© 2017 IBM Corporation
IBM z/OS Communications Server Technical Update
Jerry Stevens, Hank [email protected] 11/2017. Session EB
TrademarksThe following are trademarks of the International Business Machines Corporation in the United States and/or other countries.
The following are trademarks or registered trademarks of other companies.
* Registered trademarks of IBM Corporation
* All other products may be trademarks or registered trademarks of their respective companies.
Notes: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area.All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
IBM*, IBM Logo*
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.
Agenda
• z/OS Encryption Readiness Technology (zERT)
• z/OS mail updates
• Wildcard support for jobnames on PORT & PORTRANGE statements
• AT-TLS currency with System SSL
• VTAM 3270 Intrusion Detection Services (3270 IDS)
• Miscellaneous V2R3 topics
• Configuration Assistant Updates
• Full VTAM Internal Trace (VIT) control
• Appendix: Additional Details on z/OS V2R3 CS Content and Other Topics
IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remain at our sole discretion.
z/OS Encryption Readiness Technology (zERT)
Background: Encrypting TCP/IP network traffic on z/OS
z/OS provides 4 mechanisms to protect TCP/IP traffic:
1. TLS/SSL direct usage
• Application is explicitly coded to use these
• Configuration and auditing is unique to each application
• Per-session protection
• TCP only
2. Application Transparent TLS (AT-TLS)
• TLS/SSL applied in the TCP layer as defined by policy
• Configured in AT-TLS policy via Configuration Assistant
• Auditing through SMF 119 records
• Typically transparent to the application
• TCP/IP stack is the user of System SSL services
3. Virtual Private Networks using IPSec and IKE
• "Platform to platform" encryption
• IPSec implemented in the IP layer as defined by policy
• Auditing via SMF 119 records at tunnel level only
• Completely transparent to the application
• Wide variety (any to all) of traffic is protected
• IKE negotiates IPSec tunnels dynamically
4. Secure Shell using z/OS OpenSSH
• Mainly used for sftp on z/OS, but also offers secure terminal access and TCP port forwarding
• Configured in the ssh configuration file and on the command line
• Auditing via SMF 119 records
• TCP only
[Figure: the four mechanisms as they sit in the z/OS TCP/IP stack. (1) TLS/SSL used directly by the application through System SSL or JSSE: DB2, CICS, IMS Connect, Guardium, FTP, TN3270, JES/NJE, RACF RRSF, WAS and Java applications, ... (2) AT-TLS inside the TCP/IP stack, using System SSL: MQ, CICS, Connect:Direct, ... (3) IPSec VPN with IKE, below the application: any application or subsystem. (4) OpenSSH: sftp and TCP applications via port forwarding. Each path is marked "Protected" on the network side.]
Background …
Given all these mechanisms, configuration methods and variation in audit detail…
§ How can I tell…
• Which traffic is being protected (and which is not)?
• How is that traffic being protected?
- Security protocol?
- Protocol version?
- Cryptographic algorithms?
- Key lengths?
- …and so on
• Who does the traffic belong to, in case I need to follow up with them?
§ How can I ensure that new configurations adhere to my company's security policies?
§ Once I've answered the above questions, how can I provide the information to my auditors or compliance officers?
§ Many factors driving these questions:
• Regulatory compliance (corporate, industry, government)
• Vulnerabilities in protocols and algorithms
• Internal audits
• …and so on
Introducing z/OS Encryption Readiness Technology (zERT)
A z/OS network administrator can discover and audit the network encryption attributes associated with z/OS TCP and Enterprise Extender traffic by analyzing new SMF records.
§ zERT positions the TCP/IP stack as a central collection point and repository for cryptographic security attributes for:
• TCP connections that are protected by TLS, SSL, SSH or IPsec, or that are unprotected
• Enterprise Extender connections that are protected by IPsec, or that are unprotected
Learn about zERT…
Session EE: Determining who's using what network encryption on your z/OS system: zERT to the Rescue!
Tuesday November 07, 2017, 16:30 - 17:30, Melbourne. Speaker: Jerry Stevens (IBM Corporation)
z/OS Mail Updates
Statement of Direction: z/OS Communications Server Internet mail applications: Sendmail and SMTPD (Issued July 28, 2015)
As previously announced in Hardware Announcement 114-009, dated February 24, 2014, the Simple Mail Transport Protocol Network Job Entry (SMTPD NJE) Mail Gateway and Sendmail mail transports are planned to be removed from z/OS. IBM now plans for z/OS V2.2 to be the last release to include these functions. If you use the SMTPD NJE Gateway to send mail, IBM recommends you use the existing CSSMTP SMTP NJE Mail Gateway instead. In that same announcement, IBM announced plans to provide a replacement program for the Sendmail client that would not require programming changes. Those plans have changed, and IBM now plans to provide a compatible subset of functions for Sendmail in the replacement program and to announce those functions in the future. Programming changes or alternative solutions to currently provided Sendmail functions might be required. No replacement function is planned in z/OS Communications Server to support using SMTPD or Sendmail as a (SMTP) server for receiving mail for delivery to local TSO/E or z/OS UNIX System Services user mailboxes, or for forwarding mail to other destinations.
§ Migration Health Checks in V2R1 and V2R2 for SMTPD and Sendmail alert users of these applications to their coming removal
Mail components supported in z/OS V2R2
[Figure: mail components in z/OS V2R2. A TSO user or z/OS application writes to SYSOUT on the JES spool, and CSSMTP (SMTP client) forwards the mail over (E)SMTP to an MTA on the SMTP network. SMTPD (SMTP client and server) is fed from the NJE network (z/OS, z/VSE, z/VM) and also exchanges SMTP with the network. A z/OS UNIX shell user, or a non-z/OS user using z/OS Sendmail as the target server, goes through z/OS Sendmail (SMTP client and server), which uses the UNIX file system and talks (E)SMTP to an MTA. IMAP and POP are shown beside the (E)SMTP protocols.]
Mail component changes in z/OS V2R3
[Figure: the same diagram as the V2R2 chart, with X marks over SMTPD (SMTP client and server), z/OS Sendmail (SMTP client and server), the non-z/OS user path into z/OS Sendmail, and the NJE-network and SMTP-server paths that depended on them. The CSSMTP path from the JES spool to the SMTP network is unchanged.]
Mail components in z/OS V2R3
[Figure: mail components in z/OS V2R3, the strategic mail solution. A TSO user or z/OS application writes to SYSOUT on the JES spool; a z/OS UNIX shell user invokes the z/OS sendmail to CSSMTP bridge, which formats messages for CSSMTP and places them into the JES spool for CSSMTP to process. CSSMTP (SMTP client) sends them over (E)SMTP to an MTA on the SMTP network. The NJE network (z/OS, z/VSE, z/VM) and the UNIX file system remain as inputs; IMAP and POP are shown beside the (E)SMTP protocols.]
Bottom line: You can still send mail from z/OS using CSSMTP and the sendmail bridge, but you cannot receive it.
Removal of SMTPD and Sendmail
• Difficult to continue to support three mail programs
• SMTPD NJE Gateway:
- Pascal API application
- Supports older SMTP RFCs; no support for TLS/SSL or IPv6
- Performance issues (single-threaded)
• z/OS UNIX sendmail:
- Ported code version 8.12.1 (2001/10/01), out of date
§ CSSMTP was introduced in z/OS V1R11 and has been the strategic mail program
• All development/support efforts focused on CSSMTP
• CSSMTP already provides superior performance, function, and currency as compared to SMTPD and sendmail
• The CSSMTP Test Mode capability and the EZBMCOPY utility program were provided on V2R1 (via APAR) and V2R2 to assist with verifying SMTPD mail workloads in your production environment (see appendix)
Removal of SMTPD and Sendmail …
§ The SMTPD NJE Gateway and z/OS UNIX sendmail are removed in z/OS V2R3
• Neither SMTPD nor the sendmail daemon can be configured or started in z/OS V2R3
• No replacement function is provided by z/OS Communications Server for receiving mail for delivery to local TSO/E or z/OS UNIX System Services user mailboxes, or for forwarding mail to other destinations
• While some users may be accustomed to issuing sendmail commands from the UNIX shell, more problematic is the fact that some applications may issue sendmail commands as part of their processing
- Sendmail commands can still be issued in V2R3 due to the presence of the sendmail to CSSMTP bridge (see next chart)
Sendmail to CSSMTP bridge
§ To allow the processing of many existing sendmail command variations, z/OS V2R3 CS provides a sendmail to CSSMTP bridge (sendmail bridge)
§ The sendmail bridge:
§ Parses input options from the command line
§ Reads mail message from UNIX System Services file
§ Mail message updated by adding SMTP commands and SMTP headers (if no header specified in input mail message)
§ Mail message transmitted to JES spool data set
§ CSSMTP processes mail messages on the JES spool data set
§ The sendmail command is now a symbolic link to the sendmail bridge, allowing applications and users to continue to issue sendmail commands
Sendmail to CSSMTP bridge …
§ The sendmail command is directed to the sendmail bridge (ezatmail):
sendmail command_switch(es) recipient_name(s) <input_mail_message
Example: sendmail [email protected] </tmp/mymail1
/tmp/mymail1 contains:
From: [email protected]
Subject: Good job today

Great work!
Result: the message is updated with SMTP commands and headers, and transmitted to the JES spool data set
§ Sendmail could be invoked both from the OMVS shell and through JCL (via BPXBATCH), so the sendmail bridge can be invoked in the same way
§ See the appendix for more information on the sendmail bridge, including configuration statements, command line switches, and options supported
Sendmail to CSSMTP bridge on V2R1 and V2R2
§ Support for the sendmail to CSSMTP bridge will also be provided for z/OS V2R1 and V2R2 with APAR PI71175
• The ezatmail command (the name of the sendmail to CSSMTP bridge executable) invokes the sendmail bridge
• sendmail is unchanged
• A symbolic link can be added for sendmail to invoke the sendmail bridge (ezatmail) for testing
CSSMTP compatibility enhancements
§ The CSSMTP Compatibility Enhancements are several items intended to improve the compatibility of CSSMTP with existing customer environments.
• The intent is to remove the remaining inhibitors to migrating from SMTPD-based mail to CSSMTP-based mail
§ The items are:
• Improved TLS compatibility with mail servers
• CSSMTP customizable ATSIGN character for mail addresses
• Improved CSSMTP code page compatibility with target servers
§ Information on these items is available in the appendix.
Wildcard Support for Jobnames on PORT & PORTRANGE Statements
Jobnames on PORT and PORTRANGE statements
• The PORT and PORTRANGE configuration statements allow a user to restrict which programs can bind or listen to a particular port
• The PORT statement is used to restrict a single port
• The PORTRANGE statement is used to restrict multiple ports
• The JOBNAME parameter on the PORT and PORTRANGE statements specifies which jobs are authorized to bind or listen to a port
• A wildcard character of asterisk can be used to specify which jobs can bind or listen to a port
• An asterisk by itself matches any job name
• An asterisk is allowed at the end of a partial job name
§ Customers have requested more flexible wildcard support to avoid having to code extra PORT/PORTRANGE statements
Enhanced wildcard support for Jobnames on PORT and PORTRANGE statements
• The PORT/PORTRANGE statements are changed to support:
• Asterisks in any position
- An asterisk represents zero or more unspecified characters
• Question marks in any position
- A question mark represents a single unspecified character
§ It is possible for multiple PORT/PORTRANGE statements to match a job name. In that case, these rules determine the best match:
• The job name is compared character by character from left to right
- When a character in the job name does not match the specification, the following hierarchy is used to determine which is the best match:
– A non-wildcard character takes precedence over a wildcard specification
– A single wildcard character of question mark takes precedence over the multiple wildcard character of asterisk
Enhanced wildcard support examples
• Example 1:
PORT 6001 TCP JOBNAME US?R*
PORT 6002 TCP JOBNAME US*R*
• A job with name USER15 binds to port 6001
• The JOBNAME of US?R* would match.
- The single wildcard '?' beats the multiple wildcard '*'
• Example 2:
PORT 6001 TCP JOBNAME U?ER*
PORT 6002 TCP JOBNAME US*R*
• A job with name USER15 binds to port 6002
• The JOBNAME of US*R* would match.
- A specific match on 'S' beats '?'
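The two examples above, worked through in Python as an added illustration (this is not z/OS Communications Server code and does not reproduce the stack's matcher). The list of (port, pattern) tuples is this example's own representation of the PORT statements, not TCP/IP profile syntax, and the rule that two patterns ranking identically fall to profile order is an assumption the chart does not state.

```python
import re

# Rank of a pattern character when two matching patterns are compared at the
# same position: a literal beats '?', and '?' beats '*' (the chart's hierarchy).
WILDCARD_RANK = {"?": 1, "*": 2}


def jobname_matches(pattern, jobname):
    """True if jobname satisfies pattern.

    '*' matches zero or more characters and '?' exactly one, in any position,
    as described for the enhanced PORT/PORTRANGE wildcard support.
    """
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c)
        for c in pattern.upper()
    )
    return re.fullmatch(regex, jobname.upper()) is not None


def specificity(pattern):
    """Left-to-right ranking key: the lexicographically smallest key is the
    most specific pattern (earliest literal, then earliest '?', then '*')."""
    return tuple(WILDCARD_RANK.get(c, 0) for c in pattern.upper())


def best_matching_port(port_statements, jobname):
    """Pick the PORT statement whose JOBNAME pattern best matches jobname.

    port_statements is a list of (port, jobname_pattern) tuples in profile
    order (this example's own representation, not TCP/IP profile syntax).
    Returns the winning (port, pattern), or None when no pattern matches.
    Assumption: two patterns that rank identically fall to profile order.
    """
    candidates = [(port, pat) for port, pat in port_statements
                  if jobname_matches(pat, jobname)]
    if not candidates:
        return None
    # min() returns the first of several equal keys, so profile order breaks ties
    return min(candidates, key=lambda item: specificity(item[1]))


if __name__ == "__main__":
    # The two examples from the chart, plus the case a reviewer of a profile
    # usually cares about: a bare '*' is the least specific pattern of all.
    example1 = [(6001, "US?R*"), (6002, "US*R*")]
    example2 = [(6001, "U?ER*"), (6002, "US*R*")]
    print(best_matching_port(example1, "USER15"))              # (6001, 'US?R*')
    print(best_matching_port(example2, "USER15"))              # (6002, 'US*R*')
    print(best_matching_port([(21, "*"), (21, "FTPD*")], "FTPD1"))   # (21, 'FTPD*')
```

The ranking only decides which of several matching statements applies; it never denies anything by itself. When reviewing a profile, look for a bare `*` JOBNAME on a privileged port (21, 23, 443 and similar): it authorizes any address space to bind there, and the precedence rules will not stop that unless a more specific statement also matches.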
AT-TLS Currency with System SSL
Application Transparent Transport Layer Security (AT-TLS)
§ Stack-based TLS
• TLS processing performed in the TCP layer (via System SSL) without requiring any application change (transparent)
• AT-TLS policy specifies which TCP traffic is to be TLS protected based on a variety of criteria
§ Application transparency
• Can be fully transparent to the application
• An optional API allows applications to inspect or control certain aspects of AT-TLS processing: "application-aware" and "application-controlled" AT-TLS, respectively
§ Uses System SSL for TLS protocol processing
• Remote endpoint sees an RFC-compliant implementation
• Interoperates with other compliant implementations
[Figure: layered view of the z/OS CS stack (DLC, IPv4/IPv6 networking, TCP transport, sockets API, TCP/IP application) with AT-TLS inside the transport layer calling System SSL; the connection is marked encrypted on the network side, and the AT-TLS policy is supplied through the z/OS CS policy infrastructure by the AT-TLS policy administrator using the Configuration Assistant.]
AT-TLS currency with System SSL
• Since z/OS CS handles the TLS processing transparently for exploiting applications, it is necessary for AT-TLS to support enhancements made by System SSL. This will usually include:
• Externalizing new options and parameters through policy definitions
• Updating the Configuration Assistant to support those new parameters and options
§ And may include:
• Updates to netstat and/or pasearch commands
• Updates to IPCS formatters
• Updates to NMIs, SMF records, or IOCTLs
AT-TLS currency with System SSL …
• Provide FIPS 140-2 security levels to enforce different cryptographic strengths (NIST SP 800-131A Revision 1)
• Support new certificate processing controls defined in NIST SP 800-52 Revision 1
• Support new OCSP features, such as OCSP stapling (RFC 6066, 6277, 6960, 6961)
• OCSP stapling supports the inclusion of the OCSP response for the server's certificate as a TLS extension during the TLS handshake
§ Support the new 128Min and 192Min profiles for the Suite B Profile (RFCs 6460 and 5759)
§ Support the Signaling Cipher Suite Value (SCSV), which can provide protection against protocol downgrade attacks (RFC 7507)
• Allows the server to detect and avoid an inappropriate fallback to an earlier protocol version during the handshake
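What the SCSV check on the last bullet actually does, as an added example in Python (not AT-TLS or System SSL code): a client that retries a failed handshake at a lower version appends TLS_FALLBACK_SCSV (cipher suite value 0x5600) to its cipher list; a server that supports a higher version than the ClientHello announces must then abort with a fatal inappropriate_fallback alert (code 86), because a legitimate client would not have needed to fall back. The ClientHello bytes are constructed inline with a minimal builder (no extensions), and the server's highest supported version is an assumed TLS 1.2.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signaling cipher suite value
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
INAPPROPRIATE_FALLBACK = 86         # AlertDescription inappropriate_fallback (RFC 7507)

# Ordinary suites, used only to fill the constructed ClientHello
AES128_GCM = 0xC02F                 # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
AES128_CBC = 0x002F                 # TLS_RSA_WITH_AES_128_CBC_SHA


def build_client_hello(client_version, cipher_suites):
    """Constructed minimal ClientHello (no extensions) wrapped in a TLS record."""
    body = struct.pack("!H", client_version) + bytes(32)        # client_version, random (zeros here)
    body += b"\x00"                                               # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += b"\x01\x00"                                           # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16" + struct.pack("!H", TLS10) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, cipher_suites) from a TLS record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                                          # record header (5) + handshake header (4)
    client_version = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + 32                                                    # skip client_version and random
    p += 1 + record[p]                                             # skip session_id
    n = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", record[p + i:p + i + 2])[0] for i in range(0, n, 2)]
    return client_version, suites


def server_fallback_check(record, server_max_version=TLS12):
    """Apply the RFC 7507 server rule to an incoming ClientHello.

    Returns None to continue the handshake, or the alert description the
    server must send (inappropriate_fallback) when the client signals a
    downgrade retry although the server supports a higher version.
    """
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return INAPPROPRIATE_FALLBACK
    return None


if __name__ == "__main__":
    first_try = build_client_hello(TLS12, [AES128_GCM, AES128_CBC])
    downgrade_retry = build_client_hello(TLS11, [AES128_GCM, AES128_CBC, TLS_FALLBACK_SCSV])
    print(server_fallback_check(first_try))                                 # None: normal handshake
    print(server_fallback_check(downgrade_retry))                           # 86: someone forced a fallback
    print(server_fallback_check(downgrade_retry, server_max_version=TLS11)) # None: TLS 1.1 really is the max
```

Two caveats when reasoning about this in an AT-TLS context: the SCSV only helps when the client actually implements the retry-with-SCSV behaviour (a client that silently retries without it gets no protection), and the mechanism belongs to TLS 1.2 and earlier; TLS 1.3 carries the offered version in the supported_versions extension and signals downgrade through fixed bytes in ServerHello.random instead.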
VTAM 3270 Intrusion Detection Services (3270 IDS)
Background: 3270 data streams
§ The 3270 data stream protocol is part of SNA (Systems Network Architecture)
• Set of rules that governs how data is transmitted in an SNA network
- When communicating with a 3270 display terminal or printer
- Can also be used between application programs
§ 3270-based applications and middleware are still quite pervasive:
• From IBM: TSO/E, ISPF, CICS, IMS, etc.
• Many vendor products
• Even more customer-written applications (compiled languages as well as CLISTs and REXX execs)
§ Historically, 3270 devices were exactly that: hardware devices that enforced adherence to the 3270 data stream protocol in hardware. As such, they were fairly impenetrable to protocol violations or attack.
§ Older software was often written under the assumption that hardware devices would ensure the integrity of the 3270 data streams, so little or no defensive code was included with 3270 protocol processing
§ However,
• Since the 1980s, hardware devices have been almost completely replaced by software emulators. As such, the promise of hardware-enforced protocol adherence has all but disappeared
• Since the 1990s, native SNA connectivity for 3270 emulators has been largely replaced by TN3270 connections over TCP/IP. As such, the "closed" nature of SNA networks has been replaced by a more open and accessible network in TCP/IP.
Background: Potential 3270 data stream protocol manipulation
§ A hacked 3270 emulator could expose issues for z Systems 3270 applications that are lax in validating input data streams from their clients
• Overrun of input fields (similar to a buffer overflow)
• Overlay of protected fields
§ Such an emulator has been implemented and discussed at a hacker's conference
§ All IBM z/OS software products (OS, middleware, and applications) were assessed and, if necessary, any exposures were closed via the service stream
§ However, customers have many home-grown and 3rd-party 3270 applications, and the level of support varies greatly. In some cases, source code may no longer be available.
§ IBM wants to help customers protect such applications
Solution: 3270 protocol monitoring in key IBM software
§ 3270 protocol validation logic has been developed for three key z/OS components:
– CICS BMS (for CICS applications that use BMS to build their 3270 data streams)
– IMS MFS (for IMS applications that use MFS to build their 3270 data streams)
– VTAM (for any 3270 data streams) <- Focus of this presentation
§ All of these solutions are purely reactive, detecting protocol violations in real time
§ None of them are designed to search for or identify vulnerabilities in your z/OS 3270 applications
§ CICS BMS and IMS MFS solutions
– Fairly lightweight since they are built into existing 3270 protocol handling logic
– Available now via service stream
§ VTAM solution handles any 3270 application data streams
– Provides protocol violation reporting as well as optional defensive action (session termination)
– Why VTAM? It is the only single point in the overall 3270 network through which all z/OS-related 3270 application traffic passes
(In addition, a white paper entitled "3270 Emulation: Security Considerations" was published in February, 2015 to recommend best practices for minimizing the 3270 emulation exposure)
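To make the two violation classes concrete (field overrun and protected-field overlay, from the previous chart), here is an added Python example of the kind of check a monitor sitting between the emulator and the application can apply. It is not the VTAM, CICS BMS or IMS MFS IDS logic, which this deck does not disclose; it uses only the standard 3270 order codes (SF 0x1D, SBA 0x11, IC 0x13, SFE 0x29), assumes a 24x80 model 2 screen, and the outbound screen and the three inbound streams are constructed inline. The address encoder is simplified: it emits 0x40|v for each 6-bit half, which decodes identically to the canonical graphic-character table.

```python
SF, SBA, IC, SFE = 0x1D, 0x11, 0x13, 0x29   # Start Field, Set Buffer Address, Insert Cursor, Start Field Extended
ATTR_PROTECTED = 0x20                       # protected bit in the field attribute byte
SCREEN_CELLS = 24 * 80                      # assumed model 2 screen


def decode_address(b1, b2):
    """Decode a 3270 buffer address: 14-bit form if the top two bits are 00, else 12-bit."""
    if b1 & 0xC0 == 0:
        return ((b1 & 0x3F) << 8) | b2
    return ((b1 & 0x3F) << 6) | (b2 & 0x3F)


def encode_address(addr):
    """12-bit form, simplified: any byte with the same low 6 bits decodes the same."""
    return bytes([0x40 | ((addr >> 6) & 0x3F), 0x40 | (addr & 0x3F)])


def parse_outbound(stream):
    """Build {attribute_position: is_protected} from an outbound Write/Erase Write stream."""
    fields, pos, i = {}, 0, 2                   # skip the command byte and the WCC
    while i < len(stream):
        order = stream[i]
        if order == SBA:
            pos = decode_address(stream[i + 1], stream[i + 2]); i += 3
        elif order == SF:
            fields[pos] = bool(stream[i + 1] & ATTR_PROTECTED)
            pos = (pos + 1) % SCREEN_CELLS; i += 2
        elif order == SFE:                      # count, then (type, value) pairs; 0xC0 is the basic attribute
            count, protected = stream[i + 1], False
            for k in range(count):
                if stream[i + 2 + 2 * k] == 0xC0:
                    protected = bool(stream[i + 3 + 2 * k] & ATTR_PROTECTED)
            fields[pos] = protected
            pos = (pos + 1) % SCREEN_CELLS; i += 2 + 2 * count
        elif order == IC:
            i += 1
        else:                                   # display data occupies one cell
            pos = (pos + 1) % SCREEN_CELLS; i += 1
    return fields


def field_capacity(fields, attr_pos):
    """Number of data cells between this attribute and the next one (wrapping)."""
    starts = sorted(fields)
    nxt = starts[(starts.index(attr_pos) + 1) % len(starts)]
    return (nxt - attr_pos - 1) % SCREEN_CELLS


def validate_inbound(fields, inbound):
    """Check an inbound Read Modified stream (AID, cursor, then SBA + data per field).

    Returns a list of violation strings; an empty list means the stream is clean.
    """
    violations, starts, i = [], sorted(fields), 3
    if not starts:                              # unformatted screen: nothing to enforce here
        return violations
    while i < len(inbound):
        if inbound[i] != SBA:
            violations.append(f"unexpected byte 0x{inbound[i]:02X} at offset {i}")
            break
        addr = decode_address(inbound[i + 1], inbound[i + 2]); i += 3
        start = i
        while i < len(inbound) and inbound[i] != SBA:
            i += 1
        data_len = i - start
        # The field owning addr is the nearest attribute before it (wrapping to the last one)
        owner = max((p for p in starts if p < addr), default=starts[-1])
        if fields[owner]:
            violations.append(f"write into protected field at {owner} (address {addr})")
            continue
        room = field_capacity(fields, owner) - ((addr - owner - 1) % SCREEN_CELLS)
        if data_len > room:
            violations.append(f"field at {owner} overrun: {data_len} bytes into {room} cells")
    return violations


# Constructed screen: protected label "USERID:" at 0, unprotected 9-cell input at 10,
# protected filler from 20. The data bytes are EBCDIC; their values do not matter here.
SAMPLE_OUTBOUND = (bytes([0xF5, 0xC3])                      # Erase/Write command, WCC
                   + bytes([SBA]) + encode_address(0) + bytes([SF, 0x60]) + b"\xe4\xe2\xc5\xd9\xc9\xc4\x7a"
                   + bytes([SBA]) + encode_address(10) + bytes([SF, 0x40])
                   + bytes([SBA]) + encode_address(20) + bytes([SF, 0x60]))
ENTER, CURSOR = bytes([0x7D]), encode_address(16)           # constructed inbound prefixes
GOOD_INBOUND = ENTER + CURSOR + bytes([SBA]) + encode_address(11) + b"\xc1" * 5
OVERRUN_INBOUND = ENTER + CURSOR + bytes([SBA]) + encode_address(11) + b"\xc1" * 12   # 12 bytes into 9 cells
OVERLAY_INBOUND = ENTER + CURSOR + bytes([SBA]) + encode_address(1) + b"\xc1" * 3     # lands in the protected label

if __name__ == "__main__":
    screen = parse_outbound(SAMPLE_OUTBOUND)
    for name, stream in [("good", GOOD_INBOUND), ("overrun", OVERRUN_INBOUND), ("overlay", OVERLAY_INBOUND)]:
        print(name, validate_inbound(screen, stream) or "clean")
```

The point the chart makes is visible in the code: the only state the monitor needs is the field map of the last outbound screen, which is exactly what a real terminal used to enforce in hardware and what an emulator under attacker control is free to ignore. A production monitor would also reject buffer addresses beyond the screen size, unknown AID bytes and SBA orders that land on an attribute cell, and would take the defensive action (session termination) rather than just reporting, which is what the VTAM solution offers as an option.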
Solution: Architecture
[Figure: TN3270 clients (laptops and workstations running IBM or ISV TN3270 emulators, and distributed servers such as HATS, ISV or customer-written programs that invoke legacy 3270 applications programmatically) reach z/OS over the TN3270 protocol on TCP/IP through the TN3270 server; native 3270 SNA clients (emulators and physical terminals, programmatic invocation; a small and decreasing use case) arrive over the 3270 protocol on SNA. All of it passes through VTAM, where the VTAM 3270 IDS validates 3270 data streams for every 3270 application layer (customer-written, ISV, IBM). CICS BMS IDS and IMS MFS IDS cover applications using the BMS and MFS APIs; the non-BMS and non-MFS API paths and other subsystems and middleware (TSO, IBM, ISV, etc.) are covered by VTAM. Caption: 3270 Data Stream Protocol Validation, a real-time detection and prevention system to guard against potential exploitation of 3270 vulnerabilities for CICS BMS, IMS MFS and all other 3270 applications.]
VTAM Solution: Overview of Externals
§ New VTAM start options
– Global options that allow IDS to be enabled/disabled globally or to disable by default and allow
selective application enablement, as well as specifying the action to take when a 3270 protocol
violation is detected (do nothing, return a sense code to the application, or terminate the session).
§ New major node APPL and GROUP parameters to override VTAM-wide start options
– Enable/disable on an application basis
§ Updated reports from the following commands:
– DISPLAY ID
– DISPLAY SESSION
– DISPLAY STATS,TYPE=VTAM
– DISPLAY VTAMOPTS,FUNCTION=SECURITY
§ New parameters on the MODIFY CSM and MODIFY VTAMOPTS command
– Ability to modify configuration dynamically
§ New GTF trace records under a new GTF Event Identifier (EID)
– New trace record that captures detected IDS event (along with outbound and inbound data stream)
§ Serviceability updates
VTAM solution: Logistics
§ In addition to being included in V2R3, the VTAM 3270 IDS is available for V2R1 & V2R2
– V2R1:
• APAR OA48802
• Documentation available at: http://www-01.ibm.com/support/docview.wss?uid=swg27047235
• TSO APAR OA49682 is highly recommended
– V2R2:
• APAR OA49911
• Documentation available at: http://www-01.ibm.com/support/docview.wss?uid=swg27047957
• Must also apply TN3270E server APAR PI57735
– The VTAM 3270 IDS function provided by APARs OA48802 (V2R1) and OA49911 (V2R2) is initially disabled.
• OA52255 (V2R1 and V2R2) will be available at V2R3 GA to enable the VTAM 3270 IDS function
• A ++APAR for OA52255 is available now for any customers wishing to request it through a PMR
VTAM solution: Logistics …
§ General considerations:
– No application changes are required to exploit this function
– Function is disabled by default; it must be explicitly enabled
– "VTAM 3270 Intrusion Detection Services - Overview, Considerations, and Assessment" should be read before you consider implementation.
• Provides detailed instructions on evaluating the need for the 3270 IDS in your environment, as well as exploitation costs and other considerations.
• OA48802_Prerequisite.pdf (V2R1) and OA49911_Prerequisite.pdf (V2R2) available at the links above
– The VTAM operator display command D NET,APPLS,SCOPE=3270CAND can assist in starting your evaluation:
• Displays a list of active VTAM applications that have any LU-LU sessions (since the ACB was opened) that qualify for the 3270 IDS monitoring
• Also provides a cumulative session count (since the ACB was opened) of the number of qualifying LU sessions
§ There are additional details in the appendix
Miscellaneous V2R3 Topics
New IBM z14 – Network Interface Updates
§ OSA-Express6S
• Technology refresh
• Supported on all existing supported releases; APAR PI75733 (z/OS V2R1 and z/OS V2R2) updates the output of the D OSA,INFO command when using OSA-Express6S
• OSA-Express6S features: 10 Gigabit Ethernet Long Reach (10 GbE LR), 10 Gigabit Ethernet Short Reach (10 GbE SR), Gigabit Ethernet Long Wavelength (GbE LX), Gigabit Ethernet Short Wavelength (GbE SX), 1000BASE-T Ethernet
§ RoCE Express2 10GbE
• Technology refresh
• Can be shared across 63 Virtual Functions (VFs) per physical port (the earlier version supported 31 VFs)
• Requires the following APARs on prior releases:
- V2R1: OA51949 / PI75199
- V2R2: OA51950 / PI75200
z/OS without HSCI: Each host sees multiple IP networks (subnets)
[Figure: six z/OS images (Server A to Server F, z/OS 1 to z/OS 6) in Sysplex A spread over two CPCs (CPC X and CPC Y, each under PR/SM). Every image has an OSA NIC on the external LAN (OSD CHPID, VLAN A, addresses A.1 to A.6 on Net A) and a HiperSockets NIC: IQD CHPID A is Network 'X' (VLAN X, X.1 to X.3) on one CPC, IQD CHPID B is Network 'Y' (VLAN Y, Y.1 to Y.3) on the other. Each image therefore has two interfaces (If A/If B through If K/If L) and two IP routes; each z/OS image has multiple (2) networks and the two systems have 3 networks in total. The user must provision and manage three independent networks: Net A, Net X and Net Y.]
With HSCI: Each host sees a single IP network
[Figure: the same six images now have one interface each (If A to If F), one address each on VLAN A (A.1 to A.6) and one IP route each. The HiperSockets NIC on IQD CHPID A and IQD CHPID B is converged under the OSA interface as Network 'A' and is not visible to the TCP/IP stack. Each z/OS image has access to 1 network (via OSA), and the user provisions and manages a single network, Net A.]
Introducing HiperSockets Converged Interface (HSCI)
A z/OS network administrator can transparently provision and exploit HiperSockets, providing improved z/OS HiperSockets usability and compatibility with the z/VM VSwitch Bridge (layer 2 mode)
HSCI was covered in session EA…
If you missed the HSCI session, take a look at the materials and contact me if you have questions.
Session EA: Introducing the new HiperSockets Converged Interface Support
Tuesday November 07, 2017, 10:45 - 11:45, Stowe. Speaker: Jerry Stevens (IBM Corporation)
Shared Memory Communications: RoCE Express & ISM (intra-system)
[Figure: SMC-R and SMC-D enabled z13 platform. z/OS image 1 (WAS, client) and z/OS image 2 (DB2, server) on the same CPC communicate with Shared Memory Communications via DMA (SMC-D using vPCI ISM over a VCHID); z/OS image 3 (WAS, client) on an SMC-R enabled platform reaches the same DB2 server with Shared Memory Communications via RDMA (SMC-R using RoCE). In every image the sockets layer sits above SMC and shared memory. Clustered systems example: local and remote access to DB2 from WAS (JDBC using DRDA). Both forms of SMC can be used concurrently, combining to provide a highly optimized solution. Shared Memory Communications via z Systems PCI architecture: 1. RDMA (SMC-R for cross platforms via RoCE); 2. DMA (SMC-D for the same CPC via ISM).]
Shared Memory Communications – (SMC-R and SMC-D)
A z/OS network administrator can transform z/OS network communications for the future!
Learn about Shared Memory Communications with RoCE Express2 and Internal Shared Memory (ISM) on the z14 …
Session EC: Shared Memory Communications: Improve Performance, Throughput and Response Time !
Tuesday November 07, 2017, 14:00 - 14:45, Stowe. Speaker: Jerry Stevens (IBM Corporation)
Support for enhanced system symbols
• z/OS V2R2 added enhanced system symbol support:
• Longer system symbol names (up to 16 characters) and longer symbol substitution values
- Note that the length of symbol substitution values should not exceed the length of the symbol names
• Underscore added as a valid character in a system symbol name
- z/OS V2R2 CS did not support a system symbol with an underscore in a TCP/IP profile configuration file
- z/OS V2R2 CS did not support longer symbol substitution values in some cases
§ z/OS V2R3 CS adds support for a system symbol with an underscore character, and support for longer symbol substitution values
IPv6 getaddrinfo() API standards compliance
Background: getaddrinfo() is an API that allows socket applications to resolve hostnames to IP addresses
• Supports both IPv4 and IPv6 address lookups
• Very flexible API that provides many options to customize the results of the lookup
• Ability to request IPv4 only, IPv6 only, or both IPv4 and IPv6
• Supported on z/OS since z/OS V1R4, when IPv6 support was introduced on z/OS
- Initially designed using a late-level draft of RFC 2553
- After z/OS introduced this new API in z/OS V1R4, a later level of RFC 2553 was defined, and subsequent to that, RFC 3493 was created, which made RFC 2553 obsolete
- While the z/OS implementation is compliant with the standards for most use cases, there is one very specific scenario where non-compliance has been detected
– As a result, some IPv6-enabled applications being ported to the platform have required some minor changes
IPv6 getaddrinfo() API standards compliance …
• Specific scenario of concern – getaddrinfo() invoked with the following options and configuration:
  • AF_UNSPEC is specified as the ai_family
  • AI_ALL flag is not specified
  • IPv6 is enabled on the z/OS system
  • IPv6 addresses are defined for the hostname
§ Prior to V2R3, this would have resulted in only IPv6 addresses being returned on the query
§ Beginning with z/OS V2R3, the getaddrinfo API returns all IPv4 and IPv6 addresses that are associated with the hostname when the above settings are true.
§ This makes the API consistent with the specifications and makes the processing consistent with the existing (pre-V2R3) behavior of the API when invoked on a system that does not have IPv6 enabled.
• Provides getaddrinfo compliance with RFC 3493 and the Single UNIX Specification v3 (SUSv3)
• Eliminates a migration consideration when porting applications to z/OS.
§ Do not expect many applications to be impacted
  • Applications following the suggested IPv6 enablement for getaddrinfo() should not be impacted
  - More information on getaddrinfo can be found in the “Protocol-independent nodename and service name translation” section of the z/OS Communications Server: IPv6 Network and Application Design Guide.
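The scenario above is easy to probe from any socket program. The following Python is an added example, not code from the presentation or from IBM: it calls getaddrinfo() exactly as the slide describes (AF_UNSPEC, AI_ALL not set) and counts the address families returned, then shows the family-agnostic connect loop an application should use instead of assuming the first (or only) answer is IPv6. An application that pins the first result or filters on one family (for instance in an access list) is the kind that notices the V2R3 change. The host names, port and helper names are the example's own.

```python
import socket

AI_NUMERICHOST = socket.AI_NUMERICHOST
HAS_IPV6 = socket.has_ipv6


def lookup(host, port=25, flags=0):
    """getaddrinfo() as on the slide: AF_UNSPEC, AI_ALL not set.

    Returns a list of (family, sockaddr) tuples, or [] when the lookup fails;
    the EAI_* error text is kept in lookup.last_error for diagnostics.
    SOCK_STREAM is requested so each address appears once, not once per
    socket type.
    """
    lookup.last_error = None
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC,
                                   socket.SOCK_STREAM, 0, flags)
    except socket.gaierror as exc:
        lookup.last_error = str(exc)
        return []
    return [(family, sockaddr) for family, _t, _p, _c, sockaddr in infos]


def count_families(host, port=25, flags=0):
    """How many IPv4 / IPv6 answers a given host produces.

    On a pre-V2R3 z/OS stack with IPv6 enabled and both record types
    defined, ipv4 would be 0 here; from V2R3 on (and on any RFC 3493
    stack) both counters are populated.
    """
    counts = {"ipv4": 0, "ipv6": 0, "other": 0}
    for family, _ in lookup(host, port, flags):
        if family == socket.AF_INET:
            counts["ipv4"] += 1
        elif family == socket.AF_INET6:
            counts["ipv6"] += 1
        else:
            counts["other"] += 1
    return counts


def ordered_candidates(host, port=25, flags=0, prefer_ipv6=True):
    """Family-agnostic ordering: keep every answer, only sort by preference."""
    wanted = socket.AF_INET6 if prefer_ipv6 else socket.AF_INET
    return sorted(lookup(host, port, flags),
                  key=lambda cand: 0 if cand[0] == wanted else 1)


def connect_first_reachable(host, port, timeout=3.0, flags=0):
    """The portable client pattern: try each candidate in order, whatever its
    family, and return the first connected socket (None if all fail)."""
    for family, sockaddr in ordered_candidates(host, port, flags):
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return sock
        except OSError:
            sock.close()
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, count_families(target))
    for family, sockaddr in ordered_candidates(target):
        print(" ", "IPv6" if family == socket.AF_INET6 else "IPv4", sockaddr[0])
```

Run it against a host name that has both A and AAAA records on a pre-V2R3 and a V2R3 system to see the difference in the ipv4 counter; the connect loop behaves the same on both, which is the point of writing clients that way.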
Sysplex-wide security associations (SWSA)
[Figure: sysplex distributor (with WLM) in front of target stacks; labels: APP, Sysplex Distributor, Hot Standby, VIPA1, Hidden VIPA1, z/OS Sysplex, Pagent, inbound data path, outbound data path]
• Sysplex-wide security associations (SWSA) combine sysplex distributor technology with IPSec technology
• Sysplex distributor negotiates security associations (SAs) with remote clients using the Internet Key Exchange protocol (IKE)
• Copies of SAs (shadows) are sent to target stacks
• Target stacks use the SAs to encrypt and decrypt data
• Backups can recover SAs in case of planned or unplanned DVIPA takeover
• Information about SAs is maintained in the EZBDVIPA coupling facility structure
  • Used for DVIPA takeover and sysplex distribution
  • In V2R2 and earlier, the number of available lists is fixed at 2048.
  • The number of lists actually utilized is determined by the number of DVIPAs and the number of security associations (tunnels)
Sysplex-wide security associations (SWSA) scalability improvement
• In V2R2, the maximum number of DVIPAs for a single stack was increased from 1024 to 4096
• In V2R2, the IKE daemon was redesigned to make heavy use of multithreading in order to increase its scalability
• These scalability improvements, along with the growing adoption of IPSec, increase the likelihood that a customer will encounter the current maximum of 2048 lists in EZBDVIPA
Sysplex-wide security associations (SWSA) scalability improvement …
• V2R3 adds a new VTAM start option, DVLSTCNT, that specifies the number of lists that the EZBDVIPA structure(s) can have
  • DVLSTCNT can be set to one of four possible values: 2048 (default), 4096, 8192, or 16384
  • The same value should be specified on all z/OS systems in the sysplex
  • All systems must be at V2R3
  • DVLSTCNT is changeable by the Modify VTAMOPTS command
• The CFSIZER tool has been updated to provide guidance in choosing the value for DVLSTCNT
Summary of z/OS CS TCP/IP device drivers – V2R1 and prior
Device driver type Supported
SMC-R and SMC-D yes
OSA Express QDIO (OSD, OSX) yes
Hipersockets (iQDIO) yes
Legacy OSA (LCS – OSE) yes
CTC P2P yes
MPC P2P (Multi-path Channel Point-to-Point) yes
XCF (Dynamic XCF) yes
MPC SAMEHOST yes
SNALINK (LU0 and LU6.2) yes
X.25 SAMEHOST yes
CLAW (e.g. Cisco CIPs) yes
Hyperchannel yes
CDLC (3745/3746 connections) yes
ATM yes
FDDI and Token Ring (LCS with LINKs FDDI/IBMTR) yes
Token Ring (MPCIPA with LINK IPAQTR) yes
ENet and FDDI (MPCOSA with LINKs OSANET/OSAFDDI) yes
Summary of z/OS CS TCP/IP device drivers – V2R2
Device driver type Supported
SMC-R and SMC-D yes
OSA Express QDIO (OSD, OSX) yes
Hipersockets (iQDIO) yes
Legacy OSA (LCS – OSE) yes
CTC P2P yes
MPC P2P (Multi-path Channel Point-to-Point) yes
XCF (Dynamic XCF) yes
MPC SAMEHOST yes
SNALINK (LU0 and LU6.2) No - Removed in V2R2
X.25 SAMEHOST No - Removed in V2R2
CLAW (e.g. Cisco CIPs) No - Removed in V2R2
Hyperchannel No - Removed in V2R2
CDLC (3745/3746 connections) No - Removed in V2R2
ATM No - Removed in V2R2
FDDI and Token Ring (LCS with LINKs FDDI/IBMTR) yes
Token Ring (MPCIPA with LINK IPAQTR) yes
ENet and FDDI (MPCOSA with LINKs OSANET/OSAFDDI) yes
Statement of Direction: End of support for additional TCP/IP legacy device drivers (Issued July 28, 2015)
z/OS V2.2 is planned to be the last release to include the TCP/IP legacy device drivers for FDDI and Token Ring (LCS with LINKs FDDI and IBMTR), Token Ring (MPCIPA with LINK IPAQTR), and ENet and FDDI (MPCOSA with LINKs OSAENET and OSAFDDI). If you are using any of these devices, IBM recommends you migrate to newer devices such as OSA Express QDIO and Hipersockets. Note that this withdrawal is only for TCP/IP device types, and not for any of the SNA device drivers.
Summary of z/OS CS TCP/IP device drivers – V2R3
Device driver type Supported
SMC-R and SMC-D yes
OSA Express QDIO (OSD, OSX) yes
Hipersockets (iQDIO) yes
Legacy OSA (LCS – OSE) yes
CTC P2P yes
MPC P2P (Multi-path Channel Point-to-Point) yes
XCF (Dynamic XCF) yes
MPC SAMEHOST yes
SNALINK (LU0 and LU6.2) No - Removed in V2R2
X.25 SAMEHOST No - Removed in V2R2
CLAW (e.g. Cisco CIPs) No - Removed in V2R2
Hyperchannel No - Removed in V2R2
CDLC (3745/3746 connections) No - Removed in V2R2
ATM No - Removed in V2R2
FDDI and Token Ring (LCS with LINKs FDDI/IBMTR) No – Removed in V2R3
Token Ring (MPCIPA with LINK IPAQTR) No – Removed in V2R3
ENet and FDDI (MPCOSA with LINKs OSANET/OSAFDDI) No – Removed in V2R3
Statement of Direction: Trivial File Transfer Daemon (TFTPD) (Issued July 28, 2015)
z/OS V2.2 is planned to be the last release to include the Trivial File Transfer Protocol Daemon (TFTPD) function in z/OS Communications Server.
• TFTPD has been removed from z/OS Communications Server in V2R3
Configuration Assistant Updates
Configuration Assistant: TCP/IP stack configuration
§ Skilled z/OS system programmers and administrators are an aging skillset, leading to concerns about future skill shortages.
§ Configuration Assistant (CA) only supports configuration of z/OS CS policy-based networking functions, such as IPSec, AT-TLS, and IDS.
§ While TCP/IP configuration is not that complex, some aspects are not intuitive.
§ User must look through a lot of documentation.
§ Some statements are not easy to configure.
[Figure: V2R1 Configuration Assistant: interface for Communications Server policy-based definition, installation and activation, running under z/OSMF on z/OS WebSphere Application Server]
Configuration Assistant: TCP/IP stack configuration …
§ V2R2 provided a new “TCP/IP” configuration perspective in the CA
§ Support is provided for both novice and more experienced users.
§ The configuration model supports “levels of configuration” which include a sysplex level, image level, and a stack level with the goal to allow for configuration to be applied for grouping of stacks that require related configuration.
§ CA assists with “install” of the generated configuration files as it does with policy configuration.
Configuration Assistant: Importing TCP/IP configuration
• Most customers already have working TCP/IP profiles and need a way to import them into the Configuration Assistant.
• TCP/IP profile import for the Configuration Assistant was shipped on 9/1/2016 via APAR PI66143.
  • Requires companion z/OS Communications Server APAR PI63449.
• TCP/IP profile import works in three major steps:
  1. Run the VARY TCPIP,,EXPORTPROF operator command on z/OS Communications Server to format a TCP/IP configuration into a file that can be read by the Configuration Assistant.
  2. Import the file created in step 1 into the Configuration Assistant.
  3. Correct any errors as required to make the imported configuration installable.
Configuration Assistant: Change sets
• VARY OBEY is supported in Configuration Assistant by introducing a new configuration object called a “Change Set”
• You create a change set based on an existing configuration object:
  • a stack or group of stacks, or
  • a reusable configuration, or
  • a sysplex
• The change set is seeded with the configuration from the object it’s based on
• You edit the change set to make the configuration changes you want
• When you install the change set, Configuration Assistant will generate the VARY OBEY files necessary to put the changes you made into effect
• The VARY OBEY files, once placed onto the system, are manually applied by the operator
  • Provides an opportunity for review of the OBEY files before they are applied to production systems.
• Change set support is delivered on V2R2 in APAR PI80101/PTF UI47643, and will be included in the V2R3 base.
Full VTAM Internal Trace (VIT) Control
VTAM Internal Trace – Disabling SMS VIT option
§ There are eight VIT options that are enabled by default
  • API, CIO, MSG, NRM, PIU, PSS, SMS, SSCP
§ Given the infrequent need for the SMS option during problem diagnosis, it is often not worth the CPU cost of the SMS option for the slight improvement in first failure data capture.
§ Therefore, we believe that disabling the SMS VIT option is the best choice for most customers except those actively working to gather problem documentation under the direction of IBM Level 2 support.
§ APAR OA49999 changed the default option set to no longer include SMS
  • Available on V2R1 and V2R2
  • Base behavior in V2R3
Improved control over default VTAM VIT options
§ APAR OA50271 is a new function APAR that allows the full capability of controlling (including disabling) all VIT options
  • APAR is available on V2R1 and V2R2
  • Base behavior in V2R3
§ This support does not change the IBM minimum-recommended set of VIT options
  • API, PIU, SSCP, NRM, MSG, CIO, PSS – existing VIT options group STDOPTS
  • Disabling any or all of these options will impact IBM Level 2 support’s ability to diagnose problems
    - More likely to need to ask for a recreate
§ This new VIT operator control capability is enabled with a new VTAM start option called VITCTRL (VTAM Internal Trace Control) that by default preserves the existing behavior, but allows the user to enable the new behavior (full control of the VIT options).
Improved control over default VTAM VIT options …
§ VITCTRL supports two modes:
  • BASE: Preserves the existing support. This is the default.
  • FULL: New mode allowing the operator to fully control all VIT options using the existing MODIFY TRACE and NOTRACE commands
§ VITCTRL only applies to MODE=INTERNAL VITs. It has no impact on external VITs.
§ The health check CSVTAM_VIT_OPT_STDOPTS will detect if any options within STDOPTS have been disabled
Summary of Additional z/OS CS sessions at this GSE conference.
Repeat of this z/OS 2.3 Technical Update:
Session EC: Shared Memory Communications: Improve Performance, Throughput and Response Time ! Tuesday November 07, 2017, 14:00 - 14:45, Stowe. Speaker: Jerry Stevens (IBM Corporation)
Session EJ: Getting the most out of your OSA Adapter with z/OS Communications Server. Wednesday November 08, 2017, 14:00 - 14:45, Stowe. Speaker: Jerry Stevens (IBM Corporation)
Session EE: Determining who’s using what network encryption on your z/OS system: zERT to the Rescue! Tuesday November 07, 2017, 16:30 - 17:30, Melbourne. Speaker: Jerry Stevens (IBM Corporation)
Session EH: z/OS Communications Server V2R3 New Features Update. Wednesday November 08, 2017, 12:00 - 13:00, Stowe. Speaker: Jerry Stevens (IBM Corporation)
IBM Doc Buddy v2.0
With the IBM Doc Buddy mobile app, you can search messages and codes issued from IBM Z products online and offline. IBM Doc Buddy V2 also aggregates mainframe content including blogs, videos, IBM Knowledge Center topics, and Thought Leader opinions.
IBM Doc Buddy: [email protected], http://ibmdocbuddy.mybluemix.net/ (iOS and Android)
Session feedback
• Please submit your feedback online at: http://conferences.gse.org.uk/2017/feedback/nn
• Paper feedback forms also available from the Chair person
• This session is:
  – EB (Tuesday)
  – EH (Wednesday)
Additional Details on z/OS V2R3 CS Content and Other Topics
Additional Details on CSSMTP to Sendmail Bridge
Sendmail to CSSMTP bridge
§ The bridge may also be directly invoked by using the ezatmail command:
§ Example:
    ezatmail -t </tmp/mymail2
  /tmp/mymail2 contains:
    From: [email protected]
    To: [email protected], [email protected]
    Subject: Good job today

    Great work!
Sendmail to CSSMTP bridge: Functions supported
§ The sendmail bridge is a limited function replacement for the full sendmail program. It does not support everything that sendmail supports. When it does support a function that sendmail supports, the configuration or invocation of that function is compatible with the sendmail command.
§ Configuration statements supported for the sendmail bridge:
  Configuration Statement | Description | Note(s)
  # | Comments |
  D | Define macro definition | See "Macro definitions supported"
  O | Define an option | See "Options supported"
  W | Define the CSSMTP writer name | Search order for determining the CSSMTP external writer name:
      • The -W command switch
      • The EZATMAIL_CSSMTP_EXTWRTNAME environment variable is used
      • The W statement is specified in the configuration file
      • Defaults to CSSMTP
Sendmail to CSSMTP bridge: Command line switches supported
§ The sendmail bridge command can only be invoked from the z/OS UNIX shell command line or by submitting a batch job that invokes BPXBATCH
  Switch | Description | Note(s)
  -bM | Set operating role to be a mail sender (client role) | -bm (Mail sender) is the only value supported
  -C | Location of the configuration file |
  -dcategory.level | Debugging mode |
  -F | Set sender’s full name (only one name) |
  -f | Set sender’s address (only one address) |
  -n | Don’t do aliasing | See “Alias support”
  -O | Set a multi-character option | See “Options supported”
  -t | Get recipients from message header |
  -v | Run in verbose mode | Logs the content of the built JES spool data set
  -Wextwtr | Define CSSMTP external writer name | Option to provide the CSSMTP external writer name. The default is CSSMTP.
Sendmail to CSSMTP bridge: Macro definitions supported
§ The following sendmail macro definitions are supported
  Macro definition | Description | Example(s)
  Dj | hostname.domain_name | Dj$w.$m ; Dj$w.DOMAIN.IBM ; DjMVSTST1.DOMAIN.IBM
  Dm | domain name | DmDOMAIN.IBM
  Dw | short hostname | DwMVSTST1
  D{tls_version} | If defined, then the STARTTLS SMTP command is generated, otherwise only EHLO is generated. | D{tls_version}=tlsv1
Sendmail to CSSMTP bridge: Options supported
§ The following options are supported by the sendmail bridge
§ For information on supported command line switches, macro definitions, and options, see “Sending emails by using the sendmail to CSSMTP bridge” in z/OS Communications Server: IP User's Guide and Commands
  Option | Example | Description
  AliasFile | O AliasFile=/u/user1/alias.txt ; -OAliasFile=/u/user1/alias.txt | Define the full alias file name path
  MaxAliasRecursion | O MaxAliasRecursion=n ; -OMaxAliasRecursion=n | Define the maximum recursive depth when resolving aliases
  MaxRecipientsPerMessage | O MaxRecipientsPerMessage=n ; -OMaxRecipientsPerMessage=n | Range 0-2000. Sets the maximum number of recipients per email message
Sendmail to CSSMTP bridge: Alias support
§ Notes on alias support
  § Will support mail addresses or other aliases
  § Will support mailing lists with :include
  § Will not support delivery of a message by appending to a file (/file)
  § Will not support delivery by piping the message through a program (|program)
  § Will not support rebuild of the alias database
/u/user1/alias.txt contains:
  cssmtp: sue1, sue2 mike: [email protected]: [email protected]: [email protected]: [email protected]: :include:/u/user1/maillist
/u/user1/maillist contains:
  [email protected]@[email protected]
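The alias rules listed above amount to a small resolver, and writing one makes the supported and unsupported target forms concrete. The Python below is an added example, not part of the bridge or of z/OS: it parses a sendmail-style alias file, expands nested aliases and :include: lists, enforces a MaxAliasRecursion-style depth limit, and refuses the /file and |program targets the bridge does not support (those two forms are also the ones a mail path should never accept from user-editable alias data, since they turn an address into a write or an execution). The alias file, the include file and the example.test addresses are constructed sample data, the function names are the example's own, and the real bridge's exact loop-detection behaviour is not described on the slide.

```python
class AliasError(Exception):
    """Malformed input, unsupported delivery target, or runaway recursion."""


def parse_alias_file(text):
    """Parse 'name: target[, target...]' lines; '#' starts a comment."""
    aliases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, rhs = line.partition(":")
        if not sep or not name.strip():
            raise AliasError("malformed alias line: %r" % raw)
        aliases[name.strip().lower()] = [t.strip() for t in rhs.split(",") if t.strip()]
    return aliases


def resolve(address, aliases, files, max_recursion=10):
    """Expand one address into its final recipients (order kept, duplicates dropped).

    files maps an :include: path to that file's content, so the example runs
    without touching the file system.
    """
    recipients = []

    def expand(target, depth):
        target = target.strip()
        if target.startswith(":include:"):
            path = target[len(":include:"):].strip()
            if path not in files:
                raise AliasError("include file not found: " + path)
            for line in files[path].splitlines():
                line = line.split("#", 1)[0].strip()
                if line:
                    expand(line, depth)       # list members count at the same depth
            return
        if target.startswith("/"):
            raise AliasError("delivery to a file is not supported by the bridge: " + target)
        if target.startswith("|"):
            raise AliasError("delivery to a program is not supported by the bridge: " + target)
        key = target.lower()
        if key in aliases:
            if depth >= max_recursion:
                raise AliasError("MaxAliasRecursion (%d) exceeded while expanding %s"
                                 % (max_recursion, target))
            for member in aliases[key]:
                expand(member, depth + 1)
            return
        if target not in recipients:          # plain address: a final recipient
            recipients.append(target)

    expand(address, 0)
    return recipients


def check(address, aliases, files, max_recursion=10):
    """(True, recipients) on success, (False, reason) when the bridge would reject it."""
    try:
        return True, resolve(address, aliases, files, max_recursion)
    except AliasError as exc:
        return False, str(exc)


# Constructed sample alias file and :include: list (not the slide's own data).
SAMPLE_ALIASES = """\
# alias file for the bridge, sample data
cssmtp: sue1, sue2
sue1: sue1@example.test
sue2: sue2@example.test
mike: mike@example.test
team: cssmtp, mike, :include:/u/user1/maillist
archive: /u/user1/archive.txt
pager: |/usr/local/bin/page
loop: loop2
loop2: loop
"""
SAMPLE_FILES = {"/u/user1/maillist": "ann@example.test\nbob@example.test\nsue1\n"}

if __name__ == "__main__":
    table = parse_alias_file(SAMPLE_ALIASES)
    for name in ("team", "archive", "pager", "loop"):
        print(name, "->", check(name, table, SAMPLE_FILES))
```

The maillist deliberately repeats sue1, who is already reached through the cssmtp alias, to show that expansion de-duplicates; the loop and loop2 aliases show what the recursion limit catches.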
CSSMTP Compatibility Enhancements
Improved TLS compatibility with mail servers
§ CSSMTP reads mail jobs from JES and sends emails to a target server for delivery to the destination
§ TLS security setup between a client (CSSMTP) and target server is defined in RFC 3207, with an optional second EHLO and capabilities exchange after TLS negotiation
  • CSSMTP does not do the 2nd EHLO and capabilities exchange
§ Some target servers will not connect with CSSMTP after TLS negotiation without the second EHLO and capabilities exchange
§ Mail sent by CSSMTP to some target servers cannot be secured with TLS
§ V2R3 provides a configuration option to enable an EHLO and capabilities exchange following TLS negotiation
  • Provides CSSMTP compatibility with target servers that require a second EHLO and capabilities exchange
Improved TLS compatibility with mail servers …
§ CSSMTP configuration file:
  • New parameter on the Options statement: TLSEhlo No | Yes
  • Example:
      Options {
        TLSEhlo Yes
      }
§ If the server requires an EHLO command to be sent after a successful TLS negotiation, set TLSEhlo to Yes
  • Default value is No
§ Support also provided for z/OS V2R1 and V2R2 with APAR PI56614.
  • APAR PI77267 is additional recommended maintenance.
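What the TLSEhlo option changes on the wire is easiest to see in a transcript. The Python below is an added example and not CSSMTP code: a toy in-memory SMTP server that follows the RFC 3207 rule of discarding the pre-TLS session state once STARTTLS completes (the strict kind of target server the slide refers to), and a client that drives the exchange with and without the second EHLO. The TLS handshake itself is not modelled, the server only advertises STARTTLS before TLS is up, and the host names and addresses are constructed.

```python
class TargetServer:
    """Toy SMTP target server state for the RFC 3207 STARTTLS flow.

    With require_ehlo_after_tls=True the server forgets the EHLO it saw
    before STARTTLS and answers MAIL FROM with 503 until it gets a fresh
    EHLO; with False it keeps the old session state (a lenient server).
    """

    def __init__(self, name="mail.example.test", require_ehlo_after_tls=True):
        self.name = name
        self.strict = require_ehlo_after_tls
        self.greeted = False
        self.tls = False

    def handle(self, line):
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            self.greeted = True
            caps = ["250-" + self.name, "250-SIZE 524288"]
            if not self.tls:
                caps.append("250-STARTTLS")     # only advertised in the clear
            return "\r\n".join(caps + ["250 OK"])
        if verb == "STARTTLS":
            if not self.greeted:
                return "503 5.5.1 EHLO first"
            if self.tls:
                return "503 5.5.1 TLS already active"
            self.tls = True
            if self.strict:
                self.greeted = False          # RFC 3207: pre-TLS state is discarded
            return "220 2.0.0 Ready to start TLS"
        if verb in ("MAIL", "RCPT"):
            return "250 2.1.0 OK" if self.greeted else "503 5.5.1 EHLO/HELO first"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def cssmtp_send(server, tls_ehlo=False, client="mvs1.example.test",
                sender="user1@mvs1.example.test", recipient="ops@example.test"):
    """Client side as CSSMTP drives it: EHLO, STARTTLS, the optional second
    EHLO (TLSEhlo Yes), then MAIL FROM / RCPT TO.  Returns (ok, transcript)."""
    transcript = []

    def send(cmd):
        reply = server.handle(cmd)
        transcript.append("C: " + cmd)
        transcript.extend("S: " + part for part in reply.split("\r\n"))
        return reply

    if "STARTTLS" in send("EHLO " + client):
        if not send("STARTTLS").startswith("220"):
            return False, transcript
        transcript.append("-- TLS handshake (not modelled) --")
        if tls_ehlo:
            send("EHLO " + client)            # this is what TLSEhlo Yes adds
    ok = send("MAIL FROM:<%s>" % sender).startswith("250")
    if ok:
        ok = send("RCPT TO:<%s>" % recipient).startswith("250")
    send("QUIT")
    return ok, transcript


if __name__ == "__main__":
    for flag in (False, True):
        ok, lines = cssmtp_send(TargetServer(), tls_ehlo=flag)
        print("TLSEhlo %s -> %s" % ("Yes" if flag else "No",
                                    "accepted" if ok else "rejected"))
        print("\n".join(lines), "\n")
```

Against the strict server the TLSEhlo No run ends in a 503 on MAIL FROM, which is the symptom behind "some target servers will not connect with CSSMTP after TLS negotiation"; the TLSEhlo Yes run shows the second capabilities reply no longer listing STARTTLS, as a compliant server behaves once the session is already protected.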
Improved TLS compatibility with mail servers …
§ The new option can be seen via the F CSSMTP,DISPLAY,CONFIG command:
  F CSSMTP,DISPLAY,CONFIG
  EZD1829I CSSMTP CONFIGURATION:
  CONFIGFILENAME : /u/user1/cssmtp/cssmtp.confnew
  LOGFILENAME : /u/user1/cssmtp/cssmtp.log
  ...
  OPTIONS:
    NULLTRNC : NO
    DATALINETRUNC : NO
    TESTMODE : NO
    ATSIGN : 7C
    TLSEHLO : NO
  ...
  TARGETSERVER:
    TARGETNAME : us.ibm.com
    CONNECTPORT : 25
    CONNECTLIMIT : 5
    MAXMSGSENT : 0
    MESSAGESIZE : 524288
    SECURE : NO
    CHARSET : ISO8859-1
  TIMEOUT:
    ANYCMD : 300
    CONNECTRETRY : 120
    DATABLOCK : 180
    DATACMD : 120
  ...
CSSMTP customizable ATSIGN character for mail addresses
§ SMTPD has limited code page support
  • IBM-1047 was used for EBCDIC to ASCII conversion
  • SMTPD had no knowledge of IBM-273 or other code pages
§ Code point for ATSIGN (@) symbol varies in code pages, for example:
§ Many customers that use IBM-273 modified mail generating programs to force the x'7C' character to represent ATSIGN to overcome SMTPD's limited code page support
§ CSSMTP does translation of input mail messages through iconv
  • So, if the above modification is left in place, the wrong ’@’ character will result now that CSSMTP uses the correct code page
§ To migrate from SMTPD to CSSMTP, the customer must update mail generating programs
CSSMTP customizable ATSIGN character for mail addresses …
§ Configuration option provided to define the ATSIGN character used by mail generating programs
§ CSSMTP processing:
  • Read mail data set from JES and translate it to IBM-1047
  • Search SMTP commands and headers for the configured ATSIGN symbol
  • Update character to x'7C' (@ in IBM-1047)
  • Body of mail remains unchanged
§ Simplifies migration path from SMTPD to CSSMTP
  • no change required to mail generating programs
CSSMTP customizable ATSIGN character for mail addresses …
§ CSSMTP configuration file:
  • New parameter on the Options statement: AtSign character
  • Example:
      Options {
        AtSign §
      }
  • Default is ‘@’ (hex ‘7C’)
§ Support also provided for z/OS V2R1 and V2R2 with APAR PI52704
CSSMTP customizable ATSIGN character for mail addresses …
§ The new option can be seen via the F CSSMTP,DISPLAY,CONFIG command:
  F CSSMTP,DISPLAY,CONFIG
  EZD1829I CSSMTP CONFIGURATION:
  CONFIGFILENAME : /u/user1/cssmtp/cssmtp.confnew
  LOGFILENAME : /u/user1/cssmtp/cssmtp.log
  ...
  OPTIONS:
    NULLTRNC : NO
    DATALINETRUNC : NO
    TESTMODE : NO
    ATSIGN : 7C
    TLSEHLO : NO
  ...
  TARGETSERVER:
    TARGETNAME : us.ibm.com
    CONNECTPORT : 25
    CONNECTLIMIT : 5
    MAXMSGSENT : 0
    MESSAGESIZE : 524288
    SECURE : NO
    CHARSET : ISO8859-1
  TIMEOUT:
    ANYCMD : 300
    CONNECTRETRY : 120
    DATABLOCK : 180
    DATACMD : 120
  ...
Improved CSSMTP code page compatibility with target servers
§ The CSSMTP TRANSLATE configuration statement specifies the code page of the JES spool files
§ Mail message commands and headers are translated from the configured TRANSLATE code page to IBM-1047 EBCDIC for processing, then translated to ISO8859-1 ASCII before sending to the target server
§ The body of the mail message is directly translated to ISO8859-1 ASCII before sending to the target server
§ No option to configure the ASCII code page for the target server
§ The euro sign (€) is not included in ISO8859-1 or IBM-1047
§ ISO8859-1 is not always compatible with the target server code page
Improved CSSMTP code page compatibility with target servers …
§ Configuration parameter, Charset, provided to specify the code page to be used when translating the mail message to be sent to the target server
§ Mail message body is translated from the TRANSLATE code page directly to the configured Charset code page
§ Mail message headers are translated from the IBM-1047 code page to the Charset code page
§ Charset code page must be defined to Unicode System Services
§ Improves CSSMTP code page compatibility with target servers
§ CSSMTP can be configured to use the same code page as the target server
  • Characters, such as the euro sign (€), are supported in the body of the mail message
Improved CSSMTP code page compatibility with target servers …
§ CSSMTP configuration file
  • New parameter on the TargetServer statement: Charset codepage
    - Defines the code page that the target server expects to be used for mail messages
  • Example:
      TargetServer {
        . . .
        Charset 1252
      }
  • Default value is ISO8859-1
§ Support will also be provided for z/OS V2R1 and V2R2 with APAR PI73909
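The AtSign rewrite described on the earlier slides and the Charset translation described here are two stages of the same path through CSSMTP, so one added example covers both. The Python below is not CSSMTP code; it models the flow with Python's standard codecs. Python has IBM-273 (cp273) and IBM-1140 (cp1140) but no IBM-1047 codec, so the intermediate IBM-1047 step is modelled as a Unicode string and the x'7C' rewrite as a rewrite to '@'. The spool contents are constructed sample mail jobs: one from an IBM-273 system whose generator forces x'7C' (which IBM-273 reads as '§', the character the slide's AtSign § example configures), and one from an IBM-1140 system with a euro sign in the body. What CSSMTP itself does with a character the Charset cannot represent is not stated on the slides; the model just reports such characters. Function names are the example's own.

```python
def split_mail_job(text):
    """Split a JES mail job into the part CSSMTP inspects for the AtSign rewrite
    (SMTP commands, then the message headers up to the first blank line after
    DATA) and the body, which is passed through unchanged."""
    head, body, phase = [], [], "commands"
    for line in text.splitlines():
        if phase == "body":
            body.append(line)
            continue
        head.append(line)
        if phase == "commands" and line.strip().upper() == "DATA":
            phase = "headers"
        elif phase == "headers" and line.strip() == "":
            phase = "body"
    return head, body


def unmappable(text, charset):
    """Characters in text that the target charset cannot represent."""
    missing = []
    for ch in text:
        try:
            ch.encode(charset)
        except UnicodeEncodeError:
            if ch not in missing:
                missing.append(ch)
    return missing


def process_job(spool_bytes, translate_cp, atsign="@", charset="iso8859-1"):
    """Model of the CSSMTP path: TRANSLATE code page -> (IBM-1047, modelled as
    str) -> AtSign rewrite in commands/headers only -> Charset for the target."""
    text = spool_bytes.decode(translate_cp)
    head, body = split_mail_job(text)
    head = [line.replace(atsign, "@") for line in head]   # x'7C' in IBM-1047 is '@'
    head_text, body_text = "\r\n".join(head), "\r\n".join(body)
    return {
        "head": head_text.encode(charset, errors="replace"),
        "body": body_text.encode(charset, errors="replace"),
        "unmappable": unmappable(head_text + body_text, charset),
    }


def forced_7c_job_cp273():
    """Constructed sample: an IBM-273 mail generator writing x'7C' wherever it
    wants an at-sign (the SMTPD-era workaround from the slide)."""
    lines = ["HELO mvs1.example.test",
             "MAIL FROM:<user1{AT}mvs1.example.test>",
             "RCPT TO:<ops{AT}example.test>",
             "DATA",
             "From: user1{AT}mvs1.example.test",
             "Subject: Nachtl\u00e4ufe",
             "",
             "Ergebnisse liegen bei ops{AT}example.test",
             "."]
    raw = "\r\n".join(lines).encode("cp273")
    return raw.replace("{AT}".encode("cp273"), b"\x7c")


def euro_job_cp1140():
    """Constructed sample: an IBM-1140 spool with a euro sign in the body."""
    lines = ["HELO mvs1.example.test",
             "MAIL FROM:<billing@mvs1.example.test>",
             "RCPT TO:<ops@example.test>",
             "DATA",
             "From: billing@mvs1.example.test",
             "Subject: Rechnung",
             "",
             "Gesamtbetrag: 120 \u20ac",
             "."]
    return "\r\n".join(lines).encode("cp1140")


# What a forced x'7C' becomes once an IBM-273 spool has been translated; this
# is the character an administrator would put on the AtSign statement.
ATSIGN_AS_TRANSLATED = b"\x7c".decode("cp273")

if __name__ == "__main__":
    job = forced_7c_job_cp273()
    wrong = process_job(job, "cp273")["head"].decode("iso8859-1").splitlines()[1]
    right = process_job(job, "cp273", atsign=ATSIGN_AS_TRANSLATED)["head"]
    print("AtSign default :", wrong)
    print("AtSign %s      :" % ATSIGN_AS_TRANSLATED, right.decode("iso8859-1").splitlines()[1])
    for cs in ("iso8859-1", "cp1252"):
        print("Charset", cs, "unmappable:",
              process_job(euro_job_cp1140(), "cp1140", charset=cs)["unmappable"])
```

The first run shows the "wrong '@' character" from the slide: with the default AtSign the MAIL FROM line reaches the target with a '§' in the address. The euro run shows why the default ISO8859-1 Charset loses the body character and Charset 1252 keeps it.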
Improved CSSMTP code page compatibility with target servers …
§ The new option can be seen via the F CSSMTP,DISPLAY,CONFIG command:
  F CSSMTP,DISPLAY,CONFIG
  EZD1829I CSSMTP CONFIGURATION:
  CONFIGFILENAME : /u/user1/cssmtp/cssmtp.confnew
  LOGFILENAME : /u/user1/cssmtp/cssmtp.log
  ...
  OPTIONS:
    NULLTRNC : NO
    DATALINETRUNC : NO
    TESTMODE : NO
    ATSIGN : 7C
    TLSEHLO : NO
  ...
  TARGETSERVER:
    TARGETNAME : us.ibm.com
    CONNECTPORT : 25
    CONNECTLIMIT : 5
    MAXMSGSENT : 0
    MESSAGESIZE : 524288
    SECURE : NO
    CHARSET : ISO8859-1
  TIMEOUT:
    ANYCMD : 300
    CONNECTRETRY : 120
    DATABLOCK : 180
    DATACMD : 120
  ...
CSSMTP Test Mode Support and EZBMCOPY
Mail migration strategy: SMTPD to CSSMTP
• CSSMTP has stricter standards than SMTP
• How do you verify that CSSMTP will process your existing production mail workload?
• V2R2 function: CSSMTP test mode
  • A new configuration parameter that causes CSSMTP to run in Test Mode
    - CSSMTP will perform its normal email processing, except it will not actually send emails
    - It will report email failures and discard successful emails
    - You can address incompatible emails before migrating to CSSMTP
  • SMTPD continues to process your mail messages
    - Production emails are unaffected during the test
• EZBMCOPY
  - Utility program provided by IBM to copy JES email messages to two destinations, SMTPD and CSSMTP
  • This is available on V2R1 via APAR PI48700
TEST Mode/EZBMCOPY architecture
CSSMTP Test Mode
• Notes on TestMode:
  • TestMode cannot be dynamically altered. CSSMTP must be recycled to change its value
  • If no errors are found in a spool file, CSSMTP will release spool files when it has completed processing. If errors are found, CSSMTP will honor the setting of BADSPOOLDISP
  • Make sure the REPORT statement is coded with a valid destination for the error report. Warning message EZD1841I is issued if it is not.
• Parameters on the CSSMTP Options statement:

  >>--Options-----| Put Braces and Parameters on Separate Lines |--><

  Options Parameters:

     +--TestMode NO------+
  |--+-------------------+--|
     +--TestMode-+-NO--+-+
                 +-YES-+
CSSMTP display config
The new configuration parameter is also externalized using the CSSMTP SMF configuration record (CONFIG subtype 48)
  F CSSMTP,DISPLAY,CONFIG
  EZD1829I CSSMTP CONFIGURATION:
  CONFIGFILENAME : /U/USER1/CSSMTP/CSSMTP.CONF
  […]
  BADSPOOLDISP : HOLD
  REPORT : SYSOUT
  OPTIONS:
    NULLTRUNC : NO
    DATALINETRUNC : NO
    TESTMODE : NO
  […]
EZBMCOPY
• Parm value:
  • WRITER=w Select program name (writer name) w
• EZBMCOPY assumes the writer name specified by the WRITER parameter. It selects spool files in two ways:
  • The file's writer name matches the WRITER parameter, or
  • The file's destination matches the WRITER parameter
• Then it makes as many copies as there are OUTPUT cards in the JCL, then deallocates the original data set
• Restriction: a maximum of two output cards can be coded
EZBMCOPY usage example
• Assume the JCL shown here and SMTPD running with writer name SMTPD. (note: SMTPD's writer name is its jobname)
//EZBMCOPY PROC
//STEP     EXEC PGM=EZBMCOPY,PARM='WRITER=SMTPD'
//OUT1     OUTPUT WRITER=SMTPD1
//OUT2     OUTPUT WRITER=CSSMTP
//STEPLIB  DD DSN=JES2.TESTING.LOAD,DISP=SHR
//SYSUT2   DD SYSOUT=*,SPIN=UNALLOC,OUTPUT=(*.OUT1,*.OUT2)
//SYSPRINT DD SYSOUT=*
//SYSIN    DD DUMMY
  • Change the writer name of SMTPD to SMTPD1 for this test by changing its jobname to SMTPD1
  • Start CSSMTP in TESTMODE with writer name CSSMTP
  • Start EZBMCOPY using the example JCL above
Mail Tool: CUNMRCSM / CUNMCSMM
Unicode Services Batch Tools for z/OS – CUNMRCSM/CUNMCSMM
• CUNMRCSM/CUNMCSMM is a new feature of z/OS
• Provides capabilities in attachment handling and code page support that can be helpful in migrating to CSSMTP
• The intention of this tool is to send MIME data via SMTP. The output of the program is put into the JES spool where CSSMTP will pick it up and send it as an SMTP message.
[Figure: flow from CUNMRCSM (source in EBCDIC; translation to ASCII or Unicode; message data transferred in base64; correct character set such as UTF-8 or WIN1252) through the JES SPOOL to CSSMTP (only the header is translated by CSSMTP) and on to the mail message MTA]
Unicode Services Batch Tools for z/OS – CUNMRCSM/CUNMCSMM …
• Features:
  • CUNMRCSM is a batch interface. CUNMCSMM provides an API.
  • You can send multiple MIME parts in one message to the recipients as text attachments or inline parts. Examples:
    - EBCDIC HTML inline or as attachments
    - EBCDIC Text inline or as attachments
    - Binary data embedded in HTML or as attachments
  • Text can be translated by Unicode Services from the specified EBCDIC code page to the default ASCII code page, UTF-8, or UTF-16, and then sent as binary in base64 format.
  • Data source can be in any code page, independent of CSSMTP.
§ Available via PTF on V2R1 (UA81197) and V2R2 (UA81196)
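The feature list above describes a MIME builder whose text parts are translated to a Unicode charset and carried as base64, so that the headers are the only thing left for CSSMTP to translate. The Python below is an added example, not CUNMRCSM or CUNMCSMM: it does the same job with the standard email library, taking EBCDIC (IBM-1140, Python's cp1140) sources for an inline HTML body and a text attachment, translating them to UTF-8, emitting them base64-encoded, and then parsing the result back to show that each part, euro sign included, survives intact in a message that is pure ASCII on the wire. Addresses and content are constructed sample data; the function names are the example's own.

```python
import email
from email import policy
from email.message import EmailMessage


def translate_part(raw, source_cp, target):
    """Unicode Services step: EBCDIC source code page -> target charset."""
    return raw.decode(source_cp).encode(target)


def build_mime_mail(sender, recipients, subject, parts,
                    source_cp="cp1140", target="utf-8"):
    """parts: list of (filename or None for the inline body, text subtype, EBCDIC bytes).

    Every text part is translated to `target` and sent base64-encoded, so only
    the headers remain for the spool/MTA path to translate. Returns the
    message bytes with CRLF line ends, as on the wire.
    """
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    body_done = False
    for filename, subtype, raw in parts:
        data = translate_part(raw, source_cp, target)
        if not body_done:
            msg.set_content(data.decode(target), subtype=subtype,
                            charset=target, cte="base64")
            body_done = True
        else:
            msg.add_attachment(data, maintype="text", subtype=subtype,
                               cte="base64", filename=filename,
                               disposition="attachment" if filename else "inline",
                               params={"charset": target})
    return msg.as_bytes()


def decode_parts(message_bytes):
    """Parse a message back: [(filename, transfer encoding, charset, text)]."""
    msg = email.message_from_bytes(message_bytes, policy=policy.default)
    out = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_param("charset", "us-ascii")
        text = part.get_payload(decode=True).decode(charset)
        out.append((part.get_filename(), str(part["Content-Transfer-Encoding"]),
                    charset, text.rstrip("\r\n")))
    return out


# Constructed EBCDIC sources (IBM-1140 carries the euro sign at x'9F').
SAMPLE_PARTS = [
    (None, "html", "<p>Umsatz Q3: 1.200 \u20ac</p>".encode("cp1140")),
    ("bericht.txt", "plain",
     "Bericht f\u00fcr Q3\nAlle Zahlen gepr\u00fcft".encode("cp1140")),
]

if __name__ == "__main__":
    wire = build_mime_mail("batch@mvs1.example.test", ["ops@example.test"],
                           "Q3 report", SAMPLE_PARTS)
    print(wire.decode("ascii"))
    for item in decode_parts(wire):
        print(item)
```

Because every non-ASCII character travels inside base64 with an explicit charset parameter, the message is unaffected by which code page the spool or the target server uses, which is the property the slide's "only header is translated by CSSMTP" flow relies on.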