IMS 15 Continuous Delivery - IMS UG Oct 2017 Omaha
© Copyright IBM Corporation 2017.
IMS Continuous Delivery
IMS is Moving toward Continuous Delivery
• The ability to become more agile by delivering code/function more frequently
• Eliminates ad hoc SPEs
• Allows flexibility for certain types of changes that are best on a release boundary, including:
  • Raising the bar on minimum hardware and software levels
  • Dropping support for function
  • Major changes to infrastructure control blocks
  • Changes that require full reassembly of IMS
• IMS 14
  • Continues to deliver new function
• IMS 15 has just been announced (10/3/2017)
3
© Copyright IBM Corporation 2017.
Why Continuous Delivery?
Issues with current process
• Two year release cycle causes new function to be delivered too late
  • Clients already have solutions in place by the time the release is delivered
• Major enhancements not widely exploited across our client set
• Exploitation of new technology is provided too late for clients to be among the first to exploit it for business critical applications
Focus for Continuous Delivery
• Right function is available at the right time
• Strategic function delivered when ready
• Focus is on delivering what our client set needs to drive their business forward
Customer Feedback
• Allow me to enable the function, do not make it a default
• Customers are OK if CD is delivered via the service process
• Deliver code every 4 to 6 months
• Sync deliveries with RSUs (recommended service upgrades)
• Delivery and implementation should be consistent within the Z platform
Continuous Delivery Strategy
• For the z/OS Environment
  • http://www.redbooks.ibm.com/redpapers/pdfs/redp5340.pdf
• For the IMS environment
  • https://www.linkedin.com/pulse/do-you-have-questions-ibms-move-continuous-delivery-jasminder-singh
  • “In March 2016, this IBM Redpaper was released, articulating how z/OS was moving to a continuous delivery implementation model. As software that runs on z/OS, IMS chose to align with this and deliver production-ready features and functions on a more frequent basis.”
• Almost all new functions will be shipped disabled, or turned off, with a few exceptions
  • A command or parameter will allow the function to be activated
Continuous Delivery Strategy …
• For the IMS Environment…
  • The continuous delivery (CD) model is intended to enhance the most recent in-service version of IMS
  • As soon as new IMS function or support for new technology is developed and tested, it is immediately released in a PTF
  • When a new version of IMS is released, continuous delivery enhancements are applied only to the new version of IMS, and the previous version is designated as a long term support release (LTSR) and is no longer enhanced
  • In most cases, new functionality or support is delivered disabled by default, so that you can enable it when you are ready. However, some functionality might be delivered enabled, due to technical or strategic requirements. For those enhancements that are delivered disabled, most will be enabled by a command or new parameter.
  • https://www.ibm.com/support/knowledgecenter/SSEPH2_14.1.0/com.ibm.ims14.doc.rpg/ims_cd_process_overview.htm

IMS 14 and IMS 14 CD
IMS 14 Base Level Summary
Agility
• DEDB Alter enhancements
• User Exit enhancements
• IMS Connect Command enhancements
• OTMA Descriptor enhancements
• Dynamic MSC
Application Deployment/Management
• Catalog - DDL interface
• IMS Management of ACBs
• Catalog Audit Trail
• ODBM Accounting
• Native SQL enhancements
• Cascaded Transaction Support
• DL/I ICAL support for control data
• Dynamic Refresh of (P)WFI regions
IMS & DB2
• FDBR Resolve In-doubt Notification Exit enhancement
• ESAF Subsystem Definition enhancement
• ESAF Associate Thread Exit
Business Growth
• OSAM DEB 24-bit storage VSCR
• OSAM HALDBs 8G support
• Automatic SDEP Buffer Management
• Fast Path 64-bit for high speed utilities
• OTMA TPIPE parallelism
Infrastructure
• DBRC Migration and Coexistence
• DBRC REPAIR Command
• Reduced TCO enhancements
• IMS Repository enhancements
• 64-bit Storage Manager
• OTMA enhancements
• APPC Flood Control
• ISC VTAM Enhancement for ERP messages
• Shared Queues Overflow protection
IMS 14 Continuous Delivery
• IMS 14 recently delivered APARs
  • WLM Mobile/Cloud Workload Pricing (PI46933/PI51948)
  • Repository Support for MSC resources (PI50129)
  • Shared Queues Buffer Pool – increase queue buffers to 9999999 from 9999 (PI71929)
  • MFS protected field validation (PI51565)
  • Transaction expiration enhancement (PI51834)
  • OTMA ACEE aging enhancements (PI68466)
  • AOI Exit DFSAOE000 enhancement (PI79352)
  • New RACFMSG startup parameter (PI65025)
  • Enhancement to AUTOSIGNON for TCO terminals (PI60293)
  • Option to bypass password checking in ETO exit (PI72015/PI73204)
  • Remove IMSid from the Repository
  • Minimum thread specification for ODBM (PI64152)
  • IMS ESS enhancements (PI64496/PI60400)
  • IMS Java applications heap storage relief (PI64241)
  • Support for defining Java environment variables in the JCL (PI68127)
  • IMS Service Provider inclusion in z/OS Connect EE V2.0.5 (PI70342)
  • IMS SOAP Gateway customized headers for sync callout using control data (PI52861)
  • IMS Explorer for Development 3.2.1.8 - TLS v1.2 protocol support
  • CNBA specification for CCTL connectors (PI60717)
  • IMS Catalog Directory Recovery Utility (PI70082)
Completed Enhancements for IMS Managed ACBs
• IMS 14 Database utility support for ACBMGMT=CATALOG
Utility / APAR / PTF / Available:
• Support for ULU utility regions to run under IMS Managed ACBs: APAR PI46907 / PTF UI36467, available 2016-03-23
• Support for HD Unload / Reload utilities in ULU region to run under IMS Managed ACBs: APAR PI46912 / PTF UI39920, available 2016-08-12
• Support for Batch Backout utility to run under IMS Managed ACBs: APAR PI63855 / PTF UI38976, available 2016-07-02
• Support for DB Recovery utility to run under IMS Managed ACBs: APAR PI66598 / PTF UI40944, available 2016-09-24
• Support for Batch Image Copy (DFSUDMP0) utility to run under IMS Managed ACBs: APAR PI61703 / PTF UI39976, available 2016-08-12
• Support for FP-DEDB Area initialization (DBFUMIN0) utility to run under IMS Managed ACBs: APAR PI55596 / PTF UI39974, available 2016-08-12
Completed Enhancements for IMS Managed ACBs (cont’d)
• IMS Catalog utility support for ACBMGMT=CATALOG
• IMS ACBSHR=Y environment support
• IMPORT command
• DDL for DROP DB
  • Support for DDL DROP of database and PROGRAMVIEWs which were never activated with IMPORT command
Utility / APAR / PTF / Available:
• IMS catalog populate utility (DFS3PU00) has support to allow for DOPT PSBs to be added or updated: APAR PI46909 / PTF UI35217, available 2016-02-12
• IMS catalog purge utility will now delete ACBs corresponding to instances of DBDs and PSBs being purged from the IMS catalog: APAR PI55521 / PTF UI35249, available 2016-02-12
• IMS catalog copy utility for import / export (DFS3CCI0 & DFS3CCE0) will import / export ACBs in the catalog directory: APAR PI58722 / PTF UI40956, available 2016-09-24
Completed Enhancements for IMS Managed ACBs (cont’d)
• PI67569, PI70082: IMS Catalog Recovery Utility support
  • Utility to rebuild the IMS “catalog directory” from the catalog
  • Intended for use when a user is fully DDL enabled and no longer maintains DBD and PSB source
• PI51217: IMPORT DEFN SOURCE(CATALOG) enhancement
  • Extends IMPORT DEFN with new keywords
  • Addresses Global OLC concerns
Utility / APAR / PTF / Available:
• HD Reload utility support with Pending changes: APAR PI46914 / PTF UI41626, available 2016-10-14
• IMS V14 Catalog Recovery Utility preconditioning: APAR PI67569 / PTF UI41849, available 2016-10-21
• New Function: Introduces Catalog Directory Recovery Utility to recover the directory component of an IMS catalog: APAR PI70082 / PTF UI43385 (SPE), available 2016-12-22
• New Function: IMPORT DEFN SOURCE(CATALOG) enhancement to allow activation of pending changes of PSBs to only a subset of systems in the IMSplex: APAR PI51217 / PTF UI41861 (SPE), available 2016-10-21
• GSAM PSB with IMS Explorer for Development: APAR PI76835 / PTF UI48922, available 2017-07-28
In Progress Enhancements for IMS 14
Utility / APAR / PTF / Target:
• DFS3PU00 BMP Support: APAR PI81427, target 2017-09-27
• GSAM PSB with IMS Explorer for Development: APAR PI76838 / PTF UI48922, target 2017-09-29
IMS 14… IMS 15
Continuous Delivery enhancements to IMS 14 will be discussed in the sessions today, in addition to an overview of the IMS 15 base support.
IMS 15 Enhancements
IMS Hills
• An application developer can use standard methods to create/modify DB schema definitions without an application or DB outage
• An API developer can create a REST API using a selection of existing or new assets without writing any new code and in a single common tooling experience
• An application developer can deploy an application in IMS using a web-based user interface with limited knowledge of IMS
z Systems Synergy, RFEs, RAS, Analytics, Security
Cloud, API Economy, Database Agility
Arnold Ally Dan
Technical Foundation
IMS Hills…
Cloud, API Economy, Database Agility
• Introducing use of z/OSMF workflows
• Program create user exit
• Reduce need for IMS system definition/sysgen
• Extend PGM refresh for preloaded programs
• Extend PGM refresh for IFPs
• On-line lifecycle operations for APIs with role-based controls
• API and service deployment with UI and automation
• DEDB Alter ALTERAREA Enhancements
• Enable zHyperWrite for WADS
• Enable zHyperWrite for OLDS
• Move logger parms to DFSDFxxx
• Change Default for clearing of VATVPTR
• Allow audit of Network Security Credentials
• CQS Enhanced RCs for Logger Errors
• DBRC Mig/Coex
• zMidas Support
• WADS Encryption
• DEDB Encryption
• FF Compression
• Removal of Functional Support
  • IMS Connect System SSL
  • IMS Connect Local Option support
  • Remote Site Recovery (RSR)
  • Message Format Service SOA support
• Source Shipped modules converted to OCO
• IMS Connect RAS Items
• CQS RAS Items
• IMS Exploitation of Async CF Lock Structure Duplexing
Technical Foundation
IMS 15 (5635-A06) Packaging
IMS 15 Compid: 5635A0600
• IMS 15 System Services: FMID HMK1500
• IMS 15 Database Manager: FMID JMK1501
• IMS 15 Transaction Manager: FMID JMK1502
• IMS 15 ETO Feature: FMID JMK1503
• IMS 15 Java On Demand Feature: FMID JMK1506
• IMS Recovery Level Tracker: deleted for IMS 15
• IMS DB Level Tracker: deleted for IMS 15
• IMS 15 VUE: FMID JMK151Z
• IMS IRLM V2R3: FMID HIR2230
IMS 15…
• Packaging
  • IMS 15 Transaction Manager Value Unit Edition (VUE)
  • IMS 15 ETO Value Unit Edition (VUE)
    • Program number: 5655-TM4
    • Subscription and Support (5655-TMS)
  • IMS 15 Database Manager Value Unit Edition (VUE)
    • Program number: 5655-DS5
    • Subscription and Support (5655-DSR)
  • IMS Enterprise Suite 3.2
    • Program number: 5655-TDA
    • Subscription and Support (5655-T61)
IMS 15…
• Packaging …
  • IMS Service Provider (formerly IMS Mobile Feature Pack)
    • Available with z/OS Connect EE (5655-CEE V2.0.5 or later)
    • APAR PI70458 / PTF UI42590
      • Notified users that the IMS Mobile Feature Pack was removed from the IMS Enterprise Suite (5655-TDA)
    • APAR PI70342 / PTF UI42113
      • Added the IMS Service Provider to z/OS Connect EE V2.0.5
    • Configuration steps for the IMS Service Provider
      • http://tinyurl.com/h87zegn
IMS 15…
• Packaging …
  • JMS API will no longer be packaged with the IMS Enterprise Suite
    • It can be obtained through the Java EE installation or the publicly available Maven repository
• z/OSMF (z/OS Management Facility) Workflows
  • Support the provisioning of an IMS system
  • In addition to the IVP, z/OSMF
    • Enables new functions and maintains a history of all actions and output
IMS 15 Prerequisites …
• IMS 15 QPP announcement letter
  • IBM United States Software Announcement 217-398
  • www.ibm.com/ims and follow the links to IMS 15
  • https://www.ibm.com/us-en/marketplace/ims-15
• Minimum level of Hardware
  • IMS 15 runs only in z/Architecture mode on an IBM System z10 processor or later
  • A coupling facility level of 15 or later is required for the following IMS 15 functions:
    • Operations Manager (OM) Audit Trail, if a coupling facility log stream is used
    • Repository Server Audit Log, if a coupling facility log stream is used
    • Resource Manager (RM), if a resource structure is used
    • Shared-EMH support
    • Shared queues
    • Sysplex data sharing (including data caching and VSO data sharing) with Internal Resource Lock Manager (IRLM) V2.3
IMS 15 Prerequisites
• Minimum level of operating system software
  • z/OS Version 2 Release 2 (5650-ZOS)
    • RACF (included in a separately orderable Security Server feature of z/OS V2.2), or equivalent, if security is used
    • IBM High-Level Assembler Toolkit, a separately orderable feature of z/OS V2.2
    • DFSMS 2.2 APAR OA51385 for WADS zHyperWrite support
    • APAR OA50569 for Data Set Encryption support
• Other Products
  • Java Development Kit (JDK) 8
  • DB2 for z/OS V11 or later
  • CICS V4.2 or later
    • CICS V5.1 is required for ISC TCP/IP
  • WebSphere MQ 7.5
  • WebSphere Application Server for z/OS (5655-W65) or WebSphere Application Server for distributed platforms (5724-J08), V8.5.5
  • COBOL all versions (V5.1 required for Native SQL)
  • RD/z V9.0.1.1 for SOAP Gateway
IMS Transaction Manager
Shared Queues Buffer Pool Enhancement
• Challenge Addressed
  • Max message queue buffers for the queue pool was limited to 9999
• Solution
  • Increase the max limit to 9999999
  • IMS 14: APAR PI71929 / PTFs UI44745, UI44747
• Business Value
  • Provides more capacity for Shared Queues message processing
Target Market: IMS Shared Queues users
MFS protected field validation enhancement
• Challenge Addressed
  • 3270 MFS protected field data is not validated
• Solution
  • Option to validate the content of protected fields for changes when the field is returned, and reject the input if the data has been altered
  • IMS 14: APAR PI51565 / PTFs UI45620, UI45621
• Business Value
  • Detects that the content of a protected data field has been altered from the original formatted content transmitted to the 3270/SLU2 device
  • Improves data integrity
Target Market: IMS device type 3270/SLU2 users of Message Format Service (MFS)
Option to Bypass Password Checking in ETO exit DFSSGNX0
• Challenge addressed
  • The ETO function needs the flexibility to request that certain terminals be allowed to sign on without a password check
• Solution
  • Provide a new PASSCHK=NO option flag to the ETO signon exit routine, DFSSGNX0
    • When specified, IMS issues RACROUTE REQUEST=VERIFY with PASSCHK=NO.
  • IMS 14: APAR PI72015 / PTFs UI44788, UI44789
  • IMS 15: APAR PI73204 / PTFs UI44793, UI44794
• Business value
  • Provides greater control for terminal signon requirements
  • Corresponding enhancements in the IMS ETO Support Tool can take advantage of this capability
Target Market: Users of ETO
OTMA ACEE Aging Enhancement
• Challenge Addressed
  • Potential for abend, e.g., S878, due to an unlimited number of cached ACEEs
    • Primarily caused by using the ACEE aging default value of 11 days
• Solution
  • Enable flood control for OTMA ACEEs and allow specification of a maximum number of ACEEs that can be cached
  • Enhance the /DISPLAY OTMA command to show ACEE usage
  • Enhance the /SECURE OTMA command to dynamically override the ACEE aging value and expedite the ACEE cleanup process
  • IMS 14: APAR PI68466 / PTFs UI47190, UI47191
• Business Value
  • Greater control of the OTMA environment and protection from flooding the ACEE cache
Target Market: All OTMA users who use security checking of FULL or CHECK
Transaction Expiration enhancement
• Challenge Addressed
  • Inconsistency between OTMA and non-OTMA environments when a transaction reaches the expiration time value
• Solution
  • New default action which discards the expired OTMA input message without abending the message region with a pseudo ABENDU0243
    • Similar to existing support for non-OTMA expired messages
  • New U243 option to continue ABENDU0243 without DFS554A and symptom dump
  • IMS 14: APAR PI51834 / PTF UI36100; IMS 13: APAR PI51833 / PTF UI36299
  • IMS 15: APAR PI83453 / PTF UI48974
• Business Value
  • Greater control over the transaction expiration action
  • Saves CPU cycles needed to process the ABENDU0243 and addresses potential flooding of the console
Target Market: OTMA transactions that have coded EXPRTIME
Transaction Expiration enhancement …
• TODUMP = YES | NO | U243 parameter (optional) in the OTMA member client descriptor (M descriptor) in the DFSYDTX member of PROCLIB
  • If YES is specified, a pseudo ABENDU0243 with DFS554A and symptom dump will be generated
    • Same action as prior to these enhancements
    • For each expired OTMA transaction, or for a transaction in a shared queues back-end reaching MAXTP at GU
  • If NO is specified (new default), IMS will simply discard the expired transaction without the ABENDU0243 to save CPU cycles.
    • No x’56’ log record
    • The X’67D0’ log record can be used for diagnostic information associated with the affected transaction.
  • If U243 is specified, a pseudo ABENDU0243 is issued but without a DFS554A message and without generating a symptom dump
    • The X’56’ log record associated with the ABENDU0243 continues to be issued
• For a shared queues environment, TODUMP= needs to be specified in the front-end IMS descriptor
New RACFMSG Startup Parameter
• Challenge addressed
  • Customers need more information, e.g. last access time, when the DFS3650I successful signon message is displayed
• Solution
  • New parameter, RACFMSG, that specifies whether (Y) or not (N) to pass RACF signon messages (ICH70001I) to user exit DFSGMSG0 (Greetings Message Exit Routine)
  • The exit routine can be modified to take this information and pass it to the end user
  • IMS 14: APAR PI65025; IMS 13: APAR PI60288 / PTFs UI72425, UI42746
  • IMS 15: APAR PI85328
• Business value
  • Allows the DFS3650 welcome screen to be enhanced to include more information from RACF, e.g., date and time of last access
Target Market: All users
RACF Special Characters
• RACF introduced 14 special characters that can be used in RACF passwords (SAF APAR OA43998 and RACF APAR OA43999)
  • The symbols shown are for EBCDIC code page 1047 or 037
  • Special Characters (EBCDIC), hex value and symbol:
    4B .   4C <   4E +   4F |   50 &   5A !   5C *
    60 -   6C %   6D _   6E >   6F ?   7A :   7E =
  • These special characters are in addition to the existing national characters: 5B $, 7B #, 7C @
  • PI48111 / PTF UI34376 (IMS 14), PI54037 / UI36544, UI36545 (IMS 13)
  • Additional fixes PI55645 / PTF UI34969 (IMS 14), and PI74890 (IMS 14)
• IMS Connect
  • Accepts passwords, sent by TCP/IP clients, that contain the new special characters
  • APAR PI48112 / PTF UI33600 (IMS 14), APAR PI54038 / PTF UI36524 (IMS 13)
• Business Value
  • Support for the RACF SETROPTS PASSWORD(SPECIALCHARS) installation specification
Target Market: All users
RACF Special Characters …
• Impact on passwords in IMS commands when the extended set of characters is used
  • If a period is needed to end the command (delimiter) and the last parameter is a password, a space should be entered before the period to signify the end of command:
  • /SIGN
    • Since a period becomes a valid character as part of the RACF password
    • If it is intended to be the end-of-command delimiter, then when a password is specified at the end of the command, a space should be inserted prior to the end-of-command period
    • Before: /SIGN ON userid pswd.   After: /SIGN ON userid pswd .
  • /OPNDEST - if the last parameter of the command is a password, add a blank before the period
  • /LOCK, /UNLOCK, /SET, /UNSET
    • A period within the password brackets will not be treated as a delimiter
RACF Special Characters …
• Impact
  • The client password change exit routine HWSPWCH0 has been modified to support special characters in RACF passwords
    • You may need to bind this new copy to your existing user message exit(s)
      • HWSDPWR1, HWSJAVA0, HWSSMPL0, HWSSMPL1
    • The service includes the IMS-supplied exits
      • Depending on how your zones are configured, SMP/E APPLY of this service may re-bind the user message exits into SDFSRESL
      • Otherwise, or if you have written your own version of the exit, then you may need to re-assemble and re-bind the routines
  • Possible unpredictable results
    • If you have enabled special character support in RACF and you have systems running mixed versions of IMS Connect and/or IMS Connect systems without the maintenance applied
RACF Special Characters …
• IMS Connect clients
  • When passing the special characters to IMS Connect
    • Must use the appropriate hexadecimal values
  • Additional service for IMS Connect clients to enable the client support for the special characters
    • IMS Universal Drivers - APAR PI30848 / PTF UI34793
    • IMS Enterprise Suite Connect API for Java – APAR PI52846 / PTF UI34749
  • The following clients do not need additional service
    • IMS Enterprise Suite SOAP Gateway
    • IMS Transaction Manager (TM) Resource Adapter
Before enabling special character support in RACF, ensure:
• IMS Connect systems have the appropriate service applied
• IMS Connect TCP/IP clients support sending passwords with special characters
Enhancement to AUTOSIGNON for TCO terminals
• Challenge addressed
  • TCO script security is based on issuing the /SIGN ON command in the script to provide a userid to use for transaction/command authorization
• Solution
  • New parameters in DFSDCxxx provide userids for transaction/command authorization for TCO terminals
    • TCOUSID: x’03’ log records do not show the value (userid is not signed on)
    • SIGNTCO: LTERM is signed on and is shown in the x’03’ log records. IMS will also sign on with this front-end userid for transaction authorization on a back-end system
  • IMS 14: APAR PI60293 / PTFs UI42280, UI42281
• Business value
  • Removes the need to issue the /SIGN command in the TCO script
    • TCO script can still issue the /SIGN command
Target Market: All users of TCO
Repository support for dynamically defined MSC Resources
• Challenge Addressed
  • MSC resources that were created or modified dynamically were saved across an IMS cold start only if stage-1 system definition macros were used and IMS was taken offline
• Solution
  • MSC resources exported to the IMSRSC repository can automatically be retrieved by IMS at cold start
  • IMS 14: APAR PI50129 / PTF UI44232
    • Pre-conditioning code: APAR PI71641 / PTF UI42667
• Business Value
  • All MSC definitions are stored in a single centralized location
  • Can reduce the time to cold start IMS
Target Market: IMS MSC users who dynamically create MSC resources
Repository support for MSC …
• Background
  • Dynamic MSC support was introduced as part of base IMS 14
    • Optional functionality to dynamically create/delete/update MSC definitions
    • Specified through the MSC options in the DFSDFxxx proclib member
      • MSCRSCS=DYN
    • Leverages enhanced Type 2 commands to create and delete MSC links dynamically
    • Requires implementation of the CSL (Common Service Layer)
      • SCI, OM
  • Supports movement away from static system definitions
Repository support for MSC …
• What’s new?
  • MSC Repository Enablement
    • Enhancement to the Repository capability to include MSC resources
  • Option to harden or EXPORT runtime resources that have been modified since the last checkpoint
    • Automatically during shutdown
    • At IMS checkpoint (system or by command /CHE)
  • Option to load or IMPORT definitions from the IMSRSC repository during a cold start
Repository support for MSC …
• Implication for Dynamic Resource Definition (DRD) environments
  • Movement away from using the RDDS (resource definition data sets) to harden DRD resources
  • New functionality such as MSC support will only be implemented in the IMSRSC Repository
  • Consider a migration strategy from the use of RDDS to the Repository
IMS 15 – Network Security Credential Propagation
• Challenge Addressed
  • Inability to log and audit a distributed end-user’s identity
    • Network security credentials may differ from the SAF identity used for IMS security
• Solution
  • Enhancement that propagates the network security credential to IMS
    • Up to 246 bytes for client end-user identity
    • Plus up to 254 bytes for a realm or registry identity
  • Requires:
    • IMS 15, IMS Connect 15, IMS TMRA 15
    • For mobile support, IMS Service Provider and z/OS Connect EE
• Business Value
  • Provides enhanced auditability and accountability in enterprise environments
  • Enhances IMS callout security with the original user credential for external
Target Market: IMS environments that need to keep track of the original network security credential
Network Security Credential Propagation…
• Each distributed identity consists of two parts:
  • Distributed client end user's identity – “Network user id”
    • This identity can be up to 246 bytes. For example, it can be a Distinguished Name (DN), which is fully documented in the X.500 series of standards.
    • Example: CN=Jane Doe,OU=Sales,DC=IBM,DC=COM
    • CN (commonName), L (localityName), ST (stateOrProvinceName), O (organizationName), OU (organizationalUnitName), C (countryName), STREET (streetAddress), DC (domainComponent), UID (userid)
  • Registry identity – “Network session id”
    • This identity can be up to 254 bytes. It can be a realm or registry. For example, it can be a Domain name, which is the name of the security database used to authenticate the distributed user.
    • Example: LDAP server ldaps://us.svl.ibm.com
NSCP – The Problem
Diagram: a distributed application (such as WAS) sends the transaction through IMS Connect (ICON) to IMS on z/OS (System z); only the RACF user ID “IMSADMIN” reaches the IMS message queue and the IMS log records (01, 03, ...).
1. User initiates transaction. Provides login credentials.
2. User is authenticated.
3. User distributed identity discarded, and RACF user ID, for example IMSADMIN, selected and passed to IMS.
4. IMS runs transaction authorization using selected RACF ID.
5. Jane initiates the transaction, but RACF user ID IMSADMIN is logged in IMS log record.
Issue: Need to propagate original network ID of end user to IMS for logging / auditing
Jane’s distributed identity is lost
NSCP – The Solution
Diagram: as before, but IMS Connect (ICON) passes both the RACF user ID and the distributed ID to IMS, and both appear on the IMS message queue and in the IMS log records (01, 03, ...).
1. User initiates transaction. Provides login credentials.
2. User is authenticated.
3. User distributed identity and selected RACF user ID are passed to IMS.
4. ICON builds security prefix with both RACF user ID and user distributed ID.
5. IMS runs transaction authorization using selected RACF ID.
6. Jane initiates the transaction; both RACF user ID and user distributed ID are logged in IMS log record.
Client support for IMS NSCP
• IMS enhances the following to participate in network security credential propagation
  • IMS TM Resource adapter – e.g., when implemented in a JEE server such as WebSphere Application Server
  • WAS Liberty with z/OS Connect and the IMS Service Provider
    • In progress
  • OTMA C/I
    • Maximum network userid is 100 bytes
    • Maximum network session id is 100 bytes
  • Roll-Your-Own IMS Connect clients
    • Security extensions to the IRM header
NSCP – IMS View
Diagram: a distributed application (such as WAS) connects to IMS Connect, which forwards the network credential on to IMS OTMA in the IMS front-end (OTMA descriptor LOGSTR=NO|YES); within the sysplex the message may be routed to shared-queues IMS back-end(s) or to an MSC remote IMS; RACF writes the audit record (RACF-ID plus distributed ID) to the SMF log, with logstream data shown alongside.
1) IMS OTMA security prefix is expanded to include network userid and network session ID.
2) First 255 bytes of network credential is included in RACF SMF record if OTMA descriptor LOGSTR= parameter is YES.
3) IMS transaction authorization exit DFSCTRN0 can be passed with the network userid and session ID.
4) OTMA exits, DFSYIOE0, DFSYPRX0, and DFSYDRU0 can be used to access OTMA security prefix.
NSCP – OTMA Support: Extensions to the OTMA Security Prefix
OTMA Prefix: MCI | State Data | Security | User Data, followed by LLZZ, Trancode, App Data Seg(s)
OTMA Security Prefix:
• Security prefix length (2 bytes)
• Security flag for OTMA profile security (1 byte)
• Reserved field (1 byte)
• RACF User ID (1 byte length + x'02' + 1-8 bytes of RACF user ID)
• RACF group name (1 byte length + x'03' + 1-8 bytes of RACF group name)
• RACF Utoken (1 byte length + x'00' + up to 50 bytes of RACF utoken)
• Network userid (1 byte length + x'04' + 1-246 bytes of network user ID)
• Network session ID (1 byte length + x'05' + 1-254 bytes of network session ID)
OTMA State Data Prefix:
• For transaction and callout messages: byte 2 of Server state - new flag x’02’ identifies a callout message with the original security credential in the security prefix
• For Resume output for the hold queue for a tpipe: new value of x’10’ under byte 3 of the Callout Mode indicates Resume TPIPE supports NSCP
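Worked example, added here and not IBM's code: a Python encoder and parser for the security section laid out above, using the type bytes and maximum lengths from the slide. It builds a constructed prefix carrying the RACF user ID IMSADMIN plus the DN and LDAP URL the deck uses as examples, parses it back while rejecting overruns, unknown types and over-length fields, and shows dropping the two network fields, which the deck later says IMS does on output when the Resume TPIPE request does not support NSCP. Three details the slide does not pin down are assumptions here: field data is EBCDIC (cp037), the 1-byte field length covers the type byte and the data but not itself (a 254-byte session ID would otherwise not fit), and the 2-byte section length covers the whole section including itself. Check the OTMA reference before relying on any of them.

```python
# Field type bytes from the slide.
TYPE_UTOKEN = 0x00
TYPE_USERID = 0x02
TYPE_GROUP = 0x03
TYPE_NETWORK_USERID = 0x04
TYPE_NETWORK_SESSION = 0x05

# Maximum data length per field type, from the slide.
MAX_DATA_LEN = {
    TYPE_UTOKEN: 50,
    TYPE_USERID: 8,
    TYPE_GROUP: 8,
    TYPE_NETWORK_USERID: 246,
    TYPE_NETWORK_SESSION: 254,
}

HEADER_LEN = 4          # 2-byte section length + 1-byte flag + 1-byte reserved
CODEPAGE = "cp037"      # assumption: field data is EBCDIC


def encode_field(ftype, data):
    """1-byte length + type byte + data.

    Assumption (not stated on the slide): the length byte counts the type byte
    and the data, not itself, so the 254-byte session ID still fits in one byte.
    """
    if ftype not in MAX_DATA_LEN:
        raise ValueError("unknown field type 0x%02X" % ftype)
    if not 1 <= len(data) <= MAX_DATA_LEN[ftype]:
        raise ValueError("field 0x%02X data must be 1-%d bytes" % (ftype, MAX_DATA_LEN[ftype]))
    return bytes([len(data) + 1, ftype]) + data


def build_security_prefix(fields, flag=0x00):
    """Assemble the section; the 2-byte length is assumed to include itself."""
    body = b"".join(encode_field(t, d) for t, d in fields.items())
    total = HEADER_LEN + len(body)
    return total.to_bytes(2, "big") + bytes([flag, 0x00]) + body


def parse_security_prefix(prefix):
    """Return {type: data}. Raises ValueError on anything malformed."""
    if len(prefix) < HEADER_LEN:
        raise ValueError("prefix shorter than its fixed header")
    total = int.from_bytes(prefix[:2], "big")
    if total != len(prefix):
        raise ValueError("section length %d != %d bytes supplied" % (total, len(prefix)))
    fields = {}
    pos = HEADER_LEN
    while pos < total:
        flen = prefix[pos]
        if flen < 2 or pos + 1 + flen > total:
            raise ValueError("field at offset %d overruns the section" % pos)
        ftype = prefix[pos + 1]
        data = prefix[pos + 2:pos + 1 + flen]
        if ftype not in MAX_DATA_LEN:
            raise ValueError("unknown field type 0x%02X" % ftype)
        if len(data) > MAX_DATA_LEN[ftype]:
            raise ValueError("field 0x%02X exceeds %d bytes" % (ftype, MAX_DATA_LEN[ftype]))
        if ftype in fields:
            raise ValueError("duplicate field type 0x%02X" % ftype)
        fields[ftype] = data
        pos += 1 + flen
    return fields


def is_well_formed(prefix):
    try:
        parse_security_prefix(prefix)
    except ValueError:
        return False
    return True


def strip_network_credentials(prefix):
    """Rebuild the section without the x'04'/x'05' fields (what the deck says
    IMS does for output when Resume TPIPE does not support NSCP)."""
    fields = parse_security_prefix(prefix)
    fields.pop(TYPE_NETWORK_USERID, None)
    fields.pop(TYPE_NETWORK_SESSION, None)
    return build_security_prefix(fields, flag=prefix[2])


def describe(prefix):
    """Decode a section into readable strings for an audit view."""
    names = {TYPE_UTOKEN: "utoken", TYPE_USERID: "racf_userid", TYPE_GROUP: "racf_group",
             TYPE_NETWORK_USERID: "network_userid", TYPE_NETWORK_SESSION: "network_session_id"}
    out = {}
    for ftype, data in parse_security_prefix(prefix).items():
        out[names[ftype]] = data.hex() if ftype == TYPE_UTOKEN else data.decode(CODEPAGE)
    return out


# Constructed sample: the RACF ID, DN and registry URL the deck uses as examples.
SAMPLE_FIELDS = {
    TYPE_USERID: "IMSADMIN".encode(CODEPAGE),
    TYPE_NETWORK_USERID: "CN=Jane Doe,OU=Sales,DC=IBM,DC=COM".encode(CODEPAGE),
    TYPE_NETWORK_SESSION: "ldaps://us.svl.ibm.com".encode(CODEPAGE),
}

if __name__ == "__main__":
    full = build_security_prefix(SAMPLE_FIELDS)
    print(len(full), describe(full))
    print(len(strip_network_credentials(full)), describe(strip_network_credentials(full)))
```

The length-consistency checks matter because the deck says the OTMA exits DFSYIOE0, DFSYPRX0 and DFSYDRU0 read this prefix directly: an exit that trusts the per-field length byte without bounding it against the 2-byte section length would read past the section on a malformed message.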
NSCP – IMS Support
• When the distributed network security credentials are in the OTMA security prefix
  • Non-fast path transactions
    • All existing log records that carry the OTMA prefix will also contain the network security credentials, e.g., IMS log records x’01’ and x’03’.
  • Local EMH processing
    • The X’5901’ log record, which is logged after the input message, also contains the credentials
  • Shared EMH processing
    • Front-end IMS: credentials are logged in the x’5911’ log record
    • Back-end IMS, which is the processing IMS: the X’5901’ log record (as in local EMH processing) contains the credentials
NSCP - SMF
To have the network security credential included in the RACF SMF records, code LOGSTR=YES in the OTMA client descriptor.
LOGSTR=NO | YES
• LOGSTR is an optional parameter
  • NO: default
  • YES: specifies that up to 255 bytes of the user-distributed identity are to be included in the RACF SMF x’80’ process records
    • The identity, which consists of the network user id and session id, must exist in the OTMA input security prefix in order to be included in the SMF records
    • The format of the network user id and network session id in the SMF records is identical to the corresponding format in the OTMA security prefix.
• Syntax errors result in DFS2385E
  DFS2385E SYNTAX ERROR FOR DESCRIPTOR = descriptor errortext
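Worked example, added here and not IBM's code: what LOGSTR=YES contributes to the SMF record, following the statements above (the identity must be present in the input security prefix; the SMF format is identical to the prefix format) and the 255-byte cap. It validates the descriptor keyword and raises a DFS2385E-style error for anything other than NO or YES, lays out the network user ID and session ID in prefix format, and truncates to 255 bytes. The field layout (1-byte length covering type byte plus data, EBCDIC cp037) is the same assumption as in the security prefix example earlier; the descriptor name and the error text after the "=" are placeholders, since the slide gives only the message skeleton.

```python
CODEPAGE = "cp037"              # assumption: identities are EBCDIC in the prefix
TYPE_NETWORK_USERID = 0x04      # type bytes from the OTMA security prefix slide
TYPE_NETWORK_SESSION = 0x05
MAX_NETWORK_USERID = 246
MAX_NETWORK_SESSION = 254
SMF_LOGSTR_MAX = 255            # "up to 255 bytes" in the RACF SMF x'80' record


def parse_logstr(value, descriptor="DESCR01"):
    """LOGSTR=NO|YES -> bool; anything else is a DFS2385E-style syntax error.

    The slide gives only the message skeleton; the descriptor name and the
    error text are placeholders chosen here.
    """
    v = value.strip().upper()
    if v in ("YES", "NO"):
        return v == "YES"
    raise ValueError("DFS2385E SYNTAX ERROR FOR DESCRIPTOR = %s LOGSTR=%s INVALID"
                     % (descriptor, value))


def logstr_is_valid(value):
    try:
        parse_logstr(value)
    except ValueError:
        return False
    return True


def _field(ftype, data):
    # Same prefix-format assumption as the security prefix example:
    # the length byte counts the type byte and the data, not itself.
    return bytes([len(data) + 1, ftype]) + data


def smf_logstr_data(network_userid, session_id, logstr, descriptor="DESCR01"):
    """Bytes that land in the SMF x'80' record for one input message.

    Empty when LOGSTR=NO, or when the identity is not in the input prefix
    (the slide requires both parts to be present). Otherwise the two fields in
    prefix format, cut at 255 bytes.
    """
    if not parse_logstr(logstr, descriptor):
        return b""
    if not network_userid or not session_id:
        return b""
    uid = network_userid.encode(CODEPAGE)[:MAX_NETWORK_USERID]
    sid = session_id.encode(CODEPAGE)[:MAX_NETWORK_SESSION]
    return (_field(TYPE_NETWORK_USERID, uid) + _field(TYPE_NETWORK_SESSION, sid))[:SMF_LOGSTR_MAX]


def session_id_fully_logged(network_userid, session_id):
    """False when the 255-byte cap cuts into the session ID field.

    With a 246-byte DN only 7 bytes remain: the session ID field header and
    5 bytes of its data, so the registry part of a maximum-length identity is
    mostly absent from the audit record.
    """
    uid_len = 2 + min(len(network_userid.encode(CODEPAGE)), MAX_NETWORK_USERID)
    sid_len = 2 + min(len(session_id.encode(CODEPAGE)), MAX_NETWORK_SESSION)
    return uid_len + sid_len <= SMF_LOGSTR_MAX


if __name__ == "__main__":
    dn, reg = "CN=Jane Doe,OU=Sales,DC=IBM,DC=COM", "ldaps://us.svl.ibm.com"
    print(len(smf_logstr_data(dn, reg, "YES")), session_id_fully_logged(dn, reg))
    print(len(smf_logstr_data("A" * 246, "B" * 254, "YES")),
          session_id_fully_logged("A" * 246, "B" * 254))
```

The truncation check is the practical point for anyone sizing an audit trail on these records: the deck allows 246 + 254 bytes of identity in the prefix but only 255 in SMF, so long DNs push the registry name out of the SMF copy, and the complete credential has to be taken from the IMS log records (x'01', x'03', x'5901') instead.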
NSCP - Enhanced INQY call to get network info
>>-INQY--aib--i/o area----------------------------><
Where aib consists of:
– AIBID
– AIBLEN
– AIBSFUNC: MSGINFO (for Network Security Credential Propagation)
– AIBOALEN – size of I/O Area
I/O area returned to the IMS application by OTMA INQY:
• Version number = 2
• Original IMS ID
• Addr(Network ID) or zero
• Addr(Session ID) or zero
• LL + Network ID
• LL + Session ID
• 60 bytes reserved
Example: CALL ‘AIBTDLI’ USING INQY, AIB, IOAREA
Note: Version number will be 2 when there are any network security credentials returned. Otherwise it will be 1.
INQMSGIN DSECT in DFSINQY MACRO
Locate the field by using the address of the field that is returned in the data output of the INQY MSGINFO call
NSCP - Enhanced Callout with original user credential
Diagram: a distributed client (WAS) sends the transaction via IMS Connect to OTMA and the IMS application (GU, IOPCB; ICAL; ISRT, IOPCB); the callout request goes through IMS Connect to the external server, and the callout response and transaction response return along the same path.
1. Send network security credential to IMS (provider scenario)
2. ICAL
3. Callout request with the original user security credential (consumer scenario)
4. Callout Response
5. Transaction Response
• If the original transaction input message from an OTMA client, e.g., IMS Connect, contains a distributed network credential
  – The callout message from an IMS dependent region will keep the original network credential in the OTMA security prefix
• If the Resume Tpipe request does not support the distributed network credentials
  – IMS will delete the credentials from the OTMA security prefix for the output message
51
© Copyright IBM Corporation 2017.
Planning for NSCP
• To log the network credentials in RACF SMF records
  • If LOGSTR=YES is specified in the OTMA client descriptor, up to 255 bytes of the network credential will be logged in the RACF SMF type 80 record
• A large number of messages with network security credential propagation
  • Can impact XCF and TCP/IP transmission
• Operational Considerations
  • Since the OTMA message prefix with the additional network security credential info is stored on the IMS message queue data sets
    • Log volume and the usage of the queue buffer pool will increase
    • SHMSG and LGMSG might need to be resized
IMS 15 - IMS Connect
Target Market: All users of IMS Connect solutions
• End of support for SSL
  • Migrate to the use of z/OS Application Transparent Transport Layer Security (AT-TLS)
  • Standardization of secure sockets at the z/OS TCP/IP stack layer
• End of support for Local Option
  • Used only by IMS TM Resource Adapter (IMS TMRA in zWAS)
  • Migrate to the use of standard TCP/IP sockets
• IMS Connect RAS Enhancements
  • Increase of the maximum number of ports
  • Performance improvement when obtaining storage
  • New idle timeout parameter for sockets
  • New options for controlling RACF statistics
  • …
Increase in the Maximum Port Limit
• Pre-15 IMS Connect limits the total number of ports to 50
  • Includes the sum of: regular ports, DRDA ports, and CICS ports
  • Issue: for >50 ports, another IMS Connect instance must be started
    • Potential issues with management and automation when dealing with multiple IMS Connect instances
• IMS Connect 15 increases the port limit to 200
  • Ports in HWSCFGxxx can be a combination of the following
    • Regular ports defined by PORT or PORTID (TCPIP statement)
    • DRDA ports defined by DRDAPORT (ODACCESS statement)
    • CICS ports defined by CICSPORT (TCPIP statement)
  • If more than 200 ports are defined, IMS Connect issues the following existing error messages when it tries to start and abends with U3401:
    HWSX0909E ERROR IN PROCESSING CONFIG MEMBER confname; M=XCFG
    HWSX0909E TOTAL NUMBER OF PORTS EXCEEDS MAXIMUM; R=184, S=MAXPORTS
Idle timeout on socket connection
• The existing TIMEOUT= parameter in the TCPIP statement controls:
  • The amount of time IMS Connect waits for the first message from the client following the initial socket connection
  • The amount of time IMS Connect waits for a response from IMS after receipt of the initial message
• IMS Connect 15 introduces a new IDLETO= parameter
  • Specified in the TCPIP statement and/or PORT statement
  • Idle timeout value for a client connection
  • Controls the amount of time IMS Connect waits for a new message from the client (in RECV state) before it terminates the socket connection due to inactivity
  • IDLETO=0 disables the timeout (default)
  • Valid values: 0 to 2147483647
  • IMS 15 APARs PI73213, PI77200/ PTFs UI44506, UI45413
Idle timeout on socket connection
Figure: three timing scenarios between the client, IMS Connect (ICON) and IMS:
• Scenario 1: initial connection, no initial message from the client → TIMEOUT expires
• Scenario 2: transaction message received and passed to IMS, no response message from IMS → TIMEOUT expires
• Scenario 3: transaction message and response message exchanged, then no next message from the client → IDLETO expires
• IDLETO Considerations
  • The global idle timeout value in the TCPIP statement applies to all PORT= and PORTID= ports
  • The PORT specific idle timeout value in the PORT statement overrides the global idle timeout value
  • Note: when using connection pooling, do not specify the IDLETO parameter
    • Connection pooling expects connections to be available even in periods of slow activity
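As an added example (not IMS Connect code), the small model below replays the three scenarios above to make the split between the two timers explicit: TIMEOUT governs the wait for the first client message and the wait for the IMS response, IDLETO governs the RECV wait after a response has been sent, and IDLETO=0 leaves the socket open. Time units are abstract, "expired" is taken to mean elapsed time reaching the limit, and the event names and states are this example's own; none of that is IMS Connect's internal design.

```python
"""Which timer closes an IMS Connect client socket: TIMEOUT or IDLETO?

Added example, not IMS Connect code. It replays the slide's three scenarios
over constructed event timelines. Times are abstract units (the real
parameters' units are not modelled); a timer counts as expired once the
elapsed time reaches its limit.
"""

# Socket states IMS Connect can be waiting in, and which parameter governs each.
WAIT_FIRST_MSG = "wait_first_msg"        # after connect, before the first client message  -> TIMEOUT
WAIT_IMS_RESPONSE = "wait_ims_response"  # client message passed to IMS, awaiting response -> TIMEOUT
IDLE_RECV = "idle_recv"                  # response sent, RECV waiting for the next message -> IDLETO
TIMER_FOR_STATE = {WAIT_FIRST_MSG: "TIMEOUT", WAIT_IMS_RESPONSE: "TIMEOUT", IDLE_RECV: "IDLETO"}
NEXT_STATE = {"connect": WAIT_FIRST_MSG, "client_msg": WAIT_IMS_RESPONSE, "ims_resp": IDLE_RECV}


def _expired(state, since, timeout, idleto, at):
    """Return (state, timer, fire_time) if the timer for `state` fired by time `at`, else None."""
    if state is None:
        return None
    timer = TIMER_FOR_STATE[state]
    limit = timeout if timer == "TIMEOUT" else idleto
    if timer == "IDLETO" and limit == 0:
        return None                      # IDLETO=0 (the default) disables the idle timer
    if at - since >= limit:
        return (state, timer, since + limit)
    return None


def socket_outcome(events, timeout, idleto, now):
    """Replay (time, kind) events for one socket; kind is a key of NEXT_STATE.

    Returns (state, timer, close_time). timer and close_time are None while the
    socket is still open at `now`.
    """
    if timeout <= 0:
        raise ValueError("this model assumes a positive TIMEOUT value")
    state = since = None
    for t, kind in sorted(events):
        fired = _expired(state, since, timeout, idleto, t)
        if fired:
            return fired                 # the socket was already closed before this event
        state, since = NEXT_STATE[kind], t
    return _expired(state, since, timeout, idleto, now) or (state, None, None)


if __name__ == "__main__":
    T, I = 100, 200                      # constructed TIMEOUT and IDLETO values
    print("scenario 1:", socket_outcome([(0, "connect")], T, I, now=500))
    print("scenario 2:", socket_outcome([(0, "connect"), (10, "client_msg")], T, I, now=500))
    print("scenario 3:", socket_outcome([(0, "connect"), (10, "client_msg"), (30, "ims_resp")], T, I, now=500))
    print("IDLETO=0  :", socket_outcome([(0, "connect"), (10, "client_msg"), (30, "ims_resp")], T, 0, now=500))
```

The last call is the case the "connection pooling" note warns about in reverse: a pooled connection spends most of its life in the idle RECV state, so any non-zero IDLETO on that port would close it exactly when the pool expects it to still be usable.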
ODRACFST parameter in ODACCESS statement
• Issue
  • When using DRDA port connections, IMS Connect always issues RACF RACROUTE REQUEST=VERIFY with STAT=NO (even when RACF=Y)
  • The STAT=NO option tells RACF not to update its statistics
  • Customers may want statistics such as a user's "last access" date and time in order to enforce password change frequency and automatic revocation of user IDs due to inactivity
• Solution
  • New ODRACFST parameter in the ODACCESS statement controls the RACF calls
    • When enabled, minimizes the performance impact by updating RACF statistics only once a day
    • N results in STAT=NO on the RACF RACROUTE user authentication calls
    • Y results in STAT=ASIS. The messages and statistics are further controlled by the installation's statistics option on the RACF SETROPTS command
  • IMS 14: APAR PI80202/ PTF UI47653
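To show why the setting matters for identity hygiene, the following added example (not IMS Connect or RACF code) models the behaviour the slide describes and runs an inactivity check over the result: with ODRACFST=N every VERIFY carries STAT=NO, so a user ID that authenticates fifty times a day through DRDA still looks untouched to RACF inactivity processing; with ODRACFST=Y the first VERIFY per user ID per day carries STAT=ASIS and refreshes the last-access date. The per-user-ID, per-calendar-day throttle, the user IDs and the 90-day inactivity interval are assumptions made for the example.

```python
"""ODRACFST=Y versus N: effect on RACF last-access statistics.

Added example, not IMS Connect or RACF code. With N every RACROUTE
REQUEST=VERIFY is issued with STAT=NO; with Y the first verify for a user ID
each day is issued with STAT=ASIS and later ones that day with STAT=NO.
The per-user-ID, per-calendar-day throttle is an assumption about how
"once a day" is applied. User IDs and dates are constructed.
"""
from datetime import date, datetime, timedelta


class RacfStatsModel:
    def __init__(self, odracfst, initial_last_access):
        if odracfst not in ("Y", "N"):
            raise ValueError("ODRACFST must be Y or N")
        self.odracfst = odracfst
        self.last_access = dict(initial_last_access)   # user ID -> date RACF holds
        self.stat_updated_on = {}                      # user ID -> date of last STAT=ASIS
        self.verify_calls = {"STAT=NO": 0, "STAT=ASIS": 0}

    def verify(self, user, when):
        """Return the STAT= option IMS Connect would put on this RACROUTE VERIFY."""
        stat = "STAT=NO"
        if self.odracfst == "Y" and self.stat_updated_on.get(user) != when.date():
            stat = "STAT=ASIS"                         # first verify for this user today
            self.stat_updated_on[user] = when.date()
            self.last_access[user] = when.date()       # RACF records the access
        self.verify_calls[stat] += 1
        return stat

    def inactive_users(self, as_of, inactive_days):
        """User IDs that RACF inactivity processing would treat as inactive on as_of."""
        cutoff = as_of - timedelta(days=inactive_days)
        return sorted(u for u, d in self.last_access.items() if d < cutoff)


def simulate(odracfst, days=100, logons_per_day=50):
    """DRDAUSR1 authenticates over DRDA every day; DORMANT1 never does (constructed)."""
    start = date(2017, 10, 1)
    model = RacfStatsModel(odracfst, {"DRDAUSR1": start, "DORMANT1": start})
    for d in range(days):
        day = datetime.combine(start + timedelta(days=d), datetime.min.time())
        for n in range(logons_per_day):
            model.verify("DRDAUSR1", day + timedelta(minutes=n))
    return model


if __name__ == "__main__":
    check_date = date(2018, 1, 9)
    for setting in ("N", "Y"):
        m = simulate(setting)
        print("ODRACFST=%s calls=%s inactive after 90 days=%s"
              % (setting, m.verify_calls, m.inactive_users(check_date, 90)))
```

The N run flags DRDAUSR1 as inactive alongside the genuinely dormant ID, which is the failure mode a SETROPTS INACTIVE-style policy would turn into an unexpected revoke of a busy service ID; the Y run updates statistics 100 times instead of 5000 and keeps the two IDs distinguishable.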
Other IMS Connect RAS Enhancements
• New option to enable the Recorder trace on a port level
  • Trace data is captured only for the port specified in the command
  • More granular level
• Enhancement to add the transaction code associated with an output message that cannot be sent
  • HWSD0252W UNABLE TO SEND RESPONSE FROM DS=IMS1 TO CLIENT=CLIENT01; R=4, S=LATEMSG , TRAN=ITOC04 , M=DREC
• New exits HWSSMPL2 and HWSSMPL3
  • Provide the same functionality as HWSSMPL0 and HWSSMPL1
  • With improved addressability and cleanup of unused code
  • Allows more room for modifications
• Optional WTOR parameter for IMS Connect command input
  • Provides a configuration parameter to show or not show the WTOR command input prompt
  • Disabling the command prompt clears screen space for environments that have multiple IMS Connect systems but where WTOR commands are not used
Other IMS Connect RAS Enhancements…
• Change some FWE blocks from STORAGE OBTAIN to CPOOL
  • Improves performance and CPU utilization (performance)
• Delay the IMS Connect Ready message until all initialization completes
  • Gives automation the correct timing for when IMS Connect is ready to process commands (reliability)
• Close the listening socket earlier on shutdown
  • Reduces CPU usage by rejecting client reconnects (reliability, performance)
• Enhanced diagnostics on RRS-related DRDA errors
  • Provides more diagnostic information for RRS-related errors (serviceability)
• User debug mode in message
  • Provides a bit indicator to notify user exits that they can perform their own debug processing (serviceability)
• BPETRACE before and after User Message Exit calls
  • Provides additional diagnostic information (serviceability)
IMS 15 IMS Connect
• Migration Consideration
  • In IMS 15, IMS Connect requires at least 3 MB more storage than in previous releases
  • Review the IMS Connect region size accordingly
• Overall Business Value
  • Improvements to the performance, reliability, availability, and serviceability of IMS Connect functionality, which is a key component of the IMS integration strategy