General updates of z/OS UNIX commands

Table 1. Summary of new and changed Communications Server z/OS UNIX commands
Command Parm Release Description Reason for change
certbundle N/A V1R12 New command to create a certificate bundle file. IKE version 2 support
dig @server V1R12 This parameter is no longer required for a name server which exists on an IPv6-only host. Resolver support for IPv6 connections to DNS name servers
dnsmigrate   V2R1 This command is no longer supported. Removal of BIND DNS Name Server from z/OS
dnssec-keygen   V2R1 This command is no longer supported. Removal of BIND DNS Name Server from z/OS
dnssec-makekeyset   V2R1 This command is no longer supported. Removal of BIND DNS Name Server from z/OS
dnssec-signkey   V2R1 This command is no longer supported. Removal of BIND DNS Name Server from z/OS
dnssec-signzone   V2R1 This command is no longer supported. Removal of BIND DNS Name Server from z/OS
ipsec -F add V2R1 The loglimit keyword is a new keyword that you can use to limit the number of filter-match log messages generated for the defensive filter being added. Limit defensive filter logging
-F update V2R1 The loglimit keyword is a new keyword that you can use to limit the number of filter-match log messages generated for the defensive filter being added. Limit defensive filter logging

-F display, -f display, -t V2R1 A new field, LogLimit, is included in filters displayed with the ipsec command. For defensive filters, it indicates whether filter-match messages are being limited. For all other filter types, it has a value of N/A. Limit defensive filter logging
-k display V1R13 The NATTSupportLevel field is changed to support two additional values: IKEv2 and IKEv2_zOS.
The following fields previously reported N/A for all IKEv2 tunnels because NAT traversal was not supported for IKEv2. They are now populated appropriately when an IKEv2 tunnel traverses one or more NAT devices:
  • NATInFrntLclScEndPt
  • NATInFrntRmtScEndPt
  • zOSCanInitiateP1SA
  • AllowNAt
  • RmtNAPTDetected
  • RmtUdpEncapPort
Network address translation traversal support for IKE version 2
-y display -b V1R13 The following fields previously reported N/A for all IKEv2 tunnels because NAT traversal was not supported for IKEv2. They are now populated appropriately when an IKEv2 tunnel traverses one or more NAT devices:
  • RmtIsGw
  • RmtIsZOS
  • zOSCanInitP2SA
  • RmtUdpEncapPort
  • SrcNATOARcvd
  • DstNATOARcvd
  • LclIpSpecExIDPayload
  • RmtIpSpecExIDPayload
Network address translation traversal support for IKE version 2
-y display V1R13 The following fields previously reported N/A for all IKEv2 tunnels because NAT traversal was not supported for IKEv2. They are now populated appropriately when an IKEv2 tunnel traverses one or more NAT devices:
  • RmtIsGw
  • RmtIsZOS
  • zOSCanInitP2SA
  • RmtUdpEncapPort
  • SrcNATOARcvd
  • DstNATOARcvd
Network address translation traversal support for IKE version 2
-y display V1R12 The report is changed as follows:
  • The IKEVersion field includes a new value of 2.x to indicate IKE version 2.
  • The AssociatedFiltSrcPort, AssociatedFiltType, Code, LocalPort and Type fields changed to include values of All, Opaque, and n/a.
  • The HowToEncrypt field has a new value of KeyLength.
  • The HowToAuth field has new values for AuthAlgorithm: NULL, AES-GMAC-128, AES-XCBC-MAC-96, HMAC-SHA-256-128, HMAC-SHA-384-192, and HMAC-SHA-512-256.
  • The possible values for the HowToEncrypt field are changed to DoNot, AES-CBC, AES-GCM-16, DES-CBC, and 3DES-CBC.
-k display V1R12 The report is changed as follows:
  • The possible AuthenticationAlgorithm values for IKEv1 tunnels are changed from HMAC-MD5 and HMAC-SHA1 to HMAC-MD5, HMAC-SHA1, HMAC-SHA2-256-128, HMAC-SHA2-384-192, and HMAC-SHA2-512-256. The possible values for IKEv2 tunnels are: AES128-XCBC-96, HMAC-MD5-96, HMAC-SHA1-96, HMAC-SHA2-256-128, HMAC-SHA2-384-192, and HMAC-SHA2-512-256.
  • The ExchangeMode field is always set to n/a for IKEv2 because only IKEv1 supports this field.
  • The IKEVersion field includes a new value of 2.x to indicate IKE version 2.
  • The LocalIDType and RemoteIDType fields include a KEYID value. The LocalAuthenticationMethod and RemoteAuthenticationMethod fields include new values of ECDSA-256, ECDSA-384 and ECDSA-521.
  • The State fields that existed prior to V1R12 are applicable to IKEv1. State values that are applicable to IKEv2 are INIT, WAIT KE, WAITAUTH, DONE, HALF-CLOSED, and EXPIRED.
  • The EncryptionAlgorithm value of TripleDES-CBC changed to 3DES-CBC.
  • The EncryptionAlgorithm field has a new value of KeyLength.
  • The PseudoRandomFunction, LocalAuthenticationMethod, and RemoteAuthenticationMethod field values are processed differently depending on whether you are using IKEv1 or IKEv2.
  • For IKEv2, the PseudoRandomFunction field has the new values of AES-XCBC-128, HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512.
  • The NAT traversal fields are not supported for IKEv2.
IKE version 2 support
-m display V1R12 The report is changed as follows:
  • The report output includes a new value for KeyLength on the HowToEncrypt field.
  • The HowToAuth field has the following new values for AuthAlgorithm: NULL, AES-GMAC-128, AES-XCBC-MAC-96, HMAC-SHA-256-128, HMAC-SHA-384-192, and HMAC-SHA-512-256.
  • The possible values for the HowToEncrypt field are changed to DoNot, AES-CBC, AES-GCM-16, DES-CBC, and 3DES-CBC.
-f display V1R12 The report output includes a new field for FIPS140.
The following fields are changed:
  • DestPort, ICMPCode, ICMPType, MIPv6Type, and SourcePort - fields changed to include values of All, Opaque, and n/a.
  • ICMPTypeGranularity, ICMPCodeGranularity, and MIPv6TypeGranularity - fields changed to include values of Rule, Packet, and n/a.
  • OSPFType - field changed to include values of All and n/a.
  • RemoteIdentityType - field changed to include a KEYID value to indicate an opaque byte stream.
  • TypeRange, CodeRange, and SourcePortRange - fields changed to include a value of n/a.
IPSec support for FIPS 140 cryptographic mode
named   V2R1 This command is no longer supported. Removal of BIND DNS Name Server from z/OS
nslookup -server_name, -server_address V1R12 These parameters are no longer required to specify a name server that exists on an IPv6-only host. Resolver support for IPv6 connections to DNS name servers
orpcinfo or rpcinfo (see Note 1) -p V1R13 The program version column is wider than in prior releases. The offsets of all columns following the first column are different. Release update
pasearch -i V1R13 The display is changed to include the settings for new IDS configuration fields. Expanded Intrusion Detection Services
-i V1R13 The display is changed to include the settings for new IDS configuration fields. Intrusion Detection Services support for Enterprise Extender
-R V2R1 IPv6 policy is included in the display of all Routing policy entries that match the input options for pasearch. IPv6 support for policy-based routing
-T V2R1 IPv6 routes and dynamic routing parameters are included in the display of all Routing tables that match the input options for pasearch. IPv6 support for policy-based routing
-t V2R1 Displays new parameters on AT-TLS configuration statements. AT-TLS support for TLS v1.2 and related features
rndc   V2R1 This command is no longer supported. Removal of BIND DNS Name Server from z/OS
rndc-confgen   V2R1 This command is no longer supported. Removal of BIND DNS Name Server from z/OS
trmdstat All report options V1R13 The following changes were made:
  • All reports are updated to support IPv6 addresses.
  • The heading of all reports is updated to display the trmdstat command that was entered and to remove fields that displayed filters that were entered on the command.
  • The default report (if no report option is specified) is changed to the IDS summary (-I) report.
Expanded Intrusion Detection Services
-A V1R13 The summary (-A), detail (-A -D), and statistics (-A -S) displays are changed to include information for the following new attack types: DATA_HIDING, OUTBOUND_RAW_IPV6, RESTRICTED_IPV6_DST_OPTIONS, RESTRICTED_IPV6_HOP_OPTIONS, and RESTRICTED_IPV6_NEXT_HDR.

