© 2023 IBM Corporation 1
z/OS Communications Server
Technical Update
Mike Fitzpatrick – mfitz@us.ibm.com
Sam Reynolds - samr@us.ibm.com
May 17, 2023
Enterprise Network Solutions Customer Advocate Program
PDF available on Slideshare:
https://ibm.biz/zOS31CS
Agenda
• Network security enhancements
• FTP Server JES access control
• AT-TLS currency with System SSL
• zERT Network Analyzer enhanced upgrade support
• z/OS UNIX syslogd support for secure logging over TCP
• Networking support for z/OS containers
• Communications Server support for RoCE Express3
• Communications Server exploitation of the IBM Function Registry for z/OS
• Function removals
• Additional Information
• Appendix
• Functional removal statements of direction for V2R5 removals
IBM's statements regarding its plans, directions, and intent are subject
to change or withdrawal without notice at IBM's sole discretion.
Information regarding potential future products is intended to outline our
general product direction and it should not be relied on in making a
purchasing decision. The information mentioned regarding potential
future products is not a commitment, promise, or legal obligation to
deliver any material, code, or functionality. Information about potential
future products may not be incorporated into any contract. The
development, release, and timing of any future features or functionality
described for our products remain at our sole discretion.
Network Security
Enhancements
FTP Server JES
Access Control
JES interface support in the z/OS FTP server
[Diagram: FTP-based RJE to z/OS. The z/OS FTP server exposes JES to the FTP client: PUT submits a job, DIR queries job status, GET retrieves job output]
JES interface characteristics
• All JES types (Jobs, started tasks, TSO, APPC)
• Details on DIR command output for jobs in input, active, or output status
• JESINTERFACELEVEL determines whether FTP users have access to jobs matching their logged-in user ID plus one character (JESINTERFACELEVEL=1, the default) or broader access (JESINTERFACELEVEL=2).
• Filtering and access based on SAF interface
• Filtering of jobs controlled via three SITE options:
– JESJOBNAME (default <userID>*)
– JESOWNER (default <userID>)
– JESSTATUS
FTP JES interface - Sample DIR command output
ftp> quote site filetype=jes jesjobname=testjob*
200 SITE command was accepted
ftp> dir
200 Port request OK.
125 List started OK for JESJOBNAME=TESTJOB*, JESSTATUS=ALL and JESOWNER=USER1
JOBNAME JOBID OWNER STATUS CLASS
TESTJOB1 JOB00051 USER1 OUTPUT A RC=000 4 spool files
TESTJOB2 JOB00050 USER1 OUTPUT A RC=000 4 spool files
TESTJOB2 JOB00049 USER1 OUTPUT A ABEND=806 3 spool files
TESTJOB2 JOB00048 USER1 OUTPUT A (JCL error) 3 spool files
TESTJOB4 JOB00055 USER1 INPUT A -DUP-
TESTJOB4 JOB00054 USER1 ACTIVE A
TESTJOB3 JOB00053 USER1 ACTIVE A
TESTJOB2 JOB00052 USER1 ACTIVE A
250 List completed successfully.
ftp: 500 bytes received in 0.22Seconds 2.27Kbytes/sec.
ftp>
FTP Server JES interface
§ Some security experts have expressed concern over this interface
§ There are existing mechanisms to control access to FTP JES mode:
• SAF JESJOBS and JESSPOOL classes (with FTP
JESINTERFACELEVEL 2)
• FTP server exits (FTCHKJES, FTCHKCMD)
- Many customers do not like solutions based on the use of exits
§ Customers have requested a simple way to disable FILETYPE=JES, or at
least limit the users who can access it
• RFE 125660 Increasing Security and Control for FTP JES Interface
- Aha! Idea ZOS-I-482
- 54 votes
FTP Server JES interface
§ A SERVAUTH class resource is added to z/OS V2R3-V2R5 via APAR PH42618 to explicitly control user access to FTP JES mode:
EZB.FTP.sysname.ftpdaemonname.ACCESS.JES
§ Permission to this resource allows a user to enter JES mode. Without it, any attempt to enter JES mode is rejected:
200 – User username is not allowed to use FILETYPE=JES
§ This new resource is NOT a replacement for the JESJOBS or JESSPOOL classes! Those classes (and FTP JESINTERFACELEVEL 2) should still be implemented as they control JES access well beyond FTP
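As an added example (not from the deck), the RACF commands a security administrator would issue to gate FTP JES mode on the new SERVAUTH resource. SYSA (system name), FTPD1 (FTP daemon job name) and JESOPS (group) are placeholders; the SERVAUTH class is assumed to be active and RACLISTed, and READ access is assumed to be the level the check requires.

```tso
/* Added example, not from the deck. SYSA = placeholder system name,      */
/* FTPD1 = placeholder FTP daemon job name, JESOPS = placeholder group.   */
/* Define the resource with no default access: any user without a        */
/* permit gets "User username is not allowed to use FILETYPE=JES".       */
RDEFINE SERVAUTH EZB.FTP.SYSA.FTPD1.ACCESS.JES UACC(NONE)
/* Grant JES mode only to the group that legitimately submits jobs via FTP */
PERMIT EZB.FTP.SYSA.FTPD1.ACCESS.JES CLASS(SERVAUTH) ID(JESOPS) ACCESS(READ)
/* Make the new profile effective (assumes SERVAUTH is already RACLISTed) */
SETROPTS RACLIST(SERVAUTH) REFRESH
```

This profile only decides who may enter JES mode; JESJOBS and JESSPOOL profiles (with JESINTERFACELEVEL 2) still decide which jobs and spool files a permitted user can submit, view or retrieve.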
AT-TLS Currency
with System SSL
AT-TLS currency - Support for x25519 and x448 KEX under TLSv1.2
§ System SSL provides support for:
• x25519 and x448 elliptic curves (ecurves) key exchange for TLSv1.0, TLSv1.1,
and TLSv1.2 protocols
• Option to limit the TLS server’s allowable ecurves
§ AT-TLS is exposing this functionality through AT-TLS configuration
parameters
AT-TLS currency - Support for x25519 and x448 KEX under TLSv1.2 …
§ AT-TLS allows elliptic curves x25519 and x448 to be used in key
exchange negotiation during handshake process for TLSv1.0, TLSv1.1,
and TLSv1.2 protocol
§ An AT-TLS server also has the ability to limit the curve list it uses for key exchange negotiation
§ This function is available in z/OS V2R5 with APAR PH45902
• System SSL APAR (OA61783) is required
• NCA APAR PH47400 provides the ability to configure the new parameters for
V2R5
AT-TLS currency – TLSv1.3 sysplex session ticket caching
§ Up through TLSv1.2 System SSL supported sysplex-wide Session ID
(SID) caches
§ TLSv1.3 protocol supports session resumption through a different
approach
• Uses “session tickets” that contain all the information the server needs to
resume a TLSv1.3 session
• No server-side cache
• Client caches one-time-use “session tickets” returned by server
• Session ticket is encrypted and decrypted by server using AES
• To perform an abbreviated handshake, the client sends a Client Hello message
to the server that contains a cached session ticket from the client cache
• If the server recognizes the ticket and can successfully decrypt it, it continues
with the abbreviated handshake with many of the same advantages seen in
previous TLS versions
§ AT-TLS supported TLSv1.3 beginning in V2R4 including support for
session resumption using session tickets but only within the scope of a
single application address space. There was no sysplex-wide support.
AT-TLS currency – TLSv1.3 sysplex session ticket caching …
§ System SSL is adding sysplex-wide support for TLSv1.3 session tickets
§ AT-TLS is exposing this functionality through AT-TLS configuration
parameters
• To enable sysplex-wide TLSv1.3 session ticket caching for an AT-TLS server
- Configure the new AT-TLS parameter GSK_SYSPLEX_SESSION_TICKET_CACHE
on the TTLSGskAdvancedParms statement
- Optionally configure GSK_SESSION_TICKET_CLIENT_MAXCACHED parameter on
the client to specify the maximum number of session tickets that are allowed to be
cached by the client for each unique TLSv1.3 session
- Can also be configured through the NCA
- GSKSRVR task must be started for all systems in the sysplex that require TLS
session resumption
zERT Network
Analyzer Enhanced
Upgrade Support
Background: Encrypting TCP/IP network traffic on z/OS
z/OS provides 4 mechanisms to cryptographically
protect TCP/IP traffic:
TLS/SSL direct usage
• Application is explicitly coded to use these
• Configuration and auditing is unique to each application
• Per-session protection
• TCP only
Application Transparent TLS (AT-TLS)
• TLS/SSL applied in TCP layer as defined by policy
• Configured in AT-TLS policy via Configuration Assistant
• Auditing through SMF 119 records
• Typically transparent to application
• TCP/IP stack is user of System SSL services
Virtual Private Networks using IPSec and IKE
• “Platform to platform” encryption
• IPSec implemented in IP layer as defined by policy
• Auditing via SMF 119 records at tunnel level only
• Completely transparent to application
• Wide variety (any to all) of traffic is protected
• IKE negotiates IPSec tunnels dynamically
Secure Shell using z/OS OpenSSH
• Mainly used for sftp on z/OS, but also offers secure terminal
access and TCP port forwarding
• Configured in ssh configuration file and on command line
• Auditing via SMF 119 records
• TCP only
[Diagram: the four mechanisms shown as numbered layers of the z/OS Communications Server TCP/IP stack. (1) TLS/SSL used directly by the application: MQ, CICS, Connect:Direct, … via System SSL, and WAS and Java applications via JSSE. (2) AT-TLS, where the TCP/IP stack uses System SSL on behalf of applications such as DB2, CICS, IMS Connect, Guardium, FTP, TN3270, JES/NJE, RACF RRSF, …. (3) IPSec/IKE VPN, protecting any application or subsystem between systems. (4) OpenSSH, protecting sftp and TCP applications using port forwarding]
Background (cont)
Given all these mechanisms, configuration methods and variation in audit detail…
§ How can I tell…
• Which traffic is being protected (and which is not)?
• How is that traffic being protected?
- Security protocol?
- Protocol version?
- Cryptographic algorithms?
- Key lengths?
- …and so on
• Who does the traffic belong to, in case I need to follow up with them?
§ How can I ensure that new configurations adhere
to my company’s security policies?
§ Once I’ve answered the above questions, how can
I provide the information to my auditors or
compliance officers?
§ Many factors driving these questions:
• Regulatory compliance (corporate, industry,
government)
• Vulnerabilities in protocols and algorithms
• Internal audits
• …and so on
Introducing z/OS Encryption Readiness Technology (zERT)
§ zERT Discovery
• SMF 119 subtype 11 “zERT Connection Detail” records
• These records describe the complete cryptographic protection history of each TCP and EE connection
• At least one record is written for each connection - and each describes all cryptographic protection for that connection
• Well suited for real-time monitoring applications
• Depending on your z/OS network traffic, these could be generated in very high volume
§ zERT Aggregation
• SMF 119 subtype 12 “zERT Summary” records
• These records describe the repeated use of security sessions over time
• Writes one zERT Summary record at the end of each recording interval for each security session active during the interval
• Well suited for reporting and analysis
• Can greatly reduce the volume of SMF records (over Discovery) while providing the same level of cryptographic detail
§ zERT Network Analyzer
• Web-based (z/OSMF) UI to query and analyze zERT Summary (subtype 12) records
• You can just install the latest network analyzer PTF – each one contains an up-to-date fresh install image
• Intended for z/OS network security administrators (typically systems programmers)
zERT Network Analyzer (zNA)
[Diagram: SMF type 119 subtype 12 records from each system are dumped to SMF dump data sets by IFASMFDP or IFASMFDL and loaded by IBM zERT Network Analyzer (running in z/OSMF Liberty on z/OS) into a Db2 for z/OS 11 or later database; query results can be exported to a .csv file]
IBM zERT Network Analyzer consumes only SMF type 119 subtype 12 “zERT Summary” records.
Users can build queries with scope and security filters:
• Scope filters: Sysplex / system / stack, IP addresses / server port, z/OS role (client or server) and range of dates
• Security filters: crypto protocol, protocol version, crypto algorithms and key lengths, etc.
Query results contain the zERT summary data for the range of time specified in the query and can be exported as a CSV file to the z/OS UNIX file system.
zERT Network Analyzer Enhanced Upgrade Support
§ When upgrading zNA to releases prior to 3.1:
• Database connection and application settings need to be manually copied
from one release to another
• Previous releases required the creation of a new IBM zERT Network
Analyzer database instead of reusing an existing database.
zERT Network Analyzer Enhanced Upgrade Support …
§ z/OS 3.1 will provide easier migration of the zNA settings and database
• New panel to reset or import zNA application settings from a prior release
- Prior to 3.1, application settings needed to be manually copied from one release to another.
• New panel to import zNA database connection settings from a prior release
- Prior to 3.1, database connection settings needed to be manually copied from one release to another.
• New DDL templates to facilitate migrating the IBM zERT Network Analyzer database to a current schema level
z/OS Encryption Readiness Technology
zERT policy-based enforcement – new in z/OS V2R5
- Enforce local network encryption standards for TCP traffic in real-time.
- Policy-based rules you build in the Network Configuration Assistant describe acceptable or unacceptable levels of cryptographic protection along with the actions to take when TCP connections match those rules.
What are users saying about zERT?
- “We're building self-serve capability for each business unit with zERT data as the basis for monitoring security of the mainframe.”
- “We use zERT data for compliance checks.”
- “zERT has given us the upper hand in monitoring mainframe connection security.”
Visit Things you should know about zERT on IBM Community and discover blogs, product documentation, videos, event information, webinars, and presentations about zERT.
Visit z/OS Communications Server on IBM Community: https://ibm.biz/cscommunity
z/OS UNIX syslogd
support for secure
logging over TCP
What is syslogd?
syslogd (syslog daemon) – A server process running in the z/OS UNIX environment
• System applications and components can use syslogd for logging messages and
capturing debug information
Controlled by defining rules in a configuration file called /etc/syslog.conf
• Rules define how messages and debug info are received by syslogd
– Local applications write to syslogd using syslog() API
– List of remote hosts permitted to send messages and debug info
• Rules define where messages and debug info received by syslogd are to be
written
– Local file(s)
– SMF (record type 109)
– Remote destination(s)
syslogd network communication
(1) Local communication over AF_UNIX sockets
(2) Remote hosts communicate over UDP sockets
(3) Remote destinations are reached over UDP sockets
[Diagram: on the z/OS host, applications write to syslogd over AF_UNIX (1); syslogd on remote hosts sends messages to the z/OS syslogd over UDP (2); the z/OS syslogd forwards to syslogd on remote destinations over UDP (3)]
UDP is an unreliable transport; securing it requires deploying a Virtual Private Network (VPN) using IPSec.
syslogd network communication using TCP
New in 3.1!
• Rules in the syslogd configuration file determine what transport to use (UDP or TCP) for remote hosts and remote destinations
• Rules can also be specified to require encryption of network communication using TLS
[Diagram: same topology as the previous chart, with local applications reaching syslogd over AF_UNIX and remote hosts and remote destinations now reached over UDP or TCP]
Networking Support
for z/OS Containers
z/OS Containers Disclaimer
§ Communications Server support for z/OS Containers is a post-3.1 GA
deliverable
§ All content being discussed is subject to change
Evolution of Application Deployment
[Diagram: Physical Servers → Virtualized Servers → Servers with Containers]
Kubernetes Definitions
Kubernetes (K8s) - An open-source system for automating deployment, scaling, and management of containerized applications
• Groups containers that make up an application into logical units (called Pods) for easy management and discovery
Node - Virtual or physical servers where one or more Pods can be scheduled
• A control plane node hosts the Kubernetes Control Plane that controls and manages the whole Kubernetes system
− Runs the API Server, Scheduler, Controller Manager, and etcd (data store for cluster configuration)
• A worker node runs the containerized applications being deployed
− Runs the container runtime, kubelet (communicates with API Server), and z/OS CNI
Cluster: A control plane node and zero or more worker nodes
[Diagram: the control plane node (on the z/OS Control Plane Appliance) runs the API Server, Scheduler, Controller Manager and etcd, driven from the kubectl CLI; each worker node (on z/OS) runs cri-o, kubelet and zos-cni and hosts Pods (Pod1, Pod2, Pod3) containing one or more containers]
z/OS Containers positioning
Linux on zSystems Containers
• Provide a container-based cloud native development and deployment experience for Linux on Z software
• Intended for Linux workloads that benefit from consolidation and other IBM Z QoS.
• Available today
z/OS Container Extensions (zCX)
• Similar to Linux on zSystems containers
• Integrated, z/OS managed hosting environment for Linux on Z containers deployed in support of z/OS workloads or data
• Available in z/OS 2.4
z/OS Containers
• Provide container-based cloud native development and deployment experience for z/OS software
• Intended to support all native z/OS application hosting environments (CICS, IMS, WebSphere, z/OS UNIX, Node.js, etc…)
• Statement of Direction
z/OS Containers networking
[Diagram: three z/OS systems. The control plane node runs on the z/OS Control Plane Appliance at 10.10.10.1; one z/OS worker node hosts Pod1 (10.10.21.1) and Pod2 (10.10.21.2); the other hosts Pod1 (10.10.22.1) and Pod2 (10.10.22.2). Each stack defines the addresses with a VIPARANGE statement:]
Control plane node system:
VIPADYNAMIC
VIPARANGE 255.255.255.255 10.10.10.1 ZCPA
ENDVIPADYNAMIC
Worker node system (pods 10.10.21.x):
VIPADYNAMIC
VIPARANGE 255.255.255.0 10.10.21.0 ZCONTAINER
ENDVIPADYNAMIC
Worker node system (pods 10.10.22.x):
VIPADYNAMIC
VIPARANGE 255.255.255.0 10.10.22.0 ZCONTAINER
ENDVIPADYNAMIC
Learn more about networking support for z/OS containers
§ For more details, stay tuned for a future CAP education session dedicated
to z/OS containers
Communications
Server Support for
RoCE Express3
Shared Memory Communications over RDMA (SMC-R)
[Diagram: clustered systems, each a virtual server instance with its own OS image, sockets layer and SMC layer, sharing memory across RDMA-enabled (RoCE) RNICs; one side acts as server, the other as client]
RDMA technology provides the capability to allow hosts to logically share memory. The SMC-R protocol defines a means to exploit the shared memory for communications - transparent to the applications!
SMC-R is an open sockets over RDMA protocol that provides transparent exploitation of RDMA (for TCP based applications) while preserving key functions and qualities of service from the TCP/IP ecosystem that enterprise level servers/network depend on!
IETF RFC for SMC-R:
http://www.rfc-editor.org/rfc/rfc7609.txt
Dynamic Transition from TCP/IP to SMC-R
[Diagram: z/OS System A and z/OS System B, each with Middleware/Application, Sockets, TCP, IP and Interface layers over an OSA (IP network, Ethernet) and a RoCE adapter (RDMA network); SMC-R sits alongside TCP]
• TCP connection establishment over IP: TCP SYN flows (with TCP Options indicating SMC-R capability)
• Dynamic (in-line) negotiation for SMC-R is initiated by the presence of the TCP Options
• The TCP connection transitions to SMC-R, allowing application data to be exchanged using RDMA over the RoCE network
SMC Version 2 for SMC-R: SMC-Rv2 (“Routable RoCE”) (V2R5)
• SMC V2 connections are not restricted to the same IP subnet
• SMC V2 / RoCEv2 traffic now crosses IP routers - encapsulated in UDP/IP packets, so it is IP routable
• RoCEv2 is no longer limited to a LAN
• RoCEv2 uses UDP port 4791 (must be open)
[Diagram: z/OS images in CPC-A on IP subnet A and z/OS images in CPC-B on IP subnet B, connected across Layer 3 networks rather than a single Layer 2 network]
RoCE Express3
§ Technology refresh
§ Dual ports (10GbE or 25GbE)
§ RoCE Express3 features can be shared across LPARs (SR-IOV)
§ 63 virtual functions (VFs) per physical port
§ Maximum of 16 features per CPC
§ Supports RoCEv1 and RoCEv2
§ Provides improved performance and RAS
Communications Server
Exploitation of the IBM
Function Registry for z/OS
CS exploitation of the IBM Function Registry for z/OS
§ IBM Function Registry for z/OS provides information about the usage of functions registered with it.
§ In z/OS 3.1, Communications Server makes usage statistics for a customer’s SNA applications and sessions available in the IBM Function Registry.
§ The information obtained can help customers better understand their SNA application usage.
CS exploitation of the IBM Function Registry for z/OS …
§ High-water mark for SNA Open ACB and associated session counts is
collected.
§ Function Registry is updated with metrics at 5-minute timer intervals
§ SNA usage data can provide insight into the extent of SNA application
activity in the network
§ The function information can be displayed using IBM Function Registry for
z/OS utilities/commands
• FXEPRINT utility located in SYS1.SAMPLIB (see the example on the next two charts)
• Display FXE command
§ Also available on z/OS CS V2R4 and V2R5 via APAR OA63555. This
APAR has a dependency on BCP Function Registry APAR OA63360.
CS exploitation of the IBM Function Registry for z/OS …
§ Sample output from FXEPRINT:
---------------------------------------------------------------------
Vendor Name: IBM
Vendor Description: International Business Machines Corporation
Vendor Slot Path: VS(1)
---------------------------------------------------------------------
Product Name: z/OS Communications Server
Product Release: 03.01.00
Product ID: HVT6310
Instance ID: VTAMCS
Product Description: VTAM
Product Slot Path: VS(1) PS(1,-)
Product Parent: IBM
Product Attributes:
Attribute Name: Counters Last Updated On
Attribute Value: 10/28/22 13:19:54
---------------------------------------------------------------------
…
CS exploitation of the IBM Function Registry for z/OS …
Function Name: SNA - General
Function Description: General SNA Information
Function Slot Path: VS(1) PS(1,-) FS(1,AUTHONLY)
Function Parent: z/OS Communications Server
Function Used: YES
Function Enabled: YES
Function Attributes:
Attribute Name: Maximum number of RAPI only applications
Attribute Value: 114
Attribute Name: Maximum number of APPC capable applications
Attribute Value: 16
Attribute Name: Maximum number of TSO applications
Attribute Value: 2
Attribute Name: Maximum number of TN3270 applications
Attribute Value: 7
Attribute Name: Maximum number of RAPI sessions
Attribute Value: 20
Attribute Name: Maximum number of APPC sessions
Attribute Value: 36
Attribute Name: Maximum number of TSO sessions
Attribute Value: 1
Attribute Name: Maximum number of TN3270 sessions
Attribute Value: 5
--------------------------------------------------------------
Function Removals
Function removals in z/OS 3.1
§ Several functions were removed from Communications
Server in z/OS 3.1:
• Withdrawal of support for VTAM® Link Station Architecture (LSA) and
TCP/IP LAN Channel Station (LCS) devices
• Removal of OSA DEVICE/LINK/HOME configuration support
§ The statements of direction for these removals are included on the
following charts
Statement of Direction: Withdrawal of support for VTAM®
Link Station Architecture (LSA) and TCP/ IP LAN Channel
Station (LCS) devices (Issued July 27, 2021)
As stated in Hardware Announcement 121-029, dated May 4, 2021, many IBM
clients continue to rely on Systems Network Architecture (SNA) applications for
mission-critical workloads, and IBM has no plans to discontinue support of the
SNA protocol, including the SNA APIs. However, IBM support for the SNA protocol
being transported natively out of the server using OSA Express 1000BASE-T
adapters configured as channel type “OSE” will be eliminated in a future hardware
system family. With the support for OSE planned to be discontinued, support for
the related VTAM and TCP/IP device drivers is also planned to be discontinued.
IBM intends z/OS V2.5 to be the last z/OS release to provide support for LSA
(SNA) and LCS (TCP/IP) devices. z/OS systems that have workloads that rely on
the SNA protocol and utilize OSE networking channels as the transport should be
updated to make use of some form of SNA over IP technology, where possible,
such as Enterprise Extender.
• A migration health check is provided to identify if VTAM Link Station Architecture (LSA) devices are in use. These devices are configured with MEDIUM=CSMACD in the XCA major node PORT statement. This health check is available with SNA APAR OA62208 on z/OS V2R3, V2R4, and V2R5.
Statement of Direction: Removal of OSA
DEVICE/LINK/HOME configuration support (Issued July 27,
2021)
z/OS V2.5 is planned to be the last z/OS release to provide support
for the TCP/IP profile statements DEVICE, LINK, and HOME for OSA
connectivity. All z/OS users who currently use DEVICE, LINK, or
HOME for OSA connectivity should migrate to the INTERFACE
statement for defining OSA Express connectivity in their TCP/IP
profile.
• A migration health check is provided to identify if TCP/IP profile statements
DEVICE, LINK, and HOME for OSA-Express connectivity are in use. This
health check is available with SNA APAR OA62208 and TCP/IP APAR
PH40875 on z/OS V2R3, V2R4, and V2R5.
• For guidance, refer to the z/OS Communications Server IP Configuration
Guide topic “Steps for converting from IPv4 IPAQENET DEVICE, LINK, and
HOME definitions to the IPv4 IPAQENET INTERFACE statement”.
Additional Information
Additional recent Communications Server deliveries
• Support for SMF compliance evidence (z/OS V2R4 and V2R5)
• z/OS® Communications Server with APAR PH37372 generates new SMF type 1154 records that provide compliance evidence for the TCP/IP stack (subtype 1), FTP daemon (subtype 2), TN3270E Telnet server (subtype 3), and CSSMTP client (subtype 4).
• See the z/OS Communication Server New Function APAR Summary pages for more information, including dependencies and restrictions
Additional recent Communications Server deliveries …
• IBM zERT Network Analyzer passphrase and password management support (z/OS V2R3, V2R4, and V2R5)
• The IBM zERT Network Analyzer with APAR PH43119 (z/OS V2R4 and V2R5) or APAR PH43118 (z/OS V2R3) supports the use of passphrases up to 100 characters to connect to the Db2 for z/OS database. The IBM zERT Network Analyzer includes additional enhancements in the Database Settings panel to clear existing database credentials to allow for easier switching to a different database user ID.
• See the z/OS Communication Server New Function APAR Summary pages for more information, including dependencies and restrictions
The IBM Ideas Portal
§ A New Way to Submit Ideas
The IBM Ideas Portal provides a new way for
customers, business partners and IBMers to suggest
changes to our products and services, replacing the
Request for Enhancements (RFE) process.
§ Why is it changing?
The IBM Ideas Portal is a single, company-wide portal, which will improve your experience by providing you with:
- a single view into your ideas
- an easier way to track them
- the ability to collaborate with users, partners and IBMers around the world.
§ For more details about the
migration, visit www.ibm.com/ideas
The new IBM Software Ideas portal for mainframe hardware and operating systems:
https://ibm-z-hardware-and-operating-systems.ideas.ibm.com/?project=ZOS
§ Use ideas.ibm.com to:
- Submit new ideas
- View the status of ideas you have
previously submitted
- Vote, comment or subscribe to others’
ideas
- View the status of ideas you have
previously voted or commented on, or
subscribed to
New function APAR summary web pages
• We maintain web pages that provide a summary of the new function APARs available for each release:
• Includes a summary of the function, a link to the APAR, and a link to the function documentation
• V2R4: https://www.ibm.com/support/pages/zos-v2r4-communication-server-new-function-apar-summary
• V2R5: https://www.ibm.com/support/pages/zos-v2r5-communication-server-new-function-apar-summary
White paper on OSA-Express best practices
http://ibm.biz/OSACSBP
This white paper is provided for the purpose of aiding IBM z/OS
customers by providing a general set of considerations (a checklist) for
guidance focused on configuring OSA-Express for optimizing network
performance.
IBM z/OS Communications Server
and OSA-Express Best Practices
V2R5: z/OS Communications Server Performance Summary Report
https://ibm.biz/zcsv2r5perfsummary
z/OS CS Performance Summary Reports for all releases are available in the “z/OS Communications Server Performance Index” at:
https://www.ibm.com/support/pages/zos-communications-server-performance-index
Digital Badges & Online Courses
Start your free IBM online learning and earn IBM open badges!
Networking on z/OS - Foundations
Foundational understanding of networking on z/OS.
• IBM Open Badge: https://ibm.biz/zosnetworkingbadge
• Online course: https://ibm.biz/zosnetworkingcourse
z/OS TCP/IP Configuration with NCA
Use the IBM Configuration Assistant for z/OS Communications Server (NCA) to create and manage TCP/IP profiles.
• IBM Open Badge: http://ibm.biz/NCAbadge
• Online course: http://ibm.biz/NCATCPIPcourse
z/OS Network Security - Foundations
Knowledge and foundational understanding of z/OS network security.
• IBM Open Badge: http://ibm.biz/zosnetsecuritybadge
• Online course: http://ibm.biz/zosnetsecuritycourse
zERT Policy Enforcement Configuration with NCA
Configure zERT Policy Enforcement using the IBM Configuration Assistant for z/OS Communications Server (NCA).
• IBM Open Badge: http://ibm.biz/NCA_zERTbadge
• Online course: http://ibm.biz/NCA_zERTcourse
TCP/IP on z/OS Essentials - Level 1
General knowledge and understanding of TCP/IP on z/OS, including network layers, protocols at each layer, and the hardware that facilitates the transport of data.
• IBM Open Badge: http://ibm.biz/tcpipl1badge
• Online course: https://ibm.biz/tcpipl1course
Join Us on the
IBM Community!
The z/OS Communications Server page on the IBM
Community provides rich and up-to-date technical
content including blogs, videos, and event
information.
Join us at our new home:
https://www.ibm.com/community/z/software/comm-server/
Thank You!
Any Questions?
Mike Fitzpatrick
STSM, CPO for Communications Server, Lead Architect Multi-site
Workload Lifeline. Performance & Design
mfitz@us.ibm.com
Sam Reynolds
Enterprise Networking Solutions - Architecture, Design, and Strategy
samr@us.ibm.com
PDF available on Slideshare:
https://ibm.biz/zOS31CS
Appendix
• Functional removal statements of direction for V2R5
removals
Functional Removal
Statements of Direction
for V2R5 Removals
Statement of Direction: Removal of native TLS/SSL support from TN3270E Telnet server, FTP server, and DCAS (Issued July 23, 2019)
z/OS V2.4 is planned to be the last release in which the z/OS TN3270E Telnet server, FTP server, and Digital Certificate Access Server (DCAS) will support direct invocation of System SSL APIs for TLS/SSL protection. In the future, the only TLS/SSL protection option for these servers will be Application Transparent Transport Layer Security (AT-TLS). The direct System SSL support in each of these components is functionally outdated and only supports TLS protocols up through TLSv1.1. IBM recommends converting your TN3270E Telnet, FTP server, and DCAS configurations to use AT-TLS, which supports the latest System SSL features, including the TLSv1.2 and TLSv1.3 protocols and related cipher suites. Note that while native TLS/SSL support for the z/OS FTP client is not being withdrawn at this time, no future enhancements are planned for that support. IBM recommends using AT-TLS to secure FTP client traffic.
§ A migration health check to alert users of the native TLS/SSL support in the TN3270E server, the FTP server and DCAS to the coming removal of that support will be available via APARs OA59022, OA58255, PH21573, and PH16144.
Statement of Direction: Removal of policy data import function from the Network Configuration Assistant (Issued July 23, 2019)
z/OS V2.4 will be the last release in which the Network Configuration Assistant (NCA) z/OSMF plug-in supports the policy data import function, which allows you to import existing Policy Agent configuration files into the Network Configuration Assistant. After z/OS V2.4, import of policy configuration files will no longer be supported for the AT-TLS, IPSec, PBR, and IDS technologies. Import of TCP/IP profiles into NCA is not affected.
Statement of Direction: Withdrawal of Support for CMIP (Issued February 26, 2019)
z/OS V2.4 is planned to be the last release to support the VTAM Common Management Information Protocol (CMIP). CMIP services is an API that enables a management application program to gather various types of SNA topology data from a CMIP application called the topology agent that runs within VTAM. IBM recommends using the SNA network monitoring network management interface (NMI) to monitor SNA Enterprise Extender and High Performance Routing data.
• A migration health check to alert CMIP users to the coming removal is available via APARs OA57227 (V2R2, V2R3) and OA57753 (V2R4).
Note: IBM has announced that IBM Z NetView V6.3 will be the last release to support the SNA Topology Manager (the main consumer of CMIP data).
Statement of Direction: Removal of Sysplex Distributor support for workload balancing to IBM DataPower® Gateway products (Issued July 23, 2019)
z/OS V2.4 is the last release to support Sysplex Distributor target controlled distribution to DataPower Gateway products. This feature is deprecated in the DataPower Gateway. IBM recommends that you implement another solution for workload balancing, such as an external load balancer. This removal does not impact any other Sysplex Distributor functions, only configurations that have TARGCONTROLLED specified on the VIPADISTRIBUTE statement.
Notices and disclaimers
— © 2023 International Business Machines Corporation. No part of this document may be reproduced or transmitted in any form without written permission from IBM.
— U.S. Government Users Restricted Rights — use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
— Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. This document is distributed "as is" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted per the terms and conditions of the agreements under which they are provided.
— IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply.
— Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
— Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
— References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
— Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
— It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer follows any law.
— Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM's products. IBM expressly disclaims all warranties, expressed or implied, including but not limited to, the implied warranties of merchantability and fitness for a purpose.
— The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
— IBM, the IBM logo, ibm.com and [names of other referenced IBM products and services used in the presentation] are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml
Trademarks
The following are trademarks of the International Business Machines Corporation in the United States and/or other countries: IBM*, IBM Logo*
* Registered trademarks of IBM Corporation
The following are trademarks or registered trademarks of other companies:
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.
Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries. Docker, Inc. and other parties may also have trademark rights in other terms used herein.
* All other products may be trademarks or registered trademarks of their respective companies.
Notes:
Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.
This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area.
All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
z/OS Communications Server Technical Update

z/OS Communications Server Technical Update

  • 1.
    © 2023 IBMCorporation 1 z/OS Communications Server Technical Update Mike Fitzpatrick – mfitz@us.ibm.com Sam Reynolds - samr@us.ibm.com May 17, 2023 Enterprise Network Solutions Customer Advocate Program PDF available on Slideshare: https://ibm.biz/zOS31CS
  • 2.
    © 2023 IBMCorporation 2 Agenda • Network security enhancements • FTP Server JES access control • AT-TLS currency with System SSL • zERT Network Analyzer enhanced upgrade support • z/OS UNIX syslogd support for secure logging over TCP • Networking support for z/OS containers • Communications Server support for RoCE Express3 • Communications Server exploitation of the IBM Function Registry for z/OS • Function removals • Additional Information • Appendix • Functional removal statements of direction for V2R5 removals
  • 3.
    © 2023 IBMCorporation 3 IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remain at our sole discretion.
  • 4.
    © 2023 IBMCorporation 4 Network Security Enhancements
  • 5.
    © 2023 IBMCorporation 5 FTP Server JES Access Control
  • 6.
    © 2023 IBMCorporation 6 JES interface support in the z/OS FTP server Submit Job Retrieve output Query status JES Job PUT DIR GET z/OS FTP Server JES interface characteristics •All JES types (Jobs, started tasks, TSO, APPC) •Details on DIR command output for jobs in input, active, or output status •JESINTERFACELEVEL determines whether FTP users have access to jobs matching their logged-in user ID plus one character (JESINTERFACELEVEL=1, the default) or broader access (JESINTERFACELEVEL=2). •Filtering and access based on SAF interface •Filtering of jobs controlled via three SITE options: –JESJOBNAME (default <userID>*) –JESOWNER (default <userID>) –JESSTATUS FTP-based RJE to z/OS
  • 7.
    © 2023 IBMCorporation 7 FTP JES interface - Sample DIR command output ftp> quote site filetype=jes jesjobname=testjob* 200 SITE command was accepted ftp> dir 200 Port request OK. 125 List started OK for JESJOBNAME=TESTJOB*, JESSTATUS=ALL and JESOWNER=USER1 JOBNAME JOBID OWNER STATUS CLASS TESTJOB1 JOB00051 USER1 OUTPUT A RC=000 4 spool files TESTJOB2 JOB00050 USER1 OUTPUT A RC=000 4 spool files TESTJOB2 JOB00049 USER1 OUTPUT A ABEND=806 3 spool files TESTJOB2 JOB00048 USER1 OUTPUT A (JCL error) 3 spool files TESTJOB4 JOB00055 USER1 INPUT A -DUP- TESTJOB4 JOB00054 USER1 ACTIVE A TESTJOB3 JOB00053 USER1 ACTIVE A TESTJOB2 JOB00052 USER1 ACTIVE A 250 List completed successfully. ftp: 500 bytes received in 0.22Seconds 2.27Kbytes/sec. ftp>
  • 8.
    © 2023 IBMCorporation 8 FTP Server JES interface § Some security experts have expressed concern over this interface § There are existing mechanisms to control access to FTP JES mode: • SAF JESJOBS and JESSPOOL classes (with FTP JESINTERFACELEVEL 2) • FTP server exits (FTCHKJES, FTCHKCMD) - Many customers do not like solutions based on the use of exits § Customers have requested a simple way to disable FILETYPE=JES, or at least limit the users who can access it • RFE 125660 Increasing Security and Control for FTP JES Interface - Aha! Idea ZOS-I-482 - 54 votes
  • 9.
    © 2023 IBMCorporation 9 FTP Server JES interface § A SERVAUTH class resource is added to z/OS V2R3-V2R5 via APAR PH42618 to explicitly control user access to FTP JES mode: § Permission to this resource allows a user to enter JES mode. Without it, any attempt to enter JES mode is rejected: § This new resource is NOT a replacement for the JESJOBS or JESSPOOL classes! Those classes (and FTP JESINTERFACELEVEL 2) should still be implemented as they control JES access well beyond FTP EZB.FTP.sysname.ftpdaemonname.ACCESS.JES 200 – User username is not allowed to use FILETYPE=JES
  • 10.
    © 2023 IBMCorporation 10 AT-TLS Currency with System SSL
  • 11.
    © 2023 IBMCorporation 11 AT-TLS currency - Support for x25519 and x448 KEX under TLSv1.2 § System SSL provides support for: • x25519 and x448 elliptic curves (ecurves) key exchange for TLSv1.0, TLSv1.1, and TLSv1.2 protocols • Option to limit the TLS server’s allowable ecurves § AT-TLS is exposing this functionality through AT-TLS configuration parameters
  • 12.
    © 2023 IBMCorporation 12 AT-TLS currency - Support for x25519 and x448 KEX under TLSv1.2 … § AT-TLS allows elliptic curves x25519 and x448 to be used in key exchange negotiation during handshake process for TLSv1.0, TLSv1.1, and TLSv1.2 protocol § AT-TLS server also has the ability limit its curve list used for key exchange negotiation § This function is available in z/OS V2R5 with APAR PH45902 • System SSL APAR (OA61783) is required • NCA APAR PH47400 provides the ability to configure the new parameters for V2R5
  • 13.
    © 2023 IBMCorporation 13 AT-TLS currency – TLSv1.3 sysplex session ticket caching § Up through TLSv1.2 System SSL supported sysplex-wide Session ID (SID) caches § TLSv1.3 protocol supports session resumption through a different approach • Uses “session tickets” that contain all the information the server needs to resume a TLSv1.3 session • No server-side cache • Client caches one-time-use “session tickets” returned by server • Session ticket is encrypted and decrypted by server using AES • To perform an abbreviated handshake, the client sends a Client Hello message to the server that contains a cached session ticket from the client cache • If the server recognizes the ticket and can successfully decrypt it, it continues with the abbreviated handshake with many of the same advantages seen in previous TLS versions § AT-TLS supported TLSv1.3 beginning in V2R4 including support for session resumption using session tickets but only within the scope of a single application address space. There was no sysplex-wide support.
  • 14.
    © 2023 IBMCorporation 14 AT-TLS currency – TLSv1.3 sysplex session ticket caching … § System SSL is adding sysplex-wide support for TLSv1.3 session tickets § AT-TLS is exposing this functionality through AT-TLS configuration parameters • To enable sysplex-wide TLSv1.3 session ticket caching for an AT-TLS server - Configure the new AT-TLS parameter GSK_SYSPLEX_SESSION_TICKET_CACHE on the TTLSGskAdvancedParms statement - Optionally configure GSK_SESSION_TICKET_CLIENT_MAXCACHED parameter on the client to specify the maximum number of session tickets that are allowed to be cached by the client for each unique TLSv1.3 session - Can also be configured through the NCA - GSKSRVR task must be started for all systems in the sysplex that require TLS session resumption
  • 15.
    © 2023 IBMCorporation 15 zERT Network Analyzer Enhanced Upgrade Support
  • 16.
    © 2023 IBMCorporation 16 Background: Encrypting TCP/IP network traffic on z/OS z/OS provides 4 mechanisms to cryptographically protect TCP/IP traffic: TLS/SSL direct usage • Application is explicitly coded to use these • Configuration and auditing is unique to each application • Per-session protection • TCP only Application Transparent TLS (AT-TLS) • TLS/SSL applied in TCP layer as defined by policy • Configured in AT-TLS policy via Configuration Assistant • Auditing through SMF 119 records • Typically transparent to application • TCP/IP stack is user of System SSL services Virtual Private Networks using IPSec and IKE • “Platform to platform” encryption • IPSec implemented in IP layer as defined by policy • Auditing via SMF 119 records at tunnel level only • Completely transparent to application • Wide variety (any to all) of traffic is protected • IKE negotiates IPSec tunnels dynamically Secure Shell using z/OS OpenSSH • Mainly used for sftp on z/OS, but also offers secure terminal access and TCP port forwarding • Configured in ssh configuration file and on command line • Auditing via SMF 119 records • TCP only TCP/IP Comm Server z/OS Application JSSE DB2, CICS, IMS Connect, Guardium, FTP, TN3270, JES/NJE, RACF RRSF, …. AT-TLS Protected Protected TLS/SSL System SSL System SSL 1 2 IPSec Systems Protected Any application or subsystem VPN IKE IPSec 3 Open SSH SSH Protected 4 MQ, CICS, Connect:Direct, … WAS, Java applications 1 2 3 4 sftp, TCP appls (port forwarding)
  • 17.
    © 2023 IBMCorporation 17 Background (cont) Given all these mechanisms, configuration methods and variation in audit detail… § How can I tell… • Which traffic is being protected (and which is not)? • How is that traffic being protected? - Security protocol? - Protocol version? - Cryptographic algorithms? - Key lengths? - …and so on • Who does on the traffic belong to in case I need to follow up with them? § How can I ensure that new configurations adhere to my company’s security policies? § Once I’ve answered the above questions, how can I provide the information to my auditors or compliance officers? § Many factors driving these questions: • Regulatory compliance (corporate, industry, government) • Vulnerabilities in protocols and algorithms • Internal audits • …and so on TCP/IP Comm Server z/OS Application DB2, CICS, IMS Connect, Guardium, FTP, TN3270, JES/NJE, RACF RRSF, …. AT-TLS Protected Protected TLS/SSL System SSL 2 IPSec Systems Protected Any application or subsystem VPN IKE IPSec 3 Open SSH SSH Protected 4 MQ, CICS, Connect:Direct, … WAS, Java applications sftp, TCP appls (port forwarding) JSSE System SSL 1
  • 18.
    © 2023 IBMCorporation 18 § zERT Discovery • SMF 119 subtype 11 “zERT Connection Detail” records • These records describe the complete cryptographic protection history of each TCP and EE connection • At least one record is written for each connection - and each describes all cryptographic protection for that connection • Well suited for real-time monitoring applications • Depending on your z/OS network traffic, these could be generated in very high volume § zERT Aggregation • SMF 119 subtype 12 “zERT Summary” records • These records describe the repeated use of security sessions over time • Writes one zERT Summary record at the end of each recording interval for each security session active during the interval • Well suited for reporting and analysis • Can greatly reduce the volume of SMF records (over Discovery) while providing the same level of cryptographic detail § zERT Network Analyzer • Web-based (z/OSMF) UI to query and analyze zERT Summary (subtype 12) records • You can just install the latest network analyzer PTF – each one contains an up-to-date fresh install image • Intended for z/OS network security administrators (typically systems programmers) Introducing z/OS Encryption Readiness Technology (zERT)
  • 19.
    © 2023 IBMCorporation 19 zERT Network Analyzer (zNA) SMF SMF SMF Db2 for z/OS 11 or later IBM zERT Network Analyzer z/OSMF Liberty z/OS SMF 119-12 .csv file SMF dump data sets generated by IFASMFDP or IFASMFDL IBM zERT Network Analyzer consumes only SMF type 119 subtype 12 “zERT Summary” records Users can build queries with scope and security filters: • Scope filters: Sysplex / system / stack, IP addresses / server port, z/OS role (client or server) and range of dates • Security filters: crypto protocol, protocol version, crypto algorithms and key lengths, etc. Contains zERT summary data for the range of time specified in the query Query results can be exported as a CSV file to z/OS UNIX file system
  • 20.
    © 2023 IBMCorporation 20 zERT Network Analyzer Enhanced Upgrade Support § When upgrading zNA to releases prior to 3.1: • Database connection and application settings need to be manually copied from one release to another • Previous releases required the creation of a new IBM zERT Network Analyzer database instead of reusing an existing database.
  • 21.
    © 2023 IBMCorporation 21 zERT Network Analyzer Enhanced Upgrade Support … § z/OS 3.1 will provide easier migration of the zNA settings and database • New panel to reset or import zNA application settings from a prior release - Prior to 3.1, application settings needed to be manually copied from one release to another. • New panel to import zNA database connection settings from a prior release - Prior to 3.1, database connection settings needed to be manually copied from one release to another. • New DDL templates to facilitate migrating IBM zERT Network Analyzer database to a current schema level
  • 22.
    © 2023 IBMCorporation 22 z/OS Encryption Readiness Technology - Enforce local network encryption standards for TCP traffic in real-time. - Policy-based rules you build in the Network Configuration Assistant describe acceptable or unacceptable levels of cryptographic protection along with the actions to take when TCP connections match those rules. zERT policy-based enforcement – new in z/OS V2R5 Visit Things you should know about zERT on IBM Community and discover blogs, product documentation, videos, event information, webinar, and presentations about zERT. - “We're building self-serve capability for each business unit with zERT data as the basis for monitoring security of the mainframe.” - “We use zERT data for compliance checks.” - “zERT has given us the upper hand in monitoring mainframe connection security.” What are users saying about zERT? Scan the QR code to visit z/OS Communications Server on IBM Community. (https://ibm.biz/cscommunity)
  • 23.
    © 2023 IBMCorporation 23 z/OS UNIX syslogd support for secure logging over TCP
  • 24.
    © 2023 IBMCorporation 24 What is syslogd? syslogd (syslog daemon) – A server process running in the z/OS UNIX environment • System applications and components can use syslogd for logging messages and capturing debug information Controlled by defining rules in a configuration file called /etc/syslog.conf • Rules define how messages and debug info are received by syslogd – Local applications write to syslogd using syslog() API – List of remote hosts permitted to send messages and debug info • Rules define where messages and debug info received by syslogd are to be written – Local file(s) – SMF (record type 109) – Remote destination(s)
  • 25.
    © 2023 IBMCorporation 25 syslogd network communication (1) Local communication over AF_UNIX sockets (2) Remote hosts communicate over UDP sockets (3) Remote destinations are reached over UDP sockets z/OS Host syslogd applications applications AF_UNIX Remote Hosts syslogd applications applications UDP Remote Destinations syslogd applications applications UDP (1) (2) (3) UDP is unreliable transport - to secure, requires deploying a Virtual Private Network (VPN) using IPSec
  • 26.
    © 2023 IBMCorporation 26 syslogd network communication using TCP Rules in syslogd configuration file determine what transport to use Rules can also be specified to require encryption of network communication using TLS z/OS Host syslogd applications applications AF_UNIX Remote Hosts syslogd applications applications UDP or TCP Remote Destinations syslogd applications applications UDP or TCP New in 3.1!
  • 27.
    © 2023 IBMCorporation 27 Networking Support for z/OS Containers
  • 28.
    © 2023 IBMCorporation 28 z/OS Containers Disclaimer § Communications Server support for z/OS Containers is a post-3.1 GA deliverable § All content being discussed is subject to change
  • 29.
    © 2023 IBMCorporation 29 29 Evolution of Application Deployment Physical Servers Virtualized Servers Servers with Containers
  • 30.
    © 2023 IBMCorporation 30 Kubernetes Definitions Kubernetes (K8s) - An open-source system for automating deployment, scaling, and management of containerized applications • Groups containers that make up an application into logical units (called Pods) for easy management and discovery Node - Virtual or physical servers where one or more Pods can be scheduled • A control plane node hosts the Kubernetes Control Plane that controls and manages the whole Kubernetes system − Runs the API Server, Scheduler, Controller Manager, and etcd (data store for cluster configuration) • A worker node runs the containerized applications being deployed − Runs the container runtime, kubelet (communicates with API Server), and z/OS CNI Cluster: A control plane node and zero or more worker nodes API Server Scheduler Controller Manager etcd CLI kubectl cri-o kubelet Pod1 Pod2 Pod3 Container 1 Container 2 Container 1 Container 1 Container 2 zos-cni Worker nodes (on z/OS) Control plane node (on z/OS Control Plane Appliance)
  • 31.
    © 2023 IBMCorporation 31 z/OS Containers positioning Linux on zSystems Containers z/OS Container Extensions (zCX) z/OS Containers Similar to Linux on zSystems containers Integrated, z/OS managed hosting environment for Linux on Z containers deployed in support of z/OS workloads or data Provide a container-based cloud native development and deployment experience for Linux on Z software Intended for Linux workloads that benefit from consolidation and other IBM Z QoS. Available today Available in z/OS 2.4 Statement of Direction Provide container-based cloud native development and deployment experience for z/OS software Intended to support all native z/OS application hosting environments (CICS, IMS, WebSphere, z/OS UNIX, Node.js, etc…)
  • 32.
    © 2023 IBMCorporation 32 z/OS Containers networking z/OS System z/OS Worker Node Pod1 10.10.21.1 z/OS System z/OS Worker Node z/OS System Control Plane Node z/OS Control Plane Appliance 10.10.10.1 Pod2 10.10.21.2 Pod1 10.10.22.1 Pod2 10.10.22.2 VIPADYNAMIC VIPARANGE 255.255.255.255 10.10.10.1 ZCPA ENDVIPADYNAMIC VIPADYNAMIC VIPARANGE 255.255.255.0 10.10.22.0 ZCONTAINER ENDVIPADYNAMIC VIPADYNAMIC VIPARANGE 255.255.255.0 10.10.21.0 ZCONTAINER ENDVIPADYNAMIC
  • 33.
    © 2023 IBMCorporation 33 Learn more about networking support for z/OS containers § For more details, stay tuned for a future CAP education session dedicated to z/OS containers
  • 34.
    © 2023 IBMCorporation 34 Communications Server Support for RoCE Express3
  • 35.
    © 2023 IBMCorporation 35 Shared Memory Communications over RDMA (SMC-R) 35 OS image OS image Virtual server instance server client RNIC RDMA technology provides the capability to allow hosts to logically share memory. The SMC-R protocol defines a means to exploit the shared memory for communications - transparent to the applications! Shared Memory Communications via RDMA SMC SMC RDMA enabled (RoCE) RNIC Clustered Systems SMC-R is an open sockets over RDMA protocol that provides transparent exploitation of RDMA (for TCP based applications) while preserving key functions and qualities of service from the TCP/IP ecosystem that enterprise level servers/network depend on! IETF RFC for SMC-R: http://www.rfc-editor.org/rfc/rfc7609.txt Virtual server instance shared memory shared memory Sockets Sockets
  • 36.
    © 2023 IBMCorporation 36 OSA ROCE TCP IP Interface Sockets Middleware/Application z/OS System B SMC-R OSA ROCE TCP IP Interface Sockets Middleware/Application z/OS System A SMC-R Dynamic Transition from TCP/IP to SMC-R TCP connection establishment over IP IP Network (Ethernet) RDMA Network RoCE TCP connection transitions to SMC-R allowing application data to be exchanged using RDMA Dynamic (in-line) negotiation for SMC-R is initiated by presence of TCP Options TCP syn flows (with TCP Options indicating SMC-R capability) data exchanged using RDMA data exchanged using RDMA
  • 37.
    © 2023 IBMCorporation 37 IP subnet A IP subnet B Layer 3 networks SMC Version 2 for SMC-R: SMC-Rv2 (“Routable RoCE”) (V2R5) Layer 2 networks SMC V2 connections are not restricted the same IP subnet SMC V2 / RoCEv2 traffic now crosses IP routers - encapsulated in UDP/IP packets – IP routable RoCEv2 is no longer limited to a LAN RoCEv2 uses UDP Port 4791 (must be open) CPC -A CPC -B z/OS images z/OS images
  • 38.
    © 2023 IBMCorporation 38 RoCE Express3 § Technology refresh § Dual ports (10GbE or 25GbE) § RoCE Express3 features can be shared across LPARs (SR-IOV) § 63 virtual functions (VFs) per physical port § Maximum of 16 features per CPC § Supports RoCEv1 and RoCEv2 § Provides improved performance and RAS
  • 39.
    © 2023 IBMCorporation 39 Communications Server Exploitation of the IBM Function Registry for z/OS
  • 40.
    © 2023 IBMCorporation 40 CS exploitation of the IBM Function Registry for z/OS § IBM Function Registry for z/OS provides information about the usage of functions registered with it. § In z/OS 3.1, Communications Server makes usage statistics for a customer’s SNA applications and sessions available in the IBM Function Registry. § The information obtained can help customers better understand their SNA application usage.
  • 41.
    © 2023 IBMCorporation 41 CS exploitation of the IBM Function Registry for z/OS … § High-water mark for SNA Open ACB and associated session counts is collected. § Function Registry is updated with metrics at 5-minute timer intervals § SNA usage data can provide insight into the extent of SNA application activity in the network § The function information can be displayed using IBM Function Registry for z/OS utilities/commands • FXEPRINT utility located at SYS1.SAMPLIB (see example on next two charts) • Display FXE command § Also available on z/OS CS V2R4 and V2R5 via APAR OA63555. This APAR has a dependency on BCP Function Registry APAR OA63360.
© 2023 IBM Corporation 42
CS exploitation of the IBM Function Registry for z/OS …
§ Sample output from FXEPRINT:
---------------------------------------------------------------------
Vendor Name: IBM
Vendor Description: International Business Machines Corporation
Vendor Slot Path: VS(1)
---------------------------------------------------------------------
Product Name: z/OS Communications Server
Product Release: 03.01.00
Product ID: HVT6310
Instance ID: VTAMCS
Product Description: VTAM
Product Slot Path: VS(1) PS(1,-)
Product Parent: IBM
Product Attributes:
  Attribute Name: Counters Last Updated On
  Attribute Value: 10/28/22 13:19:54
---------------------------------------------------------------------
…
© 2023 IBM Corporation 43
CS exploitation of the IBM Function Registry for z/OS …
Function Name: SNA - General
Function Description: General SNA Information
Function Slot Path: VS(1) PS(1,-) FS(1,AUTHONLY)
Function Parent: z/OS Communications Server
Function Used: YES
Function Enabled: YES
Function Attributes:
  Attribute Name: Maximum number of RAPI only applications
  Attribute Value: 114
  Attribute Name: Maximum number of APPC capable applications
  Attribute Value: 16
  Attribute Name: Maximum number of TSO applications
  Attribute Value: 2
  Attribute Name: Maximum number of TN3270 applications
  Attribute Value: 7
  Attribute Name: Maximum number of RAPI sessions
  Attribute Value: 20
  Attribute Name: Maximum number of APPC sessions
  Attribute Value: 36
  Attribute Name: Maximum number of TSO sessions
  Attribute Value: 1
  Attribute Name: Maximum number of TN3270 sessions
  Attribute Value: 5
--------------------------------------------------------------
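The FXEPRINT output above is a flat "Label: value" listing, which is fine to read once but awkward to trend across the 5-minute registry updates or to compare between systems when deciding which SNA application types (TN3270, APPC, TSO, RAPI) still carry sessions and therefore still need to be exposed and protected. The Python below is an added example, not an IBM utility and not code from the presentation: it parses that listing into records and pulls out the integer high-water marks. The embedded sample is constructed to mirror the two charts, with the values shown there; the record and attribute labels it recognises are exactly the ones visible in the output, and any other FXEPRINT label would simply be carried through as a string.

```python
"""Parse FXEPRINT output into structured records (added example, not IBM code)."""
import re

# Constructed sample mirroring the layout and values of the preceding two charts.
SAMPLE_FXEPRINT = """\
---------------------------------------------------------------------
Product Name: z/OS Communications Server
Product Release: 03.01.00
Product ID: HVT6310
Instance ID: VTAMCS
Product Description: VTAM
Product Attributes:
Attribute Name: Counters Last Updated On
Attribute Value: 10/28/22 13:19:54
---------------------------------------------------------------------
Function Name: SNA - General
Function Description: General SNA Information
Function Slot Path: VS(1) PS(1,-) FS(1,AUTHONLY)
Function Parent: z/OS Communications Server
Function Used: YES
Function Enabled: YES
Function Attributes:
Attribute Name: Maximum number of RAPI only applications
Attribute Value: 114
Attribute Name: Maximum number of APPC capable applications
Attribute Value: 16
Attribute Name: Maximum number of TSO applications
Attribute Value: 2
Attribute Name: Maximum number of TN3270 applications
Attribute Value: 7
Attribute Name: Maximum number of RAPI sessions
Attribute Value: 20
Attribute Name: Maximum number of APPC sessions
Attribute Value: 36
Attribute Name: Maximum number of TSO sessions
Attribute Value: 1
Attribute Name: Maximum number of TN3270 sessions
Attribute Value: 5
---------------------------------------------------------------------
"""

# "<Section> <Field>: <value>", e.g. "Function Slot Path: VS(1) PS(1,-)"
_FIELD = re.compile(r"^\s*(Vendor|Product|Instance|Function|Attribute) ([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")
RECORD_KINDS = ("Vendor", "Product", "Function")


def parse_fxeprint(text: str) -> list:
    """Return records in order; each has 'kind', 'name', the header fields keyed by
    their full label (e.g. 'Product Release'), and 'attributes' (name -> value)."""
    records, current, pending = [], None, None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue                      # separator lines, blanks, '...'
        section, field, value = m.groups()
        if section in RECORD_KINDS and field == "Name":
            current = {"kind": section, "name": value, "attributes": {}}
            records.append(current)
        elif current is None:
            continue                      # attribute before any record: ignore
        elif section == "Attribute" and field == "Name":
            pending = value               # value arrives on the next line
        elif section == "Attribute" and field == "Value" and pending is not None:
            current["attributes"][pending] = value
            pending = None
        elif field != "Attributes":       # "Product Attributes:" is just a heading
            current[f"{section} {field}"] = value
    return records


def highwater(records: list, function_name: str) -> dict:
    """Integer high-water marks of one Function record, keyed by attribute name."""
    for rec in records:
        if rec["kind"] == "Function" and rec["name"] == function_name:
            return {k: int(v) for k, v in rec["attributes"].items() if v.isdigit()}
    raise KeyError(function_name)


def sna_in_use(records: list, function_name: str = "SNA - General") -> bool:
    """True if the registry marks the function as used and any counter is non-zero."""
    rec = next(r for r in records if r["kind"] == "Function" and r["name"] == function_name)
    return rec.get("Function Used", "").upper() == "YES" and any(highwater(records, function_name).values())


if __name__ == "__main__":
    recs = parse_fxeprint(SAMPLE_FXEPRINT)
    for name, value in sorted(highwater(recs, "SNA - General").items(), key=lambda kv: -kv[1]):
        print(f"{value:5d}  {name}")
    print("SNA in use:", sna_in_use(recs))
```

Because the counters are high-water marks since the last reset rather than live counts, a zero for a category is strong evidence that nothing of that type ran, while a non-zero value only tells you something did at some point; keep the "Counters Last Updated On" timestamp with the numbers when you record them.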
© 2023 IBM Corporation 44
Function Removals
© 2023 IBM Corporation 45
Function removals in z/OS 3.1
§ Several functions were removed from Communications Server in z/OS 3.1:
  • Withdrawal of support for VTAM® Link Station Architecture (LSA) and TCP/IP LAN Channel Station (LCS) devices
  • Removal of OSA DEVICE/LINK/HOME configuration support
§ The statements of direction for these removals are included on the following charts
© 2023 IBM Corporation 46
Statement of Direction: Withdrawal of support for VTAM® Link Station Architecture (LSA) and TCP/IP LAN Channel Station (LCS) devices (Issued July 27, 2021)
As stated in Hardware Announcement 121-029, dated May 4, 2021, many IBM clients continue to rely on Systems Network Architecture (SNA) applications for mission-critical workloads, and IBM has no plans to discontinue support of the SNA protocol, including the SNA APIs. However, IBM support for the SNA protocol being transported natively out of the server using OSA Express 1000BASE-T adapters configured as channel type "OSE" will be eliminated in a future hardware system family. With the support for OSE planned to be discontinued, support for the related VTAM and TCP/IP device drivers is also planned to be discontinued. IBM intends z/OS V2.5 to be the last z/OS release to provide support for LSA (SNA) and LCS (TCP/IP) devices. z/OS systems that have workloads that rely on the SNA protocol and utilize OSE networking channels as the transport should be updated to make use of some form of SNA over IP technology, where possible, such as Enterprise Extender.
• A migration health check is provided to identify whether VTAM Link Station Architecture (LSA) devices are in use. These devices are configured with MEDIUM=CSMACD on the XCA major node PORT statement. This health check is available with SNA APAR OA62208 on z/OS V2R3, V2R4, and V2R5.
© 2023 IBM Corporation 47
Statement of Direction: Removal of OSA DEVICE/LINK/HOME configuration support (Issued July 27, 2021)
z/OS V2.5 is planned to be the last z/OS release to provide support for the TCP/IP profile statements DEVICE, LINK, and HOME for OSA connectivity. All z/OS users who currently use DEVICE, LINK, or HOME for OSA connectivity should migrate to the INTERFACE statement for defining OSA Express connectivity in their TCP/IP profile.
• A migration health check is provided to identify whether the TCP/IP profile statements DEVICE, LINK, and HOME for OSA-Express connectivity are in use. This health check is available with SNA APAR OA62208 and TCP/IP APAR PH40875 on z/OS V2R3, V2R4, and V2R5.
• For guidance, refer to the z/OS Communications Server IP Configuration Guide topic "Steps for converting from IPv4 IPAQENET DEVICE, LINK, and HOME definitions to the IPv4 IPAQENET INTERFACE statement".
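The two statements of direction above both come down to the same inventory question: which TCP/IP profiles still define OSA connectivity with DEVICE/LINK/HOME (MPCIPA for QDIO ports, LCS for OSE ports), and which addresses hang off them. The migration health checks answer that on a running system; the Python below is an added example, not IBM's health check and not code from the presentation, for scanning profile members offline before the upgrade. The sample profile is constructed. For an MPCIPA device it emits a draft INTERFACE line; the prefix length is left as a placeholder because the HOME statement carries no mask (that came from the routing definitions), and the IBM conversion steps referenced on the chart remain the authoritative procedure. LCS devices get no draft because the OSE channel type itself is being withdrawn.

```python
"""Find OSA DEVICE/LINK/HOME definitions in a TCP/IP profile (added example, not IBM code)."""
import re

# Constructed sample profile (not from the presentation).
SAMPLE_PROFILE = """\
; QDIO OSA-Express port defined the legacy way
DEVICE OSAQD01 MPCIPA NONROUTER
LINK   OSAL01  IPAQENET OSAQD01
; OSE (non-QDIO) OSA port using LCS
DEVICE LCS1    LCS 0E00
LINK   LCSL1   ETHERNET 0 LCS1
HOME
  10.1.1.10  OSAL01
  10.1.2.10  LCSL1
; already converted to INTERFACE
INTERFACE OSAQD02 DEFINE IPAQENET
  PORTNAME OSAQD02
  IPADDR 10.1.3.10/24
START OSAQD01
"""

LEGACY_OSA_DEVICE_TYPES = {"MPCIPA", "LCS"}
# LCS LINK statements carry a link number between the link type and the device name
LCS_LINK_TYPES = {"ETHERNET", "802.3", "ETHEROR802.3", "FDDI", "IBMTR"}
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _tokens(profile: str) -> list:
    """Tokenize the profile; ';' starts a comment and statements may span lines."""
    return re.sub(r";.*", "", profile).split()


def find_legacy_osa(profile: str) -> list:
    """Return one finding per (legacy OSA device, link) pair with its HOME addresses."""
    toks = _tokens(profile)
    devices, links, home = {}, {}, {}
    i = 0
    while i < len(toks):
        t = toks[i].upper()
        if t == "DEVICE" and i + 2 < len(toks):
            devices[toks[i + 1]] = toks[i + 2].upper()
            i += 3
        elif t == "LINK" and i + 3 < len(toks):
            name, ltype = toks[i + 1], toks[i + 2].upper()
            if ltype in LCS_LINK_TYPES and i + 4 < len(toks):
                links[name] = (ltype, toks[i + 4])
                i += 5
            else:
                links[name] = (ltype, toks[i + 3])
                i += 4
        elif t == "HOME":
            i += 1
            while i + 1 < len(toks) and _IPV4.match(toks[i]):   # pairs: address link
                home.setdefault(toks[i + 1], []).append(toks[i])
                i += 2
        else:
            i += 1                        # parameters and statements we do not model

    findings = []
    for dev, dtype in devices.items():
        if dtype not in LEGACY_OSA_DEVICE_TYPES:
            continue
        for lname, (ltype, ldev) in links.items():
            if ldev != dev:
                continue
            addrs = home.get(lname, [])
            draft = None
            if dtype == "MPCIPA" and addrs:
                # Draft only: the prefix length must be taken from the existing
                # routing definitions, and extra DEVICE/LINK parameters must be mapped by hand.
                draft = (f"INTERFACE {lname} DEFINE IPAQENET PORTNAME {dev} "
                         f"IPADDR {addrs[0]}/<prefix-length>")
            findings.append({"device": dev, "type": dtype, "link": lname,
                             "link_type": ltype, "addresses": addrs, "draft": draft})
    return findings


if __name__ == "__main__":
    for f in find_legacy_osa(SAMPLE_PROFILE):
        print(f"{f['type']:7} {f['device']:8} link {f['link']:8} {','.join(f['addresses'])}")
        print("   ", f["draft"] or "no INTERFACE equivalent on OSE; move the port to OSD/QDIO")
```

Run it over every profile member that a stack can be started with, including any referenced through INCLUDE, since a DEVICE statement only matters if a live profile still reads it.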
© 2023 IBM Corporation 48
Additional Information
© 2023 IBM Corporation 49
Additional recent Communications Server deliveries
• Support for SMF compliance evidence (z/OS V2R4 and V2R5)
  • z/OS® Communications Server with APAR PH37372 generates new SMF type 1154 records that provide compliance evidence for the TCP/IP stack (subtype 1), FTP daemon (subtype 2), TN3270E Telnet server (subtype 3), and CSSMTP client (subtype 4).
  • See the z/OS Communications Server New Function APAR Summary pages for more information, including dependencies and restrictions
© 2023 IBM Corporation 50
Additional recent Communications Server deliveries …
• IBM zERT Network Analyzer passphrase and password management support (z/OS V2R3, V2R4, and V2R5)
  • The IBM zERT Network Analyzer with APAR PH43119 (z/OS V2R4 and V2R5) or APAR PH43118 (z/OS V2R3) supports the use of passphrases of up to 100 characters to connect to the Db2 for z/OS database. The IBM zERT Network Analyzer also includes enhancements in the Database Settings panel to clear existing database credentials, making it easier to switch to a different database user ID.
  • See the z/OS Communications Server New Function APAR Summary pages for more information, including dependencies and restrictions
© 2023 IBM Corporation 51
The IBM Ideas Portal
§ A New Way to Submit Ideas
The IBM Ideas Portal provides a new way for customers, business partners and IBMers to suggest changes to our products and services, replacing the Request for Enhancements (RFE) process.
§ Why is it changing?
The IBM Ideas Portal is a single, company-wide portal, which will improve your experience by providing you with: a single view into your ideas; an easier way to track them; and the ability to collaborate with users, partners and IBMers around the world.
§ For more details about the migration, visit www.ibm.com/ideas
The new IBM Software Ideas portal for mainframe hardware and operating systems: https://ibm-z-hardware-and-operating-systems.ideas.ibm.com/?project=ZOS
§ Use ideas.ibm.com to:
  - Submit new ideas
  - View the status of ideas you have previously submitted
  - Vote, comment or subscribe to others' ideas
  - View the status of ideas you have previously voted or commented on, or subscribed to
© 2023 IBM Corporation 52
The IBM Ideas Portal …
[Figure: screenshot of the IBM Ideas Portal]
© 2023 IBM Corporation 53
New function APAR summary web pages
• We maintain web pages that provide a summary of the new function APARs available for each release:
  • Includes a summary of the function, a link to the APAR, and a link to the function documentation
  • V2R4: https://www.ibm.com/support/pages/zos-v2r4-communication-server-new-function-apar-summary
  • V2R5: https://www.ibm.com/support/pages/zos-v2r5-communication-server-new-function-apar-summary
© 2023 IBM Corporation 54
New function APAR summary web pages - Example
[Figure: screenshot of a new function APAR summary page]
© 2023 IBM Corporation 55
IBM z/OS Communications Server and OSA-Express Best Practices
White paper on OSA-Express best practices: http://ibm.biz/OSACSBP
This white paper is provided to aid IBM z/OS customers by giving a general set of considerations (a checklist) for guidance focused on configuring OSA-Express to optimize network performance.
© 2023 IBM Corporation 56
V2R5: z/OS Communications Server Performance Summary Report
https://ibm.biz/zcsv2r5perfsummary
z/OS CS Performance Summary Reports for all releases are available in the "z/OS Communications Server Performance Index" at: https://www.ibm.com/support/pages/zos-communications-server-performance-index
© 2023 IBM Corporation 57
Digital Badges & Online Courses
Start your free IBM online learning and earn IBM open badges!
Networking on z/OS - Foundations: foundational understanding of networking on z/OS.
  • Online course: https://ibm.biz/zosnetworkingcourse
  • IBM Open Badge: https://ibm.biz/zosnetworkingbadge
z/OS TCP/IP Configuration with NCA: use the IBM Configuration Assistant for z/OS Communications Server (NCA) to create and manage TCP/IP profiles.
  • Online course: http://ibm.biz/NCATCPIPcourse
  • IBM Open Badge: http://ibm.biz/NCAbadge
z/OS Network Security - Foundations: knowledge and foundational understanding of z/OS network security.
  • Online course: http://ibm.biz/zosnetsecuritycourse
  • IBM Open Badge: http://ibm.biz/zosnetsecuritybadge
zERT Policy Enforcement Configuration with NCA: configure zERT Policy Enforcement using the IBM Configuration Assistant for z/OS Communications Server (NCA).
  • Online course: http://ibm.biz/NCA_zERTcourse
  • IBM Open Badge: http://ibm.biz/NCA_zERTbadge
TCP/IP on z/OS Essentials - Level 1: general knowledge and understanding of TCP/IP on z/OS, including network layers, protocols at each layer, and the hardware that facilitates the transport of data.
  • Online course: https://ibm.biz/tcpipl1course
  • IBM Open Badge: http://ibm.biz/tcpipl1badge
© 2023 IBM Corporation 58
Join Us on the IBM Community!
Scan the QR code to visit the z/OS Communications Server home page on IBM Community. The z/OS Communications Server page on the IBM Community provides rich and up-to-date technical content including blogs, videos, and event information.
Join us at our new home: https://www.ibm.com/community/z/software/comm-server/
© 2023 IBM Corporation 59
Thank You! Any Questions?
Mike Fitzpatrick
STSM, CPO for Communications Server, Lead Architect Multi-site Workload Lifeline, Performance & Design
mfitz@us.ibm.com
Sam Reynolds
Enterprise Networking Solutions - Architecture, Design, and Strategy
samr@us.ibm.com
PDF available on Slideshare: https://ibm.biz/zOS31CS
© 2023 IBM Corporation 60
Appendix
• Functional removal statements of direction for V2R5 removals
© 2023 IBM Corporation 61
Functional Removal Statements of Direction for V2R5 Removals
© 2023 IBM Corporation 62
Statement of Direction: Removal of native TLS/SSL support from TN3270E Telnet server, FTP server, and DCAS (Issued July 23, 2019)
z/OS V2.4 is planned to be the last release in which the z/OS TN3270E Telnet server, FTP server, and Digital Certificate Access Server (DCAS) will support direct invocation of System SSL APIs for TLS/SSL protection. In the future, the only TLS/SSL protection option for these servers will be Application Transparent Transport Layer Security (AT-TLS). The direct System SSL support in each of these components is functionally outdated and only supports TLS protocols up through TLSv1.1. IBM recommends converting your TN3270E Telnet, FTP server, and DCAS configurations to use AT-TLS, which supports the latest System SSL features, including the TLSv1.2 and TLSv1.3 protocols and related cipher suites.
Note that while native TLS/SSL support for the z/OS FTP client is not being withdrawn at this time, no future enhancements are planned for that support. IBM recommends using AT-TLS to secure FTP client traffic.
§ A migration health check to alert users of the native TLS/SSL support in the TN3270E server, the FTP server and DCAS to the coming removal of that support will be available via APARs OA59022, OA58255, PH21573, and PH16144.
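The practical risk in this conversion is ending up with an AT-TLS environment that is no better than the native support it replaces: if the TTLSEnvironmentAdvancedParms block leaves TLSv1/TLSv1.1 enabled, or never turns TLSv1.2 and TLSv1.3 on, the move to AT-TLS buys nothing. The Python below is an added example, not a Policy Agent component and not code from the presentation: it parses the brace-delimited AT-TLS policy syntax and audits every TTLSEnvironmentAction for protocol settings, showing a weak FTP server environment beside its hardened replacement. The policy fragment is constructed; the statement and parameter names (TTLSRule, TTLSEnvironmentAction, TTLSEnvironmentAdvancedParms, the SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3 switches, ApplicationControlled, SecondaryMap) are AT-TLS policy keywords, while the keyring name and port are illustrative. Because the default for a protocol switch that is not coded depends on the release, the audit treats TLSv1 and TLSv1.1 that are not explicitly Off as a finding; that is a deliberately strict house rule of this example.

```python
"""Audit AT-TLS policy text for protocol versions (added example, not IBM code)."""
import re

# Constructed AT-TLS fragment (not from the presentation). FTPEnvLegacy is no
# stronger than the native FTP server support (TLSv1.1 at best); FTPEnvHardened
# is the replacement to aim for. Keyring and port values are illustrative.
SAMPLE_POLICY = """\
TTLSRule FTPServerRule
{
  LocalPortRange            21
  Direction                 Inbound
  TTLSGroupActionRef        FTPGroup
  TTLSEnvironmentActionRef  FTPEnvLegacy
}
TTLSGroupAction FTPGroup
{
  TTLSEnabled On
}
TTLSEnvironmentAction FTPEnvLegacy
{
  HandshakeRole Server
  TTLSKeyringParms { Keyring FTPRING }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled On     # FTP server starts TLS itself (AUTH TLS)
    SecondaryMap On              # data connections inherit the control connection policy
    TLSv1   On
    TLSv1.1 On
  }
}
TTLSEnvironmentAction FTPEnvHardened
{
  HandshakeRole Server
  TTLSKeyringParms { Keyring FTPRING }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled On
    SecondaryMap On
    SSLv3   Off
    TLSv1   Off
    TLSv1.1 Off
    TLSv1.2 On
    TLSv1.3 On
  }
}
"""

WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
MODERN_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
MUST_BE_EXPLICIT_OFF = ("TLSv1", "TLSv1.1")   # house rule: never rely on the release default


def _parse_block(tokens: list, i: int):
    """Parse tokens after '{' up to the matching '}'; return (dict, index after '}')."""
    block = {}
    while i < len(tokens) and tokens[i] != "}":
        key = tokens[i]
        i += 1
        if i >= len(tokens):
            raise ValueError("unbalanced braces in policy")
        if tokens[i] == "{":
            block[key], i = _parse_block(tokens, i + 1)   # nested parms, e.g. TTLSKeyringParms
        else:
            block[key] = tokens[i]
            i += 1
    if i >= len(tokens):
        raise ValueError("unbalanced braces in policy")
    return block, i + 1


def parse_policy(text: str) -> list:
    """Return [(statement_type, name, body_dict), ...] in policy order; '#' starts a comment."""
    tokens = re.findall(r"\{|\}|[^\s{}]+", re.sub(r"#.*", "", text))
    statements, i = [], 0
    while i < len(tokens):
        if i + 2 >= len(tokens) or tokens[i + 2] != "{":
            raise ValueError(f"expected '<type> <name> {{' at token {i}: {tokens[i]!r}")
        body, j = _parse_block(tokens, i + 3)
        statements.append((tokens[i], tokens[i + 1], body))
        i = j
    return statements


def audit_environments(statements: list) -> dict:
    """Map each TTLSEnvironmentAction name to its protocol findings (empty list = clean)."""
    findings = {}
    for stype, name, body in statements:
        if stype != "TTLSEnvironmentAction":
            continue
        adv = body.get("TTLSEnvironmentAdvancedParms", {})
        on = lambda p: adv.get(p, "").lower() == "on"
        problems = [f"{p} On" for p in WEAK_PROTOCOLS if on(p)]
        problems += [f"{p} not explicitly Off" for p in MUST_BE_EXPLICIT_OFF if p not in adv]
        if not any(on(p) for p in MODERN_PROTOCOLS):
            problems.append("neither TLSv1.2 nor TLSv1.3 enabled")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for env, problems in audit_environments(parse_policy(SAMPLE_POLICY)).items():
        print(f"{env}: {'; '.join(problems) if problems else 'OK'}")
```

The same audit applies unchanged to the TN3270E and DCAS environments, since the protocol switches live in the same TTLSEnvironmentAdvancedParms block; only the rule selectors differ. Cipher suites are the other half of the picture and are not checked here.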
© 2023 IBM Corporation 63
Statement of Direction: Removal of policy data import function from the Network Configuration Assistant (Issued July 23, 2019)
z/OS V2.4 will be the last release in which the Network Configuration Assistant (NCA) z/OSMF plug-in supports the policy data import function, which allows you to import existing Policy Agent configuration files into the Network Configuration Assistant. After z/OS V2.4, import of policy configuration files will no longer be supported for the AT-TLS, IPSec, PBR, and IDS technologies. Import of TCP/IP profiles into NCA is not affected.
© 2023 IBM Corporation 64
Statement of Direction: Withdrawal of Support for CMIP (Issued February 26, 2019)
z/OS V2.4 is planned to be the last release to support the VTAM Common Management Information Protocol (CMIP). CMIP services is an API that enables a management application program to gather various types of SNA topology data from a CMIP application called the topology agent that runs within VTAM. IBM recommends using the SNA network monitoring network management interface (NMI) to monitor SNA Enterprise Extender and High Performance Routing data.
• A migration health check to alert CMIP users to the coming removal is available via APARs OA57227 (V2R2, V2R3) and OA57753 (V2R4).
Note: IBM has announced that IBM Z NetView V6.3 will be the last release to support the SNA Topology Manager (the main consumer of CMIP data).
© 2023 IBM Corporation 65
Statement of Direction: Removal of Sysplex Distributor support for workload balancing to IBM DataPower® Gateway products (Issued July 23, 2019)
z/OS V2.4 is the last release to support Sysplex Distributor target controlled distribution to DataPower Gateway products. This feature is deprecated in the DataPower Gateway. IBM recommends that you implement another solution for workload balancing, which might be through an external load balancer. This removal does not impact any other Sysplex Distributor functions, only configurations that have TARGCONTROLLED specified on the VIPADISTRIBUTE statement.
© 2023 IBM Corporation 66
Notices and disclaimers
— © 2023 International Business Machines Corporation. No part of this document may be reproduced or transmitted in any form without written permission from IBM.
— U.S. Government Users Restricted Rights — use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
— Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. This document is distributed "as is" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted per the terms and conditions of the agreements under which they are provided.
— IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply.
— Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
— Performance data contained herein was generally obtained in a controlled, isolated environment. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
— References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
— Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
— It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer follows any law.
© 2023 IBM Corporation 67
Notices and disclaimers
— Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM's products. IBM expressly disclaims all warranties, expressed or implied, including but not limited to the implied warranties of merchantability and fitness for a purpose.
— The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
— IBM, the IBM logo, ibm.com and [names of other referenced IBM products and services used in the presentation] are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml
© 2023 IBM Corporation 68
Trademarks
The following are trademarks of the International Business Machines Corporation in the United States and/or other countries: IBM*, IBM Logo*
* Registered trademarks of IBM Corporation
The following are trademarks or registered trademarks of other companies:
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.
Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries. Docker, Inc. and other parties may also have trademark rights in other terms used herein.
* All other products may be trademarks or registered trademarks of their respective companies.
Notes:
Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.
This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area.
All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.