Configuring TCP/IP group access by using the BINDSPECIFIC method

The BINDSPECIFIC method for configuring TCP/IP group access involves assigning dynamic virtual IP addresses (DVIPAs) to listener ports by using the BIND parameter in the PORT statement of the TCP/IP profile.

Before you begin

You should be familiar with general instructions for configuring TCP/IP communications for Db2®. See Connecting systems with TCP/IP.

The steps in this topic require you to specify several types of VIPADYNAMIC statements. For more information, see TCP/IP profile (PROFILE.TCPIP) and configuration statements.

About this task

This task describes how to define the DVIPAs that are needed by a Db2 data sharing group by specifying those DVIPAs on the PORT statement of the TCP/IP profile, and associating those DVIPAs with ports by using the BIND parameter. For example purposes, the data sharing group in this task consists of three members. One of the DVIPAs will function as a sysplex distributor, which is also referred to as a distributing DVIPA (DDVIPA). This task uses IPv4 addressing to illustrate the configuration process, but IPv6 addresses are also supported.
  • Using the BSDS (INADDR_ANY) method is the preferred way to configure TCP/IP group access. However, if you need to restrict clients to using specific IP addresses to target Db2, use the BINDSPECIFIC method. The BINDSPECIFIC method ensures that the only IP addresses that can be used to target any member of the data sharing group are member-specific IP addresses (DVIPAs) or the group IP address (DDVIPA). No other IP address, including those that can reach an LPAR where a Db2 subsystem resides, can be used. The BINDSPECIFIC method provides this level of control by binding its TCP/IP listener sockets to the group and member IP addresses rather than to the INADDR_ANY address.
  • The BINDSPECIFIC and BSDS methods are mutually exclusive; use only one of these methods to define a DVIPA.
    Important: The BINDSPECIFIC method requires that no IP addresses are specified in the BSDS. If any IP addresses are specified in the BSDS, the DDF TCPIP listener fails to start, and Db2 issues message DSNL512I.
  • This task is typically performed by or in consultation with a network communications administrator.

Procedure

  1. Reserve the SQL port and resynchronization ports for each member of the data sharing group, and bind IP addresses to each of these port statements. If your environment is set up to receive SSL connection requests, also reserve the secure SQL port.

    Edit the PROFILE.TCPIP file for each LPAR in the sysplex where a member of the data sharing group could be started, and add entries for these ports and IP addresses to the PORT reservation statement as shown in the following example:

    PORT
        446 TCP DB2A SHAREPORT BIND 10.1.1.1   /* DRDA port for SQL requests */
        448 TCP DB2A SHAREPORT                 /* Secure SQL port for SSL requests */
       5001 TCP DB2A BIND 10.1.1.2             /* Resync port; unique for each member */
        446 TCP DB2B SHAREPORT BIND 10.1.1.1  
        448 TCP DB2B SHAREPORT
       5002 TCP DB2B BIND 10.1.1.3
        446 TCP DB2C SHAREPORT BIND 10.1.1.1  
        448 TCP DB2C SHAREPORT
       5003 TCP DB2C BIND 10.1.1.4
    

    In this example, ports and IP addresses are reserved for a data sharing group that includes members DB2A, DB2B, and DB2C. The following ports and IP addresses are reserved for each of these members:

    • Port 446 is the DRDA port number for initially receiving SQL requests (TCPPORT) and also the port where RESTful service requests are processed. 10.1.1.1 is the listener address that is assigned to port 446. It functions as the sysplex distributor address (DDVIPA), which is also known as the group IP address.
    • Ports 5001, 5002, and 5003 are the resynchronization ports (RESPORT). 10.1.1.2, 10.1.1.3, and 10.1.1.4 are the IP addresses associated with each of these ports, which function as the member IP addresses. The RESPORTs and IP addresses must be unique for each member of the data sharing group.
    • Port 448 is the secure DRDA port number for receiving SSL connection requests (SECPORT). You need to reserve this port only if you configured Db2 to accept connection requests that use the SSL protocol. This port can also be used to accept RESTful service requests over connections that use the SSL protocol.
    Note: Only the main PORT (TCPPORT) and the member RESPORTs require the BIND specification.

    If more than one member is started on the same LPAR, you must specify the SHAREPORT parameter on the DRDA port statement and on the secure SQL port statement if it is used. The SHAREPORT parameter permits multiple listeners on the same port within the same LPAR TCP/IP configuration.

  2. Designate an LPAR of the sysplex to be the primary sysplex distributor for the group IP address. This LPAR's activated PROFILE.TCPIP VIPADYNAMIC statements must include the VIPADISTRIBUTE statement and a related VIPADEFINE statement for the group IP address. For example:
    VIPADEFINE 255.255.255.255 10.1.1.1 
    VIPADISTRIBUTE DEFINE 10.1.1.1 PORT 446 448 DESTIP ALL
    
    In this example:
    • The VIPADEFINE statement designates the LPAR where this statement is activated to be the primary sysplex distributor of the sysplex.
    • The VIPADISTRIBUTE statement specifies that 10.1.1.1 is to be a distributing IP address and includes in its definition the DRDA SQL/REST port numbers and secure port numbers that you reserved in a previous step.
    • DESTIP ALL specifies that all TCP/IP stacks that are active in the sysplex and that contain servers that are listening on any of the specified PORTs can receive the connection requests that target the IP address.
  3. Define a range of member IP addresses for use by the data sharing group.
    In the PROFILE.TCPIP file for each LPAR in the sysplex where a member of the data sharing group can be started, use the VIPARANGE statement to specify the range of IP addresses that will be available to the data sharing group. The IP addresses that you specify here must match the IP addresses in the BIND specifications of the RESPORTs in step 1. For example:
    VIPARANGE DEFINE 255.255.255.255 10.1.1.2
    VIPARANGE DEFINE 255.255.255.255 10.1.1.3
    VIPARANGE DEFINE 255.255.255.255 10.1.1.4
    

    Because this data sharing group includes three members, three VIPARANGE statements are required.

  4. Designate one or more LPARs of the sysplex to provide backup sysplex distributor capability for the group IP address. The LPARs’ activated PROFILE.TCPIP VIPADYNAMIC statements must include a VIPADISTRIBUTE statement and a related VIPABACKUP statement for the group IP address. For example:
    VIPABACKUP 1 10.1.1.1
    VIPADISTRIBUTE DEFINE 10.1.1.1 PORT 446 448 DESTIP ALL
    
    In this example:
    • The VIPABACKUP statement designates this LPAR as a backup sysplex distributor. The number 1 indicates the priority of this member.
    • The VIPADISTRIBUTE statement matches the statement for the primary member.

Example

The following example PROFILE.TCPIP PORT and VIPADYNAMIC statements show how you might define the ports and IP addresses to configure TCP/IP for group access by using the BINDSPECIFIC method. The values that are used in these examples match the values that are used in the procedure section of this topic.

z/OS LPAR1: Primary sysplex distributor
PORT
   446 TCP DB2A SHAREPORT BIND 10.1.1.1
   448 TCP DB2A SHAREPORT
 5001 TCP DB2A BIND 10.1.1.2
   446 TCP DB2B SHAREPORT BIND 10.1.1.1
   448 TCP DB2B SHAREPORT
 5002 TCP DB2B BIND 10.1.1.3
   446 TCP DB2C SHAREPORT BIND 10.1.1.1
   448 TCP DB2C SHAREPORT
 5003 TCP DB2C BIND 10.1.1.4
VIPADYNAMIC
  VIPARANGE DEFINE 255.255.255.255 10.1.1.2
  VIPARANGE DEFINE 255.255.255.255 10.1.1.3
  VIPARANGE DEFINE 255.255.255.255 10.1.1.4
  VIPADEFINE 255.255.255.255 10.1.1.1
  VIPADISTRIBUTE DEFINE 10.1.1.1 PORT 446 448 DESTIP ALL
ENDVIPADYNAMIC

z/OS LPAR2: Backup sysplex distributor 1
PORT
   446 TCP DB2A SHAREPORT BIND 10.1.1.1
   448 TCP DB2A SHAREPORT
 5001 TCP DB2A BIND 10.1.1.2
   446 TCP DB2B SHAREPORT BIND 10.1.1.1
   448 TCP DB2B SHAREPORT
 5002 TCP DB2B BIND 10.1.1.3
   446 TCP DB2C SHAREPORT BIND 10.1.1.1
   448 TCP DB2C SHAREPORT
 5003 TCP DB2C BIND 10.1.1.4
VIPADYNAMIC
  VIPARANGE DEFINE 255.255.255.255 10.1.1.2
  VIPARANGE DEFINE 255.255.255.255 10.1.1.3
  VIPARANGE DEFINE 255.255.255.255 10.1.1.4
  VIPABACKUP 2 10.1.1.1
  VIPADISTRIBUTE DEFINE 10.1.1.1 PORT 446 448 DESTIP ALL
ENDVIPADYNAMIC

z/OS LPAR3: Backup sysplex distributor 2
PORT
   446 TCP DB2A SHAREPORT BIND 10.1.1.1
   448 TCP DB2A SHAREPORT
 5001 TCP DB2A BIND 10.1.1.2
   446 TCP DB2B SHAREPORT BIND 10.1.1.1
   448 TCP DB2B SHAREPORT
 5002 TCP DB2B BIND 10.1.1.3
   446 TCP DB2C SHAREPORT BIND 10.1.1.1
   448 TCP DB2C SHAREPORT
 5003 TCP DB2C BIND 10.1.1.4
VIPADYNAMIC
  VIPARANGE DEFINE 255.255.255.255 10.1.1.2
  VIPARANGE DEFINE 255.255.255.255 10.1.1.3
  VIPARANGE DEFINE 255.255.255.255 10.1.1.4
  VIPABACKUP 1 10.1.1.1
  VIPADISTRIBUTE DEFINE 10.1.1.1 PORT 446 448 DESTIP ALL
ENDVIPADYNAMIC
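
Because the BINDSPECIFIC method only restricts access when every statement in the procedure agrees with the others, the following Python check cross-references one LPAR's PORT and VIPADYNAMIC statements before the profile is activated. It is an added example, not part of the original topic or IBM-supplied code. The function name `lint` and its `tcpport` and `secport` parameters are hypothetical, the parser handles only the statement forms shown on this page, and every reserved port other than those two is assumed to be a resynchronization port.

```python
import re

# Constructed input: the page's LPAR1 profile, trimmed to members DB2A and DB2B.
GOOD = """\
PORT
   446 TCP DB2A SHAREPORT BIND 10.1.1.1   /* DRDA port for SQL requests */
   448 TCP DB2A SHAREPORT
  5001 TCP DB2A BIND 10.1.1.2
   446 TCP DB2B SHAREPORT BIND 10.1.1.1
   448 TCP DB2B SHAREPORT
  5002 TCP DB2B BIND 10.1.1.3
VIPADYNAMIC
  VIPARANGE DEFINE 255.255.255.255 10.1.1.2
  VIPARANGE DEFINE 255.255.255.255 10.1.1.3
  VIPADEFINE 255.255.255.255 10.1.1.1
  VIPADISTRIBUTE DEFINE 10.1.1.1 PORT 446 448 DESTIP ALL
ENDVIPADYNAMIC
"""

def lint(profile, tcpport=446, secport=448):
    """Return BINDSPECIFIC consistency findings for one LPAR's profile text."""
    text = re.sub(r"/\*.*?\*/", "", profile)                 # drop /* ... */ comments
    def find(pattern):
        return re.findall(pattern, text, re.M)
    ports = [(int(p), job, rest) for p, job, rest in find(r"^\s*(\d+)\s+TCP\s+(\S+)(.*)$")]
    ranges = set(find(r"^\s*VIPARANGE\s+DEFINE\s+\S+\s+(\S+)"))
    owned = set(find(r"^\s*VIPA(?:DEFINE|BACKUP)\s+\S+\s+(\S+)"))  # primary or backup distributor
    dist = {a: set(map(int, pl.split()))
            for a, pl in find(r"^\s*VIPADISTRIBUTE\s+DEFINE\s+(\S+)\s+PORT\s+([\d ]+)")}
    jobs, member_ip, out = {}, {}, []
    for port, job, _ in ports:
        jobs.setdefault(port, set()).add(job)
    for port, job, rest in ports:
        m = re.search(r"\bBIND\s+(\S+)", rest)
        bind = m.group(1) if m else None
        if len(jobs[port]) > 1 and "SHAREPORT" not in rest.split():
            out.append(f"{port}/{job}: port shared by several members but SHAREPORT is missing")
        if port == secport:
            continue                                         # per the page, SECPORT needs no BIND
        if bind is None:
            out.append(f"{port}/{job}: BIND is required on TCPPORT and RESPORT entries")
        elif port == tcpport and (bind not in owned or port not in dist.get(bind, ())):
            out.append(f"{port}/{job}: {bind} lacks VIPADEFINE/VIPABACKUP or VIPADISTRIBUTE for this port")
        elif port != tcpport:
            if bind not in ranges:
                out.append(f"{port}/{job}: member address {bind} has no VIPARANGE statement")
            if member_ip.setdefault(bind, job) != job:
                out.append(f"{port}/{job}: {bind} is already bound by {member_ip[bind]}")
    return out
```

Calling `lint(GOOD)` returns an empty list; a profile in which DB2B's resynchronization port is bound to 10.1.1.2 instead of 10.1.1.3 returns one finding that names DB2A as the existing owner of that address.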