Abstract for IP Configuration Guide
Summary of changes
Changes made in z/OS Version 2 Release 1, as updated February 2015
Changes made in z/OS Version 2 Release 1, as updated September 2014
Changes made in z/OS Version 2 Release 1, as updated December 2013
Summary of changes for z/OS Version 2 Release 1
Base TCP/IP system
Overview of z/OS Communications Server
TCP/IP protocol stack
Multipath channel I/O process
Communications Storage Manager
Connectivity and gateway functions
Network protocol layer
Transport layer
File systems
Application Programming Interfaces
TCP/IP socket APIs provided by z/OS Communications Server
z/OS UNIX APIs
IP configuration overview
IPv6 support
z/OS UNIX System Services concepts
Overview of data sets and UNIX files
Hierarchical file system concepts
References to installation data sets
Understanding search orders of configuration information
Configuration data set naming conventions
Dynamic data set allocation
High-level qualifier
Middle-level qualifiers
Naming conventions for dynamically allocated data sets
TCP/IP configuration data sets
Configuration files for the TCP/IP stack
PROFILE.TCPIP search order
Examples
Example when DD cards are in your TCP/IP startup procedure
Example when no DD cards are in your TCP/IP startup procedure
TCPIP.DATA search order
Configuration files for TCP/IP applications
Environment variables
MVS-related considerations
MVS system symbols
Automatic restart manager
Logging of system messages
Accounting - SMF records
Security considerations
Nonreusable ASIDs
TSO command authorization
UNIX System Services security considerations
Requirement for an OMVS segment
Authorization of TCP/IP started task user ID
Other user IDs requiring z/OS UNIX superuser authority
BPX.DAEMON FACILITY class profile
Program control
Defining TCP/IP as a UNIX System Services physical file system
Performance considerations
Fast path support
TCP receive window
Considerations for multiple instances of TCP/IP
Common INET PFS
Port management overview
Generic server versus server with affinity for a specific transport provider
Generic server
Server with an affinity for a specific transport provider
Generic servers in a CINET environment
Port reservation across multiple transport providers
Ephemeral ports
Selecting a stack when running multiple instances of TCP/IP
Standard servers and clients
Nonstandard servers and clients
TCP/IP TSO clients
Selecting configuration data sets
Sharing resolver configuration data sets
Specifying BPXPRMxx values for a CINET configuration
Considerations for Enterprise Extender
Considerations for VIPA
Considerations for Fast Response Cache Accelerator
Considerations for extended address volumes
Considerations for networking hardware attachment
OSA-Express feature in QDIO mode
Steps for converting from IPv4 IPAQENET DEVICE, LINK, and HOME definitions to the IPv4 IPAQENET INTERFACE statement
Virtual LAN
OSA VLAN
OSA routing
OSA-Express virtual MAC routing
Primary router
Relationship of VLAN and primary router
Network configuration strategy with VLAN
VLAN switch concepts
VLAN configuration recommendations
OSA-Express port sharing
OSA-Express connection isolation
ARP offload and VIPA ARP processing
Checksum offload
TCP segmentation offload
Dynamic LAN idle timer
Optimized latency mode
QDIO inbound workload queueing
Steps for enabling QDIO inbound workload queueing
Displaying OSA-Express QDIO interface information
HiperSockets concepts and connectivity
Steps for converting from IPv4 IPAQIDIO DEVICE, LINK, and HOME definitions to the IPv4 IPAQIDIO INTERFACE statement
Concepts and considerations for the IQD CHPID
HiperSockets and VLAN
Steps for configuring virtual LANs for a HiperSockets CHPID
Planning for IQD CHPID spanning
The HiperSockets MPC group
HiperSockets maximum frame size
Modifying HiperSockets connectivity [TCP/IP device and link and the VTAM HiperSockets MPC group (IUTIQDIO)]
HiperSockets connectivity and routing
Efficient routing using HiperSockets Accelerator
HiperSockets multiple write
HiperSockets multiple write assist with IBM zIIP
QDIO Accelerator
QDIO Accelerator and IP security
Steps to allow QDIO Accelerator to forward routed traffic when IP security is enabled
OSA-Express network traffic analyzer trace
Synchronization of OSA-Express2 or later diagnostic data
Prioritizing outbound OSA-Express data using the Workload Manager service class
Fixed storage requirements for OSA-Express QDIO and HiperSockets interfaces
Using TEMPIP interfaces
Guidelines for using TEMPIP interfaces
Determining the maximum transmission unit
Considerations for multiple servers sharing a TCP port
Considerations for Common Information Model providers
Required steps before starting TCP/IP
Planning your installation and migration
Step 1: Install z/OS Communications Server
Verifying the initial installation
Step 2: Customize z/OS Communications Server
Making SYS1.PARMLIB changes
Common z/OS UNIX configuration problems
Step 3: Configure VMCF and TNF
Restartable subsystems
Non-restartable subsystems
VMCF commands
Common VMCF problems
IUCV/VMCF considerations
Step 4: Update the VTAM application definitions
Step 5: Verify that the required address spaces are active
Step 6: Start the TCP/IP address space
Step 7: Set up cataloged procedures and configuration data sets
Security
Application security
TCP/IP resource protection
Local user access control to TCP/IP resources using SAF
Stack access control
Port access control
Controlling access to particular ports
Controlling access to unreserved ports
Using the PORT statement to control access to all unreserved ports
Using the RESTRICTLOWPORTS parameter to control access to unreserved ports below port 1024
Network access control
OSM access control
Socket option access control
SO_BROADCAST socket option
IPv6 advanced socket API options
TCP/IP applications that set IPv6 advanced socket API options
Netstat access control
Fast Response Cache Accelerator access control
TCP/IP stack initialization access control
TCP/IP packet trace service access control
TCP connection information service access control
Real-time SMF information service access control
TCP/IP OSAENTA trace service access control
IPSec network management interface access control
CIM provider access control
Real-time application-controlled TCP/IP trace NMI access control
Syslogd isolation
IP filtering
Security considerations for the VARY command
Multilevel security
Network security principles
Cryptography: The foundation of good security
Cryptographic standards and FIPS 140
End to end security
Workload-based security deployment
Existing workload
New workload
Network security protocols
IPSec and VPNs
Hardware features for encryption, decryption and hashing
Additional IPSec assist using System z Integrated Information Processor (zIIP IP security)
SSL and TLS
TN3270E Telnet server security
Multiple port support
Secure and non-secure connections using a single Telnet port
Express Logon Feature
TLS-enabled FTP
Application Transparent Transport Layer Security
Kerberos
OSPF authentication
SNMPv3
Security event reporting: Integrated intrusion detection services
Defensive filtering
Network security services for the IPSec discipline
Network security services for the XMLAppliance discipline
Preparing for IP networking in a multilevel secure environment
Understanding multilevel security concepts
Multilevel secure networking
Nonsecure systems
Managed systems
Multilevel secure systems
z/OS Communications Server TCP/IP stacks on z/OS multilevel secure systems
Restricted stacks
Unrestricted stacks
Stack recognition of a multilevel secure environment
Common INET in a multilevel secure environment
Network security zones
IBM zEnterprise System ensemble
Where your z/OS systems fit in your network
Planning stacks on your z/OS systems
Required configuration in a multilevel secure environment
Considerations for IPv6-enabled stacks
Deciding whether to use restricted or unrestricted stacks
Configuring a restricted stack
Configuring an unrestricted stack
Steps for configuring global definitions for all stacks
Exempting certain users of certain programs from full Network Access Control
Configuring stack sysplex features in a multilevel secure environment
Defining security labels on other profiles in the SERVAUTH class
Planning your multilevel secure network
Planning for interactive UNIX System Services users in a multilevel secure environment
Steps for creating a separate home directory for each security label
Steps for setting stack affinity by security label
Host and domain name by security label
