Enhanced Networking on IBM z/VSE

Book Description

The importance of modern computer networks is steadily growing as increasing amounts of data are exchanged over company intranets and the Internet. Understanding current networking technologies and communication protocols that are available for the IBM® mainframe and System z® operating systems is essential for setting up your network infrastructure with IBM z/VSE®.

This IBM Redbooks® publication helps you install, tailor, and configure new networking options for z/VSE that are available with TCP/IP for VSE/ESA, IPv6/VSE, and Fast Path to Linux on System z (Linux Fast Path). We put a strong focus on network security and describe how the new OpenSSL-based SSL runtime component can be used to enhance the security of your business.

This IBM Redbooks publication extends the information that is provided in Security on IBM z/VSE, SG24-7691.

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. The team who wrote this book
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. IBM Redbooks promotions
  5. Summary of changes
    1. December 2014, Second Edition
  6. Chapter 1. Networking options overview
    1. 1.1 Overview
    2. 1.2 Hardware options
      1. 1.2.1 OSA-Express
      2. 1.2.2 OSA-Integrated Console Controller
      3. 1.2.3 OSA-Express in QDIO mode
      4. 1.2.4 OSA-Express
      5. 1.2.5 OSA for NCP support
      6. 1.2.6 Intra-Ensemble Data Network support
      7. 1.2.7 OSA-Express multi-port support
      8. 1.2.8 Using VTAM (SNA) and TCP/IP (non-QDIO) parallel on the same CHPID
      9. 1.2.9 HiperSockets (IQD)
      10. 1.2.10 Virtual local area network
      11. 1.2.11 Shared OSA adapter versus HiperSockets
      12. 1.2.12 Using HiperSockets to communicate with Linux on System z
      13. 1.2.13 QDIO buffer configuration
      14. 1.2.14 Virtual OSA devices and VMAC
      15. 1.2.15 OSAX Hotswap support
    3. 1.3 Software options
      1. 1.3.1 IPv4
      2. 1.3.2 IPv6
      3. 1.3.3 Why IPv6?
      4. 1.3.4 Dual stack support
      5. 1.3.5 Migration from IPv4 to IPv6
      6. 1.3.6 IPv6 products for z/VSE
      7. 1.3.7 Securing your connections with Secure Sockets Layer
      8. 1.3.8 Options for printing
      9. 1.3.9 Overview of APIs
      10. 1.3.10 Available applications
      11. 1.3.11 Choosing a socket API when designing your applications
      12. 1.3.12 Enabling your applications for IPv6
    4. 1.4 Known problems
      1. 1.4.1 ERROR DURING OSA EXPRESS PROCESSING,REASON=002C CUU=nnnn,RETCODE=E00A
  7. Chapter 2. TCP/IP for VSE/ESA
    1. 2.1 Overview
    2. 2.2 Standard features
    3. 2.3 Other optional features
    4. 2.4 Applications that are provided with TCP/IP for VSE
    5. 2.5 Application programming interfaces
    6. 2.6 Setting up and running TCP/IP for VSE
    7. 2.7 FTP hints
      1. 2.7.1 Internal FTP server suggestions
      2. 2.7.2 Using external FTPBATCH servers
    8. 2.8 Partition priorities
    9. 2.9 Security
    10. 2.10 Remote running with REXX
    11. 2.11 Version checking
    12. 2.12 Datagram analysis
    13. 2.13 Known problems
      1. 2.13.1 Routing in a subnet
      2. 2.13.2 Using SSL ciphers
      3. 2.13.3 Secure SSL port
      4. 2.13.4 SSL client does not verify the server certificate
      5. 2.13.5 TLS issue with IBM Personal Communications 6.0.7
  8. Chapter 3. IPv6/VSE
    1. 3.1 Overview
    2. 3.2 Obtaining and activating a license key
    3. 3.3 Stack setup
      1. 3.3.1 IPv4 stack setup
      2. 3.3.2 IPv6 stack setup
      3. 3.3.3 Mixed IPv4 and IPv6 network setup
      4. 3.3.4 Setting up a dual-stacked system
      5. 3.3.5 UDPv4 in a coupled stack environment
