A fix is available
APAR status
Closed as new function.
Error description
When a client is on the same TCPIP stack as the sysplex distributor and initiates a connection to a target server on another TCPIP stack using a distributed DVIPA, the outbound packets are not encapsulated even when IPSEC is enabled and OPTLOCAL is specified on the VIPADISTRIBUTE statement for the sysplex distributor. When the client and the distributor are on the same TCPIP stack, no tunnel is formed or used for the negotiation; the connection still goes through the policy check to verify that it is allowed. Once the distributor decides that the local server is to be the target, communication reverts to fast local sockets, where outbound packets are not encapsulated even when the client and the distributor are on the same TCPIP stack and the server is on another. The initial SYN packet for the connection setup request flows over the IPSEC tunnel, but all subsequent traffic uses the fast local sockets.
Local fix
1) Have the client initiate the connection from outside the sysplex distributor stack so that fast local sockets are not used. The packets flowing to the selected target for the listener outside the distributor are then encapsulated.
2) If the client has to be on the same TCPIP stack as the distributor, use the VIPARANGE method so that the server on the target system allocates the DVIPA for the listener. All LPARs in the sysplex must have the same VIPARANGE statement(s) to handle failover of a listener from one LPAR to another. In this case the distributed DVIPA is not used, and the packets flowing to the server owning the DVIPA are encapsulated after tunnel negotiation.
KEYWORDS: IPSEC DRVIPA DVIPA IKED TRMD TUNNEL POLICY PAGENT OPTLOCAL FAST LOCAL SOCKETS SYSPLEX DISTRIBUTOR TARGET LISTENER CLIENT SERVER VIPADISTRIBUTE VIPARANGE
Problem summary
USERS AFFECTED: Users of the IBM Communications Server for z/OS Version 2 Release 2 IP: Sysplex-wide Security Associations
PROBLEM DESCRIPTION: Connection fails when the target stack expects traffic to be IPSec encapsulated but IP filtering is not done for the client because the client and DVIPA are on the same stack.
RECOMMENDATION: Apply the PTF
When the client and DVIPA are on the same TCP/IP stack, traffic is treated as local on the outbound path even though the connection could be forwarded to a target on another TCP/IP stack. IP filtering is not done for the local traffic. If IPSec policy is in place to require IPSec protection, the connection fails when the target server receives the packet in the clear, without IPSec protection.
Problem conclusion
A new TCPIP profile parameter, DVLOCALFLTR, is provided on the IPSEC statement to enable filtering of TCP traffic between a client and an IPv4 dynamic VIPA defined on the same TCP/IP stack.
Temporary fix
Comments
APAR Information
APAR number
PI44865
Reported component name
TCP/IP V3 MVS
Reported component ID
5655HAL00
Reported release
220
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2015-07-13
Closed date
2015-11-16
Last modified date
2017-01-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI32990 UI32991
Modules/Macros
EZBTCFWR EZBNMSEC EZBISIOC EZBIPINB EZAI2IPF EZAISMSG EZACFYAC EZBTCSND EZBISEPR EZACFPSC EZACFPSE EZBIPEPR EZBISFLT EZAI2IPT EZANMFTR EZBIPOUT EZBTLFWR EZANMGTT EZBISGFT EZANMI EZBTCSYN EZBTCRD EZBTCRDG EZAI2CSE EZAIKA@M EZAI2XLI EZBISLVC EZAI2ISA EZATCADE EZAIKA@U EZBISEVT EZATDECP EZAI2CIS EZBISTTP EZAI2CCQ EZAI2CCR EZAPSCAN EZAI2CCX EZAIKRAD EZAIKANC EZAI2IXL EZAIKSKO EZATCAIN EZAI2SAP EZAI2SAQ EZAI2SAR EZBISEN6 EZATENCP EZBNMSEA EZAQUEWR EZAI2EXC EZAIKSMT EZAI2DSA EZACFMMN EZATHSCH EZAIKP1@ EZAIKFIN
Fix information
Fixed component name
TCP/IP V3 MVS
Fixed component ID
5655HAL00
Applicable component levels
R220 PSY UI32990
UP15/12/16 P F512
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
25 January 2017