A fix is available
APAR status
Closed as new function.
Error description
DB2DDF DB2TCPIP Story 92706 s92706 Db2 for z/os has a restriction if the PORT and SECPORT are defined (i.e not equal to 00 and they are equal in value, message DSNL521I displays and DDF is terminated. *************************************************************** Additional Symptoms and Keywords: DB2 DDF DSNL521I MSGDSNL521I
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: * * All Db2 12 Distributed Data Facility (DDF) * * users. Specifically those who are planning * * to only allow access to Db2 via secure * * sockets layer (SSL) communications. * **************************************************************** * PROBLEM DESCRIPTION: * * Update to Db2 support of secure socket * * layer (SSL) communications. * **************************************************************** * RECOMMENDATION: * * Apply corrective PTF when available * **************************************************************** Db2 must be configured with a non-zero value for its PORT if the Db2 TCP/IP communications environment is desired. This requirement does not allow Db2 to be configured so that ONLY TCP/IP secure socket layer (SSL) communications be used when accessing Db2. Also, different rules exist when defining the main LOCATION PORT and SECPORT, a static subsetting location alias PORT and SECPORT, and a dynamic subsetting location alias PORT and SECPORT. This makes it difficult to configure Db2 to only allow SSL communications when accessing Db2 via any of its configured ports.
Problem conclusion
Temporary fix
Comments
Db2 is being changed as follows: * the main subsystem PORT and SECPORT can now be defined with identical values. * both static and dynamic subsetting location aliases can now be defined with the same value for PORT and SECPORT. When the above ports are configured in this manner, access to those ports will be allowed if, and only if, TCP/IP SSL communication protocols are used. Db2 documentation changes are necessary: ************************************************************ The -MODIFY DDF command has explanations for its parameters which will require the following changes: PORT(port-name) Adds or replaces an existing port that can be used by DDF to accept distributed requests for the specified alias. The value specified for port-name value must be a decimal number between 1 and 65535, including 65535, and must be different than the values for the ports of other aliases. Specify a PORT value for an alias when you want to identify a subset of data sharing members to which a distributed request can go. SECPORT(secport-name) Adds or replaces an existing secure port that can be used by DDF to accept secure distributed requests using SSL for the specified alias. The value specified for secport-name must be a decimal number between 1 and 65535, including 65535, and must be different than the values for ports of other aliases. Specify a SECPORT value for an alias when you want to identify a subset of data sharing members to which a secure distributed request can go. The description of the standalone change log utility, DSNJU003, will require the following changes for the ALIAS option of the DDF subcommand: :alias-port specifies a TCP/IP port number for the alias that can be used by DDF to accept distributed requests. This value must be a decimal number between 1 and 65535, including 65535. The value must be different from the values for the PORT, RESPORT, and SECPORT options and any value that was specified for alias-port or alias-secport of any other defined alias. Specify a value for alias-port when you want to identify a subset of data sharing members to which a distributed request can go. Note: :alias-port can be the same value specified for :alias_secport of the same location alias. :alias-secport specifies a secure TCP/IP port number for the alias that can be used by DDF to accept secure distributed requests using SSL. This value must be a decimal number between 1 and 65535, including 65535. The value must be different from the values for the SECPORT, PORT, and RESPORT options, and any value that was specified for alias-port or alias-secport of any other defined alias. Specify a value for alias-secport when you want to identify a subset of data sharing members to which a secure distributed request can go. Note: :alias-secport can be the same value specified for :alias_port of the same location alias. ************************************************************ IBM Knowledge Center is updated for this change: http://www.ibm.com/support/knowledgecenter/SSEPEK
APAR Information
APAR number
PH08188
Reported component name
DB2 OS/390 & Z/
Reported component ID
5740XYR00
Reported release
C10
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-02-05
Closed date
2019-03-27
Last modified date
2019-05-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI62168
Modules/Macros
DSNLTMDF DSNJU003 DSNLILNR DSNLIIN2
Fix information
Fixed component name
DB2 OS/390 & Z/
Fixed component ID
5740XYR00
Applicable component levels
RC10 PSY UI62168
UP19/04/16 P F904
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEPEK","label":"Db2 for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"12.0","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"12.0","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
02 May 2019