Connecting CICS with TCP/IP
IBM Senior Technical Staff Member
z/OS Communications Server
IBM Distinguished Engineer
z Systems Software Application Runtimes
Session: 17148
Thursday, March 5, 2015: 10:00 AM-11:00 AM
Trademarks, notices, and disclaimers
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States or other countries or both: Advanced Peer-to-Peer Networking, AIX, alphaWorks, AnyNet, AS/400, BladeCenter, Candle, CICS, DataPower, DB2 Connect, DB2, DRDA, e-business on demand, e-business (logo), e business (logo), ESCON, FICON, GDDM, GDPS, Geographically Dispersed Parallel Sysplex, HiperSockets, HPR Channel Connectivity, HyperSwap, i5/OS (logo), i5/OS, IBM eServer, IBM (logo), IBM, IBM zEnterprise System, IMS, InfiniBand, IP PrintWay, IPDS, iSeries, LANDP, Language Environment, MQSeries, MVS, NetView, OMEGAMON, Open Power, OpenPower, Operating System/2, Operating System/400, OS/2, OS/390, OS/400, Parallel Sysplex, POWER, POWER7, PowerVM, PR/SM, pSeries, RACF, Rational Suite, Rational, Redbooks, Redbooks (logo), Sysplex Timer, System i5, System p5, System x, System z, System z9, System z10, Tivoli (logo), Tivoli, VTAM, WebSphere, xSeries, z9, z10 BC, z10 EC, zEnterprise, zSeries, z/Architecture, z/OS, z/VM, z/VSE.
* All other products may be trademarks or registered trademarks of their respective companies.
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States or other countries or both:
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license there from.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
InfiniBand is a trademark and service mark of the InfiniBand Trade Association.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.
Notes:
Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.
This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area.
All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
Refer to www.ibm.com/legal/us for further legal information.
Page 2
2015 SHARE and IBM Corporation
Agenda
CICS and TCP/IP Connectivity Overview
CICS Sockets (aka IP Sockets) and the CICS Sockets Domain
  Configuration of CICS Sockets (IP Sockets)
  Configuration of TCPIPSERVICE for CICS Sockets Domain
Monitoring TCP/IP connectivity (CICS Transaction Tracking, APPLDATA support in TCP/IP)
High Availability Considerations
  Sysplex Distributor, SHAREPORT, CP/SM
Securing TCP/IP Communications in CICS
  AT-TLS overview, Native SSL/TLS support, future directions
CICS Connection Management
CICS and TCP/IP Connectivity Overview
Figure: CICS clients (distributed platforms, mobile apps, DataPower, CICS TXSeries, WAS, CTG, z/OS systems, etc.) make inbound connections to a CICS region on z/OS either through the CICS Sockets Domain (HTTP, IPIC, ECI and USER protocols) or through CICS IP Sockets. Outbound connections from the CICS region go through the same two paths: the CICS Sockets Domain (HTTP, and IPIC to other CICS or IMS systems) or CICS IP Sockets, to distributed platforms, DataPower, CICS TXSeries, WAS, CTG, z/OS systems, etc.
Connecting CICS with TCP/IP
What is CICS Sockets and what is CICS Sockets Domain?
CICS Sockets (aka IP Sockets) vs. CICS Sockets Domain
A CICS Sockets transaction has direct access to the TCP/IP socket and can issue native sockets calls to receive and send data over the socket. Secure connectivity via AT-TLS support. No restrictions in application layer protocol.
A CICS Sockets Domain transaction does not have direct access to the socket, but communicates with CICS Sockets Domain services to receive a request and to send a reply over a socket. Secure connections are supported via native system SSL calls. Restricted to supported application layer protocols.
Figure: a CICS Application Program with the two connectivity paths.
  CICS Sockets side (CICS Sockets APIs and traditional CICS APIs): CICS Sockets generic Listener(s); CICS Sockets (TRUE and MVS subtasks or OTE); EZASOKET and C/C++/Callable BPX Sockets. The application-layer protocol is transparent to the enhanced CICS Sockets listener. These services are based on the Sockets Extended sockets APIs (provided by Communications Server). Inbound and outbound connections, UDP and multicast support, IPv4 and IPv6. A conversational model - or a request/reply model.
  CICS Sockets Domain side (traditional CICS APIs, COMMAREA): CICS Web Listener, ECI over TCP/IP Listener, USER Listener, IPIC Listener. CICS Sockets Domain is an integral part of CICS TS. TCPIPServices represent the "application" layer protocols supported by CICS Sockets Domain. These services are based on the UNIX System Services C/C++ sockets API (provided by Language Environment) and the UNIX System Services callable APIs. Inbound connections to supported application protocols and outbound from all except ECI. Primarily a request/reply model, but persistent connections supported.
z/OS Sockets programming interfaces
Figure: the layers of the z/OS sockets programming interfaces, top to bottom.
  Sockets application programs or subsystems utilizing sockets APIs, on the TCP/IP provided C sockets API: CICS Sockets transactions (Pascal, Rexx, CICS and Call interfaces; EZASOKET, EZASMI, ASM MACRO), XTI, RPC (RFC 1006, SUN 3.9, NCS), X WINDOWS (X11 R4), SNMP (DPI 1.2), XPG 4.2, SUN 4.0, DCE.
  On the LE provided C/C++ sockets API: CICS Sockets Domain, X WINDOWS (X11 R6), SNMP (DPI 2.0).
  UNIX Systems Services provided callable BPX sockets API
  UNIX Systems Services provided Logical File System (LFS)
  UNIX Systems Services and TCP/IP provided Physical File Systems (PFS) - AF_INET and AF_INET6
  TCP/IP provided TCP/IP protocol stack
An attempt at a comparison

Attribute | CICS Sockets | CICS Sockets Domain
Ease of use from a programmer perspective | Easy if you are a sockets programmer, otherwise very difficult | Easy if you are a CICS programmer
Development productivity | Low to medium | Very high if one of the CICS Sockets Domain application layer protocols can be used
Application layer protocol flexibility (message formats, code pages, interaction model, error processing, etc.) | Very high - this is the main reason for using CICS Sockets instead of CICS Sockets Domain: the user protocol needed is unique and not supported by CICS Sockets Domain | Low
Sysplex CICS transaction routing | Limited to CICS regions in an LPAR (sharing a TCP/IP stack) | No GIVE/TAKE Socket support, but DPL can be used across a Sysplex. Response must be sent from the same CICS region into which the request arrived
IPv6 support | Yes | Yes from CICS TS 4.1
Web services support (REST, SOAP, XML, JSON) | No specific support | Yes
An attempt at a comparison (cont)

Attribute | CICS Sockets | CICS Sockets Domain
Secure connections | Yes (via AT-TLS) | Yes (via native system SSL usage)
OTE support | Yes | Yes
Application control over socket options in use (KEEPALIVE, TCP_NODELAY, etc.) | Yes | No
CICS as a client (outbound connections) | Yes | Yes for all services except ECI
Support for connectionless sockets (UDP including multicast) | Yes | No
Management (configuration), trace/debug, and monitoring integral part of CICS | No | Yes
Standard client support | No | Yes (HTTP, REST, etc.)
Connection persistence | Somewhat complicated - requires use of an iterative server design or home-written listener | Yes
Cost of high-volume transaction processing | Perceived lower | Perceived higher
Performance attributes of various TCP/IP connectivity options
So which connectivity option performs best?
It depends!
Several factors:
o Persistence of TCP connections
o Protocol/Data Representation
o Encryption requirements
o Payload size
o Etc.
The following Redpaper presents a comprehensive performance study of all major connectivity options into CICS, an excellent source of information if you are interested in this topic:
http://www.redbooks.ibm.com/redpapers/pdfs/redp4906.pdf
Connecting CICS with TCP/IP
Configuring TCPIPSERVICE
Explanation of a few of the TCPIPService options

  OVERTYPE TO MODIFY                                CICS RELEASE = 0650
   CEDA  ALter TCpipservice( HTTP     )
    TCpipservice   : HTTP
    GROup          : SOCKETS
    DEscription  ==> ABC HTTP SERVER
    Urm          ==> DFHWBAAX
    POrtnumber   ==> 05081              1-65535
    STatus       ==> Open               Open | Closed
    PROtocol     ==> Http               IIop | Http | Eci | User | IPic
    TRansaction  ==> CWXN
    Backlog      ==> 00020              0-32767
    TSqprefix    ==>
    Ipaddress    ==>
    SOcketclose  ==> No                 No | 0-240000 (HHMMSS)
    Maxdatalen   ==> 000032             3-524288
   SECURITY
    SSl          ==> No                 Yes | No | Clientauth
    CErtificate  ==>

POrtnumber: the TCP/IP port your service will operate on. The value should be coordinated with your TCP/IP systems programmer to have him/her reserve that port in the TCP/IP profile for this purpose only (through port reservation or RACF SERVAUTH resource definitions).
Ipaddress: used to turn your service into a bind-specific server, only servicing connection requests that are received for this local IP address.
Backlog: used to specify the maximum number of connections waiting in TCP/IP to be serviced by your service. If the backlog queue is full, then new connection requests will be rejected until the backlog queue falls below this value again. This has nothing to do with how many concurrent connections your service can process at any point in time! Note: make sure your TCP/IP systems programmer has specified an SOMAXCONN value that supports the maximum backlog you want/need!
SOcketclose: when a client connects to your service, it is, according to the underlying application protocol, expected to send a request for the service to process. If the client is in error and doesn't send any input data after having connected, how long should your service wait before it closes the connection down? Leave this at No if you want to use persistent connections!
How do you make your CICS Sockets Domain services bind-specific?
There are two ways you can do it:
1. Specify the local IP address to bind to when defining your TCPIP service:

  OVERTYPE TO MODIFY                                CICS RELEASE = 0650
   CEDA  ALter TCpipservice( HTTP     )
    TCpipservice   : HTTP
    GROup          : SOCKETS
    DEscription  ==> ABC HTTP SERVER
    Urm          ==> DFHWBAAX
    POrtnumber   ==> 05081              1-65535
    STatus       ==> Open               Open | Closed
    PROtocol     ==> Http               IIop | Http | Eci | User | IPic
    TRansaction  ==> CWXN
    Backlog      ==> 00020              0-32767
    TSqprefix    ==>
    Ipaddress    ==> 10.1.1.161
    SOcketclose  ==> No                 No | 0-240000 (HHMMSS)
    Maxdatalen   ==> 000032             3-524288
   SECURITY
    SSl          ==> No                 Yes | No | Clientauth
    CErtificate  ==>

2. Or have the TCP/IP systems programmer control it in the TCP/IP configuration data set (the TCP/IP Profile):

  PORT
   5081 TCP IMWEBSRV BIND 10.1.1.64    ; z/OS HTTP server
   5081 TCP CICSTS32 BIND 10.1.1.161   ; CICS HTTP service
How do you decide which IP address your server is listening on?
The easiest way is to use the netstat command from either TSO or the UNIX shell (or the MVS console).

  TSO: ALLCONN APPLDATA TCP TCPCS ( CLI CICSTS32

  MVS TCP/IP NETSTAT CS V1R11       TCPIP Name: TCPCS           13:22:46
  User Id  Conn     State
  -------  ----     -----
  CICSTS32 000000A4 Listen
    Local Socket:   10.1.1.161..5081
    Foreign Socket: 0.0.0.0..0
    Application Data: DFHICICS1A CWXNHTTP HTTP ABC HTTP
  CICSTS32 00000045 Listen
    Local Socket:   0.0.0.0..5082
    Foreign Socket: 0.0.0.0..0
    Application Data: DFHICICS1A CIEPECI ECI CICS ECI
  CICSTS32 00000048 Listen
    Local Socket:   0.0.0.0..5084
    Foreign Socket: 0.0.0.0..0
    Application Data: DFHICICS1A CISSIPIC IPIC CICS IPI

The services you did not make bind-specific (in this example ECI on port 5082 and IPIC on port 5084) show up in your netstat display with the local socket IP address as 0.0.0.0. They will receive connection requests that arrive on any of the IP addresses in the HOME list.
Which is better? Bind-specific or not?
It depends! When using Dynamic VIPAs (DVIPA), bind-specific is typically preferred:
  Guarantees that clients only use DVIPA addresses
  Allows multiple TCPIPServices to use the same well-known port
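Because a 0.0.0.0 local socket is easy to miss in a long Netstat display, here is an added Python script (not part of the presentation) that parses a report in the format shown above, flags listeners that are not bind-specific and classifies the APPLDATA prefix. The report text is constructed from the slide's values; the EZACICSO/DFHI prefix rule is an assumption drawn from the samples in this deck.

```python
"""Audit a Netstat ALLCONN APPLDATA display for CICS listeners (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample report: the three CICSTS32 listeners from the slide.
SAMPLE_NETSTAT = """\
MVS TCP/IP NETSTAT CS V1R11       TCPIP Name: TCPCS           13:22:46
User Id  Conn     State
-------  ----     -----
CICSTS32 000000A4 Listen
  Local Socket:   10.1.1.161..5081
  Foreign Socket: 0.0.0.0..0
  Application Data: DFHICICS1A CWXNHTTP HTTP ABC HTTP
CICSTS32 00000045 Listen
  Local Socket:   0.0.0.0..5082
  Foreign Socket: 0.0.0.0..0
  Application Data: DFHICICS1A CIEPECI ECI CICS ECI
CICSTS32 00000048 Listen
  Local Socket:   0.0.0.0..5084
  Foreign Socket: 0.0.0.0..0
  Application Data: DFHICICS1A CISSIPIC IPIC CICS IPI
"""

# "User Id  Conn  State" rows: a job name, an 8-digit hex connection id, a state.
HEADER_RE = re.compile(r"^(\S+)\s+([0-9A-F]{8})\s+(\S+)\s*$")
# "Local Socket: ip..port" / "Foreign Socket: ip..port" (z/OS uses '..' before the port).
SOCKET_RE = re.compile(r"^\s*(Local|Foreign) Socket:\s*(\S+)\.\.(\d+)\s*$")
APPL_RE = re.compile(r"^\s*Application Data:\s*(.*?)\s*$")


@dataclass
class Conn:
    user_id: str
    conn_id: str
    state: str
    local_ip: str = ""
    local_port: int = 0
    foreign_ip: str = ""
    foreign_port: int = 0
    appldata: str = ""

    @property
    def bind_specific(self) -> bool:
        # 0.0.0.0 (or :: for IPv6) means the service accepts on every HOME-list address.
        return self.local_ip not in ("0.0.0.0", "::")

    @property
    def appldata_source(self) -> str:
        # Assumption from the slides' samples: CICS Sockets registers "EZACICSO ...",
        # CICS Sockets Domain registers "DFHI" followed by the CICS APPLID.
        if self.appldata.startswith("EZACICSO"):
            return "CICS Sockets"
        if self.appldata.startswith("DFHI"):
            return "CICS Sockets Domain"
        return "unknown"


def parse_netstat(text: str) -> list[Conn]:
    """Turn the report into one Conn record per connection block."""
    conns: list[Conn] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            conns.append(Conn(*m.groups()))
            continue
        if not conns:
            continue  # banner lines before the first connection
        cur = conns[-1]
        m = SOCKET_RE.match(line)
        if m:
            side, ip, port = m.groups()
            if side == "Local":
                cur.local_ip, cur.local_port = ip, int(port)
            else:
                cur.foreign_ip, cur.foreign_port = ip, int(port)
            continue
        m = APPL_RE.match(line)
        if m:
            cur.appldata = m.group(1)
    return conns


def listeners_not_bind_specific(conns: list[Conn]) -> list[Conn]:
    """Listeners that will accept connections on any HOME-list address."""
    return [c for c in conns if c.state == "Listen" and not c.bind_specific]


def report(text: str) -> list[str]:
    """One line per listener, saying whether it is bind-specific and who owns it."""
    lines = []
    for c in parse_netstat(text):
        if c.state != "Listen":
            continue
        tag = "bind-specific" if c.bind_specific else "ANY address (0.0.0.0) - review"
        lines.append(f"{c.user_id} conn {c.conn_id} port {c.local_port}: {tag}; "
                     f"{c.appldata_source}: {c.appldata}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT)))
```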
TCP/IP for CICS Systems Programmers
Introduction to CICS Sockets (aka IP sockets)
CICS Sockets overview
CICS Sockets is a component of the Communications Server for z/OS, not CICS TS itself. It is a general-purpose sockets programming API to be used by CICS application programmers for implementing native (low-level) sockets communication in z/OS CICS transaction programs.
CICS Sockets is implemented as an External Resource Manager in CICS (using a Task Related User Exit - a TRUE).
  Multiple listeners, each instance separately configurable
  Enhanced listener has no requirements on client input data
  Multiple listeners in many CICS regions can share listener port number
  User ID security
  SSL/TLS support by means of AT-TLS
  Configuration file and transaction (EZAC)
  Operations transaction to start/stop individual listeners (EZAO)
  PLT-enabled start and termination
  Reusable subtasks
  UDP and multicast support
  OTE enabled
  IPv6 support
Figure: a CICS/ESA or CICS TS region containing the CICS Sockets TRUE, listeners LST1 and LST2, transaction TRNA, a pool of reusable socket subtasks, the EZAO and EZAC transactions, PLTx startup and the configuration file built by EZACICD, all connected to the TCP/IP stack.
CICS entry in CICS Sockets configuration file - EZAC transaction

  EZAC,ALTer,CICS                                    APPLID = CICS1A
  Overtype to Enter
    APPLID   ===> CICS1A      APPLID of CICS System
    TCPADDR  ===> TCPCS       Name of TCP Address Space
    NTASKS   ===> 100         Number of Reusable Tasks
    DPRTY    ===> 010         DPRTY Value for ATTACH
    CACHMIN  ===> 010         Minimum Refresh Time for Cache
    CACHMAX  ===> 020         Maximum Refresh Time for Cache
    CACHRES  ===> 005         Maximum Number of Resolvers
    ERRORTD  ===> CSMT        TD Queue for Error Messages
    SMSGSUP  ===> NO          Suppress Task Started Messages
    TERMLIM  ===> 000         Subtask Termination Limit
    TRACE    ===> YES         Trace CICS Sockets
    OTE      ===> NO          Open Transaction Environment
    TCBLIM   ===> 00000       Number of Open API TCBs
    PLTSDI   ===> NO          CICS PLT Shutdown Immediately
    APPLDAT  ===> YES         Register Application Data
  PF 3 END                                           12 CNCL

CICS Sockets always uses one TCP/IP stack only; which one is specified with the TCPADDR keyword.
To get APPLDATA in Netstat for CICS Sockets, you must specify YES to APPLDAT on the CICS entry.
Listener entry in CICS Sockets configuration file - EZAC transaction screen 1 of 2

  EZAC,ALTer,LISTENER (standard listener. screen 1 of 2)   APPLID = CICS1A
  Overtype to Enter
    APPLID     ===> CICS1A     APPLID of CICS System
    TRANID     ===> CSKL       Transaction Name of Listener
    PORT       ===> 03001      Port Number of Listener
    AF         ===> INET       Listener Address Family
    IMMEDIATE  ===> YES        Immediate Startup            Yes|No
    BACKLOG    ===> 040        Backlog Value for Listener
    NUMSOCK    ===> 100        Number of Sockets in Listener
    ACCTIME    ===> 060        Timeout Value for ACCEPT
    GIVTIME    ===> 000        Timeout Value for GIVESOCKET
    REATIME    ===> 000        Timeout Value for READ
    RTYTIME    ===> 015        Stack Connection Retry Time
    LAPPLD     ===> INHERIT    Register Application Data
  Verify parameters, press PF8 to go to screen 2 or ENTER if finished making changes
  PF 3 END                  8 NEXT                  12 CNCL

AF: you specify if the listener is an IPv4 or an IPv6 listener (INET or INET6).
BACKLOG: similar comments about the backlog value as for TCPIPSERVICE. Ensure this is large enough to handle workload spikes.
To get APPLDATA in Netstat for this listener, specify YES or INHERIT (inherit from the CICS entry).
Listener entry in CICS Sockets configuration file - EZAC transaction screen 2 of 2

  EZAC,ALTer,LISTENER (standard listener. screen 2 of 2)   APPLID = CICS1A
  Overtype to Enter
    MINMSGL    ===> 004        Minimum Message Length
    TRANTRN    ===> NO         Translate TRNID              Yes|No
    TRANUSR    ===> NO         Translate User Data          Yes|No
    SECEXIT    ===>            Name of Security Exit
    GETTID     ===> NO         Get AT-TLS ID (YES|NO)
    USERID     ===>            Listener User ID
  Verify parameters, press PF7 to go back to screen 1 or ENTER if finished making changes
  PF 3 END                  7 PREV                  12 CNCL
CICS Sockets program categories in CICS
Figure: three program categories in a CICS region.
  Sockets Client: a CICS task connects to a remote sockets server and does the send/receive itself.
  Iterative Socket Server: a CICS task, started via PLT or via the EZAO transaction, accepts the connect from a remote sockets client and does the send/receive itself.
  Concurrent Sockets Server: a remote sockets client connects to the Sockets Listener (CSKL) and sends a TRM; the listener issues EXEC CICS START for the Concurrent Sockets Child Server and passes the socket to it; the child server CICS task then does the send/receive.
TRM: Transaction Request Message
Please note that use of the Enhanced Sockets Listener removes the requirement for the client sending a transaction request message - in reality removing any requirements from the CICS Sockets infrastructure on the application-level protocol between the client and the server running in CICS.
Concurrent CICS Sockets server - overview
Client:
  Connect to listener
  [Send TRM]
  [Read OK/Error Message]
  Send Request
  Read Reply
  Close socket
Listener:
  Do Forever
    Accept connection request
    [Read TRM from client]
    [Call security exit]
    Givesocket
    EXEC CICS START passing TIM
    If errors, send err message
  end
Transaction Initiation Message (TIM) contents: listener socket descriptor number, listener TCP/IP ID, TRM user data, remote client socket address.
Child Server:
  EXEC CICS Retrieve of TIM
  Takesocket
  [Send OK Message to client]
  Read request data from client
  Process request
  Send reply to client
  Close socket
Client - Listener interactions
Figure: CICS Sockets configuration in a CICS region with three listeners on the TCP/IP network. Listener port1 receives "TRA1,user1/pwd1" followed by application input and starts CICS transaction TRA1. Listener port2 is associated to TRA2 and passes the application input to CICS transaction TRA2. Listener port3 uses a user exit to assign the transaction code and passes the application input to CICS transaction TRA3.
Three ways to launch CICS transactions:
  Via a Transaction Request Message (standard listener)
  Via a listener configuration option to associate a listener instance (and port) with one specific CICS transaction code
  Via the listener security user exit, driven by the listener
With the last two options, data may be sent by the client in completely free format.
Connecting CICS with TCP/IP
Monitoring TCP/IP connectivity
Providing CICS context to TCP Connections - APPLDATA
APPLDATA is identification data a sockets application can associate with a sockets end point.
APPLDATA can be displayed with Netstat, it is included in TCP/IP SMF records, and in the Network Management API.
  Allows correlation of CICS transactions and TCP connections; bridges the gap between CICS and TCP/IP
  Netstat also supports filtering using APPLDATA (can search through TCP connections using CICS context)
  Enables better troubleshooting for CICS related TCP connections from the network side (e.g. identify a problem TCP connection, debug problems, drop the connection, etc.)
Both CICS IP Sockets and CICS Sockets Domain exploit APPLDATA to provide context information to TCP/IP.
  CICS IP Sockets provides varying information based on current state of the socket (Listen, Connect, GiveSocket, TakeSocket; details in the appendix)
  CICS Sockets Domain information varies depending on whether the connection is associated with a TCPIPSERVICE or IPCONN resource
Sample Netstat ALL command for CICS sockets with APPLDATA

  Client Name: TCPCS                    Client Id: 0000001E
  Local Socket: 9.67.115.5..23          Foreign Socket: 9.27.11.182..4665
    BytesIn:            00000000000000001062
    BytesOut:           00000000000000000480
    SegmentsIn:         00000000000000000019
    SegmentsOut:        00000000000000000018
    StartDate:          01/09/2012      StartTime:          14:27:37
    Last Touched:       14:27:37        State:              Establsh
    .
    .
    .
    Ancillary Input Queue: N/A
    Application Data:   EZACICSO SRV1 0000038 CICSUSER CICP

APPLDATA fields in this example: EZACICSO = CICS Sockets Interface; SRV1 = Tran ID; 0000038 = task number associated with the transaction; CICSUSER = Userid; CICP = CICS ID.
Sample Netstat ALL command for CICS Sockets Domain with APPLDATA

  CLIENT NAME: CICSTORA                 CLIENT ID: 02921E93
  LCLSOCK: 10.1.1.5..5000               FGNSOCK: 10.1.1.6..10915
    BYTESIN:      0000529787
    BYTESOUT:     0001358551
    SEGMENTSIN:   0000000916
    SEGMENTSOUT:  0000001198
    STARTDATE:    01/29/2015            STARTTIME:    14:25:05
    LAST TOUCHED: 14:25:47              STATE:        ESTABLSH
    .
    .
    .
    .
    ANCILLARY INPUT QUEUE: N/A
    APPLICATION DATA: DFHICIPABC CWXNHTTP T5000N PORT 500 I

APPLDATA fields in this example: DFHI = CICS, followed by the CICS APPLID (CIPABC); CWXN = inbound connection Tranid; HTTP = protocol; T5000N = TCPIPSERVICE name; PORT 500 = first 8 characters of the TCPIPSERVICE description; I = HTTP inbound.
CICS transaction tracking - Multiple ports of origin (CICS Sockets)
CICS transaction tracking - Propagating tracking info across CICS tasks/transactions (CICS TS 4.2)
CICS Transaction tracking enables you to locate a transaction in CICS based on knowledge of the entry point, such as an IP address or queue name. With this information, it is possible to use new search functions in the CICS Explorer to search the CICSplex to locate other active tasks that have been initiated from the originating task, and to build a picture of the relationships between the associated tasks.
CICS Sockets transaction tracking support for CICS TCP/IP IBM Listener
In z/OS V2R2, the CICS Sockets Listener will provide to CICS the IP addresses and port numbers of the local and remote session partners for use by the CICS Explorer or Session Monitor.
This support is only for transactions that are started via the CSKL listener.
CICS transaction tracking support for CICS TCP/IP IBM Listener
Parameters to be provided by the EZACIC01 TRUE:

  Parameters    Value
  ODAPTRID      ID=z/OS COMMUNICATIONS SERVER CICS SOCKETS LISTENER (CSKL)
  ODAPTRDATA1   TCP=tcpip_name
  ODAPTRDATA2   LIP=local IP address LPORT=local port number
  ODAPTRDATA3   RIP=remote IP address RPORT=remote port number
Connecting CICS with TCP/IP
CICS, TCP/IP and High Availability considerations
IBM Software Group Enterprise Networking Solutions
The network view of a Parallel Sysplex - a single large server with many network interfaces and many application services
The promises of the Parallel Sysplex cluster environment are:
  Application location independence
  Ability to shift application workload between LPARs
  Application single system image from the network
  Application capacity on-demand
  Component failure does not lead to application failure
Gaining the benefits depends on:
  Cooperation by applications
  Operations procedures
  Carefully designed redundancy of all key hardware and software components in symmetric configurations
  Supporting functions in z/OS and middleware
The objective is to make the Sysplex look like one large server that has a number of physical network interfaces for performance and availability - and that provides a number of highly available and scalable services.
Figure: "My virtual z/OS host" offering CICS Appl-A, a TN3270e Server, FTP Services, Web Services and a DB2 subsystem, each behind its own VIPA (VIPA#1 to VIPA#5), reached through OSA interfaces (IP#10, IP#11) and SNA LLC2. A client on the SNA and TCP/IP network resolves CICS-Appl-A.xyz.com at the name server, is told to use IP address VIPA#2, and connects. Single-system image (SSI), scalable, highly available, secure.
A summary of the different types of z/OS VIPA addresses
Static VIPA
  Belongs to one TCP/IP stack. Manual configuration changes are needed to move it.
  No dependencies on Sysplex functions; can be used in non-Sysplex LPARs
  Required for certain functions such as Enterprise Extender
  Beneficial for interface resilience, source IP addressing, etc.
Dynamic VIPA (DVIPA)
  Stack-managed (VIPADEFINE/VIPABACKUP)
    Belongs to one TCP/IP stack, but backup policies govern which TCP/IP stack in the Sysplex takes it over if the primary TCP/IP stack leaves the Sysplex
    Individual stack-managed dynamic VIPAs can be moved between primary and backup stacks using MVS operator commands
  Application-specific, also known as bind-activated (VIPARANGE)
    Belongs to an application. Becomes active on the TCP/IP stack in the Sysplex where the application is started. Moves with the application.
  Command- or utility-activated (VIPARANGE)
    Belongs to whatever TCP/IP stack in the Sysplex on which a MODDVIPA utility to activate the address has been executed. Moves between TCP/IP stacks based on execution of the MODDVIPA utility.
  Distributed, also known as a DRVIPA or sometimes DDVIPA (VIPADEFINE/VIPABACKUP + VIPADISTRIBUTE)
    Used with Sysplex Distributor as a cluster IP address that represents a cluster of equal server instances in the Sysplex.
    From a routing perspective it belongs to one TCP/IP stack.
    From an application perspective it is distributed among the TCP/IP stacks in the Sysplex where an instance of the server application is executing.
Basic principles for recovery of single-instance IP application in a Sysplex
Single-instance applications are applications that only run in one instance in the Sysplex, either because the application needs exclusive access to certain resources, or because there is no need to start it in more than one instance.
Availability from an IP perspective then becomes an issue of being able to restart the application on the same LPAR or on another LPAR with as little impact to end-users as possible.
  Speed of movement - ARM or automated operations procedures
  Retain identity from a network perspective (its IP address) - Application Instance DVIPAs
Application-specific dynamic VIPA addresses come in very handy for this purpose.
New for z/OS V2R2: up to 4096 Application Instance DVIPAs supported.
Figure: cicsappl1 is restarted on another LPAR and keeps its DVIPA 10.1.1.1. DNS maps cicsappl1.mycom.com to 10.1.1.1. The client either (1) resolves cicsappl1.mycom.com and (2) connects to the returned address, or (3) connects to a cached (or hardcoded!) address; either way the connection (4) reaches 10.1.1.1 wherever the application is running.
Connecting CICS with TCP/IP
Workload Balancing Considerations
What are the main objectives of network workload balancing?
Performance
  Workload management across a cluster of server instances
  One server instance on one hardware node may not be sufficient to handle all the workload
Availability
  As long as one server instance is up-and-running, the service is available
  Individual server instances and associated hardware components may fail without impacting overall availability
Capacity management / horizontal growth
  Transparently add/remove server instances and/or hardware nodes to/from the pool of servers in the cluster
Single System Image
  Give users one target hostname to direct requests to
  Number of and location of server instances is transparent to the user
All server instances must be able to provide the same basic service. In a z/OS Sysplex that means the applications must be Sysplex-enabled and be able to share data across all LPARs in the Sysplex.
In order for the load balancing decision maker to meet those objectives, it must be capable of obtaining feedback dynamically, such as server instance availability, capacity, performance, and overall health.
Figure: a load balancing decision maker in front of a server cluster (four server instances) that share data (data mirroring with HyperSwap, Coupling Facility), with a feedback loop from the servers back to the decision maker.
z/OS IP network workload balancing overview
Two main technologies: Sysplex Distributor and port sharing.
Sysplex Distributor
  Sysplex Distributor is a layer-4 load balancer
  It makes a decision when it sees an inbound SYN segment for one of the Distributed Dynamic VIPA (DDVIPA) IP address/port combinations it load balances for
  Sysplex Distributor uses MAC-level forwarding when connection routing takes place over XCF
  Sysplex Distributor uses GRE when connection routing takes place over any network between the z/OS images (based on definition of VIPAROUTE)
  All inbound packets for a distributed connection must be routed through the Sysplex Distributor LPAR
  Only the Sysplex Distributor LPAR advertises routing ownership for a DDVIPA, so downstream routers will forward all inbound packets for a given DDVIPA to the distributing LPAR
  All outbound packets from the server instances can take whatever route is most optimal from the server instance node back to the client
Port sharing
  PORTSHARING can be used within a z/OS node to distribute connections among multiple server address spaces within that z/OS node
  SHAREPORT: the TCP/IP Server Efficiency Factor (SEF) value is used to perform a weighted round robin distribution to the server instances
  SHAREPORTWLM: WLM input is used to select the server for a new connection
Figure: the Sysplex Distributor (SD) node, advised by WLM, distributes connections to App1/App2 and App3/App4 on other z/OS images, where each pair shares a port via PortSharing.
Sysplex Distributor distribution method overview
z/OS targets without WLM recommendations
  ROUNDROBIN
    Static distribution of incoming connections; does not account for target system capacity to absorb new workload
  WEIGHTEDACTIVE
    Incoming connections are distributed so the available server instances' percentage of active connections match specified weights
z/OS targets with WLM recommendations
  BASEWLM
    Based on LPAR level CPU capacity/availability and workload importance levels
  SERVERWLM
    Similar to BASEWLM but takes into account WLM service class and how well individual application servers are performing (i.e. meeting specified WLM goals) and how much CPU capacity is available for the specific workload being load balanced
    Enhanced to account for WLM provided server health
    Supports autonomic TCP/IP health detection metrics
    Generally, the recommended distribution method for Sysplex Distributor
IBM Software Group Enterprise Networking Solutions
Sysplex Distributor distribution method overview
HOTSTANDBY: incoming connections are distributed to a primary server instance and only rerouted to a backup server instance (the hot standby) when the primary server instance is not ready, unreachable, or unhealthy
Method added in z/OS V1R12
Figure: Sysplex Distributor in front of a preferred CICS server and a backup CICS server, both working against a DB2 data sharing group.
Sysplex Distributor built-in awareness of abnormal conditions
TSR: Target Server Responsiveness
How healthy is the target system and application from an SD perspective? A percentage, 0-100%
Comprised of several individual health metrics:
TCSR: Target Connectivity Success Rate
Are connections being sent to the target system making it there?
A percentage: 100 is good, 0 is bad
Figure: TCSR is observed on the path from SD to the target; CER is observed on the path between the client and the target.
CER: Connectivity Establishment Rate
Is connectivity between the target system and the client OK?
By monitoring the TCP connection establishment state (requires a 3-way handshake between client and server) we can detect whether a connectivity issue exists
A percentage: 100 is good, 0 is bad
Note: CER is no longer part of TSR directly but is included in SEF; it continues to be calculated and reported separately
Sysplex Distributor built-in awareness of abnormal conditions
TSR: Target Server Responsiveness (cont.)
SEF: Server Efficiency Fraction
Is the target server application keeping up with new connections in its backlog queue?
> Is the new connection arrival rate higher than the application accept rate? (i.e. is the backlog growing over time?)
> How many connections are in the TCP backlog queue? How close to the maximum backlog queue depth? Did we have to drop any new connections because the backlog queue maximum was exceeded?
> Is the server application hung? (i.e. not accepting any connections)
> Is the number of half-open connections on the backlog queue growing? (Similar to CER; one such scenario is when the target system does not have network connectivity to the client)
A percentage: 100 is good, 0 is bad
Figure: two targets receiving new TCP connections from SD. A target whose server application drains its TCP backlog queue slowly with accept() gets a lower SEF; one that keeps its backlog queue short gets a higher SEF.
Middleware/Application Issues and the Storm Drain Problem
TCP/IP and WLM are not aware of all problems experienced by load balancing targets (middleware/applications). Examples:
The server application needs a resource such as a database, but the resource is unavailable
The server application is failing most of the transactions routed to it because of internal processing problems
The server application acts as a transaction router for other back-end applications on other system(s), but the path to the back-end application is unavailable
In each of these scenarios, the server may appear to be completing the transactions quickly (using little CPU capacity) when they are actually being failed
This is sometimes referred to as the Storm Drain Problem
The server is favored by WLM since it is using very little CPU capacity
As workloads increase, the server is favored more and more over other servers
All this work goes "down the drain"
Improving WLM awareness of application health: avoiding "Storm Drain" issues
Figure: two server scenarios. (1) A WLM-instrumented and managed CICS region on z/OS; WLM tracks its transaction service class, server-specific capacity and abnormal terminations, and Sysplex Distributor in TCPIP obtains recommendations via IWM4SRSC. (2) A WLM-instrumented and managed connector address space on z/OS in front of an EIS such as DB2; WLM tracks its STC service class, server-specific capacity and a health status set via IWM4HLTH.
1. IWM4SRSC WLM service
Used by Sysplex Distributor to obtain WLM recommendations
Abnormal termination information: reported by the 1st-tier server when transactions cannot complete because back-end resource managers are not available
WLM uses this information to reduce the recommendation for the ailing server
2. IWM4HLTH WLM service
Allows address spaces which are not instrumented with WLM to set a health status which is also returned by IWM4SRSC
The ServerWLM recommendations are reduced when the health is <100%
Exploited by CICS Transaction Gateway, DB2 and LDAP
Using the Netstat VDPT DETAIL display to monitor Sysplex Distributor
NETSTAT VDPT DETAIL
MVS TCP/IP NETSTAT CS V1R13       TCPIP Name: TCPCS           15:35:26
Dynamic VIPA Distribution Port Table for TCP/IP Stacks:
Dest IPaddr     DPort DestXCF Addr     Rdy TotalConn  WLM TSR Flg
-----------     ----- ------------     --- ---------  --- --- ---
201.2.10.14     00244 201.3.10.16      001 0002304546 12  080
  DistMethod: ServerWLM
  TCSR: 100  CER: 095  SEF: 080
  Weight: 58
    Raw          CP: 58  zAAP: 00  zIIP: 58
    Proportional CP: 04  zAAP: 00  zIIP: 54
  Abnorm: 0000  Health: 100
  ActConn: 0000000101
  QosPlcAct: *DEFAULT*
    W/Q: 01
201.2.10.14     00244 201.3.10.17      001 0001543454 10  100
  DistMethod: ServerWLM
  TCSR: 100  CER: 100  SEF: 100
  Weight: 40
    Raw          CP: 40  zAAP: 00  zIIP: 40
    Proportional CP: 06  zAAP: 00  zIIP: 34
  Abnorm: 0000  Health: 100
  ActConn: 0000000030
  QosPlcAct: *DEFAULT*
    W/Q: 01
Callouts on the display:
WLM: the WLM weight after all adjustments (TSR, subsystem health, abnormal connection rate). The final value is divided by 4 to end up with a 0-16 value range
TSR: Target Server Responsiveness and its subcomponents TCSR, CER and SEF (applied to the WLM weight)
TotalConn: total number of connections since the DVIPA was activated; an ever-increasing value
ActConn: active number of connections to this target at this time. Note that connections in Timewait or Finwait states also show up here. This is a snapshot and can vary significantly across netstat invocations
WLM information: raw weights, proportional weights, abnormal transaction rate (Abnorm) and middleware-reported health (Health)
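As an added example (not the presentation's or z/OS's own code), the following Python parses the two target entries shown above, recomputes the WLM column from the callouts' description, and then spreads a batch of new connections by weighted round robin over the adjusted weights; the rounding step and the omission of the Abnorm adjustment are this example's assumptions.

```python
"""Recompute the adjusted Sysplex Distributor weight from NETSTAT VDPT DETAIL.
Added example (not from the presentation, not z/OS code). It follows the slide's
callout: raw WLM weight scaled by TSR and by middleware-reported Health, then
divided by 4 into the 0-16 range of the WLM column. The abnormal-transaction
adjustment is not modelled (Abnorm is 0000 here); rounding is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the two entries from the slide's display, trimmed to the
# lines this parser needs (same column layout as on the slide).
SAMPLE_VDPT = """\
Dest IPaddr     DPort DestXCF Addr     Rdy TotalConn  WLM TSR Flg
-----------     ----- ------------     --- ---------  --- --- ---
201.2.10.14     00244 201.3.10.16      001 0002304546 12  080
  DistMethod: ServerWLM
  TCSR: 100  CER: 095  SEF: 080
  Weight: 58
  Abnorm: 0000  Health: 100
  ActConn: 0000000101
201.2.10.14     00244 201.3.10.17      001 0001543454 10  100
  DistMethod: ServerWLM
  TCSR: 100  CER: 100  SEF: 100
  Weight: 40
  Abnorm: 0000  Health: 100
  ActConn: 0000000030
"""

ENTRY_RE = re.compile(
    r"^(?P<dvipa>\d+(?:\.\d+){3})\s+(?P<port>\d+)\s+(?P<xcf>\d+(?:\.\d+){3})"
    r"\s+(?P<rdy>\d+)\s+(?P<total>\d+)\s+(?P<wlm>\d+)\s+(?P<tsr>\d+)"
)
FIELD_RE = re.compile(r"(\w+):\s*(\S+)")

@dataclass
class Target:
    xcf_addr: str
    displayed_wlm: int  # WLM column as printed by netstat (after adjustments)
    tsr: int            # TSR column, 0-100
    fields: Dict[str, str] = field(default_factory=dict)  # indented detail lines

def parse_vdpt(text: str) -> List[Target]:
    """One Target per DestXCF Addr line; indented lines attach to the last one."""
    targets: List[Target] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            targets.append(Target(m["xcf"], int(m["wlm"]), int(m["tsr"])))
        elif targets and line.startswith(" "):
            targets[-1].fields.update(FIELD_RE.findall(line))
    return targets

def adjusted_weight(t: Target) -> int:
    """Raw Weight x TSR x Health, divided by 4 and rounded (0-16 range)."""
    raw, health = int(t.fields["Weight"]), int(t.fields["Health"])
    return round(raw * (t.tsr / 100) * (health / 100) / 4)

def check_display(targets: List[Target]) -> Dict[str, bool]:
    """Does the recomputed weight match the WLM column for each target?"""
    return {t.xcf_addr: adjusted_weight(t) == t.displayed_wlm for t in targets}

def weighted_round_robin(targets: List[Target], n: int) -> Dict[str, int]:
    """How n new SYNs would be spread by a smooth weighted round robin over the
    adjusted weights: over sum(weights) picks each target gets exactly its weight."""
    weights = {t.xcf_addr: adjusted_weight(t) for t in targets}
    total = sum(weights.values())
    credit = dict.fromkeys(weights, 0)
    counts = dict.fromkeys(weights, 0)
    for _ in range(n):
        for k in credit:
            credit[k] += weights[k]
        pick = max(credit, key=credit.get)  # largest accumulated credit wins
        credit[pick] -= total
        counts[pick] += 1
    return counts
```

For the sample, the recomputed weights (12 and 10) match the WLM column, so 22 new connections split 12 to 201.3.10.16 and 10 to 201.3.10.17.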
What impacts the final selection of a target server instance?
Columns: (a) Target LPAR displaceable capacity as seen by WLM; (b) Server instance performance as seen by WLM; (c) Server instance self-perceived health (as reported to WLM); (d) Server instance TCP/IP perceived health (the TSR value); (e) QoS perceived network performance (the QoS fraction)
Technology            (a)             (b)  (c)  (d)                (e)
SD ROUNDROBIN         No              No   No   Yes (if TSR=zero)  No
SD WEIGHTEDACTIVE     No              No   Yes  Yes                No
SD BASEWLM            Yes             No   No   Yes                Yes
SD SERVERWLM          Yes             Yes  Yes  Yes                Yes
SD TARGETCONTROLLED   Yes (SD agent)  No   No   Yes                No
SD HOTSTANDBY         No              No   No   Yes                No
PORT SHAREPORT        No              No   No   Only SEF value     No
PORT SHAREPORTWLM     No              Yes  Yes  Only SEF value     No
CICS Web support - HTTP
Figure: an HTTP client reaches an advertised dynamic TCP/IP VIPA on the distributing stack; connections are forwarded over XCF (via the coupling facility) to Target Stack 1 and Target Stack 2 on separate z/OS LPARs in the sysplex, each using port sharing across its CICS regions.
HTTP requests used for HTML and SOAP requests to CICS
HTTP 1.0 (with keep-alives) and HTTP 1.1 supported
Can be used with either TCP/IP port sharing or Sysplex Distributor
Requires that any session data is in shared storage (i.e. RLS or shared TS)
CICS Sockets
Figure: CICS Sockets flow within an LPAR. (1) The distributing stack (VIPA) delivers the connection to the Listener region's CSKL transaction, which issues givesocket; (2) the child server transaction is STARTed, RETRIEVEs the request and issues takesocket; (3) it can DPL to a mirror in an AOR region. The child server transaction may also run in a routing region on the same LPAR.
Child server transaction can be defined in a remote CICS region
CICS dynamic routing can be used to route the remote START to the AOR
Routing region must be on the same LPAR and share the same TCP/IP stack
Can exploit TCP/IP port sharing or Sysplex Distributor
CICS TS V5.2 IPIC High Availability
Figure: CICS TS V5.2 IPIC high availability in a sysplex. Client regions CICS A (LPAR 1) and CICS B (LPAR 2) connect over IPIC through the Sysplex Distributor DVIPA 1.2.3.4 to the generic TCPIPSERVICE of server regions CICS 1 and CICS 2. Each server region also listens on a specific TCPIPSERVICE bound to its static IP address (1.2.3.9 for CICS 1, 1.2.3.8 for CICS 2), to which the client reconnects on failure.
CICS server regions listen on a generic and a specific TCPIPSERVICE
Client region reconnects to the specific TCPIPSERVICE if the connection is terminated leaving UOW affinities
Supports Sysplex Distributor DVIPAs and port sharing
Connecting CICS with TCP/IP
Securing CICS TCP/IP Communications
Transport Layer Security (TLS/SSL) overview
Transport Layer Security (TLS) is defined by the IETF **
Based on Secure Sockets Layer (SSL)
TLS defines SSL as a version of TLS for compatibility
Provides secure connectivity between two TLS security session endpoints
Full application payload encryption and data authentication / integrity
A TLS security session endpoint plays either a client or server role
Session endpoint authentication via X.509 certificates
Server authentication required
Client authentication optional (mutual authentication)
Figure: a TLS client and a TLS server with a TLS session across the IP network. Only the application payload is encrypted: in the example packet the headers SrcIP 192.168.100.1, DestIP 192.168.1.1, SrcPort 50002 and DestPort 443 remain readable on the network, while the Data field is ciphertext.
** For our purposes, SSL and TLS are equivalent and one term implies the other
TLS/SSL protocol basics
The client application initiates a TLS handshake which authenticates the server (and, optionally, the client) and negotiates a cipher suite to be used to protect data
Upon successful completion of the handshake, a secure TLS session exists for the application partners
Data flows through the secure session using the symmetric encryption and message authentication negotiated during the handshake
Figure: handshake messages exchanged between appl (client) and appl (server) over the TCP connection; afterwards application data flows through the secure TLS session.
Transport Layer Security enablement
Figure: two stacks side by side. Without TLS: Applications, Sockets, TCP, IP networking layer, network interfaces. With TLS/SSL: Applications call the System SSL API above Sockets, so the payload is already encrypted when it reaches TCP, IP and the network.
TLS traditionally provides security services as a socket layer service
TLS requires a reliable transport layer, typically TCP (but architecturally it doesn't have to be TCP)
UDP applications cannot be enabled with traditional TLS
There is now a TLS variant called Datagram Transport Layer Security (DTLS) which is defined by the IETF for unreliable transports
On z/OS, System SSL (a component of z/OS Cryptographic Services) provides an API library for TLS-enabling your C and C++ applications
Java Secure Sockets Extension (JSSE) provides libraries to enable TLS support for Java applications
However, there is an easier way: Application Transparent TLS!
z/OS Application Transparent TLS overview
Stack-based TLS
TLS processing is performed in the TCP layer (via System SSL) without requiring any application change (transparent)
AT-TLS policy specifies which TCP traffic is to be TLS protected based on a variety of criteria:
z/OS userid, jobname
Time, day, week, month
Local address, port
Remote address, port
Connection direction
Application transparency
Can be fully transparent to the application
An optional API allows applications to inspect or control certain aspects of AT-TLS processing: application-aware and application-controlled AT-TLS, respectively
Supports standard configurations
z/OS as a client or as a server
Server authentication (server identifies self to client)
Client authentication (both ends identify selves to the other)
Available to TCP applications
Includes CICS Sockets
Supports all programming languages except PASCAL
Uses System SSL for TLS protocol processing
Remote endpoint sees an RFC-compliant implementation
Interoperates with other compliant implementations
Figure: the AT-TLS policy administrator builds the AT-TLS policy using the Configuration Assistant and installs it through the z/OS CS policy infrastructure; TCP/IP applies it in the transport (TCP) layer, where AT-TLS calls System SSL, so data is encrypted below the Sockets API and above networking (IPv4, IPv6) and DLC, with no change to the application.
Some z/OS applications that use AT-TLS
Comm Server applications
TN3270 Server
FTP Client and Server
CSSMTP
Load Balancing Advisor
IKE NSS client
NSS server
Policy agent
DCAS server
DB2 DRDA
IMS-Connect
JES2 NJE
IBM Multi-Site Workload Lifeline
Tivoli Netview applications
MultiSystem Manager
NetView Management Console
RACF Remote Sharing Facility
CICS Sockets applications
InfoSphere Guardium S-TAP
3rd Party applications
Customer applications
Figure: customer survey results, 1Q2014: AT-TLS adoption and plans for adoption.
Advantages of using AT-TLS
Reduce costs
Application development
Cost of System SSL integration
Cost of applications' TLS-related configuration support
Consistent TLS administration across z/OS applications
Gain access to new features with little or no incremental development cost
Complete and up-to-date exploitation of System SSL features
AT-TLS makes the vast majority of System SSL features available to applications
AT-TLS keeps up with System SSL enhancements: as new features are added, your applications can use them by changing AT-TLS policy, not code
Ongoing performance improvements
Focus on efficiency in use of System SSL
Great choice if you haven't already invested in System SSL integration
Even if you have, consider the long-term cost of keeping up vs. the short-term cost of conversion
AT-TLS support for TLS v1.2 and Related Features
Added in z/OS V2R1
TLS Protocol Version 1.2 (RFC 5246):
Twenty-one new cipher suites
11 new HMAC-SHA256 cipher suites
10 new AES-GCM cipher suites
Addresses NIST SP800-131a requirements
Support Elliptic Curve Cryptography (ECC)
Twenty new ECC cipher suites
ECC cipher suites for TLS (RFC 4492)
Support for Suite B cipher suites (RFC 5430)
TLS 1.2 is required
ECC is required
Suite B has two levels of cryptographic strength that can be selected
128 or 192 bit
Transport Layer Security (TLS) Renegotiation Extension (RFC 5746):
Provides a mechanism to protect peers that permit re-handshakes
When supported, it enables both peers to validate that the re-handshake is truly a
continuation of the previous handshake
Planned for z/OS V2R2
Support retrieval of revocation information through the Online Certificate Status Protocol (OCSP)
Support HTTP retrieval of CRLs
Support for RFC 5280 certificate validation mode
AT-TLS application types
Not enabled
No policy or policy explicitly disables AT-TLS for application traffic
Application may optionally use System SSL directly
Basic
Policy enables AT-TLS for application traffic
Application is unchanged and unaware of AT-TLS
Application protocol unaffected by use of AT-TLS (think HTTP vs. HTTPS)
Aware
Policy enables AT-TLS for application traffic
Application uses the SIOCTTLSCTL ioctl to extract AT-TLS information such as
partner certificate, negotiated version and cipher, policy status, etc.
Controlling
Policy enables AT-TLS and specifies ApplicationControlled ON for application
traffic
Application protocol may negotiate the use of TLS in cleartext with its partner
Application uses the SIOCTTLSCTL ioctl to extract AT-TLS information (like an
aware application) and to control TLS operations:
Start secure session
Reset session
Reset cipher
CICS IP Sockets & CICS Sockets Domain TLS/SSL considerations
CICS Sockets (IP Sockets)
Depends exclusively on AT-TLS for its TLS/SSL encryption processing
Works for inbound and outbound connections
Is an AT-TLS aware application
Listener configuration options (GETTID=YES) allow the Listener to extract the userid associated with the client certificate
The Listener can then associate that userid with the started child server transaction (requires that the userid associated with the Listener transaction has SAF CICS surrogate authority)
CICS Sockets Domain
Current support:
Embedded TLS/SSL support built into the CICS Sockets domain
Direct invocation of System SSL services
Configuration options to indicate various TLS/SSL encryption criteria
Works for inbound and outbound connections
Future direction:
Become an AT-TLS aware application
Allows CICS to extract client certificate and userid information
Inbound (server-side) support initially
Allows the CICS Sockets domain to optimize communications performance by minimizing context switches
Allows CICS to pick up the latest TLS/SSL enhancements transparently
Outbound (client-side) enablement for AT-TLS is a future objective
Policy-based network security on z/OS: Configuration Assistant
Configures:
AT-TLS
IPSec and IP filtering
IDS
Quality of Service
Policy-based routing
Separate perspectives but a consistent model for each discipline
Focus on concepts, not details: what traffic to protect and how to protect it
De-emphasize low-level details (though they are accessible through advanced panels)
z/OSMF-based web interface
Standalone Windows application: not supported after z/OS V1R13
Builds and maintains:
Policy files
Related configuration files
JCL procs and RACF directives
Supports import of existing policy files
Examining the FTP server pre-defined connectivity rule
Describe traffic
Describe role (not changeable)
Define key ring: in this case, use the z/OS image-level key ring
Describe data endpoints: in this case, apply the rule to all endpoints
Connecting CICS with TCP/IP
CICS Connection Management
HTTP Inbound Connection Throttling
Option to limit the number of persistent connections from web clients that are allowed on a port (at any one time)
MAXPERSIST option on TCPIPSERVICE
Number of persistent connections
Socket 'closed' if the number is exceeded
Default is NO
Provides a way to throttle incoming requests without leaving them queueing
Max Persist Attribute
Inbound IP Connection Throttling Diagram
Figure: Regions A, B and C, each with running tasks, receive requests through port spraying; Region C's TCPIPSERVICE has MAXPERSIST 1 and currently 2 connections.
1. New request routed to Region C
2. Connections > MAXPERSIST
3. New request flagged as non-persistent
4. The task responds
5. The connection is closed
6. The task handles a closed connection
HTTP Outbound Connection Pooling
Reuse of connections for outbound HTTP requests in or across tasks
Re-use connections which have the same properties, as defined by a URIMAP
SOCKETCLOSE timeout option on the client URIMAP
A non-zero value means HTTP requests using that URIMAP can use connections (sockets) from a pool
Applies to any HTTP requests using the same client URIMAP
No code changes needed to benefit, except when using the CICS WEB interface
Benefits the HTTP EP adapter
SOCKETCLOSE is the length of time a socket remains available for reuse from the pool
A socket will be removed from the pool if errors are returned, or if any problems are detected
Socket Close Attribute
HTTP Connection Pooling Diagram
Figure: a client URIMAP with SocketClose>0 is associated (0..1) with a socket pool in the Sockets Domain; the pool records a Timeout, a Chain of connected sockets and a Count. The diagram starts with one connected socket in the pool (Count 1).
1. Create a connection: a task obtains a socket
2. Socket owned by the task. No longer in the pool (Count 0)
3a. Connection fails: close as before (Count 0)
3b. Task completes OK: return the socket to the pool (Count 1)
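As an added example (not CICS code), this Python models the pool lifecycle the diagrams trace: the SOCKETCLOSE timeout, the phase in which a task owns the socket, and the error versus success paths. Class names, the URIMAP name and the clock argument are this example's own.

```python
"""Model of the client-URIMAP socket pool described in the diagrams above.
Added example, not CICS code: it simulates the behaviour shown (SOCKETCLOSE
timeout, socket owned by a task while in use, returned to the pool on success,
closed on error) so the lifecycle can be traced. Class names, the 'now' clock
parameter and the URIMAP name are this example's own."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict
import itertools

@dataclass
class Socket:
    sock_id: int
    urimap: str
    returned_at: float = 0.0  # time the socket was last put back in the pool

@dataclass
class SocketPool:
    timeout: float                        # SOCKETCLOSE value; 0 disables pooling
    chain: Deque[Socket] = field(default_factory=deque)

    def count(self) -> int:
        return len(self.chain)

    def expire(self, now: float) -> None:
        """Drop sockets idle in the pool for SOCKETCLOSE seconds or more."""
        self.chain = deque(s for s in self.chain if now - s.returned_at < self.timeout)

class SocketsDomain:
    """One pool per client URIMAP (0..1 pools, keyed by URIMAP name)."""
    def __init__(self) -> None:
        self.pools: Dict[str, SocketPool] = {}
        self._ids = itertools.count(1)
        self.opened = 0  # connections actually created, for the trace

    def define_urimap(self, name: str, socketclose: float) -> None:
        self.pools[name] = SocketPool(socketclose)

    def acquire(self, urimap: str, now: float) -> Socket:
        """Steps 1-2: reuse a pooled socket if still valid, else create a new
        connection. Either way the socket is now owned by the task."""
        pool = self.pools[urimap]
        pool.expire(now)
        if pool.chain:
            return pool.chain.popleft()
        self.opened += 1
        return Socket(next(self._ids), urimap)

    def release(self, sock: Socket, now: float, error: bool = False) -> bool:
        """Step 3a: on error close the socket. Step 3b: on success return it to
        the pool (unless SOCKETCLOSE is 0). Returns True if it was pooled."""
        pool = self.pools[sock.urimap]
        if error or pool.timeout <= 0:
            return False
        sock.returned_at = now
        pool.chain.append(sock)
        return True

def trace_scenario() -> Dict[str, object]:
    """Walk the diagrams' scenario; returns figures a test can check."""
    dom = SocketsDomain()
    dom.define_urimap("PAYAPI", socketclose=30)  # constructed URIMAP name
    s1 = dom.acquire("PAYAPI", now=0)    # pool empty: connect (Count 0, owned by task)
    dom.release(s1, now=1)               # 3b: completes ok, back in pool (Count 1)
    s2 = dom.acquire("PAYAPI", now=5)    # within 30s: the same socket is reused
    dom.release(s2, now=6, error=True)   # 3a: connection fails, closed, not pooled
    s3 = dom.acquire("PAYAPI", now=7)    # pool empty again: new connection
    dom.release(s3, now=8)
    s4 = dom.acquire("PAYAPI", now=50)   # 42s idle > SOCKETCLOSE: expired, new one
    pooled = dom.release(s4, now=51)
    return {"opened": dom.opened, "reused": s1.sock_id == s2.sock_id,
            "final_count": dom.pools["PAYAPI"].count(), "last_pooled": pooled}
```

Running trace_scenario() shows three connections opened in total: one reused from the pool, one discarded after an error, and one replaced after the SOCKETCLOSE timeout elapsed.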
CICS TS V5.3 open beta: performance improvements
HTTP efficiency, including for web services
SSL/TLS improvements
Other areas of improvement
Some numbers from a CICS TS V5.3 open beta development level
HTTP pre open beta
Figure: HTTP requests arrive at CSOL, which attaches CWXN, which in turn starts the user transaction.
CSOL: long running task on its own TCB that listens for work; processes the next piece of work
CWXN: determines the context of the user transaction that is started. This is known as the Web attach task
User transaction (i.e. CWBA, CPIH): application processing runs under the context established by CWXN
HTTP in CICS TS V5.3 open beta
CSOL: long running task on its own TCB. It must not be blocked by an individual request
Gets the tran ID and user ID from the URIMAP and/or AT-TLS
Starts the application transaction with the specific tranid and userid
Processes the next piece of work
CWXN: run only when unable to establish context in SOLS, that is, if CICS SSL, or a web analyzer program, or a static response, or not enough data => CWXN
Lower overhead results in lower CPU usage
User transaction (i.e. CWBA, CPIH): sync receive the body data and pass it to the next step in the application. Application processing runs as before
SSL in CICS TS V5.3 open beta
Less TCB switching means lower CPU usage
CSOL: long running task on its own TCB. It must not be blocked by an individual request. If CICS SSL, the HTTPS request goes to CWXN; then process the next piece of work
CWXN: the SSL decryption of the request happens in this transaction. Switching to and from S8 TCBs has been decreased, reducing CPU usage
User transaction (i.e. CWBA, CPIH)
I want SSL but I don't want CWXN!
TCPIPSERVICE
PORT(number)
SSL(CLIENTAUTH)
For the latest news on z/OS Communications Server
Please fill out your session evaluation
Connecting CICS with TCP/IP
Session # 16472
Thank you!
Connecting CICS with TCP/IP
Appendix Backup
APPLDATA CONNECT (Client socket in CICS)
APPLDATA GIVESOCKET (Socket given by listener to child server)
APPLDATA TAKESOCKET (Socket taken by child server)
APPLDATA LISTEN (Listener socket)
What you can do with APPLDATA in Netstat CICS Sockets
APPLDATA is identification data a sockets application can associate with a sockets end point.
CICS Sockets uses that feature to associate CICS-specific identification data with sockets that are used by CICS Sockets.
APPLDATA can be displayed with netstat; it is also included in TCP/IP SMF records and in the Network Management API.
*-------------------- MVS TCP/IP NETSTAT CS z/OS V1R10 -----------------------*
Command ===>
Please enter optional selection criteria for CICS Sockets connection overview or press END to continue without any selection criteria.
Remote IP address          ==>
Local IP address           ==>
CICS Sockets server port   ==>           CICS listener server port
CICS address space name    ==>           CICS address space that owns socket
CICS user ID               ==>           CICS assigned user ID
CICS transaction code      ==>           CICS transaction identifier
CICS task number           ==>           CICS internal task number
CICS system name           ==>           CICS name transaction assigned to
CICS Sockets type          ==>           Listener, Given, Taken, Connect
If you want a display of all your CICS Socket connections, leave all selection fields above blank.
APPLDATA socket states
Figure: APPLDATA socket states in CICS. The Listener transaction owns the listener socket (state LISTENER); a remote client's Connect() is Accept()ed into a connected socket, which the Listener passes with GiveSocket() (state GIVEN) and the child server transaction claims with TakeSocket() (state TAKEN); a connected socket that CICS opens toward a remote server is in state CONNECT.