• Download the 02.03.04 Service Pack (2025-03-25) with fixes pre-applied.

A service pack contains new fixes and all fixes of prior service packs.

This zap adds support for storing of a binary string file into a libarian member. It is recomended you use the member type BIN due to library member type restrictions.

The BLOCLIP service needs it to store the block table during a BLOCKIP SAVE request.

See ZP234166 for complete a description of this new service.

The stack must be recycled to pick up this zap.

See ZP234166 for a description of this new service.

The stack must be recycled to pick up this zap.

See ZP234166 for a description of this new command.

The stack must be recycled to pick up this zap.

BLOCKIP is a new service that can be used to manually or automatically block ip-addrs. This can be useful for systems that are open to the entire worldwide Internet. It is recommended that when placing a VSE system on the open Internet the FIREWALL feature and BLOCKIP service be used. The BLOCKIP service is intergrated with the FIREWALL feature. Therefore the FIREWALL feature must be active to utilize the BLOCKIP service.

The BLOCKIP service will also automatically block ip-addrs that are causing Denial of Servie(DoS) SYN flood attacks. This type of DoS can cause slow network performance and availability of a server application.

https://en.wikipedia.org/wiki/Denial-of-service_attack

contains additional information on DoS attacks. One type of DoS is a SYN flood attack. A SYN flood attack occurs when a remote client attempts to connect to a TCP server sending the initial SYN packet. The server application on VSE then responds with a SYN-ACK to acknowledge the SYN request which also establishes the starting TCP sequence numbers that will be used. The remote normally acknowledges this SYN-ACK completing the standard TCP handshake that establishes a TCP connection.

https://en.wikipedia.org/wiki/Transmission_Control_Protocol

for additional information on the TCP protocol and connection establishment. During a SYN flood attack the remote client does not ACK the SYN-ACK. These half-open connections exhaust the available connections the sever can handle, and keep it from responding to legitimate requests until after the attack ends.

The BLOCKIP command is used to activate, control, and monitor the BLOCKIP service to defend against this type of DoS attack. The format is this new command is:

BLOCKIP @1 @2

@1 is the action to be performed and can be either ON, OFF, CLEAR, LOAD, SAVE, REPORT, or DUMP.

@2 is the keyword IPADDR=ip-addr, or LSMT=lib.sublib.member.type.

The keyword IPADDR= is only valid with the ON or OFF action(@1).

The keyword LSMT= is only valid with the LOAD or SAVE action(@1). LSMT stands for Library, Sublibrary, Member-Name, and Member-Type.

By default BLOCKIP is OFF.

To activate the BLOCKIP service issue a:

BLOCKIP ON

with no other operands.

IPI501R BLOCKIP is ON table length:@1 table address:@2

is issued after successfully activating the BLOCKIP service.

@1 is the length of the block table.

@2 is the address of the block table.

You can then manually block all traffic with a specific ip-addr by issuing:

BLOCKIP ON IPADDR=ip-addr

IPI503R BLOCKIP ON for @1 SLOT=@2

is issued after it is successfully added to the blocked table.

IPI524R BLOCKIP @1 is already in the block table at @2

is issued when the ip-addr is already in the blocked table.

@1 is ip-addr being blocked.

@2 is the address in the block table for this ip-addr.

Once the BLOCKIP service is active and a possible SYN flood attack is detected a:

IPI235S Possible SYN flood attack(@1) from @2 to local port @3

is issued.

@1 is the number of times this condition has been detected.

@2 is the remote ip-addr that is suspected of causing the problem.

@3 is the local port number being attacked.

The IPI235S is from the TCP connection manager and indicates a server in a listen state is actively waiting for a ACK to its SYN-ACK. Unless multiple instances of a server are active on the local port new client connections to this server application may be rejected. The PORTQUEUE command can also be used to avoid rejections. For example, multiple instances of a server causing multiple listens on a single local port can be created issuing multiple DEFINE FTPDs or DEFINE TELNETDs. Q CONN,STATE-LISTEN can be used to display all servers currently in a listen state and the local port being used.

IPT310S No ACK to SYN-ACK too many times(@1) @2 @3 @4

@1 is the number of times this condition has been detected from this ip-addr.

@2 is the local port being being attacked.

@3 is the remote ip-addr the attack came from.

@4 is the foreign port number the attack came from.

Immediately after the IPT310S a:

IPT311S IVLIFABK=@1 CCNOAKSY=@2 for @3

is issued when the @2 exceeds the FIREWALL NOACKSYN COUNT=nn.

@1 is the FIREWALL NOACKSYN COUNT=nn number.

@2 is the number of times this has occurred during this connection.

@3 is the remote ip-addr of the connection.

IPI107S All traffic with @1 will be prevented

@1 is the remote ip-addr of being prevented.

This is functionally the same as if a:

ACCESS PREVENT IPADDR=ip-addr had been issued.

The ACCESS PREVENT command uses the statistics control block(ISBLOK) which is about 512 bytes in size, and can cause excessive storage usage when a large number of ip-addrs are prevented. BLOCKIP uses a table of 4 bytes for each blocked ip-addr.

The garbage collector by default wakes up every 15 seconds and checks for prevented ip-addrs. If a prevented ip-addr is detected a:

IPI518W Watchdog is watching @1 grrrowl ISNOSYAK=@2

is initially issued warning by the garbage collector.

@1 is the remote ip-addr suspected of causing the attack.

@2 is the number of times this has occurred for this ip-addr.

If this condition is detected three or more times a:

IPI519M @1 placed in BLOCKIP table, @2. removed from ISBLOK chain

is issued and the ip-addr is moved into the table of blocked ip-addrs. The associated ISBLOK is then deleted.

@1 is a ip-addr.

@2 is the address of the ISBLOK deleted.

The ISBLOK storage is also released.

BLOCKIP OFF

will turn off the blocking of ip-addrs in the blocked table. The table of blocked ip-addrs is still there, but it will not be used to block ip-addrs. In fact even after BLOCKIP OFF is issued the BLOCKIP REPORT can be used to display ip-addrs that are in the table. Specific ip-addrs can also be removed with the BLOCK OFF IPADDR= command even when it is off. This does not affect ip-addrs currently flagged as prevented. The ACCESS CLEAR or ACCESS ALLOW can be used to remove ip-addrs that are in the prevent state. ACCESS QUERY can be used to display all ip-addrs in the prevent state.

IPI510R BLOCKIP turned off

is issued when BLOCKIP is turned off.

BLOCKIP CLEAR

is the same as BLOCKIP OFF but in addtion the current table of blocked ip-addrs is cleared to binary zeros and the blocked counter is reset to zero.

IPI511R BLOCKIP turned OFF table cleared counter reset

is issued when BLOCKIP is cleared.

BLOCKIP OFF IPADDR=ip-addr

can be used to remove an ip-addr from the table of blocked ip-addrs.

IPI509R BLOCKIP OFF for @1 unblocked slot:@2

message will be issued after the ip-addr is removed from the BLOCKIP table.

BLOCKIP SAVE LSMT=lib.sublib.member.type can be used to save the current table of blocked ip-addrs into a librarian member.

IPI525R SAVE @1. is not a valid lib.sublib.memname.memtytpe

is issued when the LSMT= is not a valid lib.sublib.memname.memtype.

IPI526R @1. Lib:@2. Sublib:@3. Member:@4. Memtype:@5. IPs=@6.

is issued when the LSMT= is valid.

If BLOCKIP SAVE is issued without the LSMT= keyword a:

IPI528R LSMT= @1. was last valid used...

will be issued. @1 will either be NONE or the lib.sulib.member.type of the last issued BLOCKIP SAVE with the LSMT= keyword. In case you forgot the prior value used for LSMT=.

BLOCKIP LOAD LSMT=lib.sublib.member.type can be used to load a previously saved table of blocked ip-addrs.

Note that once a BLOCKIP LOAD or SAVE has been successfully issued then during shutdown it will automatically be saved into the same name as the last BLOCKIP LOAD or SAVE command that was issued. The idea here is to build and update a table of blocked ip-addrs that can then be loaded during startup.

IPI527R @1 IP-Addrs loaded into BLOCKIP TABLE from @2..@3.

is issued after successfully loading a table of blocked ip-addrs.

If BLOCKIP LOAD is issued without the LSMT= keyword a:

IPI528R LSMT= @1. was last valid used...

will be issued. @1 will either be NONE or the lib.sulib.member.type of the last issued BLOCKIP LOAD with the LSMT= keyword. In case you forgot the prior value used for LSMT=.

BLOCKIP ON

BLOCKIP LOAD LSMT=lib.sublib.memname.memtype

can then be placed into the stack initialization to block ip-addrs without the overhead of detecting SYN flood attacks.

BLOCKIP DUMP can be used to dump the current contents of the block table.

BLOCKIP REPORT

can be used to create a report of all currently blocked ip-addrs. First a:

IPI512R @1 IVBLKTAL=@2 IVBLKTAB=@3 IVBLKTCN=@4 IVBLKCNT=@5

is issued.

