• Download the 02.02.09 Initial Installation (.aws).
• Download the 02.02.09 Service Pack (2023-07-19) with fixes pre-applied (.bjb).

A service pack contains new fixes and all fixes of prior service packs.

When a TN3270 session terminated abnormally due to a reset the count of active sessions was not being decremented and issued a:

TEL929D SOCKCLOS CLOSE REQUEST FAILED R15=xx

This also applies to the Q STATS command and shutdown statistics for the maximum active TN3270 sessions.

This zap corrects these problems.

The stack must be recycled to pick up this zap.

The "Miss Routed IP counter" was incorrectly being incremented when a TCP reset datagram was discarded. This zap corrects this problem. To verify use DIAG MISROUT and when a TCP reset for a non-existent connection is discarded a IPT308 message will be issued. In addition the discarded TCP datagram will be dumped for the first 99 occurences of this condition.

The stack must be recycled to pick up this zap.

When running multiple subtasks using the initialize function for the Crypto-Express card a call to IJBHCDRV is issued which could cause a zero parameter to be passed to IJBHCDRV. This zap corrects this problem by moving the parmameters for initialize to dynamic getvis.

The stack must be recycled to pick up this zap.

This zap adds diagnostic messages and dumps when sending data when DIAG TELPROXY is active. This zap may generate large amounts of output to SYSLST in the TCP/IP partition when DIAG TELPROXY is active.

Issue DIAG TELPROXY to activate these messages and dumps.

Issue DIAG -TELPROXY to deactivate these messages and dumps.

In addition that zap corrects an error when the default translate table was being used. If the SET TELNET_TRANSLATE was not being used it should use the default translate table, but this was not occurring. This zap corrects this problem by validating and using the default translate table when no SET TELNET_TRANSLATE has been issued.

In addition upon reviewing the diagnostics and code the ebcdic NL x15 should be translated to ascii CR/LF x0D0A but only the CR was being set. This zap also corrects that problem.

The stack must be recycled to pick up this zap.

New events have been added to CLIENTD that are used for diagnosing problems in it. This zap adds them so they will be displayed in a RAPTRAC REPORT.

The stack must be recycled to pick up this zap.

Logic has been added to detect and suppress the duplicate processing of the same Power queue entry.

The TCP/IP stack must be recycled to activate this correction.

A certificate containing a RSA-SHA-384-bit signature was not being recognized. This zap corrects this problem.

The stack must be recycled to pick up this zap.

A certificate containing a RSA-SHA-384-bit signature was not being recognized. This zap corrects this problem.

The stack must be recycled to pick up this zap.

This zap corrects these problems with the external automation service.

The TCP/IP stack does not need to be recycled to pick up this zap.

The AUTOSEND external automation service must be recycled to pick up this zap.

After a fresh IPL and a invalid product key fails a low storage area may be corrupted. This may also result in a hardwait.

The stack must be recycled to pick up this zap.

After a fresh IPL and a invalid product key fails a low storage area may be corrupted. This may also result in a hardwait.

The stack must be recycled to pick up this zap.

The XPCC connect to Power can at times be delayed and will set return code 4 in R15 indicating that the application should then wait for the connect ECB to be posted. We were incorrectly checking R1:

CL R1,=F'4'

This zap corrects this to be R15: CL R15,=F'4'

It will now correctly wait on the connect ecb when the connect is delayed.

The stack must be recycled to pick up this zap.

The PDF conversion failed can be issued for multiple reasons. This zap adds diagnostics to clearly identify the reason the PDF conversion failed.

The stack must be recycled to pick up this zap.

This zap adds an additional check to verify that a Power LST entry is only processed once.

The TCP/IP stack must be recycled to activate this correction.

An abend could occur in the HTTPD when using LISTENFAIL ON. This zap corrects this abend.

The TCP/IP stack does need to be recycled to pick up this zap.

The external automation service should not issue messages prefixed with TCP. It should issue messages prefixed with AUD. This zap adds new AUD prefixed messages for the external automation service.

The TCP/IP stack does not need to be recycled to pick up this zap.

The AUTOSEND external automation service must be recycled to pick up this zap.

On the console the FTP script name would be truncated if the message is on only one line. If the message is continued on another line it displays correctly.

An abend could occur when multiple real and pseudo tasks conflict during the locking of the CCBLOK chain. This zap should correct the problem and improve overall performance.

An abend could occur when multiple real and pseudo tasks conflict during the locking of the CCBLOK chain. This zap should correct the problem and improve overall performance.

An abend could occur when multiple real and pseudo tasks conflict during the locking of the CCBLOK chain. This zap should correct the problem and improve overall performance.

An abend could occur when multiple real and pseudo tasks conflict during the locking of the CCBLOK chain. This zap should correct the problem and improve overall performance.

An abend could occur when multiple real and pseudo tasks conflict during the locking of the CCBLOK chain. This zap should correct the problem and improve overall performance.

This zap corrects a problem that could produce this symptom message.

When determining if we need to get into key zero to update an external partitions socket request block a program check could occur while determining if the external address is in the same key as the TCP/IP partition which can occur when both the stack and socket request partition are both in dynamic partitions. This is used to reduce the non-parallel time when key zero is used.

Dynamic Names table was only being used for the most recently added domain name. This zap corrects this problem.

The stack must be recycled to pick up this zap.

When a TN3270 session terminated abnormally the count of active sessions was not being decremented. This also applies to the Q STATS command and shutdown statistics for the maximum active TN3270 sessions.

This zap corrects this problem.

The stack must be recycled to pick up this zap.

The IPF403W warning message is issued when a invalid Power job name, number, suffix number is invalid. This invalid job number could then cause a program check abend.

This zap will reject the invalid Power file name to avoid the abend.

The stack must be recycled to pick up this zap.

This zap adds new message skeletons used by other zaps.

The stack must be recycled to pick up this zap.

The XPCC SENDR request to Power intermittently can fail with the above TCP906E error message. It is caused by an invalid address being set for the request. This zap detects the invalid address and will issue a:

TCP910W EPOWE607 XPCC invalid address detected

message. In addition pdumps will occur to SYSLST:

IPN861I Storage Dump IJBXAD31 0 IJBXAD31

Page at location XXXXXXXX is invalid

IPN861I Storage Dump IJBXPCCB 0 POWXPCCB

In addition when a:

IPN436I NULLFILE: Skipped

message occurred a:

TCP917W Suspending listing due to failure

message would be issued. In that it did not fail the TCP917W should not be issued. This zap also suppresses the TCP917W when a NULLFILE is skipped.

The TCP/IP stack must be recycled to activate this correction.

During the close of the foreign control connection after a QUIT command the close exchanges TCP FINs, but the connection may be removed before the exchange is acknowledged by the application. This can result in FTPBATCH completing with a non-zero return code even though all files have been successfully transferred. This zap will change this message to only be issued when DIAG FTP is active, and will ignore the error allowing the FTPBATCH to complete with a return code zero.

The TCP/IP partition does not need to be recycled to pick up this zap for use by FTPBATCH.

The TCP/IP stack does need to be recycled for use with other internal FTP applications that run inside the stack.

This zap implements priority sharing for the subtasks in the TCP/IP stack partition. It is a retrofit of the 2.3.1. PRTYSHARE command documented in the 2.3.1 $Release_Notes. But there is no PRTYSHARE command in 2.2.9. These 2.2.9 zaps will use the following default settings:

PRTYSHARE ON DRIVER=0 IPSPINCP=0 FILEIO=0

SPINCHECK ON TIMER=15 LOOPCNT=2

These settings will cause each of the TCP/IP subtasks to change priorities every 15 seconds. This should allow for improved overall workflow. And correct problems and performance of external applications such as FTPBATCH that issue a large number of socket requests.

This zap implements priority sharing for the subtasks in the TCP/IP stack partition. It is a retrofit of the 2.3.1. PRTYSHARE command documented in the 2.3.1 $Release_Notes. But there is no PRTYSHARE command in 2.2.9. These 2.2.9 zaps will use the following default settings:

PRTYSHARE ON DRIVER=0 CSOCKET=0 FILEIO=0

SPINCHECK ON TIMER=15 LOOPCNT=2

These settings will cause each of the TCP/IP subtasks to change priorities every 15 seconds. This should allow for improved overall workflow. And correct problems and performance of external applications such as FTPBATCH that issue a large number of socket requests.

This zap implements priority sharing for the subtasks in the TCP/IP stack partition. It is a retrofit of the 2.3.1. PRTYSHARE command documented in the 2.3.1 $Release_Notes. But there is no PRTYSHARE command in 2.2.9. These 2.2.9 zaps will use the following default settings:

PRTYSHARE ON DRIVER=0 CSOCKET=0 FILEIO=0

SPINCHECK ON TIMER=15 LOOPCNT=2

These settings will cause each of the TCP/IP subtasks to change priorities every 15 seconds. This should allow for improved overall workflow. And correct problems and performance of external applications such as FTPBATCH that issue a large number of socket requests.

This zap implements priority sharing for the subtasks in the TCP/IP stack partition. It is a retrofit of the 2.3.1. PRTYSHARE command documented in the 2.3.1 $Release_Notes. But there is no PRTYSHARE command in 2.2.9. These 2.2.9 zaps will use the following default settings:

PRTYSHARE ON DRIVER=0 CSOCKET=0 FILEIO=0

SPINCHECK ON TIMER=15 LOOPCNT=2

These settings will cause each of the TCP/IP subtasks to change priorities every 15 seconds. This should allow for improved overall workflow. And correct problems and performance of external applications such as FTPBATCH that issue a large number of socket requests.

This zap implements priority sharing for the subtasks in the TCP/IP stack partition. It is a retrofit of the 2.3.1. PRTYSHARE command documented in the 2.3.1 $Release_Notes. But there is no PRTYSHARE command in 2.2.9. These 2.2.9 zaps will use the following default settings:

PRTYSHARE ON DRIVER=0 CSOCKET=0 FILEIO=0

SPINCHECK ON TIMER=15 LOOPCNT=2

These settings will cause each of the TCP/IP subtasks to change priorities every 15 seconds. This should allow for improved overall workflow. And correct problems and performance of external applications such as FTPBATCH that issue a large number of socket requests.

