General updates for the non-PROFILE.TCPIP IP configuration files

Table 1 lists the general updates for the Communications Server IP configuration files.

Table 1. Summary of new and changed non-PROFILE.TCPIP configuration files

Each entry lists the file, the statement or entry, the release, a description of the change, and the reason for the change.

File: certificate bundle specification file
  Statement / Entry: CertBundleOptions
  Release: V1R12
  Description: New file to identify the location of the certificates and certificate revocation lists that are to be included in a certificate bundle.
  Reason for change:
    • IPSec support for certificate trust chains and certificate revocation lists
    • IKE version 2 support

File: Communications Server SMTP (CSSMTP) configuration file
  Statement / Entry: ExtendedRetry
  Release: V1R13
  Description: New statement to describe the extended retry function.
  Reason for change: CSSMTP extended retry

  Statement / Entry: Header
  Release: V2R1
  Description: Use the Header statement to change the behavior of CSSMTP when creating RFC 2822 mail headers.
  Reason for change: CSSMTP mail message date header handling option

  Statement / Entry: JESSyntaxErrLimit
  Release: V1R13
  Description: New statement to set the maximum number of syntax errors to be tolerated in a JES spool file.
  Reason for change: CSSMTP enhancements

  Statement / Entry: SMF119
  Release: V1R12
  Description: New statement to activate the creation of new SMF 119 records, as shown in the ezamlcnf.sample file.
  Reason for change: Management data for CSSMTP
Start of changedcas.confEnd of change Start of changeKEYRINGEnd of change Start of changeV2R1End of change Start of changeThe existing KEYRING keyword is used to define the z/OS UNIX file containing the certificate to be used during the SSL handshake. This keyword is ignored if TLSMECHANISM is ATTLS.End of change Start of changeAT-TLS enablement for DCASEnd of change
Start of changeLDAPPORTEnd of change Start of changeV2R1End of change Start of changeThe existing LDAPPORT keyword is used to allow authentication of the client certificate by an X.500 host. LDAPPORT is used in combination with LDAPSERVER. This keyword is ignored if TLSMECHANISM is ATTLS.End of change Start of changeAT-TLS enablement for DCASEnd of change
Start of changeLDAPSERVEREnd of change Start of changeV2R1End of change Start of changeThe existing LDAPSERVER keyword is used to allow authentication of the client certificate by an X.500 host. LDAPSERVER is used in combination with LDAPPORT. This keyword is ignored if TLSMECHANISM is ATTLS.End of change Start of changeAT-TLS enablement for DCASEnd of change
Start of changeSAFKEYRINGEnd of change Start of changeV2R1End of change Start of changeThe existing SAFKEYRING keyword is used to define the RACF-defined key ring containing the certificate to be used during the SSL handshake. This keyword is ignored if TLSMECHANISM is ATTLS.End of change Start of changeAT-TLS enablement for DCASEnd of change
Start of changeSTASHFILEEnd of change Start of changeV2R1End of change Start of changeThe existing STASHFILE keyword is used to specify the key ring password file to the associated key ring file. This password file contains the encrypted password. This keyword is ignored if TLSMECHANISM is ATTLS.End of change Start of changeAT-TLS enablement for DCASEnd of change
Start of changeTLSMECHANISMEnd of change Start of changeV2R1End of change Start of changeThis new keyword can be used to select whether to use AT-TLS policies or call IBM System SSL directly. See Customizing DCAS for TLS/SSL in z/OS V2R1.0 Communications Server: IP Configuration Guide to use either AT-TLS policies (ATTLS) or IBM System SSL. (DCAS). The default is DCAS.End of change Start of changeAT-TLS enablement for DCASEnd of change
Start of changeTLSV1ONLYEnd of change Start of changeV2R1End of change Start of changeNew parameter to control whether the supported SSL version is limited to TLSv1.0 for connections that are secured using SSL implemented by DCAS.End of change Start of changeRelease updateEnd of change
Start of changeV3CIPHEREnd of change Start of changeV2R1End of change Start of changeThe existing V3CIPHER keyword is used to specify a subset of the supported SSL V3 cipher algorithms. This keyword is ignored if TLSMECHANISM is ATTLS.End of change Start of changeAT-TLS enablement for DCASEnd of change
File: DMD configuration file
  Statement / Entry: DmStackConfig
  Release: V2R1
  Description: New parameter that can be used to limit the number of filter-match log messages generated for a defensive filter.
  Reason for change: Real-time application-controlled TCP/IP trace NMI

