General updates for the non-PROFILE.TCPIP IP configuration files
Table 1 lists the general updates for the Communications Server IP configuration files.
| File | Statement / Entry | Release | Description | Reason for change |
|---|---|---|---|---|
| Communications Server SMTP (CSSMTP) configuration file | OPTIONS | V2R2 with APAR PI52704; V2R1 with APAR PI52704 | The AtSign option is used to specify the at sign symbol that is used in SMTP mail message commands and headers. | CSSMTP customizable ATSIGN character for mail addresses (APAR PI52704) |
| Communications Server SMTP (CSSMTP) configuration file | OPTIONS | V2R2 with APAR PI56614; V2R1 with APAR PI56614 | The TLSEhlo option is used for requesting an EHLO SMTP command after successful TLS negotiation. | Improved CSSMTP TLS compatibility with mail servers (APAR PI56614) |
| Communications Server SMTP (CSSMTP) configuration file | TargetServer | V2R2 with APAR PI73909; V2R1 with APAR PI73909 | The code page that is used by the target server to translate mail messages. | Improved CSSMTP code page compatibility with target servers (APAR PI73909) |
| Communications Server SMTP (CSSMTP) configuration file | OPTIONS | V2R2 | The DataLineTrunc option modifies CSSMTP behavior when a mail message contains data lines that are longer than the limit specified in RFC 2821. | CSSMTP migration enablement |
| Communications Server SMTP (CSSMTP) configuration file | TIMEOUT | V2R2 | The ConnectIdle option causes CSSMTP to keep connections with mail gateways for a configured amount of time after it sends the last mail message in a spool file. | CSSMTP migration enablement |
| Communications Server SMTP (CSSMTP) configuration file | OPTIONS NULLTRNC | V2R1 | Specifies whether SMTP control commands are edited to remove trailing null characters. | APAR PM94506 |
| Communications Server SMTP (CSSMTP) configuration file | Header | V2R1 | Use the Header statement to change the behavior of CSSMTP when creating RFC 2822 mail headers. | CSSMTP mail message date header handling option |
| Communications Server SMTP (CSSMTP) configuration file | ExtendedRetry | V1R13 | New statement to describe the extended retry function. | CSSMTP extended retry |
| Communications Server SMTP (CSSMTP) configuration file | JESSyntaxErrLimit | V1R13 | New statement to set the maximum number of syntax errors to be tolerated in a JES spool file. | CSSMTP enhancements |
| dcas.conf | KEYRING | V2R1 | The existing KEYRING keyword is used to define the z/OS UNIX file containing the certificate to be used during the SSL handshake. This keyword is ignored if TLSMECHANISM is ATTLS. | AT-TLS enablement for DCAS |
| dcas.conf | LDAPPORT | V2R1 | The existing LDAPPORT keyword is used to allow authentication of the client certificate by an X.500 host. LDAPPORT is used in combination with LDAPSERVER. This keyword is ignored if TLSMECHANISM is ATTLS. | AT-TLS enablement for DCAS |
| dcas.conf | LDAPSERVER | V2R1 | The existing LDAPSERVER keyword is used to allow authentication of the client certificate by an X.500 host. LDAPSERVER is used in combination with LDAPPORT. This keyword is ignored if TLSMECHANISM is ATTLS. | AT-TLS enablement for DCAS |
| dcas.conf | SAFKEYRING | V2R1 | The existing SAFKEYRING keyword is used to define the RACF-defined key ring containing the certificate to be used during the SSL handshake. This keyword is ignored if TLSMECHANISM is ATTLS. | AT-TLS enablement for DCAS |
| dcas.conf | STASHFILE | V2R1 | The existing STASHFILE keyword is used to specify the key ring password file for the associated key ring file. This password file contains the encrypted password. This keyword is ignored if TLSMECHANISM is ATTLS. | AT-TLS enablement for DCAS |
