DFS/SMB Setup for High Availability Systems with DB2 for z/OS and Windows Application Servers

Applies to: SAP NetWeaver with DB2 for z/OS. For more information, visit the Software Logistics homepage.

Summary In a high availability (HA) installation with IBM DB2 for z/OS and SAP application servers on Windows, directories on the mainframe are to be shared from Windows. This document is intended to help you in setting up DFS/SMB explicitly for an SAP HA system on the mainframe.

Author: Dr. Christian Schaefer

Company: SAP AG

Created on: 17 October 2008

Author Bio: Dr. Christian Schaefer is Development Architect at the joint SAP/IBM platform team and has over 23 years of experience in SAP on IBM mainframes. He joined SAP in 1985. He worked on the interfaces of SAP R/2 to CICS and MVS. He holds a DSc in Theoretical Physics from the University of Heidelberg, Germany. Christian can be reached at [email protected].

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com © 2008 SAP AG 1


Table of Contents

DFS/SMB Setup for High Availability Systems with DB2 for z/OS and Windows Application Servers  3
  Procedure  3
    Export Mainframe File Systems  4
    Define Shared Directories  5
    Map SMB User IDs to z/OS User IDs  6
    Select Method for User Authentication Without Prompting the User for a Password  6
      Pass-through Authentication  6
      RACF DCE Segments for SMB Encrypted Password Support  7
    Define Environment Variables  7
    Windows Vista, Windows Server 2008  8
Related Content  9
Copyright  10


DFS/SMB Setup for High Availability Systems with DB2 for z/OS and Windows Application Servers

In a high availability (HA) installation with IBM DB2 for z/OS and SAP application servers on Windows, the following run on the z/OS mainframe server: the DB2 database, the SAP central services for ABAP and Java (ASCS and SCS, respectively), as well as the enqueue replication server (ERS). The SAP global host of such a system is the mainframe. The SAP directories located on the mainframe under "/usr/sap" must be available to Windows through the share "/sapmnt" on Windows. This enables Windows to access the data in "/usr/sap" in USS on z/OS.

Figure: SAP Directories (diagram not reproduced). The figure shows the Unix tree /(root), usr, sap, <SID>, SYS, in which exe, global and profile are symbolic links; the sapmnt tree with <SID>, global, profile and exe; and, on the Windows side, <Computer> with the share \\<SAPGLOBALHOST>\sapmnt.

You can use the IBM component DFS/SMB to share data between systems located on z/OS and Windows. DFS/SMB is part of the z/OS operating system and implements the SMB protocol on z/OS, which allows Windows applications to access data on the mainframe. This IBM component serves a similar purpose as the open source SMB server samba.

This document is intended to help you in setting up DFS/SMB explicitly for an SAP HA system on the mainframe. The target group for this information ideally possesses knowledge of SAP software and is very familiar with Unix System Services (USS) on the mainframe. For a general description of the DFS/SMB setup, see the IBM documentation "z/OS Distributed File Service SMB Administration".

Procedure

The following steps must be carried out to set up DFS/SMB:

• Export mainframe file systems

• Define shared directories

• Map SMB user IDs to z/OS user IDs

• Select method for user authentication without prompting the user for a password

• Define environment variables


To carry out these steps, you must modify several DFS/SMB tables located in the directory "/opt/dfslocal/var/dfs". Throughout this document we refer to the configuration files by their location under "/opt"; these paths are symbolic links, as the following output of the "ls" command shows:

    csh:/etc/dfs/home/dfskern> ls -l /opt
    total 0
    lrwxrwxrwx 1 STC OMVSGRP 10 Jul 30 13:19 dcelocal -> ../etc/dce
    lrwxrwxrwx 1 STC OMVSGRP 21 Jul 30 13:19 dfsglobal -> ../usr/lpp/dfs/global
    lrwxrwxrwx 1 STC OMVSGRP 10 Jul 30 13:19 dfslocal -> ../etc/dfs

Export Mainframe File Systems

To share data on the mainframe with computers running Windows, you must use DFS/SMB to export the file systems that contain the data in question. The following figure displays file systems and their directories on USS. Windows accesses the directories in "/usr/sap" in USS by using the share "sapmnt". In the example below, these directories are located in file system LOCAL.USR.SAP. That is the reason why you must export this file system.

There are absolute symbolic links in "/usr/sap" to directories in the USS directory "/sapmnt". For that reason you must also export the LOCAL.SAPMNT dataset, since the linked directories are located there. Since the absolute links begin with a slash (/), you must export the file system of the root directory, OMVS.ROOT, as well. Exporting a file system does not by itself grant access to it: Windows can reach the OMVS.ROOT file system only through shares that you define explicitly.

Example: SAP directories and file systems under USS (diagram not reproduced). OMVS.ROOT is mounted at /; the directory usr/sap resides in file system LOCAL.USR.SAP and the directory sapmnt in file system LOCAL.SAPMNT.

To export the file systems, you define them in DFS/SMB in the tables "devtab" and "dfstab". These tables are located in "/opt/dfslocal/var/dfs".


HFS datasets are exported in "devtab". These datasets are assigned unique minor device numbers that can be chosen at will. Our example could be as follows:

    define_ufs 3 LOCAL.USR.SAP auto
    define_ufs 4 LOCAL.SAPMNT auto
    define_ufs 5 OMVS.ROOT auto

Example: "devtab" Entries

"dfstab" contains a list of the file systems that you need to have exported. The following displays the "dfstab" entries of the file systems that need to be exported, each with its respective minor device number (the device name /dev/ufsN must carry the same number N as the minor device number column):

    /dev/ufs3 hfs3 ufs 3 0,,3
    /dev/ufs4 hfs4 ufs 4 0,,4
    /dev/ufs5 hfs5 ufs 5 0,,5

Example: "dfstab" Entries

You can find a detailed description of the entries contained in "devtab" and "dfstab" in the IBM documentation "z/OS Distributed File Service SMB Administration".

Define Shared Directories

In "smbtab", you define those directories that you want to share. We must be able to access the directory "/usr/sap" and its subdirectories under the share name "/sapmnt". We only need one entry in "smbtab" to make this possible:

    # /usr/sap
    /dev/ufs3 sapmnt ufs "Description of the share" r/w 0 /

Example: "smbtab" Entry

The absolute links in "/usr/sap" that point to other file systems can now be resolved by DFS/SMB, since we exported the corresponding file systems in the tables "devtab" and "dfstab".


Map SMB User IDs to z/OS User IDs

PC users work on their PCs with a Windows user ID. When accessing the mainframe using DFS/SMB, this Windows user ID becomes the SMB user ID. You must map the SMB user IDs of the clients to z/OS user IDs, since the local security subsystem (for example, RACF) does not know SMB user IDs. You can map the user IDs with the file "smbidmap" that is located under "/opt/dfslocal/var/dfs". For an SAP installation, the following users must be mapped to each other:

    SMB (Windows) user ID    z/OS user ID
    SAPService<SID>          <SID>adm
    <SID>adm                 <SID>adm
    Administrator            <root> (SAP installation user)

Where:

<SID> is the system ID of your SAP system

<root> is the USS user ID, with which the SAP instances are installed on z/OS USS.

The corresponding entries in "smbidmap" are as follows:

    SAPService<SID>
    <SID>adm

    <SID>adm
    <SID>adm

    Administrator
    <root>

Example: "smbidmap" Entries

Each entry has two lines. The first line contains the SMB (Windows) user ID, the second line the z/OS user ID. The blank lines have been inserted to improve readability. For a detailed description of the "smbidmap" file, see the IBM documentation "z/OS Distributed File Service SMB Administration".

Select Method for User Authentication Without Prompting the User for a Password

To ensure that an application server can access USS directories without user intervention, DFS/SMB supports two different methods of user authentication: pass-through authentication and RACF DCE segments for SMB encrypted password support.

Pass-through Authentication

This method does not use RACF for authentication. Instead, DFS/SMB uses a domain controller to authenticate PC users. The user must be registered with the domain controller. There is no password verification on the mainframe. In order to change your password in the system, you only have to change it in the domain controller; no other tasks are necessary in USS to ensure that the user is accepted by the system. To accomplish user authentication, DFS/SMB uses the NTLM authentication protocol. Therefore, the domain controller must allow you to use NTLM. For more information, see the IBM documentation "z/OS Distributed File Service SMB Administration".


RACF DCE Segments for SMB Encrypted Password Support

This method uses RACF. In order to enable DFS/SMB to use encrypted passwords, you must configure "SMB encrypted password support" for each z/OS user that is mapped to a corresponding Windows user. You must establish a RACF DCE segment for each of these z/OS users. For more information on the necessary steps, see the IBM documentation "z/OS Distributed File Service SMB Administration". Using the RACF DCE segment does not imply that DCE needs to be active.

In an SAP system, you must carry out this process for the users <SID>adm and <root>. To enable the SMB server to use encrypted passwords, set the dfskern environment variable _IOE_SMB_CLEAR_PW to NOTALLOWED (_IOE_SMB_CLEAR_PW=NOTALLOWED; see the section "Define Environment Variables").

In this case, there is an SMB password. This password must be identical to the password of the Windows login user. This password is set with the USS command "smbpw". Therefore, you must log on as <SID>adm in USS and enter the command:

"smbpw <windows_password> <windows_password>"

to set the SMB password of the user <SID>adm. You must carry out this step once again for the user <root>.

Each time the password of a Windows login user is changed, you must log on with this user to USS on the mainframe and change the corresponding SMB password to match the new password. You can do this by entering the USS command "smbpw <windows_password> <windows_password>".

Define Environment Variables

In the "envar" file in "/opt/dfslocal/var/dfs", you must set environment variables for DFS/SMB. These are as follows:

    # set SMB sharing on:
    _IOE_PROTOCOL_SMB=ON
    # switch DCE RPC sharing off:
    _IOE_PROTOCOL_RPC=OFF
    # if shared HFS is used:
    _IOE_MOVE_SHARED_FILESYSTEM=ON
    # for use of encrypted passwords:
    _IOE_SMB_CLEAR_PW=NOTALLOWED
    # enable absolute links:
    _IOE_SMB_ABS_SYMLINK=ON
    # provide user mapping:
    _IOE_SMB_IDMAP=/opt/dfslocal/var/dfs/smbidmap
    # write error messages to console:
    _EUV_SVC_MSG_LOGGING=CONSOLE_LOGGING
    # if DCE is not used:
    _EUV_AUTOLOG=NO
    # if encryption hardware is not to be used:
    _IOE_SMB_OCSF=OFF
    # make full use of file tagging (ASCII - EBCDIC):
    _IOE_HFS_FILETAG=SET

Table: Necessary Environment Variables

(Lines beginning with the pound sign (#) are comments.)

This list contains only those environment variables that you must set. Depending on the parameter configuration of the DFS or Windows systems, you may have to set other environment variables also.

Regarding the environment variable _IOE_DYNAMIC_EXPORT: If you assign the value "ON" to this variable, all file systems on USS that are accessed from Windows automatically receive minor device numbers from DFS/SMB and are exported. This is even the case if a file system is not listed in "devtab" and "dfstab".


Since this makes it difficult to track which file systems have been exported, we are not going to elaborate on this topic in this document.

For an exact description of all related environment variables, see the IBM documentation "z/OS Distributed File Service SMB Administration".
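The four tables above are maintained by hand and easily get out of step with each other (a dfstab device name whose number differs from its minor device number, a share that points at a device no dfstab line exports, or an envar setting that is silently missing). The following POSIX shell script is an added example, not part of the SAP document: it writes constructed copies of devtab, dfstab, smbtab and envar into a temporary directory (never into /opt/dfslocal/var/dfs) and cross-checks them; the table formats, file names and _IOE_* values are the ones shown on this page, and the mismatches in the sample data are deliberate.

```shell
#!/bin/sh
# Added consistency check for the DFS/SMB tables (not from the SAP document).
# Works on constructed copies in a temp dir; never touches /opt/dfslocal/var/dfs.
set -u
CFG=$(mktemp -d)
trap 'rm -rf "$CFG"' EXIT
cat > "$CFG/devtab" <<'EOF'
define_ufs 3 LOCAL.USR.SAP auto
define_ufs 4 LOCAL.SAPMNT auto
define_ufs 5 OMVS.ROOT auto
EOF
# Constructed dfstab: the third line names /dev/ufs3 but carries minor number 5.
cat > "$CFG/dfstab" <<'EOF'
/dev/ufs3 hfs3 ufs 3 0,,3
/dev/ufs4 hfs4 ufs 4 0,,4
/dev/ufs3 hfs5 ufs 5 0,,5
EOF
# Constructed smbtab: the second share uses a device that no dfstab line exports.
cat > "$CFG/smbtab" <<'EOF'
# /usr/sap
/dev/ufs3 sapmnt ufs "Description of the share" r/w 0 /
/dev/ufs6 trans ufs "Unexported file system" r/w 0 /
EOF
# Constructed envar: _IOE_SMB_ABS_SYMLINK=ON is missing, so the absolute links
# from /usr/sap into /sapmnt would not be resolved by DFS/SMB.
cat > "$CFG/envar" <<'EOF'
_IOE_PROTOCOL_SMB=ON
_IOE_SMB_CLEAR_PW=NOTALLOWED
_IOE_SMB_IDMAP=/opt/dfslocal/var/dfs/smbidmap
EOF
# Each check prints its findings and returns the number of problems found.
# check_dfstab: the device name /dev/ufsN of every dfstab entry must match the
# minor device number column, and that minor number must be defined in devtab.
check_dfstab() {
  awk -v dev="$1/devtab" '
    BEGIN { bad = 0; while ((getline l < dev) > 0)
              if (l ~ /^define_ufs/) { split(l, f, " "); minor[f[2]] = 1 } }
    /^#/ || NF == 0 { next }
    { n = $1; sub("/dev/ufs", "", n)
      if (!($4 in minor)) { print "dfstab: minor " $4 " is not defined in devtab"; bad++ }
      if (n != $4) { print "dfstab: device " $1 " does not match minor " $4; bad++ } }
    END { exit bad }' "$1/dfstab"
}
# check_smbtab: a share can only be served from a device that dfstab exports.
check_smbtab() {
  awk -v dfs="$1/dfstab" '
    BEGIN { bad = 0; while ((getline l < dfs) > 0)
              if (l ~ "^/dev/") { split(l, f, " "); exported[f[1]] = 1 } }
    /^#/ || NF == 0 { next }
    !($1 in exported) { print "smbtab: share " $2 " uses unexported device " $1; bad++ }
    END { exit bad }' "$1/smbtab"
}
# check_envar: the settings the SAP setup depends on must be present verbatim.
check_envar() {
  missing=0
  for want in _IOE_PROTOCOL_SMB=ON _IOE_SMB_CLEAR_PW=NOTALLOWED \
              _IOE_SMB_ABS_SYMLINK=ON _IOE_SMB_IDMAP=/opt/dfslocal/var/dfs/smbidmap; do
    grep -qxF "$want" "$1/envar" || { echo "envar: missing $want"; missing=$((missing + 1)); }
  done
  return $missing
}
for chk in check_dfstab check_smbtab check_envar; do
  "$chk" "$CFG" || echo "$chk: $? problem(s) found"
done
```

Point the three functions at the real directory (check_dfstab /opt/dfslocal/var/dfs, and so on) to run the same checks against a live configuration.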

Windows Vista, Windows Server 2008

DFS/SMB uses the NTLM authentication protocol. However, by default, Windows Vista and Windows Server 2008 send NTLMv2 responses, with which DFS/SMB cannot establish the connection. In order to initiate a connection, the default must be lowered to the first NTLM level. Note that this reduces the security level for all SMB network connections made by that Windows system, not only for those to DFS/SMB.

To change the defaults, carry out the following steps:

1. Open "Local Security Policy" under "Administrative Tools". Alternatively, press the Windows key + R, or choose Start -> Run, and enter "secpol.msc".

2. Under "Security Options", open "Network Security: LAN Manager Authentication Level".

3. Change the setting "NTLMv2" to "Send NTLM response only".


Related Content

z/OS Distributed File Service SMB Administration

High Availability for SAP on zSeries Using Autonomic Computing Technologies

SAP Planning Guide for SAP NetWeaver for IBM DB2 UDB for z/OS

For more information, visit the Software Logistics homepage.


Copyright © 2008 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials.

SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.

Any software coding and/or code lines/strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or through gross negligence.