      6. 3.3.6 Connectivity considerations
    4. 3.4 Setting up FTP
      1. 3.4.1 Security
      2. 3.4.2 VSE as a server
      3. 3.4.3 VSE as a client
    5. 3.5 Setting up TN3270
      1. 3.5.1 Setting up VTAM
      2. 3.5.2 Starting a TN3270 server
      3. 3.5.3 Controlling the terminal type
      4. 3.5.4 Connecting with IBM Personal Communications
      5. 3.5.5 Connecting with Open Text Exceed
      6. 3.5.6 Connecting with wc3270
      7. 3.5.7 Recovering from broken connections
    6. 3.6 Setting up TN3270E printing
      1. 3.6.1 TN3270E setup
      2. 3.6.2 BSTTVNET JCL
      3. 3.6.3 Node error program
    7. 3.7 Setting up SSL
      1. 3.7.1 Installing the prerequisite programs
      2. 3.7.2 Creating the keystore
      3. 3.7.3 Removing the private CA key from the client keyring file
      4. 3.7.4 Deciding whether to use the SSL proxy server or AT-TLS
      5. 3.7.5 Specifying parameters
      6. 3.7.6 Configuring the SSL proxy server
      7. 3.7.7 Configuring the AT-TLS server
      8. 3.7.8 Considerations on SSL performance
      9. 3.7.9 Considerations on blocking clear ports
      10. 3.7.10 Configuring wc3270 for SSL
      11. 3.7.11 Configuring IBM Personal Communications for SSL
      12. 3.7.12 Configuring secure FTP
      13. 3.7.13 Configuring VSE Connector Server
      14. 3.7.14 SSL client authentication
      15. 3.7.15 Using TLSv1.2
    8. 3.8 Setting up CICS Web Support
      1. 3.8.1 Modifying the CICS startup job
      2. 3.8.2 Defining the TCP/IP host name
      3. 3.8.3 Considerations for SSL
    9. 3.9 Known problems
      1. 3.9.1 VSE cannot be reached
      2. 3.9.2 BSTT075E LUNAME NOT AVAIL
      3. 3.9.3 SSL connect error with wc3270
      4. 3.9.4 Other SSL connect errors
      5. 3.9.5 Hang situation with BSTTATLS/BSTTPRXY
      6. 3.9.6 Return codes 3100 / 1700 from IJBCRLIB
      7. 3.9.7 BSTTFTPC fails to connect to Windows Server 2008
      8. 3.9.8 Batch email cannot relay mail
      9. 3.9.9 LDAP sign on by using SSL does not work
      10. 3.9.10 GnuTLS error -53: Error in the push function
  9. Chapter 4. Fast Path to Linux on System z
    1. 4.1 Overview
    2. 4.2 Concept of LFP instances and LFP daemons
    3. 4.3 LFP in a z/VM environment
      1. 4.3.1 Linux guest setup
      2. 4.3.2 VSE guest setup
    4. 4.4 z/VM IP Assist
      1. 4.4.1 Configuration user setup
      2. 4.4.2 Setting up the VIA guest
      3. 4.4.3 Setting up VSE guest
      4. 4.4.4 Using the LFP trace with VIA
    5. 4.5 LFP in an LPAR environment
      1. 4.5.1 Prerequisites
      2. 4.5.2 Hardware setup
      3. 4.5.3 VSE setup
      4. 4.5.4 Linux setup
    6. 4.6 IBM applications that support LFP
      1. 4.6.1 VSE Connector Server
      2. 4.6.2 Using the Virtual z/VSE FTP Daemon
    7. 4.7 Using secure connections with SSL
      1. 4.7.1 Using a VIA guest
      2. 4.7.2 Using a Linux on System z guest
      3. 4.7.3 Configuring the z/VSE virtual FTP daemon for SSL
    8. 4.8 Known problems
      1. 4.8.1 Error accessing the config disk
      2. 4.8.2 SE file transfer had a problem
      3. 4.8.3 User ID not authorized for SMSG
      4. 4.8.4 Invalid command response from VIA user
      5. 4.8.5 No response from VIA user
      6. 4.8.6 Profile cannot be loaded
  10. Chapter 5. OpenSSL
    1. 5.1 Overview
      1. 5.1.1 What is available on z/VSE
      2. 5.1.2 What is unique in z/VSE
      3. 5.1.3 Runtime variables
      4. 5.1.4 What is not available in z/VSE
    2. 5.2 Access to the OpenSSL API
    3. 5.3 Creating random numbers
      1. 5.3.1 Characteristics of random number generators
      2. 5.3.2 Random number generation in OpenSSL