Steps for creating a separate resolver configuration file for each security label
Planning for applications in a multilevel secure environment
Configuring z/OS CS applications in a multilevel secure environment
Trusted network administration server applications
OMPROUTE
Steps for avoiding adjacency failures
Resolver
SNTPD
TIMED
TRMD
z/OS syslog daemon (syslogd)
z/OS UNIX Policy Agent
Trusted multilevel secure server applications
TN3270E Telnet server
z/OS UNIX FTP server
z/OS UNIX rpcbind server
z/OS UNIX INET daemon
Trusted single-level secure server applications
SMTP server (SMTPPROC)
TFTP
Steps for running a separate instance of TFTP for each security label
TSO REXEC and RSH servers
z/OS UNIX sendmail
Considerations for sendmail daemons
Considerations for sendmail clients and sendmail MSP
Other considerations
Steps for setting up and running sendmail in a multiple security label environment
Network administration client applications
nsupdate
Netstat
pasearch
Ping
Traceroute
trmdstat
IBM zEnterprise System platform management applications
General user client applications
Network management interfaces
Real-time application-controlled TCP/IP trace NMI
Unsupported applications
Changing your multilevel secure networking environment
TCP/IP Customization
Configuring the syslog daemon
Starting and stopping syslogd
Configuring syslogd to receive remote messages
Improving the efficiency of syslogd remote logging functions
Security considerations
Availability considerations
Additional considerations
Offloading log files
Setting permissions for log files and directories
Configuring syslogd for automatic archiving
Steps for configuring the events that trigger automatic archival
Steps for configuring the archive details for each z/OS UNIX file
Using syslogd for z/OS UNIX application programs
Usage notes
Diagnosing syslogd configuration problems
Syslog daemon name/token pair and ECSA storage mapping
Configuring TCPIP.DATA
Use of TCPIP.DATA and /etc/resolv.conf
Creating TCPIP.DATA
TCPIP.DATA statements
Using MVS system symbols in TCPIP.DATA
Configuring PROFILE.TCPIP
Changing configuration information
Setting up TCP/IP operating characteristics in PROFILE.TCPIP
Source IP address selection
How TCP/IP selects a source IP address
Ephemeral port selection
Port selection interactions
Setting up physical characteristics in PROFILE.TCPIP
Devices that support ARP offload
Interface-layer fault-tolerance for local area networks (interface-takeover function)
IPv6 considerations: Stateless autoconfiguration and duplicate address detection
Setting up reserved port number definitions in PROFILE.TCPIP
Setting up the System Authorization Facility server access authorization class (optional)
Configuring the local host table (optional)
Creating HOSTS.LOCAL site host table
HOST entries
NET and GATEWAY entries
Sample HOSTS.LOCAL data set (HOSTS)
Using MAKESITE
Creating /etc/hosts
Creating ETC.IPNODES and /etc/ipnodes
Verifying your configuration
Verifying TCPIP.DATA statement values in the native MVS environment
Verifying TCPIP.DATA statement values in the z/OS UNIX environment
Verifying PROFILE.TCPIP
Verifying interfaces with Ping and Traceroute
Verifying local name resolution with TESTSITE
Verifying PROFILE.TCPIP and TCPIP.DATA using HOMETEST
Verifying your X Window System installation (Optional)
Verifying the X Window X11R4 System installation
Verifying the X Window X11R6 System installation
Customizing TCP/IP messages
Customizing message catalogs
Message format
Rules for modifying messages
Steps for creating a modified message catalog
Customizing message data sets
Message text
Message format
Rules for customizing the messages
Routing
Routing terminology
General terms
Interior Gateway Protocols
Route selection algorithm
The sample network
IPv4 static routing
Replaceable static routes
IPv6 static routing
Replaceable static routes
Static routing configuration examples
z/OS TCPCS4
z/OS TCPCS7
IPv4 dynamic routing using OMPROUTE
Open Shortest Path First
Routing Information Protocol
IPv6 dynamic routing using router discovery
Multiple routes from router advertisements
IPv6 dynamic routing using OMPROUTE
IPv6 OSPF protocol
IPv6 RIP protocol
OMPROUTE configuration
Run-time environment
Language Environment run-time considerations
OMPROUTE tuning considerations
Multiple TCP/IP stacks
TCP/IP stack routing table management
Using RIP, IPv6 RIP, OSPF, and IPv6 OSPF with OMPROUTE
Token-ring multicast
Virtual IP addresses
Service policy
Multiple equal-cost routes
Sysplex autonomics
Steps for configuring OMPROUTE
Starting and controlling OMPROUTE
OMPROUTE parameters
The -tn and -6tn command line parameters
The -dn, -6dn, and -sn command line parameters
Controlling OMPROUTE
Stopping OMPROUTE
Rereading the configuration file
Enabling or disabling the OMPROUTE subagent
Changing the cost of OSPF links
Controlling OMPROUTE tracing and debugging
Steps for configuring OSPF and RIP (IPv4 and IPv6)
Minimizing the routing responsibility of z/OS Communications Server
Preventing futile neighbor state loops during adjacency formation
Verification of OMPROUTE IPv4 configuration and state
Displaying all OSPF configuration information
Displaying information about configured OSPF areas
Displaying configuration information about configured OSPF interfaces
Displaying information about configured Non-broadcast Multiple Access OSPF interfaces
Displaying information about configured OSPF virtual links
Displaying information about configured OSPF neighbors
Displaying the contents of a single OSPF link state advertisement
Displaying statistics and parameters for OSPF areas
Displaying the list of AS external advertisements
Displaying a list of non-AS external advertisements
Displaying current, run-time statistics and parameters for OSPF interfaces
Displaying current, run-time statistics and parameters for a specific OSPF interface
Displaying current, run-time statistics and parameters for OSPF neighbors
Displaying current run-time statistics and parameters for a specific OSPF neighbor
Displaying routes to other routers that have been calculated by OSPF
Displaying the number of LSAs currently in the link state database
Displaying statistics generated by the OSPF routing protocol
Displaying all of the RIP configuration information
Displaying information about configured RIP interfaces
Displaying the routes to be unconditionally accepted
Displaying current run-time information about RIP interfaces
Displaying current run-time information about a specific RIP interface
Displaying the global RIP filters
Displaying the routes in the OMPROUTE main routing table
Displaying the routes to a specific destination in the main routing table
Displaying the routes in all OMPROUTE IPv4 policy-based routing tables
Displaying the routes in an OMPROUTE IPv4 policy-based routing table
Displaying the routes to a specific destination in an IPv4 policy-based routing table
Displaying all of the generic configuration information
Displaying information about configured generic interfaces
Displaying current run-time information about generic interfaces
Verification of OMPROUTE IPv6 configuration and state
Displaying all IPv6 OSPF information
Displaying IPv6 OSPF area statistics and parameters
Displaying IPv6 OSPF interface statistics and parameters
Displaying statistics and parameters for a specific IPv6 OSPF interface
Displaying IPv6 OSPF virtual link statistics and parameters
Displaying statistics and parameters for a specific IPv6 OSPF virtual link
Displaying IPv6 OSPF neighbor statistics and parameters
Displaying statistics and parameters for a specific IPv6 OSPF neighbor
Displaying IPv6 OSPF link state database statistics
Displaying IPv6 OSPF link state advertisement
Displaying IPv6 OSPF external advertisements
Displaying IPv6 OSPF area link state database
Displaying IPv6 OSPF router routes
Displaying IPv6 OSPF routing protocol statistics
Displaying all of the IPv6 RIP information
Displaying information about IPv6 RIP interfaces
Displaying information about a specific IPv6 RIP interface
Displaying the routes to be unconditionally accepted by IPv6 RIP
Displaying the global IPv6 RIP filters
Displaying the routes in the OMPROUTE IPv6 main routing table
Displaying the routes to a specific destination in the IPv6 main routing table
Displaying the routes in all OMPROUTE IPv6 policy-based routing tables
Displaying the routes in an OMPROUTE IPv6 policy-based routing table
Displaying the routes to a specific destination in an IPv6 policy-based routing table
Displaying all of the IPv6 generic information
