IP services: Ensure storage availability for IWQ IPSec traffic

As of z/OS V2R3 with TCP/IP APAR PI77649, or z/OS V2R2 with TCP/IP APAR PI77649 and SNA APAR OA52275, the processing of IPAQENET and IPAQENET6 INTERFACE statements is enhanced when you use OSA-Express6S. If you enabled QDIO inbound workload queuing (WORKLOADQ) and you have IPSec traffic, an additional ancillary input queue (AIQ) is established for IPSec inbound traffic. Additional storage is allocated for this input queue.

Each AIQ increases storage utilization in the following two areas:
  • Approximately 36 KB of fixed ECSA
  • 64-bit CSM HVCOMMON for READSTORAGE

    If you are using IPSec, when the first IPSec tunnel is activated (protocols ESP or AH), the new AIQ will be backed with 64-bit CSM HVCOMMON fixed storage. The amount of HVCOMMON storage that is used is based on the specification of the INTERFACE READSTORAGE parameter.

If you configured QDIO inbound workload queuing (WORKLOADQ), ensure that sufficient fixed ECSA and fixed (real) 4 KB CSM HVCOMMON storage is available for the AIQ for IPSec traffic.

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: z/OS® Communications Server.
When change was introduced: z/OS V2R2 (with APARs PI77649 and OA52275) and z/OS V2R3 (with APAR PI77649).
Applies to migration from: z/OS V2R2 (without APARs PI77649 and OA52275) and z/OS V2R1.
Timing: Before installing z/OS V2R3.
Is the migration action required? No, but it is recommended if you have the WORKLOADQ parameter that is specified on the OSA IPAQENET and IPAQENET6 INTERFACE statements, you have IPSec traffic and you have concerns about using additional ECSA or real (fixed) storage.
Target system hardware requirements: OSA-Express6S Ethernet features or later in QDIO mode running on IBM z14.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM® Health Checker for z/OS check: None.

Steps to take

  1. If you are using or plan to use OSA-Express6S or later, verify the following conditions are true:
    • WORKLOADQ is specified on the IPAQENET and IPAQENET6 INTERFACE statements.
    • Have IPSec traffic; protocols ESP or AH.
  2. If step 1 is applicable, IWQ IPSec will use additional storage. Continue with step 3 - 6. Otherwise, there is no increase in storage usage, and no further action is required.
  3. To calculate the total storage increase, count the total number of IPAQENET and IPAQENET6 INTERFACE statements coded with the WORKLOADQ parameter that are associated with OSA-Express6S or later. Make a note of the number.
  4. Verify that sufficient ECSA is available. To calculate this, multiply the total INTERFACE statements counted in step 3 by 36 KB. The resulting number indicates how much additional ECSA is required.
    To determine whether sufficient ECSA is available to enable this function, verify the following ECSA definitions:
    • D CSM usage (PARMLIB member IVTPRM00, ECSA MAX value)
    • VTAM (Start Options CSALIMIT and CSA24)
    • TCPIP (GLOBALCONFIG ECSALIMIT statement in the TCPIP PROFILE)
  5. Verify that sufficient real (fixed) storage is available. 64-bit fixed (CSM HVCOMMON) storage is used for the IPSec AIQ read buffers. To calculate this value, multiply the total number of INTERFACE statements that are counted in step 3 by your configured READSTORAGE value (for example, 4 MB). You can verify how much storage is being used for READSTORAGE by using the D NET, TRLE command. The resulting number indicates how much additional fixed (64-bit) storage is required. To verify that the additional fixed storage is not a constraint for your system, take the following actions:
    • Use the DISPLAY CSM command to verify that sufficient fixed storage is available (CSM FIXED MAXIMUM defined in IVTPRM00).
    • Verify the actual amount of real storage available to this z/OS system by using D M=STOR or D M=HIGH.
  6. If sufficient ECSA or real storage is not available, increase the available real storage or consider defining some of the OSA-Express6S (or later) INTERFACE statements with the NOWORKLOADQ parameter. If your CSM FIXED MAXIMUM is too low, increase this value in IVTPRM00.

Reference information

For information about ECSA usage, see the IBM technote Communications Server ECSA and CSM Storage Usage.