Table 1 lists the general updates for the Communications Server IP configuration files.
File | Statement / Entry | Release | Description | Reason for change |
---|---|---|---|---|
certificate bundle specification file | CertBundleOptions | V1R12 | New file to identify the location of certificates and certificate revocation that is to be included in a certificate bundle. |
|
Communications Server SMTP (CSSMTP) configuration file | ExtendedRetry | V1R13 | New statement to describe the extended retry function. | CSSMTP extended retry |
Header | V2R1 | Use the Header statement to change the behavior of CSSMTP when creating RFC 2822 Mail headers. | CSSMTP mail message date header handling option | |
JESSyntaxErrLimit | V1R13 | New statement to set the maximum number of syntax errors to be tolerated in a JES spool file. | CSSMTP enhancements | |
SMF119 | V1R12 | New statement to activate the creation of new SMF 119 records, as shown by the ezamlcnf.sample. | Management data for CSSMTP | |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
|
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
|
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
|
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
|
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
|
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
|
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
|
DMD configuration file | DmStackConfig | V2R1 | New parameter that can be used to limit the number of filter-match log messages generated for a defensive filter. | Real-time application-controlled TCP/IP trace NMI |
IKED configuration file | IkeConfig | V1R12 | New FIPS140 parameter. | IPSec support for FIPS 140 cryptographic mode |
inetd configuration file | otelnetd | V1R13 | The z/OS® UNIX Telnet server (otelnetd) supports a new parameter, -g. If it is specified, it will not issue gethostbyaddr or getnameinfo for the client IP address. | Support for bypassing host name lookup in otelnetd |
Network security services (NSS) server configuration file /etc/security/nssd | IPSecDisciplineConfig | V1R12 | New statement used to specify parameters for the IPSec Discipline. |
|
NETRC | N/A | V1R13 | Single quotation marks to enclose a password phrase of more than one token are now allowed. | FTP support for password phrases |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
|
Policy Agent configuration files | IDSAttackCondition | V2R1 | You can configure attack detection by using the IP_FRAGMENT value on the AttackType parameter. It detects suspicious fragmented packets for both IPv4 and IPv6, such as fragments that overlay and change the data in the packet, including changes to the length of the packet. | Enhanced IDS IP fragment attack detection |
RouteTable | V2R1 | Changed to allow the specification
of IPv6 routes and IPv6 dynamic routing parameters. Three parameters
are added:
|
IPv6 support for policy-based routing | |
RoutingRule | V2R1 | Changed to allow IPv6 addresses. | IPv6 support for policy-based routing | |
Policy Agent configuration files (continued) | IDSAction | V1R13 | The following new values are provided on
the ActionType Attack parameter:
|
Expanded Intrusion Detection Services |
IDSAttackCondition | V1R13 | New attack detection can be configured using
the following new values on the AttackType parameter:
The following new parameters can be configured for the new
attack detection:
|
Expanded Intrusion Detection Services | |
V1R13 | New attack detection can be configured using
the following new values on the AttackType parameter:
The following new parameters can be configured for the new
attack detection:
|
Intrusion Detection Services support for Enterprise Extender | ||
IDSExclusion | V1R13 | IDSExclusion is a new statement that can be used to exclude remote peers from attack detection. | Expanded Intrusion Detection Services | |
Policy Agent configuration files (continued) | IDSScanEventcondition | V1R13 | Scan detection for ICMPv6 events can be configured using the new Icmpv6 value on the protocol parameter. IPv6 addresses can be configured for the LocalHostAddr parameter. | Expanded Intrusion Detection Services |
IDSScanExclusion | V1R13 | IPv6 addresses can be configured for the ExcludedAddrPort parameter, allowing remote peers using those addresses to be excluded from scan detection. | Expanded Intrusion Detection Services | |
IDSTRCondition | V1R13 | IPv6 addresses can be configured for the LocalHostAddr parameter. | Expanded Intrusion Detection Services | |
IpAddr and IpAddrSet | V1R13 | IPv6 addresses can be configured. | Expanded Intrusion Detection Services | |
IpDataOffer | V1R13 | When the Integrated Cryptographic Services
Facility (ICSF) is started in FIPS 140 compatibility mode and FIPS
140 is not enabled for the TCP/IP stack, the following conditions
are no longer required when HowToEncrypt AES_GCM_16, HowToAuth AES_GMAC_128
or HowToAuth AES_GMAC_256 is configured:
