TCP/IP for z/VM
Migration Considerations and
Release-to-Release Changes


The information herein describes changes to various aspects of TCP/IP for z/VM that warrant consideration when migrating from previous levels to the most current, supported level.

For information about changes that have been implemented in levels of TCP/IP for z/VM that are not listed here, check the Migration Considerations for End-of-Service Levels information.

Note that in some cases, existing functions may have been deleted or replaced by alternate functions. High-level descriptions of these kinds of changes, as well as the level at which a change was introduced, are indicated in the text that follows.

Client Topics:

TCP/IP Usage, FTP Client, NETSTAT, Printing Services, Remote Execution

Server Topics:

Server Configuration, DNS Server, FTP Server, IMAP Server, Kerberos Server, LDAP Server, MPRoute Server, RouteD Server, Remote Execution, SMTP Server, SNMP, SSL Server, TCP/IP Stack Server, Telnet

Other Topics:

Packaging

Notes:

  • TCP/IP and related features are supported on associated releases of CP and CMS only.
  • Select the TCP/IP Stack server link to review information about changes introduced that establish changes to the following defaults:
    • RestrictLowPorts

   TCP/IP Usage

Changes Introduced in TCP/IP Level 640

  • Domain Name Server (DNS) IPv6 support is included, which:
    • accommodates use of IPv6 domain name server addresses as part of the TCPIP DATA configuration file NSINTERADDR statement
    • includes various CMS resolver IPv6 enhancements
    • adds TCP/IP stack support for UDP over IPv6
    • updates IPWIZARD configuration support to accommodate IPv6 domain name server addresses
    • provides REXX Sockets toleration for IPv6 addresses specified for an NSINTERADDR statement

Changes Introduced in TCP/IP Level 620

  • The IPFORMAT diagnostic utility has been updated to support a PCAP operand, which causes TYPE GT and TYPE LAN trace data to be formatted in PCAP data format, to allow for its review and evaluation using a GUI-based trace analysis tool.

  • The CMS NOTE and SENDFILE commands (SMTP clients) have been updated to accommodate the use of IPv6.

    Note that IPv6 SMTP connections cannot be secured using SSL because the z/VM SSL server does not incorporate IPv6 support.

Changes Introduced in TCP/IP Level 540

  • The RPCINFO function has been updated to use the ETC HOSTS file as the local site table when host names are resolved. If the ETC HOSTS file is not present, RPCINFO continues to use the HOSTS SITEINFO file.

  • Processing of the CERTNOCHECK operand for TLS connections associated with the FTP and Telnet clients (and, the SMTP server) has been changed such that this operand is equivalent to the CERTFULLCHECK operand.

  • The TCPSLVL utility has been modified such that results now are directed to a file (named partname SLVLDATA) by default. To direct command output to the console, a new CONSOLE option must be used. For more information, see Appendix A of the TCP/IP for z/VM Level 540 Program Directory.

Changes Introduced in Prior Levels


   FTP Client

Changes Introduced in TCP/IP Level 640

  • The FTP client has been updated to include support for the FTP DATA file statement EPSV4 TRUE/FALSE (introduced with TCP/IP for z/VM level 630 APAR PM90145).

    This statement, and corresponding LOCSITE command operands EPSV4 / NOEPSV4 allow one to control whether the FTP client attempts use of the EPRT/EPSV command when connections with a remote server are established for data transfer.

Changes Introduced in TCP/IP Level 630

  • The FTP client has been updated to accommodate the use of SSL to secure IPv6 FTP connections.

Changes Introduced in TCP/IP Level 620

  • The FTP client has been updated to accommodate the use of IPv6.

    Note that IPv6 FTP connections cannot be secured using SSL because the z/VM SSL server does not incorporate IPv6 support.

  • The LISTFORMAT UNIX command now supports ASCII, BINARY and EBCDIC parameters, which influence the computation of the file size returned by the SIZE command and in directory listings.

  • File name pattern matching now can be used for Byte File System (BFS) files and directories.

  • The LOCSTAT command now reports secure connection settings.

Changes Introduced in TCP/IP Level 540

  • Support is added for changing an FTP control connection from a secure state to a clear state through use of the Clear Control Connection (CCC) subcommand.

  • Processing of the CERTNOCHECK operand for TLS connections associated with the FTP client has been changed such that this operand is equivalent to the CERTFULLCHECK operand.

Changes Introduced in Prior Levels


   Printing Services

Changes Introduced in TCP/IP Level 630

  • The Line Printer Daemon server (LPSERVE) and its associated resources have been removed.

Changes Introduced in Prior Levels


   Server Configuration

Changes Introduced in Prior Levels


   DNS Server

Changes Introduced in Prior Levels


   FTP Server

Changes Introduced in TCP/IP Level 630

  • The FTP server has been updated to accommodate the use of SSL to secure IPv6 FTP connections.

Changes Introduced in TCP/IP Level 620

  • The FTP server has been updated to accommodate connections using IPv6.

    Note that IPv6 FTP connections cannot be secured using SSL because the z/VM SSL server does not incorporate IPv6 support.

  • The LISTFORMAT UNIX command now supports ASCII, BINARY and EBCDIC parameters, which influence the computation of the file size returned by the SIZE command and in directory listings.

  • File name pattern matching now can be used for Byte File System (BFS) files and directories.

Changes Introduced in Prior Levels


   IMAP Server

Changes Introduced in TCP/IP Level 540

  • The mechanism for defining User IDs that are to be authorized to use the IMAPADM EXEC has changed. Instead of directly creating a $SERVER$ NAMES private resource registration file, authorized User IDs are now listed via the DTCPARMS file tag :Admin_ID_List.

Changes Introduced in Prior Levels


   Kerberos Server

Changes Introduced in Prior Levels


   LDAP Server

Changes Introduced in TCP/IP Level 640

  • The Lightweight Directory Access Protocol (LDAP) server (LDAPSRV) and client utilities have been upgraded to z/OS V2.2 equivalency. This upgrade includes these functional enhancements:
    • Group Search Limits updates, which enhance the setting of search limits by allowing search and time limits to be set on a group basis.
    • Admin Roles updates, which enhance the server to allow multiple DNs, group or non-group, to be set as administration DNs. Currently, only one DN can be given administration privileges. The definitions can be in the LDAP directory or in SAF.
    • Page and Sort Search updates, which enhance the server and ldapsearch client utility to provide paged and/or sorted search results.

      Paged search results allow clients to receive just a subset of search results (a page) instead of the entire list. The next page of entries is returned to the client application for each subsequent paged results request submitted by the client until the operation is canceled or the last result is returned.

      Sorted search results allow clients to receive sorted search results based on a list of criteria, where each criterion represents a sort key.

    • TLS V1.2 Support, which makes use of the TLS V1.1, TLS V1.2 and NSA Suite B Cryptography support in System SSL.
    • Activity Log enhancements that provide improved activity log features by adding new records for events that were previously not logged, and useful information to existing records so that better auditing and problem determination can be done.
    • Dynamic Group Performance, which provides performance enhancements for Dynamic Groups.
    • Password Policy Attribute Replication, which provides consistent replication updates of password policy operational attributes on all servers when they get updated in a read-only server in a replication topology.

Changes Introduced in TCP/IP Level 540

  • The Lightweight Directory Access Protocol (LDAP) server (LDAPSRV) has been updated to a function level equivalent to the z/OS level 1.10 Tivoli Directory Server.

  • Server plug-in support has been added, to allow the functionality of the directory server to be extended.

  • Support for RACF change logging and password/phrase enveloping is introduced.

Changes Introduced in Prior Levels


   NETSTAT Command

Changes Introduced in TCP/IP Level 630

  • As part of the updates to provide SSL support for IPv6 secure connections, the NETSTAT IDENT SSL command has been enhanced to handle and display IPv6 secure connection data.

Changes Introduced in TCP/IP Level 620

  • With the upgrade of MPROUTE to z/OS 1.12 equivalency, the following updates are included:
    • support for a ROUTERADV option for the NETSTAT CONFIG command. This option can be used to display the router advertisement configuration parameters of a TCP/IP server.
    • the NETSTAT GATE and NETSTAT CONFIG HELP commands include new output fields.
  • Support for the OSAINFO option is introduced. This option displays basic information (such as IP and MAC addresses) from the OSA Address Table (OAT) for TCP/IP devices that are defined on supported OSA-Express cards.

Changes Introduced in TCP/IP Level 540

  • NETSTAT GATE command output has been updated to include two new flags — one indicates if the MTU was modified by path MTU discovery for a given route; the other indicates whether a route was created as a result of path MTU discovery.

  • NETSTAT DEVLINKS command output for an OSD device has been updated to include the OSA-Express port number, the designated transport type (ETHERNET or IP, for Layer 2 or Layer 3 mode, respectively), and local MAC address (for transport type ETHERNET only).

  • (IPv4 only) NETSTAT DEVLINKS command output has been updated for all non-VIPA devices to display path MTU discovery status.

Changes Introduced in Prior Levels


   MPRoute / RouteD Servers

Changes Introduced in TCP/IP Level 640

  • The MPRoute server has been upgraded to z/OS V2.2 Equivalency, and includes these functional enhancements:
    • Deprecates the OMPROUTE_OPTIONS.hello_hi environment variable.
    • Processes inbound OSPF hello packets from neighbors at the highest priority, for the purpose of maintaining OSPF adjacencies.
    • Modifications to avoid the potential for an abend when formatting or parsing OSPF packet content.
    • Enhancements to existing informational and debug messages, to cite more specific information when an IOCTL call has failed.

Changes Introduced in TCP/IP Level 630

  • The MPRoute server has been upgraded to z/OS 1.13 Equivalency, and includes these functional enhancements:
    • support for RFC 2328 for IPv4 OSPF
    • support for RFC 2740 for IPv6 OSPF

Changes Introduced in TCP/IP Level 620

  • The MPRoute server has been upgraded to z/OS 1.12 Equivalency, and includes these functional enhancements:
    • support for RFC 4191 and RFC 5175
    • support for MPRoute configuration file INCLUDE statements
    • updates to report and help prevent futile neighbor state loops
    • SMSG command updates to support DELETED, ACTIVATE, and SUSPEND keywords for selected commands
    • ROUTERADV statement support changes that allow router advertisements to be sent with a HIGH, MEDIUM, or LOW preference value.

Changes Introduced in Prior Levels


   Remote Execution Services

Changes Introduced in TCP/IP Level 540

  • The logon password default for the RXAGENT1 virtual machine has been changed to AUTOONLY, to reinforce the concept that REXEC agents should be used for handling only anonymous requests.

Changes Introduced in Prior Levels


   SMTP Server

Changes Introduced in TCP/IP Level 640

  • The SMTP server command exit (SMTPCMDX) has been updated to reject VRFY and EXPN commands, by default.

Changes Introduced in TCP/IP Level 630

  • The SMTP server has been updated to accommodate the use of SSL to secure IPv6 SMTP connections.

Changes Introduced in TCP/IP Level 620

  • The SMTP server has been updated to accommodate connections using IPv6.

    Note that IPv6 SMTP connections cannot be secured using SSL because the z/VM SSL server does not incorporate IPv6 support.

Changes Introduced in TCP/IP Level 540

  • Processing of the CERTNOCHECK operand for TLS connections associated with the SMTP server has been changed such that this operand is equivalent to the CERTFULLCHECK operand.

Changes Introduced in Prior Levels


   SNMP Server / Client

Changes Introduced in TCP/IP Level 540

  • An SNMPTRAP command is introduced that can be used to generate SNMP version 1 enterprise-specific traps for reporting events to an SNMP manager.

Changes Introduced in Prior Levels


   SSL Server

Changes Introduced in TCP/IP Level 640

  • The z/VM SSL server has been upgraded to z/OS V2.2 Equivalency, and includes support for:
    • RFC 5280 Certificate Validation Upgrade (introduces support for Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile)
    • PKCS #12 Certificate Store (function already introduced with TCP/IP for z/VM level 630 APAR PI29130)
    • OCSP support, which enhances certificate revocation checking and flexibility, with:
      • support for retrieval of CRLs through HTTP URLs
      • more flexible processing of CRLs from LDAP
      • support for retrieval of revocation information through OCSP
    In addition, these z/VM TLS/SSL server changes have been implemented:
    • Inclusion of z/OS V2.1 Equivalency support (introduced with TCP/IP for z/VM level 630 APAR PI40702), which facilitates exploitation of these functions:
      • AES Galois-Counter Mode (AES GCM), a TLS 1.2 symmetric key algorithm that is more secure than the CBC mechanism employed today.
      • Enablement of DSA Certificates in MODE NIST-800-131a, an update to the size of the DSS certificates the server can support for asymmetric encryption
    • Inclusion of support to use PKCS #12 formatted files as certificate and key repositories. PKCS #12 is a more common format than the .kdb files used by gskkyman and System SSL today. Inclusion of this functionality allows for greater interoperability between platforms (including OpenSSL) and ease of use.
    • The default protocol levels now are TLS 1.2 and TLS 1.1. All other protocols are disabled by default.
    • Inclusion of support for the VMSSL command ENABLE operand, which enables use of a specific cipher suite that is disabled by default — these being: 00, 01, 02, 03, 04, 05, 06 and 3B.
    • These fixed Diffie Hellman cipher suites now are disabled by default:
      • 0F, 0C, 10, 0D, 31, 30, 37, 36, 3F, 3E, 69, 68, A5, A1, A0 and A4.
    • Inclusion of secure RSCS TCPNJE links support (introduced with TCP/IP for z/VM level 630 APAR PI56474).

Changes Introduced in TCP/IP Level 630

  • The z/VM SSL server has been upgraded to z/OS 1.13 Equivalency. This upgrade includes support for Transport Layer Security (TLS) protocol, version 1.2, which provides support for SHA-256 certificates. A new PROTOCOL operand on the VMSSL command allows the system administrator to enable and disable SSL and TLS protocols for cryptographic use in the operation of the SSL server. In addition, the SSL server has been updated to accommodate the use of SSL to secure IPv6 connections.

    With this change, the SSLADMIN and NETSTAT IDENT SSL commands have been enhanced to handle and display IPv6 secure connection data.

Changes Introduced in TCP/IP Level 620

  • Inclusion of the SSL Server Performance and Scalability Enhancements (introduced in TCP/IP for z/VM level 540 and level 610 via the PTFs for APARs PK97437, PK97438 and PK75662). These enhancements improve upon the ability of an SSL server to provide concurrent secure connectivity by increasing its overall performance and decreasing the amount of required system resources.

    Changes made as part of these enhancements include:

    • support for a new VMSSL command operand, CACHECLEANUP, and changes associated with support of the CACHELIFE operand
    • updates to the SSLADMIN command, with changes that affect the SSLADMIN QUERY, SSLADMIN REFRESH, and SSLADMIN TRACE/NOTRACE commands
    • support for new SSL server administration (SSLADMIN) commands — SSLADMIN CLEAR, SSLADMIN SET and SSLADMIN START
    • introduction of a new TCP/IP server configuration statement, SSLLIMITS, and changes that affect processing of the SSLSERVERID statement.

    With this change, the SSLSERV user ID no longer is included as part of the z/VM version 6 release 2 System Deliverable. In its place, an SSL server "pool" of five servers now is defined as part of the system. While continued use of a single-instance, minidisk-based server (such as SSLSERV) still is possible and remains supported, the preferred configuration for running a single SSL server is to alter the SSL pool definition such that only one pool server is defined. This can readily be accomplished by a CP directory change to the SSL server POOL definition.

  • Inclusion of SSL Server Federal Information Processing Standard (FIPS) 140-2 Support (introduced in TCP/IP for z/VM level 610 via the PTF for APAR PM10616).

Changes Introduced in TCP/IP Level 610

  • SSL Server Federal Information Processing Standard (FIPS) 140-2 Support is introduced with the PTF for APAR PM10616.

  • With the PTFs for APARs PK97437, PK97438 and PK75662, SSL Server Performance and Scalability Enhancements are introduced. These enhancements improve upon the ability of an SSL server to provide concurrent secure connectivity by increasing its overall performance and decreasing the amount of required system resources. With these enhancements, support for multiple SSL servers, defined as a server "pool" is introduced as well.

  • With TCP/IP level 610, the PTF for APAR PK65850 (SSL Server Enablement) is not required — the CMS-based SSL server supplied with the z/VM version 6 release 2 System Deliverable is fully enabled.

Changes Introduced in TCP/IP Level 540

  • With the PTF for APAR PK65850, a CMS-based SSL server is provided with TCP/IP for z/VM that no longer requires operation within a Linux guest. The components required for running this updated server implementation are installed and serviced through the same means as other CMS-based TCP/IP servers.

    With this implementation, the SSL server and TCP/IP stack server interfaces have been modified, as have SSL server command (VMSSL) and DTCPARMS file configuration operands and requirements. Due to the nature of these changes, an SSL server implementation that is based on prior levels of TCP/IP for z/VM cannot be used with the TCP/IP level 540 TCP/IP server. The converse is also true — the TCP/IP level 540 SSL server cannot be used with prior levels of TCP/IP for z/VM.

    TCP/IP Level 540 SSL and TCP/IP server compatibility is summarized here:

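    TCP/IP Level 540 SSL and TCP/IP Server Compatibility

    |                                 | TCP/IP Level 540 SSL Server | Prior-level SSL Server |
    |---------------------------------|-----------------------------|------------------------|
    | TCP/IP Level 540 Stack Server   | Compatible                  | Not Compatible         |
    | Prior-level TCP/IP Stack Server | Not Compatible              | Compatible             |
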
  • Additional changes associated with the level 540 SSL server include:

    • Use of z/OS V1.10 System SSL technology by the SSL server for encryption, decryption, and certificate management functions. Significant functional changes associated with the use of this technology include:
      • Implementation of Federal Information Processing Standard (FIPS) 140-2 is not available with this level of TCP/IP for z/VM.

      • Relaxed certificate checking, through use of selected application CERTNOCHECK options or operands, is not available at this level. Thus, self-signed certificates are accepted only if they are stored in both client-side and server-side certificate databases.

      • Addition of support for changing an FTP control connection from a secure state to a clear state through use of the FTP CCC subcommand.

      • Several cipher suites, including suites that provide 128-bit and 256-bit AES encryption, have been added. Two ciphers — RC4_EXP1024_56_SHA and DES_EXP1024_56_SHA have been removed. All other previously supported cipher suites have been renamed to more closely match specifications in RFCs 2246 and 4346.

      • z/OS System SSL will use hardware-assisted encryption and decryption through use of a processor-specific instruction, if it is available. Cryptographic cards are not supported.

    • Use of gskkyman (previously introduced with LDAP server support) for SSL server certificate management functions.

    • The z/VM SSL server now references a certificate database that is maintained in the z/VM Byte File System (BFS).

    • A GSKADMIN User ID has been added. This User ID has been defined with appropriate authorization to perform certificate management operations for the SSL server key database. The GSKADMIN User ID is also defined as an SSL server administrative User ID.

    • The SSLADMIN command has been revised such that a network connection is no longer used to perform server administrative functions. Thus, the server administrative port (previously defined at port number 9999) is no longer used and has been removed from the TCP/IP server configuration and ETC SERVICES sample files.

    • OBEY authorization is no longer used to determine SSL server administrative authority. Such authorization is now controlled by the DTCPARMS file :Admin_ID_List. tag entry.

    • Additional or different DTCPARMS file configuration tags and SSL server command (VMSSL) parameters now are used for configuration of the SSL server. Detailed information about such changes is provided in TCP/IP Planning and Customization (SC24-6125).

Changes Introduced in Prior Levels


   TCP/IP (Stack) Server

Changes Introduced in TCP/IP Level 630

  • Support for Common Link Access to Workstation (CLAW) and HYPERchannel A220 devices has been removed.

Changes Introduced in TCP/IP Level 620

  • Inclusion of the TCP/IP server-specific changes associated with the SSL Server Performance and Scalability Enhancements (introduced in TCP/IP for z/VM level 540 and level 610 via the PTFs for APARs PK97437, PK97438 and PK75662). Stack specific updates introduced with the PTF for APAR PK75662 include:
    • support for the SSLLIMITS statement is added, which is used to specify the total number of secure connections that are to be supported by the TCP/IP server, as well as the connection limit for each SSL server.
    • support for the SSLSERVERID statement is modified to accept an asterisk (*) as a user_id value. In addition, a different TIMEOUT operand default (of 30 seconds, formerly 60 seconds) now is employed, with boundary values imposed.

Changes Introduced in TCP/IP Level 610

  • z/VM version 6 release 1 implements a new Architecture Level Set (ALS) and is available on only the IBM System z10 Enterprise Class server and System z10 Business Class server (and, future generations of System z® servers). Because of this ALS, TCP/IP for z/VM no longer supports these network devices, communication methods and related configuration statements:
    • Devices
      • Open System Adapter 2 (OSA-2)
      • OSA-Express (first generation only)
      • IBM 3172 Interconnect Controller
    • Communication Methods
      • Asynchronous Transfer Mode (ATM)
      • Fiber Distributed Data Interface (FDDI)
      • IBM Token-Ring (IBMTR)
    • Configuration Statements
      • DEVICE and LINK statements for ATM device types
      • DEVICE and LINK statements for LCS device types other than an OSA-Express configured for LAN emulation mode
      • LINK statements for IBMTR networks
      • LINK statements for FDDI networks
      • LCS device 3172-specific NETMAN operand
      • ATMARPSERVER
      • ATMLIS
      • ATMPVC

Changes Introduced in TCP/IP Level 540

  • The TCP/IP server has been updated such that the OVERRIDEPRECEDENCE operand of the AssortedParms configuration statement is always in effect. This change has been made in support of RFC 2873. The OVERRIDEPRECEDENCE operand continues to be accepted to maintain compatibility with prior levels of TCP/IP for z/VM, but will be reported as an obsolete parameter when encountered.

  • The TCP/IP server has been updated such that the EQUALCOSTMULTIPATH and EQUALCOSTIPV6MULTIPATH operands of the AssortedParms configuration statement are always in effect. These operands continue to be accepted to maintain compatibility with prior levels of TCP/IP for z/VM, but will be reported as no longer required, when encountered.

  • The OSD and the HIPERSockets DEVICE statements have been updated to make AUTORestart the default. Thus, the TCP/IP server automatically will attempt to restart the device in the event of a device failure. AUTORestart is attempted only after successful data transfer has occurred.

  • The OSD DEVICE statement has been updated to include a PORTNUMBER operand for which the additional port on each channel of an OSA-Express3 device can be specified. If a port number is not specified, the default is port number 0.

  • The IFCONFIG command has been updated to allow a port number to be specified for a QDIO (OSA-Express) device. Additionally, IFCONFIG command output now reports the transport type (ETHERNET or IP) for links that are associated with an OSD device.

  • (IPv4 only) The IFCONFIG command has been updated to accept two new operands — PATHMTU and NOPATHMTU — to enable or disable path MTU discovery for a given link.

  • (IPv4 only) Various LINK statements have been updated to include two new operands — PATHMTU and NOPATHMTU — that respectively enable or disable path MTU discovery on a link-by-link basis.

  • (IPv4 only) The PATHMTU operand is accepted for the ASSORTEDPARMS statement, to enable path MTU discovery by default for links for which this has not explicitly been configured.

  • Support for the PATHMTUAGE statement has been added, which allows for the specification of how long (in minutes) path MTU discovery information is to be retained for a given route.

  • The QDIOETHERNET LINK statement has been updated to accept an ETHERNET or IP operand, which designates the transport type for the link (Layer 2 or Layer 3 mode, respectively).

  • Due to SSLADMIN command revisions that eliminate the need for a network connection to perform SSL server administrative functions, an administrative port (previously defined at port number 9999, by default) no longer needs to be reserved for the SSL server.

Changes to TCP/IP Server Defaults

  • Port Restriction Defaults Have Changed - Action Required

    With TCP/IP Level 440, the RestrictLowPorts operand of the AssortedParms statement was changed to be active by default.

    Because of this change, various TCP/IP applications may no longer function unless you take action.

    Refer to the TCP/IP Stack Server Reference Information for more detail about this change.

Changes Introduced in Prior Levels


   Telnet Server / Client

Changes Introduced in TCP/IP Level 630

  • The Telnet server and client have been updated to accommodate the use of SSL to secure IPv6 connections.

Changes Introduced in TCP/IP Level 540

  • The Telnet server and client have been updated to accommodate connections using IPv6. For the Telnet server, the telnet session connection and printer management exits (SCEXIT and PMEXIT, respectively) have been updated accordingly. The Telnet client includes support for a new ADDRTYPE option.

    Note that because the z/VM SSL server does not incorporate IPv6 support, IPv6 Telnet connections cannot be secured using SSL.

  • Processing of the CERTNOCHECK operand for TLS connections associated with the Telnet client has been changed such that this operand is equivalent to the CERTFULLCHECK operand.

Changes Introduced in Prior Levels


   Packaging

General Information

  • TCP/IP Level 640 is included as a pre-installed component of the z/VM product; its use is governed by your license for z/VM.

  • TCP/IP Level 640 is not separately orderable or installable from the z/VM product. However, service that is obtained for TCP/IP for z/VM can be applied separately from that for z/VM.

  • TCP/IP Level 640 RSU service is provided as part of the z/VM RSU, and not as a separately orderable RSU. Corrective (COR) service for TCP/IP for z/VM can be obtained and applied separately from other z/VM service.

  • This level of TCP/IP relies on the presence of certain functions in the z/VM 6.4.0 levels of CP and CMS. The converse is also true — using z/VM 6.4.0 CMS requires that TCP/IP level 640 be present, to accommodate functions that use TCP/IP (DNS) resolver services.

    Abends and incorrect results are possible if you attempt to use mixed levels of TCP/IP, CP and CMS.

  • TCP/IP softcopy publications are provided in the same manner as other z/VM softcopy publications, and are included with these z/VM publications.

Packaging-specific Changes

Changes Introduced in TCP/IP Level 640

  • Resources associated with the following services have been removed:
    • IBM zEnterprise Unified Resource Manager - Ensemble Management server (DTCENS1)
    • IBM zEnterprise Unified Resource Manager - Ensemble Management server (DTCENS2)
    and have been replaced with resources for additional virtual switch (VSWITCH) controller virtual machines:
    • Virtual switch controller virtual machine (DTCVSW3)
    • Virtual switch controller virtual machine (DTCVSW4)

    These changes are part of an ongoing effort to provide only those TCP/IP services that are required by customers to support their enterprise.

  • The MAINTvrm user ID for performing TCP/IP for z/VM service activity is MAINT640, whereas the 6VMTCP40 user ID is the designated owner of TCP/IP minidisks and SFS resources.

Changes Introduced in TCP/IP Level 630

  • Resources associated with the following services have been removed:
    • Dynamic Host Configuration Protocol server (DHCPD)
    • Line Printer Daemon server (LPSERVE)

    These changes are part of an ongoing effort to provide only those TCP/IP services that are required by customers to support their enterprise.

  • The MAINTvrm user ID for performing TCP/IP for z/VM service activity is MAINT630, whereas the 6VMTCP30 user ID is the designated owner of TCP/IP minidisks and SFS resources.

Changes Introduced in TCP/IP Level 620

  • Significant packaging changes, which affect all of z/VM and its components, have been implemented with z/VM version 6 release 2 to provide support for a z/VM single system image (SSI) environment. With these changes, the role of the 6VMTCP20 user ID has changed. This user ID no longer is intended for use to service and maintain TCP/IP for z/VM. Instead, the 6VMTCP20 user ID serves only as the designated owner of the various minidisks and SFS resources required for product maintenance purposes.

    Thus, all TCP/IP for z/VM service activity now must be performed using the MAINTvrm user ID — MAINT620.

  • The TCP2PROD command no longer is used for placing TCP/IP files into production; instead, the VMSES/E PUT2PROD command now directly performs this function. With this change, the TCP2PROD command no longer is supplied with z/VM. The PRODUTL command, included as part of the VMSES/E component of z/VM, provides equivalent function and capabilities, and can be used (if needed) in place of TCP2PROD.

  • The TCP/IP CATALOG file (6VMTCP20 CATALOG) no longer is used for control purposes when TCP/IP product files are placed into production. For the most part, this file now is used for select processing that pertains to TCP/IP for z/VM sample files.

  • Resources associated with the following services (for which support was withdrawn from TCP/IP for z/VM, effective as of level 540) have been removed:
    • Network Database (NDB)
    • SNALINK
    • Trivial File Transfer Protocol (TFTP)
    • X.25 support

    Included with these changes is removal of these user IDs and any associated minidisks:

    • ADMSERV
    • GCSXA
    • NAMESRV
    • NDBPMGR
    • NDBSRV01
    • SNALNKA
    • TFTPD
    • VMKERB
    • VSMSERVE
    • X25IPI
  • The SSLSERV user ID no longer is included as part of the z/VM version 6 release 2 System Deliverable. In its place, an SSL server "pool" of five servers now is defined as part of the system. While continued use of a single-instance, minidisk-based server (such as SSLSERV) still is possible and remains supported, the preferred configuration for running a single SSL server is to alter the SSL pool definition such that only one pool server is defined. This can readily be accomplished by a CP directory change to the SSL server POOL definition.

  • The SSLPOOL utility, supplied as a sample exec with the PTFs for the SSL Server Performance and Scalability Enhancements, has been incorporated as a formally supported command. The SSLPOOL SAMPEXEC file no longer is supplied.

  • Consult the 6VMTCP20 PLANINFO file for detailed information about how specific TCP/IP user IDs have been defined. This file is located on the 6VMTCP20 191 minidisk.

Changes Introduced in TCP/IP Level 610

  • No significant changes have been introduced with TCP/IP level 610.

    Note
    With TCP/IP level 610, the PTF for APAR PK65850 (SSL Server Enablement) is not required — the CMS-based SSL server supplied with the z/VM version 6 release 2 System Deliverable is fully enabled.

Changes Introduced in TCP/IP Level 540

  • The default minimum virtual storage size defined for the TCPIP (stack) server virtual machines has been increased to 128M, to better accommodate a wide variety of workloads without the need to redefine storage allocated for this server.

  • The directory entries for the MPROUTE and the SSLSERV virtual machines now include a SHARE RELATIVE 3000 statement, to allow these servers to better handle activity that is closely associated with TCP/IP server processing.

  • With the PTF for APAR PK65850, a CMS-based SSL server is provided with TCP/IP for z/VM that no longer requires operation within a Linux guest. The components required for running this updated server implementation are installed and serviced through the same means as other CMS-based TCP/IP servers — installation of an updated RPM file within a Linux guest is no longer necessary. For this reason, the minidisks that follow have been deleted with this level of TCP/IP for z/VM:

    • 5VMTCP40 493
    • SSLSERV 201
    • SSLSERV 203

    Note
    Coincident with the change in implementation of the z/VM 540 SSL server, the (Linux-only) vmsock module and its program source are no longer provided with z/VM.

  • The GSKADMIN User ID has been added. This User ID has been defined with appropriate authorization to perform certificate management operations for the SSL server key database, now maintained within the z/VM Byte File System (BFS). The GSKADMIN User ID is also defined as an SSL server administrative User ID.

    For detailed information about how specific TCP/IP User IDs have been defined, consult the 5VMTCP40 PLANINFO file. This file is located on the 5VMTCP40 191 minidisk.

Changes Introduced in Prior Levels
