Network configuration example for Data Gate on Cloud
Use the following example as a reference. It covers almost the entire network configuration for Data Gate on Cloud.
Reminder
The only network configuration step that the examples in this topic do not cover is the definition of a DDF secure port. Remember to define such a port before or after running customized jobs that are based on these examples. For more information, see Defining a secure network port for connections to Data Gate on Cloud.
Definitions
The following user IDs and route names are used in the examples:
| Description | Value |
|---|---|
| Db2 for z/OS started task user ID | DB2USER |
| Db2 subsystem name | DB2A |
| Log reader user | LOGUSR |
| Privileged Db2 for z/OS user for Data Gate on Cloud | IBMDBUSR |
| Route for Data Gate on Cloud instance (Data Gate on Cloud endpoint) | vpce-0562f7e7c37e1a520-d6i0cik5.vpce-svc-012c4baccc8c64f1e.us-east-2.vpce.amazonaws.com |
AQTSSLDG example
This is what the AQTSSLDG sample job looks like after inserting the Db2 subsystem name and the user IDs from Table 1:
//SAMPLE JOB CLASS=H,MSGLEVEL=(1,1),MSGCLASS=H,
// USER=RACF000,PASSWORD=CHANGIT
//*
//* IDAA Sample Application
//*
//* SSL SETUP FOR IBM DB2 FOR Z/OS DATA GATE
//*
//* LICENSED MATERIALS - PROPERTY OF IBM
//* 5697-DA7
//* (C) COPYRIGHT IBM Corp. 2022.
//*
//* US Government Users Restricted Rights
//* Use, duplication or disclosure restricted by GSA ADP Schedule
//* Contract with IBM Corporation
//*
//* DISCLAIMER OF WARRANTIES :
//* Permission is granted to copy and modify this Sample code provided
//* that both the copyright notice and this permission notice and
//* warranty disclaimer appear in all copies and modified versions.
//*
//* THIS SAMPLE CODE IS LICENSED TO YOU AS-IS.
//* IBM AND ITS SUPPLIERS AND LICENSORS DISCLAIM ALL WARRANTIES,
//* EITHER EXPRESS OR IMPLIED, IN SUCH SAMPLE CODE, INCLUDING THE
//* WARRANTY OF NON-INFRINGEMENT AND THE IMPLIED WARRANTIES OF
//* MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
//* WILL IBM OR ITS LICENSORS OR SUPPLIERS BE LIABLE FOR ANY DAMAGES
//* ARISING OUT OF THE USE OF OR INABILITY TO USE THE SAMPLE CODE OR
//* COMBINATION OF THE SAMPLE CODE WITH ANY OTHER CODE. IN NO EVENT
//* SHALL IBM OR ITS LICENSORS AND SUPPLIERS BE LIABLE FOR ANY LOST
//* REVENUE, LOST PROFITS OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL,
//* CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND
//* REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF IBM OR ITS
//* LICENSORS OR SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
//* DAMAGES.
//*
//* Function =
//* CREATE A SIGNER CERTIFICATE FOR DB2 DATA GATE. GENERATE A
//* SERVER CERTIFICATE FOR DB2 FOR Z/OS AND STORE IT IN A KEYRING
//* FOR INBOUND CONNECTION. GENERATE ANOTHER SERVER CERTIFICATE,
//* EXPORT IT AS PKCS#12 FILE FOR IMPORT INTO DB2 DATA GATE ON
//* IBM CLOUD PAK FOR DATA FOR OUTBOUND CONNECTION. ASSIGN
//* APPROPRIATE RACF PERMISSIONS TO DB2 USERS REQUIRED BY
//* DB2 DATA GATE.
//*
//* CAUTION: ONLY EXPERIENCED USERS SHOULD USE THIS PROCEDURE.
//* READ THE DESCRIPTION OF EACH STEP CAREFULLY!
//* IF NOT USED PROPERLY, A DATA LOSS MIGHT OCCUR!
//*
//* Dependencies =
//* ICSF (Integrated Cryptographic Service Facility) must be available.
//* TTLS must be specified in the TCPCONFIG statement of the
//* TCPIP started task.
//* PAGENT (Policy agent) must be started.
//*
//* Notes =
//* PRIOR TO RUNNING THIS JOB, customize it for your system:
//* (1) Add a valid job card.
//* (2) Locate and change all occurrences of the following strings
//* as indicated:
//* (A) !DB2OWNER! TO THE USER WHO RUNS DB2 STARTED TASKS
//* //* SIGNER DETAILS, THESE OPTIONS ARE OPTIONAL *//
//* //* IF NOT NEEDED, PROPERTIES CAN BE REMOVED */
//* (B) !SIGNORGUNIT! TO THE ORGANIZATIONALUNIT
//* (C) !SIGNORG! TO THE ORGANIZATION
//* (D) !SIGNLOC! TO THE LOCALITY
//* (E) !SIGNSOP! TO THE STATEORPROVINCENAME
//* (F) !SIGNCON! TO THE COUNTRYNAME
//* (G) !SIGNNOTAFTER! TO THE CERTIFICATE EXPIRATION DATE
//* //* EXPORT DETAILS *//
//* (H) !EXPDSN! TO THE DATASET FOR THE CERT
//* (I) !DGPASS! TO THE PASSWORD
//* //* SERVER DETAILS, THESE OPTIONS ARE OPTIONAL *//
//* //* IF NOT NEEDED, PROPERTIES CAN BE REMOVED */
//* (J) !SERORGUNIT! TO THE ORGANIZATIONALUNIT
//* (K) !SERVORG! TO THE ORGANIZATION
//* (L) !SERVCON! TO THE COUNTRYNAME
//* (M) !SERVNOTAFTER! TO THE CERT EXPIRATION DATE
//* (N) !SERVCN! TO THE COMMON NAME
//* //* DB2 DATA GATE DETAILS, THESE OPTIONS ARE OPTIONAL *//
//* //* IF NOT NEEDED, PROPERTIES CAN BE REMOVED */
//* (O) !DGORGUNIT! TO THE ORGANIZATIONALUNIT
//* (P) !DGORG! TO THE ORGANIZATION
//* (Q) !DGCON! TO THE COUNTRYNAME
//* (R) !DGNOTAFTER! TO THE CERT EXPIRATION DATE
//* (S) !DGCN! TO THE COMMON NAME
//* //* OTHER DETAILS *//
//* (T) !KEYRING! TO THE KEYRING NAME
//* (U) !SIGNLABEL! TO THE SIGNER CERTIFICATE LABEL
//* (V) !SERVLABEL! TO THE DB2 CERTIFICATE LABEL
//* (W) !DGLABEL! TO THE DB2 DATA GATE CERTIFICATE LABEL
//* (X) !DB2SUB! TO THE DB2 SUBSYSTEM NAME
//* (Y) !PRIVUSER! TO THE DB2 PRIVILEGED USER
//* (Z) !LOGUSER! TO THE DB2 LOG READER USER
//*
//* Change Activity =
//*********************************************************************
//* SETUP RACF KEYRING INFRASTRUCTURE AND ACCESS PERMISSIONS FOR DDF
//*********************************************************************
//CRTCA EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
SETROPTS CLASSACT(DIGTCERT DIGTRING)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
PERMIT IRR.DIGTCERT.LIST -
CLASS(FACILITY) ID(DB2USER) ACCESS(CONTROL)
PERMIT IRR.DIGTCERT.LISTRING -
CLASS(FACILITY) ID(DB2USER) ACCESS(READ)
PERMIT IRR.DIGTCERT.LIST -
CLASS(FACILITY) ID(IBMDBUSR) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING -
CLASS(FACILITY) ID(IBMDBUSR) ACCESS(UPDATE)
SETR RACLIST (DIGTRING) REFRESH
SETR RACLIST (DIGTCERT) REFRESH
SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* CREATE SIGNER CERTIFICATE
//*********************************************************************
//CRTSIG EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
RACDCERT CERTAUTH -
GENCERT -
SUBJECTSDN(OU('DB2 SERVER CA') -
O('IBM') -
L('SVL') -
SP('SVL') -
C('USA')) -
NOTAFTER(DATE(2030-12-31)) -
WITHLABEL('DB2 SERVER CA') -
KEYUSAGE(CERTSIGN)
SETR RACLIST (DIGTRING) REFRESH
SETR RACLIST (DIGTCERT) REFRESH
SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* CREATE SERVER CERTIFICATE FOR DB2
//*********************************************************************
//CRTSER EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
RACDCERT ID(DB2USER) -
DELETE(LABEL('DB2ASERVER CERTIFICATE'))
RACDCERT ID(DB2USER) -
GENCERT -
SUBJECTSDN(CN('DB2A') -
OU('SVL') -
O('IBM') -
C('USA')) -
NOTAFTER(DATE(2030-12-31)) -
WITHLABEL('DB2ASERVER CERTIFICATE') -
SIGNWITH(CERTAUTH LABEL('DB2 SERVER CA'))
SETR RACLIST (DIGTRING) REFRESH
SETR RACLIST (DIGTCERT) REFRESH
SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* CREATE SERVER CERTIFICATE FOR DB2 DATA GATE
//*********************************************************************
//CRTSER2 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
RACDCERT ID(DB2USER) -
DELETE(LABEL('DG SERVER'))
RACDCERT ID(DB2USER) -
GENCERT -
SUBJECTSDN(CN('DGSERVER') -
OU('SVL') -
O('IBM') -
C('USA')) -
NOTAFTER(DATE(2030-12-31)) -
SIZE(2048) -
WITHLABEL('DG SERVER') -
KEYUSAGE(HANDSHAKE) -
SIGNWITH(CERTAUTH LABEL('DB2 SERVER CA'))
SETR RACLIST (DIGTRING) REFRESH
SETR RACLIST (DIGTCERT) REFRESH
SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* EXPORT DB2 DATA GATE CERTIFICATE
//*********************************************************************
//CRTEX EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
RACDCERT -
EXPORT(LABEL('DG SERVER')) -
ID(DB2USER) -
DSN('LABEC588.P12') -
FORMAT(PKCS12DER) -
PASSWORD('PASSWORD')
//*********************************************************************
//* CREATE KEY RING FOR DB2 SERVER
//*********************************************************************
//CRTKR EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
RACDCERT ID(DB2USER) ADDRING(DB2AKEYRING)
RACDCERT ID(DB2USER) -
CONNECT(CERTAUTH -
LABEL('DB2 SERVER CA') RING(DB2AKEYRING))
RACDCERT ID(DB2USER) -
CONNECT(ID(DB2USER) -
LABEL('DB2ASERVER CERTIFICATE') -
RING(DB2AKEYRING) DEFAULT)
SETR RACLIST (DIGTRING) REFRESH
SETR RACLIST (DIGTCERT) REFRESH
SETR RACLIST (FACILITY) REFRESH
//*********************************************************************
//* PERMIT USER RACF ACCESS TO RUN INTEGRATED SYNCHRONIZATION
//*********************************************************************
//ACCELACC EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSUADS DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSIN DD *
RDEFINE DSNR (DB2A.ACCEL) OWNER(DB2USER) UACC(NONE)
RDEFINE DSNR (DB2A.DIST) OWNER(DB2USER) UACC(NONE)
PERMIT DB2A.ACCEL CLASS(DSNR) ID(IBMDBUSR) ACCESS(READ)
PERMIT DB2A.DIST CLASS(DSNR) ID(IBMDBUSR) ACCESS(READ)
PERMIT DB2A.ACCEL CLASS(DSNR) ID(LOGUSR) ACCESS(READ)
PERMIT DB2A.DIST CLASS(DSNR) ID(LOGUSR) ACCESS(READ)
/*
Policy Agent configuration file
This is the Policy Agent configuration file after inserting the values from Table 1.
TTLSRule DB12Rule448
{
    LocalPortRange 448
    JobName DB2ADIST
    Direction Inbound
    TTLSGroupActionRef Db2SslGroup
    TTLSEnvironmentActionRef DB12SslEnv
}
TTLSGroupAction Db2SslGroup
{
    TTLSEnabled On
    CtraceClearText On
}
TTLSEnvironmentAction DB12SslEnv
{
    TTLSKeyRingParms
    {
        Keyring DB2AKEYRING
    }
    TTLSENVIRONMENTADVANCEDPARMS
    {
        SSLV2 OFF
        SSLV3 OFF
        TLSV1 OFF
        TLSV1.1 OFF
        TLSV1.2 ON
        ClientAuthType PassThru
    }
    HandShakeRole Server
    TTLSCipherParmsRef Db2SslCipherParms
}
TTLSCipherParms Db2SslCipherParms
{
    V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
TTLSCipherParms StunnelParms
{
    V3CipherSuites4Char C02FC030
}
TTLSGroupAction StunnelGroup
{
    TTLSEnabled On
}
TTLSEnvironmentAction StunnelClientEnvironment
{
    TTLSKeyRingParms
    {
        Keyring DB2USER/DB2AKEYRING
    }
    TTLSEnvironmentAdvancedParms
    {
        SSLv2 Off
        SSLv3 Off
        TLSv1 Off
        TLSv1.1 Off
        TLSv1.2 On
        ClientAuthType PassThru
        CLIENTHANDSHAKESNI REQUIRED
        CLIENTHANDSHAKESNIMATCH OPTIONAL
        CLIENTHANDSHAKESNILIST vpce-0562f7e7c37e1a520-d6i0cik5.vpce-svc-012c4baccc8c64f1e.us-east-2.vpce.amazonaws.com
    }
    HandshakeRole CLIENT
    TTLSCipherParmsRef StunnelParms
    Trace 7
}
TTLSRule StunnelDWP1Sim148
{
    REMOTEPORTRANGE 443
    REMOTEADDR 9.46.195.180
    Direction Outbound
    TTLSGroupActionRef StunnelGroup
    TTLSEnvironmentActionRef StunnelClientEnvironment
}
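The policy above allows only TLSv1.2 and two ECDHE GCM cipher suites; the V3CipherSuites4Char value C02FC030 in StunnelParms is the same pair written as IANA code points. The following added example (not part of this page and not IBM tooling) is a small linter that parses this block syntax and flags anything weaker, plus CtraceClearText On, which traces decrypted data and is a debugging setting. It assumes the keyword/value grammar shown on the page and runs on a constructed sample condensed from the blocks above.

```python
# Lint an AT-TLS policy fragment against this page's baseline (added example, not IBM tooling).
APPROVED = {"C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # IANA codes of the
            "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}   # two suites allowed
NAME_TO_CODE = {v: k for k, v in APPROVED.items()}

def parse(text):
    """{"TYPE NAME": [(KEY, value), ...]}: nested parms blocks fold into their statement;
    keywords are upper-cased because AT-TLS ignores keyword case (the page mixes both)."""
    toks = " ".join(l.split("#", 1)[0] for l in text.splitlines()).split()
    stmts, stack, i = {}, [], 0
    while i < len(toks):
        if toks[i] == "}":
            stack.pop()
            i += 1
        elif toks[i + 1:i + 2] == ["{"]:        # one-word header: nested parms block
            stack.append(stack[-1])
            i += 2
        elif toks[i + 2:i + 3] == ["{"]:        # two-word header: top-level statement
            stack.append(stmts.setdefault(f"{toks[i].upper()} {toks[i + 1]}", []))
            i += 3
        else:                                   # keyword value pair
            stack[-1].append((toks[i].upper(), toks[i + 1]))
            i += 2
    return stmts

def audit(text):
    """Findings for anything weaker than TLSv1.2-only with the two ECDHE-GCM suites."""
    findings = []
    for name, pairs in parse(text).items():
        kv = {k: v.upper() for k, v in pairs}
        if name.startswith("TTLSENVIRONMENTACTION"):
            for proto, want in (("SSLV2", "OFF"), ("SSLV3", "OFF"), ("TLSV1", "OFF"),
                                ("TLSV1.1", "OFF"), ("TLSV1.2", "ON")):
                if kv.get(proto) != want:
                    findings.append(f"{name}: {proto} should be {want}")
        codes = [NAME_TO_CODE.get(v.upper(), v.upper()) for k, v in pairs if k == "V3CIPHERSUITES"]
        for k, v in pairs:
            if k == "V3CIPHERSUITES4CHAR":      # concatenated IANA codes, e.g. C02FC030
                codes += [v[j:j + 4].upper() for j in range(0, len(v), 4)]
        findings += [f"{name}: cipher {c} not approved" for c in codes if c not in APPROVED]
        if kv.get("CTRACECLEARTEXT") == "ON":   # traces decrypted payload; debug use only
            findings.append(f"{name}: CtraceClearText On writes cleartext to CTRACE")
    return findings

# Constructed fragment condensed from the page's blocks (the tokenizer ignores layout).
SAMPLE = """TTLSGroupAction Db2SslGroup { TTLSEnabled On  CtraceClearText On }
TTLSEnvironmentAction DB12SslEnv {
  TTLSEnvironmentAdvancedParms { SSLV2 OFF SSLV3 OFF TLSV1 OFF TLSV1.1 OFF TLSV1.2 ON }
}
TTLSCipherParms StunnelParms { V3CipherSuites4Char C02FC030 }"""
```

Run `audit(SAMPLE)` to see the single finding the page's own settings produce; point it at a full policy file to catch re-enabled protocols or non-approved suites.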