This zap implements priority sharing for the subtasks in the TCP/IP stack partition. It is a retrofit of the 2.3.1. PRTYSHARE command documented in the 2.3.1 $Release_Notes. But there is no PRTYSHARE command in 2.2.9. These 2.2.9 zaps will use the following default settings:

PRTYSHARE ON DRIVER=0 CSOCKET=0 FILEIO=0

SPINCHECK ON TIMER=15 LOOPCNT=2

These settings will cause each of the TCP/IP subtasks to change priorities every 15 seconds. This should allow for improved overall workflow. And correct problems and performance of external applications such as FTPBATCH that issue a large number of socket requests.

This zap corrects locks from IPNTYTCP that are being released by the dispatcher.

ZP228256 causes an error when attempting to open an empty VSAM ESDS file. This zap corrects this problem.

The IPN832D ASYNCH SOCKET FAILED could occur during a failed asynchronous open. This zap corrects this problem, but also activates an additional diagnotic messaages and dumps. If the condition is detected a IPN898D diagnostic message will be issued followed by a dump of the callers socket open request.

This zap corrects this problem.

This zap corrects a problem with port queueing not releasing a lock after a failed queued connection.

This zap corrects this problem of blanks lines containing "* Blank Line",

The LPR client program was made re-entrant to reduce storage usage. But it may have caused new problems due to some fields in a static CSECT. This zap changes the LPR client (IPNACMLP) to be non-reentrant.

This zap removes the code in ZP228258 that attempted to make it re-entrant, but leaves in the PORTRANGE LPRLOW and LPRHIGH for port numbers.

In addition the diagnostic IPA627 will be issued even without DIAG LPR active to clearly identify the local port being used.

This zap corrects a problem that can occur when the BSI stack is brought up first.

This zap adds diagnostic messages before and after the selectex waitm. These messages are only displayed with a custom $SOCKDBG.PHASE that enables debugging.

This Query Log command displays information about the message logs. The "Total lines" count for the console log in message IPT242I was always zero. This zap corrects this to be the number of lines that have been written to the console log. The number of lines per page and page count were also removed since they are not used.

This zap corrects problems with the external automation service.

This zap corrects messages for the external automation service.

This zap corrects problems with the external automation service.

FTP139 is added in conjunctions with ZP229260.

IPT240, IPT241, and IPT242 are corrected in conjunction with ZP229265.

The stack must be recycled to pick up this zap.

The above failure message could occur for multiple reasons. This zap activates diagnostics to identify the exact reason. It also adds a:

FTP139I GETVIS for 24-bit subpool xxxxxx failed RC=yy

to identify if the cause was a request for below the line storage.

In addition if any traces are defined this zap will automatically issue a DUMP TRACES when a FTP STOR fails.

) DESC If a timed receive on the data connection fails and it has not been more than 3 seconds a:

FTP946W DATA CONNECTION RECEIVE FALSE RECEIVE TIMEOUT

message will be issued and the receive will be retried.

The stack must be recycled to pick up this zap.

This zap corrects an error when FTP is used to store a file into the Power RDR queue with records > 80 bytes. A wrong length record is reported and the FTP fails, but a file is still stored in the Power RDR queue. This zap should cause no entry to be stored when a failure occurs.

This zap corrects a problem where additional blank pages are contained in the output when using a SET FCB command.

The TCP/IP stack must be recycled to pick up this zap.

This zap adds logic to retry the open to the foreign FTP server after a failure. A timer will be set for 1/3 of a second, and the active open(connect) will be retried up to a total of 4 times. A important level message:

IPA417I Open of control connection retried to foreign-ipaddr,foreign-port.

will be issued each time the open is retried.

The TCP/IP partition does not need to be recycled to pick up this zap for use by FTPBATCH.

The TCP/IP stack does need to be recycled for use with other internal FTP appliations that run inside the stack.

This zap detects a problem in the writing of records to a VSAM ESDS file. This zap will reject any write request greater than 32,768 bytes.

The TCP/IP partition must be recycled to pick up this zap.

This zap will detect a corrupted pointer that could cause an abend. If a corrupted pointer is detected it will be restored to the correct address. The next message issued will also contain the letter B as the 7th character of the message similiar to this:

IPN861B Storage Dump WRITESD4...

Notice the "B" in the above message.

This zap also optionally allows the 7th character of the message identifier to be the severity of the associated message. The following message severity letters will be used:

C for CRITICAL

V for VITAL

E for ERROR

W for WARNING

M for IMPORTANT

I for INFORMATIONAL

R for RESPONSE

D for DIAGNOSTIC

S for SECURITY

The MODIFY LOG command also contains a new keyword LETTER= which can be used to use either the old or new message lettering.

MODIFY LOG,ID=CONSOLE,LETTER=SEV

MODIFY LOG,ID=CONSOLE,LETTER=DEF

can be used to deactivate the new lettering methodology.

See ZP228241-IPNET for additional information on activating this optional behavior during TCP/IP startup.

The TCP/IP partition must be recycled to pick up this zap.

The TN3270 server uses the TELNTD getvis subpool for multiple requests. This zap changes this to be 5 subpools TNDGV1-TNDGV5 to more clearly identify the getvis storage usage.

The TCP/IP partition must be recycled to pick up this zap.

This zaps causes statistics for OSA express links to be displayed during shutdown. The output is the same as from a:

QUERY STATS,LINKID=xxxxxxxx

where xxxxxxx is the ID from the corresponding DEFINE LINK.

The TCP/IP partition must be recycled to pick up this zap.

This zaps adds a warning message for ftpbatch: FTP338W SET commands should be issued before the LOPEN

The TCP/IP partition must be recycled to pick up this zap.

A storage dump of the socket request block(SOBLOK) was occurring when the foreign IP address was all zeros. This zap corrects this problem.

The TCP/IP partition must be recycled to pick up this zap.

The DELETE EVENTS,ALL command would only delete the last defined event. This zap corrects that problem.

This zap also adds support for the LETTER= keyword of the MODIFY LOG command. See ZP228255 for information on this new keyword.

The TCP/IP partition must be recycled to pick up this zap.

The DELETE EVENTS,ALL command would only delete the last defined event. This zap corrects that problem.

This zap also adds support for the LETTER= keyword of the MODIFY LOG command. See ZP228255 for information on this new keyword.

The TCP/IP partition must be recycled to pick up this zap.

The IPT306 message was incorrect and is now corrected.

This zap also corrects a problem with the CCBLOK lock being held that would cause a IPN155W message.

The TCP/IP partition must be recycled to pick up this zap.

A FTP307D message with FREPFNZE could occur when running the ftpbatch as a external server and multiple connections are simultaneously active. It indicates a failure during a request for a free port number. A pdump will also be issued that shows the characters 'ALLGOOD1'. This response is incorrect since this was a request for a free port number. A control call connection is used for communicating with the TCP/IP partition and is now gated to correct this problem.

A additional problem is that a program check could occur when a VSAM KSDS duplicate record occurs. The IPNFKSDS file I/O driver will attempt to use the IPPDUMP service with the header "IPNFKSDS-BADRECRD" and then issue a:

IPF306W VSAM KSDS File duplicate record key, write failed DLBL: xxxxxx

but an abend could occur due to a incorrect control block address. This zap also corrects that problem.

The SET EXTTYPES command can now use ON/OFF in addition to YES/NO. ON is the same as YES. OFF is the same as NO.

For most SET commands to be effective they must be entered before the LOPEN. This zap also adds a:

FTP338W SET commands should be issued before the LOPEN

when a SET command occurs after the LOPEN.

The TCP/IP partition does not need to be recycled to pick up this zap.

If using the external ftpbatch server it must be recycled to pick up this zap.

When using the FTPBATCH SET IGNORERR ON and multiple GET commands are issued the reply numbers for the prior failing get were not being drained. This zap should correct this problem.

The TCP/IP partition does not need to be recycled to pick up this zap.

This zap adds new diagnostic messages for the external automation utility.

The TCP/IP partition does not need to be recycled to pick up this zap.

When using the external AUTOSEND utility and email successfully processes a DISP=K entry, the Power queue entry is changed to DISP=L. Then after altering it back to DISP=K the entry is not processed. This zap corrects this problem.

This zap also adds some diagnostic messages.

The TCP/IP partition does not need to be recycled to pick up this zap. The extertal automation service (// EXEC AUTOSEND) must be recycled to pick up this zap.

When using auto email after successfully processing a DISP=K Power queue entry it is changed to DISP=L. Then after altering it back to DISP=K the entry is not processed. This zap corrects this problem.

This zap also adds some diagnostic messages for counting of the number of handles, and detects corrupt handles to avoid a loop.

The TCP/IP partition must be recycled to pick up this zap.

This zap adds additional diagnostic messages for give/take processing. By default these diagnostics messages will not occur. A custom $SOCKDBG.PHASE must be created for them to be issued.

It also corrects a problem where after a successful take socket the giver select ecb was not posted. The clientid structure contains a type field which can be set to x01 to close and release the given socket. The type field can also be set to x02 to cause the select ecb of the giver to be posted after the take socket is completed. This post will now occur when the type field is any value other than x01.

The partition the BSD give/take application must be recycled to pick up this zap.

This adds informational message:

IPN526I PRODKEYS loaded from LIB.SUBLIB

to identify the library.sublibrary that the PRODKEYS.PHASE was loaded from. This can be useful when diagnosing problems with product key authorization.

The // EXEC IPNET,PARM='parmdata'

The parmdata was not fully documented and the following values are valid:

DEBUG this option will turn on a general debugging flag.

FIREWALL= FIREWARN= These options are used to activate the FIREWALL feature which is documented in the Optional Features manual.

ID= This sets the system identifier and must be from 00-99 inclusive. It is documented in the Installation manual.

INIT= This identifies the system intialization file to be used. It is also documented in the Installation manual.

MSGSEV This parameter enables the use of severity levels in messages before the command processor is acitve. It is equivalent to the MODIFY LOG,ID=CONSOLE,LETTER=SEV command which is documented in ZP228255-IPMSSG.

STORMON This parameter enables storage monitoring before the command processor is active. It is equivalent to the VERIFY_MEMORY ON command which is documented in the Command Reference manual.

UPCASE This option causes all messages to be translated to upper case before the command processor is acitve. It is equivalent to the UPCASE ON command which is also documented in the Command Reference manual.

The TCP/IP stack must be recycled to pick up this zap.

The SYSIPT commands of the SVSESRVR job were not being executed.

