Connectivity Supplement

Setting Up the Application Server in a VM Environment

The application server support in DB2 for VM allows DB2 for VM to act as a server for DRDA application requesters. The application requester connected to an DB2 for VM application server can be one of the following:

• A DB2 for VM requester

• A DB2 Universal Database for OS/390 requester

• A OS/400 requester

• A DB2 for Windows 95 & Windows NT requester

• Any DB2 family application requester, including DB2 CONNECT, or any other product that supports DRDA Application Requester protocols can connect to a DB2 for VM application server.

For any application requester connected to a DB2 for VM application server, the DB2 for VM application server allows the application requester to access database objects (such as tables) stored locally at the DB2 for VM application server. The application requester must create a package containing the application's SQL statements at the DB2 for VM application server before the connection can be established.

For the DB2 for VM Application Server to process distributed database requests, you must take the following steps:

1. Define the Application Server to the local communication subsystem.

2. Provide the necessary security.

3. Provide for data representation.

Provide Network Information

Defining the Application Server

For the Application Server to receive distributed database requests, define the Application Server to the local communications subsystem and assign a unique RDB_NAME.

Follow these steps to define the application server:

1. Define the DB2 for VM application server to the SNA network. After selecting the gateway name and RDB_NAME for the DB2 for VM Application Server, follow the procedures described in Provide Network Information. The RDB_NAME you choose for DB2 for VM must be supplied to all users (Application Requesters) that might require connection to the DB2 for VM Application Server.

   The NETID is defined to VTAM as a startup parameter, and all distributed requests from the Application Requester are routed to it correctly. The DB2 for VM Application Server does not set the NETID.

   The DB2 for VM Application Server does not determine which gateway to use to route the inbound distributed requests from the Application Requester. The Application Requester always controls this. In the case of an DB2 for VM Application Requester, the CMS Communications Directory specifies it using the :luname and :tpn tags.

   In order for the DB2 for VM Application Server to support distributed unit of work activity, the Application Requester must select an AVS gateway that has been defined to VTAM using the SYNCLVL=SYNCPT parameter. Make sure that the AVS gateway has been defined to support distributed units of work.

2. Create a CRR recovery server used to manage distributed unit of work activity for DB2 for VM Application Servers on this VM system. To do this, perform the steps to post-install load the IBM-supplied servers and file pools described in the VM/ESA Installation Guide. This includes defining a CRR server (VMSERVR) and a CRR file pool (VMSYSR). Make sure that when starting the CRR recovery server, an LUNAME is specified that equals the name of an AVS gateway for which SYNCLVL=SYNCPT was specified.

3. Ensure that the CP directory for the application server machine has an IUCV *IDENT statement. This identifies the server as a global resource.

4. Create an entry in the VTAM mode name table for each mode name that an Application Requester requests. These entries describe session characteristics such as RU size, pacing count, and class of service for a particular mode name.

5. Define session limits for the Application Requesters that connect to the DB2 for VM Application Server. The VTAM APPL statement defines default session limits for all partner systems. To establish unique defaults for a particular partner, use the AGW CNOS command from the AVS virtual machine running at the Application Server site. (Session limits are usually requested by the application requester.)

   After choosing RU sizes, session limits, and pacing counts, consider the impact these values have on the VTAM IOBUF pool.

Mapping the server name to a RESID:  

A resource ID (RESID) is the VM term for transaction program name. In the VM environment, it is commonly defined as an alphanumeric name up to 8 bytes long. You normally define a RESID that is identical to the server name, to keep administration easy. Figure 34 shows a sample RESID names file.

