TCP/IP for z/VM
SSL Server - Alternate Stack Server Pool Configuration

The information herein describes how to establish an SSL server pool for a secondary TCP/IP stack server.

Notes:

  1. APAR PI70089 provides additional updates that correct problems introduced with the PTF for APAR PI59963.
  2. For the purpose of discussion, assume the secondary TCP/IP stack has been defined with the user ID TCPIPTST, and that its corresponding SSL server pool is to be named using the user pool prefix: STS

    Further, assume the added "STS"-prefixed server pool is to be based in the VMSYS file pool and is to be administered by the TCPMAINT user ID (in the same manner as the default "SSL" server pool that is supplied with the z/VM system deliverable).

  3. The system on which the additional pool is being created is a z/VM 7.1.0 system.

  4. Definition and configuration of the alternate stack server is not addressed by this information.

Steps for definition and configuration of the STS-prefixed SSL server pool

  1. Log on to the MAINTvrm user ID (for example, MAINT710), then LINK and ACCESS the TCPMAINT 591 and TCPMAINT 592 minidisks.

  2. Invoke the SSLPOOL utility with operands that pertain to the secondary TCP/IP stack and the intended SSL server pool:

      sslpool plan vmsys tcpmaint sts tcpiptst 5
    
    The file SSLPOOL PLANINFO will be produced, which contains samples of the various system and configuration changes needed for addition of the subject server pool. Two differing examples of this file are available for reference:

  3. Use the sample CP directory entries in the SSLPOOL PLANINFO file to update the CP system directory for the system (sysname) in use. After all user definition changes are complete, bring the updated CP directory on-line.

  4. Invoke the SSLPOOL utility to enroll the server pool user IDs in the appropriate Shared File System (SFS) file pool, and to prepare this file space for use.

      sslpool enroll vmsys tcpmaint sts tcpiptst 5
    
  • (Optional)

    Invoke the SSLPOOL utility to establish SFS authorizations appropriate for each user ID that will (or, might) need to perform SSL server administrative or problem diagnostic tasks:

      sslpool setauth vmsys tcpmaint sts gskadmin
      sslpool setauth vmsys tcpmaint sts maint
    
  • (ESM Environment Only)

    If an External Security Manager (ESM) is used to control the management of user POSIX data on the subject system, appropriate ESM updates also must be completed for each pool user. For example, if RACF is in use, the commands that follow should be used to establish an appropriate RACF group (here, named SECURITY) and connect the pool servers to this group.

    1. Define the RACF user group (if not already defined):

        RAC ADDGROUP SECURITY
        RAC ALTGROUP SECURITY OVM(GID(7))
      
    2. Then, for each pool server, issue the commands that follow (here, the added pool user ID prefix of STS is assumed):

        RAC CONNECT STSnnnnn GROUP(SECURITY)
        RAC ALTUSER STSnnnnn OVM(UID(7))
      
      For example:

        RAC CONNECT STS00001 GROUP(SECURITY)
        RAC ALTUSER STS00001 OVM(UID(7))
      
    Note:
    The same POSIX UID value (7) is assigned to all pool server user IDs.

  • Prepare the new SSL DCSS Management Agent user ID for use.

    Log on to the SSL DCSS Management Agent user ID (STSDCSSM, for this example), and perform these steps:

    1. Format the server 191 minidisk:

        format 191 a 1
      
      The suggested disk label for this minidisk is: SDM191
    2. Create the appropriate PROFILE EXEC for the server, as follows:

        link tcpmaint 591 591 rr
        access 591 e
        copyfile tcprofil exec e profile exec a (olddate
        release e
      
    3. Log off the SSL DCSS Management Agent user ID.

  • Update DTCPARMS and TCP/IP Server Configuration File Definitions

    The TCP/IP configuration needs to be modified to account for addition of the newly-defined SSL DCSS Management Agent server (STSDCSSM) and the STSnnnnn SSL pool servers.

    1. Log on to the TCPMAINT user ID (or its equivalent). If necessary, access the TCP/IP server configuration minidisk (TCPMAINT 198, by default).

        access 198 d
      
    2. Modify the nodeID or SYSTEM DTCPARMS file used for your installation, to implement the changes outlined in the previously created SSLPOOL PLANINFO file.

      Note:
      Several of the DTCPARMS tags and values required for the SSL, SSL DCSS Management Agent, and TCP/IP (stack) servers are cross-referenced during the initialization of these servers. Thus, the changes cited in the PLANINFO file must be implemented in a nodeID-named or SYSTEM-named DTCPARMS file that can be referenced by all servers involved.

    3. Modify the TCP/IP server configuration file to include the appropriate SSLSERVERID statement (as warranted) and addition of the SSLLIMITS statement.

      If necessary, consult the information in the TCP/IP Planning and Customization book for details about the SSLLIMITS and SSLSERVERID statements, or for more information about the DTCPARMS file tags and values cited in the SSLPOOL PLANINFO file.

    4. Log off the TCPMAINT user ID. The changes necessary for initialization and use of the STS server pool, its SSL DCSS Management Agent (STSDCSSM) and the TCPIPTST stack server should now be complete.

  • Create a private-use "data" file for use with the alternate TCPIPTST stack user ID.
    1. Copy the existing TCPIP DATA file to a file named: TCPIPTST DATA

      Notes:

      1. The TCPIPTST DATA file can reside on the TCPMAINT 592 disk (as does the TCPIP DATA file) although no z/VM TCP/IP client or server applications can, or will, make use of this file directly, given its alternate file name.
      2. With the PTF for APAR PI59963 installed, the SSLPOOL PLANINFO file includes :TcpDataFile. tags that cite a TCP/IP data file name that matches the alternate stack user ID (here, TCPIPTST).
    2. Edit the TCPIPTST DATA file and alter the TCPIPUSERID statement so that the TCPIPTST user ID is cited instead of the user ID "TCPIP".

    3. Implement any additional configuration values that are needed for the TCPIPTST user ID, then save (FILE) the changed file.

    4. Confirm correct :TcpDataFile. tag values, OR, manually create a private-use TCPIP DATA file for use by the alternate SSL server pool.
      1. If the PTF for APAR PI59963 is installed:
        1. For any :TcpDataFile. tags associated with DTCPARMS file entries added for the STS server pool and its SSL DCSS Management Agent (STSDCSSM), ensure the file ID of the alternate TCP/IP data file (just created) is cited correctly. For example:

            :TcpDataFile.TCPIPTST DATA *
          
      2. If the PTF for APAR PI59963 is not installed:
        1. Log on to the MAINTvrm user ID (for example, MAINT710), and copy the TCPIPTST DATA file to the root SFS directory of each of the STSnnnnn servers:

            vmlink tcpmaint 592 <* f>
            vmlink .dir vmsys:stsnnnnn <* g>
            copyfile tcpiptst data f tcpip data g
            (Repeat the previous two commands for each STS* server)
            release g
            release f
          
        2. Log off the MAINTvrm user ID.
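    The per-server steps above (the RAC CONNECT and RAC ALTUSER pair for each pool user in the ESM section, and the pre-PI59963 copy of TCPIPTST DATA into each server's SFS root directory) are repeated once per STSnnnnn user ID. The REXX exec below is an added example for this page, not part of z/VM or the SSLPOOL utility; it assumes pool user IDs run from STS00001 up to the count given to SSLPOOL, the VMSYS file pool, and the SECURITY group with GID/UID 7 used on this page, and it adds the COPYFILE REPLACE option so that a rerun overwrites an earlier copy.

```rexx
/* STSPREP EXEC - hypothetical helper, not part of z/VM or SSLPOOL.        */
/* Repeats the per-server steps from this page for prefix00001..prefixNNNNN:*/
/*   RACF - RAC CONNECT to group SECURITY and RAC ALTUSER OVM(UID(7))      */
/*   COPY - copy TCPIPTST DATA (TCPMAINT 592) to each server's SFS root     */
/* Usage:  STSPREP prefix count [RACF] [COPY]   e.g.  STSPREP STS 5 RACF COPY*/
/* Assumed: IDs are prefix + 5-digit number from 00001; file pool is VMSYS. */
Parse Upper Arg prefix count opts
If prefix = '' | count = '' | Datatype(count) \= 'NUM' Then Do
  Say 'Usage: STSPREP prefix count [RACF] [COPY]'
  Exit 24
End
doRacf = (Wordpos('RACF', opts) > 0)
doCopy = (Wordpos('COPY', opts) > 0)
failures = 0

If doCopy Then Do
  /* TCPMAINT 592 holds TCPIPTST DATA; link it once, read-only, as mode F */
  'VMLINK TCPMAINT 592 <* F>'
  If rc \= 0 Then Do
    Say 'Cannot link TCPMAINT 592, rc='rc
    Exit rc
  End
End

Do n = 1 To count
  pooluser = prefix || Right(n, 5, '0')          /* e.g. STS00001 */
  If doRacf Then Do
    'RAC CONNECT' pooluser 'GROUP(SECURITY)'
    If rc \= 0 Then failures = failures + 1
    'RAC ALTUSER' pooluser 'OVM(UID(7))'        /* same UID 7 for all servers */
    If rc \= 0 Then failures = failures + 1
  End
  If doCopy Then Do
    /* The server's private copy must be named TCPIP DATA in its SFS root */
    'VMLINK .DIR VMSYS:'pooluser '<* G>'
    If rc = 0 Then Do
      'COPYFILE TCPIPTST DATA F TCPIP DATA G (OLDDATE REPLACE'
      If rc \= 0 Then failures = failures + 1
      'RELEASE G'
    End
    Else failures = failures + 1
  End
End

If doCopy Then 'RELEASE F'
Say 'Processed' count 'servers with prefix' prefix', failures:' failures
Exit failures
```

    The exec returns a non-zero return code when any RAC or COPYFILE command fails, so the run can be checked from the invoking console rather than by reading each command's messages.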


    Additional Notes

    • Unless there is a compelling reason to do so, a separate key database need not be defined for the newly-added "STS" SSL server pool. If use of a separate key database file is required, the appropriate KEYFILE parameter value then needs to be specified (using a :parms. tag) in the :nick.STS :type.server definition for this server pool.

    • When administrative tasks associated with the alternate SSL server pool are performed, the SSLADMIN command SSLserver and TCPserver options exist for directing administrative commands to the appropriate SSL servers. The SSLADMIN SET command can be used to establish the working server set when prolonged interaction with a set of pool servers is required.

      For more information, consult the SSLADMIN documentation provided in the section titled "Dynamic Server Operation" in TCP/IP Planning and Customization.