@1 is either ON or OFF to indicate the current state of BLOCKIP.

@2 is the length of the blocked table.

@3 is the address of the blocked table.

@4 is the number of ip-addrs in the blocked table.

@5 is the number of times a datagram was blocked because it matched a ip-addr in the blocked table.

Next a:

IPI521R @BLOCKIP @1.

is issued for each ip-addr in the table.

@1 is the ip-addr that is in the table.

This report of blocked ip-addrs could also then be passed onto your Internet Service Provider(ISP) to add to a router before the ip-addr is passed to the VSE system.

IPI520M BLOCKIP size increased IVBLKTAL=@1 IVBLKTAB=@2

is issued when attempting to add a new ip-addr to the table but the table is full. The full table is copied into a new larger table. The initial size of the table is 4096, and can hold up to 1024 ip-addrs. When full the new size is increased by 4096.

@1 is the new larger increased table size.

@2 is the new table address.

IPI522E @@1. failed rs:@2. rc:@3. offset:@4.

is issued when a BLOCKIP command fails.

IPI523E @ISBLOK:@1. PRIOR:@2. ISNEXT:@3. ISNEXTSV:@4. IP:@5. @6.

is issued when the garbage collector detects a problem in the ISBLOK chain. Report thie error to CSI technical support.

The stack must be recycled to pick up this zap.

See ZP234166 for a description of the BLOCKIP service.

The stack must be recycled to pick up this zap.

See ZP234166 for a description of this new service.

The stack must be recycled to pick up this zap.

This zap adds or changes message skeletons for messages issued by other zaps. The new or changed message(s) are described in the zap that issues the message.

The stack must be recycled to pick up this zap.

The IPT311 messages was a diagnostic level message, but now is changed to be a security level message.

In addition small dump titled "PASQ2000 TCBLOK" was being issued when a SYN-ACK was being retransmitted. This dump now is only issued when DIAG CONREJECT is active

The stack must be recycled to pick up this zap.

This zap removes a field that is not used in order to shorten the length of a control block.

The stack does not need to be recycled to pick up this zap.

This zap resovles a problem with a field name being the same in different macros.

The stack must be recycled to pick up this zap.

Make it smaller with ipstats off.

The stack must be recycled to pick up this zap.

Make it smaller with ipstats off.

The stack must be recycled to pick up this zap.

Make it smaller with ipstats off.

The stack must be recycled to pick up this zap.

Fix it.

The stack must be recycled to pick up this zap.

When a site is experiencing a TCP SYN-FLOOD attack these messages can be excessive due to the large number occurring. This zap changes the IPT234, IPT310, IPT311, IPT313, IPT314 messages to be diagnostic and will only be issued with DIAG CONREJECT is active. The IPT311S message will still be issued and contains the foreign IP address causing the problem.

The stack must be recycled to pick up this zap.

When a site is experiencing a TCP SYN-FLOOD attack a large number of IP addresses can be allocated. This zap reduces the size of the ISBLOK when IPSTATS OFF from 592 bytes to 72 bytes.

The stack must be recycled to pick up this zap.

The deleting of an event would fail with:

AUT035R Console command: DELETE EVENT,ID=event-id

In addition when defining a event for the Power LST and PUN queue that use the same class a:

AUT026E Lock falied for AUTOPOWCLASF

would occur. The lock name now includes the queue name(LST, RDR, or PUN) replacing POW in the lock name. The 12 character lock name is AUTOqueCLASx.

The TCP/IP stack does not need to be recycled to pick up this zap.

The AUTOSEND external automation service must be recycled to pick up this zap.

The deleting of an event would fail.

In addition when defining a event for the Power LST and PUN queue that use the same class a:

AUT026E Lock falied for AUTOPOWCLASF

would occur. The lock name now includes the queue name(LST, RDR, or PUN) replacing POW in the lock name. The 12 character lock name is AUTOqueCLASx.

This zap corrects these problems.

The AUTOSEND external automation service must be recycled to pick up this zap.

The TCP/IP stack does not need to be recycled to activate this correction.

This zap adds or changes message skeletons for messages issued by other zaps. The new or changed message(s) are described in the zap that issues the message.

The TCP/IP stack does not need to be recycled to pick up this zap.

This zap adds or changes message skeletons for messages issued by other zaps. The new or changed message(s) are described in the zap that issues the message.

The stack must be recycled to pick up this zap.

This zap adds a dataspace for collecting datagrams.

The stack does not need to be recycled to pick up this zap.

The 21C distribution does not update the VERCHECK phase and zap numbers are not accurate. This zap changes the IPN115R message response to a Q VERsion:

IPN115R Fixes applied: 21C uses MSHP RETRACE to see maintenance

for the 21st Century distribution.

This zap also adds a lock to control the monitoring of Power queues and a class to one and only one defined event. The name of the lock is 12 characters AUTOqueCLASx where que is LST or PUN and the last character(x) is the class. In addition if DIAG AUTO is active:

TCP942D @1 @2 successfully completed

will be issued with @1 is the lock name(AUTOqueCLASx) and @2 is either LOCK or UNLOCKED to indicate the successfully completed LOCK or UNLOCK.

If a lock or unlock request fails a:

TCP943W @1 @2 failed RC=@3

will be issued with @1 is the lock name(AUTOqueCLASx) and @2 is either LOCK or UNLOCKED to indicate the failed request. @3 is the lock or unlock return code. A non-zero RC= indicates another internal DEFINE EVENT or AUTSEND is running with a DEFINE EVENT for the same Power queue and class.

In addition the Q SET will now display a new line: IPN806R IPSTAT: On Firewall: On

to indicate that statistics and firewall are on or off.

The stack must be recycled to pick up this zap.

This zap corrects and enhances the external AUTOSEND service.

Messages prefixed with AUT are synchronized with the message skeleton(MSKELBS,PHASE).

CLIENTDZ is loaded into 31-bit storage and called directly from the maintask. Before this zap CLIENTDZ was attached as a separate subtask. But now since it is directly called from the maintask the number of subtasks used is reduced by one compared to prior versions of CLIENTDZ that attached it as a separate subtask.

The operator commands when using MSG xx,DATA=command where xx is the partition AUTOSEND is running in are updated to perform the following.

MSG xx,DATA=SHUT will shutdown after active events are completed. It will also issue a:

AUD121W Waited for 1 minute during shutdown, but tasks(@2.) still active

every minute while waiting for the active subtask(s) to complete. @2 is the number of subtasks active. But after issuing this message 60 times each minute for a total of 1 hour waiting a:

AUD122W Waited for @1. times use cancel to terminate AUTOSEND

MSG xx,DATA=TERM will shutdown immediately without waiting for active events to complete.

MSG xx,DATA=KILL will shutdown immediately with a program check dump.

MSG xx,DATA=DUMPON will activate diagnostic dumps.

MSG xx,DATA=DUMPOFF will deactivate diagnostic dumps.

MSG xx,DATA=DUMP will issue a VSE DUMP macro to terminate.

MSG xx,DATA=CANCEL will issue a VSE CANCEL macro to terminate.

Error handling has also been improved.

The TCP/IP stack does not need to be recycled to pick up this zap.

The AUTOSEND external automation service must be recycled to pick up this zap.

This zap corrects and enhances the external AUTOSEND service.

Messages prefixed with AUD are synchronized with the message skeleton(MSKELBS.PHASE).

AUD119W Power Display failed PXPRETCD=04...

warning message would occur because of a buffer used to contain the Power PDISPLAY out for an event was not being completely cleared before being reused.

Correct limiting of the simultaneous execution of events using the:

SET MAX_EVENTS=nn command.

The default is five subtasks running at the same time. The maximum that can be specified is 30. If a number greater than 30 is specified a:

AUD008W MAX_EVENTS:nn reduced to VSE partition limit:30

will be issued and MAX_EVENTS will be reduced to 30. The VSE limit for a partition is 31, but a message writer subtask is also attached resulting in 30 maximum.

The AUTOSEND external automation service must be recycled to pick up this zap.

The TCP/IP stack does not need to be recycled to activate this correction.

The external batch AUTOSEND and CLIENTDZ services issue messages pre-fixed with AUD and AUT. They are updated in this updated message skeleton phase.

The TCP/IP stack does not need to be recycled to pick up this zap.

The AUTOSEND external automation service must be recycled to pick up this zap.

Automation services can have problems when both AUTOSEND and a internally defined event are monitoring the same Power queue and class. This zap adds a lock to control the monitoring of Power queues and a class to one and only one defined event. The name of the lock is 12 characters AUTOqueCLASx where que is LST or PUN and the last character(x) is the class. In addition if DIAG AUTO is active:

TCP942D @1 @2 successfully completed

will be issued with @1 is the lock name(AUTOqueCLASx) and @2 is either LOCK or UNLOCKED to indicate the successfully completed LOCK or UNLOCK.

