IBM United States Software Announcement
210-008
IBM is a registered trademark of International Business Machines Corporation
and business needs. Designed for the largest enterprises in the world, z/OS provides
network scalability, supporting both IPv4 and IPv6.
• It has been said "z/OS is not just a node on the network, it IS the network,"
and in some cases this is no exaggeration. What sets z/OS apart from other
technologies is its sophisticated networking in a cluster (Parallel Sysplex). In a
cluster, the z/OS Communications Server supports multiple applications, tools,
databases, operating system images, partitions, servers, locations, and remote
locations, with the ability to support multiple TCP/IP stacks, to provide different
security and networking characteristics for these TCP/IP stacks, to automatically
fail over a network, to dynamically manage networking traffic, routing it by
security, workload priority, or other quality of service characteristics, and to apply
TCP/IP security capabilities centrally from an attractive, easy-to-use graphical user
interface (the Configuration Assistant for the z/OS Communications Server).
This is all integrated into and included with z/OS; the networking, its dynamic
routing, and its policy-based security are not an optional add-on, but a vital part
of the system. z/OS V1.12 is planned to support new trusted TCP connections
in a sysplex, providing a faster, simpler method for members in a sysplex to
communicate. The next release is planned to have the ability to automatically add
TCP/IP stacks to a sysplex at a later time, when you need it.
• Many data security breaches arise from data being plucked from an unsecured
network connection. The Internet Protocol Security (IPSec) standard is just
one of the industry standards useful for encrypting packets of a data stream.
The z/OS Communications Server already allows for simplified and centralized
configuration of IPSec security through its Configuration Assistant and allows most
IPSec encryption and decryption to be eligible for the zIIP specialty engine. IPSec
encryption on z/OS has the value of encrypting data right at the source. z/OS
V1.12 is planned to support Internet Key Exchange version 2 (IKEv2), which is
a more streamlined and efficient method of IPSec dynamic key exchange than
the currently available IKEv1. Also for z/OS V1.12, z/OS Communications Server
IPSec and IKE support is planned to leverage z/OS cryptographic modules that
are designed to address the Federal Information Processing Standard (FIPS)
140-2 security requirements for cryptographic modules. Additionally, z/OS
Communications Server IPSec and IKE are planned to support a variety of new
cryptographic algorithms, enhanced X.509 digital certificate support, and more.
Details on the latest on IPSec and IKEv2 can be found in the Security section.
Details on the networking improvements planned for z/OS V1.12 include:
• z/OS Communications Server V1.12 is planned to provide notification to the
operator console when a Domain Name System (DNS) name server does not
respond to a certain percentage of resolver queries sent to the name server
during a sliding five-minute interval. In addition to the notification, statistics
regarding the number of queries attempted and the number of queries that
received no response are displayed for each currently unresponsive name server
at five-minute intervals. This can alert you to a possible problem with your
DNS name server configuration that may be adversely affecting applications on
your z/OS system. The default value for the TCPIP.DATA RESOLVERTIMEOUT
configuration statement, which controls the timeout value for UDP requests sent
to a name server, is planned to be modified to be five seconds instead of 30
seconds.
• z/OS Communications Server plans to extend the VARY TCPIP,,DROP command to
allow the dropping of all established TCP connections for servers that match the
specified filter parameters. When issued, each server that is found to match the
specified filter parameters will have all its established TCP connections dropped.
You can filter by port, jobname, or server ASID. This function is expected to make
it easier to move workload from one application instance to another application
instance.
• z/OS Communications Server is planned to provide the option of keeping a TCP/IP
stack isolated from the sysplex; you can use a new configuration parameter
to prevent a stack from automatically joining the sysplex group at startup. You
can have the stack join the sysplex group at a later time by issuing the VARY
TCPIP,,SYSPLEX,JOINGROUP command.
• z/OS Communications Server is planned to enhance the performance of fast local
sockets for TCP connections. This function is planned to be automatically enabled.