Policy client connection problems

When acting as a policy client, Policy Agent needs to connect to a policy server. The policy client can be configured with just a primary, or both a primary and a backup, policy server. See z/OS Communications Server: IP Configuration Guide, Policy Agent and policy applications for more information about how the policy client connects to a policy server.

If the policy client does not connect successfully, run Policy Agent on the policy client and policy server with the -d 128 startup option, and check the log files for error conditions. Connection problems are indicated by message EZZ8780I or message EZZ8782I. Check the log files for the specific error encountered.

Table 1 describes common policy client connection problems.

Table 1. Common policy client connection problems
Problem Cause/action Symptom
Incorrect configuration on the policy client or policy server
  • The policy server must be configured with the ClientConnection statement specifying the port to which policy clients connect.
  • If you use secure connections from any policy clients, the policy server must be configured with AT-TLS policies that allow those policy clients to establish SSL connections to the policy server.
  • The policy client must be configured with the ServerConnection statement specifying the host name or IP address, and port of the primary and optional backup policy server, as well as connection retry information.
  • If you want to use a secure connection to the policy server, you must configure the policy client with SSL information on the ServerConnection statement.

See the policy-based networking topic in z/OS Communications Server: IP Configuration Guide for details about setting up the correct configuration.

Message EZZ8780I or EZZ8782I, along with messages in the log files indicating the particular connection problem details.
Incorrect SSL configuration on the policy client or policy server

If you use secure connections from the policy client:

  • The policy server must be configured with AT-TLS policies that allow the policy clients to establish SSL connections to the policy server.
  • The policy server must be configured with a certificate that allows the policy clients to authenticate the server.
  • If a self-signed server certificate is used, the policy client must import the server's certificate into the client's key ring.
  • The ServerConnection statement on the policy client must be configured with the correct SSL parameters.

See the policy-based networking topic in z/OS Communications Server: IP Configuration Guide for details about setting up the correct configuration.

Message EZZ8780I or EZZ8782I, along with messages in the log files indicating the particular connection problem details.
Mismatched security configuration between the policy client and policy server

The configuration on the policy client must match the configuration on the policy server with respect to SSL and AT-TLS:

  • If the policy client is configured with SSL parameters on the ServerConnection statement, the policy server must have an AT-TLS policy that protects connections from that policy client.
  • If the policy client is not configured with SSL parameters on the ServerConnection statement, the policy server must not have an AT-TLS policy that protects connections from that policy client.

Use the pasearch command to display the AT-TLS policies on the policy server, and verify that the selection criteria in the policy rules select only those policy clients that use SSL. Look for policy rules that specify the port specified on the ClientConnection statement as the local port, and in particular, verify that the remote IP address and remote port parameters on those policy rules are correct for your configuration.

See the policy-based networking topic in z/OS Communications Server: IP Configuration Guide for details about setting up the correct configuration.

Message EZZ8780I or EZZ8782I, along with messages in the log files indicating the particular connection problem details.
Incorrect certificate name specified on the ServerSSLName parameter on the ServerConnection statement
  • If the AT-TLS policy on the policy server specifies HandshakeRole Server, the ServerSSLName parameter on the ServerConnection statement on the policy client must specify the name of the server's certificate.
  • If the AT-TLS policy on the policy server specifies HandshakeRole ServerWithClientAuth, the ServerSSLName parameter on the ServerConnection statement on the policy client must specify the name of the client's certificate.

See the policy-based networking topic in z/OS Communications Server: IP Configuration Guide for details about setting up the correct configuration.

Message EZZ8780I or EZZ8782I, along with messages in the log files indicating the particular connection problem.
Policy client not authorized to access policy server
  • The policy server must be configured with one or more user IDs and credentials for the set of policy clients that are authorized to connect.
    Rule: If you use a password for credentials, the password must match the password configured using the AuthBy password parameter on the PolicyServer statement on the policy client.
  • The policy client must be configured with a PolicyServer statement for each stack that will retrieve policies from the policy server, indicating the user ID and credentials that will be used to access the policy server.

See the policy-based networking topic in z/OS Communications Server: IP Configuration Guide for details about setting up the correct authorization.

Message EZZ8780I or EZZ8782I, along with messages in the log files indicating the particular authorization problem details.
Incorrect passticket configuration on the policy client or policy server

If the policy client is configured to use a passticket on the PolicyServer statement, the proper PTKTDATA class profiles must be defined on both the policy server and policy client.

See the policy-based networking topic in z/OS Communications Server: IP Configuration Guide for details about setting up the correct configuration.

Message EZZ8780I or EZZ8782I, along with messages in the log files indicating the particular connection problem details.
The policy server is not listening on the port defined on the ClientConnection statement.

If the ClientConnection statement is configured on the policy server, the port specified on this statement may need to be reserved using the PORT statement in the TCP/IP profile.

See z/OS Communications Server: IP Configuration Guide for details about setting up the correct configuration.

Message EZZ8788I, along with messages in the log files, indicating the particular connection problem details.
Duplicate policy client name reported

If you use the configuration file import service on the policy server, you might encounter a duplicate policy client name for a policy client. The reason for this is that temporary names are generated in order to process a configuration file import. If a policy client tries to connect to the policy server while a configuration file import is in progress, it's possible that the policy client name matches the generated temporary name.

If this happens, issue a MODIFY UPDATE command on the policy client to cause it to reconnect to the policy server, once the configuration file import service has completed.

Message EZZ8781I followed by message EZZ8782I, along with messages in the log files indicating a duplicate policy client name was detected.
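
The matching rule from the "Mismatched security configuration" row of Table 1 can be checked mechanically once the AT-TLS rules shown by pasearch and the SSL setting of each policy client have been written down. The following is an added example, not part of the original documentation or of any IBM tool: the class names, rule names, port and addresses are hypothetical, the data is constructed, and only the local port and remote IP address criteria are modeled (the remote port criterion is left out).

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class TtlsRule:
    """One AT-TLS rule, transcribed by hand from pasearch output (hypothetical model)."""
    name: str
    local_port: int
    remote_addr: str   # remote IP address selection criterion, as CIDR

@dataclass
class PolicyClient:
    name: str
    addr: str
    uses_ssl: bool     # True if its ServerConnection statement has SSL parameters

def selecting_rules(client, rules, client_connection_port):
    """Names of rules on the ClientConnection port whose remote address covers the client."""
    ip = ipaddress.ip_address(client.addr)
    return [r.name for r in rules
            if r.local_port == client_connection_port
            and ip in ipaddress.ip_network(r.remote_addr)]

def find_mismatches(clients, rules, client_connection_port):
    """Return (client name, reason) for every client that breaks the matching rule."""
    problems = []
    for c in clients:
        hits = selecting_rules(c, rules, client_connection_port)
        if c.uses_ssl and not hits:
            problems.append((c.name, "uses SSL, but no AT-TLS rule selects it"))
        elif not c.uses_ssl and hits:
            problems.append((c.name, "no SSL, but selected by " + ", ".join(hits)))
    return problems

# Constructed sample data; the port and addresses are placeholders.
PORT = 16310
RULES = [TtlsRule("PolicyClientsSSL", PORT, "192.0.2.0/25"),
         TtlsRule("OtherService", 8443, "0.0.0.0/0")]
CLIENTS = [PolicyClient("CLIENT_A", "192.0.2.10", True),
           PolicyClient("CLIENT_B", "192.0.2.200", True),
           PolicyClient("CLIENT_C", "192.0.2.20", False),
           PolicyClient("CLIENT_D", "198.51.100.5", False)]

if __name__ == "__main__":
    for name, reason in find_mismatches(CLIENTS, RULES, PORT):
        print(f"{name}: {reason}")
```

In the sample, CLIENT_B falls outside the rule's remote address range and CLIENT_C falls inside it without using SSL, so both are reported; either case produces the connection failures described in that row.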