
ibm.com yourdotcom
International Technical Support Organization and Authoring Services

System z and z/OS Networking 2009

www.ibm.com/redbooks

Enterprise Networking Solutions, RTP, Raleigh, NC, USA

2009 IBM Corporation


Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. 
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. 
You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Page 1

IBM ITSO - International Technical Support Organization


Trademarks, notices, and disclaimers


The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States or other countries or both:
Advanced Peer-to-Peer Networking AIX alphaWorks AnyNet AS/400 BladeCenter Candle CICS DB2 Connect DB2 DRDA e-business on demand e-business (logo) e business(logo) ESCON FICON GDDM HiperSockets HPR Channel Connectivity HyperSwap i5/OS (logo) i5/OS IBM (logo) IBM IMS IP PrintWay IPDS iSeries LANDP Language Environment MQSeries MVS NetView OMEGAMON Open Power OpenPower Operating System/2 Operating System/400 OS/2 OS/390 OS/400 Parallel Sysplex PR/SM pSeries RACF Rational Suite Rational Redbooks Redbooks (logo) Sysplex Timer System i5 System p5 System x System z System z9 Tivoli (logo) Tivoli VTAM WebSphere xSeries z9 zSeries z/Architecture z/OS z/VM z/VSE

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Red Hat is a trademark of Red Hat, Inc. SUSE LINUX Professional 9.2 from Novell Other company, product, or service names may be trademarks or service marks of others. This information is for planning purposes only. The information herein is subject to change before the products described become generally available. Disclaimer: All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an as is basis, without warranty of any kind.
All performance data contained in this publication was obtained in the specific operating environment and under the conditions described and is presented as an illustration. Performance obtained in other operating environments may vary and customers should conduct their own testing. Refer to www.ibm.com/legal/us for further legal information.


Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
IBM has two registered trademarks for the branding of ITSO publications. These registered marks are for the text word "IBM Redbooks" and the Redbooks logo. In a nutshell, the term Redbooks must always be used in the plural form (for both text and logo) since IBM only owns the registered mark for the plural form. Usage must follow the guidelines below.

Using the term Redbooks in written text: Redbooks are only to be referred to in the plural form, NEVER in the singular. For the initial reference (first occurrence), you must use "IBM Redbooks" and include "IBM" as well as the ® symbol. For instances thereafter you may use "Redbooks" without "IBM" preceding the word or following it.

Correct usage for written text: "In this IBM Redbooks® publication we will explore..." (® symbol required for 1st usage); "This Redbooks publication will show you..." (2nd usage or later, no ® or "IBM" needed).

Using the logo: Redbooks (logo)

OTHER ITSO PUBLICATIONS - Marks not yet registered: Trademark registration is a lengthy process and until we are officially registered, we cannot use the ® symbol. For those terms/logos in process, we will be using the ™ symbol. In contrast to the ® symbol (placed in the lower right hand corner), the ™ symbol is placed in the upper right hand corner. Please see examples below: Redpaper, Redpapers, Redwiki, Redwikis (each shown with the ™ symbol).

The following terms are trademarks of other companies: Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.


Agenda

Workshop introduction
z/OS V1R11 Communications Server:
  Application integration, data consolidation, and standards
  Availability and business resilience
  Scalability, performance, constraint relief, and accelerators
  Networking security
  Simplification and ease-of-use
  SNA and Enterprise Extender
  Virtualization
  Systems management and monitoring
What does Web services mean to your z/OS networking environment
Next generation Internet: IPv6
Roadmap for SNA modernization
Trends and direction

Disclaimer: All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an as is basis, without warranty of any kind.


Some practical information before we start

A certain level of familiarity with both SNA and TCP/IP networking technologies in general and on z/OS specifically is assumed. This is a technical update workshop. However, the content has been designed so that both the experienced and the not-so-experienced participant can expect to acquire useful new knowledge and skills.

Anything that says BEEP, BOINK, DING-DONG, or plays Beethoven's Ninth: please put phones into buzzer, vibrate, or whatever non-noisy mode they support.

Questions are welcome all the time.

We will take frequent breaks for coffee, tea, lunch, or other personal needs.


z/OS networking: what are the current focus areas?

Application integration, data consolidation, and standards
  IPv6 compliance (DoD, NIST, IPv6-forum)
  Extend support for SOA workload on z/OS: WAS, IMS, CICS, DB2
  Continue to support traditional workload on z/OS: TN3270, SNA, IMS, CICS, DB2, MQ, TSO, NetView, etc.

Security
  Continue to provide transparent networking security technologies (IPSec, SSL/TLS, Intrusion Detection, IP filtering, etc.)
  Continue to focus on true end-to-end security
  Enable customers to meet security compliance requirements (FIPS, PCI, DoD, NIST, etc.)
  Enable z/OS to be the enterprise-wide network security services hub

Scalability, performance, constraint relief and accelerators
  Release-to-release price/performance improvements
  Reduce latency and increase throughput for network I/O (OSA using Queued Direct I/O)
  DataPower System z integration improvements
  Exploit newest System z network adapters (OSA)

Virtualization, dynamic infrastructure, and Cloud computing
  Extend Virtual LAN support and OSA adapter sharing capabilities
  Virtual server clusters through the Dynamic Virtual IP Address (DVIPA) technologies

Systems management and monitoring
  Enable network management products by providing open interfaces to pertinent z/OS CS functions and data

Availability and business resilience
  Sysplex-wide IP workload management
  Sysplex-wide single system image for both SNA and IP workload

SNA and Enterprise Extender
  Keep SNA operational for as long as our customers need it
  Continue to support both an APPN/EE and a CCL/NCP based SNA infrastructure modernization strategy

Simplification and consumability
  GUI-based z/OS CS configuration
  Broaden scope of CS Config Assistant
  Improvements in time to value of Policy Agent

(Slide diagram: z/OS CS in the middle serving WAS, IMS, TN3270, TSO, CICS, FTP, MQ and DB2 through IPv6+IPv4, IPv4-only and SNA APIs over OSA to IPv4, IPv6 and SNA networks; labels "The services are in the cloud", "Full end-to-end security", "Multi-network protocol support" and "Traditional workload coexisting peacefully with SOA workload".)


z/OS Communications Server Redbooks

IBM Communications Server for z/OS V1R10 TCP/IP Implementation Volume 1: Base Functions, Connectivity, and Routing - SG24-7696
http://www.redbooks.ibm.com/redpieces/abstracts/sg247696.html?Open

IBM Communications Server for z/OS V1R10 TCP/IP Implementation Volume 2: Standard Applications - SG24-7697
http://www.redbooks.ibm.com/redpieces/abstracts/sg247697.html?Open

IBM Communications Server for z/OS V1R10 TCP/IP Implementation Volume 3: High Availability, Scalability, and Performance - SG24-7698
http://www.redbooks.ibm.com/redpieces/abstracts/sg247698.html?Open

IBM Communications Server for z/OS V1R10 TCP/IP Implementation Volume 4: Security and Policy-Based Networking - SG24-7699
http://www.redbooks.ibm.com/redpieces/abstracts/sg247699.html?Open

z/OS V1R11 versions of these Redbooks will be made available later this year or early 2010: Volume 1: SG24-7798, Volume 2: SG24-7799, Volume 3: SG24-7800, and Volume 4: SG24-7801. Search on http://www.ibm.com/redbooks

z/OS Communications Server homepage: http://www.ibm.com/software/network/commserver/zos


For more information

URL - Content
http://www.twitter.com/IBM_Commserver - IBM Communications Server Twitter Feed
http://www.facebook.com/IBMCommserver - IBM Communications Server Facebook Fan Page
http://www.ibm.com/systems/z/ - IBM System z in general
http://www.ibm.com/systems/z/hardware/networking/ - IBM Mainframe System z networking
http://www.ibm.com/software/network/commserver/ - IBM Software Communications Server products
http://www.ibm.com/software/network/commserver/zos/ - IBM z/OS Communications Server
http://www.ibm.com/software/network/commserver/z_lin/ - IBM Communications Server for Linux on System z
http://www.ibm.com/software/network/ccl/ - IBM Communication Controller for Linux on System z
http://www.ibm.com/software/network/commserver/library/ - IBM Communications Server library
http://www.redbooks.ibm.com - ITSO Redbooks
http://www.ibm.com/software/network/commserver/zos/support/ - IBM z/OS Communications Server technical support including TechNotes from service
http://www.ibm.com/support/techdocs/atsmastr.nsf/Web/TechDocs - Technical support documentation from Washington Systems Center (techdocs, flashes, presentations, white papers, etc.)
http://www.rfc-editor.org/rfcsearch.html - Request For Comments (RFC)
http://www.ibm.com/systems/z/os/zos/bkserv/ - IBM z/OS Internet library: PDF files of all z/OS manuals including Communications Server

For pleasant reading.



z/OS Communications Server architectural overview

Customer-written SNA and TCP/IP applications, plus IBM and OEM middleware using SNA and/or TCP/IP for network communications, use the Record API, APPC, CPI-C, BSD Sockets, Callable Sockets, ONC RPC, X-Windows, XTI, SNMP DPI, etc.

z/OS Communications Server provides:
  SNA and TCP/IP programming interfaces: generic APIs and systems management APIs
  Policy-based networking technologies (QoS, PBR, IDS, AT-TLS, IPSec)
  z/OSMF-based GUI configuration of policies
  Network workload management technologies: Sysplex Distributor, Load Balancing Advisor, SNA generic resources
  Dual TCP/IP stack in support of both IPv4 and IPv6
  Transparent network security services (AT-TLS, IPSec VPNs, IDS)
  Standard TCP/IP application suite (TN3270, FTP, SMTP, SNTP, etc.)
  IP system services (SNMPv3, OSPFv3, DNS, etc.)
  z/OS Sysplex-specific support for HA (Dynamic VIPA technologies)
  Legacy SNA support: SNA subarea and SNA APPN; SNA over TCP/IP (Enterprise Extender)
  Hardware device drivers for network interfaces (OSA QDIO, HiperSockets, XCF, MPC+, etc.)

(Slide diagram, top to bottom: TN3270 Services (Sysplex-enabled) and the SNA API layer; the UNIX LFS layer with the AF_INET PFS and AF_INET6 PFS; TCP/UDP/RAW over IPv4 and IPv6; SNA APPN/HPR over IP (EE) and SNA APPN with SNA subarea ISR and HPR; the Communications Storage Manager underneath. Network attachments and the protocols they carry: OSA OSN protocols on OSA-E2 and OSA-E3 (to CCL in the same-CEC System z) for SNA; OSA LSA protocols on all levels of OSA for SNA; System z channel protocols over ESCON and Fiber Channel for SNA, IPv4 and IPv6; XCF protocols over Coupling Facility (CF) links for SNA, IPv4 and IPv6; OSA QDIO protocols on OSA-E, OSA-E2 and OSA-E3 including VLAN support (up to 10 Gb) for IPv4 and IPv6; HiperSockets iQDIO protocols for IPv4 and IPv6; OSA LCS protocols on all levels of OSA for IPv4.)


Where does the z/OS Communications Server content come from?

Direct customer and vendor requirements: FITS requirements, Customer Advocate Program (CAP), SHARE, GuideShare Europe (GSE), System z Expo, zBLC, z/OS Communications Server Beta programs, ISV Technical Disclosure Meeting

IBM SWG platform competitiveness items: business resiliency, security, price/performance enhancements

Subsystem demands: architecture boards, SOA enablement, common components/shared services

IBM STG hardware and z/OS demands: mandatory changes due to z/OS changes; currently 10 network technologies on six generations of hardware; z/OS Communications Server does not control the priorities here

External network connectivity: OSA iQDIO, QDIO, XCF, MPC, LSA, CDLC

Standards bodies demands: approximately 50 of the 100 IETF working groups alter Internet protocols (TCP/IP, APIs, TN3270, FTP, DNS, SNMP, IPSec, ...)

System z platform compatibility issues (certifications)



Internal network connectivity: HiperSockets, VSWITCH, z/VM Guest LAN (2 modes)


z/OS V1R11 Communications Server release themes

Business scenario: z/OS customers need a secure, resilient system that is easy to use, is able to adapt to growing workloads, and supports existing and new applications. These needs lead to issues (pain, problems, and so on) that are addressed through the release themes.

Customer needs:
  Difficult-to-use systems and limited skills
  High cost of outages
  Ability to respond to workload growth and spikes
  Pressure of price/performance on distributed platforms
  Adapt to new workloads while maintaining legacy workload
  Increased interoperability and standards compliance
  Increased security requirements

Release themes:
  Simplification and Consumability
  Availability and Business Resilience
  System Management and Monitoring
  Scalability, Performance, Constraint Relief and Accelerators
  Application Integration, Data Consolidation, and Standards
  SNA and EE
  Virtualization
  Security

(Slide diagram: z/OS CS surrounded by CICS, WAS, DB2, IMS and Tivoli, with the customer needs mapped onto the release themes.)

Application integration, data consolidation, and standards

New SMTP client for sending Internet mail
FTP access to z/OS UNIX named pipes
FTP large-volume access
FTP passive mode enhancements
CICS sockets enhancements
Customizable pre-logon banner for otelnetd
Remote execution server enhancements
TN3270 support of TSO logon reconnect
IPv6 stateless address auto-configuration enhancements
New API to obtain IPv4 network interface MTU
RFC 5095 deprecation of IPv6 type 0 routing header

Existing SMTPD (SMTP/NJE gateway)

The SMTP server (SMTPD) mail gateway provides important mail services for business applications on z/OS:
  Heavily used for sending mail from MVS batch and TSO to Internet destinations
  SMTPD reads JES spool data sets created from batch jobs and TSO users, locally and from the NJE network
  Acts as an SMTP MTA; does not use the system resolver and can resolve individual recipient addresses to deliver mail to their destinations
  Acts as a listening MTA server, accepting mail and sending it to the next hop, or delivering it to local or NJE users

SMTPD is showing its age

Many requirements from customers need to be addressed:
  Uses the older RFC 821 and RFC 822, when newer RFCs are available
  AT-TLS for TLS/SSL is not supported
  IPv6 is not supported
  Performance and DASD problems:
    Single threaded
    Fully capable MTA role: resolves the recipient with an attempt to deliver each note (with required retry attempts with a minimum of 1 day), which causes heavy I/O use
    Stores each mail read from spool to DASD

Sendmail has not been very popular among z/OS installations: it is perceived as being too complex for the purpose of just mailing from z/OS.

SMTPD continues to be supported on z/OS, for those customers who may have a need to continue to receive mail into TSO.

CSSMTP - New SMTP client for sending Internet mail

Allows existing users of SMTPD that use the forwarder feature to migrate easily
Uses newer mail standards and additional message size and security RFCs
Improves performance and storage management issues with SMTPD when forwarding mail
Improved usability features: displays, changes, configuration, logging
Allows multiple JES spool processing threads and concurrent IP connection threads
Supports both IPv4 and IPv6 addresses

CSSMTP: Read and forward mail messages from JES spool data set

(Slide diagram: on z/OS, CSSMTP 1. reads mail from the spool of JES Node1, which also receives mail from JES Node2 and JES Node3 over the JES network, 2. processes it and 3. forwards it across the Internet to target servers Destination 1, Destination 2 and Destination 3, the last shown as a Sendmail daemon 8.12.1. A separate Final Destination beyond the target servers is marked "Not Required".)

CSSMTP, SMTPD and Sendmail can all run on z/OS simultaneously

TIP: All z/OS mailers can be run concurrently.

(Slide diagram: a z/OS application writes to SYSOUT, which lands on the JES spool. CSSMTP (an SMTP client) reads the spool and sends with the (E)SMTP protocol into the SMTP network. SMTPD (an MTA) reads the spool and the NJE network (TSO users on z/OS, z/VSE and z/VM) and uses the SMTP protocol. z/OS Sendmail (an MTA) serves z/OS UNIX shell users and non-z/OS users that use z/OS Sendmail as their target server, with the IMAP, POP and (E)SMTP protocols.)

Page 20
IBM ITSO - International Technical Support Organization

2009 IBM Corporation

ibm.com

yourdotcom

International Technical Support Organization and Authoring Services

Configuring CSSMTP

Configuration file:
  The CONFIG DD in the started procedure names a PDS(E) member, an MVS sequential data set or a z/OS UNIX file
  A sample configuration file is located in SEZAINST(CSSMTPCF)
  CSSMTP will fail initialization if no configuration file is found
  The TargetServer statement is the only required configuration statement


Configuring the TargetServer statement

Used to configure target servers and their connection attributes; target servers are used for sending mail messages.
Use either parameter set 1) or 2) to define target servers:
  1) TargetIP, TargetName (or both)
  2) TargetMx
Up to four target servers will be used.
Multiple TargetServer statements can be used for TargetIP, TargetName or both. TargetIP defines a single configured IP address; TargetName or TargetMx resolves to one or more IP addresses, each representing a target server.

Configuring mail error handling

RetryLimit statement
Retry count and interval time when attempting to resend mail messages that are not immediately deliverable

Undeliverable statement
Method to use for handling undeliverable mail messages and whether to create an undeliverable mail notification

Report statement
Use to set the action required for error reporting on JES spool files

MailAdministrator statement
Defines an e-mail address to receive error reports

Starting and stopping CSSMTP

Start CSSMTP as a z/OS started procedure; a sample is in SEZAINST(CSSMTP). You should start and stop it from the operator console: start jobname or stop jobname.

Start options:
  -p or P tcpipJobName  Use in a common INET environment to choose a specific TCPIP stack
  -f or F               Use to perform a cold start and flush any checkpoint records from the previous execution

Must run under a SAF user ID with an associated OMVS segment; UID zero is not required.
Must reside in an APF-authorized library.



Display CSSMTP targets

How to follow mail progress using the display targets command:

F CSSMTP,D,TARGET
EZD1831I CSSMTP TARGETS:
GLOBAL INFORMATION:
  MAIL SENT : 1562   TOTAL RETRY : 15   CURRENT RETRY: 0
  DEADLETTER: 0      UNDELIVER : 0
TARGET SERVER 2000:197:2:107::1
  STATE : ACTIVE   ESMTP : YES   STARTTLS : NO   MESSAGE SIZE : 0
  MAIL SENT : 438   MAIL ATTEMPTS: 493   CONNECT FAIL : 0
TARGET SERVER 197.11.108.1
  STATE : ACTIVE   ESMTP : NO    STARTTLS : NO   MESSAGE SIZE : 524288
  MAIL SENT : 350   MAIL ATTEMPTS: 350   CONNECT FAIL : 0
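Reading this display by eye works for two targets; an operator or auditor who polls it regularly wants the counters parsed and the interesting ones flagged. The following is an added example, not IBM's code: it parses the key/value layout of the display into per-target records and reports targets that negotiated no STARTTLS, recorded connection failures, or have more attempts than deliveries. SAMPLE_DISPLAY carries the page's own numbers in a line layout that is my assumption, not the exact console format.

```python
"""Added example (not IBM's code): parse the CSSMTP display-targets output
and turn it into findings. The counter names are those the page shows;
SAMPLE_DISPLAY is constructed from the page's values in an assumed layout."""

import re

SAMPLE_DISPLAY = """\
EZD1831I CSSMTP TARGETS:
GLOBAL INFORMATION:
  MAIL SENT : 1562   TOTAL RETRY : 15   CURRENT RETRY: 0
  DEADLETTER: 0      UNDELIVER : 0
TARGET SERVER 2000:197:2:107::1
  STATE : ACTIVE   ESMTP : YES   STARTTLS : NO   MESSAGE SIZE : 0
  MAIL SENT : 438   MAIL ATTEMPTS: 493   CONNECT FAIL : 0
TARGET SERVER 197.11.108.1
  STATE : ACTIVE   ESMTP : NO    STARTTLS : NO   MESSAGE SIZE : 524288
  MAIL SENT : 350   MAIL ATTEMPTS: 350   CONNECT FAIL : 0
"""

# A counter name is upper-case words separated by single spaces, then a colon.
PAIR = re.compile(r"([A-Z]+(?: [A-Z]+)*)\s*:\s*(\S+)")


def parse_cssmtp_targets(text):
    """Return (global counters, list of per-target dicts with a 'server' key)."""
    global_info, targets, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("TARGET SERVER "):
            # The address may be IPv6, so it is taken whole, not via PAIR.
            current = {"server": line[len("TARGET SERVER "):].strip()}
            targets.append(current)
            continue
        if line.endswith(":"):          # section headers carry no values
            continue
        for key, value in PAIR.findall(line):
            bucket = current if current is not None else global_info
            bucket[key] = int(value) if value.isdigit() else value
    return global_info, targets


def review_targets(text):
    """Findings an operator wants from the display: backlog, cleartext, failures."""
    global_info, targets = parse_cssmtp_targets(text)
    findings = []
    for key in ("DEADLETTER", "UNDELIVER"):
        if global_info.get(key, 0):
            findings.append(f"{key}: {global_info[key]} messages need attention")
    for t in targets:
        name = t["server"]
        if t.get("STARTTLS") != "YES":
            findings.append(f"{name}: STARTTLS NO, mail to this target is sent in the clear")
        if t.get("CONNECT FAIL", 0):
            findings.append(f"{name}: {t['CONNECT FAIL']} connection failures")
        attempts, sent = t.get("MAIL ATTEMPTS", 0), t.get("MAIL SENT", 0)
        if attempts > sent:
            findings.append(f"{name}: {attempts - sent} of {attempts} attempts did not deliver")
    return findings


if __name__ == "__main__":
    for finding in review_targets(SAMPLE_DISPLAY):
        print(finding)
```

On the page's values this reports both targets as STARTTLS NO and the IPv6 target as having 55 of 493 attempts not delivered, which is the TOTAL RETRY traffic seen from the target's side.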


The logic of trying to send a mail message

(Slide flowchart; messages MSG1, MSG2, ... are read from the JES spool through JES I/O and each goes through the following steps:)

1. Try the initial send. OK? Yes: MSG1 done. This is the normal loop.
2. Not OK: permanent error? No: enter the long retry. Retry exceeded? No: try to send again. OK? Yes: MSG1 done. No: back to "Retry exceeded?". The retry count and the wait between attempts are governed by the RetryLimit statement options.
3. Permanent error, or retry exceeded: ReturnToMailFrom? Yes: try to send an undeliverable mail notification. OK? Yes: MSG1 done. Notification not OK, or ReturnToMailFrom No: write the message to the dead letter queue; MSG1 done. This path is governed by the Undeliverable statement options.


Migrating an SMTP/NJE setup to CSSMTP - example

Is your current SMTP/NJE server configured as a simple mail forwarder?
   IPMAILERADDRESS a.b.c.d
   RESOLVERUSAGE NO

Then create a CSSMTP configuration file with the same mail server address:
   TargetIP a.b.c.d     or     TargetName host.xyz.com

Set the ExtWrtName to what you used for your old SMTP/NJE server:
   ExtWrtName writername

Complete sample CSSMTP configuration file from the slide:

RetryLimit
{
   Count         5        # number of times the CSSMTP application will attempt to resend
   Interval      1        # amount of time in minutes the CSSMTP application will wait
                          # each time before attempting to resend
}
TargetServer
{
   TargetName    d03nm118.boulder.ibm.com
   ConnectPort   25       # port to connect to target server
   ConnectLimit  5        # limit the number of concurrent connections to the target server
   MaxMsgSent    0        # when to take down a connection to a target server and reconnect
   MessageSize   524288   # size for non-ESMTP target servers
   Secure        No       # no Transport Layer Security
}
Timeout
{
   AnyCmd        300      # waits for response on any other SMTP command
   ConnectRetry  120      # waits before trying again to connect
   DataBlock     180      # waits for the TCP send call to complete while transferring a block of data
   DATACmd       120      # waits for response on DATA command
   DataTerm      600      # waits for response from the final period terminating the message data
   InitialMsg    300      # waits for initial response after the connection is established
   MAILCmd       300      # waits for response on MAIL command
   RCPTCmd       300      # waits for response on RCPT command
}
BadSpoolDisp       Hold                 # Hold or Delete
ChkPointSizeLimit  64000                # number of concurrent mail that will have checkpoint information
ExtWrtName         SMTPCS2              # the external writer name
JESJobSize         0                    # Thousands (no max specified)
JESMsgSize         0                    # Thousands (no max specified)
LogLevel           32                   # Error and various events
MailAdministrator  alfredch@us.ibm.com
Report             Sysout               # Admin, None, Sysout
Translate          ibm-1047
Undeliverable
{
   DeadLetterAction     Store           # Store or Delete
   DeadLetterDirectory  /var/dl         # z/OS UNIX file system fully qualified directory name
                                        # to create the dead letter mail messages
   ReturnToMailFrom     Yes             # Yes or No
}
UserExit           None                 # None, Version2 or Version3


FTP access to UNIX named pipes (also known as FIFOs)


- Helps save total processing time when pre/post processing is needed for files transferred from/into z/OS
- Support available in both the z/OS FTP client and server
- FTP can be either the reading end or the writing end of the pipe
- PTFs for prior releases: APAR PK71213 provides z/OS FTP server support on z/OS V1R8, V1R9, and V1R10

[Figure: example based on the DB2 batch load utility. Before: distributed data -> distributed FTP client -> z/OS FTP server -> temporary intermediate file on z/OS (store and forward) -> DB2 batch load utilities -> DB2. After: distributed data -> distributed FTP client -> z/OS FTP server -> z/OS UNIX pipe between the z/OS FTP server and the DB2 batch load utilities -> DB2: an unbroken pipe from the distributed data to DB2.]

The SAP on DB2 for z/OS Unicode FASTLOAD conversion utility exploits named pipes.


Overview of z/OS FTP UNIX pipe support


- The sample commands allow all components up to 60 seconds to open the FIFO end points for read or write; you can extend that if need be
- When all three pipes (/var/appafifo, the FTP data TCP connection, and /var/appbfifo) have been successfully opened, transfer can begin
- When Application A writes a byte onto /var/appafifo, it will within a very short period of time (milliseconds) arrive at Application B as data to be read over /var/appbfifo
- An unbroken pipe between Application A and Application B with no store-and-forward in between

[Figure: Application A writes to /VAR/APPAFIFO; the FTP client reads it and writes onto the FTP data connection; the FTP server reads the data connection and writes to /VAR/APPBFIFO; Application B reads from it.]

Sample commands (new client and server FTP.DATA options, LOCSITE, and SITE commands):

  LOCSITE UNIXFILETYPE=FIFO
  LOCSITE FIFOOPENTIME=60
  LOCSITE FIFOIOTIME=20
  SITE UNIXFILETYPE=FIFO
  SITE FIFOOPENTIME=60
  SITE FIFOIOTIME=20
  PUT /VAR/APPAFIFO /VAR/APPBFIFO


z/OS FTP's journey to extended address volumes

z/OS V1R10
- DFSMS added support for VSAM data sets in the Extended Addressing Space (EAS)
- FTP doesn't support VSAM data sets, so no impact

z/OS V1R11
- DFSMS adds support for extended format sequential data sets eligible to reside in the EAS
- FTP adds support for reading/writing to/from existing EAS data sets, but not creating them (toleration mode)
- FTP to understand Format-8 DSCBs
- FTP to use TRKADDR for track calculations
- FTP qdisk option output for SITE/LOCSITE will change to (sample):

  ftp> quote site qdisk
  200-         Percent  Free    Free    Largest     Free  Use
  200- Volume  Free     Cyls    Trks    Cyls-Trks   Exts  Attr
  200- CPDLB3  45       1507    108     1440  2     22    Storage
  200- CPDLB0  44       80486   156     461   0     25    Storage
  200- CPDLB1  99       66619   5       65362 5     3     Storage
  200 SITE command was accepted
  ftp>

[Figure: DASD capacity growth. 2314-1: 29 MB, ~300 cyl; 3330-1: 101 MB, 404 cyl; 3350: 317 MB, 555 cyl; 3390-3: 3 GB, 3,339 cyl; 3390-9: 9 GB, 10,017 cyl; 3390-9: 27 GB, 32,760 cyl; 3390-9: 54 GB, 65,520 cyl; 3390-A EAV: 223 GB*, 262,668 cyl; architectural limit: 100s of TB*. On the EAV the space above the track-addressed (CCHHR) part is the EAS, shown holding VSAM data sets, extended format data sets, etc. in 21-cylinder allocation units; the CCHHR part holds all data set types, including catalogs, page space and KEYRANGE or IMBED data sets.]


FTP extended passive mode (even when servers dont know what it is)
- Extended passive mode FTP transfer solves a set of problems with FTP through NAT firewalls
- But not all FTP servers support extended passive mode
- New z/OS FTP client support emulates extended passive mode behavior even when the remote FTP server does not support EPSV

[Figure: Company A intranet: z/OS FTP client with private IP address 10.1.1.1; its NAT firewall translates 10.1.1.1 to the external address 1.1.1.1. Company B intranet: non-z/OS FTP server that does not support EPSV, private IP address 192.168.1.1; its NAT firewall translates 192.168.1.1 to the external address 2.2.2.2. Control connection: the client issues "ftp 2.2.2.2"; packets travel as src=10.1.1.1 dest=2.2.2.2 on the Company A intranet, src=1.1.1.1 dest=2.2.2.2 on the Internet / public net, and src=1.1.1.1 dest=192.168.1.1 on the Company B intranet (replies take the reverse path). The client sends PASV; the server answers "227 Entering Passive Mode (192.168.1.1, 60001)". The z/OS client ignores 192.168.1.1 in the 227 reply and connects back to 2.2.2.2 port 60001 for the data connection.]
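The behavior in the figure, as an added example that is not the z/OS FTP client's code: only the port is taken from the server's 227 reply and the data connection goes back to the address the control connection already uses, which is exactly what a native EPSV (229) reply gives you. The slide's "(192.168.1.1, 60001)" is written here in its RFC 959 wire form h1,h2,h3,h4,p1,p2; the addresses are the slide's, the function names are this example's own.

```python
"""Passive-mode replies through a NAT, with EPSV emulation (illustrative model)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
_PASV_RE = re.compile(r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"; carries no address at all
_EPSV_RE = re.compile(r"^229\D*\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class DataEndpoint:
    host: str                   # address the client will actually connect to
    port: int
    advertised: Optional[str]   # address the server put in its 227 reply, if any
    emulated_epsv: bool         # True when a 227 reply was handled as if it were 229


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """(host, port) from a 227 reply, with the octets and port range checked."""
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a well-formed 227 reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in 227 reply: {reply!r}")
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("server advertised port 0")
    return ".".join(str(f) for f in fields[:4]), port


def parse_epsv_reply(reply: str) -> int:
    """Port from a 229 reply; the address is, by design, the control peer."""
    m = _EPSV_RE.match(reply)
    if not m:
        raise ValueError(f"not a well-formed 229 reply: {reply!r}")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in 229 reply: {reply!r}")
    return port


def data_endpoint(reply: str, control_peer: str, emulate_epsv: bool = True) -> DataEndpoint:
    """Decide where the data connection goes.

    A native EPSV reply never carries an address, so the control peer is used.
    With emulate_epsv=True a 227 reply is treated the same way and the advertised
    address is ignored; emulate_epsv=False is the classic PASV behavior.
    """
    if reply.startswith("229"):
        return DataEndpoint(control_peer, parse_epsv_reply(reply), None, False)
    if reply.startswith("227"):
        host, port = parse_pasv_reply(reply)
        if emulate_epsv:
            return DataEndpoint(control_peer, port, host, True)
        return DataEndpoint(host, port, host, False)
    raise ValueError(f"unexpected reply to PASV/EPSV: {reply!r}")


def nat_hidden_address(ep: DataEndpoint) -> bool:
    """True when the 227 reply advertised an address other than the one the control
    connection reached: the symptom of a server behind NAT. Classic PASV would try
    to connect to that address and fail or time out."""
    return ep.advertised is not None and ep.advertised != ep.host


def demo() -> dict:
    """The slide's scenario: the client reaches 2.2.2.2, behind which the server
    sits at 192.168.1.1 and advertises that private address plus port 60001."""
    reply = "227 Entering Passive Mode (192,168,1,1,234,97)"   # 234*256 + 97 = 60001
    classic = data_endpoint(reply, "2.2.2.2", emulate_epsv=False)
    emulated = data_endpoint(reply, "2.2.2.2", emulate_epsv=True)
    return {
        "classic_target": (classic.host, classic.port),
        "emulated_target": (emulated.host, emulated.port),
        "nat_hidden": nat_hidden_address(emulated),
        "advertised_is_private": ipaddress.ip_address(emulated.advertised).is_private,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```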


CICS Sockets enhancements in z/OS V1R11


- About 75% of z/OS customers use CICS Sockets
  - Of those, around 40% have enabled CICS Sockets in an Open Transaction Environment (OTE)
  - Most run heavy workloads, over 300 transactions per second
- Rebased CICS Sockets on the latest CICS TS release, CICS TS 4.1
  - Compatible with earlier CICS TS releases, except when the Open Transaction Environment (OTE) is used with TCBLIM > zero
  - Various internal structural changes to use relative branching technologies
- CICS TS 4.1 OTE support for CICS Sockets with TCBLIM > zero
  - OTE uses CICS open TCBs (L8 TCBs)
  - TCBLIM is a CICS Sockets configuration option that limits the number of L8 TCBs CICS Sockets may use (out of CICS's MAXOPENTCBS total limit on L8 TCBs)
  - If TCBLIM is defined with a value greater than zero on a CICS TS 4.1 system, one of the following requirements must be met: z/OS V1R11 (OK as-is); z/OS V1R10 + APAR PK85446; z/OS V1R9 + APAR PK85446

[Figure: a CICS TS region containing the transactions LST1, LST2 and TRNA, EZAO, EZAC, PLTx, the configuration file, the TRUE and a pool of reusable socket subtasks or OTE threads, connected to the TCP/IP stack.]


OtelnetD support for both pre-login and post-login banners


- Post-login banner has been supported all the time: /etc/banner
- Pre-login banner added in this release: /etc/otelnetd.banner
- Display of both banners can be suppressed via a -h OtelnetD start option in the inetd configuration file:

  #======================================================================
  # service | socket | protocol | wait/ | user    | server             | server program
  # name    | type   |          | nowait|         | program            | arguments
  #======================================================================
  #
  otelnet    stream   tcp        nowait  bpxroot   /usr/sbin/otelnetd   otelnetd -m

  You would add a -h flag here if you wanted to suppress display of the banners.

/etc/banner:

  *
  * Welcome to the UNIX telnet server on
  * mvs098o.tcp.raleigh.ibm.com.
  * You are now logged in.
  *

/etc/otelnetd.banner:

  *
  * This system is to be used for
  * management approved purposes only.
  *


Sample logon to OtelnetD using both banners


Improved REXECD remote job management


- REXECD more aggressively cleans up internal job table entries for purged or stalled jobs
  - Helps when REXECD is started with PURGE=N
  - A maximum of 9999 jobs can be active
- New messages written to the console when REXECD detects there are too many jobs
  - Issued when 85% of the available jobs are used:

  EZA4434I rexecd: Number of available job numbers is being depleted
  EZA4435E rexecd: Number of available jobs is depleted No jobs can be started



Improved TSO LOGON reconnect processing through TN3270

[Figure: a client's TCP connection terminates in the TN3270 server, which represents it as SLU LUX in an SNA session with PLU TSOA001, the TSO address space of USERxxxx; the LOSTERM exit is driven when the session is lost.]

- Combined effort by TSO and CS development
- New LOGONHERE option in the IKJTSOxx member to enable the new support: LOGONHERE(ON), the default, or LOGONHERE(OFF)
- Enables reconnecting a TSO user from a new SNA session: if an old SNA session exists when the user attempts to reconnect, the old SNA session is disconnected and the TSO logon reconnect proceeds
- Helps further reduce the number of "USERID already in use" errors
- Make sure you don't have RECONLIM=0 in your TSOKEY00 member

[Table "TSO Reconnect Possible": rows for a single session, multiple sessions and NATed connectivity; columns for the mechanisms TKOGENLU[RECON], CheckClientConn, TKOSPECLU[RECON], TSO LOGONHERE and TIMEMARK/SCANINTERVAL (cell values not recoverable).]


TSO reconnect example


IPv6 development status on z/OS Communications Server (status as of z/OS V1R11)

z/OS V1R4
- Stack support for IPv6 base functions (APIs, protocol layers)
- Resolver
- High speed attach (OSA-Express QDIO)
- Service tools (trace, dump, and so on)
- Configuration and netstat, ping, traceroute, SMF
- Static routing
- FTP, otelnetd, UNIX rexec, UNIX rshd/rexecd

z/OS V1R5
- IPv6 network management Phase 1: applications and DPI ready, version-neutral TCP/IP standard MIBs, additional SMF records
- Applications/clients/APIs: TN3270 server, CICS sockets, sendmail, ntp, dcas, rxserve, rsh client
- Enterprise Extender
- Point-to-point type DLCs
- Dynamic routing protocol with OMPROUTE (RIPng)

IPv6 Phase 2 Ready

z/OS V1R6
- Sysplex exploitation (Dynamic VIPA, Sysplex Distributor functions)
- Dynamic routing protocol with OMPROUTE (OSPFv3)
- Additional network management MIBs

z/OS V1R7
- SNMP UDP standard MIB (RFC 2013) and IBM MVS TCP/IP enterprise-specific MIB for UDP
- Advanced Socket API support (RFC 3542)
- IPv6 two default routers, required for IPv6 compliance
- IPv6 over HiperSockets

z/OS V1R8
- Integrated filtering and IPSec for IPv6
- RPCBIND server

z/OS V1R9
- RFC currency
- Scoped IPv6 architecture APIs
- After z/OS V1R9: Extended Stats MIB, OSPFv3 MIB

z/OS V1R10
- FRCA
- Resolver enhancements

z/OS V1R11
- SMTP client IPv6 enabled from the start
- Privacy extensions and stateless address auto-configuration enhancements
- Type 0 Routing Header deprecation


Security concern with stateless address auto-configuration


RFC 4941: Privacy Extensions for Stateless Address Auto-configuration in IPv6
- RFC 4941 addresses a potential security concern that can arise with the use of stateless address autoconfiguration. An auto-configured address contains an embedded static interface identifier. The static interface ID makes it possible to correlate independent transactions even if the overall IPv6 address changes.
- RFC 4941 also defines solutions:
  - A mechanism to generate a random interface ID that changes over time
  - A mechanism to generate an IPv6 temporary auto-configured address using the random interface ID
- Temporary auto-configured addresses have the same characteristics as public autoconfigured addresses:
  - generated when a router advertisement is processed
  - deprecated at the end of the preferred lifetime
  - deleted at the end of the valid lifetime
- A short-lived client application can use temporary addresses to make it more difficult to correlate activity, but:
  - a server needs a known IP address so that it can be reached by clients
  - a long-lived client connection can become unusable if the source IP address is deleted while the connection is active
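The two mechanisms above, as an added example that is not z/OS Communications Server code: the randomized interface identifier of RFC 4941 section 3.2.1 (MD5 over the previous history value and the stable EUI-64 identifier, left 64 bits kept, u/l bit cleared) and the lifetime rule of section 3.3 that makes a temporary address deprecate and then disappear. The MAC address, prefix, history seed and router-advertised lifetimes are constructed sample values.

```python
"""RFC 4941 temporary interface identifiers and addresses (illustrative)."""
import hashlib
import ipaddress
from typing import FrozenSet, Tuple

# RFC 4941 section 5 defaults, in seconds.
TEMP_VALID_LIFETIME = 7 * 24 * 3600
TEMP_PREFERRED_LIFETIME = 24 * 3600


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A):
    insert ff:fe in the middle and invert the universal/local bit (0x02 of byte 0).
    This is the static identifier that makes autoconfigured addresses correlatable."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def _reserved_iid(iid: bytes) -> bool:
    """Interface identifiers reserved by RFC 5453, which RFC 4941 says to skip."""
    v = int.from_bytes(iid, "big")
    return (v == 0                                             # subnet-router anycast
            or 0x02005EFFFE000000 <= v <= 0x02005EFFFEFFFFFF   # IANA EUI-64 block
            or 0xFDFFFFFFFFFFFF80 <= v <= 0xFDFFFFFFFFFFFFFF)  # reserved subnet anycast


def next_temporary_iid(history: bytes, stable_iid: bytes,
                       in_use: FrozenSet[bytes] = frozenset()) -> Tuple[bytes, bytes]:
    """RFC 4941 section 3.2.1: return (randomized IID, next history value).

    MD5 is the mixing function the RFC specifies; nothing relies on it for
    integrity or secrecy. A reserved or already-used identifier is skipped by
    iterating with the new history value, as the RFC requires."""
    if len(history) != 8 or len(stable_iid) != 8:
        raise ValueError("history value and interface identifier are 64 bits each")
    while True:
        digest = hashlib.md5(history + stable_iid).digest()
        iid = bytearray(digest[:8])     # left 64 bits become the identifier
        iid[0] &= 0xFD                  # bit 6 (u/l) := 0, "locally generated"
        history = digest[8:]            # right 64 bits seed the next identifier
        if not _reserved_iid(iid) and bytes(iid) not in in_use:
            return bytes(iid), history


def address_from_iid(prefix: ipaddress.IPv6Network, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a router-advertised /64 prefix with an interface identifier."""
    if prefix.prefixlen != 64:
        raise ValueError("stateless autoconfiguration prefixes are /64")
    return ipaddress.IPv6Address(int(prefix.network_address) | int.from_bytes(iid, "big"))


def temporary_lifetimes(public_preferred: int, public_valid: int,
                        desync_factor: int) -> Tuple[int, int]:
    """RFC 4941 section 3.3 step 4: (preferred, valid) lifetimes of a temporary address.
    It is deprecated at the end of the preferred lifetime and deleted at the end of
    the valid lifetime, like a public address, but never lives longer than the caps."""
    preferred = min(public_preferred, TEMP_PREFERRED_LIFETIME - desync_factor)
    valid = min(public_valid, TEMP_VALID_LIFETIME)
    return preferred, valid


def demo() -> Tuple[str, str, str]:
    """Stable address and two successive temporary addresses for one prefix."""
    prefix = ipaddress.IPv6Network("2001:db8:1:2::/64")    # documentation prefix
    stable = eui64_from_mac("00:1a:2b:3c:4d:5e")           # constructed MAC
    history = bytes.fromhex("0011223344556677")            # constructed seed; use random bits in practice
    iid1, history = next_temporary_iid(history, stable)
    iid2, history = next_temporary_iid(history, stable)
    return (str(address_from_iid(prefix, stable)),
            str(address_from_iid(prefix, iid1)),
            str(address_from_iid(prefix, iid2)))


if __name__ == "__main__":
    for label, addr in zip(("stable (EUI-64)", "temporary #1", "temporary #2"), demo()):
        print(f"{label:16} {addr}")
    print("lifetimes (preferred, valid):", temporary_lifetimes(604800, 2592000, 300))
```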
Page 39

Agenda
- Workshop introduction
- z/OS V1R11 Communications Server
  - Application integration, data consolidation, and standards
  - Availability and business resilience
  - Scalability, performance, constraint relief, and accelerators
  - Networking security
  - Simplification and ease-of-use
  - SNA and Enterprise Extender
  - Virtualization
  - Systems management and monitoring
- What does Web services mean to your z/OS networking environment
- Next generation Internet: IPv6
- Roadmap for SNA modernization
- Trends and direction

Disclaimer: All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an "as is" basis, without warranty of any kind.


Availability and business resilience

- OMPROUTE detection of duplicate router ID
- Improved responsiveness to storage shortage conditions
- Disable moving DVIPA as source IP address
- Support for enhanced WLM routing algorithms


OMPROUTE to aid in detecting duplicate router IDs


- If multiple OSPF routers use the same router ID, routing problems will occur
  - Routes are continuously added and deleted by neighboring routers
  - Increased OSPF traffic as the designated router floods new LSAs
  - Packet loss or connectivity loss, depending upon the routing environment
- The problem can be difficult to diagnose due to varied symptoms
- OMPROUTE will detect when another adjacent OSPF router is using the same router ID as this OMPROUTE instance
- Message EZZ8165I is issued to the console once every 10 minutes per OSPF version (IPv4 or IPv6)

[Figure: two adjacent OSPF routers both announcing "My router ID: 10.1.1.1" to a neighbor at 10.1.1.254, which cannot tell them apart ("?? ?").]


Improved responsiveness to storage shortage conditions


- Improved OMPROUTE tolerance for storage shortage situations
- Improved handling of situations where slow applications use excessive amounts of storage buffers at the transport protocol layer
- Throttle the amount of parallel QDIO operations
- Data-link control (DLC) level discard of QDIO input buffers to relieve inbound overrun

When a storage shortage occurs:
- Stay up!
- Throttle workload at the source
- Prevent network spikes from monopolizing common z/OS storage
- Report which connections use excessive amounts of storage

[Figure: the data path OSA -> QDIO RECV -> memory (with page space behind it) -> application, and application -> SEND -> QDIO -> OSA.]


Communications Server virtual storage overview


[Figure: z/OS virtual storage map from 0 to 16 EB (Kilo 2**10, Mega 2**20, Giga 2**30, Tera 2**40, Peta 2**50, Exa 2**60), with three address spaces side by side: System Resolver, TCP/IP and VTAM.
  Above the 2 GB bar: high resolver private; high TCP/IP private and 64-bit shared (TCP/IP for SCBs); high VTAM private.
  Below the bar and above 16 MB: extended resolver private; extended TCP/IP private; extended VTAM private; common area: ECSA (TCP/IP use, VTAM use, CSM use), extended nucleus, ESQA.
  Below 16 MB: low resolver private (cache); low TCP/IP private; low VTAM private; LPA, SQA, nucleus, CSA (both VTAM and TCP/IP use a little), PSA.
  Data spaces: CSM Data Space 31 (backed by 31-bit real storage frames) and CSM Data Space 64 (backed by 64-bit real storage frames).
  Legend: resolver private, TCP/IP private, VTAM private, and storage used by VTAM, TCP/IP and CSM together.]

- Both TCP/IP and VTAM use various forms of common storage
- The shared Communications Storage Manager (CSM) component also uses common storage in addition to data spaces
- Common storage is a limited resource for which many components on z/OS contend
- During abnormal scenarios, network spikes can cause transient demands for significant amounts of common storage

Storage shortages and OMPROUTE


OMPROUTE and the TCP/IP stack work together to make OMPROUTE more tolerant of storage shortage conditions:
- The TCP/IP stack informs OMPROUTE of stack storage shortage conditions
- During a storage shortage, OMPROUTE temporarily suspends its requirement for periodic routing updates from neighbor routers
- The TCP/IP stack ensures that dispatchable units for OMPROUTE can always obtain the control blocks that they require
- The TCP/IP stack satisfies storage requests for OMPROUTE as long as storage remains available

Effect:
- Temporarily keeps OMPROUTE from timing out routes due to lack of routing updates from neighbor routers during a storage shortage
- Decreases the likelihood of OMPROUTE exiting or failing to send routing updates to neighbor routers

[Figure: the TCP/IP stack between two routers and OMPROUTE. Stack: "Storage shortage!!!"; OMPROUTE: "OK, I'll tolerate for a period not hearing from those guys as fast as I normally want to hear from them!!!!" and "Get me one of those outbound buffers you've reserved for me!!!"; the routers: "Hello, I am still here!!!" and "Hello, we are here too!!!".]


Storage shortages and slow or stalled applications


[Figure: a stalled local receiving application with a full receive buffer in the local TCP/IP stack on z/OS, fed by a remote sending application through the remote TCP/IP stack's send buffer; and a local sending application with a full send buffer in the local TCP/IP stack, whose data is not consumed by a stalled remote receiving application behind the remote stack's receive buffer.]

Data in a send buffer is page fixed awaiting I/O operations to be initiated.
- When an application is not making progress or fixed storage is constrained, all new data added to the TCP send queue is marked as pageable
- When storage becomes constrained, all unsent data on the send queues for all non-local TCP connections is marked as pageable
- Before data is sent to the remote stack it is changed back to fixed, as required by the DLC

It was very difficult to identify which local applications caused excessive amounts of space to be used on the send or receive queues.
- Alerts are issued to indicate a TCP queue in constrained state
  - Indicate old data on the send or receive queue
  - Identify the connection (connection ID, job name, addresses, ports)
  - Constrained state entry and exit are indicated
  - Issued to syslogd using TRMD


Storage shortages and QDIO device driver actions


Before z/OS V1R11, there were no limits on:
1. the number of SRBs
2. the number of containers on the staging queue

The number of parallel SRBs is now limited to:
- For 1 Gigabit Ethernet: maximum execution threads per QDIO data device = 4
- For 10 Gigabit Ethernet and HiperSockets: maximum execution threads per QDIO data device = Min(LPAR CPUs + 1, 4) * 2

Use of CSM storage for containers on the staging queue is also being limited:
- Gigabit speed OSA-Express: two megabytes if CSM is critical/constrained, four megabytes if CSM is not critical/constrained
- Ten-Gigabit speed OSA-Express or HiperSockets: four megabytes if CSM is critical/constrained, six megabytes if CSM is not critical/constrained

If more data arrives than the current limit allows, packets are discarded:

  IST2273E PACKETS DISCARDED FOR jobname - READ QUEUE CONGESTION

[Figure: OSA QDIO -> PCI exit routine -> staging queue of containers of inbound packets in ECSA CSM storage -> schedule SRBs -> SRBs carry the data up through the TCP/IP stack.]


Sysplex Distributor with ServerWLM and specialty processors


When using WLM server-specific weights, WLM returns three sets of weights:
1. Raw CP, zAAP, and zIIP system weights
2. Proportional weights: the raw weight modified by actual server usage
3. Composite weight

Example:
- Raw weights: CP 30, zAAP 60, zIIP 60
- Usage pattern: CP 11%, zAAP 89%, zIIP 0%
- Proportional weights: CP 3, zAAP 54, zIIP 0
- Composite weight: 57
- TCP/IP target server responsiveness: 90%
- Health-adjusted weight: 51
- Normalized weight: 13

Workload distribution algorithm enhancements by Sysplex Distributor and Workload Manager in z/OS V1R11

Example 1: importance level of the displaceable work. New workload at Importance Level 2 (IL=2, which can displace IL=3 to IL=7 workload). Which LPAR is best?
- LPAR1 has 500 displaceable service units (SUs), all at IL 3; LPAR2 has 500 displaceable SUs, all at IL 5
- They both have 500 service units of displaceable workload; before R11, they would be equal
- z/OS V1R11 takes the importance level of the displaceable workload into consideration: LPAR2 will be preferred

Example 2: crossover to CP. New workload at IL=2 (can displace IL=3 to IL=7 workload), designed to use 90% zAAP and 10% CP. Which LPAR is best?
- LPAR1 has 900 CP SUs and 100 zAAP SUs displaceable, all at IL 3; LPAR2 has 100 CP SUs and 900 zAAP SUs displaceable, all at IL 3
- They both have an equal amount of displaceable service units; before R11, they would be equal
- z/OS V1R11 takes the amount of crossover to CP of the displaceable workload into consideration: LPAR2 will be preferred since it has the least amount of crossover

Importance levels run from IL 0 (high) to IL 7 (low).


Importance level example


- An importance level weighting factor of zero (IL0) means no change as compared to pre-R11 behavior
- Importance level weighting factors of one through three (IL1 through IL3) gradually shift new workloads towards the LPARs with the lowest importance level work to displace; in this example, LPAR2
- New workload to run at Importance Level 2

[Figure: two charts. "Displaceable service units per importance level": service units (0 to 500) for each importance level 0 to 7, for LPAR1 and LPAR2. "Adjusted displaceable service units": raw service units and the adjusted values for the IL factors IL0, IL1, IL2 and IL3 (0 to 8000), for LPAR1 and LPAR2.]


Cross-over cost example


- Application designed to use 10% CP and 90% zAAP
- LPAR1 and LPAR2 are targets
  - LPAR1 has 900 CP SUs and 100 zAAP SUs that can be displaced
  - LPAR2 has 100 CP SUs and 900 zAAP SUs that can be displaced

[Figure: two charts. "Displaceable Service Units" (0 to 900) for CP and zAAP on LPAR1 and LPAR2, against the application workload design; "Relative weights of LPAR1 and LPAR2": weight (0 to 100) against cross-over cost (0 to 90).]

- Without a cross-over cost, the two targets are equally good to receive new workload
- As a cross-over cost is applied, LPAR1 is less attractive than LPAR2
- Cross-over cost can be set to a value between 1 and 100: 1 behaves as before R11; 100 is the maximum penalty for cross-over

Configuring and displaying the new SERVERWLM options


The new configuration parameters are:
- Only valid when server-specific recommendations are being used
- Only used by WLM when all systems in the sysplex are V1R11 or later
- Importance Level values range from 0 (no impact) to 3 (aggressive weighting). Guideline: use the Moderate (IL 1) value initially.
- Crossover cost values range from 1 (no impact) to 100 (crossover cost very expensive). Guideline: use a low cost initially.

These parameters can affect performance.

  VIPADISTRIBUTE DISTMETHOD SERVERWLM PROCXCOST ZIIP 5 ZAAP 20 ILWEIGHTING 1
                 201.2.10.11 PORT 8000 DESTIP ALL

  NETSTAT VIPADCFG DETAIL
  VIPA Distribute:
    Dest:        201.2.10.11..8000
      DestXCF:   ALL
      SysPt: No  TimAff: No  Flg: ServerWLM
      OptLoc: No
      ProcXCost:
        zAAP: 020  zIIP: 005
      ILWeighting: 1

Agenda
- Workshop introduction
- z/OS V1R11 Communications Server
  - Application integration, data consolidation, and standards
  - Availability and business resilience
  - Scalability, performance, constraint relief, and accelerators
  - Networking security
  - Simplification and ease-of-use
  - SNA and Enterprise Extender
  - Virtualization
  - Systems management and monitoring
- What does Web services mean to your z/OS networking environment
- Next generation Internet: IPv6
- Roadmap for SNA modernization
- Trends and direction

Disclaimer: All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an "as is" basis, without warranty of any kind.


Scalability, performance, constraint relief, and accelerators


- Accept_and_receive API enhancements
- TCP/IP support for System z10 hardware instrumentation
- TCP/IP path length improvements
- Virtual storage constraint relief
- TCP throughput improvements for high-latency networks
- Resolver DNS cache
- NSS private key and certificate services for XML appliances
- Sysplex autonomics improvements for FRCA
- QDIO accelerator
- Sysplex Distributor connection routing accelerator
- Sysplex Distributor optimization for multi-tier z/OS workload
- Sysplex Distributor support for DataPower

General TCP/IP path length improvement objectives


*ITR = ETR / CPU busy percentage, where ETR is the transaction rate (or throughput)
- Internal Throughput Rate: a statement of how much work the system can do at 100% busy
- Generally ETR is very difficult to impact, so our focus is usually on reducing the denominator (CPU consumption)

The PERFORMANCE team:
- For years, the z/OS products' goal was no release-to-release ITR degradation
- The goal for the last few years has become to provide release-to-release ITR improvement
- Continual process to improve overall System z price/performance
- Communications Server ITR goal in z/OS V1R11: reduce Communications Server's CPU consumption for request/response workloads, while not elongating network latency, and while also providing 31-bit common storage (ECSA) constraint relief

The challenge:
- Our z/OS V1R11 ECSA constraint relief item (using 64-bit common storage for the Socket Control Block) introduces new, cycle-intensive addressing mode switching coupled with save/restore of the high-order general purpose register (GPR) halves
- We'll need to overcome path-length growth due to 64-bit memory access before we can show any path-length improvement in V1R11
- z/OS V1R10 path length is quite good; much effort went into providing significant ITR gains, so the comparison against V1R10 will be tough

Asynchronous accept_and_receive sockets call


- The accept_and_receive call has existed for a few releases (BPX1ANR)
  - It combines three sockets API crossings into a single API crossing
  - Reduced latency and CPU time for server applications that receive connections
- z/OS V1R11 adds the following capabilities to the accept_and_receive call:
  - 64-bit support (BPX4ANR)
  - Asynchronous support (BPX1AIO, and BPX4AIO for 64-bit)
- Is available to be exploited by all server implementations on z/OS

[Figure: before, the application crosses the PFS layer into the TCP/IP stack three times, for accept(), getsockname() and recv(), before it processes the transaction; with accept_and_receive() there is a single crossing before it processes the transaction.]



General TCP/IP path length improvements in z/OS V1R11

- Use z/Architecture 64-bit arithmetic instructions to maintain double-word SNMP and diagnostic counters, as opposed to using the earlier (System/390) 31-bit instructions, which need to load and store a pair of registers
- Exploit asynchronous cache line pre-fetching when we know we'll soon need to access +256, +512, ... bytes beyond the current location
- Minimize TCP/IP data-path references to the new 64-bit Socket Control Block, to avoid address-mode switching
- Code scrubbing of certain critical paths; new fast paths for normal cases


TCP/IP path-length improvements: helping application programmers avoid common Sockets pitfalls
[Figure: client TCP sends two small segments and then receives; the server needs data from both sends before it can reply; the second segment waits for an ACK that the server holds back for 200 msec.]

Nagle (on the send side)
- Data from a small send() cannot be put on the wire if there is outstanding unacknowledged data
- Applications can disable Nagle by setting the TCP_NODELAY sockets option

Delayed ACK (on the receive side)
- TCP generally ACKs every 2nd segment
- TCP generally waits 200 msec before sending a stand-alone ACK if no 2nd segment arrives

New transactional applications often encounter severe performance problems due to this behavior
- Most application programmers don't know about Nagle
- Very often seen with CICS Sockets applications
- Sample test run: the transaction rate jumped from 3 transactions per second to 2650 transactions per second

Note: The performance measurements discussed in this presentation are preliminary z/OS V1R11 Communications Server numbers and were collected using a dedicated system environment. The results obtained in other configurations or operating system environments may vary.

Page 58


Relaxed Nagle algorithm to avoid traffic stalls

- For transactional workload, such as CICS Sockets, the client often calls send() to send a transaction header (transaction code), and then calls send() a second time to send the input data
- If the client calls send() more than twice with small amounts of data, the z/OS V1R11 solution will not prevent the Nagle algorithm from waiting for an ACK before sending the third small segment

[Figure: the application view of the exchange. The client sends a short transaction header and then the transaction input data (two small sends and then a receive); the server needs both before it can start processing and produce a reply. How it worked before z/OS V1R11: the second small send waits for the receiver's 200 msec delayed ACK. How it works in z/OS V1R11: the second small segment is sent without waiting for that ACK.]
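The two slides above describe the stall and the V1R11 relaxation in words; the following added example (not IBM code) replays the exchange as a timeline so the cost of each policy can be read off. The 200 msec delayed-ACK timer and the ACK-every-second-segment rule are the slide's; the 1 ms one-way latency, the send counts, and the exact "relaxed" rule (a second small segment may be in flight, a third waits for the ACK) are my assumptions.

```python
"""Timeline model of the send-side Nagle / receive-side delayed-ACK interaction
shown on the two slides above, plus the z/OS V1R11 relaxation.  Added example,
not IBM code: the 200 msec delayed-ACK timer and "ACK every 2nd segment" are the
slide's description; the one-way latency, the send counts and the exact
"relaxed" rule (one extra small segment may be in flight while the first is
unacknowledged, a third must wait) are assumptions."""
import heapq

DELAYED_ACK_MS = 200.0      # receiver's stand-alone ACK timer (slide value)


def may_send_now(policy: str, unacked: int) -> bool:
    """May a fresh small send() go on the wire with `unacked` segments outstanding?"""
    if policy == "nodelay":          # TCP_NODELAY set: Nagle disabled
        return True
    if policy == "nagle":            # classic Nagle: nothing may be unacknowledged
        return unacked == 0
    if policy == "relaxed":          # z/OS V1R11 (assumed rule): one extra segment
        return unacked <= 1
    raise ValueError(f"unknown policy {policy!r}")


def simulate(policy: str, sends: int, one_way_ms: float = 1.0) -> dict:
    """Client issues `sends` small send() calls back to back at t=0, then waits
    for a reply; the server replies only once it has all of them.  Returns when
    the reply reaches the client, how many client segments were used, and an
    event log (times in ms)."""
    d = one_way_ms
    events, seq = [], 0                      # (time, seq, kind, payload) min-heap

    def push(t, kind, payload=0):
        nonlocal seq
        heapq.heappush(events, (t, seq, kind, payload))
        seq += 1

    unacked = buffered = segments = 0
    for _ in range(sends):                   # the client's send() calls
        if may_send_now(policy, unacked):
            unacked += 1
            segments += 1
            push(d, "arrive", 1)             # one send per segment
        else:
            buffered += 1                    # Nagle holds it back
    server_has = server_unacked = 0
    ack_timer_armed = False
    log = []
    while events:
        t, _, kind, n = heapq.heappop(events)
        if kind == "arrive":                 # a client segment reaches the server
            server_has += n
            server_unacked += 1
            log.append((t, f"server has {server_has}/{sends} sends"))
            if server_has == sends:          # reply (it carries the ACK)
                push(t + d, "reply")
            elif server_unacked >= 2:        # ACK every 2nd segment at once
                server_unacked = 0
                push(t + d, "ack")
            elif not ack_timer_armed:        # otherwise wait 200 ms for a 2nd one
                ack_timer_armed = True
                push(t + DELAYED_ACK_MS, "timer")
        elif kind == "timer":                # delayed-ACK timer fired
            ack_timer_armed = False
            if server_unacked:
                server_unacked = 0
                push(t + d, "ack")
                log.append((t, "stand-alone delayed ACK sent"))
        elif kind == "ack":                  # ACK reaches the client
            unacked = 0
            if buffered:                     # Nagle releases all held sends as ONE segment
                push(t + d, "arrive", buffered)
                log.append((t, f"client sends {buffered} held sends as one segment"))
                unacked, segments, buffered = 1, segments + 1, 0
        elif kind == "reply":
            log.append((t, "reply at client"))
            return {"reply_ms": t, "segments": segments, "log": log}
    raise RuntimeError("server never got all sends")


def transactions_per_second(policy: str, sends: int = 2, one_way_ms: float = 1.0) -> float:
    """Serial transaction rate implied by one request/reply cycle."""
    return 1000.0 / simulate(policy, sends, one_way_ms)["reply_ms"]


if __name__ == "__main__":
    for policy in ("nagle", "nodelay", "relaxed"):
        for sends in (2, 3):
            r = simulate(policy, sends)
            print(f"{policy:8} {sends} sends: reply after {r['reply_ms']:6.1f} ms, "
                  f"{transactions_per_second(policy, sends):7.1f} tps, "
                  f"{r['segments']} segments")
```

With the 1 ms latency assumed here, classic Nagle needs about 204 ms per two-send transaction (the delayed-ACK timer dominates), while TCP_NODELAY and the relaxed rule finish in one round trip; only a third small send still waits under the relaxed rule.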

Page 59


Use of 64-bit common virtual storage for Sockets Control Blocks

[Figure: z/OS virtual storage map for the system resolver, TCP/IP and VTAM address spaces, from 16 EB down to 0. Above the 2 GB bar: high resolver private, high TCP/IP private, high VTAM private, and the 64-bit shared area (used by TCP/IP for SCBs); 64-bit shared memory objects are allocated in one MB chunks above the bar. Below the bar: low resolver private (cache), low TCP/IP private, low VTAM private; extended resolver, TCP/IP and VTAM private; ECSA (TCP/IP use, VTAM use, CSM use); extended nucleus and ESQA; the 16 MB line; LPA, SQA, nucleus and CSA (both VTAM and TCP/IP use a little); resolver, TCP/IP and VTAM private; the PSA at 0. CSM Data Space 31 is backed by 31-bit real storage frames, CSM Data Space 64 by 64-bit real storage frames.]

- Sockets Control Blocks (SCBs) are in z/OS V1R11 moved from ECSA to 64-bit shared memory objects
- Each SCB is 384 bytes long, freeing up (384 * number of open sockets) bytes in your ECSA storage

Page 60


Monitoring use of 64-bit memory objects

You can monitor the system's use of 64-bit memory objects through the RMF Monitor III STORM (option 7A) report:

RMF V1R11  Storage Memory Objects                       Line 1 of 8
Command ===>                                            Scroll ===> CSR
Samples: 60   System: 3090   Date: 06/12/09   Time: 10.01.00   Range: 60 Sec

------------------------------- System Summary ---------------------------------
Memory Objects: Common Shared Large   Frames: Common Fixed Shared 1 MB   Area Used %: Common Shared 1 MB
6 0 800 0 0 0.0 0.0
--------------------------------------------------------------------------------
Service                     ---- Memory Objects ----  Frames  ------ Bytes ------
Jobname   C Class    ASID   Total  Comm  Shr  Large    1 MB   Total   Comm   Shr
SMSPDSE   S SYSTEM   0008      12     0    0                  76.0M      0     0
TRACE     S SYSTEM   0004       8     0    0                  8192K      0     0
GRS       S SYSTEM   0007       4     0    0                   140G      0     0
ABCRESO   S SYSSTC   0040       4     0    0                  4096K      0     0
JESEAUX   S SYSSTC   0027       3     3    0                  3072K  3072K     0
ZFS       S SYSSTC   0049       2     0    0                  22.0M      0     0
*MASTER*  S SYSTEM   0001       1     1    0                  1024K  1024K     0
TCPCS     S SYSSTC   0058       1     1    0                  1024K  1024K     0

- The system resolver uses 64-bit private memory objects for the name server cache
- TCP/IP uses 64-bit common memory objects for SCBs

You can also monitor TCP/IP's use via the D TCPIP,,STOR command:

10.22.08 d tcpip,tcpcs,stor
10.22.09 EZZ8453I TCPIP STORAGE
EZZ8454I TCPCS STORAGE            CURRENT   MAXIMUM     LIMIT
EZZ8455I TCPCS ECSA                 9645K    10074K   NOLIMIT
EZZ8455I TCPCS POOL                13949K    14047K   NOLIMIT
EZZ8455I TCPCS 64-BIT COMMON           1M        1M   NOLIMIT
EZZ8459I DISPLAY TCPIP STOR COMPLETED SUCCESSFULLY

Page 61


TN3270 server ECSA usage improvement up to and including z/OS V1R11 Communications Server

ECSA for 256K TN3270 sessions, by release (megabytes):

Release     ECSA for 256K TN3270 sessions
V1R7        798M
V1R8        708M
V1R9        480M
V1R10       440M
V1R11 (1)   352M

The numbers are configuration dependent, but they should give you an idea of the magnitude of the savings achieved in the recent releases.

Note (1): The V1R11 number is a preliminary number; it may change before general availability of z/OS V1R11 Communications Server.
Note (2): APARs II13442 and II13951 are worth revisiting in general for storage.
Page 62

Reduction in CSA requirements for Rapid Transport Protocol (RTP) pipes

- Before V1R11, each RTP pipe is represented by a control block in ECSA
- In V1R11, a large portion of the RTP control block was moved to an extension control block in VTAM private storage. This resulted in a significant ECSA saving for installations with a large number of RTP pipes
- Preliminary estimates of the reduction in required RTP pipe ECSA storage for various RTP counts:

RTP pipes   ECSA reduction
4000        11.5%
12000       23.5%
20000       29.5%

Page 63


High latency network and window size

[Figure: two sender/receiver timelines. Inefficient window size: the sender transmits one window of data and then sits idle for a round trip time (RTT) until the ACKs return before it can send again. Efficient window size: the window is large enough that the ACK for the first data of the window arrives before the sender has finished sending the window, so data flows continuously.]

In the first example, the window size is too small for the high-latency network (large RTT). Both sender and receiver spend time waiting for data or ACKs to arrive.

In the second example, the window size is large enough for the high-latency network. The sender has not yet sent the last bit of the window before it receives an ACK for the first bit of the current window. However, a window size of 512K may not always be enough to achieve this behavior.

Page 64


TCP throughput improvements for high-latency networks

- TCP/IP in z/OS V1R11 implements an enhancement known as dynamic right sizing
- Helps improve performance for streaming TCP connections over networks with large bandwidth and high latency
- When z/OS is the receiver: by automatically tuning the ideal window size beyond the current maximum window size of 512K for such TCP connections. The window size may grow up to 2MB
- This function does not take effect for applications which use a TCP receive buffer size smaller than 64K

[Figure: an FTP sender and a z/OS FTP receiver with a 64K window. Sender: "I can't send more than the window size till I have an ACK that advances the window!" Receiver: "I can't ACK till I have some data to ACK!"]

[Figure: FTP throughput, AIX -> z/OS, single FTP session; throughput in MB/sec (1 to 11) over time in 10-second increments, base code versus dynamic right sizing; z10, Fast Ethernet, RTT = 51 ms]

Note: The performance measurements discussed in this presentation are preliminary z/OS V1R11 Communications Server numbers and were collected using a dedicated system environment. The results obtained in other configurations or operating system environments may vary.
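To see why 512K "may not always be enough", the following added example (not IBM code) computes the window-limited throughput and the bandwidth-delay product for the slide's 51 ms RTT; the 64K, 512K and 2MB window sizes are the ones the slides name, and the link speeds tried are my assumptions.

```python
"""Window-size arithmetic behind the two slides above: a window that is too
small for the round-trip time stalls the sender, and dynamic right sizing lets
the z/OS receive window grow from 512K up to 2MB.  Added example, not IBM code:
RTT = 51 ms and Fast Ethernet are the slide's test setup, the candidate window
sizes are the ones the slides name, the 1 GbE case is an assumption."""

WINDOWS = {"64K": 64 * 1024, "512K": 512 * 1024, "2MB": 2 * 1024 * 1024}


def window_limited_throughput(window_bytes: int, rtt_ms: int) -> float:
    """Bytes per second when at most one window can be in flight per RTT,
    i.e. the sender idles until an ACK for the start of the window returns."""
    return window_bytes * 1000 / rtt_ms


def window_needed(link_bps: int, rtt_ms: int) -> int:
    """Bandwidth-delay product: bytes that must be in flight to keep the link
    busy for a whole round trip (integer ceiling, so no float rounding)."""
    return -(-link_bps * rtt_ms // 8000)


def smallest_sufficient_window(link_bps: int, rtt_ms: int):
    """Label of the smallest slide window size that covers the bandwidth-delay
    product, or None when even the 2MB dynamic-right-sizing ceiling is too small."""
    need = window_needed(link_bps, rtt_ms)
    for label, size in WINDOWS.items():
        if size >= need:
            return label
    return None


if __name__ == "__main__":
    rtt = 51
    for label, size in WINDOWS.items():
        print(f"{label:>4} window, RTT {rtt} ms: at most "
              f"{window_limited_throughput(size, rtt) / 1e6:5.2f} MB/s")
    for name, bps in (("Fast Ethernet", 100_000_000), ("1 GbE", 1_000_000_000)):
        print(f"{name}: {window_needed(bps, rtt):,} bytes needed in flight -> "
              f"window {smallest_sufficient_window(bps, rtt)}")
```

At 51 ms a 512K window caps a single connection at about 10.3 MB/s, which is below the 637,500 bytes Fast Ethernet needs in flight; the 2MB ceiling covers that, while a 1 GbE link at the same RTT would need more than 2MB.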

Page 65


Existing resolver logic always contacts a name server

- No memory in the resolver of output from previous requests
- Specified DNS name servers contacted on each request

[Figure: a query for host.raleigh.ibm.com inside a z/OS LPAR. Steps 1-4 are the first request and steps 5-8 an identical second request: the application calls the resolver (1,5), the resolver queries name server 10.1.1.1 (2,6), the name server answers (3,7), and the resolver returns the answer to the application (4,8). Name server 10.1.1.2 is listed second. TCPIP.DATA: NSINTERADDR 10.1.1.1, NSINTERADDR 10.1.1.2]

Page 66


Caching-only name server provided some relief

- Each request directed to the local caching-only name server, which retains the information
- Still requires building a DNS request for each resolution attempt

[Figure: the same query for host.raleigh.ibm.com with TCPIP.DATA NSINTERADDR 127.0.0.1. First request (steps 1-6): application to resolver, resolver to the local caching-only name server, caching-only name server to name server 10.1.1.1, and the answer back through the caching-only name server and the resolver to the application. Second request (steps 7-10): the caching-only name server answers from what it retained without contacting 10.1.1.1 (10.1.1.2 is the second name server).]

Page 67


z/OS V1R11 introduces resolver caching

- Resolver cache queried for each request
- Communication with the name server only if cache information is not available

[Figure: the same query for host.raleigh.ibm.com with TCPIP.DATA NSINTERADDR 10.1.1.1 and NSINTERADDR 10.1.1.2. First request (steps 1-4): application to resolver, resolver to name server 10.1.1.1, answer back into the resolver cache and to the application. Second request (steps 5-6): the resolver answers from its cache without contacting a name server.]

Page 68


Configuring resolver caching: it's all optional!!

- Resolver caching is started automatically
  - Can be turned off using the NOCACHE statement
- Use CACHESIZE to adjust the maximum storage limit
  - If modifying the limit, select a value that is 50% larger than anticipated needs
  - CACHESIZE defaults to 200M of storage, about 80K entries
- Use MAXTTL to adjust the maximum entry retention time value
  - MAXTTL defaults to using the name server supplied value

F RESOLVER,DISPLAY
EZZ9298I DEFAULTTCPIPDATA - None
EZZ9298I GLOBALTCPIPDATA - SYS1.TCPPARMS(TCPDATA)
EZZ9298I DEFAULTIPNODES - USER1.ETC.IPNODES
EZZ9298I GLOBALIPNODES - None
EZZ9304I COMMONSEARCH
EZZ9304I CACHE
EZZ9298I CACHESIZE - 200M
EZZ9298I MAXTTL - 214748364
EZZ9293I DISPLAY COMMAND PROCESSED

Page 69


Resolver DNS cache benefits

The performance benefits of local name caching depend on:
- The amount of calls to the resolver in general: client application workload, Web Services workload, some services that do reverse resolution of the client IP address, etc.
- The amount of repetitive resolutions of the same host names or addresses: the more repetitive resolutions, the more cache hits
- The time-to-live (TTL) values that are returned by the name server: TTL values of zero cannot be cached

Setup              Topology overview                                                          Throughput   CPU
No caching         Application -> Resolver -> Authoritative DNS                                            100
Caching-only DNS   Application -> Resolver -> Local caching DNS (cache) -> Authoritative DNS   4.1          81
Resolver caching   Application -> Resolver (cache) -> Authoritative DNS                        7.7          58

Note: The performance measurements discussed in this presentation are preliminary z/OS V1R11 Communications Server numbers and were collected using a dedicated system environment. The results obtained in other configurations or operating system environments may vary.

Page 70


What is and is not cached?

Not cached by the resolver:
(1) Low-level API invocation data
(2) Name server timeouts
(3) Local host data

Cached by the resolver:
(1) DNS A, AAAA, and PTR records
(2) Negative cache information

- Organized by the DNS name server that supplied the response data
- Storage obtained as needed
- No more than 20% of the cache is ever used for negative entries

Page 71


Example of different entries cached on a name server basis

[Figure: within one z/OS Communications Server image, a Test Application on the Test TCP stack and a Production Application on the Production TCP stack both call Getaddrinfo(af_inet, host.ibm.com). The Test stack's TCPIP.DATA dataset specifies NSINTERADDR 10.3.3.3; the Production stack's TCPIP.DATA dataset specifies NSINTERADDR 10.6.6.6.]

Test DNS @10.3.3.3 returns IP address 10.45.5.5:
  host.ibm.com A 10.45.5.5

Production DNS @10.6.6.6 returns IP address 10.145.5.5:
  host.ibm.com A 10.145.5.5

Result: Two cache records are created by the resolver!!

Page 72


Re-use of cache entries, different data for same hostname

[Figure: the Test Application and the Production Application both call Getaddrinfo(af_inet, host.ibm.com). The Test stack's TCPIP.DATA dataset specifies NSINTERADDR 10.6.6.6 and then NSINTERADDR 10.3.3.3; the Production stack's TCPIP.DATA dataset specifies NSINTERADDR 10.7.7.7 and then NSINTERADDR 10.6.6.6.]

Resolver cache data:
  DNS IP address 10.6.6.6: host.ibm.com = 10.145.5.5
  DNS IP address 10.3.3.3: host.ibm.com = 10.45.5.5

Result: Resolver returns 10.145.5.5 to both applications!!
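The two scenarios above (one cache record per supplying name server; re-use of an entry from a name server that both stacks list) can be replayed with the following added model of the cache rules described on the preceding slides: lookup in NSINTERADDR order, TTL 0 not cached, MAXTTL cap, negative entries limited to 20% of the cache. It is an added example, not IBM's resolver code; the name servers, TTLs, stub answers and the clock are constructed.

```python
"""Model of the z/OS V1R11 resolver cache rules on the slides above: entries
are keyed by the name server that supplied them, a lookup walks the stack's
NSINTERADDR list in order, TTL 0 answers are not cached, MAXTTL caps
retention, negative answers are cached but limited to 20% of the cache.
Added example, not IBM's resolver code; Entry, ResolverCache, the stub name
servers and the clock are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Entry:
    addresses: tuple        # () marks a negative (name does not exist) entry
    expires: float          # absolute time at which the entry stops being valid
    hits: int = 0           # re-usage count, as in the Netstat DETAIL report


class ResolverCache:
    def __init__(self, now, maxttl=214748364, max_entries=80_000):
        self.now = now                      # callable returning current time (s)
        self.maxttl = maxttl                # MAXTTL default shown on the slides
        self.max_entries = max_entries      # about 80K entries for CACHESIZE 200M
        self.entries = {}                   # (ns_addr, rtype, key) -> Entry

    def lookup(self, ns_list, rtype, key):
        """First unexpired entry for `key` among the configured name servers,
        searched in NSINTERADDR order; expired entries met on the way are dropped."""
        for ns in ns_list:
            k = (ns, rtype, key.lower())
            e = self.entries.get(k)
            if e is None:
                continue
            if e.expires <= self.now():
                del self.entries[k]
                continue
            e.hits += 1
            return ns, e
        return None

    def negative_count(self):
        return sum(1 for e in self.entries.values() if not e.addresses)

    def store(self, ns, rtype, key, addresses, ttl):
        """Cache an answer from name server `ns`; None when it is not cacheable."""
        if ttl <= 0:                                    # TTL 0 cannot be cached
            return None
        if not addresses and self.negative_count() >= 0.2 * self.max_entries:
            return None                                 # 20% negative-entry cap
        if len(self.entries) >= self.max_entries:
            return None                                 # CACHESIZE exhausted
        e = Entry(tuple(addresses), self.now() + min(ttl, self.maxttl))
        self.entries[(ns, rtype, key.lower())] = e
        return e


def getaddrinfo_a(cache, ns_list, name, servers):
    """A-record lookup as the slides describe it: cache first (per configured
    name server, in order), otherwise ask the first name server and cache what
    it said under that server's address.
    servers: {ns_addr: {"records": {name: (addresses, ttl)}, "neg_ttl": n}}"""
    hit = cache.lookup(ns_list, "A", name)
    if hit:
        return hit[1].addresses, "cache via " + hit[0]
    ns = ns_list[0]
    rec = servers[ns]["records"].get(name.lower())
    addresses, ttl = rec if rec else ((), servers[ns]["neg_ttl"])
    cache.store(ns, "A", name, addresses, ttl)
    return addresses, "queried " + ns


# Constructed stub name servers using the slides' addresses and answers.
SERVERS = {
    "10.3.3.3": {"records": {"host.ibm.com": (("10.45.5.5",), 3600)}, "neg_ttl": 300},
    "10.6.6.6": {"records": {"host.ibm.com": (("10.145.5.5",), 3600),
                             "volatile.ibm.com": (("10.1.2.3",), 0)}, "neg_ttl": 300},
    "10.7.7.7": {"records": {}, "neg_ttl": 300},
}

if __name__ == "__main__":
    clock = [0.0]
    cache = ResolverCache(lambda: clock[0])
    print("test stack   :", getaddrinfo_a(cache, ["10.3.3.3"], "host.ibm.com", SERVERS))
    print("prod stack   :", getaddrinfo_a(cache, ["10.6.6.6"], "host.ibm.com", SERVERS))
    print("cache records:", len(cache.entries))
    print("test  (10.6.6.6, 10.3.3.3):",
          getaddrinfo_a(cache, ["10.6.6.6", "10.3.3.3"], "host.ibm.com", SERVERS))
    print("prod  (10.7.7.7, 10.6.6.6):",
          getaddrinfo_a(cache, ["10.7.7.7", "10.6.6.6"], "host.ibm.com", SERVERS))
```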

Page 73


Using the cached information

- No change to the resolver APIs
- Data saved is independent of the API used to acquire the cache entry
  - Data cached by Getaddrinfo can be retrieved using Gethostbyname, and vice versa
  - Data cached by Getnameinfo can be retrieved using Gethostbyaddr, and vice versa
  - Usable by both EBCDIC and ASCII applications
- No round robin algorithm applied to cached data before delivery to the application
  - Sorted by Getaddrinfo automatically
  - The SORTLIST directive applies to IPv4 addresses

Page 74


Displaying cache entry data (Netstat RESCache/-q report)

Display information about the resolver cache:
- Statistical information (use the SUMMARY modifier)
- Detailed entry information (use the DETAIL modifier)
- Available as MVS operator command, TSO, and z/OS UNIX

Options to influence the amount of information displayed:
- Display statistical information on a name server basis using the DNS modifier
- Display all entry information provided by a specific DNS name server using the DNSAddr/-Q filter
- Display all DNS A or AAAA entries associated with a specific host name using the HOSTName/-H filter
- Display all DNS PTR entries associated with an IP address using the IPAddr/-I filter
- Display some or all negative cache entries using the NEGative modifier

RACF controls available

Page 75


Displaying cache statistics (Netstat RESCache/-q SUMmary)

Display overall (and per name server) statistical information about the cache:

Storage Usage:
  Maximum: 10M   Current: 143K   MaxUsed: 1M
Cache Usage:
  Total Number of entries: 64
    Non-NX entries: 44   A: 20   AAAA: 13   PTR: 11
    NX entries: 20       A: 9    AAAA: 2    PTR: 9
  Queries: 112   Hits: 34   SuccessRatio: 30%
DNS address: 19.52.206.22
  Total Number of entries: 54
    Non-NX entries: 39   A: 18   AAAA: 11   PTR: 10
    NX entries: 15       A: 7    AAAA: 2    PTR: 6
  References: 77   Hits: 21

- Storage values: CACHESIZE encoding plus current and high-water mark values
- Number of entries in the cache, grouped by negative (NX) entries and other (Non-NX) entries
- SuccessRatio: percentage of queries satisfied by information in the cache
- DNS address: IP address of the name server providing the cache data

Page 76


Displaying cache entry data (NETSTAT RESCache/-q DETAIL)

Display detailed information about entries in the cache:

HostName to IPAddress translation
--------------------------------
HostName: HOSTNAME5.TCP.RALEIGH.IBM.COM
  DNS IPAddress: 19.52.206.22
  DNS Record Type: T_A
  Canonical Name: hostname55.pok.ibm.com
  Cache Time: 10/27/2008 19:06:36
  Expired Time: 10/27/2008 20:09:37
  Hits: 15
  IPAddress: 29.236.231.65
             29.236.231.88

IPAddress to HostName translation
--------------------------------
IPAddress: 152.12.39.164
  DNS IPAddress: 19.52.206.22
  DNS Record Type: T_PTR
  Cache Time: 10/27/2008 19:05:59
  Expired Time: 10/27/2008 20:05:59
  Hits: 1
  HostName: ***NA***

- Each entry is identified by its lookup key (host name or IP address)
- Applicable DNS A and AAAA records are displayed first, then DNS PTR records
- DNS IPAddress: the DNS that provided the entry
- Hits: entry re-usage
- Up to 35 addresses are saved per entry
- The report includes only unexpired entries
- HostName: ***NA*** marks a negative cache entry


Page 77


Wildcard capabilities for HOSTName/-H filter

- Standard wildcard characters (*, ?) supported
- Implicit wildcarding supported as well, similar to how the resolver performs host name searches by appending possible domain names to the input host name value:
  - HOSTNAME charlie is EQUIVALENT to HOSTNAME charlie.*
  - HOSTNAME charlie* is NOT EQUIVALENT to HOSTNAME charlie.*
  - HOSTNAME charlie. returns ONLY the information for resource charlie
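The three rules above as a matcher, added here as an example (not the Netstat filter code). Treating "*" and "?" as ordinary glob wildcards that may span a dot, and letting a bare name also match itself rather than only name.*, are my assumptions.

```python
"""Matching rules of the Netstat RESCache HOSTName/-H filter as the slide
states them.  Added example, not IBM code: '*' and '?' are taken as ordinary
glob wildcards (allowed to span a dot), and a bare name matching itself as
well as name.<domain> is my reading of the slide."""
import fnmatch


def hostname_filter_matches(filter_value: str, cached_name: str) -> bool:
    f, n = filter_value.lower(), cached_name.lower()   # names compare case-insensitively
    if f.endswith("."):                      # "charlie."  -> only the resource charlie
        return n == f[:-1]
    if "*" in f or "?" in f:                 # "charlie*"  -> glob exactly as written
        return fnmatch.fnmatchcase(n, f)
    # "charlie" -> implicit wildcard: charlie itself plus charlie.<any domain>
    return n == f or fnmatch.fnmatchcase(n, f + ".*")


def filter_cache_names(filter_value: str, names) -> list:
    """Names from a cache listing that the filter would display, in order."""
    return [name for name in names if hostname_filter_matches(filter_value, name)]


# Constructed cache names for trying the filter out.
NAMES = ["charlie", "charlie.raleigh.ibm.com", "charlie2.raleigh.ibm.com",
         "charlotte.ibm.com"]

if __name__ == "__main__":
    for flt in ("charlie", "charlie.", "charlie*", "charlie.*", "char?ie.*"):
        print(f"HOSTNAME {flt:10} -> {filter_cache_names(flt, NAMES)}")
```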

Page 78


Managing the cache storage

- Entries remain valid for the time-to-live (TTL) value duration
- The resolver will periodically delete expired entries
  - Intervals can range from 30 seconds to 10 minutes
  - More aggressive as storage usage grows
- EZZ9307E RESOLVER CACHE STORAGE IS DEPLETED
  - Issued when the cache is 98% full
- The operator can manually delete the entire cache contents as well:

F RESOLVER,FLUSH,ALL
EZZ9305I 200 CACHE ENTRIES DELETED
EZZ9293I FLUSH COMMAND PROCESSED

Page 79


What is IBM WebSphere DataPower?

DataPower can perform advanced Web services operations, content-based routing, and transformation of requests to traditional z/OS applications:
- Security: XML/SOAP firewall capability, WSS processing
- XML offload: XML parsing on a specialty device
- Message transformation: transform XML/SOAP to traditional z/OS application data formats and interface with existing z/OS applications via HTTP, MQ, JMS, IMS-Connect, or DB2 DRDA
- Content-based routing: based on data in the request (including data protected by WSS), select the proper target server, request type, format, and mode
- Monitoring and SOA governance

[Figure: an HTTP(S) XML/SOAP request enters DataPower and passes through HTTP(S) processing, XML parsing, XML/SOAP firewall processing, WSS processing, message transformation and content-based routing before reaching IMS, CICS, DB2 or WAS on z/OS; the HTTP(S) XML/SOAP response returns the same way. Request type: HTTP(S), MQ, JMS, IMS-Connect, DRDA. Request format: XML, COBOL copybook, binary. Request mode: synchronous, asynchronous.]

Page 80


DataPower integration with z/OS security - extending NSS

The integrated infrastructure provides the following basic operations:
- Central z/OS-resident NSS services to perform operations that require access to a private key:
  - Data decryption
  - Signing of outbound XML messages (DataPower provides the hash to sign)
- Download of private keys where the DataPower device is configured to perform private key operations locally:
  - Supported when private keys are managed by RACF
  - Not allowed when private keys are secured and managed by ICSF
- Services to download and maintain a local certificate cache
- Services to provide access for DataPower to SAF-based identification, authentication, and access control functions were delivered as part of z/OS V1R10:
  - Remote SAF checks

Integrating DataPower processing with z/OS - without losing centralized security control

[Figure: a Web Services request arrives at the DataPower appliance, which holds an NSS client with a certificate cache and a private key cache. A secured TCP connection carries it to the NSS server on z/OS, which provides client management and infrastructure, certificate services, private key services and SAF access services, backed by RACF profiles and keyrings, ICSF, and SMF audit records.]

Page 81


Health of a Sysplex Distributor target stack - overview

The distributor uses several health metrics to monitor target stacks and servers:
- TSR: Target Server Responsiveness fraction, which is a compound health metric per target server (range from 0 (bad) to 100 (good)), made up of:
  - TCSR: Target Connectivity Success Rate. Connectivity between the distributing stack and the target stack - are the new connection requests reaching the target? (0 is bad, 100 is good)
  - SEF: Server accept Efficiency Fraction. Target server accept efficiency - is the server accepting new work? (0 is bad, 100 is good)
  - QoS: QoS fractions, taking retransmits and packet loss into consideration (0 is good, 100 is bad)
  - The number of half-open connections also impacts the TSR value
- CER: Connection Establishment Rate. Network connectivity between server and client - are new connections being established? (0 is bad, 100 is good)
  - CER no longer impacts the TSR value, but is still calculated and included in netstat displays

[Figure: the client connects through the distributor to a target system's stack (DVIPA1, port 8000) and its server (port 80). 1. TCSR is measured between the distributor and the target stack, 2. CER between client and target, 3. SEF at the server's accept.]

Page 82


Fast Response Cache Accelerator - FRCA

FRCA provides a hybrid Web server environment:
- Partly Web server
- Partly TCP/IP stack

- The Web server stores static objects in the cache
- The Web server provides simple exits to parse URIs
- The Web server loads a set of TCP/IP stack exits to parse received data
  - Allows FRCA to work with any protocol, not just HTTP
- Web pages are cached within the TCP/IP stack
  - Requests are handled without traversing the full protocol stack up to the Web server
  - Significant performance improvements when compared to the Web server handling all requests
- Cached static objects are served from the cache without the Web server accepting the TCP connection

[Figure: the Web server sits above the sockets layer, TCP layer, IP networking layer and network interfaces of the TCP/IP stack; the FRCA cache lives inside the stack at the TCP layer.]

Page 83


Fast Response Cache Accelerator (FRCA) use by WebSphere Application Server - overview

- The FRCA cache is an HTTP cache that is maintained by TCP/IP
- Cached responses can be served with high performance using a minimal amount of CPU cycles
- WebSphere Application Server V7 will start exploiting the FRCA cache:
  - Serve static requests from the FRCA cache
  - Provide equivalent performance on WAS as is possible with the FRCA cache on the web server
  - Serve dynamic content from the FRCA cache
  - Serve the same content that the Dynamic Cache serves, but serve it from the FRCA cache
  - Record HTTP access log entries for requests served from the FRCA cache


Page 84

z/OS: CPU cost savings using FRCA cache compared to Dyna Cache

The amount of CPU time needed to process a request is dramatically reduced using FRCA as compared to Dyna Caching (lower is better).

CPU time per page (us), by file size:

File size   Dyna Cache   FRCA Cache   Dyna Cache / FRCA
1k             786           21          37x
5k             844           32          27x
10k            955           44          22x
50k           2254          171          13x
100k          3690          323          11x

- Dyna Cache is 37 times more costly than FRCA caching for 1k file sizes
- For larger file sizes, 5k to 100k, Dyna Cache is 27 to 11 times more costly

System configuration: Workload: Simple File Server App. SUT: IBM z10 processor (model 2097 720), 4 x 4.4 GHz, 32 GB real. Driver: x/335 model 8676-21X, 4 x 3.06 GHz, 2 GB RAM.

Page 85


Sysplex Distributor enhancements

- FRCA connections that are serviced by the cache will not be measured against a server's health
- Half-open connections will not be weighed as heavily against the server's health
  - Half-open connections reflect more of a routing issue than a problem with the server
- The CER will now be a diagnostic aid only
- TCPSTACKSOURCEVIPA will no longer use MOVING DVIPAs (Dynamic VIPA)
  - Allows the DVIPA to transition to its original state
  - The normal source IP address selection process will be used
Page 86

Improved netstat visibility in backlog details

Display TCPIP,,NETSTAT,ALL to see the new ServerBacklog and FRCABacklog fields:

MVS TCP/IP NETSTAT CS V1R11       TCPIP Name: TCPCS           16:49:28
Client Name: BPXOINIT                    Client Id: 00000021
  Local Socket: 0.0.0.0..10007           Foreign Socket: 0.0.0.0..0
  MaximumBacklog:     0000000010   CurrentBacklog:     0000000008
  ServerBacklog:      0000000003   FRCABacklog:        0000000002
  CurrentConnections: 0000000000   SEF:                100

[Figure: the current backlog consists of half-open and established connections; the established connections are divided between the FRCA backlog and the server backlog.]

- Established: the full three-way handshake has completed
- Half-open: you have received a SYN and responded with a SYN+ACK, but are waiting for the final ACK from the client

Page 87
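A parser for the fields shown above that separates half-open connections from work the server has not yet accepted, added here as an example (not IBM code). The sample output is a re-typing of the slide's fragment with the field layout abbreviated, and "half-open = CurrentBacklog minus ServerBacklog minus FRCABacklog" is my reading of the slide's backlog diagram, so the half-open count is an estimate built on that.

```python
"""Parser for the backlog fields on the slide above (ServerBacklog and
FRCABacklog are new in z/OS V1R11 NETSTAT ALL) that separates half-open
connections from connections waiting to be accepted.  Added example, not IBM
code: SAMPLE is a constructed re-typing of the slide's fragment with the field
layout abbreviated, and the split "CurrentBacklog = half-open + ServerBacklog
+ FRCABacklog" is my reading of the slide's diagram."""
import re

SAMPLE = """\
MVS TCP/IP NETSTAT CS V1R11       TCPIP Name: TCPCS           16:49:28
Client Name: BPXOINIT                    Client Id: 00000021
  Local Socket: 0.0.0.0..10007           Foreign Socket: 0.0.0.0..0
  MaximumBacklog:     0000000010   CurrentBacklog:     0000000008
  ServerBacklog:      0000000003   FRCABacklog:        0000000002
  CurrentConnections: 0000000000   SEF:                100
"""

BACKLOG_FIELDS = ("MaximumBacklog", "CurrentBacklog", "ServerBacklog",
                  "FRCABacklog", "CurrentConnections", "SEF")
FIELD_RE = re.compile(r"(%s):\s+(\d+)" % "|".join(BACKLOG_FIELDS))
CLIENT_RE = re.compile(r"Client Name:\s+(\S+)")
LOCAL_RE = re.compile(r"Local Socket:\s+(\S+)")


def parse_listeners(report: str) -> list:
    """One dict per 'Client Name:' block with the backlog counters as ints
    (the report pads them with leading zeros)."""
    listeners, cur = [], None
    for line in report.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            cur = {"client": m.group(1)}
            listeners.append(cur)
        if cur is None:
            continue
        m = LOCAL_RE.search(line)
        if m:
            cur["local"] = m.group(1)
        for name, value in FIELD_RE.findall(line):
            cur[name] = int(value)
    return listeners


def backlog_findings(l: dict, fill_warn=0.8, half_open_warn=0.25) -> dict:
    """Split the current backlog and flag the two conditions the slides treat
    differently: a backlog the server is slow to drain (counts against its
    health) versus one dominated by half-open connections (a routing or
    network symptom, weighed less against the server in V1R11)."""
    cur = l["CurrentBacklog"]
    half_open = cur - l["ServerBacklog"] - l["FRCABacklog"]   # assumed split
    fill = cur / l["MaximumBacklog"] if l["MaximumBacklog"] else 0.0
    where = f"{l['client']} {l.get('local', '?')}"
    findings = []
    if fill >= fill_warn:
        findings.append(f"{where}: backlog {round(fill * 100)}% of MaximumBacklog, "
                        f"{l['ServerBacklog']} connections waiting for accept()")
    if cur and half_open / cur >= half_open_warn:
        findings.append(f"{where}: {half_open} of {cur} backlog entries are "
                        f"half-open (SYN received, final ACK outstanding)")
    return {"half_open": half_open, "fill": fill, "findings": findings}


if __name__ == "__main__":
    for listener in parse_listeners(SAMPLE):
        for finding in backlog_findings(listener)["findings"]:
            print(finding)
```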


HiperSockets Accelerator scope is limited

Provides fast path IP forwarding for these DLC combinations:
- Inbound OSA-Express QDIO, outbound HiperSockets
- Inbound HiperSockets, outbound OSA-Express QDIO

- No support for Sysplex Distributor acceleration
- No acceleration between two OSA-Express QDIO interfaces
- No acceleration between two HiperSockets interfaces

Page 88

Note: Unrelated, but worth mentioning: fix to the HiperSockets retry logic, APAR OA26541: R08 PTF UA44268 (HVT6180), R09 PTF UA44269 (HVT6190), R10 PTF UA44267 (HVT61A0)


A new, more complete QDIO routing accelerator

Provides fast path IP forwarding for these DLC combinations:
- Inbound OSA-E QDIO, outbound HiperSockets or OSA-E QDIO
- Inbound HiperSockets, outbound HiperSockets or OSA-E QDIO

Adds Sysplex Distributor (SD) acceleration:
- Inbound packets over HiperSockets or OSA-E QDIO
- When SD gets to the target stack using either:
  - Dynamic XCF connectivity over HiperSockets
  - VIPAROUTE over OSA-E QDIO

- Improves performance and reduces processor usage for such workloads
- Configure QDIOACCELERATOR on the IPCONFIG statement in the TCPIP profile

[Figure: with traditional routing a packet from the inbound OSA travels up through the DLC, networking (IPv4/IPv6) and transport protocol layers and back down to the outbound OSA; the QDIO accelerator forwards it at the DLC layer without traversing the networking and transport layers.]

Page 89


Sysplex Distributor accelerator performance

- Intended to benefit all existing Sysplex Distributor users
- Measurements with interactive workload, small data sizes (100 in, 800 out)
- Percentages relative to no acceleration

Configuration A: three z10 LPARs with OSA Express 3 cards and HiperSockets between the SD and server LPARs (z/OS 1 client, 1 GbE to z/OS 2 SD, HiperSockets to z/OS 3 server)

Configuration B: three z10 LPARs with OSA Express 3 cards (z/OS 1 client, 1 GbE to z/OS 2 SD, 1 GbE to z/OS 3 server)

[Figure: bar chart of the percentage change (0 down to -70%) in CPU on the SD LPAR and CPU on the server LPAR for configurations A and B]

Note: The performance measurements discussed in this presentation are preliminary z/OS V1R11 Communications Server numbers and were collected using a dedicated system environment. The results obtained in other configurations or operating system environments may vary.

Page 90


Netstat VCRT/-V example

NETSTAT VCRT DETAIL
MVS TCP/IP NETSTAT CS V1R11       TCPIP Name: TCPCS           14:16:16
Dynamic VIPA Connection Routing Table:
Dest IPaddr      DPort  Src IPaddr       SPort  DestXCF Addr
---------------  -----  ---------------  -----  ------------
201.2.10.11      00021  201.1.10.85      01027  201.1.10.10
  Intf: OSAQDIOLINK   VipaRoute: Yes   Gw: 199.100.1.1   Accelerator: Yes

Netstat ROUTe/-r example

NETSTAT ROUTE QDIOACCEL
MVS TCP/IP NETSTAT CS V1R11       TCPIP NAME: TCPCS           09:51:02
Destination        Gateway          Interface
----------------   ---------        ---------
9.67.4.1/32        0.0.0.0          OSAQDIO4
9.67.5.2/32        0.0.0.0          OSAQDIO5
9.67.20.3/32       0.0.0.0          HIPERSOCK2

Page 91


Use VTAM tuning statistics to verify packets are being accelerated

Shows packets/bytes which are:
- received over an interface and then accelerated (read direction)
- accelerated over an interface (write direction)

IST1233I DEV = 0E2A DIR = READ
IST1236I BYTECNTO = 0 BYTECNT = 9628
IST1810I PKTIQDO = 0 PKTIQD = 14
IST1811I BYTIQDO = 0 BYTIQD = 9368
IST924I -------------------------------------------------------------
IST1233I DEV = 0E2F DIR = WR/1
IST1236I BYTECNTO = 0 BYTECNT = 7424
IST1810I PKTIQDO = 0 PKTIQD = 10
IST1811I BYTIQDO = 0 BYTIQD = 6840
IST924I -------------------------------------------------------------

Page 92


Before you enable QDIO accelerator

- QDIO routing accelerator is IPv4 only
- Mutually exclusive with IPSECURITY
- Requires IP forwarding to be enabled (for non-SD acceleration)
- No acceleration for:
  - Traffic which requires fragmentation in order to be forwarded
  - VIPAROUTE over HiperSockets
  - Incoming fragments for an SD connection
  - Interfaces using optimized latency mode (OLM)
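The profile-level points of the list above can be checked before activation; the following added example (not IBM code) scans IPCONFIG statements for the keyword combinations the slide names. It assumes DATAGRAMFWD is the default when neither DATAGRAMFWD nor NODATAGRAMFWD is coded, and the sample profile is constructed; the run-time exclusions (fragmentation, VIPAROUTE over HiperSockets, OLM interfaces) are not visible to a profile scan.

```python
"""Checks a TCPIP profile fragment against the profile-level points of the
'Before you enable QDIO accelerator' slide.  Added example, not IBM code: only
the keywords the slide names are examined (QDIOACCELERATOR, IPSECURITY and the
DATAGRAMFWD/NODATAGRAMFWD pair; DATAGRAMFWD assumed as the default when neither
is coded); IPCONFIG6 is ignored because the accelerator is IPv4 only."""

# Constructed sample: accelerator requested on a stack that also has IP
# security enabled and general IP forwarding switched off.
SAMPLE_PROFILE = """\
; ---- constructed TCPIP profile fragment ----
IPCONFIG IPSECURITY              ; IP filtering / IPSec on this stack
IPCONFIG NODATAGRAMFWD
IPCONFIG QDIOACCELERATOR
IPCONFIG6 DATAGRAMFWD            ; IPv6 is not accelerated at all
"""


def ipconfig_keywords(profile: str) -> set:
    """Keywords coded on IPCONFIG statements; a later DATAGRAMFWD or
    NODATAGRAMFWD replaces an earlier one, as the last statement wins."""
    found = set()
    for raw in profile.splitlines():
        line = raw.split(";", 1)[0].strip().upper()    # ';' starts a comment
        parts = line.split()
        if not parts or parts[0] != "IPCONFIG":
            continue
        for kw in parts[1:]:
            if kw in ("DATAGRAMFWD", "NODATAGRAMFWD"):
                found -= {"DATAGRAMFWD", "NODATAGRAMFWD"}
            found.add(kw)
    return found


def check_qdio_accelerator(profile: str) -> list:
    """Findings against the slide's list; empty when the accelerator is not
    coded or nothing on the list is violated."""
    kw = ipconfig_keywords(profile)
    findings = []
    if "QDIOACCELERATOR" not in kw:
        return findings
    if "IPSECURITY" in kw:
        findings.append("QDIOACCELERATOR is mutually exclusive with IPSECURITY; "
                        "remove one of them")
    if "NODATAGRAMFWD" in kw:
        findings.append("NODATAGRAMFWD is coded: non-SD traffic cannot be "
                        "accelerated because IP forwarding is disabled; "
                        "only Sysplex Distributor connections qualify")
    return findings


if __name__ == "__main__":
    for finding in check_qdio_accelerator(SAMPLE_PROFILE) or ["no findings"]:
        print(finding)
```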

Page 93


Sysplex Distributor enhancements for multi-tier applications and non-z/OS targets

Extend Sysplex Distributor scope by adding support for non-z/OS targets:
- Enable SD to load balance to non-z/OS targets; initial candidate targets are XML appliances, such as DataPower
  - Note: Depends on upcoming DataPower support for which a GA date is not yet available
- Support requires an SD-specific agent on the target platform to provide weights, availability, and connection state information back to SD
- Connection forwarding based on MAC-level forwarding using GRE encapsulation

Enhance the quality of Sysplex Distributor load balancing decisions for multi-tiered z/OS workloads:
- When choosing a tier-1 z/OS server, consider the availability and WLM recommendations of the tier-2 server that will be used on the same system
- Increase the value of the existing optimized local support

Page 94


Tier 1 awareness of Tier 2 applications - configuration example


[Figure: four LPARs, LPAR1 to LPAR4, each with its own stack TCPIP1 to TCPIP4. Tier 1 is GROUP1 of WAS1 to WAS4 behind the Tier 1 SD (DVIPA1); Tier 2 is GROUP1 of CICS1 to CICS4 behind the Tier 2 SD (DVIPA2). The diagram labels CICS1 with WLM 1 and CICS2 to CICS4 with WLM 10; WAS1 to WAS4 are labelled WLM 10 with tier-1/tier-2 (T1T2) weights of 5, 10, 10 and 10.]

Tier 2 SD (DVIPA2):
VIPADEFINE TIER2 255.255.255.0 DVIPA2
VIPADISTRIBUTE TIER2 GROUP1 OPTLOCAL 1 DISTMETHOD SERVERWLM DVIPA2 Port 10002 DESTIP ALL

Tier 1 SD (DVIPA1):
VIPADEFINE TIER1 255.255.255.0 DVIPA1
VIPADISTRIBUTE TIER1 GROUP1 DISTMETHOD SERVERWLM DVIPA1 Port 10000 DESTIP ALL

Reducing cross-LPAR traffic for multi-tier z/OS workloads, reducing final end-user response times

Page 95


CPCSCOPE of dynamic VIPA addresses

[Figure: CPC1 hosts SYS1 and SYS2 (z/OS EIS tier) and CPC2 hosts SYS3 and SYS4 (z/OS EIS tier). Each CPC has its own distributed address, SD @1 on CPC1 and SD @2 on CPC2, and its own Linux on System z HTTP tier in front of it; an external load balancer sits in front of both HTTP tiers.]

Page 96


DataPower integration with Sysplex Distributor

[Figure: DataPower appliances DP @A1, DP @A2 and DP @A3, each running an SD Agent, are tier-1 targets of SD Tier-1 @1 on the z/OS systems SYS1 and SYS2 (with SD Acceleration on z/OS); clients connect to @1.]

Note: Depends on upcoming DataPower support for which a GA date is not yet available.

Page 97

Sysplex Distributor multi-site support for DataPower - configuration example


[Figure: Site 1 is CPC1 with LPAR1/TCPIP1/WAS1 and LPAR2/TCPIP2/WAS2; Site 2 is CPC2 with LPAR3/TCPIP3/WAS3 and LPAR4/TCPIP4/WAS4. WAS1 to WAS4 form Tier 2 GROUP1. DataPower appliances DATAP1 (201.81.10.1) and DATAP2 (201.81.10.2) at site 1 and DATAP3 (201.81.20.3) and DATAP4 (201.81.20.4) at site 2 form Tier 1 GROUP1 behind the Tier 1 SD (DVIPA1). Each site has its own CPCSCOPE Tier 2 SD: DVIPA2 with CPCSCOPE address 201.81.10.7 at site 1, DVIPA3 with CPCSCOPE address 201.81.20.7 at site 2.]

Tier 2 SD, site 1 (CPCSCOPE):
VIPADEFINE CPCSCOPE 255.255.255.0 201.81.10.7
VIPADEFINE TIER2 CPCSCOPE 255.255.255.0 DVIPA2
VIPADISTRIBUTE TIER2 GROUP1 DISTMETHOD SERVERWLM DVIPA2 Port 10002 DESTIP ALL

Tier 2 SD, site 2 (CPCSCOPE):
VIPADEFINE CPCSCOPE 255.255.255.0 201.81.20.7
VIPADEFINE TIER2 CPCSCOPE 255.255.255.0 DVIPA3
VIPADISTRIBUTE TIER2 GROUP1 DISTMETHOD SERVERWLM DVIPA3 Port 10002 DESTIP ALL

Tier 1 SD:
VIPADEFINE TIER1 255.255.255.0 DVIPA1
VIPADISTRIBUTE TIER1 GROUP1 GRE CONTROLPORT 1702 DISTMETHOD TARGCONTROLLED DVIPA1 Port 10000 DESTIP 201.81.10.1 201.81.10.2 201.81.20.3 201.81.20.4

Note: Depends on upcoming DataPower support for which a GA date is not yet available.

Page 98


Agenda
Workshop introduction
z/OS V1R11 Communications Server
  Application integration, data consolidation, and standards
  Availability and business resilience
  Scalability, performance, constraint relief, and accelerators
  Networking security
  Simplification and ease-of-use
  SNA and Enterprise Extender
  Virtualization
  Systems management and monitoring
What does Web services mean to your z/OS networking environment
Next generation Internet: IPv6
Roadmap for SNA modernization
Trends and direction

Disclaimer: All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an as is basis, without warranty of any kind.

Page 99


Security
  IPSec enhancements
  AT-TLS enhancements

[Figure: z/OS network security layers: SSH, SSL/TLS, IDS, IP filters and IPSec]

Note: Be aware there is a known interoperability issue between z/OS IPSEC and Microsoft Vista, Windows 2008 Server and Windows 7. See http://support.microsoft.com/kb/968485
  The interoperability problem only occurs if z/OS is the responder (and hence, the Windows server is the initiator). When z/OS is the initiator, the two do interoperate.
  z/OS successfully interoperates with Windows 2000, XP and 2003 Server.
Page 100
True end-to-end security

2009 IBM Corporation

ibm.com

yourdotcom

International Technical Support Organization and Authoring Services

z/OS Communications Server networking security technologies


Two general types of network encryption:
  IPSec/VPNs (Virtual Private Networks): system to system, transparent to applications
  SSL (Secure Sockets Layer): application to application (TCP only)
    The IETF standardized SSLv3 under the name TLS (Transport Layer Security)

[Figure: on z/OS, CICS SSL, WAS SSL and MQ SSL (zAAP) call System SSL directly; NetView, OMEGAMON, DB2, CIMOM, FTP, TN3270, IMS, JES/NJE, CICS Sockets, 3rd party and any customer application are covered by AT-TLS for TCP connections, also built on the System SSL z/OS service, talking to an SSL/TLS remote application; any application or subsystem, including EE and other UDP-based applications, is covered by IPSec VPNs to IPSec-enabled systems, with IPSec work eligible for zIIP.]

Two ways SSL has been implemented on z/OS:
  Application or subsystem layer encryption (per connection)
    Requires changes to the application
  Network layer encryption (also per connection), but using a common service transparent to the z/OS application or subsystem: AT-TLS in z/OS V1R7+ z/OS Communications Server

IPSec on z/OS:
  System to system encryption, transparent to all applications and subsystems (including UDP traffic, which Enterprise Extender uses)
  IPSec can use zIIP today (z/OS V1R8+)
    Use of zIIP depends on network traffic: the more traffic, the higher the zIIP usage

Page 101


IPSec VPN usage


[Bar chart: IPSec VPNs to platforms, percentage of respondents per peer platform: z/OS, Windows, Linux, AIX, Other, Cisco, MS HIS, Firewall]

Base: 39 responses

Are you using IPSec tunnels on z/OS today? Yes: 26%, No: 74%

Source: z/OS Communications Server CAP customer survey early 2009.

Page 102

Expectations to amount of secured traffic

[Chart: percentage of traffic secured, today and expected for each year from 2010 to 2015]

Source: z/OS Communications Server CAP customer survey early 2009.

Page 103

IPSec enhancements
In compliance with RFC 2408, the z/OS Communications Server IKED in V1R11 supports an exponential back-off retransmission algorithm.
This is a more efficient retransmission algorithm, which will also help improve IKED's response to network congestion situations.

In V1R11, z/OS Communications Server reports additional tunnel selector and attribute information on the ipsec command, network management interfaces (NMIs) and SMF records.
This information can currently be inferred from other attributes, but is provided for completeness.

z/OS V1R11 continues to support the IKE version 1 protocol, but plans are in place for support of IKE version 2, as the following statement of direction indicates:
IBM intends to update z/OS with support for the latest Internet Key Exchange protocol, version 2 (IKEv2), as defined by industry standards documented in "Internet Key Exchange (IKEv2) Protocol", RFC 4306, and "IKEv2 Clarifications and Implementation Guidelines", RFC 4718, and other publications. This support is intended to allow z/OS to maintain compliance with industry standard IPv6 profiles, and to expand the options available to network administrators for configuring IPSec-protected communications with z/OS systems.

Page 104


AT-TLS enhancements
AT-TLS supports the new System SSL functions that have been added to System SSL since z/OS V1R7:
  TLS V1.1
  Using RFC 3280 to validate a certificate
  Negotiation and use of a truncated HMAC
  Negotiation and use of a maximum SSL fragment size
  Negotiation and use of handshake server name indication
  Setting the CRL LDAP server access security level

[Figure: applications issue socket calls; the Policy Agent reads the Application Transparent TLS policy flat file and installs it in the TCP layer, which makes the System SSL calls on the application's behalf, above the IP networking layer and the network interfaces.]

AT-TLS is also updated to address FIPS 140-2 requirements for applications that use AT-TLS to provide secure connections.

Page 105


What are z/OS installations using AT-TLS for

[Bar chart: AT-TLS usage, percentage of respondents per protected workload: TN3270, FTP, CICS Sockets, JES/NJE traffic, DB2/DRDA, OEM products, Other]

Source: z/OS Communications Server CAP customer survey early 2009.

Page 106

TLS Version 1.1 support by AT-TLS


Compared to the TLS 1.0 protocol, the TLS 1.1 protocol contains some small security improvements, clarifications, and editorial improvements. The major changes are:
  The implicit Initialization Vector (IV) is replaced with an explicit IV to protect against CBC attacks.
  Handling of padding errors is changed to use the bad_record_mac alert rather than the decryption_failed alert to protect against Cipher Block Chaining (CBC) attacks.
  IANA registries are defined for protocol parameters.
  Premature closes no longer cause a session to be non-resumable.
  Additional informational notes were added for various new attacks on TLS.

The Transport Layer Security (TLS) Protocol Version 1.1, RFC 4346

[Configuration Assistant panel: Perspective -> AT-TLS -> Security Levels -> Add -> Next]
Page 107

What is FIPS 140-2?


The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard used to accredit cryptographic modules.
  The title is Security Requirements for Cryptographic Modules.
  Includes both hardware and software components.
  Initial publication was on May 25, 2001 and it was last updated December 3, 2002.

Cryptographic Module Validation Program
  FIPS 140-2 establishes the Cryptographic Module Validation Program (CMVP) as a joint effort by the National Institute of Standards and Technology (NIST) for the US, and the Communications Security Establishment (CSE) for the Canadian government.
  Specific products must pass the validation - FIPS 140-1 and FIPS 140-2 Vendor List: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm

z/OS V1R11 addresses FIPS 140-2 level 1
  Support for code signing for Program Objects in PDSEs
    Support in Binder and Loader to sign and verify signatures
  System SSL support for a new mode of operation designed to meet NIST FIPS 140-2 Level 1 criteria
  AT-TLS support for FIPS 140-2, for TN3270, FTP, CICS Sockets, and other applications that use AT-TLS for secure connections
Page 108

AT-TLS support for System SSL FIPS 140-2 mode


A new advanced settings attribute in an AT-TLS security level

[Configuration Assistant panel: Perspective -> AT-TLS -> Security Levels -> Add -> Next -> Next]

Page 109


Agenda
Workshop introduction
z/OS V1R11 Communications Server
  Application integration, data consolidation, and standards
  Availability and business resilience
  Scalability, performance, constraint relief, and accelerators
  Networking security
  Simplification and ease-of-use
  SNA and Enterprise Extender
  Virtualization
  Systems management and monitoring
What does Web services mean to your z/OS networking environment
Next generation Internet: IPv6
Roadmap for SNA modernization
Trends and direction

Disclaimer: All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an as is basis, without warranty of any kind.

Page 110


Simplification and ease-of-use


Removal of NDB, DHCP Server, BINL, and BIND 4.9.3
Syslogd enhancements
  Syslogd browser and search facility
Policy infrastructure management
MVS console support for selected TCP/IP commands
Configuration Assistant - AT-TLS and IPSec improvements
Configuration Assistant - policy infrastructure simplification

Consumability: Can be easily installed, configured, administered, integrated and used without sacrificing flexibility or features.
Page 111

Removal of selected functions
As described in earlier statements of direction (SODs), the following functions are, as of z/OS V1R11, no longer shipped with z/OS Communications Server:
  Network Database (NDB)
    Use Distributed Relational Database Architecture (DRDA) protocols instead for remote access to DB2 databases on z/OS
  Dynamic Host Configuration Protocol (DHCP) server
    Use a DHCP server on another operating system platform, such as Linux on System z
  Boot Information Negotiation Layer (BINL)
    Use a BINL server on another operating system platform, such as Linux on System z
    You may be able to use IBM Tivoli Provisioning Manager for OS Deployment V5 (5724-Q99) for network-based operating system installation services
  Bind 4.9.3 server with WLM extensions
    Use Sysplex Distributor for TCP connection workload management in a z/OS Sysplex
    Use the Automated Domain Name Registration (ADNR) component on z/OS for dynamic registration of hostnames in a name server based on server start-up and shut-down

Page 112


z/OS Communications Server policy-based networking infrastructure overview


Perceived by some as a complex infrastructure
  Some initial cost to set up and enable the infrastructure
  Difficult to manage and operate the infrastructure
  But many valuable functions
z/OS V1R11 Communications Server simplifies the overall setup and operation of the networking policy infrastructure
  Making it simpler to gain the benefits of the networking policy-based functions on z/OS

[Figure: policy infrastructure. Policies are written with the Configuration Assistant for z/OS Communications Server or a text editor, such as ISPF on TSO, and stored as policy and configuration files on z/OS. The Policy Agent installs and maintains policies in the TCP/IP components: IDS policies, PBR policies, IPSec filter and VPN policies, QoS policies and AT-TLS policies in the z/OS TCP/IP stack, the IKE policy in the IKED daemon, and local networking policies for NSSD, RSVPD, the Defense Manager with its Defensive Actions database, TRMD (one per stack) and NSLAPM2 (one per stack). IP packets flow between the stack and the IP network; selected policy events and log buffers go to the SyslogD log files, OPERLOG and the MVS console.]

What the policy-based functions provide:
  IP filtering to block unwanted traffic from entering or leaving your z/OS system
  Application-specific selection of outbound interface and route (policy-based routing, PBR)
  Connection-level security for TCP applications without application changes
  Providing secure end-to-end IPSec VPN tunnels on z/OS
  Making sure high-priority applications also get high-priority processing by the network
  Protection against "bad guys" trying to attack your z/OS system

Page 113


Policy infrastructure simplification - overview


Syslogd performance, management, and usability
  Multi-threaded syslogd for improved performance and message capturing reliability
  Archival processing of active z/OS UNIX log files to MVS data sets
  z/OS console command support to start, stop, and monitor syslogd
  Search and browse interface to syslogd log data in TSO/ISPF

Configuration Assistant improvements in support of policy infrastructure simplifications
  Beyond policies: component configuration files, RACF definitions, started task procedures, task lists, and so forth
  z/OS base location: z/OS UNIX directory or PDS(E) library structure
  The installation interface is improved to allow multiple installation files to be delivered to the target z/OS system in a single transaction

Extend selected USS command usage to TSO, NetView, and the MVS console (pasearch, ipsec, trmdstat, and others)
  Console support based on System REXX support for REXX Unix System Services

NLS enabling the policy infrastructure
  Support for EBCDIC codepages other than IBM-1047 for the syslogD, PAGENT, IKED, NSSD, and DMD configuration files
  Support for EBCDIC codepages other than IBM-1047 for the policy definition files

Policy infrastructure management
  Simplified start/stop/monitoring of syslogD, IKED, NSSD, TRMD, and DMD
  Configuration Assistant configuration of PAGENT and DMD configuration files

Page 114


z/OS Syslogd overview

[Figure: z/OS syslogd overview. Inside one z/OS LPAR, local application A and local application B write messages to /dev/log (AF_UNIX); a local syslogd (syslogd -i) with its own local syslogd configuration receives them, and a network syslogd (syslogd -n) with its own network syslogd configuration receives messages on UDP port 514 (AF_INET) from some remote host and can forward to some central logging host on UDP port 514. Both daemons write active UNIX log files that are archived to MVS data set logs; messages can also be sent to the MVS operations log (/dev/operlog), to SMF and to the z/OS console.]

Note: SyslogD is not the same as your normal system log.
  SyslogD: UNIX logging
  System log: JES-based system logging

Page 115


Syslogd performance, management, and usability


[Figure: syslogd in z/OS V1R11. New: the Configuration Assistant generates the SyslogD configuration file. New: MVS console command support (P SYSLOGD, F SYSLOGD,RESTART, F SYSLOGD,ARCHIVE, F SYSLOGD,DISPLAY). Syslogd changed to be multithreaded for improved scalability: a main thread, an archive control thread and one destination thread per destination, writing the active log files. New: automated archival support, with archival initiated by 1. time of day (example: midnight), 2. file system utilization above threshold, or 3. operator command; SyslogD file ARCHIVE jobs copy the active log files to archived log files (GDG data sets or data sets with date/time info as LLQ). New: ISPF-based search and browse support application.]

Page 116


Archival process timeline


[Figure: timeline of one archive cycle for the destination file iked.log, from "Archive starts" through the five steps below, ending with the archive data set hlq.ARCH.IKED.Dxx.Tyy]

1. Syslogd has opened and writes to iked.log
2. iked.log is renamed to iked.log.Dxx.Tyy
3. Syslogd continues to write to the file that is now named iked.log.Dxx.Tyy
4. Signal syslogd to re-initialize, which makes syslogd close iked.log.Dxx.Tyy and create a new iked.log to which it starts to write, freeing up iked.log.Dxx.Tyy
5. Archive iked.log.Dxx.Tyy to HLQ.ARCH.IKED.Dxx.Tyy and delete iked.log.Dxx.Tyy after the archival is done

Renamed UNIX files: filename.Dyymmdd.Thhmmss
  Contains all records for current and previously failed archives
Sequential target data sets: prefix.qualifier.Dyymmdd.Thhmmss
GDG target data sets: prefix.qualifier.GnnnnVnn
Page 117

Sample syslogd configuration file with archive options

# Syslogd configuration file
# USER1.TCPCS.TCPPARMS(SYSLOGT)
ArchiveThreshold 75
ArchiveCheckInterval 30
ArchiveTimeOfDay 00:01
BeginArchiveParms
  DSNPrefix USER1.SYSLOGT
  Volume DB2ABC
  MgmtClas STANDARD
EndArchiveParms
#
*.*               /var/syslog/logs/syslog.log  -N SYSLOG(+1)
*.INETD*.*.*      /var/syslog/logs/inetd.log   -X
*.OSNMP*.*.*      /var/syslog/logs/osnmpd.log  -X
*.PAGENT*.*.*     /var/syslog/logs/pagent.log  -N PAGENT(+1)
*.FTP*.*.*        /var/syslog/logs/ftp.log     -N FTP(+1)
*.TCPCS.daemon.*  /var/syslog/logs/ATTLS.log   -N ATTLS(+1)
*.TRMD*.local4.*  /var/syslog/logs/FILT.log    -N TRMD(+1)
*.IKED*.local4.*  /var/syslog/logs/IKED.log    -N IKED(+1)
*.TRMD*.daemon.*  /var/syslog/logs/IDS.log     -N IDS(+1)

Callouts on the sample:
  DSNPrefix indicates the archive data set high level qualifier(s). You may use MVS system symbols in this value. You may have more ArchiveParms blocks in your Syslogd configuration file if you need to use different HLQs.
  -N LLQ indicates the low level qualifier of the archive data set name. If the LLQ ends in (+1), it is a GDG. Otherwise Syslogd adds date and time LLQs after the LLQ you specify and allocates a plain sequential MVS data set.
  -X indicates that Syslogd may clear this file when archival processing is being performed.
  The lines after the # are the Syslogd rule criteria that govern where messages received by Syslogd are being logged. In this example only UNIX files are used to log messages to. The selector is Userid.jobname.facility.priority.

Page 118
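To see which log file a given message ends up in under rules like these, here is an added Python example (not from the presentation and not z/OS syslogd's own code) that parses the destination rules of the sample configuration and lists every destination a message matches, keyed by the Userid.jobname.facility.priority selector the slide names. It assumes BSD syslog semantics the slide does not state: every matching rule receives the message, and a rule priority selects that level plus every more severe one.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional

# BSD syslog priority names, most severe first. A rule priority selects that
# level and every more severe level; "*" selects all. (Assumed BSD semantics.)
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Copied from the presentation's sample syslogd configuration file.
SAMPLE_CONFIG = """\
# Syslogd configuration file  USER1.TCPCS.TCPPARMS(SYSLOGT)
ArchiveThreshold 75
ArchiveCheckInterval 30
ArchiveTimeOfDay 00:01
BeginArchiveParms
  DSNPrefix USER1.SYSLOGT
  Volume DB2ABC
  MgmtClas STANDARD
EndArchiveParms
*.*               /var/syslog/logs/syslog.log  -N SYSLOG(+1)
*.INETD*.*.*      /var/syslog/logs/inetd.log   -X
*.OSNMP*.*.*      /var/syslog/logs/osnmpd.log  -X
*.PAGENT*.*.*     /var/syslog/logs/pagent.log  -N PAGENT(+1)
*.FTP*.*.*        /var/syslog/logs/ftp.log     -N FTP(+1)
*.TCPCS.daemon.*  /var/syslog/logs/ATTLS.log   -N ATTLS(+1)
*.TRMD*.local4.*  /var/syslog/logs/FILT.log    -N TRMD(+1)
*.IKED*.local4.*  /var/syslog/logs/IKED.log    -N IKED(+1)
*.TRMD*.daemon.*  /var/syslog/logs/IDS.log     -N IDS(+1)
"""


@dataclass
class Rule:
    userid: str                      # pattern, e.g. "*" or "USER1*"
    jobname: str                     # pattern, e.g. "TRMD*"
    facility: str                    # "daemon", "local4", ... or "*"
    priority: str                    # minimum priority name or "*"
    destination: str                 # z/OS UNIX file the messages go to
    archive_llq: Optional[str] = None  # -N value: LLQ of the archive data set
    clearable: bool = False          # -X: syslogd may clear the file at archival

    @property
    def is_gdg(self) -> bool:
        # An LLQ ending in (+1) names a GDG; otherwise syslogd appends date/time LLQs.
        return self.archive_llq is not None and self.archive_llq.endswith("(+1)")


# A rule line: selector, a destination path starting with "/", then options.
RULE_RE = re.compile(r"^(?P<sel>[\w*.]+)\s+(?P<dest>/\S+)(?P<opts>.*)$")


def parse_rules(config: str) -> List[Rule]:
    rules = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:  # archive keywords and the BeginArchiveParms block are not rules
            continue
        sel = m.group("sel").split(".")
        if len(sel) == 2:  # plain facility.priority form: any user ID and job name
            sel = ["*", "*"] + sel
        if len(sel) != 4:
            raise ValueError(f"bad selector in rule: {line}")
        opts = m.group("opts").split()
        llq = opts[opts.index("-N") + 1] if "-N" in opts else None
        rules.append(Rule(sel[0], sel[1], sel[2], sel[3], m.group("dest"),
                          archive_llq=llq, clearable="-X" in opts))
    return rules


def rule_matches(rule: Rule, userid: str, jobname: str, facility: str, priority: str) -> bool:
    """User ID and job name patterns are compared case-insensitively with * wildcards."""
    if not fnmatch.fnmatchcase(userid.upper(), rule.userid.upper()):
        return False
    if not fnmatch.fnmatchcase(jobname.upper(), rule.jobname.upper()):
        return False
    if rule.facility != "*" and rule.facility != facility:
        return False
    if rule.priority != "*" and PRIORITIES.index(priority) > PRIORITIES.index(rule.priority):
        return False
    return True


def destinations(rules: List[Rule], userid: str, jobname: str,
                 facility: str, priority: str = "info") -> List[str]:
    """Every destination file that receives the message (all matching rules)."""
    return [r.destination for r in rules
            if rule_matches(r, userid, jobname, facility, priority)]
```

Note that a TRMD message logged with facility daemon lands in IDS.log while one logged with local4 lands in FILT.log, which is why the facility a daemon logs with matters when you search for IDS or filter events.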

Starting, stopping, and operating syslogd


//SYSLOGD  PROC
//*
//*   Start Syslogd
//*
//SYSLOGD  EXEC PGM=SYSLOGD,REGION=0K,TIME=NOLIMIT,
//   PARM=('POSIX(ON) ENVAR("_CEE_ENVFILE=DD:MYENV")',
//   '/ -c -u -i -f //''USER1.TCPCS.TCPPARMS(SYSLOGT)''')
//SYSPRINT DD SYSOUT=*
//MYENV    DD DSN=USER1.TCPCS.TCPPARMS(SYSLOGEV),DISP=SHR
//SYSERR   DD SYSOUT=*
//SYSOUT   DD SYSOUT=*
//CEEDUMP  DD SYSOUT=*

-c  Create log files and directories
-u  Include userID and job name
-i  Local-only mode
-f  Configuration file

If you start Syslogd from the UNIX shell, you must include a trailing ampersand character (&) to run it as a background process. This is especially important if you start Syslogd from a shell script such as /etc/rc.

Action      Prior to z/OS V1R11                            z/OS V1R11
S SYSLOGD   Resulting address space name became SYSLOGD1   Resulting address space name becomes SYSLOGD
F SYSLOGD   Not supported                                  F SYSLOGD,RESTART
                                                           F SYSLOGD,ARCHIVE
                                                           F SYSLOGD,DISPLAY
P SYSLOGD   Not supported                                  SYSLOGD will terminate

Syslogd in z/OS V1R11 no longer forks after start-up!

Page 119


Preparing for using the syslogd browser ISPF tool


ISPF setup
  hlq.SEZAPENU - ISPF panel library
  hlq.SEZAMENU - ISPF message library
  hlq.SEZAEXEC - REXX program library (all REXX programs, except EZABROWS, are compiled REXX programs)
  hlq.SEZALOAD - load module library (in your LNKLST or on TSO STEPLIB)

Note the following limitation if the REXX Alternate runtime Library is used (hlq.SEAGALT instead of hlq.SEAGLPA):
  No performance benefits as compared to interpreted REXX

Two ways to start the Syslogd browser:
  If TCPIP ISPF and REXX libraries are pre-allocated:
    Start the EZASYRGO REXX program
  If TCPIP ISPF and REXX libraries are not pre-allocated:
    Copy EZABROWS to your REXX library and make local modifications
      This REXX program is delivered in source form
    Start the customized EZABROWS REXX program

/* ------------------------------------------------------------------ */
/* Change the value in the following statement                        */
/* ------------------------------------------------------------------ */
hlq = TCPIP
/* ------------------------------------------------------------------ */
/* No customization is needed below this point in this REXX           */
/* ------------------------------------------------------------------ */

Page 120


Syslogd browser entry panel


In z/OS V1R11, a TSO/ISPF interface to browse and search messages captured by Syslogd is also introduced. The Syslogd browser works with active UNIX files and archived MVS data sets. The panel shown here is the initial panel when you start the Syslogd browser. This panel is used to set general options and to select the Syslogd configuration file representing the syslog daemon you want to work with.
Page 121

*------------------------- z/OS CS Syslogd Browser ----------- Row 1 to 7 of 7
Command ===>                                                  Scroll ===> PAGE

Enter Syslogd browser options
  Recall migrated data sets  ==> NO    (Yes/No)  Recall data sets or not
  Maximum hits to display    ==> 5     (1-99999) Search results to display
  Maximum file archives      ==> 10    (0-400)   Days to look for file archives
  Display start date/time    ==> YES   (Yes/No)  Retrieve start date/time
  Display active files only  ==> NO    (Yes/No)  Active files only, no archives
  DSN Prefix override value  ==>

Enter file or data set name of Syslogd configuration, or select one from below:
  File/DS Name ==> 'user1.tcpcs.tcpparms(syslogt)'

Press ENTER to continue, press END to exit without a selection
Line commands: S Select, R Remove from list, B Browse content, E Edit content

Cmd Recently used Syslogd configuration file or data set name
--- ---------------------------------------------------------------------------
    'user1.tcpcs.tcpparms(syslogt)'
    'user1.tcpcs.tcpparms(syslogn)'
    'user1.tcpcs.tcpparms(sysltom)'
    tcpcs.tcpparms(test)
    tcpcs.tcpparms(syslogt)
    /etc/syslog.test
    /etc/syslog.alfred.conf
******************************* Bottom of data ********************************

[Pop-up panel "z/OS CS Syslogd Browser": Collecting information about active Syslogd files and archives. Please be patient.]



Syslogd destination view

*------------------------- z/OS CS Syslogd Browser ---------- Row 1 to 7 of 12
OPTION ===>                                                   Scroll ===> PAGE
  1  Change current syslogd configuration file and/or options
  2  Guide me to a possible syslogd destination
  3  Clear guide-me hits (indicated by ==> in the Cmd column)
  4  Search across all active syslogd files

Current config file ==> 'user1.tcpcs.tcpparms(syslogt)'
Press ENTER to select an entry, press END to exit the syslogd browser
Line commands: B Browse, A List archives, S Search active file and archives,
               SF Search active file, SA Search archives, I File/DSN info
                                                                 Archive
Cmd Rule/Active UNIX file name                 Start Time        Type Avail.
--- --------------------------------------------- ----------------- ---- ------
    *.*                                           09 Dec 2008 00:00 GDG  3
    /var/syslog/logs/syslog.log
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    *.TCPCS*.*.*                                  09 Dec 2008 13:47 SEQ  9
    /var/syslog/logs/tcpcs.log
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    *.INETD*.*.*                                  Empty N/A         None 0
    /var/syslog/logs/inetd.log
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    *.OSNMP*.*.*                                  09 Dec 2008 13:47 CLR  0
    /var/syslog/logs/osnmpd.log
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    *.PAGENT*.*.*                                 09 Dec 2008 00:01 SEQ  13
    /var/syslog/logs/pagent.log
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    *.FTP*.*.*                                    08 Dec 2008 15:22 FILE 2
    /var/syslog/logs/ftp.08.12.08.log
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    *.FTP*.*.*                                    08 Dec 2008 15:22 FILE 2
    /var/syslog/logs/ftp.08.12.2008.log

This panel shows the syslogd destination rules that direct messages to z/OS UNIX files. The files on this panel are referred to as the active log files.
Page 122


BROWSE    /var/syslog/logs/pagent.log                  Line 00000000 Col 001 080
Command ===>                                                  Scroll ===> PAGE
********************************* Top of Data **********************************
Dec 9 00:01:10 MVS098/TCPCS PAGENT Pagent[13]: EVENT :006: policy_perf_get_sampling_data(): Obtained 2 policy performance data entries from the stack
Dec 9 00:01:10 MVS098/TCPCS PAGENT Pagent[13]: EVENT :006: pqos_refresh_perf_cache: Refreshing cache with 2 performance entries
Dec 9 00:01:10 MVS098/TCPCS PAGENT Pagent[13]: EVENT :006: pqos_refresh_perf_cache: Refresh complete: #sla=2, #cache=1, #SL=1, #cacheSL=1
Dec 9 00:01:10 MVS098/TCPCS PAGENT Pagent[13]: EVENT :006: policy_perf_send_msg_to_SD(): Sending 1 default fractions to the stack
Dec 9 00:01:10 MVS098/TCPCS PAGENT Pagent[13]: EVENT :008: pqos_send_frns_to_SD: Sending fractions to the stack, 1 headers, 1 entries
Dec 9 00:02:09 MVS098/TCPCS PAGENT Pagent[13]: EVENT :001: check_main_config_file: Main configuration file updated
Dec 9 00:02:09 MVS098/TCPCS PAGENT Pagent[13]: EVENT :001: check_main_config_file: pagentRefresh = NO
Dec 9 00:02:09 MVS098/TCPCS PAGENT Pagent[13]: EVENT :005: check_config_files: Thread cleanup completed
Dec 9 00:02:09 MVS098/TCPCS PAGENT Pagent[13]: EVENT :007: qosListener: Thread cleanup completed
Dec 9 00:02:09 MVS098/TCPCS PAGENT Pagent[13]: SYSERR :008: pqos_recv_msg_from_listener: recv with peek failed, errno EDC8121I Connection reset., errno2 76650446
Dec 9 00:02:09 MVS098/TCPCS PAGENT Pagent[13]: OBJERR :008: pqos_get_info_from_listeners: pqos_recv_msg_from_listener failed
Dec 9 00:02:09 MVS098/TCPCS PAGENT Pagent[13]: LOG :008: pqos_get_info_from_listeners: EZZ8775I PAGENT ON TCPCS CONNECTION NO LONGER ACTIVE TO 192.168.5.1..1700
Dec 9 00:02:09 MVS098/TCPCS PAGENT Pagent[13]: EVENT :008: pqos_get_info_from_listeners: Thread cleanup completed
Dec 9 00:02:09 MVS098/TCPCS PAGENT Pagent[13]: EVENT :006: policy_perf_monitor: Thread cleanup completed

Browse an active syslogd file

A normal ISPF browser interface.

Page 123


Search argument panel

*------------------------- z/OS CS Syslogd Browser ---------------------------*
OPTION ===>

Enter your search options.
  Case sensitive   ==> NO                    (Yes/No)  Are string arguments case sensitive?
  Maximum hits     ==> 5                     (1-99999) Max number of hits to display
  Result DSN name  ==> 'USER1.SYSLOGD.LIST'
  Result DSN UNIT  ==> SYSALLDA              Unit name for allocating new result DSN
  Result DSN disp  ==> 1                     1:Keep, 2:Delete, 3:Display print menu

Enter your search arguments. All arguments will be logically ANDed.
  From date . . . ==> 2008/12/07 - and time . . . ==> 10:50:00   (yyyy/mm/dd) (hh:mm:ss) Search from date and time (24-hour clock)
  To date . . . . ==> 2008/12/08 - and time . . . ==> 02:00:00   (yyyy/mm/dd) (hh:mm:ss) Search to date and time (24-hour clock)
  User ID . . . . ==>                                             z/OS user ID of logging process
  Job name . . . . ==>                                            z/OS jobname of logging process
  Rem. host name . ==>
  Rem. IP address ==>
  Message tag . . ==> syslogd                                     Enter ? for list
  Process ID . . . ==>                                            z/OS UNIX process ID
  String 1 . . . . ==>
  String 2 . . . . ==>
  String 3 . . . . ==>
  String 4 . . . . ==>

Press ENTER to start search, press END to return to main panel without search

[Progress pop-up "z/OS CS Syslogd Browser": *** S E A R C H I N G ***, 1 of 4 files/dsn processed so far, 150000 lines processed so far, 24% |****................|, Please be patient. Halt the search by pressing ATTN and entering HI.]

The search data entry panel is used to initiate a search across one or more syslogd files and data sets.

Message tags are typically component names. PID availability depends on options set by the logging application. UserID and jobnames are available for local messages if syslogd is started with the -u option. UserID, jobname, message tag, and remote host name will always be case insensitive.


The anatomy of a message logged by syslogd


A message logged by a local application; syslogd started with the -u option to have user ID and job name included in each logged message:

  Jun 25 09:52:08 MVS098/TCPCS PAGENT Pagent[15]: text
  --timestamp---- -host-/-userID- Jobname -Tag--PID- -message-->

Timestamp
  Month is always a 3-character English month name followed by the day in the month. Note that syslogd never includes the year.
  Time of day is always in 24-hour clock format (hh:mm:ss, where hh goes from 00 to 24).
  The time value can be controlled by way of the TZ environment variable as it is set for the logging application, not for syslogd itself! Sample CEEPRMxx member in SYS1.PARMLIB:

  CEEDOPT( ENVAR(NLSPATH=/COPY/%N:/USR/LIB/NLS/MSG/%L/%N,TZ=EST5EDT), )
  CEECOPT( ENVAR(NLSPATH=/COPY/%N:/USR/LIB/NLS/MSG/%L/%N,TZ=EST5EDT), )
  CELQDOPT( ENVAR(NLSPATH=/COPY/%N:/USR/LIB/NLS/MSG/%L/%N,TZ=EST5EDT), )
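To make the record layout above and the search panel's ANDed, case-insensitive matching concrete, here is an added Python example (not part of the IBM presentation): it parses records in that layout, supplies the year that syslogd omits, and applies the panel's search arguments. Names such as Record, SearchArgs, and panel_time are this example's own; the sample records are constructed (adapted from the pagent.log browse shown earlier), and the choice to match String 1..4 against the whole record is an assumption.

```python
"""Parse z/OS syslogd records and apply the ANDed search arguments.

Added example, not from the IBM presentation. Record layout as the slides
describe it ("/userID jobname" only when syslogd runs with -u, "[pid]" only
when the logging application asked for it):
    Mon dd hh:mm:ss host[/userID jobname] tag[pid]: message
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

RECORD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^ /]+)(?:/(?P<user>\S+) (?P<job>\S+))? "
    r"(?P<tag>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

@dataclass
class Record:
    when: datetime          # year comes from the caller; syslogd never logs it
    host: str
    user: Optional[str]     # None unless syslogd ran with -u
    job: Optional[str]
    tag: str
    pid: Optional[int]
    msg: str
    raw: str

def parse_record(line: str, year: int) -> Optional[Record]:
    """Return a Record, or None for a line that is not a syslogd record."""
    m = RECORD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    hh, mm, ss = (int(p) for p in m["time"].split(":"))
    try:
        when = datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss)
    except (KeyError, ValueError):   # unknown month, bad day, or hh == 24
        return None
    return Record(when, m["host"], m["user"], m["job"], m["tag"],
                  int(m["pid"]) if m["pid"] else None, m["msg"], line)

def panel_time(text: str) -> datetime:
    """Parse the panel's 'yyyy/mm/dd hh:mm:ss' date and time pair."""
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")

@dataclass
class SearchArgs:
    """The search panel fields; every non-empty argument must match (AND)."""
    from_time: Optional[datetime] = None
    to_time: Optional[datetime] = None
    user: Optional[str] = None
    job: Optional[str] = None
    host: Optional[str] = None     # remote host name
    tag: Optional[str] = None
    pid: Optional[int] = None
    strings: Tuple[str, ...] = ()  # String 1..4
    case_sensitive: bool = False   # applies to the strings only
    max_hits: int = 5

def matches(rec: Record, args: SearchArgs) -> bool:
    if args.from_time and rec.when < args.from_time:
        return False
    if args.to_time and rec.when > args.to_time:
        return False
    for wanted, actual in ((args.user, rec.user), (args.job, rec.job),
                           (args.host, rec.host), (args.tag, rec.tag)):
        # userID, jobname, message tag and host name are always case insensitive
        if wanted is not None and (actual is None or actual.upper() != wanted.upper()):
            return False
    if args.pid is not None and rec.pid != args.pid:
        return False
    # Assumption: String 1..4 are matched against the whole record text.
    hay = rec.raw if args.case_sensitive else rec.raw.upper()
    return all((s if args.case_sensitive else s.upper()) in hay for s in args.strings)

def search(lines: Iterable[str], args: SearchArgs, year: int) -> List[Record]:
    """Scan records in order and stop once max_hits have matched."""
    hits: List[Record] = []
    for line in lines:
        rec = parse_record(line, year)
        if rec and matches(rec, args):
            hits.append(rec)
            if len(hits) >= args.max_hits:
                break
    return hits

# Constructed sample: three records adapted from the pagent.log shown above,
# plus one record logged without the -u fields and without a PID.
SAMPLE_LOG = [
    "Dec  9 00:01:10 MVS098/TCPCS PAGENT Pagent[13]: EVENT :006: policy_perf_get_sampling_data(): Obtained 2 policy performance data entries from the stack",
    "Dec  9 00:02:09 MVS098/TCPCS PAGENT Pagent[13]: SYSERR :008: pqos_recv_msg_from_listener: recv with peek failed, errno EDC8121I Connection reset., errno2 76650446",
    "Dec  9 00:02:09 MVS098/TCPCS PAGENT Pagent[13]: LOG :008: pqos_get_info_from_listeners: EZZ8775I PAGENT ON TCPCS CONNECTION NO LONGER ACTIVE TO 192.168.5.1..1700",
    "Dec  9 00:02:10 MVS098 syslogd: constructed record without userID, jobname, or PID",
]
```

Because the year is not in the record, a search that spans a year boundary must be split into two passes with different year values.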


Policy infrastructure management overview


Figure: the policy infrastructure on one LPAR. You start PAGENT, STACKA, and STACKB; PAGENT (START, MONITOR, STOP) starts and monitors IKED, NSSD, DMD, Syslogd, and the stack-specific TRMDA (for STACKA) and TRMDB (for STACKB), and installs policy into each stack. Inputs shown: the PAGENT configuration file, IKED configuration file, NSSD configuration file, DMD configuration file, Syslogd configuration file, the policy definition files, and the policy backing store file.

Policy backing store file: you define it with Configuration Assistant, you start and manage it with Policy Agent.

NLS-enabling
Configuration and policy definition files are NLS enabled in z/OS V1R11. Their content can be encoded in code pages other than IBM-1047.


Sample Policy Agent configuration for monitoring dependent functions

  AutoMonitorParms
  {
    MonitorInterval  10
    RetryLimitCount  5
    RetryLimitPeriod 600
  }
  AutoMonitorApps
  {
    AppName IKED
    {
      ProcName IKED
      JobName  IKED
      EnvVar   IKED_FILE=//'USER1.POLICY.PROD.MVS098(IKEDCONF)'
    }
    AppName SYSLOGD
    {
      ProcName   SYSLOGD
      JobName    SYSLOGD
      EnvVar     SYSLOGD_CONFIG_FILE=//'USER1.TCPCS.TCPPARMS(SYSLOGT)'
      StartParms -c -u -i
    }
    AppName TRMD
    {
      TcpImageName TCPCS
      {
        ProcName   TRMD
        JobName    TRMD1
        StartParms -p TCPCS
      }
    }
  }

The Configuration Assistant will generate the initial set of definitions. You may want to update file locations, etc.

Simplified JCL procedures for the policy infrastructure components


The cataloged procedure specified on the AutoMonitorApps statement must accept the following JCL keyword parameters:
Parameter   Description                        Value
PROG        Name of the executable program     Passed by Pagent: DMD, IKED, NSSD, SYSLOGD, or TRMD
VARS        Name of environment variable file  Temporary file name generated by pagent
PARMS       Start parameter string             String configured on AutoMonitorApps, or a null string

Sample JCL procedure in hlq.SEZAINST(POLPROC):

  //POLPROC  PROC PROG='',
  //         VARS='',
  //         PARMS=''
  //POLPROC  EXEC PGM=&PROG.,REGION=0K,TIME=NOLIMIT,
  //         PARM=('POSIX(ON) ALL31(ON)',
  //         'ENVAR("_CEE_ENVFILE=DD:VARS")',
  //         '/&PARMS.')
  //VARS     DD PATH='&VARS.',PATHOPTS=(ORDONLY)
  //STDENV   DD DUMMY
  //SYSPRINT DD SYSOUT=*,DCB=(RECFM=F,LRECL=80,BLKSIZE=80)
  //SYSIN    DD DUMMY
  //SYSERR   DD SYSOUT=*
  //SYSOUT   DD SYSOUT=*,DCB=(RECFM=F,LRECL=80,BLKSIZE=80)
  //CEEDUMP  DD SYSOUT=*,DCB=(RECFM=FB,LRECL=132,BLKSIZE=132)

Remember: started task user IDs are assigned based on the proc name (not the job name). If you need different started task user IDs, you need to copy POLPROC into multiple members with different names.

New Policy Agent console commands


You must use the new operator commands to start, stop, or restart monitored applications, so that Policy Agent can maintain their status.
For example, if you monitor IKED and issue a P IKED command, Policy Agent automatically restarts IKED.

Format of Policy Agent operator command for applications: F pagproc,MON,operation,application[,P=image]


  operation is START, STOP, or RESTART
  application is DMD, IKED, NSSD, SYSLOGD, TRMD, or ALL
  image is the TCP/IP stack name (for TRMD)

Example: F PAGENT,MON,STOP,IKED

Tip: Stop all monitored applications before stopping Policy Agent if you want to shut down the whole policy infrastructure.

  F PAGENT,MON,DISPLAY
  EZD1588I PAGENT MONITOR INFORMATION 142
  APPLICATION MONITORED JOBNAME  STATUS  TCP/IP STACK
  DMD         NO        N/A      N/A     N/A
  IKED        YES       IKED     ACTIVE  N/A
  NSSD        NO        N/A      N/A     N/A
  SYSLOGD     YES       SYSLOGD  ACTIVE  N/A
  TRMD        YES       TRMD1    ACTIVE  TCPCS


Extended policy UNIX command support


z/OS console
pasearch, trmdstat, nssctl, ipsec, and ping

z/OS NetView
pasearch, trmdstat, nssctl, ipsec, and ping

z/OS TSO
pasearch, trmdstat, nssctl, and ipsec

Generalized command interface: EZACMD

  EZACMD command-name command-options [MAX=nnn]


command-name
  One of the supported z/OS UNIX command names. The command name can be entered in any case.

command-options
  The z/OS UNIX command options, as documented for the z/OS UNIX commands. Options are case sensitive and must be entered in the required case.

MAX=nnn
  Optional maximum number of output lines. Default is 100, maximum is 64000.

EZACMD z/OS console support


The EZACMD command name and options must be entered in quotes to avoid having the input translated to upper-case
  16.06.59 %%ezacmd 'ping -v w3.ibm.com max=20'
  16.06.59 System REXX EZACMD: ping command - start - userID=USER1
  16.06.59 System REXX EZACMD: ping -v w3.ibm.com
  16.06.59 CS V1R11: Pinging host w3.ibm.com (9.17.137.11)
  16.06.59 with 256 bytes of ICMP data
  16.06.59 Ping #1 from 9.17.137.11: bytes=264 seq=1 ttl=242 time=66.17 ms
  16.06.59 Ping #2 from 9.17.137.11: bytes=264 seq=2 ttl=242 time=61.77 ms
  16.06.59 Ping #3 from 9.17.137.11: bytes=264 seq=3 ttl=242 time=61.06 ms
  16.06.59 Ping statistics for w3.ibm.com (9.17.137.11)
  16.06.59 Packets: Sent=3, Received=3, Lost=0 (0% loss)
  16.06.59 Approximate round trip times in milliseconds:
  16.06.59 Minimum=61.06 ms, Maximum=66.17 ms, Average=63.00 ms, StdDev=2.77 ms
  16.06.59 System REXX EZACMD: ping command - end - RC=0



EZACMD NetView support


Make EZACMD available to NetView
  Copy EZACMD to a REXX library that is used by NetView
  Concatenate tcpip.SEZAEXEC to the DSICLD DD name

Review your NetView security setup and understand which z/OS UNIX security credentials the UNIX commands will run under:
NetView SECOPTS.OPERSEC setting   _BPX_USERID passed to z/OS UNIX by EZACMD   z/OS UNIX command started under
SAFDEF                            NetView operator SAF user ID                NetView operator SAF user ID, UID, and GID
SAFCHECK                          NetView operator SAF user ID                NetView operator SAF user ID, UID, and GID
SAFPW                             NetView operator SAF user ID                NetView operator SAF user ID, UID, and GID
NETVPW                            NetView started task user ID                NetView started task SAF user ID, UID, and GID
MINIMAL                           NetView started task user ID                NetView started task SAF user ID, UID, and GID

To preserve the case of the entered arguments, prefix the EZACMD command with the NetView NETVASIS command
netvasis ezacmd ping -v w3.ibm.com max=20

Sample policy configuration

Figure: LPAR MVS098 running PAGENT, IKED, Syslogd, and the stacks TCPCS and TCPCS2 (with TRMDA1 and TRMDB1), and the data set flow used with Configuration Assistant to roll out new policy:

  Backing store:  hlq.POLICY.BACKSTOR.V1R11.MVS098
                  hlq.POLICY.BACKSTOR.V1R11.MVS098.LCK
  Prod:           hlq.POLICY.PROD.MVS098
                  hlq.POLICY.PROD.MVS098.TCPCS
                  hlq.POLICY.PROD.MVS098.TCPCS2
  Backout:        hlq.POLICY.BACKOUT.MVS098
                  hlq.POLICY.BACKOUT.MVS098.TCPCS
                  hlq.POLICY.BACKOUT.MVS098.TCPCS2
  Transfer:       hlq.POLICY.TRANSFER.MVS098
                  hlq.POLICY.TRANSFER.MVS098.TCPCS
                  hlq.POLICY.TRANSFER.MVS098.TCPCS2

Steps shown in the figure:
  1. Update the backing store file (Configuration Assistant)
  2. Generate and transfer new configuration data (to the Transfer data sets)
  3. Back up current production data (Prod to Backout)
  4. Place new data into production (Transfer to Prod)
  5. Issue the F PAGENT,REFRESH command


Application setup tasks - base location


Content of policy base locations after application setup tasks performed


Image PDS(E) library members

Component   Description
DMDCONF     DM configuration file
DMDPROC     DM JCL start procedure
DMDPROF     TCP/IP Profile sample IPSECURITY stmts.
IKEDCONF    IKE configuration file
IKEDPROC    IKE JCL start procedure
IMGPAG      Image PAGENT configuration file
IPSPROF     TCP/IP Profile sample IPSECURITY stmts.
PAGPROC     Pagent JCL start procedure
RDMD        DM RACF setup commands
RIKED       IKE RACF setup commands
RIPSEC      RACF setup commands for ipsec cmd.
RPAGENT     Pagent RACF setup commands
RPOLICY     RACF setup commands for Policy data import
RSYSLOGD    Syslogd RACF setup commands
RTRMD       TRMD RACF setup commands
SYSLOCONF   Snippets for Syslogd configuration file
SYSLOGD     Syslogd JCL start procedure

Stack PDS(E) library members

Component   Description
IDSPOL      IDS policy
IPSPOL      IPSec policy
QOSPOL      QoS policy
STKPAG      Stack Pagent configuration
TLSPOL      ATTLS policy
TRMDPROC    TRMD JCL procedure

Start PAGENT before any stacks are started
  Pagent will start SYSLOGD and other LPAR-wide components, such as IKED

When a stack is started, PAGENT notices it
  Pagent will then start the stack-specific TRMD
  Pagent will load all the relevant policies into that stack


Configuration Assistant for z/OS Communications Server

Configuration Assistant for z/OS V1R11 Communications Server is shipped with the z/OSMF product
  Runs on z/OS
  Accessed from a Web browser
  Support is via normal IBM support channels
  Same basic functions as the Windows-based version

The Windows-based standalone version remains available for z/OS V1R11, and can be downloaded from the web:
  Versions for z/OS V1R7, V1R8, V1R9, V1R10, and V1R11 are available for download
  http://www.ibm.com/support/docview.wss?rs=852&context=SSSN3L&dc=D400&uid=swg24013160&loc=en_US&cs=UTF8&lang=en&rss=ct852other
  Support is informal via a forum

Tired of that long URL above? Try this one instead: http://tinyurl.com/cgoqsa

Configuration Assistant in z/OSMF


Agenda
  Workshop introduction
  z/OS V1R11 Communications Server
    Application integration, data consolidation, and standards
    Availability and business resilience
    Scalability, performance, constraint relief, and accelerators
    Networking security
    Simplification and ease-of-use
    SNA and Enterprise Extender
    Virtualization
    Systems management and monitoring
  What does Web services mean to your z/OS networking environment
  Next generation Internet: IPv6
  Roadmap for SNA modernization
  Trends and direction

Disclaimer: All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an as is basis, without warranty of any kind.

SNA and EE

  HPR performance enhancements: progressive mode ARB
  HPR performance enhancements: path switch delay
  APPN topology database update enhancements
  Display potential model application name
  Provide ACF/TAP as part of z/OS Communications Server
  Include data space VIT with INOP dump
  Reduction in CSA requirements for RTP pipes
  EE IPSec performance improvements


Progressive Mode ARB implemented

Progressive Mode ARB is an adjustment to Responsive Mode ARB
  When ARB Slowdown messages are received, the amount of data awaiting acknowledgment is checked
  If the amount of data is small, Slowdown messages are treated as Restraints
  Slowdowns normally trigger transmission rate cuts; restraints do not

This solution is limited to one-hop HPR pipes over EE
  Includes a two-hop HPR pipe through a VRN

PTFs for OA26490 are available for prior releases
  Ensures that prior releases of VTAM don't regress to using Base Mode ARB when they see the new ARB mode bits set


Using Progressive Mode ARB

HPREEARB=PROGRESS can be specified in three major nodes
  On the PU in a Switched Major Node
  On the connection network GROUP in an XCA Major Node
  On the EE model PU in a Model Major Node

Issue Display NET,ID=rtp_pu to see the ARB mode being used:

  D NET,ID=CNR00004
  IST097I DISPLAY ACCEPTED
  IST075I NAME = CNR00004, TYPE = PU_T2.1
  . . .
  IST2267I RTP PACING ALGORITHM = ARB PROGRESSIVE MODE
  . . .


HPR path switch processing can be too sensitive

An HPR path switch is an effort to improve reliability
  However, at times the HPR path switch logic is too sensitive
  Transient network conditions cause temporary swings in round trip time (RTT), which can cause a path switch
  In such cases HPR often path switches back to the same route
  Consumes processor cycles and produces unwanted messages

Unresponsive partner example:
  CP-CP RTP pipe enters path switch after three unsuccessful retries
  Minimum SRQ timer value is 250 ms
  CP-CP pipe can enter path switch in roughly one second

New controls will allow you to specify an HPR path switch delay value
  Specifies the minimum amount of time a z/OS CS RTP endpoint must wait before initiating a path switch due to an unresponsive partner
  Does not control path switches initiated due to a TG INOP, a MODIFY RTP command, or the PSRETRY function

Solution is available for all RTP pipes with endpoints in this z/OS CS node
  Only controls the path switch logic on this side of the pipe
  Path switch delay value is not negotiated with the RTP partner

How to specify the delay time for HPR path switches

New start option (HPRPSDLY) specifies the time to wait; defaults to zero (no delay in starting a path switch):
  HPRPSDLY=ps_delay

HPRPSDLY can also be specified in three major nodes
  On the PU in a Switched Major Node
  On the connection network GROUP in an XCA Major Node
  On the EE model PU in a Model Major Node

  MMNEEA1  VBUILD TYPE=MODEL
  EEMODEL  PU     CPCP=YES,
                  HPRPSDLY=ps_delay,
                  DISCNT=NO,
                  DYNTYPE=EE


Allow VTAM to calculate the delay value for EE connections

Specify HPRPSDLY=EEDELAY to allow VTAM to calculate the proper time delay value:

  MMNEEA1  VBUILD TYPE=MODEL
  EEMODEL  PU     CPCP=YES,
                  HPRPSDLY=EEDELAY,
                  DISCNT=NO,
                  DYNTYPE=EE

Display NET,ID=rtp_pu,HPRDIAG=YES to see the calculated path switch delay value:

  D NET,ID=CNR00004,HPRDIAG=YES
  IST097I DISPLAY ACCEPTED
  IST075I NAME = CNR00004, TYPE = PU_T2.1
  . . .
  IST924I ------------------------
  IST1984I PATH SWITCH INFORMATION:
  IST2271I PATH SWITCH DELAY = 90

Wrong model APPL definition can be used

Customers use model APPL definitions to reduce definition requirements
Sometimes, a different model APPL definition is used than is expected
  Intended definition is not active
  Overlap between model definitions

Which model best fits APPL1?

  APPLMOD2 VBUILD TYPE=APPL
  APPL*    APPL   AUTH=(PASS,ACQ)
  APPL?*   APPL   AUTH=(PASS,ACQ)
  APP?1    APPL   AUTH=(PASS,ACQ)
  APP??    APPL   AUTH=(PASS,ACQ)
  A?PL*    APPL   AUTH=(PASS,ACQ)


Enhance DISPLAY MODELS command for APPL models

Added the APPL keyword to the DISPLAY MODELS command. Display NET,MODELS,APPL to see which model APPL is the best match:

  D NET,MODELS,APPL=appl1
  IST097I DISPLAY ACCEPTED
  IST350I DISPLAY TYPE = MODELS
  IST2302I MODEL APPL?* IS THE BEST ACTIVE MATCH FOR APPL1
  IST314I END

Can display situations when there is no matching model:

  D NET,MODELS,APPL=appl1
  IST097I DISPLAY ACCEPTED
  IST350I DISPLAY TYPE = MODELS
  IST2303I THERE IS NO ACTIVE MODEL MATCH FOR APPL1
  IST2304I APPL1 ALREADY EXISTS, TYPE = APPL
  IST314I END

ACF/TAP provided as part of z/OS Communications Server

ACF/TAP (Trace Analysis Program), previously delivered as part of NCP/SSP, provides good formatting and analysis of VTAM buffer traces
VTAM will now provide ACF/TAP to allow customers to use ACF/TAP and debug their problems
  No need to obtain an SSP license just to use ACF/TAP
  Same level of functionality provided

New book added to the z/OS Communications Server library: z/OS V1R11 Communications Server: SNA ACF/TAP Trace Analysis Handbook (GC23-858800)

Data space VIT automatically collected with VTAM INOP dumps

VTAM Internal Trace (VIT) table: 100-999 4K pages in ECSA
Data space VIT table: 10-50 megabytes in the ISTITDS1 data space

Number of VIT records preserved
  999-page ECSA VIT: 127,872 VIT records
  50-megabyte data space VIT: 1,638,400 VIT records

VTAM INOP dumps
  Taken automatically for certain inoperative conditions
  Controlled by the modifiable INOPDUMP start option

VTAM will now include the data space VIT in INOP dumps
  Reduces the need for re-creates due to insufficient trace information
  No externals to activate the function


Topology Database Update (TDU) wars can be challenging to diagnose

Continuing improvements to APPN topology component processing have slightly increased the possibility of TDU wars
Determining which APPN nodes are at fault is not always easy
  A node undergoing performance degradation might be an innocent victim, not the perpetrator

Figure: an APPN network of five network nodes, CP1 through CP5 (all NN). CP4 and CP5 are engaged in a TDU war; the symptom is that CP1 performance is affected.


Enhance topology updates to identify the node updating a resource

Define the Topology Resource Sequence Number Update (x4E) control vector on TDU flows
  Can be appended to any TDU that contains a node update or TG update
  Can identify the last two nodes that generated updates about this resource

New start option available to control when the control vector is included
  Specify ALWAYS to include it on all TDU flows
  Specify NEVER to exclude it from all TDU flows
  Specify resource_threshold to include x4E only if the RSN is updated that often within a 24-hour interval

  TDUDIAG=1000


Partner-specific handling of unknown topology vectors

VTAM will now send unknown vectors to adjacent nodes that support them, even if one adjacent partner does not
For example, CP2 wants to broadcast a TDU with the new CV x4E TDU War information

Figure: CP2 (NN) is adjacent to CP1 (a VM or VSE node) and to CP3, CP4, and CP5 (NN). Only CP1 does not get the new topology information; the rest of the APPN network is aware of the TDU updates.


EE IPSec performance improvements

Improved performance for EE over IPSec
  The bursty nature of HPR traffic can cause significant performance degradation when it is carried over IPSec tunnels
  Smaller bursts frequently get encrypted and sent before larger bursts. This results in out-of-order segments that are dropped at the other end of the IPSec tunnel, forcing retransmits.
  Primarily observed for streaming traffic over EE
  Very large volumes of SNA interactive traffic (such as tens of thousands of sessions, which may appear similar to bulk data traffic) are likely to see issues too
  V1R11 breaks large bursts into batches of smaller bursts
  PTFed back to z/OS V1R10: APAR PK93190
  z/OS V1R10 IPSec performance in general is significantly better than z/OS V1R9; with the PTF applied, those general performance benefits will also be available for EE traffic over IPSec

Improved support for EE over IPSec when IPSec processing is offloaded to a zIIP
  Support for offloading outbound EE over IPSec traffic to a zIIP processor. Previously only inbound EE over IPSec traffic was processed on the zIIP.

Protecting both interactive and streaming EE workload with IPSec is now fully recommended

EE over IPSec preliminary performance impacts

Chart: 1 bulk session retrieving 20MB; General CPU Consumption (CPU milliseconds per MByte, scale 0-30) and Raw Throughput (MBytes per second, scale 0-120) for No IPSEC, IPSEC - base, and IPSEC - PK93190.

Test did not include the benefits of zIIP. With zI IP, the amount of general CPU resources used for EE over IPSec is expected to drop significantly.

With PK93190
  Networking CPU is reduced from a 466% increase to a 242% increase compared to non-secure
  Throughput rate reduction improves from a 95% decrease to a 27% decrease compared to non-secure

Note: The performance measurements discussed in this presentation are preliminary z/OS V1R11 Communications Server numbers and were collected using a dedicated system environment. The results obtained in other configurations or operating system environments may vary.



Virtualization
  QDIO enhancements for WLM IO priority
  QDIO support for OSA interface isolation
  OSA-Express optimized latency mode
  Review status of OSA segmentation offload
  Review OSA-E3 channel path and port topology


QDIO enhancements for WLM IO priority

Basic principle is that if QoS policies are active, they will determine which priority queue to use.

Figure: an application's outbound traffic is classified first by QoS policy (optional TOS, mapped through the TCPIP profile's SetSubnetPrioTosMask) and otherwise by the WLM service class importance level (SCIL) through WLMPRIORITYQ; the result selects one of the OSA QDIO outbound priority queues Q1, Q2, Q3, or Q4.

Use the workload objective of application address spaces to select the QDIO outbound priority queue.

  WLMPRIORITYQ

  SetSubnetPrioTosMask
  {
    SubnetTosMask        11100000
    PriorityTosMapping 1 11100000
    PriorityTosMapping 1 11000000
    PriorityTosMapping 1 10100000
    PriorityTosMapping 1 10000000
    PriorityTosMapping 2 01100000
    PriorityTosMapping 2 01000000
    PriorityTosMapping 3 00100000
    PriorityTosMapping 4 00000000
  }


The default QDIO priority queue mapping

WLM service class                      TCP/IP assigned control value   GLOBALCONFIG WLMPRIORITYQ   Default QDIO queue mapping
SYSTEM                                 n/a                                                         Always queue 1
SYSSTC                                 0                               IOPRI1 0                    Queue 1
User-defined with IL 1                 1                               IOPRI2 1                    Queue 2
User-defined with IL 2                 2                               IOPRI3 2 3                  Queue 3
User-defined with IL 3                 3                                                           Queue 3
User-defined with IL 4                 4                               IOPRI4 4 5 6 FWD            Queue 4
User-defined with IL 5                 5                                                           Queue 4
User-defined with discretionary goal   6                                                           Queue 4

FWD indicates forwarded (or routed) traffic, which by default will use QDIO priority queue 4
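As an added example (not code from the presentation), the following Python reproduces the queue selection the two slides above describe: when QoS policy is active, the ToS byte is mapped through SetSubnetPrioTosMask; otherwise the WLM control value is mapped through GLOBALCONFIG WLMPRIORITYQ IOPRIn, using the default table above. The function and constant names are this example's own, and the fallback for a ToS value with no PriorityTosMapping entry is an assumption.

```python
"""Select the QDIO outbound priority queue for outbound traffic.

Added example, not from the IBM presentation. It encodes the rule the slide
states: an active QoS policy (ToS byte mapped through SetSubnetPrioTosMask)
decides the queue; otherwise the WLM service class importance level is
mapped through GLOBALCONFIG WLMPRIORITYQ IOPRIn.
"""
from typing import Dict, List, Optional, Set, Tuple, Union

# Control value TCP/IP assigns per WLM service class (the slide's table).
# SYSTEM has no control value: it always goes to queue 1.
CONTROL_VALUE: Dict[str, Optional[Union[int, str]]] = {
    "SYSTEM": None, "SYSSTC": 0, "IL1": 1, "IL2": 2, "IL3": 3,
    "IL4": 4, "IL5": 5, "DISCRETIONARY": 6, "FWD": "FWD",
}

# Default WLMPRIORITYQ: IOPRI1 0 IOPRI2 1 IOPRI3 2 3 IOPRI4 4 5 6 FWD
DEFAULT_IOPRI: Dict[int, Set[Union[int, str]]] = {
    1: {0}, 2: {1}, 3: {2, 3}, 4: {4, 5, 6, "FWD"},
}

def parse_wlmpriorityq(stmt: str) -> Dict[int, Set[Union[int, str]]]:
    """Parse 'WLMPRIORITYQ IOPRI1 0 IOPRI2 1 ...' into {queue: {control values}}."""
    iopri: Dict[int, Set[Union[int, str]]] = {}
    queue = None
    for tok in stmt.upper().split():
        if tok in ("GLOBALCONFIG", "WLMPRIORITYQ"):
            continue
        if tok.startswith("IOPRI"):
            queue = int(tok[5:])
            iopri[queue] = set()
        elif queue is None:
            raise ValueError(f"control value {tok} before any IOPRIn keyword")
        else:
            iopri[queue].add("FWD" if tok == "FWD" else int(tok))
    return iopri

def parse_tos_mask(block: str) -> Tuple[int, List[Tuple[int, int]]]:
    """Parse a SetSubnetPrioTosMask block into (mask, [(queue, tos bits)])."""
    mask = None
    mappings: List[Tuple[int, int]] = []
    for line in block.splitlines():
        parts = line.split()
        if parts[:1] == ["SubnetTosMask"]:
            mask = int(parts[1], 2)
        elif parts[:1] == ["PriorityTosMapping"]:
            mappings.append((int(parts[1]), int(parts[2], 2)))
    if mask is None:
        raise ValueError("SubnetTosMask missing")
    return mask, mappings

def tos_queue(tos: int, mask: int, mappings: List[Tuple[int, int]]) -> Optional[int]:
    """Queue chosen by QoS for this ToS byte, or None if no mapping covers it."""
    masked = tos & mask
    for queue, bits in mappings:
        if masked == (bits & mask):
            return queue
    return None

def wlm_queue(workload: str, iopri: Dict[int, Set[Union[int, str]]] = DEFAULT_IOPRI) -> int:
    """Queue from the WLM class: SYSTEM, SYSSTC, IL1..IL5, DISCRETIONARY, or FWD."""
    cv = CONTROL_VALUE[workload.upper()]
    if cv is None:
        return 1                      # SYSTEM is always queue 1
    for queue, values in sorted(iopri.items()):
        if cv in values:
            return queue
    raise ValueError(f"control value {cv} is not assigned to any IOPRIn")

def select_queue(workload: str, tos: int, qos_active: bool,
                 mask: int, mappings: List[Tuple[int, int]],
                 iopri: Dict[int, Set[Union[int, str]]] = DEFAULT_IOPRI) -> int:
    """QoS policy, when active and matching, wins; otherwise WLMPRIORITYQ."""
    if qos_active:
        q = tos_queue(tos, mask, mappings)
        if q is not None:
            return q
    # Assumption: a ToS byte with no PriorityTosMapping falls back to the WLM mapping.
    return wlm_queue(workload, iopri)

# The SetSubnetPrioTosMask block from the slide (copied here as constructed input).
TOS_BLOCK = """SetSubnetPrioTosMask
{
  SubnetTosMask        11100000
  PriorityTosMapping 1 11100000
  PriorityTosMapping 1 11000000
  PriorityTosMapping 1 10100000
  PriorityTosMapping 1 10000000
  PriorityTosMapping 2 01100000
  PriorityTosMapping 2 01000000
  PriorityTosMapping 3 00100000
  PriorityTosMapping 4 00000000
}"""
```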

Which QDIO priority queues are being used?


From Display tcpip,,n,devlinks:

  DEVNAME: NSQDIO1    DEVTYPE: MPCIPA     DEVSTATUS: READY
  LNKNAME: LNSQDIO1   LNKTYPE: IPAQENET   LNKSTATUS: READY
  SPEED: 0000001000

From VTAMLST MACLIB:

  NSQDIO11 TRLE  LNCTL=MPC,              This is your TRLE name
                 MPCLEVEL=QDIO,
                 READ=(0E28),
                 WRITE=(0E29),
                 DATAPATH=(0E2A,0E2B),
                 PORTNAME=(NSQDIO1,0)

Match the TCP/IP DEVNAME with the PORTNAME in your TRLE VTAM definitions.

  d net,trl,trle=NSQDIO11
  .
  IST1802I P1 CURRENT = 25 AVERAGE = 51 MAXIMUM = 116
  IST1802I P2 CURRENT = 0  AVERAGE = 0  MAXIMUM = 0
  IST1802I P3 CURRENT = 0  AVERAGE = 0  MAXIMUM = 0
  IST1802I P4 CURRENT = 0  AVERAGE = 0  MAXIMUM = 0


Example of enabling WLMPRIORITYQ


VTAM TNSTATS before enabling WLMPRIORITYQ

  IST1233I DEV = 2E02 DIR = WR/1
  ..
  IST1236I BYTECNTO = 0 BYTECNT = 72
  IST1810I PKTIQDO = 0 PKTIQD = 0
  IST1811I BYTIQDO = 0 BYTIQD = 0
  IST924I ---------------------------------------------
  IST1233I DEV = 2E02 DIR = WR/2
  ..
  IST1236I BYTECNTO = 0 BYTECNT = 0
  IST1810I PKTIQDO = 0 PKTIQD = 0
  IST1811I BYTIQDO = 0 BYTIQD = 0
  IST924I ---------------------------------------------
  IST1233I DEV = 2E02 DIR = WR/3
  ..
  IST1236I BYTECNTO = 0 BYTECNT = 0
  IST1810I PKTIQDO = 0 PKTIQD = 0
  IST1811I BYTIQDO = 0 BYTIQD = 0
  IST924I ---------------------------------------------
  IST1233I DEV = 2E02 DIR = WR/4
  ..
  IST1236I BYTECNTO = 0 BYTECNT = 34738
  IST1810I PKTIQDO = 0 PKTIQD = 0
  IST1811I BYTIQDO = 0 BYTIQD = 0

VTAM TNSTATS after enabling WLMPRIORITYQ with defaults

  IST1233I DEV = 2E02 DIR = WR/1
  ..
  IST1236I BYTECNTO = 0 BYTECNT = 1552
  IST1810I PKTIQDO = 0 PKTIQD = 0
  IST1811I BYTIQDO = 0 BYTIQD = 0
  IST924I ---------------------------------------------
  IST1233I DEV = 2E02 DIR = WR/2
  ..
  IST1236I BYTECNTO = 0 BYTECNT = 55421
  IST1810I PKTIQDO = 0 PKTIQD = 0
  IST1811I BYTIQDO = 0 BYTIQD = 0
  IST924I ---------------------------------------------
  IST1233I DEV = 2E02 DIR = WR/3
  ..
  IST1236I BYTECNTO = 0 BYTECNT = 0
  IST1810I PKTIQDO = 0 PKTIQD = 0
  IST1811I BYTIQDO = 0 BYTIQD = 0
  IST924I ---------------------------------------------
  IST1233I DEV = 2E02 DIR = WR/4
  ..
  IST1236I BYTECNTO = 0 BYTECNT = 90411
  IST1810I PKTIQDO = 0 PKTIQD = 0
  IST1811I BYTIQDO = 0 BYTIQD = 0


OSA interface isolation

New function added to the OSA adapter
  z/OS Communications Server adds support for this new function in z/OS V1R11

Allow customers to disable shared OSA local routing functions
  ISOLATE/NOISOLATE option on the QDIO network interface definition
  OSA local routing can in some scenarios be seen as a security exposure
  Depends on an OSA MCL update

Be careful using ISOLATE if you use OSPF and share a subnet between stacks that share an OSA port. If you enable ISOLATE, packets with a next-hop IP address of another stack that shares the OSA port will be discarded.

Figure: LPAR1 (IP@1) and LPAR2 (IP@2) share one OSA port; a router or switch (optionally with access rules) with IP@3 sits on the network. Traffic from LPAR1 with next hop IP@2 is routed locally by the shared OSA, while traffic with next hop IP@3 leaves through the router or switch.


OSA-Express optimized latency mode (OLM)

OSA-Express3 has significantly better latency characteristics than OSA-Express2. The z/OS software and OSA microcode can further reduce latency:
  If z/OS Communications Server knows that latency is the most critical factor
  If z/OS Communications Server knows that the traffic pattern is not streaming bulk data

Inbound
  OSA-Express signals the host if data is on its way (Early Interrupt)
  Host looks more frequently for data from OSA-Express

Outbound
  OSA-Express does not wait for SIGA to look for outbound data (SIGA reduction)

Will be enabled via PTFs for z/OS V1R11
  PK90205 (PTF UK49041) and OA29634 (UA49172)

Figure: request/response path between an application client and an application server, each behind a TCP/IP stack and an OSA: the request leaves the client side with a SIGA-write and arrives on the server side via PCI; the response returns the same way (SIGA-write, PCI).


Preliminary performance indications of OLM for interactive workload

Environment: z10 (4 CP LPARs), z/OS V1R11, OSA-E3 on both sides (client TCP/IP and OSA-E3, server TCP/IP and OSA-E3). Client and server have close to no application logic.

Workloads measured, Base versus with OLM:
  RR1: 1 session, 1 byte in, 1 byte out
  RR20: 20 sessions, 128 bytes in, 1024 bytes out
  RR40: 40 sessions, 128 bytes in, 1024 bytes out
  RR80: 80 sessions, 128 bytes in, 1024 bytes out
  RR20/60: 80 sessions, mix of 100/128 bytes in and 800/1024 bytes out

[Chart 1: end-to-end latency (response time) in microseconds, y-axis 0 to 1200, for RR1, RR20, RR40, RR80 and RR20/60, Base versus W. OLM.]
[Chart 2: transaction rate in transactions per second, y-axis 0 to 140000, for the same workloads, Base versus W. OLM.]

Note: The performance measurements discussed in this presentation are preliminary z/OS V1R11 Communications Server numbers and were collected using a dedicated system environment. The results obtained in other configurations or operating system environments may vary.


Enabling OLM on an OSA-E3 interface

INTERFACE NSQDIO411 DEFINE IPAQENET
  IPADDR 172.16.11.1/24
  PORTNAME NSQDIO1
  MTU 1492
  VMAC
  OLM
  INBPERF MINCPU (overridden: OLM forces INBPERF DYNAMIC)
  SOURCEVIPAINTERFACE LVIPA1

INTERFACE NSQDIO412 DEFINE IPAQENET6
  IPADDR 2001:0DB8:1:9:67:115:66
  PORTNAME NSQDIO1
  MTU 1492
  VMAC
  NOOLM
  SOURCEVIPAINTERFACE LVIPA2

How do you know OLM is working?
  Enable tuning statistics for the OSA-Express3 device
  Look for messages 2316I and 2317I to be non-zero
  Look for outbound traffic on queue 1
  If not, verify WLMPRIORITYQ and SETSUBNETPRIOTOSMASK

New OLM parameter
  IPAQENET and IPAQENET6; not allowed on DEVICE/LINK
  Enables optimized latency mode for this INTERFACE only
  Forces INBPERF to DYNAMIC
  Default NOOLM
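The "is OLM working?" procedure above, and the before/after TNSTATS comparison for WLMPRIORITYQ earlier in this section, both come down to reading the per-queue byte counts out of the VTAM tuning statistics. The following is an added example, not code from the deck or from IBM: it parses the IST1233I/IST1236I message pairs shown on the slides (embedded here as constructed sample input) into a per-write-queue byte map and applies a constructed heuristic for "traffic is being spread across priority queues". It does not handle the IST2316I/IST2317I messages the slide mentions, whose fields are not shown on the page.

```python
import re
from typing import Dict, List

# Constructed sample input: the VTAM TNSTATS lines from the slides, one message
# per line, captured before and after WLMPRIORITYQ was enabled. BYTECNT is the
# interval byte count for the write queue named in the preceding IST1233I
# message (DIR = WR/n). Unrelated messages are kept so the parser has to skip them.
TNSTATS_BEFORE = """\
IST1233I DEV = 2E02 DIR = WR/1 ..
IST1236I BYTECNTO = 0 BYTECNT = 72
IST1810I PKTIQDO = 0 PKTIQD = 0
IST1811I BYTIQDO = 0 BYTIQD = 0
IST924I --------------------------------------------
IST1233I DEV = 2E02 DIR = WR/2 ..
IST1236I BYTECNTO = 0 BYTECNT = 0
IST1233I DEV = 2E02 DIR = WR/3 ..
IST1236I BYTECNTO = 0 BYTECNT = 0
IST1233I DEV = 2E02 DIR = WR/4 ..
IST1236I BYTECNTO = 0 BYTECNT = 34738
"""

TNSTATS_AFTER = """\
IST1233I DEV = 2E02 DIR = WR/1 ..
IST1236I BYTECNTO = 0 BYTECNT = 1552
IST1233I DEV = 2E02 DIR = WR/2 ..
IST1236I BYTECNTO = 0 BYTECNT = 55421
IST1233I DEV = 2E02 DIR = WR/3 ..
IST1236I BYTECNTO = 0 BYTECNT = 0
IST1233I DEV = 2E02 DIR = WR/4 ..
IST1236I BYTECNTO = 0 BYTECNT = 90411
"""

QUEUE_RE = re.compile(r"IST1233I\s+DEV\s*=\s*(\w+)\s+DIR\s*=\s*(RD|WR)/(\d+)")
BYTES_RE = re.compile(r"IST1236I\s+BYTECNTO\s*=\s*(\d+)\s+BYTECNT\s*=\s*(\d+)")


def write_queue_bytes(tnstats: str) -> Dict[int, int]:
    """Map each outbound (WR/n) queue number to the BYTECNT of the interval."""
    counts: Dict[int, int] = {}
    current = None  # (device, direction, queue) from the last IST1233I line
    for line in tnstats.splitlines():
        queue_match = QUEUE_RE.search(line)
        if queue_match:
            current = (queue_match.group(1), queue_match.group(2), int(queue_match.group(3)))
            continue
        bytes_match = BYTES_RE.search(line)
        if bytes_match and current and current[1] == "WR":
            counts[current[2]] = int(bytes_match.group(2))
            current = None  # one BYTECNT per IST1233I block
    return counts


def queues_carrying_traffic(tnstats: str) -> List[int]:
    return sorted(q for q, n in write_queue_bytes(tnstats).items() if n > 0)


def priority_queuing_observed(tnstats: str, min_bytes: int = 1000) -> bool:
    """Constructed heuristic, not an IBM rule: WLMPRIORITYQ is visibly steering
    traffic when more than one write queue carries a non-trivial byte count. If
    everything still lands on a single queue, check WLMPRIORITYQ and
    SETSUBNETPRIOTOSMASK as the slide suggests."""
    busy = [q for q, n in write_queue_bytes(tnstats).items() if n >= min_bytes]
    return len(busy) > 1


if __name__ == "__main__":
    for label, sample in (("before", TNSTATS_BEFORE), ("after", TNSTATS_AFTER)):
        print(label, write_queue_bytes(sample), "priority queuing:", priority_queuing_observed(sample))
```

On the slide's own numbers the "before" capture has queue 4 carrying almost everything, while the "after" capture shows bytes on queues 1, 2 and 4, which is what the slide tells you to look for.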


Restrictions for use of OLM

Concurrent interfaces to an OSA-Express port using OLM are limited to four
  If one or more interfaces operate in OLM, only four total interfaces are allowed
  All four interfaces can operate in OLM
  An interface can be:
    Another LPAR using the OSA-Express port
    Another VLAN defined for this OSA-Express port
    Another protocol (IPv4 or IPv6) interface defined for this OSA-Express port
    Another stack on the same LPAR using the OSA-Express port
    Any stack activating the OSA-Express Network Traffic Analyzer (OSAENTA)

QDIO Accelerator or HiperSockets Accelerator will not accelerate traffic to or from an OSA-Express operating in OLM

OSA-Express segmentation offload (large send) - update

For 2097 and 2098 systems (z10)
  For OSA-Express2 customers, required code levels are:
    Driver-73: segmentation offload not currently supported
    or Driver-76: EC Level N10953 (HYNET3X) MCL001
  For OSA-Express3 customers:
    Driver-73: EC Level F85897 (HYNETST) MCL010
    or Driver-76: EC Level N10959 (HYNETST) MCL001

For 2094 and 2096 systems (z9)
  OSA-Express2 cards: Driver-67 EC Level G40946 (HYNET3X) MCL007

For 2084 and 2086 systems (z990 and z890)
  OSA-Express2 cards: Driver-55 EC Level J13476 (HYNET3X) MCL023

z/OS V1R9 Communications Server
  APAR PK47376 - PTF UK26977
  APAR PK56723 - PTF UK32713
  APAR PK64756 - PTF UK37435

z/OS V1R10 Communications Server
  APAR PK64756 - PTF UK37433

z/OS V1R11 Communications Server
  No additional PTFs

Proceed with caution!



z/OS V1R10 segmentation offload performance measurements on a z10

[Three charts, one each for OSA-Express3 1Gb, OSA-Express3 10Gb and OSA-Express2 1Gb: percentage change relative to no segmentation offload (y-axis from -50 to +10) in CPU cost and throughput for the RR, CRR and STR workloads. Send buffer size: 180K for the streaming workload.]

Segmentation offload is generally considered safe to enable at this point in time. Please always check the latest PSP buckets for OSA driver levels.

Segmentation offload may significantly reduce CPU cycles when sending bulk data from z/OS.

Note: The performance measurements discussed in this presentation were collected using a dedicated system environment. The results obtained in other configurations or operating system environments may vary.

OSA-E2 and OSA-E3 1GbE port structure

[Figure: an OSA-Express2 adapter with two CHPIDs (0A and 0B) and one port per CHPID: TCP/IP OSAE200 (10.1.1.1), VTAM TRLE OSAE200, z/OS devices E200-E203 on port 0 of one CHPID; TCP/IP OSA2D80 (10.2.1.1), VTAM TRLE OSA2D80, z/OS devices 2D80-2D83 on port 0 of the other. An OSA-Express3 adapter with two CHPIDs and two ports per CHPID: one CHPID carries OSAE200 (10.1.1.1, devices E200-E203) on port 0 and OSAE204 (10.2.1.1, devices E204-E207) on port 1; the other carries OSAE300 (10.3.1.1, devices E300-E303) on port 0 and OSAE304 (10.4.1.1, devices E304-E307) on port 1.]

OSA-Express2 1GbE adapter
  Two LAN ports per OSA-E2 adapter
  Two Channel Path IDs (CHPIDs)
  One LAN port per CHPID
  PORTNAMEs must be unique per LPAR and the same on all LPARs that share the port

OSA-Express3 1GbE adapter
  Four LAN ports per OSA-E3 adapter
  Two Channel Path IDs (CHPIDs)
  Two LAN ports per CHPID
  No IOCP changes are required
  Maybe more device numbers will be needed
  New TRLE PORTNUM keyword: PORTNUM = 0 or 1
  PORTNAMEs for each port on a CHPID must be unique, in addition to the rules for OSA-E2
  Enhanced "transparent error handling"


OSA-E3 dual port support by z/OS CS

Transparent error handling
Prior to this support, if one packet within a QDIO read operation was in error, all packets within that entire read operation were discarded as part of error handling. With the new transparent error handling of OSA-Express3, individual packets with errors are marked as invalid, and z/OS Communications Server later discards the packets that are marked as invalid. This reduces the number of unnecessary retransmissions, which improves overall I/O efficiency.
To support the new "transparent error handling" function:
  Available with z/OS V1R10
  z/OS V1R9: PTF UA37872
  z/OS V1R8: PTF UA37871

Without specific z/OS CS support, only the two port 0 ports on an OSA-E3 adapter can be used (one port 0 per CHPID)

Support for both port 0 and port 1 (the ability to configure PORTNUM in the TRLE)
  Available with z/OS V1R10
  z/OS V1R9: APAR OA25548 (PTF UA42717)
  z/OS V1R8: APAR OA25548 (PTF UA42716)

OSAE200T TRLE LNCTL=MPC,
              MPCLEVEL=QDIO,
              READ=(E200),
              WRITE=(E201),
              DATAPATH=(E202,E203),
              PORTNAME=OSAE200,
              PORTNUM=0

Agenda
  Workshop introduction
  z/OS V1R11 Communications Server
    Application integration, data consolidation, and standards
    Availability and business resilience
    Scalability, performance, constraint relief, and accelerators
    Networking security
    Simplification and ease-of-use
    SNA and Enterprise Extender
    Virtualization
    Systems management and monitoring
  What does Web services mean to your z/OS networking environment
  Next generation Internet: IPv6
  Roadmap for SNA modernization
  Trends and direction

Disclaimer: All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an as is basis, without warranty of any kind.

System management and monitoring
  Network management interface enhancements - sysplex networking data
  Network management interface enhancements - stack configuration data
  Network management interface enhancements - OSA Network Traffic Analyzer data
  Network management interface enhancements - detailed CSM usage
  Verbose ping
  Netstat status display enhancements
  Add time stamps to resolver trace
  IBM migration health checker for z/OS RFC4301 compliance
  IBM migration health checker for DNS usage

Network Management Interface (NMI) has multiple variations
  The TCP/IP callable NMI (EZBNMIFR) provides a high-speed, low-overhead callable interface for applications to access TCP/IP stack information
  The packet and data trace formatting NMI (EZBCTAPI) provides a mechanism to collect real-time TCP/IP trace information
  The real-time TCP/IP network monitoring NMI can collect SMF records (SYSTCPSM) and trace records (SYSTCPDA) in real time
  The SNA network monitoring NMI provides a mechanism to collect information about Common Storage Manager (CSM) usage

NMI introduced in V1R5


TCP/IP callable NMI now provides sysplex networking data
Five new requests for the TCP/IP callable NMI provide sysplex networking data:
  Obtain information about all TCP/IP stacks in the same sysplex as the target stack processing the NMI request
  Obtain a list of all Dynamic VIPAs (DVIPAs) known to a target TCP/IP stack
  Obtain all DVIPA port distribution information from the destination port table
  Obtain information about the routes defined by a VIPAROUTE substatement
  Obtain all DVIPA connections from the connection table

Same data that is available using SNMP or Netstat

Target stack must be part of a sysplex group for the NMI request to succeed
  Exception is the request for all DVIPAs known to the target stack

TCP/IP configuration data available using SMF recording
New SMF 119 record (subtype 4) contains TCP/IP configuration data
  Created at stack initialization
  Created when a VARY TCPIP,,OBEYFILE command is issued to change the stack configuration
    Only contains sections whose configuration data changed
    Application must compare old to new SMF records to identify changes

SMF 119 record contents and attributes
  Contains normal SMF header and TCP/IP identification section
  Contains a maximum of 20 different sections of configuration data
  Only supports configuration data from profile statements
    No support for dynamically-created interfaces or IP addresses
  SMF record data can span multiple buffers


TCP/IP configuration data available across NMI

The TCP/IP callable NMI interface, EZBNMIFR, can be used to acquire TCP/IP configuration data:
  Returns a maximum of 20 different sections of configuration data
  Returns current configuration values, which can be an accumulation of many configuration updates

SMF subtype 4 records can be collected using the real-time network monitoring NMI


Use SMF and NMI together to monitor configuration updates

[Figure: the TCP/IP stack and the TCP/IP configuration task feed the MVS SMF data sets and the SMFSERVICE task (SYSTCPSM). The application issues an NMI request to the stack, connects to SYSTCPSM, and receives SMF records.]

Use an NMI request to obtain the complete set of initial or current configuration data
Collect SMF 119 records to monitor configuration changes
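The monitoring pattern on the last few slides (fetch the complete configuration once over the NMI, then fold each SMF 119 subtype 4 record into it, remembering that a record after an OBEYFILE carries only the sections that changed and that record data can span several buffers) is shown below as an added example. It is not IBM code: the real record is a binary SMF record whose layout is documented in the z/OS Communications Server IP Programmer's Guide and Reference, whereas here a record is a JSON object behind a constructed 2-byte length prefix, and the section names and values (TCPCONFIG, IPCONFIG, PORT) are constructed so that the diff and the buffer reassembly can be exercised.

```python
import json
import struct
from typing import Any, Dict, Iterable, List, Tuple

Section = Dict[str, Any]
Config = Dict[str, Section]
Change = Tuple[str, str, Any, Any]   # (section, key, old value, new value)

# Constructed baseline: the complete configuration an application fetches once
# with the EZBNMIFR configuration request. Section names echo the profile
# statements they describe; the contents are made up for the example.
BASELINE: Config = {
    "TCPCONFIG": {"TTLS": "NO", "RESTRICTLOWPORTS": "YES"},
    "IPCONFIG": {"IPSECURITY": "NO", "DATAGRAMFWD": "NO"},
    "PORT": {"21": "FTPD1", "23": "TN3270"},
}

# Constructed subtype 4 record written after VARY TCPIP,,OBEYFILE: only the
# sections whose data changed are present, and each is the section's full new state.
OBEYFILE_RECORD: Config = {
    "TCPCONFIG": {"TTLS": "YES", "RESTRICTLOWPORTS": "YES"},
    "PORT": {"21": "FTPD1", "23": "TN3270", "4443": "WEBSRV"},
}

# Keys whose change a security monitor would want to alert on (constructed list).
WATCH_KEYS = {"TTLS", "IPSECURITY", "DATAGRAMFWD", "RESTRICTLOWPORTS"}


def diff_section(name: str, old: Section, new: Section) -> List[Change]:
    """Per-key comparison of one section; a key missing on one side shows as None."""
    return [
        (name, key, old.get(key), new.get(key))
        for key in sorted(set(old) | set(new))
        if old.get(key) != new.get(key)
    ]


def apply_record(current: Config, record: Config) -> Tuple[Config, List[Change]]:
    """Fold a subtype 4 record into the current configuration. Sections absent from
    the record are unchanged and carried forward; present ones replace the old section."""
    updated = {name: dict(section) for name, section in current.items()}
    changes: List[Change] = []
    for name, section in record.items():
        changes.extend(diff_section(name, current.get(name, {}), section))
        updated[name] = dict(section)
    return updated, changes


def security_relevant(changes: List[Change]) -> List[Change]:
    return [c for c in changes if c[1] in WATCH_KEYS]


def frame(record: Config) -> bytes:
    """Constructed wire form: 2-byte big-endian total length, then the JSON payload."""
    payload = json.dumps(record, sort_keys=True).encode()
    return struct.pack(">H", len(payload) + 2) + payload


def reassemble(buffers: Iterable[bytes]) -> List[Config]:
    """Rebuild records from a sequence of buffers; a record may start in one buffer
    and finish in a later one, and a buffer may hold several records."""
    pending = b""
    records: List[Config] = []
    for buf in buffers:
        pending += buf
        while len(pending) >= 2:
            length = struct.unpack(">H", pending[:2])[0]
            if len(pending) < length:
                break                       # wait for the rest of this record
            records.append(json.loads(pending[2:length]))
            pending = pending[length:]
    return records


if __name__ == "__main__":
    wire = frame(OBEYFILE_RECORD)
    config = BASELINE
    for record in reassemble([wire[:10], wire[10:]]):   # record split across two buffers
        config, changes = apply_record(config, record)
        for change in security_relevant(changes):
            print("security-relevant change:", change)
```

The important property is that untouched sections survive the merge: the record has no IPCONFIG section, so the IPSECURITY and DATAGRAMFWD values fetched over the NMI remain the current truth, while the TTLS change and the new port reservation are reported.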


Types of configuration data provided
  Profile common and profile data set names
  AUTOLOG procedure names and network access definitions
  IPv4, IPv6, TCP, UDP, and Global configuration statements
  Port reservations, IPv6 addresses and prefixes, network interface information and route information
  Source IP address control and management information
  IPSec common and default rules
  DVIPA addresses and routes, distributed DVIPA configuration information

SMF and NMI records have the same formats


Packet and data trace NMI now collects OSAENTA records
  Existing NMI support collects packet trace records in real time
  Function expanded to collect OSAENTA trace records now as well
  Function available to format the OSAENTA records in addition to collecting them
  Be sure to filter output on production systems!

[Figure: System z LAN sniffer. LPAR 1 (z/OS) runs the NMI application over TCP/IP; LPAR 2 and LPAR 3 run z/OS; LPAR 4 runs z/VM with Guest 1, Guest 2 and Guest 3. All sit on the System z hypervisor (PR/SM) above an OSA-E2/E3 with the OSA LAN analyzer, attached to the LAN media.]

Controlling NMI and SMF record collections
  No configuration required to collect NMI sysplex information
  Use the SMFCONFIG profile statement to control the creation of the new SMF 119 subtype 4 record:
    SMFCONFIG TYPE119 PROFILE
  Use the NETMONITOR profile statement to control whether the new NMI or SMF information should be collected using the real-time NMI monitor:
    NETMONITOR SMFService PROFILE   (SMF type 119 subtype 4 records)
    NETMONITOR NTATRCService        (OSAENTA records)


SNA NMI request can now request detailed CSM usage
SNA NMI now provides statistics on a per-storage-owner basis for CSM statistics information
  Can request detailed CSM usage data for all owners or up to four specific owners
  Detailed CSM usage data is only returned when explicitly requested
  Current CSM storage pool statistics and CSM summary information are always still returned

What type of detailed information is provided?
  Jobname and ASID
  Amount of storage owned in each storage pool
  Includes owners which have freed all CSM buffers


Verbose ping
z/OS ping by default sends one echo request and displays the result as follows:

ping mvs098
CS V1R11: Pinging host MVS098.tcp.raleigh.ibm.com (9.42.103.11)
Ping #1 response took 0.054 seconds.

Most other platforms send more requests and provide more details. z/OS V1R11 implements a verbose option for ping, which makes z/OS ping output look more like other platforms:

ping mvs098 (verbose
CS V1R11: Pinging host MVS098.tcp.raleigh.ibm.com (9.42.103.11) with 256 bytes of ICMP data
Ping #1 from 9.42.103.11: bytes=264 seq=1 ttl=64 time=0.57 ms
Ping #2 from 9.42.103.11: bytes=264 seq=2 ttl=64 time=0.17 ms
Ping #3 from 9.42.103.11: bytes=264 seq=3 ttl=64 time=0.13 ms
Ping statistics for MVS098.tcp.raleigh.ibm.com (9.42.103.11)
Packets: Sent=3, Received=3, Lost=0 (0% loss)
Approximate round trip times in milliseconds:
Minimum=0.13 ms, Maximum=0.57 ms, Average=0.29 ms, StdDev=0.24 ms
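The summary block of the verbose output can be recomputed from the per-reply lines, which is useful when the output is captured by automation and only the reply lines are kept. The code below is an added example, not part of the deck or of the z/OS ping command; it parses the three reply lines from the slide (embedded as constructed sample input) and reproduces the slide's statistics. The StdDev of 0.24 ms is reproduced only by the sample (n-1) standard deviation; the population formula would give 0.20 ms, which is the one thing worth knowing when comparing this output with other tools.

```python
import re
import statistics
from typing import Dict, List, Optional

# Constructed sample input: the reply lines of the slide's verbose ping.
VERBOSE_PING_OUTPUT = """\
CS V1R11: Pinging host MVS098.tcp.raleigh.ibm.com (9.42.103.11) with 256 bytes of ICMP data
Ping #1 from 9.42.103.11: bytes=264 seq=1 ttl=64 time=0.57 ms
Ping #2 from 9.42.103.11: bytes=264 seq=2 ttl=64 time=0.17 ms
Ping #3 from 9.42.103.11: bytes=264 seq=3 ttl=64 time=0.13 ms
"""

REPLY_RE = re.compile(
    r"^Ping #(?P<n>\d+) from (?P<src>\S+): bytes=(?P<bytes>\d+) seq=(?P<seq>\d+) "
    r"ttl=(?P<ttl>\d+) time=(?P<time>[\d.]+) ms"
)


def parse_replies(output: str) -> List[Dict[str, object]]:
    """One dict per reply line; other lines (banner, statistics) are ignored."""
    replies = []
    for line in output.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append({
                "source": m.group("src"),
                "bytes": int(m.group("bytes")),
                "seq": int(m.group("seq")),
                "ttl": int(m.group("ttl")),
                "time_ms": float(m.group("time")),
            })
    return replies


def ping_summary(output: str, sent: Optional[int] = None) -> Dict[str, float]:
    """Recompute the statistics block. `sent` is the number of echo requests
    issued; when unknown it is taken as the number of replies seen."""
    replies = parse_replies(output)
    times = [r["time_ms"] for r in replies]
    received = len(times)
    sent = received if sent is None else sent
    lost = sent - received
    summary: Dict[str, float] = {
        "sent": sent,
        "received": received,
        "lost": lost,
        "loss_pct": round(100 * lost / sent) if sent else 0,
    }
    if times:
        summary["min"] = min(times)
        summary["max"] = max(times)
        summary["avg"] = round(sum(times) / received, 2)
        # z/OS reports the sample standard deviation (n-1 in the denominator).
        summary["stddev"] = round(statistics.stdev(times), 2) if received > 1 else 0.0
    return summary


if __name__ == "__main__":
    print(ping_summary(VERBOSE_PING_OUTPUT, sent=3))
```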

Netstat to show connections in SYN_RCVD state

A half-open connection is a connection in the SYN_RCVD state. Netstat did not previously display such connections, but netstat in z/OS V1R11 will, for completeness, include connections in that state.

[Figure: TCP state transitions for the passive-open side. Starting point CLOSED; appl: passive open, send: nothing, goes to LISTEN; recv: SYN, send: SYN,ACK goes to SYN_RCVD; recv: RST returns to LISTEN (passive open); recv: ACK, send: nothing, goes to ESTABLISHED (data transfer state).]

MVS TCP/IP NETSTAT CS V1R11       TCPIP Name: TCPCS           20:56:52
User Id  Conn     Local Socket           Foreign Socket         State
-------  ----     ------------           --------------         -----
FTPD1    00001475 9.42.104.19..21        9.27.40.29..4053       Synrcvd
FTPD1    00000010 0.0.0.0..21            0.0.0.0..0             Listen
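Half-open connections are the thing to count when a listener is suspected of being under a SYN flood, and with V1R11 netstat now showing them, that count can be taken from the command output. The block below is an added example rather than IBM code: it parses the netstat display above (the slide's two lines, plus constructed entries using the 192.0.2.0/24 documentation range so the per-listener tally is visible) and reports the half-open backlog per local port and the foreign addresses contributing to it. The alert threshold is a constructed value.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Conn(NamedTuple):
    user: str
    conn_id: str
    local: str
    foreign: str
    state: str


# Constructed sample: the slide's output plus made-up rows. z/OS writes sockets
# as address..port and uses state names such as Synrcvd, Listen and Establsh.
NETSTAT_OUTPUT = """\
MVS TCP/IP NETSTAT CS V1R11       TCPIP Name: TCPCS           20:56:52
User Id  Conn     Local Socket           Foreign Socket         State
-------  ----     ------------           --------------         -----
FTPD1    00001475 9.42.104.19..21        9.27.40.29..4053       Synrcvd
FTPD1    00000010 0.0.0.0..21            0.0.0.0..0             Listen
FTPD1    00001476 9.42.104.19..21        192.0.2.10..40001      Synrcvd
FTPD1    00001477 9.42.104.19..21        192.0.2.10..40002      Synrcvd
FTPD1    00001478 9.42.104.19..21        192.0.2.11..40003      Synrcvd
FTPD1    00001479 9.42.104.19..21        9.27.40.30..4060       Establsh
TN3270   00000012 0.0.0.0..23            0.0.0.0..0             Listen
"""

# User id, 8-hex-digit connection id, local socket, foreign socket, state.
ENTRY_RE = re.compile(r"^(\S+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_netstat(text: str) -> List[Conn]:
    """Header, ruler and banner lines do not match the entry pattern and are skipped."""
    return [Conn(*m.groups()) for m in map(ENTRY_RE.match, text.splitlines()) if m]


def split_socket(socket: str) -> tuple:
    """'9.42.104.19..21' -> ('9.42.104.19', '21'); rsplit keeps IPv6 text intact."""
    addr, port = socket.rsplit("..", 1)
    return addr, port


def half_open_by_port(conns: List[Conn]) -> Dict[str, int]:
    return dict(Counter(split_socket(c.local)[1] for c in conns if c.state == "Synrcvd"))


def half_open_sources(conns: List[Conn]) -> Dict[str, int]:
    return dict(Counter(split_socket(c.foreign)[0] for c in conns if c.state == "Synrcvd"))


def flag_listeners(conns: List[Conn], threshold: int = 3) -> List[str]:
    """Local ports whose half-open backlog reaches the (constructed) threshold."""
    return sorted(port for port, n in half_open_by_port(conns).items() if n >= threshold)


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_OUTPUT)
    print("half-open per port:", half_open_by_port(conns))
    print("half-open sources:", half_open_sources(conns))
    print("listeners over threshold:", flag_listeners(conns))
```

A single Synrcvd entry, as on the slide, is normal for a connection mid-handshake; it is a backlog of them against one port, especially from a few sources, that is worth an alert, and the sources tally is what you hand to the network team for filtering at the router.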

Agenda
  Workshop introduction
  z/OS V1R11 Communications Server
    Application integration, data consolidation, and standards
    Availability and business resilience
    Scalability, performance, constraint relief, and accelerators
    Networking security
    Simplification and ease-of-use
    SNA and Enterprise Extender
    Virtualization
    Systems management and monitoring
  What does Web services mean to your z/OS networking environment
  Next generation Internet: IPv6
  Roadmap for SNA modernization
  Trends and direction

Disclaimer: All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an as is basis, without warranty of any kind.

The clash of two cultures

The networking world and the Web services world can both seem intimidating with all their acronym jargon.

The Web services world: SOAP, XML, WSDL, SAML, UDDI, JAZZ, WSS, JCA, WEB20, ODR, WSXL, BPEL, MTOM, JDBC

The networking world: UDP, ICMP, FR, APPN, TCP, BGP, SDLC, ND, TLS, IPv6, X.25, IPv4, IOCTL, IPSec, OSPF, Kerberos

To perform a successful Web services implementation project, the two groups of experts need to work together and understand parts of each other's jargon.


What is a Service Oriented Architecture (SOA)?

What is a service? A repeatable business task, e.g., check customer credit; open new account
What is service orientation? A way of integrating your business as linked services and the outcomes that they bring
What is a service oriented architecture (SOA)? An IT architectural style that supports service orientation
What is a composite application? A set of related and integrated services that support a business process built on an SOA


What is a Web service?

The World Wide Web Consortium (W3C) defines a Web service as:
  A software system designed to support interoperable machine-to-machine interaction over a network.

Web services are frequently just APIs that can be accessed over a network, such as the Internet, and executed on a remote system hosting the requested service. Core elements of the Web services technology are:
  SOAP (Simple Object Access Protocol) - describes the service's communication protocols
  WSDL (Web Services Description Language) - an XML-based language that provides a model for describing Web services
  UDDI (Universal Description, Discovery and Integration) - defines a way to publish and discover information about Web services

In many aspects, a Web service is not much different from the functions of traditional transaction management systems we have had on z/OS for many years, like CICS and IMS.
One can look upon Web services as the next step in the evolution of transaction processing.

W3C: http://www.w3.org/

Web services core technologies

SOAP - Simple Object Access Protocol
SOAP is an XML-based protocol that enables applications to exchange information over other open protocols, such as HTTP. SOAP is a protocol for accessing a Web service.
  SOAP is a format for exchanging XML-based messages
  SOAP is platform independent
  SOAP is language independent
  SOAP is based on XML

WSDL - Web Services Description Language
WSDL is an XML-based language for locating and describing Web services.
  WSDL is XML-based and is extensible
  WSDL is an industry standard way to describe Web services
  WSDL is used to locate Web services

UDDI - Universal Description, Discovery and Integration
UDDI is a directory service where Web services providers can register and search for Web services.
  UDDI is a directory for storing information about Web services
  UDDI is a directory of Web service interfaces described by WSDL
  UDDI communicates via SOAP


Example of UDDI in use

Software companies, standards bodies, and programmers populate the registry with different types of services. Marketplaces, search engines, and business applications query the registry to discover services at other companies.

[Figure: a UDDI registry holding service type registrations and business type registrations. The provider publishes to the registry, the requester finds entries in it, and provider and requester then interact directly.]

Businesses populate the registry with descriptions of the services they support. A unique identifier is assigned to each service and business registration.

Businesses obtain the locations and implementation details of other businesses' services from the registry entries and use this data to facilitate e-business integration with each other over the Web.


A little more on SOAP

SOAP (Simple Object Access Protocol) is a protocol for exchanging XML-based messages over computer networks, normally using HTTP. SOAP forms the foundation layer of the Web services stack, providing a basic messaging framework that more abstract layers can build on. SOAP uses the Remote Procedure Call (RPC) pattern, in which one network node (the client) sends a request message to another node (the server), and the server sends a response message to the client. Both SMTP and HTTP (and others) are valid application-layer transport protocols for SOAP.
  HTTP has gained wider acceptance as it works well with today's Internet infrastructure, because firewall rules have been set up for HTTP traffic: both non-secure HTTP on port 80 and secure HTTPS on port 443
  MQ is also often used as a SOAP transport technology

How do HTTP and SOAP fit together?

Hypertext Transfer Protocol (HTTP) is a method used to transfer or convey information on the World Wide Web.
  Its original purpose was to provide a way to publish and retrieve HTML pages.

HTTP has become the typical transport for Web services
  Example: SOAP over HTTP
  A Web services implementer needs a basic HTTP(S) listener to get started

HTTP is a request/response protocol between clients and servers to access resources through the following functions: GET, PUT, POST, DELETE, and others

[Figure: encapsulation. An IP packet carries a TCP segment, which carries an HTTP request or response, which carries the SOAP message request or response.]


Example Web service: HTTP with SOAP message encoded in XML

HTTP request carrying the SOAP request:

POST /EndorsementSearch HTTP/1.1
Host: www.snowboard-info.com
Content-Type: text/xml; charset="utf-8"
Content-Length: 261
SOAPAction: http://www.snowboard-info.com/EndorsementSearch

<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <m:GetEndorsingBoarder xmlns:m="http://namespaces.snowboard-info.com">
      <manufacturer>K2</manufacturer>
      <model>Fatbob</model>
    </m:GetEndorsingBoarder>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

SOAP reply:

<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <m:GetEndorsingBoarderResponse xmlns:m="http://namespaces.snowboard-info.com">
      <endorsingBoarder>Chris Englesmann</endorsingBoarder>
    </m:GetEndorsingBoarderResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

SOAP messages are text-based messages that are encoded in a markup language known as Extensible Markup Language, or XML for short.

So what's so special about Web services workload from a z/OS networking perspective?

Just another transactional workload: XML messages formatted according to SOAP and transported over various ISO application-layer protocols (HTTP, HTTPS, MQ, SMTP, etc.)

z/OS is designed to handle many types of concurrently executing workloads, and that includes the networking aspects of such workloads:
  File transfers (FTP, ConnectDirect, sftp, etc.)
  Real-time data access (DB2 DRDA, NFS, DFS, SMB, etc.)
  Traditional transactional access (CTG, CWS, IMS Connect, MQ, IHS, etc.)
  Web services access (WAS, CICS, IMS, DB2)
  Traditional SNA access (SNA 3270, LU0, LU6.2, EE, etc.)
  Terminal access (TN3270, Telnet, Rlogin, SSH, etc.)

But SOA workload does have some special networking characteristics that may impact certain elements of your overall z/OS networking infrastructure.


Networking workload characteristics

Three generalized networking workload types:
  CRR - Connect, Request, Response: connect; request + response; close
    Non-persistent HTTP(S), CICS or IMS transactions, etc.
  RR - Request, Response: connect; repeated request + response; close
    Persistent HTTP(S), TN3270, SMTP, IMS Connect, DB2 DRDA, etc.
  Streaming: connect; "file" transfer; close
    FTP, sftp, etc.

Web services are all over the place:
  May be CRR (HTTP(S) over non-persistent connections)
  May be RR (HTTP(S) over persistent connections or a message queuing-based transport)
  May be streaming in nature
    Some very large requests or responses have been observed
    File transfers embedded in a Web service are not unusual

Web services generally use lots of networking bandwidth

A typical IBM 3270 terminal-based transaction
  Average 200 bytes in
  Up to 2000 bytes out

A typical SOAP-based transaction
  Thousands of bytes in, typically XML and binary data
  Many thousands of bytes out, a mix of XML and binary data

XML may be powerful from a capability perspective, but it isn't cheap from a networking perspective. Web services are mostly text-based (XML), but binary data may be intermixed in the data stream as attachments (SOAP MTOM - SOAP Message Transmission Optimization Mechanism).

Adding Web services traffic to a network infrastructure that was built for traditional z/OS transactional workload requires some thoughtful planning: increasing network bandwidth, number of switches, routers, network adapters, and so forth.

z/OS and Web services: external gateway/ESB approaches

[Figure: a Web services requester sends XML/SOAP message formats over TCP/IP to gateways outside z/OS: WebSphere Application Server (with various subsystem-specific JCA implementations for SNA, IMS Connect, CTG, etc., using JCA and JDBC type-4 connectors), WebSphere ESB, WebSphere Message Broker (MQ, JCA, JDBC, and others), IMS SOAP Gateway, IBM DataPower (MQ, WS, DRDA, etc.) and 3rd-party ESBs and gateways (Iona's Artix, GT Software's Ivory Server, etc.). The gateways reach the z/OS subsystems (IMS via IMS Connect, DB2 via DRDA, CICS via CICS Transaction Gateway) over SNA or TCP/IP using traditional (legacy) message formats and legacy protocols.]

XML/SOAP message formats are mostly used on the network between the clients and the gateways, and to a lesser extent on the network between the gateways and System z.

Several of the gateway/ESB solutions can be run natively on z/OS or in Linux on System z. HiperSockets will then typically be used for the IP communication inside System z between Linux, z/VM, and z/OS.


What does IBM WebSphere DataPower do in a z/OS installation?

DataPower can perform advanced Web services operations, content-based routing, and transformation of requests to traditional z/OS applications:
  Security: XML/SOAP firewall capability, WSS processing
  XML offload: XML parsing on a specialty device
  Message transformation: transform XML/SOAP to traditional z/OS application data formats and interface with existing z/OS applications via HTTP, MQ, JMS, IMS Connect, or DB2 DRDA
  Content-based routing: based on data in the request (including data protected by WSS), select the proper target server, request type, format, and mode
  Monitoring and SOA governance

[Figure: an HTTP(S) XML/SOAP request enters DataPower and passes through HTTP(S) processing, XML parsing, XML/SOAP firewall processing, WSS processing, message transformation and content-based routing before reaching IMS, CICS, DB2 or WAS; the HTTP(S) XML/SOAP response returns the same way.]
  Request type: HTTP(S), MQ, JMS, IMS Connect, DRDA
  Request format: XML, COBOL copybook, binary
  Request mode: synchronous, asynchronous

z/OS and Web services native z/OS support


z/OS internal connectors are either:
- Type-2: cross-memory
- Type-4: TCP/IP sockets (fast local sockets)

[Diagram: native z/OS Web services support. A Web services requester sends XML/SOAP messages to WebSphere Application Server on z/OS, WebSphere ESB on z/OS, WebSphere Message Broker, IMS SOAP Gateway Version 10.1 on z/OS (IMS Connect via IMS SOAP Gateway: IMS V10 and IMS SOAP Gateway Version 10.1) or CICS Web Services (CICS TS 3.1 and 3.2); outbound Web services requests flow the other way. Inside z/OS the connections to IMS (IMS Connect), DB2 (DB2 DRDA) and CICS (CICS Transaction Gateway) use cross-memory or TCP/IP local sockets via JCA, JDBC, MQ and others, including various subsystem-specific JCA implementations (SNA, IMS-Connect, CTG, etc.), translating between XML/SOAP message formats and traditional (legacy) message formats.]

In this scenario, XML/SOAP message traffic extends to z/OS, and the System z network interfaces to z/OS and the surrounding network equipment must be up to the task!


How do you know if your data center network can handle the anticipated traffic volumes?
You typically don't, but you will likely need to know before your applications are ready for stress test
- Application Workload Modeler (AWM) can be used to generate an artificial network workload to test how well your infrastructure stands up to the anticipated traffic volumes

AWM is a multi-platform technology
- Runs on z/OS, Linux on System z, and Linux on Intel

Network traffic can be created using two general modes:
- Client/server: AWM provides both clients and servers
  - The clients and servers generate Connect Request Response (CRR), Request/Response (RR), and streaming workloads
- Application client mode: AWM provides standard clients (HTTP, FTP, TN3270, SMTP, DNS, etc.)
  - You deploy your normal server subsystems and implement skeleton server applications matching your client (AWM provides some of those)

You can create tests based on a mix of these different workloads
- A simple capacity test based on a mix of CRR, RR, and streaming workload
- A more complex test based on use of the clients provided by AWM

For more information on AWM: http://www.ibm.com/software/network/awm/index.html

z/OS WebSphere Application Server Base Configuration


[Diagram: z/OS LPAR-1 with a Location Service Daemon (CR) and one NODE containing an APPLICATION SERVER made up of a Control Region (CR), a CRA and several Servants (SR SR SR).]

This is a configuration that is easy to set up, but not a highly available or scalable configuration
- If you just replicate a base configuration, the copies won't cooperate to share the workload
- No exploitation of the z/OS Sysplex facilities
- No central administration
- Not possible to present a single system image

If you want high availability, you need a network deployment configuration


z/OS WebSphere Application Server Network Deployment Configuration

[Diagram: one CELL spanning z/OS LPAR-1 and z/OS LPAR-2. Each LPAR runs a Location Name Service Daemon (CR) and a NODE with a Node Agent (CR) and an APPLICATION SERVER (CR Control Region, CRA, SR SR SR Servants); the two application servers form an APPLICATION SERVER CLUSTER. The cell also contains the Deployment Manager (CR Control Region, SR SR SR Servants).]

Scalability and availability:
- Adding servants
- Adding servers to a cluster
- Adding nodes (LPARs) to a cell
- Adding more processor and memory capacity
- Adding more network interfaces
- Etc.

All nodes start out as base application server nodes, which are then federated into network deployment configuration nodes


Default port numbers in a Network Deployment Cell


Sample Cell: Daemon (CR), Deployment Manager (CR, SR, SR), Node Agent (CR), Application Server (CR, SR, SR)

Function                  | Daemon             | Dep. Mgr.    | Node Agent         | App Server
                          | one per z/OS image | one per cell | one per z/OS image | one or more per cell
SOAP JMX                  | n/a                | 8879 (SD)    | 9360               | 8880
Data Replication Services | n/a                | 7989 (SD)    | 7888               | 7973
Bootstrap/ORB IIOP        | 5755 (SD)          | 9809 (SD)    | 2809 (SD)          | 9810
ORB SSL                   | 5756 (SD)          | 0 (SD)       | 0 (SD)             | 0
Cell/Node Discovery       | n/a                | 7277 (SD)    | 7272               | n/a
Multi-cast discovery      | n/a                | n/a          | 5000               | n/a
HTTP                      | n/a                | 9060 (SD)    | n/a                | 9080 (SD1)
HTTP SSL                  | n/a                | 9043 (SD)    | n/a                | 9443 (SD1)
HA Mgr.                   | n/a                | 9352 (SD)    | 9354               | n/a

SD stands for Sysplex Distributor; SD can be used with those ports.
Note 1: SD can be used for the application server HTTP ports if session affinity is not required. See the following pages for information on session affinity.

Before using the default port numbers, please read: http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP100653


What some of the ports are used for

SOAP JMX Connector port


Port number for the JMX HTTP connection to this server based on the SOAP protocol. JMX is used for remote administrative functions, such as invoking scripts through wsadmin.sh.

DRS Client Address port


Port address for access to the server's data replication service. This is important for configurations that define replication groups.

ORB port
Port for IIOP requests. It acts as the bootstrap port for this server and also as the port through which the ORB accepts IIOP requests.

ORB SSL port


Port for secure IIOP requests. The default is 0, which allows the system to choose this port.

HTTP port
Port for HTTP requests.

HTTP SSL port


Port for secure HTTP requests.


Assigning IP addresses to a z/OS WebSphere Application Server cell


A cell listens on many TCP port numbers
- Most are known in advance

Sometimes you need to host multiple cells on the same LPAR, and you may want to use the well-known port numbers (80 and 443) for all of them
- Test, development, etc.

You need a very good job name naming standard so all address spaces belonging to a cell can easily be identified
- Use a common 3- or 4-character job name prefix to group them together

How do we assign a DVIPA per cell to be used on all the cell's listening sockets in an LPAR?
- Use the SRCIP definitions in TCP/IP with the:
  - SERVER option - all listening sockets will use the specified IP address
  - BOTH option - as SERVER, plus all outgoing connections will use the same IP address

    SRCIP
      JOBNAME  WAS1*  10.1.5.15  SERVER
      JOBNAME  WAS2*  10.1.5.16  SERVER
      JOBNAME  WAS3*  10.1.5.17  BOTH
      JOBNAME  WAS4*  10.1.5.18  CLIENT
    ENDSRCIP


State-less vs. state-full WebSphere workload

TCP connection load-balancing has many advantages:
- Efficient workload management across multiple server instances in a cluster of servers
- Service availability: as long as just one server instance is up and running, clients can connect to the service
- Scalability: server instances can be added and removed dynamically as demand for capacity increases or decreases

Works fine for state-less workload, but what about state-full workload?
- A server instance may save state data, and succeeding HTTP TCP connections from the same client must be able to re-use that saved state data
- Session persistence: store state data in shared memory (DB2) accessible from all server instances
- Session affinity: choose the same server for the next HTTP request, allowing state data to be stored in local memory

Different approaches are possible for session affinity:
- Timed affinity in the load balancer based on client IP address (not really fine-grained enough)
- Content inspection of the HTTP request by the load balancer to detect session affinity information and use that when determining where the connection should go
- Use of persistent HTTP TCP connections for the duration of the session

When using session affinity, who handles state cookies in the HTTP requests?

Two technologies are available:
- z/OS WebSphere Application Server plug-in for a front-end HTTP server
- z/OS WebSphere Application Server Version 6 or later Extended Deployment with On Demand Router (ODR)

[Diagram: two topologies in front of a z/OS Sysplex WAS Cluster of WAS1 (VIPA1), WAS2 (VIPA2) and WAS3 (VIPA3). Plug-in topology: an HTTP request reaches Sysplex Distributor (VIPA0), then an HTTP Server with the WAS Plugin, which forwards it to the cluster member the request's session belongs to. ODR topology: an HTTP request with no JSESSIONID is distributed by Sysplex Distributor (VIPA0) to one of the ODR instances (VIPA0); an HTTP request with a JSESSIONID mapping to WAS3 is routed by ODR to WAS3.]

The HTTP Server can be the z/OS Internet HTTP Server (IHS) on z/OS, or one or more distributed HTTP servers

In many topologies, the front-end HTTP tier is implemented in Linux on System z, using HiperSockets for communication to same-CEC z/OS LPARs

ODR is part of WAS-XD

On-Demand Router (ODR) is a Java application that comes with WebSphere Application Server
- It can run within the same cell as the real application servers, or externally
- It uses an installation-defined policy to classify and route incoming transactions
- It assigns WLM classes to HTTP transactions, based on the policy
- It runs on multiple servant regions for easy scalability
- It has logic to determine HTTP session affinity and direct transactions to the correct server instance
- It uses WLM input to determine where to route work with no affinity
- Sysplex Distributor can be used for incoming connections to ODR to assure high availability
  - Incoming requests have no affinity until ODR determines what they are
- It has logic to detect ailing servers, for example those experiencing the Storm Drain effect, and direct work away from those servers
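A worked model of the affinity decision described on this and the previous slide, as an added example (not IBM's code and not from this deck): it assumes the WebSphere JSESSIONID layout `<cache-id><session-id>:<clone-id>[:<clone-id>...]`, a clone-ID-to-server table (in WebSphere this comes from the plug-in configuration), and constructed requests.

```python
"""Session-affinity routing in front of a WebSphere cluster.

Added example, not IBM's code: a minimal model of the decision the WAS
plug-in or the On Demand Router makes for each HTTP request.  Assumed
here is the WebSphere JSESSIONID layout
<cache-id><session-id>:<clone-id>[:<clone-id>...], where a clone ID
identifies one application server.  The clone table and the requests
are constructed for the example.
"""

# Constructed clone-ID table: clone ID -> cluster member (hypothetical values).
CLONE_TO_SERVER = {
    "1a2b": "WAS1",
    "3c4d": "WAS2",
    "5e6f": "WAS3",
}


def parse_cookies(header):
    """Turn a Cookie header ('a=1; b=2') into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def clone_ids_from_jsessionid(jsessionid):
    """Clone IDs follow the first ':'.  The first one is the server that
    created the session; further IDs are replicas when memory-to-memory
    session replication is configured."""
    _, sep, clones = jsessionid.partition(":")
    return [c for c in clones.split(":") if c] if sep else []


class AffinityRouter:
    def __init__(self, clone_to_server, healthy_servers):
        self.clone_to_server = clone_to_server
        self.healthy = set(healthy_servers)
        self._next = 0

    def _balance(self):
        """Round-robin over healthy members for requests with no affinity.
        (ODR would consult WLM here; the plug-in uses weighted round-robin.)"""
        members = sorted(self.healthy)
        choice = members[self._next % len(members)]
        self._next += 1
        return choice

    def route(self, headers):
        """Return (server, reason).  reason is 'affinity' when the cookie
        named a healthy member, 'balanced' when there was no cookie, and
        'affinity-lost' when every member it named is down: the request is
        re-balanced, but state kept only in the dead server's local memory
        is gone unless session persistence (e.g. in DB2) is in use."""
        cookies = parse_cookies(headers.get("Cookie", ""))
        jsessionid = cookies.get("JSESSIONID")
        if not jsessionid:
            return self._balance(), "balanced"
        for clone in clone_ids_from_jsessionid(jsessionid):
            server = self.clone_to_server.get(clone)
            if server in self.healthy:
                return server, "affinity"
        return self._balance(), "affinity-lost"


if __name__ == "__main__":
    router = AffinityRouter(CLONE_TO_SERVER, ["WAS1", "WAS2", "WAS3"])
    print(router.route({}))                                              # no cookie -> balanced
    print(router.route({"Cookie": "JSESSIONID=0000Ab12Cd34Ef56:5e6f"}))  # -> WAS3 by affinity
```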

On Demand Router compared to other workload routing technologies


[Table: HTTP server with plug-in, Sysplex Distributor, HTTP server with plug-in and Sysplex Distributor, and On Demand Router compared on session affinity, dynamic workload balancing, automatic capacity management, storm drain avoidance, application lazy start, and application edition routing. Only the cells reading "Not supported" or "Partly supported" survive as text; supported cells were check marks in the original.]

With On Demand Router, Sysplex Distributor is still used to balance connections to the ODR application across LPARs
A connection does not have affinity until after ODR processes it

What is Web Services Security (WSS)?

WS-Security (Web Services Security) is a communications protocol providing a means for applying security to Web services. The protocol contains specifications on how integrity and confidentiality can be enforced on Web services messaging.
- The WSS protocol includes details on the use of Security Assertion Markup Language (SAML) and Kerberos, and certificate formats such as X.509

WS-Security adds security information in the header of a SOAP message. It ensures end-to-end security:
- Authentication, confidentiality, and integrity

How is it different from SSL/TLS or IPSec?
- It allows for more granular encryption of the application data payload
- For example, some data in the message can be encrypted while other data is not


Web Services Security example


    <soapenv:Envelope>
      <soapenv:Header>                                                        <!-- SOAP headers -->
        <wsse:Security soapenv:mustUnderstand="1">
          <xenc:EncryptedKey>
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlen..."/>      <!-- encryption algorithm -->
            <dsig:KeyInfo>
              <wsse:SecurityTokenReference>
                <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-2004...">...</wsse:KeyIdentifier>
              </wsse:SecurityTokenReference>
            </dsig:KeyInfo>
            <CipherData xmlns="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <CipherValue>k//nQmHdy</CipherValue>
            </CipherData>
            <xenc:ReferenceList>
              <xenc:DataReference URI="#body"/>
            </xenc:ReferenceList>
          </xenc:EncryptedKey>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:pretend="http://www.pitt.org/steelers/">
        <xenc:EncryptedData Id="body" Type="http://www.w3.org/2001/04/xmlenc#Content">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/tripledes" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>  <!-- encryption algorithm -->
          <CipherData>
            <CipherValue>fVPFM6BC9O93FPC</CipherValue>
          </CipherData>
        </xenc:EncryptedData>
      </soapenv:Body>
    </soapenv:Envelope>


Web services position in the traditional ISO layer model

Anything above the sockets API layer is an application from a TCP/IP point of view, but it may not necessarily be your application

[Diagram: layer stack, top to bottom.
  Your application / ????? / Web Services Security layer
  z/OS subsystems using TCP/IP directly (DB2 DRDA, CICS, IMS, MQ, IHS, etc.) | TCP/IP standard applications (FTP, TN3270, SNMP, NFS, etc.) | Customer-written TCP/IP sockets applications
  "Application"-specific security protocols
  SOAP protocol layer / HTTP/HTTPS protocol layer
  TCP/IP API layer - Sockets
  "Application"-specific SSL/TLS (using System SSL calls) | Application Transparent SSL/TLS | IPSec security
  Transport protocol layer (TCP, UDP, and RAW)
  IPv4 and IPv6 Networking layer
  Network Interfaces]


IPSec, SSL/TLS, or Web services security (WSS)?


Characteristic | IPSec VPN | SSL/TLS | WSS
Type of traffic that can be protected | All traffic (TCP, UDP, ICMP, etc.) | All TCP connections | Web services application workload only
True end-to-end protection possible | Yes | Yes | Yes
Network segment protection possible | Yes | No (not without proxy servers) | No (not without proxy/relay servers)
Scope of protection | IPSec Security Association (all traffic, selected protocol, single connection or application) | SSL/TLS session (single connection) | Message or field in message
How controlled | IPSec policy | AT-TLS policy or application controlled | Web services-specific configuration
Requires ISO layer-7 application modifications | No | AT-TLS: No; System SSL: Yes | Yes (done in the Web services stack)
Type of security | Device to device (IP address to IP address) | Application to application | Message-based application to application
Type of authentication | Peer to peer (IP node to IP node) | Server to client and optionally client to server | Server to client and/or client to server
Authentication credentials | Preshared keys or X.509 certificate | X.509 certificate | X.509 certificates, Kerberos, etc.
Authentication principals | Represents host (IP address) | Represents application or user | Represents application or user
Authentication frequency | Per secure channel setup | Per TCP connection setup | Per message or per Web services secure conversation
Session key generation or refresh | Yes with dynamic tunnels (IKE), No with manual tunnels | SSL/TLS handshake | Per message or per Web services secure conversation
zIIP or zAAP support | zIIP (from z/OS V1R8 Aug. 2007) | No | WAS: runs on zAAP; IMS: runs on zAAP; CICS: no
System z hardware crypto support | Yes | Yes | Yes
IPv4 or IPv6 support | IPv4: optional, IPv6: required | Both | Both


What is encrypted and what are the impacts to boxes-in-the-middle?

Types of such boxes:
- Firewalls
- Intrusion detection devices (signature-based)
- Contents-based routers

"I am a firewall who wants to inspect the data in these IP packets!"

[Diagram: the same request as seen by a box-in-the-middle under four protection choices]

Protection         | SrcIP         | DestIP      | SrcPort | DestPort | Data
No encryption      | 192.168.100.1 | 192.168.1.1 | 50001   | 80       | POST / HTTP/1.1 ... <soapenv:Envelope ...
WSS encryption     | 192.168.100.1 | 192.168.1.1 | 50001   | 80       | POST / HTTP/1.1 ... <soapenv:Envelope ... <xenc:EncryptedData ... ^%$$##%%%%
SSL/TLS encryption | 192.168.100.1 | 192.168.1.1 | 50002   | 443      | @%$#*&&^^!:"J)*GVM><
IPSec encryption   | 192.168.100.1 | 192.168.1.1 | >::"    | *&hU$$$$ | @%$#dd*&&^s^!:"J)*bGVM> (*hhgvvv<

IP header encryption varies based on transport/tunnel mode, and AH/ESP protocol
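To make the visibility point of this slide and of the "Web Services Security example" slide concrete, here is an added example (not from the deck) that parses a constructed WS-Security envelope the way a Web services-aware box-in-the-middle would and reports what stays readable: the namespace URIs are the standard SOAP 1.1, WSS 1.0 and XML Encryption ones, the routing header and payroll payload are invented, and the cipher values are placeholders.

```python
"""What a box-in-the-middle can and cannot see in a WS-Security message.

Added example (not from the original deck): parse a SOAP envelope whose
Body is protected with XML Encryption, as on the "Web Services Security
example" slide, and report which parts are readable plaintext and which
are opaque.  Both envelopes below are constructed; CipherValue strings
are placeholders, not real ciphertext.
"""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
ENCRYPTED_DATA = "{%s}EncryptedData" % NS["xenc"]

# Constructed sample: Body protected by XML Encryption, headers in the clear.
ENCRYPTED_ENVELOPE = """\
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-WRAPPED-KEY</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#body"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
    <rt:Target xmlns:rt="urn:example:routing">PAYROLL</rt:Target>
  </soapenv:Header>
  <soapenv:Body>
    <xenc:EncryptedData Id="body" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>
"""

# Constructed sample: the same request without WSS, readable by every hop.
CLEARTEXT_ENVELOPE = """\
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header><rt:Target xmlns:rt="urn:example:routing">PAYROLL</rt:Target></soapenv:Header>
  <soapenv:Body><pay:Lookup xmlns:pay="urn:example:payroll"><pay:EmployeeId>4711</pay:EmployeeId></pay:Lookup></soapenv:Body>
</soapenv:Envelope>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def inspect_envelope(xml_text):
    """Report what an intermediary sees: the element names it can read, the
    EncryptedData Ids and algorithms it cannot look inside, whether the
    whole Body is opaque, and any DataRe  ference in the EncryptedKey that
    does not point at an EncryptedData element actually present."""
    root = ET.fromstring(xml_text)
    visible, opaque, algorithms = [], [], []

    def walk(el):
        if el.tag == ENCRYPTED_DATA:
            opaque.append(el.get("Id"))
            method = el.find("xenc:EncryptionMethod", NS)
            if method is not None:
                algorithms.append(method.get("Algorithm"))
            return                      # nothing below this point is readable
        visible.append(local_name(el.tag))
        for child in el:
            walk(child)

    walk(root)
    refs = [r.get("URI", "").lstrip("#") for r in
            root.findall(".//xenc:EncryptedKey/xenc:ReferenceList/xenc:DataReference", NS)]
    body = root.find("soapenv:Body", NS)
    body_children = list(body) if body is not None else []
    return {
        "visible_elements": visible,
        "opaque_ids": opaque,
        "algorithms": algorithms,
        "body_fully_encrypted": bool(body_children)
                                and all(c.tag == ENCRYPTED_DATA for c in body_children),
        "unresolved_references": [r for r in refs if r not in opaque],
    }
```

With WSS the routing header, the SOAP envelope structure and the algorithm identifiers remain visible to a content-based router or firewall, while the Body does not; a dangling DataReference is the kind of consistency failure a gateway should reject before attempting decryption.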


DataPower as a Web services secure gateway and firewall


To analyze Web services data, the firewall needs to be Web services aware
- DataPower is

XML/SOAP Firewall:
- Filter on any content, metadata or network variables (IP-layer, SSL, HTTP header, well-known XML threats in SOAP headers and payload, etc.)

Data Validation:
- Approve incoming/outgoing XML and SOAP at wire speed (XML well-formedness, SOAP protocol checks, XML schema validation options, etc.)

Field Level Security:
- WS-Security, encrypt & sign individual fields, non-repudiation

XML Web Services Access Control/AAA:
- SAML, LDAP, RADIUS, etc.

[Diagram: an HTTP(S) XML/SOAP request and response pass through DataPower, acting as a Web services-aware firewall and secure gateway, and continue as an HTTP XML/SOAP request and response to the back end.]



Web services summary


Topology is important from a network impact perspective
- Web services traffic to z/OS
  - Network interfaces and network infrastructure around z/OS need to be provisioned for anticipated network traffic volumes
- Web services traffic to Linux on System z with transformation to traditional z/OS transaction formats
  - Network interfaces and network infrastructure around System z need to be provisioned for anticipated network traffic volumes
  - Connectivity between Linux on System z and z/OS needs to be provisioned via HiperSockets and/or external LAN
- Web services traffic to a non-System z platform with transformation to traditional z/OS transaction formats
  - Connectivity between gateways and System z most likely via external LAN

If WebSphere Application Server is deployed on z/OS, planning is needed in order to:
- Ensure assignment of specific virtual IP addresses to different cells in the z/OS Sysplex
  - Please do read: http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP100653
- Manage connection availability and load balancing
  - Via front-end HTTP server with WAS plug-in followed by Sysplex Distributor
  - Via Sysplex Distributor to ODR servers

Network security technology needs to be addressed
- To what extent will WSS provide adequate security?
- Does WSS need to be accompanied by use of SSL/TLS (HTTPS) or IPSec on all or selected network segments?
  - WSS security is selective
  - WSS does not cover HTTP headers and the SOAP envelope


Agenda
- Workshop introduction
- z/OS V1R11 Communications Server
  - Application integration, data consolidation, and standards
  - Availability and business resilience
  - Scalability, performance, constraint relief, and accelerators
  - Networking security
  - Simplification and ease-of-use
  - SNA and Enterprise Extender
  - Virtualization
  - Systems management and monitoring
- What does Web services mean to your z/OS networking environment
- Next generation Internet: IPv6
- Roadmap for SNA modernization
- Trends and direction

Disclaimer: All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an as is basis, without warranty of any kind.

When do our z/OS customers believe they will need IPv6?


The majority of z/OS customers who answered the question did not know
- Expectations are that it will be needed slightly earlier on other platforms than on z/OS

It is time to start thinking and preparing now!

[Charts: "IPv6 on z/OS" and "IPv6 on other platforms", percentage of responses (0-100) by expected year: 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, Later than 2016, Do not know.]

Source: Survey conducted by ENS early 2009 among a selected set of customers (39 responses to this question)

IPv4 address usage since early 1993


[Chart: "Hosts on the Internet" advertised by DNS servers, number of hosts in millions (0-800) by year, 01/1993 to 07/2009. Annotations: projected Internet Assigned Numbers Authority (IANA) unallocated address pool exhaustion July 2011; projected Regional Internet Registries (RIR) unallocated address pool exhaustion April 2012.]

z/OS Communications Server continues to focus on IPv6 standards currency
- US DoD/NIST
- IPv6 Forum

What is the upper practical limit (the ultimate pain threshold) for the number of assigned IPv4 addresses? Some predictions said 250,000,000 (250 million), others go up to 1,000,000,000 (one billion or one milliard).

Sources: https://www.isc.org/solutions/survey, http://www.potaroo.net/tools/ipv4/index.html, http://penrose.uk6x.com/

If you want to stay in business after 2011/2012, you'd better start paying attention! Do not worry, the sky isn't falling: IPv4 and IPv6 will coexist for many years to come. Your applications need to be able to use both. If you write directly to the TCP/IP sockets layer, you need to start changing those applications.


Is Doomsday approaching?


How the IPv4 address space is managed

[Diagram: the IPv4 address space is divided into allocated space, the un-allocated IPv4 unicast pool, and reserved space. IANA (Internet Assigned Numbers Authority) allocates addresses to the Regional Internet Registries (RIRs): AFRINIC, APNIC, ARIN, LACNIC, RIPENCC. RIRs allocate to Local Internet Registries (LRIRs), which allocate to Internet Service Providers (ISPs), which assign to companies or "consumers".]

The most current predictions estimate that the un-allocated pool will be exhausted in July 2011. Some of the assigned but not advertised space may potentially be re-used to prolong the life of IPv4.

Source: "IPv4 Address Report" - http://www.potaroo.net/tools/ipv4/



IPv4 address space data as of June 2009

Reserved      | Reserved by the IETF
Un-allocated  | Available to be allocated to the RIRs
IANA-Registry | Addresses assigned directly by the IANA from before the time of regional registries
Various       | Space allocated to various registries (before regional registries were introduced)
AFRINIC       | Africa, portions of the Indian Ocean
APNIC         | Portions of Asia, portions of Oceania (includes Australia, China, India)
ARIN          | Canada, United States, islands in the Caribbean Sea and North Atlantic Ocean
RIPENCC       | Europe, the Middle East, Central Asia
LACNIC        | Latin America, portions of the Caribbean


It's this simple: IPv4 addresses are running short!


Forget about fancy IPv6 features as a reason for moving to IPv6: IPv6 deployment is inevitable
- Literally running out of IPv4 addresses
  - IPv4 address pool projected to be exhausted soon
  - To minimize disruption, IPv6 needs to be in place and in actual use before exhaustion occurs
- No other credible alternative to IPv6
  - Only alternative is IPv4 with a significant increase in NAT
  - Increased use of private addresses and resulting address collisions
  - Complete loss of globally unique addressing
  - Even NAT requires pools of public IPv4 addresses

[Diagram: The Internet - a worldwide digital utility: backbone ISPs (AT&T, MCI, GTE, BT, etc.), regional ISPs, local ISPs, large corporations and universities.]

All major vendors have maturing IPv6 product lines
- All IBM operating systems support IPv6, with middleware and application support starting to ship as well
- Router vendors (such as Cisco) have supported IPv6 for several years
- Microsoft VISTA was IPv6-enabled out of the box

Connectivity for anyone from anywhere (car, plane, home, office) to anything! More and more "push" applications are being deployed in the wireless market space. IPv6 promises true end-to-end connectivity for peer-based collaborative solutions.


By 2011, the world will be 10 times more instrumented than it was in 2006. Internet-connected devices will leap from 500M to 1 Trillion.

[Chart: exabytes per year, 2005-2011 (scale 0-1,800), showing 10x growth in five years. Contributing sources: RFID, Digital TV, MP3 players, BluRay DVD players, Digital cameras, Camera phones, VoIP, Medical imaging, Laptops, smart meters, multi-player games, Satellite images, GPS, ATMs, Scanners, Sensors, Digital radio, DLP theaters, Telematics, Peer-to-peer, Email, Instant messaging, Videoconferencing, CAD/CAM, Toys, Industrial machines, Security systems, Appliances.]

Approximately 70% of the digital universe is created by individuals, but enterprises are responsible for 85% of the security, privacy, reliability, and compliance.

What is IPv6?
IPv6 is an evolution of the current version of IP, which is known as IPv4
- Work on the new IETF standard started in the early 90's
- Not backward compatible, but migration techniques defined

Today's IPv4 has 32-bit addresses
- Practical limit is less than 1 billion useable global addresses
- IPv4 Address: 9.67.122.66

IPv6 provides an almost unlimited number of addresses
- IPv6 addresses are 128 bits
- No practical limit on global addressability
- More addresses cannot be retrofitted into IPv4
- IPv6 Address: 2001:0DB8:4545:2::09FF:FEF7:62DC
- Enough address space to meet all imaginable needs for the whole world and for generations to come

Other improvements important, but secondary:
- Facilities for automatic configuration
- Improved support for site renumbering
- End-to-end IP security
- Mobility with route optimization (important for wireless)
- Miscellaneous minor improvements


Important IPv6 technical features


IPv6 header and extension headers
- Streamlined IPv6 header
- Optional extensions for fragmentation, security, etc.
- Routers no longer fragment forwarded datagrams

Neighbor Discovery and Stateless Autoconfiguration
- Router Discovery and Neighbor Unreachability Detection (NUD)
- Address configuration with no manual or server-based configuration

Extended IP Address
- Address space increased to 128 bits
  - Provides 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
  - Enough for 1.8 x 10^19 addresses per person on the planet
- A 64-bit subnet prefix identifies the link
  - Followed by a 64-bit Interface Identifier (IID)
  - IID derived from IEEE identifier (i.e., MAC address)
- Only the leftmost 64 bits are available for routing and "network addressing"
  - The rightmost 64 bits identify the host on the target link

  Network Prefix (n bits) | Subnet ID (64-n bits) | Interface Identifier (IID) (64 bits)

IPv4/IPv6 Coexistence and Transition Mechanisms
- Coexistence for IPv4 and IPv6
- Tunneling and transition mechanisms


IPv6 scoped unicast addressing


Concept of scoped unicast addresses is part of the architecture

Link-local addresses for use on a single link
- Primarily used for bootstrapping and infrastructure protocols such as Neighbor Discovery
- Address = well-known link-local prefix plus node-generated IID

Unique Local IPv6 Unicast addresses for use within a site
- Like net 10 (not routable in the Internet backbone)
- Site-local addresses
  - Part of early IPv6 standards, meant to address some similar issues
  - But introduced a lot of complexity
  - Has been deprecated by the IETF

Global address prefixes are provided by ISPs

[Diagram: two links. fe80::12 appears once on link 1 and once on link 2; this is legal because the fe80::12 address is only required to be unique per link. fe80::1234 appears twice on link 2; this is illegal because the fe80::1234 address is not unique on the link. Other hosts shown: fe80::1234:5678:9999:aaaa, fe80::1111, fe80::1234:5678:9abc:def0.]

IPv6 address textual representation


Addresses are represented as 8 groups of 4 hex digits (16 bits each), separated by colons
- 2001:0DB8:0:0:240:2BFF:FE3D:71AD

Two colons in a row can be used to denote one or more sets of zeroes, usually used between the prefix and the interface ID
- 2001:0DB8::240:2BFF:FE3D:71AD

The prefix length can be indicated after a slash at the end
- 2001:0DB8::240:2BFF:FE3D:71AD/64

A prefix alone is represented as if the interface ID bits are all zero
- 2001:0DB8::/64

IPv4-Mapped IPv6 Address
- ::FFFF:a.b.c.d

Obviously, this syntax may be a bit difficult for humans...
- Use of DNS/hostnames is no longer optional


IPv4 to IPv6 Internet evolution

Figure (labels recovered from the diagram; layout not preserved): Yesterday, Stage 1, Stage 2 and Stage 3 of the evolution, built from these elements: IPv4 Internet, IPv6 Internet, IPv4 network, IPv6 network, gateways, tunnels, wireless clients (3G cellphones) and pervasive clients.

So where are we? In stage 1, preparing to move to stage 2.

There may be a stage 4 with only IPv6, but it will take some years to get there.

Page 226


General transition considerations


How do we share the physical network so that both IPv4 and IPv6 can be transported over one and the same physical network?
- Dual-stack
- Tunneling of IPv6 over IPv4

How do applications that have not yet been enhanced to support IPv6 communicate with applications that have been enhanced to support IPv6?
- Dual-stack
- Application Layer Gateways (ALG)
- Network Address Translation - Protocol Translation (NAT-PT)

Figure (recovered labels): an IPv6 node reaches another IPv6 node through a tunnel across an IPv4 network; an IPv6 Web browser on IPv6 sockets reaches an IPv4 Web server on IPv4 sockets through an application layer gateway or protocol converter with a dual-mode IP stack.
Page 227

Isn't IPv6 enablement just a network engineering exercise?

Wish so !! A few facts:
- The network infrastructure will have to be updated to support IPv6 network infrastructure functions, such as neighbor discovery (an auto-addressing technology), IPv6 routing tables (OSPFv3), ICMPv6, name servers with IPv4 and IPv6 addresses, DHCP servers for IPv6, etc.
  - Layer-3 routers
  - Firewalls
  - Intrusion Detection devices
  - Application layer gateways (ALGs)
  - Etc.
- The physical media you use today can carry both IPv4 and IPv6, so no new cabling (!)
- A TCP/IP stack must be updated to support IPv6 alongside IPv4 (known as a dual-mode TCP/IP stack)
- IPv6 requires a new sockets interface, known as AF_INET6 (Address Family IPv6)
  - IPv4 sockets programs today use AF_INET, which is IPv4 only. An AF_INET sockets program can communicate with an IPv4 sockets partner only
  - Sockets programs that are updated to support AF_INET6 can communicate with both IPv4 and IPv6 sockets partners

Sockets programs must be updated to talk IPv6 !!


Page 228

z/OS TCP/IP is a dual-mode TCP/IP stack


A dual-mode (or dual-stack) TCP/IP implementation supports both IPv4 and IPv6 interfaces and both old AF_INET and new AF_INET6 applications. The dual-mode TCP/IP implementation is a key technology for IPv4 and IPv6 coexistence in an internet. For AF_INET6 applications, the common TCP or UDP transport layer determines per communication partner if the partner is an IPv4 or an IPv6 partner - and chooses IPv4 or IPv6 networking layer component based on that.
Figure (recovered labels): z/OS TCP/IP dual-mode stack layering. Application migration: IPv4 and IPv6 applications use the AF_INET6 PFS, IPv4-only applications use the AF_INET PFS. Below the PFS layer sits the common TCP and UDP transport, with a separate IPv6 raw transport and IPv4 raw transport beside it. The IPv6 networking layer provides Neighbor Discovery (NeD), MLD, stateless autoconfiguration, ICMPv6, QoS, IDS and IPSec; the IPv4 networking layer provides ARP, IGMP, ICMP, QoS, IDS and IPSec. Both sit on common DLC functions over IPv4 DLCs and IPv6 DLCs, down to the network interface adapter; IPv4 and IPv6 packets travel on the same LAN over the same OSA port.

Raw applications make the determination themselves when they choose IPv4 or IPv6 raw transport.
Page 229

IPv6-enabled application on a dual mode stack


Figure (recovered labels): an IPv6-only node (client, AF_INET6, IPv6 address 2001:0DB8::1) and an IPv4-only node (client, AF_INET, IPv4 address 192.168.1.1) both talk to a server on a dual-mode node. The server is bound to 0::0 with an AF_INET6 socket; its TCP/UDP layer sees the IPv4 partner as ::FFFF:192.168.1.1 and the IPv6 partner as 2001:0DB8::1. IPv4 packets flow through the IPv4 layer and IPv6 packets through the IPv6 layer.

An IPv6-enabled application can communicate with both IPv4 and IPv6 peers
- A single socket can be used to send or receive traffic from either IPv4 or IPv6 partners
- IPv4 packets go to the IPv4 partner and IPv6 packets to the IPv6 partner
- No changes need to be made to the partner application

An IPv6-enabled application uses AF_INET6 sockets for both IPv4 and IPv6 partners
- An IPv4 address is mapped to an IPv6 address by the Transport Layer in the TCP/IP stack
- Uses a special address format which identifies the IPv6 address as an IPv4-mapped IPv6 address
- For example, 9.67.115.69 would be represented as ::FFFF:9.67.115.69
Page 230

IPv4-only application on a dual-mode stack


Figure (recovered labels): the same IPv6-only node (client, AF_INET6, 2001:0DB8::1) and IPv4-only node (client, AF_INET, 192.168.1.1), but the server on the dual-mode node is bound to 0.0.0.0 with an AF_INET socket. Its TCP/UDP layer sees the IPv4 partner as 192.168.1.1 and exchanges IPv4 packets with it; the IPv6 packets from the IPv6-only client have no path to the AF_INET server.

An IPv4 application running on a dual-mode stack can communicate with an IPv4 partner.
- The source and destination addresses will be native IPv4 addresses
- The packet which is sent will be an IPv4 packet

If the partner is IPv6 running on an IPv6-only stack, then communication fails
- If the partner were on a dual-mode stack, the previous page's discussion would apply
- The partner only has a native IPv6 address, not an IPv4-mapped IPv6 address
- The native IPv6 address for the partner cannot be converted into a form the AF_INET application will understand
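The mapping and the single-socket behaviour described on this slide and the previous one, shown with the POSIX sockets API as an added example (not IBM code and not z/OS-specific). map_ipv4_to_ipv6() builds the ::ffff:a.b.c.d form the stack presents for an IPv4 partner, peer_is_ipv4() does what a server does with the peer address returned by accept(), reachable_by_af_inet() captures why the AF_INET application cannot reach an IPv6-only partner, and open_dual_stack_listener() is the one AF_INET6 socket bound to 0::0 for both families. The port 8023, the function names and the map_equals()/peer_ipv4_equals() helpers are the example's own.

```c
/* Added example, not IBM code: IPv4-mapped addresses and a dual-stack
 * listener with the POSIX sockets API. */
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Build the IPv4-mapped form ::ffff:a.b.c.d of a dotted IPv4 address, the
 * way the dual-mode stack presents an IPv4 partner to an AF_INET6 socket. */
int map_ipv4_to_ipv6(const char *v4_text, char *out, size_t out_len)
{
    struct in_addr v4;
    struct in6_addr v6;
    if (inet_pton(AF_INET, v4_text, &v4) != 1) return -1;
    memset(&v6, 0, sizeof v6);
    v6.s6_addr[10] = 0xff;             /* ::ffff:0:0/96 prefix */
    v6.s6_addr[11] = 0xff;
    memcpy(&v6.s6_addr[12], &v4, 4);   /* IPv4 address in the low 32 bits */
    return inet_ntop(AF_INET6, &v6, out, out_len) ? 0 : -1;
}

/* Look at a peer address as an AF_INET6 server sees it after accept():
 * 1 = IPv4 partner (dotted address written to v4_out if given),
 * 0 = native IPv6 partner, -1 = not a valid IPv6 text address. */
int peer_is_ipv4(const char *peer_text, char *v4_out, size_t v4_len)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, peer_text, &a) != 1) return -1;
    if (!IN6_IS_ADDR_V4MAPPED(&a)) return 0;
    if (v4_out && !inet_ntop(AF_INET, &a.s6_addr[12], v4_out, v4_len)) return -1;
    return 1;
}

/* An AF_INET application only has a 32-bit sockaddr_in: it can reach a plain
 * IPv4 address or the IPv4 inside a mapped address, but a native IPv6
 * address has no representation it understands (the failure case above). */
int reachable_by_af_inet(const char *addr_text)
{
    struct in_addr v4;
    if (inet_pton(AF_INET, addr_text, &v4) == 1) return 1;
    return peer_is_ipv4(addr_text, NULL, 0) == 1;
}

/* One listening socket bound to 0::0 that accepts both address families. */
int open_dual_stack_listener(uint16_t port)
{
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int off = 0;  /* IPV6_V6ONLY=0: IPv4 clients arrive as ::ffff:a.b.c.d peers */
    struct sockaddr_in6 sa;
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_addr = in6addr_any;
    sa.sin6_port = htons(port);
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof off) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Helpers that keep the text buffers out of the caller. */
int map_equals(const char *v4, const char *want)
{
    char out[INET6_ADDRSTRLEN];
    return map_ipv4_to_ipv6(v4, out, sizeof out) == 0 && strcmp(out, want) == 0;
}
int peer_ipv4_equals(const char *peer, const char *want_v4)
{
    char out[INET_ADDRSTRLEN];
    return peer_is_ipv4(peer, out, sizeof out) == 1 && strcmp(out, want_v4) == 0;
}

int main(void)
{
    int lfd = open_dual_stack_listener(8023);   /* assumed demo port */
    if (lfd < 0) { perror("listen"); return 1; }
    struct sockaddr_in6 peer;
    socklen_t plen = sizeof peer;
    int cfd = accept(lfd, (struct sockaddr *)&peer, &plen);
    if (cfd >= 0) {
        char text[INET6_ADDRSTRLEN], v4[INET_ADDRSTRLEN];
        inet_ntop(AF_INET6, &peer.sin6_addr, text, sizeof text);
        if (peer_is_ipv4(text, v4, sizeof v4) == 1)
            printf("IPv4 partner %s, seen by the AF_INET6 socket as %s\n", v4, text);
        else
            printf("IPv6 partner %s\n", text);
        close(cfd);
    }
    close(lfd);
    return 0;
}
```

On Linux the IPV6_V6ONLY default comes from the net.ipv6.bindv6only sysctl, so the example sets the option explicitly; on z/OS an AF_INET6 socket always gets the dual-mode behaviour the slide describes. Logging and access-control code should treat ::ffff:9.50.52.109 and 9.50.52.109 as the same client, which is what peer_is_ipv4() normalizes.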
Page 231

Accessing IPv4-only applications through an IPv6 application layer gateway (ALG)


Figure (recovered labels): an IPv6-only node (client: IPv6 Web browser, AF_INET6) sends IPv6 packets to a dual-mode node running an IPv6-enabled Web server (AF_INET6, bound to 0::0) that acts as the proxy. The proxy sends IPv4 packets either to an IPv4-only application (AF_INET, bound to 0.0.0.0) on the same dual-mode node or to one on a separate IPv4-only node at 192.168.1.1.

An IPv6-only client can access IPv4-only servers via an IPv6 proxy
- The IPv6 proxy communicates with the IPv6-only client using IPv6, and accesses the IPv4-only server using IPv4
- The IPv4-only server may be on the same node as the IPv6 proxy, or may reside on a different node
- The use of a backend IPv4-only server is, in most cases, completely transparent to the IPv6 client
Page 232

Enabling IPv6 support on z/OS


IPv6 is enabled at an LPAR level via an option in BPXPRMxx to enable AF_INET6 support. Both INET and CINET are supported.

When IPv6 is enabled, a z/OS TCP/IP stack will always have an IPv6 Loopback interface. You can define real IPv6 interfaces in addition to the loopback interface.
Figure (recovered labels): AF_INET6 sockets and AF_INET sockets enter through the LFS/CINET layer (IPv4 routes, IPv6 routes) and the AF_INET6 transform PFS, AF_INET6 PFS and AF_INET PFS. Three kinds of stack are shown:
- IPv6-only TCP/IP stack (TCP, UDP, and RAW over IPv6 network interfaces): this will not be the case on z/OS for the foreseeable future! An AF_INET6 stack is required to also support AF_INET!
- Dual-mode TCP/IP stack (TCP, UDP, and RAW over IPv4 and IPv6 network interfaces): a z/OS TCP/IP stack will always come up as dual-mode if AF_INET6 is enabled in BPXPRMxx
- IPv4-only TCP/IP stack (TCP, UDP, and RAW over IPv4 network interfaces), such as AnyNet or an OEM TCP/IP stack

Existing AF_INET sockets programs will continue to work as they always did - no difference in behavior or support. AF_INET6 enabled sockets programs will be able to communicate with IPv4 partners (just as before they were changed to support IPv6), but in addition to that they will also be able to communicate with IPv6 partners.

Page 233

Netstat output format LONG or SHORT


When IPv6 is enabled, most netstat reports will look different because of the potential for long IPv6 addresses.
- Without IPv6 enabled, Netstat uses what is known as the SHORT report format
  - It is possible to have both the local and the remote IP address in one 80-character line
  - You can override the SHORT format by coding IPCONFIG FORMAT LONG
- With IPv6 enabled, Netstat uses the LONG report format
  - Each IPv6 address may potentially be up to 45 characters long, which makes it impossible to have both local and remote IPv6 addresses in a single 80-character line

Make sure you update any netstat screen-scraping REXX programs you might have developed in the past!
MVS TCP/IP NETSTAT CS V1R11       TCPIP Name: TCPCS           12:50:02
User Id  Conn     State
-------  ----     -----
MYINETD1 00000025 Listen
  Local Socket:   9.42.104.161..23
  Foreign Socket: 0.0.0.0..0
TN3270A  00000045 Listen
  Local Socket:   ::..23
  Foreign Socket: ::..0
TN3270A  00001B5E Establsh
  Local Socket:   ::ffff:9.42.105.45..23
  Foreign Socket: ::ffff:9.50.52.109..58646
  Application Data: EZBTNSRV TCPABC81 TSO10001 ET B

Page 234
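An added example (not from the presentation) of parsing the LONG-format report above in C, the kind of update the screen-scraping warning calls for: each connection spans a header line plus Local Socket and Foreign Socket lines, and the port is separated from the address by "..", so the field is split at the last ".." rather than at a colon, which works for IPv4, IPv6 and IPv4-mapped addresses alike. SAMPLE_REPORT is the slide's output reproduced as a constant; struct conn, the function names and the MAX_CONNS limit are the example's own.

```c
/* Added example, not from the presentation: parsing the z/OS Netstat LONG
 * report format. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CONNS 16            /* assumed limit for this example */

struct conn {
    char user[9], conn_id[9], state[9];
    char local_addr[46], foreign_addr[46];   /* up to 45 characters per IPv6 address */
    unsigned local_port, foreign_port;
};

/* The slide's LONG-format report, reproduced here as a constant. */
static const char SAMPLE_REPORT[] =
    "MVS TCP/IP NETSTAT CS V1R11       TCPIP Name: TCPCS           12:50:02\n"
    "User Id  Conn     State\n"
    "-------  ----     -----\n"
    "MYINETD1 00000025 Listen\n"
    "  Local Socket:   9.42.104.161..23\n"
    "  Foreign Socket: 0.0.0.0..0\n"
    "TN3270A  00000045 Listen\n"
    "  Local Socket:   ::..23\n"
    "  Foreign Socket: ::..0\n"
    "TN3270A  00001B5E Establsh\n"
    "  Local Socket:   ::ffff:9.42.105.45..23\n"
    "  Foreign Socket: ::ffff:9.50.52.109..58646\n"
    "  Application Data: EZBTNSRV TCPABC81 TSO10001 ET B\n";

/* "::ffff:9.42.105.45..23" -> addr "::ffff:9.42.105.45", port 23.
 * Splits at the LAST ".." so the colons inside an IPv6 address never matter. */
int split_socket_field(const char *field, char *addr, size_t addr_len, unsigned *port)
{
    const char *sep = NULL, *p = field;
    while ((p = strstr(p, "..")) != NULL) { sep = p; p += 2; }
    if (!sep || (size_t)(sep - field) >= addr_len) return -1;
    char *end;
    unsigned long n = strtoul(sep + 2, &end, 10);
    while (*end == ' ') end++;                       /* tolerate trailing blanks */
    if (end == sep + 2 || *end != '\0' || n > 65535) return -1;
    memcpy(addr, field, (size_t)(sep - field));
    addr[sep - field] = '\0';
    *port = (unsigned)n;
    return 0;
}

/* Parse a whole LONG-format report into out[]. Returns the number of
 * connections, or -1 if a line does not fit the format. */
int parse_netstat_long(const char *report, struct conn *out, int max)
{
    char *copy = strdup(report), *save = NULL;
    int n = 0, rc = 0;
    if (!copy) return -1;
    for (char *line = strtok_r(copy, "\n", &save); line && rc == 0; line = strtok_r(NULL, "\n", &save)) {
        while (*line == ' ') line++;
        if (*line == '\0' || line[0] == '-' || strncmp(line, "MVS TCP/IP", 10) == 0 ||
            strncmp(line, "User Id", 7) == 0 || strncmp(line, "Application Data:", 17) == 0)
            continue;                                    /* title, header, rule, app data */
        int local = strncmp(line, "Local Socket:", 13) == 0;
        if (local || strncmp(line, "Foreign Socket:", 15) == 0) {
            if (n == 0) { rc = -1; break; }              /* socket line before any connection */
            const char *f = line + (local ? 13 : 15);
            while (*f == ' ') f++;
            struct conn *c = &out[n - 1];
            rc = split_socket_field(f, local ? c->local_addr : c->foreign_addr, 46,
                                    local ? &c->local_port : &c->foreign_port);
            continue;
        }
        if (n == max) { rc = -1; break; }
        memset(&out[n], 0, sizeof out[n]);
        if (sscanf(line, "%8s %8s %8s", out[n].user, out[n].conn_id, out[n].state) != 3) { rc = -1; break; }
        n++;
    }
    free(copy);
    return rc < 0 ? -1 : n;
}

/* Helpers that keep the record buffers out of the caller. */
int sample_conn_count(void)
{
    struct conn c[MAX_CONNS];
    return parse_netstat_long(SAMPLE_REPORT, c, MAX_CONNS);
}

int sample_conn_matches(int i, const char *user, const char *state,
                        const char *laddr, unsigned lport, const char *faddr, unsigned fport)
{
    struct conn c[MAX_CONNS];
    int n = parse_netstat_long(SAMPLE_REPORT, c, MAX_CONNS);
    if (i < 0 || i >= n) return 0;
    return strcmp(c[i].user, user) == 0 && strcmp(c[i].state, state) == 0 &&
           strcmp(c[i].local_addr, laddr) == 0 && c[i].local_port == lport &&
           strcmp(c[i].foreign_addr, faddr) == 0 && c[i].foreign_port == fport;
}

int split_ok(const char *field, const char *want_addr, unsigned want_port)
{
    char addr[46];
    unsigned port;
    return split_socket_field(field, addr, sizeof addr, &port) == 0 &&
           strcmp(addr, want_addr) == 0 && port == want_port;
}

int main(void)
{
    struct conn c[MAX_CONNS];
    int n = parse_netstat_long(SAMPLE_REPORT, c, MAX_CONNS);
    for (int i = 0; i < n; i++)
        printf("%-8s %-8s %s local %s port %u, foreign %s port %u\n", c[i].user, c[i].state,
               c[i].conn_id, c[i].local_addr, c[i].local_port, c[i].foreign_addr, c[i].foreign_port);
    return n < 0;
}
```

A scraper written for the SHORT format, which expects both sockets on the connection line, returns nothing at all on the LONG report rather than failing loudly; checking the returned count against the number of header lines is a cheap way to notice that the format changed under the program.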


Steps for moving to an IPv6 Environment


1. Network access
- A LAN can carry both IPv4 and IPv6 packets over the same media
- An OSA-EXPRESS port can be used for both IPv4 and IPv6
- Update the TCP/IP Profile to include the INTERFACE statement(s) for any IPv6 interfaces
- For LPAR-to-LPAR communication for IPv6, several options exist:
  - QDIO to a shared LAN (or a shared OSA)
  - MPCPTP6 interfaces (via XCF if on the same sysplex, or ESCON CTC links)
  - IPv6 HiperSockets connections (if on the same CEC)

2. IPv6 address selection
- Obtain an address block from your ISP, or use one of your IPv4 addresses to create a 6to4 prefix
- For test purposes, site-local IPv6 addresses are sufficient, but avoid using them in production
  - Look into using the emerging Unique Local IPv6 Unicast Addresses instead of site-local
- IPv6 addresses can be assigned to the IPv6 interfaces and static VIPAs
  - Addresses can be manually configured on the INTERFACE statement in the TCP/IP Profile or autoconfigured using Neighbor Discovery stateless auto-configuration
  - VIPA addresses must be manually configured

Page 235

Steps for moving to an IPv6 Environment


3. DNS setup
- A DNS BIND 9 name server can be used for both IPv4 and IPv6 resources
- Continue to use the existing host name for IPv4 connectivity, to avoid possible disruption in network connectivity and to IPv4-only applications on an IPv6-enabled stack
- Create a new host name to be used for IPv6 and IPv4 connectivity
- Optionally, a third host name which may be used only for IPv6 can be configured
- If using stateless auto-configuration to define IPv6 addresses, static VIPA addresses should be stored in DNS since the auto-configured addresses will change over time

4. INET or Common INET
- Both are supported for IPv6, but INET is much simpler
- Running IPv4 and dual-mode stacks under CINET is not recommended - run dual-mode stacks in a separate LPAR from IPv4-only stacks
- All z/OS TCP/IP stacks in an LPAR are either IPv4-only or dual-mode, based on your BPXPRMxx definitions
  - The only case where this could become an issue is if you start CA's TCPAccess TCP/IP stack side-by-side with a z/OS TCP/IP stack in an LPAR that has been enabled for IPv6 in the BPXPRMxx parmlib member
- The AF_INET6 NETWORK statement must be coded in BPXPRMxx before starting IPv6-enabled stacks

Page 236

Steps for moving to an IPv6 Environment


5. Selection and placement of an IPv6 to IPv4 protocol converter or application gateway
- z/OS does not implement any functions that will allow IPv6-only nodes to communicate with z/OS-resident AF_INET applications, so an outboard protocol converter or application-layer gateway component may be needed
- This component will only be needed if the test configuration includes IPv6-only platforms
- Various technologies are being made available by various vendors; SOCKS64 seems the simplest technology right now

6. Connectivity to non-local IPv6 locations
- Tunneling may be needed between a router connected to the LAN that z/OS is connected to, and a router at another location where IPv6 test equipment is located

Page 237

Accessing z/OS from a remote site


Remember: You can enable IPv6 today on z/OS without impact to your existing IPv4 users. Do it on your test system initially without defining any IPv6 interfaces. All IPv4 communication continues to work as before.
Figure (recovered labels): a test LPAR with an INET PFS runs a dual-mode stack (IPv6 and IPv4, reached through an OSA-E port carrying IPv4 and IPv6 packets) serving an AF_INET6 application and an AF_INET application, and an IPv4-only stack serving an AF_INET application. A router on that LAN carries IPv4 and IPv6 packets to the LPAR and runs an IPv6 over IPv4 tunnel across an IPv4-only network to a router at the remote site, which in turn has links carrying only IPv4, both IPv4 and IPv6, and only IPv6.

z/OS CS does not support being a tunnel endpoint, although it can route traffic through an intermediate tunnel

Use IPv6 over IPv4 tunneling when native IPv6 connectivity does not exist

Page 238

z/OS and IPv6 - certifications
- z/OS V1R5 is IPv6 Ready Phase 1 certified by the IPv6 Forum
- z/OS V1R8 is IPv6 Ready Phase 2 certified by the IPv6 Forum
- z/OS V1R10 is IPv6 certified according to the US DoD IPv6 requirements!
  - See the Special Interoperability Test Certification of the IBM z/OS Version 1.10 Operating System for IBM Mainframe Computer Systems for Internet Protocol Version 6 Capability from the US government, Defense Information Systems Agency, Joint Interoperability Test Command (http://jitc.fhu.disa.mil/adv_ip/register/certs/ibmzosv110_dec08.pdf)

Quoted from the certification: "The IBM z/OS Version 1.10 operating system for IBM mainframe computer systems has met the Internet Protocol (IP) Version 6 (IPv6) Capable interoperability requirements of an Advanced Server as described in the Department of Defense (DoD) Information Technology Standards Registry, DoD IPv6 Standard Profiles for IPv6 Capable Products Version 2.0, 1 August 2007, reference (c). The IBM z/OS Version 1.10 operating system for IBM mainframe computer systems has successfully completed the related IPv6 Interoperability portions of the DoD IPv6 Generic Test Plan (GTP) Version 3, August 2007, reference (d), and is certified for listing on the Unified Capabilities (UC) Approved Products List (APL) as IPv6 Capable."

Page 239

What can you do today? Start planning and testing!


Develop a multi-step plan
- The eventual goal is a fully IPv6-enabled dual-stack operating environment
- Choose a target date for being IPv6-enabled
  - Work backwards in developing a timeline for when key steps need to be completed
- Develop a detailed plan for each substep
  - To resolve critical dependencies in the necessary timeframe
- Understand your ISP's IPv6 plans
- Perform a detailed inventory of all systems
  - Determine what is involved in IPv6-enabling them
  - All network hardware and software
  - All client and server hardware, software and applications

Not too early to begin planning today
- The need for IPv6 may occur quickly and with little advance warning
  - Rapid realization that IPv6 is needed
  - It takes several years to actually get IPv6 deployed
  - Need to have IPv6 already in use (and tested) before it becomes a requirement that it be used operationally
- Develop plans to ensure all components are IPv6-enabled according to a workable timeline
  - Work with vendors to understand their plans for adding IPv6 support for all critical components
- Develop an internal addressing plan for distributing/managing IPv6 addresses
  - Determine how IPv6 addresses will be obtained: either from your ISP, or from a Regional Internet Registry (RIR)
  - Consider whether Unique Local Addresses are appropriate
- Determine how end users will use IPv6 services
  - Likely to involve tunneling initially
  - But IPv6-capable routers are needed on the edge links where clients connect
  - Need to provide remote IPv6 access
- Develop plans for IPv6 training, education and consulting

Page 240

Things to consider ..

z/OS is ready for IPv6 - are you?

Figure (cartoon): "The IPv6 pool", with Phase-1 and Phase-2 captions.

Page 241

Agenda
- Workshop introduction
- z/OS V1R11 Communications Server
  - Application integration, data consolidation, and standards
  - Availability and business resilience
  - Scalability, performance, constraint relief, and accelerators
  - Networking security
  - Simplification and ease-of-use
  - SNA and Enterprise Extender
  - Virtualization
  - Systems management and monitoring
- What does Web services mean to your z/OS networking environment
- Next generation Internet: IPv6
- Roadmap for SNA modernization
- Trends and direction
Disclaimer: All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an as is basis, without warranty of any kind.
Page 242

SNA modernization is about preserving SNA applications, not replacing them


- Analysts estimate that 200 billion lines of COBOL code exist today
  - 5 billion lines are added each year
  - Similar inventory of PL/I code
- The typical mainframe customer has:
  - 30M lines of COBOL code
  - Worth $600M
  - Automating 100,000 business processes
- Any mainframe customer
  - Banking, Insurance, Government, Manufacturing, Travel and Transportation, Distribution and Retail, Media and Utilities, Healthcare Industries
- Various consultants estimate it costs 5 times more to rewrite a business function than to reuse existing code
- A majority (70-80% according to some studies) of these existing applications are terminal-access based

Modernizing SNA is not about re-writing or throwing away SNA applications. It is about preserving core SNA business applications in an IP-based network infrastructure and it is about enabling re-use of those applications in new end-user environments in an application-transparent manner.
Page 243

What are the next steps for SNA? - SNA modernization strategy

A. Modernize SNA network infrastructure
- Preserve and re-use: z/OS, z/VSE, z/VM and z/TPF with CICS, ICCF, IMS, CMS, RYO and TSO; Linux on System z with CCL and CSL; OSA
- SNI: IP-TG, XOT, DLSw (when both sides do not have IP-TG)
- SNA/APPN: Enterprise Extender (EE)
- Deploy EE architecture at SNA end-points
- Green solution: server consolidation at the data center and on System z reduces total floor space and power consumption
- SNA network infrastructure being modernized: token-ring LANs, IBM 37xx controllers, channel-attached SNA gateways (IBM 2216, Cisco CIP or CPA), AnyNet solutions, SNA-specific data links (frame relay, SDLC, X.25 (SNA and non-SNA), LAN bridge, ATM, POS), ESCON channels

B. SNA topology simplification and centralized management
- TN3270, Remote SNA APIs
- Deploy the IP to SNA integration point closest to the host application
- Extend or build up the IP network infrastructure so it integrates both SNA and IP traffic

C. Enable new client technologies
- HTML transformation, Web services integration (IP/SNA integration: HATS servers, WebSphere Application Server)
- Deploy the IP to SNA integration point closest to the host application

Client types shown in the diagram:
- Traditional SNA clients with client SNA stacks (SNA nodes): real IBM 3270 devices, SNA 3270 emulators, SNA client (LU0/LU6.2)
- Traditional SNA client interfaces, without distributed SNA stacks (thin SNA nodes): SNA client over remote SNA API, TN3270 emulators
- New client interfaces (thin clients): TN3270 emulator integrated with Web browser, Web browser with HTML transformation, Web services requester

Page 244

SNA application access without an SNA network


SNA applications do not care about an SNA network, they care about SNA programming interfaces!
- SNA application traffic crosses the IP-based enterprise network infrastructure
- SNA network traffic is consolidated into the data center on a few SNA-specific link types, such as MPC+ channels, XCF messaging, or the data center LAN environment.

Figure (recovered labels):
- An IP network core carries HTTP, TN3270, WTS, Remote API, XOT, DLSw and EE traffic between the clients and the data center.
- In the data center: z/OS, z/VSE, z/VM and z/TPF systems running SNA applications (SNA 3270 and SNA LU0/LU6.2 servers) in application subsystems (CICS, IMS, TSO, WebSphere, etc.) on an SNA protocol stack (VTAM or z/TPF SNA) and a TCP/IP protocol stack; Linux on System z networking utilities: CCL (NCP and NPSI with DLSw, IP-TG, and XOT), CS Linux (Remote API server and EE gateway) and WebSphere HATS; non-System z data center services, such as a WTS server; an SNA business partner.
- Traffic classes: SNA "Network" traffic, SNA "Application" traffic, IP network traffic.
- Clients: TN3270 client, MS Remote Desktop client, Web browser or Web services requester, SNA client or CS server (using EE), SNA client or CS server (using DLSw), serial-line attached traditional SNA nodes and non-SNA X.25 nodes.

Page 245

SNA modernization technologies


SNA network infrastructure modernization
- Primary objective is to remove the dependency on old SNA-specific hardware and merge SNA and IP traffic over a common IP-based network, while preserving the existing full-function SNA end-user interfaces/functions and SNA node infrastructure in the branch and the data center.
- Technologies of primary interest:
  - APPN with High Performance Routing over IP (Enterprise Extender (EE))
  - Next-generation communication controller (Communication Controller for Linux (CCL))
  - Data Link Switching (DLSw)
  - IP Transmission Group (IP-TG)
  - X.25 over TCP/IP (XOT)

SNA node topology simplification
- Preserve existing SNA end-user interfaces and SNA client functions while at the same time providing means to remove SNA protocol stacks on workstations and branch servers, consolidating SNA protocol stacks into the data center.
- Technologies of primary interest:
  - Telnet 5250 and 3270 (TN5250 and TN3270)
  - Remote SNA API for desktop or remote server applications (split stack)
  - X-Windows or Windows Remote Desktop and Terminal Services (split GUI)

Enable use of existing SNA applications from new client technologies
- Provide ways for re-using existing SNA server applications from new client environments, such as a Web browser or a Web service requester.
- Technologies of primary interest:
  - SNA data stream to HTTP(S)/HTML transformation for use from a Web browser
  - Expose SNA applications as Web services and transform SNA data stream to SOAP/XML for use from a Web service requester and for integration into new business process workflows

Page 246

SNA infrastructure modernization


The three SNA architecture levels:
- Subarea SNA (also sometimes referred to as traditional SNA or hierarchical SNA)
  - This is where you find an NCP along with the typical boundary functions and SNA network interconnect (SNI) functions to SNA business partners
- Advanced Peer to Peer Networking (APPN) with the original Intermediate Session Routing (ISR) routing protocol
- APPN with High Performance Routing (HPR)
  - HPR may use various types of network technologies, of which one is an entire IP network - known as HPR over IP or more commonly as Enterprise Extender

If your SNA mainframe environment today is SNA subarea
- You can keep that subarea environment including SNI business partner communication - modernizing the SNA subarea infrastructure using CCL, DLSw, IP-TG, XOT technologies or Communications Server Remote API for LU 0,1,2,3 and 6.2 to integrate SNA subarea traffic with your IP network
- Or you can migrate from an SNA subarea environment to an APPN environment before you start looking at how to integrate your APPN traffic with your IP network

If your SNA mainframe environment today is APPN-enabled
- You can use HPR over IP to modernize the SNA APPN infrastructure and to integrate your APPN traffic with your IP network

Often it is both
- Even with APPN enabled and use of APPN connectivity to the bulk of your SNA nodes, you may still have some SNA subarea connectivity to handle also, such as SNI connections to business partners

Page 247

SNA subarea modernization: IBM Communication Controllers - the foundation of SNA application access to the IBM mainframe since 1974

For SNA subarea connectivity, an NCP is a key component
- For SNA boundary functions
- For SNA business partner connectivity (SNI)
- In combination with NPSI: for SNA and non-SNA X.25 access

What is CCL?
- The next generation IBM Communication Controller for the majority of SNA workloads
  - Enhanced availability and performance
- A mainframe software solution that provides a virtualized Communication Controller on the System z hardware platform
  - Utilizes IFL capacity
- Move selected NCP and NPSI functions to Linux on System z with no or minor changes to the NCP and NPSI definitions
- A platform for modernizing the traditional SNA environments
  - Replace token-ring and ESCON channel connectivity
  - Supporting DLSw to the mainframe
- Supports existing NCP and NPSI software
  - Including most existing SNA management software and procedures

Timeline (1975 to 2006):
- 1974: The IBM 3705 Communication Controller
- 1982: The IBM 3725 Communication Controller (NCP V4R3.1 latest supported level)
- 1985: The IBM 3720 Communication Controller (NCP V5R4 latest supported level)
- 1988: The IBM 3745 Communication Controller (NCP V7R3+ latest supported level) and the IBM 3746 Multiprotocol Controller
- 2005: The IBM Communication Controller for Linux (CCL) on System z (NCP V7R5+ latest supported level)
  - March 2005: CCL V1.1; November 2005: CCL V1.2; May 2006: CCL V1.2.1; Oct 2008: CCL V1.3

Page 248

CCL - topology and connectivity overview


Figure (recovered labels): mainframe operating systems (z/OS, z/VSE, z/VM, z/TPF) attach to Linux on System z with CCL over OSA-E2 OSN CDLC, OSA LSA, or OSA-E LCS/QDIO (SNA LLC2 LAN). CCL with NCP and NPSI provides DLSw, XOT and IP-TG. The intranet carries IP and SNA (SNA LLC2 and SNA over IP); a public network with DLSw and XOT connects SDLC, frame relay, X.25 QLLC and X.25 non-SNA devices; SNI business partners (IP and SNA) are reached through firewalls using DLSw and XOT, from a CCL NCP or an IBM 3745/46 NCP (token-ring, DLSw). SNA 3270 clients and SNA clients (LU0 / LU6.2) each run their own SNA protocol stack.

Please note that z/TPF does not support OSA LSA connectivity. z/TPF supports OSN (emulated ESCON CDLC) connectivity to CCL only.

Preserve existing NCP-based SNI capabilities and topology for business partner connectivity.
- SNI to business partner: CCL NCP or IBM 3745/46 NCP
- No change to SNI topology

Preserve existing SNA subarea capabilities and topology for peripheral node connectivity - including NPSI connectivity.
- Direct LAN SNA LLC2 connectivity to CCL NCP
  - Supports both token-ring and Ethernet
- Selected SNA serial line termination is supported via network aggregation layer routers
  - SDLC, frame relay, X.25 QLLC

Simplify network infrastructure by supporting multiple SNA over IP technologies, such as embedded DLSw, XOT, and IP-TG
- Preserves existing network operations and management functions
Page 249

Transporting non-SNA X.25 access to CCL/NPSI over an IP Network - X.25 over TCP
Figure (recovered labels): on the mainframe (z/OS, z/VM, z/VSE, (z/TPF)) an NPSI non-SNA application holds an LU Type 1 SNA session through VTAM, whose XCA device driver uses OSA Express LSA, or through OSA Express2 OSN, to Linux on System z. On Linux, the Network Device Handler (NDH) on top of the QDIO or LCS device driver (OSA Express QDIO or LCS) feeds CCL running NCP and NPSI with MOSS; NPSI talks over the Coupler interface to the IBM X.25 over TCP/IP (XOT) component, whose XOT protocol driver holds an XOT TCP connection across the IP network to an XOT router on the X.25 network. SNA LLC2 LAN frames and IP (XOT) flow between the mainframe and Linux; non-SNA terminals and SNA terminals (QLLC) sit on the X.25 network.

XOT is an open standard, defined in RFC 1613 "Cisco Systems X.25 over TCP (XOT)". XOT is used to encapsulate X.25 packets over a TCP/IP network.
- Supported by various router vendors - including Cisco

Mainframe NPSI application, VTAM, NCP, and NPSI setup is as usual.
- If the mainframe operating system is z/TPF, only OSN connectivity between CCL and z/TPF is supported

XOT with CCL enables continued use of NPSI-based applications and X.25 connectivity to the System z platform via an XOT router.
- NPSI processing remains offloaded from the mainframe OS environment.
- Physical connectivity to the X.25 network is via an aggregation layer router.
- Connectivity between the aggregation layer router and NPSI is via an X.25 Over TCP/IP (XOT) TCP connection (IP network flows).
- The interface between NPSI and the local XOT protocol component is the same as NPSI uses today when communicating over X.25 adapters in an IBM 3746 unit - the Coupler interface.
- X.25 over TCP/IP for CCL is a separate IBM software product that is needed in conjunction with CCL for X.25 connectivity to NPSI
Page 250
Modernizing an SNA APPN Infrastructure: Enterprise Extender


[Figure: Enterprise Extender end to end. A workstation or VTAM SNA application (SNA APIs) on Distributed CS, SNA Switch, or VTAM, using subarea, ISR, or HPR routing, reaches an EE node (SNA protocol stack with EE plus TCP/IP protocol stack, HPR routing); the EE nodes exchange traffic across the IP network; the far EE node delivers to the partner SNA application over subarea, ISR, or HPR routing]

- Uses the latest SNA architecture enhancements
- True IP end-to-end technology
- Conceptually simple (HPR over IP using the UDP transport protocol)
- Covers both branch access and business partner connectivity
- Be aware of IP firewalls
Page 251
An SNA application view of SNA modernization


SNA 3270 applications
- It is the "server" part we need to preserve: CICS or IMS transactions (BMS/MFS), TSO, NetView, etc.
- Client environments:
  - Traditional 3270 screen interface: SNA emulators or real IBM 3270 devices (SNA network infrastructure modernization focus)
  - TN3270 emulators, fat clients and on-demand clients (SNA node simplification focus)
  - Web browser via HTTP(S)/HTML
  - Web services requester

[Figure: IBM 3270 terminals attached by coax cabling to an IBM 3x74 terminal control unit; SNA LU Type 1, 2, or 3 over serial line, channel, or LAN through the SNA network to VTAM; subsystems CICS (CEDA), TSO (ISPF), and IMS (/DIS)]

SNA LU0/LU6.2 client/server applications
- The "server" part: CICS or IMS transactions, APPC/MVS, etc.
- Client environments:
  - User-written client: preserve the SNA client where it runs (SNA network infrastructure modernization focus; SNA node simplification focus using Remote SNA API technology)
  - Web browser via HTTP(S)/HTML: new "presentation" logic in the HTTP server
  - Web services requester: new "presentation" logic in a Web service wrapper

[Figure: client application on a workstation or branch server; SNA LU Type 0 or 6.2 over serial line or LAN through the SNA network to VTAM; CICS APPC server and IMS SLUTYPEP server]

Page 252

SNA/IP integration using Communications Server for Linux on System z


[Figure: CS Linux on System z attached to z/OS, VSE/ESA, or z/VM VTAM via LCS, CTCMPC or HiperSockets, or LSA; CS Linux components: TN3270 server, TN redirector, Enterprise Extender gateway, SNA application gateway, Remote SNA API server; OSA-E QDIO to an Ethernet-based IP infrastructure ("IP to the mainframe", "SNA network infrastructure simplification"); SNA network with SNA devices, APPN network, and IP networks carrying Enterprise Extender, TN3270 or Web clients, and SNA Remote API clients on AIX, Windows or Linux]

- CS Linux on System z offers SNA/IP integration technologies on zSeries, with no or minimal changes to the traditional mainframe OS environment.
- TN3270 server on System z
  - Supports TN3270 access to z/OS, VSE/ESA, and z/VM
  - Can be combined with WebSphere Application Server and Host Access Transformation Services
  - IP all the way to System z
  - No or minimal change to VTAM definitions if consolidating existing distributed TN3270 servers
- TN3270 SSL offload, using the TN3270 redirector
- Enterprise Extender same-NETID gateway functions
  - Using APPN/ISR routing to/from VTAM and EE downstream
  - EE gateway to z/OS, VSE/ESA, or z/VM VTAM
- APPN Network Node or Branch Extender node in an APPN network infrastructure
  - Replacing IBM 3746 MAE or NNP
- SNA gateway for consolidation of multiple downstream SNA PUs
- SNA application platform for Web-based access to SNA applications
- Remote API services for secure remote SNA application access without having SNA protocol stacks on distributed AIX, Windows and Linux (xSeries, System p and System z) nodes

Pull the SNA network into the mainframe!

Page 253

Remote SNA API overview


- Supports both dependent and independent LUs
  - For independent LUs, that includes support for outbound attach requests
- Might be used for SNA 3270 emulation where a migration to TN3270 isn't possible due to EHLLAPI issues
  - IBM PCOMM can be configured to be an SNA 3270 emulator using the remote SNA API
- Remote API servers can be configured in a server pool for load-balancing and availability
- Two transports between remote API client and remote API server:
  - Plain TCP connection to a remote API server-specific TCP port number
  - HTTP(S) as transport; requires WebSphere Application Server on the Remote SNA API server node

[Figure: workstation or remote server running an SNA application on SNA APIs over the Remote SNA API client and TCP/IP APIs (TCP/IP protocol stack only); TCP connection or HTTP(S) across the IP network to the Remote SNA API server on CS/Linux or CS/AIX (SNA APIs, SNA protocol stack, TCP/IP protocol stack); SNA LU session over an SNA or IP network (can be an IP network with EE; LAN, channel-to-channel, or EE) to VTAM and the partner SNA application; the SNA application "session" spans client and server]

- The remote SNA API client/server technology is a simple, efficient, and transparent technology that allows continued use of SNA clients on workstations and distributed servers without the full footprint of SNA protocol software on those client nodes.

Page 254

Some IBM Solutions to help with Web-enabling SNA applications

SNA 3270 applications

| Integration approach | Subsystem independent (gateway approach) | CICS-specific | IMS-specific |
| --- | --- | --- | --- |
| Presentation integration (SNA data stream / HTML transformation) | Host Access Transformation Services (HATS) | CICS Web Support and 3270 Web bridge, or CICS Transaction Gateway | IMS MFS Web Enablement |
| Programmatic integration (expose SNA core business applications as Web services) | Host Access Transformation Services (HATS) | CICS Web Services | IMS MFS Web Services |

SNA LU0 and LU6.2 applications

| Integration approach | Subsystem independent (gateway approach) | CICS-specific | IMS-specific |
| --- | --- | --- | --- |
| Presentation integration (SNA data stream / HTML transformation) | Branch Transformation Toolkit (BTT) or RYO | CICS Web Support or CICS Transaction Gateway | IMS MFS Web Support |
| Programmatic integration (expose SNA core business applications as Web services) | Branch Transformation Toolkit (BTT) or RYO | CICS Web Services | IMS MFS Web Services |

Page 255

SNA 3270 mainframe application: multiple channels, one mainframe application


- A technology such as IBM Host Access Transformation Services (HATS) is subsystem independent
  - Can be located in the network or on z/OS itself
  - Transforms the SNA 3270 data stream
  - No change to the SNA 3270 application, the SNA application subsystem, or the SNA host operating system environment
  - The same SNA 3270 application can be used from traditional 3270 interfaces, such as real SNA 3270 terminals, SNA 3270 emulators, or TN3270 emulators
  - Transforms IMS, CICS, TSO, etc. SNA 3270 applications
  - Can combine data from multiple SNA 3270 sessions into a single HTML page or Web service
- No change to the SNA application tier

[Figure: four tiers. Clients: SNA 3270 client (SNA LLC), TN3270 client (TN3270/IP), Web browser (HTTP(S)/HTML), Web service requester (SOAP/XML). HTTP(S)/HTML and SOAP/XML transformation tier: WebSphere Application Server with HATS and transformation rules. TN3270 to SNA integration tier: TN3270 server; SNA network via EE, SNA Switch, CCL, DLSw, IP-TG, XOT; SNA (VTAM). SNA application tier: 3270 transaction subsystem, no change to this tier]

Page 256

For more information

SG24-7334-00, A Structured Approach to Modernizing the SNA Environment
- It is not about rip-and-replace; it is about reusing and sharing existing business assets in a new services-oriented environment

Page 257

Agenda
- Workshop introduction
- z/OS V1R11 Communications Server
  - Application integration, data consolidation, and standards
  - Availability and business resilience
  - Scalability, performance, constraint relief, and accelerators
  - Networking security
  - Simplification and ease-of-use
  - SNA and Enterprise Extender
  - Virtualization
  - Systems management and monitoring
- Next generation Internet: IPv6
- Roadmap for SNA modernization
- What does Web services mean to your z/OS networking environment
- Trends and direction

Disclaimer: All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an as is basis, without warranty of any kind.
Page 258

RFC 4301 compliance migration health check


z/OS V1R11 is planned to be the last z/OS release where RFC4301 compliance is optional. In a future release of z/OS, IBM intends to make RFC4301 compliance mandatory. RFC4301, "Security Architecture for the Internet Protocol", specifies the base architecture for IPSec-compliant systems, including restrictions on the routing of fragmented packets. In z/OS V1R10 and V1R11, RFC4301 compliance enforcement is an optional setting in the z/OS IPSec policy. Changing an IPSec policy from non-compliant to compliant may require minor changes to IP filters for IP traffic that is routed through z/OS. The Configuration Assistant for z/OS Communications Server includes functions to assist with identifying and making such changes.
- RFC4301, "Security Architecture for the Internet Protocol", specifies the base architecture for IPSec-compliant systems
  - Includes restrictions on the routing of fragmented packets
- In z/OS V1R10 and V1R11, RFC4301 compliance enforcement is an optional setting in the z/OS IPSec policy
- Changing an IPSec policy from non-compliant to compliant might require minor changes to IP filters for IP traffic that is routed through z/OS
- A new migration health check will determine if you have such filter rules:

ISTM010E IPSec filter rules that violate RFC4301 compliance are in use on this system during this IPL

* Disclaimer: "All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an as is basis, without warranty of any kind."

Page 259

Filter rules and routed fragments


Local traffic (no changes to become RFC4301 compliant):
- Filters for local traffic can be based on ports, types, or codes. Fragments are reassembled before filter rules are checked.

Routed traffic (possibly changes to become RFC4301 compliant):
- Filters for routed (or either) traffic cannot be based on ports, types, or codes. Each fragment is checked against filter rules as fragments are routed through this node.

[Figure: a routing filter rule using the port number as selection. First fragment: IP header (first part), TCP header (port), first part of data; the filter rule can be applied to this packet. Second fragment: IP header (second part), second part of data; the rule cannot be applied to this packet, because it carries no TCP header]
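As an added illustration (not part of the IBM deck), the following Python models the two cases above and the rule audit that the ISTM010E health check performs: a routed rule that selects on the TCP port can be decided only for the first fragment, while a rule selecting on addresses and protocol decides every fragment. The fragment layout, rule fields and addresses are constructed for the example and do not reproduce the z/OS IPSec policy format.

```python
"""Added example (not from the IBM deck): why a filter rule for routed traffic
cannot select on a TCP port once a datagram is fragmented, plus an audit that
flags such rules in the spirit of the ISTM010E check. Fragments and rule fields
are simplified constructions, not the z/OS IPSec policy format."""
import struct
from dataclasses import dataclass
from typing import Optional

TCP = 6

@dataclass
class Fragment:
    src: str
    dst: str
    proto: int
    frag_offset: int      # 8-byte units as in the IPv4 header; 0 = first fragment
    payload: bytes

    def tcp_dst_port(self) -> Optional[int]:
        # Only the first fragment carries the transport header; later fragments
        # are opaque data after the IP header, so no port can be read from them.
        if self.frag_offset != 0 or self.proto != TCP or len(self.payload) < 4:
            return None
        return struct.unpack("!HH", self.payload[:4])[1]

@dataclass
class FilterRule:
    name: str
    direction: str        # "local" (reassembled first) or "routed" (per fragment)
    src: str
    dst: str
    proto: Optional[int] = None
    dst_port: Optional[int] = None

def violates_rfc4301(rule):
    # Routed traffic is checked fragment by fragment, so a routed rule that
    # selects on a port can never be decided for non-first fragments.
    return rule.direction == "routed" and rule.dst_port is not None

def audit_rules(rules):
    # Names of the rules the migration health check would report.
    return [r.name for r in rules if violates_rfc4301(r)]

def match(rule, frag):
    # 'match'/'no-match' when decidable for this fragment alone; 'undecidable'
    # when the rule needs a port that this fragment does not carry.
    if (rule.src, rule.dst) != (frag.src, frag.dst):
        return "no-match"
    if rule.proto is not None and rule.proto != frag.proto:
        return "no-match"
    if rule.dst_port is not None:
        port = frag.tcp_dst_port()
        if port is None:
            return "undecidable"
        if port != rule.dst_port:
            return "no-match"
    return "match"

# Constructed sample: a TN3270 (port 23) datagram split into two fragments.
TCP_HDR = struct.pack("!HH", 40000, 23) + b"\x00" * 16  # ports + rest of header
FIRST = Fragment("10.1.1.5", "10.2.2.9", TCP, 0, TCP_HDR + b"A" * 100)
SECOND = Fragment("10.1.1.5", "10.2.2.9", TCP, 185, b"B" * 100)  # 1480 bytes in
PORT_RULE = FilterRule("routed-tn3270-by-port", "routed", "10.1.1.5", "10.2.2.9", TCP, 23)
ADDR_RULE = FilterRule("routed-tn3270-by-address", "routed", "10.1.1.5", "10.2.2.9", TCP)
```

Running `audit_rules([PORT_RULE, ADDR_RULE])` reports only the port-based routed rule, which is the kind of rule the Configuration Assistant helps you rewrite before enabling compliance.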

Page 260

Enabling RFC4301 compliance with non-compliant connectivity rules

RFC4301 compliance report

Page 261

BIND 9 DNS server in-use migration health check

In a future release of z/OS, the BIND 9.2.0 function will be removed from the z/OS Communications Server component. Customers who currently use or plan to use the z/OS BIND 9.2.0 function as a caching-only name server should use the Resolver function, which will be available in z/OS V1.11, to cache DNS responses. Customers who currently use or plan to use the z/OS BIND 9.2.0 function as a primary or secondary authoritative name server should investigate using BIND on Linux for System z.
- If you are using a BIND 9 server on z/OS as a caching-only name server, migrate to the Resolver caching function, which is available in z/OS V1.11
- If you are using a BIND 9 server on z/OS as a primary or secondary authoritative name server, investigate moving the name server function to another operating system platform, such as BIND on Linux for System z
- A new migration health check will determine if you have a BIND 9 server running on your system:

ISTM012E One or more DNS servers are in use on this system during this IPL

* Disclaimer: "All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an as is basis, without warranty of any kind."

Page 262

z/OS V1R11 Statement of Direction: FIPS 140-2 support

z/OS V1R11 Communications Server is designed to address FIPS 140-2 requirements for SSL/TLS connections via the Application Transparent Transport Layer Security (AT-TLS) component. The native SSL/TLS support in the TN3270 server and FTP client and server will not be enhanced to address FIPS 140-2 requirements. Customers who need to provide SSL/TLS-secured TN3270 and FTP connections that are designed to be consistent with FIPS 140-2 requirements are advised to use AT-TLS for this purpose.

- FIPS 140-2 support has, in z/OS V1R11, been added to AT-TLS, not to the native SSL/TLS support of any of the z/OS Communications Server applications, such as the TN3270 server or the z/OS FTP client and server
- Customers who need FIPS 140-2 support or other recent enhancements to SSL/TLS on z/OS are encouraged to use AT-TLS
* Disclaimer: "All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an as is basis, without warranty of any kind."

Page 263

z/OS V1R11 Statement of Direction: Planned IKEv2 support


IBM intends to update z/OS with support for the latest Internet Key Exchange protocol, version 2 (IKEv2), as defined by industry standards documented in "Internet Key Exchange (IKEv2) Protocol", RFC4306 and "IKEv2 Clarifications and Implementation Guidelines", RFC4718 and other publications. This support is intended to allow z/OS to maintain compliance with industry standard IPv6 profiles, and expand the options available to network administrators for configuring secure communications with z/OS systems.

- IKEv2 is the latest version of the IKE protocol, as documented in "Internet Key Exchange (IKEv2) Protocol", RFC4306, and "IKEv2 Clarifications and Implementation Guidelines", RFC4718
- Various government compliance lists are picking up requirements for IKEv2.

* Disclaimer: "All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an as is basis, without warranty of any kind."

Page 264

z/OS CS V1R11 things to be aware of

- If you monitor the IP SMF 119 statistic SMF119AP_TSIPAttFwdData, which is the number of attempts to forward datagrams, be aware that this statistic will not be incremented for datagrams that are forwarded via acceleration.
- Remember!! If you start syslogd from a UNIX shell script (or BPXBATCH), you must include an & after the command.

Page 265

Page 266
