IBM United States Software Announcement

210-008

IBM is a registered trademark of International Business Machines Corporation

and business needs. Designed for the largest enterprises in the world, z/OS provides network scalability, supporting both IPv4 and IPv6.

• It has been said "z/OS is not just a node on the network, it IS the network," and in some cases this is no exaggeration. What sets z/OS apart from other technologies is its sophisticated networking in a cluster (Parallel Sysplex). In a cluster, the z/OS Communications Server supports multiple applications, tools, databases, operating system images, partitions, servers, locations, and remote locations, with the ability to support multiple TCP/IP stacks, to provide different security and networking characteristics for these TCP/IP stacks, to automatically fail over a network, to dynamically manage networking traffic, routing it by security, workload priority, or other quality of service characteristics, and to apply TCP/IP security capabilities centrally from an attractive, easy-to-use graphical user interface (the Configuration Assistant for the z/OS Communications Server). This is all integrated into and included with z/OS; the networking, its dynamic routing, and its policy-based security are not an optional add-on, but a vital part of the system. z/OS V1.12 is planned to support new trusted TCP connections in a sysplex, providing a faster, simpler method for members in a sysplex to communicate. The next release is planned to have the ability to automatically add TCP/IP stacks to a sysplex at a later time, when you need it.

• Many data security breaches arise from data being plucked from an unsecured network connection. The Internet Protocol Security (IPSec) standard is just one of the industry standards useful for encrypting packets of a data stream. The z/OS Communications Server already allows for simplified and centralized configuration of IPSec security through its Configuration Assistant and allows most IPSec encryption and decryption to be eligible for the zIIP specialty engine. IPSec encryption on z/OS has the value of encrypting data right at the source. z/OS V1.12 is planned to support Internet Key Exchange version 2 (IKEv2), which is a more streamlined and efficient method of IPSec dynamic key exchange than the currently available IKEv1. Also for z/OS V1.12, z/OS Communications Server IPSec and IKE support is planned to leverage z/OS cryptographic modules that are designed to address the Federal Information Processing Standard (FIPS) 140-2 security requirements for cryptographic modules. Additionally, z/OS Communications Server IPSec and IKE are planned to support a variety of new cryptographic algorithms, enhanced X.509 digital certificate support, and more. The latest details on IPSec and IKEv2 can be found in the Security section.

Details on the networking improvements planned for z/OS V1.12 include:

• z/OS Communications Server V1.12 is planned to provide notification to the operator console when a Domain Name System (DNS) name server does not respond to a certain percentage of resolver queries sent to the name server during a sliding five-minute interval. In addition to the notification, statistics regarding the number of queries attempted and the number of queries that received no response are displayed for each currently unresponsive name server at five-minute intervals. This can alert you to a possible problem with your DNS name server configuration that may be adversely affecting applications on your z/OS system. The default value for the TCPIP.DATA RESOLVERTIMEOUT configuration statement, which controls the timeout value for UDP requests sent to a name server, is planned to be modified to be five seconds instead of 30 seconds.

• z/OS Communications Server plans to extend the VARY TCPIP,,DROP command to allow the dropping of all established TCP connections for servers that match the specified filter parameters. When issued, each server that is found to match the specified filter parameters will have all its established TCP connections dropped. You can filter by port, jobname, or server ASID. This function is expected to make it easier to move workload from one application instance to another application instance.

• z/OS Communications Server is planned to provide the option of keeping a TCP/IP stack isolated from the sysplex; you can use a new configuration parameter to prevent a stack from automatically joining the sysplex group at startup. You can have the stack join the sysplex group at a later time by issuing the VARY TCPIP,,SYSPLEX,JOINGROUP command.

• z/OS Communications Server is planned to enhance the performance of fast local sockets for TCP connections. This function is planned to be automatically enabled.
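
The sliding-interval check described in the DNS name server item above can be sketched as follows. This is an added illustration, not IBM's code or the z/OS resolver's implementation; the 25 percent threshold, the class and function names, and the sample outcomes are assumptions constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300     # sliding five-minute interval from the announcement
THRESHOLD_PERCENT = 25   # assumed; the page only says "a certain percentage"

class ResolverHealthMonitor:
    """Per name server, track resolver queries sent and left unanswered."""
    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD_PERCENT):
        self.window, self.threshold = window, threshold
        self.events = defaultdict(deque)  # server -> (timestamp, answered)

    def record(self, server, timestamp, answered):
        # answered=False means the UDP query timed out with no response
        self.events[server].append((timestamp, answered))

    def stats(self, server, now):
        """Return (attempted, unanswered, percent) for the window ending now."""
        queue = self.events[server]
        while queue and queue[0][0] <= now - self.window:
            queue.popleft()  # expire outcomes older than the window
        attempted = len(queue)
        unanswered = sum(1 for _, ok in queue if not ok)
        percent = 100.0 * unanswered / attempted if attempted else 0.0
        return attempted, unanswered, percent

    def unresponsive(self, now):
        """List (server, attempted, unanswered) for servers at the threshold."""
        alerts = []
        for server in sorted(self.events):
            attempted, unanswered, percent = self.stats(server, now)
            if attempted and percent >= self.threshold:
                alerts.append((server, attempted, unanswered))
        return alerts

def replay(outcomes, check_times):
    """Feed outcomes in time order; return {check_time: alerts}."""
    monitor = ResolverHealthMonitor()
    pending = deque(sorted(outcomes))
    report = {}
    for now in sorted(check_times):
        while pending and pending[0][0] <= now:
            timestamp, server, ok = pending.popleft()
            monitor.record(server, timestamp, ok)
        report[now] = monitor.unresponsive(now)
    return report

# Constructed sample outcomes: (seconds, name server, answered).
SAMPLE = [(0, "192.0.2.53", True), (30, "192.0.2.53", False),
          (60, "198.51.100.53", True), (90, "192.0.2.53", False),
          (120, "198.51.100.53", True), (200, "192.0.2.53", True),
          (400, "192.0.2.53", True), (420, "192.0.2.53", True)]
```

Calling replay(SAMPLE, [300, 600]) evaluates the window at two five-minute checkpoints: the first name server is reported at 300 seconds and drops off the report at 600 seconds once its unanswered queries have aged out.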