File: IKED configuration file
  Statement / Entry: IkeConfig
  Release: V1R12
  Description: New FIPS140 parameter.
  Reason for change: IPSec support for FIPS 140 cryptographic mode

File: inetd configuration file
  Statement / Entry: otelnetd
  Release: V1R13
  Description: The z/OS UNIX Telnet server (otelnetd) supports a new parameter, -g. If it is specified, otelnetd does not issue gethostbyaddr or getnameinfo for the client IP address.
  Reason for change: Support for bypassing host name lookup in otelnetd

File: Network security services (NSS) server configuration file /etc/security/nssd
  Statement / Entry: IPSecDisciplineConfig
  Release: V1R12
  Description: New statement used to specify parameters for the IPSec Discipline.
  Reason for change:
    • IPSec support for certificate trust chains and certificate revocation lists
    • IKE version 2 support
    • IPSec support for FIPS 140 cryptographic mode

File: NETRC
  Statement / Entry: N/A
  Release: V1R13
  Description: Single quotation marks can now be used to enclose a password phrase that consists of more than one token.
  Reason for change: FTP support for password phrases

File: OSNMP.CONF
  Statement / Entry: N/A
  Release: V2R1
  Description: New privacy protocol value AESCFB128 can be specified in the privProto field of a statement for an SNMPv3 user, to request AES 128-bit encryption.
  Reason for change: Network security enhancements for SNMP

File: pagent.conf
  Statement / Entry: ServerConnection/ServerSSLV3CipherSuites
  Release: V2R1
  Description: In z/OS V2R1 Communications Server, the centralized Policy Agent now supports TLSv1.1 and TLSv1.2 2-byte ciphers. For detailed information, see the ServerSSLV3CipherSuites parameter of the ServerConnection statement in z/OS V2R1.0 Communications Server: IP Configuration Reference.
  Reason for change: TLS security enhancements for Policy Agent

  Statement / Entry: ServicesConnection/Security Basic
  Release: V2R1
  Description: In z/OS V2R1 Communications Server, the import services between Policy Agent and IBM Configuration Assistant for z/OS Communications Server can use user-defined AT-TLS policies to create a secure SSL connection.
  Reason for change: TLS security enhancements for Policy Agent
File: Policy Agent configuration files
  Statement / Entry: IDSAttackCondition
  Release: V2R1
  Description: You can configure attack detection by using the IP_FRAGMENT value on the AttackType parameter. It detects suspicious fragmented packets for both IPv4 and IPv6, such as fragments that overlay and change the data in the packet, including changes to the length of the packet.
  Reason for change: Enhanced IDS IP fragment attack detection

  Statement / Entry: RouteTable
  Release: V2R1
  Description: Changed to allow the specification of IPv6 routes and IPv6 dynamic routing parameters. Three parameters are added:
    • Multipath6 can be used to indicate whether the multipath routing selection algorithm is enabled for outbound IPv6 traffic by using the policy-based route table.
    • DynamicXCFRoutes6 can be used to indicate whether direct routes to IPv6 dynamic XCF addresses on other TCP/IP stacks should be added to the route table.
    • IgnorePathMtuUpdate6 can be used to indicate whether IPv6 ICMP Packet Too Big messages should be ignored for this route table.
  Reason for change: IPv6 support for policy-based routing

