Network configuration example for Db2 Data Gate
Use the following example as a reference. It covers almost the entire network configuration for Db2 Data Gate.
Reminder
The only network configuration step that the examples in this topic do not cover is the definition of a DDF secure port. Define this port before or after you run the customized jobs that are based on these examples. For more information, see Defining a secure network port for connections to Db2 Data Gate.
Definitions
The following user IDs and route names are used in the examples:
Description | Value |
---|---|
Db2 for z/OS started task user ID | DB2USER |
Db2 subsystem name | DB2A |
Log reader user | LOGUSR |
Privileged Db2 for z/OS user for Db2 Data Gate | IBMDBUSR |
Route for Db2 Data Gate instance | dg1.apps.dgnoiam3.cp.fyre.ibm.com |
AQTSSLDG example
This is what the AQTSSLDG sample job looks like after inserting the Db2 subsystem name and the user IDs from Table 1:
//SAMPLE JOB CLASS=H,MSGLEVEL=(1,1),MSGCLASS=H,
// USER=RACF000,PASSWORD=CHANGIT
//*
//* IDAA Sample Application
//*
//* SSL SETUP FOR IBM DB2 FOR Z/OS DATA GATE
//*
//* LICENSED MATERIALS - PROPERTY OF IBM
//* 5697-DA7
//* (C) COPYRIGHT IBM Corp. 2022.
//*
//* US Government Users Restricted Rights
//* Use, duplication or disclosure restricted by GSA ADP Schedule
//* Contract with IBM Corporation
//*
//* DISCLAIMER OF WARRANTIES :
//* Permission is granted to copy and modify this Sample code provided
//* that both the copyright notice, and this permission notice and
//* warranty disclaimer appear in all copies and modified versions.
//*
//* THIS SAMPLE CODE IS LICENSED TO YOU AS-IS.
//* IBM AND ITS SUPPLIERS AND LICENSORS DISCLAIM ALL WARRANTIES,
//* EITHER EXPRESS OR IMPLIED, IN SUCH SAMPLE CODE, INCLUDING THE
//* WARRANTY OF NON-INFRINGEMENT AND THE IMPLIED WARRANTIES OF
//* MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
//* WILL IBM OR ITS LICENSORS OR SUPPLIERS BE LIABLE FOR ANY DAMAGES
//* ARISING OUT OF THE USE OF OR INABILITY TO USE THE SAMPLE CODE OR
//* COMBINATION OF THE SAMPLE CODE WITH ANY OTHER CODE. IN NO EVENT
//* SHALL IBM OR ITS LICENSORS AND SUPPLIERS BE LIABLE FOR ANY LOST
//* REVENUE, LOST PROFITS OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL,
//* CONSEQUENTIAL,INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND
//* REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF IBM OR ITS
//* LICENSORS OR SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
//* DAMAGES.
//*
//* Function =
//* CREATE A SIGNER CERTIFICATE FOR DB2 DATA GATE. GENERATE A
//* SERVER CERTIFICATE FOR DB2 FOR Z/OS AND STORE IT IN A KEYRING
//* FOR INBOUND CONNECTION. GENERATE ANOTHER SERVER CERTIFICATE,
//* EXPORT IT AS PKCS#12 FILE FOR IMPORT INTO DB2 DATA GATE ON
//* IBM CLOUD PAK FOR DATA FOR OUTBOUND CONNECTION. ASSIGN
//* APPROPRIATE RACF PERMISSIONS TO DB2 USERS REQUIRED BY
//* DB2 DATA GATE.
//*
//* CAUTION: ONLY EXPERIENCED USERS SHOULD USE THIS PROCEDURE.
//* READ THE DESCRIPTION OF EACH STEP CAREFULLY!
//* IF NOT USED PROPERLY, A DATA LOSS MIGHT OCCUR!
//*
//* Dependencies =
//* ICSF (IBM Encryption Facility for z/OS) must be available.
//* TTLS must be specified in the TCPCONFIG statement of the
//* TCPIP started task.
//* PAGENT (Policy agent) must be started.
//*
//* Notes =
//* PRIOR TO RUNNING THIS JOB, customize it for your system:
//* (1) Add a valid job card.
//* (2) Locate and change all occurrences of the following strings
//* as indicated:
//* (A) !DB2OWNER! TO THE USER WHO RUNS DB2 STARTED TASKS
//* //* SIGNER DETAILS, THESE OPTIONS ARE OPTIONAL *//
//* //* IF NOT NEEDED, PROPERTIES CAN BE REMOVED */
//* (B) !SIGNORGUNIT! TO THE ORGANIZATIONALUNIT
//* (C) !SIGNORG! TO THE ORGANIZATION
//* (D) !SIGNLOC! TO THE LOCALITY
//* (E) !SIGNSOP! TO THE STATEORPROVINCENAME
//* (F) !SIGNCON! TO THE COUNTRYNAME
//* (G) !SIGNNOTAFTER! TO THE CERTIFICATE EXPIRATION DATE
//* //* EXPORT DETAILS *//
//* (H) !EXPDSN! TO THE DATASET FOR THE CERT
//* (I) !DGPASS! TO THE PASSWORD
//* //* SERVER DETAILS, THESE OPTIONS ARE OPTIONAL *//
//* //* IF NOT NEEDED, PROPERTIES CAN BE REMOVED */
//* (J) !SERORGUNIT! TO THE ORGANIZATIONALUNIT
//* (K) !SERVORG! TO THE ORGANIZATION
//* (L) !SERVCON! TO THE COUNTRYNAME
//* (M) !SERVNOTAFTER! TO THE CERT EXPIRATION DATE
//* (N) !SERVCN! TO THE COMMON NAME
//* //* DB2 DATA GATE DETAILS, THESE OPTIONS ARE OPTIONAL *//
//* //* IF NOT NEEDED, PROPERTIES CAN BE REMOVED */
//* (O) !DGORGUNIT! TO THE ORGANIZATIONALUNIT
//* (P) !DGORG! TO THE ORGANIZATION
//* (Q) !DGCON! TO THE COUNTRYNAME
//* (R) !DGNOTAFTER! TO THE CERT EXPIRATION DATE
//* (S) !DGCN! TO THE COMMON NAME
//* //* OTHER DETAILS *//
//* (T) !KEYRING! TO THE KEYRING NAME
//* (U) !SIGNLABEL! TO THE SIGNER CERTIFICATE LABEL
//* (V) !SERVLABEL! TO THE DB2 CERTIFICATE LABEL
//* (W) !DGLABEL! TO THE DB2 DATA GATE CERTIFICATE LABEL
//* (X) !DB2SUB! TO THE DB2 SUBSYSTEM NAME
//* (Y) !PRIVUSER! TO THE DB2 PRIVILEGED USER
//* (Z) !LOGUSER! TO THE DB2 LOG READER USER
//*
//* Change Activity =
//*********************************************************************
//* SETUP RACF KEYRING INFRASTRUCTURE AND ACCESS PERMISSIONS FOR DDF
//*********************************************************************
//CRTCA EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
SETROPTS CLASSACT(DIGTCERT DIGTRING)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
PERMIT IRR.DIGTCERT.LIST -
CLASS(FACILITY) ID(DB2USER) ACCESS(CONTROL)
PERMIT IRR.DIGTCERT.LISTRING -
CLASS(FACILITY) ID(DB2USER) ACCESS(READ)
PERMIT IRR.DIGTCERT.LIST -
CLASS(FACILITY) ID(IBMDBUSR) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING -
CLASS(FACILITY) ID(IBMDBUSR) ACCESS(UPDATE)
SETR RACLIST (DIGTRING) REFRESH
SETR RACLIST (DIGTCERT) REFRESH
SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* CREATE SIGNER CERTIFICATE
//*********************************************************************
//CRTSIG EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
RACDCERT CERTAUTH -
GENCERT -
SUBJECTSDN(OU('DB2 SERVER CA') -
O('IBM') -
L('SVL') -
SP('SVL') -
C('USA')) -
NOTAFTER(DATE(2030-12-31)) -
WITHLABEL('DB2 SERVER CA') -
KEYUSAGE(CERTSIGN)
SETR RACLIST (DIGTRING) REFRESH
SETR RACLIST (DIGTCERT) REFRESH
SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* CREATE SERVER CERTIFICATE FOR DB2
//*********************************************************************
//CRTSER EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
RACDCERT ID(DB2USER) -
DELETE(LABEL('DB2ASERVER CERTIFICATE'))
RACDCERT ID(DB2USER) -
GENCERT -
SUBJECTSDN(CN('DB2A') -
OU('SVL') -
O('IBM') -
C('USA')) -
NOTAFTER(DATE(2030-12-31)) -
WITHLABEL('DB2ASERVER CERTIFICATE') -
SIGNWITH(CERTAUTH LABEL('DB2 SERVER CA'))
SETR RACLIST (DIGTRING) REFRESH
SETR RACLIST (DIGTCERT) REFRESH
SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* CREATE SERVER CERTIFICATE FOR DB2 DATA GATE
//*********************************************************************
//CRTSER2 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
RACDCERT ID(DB2USER) -
DELETE(LABEL('DG SERVER'))
RACDCERT ID(DB2USER) -
GENCERT -
SUBJECTSDN(CN('DGSERVER') -
OU('SVL') -
O('IBM') -
C('USA')) -
NOTAFTER(DATE(2030-12-31)) -
SIZE(2048) -
WITHLABEL('DG SERVER') -
KEYUSAGE(HANDSHAKE) -
SIGNWITH(CERTAUTH LABEL('DB2 SERVER CA'))
SETR RACLIST (DIGTRING) REFRESH
SETR RACLIST (DIGTCERT) REFRESH
SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* EXPORT DB2 DATA GATE CERTIFICATE
//*********************************************************************
//CRTEX EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
RACDCERT -
EXPORT(LABEL('DG SERVER')) -
ID(DB2USER) -
DSN('LABEC588.P12') -
FORMAT(PKCS12DER) -
PASSWORD('PASSWORD')
//*********************************************************************
//* CREATE KEY RING FOR DB2 SERVER
//*********************************************************************
//CRTKR EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
RACDCERT ID(DB2USER) ADDRING(DB2AKEYRING)
RACDCERT ID(DB2USER) -
CONNECT(CERTAUTH -
LABEL('DB2 SERVER CA') RING(DB2AKEYRING))
RACDCERT ID(DB2USER) -
CONNECT(ID(DB2USER) -
LABEL('DB2ASERVER CERTIFICATE') -
RING(DB2AKEYRING) DEFAULT)
SETR RACLIST (DIGTRING) REFRESH
SETR RACLIST (DIGTCERT) REFRESH
SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* PERMIT USER RACF ACCESS TO RUN INTEGRATED SYNCHRONIZATION
//*********************************************************************
//ACCELACC EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
RDEFINE DSNR (DB2A.ACCEL) OWNER(DB2USER) UACC(NONE)
RDEFINE DSNR (DB2A.DIST) OWNER(DB2USER) UACC(NONE)
PERMIT DB2A.ACCEL CLASS(DSNR) ID(IBMDBUSR) ACCESS(READ)
PERMIT DB2A.DIST CLASS(DSNR) ID(IBMDBUSR) ACCESS(READ)
PERMIT DB2A.ACCEL CLASS(DSNR) ID(LOGUSR) ACCESS(READ)
PERMIT DB2A.DIST CLASS(DSNR) ID(LOGUSR) ACCESS(READ)
/*
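The CRTCA and ACCELACC steps are the parts of this job that decide who may list certificates and key rings and who may connect to the DB2A distributed and accelerator interfaces. The script below is an added example for this page (not IBM code and not part of the AQTSSLDG sample): it reads the SYSTSIN commands of those two steps, joins TSO continuation lines, and builds the resulting access matrix. It then flags any PERMIT on a resource the job did not define with UACC(NONE), and any user ID that is granted more than the ceiling the job itself implies (DB2USER up to CONTROL, IBMDBUSR up to UPDATE, LOGUSR only READ). The SAMPLE_SYSTSIN string is constructed from the job above; the CEILING table and all function names are this example's own assumptions.

```python
"""Extract the RACF access matrix granted by the AQTSSLDG sample job above and
check it against a least-privilege ceiling.
Added example for this page, not IBM code and not part of the sample job."""
import re

# Constructed sample: the SYSTSIN commands of the CRTCA and ACCELACC steps above.
SAMPLE_SYSTSIN = """
SETROPTS CLASSACT(DIGTCERT DIGTRING)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
PERMIT IRR.DIGTCERT.LIST -
CLASS(FACILITY) ID(DB2USER) ACCESS(CONTROL)
PERMIT IRR.DIGTCERT.LISTRING -
CLASS(FACILITY) ID(DB2USER) ACCESS(READ)
PERMIT IRR.DIGTCERT.LIST -
CLASS(FACILITY) ID(IBMDBUSR) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING -
CLASS(FACILITY) ID(IBMDBUSR) ACCESS(UPDATE)
RDEFINE DSNR (DB2A.ACCEL) OWNER(DB2USER) UACC(NONE)
RDEFINE DSNR (DB2A.DIST) OWNER(DB2USER) UACC(NONE)
PERMIT DB2A.ACCEL CLASS(DSNR) ID(IBMDBUSR) ACCESS(READ)
PERMIT DB2A.DIST CLASS(DSNR) ID(IBMDBUSR) ACCESS(READ)
PERMIT DB2A.ACCEL CLASS(DSNR) ID(LOGUSR) ACCESS(READ)
PERMIT DB2A.DIST CLASS(DSNR) ID(LOGUSR) ACCESS(READ)
"""

# RACF access levels in increasing order of privilege.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Ceiling per user ID, derived from the grants in the job above (an assumption
# of this example): the log reader in particular should never exceed READ.
CEILING = {"DB2USER": "CONTROL", "IBMDBUSR": "UPDATE", "LOGUSR": "READ"}


def join_continuations(text):
    """Yield complete TSO commands; a trailing '-' continues on the next line."""
    buf = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("-"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:                      # unterminated continuation at end of stream
        yield " ".join(buf)


def _operand(name, cmd):
    """Return the value of a NAME(value) operand, or None if absent."""
    m = re.search(r"\b" + name + r"\(([^)]*)\)", cmd, re.I)
    return m.group(1).strip().upper() if m else None


def parse_racf(text):
    """Return (uacc, grants): uacc[(class, resource)] is the UACC of each
    RDEFINE; grants[(class, resource, userid)] is the ACCESS of each PERMIT."""
    uacc, grants = {}, {}
    for cmd in join_continuations(text):
        words = cmd.split()
        if words[0].upper() == "RDEFINE":
            key = (words[1].upper(), words[2].strip("()").upper())
            uacc[key] = _operand("UACC", cmd) or "NONE"   # RACF default is NONE
        elif words[0].upper() == "PERMIT":
            key = (_operand("CLASS", cmd), words[1].strip("()").upper(),
                   _operand("ID", cmd))
            grants[key] = _operand("ACCESS", cmd)
    return uacc, grants


def check_least_privilege(uacc, grants):
    """Report PERMITs on resources the job did not define with UACC(NONE) and
    grants that exceed the ceiling for that user ID."""
    findings = []
    for (cls, resource, userid), access in grants.items():
        defined = uacc.get((cls, resource))
        if defined is None:
            findings.append(f"{cls} {resource}: permitted but not defined here")
        elif defined != "NONE":
            findings.append(f"{cls} {resource}: UACC({defined}) is wider than NONE")
        ceiling = CEILING.get(userid)
        if ceiling is None:
            findings.append(f"{userid}: not a user ID from the definitions table")
        elif ACCESS_RANK[access] > ACCESS_RANK[ceiling]:
            findings.append(f"{userid}: {access} on {resource} exceeds {ceiling}")
    return findings


if __name__ == "__main__":
    uacc, grants = parse_racf(SAMPLE_SYSTSIN)
    for key, access in sorted(grants.items()):
        print(*key, access)
    print(check_least_privilege(uacc, grants) or "no findings")
```

Run as-is, the script prints the eight grants from the job and reports no findings; paste the SYSTSIN stream of a customized job in place of SAMPLE_SYSTSIN to see whether an edit raised a user ID above its ceiling or permitted a resource that the job never defined.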
Policy Agent configuration file
This is the Policy Agent configuration file after inserting the values from Table 1.
TTLSRule DB12Rule448
{
LocalPortRange 448
JobName DB2ADIST
Direction Inbound
TTLSGroupActionRef Db2SslGroup
TTLSEnvironmentActionRef DB12SslEnv
}
TTLSGroupAction Db2SslGroup
{
TTLSEnabled On
CtraceClearText On
}
TTLSEnvironmentAction DB12SslEnv
{
TTLSKeyRingParms
{
Keyring DB2AKEYRING
}
TTLSENVIRONMENTADVANCEDPARMS
{
SSLV2 OFF
SSLV3 OFF
TLSV1 OFF
TLSV1.1 OFF
TLSV1.2 ON
ClientAuthType PassThru
}
HandShakeRole Server
TTLSCipherParmsRef Db2SslCipherParms
}
TTLSCipherParms Db2SslCipherParms
{
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
TTLSCipherParms StunnelParms
{
V3CipherSuites4Char C02FC030
}
TTLSGroupAction StunnelGroup
{
TTLSEnabled On
}
TTLSEnvironmentAction StunnelClientEnvironment
{
TTLSKeyRingParms
{
Keyring DB2USER/DB2AKEYRING
}
TTLSEnvironmentAdvancedParms
{
SSLv2 Off
SSLv3 Off
TLSv1 Off
TLSv1.1 Off
TLSv1.2 On
ClientAuthType PassThru
CLIENTHANDSHAKESNI REQUIRED
CLIENTHANDSHAKESNIMATCH OPTIONAL
CLIENTHANDSHAKESNILIST dg1.apps.dgnoiam3.cp.fyre.ibm.com
}
HandshakeRole CLIENT
TTLSCipherParmsRef StunnelParms
Trace 7
}
TTLSRule StunnelDWP1Sim148
{
REMOTEPORTRANGE 443
REMOTEADDR 9.46.195.180
Direction Outbound
TTLSGroupActionRef StunnelGroup
TTLSEnvironmentActionRef StunnelClientEnvironment
}
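The Policy Agent file is where the TLS 1.2-only and ECDHE/AES-GCM requirements are actually enforced, and a single protocol line left at On or a mistyped four-character suite code silently weakens both the inbound DDF rule and the outbound stunnel rule. The script below is an added example for this page (not IBM code and not part of Db2 Data Gate): it parses the brace-delimited subset of Policy Agent syntax used above, resolves V3CipherSuites4Char codes to suite names (C02F and C030 are the IANA code points for the two suites named in Db2SslCipherParms), and reports any TTLSEnvironmentAction that is not TLS 1.2-only or that references a suite outside that allow list. The SAMPLE_POLICY string is constructed from the statements above; the parser, the allow list and the function names are assumptions of this example, not product behaviour.

```python
"""Audit an AT-TLS Policy Agent file for the settings used above for Db2 Data
Gate: TLS 1.2 only, and only the two ECDHE/AES-GCM cipher suites.
Added example for this page, not IBM code; it parses only the brace-delimited
subset of Policy Agent syntax that appears on this page."""

# Constructed sample: the environment and cipher statements from the file above.
SAMPLE_POLICY = """
TTLSEnvironmentAction DB12SslEnv
{
TTLSENVIRONMENTADVANCEDPARMS
{
SSLV2 OFF
SSLV3 OFF
TLSV1 OFF
TLSV1.1 OFF
TLSV1.2 ON
}
HandShakeRole Server
TTLSCipherParmsRef Db2SslCipherParms
}
TTLSCipherParms Db2SslCipherParms
{
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
TTLSCipherParms StunnelParms
{
V3CipherSuites4Char C02FC030
}
"""

# IANA code points behind the V3CipherSuites4Char value on this page.
CIPHER_CODES = {
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
APPROVED_SUITES = frozenset(CIPHER_CODES.values())


def parse_policy(text):
    """Return {(STATEMENT_TYPE, name): body}; a body maps upper-cased keywords
    to a list of values, or to a nested body for an unnamed sub-block."""
    policies, stack, pending = {}, [], None

    def commit_setting():
        nonlocal pending
        if pending and stack:
            stack[-1].setdefault(pending[0], []).append(pending[1])
        pending = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "{":                 # the pending line was a block header
            body = {}
            if stack:
                stack[-1][pending[0]] = body
            else:
                policies[(pending[0], pending[1])] = body
            stack.append(body)
            pending = None
        elif line == "}":
            commit_setting()
            stack.pop()
        else:
            commit_setting()            # the previous line was a plain setting
            keyword, _, value = line.partition(" ")
            pending = (keyword.upper(), value.strip())
    return policies


def cipher_suites(cipher_body):
    """Resolve a TTLSCipherParms body to suite names, whether written as
    V3CipherSuites names or as a packed V3CipherSuites4Char hex string."""
    names = set(cipher_body.get("V3CIPHERSUITES", []))
    for packed in cipher_body.get("V3CIPHERSUITES4CHAR", []):
        for i in range(0, len(packed), 4):
            code = packed[i:i + 4].upper()
            names.add(CIPHER_CODES.get(code, "UNKNOWN_" + code))
    return names


def audit(policies):
    """List findings; empty means every environment is TLS 1.2-only and
    references only approved cipher suites."""
    findings = []
    for (stype, name), body in policies.items():
        if stype != "TTLSENVIRONMENTACTION":
            continue
        advanced = body.get("TTLSENVIRONMENTADVANCEDPARMS", {})
        for proto in ("SSLV2", "SSLV3", "TLSV1", "TLSV1.1"):
            if advanced.get(proto, [""])[-1].upper() != "OFF":
                findings.append(f"{name}: {proto} is not explicitly Off")
        if advanced.get("TLSV1.2", [""])[-1].upper() != "ON":
            findings.append(f"{name}: TLSv1.2 is not On")
        ref = body.get("TTLSCIPHERPARMSREF", [None])[-1]
        ciphers = policies.get(("TTLSCIPHERPARMS", ref))
        if ciphers is None:
            findings.append(f"{name}: TTLSCipherParms '{ref}' is not defined")
            continue
        for suite in sorted(cipher_suites(ciphers) - APPROVED_SUITES):
            findings.append(f"{name}: cipher suite {suite} is not approved")
    return findings
```

`audit(parse_policy(SAMPLE_POLICY))` returns an empty list for the configuration above, and `cipher_suites` resolves StunnelParms and Db2SslCipherParms to the same two suites, which confirms that the packed code C02FC030 and the named list agree. Keywords are compared case-insensitively because the file above mixes `TTLSENVIRONMENTADVANCEDPARMS` with `TTLSEnvironmentAdvancedParms`; a protocol that is merely absent, rather than explicitly Off, is reported, since the audit checks what the file says rather than relying on AT-TLS defaults.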