z/OS Communications Server

What’s new in IBM Knowledge Center?

Erin Zhang ‎ 1 Comment ‎ 3,825 Views

IBM Knowledge Center has been updated with a new appearance in June. The homepage is updated as below. To learn more about the new IBM Knowledge Center, take a look at the IBM Knowledge Center Version 2 video tour.

To get the right information, you can search for a keyword or select a product from an alphabetical list. For z/OS Communications Server documentation, you can use the following links to quickly locate the information.

Compared with the former version of IBM Knowledge Center, the new IBM Knowledge Center has the following enhancements for search and navigation:

Show the table of contents by clicking on the TOC icon

By default, IBM Knowledge Center opens a full page content view with a breadcrumb and previous topic / next topic controls on every page. Therefore, when reading the information, you may be wondering where the Table of Contents is. In fact, the Table of Contents is always available, but hidden by default. Click the TOC icon () to show the Table of Contents.

Select the same topic in other versions of your product

If you get the topic you want but not the version you want, you can switch to the version you want. For example, if you search by using Google, and land on the wrong version of a topic that you are interested in, click the drop-down in the topic title area to switch versions.

See related documents from other IBM technical content sites
When you search, the Knowledge Center also returns results related to your keywords from IBM developerWorks, IBM Redbooks, and IBM Support technotes to the right of the main results.

Search scope and filter
In the new IBM Knowledge Center, you can search all of IBM Knowledge Center, a set of product versions, or just within a single version by changing the "search in" drop-down next to the search entry field. By default, IBM KC search selects the product scope you are currently browsing (auto-context search), but you need to click on the content itself for the filter to activate.

Modified on by SamReynolds

z/OS CS TCP/IP Implementation Redbooks - V1R13 Editions

SamReynolds Tags: documentation ‎ 1 Comment ‎ 5,457 Views

The IBM z/OS Communications Server TCP/IP Implementation Redbook series provides understandable, step-by-step guidance about how to enable the most commonly used and important functions of z/OS Communications Server TCP/IP. Final versions of the four V1R13 volumes are now available for you to download and enjoy:

IBM z/OS V1R13 Communications Server TCP/IP Implementation: Volume 1 Base Functions, Connectivity, and Routing (SG24-7996-00)

http://www.redbooks.ibm.com/abstracts/sg247996.html?Open

IBM z/OS V1R13 Communications Server TCP/IP Implementation: Volume 2 Standard Applications (SG24-7997-00)

http://www.redbooks.ibm.com/abstracts/sg247997.html?Open

IBM z/OS V1R13 Communications Server TCP/IP Implementation: Volume 3 High Availability, Scalability, and Performance (SG24-7998-00)

http://www.redbooks.ibm.com/abstracts/sg247998.html?Open

IBM z/OS V1R13 Communications Server TCP/IP Implementation: Volume 4 Security and Policy-Based Networking (SG24-7999-00)

http://www.redbooks.ibm.com/abstracts/sg247999.html?Open

Happy reading!

zERT | Understanding zERT - zERT discovery

FloraGui ‎ 54 Views

100-second glimpse of zERT: http://ibm.biz/zerttotherescue

Learn about zERT discovery on IBM Knowledge Center: zERT discovery

To help system administrators to better monitor system network cryptographic status, IBM launched z/OS Encryption Readiness Technology (zERT) discovery as phase one of zERT in z/OS V2R3 Communications Server.

zERT discovery collects and records a wide variety of cryptographic protection attributes for TCP and Enterprise Extender (EE) traffic on your z/OS system. Having all of this information collected in one place makes it possible to build a clear picture of your z/OS network protection status.

zERT Configuration
To configure zERT and turn on Discovery, we have three new parameters in the TCP/IP profile.

The GLOBALCONFIG ZERT | NOZERT parameter turns zERT in-memory monitoring on and off (the default value is NOZERT).
The SMGCONFIG ZERTDETail | NOZERTDETail parameter enable and disables writing of SMF 119 subtype 11 (zERT Connection Detail) records to the System Management Facility (SMF) (the default value is NOZERTDETAIL).
The NETMONITOR ZERTSERvice | NOZERTSERvice parameter enables and disables writing of SMF records to the zERT real-time NMI service (the default value is NOZERTSERVICE).

You should note that the zERT discovery function is enabled independently of the destinations to which records are written. All parameters can be dynamically enabled or disabled. You can configure all these parameters through the z/OSMF-based Configuration Assistant for Communications Server under the TCP/IP profile perspective.

The following facilities are updated to report on the new zERT-related configuration parameters:

NETSTAT CONFIG command
SMF 119 subtype 4 (TCP/IP profile event) record
Callable NMI (EZBNMIFR) GetProfile function

Realtime zERT discovery network monitoring service

The new SYSTCPER NMI service makes zERT 119 SMF zERT Connection Detail (subtype 11) records available to network management applications as they are generated. SYSTCPER uses the same programming model as SYSTCPCN (TCP connection service). For more details, see the z/OS Communications Server: IP Programmer’s Guide in the IBM Knowledge Center.

