IMS 15 Continuous Delivery - IMS UG Oct 2017 Omaha


© Copyright IBM Corporation 2017.

IMS Continuous Delivery


IMS is Moving toward Continuous Delivery

• The ability to become more agile by delivering code/function more frequently
• Eliminates ad hoc SPEs
• Allows flexibility for certain types of changes that are best on a release boundary including:
  • Raising the bar on minimum hardware and software levels
  • Dropping support for function
  • Major changes to infrastructure control blocks
  • Changes that require full reassembly of IMS
• IMS 14
  • Continues to deliver new function
• IMS 15 has just been announced (10/3/2017)


Why Continuous Delivery?

Issues with current process

• Two year release cycle causes new function to be delivered too late

Clients already have solutions in place by the time release is delivered

• Major enhancements not widely exploited across our client set

• Exploitation of new technology is provided too late for clients to be among the first to exploit for business critical applications

Focus for Continuous Delivery

• Right function is available at the right time

• Strategic function delivered when ready

• Focus is on delivering what our client set needs to drive their business forward


Customer Feedback

• Allow me to enable the function, do not make it a default

• Customers are OK if CD is delivered via the service process

• Deliver code every 4 to 6 months

• Sync deliveries with RSUs (recommended service upgrades)

• Delivery and implementation should be consistent within the Z platform


Continuous Delivery Strategy

• For the z/OS Environment
  • http://www.redbooks.ibm.com/redpapers/pdfs/redp5340.pdf
• For the IMS environment
  • https://www.linkedin.com/pulse/do-you-have-questions-ibms-move-continuous-delivery-jasminder-singh
  • “In March 2016, this IBM Redpaper was released, articulating how z/OS was moving to a continuous delivery implementation model. As software that runs on z/OS, IMS chose to align with this and deliver production-ready features and functions on a more frequent basis.”
• Almost all new functions will be shipped disabled, or turned off with a few exceptions
  • A command or parameter will allow the function to be activated


Continuous Delivery Strategy …

• For the IMS Environment…
  • The continuous delivery (CD) model is intended to enhance the most recent in-service version of IMS
  • As soon as new IMS function or support for new technology is developed and tested, it is immediately released in a PTF
  • When a new version of IMS is released, continuous delivery enhancements are applied only to the new version of IMS, and the previous version is designated as a long term support release (LTSR) and is no longer enhanced
  • In most cases, new functionality or support is delivered disabled by default, so that you can enable them when you are ready. However, some functionality might be delivered enabled, due to technical or strategic requirements. For those enhancements that are delivered disabled, most will be enabled by a command or new parameter.
  • https://www.ibm.com/support/knowledgecenter/SSEPH2_14.1.0/com.ibm.ims14.doc.rpg/ims_cd_process_overview.htm

IMS 14 and IMS 14 CD


IMS 14 Base Level Summary

Agility
• DEDB Alter enhancements
• User Exit enhancements
• IMS Connect Command enhancements
• OTMA Descriptor enhancements
• Dynamic MSC

Application Deployment/Management
• Catalog - DDL interface
• IMS Management of ACBs
• Catalog Audit Trail
• ODBM Accounting
• Native SQL enhancements
• Cascaded Transaction Support
• DL/I ICAL support for control data
• Dynamic Refresh of (P)WFI regions

IMS & DB2
• FDBR Resolve In-doubt Notification Exit enh
• ESAF Subsystem Definition enhancement
• ESAF Associate Thread Exit

Business Growth
• OSAM DEB 24-bit storage VSCR
• OSAM HALDBs 8G support
• Automatic SDEP Buffer Management
• Fast Path 64-bit for high speed utilities
• OTMA TPIPE parallelism

Infrastructure
• DBRC Migration and Coexistence
• DBRC REPAIR Command
• Reduced TCO enhancements
• IMS Repository enhancements
• 64-bit Storage Manager
• OTMA enhancements
• APPC Flood Control
• ISC VTAM Enhancement for ERP messages
• Shared Queues Overflow protection


IMS 14 Continuous Delivery

• IMS 14 recently delivered APARs

• WLM Mobile/Cloud Workload Pricing (PI46933/PI51948)

• Repository Support for MSC resources (PI50129)

• Shared Queues Buffer Pool – increase queue buffers to 9999999 from 9999 (PI71929)

• MFS protected field validation (PI51565)

• Transaction expiration enhancement (PI51834)

• OTMA ACEE aging enhancements (PI68466)

• AOI Exit DFSAOE000 enhancement (PI79352)

• New RACFMSG startup parameter (PI65025)

• Enhancement to AUTOSIGNON for TCO terminals (PI60293)

• Option to bypass password checking in ETO exit (PI72015/PI73204)

• Remove IMSid from the Repository

• Minimum thread specification for ODBM (PI64152)

• IMS ESS enhancements (PI64496/PI60400)

• IMS Java applications heap storage relief (PI64241)

• Support for defining java environment variables in the JCL (PI68127)

• IMS Service Provider inclusion in z/OS Connect EE V2.0.5 (PI70342)

• IMS Soap Gateway customized headers for sync callout using control data (PI52861)

• IMS Explorer for Development 3.2.1.8 - TLS v1.2 protocol support

• CNBA specification for CCTL connectors (PI60717)

• IMS Catalog Directory Recovery Utility (PI70082)


Completed Enhancements for IMS Managed ACBs

• IMS 14 Database utility support for ACBMGMT=CATALOG

UTILITY | APAR | Available
Support for ULU utility regions to run under IMS Managed ACBs | PI46907 / UI36467 | 2016-03-23
Support for HD Unload / Reload utilities in ULU region to run under IMS Managed ACBs | PI46912 / UI39920 | 2016-08-12
Support for Batch Backout utility to run under IMS Managed ACBs | PI63855 / UI38976 | 2016-07-02
Support for DB Recovery utility to run under IMS Managed ACBs | PI66598 / UI40944 | 2016-09-24
Support for Batch Image Copy (DFSUDMP0) utility to run under IMS Managed ACBs | PI61703 / UI39976 | 2016-08-12
Support for FP-DEDB Area initialization (DBFUMIN0) utility to run under IMS Managed ACBs | PI55596 / UI39974 | 2016-08-12


Completed Enhancements for IMS Managed ACBs (cont’d)

• IMS Catalog utility support for ACBMGMT=CATALOG

• IMS ACBSHR=Y environment support

• IMPORT command

• DDL for DROP DB

• Support for DDL DROP of database and PROGRAMVIEWs which were never activated with IMPORT command

UTILITY | APAR | Available
IMS catalog populate utility (DFS3PU00) has support to allow for DOPT PSBs to be added or updated | PI46909 / UI35217 | 2016-02-12
IMS catalog purge utility will now delete ACBs corresponding to instances of DBDs and PSBs being purged from the IMS catalog | PI55521 / UI35249 | 2016-02-12
IMS catalog copy utility for import / export (DFS3CCI0 & DFS3CCE0) will import / export ACBs in the catalog directory | PI58722 / UI40956 | 2016-09-24


Completed Enhancements for IMS Managed ACBs (cont’d)

• PI67569, PI70082: IMS Catalog Recovery Utility support

• Utility to rebuild the IMS “catalog directory” from the catalog

• Intended for use when a user is fully DDL enabled and no longer maintains DBD and PSB source

• PI51217: IMPORT DEFN SOURCE(CATALOG) enhancement

• Extends IMPORT DEFN with new keywords

• Addresses Global OLC concerns

UTILITY | APAR | Available
HD Reload utility support with Pending changes | PI46914 / UI41626 | 2016-10-14
IMS V14 Catalog Recovery Utility preconditioning | PI67569 / UI41849 | 2016-10-21
New Function: Introduces Catalog Directory Recovery Utility to recover the directory component of an IMS catalog | PI70082 / UI43385 / SPE | 2016-12-22
New Function - IMPORT DEFN SOURCE(CATALOG) enhancement to allow activation of pending changes of PSBs to only a subset of systems in the IMSplex | PI51217 / UI41861 / SPE | 2016-10-21
GSAM PSB with IMS Explorer for Development | PI76835 / UI48922 | 2017-07-28


In Progress Enhancements for IMS 14

UTILITY | APAR | Target
DFS3PU00 BMP Support | PI81427 | 2017-09-27
GSAM PSB with IMS Explorer for Development | PI76838 / UI48922 | 2017-09-29


IMS 14… IMS 15

Continuous Delivery enhancements to IMS 14 will be discussed in the sessions today in addition to an overview of the IMS 15 base support


IMS 15 Enhancements


IMS Hills

• An application developer can use standard methods to create/modify DB schema definitions without an application or DB outage
• An API developer can create a REST API using a selection of existing or new assets without writing any new code and in a single common tooling experience
• An application developer can deploy an application in IMS using a web-based user interface with limited knowledge of IMS

z Systems Synergy, RFEs, RAS, Analytics, Security
Cloud, API Economy, Database Agility
Arnold, Ally, Dan
Technical Foundation


IMS Hills…

Cloud / API Economy / Database Agility

• Introducing use of z/OSMF workflows
• Program create user exit
• Reduce need for IMS system definition/sysgen
• Extend PGM refresh for preloaded programs
• Extend PGM refresh for IFPs
• On-line lifecycle operations for APIs with role-based controls
• API and service deployment with UI and automation
• DEDB Alter ALTERAREA Enhancements
• Enable zHyperWrite for WADS
• Enable zHyperWrite for OLDS
• Move logger parms to DFSDFxxx
• Change Default for clearing of VATVPTR
• Allow audit of Network Security Credentials
• CQS Enhanced RCs for Logger Errors
• DBRC Mig/Coex
• zMidas Support
• WADS Encryption
• DEDB Encryption
• FF Compression
• Removal of Functional Support
• IMS Connect System SSL
• IMS Connect Local Option support
• Remote Site Recovery (RSR)
• Message Format Service SOA support
• Source Shipped modules converted to OCO
• IMS Connect RAS Items
• CQS RAS Items
• IMS Exploitation of Async CF Lock Structure Duplexing

Technical Foundation


IMS 15 (5635-A06) Packaging

IMS 15 Compid: 5635A0600 | FMID | Comment
IMS 15 System Services | HMK1500 |
IMS 15 Database Manager | JMK1501 |
IMS 15 Transaction Manager | JMK1502 |
IMS 15 ETO Feature | JMK1503 |
IMS 15 Java On Demand Feature | JMK1506 |
IMS Recovery Level Tracker | | Deleted for IMS 15
IMS DB Level Tracker | | Deleted for IMS 15
IMS 15 VUE | JMK151Z |
IMS IRLM V2R3 | HIR2230 |


IMS 15…

• Packaging

• IMS 15 Transaction manager Value Unit Edition (VUE)

IMS 15 ETO Value Unit Edition (VUE)

• Program number: 5655-TM4

• Subscription and Support (5655-TMS)

• IMS 15 Database manager Value Unit Edition (VUE)

• Program number: 5655-DS5

• Subscription and Support (5655-DSR)

• IMS Enterprise Suite 3.2

• Program number: 5655-TDA

• Subscription and Support (5655-T61)


IMS 15…

• Packaging …

• IMS Service Provider (formerly IMS Mobile Feature Pack)

• Available with z/OS Connect EE (5655-CEE V2.0.5 or later)

• APAR PI70458/ PTF UI42590

• Notified users that the IMS Mobile Feature Pack was removed from the IMS Enterprise Suite (5655-TDA)

• APAR PI70342/ PTF UI42113

• Added the IMS Service Provider to z/OS Connect EE V2.0.5

• Configuration steps for the IMS Service Provider

• http://tinyurl.com/h87zegn


IMS 15…

• Packaging …

• JMS API will no longer be packaged with the IMS Enterprise Suite

• It can be obtained through the Java EE installation or the publicly available Maven repository

• z/OSMF (z/OS Management Facility) Workflows

• Support the provisioning of an IMS system

• In addition to the IVP, z/OSMF

• Enables new functions and maintains a history of all actions and output


IMS 15 Prerequisites …

• IMS 15 QPP announcement letter -

• IBM United States Software Announcement 217-398

• www.ibm.com/ims and follow the links to IMS 15

• https://www.ibm.com/us-en/marketplace/ims-15

• Minimum level of Hardware

• IMS 15 runs only in z/Architecture mode on an IBM System z10 processor or later

• A coupling facility level of 15 or later is required for the following IMS 15 functions:

• Operations Manager (OM) Audit Trail, if a coupling facility log stream is used

• Repository Server Audit Log, if a coupling facility log stream is used

• Resource Manager (RM), if a resource structure is used

• Shared-EMH support

• Shared queues

• Sysplex data sharing (including data caching and VSO data sharing) with Internal Resource Lock Manager (IRLM) V2.3


IMS 15 Prerequisites

• Minimum level of operating system software

• z/OS Version 2 Release 2 (5650-ZOS)

• RACF (included in a separately orderable Security Server feature of z/OS V2.2), or equivalent, if security is used

• IBM High-Level Assembler Toolkit, a separately orderable feature of z/OS V2.2

• DFSMS 2.2 APAR OA51385 for WADS z/HYPERWRITE support

• APAR OA50569 for Data Set Encryption support

• Other Products

• Java Development Kit (JDK) 8

• DB2 for z/OS V11 or later

• CICS V4.2 or later

• CICS V5.1 is required for ISC TCP/IP

• WebSphere MQ 7.5

• WebSphere Application Server for z/OS (5655-W65) or WebSphere Application Server for distributed platforms (5724-J08), V8.5.5

• COBOL all versions (V5.1 required for Native SQL)

• RD/z V9.0.1.1 for SOAP Gateway


IMS Transaction Manager


Shared Queues Buffer Pool Enhancement

• Challenge Addressed
  • Max message queue buffers for the queue pool was limited to 9999
• Solution
  • Increase the max limit to 9999999
  • IMS 14: APAR PI71929/ PTFs UI44745, UI44747
• Business Value
  • Provides more capacity for Shared Queues message processing

Target Market: IMS Shared Queues users


MFS protected field validation enhancement

• Challenge Addressed
  • 3270 MFS protected field data is not validated
• Solution
  • Option to validate content of protected fields for changes when the field is returned and reject the input if data alteration has occurred.
  • IMS 14: APAR PI51565/ PTFs UI45620, UI45621
• Business Value
  • Detects that the content of a protected data field has been altered from the original formatted content transmitted to the 3270/SLU2 device
  • Improves data integrity

Target Market: IMS device type 3270/SLU2 users of Message Format Service (MFS).


Option to Bypass Password Checking in ETO exit DFSSGNX0

• Challenge addressed
  • The ETO function needs the flexibility to request that certain terminals be allowed to signon without a password check
• Solution
  • Provide a new PASSCHK=NO option flag to the ETO signon exit routine, DFSSGNX0
  • When specified, IMS issues RACROUTE REQUEST=VERIFY with PASSCHK=NO.
  • IMS 14: APAR PI72015/ PTFs UI44788, UI44789
  • IMS 15: APAR PI73204/ PTFs UI44793 UI44794
• Business value
  • Provides greater control for terminal signon requirements
  • Corresponding enhancements in the IMS ETO Support Tool can take advantage of this capability

Target Market: Users of ETO


OTMA ACEE Aging Enhancement

• Challenge Addressed
  • Potential for abend, e.g., S878, due to unlimited number of cached ACEEs
  • Primarily caused by using the ACEE aging default value of 11 days
• Solution
  • Enable flood control for OTMA ACEEs and allow specification of a maximum number of ACEEs that can be cached
  • Enhance the /DISPLAY OTMA command to show ACEE usage
  • Enhance the /SECURE OTMA command to dynamically override the ACEE aging value and expedite the ACEE cleanup process
  • IMS 14: APAR PI68466/PTFs UI47190, UI47191
• Business Value
  • Greater control of the OTMA environment and protection from flooding the ACEE cache

Target Market: All OTMA users who use security checking of FULL or CHECK


Transaction Expiration enhancement

• Challenge Addressed
  • Inconsistency between OTMA and non-OTMA environments when a transaction reaches the expiration time value
• Solution
  • New default action which discards the expired OTMA input message without abending the message region with a pseudo ABENDU0243
    • Similar to existing support for non-OTMA expired messages
  • New U243 option to continue ABENDU0243 without DFS554A and symptom dump
  • IMS 14: APARs PI51834/ PTF UI36100, IMS 13: APAR PI51833/ PTFs UI36299
  • IMS 15: APAR PI83453, PTF UI48974
• Business Value
  • Greater control over the transaction expiration action
  • Saves CPU cycles needed to process the ABENDU0243 and addresses potential flooding of the console

Target Market: OTMA transactions that have coded EXPRTIME


Transaction Expiration enhancement …

• TODUMP = YES | NO | U243 parameter (optional) in the OTMA member client descriptor (M descriptor) in DFSYDTX member of proclib
  • If YES is specified, a pseudo ABENDU0243 with DFS554A and symptom dump will be generated
    • Same action prior to these enhancements
    • For each expired OTMA transaction or for a transaction in a shared queues back-end reaching MAXTP at GU
  • If NO is specified (new default), IMS will simply discard the expired transaction without the ABENDU0243 to save CPU cycles.
    • No x’56’ log record
    • X’67D0’ log record can be used for diagnostic information associated with the affected transaction.
  • If U243 is specified, a pseudo ABENDU0243 is issued but without a DFS554A message and without generating a symptom dump
    • X’56’ log record associated with the ABENDU0243 continues to be issued
• For shared queues environment, TODUMP= needs to be specified in the front-end IMS descriptor


New RACFMSG Startup Parameter

• Challenge addressed
  • Customers need more information, e.g. last access time, when the DFS3650I successful signon message is displayed
• Solution
  • New parameter, RACFMSG, that specifies whether (Y) or not (N) to pass RACF signon messages (ICH70001I) to user exit DFSGMSG0 (Greetings Message Exit Routine)
  • The exit routine can be modified to take this information and pass it to the end user
  • IMS 14: APAR PI65025, IMS13: PI60288/ PTFs UI72425, UI42746
  • IMS 15: APAR PI85328
• Business value
  • Allows the DFS3650 welcome screen to be enhanced to include more information from RACF, e.g., date and time of last access

Target Market: All users


RACF Special Characters

• RACF introduced 14 special characters that can be used in RACF passwords (SAF APAR OA43998 and RACF APAR OA43999)
  • The symbols shown are for EBCDIC code page 1047 or 037
  • Special Characters (EBCDIC):
    4B 4C 4E 4F 50 5A 5C 60 6C 6D 6E 6F 7A 7E  <-- Hex value
    .  <  +  |  &  !  *  -  %  _  >  ?  :  =   <-- Symbol
  • These special characters are in addition to the existing national characters: 5B 7B 7C ($ # @)
  • PI48111/ PUI34376 (IMS14), PI54037/UI36544/UI36545 (IMS 13)
  • Additional fixes PI55645/ PTF UI34969 (IMS14), and PI74890 (IMS 14)
• IMS Connect
  • Accepts passwords, sent by TCP/IP clients, that contain the new special characters
  • APAR PI48112/PTF UI33600 (IMS14), APAR PI54038/PTF UI36524 (IMS13)
• Business Value
  • Support for the RACF SETROPTS PASSWORD(SPECIALCHARS) installation specification

Target Market: All users


RACF Special Characters …

• Impact on passwords in IMS commands when the extended set of characters is used
  • If a period is needed to end the command (delimiter) and the last parameter is a password, a space should be entered before the period to signify the end of command:
  • /Sign
    • Since a period becomes a valid character as part of the RACF password
    • If it is intended to be the end-of-command delimiter then when a password is specified at the end of the command, a space should be inserted prior to the end-of-command period
    • Before: /SIGN ON userid pswd.
      After: /SIGN ON userid pswd .
  • /OPNDEST - if last parameter of the command is a password, add a blank before the period
  • /LOCK, /UNLOCK, /SET, /UNSET
    • Period in the password brackets will not be treated as a delimiter


RACF Special Characters …

• Impact
  • The client password change exit routine HWSPWCH0 has been modified to support special characters in RACF passwords
  • You may need to bind this new copy to your existing user message exit(s)
    • HWSDPWR1, HWSJAVA0, HWSSMPL0, HWSSMPL1
  • The service includes the IMS-supplied exits
    • Depending on how your zones are configured, SMP/E APPLY of this service may re-bind the user message exits into SDFSRESL
    • Otherwise, or if you have written your own version of the exit, then you may need to re-assemble and re-bind the routines
• Possible unpredictable results
  • If you have enabled special character support in RACF and you have systems running mixed versions of IMS Connect and/or IMS Connect systems without the maintenance applied


RACF Special Characters …

• IMS Connect clients

• When passing the special characters to IMS Connect

• Must use the appropriate hexadecimal values

• Additional service for IMS Connect clients to enable the client support for the special characters

• IMS Universal Drivers - APAR PI30848/ PTF UI34793

• IMS Enterprise Suite Connect API for Java – APAR PI52846/ PTF UI34749

• The following clients do not need additional service

• IMS Enterprise Suite SOAP Gateway

• IMS Transaction Manager (TM) Resource Adapter

Before enabling special character support in RACF, ensure:

IMS Connect systems have the appropriate service applied

IMS Connect TCP/IP clients support sending password with special characters
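
A pre-flight check for the last point, as an added example that is not part of the original deck: it verifies that the code page a TCP/IP client uses to build the password bytes produces the hex values listed on the "RACF Special Characters" slide. The function names are hypothetical, and Python's `cp037` and `cp500` codecs stand in for whatever code page the client really uses.

```python
# Hex values and symbols exactly as listed on the "RACF Special Characters"
# slide (EBCDIC code page 1047 or 037), plus the three national characters.
SLIDE_TABLE = {
    ".": 0x4B, "<": 0x4C, "+": 0x4E, "|": 0x4F, "&": 0x50, "!": 0x5A,
    "*": 0x5C, "-": 0x60, "%": 0x6C, "_": 0x6D, ">": 0x6E, "?": 0x6F,
    ":": 0x7A, "=": 0x7E, "$": 0x5B, "#": 0x7B, "@": 0x7C,
}


def codepage_mismatches(codec):
    """Return {symbol: (expected, actual)} for symbols the codec encodes
    to a byte other than the one listed on the slide."""
    bad = {}
    for symbol, expected in SLIDE_TABLE.items():
        actual = symbol.encode(codec)[0]
        if actual != expected:
            bad[symbol] = (expected, actual)
    return bad


def encode_password(password, codec="cp037"):
    """Encode a password for an IMS Connect request (hypothetical helper).

    Refuses a code page that disagrees with the slide's table, and refuses
    characters outside letters, digits and the listed symbols, so that a
    password never reaches the host as different bytes than intended.
    """
    mismatches = codepage_mismatches(codec)
    if mismatches:
        raise ValueError(f"{codec} encodes {sorted(mismatches)} differently")
    for ch in password:
        if not (ch.isascii() and ch.isalnum()) and ch not in SLIDE_TABLE:
            raise ValueError(f"character {ch!r} is not in the supported set")
    return password.encode(codec)


if __name__ == "__main__":
    # Constructed sample password, not a real credential.
    print(encode_password("Ab1!x.y=").hex(" "))
    print(codepage_mismatches("cp500"))
```

With `cp500`, the check reports `!` and `|`: that code page puts them at different byte values than 037, which is one way a client can end up sending bytes the host does not interpret as the intended password.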


Enhancement to AUTOSIGNON for TCO terminals

• Challenge addressed
  • TCO script security is based on issuing the /SIGN on command in the script to provide a userid to use for transaction/command authorization
• Solution
  • New parameters in DFSDCxxx provide userids for transaction/command authorization for TCO terminals
    • TCOUSID: x’03’ log records do not show value (userid is not signed on)
    • SIGNTCO: LTERM is signed on and is shown in the x’03’ log records. IMS will also signon with this front-end userid for transaction authorization on a back-end system
  • IMS 14: APAR PI60293/ PTFs UI42280, UI42281
• Business value
  • Removes the need to issue /SIGN command in the TCO script
  • TCO script can still issue /SIGN command

Target Market: All users of TCO


Repository support for dynamically defined MSC Resources

• Challenge Addressed
  • MSC resources that were created or modified dynamically were saved across an IMS cold start only if stage-1 system definition macros were used and IMS was taken offline
• Solution
  • MSC resources exported to the IMSRSC repository can automatically be retrieved by IMS at cold start
  • IMS 14 APARs PI50129/ PTF UI44232
  • Pre-conditioning code: APAR PI71641/ PTF UI42667
• Business Value
  • All MSC definitions are stored in a single centralized location
  • Can reduce the time to cold start IMS

Target Market: IMS MSC users who dynamically create MSC resources


Repository support for MSC …

• Background
  • Dynamic MSC support was introduced as part of base IMS 14
  • Optional functionality to dynamically create/delete/update MSC definitions
    • Specified through the MSC options in the DFSDFxxx proclib member
      • MSCRSCS=DYN
    • Leverages enhanced Type 2 commands to create and delete MSC links dynamically
    • Requires implementation of the CSL (Common Service Layer)
      • SCI, OM
  • Supports movement away from static system definitions


Repository support for MSC …

• What’s new?
  • MSC Repository Enablement
    • Enhancement to the Repository capability to include MSC resources
    • Option to harden or EXPORT runtime resources that have been modified since the last checkpoint
      • Automatically during shutdown
      • At IMS checkpoint (system or by command /CHE)
    • Option to load or IMPORT definitions from the IMSRSC repository during a cold start


Repository support for MSC …

• Implication for Dynamic Resource Definition (DRD) environments
  • Movement away from using the RDDS (resource definition data sets) to harden DRD resources
  • New functionality such as MSC support will only be implemented in the IMSRSC Repository
  • Consider a migration strategy from the use of RDDS to the Repository


IMS 15 – Network Security Credential Propagation

• Challenge Addressed
  • Inability to log and audit a distributed end-user’s identity
  • Network security credentials may differ from the SAF identity used for IMS security
• Solution
  • Enhancement that propagates the network security credential to IMS
    • Up to 246 bytes for client end-user identity
    • Plus up to 254 bytes for a realm or registry identity
  • Requires:
    • IMS 15, IMS Connect 15, IMS TMRA 15
    • For mobile support, IMS Service Provider and z/OS Connect EE
• Business Value
  • Provides enhanced auditability and accountability in enterprise environments
  • Enhances IMS callout security with the original user credential for external

Target Market: IMS environments that need to keep track of the original network security credential


Network Security Credential Propagation…

• Each distributed identity consists of two parts:
  • Distributed client end user's identity – “Network user id”
    • This identity can be up to 246 bytes. For example, it can be a Distinguished Name (DN) which is fully documented in the X.500 series of standards.
    • Example: CN=Jane Doe,OU=Sales,DC=IBM,DC=COM
    • CN (commonName), L (localityName), ST (stateOrProvinceName), O (organizationName), OU (organizationalUnitName), C (countryName), STREET (streetAddress), DC (domainComponent), UID (userid)
  • Registry identity – “Network session id”
    • This identity can be up to 254 bytes. It can be a realm or registry. For example, it can be a Domain name which is name of security database used to authenticate the distributed user.
    • Example: LDAP server ldaps://us.svl.ibm.com


NSCP – The Problem

[Diagram labels: Distributed Application, such as WAS; ICON; System z; z/OS; IMS; Msg Q.; IMS Log Record 01,03..; RACF user-ID “IMSADMIN”]

1. User initiates transaction. Provides login credentials, for example, [email protected]
2. User is authenticated.
3. User distributed identity discarded and RACF user ID, for example IMSADMIN, selected and passed to IMS.
4. IMS runs transaction authorization using selected RACF ID.
5. Jane initiates the transaction, but RACF user id IMSADMIN is logged in IMS log record.

Issue: Need to propagate original network ID of end user to IMS for logging / auditing
Jane’s distributed identity is lost


NSCP – The Solution

[Diagram labels: Distributed Application, such as WAS; ICON; System z; z/OS; IMS; Msg Q.; IMS Log Record 01,03..; RACF user-ID; Distributed ID]

1. User initiates transaction. Provides login credentials, for example, [email protected]
2. User is authenticated.
3. User distributed identity and selected RACF user ID are passed to IMS.
4. ICON builds security prefix with both RACF user ID and user distributed ID.
5. IMS runs transaction authorization using selected RACF ID.
6. Jane initiates the transaction, both RACF user id and user distributed ID are logged in IMS log record.


Client support for IMS NSCP

• IMS enhances the following to participate in network security credential propagation
  • IMS TM Resource adapter – e.g., when implemented in a JEE server such as WebSphere Application Server
  • WAS Liberty with z/OS Connect and the IMS Service Provider
• In progress
  • OTMA C/I
    • Maximum network userid is 100 bytes
    • Maximum network session id is 100 bytes
  • Roll-Your-Own IMS Connect clients
    • Security extensions to the IRM header


NSCP – IMS View

[Diagram labels: Distributed Application, such as WAS; z/OS; IMS Connect; IMS Front-end; OTMA descriptor LOGSTR=NO|YES; RACF; RACF-ID; Distributed ID; Audit Record; SMF; Log; Logstream data; Sysplex; Shared-Queues Back-end; IMS Back-end(s); MSC remote]

IMS Connect forwards network credential on to IMS OTMA

1) IMS OTMA security prefix is expanded to include network userid and network session ID.
2) First 255 bytes of network credential is included in RACF SMF record if OTMA descriptor LOGSTR= parameter is YES.
3) IMS transaction authorization exit DFSCTRN0 can be passed with the network userid and session ID.
4) OTMA exits, DFSYIOE0, DFSYPRX0, and DFSYDRU0 can be used to access OTMA security prefix.

Page 46: IMS 15 Continous Delivery - IMS UG Oct 2017 Omaha


NSCP – OTMA Support

Extensions to the OTMA Security Prefix

OTMA Prefix

MCI | State Data | Security | User Data LLZZ Trancode App Data Seg(s)

OTMA Security Prefix:

• Security prefix length (2 bytes)

• Security flag for OTMA profile security (1 byte)

• Reserved field (1 byte)

• RACF User ID (1 byte length + x'02' + 1-8 bytes of RACF user ID)

• RACF group name (1 byte length + x'03' + 1-8 bytes of RACF group name)

• RACF Utoken (1 byte length + x'00' + up-to 50 bytes of RACF utoken)

• Network userid (1 byte length + x'04' + 1-246 bytes of network user ID)

• Network session ID (1 byte length + x'05' + 1-254 bytes of network session ID)

OTMA State Data Prefix

• For transaction and callout messages: Byte 2 of Server state - new flag x’02’ identifies a callout message with the original security credential in the security prefix

• For Resume output for the hold queue for a tpipe: New value of x’10’ under byte 3 of the Callout Mode indicates Resume TPIPE supports NSCP
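The security prefix layout above can be walked field by field when auditing captured prefixes. The following Python parser is an added example, not IBM code or part of the original slides; it assumes that the 2-byte prefix length counts the whole prefix, that each 1-byte field length counts the type byte plus the data, and that text fields are EBCDIC code page 037. The function names and all sample values are constructed.

```python
import struct

# Field type codes and maximum data lengths, taken from the slide's layout.
FIELDS = {0x00: ("racf_utoken", 50), 0x02: ("racf_userid", 8),
          0x03: ("racf_group", 8), 0x04: ("network_userid", 246),
          0x05: ("network_session_id", 254)}

def build_prefix(flag, fields):
    """Build a prefix for testing. ASSUMPTIONS: the 2-byte length counts the
    whole prefix, and each 1-byte length counts the type byte plus the data."""
    body = b"".join(bytes([len(d) + 1, t]) + d for t, d in fields)
    return struct.pack(">HBB", len(body) + 4, flag, 0) + body

def parse_security_prefix(buf, codec="cp037"):
    """Return (flag, fields, problems); never reads past the buffer."""
    if len(buf) < 4:
        raise ValueError("security prefix shorter than its 4-byte header")
    total, flag, _reserved = struct.unpack(">HBB", buf[:4])
    problems = []
    if total > len(buf):
        problems.append(f"declared length {total} exceeds {len(buf)} bytes present")
        total = len(buf)
    fields, pos = {}, 4
    while pos < total:
        flen = buf[pos]
        end = pos + 1 + flen
        if flen == 0 or end > total:   # no type byte, or field overruns prefix
            problems.append(f"bad field length {flen} at offset {pos}")
            break
        ftype, data = buf[pos + 1], buf[pos + 2:end]
        name, max_len = FIELDS.get(ftype, (None, 0))
        if name is None:
            problems.append(f"unknown field type 0x{ftype:02x} at offset {pos}")
        elif len(data) > max_len:
            problems.append(f"{name} is {len(data)} bytes, maximum is {max_len}")
        elif ftype == 0x00:
            fields[name] = data                # utoken is opaque binary
        else:
            fields[name] = data.decode(codec)  # EBCDIC text (codec is assumed)
        pos = end
    return flag, fields, problems

# Constructed sample: every value below, including the flag byte, is made up.
SAMPLE = build_prefix(0xC6, [
    (0x02, "JANE".encode("cp037")),
    (0x03, "TELLERS".encode("cp037")),
    (0x04, "jane.doe@example.test".encode("cp037")),
    (0x05, "sess-0001".encode("cp037")),
])

if __name__ == "__main__":
    print(parse_security_prefix(SAMPLE))
    print(parse_security_prefix(SAMPLE[:-3]))  # truncated capture
```

A truncated capture still yields the fields that are complete, and the problems list records what was cut off, so an audit job can flag the record instead of silently dropping the distributed identity.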

Page 47: IMS 15 Continous Delivery - IMS UG Oct 2017 Omaha


NSCP – IMS Support

When the distributed network security credentials are in the OTMA security prefix

• Non-fast path transactions

• All existing log records that carry the OTMA prefix will also contain the network security credentials, e.g., IMS log records x’01’ and x’03’.

• Local EMH processing

• X’5901’ log record, which is logged after the input message, also contains the credentials

• Shared EMH processing

• Front-end IMS: credentials are logged in the x’5911’ log record

• Back-end IMS which is the processing IMS

• X’5901’ log record (as in local EMH processing) contains the credentials

Page 48: IMS 15 Continous Delivery - IMS UG Oct 2017 Omaha


NSCP - SMF

To have the network security credential included in the RACF SMF records, code LOGSTR=YES in the OTMA client descriptor.

LOGSTR=NO | YES

• LOGSTR is an optional parameter

• No: default

• Yes: specifies that up to 255 bytes of the user's distributed identity are to be included in the RACF SMF x’80’ process records

• The identity, which consists of the network user id and session id, must exist in the OTMA input security prefix in order to be included in the SMF records

• The format of the network user id and network session id in the SMF records is identical to the corresponding format in the OTMA security prefix.

• Syntax errors result in DFS2385E

DFS2385E SYNTAX ERROR FOR DESCRIPTOR = descriptor errortext

Page 49: IMS 15 Continous Delivery - IMS UG Oct 2017 Omaha


NSCP - Enhanced INQY call to get network info

>>-INQY--aib--i/o area----------------------------><

Where aib consists of:

– AIBID

– AIBLEN

– AIBSFUNC = MSGINFO (for Network Security Credential Propagation)

– AIBOALEN – size of I/O Area

Example: CALL ‘AIBTDLI’ USING INQY, AIB, IOAREA

[Diagram: the IMS application issues INQY to OTMA and receives the i/o area. Fields shown in the i/o area: Version number = 2; Original IMS ID; Addr(Network ID) or zero; Addr(Session ID) or zero; LL + Network ID; LL + Session ID; 60 bytes reserved]

Note: Version number will be 2 when any network security credentials are returned. Otherwise it will be 1.

INQMSGIN DSECT in DFSINQY MACRO

Locate the field by using the address of the field that is returned in the data output of the INQY MSGINFO call

Page 50: IMS 15 Continous Delivery - IMS UG Oct 2017 Omaha


NSCP - Enhanced Callout with original user credential

[Diagram labels: WAS; External Server; IMS Connect; OTMA; IMS Application (GU, IOPCB; ISRT, IOPCB); Callout Request; Callout Response; Response]

1. Send network security credential to IMS (provider scenario)

2. ICAL

3. Callout request with the original user security credential (consumer scenario)

4. Callout Response

5. Transaction Response

• If the original transaction input message from an OTMA client, e.g., IMS Connect, contains a distributed network credential

– The callout message from an IMS dependent region will keep the original network credential in the OTMA security prefix

• If the Resume Tpipe request does not support the distributed network credentials

– IMS will delete the credentials from the OTMA security prefix for the output message

Page 51: IMS 15 Continous Delivery - IMS UG Oct 2017 Omaha


Planning for NSCP

• To log the network credentials in RACF SMF records

• If LOGSTR=YES is specified in the OTMA client descriptor, up to 255 bytes of the network credential will be logged in the RACF SMF x’80’ record.

• Large number of messages with network security credential propagation

• Can impact XCF and TCP/IP transmission

• Operational Considerations

• Since OTMA message prefix with the additional network security credential info is stored on IMS message queue data sets

• Log volume and the usage of the queue buffer pool will be increased

• SHMSG and LGMSG might need to be resized

Page 52: IMS 15 Continous Delivery - IMS UG Oct 2017 Omaha


IMS 15 - IMS Connect

Target Market: All users of IMS Connect solutions

• End of support for SSL

• Migrate to the use of z/OS Application Transport Layer Security (AT-TLS)

• Standardization of secure sockets at a z/OS TCP/IP stack layer

• End of support for Local Option

• Used only by IMS TM Resource Adapter (IMS TMRA in zWAS)

• Migrate to the use of standard TCP/IP sockets

• IMS Connect RAS Enhancements

• Increase of Maximum number of ports

• Performance improvement when obtaining storage

• New idle timeout parameter for sockets

• New options for controlling RACF statistics

• …

Page 53: IMS 15 Continous Delivery - IMS UG Oct 2017 Omaha


Increase in the Maximum Port Limit

• Pre-15 IMS Connect limits the total number of ports to 50

• Includes the sum of: Regular ports, DRDA ports, and CICS ports

• Issue: For >50 ports, another IMS Connect instance must be started

• Potential issues with management and automation when dealing with multiple IMS Connect instances

• IMS Connect 15 increases the port limit to 200

• Ports in HWSCFGxxx can be a combination of the following

• Regular ports defined by PORT or PORTID (TCPIP statement)

• DRDA ports defined by DRDAPORT (ODACCESS statement)

• CICS ports defined by the CICSPORT (TCPIP statement)

• If more than 200 ports are defined, when IMS Connect tries to start, it issues the following existing error message and abends with U3401:

• HWSX0909E ERROR IN PROCESSING CONFIG MEMBER confname; M=XCFG

HWSX0909E TOTAL NUMBER OF PORTS EXCEEDS MAXIMUM; R=184, S=MAXPORTS

Page 54: IMS 15 Continous Delivery - IMS UG Oct 2017 Omaha


Idle timeout on socket connection

• The existing TIMEOUT= parameter in the TCPIP statement controls:

• The amount of time IMS Connect waits for the first message from the client following the initial socket connection

• The amount of time IMS Connect waits for a response from IMS after receipt of the initial message

• IMS Connect 15 introduces a new IDLETO= parameter

• Specified in the TCPIP statement and/or PORT statement

• Idle timeout value for a client connection

• Controls the amount of time IMS Connect waits for a new message from the client (in RECV state) before it terminates the socket connection due to inactivity

• IDLETO=0 disables the timeout (default)

• Valid values: 0 to 2147483647

• IMS 15 APARs PI73213, PI77200/ PTFs UI44506, UI45413

Page 55: IMS 15 Continous Delivery - IMS UG Oct 2017 Omaha


Idle timeout on socket connection

[Diagram: message flows between Client, ICON and IMS, starting from the initial connection]

Scenario 1: No initial msg from the client: TIMEOUT

Scenario 2: Transaction msg is sent from the client through ICON to IMS; no response msg: TIMEOUT

Scenario 3: Transaction msg is sent and the response msg is returned; no next msg from the client: IDLETO

• IDLETO Considerations

• The global idle timeout value in the TCPIP statement applies to all PORT= and PORTID= ports

• The PORT specific idle timeout value in the PORT statement overrides the global idle timeout value

• Note: When using connection pooling, do not specify the IDLETO parameter

• Connection pooling expects connections to be available even in periods of slow activity

Page 56: IMS 15 Continous Delivery - IMS UG Oct 2017 Omaha


ODRACFST parameter in ODACCESS statement

• Issue

• When using DRDA port connections, IMS Connect always issues

• RACF RACROUTE REQUEST=VERIFY STAT=NO (even when RACF=Y)

• The STAT=NO option tells RACF NOT to update the statistics

• Customers may want statistics such as the users’ “last access” date and time to enforce password change frequencies and automatic revocation due to inactivity

• Solution

• New ODRACFST parameter in the ODACCESS statement controls RACF calls

• When enabled, minimizes performance impact by updating RACF statistics only once a day

• N results in STAT=NO on the RACF RACROUTE user authentication calls

• Y results in STAT=ASIS. The messages and statistics are further controlled by the installation’s statistics option on the RACF SETROPTS command

• IMS 14: APAR PI80202/ PTF UI47653

Page 57: IMS 15 Continous Delivery - IMS UG Oct 2017 Omaha


Other IMS Connect RAS Enhancements

• New option to enable the Recorder trace on a port level

• Trace data is captured only for the port specified in the command

• More granular level

• Enhancement to add the transaction code associated with an output message that cannot be sent

• HWSD0252W UNABLE TO SEND RESPONSE FROM DS=IMS1 TO CLIENT=CLIENT01;

R=4, S=LATEMSG , TRAN=ITOC04 , M=DREC

• New exits HWSSMPL2 and HWSSMPL3

• Provide the same functionality as HWSSMPL0 and HWSSMPL1

• With improved addressability and cleanup of unused code

• Allows more room for modifications

• Optional WTOR parameter for IMS Connect command input

• Provides a configuration parameter to show or not show the WTOR command input prompt

• Disabling the command prompt clears screen space for environments that have multiple IMS Connect systems but where WTOR commands are not used

Page 58: IMS 15 Continous Delivery - IMS UG Oct 2017 Omaha


Other IMS Connect RAS Enhancements…

• Change some FWE block from STORAGE OBTAIN to CPOOL

• Improves performance and CPU utilization (performance)

• Delay IMS Connect Ready message until all initialization completes

• Provides automation the correct timing for when IMS Connect is ready to process commands (reliability)

• Close the listening socket earlier on shutdown

• Reduces CPU usage by rejecting client reconnects (reliability, performance)

• Enhanced diagnostics on RRS-related DRDA errors

• Provides more diagnostic information for RRS related errors (serviceability)

• User debug mode in message

• Provides a bit indicator to notify user exits that they can perform their own debug processing. (serviceability)

• BPETRACE before and after User Message Exit calls

• Provides additional diagnostic information. (serviceability)

Page 59: IMS 15 Continous Delivery - IMS UG Oct 2017 Omaha


IMS 15 IMS Connect

• Migration Consideration

• In IMS 15, IMS Connect requires at least 3 MB more storage than in previous releases

• Review IMS Connect region size accordingly

• Overall Business Value

• Improvements to performance, reliability, availability, and serviceability of IMS Connect functionality which is a key component of the IMS integration strategy