Policy client connection problems
When acting as a policy client, Policy Agent needs to connect to a policy server. The policy client can be configured with just a primary, or both a primary and a backup, policy server. See z/OS Communications Server: IP Configuration Guide, Policy Agent and policy applications for more information about how the policy client connects to a policy server.
If the policy client does not connect successfully, run Policy Agent on the policy client and policy server with the -d 128 startup option, and check the log files for error conditions. Connection problems are indicated by message EZZ8780I or message EZZ8782I. Check the log files for the specific error encountered.
Table 1 describes common policy client connection problems.
Problem | Cause/action | Symptom |
---|---|---|
Incorrect configuration on the policy client or policy server | See the policy-based networking topic in z/OS Communications Server: IP Configuration Guide for details about setting up the correct configuration. | Message EZZ8780I or EZZ8782I, along with messages in the log files indicating the particular connection problem details. |
Incorrect SSL configuration on the policy client or policy server | If you use secure connections from the policy client: See the policy-based networking topic in z/OS Communications Server: IP Configuration Guide for details about setting up the correct configuration. | Message EZZ8780I or EZZ8782I, along with messages in the log files indicating the particular connection problem details. |
Mismatched security configuration between the policy client and policy server | The configuration on the policy client must match the configuration on the policy server with respect to SSL and AT-TLS: Use the pasearch command to display the AT-TLS policies on the policy server, and verify that the selection criteria in the policy rules select only those policy clients that use SSL. Look for policy rules that specify the port specified on the ClientConnection statement as the local port, and in particular, verify that the remote IP address and remote port parameters on those policy rules are correct for your configuration. See the policy-based networking topic in z/OS Communications Server: IP Configuration Guide for details about setting up the correct configuration. | Message EZZ8780I or EZZ8782I, along with messages in the log files indicating the particular connection problem details. |
Incorrect certificate name specified on the ServerSSLName parameter on the ServerConnection statement | See the policy-based networking topic in z/OS Communications Server: IP Configuration Guide for details about setting up the correct configuration. | Message EZZ8780I or EZZ8782I, along with messages in the log files indicating the particular connection problem. |
Policy client not authorized to access policy server | See the policy-based networking topic in z/OS Communications Server: IP Configuration Guide for details about setting up the correct authorization. | Message EZZ8780I or EZZ8782I, along with messages in the log files indicating the particular authorization problem details. |
Incorrect passticket configuration on the policy client or policy server | If the policy client is configured to use a passticket on the PolicyServer statement, the proper PTKTDATA class profiles must be defined on both the policy server and policy client. See the policy-based networking topic in z/OS Communications Server: IP Configuration Guide for details about setting up the correct configuration. | Message EZZ8780I or EZZ8782I, along with messages in the log files indicating the particular connection problem details. |
The policy server is not listening on the port defined on the ClientConnection statement. | If the ClientConnection statement is configured on the policy server, the port specified on this statement may need to be reserved using the PORT statement in the TCP/IP profile. See z/OS Communications Server: IP Configuration Guide for details about setting up the correct configuration. | Message EZZ8788I, along with messages in the log files, indicating the particular connection problem details. |
Duplicate policy client name reported | If you use the configuration file import service on the policy server, you might encounter a duplicate policy client name for a policy client. The reason for this is that temporary names are generated in order to process a configuration file import. If a policy client tries to connect to the policy server while a configuration file import is in progress, it's possible that the policy client name matches the generated temporary name. If this happens, issue a MODIFY UPDATE command on the policy client to cause it to reconnect to the policy server, once the configuration file import service has completed. | Message EZZ8781I followed by message EZZ8782I, along with messages in the log files indicating a duplicate policy client name was detected. |