The MONPHASE command can be used to monitor the loading on any phase in any partition and could be used to perform an instruction trace before a phase begins execution. The below uses the FTPDAEMN phase as an example phase to be monitored. Either MSG XX,DATA=MONPHASE FTPDAEMN or add MONPHASE FTPDAEMN to the SVSESRVR SYSIPT commands. After successful completion of the MONPHASE command a message similiar to this will be displayed:

SEE123R FTPDAEMN phase monitored INFO=00283630 TRACE=802835AE

A VM CP instruction trace could then be set for address 2835AE. Then when the system loads the FTPDAEMN phase the virtual machine will be placed in a CP read wait state. At that time a CP D G command can be issued to display the general registers.

R0 will be the load address of the phase

R1 will be the entry address of the phase

R14 will be the length of the phase.

R2 will be the address of the following data:

PHSNAME DS CL8 PHASE NAME

PHS@LOAD DS A PHASE LOAD POINT

PHSLNGTH DS F PHASE LENGTH

PHS@SRTN DS A PHASE SVA FRONT END ROUTINE

PHSPIK DS H PARTITION PIK AT TIME OF LOAD

PHSTID DS H TASK ID AT TIME OF LOAD

PHSSTCK DS D STORE CLOCK TIME OF LOAD

LOCPHASE * command can also be used to display the last time any of the monitored phases was loaded.

This zap allows a common encryption cipher interface(CECI) application to supply the raw cipher key to be used during the encryption and decryption of data. To use this feature the following must be done.

During the initialization request(MEMAINIT) the key phrase phase name must be set to all asterisks. This indicates that the application will be supplying the cipher key.

MVC MEMAKYPH,=C'********' Key phrase phase name

In addition the application must set the cipher suite that will be used.

The CIALMEMA macro with the single operand EQUATES can be used to generate the equates for all the available cipher suites. Here is some example assembler code:

CIALMEMA EQUATES Generate the available cipher suites

LA R0,CIPH0048 Use AES256-SHA1-CBC cipher suite

ST R0,MEMACIPH Pass the cipher suite to be used

In addition a new request(MEMASKEY) must be issued. It is in place of the MEMACRKY request. The MEMACRKY and MEMASKEY requests are mutually exclusive. You must use one or the other but not both. The key material is passed in two new fields of the CIALMEMA macro. They are the MEMALKEY and MEMA@KEY.

MEMALKEY is the length of the key material.

MEMA@KEY is the address of the key material.

The MEMALKEY must be the exact size required by the cipher set in the initialization request. CIPH0048(AES256-SHA1-CBC) requires 16 bytes for the initialization vector(IV) and 32 bytes for the key for a total of 48 bytes. Here is some example assembler code for calling this new function:

*

* * Now we send the key material... LA R0,MEMASKEY Set key material to be used

ST R0,MEMARQST Store requested functon

LA R0,AESKEYLN Length of key material

ST R0,MEMALKEY Store key length

LA R1,AESKEYXX Address of key material

ST R1,MEMA@KEY Store key address

The TCP/IP stack does not need to be recycled to pick up this zap.

This zap updates the CIALMEMA.A macro to include new fields for allowing a applicaton using the common encryption cipher interface(CECI) to supply the cipher key material to be used during the encryption and decryption of data. See ZP227239 for detailed information on using this feature.

The TCP/IP stack does not need to be recycled to pick up this zap.

The Q LOCKS identified a lock held that was caused by a queued connection not releasing the lock. This zap corrects this by properly releasing this CCBLOK lock.

The TCP/IP stack must be recycled to pick up this zap.

The IPI513I GETVIS high water marks have been reset message was incorrectly being issued during start up when DIAG GETVIS was not being used.

This zap corrects this problem. The TCP/IP stack must be recycled to pick up this zap.

An FTP fails with the IPF402 XPCC message but the reason codes are not in the message to identify the exact cause of the connect failure. This zap adds the XPCC reason codes to the IPF402 error message to diagnose why the CONNECT is intermittently failing.

The TCP/IP stack must be recycled to pick up this zap.

A IPN099W and IPN082I messages could be incorrectly issued when the product key phase contains a IBM license product key and other CSI products such as FAQS, EPIC, etc.

This zap also stores the adjusted CPU serial number for each product code so it can be displayed by the Q PROD,ALL command.

This zap also corrects problems when multiple product keys for the same product exist in the PRODKEYS.PHASE. The key with the most days left will now be used. Other rejected keys will be displayed with new messages.

IPN080W prodkey1 has more days and replaces prior prodkey2

Message is issued when duplicate product keys exist for the same product number. The one(prodkey1) with more days until expiration is used. The prodkey2 should be removed from your prodkeys assembly job.

IPN081W CSI product key prodkey is expired and ignored

Message is issued when a expired key is detected in the prodkeys phase. The product key should be removed from your prodkeys assembly job.

This zap corrects these problems. The TCP/IP stack must be recycled to pick up this zap.

This zap releases queued UDP inbound datagrams that are not being received by the UDP application. See ZP227232 description for more information.

This zap corrects this problem. The TCP/IP stack must be recycled to pick up this zap.

When a UDP application is active inbound UDP datagrams are accumulated and passed to the application when it issues a receive for the incoming data. This accumulation could become excessive and can be controlled with the UDPSET MAXIBQUE=nnnn command. See ZP227226 for more details on this command. When UDPSET MAXIBQUE is set to a number greater than zero the inbound UDP process will reject datagrams that exceed this value. In addition a:

IPU109W UDP queued inbound exceeds nnnn for local port llll

Where nnnn is the UDPSET MAXIBQUE value and llll is the local port number of the UDP application.

The TCP/IP stack must be recycled to pick up this zap.

The IBBLOK RELEASE command releases all free IBBLOKs, and may cause a loop. In addition a new:

IPN523 aaaa IBBLOKs released freeing bbbb bytes of storage

message will be issued to display the total number of IBBLOKs released and the number of partition getvis bytes freed.

This zap corrects these problems. The TCP/IP stack must be recycled to pick up this zap.

If multiple events are defined and the last defined event is deleted the query events command would no longer display any of the remaining events.

After issuing a DELETE EVENT command while pseudo tasks are actively processing could cause an abend.

DELETE EVENT was defaulting to use the FORCE option which deletes events that are actively running and can lead to abends. The default action will now be to wait until all active events are completed then the event will be deleted. But if new work is coming into the Power class it will also be processed. The FORCE option can be used to immediately remove the defined event, but if there are active tasks they will be abnormally terminated.

This zap also changes the CLIENTD phase to be loaded into 31-bit above the line partition getvis storage thus reducing the 24-bit usage by about 84K.

This zap corrects these problems. The TCP/IP stack must be recycled to pick up this zap.

New and updated message skeletons in support of the other zap message changes are included in this zap.

The TCP/IP stack must be recycled to pick up this zap.

When a local LPR client on VSE such as the batch LPR client or AUTO-LPR connects to a remote LPD server by default only local port 721 was being used to establish the connection.

In a system with multiple LPRs going to the same LPD server at the same time a conflict can occur because of connections using the same port and IP address. This can especially be true for sites using a Virtual Print Server(VPS) that supports receiving multiple simultaneous print outputs. This zap uses the LPRLOW= and LPRHIGH= settings from the PORTRANGE command to override the use of the single default port 721. It allows a range of ports to be used. by the batch LPR client and autoLPR events. RFC1174 states that a LPD server should listen on port 515, but some implementations may use a different port number. The LPR client should connect to the LPD server with local ports in the range of 721 to 731, inclusive. With this zap using the following command: PORTRANGE LPRLOW=721 LPRHIGH=731

will cause the LPR client running on VSE to connect to the remote LPD server using ports 721-731 consecutively for each LPR connection.

It should also be noted that this is dependent on what the remote LPD server allows. In fact it may allow any local port number to be used when connecting to it. If the remote LPD allows it a setting of LPRLOW=4096 LPRHIGH=65535 can also be used.

To reset the LPR client back to the horrible use of just port 721 a

PORTRANGE LPRPORT=0 LPRHIGH=0

can be used.

This zap also reduces 24-bit partition getvis used by loading it into 31-bit above the line storage.

The TCP/IP stack must be recycled to pick up this zap.

See the description in ZP227226 for a detailed description of new and updated commands.

In addition when issuing a DELETE EVENT the FORCE option was not being correctly passed to the automation daemon(CLIENTD).

This zap also corrects a problem where no commands were allowed to be processed due to an internal lock conflict.

IPN194 Lock unavailable for @1 @2 RC:@3 command @4

will now be ssued when this condition is detected.

@1 is the type of lock.

@2 is the name of the program and location of the failed lock.

@3 is the return code from the internal lock request that failed.

@4 is either ignored or allowed for the associated command result. If it is ignored try re-issuing the command.

If this problem occurs issue a QUERY LOCKS and contact technical support to report this problem occurring.

This zap corrects these problems. The TCP/IP stack must be recycled to pick up this zap.

Added LPRLOW and LPRHIGH to PORTRANGE command. Currently by default only port 721 is used when connecting to a remote LPD server. This zap allows a range of ports to be used by the LPR client when it is connecting to a remote LPD server. RFC1174 states that a LPD server should listen on port 515. And the LPR client should connect to the LPD server with local ports in the range of 721 to 731, inclusive. With this zap using the following command:

PORTRANGE LPRLOW=721 LPRHIGH=731 will cause the LPR client running on VSE to connect to the remote LPD server using ports 721-731, inclusive.

The LPRLOW must be 721 or higher, and less than LPRHIGH. The LPRHIGH must be higher than LPRLOW and less than or equal to 65,535.

The PORTRANGE command with no keywords will display the current settings for these settings.

This zap also adds the UDPSET MAXIBQUE=99 command for controlling the number of inbound UDP datagrams queued to an application. The default setting is 99. See ZP227232 for more information.

This zap also corrects the IBBLOK command. The MTU= keyword always failed with a

IPN316I Invalid keyword: MTU

error message. This zap corrects this problem and allows the use of MTU= on the IBBLOK command. The minimum allowed MTU= was 128 and the miniumum SIZE= was 512. The minimum MTU= is now 64. The minimum SIZE= is now 384.

This zap also adds the DUMP option to the QUERY PROD command. Q PROD,DUMP will cause a dump of the product key entries. This may be requested by CSI technical support when diagnosing problems with product keys.

The TCP/IP stack must be recycled to pick up this zap.

When using FTPBATCH as an external FTP server and more than one client connects into it at the exact same time a compare and swap is used to update the number of active sessions. If the compare and swap fails an incorrect branch was taken. Two tasks could then end up in a wait on the same listen ECB which could lead to unpredictable results such as multiple hung tasks during task termination. This zap corrects this incorrect branch.

