What’s New in z/OS V2R1 Communications Server?
It has been said "z/OS is not just a node on the network, z/OS is the network," and that is largely
due to the wide array of networking technologies included in z/OS Communications Server,
including both TCP/IP and SNA. System and data security technologies, fault tolerance,
autodetection and autorecovery capabilities—all mean that z/OS can provide reliable and
trustworthy networking services. With intelligent configuration, dynamic optimization, self
tuning, and network routing, it adapts to different networking conditions and is capable of
shifting workloads and traffic to meet quality of service and business needs.
This page provides an overview of select enhancements provided by z/OS V2R1
System z Platform Efficiency
With z/OS V2R1 and related System z technologies, IBM delivers improved performance, scale, and economics to the platform. These technologies are intended to help you to leverage existing
resources better or to free up existing resources to run more workload within your existing
System z servers more efficiently.
- z/OS V2R1 and zEC12 and zBC12 systems with the 10 GbE RoCE Express feature support a
new communications protocol, Shared Memory Communications-RDMA (SMC-R). This new
protocol provides low-latency, high-bandwidth cross-server connections for applications by
providing RDMA communications to TCP endpoints over RoCE (RDMA over Converged
Ethernet) in a manner transparent to socket applications. This is expected to provide a
significant performance benefit compared to standard TCP/IP communications over the Open
Systems Adapter (OSA).
For more on SMC-R, refer to the SMC-R RoCE FAQ:
- Implementation of RFC 2018 and RFC 3517 provides support for selective acknowledgment
(SACK) and selective packet retransmission based on SACKs. This is intended to help
improve performance when multiple packets are lost in a single TCP window.
- Supported socket APIs are now designed to use fast path sockets processing automatically,
without system programmer or application enablement. Fast path sockets processing can
provide a significant reduction in CPU utilization, especially for interactive workloads.
- In z/OS V2R1, Communications Server supports the specification of QDIOACCELERATOR
in a TCP/IP profile with IPSECURITY enabled. Existing QDIOACCELERATOR function
can improve performance by allowing packets to be directly routed between HiperSockets and
OSA QDIO connections. This enhancement provides that support under certain conditions for
those TCP/IP stacks that have IPSECURITY enabled.
z/OS Simplification Enhancements and Ease of Use
z/OS V2R1 introduces many new simplification capabilities. These are intended to address the need
for skills by making existing personnel more productive and by reducing the time someone new
needs to gain proficiency on the platform.
- z/OS V2R1 Communications Server with z/OSMF V2R1 provides a redesigned version of the
IBM Configuration Assistant for z/OS Communications Server that replaces the Microsoft
Windows based version. It helps reduce CPU consumption, supports configuration of
additional policy-based networking functions, and is more consistent with the look and feel of
other z/OSMF functions.
- In z/OS V2R1, Communications Server provides a new command to enable you to validate the
syntax of statements in your TCP/IP profile. This can help you find errors in the profile that
might exist before making configuration changes, which can help prevent network problems
- Enhancements to the INTERFACE statement in the TCP/IP profile support configuration of
IPv4 interfaces for HiperSockets and static virtual IP addresses (VIPAs). This enhancement
provides a simpler method for configuring IPv4 HiperSockets interfaces and static VIPAs than
using DEVICE/LINK/HOME statements.
- New TCP/IP profile configuration statements enable you to specify the range of ephemeral
ports to be assigned to UDP and TCP sockets. This can help simplify firewall configuration
- z/OS V2R1 Communications Server provides two new FTP subcommands, MVSPut and
MVSGet. These commands are designed to simplify the transfer of sequential and partitioned
(PDS and PDSE) data sets between z/OS systems.
- z/OS V2R1 Communications Server provides additional flexibility in configuring Enterprise
Extender by allowing progressive mode ARB to be configured on the GROUP definition in the
switched major node. Additionally, z/OS Communications Server enhances your ability to
provide an IPv6 address for an EE connection by allowing the IPADDR parameter to accept
either an IPv6 address or an IPv4 address.
z/OS V2R1 introduces new capabilities to help you write applications and systems programs, and
extend existing programs. z/OS V2R1 Communications Server provides these new and enhanced
application programming interfaces:
- A new API to allow retrieval of configuration information for the TN3270 server. This is
designed to improve the ability of network management applications to verify the best
practices compliance of the z/OS CS TN3270 server.
- A new API to allow retrieval of configuration information for the z/OS FTP server and FTP
client. This is designed to improve the ability of network management applications to verify
the best practices compliance of the z/OS FTP server and client.