SMF 119 subtype 11 "zERT Connection Detail" record
zERT connection detail records are written to record the cryptographic protection history of individual TCP application and Enterprise Extender connections. Subtype 11 records are written for six different events:

Cryptographic protection attributes at connection initiation (zERT Connection Init)
Change to the connection's cryptographic protection attributes (zERT Change)
Cryptographic protection attributes at connection termination (zERT Connection Term)
Cryptographic protection attributes at the termination of a short-lived connection (zERT Short Connection Term). In this case, there is no associated zERT Connection Init record for the subject connection. A connection is considered short-lived if it lasts less than 10 seconds.
zERT function enabled (zERT Enabled)
zERT function disabled (zERT Disabled)

The format of the zERT connection detail record is the same for all event types. The general layout of this record is illustrated in the graphic at the top of this blog entry. The record will contain zero or more cryptographic protocol-specific sections (TLS/SSL, IPSec, and SSH) depending on what cryptographic protocols were used to protect that subject connection. For example:

A cleartext connection will have zero cryptographic protocol-specific sections.
A connection that is protected by TLS only will have a single TLS-specific section.
A connection that is protected by both SSH and IPSec will have sections for each of those cryptographic protocols.

It is very important to note that zERT does not collect, store, or record the values of secret keys, initialization vectors, or any other secret values that are negotiated or derived during cryptographic protocol handshakes.

For a detailed description of the zERT Connection Details (SMF 119 subtype 11) record, see the z/OS Communications Server: IP Programmer’s Guide in the IBM Knowledge Center.

IBM Connect:Direct corequisite APAR

If you are an IBM Connect:Direct customer and you use the Secure Plus feature to protect your z/OS Connect:Direct traffic with TLS/SSL, then you will need to apply Connect:Direct APAR PI77316 to ensure that zERT properly monitors the Connect:Direct TLS/SSL-protected connections. Without this APAR, zERT will always report Connect:Direct traffic as being unprotected.

IBM Security zSecure Audit v2.3
IBM Security zSecure Audit V2.3 provides reporting of SMF 119 subtype 11 records and can feed them to SIEMs like QRadar.

With zERT, a z/OS network administrator can discover and audit the network encryption attributes associated with TCP and Enterprise Extender traffic by analyzing new SMF records.

For more details of zERT discovery, see the z/OS Communications Server: New Function Summary in the IBM Knowledge Center.

Modified on by SamReynolds

zERT | Is your z/OS network traffic properly protected? zERT to the rescue!

FloraGui Tags: security encryption function v2r3 zert new ‎ 896 Views

100-second glimpse of zERT: http://ibm.biz/zerttotherescue

Learn about zERT details on IBM Knowledge Center: zERT discovery / zERT aggregation

With the increasing number of corporate, industry, and government regulations regarding cryptographic protection of data in flight, as well as discoveries of weaknesses in existing cryptographic protocols and algorithms, it is very important for z/OS® administrators and auditors to be able to assess the quality of the cryptographic network protection being applied to their key z/OS workloads.

Currently, z/OS provides 4 mechanisms for cryptographic protection of TCP/IP traffic:

TLS/SSL direct usage
Application Transparent TLS (AT-TLS)
Virtual Private Networks using IPSec and IKE
Secure Shell using z/OS OpenSSH

However, the 4 mechanisms vary widely in protocol, configuration methods, and audit and log records. Given these variations, it can be difficult to clearly understand the overall state of cryptographic network protection for your z/OS system.

This all leads to the question: how do you effectively ensure that your z/OS network traffic is properly protected?

Don't worry, zERT is here to the rescue!

z/OS Encryption Readiness Technology, known as zERT, positions the z/OS TCP/IP stack as a central collection and reporting point for the cryptographic protection attributes for TLS, SSL, SSH and IPSec security sessions that are protecting TCP and Enterprise Extender connections that terminate on the local stack.

zERT is designed for z/OS network security administrators. Two methods are used to discover the security sessions and their attributes:

Stream observation (for TLS, SSL and SSH) - the TCP/IP stack observes the protocol handshakes as they flow over the TCP connection
Advice of the cryptographic protocol provider (z/OS System SSL, z/OS OpenSSH, z/OS TCP/IP's IPsec support)

The cryptographic attributes are reported through new SMF 119 records via SMF and/or new real-time NMI services.

To help you better monitor cryptographic network protection, we are happy to present two features of zERT: zERT discovery and zERT aggregation.

zERT discovery is available with z/OS V2R3. With zERT discovery, attributes are collected and recorded at the connection level. These attributes are provided in SMF 119 subtype 11 "zERT Connection Detail" records. These records describe the cryptographic protection history of each TCP and EE connection. At least one record is written for every such connection, so the number of subtype 11 records could be quite large in some environments.

zERT aggregation was introduced in March 2018 via new function APAR PI83362. With zERT aggregation, attributes collected by zERT discovery are aggregated by security session. These attributes are provided in SMF 119 subtype 12 "zERT Summary" records. These records describe the repeated use of security sessions over time. Aggregation can greatly reduce the volume of SMF records while maintaining the fidelity of the information, which is well suited for reporting applications.

With zERT discovery and aggregation in place, more advanced capabilities for analyzing z/OS network cryptographic protection become possible. For example, IBM Security zSecure Audit V2.3 already supports zERT Connection Detail records, providing the ability to search and display the records based on a variety of query criteria.

Watch this space for more articles about zERT – they will be coming your way soon!

A glimpse at new capabilities available with z/OS V2R3 Communications Server

Erin Zhang Tags: v2r3 comm apar new function server ‎ 492 Views

Still exploring z/OS V2R3 Communications Server new functions released in September 2017? Our team has never stopped improving it to ensure unmatched availability, scalability, and security to meet your business challenges.

Come and check out three new function APARs available in March 2018. We provide much more now!

Security enhancements

z/OS Encryption Readiness Technology (zERT) aggregation

z/OS V2R3 Communications Server introduced a brand new solution called z/OS Encryption Readiness Technology (zERT) to discover the network encryption attributes for each TCP and Enterprise Extender connection. This video, z/OS Encryption Readiness Technology to the Rescue, provides an overview of what zERT can do for your business.