If a lock or unlock request fails a:

TCP943W @1 @2 failed RC=@3

will be issued with @1 is the lock name(AUTOqueCLASx) and @2 is either LOCK or UNLOCKED to indicate the failed request. @3 is the lock or unlock return code. RC=00000004 indicates another internal DEFINE EVENT or AUTSEND is running with a DEFINE EVENT for the same Power queue and class.

The TCP/IP stack must be recycled to activate this correction.

The watchdog was using a method that was not detecting a partition has terminated, but still has outstanding socket requests. This zap corrects the method to determine when a partition is terminated, and then removes outstanding socket requests.

The stack must be recycled to pick up this zap.

The SET SENDSNOT ON or SET SENDFAST ON The number of buffers sent before waiting for acknowledgement was defaulting to four. It now defaults to two and can be overridden with a number between one and nine. Example:

SET SENDFAST ON 2 this is the default...

SET SENDFAST ON 3 override to 3 buffers...

SET SENDSNOT is a synonym for SET SENDFAST.

The stack does not need to be recycled to pick up this zap.

This zap replaces a previous diagnotic IPT308D message with a:

IPT300D Open failed for @1. @2. LOPORT=@3. FOIP=@4. FOPORT=@5.

@1. is the partition the open was requested by.

@2. is the // exec phase name of the partition that requested the open.

@3. @4. and @5. are the local port, foreign IP address, and foreign port the open was attempted to.

The stack must be recycled to pick up this zap.

Currently if a SET BUFFSIZE less than 64K is used it is forced to 64K without any warning that it was overridden. This zap allows a minimum BUFFSIZE to be 32,768(32K). In addition a new informational message will be issued when the default(64K) is overridden:

FTP356I FTP data connection send buffer size:65520 MaxUnack:262080

clearly showing the buffer size that will be used when sending data.

The stack must be recycled to pick up this zap.

This zap corrects a problem with the TEL929 message in response to a Q TELNETD. The TEL929 character string "Total TELNET daemons:" is now in the message skeleton file(MSKELIP).

In addition when using INCLUDE with DELAY a IPN193 message could occur and the included commands are not executed. This zap corrects this problem and issues the following messages to clearly identify the execution of INCLUDE commands with the DELAY option.

IPN447R xxxxxxxx from include with delayed commands is now being issued

IPN411R xxxxxxxx delayed waiting for initialization to complete

IPN412R xxxxxxxx waiting for prior delayed command to complete

The stack must be recycled to pick up this zap.

This zap corrects an abend when a corrupt IBBLOK is detected a:

IPN549V IBBK IBID error

message will be issued. It will clear the IBBLOK queue for this task and continue to execute.

In addition this zap removes unnecessary lock manager calls.

The stack must be recycled to pick up this zap.

This zap adds or changes message skeletons for messages issued by other zaps. The new or changed message(s) are described in the zap that issues the message.

The stack must be recycled to pick up this zap.

This IPNOME.Z is a VSE job that contains new and updated messages for the Online Messages File(OME) which is the VSAM IESMSGS file defined in system standard labels. It contains all messages from the current TCP/IP 2.3.3 Messages manual. Additionally it contains all the AUTnnn and AUDnnn messages for the current AUTOSEND service utility. It is recommended that internal DEFINE EVENTs be moved to run externally using the AUTOSEND service utility for improved performance and better handling of large number of simultaneous spool file transfers. .

To install it copy the IPNOME.Z member into your editor, and the Power JECL, and submit it to run in any partition on your VSE system.

The VSE system console can be used by simply placing the cursor on the message identifier and pressing PF9 as documented in the z/VSE Operations manual(SC33-8309) Displaying Message Explanations section.

The FAQS/ASO MSG xxxnnn command can also be used to display messages. The xxxnnn is the message identifier. xxx is three alphabetic characters of the message identifier. nnn is three numeric characters of the message identifier.

The initial version of this zap omitted the TEL940D message. It has now been added.

When using DEFINE TELNETD with POOL=YES a shared set of buffers is allocated. If a session attempts to start with no free pool buffer available a timer is issued to wait for a free pool buffer. The timer value should be 1/3 second which is 100 in 300ths of a second. But the assembler code to set timer value used a load instruction that would load the value from low storage location 100(x64). On my VSE system location 100(x64) contains x80017F2E which would be a very very large timer amount... This zap corrects the problem by loading the correct timer value. When this condition occurs a:

TEL524I ip-addr waiting for buffer

will now be issued. If this message is occurring often then additional buffers should be allocated with the:

SET TELNETD_BUFFERS = nnn

In addition when attempting to establish a TLS\SSL secured session the initial handshake may fail and issue the TEL906C critical message. This is not critical and the TEL906C is replaced with a:

TEL934D @1. problem: @2. RC=@3. RS=@4.

diagnostic messaage to clarify the reason for the failure.

TEL931V text failure

indicates a bad pointer or corrupted storage, and is enhanced to display additional information for diagnosing the problem.

TEL931V Corrupted @1. detected during @2. at @3.

The @1. will be the name of the corrupted control block.

The @2. will be the name of the routine that detected the corrupted control block.

The @3. will be the address of the corrupted storage.

In addition the TEL930 and TEL931 messages contained all variables with different text literals. All of these messages are diagnostic and can only occur with DIAG TELNETD active. They are replaced with these messages:

TEL930 @@1. SHOWCB OPEN Error. Error=@2.

TEL931 @Corrupted @1. detected during @2. at @3.

TEL932 @...various text literals...

TEL500 @OPEN failed for @1. @2. @3.

TEL501 @Attempting to OPEN @1. @2. @3.

TEL502 @SETLOGON is being issued for @1. @2. @3.

TEL503 @TPEND setting found. Reopening for @1. @2. @3.

TEL504 @Forcing a CLOSE of the ACB for @1. @2. @3.

TEL505 @Reopen worked for @1. @2. @3.

TEL507 @REQSESS is being issued for @1. @2. @3.

TEL508 @TERMSESS is being issued for @1. @2. @3.

TEL509 @Waiting for UNBIND to end for @1. @2. @3.

TEL510 @CLOSE is being issued for @1. @2. @3.

TEL511 @No ACB CLOSE due to SELDOM for @1. @2. @3.

TEL512 @Bypassing CLOSE (already closed) for @1. @2. @3.

TEL513 @ACB has been closed for @1. @2. @3.

TEL515 @LU was reactivated for @1. @2. @3.

TEL518 @Closing SOCKET before opening @1. @2. @3.

TEL519 @Closing SOCKET for @1. @2. @3.

TEL520 @Closing SOCKET to restart @1. @2. @3.

TEL521 @Closing SOCKET in order to drop @1. @2. @3.

TEL522 @Attempt to OPEN an ACB that is already OPEN. @1. @2. @3.

TEL523 @Invalid IP-ADDRESS selection detected @1. @2.

The stack needs to be recycled to pick up this zap.

During a PUT operation from FTPBATCH a:

"Error: during PUT, invalid syntax"

could occur if the control connection is terminated before the data connection has completed the file transfer. This is not an accurate error message for this failure. This zap corrects this problem by issuing a:

Error: during PUT, foreign receive failed

In addition if columns 73-80 contained serial numbers or any non-blank characters the EXECUTE command which AUTO-FTP uses would fail due to the data in 73-80 being used as part of the command. This zap corrects this error by clearing 73-80 with blanks after reading the script record.

The stack needs to be recycled to pick up this zap.

This zap corrects a problem when using explicit mode in a TLS\SSL connection.

The stack does not need to be recycled to pick up this zap.

When a application is reading data using the Common Encryption Cipher Interface(CECI) during the decryption the SHA hash of the data block is calculated and compared to the original SHA hash contained in the data block. If they do not match the "CCZ601V ERROR DBLKXHSH..." message is issued and a failing negative return code is returned to the application. In addition SDUMPs are issued for both of the compared hashes.

This zap adds a SDUMP of the entire data block, and sets the RC= with either 120(x78) or 256(x100) to identify the SHA-120 or SHA-256 that was being used at the time of this error(DBLKXHSH).

This zap adds a new message skeleton.

This member contains the 21st Century copyright and product identifier.

A stxit pc has been added to allow the message driver subtask to recover from a program check.

The stack needs to be recycled to pick up this zap.

When using OPENSSL a invalid request could occur. The stack does not need to be recycled to pick up this zap.

This zap updates the storage subpool used to DSBLOK.

The stack needs to be recycled to pick up this zap.

This zap removes unneeded LOCKMGR calls to reduce overhead.

The stack needs to be recycled to pick up this zap.

A FTPBATCH with SET IGNORERR ON would hang and stall out after a failed GET or PUT when using a passive data connection.

This zap should correct this problem.

The stack does not need to be recycled to pick up this zap.

This zap adds or changes message skeletons for messages issued by other zaps. The new or changed message(s) are described in the zap that issues the message.

