Connectivity Supplement

Setting Up the Application Server in a VSE Environment

The application server support for DB2 for VSE allows DB2 for VSE to act as a server for DRDA application requesters. The application requester connected to a DB2 for VSE application server can be one of the following:

A DB2 for VM requester
A DB2 Universal Database for OS/390 requester
A DB2 requester
A OS/400 requester
Any DB2 family application requester, including DB2 CONNECT, or any other product that supports DRDA Application Requester protocols can connect to a DB2 for VSE application server.

Provide Network Information

The following steps are required to establish the network connection to the VSE application server:

Establish CICS LU 6.2 sessions to the remote systems
Define the Application Server

Establishing CICS LU 6.2 sessions

The DB2 for VSE application server communicates with its application requester via CICS LU 6.2 links. The CICS partition used for this purpose must have LU 6.2 links to the remote systems with the application requesters. The CICS/VSE Intercommunications Guide contains details on defining and establishing CICS LU 6.2 links with remote systems.

CICS installation and resource definition for LU 6.2 communications:

Install modules required for ISC.
You must include the following modules in your system by using SIT or initialization overrides:
- The EXEC interface programs (specify EXEC=YES or allow it to default).
- The intersystem communication programs (specify ISC=YES).
- The terminal control program generated by DFHSG PROGRAM=TCP. A version specifying ACCMETH=VTAM, CHNASSY=YES, and VTAMDEV=LUTYPE6 is required.

Install CICS Restart Resynchronization Support

If the CICS Restart Resynchronization Support was not enabled when the CICS system was installed, you have to update the following CICS tables to enable the CICS Restart Resynchronization capability:

   DFHJCT    Journal Control Table                                
                                                                  
             A journal used for the CICS system log must be       
             defined in the DFHJCT specifying JFILEID=SYSTEM in a 
             DFHJCT TYPE=ENTRY macro.                             
                                                                  
   DFHPCT    Program Control Table                                
                                                                  
             To generate the DFHPCT entry to use the CICS Restart 
             Resynchronization capability, enter:                 
                                                                  
                 DFHPCT TYPE=GROUP,FN=RMI                         
                                                                  
   DFHPPT    Processing Program Table                             
                                                                  
             To generate the DFHPPT entry to use the CICS Restart 
             Resynchronization capability, enter:                 
                                                                  
                 DFHPPT TYPE=GROUP,FN=RMI                         
                                                                  
   DFHSIT    System Initialization Table.                         
                                                               
             The DFHSIT macro must include the JCT parameter.
             Specify JCT=YES or JCT=(jj<,....>)  where jj is the
             SUFFIX parameter value specified in th DFHJCT
             TYPE=INITIAL macro defining the CICS system log
             journal data set.

Define CICS to VTAM for VSE.

To support LU 6.2 connections, CICS must be defined to VTAM for VSE as a VTAM application major node. The application major node name coded in the VTAM APPL statement is the APPLID for the CICS partition specified in the SIT by the APPLID parameter. It is the LU name used by VTAM (and hence used by the CICS communication partners) to identify the CICS system.

See Figure 36.

Figure 36. Example VTAM APPL Definition for CICS

VBUILD TYPE=APPL ************************************************************************ * * * LU Definition for Toronto VSE SQL/DS System * * * ************************************************************************ VSEGATE APPL ACBNAME=VSEGATE, AUTH=(ACQ,SPO,VPACE), APPC=NO, SONSCIP=YES, ESA=30 MODTAB=RDBMODES, PARSESS=YES, VPACING=0

AUTH=(ACQ,SPO,VPACE)

ACQ allows CICS to acquire LU 6.2 sessions.

SPO allows CICS to issue the MODIFY vtamname USERVAR command.

VPACE allows pacing of the intersystem flows.

ESA=30

This option specifies the number of network-addressable units that CICS can establish sessions. The number must include the total number of parallel sessions for this CICS system.

PARSESS=YES

Specifies LUTYPE6 parallel session support.

SONSCIP=YES

Specifies session outage notification (SON) support. SON enables CICS, in particular cases, to recover a failed session without requiring operator intervention.

APPC=NO

This is necessary to let CICS use VTAM macros. CICS does not issue APPCCMD macro instructions.

Note:

SYNCLVL=SYNCPT is not required since APPC=NO is specified. CICS manages all SYNCPT syncpoint level activity for distributed units of work.