With APAR PI83362, the zERT aggregation function is introduced to bring more benefits:

Summarizes the repetitive use of security sessions over time
Retains the key details about the network encryption attributes
Greatly reduces the number of zERT SMF records in many cases

With zERT, the TCP/IP stack acts as a focal point in collecting and reporting the cryptographic security attributes of IPv4 and IPv6 TCP and Enterprise Extender traffic that is protected using the TLS/SSL, SSH, or IPSec cryptographic network security protocols. The collected connection level data is written to SMF in SMF 119 subtype 11 records.

In certain environments, the volume of SMF 119 subtype 11 records can be large. The zERT aggregation function provides an alternative SMF view of the collected security session data. This alternate view is written in the form of new SMF 119 subtype 12 records that summarize the use of security sessions by many application connections over time and which are written at the end of each SMF interval. This alternate view condenses the volume of SMF record data while still providing all the critical security information.

Quick links:

Security enhancements

TN3270E Telnet server Express Logon Feature support for Multi-Factor Authentication

z/OS V2R3 Communications Server, with APAR PI85185, RACF APAR OA53002, and IBM MFA for z/OS APARs PI86470 and PI93341, extends the TN3270E Telnet server Express Logon Feature (ELF) to support IBM Multi-Factor Authentication (MFA) for z/OS.

With this support, TN3270 clients can experience the same single sign-on behavior that is already offered by the PassTicket-based ELF, but now via an MFA token that is assigned by a SAF-compliant external security manager like IBM Security Server RACF. With the new EXPRESSLOGONMFA parameter in the TN3270E Telnet server profile, ELF attempts to authenticate clients by using their X.509 client certificate through MFA. If no MFA token is available for the user, the authentication fails by default. ELF can be configured to revert back to PassTicket authentication in certain cases where MFA authentication is unsuccessful.

Note: This new function is also available in V2R1 and V2R2 via the same APARs.

Dependencies:

IBM Security Server RACF APAR OA53002
IBM Multi-Factor Authentication for z/OS APARs PI86470 and PI93341

Quick links:

Usability improvements

HiperSockets Converged Interface support

z/OS V2R3 Communications Server, with APARs PI83372 and OA53198, provides the HiperSockets Converged Interface (HSCI) solution to support the z/VM bridge environment. With this solution, a Linux guest can connect to z/OS via Layer 2 HiperSockets and to the external network by using a single IP interface.

You will benefit from this new function in the following aspects:

Significantly improves HiperSockets usability by dynamically provisioning and activating a HiperSockets interface when an OSD interface is activated for the same physical network ID (PNetID).
Greatly reduces the network administration costs as HiperSockets interfaces no longer are required to be configured, operated, or managed in z/OS Communications Server. This solution allows a single IP interface (OSD) to provide access to the external Ethernet LAN and transparent access to HiperSockets for LPAR to LPAR communications within the central processor complex (CPC). This single HiperSockets converged interface is also referred to as an IQDC interface.
Eliminates the need to reconfigure z/OS HiperSockets interfaces when moving a z/OS instance from one CPC to another.

Incompatibilities:

This function does not support IPAQENET interfaces that are defined by using the DEVICE, LINK, and HOME statements. Convert your IPAQENET definitions to use the INTERFACE statement to enable this support.
This function also requires the virtual MAC (VMAC) operand be specified on your IPAQENET interfaces to request OSA-generated VMACs.

Dependencies:

This function minimally requires a zEnterprise EC12 (zEC12).
This function requires an Internal Queued Direct I/O (IQD) channel path ID (CHPID) configured with the external bridge function.

Quick links:

Bookmark the z/OS Communications Server V2R3 New Function APAR Summary page to keep track of more new function APARs to come.

Modified on by SamReynolds

Winter 2018 SHARE Conference Wrap-up

SamReynolds ‎ 753 Views

The Winter 2018 SHARE Conference came to a close on Friday. Five speakers from the Enterprise Networking Solutions organization presented 23 sessions on z/OS Communications Server and 3 on ISPF, including two-part hands-on labs for the IBM Configuration Assistant for z/OS CS, and the ISPF editor. We also participated in a panel session where our attendees brought in a number of great questions for discussion.

Given the recent delivery of z/OS V2R3, we provided a look at the CS and ISPF changes in z/OS V2R3, including functions like the new z/OS Encryption Readiness Technology (zERT). And of course, there was plenty of discussion of already available functions like Shared Memory Communications-Direct Memory Access (SMC-D), Enterprise Extender, sysplex technologies, network security, and the IBM Configuration Assistant for z/OS CS. We would like to thank all of you who attended our sessions for the great feedback and dialogue.

For those that couldn't be at the conference, note that you can download most of the charts for the topics we presented by going to the following link:

http://events.share.org/Winter2018/Public/sessions.aspx

Please plan to join us for the Summer 2018 SHARE Conference in St. Louis, Missouri, August 12-17, 2018.

z/OS Communications Server sessions at the 2018 Winter SHARE conference in Sacramento

Erin Zhang ‎ 817 Views

The winter 2018 SHARE conference is March 11-16 in the Sacramento convention center. As always, there will be a good selection of content focused on z/OS Communications Server, including the following sessions from our Comm Server team in Research Triangle Park, NC.