  Statement / Entry: RoutingRule
  Release: V2R1
  Description: Changed to allow IPv6 addresses.
  Reason for change: IPv6 support for policy-based routing

  Statement / Entry: IDSAction
  Release: V1R13
  Description: The following new values are provided on the ActionType Attack parameter:
    • ResetConn
    • NoResetConn
  Reason for change: Expanded Intrusion Detection Services

  Statement / Entry: IDSAttackCondition
  Release: V1R13
  Description: New attack detection can be configured using the following new values on the AttackType parameter:
    • DATA_HIDING
    • GLOBAL_TCP_STALL
    • OUTBOUND_RAW_IPV6
    • RESTRICTED_IPV6_DST_OPTIONS
    • RESTRICTED_IPV6_HOP_OPTIONS
    • RESTRICTED_IPV6_NEXT_HDR
    • TCP_QUEUE_SIZE
    The following new parameters can be configured for the new attack detection:
    • OptionPadChk and IcmpEmbedPktChk - for the DATA_HIDING attack type
    • RestrictedIPv6OptionRange, RestrictedIPv6OptionRangeRef, and RestrictedIPv6OptionGroupRef - for the RESTRICTED_IPV6_DST_OPTIONS and RESTRICTED_IPV6_HOP_OPTIONS attack types
    • IPv6NextHdrRange, IPv6NextHdrRangeRef, and IPv6NextHdrGroupRef - for the RESTRICTED_IPV6_NEXT_HDR attack type
    • TcpQueueSize - for the TCP_QUEUE_SIZE attack type
    • IDSExclusion and IDSExclusionRef - for the TCP_QUEUE_SIZE attack type
  Reason for change: Expanded Intrusion Detection Services

  Statement / Entry: IDSAttackCondition
  Release: V1R13
  Description: New attack detection can be configured using the following new values on the AttackType parameter:
    • EE_MALFORMED_PACKET
    • EE_PORT_CHECK
    • EE_LDLC_CHECK
    • EE_XID_FLOOD
    The following new parameters can be configured for the new attack detection:
    • EEXIDTimeout - for the EE_XID_FLOOD attack type
    • IDSExclusion and IDSExclusionRef - for the EE_MALFORMED_PACKET, EE_PORT_CHECK, EE_LDLC_CHECK, and EE_XID_FLOOD attack types
  Reason for change: Intrusion Detection Services support for Enterprise Extender

  Statement / Entry: IDSExclusion
  Release: V1R13
  Description: IDSExclusion is a new statement that can be used to exclude remote peers from attack detection.
  Reason for change: Expanded Intrusion Detection Services

  Statement / Entry: IDSScanEventCondition
  Release: V1R13
  Description: Scan detection for ICMPv6 events can be configured using the new Icmpv6 value on the Protocol parameter. IPv6 addresses can be configured for the LocalHostAddr parameter.
  Reason for change: Expanded Intrusion Detection Services

  Statement / Entry: IDSScanExclusion
  Release: V1R13
  Description: IPv6 addresses can be configured for the ExcludedAddrPort parameter, allowing remote peers that use those addresses to be excluded from scan detection.
  Reason for change: Expanded Intrusion Detection Services

  Statement / Entry: IDSTRCondition
  Release: V1R13
  Description: IPv6 addresses can be configured for the LocalHostAddr parameter.
  Reason for change: Expanded Intrusion Detection Services

  Statement / Entry: IpAddr and IpAddrSet
  Release: V1R13
  Description: IPv6 addresses can be configured.
  Reason for change: Expanded Intrusion Detection Services

