Defining a secure network port for connections to Db2 Data Gate
Db2 Data Gate uses the distributed data facility (DDF) to connect to Db2 for z/OS®. Connections between Db2 Data Gate and Db2 for z/OS must be encrypted.
About this task
Procedure
- To check if a secure port exists, run the Db2 for z/OS -DISPLAY DDF command from TSO. For example, the following command output shows that the secure port (SECPORT) is set to 15111:
    RESPONSE=XYZ1
    DSNL080I -DB12 DSNLTDDF DISPLAY DDF REPORT FOLLOWS:
    DSNL081I STATUS=STARTD
    DSNL082I LOCATION LUNAME GENERICLU
    DSNL083I LOCDB12 NATIVE.IPWADB12 -NONE
    DSNL084I TCPPORT=12511 SECPORT=15111 RESPORT=15011 IPNAME=-NONE
If the value of SECPORT is 0, you must define a secure port.
- To define a secure port, use one of the following methods:
- Set the Db2 for z/OS SECURE PORT subsystem parameter on the DSNTIPR panel.
- Specify the secure port in the bootstrap data set (BSDS) by using the DSNJU003 change log inventory utility. Important: This method requires a restart of Db2 for z/OS because the BSDS can only be updated while Db2 is not running.
- To work with data sharing groups, Db2 Data Gate requires a stable connection to the log reader task of the member that the session was started from. That is, for incremental update processing, the connection must always go to the same member. To achieve this, use one of the following options:
- Option 1:
This is a full data sharing setup that uses DDVIPA with the TIMEDAFFINITY option. With this type of setup, a dedicated SECPORT is assigned to the Db2 members and an exclusive location alias for Db2 Data Gate is defined on each member. This means that all members have the same SECPORT.
- Define a dedicated location alias and a secure port (SECPORT) for Db2 Data Gate on all data sharing members. If you already use a SECPORT for other workloads, choose a different SECPORT for Db2 Data Gate.
- Set up high availability for Db2 Data Gate as described in Suggestion for a high-availability setup and start the location alias on all data sharing members that participate in the high-availability setup.
- Option 2:
In this setup, data sharing uses a DDVIPA network, but the TIMEDAFFINITY option is not set. A dedicated SECPORT is assigned to the Db2 members and an exclusive location alias for Db2 Data Gate is defined on each member. This means that all members have the same SECPORT.
However, the location alias is started on a single member only. To shift the workload from a member A to a member B, you must stop the location alias on member A and then start the alias on member B.
- Define a dedicated location alias and a secure port (SECPORT) for Db2 Data Gate on all data sharing members. If you already use a SECPORT for other workloads, choose a different SECPORT for Db2 Data Gate.
- Start the location alias on the member that provides the Db2 log data for Db2 Data Gate. Make sure that the location alias is started on this member only. If this member or the network fails, or if you have to shut down the member for maintenance purposes, the location alias can be started on another member so that Db2 Data Gate can continue to work.
With a configuration like this, all members used for connections can share the same DDVIPA IP address. This makes the handling and the setup of SSL certificates easier because a single, shared certificate can be used.
The following example shows how to use the -MODIFY DDF command to define and start a location alias for a single member DB1CMBR1 that listens on secure port 15011:
    -DB1C MODIFY DDF ALIAS(DB1CMBR1) ADD
    -DSNL300I -DB1C DSNLTMDF MODIFY DDF REPORT FOLLOWS:
    -DSNL302I ALIAS DB1CMBR1 IS SET TO ADD
    -DSNL301I DSNLTMDF MODIFY DDF REPORT COMPLETE
    -DB1C MODIFY DDF ALIAS(DB1CMBR1) SECPORT(15011)
    -DSNL300I -DB1C DSNLTMDF MODIFY DDF REPORT FOLLOWS:
    -DSNL302I ALIAS DB1CMBR1 IS SET TO SECPORT 15011
    -DSNL301I DSNLTMDF MODIFY DDF REPORT COMPLETE
    -DB1C MODIFY DDF ALIAS(DB1CMBR1) START
    -DSNL300I -DB1C DSNLTMDF MODIFY DDF REPORT FOLLOWS:
    -DSNL302I ALIAS DB1CMBR1 IS SET TO START
    -DSNL301I DSNLTMDF MODIFY DDF REPORT COMPLETE
    -DSNL314I -DB1C DSNLILNR THE ALIAS DB1CMBR1 IS STARTED
Running -DISPLAY DDF generates the following screen output:
    -DIS DDF
    -DSNL080I -DB1C DSNLTDDF DISPLAY DDF REPORT FOLLOWS:
    -DSNL081I STATUS=STARTD
    -DSNL082I LOCATION LUNAME GENERICLU
    -DSNL083I LOCDB2 NATIVE.APP2DB2A -NONE
    -DSNL084I TCPPORT=446 SECPORT=12000 RESPORT=5001 IPNAME=-NONE
    ...
    -DSNL087I ALIAS PORT SECPORT STATUS
    -DSNL088I DB1CMBR1 0 15011 STARTD
    ...
    -DSNL099I DSNLTDDF DISPLAY DDF REPORT COMPLETE
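The following Python example is added here and is not part of the IBM documentation. It parses captured -DISPLAY DDF output from each data sharing member and checks the conditions described above: a nonzero SECPORT, a dedicated alias SECPORT, and (for Option 2) the alias started on exactly one member. The function names, the member labels A and B, the STOPD alias row, and the SECPORT=0 line are assumptions constructed for illustration.

```python
import re

# DSNL084I carries the subsystem ports; each DSNL088I row is one location alias.
PORTS_RE = re.compile(r"DSNL084I\s+TCPPORT=(\d+)\s+SECPORT=(\d+)")
ALIAS_RE = re.compile(r"DSNL088I\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)")

def parse_ddf_report(text):
    """Extract the subsystem SECPORT and the alias table from a DDF report."""
    ports = PORTS_RE.search(text)
    if ports is None:
        raise ValueError("no DSNL084I line found in report")
    aliases = {name: {"secport": int(sec), "status": status}
               for name, _port, sec, status in ALIAS_RE.findall(text)}
    return {"secport": int(ports.group(2)), "aliases": aliases}

def check_member(report, alias):
    """Return findings for one member; an empty list means the checks passed."""
    findings = []
    if report["secport"] == 0:
        findings.append("SECPORT is 0: define a secure port")
    row = report["aliases"].get(alias)
    if row is None:
        findings.append(f"alias {alias} is not defined")
    elif row["secport"] == 0:
        findings.append(f"alias {alias} has no SECPORT")
    elif row["secport"] == report["secport"]:
        # Assumption: reads "choose a different SECPORT" as "not the subsystem SECPORT".
        findings.append(f"alias {alias} reuses the subsystem SECPORT")
    return findings

def started_members(reports, alias):
    """Option 2 expects the alias to be STARTD on exactly one member."""
    return sorted(m for m, rep in reports.items()
                  if rep["aliases"].get(alias, {}).get("status") == "STARTD")

# Member A uses the values shown in the page's sample report; member B is constructed.
MEMBER_A = """-DSNL084I TCPPORT=446 SECPORT=12000 RESPORT=5001 IPNAME=-NONE
-DSNL087I ALIAS PORT SECPORT STATUS
-DSNL088I DB1CMBR1 0 15011 STARTD"""
MEMBER_B = MEMBER_A.replace("STARTD", "STOPD")  # constructed: alias stopped here
NO_SECPORT = "DSNL084I TCPPORT=446 SECPORT=0 RESPORT=5001 IPNAME=-NONE"  # constructed

if __name__ == "__main__":
    reports = {"A": parse_ddf_report(MEMBER_A), "B": parse_ddf_report(MEMBER_B)}
    for member, rep in reports.items():
        print(member, check_member(rep, "DB1CMBR1") or "ok")
    print("alias started on:", started_members(reports, "DB1CMBR1"))
    print(check_member(parse_ddf_report(NO_SECPORT), "DB1CMBR1"))
```

If started_members returns more than one member in an Option 2 setup, stop the alias on all but the member that provides the Db2 log data.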