	How can I tell how (or if) my z/OS network traffic is being encrypted? zERT to the rescue! z/OS Communication Server IPSec and IP Packet Filtering z/OS Communications Server Application Transparent TLS z/OS Communications Server Network Security Overview z/OS Communications Server Free-for-All

	z/OS Communications Server: Technical Update, Part 1 of 2 z/OS Communications Server: Technical Update, Part 2 of 2 Sysplex and Network Technologies and Considerations IBM z/OS Communications Server: Shared Memory Communications (SMC) Dynamic Deployment of z/OS TCP/IP Resources at the Speed of Cloud z/OS Communications Server Free-for-All

	Getting the Most Out of Your OSA Adapter with z/OS Communications Server z/OS Communications Server performance: Optimizing your network encryption with z14 Understanding z/OS Communication Server Storage Usage z/OS Communications Server Free-for-All

	IP Routing on z/OS: The Basics; Part 1 of 2 IP Routing on z/OS: Dynamic Routing; Part 2 of 2 TCP/IP Stack Configuration with Configuration Assistant for z/OS CS Lab: TCP/IP Stack Configuration with Configuration Assistant for z/OS V2R3 CS, Part 1 of 2 Lab: TCP/IP Stack Configuration with Configuration Assistant for z/OS V2R3 CS, Part 2 of 2 z/OS Communications Server Free-for-All

	z/OS Communications Server: Technical Update, Part 1 of 2 z/OS Communications Server: Technical Update, Part 2 of 2 SNA: Dead or Alive? Enterprise Extender and the Current State of SNA Introduction to IBM z/OS FTP z/OS Communications Server Free-for-All ISPF Hidden Treasures and Recent Updates Lab: ISPF Editor - Beyond the Basics - Part 1 of 2 Lab: ISPF Editor - Beyond the Basics - Part 2 of 2

We hope to see you there!

Modified on by Erin Zhang

z/OS Communications Server Information Experience Questionnaire

Erin Zhang ‎ 2,335 Views

The z/OS Communications Server team continues to improve your information experience with our product. Your answers to this brief survey will be very helpful in enhancing our channels and deliverables to meet your needs.

This survey will only take a few minutes. Your anonymous responses will only be used to help us understand and enhance your information experience with z/OS Communications Server. If you have any questions about the survey, please send an email to comsvrcf@us.ibm.com.

Click the survey link to provide feedback: https://ibm.biz/BdjeQX

Thank you very much for your time and suggestions. We really appreciate your input!

Modified on by SamReynolds

What's new in z/OS V2R3 Communications Server?

Erin Zhang ‎ 3,474 Views

IBM Z, the next generation of the world’s most powerful transaction system, introduces a breakthrough encryption engine that, for the first time, makes it possible to pervasively encrypt data associated with any application, cloud service or database all the time.

IBM z14 and z/OS V2R3 provide a simple and consumable approach to help customers keep applications and data available, system resources secure, server utilization high, and programming environments adaptable while maintaining compatibility for existing applications.

This is an overview of selected enhancements that are provided by z/OS V2R3 Communications Server that helps build the next-generation infrastructure with high-speed connectivity, availability, and security.

Enhanced security and data protection

z/OS Encryption Readiness Technology

In z/OS V2R3, Communications Server includes z/OS Encryption Readiness Technology (zERT) to help z/OS administrators to determine which TCP and Enterprise Extender (EE) traffic patterns to and from their z/OS systems meet approved encryption criteria and which do not.

Using zERT, you have a single source of information to determine which traffic is cryptographically protected and which is not. For the traffic that is cryptographically protected, you can determine which cryptographic protocol is used, which cryptographic algorithms are used, the length of the cryptographic keys, and other important attributes of the cryptographic protection. This information is valuable for determining regulatory compliance and for identifying connections that might need stronger cryptographic protection.

With zERT, two new types of z/OS System Management Facility (SMF) records can be collected to build a record of the cryptographic protection of all TCP and EE connections:

zERT connection detail records provide a complete cryptographic protection history for each TCP and EE connection as that protection is applied.
zERT summary records summarize, at regular intervals, the repetitive use of security sessions between each client and server.

You can also decide which of these records are recorded to SMF or are made available through a new real-time service for network management applications. Note that support for zERT summary records is planned as a post-GA deliverable in first quarter 2018 with the PTF for APAR PI83362.

AT-TLS currency with System SSL

The Application Transparent TLS (AT-TLS) support in z/OS Communications Server is updated to support new System SSL functions, including updated NIST and IETF standards for encryption algorithms, use of keys and certificates, and Online Certificate Status Protocol updates.

Simplification, usability, and skills

Configuration Assistant: Import of existing TCP/IP configuration

With the enhanced TCP/IP technology in Configuration Assistant for z/OS Communications Server, you can import your current TCP/IP stack profiles into the Configuration Assistant, to help you transition to using the Configuration Assistant for your TCP/IP profile management. This support is also available on z/OS V2R2 with the PTF for Configuration Assistant APAR PI66143 and with the PTF for z/OS Communications Server APAR PI63449.

Configuration Assistant: TCP/IP dynamic reconfiguration using change sets

With the Configuration Assistant for z/OS Communications Server, you can dynamically change an active TCP/IP stack configuration by generating the required VARY OBEY member. This support is also available on z/OS V2R2 with the PTF for Configuration Assistant APAR PI80101.