Define links to remote systems using LU 6.2 protocol.
1. Define all remote LUs to CICS.
  Define all remote LUs using the CEDA DEFINE CONNECTION command on resource definition online online (RDO):
  - Specify the remote LU name on the NETNAME parameter.
  - Specify PROTOCOL=APPC to ensure that LU6.2 protocols are used.
  - Specify AUTOCONNECT=YES and INSERVICE=YES so that the connection, when installed, is put in service automatically and so that sessions are automatically acquired.
  - Specify the conversation level security using the ATTACHSEC parameter. ATTACHSEC=IDENTIFY is the minimum security level required by DRDA.
  - Specify the session level security using the BINDPASSWORD parameter. The default is no session-level security.
  For more details on conversation and session level security, refer to Provide Security.
2. Define groups of LU 6.2 sessions with the remote system.
  For each connection defined above, define groups of parallel sessions for each link to the remote LU using the CEDA DEFINE SESSIONS command:
  - Specify the name of the connection (defined above) on the CONNECTION parameter.
  - Specify the VTAM logmode table entry on the MODENAME parameter.
  - Use the MAXIMUM parameter to specify:
    - The maximum number of sessions
    - The maximum number of sessions that are to be supported as contention winners.
    Specify the values used by the DRDA Application Requester communications software, for example IBM Communications Server for OS/2.
  Note that defining the SENDSize and RECEIVESize with a larger number may improve data transmission rate, however, more virtual storage will also be required across the network. 4 Kilobyte is the size that all layers in the SNA network support. Therefore, when setting up the DRDA Server, set send and receive buffer sizes to 4 Kilobyte. When connections can be made successfully from remote users, adjust these parameters to determine the optimum value.
3. Define user IDs and passwords to CICS
  Define all users in the CICS sign-on table (DFHSNT). You can test the validity of a user ID by performing a CESN logon at a CICS terminal. The local sign-on must be successful.
4. Define the load modules (phases) to CICS using the CEDA DEFINE PROGRAM command:
  1. ARICAXED - the AXE transaction
  2. ARICDIRD - the DBNAME Directory, and search routine
  3. ARICDAXD - DAXP and DAXT transaction handler
  4. ARICDEBD - CICS TRUE support enablement handler
  5. ARICDRAD - CICS TRUE itself
  6. ARICDR2 - DR2DFLT control block
  For each of these, the LANGUAGE=ASSEMBLER option should be specified.
5. For each TPN specified by the application requester, define an AXE transaction using the CEDA DEFINE TRANSACTION command:
  - Use the TRANSACTION parameter to specify the TPN
  - Specify PROGRAM=ARICAXED to specify the phase
  - Use the XTRANID parameter to specify a second hexadecimal transaction name.
  At this time, also define the DAXP and DAXT transactions, specifying PROGRAM=ARICDAXD.

Sample definitions:

Refer to DRDA Connectivity Guide for sample definitions.

Defining the Application Server

Update the DB2 for VSE DBNAME directory.
Add an entry to the DBNAME directory for each transaction defined above using the CEDA DEFINE TRANSACTION command. With LU 6.2 sessions established, a remote application requester can start a conversation with the DB2 for VSE Application Server. It does so by allocating an LU 6.2 conversation with the Application Server, specifying a TPN (transaction program name). This TPN must be the CICS transaction ID of the AXE transaction responsible for routing requests to or from the DB2 for VSE server. The TPN must be in the DB2 for VSE DBNAME directory mapped to the DB2 for VSE server to be accessed by the application requester. The DB2 for VSE database administrator is responsible for updating the DBNAME directory and informing the remote users of the TPN-to-server mapping.
Both the TPN and its corresponding server name (database name as defined in the DBNAME directory) must be identified to the application requester:
- The application requester uses the TPN to initiate the AXE router transaction.
- The application requester quotes the server name in the initial DRDA flow as the target database name. The DB2 for VSE server uses this server name to verify that the application requester is accessing the right server. A mismatch in server name denies the Application Requester access to the server, and the Application Requester ends the conversation.
Use the procedure ARISBDID to build and assemble the DBNAME directory (member ARISDIRD.A).

For more details, please see DB2 for VSE System Administration manual.

Preparing and Starting the DB2 for VSE Application Server

The AXE transaction maintains an error log that is a CICS temporary storage queue named ARIAXELG. This error log contains useful error messages recording communication problems and abnormal termination of the DRDA sessions. Define this log as "recoverable" using the CICS TST.
Run procedure ARIS342D to install the DRDA Application Server support.
If necessary, issue the DAXP transaction to specify the default password and language that will be used when CICS TRUE support is enabled for a particular server. See the DB2 for VSE Operation manual for more details.
Start DB2 for VSE with the DBNAME, RMTUSERS, and SYNCPNT parameter:
- The DBNAME used must be defined in the DBNAME directory.
- The RMTUSERS parameter must be nonzero.
- Specify SYNCPNT=Y to enable distributed unit of work support.
All remote users must be authorized by the DB2 for VSE server with different levels of authorization. Refer to DB2 for VSE Database Administration for more details.

