IOCTL

Use the IOCTL command to perform control functions on sockets.

Format

Read syntax diagramSkip visual syntax diagramSOCKET("IOCTL" ,socketid,icmd ,ivalue,idata)

Parameters

socketid
The socket descriptor.
icmd
The control function. The following commands are supported:
FIONBIO
Enables or disables blocking mode. When the ivalue parameter is set to ON, the socket is set to nonblocking mode. When the ivalue parameter is set to OFF, the socket is in blocking mode. The command returns a string that contains the return code.
FIONREAD
Requests the number of bytes on the receive queue that are ready for reading. The command returns a string that contains the return code and the number of bytes that are ready for reading.
SIOCATMARK
Determines whether the current location in the input data points to out-of-band data. The command returns a string that contains the return code and YES or NO. YES indicates that there is out-of-band data.
SIOCGIFADDR
Obtains a network interface address. The ivalue parameter must specify the name of the network interface, for example, LOGETH13. The network interface name can be 1-16 characters in length. The command returns a string that contains the return code and the network interface address, which has the following format: interface domain port ipaddress.
Restriction: This function is valid only for IPv4 interfaces.
SIOCGIFBRDADDR
Obtains the network broadcast address of an interface. The ivalue parameter must specify the name of the network interface, for example, LOGETH13. The network interface name can be 1-16 characters in length. The command returns a string that contains the return code and the network broadcast address, which has the following format: Hinterface domain port ipaddress.
Restriction: This function is valid only for IPv4 interfaces.
SIOCGIFCONF
Obtains the list of the interfaces that are defined to the system. The ivalue parameter must specify the maximum number of interfaces to be returned. The command returns a string that contains the return code and a list of interfaces, which has the following format: interface domain port ipaddress
Restriction: Only IPv4 interface information is returned.
Tip: You can parse the information in the following way: 
Drop st.
l_retcode = socket("IOCTL",l_sockid,"SIOCGIFCONF",10);
parse var l_retcode l_rc l_iflist
i=0;
do until l_iflist = ""
i=i+1;
parse var l_iflist st.i.interface st.i.domain st.i.port,
st.i.address l_iflist
st.i.name = st.i.domain st.i.port st.i.address;
end;
st.0 = i;
SIOCGIFDSTADDR
Obtains the network destination address of an interface. The ivalue parameter must specify the name of the network interface, for example, LOGETH13. The network interface name can be 1-16 characters in length. The command returns a string that contains the return code and the network destination address, which has the following format: interface domain port ipaddress
Restriction: This function is valid only for IPv4 interfaces.
SIOCGIFMTU
Obtains the network MTU (maximum transmission unit) of an interface. The ivalue parameter must specify the name of the network interface, for example, LOGETH13. The network interface name can be 1-16 characters in length. The command returns a string that contains the return code, the interface name, and the numeric MTU value.
Restriction: This function is valid only for IPv4 interfaces.
SIOCGIFNAMEINDEX
Obtains a list of all interface names and device indexes that are defined to the system. This list includes loopback addresses, but excludes VIPA addresses. The command returns a string that contains the return code and a list of interfaces, which have the following format: interface_index interface_name.
Tip: You can parse the information in the following way: 
DROP st.
l_retcode = socket(“IOCTL”,1,”SIOCGIFNAMEINDEX”);
i = 0;
do until l_retcode = ‘'
    i=i+1;
    parse var l_retcode st.i.interfindex st.i.name l_retcode;
end;
SIOCGIFFLAGS
Obtains the network interface flags of an interface. The ivalue parameter must specify the link name of the interface, for example, LOGETH13. The command returns a string that contains the return code, the interface name, the flags in four hexadecimal digits, and the symbolic names of the flags.
The following string is an example of what is returned by the SIOCGIFFLAGS function: 
0 LOOPBACK 0049 IFF_UP IFF_LOOPBACK IFF_RUNNING
Restriction: This function is valid only for IPv4 interfaces.
SIOCGIFMETRIC
Obtains the network routing metric of an interface. The ivalue parameter must specify the link name of the interface, for example, LOGETH13. The command returns a string that contains the return code, interface name, and routing metric.
Restriction: This function is valid only for IPv4 interfaces.
SIOCGIFNETMASK
Obtains the network mask of an interface. The ivalue parameter must specify the interface name, for example, LOGETH13. The command returns a string that contains the return code, interface name, and a socket NAME with the network mask, for example, 0 LOFETH13 AF_INET 0 255.255.240.0.

