Import requestor connection problems

The import requestor connects to a Policy Agent. The IBM® Configuration Assistant for z/OS® Communications Server can be an import requestor. See z/OS Communications Server: IP Configuration Guide for information about the import services.

If the import requestor does not connect successfully, run Policy Agent with the -d 128 startup option, and check the log files for error conditions. Connection problems are indicated by message EZD1578I in the log. Check the log files for the specific error encountered.

Table 1 describes common import requestor connection problems.

Table 1. Common import requestor connection problems
Problem Cause/action Symptom
Incorrect configuration on Policy Agent You must configure the Policy Agent with the ServicesConnection statement specifying the port and TCP/IP stack name to which the import requestor will connect.

See z/OS Communications Server: IP Configuration Guide , import service, for details about setting up the correct configuration.

Message EZD1578I, along with messages in the log files, indicating the particular connection problem details.
Incorrect SSL configuration on the Policy Agent or import requestor
  • If the import requestor is using SSL, you must configure the Policy Agent with a SAF keyring and the Security parameter set to Secure on the ServicesConnection statement.
    • The Policy Agent generates and installs an AT-TLS policy that allows the import requestors to establish SSL connections to the Policy Agent.
    • You must configure a certificate in a SAF keyring that allows the import requestors to authenticate the server.
    Tip: This option only supports TLSv1.0 and is not recommended for securing the import connection. The recommended approach is to specify Security Basic and supply user defined AT-TLS policies that provide the required protection.
  • If the import requester is not using SSL, you must configure the Policy Agent with the Security parameter set to Basic on the ServicesConnection statement and use a default unsecure connection. You must not configure an AT-TLS policy that includes the port configured on the ServicesConnection statement.
  • If the import requester is using user defined SSL, you must configure the Policy Agent with the Security parameter set to Basic on the ServicesConnection statement.
    • You must define AT-TLS policies for the ServicesConnection ImageName and port that are configured for this secure SSL connection.
    • You must configure the matching import requester and Policy Agent AT-TLS policies.

See z/OS Communications Server: IP Configuration Guide , import service, for details about setting up the correct configuration.

Message EZD1578I, along with messages in the log files, indicating the particular connection problem details.
The Policy Agent did not issue message EZD1576I indicating it is ready for services connection requests. If you are using secured connections for import requestors, and have AT-TLS policies configured on a policy server, the Policy Agent waits for the remote AT-TLS policies to be retrieved and installed before installing the generated AT-TLS policy for the port specified on the ServicesConnection statement. If the policy server is down or cannot be contacted immediately, the generated AT-TLS policy cannot be installed and the Policy Agent does not listen for import requestor connections.
  • Verify the policy server is available and the Policy Agent is active.
  • You might consider using a backup policy server to handle policy client connections when the primary is not available.
  • The MODIFY SRVLSTN command could be used to force the generated AT-TLS policy to be installed before the remote AT-TLS policies are installed.
  • Run the policy client and policy server with debug level 128 and check the Policy Agent log files to determine the cause of any connectivity problems.
See z/OS Communications Server: IP System Administrator's Commands for information about the MODIFY command and z/OS Communications Server: IP Configuration Guide, for AT-TLS data protection information.
Message EZD1576I is not issued, and import requestors cannot connect to the Policy Agent.

Message EZD1578I, along with messages in the log files, indicating the particular connection problem details.

The Policy Agent did not issue message EZD1576I indicating it is ready for services connection requests. If you are using secured connections for import requestors, and have local or remote AT-TLS policies configured that contain errors, Policy Agent waits for the local or remote AT-TLS policies to be installed.
  • Correct the configured AT-TLS policies and refresh policies.
  • The MODIFY SRVLSTN command could be used to force the generated AT-TLS policy to be installed before the local or remote AT-TLS policies are installed.
See z/OS Communications Server: IP System Administrator's Commands for information about the MODIFY command and z/OS Communications Server: IP Configuration Guide, for AT-TLS data protection information.
Message EZZ8438I, indicating errors in the local or remote AT-TLS policies for a TCP/IP image, where the secured connections for import requestor is requested.

Message EZD1578I, along with messages in the log files indicating the particular connection problem details.

Message EZD1576I is not issued, and import requestors cannot connect to the Policy Agent.

Import requestor does not successfully connect to the Policy Agent. If you are using secured connections for import requestors and the SAF keyring is correct but the connection from the import requestor fails, (indicating key ring problems) check the following:
  • If the key ring certificate has expired, then update the expiration date and issue the MODIFY SRVLSTN command for Policy Agent to reinstall the generated AT-TLS policy and to restart the listen for services requestor connections
  • If the contents of the key ring has changed, but the key ring name is unchanged, issue the MODIFY SRVLSTN for Policy Agent to reinstall the generated AT-TLS policy and to restart the listen for services requestor connections
See z/OS Communications Server: IP System Administrator's Commands for information about the MODIFY command and z/OS Communications Server: IP Configuration Guide, for AT-TLS data protection information.
Message EZD1576I is issued, but import requestors cannot connect to the Policy Agent.
The Policy Agent is not listening on the port defined on the ServicesConnection statement. If the ServicesConnection statement is configured, the port specified on this statement may need to be reserved using the PORT statement in the TCP/IP profile.

See z/OS Communications Server: IP Configuration Guide for details on setting up the correct configuration.

Message EZD1578I, along with messages in the log files, indicating the particular connection problem details.
Import requestor not authorized to access Policy Agent system The Policy Agent system must be configured with one or more user IDs and credentials for the set of import requestors that are authorized to connect.
Rule: If you use a password for credentials, the password must match the password configured on the import requestor. If you use the IBM Configuration Assistant for z/OS Communications Server as the import requestor, the user ID and password are configured on the Import Policy Data panel or request panels for discovery import (for example Discover Stack Local Addresses panel).

See z/OS Communications Server: IP Configuration Guide for details on setting up the correct configuration.

Message EZD1578I, along with messages in the log files, indicating the particular connection problem details.