The TCP/IP stack does not need to be recycled, but FTPBATCH external ftp servers must be recycled to pick up this zap.

IPN597I Shutdown Stage: 4: Could not obtain lock...

could occur during shutdown due to a prior IPN155W message.

In addition during an active open connect the foreign IP address was incorrectly using 127.0.0.1. This was very intermittent (happened once in 3 months on a very busy system). This zap corrects this condition by adding a additional check for the IP address from the original socket request. If it does not match a:

IPT306W IPNTYTCP FOIP changed from 127.0.0.1 back to ip-addr fport lport

message will be issued to identify that this condition was detected and corrected.

This zap corrects these problems. The TCP/IP stack must be recycled to pick up this zap.

During an active open connect the original socket request IP address was incorrectly using 127.0.0.1. This was very intermittent (happened once in 3 months on a very busy system). This zap corrects this problem by saving the original socket request IP address so the connection manager(IPNTYTCP) can verify that the correct IP address is used during the active open.

This zap also adds a:

IPN123D SOBLOK active open issued to foip foport partid execname

This message is only issued when DIAG CONREJECT is active.

When using phase monitoring an address is now displayed in the SEE123 message that can be used to trace a phase before it begins to execute instructions. See ZP227221 for more details on the SEE123 message.

The SVSESRVR must be recycled to pick up this zap.

SEE123 @1 phase will be monitored PHSINFO=@2 TRACEADR=@3

The SEE123 response message is issued in response to the MONPHASE command. @1 is the phase name now being monitored. @2 is the adddress of the phase monitoring table entry. @3 is the address where a diagnostic trace can be set before the phase executes any instructions.

The LOCPHASE command can be used to see more information about the phase after it has been loaded.

In addition a SEE308 diagnostic message is now issued when the SVSESRVR has successfully accessed the TCP/IP partition IVBLOK. @1, @2, @3, @4, and @5 contain internal information about the TCP/IP stack being accessed.

The SeeVSE server must be recycled to pick up this zap.

This zap reduces the SVSESRVR overhead by not activating certain data collection functions that are not used by the Velocity performance monitor. But to accomplish this the sysipt VELOCITY command must be placed in the parm data used to execute the SVSESRVR similar to this:

// EXEC SVSESRVR,SIZE=SVSESRVR,PARM='VELOCITY'

The TCP/IP stack does not need to be recycled to pick up this zap. But the SVSESRVR must be recycled to pick up this zap.

A IPN594W warning message is issued daily starting 45 days before TCP/IP will expire and it was missing the time on a system using the MM/DD/YY date format.

This zap also sets the default maximum queued inbound UDP datagrams for a single connection to 99. See zap ZP227226 for more information on the new UDPSET MAXIBQUE command to override this default setting.

This zap also enhances the CSI product code checking by displaying the adjusted CPU serial number to assist in diagnosing problems with CSI product keys. The Q PROD,ALL and Q PROD,DUMP commands should be used when reporting product key problems to clearly identify the source of the problem.

This zap corrects these problems. The TCP/IP stack must be recycled to pick up this zap.

The SOCKOPT macro can be used to generate a custom $SOCKOPT phase. The keyword SSLFLG1 now has an additional option:$OPTCLHV which can be used to have the client_hello propose an older version of the protocol to be used. This can be set in addition to the default $OPTFBUR for example with:

SSLFLG1=$OPTFBUR+$OPTCLHV, special options.

By default we send a client_hello with the highest level of the protocol supported which is TLS 1.2. But older servers that do not recognize TLS 1.2 may abruptly close the connection. The $OPTCLHV option can be used to use older versions of the protocol. It is also recommended that older servers be updated to support TLS 1.2 since it provides a higher level of security.

When connecting to a remote server the client_hello should contain the highest level of the protocol that can be negotiated. This zap sets the TLS 1.2 as the highest level supported. But older servers that do not support TLS 1.2 may abruptly terminate when the new TLS 1.2 is proposed. If problems occur connecting to older servers that do not support TLS 1.2 a new SOCKOPT option SSLFLAG1 $OPTCLHV can be used. See ZP226218 for more information on this SOCKOPT setting.

This zap adds a diagnostic message to help identify when DEFINE EVENT SINGLE=YES causes a wait to occur.

TCP925D Delayed due to single=yes event-name type action

The TCP/IP stack must be recycled to pick up this zap.

The SSL unitialize function was releasing storage that by subpool id, and one of the subpools contained a save area that was still in use. Releasing it caused an abend. This zap corrects this problem.

The TCP/IP stack must be recycled to pick up this zap.

The Q SET revealed that verify_memory is on. By default it should be off which should reduce overhead. This zap corrects this problem.

The TCP/IP stack must be recycled to pick up this zap.

When a file is being retrieved and an active data connection open failed the opened file was not being closed. This could cause other tasks to be hung waiting for a locked resource. The condition was using the librarian for retrieving and storing files with an external ftpbatch server. In addition a:

FTP946W RETRFAIL closed file

message will be issued when this condition is detected.

The TCP/IP stack must be recycled to pick up this zap.

The $EDCTCPV.PHASE provides support for the LE/VSE C language applications. See the IBM TCP/IP Support manual SC34-2706 for more information on LE/VSE C socket interface. This zap includes IBM correction PTF-UI65405(Apar-PH17029). Contact IBM for information on this corrective fix.

The default setting for the DEFINE FTPD DYNFILES=YES allows access to any file with a DLBL and could cause a security problem. By default only files defined with the DEFINE FILE command should be allowed. The default setting for DYNFILES is set to NO with this zap.

The TCP/IP stack must be recycled to pick up this zap.

An abend is occurring intermittently during ftp shutdown after a failed get request. This zap should correct this condition.

Intermittently a ftpbatch open to a remote ftp server incorrectly connects to an internally defined ftpdaemn. This zap adds an edit check for this condition and will now cause ftp to fail right after the open by comparing the connected remote IP address to the IP address from the OPEN command.

If using ftpbatch the TCP/IP stack does not need to be recycled to pick up this zap.

This zap catalogs the $SOCKOPT.Z example to match the settings in the distributed $SOCKOPT.PHASE.

This zap corrects and error caused by ZP225189 that would cause the crypto initialization to fail when no CEX card is found on the system.

The TCP/IP stack must be recycled to pick up this zap.

When using FTP to access VSAM files the catalog name(CAT=) is added to the VSAM user catalog DLBL. If this DLBL is in system standard labels the IBM CICS IUI interface will display UNKNOWN in the catalog name. To circumvent this problem the DLBL for the VSAM user catalogs should be placed in the TCP/IP partition labels. A new message:

IPF514I xxxxxxx found in system standard labels CAT=xxxxxxx added

will be issued when this occurs.

The TCP/IP stack must be recycled to pick up this zap.

After issuing a AIO_CANCEL a failure during the close function could occur. This zap corrects this problem.

The partition the aynchrounous application is running in must be recycled to pick up this zap.

When processing a remote password greater than 64 bytes an abend could occur due to a buffer overrun. This zap adds an edit check for the password length to be less than the maximum allowed(64) to avoid this abend.

The TCP/IP stack must be recycled to pick up this zap.

This zap adds new counters for the currently active and maximum active tasks by port.

The TCP/IP stack must be recycled to pick up this zap.

When using the Query Statistics command to display the number of active and the maximum number of TN3270 sessions it does not break it down by port. This zap adds the new command Query TNPORTSTAT command. The minimum abbrevation is Q TNP to display the number of active and maximum number of TN3270 sessions by port.

The TCP/IP stack must be recycled to pick up this zap.

When using the Query Statistics command to display the number of active and the maximum number of TN3270 sessions it does not break it down by port. This zap adds the new command Query TNPORTSTAT command. The minimum abbrevation is Q TNP to display the number of active and maximum number of TN3270 sessions by port.

The TCP/IP stack must be recycled to pick up this zap.

When using the Query Statistics command to display the number of active and the maximum number of TN3270 sessions it does not break it down by port. This zap adds the messages for a new Query TNPORTSTAT command.

The TCP/IP stack must be recycled to pick up this zap.

The DEFINE EVENT with NULLFILE=DELETE should cause an empty file Power file(contains 0 bytes) to be deleted. But the the file was not being deleted. This zap corrects this problem.

The TCP/IP stack must be recycled to pick up this zap.

SEE310 Velocity data collection active

will be issued in response to the VELOCITY sysipt command.

The TCP/IP stack must be recycled to pick up this zap.

When using OUTPUT=LPR the local port was set to 721. This zap uses the DEFINE GPSD LPORT= value. If not specified the LPORT= defaults to 721.

The TCP/IP stack must be recycled to pick up this zap.

This zap allows the Velocity performance monitor to request specific TCP/IP performance data from the SeeVSE server. A SeeVSE product key is still required. The VELOCITY command must be added to the sysipt commands for the SVSESRVR.

The TCP/IP stack does not have to be recycled to pick up this zap.

When a RSH client on VSE connects to a RSHD server the next free dynamic local port was being used causing the remote to respond with "illegal port" since the RSH protocol requires the client to use port numbers 512-1023. This zap sets the local port to 1023 to correct this problem.

The TCP/IP stack should be recycled to pick up this fix.

The DEFINE EVENT with NULLFILE=DELETE should cause an empty file Power file(contains 0 bytes) to be deleted. This zap adds the:

IPN436I NULLFILE: Deleted

to inform the user when a null file is detected and it is deleted.

In addition the QUERY EVENTS command will display a:

IPN436I NULLFILE: Delete

to display the current setting of the NULLFILE keyword.

The QUERY GPSD will now include a GPS927 message containing the defined OUTPUT(L=LPR,D=DIRECT), PORT(remote), and LPORT settings.

The TCP/IP stack must be recycled to pick up this zap.

See ZP226193 for a full description of this new keyword.

The stack must be recycled to pick up this correction.

When using a print server multiple connections to a single IP address are required, but the local port was always set to 721. This zap adds the LPORT= to the DEFINE GPSD command to allow the specification of any local port number(0-65,535). If not specified the LPORT= defaults to 721. Also note that LPORT= is only used with OUTPUT=LPR.

The DEFINE EVENT with NULLFILE=DELETE would fail as an invalid command. The NULLFILE= is used to determine how to process an empty Power file(contains 0 bytes). The default is NULLFILE=PROCESS which processes it as a normal file. But the NULLFILE=DELETE would fail. This zap corrects that problem.