The stack must be recycled to pick up this zap.

This zap adds new events for when a listen fails.

The stack must be recycled to pick up this zap.

The Q ROUTE command displays all the defined routes. The *Internal route is for the 127.0.0.1 internal loopback address. And displayed as:

ID: *Internal Link ID: *Internal

IP Address: 127.0.0.0 Mask: 255.0.0.0

Net: 127.0.0.0 Subnet: -- Host: --

MTU: 32767 Max Seg: 32727 Pulse: 60s

SYN Retran: 100ms Data Retran: 100ms Fixed: Yes

Retran Min: 100ms Max: 100ms

Retry Delay: 100ms Retries 10

RWin: 65534

The *Internal001 is for the SET IPADDR home address similar to this:

ID: *Internal001 Link ID: *Internal

IP Address: 192.168.1.242 Mask: 255.255.255.0

Net: 192.168.1.0 Subnet: -- Host: 0.0.0.242

MTU: 32767 Max Seg: 32727 Pulse: 60s

SYN Retran: 100ms Data Retran: 100ms Fixed: Yes

Retran Min: 100ms Max: 100ms

Retry Delay: 100ms Retries 10

RWin: 65534

Note 192.168.1.242 will be the SET IPADDR on your system.

The 100ms values are 100/1000 which is equal to 1/10th of a second. When using external applications like FTPBATCH that issues a LOPEN to a locally attached FTP server could result in a failed LOPEN due to this 1/10th of a second value. It appears that the 100 value for default were used on the false assumption that the value was in 1/300ths of a second. These are millisecond values with 1000 equal to 1 second. A setting of 333 milliseconds(1/3 of a second) is the updated default settings for these internal values.

In addition the MODIFY ROUTE command did not allow these values to be changed because the ID of *Internal was not allowed and resulted in a:

IPN301R First operand character is invalid. Operand: *INTERNAL

The ID *Internal is changed to INTERNALLOOPBACK and the link ID changed to LOOPBACK. The ID *Internal001 is changed to INTERNALHOME and the link ID changed to LOOPBACK. This will allow the MODIFY ROUTE command to be used to update these values. The default values have also been increased to avoid local open failures. By default Q ROUTE will now display:

ID: INTERNALLOOPBACK Link ID: LOOPBACK

IP Address: 127.0.0.0 Mask: 255.0.0.0

Net: 127.0.0.0 Subnet: -- Host: --

MTU: 32767 Max Seg: 32727 Pulse: 60s

SYN Retran: 333ms Data Retran: 333ms Fixed: Yes

Retran Min: 333ms Max: 333ms

Retry Delay: 333ms Retries 10

RWin: 65534

The 333ms is 333/1000 which is one third of a second.

ID: INTERNALHOME Link ID: LOOPBACK

IP Address: 192.168.1.242 Mask: 255.255.255.0

Net: 192.168.1.0 Subnet: -- Host: 0.0.0.242

MTU: 32767 Max Seg: 32727 Pulse: 60s

SYN Retran: 333ms Data Retran: 333ms Fixed: Yes

Retran Min: 333ms Max: 333ms

Retry Delay: 333ms Retries 10

RWin: 65534

The stack must be recycled to pick up this zap.

When using OPENSSL a invalid request would occur for applications using the IPCRSINI SSL interface. This zap passes control directly to OPENSSL for these requests. The stack does not need to be recycled to pick up this zap.

The stack does not need to be recycled to pick up this zap.

When using OPENSSL a invalid request would occur for applications using the IPCRSINI SSL interface. This zap passes control directly to OPENSSL for these requests. The stack does not need to be recycled to pick up this zap.

See ZP233117 for additional information,

This zap should correct this problem.

The stack does not need to be recycled to pick up this zap.

When using an active data connection in a FTPBATCH job a PASV command is sent to the remote FTP server. A 227 reply to the PASV command contains the IP address and port number that the remote is in a passive listen on for the data connection. A informational message:

IPA439 @PASV reply received with IP:@1. PORT:@2.

will now also be issued that contains the IP address and port from the 227 reply message. If the 227 reply IP address does not match the remote control connection IP address a:

IPA452W @1. from 227-reply does not match foreign @2. using @3. for @4.

will be issued. @1 is the IP address from the 227 message.

@2 is the IP address of the remote control connection.

@3 is the IP address that will be used to open the data connection.

@4 will be either foreign or local. This will be "foreign" almost always, but could occur on the local connection if the LOPEN is not using the dynamically attached FTPDAEMN.

The IP address of the remote control connection(@3) will be used for the PORT command being sent to the local FTP server. A active connect will then be issued from the FTPBATCH job to open the data connection.

In addition if using FTPBATCH with:

LOPEN 127.0.0.1

the loopback address without a port number the job would hang. The default is port number 21. And it will connect to a internal FTPD in the stack partition on the default port 21.

In addition support is added for a 5th operand of a OPEN to a remote SSL\TLS server. The value can be PRIVATE which is the default, or CLEAR. The remote data connection will then be private(encrypted) or clear(unencrypted).

In addition since new operands were added to the LOPEN some sites may have had comments in the LOPEN that results in a failed LOPEN. If invalid operands are detected on a LOPEN a:

IPA453 Invalid operands on LOPEN will be ignored using ip-addr local-port will be issued, and the invalid operands will be ignored. If DIAG FTP is active a dump of the invalid operands will also occur.

In addition the SITE NAT YES now also allows SITE NAT ON.

The stack must be recycled to pick up this zap.

When a PORT command is issued to a remote FTP server and the 227 reply message contains a IP address that is different from the foreign control connection IP address the file transfer could fail. This zap adds a diagnostic FTP937 message similiar to this:

FTP937W ip-addr from PORT does not match foreign ip-addr using ip-addr

LSITE NAT ON

can be used in a FTPBATCH job to force the use of the foreign control connection IP address.

This zap corrects this problem.

The stack must be recycled to pick up this zap.

This zap adds or changes message skeletons for messages issued by other zaps. The new or changed message(s) are described in the zap that issues the message.

The stack must be recycled to pick up this zap.

The MODIFY ROUTE command ID=*Internal or ID=*Internal001 would fail with:

IPN301R First operand character is invalid. Operand: *INTERNAL

There are two internal routes created one for the 127.0.0.1 loopback and one for the SET IPADDR home address.

This *Internal route is also referred to as the loopback and is used by applications that are external to the TCP/IP stack partition. The FTPBATCH LOPEN command for example uses this route for the 127.0.0.1 loopback address, and depending on partition priorites and workload it may be necessary to increase the default route settings such as CRETRAN. A command similiar to this:

MODIFY ROUTE,ID=INTERNALLOOPBACK,CRETRAN=900

MODIFY ROUTE,ID=INTERNALHOME,CRETRAN=900

can now be issued to adjust any of the route values. See the MODIFY ROUTE command for a complete list of keywords and values that can be modified.

The FIREWALL BLOCKED command will now also display ACCESS QUERY blocked IP addresses.

The stack must be recycled to pick up this zap.

TEL940D Socket close request failed R15=rc

will be issued when DIAG TELNET is active and a close socket for a TN3270 session fails. The rc is the return code from the socket request.

The stack needs to be recycled to pick up this zap.

When using INCLUDE with the DELAY option and multiple includes were present an abend could occur. The DELAY was an arbitrary 10 second timer which is not practical. This has been changed to post an ecb after the:

IPN631I Control has been passed to the TCP/IP engine

The INCLUDEs will then be executed serially. See ZP233106-CMDEXEC for additional details.

In addition there was a settle time of 10 seconds that has been reduced to 1 second resulting in a much faster start up.

The stack needs to be recycled to pick up this zap.

The SITE NAT YES should allow SITE NAT ON. This zap should correct this problem.

In addition if using FTPBATCH with:

LOPEN 127.0.0.1

the loopback address without a port number the job would hang. The default is port number 21. And it will connect to a internal FTPD in the stack partition.

In addition support is added for a 5th operand of a OPEN to a remote SSL\TLS server. The value can be PRIVATE which is the default, or CLEAR. The remote data connection will then be private(encrypted) or clear(unencrypted).

The stack needs to be recycled to pick up this zap.

When using LISTENFAIL with APPLPOST=YES and a newly allocated socket fails because it exceeds the maximum retry counter the server should re-enter the listen state.

This zap should correct this problem.

The stack does not need to be recycled to pick up this zap.

The external application partition running IESVCSRV must be recyled to pick up this zap.

When in client mode in prior releases the .cert, .root, and .prvk were not required when connecting to a FTP server without client_authentication. The remote FTP server will provide its certificate and these files are no longer required on the VSE system.

This zap should correct this problem.

The stack does not need to be recycled to pick up this zap.