HiperSockets L2 and z/VM bridge support

z/OS V2R3 Communications Server plans to include HiperSockets Converged Interface (HSCI) support as a post-GA deliverable in first quarter 2018 with the PTFs for APARs OA53198 and PI83372. HSCI support provides the following benefits:

Linux on z Systems layer 2 and z/VM VSwitch bridge compatibility

With the z/VM VSwitch bridge support, Linux guests can configure a single IP interface for HiperSockets (HS), providing both internal CPC and external LAN communications. The current z/OS HS support only provides layer 3 connectivity, which is incompatible with this Linux and z/VM environment. The new z/OS V2R3 HSCI support resolves this issue by providing compatibility for both HS layer 2 and Linux guests using HS with the z/VM VSwitch bridge.

Improved ("hands free") HS usability for z/OS environments

HSCI transparently "converges" an HS interface with your OSA interface, providing transparent and dynamic usage of HS. You can benefit from the following HSCI enhancements:

As a z/OS network administrator, to get access to HS, you don't need to configure, provision, or operate an HS interface
A z/OS instance can be relocated to another CPC without making any HS definition changes or taking any operator actions to access HS on the new CPC. Your external LAN is re-created within each CPC providing a single seamless LAN topology within your data center. When your OSA interface is restarted on the new z/OS location, your HSCI is dynamically re-established.

Systems management

Enhanced wildcard support for jobname on PORT and PORTRANGE statements

z/OS V2R3 Communications Server enhances the wildcard support for the jobname parameter on the PORT and PORTRANGE TCP/IP configuration statements. Asterisks can be used in any position to indicate zero or more unspecified characters. The question mark can be used in any position to indicate a single unspecified character.

Communications Server support for enhanced system symbols

z/OS Communications Server supports enhanced system symbols: TCP/IP profile, System Resolver, OMPROUTE, CSSMTP, VTAMLST, and other networking configuration files that support z/OS system symbols can use z/OS system symbols that contain underscores.

Hardware support

Shared Memory Communications - Direct Memory Access

z/OS V2R3 provides new support for fast, low-latency TCP/IP traffic between LPARs within a CPC by using the Shared Memory Communications - Direct Memory Access (SMC-D) software protocol over firmware-provided Internal Shared Memory (ISM) devices. SMC-D provides substantial performance, throughput, response time, and CPU consumption benefits compared to standard TCP/IP communications over HS. This support is also available on z/OS V2R2 with the PTFs for APARs OA48411 and PI45028.

Support for new IBM z14 network interface updates

z/OS V2R3 Communications Server provides support for the new OSA-Express6S and RoCE Express2 adapters. z/OS V2R2 and V2R3 support is also provided for both adapters with PTFs.

Scalability and performance

Improved control over default VTAM VIT options

In z/OS V2R3, Communications Server provides a new VTAM start option that enables improved user control of the default VTAM Internal Trace (VIT) options. Previously, a set of VIT options (API, PIU, SSCP, NRM, MSG, and CIO) was always active and could not be disabled. With the VITCTRL start option, you can enable a new "VIT control" mode to enable or disable any VIT option independently. While this capability is provided, IBM still recommends that the standard VIT options remain enabled to provide first-failure data capture capability for problem diagnosis. This VIT control capability is also available on z/OS V2R1 and z/OS V2R2 with the PTF for APAR OA50271.

Improved scalability for Sysplex-wide Security Associations (SWSA)

z/OS V2R3 increases capacity for simultaneous IPSec tunnels in a sysplex by increasing the amount of sysplex-wide security association data that can be stored in the EZBDVIPA coupling facility structure, allowing up to 16,384 lists to be configured.

Application development

IPv6 getaddrinfo() API standards compliance

The getaddrinfo (BPX1GAI/BPX4GAI) API in z/OS Communications Server is updated in z/OS V2R3. The new enhancement allows the Resolver to return both IPv4 and IPv6 addresses under certain conditions. The updates are intended to comply with RFC 3493 and the Single UNIX specification version 3.

Sendmail to CSSMTP bridge

In z/OS V2R3, the sendmail daemon is removed from z/OS, but a new sendmail to CSSMTP bridge is designed to provide a compatible subset of sendmail functions so that z/OS UNIX users can still use the sendmail command to send mail messages with the CSSMTP application. The sendmail to CSSMTP bridge is also available on z/OS V2R1 and z/OS V2R2 with the PTF for APAR PI71175.

For more information about what's new in z/OS V2R3 Communications Server, see z/OS V2R3 Communications Server: New Function Summary.

All statements regarding IBM's plan, directions, and intent are subject to change or withdrawal without notice.

Modified on by SamReynolds

Summer 2017 SHARE Conference Wrap-up

SamReynolds ‎ 3,243 Views

The Summer 2017 SHARE Conference was a great educational event! Five speakers from the Enterprise Networking Solutions organization presented 18 sessions on z/OS Communications Server and 3 on ISPF, including two-part hands-on labs for the IBM Configuration Assistant for z/OS CS, and the ISPF editor. We also participated in a panel session where our attendees brought in a number of great questions for discussion (and we provided a few of our own).

Given the recent availability announcement of z/OS V2R3, we were able to provide a look at the CS and ISPF changes planned for z/OS V2R3, including functions like the new z/OS Encryption Readiness Technology (zERT). And of course, there was plenty of discussion of already available functions like Shared Memory Communications-Direct Memory Access (SMC-D), Enterprise Extender, sysplex technologies, network security, z/OS CS performance, and the IBM Configuration Assistant for z/OS CS. We would like to thank all of you who attended our sessions for the great feedback and dialogue.

