6 Oracle Net

Oracle Net for z/OS supports network communications between Oracle applications and Oracle gateway systems across different z/OS systems and different operating systems. Oracle provides OSDI listener (ORANET). This chapter describes how to configure it. For more information on Oracle Net, refer to the Oracle Database Net Services Administrator's Guide.

This chapter includes the following sections:

Overview
OSDI Listener Architecture
OSDI Listener File Names
Configuring the OSDI Listener
Operating the OSDI Listener
Formatting OSDI Listener Trace Files
Oracle Advanced Security Option Encryption

6.1 Overview

The OSDI listener (ORANET), also referred to as the Net service, runs as a service under an OSDI subsystem. In Oracle8i, Release 8.1.7 and Oracle9i, Release 1, all TCP and LU62 connections by Oracle applications, both client and server, were performed through the Net or Net8 service. Now, all Oracle clients on z/OS open their own sockets.

The OSDI listener's primary function is to listen for inbound remote connections to an Oracle instance. For compatibility purposes, the OSDI listener still provides outbound connectivity services for Oracle9i, R1 and Oracle8i, 8.1.7 Oracle clients.

Note that in the case of a database link from an OSDI database instance to an OSDI gateway instance, the OSDI database instance is considered as an Oracle client in the context of OSDI listener for the Oracle gateway instance. Moreover, if the OSDI database instance resides in the same OS390 image as the OSDI gateway instance, then Oracle Net cross-memory protocol could be used.

An OSDI listener is not required for Oracle Net cross-memory protocol. The syntax of cross-memory protocol could be in either of two forms:

(DESCRIPTION=
    (ADDRESS= (PROTOCOL=XM) (SUBSYS=snn) (SERVICE=service_name) )
    (HS=)  )

where ssn is the OSDI subsystem name and service_name is the OSDI gateway service name.

or:

(DESCRIPTION=
    (ADDRESS= (PROTOCOL=XM) (SID=gateway_sid) )
    (HS=)   )

where gateway_sid is the chosen OSDI gateway service SID.

Oracle recommends using the SID format for simplicity.

6.2 OSDI Listener Architecture

On z/OS, Oracle Net is implemented as a z/OS OSDI service running in its own address space separate from the gateway service. The OSDI service acts as a listener for the Oracle z/OS instances and gateway instances. All protocol-specific code runs inside the OSDI listener.

Remote clients that access an OSDI service through an OSDI listener are dispatched on a lightweight unit of work called an enclave SRB. An enclave is created either once per session or for each SRB depending on the ENCLAVE keyword (described under "PARM"). An SRB is scheduled each time work is required to be done by the kernel. The enclave is deleted when the SRB completes. The z/OS Workload Manager component may be used to control the execution characteristics of these enclave SRBs. Refer to the Oracle Database System Administration Guide for IBM z/OS (OS/390) for further details.

For client and server support, the OSDI listener uses the IBM macro implementation and a TCP/IP network to support network communications between the Oracle server and any remote OSDI listener TCP/IP client or server. For more information, refer to "TCP/IP Network Considerations".

6.3 OSDI Listener File Names

The product documentation, Oracle Database Net Services Administrator's Guide, refers to files in the following form:

basename.extension

where:

Variable	Description
`basename`	is the product name.
`extension`	is the extension.

An example of this form is SQLNET.ORA.

These files are then converted to DD names. The following DD names are implemented under z/OS:

DD name	Description
`SQLNET`	defines a data set containing any `SQLNET.ORA` diagnostic, ASO, or Oracle names parameters. It is not necessary to allocate this DD unless these features are desired. Refer to Oracle Database Net Services Administrator's Guide or the Oracle Database Advanced Security Administrator's Guide for more information.
`SQLNETTC`	defines a data set into which trace output is written. It is recommended that this be defined as a `SYSOUT` data set in a held output class.
`SQLNETLG`	defines a data set into which any logging output is written. It is recommended that this be defined as a `SYSOUT` data set in a held output class.
`TNSNAMES`	defines a data set containing all the TNS connect descriptors and aliases for your installation. For further information about TNS connect descriptors, refer to the Oracle Database Net Services Administrator's Guide. This DDname is not necessary on server JCL unless `DBLINKS` originates from the server.
`LDAP`	defines the location of the LDAP server.
`TNSNAV`	TNS client navigation. (Generally not used on z/OS.)
`INTCHG`	Interchange. (Generally not used on z/OS.)

