VM65925: New Function - Simplified virtual NIC configuration and VSWITCH operation with enhanced NICDEF statement

Obtain the fix for this APAR.

APAR status

• Closed as new function.

Error description

• Support a new capability: Directory Network Authorization
  (DNA). With this new capability, each virtual NIC can be
  configured and authorized entirely within the user directory,
  simplifying virtual server provisioning.
  Support a common VSWITCH model that can be operated using
  USERBASED and PORTBASED functions.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All systems using VSWITCH networks.          *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  ****************************************************************
  * RECOMMENDATION: APPLY PTF                                    *
  ****************************************************************
  VM65925 provides support for Directory Network Authorization
  (DNA). With this new capability, each virtual NIC can be
  configured and authorized entirely within the user directory,
  simplifying virtual server provisioning.
  
  New operands on the NICDEF statement enable specification of
  the following attributes for a virtual NIC:
  o Virtual port number on the connected VSWITCH
  o Virtual trunk port enablement
  o VLAN associations
  o Promiscuous (virtual sniffer) authorization
  
  When these attributes are specified on NICDEF, the use of the
  SET VSWITCH and COUPLE commands is no longer required. However,
  VSWITCH access, VLAN authorization, and promiscuous mode
  enablement controls provided by an external security manager
  (ESM) such as the RACF Security Server feature continue to
  override any CP authorizations.
  
  DNA is enabled by default, but to assist with migration efforts,
  a new CP SET VMLAN DNA command is provided to temporarily
  disable the NICDEF enhancements. If DNA is disabled, CP will
  require an ESM or SET VSWITCH to authorize connection to the
  NICDEF LAN, and will not apply any of the new NICDEF options.
  
  This support eliminates the major operational differences
  between PORTBASED and USERBASED VSWITCH networks. A system
  administrator has the option to manage access to a VSWITCH by
  user ID, by virtual port, or by using a combination of the two
  methods. Virtual ports 1-2048 are reserved for explicit user
  configuration. Virtual ports 2176-4095 are reserved for the
  system to create temporary ports as needed. VSWITCH port
  management is not affected by the SET VMLAN DNA command.
  
  To ensure the integrity of virtual port numbers, Live Guest
  Relocation requires that the VSWITCH on the destination node
  must continue to match the PORTBASED or USERBASED designation
  on the source node.
  
  Changes have also been made to the RACF database initialization
  program RPIDIRCT (VM65931) and to DIRMAINT (VM65926) to
  recognize the new NICDEF operands in the user directory.
  
  Refer to z/VM Connectivity Version 6 Release 4 (SC24-6174-07)
  for more information.
  

Problem conclusion

Temporary fix

• FOR RELEASE VM/ESA CP/ESA R640 :
  PREREQ: VM65877 VM65872
  CO-REQ: NONE
  IF-REQ: UV61338(VM65926-6VMDIR40) UV61339(VM65931-6VMRAC40)
  

Comments

• NICDEF statement (in USER DIRECT):
  
  With the PTFs for APARs VM65925, VM65926 and VM65931, the
  NICDEF user directory statement is enhanced to provide a set
  of new operands referred to as Directory Network Authorization
  (DNA). With DNA, a system administrator can configure and
  consolidate a virtual NIC device and its network properties in
  a secure, centralized location - z/VM's User Directory.
  
  The following new NICDEF operands are supported by DNA:
  o PORTNUMBER <portnum>
  o PORTTYPE ACCESS|TRUNK
  o VLAN <vidset>
  o PROMISCUOUS | NOPROMISCUOUS
  
  When a network configuration is added to the NICDEF statement,
  the MODIFY VSWITCH statement (SYSTEM CONFIG) and CP SET VSWITCH
  command can be eliminated. In this case, DNA satisfies the
  authorization previously provided by these other methods.
  When a new user is added to an existing network, the virtual
  NIC can be configured using the NICDEF statement to specify
  PORTTYPE, VLAN, and any other attributes that would have been
  specified with a separate "SET VSWITCH" network configuration.
  
  Example (using prior configuration methods):
  
    SYSTEM CONFIG includes:
      DEFINE VSWITCH ETH1 ETHERNET VLAN 1 NATIVE 1 RDEV 4200
      MODIFY VSWITCH ETH1 GRANT LNXSV01 PORTTYPE ACCESS VLAN 42
    USER DIRECT includes (for USER LNXSV01):
      NICDEF 4200 TYPE QDIO LAN SYSTEM ETH1 MACID 014200
  
  Example (using NICDEF to configure the connection):
  
    SYSTEM CONFIG only includes the VSWITCH definition:
      DEFINE VSWITCH ETH1 ETHERNET VLAN 1 NATIVE 1 RDEV 4200
    USER DIRECT includes (for USER LNXSV01):
      NICDEF 4200 TYPE QDIO LAN SYSTEM ETH1 MACID 014200
      NICDEF 4200 PORTTYPE ACCESS VLAN 42
  
  By default, CP Directory Network Authorization is enabled
  after applying the PTF for APAR VM65925. Directory Network
  Authorization support can be disabled or enabled by the
  SET VMLAN DNA command or configuration statement. When DNA is
  disabled, the NICDEF LAN statement will not be accepted as
  authorization to couple to the specified network, and the new
  NICDEF operands will not be applied during COUPLE processing.
  
  USERBASED and PORTBASED VSWITCH designations:
  
  Operational differences between PORTBASED and USERBASED
  VSWITCHes have been minimized with this support. A system
  administrator has the option to manage a VSWITCH by user, by
  port number, or by a combination of the two methods. While
  the management of USERBASED and PORTBASED VSWITCHes is now
  simplified, Note that merged PORTBASED/USERBASED behavior
  is not affected by the SET VMLAN DNA command.
  
  Notes:
  o Live Guest Relocation of a guest connected to a VSWITCH still
    requires a matching designation (PORTBASED or USERBASED) on
    the destination node.
  o After applying the PTF for APAR VM65925 to all members of
    the SSI cluster, the USERBASED and PORTBASED designations
    can be eliminated (simultaneously) from all DEFINE VSWITCH
    statements to avoid future relocation issues.
  o Note that merged PORTBASED/USERBASED behavior is not affected
    by the SET VMLAN DNA command.
  
  Refer to SC24-6174-07 z/VM Connectivity Version 6 Release 4
  for more information.
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UM35188 UM35189

Modules/Macros

• CBITABLE COUPLE   HCPCBI   HCPCPL   HCPCSIBK HCPDDEV  HCPDHDR
  HCPDIR   HCPEQUAT HCPLAN   HCPLANBK HCPMES   HCPMESA  HCPMESB
  HCPMXRBK HCPNDCBK HCPNDF   HCPNET   HCPNIC   HCPNICBK HCPOM1
  HCPRLF   HCPRLI   HCPSCFBK HCPSLMBK HCPSWD   HCPSWM   HCPSWQ
  HCPSWS   HCPSWY   HCPUDR   HCPVLDBK HCPVLF   HCPVLQ   HCPVLS
  HCPVLU   HCPVNABK HCPZSC   HCP1882E HCP1982I HCP3022E HCP3034E
  HCP3043E HCP3044E HCP3046E HCP3222E HCP3224I HCP6011E LAN
  LGRNETWK LOGON    VMLAN    VMRELOCA VSWITCH
  

Fix information

• Fixed component name

  VM CP

• Fixed component ID

  568411202

Applicable component levels

• RA64 PSY UM35188

     UP17/11/24 P 1702  

• R640 PSY UM35189

     UP17/08/02 P 1702  

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.