For those that couldn't be at the conference, note that you can download most of the charts for the topics we presented by going to the following link:

http://events.share.org/Summer2017/Public/Sessions.aspx

Please plan to join us for the Winter 2018 SHARE Conference in Sacramento, California, March 11-16, 2018.

z/OS CS at the Summer 2017 SHARE Conference in Providence

SamReynolds ‎ 3,069 Views

The Summer 2017 SHARE Conference is in Providence, Rhode Island next week (August 6th - 11th). As always, there will be a good selection of content focused on z/OS Communications Server, including the following sessions from five of our CS team here in Research Triangle Park, NC:

z/OS Communications Server Technical Update, Part 1 of 2 (Gus Kassimis and Sam Reynolds)
z/OS Communications Server Technical Update, Part 2 of 2 (Gus Kassimis and Sam Reynolds)
IBM z/OS Communications Server: Shared Memory Communication (Gus Kassimis)
Dynamic Deployment of z/OS TCP/IP Resources at the Speed of Cloud (Gus Kassimis)
Sysplex and Network Technologies and Considerations (Gus Kassimis)
TCP/IP Stack Configuration with Configuration Assistant for z/OS (Mike Fox)
Lab: TCP/IP Stack Configuration with Configuration Assistant for z/OS V2R2 CS, Part 1 of 2 (Mike Fox)
Lab: TCP/IP Stack Configuration with Configuration Assistant for z/OS V2R2 CS, Part 2 of 2 (Mike Fox)
SNA: Dead or Alive? Enterprise Extender and the Current State of SNA (Sam Reynolds)
Introduction to IBM z/OS FTP (Sam Reynolds)
z/OS CS Network Security Overview (Chris Meyer)
z/OS Communications Server Application Transparent TLS (Chris Meyer)
Determining who's using what network encryption on your z/OS system: zERT is coming! (Chris Meyer)
Getting the Most Out of Your OSA Adapter with z/OS Communications Server (Dave Herr)
z/OS Communications Server Performance - Updates and Recommendations (Dave Herr)
Understanding z/OS Communications Server Storage Usage (Dave Herr)
Introduction to Networking Diagnostics (Mike Fox)
IP Routing on IBM z/OS (Mike Fox)
z/OS Communications Server Free-for-All (Mike Fox, Dave Herr, Gus Kassimis, Chris Meyer, and Sam Reynolds)

Linda Harrison from the Washington Systems Center will be presenting sessions on several CS-related topics:

z/OS Communications Server Security Using Policy Agent
HiperSockets: Capabilities, z/OS Config, Comparison to OSA, RoCE and SMC-D, and Routing to Linux on z
Lab: Encryption Using Configuration Assistant for z/OS V2R2, Part 1 of 2
Lab: Encryption Using Configuration Assistant for z/OS V2R2, Part 2 of 2

Lastly, I will be presenting the following ISPF topics:

ISPF Hidden Treasures and Recent Updates
Lab: ISPF Editor - Beyond the Basics - Part 1 of 2 (with Tom Conley and Liam Doherty)
Lab: ISPF Editor - Beyond the Basics - Part 2 of 2 (with Tom Conley and Liam Doherty)

We hope to see you there! For those that can’t join us, I’ll be tweeting (IBM_Commserver on Twitter) throughout the week.

z/OS Communications Server: Social Media Channels

Erin Zhang ‎ 5,083 Views

Get connected with z/OS Communications Server, ISPF, and Multi-site Workload Lifeline!

The Communications Server team continues to build and expand the content we offer over social media outlets. Follow our online discussions, find online presentations, and participate in online virtual Q&A sessions. You can find us on the following venues:

zOSCommServer

@IBM_Commserver

z/OS Communications Server

You can find Chinese contents in the following venues:

Weibo/CommServer中国

WeChat/CommServer中国

Youku/CommServer中国

DeveloperWorks/CommServer中国

Modified on by SamReynolds

New Features in z/OS V2R2 Communications Server

Erin Zhang ‎ 4,869 Views

What's New in z/OS V2R2 Communications Server?

Throughout the journey to the new digital enterprise, z/OS network capability supports a fully featured Communications Server with integration of SNA and TCP/IP protocols, making the mainframe a large server capable of serving worldwide clients simultaneously. Through its unique design and qualities of service, z/OS Communications Server offers unmatched availability, scalability, and security to meet the emerging business challenges of cloud, data analytics, and the security demands of mobile and social applications.

This page provides an overview of selected enhancements that are provided by z/OS V2R2 Communications Server.

Capture the potential of the mobile enterprise via scalability, economics, and platform efficiency

In the new competitive market, it is essential for you to understand customer sentiment, analyze information for more targeted insights, conduct transactions with a mobile device, and serve customers across the globe. In z/OS V2R2, enhancements to Communications Server can help you reduce the time to respond, even more critical in the new mobile landscape. Communications Server delivers improved scalability and performance for outstanding throughput and service within your existing environment. Smarter scalability can better prepare you to handle growth and spikes in workloads while maintaining the qualities of service at the same time.

Shared Memory Communications over RDMA adapter (RoCE) virtualization

The enhanced Communications Server support for RDMA over converged Ethernet (RoCE), which is designed to reduce communications latency and lower CPU cost for many workloads, now can deliver improved economics with as many as 31 z/OS images that share each RoCE adapter. It also supports selecting between TCP/IP and RoCE transport layer protocols automatically based on traffic characteristics, and MTU sizes up to 4K for RoCE adapters.

This enhancement requires IBM z13 or later systems, and is also available with the PTF for APARs OA44576 and PI12223 on z/OS V2R1.