The TCP/IP stack must be recycled to pick up this zap.

When a ftp data connection failed the close for the data connection was not being issued. Also, the SOWORK area which was being allocated in 24-bit storage, was not being released. This zap changes the SOWORK area to be allocated in 31-bit storage and corrects this storage leak problem.

You should recycle the TCP/IP stack after applying this fix.

When processing a certificate a buffer is allocated. A large certificate could cause the above TLS117I diagnostic error messaage and the TLS 1.2 session would fail. This zap corrects the problem by allocating a larger buffer for processing certitficates.

This zap also changes the TCP100I message that displays the version of IPCRTLSX from important to informational.

The TCP/IP stack must be recycled to pick up this zap.

When using the CryptoVSE API call CRY_GEN_RANDOM(CRYGENRA) to request less than 256 bytes of random data a clear was being done for 256 bytes of the callers return area causing a storage overlay. This zap corrects the problem by only clearing the passed area equal to the number of requested random bytes.

The TCP/IP stack does not have to be recycled to pick up this zap.

When attempting to use the CryptoVSE API calls such as CRY_GEN_RANDOM, CRY_RSA_ENCRYPT, CRY_RSA_DECRYPT a hardware crypto-express card is requited, but was not being initialized when not using the SSL or TLS protocols. This zap corrects that problem by calling the crypto-express initiialization when using the base cryptographic functions.

The TCP/IP stack does not have to be recycled to pick up this zap.

When an active open(connect) is issued to a remote server port that is not in a listen state the remote stack may send a reset(RST) with a sequence number of zero. This reset(RST) was being ignored due to the invalid sequence number. But since the TCP sequence numbers have not yet been established the ignored RST could then cause the connect to fail after the associated routing connection retry values. Thiz zap corrects this problem by accepting a RST with a sequence number zero in response to the initial SYN request sent from VSE and will immediately post the applications active open(connect) request as failed due to a reset connection.

The TCP/IP stack must be recycled to pick up this zap.

This zap allows the Velocity performance monitor to request specific TCP/IP performance data from the SeeVSE server. A SeeVSE product key is still required, but there will be no charge for it. A VELOCITY command must be added to the sysipt commands for the SVSESRVR.

The TCP/IP stack does not have to be recycled to pick up this zap.

An abend could occur with DIAG FTP active after a data connection failure.

The ftp client manager was allocating the SOWORK area in 24-bit storage. This zap changes the SOWORK area to be allocated in 31-bit storage and corrects a possible storage leak problem.

This zap corrects these problems. You should recycle the TCP/IP stack after applying this fix.

A TEL929I messasge was incorrectly being issued due to a check to compare the incoming client IP address to verify it was connecting to the correct DEFINE TELNETD IPADDR=. But this check should only be performed when CONNECT_SEQUENCE ON is in effect.

A TEL927 diagnostic messasge was being issued when a failed SSL receive occurred. The TEL927 messages from a failed receive will now only be issued when DIAG TELNET is in effect.

An excessive number of TEL934 diagnostic messages could be issued when remote clients abruptly disconnect. The TEL934 messages from a failed receive or send will now only be issued when DIAG TELNET is in effect.

A IPN22E message could occur after an unbind because the associated ECB was not being reset. This zap resets the ECB to avoid a loop from occuring.

TEL929I Unbind ECB POSTED for acbname ip-addr luname

will also be issued when this condition occurs.

The TCP/IP stack must be recycled to pick up this zap.

This zap adds messages for CLIENTDX which are prefixed with AUD, and messages for AUTOSEND which are prefixed with AUT.

The external automation processing now uses the CLIENTDX phase to allow exploitation of functions outside of the TCP/IP partition.

Since this program runs outside of the stack, there is no need to recycle the stack after applying this fix.

When running an external ftpbatch server real VSE subtasks are attached and detached to service remote FTP clients. When a session terminated, then the detached task also issued a wait for all messages to be written to syslst and syslog. This wait could hang when multiple tasks were waiting for the message queue to be drained. This could be more likely when the VSE system console is being scrolled backwards and a lot of messages are being issued to the console are queued.

If running external ftpbatch server(s) they do need to be recycled to pick up this zap.

You should recycle the TCP/IP stack after applying this fix.

The external automation processing batch utility will now use the CLIENTDX phase to isolate it from the internal CLIENTD program. This should allow the exploitation of functions outside of the TCP/IP partition.

Since this program runs outside of the stack, there is no need to recycle the stack after applying this fix.

The storage manager obtains work areas that had a limited number of real VSE subtasks. This zap increases the number of work areas when running ftpbatch as an external server to allow more simultaneous sessions.

The stack must be recycled after applying this fix.

A control command is sent from ftpbatch for free ports and security requests. The response to this request could cause a delay or hang an external ftpbatch partition.

This fix corrects this problem. The stack must be recycled after applying this fix.

The watch dog task among other things detects when an external partition has terminated but still had socket requests queued. This can be for different reasons, but the IPI504I diagnostic level message that is issued when this occurs did not contain a reason code. This zap adds a specific reason code to the IPI504I message to assist in diagnosing when a external partition is terminated with outstanding socket requests. For example if a ftpbatch running in a dynamic partition is pflushed(Power F command) then a:

IPI504I TCP/IP connection severed from S1, FTPBATCH Port 2121 RS:WDNOCMRG

will now occur with the reason code WDNOCMRG since the dynamic partition comreg is no longer present after flushing a partition.

The TCP/IP stack must be recycled to pick up this zap.

When using the FIREWALL port blocking feature the counter for the number of port blocks in the IPI213 message may be higher than the actual number of blocks.

The TCP/IP stack must be recycled to pick up this zap.

When running ftpbatch as an external server real VSE subtasks are used for each session. Calls are made to the TCP/IP partition for security and free ports using a shared control connection. Hung tasks could occur due to a shared work area being used by the different session subtasks. This is corrected by using dynamically allocated work areas for each attached subtask.

When running multiple simultaneous ftpbatch jobs the same lock name was being used when calling the security exit. The partition id will now be included in the lock name to avoid lock wait conditions between partitions. In addition a STATUS LOCKS command can be issued to the ftpbatch partition to see the number of lock and unlock requests.

The TCP/IP stack does not need to be recycled to pick up this zap.

If running external ftpbatch server(s) they do need to be recycled to pick up this zap.

After a:

IPF205E VSAM ESDS File write error, Return: 8 Feedback: 58

The IPF309I Reason is undetermined messge is issued. The feedback 58 is x3A and is RPLMXRBA. and means the output fille being written has exceeded maximum RBA for a VSAM ESDS file. This zap adds this to table of feedback codes and the IPF309I will now contain "Exceeded maximum RBA" when this condition occurs.

This fix provides the enhancement. You will need to recycle the stack after applying this fix.

The OSA-Express link driver must PFIX storage but was using below the line(24-bit) real storage. This zap changes it to use above the line(31-bit) real storage. After applying this zap a reduction of about 172K of 24-bit pfixed real storage should be seen, and an increase of about the same in 31-bit pfixed real storage. The z/VSE MAP REAL console command can be used to display the amount of storage pfixed in the system and partitions. The TCP/IP start up job should contain a SETPFIX command to establish the maximum amount of storage that is allowed to be pfixed by it. Since there is no performance penalty for setting a maximum value greater than the actual amount of storage pfixed, it is recommended to use a statement similiar to this in your TCP/IP start up job:

// SETPFIX LIMIT=(512K,2048K)

But this can be changed based on the MAP REAL output. See the IBM System Control Statements manual(SC34-2679) for more information on the MAP REAL and SETPFIX commands.

The TCP/IP stack must be recycled to pick up this zap.

When a firewall table of allowed addresses has a IP address that was allowed, and then a new table is loaded blocking the previously allowed IP address the count in the IPI228I of blocked IP addresses may be incorrect.

The TCP/IP stack must be recycled to pick up this zap.

This zap adds support to allow reading of a string librarian member.

The TCP/IP stack must be recycled to pick up this zap.

The message write support variable substition for 8-byte hexadecimal displays and the leading zeros of a variable were being suppressed. This zap correct that problem.

The TCP/IP stack must be recycled to pick up this zap.

This zap adds new messages for the QUERY MACHINE and CHECKPRD commands.

The TCP/IP stack must be recycled to pick up this zap.

System information for the CHECKPRD an QUERY MACHINE is now obtained using the store system information(STSI) privileged operation instruction.

The TCP/IP stack must be recycled to pick up this zap.

See ZP225167 for descriptions of these new commands.

The TCP/IP stack must be recycled to pick up this zap.

This zap changes the DEFINE FTPD DATAPORT default setting from 0 to 2. ZP224147 stated that DATAPORT=0 is the default for the internal FTP servers (DEFINE FTPD). But to be compatible with prior releases and avoid a possible data port conflict, the default and recommended setting is DATAPORT=2. The conflict with DATAPORT=0 could occur when simultaneous file transfers are occurring since both data connections would issue a passive listen on the same port number (control port -1). This could result in a remote FTP server connecting into the wrong passive listen since 2 listens are active at the same time on the same port number. Although this could be quite rare, the conflict warranted changing the default and recommendation to use DATAPORT=2, which uses the next available dynamic free port for the passive listen on the data connection. See DEFINE FTPD in the TCP/IP for z/VSE Command Reference manual for additional information on this topic.

This zap also adds the QUERY MACHINE and CHECKPRD commands. The QUERY MACHINE can be used to obtain information about the machine that is currently running. The Store System Information(STSI) instruction as documented in the IBM Principles of Operation manual(SA22-7832) is used to obtain this information, The output is contained in the following messages:

IPN237I Q MACHINE

IPN568I System mode 30000000 VM Guest

IPN583I Manufacturer:IBM Machine Type:2818 Model Capacity Indicator:A02

IPN584I Sequence configuration code:000000000003D377 Model identification:M05

IPN585I Perm-Capacity Identifier:A02 Temp-Capacity Identifier:A02

IPN586I CR:6 PR:6 TR:6

IPN588I NCR:6 NPR:6 NTR:6

IPN589I Type N Pctg:0000000000000000

IPN511I LPARNAME:LPAR1 LPARNUMB:1 LPARCPUC:00

IPN512I LPARTLCP:2 LPARCLCP:2 LPARBLCP:0 LPARRLCP:0

IPN513I LPARLCAF:1000 LPARDLCP:0 LPARSLCP:2

IPN514I VMINNAME:ZVSE62DS VMINDBCT:01 VMINCPID:z/VM 6.2.0 VMINCAF:1000

IPN515I VMINTLCP:3 VMINCLCP:3 VMINSLCP:0 VMINRLCP:0

The TCP/IP stack must be recycled to pick up this zap.

