,P=image}

Parameters:

procname
The member name of the cataloged procedure used to start the Policy Agent.
LOGLEVEL,LEVEL=n
Changes the Policy Agent LogLevel. The required log level is n. If n is not specified, then the current LogLevel remains the same. See LogLevel statement information in the z/OS Communications Server: IP Configuration Reference for details on how to define the Policy Agent LogLevel.
TRACE,LEVEL=t
Changes the Policy Agent start option trace level. The required trace level is t. If t is not specified, then the current trace level remains the same. See the Starting Policy Agent from the z/OS® shell information in the z/OS Communications Server: IP Configuration Reference for details on valid Policy Agent trace levels.
Note: If Policy Agent was started with the trace option disabled, then the output destination of stderr will be closed. This option cannot later be enabled by using the MODIFY command.
DEBUG,LEVEL=d
Changes the Policy Agent start option debug level. The required debug level is d. If d is not specified, then the current debug level remains the same. See the Starting Policy Agent from the z/OS shell information in the z/OS Communications Server: IP Configuration Reference for details on valid Policy Agent debug levels.
MEMTRC
Causes the Policy Agent to dump the contents of the memory request buffer to the log file. This buffer is used when the -m startup option is specified, so if this option is not specified, the MEMTRC parameter has no effect.
QUERY
Displays the current LogLevel, debug level, and trace level in effect for the Policy Agent.
REFRESH
Triggers the Policy Agent to reread the configuration files and, if requested, download objects from the LDAP server. Objects are downloaded from the LDAP server only if a ReadFromDirectory statement is included in the configuration file. Policies are also refreshed if the Policy Agent receives the SIGHUP signal, which can be sent using the UNIX kill command. If the FLUSH parameter was specified on the TcpImage or discipline configuration statement, the REFRESH command triggers FLUSH processing. One consequence is that policy statistics being collected in the TCP/IP stack are reset, because FLUSH deletes and reinstalls all policies.

See FLUSH and PURGE considerations details in z/OS Communications Server: IP Configuration Guide for more information concerning the FLUSH/NOFLUSH and PURGE/NOPURGE parameters.

Tip: If you specify the Security Secure value on the ServicesConnection statement and the generated AT-TLS policy is installed successfully, then the MODIFY REFRESH command removes all AT-TLS policies, including the generated AT-TLS policy, if FLUSH is specified for AT-TLS. The AT-TLS policies, including the generated AT-TLS policy, are then reinstalled. The services connection might be unavailable until the generated AT-TLS policy is reinstalled.

SRVLSTN
Triggers the Policy Agent to restart the listen for services requestor connections and, if required, to reinstall the generated AT-TLS policy. See ServicesConnection statement information in z/OS Communications Server: IP Configuration Reference for more details about configuring the ServicesConnection statement.
Tips:
  • If you specify the Security Secure value on the ServicesConnection statement and the generated AT-TLS policy is installed successfully, use the MODIFY command with the SRVLSTN parameter to trigger the Policy Agent to reinstall the generated AT-TLS policy. Use this command when the contents of the key ring have changed, but the key ring name is unchanged.
  • If you specify the Security Secure value on the ServicesConnection statement and the configured local or remote AT-TLS policies did not install successfully, use the MODIFY command with the SRVLSTN parameter to force the generated AT-TLS policy to be installed before the local or remote AT-TLS policies are installed. See the AT-TLS TCP/IP stack initialization access control information in z/OS Communications Server: IP Configuration Guide for more details about stack initialization access control.
  • If the ImageName value that is configured on the ServicesConnection statement is not active when the ServicesConnection statement is processed, issue the MODIFY command with the SRVLSTN parameter after the TCP/IP image becomes active.
UPDATE
Triggers the Policy Agent to reread the configuration files and, if requested, download objects from the LDAP server. Objects are downloaded from the LDAP server only if a ReadFromDirectory statement is included in the configuration file. This command differs from the REFRESH command in that the Policy Agent installs in, or removes from, the stack only the policies that are new, changed, or deleted.

See FLUSH and PURGE considerations information in the z/OS Communications Server: IP Configuration Guide for more information concerning the FLUSH/NOFLUSH and PURGE/NOPURGE parameters.

MON
Send a command to an application that is being monitored by the Policy Agent.
DISPLAY
Display information about the set of applications, including whether or not they are being monitored, their status, and the associated TCP/IP stack name, if any.
START
Start a specified application or start all applications that are configured on the AutoMonitorApps statement to be started and stopped. Policy Agent starts the applications using the cataloged procedure and other parameters that are configured on the AutoMonitorApps statement.

Result: If the Policy Agent has stopped monitoring the applications because the applications failed to successfully start within the retry period that was specified on the AutoMonitorParms statement, Policy Agent resumes monitoring the running status of the applications.

ALL
Start all applications that are configured on the AutoMonitorApps statement.
DMD
Start the Defense Manager daemon (DMD).
IKED
Start the IKE daemon (IKED).
NSSD
Start the network security services daemon (NSSD).
SYSLOGD
Start the syslog daemon (syslogd).
TRMD
Start the traffic regulation management daemon (TRMD).
P=image
Specifies the name of the TCP/IP stack on which the TRMD application is running. If only one instance of TRMD is configured on the AutoMonitorApps statement, this parameter is optional.
RESTART
Stop and restart a specified application or stop and restart all applications that are configured on the AutoMonitorApps statement to be started and stopped. Policy Agent restarts the applications using the cataloged procedure and other parameters that are configured on the AutoMonitorApps statement.
ALL
Restart all applications that are configured on the AutoMonitorApps statement.
DMD
Restart the Defense Manager daemon (DMD).
IKED
Restart the IKE daemon (IKED).
NSSD
Restart the network security services daemon (NSSD).
SYSLOGD
Restart the syslog daemon (syslogd).
TRMD
Restart the traffic regulation management daemon (TRMD).
P=image
Specifies the name of the TCP/IP stack on which the TRMD application is running. If only one instance of TRMD is configured on the AutoMonitorApps statement, this parameter is optional.
STOP
Stop a specified application or stop all applications that are configured on the AutoMonitorApps statement to be started and stopped.

Result: Policy Agent stops monitoring the running status of the applications.

ALL
Stop all applications that are configured on the AutoMonitorApps statement.
DMD
Stop the Defense Manager daemon (DMD).
IKED
Stop the IKE daemon (IKED).
NSSD
Stop the network security services daemon (NSSD).
SYSLOGD
Stop the syslog daemon (syslogd).
TRMD
Stop the traffic regulation management daemon (TRMD).
P=image
Specifies the name of the TCP/IP stack on which the TRMD application is running. If only one instance of TRMD is configured on the AutoMonitorApps statement, this parameter is optional.

Examples:

The following example displays the status of applications that are monitored by the Policy Agent.
F PAGENT,MON,DISPLAY

EZD1587I PAGENT MONITOR INFORMATION
APPLICATION  MONITORED  JOBNAME  STATUS      TCP/IP STACK
DMD          NO         N/A      N/A         N/A
IKED         YES        IKED     ACTIVE      N/A
NSSD         YES        NSSD     RESTARTING  N/A
SYSLOGD      YES        SYSLOGD  ACTIVE      N/A
TRMD         YES        TRMD2    ACTIVE      TCPIP2
TRMD         YES        TRMD3    INACTIVE    TCPIP3
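
The following Python sketch is an added example, not part of the IBM documentation: it parses an EZD1587I display like the one above and lists the security daemons that are unmonitored or monitored but not ACTIVE, which is the check an operator makes by eye after F PAGENT,MON,DISPLAY. It assumes the input is the message text exactly as shown (no console timestamp or job prefix); the function names and the rule that any status other than ACTIVE is reported are choices made for this example.

```python
from dataclasses import dataclass

# Constructed sample: the EZD1587I display from the example above.
SAMPLE = """\
EZD1587I PAGENT MONITOR INFORMATION
APPLICATION  MONITORED  JOBNAME  STATUS      TCP/IP STACK
DMD          NO         N/A      N/A         N/A
IKED         YES        IKED     ACTIVE      N/A
NSSD         YES        NSSD     RESTARTING  N/A
SYSLOGD      YES        SYSLOGD  ACTIVE      N/A
TRMD         YES        TRMD2    ACTIVE      TCPIP2
TRMD         YES        TRMD3    INACTIVE    TCPIP3
"""
# Application names accepted by the MON parameter on this page.
APPS = {"DMD", "IKED", "NSSD", "SYSLOGD", "TRMD"}

@dataclass(frozen=True)
class AppStatus:
    application: str
    monitored: bool
    jobname: str
    status: str
    stack: str

def parse_monitor_display(text):
    """Return one AppStatus per data row of an EZD1587I display."""
    lines = text.splitlines()
    start = next((i for i, ln in enumerate(lines) if "EZD1587I" in ln), None)
    if start is None:
        raise ValueError("EZD1587I header not found")
    rows = []
    for line in lines[start + 1:]:
        fields = line.split()
        if len(fields) != 5 or fields[0] not in APPS:
            continue  # column header, blank line or unrelated message
        app, mon, job, status, stack = fields
        rows.append(AppStatus(app, mon == "YES", job, status, stack))
    return rows

def findings(rows):
    """Flag rows that are unmonitored, or monitored but not ACTIVE (assumed rule)."""
    out = []
    for r in rows:
        # Name the row as application[,P=stack] so TRMD instances stay distinct.
        target = r.application if r.stack == "N/A" else f"{r.application},P={r.stack}"
        if not r.monitored:
            out.append((target, "not monitored"))
        elif r.status != "ACTIVE":
            out.append((target, f"status {r.status}"))
    return out
```

Run against the sample, findings(parse_monitor_display(SAMPLE)) reports DMD as not monitored, NSSD as RESTARTING and the TRMD instance on TCPIP3 as INACTIVE.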