When using CSINTSSL and FTPBATCH with PARM='TLS=CLIENT' or PARM='SSL=CLIENT' normally a command similiar to this is issued:

SET TLS12 PRIVATE CRYPTO.KEYRING.SAMPLE04 NOCLAUTH ALL LOCNOSSL

to set the SSL/TLS settings for the dynamically attached local ftp server(FTPDAEMN). The CRYPTO.KEYRING.SAMPLE04 contains the library, sublibrary, and member name of the certificate(.cert), root(.root), and private key(.prvk) files. These files should exist, but in prior releases these 3 library members were not required when connecting to a FTP server without client_authentication. The remote FTP server will provide its certificate and these are not required on the VSE system.

The issuing of the SET TLS command itself is also no longer required.

When using OPENSSL instead of CSINTSSL these files, and a .PEM file must exist.

This zap should correct this problem.

The stack does not need to be recycled to pick up this zap.

This zap adds and/or changes messages in the message skeleton phase.

This zap should correct these problems.

The stack must be recycled to pick up this zap.

When an incoming connect(SYN) to a server in a listen state occurs, a SYN-ACK is sent and then requires an ACK from the remote client. If a retransmission occurs of the SYN-ACK, a counter is updated for the related remote IP address. If this counter exceeds a threshold(default 3) the IPT310 message is issued and the connection request fails. The counter for the number of times no-syn-ack occurred was stored in our IP statistics and is not reset. Once it hit the threshhold it would incorrectly terminate the next connection attempt on the first occurrence. This counter is now added to the connection control block(CCBLOK) and set to zero for each new incoming connect request.

In addition a:

IPT311S IVLIFABK=nn CCNOAKSY=nn ISNOSYAK=nn for ip-address

will be issued when the threshold is exceeded. IVLIFABK is the threshold which by default is 3

CCNOAKSY is the number of times the SYN-ACK was retried during the current connection request.

ISNOSYAK is the number of times the SYN-ACK was retried for a specific IP-address.

The FIREWALL NOACKSYN COUNT=nnn command can be used to update the IVLIFABK threshold. Note the FIREWALL feature does not need to be active or licensed for this command to be issued.

Note the LISTENFAIL RETRYCNT=nnn is very similiar to the FIREWALL NOACKSYN COUNT=4 but is maintained separetly. The LISTENFAIL RETRYCNT is checked after the FIREWALL NOACKSYN COUNT threshold, and handles a different condition.

In addition most timers are specified in 1/300ths of a second. 300 equals 1 second.

BUT the:

DEFINE ROUTE CRETRAN= DRETRAN= MINRET= MAXRET= RETRY=

keywords are specified in milliseconds(1/1000ths of a second). 1000 equals 1 second.

This has been identifed as a problem in that sites specify for example if a DEFINE ROUTE with CRETRAN=150 is used it may have incorrectly thought to be in 1/300ths of a second(half a second). But 150 in milliseconds is 150/1000 = .15(about 1/10th of a second) which is not a practical value, and can cause unneccessary overhead. Therefore if any of the above DEFINE ROUTE keywords is less than 300 it will automatically be increased to 300 milliseconds which is about 1/3 of a second. Another way to say it is that the minimum timer for these keywords is 300 milliseconds which equals 300/1000(a little less than 1/3 of a second).

This zap should correct these problems.

The stack must be recycled to pick up this zap.

The INCLUDE member_name,DELAY command can be used during initialization to wait until initialization is complete. The ,DELAY was actually a ten second timer wait which is plenty of time for initialization to complete. The INCLUDEs are then executed as separate pseudo tasks from the same real VSE DRIVER subtask. If there were multiple INCLUDEs with DELAY, they would all start running simultaneously after this delay period. An abend could occur(rarely) in VSE librarian code due to reading of different librarian members from the same real VSE subtask.

This zap changes the time to three seconds to wait for initialization to complete, and then single threads each of the delayed includes to avoid this possible abend.

In addition the:

IPN411R Delayed commands now being issued

is replaced with additional descriptive information to see the progress of the delayed INCLUDE commands.

IPN411R Delayed commands in xxxxxxxx are now being issued

is issued when the xxxxxxxx with ,DELAY is starting to be executed.

IPN411R yyyyyyyy is waiting for prior include with delay to complete.

is issued for the next include with delay that is waiting for the prior include to complete.

IPN411R Delayed commands from xxxxxxxx are now complete.

is issued when processing commands from xxxxxxxx are completed.

The stack must be recycled to pick up this zap.

Some critical messages such as IPN594C by default should not scroll off of the system console. The MESSAGE command SCROLL=NO option can also be used to make any message non-scrollable. Non-scrollable messages will stay on the console until they are manually deleted by the operator. The default PF6

'%DELETE '?CL',"'SYSTEM'

VSE system console command can then be used to delete the non-scrollable message by placing the cursor on the message and pressing PF6.

The stack must be recycled to pick up this zap.

This zap adds new and modified messages.

'IPA607R Unable to locate EXTTYPES.L.L'

contained an incorrect 2nd .L. This is corrected.

The stack must be recycled to pick up this zap.

When a AutoFTP transfers fails after the data connection is in a passsive wait it can take a minute or longer for the script to complete. An example of this would be a PUT with filename that is not valid on the foreign FTP server. This zap will close the passive data connection and termination of the AutoFTP script will complete immediately.

In addition if a invalid SETVAR was issued the other commands in the script would continue to be executed with incorrect results. If a invalid SETVAR such as:

SETVAR &TON2 = "V2V\" + &OFN ".TXT"

with the required plus sign(+) after the &OFN is missing, and the ending ".TXT" is not concatenated into the &TON2 variable. It will now issue a message similar to this:

IPA451W SETVAR &TON2 = "V2V\" + &OFN ".TXT" IS NOT VALID

IPA450I FLUSHING REST OF EXECUTE SCRIPT WITH &ERROR=EXIT

In addition the automation service will issue messages similar to this: TCP977W ERROR: DURING SETVAR, MISSING OPERAND(S)

TCP977W ERROR: DURING SETVAR, COMMAND FAILED

TCP977W ERROR: DURING SETVAR, WITH &ERROR=EXIT

Note this assumes the default &ERROR=EXIT variable is active. Alternately, if a: SETVAR &ERROR = "IGNORE"

is used before the invalid statement it is ignored and the next statement(s) in the script will continue to be executed.

The stack must be recycled to pick up this zap.

This zap adds the SEE311 message as described in ZP232100.

The stack does not need to be recycled to pick up this zap.

The Century 21 VSEn operating system was not being recognized.

This zap corrects this problem.

The stack must be recycled to pick up this zap.

The Century 21 VSEn operating system was not being recognized.

In addition, the monitored phases table can now be cleared with a:

MONPHASE CLEAR

that will clear all monitored phases and issue a:

SEE311R Table(xxxxxxxx) of monitored phases(nn) cleared

The xxxxxxxx is the address of the phase table. The nn is the number phase entries in the phase table.

It should also be noted that the maximum number of phases that can be monitored is 3.

This zap corrects these problems.

The stack does not need to be recycled to pick up this zap.

The node name in the FTP900 message for an internal FTP server was being changed to include the pseudo task number after the first FTP session. It will now consistently always contain the ID= from the associated DEFINE FTPD command.

The stack must be recycled to pick up this zap.

Allow for larger buffer length. During the reading of the librarian for an execute command columns 73-80 were being cleared. This corrects this problem. See coreq ZP232097 for additional information.

The stack must be recycled to pick up this zap.

The DEFINE EVENT ACTION=FTP invokes the FTP client execute command for automation scripts. The size of a command read from a execute command could not exceed a total of 80 characters. This includes the command being issued and all the expanded variables. This zap increases the maximum length to 256 characters. The buffer includes the command, operands, and all variables. If the expansion of variables exceeds the maximum the following new messages will be issued:

IPA446W &V variable would overrun buffer max length(256)

The IPA446W indicates the variable(&V) that was being processed. The maximum length for a command, operands, and resolved variables cannot exceed 256 characters.

IPA448W &V variable length(99) exceeds buffer by nnn characters

The IPA448W indicates the variable(&V) that was being expanded. The nnn is number of characters of it that exceeded the maximum buffer length.

IPA449W Buffer used nnn characters for command and other variables

The IPA449W indicates the number(nnn) of characters that was used in the buffer before expansion of the variable that exceeded the maximum buffer length.

This zap also increases the data contained in a single variable from 128 to 242 characters. Of course since the total buffer with commands and other variables cannot exceed 256 characters so that size should be plenty.

If a variable is not found meaning no SETVAR was done for it a IPA447 warning message with the name of the not found variable will be issued. The amphersand(&) and characters following it are included in the command. It assumes you literally want amphersand(&) characters in the command to be issued.

A asterisk(*) in column 1 is assumed to be a comment and variables are not resolved in a comment statement.

One other thing for those who need to know is that the size of the area reserved for variables and their associated data is controlled with the IPNAFTPC.L:

SET FTPCLLN4 16000 Variable table length

So the default from IPNAFTPC.L is 16,000 bytes, and can be customized to a maximum(999999) 6 digits no commas or about 900K. Not actually sure if 999K would work since the partition would probably run out of getvis and crash, so don't try that unless you have a very large partition for TCP/IP...600-900meg...

