General syntax rules for Policy Agent
- Specify Policy Agent configuration files using code page IBM®-1047 for EBCDIC, unless the Codepage statement is configured.
- Only one attribute and its values can be specified per line.
- Text beyond the specified attribute and value is ignored.
- Text beginning with the # character is a comment and is ignored, unless documented otherwise.
- Comments beginning with the # character in an LDAP server ldif configuration file might only be recognized as comments at the beginning of the file; therefore do not specify such comments elsewhere in the file, as they are interpreted as part of an attribute or attribute value.
- For most range specifications, the ranges can be delimited by a colon (:), a dash (-), or a blank ( ), but these delimiters cannot be mixed within a single range specification. IP address ranges cannot use the colon or blank delimiter, unless stated otherwise.
- See z/OS Communications Server: IPv6 Network and Application Design Guide for information about types of policies that support IPv6.
- IPv6 policy is installed but is not enforceable in a stack that is not IPv6 enabled.
- IPv4-mapped IPv6 addresses and IPv6 addresses with the reserved prefix ::/96 are valid only for IP filter rules and for the Identity parameter on local and remote security end points.
- The maximum decimal value for numeric values is 4294967295, unless otherwise noted.
- Policy rule and action names are limited to 32 characters. If QoS and IDS LDAP statement names longer than 32 characters are specified, they are silently truncated. All other statements longer than 32 characters cause an error message to be written to the log.
- If a configuration file or LDAP configuration contains duplicate statement or object names, Policy Agent keeps the first or the last statement or object, as follows. The following situations are considered warnings, not errors.
  - For IDS (LDAP) and QoS, Policy Agent keeps the first entry.
  - For IDS (configuration file), IPSec, Routing, AT-TLS and ZERT, Policy Agent keeps the last entry.
- If a QoS or IDS statement or object is defined with the same name in both a configuration file and LDAP, Policy Agent keeps the first such statement or object that it reads. This is typically the statement or object in the configuration file, but as a result of timing constraints, it could also be the statement in LDAP. The last duplicate statement or object is discarded; this is considered an error.
- Specify most attributes for configuration file statements only once per statement (exceptions are noted where appropriate). If you specify the same attribute more than once, no error or warning messages are written to the log, and the last instance of the attribute is used.
- Attributes for policies defined on an LDAP server can be single- or multi-valued (meaning a single value or multiple values are allowed for that attribute). The Policy Agent detects multiple values for attributes that are defined as single valued, and treats the policy object as in error.
- The policy version is specified by the configuration file statement name, as follows:
  - ServicePolicyRules and ServiceCategories statements specify version 1 policies.
  - PolicyRule and PolicyAction statements specify version 2 policies.
  Result: The policy version of LDAP-defined objects is determined by the LDAP_SchemaVersion parameter on the ReadFromDirectory statement.
- Some configuration statements use an inline statement syntax. When a given statement is specified inline within another statement, only the inline statement name is shown in the syntax diagrams. However, the entire statement being inlined must be specified, including its own set of start and end braces ({}) and all parameters.
Tip: The name on an inline statement might or might not be optional, depending on the specific statement. In the following example, the IpFilterRule statement is included inline within the IpFilterGroup statement. A name is required on the IpFilterRule statement, for example, Rule1All-Permit, as follows:
```
IpFilterGroup ZoneAll
{
  IpFilterRule Rule1All-Permit
  {
    IpSourceAddr             All
    IpDestAddr               All
    IpServiceGroupRef        Resolver
    IpServiceRef             PathMtuDiscovery
    IpServiceGroupRef        Ping-Outbound-Only
    IpGenericFilterActionRef permit
  }
}
```
- For named inline statements where the name is optional, a nonpersistent system name is created using the named portion of the statement name with a unique identifier. This prevents reuse of the named inline statement as a reference name.
- Errors detected in a policy rule or action result in that policy object being discarded.
- For IPSec, Routing, AT-TLS or ZERT policies, any errors detected during parsing result in no new policies being installed. For all other policy types, only the policy objects that contain errors are discarded.
- If a rule refers to an action that does not exist (or has been discarded due to an error) then the rule is also discarded.
- If a Routing action refers to a route table that does not exist (or has been discarded as the result of an error), the action is also discarded.
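The rules above (one attribute per line, # comments, brace-delimited inline statements, the 32-character name limit, the first-wins or last-wins handling of duplicate names, the 4294967295 numeric ceiling and the ban on mixing range delimiters) can be checked before a file is handed to Policy Agent. The following linter is an added example, not IBM code: it assumes that IpServiceGroupRef and IpServiceRef are the attributes allowed to repeat within a statement, it uses a policy-type string (IPSec, QoS, ...) to select the duplicate rule, and the SAMPLE configuration is constructed for the example.

```python
"""Added example (not IBM code): a lint pass that applies the general syntax
rules above to Policy Agent configuration-file text. SAMPLE is constructed."""
import re

MAX_NUMERIC = 4294967295   # largest decimal value unless a statement says otherwise
MAX_NAME_LEN = 32
KEEP_LAST = {"IPSec", "Routing", "AT-TLS", "ZERT", "IDS"}   # config-file duplicates
ALL_OR_NOTHING = {"IPSec", "Routing", "AT-TLS", "ZERT"}      # any error: nothing installed
# Assumed repeatable within one statement (the IpFilterRule example above
# repeats IpServiceGroupRef); every other attribute is single-instance.
REPEATABLE = {"IpServiceGroupRef", "IpServiceRef"}
RANGE_RE = re.compile(r"^(\d+)([-: ]+)(\d+)$")

def strip_comment(line):
    """Text from '#' to end of line is a comment and is ignored."""
    return line.split("#", 1)[0].strip()

def parse(text):
    """Statements as dicts, in the order their '}' is read; inline statements
    carry their own braces and so come out as statements of their own."""
    lines = [l for l in map(strip_comment, text.splitlines()) if l]
    stack, out, i = [], [], 0
    while i < len(lines):
        line, nxt = lines[i], (lines[i + 1] if i + 1 < len(lines) else "")
        if line == "}":
            out.append(stack.pop())
        elif line.endswith("{") or nxt == "{":          # 'Type [name] {' header
            header = line.rstrip("{ ").split()
            stack.append({"type": header[0], "attrs": [],
                          "name": header[1] if len(header) > 1 else None})
            i += 1 if nxt == "{" else 0                  # brace on its own line
        else:                                            # one attribute per line
            tokens = line.split()
            stack[-1]["attrs"].append((tokens[0], " ".join(tokens[1:])))
        i += 1
    if stack:
        raise ValueError("missing '}' for " + stack[-1]["type"])
    return out

def lint(text, policy_type):
    """Return (kept statements keyed by (type, name), list of diagnostics)."""
    keep_last = policy_type in KEEP_LAST
    kept, diags = {}, []
    for s in parse(text):
        label = "%s %s" % (s["type"], s["name"] or "(unnamed)")
        seen = set()
        for attr, value in s["attrs"]:
            if attr in seen and attr not in REPEATABLE:  # silently: last instance wins
                diags.append("note: %s repeated in %s; last instance used" % (attr, label))
            seen.add(attr)
            if value.isdigit() and int(value) > MAX_NUMERIC:
                diags.append("error: %s %s exceeds %d (%s)" % (attr, value, MAX_NUMERIC, label))
            m = RANGE_RE.match(value)
            if m and len(set(m.group(2))) > 1:           # e.g. "1024 - 65535"
                diags.append("error: mixed range delimiters in %s '%s' (%s)" % (attr, value, label))
        if s["name"] is None:                            # system-generated name, never a duplicate
            continue
        if len(s["name"]) > MAX_NAME_LEN:
            diags.append("error: name longer than %d characters: %s" % (MAX_NAME_LEN, label))
            continue                                     # object in error is discarded
        key = (s["type"], s["name"])
        if key in kept:
            diags.append("warning: duplicate %s; %s definition kept" % (label, "last" if keep_last else "first"))
        if key not in kept or keep_last:
            kept[key] = s
    return kept, diags

def would_install(policy_type, diags):
    """IPSec/Routing/AT-TLS/ZERT reject all new policies on any error; others drop only the bad objects."""
    return policy_type not in ALL_OR_NOTHING or not any(d.startswith("error") for d in diags)

SAMPLE = """
# Constructed sample: Rule1 twice, a repeated attribute, an over-long name, a mixed range.
IpFilterGroup ZoneAll
{
  IpFilterRule Rule1
  {
    IpSourceAddr 10.1.1.1
    IpServiceGroupRef Resolver
    IpServiceGroupRef Ping-Outbound-Only
    IpGenericFilterActionRef permit
  }
}
IpFilterRule Rule1         # duplicate: last wins for IPSec, first for QoS
{
  IpSourceAddr All
  IpSourceAddr 192.0.2.0/24
  IpGenericFilterActionRef deny
}
IpService ThisServiceNameIsFarTooLongToBeAccepted01
{
  Protocol tcp
  DestinationPortRange 1024 - 65535
}
"""
```

Calling lint(SAMPLE, "IPSec") yields a note for the repeated IpSourceAddr, a warning that the second Rule1 replaces the first, and two errors (the 41-character IpService name and the range that mixes blank and dash delimiters); because IPSec is all-or-nothing, would_install returns False. The same text linted as "QoS" keeps the first Rule1 and would_install returns True, since only the objects in error are dropped.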
- Some statements, parameters, parameter values, rules, or restrictions apply only to certain release levels. See the Policy-based networking information in z/OS Communications Server: IP Configuration Guide for more details about mixed release levels when using policy clients with a policy server. The following tables list the definitions that are supported for each release level.
Table 1 lists statements, parameters, and parameter values that are no longer supported:
Statement | Parameter | Parameter value | Description/Notes | Last release supported |
---|---|---|---|---|
PolicyAction | PolicyScope | TR | TR indicates that the scope is Traffic Regulation. | z/OS® V1R9 |
PolicyAction | | | | z/OS V1R9 |
IpFilterPolicy | RFC4301Compliance | | This parameter is deprecated. RFC 4301 compliance is no longer optional as of V1R12. | z/OS V1R11 |
Statement | Parameter | Parameter value | Description of change |
---|---|---|---|
ZERTKeyExchange | SSHKeyExchange | | |
Statement | Parameter | Parameter value | Description of change |
---|---|---|---|
ConnectionDescriptor | | | |
ConnectionDescriptorGroup | | | |
TTLSEnvironmentAdvancedParms | | | |
TTLSConnectionAdvancedParms | | | |
TTLSConnectionAdvancedParms | | | APAR PH49284 required |
TTLSEnvironmentAdvancedParms | | | APAR PH49284 required |
TTLSGskAdvancedParms | GSK_SYSPLEX_SESSION_TICKET_CACHE | | APAR PH49284 required |
TTLSGskAdvancedParms | GSK_SESSION_TICKET_CLIENT_MAXCACHED | | APAR PH49284 required |
TTLSGskAdvancedParms | GSK_SESSION_TICKET_SERVER_TIMEOUT | | |
TTLSSignatureParms | ServerKexECurves | | APAR PH45902 required |
ZERTAction | | | |
ZERTConfig | | | |
ZERTKeyExchange | | | |
ZERTMessageAuthentication | | | |
ZERTRule | | | |
ZERTSSHProtocol | | | |
ZERTSymmetricEncryption | | | |
ZERTTLSProtocol | | | |
Statement | Parameter | Parameter value | Description of change |
---|---|---|---|
TTLSEnvironmentAdvancedParms | | | |
TTLSConnectionAdvancedParms | TLSv1.3 | | |
TTLSCipherParms | V3CipherSuites4Char | | |
TTLSSignatureParms | | | Default values added. |
TTLSSignatureParms | ClientECurves | | |
TTLSSignatureParms | SignaturePairs | | |
TTLSSignatureParms | | | |
TTLSGskOcspParms | OcspRequestSigalg | | |
TTLSGskOcspParms | OcspResponseSigAlgPairs | | |
TTLSGskAdvancedParms | | | |
TTLSGskAdvancedParms | | | Default values added that are equivalent to the existing System SSL default values. |
Statement | Parameter | Parameter value | Description of change |
---|---|---|---|
TTLSEnvironmentAction | SuiteBProfile | | New values 128Min and 192Min. |
TTLSGroupAction | FIPS140 | | New values Level1, Level2, and Level3. |
TTLSEnvironmentAdvancedParms | | | |
TTLSConnectionAdvancedParms | ServerCertificateLabel | | |
TTLSGskOcspParms | | | |
Statement | Parameter | Parameter value | Description of change |
---|---|---|---|
TTLSEnvironmentAdvancedParms | CertValidationMode | RFC5280 | |
TTLSGskHttpCdpParms | | | Use this statement to configure the HTTP CDP certificate revocation checking method. |
TTLSGskOcspParms | | | Use this statement to configure the OCSP certificate revocation checking method. |
TTLSGskLdapParms | | | Enhances the LDAP certificate revocation checking method. |
TTLSGskAdvancedParms | | | Use these parameters to further configure HTTP CDP and OCSP certificate revocation checking. |
Statement | Parameter | Parameter value | Description of change |
---|---|---|---|
RouteTable | DynamicRoutingParms | gateway_addr | Value can be an IPv4 address, an IPv6 address, the keyword IPV4, or the keyword IPV6. |
RouteTable | Route | ipaddress | Value can be an IPv4 address, an IPv6 address, the keyword DEFAULT, or the keyword DEFAULT6. |
RouteTable | Route | gateway_addr | Value can be an IPv4 address or an IPv6 address. |
RouteTable | Multipath6 | ||
RouteTable | DynamicXCFRoutes6 | ||
RouteTable | IgnorePathMtuUpdate6 | ||
RoutingRule | IpSourceAddr | ipaddress | Value can be an IPv4 address, an IPv6 address, or the keyword All. If a source address is not specified, the default value is All. |
RoutingRule | | | IPv4 addresses, IPv6 addresses, or both can be referenced. If a source address is not specified, the default value is All. |
RoutingRule | IpDestAddr | ipaddress | Value can be an IPv4 address, an IPv6 address, or the keyword All. If a destination address is not specified, the default value is All. |
RoutingRule | | | IPv4 addresses, IPv6 addresses, or both can be referenced. If a destination address is not specified, the default value is All. |
TTLSCipherParms | | | See Table 78 for the list of new cipher names and their 2- or 4-hexadecimal-character values. |
TTLSConnectionAction | | | |
TTLSConnectionAdvancedParms | TLSv1.2 | | |
TTLSEnvironmentAction | | | |
TTLSEnvironmentAdvancedParms | | | |
TTLSSignatureParms | | | |
Statement | Parameter | Parameter value | Description of change |
---|---|---|---|
IDSAction | ActionType | Attack | |
IDSAttackCondition | AttackType | | |
IDSAttackCondition | | | |
IDSExclusion | | | |
IDSScanEventCondition | Protocol | | |
IDSScanEventCondition | LocalHostAddr | | Value can be an IPv4 address or an IPv6 address. All includes both IPv4 and IPv6 addresses. |
IDSScanExclusion | ExcludedAddrPort | ipaddress | Value can be an IPv4 address or an IPv6 address. |
IDSTRCondition | LocalHostAddr | | Value can be an IPv4 address or an IPv6 address. All includes both IPv4 and IPv6 addresses. |
Ipv6NextHdrGroup | | | |
Ipv6NextHdrRange | | | |
IpAddr | Addr | ipaddress | Value can be an IPv4 address or an IPv6 address. |
IpAddrSet | Prefix, Range | ipaddress | Value can be an IPv4 address or an IPv6 address. |
Statement | Parameter | Parameter value | Description of change |
---|---|---|---|
IpDataOffer | HowToEncap | | This is no longer a required parameter. The default is Tunnel. |
IpDataOffer | HowToEncrypt | | AES is deprecated and treated as a synonym for AES_CBC KeyLength 128. |
IpDataOffer | HowToAuth | | |
IpDynVpnAction | HowToEncapIKEv2 | | |
IpDynVpnAction | | | |
IpFilterPolicy | FIPS140 | | |
IpLocalStartAction | ICMPCodeGranularity | | |
IpLocalStartAction | ICMPTypeGranularity | | |
IpLocalStartAction | ICMPv6CodeGranularity | | |
IpLocalStartAction | ICMPv6TypeGranularity | | |
IpLocalStartAction | MIPv6TypeGranularity | | |
IpManVpnAction | AuthInboundSa | | New values are allowed for the key length, for the new algorithms added to the HowToAuth parameter. |
IpManVpnAction | AuthOutboundSa | | New values are allowed for the key length, for the new algorithms added to the HowToAuth parameter. |
IpManVpnAction | EncryptInboundSa | | New values are allowed for the key length, for the new algorithms added to the HowToEncrypt parameter. |
IpManVpnAction | EncryptOutboundSa | | New values are allowed for the key length, for the new algorithms added to the HowToEncrypt parameter. |
IpManVpnAction | HowToAuth | | HMAC_SHA is deprecated and treated as a synonym for HMAC_SHA1. |
IpManVpnAction | HowToEncrypt | | AES is deprecated and treated as a synonym for AES_CBC KeyLength 128. |
KeyExchangeAction | BypassIpValidation | | |
KeyExchangeAction | CertificateURLLookupPreference | | |
KeyExchangeAction | HowToAuthMe | | |
KeyExchangeAction | HowToInitiate | IKEv2 | The default for this parameter is now obtained from the HowToInitiate parameter on the KeyExchangePolicy statement. |
KeyExchangeAction | HowToRespond | | Deprecated and treated as a synonym for HowToRespondIKEv1. |
KeyExchangeAction | HowToRespondIKEv1 | | Introduced as a more accurate synonym for HowToRespond, which is now deprecated. |
KeyExchangeAction | ReauthInterval | | |
KeyExchangeAction | RevocationChecking | | |
KeyExchangeOffer | DHGroup | | |
KeyExchangeOffer | HowToEncrypt | | AES is deprecated and treated as a synonym for AES_CBC KeyLength 128. |
KeyExchangeOffer | HowToAuthMsgs | | |
KeyExchangeOffer | HowToVerifyMsgs | | |
KeyExchangeOffer | PseudoRandomFunction | | |
KeyExchangePolicy | BypassIpValidation | | |
KeyExchangePolicy | CertificateURLLookupPreference | | |
KeyExchangePolicy | HowToInitiate | | |
KeyExchangePolicy | LivenessInterval | | |
KeyExchangePolicy | RevocationChecking | | |
LocalSecurityEndpoint | Identity | KeyId | |
RemoteIdentity | Identity | KeyId | |
RemoteSecurityEndpoint | Identity | KeyId | |
Statement | Parameter | Parameter value | Description of change |
---|---|---|---|
IpDynVpnAction | | | |
IpFilterPolicy | | | |
IpFilterRule | | | |
IpGenericFilterAction | DiscardAction | | |
IpManVpnAction | | | |
IpManVpnAction | | | |
IpService | Protocol | | |
IpService | FragmentsOnly | | |
IpService | Type, Code | | A range of values is allowed when the Protocol parameter value is Icmp or Icmpv6. |
IpService | Protocol | IPv6Frag | The IPv6Frag value is not valid; it does not match any traffic. |
KeyExchangeAction | | | |
LocalSecurityEndpoint | Location | | |
LocalSecurityEndpoint | | | |
RemoteIdentity | | | |
RemoteSecurityEndpoint | | | |
Table 11 lists statements, parameters, and parameter values that contain rules or restrictions that differ for z/OS V1R12 and later releases, as compared to earlier releases.
Statement | Parameter | Parameter value | Description of change |
---|---|---|---|
IpService | | | The rule that certain Type and Code values are not allowed in combination with the IpDynVpnAction statement is removed. |
Table 12 lists statements, parameters, and parameter values that contain rules or restrictions that differ for z/OS V1R10 and later releases, as compared to earlier releases.
Statement | Parameter | Parameter value | Description of change |
---|---|---|---|
IpManVpnAction | | address | The IPv6 and IPv4 unspecified addresses are not allowed. |
IpManVpnAction | | spi | In prior releases, IpManVpnAction objects were required to have unique inbound AH or ESP spi values. spi values no longer need to be unique if the LocalSecurityEndpointAddr specification differs from that of other IpManVpnAction objects that share the same AH or ESP spi value. |
IpService | | | For V1R12 and later releases, or if RFC4301Compliance Yes is specified on the IpFilterPolicy statement, the Routing specification Routed or Either must have one of the following configurations: |