For more information about the format of the NAME string, see How structures are represented.

Restriction: This function is valid only for IPv4 interfaces.
SIOCGIPMSFILTER
Obtains a list of the IPv4 source addresses from the stack for a specified interface and multicast group. The ivalue parameter must be a space-delimited string that contains an IPv4 multicast address, an IPv4 interface address, and the number of addresses to be returned, for example, "224.224.224.1 176.11.16.103 5". If the number of addresses to be returned is set to 0, all source filters are returned. The command returns a string that contains the return code, filter mode (either MCAST_INCLUDE or MCAST_EXCLUDE), number of IPV4 source addresses that are returned, and the IPv4 source addresses. Depending on the filter mode, source addresses are included or excluded.
The following string is an example of what is returned by the SIOCGIPMSFILTER function: 
0 MCAST_INCLUDE 2 10.11.103.1 176.11.16.103
SIOCGMSFILTER
Obtains a list of the IPv4 or IPv6 source addresses for the specified interface index and multicast group. The ivalue parameter must be a space-delimited string that contains an interface index, a socket name for the multicast address, and the number of addresses to be returned, for example, "34 AF_INET 21 224.224.224.1 5". If the number of addresses to be returned is set to 0, all source addresses are returned. The command returns a string that contains the return code, filter mode (either MCAST_INCLUDE or MCAST_EXCLUDE), the number of source addresses that are returned, and a list of the source-socket name groups.
The following string is an example of what is returned by the SIOCGMSFILTER function: 
0 MCAST_INCLUDE 1 AF_INET 21 176.11.16.103
In the example, AF_INET 12 176.11.16.103 is the source-socket name.

For more information about the format of the NAME string, see How structures are represented or the BIND or CONNECT commands.

SIOCGPARTNERINFO
Provides an interface for an application to retrieve security information about its partner. The ivalue parameter must be a space-delimited string that contains a request type and a timeout value in the range 0 – 60.

The request type is one of the following values:

  • PI_REQTYPE_CONNTYPE, CONNTYPE, C, or 0
  • PI_REQTYPE_PARTNER_USERID, USERID, U, or 1

The command returns a string that contains the return code and the output data.

The return code is either 0 or -1, with 0 indicating successful completion and -1 indicating that an error occurred.

The output data includes the following information:

  • Status

    The status indicates the type of information that is returned, which includes connection routing information that can be followed by partner user ID information. If the partner user ID information is not returned, or only the address-space user ID is returned, the appropriate user ID fields are set to 0.

  • Connection type (8 hexadecimal digits)
  • Length of the returned address-space user ID
  • Returned address space user ID
  • Length of the returned task-level user ID
  • Returned task-level user ID
  • Additional error code and the text version of the error (if the return code is -1)
The following string is an example of the output data for a successful command: 
0 3 0000000E 5 USER1 0 0
In this example, 0 is the return code, 3 is the PI_STATUS (indicating that the connection routing information and the partner user ID are returned), 0000000E is the connection routing value (indicating PI_CONNTYPE_SAME_CLUSTER, PI_CONNTYPE_SAME_IMAGE, and PI_CONNTYPE_INTERNAL), 5 is the length of the returned address space user ID, USER1 is the returned address space user ID, and 0 0 indicates that there is no task-level user ID.
If an error occurs, the output data is similar to the following example:
-1 1 0000000E 0 0 0 0 ( 73 ETIME Timer expired
In this example, -1 is the return code, 1 is the PI_STATUS (indicates that the connection routing information is returned), 0000000E is the connection routing value (indicates PI_CONNTYPE_SAME_CLUSTER, PI_CONNTYPE_SAME_IMAGE, and PI_CONNTYPE_INTERNAL), 0 0 0 0 indicates that no user ID information is returned, 73 is the error code, and ETIME Timer expired is the error description.

For more information about using the SIOCGPARTNERINFO IOCTL, see z/OS Communications Server: IP Programmer's Guide and Reference.