Displaying information about IPv6 generic interfaces
Displaying information about a specific IPv6 generic interface
Sample OMPROUTE configuration files
Policy-based routing
Options for configuring policy-based routing
Option 1: Use the IBM Configuration Assistant for z/OS Communications Server
Option 2: Manual configuration
Specifying the routing configuration file based on Policy Agent role
Routing policy configuration
Routing rules
Routing actions
Routing tables
Getting started with policy-based routing
Configuring policy-based routing
Considerations for using policy-based routing with IP security
Considerations for mixed routing environments
Use of static routing with OMPROUTE
Use of IPv6 static routing with router advertisements
Use of policy-based routing with static or dynamic routing
Verifying static, dynamic, and policy-based routing
Verifying connections with Netstat, Ping, and Traceroute
Virtual IP Addressing
Terminology
Introduction to VIPA
Moving a VIPA (for TCP/IP outage)
Static VIPAs, dynamic VIPAs, distributed DVIPAs
Using static VIPAs
Steps for configuring static VIPAs for a z/OS TCP/IP stack
Steps for converting from IPv4 VIRTUAL DEVICE, LINK, and HOME definitions to the IPv4 VIRTUAL INTERFACE statement
Configuring static VIPAs for Enterprise Extender
Considerations when using static VIPAs with IPv6
Planning for static VIPA takeover and takeback
Using dynamic VIPAs
Configuring DVIPA support
Planning for dynamic VIPA takeover
Manually initiating takeover for an individual dynamic VIPA
Different application uses of IP addresses and DVIPAs
Configuring dynamic VIPAs
Configuring the multiple application-instance scenario
Configuring the unique application-instance scenario
Use of the SIOCSVIPA or SIOCSVIPA6 ioctl command
Using the MODDVIPA utility
Input parameters
Output
Examples
Defining a security profile for SIOCSVIPA, SIOCSVIPA6, and MODDVIPA
Steps for controlling which applications can issue a SIOCSVIPA ioctl call or call the MODDVIPA utility to create a DVIPA
Steps for controlling whether an application can issue a SIOCSVIPA ioctl call or call the MODDVIPA utility to create a DVIPA within a specific VIPARANGE subnet
Choosing which form of dynamic VIPA support to use
Configuring distributed DVIPAs — sysplex distributor
Manually quiescing DVIPA sysplex distributor server applications
Route selection for distributing packets
Generic routing encapsulation
Fragmentation considerations
Dynamic port assignment
Sysplex-wide source VIPA
Sysplex-wide source VIPAs for TCP connections
SYSPLEXPORTS
GLOBALCONFIG EXPLICITBINDPORTRANGE
Timed affinities
Sysplex-Wide Security Associations
DVIPA takeover
Sysplex distributor
Using IPSec with DVIPAs and sysplex distributor
Loss of access to coupling facility
Resolution of dynamic VIPA conflicts
Restart of the original VIPADEFINE TCP/IP after an outage
VIPADEFINE MOVEABLE IMMEDIATE
VIPADEFINE MOVEABLE WHENIDLE
Movement of unique application-instance (BIND)
VIPARANGE (DEFINE) MOVEABLE NONDISRUPTIVE
VIPARANGE (DEFINE) MOVEABLE DISRUPTIVE
Defining a security profile for binding to DVIPAs in the VIPARANGE statement
Steps for controlling which applications can bind to create a DVIPA
Steps for controlling whether an application can bind to create a DVIPA within a specific VIPARANGE subnet
Movement of a unique APF-authorized application instance (ioctl)
VIPARANGE (DEFINE) MOVEABLE NONDISRUPTIVE
VIPARANGE (DEFINE) MOVEABLE DISRUPTIVE
Same dynamic VIPA for VIPADEFINE and BIND(), SIOCSVIPA or SIOCSVIPA6 ioctl, or MODDVIPA utility
Dynamic VIPA creation results
TIER1, TIER2, and CPCSCOPE keyword DVIPA contention resolution
IPv6 considerations
VIPARANGE
VIPADEFINE and VIPABACKUP
Unique application-instance scenario and IPv6-enabled applications
VIPAs, OSA-Express QDIO, and Spanning Tree Protocol
Mixture of types of dynamic VIPAs within subnets
MVS failure and sysplex failure management
Applications and dynamic VIPAs
Configuring VIPAs for activation with VIPABACKUP
Example of configuring dynamic and distributed VIPAs
Verifying the DVIPAs in a sysplex
Using Netstat support to verify dynamic VIPA configuration
Verifying sysplex distributor workload
Dynamic VIPAs and routing protocols
IPv4 considerations for OMPROUTE
IPv4 considerations for Routing Information Protocol
IPv6 considerations
TCP/IP in a sysplex
Connectivity in a sysplex
Sysplex subplexing
TCP/IP and VTAM subplex concepts and example
Setting up a subplex
Steps for preparing your sysplex for subplexing
Steps for partitioning a set of TCP/IP stacks in a sysplex into a subplex
Dynamic XCF
Getting started with dynamic XCF
Dynamic XCF for IPv4 addresses
Scenario number 1
Scenario number 2
Scenario number 3
Dynamic XCF for IPv6 addresses
Scenario number 1
Scenario number 2
IUTSAMEH
XCF
Examples of definitions generated by dynamic XCF
Deleting dynamically defined XCF devices
HiperSockets
Network interfaces monitoring
Sysplex problem detection and recovery
Problem detection
Recovery
Setting TIMERSECS
Summary of problems monitored and actions taken
Target server connection setup responsiveness monitoring
TSR
CER
Workload balancing
Single systemwide image
Horizontal growth
Ease of management
Internal load balancing solutions
Sysplex-aware external load balancing solutions
External IP workload balancing solutions
Choosing a load balancing solution
Sysplex distributor
BASEWLM - Distribution using WLM system weights
SERVERWLM - Distribution using WLM server-specific weights
Choosing between the BASEWLM and SERVERWLM distribution methods
BASEWLM and SERVERWLM display example
WEIGHTEDACTIVE - Distribution based on active connection load
Choosing between RoundRobin and WeightedActive distribution
Hot standby distribution
Steps for configuring hot standby distribution
Hot standby configuration example
Timed affinity
SHAREPORT
QDIO Accelerator
QDIO inbound workload queueing
Optimizing local connections
Policy interactions
Steps for enabling Policy Agent load distribution functions
Optimized connection load balancing using sysplex distributor in a network with Cisco routers (IPv4 only)
Steps for setting up sysplex distributor to be the service manager for the Cisco MNLB (IPv4 only)
Sysplex distribution optimizations for multi-tier z/OS workloads
Sysplex distributor optimization with the OPTLOCAL keyword
Sysplex distributor enhanced workload distribution for z/OS multi-tier, OPTLOCAL configurations
Sysplex distributor enhanced workload distribution for z/OS multi-tier, OPTLOCAL configurations with CPC affinity
Sysplex distribution with DataPower
Scenario 1 overview - sysplex distributor load balancing to DataPower
Steps for configuring scenario 1 - sysplex distributor load balancing to DataPower
Configure sysplex distributor tier 1 distributed DVIPAs and ports
Configure DataPower appliances to work with a tier 1 sysplex distributor and act as targets of the tier 1 DVIPAs and ports
Configure a distributed DVIPA for the target z/OS application servers used by the group of DataPower appliances (optional)
Scenario 2 overview - sysplex distributor load balancing to DataPower in a multi-tier and multisite environment
Steps for configuring scenario 2 - sysplex distributor load balancing to DataPower in a multi-tier and multisite environment
Configure sysplex distributor tier 1 distributed DVIPAs and ports
Configure DataPower appliances to work with a tier 1 sysplex distributor and act as targets of the tier 1 DVIPAs and ports
Configure tier 2 distributed DVIPAs for each CPC containing target servers used by a group of DataPower appliances
Configure a CPCSCOPE dynamic VIPA for each CPC for use by a group of DataPower target applications
TCP/IP in an ensemble
Steps for configuring an interface for the intraensemble data network (CHPID type OSX)
HiperSockets connectivity to the intraensemble data network
Operating and managing IEDN-enabled HiperSockets interfaces
Performance considerations for the IEDN-enabled HiperSockets function
Steps for enabling HiperSockets access to the intraensemble data network
Steps for enabling IPv6 on a stack for access to the intranode management network
Steps for using the intranode management network (CHPID type OSM)
Routing considerations for the intraensemble data network
OMPROUTE considerations for the intraensemble data network
Sysplex distributor considerations for the intraensemble data network
Multilevel security and network access control considerations
Shared Memory Communications over Remote Direct Memory Access
Shared Memory Communications over RDMA terms and concepts