- Support for an additional network management interface (NMI) that can allow multiple
independent, concurrent TCP/IP traces. This allows for both real-time packet traces and data
traces in a single trace data stream. With proper RACF authorization, it also enables you to
include decrypted IPSec and AT-TLS data. These extensions are intended to be used by
network management applications to provide additional functions.
- A mechanism that allows a sockets application to issue a synchronous or asynchronous receive
socket API call that only completes when a TCP connection is terminated. This provides an
application with the ability to improve performance by choosing either an asynchronous or
synchronous communication model (whichever is more beneficial for the application) while
assuring the ability to respond to connection termination events.
The z/OS Communications Server can provide highly secure networking, via capabilities such as
IPSec, Application Transparent Transport Layer Security (AT-TLS), and Intrusion Detection
- In z/OS V2R1, Communications Server supports the TLS V1.2 protocol and the new
cryptography suites implemented by System SSL, in Application Transparent Transport Layer
Security (AT-TLS). This is intended to enable these new cipher suites to be used to encrypt
application traffic through system programmer-defined policy without application changes.
- In z/OS V2R1, Communications Server supports two new security exits for the z/OS FTP
client to help provide more control over FTP file transfer activities. An EZAFCCMD exit is
designed to enable inspection, modification and rejection of FTP commands, and the
cancellation of FTP client sessions. An EZAFCREP exit is designed to enable inspection of
reply message lines from FTP servers and cancellation of FTP client sessions.
- Sysplex-wide security associations (SWSA) enable IPSec-protected traffic to be distributed
through a Parallel Sysplex while maintaining end-to-end security to all endpoints within the
sysplex. In z/OS V2R1, SWSA is extended to provide support for IPv6.
- In z/OS V2R1, z/OS Communications Server introduces configuration settings to enable
control over the level of caching used for network access control checks. A reduction in the
level of caching enables more network access control checks to be passed to the System
Authorization Facility (SAF), thereby enabling the security manager product to provide more
meaningful auditing of access control checks. Additionally, z/OS V2R1 Communications
Server adds the IP address the user is attempting to access to the log string provided to the
external security manager on each network access control check.
- z/OS Communications Server provides a configuration option to limit the number of defensive
filter messages written to syslog when defensive filtering is enabled through the Defense
Manager Daemon (DMD).
- z/OS V2R1 Communications Server provides enhanced diagnostics for the IKE and NSS
daemons as well as the AT-TLS function when FIPS 140 processing is required. New
messages indicate ICSF status during IKED and NSSD initialization, and during the
installation of AT-TLS policy groups. Furthermore, when FIPS 140 processing is required,
IKED and NSSD will not initialize if ICSF is not active; and AT-TLS policy groups will be
installed but left inactive if ICSF is not active.
According to IBM market research, the System z platform is recognized by both customers and
industry analysts for its industry-leading resilience capabilities; furthermore, high availability is
the top reason for running existing workloads on and migrating new workloads to System z.
z/OS V2R1 improves availability by delivering the following enhancements:
- In z/OS V2R1, the RPCBIND and NFS Servers allow the NFS Server to re-register with
RPCBIND when RPCBIND is restarted, without an NFS Server restart. This helps preserve
existing connections to the NFS Server and allows new mounts when RPCBIND is restarted,
thereby improving availability by eliminating a reason for NFS Server restarts.
- z/OS V2R1 Communications Server adds the ability for an application-instance dynamic
VIPA to be created with an affinity for a particular address space. This ensures the correct
routing of application traffic destined for one of multiple applications bound to the unspecified
address (inaddr_any or in6addr_any) and listening on a common port.
- System resolver enhancements allow the resolver to start even if errors are detected with
statements in the resolver setup file. This allows TCP/IP stacks and other applications
dependent on resolver processing to continue their initialization despite any resolver setup file
Standards and Statements of Direction
- z/OS V2R1 continues the platform's tradition of rich IPv6 support. z/OS Version 1 has earned
the IPv6 Phase 2 Ready logo and USGv6 Profile Version 1.0 (NIST SP500-267) certification.
z/OS V2R1 is designed to meet these standards as well.
- IBM intends for z/OS V2R1 to be the last release to support the GATEWAY configuration
statement in the TCP/IP profile. If you are using the GATEWAY statement to define static
routes, you should use the BEGINROUTES/ENDROUTES configuration block instead.
All statements regarding IBM's plans, directions, and intent are subject to change or withdrawal