SMC Applicability Tool (SMCAT)

In z/OS V2R2, the SMC Applicability Tool provides the capability to evaluate TCP/IP network traffic for potential applicability for exploiting SMC-R. SMCAT can be utilized without requiring enablement of the SMC-R function on any system or requiring any special hardware. You can use SMCAT to monitor a TCP/IP stack for a set of configured destination IP addresses or subnets, and to provide a report in the TCP/IP stack job log. The report provides details of the amount of TCP workload that can potentially use SMC-R if SMC-R is available.

This monitoring tool is also available on z/OS V2R1 with the PTF for APAR PI29165 and z/OS V1R13 with the PTF for APAR PI27252.

64-bit enablement of the TCP/IP stack

By enabling the TCP/IP stack and its strategic device drivers (including OSA-Express QDIO, HiperSockets, and RoCE) to utilize 64-bit (above the bar) storage, a substantial inhibitor to workload growth is relieved. These z/OS V2R2 Communications Server enhancements provide performance improvements and virtual storage constraint relief by significantly reducing ECSA use.

Enhanced Enterprise Extender scalability

z/OS V2R2 Communications Server improves the scalability of Enterprise Extender connections. Internal optimizations are intended to improve performance for installations with thousands of Enterprise Extender connections per LPAR.

Enhanced IKED scalability

z/OS V2R2 Communications Server provides increased scalability by improving the Internet Key Exchange daemon (IKED) to concurrently negotiate IPSec tunnels with a large number of remote IKE peers. This enhancement significantly reduces the amount of time needed to establish a large number of IPSec tunnels, while also reducing CPU utilization.

Increase single stack DVIPA limit to 4096

z/OS V2R2 Communications Server supports an increased number of application-instance dynamic virtual IP addresses (DVIPAs) for a single TCP/IP stack, raising the previous limit of 1024 to 4096. With this enhancement, up to 4096 application instance DVIPAs that are defined by VIPARANGE statements can be defined on a single TCP/IP stack. This improves scalability within a Parallel Sysplex, particularly when the sysplex is operating with a smaller number of systems than usual, as might be the case during planned outages for one or more LPARs.

VIPAROUTE fragmentation avoidance

z/OS V2R2 Communications Server enhances its support for VIPAROUTE by automatically adjusting the TCP Maximum Segment Size (MSS) for each IPv4 route to prevent fragmentation within the sysplex. This new support simplifies VIPAROUTE configuration and helps improve VIPAROUTE performance by eliminating packet fragmentation issues that can arise for some routes.

This enhancement is also available on z/OS V2R1 with the PTF for APAR PI39519.

TCP autonomic tuning enhancements

z/OS V2R2 Communications Server offers new autonomic features to provide for smarter self-monitoring and tuning of the TCP/IP stack, with a focus on performance-related functions such as dynamic right sizing (DRS) and delayed acknowledgements (DELAYACKs). The enhancements are based on real-time data and can improve overall performance of TCP connections.

Security

Today's enterprise environment accesses data from many untrusted network sources, such as from mobile devices, social computing sites, and new cloud environments. Therefore, security of critical information assets remains a top priority, including defending your networks, protecting your data, and authenticating users and business partners. z/OS V2R2 Communications Server can help you meet this security challenge by strengthening the use of z/OS as a secured networking hub that helps protect your most valuable information, and helps you to develop innovative applications while reducing operational risk.

AT-TLS certificate processing enhancements

z/OS V2R2 Communications Server enhances Application Transparent Transport Layer Security (AT-TLS) to support new System SSL enhancements for OCSP (online certificate status protocol), CRL retrieval over HTTP and LDAP, and certificate validation as described by RFC 5280.

TLS session reuse support for FTP and AT-TLS applications (AT-TLS)

With SSL sessions enabled to be reused across different TCP ports in z/OS V2R2, Communications Server provides FTP support to enable new data connections to reuse associated SSL sessions for better compatibility, security, and performance with compatible FTP servers and clients. This enhancement is available for System SSL users and for both AT-TLS and native SSL users of FTP.

Simplified access permissions to ICSF cryptographic functions for IPSec

z/OS V2R2 Communications Server is enhanced to help simplify security configuration for IPSec. You are no longer required to permit all network applications that are sending or receiving IPSec protected traffic to the relevant SAF resources in the CSFSERV class. Only the user ID that is associated with the TCP/IP stack must be permitted to those SAF resource profiles.

TCP/IP profile IP security filter enhancements

With z/OS Communications Server, you can define a set of limited default IP filters in the TCP/IP Profile to help you protect the TCP/IP stack during initialization before Policy Agent installs an IPSec policy. In z/OS V2R2, you can specify additional default filter parameters, including source and destination address ranges, and source and destination port ranges. This enhancement enables greater flexibility in configuring the default filter rules.

Simplification and usability

IBM continues to simplify z/OS administration and management, and extends the reach of your existing skills. By improving administrative ease, the Configuration Assistant for z/OS Communications Server can help your company gain quality and productivity improvements while reducing opportunities for error.

TCP/IP stack configuration with Configuration Assistant for z/OS Communications Server

As a valuable tool for configuring policy-based networking functions such as AT-TLS, IPSec, and Intrusion Detection Services, z/OS V2R2 Communications Server further extends its functions in Configuration Assistant. With an entirely new discipline, you can now configure TCP/IP profiles with an integrated graphical interface and wizard-driven help. These new functions, which build on existing capabilities for the policy agent, can make it faster and easier to create and maintain TCP/IP configurations.

With the PTFs for APARs PI66143 and PI63449, Configuration Assistant also provides a function to import existing TCP/IP profile data.