When attempting to open an Epic dataset a failure may occur but the return code from the Epic pre-open routine is not displayed. This zap will display the return code from the Epic pre-open routine.

The SITE RDW ON command can now be used to add the record descriptor word. The use of SITE RDW ON is recognized in conjunction with MODE BLOCK. Here is a ftpbatch example of using it:

BINARY

LQUOTE MODE BLOCK

LQUOTE SITE RDW ON

PUT %SAMOUT1,SAM,V,32768 FTPBRDW1.BJB

In the above the %SAMOUT1 is a variable length sequential disk file. The LQUOTE commands will cause the local VSE side of the connection to prefix each record being sent with a 4-byte record descriptor word(RDW). The first 2-bytes of the RDW contain the record length, the last 2-bytes of the RDW will contain binary zeros.

You should recycle the TCP/IP stack after applying this fix.

The product key check required the stack to be recycled. This zap removes this restriction in conjunction with the new CHECKPRD command. See ZP225167 for more information on this command.

You will need to recycle the stack after applying this fix for the update to take effect.

The SeeVSE server did not recognize the 2.2 release of TCP/IP. In addition the SEE118I message contained VSE UNKNOWN when running on z/VSE 6.2. This zap corrects this problem.

The TCP/IP stack does not have to be recycled to pick up this zap.

The firewall report command should display all allowed IP addresses. By allowed it is in the table of allowed IP addresses, but if it was then blocked by the port blocking an additional message should be displayed showing the number of times it was blocked by port or ICMP(PING) requests not allowed.

The firewall blocked command should display all blocked IP addresses. But when using port blocking it was not displaying IP addresses blocked by port.

Additional messages were added to provide more information on blocks.

The TCP/IP stack must be recycled to pick up this zap.

The version of the TCP output processor(IPNTOTCP) was not being displayed. Q VER will now display an additional message similiar to this:

IPN220I IPNTOTCP = ZP225162 20190401 12.51 @ 01390884

The TCP/IP stack must be recycled to pick up this zap.

This zap adds unique subpool identifiers for the storage allocated. The Q STOR should now show subpools SSLAAA, SSLBBB, SSLCCC, SSLDDD, SSLEEE, SSLFFF. This should help identify the storage usage for applications that run in the TCP/IP partition.

The TCP/IP stack must be recycled to pick up this zap.

This zap adds unique subpool identifiers for the storage allocated. The Q STOR should now show subpools TLSAAA, TLSBBB, TLSCCC, TLSDDD, TLSEEE, TLSFFF. This should help identify the storage usage for applications that run in the TCP/IP partition.

The default list of cipher suites was being proposed from weakest to strongest. This zap changes the order to be from strongest to weakest.

The TCP/IP stack must be recycled to pick up this zap.

When DIAG GETIVS detects a new high water mark for getvis usage it issues a IPI514 message informing the user about the increased storage usage has hit a new high amount. There is no way to reset the high water marks. This zap corrects this by resetting the high water marks when DIAG -GETVIS is issued to turn off getvis monitoring. But the reset does not occur until the next time the getvis usage is analyzed.

IPI513I Diagnostic GETVIS high water marks have been reset

is issued when the last high values are reset. This can take up to 30 seconds to occur. After the IPI513 message occurs the DIAG GETVIS command can be issued and new high water usage messages should again occur.

The TCP/IP stack must be recycled to pick up this zap.

The Query PortQueue command has been enhanced to more clearly display statistics.

The TCP/IP stack must be recycled to pick up this zap.

The number of queued connections has been increased from 100 to 1000.

The TCP/IP stack must be recycled to pick up this zap.

The PortQueue command limits the maximum number of queued connections to 100. This limit has been increased to 1000.

The TCP/IP stack must be recycled to pick up this zap.

The diagnostic message IPN832 was missing from the message skeleton file. This zap adds it.

The IPN401I message in response to Q PORTQ has also been enhanced.

The IPI513 message has been added to inform user when getvis monitoring has reset the high usage amounts.

The IPI225 message was updated to clarify the block was because the IP address was to in the allowed range.

Added the following message to the FIREWALL BLOCKED command:

IPI228 ipaddr IP addresses blocked because no matching IP address range

IPI229 FIREWALL BLOCKED ipaddr PORT:aaa ICMP:bbb

IPI230 nnn IP addresses blocked because of no matching PORT range

IPI231 nnn IP addresses blocked because of ICMP=NO

The TCP/IP stack must be recycled to pick up this zap.

The CICS web services shuts down when it receives the enetdown errno 1117. This zap detects and corrects this problem.

The TCP/IP stack must be recycled to pick up this zap.

This zap adds some diagnostics to identify when a port queueing failure occurs. It will also not terminate a connection on a failed port queue attempt.

The TCP/IP stack must be recycled to pick up this zap.

The QUERY FILES for VSAM ESDS files has been enhanced by adding a message to show how many tasks are accessing that file and what they are doing (OPEN, ,CLOSE, READ, WRITE). This is useful in debugging file activity issues.

This fix provides the enhancement. You will need to recycle the stack after applying this fix.

TLS134 SSLV2 Client_Hello rejected will be issued when a SSLv2 client_hello is received. This error message will be issued to more clearly identify the cause of the failed attempt to connect into a server using the the deprecated SSLv2 client_hello. The remote client should be re-configured to use TLS 1.0 or higher.

See ZP224149 for a full description of these new keywords.

The stack must be recycled to pick up this correction.

This zap adds new keyword operands to the PORTRANGE command. FTPLOW=nnnn in conjunction wiht FTPHIGH= can be used to establish a range of ports for the internal ftp server created with DEFINE FTPD command. The FTP data connection will then use the FTPLOW and FTPHIGH port range when a DEFINE FTPD with DATAPORT=4 or DATAPORT=5 setting is in effect. DATAPORT=4 will use these for the data connection in passive mode. DATAPORT=5 will use these for the data connection in passive and active mode.

In addition the PORTRANGE command with no operands will display the current port range settings.

The stack must be recycled to pick up this correction.

The SSL protocol version of TLSV1 was being rejected. The application should change to use TLS10 but for backward compatability we should allow the deprecated TLSV1 value. This zap allows the TLSV1 value to be accepted.

The ftp data connection was defaulting to use the next free local port for internal ftp servers created with the DEFINE FTPD command. The default should be the control port - 1(DEFINE FTPD PORT=). The usage of the data connection local port numbers may have varied between prior releases and maintenance zaps of TCP/IP. The local data connection ports can now be set in conjunction with firewall port settings. The local ports used for the FTP data connection can be controlled with the FTPBATCH DATAPORT= and the DEFINE FTPD DATAPORT= settings. The local ports used for the FTP data connection can be configured with DATAPORT=NNNN. Where NNNN can be a specific port. The values 0, 1, 2, 3, 4, and 5 can also be used with the following effect.

DATAPORT=0 can be used for the following effect. When in passive mode it will use the contol port minus 1 to issue a listen on and wait for the remote to connect into it. When in active mode it will use the next available free port to connect to the remote server that is in a listen state. DATAPORT=0 is the default for the internal ftp servers(DEFINE FTPD).

DATAPORT=1 can be used to force the use of control port minus 1 for both passive and active mode.

DATAPORT=2 can be used to force the use of the next available free port for both passive and active mode. DATAPORT=2 is the default for the external FTPBATCH utility.

DATAPORT=3 can be used for the following effect. When in passive mode it will use the next available free port to issue a listen on and wait for the remote to connect into it. When in active mode it will use the contol port minus 1 to connect to the remote server that is in a listen state.

DATAPORT=4 will force the use of a specific range of ports for only passive data connections. For FTPBATCH the range is set by the SET DATAPORT command. For internal ftp servers created with DEFINE FTPD with DATAPORT=4 the range is set by the PORTRANGE FTPLOW= and FTPHIGH= settings. When in active mode it will use the next available free port to connect to the remote server that is in a listen state.

DATAPORT=5 will force the use of a specific range of ports for both passive and active data connections. For FTPBATCH the range is set by the SET DATAPORT command. For internal ftp servers created with DEFINE FTPD with PORT=5 the range is set by the PORTRANGE FTPLOW= and FTPHIGH= settings.

DATAPORT=NNNN with any value greater than five and less than 65,536 will force the use of a single port number for both passive and active data connections. Caution should be used since a connection is defined by the combination of the local_IPaddr+local_port+remote_IPaddr+remote_port. Only a single connection with this combination can be used at any one time.

Also note that the local FTP server on VSE(FTPDAEMN) cannot control what port numbers the remote FTP server chooses to use. That configuation would have to be done on the remote FTP server. See chapter 2 of the TCP/IP for z/VSE User Guide for more information and diagrams showing the ports used for a data connection.

The IPN551I should only occur when DIAG GETVIS is active and network traffic has been turned off because of low 31-bit getvis storage. But it was incorrectly issued after a TRAFFIC OFF command had been issued and turned network traffic back on. Issuing a TRAFFIC OFF prior to shutting down TCP/IP is a good procedure. The above could also cause problems when attempting to shutdown TCP/IP after issuing a TRAFFIC OFF command.

The IPN155I should only occur when DIAG GETVIS is active and network traffic has been turned off because of low 31-bit getvis storage. But it was incorrectly issued after a TRAFFIC OFF command had been issued and turned network traffic back on. Issuing a TRAFFIC OFF prior to shutting down TCP/IP is a good procedure. The above could also cause problems when attempting to shutdown TCP/IP after issuing a TRAFFIC OFF command.

Some diagnostic messages such as the BSD103I during a close were being displayed when diagnostics were not active. This zap changes the message level to diagnostic.

The shutdown processing may hang after the above IPN597 message. A previous abend during a pseudo task that obtained the connection manager lock is one possible cause of the shutdown hanging. This zap uses a no wait request for the lock and will terminate with a:

IPN597I Shutdown Stage: 4: Could not obtain lock retrying now...

message and issue a:

IPN597I Shutdown Stage: 4: Could not obtain lock going on without it

when it determines it is unable to obtain the lock to allow the shutdown processing to complete.