Also for HowToEncrypt AES_GCM_16 and HowToAuth AES_GMAC_128 and AES_GMAC_256, the restriction for tunnel traffic is removed. As of V1R13, when FIPS 140 mode is enabled for TCP/IP, tunnels that use the AES-GCM or AES-GMAC combined-mode algorithm are eligible for distribution of traffic using sysplex-wide security associations (SWSA). |
Enhanced IPsec support for FIPS 140 cryptographic mode | |
V1R12 | The following parameters are changed:
|
|
||
IpDynVpnAction | V1R12 | The HowToEncapIKEv2 parameter is new. The following parameters are changed to allow groups of 19, 20, 21,
and 24:
|
IKE version 2 support | |
IpFilterPolicy | V1R12 | The RFC4301Compliance parameter is deprecated for V1R12 and later releases. | Release update | |
V1R12 | The FIPS140 parameter is new. | IPSec support for FIPS 140 cryptographic mode | ||
Policy Agent configuration files (continued) | IpLocalStartAction | V1R12 | The following parameters are new:
|
IKE version 2 support |
IpManVpnAction | V1R12 |
|
|
|
IPv6NextHdrGroup and IPv6NextHdrRange | V1R13 | IPv6NextHdrGroup and IPv6NextHdrRange are new statements that can be referenced by the RESTRICTED_IPV6_NEXT_HDR attack type to restrict certain next header values in an inbound packet. | Expanded Intrusion Detection Services | |
KeyExchangeAction | V1R13 | Removed the restriction for AllowNAT that stated that AllowNat is ignored when the IKE version 2 protocol is being used. | Network address translation traversal support for IKE version 2 | |
V1R12 | The following parameters are new:
The HowToInitiate parameter is changed. It has a new value of IKEv2. The HowToInitiate parameter is also changed in that the default value is obtained from the HowToInitiate parameter on the KeyExchangePolicy statement. |
|
||
Policy Agent configuration files (continued) | KeyExchangeOffer | V1R12 | The following parameters are new:
|
|
KeyExchangePolicy | V1R13 | Removed the restriction for AllowNAT that stated that AllowNat is ignored when the IKE version 2 protocol is being used. | Network address translation traversal support for IKE version 2 | |
V1R12 | The following parameters are new:
|
|
||
LocalSecurityEndpoint | V1R12 | The Identity parameter has a new value of KeyID. | IKE version 2 support | |
RemoteIdentity | V1R12 | The Identity parameter has a new value of KeyID. | IKE version 2 support | |
RemoteSecurityEndpoint | V1R12 | The Identity parameter has a new value of KeyID. | IKE version 2 support | |
Policy Agent TTLSConfig files | New TTLSSignatureParms statement | V2R1 | New ClientECurves and SignaturePairs parameters | AT-TLS support for TLS v1.2 and related features |
TTLSCipherParms | V2R1 |
|
AT-TLS support for TLS v1.2 and related features | |
TTLSEnvironmentAction | V2R1 | New SuiteBProfile parameter | AT-TLS support for TLS v1.2 and related features | |
TTLSEnvironmentAction and TTLSConnectionAction | V2R1 | New TTLSSignatureParms or TTLSSignatureParmsRef parameter | AT-TLS support for TLS v1.2 and related features | |
TTLSEnvironmentAdvancedParms | V2R1 | New Renegotiation, RenegotiationCertCheck, and RenegotiationIndicator parameters | AT-TLS support for TLS v1.2 and related features | |
TTLSEnvironmentAdvancedParms and TTLSConnectionAdvancedParms | V2R1 | New TLSv1.2 parameter | AT-TLS support for TLS v1.2 and related features | |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
Resolver setup file | All statements | V2R1 | The resolver handles syntax
errors differently depending on when the error is detected:
|
Resolver initialization resiliency |
Resolver Setup File SEZAINST(RESSETUP) | UNRESPONSIVETHRESHOLD | V1R13 | New AUTOQUIESCE operand specifies whether resolver should automatically stop forwarding DNS queries generated by an application to an unresponsive name server. You must code the GLOBALTCPIPDATA statement if using the AUTOQUIESCE operand. | System resolver autonomic quiescing of unresponsive name servers |
V1R12 | New statement specifies the threshold value for when resolver should declare a name server to be unresponsive. | Improved resolver reaction to unresponsive DNS name servers | ||
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
SNMP Configuration Entry | V1R12 | A new configuration parameter, authEngineID, is added to the end of the existing SNMPv3 configuration entry parameter list. This new parameter specifies the authoritative engine ID to use when sending an SNMPv2 trap with USM security. | Enhancements to SNMP manager API | |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
TCPIP.DATA | NAMESERVER/NSINTERADDR | V1R12 | Statement to define the IP address of a name server. Changed so that the IP address can be either IPv4 or IPv6. | Resolver support for IPv6 connections to DNS name servers |
RESOLVERTIMEOUT | V1R12 | Statement to define the amount of time resolver waits for a response from a name server. The default is changed from 30 seconds to 5 seconds. | Improved resolver reaction to unresponsive DNS name servers | |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |
![]() ![]() |