Configuring Db2 data sharing groups for member-specific and group access with RACF PassTickets

You can use PassTickets for both member-specific and group access to a Db2 data sharing group by adopting an appropriate naming scheme and using a distributed dynamic virtual IP address (DDVIPA) for the group.

Procedure

  1. Configure the data sharing group with a common location name and port, such as LOCATION name MYLOC1 and port 446.
  2. Install each data sharing member on a separate LPAR. Alternatively, you can specify the GRPIPV4 and IPV4 combination in the BSDS for each member.
  3. Configure the data sharing members with a common IPNAME specification, or if using SNA communications, a common LUNAME (GENERIC) specification, in the BSDS for each member.
    You must also both define and start a location alias for each member, as shown in the following example Db2 data sharing group.
    Member  RESPORT (BSDS)  IPNAME or GENERIC (BSDS)  Location alias  Alias port
    DB2A    5001            SYEC1GLU                  MYLOC1_DB2A     1446
    DB2B    5002            SYEC1GLU                  MYLOC1_DB2B     2446
    DB2C    5003            SYEC1GLU                  MYLOC1_DB2C     3446
  4. Create a DDVIPA to serve the Sysplex, which can spray multiple ports. You can use one of the following approaches:
    • Define the VIPADISTRIBUTE independently of the data sharing group.
    • Specify the VIPADISTRIBUTE address as the GRPIPV4 in the BSDS for each member.
    For the example group, define the VIPADISTRIBUTE with a PORT clause that contains the following list of port numbers: 446, 1446, 2446, and 3446. The VIPADISTRIBUTE IP address is 1.1.1.100. For more information, see Supported methods for specifying DVIPAs.
  5. Create and activate identical PTKTDATA profiles named SYEC1GLU (the GENERIC LUNAME or IPNAME) on both the serving Db2 sysplex and the requesting Db2 sysplex.
  6. Add rows in the communications database (CDB) tables of the requesting Db2 Sysplex, as shown in the following example.
    SYSIBM.LOCATIONS
    LOCATION     LINKNAME  PORT
    MYLOC1       SYEC1GLU  446
    MYLOC1_DB2A  SYEC1GLU  1446
    MYLOC1_DB2B  SYEC1GLU  2446
    MYLOC1_DB2C  SYEC1GLU  3446
    SYSIBM.IPNAMES
    LINKNAME  SECURITY_OUT  IPADDR
    SYEC1GLU  R             1.1.1.100

Results

When you issue CONNECT TO MYLOC1 with the example configuration, the requesting Db2 contacts any of the serving Db2 members listening on port 446. Because the LINKNAME matches the IPNAME or GENERICLU of any serving Db2 member, the PassTicket created on the requesting system can be evaluated on the serving system.

When you issue CONNECT TO MYLOC1_DB2A, the DDVIPA directs the connection to the DB2A member only. Because the PassTicket on the requesting system was generated under the LINKNAME SYEC1GLU, and DB2A has a GENERICLU of SYEC1GLU, DB2A can evaluate the PassTicket successfully. The same is true when accessing the other members specifically.
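As an added example (not IBM documentation or Db2 code), the following Python models the two conditions that the Results above rely on: the DDVIPA routes a CONNECT by port to one member or to all of them, and the PassTicket is only accepted when the requester's LINKNAME equals the target member's IPNAME/GENERICLU and a PTKTDATA profile of that name exists on both sysplexes. The member, port and CDB values are constructed from the example on this page; the `Member` type and the two check functions are this example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Member:
    name: str             # Db2 member name
    ipname: str           # IPNAME or GENERIC LUNAME in the member's BSDS
    ports: frozenset      # ports the member listens on: common port + alias port

# Serving sysplex, constructed from the example on this page.
MEMBERS = [
    Member("DB2A", "SYEC1GLU", frozenset({446, 1446})),
    Member("DB2B", "SYEC1GLU", frozenset({446, 2446})),
    Member("DB2C", "SYEC1GLU", frozenset({446, 3446})),
]
DDVIPA_PORTS = {446, 1446, 2446, 3446}      # VIPADISTRIBUTE PORT clause

# Requesting sysplex CDB: SYSIBM.LOCATIONS as LOCATION -> (LINKNAME, PORT).
LOCATIONS = {
    "MYLOC1":      ("SYEC1GLU", 446),
    "MYLOC1_DB2A": ("SYEC1GLU", 1446),
    "MYLOC1_DB2B": ("SYEC1GLU", 2446),
    "MYLOC1_DB2C": ("SYEC1GLU", 3446),
}
# PTKTDATA profile names activated on each sysplex (step 5: they must be equal).
REQUESTER_PTKTDATA = {"SYEC1GLU"}
SERVER_PTKTDATA = {"SYEC1GLU"}

def reachable_members(location, members=MEMBERS):
    """Names of the members the DDVIPA can route CONNECT TO `location` to."""
    _, port = LOCATIONS[location]
    return {m.name for m in members if port in m.ports}

def check_location(location, members=MEMBERS):
    """Problems that would stop a PassTicket CONNECT TO `location` from being
    accepted; an empty list means the CDB row is consistent with the group."""
    linkname, port = LOCATIONS[location]
    problems = []
    if port not in DDVIPA_PORTS:
        problems.append(f"port {port} is not sprayed by the DDVIPA")
    targets = [m for m in members if port in m.ports]
    if not targets:
        problems.append(f"no member listens on port {port}")
    # PassTicket is generated under LINKNAME (requester) and evaluated under the
    # member's IPNAME/GENERICLU (server): names must match, profile on both sides.
    if linkname not in REQUESTER_PTKTDATA or linkname not in SERVER_PTKTDATA:
        problems.append(f"PTKTDATA profile {linkname} missing on one sysplex")
    for m in targets:
        if m.ipname != linkname:
            problems.append(f"{m.name}: IPNAME {m.ipname} != LINKNAME {linkname}")
    return problems
```

Passing a member list in which one member has a different IPNAME shows why step 3 requires a common IPNAME: the group location MYLOC1 then fails for that member while the member-specific aliases of the other members still verify.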