Example of diagnostic entries in SQLNET file

trace_file_client =/trace/sysout=x,hold
trace_file_server  =/trace/sysout=x,hold
trace_file_agent   =/trace/sysout=x,hold
trace_level_client  = 16
trace_level_server  = 16
trace_level_agent   = 16
trace_functions_all = yes

Example of TNSNAMES entry for use by DBLINK definition

G4XXDB2 =
 (DESCRIPTION =
    (ADDRESS=(PROTOCOL=TCP)(HOST=your.host.tcpip.name)
              (PORT=port#)(SSN=net_sid))
              (HS=)
              (CONNECT_DATA=(SID=G4XX))

6.4 Configuring the OSDI Listener

To create a Network Service under OSDI, you must first define the OSDI listener as a service using the OSDI DEFINE SERVICE command. In addition to defining the service, two other items must be set up before the service can be started. They are a JCL procedure and network protocol-specific (TCP/IP) configuration. After you have defined OSDI listener as a service and have set up the additional items, you can start the service, which creates a z/OS address space based on controls that you have specified.

6.4.1 Network Service Definition

The OSDI DEFINE SERVICE command is described completely in Appendix B. Below, we describe DEFINE parameter considerations that are specific to the OSDI listener.

6.4.2 Service Name

The service name for Oracle Net can be anything that you want within the content limitations described in Appendix B.

6.4.3 TYPE

The TYPE parameter for a gateway service must be specified as NET.

6.4.4 PROC

This procedure specifies the name of a service JCL procedure that you will place in one of your system procedure libraries. The procedure need not exist when DEFINE SERVICE is issued, but it must be in place before the service is started. The procedure name can be anything that you choose or that the naming standards of your installation require. The requirements for this procedure are discussed in the "OSDI Listener Region JCL"section.

6.4.5 PARM

The PARM string is used to specify additional initialization parameters that are specific to the OSDI listener. These parameters are in the form of keywords and determine which protocols are initialized at OSDI listener startup as well as configuration and debugging features.

A description of the OSDI Listener keywords follows:

OSDI Listener Keywords	Description
`HPNS`	specifies support for the TCP/IP protocol.
`ENCLAVE(SESS\|CALL)`	specifies the duration of the enclave. When SESS is specified, the enclave is created at logon and deleted at logoff. When `CALL` is specified, the enclave is created when the server is sent a request and is deleted when the server waits for a receive.
`PORT(nnnn)`	specifies the TCP/IP port number (`nnnn`) on which to listen for incoming connections. The default is 1521.
`GTF`	may be specified at the request of Oracle Support Services. This allows the OSDI listener internal trace to be captured to the z/OS Generalized Trace Facility.
`DUMP(nodename)`	specifies the high level node, or nodes, of transaction dump data set names. The character string can be up to 26 characters in length, must follow the rules for z/OS data set names, and must not end with a period. When an OSDI listener transaction dump occurs, the value defined here will be prefixed to a string that includes a time and date stamp to generate a unique data set name. The default is `ORACLE.TRANDMP`.

6.4.5.1 Example of Network Service Definition

DEFINE SERVICE NET92 TYPE(NET) PROC(ORANET92) -
DESC(' Oracle Network Service 9.2') -
SID(NETG) -
PARM('HPNS GTF PORT(1521)) DUMP(ORACLE.TRANDMP)')

Note:

The entire PARM() string must be on one line.

Note:

if you have an active OSDI database instance, you could use an existing OSDI subsystem for the Oracle gateway instance and/or use existing NET service instance for the Oracle gateway instance.

6.4.6 OSDI Listener Region JCL

As with a gateway service, a JCL procedure must be placed in a system procedure library prior to attempting a start of the service. The OSDI listener JCL procedure name must have an associated z/OS user ID. Refer to the next topic, "TCP/IP Network Considerations" for details. The EXEC card of the JCL must be equivalent to the following:

//NET     EXEC PGM=ORANET,REGION=0M

REGION=0M is specified to ensure that the service can allocate as much private virtual memory as it needs. Some z/OS systems may prohibit or alter a REGION parameter such as this, so you might want to check with your systems programmer to determine if any changes must be made to allow the system to accept your REGION parameter. In addition, the following DD statements are required:

STEPLIB: This DD statement should point to the Oracle-supplied AUTHLOAD which contains the gateway and Net load modules.

