Configuring the agent

BMC AMI Enterprise Connector for Venafi (EC for Venafi) agents receive transaction requests from the gateway and manage the necessary RACF, TSS, or ACF2 commands according to the environment in which they are installed.

To set up your agents, you must configure the following statements. You can find a sample configuration member, ECVAPARM, in the hlq.RSSSAMP library.

Related topics

Planning

Installing

Configuring-after-installation

Global statement

The following global parameters define general functionality:

Parameter

Description

Activate appName

Name of the application to be loaded

The value of this parameter must be Venafi.

MessageLevel level level

Message level written to RSSPRINT

You can define multiple message levels.

We recommend that you include message level Info Error.

RACFAdminUser userID

User ID for issuing commands to the external security manager (ESM)

If you omit this parameter, the user ID of the agent task is used.

      

Example

MessageLevel     Info Error
Activate         Venafi

ECAgent statement

The following ECAgent parameters define the REST API server for the agent instance. Only one ECAgent statement is required per instance.

Parameter

Description

ECAgent

Begins the ECAgent statement

HostName hostName | IPaddress

(Required) Location of the agent instance

Enter the host name or IP address for the server on which the agent is located.

Port portNumber

Port number used by the agent instance

(Required) Enter the port number to be used by the REST API for the agent.

DatasetHLQ hlq

High-level qualifier for temporary data sets

EC for Venafi passes the specified hlq to the REXX procedures that generate the full data set name. 

Specify up to 17 characters. The high-level qualifier cannot end with a period and it must conform to z/OS data set naming standards for data set qualifiers. For example:

  • DatasetHLQ CERT.ABC.HLQ
  • DatasetHLQ CERTIFIC.ATEHLQ

The default value is what is set for the RACFAdminUser in the RSS Global configuration parameters.

If no value is set for RACFAdminUser, then the value is the user ID for the address space on which EC for Venafi runs, with no APF authorization.

CheckpointDataset vsamDataSetName

Name of the VSAM KSDS data set for checkpointing

This parameter has no default.

CheckpointShared Yes | No

Specifies whether the checkpoint data set should be shared across multiple agent instances in the same sysplex

The default value is No.

TLSAware Yes | No

Verifies whether incoming transactions have been secured by a valid AT-TLS policy

Transactions that are flagged as insecure or not having an AT-TLS policy are rejected.

The default value is No.

VerifyGateway Yes | No

Verifies whether incoming transactions have been sent by a genuine EC for Venafi gateway

Transactions that are flagged as not coming from a genuine gateway are rejected.

The default value is No.

VipaGroup dvipaName

Specifies the name of the DVIPA target 

Use this parameter if you are using Dynamic Virtual IP Addressing (DVIPA) from your Venafi Trust Protection Platform (TPP), instead of an LPAR, to process agent requests. System symbolics, such as &SYSNAME, are supported. The DVIPA name can be up to 16 characters in length.

ExpirySearchTime hh:mm

Time of day that EC for Venafi searches for expired certificates

Enter the hour and minutes to perform the search.

The default value is 00:00.

DeleteAfter days

Number of days after which an expired certificate is deleted 

EC for Venafi does not act on this parameter. Instead, the agent passes the transaction to ExpiryRexx routine for processing.

The default value is 5.

EndECAgent

Ends the ECAgent statement

Sample eC Agent statements

Standard eC Agent statement

***********************************************     
* Define eC Agent                            *     
***********************************************     
ECAgent                                           
   HostName             SYS1              
   Port                 4000                        
   DatasetHLQ           ECTPP
   TLSAware             Yes
   VerifyGateway        Yes
   ExpirySearchTime     04:00                      
EndECAgent   

DVIPA eC Agent statement

***********************************************     
* Define eC Agent                            *     
***********************************************     

ECAgent                                        
   HostName            vipa.ip.address  
   Port                portNumber                   
   DATASETHLQ          hlq           
   ExpirySearchTime    hh:mm                  
   DeleteAfter         days                     
   CheckpointDataset   vsamDataSetName      
   CheckpointShared    no                     
   VipaGroup           dvipaName          
EndECAgent

EmailProfile statement

The following EmailProfile parameters define the type of email that the agent sends to the JES destination:

Parameter

Description

EmailProfile

Begins the EmailProfile statement

FromEmail emailAddress

(Required) Email address assigned to the agent that sent the email

SysoutClass class

(Required) Output print class for printing email data that the IBM Communications Server Simple Mail Transfer Protocol (CSSMTP) application scans for

SysoutDEST systemName

(Required) JES destination for routing email data, which is the name of the system on which CSSMTP is running

SysoutWriter writerName

(Required) External writer name used by CSSMTP to scan email data

The value of this parameter must be the same as the value of the ExtWrtName statement that is defined in the CSSMTP configuration.

EndEmailProfile

Ends the EmailProfile statement


Example

***********************************************     
* Email Profile Settings                      *     
***********************************************     
EmailProfile                                           
   FromEmail            ecagent@bmc.com          
   SysoutClass          B                                   
   SysoutDest           PLX1                             
   SysoutWriter         SMTP                                
EndEmailProfile

EmailRecipients statement

The following EmailRecipients parameters define the email addresses of individuals and groups who should receive email notifications from the agent:

Parameter

Description

EmailRecipients

Begins the EmailRecipients statement

Expired emailAddress

(Optional) Sends an email to a person or group when EC for Venafi detects an expired certificate

You can repeat this parameter for as many recipients as you want.

Failures emailAddress

(Optional) Sends an email to a person or group when EC for Venafi fails to process a TPP request

You can repeat this parameter for as many recipients as you want.

Success emailAddress

(Optional) Sends an email to a person or group when EC for Venafi succeeds in processing a TPP request

You can repeat this parameter for as many recipients as you want.

EndEmailRecipients

Ends the EmailRecipients statement


Example of a EmailRecipients statement

***********************************************     
* Email Recipients.                           *     
***********************************************     
EmailRecipients                                           
   Expired              cyber1@bmc.com          
   Failures             cyber1@bmc.com          
   Failures             sysprogs@bmc.com
   Success              ops@bmc.com                             
EndEmailRecipients 


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*