| dcas.conf | TLSMECHANISM | V2R1 | This new keyword can be used to select whether to use AT-TLS policies or call IBM System SSL directly. See Customizing DCAS for TLS/SSL in z/OS Communications Server: IP Configuration Guide to use either AT-TLS policies (ATTLS) or IBM System SSL (DCAS). The default is DCAS. | AT-TLS enablement for DCAS |
| dcas.conf | TLSV1ONLY | V2R1 | New parameter to control whether the supported SSL version is limited to TLSv1.0 for connections that are secured using SSL implemented by DCAS. | APAR PI28679 |
| dcas.conf | V3CIPHER | V2R1 | The existing V3CIPHER keyword is used to specify a subset of the supported SSL V3 cipher algorithms. This keyword is ignored if TLSMECHANISM is ATTLS. | AT-TLS enablement for DCAS |
| DMD configuration file | DmStackConfig | V2R1 | New parameter, DefaultLogLimit, can be used to limit the number of filter-match log messages generated for a defensive filter. | Limit defensive filter logging |
| ezatmail.cf | N/A | V2R2 | New configuration file for the sendmail to CSSMTP bridge. See z/OS Communications Server: IP Configuration Reference for more information. | sendmail to CSSMTP bridge (APAR PI71175) |
| IKE daemon configuration | IkeConfig | V2R2 | New value of 128 is supported for the IkeSyslogLevel parameter. Specifying this value results in log messages that show additional information regarding primary thread pool scheduling. | Enhanced IKED scalability |
| inetd configuration file | otelnetd | V1R13 | The z/OS UNIX Telnet server (otelnetd) supports a new parameter, -g. If it is specified, otelnetd does not issue gethostbyaddr or getnameinfo for the client IP address. | Support for bypassing host name lookup in otelnetd |
| NETRC | N/A | V1R13 | Single quotation marks to enclose a password phrase of more than one token are now allowed. | FTP support for password phrases |
| OSNMP.CONF | N/A | V2R1 | New privacy protocol value AESCFB128 can be specified in the privProto field of a statement for an SNMPv3 user, to request AES 128-bit encryption. | Network security enhancements for SNMP |
| pagent.conf (main Policy Agent configuration file) | Serverconnection ServerSSL ServerSSLV3CipherSuites | V2R1 | In z/OS V2R1 Communications Server, the centralized Policy Agent now supports TLSv1.1 and TLSv1.2 2-byte ciphers. For detailed information, see the ServerSSLV3CipherSuites parameter of the ServerConnection statement in z/OS Communications Server: IP Configuration Reference. | TLS security enhancements for Policy Agent |
| pagent.conf (main Policy Agent configuration file) | ServicesConnection/Security Basic | V2R1 | In z/OS V2R1 Communications Server, the import services between Policy Agent and IBM Configuration Assistant for z/OS Communications Server can use user-defined AT-TLS policies to create a secure SSL connection. | TLS security enhancements for Policy Agent |
| Policy client configuration file | Serverconnection ServerSSL ServerSSLv3 | V2R1 | New parameter to control whether SSLv3 is enabled for the policy client that connects to the server. | APAR PI28679 |
| Policy Agent configuration files | IDSAttackCondition | V2R1 | You can configure attack detection by using the IP_FRAGMENT value on the AttackType parameter. It detects suspicious fragmented packets for both IPv4 and IPv6, such as fragments that overlay and change the data in the packet, including changes to the length of the packet. | Enhanced IDS IP fragment attack detection |
| Policy Agent configuration files | RouteTable | V2R1 | Changed to allow the specification of IPv6 routes and IPv6 dynamic routing parameters. Three parameters are added: | IPv6 support for policy-based routing |
| Policy Agent configuration files | RoutingRule | V2R1 | Changed to allow IPv6 addresses. | IPv6 support for policy-based routing |
| Policy Agent configuration files | IDSAction | V1R13 | The following new values are provided on the ActionType Attack parameter: | Expanded Intrusion Detection Services |