  Statement / Entry: IpDataOffer
  Release: V1R13
  Description: When the Integrated Cryptographic Services Facility (ICSF) is started in FIPS 140 compatibility mode and FIPS 140 is not enabled for the TCP/IP stack, the following conditions are no longer required when HowToEncrypt AES_GCM_16, HowToAuth AES_GMAC_128, or HowToAuth AES_GMAC_256 is configured:
    • The CRYPTOZ class is active.
    • A SAF profile exists for the FIPSEXEMPT.SYSTOK-SESSION-ONLY resource in the CRYPTOZ class.
    • All users of the tunnel have READ access to the SAF resource FIPSEXEMPT.SYSTOK-SESSION-ONLY.
    Also, for HowToEncrypt AES_GCM_16 and HowToAuth AES_GMAC_128 and AES_GMAC_256, the restriction on tunnel traffic is removed. As of V1R13, when FIPS 140 mode is enabled for TCP/IP, tunnels that use the AES-GCM or AES-GMAC combined-mode algorithm are eligible for distribution of traffic using sysplex-wide security associations (SWSA).
  Reason for change: Enhanced IPsec support for FIPS 140 cryptographic mode

  Statement / Entry: IpDataOffer
  Release: V1R12
  Description: The following parameters are changed:
    • HowToEncap - no longer a required parameter. The default is Tunnel.
    • HowToEncrypt - changed to include the new values AES_CBC and AES_GCM_16. The value AES is deprecated and treated as a synonym for AES_CBC KeyLength 128.
    • HowToAuth - changed to include the new values Null, AES128_XCBC_96, AES_GMAC_128, AES_GMAC_256, HMAC_SHA1, HMAC_SHA2_256_128, HMAC_SHA2_384_192, and HMAC_SHA2_512_256. HMAC_SHA is deprecated and treated as a synonym for HMAC_SHA1.
  Reason for change:
    • IKE version 2 support
    • IPSec support for cryptographic currency

  Statement / Entry: IpDynVpnAction
  Release: V1R12
  Description: The HowToEncapIKEv2 parameter is new. The following parameters are changed to allow groups 19, 20, 21, and 24:
    • InitiateWithPfs
    • AcceptablePfs
  Reason for change: IKE version 2 support

  Statement / Entry: IpFilterPolicy
  Release: V1R12
  Description: The RFC4301Compliance parameter is deprecated for V1R12 and later releases.
  Reason for change: Release update

  Statement / Entry: IpFilterPolicy
  Release: V1R12
  Description: The FIPS140 parameter is new.
  Reason for change: IPSec support for FIPS 140 cryptographic mode

  Statement / Entry: IpLocalStartAction
  Release: V1R12
  Description: The following parameters are new:
    • ICMPCodeGranularity
    • ICMPTypeGranularity
    • ICMPv6CodeGranularity
    • ICMPv6TypeGranularity
    • MIPv6TypeGranularity
  Reason for change: IKE version 2 support

  Statement / Entry: IpManVpnAction
  Release: V1R12
  Description:
    • The AuthInboundSa and AuthOutboundSa parameters are changed: new values are required for the key length of the new algorithms added to the HowToAuth parameter.
    • The EncryptInboundSa and EncryptOutboundSa parameters are changed: new values are required for the key length of the new algorithms added to the HowToEncrypt parameter.
    • The HowToAuth parameter is changed to include the values AES128_XCBC_96, HMAC_SHA1, HMAC_SHA2_256_128, HMAC_SHA2_384_192, and HMAC_SHA2_512_256. HMAC_SHA is deprecated and treated as a synonym for HMAC_SHA1.
    • The HowToEncrypt parameter is changed to include the new value AES_CBC. AES is deprecated and treated as a synonym for AES_CBC KeyLength 128.
  Reason for change:
    • IKE version 2 support
    • IPSec support for cryptographic currency

  Statement / Entry: IPv6NextHdrGroup and IPv6NextHdrRange
  Release: V1R13
  Description: IPv6NextHdrGroup and IPv6NextHdrRange are new statements that can be referenced by the RESTRICTED_IPV6_NEXT_HDR attack type to restrict certain next header values in an inbound packet.
  Reason for change: Expanded Intrusion Detection Services

