Defining a secure network port for connections to Db2 Data Gate

Db2 Data Gate uses the distributed data facility (DDF) to connect to Db2 for z/OS®. Connections between Db2 Data Gate and Db2 for z/OS must be encrypted.

About this task

Encrypted connections are required because the log records and data transferred by Db2 Data Gate might contain sensitive information. Unencrypted connections will be refused. Check whether a secure port (SECPORT) exists, and define one if it does not.

Procedure

  1. To check if a secure port exists, run the Db2 for z/OS -DISPLAY DDF command from TSO.
    For example, the following command output shows that the secure port (SECPORT) is set to 15111:
    RESPONSE=XYZ1
    DSNL080I -DB12 DSNLTDDF DISPLAY DDF REPORT FOLLOWS:
    DSNL081I STATUS=STARTD
    DSNL082I LOCATION           LUNAME            GENERICLU
    DSNL083I LOCDB12            NATIVE.IPWADB12   -NONE
    DSNL084I TCPPORT=12511 SECPORT=15111 RESPORT=15011 IPNAME=-NONE
    If the value of SECPORT is 0, you must define a secure port.
  2. To define a secure port, use one of the following methods:
    • Set the Db2 for z/OS SECURE PORT subsystem parameter on the DSNTIPR panel.
    • Specify the secure port in the boot strap data set (BSDS) by using the DSNJU003 change log inventory utility.
      Important: This method requires a restart of Db2 for z/OS because the BSDS can only be updated while Db2 is not running.
  3. To work with data sharing groups, Db2 Data Gate requires a stable connection to the log reader task of the member that the session was started from.
    That is, for incremental update processing, the connection must always go to the same member. To achieve this, use one of the following options:
    • Option 1:

      This is a full data sharing setup that uses DDVIPA with the TIMEDAFFINITY option. With this type of setup, a dedicated SECPORT is assigned to the Db2 members and an exclusive location alias for Db2 Data Gate is defined on each member. This means that all members have the same SECPORT.

      1. Define a dedicated location alias and a secure port (SECPORT) for Db2 Data Gate on all data sharing members. If you already use a SECPORT for other workloads, choose a different SECPORT for Db2 Data Gate.
      2. Set up high availability for Db2 Data Gate as described in Suggestion for a high-availability setup and start the location alias on all data sharing members that participate in the high-availability setup.
    • Option 2:

      In this setup, the data sharing group uses a DDVIPA network, but the TIMEDAFFINITY option is not set. A dedicated SECPORT is assigned to the Db2 members and an exclusive location alias for Db2 Data Gate is defined on each member. This means that all members have the same SECPORT.

      However, the location alias is started on a single member only. To shift the workload from member A to member B, you must stop the location alias on member A and then start the alias on member B.

      1. Define a dedicated location alias and a secure port (SECPORT) for Db2 Data Gate on all data sharing members. If you already use a SECPORT for other workloads, choose a different SECPORT for Db2 Data Gate.
      2. Start the location alias on the member that provides the Db2 log data for Db2 Data Gate. Make sure that the location alias is started on this member only. If this member or the network fails, or if you have to shut down the member for maintenance purposes, the location alias can be started on another member so that Db2 Data Gate can continue to work.

    With a configuration like this, all members used for connections can share the same DDVIPA IP address. This makes the handling and the setup of SSL certificates easier because a single, shared certificate can be used.

    The following example shows how to use the -MODIFY DDF command to define and start a location alias for a single member DB1CMBR1 that listens on secure port 15011:
    -DB1C MODIFY DDF ALIAS(DB1CMBR1) ADD
    -DSNL300I  -DB1C DSNLTMDF MODIFY DDF REPORT FOLLOWS:
    -DSNL302I ALIAS DB1CMBR1 IS SET TO ADD
    -DSNL301I DSNLTMDF MODIFY DDF REPORT COMPLETE
    
    -DB1C MODIFY DDF ALIAS(DB1CMBR1) SECPORT(15011)
    -DSNL300I  -DB1C DSNLTMDF MODIFY DDF REPORT FOLLOWS:
    -DSNL302I ALIAS DB1CMBR1 IS SET TO SECPORT 15011
    -DSNL301I DSNLTMDF MODIFY DDF REPORT COMPLETE
    
    -DB1C MODIFY DDF ALIAS(DB1CMBR1) START
    -DSNL300I  -DB1C DSNLTMDF MODIFY DDF REPORT FOLLOWS:
    -DSNL302I ALIAS DB1CMBR1 IS SET TO START
    -DSNL301I DSNLTMDF MODIFY DDF REPORT COMPLETE
    -DSNL314I  -DB1C DSNLILNR THE ALIAS DB1CMBR1 IS STARTED

    Running -DISPLAY DDF generates the following screen output:

    -DIS DDF
    -DSNL080I  -DB1C DSNLTDDF DISPLAY DDF REPORT FOLLOWS:
    -DSNL081I STATUS=STARTD
    -DSNL082I LOCATION           LUNAME            GENERICLU
    -DSNL083I LOCDB2             NATIVE.APP2DB2A   -NONE
    -DSNL084I TCPPORT=446   SECPORT=12000   RESPORT=5001  IPNAME=-NONE
    ...
    -DSNL087I ALIAS              PORT  SECPORT STATUS
    -DSNL088I DB1CMBR1           0     15011   STARTD
    ...
    -DSNL099I DSNLTDDF DISPLAY DDF REPORT COMPLETE
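    The two checks this procedure asks an administrator to make by eye (step 1: SECPORT must not be 0; Option 2: the Db2 Data Gate location alias must be STARTD on exactly one member) can be automated by parsing the -DISPLAY DDF output. The following Python script is an added example, not IBM's or Db2's own code. It parses the DSNL084I port line and the DSNL088I alias lines shown above; the member names DB1CA and DB1CB, the STOPD alias status on the second member, and the sample outputs themselves are constructed for the example.

```python
"""Check -DISPLAY DDF output for the secure-port conditions in the procedure.

Added example (not IBM's code). Two checks:
  1. The member's SECPORT is not 0 (step 1 of the procedure).
  2. A location alias is STARTD with a non-zero SECPORT on exactly one
     member (the Option 2 requirement).
Member names, alias status values and the sample outputs are constructed.
"""
import re
from dataclasses import dataclass, field

# Matches e.g.  DSNL084I TCPPORT=446   SECPORT=12000   RESPORT=5001  IPNAME=-NONE
PORT_LINE = re.compile(
    r"DSNL084I\s+TCPPORT=(\d+)\s+SECPORT=(\d+)\s+RESPORT=(\d+)\s+IPNAME=(\S+)"
)
# Matches e.g.  DSNL088I DB1CMBR1           0     15011   STARTD
ALIAS_LINE = re.compile(r"DSNL088I\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)")


@dataclass
class DdfReport:
    tcpport: int = 0
    secport: int = 0
    resport: int = 0
    # alias name -> (alias SECPORT, alias STATUS)
    aliases: dict = field(default_factory=dict)


def parse_display_ddf(text: str) -> DdfReport:
    """Extract the member ports and every location alias from -DISPLAY DDF output."""
    report = DdfReport()
    for line in text.splitlines():
        m = PORT_LINE.search(line)
        if m:
            report.tcpport, report.secport, report.resport = map(int, m.group(1, 2, 3))
            continue
        m = ALIAS_LINE.search(line)
        if m:
            alias, _port, secport, status = m.groups()
            report.aliases[alias] = (int(secport), status)
    return report


def secure_port_defined(report: DdfReport) -> bool:
    """Step 1: SECPORT=0 means no encrypted DDF port exists and one must be defined."""
    return report.secport != 0


def members_with_alias_started(reports: dict, alias: str) -> list:
    """Option 2 check: members on which `alias` is STARTD with a non-zero SECPORT.

    `reports` maps member name -> DdfReport. For Option 2 the result must contain
    exactly one member; zero means Db2 Data Gate cannot connect, more than one
    means the connection is no longer pinned to a single log reader.
    """
    return [
        member
        for member, report in reports.items()
        if report.aliases.get(alias, (0, ""))[1] == "STARTD"
        and report.aliases[alias][0] != 0
    ]


# --- Constructed sample outputs --------------------------------------------

# A member with no secure port defined (SECPORT=0).
SAMPLE_NO_SECPORT = """\
DSNL080I -DB12 DSNLTDDF DISPLAY DDF REPORT FOLLOWS:
DSNL081I STATUS=STARTD
DSNL084I TCPPORT=12511 SECPORT=0 RESPORT=15011 IPNAME=-NONE
DSNL099I DSNLTDDF DISPLAY DDF REPORT COMPLETE
"""

# Member DB1CA: alias DB1CMBR1 started on secure port 15011.
SAMPLE_MEMBER_A = """\
-DSNL080I  -DB1C DSNLTDDF DISPLAY DDF REPORT FOLLOWS:
-DSNL081I STATUS=STARTD
-DSNL084I TCPPORT=446   SECPORT=12000   RESPORT=5001  IPNAME=-NONE
-DSNL087I ALIAS              PORT  SECPORT STATUS
-DSNL088I DB1CMBR1           0     15011   STARTD
-DSNL099I DSNLTDDF DISPLAY DDF REPORT COMPLETE
"""

# Member DB1CB: same alias defined but not started (constructed STOPD status).
SAMPLE_MEMBER_B = SAMPLE_MEMBER_A.replace("STARTD\n-DSNL099I", "STOPD\n-DSNL099I")

MEMBER_REPORTS = {
    "DB1CA": parse_display_ddf(SAMPLE_MEMBER_A),
    "DB1CB": parse_display_ddf(SAMPLE_MEMBER_B),
}


if __name__ == "__main__":
    print("secure port defined:", secure_port_defined(parse_display_ddf(SAMPLE_NO_SECPORT)))
    print("DB1CMBR1 started on:", members_with_alias_started(MEMBER_REPORTS, "DB1CMBR1"))
```

    To use it against a real data sharing group, capture the -DISPLAY DDF output of each member into a file and feed each file to parse_display_ddf; any result of members_with_alias_started other than a single member indicates that the Option 2 setup is not in the required state.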