| Policy Agent configuration files | IDSAttackCondition | V1R13 | New attack detection can be configured using the following new values on the AttackType parameter: The following new parameters can be configured for the new attack detection: | Expanded Intrusion Detection Services |
| Policy Agent configuration files | IDSAttackCondition | V1R13 | New attack detection can be configured using the following new values on the AttackType parameter: The following new parameters can be configured for the new attack detection: | Intrusion Detection Services support for Enterprise Extender |
| Policy Agent configuration files | IDSExclusion | V1R13 | IDSExclusion is a new statement that can be used to exclude remote peers from attack detection. | Expanded Intrusion Detection Services |
| Policy Agent configuration files | IDSScanEventcondition | V1R13 | Scan detection for ICMPv6 events can be configured using the new Icmpv6 value on the protocol parameter. IPv6 addresses can be configured for the LocalHostAddr parameter. | Expanded Intrusion Detection Services |
| Policy Agent configuration files | IDSScanExclusion | V1R13 | IPv6 addresses can be configured for the ExcludedAddrPort parameter, allowing remote peers using those addresses to be excluded from scan detection. | Expanded Intrusion Detection Services |
| Policy Agent configuration files | IDSTRCondition | V1R13 | IPv6 addresses can be configured for the LocalHostAddr parameter. | Expanded Intrusion Detection Services |
| Policy Agent configuration files | IpAddr and IpAddrSet | V1R13 | IPv6 addresses can be configured. | Expanded Intrusion Detection Services |
| Policy Agent configuration files | IpDataOffer | V1R13 | When the Integrated Cryptographic Services Facility (ICSF) is started in FIPS 140 compatibility mode and FIPS 140 is not enabled for the TCP/IP stack, the following conditions are no longer required when HowToEncrypt AES_GCM_16, HowToAuth AES_GMAC_128 or HowToAuth AES_GMAC_256 is configured: Also, for HowToEncrypt AES_GCM_16 and HowToAuth AES_GMAC_128 and AES_GMAC_256, the restriction for tunnel traffic is removed. As of V1R13, when FIPS 140 mode is enabled for TCP/IP, tunnels that use the AES-GCM or AES-GMAC combined-mode algorithm are eligible for distribution of traffic using sysplex-wide security associations (SWSA). | Enhanced IPsec support for FIPS 140 cryptographic mode |
| Policy Agent configuration files | IPv6NextHdrGroup and IPv6NextHdrRange | V1R13 | IPv6NextHdrGroup and IPv6NextHdrRange are new statements that can be referenced by the RESTRICTED_IPV6_NEXT_HDR attack type to restrict certain next header values in an inbound packet. | Expanded Intrusion Detection Services |
| Policy Agent configuration files | KeyExchangeAction | V1R13 | Removed the restriction for AllowNAT that stated that AllowNat is ignored when the IKE version 2 protocol is being used. | Network address translation traversal support for IKE version 2 |
| Policy Agent configuration files | KeyExchangePolicy | V1R13 | Removed the restriction for AllowNAT that stated that AllowNat is ignored when the IKE version 2 protocol is being used. | Network address translation traversal support for IKE version 2 |
| Policy Agent configuration files | TTLSGskAdvancedParms statement | V2R2 | This statement supports the new TTLSGskHttpCdpParms statement, the new TTLSGskOcspParms statement, and the new SSL global certificate revocation list (CRL) retrieval parameters. | AT-TLS certificate processing enhancements |
| Policy Agent configuration files | TTLSGskLdapParms | V2R2 | Supports new parameters for use in retrieving CRLs from LDAP servers. | AT-TLS certificate processing enhancements |
| Policy Agent configuration files | TTLSGskHttpCdpParms | V2R2 | New statement for use in retrieving CRLs from HTTP servers. | AT-TLS certificate processing enhancements |
