PI44865: ENHANCE IPSEC SUPPORT FOR CLIENTS USING DRVIPA TO INITIATE CONNECTIONS FROM LOCAL SYSPLEX DISTRIBUTOR TO TARGET SERVER

APAR status

  • Closed as new function.

Error description

  • When a client is on the same TCPIP stack as the sysplex
    distributor and initiates a connection to a target server on
    another TCPIP stack using a distributed DVIPA, the outbound
    packets are not encapsulated even when IPSEC is enabled and
    OPTLOCAL is specified on the VIPADISTRIBUTE statement for
    the sysplex distributor.
    
    When the client and the distributor are on the same TCPIP stack,
    no tunnel is formed or used for the negotiation. The connection
    still goes through the policy check to verify that it is
    allowed. Once the distributor decides that the local server
    is to be the target, communication reverts to fast local
    sockets, where outbound packets are not encapsulated; this also
    happens when the client and the distributor are on the same
    TCPIP stack and the server is on another. The initial SYN packet
    for the connection setup request flows over the IPSEC tunnel,
    but all subsequent traffic uses the fast local sockets.
    

Local fix

  • 1) Have the client initiate a connection outside the sysplex
       distributor so that fast local sockets are not used. In
       effect, the packets flowing to the selected target for the
       listener outside the distributor are encapsulated.
    
    2) If the client has to be on the same TCPIP stack as the
       distributor, then use the VIPARANGE method so that the
       server on the target system allocates the DVIPA for the
       listener. All LPARs in the sysplex must have the same
       VIPARANGE statement(s) to handle failover of a listener
       from one LPAR to another. In this case, the distributed DVIPA
       is not used and the packets flowing to the server owning
       the DVIPA are encapsulated after tunnel negotiation.
    
    KEYWORDS:
    IPSEC DRVIPA DVIPA IKED TRMD TUNNEL POLICY PAGENT OPTLOCAL
    FAST LOCAL SOCKETS SYSPLEX DISTRIBUTOR TARGET LISTENER CLIENT
    SERVER VIPADISTRIBUTE VIPARANGE
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Users of the IBM Communications Server for z/OS Version 2    *
    * Release 2 IP: Sysplex-wide Security Associations             *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * Connection fails when target stack expects traffic to be     *
    * IPSec encapsulated but IP filtering is not done for client   *
    * because the client and DVIPA are on the same stack.          *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply the PTF                                                *
    ****************************************************************
    When the client and DVIPA are on the same TCP/IP stack, traffic
    is treated as local on the outbound path even though the
    connection could be forwarded to a target on another TCP/IP
    stack. IP filtering is not done for the local traffic. If IPSec
    policy is in place to require IPSec protection, the connection
    fails when the target server receives the packet in the clear,
    without IPSec protection.
    

Problem conclusion

  • A new TCPIP profile parameter, DVLOCALFLTR, is provided on the
    IPSEC statement to enable filtering of TCP traffic between a
    client and an IPv4 dynamic VIPA defined on the same TCP/IP
    stack.
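    A constructed TCPIP profile fragment illustrating the setting this
    APAR introduces; it is not taken from the APAR or from IBM
    documentation. The addresses, port and permit-all rule are
    placeholders, and the keyword NODVLOCALFLTR and the exact keyword
    order are assumptions to verify against the IP Configuration
    Reference for your release.

```text
; Constructed TCPIP profile fragment (not from the APAR). Addresses,
; port and the permit-all rule are placeholders.
VIPADYNAMIC
  ; Distributed DVIPA. With OPTLOCAL the distributor prefers the
  ; local server when one is available, but it may still forward a
  ; connection from a client on this stack to a target server on
  ; another stack.
  VIPADEFINE 255.255.255.0 10.1.1.1
  VIPADISTRIBUTE DEFINE OPTLOCAL 0 10.1.1.1 PORT 8000 DESTIP ALL
ENDVIPADYNAMIC

; Default setting (equivalent to the pre-PTF behaviour the APAR
; describes): client-to-DVIPA TCP traffic on this stack skips IP
; filtering, so a connection forwarded to another stack arrives
; there in the clear and fails if policy requires IPSec.
; NODVLOCALFLTR is assumed to be the default keyword.
IPSEC LOGENABLE NODVLOCALFLTR
  IPSECRULE * * NOLOG PROTOCOL *
ENDIPSEC

; Corrected setting once the PTF is applied: filter local
; client-to-DVIPA TCP traffic so IPSec policy is applied before the
; connection is forwarded. A real profile codes only one IPSEC
; statement; the two are shown here side by side for comparison.
IPSEC LOGENABLE DVLOCALFLTR
  IPSECRULE * * NOLOG PROTOCOL *
ENDIPSEC
```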
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI44865

  • Reported component name

    TCP/IP V3 MVS

  • Reported component ID

    5655HAL00

  • Reported release

    220

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2015-07-13

  • Closed date

    2015-11-16

  • Last modified date

    2017-01-25

  • APAR is sysrouted FROM one or more of the following:

    PI40291

  • APAR is sysrouted TO one or more of the following:

    UI32990 UI32991

Modules/Macros

  • EZBTCFWR EZBNMSEC EZBISIOC EZBIPINB EZAI2IPF EZAISMSG EZACFYAC
    EZBTCSND EZBISEPR EZACFPSC EZACFPSE EZBIPEPR EZBISFLT EZAI2IPT
    EZANMFTR EZBIPOUT EZBTLFWR EZANMGTT EZBISGFT EZANMI   EZBTCSYN
    EZBTCRD  EZBTCRDG EZAI2CSE EZAIKA@M EZAI2XLI EZBISLVC EZAI2ISA
    EZATCADE EZAIKA@U EZBISEVT EZATDECP EZAI2CIS EZBISTTP EZAI2CCQ
    EZAI2CCR EZAPSCAN EZAI2CCX EZAIKRAD EZAIKANC EZAI2IXL EZAIKSKO
    EZATCAIN EZAI2SAP EZAI2SAQ EZAI2SAR EZBISEN6 EZATENCP EZBNMSEA
    EZAQUEWR EZAI2EXC EZAIKSMT EZAI2DSA EZACFMMN EZATHSCH EZAIKP1@
    EZAIKFIN
    

Fix information

  • Fixed component name

    TCP/IP V3 MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R220 PSY UI32990

       UP15/12/16 P F512

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: z/OS family

Software version: 220

Reference #: PI44865

Modified date: 25 January 2017