TCP/IP Level 440 Preventive Service Planning
(PSP) Bucket
**> Last update: 30 Sep 2006 **> Synch'd w/RETAIN: 02 Oct 2006 *********************** * SUBSET VM440 * *********************** This SUBSET contains installation information for TCP/IP Level 440 for z/VM Version 4 Release 4.0. ************************************************************************ * C H A N G E S U M M A R Y * ************************************************************************ Date Last Changed Section 1. 2004/12/02 Installation Information 2. yyyy/mm/dd Documentation Changes 3. 2003/07/31 General Information 4. 2006/09/30 Service Recommendations -- See 0601RSU and 0501RSU 5. yyyy/mm/dd Cross Product Dependencies Service Recommendation Summary DATE APAR PTF VOLID COMMENTS 1. yyyy/mm/dd xxnnnnn xxnnnnn nnnn N/A ************************************************************************ * SECTION 1. I N S T A L L A T I O N I N F O R M A T I O N * ************************************************************************ This section contains changes relevant to the installation of the product, or to its Program Directory. 8. 2004/12/02 Beginning with the 0404 RSU, TCP/IP RSU service includes updates to the following sample files: FTPEXIT SEXEC FTPEXIT SAMPASM Because these files have been updated through service, messages DTCPRD3036W and DTCPRD3043I will be reported for each of these files when they are placed into production by the TCP2PROD utility. These messages serve to raise awareness that the content of these sample files differs from their production-use counterparts (FTPEXIT EXEC and FTPEXIT ASSEMBLE) -- and, that such changes may affect the use of these files in a production environment. Messages DTCPRD3045I and DTCPRD3046I will also be reported, which cite basic file attributes of the pertinent sample and production-use files. If a production file listed by message DTCPRD3046I is -NOT USED- for your installation, you can manually replace that file with its serviced sample counterpart to prevent future occurrences of these messages, when files are again processed after the installation of TCP/IP service. File replacement in this instance should be done using the VMSES/E VMFCOPY command illustrated here: VMFCOPY samp_file_ID prod_file_ID (OLDDATE REPLACE PRODID 4TCPIP40%TCPIP SPRODID 4TCPIP40%TCPIP If a production file listed by message DTCPRD3046I -IS USED- by your installation, do not replace that file. Instead, review the content of the (serviced) sample counterpart (cited by messages DTCPRD3045I) and adapt your production file based on any changes present, as warranted. Once this has been done, message DTCPRD3036W (and its associated messages) then can be ignored. 7. 2003/07/31 Action Required -- Port Restriction Defaults Have Changed Multiple TCP/IP Applications May Be Affected Various TCP/IP applications may no longer function unless you take action. The security of the z/VM TCP/IP stack has been improved by making the RESTRICTLOWPORTS operand of the ASSORTEDPARMS statement active by default. Thus, all TCP/IP applications that listen on "well-known" ports (ports 1 through 1023) must be given permission to do so. Such permission can be granted by customizing the TCP/IP server configuration file (PROFILE TCPIP, or its equivalent) in one of three ways: 1) Use the PORT statement to reserve the specific port (or ports) required by each application (virtual machine) used on your system. This is the preferred method. Note that with z/VM Version 4 Release 4, ports can be reserved within a specific range, in addition to being reserved on an individual basis. 2) Modify the OBEY statement such that affected application virtual machines are included in the TCP/IP obey list. 3) Include the FREELOWPORTS operand as part of an ASSORTEDPARMS statement. This method removes the default protection for all well-known ports. Note: When the RESTRICTLOWPORTS default is in effect and appropriate port authorizations have not been provided, applications that rely upon "well-known" ports (for example, VM-based web servers or remote printing functions such as LPR) are likely to report "Unable to open port(s)" or "Permission denied" conditions 6. 2003/07/31 When network devices are configured for the TCP/IP (stack) server virtual machine, ensure that any virtual device addresses specified for a device are available for use. (Such virtual addresses are specified as part of DEVICE statements within the TCP/IP server configuration file -- PROFILE TCPIP, or its equivalent.) For example, for a default installation environment, virtual addresses 401, 402 and 405 cannot be used for network devices unless local adjustments are made. These addresses have been reserved and defined within the z/VM system directory for establishing links to MAINT-owned National Language Support (NLS) HELP minidisks, to allow specific help information to be referenced in the appropriate environments. 