Problem determination:

If the application requester succeeded in reaching its partner CICS with a valid TPN (TPN defined in the DBNAME directory), an AXE transaction is started. The use count on program ARICAXED is increased by one (verified by issuing CEMT I PR(ARICAXED) ).
To ensure that a remote user ID is established in the CICS sign-on table, perform a local sign-on using the CESN transaction with the remote user's user ID and password. The local sign-on must be successful.
When the DB2 for VSE server is running and an application first performs DRDA-2 distributed unit of work activity, TRUE support to a server will enable automatically. Look for message ARI0187I, which indicates that TRUE support was enabled successfully. However if message ARI0190E appears, which indicates that an error occurred while enabling the TRUE, look for prior error messages on the console.
If your DRDA application program receives sense code X'08063426' or X'FFFE0101', it could be a sign that CICS is running out of sessions. CICS can run out of sessions if all sessions are either in use, or scheduled to be unbound, but the UNBIND has not yet completed. CICS can run out of sessions if there are many concurrent incoming transactions that are short in duration. In this case, increase the number of sessions specified on the CEDA DEFINE SESSIONS MAXIMUM parameter to account for the sessions that are scheduled to be UNBINDed, but the UNBIND has not yet completed.

Provide Security

The DB2 for VSE application server depends on CICS for intersystem communication security. CICS offers several levels of security:

Bind-time security

The CICS implementation of the SNA LU 6.2 session-level LU-to-LU verification. The implementation of bind-time security is optional in the LU 6.2 architecture. On the application server side, it can be enabled by supplying a BINDPASSWORD in the CEDA DEFINE CONNECTION command when defining the connection to the Application Requester. On the application requester, the partner LU that serves the Application Requester must also support bind-time security and use the same password for partner-LU verification.
You can use bind-time security to stop unauthorized remote systems from establishing (binding) sessions with CICS.
Link security

Link security can be used to limit a remote system (and its resident DRDA application requester) to attach a certain set of AXE transactions only.
For example, you can define two AXE transactions: AXE2 with security key 2, and AXE3 with security key 3. Application requesters from a remote system can be assigned an operator security of 3 (for example, using the OPERSECURITY parameter in the CEDA DEFINE SESSION command), allowing them to attach AXE3 only. AXE3 might not have privileged access to the server while AXE2 has privileged access. Refer to DB2 for VSE System Administration for a description of privileged access to the application server by remote application requesters.
Refer to the CICS Intercommunication Guide for how to enable link security.
User security

The CICS implementation of the SNA LU 6.2 conversation-level security providing end user verification.
User security validates the user ID with the CICS sign-on table (DFHSNT) before accepting a request to start a conversation. For example, DRDA application requesters not defined in the CICS sign-on table are not allowed to attach an AXE transaction to start a conversation with the DB2 for VSE server. User security level for a remote system can be selected in the CEDA DEFINE CONNECTION command using the ATTACHSEC parameter. The three levels of attach securities are:
- LOCAL. Not supported by DRDA.
- IDENTIFY. Equivalent to SECURITY=SAME (or already-verified) in LU 6.2 terminology. With this security level, CICS "trusts" the remote system to verify its users before allowing them to allocate a conversation to the DB2 for VSE server. Only the user ID is required for the CICS sign-on process. However, if the password is also passed, CICS performs the sign-on with the password.
- VERIFY. Equivalent to SECURITY=PGM in LU 6.2 terminology. With this security level, CICS expects the remote system to send both the user ID and password when allocating the conversation, and rejects the connection if a password is not supplied.
SNA LU 6.2 session-level mandatory cryptography. Not supported.

Because the application server is responsible for managing the database resources, it dictates which network security mechanisms the application requester must provide. For example, with a DB2 for VM application requester, you must record the application server's conversation-level security requirements in the application requester's communications directory by setting the appropriate value in the :security tag, as in Figure 37:

Figure 37. Sample CMS Communication Directory entry

+--------------------------------------------------------------------------------+ | :nick.VSE1 :tpn.TOR3 | | :luname.TORGATE VSEGATE | | :modename.IBMRDB | | :security.PGM | | :userid.SALESMGR | | :password.PROFIT | | :dbname.TORONTO3 | | | | | | | | Where: TOR3 - AXE transaction ID mapped to database TORONTO3. | | TORGATE - VM/APPC gateway. | | VSEGATE - APPLID of the CICS/VSE partition serving as gateway | | to TORONTO3. | | SALESMGR/PROFIT - USERID/PASSWORD defined in the DFHSNT of | | VSEGATE, and authorized in TORONTO3 | | TORONTO3 - The name specified on the DBNAME startup parameter when | | the DB2 for VSE application server was started (or the | | name of the default database determined by the DBNAME | | Directory if DBNAME was omitted at startup). | +--------------------------------------------------------------------------------+

Database Manager Security

User ID translation is not supported by the VSE application server. CICS uses the user ID transmitted directly from the requester.

