Policy client retrieval problems

When acting as a policy client, Policy Agent retrieves policies for one or more policy types, on behalf of one or more stacks, from a policy server. The choice of local or remote policy retrieval can be made separately for each policy type, and for each configured stack. See z/OS Communications Server: IP Configuration Guide, Policy Agent and policy applications for more information about policy client retrieval of remote policies.

If the policy client does not successfully retrieve policies, run Policy Agent on the policy client and policy server with the -d 128 startup option, and check the log files for error conditions. Retrieval problems are indicated by message EZZ8438I. Check the log files for the specific error encountered.

Table 1 describes common policy client retrieval problems.

Table 1. Common policy client retrieval problems
Problem Cause/action Symptom
Incorrect configuration on the policy client or policy server
  • The policy server should be configured with one or more DynamicConfigPolicyLoad statements that match the client name. The DynamicConfigPolicyLoad statement determines the configuration files that get loaded after a policy client successfully connects. If a matching DynamicConfigPolicyLoad statement is not found, the policy server will attempt to load policies from a default file. Ensure that the correct set of DynamicConfigPolicyLoad statements is specified, and that the correct configuration files are specified on these statements.
  • The policy client must be configured with a PolicyServer statement for each stack that will retrieve policies from the policy server. The ClientName specified on this statement is used to match a DynamicConfigPolicyLoad statement on the policy server. If the ClientName parameter is not specified, the default client name used is remotesysname_tcpimage where:

    remotesysname value is the policy client system name and tcpimage value is the policy client image name

See z/OS Communications Server: IP Configuration Guide , Policy Agent and policy applications, and z/OS Communications Server: IP Configuration Reference, general configuration file statements topic for more information.

Incorrect or no policies retrieved from the policy server.
Incorrect regular expressions coded on the DynamicConfigPolicyLoad statement The DynamicConfigPolicyLoad statements can be configured with regular expressions to match against policy client names. Regular expressions are very powerful, but also can be complex, and might not produce results that are intuitive. For example, the expression [a-z] matches any lower case alphabetic character, which means that any string containing at least one such character will match. As another example, the expression [^abc] means any character except a, b, or c matches. So the only strings that won't match are those containing ONLY the characters a, b, or c.

See z/OS Communications Server: IP Configuration Guide , Policy Agent and policy applications, and z/OS Communications Server: IP Configuration Reference, DynamicConfigPolicyLoad statement for more information.

Incorrect or no policies retrieved from the policy server.
Policy client not authorized to access policies on the policy server The policy server must be configured with SERVAUTH profiles that allow the policy clients to access policies. The format of the SERVAUTH profiles is: EZB.PAGENT.sysname.image.ptype where:
  • sysname is the policy server system name
  • image is the policy client name
    Rule: The image portion of the profile name on the policy server must match or include the name of the policy clients. Each policy client name is configured or defaulted using the ClientName parameter on the PolicyServer statement.
  • ptype is the policy type (QOS, IDS, IPSEC, ROUTING, or TTLS)
See z/OS Communications Server: IP Configuration Guide, Policy Agent and policy applications for more information.
Incorrect or no policies retrieved from the policy server.