5. 2003/07/31 It my be possible to address certain z/VM host connectivity problems by including specific ASSORTEDPARMS operands in the TCP/IP server configuration file (PROFILE TCPIP, or its equivalent). The OVERRIDEPRECEDENCE operand may help alleviate general connectivity problems that arise when clients alter TCP/IP Type-of-Service (TOS) values after a connection has been established. Connections that appear to close unexpectedly are symptomatic of a possible need for using the OVERRIDEPRECEDENCE operand. The NORFC1323 operand may help alleviate TN3270 connectivity problems that arise with Telnet connections that are associated with Windows 95 (Win95) hosts. Win95-initiated Telnet connections that appear to "hang" on a regular basis, and with consistent duration, are symptomatic of a possible need for using the NORFC1323 operand. Note: The use of the NORFC1323 operand may impact TCP connection performance for other TCP clients, as this operand prevents the z/VM TCP/IP server from initiating RFC 1323-related performance features (although client requests to enable these facilities are always accepted). 4. 2003/07/31 For customers who plan to use the Secure Socket Layer (SSL) server support, please note the following: To use the Secure Socket Layer (SSL) server, a suitably configured Linux kernel and file system must be installed on your z/VM system. Detailed information about Linux requirements and preparation for use by the SSL server are available at the TCP/IP for z/VM home page on the World Wide Web. The URL for this home page is: http://www.vm.ibm.com/related/tcpip/ Note: If no specific action is taken to configure the SSL server and an attempt is made to initialize this server, the SSL server will report errors similar to those shown here and will fail to initialize: DTCRUN1011I Server started at nn:nn:nn on dd mmm yyyy (day) DTCRUN1011I Running "VMSSL" DTCSSL2428I Port 9999 is used for SSL administration. HCPVMI232E IPL UNIT ERROR; IRB 00404017 00000010 00200018 00800000 HCPGIR450W CP entered; disabled wait PSW 000E0000 00000232 3. 2003/07/31 Customers who plan to use an External Security Manager (ESM) different from the IBM Resource Access Control Facility (RACF), such as VMSECURE from Sterling Software Inc., should review Informational APAR II11256 for additional information about configuring TCP/IP servers in such an environment. 2. 2003/07/31 Missing interrupt conditions for I/O operations involving devices dedicated to the TCPIP virtual machine should be detected, but *not* dealt with. For z/VM, the default MIH setting of OFF will accomplish this. (This default is in effect when MIH is not specified on the user directory OPTION statement or the SET MIH command is not issued within a virtual machine). However, when MIH OFF is in effect, CP issues HCPMHT2150I messages to the operator, to indicate that an I/O operation was started but the MIH interval expired before the device sent an interrupt. In some instances, these messages may flood the OPERATOR console. Use of the 'OFF' parameter of a related command, CP SET MITIME, can prevent excessive HCPMHT2150I messages related to TCPIP from appearing on the OPERATOR console. This command controls the time interval at which a specified device is checked for missing interrupts. To reduce occurrences of HCPMHT2150I messages, use the following command. Note that only the device(s) dedicated to the TCPIP server should be specified with this command. CP SET MITIME rdev1-rdev2 OFF The CP SET MITIME command should be issued within an "exit" exec, identified by an ":Exit." tag that is defined for the TCPIP server entry in a locally created DTCPARMS file. 1. 2003/07/31 Prior to installing TCP/IP for z/VM, you may find it useful to review the content of the following ITSO Redbooks if you're not familiar with TCP/IP protocols, functions and networking principles: * "TCP/IP Tutorial and Technical Overview", (GG24-3376) * "IP Network Design Guide", (SG24-2580) * "TCP/IP Solutions for VM/ESA", (SG24-5459) * "IBM Communications Server for OS/390 V2R10 TCP/IP Implementation Guide, Volume 1: Configuration and Routing", (SG24-5227) Additional textbook references that may be useful are: * "TCP/IP Illustrated, Volume 1: The Protocols," Richard W. Stevens, Addison-Wesley, Reading, Massachusetts, 1994. ISBN: 0-201-63346-9 (SR28-5586-00) * "Internetworking with TCP/IP Volume I:Principles, Protocols, and Architecture," Douglas E. Comer, Prentice Hall, Englewood Cliffs, New Jersey, 1991. ISBN: 0-13-216987-8 (SC31-6144-00) * "DNS and BIND in a Nutshell," Paul Albitz & Cricket Liu, O'Reilly & Associates, Sebastopol, California, 1992. ISBN: 1-56592-010-4 (SR28-4970-00) ************************************************************************ * SECTION 2. D O C U M E N T A T I O N C H A N G E S * ************************************************************************ This section provides corrections for significant errors in TCP/IP Level 440 documentation. This item contains no records. ************************************************************************ * SECTION 3. G E N E R A L I N F O R M A T I O N * ************************************************************************ This section contains general information, i.e., hints/tips. 4. 