DB2-L


Can You Have Both TCPIP Port and SECPORT for Db2 v12?

  • 1.  Can You Have Both TCPIP Port and SECPORT for Db2 v12?

    Posted May 05, 2021 05:07 PM
    Edited by Gloria Fries May 07, 2021 11:32 AM
    Hi,

    We have Db2 v12 V12R1M505 for z/OS.

    Can we have threads connecting to either port?  In other words, can we have some threads connecting to the TCPIP port and other threads connecting to the SECPORT for the same Db2 member?  We use data-sharing so I'm assuming we'll do the same for all members of the DSG.

    We currently have TCPALVER set to No.  Will we need to change this to SERVER_ENCRYPT?  Would that change prevent threads from connecting to the TCPIP port and only allow connections to the SECPORT?

    Eventually we would switch all distributed threads to the SECPORT but for now, I'd just like to test without blowing up what we've got working.

    Thanks.
    Gloria Fries


  • 2.  RE: Can You Have Both TCPIP Port and SECPORT for Db2 v12?

    Posted May 05, 2021 05:52 PM
    Hi Gloria,
    You have some excellent questions!  Interestingly, I am currently creating a blog post for IDUG on the subject of Db2 Z and network encryption.  It will be posted to the IDUG content committee blog on Friday or Monday.  It will detail my experiences on all the steps and teams involved in getting Db2 Z network encryption up and running and how and why I made some decisions.
    Check here and check again soon:   https://www.idug.org/learn/content-articles

    But to attempt to answer your questions today:
    You can use both TCPPORT and SECPORT at the same time.  That is fine. I currently have a mix of distributed computers with a mix of some using TCPPORT and some using SECPORT.

    You cannot set TCPALVER to value SERVER_ENCRYPT until all clients are using SECPORT exclusively.  The SERVER_ENCRYPT will prevent people from using the TCPPORT.  I think the intent is to set TCPALVER to SERVER_ENCRYPT after all the clients have been updated to use SECPORT.  This will prevent subsequent connections from using TCPPORT (which I suppose you could then set to zero).

    My favourite simple test for SECPORT is using REST services.  Assuming you have REST enabled in your mainframe already,
    validate your mainframe has REST services by using the default "services" service:
    http://mymainframe.server.name.com:5025/services
    where mymainframe.server.name.com is your mainframe LPAR server name
    and 5025 is your TCPPORT.

    Assuming the REST works on the above open TCPPORT, then try SECPORT:
    https://mymainframe.server.name.com:6025/services
    where mymainframe.server.name.com is your mainframe LPAR server name
    and 6025 is your SECPORT.

    If you don't have REST enabled...  then you can validate with other tools.
    They require a bit of extra work to configure for SECPORT ("simplified SSL setup").
    You can try your SECPORT with simple tools like Data Studio (which uses the JAVA type 4 JDBC driver) or the IBM Data Server CLI driver client (and ODBC).
    Those tools require that you have a copy of your CA public root cert.



    regards,
    Brian






    ------------------------------
    BrianLaube Manulife Financial
    ------------------------------



  • 3.  RE: Can You Have Both TCPIP Port and SECPORT for Db2 v12?

    Posted May 06, 2021 10:26 AM
    Edited by Gloria Fries May 07, 2021 11:34 AM
    Brian,

    Thanks so much for replying to my questions.  You've cleared up a lot of the mystery for me.  I do have Data Studio v4.1.3 and I plan to test with that.

    I'll definitely check out your encryption article.

    Gloria




  • 4.  RE: Can You Have Both TCPIP Port and SECPORT for Db2 v12?

    Posted May 06, 2021 03:36 PM
    Edited by Gloria Fries May 07, 2021 11:34 AM
    Brian,

    I've tried testing today with Data Studio v4.1.3 because I don't have REST services but am stymied by your comment "Those tools require that you have a copy of your CA public root cert."  What is this and where do I get it?  I've asked our RACF team and z/OS team and they don't know.

    The IBM Support Site has a page on "Creating DB2 z/os SSL enabled connection through Data Studio."

    https://www.ibm.com/support/pages/creating-db2-zos-ssl-enabled-connection-through-data-studio

    It says:

    Steps to follow:

    1. Get SSL certificate file from your DBA.

    2. Copy and paste this file into your Data Studio installation directory. For ex.: C:\Program Files\IBM\DS4.1.2\jdk\bin

    3. Open command prompt (cmd) and go to the location: C:\Program Files\IBM\DS4.1.2\jdk\bin and execute the command below:

    keytool -import -file ******filename******* -alias firstCA -keystore myTrustStore
    4. It will prompt you "Trust this certificate?" [y/n].

    Type y and press enter.

    5. Now open IBM Data Studio and create a new connection using Data Source Explorer and enter the value for trusted file location in connection parameters as follows:

    C:\Program Files\IBM\DS4.1.2\jdk\bin\myTrustStore

    Is this what I need to do?  My question is where do I get the certificate?  

    Thanks,
    Gloria




  • 5.  RE: Can You Have Both TCPIP Port and SECPORT for Db2 v12?

    Posted May 06, 2021 03:50 PM
    Your RACF administrator should have it. You may need to ask your AT-TLS / PAGENT / network admin for the name first.

    ------------------------------
    Jørn Thyssen
    Rocket Software
    2021 IBM Champion
    ------------------------------



  • 6.  RE: Can You Have Both TCPIP Port and SECPORT for Db2 v12?

    Posted May 07, 2021 01:45 AM
    Hi Gloria 

    I agree with Jørn.  Your mainframe security (RACF or ACF2 or whatever) should have a copy of the ROOT CA (usertrust) certificate.
    It is not a secret.  Once I found mine I googled the first hex line and found copies out on the internet!  Proving to me that it is not a secret.
    > They always begin with "-----BEGIN CERTIFICATE-----" followed by 30 odd lines of hex-looking stuff.

    Another way to confirm/find your common root CA (usertrust) certificate is to look in your workstation!
    I use the WINDOWS control panel "manage certificates" ("certlm" utility program) to look at your locally installed certificates.
    I poked around the fairly logical "trusted root certificate" directory and found something that looked like it could be my ROOT CA (usertrust) certificate.  I right-clicked on it and exported it in "Base-64 encoded x.509" format and then viewed the actual certificate in my text editor.  It was identical to the thing that my mainframe security administrator shared with me.  It is nice when things line up like that!
    > this must be the certificate used by my browser when I invoked my REST service! (it is making more sense now)

    And finally.  With regards to the internet instructions for "trust store".   I saw similar instructions in a presentation from 2018.  But as of 2019, I saw other presentations that showed me how to forget about the trust store and use the truly "simplified SSL setup".

    First, I assume you find a copy of your ROOT CA (usertrust) certificate.  Copy it to your machine (in my case, into c:\mycertdir\).
    And then set your Data Studio connection properties.  In the "optional" tab set
    sslConnection = True
    sslCertLocation = C:\mycertdir\cacert.CER

    It works for me!

    good luck

    Brian

    ------------------------------
    BrianLaube Manulife Financial
    ------------------------------



  • 7.  RE: Can You Have Both TCPIP Port and SECPORT for Db2 v12?

    Posted May 07, 2021 10:41 AM
    Hi Gloria,


    If your RACF admin claims ignorance then try entering the URL for your Db2: https://lpar:secport
    Then view the certificate, find the top level certificate (typically named "XYZ CA Root" or similar) and download it.

    ------------------------------
    Jørn Thyssen
    Rocket Software
    2021 IBM Champion
    ------------------------------
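Added example, not code from the thread, from IBM or from Data Studio: a small Python helper for the two checks Brian and Jørn describe above. It compares the root CA file from the security team with the one exported from the Windows trust store by DER fingerprint rather than by eye in a text editor (so CRLF vs LF and line wrapping do not matter), and it tries a TLS handshake to the SECPORT trusting only that root CA, which is the same check as the https REST test from post 2. The host name, port and PEM bytes below are constructed placeholders.

```python
import base64
import hashlib
import re
import socket
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """DER bytes of the first certificate in a PEM blob. Line endings and
    indentation are ignored, so a CRLF export from certlm compares equal to
    an LF copy pasted from the mainframe."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint, colon separated like the certlm thumbprint view."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(pem_a: str, pem_b: str) -> bool:
    """True when both files carry the same certificate, whatever the layout."""
    return pem_to_der(pem_a) == pem_to_der(pem_b)


def to_pem(der: bytes, eol: str = "\n", width: int = 64) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + eol


# Constructed sample: placeholder bytes, not a real X.509 certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
CERT_FROM_RACF = to_pem(SAMPLE_DER)                            # LF, 64 columns
CERT_FROM_CERTLM = to_pem(SAMPLE_DER, eol="\r\n", width=76)    # Windows export


def probe_secport(host: str, port: int, cafile: str, timeout: float = 10.0) -> dict:
    """TLS handshake to host:port trusting only cafile (the root CA). Returns the
    server cert's subject/issuer; raises ssl.SSLError when the chain does not
    validate against that root. Network call, not exercised by the offline test."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"subject": dict(x[0] for x in cert["subject"]),
                    "issuer": dict(x[0] for x in cert["issuer"]),
                    "protocol": tls.version()}
```

Pointing probe_secport at the TCPPORT instead of the SECPORT, or at the SECPORT with the wrong CA file, fails the handshake, which is a quick way to tell the two ports apart before touching TCPALVER.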



  • 8.  RE: Can You Have Both TCPIP Port and SECPORT for Db2 v12?

    Posted May 08, 2021 12:12 AM
    Hi Gloria,

    If you are interested... the IDUG content committee just released a blog article that I wrote on the subject of enabling Db2 Z network encryption.  I tried to explain all the steps I went through in order to get it to work.  It might be helpful.  Let me know!

    https://www.idug.org/blogs/brian-laube1/2021/05/05/configuring-db2-for-zos-for-encrypted-network

    regards,
    Brian Laube

    ------------------------------
    BrianLaube Manulife Financial
    ------------------------------



  • 9.  RE: Can You Have Both TCPIP Port and SECPORT for Db2 v12?

    Posted May 05, 2021 05:55 PM
    Yes, you can use both ports at the same time. Brian Laube is going to be releasing an IDUG Content blog post imminently which can be used to help set up your clients if you haven't already done that.
    Dan

    +--------------------------------------+-----------------------------------------------------------+
    | Daniel L Luksetich | IBM Certified Advanced Database Administrator – |
    | IBM GOLD Consultant | Db2 10.1 for Linux UNIX and Windows |
    | IDUG Content Committee Past-Chairman | IBM Certified Database Administrator – Db2 12 for z/OS |
    | IDUG DB2-L Administrator | IBM Certified System Administrator – Db2 11 for z/OS |
    | URL: https://db2expert.com | IBM Certified Application Developer – Db2 11 for z/OS |
    +--------------------------------------+-----------------------------------------------------------+




  • 10.  RE: Can You Have Both TCPIP Port and SECPORT for Db2 v12?

    Posted May 06, 2021 10:53 AM
    Edited by Gloria Fries May 07, 2021 11:33 AM
    Daniel,
    Thanks for answering my question.  Now I feel better about testing the secure port and leaving the TCPIP port alone.  I'll definitely check out Brian Laube's blog post when it's available.

    Gloria




  • 11.  RE: Can You Have Both TCPIP Port and SECPORT for Db2 v12?

    Posted May 06, 2021 12:13 PM
    Hi Gloria,

    There was a recent thread about how to track usage of secure vs unsecure traffic through IFCID 365: https://www.idug.org/communities/community-home/digestviewer/viewthread?MessageKey=b3247dd1-4a95-4389-be07-c783fc66d1b8&CommunityKey=02a8700a-dc76-4190-9a3c-24f0738c1067&tab=digestviewer

    ------------------------------
    Jørn Thyssen
    Rocket Software
    2021 IBM Champion
    ------------------------------