After being started by an application requester, the AXE transaction extracts the user ID from CICS and passes it on to the DB2 for VSE server. To set up the required level of user authority on database resources, you must update the user ID into the DB2 for VSE catalog SYSTEM.SYSUSERAUTH.

The DB2 for VSE application server verifies if the user ID given by CICS has CONNECT authority to access the database, and rejects the connection if it does not have authority.

As the owner of database resources, the DB2 for VSE Application Server controls the database security functions for SQL objects residing at the DB2 for VSE Application Server. Access to objects managed by DB2 for VSE is controlled through a set of privileges, which are granted to users by the DB2 for VSE system administrator or the owner of the particular object. The DB2 for VSE Application Server controls two classes of objects:

Packages: Individual end users are authorized to create, replace, and run packages with the DB2 for VSE GRANT statement. When an end user creates a package, that user is automatically authorized to run or replace a package. Other end users must be specifically authorized to run a package at the DB2 for VSE Application Server with the GRANT execute statement. The RUN privilege can be granted to individual end users or to PUBLIC, which allows all end users to run the package.
When an application is preprocessed on DB2 for VSE, the package contains the SQL statements contained in the application program. These SQL statements are classified as:
- Static SQL: This means the SQL statement and the SQL objects referenced by the statement are known at the time the application is preprocessed. The creator of the package must have authority to execute each of the static SQL statements in the package.
  When an end user is granted the privilege to execute a package, that user automatically has the authority to execute each of the static SQL statements contained in the package. Thus, end users do not need any DB2 for VSE table privileges if the package contains only static SQL statements.
- Dynamic SQL: Describes an SQL statement that is not known until the package is run. The SQL statement is built by the program and dynamically preprocessed to DB2 for VSE with the SQL PREPARE statement or the EXECUTE IMMEDIATE statement. When an end user runs a dynamic SQL statement, the user must have the table privileges required to execute the SQL statement. Because the SQL statement is not known when the package is created, the end user is not automatically given the required authority by the package owner.
SQL objects: These can be tables, views, and synonyms. DB2 for VSE users can be granted various levels of authority to create, delete, change, or read individual SQL objects. This authority is required to preprocess static SQL statements or execute dynamic SQL statements.

Represent Data

See Represent Data.

Checklist for Enabling a DB2 for VSE DRDA Application Server

The following checklist summarizes the steps needed to enable a DRDA Application Server, starting with the assumption that your VSE system is installed with ACF/VTAM as its teleprocessing access method, and that VTAM definitions needed to communicate with the remote systems, such as NCP definitions are completed.

Install CICS ISC support and Restart Resynchronization support.
Define CICS to VTAM for VSE.
Assemble the VTAM LOGMODE table with the IBMRDB entry.
Assemble the CICS sign-on table with all remote user IDs and passwords defined.
Start CICS with the right SIT information:
- ISC=YES
- TST=YES, ARIAXELG defined as RECOVERABLE in the DFHTST and assembled
- APPLID=LU name (as defined in the VTAM APPL statement)
Define the remote systems to CICS (RDO can be used):
- CEDA DEF CONNECTION
- CEDA DEF SESSION
- CEDA DEF PROGRAM
- CEDA DEF TRANSACTION
  These statements should have all definitions under one group, for example, named IBMG. Install the group with: CEDA INSTALL GROUP(IBMG).
Update the DBNAME directory (ARISDIRD.A):
- Define all TPNs listed in the directory to CICS. TPNs not defined to CICS are not usable.
- Define each DB2 for VSE DRDA application server in the directory with a valid TPN.
Run procedure ARISBDID to assemble the updated DBNAME directory.
Prepare the DB2 for VSE server:
- Run procedure ARIS342D to install the DRDA support.
- If online DB2 for VSE applications (for example, ISQL) are run from the CICS partition, grant schedule authority to the CICS APPLID specified in the CICS SIT table.
- Grant authority to all remote users.
If necessary, run the DAXP CICS transaction.
Start DB2 for VSE with the correct RMTUSERS parameter and, optionally, the DBNAME parameter and SYNCPNT parameter.
Prepare applications on the VSE DRDA Application Server.

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]

[ DB2 List of Books | Search the DB2 Books ]