Each variable in the table has this structure:

VARENTRY DSECT

VARENAML DS XL1 Length of this var name

VARENAME DS CL12 Variable Name

VAREDATL DS XL1 Variable Data Length

VAREDATA DS CL242 Variable Data

VAREL EQU *-VARENAML Length of a variable entry

VAREL = 1+12+1+variable-amount-of-data = 256 max. But only 242 bytes of it can be the actual variable data. So if If all the variables contained 242 characters(highly unlikely) the max possible SETVARs would be:

16,000 / 256 = 62.5 but round down and say 62 variables with 242 characters of data in each variable.

Or if you had 64 characters of data in each variable you could have:

16,000 / (1+12+1+64) = 16000 / 78 = 205 max different variables.

Of course most sites will have lots of different lengths of data, so the possibilities are endless...

And last but not least use DUMPVAR to see the current contents of all variables.

This zap also adds a diagnostic for SET IGNORERR ON not working.

The stack must be recycled to pick up this zap.

This zap adds the CMD= and MSG= keywords to the PRTYSHARE command. Both can be a number from 0 to 255. The higher number gives higher priority for the associated subtask.

The ACCESS PREVENT IP=nnn.nnn.nnn.nnn required that the IP address being prevented/blocked would have to had activity. This zap also enhances the ACCESS PREVENT to allow an IP address to be prevented/blocked before any activity is detected. This negates the note in the command reference manual for the ACCESS command that states:

Before an address can be automatically added to the prevent table, the address must make a connection attempt.

The stack must be recycled to pick up this zap.

This zap adds the CMD= and MSG= keywords to the PRTYSHARE command. Both can be a number from 0 to 255. The higher number gives higher priority for the associated subtask.

The stack must be recycled to pick up this zap.

This zap adds new and modified messages.

The stack must be recycled to pick up this zap.

This zap adds weights for the command and message subtasks. See ZP232095 for the new keyword descriptions.

In addition during startup 2 new messages will be issued.

IPN481M Priority Sharing is ON

IPN485M Priority Sharing subtask weights are CSOCKET=0 DRIVER=0 MSG=0 CMD=2 FILEIO=0

The stack must be recycled to pick up this zap.

By default the priority sharing for balancing the TCP/IP stack subtasks should be on. This zap activates priority sharing on as the default.

In addition the command subtask is given a higher weight than the other subtasks to allow operator commands for a stack that is very busy.

This zap also adds support for the PARM= settings from the // EXEC IPNET to be placed as SYSIPT cards. These are settings that are processed before the command processor is available. No TCP/IP commands can be placed in the SYSIPT cards. PARMDATA must be upper case and in columns 1-8. The parameter must start in column 10. The SYSIPT PARMDATA will override the values specified in the // EXEC PARM=data. But with the SYSIPT PARMDATA there is no need for them in the // EXEC PARM=data. This also has the advantages of adding comments, no need to perform continuation, and adds clarity for these settings. For example if your TCP/IP start up contains:

// EXEC IPNET,SIZE=IPNET,PARM='ID=00,INIT=TCP232DS,FIREWALL=FIREWALL'

/*

This can be alternately be changed to:

// EXEC IPNET,SIZE=IPNET

PARMDATA ID=00 TCP/IP System ID

PARMDATA INIT=TCP232DS Configuration library .L member

PARMDATA FIREWALL=xxxxxxxx Name of the firewall phase in fail mode

PARMDATA FIREWALL=xxxxxxxx Name of the firewall phase in warn mode

PARMDATA STORMON Verify_Memory ON at start up

PARMDATA UPCASE Upper case messages

The SYSIPT cards will also be logged with messages:

IPN186I SYSIPT CARD PARMDATA xxxxxxxxx

IPN185I PROCESSING OF nn SYSIPT CARDS IS COMPLETE /*

The stack must be recycled to pick up this zap.

When a TN3270 session terminated abnormally due to a reset the count of active sessions was not being decremented and issued a:

TEL929D SOCKCLOS CLOSE REQUEST FAILED R15=xx

This also applies to the Q STATS command and shutdown statistics for the maximum active TN3270 sessions.

This zap corrects these problems.

The stack must be recycled to pick up this zap.

This zap adds the message skeleton for message IPT310.

The stack must be recycled to pick up this zap.

Allow Listenfail to have on=yes and off=no as synonyms.

The stack must be recycled to pick up this zap.

When running in a partition with multiple subtasks it was difficult to identify which task was issuing a message. This zap adds the task id to all messages issued to allow easier debugging.

The stack must be recycled to pick up this zap.

When running in a partition with multiple subtasks it was difficult to identify which task was issuing a message. This zap adds the task id to all messages issued to allow easier debugging.

The stack must be recycled to pick up this zap.

When running in a partition with multiple subtasks it was difficult to identify which task was issuing a message. This zap adds the task id to all messages issued to allow easier debugging.

The stack must be recycled to pick up this zap.

A small amount of code that would diagnose where a call for IPCCSERV was issued from and then used in diagnose hashing messages that should only be executed when DIAG HASHING is active has now been bypassed. DIAG HASHING would be required to execute it.

The stack must be recycled to pick up this zap.

This zap increases the size from 512 entries to 4096 blocked entries before a IPI226 msg is issued and the blocked table reset.

The stack must be recycled to pick up this zap.

This zap increases the size from 512 entries to 1024 blocked entries before a IPI226 msg is issued and the blocked table reset.

The stack must be recycled to pick up this zap.

This zap removes ZP232052 since it is suspected to cause problems.

The stack must be recycled to pick up this zap.

This zap removes ZP232058 since it is suspected to cause problems.

The stack must be recycled to pick up this zap.

This zap removes ZP232059 since it is suspected to cause problems.

The stack must be recycled to pick up this zap.

This zap removes ZP232063 since it is suspected to cause problems.

The stack must be recycled to pick up this zap.

During shutdown an abend could occur when clearing connection blocks. This zap corrects this problem.

This zap also removes ZP232057 since it is suspected to cause problems.

The stack must be recycled to pick up this zap.

A certificate with a RSA-384 bit signature would fail to catalog because the object identifier(OID) was not recognized. This zap corrects this problem.

This zap adds the IPT310 security message to identify the cause of a failed TCP handshake. The normal TCP 3-way handshake starts with a client sending a SYN. We then locate a defined server in a listen state, and send back our SYN-ACK, and then wait for the ACK of our SYN-ACK. But during the time between our sending SYN-ACK the associated server is not in a listen state which can result in rejecteded connections.

This "No-ACK" to our SYN-ACK can be a purposeful denial of service attack. This zap adds to identify and block the foreign system not acknowledging the SYN-ACK.

In addition a recommended circumvention would be to add multiple servers in a listen state on the port experiencing this problem. An example of this would be to change from 2 DEFINE FTPDs with MAXACTIVE=10 to 5 DEFINE FTPDs with MAXACTIVE=4,

The stack must be recycled to pick up this zap.

When both the local FTP server and local FTP client are running in the FTPBATCH partition the local data connection does not need to be private(encrypted) for local directory information. The LDIR and LNLST commands use this local data connection when talking to the dynamicaly attached FTP server(FTPDAEMN). This also applies to the MPUT which internally issue a LNLST for the file names being sent(put).

See corequisite ZP232072 and ZP232074 descriptions for additional information.

The stack must be recycled to pick up this zap.

When both the local FTP server and local FTP client are on the same system the local data connection does not need to be private(encrypted) for local directory information. The LDIR and LNLST commands use this local data connection when talking to the FTPBATCH dynamically attached server(FTPDAEMN). This also applies to the MPUT which internally issue a LNLST for the file names being sent(PUT).

See corequiste ZP232072 and ZP232075 descriptions for additional information.

The stack must be recycled to pick up this zap.

Remove unnecessary lockmgr calls to improve performance.

The stack must be recycled to pick up this zap.

FTPBATCH attaches a client(IPNAFTPC) and server(FTPDAEMN) subtasks in the partition FTPBATCH is executing. The local connections between the attached subtasks by default should not use TLS/SSL, It is not necessary since the data sent and received is all contained in the same partition and does not leave the VSE system. The foreign control and data connections will always use TLS/SSL when using the PARM TLS=CLIENT. This also applies to the LNLST and LDIR commands which return local directory information directly to the local client(IPNAFTPC), The LNLST is also invoked by the MPUT command to obtain the file names for generating PUTs to the foreign FTP server.

But if a customer wants to secure the local connection new operands have been added to the FTPBATCH SET TLSnn and LOPEN to use TLS/SSL on the local connections. This also allows the LOPEN to a remote system that requires the use of TLS/SSL.