  Statement / Entry: KeyExchangeAction
  Release: V1R13
  Description: Removed the restriction on AllowNAT that stated that AllowNAT is ignored when the IKE version 2 protocol is being used.
  Reason for change: Network address translation traversal support for IKE version 2

  Statement / Entry: KeyExchangeAction
  Release: V1R12
  Description: The following parameters are new:
    • BypassIpValidation
    • CertificateURLLookupPreference
    • HowToAuthMe
    • HowToRespondIKEv1 - introduced as a synonym for the deprecated HowToRespond parameter
    • ReauthInterval
    • RevocationChecking
    The HowToInitiate parameter is changed: it has a new value of IKEv2, and its default value is now obtained from the HowToInitiate parameter on the KeyExchangePolicy statement.
  Reason for change:
    • IKE version 2 support
    • IPSec support for cryptographic currency

  Statement / Entry: KeyExchangeOffer
  Release: V1R12
  Description: The following parameters are new:
    • HowToVerifyMsgs
    • PseudoRandomFunction
    The following parameters are changed:
    • DHGroup - allows the new groups 19, 20, 21, and 24
    • HowToAuthMsgs - has the new values SHA2_256, SHA2_384, and SHA2_512
    • HowToEncrypt - has the new value AES_CBC. AES is deprecated and treated as a synonym for AES_CBC KeyLength 128.
  Reason for change:
    • IKE version 2 support
    • IPSec support for cryptographic currency

  Statement / Entry: KeyExchangePolicy
  Release: V1R13
  Description: Removed the restriction on AllowNAT that stated that AllowNAT is ignored when the IKE version 2 protocol is being used.
  Reason for change: Network address translation traversal support for IKE version 2

  Statement / Entry: KeyExchangePolicy
  Release: V1R12
  Description: The following parameters are new:
    • BypassIpValidation
    • CertificateURLLookupPreference
    • HowToInitiate
    • LivenessInterval
    • RevocationChecking
    The following parameters are changed:
    • DHGroup - allows the new groups 19, 20, 21, and 24
    • HowToAuthMsgs - has the new values SHA2_256, SHA2_384, and SHA2_512
    • HowToEncrypt - has the new value AES_CBC. AES is deprecated and treated as a synonym for AES_CBC KeyLength 128.
  Reason for change:
    • IKE version 2 support
    • IPSec support for certificate trust chains and certificate revocation lists

  Statement / Entry: LocalSecurityEndpoint
  Release: V1R12
  Description: The Identity parameter has a new value of KeyID.
  Reason for change: IKE version 2 support

  Statement / Entry: RemoteIdentity
  Release: V1R12
  Description: The Identity parameter has a new value of KeyID.
  Reason for change: IKE version 2 support

  Statement / Entry: RemoteSecurityEndpoint
  Release: V1R12
  Description: The Identity parameter has a new value of KeyID.
  Reason for change: IKE version 2 support
File: Policy Agent TTLSConfig files
  Statement / Entry: TTLSSignatureParms (new statement)
  Release: V2R1
  Description: New ClientECurves and SignaturePairs parameters.
  Reason for change: AT-TLS support for TLS v1.2 and related features

  Statement / Entry: TTLSCipherParms
  Release: V2R1
  Description:
    • New cipher codes and cipher name constants are supported on V3CipherSuites.
    • New V3CipherSuites4Char parameter with support for the new four-character cipher codes.
  Reason for change: AT-TLS support for TLS v1.2 and related features

  Statement / Entry: TTLSEnvironmentAction
  Release: V2R1
  Description: New SuiteBProfile parameter.
  Reason for change: AT-TLS support for TLS v1.2 and related features

  Statement / Entry: TTLSEnvironmentAction and TTLSConnectionAction
  Release: V2R1
  Description: New TTLSSignatureParms or TTLSSignatureParmsRef parameter.
  Reason for change: AT-TLS support for TLS v1.2 and related features