2003/07/31 Several TCP/IP for VM functions are Pascal-based, and use VMCF communications to communicate with the TCPIP server. Therefore, these functions cannot be reliably used in conjunction with other applications that also use VMCF communications (such as the CMS Utility, WAKEUP); doing so may produce intermittent hangs during processing or other unpredictable results. The TCP/IP Pascal-base functions for which such problems may arise are: FTP HOMETEST LPQ LPR LPRM NETSTAT OBEYFILE PING REXEC TELNET TESTSITE TFTP See CMS Utilities APAR VM58540 for more information about problems when using FTP in conjunction with WAKEUP. 3. 2003/07/31 With RSCS Version 3 Release 1 (V3 R1), enhanced configuration features, such as embedded files, new configuration statements (such as LINKDEFINE), and the ability to use additional comment delimiters ('/*' and '*/') are available for configuring RSCS. For example: IMBED fn ft /* RSCS V3 R1 style comments */ The TCP/IP for VM program, SMTPRSCS, uses the RSCS CONFIG file to build an RSCS host table file (SMTPRSCS HOSTINFO). SMTPRSCS can process RSCS V3 R1 embedded files, its new configuration definitions, and the additional comment delimiters. However, if "generic routing" is used in your environment (as from using a "ROUTE *" statement), you still need to identify -- with respect to SMTPRSCS -- any additional RSCS host names that are relevant to your RSCS network, which are not in the RSCS CONFIG configuration file. To do this, you can create a separate file to be used as input for the SMTPRSCS program. For example, a file named TCP-RSCS CONFIG, that contains: IMBED RSCS CONFIG ROUTE nodeid1 ROUTE nodeid2 : where each ROUTE statement must have two tokens -- "ROUTE" and a nodeid name of an additional RSCS node to be identified for use by the SMTP server. 2. 2003/07/31 APAR VM63168, through its associated PTF, UM97440, is used as the ordering mechanism for the current level of the TCP/IP Function Level 440 RSU. This APAR/PTF will be updated during every RSU cycle to indicate the RSU level that is currently available through ISMD service. The RSU can be ordered upon request by contacting the Level 2 support group, or through the SRD (Service Request & Delivery) function of IBMLink. Please see the text of APAR VM63168 for more information, if necessary. Note: TCP/IP RSU maintenance is provided only as part of the z/VM 4.4.0 "stacked" RSU. 1. 2003/07/31 When appropriate, the support center will open informational APARs covering various aspects of TCP/IP for VM. These APARs will cover installation and maintenance specific information, information on using the product, and other information that will often assist the customer. Customers can search for these APARs by using The product component ID (5735FAL00) and the keyword TCPIPINFO. It's recommended that customers using TCP/IP for VM review these APARs for information specific to their needs. ************************************************************************ * SECTION 4. S E R V I C E R E C O M M E N D A T I O N S * ************************************************************************ 1. 2006/09/30 Refer to 0601RSU and 0501RSU for service recommendations. ************************************************************************ * SECTION 5. C R O S S P R O D U C T D E P E N D E N C I E S * ************************************************************************ This section contains information that is dependent upon another product other than this subset ID. It also contains information dealing with migration and product coexistence. This item contains no records. 1. yyyy/mm/dd Interdependent Product: Problem: Users Affected: Recommendation: Install xxxxxxx on Volid xxxx ************************************************************************ * I N F O R M A T I O N A L / D O C U M E N T A T I O N * * APARs Follow (If Any) * ************************************************************************ ------------------------------------------------------------------------ PTF Include List: This item contains no records. ------------------------------------------------------------------------ PTF Exclude List: This item contains no records. ------------------------------------------------------------------------ PE APAR List: This item contains no records. ------------------------------------------------------------------------ Pending PE APAR List: This item contains no records.