What’s New in z/OS V1R13 Communications Server?
It has been said "z/OS is not just a node on the network, z/OS is the network," and that is largely due to the wide array of networking technologies included in z/OS Communications Server, including both TCP/IP and SNA. System and data security technologies, fault tolerance, autodetection and autorecovery capabilities—all mean that z/OS can provide reliable and trustworthy networking services. With intelligent configuration, dynamic optimization, self tuning, and network routing, it adapts to different networking conditions and is capable of shifting workloads and traffic to meet quality of service and business needs.
z/OS Simplification Enhancements and Ease of Use
z/OS V1.13 introduces many new simplification capabilities. It is designed to address the need for skills by making existing personnel more productive and by reducing the time needed for someone new to gain proficiency on the platform.
In z/OS Communications Server, the TCP/IP PORTRANGE profile statement allows ranges of TCP/IP ports to be reserved for specific job names. This statement is enhanced to allow specification of the job name as a wildcard, specified as a 1-7 character prefix followed by an asterisk (*). This allows several jobs with the same prefix to have access to the ports in the specified port range.
In z/OS Communications Server, the requirement for using UID(0) for the Policy Agent (PAGENT) and Internet Key Exchange (IKED) daemons is removed. These daemons can now be started using any user ID and UID with access to the necessary directories and files. Additional documentation is provided to help you start the OMPROUTE and TN3270E daemons using UIDs other than zero.
In z/OS V1.13, several enhancements are available for the Configuration Assistant for z/OS Communications Server to support:
- Retrieving TCP/IP profile information from active TCP/IP stacks (only available with the z/OSMF version of the Configuration Assistant)
- Allowing a single instance of the Configuration Assistant to be used to configure both z/OS V1.12 and z/OS V1.13 Communications Server
- Allowing a policy rule to be defined once for multiple stacks
- Improving network protection with new Intrusion Detection Services
Scalability and Performance
With z/OS V1.13 and related System z technologies, IBM delivers improved performance, scale, and economics to the platform. These technologies are intended to help enable you to leverage existing resources better or to free up existing resources to run more workload within your existing System z servers more efficiently.
Extended Address Volumes (EAVs) allow more data to be stored on direct access storage devices. z/OS V1.13 Communications Server FTP, which already supports SMS-managed extended format sequential data sets, supports these additional data set types when they reside in the Extended Addressing Space (EAS) of an EAV: both SMS-managed and non-SMS-managed physical sequential basic and large format data sets, PDS and PDSE data sets, and GDG data sets. Also, SDSF is designed to support extended format sequential (DSNTYPE=LARGE) print files, and print files that are placed in the extended addressing space (EAS) of an Extended Address Volume (EAV).
z/OS Communications Server adds support to FTP for large format data sets. With this support, FTP is designed to transfer, restart transfers for, and allocate large format data sets, which can have more than 65,535 tracks per volume or more than 2 gigabytes of data, without requiring them to be SMS managed.
The CSSMTP application provided by z/OS Communications Server can be used to send bulk email from z/OS JES2 or JES3 spool. In z/OS V1.13, CSSMTP supports extended retry processing for emails that cannot be delivered during the initial configured retry time. CSSMTP also releases memory and JES resources for emails in extended retries, allowing it to retry those emails for an extended period of time with less overall system impact.
The number of VLANs supported by z/OS Communications Server on OSA Express is expanded. You can now define up to 32 VLANs per OSA port per IP version.
Application Integration
z/OS V1.13 introduces many capabilities to help you write new applications and systems programs, and extend existing programs. Businesses with applications on z/OS understand the value of its qualities of service, including availability, scalability, and security for these applications and their data on z/OS. Extending these critical applications and expanding the access to the z/OS data hub can drive business agility, enhance usability, and provide unprecedented levels of business integration.
z/OS Communications Server provides a DISPLAY TCPIP,TELNET command to display a list of TN3270E Telnet servers.
z/OS Communications Server supports Network Management Interface (NMI) functions for the system resolver to allow the resolver configuration file and the contents of the global TCPIP.DATA file to be retrieved when they are in use. Also, the NMI TMI_Copybuffer callable services (EZBTMIC1, EZBTMIC4, and TMI_Copybuffer()) are available for use by unauthorized programs when the user IDs under which they run are given access to resources defined to an external security manager, such as RACF.
Security
The z/OS Communications Server can provide highly secure networking, via its Intrusion Detection Services (IDS), Application Transparent Transport Layer Security (AT-TLS), IPSec, Network Security Services (NSS), Defensive Filtering, and more.
Network communications capabilities are designed with security in mind. z/OS Communications Server supports a wide range of security technologies for your networks designed to help you create end-to-end secure networking solutions. Extended and enhanced support for Internet Key Exchange version 2 (IKEv2) and Federal Information Processing Standards (FIPS 140-2) can help you meet stringent government or industry security compliance guidelines.
z/OS Communications Server intrusion detection technology is enhanced to add support for IPv6 traffic and also additional attack types related to data hiding, TCP-related denial of service, and Enterprise Extender. This is intended to provide IPv6 intrusion detection security equivalent to that provided for IPv4 and help you prevent certain error situations and denial of service attacks on z/OS Communications Server from causing system-wide storage constraint situations. The Configuration Assistant for z/OS Communications Server provides a quick and easy interface to create the configuration for this new intrusion detection services (IDS) support.
Internet Key Exchange version 2 (IKEv2) is the latest version of the Internet Key Exchange (IKE) protocol specified by RFC 5996, and support for IKEv2 was added to z/OS Communications Server V1.12. z/OS V1.13 Communications Server adds Network Address Translation (NAT) traversal support using IKEv2 for IPv4 to make it easier to migrate to IKEv2 if you use NAT. The Configuration Assistant for z/OS Communications Server provides a quick and easy interface to create the configuration for IKEv2 support.