Figure 34. Example of a RESID names file

+--------------------------------------------------------------------------------+ | RESID NAMES A1 V 132 Trunc=132 Size=4 Line=1 Col=1 Alt=3 | |====> | |00001 :nick.MTLTPN | |00002 :dbname.MONTREAL_SALES_DB | |00003 :resid.SALES | |00004 | +--------------------------------------------------------------------------------+

See Figure 33 for the Communications Directory entry that defines this dbname and RESID (as the TPN). If the application server name cannot be the same as the RESID, then the DB2 for VM application server uses a RESID NAMES file to provide the mapping. This mapping is needed if you:

• Use a RESID different from the server name

• Use a server name longer than 8 bytes

• Use a RESID with a 4-byte hexadecimal value, such as the default DRDA TPN X'07F6C4C2'

During installation, the default is to use the server name specified on the SQLDBINS EXEC as the RESID. To create a mapping entry in the RESID NAMES file, specify the RESID parameter on SQLDBINS.

When you start up the database using SQLSTART DB(server_name), DB2 for VM looks up the corresponding RESID and informs VM that this is the resource that VM is to control. If an entry is not found in the RESID NAMES file, DB2 for VM assumes the RESID is the same as the server name and tells VM so. For more information, see the DB2 for VM System Administration manual.

Preparing and starting the DB2 for VM Application Server

The DB2 for VM application server may not have DRDA support installed. Follow the following steps to prepare the DB2 for VM application server for DRDA communications:

1. Use the ARISDBMA exec to install the DRDA support:

   • Use "ARISDBMA DRDA(ARAS=Y)" if installing support for the requester and server.

   • Use "ARISDBMA DRDA(AS=Y)" if installing support for the server only.

   See the VM/ESA System Administration manual for details.

2. After issuing ARISDBMA, rebuild the DB2 for VM ARISQLLD LOADLIB. See the chapter Using a DRDA Environment of the manual DB2 for VM System Administration for more details.

Provide Security

When an Application Requester routes a distributed database request to the DB2 for VM application server, the following security considerations can apply:

• Inbound end user name translation

• Network security parameters

• Database manager security

• Security enforced by an external security subsystem

End User Names

In both SQL and LU 6.2, end users are assigned a 1- to 8-byte user ID. This user ID must be unique within a particular operating system, but does not need to be unique throughout the SNA network. To eliminate naming conflicts, DB2 for VM can optionally use the user ID translation function provided by AVS, but only under the following conditions:

• The DB2 for VM Application Server must run in a VM/ESA environment.

• The inbound connection request must be routed through an AVS gateway.

• The partner Application Requester must use conversation SECURITY=SAME (also known as already verified in SNA terminology).

If a connection is routed to a server through AVS using the SECURITY=SAME option, then AVS user ID translation is required. The AGW ADD USERID command, issued from the AVS machine, must provide security clearance to the connecting users coming from a specific remote LU or AVS gateway. A mapping must exist for all inbound LUs and user IDs that connect using SECURITY=SAME. The command is flexible; you can accept all user IDs from a particular LU or all remote LUs generically. Or you can accept only a specific set of user IDs from a specific LU.

If you use the AGW ADD USERID command to authorize the inbound (already-verified) user IDs at the local AVS machine, no validation is performed by the host. This means that the authorized ID does not necessarily exist on the host, but the connection is accepted anyway.

Two ways to change the current AVS user ID authorization are:

• Stop AVS, using the AGW STOP command. This nullifies the user ID authorization in its entirety.

• Delete the user ID, using the AGW DELETE USERID command.

As an example, the case of identical user IDs in different cities shows how the AVS translation function can resolve a naming conflict. Suppose a user exists with an ID of JONES in the Toronto system, and another user exists with the same ID in the Montreal system. If JONES in Montreal wants to access data in the Toronto system, the following actions at the Toronto system eliminate the naming conflict and prevent JONES in Montreal from using the privileges granted to JONES at the Toronto system:

1. The AVS operator must use the AGW ADD USERID command to translate the ID of the Montreal user to a local user ID. For example, if the operator issues AGW ADD USERID MTLGATE JONES MONTJON, the Montreal user is known as MONTJON at the Toronto system. If all other Montreal users are allowed to connect (connecting via remote LU MTLGATE) and are known locally by their remote user IDs, then the operator must issue the command AGW ADD USERID MTLGATE * =. These AVS commands can also be added to the AVS profile so that they are executed automatically when AVS is started.