NET8LOG: Connection-related informational messages, warning messages, and error messages are written to this sequential output file. Oracle recommends that it also be assigned to a JES spool file.

Note:

The OSDI listener JCL procedure name must have an associated z/OS user ID. Refer to the next topic, "TCP/IP Network Considerations", for details.

6.4.6.1 Example of Network Service Procedure JCL

//NET EXEC PGM=ORANET,REGION=0M
//STEPLIB DD DSN=ORAN.ORAV.AUTHLOAD,DISP=SHR
//NET8LOG DD SYSOUT=X

6.4.6.2 Example of NET8LOG output

2000034 09:50:35.0 MIN0017I message service subtask initialized
2000034 09:50:35.0 MIN0016I command service subtask initialized
2000034 09:50:35.1 MIN0018I bind/unbind service subtask initialized
2000034 09:50:35.2 MIN0026I timer service subtask initialized
2000034 09:50:35.2 MIN0002I networking service NETC     initialization complete
2000034 09:50:35.2 MIN0005I global vector is at 19F0A000
2000034 09:50:35.2 MIN0024I connected to WLM subsystem OSDI
2000034 09:50:50.4 MIN0700I HPNS INITAPI call performed.  RC=0000, EC=00000
2000034 09:50:50.5 MIN0724I HPNS GHBY INITAPI call performed.  RC=0000, EC=00000
2000034 09:50:51.1 MIN0728I HPNS KID INITAPI call performed.  RC=0000, EC=00000
2000034 09:50:51.1 MIN0728I HPNS KID INITAPI call performed.  RC=0000, EC=00000
2000034 09:50:51.1 MIN0728I HPNS KID INITAPI call performed.  RC=0000, EC=00000
2000034 09:50:51.2 MIN0728I HPNS KID INITAPI call performed.  RC=0000, EC=00000
2000034 09:50:51.2 MIN0728I HPNS KID INITAPI call performed.  RC=0000, EC=00000
2000034 09:50:51.2 MIN0728I HPNS KID INITAPI call performed.  RC=0000, EC=00000
2000034 09:50:51.2 MIN0713I I am listening on port 01522 socket 00000
2000034 10:05:58.8 MIN0733I Socket 0000 connected Subtask Kid1, IP 144.025.040.217, Port 01129.
2000034 10:05:58.8 MIN0733I Socket 0000 connected Subtask Kid2, IP 144.025.040.217, Port 01130.
2000034 12:00:13.9 MIN0098I networking service NETC     termination in progress
2000034 12:00:18.9 MIN0722I HPNS Kid #003 shut down.
2000034 12:00:18.9 MIN0722I HPNS Kid #001 shut down.
2000034 12:00:18.9 MIN0722I HPNS Kid #006 shut down.
2000034 12:00:18.9 MIN0722I HPNS Kid #002 shut down.
2000034 12:00:18.9 MIN0722I HPNS Kid #005 shut down.
2000034 12:00:18.9 MIN0722I HPNS Kid #004 shut down.
2000034 12:00:18.9 MIN0723I HPNS Gethostbyname subtask ended.
2000034 12:00:18.9 MIN0721I HPNS shut down, GoodBye.
2000034 12:00:18.9 MIN0091I timer service subtask terminated
2000034 12:00:18.9 MIN0095I bind/unbind service subtask terminated
2000034 12:00:18.9 MIN0093I command service subtask terminated
2000034 12:00:18.9 MIN0094I message service subtask terminated
MIN0000I End of Net8 Log.

6.4.7 TCP/IP Network Considerations

The OSDI Listener uses the MACRO API interface for TCP/IP, and distributes the communications processing workload across multiple tasks in the OSDI listener address space.

If the IBM stack is being used, then particular attention must be paid to the MAXFILEPROC and MAXSOCKETS parameters (under AF_INET) in the BPXPRMxx member of SYS1.PARMLIB. These parameters must be set high enough to support the expected connection load. Both of these parameters can limit the number of connections that the OSDI listener will be able to open. Also, the OSDI listener JCL procedure name must have an associated z/OS user ID in order to use TCP/IP, which is controlled by z/OS UNIX System Services. The user ID must have an OMVS RACF segment (or equivalent, if a product other than RACF is used) if the installation is not using a default OMVS segment.