The FTPBATCH SET TLSnn command settings are passed to the dynamically attached FTP server(FTPDAEMN) subtask. If the LOPEN is for a remote FTP server and PARM FTPD=NO is used then its values are not used since the remote system settings will be used. The SET TLSnn now supports a 6th optional operand that can be LOCNOSSL or LOCALSSL similiar to this:

SET TLS12 PRIVATE CRYPTO.KEYRING.SAMPLE04 NOCLAUTH ALL LOCNOSSL

The default value is LOCNOSSL, but can be overridden with LOCALSSL. If LOCALSSL is used then the local control and data connections will also use TLS/SSL.

In addition the FTPBATCH LOPEN command has new optional operands to allow the usage of TLS/SSL on the local connections. These LOPEN settings are passed to the dynamically attached FTP client(IPNAFTPC) subtask. The default values are:

LOPEN DYNAMIC ATTACHED LOCNOSSL TLS12 PRIVATE

The DYNAMIC ATTACHED operands tell the dynamically attached FTP server(FTPDAEMN) subtask will be used as the local FTP server. The LOCNOSSL tells the FTP client(IPNAFTPC) to not use SSL/TLS on the local control and data connections.

To use TLS/SSL on local connections a LOPEN similiar to this:

LOPEN DYNAMIC ATTACHED LOCALSSL TLS12 PRIVATE

must be used. The LOCALSSL TLS12 PRIVATE tells the FTP client(IPNAFTPC) to use SSL/TLS on the local control and data connections.

The stack must be recycled to pick up this zap.

This zap corrects a possible hardwait with a bad product code.

The stack must be recycled to pick up this zap.

The IPN418 diagnostic message was being issued when the lock diagnostic was not active. This zap corrects this by issuing IPN418 messages only when DIAG=LOCK is active.

The stack must be recycled to pick up this zap.

This zap removes calls to the lock manager that are not necessary during inbound UDP processing.

The stack must be recycled to pick up this zap.

This zap removes calls to the lock manager that are not necessary during the shutdown processing.

The stack must be recycled to pick up this zap.

An abend may occur when different subtasks attempt to attach a pseudo task. This zap corrects this problem.

The stack must be recycled to pick up this zap.

The ping command was using informational message type causing output to only go to syslst. This zap change the ping messages to response and will display on the console.

The stack must be recycled to pick up this zap.

The convert to binary(CVB) instruction performs better when a doubleword alignment is used. This zap corrects this minor problem.

The stack must be recycled to pick up this zap.

This zap removes calls to the lock manager that are no longer necessary to improve performance and remove bottlenecks.

The stack must be recycled to pick up this zap.

This zap removes calls to the lock manager that are no longer necessary to improve performance and remove bottlenecks.

The stack must be recycled to pick up this zap.

This zap removes calls to the lock manager that are no longer necessary to improve performance and remove bottlenecks.

The stack must be recycled to pick up this zap.

This zap removes calls to the lock manager that are no longer necessary to improve performance and remove bottlenecks.

The stack must be recycled to pick up this zap.

This zap removes calls to the lock manager that are no longer necessary to improve performance and remove bottlenecks.

The stack must be recycled to pick up this zap.

This zap removes calls to the lock manager that are no longer necessary to improve performance and remove bottlenecks.

The stack must be recycled to pick up this zap.

This zap removes calls to the lock manager that are no longer necessary to improve performance and remove bottlenecks.

The stack must be recycled to pick up this zap.

This zap removes calls to the lock manager that are no longer necessary to improve performance and remove bottlenecks.

The stack must be recycled to pick up this zap.

The loop back IP address should not be in this message. It is now removed and the message returns just the local port number being used on the data connection.

The stack must be recycled to pick up this zap.

The PASV 227 reply message contained the 127.0.0.1 internal loop back ip address. The 227 reply should contain the external network IP address.

This zap corrects this problem.

The stack must be recycled to pick up this zap.

If a dash(-) is used as the last character of a password it would fail because it was incorrectly being considered a continuation indicator. A continuation line should have a space before the dash, but this was not being checked. This zap corrects this problem by checking for a preceding blank before the dash(-). But if the dash is placed in column 72 it does not have to have a preceding blank.

The stack does not need to be recycled to pick up this zap.

When using FTPBATCH with a variable or variable blocked sequential disk file the GET and PUT of a text file may fail to be exactly the same. Since it is a variable length file the LSITE RDW ON command similiar to the below should be used.

// EXEC FTPBATCH,SIZE=FTPBATCH

...

ASCII

GET TESTFIL2.TXT %FIL2,SAM,V,16008

or

GET TESTFIL2.TXT %FIL2,SAM,VB,16000,32768

LSITE RDW ON

PUT %FIL2,SAM,VB,16000,32700 FTPBGLOU.TXT

The MS-DOS file compare command(FC) can then be used similiar to this:

FC TESTFIL2.TXT FTPBGLOU.TXT

Comparing files TESTFIL2.TXT and FTPBGLOU.TXT

FC: no differences encountered

The stack does not need to be recycled to pick up this zap.

The Query Locks command will display the IBBLOK lock requests and conflicts. This zap should reduce the number of internal lock requests for the IBBLOK resource.

Note that this internal lock mechanism is unrelated to the VSE lock manager.

The stack must be recycled to pick up this zap.

When using the FTPBATCH SET RETRY command it did not drain prior reply messages from the local ftp server that was in a passive listen state on the data connection.

In addition this zap corrects a problem that could cause a MPUT or MGET to fail.

This zap should correct these problems.

The stack must be recycled to pick up this zap.

The external automation service utility used the CLIENTDX phase. It now uses the CLIENTDZ phase.

The TCP/IP stack does not need to be recycled to activate this correction.

The Query STORage command displays the number of storage request for each subpool rounded to the nearest k. This was not correct and now displays the numer of k/nnn where nnn is the count of requests less than 1000. This zap corrects this problem.

The TCP/IP stack must be recycled to activate this correction.

An abend could occur with a heavy load. This zap corrects this problem.

The TCP/IP stack must be recycled to activate this correction.

When checking for key zero a insert virtual key instruction could abend. This zap corrects this problem.

The TCP/IP stack must be recycled to activate this correction.

If more than 1000 Power spool files are active for a event a large number of TCP932 messages could occur. This zap should correct the problem and improve overall performance.

The TCP/IP stack must be recycled to pick up this zap.

An abend could occur when multiple real and pseudo tasks conflict during the locking of the CCBLOK chain. This zap should correct the problem and improve overall performance.

This zap will also abend if the subtask save area eye-catcher is not IPDRIVER to assist in debugging the DRIVER subtask entering IPDRIVER code.

An abend could occur when multiple real and pseudo tasks conflict during the locking of the CCBLOK chain. This zap should correct the problem and improve overall performance.

This zap corrects locks from IPNTYTCP that are being released by the dispatcher.

This zap corrects these problems with the external automation service.

This zap picks up ZP229302 for 2.3.1.

The TCP/IP stack does not need to be recycled to pick up this zap.

The AUTOSEND external automation service must be recycled to pick up this zap.

The external AUTOSEND utility messages were missing.

The TCP/IP stack does not need to be recycled to activate this correction.

The AUTOSEND job does need to be recycled to activate this correction.

This zap corrects diagnostic messages that were incorrect.

This zap picks up ZP229288 for 2.3.1.

The TCP/IP stack does not need to be recycled to pick up this zap.

The AUTOSEND external automation service must be recycled to pick up this zap.

New events have been added to CLIENTD that are used for diagnosing problems in it. This zap adds them so they will be displayed in a RAPTRAC REPORT.

The stack must be recycled to pick up this zap.

When using below TLS 1.2 level of the SSL\TLS protocol the close_notify was not being correctly processed resulting in a failed data connection. This zap and its co-requiste should correct this problem.

When using SSL/TLS below the 1.2 protocol level the new SOCKDBG SDUMPON command would not produce dumps. This zap adds that capability to enhance diagnostics problem identification.

The stack must be recycled to pick up this zap.

When running the 21st Century distribution of TCP/IP the IPA702W message may be produced and the application fails.

This updated production version of this zap supersedes the one issued on 2023/02/08.

This zap should correct this problem.

The stack needs to be recycled to pick up this zap.

If no SSL\TLS cipher strength is specified it should default to ALL, but was not and issuing the FTP906 message. This zap corrects this problem to default to ALL.

This zap also corrects a failed data connection failure when using below the TLS 1.2 protocol during processing of a SSL/TLS close_notify.

The stack needs to be recycled to pick up this zap.

When issuing a execute encrypted command(EXENUTE) with no member name.type or non-encrypted member name.type an abend can occur. This zap corrects this problem.

See the TCP/IP Command reference manual for additonal information on using the execute encrypted (EXENUTE) command.

The TCP/IP stack must be recycled to activate this correction.

This zap corrects the automation processing by using a job number bit table instead of actual VSE locks.

It also now does not lock the job number until after the spool file has been successfully retrieved.

The TCP/IP stack must be recycled to activate this correction.

These new messages are used by the automation serivice(CLIENTD).