2. The DBA must use the DB2 for VM GRANT command to grant a set of privileges specifically for the translated user ID, MONTJON in this particular case.

These actions can also be performed at the Montreal system to ensure JONES in Toronto does not use privileges granted to JONES in Montreal when accessing remote data at the Montreal system.

The AVS commands that support user ID translation are described in VM/ESA Connectivity Planning, Administration and Operation.

Network Security

LU 6.2 provides three major network security features:

• Session-level security

• Conversation-level security

• Encryption

See Network Security for the discussion on how to specify session-level security for DB2 for VM. The DB2 for VM Application Server uses session-level security the same way the DB2 for VM Application Requester does.

The Application Requester can send either an already-verified user ID (SECURITY=SAME) or a user ID and password (SECURITY=PGM). If a user ID and password are sent, CP, RACF, or an equivalent validates them with the VM directory at the Application Server host. If validation fails, the connection request is rejected; otherwise it is accepted. If the request contains only a user ID, DB2 for VM accepts the request without validating the user ID.

Note:

DB2 for VM does not provide encryption capability because VM/ESA does not support encryption.

Database Manager Security

The DB2 for VM Application Server verifies if the user ID given by VM has CONNECT authority to access the database, and then rejects the connection if it does not have authority.

As the owner of database resources, the DB2 for VM Application Server controls the database security functions for SQL objects residing at the DB2 for VM Application Server. Access to objects managed by DB2 for VM is controlled through a set of privileges, which are granted to users by the DB2 for VM system administrator or the owner of the particular object. The DB2 for VM Application Server controls two classes of objects:

• Packages: Individual end users are authorized to create, replace, and run packages with the DB2 for VM GRANT statement. When an end user creates a package, that user is automatically authorized to run or replace a package. Other end users must be specifically authorized to run a package at the DB2 for VM Application Server with the GRANT execute statement. The RUN privilege can be granted to individual end users or to PUBLIC, which allows all end users to run the package.

  When an application is preprocessed on DB2 for VM, the package contains the SQL statements contained in the application program. These SQL statements are classified as:

  • Static SQL: This means the SQL statement and the SQL objects referenced by the statement are known at the time the application is preprocessed. The creator of the package must have authority to execute each of the static SQL statements in the package.

    When an end user is granted the privilege to execute a package, the end user automatically has the authority to execute each of the static SQL statements contained in the package. Thus, end users do not need any DB2 for VM table privileges if the package contains only static SQL statements.

  • Dynamic SQL: Describes an SQL statement that is not known until the package is run. The SQL statement is built by the program and dynamically preprocessed to DB2 for VM with the SQL PREPARE statement or the EXECUTE IMMEDIATE statement. When an end user runs a dynamic SQL statement, the user must have the table privileges required to execute the SQL statement. Because the SQL statement is not known when the package is created, the end user is not automatically given the required authority by the package owner.

• SQL objects: These can be tables, views, and synonyms. DB2 for VM users can be granted various levels of authority to create, delete, change, or read individual SQL objects. This authority is required to preprocess static SQL statements or execute dynamic SQL statements.

Security Subsystem

The use of this subsystem by the DB2 for VM application server is optional. If the application server needs to check the identity of the application requester LU name, VTAM calls the security subsystem to perform the partner LU verification exchange. The decision to perform partner LU verification is made depending on the value specified in the VERIFY parameter of the VTAM APPL statement for the gateway that the DB2 for VM application server uses to receive inbound distributed database requests.