Availability and business resilience

Activate Resolver trace without restarting applications

z/OS Communications Server includes a Trace Resolver function to provide a variety of diagnostic information that can be used by application programmers and network administrators. In z/OS V2R2, Communications Server provides a new component trace (CTRACE) option to capture the same information recorded by the Trace Resolver in CTRACE records, and to view formatted trace data using IPCS. With this new function, you can dynamically enable and disable tracing without an application restart.

Reordering of cached resolver results

On systems where the system resolver cache has been implemented, z/OS V2R2 Communications Server can help improve load balancing by allowing you to request system-wide round-robin reordering of the IP address lists associated with each cached host name.

Standards and statements of direction

z/OS V2R2 Communications Server supports a number of capabilities intended to make it meet the requirements of the United States National Institute of Standards and Technology (NIST) Special Publication SP800-131A.
IBM plans to further extend the capabilities of the Configuration Assistant for z/OS Communications Server, a plug-in for z/OSMF, in z/OS V2R2. Additional planned enhancements will be designed to support making dynamic configuration changes to an active TCP/IP configuration.
z/OS V2R2 is planned to be the last release to include the Trivial File Transfer Protocol Daemon (TFTPD) function in z/OS Communications Server.
As previously announced in Hardware Announcement 114-009, dated February 24, 2014, the Simple Mail Transport Protocol Network Job Entry (SMTPD NJE) Mail Gateway and Sendmail mail transports are planned to be removed from z/OS. IBM now plans for z/OS V2R2 to be the last release to include these functions. If you use the SMTPD NJE Gateway to send mail, IBM recommends that you use the existing CSSMTP SMTP NJE Mail Gateway instead. In that same announcement, IBM announced plans to provide a replacement program for the Sendmail client that would not require programming changes. Those plans have changed, and IBM now plans to provide a compatible subset of functions for Sendmail in the replacement program and to announce those functions in the future. Programming changes or alternative solutions to currently provided Sendmail functions might be required. No replacement function is planned in z/OS Communications Server to support using SMTPD or Sendmail as a (SMTP) server for receiving mail for delivery to local TSO/E or z/OS UNIX System Services user mailboxes, or for forwarding mail to other destinations.
- To help you plan for migration to CSSMTP functions for sending SMTP mail and to other solutions for receiving SMTP mail, z/OS V2R2 Communications Server includes migration health checks designed to help you determine whether the mail functions planned to be withdrawn are in use. Also, z/OS V2R2 Communications Server provides a test mode for CSSMTP along with a utility program that copies JES email job output to both CSSMTP and SMTPD, allowing the two daemons to be run simultaneously. When run in this mode, CSSMTP is designed only to log errors while SMTPD continues to serve as the production mail program.

For more information about what's new in z/OS V2R2 Communications Server, see z/OS V2R2 Communications Server: New Function Summary and z/OS Communication Server V2R2 New Function APAR Summary.

All statements regarding IBM's plan, directions, and intent are subject to change or withdrawal without notice.

Modified on by SamReynolds

IBM Doc Buddy V1.3.0 available

FloraGui ‎ 2,960 Views

IBM Doc Buddy V1.3.0 is now available for download in the Apple App Store and Google Play!

IBM Doc Buddy is a mobile app which enables retrieving product error messages for IBM z Systems. Once you install this tool on your smart phone or tablet, you can search the explanation of z Systems product messages within seconds.

This release includes major search enhancements:

The app now supports online search in addition to offline search.

You can get instant search results if you are connected to the Internet. Online search is enabled by default in Settings. Thus, IBM Doc Buddy can be a perfect replacement for LookAt, the previous z/OS message tool which was sunset.

An overview of the app features is provided for first-time app users to help you get started.

After you install the app, you can have a quick glance at the handy 3-panel display to see the key features provided in IBM Doc Buddy.

Messages are added for these products: Tivoli OMEGAMON for Storage on z/OS and Tivoli OMEGAMON XE on z/VM and Linux. Our team appreciate your comments and would like to provide you with more product messages to meet your needs.

Contact our support email account sptast@cn.ibm.com if you have more questions or concerns.

More information about IBM Doc Buddy is available on https://ibmdocbuddy.mybluemix.net/. Scan the QR code to download and install the app.

Modified on by SamReynolds

Winter 2017 SHARE Conference Wrap-up

SamReynolds ‎ 3,932 Views

The Winter 2017 SHARE Conference was a great educational event! Five speakers from the Enterprise Networking Solutions organization presented 15 sessions on z/OS Communications Server, 3 on ISPF, and one on IBM Multi-Site Workload Lifeline, including two-part hands-on labs for the IBM Configuration Assistant for z/OS CS, and the ISPF editor. We also participated in a panel session where our attendees brought in a number of great questions for discussion.

Given the recent preview announcement of z/OS V2R3, we were able to provide an early look at the CS and ISPF changes planned for z/OS V2R3, including functions like the new z/OS Encryption Readiness Technology (zERT). And of course, there was plenty of discussion of already available functions like Shared Memory Communications-Direct Memory Access (SMC-D), Enterprise Extender, sysplex technologies, network security, z/OS CS performance, and the IBM Configuration Assistant for z/OS CS. We would like to thank all of you who attended our sessions for the great feedback and dialogue.

For those that couldn't be at the conference, note that you can download most of the charts for the topics we presented by going to the following link:

http://events.share.org/Winter2017/Public/sessions.aspx#

Please plan to join us for the Summer 2017 SHARE Conference in Providence, Rhode Island, August 6 - August 11, 2017.

Feed for Blog Entries Feed for Blog Comments

Blogs