TCP/IP for z/VM
SSL Server Performance and Scalability Enhancements
Planning and Installation Information

Important Service Application and Installation Notice

The information and instructions that follow describe system definition and configuration changes that must be implemented when the PTF for the following APARs is applied to a z/VM 540 or 610 system:

  • PK97437: SSLADMIN, TCPRUN and Related Packaging Changes
  • PK97438: SSLSERV Module Updates
  • PK75662: TCPIP Module Updates

If the SSL server (SSLSERV, by default) currently is used by your installation:

  • The changes described herein must be implemented before the updated service provided by the applicable PTF is placed into production (that is, before the PUT2PROD or TCP2PROD commands are used).

    If the necessary changes are not implemented, the SSL server will not properly initialize and will not function.

    Note also that these APARs must be applied and installed together; for this reason, they are packaged as part of a single PTF. The components updated by each APAR are interdependent and must be used together in an operational environment. These APARs cannot be applied selectively and then used on an individual basis.

If an SSL server is not in use by your installation, then the above-listed service can be placed into production on your system without the need to modify the TCP/IP configuration or define additional server user IDs. However, note that such changes will be necessary if an SSL server is deployed at a later time.

   Requisite APARs

In addition to the PTF for the aforementioned "SSL Server Performance and Scalability Enhancements" APARs, the PTFs for the following APARs also must be applied:

  • VM64740: Fix ABENDs in CMS Queue Management in a DCSS and add STFL to CMS Initialization
  • PM06244: Operation Exception in crypto_aes_assist

   Rationale and Overview

Following the introduction of the CMS-based SSL server with z/VM 540, and its functional enablement via the PTF for APAR PK65850, IBM recognized and acknowledged several performance and scalability limitations of this implementation (these are discussed in the initial CMS-Based SSL Server z/VM Performance Report).

To address these concerns, the aforementioned "SSL Server Performance and Scalability Enhancements" PTF is now provided, and it delivers the following:

  • Improved scalability, with respect to the number of concurrent secure connections allowed per TCP/IP stack
  • Increased secure connection "back-up" capability, through the use of multiple SSL pool servers with a given TCP/IP stack server. True failover for secure connections is not possible, so connections being handled by a pool server that fails are lost; however, the failure of that pool server will not disrupt future connectivity, nor cause the associated TCP/IP stack server (or a dependent application protocol server, such as an FTP server) to shut down.
  • SSLADMIN (administrative) command improvements, which support the administration of multiple SSL pool servers and better convey the operational characteristics of such a group of servers (or of a single such server). In addition, several new SSLADMIN commands are introduced to allow for interaction with a specific server or set of servers, and to provide selective server control when needed.

The SSL Multiple Server Support z/VM Performance Report provides analysis results for this updated server implementation.

Implementing these enhancements, however, has required several significant infrastructure changes, which affect the user ID, minidisk and Shared File System (SFS) resources that comprise the TCP/IP operational environment on z/VM 540 and 610 systems.

Significant among the changes required to install and use these enhancements is the need to define an additional server virtual machine: the SSL Discontiguous Saved Segment (DCSS) Management Agent virtual machine (SSLDCSSM, by default). The SSL server updates (provided by the PTF for APAR PK97438) require this agent for management of the session connection cache, whether the system configuration employs multiple SSL pool servers or a single-instance SSL server (such as the existing SSLSERV server).

If multiple SSL servers are to be deployed, then these servers also must be defined (via a CP directory POOL statement) and prepared for use. However, if a single-instance SSL server (SSLSERV) is expected to accommodate (or currently does accommodate) the secure connection requirements of your installation, then that server can instead continue to be used, with several minor configuration changes in place.

In addition to the new server definitions, several DTCPARMS definition changes also are required. These affect not only the newly introduced SSL pool and SSL DCSS Management Agent servers, but also the TCP/IP (stack) server and any existing SSL server (if use of the latter is continued).

Note:
The SSL Key database administrative user ID (GSKADMIN), the key database itself, and the Byte File System configuration used to maintain this database are not affected by the "SSL Server Performance and Scalability Enhancements" PTF. No changes to these resources are required to install or use these enhancements.

   SSL Server Pool (Multiple Server) and Single-Instance SSL Server Configurations

With the introduction of the "SSL Server Performance and Scalability Enhancements," secure communications support now can be provided via one of the following SSL configurations:

  • a single-instance SSL server
  • a server "pool," for which multiple SSL servers are employed.

Consult the SSL Server Pool (Multiple Server) / Single-Instance SSL Server Configuration Considerations page for more information about these configurations, and considerations for determining which might be most applicable for a given z/VM installation.

   Required z/VM System and TCP/IP Configuration Changes

To assist with planning and implementing the z/VM system and TCP/IP configuration changes required to utilize the "SSL Server Performance and Scalability Enhancements," a utility program (SSLPOOL) is provided (in sample form) by the PTF for APAR PK97437.

Instructions for using this utility are provided on the System Preparation and Installation Instructions page, which also includes information about creating and preparing the SSLDCSSM and SSL server pool user IDs.

Note:
Ensure all appropriate z/VM system and TCP/IP configuration changes are complete before the service provided by the aforementioned PTF is placed into production.

   Reference Information

Use the links that follow for detailed information and documentation about changes to TCP/IP for z/VM that are introduced with the "SSL Server Performance and Scalability Enhancements" PTF.

Server Definition and Configuration Changes

New and Changed Commands

New and Changed Messages

Miscellaneous Updates