TCP/IP for z/VM
Migration Considerations and Release-to-Release Changes


The information herein describes changes to various aspects of TCP/IP for z/VM that warrant consideration when migrating from previous levels to the most current, supported level.

For information about changes that have been implemented in levels of TCP/IP for z/VM that are not listed here, check the Migration Considerations for End-of-Service Levels information.

Note that in some cases, existing functions may have been deleted or replaced by alternate functions. High-level descriptions of these kinds of changes, as well as the level at which a change was introduced, are indicated in the text that follows.

Client Topics:

TCP/IP Usage, FTP Client, NETSTAT, Printing Services, Remote Execution

Server Topics:

Server Configuration, DNS Server, FTP Server, IMAP Server, Kerberos Server, LDAP Server, MPRoute Server, RouteD Server, Remote Execution, SMTP Server, SNMP, SSL Server, TCP/IP Stack Server, Telnet

Other Topics:

Packaging      

Notes:

  • TCP/IP and related features are supported on associated releases of CP and CMS only.

   TCP/IP Usage

Changes Introduced in TCP/IP Level 640

  • Domain Name Server (DNS) IPv6 support is included, which:
    • accommodates use of IPv6 domain name server addresses as part of the TCPIP DATA configuration file NSINTERADDR statement
    • includes various CMS resolver IPv6 enhancements
    • adds TCP/IP stack support for UDP over IPv6
    • updates IPWIZARD configuration support to accommodate IPv6 domain name server addresses
    • provides REXX Sockets toleration for IPv6 addresses specified for an NSINTERADDR statement

Changes Introduced in Prior Levels

   FTP Client

Changes Introduced in TCP/IP Level 640

  • The FTP client has been updated to include support for the FTP DATA file statement EPSV4 TRUE/FALSE (introduced with TCP/IP for z/VM level 630 APAR PM90145).

    This statement, and corresponding LOCSITE command operands EPSV4 / NOEPSV4 allow one to control whether the FTP client attempts use of the EPRT/EPSV command when connections with a remote server are established for data transfer.

Changes Introduced in Prior Levels

   Printing Services

Changes Introduced in Prior Levels

   Server Configuration

Changes Introduced in Prior Levels

   DNS Server

Changes Introduced in Prior Levels

   FTP Server

Changes Introduced in Prior Levels

   IMAP Server

Changes Introduced in Prior Levels

   Kerberos Server

Changes Introduced in Prior Levels

   LDAP Server

Changes Introduced in TCP/IP Level 640

  • The Lightweight Directory Access Protocol (LDAP) server (LDAPSRV) and client utilities have been upgraded to z/OS V2.2 equivalency. This upgrade includes these functional enhancements:
    • Group Search Limits updates, which enhance the setting of search limits by allowing search and time limits to be set on a group basis.
    • Admin Roles updates, which enhance the server to allow for multiple DNs, group or non-group, to be set as administration DNs. Currently, only one DN can be given administration privileges. The definitions can be in the LDAP directory or in SAF.
    • Page and Sort Search updates, which enhance the server and ldapsearch client utility to provide paged and/or sorted search results.

      Paged search results allow clients to receive just a subset of search results (a page) instead of the entire list. The next page of entries is returned to the client application for each subsequent paged results request submitted by the client until the operation is canceled or the last result is returned.

      Sorted search results allow clients to receive sorted search results based on a list of criteria, where each criterion represents a sort key.

    • TLS V1.2 Support, which makes use of the TLS V1.1, TLS V1.2 and NSA Suite B Cryptography support in System SSL.
    • Activity Log enhancements that provide improved activity log features by adding new records for events that were previously not logged, and useful information to existing records so that better auditing and problem determination can be done.
    • Dynamic Group Performance, which provides performance enhancements for Dynamic Groups.
    • Password Policy Attribute Replication, which provides consistent replication updates of password policy operational attributes on all servers when they get updated in a read-only server in a replication topology.

Changes Introduced in Prior Levels

   NETSTAT Command

Changes Introduced in Prior Levels

   MPRoute / RouteD Servers

Changes Introduced in TCP/IP Level 640

  • The MPRoute server has been upgraded to z/OS V2.2 Equivalency, and includes these functional enhancements:
    • Deprecates the OMPROUTE_OPTIONS.hello_hi environment variable.
    • Processes inbound OSPF hello packets from neighbors at the highest priority, for the purpose of maintaining OSPF adjacencies.
    • Modifications to avoid the potential for an abend when formatting or parsing OSPF packet content.
    • Enhancements to existing informational and debug messages, to cite more specific information when an IOCTL call has failed.

Changes Introduced in Prior Levels

   Remote Execution Services

Changes Introduced in Prior Levels

   SMTP Server

Changes Introduced in TCP/IP Level 640

  • The SMTP server command exit (SMTPCMDX) has been updated to reject VRFY and EXPN commands, by default.

Changes Introduced in Prior Levels

   SNMP Server / Client

Changes Introduced in Prior Levels

   SSL Server

Changes Introduced in TCP/IP Level 640

  • The z/VM SSL server has been upgraded to z/OS V2.2 Equivalency, and includes support for:
    • RFC 5280 Certificate Validation Upgrade (introduces support for Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile)
    • PKCS #12 Certificate Store (function already introduced with TCP/IP for z/VM level 630 APAR PI29130)
    • OCSP support, which enhances certificate revocation checking and flexibility, with:
      • support for retrieval of CRLs through HTTP URLs
      • more flexible processing of CRLs from LDAP
      • support for retrieval of revocation information through OCSP
    In addition, these z/VM TLS/SSL server changes have been implemented:
    • Inclusion of z/OS V2.1 Equivalency support (introduced with TCP/IP for z/VM level 630 APAR PI40702), which facilitates exploitation of these functions:
      • AES Galois-Counter Mode (AES GCM), a TLS 1.2 symmetric key algorithm which is more secure than the CBC mechanism employed today.
      • Enablement of DSA Certificates in MODE NIST-800-131a, an update to the size of the DSS certificates the server can support for asymmetric encryption
    • Inclusion of support to use PKCS #12 formatted files as certificate and key repositories. PKCS #12 is a more common format than the .kdb files used by gskkyman and System SSL today. Inclusion of this functionality allows for greater interoperability between platforms (including OpenSSL) and ease of use.
    • The default protocol levels now are TLS 1.2 and TLS 1.1. All other protocols are disabled by default.
    • Inclusion of support for the VMSSL command ENABLE operand, which enables use of a specific cipher suite that is disabled by default — these being: 00, 01, 02, 03, 04, 05, 06 and 3B.
    • These fixed Diffie Hellman cipher suites now are disabled by default:
      • 0F, 0C, 10, 0D, 31, 30, 37, 36, 3F, 3E, 69, 68, A5, A1, A0 and A4.
    • Inclusion of secure RSCS TCPNJE links support (introduced with TCP/IP for z/VM level 630 APAR PI56474).
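
A migration check for the cipher suite defaults listed above, as an added example (not IBM code): it parses the cipher_suites vector of a captured TLS ClientHello record and sorts what the client offers into the two disabled-by-default lists. It assumes each two-character code on this page is the low byte of the two-byte TLS suite value 0x00XX; the function names and the sample records are constructed for illustration.

```python
import struct

# Two-character codes from the lists above, read as the low byte of the
# two-byte TLS cipher suite value 0x00XX (an assumption of this example).
NEEDS_ENABLE = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x3B}
FIXED_DH = {0x0F, 0x0C, 0x10, 0x0D, 0x31, 0x30, 0x37, 0x36,
            0x3F, 0x3E, 0x69, 0x68, 0xA5, 0xA1, 0xA0, 0xA4}
DISABLED = NEEDS_ENABLE | FIXED_DH
SIGNALLING = {0x00FF, 0x5600}  # SCSV markers (RFC 5746, RFC 7507), not ciphers


def offered_suites(record: bytes) -> list:
    """Return the cipher suite values offered in one TLS ClientHello record."""
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    (rec_len,) = struct.unpack_from("!H", record, 3)
    hello_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hello_len]
    if rec_len != hello_len + 4 or len(hello) != hello_len:
        raise ValueError("ClientHello is truncated or spans several records")
    try:
        pos = 2 + 32                       # client_version + random
        pos += 1 + hello[pos]              # session_id length byte + value
        (vec_len,) = struct.unpack_from("!H", hello, pos)
    except (IndexError, struct.error):
        raise ValueError("ClientHello too short") from None
    vec = hello[pos + 2:pos + 2 + vec_len]
    if vec_len % 2 or len(vec) != vec_len:
        raise ValueError("malformed cipher_suites vector")
    return [s for (s,) in struct.iter_unpack("!H", vec)]


def audit(record: bytes) -> dict:
    """Sort a client's offer into the two disabled-by-default lists and the rest."""
    suites = [s for s in offered_suites(record) if s not in SIGNALLING]
    return {
        "needs_enable": sorted(f"{s:02X}" for s in suites if s in NEEDS_ENABLE),
        "fixed_dh": sorted(f"{s:02X}" for s in suites if s in FIXED_DH),
        "other": sorted(f"{s:04X}" for s in suites if s not in DISABLED),
        "only_disabled": bool(suites) and all(s in DISABLED for s in suites),
    }


def sample_hello(suites) -> bytes:  # constructed input, not a real capture
    vec = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", len(vec)) + vec + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A client whose result has only_disabled set to True offers nothing outside the two lists, so its handshake depends on suites the level 640 defaults turn off; the "other" entries are merely absent from both lists, not confirmed as enabled on the server.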

Changes Introduced in Prior Levels

   TCP/IP (Stack) Server

Changes Introduced in Prior Levels

   Telnet Server / Client

Changes Introduced in Prior Levels

   Packaging

General Information

  • TCP/IP Level 640 is included as a pre-installed component of the z/VM product; its use is governed by your license for z/VM.

  • TCP/IP Level 640 is not separately orderable or installable from the z/VM product. However, service that is obtained for TCP/IP for z/VM can be applied separately from that for z/VM.

  • TCP/IP Level 640 RSU service is provided as part of the z/VM RSU, and not as a separately orderable RSU. Corrective (COR) service for TCP/IP for z/VM can be obtained and applied separately from other z/VM service.

  • This level of TCP/IP relies on the presence of certain functions in the z/VM 6.4.0 levels of CP and CMS. The converse is also true — using z/VM 6.4.0 CMS requires that TCP/IP level 640 be present, to accommodate functions that use TCP/IP (DNS) resolver services.

    Abends and incorrect results are possible if you attempt to use mixed levels of TCP/IP, CP and CMS.

  • TCP/IP softcopy publications are provided in the same manner as other z/VM softcopy publications, and are included with these z/VM publications.

Packaging-specific Changes

Changes Introduced in TCP/IP Level 640

  • Resources associated with the following services have been removed:
    • IBM zEnterprise Unified Resource Manager - Ensemble Management server (DTCENS1)
    • IBM zEnterprise Unified Resource Manager - Ensemble Management server (DTCENS2)
    and have been replaced with resources for additional virtual switch (VSWITCH) controller virtual machines:
    • Virtual switch controller virtual machine (DTCVSW3)
    • Virtual switch controller virtual machine (DTCVSW4)

    These changes are part of an ongoing effort to provide only those TCP/IP services that are required by customers to support their enterprise.

  • The MAINTvrm user ID for performing TCP/IP for z/VM service activity is MAINT640, whereas the 6VMTCP40 user ID is the designated owner of TCP/IP minidisks and SFS resources.

Changes Introduced in Prior Levels
