Steps for configuring remote IP security policy using only a common IP security configuration file

You can configure remote IP security policy for all stacks on the z/OS® policy client system using only a common IP security configuration file. In this instance, a stack-specific IP security configuration file is not necessary.

Procedure

Perform the following steps to configure remote IP security policy using only a common IP security configuration file.

  1. In the main Policy Agent configuration file on the policy client, include the ServerConnection statement and one TcpImage statement for each IP security stack to be configured:

    ServerConnection
    {
        …
    }
    TcpImage TCPCS  /etc/TCPCS.image
    TcpImage TCPCS2 /etc/TCPCS2.image
    ⋮
  2. In each configuration file that is identified on a TcpImage statement in step 1, include a PolicyServer statement. For example, in /etc/TCPCS.image:

    PolicyServer
    {
       ClientName  IPSecClientTCPCS
       PolicyType IPSec
       {
          …
       }
       …
    }

    In /etc/TCPCS2.image:

    PolicyServer
    {
       ClientName  IPSecClientTCPCS2
       PolicyType IPSec
       {
          …
       }
       …
    }
  3. In the main configuration file on the policy server, include a DynamicConfigPolicyLoad statement, as follows:

    DynamicConfigPolicyLoad  IPSecClient.*
    {
       PolicyType IPSec
       {
          CommonPolicyLoad /etc/common.ipsecpol
       }
       …
    }

Results

All stacks on the z/OS policy client system will adhere to the policy that is specified in the /etc/common.ipsecpol file on the policy server.
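
The following consistency check is an added example, not part of the original procedure or of any IBM tooling. It confirms that every stack named on a TcpImage statement has a ClientName covered by a DynamicConfigPolicyLoad statement that carries an IPSec CommonPolicyLoad. It assumes the name on DynamicConfigPolicyLoad is a regular expression that must match the whole ClientName (Python's `re` syntax stands in for the server's matching); the function names and sample file contents are constructed for illustration.

```python
import re

# Constructed sample files mirroring the statements on this page (elided parts omitted).
CLIENT_MAIN = """ServerConnection
{
}
TcpImage TCPCS  /etc/TCPCS.image
TcpImage TCPCS2 /etc/TCPCS2.image
"""
IMAGE_TEMPLATE = "PolicyServer\n{\n   ClientName  %s\n   PolicyType IPSec\n   {\n   }\n}\n"
IMAGE_FILES = {"/etc/TCPCS.image": IMAGE_TEMPLATE % "IPSecClientTCPCS",
               "/etc/TCPCS2.image": IMAGE_TEMPLATE % "IPSecClientTCPCS2"}
SERVER_MAIN = """DynamicConfigPolicyLoad  IPSecClient.*
{
   PolicyType IPSec
   {
      CommonPolicyLoad /etc/common.ipsecpol
   }
}
"""

def statements(cfg, keyword):
    """Yield (argument, body) for each 'keyword [arg] { ... }' statement, brace-matched."""
    for m in re.finditer(rf"^[ \t]*{keyword}[ \t]*(\S*)\s*\{{", cfg, re.M):
        depth, i = 1, m.end()
        while depth and i < len(cfg):
            depth += {"{": 1, "}": -1}.get(cfg[i], 0)
            i += 1
        yield m.group(1), cfg[m.end():i - 1]

def check(client_main, image_files, server_main):
    """Map each stack to (ClientName, matching server pattern); either may be None."""
    # Keep only server statements that actually carry an IPSec CommonPolicyLoad.
    loads = [pat for pat, body in statements(server_main, "DynamicConfigPolicyLoad")
             if re.search(r"PolicyType\s+IPSec\s*\{[^{}]*CommonPolicyLoad\s+\S+", body)]
    result = {}
    for stack, path in re.findall(r"^\s*TcpImage\s+(\S+)\s+(\S+)", client_main, re.M):
        name = None
        for _, body in statements(image_files.get(path, ""), "PolicyServer"):
            m = re.search(r"^\s*ClientName\s+(\S+)", body, re.M)
            name = m.group(1) if m else None
        # Assumption: the pattern must match the whole ClientName.
        hit = next((p for p in loads if name and re.fullmatch(p, name)), None)
        result[stack] = (name, hit)
    return result

if __name__ == "__main__":
    for stack, (name, pat) in check(CLIENT_MAIN, IMAGE_FILES, SERVER_MAIN).items():
        print(stack, name, "->", pat or "NO MATCHING DynamicConfigPolicyLoad")
```

A stack that reports no matching pattern would not receive the common policy from this server statement, so run the check whenever a ClientName or the DynamicConfigPolicyLoad name changes.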