SIOCSAPPLDATA
Associates user-defined data with a socket descriptor. This data can be used to identify socket endpoints for network-management applications or tools such as Netstat or SMF. The ivalue parameter is a string that contains the user-defined data; it can be up to 40 bytes in length. The command returns an error code.
Guideline: The content of this field is determined by the application that owns the connection. See application-specific documentation for explanations of the layout, format, and meaning of this field. Typically, the field contains printable EBCDIC characters, although some applications might include binary data.
The application data is displayed by the following items only when the TCP connection has application data associated with it:
SIOCSIPMSFILTER
Sets the list of the IPv4 source addresses and the filter mode for an interface and multicast group. The ivalue parameter must be a space-delimited string that contains an IPv4 multicast address, an IPv4 interface address, filter mode, the number of IPv4 source addresses to be added, and the list of IPv4 source addresses, for example: 
224.224.224.1 176.11.16.103 MCAST_INCLUDE 2 48.11.16.103
		176.11.16.103
The filter mode is one of the following values:
Include
MCAST_INCLUDE, INCLUDE, I, or 0
Exclude
MCAST_EXCLUDE, EXCLUDE, E, or 1

The maximum number of source addresses is 64. If the interface address is 0.0.0.0, then the stack selects the default IPv4-multicast interface address. The command returns a string that contains the return code.

SIOCSMSFILTER
Sets a list of the IPv4 or IPv6 source addresses and the filter mode for an interface and multicast group. The ivalue parameter must be a space-delimited string that contains an interface index, the socket address name for the multicast address, the filter mode, the number of source address names, and a list of the source address names, for example: 
34 AF_INET6 56504 0 FF02::67:69 0 MCAST_INCLUDE 1 2001:10:11:103::1
The filter mode is one of the following values:
Include
MCAST_INCLUDE, INCLUDE, I, or 0
Exclude
MCAST_EXCLUDE, EXCLUDE, E, or 1

The maximum number of source addresses is 64. If the interface index is 0, then the stack selects an interface. The command returns a string that contains the return code.

For more information about the format of the NAME string, see How structures are represented.

SIOCSPARTNERINFO
The SIOCSPARTNERINFO IOCTL sets an indicator to retrieve the partner security credentials during connection setup and saves the information. In this way, an application can issue a SIOCGPARTNERINFO IOCTL without suspending the application or at least minimizing the time to retrieve the information. The ivalue parameter must be set to PI_REQTYPE_SET_PARTNERDATA, PARTNERDATA, P, or 1. The command returns a string that contains the return code.

For more information about using the SIOCSPARTNERINFO IOCTL, see z/OS Communications Server: IP Programmer's Guide and Reference.