Sysplex-wide security associations in z/OS Communications Server allow IPSec protected workloads to benefit from workload balancing. This function works in conjunction with Sysplex Distributor to support both takeover and distribution of IPSec tunnels and traffic for dynamic VIPAs in a Parallel Sysplex environment. In prior releases, this function supports tunnels negotiated using IKEv1 and IPv4 addresses; in z/OS V1.13, sysplex-wide security associations support IPSec tunnels negotiated using IKEv2 and IPv4 addresses.
Resources defined to a security manager, such as RACF, are currently available to control which user IDs are allowed to create and destroy VIPARANGE DVIPAs. This capability is extended to allow you to specify authorization for specific ranges of VIPARANGE DVIPAs, or for individual VIPARANGE DVIPAs.
IPSec support for FIPS 140-2 cryptographic mode is enhanced. AES-GCM and AES-GMAC support is added when using sysplex-wide security associations in FIPS 140-2 mode, and the IKE daemon is enhanced to take advantage of new services provided by ICSF when running in FIPS mode. The Configuration Assistant for z/OS Communications Server provides a quick and easy interface to configure FIPS 140-2 mode.
The FTP and TN3270 servers provided with z/OS Communications Server are updated to support password phrases. This is intended to enable FTP users and applications and TN3270 users to take advantage of the security and usability advantages of password phrases.
Processing of the LIST=SUMMARY option of the DISPLAY NET,EEDIAG,TEST=YES command from z/OS Communications Server is enhanced. This is designed to expedite Enterprise Extender connectivity test results and eliminate the dependency on ICMP messages, which are often blocked by firewalls. This is expected to provide value to you when your IP configuration includes firewalls that block ICMP messages, resulting in delayed EE connectivity test results. Processing for DISPLAY NET,EEDIAG,TEST=YES,LIST=DETAIL remains unchanged. It requires ICMP messages to display routing information for EE connections.
Availability
According to IBM market research, the System z platform is recognized by both customers and industry analysts for its industry-leading resilience capabilities; furthermore, high availability is the top reason for running existing workloads on and migrating new workloads to System z. z/OS V1R13 improves availability by delivering the following enhancements:
The z/OS system resolver was enhanced in Version 1.12 to detect unresponsive name servers and issue operator messages when one is detected. In Version 1.13, this support is taken a step further so that the system resolver will automatically stop using name servers that become unresponsive, and automatically start using them again when they recover. This is intended to enhance network availability for processes that rely on name resolution services by avoiding long time-out periods for unresponsive name servers.
The z/OS Communications Server sysplex distributor VIPAROUTE function is enhanced to make it more responsive to changes in the routing topology as a TCP/IP stack joins or rejoins a sysplex group, and when OMPROUTE is recycled. This is expected to improve responsiveness of distributed dynamic VIPA connections during TCP/IP initialization and when TCP/IP rejoins a sysplex group.
z/OS V1.13 Communications Server processing is enhanced to provide autonomic recovery from APPN routing tree corruption. Support for manual recovery using an operator command is also provided for recovery from cases of incorrect route selection.
Sysplex autonomics functions provided by z/OS Communications Server are enhanced to monitor for a CSM-constrained condition and take recovery action based on configuration options. This is designed to allow autonomic recovery actions to prevent CSM-constrained conditions from affecting overall sysplex operations.
Hardware Support
The capabilities of the System z platform continue to evolve, and z/OS V1R13 Communications Server supports that hardware evolution through the following enhancements:
Software support is provided for the OSA Express3 and OSA Express4S inbound workload queueing for Enterprise Extender as described in Hardware Announcement 111-121 (RFA54727), dated July 12, 2011.
Software support is provided for OSA-Express4S QDIO IPv6 checksum and segmentation offload enhancements and for LPAR-to-LPAR checksum offload for both IPv4 and IPv6 packets as described in Hardware Announcement 111-121 (RFA54727), dated July 12, 2011.
z/OS Communications Server is enhanced to allow HiperSockets to be integrated with the intraensemble data network (IEDN), extending the reach of the HiperSockets network outside of the central processor complex (CPC) to the entire ensemble, appearing as a single Layer 2 network. This enhancement works in conjunction with new HiperSockets integration with the IEDN support intended for the IBM zEnterprise and referenced in Hardware Announcement 111-121 (RFA54727), dated July 12, 2011.
Statements of Direction
z/OS V1.13 is planned to be the final release for which the IBM Configuration Assistant for z/OS Communications Server tool that runs on Microsoft Windows will be provided by IBM. This tool is currently available as an as-is, nonwarranted web download. Customers who currently use the Windows-based IBM Configuration Assistant for z/OS Communications Server tool should migrate to the z/OS Management Facility (z/OSMF) Configuration Assistant application. The IBM Configuration Assistant for z/OS Communications Server that runs within z/OSMF is part of a supported IBM product and contains all functions supported with the Windows tool.
z/OS V1.13 is planned to be the last release in which the BIND 9.2.0 function will be available. Customers who currently use or plan to use the z/OS BIND 9.2.0 function as a caching-only name server should use the resolver function, which became generally available in z/OS V1.11, to cache Domain Name Server (DNS) responses. Customers who currently use or plan to use the z/OS BIND 9.2.0 function as a primary or secondary authoritative name server should investigate using BIND on Linux for System z or BIND on an IBM blade in an IBM zEnterprise BladeCenter® Extension (zBX).
All statements regarding IBM's plans, directions, and intent are subject to change or withdrawal without notice.
