What’s New in z/OS V2R1 Communications Server?
It has been said "z/OS is not just a node on the network, z/OS is the network," and that is largely due to the wide array of networking technologies included in z/OS Communications Server, including both TCP/IP and SNA. System and data security technologies, fault tolerance, and autodetection and autorecovery capabilities all mean that z/OS can provide reliable and trustworthy networking services. With intelligent configuration, dynamic optimization, self-tuning, and network routing, it adapts to different networking conditions and is capable of shifting workloads and traffic to meet quality of service and business needs.
This page provides an overview of select enhancements provided by z/OS V2R1 Communications Server.
System z Platform Efficiency
With z/OS V2R1 and related System z technologies, IBM delivers improved performance, scale, and economics to the platform. These technologies are intended to help you make better use of existing resources, or to free up existing resources so that you can run more workload, more efficiently, within your existing System z servers.
- z/OS V2R1 and zEC12 and zBC12 systems with the 10 GbE RoCE Express feature support a new communications protocol, Shared Memory Communications-RDMA (SMC-R). This new protocol provides low-latency, high-bandwidth cross-server connections for applications by providing RDMA communications to TCP endpoints over RoCE (RDMA over Converged Ethernet) in a manner transparent to socket applications. This is expected to provide a significant performance benefit compared to standard TCP/IP communications over the Open Systems Adapter (OSA).
For more on SMC-R, refer to the Shared Memory over RDMA Reference Information page.
- Implementation of RFC 2018 and RFC 3517 provides support for selective acknowledgment (SACK) and selective packet retransmission based on SACKs. This is intended to help improve performance when multiple packets are lost in a single TCP window.
- Supported socket APIs are now designed to use fast path sockets processing automatically, without system programmer or application enablement. Fast path sockets processing can provide a significant reduction in CPU utilization, especially for interactive workloads.
- In z/OS V2R1, Communications Server supports the specification of QDIOACCELERATOR in a TCP/IP profile with IPSECURITY enabled. Existing QDIOACCELERATOR function can improve performance by allowing packets to be directly routed between HiperSockets and OSA QDIO connections. This enhancement provides that support under certain conditions for those TCP/IP stacks that have IPSECURITY enabled.
z/OS Simplification Enhancements and Ease of Use
z/OS V2R1 introduces many new simplification capabilities. These address the need for skills by making existing personnel more productive and by reducing the time needed for someone new to gain proficiency on the platform.
- z/OS V2R1 Communications Server with z/OSMF V2R1 provides a redesigned version of the IBM Configuration Assistant for z/OS Communications Server that replaces the Microsoft Windows-based version. It helps reduce CPU consumption, supports configuration of additional policy-based networking functions, and is more consistent with the look and feel of other z/OSMF functions.
- In z/OS V2R1, Communications Server provides a new command to enable you to validate the syntax of statements in your TCP/IP profile. This can help you find errors that might exist in the profile before you make configuration changes, which can help prevent network problems from occurring.
- Enhancements to the INTERFACE statement in the TCP/IP profile support configuration of IPv4 interfaces for HiperSockets and static virtual IP addresses (VIPAs). This enhancement provides a simpler method for configuring IPv4 HiperSockets interfaces and static VIPAs than using DEVICE/LINK/HOME statements.
- New TCP/IP profile configuration statements enable you to specify the range of ephemeral ports to be assigned to UDP and TCP sockets. This can help simplify firewall configuration rules.
- z/OS V2R1 Communications Server provides two new FTP subcommands, MVSPut and MVSGet. These commands are designed to simplify the transfer of sequential and partitioned (PDS and PDSE) data sets between z/OS systems.
- z/OS V2R1 Communications Server provides additional flexibility in configuring Enterprise Extender by allowing progressive mode ARB to be configured on the GROUP definition in the switched major node. Additionally, z/OS Communications Server enhances your ability to provide an IPv6 address for an EE connection by allowing the IPADDR parameter to accept either an IPv6 address or an IPv4 address.
z/OS V2R1 introduces new capabilities to help you write applications and systems programs, and extend existing programs. z/OS V2R1 Communications Server provides these new and enhanced application programming interfaces:
- A new API to allow retrieval of configuration information for the TN3270 server. This is designed to improve the ability of network management applications to verify the best practices compliance of the z/OS CS TN3270 server.
- A new API to allow retrieval of configuration information for the z/OS FTP server and FTP client. This is designed to improve the ability of network management applications to verify the best practices compliance of the z/OS FTP server and client.