Remote Direct Memory Access over Converged Ethernet
Comparing 10GbE RoCE Express feature environments
Dedicated RoCE environment
Shared RoCE environment
Rendezvous processing
SMC-R links
SMC-R link groups
Remote memory buffers
Staging buffers
Using Shared Memory Communications over RDMA
Configuration considerations for Shared Memory Communications over RDMA
VLANID considerations
Physical network considerations
High availability considerations
Storage considerations
SMC-R real memory requirements
Steps for estimating minimum SMC-R real memory requirements
TCP/IP variable SMC-R storage allocations
System requirements for SMC-R in a dedicated RoCE environment
System requirements for SMC-R in a shared RoCE environment
Setting up the environment for Shared Memory Communications over RDMA
Configuring Shared Memory Communications over RDMA
SMC-R interactions with other z/OS Communications Server functions
Sysplex distributor
Security functions
Intrusion detection services (IDS)
TCP keepalive
TCP application data transfer options
Packet trace
RoCE maximum transmission unit
Managing SMC-R communications
Managing your 10GbE RoCE Express interfaces
Steps for dynamically adding an IBM 10GbE RoCE Express interface
Steps for dynamically removing an IBM 10GbE RoCE Express interface
Displaying SMC-R information
Monitoring SMC-R information
Network Management Interface
SMF records
SNMP
VTAM displays and tuning statistics
Steps for stopping SMC-R
Server applications
Network connectivity with an SNA network
SNALINK LU0 environment
Understanding the SNALINK environment
Configuring SNALINK LU0
Step 1: Specify configuration statements in hlq.PROFILE.TCPIP
Defining SNA DLC links
Defining NCPROUTE and 3745 LAN attachments
Step 2: Update the SNALINK cataloged procedure
Step 3: Define the SNALINK application to VTAM
VTAM considerations
Step 4: Configure PPT for SNALINK LU0
Stopping and starting SNALINK
Sample console
Verifying connection status using Netstat DEVLINKS/-d
Controlling the SNALINK LU0 interface with the MODIFY command
SNALINK LU6.2
Configuring SNALINK LU6.2
Step 1: Specify DEVICE and LINK statements in hlq.PROFILE.TCPIP
Step 2: Update the SNALINK LU6.2 cataloged procedure
Step 3: Define the SNALINK LU6.2 application to VTAM
Step 4: Update the SNALINK LU6.2 configuration data set
Sample console
X.25 NCP Packet Switching Interface
Configuring X.25 NPSI
Step 1: Specify X.25 configuration statements in hlq.PROFILE.TCPIP
Step 2: Update the X.25 NPSI cataloged procedure
Step 3: Update the X.25 NPSI server configuration data set
Step 4: Define the X.25 NPSI configuration
Step 5: Define the X.25 NPSI application to VTAM
Step 6: Define VTAM switched circuits
NCPROUTE
Understanding the NCPROUTE environment
Server requirements
NCPROUTE operation
NCPROUTE gateways
Passive RIP route
External RIP route
RIP route advertising rules
NCPROUTE active gateways
NCPROUTE gateways summary
RIP input/output filters
Configuring NCPROUTE
Step 1: Specify configuration statements in hlq.PROFILE.TCPIP
Step 2: Configure VTAM and SNALINK applications
Step 3: Configure the IP over CDLC DEVICE and LINK statements
Step 4: Update the NCPROUTE cataloged procedure
Step 5: Update hlq.ETC.SERVICES
Step 6: Configure the host-dependent NCP clients
Generating the routing information tables
Determining the gateway route table name
NCST session interface definition
Channel PU interface definition
NCP host interface definition
Step 7: Configure the NCPROUTE profile data set (Optional)
Step 8: Configure the NCPROUTE gateways data set (Optional)
Configuring a passive route
Configuring an external route
Configuring an active gateway
Configuring a default route
Configuration examples
Step 9: Define a directly connected host route for the NCST session
Controlling the NCPROUTE address space with the MODIFY command
Accessing remote hosts using Telnet
The TN3270E Telnet server
Steps for starting the TN3270E Telnet server
Steps for defining security for a user ID and associating the user ID with the Telnet procedure name
Steps for customizing the VTAM configuration data set for Telnet
The TN3270E Telnet server configuration data set
Steps for customizing the TN3270E Telnet server configuration data set
Telnet CTRACE
Managing Telnet
Telnet commands
Using the VARY TCPIP,tnproc,OBEYFILE command to update Telnet configuration
OMVS shutdown
Telnet diagnostic tools
DEBUG messages
MSG07
Abend trap
TESTMODE
Displays
Tracing
Telnet configuration data set customization details
Associating Telnet with one TCP/IP stack
Shared LU name groups for Telnet servers
Steps for defining a LUNS and a LUNR
Qualified ports
Multiple ports
Connection mode choices
TN3270 Enhanced
TN3270
Linemode
Connection security
Data overrun security
MAXRECEIVE
MAXREQSESS
MAXRUCHAIN
MAXTCPSENDQ
MAXVTAMSENDQ
Auto-reconnect loop
Transport Layer Security
Network Access Control
Connection persistence
The INACTIVE family of timers
SCANINTERVAL and TIMEMARK
Setting the timers
MSG07 and LUSESSIONPEND
Mapping Objects to Client Identifiers
Objects
Client Identifiers
Client Identifier selection rules
The mapping rule search order
Examples
Object assignment examples
Client mappings
LU name mapping statements
DEFAULTLUS
DEFAULTPRT
LUMAP, PRTMAP, LUGROUP, PRTGROUP
LU range specification
SEQUENTIALLU
Application mapping statements
DEFAULTAPPL
PRTDEFAULTAPPL and LINEMODEAPPL
USSTCP
INTERPTCP
Resolving DEFAULTAPPL and USS table conflicts
ALLOWAPPL
RESTRICTAPPL
Connection parameters mapping statement
Advanced LU name mapping topics
Generic and Specific connection requests
Default LU groups
Mapping groups to Client Identifiers
LU name assignment user exit
Associated printer function
Drop the printer connection when dropping the terminal connection
Map default application and ParmsGroup by LU group
Multiple LUMAP statements
Keep LU for the Client Identifier
LU group capacity warning
LU mapping by application name
LU mapping selection rules
TN3270E LU mapping
TN3270 LU mapping
LU mapping with multilevel security active
Advanced application topics
Connection information passed on the CINIT control vector 64
Session initiation management (LOGAPPL, QINIT, FIRSTONLY, and DEFONLY)
Check client connection and connection/session takeover
Queueing sessions
Disconnect on session error
Bypass RESTRICTAPPL with CERTAUTH
Allow printer sessions with RESTRICTAPPL
Keeping the ACB open
Express Logon Feature
Device types and logmode considerations
Using the Telnet solicitor or USS logon screen
Using the Telnet solicitor logon screen
Using the Telnet USS and INTERPRET support
USS table customization
Creating a USS table
Considerations when using mixed-case passwords
INTERPRET table customization
Creating an INTERPRET table
Assemble, link, and load a table
SMF
Connection monitoring mapping statement
Collecting response time data
Average response time data collection
Life-of-connection response time averages
Sliding-window response time averages
Variance and standard deviation of response time averages
Time buckets
Reducing demand for ECSA storage
Configuring the z/OS UNIX Telnet server
Installation information
Environment variables
Starting, stopping, and administration of z/OS UNIX Telnet
otelnetd
SMF record handling
BPX.DAEMON considerations
Kerberos
Transferring files using FTP
Configuring PROFILE.TCPIP for FTP
Configuring ETC.SERVICES
Configuring /etc/syslog.conf
Configuring the FTPD cataloged procedure
Security for the FTP server
(Optional) Steps for activating and defining the SERVAUTH class
Steps for setting up security for your FTP server
Steps for controlling user access to the FTP server
Steps for setting up a port of entry for users of the FTP server
(Optional) Steps for controlling user access to the z/OS UNIX file system
Preventing exploitation of your FTP server
(Optional) Assigning password phrases to user IDs that are used to log in to the FTP server
Defining environment variables for the FTP server (optional)
Using _FTPXLATE_name for translation
Using TZ and other UNIX environment variables
Using _BPX_JOBNAME for similar job names
Using _BPXK_SETIBMOPT_TRANSPORT for an affinity to a specific stack
Configuring FTP with multiple TCP/IP stacks
Configuring TCPIP.DATA for FTP
Configuring FTP.DATA
Optionally configuring user-level server options using FTPS.RC
Data set attributes
Specifying attributes for new MVS data sets
Dynamic allocation
Storage Management Subsystem
Translation of data
z/OS UNIX named pipes
FTP code page conversion
Code page conversions for the control connection
Priority
Code page conversions for the data connection
