TCP/IP for VM Secure Socket Layer (SSL) Server
Configuration Information and Requirements
for z/VM 530

Note: Support for TCP/IP Level 530 ended on 30 September, 2010.

    SSL Server for z/VM 5.3 - Linux Requirements

Before the TCP/IP for VM Secure Socket Layer (SSL) server can be utilized, a Linux for S/390 kernel and file system must be installed and configured for exclusive use by the SSL server virtual machine.

The z/VM SSL server implementation is supported on specific Linux distributions and kernel levels.

Supported distributions, kernel levels and the z/VM-supplied SSL RPM packages for each distribution are listed in the tables that follow.

Use the information that follows to install and configure the SSL server for your environment.

Note!:

The SSL server has been modified to accommodate "Dynamic SSL/TLS Support," which introduces a set of Application Programming Interfaces (APIs) that permit a Pascal or Assembler client or server application to control the acceptance and establishment of TCP/IP sessions encrypted using SSL/TLS.

To provide this capability, the interface used by the SSL server to communicate with the TCP/IP stack server has been modified. Due to the nature of these changes, one of the SSL-related RPM packages supplied with TCP/IP level 530 must be used for SSL server setup and configuration. Note also that the TCP/IP level 530 SSL server cannot be used with prior levels of TCP/IP for z/VM.

    RPM Package Overview and Naming Conventions

The various SSL-related RPM packages provided with TCP/IP for z/VM are supplied on the 493 minidisk owned by the TCP/IP installation and service user ID (for example, the 5VMTCP30 493 minidisk), and have a file type of RPMBIN.

If IBM-supplied user IDs and minidisk defaults have been maintained for your z/VM system, remote access to these files should be possible using either the z/VM TCP/IP installation and service user ID (the TCP_install_ID, such as 5VMTCP30), or the SSL server user ID (SSLSERV). The necessary files can be obtained by referencing the 493 minidisk associated with either of these user IDs. (This is possible because the IBM-supplied CP directory entry for the SSLSERV user ID provides access to the TCP_install_ID 493 minidisk via a LINK statement that uses the same device number — 493.)

However, if TCP/IP service minidisks have been moved to the z/VM Shared File System (SFS), the RPM package files then must be accessed using the z/VM TCP/IP installation and service user ID. The default SFS directory used in place of the TCP_install_ID 493 minidisk is: VMSYS:TCP_install_ID.TCPIP.BINARY

Notes:

  • Two RPM package files (appropriate for the Linux distribution in use) must be transferred and installed on the Linux guest that has been selected for running the z/VM SSL server:

    • an IBM GSKit RPM package
    • an SSL server RPM package
  • An X at the end of an RPMBIN file name (for example, VMSR4X RPMBIN) indicates that the subject package file is supplied for use with a 64-bit Linux distribution. Package files with no such suffix are supplied for use with 31-bit distributions.

Use the tables that follow to determine which z/VM RPMBIN files should be used for your installation, as well as the (Linux) naming that should be applied to those files when they are transferred to the Linux guest designated for running the z/VM SSL server.

    SSL Server for z/VM 5.3 - IBM GSKit Package Information

Linux Environment    z/VM-Supplied RPM File    Linux RPM Package File
------------------   -----------------------   ----------------------------
31 bit Environment   IBMGSK RPMBIN             gsk7bas-7.0-3.13.s390.rpm
64 bit Environment   IBMGSKX RPMBIN            gsk7bas64-7.0-3.13.s390x.rpm

    SSL Server for z/VM 5.3 - SSL RPM Package Information

Linux Distribution                        Required Kernel Level   z/VM-Supplied RPM File   Linux RPM Package File
---------------------------------------   ---------------------   ----------------------   ------------------------
Redhat Enterprise Linux AS4 U4 (31 bit)   2.6.9-42.EL             VMSR4 RPMBIN             vmssld-2.6.9-2.s390.rpm
Redhat Enterprise Linux AS4 U4 (64 bit)   2.6.9-42.EL             VMSR4X RPMBIN            vmssld-2.6.9-2.s390x.rpm
SUSE SLES 9 SP3 (31 bit)                  2.6.5-7.244             VMSS9 RPMBIN             vmssld-2.6.5-2.s390.rpm
SUSE SLES 9 SP3 (64 bit)                  2.6.5-7.244             VMSS9X RPMBIN            vmssld-2.6.5-2.s390x.rpm

Note:

If the Linux distribution selected for running the SSL server is of a more-recent service level than that cited above (due to the application of kernel patches, by the distributor or by your installation), the vmsock kernel module (supplied with the z/VM SSL RPM for the selected distribution) must be locally rebuilt so that it is compatible with the level of the Linux kernel in use.

Also, note that the vmsock modules provided via the various SSL RPM files have been verified by IBM for only the stated kernel levels. Unexpected problems could arise through the use of a locally-rebuilt vmsock module.

Use this link to obtain additional information to assist you with rebuilding the vmsock module:

    FTP Instructions

Sample instructions for an FTP transfer of the necessary RPM package files to a Linux guest system follow:

  1. Log in as the root user on the selected Linux system.

  2. Initiate an FTP session to the z/VM host where the needed RPMBIN package files reside:

      ftp vm_host_ip_address
    

  3. Log in using one of the previously mentioned user IDs and then change the working directory to the appropriate resource:

    1. For an installation in which TCP/IP service minidisks are used:

        user sslserv
        pass pass_word
        cd sslserv.493
      

    2. For an installation in which TCP/IP service SFS directories are used:

        user 5vmtcp30
        pass pass_word
        cd vmsys:5vmtcp30.tcpip.binary
      
  4. Establish Binary transfer mode and retrieve the appropriate RPMBIN files:

      bin
      get VM_IBMgskit_name.rpmbin Linux_IBMgskit_name.rpm
      get VM_SSLpackage_name.rpmbin Linux_SSLpackage_name.rpm
    

  5. End the FTP session, after the files have been successfully transferred.

After having transferred the necessary RPM package files, you can install each package using the Linux rpm command, as described in the next section.

    RPM Package Installation Instructions

To verify that you have installable packages, first issue the rpm -qpi (query package information) commands that follow. Each command will display general information about the specified package:

  rpm -qpi Linux_IBMgskit_name.rpm
  rpm -qpi Linux_SSLpackage_name.rpm

Assuming each command displayed the proper information, install each package.

Note:
Install the IBM GSKit package first, then install the SSL server package:

  rpm -Uvh Linux_IBMgskit_name.rpm
  rpm -Uvh Linux_SSLpackage_name.rpm
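
The checks below are an added example, not part of the IBM-supplied instructions. Run before the rpm -Uvh commands above, the script confirms that each transferred file is still a valid RPM (the binary-mode requirement from the FTP steps), that its architecture suits the guest, and whether the running kernel is the level for which the vmsock module was verified. The function names are hypothetical; the package names and kernel levels come from the tables on this page.

```shell
# Added example (not IBM-supplied); function names are hypothetical.

# An RPM file starts with the lead magic ED AB EE DB. A transfer made without
# "bin" changes the bytes, so a mismatch here means: repeat the FTP transfer.
is_rpm_file() {
    [ -r "$1" ] || return 1
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "edabeedb" ]
}

# 64-bit packages end in .s390x.rpm, 31-bit in .s390.rpm ($2 is `uname -m`).
arch_matches() {
    case "$1" in
        *.s390x.rpm) [ "$2" = "s390x" ] ;;
        *.s390.rpm)  [ "$2" = "s390" ] ;;
        *) return 1 ;;
    esac
}

# Kernel level for which IBM verified the vmsock module in each SSL package.
verified_kernel_for() {
    case "$1" in
        vmssld-2.6.9-2.s390.rpm|vmssld-2.6.9-2.s390x.rpm) echo "2.6.9-42.EL" ;;
        vmssld-2.6.5-2.s390.rpm|vmssld-2.6.5-2.s390x.rpm) echo "2.6.5-7.244" ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the kernel ($2, from `uname -r`) is not the verified level.
# Assumption: a flavour suffix such as "-s390x" still counts as that level.
needs_vmsock_rebuild() {
    want=$(verified_kernel_for "$1") || return 2
    case "$2" in
        "$want"|"$want"-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: sh precheck.sh Linux_IBMgskit_name.rpm Linux_SSLpackage_name.rpm
for f in "$@"; do
    name=$(basename "$f")
    is_rpm_file "$f" || { echo "$name: not an RPM, re-transfer in binary mode"; exit 1; }
    arch_matches "$name" "$(uname -m)" || { echo "$name: wrong architecture"; exit 1; }
    rpm -K --nosignature "$f" || exit 1   # check the package's internal digests
    if needs_vmsock_rebuild "$name" "$(uname -r)"; then
        echo "$name: kernel $(uname -r) is not the verified level, rebuild vmsock"
    fi
done
```

The kernel comparison treats any level other than the verified one as requiring a rebuild, which is stricter than the "more-recent service level" wording in the note above.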

After the IBM GSKit and SSL server packages have been installed, additional installation and configuration steps must be performed which are specifically associated with the SSL package. Information and instructions regarding these steps are provided as separate INSTALL and README files, which are placed in package-specific documentation directories as part of the SSL server package installation.

For example: /usr/share/doc/packages/Linux_SSLpackage_name

To determine where this information resides, issue the rpm "query" command that follows:

  rpm -qd Linux_SSLpackage_name

Note that the .rpm qualifier is not included as part of the package name that is used for this command.

As a convenience, the INSTALL and README files that pertain to a given RPM package are also provided on the TCP_install_ID 493 minidisk, with file names that match the RPMBIN file with which they are associated.

   Virtual Machine Requirements and Restrictions

Please note the following requirements and restrictions regarding the SSLSERV user ID (or your selected equivalent):

  • Virtual storage defined for the user ID selected to run the z/VM SSL server must not exceed 2G. This restriction also applies to any non-contiguous storage extents that might be defined for this user ID.

  • The minidisk used as the SSL server TRANSITION minidisk (device address 0203, by default) must be a CMS-formatted minidisk.

     SSL Server for z/VM 5.3 - Optional Material

Optional SSL server Linux source RPM (SRPM) package files (and their counterpart z/VM CMS files) are listed in the table that follows. These packages provide a select set of source files for interested customers.

Linux Distribution                        Kernel Level   z/VM-Supplied RPM File   Source RPM Package File
---------------------------------------   ------------   ----------------------   -----------------------
Redhat Enterprise Linux AS4 U4 (31 bit)   2.6.9-42.EL    VMSR4S RPMBIN            vmssld-2.6.9-2.srpm
Redhat Enterprise Linux AS4 U4 (64 bit)   2.6.9-42.EL    VMSR4XS RPMBIN           vmssld-2.6.9-2.srpm
SUSE SLES 9 SP3 (31 bit)                  2.6.5-7.244    VMSS9S RPMBIN            vmssld-2.6.5-2.srpm
SUSE SLES 9 SP3 (64 bit)                  2.6.5-7.244    VMSS9XS RPMBIN           vmssld-2.6.5-2.srpm

To install a source package, use the information provided for its non-source counterpart, while adapting the package file name in an appropriate manner.

   SSL Server - Documentation Updates / Supplements

Check the following link for detailed information about documentation updates that are available for the z/VM SSL server.