SIOCTTLSCTL
Queries or controls Application Transparent Transport Layer Security (AT-TLS) for a TCP stream socket connection. If the socket is in blocking mode, this function blocks during the initial handshake. If the socket is in nonblocking mode, it returns the 36 EWOULDBLOCK error. See the Application Transparent TLS information in z/OS Communications Server: IP Programmer's Guide and Reference for more information.
Unless the ivalue parameter is set to QUERYONLY, the application must be mapped to an AT-TLS policy and the parameter ApplicationControlled must be set to ON. The ivalue parameter can have the following values:
QUERYONLY
Requests security information about the current socket. This request can be issued by any application, regardless of the value of the ApplicationControlled parameter. If the socket is not mapped to an AT-TLS policy and the socket is in a writable state, issuing this command causes AT-TLS to try to locate and assign a policy. The command returns a string that contains status information about the security level of the connection.
QUERYHOST
Queries the partner certificate to validate that the certificate matches the host name. The idata parameter must specify the host name. This request returns one of the following values:
0
Host name validation succeeded. The host name in the partner certificate matches the value of the idata parameter.
1
Validation status unknown. This value is returned if no partner certificate is present. This can occur for servers if client authentication is not enabled in the policy.
2
Host name validation failed. The host name in the partner certificate did not match the value of the idata parameter.
3
Host name validation failed with an unexpected gsk_validate_hostname value.
4
Host name validation failed with an unexpected gsk_decode_certificate value.
QUERYRULENAME
Queries the TTLSRule name that is mapped to the connection. This request returns the TTLSRule name or *N/A*, if no mapping exists.
QUERYGROUPACTIONNAME
Queries the TTLSGroupAction name that is mapped to the connection. This request returns the TTLSGroupAction name or *N/A*, if no mapping exists.
QUERYENVIRONMENTACTIONNAME
Queries the TTLSEnvironmentAction name that is mapped to the connection. This request returns the TTLSEnvironmentAction name or *N/A*, if no mapping exists.
QUERYCONNECTIONACTIONNAME
Queries the TTLSConnectionAction name that is mapped to the connection. This request returns the TTLSConnectionAction name or *N/A*, if no mapping exists.
QUERYSESSIONID
Obtains the session identifier for the SSL session.
QUERYSESSIONTOKEN
Obtains a token for the SSL session. The token represents the AT-TLS environment and session identifier for the secure connection.
INITCONNECTION
Initializes a secure SSL connection using the role that is defined by the Handshake parameter in the mapped policy. When this command is successful, it returns a string that contains status information about the security level of the connection.
INITCONNHSTIMEOUT
Initializes a secure SSL connection using the role that is defined by the Handshake parameter in the mapped policy. The Handshake parameter must be set to Server or ServerWithClientAuth. If the SSL handshake times out before receiving data from the client, SSL is stopped on the connection and the TCP connection remains established. Using this command is equivalent to requesting TTLS_INIT_CONNECTION and TTLS_ALLOW_HSTIMEOUT.
INITCONNECTIONWITHTOKEN
Initializes a secure SSL connection by using the role that is defined by the Handshake parameter in the mapped policy, and sets a token for the SSL session. When this command is issued successfully, it returns a string that contains status information about the security level of the connection.
The idata parameter must contain 3 input values delimited by a single space, for example, "0 1 tokenstring".
  • The first input value determines whether the TCP connection stays alive if the SSL handshake times out. A value of 0 or OFF indicates that the TCP connection does not stay alive. A value of 1 or ON indicates that the TCP connection stays alive.
  • The second input value determines whether the application requires that the SSL session ID should be reused. A value of 0 or OFF indicates the session ID is not reused. A value or 1 or ON indicates that the session ID is reused.
  • The third input value is the token for the SSL session. It represents the AT-TLS environment and session identifier for the secure connection. The token must be obtained previously by a QUERYSESSIONTOKEN call.
RESETSESSION
For a connection secured with TLSv1.2 or earlier TLS/SSL versions, resets the session ID so that it is not reused by another connection. For a connection secured with TLSv1.3, deletes all session tickets for the session so that they are not reused by another connection. When this command is successful, it returns a string that contains status information about the security level of the connection.
RESETCIPHER
Resets the cipher that is used for the secure session, updating the encryption key. For TLSv1.2 and earlier TLS/SSL versions, a renegotiation is done. If the session ID times out or has been reset, a full handshake is performed. Otherwise, a short handshake is performed.

For TLSv1.3, the encryption key is updated and a Key Update message is sent to the session partner. The message requests that the session partner also update its encryption key.

When this command is successful, it returns a string that contains status information about the security level of the connection.

RESETWRITECIPHER
For a connection secured with TLSv1.3, resets the write cipher used for the secure session, updating the encryption key. The encryption key is updated and a Key Update message is sent to the session partner. The message does not request that the session partner update its encryption key. When this command is successful, it returns a string that contains status information about the security level of the connection.
SENDSESSIONTICKET
For a connection secured with TLSv1.3, requests that the server generate and send a session ticket to the client for use resuming the session later. When this command is successful, it returns a string that contains status information about the security level of the connection.
STOPCONNECTION
Stops SSL security on the connection. The TCP connection remains established. Future sends and receives are not encrypted.
If an error occurs, the SIOCTTLSCTL function returns an error code. Unless otherwise specified in the ivalue parameter, if the command is completed, the SIOCTTLSCTL function returns a string that contains the following information:
  • Return code
  • Policy status
  • Connection status
  • Security type
  • SSL protocol
  • Negotiated cipher that can be presented in 2 bytes
  • Client user ID if available
  • FIPS status
  • Four-byte negotiated cipher
  • Four-byte negotiated TLSv1.3 key share
For example, the following string is an example of what is returned by the SIOCTTLSCTL function: 
0 5 2 2 0300 05 userid 01 0005 *NA*
In the example, 0 is the return code, 5 is the policy status, 2 is the connection status, the second 2 is the security type, 0300 is the SSL protocol, the second 05 is the negotiated cipher, userid is the user ID that is associated with the client's certificate in the SAF database, 01 is the FIPS 140 status, and 0005 is the four-byte negotiated cipher, and *NA* indicates that the key share is not applicable.
The policy status is one of the following values:
1
AT-TLS function is off. The TCP/IP address space is not enabled to support AT-TLS.
2
No AT-TLS policy is defined for the connection.
3
A policy is defined for the connection, but AT-TLS is not enabled for the connection.
4
A policy is defined for the connection, and AT-TLS is enabled for the connection.
5
A policy is defined for the connection, and both AT-TLS and the ApplicationControlled parameter are enabled for this connection.
The connection status is one of the following values:
1
The connection is not secure.
2
The connection handshake is in progress.
3
The connection is secure.
The security type is one of the following values:
0
Unknown. The connection is not secure.
1
Client.
2
Server.
3
Server with client authentication and authentication type set to PASSTHRU.
4
Server with client authentication and authentication type set to FULL.
5
Server with client authentication and authentication type set to REQUIRED.
6
Server with client authentication and authentication type set to SAFCheck.
The SSL protocol is one of the following values:
0000
Unknown. The connection is not secure.
0200
SSL Version 2.
0300
SSL Version 3.
0301
TLS Version 1.0
0302
TLS Version 1.1
0303
TLS Version 1.2
0304
TLS Version 1.3