Priority for single-byte conversions
Multibyte character sets (MBCS) support
Master catalog access
Customizing FTP message catalogs
Steps for creating a message catalog from the shipped catalog and preserving its timestamp
Accounting
Configure the FTP server for SMF (optional)
Customizing Transport Layer Security and Kerberos security
Steps for customizing the FTP server for TLS
Steps for customizing the FTP server for Kerberos
Steps for customizing the FTP client for TLS
Steps for customizing the FTP client for Kerberos
Port 990
Steps for migrating the FTP server and client to use AT-TLS
Traversing firewalls with SSL/TLS secure FTP
DB2 and JES
Configuring the optional FTP user exits
The FTPSMFEX user exit (for the FTP server)
The FTCHKIP user exit (for the FTP server)
The FTCHKPWD user exit (for the FTP server)
The FTCHKCMD user exit (for the FTP server)
The FTCHKJES user exit (for the FTP server)
The FTPOSTPR user exit (for the FTP server)
The EZAFCCMD user exit (for the FTP client)
The EZAFCREP user exit (for the FTP client)
Customizing the FTP-to-JES interface for JESINTERFACELevel 2 (optional)
Configuring the FTP server for anonymous FTP (optional)
Creating an anonymous directory structure in the z/OS UNIX file system
Configure the welcome banner page, login, and directory message (optional)
Using magic cookies to represent information
Configuring the FTP server to log session (user ID) activity
Configuring to send detailed login failure replies to an FTP client (optional)
Install the SQL query function (optional) and access the DB2 modules
Accessing DB2 modules
FTP.DATA updates for SQL query function
Verifying the FTP server
Verifying the FTP client
Verifying FTP.DATA statements
Verifying anonymous, banner, and other optional configuration information
Verifying the FTP-JES interface (optional)
Trivial File Transfer Protocol
Starting TFTP from the command line
Starting TFTPD as a procedure
Stopping the TFTP server
The resolver
DNS overview
Domain names
Domain name servers
Authoritative servers
Master name servers
Secondary name servers
Caching-only servers
Forwarders
Stealth server
Resolvers
Resolver directives for nslookup
Resolver directives for dig
Query Packets
Resource Records
Querying name servers
nslookup command
Entering the interactive mode
Entering the command line mode
nslookup configuration
Recommended reading
Resolver API calls
Starting the resolver
The default resolver settings
Customizing the resolver
The resolver setup file
Resolver processing of the setup file when the resolver is started
The resolver and the global TCPIP.DATA file
Steps for creating a resolver setup file
The resolver address space
Steps for defining the resolver address space
Managing the resolver address space
Steps for manually restarting the resolver
Steps for applying an interim fix to the resolver
IPv6 name servers and the resolver
Resolver functions
Resolver caching
Information that is cached by the resolver
The organization of the cached data
Steps for configuring resolver caching (optional)
Steps for disabling caching for selected applications
Managing the cache size and cache storage
Steps for manually managing the storage capacity of the resolver cache
Step for deleting cache entries
Step for displaying the contents of the cache
Migrating from a local caching-only name server to resolver caching
Monitoring the responsiveness of Domain Name System name servers
Network operator notification
Messages generated by the resolver for the network operator notification function
Diagnosing problems with unresponsive name servers
Autonomic quiescing of unresponsive name servers
Messages generated by the resolver for the autonomic quiescing of unresponsive name servers function
How the resolver polls unresponsive name servers
Examples of resolver monitoring of DNS name servers
Optimizing the UNRESPONSIVETHRESHOLD value for your network
Steps for modifying the UNRESPONSIVETHRESHOLD value
Extension Mechanisms for DNS standards and the resolver
Resolver configuration files
z/OS XL C/C++ environment variables for configuration files
Setting z/OS XL C/C++ environment variables
Setting z/OS XL C/C++ environment variables from the z/OS shell
Setting z/OS XL C/C++ environment variables from JCL
Search orders used in the z/OS UNIX environment
Base resolver configuration files
Translate tables
Local host tables
IPv4-unique search order for sitename information
IPv4-unique search order for address information
IPv6/common search order
Protocol information
Services information
Host alias table
Search orders used in the native MVS environment
Base resolver configuration files
Translate tables
Local host tables
IPv4-unique search order for sitename information
IPv4-unique search order for address information
IPv6/common search order
Protocol information
Services information
Policy-based networking
Policy types and infrastructure overview
Configuration files and policy definition files
Managing changes to configuration files and policy definition files
Storing configuration files and policy definition files
Steps for managing policy changes
Policy infrastructure components
TCP/IP stack
Policy Agent
Policy Agent roles
Policy Agent services
Policy Agent policies
Configuration file import services
Additional QoS services
Policy API
Traffic regulation management daemon
IKE daemon
Network security services daemon
Defense Manager daemon
SNMP Network SLAPM2 subagent
Sample policy infrastructure
Policy sample files
Policy types
QoS policy
IDS policy
IPSec policy
AT-TLS policy
Policy-based routing policy
Policy configuration files
Steps for configuring the Policy Agent
Step 1: Configure general information
Step 2: Configure Policy Agent as a policy server
Step 3: Configure Policy Agent as a policy client
Step 4: Configure policies in Policy Agent configuration files
Step 5: Configure Policy Agent to use the LDAP server using the ReadFromDirectory statement
Step 6: Configure Policy Agent for configuration file import services
Step 7: Configuring Policy Agent to automatically monitor applications
Add SSL to Policy Agent connections
Starting and stopping the Policy Agent
AUTOLOG considerations
Specifying environment variables
Main configuration file search order
Other considerations when starting the Policy Agent
Stopping the Policy Agent
Refreshing policies
FLUSH and PURGE considerations
Switching between local and remote policies
Verifying that policies are correctly defined and functioning properly
Quality of service
Differentiated Services policies
Integrated Services policies
Sysplex distributor policies
QoS-specific Policy Agent functions
Sysplex distributor policy performance monitoring configuration
Policy performance collection configuration
IPv4 type of service or IPv6 traffic class mapping configuration
Options for configuring QoS
Option 1: Use the IBM Configuration Assistant for z/OS Communications Server
Option 2: Manual configuration
Specifying the QoS configuration file based on Policy Agent role
Defining policies in a Policy Agent configuration file
Differentiated Services policy examples
RSVP policy example
Sysplex distributor policy example
Defining policies using LDAP
RSVP
Configuring the RSVP agent
Starting and stopping RSVP
SNMP Network SLAPM2 (nslapm2) performance monitor
Configuring the Network SLAPM2 subagent
Starting and stopping the Network SLAPM2 subagent
Verification
Verifying that the policies are installed in the TCP/IP stacks
Verifying that the expected traffic is mapping to the correct QoS policies
Verifying that the sysplex distributor policy functions are working correctly
Monitoring performance and tuning policies
Using pasearch
Using the Network SLAPM2 MIB to monitor policies
Creating monitor table entries and enabling SNMP traps
Creating the monitor table index
Monitor table examples
Intrusion detection services
Scan policies
ICMP scans
ICMPv6 scans
UDP port scans
TCP port scans
Attack policies
Traffic regulation policies
Traffic regulation policies for TCP ports
Traffic regulation policies for UDP ports
Options for configuring IDS
Option 1: Use the IBM Configuration Assistant for z/OS Communications Server
Option 2: Manual configuration
Specifying the IDS configuration file based on Policy Agent role
Defining IDS policies
IDS policy definition considerations
IDS scan policy example
IDS attack policy examples
Traffic Regulation policy examples
Verification
Are the correct policies active?
Is the expected traffic mapping to the correct policies?
Are the IDS policy functions working correctly?