      3. 5.3.3 Alternatives
      4. 5.3.4 Considerations for the z/VSE crypto device driver
      5. 5.3.5 Performance
    4. 5.4 Keystore considerations
      1. 5.4.1 Creating a PEM keystore
      2. 5.4.2 Exporting PEM to PFX
      3. 5.4.3 Importing PFX to PEM
      4. 5.4.4 Password-protected keystores
    5. 5.5 Programming
      1. 5.5.1 Include files
      2. 5.5.2 Passed socket number
      3. 5.5.3 Socket calls
      4. 5.5.4 Switching between GSK and OpenSSL socket calls
      5. 5.5.5 Specifying the key ring
      6. 5.5.6 Using a password-protected keyring
      7. 5.5.7 Supported cipher suites
      8. 5.5.8 Specifying cipher suites
      9. 5.5.9 Supported RSA key lengths
      10. 5.5.10 Debugging
      11. 5.5.11 Hardware crypto support
      12. 5.5.12 Programming example
    6. 5.6 Performing the OpenSSL speed test
      1. 5.6.1 Test parameters
      2. 5.6.2 Test results
    7. 5.7 How OpenSSL is used on z/VSE
    8. 5.8 OpenSSL vulnerabilities
    9. 5.9 Considerations on TLSv1.2
    10. 5.10 Considerations about Diffie-Hellman
      1. 5.10.1 RSA
      2. 5.10.2 Diffie-Hellman
      3. 5.10.3 Variants of Diffie-Hellman
    11. 5.11 Using DHE-RSA with OpenSSL on z/VSE
      1. 5.11.1 Generating DH parameters
      2. 5.11.2 Using DHE-RSA with Java-based connector
    12. 5.12 Considerations on Elliptic Curve Cryptography
    13. 5.13 Using ECDHE-RSA with OpenSSL on z/VSE
      1. 5.13.1 Generating the EC key
      2. 5.13.2 Uploading the EC key to VSE
      3. 5.13.3 Using ECDHE-RSA with Java-based connector
    14. 5.14 Restrictions
      1. 5.14.1 No SHA-512 support
  11. Chapter 6. Comparison of stacks and protocols
    1. 6.1 Stacks comparison
      1. 6.1.1 Licensing
      2. 6.1.2 Installation libraries
      3. 6.1.3 Virtual storage organization
      4. 6.1.4 Commands
      5. 6.1.5 Comparison of protocols
    2. 6.2 Applications comparison
      1. 6.2.1 FTP server
      2. 6.2.2 FTP clients
      3. 6.2.3 Uploading a virtual tape into VSAM
      4. 6.2.4 AutoFTP
      5. 6.2.5 TN3270
      6. 6.2.6 Printing
      7. 6.2.7 AutoLPR
      8. 6.2.8 Inserts coding
      9. 6.2.9 Email
      10. 6.2.10 Creating PDF documents
      11. 6.2.11 Remote EXEC client
    3. 6.3 Performance
    4. 6.4 SSL
    5. 6.5 Comparison of APIs
      1. 6.5.1 Socket APIs
      2. 6.5.2 SSL APIs
      3. 6.5.3 Crypto APIs
    6. 6.6 Considerations for DB2 Server for VSE interfaces
    7. 6.7 Considerations for IBM applications
      1. 6.7.1 VSE Connector Server
      2. 6.7.2 Virtual tape
      3. 6.7.3 CICS Web Support
      4. 6.7.4 Encryption Facility for z/VSE
      5. 6.7.5 Basic Security Manager
      6. 6.7.6 Uploading PTF files to IJSYSPF
    8. 6.8 Known problem: ftp.exe hangs on Windows 7
      1. 6.8.1 Symptom
      2. 6.8.2 Solution
  12. Appendix A. API reference
    1. Socket APIs
    2. SSL APIs
  13. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Online resources
    4. Help from IBM
  14. Back cover
  15. IBM System x Reference Architecture for Hadoop: IBM InfoSphere BigInsights Reference Architecture
    1. Introduction
    2. Business problem and business value
    3. Reference architecture use
    4. Requirements
    5. InfoSphere BigInsights predefined configuration
    6. InfoSphere BigInsights HBase predefined configuration
    7. Deployment considerations
    8. Customizing the predefined configurations
    9. Predefined configuration bill of materials
    10. References
    11. The team who wrote this paper
    12. Now you can become a published author, too!
    13. Stay connected to IBM Redbooks
  16. Notices
    1. Trademarks