- Support for an additional network management interface (NMI) that can allow multiple independent, concurrent TCP/IP traces. This allows for both real-time packet traces and data traces in a single trace data stream. With proper RACF authorization, it also enables you to include decrypted IPSec and AT-TLS data. These extensions are intended to be used by network management applications to provide additional functions.
- A mechanism that allows a sockets application to issue a synchronous or asynchronous receive socket API call that only completes when a TCP connection is terminated. This provides an application with the ability to improve performance by choosing either an asynchronous or synchronous communication model (whichever is more beneficial for the application) while assuring the ability to respond to connection termination events.
The z/OS Communications Server can provide highly secure networking, via capabilities such as IPSec, Application Transparent Transport Layer Security (AT-TLS), and Intrusion Detection Services (IDS).
- In z/OS V2R1, Communications Server supports the TLS V1.2 protocol and the new cryptography suites implemented by System SSL, in Application Transparent Transport Layer Security (AT-TLS). This is intended to enable these new cipher suites to be used to encrypt application traffic through system programmer-defined policy without application changes.
- In z/OS V2R1, Communications Server supports two new security exits for the z/OS FTP client to help provide more control over FTP file transfer activities. An EZAFCCMD exit is designed to enable inspection, modification and rejection of FTP commands, and the cancellation of FTP client sessions. An EZAFCREP exit is designed to enable inspection of reply message lines from FTP servers and cancellation of FTP client sessions.
- Sysplex-wide security associations (SWSA) enable IPSec-protected traffic to be distributed through a Parallel Sysplex while maintaining end-to-end security to all endpoints within the sysplex. In z/OS V2R1, SWSA is extended to provide support for IPv6.
- In z/OS V2R1, z/OS Communications Server introduces configuration settings to enable control over the level of caching used for network access control checks. A reduction in the level of caching enables more network access control checks to be passed to the System Authorization Facility (SAF), thereby enabling the security manager product to provide more meaningful auditing of access control checks. Additionally, z/OS V2R1 Communications Server adds the IP address the user is attempting to access to the log string provided to the external security manager on each network access control check.
- z/OS Communications Server provides a configuration option to limit the number of defensive filter messages written to syslog when defensive filtering is enabled through the Defense Manager Daemon (DMD).
- z/OS V2R1 Communications Server provides enhanced diagnostics for the IKE and NSS daemons as well as the AT-TLS function when FIPS 140 processing is required. New messages indicate ICSF status during IKED and NSSD initialization, and during the installation of AT-TLS policy groups. Furthermore, when FIPS 140 processing is required, IKED and NSSD will not initialize if ICSF is not active; and AT-TLS policy groups will be installed but left inactive if ICSF is not active.
According to IBM market research, the System z platform is recognized by both customers and industry analysts for its industry-leading resilience capabilities; furthermore, high availability is the top reason for running existing workloads on and migrating new workloads to System z. z/OS V2R1 improves availability by delivering the following enhancements:
- In z/OS V2R1, the RPCBIND and NFS Servers allow the NFS Server to re-register with RPCBIND when RPCBIND is restarted, without an NFS Server restart. This helps preserve existing connections to the NFS Server and allows new mounts when RPCBIND is restarted, thereby improving availability by eliminating a reason for NFS Server restarts.
- z/OS V2R1 Communications Server adds the ability for an application-instance dynamic VIPA to be created with an affinity for a particular address space. This ensures the correct routing of application traffic destined for one of multiple applications bound to the unspecified address (inaddr_any or in6addr_any) and listening on a common port.
- System resolver enhancements allow the resolver to start even if errors are detected with statements in the resolver setup file. This allows TCP/IP stacks and other applications dependent on resolver processing to continue their initialization despite any resolver setup file errors.
Standards and Statements of Direction
- z/OS V2R1 continues the platform's tradition of rich IPv6 support. z/OS Version 1 has earned the IPv6 Phase 2 Ready logo and USGv6 Profile Version 1.0 (NIST SP500-267) certification. z/OS V2R1 is designed to meet these standards as well.
- IBM intends for z/OS V2R1 to be the last release to support the GATEWAY configuration statement in the TCP/IP profile. If you are using the GATEWAY statement to define static routes, you should use the BEGINROUTES/ENDROUTES configuration block instead.
All statements regarding IBM's plans, directions, and intent are subject to change or withdrawal without notice.