Question & Answer
In z/OSMF Configuration Assistant, how do I import policy data from the Policy Agent?
The IBM Configuration Assistant for z/OS Communications Server can request that existing policy configuration files be imported from the Policy Agent for further changes and additions. When the Policy Agent provides this configuration file import service, the IBM Configuration Assistant is acting as an import requester. These policy files are import configuration files and the resulting policies are import policies.
There are two primary uses for the Policy Data Import function.
The administrator has never used the Configuration Assistant but wants to initialize a Configuration Assistant configuration with data from existing policy files.
The administrator uses and manages configuration data with the Configuration Assistant, but an emergency change was made to a policy file. The policy statement change must be incorporated into the primary backing store configuration data.
When the Policy Data Import function runs, it goes through the following steps:
Establish a connection to a Policy Agent server.
Extract policy data for the specified image, stack, and technology.
Transform the policy data into Configuration Assistant objects.
Import the new Configuration Assistant objects into the current configuration.
Generate an import report with details about the objects that were adopted into the current configuration.
With a successful import, the current configuration reflects changes as a result of integrating the import data, but no Save operation has yet been performed. The administrator may use the report to check the validity of the new configuration before performing a Save or Save As.
If an error occurred during any phase of the process, the current configuration remains unchanged.
Configure the following values on the Configuration Assistant's Import Policy Data panel:
Host connection IP address and port for the Policy Agent
Host connection user name and password to identify resources that this user can access
Indication of whether a secure connection (SSL) should be used.
Policy type to identify what type of policies to import
Optional policy configuration file names (common file, stack-specific file, or both)
Import request name to identify the stack name
In the Policy Agent main configuration file, define a ServicesConnection statement, specifying the following parameters:
Port: the port that the Policy Agent listens on for TCP connections from services requestors on the specified TCP/IP image name. This port must be the same as the host connection port that is specified on the Configuration Assistant Import Policy Data request panel for any import requestor that connects to this Policy Agent. Valid port values are in the range 1 - 65535. The default port value is 16311.
ImageName: a string 1 - 8 characters in length that specifies the TCP/IP image name.
Security: the level of security that is used for the services requestor connection. Basic specifies one of the following connections: (1) the connection does not use SSL and is unsecured, or (2) you define AT-TLS policies for this import services connection to create a secure SSL connection. Secure specifies that the connection uses SSL.
Keyring: a string 1 - 1023 characters in length that specifies the ring name of the SAF key ring. This key ring typically contains the certificates of the Certificate Authorities that the client trusts. Restriction: If Security is configured with Secure, this parameter is required. If you specify Security Basic, this parameter is ignored.
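One way to check ServicesConnection statements against the parameter rules above before the Policy Agent picks up the file, as an added example that is not IBM code. The brace-delimited statement layout, the "#" comment handling, the sample image names, and the function names parse and audit are assumptions.

```python
import re
# Constructed sample of a Policy Agent main configuration file. The brace layout
# is an assumption; the parameter names and limits are taken from the text above.
SAMPLE = """\
ServicesConnection
{
  ImageName TCPIP1
  Port 16311
  Security Basic
}
ServicesConnection
{
  ImageName TCPIPSTACK2
  Port 70000
  Security Secure
}
"""

BLOCK = re.compile(r"^\s*ServicesConnection\s*\{(.*?)\}", re.S | re.M | re.I)

def parse(text):
    """Return one {parameter: value} dict (keys lowercased) per ServicesConnection block."""
    blocks = []
    for body in BLOCK.findall(text):
        params = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                params[parts[0].lower()] = parts[1].strip()
        blocks.append(params)
    return blocks

def audit(params):
    """Check one statement against the limits stated above; return the findings."""
    findings = []
    port = params.get("port", "16311")  # default port per the text
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("Port must be in the range 1 - 65535")
    if not 1 <= len(params.get("imagename", "")) <= 8:
        findings.append("ImageName must be 1 - 8 characters")
    security = params.get("security", "").lower()
    if security == "secure":
        if not 1 <= len(params.get("keyring", "")) <= 1023:
            findings.append("Security Secure requires Keyring (1 - 1023 characters)")
    elif security == "basic":
        findings.append("Security Basic: no SSL unless an AT-TLS policy covers this connection")
    else:
        findings.append("Security is not set to Basic or Secure")
    return findings
```

Calling audit on each dict returned by parse(SAMPLE) reports the Basic connection in the first statement and three rule violations in the second.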
Use the z/OS system security facility (for example, RACF) to specify permissions for system access to policy technologies. The following sample commands allow "userid" to obtain the IPSec policy for SYSTEMA, TCP/IP stack STACKB:
RDEFINE SERVAUTH EZB.PAGENT.SYSTEMA.STACKB.IPSEC UACC(NONE)
PERMIT EZB.PAGENT.SYSTEMA.STACKB.IPSEC CLASS(SERVAUTH) ID(userid) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH
In the SERVAUTH class profile, specify the last component as the technology. The technology value must be one of the following:
Note that as with other SERVAUTH class profiles, the final three name components may be wildcarded.
24 April 2015