The value FF indicates that the cipher has not been negotiated. SSL Version 2 cipher suites are 1 character. SSL Version 3 and TLS ciphers are 2 or 4 characters. The value 4X indicates that the cipher cannot be represented in 2 bytes. The 2-byte cipher must be obtained from the 4-byte cipher field. See the TTLSCipherParms statement description in z/OS Communications Server: IP Configuration Reference for additional cipher values.

The client user ID value is either the user ID that is associated with the client's certificate in the SAF database, or the character string **NONE** that indicates that the client ID is unknown.

The FIPS 140 status is one of the following values:
00
No FIPS 140 support
01
FIPS 140 On support
02
FIPS 140 Level1 support
03
FIPS 140 Level2 support
04
FIPS 140 Level3 support

If the cipher is not negotiated, the 4-byte cipher value is *NA*; otherwise, the 4-byte value of the negotiated cipher is returned. See the TTLSCipherParms statement description in z/OS Communications Server: IP Configuration Reference for additional cipher values.

When the negotiated protocol is TLSv1.3 (0304), the 4-byte value is the negotiated key share. See the ClientKeyShareGroups parameter in the TTLSSignatureParms statement in z/OS Communications Server: IP Configuration Reference for key share values. Otherwise, the field is *NA*.

Rule: When using AT-TLS application control, you must ensure that no outstanding data resides in the socket receive buffers for the application. If data exists when AT-TLS is enabled, the negotiation will fail. To flush the receive buffers, you can issue a nonblocking RECV command on the socket before you issue the IOCTL command.
Tips:
ivalue
Additional information that is needed to run the requested command. The value of the ivalue parameter can be either input or output; it is independent of the icmd parameter.
idata
Additional information that is needed to run the requested command. The value of the idata parameter can be either input or output; it is independent of the icmd and ivalue parameter.

Returned value

The return code can be 0, a REXX socket API error number, or the REXX TCP/IP error number that is set by the socket command. The return code 0 indicates that the requested socket command was completed successfully.

See Socket call error return codes for additional information about the numeric error codes that are returned by this command.

The following REXX TCP/IP error numbers can be returned:
  • 9 EBADF
  • 6 ENXIO
  • 22 EINVAL
  • 41 EPROTOTYPE
  • 45 EOPNOTSUPP
  • 54 ECONNRESET
The following REXX socket API error numbers can be returned:
  • 2001 EINVALIDRXSOCKETCALL
  • 2005 ESUBTASKNOTACTIVE
  • 2009 ESOCKETNOTDEFINED
  • 2023 EICWTNOINPUTDATA
  • 2024 EICWTINVALIDTIMEOUT
  • 2025 EICWTINVALIDREUSE
  • 2026 EICWTINVALIDTOKEN

LE C/C++ equivalent

This command has no LE C/C++ equivalent.

Code example

See the EZARXS05 REXX sample in the SBLSCLI0 file for an example of using the IOCTL command.