The stack needs to be recycled to pick up this zap.

A close_notify during a DIR command to the foreign FTP server using below TLS 1.2 protocol vesion was not correctly handling a close_notify from the foreign server. This zap should correct this problem.

When running multiple subtasks using the initialize function for the Crypto-Express card a call to IJBHCDRV is issued that was not completely re-entrant which could cause a zero parameter to be passed to IJBHCDRV. This zap corrects this problem by moving the parmameters for initialize to dynamic getvis.

The stack must be recycled to pick up this zap.

Excessive locks could occur due to unnecessary locking of the CCBLOK resource. This zap removes these unnecessary locks from the connection service.

Note the internal CSI lock manager is not related to the VSE lock manager. It does not use the VSE lock manager.

This updated production version of this zap supersedes the one issued on 2023/01/11.

The TCP/IP stack must be recycled to activate this correction.

The external AUTOSEND utility messages were misssing.

The TCP/IP stack does not need to be recycled to activate this correction.

The AUTOSEND job does need to be recycled to activate this correction.

Excessive locks could occur due to unnecessary locking of the CCBLOK resource. This zap removes these unnecessary locks from the FTP connection manager.

Note the internal CSI lock manager is not related to the VSE lock manager. It does not use the VSE lock manager.

The TCP/IP stack must be recycled to activate this correction.

When librarian open fails the SSL303M message does not identify the libary, sublibrary, member name, or member type. This zap adds an additional SSL113 message to display the lib, sublib, member, and member type that failed to open.

The TCP/IP stack does not need to be recycled to activate this correction.

Excessive locks could occur due to unnecessary locking of the CCBLOK resource. This zap removes these unnecessary locks from the CMD connection manager.

Note the internal CSI lock manager is not related to the VSE lock manager. It does not use the VSE lock manager.

The TCP/IP stack must be recycled to activate this correction.

Excessive locks could occur due to unnecessary locking of the CCBLOK resource. This zap removes these unnecessary locks from the UDP connection manager.

Note the internal CSI lock manager is not related to the VSE lock manager. It does not use the VSE lock manager.

The TCP/IP stack must be recycled to activate this correction.

Excessive locks could occur due to unnecessary locking of the CCBLOK resource. This zap removes these unnecessary locks from the control connection manager.

Note the internal CSI lock manager is not related to the VSE lock manager. It does not use the VSE lock manager.

The TCP/IP stack must be recycled to activate this correction.

This zap adds the return code to the TCP936 message.

TCP936W Lock for PowerName PowerNumber-SegmentNumber held by other task 1 RC=nnn PowerName PowerNumber-SegmentNumber is the Power queue entry which failed an internal lock. The number at the very end in this case "1" is the total number of times lock requests have failed. It is a count of the total number of times this lock attempt fail has occurred. The lock was added to detect and suppress the duplicate processing of the same Power queue entry. The RC=nnn is the decimal return code from the lock request.

In addition after a TCP936 message a call will be made to free and unlock the handle.

The TCP936W will now be a TCP936D diagnostic level message and will only be issued when DIAGNOSE AUTO is on. This should reduce the excessive issuing of this message.

The TCP/IP stack must be recycled to activate this correction.

This message was missing from the message skeleton file.

This zap corrects this problem.

The stack needs to be recycled to pick up this zap.

The TCP connection manager did not release an internal lock for a queued connection causing the IPN155W followed by IPN418D, IPN419V, and IPN418D.

This zap also reduces the number of CCBLOK lock conflicts. Q LOCKS can be used to see the number of CCBLOK conflicts before and after applying this zap.

The stack needs to be recycled to pick up this zap.

The global commands of MODIFY CONSOLE and MODIFY LOG,ID=xxxxxxxx in the TCP/IP stack partition to control which message levels are written to a log were not being obeyed.

The FTPBATCH command of SET CONSOLE in a FTPBATCH job to control which message levels are written to a log was not being used.

This zap corrects this problem.

The stack needs to be recycled to pick up this zap.

The IBM Java utility IPTRACE.BAT reads DUMP TRACE datagrams and converts them to WireShark PCAP format. It depends on the IPN861I message which was changed to IPN861R.

This zap corrects this problem by changing the IPN861R to IPN861I.

The stack needs to be recycled to pick up this zap.

When doing a store of a file from a remote FTP client the data connection incorrectly fails with OPENSSL because it fails to detect the exchange of SSL/TLS close_notify messages.

This zap corrects this problem.

The stack needs to be recycled to pick up this zap.

When doing a store of a file from a remote FTP client the data connection incorrectly fails with OPENSSL because it fails to detect the exchange of SSL/TLS close_notify messages.

This zap corrects this problem.

The stack needs to be recycled to pick up this zap.

This zap corrects this problem.

The stack needs to be recycled to pick up this zap.

This zap adds an additional check to verify that a Power LST entry is only processed once.

The TCP/IP stack must be recycled to activate this correction.

The lock manager phase LOCKMGRX was not being displayed in the Q VERS output.

This zap corrects this problem.

The stack needs to be recycled to pick up this zap.

The default ciper suite used by the dynamically attached FTP server of FTPBATCH was defaulting to strong. The documented default is all.

This zap corrects this problem.

The stack does not need to be recycled to pick up this zap.

A new keyword(VERBOSE=YES/NO) has now been added to the DEFINE FTPD command. The VERBOSE=NO will suppress this invalid password from being displayed in the FTP136 message during a failed logon attempt. It will still display the userid.

This zap corrects this problem.

The stack needs to be recycled to pick up this zap.

A new keyword(VERBOSE=YES/NO) has now been added to the DEFINE FTPD command. The VERBOSE=NO will suppress this invalid password from being displayed in the FTP136 message during a failed logon attempt. It will still display the userid.

This zap corrects this problem.

The stack needs to be recycled to pick up this zap.

The customer request to display the invalid password for a failed logon to the FTP server was viewed negatively by another customer since it hints at what a password value. A new keyword(VERBOSE=YES/NO) has now been added to the DEFINE FTPD. The VERBOSE=NO will suppress this invalid password from being displayed.

This zap corrects this problem.

The stack needs to be recycled to pick up this zap.

The first handle in the chanin of handles was not always being freed even though it was completed and flagged to be freed.

This zap corrects this problem.

The stack does not need to be recycled to pick up this zap.

The local IP address contained 33.34.35.36 on a file not found failure when using a passive connection from a FTPBATCH job.

This zap corrects this problem.

The stack needs to be recycled to pick up this zap.

During a GET for a file that does not exist a invalid syntax message was being issued.

This zap removes this incorrect message.

The stack must be recycled to pick up this zap.

When debugging is active the BSD interface was checking the wrong flag value to issue sdumps. This zap corrects the problem.

The partition using the BSD interface must be recycled to pick up this zap.

Correction for a corrupted handle chain.

This zap corrects this problem.

The stack does not need to be recycled to pick up this zap.

The MGET command was incorrectly usinng the NLST from the local FTP server. This zap corrects it to issue the NLST to the remote FTP server to retrieve the correct files.

The stack must be recycled to pick up this zap.

During the execution of a long running command a pulse could fail on the control connection while waiting for the command to complete. Pulses on the control connection are automatically turned off during a STOR or RETR, and this zap adds a site command to turn pulsing on or off during any other long running command.

SITE PULSE OFF will turn off pulsing on the control connection

SITE PULSE ON will turn on pulsing on the control connection

The stack must be recycled to pick up this zap.

When using a private SSL\TLS data connection the detection of the close_notify message was not being correctly relflected to the application resulting in a failed data connection transfer.

The stack must be recycled to pick up this zap.

By default the FTPBATCH SETVAR allows variable data to be mixed case. But the displayed output from the command showed it as upper which could be misleading. This zap corrects this problem by displaying it in mixed case.

Here is an example of the error:

SETVAR &RDIR = 'aaaJUNK' &RDIR =AAAJUNK

CD &RDIR

F: CWD aaaJUNK

This correction will now correctly display:

&RDIR =aaaJUNK (instead of AAAJUNK)

In addition, after issuing the new "SETVAR U" command to FTPBATCH the variable data should be translated to upper case. But this was not occurring. This zap also corrects this problem.

The SERTVAR L was misleading in that it really allows mixed upper and lower case data in a varialbe. The SETVAR L is now SETVAR M for mixed case.

The stack does not need to be recycled to pick up this zap.

The Optional Features guide contains a sample CIALEXIT job that should be included in the distribution. This correction adds it to the distribution.

There was also a SSLTLS22.Z member in the distribution that contained a sample RSA private key and sample certificates. The sample files are no longer being distributed, and this zap also deletes this file from the distribution. The free IBM z/VSE KEYMAN utility should be used to generate RSA private keys and testing certificates.

This page and all materials residing on this site Copyright 1996, 2024 by CSI International. You may read, download, and copy these materials only for the purpose of evaluating or publicizing CSI International, its services and products or in accordance with a license agreement with CSI International.