Setting up TCP/IP operating characteristics in PROFILE.TCPIP

Figure 1 shows a portion of the sample configuration file for the TCP/IP address space, PROFILE.TCPIP. This sample can be copied from SEZAINST(SAMPPROF). Figure 1 includes the portion of the sample that shows how to set up TCP/IP operating characteristics. Descriptions for the statements follow Figure 1.

; ======================================================================
; ======================================================================
; General TCP/IP address space configuration
; ======================================================================
;
; ARPAGE: Specifies the number of minutes between creation or
;   revalidation of an LCS ARP table entry and the deletion of the
;   entry.
;
ARPAGE 20
;
; ----------------------------------------------------------------------
;
; GLOBALCONFIG: Provides settings for the entire TCP/IP stack
;
; Example GLOBALCONFIG to offload TCP segmentation to OSA-Express
; features
;
; GLOBALCONFIG SEGMENTATIONOFFLOAD
;
; Example GLOBALCONFIG to exploit HiperSockets multiple write
; support
;
; GLOBALCONFIG IQDMULTIWRITE
;
; Example GLOBALCONFIG to displace TCP/IP CPU cycles onto a zIIP
; for certain workloads
;
; GLOBALCONFIG ZIIP IPSECURITY IQDIOMULTIWRITE
;
; Example GLOBALCONFIG to assign OSA-Express QDIO write priority
; values to packets associated with WorkLoad Manager service classes,
; and to forwarded packets
;
; GLOBALCONFIG WLMPRIORITYQ
;              IOPRI1 0
;              IOPRI2 1
;              IOPRI3 2 3
;              IOPRI4 4 5 6 FWD
;
; Example GLOBALCONFIG to enable SMC-R and SMC-D processing
; 
; GLOBALCONFIG SMCD FIXEDMEMORY 1000
;                             SMCR PFID 203 PFID 205 FIXEDMEMORY 1000 
;
; Example GLOBALCONFIG to enable zERT processing
;
; GLOBALCONFIG ZERT AGGREGATION
; ----------------------------------------------------------------------
;
; IPCONFIG: Provides settings for the IPv4 IP layer of TCP/IP.
;
; Example IPCONFIG for single stack/single system:
;
IPCONFIG DATAGRAMFWD SYSPLEXROUTING
;
; Example IPCONFIG for automatic activation of inter-stack dynamic XCF
;   and Same Host (IUTSAMEH) interfaces
;
; IPCONFIG DYNAMICXCF 201.1.10.10 255.255.255.0 2
;
; Example IPCONFIG for IPSECURITY support:
;
; IPCONFIG IPSECURITY
;
; Example IPCONFIG to provide accelerated forwarding at the DLC layer
;   for OSA-Express QDIO and HiperSockets packets
;
; IPCONFIG QDIOACCELERATOR
;
; ----------------------------------------------------------------------
;
; IPCONFIG6: Provides settings for the IPv6 IP layer of TCP/IP.
;
; Example IPCONFIG6 to enable IPv6 packet forwarding and the use of
;   virtual IP addresses as source addresses in outbound datagrams:
;
; IPCONFIG6 DATAGRAMFWD SOURCEVIPA
;
; Example IPCONFIG6 for automatic activation of inter-stack dynamic XCF
;   and Same Host (IUTSAMEH) interfaces
;
; IPCONFIG6 DYNAMICXCF 2001::151:0000
;
; ----------------------------------------------------------------------
;
; SOMAXCONN: Specifies maximum length for the connection request queue
;   created by the socket call listen().
;
SOMAXCONN 10
;
; ----------------------------------------------------------------------
;
; TCPCONFIG: Provides settings for the TCP layer of TCP/IP.
;            RESTRICTLOWPORTS limits access to ports below 1024
;            to authorized applications.  Applications can be
;            authorized to low ports in three ways:
;             - via PORT or PORTRANGE with the appropriate jobname
;                or wildcard jobname
;             - APF authorized
;             - superuser
;
TCPCONFIG TCPSENDBFRSIZE 32K TCPRCVBUFRSIZE 32K SENDGARBAGE FALSE
          RESTRICTLOWPORTS
;
; Example TCPCONFIG to change the KEEPALIVE interval for applications
; that enable the SO_KEEPALIVE socket option but do not override
; the interval using the TCP_KEEPALIVE socket option.
;
; TCPCONFIG INTERVAL 30
;
; Example TCPCONFIG for AT-TLS support:
;
; TCPCONFIG TTLS
;
; ----------------------------------------------------------------------
;
; UDPCONFIG: Provides settings for the UDP layer of TCP/IP
;            RESTRICTLOWPORTS limits access to ports below 1024
;            to authorized applications.  Applications can be
;            authorized to low ports in three ways:
;             - via PORT or PORTRANGE with the appropriate jobname
;                or wildcard jobname
;             - APF authorized
;             - superuser
;
UDPCONFIG RESTRICTLOWPORTS
;
; ----------------------------------------------------------------------
;
; SRCIP: Provides the following functionality:
;   - Provides for the substitution of a source IP address on a
;     jobname-specific or destination-specific basis, for applications
;     which specify either the IPv4 INADDR_ANY address, or the IPv6
;     unspecified address (in6addr_any) for the source IP address.
;     This may be done when an application issues an explicit bind()
;     call with either of these addresses, or when it bypasses issuing
;     an explicit bind() call and issues a connect().
;   - Provides the ability to designate if default source address
;     selection should prefer a public or a temporary IPv6 address
;     for the specified jobs.
;
;
; Example SRCIP to substitute a source IP address
;
;SRCIP
; JOBNAME      USER15            9.43.242.5
; JOBNAME      USER*             9.43.242.4
; JOBNAME      USER15            2001::092B:F203
; JOBNAME      JOB*              ETHER1
; DESTINATION  9.67.114.02       9.43.240.7
; DESTINATION  2003::090C:F246   INTF1
; JOBNAME      *                 9.43.242.3
; JOBNAME      *                 9.43.242.3
; JOBNAME      PAYROLL*          9.42.242.5              BOTH
; JOBNAME      SERVER1           9.42.242.4              SERVER
; JOBNAME      CLIENT*           2001:0DB8::9:43:242:6   CLIENT
;ENDSRCIP
;
; Example SRCIP to cause default source address selection to prefer
; public or temporary IPv6 addresses
;
;SRCIP
; JOBNAME      IPV6PUB            PUBLICADDRS
; JOBNAME      IPV6TEMP           TEMPADDRS
;ENDSRCIP
;
; ----------------------------------------------------------------------
;
; DEFADDRTABLE: Can be used to configure the policy table for IPv6
; default address selection.
;
;DEFADDRTABLE
; Prefix          Precedence Label
; ::1/128           50         0
; ::/0              40         1
; 2002::/16         30         2
; ::/96             20         3
; ::ffff:0.0.0.0/96 10         4
;ENDDEFADDRTABLE
Figure 1. Example of TCP/IP operating characteristics in PROFILE.TCPIP

The following information describes the statements that are shown in Figure 1. For more information about any of these statements, see z/OS Communications Server: IP Configuration Reference. For information specific to IPv6 support, see z/OS Communications Server: IPv6 Network and Application Design Guide.

ARPAGE
Use ARPAGE to set the number of minutes between the creation or revalidation of an ARP table entry for LCS devices and the deletion of that entry. To specify this value in seconds rather than minutes, use the IPCONFIG ARPTO statement.
GLOBALCONFIG
Use GLOBALCONFIG to print several counters in text format. These counters include number of TCP retransmissions and total number of TCP segments sent from the TCP/IP system. Most installations use the SMF facility of MVS™ to collect these counters in a more standard way.

Use GLOBALCONFIG to enable use of Shared Memory Communications over RDMA (SMC-R) and Shared Memory Communications - Direct Memory Access (SMC-D). For more details about SMC-R and SMC-D, see Shared Memory Communications.

Use the ECSALIMIT parameter on the GLOBALCONFIG statement to limit TCP/IP use of common storage. The POOLLIMIT parameter can be used to limit TCP/IP use of private storage pools.

Use ZERT to enable z/OS® Encryption Readiness Technology (zERT). For more information, see Monitoring cryptographic network protection: z/OS encryption readiness technology (zERT).

IPCONFIG
Use IPCONFIG to configure various settings of the IP layer of TCP/IP. Use ARPTO to specify the ARP timeout value in seconds for LCS devices. For more information, see the ARPAGE description.

Use CLAWUSEDOUBLENOP on vendor devices that document the need for double NOPs on each CCW.

Use DATAGRAMFWD if this TCP/IP is to be a router and must forward datagrams to other routers. Use IGNOREREDIRECT when a dynamic routing program is used and ICMP redirect packets are to be ignored by the TCP/IP address space. MULTIPATH is used to inform TCP/IP how to distribute traffic across equal cost routes.

Use IPSECURITY to restrict this host to be a network firewall.

SOURCEVIPA enables interface fault tolerance for z/OS clients that establish outbound connections. When SOURCEVIPA is set, outbound datagrams use the corresponding virtual IP address (VIPA) in the HOME list instead of the physical interface's IP address. SOURCEVIPA has no effect on RIP servers such as OMPROUTE.

TCPSTACKSOURCEVIPA allows z/OS clients to specify a sysplex-wide source IP address for TCP connections. When TCPSTACKSOURCEVIPA is set, outbound TCP datagrams use the IP address that is specified in the TCPSTACKSOURCEVIPA statement instead of static VIPA addresses or physical interface addresses.

Use SYSPLEXROUTING to communicate interface changes within a sysplex domain to the workload manager (WLM). DYNAMICXCF allows the cross communication facility within a sysplex to dynamically generate connections within a sysplex domain. If DYNAMICXCF is used with a dynamic routing program like OMPROUTE, the BSDROUTINGPARMS and the OMPROUTE configuration files must be updated with subnet mask and cost information. For more information about other configuration parameters that are required, see the usage notes related to the DYNAMICXCF parameter under the IPCONFIG statement in z/OS Communications Server: IP Configuration Reference.

Use REASSEMBLYTIMEOUT to specify the TCP/IP reassembly timeout value in seconds, and use TTL to specify the TCP/IP time to live or hop count value.

Use PATHMTUDISCOVERY to indicate to TCP/IP that it is to dynamically discover the path MTU, which is the minimum of MTUs of each hop in the path.

Use STOPONCLAWERROR to indicate to the TCP/IP stack to stop channel programs (HALTIO and HALTSIO) when a device error is detected.

Use QDIOACCELERATOR to request accelerated packet forwarding for OSA-Express® QDIO Ethernet and HiperSockets interfaces.

IPCONFIG6
Use IPCONFIG6 to update the IP layer of TCP/IP with information that pertains to IPv6.

Use DATAGRAMFWD to enable the transfer of data between networks.

Use DYNAMICXCF to enable Dynamic XCF support for IPv6.

SOMAXCONN
Use SOMAXCONN to specify the maximum number of sockets queued on a listener.
SRCIP
Use the SRCIP - ENDSRCIP profile statement block to configure one of the following functions:
  • Enable an application to use a designated IP address as its source address for outbound TCP connections, or to enable a TCP server application to bind to a specific IP address when it is establishing its listening socket.
  • Indicate that the default source address selection algorithm prefers public or temporary IPv6 addresses for specific jobs.

For outbound TCP connections, when a source IP address was designated for a specified job name or destination address and the source IP address exists at the time the outbound TCP connection is initiated, this source IP address is used, overriding other source IP address selection methods as described in Source IP address selection. This source address selection occurs for applications that issue a connect() call and that did not previously bind the socket to an IP address, or for those applications that bind to the IPv4 INADDR_ANY address or to the IPv6 unspecified address (in6addr_any) before they issue the connect() call.

For TCP server applications, when the application issues a bind to INADDR_ANY or in6addr_any and a matching JOBNAME rule for SERVER or BOTH is specified, the designated IP address is used on the listening socket. This situation makes the server application bind specific, where client applications can connect to the server by using only the designated IP address. This capability can be useful when the applications do not provide a method for the user to specify a specific IP address for their listening sockets, or in situations when the server application creates listening sockets by using an ephemeral port that is assigned dynamically by TCP/IP. For scenarios when the application binds to specific, well-known ports, the BIND keyword on the PORT reservation statement in the TCP/IP profile can be used instead and has precedence over the SRCIP block specifications.

If you use distributed DVIPAs as a designated source within the SRCIP block, you might also be required to specify the EXPLICITBINDPORTRANGE parameter on the GLOBALCONFIG statement. For more information about the GLOBALCONFIG statement and its parameters, see z/OS Communications Server: IP Configuration Reference.

Guidelines:
  • Applications that bind to INADDR_ANY or in6addr_any that match on an SRCIP JOBNAME or DESTINATION statement do not have the designated IP address as their source address upon completion of the bind() call. The source address is not set to the designated address until completion of the subsequent connect() (client applications) or listen() (server applications) call. This situation is important to note for applications that issue a getsockname() call after a bind() call to retrieve the source IP address. This processing is different from the processing that occurs when a TCP server application is converted to being bind specific using the BIND keyword on the PORT statements in the TCP/IP profile. When you are using the BIND keyword on the PORT statement, the designated IP address is set upon completion of the bind() call, and some applications such as Db2® depend on this behavior.
  • When you are using an SRCIP JOBNAME statement for an IPv6 server application, code an IPv6 address and not an IPv6 interface. Otherwise, the source address that is chosen for that IP interface might not be the best choice for the server application to be bound to. For information about the default source address selection algorithm, see z/OS Communications Server: IPv6 Network and Application Design Guide.
TCPCONFIG
Use the TCPCONFIG statement to configure various settings of the TCP protocol layer:
  • Use the INTERVAL parameter if necessary to change the default keepalive value to a value other than 120 minutes. Use the KEEPALIVEPROBES parameter to specify the number of probes to send before a connection times out. Use the KEEPALIVEPROBEINTERVAL parameter to specify the amount of time between the sending of each probe.
  • Use the FINWAIT2TIME parameter to specify a different timeout value for a TCP connection that is in the FINWAIT2 state.
  • Use the TIMEWAITINTERVAL parameter to specify a different timeout value for a TCP connection that is in the TIMEWAIT state.
  • Use the SENDGARBAGE parameter to cause the keepalive packet to contain 1 byte of random data and an incorrect sequence number. The random data and incorrect sequence number assure that the remote TCP does not accept the data.
  • Use the TCPTIMESTAMP parameter to choose whether to participate in time stamp negotiation.
  • Use the MAXIMUMRETRANSMITTIME parameter to limit the length of time before a connection times out.
  • Use the RETRANSMITATTEMPTS parameter to indicate the number of packets to retransmit before a connection times out.
  • Use the CONNECTTIMEOUT parameter to limit the amount of time before the initial connection times out.
  • Use the CONNECTINITINTERVAL parameter to specify the initial retransmit interval for a connect call.
  • Use the QUEUEDRTT parameter to specify the round trip time that triggers outbound serialization logic.
  • Use the FRRTHRESHOLD parameter to specify the number of duplicates that are needed to trigger Fast Retransmit, Fast Recovery logic.
  • Use the DELAYACKS parameter to alter the behavior of acknowledgments and delay their transmission.
  • Use the NONAGLE parameter to override use of the Nagle algorithm. The Nagle algorithm is used to delay small packets from being sent.
  • If you specify the RESTRICTLOWPORTS parameter, only applications that meet at least one of the following criteria are allowed to bind to low ports (1–1023):
    • The port is reserved for the application by the PORT or PORTRANGE statement.
    • The application runs with APF authorization.
    • The application runs with effective POSIX UID zero.
  • If you want to control TCP buffering to limit storage usage or to manage large bandwidth devices, use the TCPSENDBFRSIZE, TCPRCVBUFRSIZE, TCPMAXSENDBUFRSIZE, and TCPMAXRCVBUFRSIZE parameters.
  • Use the TTLS parameter to configure the TCP/IP stack for AT-TLS support.
  • Use the EPHEMERALPORTS parameter to limit the ephemeral port range that the TCP/IP stack uses to assign a port to a socket. The EPHEMERALPORTS port range is used in the following situations when EXPLICITBINDPORTRANGE, SYSPLEXPORTS, or FTP PASSIVEDATAPORTS processing cannot determine the port number to assign:
    • An application issues an explicit bind() call for port 0
    • An application bypasses issuing an explicit bind() call and issues a connect() call
  • The SELECTIVEACK parameter causes the TCP/IP stack to generate selective acknowledgments as defined in RFC 2018 and to use incoming selective acknowledgments to improve TCP retransmission processing as defined in RFC 3517. A TCP connection can experience poor performance when multiple packets are lost from one window of data. With the limited information available from cumulative acknowledgments, a TCP sender can learn about only a single lost packet per round-trip time. A Selective Acknowledgment (SACK) mechanism with a selective repeat retransmission policy can help to overcome these limitations. The receiving TCP sends back SACK packets to the sender to inform the sender of data that was received. The sending TCP can then retransmit only the missing data segments.
UDPCONFIG
Use UDPCONFIG to configure various settings of the UDP protocol layer. NOUDPCHKSUM can be used to eliminate check summing overhead for IPv4 UDP packets. This option is ignored for UDP datagrams that are flowing over an IPv6 network, as UDP Checksum is a required function on an IPv6 network.

If RESTRICTLOWPORTS is specified, only applications that meet at least one of the following criteria are allowed to bind to low ports (1–1023):
  • The port is reserved for the application by the PORT or PORTRANGE statement.
  • The application runs with APF authorization.
  • The application runs with effective POSIX UID zero.

If an installation wants to control UDP buffering (to limit storage usage or to manage large bandwidth devices), use the UDPSENDBFRSIZE and UDPRCVBUFRSIZE parameters. UDPQUEUELIMIT can be used to set a queue limit for UDP. UDPQUEUELIMIT is useful for installations that want to limit the size of the queue of UDP datagrams that an application can have waiting before the TCP/IP address space starts discarding them.

Use EPHEMERALPORTS to limit the ephemeral port range that the TCP/IP stack uses to assign a port to a socket in the following situations:

  • An application issues an explicit bind() call for port 0
  • An application bypasses issuing an explicit bind() call
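
An added example (not part of the IBM sample or of any product code): a small Python check that reads PROFILE.TCPIP-style text and reports whether the security-relevant parameters described above (RESTRICTLOWPORTS on TCPCONFIG and UDPCONFIG, TTLS, IPSECURITY, ZERT) are active rather than commented out, including parameters on continuation lines. The comment handling, the exact-keyword matching (no abbreviations), the merging of repeated statements, and the list of expected settings are assumptions of this example.

```python
import re

# Statement names taken from the sample on this page, plus PORT/PORTRANGE.
STATEMENTS = {"ARPAGE", "GLOBALCONFIG", "IPCONFIG", "IPCONFIG6", "SOMAXCONN",
              "TCPCONFIG", "UDPCONFIG", "SRCIP", "ENDSRCIP", "DEFADDRTABLE",
              "ENDDEFADDRTABLE", "PORT", "PORTRANGE"}

# (statement, parameter, meaning of its absence): review policy assumed here.
EXPECTED = [
    ("TCPCONFIG", "RESTRICTLOWPORTS",
     "TCP ports below 1024 are not limited to authorized applications"),
    ("UDPCONFIG", "RESTRICTLOWPORTS",
     "UDP ports below 1024 are not limited to authorized applications"),
    ("TCPCONFIG", "TTLS", "stack is not configured for AT-TLS support"),
    ("IPCONFIG", "IPSECURITY", "IPSECURITY support is not enabled"),
    ("GLOBALCONFIG", "ZERT", "zERT processing is not enabled"),
]

def parse_profile(text):
    """Return {statement: set(parameters)}, merging repeated statements."""
    params, current = {}, None
    for line in text.splitlines():
        # Simplification: ';' at line start or after a blank begins a comment.
        line = re.split(r"(?:^|\s);", line, maxsplit=1)[0]
        for token in line.upper().split():
            if token in STATEMENTS:
                current = token            # a new statement starts here
                params.setdefault(current, set())
            elif current is not None:
                params[current].add(token)  # parameter, possibly continued
    return params

def audit(text):
    """Return a list of findings for the profile text."""
    params = parse_profile(text)
    findings = [f"{stmt} {parm} missing: {why}"
                for stmt, parm, why in EXPECTED
                if parm not in params.get(stmt, set())]
    if "DATAGRAMFWD" in params.get("IPCONFIG", set()):
        findings.append("IPCONFIG DATAGRAMFWD set: stack forwards datagrams")
    return findings

# Constructed input: active statements from Figure 1 plus a few of its
# commented-out examples, which must not count as configured.
SAMPLE = """\
ARPAGE 20
; GLOBALCONFIG ZERT AGGREGATION
IPCONFIG DATAGRAMFWD SYSPLEXROUTING
; IPCONFIG IPSECURITY
SOMAXCONN 10
TCPCONFIG TCPSENDBFRSIZE 32K TCPRCVBUFRSIZE 32K SENDGARBAGE FALSE
          RESTRICTLOWPORTS
; TCPCONFIG TTLS
UDPCONFIG RESTRICTLOWPORTS
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```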