Configure PAGENT by updating the TCP/IP profile, granting RACF® permission to TCP/IP resources,
preparing the PAGENT startup JCL, and activating syslogd.
About this task
To enable PAGENT for AT-TLS, complete the following steps.
For a more detailed description of how to install and configure PAGENT,
see the Policy-based networking chapter of the z/OS® Communications Server IP Configuration
Guide on the z/OS product documentation.
Procedure
- Update the TCP/IP profile.
  You must make two changes to the TCP/IP profile to enable AT-TLS:
  - Add the statement TCPCONFIG TTLS to activate the functionality of AT-TLS inside the TCP/IP stack.
  - Add PAGENT to the AUTOLOG list.
- Grant RACF permissions to TCP/IP resources.
  Users require permissions to the following resources as part of activating PAGENT:
  - Define PAGENT as a started task with its own user ID.
  - The EZB.INITSTACK.sysname.tcpprocname resource profile controls which users can have access to the TCP/IP stack before PAGENT is active. Give READ access to all users who do not require PAGENT policies to access the TCP/IP stack; for example, PAGENT, NETVIEW, DB2®, and so on.
  - The EZB.PAGENT.sysname.tcpprocname.* resource controls which users can start, stop, and refresh PAGENT. Give READ access to the users who are allowed to run the TSO/Unix commands Pagent or pasearch.
  - The user ID of PAGENT must have READ access to the BPX.DAEMON facility.
  For more detailed information about the RACF permissions, check the sample EZARACF in the TCPIP.SEZAINST library.
- Prepare the PAGENT startup JCL.
  - Copy the sample JCL PAGENT in the TCPIP.SEZAINST library to the system procedure library (for example, SYS1.PROCLIB).
  - Edit the JCL according to your installation standards.
  Specify the location of the PAGENT configuration file (for example, /etc/pagent/pagent.config). You can specify the location and name of the configuration file by setting the environment variable PAGENT_CONFIG_FILE=/etc/pagent/pagent.config.
  The environment variables for the TCP/IP stack are usually specified in a member (for example, ENVVARS) of the TCP/IP parameters library (for example, TCPIP.PARMS). The PAGENT JCL has ddname STDENV that points to the member with the environment variable definitions.
  The PAGENT configuration file (/etc/pagent/pagent.config) specifies the location and name of the PAGENT stack-specific configuration file by using the statement TcpImage:
    TcpImage TCPIP /etc/pagent/TCPIP.image FLUSH NOPURGE 1800
  The stack-specific configuration file (/etc/pagent/TCPIP.image) specifies the location and name of the AT-TLS policies file by using the statement TTLSConfig:
    TTLSConfig /etc/pagent/TCPIP_TTLS.policy
- Activate the system log daemon (syslogd).
  Syslogd acts as the central message logging facility for PAGENT and AT-TLS. Syslogd is not specific to the policy infrastructure, but the policy infrastructure depends on syslogd to provide a central logging facility to maintain an audit trail. If you do not start syslogd, messages are lost. Start one syslog daemon per LPAR.
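The file chain from the JCL step (the file named by PAGENT_CONFIG_FILE, then the TcpImage statement, then the TTLSConfig statement) can be checked before PAGENT is started. The following shell script is an added example, not part of the IBM documentation or samples. Its function names, the "#" comment handling, and the check that no file in the chain is writable by group or others are assumptions of this example, and it runs against sample files constructed in a scratch directory.

```shell
#!/bin/sh
# Added example (not IBM code): follow pagent.config -> TcpImage -> TTLSConfig.

# Print field $3 of the first statement named $2 in file $1.
stmt_field() {
    awk -v kw="$2" -v n="$3" '
        /^[ \t]*#/ { next }   # assumption: "#" starts a comment line
        tolower($1) == tolower(kw) { print $n; found = 1; exit }
        END { if (!found) exit 1 }' "$1"
}

# Fail if a file is missing, unreadable, or writable by group or others.
check_file() {
    [ -r "$1" ] || { echo "FAIL: $1 missing or unreadable"; return 1; }
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL: $1 is writable by group or others"; return 1
    fi
    echo "OK:   $1"
}

# Walk the chain starting from the file named by PAGENT_CONFIG_FILE.
check_pagent_chain() {
    main=$1
    check_file "$main" || return 1
    image=$(stmt_field "$main" TcpImage 3) && [ -n "$image" ] ||
        { echo "FAIL: no usable TcpImage statement in $main"; return 1; }
    check_file "$image" || return 1
    policy=$(stmt_field "$image" TTLSConfig 2) && [ -n "$policy" ] ||
        { echo "FAIL: no usable TTLSConfig statement in $image"; return 1; }
    check_file "$policy"
}

# Constructed sample: the three files named on the page, in a scratch directory.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '# constructed sample\nTcpImage TCPIP %s/TCPIP.image FLUSH NOPURGE 1800\n' \
        "$d" > "$d/pagent.config"
    printf 'TTLSConfig %s/TCPIP_TTLS.policy\n' "$d" > "$d/TCPIP.image"
    : > "$d/TCPIP_TTLS.policy"
    chmod 644 "$d"/*
    echo "$d"
}

sample=$(make_sample) && check_pagent_chain "$sample/pagent.config"
rm -rf "$sample"
```

On a real system, pass the path that PAGENT_CONFIG_FILE names in the STDENV member to check_pagent_chain instead of the constructed sample.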
What to do next
Define and install AT-TLS policies for IBM Integration Bus by following the instructions
in Defining and installing AT-TLS policies.