PJ41170: ENHANCE INETD SERVER FOR Z/TPF TO INCLUDE AN SSL MODEL.
Closed as program error.
See Problem Summary.
APAR NUMBER: PJ41170
PRODUCT: z/TPF
FUNCTIONAL AREA: TCP/IP APPLICATION LAYER
SHIPPED IN PUT: 10

ABSTRACT:
Enhance z/TPF Internet Daemon (INETD) support to include an SSL model.

PACKAGE CONTENTS:

Source Segments:
  (C) base/cntl/tpf_app_base.cntl
  (C) base/cntl/tpf_app_base_ux.cntl
  (N) base/include/tpf/cussl.h
  (N) base/include/tpf/inetdssl.h
  (C) base/include/tpf/i_netd.h
  (C) base/rt/cinet1.c
  (C) base/rt/cinet2.c
  (C) base/rt/cinet3.c
  (C) base/rt/cinet4.c
  (C) base/rt/cinet5.c
  (C) base/rt/cinetb.c
  (N) base/rt/cinetc.c
  (N) base/rt/cltc.mak
  (C) base/rt/cltx.mak
  (C) base/rt/ctkr.asm
  (N) base/rt/ussl.c
  (N) base/rt/ussl.mak

Object Only Binaries:
  None.

Configuration Independent Binaries:
  (N) base/lib/libCLTC.so
  (C) base/lib/libCLTV.so
  (C) base/lib/libCLTY.so
  (C) base/load/CLTB.so
  (N) base/load/CLTC.so
  (C) base/load/CLTV.so
  (C) base/load/CLTW.so
  (C) base/load/CLTX.so
  (C) base/load/CLTY.so
  (C) base/load/CTKR.so
  (C) base/obj/cinet1.o
  (C) base/obj/cinet2.o
  (C) base/obj/cinet3.o
  (C) base/obj/cinet4.o
  (C) base/obj/cinet5.o
  (C) base/obj/cinetb.o
  (N) base/obj/cinetc.o
  (C) base/obj/ctkr.o

Support Files:
  base/lst/cinet1.lst
  base/lst/cinet2.lst
  base/lst/cinet3.lst
  base/lst/cinet4.lst
  base/lst/cinet5.lst
  base/lst/cinetb.lst
  base/lst/cinetc.lst
  base/lst/ctkr.lst
  base/lst/CLTB.map
  base/lst/CLTC.map
  base/lst/CLTV.map
  base/lst/CLTW.map
  base/lst/CLTX.map
  base/lst/CLTY.map
  base/lst/CTKR.map

OTHER BINARIES TO BUILD: YES
  (N) <sys>/lib/libUSSL.so
  (N) <sys>/load/USSL.so
  (N) <sys>/obj/ussl.o
  (C) <sys>/load/IPAT.so
  (C) <sys>/stdlib/libTPFSTUB.so
  (C) <sys>/stdload/TPFSTUB.so
  (C) <sys>/obj/ipat.o

COMMENTS:
The z/TPF system can enable shared secure sockets layer (SSL) sessions across multiple processes. To use shared SSL sessions, SSL server applications create and manage a context (CTX) structure that is shared by all of the SSL sessions for the application. These applications also issue the SSL functions needed to set up and complete the SSL handshake with an SSL client.
However, using shared SSL sessions does not ensure that shared SSL server applications are written efficiently. Shared SSL server applications can consume a large amount of resources if they are not written efficiently. For example, a shared SSL server application program can create one CTX structure for each SSL session instead of creating one CTX for each SSL application. By creating one CTX per SSL session, more system resources are consumed and more file system input/output (I/O) is performed, thus decreasing the efficiency of the server application.

A new Internet Daemon model is needed to create the CTX and issue the SSL functions needed to complete the SSL handshake with other SSL clients in order to spare the SSL application from issuing those functions and improve the efficiency of the application.

There is also a base z/TPF problem in which the z/TPF CRAS to 1052 schedule does not stop the SSL daemon on system cycle-down. When the system cycles back to CRAS state or above, the SSL daemon is not started because it was not stopped during the system cycle-down.

SOLUTION:
z/TPF Internet Daemon support has been enhanced to include an SSL model. This new model will issue the SSL functions needed to complete the handshake with the SSL client and share SSL sessions across multiple processes. In addition, the new Internet Daemon model will create and manage the CTX structure that is shared by all sessions of a server application.