TRMD
Running TRMD as a started task
Running TRMD from the z/OS UNIX shell
Stopping TRMD
trmdstat
Defensive filtering
IP security
Terms and concepts for IP security
Terminology conventions for IP security
Commands used to administer IP security
Overview of using IP security
FIPS 140 mode and IP security
Steps for configuring IP security to support FIPS 140 mode
Configuring IP security
Configuring IP security using the IBM Configuration Assistant for z/OS Communications Server
Configuring IP security using manual configuration
Specifying the IP security configuration file based on Policy Agent role
IP filtering
Filter rules and actions
Filtering criteria in an IP packet
Additional filtering criteria based on protocol
Additional filtering criteria based on network attributes
IP traffic patterns
Routed traffic and fragmented packets
Conditionally controlling IP filters
Special considerations when using IP security for IPv6
Neighbor discovery and multicast listener discovery
Stateless address autoconfiguration
IPv6-specific protocols
IPv6 address types
IPv6 extension headers
Considerations for IPv6 OSPF security
Virtual links
Default IP filter policy and IP security policy
Modifying the default IP filter policy
IP filter logging
IP filter discard action
Data encryption and authentication — IPSec
AH and ESP protocols
Encapsulation
Transport mode and tunnel mode
UDP encapsulation of IPSec ESP packets
IPSec and symmetric key management
Manual key management
Dynamic key management - IKE and IPSec negotiations
Phase 1
Peer authentication
Identity information
Digital signatures
Pre-shared key
Negotiation modes for phase 1
Phase 2
Refreshing phase 1 Security Associations
IPSec and network address translation devices
NATT support level
Dynamic structures used to map Security Associations
Anchor filters and dynamic filters
NATT anchor and NATT dynamic filters
NAT resolution filters
Remote port translation
Steps for preparing the z/OS system for IP security
IP security policy configuration
Overview of configuring IP security policy
Structure of an IP security configuration file
Groups
Reference statements
Steps for configuring local IP security policy using only a common IP security configuration file
Steps for configuring remote IP security policy using only a common IP security configuration file
Steps for configuring local IP security policy using only a stack-specific IP security configuration file
Steps for configuring remote IP security policy using only a stack-specific IP security configuration file
Steps for configuring local IP security policy using both a stack-specific file and a common file
Steps for configuring remote IP security policy using both a stack-specific file and a common file
Component policies of IP security policy configuration files
IP filter policy
Example 1
Example 2
Example 3
IP filter rule order
Key exchange policy
Example 1
Example 2
Example 3
Key exchange rule order
Local dynamic VPN policy
Example 1 - wide Security Association
Example 2 - narrow Security Association
Quick start using IP filtering and IPSec host-to-host
Displaying filters, rules, and actions
Activating the quick start Security Association
Displaying the quick start Security Associations
Steps for configuring IP security policy
Configuring specific security models
Steps for configuring the trusted internal network model (simple IP filtering)
Using a common IP security configuration file for reusable statements
Steps for configuring the partner company model (host-to-host with IPSec)
Steps for configuring the partner company with NAT model (host-to-host with IPSec)
Steps for configuring the partner company with NAPT model (host-to-host with IPSec)
Steps for configuring the branch office model: Part 1 (host-to-gateway with IPSec)
Steps for configuring the branch office with NAT model (host-to-gateway with IPSec)
Steps for configuring the branch office model: Part 2 (gateway-to-gateway with IPSec)
Additional topologies
Cascaded tunnels
Nested tunnels
Mobile users
Multicast traffic
Configuration scenarios supported for NAT traversal
Host-to-host scenario 1 — z/OS-to-z/OS
Host-to-host scenario 2 — z/OS-to-non-z/OS
Interoperability Considerations
Host-to-security gateway scenario
Considerations for IPSec-encapsulated FTP traffic when traversing a NAT
Enterprise Extender considerations when traversing a NAT
Additional configuration concerns for NAT traversal
Configuring the IKE daemon
Multiple TCP/IP stacks
Run-time environment
Language Environment run-time considerations
IKE daemon configuration source information
Policy Agent considerations
Using network security services
Certificate revocation checking
Steps for configuring the IKE daemon
Starting the IKE daemon
Stopping the IKE daemon
Controlling the IKE daemon
Verifying policy installation
Console messages
Displaying TCP/IP configuration
Displaying active filters with the ipsec command
Anchor filters and dynamic filters
NATT anchor and NATT dynamic filters
NAT resolution filters
Displaying remote port translation with the ipsec command
Displaying Security Associations with the ipsec command
Displaying IKE tunnel information with the ipsec command
Displaying IPSec tunnel information with the ipsec command
Displaying filter rules with the pasearch command
Verifying filter action
Security Associations
Activating a Security Association
Verifying the activation of a Security Association
Verifying the use of an active Security Association
Refreshing Security Associations
Phase 1
Phase 2
Deactivating Security Associations
Modifying active IP security policy
IP security policy files
Policy Agent image configuration files
Policy Agent main configuration file
Active Security Associations and the ipsec -f default command
Displaying NSS client information
Sysplex-Wide Security Associations and IP security
NAT traversal and Sysplex-Wide Security Associations
AES-GCM
DVIPA recovery support
FIPS 140 mode and Sysplex-Wide Security Associations
Sysplex-Wide Security Associations in a mixed-level environment
Using encryption or authentication algorithms
Using IPv6 DVIPAs
Using IKEv2 tunnels
AES-GCM and AES-GMAC in FIPS 140 mode
Shadow Security Associations
Sample IP security policy files
Network security services
Terms and concepts for network security services
Network security services overview
NSS IPSec discipline overview
NSS XMLAppliance discipline
Preparing to provide network security services
Steps for authorizing resources for NSS
NSS server certificate label naming considerations
NSS client authorization example
NSS server configuration considerations
Run-time environment
Language Environment run-time considerations
Steps for configuring the NSS server
TCP/IP stack considerations
Port reservation
IP filtering
AT-TLS policy
Using hash and URL certificate encoding types
Enabling the NSSD to generate hash and URL certificate encoding
Enabling the NSSD to process received hash and URL certificate encoding
Controlling the use of hash and URL certificate encoding
Creating certificate bundles
Steps for creating certificate bundles
Controlling the NSS server
Starting the NSS server
Stopping the NSS server
Using the NSS server MODIFY command
NSS server failover considerations
NSS server capacity considerations
NSS server certificate revocation support
Managing network security services
Defensive filtering
Global and stack-specific defensive filters
Defensive filter names
Defensive filter modes
Allowing administrative access
Filter-match logging
TRMD
Disabling defensive filters for a single stack
Relationship between intrusion detection services and defensive filters
Comparison of IP security filters and defensive filters
The DMD run-time environment
The DMD and Language Environment run-time options
Enabling defensive filtering
Enabling the IP security function
Steps for configuring the DMD
Steps for authorizing resources for the DMD and the ipsec command
Starting the DMD
Stopping the DMD
Using the DMD MODIFY command
Application Transparent Transport Layer Security data protection
AT-TLS configuration in PROFILE.TCPIP
TCP/IP stack initialization access control
Options for configuring AT-TLS security
Option 1: Use the IBM Configuration Assistant for z/OS Communications Server
Option 2: Manual configuration
Specifying the AT-TLS configuration file based on Policy Agent role
AT-TLS policy configuration
AT-TLS rules
AT-TLS actions
AT-TLS group action
AT-TLS environment action
AT-TLS connection action
Getting started with AT-TLS
Configuring the server system
Configuring the client systems
Steps for starting AT-TLS and verifying its operation
Application compatibility with AT-TLS
Policy considerations
Reusable objects
Common AT-TLS configuration file
Exempting specific connections from AT-TLS
Action refresh
Achieving the basic level of security
Picking the handshake roles
Specifying the key ring
Configuring more sophisticated security
Protocol versions
Cipher suite specification
Certificate validation
FIPS 140-2 support
LDAP servers
Encryption key refresh
Additional security customization considerations
Handshake timer
Diagnostic traces
Diagnosis considerations
TLS function negotiation
Wireless performance
Certificate selection
Session caching
AT-TLS access control considerations