The security subsystem can also be called by CP to validate the user ID and password sent from the application requester. If the security subsystem is RACF and you do not have a RACF system profile, the validation is performed by RACF. If you do have a RACF system profile, for example, RACFPROF, use the following instructions to request this validation from RACF:

   RALTER VMXEVENT RACFPROF DELMEM (APPCPWVL/NOCTL                  
                                                                    
   RALTER VMXEVENT RACFPROF ADDMEM (APPCPWVL/CTL                    
                                                                    
   SETEVENT REFRESH RACFPROF

Represent Data

You must choose the most appropriate default CHARNAME and CCSID for your installation. Using the most appropriate values ensures the integrity of the character data representation and reduces the performance overhead associated with CCSID conversion.

For example, if your DB2 for VM application server is accessed only by local users whose terminal controllers are generated with code page 37 and character set 697 (CP/CS 37/697) for the US ENGLISH characters, then you should set the application server default CHARNAME to ENGLISH. This is because CP/CS 37/697 corresponds to the CCSID of 37, which corresponds to the CHARNAME of ENGLISH.

To eliminate unnecessary CCSID conversion, choose an application server default CCSID to be the same as the CCSID of the application requesters that access your application server most often.

Following is an example of how these two goals can be in conflict:

An application server has less than five application requesters that are local (for VM application requesters, the protocol parameter would be set to SQL/DS) and many (around 100) application requesters that access the application server using the DRDA protocol. The local application requesters have controllers that are defined with CP/CS 37/697. The remote application requesters use CCSID 285.

If the application server default CHARNAME is set to ENGLISH, this keeps the data integrity for the local application requesters, but incurs CCSID conversion overhead for all the remote application requesters.

If the application server default CHARNAME is set to UK-ENGLISH, this avoids the CCSID conversion overhead incurred for all the remote application requesters, but causes data integrity problems for the local application requesters--certain characters are not displayed correctly at the local application requesters; for example, a British pound sign is displayed as a dollar sign.

To display the current CCSID of the system, query the SYSTEM.SYSOPTIONS table. The application server default CCSID is usually the value of CCSIDMIXED. If this value is zero, then the system default CCSID is the value of CCSIDSBCS. The CHARNAME, CCSIDSBCS, CCSIDMIXED, and CCSIDGRAPHIC values in this table are updated to the values used as the system defaults every time the database is started. The values in this table might not always be the system defaults. A user with DBA authority might have changed these values, though this is not recommended. To change the application server default CCSID, you must specify the CHARNAME parameter of the SQLSTART EXEC the next time the application server is started. See the VM/ESA System Administration manual for more detailed information.

For a newly installed database, the application server default CHARNAME is INTERNATIONAL, and the application server default CCSID is 500. This is probably not correct for your system. The default CHARNAME for a migrated system is ENGLISH, and the default CCSID is 37.

Checklist for Enabling a DB2 for VM DRDA Application Server

The following checklist summarizes the steps needed to enable a DRDA Application Server for DRDA communications, starting with the assumption that your VM system is installed with ACF/VTAM as its teleprocessing access method, and that VTAM definitions needed to communicate with the remote systems, such as NCP definitions are completed.

1. Define the local AVS gateway to VTAM.

2. Create a CRR Recovery Server. Make sure that the LUNAME specified by the CRR Recovery Server matches the name of an AVS gateway that can handle SYNCLVL=SYNCPNT conversations.

3. Install DRDA support into the DB2 for VM Application Server using the ARISDBMA exec.

4. Add an IUCV *IDENT statement to the CP directory of the VM server machine so it can identify itself as a global resource.

5. Define local user IDs and passwords to CP that will be used by remote Application Requesters. If necessary, map any remote user IDs to local VM user IDs using the AVS AGW ADD USERID command.

6. Create an entry in the VTAM mode name table for each mode that an Application Requester requests.

7. Start up VTAM and AVS so that VM applications can communicate remotely through the SNA network.

8. Establish session limits for all partner systems where the Application Requesters are located.

9. Start up the DB2 for VM application server with the DBNAME, PROTOCOL and SYNCPNT parameters. When the database manager has started up, make sure that it has identified itself as a GLOBAL resource.

10. Prepare applications on the DB2 for VM Application Server.

[ DB2 List of Books | Search the DB2 Books ]