You will need to recycle the stack after applying this fix for the update to take effect.

A new command can be added to FTPBATCH.L or as card input to a FTPBATCH job. SET DATAPORT startport nnnn can be used to set a specific set of ports to be used for the ftpbatch data connection. SET DATAPORT is actually a synonym for SET PASVPORT but since this port range can now apply to both an active and/or passive connection the SET DATAPORT is more technically accurate. When using PARM DATAPORT=4 this range will be used when using a passive data connection. When using PARM DATAPORT=5 this range will be used when using a passive or active data connection.

The ports used for the FTPBATCH data connection can be configured using the PARM DATAPORT=nnnn. See ZP224147 for more detailed information on the effect this parameter can have on data connections.

The maximum received record from a foreign reply message terminated with a cr/lf was 1024 bytes. A 220 welcome message text may exceed this and cause a failure. This zap increases the maximum received relpy to 2048 bytes.

In addition this zap corrects a problem where a single ftp session closes the remote control connection and opens a new remote connection. A automation FTP event for example could send a file to multiple remote ftp servers and this could fail. This zap should correct that problem.

The SQBLOK.A macro is referenced by the SOCKET.A macro and was not included in the 2.2 distribution. This zap catalogs the SQBLOK.A macro for the 2.2 distribution.

The diagnostic FTP949D nnnn is the port being used on the data connection. Previously it incorrectly contained the free port when it should be the control port - 1.

ranges with the new IPN375I message.

See ZP224137 for information on using this utility.

The is no need to recycle the stack after applying this fix.

Are you concerned about the security exposure when attempting to share sensitive information like userids and passwords between VSE systems at different locations? We have created two new batch utilities that use RSA public/private keys and a certificate to share sensitive information. This can be accomplised with the below example steps.

1) Use Keyman and CIALSRVR to generate a private key and certificate on your local VSE system(let's call it VSESYSDC).

2) Send just the certificate to another VSE system(let's call it VSESYSEC) On VSESYSEC run CIALCERT to catalog just the .CERT file on VSESYSEC. That's right no .ROOT or .PRVK on VSESYSEC. The certificate contains the RSA public key that will be used to encrypt cards(SYSIPT input). Below is a hypothetical example of the job to encrypt cards, Replace 'lib.sublib.memname' with the certificate cataloged by CIALCERT.

// JOB CIALEPAS

// EXEC CIALEPAS,SIZE=CIALEPAS,PARM='lib.sublib.memname'

The quick brown fox jumped over the moon.

Tom's secret password is "GetAclue1853".

/*

/&

The syslst output will then contain the RSA encrypted block in Base64 encoding.

3) Below is a hypothetical example of the job to decrypt the above Base64 syslst output which could simply be cut and pasted from an email. This job must must be run on VSESYSDC since it has the private part of the RSA key. Replace 'lib.sublib.memname' with the private key(.PRVK) created in step 1. It is decryted using the private part of the RSA key.

// JOB CIALDPAS

// EXEC CIALDPAS,SIZE=CIALDPAS,PARM='lib.sublib.memname'

Base64 output from CIALEPAS copied to here as sysipt data

/*

/&

The output from this job would be the decrypted original text of the CIALEPAS encrypted cards.

The quick brown fox jumped over the moon.

Tom's secret password is get a clue.

Thus making the world a better more secure place for transmitting sensitive information between VSE systems in different locations.

The is no need to recycle the stack after applying this fix.

An abend may occur due to a label in an error recovery routine using a "DS 0D" causing binary zeros between the in-line instructions. This zap usues a "DS 0H" to correct this problem.

This zap also corrects a IPN832I and IPN898I diagnostic messages that should have only been issued when DIAG CONREJECT is active.

The TCP/IP stack must be recycled after appplying this zap.

The SSL protocol version of TLSV1 was being rejected. The application should change to use TLS10 but for backward compatability we should allow the deprecated TLSV1 value. This zap allows the TLSV1 value to be accepted.

A program check abend could occur in the pseudo task dispatcher when a post request contains an ecb with an invalid address. This zap will detect this condtion and issue a:

IPN219W IPPOST invalid TKBLOK address in ecb address1 ecb contained xxxxxxxx called from address2

The above message should be reported to CSI technical support to further analyze the application running that failed.

You will need to recycle the stack after applying this fix.

The control command for get vendor information used a 8-byte field to retrun 12-bytes of information which causes storage corruption of 4-bytes. This zap exapands the return area to 12-bytes to correct this problem.

This fix corrects this problem. The stack must be recycled after applying this fix.

If multiple deliveries are occurring and one of them fails, for any reason, it is possible that the deliveries that follow that one will terminate with DISP=Y, even though the reports were successfully delivered.

This fix corrects that problem. No recycling of the stack is needed.

This zap add a TEL937 message to idenitify the valid or invalid cipher suites being used when using SSL/TLS secure connections.

You will need to recycle the stack after applying this fix for the update to take effect.

The TN3270 server was not using the cipher suite list from the corresponding DEFINE TLSD CIPHER= speicification. Instead it was using the default list of cipher suites. The DEFINE TLSD CIPHER= should have been used. To use the default cipher suite specify DEFINE TLSD with CIPHER=00. In addition while processing the list of cipher suites the following new message may be issued.

TEL937W Define TLSD CIPHER=xx is not valid for SSL or TLS

The TEL937 with "is not valid" indicates a cipher from the DEFINE TLSD CIPHER= list is not a valid supported cipher suite, and should be removed from the Define TLSD CIPHER= list.

TEL937W Define TLSD CIPHER=08 is not available for TLS 1.2

The TEL937 with "is not available" indicates a cipher from the DEFINE TLSD CIPHER= list contained a cipher that will not be used when the TLS 1.2 protocol version is negotiated. These are usually DES ciphers that are no longer considered secure and should be replaced with more secure AES cipher suites.

See ZP223127 for more information on controlling the cipher suites that will be used during SSL/TLS connection negotiation.

The TN3270 server was not setting the cipher suite list from the corresponding define tlsd cipher= speicification. See ZP223130 for a more detailed description of this problem.

This zap adds the below messages.

TLS150 SOCKOPT $OPTTLSX setting forces only TLS 1.2 to be negotiated

TLS151 SOCKOPT $OPTTLSX overrides xxx to be yyy for zzzz

TLS152 Deprecated protocol version changed from xxx to yyy

By default an applications sets the SSL or TLS protocol version during the gsk_initialize(TLSRINIT) function call. It can be desirable to override and force the use of the latest more secure protocol version which is TLS 1.2. A custom $SOCKOPT phase with the SSLFLG1=$OPTTLSX can be used to force the override of the applications protocol version.

By default applications also set the list of cipher suites to be used during the gsk_secure_soc_init(TLSRSINI) function call. It can also be desirable to override and force the use of more secure cipher suites. A custom $SOCKOPT phase with the SSLFLG1=$OPTCIPH can be used to force the override of the applications list of cipher suites. When $OPTCIPH is in use the SSLCIPH= setting will be used to override the applications list of cipher suites.

SSLCIPH=A is for All supported cipher suites. This is the default setting and includes all the below strong, medium, and weak cipher suites.

SSLCIPH=S is for Strong cipher suites. For TLS 1.2 this is x3D which is RSA_AES256CBC_SHA256.

SSLCIPH=M is for Medium strength cipher suites. For TLS 1.2 these are x35 and x3C which are RSA_AES256CBC_SHA1 and RSA_AES128CBC_SHA256.

SSLCIPH=W is for Weak cipher suites. For TLS 1.2 this is x2F which is RSA_AES128CBC_SHA1

For example to force the use of TLS 1.2 and use the strongest ciper suites you would have SOCKOPT with SSLCIPH=A and SSLFLG1=$OPTTLSX+$OPTCIPH. This would mean that all applications would be forced to use only TLS 1.2 and the strongest cipher suites. Caution should be used in that some remote client and servers may not be able to support these levels of the protocol version and cipher suites.

The $OPTTLSX and $OPTCIPH apply to all applications running in the same partition. Different partitions could have unique $SOCKOPT phases since it is cdloaded in the partition running the application.

When multiple SSL/TLS records are received with a single header a hang could occur. The TLS protocol allows this combining of multiple records as described in RFC5246 under the "6.2.1. Fragmentation" section. But when connecting to a remote server a hung session could occur because of multiple TLS records contained in a single header. FTPBATCH could have this occur when it proposes TLS 1.2 but the remote server responds that it wants to use an older version of the SSL/TLS protocol. This zap should correct this condition.

When multiple SSL/TLS records are received with a single header a hang could occur. The TLS protocol allows this combining of multiple records as described in RFC5246 under the "6.2.1. Fragmentation" section. But when connecting to a remote server a hung session could occur because of multiple TLS records contained in a single header. FTPBATCH could have this occur when it proposes TLS 1.2 but the remote server responds that it wants to use an older version of the SSL/TLS protocol. This zap should correct this condition.

See ZP223123 for a full description of this new command.

The stack must be recycled to pick up this correction.

This zap adds a new command CONNECTFAIL with the keyword operands OPENACKS=NO/YES, OPENACKN=1-32, OPENACKT=100-18000. This command can be used to control the number of ACKs clients on VSE send when connecting to servers. The default setting is: "CONNECTFAIL OPENACKS=NO OPENACKN=1 OPENACKT=100"

Normally when a client on VSE connects to a server a TCP handshake occurs which begins with a synchronize(SYN) from the client to the server. The SYN establishes the TCP starting sequence number of the client. A SYN-ACK is then received to establish the starting TCP sequence number of the server. And finally a ACK is sent from the client to the server and the connection is established. But on some networks the final ACK was not being received by the remote server and the connection fails to be established.

The CONNECTFAIL command can be used to send multiple ACKS with a time delay in response to the SYN-ACK of the remote server.

The OPENACKN is the number of ACKs that will be sent. The OPENACKT is the time delay between the sending of these initial ACKs.

The Query SET command can be used to display the current the CONNECTFAIL settings.

A certificate with a RSA-512 bit signature would fail to catalog because the object identifier(OID) was not recognized. This zap corrects this problem.

A certificate with a RSA-512 bit signature would fail to catalog because the object identifier(OID) was not recognized. This zap corrects this problem.

A certificate with a RSA-512 bit signature would fail to catalog because the object identifier(OID) was not recognized. This zap corrects this problem.

A certificate with a RSA-512 bit signature would fail to catalog because the object identifier(OID) was not recognized. This zap corrects this problem.