Application model considerations
Client application model
Server application model
Forked server application model
CICS transaction model
Advanced application considerations
AT-TLS aware application considerations
AT-TLS controlling application considerations
Secondary connection application model
z/OS Load Balancing Advisor
Steps for preparing to use the z/OS Load Balancing Advisor
Step 1: Consider whether to use TLS/SSL (using AT-TLS on z/OS)
Step 2: Evaluate TCP/IP workloads to be load balanced and select a load balancing solution (optional)
Step 3: Decide who will have authority to start the Advisor (optional)
Steps for granting authority to start the Advisor
Step 4: Decide who will have authority to start the Agents (optional)
Steps for granting authority to start the Agents
Step 5: Authorize the Agents to use WLM services
Steps for defining the resource profile with RACF
Step 6: Determine how the Advisor and agent are to interact in a subplexing environment (optional)
Steps for configuring the z/OS Load Balancing Advisor
Step 1: Configure the Advisor and Agents to automatically restart in case of application or system failure (optional)
Considerations for automatic restart in a CINET environment
Considerations for automatic restart in a subplexing environment
Step 2: Configure and start syslogd
Syslogd considerations in a subplexing environment
Step 3: Configure one Advisor per sysplex
Define listening sockets/ports (required)
Define the access control list
Customizing optional statements
Configuring one Advisor per sysplex in a CINET environment
Configuring Advisors in a subplexing environment
Step 4: Configure one Agent per z/OS system in the sysplex
Defining the IP address and port to bind to for communications with the Advisor
Identifying the location of the Advisor (required)
Customizing optional statements
Configuring one Agent per z/OS system in the sysplex in a CINET environment
Configuring Agents in a subplexing environment
Step 5: Customize the TCP/IP profiles of the TCP/IP stacks on which the Advisor and Agents are to run (optional)
Enabling TLS/SSL for z/OS Load Balancing Advisor (optional)
Customizing TCP/IP profiles in a CINET environment
Customizing TCP/IP profiles in a subplexing environment
Step 6: Customize WLM policies for the Advisor and Agents (optional)
Step 7: Configure the external load balancers
Configuring the external load balancers in a subplexing environment
Steps for starting the z/OS Load Balancing Advisor
Step 1: Start the TCP/IP stacks that the Advisor and the Agents will use
Starting the TCP/IP stacks in a CINET environment
Step 2: Start the target applications that will be the targets of load balancing
Step 3: Start one Agent on each sysplex system you want to participate in this method of workload balancing
Starting Agents in a subplexing environment
Step 4: Start the one instance of the Advisor in the sysplex
Starting Advisors in a subplexing environment
Step 5: Start the load balancers
Verifying that the Advisor system is functioning correctly (optional)
Operating the z/OS Load Balancing Advisor
Changing the logging level of the Advisor and Agents
Interpreting Agent and Advisor display information
MODIFY procname,DISPLAY,LB
LB INDEX
NOCHANGE, PUSH, TRUST
MODIFY procname,DISPLAY,LB,INDEX=lbindex
Group flags - BASEWLM, BASEWLM*, and SERVERWLM
Member flags - LBQ and OPQ
Member flags - NOTARGETSYS, NOTARGETIP, and NOTARGETAPP
Member flag - NODATA
Member field - AVAIL
Member field - NET WEIGHT
Member field - WLM WEIGHT
Member field - CS WEIGHT
Member field - ABNORM
Member field - HEALTH
Member field - ProcType
MODIFY procname,DISPLAY,MEMBERS,DETAIL
Member flag - ANY
Member flag - V6
Stopping or resuming workload distribution to particular members (QUIESCE and ENABLE)
z/OS Load Balancing Advisor configuration example
Load balancer configuration details
Advisor configuration details
Agent configuration file on SYSB
Agent configuration file on SYSA
Customization of PROFILE.TCPIP
Example displays
Automated domain name registration
System overview
Interaction with name servers
Interaction with the z/OS Load Balancing Advisor
Enabling TLS/SSL for ADNR
Steps for configuring automated domain name registration
Step 1: Decide which sysplex resources should be managed by ADNR
Step 2: Decide on one or more domain names to be managed by ADNR
Step 3: Decide which name server or name servers are to be managed by ADNR
Step 4: Configure the selected name servers to be the primary master name servers for the domain names that ADNR is to manage
Step 5: Delegate the domain names to be managed by ADNR to the selected name servers from the parent domain's name server
Step 6: Configure the z/OS Load Balancing Advisor function
Step 7: Define security server profiles for ADNR
Steps for granting authority to start ADNR
Step 8: Configure ADNR to automatically restart in case of application or system failure (optional)
Step 9: Configure and start syslogd (optional, but required to have ADNR write log messages and trace data to syslogd)
Step 10: Configure one ADNR application per sysplex
Identifying the name servers to update and the zones to be updated in those name servers
Identifying the GWM to connect to and IP address to bind to for communications with the GWM
Identifying the sysplex resources to be managed by ADNR
Host groups
Server groups
Uniquely identifying this ADNR instance
Customizing optional statements
Step 11: Customize the TCP/IP profiles of the TCP/IP stacks on which ADNR and the LBA applications are to run (optional)
Step 12: Start the TCP/IP stacks on which ADNR and the LBA applications are to run
Step 13: Start the z/OS Load Balancing Advisor and Agent
Step 14: Start the target applications that are to be managed by ADNR
Step 15: Start the ADNR application
Step 16: Verify that the ADNR system is functioning correctly (optional)
z/OS Load Balancing Advisor configuration considerations
Connectivity considerations
Near real-time availability information of sysplex resources
z/OS Load Balancing Advisor and Agent operational considerations
Advisor operational considerations
Agent operational considerations
Name server configuration considerations
Initial zone configuration
Authorizing dynamic updates
Updates to an ADNR-managed zone
Update forwarding
Authorizing zone transfers
Limiting the duration of an outbound zone transfer
Limiting the total number of simultaneous outbound zone transfers
The .digrc file
Split DNS (views)
Zone transfer formats
ADNR configuration considerations
Changing the ADNR configuration file
Flushing a zone
Maintaining zone data integrity
Steps for using the ADNR application in a sysplex subplexing environment
Step 1: Plan how the new subdomains representing each subplex will fit into your DNS hierarchy
Step 2: Configure the name servers that will be updated for the new subplex domains
Step 3: Define and configure one Advisor per subplex
Step 4: Update the Agent configuration files to communicate with the Advisor running in its subplex
Step 5: Define one ADNR application per subplex
Step 6: Assign the host_group and server_group statements from the sysplex ADNR configuration to the correct subplex domains
Step 7: Configure the new ADNR instances to update the name server and zone for its subplex
Step 8: Configure the new ADNR instances to communicate with the subplex Advisor
Step 9: Update resolver configuration files (optional)
Step 10: Start the TCP/IP stacks, Advisor, Agent, ADNR, and target applications that are to be managed by ADNR
Step 11: Verify that each subplex ADNR is functioning correctly
Operating ADNR
Changing the logging level of ADNR
Changing the ADNR configuration dynamically
Interpreting ADNR display information
Diagnosing problems
ADNR configuration example
ADNR display examples
Simple Network Management Protocol
SNMP overview
Network management application
SNMP protocols
SNMPv1
SNMPv2
SNMPv3
SNMP agent
Overview of SNMP security models
SNMPv1 and SNMPv2c
SNMPv3
SNMP subagents
TCP/IP subagent
OMPROUTE subagent
TN3270E Telnet subagent
Network SLAPM2 subagent
OSA-Express Direct subagent
Key generation commands
Distributed Protocol Interface
Trap forwarder daemon
Processing an SNMP request
Deciding on SNMP security needs
Community-based security
User-based security
Decide on your security needs—community-based or user-based
Step 1: Configure the SNMP agent
Provide TCP/IP profile statements
Provide community-based security and notification destination information
Provide community name information
PW.SRC example
Provide trap destination information
SNMPTRAP.DEST example
Provide community-based and user-based security and notification destination information
SNMPD.CONF file
SNMPD.CONF dynamic configuration
SNMPD.CONF example
SNMPD.BOOTS
Creating user keys
Migrating community-based configuration to SNMPD.CONF format
Provide secure access to agent from subagents
Connecting to the agent through z/OS UNIX
Connecting to the agent through TCP
Allowing subagents with duplicate identifiers to connect
Provide MIB object configuration information
Common INET considerations
Start the SNMP agent
Sample JCL procedure for starting OSNMPD from MVS
Starting OSNMPD from z/OS UNIX
Step 2: Configure the SNMP commands
Configure the z/OS UNIX snmp command