  Statement / Entry: TTLSEnvironmentAdvancedParms
  Release: V2R1
  Description: New Renegotiation, RenegotiationCertCheck, and RenegotiationIndicator parameters.
  Reason for change: AT-TLS support for TLS v1.2 and related features

  Statement / Entry: TTLSEnvironmentAdvancedParms and TTLSConnectionAdvancedParms
  Release: V2R1
  Description: New TLSv1.2 parameter.
  Reason for change: AT-TLS support for TLS v1.2 and related features
File: Policy client configuration file
  Statement / Entry: ServerSSLv3
  Release: V2R1
  Description: New parameter to control whether SSLv3 is enabled for the policy client that connects to the server.
  Reason for change: Release update

File: Resolver setup file
  Statement / Entry: All statements
  Release: V2R1
  Description: The resolver handles syntax errors differently depending on when the error is detected:
    • If the error is detected during resolver address space initialization, the resolver issues a warning message but continues processing the setup file. The resolver address space initialization continues despite the error.
    • If the error is detected while processing a MODIFY RESOLVER,REFRESH,SETUP command, the resolver issues a warning message and stops processing the setup file. The MODIFY command fails.
  Reason for change: Resolver initialization resiliency

File: Resolver setup file SEZAINST(RESSETUP)
  Statement / Entry: UNRESPONSIVETHRESHOLD
  Release: V1R13
  Description: New AUTOQUIESCE operand specifies whether the resolver should automatically stop forwarding DNS queries generated by an application to an unresponsive name server. You must code the GLOBALTCPIPDATA statement if you use the AUTOQUIESCE operand.
  Reason for change: System resolver autonomic quiescing of unresponsive name servers

  Statement / Entry: UNRESPONSIVETHRESHOLD
  Release: V1R12
  Description: New statement that specifies the threshold value at which the resolver declares a name server to be unresponsive.
  Reason for change: Improved resolver reaction to unresponsive DNS name servers

File: Sendmail configuration file: /etc/mail/zOS.cf
  Statement / Entry: SSLV3
  Release: V2R1
  Description: New parameter to control whether SSLV3 is enabled for connections that are secured using System SSL.
  Reason for change: Release update

File: SNMP Manager API configuration file
  Statement / Entry: N/A
  Release: V2R1
  Description: New privacy protocol value AESCFB128 can be specified in the privProto field of a statement for an SNMPv3 user, to request AES 128-bit encryption.
  Reason for change: Network security enhancements for SNMP

  Statement / Entry: SNMP Configuration Entry
  Release: V1R12
  Description: A new configuration parameter, authEngineID, is added to the end of the existing SNMPv3 configuration entry parameter list. This new parameter specifies the authoritative engine ID to use when sending an SNMPv2 trap with USM security.
  Reason for change: Enhancements to SNMP manager API

File: SNMPD.CONF
  Statement / Entry: USM_USER
  Release: V2R1
  Description: New privacy protocol value AESCFB128 can be specified in the privProto field of the statement to request AES 128-bit encryption.
  Reason for change: Network security enhancements for SNMP

File: TCPIP.DATA
  Statement / Entry: NAMESERVER/NSINTERADDR
  Release: V1R12
  Description: Statement to define the IP address of a name server. Changed so that the IP address can be either IPv4 or IPv6.
  Reason for change: Resolver support for IPv6 connections to DNS name servers

  Statement / Entry: RESOLVERTIMEOUT
  Release: V1R12
  Description: Statement to define the amount of time the resolver waits for a response from a name server. The default is changed from 30 seconds to 5 seconds.
  Reason for change: Improved resolver reaction to unresponsive DNS name servers

File: zOS.cf
  Statement / Entry: CipherLevel
  Release: V2R1
  Description: The z/OS UNIX sendmail CipherLevel statement now supports TLSv1.2 2-byte ciphers. See the CipherLevel statement in the Creating the z/OS specific file topic in z/OS V2R1.0 Communications Server: IP Configuration Guide.
  Reason for change: TLS security enhancements for sendmail