The statistics display (-A -S) is changed to also include information for the GLOBAL_TCP_STALL and TCP_QUEUE_SIZE attack types.

Expanded Intrusion Detection Services
-A V1R13 The summary (-A), detail (-A -D), and statistics (-A -S) displays are changed to include information for the following new attack types: EE_MALFORMED_PACKET, EE_PORT_CHECK, and EE_LDLC_CHECK.

The statistics display (-A -S) is changed to also include information for the EE_XID_FLOOD attack type.

Intrusion Detection Services support for Enterprise Extender
-F V1R13 The summary (-F), detail (-F -D), and statistics (-F -S) displays are changed to include information for the new EE_XID_FLOOD attack type. Intrusion Detection Services support for Enterprise Extender
-I V1R13 This report is changed to include information for the GLOBAL_TCP_STALL and TCP_QUEUE_SIZE attack types. Expanded Intrusion Detection Services
-G V1R13 This new option can be used to display summary (-G) or detail (-G -D) information for the new Global TCP Stall attack type. Expanded Intrusion Detection Services
-Q V1R13 This new option can be used to display summary (-Q) or detail (-Q -D) information for the new TCP Queue Size attack type. Expanded Intrusion Detection Services
Note:
  1. In the z/OS UNIX shell, rpcinfo is a synonym for the orpcinfo command.