| Policy Agent configuration files | TTLSGskOcspParms | V2R2 | New statement for use in retrieving CRLs from OCSP servers. | AT-TLS certificate processing enhancements |
| Policy Agent configuration files | TTLSSignatureParms statement | V2R1 | New ClientECurves and SignaturePairs parameters. | AT-TLS support for TLS v1.2 and related features |
| Policy Agent configuration files | TTLSCipherParms | V2R1 | | AT-TLS support for TLS v1.2 and related features |
| Policy Agent configuration files | TTLSEnvironmentAction | V2R1 | New SuiteBProfile parameter. | AT-TLS support for TLS v1.2 and related features |
| Policy Agent configuration files | TTLSEnvironmentAction and TTLSConnectionAction | V2R1 | New TTLSSignatureParms or TTLSSignatureParmsRef parameter. | AT-TLS support for TLS v1.2 and related features |
| Policy Agent configuration files | TTLSEnvironmentAdvancedParms | V2R2 | New value, RFC5280, added to the CertValidationMode parameter. | AT-TLS certificate processing enhancements |
| Policy Agent configuration files | TTLSEnvironmentAdvancedParms | V2R1 | New Renegotiation, RenegotiationCertCheck, and RenegotiationIndicator parameters. | AT-TLS support for TLS v1.2 and related features |
| Policy Agent configuration files | TTLSEnvironmentAdvancedParms and TTLSConnectionAdvancedParms | V2R1 | New TLSv1.2 parameter. | AT-TLS support for TLS v1.2 and related features |
| Resolver Setup File SEZAINST(RESSETUP) | CACHEREORDER | V2R2 | Added the new configuration statement to indicate that system-wide cache reordering is used. | Reordering of cached Resolver results |
| Resolver Setup File SEZAINST(RESSETUP) | NOCACHEREORDER | V2R2 | Added the new configuration statement to indicate that system-wide cache reordering is not used. This is the default value. | Reordering of cached Resolver results |
| Resolver Setup File SEZAINST(RESSETUP) | All statements | V2R1 | The resolver handles syntax errors differently depending on when the error is detected: | Resolver initialization resiliency |
| Resolver Setup File SEZAINST(RESSETUP) | UNRESPONSIVETHRESHOLD | V1R13 | New AUTOQUIESCE operand specifies whether the resolver should automatically stop forwarding DNS queries generated by an application to an unresponsive name server. You must code the GLOBALTCPIPDATA statement if you use the AUTOQUIESCE operand. | System resolver autonomic quiescing of unresponsive name servers |
| Sendmail configuration file: zOS.cf | CipherLevel | V2R1 | The z/OS UNIX sendmail CipherLevel statement now supports TLSv1.2 2-byte ciphers. | TLS security enhancements for sendmail |
| Sendmail configuration file: zOS.cf | SSLV3 | V2R1 | New parameter to control whether SSLV3 is enabled for connections that are secured using System SSL. | APAR PI28679 |
| SNMP Manager API configuration file | N/A | V2R1 | New privacy protocol value AESCFB128 can be specified in the privProto field of a statement for an SNMPv3 user, to request AES 128-bit encryption. | Network security enhancements for SNMP |
| SNMPD.CONF | USM_USER | V2R1 | New privacy protocol value AESCFB128 can be specified in the privProto field of the statement to request AES 128-bit encryption. | Network security enhancements for SNMP |
| TCPIP.Data | NOCACHEREORDER | V2R2 | New configuration statement indicates that system-wide cache reordering is not used on resolver API calls that are issued by applications that use this configuration file. | Reordering of cached Resolver results |
| zOS.cf | CipherLevel | V2R1 | The z/OS UNIX sendmail CipherLevel statement now supports TLSv1.2 2-byte ciphers. See the CipherLevel statement in the Creating the z/OS specific file topic in z/OS Communications Server: IP Configuration Guide. | TLS security enhancements for sendmail |