General syntax rules for Policy Agent

The following list shows the general configuration rules. Unless otherwise noted, these rules apply to both the configuration file and the Lightweight Directory Access Protocol (LDAP) server:
  • Specify Policy Agent configuration files using code page IBM®-1047 for EBCDIC, unless the Codepage statement is configured.
  • Only one attribute and its values can be specified per line.
  • Text beyond the specified attribute and value is ignored.
  • Text beginning with the # character is a comment and is ignored, unless documented otherwise.
  • Comments beginning with the # character in an LDAP server LDIF configuration file might only be recognized as comments at the beginning of the file; therefore do not specify such comments elsewhere in the file, because they are interpreted as part of an attribute or attribute value.
  • For most range specifications, the ranges can be delimited by a colon (:), a dash (-), or a blank ( ), but these delimiters cannot be mixed within a single range specification. IP address ranges cannot use the colon or blank delimiter, unless stated otherwise.
  • See z/OS Communications Server: IPv6 Network and Application Design Guide for information about types of policies that support IPv6.
  • IPv6 policy is installed but is not enforceable in a stack that is not IPv6 enabled.
  • IPv4-mapped IPv6 addresses and IPv6 addresses with the reserved prefix ::/96 are valid only for IP filter rules and for the Identity parameter on local and remote security end points.
  • The maximum decimal value for numeric values is 4294967295, unless otherwise noted.
  • Policy rule and action names are limited to 32 characters. If QoS and IDS LDAP statement names longer than 32 characters are specified, they are silently truncated. All other statements longer than 32 characters cause an error message to be written to the log.
  • If a configuration file or LDAP configuration contains duplicate statement or object names, Policy Agent keeps the first or the last statement or object, as follows. The following situations are considered warnings, not errors.
    • For IDS (LDAP) and QoS, Policy Agent keeps the first entry.
    • For IDS (configuration file), IPSec, Routing, AT-TLS and ZERT, Policy Agent keeps the last entry.
  • If a QoS or IDS statement or object is defined with the same name in both a configuration file and LDAP, Policy Agent keeps the first such statement or object that it reads. This is typically the statement or object in the configuration file, but as a result of timing constraints, it could also be the statement in LDAP. The last duplicate statement or object is discarded; this is considered an error.
  • Specify most attributes for configuration file statements only once per statement (exceptions are noted where appropriate). If you specify multiple attributes, no error or warning messages are written to the log, and the last instance of the attribute is used.
  • Attributes for policies defined on an LDAP server can be single- or multi-valued (meaning a single value or multiple values are allowed for that attribute). The Policy Agent detects multiple values for attributes that are defined as single valued, and treats the policy object as in error.
  • The policy version is specified by the configuration file statement name, as follows:
    • ServicePolicyRules and ServiceCategories statements specify version 1 policies.
    • PolicyRule and PolicyAction statements specify version 2 policies.

      Result: The policy version of LDAP-defined objects is determined by the LDAP_SchemaVersion parameter on the ReadFromDirectory statement.

    For more information about policy version definitions, see z/OS Communications Server: IP Configuration Guide. For more information about policy version differences, see z/OS Communications Server: IP Diagnosis Guide.
  • Some configuration statements use an inline statement syntax. When a given statement is specified inline within another statement, only the inline statement name is shown in the syntax diagrams. However, the entire statement being inlined must be specified, including its own set of start and end braces ({}) and all parameters.

    Tip: The name parameter on the statement name might or might not be optional, depending on the specific statement. In the following example, the IpFilterRule statement is included inline within the IpFilterGroup statement. A name is required on the IpFilterRule statement, for example, Rule1All-Permit, as follows:

    IpFilterGroup ZoneAll
    {
      IpFilterRule Rule1All-Permit
      {
        IpSourceAddr All
        IpDestAddr All
        IpServiceGroupRef Resolver
        IpServiceRef PathMtuDiscovery
        IpServiceGroupRef Ping-Outbound-Only
        IpGenericFilterActionRef permit
      }
    }
  • For named inline statements where the name is optional, a nonpersistent system name is created using the named portion of the statement name with a unique identifier. This prevents reuse of the named inline statement as a reference name.
  • Errors detected in a policy rule or action result in that policy object being discarded.
  • For IPSec, Routing, AT-TLS or ZERT policies, any errors detected during parsing result in no new policies being installed. For all other policy types, only the policy objects that contain errors are discarded.
  • If a rule refers to an action that does not exist (or has been discarded due to an error) then the rule is also discarded.
  • If a Routing action refers to a route table that does not exist (or has been discarded as the result of an error), the action is also discarded.
  • Some statements, parameters, parameter values, rules, or restrictions apply only to certain release levels. See the Policy-based networking information in z/OS Communications Server: IP Configuration Guide for more details about mixed release levels when using policy clients with a policy server. The following tables list the definitions that are supported for each release level.
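The general rules above (one attribute and value per line, text after the value ignored, # comments, inline statements carrying their own braces, first-or-last duplicate handling per policy type, the 32-character name limit, and unmixed range delimiters) are mechanical enough to check before a file is handed to Policy Agent. The following parser and linter is an added example written for this page; it is not IBM's Policy Agent code, and the sample configuration it parses is constructed here from the inline-statement example above, with a second, duplicate IpFilterGroup added to exercise the duplicate-name rule. The function names (parse, resolve_duplicates, check_names, parse_range) are this example's own.

```python
"""Illustrative parser and linter for the Policy Agent configuration-file
syntax rules listed above (added example; not IBM's Policy Agent code).
It models only the general rules: one attribute and value per line, text
after the value ignored, '#' comments, inline statements with their own
braces, duplicate-name handling per policy type, the 32-character name
limit, and non-mixed range delimiters with the 4294967295 maximum."""

import re

# Policy types for which Policy Agent keeps the LAST duplicate read from a
# configuration file; QoS (and IDS read from LDAP) keep the FIRST.
KEEP_LAST_TYPES = {"IDS", "IPSec", "Routing", "AT-TLS", "ZERT"}
MAX_NAME_LEN = 32
MAX_NUMERIC = 4294967295


class Statement:
    def __init__(self, kind, name, line):
        self.kind = kind        # statement keyword, e.g. IpFilterGroup
        self.name = name        # optional name, e.g. ZoneAll
        self.line = line        # source line, for diagnostics
        self.attrs = {}         # attribute -> value; a repeated attribute keeps the last
        self.children = []      # inline statements nested in this one


def tokenize(raw):
    """Drop everything from '#' onward and split the rest on blanks."""
    return raw.split("#", 1)[0].split()


def parse(text):
    """Return the top-level Statement objects in config text. A statement
    header is a line that ends with '{' or is followed by a '{' line."""
    lines = [(n, w) for n, w in ((n, tokenize(r)) for n, r in
             enumerate(text.splitlines(), 1)) if w]
    root = Statement("<root>", None, 0)
    stack, i = [root], 0
    while i < len(lines):
        lineno, words = lines[i]
        if words[0] == "{":
            raise SyntaxError(f"line {lineno}: '{{' without a statement name")
        if words[0] == "}":
            if len(stack) == 1:
                raise SyntaxError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        else:
            opens_here = words[-1] == "{"
            opens_next = i + 1 < len(lines) and lines[i + 1][1][0] == "{"
            if opens_here or opens_next:
                header = words[:-1] if opens_here else words
                stmt = Statement(header[0], header[1] if len(header) > 1 else None, lineno)
                stack[-1].children.append(stmt)
                stack.append(stmt)
                i += opens_next          # also consume the separate '{' line
            else:
                # Attribute line: first word is the attribute, second its value;
                # anything after that is ignored, and a repeat overwrites (last wins).
                stack[-1].attrs[words[0]] = words[1] if len(words) > 1 else None
        i += 1
    if len(stack) != 1:
        raise SyntaxError(f"line {stack[-1].line}: {stack[-1].kind} is never closed")
    return root.children


def resolve_duplicates(stmts, policy_type):
    """Apply the duplicate-name rule for one policy type and return
    (kept statements in first-seen order, warning messages)."""
    keep_last = policy_type in KEEP_LAST_TYPES
    kept, order, warnings = {}, [], []
    for s in stmts:
        key = (s.kind, s.name)
        if key in kept:
            warnings.append(f"line {s.line}: duplicate {s.kind} {s.name}, keeping the "
                            + ("last" if keep_last else "first"))
            if not keep_last:
                continue
        else:
            order.append(key)
        kept[key] = s
    return [kept[k] for k in order], warnings


def check_names(stmts, max_len=MAX_NAME_LEN):
    """Names longer than 32 characters are an error for configuration-file
    statements (only QoS/IDS LDAP names are silently truncated)."""
    errors = []
    for s in stmts:
        if s.name and len(s.name) > max_len:
            errors.append(f"line {s.line}: name {s.name!r} exceeds {max_len} characters")
        errors.extend(check_names(s.children, max_len))
    return errors


_RANGE = re.compile(r"(\d+)([:\- ])(\d+)")


def parse_range(spec):
    """Accept low:high, low-high or 'low high'. A mixed delimiter such as
    '1:-5' or '1 - 5' is rejected, as is a value above 4294967295."""
    m = _RANGE.fullmatch(spec.strip())
    if not m:
        raise ValueError(f"invalid range {spec!r}: delimiters must not be mixed")
    low, high = int(m.group(1)), int(m.group(3))
    if high > MAX_NUMERIC or low > high:
        raise ValueError(f"invalid range {spec!r}: out of order or above {MAX_NUMERIC}")
    return low, high


# Constructed sample: the page's inline-statement example plus a duplicate group.
SAMPLE = """\
# comment lines are ignored
IpFilterGroup ZoneAll
{
  IpFilterRule Rule1All-Permit
  {
    IpSourceAddr All
    IpDestAddr All     text after the value is ignored
    IpServiceGroupRef Resolver
    IpServiceRef PathMtuDiscovery
    IpServiceGroupRef Ping-Outbound-Only
    IpGenericFilterActionRef permit
  }
}
IpFilterGroup ZoneAll    # duplicate name: for IPSec the last one is kept
{
  IpFilterRule Rule2
  {
    IpSourceAddr All
    IpDestAddr All
    IpGenericFilterActionRef deny
  }
}
"""

if __name__ == "__main__":
    stmts = parse(SAMPLE)
    for msg in resolve_duplicates(stmts, "IPSec")[1] + check_names(stmts):
        print(msg)
```

Running the module prints the duplicate-name warning for the second ZoneAll group. Note that resolving the same statements as QoS keeps the first group instead, and that the repeated IpServiceGroupRef attribute inside Rule1All-Permit resolves to its last value without any warning, exactly as the "specify most attributes only once" rule states.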

Table 1 lists statements, parameters, and parameter values that are no longer supported:

Table 1. Statements, parameters, and parameter values that are no longer supported
Statement | Parameter | Parameter value | Description/Notes | Last release supported
PolicyAction | PolicyScope | TR | TR indicates that the scope is Traffic Regulation. | z/OS® V1R9
PolicyAction | TypeActions, TotalConnections, Percentage, TimeInterval, LoggingLevel | | | z/OS V1R9
IpFilterPolicy | RFC4301Compliance | | This parameter is deprecated. RFC 4301 compliance is no longer optional as of V1R12. | z/OS V1R11
Table 2. Valid statements, parameters, and parameter values for z/OS 3.1 and later releases
Statement | Parameter | Parameter value | Description of change
ZERTKeyExchange | SSHKeyExchange | GSS_GROUP14_SHA256, GSS_GROUP16_SHA512, GSS_NISTP256_SHA256, GSS_CURVE25519_SHA256 |
Table 3. Valid statements, parameters, and parameter values for z/OS V2R5 and later releases
Statement | Parameter | Parameter value | Description of change
ConnectionDescriptor | | |
ConnectionDescriptorGroup | | |
TTLSEnvironmentAdvancedParms | ClientExtendedMasterSecret, ServerExtendedMasterSecret | |
TTLSConnectionAdvancedParms | ClientExtendedMasterSecret, ServerExtendedMasterSecret | |
TTLSConnectionAdvancedParms | HostReferenceIdDNS, HostReferenceIdCN, HostRefWildcardValidation | | APAR PH49284 required
TTLSEnvironmentAdvancedParms | HostReferenceIdDNS, HostReferenceIdCN, HostRefWildcardValidation | | APAR PH49284 required
TTLSGskAdvancedParms | GSK_SYSPLEX_SESSION_TICKET_CACHE | | APAR PH49284 required
TTLSGskAdvancedParms | GSK_SESSION_TICKET_CLIENT_MAXCACHED | | APAR PH49284 required
TTLSGskAdvancedParms | GSK_SESSION_TICKET_SERVER_TIMEOUT | | Default value logic changed; APAR PH49284 required
TTLSSignatureParms | ServerKexECurves | | APAR PH45902 required
ZERTAction | | |
ZERTConfig | | |
ZERTKeyExchange | | |
ZERTMessageAuthentication | | |
ZERTRule | | |
ZERTSSHProtocol | | |
ZERTSymmetricEncryption | | |
ZERTTLSProtocol | | |
Table 4. Valid statements, parameters, and parameter values for z/OS V2R4 and later releases
Statement | Parameter | Parameter value | Description of change
TTLSEnvironmentAdvancedParms | TLSv1.3, MiddleBoxCompatMode | |
TTLSConnectionAdvancedParms | TLSv1.3 | |
TTLSCipherParms | V3CipherSuites4Char | TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 |
TTLSSignatureParms | ClientECurves, SignaturePairs | | Default values added.
TTLSSignatureParms | ClientECurves | x25519, x448 |
TTLSSignatureParms | SignaturePairs | TLS_SIGALG_SHA256_WITH_RSASSA_PSS, TLS_SIGALG_SHA384_WITH_RSASSA_PSS, TLS_SIGALG_SHA512_WITH_RSASSA_PSS |
TTLSSignatureParms | ClientKeyShareGroups, ServerKeyShareGroups, SignaturePairsCert | |
TTLSGskOcspParms | OcspRequestSigalg | TLS_SIGALG_SHA256_WITH_RSASSA_PSS, TLS_SIGALG_SHA384_WITH_RSASSA_PSS, TLS_SIGALG_SHA512_WITH_RSASSA_PSS |
TTLSGskOcspParms | OcspResponseSigAlgPairs | TLS_SIGALG_SHA256_WITH_RSASSA_PSS, TLS_SIGALG_SHA384_WITH_RSASSA_PSS, TLS_SIGALG_SHA512_WITH_RSASSA_PSS |
TTLSGskAdvancedParms | GSK_SESSION_TICKET_CLIENT_ENABLE, GSK_SESSION_TICKET_CLIENT_MAXSIZE, GSK_SESSION_TICKET_SERVER_ALGORITHM, GSK_SESSION_TICKET_SERVER_COUNT, GSK_SESSION_TICKET_SERVER_ENABLE, GSK_SESSION_TICKET_SERVER_TIMEOUT, GSK_SESSION_TICKET_SERVER_KEY_REFRESH | |
TTLSGskAdvancedParms | GSK_V3_SESSION_TIMEOUT, GSK_V3_SIDCACHE_SIZE | | Default values added that are equivalent to the existing System SSL default values.

Table 5. Valid statements, parameters, and parameter values for z/OS V2R3 and later releases
Statement | Parameter | Parameter value | Description of change
TTLSEnvironmentAction | SuiteBProfile | New values 128Min and 192Min |
TTLSGroupAction | FIPS140 | New values Level1, Level2, and Level3 |
TTLSEnvironmentAdvancedParms | 3DesKeyCheck, ClientEDHGroupSize, PeerMinCertVersion, PeerMinDHKeySize, PeerMinDSAKeySize, PeerMinECCKeySize, PeerMinRsaKeySize, ServerEDHGroupSize, ServerCertificateLabel, ServerScsv | |
TTLSConnectionAdvancedParms | ServerCertificateLabel | |
TTLSGskOcspParms | OcspResponseSigAlgPairs, OcspServerStapling | |
Table 6. Valid statements, parameters, and parameter values for z/OS V2R2 and later releases
Statement | Parameter | Parameter value | Description of change
TTLSEnvironmentAdvancedParms | CertValidationMode | RFC5280 |
TTLSGskHttpCdpParms | | | Use this statement to configure the HTTP CDP certificate revocation checking method.
TTLSGskOcspParms | | | Use this statement to configure the OCSP certificate revocation checking method.
TTLSGskLdapParms | CRLCacheSize, CRLCacheEntryMaxsize, CRLCacheExtended, CRLCacheTempCRL, CRLCacheTempCRLTimeout, LDAPResponseTimeout | | Enhance the LDAP certificate revocation checking method.
TTLSGskAdvancedParms | TTLSGskOcspParmsRef, TTLSGskHttpCdpParmsRef, AIACDPPriority, MaxSrcRevExtLocValues, MaxValidRevExtLocValues, RevocationSecurityLevel | | Use these parameters to further configure HTTP CDP and OCSP certificate revocation checking.
Table 7. Valid statements, parameters, and parameter values for z/OS V2R1 and later releases
Statement | Parameter | Parameter value | Description of change
RouteTable | DynamicRoutingParms | gateway_addr | Value can be an IPv4 address, an IPv6 address, the keyword IPV4, or the keyword IPV6.
RouteTable | Route | ipaddress | Value can be an IPv4 address, an IPv6 address, the keyword DEFAULT, or the keyword DEFAULT6.
RouteTable | Route | gateway_addr | Value can be an IPv4 address or an IPv6 address.
RouteTable | Multipath6 | |
RouteTable | DynamicXCFRoutes6 | |
RouteTable | IgnorePathMtuUpdate6 | |
RoutingRule | IpSourceAddr | ipaddress | Value can be an IPv4 address, an IPv6 address, or the keyword All. If a source address is not specified, the default value is All.
RoutingRule | IpSourceAddrRef, IpSourceAddrSetRef, IpSourceAddrGroupRef | | IPv4 addresses, IPv6 addresses, or both can be referenced. If a source address is not specified, the default value is All.
RoutingRule | IpDestAddr | ipaddress | Value can be an IPv4 address, an IPv6 address, or the keyword All. If a destination address is not specified, the default value is All.
RoutingRule | IpDestAddrRef, IpDestAddrSetRef, IpDestAddrGroupRef | | IPv4 addresses, IPv6 addresses, or both can be referenced. If a destination address is not specified, the default value is All.
TTLSCipherParms | V3CipherSuites, V3CipherSuites4Char | V3CipherSuites: new 2-hexadecimal-character values and new cipher names defined; V3CipherSuites4Char: new 4-hexadecimal-character values | See Table 78 for a list of the new cipher names and their 2- or 4-hexadecimal-character values.
TTLSConnectionAction | TTLSSignatureParms, TTLSSignatureParmsRef | |
TTLSConnectionAdvancedParms | TLSv1.2 | Off, On |
TTLSEnvironmentAction | SuiteBProfile, TTLSSignatureParms, TTLSSignatureParmsRef | SuiteBProfile: Off, 128, 192, All |
TTLSEnvironmentAdvancedParms | TLSv1.2, Renegotiation, RenegotiationIndicator, RenegotiationCertCheck | TLSv1.2: Off, On; Renegotiation: Default, Disabled, All, Abbreviated; RenegotiationIndicator: Optional, Client, Server, Both; RenegotiationCertCheck: Off, On |
TTLSSignatureParms | ClientECurves, SignaturePairs | |
ClientECurves
Specifies the list of elliptic curves that are supported by the client, in order of preference for use. The client sends these elliptic curve specifications to tell the server which curves can be used with cipher suites that use elliptic curve cryptography, for the TLSv1.0 protocol or later.
SignaturePairs
Specifies the TLS version 1.2 signature algorithm pairs that are supported for the server certificate. The client sends these pairs when proposing use of the TLSv1.2 protocol to indicate to the server which signature/hash algorithm pairs might be used in digital signatures of the server certificate. SignaturePairs is meaningful only when performing a handshake with a server that supports the TLSv1.2 protocol, and is ignored by any server that supports only the TLSv1.1 protocol or earlier.
Table 8. Valid statements, parameters, and parameter values for z/OS V1R13 and later releases
Statement | Parameter | Parameter value | Description of change
IDSAction | ActionType | Attack ResetConn, Attack NoResetconn |
IDSAttackCondition | AttackType | DATA_HIDING, OUTBOUND_RAW_IPV6, RESTRICTED_IPV6_DST_OPTIONS, RESTRICTED_IPV6_HOP_OPTIONS, RESTRICTED_IPV6_NEXT_HDR, TCP_QUEUE_SIZE, GLOBAL_TCP_STALL, EE_MALFORMED_PACKET, EE_LDLC_CHECK, EE_PORT_CHECK, EE_XID_FLOOD |
IDSAttackCondition | OptionPadChk, IcmpEmbedPktChk, RestrictedIPv6OptionRange, RestrictedIPv6OptionRangeRef, RestrictedIPv6OptionGroupRef, IPv6NextHdrRange, IPv6NextHdrRangeRef, IPv6NextHdrGroupRef, TcpQueueSize, IDSExclusion, IDSExclusionRef, EEXIDTimeout | |
IDSExclusion | | |
IDSScanEventCondition | Protocol | Icmpv6, 58 |
IDSScanEventCondition | LocalHostAddr | ipaddress, All | Value can be an IPv4 address or an IPv6 address. All includes both IPv4 and IPv6 addresses.
IDSScanExclusion | ExcludedAddrPort | ipaddress | Value can be an IPv4 address or an IPv6 address.
IDSTRCondition | LocalHostAddr | ipaddress, All | Value can be an IPv4 address or an IPv6 address. All includes both IPv4 and IPv6 addresses.
Ipv6NextHdrGroup | | |
Ipv6NextHdrRange | | |
IpAddr | Addr | ipaddress | Value can be an IPv4 address or an IPv6 address.
IpAddrSet | Prefix, Range | ipaddress | Value can be an IPv4 address or an IPv6 address.
Table 9. Valid statements, parameters, and parameter values for z/OS V1R12 and later releases
Statement | Parameter | Parameter value | Description of change
IpDataOffer | HowToEncap | | This is no longer a required parameter. The default is Tunnel.
IpDataOffer | HowToEncrypt | AES, AES_CBC KeyLength 128, AES_CBC KeyLength 256, AES_GCM_16 KeyLength 128, AES_GCM_16 KeyLength 256 | AES is deprecated and treated as a synonym for AES_CBC KeyLength 128.
IpDataOffer | HowToAuth | Null, AES128_XCBC_96, AES_GMAC_128, AES_GMAC_256, HMAC_SHA, HMAC_SHA1, HMAC_SHA2_256_128, HMAC_SHA2_384_192, HMAC_SHA2_512_256 | Null is allowed only in combination with HowToEncrypt AES_GCM_16. AES_GMAC_128 and AES_GMAC_256 are allowed only in combination with HowToEncrypt DoNot. HMAC_SHA is deprecated and treated as a synonym for HMAC_SHA1.
IpDynVpnAction | HowToEncapIKEv2 | |
IpDynVpnAction | InitiateWithPFS, AcceptablePFS | Group19, Group20, Group21, Group24 |
IpFilterPolicy | FIPS140 | |
IpLocalStartAction | ICMPCodeGranularity | |
IpLocalStartAction | ICMPTypeGranularity | |
IpLocalStartAction | ICMPv6CodeGranularity | |
IpLocalStartAction | ICMPv6TypeGranularity | |
IpLocalStartAction | MIPv6TypeGranularity | |
IpManVpnAction | AuthInboundSa | | New values are allowed for the key length, for the new algorithms added to the HowToAuth parameter.
IpManVpnAction | AuthOutboundSa | | New values are allowed for the key length, for the new algorithms added to the HowToAuth parameter.
IpManVpnAction | EncryptInboundSa | | New values are allowed for the key length, for the new algorithms added to the HowToEncrypt parameter.
IpManVpnAction | EncryptOutboundSa | | New values are allowed for the key length, for the new algorithms added to the HowToEncrypt parameter.
IpManVpnAction | HowToAuth | AES128_XCBC_96, HMAC_SHA, HMAC_SHA1, HMAC_SHA2_256_128, HMAC_SHA2_384_192, HMAC_SHA2_512_256 | HMAC_SHA is deprecated and treated as a synonym for HMAC_SHA1.
IpManVpnAction | HowToEncrypt | AES, AES_CBC KeyLength 128, AES_CBC KeyLength 256 | AES is deprecated and treated as a synonym for AES_CBC KeyLength 128.
KeyExchangeAction | BypassIpValidation | |
KeyExchangeAction | CertificateURLLookupPreference | |
KeyExchangeAction | HowToAuthMe | |
KeyExchangeAction | HowToInitiate | IKEv2 | The default for this parameter is now obtained from the HowToInitiate parameter on the KeyExchangePolicy statement.
KeyExchangeAction | HowToRespond | | Deprecated and treated as a synonym for HowToRespondIKEv1.
KeyExchangeAction | HowToRespondIKEv1 | | This is introduced as a more accurate synonym for HowToRespond, which is now deprecated.
KeyExchangeAction | ReauthInterval | |
KeyExchangeAction | RevocationChecking | |
KeyExchangeOffer | DHGroup | Group19, Group20, Group21, Group24 |
KeyExchangeOffer | HowToEncrypt | AES, AES_CBC KeyLength 128, AES_CBC KeyLength 256 | AES is deprecated and treated as a synonym for AES_CBC KeyLength 128.
KeyExchangeOffer | HowToAuthMsgs | SHA2_256, SHA2_384, SHA2_512 |
KeyExchangeOffer | HowToVerifyMsgs | |
KeyExchangeOffer | PseudoRandomFunction | |
KeyExchangePolicy | BypassIpValidation | |
KeyExchangePolicy | CertificateURLLookupPreference | |
KeyExchangePolicy | HowToInitiate | |
KeyExchangePolicy | LivenessInterval | |
KeyExchangePolicy | RevocationChecking | |
LocalSecurityEndpoint | Identity | KeyId |
RemoteIdentity | Identity | KeyId |
RemoteSecurityEndpoint | Identity | KeyId |
Table 10. Valid statements, parameters, and parameter values for z/OS V1R10 and later releases
Statement | Parameter | Parameter value | Description of change
IpDynVpnAction | PassthroughDF, PassthroughDSCP | |
IpFilterPolicy | ImplicitDiscardAction, RFC4301Compliance | |
IpFilterRule | RemoteIdentity, RemoteIdentityRef | |
IpGenericFilterAction | DiscardAction | |
IpManVpnAction | PassthroughDF, PassthroughDSCP | |
IpManVpnAction | LocalSecurityEndpointAddr, RemoteSecurityEndpointAddr | Any, Any4 |
IpService | Protocol | MIPv6, Opaque |
IpService | FragmentsOnly | |
IpService | Type, Code | | A range of values is allowed when the Protocol parameter value is Icmp or Icmpv6.
IpService | Protocol | IPv6Frag | IPv6Frag is not valid. This IPv6Frag value does not match any traffic.
KeyExchangeAction | FilterByIdentity, ConstrainSource, ConstrainSourceRef, ConstrainSourceSetRef, ConstrainSourceGroupRef, ConstrainDest, ConstrainDestRef, ConstrainDestSetRef, ConstrainDestGroupRef | |
LocalSecurityEndpoint | Location | ipaddress/prefixLength, ipaddress-ipaddress |
LocalSecurityEndpoint | LocationSetRef, LocationGroupRef | |
RemoteIdentity | | |
RemoteSecurityEndpoint | LocationGroupRef, RemoteIdentityRef | |

Table 11 lists statements, parameters, and parameter values that contain rules or restrictions that differ for z/OS V1R12 and later releases, as compared to earlier releases.

Table 11. Valid rules and restrictions for V1R12 and later releases
Statement | Parameter | Parameter value | Description of change
IpService | Type, Code | | The rule that certain Type and Code values are not allowed in combination with the IpDynVpnAction statement is removed.

Table 12 lists statements, parameters, and parameter values that contain rules or restrictions that differ for z/OS V1R10 and later releases, as compared to earlier releases.

Table 12. Valid rules and restrictions for V1R10 and later releases
Statement | Parameter | Parameter value | Description of change
IpManVpnAction | LocalSecurityEndpointAddr, RemoteSecurityEndpointAddr | address | The IPv6 and IPv4 unspecified addresses are not allowed.
IpManVpnAction | AuthInboundSa, EncryptInboundSa | spi | In prior releases, IpManVpnAction objects were required to have unique inbound AH or ESP spi values. spi values no longer need to be unique if the LocalSecurityEndpointAddr specification differs from that of the other IpManVpnAction objects that share the same AH or ESP spi value.
IpService | SourcePortRange, DestinationPortRange, Type Code | | For V1R12 and later releases, or if RFC4301Compliance Yes is specified on the IpFilterPolicy statement, the Routing specification Routed or Either must have one of the following configurations: a SourcePortRange and DestinationPortRange specification configured to 0 (if applicable), or a Type and Code specification configured to Any (if applicable).