In addition, the interface resolves names through the standard GETHOSTBYNAME API. Thus the resolution depends on how IBM TCP/IP is configured. If a DNS is defined to TCP/IP, then it will be used. Otherwise, TCP/IP will default the processing to its SITEINFO file. Also, IBM's Language Environment run-time library (LE) must be available through a STEPLIB DD or linklist to the OSDI listener address space in order for GETHOSTBYNAME to work. This is an IBM requirement. TNS does a GETHOSTBYNAME call at startup to test the function. This call may take minutes to complete if a busy name server is involved. The interface is not ready for work until the MIN0713I message is displayed on the system console. For more information about the GETHOSTBYNAME API, refer to the relevant IBM documentation on TCP/IP.

6.4.8 Client-Server Access Using the OSDI Listener

Note:

In this section, the term 'client' refers to the Oracle integrating server in the context of a database link session to an OSDI gateway instance.

6.4.8.1 Remote Clients

Remote (inbound) clients access Oracle gateway instances through the OSDI listener as follows:

The OSDI network service listens on a single endpoint (network address) for each protocol. All remote clients that go through a particular OSDI listener with a particular protocol use the same network address regardless of which gateway instance they want to access. All TCP/IP clients specify the same host name (or IP) and port number.
Clients indicate the target gateway instance that they want with the '(CONNECT_DATA=(SID=ssss))' clause in the OSDI listener address string.

The following is an example of a tnsname entry for a database link from a remote Oracle database server to an OSDI gateway instance through TCP/IP.
```
(DESCRIPTION=
   (ADDRESS= (PROTOCOL=TCP)(HOST=MVS08)(PORT=1999)  )
   (HS=)
   (CONNECT_DATA=(SID=TGD4) )
  )
```
MVS08 is the host name that the gateway resides in. 1999 is the port number that OSDI NET listens on that serves the gateway instance. TGD4 is the OSDI TG4DB2 SID it is trying to connect to.

Note that if the remote Oracle database server is an OSDI database instance of release 9.1 or earlier, then you would need to specify SSN parameter (within the ADDRESS specification) that specifies the OSDI NET SID that serves the outbound traffic for the OSDI database instance.

For MPM and OSDI compatibility, refer to Chapter 11.

Oracle clients on z/OS are also able to use an Oracle Names or LDAP server running on another platform to resolve connection requests. The following samples of the OSDI listener configuration file are required to make use of this service.

6.4.8.2 Name Server

SQLNET DD or SQLNET.ORA Definitions

###############
# Names .........:  (CONNECT_TIMEOUT = 0) -MUST- be specified
###############
NAMES.DEFAULT_DOMAIN = world
NAMES.DEFAULT_ZONE = my.domain.com
NAMES.DIRECTORY_PATH = (TNSNAMES,ONAMES,LDAP)
NAMES.PREFERRED_SERVERS =
     (ADDRESS_LIST =
       (DESCRIPTION =
         (ADDRESS =
           (PROTOCOL = TCP)
           (HOST = names_host)
           (Port = 1575)
         )
         (CONNECT_TIMEOUT = 0)
       )
     )
##

6.4.8.3 LDAP Server

LDAP DD or LDAP.ORA Definitions

A sample LDAP.ORA file:

DEFAULT_ADMIN_CONTEXT = "c=us"
DIRECTORY_SERVERS = (hostname:389:636)
DIRECTORY_SERVER_TYPE = OID

LDAP.ORA can be generated using the NETCA utility.

6.5 Operating the OSDI Listener

The OSDI listener is started by the OSDI subsystem start command, for example:

ORSS START NET

This command would start the OSDI listener defined in the earlier example for "Example of Network Service Definition" if the subsystem were named 'ORSS'. You should then see the OSDI listener PROC start up followed by the following messages from the OSDI listener address space:

MIN0001I networking service initializing
MIN0002I networking service NET8     initialization complete
MIN0713I I am listening on port 01521 socket 00000

Additional messages are written to the NET8LOG DD, but message traffic to the console is limited to error and warning messages.

Several commands are available for communicating with a running Net service. Commands are issued using the z/OS MODIFY (or F) system operator command with the general format:

F name,cccc pppppp

where:

Variable	Description
`name`	is the jobname or identifier of the OSDI listener
`cccc`	is a command verb from the table below
`pppppp`	represents an appropriate parameter for that command

Table 6-1 Command Verbs for z/OS MODIFY (or F) System Operator Command

Command	Parameter	Description
`start`	`hpns`	Starts support for the specified protocol in the OSDI listener.
`stop`	`hpns`	Stops support for the specified protocol.
`dis`	`tcp \| all \| pool`	Displays information about existing connections for the specified protocol or storage pool statistics.