Provide snmp configuration information
Examples
Provide MIB object information in MIBS.DATA
MIBS.DATA statement syntax
Configure the NetView SNMP command
Configure the SNMP query engine
MIBDESC.DATA data set
Specifying the SNMPQE parameters
Setting up authorization for SNMPQE
Configure NetView as an SNMP monitor
Configure for SNMPIUCV
Configure for the SNMP command processor
Configure for the SNMP messages
Update the SNMP initialization parameters
Step 3: Configure the SNMP subagents
TCP/IP subagent configuration
Step 4: Configure the Open Systems Adapter support
OSA/SF prerequisites
Required TCP/IP profile statements
Subagent connection to OSA/SF when there are multiple TCP/IP instances
Step 5: Configure the trap forwarder daemon
Provide PROFILE.TCPIP statements
Provide trap forwarder configuration information
Starting and stopping the trap forwarder daemon
Starting the trap forwarder daemon from z/OS UNIX
Starting the trap forwarder daemon from an MVS console
Stopping the trap forwarder daemon
Tracing
Dynamically refreshing configuration
Remote print server
Configuring the Remote Print Server
Step 1: Configuring PROFILE.TCPIP for LPD
Step 2: Updating the LPD server cataloged procedure
Specifying LPD server parameters
Configuring LPDDATA
Step 3: Updating the LPD server configuration data set
Step 4: Creating a banner page (optional)
Remote procedure calls
Steps for configuring the PORTMAP address space
Step 1: Configuring PROFILE.TCPIP for PORTMAP
Step 2: Updating the PORTMAP cataloged procedure
Step 3: Defining the data set for well-known procedure names
Starting the PORTMAP address space
Steps for configuring the z/OS UNIX PORTMAP address space
Step 1: Configuring PROFILE.TCPIP for UNIX PORTMAP
Step 2: Updating the PORTMAP cataloged procedure
Starting the PORTMAP address space
Steps for configuring the rpcbind address space
Step 1: Configuring the PROFILE.TCPIP data set for rpcbind
Step 2: Configuring security server (or RACF equivalent) items
Step 3: Updating the RPCBIND cataloged procedure
Step 4: Updating the /etc/services file
Step 5: Configure SYS1.PARMLIB for rpcbind
Starting the rpcbind address space
Steps for configuring the NCS interface
Step 1: Configuring PROFILE.TCPIP for NCS
Step 2: Updating the NRGLBD cataloged procedure
Step 3: Updating the LLBD cataloged procedure
Mail on z/OS
Configuring the CSSMTP application
Terms and concepts
Setting up CSSMTP
Steps for configuring and starting CSSMTP
Steps for creating mail on the JES spool data set for CSSMTP
Steps for initial setup for CSSMTP
Steps for customizing the SMTPNOTE CLIST (optional)
Customizing the CSSMTP configuration file to try mail again
Customizing the CSSMTP configuration file to handle undeliverable mail
Steps for granting authority to start CSSMTP
Security for CSSMTP
Steps for using Transport Layer Security for CSSMTP
Steps for configuring SMF records for CSSMTP (optional)
Monitoring CSSMTP
Differences between CSSMTP and SMTPD
Configuring the SMTP server (SMTPD)
Checklist for working within the SMTP environment
Configuration process
Step 1: Verify TCP/IP profile statements in the TCP/IP profile data set
AUTOLOG
PORT
Other TCP/IP profile considerations
Step 2: Update the SMTP cataloged procedure
Step 3: Customize the SMTPNOTE CLIST and modify parmlib data sets
Step 4: Customize the SMTP mail headers (Optional)
The SMTP rules data set
Statement syntax
Format of the field definition section
Format of the rule definition section
SMTP rules syntax conventions
Predefined keywords within the SMTP rules
Default SMTP rules
SMTP nonsecure gateway configuration defaults
SMTP secure gateway configuration defaults
Examples of header rewrite rules
Step 5: Set up a TCP-to-NJE mail gateway (Optional)
Step 6: Specify configuration statements in SMTP configuration data set
Summary of SMTP configuration statements
Sample SMTP configuration data set (SMTPCONF)
Step 7: Create an SMTP security table (Optional)
SMTP security data set examples
Rejected mail examples
Step 8: Enable SMTP domain name resolution
Step 9: Enable sending of non-local messages to other mail servers
Step 10: Design SMTP exit to inspect and filter unwanted mail (optional)
Step 11: Set up automation to monitor how much mail is queued
Configuring z/OS UNIX sendmail and popper
Overview
The sendmail samples directory
Steps for configuring z/OS UNIX sendmail
Creating the configuration file
Retrieve the m4 preprocessor
Creating the .mc file
The minimal mc file
Building the configuration file
Creating the z/OS-specific file
Using sendmail databases
Configuration option
Three basic files
Aliases database
Configuring an IPv6 daemon and relay client (optional)
Configuring TLS support (optional)
Configuring Security Server (RACF or equivalent) items
Setting up a Milter (optional)
Creating the Message Submission Program file submit.cf
Running sendmail as a daemon
Configuration hints and tips
Environment variables
Configuring popper
Update the /etc/services file
Update the /etc/inetd.conf file
Create the directory for the temporary maildrop file
Start inetd
Correct connection
Popper command - administering received mail
TIMED daemon
Starting TIMED from the z/OS shell
Starting TIMED as a procedure
SNTP daemon
Steps for starting SNTPD from the z/OS UNIX shell
Steps for starting SNTPD as a procedure
Stack affinity
Remote Execution
UNIX REXEC
TSO REXEC
Configuring the TSO Remote Execution server
Step 1: Configuring PROFILE.TCPIP for TSO Remote Execution server
Step 2: Determine whether Remote Execution client will send REXEC or RSH commands
Step 3: Permit remote users to access MVS resources (optional)
Step 4: Update the TSO Remote Execution cataloged procedure
Step 5: Create a user exit routine (optional)
Step 6: Permit access to JESSPOOL files
Configuring the z/OS UNIX Remote Execution servers
Files for z/OS UNIX REXECD
Files for z/OS UNIX RSHD
Setting up the z/OS UNIX RSHD installation exit
Configuring TSO and z/OS UNIX Remote Execution servers to use the same port
Express logon services with the Digital Certificate Access Server
Express Logon Feature
Web Express Logon
Using the DCAS server interface for your logon solutions
What DCAS provides
Customizing DCAS for TLS/SSL
Migrating the DCAS server to use AT-TLS policies
Transport Layer Security (TLS) terms
Miscellaneous server
Discard protocol
Echo protocol
Character generator protocol
Configuring the MISC server
Step 1: Configuring PROFILE.TCPIP for the MISC server
Step 2: Updating the MISC server cataloged procedure
MISC server cataloged procedure (MISCSERV)
Specifying the MISC server parameters
Setting up the InetD configuration file
TLS/SSL security
Secure Socket Layer overview
Server authentication
Client authentication
Encryption algorithms
Enable CSFSERV resources
Express Logon Feature
Configuring RACF services for Express Logon
Configuring the Express Logon components
Configuring the Host On Demand Telnet client
Configuring the z/OS TN3270E Telnet server
Configuring the middle-tier Telnet server (CS/2 example)
Using HCD
Steps for preparing to run IP security
Step 1: Setting appropriate UNIX System Services parameters
Step 2: Authorizing the IKE daemon to the external security manager
Steps for authorizing the IKE daemon to RACF
Step 3: Authorizing the ipsec command to the external security manager
Steps for authorizing the ipsec command to RACF
Step 4: Authorizing IP security to ICSF/MVS (optional)
Steps for setting up profiles in the CSFSERV resource class
Step 5: Setting up the IKE daemon for digital signature authentication (optional)
Steps for setting up the IKE daemon for digital signature authentication when the native certificate service is used
Step 1: Define RACF facilities and access controls
Step 2: Define profiles to control access to the RACDCERT command
Step 3: Create a RACF key ring for the user ID under which the IKED is to run
Step 4: Install an X509 digital certificate to be used by the native certificate service
Steps for setting up the IKE daemon for digital signature authentication using the certificate service of an NSS server
Step 1: Update the IKE daemon configuration file to define NSS clients
Step 2: Install X509 digital certificates for NSS clients on the NSS server's key ring
Step 3: Authorize the NSS clients
Step 4: Enable HTTP Certificate Lookup (optional)
IPSec certificate management
Steps for generating an X509 digital certificate and having it signed by a certificate authority
Steps for generating a self-signed X509 digital certificate
Steps for migrating an existing key database to a RACF key ring
Using an LDAP server for policy definitions
Policy object model overview
Overview of the object classes
Considerations for defining LDAP objects
Policy Agent retrieval of LDAP objects
LDAP sample files
Installing the schema definition on the LDAP server
Using the sample LDAP objects
Defining QoS policies using LDAP
Differentiated Services policy example
RSVP policy example
Sysplex distributor routing policy example
Defining IDS policies using LDAP
IDS scan policy example
IDS attack policy example
IDS TCP traffic regulation policy example
IDS UDP traffic regulation policy example
Related protocol specifications
Accessibility
Bibliography
Index for Communications Server: IP Configuration Guide