A fix is available
APAR status
Closed as new function.
Error description
Support a new capability: Directory Network Authorization (DNA). With this new capability, each virtual NIC can be configured and authorized entirely within the user directory, simplifying virtual server provisioning. Support a common VSWITCH model that can be operated using USERBASED and PORTBASED functions.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All systems using VSWITCH networks.          *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
VM65925 provides support for Directory Network Authorization (DNA). With this new capability, each virtual NIC can be configured and authorized entirely within the user directory, simplifying virtual server provisioning.

New operands on the NICDEF statement enable specification of the following attributes for a virtual NIC:
o Virtual port number on the connected VSWITCH
o Virtual trunk port enablement
o VLAN associations
o Promiscuous (virtual sniffer) authorization

When these attributes are specified on NICDEF, the use of the SET VSWITCH and COUPLE commands is no longer required. However, VSWITCH access, VLAN authorization, and promiscuous mode enablement controls provided by an external security manager (ESM) such as the RACF Security Server feature continue to override any CP authorizations.

DNA is enabled by default, but to assist with migration efforts, a new CP SET VMLAN DNA command is provided to temporarily disable the NICDEF enhancements. If DNA is disabled, CP will require an ESM or SET VSWITCH to authorize connection to the NICDEF LAN, and will not apply any of the new NICDEF options.

This support eliminates the major operational differences between PORTBASED and USERBASED VSWITCH networks. A system administrator has the option to manage access to a VSWITCH by user ID, by virtual port, or by using a combination of the two methods. Virtual ports 1-2048 are reserved for explicit user configuration. Virtual ports 2176-4095 are reserved for the system to create temporary ports as needed. VSWITCH port management is not affected by the SET VMLAN DNA command.

To ensure the integrity of virtual port numbers, Live Guest Relocation requires that the VSWITCH on the destination node must continue to match the PORTBASED or USERBASED designation on the source node.

Changes have also been made to the RACF database initialization program RPIDIRCT (VM65931) and to DIRMAINT (VM65926) to recognize the new NICDEF operands in the user directory. Refer to z/VM Connectivity Version 6 Release 4 (SC24-6174-07) for more information.
Problem conclusion
Temporary fix
FOR RELEASE VM/ESA CP/ESA R640 :
  PREREQ: VM65877 VM65872
  CO-REQ: NONE
  IF-REQ: UV61338(VM65926-6VMDIR40) UV61339(VM65931-6VMRAC40)
Comments
NICDEF statement (in USER DIRECT):

With the PTFs for APARs VM65925, VM65926 and VM65931, the NICDEF user directory statement is enhanced to provide a set of new operands referred to as Directory Network Authorization (DNA). With DNA, a system administrator can configure and consolidate a virtual NIC device and its network properties in a secure, centralized location: z/VM's User Directory.

The following new NICDEF operands are supported by DNA:
o PORTNUMBER <portnum>
o PORTTYPE ACCESS|TRUNK
o VLAN <vidset>
o PROMISCUOUS | NOPROMISCUOUS

When a network configuration is added to the NICDEF statement, the MODIFY VSWITCH statement (SYSTEM CONFIG) and CP SET VSWITCH command can be eliminated. In this case, DNA satisfies the authorization previously provided by these other methods. When a new user is added to an existing network, the virtual NIC can be configured using the NICDEF statement to specify PORTTYPE, VLAN, and any other attributes that would have been specified with a separate "SET VSWITCH" network configuration.

Example (using prior configuration methods):
SYSTEM CONFIG includes:
  DEFINE VSWITCH ETH1 ETHERNET VLAN 1 NATIVE 1 RDEV 4200
  MODIFY VSWITCH ETH1 GRANT LNXSV01 PORTTYPE ACCESS VLAN 42
USER DIRECT includes (for USER LNXSV01):
  NICDEF 4200 TYPE QDIO LAN SYSTEM ETH1 MACID 014200

Example (using NICDEF to configure the connection):
SYSTEM CONFIG only includes the VSWITCH definition:
  DEFINE VSWITCH ETH1 ETHERNET VLAN 1 NATIVE 1 RDEV 4200
USER DIRECT includes (for USER LNXSV01):
  NICDEF 4200 TYPE QDIO LAN SYSTEM ETH1 MACID 014200
  NICDEF 4200 PORTTYPE ACCESS VLAN 42

By default, CP Directory Network Authorization is enabled after applying the PTF for APAR VM65925. Directory Network Authorization support can be disabled or enabled by the SET VMLAN DNA command or configuration statement. When DNA is disabled, the NICDEF LAN statement will not be accepted as authorization to couple to the specified network, and the new NICDEF operands will not be applied during COUPLE processing.

USERBASED and PORTBASED VSWITCH designations:

Operational differences between PORTBASED and USERBASED VSWITCHes have been minimized with this support. A system administrator has the option to manage a VSWITCH by user, by port number, or by a combination of the two methods. While the management of USERBASED and PORTBASED VSWITCHes is now simplified, note the following:
o Live Guest Relocation of a guest connected to a VSWITCH still requires a matching designation (PORTBASED or USERBASED) on the destination node.
o After applying the PTF for APAR VM65925 to all members of the SSI cluster, the USERBASED and PORTBASED designations can be eliminated (simultaneously) from all DEFINE VSWITCH statements to avoid future relocation issues.
o Merged PORTBASED/USERBASED behavior is not affected by the SET VMLAN DNA command.

Refer to SC24-6174-07 z/VM Connectivity Version 6 Release 4 for more information.
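The problem summary and the Comments above describe the four DNA operands, the reserved virtual port ranges, and the fact that disabling DNA silently stops the NICDEF operands from being applied. The script below is an added example written for this page, not IBM code: it parses NICDEF statements from a USER DIRECT extract (accumulating several NICDEF lines for the same vdev, as in the example above) and reports the things an administrator would want to see before or after a migration: PROMISCUOUS (virtual sniffer) authorizations granted in the directory, PORTNUMBER values outside the explicit range 1-2048 (including the CP temporary range 2176-4095), and NICs whose authorization would disappear if SET VMLAN DNA were turned off. The directory excerpt is constructed. It assumes the operands are whitespace-separated keywords as shown on this page and that a VLAN vidset is a run of integers or ranges such as 100-103; other NICDEF operands are skipped.

```python
"""Audit NICDEF statements in a z/VM USER DIRECT extract for the DNA operands
(PORTNUMBER, PORTTYPE, VLAN, PROMISCUOUS) introduced by APAR VM65925.

Added example, not IBM code. The directory excerpt is constructed. Assumption:
operands are whitespace-separated keywords as on the APAR page, and a VLAN
vidset is a run of integers or ranges such as 100-103.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

EXPLICIT_PORTS = range(1, 2049)   # reserved for explicit user configuration (APAR text)
SYSTEM_PORTS = range(2176, 4096)  # reserved for CP temporary ports (APAR text)
DNA_KEYWORDS = {"PORTNUMBER", "PORTTYPE", "VLAN", "PROMISCUOUS", "NOPROMISCUOUS"}
VID_RE = re.compile(r"(\d+)(?:-(\d+))?")  # single VLAN id or a range (assumption)


@dataclass
class Nic:
    user: str
    vdev: str
    lan: str = ""                       # "owner name", e.g. "SYSTEM ETH1"
    portnumber: int | None = None
    porttype: str | None = None
    vlans: set = field(default_factory=set)
    promiscuous: bool | None = None     # None: neither PROMISCUOUS nor NOPROMISCUOUS coded
    dna_operands: set = field(default_factory=set)


def parse_directory(text: str) -> dict:
    """Return {(user, vdev): Nic}; several NICDEF lines for one vdev accumulate."""
    nics, user = {}, None
    for raw in text.splitlines():
        if raw.startswith("*"):          # directory comment line
            continue
        t = [x.upper() for x in raw.split()]
        if not t:
            continue
        if t[0] in ("USER", "IDENTITY") and len(t) > 1:
            user = t[1]
            continue
        if t[0] != "NICDEF" or user is None or len(t) < 2:
            continue
        nic = nics.setdefault((user, t[1]), Nic(user, t[1]))
        i = 2
        while i < len(t):
            tok = t[i]
            if tok in DNA_KEYWORDS:
                nic.dna_operands.add(tok)
            if tok == "LAN" and i + 2 < len(t):
                nic.lan = f"{t[i + 1]} {t[i + 2]}"
                i += 3
            elif tok in ("TYPE", "MACID") and i + 1 < len(t):
                i += 2                   # operands with one value we do not audit
            elif tok == "PORTNUMBER" and i + 1 < len(t):
                nic.portnumber = int(t[i + 1])
                i += 2
            elif tok == "PORTTYPE" and i + 1 < len(t):
                nic.porttype = t[i + 1]
                i += 2
            elif tok == "VLAN":
                i += 1                   # consume every id/range token that follows
                while i < len(t) and (m := VID_RE.fullmatch(t[i])):
                    lo, hi = int(m[1]), int(m[2] or m[1])
                    nic.vlans.update(range(lo, hi + 1))
                    i += 1
            elif tok in ("PROMISCUOUS", "NOPROMISCUOUS"):
                nic.promiscuous = tok == "PROMISCUOUS"
                i += 1
            else:
                i += 1                   # unknown operand: skip the keyword
    return nics


def audit(nics: dict, dna_enabled: bool = True) -> list:
    """One finding string per issue. dna_enabled mirrors SET VMLAN DNA ON/OFF."""
    findings = []
    for nic in nics.values():
        tag = f"{nic.user} {nic.vdev} ({nic.lan or 'no LAN'})"
        if nic.dna_operands and not dna_enabled:
            findings.append(f"{tag}: DNA disabled, {sorted(nic.dna_operands)} not applied "
                            "and NICDEF LAN no longer authorizes the COUPLE")
        if nic.promiscuous:
            findings.append(f"{tag}: PROMISCUOUS (virtual sniffer) authorized in directory")
        if nic.portnumber is not None and nic.portnumber not in EXPLICIT_PORTS:
            where = ("in the CP temporary range 2176-4095" if nic.portnumber in SYSTEM_PORTS
                     else "outside the explicit range 1-2048")
            findings.append(f"{tag}: PORTNUMBER {nic.portnumber} is {where}")
    return findings


# Constructed USER DIRECT excerpt; LNXSV02 is deliberately misconfigured.
SAMPLE_DIRECT = """\
* constructed excerpt, not from a real system
USER LNXSV01 XXXXXXXX 1G 2G G
NICDEF 4200 TYPE QDIO LAN SYSTEM ETH1 MACID 014200
NICDEF 4200 PORTTYPE ACCESS VLAN 42
USER LNXSV02 XXXXXXXX 1G 2G G
NICDEF 4200 TYPE QDIO LAN SYSTEM ETH1
NICDEF 4200 PORTNUMBER 3000 PORTTYPE TRUNK VLAN 42 100-103 PROMISCUOUS
"""

if __name__ == "__main__":
    for finding in audit(parse_directory(SAMPLE_DIRECT)):
        print(finding)
```

Run it against the sample and only LNXSV02 is reported (system-range port, sniffer authorization); run it with dna_enabled=False and both guests are additionally flagged, because their VLAN and PORTTYPE settings live only in the directory. Remember that an ESM such as RACF still overrides whatever the directory grants, so the directory view is necessary but not sufficient.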
APAR Information
APAR number
VM65925
Reported component name
VM CP
Reported component ID
568411202
Reported release
640
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2016-10-25
Closed date
2017-07-27
Last modified date
2017-11-24
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UM35188 UM35189
Modules/Macros
CBITABLE COUPLE HCPCBI HCPCPL HCPCSIBK HCPDDEV HCPDHDR HCPDIR HCPEQUAT HCPLAN HCPLANBK HCPMES HCPMESA HCPMESB HCPMXRBK HCPNDCBK HCPNDF HCPNET HCPNIC HCPNICBK HCPOM1 HCPRLF HCPRLI HCPSCFBK HCPSLMBK HCPSWD HCPSWM HCPSWQ HCPSWS HCPSWY HCPUDR HCPVLDBK HCPVLF HCPVLQ HCPVLS HCPVLU HCPVNABK HCPZSC HCP1882E HCP1982I HCP3022E HCP3034E HCP3043E HCP3044E HCP3046E HCP3222E HCP3224I HCP6011E LAN LGRNETWK LOGON VMLAN VMRELOCA VSWITCH
SC24617407 | SC24617510 | SC24617709 | SC24617811 | SC24617910 |
SC24618806 | SC24618905 | SC24619006 | SC24620111 | SC24621806 |
Fix information
Fixed component name
VM CP
Fixed component ID
568411202
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
24 November 2017