This zap corrects a problem with poor performance for active open(connects). ZP223089 corrected a problem by sending multiple acks with a time delay in response to the final SYN-ACK of the TCP initial handshake, but this could also cause poor performance. With this zap applied the default behavior will be to remove this sending of multiple acks with a time delay. The new CONNECTFAIL command documented in ZP223123 can be used to send multiple ACKs with a time delay in response to the final SYN-ACK of the TCP initial handshake.

The TCP/IP stack must be recycled after appplying this zap.

The SET JSEP command was accidentally removed at some point, and any attempt to use it would fail.

This fix restores that command. No recycling of the stack is needed after applying this fix.

The COMREG job step name has changed. This zap will dump the socket request block that was dropped to further identify the cause of this error.

The TCP/IP stack must be recycled after appplying this zap.

If the client issues a "EXEC member" and there is a "SET USER" or "SET PASS" within it, the complete contents are displayed, unlike if they were part of the JCL stream, where it would be masked over with "(SUPPRESSED)".

This fix enables masking. No recycling of the stack is needed after applying this fix.

When connecting to a remote server that does not support TLS 1.2 a failure could occur. This zap corrects this problem.

When connecting to a remote server that does not support TLS 1.2 a failure could occur. This zap corrects this problem.

Applications using the old EXEC TCP which included the deprecated IPNETXCO.OBJ from 1.5D could fail under the current release. Applications using the old 1.5D object deck must be re-compiled and re-linked with the IPNETXB.OBJ(batch) or IPNETXC.OBJ(cics). But the use of the older IPNETXCO will now be detected and a:

IPN696I Deprecated SOBLOK detected from XXXXXXXX

will be issued where XXXXXXXX is the job step name of the external application using the deprecated object deck.

The TCP/IP stack must be recycled after appplying this zap.

Applications using the old EXEC TCP which included the deprecated IPNETXCO.OBJ from 1.5D could fail under the current release. Applications using the old 1.5D object deck must be re-compiled and re-linked with the IPNETXB.OBJ(batch) or IPNETXC.OBJ(cics). But the use of the older IPNETXCO will now be detected and a:

IPN696I Deprecated SOBLOK detected from XXXXXXXX

will be issued where XXXXXXXX is the job step name of the external application using the deprecated object deck.

The TCP/IP stack must be recycled after appplying this zap.

Applications using the old EXEC TCP which included the deprecated IPNETXCO.OBJ from 1.5D could fail under the current release. Applications using the old 1.5D object deck must be re-compiled and re-linked with the IPNETXB.OBJ(batch) or IPNETXC.OBJ(cics). But the use of the older IPNETXCO will now be detected and a:

IPN696I Deprecated SOBLOK detected from XXXXXXXX

will be issued where XXXXXXXX is the job step name of the external application using the deprecated object deck.

The TCP/IP stack must be recycled after appplying this zap.

The following new messages may be issued when attempting to open connections from the FTP client.

"IPA417 Open of control connection retried to ip-addr,port" is issued when the local open fails and a retry is attempted.

"IPA418 Receive timed out retrying it now" is issued when a local receive times out and a retry is attempted.

"IPA419 Data connection listening on port nnnn" is issued when a a passive data connection is used to receive directory output.

"IPA420 Data connection open ip-addr,remote-port(local-port)" is issued when DIAG FTP is active and contains the IP address and ports to receive directory output.

"IPA421 Waiting for data connection to be established" is issued when a a passive data connection is used to receive directory output and we are waiting for the remote to connect into the passive port.

"IPA422 Open of control connection successfully retried to ip-addr,port" is issued when the local open fails and a retry is successful.

See ZP218346 for a full description of this new command.

The stack must be recycled to pick up this correction.

This zap adds a new command LISTENFAIL with the keyword operands APPLPOST=NO/YES, RETRYCNTR=0-99, and RETRYTIME=0-9000. This command can be used to control servers on VSE in a listen state. The default setting is: "LISTENFAIL APPLPOST=NO RETRYCNTR=0 RETRYTIME=0"

Normally when a remote client connects into a server on VSE a TCP handshake occurs which begins with a synchronize(SYN) from the client to the VSE server. The SYN establishes the TCP starting sequence number of the remote client. A SYN-ACK is then sent to establish the starting TCP sequence number of the VSE server. The remote client should then respond with an acknowledgement(ACK) to complete the standard 3-way TCP handshake that establishes a connection. But when a remote client does not respond in a timely fashion to the SYN-ACK sent to it the SYN-ACK is retransmitted and a time wait is entered for the ACK to our SYN-ACK. This is a rare occurence but on heavily congested networks it can and does happen. In addition a known denial of service virus/attack can occur where the remote sends in SYN's without ever ACKing the SYN-ACKs. This condition is referred to as a SYN flood attack. For more details on it see:

https://en.wikipedia.org/wiki/SYN_flood#Technical_details

These can be difficult to block since the source IP address is often forged and it can also delay processing since the listener/server on VSE is not in a listen state during this initial TCP handshake. The PORTQUEUE command can/has been used in the past to alleviate this type of problem but it can also eventually be overwhelmed. Poor performance and legitimate connection requests can be rejected if the flooding is excessive(beyond the PORTQUEUE settings).

The LISTENFAIL command can be used to control how many times and for how long we will attempt to re-send our SYN-ACK in response to an incoming client connection request(SYN) and if we should post the VSE server application for a failed initial TCP handshake.

re-enter the listen state without posting the associated application after RETRYCNT and RETRYTIME values are exceeded.

the VSE server application after the RETRYCNT and RETRYTIME values are exceeded. The application is posted with a failure return code and should re-issue the listen request.

The Query SET command can be used to display current LISTENFAIL settings.

ZP218317 incorrectly could cause excessive storage usage and produce a false system loop detection.

This zap also corrects a problem with the retranmission of our SYN-ACK during the initial TCP handshake for a listener(server) application running on VSE. In response to remote clients connections we respond with a SYN-ACK as part of the TCP protocol exchange to establish the initial sequence numbers. The SYN counts as one in the TCP sequence numbering. But during a retransmission of our initial SYN-ACK the send sequence number was incorrectly being advanced. The could result in a rejected connection on a congested network in the rare instance of a SYN-ACK being retransmited during the the initial TCP handshake. By default this resending of our SYN-ACK will be attempted 3 times with a time wait of 1 second bewtween each attempt. The new command LISTENFAILL RETRYCNT=nn RETRYTIME=nnnn command can be issued to override these default settings.

In addition the listener(server) application on VSE is by default not posted and the connection is recovered into a listen state after the failure of this initial TCP handshake. A new command LISTENFAIL can be used to post an application with a listen(passive open) failure. The default is to not post the application. LISTENFAIL APPLPOST=YES will cause the application to be posted when a initial TCP handshake fails. See ZP218346 for additional information on the LISTENFAIL command.

The TCP/IP stack must be recycled after appplying this zap.

For IBM licensed sites a check is made for the correct VSE/AF level. This check included the modification level which may change. The check now only checks for the VSE/AR version and release.

The BARS command has additional options, such as LEFT, WIDTH, and DEPTH. The LEFT command was off by one point, and the WIDTH value was off by several.

Apply this fix to correct the problem. You will need to recycle the stack after applying this fix for the correction to take effect.

AUTOSEND runs in an external partition and should use a unique message prefixes. This zap adds the AUT prefix for AUTOSEND.

This zap picks up changes to messages for various modules.

You will need to recycle the stack after applying this fix for the update to take effect.

This zap adds new internal debugging events for the RAPTRAC event recording facility.

You should recycle the TCP/IP stack after applying this fix.

The open of the local ftp server may fail on a heavy loaded system. This zap corrects this by adding a retry to open.

If the wrong SYSID was issued for CHECKTCP with WAIT=YES, the SOCKET OPEN request would still terminate normally, causing it to appear that the stack was actually up, when it was not.

This fix corrects that problem. No recycling of the stack is needed.

When attached as a real VSE subtask by the external AUTOSEND program duplicated ECBs could occur. This zap corrects this problem.

You should recycle the stack after applying this fix.

AUTOSEND runs in an external partition and should use a unique message prefixes. This zap adds the AUT prefix for AUTOSEND.

Since this program runs outside of the stack, there is no need to recycle the stack after applying this fix.

This zap checks for the EXTPSTAT ON command before updating statistical counters in system getvis to reduce key zero cpu time.

Note that the use of the SOCKOPT MAXSOCO=00 to enforce the detection of maximum outstanding socket requests requires EXTPSTAT ON. This options default setting of 00 is not to enforce and is rarely used in custom $SOCKOPT phases.

This zap reduces the amount of non-parallel cpu time when the TCP/IP stack and external partition being serviced are both running in dynamic partitions. Static partitions use different storage protection keys so TCP/IP must enter key zero state to update the external partition socket buffers and result areas, but dynamic partitions are use the same storage protection keys and it is not necessary to enter key zero state. This zap also requires that external partition getvis statistics be turned off with the EXTPSTAT OFF command(see ZP15G326) since these statistics reside in system getvis and would negate the improved performance.

The checking of the return code from a close may not have detected a close failure. This zap corrects this problem.

This fix will correct the problem. You should recycle the stack after applying this fix as well as any external FTPD service.

The checking of the return code from a close may not have detected a failure. This zap corrects this problem.

This fix will correct the problem. You should recycle the stack after applying this fix as well as any external FTPD service.

The IBBLOK command erroneously put out an IPN341E error message when using just the SIZE= keyword. This zap corrects this error.

This zap also adds support for the EXTPSTAT command described in ZP223091.

The stack must be recycled to pick up this correction.

This zap adds a new command EXTPSTAT ON/OFF. The default is off but the changes described in ZP15G328 are also required to reduce the overhead caused by updating these counters. When on the Query EXTERNAL command can be used to display internal statistical counters. These statistics do cause some additional overhead.

This zap adds a diagnostic message:

BSD114I Reserved socket number nnnn for control and monitoring

to identify the socket number reserved for internal control and monitoring.

During the initial TCP handshake we currently send one ACK to a received SYN-ACK from a server during an active open(connect). We will now send three ACKs with a small wait time between the ACKs using the retransmission time interval of the associated route for the connection. This should reduce the number of failed connections on heavily loaded systems with congested networks.

The TCP/IP stack must be recycled after appplying this zap.

was being issued as a warning message. This zap changes it from warn to diagnostic.

You will need to recycle the stack after applying this fix.