z/OS Communications Server

Still exploring z/OS V2R3 Communications Server new functions released in September 2017? Our team has never stopped improving it to ensure unmatched availability, scalability, and security to meet your business challenges.

Come and check out three new function APARs available in March 2018. We provide much more now!

Security enhancements

z/OS Encryption Readiness Technology (zERT) aggregation

z/OS V2R3 Communications Server introduced a brand new solution called z/OS Encryption Readiness Technology (zERT) to discover the network encryption attributes for each TCP and Enterprise Extender connection. This video, z/OS Encryption Readiness Technology to the Rescue, provides an overview of what zERT can do for your business.

With APAR PI83362, the zERT aggregation function is introduced to bring more benefits:

• Summarizes the repetitive use of security sessions over time
• Retains the key details about the network encryption attributes
• Greatly reduces the number of zERT SMF records in many cases

With zERT, the TCP/IP stack acts as a focal point in collecting and reporting the cryptographic security attributes of IPv4 and IPv6 TCP and Enterprise Extender traffic that is protected using the TLS/SSL, SSH, or IPSec cryptographic network security protocols. The collected connection level data is written to SMF in SMF 119 subtype 11 records.

In certain environments, the volume of SMF 119 subtype 11 records can be large. The zERT aggregation function provides an alternative SMF view of the collected security session data. This alternate view is written in the form of new SMF 119 subtype 12 records that summarize the use of security sessions by many application connections over time and which are written at the end of each SMF interval. This alternate view condenses the volume of SMF record data while still providing all the critical security information.

Quick links:

• APAR PI83362
• How to enable and use the zERT aggregation function

Security enhancements

TN3270E Telnet server Express Logon Feature support for Multi-Factor Authentication

z/OS V2R3 Communications Server, with APAR PI85185, RACF APAR OA53002, and IBM MFA for z/OS APARs PI86470 and PI93341, extends the TN3270E Telnet server Express Logon Feature (ELF) to support IBM Multi-Factor Authentication (MFA) for z/OS.

With this support, TN3270 clients can experience the same single sign-on behavior that is already offered by the PassTicket-based ELF, but now via an MFA token that is assigned by a SAF-compliant external security manager like IBM Security Server RACF. With the new EXPRESSLOGONMFA parameter in the TN3270E Telnet server profile, ELF attempts to authenticate clients by using their X.509 client certificate through MFA. If no MFA token is available for the user, the authentication fails by default. ELF can be configured to revert back to PassTicket authentication in certain cases where MFA authentication is unsuccessful.

Note: This new function is also available in V2R1 and V2R2 via the same APARs.

Dependencies:

• IBM Security Server RACF APAR OA53002
• IBM Multi-Factor Authentication for z/OS APARs PI86470 and PI93341

Quick links:

• APAR PI85185
• How to enable and use this new function

Usability improvements

HiperSockets Converged Interface support

z/OS V2R3 Communications Server, with APARs PI83372 and OA53198, provides the HiperSockets Converged Interface (HSCI) solution to support the z/VM bridge environment. With this solution, a Linux guest can connect to z/OS via Layer 2 HiperSockets and to the external network by using a single IP interface.

You will benefit from this new function in the following aspects:

• Significantly improves HiperSockets usability by dynamically provisioning and activating a HiperSockets interface when an OSD interface is activated for the same physical network ID (PNetID).
• Greatly reduces the network administration costs as HiperSockets interfaces no longer are required to be configured, operated, or managed in z/OS Communications Server. This solution allows a single IP interface (OSD) to provide access to the external Ethernet LAN and transparent access to HiperSockets for LPAR to LPAR communications within the central processor complex (CPC). This single HiperSockets converged interface is also referred to as an IQDC interface.
• Eliminates the need to reconfigure z/OS HiperSockets interfaces when moving a z/OS instance from one CPC to another. 

Incompatibilities:

• This function does not support IPAQENET interfaces that are defined by using the DEVICE, LINK, and HOME statements. Convert your IPAQENET definitions to use the INTERFACE statement to enable this support.
• This function also requires the virtual MAC (VMAC) operand be specified on your IPAQENET interfaces to request OSA-generated VMACs.

Dependencies:

• This function minimally requires a zEnterprise EC12 (zEC12).
• This function requires an Internal Queued Direct I/O (IQD) channel path ID (CHPID) configured with the external bridge function.

Quick links:

• APAR PI83372
• APAR OA53198
• How to enable and use this new function

Bookmark the z/OS Communications Server V2R3 New Function APAR Summary page to keep track of more new function APARs to come.