Network configuration example for Db2 Data Gate

Use the following example as a reference. It covers almost the entire network configuration for Db2 Data Gate.

Reminder

The only network configuration step that is not covered by the examples in this topic is the definition of a DDF secure port. So do not forget to define such a port before or after running customized jobs that are based on the examples here. For more information, see Defining a secure network port for connections to Db2 Data Gate.

Definitions

The following user IDs and route names are used in the examples:

Table 1. User IDs and route names in examples

Description                                      Value
Db2 for z/OS started task user ID                DB2USER
Db2 subsystem name                               DB2A
Log reader user                                  LOGUSR
Privileged Db2 for z/OS user for Db2 Data Gate   IBMDBUSR
Route for Db2 Data Gate instance                 dg1.apps.dgnoiam3.cp.fyre.ibm.com

AQTSSLDG example

This is what the AQTSSLDG sample job looks like after the Db2 subsystem name and the user IDs from Table 1 have been inserted:

//SAMPLE   JOB CLASS=H,MSGLEVEL=(1,1),MSGCLASS=H,
//  USER=RACF000,PASSWORD=CHANGIT
//*
//*    IDAA Sample Application
//*
//*    SSL SETUP FOR IBM DB2 FOR Z/OS DATA GATE
//*
//*    LICENSED MATERIALS - PROPERTY OF IBM
//*    5697-DA7
//*    (C) COPYRIGHT IBM Corp. 2022.
//*
//* US Government Users Restricted Rights
//* Use, duplication or disclosure restricted by GSA ADP Schedule
//* Contract with IBM Corporation
//*
//* DISCLAIMER OF WARRANTIES :
//* Permission is granted to copy and modify this Sample code provided
//* that both the copyright notice and this permission notice and
//* warranty disclaimer appear in all copies and modified versions.
//*
//* THIS SAMPLE CODE IS LICENSED TO YOU AS-IS.
//* IBM  AND ITS SUPPLIERS AND LICENSORS  DISCLAIM ALL WARRANTIES,
//* EITHER EXPRESS OR IMPLIED, IN SUCH SAMPLE CODE, INCLUDING THE
//* WARRANTY OF NON-INFRINGEMENT AND THE IMPLIED WARRANTIES OF
//* MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
//* WILL IBM OR ITS LICENSORS OR SUPPLIERS BE LIABLE FOR ANY DAMAGES
//* ARISING OUT OF THE USE OF OR INABILITY TO USE THE SAMPLE CODE OR
//* COMBINATION OF THE SAMPLE CODE WITH ANY OTHER CODE. IN NO EVENT
//* SHALL IBM OR ITS LICENSORS AND SUPPLIERS BE LIABLE FOR ANY LOST
//* REVENUE, LOST PROFITS OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL,
//* CONSEQUENTIAL,INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND
//* REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF IBM OR ITS
//* LICENSORS OR SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
//* DAMAGES.
//*
//*  Function =
//*    CREATE A SIGNER CERTIFICATE FOR DB2 DATA GATE. GENERATE A
//*    SERVER CERTIFICATE FOR DB2 FOR Z/OS AND STORE IT IN A KEYRING
//*    FOR INBOUND CONNECTION. GENERATE ANOTHER SERVER CERTIFICATE,
//*    EXPORT IT AS PKCS#12 FILE FOR IMPORT INTO DB2 DATA GATE ON
//*    IBM CLOUD PAK FOR DATA FOR OUTBOUND CONNECTION. ASSIGN
//*    APPROPRIATE RACF PERMISSIONS TO DB2 USERS REQUIRED BY
//*    DB2 DATA GATE.
//*
//*    CAUTION: ONLY EXPERIENCED USERS SHOULD USE THIS PROCEDURE.
//*             READ THE DESCRIPTION OF EACH STEP CAREFULLY!
//*             IF NOT USED PROPERLY, A DATA LOSS MIGHT OCCUR!
//*
//*  Dependencies =
//*   ICSF (IBM Encryption Facility for z/OS) must be available.
//*   TTLS must be specified in the TCPCONFIG statement of the
//*   TCPIP started task.
//*   PAGENT (Policy agent) must be started.
//*
//*  Notes =
//*    PRIOR TO RUNNING THIS JOB, customize it for your system:
//*    (1) Add a valid job card.
//*    (2) Locate and change all occurrences of the following strings
//*        as indicated:
//*        (A) !DB2OWNER!       TO THE USER WHO RUNS DB2 STARTED TASKS
//*          //* SIGNER DETAILS, THESE OPTIONS ARE OPTIONAL *//
//*          //* IF NOT NEEDED, PROPERTIES CAN BE REMOVED */
//*        (B) !SIGNORGUNIT!    TO THE ORGANIZATIONALUNIT
//*        (C) !SIGNORG!        TO THE ORGANIZATION
//*        (D) !SIGNLOC!        TO THE LOCALITY
//*        (E) !SIGNSOP!        TO THE STATEORPROVINCENAME
//*        (F) !SIGNCON!        TO THE COUNTRYNAME
//*        (G) !SIGNNOTAFTER!   TO THE CERTIFICATE EXPIRATION DATE
//*          //* EXPORT DETAILS *//
//*        (H) !EXPDSN!         TO THE DATASET FOR THE CERT
//*        (I) !DGPASS!         TO THE PASSWORD
//*          //* SERVER DETAILS, THESE OPTIONS ARE OPTIONAL *//
//*          //* IF NOT NEEDED, PROPERTIES CAN BE REMOVED */
//*        (J) !SERORGUNIT!     TO THE ORGANIZATIONALUNIT
//*        (K) !SERVORG!        TO THE ORGANIZATION
//*        (L) !SERVCON!        TO THE COUNTRYNAME
//*        (M) !SERVNOTAFTER!   TO THE CERT EXPIRATION DATE
//*        (N) !SERVCN!         TO THE COMMON NAME
//*          //* DB2 DATA GATE DETAILS, THESE OPTIONS ARE OPTIONAL *//
//*          //* IF NOT NEEDED, PROPERTIES CAN BE REMOVED */
//*        (O) !DGORGUNIT!      TO THE ORGANIZATIONALUNIT
//*        (P) !DGORG!          TO THE ORGANIZATION
//*        (Q) !DGCON!          TO THE COUNTRYNAME
//*        (R) !DGNOTAFTER!     TO THE CERT EXPIRATION DATE
//*        (S) !DGCN!           TO THE COMMON NAME
//*          //* OTHER DETAILS  *//
//*        (T) !KEYRING!        TO THE KEYRING NAME
//*        (U) !SIGNLABEL!      TO THE SIGNER CERTIFICATE LABEL
//*        (V) !SERVLABEL!      TO THE DB2 CERTIFICATE LABEL
//*        (W) !DGLABEL!        TO THE DB2 DATA GATE CERTIFICATE LABEL
//*        (X) !DB2SUB!         TO THE DB2 SUBSYSTEM NAME
//*        (Y) !PRIVUSER!       TO THE DB2 PRIVILEGED USER
//*        (Z) !LOGUSER!        TO THE DB2 LOG READER USER
//*
//*  Change Activity =
//*********************************************************************
//* SETUP RACF KEYRING INFRASTRUCTURE AND ACCESS PERMISSIONS FOR DDF
//*********************************************************************
//CRTCA    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS  DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN  DD *
 SETROPTS CLASSACT(DIGTCERT DIGTRING)
 RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
 PERMIT IRR.DIGTCERT.LIST -
        CLASS(FACILITY) ID(DB2USER) ACCESS(CONTROL)
 PERMIT IRR.DIGTCERT.LISTRING -
        CLASS(FACILITY) ID(DB2USER) ACCESS(READ)
 PERMIT IRR.DIGTCERT.LIST -
        CLASS(FACILITY) ID(IBMDBUSR) ACCESS(READ)
 PERMIT IRR.DIGTCERT.LISTRING -
        CLASS(FACILITY) ID(IBMDBUSR) ACCESS(UPDATE)
 SETR RACLIST (DIGTRING) REFRESH
 SETR RACLIST (DIGTCERT) REFRESH
 SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* CREATE SIGNER CERTIFICATE
//*********************************************************************
//CRTSIG    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS  DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN  DD *
RACDCERT CERTAUTH -
         GENCERT -
         SUBJECTSDN(OU('DB2 SERVER CA') -
                    O('IBM') -
                    L('SVL') -
                    SP('SVL') -
                    C('USA')) -
         NOTAFTER(DATE(2030-12-31)) -
         WITHLABEL('DB2 SERVER CA') -
         KEYUSAGE(CERTSIGN)
 SETR RACLIST (DIGTRING) REFRESH
 SETR RACLIST (DIGTCERT) REFRESH
 SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* CREATE SERVER CERTIFICATE FOR DB2
//*********************************************************************
//CRTSER    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS  DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN  DD *
RACDCERT ID(DB2USER) -
         DELETE(LABEL('DB2ASERVER CERTIFICATE'))
RACDCERT ID(DB2USER) -
         GENCERT   -
         SUBJECTSDN(CN('DB2A') -
                    OU('SVL') -
                    O('IBM') -
                    C('USA')) -
         NOTAFTER(DATE(2030-12-31)) -
         WITHLABEL('DB2ASERVER CERTIFICATE') -
         SIGNWITH(CERTAUTH LABEL('DB2 SERVER CA'))
SETR RACLIST (DIGTRING) REFRESH
SETR RACLIST (DIGTCERT) REFRESH
SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* CREATE SERVER CERTIFICATE FOR DB2 DATA GATE
//*********************************************************************
//CRTSER2   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS  DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN  DD *
RACDCERT ID(DB2USER) -
         DELETE(LABEL('DG SERVER'))
RACDCERT ID(DB2USER) -
         GENCERT   -
         SUBJECTSDN(CN('DGSERVER') -
                    OU('SVL') -
                    O('IBM') -
                    C('USA')) -
         NOTAFTER(DATE(2030-12-31)) -
         SIZE(2048) -
         WITHLABEL('DG SERVER') -
         KEYUSAGE(HANDSHAKE) -
         SIGNWITH(CERTAUTH LABEL('DB2 SERVER CA'))
SETR RACLIST (DIGTRING) REFRESH
SETR RACLIST (DIGTCERT) REFRESH
SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* EXPORT DB2 DATA GATE CERTIFICATE
//*********************************************************************
//CRTEX    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS  DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN  DD *
RACDCERT -
         EXPORT(LABEL('DG SERVER')) -
         ID(DB2USER) -
         DSN('LABEC588.P12') -
         FORMAT(PKCS12DER) -
         PASSWORD('PASSWORD')
//*********************************************************************
//* CREATE KEY RING FOR DB2 SERVER
//*********************************************************************
//CRTKR    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS  DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN  DD *
RACDCERT ID(DB2USER) ADDRING(DB2AKEYRING)
RACDCERT ID(DB2USER) -
         CONNECT(CERTAUTH -
         LABEL('DB2 SERVER CA') RING(DB2AKEYRING))
RACDCERT ID(DB2USER) -
         CONNECT(ID(DB2USER) -
         LABEL('DB2ASERVER CERTIFICATE') -
         RING(DB2AKEYRING) DEFAULT)
SETR RACLIST (DIGTRING) REFRESH
SETR RACLIST (DIGTCERT) REFRESH
SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* PERMIT USER RACF ACCESS TO RUN INTEGRATED SYNCHRONIZATION
//*********************************************************************
//ACCELACC EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS  DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN  DD *
  RDEFINE DSNR (DB2A.ACCEL) OWNER(DB2USER) UACC(NONE)
  RDEFINE DSNR (DB2A.DIST) OWNER(DB2USER) UACC(NONE)
  PERMIT DB2A.ACCEL CLASS(DSNR) ID(IBMDBUSR) ACCESS(READ)
  PERMIT DB2A.DIST CLASS(DSNR) ID(IBMDBUSR) ACCESS(READ)
  PERMIT DB2A.ACCEL CLASS(DSNR) ID(LOGUSR) ACCESS(READ)
  PERMIT DB2A.DIST CLASS(DSNR) ID(LOGUSR) ACCESS(READ)
/*

Policy Agent configuration file

This is the Policy Agent configuration file after the values from Table 1 have been inserted.

TTLSRule DB12Rule448
{
   LocalPortRange           448
   JobName                  DB2ADIST
   Direction                Inbound
   TTLSGroupActionRef       Db2SslGroup
   TTLSEnvironmentActionRef DB12SslEnv
}
TTLSGroupAction Db2SslGroup
{
   TTLSEnabled       On
   CtraceClearText   On
}
TTLSEnvironmentAction DB12SslEnv
{
   TTLSKeyRingParms
   {
       Keyring           DB2AKEYRING
   }
   TTLSENVIRONMENTADVANCEDPARMS
   {
       SSLV2             OFF
       SSLV3             OFF
       TLSV1             OFF
       TLSV1.1           OFF
       TLSV1.2           ON
       ClientAuthType    PassThru
   }
   HandShakeRole         Server
   TTLSCipherParmsRef    Db2SslCipherParms
}
TTLSCipherParms Db2SslCipherParms
{
    V3CipherSuites     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    V3CipherSuites     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}

TTLSCipherParms StunnelParms
{
   V3CipherSuites4Char       C02FC030
}
TTLSGroupAction StunnelGroup
{
   TTLSEnabled               On
}

TTLSEnvironmentAction StunnelClientEnvironment
{
   TTLSKeyRingParms
   {
       Keyring                 DB2USER/DB2AKEYRING
   }
   TTLSEnvironmentAdvancedParms
   {
       SSLv2                   Off
       SSLv3                   Off
       TLSv1                   Off
       TLSv1.1                 Off
       TLSv1.2                 On
       ClientAuthType          PassThru
       CLIENTHANDSHAKESNI      REQUIRED
       CLIENTHANDSHAKESNIMATCH OPTIONAL
       CLIENTHANDSHAKESNILIST  dg1.apps.dgnoiam3.cp.fyre.ibm.com
   }
   HandshakeRole             CLIENT
   TTLSCipherParmsRef        StunnelParms
   Trace                     7
}

TTLSRule StunnelDWP1Sim148
{
   REMOTEPORTRANGE           443
   REMOTEADDR                9.46.195.180
   Direction                 Outbound
   TTLSGroupActionRef        StunnelGroup
   TTLSEnvironmentActionRef  StunnelClientEnvironment
}
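The values from Table 1 have to end up consistent across both files: the Keyring that the TTLS environments name must be the ring the job creates with ADDRING, every SIGNWITH and CONNECT label must be one that GENCERT generated, and no !TOKEN! from the customization list in the job header may be left behind. The following Python check is an added example (not part of the IBM sample or of Db2 Data Gate) that runs those three checks over constructed excerpts of the two files; it recognizes only the RACDCERT keywords and the Keyring statement that appear on this page.

```python
import re

# Constructed excerpt of the job's RACDCERT steps, with the !PRIVUSER!
# placeholder deliberately left unresolved so the check has a finding.
JOB = """\
RACDCERT CERTAUTH GENCERT WITHLABEL('DB2 SERVER CA') KEYUSAGE(CERTSIGN)
RACDCERT ID(DB2USER) GENCERT -
         WITHLABEL('DB2ASERVER CERTIFICATE') -
         SIGNWITH(CERTAUTH LABEL('DB2 SERVER CA'))
RACDCERT ID(DB2USER) ADDRING(DB2AKEYRING)
RACDCERT ID(DB2USER) -
         CONNECT(CERTAUTH LABEL('DB2 SERVER CA') RING(DB2AKEYRING))
RACDCERT ID(DB2USER) -
         CONNECT(ID(DB2USER) LABEL('DB2ASERVER CERTIFICATE') -
         RING(DB2AKEYRING) DEFAULT)
  PERMIT DB2A.ACCEL CLASS(DSNR) ID(!PRIVUSER!) ACCESS(READ)
"""
# Constructed excerpt of the Policy Agent file: Keyring is written either
# as RING (owned by the server's user ID) or as OWNER/RING.
PAGENT = """\
TTLSKeyRingParms
{
   Keyring           DB2AKEYRING
}
TTLSKeyRingParms
{
   Keyring           DB2USER/DB2AKEYRING
}
"""

def check(job, pagent):
    """Return the mismatches found between the job and the Policy Agent file."""
    # A TSO command continues on the next line when the line ends in ' -'.
    cmds = re.sub(r"\s+-\n\s*", " ", job)
    # 1. Any !TOKEN! from the job's customization list that was not replaced.
    problems = [f"unresolved placeholder: {p}"
                for p in sorted(set(re.findall(r"!\w+!", cmds)))]
    # 2. Every label in SIGNWITH/CONNECT must be one that GENCERT created.
    created = set(re.findall(r"WITHLABEL\('([^']+)'\)", cmds))
    referenced = set(re.findall(r"(?<!WITH)LABEL\('([^']+)'\)", cmds))
    problems += [f"label used but never generated: {lbl}"
                 for lbl in sorted(referenced - created)]
    # 3. Every Keyring the TTLS environments name must be a ring the job
    #    creates (ADDRING) or connects certificates to (RING).
    rings = set(re.findall(r"(?:ADDRING|RING)\((\w+)\)", cmds))
    keyrings = {v.rsplit("/", 1)[-1]
                for v in re.findall(r"^\s*Keyring\s+(\S+)", pagent, re.M)}
    problems += [f"Policy Agent keyring not created in job: {k}"
                 for k in sorted(keyrings - rings)]
    return problems
```

Run it against the fully customized job and Policy Agent file before submitting the job; an empty result means the three files agree on ring names, labels and user IDs.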