Step 6: Configure Policy Agent for configuration file import services

You can connect an import requester to the Policy Agent to provide policy configuration file or TCP/IP profile information import services.

Procedure

To configure the Policy Agent for configuration file import services, perform the following steps:

  1. Define the port and TCP/IP image name to which import requesters will connect. If import requesters are to be used, the ServicesConnection statement in the main configuration file provides the port and TCP/IP image name that the Policy Agent listens on for remote connections. An import requester is one type of services requester provided for by the ServicesConnection statement. The Policy Agent listens for services requester connections on only one TCP/IP image. You can specify the image name to be used, or use the name specified (or specified by default) on the TCPIPUSERID statement or TCPIPJOBNAME statement in TCPIP.DATA. If the default TCP/IP image cannot be determined, the Policy Agent uses the image name INET. In any case, the image name might or might not match an image name specified on a TcpImage statement:
    • If the specified name does not match any TcpImage statement, the Policy Agent generates an internal TcpImage statement with default values to represent the TCP/IP image. This means that you can specify a maximum of only 7 (instead of 8) TcpImage or PEPInstance statements.
    • In a single stack (INET) environment, the Policy Agent uses the active TCP/IP image to listen for services connection requests.
    Rule: The ServicesConnection statement is required for any Policy Agent that accepts connections from an import requester.
    Guideline: Reserve the port specified on the ServicesConnection statement using the PORT statement in the TCP/IP profile.
    Restriction: The port value cannot match the port value configured on the ClientConnection statement.
  2. Optionally configure secure connections from the import requesters.
    • By default, the ServicesConnection statement defines a basic connection that is not explicitly secured. This option can be used for an unsecure connection, or you can define AT-TLS policies for this import services connection to create a secure SSL connection.
    • You can define a secure connection instead, and specify the level of tracing and the TLS/SSL key ring to use. You must specify the name of a SAF key ring. Key ring files created by the System SSL gskkyman utility are not supported. When you configure a secure connection, Policy Agent automatically creates an AT-TLS policy for the connection, and the import requester must also specify that the connection is to be secured. You must enable the TTLS parameter on the TCPCONFIG statement in the TCP/IP profile for the generated AT-TLS policy to be effective.
    Tip: This option supports only TLSv1.0 and is not recommended for secure SSL connections. For a secure SSL connection, configure Security Basic and supply user-defined AT-TLS policies instead.

    The following example shows a ServicesConnection statement for a secure connection:

    ServicesConnection
    {
       Port       17000
       ImageName  TCPIP1
       Security   Secure
       Trace      14
       Keyring    PAGRING
    }

    The following AT-TLS policy is generated from this ServicesConnection statement:

    TTLSRule                      TTLS_RULE_______________GENERATED
    {
       LocalPortRange             17000
       JobName                    PAGENT
       Direction                  Inbound
       TTLSGroupActionRef         TTLS_GROUP_ACTION_______GENERATED
       TTLSEnvironmentActionRef   TTLS_ENVIRONMENT_ACTION_GENERATED
    }

    TTLSGroupAction               TTLS_GROUP_ACTION_______GENERATED
    {
       TTLSEnabled                On
       Trace                      14
    }
     
    TTLSEnvironmentAction         TTLS_ENVIRONMENT_ACTION_GENERATED
    {
       HandshakeRole              SERVER
       TTLSKeyRingParms
       {
          Keyring                 PAGRING 
       }
    }

    The Policy Agent installs this generated policy in the TCP/IP image specified explicitly or by default on the ServicesConnection statement. This generated policy uses a priority value that is lower than any specified AT-TLS policies, so it is installed as the last policy in the TCP/IP image. If local or remote AT-TLS policies are configured, the Policy Agent installs those policies before installing the generated policy. If you configure AT-TLS policies on a policy server, those policies must be successfully retrieved before the Policy Agent is able to accept connections from services requesters. Accepting connections from services requesters can be affected by problems or delays in retrieving the AT-TLS policies from the policy server.

    If you change the ServicesConnection statement, the generated policy is uninstalled or reinstalled as follows:

    • If you change the Port, Trace or Keyring parameters, the Policy Agent regenerates and reinstalls the policy.
    • If you change the ImageName parameter, the Policy Agent uninstalls the generated policy from the previous image and installs the policy on the new image.
    • If you change the Security parameter value from Secure to Basic, the Policy Agent uninstalls the generated policy.

    If you delete the ServicesConnection statement, the Policy Agent uninstalls the generated policy.

  3. To restart the listener for services requester connections and, if required, to reinstall the generated AT-TLS policy, issue the MODIFY SRVLSTN command. For information about when you might use the MODIFY command for Policy Agent, see z/OS Communications Server: IP System Administrator's Commands.
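The following added example is not part of the original documentation or of Policy Agent. It is a small Python audit of a main configuration file against the rule and restriction in step 1 and the tip in step 2. The sample file is constructed, and the function names, the `client_port` argument, the `#` comment handling and the TcpImage operand layout are assumptions of this sketch.

```python
import re

# Constructed sample of a Policy Agent main configuration file (not from a real system).
SAMPLE = """\
TcpImage TCPIP2 /etc/pagent.tcpip2.conf
ServicesConnection
{
   Port       17000
   ImageName  TCPIP1
   Security   Secure
   Trace      14
}
"""

def services_connection(text):
    """Return ServicesConnection parameters as {lower-cased keyword: value}, or None."""
    m = re.search(r"^\s*ServicesConnection\s*\{(.*?)\}", text, re.S | re.I | re.M)
    if not m:
        return None
    params = {}
    for line in m.group(1).splitlines():
        words = line.split("#", 1)[0].split()  # assumption: '#' starts a comment
        if len(words) >= 2:
            params[words[0].lower()] = words[1]
    return params

def image_names(text):
    """Assumption: the image name is the first operand of TcpImage/PEPInstance."""
    pat = r"^\s*(?:TcpImage|PEPInstance)\s+(\S+)"
    return [n.upper() for n in re.findall(pat, text, re.I | re.M)]

def audit(text, client_port=None):
    """Check the rule, restriction, tip and statement limit from this step."""
    sc = services_connection(text)
    if sc is None:
        return ["RULE: no ServicesConnection statement, import requesters cannot connect"]
    findings = []
    if client_port is not None and sc.get("port") == str(client_port):
        findings.append("RESTRICTION: Port equals the ClientConnection port")
    if sc.get("security", "Basic").lower() == "secure":
        findings.append("TIP: Security Secure supports only TLSv1.0")
        if "keyring" not in sc:
            findings.append("KEYRING: Security Secure needs a SAF key ring name")
    images = image_names(text)
    image = sc.get("imagename")
    # An unmatched ImageName makes Policy Agent generate an internal TcpImage,
    # which leaves room for only 7 explicit TcpImage/PEPInstance statements.
    if image and image.upper() not in images and len(images) > 7:
        findings.append("LIMIT: more than 7 TcpImage/PEPInstance statements")
    return findings
```

Pass the port configured on the ClientConnection statement as `client_port`; the sketch does not parse that statement itself, and it skips the image check when ImageName is omitted because the default comes from TCPIP.DATA.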