The OSDI listener can be stopped with the z/OS stop command (STOP or P), as in 'p net', or through the OSDI subsystem stop command, as in 'ORSS STOP NET'. In either case, the following messages will be seen on the console:

MIN0098I networking service NET termination in progress 
MIN0721I HPNS shut down, GoodBye.
MIN0099I networking service termination complete

The OSDI listener service will also respond to the OSDI subsystem 'display' and 'display long' commands with appropriate information from the address space. Finally, the OSDI subsystem 'drain' command will prevent any new connections on either protocol. Existing connections will not be affected. The OSDI subsystem 'RESUME' command will restore the ability of clients to establish new connections through the OSDI listener.

6.6 Formatting OSDI Listener Trace Files

The OSDI listener provides a utility program called TRCASST that formats the trace files OSDI listener can produce. You may be asked to run TRCASST to help gather diagnostic information required by Oracle Support Services. Sample JCL for TRCASST is provided in oran.orav.SRCLIB(TRCASST).

Before you use TRCASST, ensure that the trace files have not been created with carriage control. TRCASST will be unable to process such files.

When TRCASST runs, the TNSUSMSG DD name must point to a PDS containing a TNSUS message file. This file was placed into oran.orav.MESG(TNSUS) during OSDI listener installation.

6.7 Oracle Advanced Security Option Encryption

The OSDI listener supports CHECKSUM and encryption algorithms. The following sections describe a basic method of verifying this feature, if it is to be used by your site. The easiest way to tell if Oracle Advanced Security Option (ASO) encryption is attempting to work is to deliberately set wrong configuration parameters and attempt a connection between the server and client. Incorrect parameters cause the connection to fail.

After receiving the expected failure message, set the configuration parameters to the correct settings and try the connection again. ASO encryption is working properly if no further error messages are received.

The following procedures test ASO encryption by this method. The incorrect parameter settings produce error 12660.

6.7.1 Setting Up ASO Encryption for Test

Perform the following steps to set up ASO encryption:

6.7.1.1 Checklist for Setting Up ASO Encryption

Set ASO encryption parameters for the server.
Set ASO encryption parameters for the client.

6.7.1.2 Step 1: Set ASO Encryption Parameters for the Server

Use ISPF to edit the OSDI listener configuration file on the z/OS system (server system) to add the following parameters and values. If the server is remote (not z/OS), then use the appropriate editor for the server platform to change SQLNET.ORA.

SQLNET.CRYPTO_CHECKSUM_SERVER = REJECTED
SQLNET.ENCRYPTION_SERVER = REJECTED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (MD5)
SQLNET.ENCRYPTION_TYPES_SERVER = (DES40,RC4_40)
SQLNET.CRYPTO_SEED = "abcdefg"

The value shown for SQLNET.CRYPTO_SEED is only an example. Set it to the value you want. Refer to the Oracle Database Advanced Security Administrator's Guide for more information.

6.7.1.3 Step 2: Set ASO Encryption Parameters for the Client

Edit the OSDI listener configuration file on the client system to add the following parameters:

SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (MD5)
SLQNET.ENCRYPTION_TYPES_CLIENT = (DES40,RC4_40)
SQLNET.CRYPTO_SEED = "abcdefg"

The value shown for SQLNET.CRYPTO_SEED is only an example. Set it to the same value used on the server system.

6.7.2 Testing ASO Encryption

After completing Steps 1 and 2 of the configuration procedure, you are ready to test the operation of the ASO encryption.

6.7.2.1 Checklist for Testing ASO Encryption

Connect client and server.
Reset configuration parameters on server.

6.7.2.2 Step 1: Connect Client and Server

Attempt a connection between the server and client systems. You should receive the following error message:

ORA-12660: Encryption or crypto-checksumming parameters incompatible

6.7.2.3 Step 2: Reset Configuration Parameters on Server

Change the ASO encryption parameters on the server to:

SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.ENCRYPTION_SERVER = REQUIRED

Attempt the connection between the client and server again. If no error message is returned and the connection completes, then ASO encryption is working properly.