A new user exit, the INETD SSL model server application user exit (USSL), has been created to allow users to perform initialization and cleanup tasks when an INETD SSL server is being started or stopped.

Users of the new INETD SSL model will need to provide a new application configuration file for SSL. This configuration file must be placed in a new directory called /etc/inetd/ssl and use the following naming convention: /etc/ssl/inetd/servername.conf, where servername is the name of the z/TPF SSL server to be created and managed by the INETD SSL model. In addition, users of the INETD SSL model must provide the server application programs that read and write data to and from each SSL client and handle the freeing of the SSL structure and the closing of the connection.

With the new INETD SSL model support installed, the application program is freed from creating and managing the SSL context structure and from setting up and completing the SSL handshake. This allows applications to become simpler and more efficient.

This APAR also ensures that the z/TPF CRAS to 1052 schedule in program ctkr.asm stops the SSL daemons on system cycle-down.

COREQS: NO
  None.

MIGRATION CONSIDERATIONS: YES

Functional, automation, and operation changes:
A new parameter for the MODEL parameter of the ZINET ADD command has been defined, called SSL. New message IDs INET0133E, INET0134E, INET0135E, INET0136W, INET0140E, INET0141E, INET0142E, INET0143E, and INET0144E have been created.

Application programming interface (API) changes:
Program cinetc.c issues an __ENTDC() function to enter the SSL server application.
Program cinetc.c will provide the following interface to the server application:
  EBROUT of the ECB work area is set to 0.
  EBW008-EBW011 contains the client connection socket.
  EBW016-EBW023 contains the parameter string specified with the PARM parameter of the ZINET ADD command.
  EBW023-EBW031 contains the SSL token associated with the new SSL session.

User exit changes:
A new user exit, the INETD SSL model server application user exit (USSL), has been created to allow customers to perform initialization tasks when an INETD SSL model server is being started or cleanup operations when the server is being stopped.

Communications changes:
Users of the new INETD SSL model will need to provide a new application configuration file for SSL. This configuration file must be placed in a new directory called /etc/inetd/ssl and use the following naming convention: /etc/ssl/inetd/servername.conf, where servername is the name of the z/TPF SSL server to be created and managed by the INETD SSL model.

Coexistence, migration, and fallback considerations:
When adding servers for the INETD SSL model with the ZINET ADD command, the servers will be added to the Internet daemon configuration file for all images on a z/TPF system. These images must have the code for this APAR installed or an OPR-7707 system error (INETD LISTENER MODEL ERROR) will occur if the INETD SSL server is started on those images that do not have the APAR installed.

BUILD COMMANDS AND INSTRUCTIONS: YES
  #maketpf commands for linux
  maketpf -f USSL ussl.o
  maketpf -f CTKR ctkr.o
  maketpf -f CLTY cinet2.o cinet5.o
  maketpf -f CLTB cinetb.o
  maketpf -f CLTC cinetc.o
  maketpf -f CLTV cinet1.o
  maketpf -f CLTW cinet3.o
  maketpf -f CLTX cinet4.o
  maketpf -f TPFSTUB
  maketpf -f IPAT
  maketpf USSL link TPF_VERIFY_LINK_REFS=NO
  maketpf CTKR link
  maketpf CLTY link TPF_VERIFY_LINK_REFS=NO
  maketpf CLTB link
  maketpf CLTC link TPF_VERIFY_LINK_REFS=NO
  maketpf CLTV link
  maketpf CLTW link
  maketpf CLTX link TPF_VERIFY_LINK_REFS=NO
  maketpf USSL link
  maketpf CLTY link
  maketpf CLTC link
  maketpf CLTX link

UPDATED INFORMATION UNITS: YES
  z/TPF and z/TPFDF Migration Guide: PUT 2 and Later
  z/TPF and z/TPFDF System Installation and Support Reference
  z/TPF Application Programming
  z/TPF Concepts and Structures
  z/TPF Messages (Online, SQLCODEs, and errno Values)
  z/TPF Messages (System Error, Offline, and Program Status Word)
  z/TPF Operations
  z/TPF Security
  z/TPF TCP/IP

See your IBM representative if you need additional information.

DOWNLOAD INSTRUCTIONS: http://www.ibm.com/software/htp/tpf/maint/maintztpf.html
APAR URL: http://www.ibm.com/software/htp/tpf/ztpfmaint/put10/PJ41170.htm